Re: Sharing SSL information via PROXY protocol or HAProxy internally

2016-04-15 Thread Dennis Jacobfeuerborn
On 15.04.2016 16:01, Christian Ruppert wrote: > Hi, > > would it be possible to inherit the SSL information from a SSL > listener/frontend via PROXY protocol? > So for example: > > listen ssl-relay > mode tcp > > ... > > server rsa unix@/var/run/haproxy_ssl_rsa.sock send-proxy-v2 >

Re: 100% cpu , epoll_wait()

2016-04-15 Thread Jim Freeman
Did a bit more digging on the most recent instance, and found that the haproxy pid doing the hogging was handling a connection to the stats port : listen haproxy_stats :5 stats enable stats uri / no log , with this 'netstat -pantlu' entry : tcp0 99756

Re: 100% cpu , epoll_wait()

2016-04-15 Thread Cyril Bonté
Hi Jim, On 15/04/2016 23:20, Jim Freeman wrote: I have haproxy slaved to 2d cpu (CPU1), with frequent config changes and a '-sf' soft-stop with the now-old non-listening process nannying old connections. Sometimes CPU1 goes to 100%, and then a few minutes later request latencies suffer

Coding style for config files

2016-04-15 Thread Michael Rennecke
Hello, I know this question is stupid. Is there a coding style for config files, like this: http://www.haproxy.org/coding-style.html ? Cheers, Michael

100% cpu , epoll_wait()

2016-04-15 Thread Jim Freeman
I have haproxy slaved to 2d cpu (CPU1), with frequent config changes and a '-sf' soft-stop with the now-old non-listening process nannying old connections. Sometimes CPU1 goes to 100%, and then a few minutes later request latencies suffer across multiple haproxy peers. An strace of the nanny

Re: use of variables in ACL

2016-04-15 Thread David Birdsong
Oh, great thanks! On Thu, Apr 14, 2016 at 11:50 PM Willy Tarreau wrote: > Hi David, > > On Fri, Apr 15, 2016 at 03:35:11AM +, David Birdsong wrote: > > Is there anyway to use: > > > > http-request set-var() > > > > to set a var for later use in forming an ACL? > > > > I've

TTL-based DNS resolution ?

2016-04-15 Thread Ben Tisdall
Hi, are there are plans to support DNS resolution based on TTL a la NGINX? This would be helpful for use cases where the upstream is an ELB or similar system. I've pasted a reply from AWS support based on some observations from a couple of our services that use HAProxy 1.6 in front of ELBs. Note

Re: [PATCH] use SSL_CTX_set_ecdh_auto() for ecdh curve selection

2016-04-15 Thread David Martin
On Apr 15, 2016 4:24 AM, "Janusz Dziemidowicz" wrote: > > 2016-04-14 17:39 GMT+02:00 David Martin : > > Here's a revised patch, it throws a fatal config error if > > SSL_CTX_set1_curves_list() fails. The default ecdhe option is used so > > current

Sharing SSL information via PROXY protocol or HAProxy internally

2016-04-15 Thread Christian Ruppert
Hi, would it be possible to inherit the SSL information from a SSL listener/frontend via PROXY protocol? So for example: listen ssl-relay mode tcp ... server rsa unix@/var/run/haproxy_ssl_rsa.sock send-proxy-v2 listen ssl-rsa_ecc mode tcp ... bind
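The question above is exactly what the PROXY protocol v2 TLV extension exists for: the spec defines a PP2_TYPE_SSL TLV (type 0x20) carrying TLS version, client certificate CN, cipher and a verify status, and HAProxy's `send-proxy-v2-ssl` / `send-proxy-v2-ssl-cn` server options emit it. The parser below is an added example of mine, not code from the thread or from HAProxy: it decodes a v2 header (IPv4 or IPv6, PROXY or LOCAL command), extracts all TLVs, and unpacks the SSL TLV and its sub-TLVs. The sample header at the bottom is constructed inline with the builder helpers (addresses and CN are invented for the example). One caveat worth remembering: whatever receives the header trusts it as sent, so `accept-proxy` must only face trusted peers (a unix socket between two haproxy listeners, as in the thread), never clients, or they can forge both the source address and the SSL TLV.

```python
"""PROXY protocol v2 parser with PP2_TYPE_SSL support (added example, not HAProxy code)."""
import socket
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"

# TLV types and SSL sub-types from proxy-protocol.txt, section 2.2.7
PP2_TYPE_ALPN = 0x01
PP2_TYPE_SSL = 0x20
PP2_SUBTYPE_SSL_VERSION = 0x21
PP2_SUBTYPE_SSL_CN = 0x22
PP2_SUBTYPE_SSL_CIPHER = 0x23
# <client> bit flags inside PP2_TYPE_SSL
PP2_CLIENT_SSL = 0x01        # client connected over TLS
PP2_CLIENT_CERT_CONN = 0x02  # client cert presented on this connection
PP2_CLIENT_CERT_SESS = 0x04  # client cert presented on the original session


@dataclass
class ProxyV2Header:
    src_addr: Optional[str] = None
    dst_addr: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    tlvs: Dict[int, bytes] = field(default_factory=dict)  # type -> raw value
    ssl: Optional[dict] = None                            # decoded PP2_TYPE_SSL


def _encode_tlvs(tlvs: List[Tuple[int, bytes]]) -> bytes:
    return b"".join(struct.pack("!BH", t, len(v)) + v for t, v in tlvs)


def _parse_tlvs(buf: bytes) -> Dict[int, bytes]:
    out, off = {}, 0
    while off < len(buf):
        if off + 3 > len(buf):
            raise ValueError("truncated TLV header")
        t, ln = buf[off], struct.unpack("!H", buf[off + 1:off + 3])[0]
        off += 3
        if off + ln > len(buf):
            raise ValueError("truncated TLV value")
        out[t] = buf[off:off + ln]
        off += ln
    return out


def _parse_ssl_tlv(val: bytes) -> dict:
    # layout: <client:1><verify:4><sub-TLVs...>; verify == 0 means cert verified
    if len(val) < 5:
        raise ValueError("PP2_TYPE_SSL too short")
    client, verify = val[0], struct.unpack("!I", val[1:5])[0]
    sub = _parse_tlvs(val[5:])
    return {
        "client_ssl": bool(client & PP2_CLIENT_SSL),
        "cert_on_conn": bool(client & PP2_CLIENT_CERT_CONN),
        "cert_in_sess": bool(client & PP2_CLIENT_CERT_SESS),
        "verified": verify == 0,
        "version": sub.get(PP2_SUBTYPE_SSL_VERSION, b"").decode("ascii"),
        "cn": sub.get(PP2_SUBTYPE_SSL_CN, b"").decode("utf-8"),
        "cipher": sub.get(PP2_SUBTYPE_SSL_CIPHER, b"").decode("ascii"),
    }


def parse_proxy_v2(data: bytes) -> Tuple[ProxyV2Header, bytes]:
    """Return (parsed header, remaining payload). Raises ValueError on bad input."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY protocol v2 header")
    ver_cmd, fam_proto = data[12], data[13]
    length = struct.unpack("!H", data[14:16])[0]
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    if len(data) < 16 + length:
        raise ValueError("truncated PROXY protocol header")
    body, rest = data[16:16 + length], data[16 + length:]
    hdr = ProxyV2Header()
    if ver_cmd & 0x0F == 0x00:  # LOCAL command (e.g. health checks): no addresses
        return hdr, rest
    if fam_proto == 0x11:        # AF_INET, STREAM
        fam, alen = socket.AF_INET, 4
    elif fam_proto == 0x21:      # AF_INET6, STREAM
        fam, alen = socket.AF_INET6, 16
    else:
        raise ValueError("unsupported family/protocol 0x%02x" % fam_proto)
    if len(body) < 2 * alen + 4:
        raise ValueError("address block truncated")
    hdr.src_addr = socket.inet_ntop(fam, body[:alen])
    hdr.dst_addr = socket.inet_ntop(fam, body[alen:2 * alen])
    hdr.src_port, hdr.dst_port = struct.unpack("!HH", body[2 * alen:2 * alen + 4])
    hdr.tlvs = _parse_tlvs(body[2 * alen + 4:])
    if PP2_TYPE_SSL in hdr.tlvs:
        hdr.ssl = _parse_ssl_tlv(hdr.tlvs[PP2_TYPE_SSL])
    return hdr, rest


def build_ssl_tlv(version: str, cn: str, cipher: str, verified: bool = True,
                  client_cert: bool = False) -> bytes:
    client = PP2_CLIENT_SSL | (PP2_CLIENT_CERT_CONN if client_cert else 0)
    sub = [(PP2_SUBTYPE_SSL_VERSION, version.encode()),
           (PP2_SUBTYPE_SSL_CN, cn.encode()),
           (PP2_SUBTYPE_SSL_CIPHER, cipher.encode())]
    return bytes([client]) + struct.pack("!I", 0 if verified else 1) + _encode_tlvs(sub)


def build_proxy_v2(src: str, dst: str, sport: int, dport: int,
                   tlvs: List[Tuple[int, bytes]]) -> bytes:
    fam = socket.AF_INET6 if ":" in src else socket.AF_INET
    body = (socket.inet_pton(fam, src) + socket.inet_pton(fam, dst)
            + struct.pack("!HH", sport, dport) + _encode_tlvs(tlvs))
    fam_proto = 0x11 if fam == socket.AF_INET else 0x21
    return PP2_SIGNATURE + bytes([0x21, fam_proto]) + struct.pack("!H", len(body)) + body


# Constructed sample: a TLS client with a verified client cert, followed by payload.
SAMPLE = build_proxy_v2("192.0.2.10", "198.51.100.5", 51234, 443, [
    (PP2_TYPE_SSL, build_ssl_tlv("TLSv1.2", "client.example",
                                 "ECDHE-RSA-AES128-GCM-SHA256", client_cert=True)),
    (PP2_TYPE_ALPN, b"h2"),
]) + b"GET / HTTP/1.1\r\n"

if __name__ == "__main__":
    header, payload = parse_proxy_v2(SAMPLE)
    print(header, payload)
```

Only the first 16 bytes plus the advertised length are consumed, so the remaining bytes are the real client payload and must be handed to the protocol handler untouched; any parse failure should close the connection rather than fall back to treating the bytes as application data.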

Re: Q: about HTTP/2

2016-04-15 Thread Steven Le Roux
Hi, I have a concrete use case that needs http/2 : one ssl frontend with multiple heterogeneous (h2,http/1.1) backends gRPC is http2 only and if you have to use it behind a single domain you need to be able to route http/2 traffic among http/1.1. In this case, I need to apply some http specific

Re: nbproc 1 vs >1 performance

2016-04-15 Thread Pavlos Parissis
On 15/04/2016 11:44 AM, Willy Tarreau wrote: > Hi Christian, > > On Fri, Apr 15, 2016 at 11:26:18AM +0200, Christian Ruppert wrote: >> Just in case someone is interested in this setup: >> Don't put the two SSL binds into the frontend. Add a second listener for the >> two SSL binds and from

Re: nbproc 1 vs >1 performance

2016-04-15 Thread Willy Tarreau
On Fri, Apr 15, 2016 at 11:56:20AM +0200, Pavlos Parissis wrote: > nbproc > 1 also introduces 2 other __issues__ which have been discussed > several times in this ML: > > 1) the aggregation of statistics > 2) performing operations such as disable/enable/change weight. > In setups where the

Re: nbproc 1 vs >1 performance

2016-04-15 Thread Pavlos Parissis
On 15/04/2016 11:26 AM, Christian Ruppert wrote: > On 2016-04-14 11:06, Christian Ruppert wrote: >> Hi Willy, >> >> On 2016-04-14 10:17, Willy Tarreau wrote: >>> On Thu, Apr 14, 2016 at 08:55:47AM +0200, Lukas Tribus wrote: Let me put it this way: frontend haproxy_test

Re: nbproc 1 vs >1 performance

2016-04-15 Thread Willy Tarreau
Hi Christian, On Fri, Apr 15, 2016 at 11:26:18AM +0200, Christian Ruppert wrote: > Just in case someone is interested in this setup: > Don't put the two SSL binds into the frontend. Add a second listener for the > two SSL binds and from there via send-proxy-v2 to the frontend. > Why? Because

Re: nbproc 1 vs >1 performance

2016-04-15 Thread Christian Ruppert
On 2016-04-14 11:06, Christian Ruppert wrote: Hi Willy, On 2016-04-14 10:17, Willy Tarreau wrote: On Thu, Apr 14, 2016 at 08:55:47AM +0200, Lukas Tribus wrote: Let me put it this way: frontend haproxy_test bind-process 1-8 bind :12345 process 1 bind :12345 process 2 bind :12345 process 3

Re: [PATCH] use SSL_CTX_set_ecdh_auto() for ecdh curve selection

2016-04-15 Thread Janusz Dziemidowicz
2016-04-15 11:16 GMT+02:00 Pavlos Parissis : > But on server side you need openssl 1.1.0[1] which is not ready yet and > I think it requires changes on haproxy. Nginx has already some level of > support[2] for openssl 1.1.0. Sure, I didn't mean that it will work right

Re: [PATCH] use SSL_CTX_set_ecdh_auto() for ecdh curve selection

2016-04-15 Thread Janusz Dziemidowicz
2016-04-14 17:39 GMT+02:00 David Martin : > Here's a revised patch, it throws a fatal config error if > SSL_CTX_set1_curves_list() fails. The default ecdhe option is used so > current configurations should not be impacted. > > Sorry Janusz, forgot the list on my reply. I

Re: [PATCH] use SSL_CTX_set_ecdh_auto() for ecdh curve selection

2016-04-15 Thread Pavlos Parissis
On 15/04/2016 10:58 πμ, Janusz Dziemidowicz wrote: > 2016-04-15 6:55 GMT+02:00 Willy Tarreau : >>> Switching ECDHE curves can have performance impact, for example result >>> of openssl speed on my laptop: >>> 256 bit ecdh (nistp256) 0.0003s 2935.3 >>> 384 bit ecdh (nistp384)

Re: [PATCH] use SSL_CTX_set_ecdh_auto() for ecdh curve selection

2016-04-15 Thread Janusz Dziemidowicz
2016-04-15 6:55 GMT+02:00 Willy Tarreau : >> Switching ECDHE curves can have performance impact, for example result >> of openssl speed on my laptop: >> 256 bit ecdh (nistp256) 0.0003s 2935.3 >> 384 bit ecdh (nistp384) 0.0027s 364.9 >> 521 bit ecdh (nistp521) 0.0016s

Re: use of variables in ACL

2016-04-15 Thread Willy Tarreau
Hi David, On Fri, Apr 15, 2016 at 03:35:11AM +, David Birdsong wrote: > Is there anyway to use: > > http-request set-var() > > to set a var for later use in forming an ACL? > > I've tried all the prefixes to make the variable survive past http > processing, but the ACL is always rejected
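An added configuration example for the pattern discussed in this thread, written by the editor rather than taken from Willy's reply or from the HAProxy documentation: a value is stored with `http-request set-var` and then consumed by a named ACL through the `var()` sample fetch. The host name and backend names are invented. The ACL spells out its matching method (`-m str`) because `var()` does not carry a fixed type, so the ACL cannot infer one from the fetch as it does for `req.hdr()`; the `txn.` scope keeps the variable alive for the whole transaction, which is enough for request rules and response rules alike.

```haproxy
frontend www
    bind :80
    # store the normalized Host header once, in transaction scope
    http-request set-var(txn.host) req.hdr(host),lower

    # ACLs built on the variable; the matching method must be explicit
    acl is_api    var(txn.host) -m str api.example.com
    acl is_static var(txn.host) -m end .static.example.com

    # the variable is still available when the response comes back
    http-response set-header X-Routed-Host %[var(txn.host)]

    use_backend be_api    if is_api
    use_backend be_static if is_static
    default_backend be_www

backend be_api
    server api1 127.0.0.1:8001

backend be_static
    server static1 127.0.0.1:8002

backend be_www
    server www1 127.0.0.1:8003
```

Validate the file with `haproxy -c -f <file>` before reloading; a variable referenced in an ACL with no matching method is reported as a parse error at that step rather than at runtime.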

Re: [PATCH] BUG/MINOR: fix maxaccept computation according to the frontend process range

2016-04-15 Thread Willy Tarreau
On Fri, Apr 15, 2016 at 07:58:43AM +0200, Cyril Bonté wrote: > commit 7c0ffd23 is only considering the explicit use of the "process" keyword > on the listeners. But at this step, if it's not defined in the configuration, > the listener bind_proc mask is set to 0. As a result, the code will compute