Re: Use regex for backend selection

2016-06-22 Thread Igor Cicimov
use_backend %[req.hdr(host),lower] On Thu, Jun 23, 2016 at 6:21 AM, Mildis wrote: > Hi, > > I’m in the process of setting HAProxy as an HTTPS frontend switch to > different backends. > As I have 10+ different backends, I’d like to replace > > acl to-server1 hdr_beg(host) -i

Re: "errorfile 503" doesn't appear to be working

2016-06-22 Thread Michael Ezzell
My previous post included a couple of spurious spaces after a couple of the header values. Corrected here: HTTP/1.0 503 Service Unavailable[0d][0a]Content-Type: text/html[0d][0a]Cache-Control: no-cache[0d][0a]Connection: close[0d][0a][0d][0a]... Side note: be sure your body is at least 512

Re: "errorfile 503" doesn't appear to be working

2016-06-22 Thread Michael Ezzell
On Jun 22, 2016 7:06 PM, "Shawn Heisey" wrote: > > I have verified that there is nothing on the line after the headers. On > the recommendation I saw elsewhere, the file is in DOS text format, so > each line ends in CRLF, not just LF. Could the line endings be the problem?

Re: "errorfile 503" doesn't appear to be working

2016-06-22 Thread Shawn Heisey
On 6/22/2016 12:45 AM, Jarno Huuskonen wrote: > On Tue, Jun 21, Shawn Heisey wrote: >> When I take down the back end server and make a request, I get the >> browser's standard unavailable page, I do not see the custom page I >> defined. Have I done something wrong? > > With "browser's standard

Use regex for backend selection

2016-06-22 Thread Mildis
Hi, I’m in the process of setting HAProxy as an HTTPS frontend switch to different backends. As I have 10+ different backends, I’d like to replace acl to-server1 hdr_beg(host) -i server1.domain.tld acl to-server2 hdr_beg(host) -i server2.domain.tld … acl to-serverN hdr_beg(host) -i

MINOR: ssl: close ssl key file on error

2016-06-22 Thread Mildis
Hi, Please find attached a patch which corrects ssl_sock.c. It explicitly closes the FILE opened to read the ssl key file when parsing fails to find a valid key. Previous behavior: returned from the function after having set the error flags but not closed the file. Regards, Mildis

Re: Refuse connection if no certificate match

2016-06-22 Thread Holger Just
Hi Olivier, Olivier Doucet wrote: > Is there a way to not present the first loaded certificate and refuse > connection instead ? You can use the strict-sni argument on the bind line to force the client to speak SNI and refuse the TLS handshake otherwise. See the documentation for details at

Refuse connection if no certificate match

2016-06-22 Thread Olivier Doucet
Hello, I'm actually using HTTPS/SNI on HAProxy 1.6. Documentation states the following: "If no SNI is provided by the client or if the SSL library does not support TLS extensions, or if the client provides an SNI hostname which does not match any certificate, then the first loaded certificate

How to validate source trustworthiness

2016-06-22 Thread Danny Fullerton
Hello, I'm trying to validate haproxy sources but git tags don't seem to be signed using PGP and the HTTPS certificate is self-signed. Providing a signed commit/tags or, at the very least, using a valid TLS certificate would do the job (it's now free with letsencrypt.org). regards, --

Re: external-check stdout ends up in load-balanced traffic, destroying tcp sessions

2016-06-22 Thread Lukas Erlacher
Yes I noticed there were more issues with the FD's. Thanks for all of your work, I will test 1.6.6 as soon as it hits vbernat's PPA. Best, Luke

RE: Why session rate is bigger than session current?

2016-06-22 Thread Stefan Johansson
1) Yes, session rate is connections per second. Sessions are active (open) connections in the moment you display the stats page. 2) My numbers are more or less equal usually, but it could perhaps be that you have a lot of HTTP requests that HAProxy rejects (e.g. empty or invalid) and

Re: Saving server state in 1.6.5

2016-06-22 Thread Willy Tarreau
On Wed, Jun 22, 2016 at 11:00:48AM +0200, Eric Webster wrote: > Willy, > > I tested the patch on top of the 1.6.5 source as well as a fresh git > pull for the 1.6 line. In both cases server state was not loaded on > restart. Anything else I can do to help out or information I can give > to

Re: Saving server state in 1.6.5

2016-06-22 Thread Eric Webster
Willy, I tested the patch on top of the 1.6.5 source as well as a fresh git pull for the 1.6 line. In both cases server state was not loaded on restart. Anything else I can do to help out or information I can give to assist? Best, Eric On Tue, Jun 21, 2016 at 6:57 PM, Willy Tarreau

http-response capture without id

2016-06-22 Thread Kay Fuchs
Hi, the following configuration leads to "...while parsing 'http-response capture' rule : expects 'id', found 'len'": listen www bind :8080 mode http http-request capture req.hdr(X) len 1 http-response capture res.hdr(Y) len 1 server dummy 127.0.0.1:80

Re: "errorfile 503" doesn't appear to be working

2016-06-22 Thread Jarno Huuskonen
Hi, On Tue, Jun 21, Shawn Heisey wrote: > When I take down the back end server and make a request, I get the > browser's standard unavailable page, I do not see the custom page I > defined. Have I done something wrong? With "browser's standard unavail. page" do you mean IE with its "helpful"