Re: [PATCH] MINOR: ssl: don't show prefer-server-ciphers output

On Wed, Jan 11, 2017 at 10:47:18PM +, Lukas Tribus wrote: > The output of whether prefer-server-ciphers is supported by OpenSSL > actually always show yes in 1.8, because SSL_OP_CIPHER_SERVER_PREFERENCE > is redefined before the actual check in src/ssl_sock.c, since it was > moved from here

[PATCH] MINOR: ssl: don't show prefer-server-ciphers output

The output of whether prefer-server-ciphers is supported by OpenSSL actually always show yes in 1.8, because SSL_OP_CIPHER_SERVER_PREFERENCE is redefined before the actual check in src/ssl_sock.c, since it was moved from here from src/haproxy.c. Since this is not really relevant anymore as we

Re: [PATCH] MINOR: compression: fix -vv output without zlib/slz

Hi. Am 11-01-2017 18:40, schrieb Lukas Tribus: Hello, Am 11.01.2017 um 18:40 schrieb Aleksandar Lazic: Just for my curiosity, why someone want no compression? There are a number of reasons to compile with a smaller number of dependencies: - smaller builds for embedded systems - faster

Re: [PATCH] BUG/MINOR: Reset errno variable before calling strtol(3)

On Wed, Jan 11, 2017 at 07:39:55PM +0400, Ryabin Sergey wrote: > Sometimes errno != 0 before calling strtol(3) > > > diff --git a/src/server.c b/src/server.c > index 2f539c99..28340ddb 100644 > --- a/src/server.c > +++ b/src/server.c > @@ -2815,6 +2815,7 @@ const char

Re: HTTP Authorization header problem with v1.7.1

Hi Willy, Thanks for your quick reply and explanation. Cheers, Brian On Wed, Jan 11, 2017 at 3:11 AM Willy Tarreau wrote: > Hi Brian, > > On Wed, Jan 11, 2017 at 02:08:39AM +, Brian Glogower wrote: > > Hi all, > > > > I noticed that after upgrading to haproxy v1.7.1, haproxy

Re: HTTP redirects while still allowing keep-alive

On Wed, Jan 11, 2017 at 08:53:18PM +0200, Ciprian Dorin Craciun wrote: > On Wed, Jan 11, 2017 at 8:27 PM, Lukas Tribus wrote: > > But if we do remove those conditions, I guess we break a number of "old > > assumptions" > > and we will hit new code paths, so there is a potential for

Re: HTTP redirects while still allowing keep-alive

On Wed, Jan 11, 2017 at 07:27:08PM +0100, Lukas Tribus wrote: > Hello, > > > Am 11.01.2017 um 14:44 schrieb Willy Tarreau: > > On Wed, Jan 11, 2017 at 01:41:27PM +0200, Ciprian Dorin Craciun wrote: > > > Unfortunately a lot of these sites have hard-coded resources with the > > > `www`

Re: HTTP redirects while still allowing keep-alive

On Wed, Jan 11, 2017 at 8:27 PM, Lukas Tribus wrote: > But if we do remove those conditions, I guess we break a number of "old > assumptions" > and we will hit new code paths, so there is a potential for bugs :) [I can't speak with much confidence as this is the first time I see

Re: [PATCH] MINOR: compression: fix -vv output without zlib/slz

On Wed, Jan 11, 2017 at 04:08:03PM +, Lukas Tribus wrote: > > Ah crap, and I was particularly careful about it when I did it :-( > > There is more from this conversation: > > The prefer-server-ciphers output relies on the macro > SSL_OP_CIPHER_SERVER_PREFERENCE, however it is (now) redefined

Re: [PATCH] MINOR: compression: fix -vv output without zlib/slz

Hello, Am 11.01.2017 um 18:40 schrieb Aleksandar Lazic: Just for my curiosity, why someone want no compression? There are a number of reasons to compile with a smaller number of dependencies: - smaller builds for embedded systems - faster compilation for development - lack of trust in

Re: HTTP redirects while still allowing keep-alive

Hello, Am 11.01.2017 um 14:44 schrieb Willy Tarreau: On Wed, Jan 11, 2017 at 01:41:27PM +0200, Ciprian Dorin Craciun wrote: Unfortunately a lot of these sites have hard-coded resources with the `www` alternative domain and HTTP-only. Therefore at least until we rewrite those (which given

Re: [PATCH] MINOR: compression: fix -vv output without zlib/slz

Hi. Am 11-01-2017 14:24, schrieb Lukas Tribus: When haproxy is compiled without zlib or slz, the output of haproxy -vv shows (null). Just for my curiosity, why someone want no compression? BR Aleks

AW: [PATCH] MINOR: compression: fix -vv output without zlib/slz

> Ah crap, and I was particularly careful about it when I did it :-( There is more from this conversation: The prefer-server-ciphers output relies on the macro SSL_OP_CIPHER_SERVER_PREFERENCE, however it is (now) redefined before checking its presence in src/ssl_sock.c. We may just remove this

[PATCH] BUG/MINOR: Reset errno variable before calling strtol(3)

Sometimes errno != 0 before calling strtol(3) diff --git a/src/server.c b/src/server.c index 2f539c99..28340ddb 100644 --- a/src/server.c +++ b/src/server.c @@ -2815,6 +2815,7 @@ const char *update_server_addr_port(struct server *s, const char *addr, const ch /* check if PORT

Re: [PATCH] MINOR: compression: fix -vv output without zlib/slz

On Wed, Jan 11, 2017 at 02:24:35PM +, Lukas Tribus wrote: > When haproxy is compiled without zlib or slz, the output of > haproxy -vv shows (null). > > Make haproxy -vv output great again by providing the proper > information (which is what we did before). > > This is for 1.8 only. Ah crap,

[PATCH] MINOR: compression: fix -vv output without zlib/slz

When haproxy is compiled without zlib or slz, the output of haproxy -vv shows (null). Make haproxy -vv output great again by providing the proper information (which is what we did before). This is for 1.8 only. --- src/compression.c | 2 ++ 1 file changed, 2 insertions(+) diff --git

Re: HTTP redirects while still allowing keep-alive

On Wed, Jan 11, 2017 at 01:41:27PM +0200, Ciprian Dorin Craciun wrote: > Unfortunately a lot of these sites have hard-coded resources with the > `www` alternative domain and HTTP-only. Therefore at least until we > rewrite those (which given their low-value might be delayed forever), > we'll end

Re: HTTP redirects while still allowing keep-alive

On Wed, Jan 11, 2017 at 1:07 PM, Willy Tarreau wrote: > This one is obsolete, the format of the Location header field is > described here : > >https://tools.ietf.org/html/rfc7231#page-68 > > and it uses this format : > >https://tools.ietf.org/html/rfc3986#section-4.2 > > As

Re: HTTP redirects while still allowing keep-alive

On Wed, Jan 11, 2017 at 1:02 PM, Willy Tarreau wrote: > Yes that's indeed the place. The reason for this behaviour is that > (normally) when the client gets a redirect to another host or scheme, > it will no longer use the current connection and will have to close > it. The typical

Re: [PATCH 2/2] DOC: "block" deny_status documentation.

> -block { if | unless } (deprecated) > +block [deny_status ] { if | unless } (deprecated) I'd rather not add details suggesting how to do side-effect things to a deprecated keyword. It supports it only because it's being emulated using "http-request deny", so better not encourage its use

Re: [PATCH 1/2] DOC: add deprecation notice to "block"

applied, thanks.

Re: [PATCH] MINOR: proto_http.c 502 error txt typo.

On Wed, Dec 28, 2016 at 10:49:01AM +0200, Jarno Huuskonen wrote: > --- > src/proto_http.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/src/proto_http.c b/src/proto_http.c > index aa8d997..d804e60 100644 > --- a/src/proto_http.c > +++ b/src/proto_http.c > @@ -343,7

Re: 500 Server Error vs. 500 Internal Server Error ?

Hi Jarno, On Mon, Jan 09, 2017 at 02:38:32PM +0200, Jarno Huuskonen wrote: > Hello, > > Haproxy uses 500 "Server Error" for error/status code 500. > AFAIK RFC 2616/7231 and most? other servers use 500 "Internal Server Error". > > Is there a reason for using "Server Error" and not "Internal

Re: HAProxy Lua Map.end & reserved keywords

On Mon, Jan 09, 2017 at 08:47:17PM +, Robin H. Johnson wrote: > Maybe Willy would considering changing the name of the matches to 'prefix' > & 'suffix' instead of 'beg' & 'end', and just keep beg/end as legacy. It's convenient to keep short names there as they're commonly used in anonymous

Re: HTTP Authorization header problem with v1.7.1

Hi Brian, On Wed, Jan 11, 2017 at 02:08:39AM +, Brian Glogower wrote: > Hi all, > > I noticed that after upgrading to haproxy v1.7.1, haproxy returning 400s > for certain requests that include the HTTP Authorization header. The > following is the output from 'show errors'. I am not seeing

Re: HTTP redirects while still allowing keep-alive

On Wed, Jan 11, 2017 at 12:05:43AM +0200, Ciprian Dorin Craciun wrote: > On Tue, Jan 10, 2017 at 11:00 PM, Bryan Talbot > wrote: > > Whatever the reason for forcing the connection closed -- it only closes > > when the scheme changes. Redirecting to a different host or

Re: HTTP redirects while still allowing keep-alive

Hi Ciprian, On Wed, Jan 11, 2017 at 12:58:57AM +0200, Ciprian Dorin Craciun wrote: > On Tue, Jan 10, 2017 at 9:36 AM, Cyril Bonté wrote: > > This is because haproxy behaves differently depending on the the Location > > URL : > > - beginning with /, it will allow HTTP

Re: [PATCH] BUG/MINOR: ssl: assert on SSL_set_shutdown with BoringSSL

Merged in 1.8, thanks Manu. It looks valid even for previous versions by the way though not having it there doesn't seem to cause any impact. Thus I'll let it cook there and if someone finds a valid reason for backporting it we'll do it later. Thanks, Willy

Re: [PATCH] BUG/MINOR: ssl: EVP_PKEY must be freed after X509_get_pubkey

merged, thanks Manu. Willy