[PATCH 0/2] openssl 1.1 async mode and engine support

2017-01-13 Thread Grant Zhang
Hi list, This is to request comments regarding the support of openssl 1.1 async mode and async-capable engine. openssl s_time utility is used to compare the performance: #> openssl s_time -new -cipher ECDHE-RSA-AES128-GCM-SHA256 -nbio With single haproxy process, software only: ~500

[PATCH 2/2] RFC: add openssl async support

2017-01-13 Thread Grant Zhang
ssl_async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC mode set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to

[PATCH 1/2] RFC: add openssl engine support

2017-01-13 Thread Grant Zhang
Global configuration parameter "ssl_engine" may be used to specify openssl engine. ---
 include/proto/ssl_sock.h |  2 ++
 include/types/global.h   |  1 +
 src/cfgparse.c           | 21 +
 src/haproxy.c            |  3 +++
 src/ssl_sock.c           | 38

Re: Reverse proxy settings

2017-01-13 Thread Thierry
Hello Aaron, I have modified it, now I do have: This is now working :) Thx a lot ... On Friday, 13 January 2017 at 20:18:13, you wrote: Hi Thierry, You need to add "ssl" to the server line, probably "ssl verify none" if you don't need it to

Re: Reverse proxy settings

2017-01-13 Thread Aaron West
Hi Thierry, You need to add "ssl" to the server line, probably "ssl verify none" if you don't need it to check validity of the backend cert. So :
backend https-in
    mode http
    option httplog
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]

Reverse proxy settings

2017-01-13 Thread Thierry
Hi, Still me working around ... The main target is to send HTTPS request through my web server using the HAproxy as frontend. My web server only accepts HTTPS (443) requests. My HAproxy config: Web Server Config
frontend https-in
    mode http
    bind :443 ssl crt

Re: HTTP 429 Too Many Requests (tarpit deny_status)

2017-01-13 Thread Jarno Huuskonen
Hello, On Fri, Jun 24, James Brown wrote: > +1 I am also using a fake backend with no servers and a 503 errorfile, and > it confuses everybody who looks at the config or the metrics. Being able to > directly emit a 429 would be fantastic. This is my first attempt in adding deny_status to:

[PATCH] BUILD: ssl: fix to build (again) with boringssl

2017-01-13 Thread Emmanuel Hocdet
for 1.8dev 0001-BUILD-ssl-fix-to-build-again-with-boringssl.patch

Re: [PATCH] BUG/MINOR: ssl: assert on SSL_set_shutdown with BoringSSL

2017-01-13 Thread Emmanuel Hocdet
> On 11 Jan 2017 at 11:56, Willy Tarreau wrote: > > Merged in 1.8, thanks Manu. It looks valid even for previous versions > by the way though not having it there doesn't seem to cause any impact. > Thus I'll let it cook there and if someone finds a valid reason for >

Re: How can I change the URI when forwarding to a server

2017-01-13 Thread Jürgen Haas
> You’re looking for http-request with set-uri or set-path + > set-query: > https://cbonte.github.io/haproxy-dconv/1.6/configuration.html#4..2-http-request > > > -Bryan This is exactly what I was looking for,

Re: Add agent-host configuration directive and allow changing it and agent-send via socket/CLI

2017-01-13 Thread Willy Tarreau
Hi Michal, On Mon, Jan 09, 2017 at 02:00:19PM +0100, Michał wrote: > Hello! > It's my first PR to haproxy, so please tell me if anything is still wrong. > I've read CONTRIBUTING. > > These patches implement the possibility to define a different host (agent-host) for > agent checks in config and they also

Re: [PATCH] BUG/MINOR: stream: Fix how backend-specific analyzers are set, on a stream

2017-01-13 Thread Willy Tarreau
On Thu, Jan 12, 2017 at 05:14:53PM +0100, Willy Tarreau wrote: > Christopher, > > I suspect that below you spotted a deeper bug which probably also affects > older versions : After your explanation I've merged it now and added it to 1.7. Thanks, Willy

Re: [DEV] ssl bind_conf per certificat

2017-01-13 Thread Willy Tarreau
Hi Manu, On Fri, Jan 13, 2017 at 11:01:14AM +0100, Emmanuel Hocdet wrote: > > This patch implements the ssl bind configuration per certificate. > It’s for 1.8dev. Now applied with Emeric's blessing, thanks! Willy

Re: [DEV] ssl bind_conf per certificat

2017-01-13 Thread Willy Tarreau
On Fri, Jan 13, 2017 at 11:07:02AM +0100, Emmanuel Hocdet wrote: > > This patch implements the ‘curves’ ssl parameter for bind and crt-list. > It’s for 1.8dev. Applied as well, thanks! Willy

Re: [DEV] ssl bind_conf per certificat

2017-01-13 Thread Emmanuel Hocdet
This patch implements the ‘curves’ ssl parameter for bind and crt-list. It’s for 1.8dev. 0001-MINOR-ssl-add-curve-suite-for-ECDHE-negotiation.patch On 13 Jan 2017 at 11:01, Emmanuel Hocdet wrote: This patch implements the ssl bind configuration per

Re: [DEV] ssl bind_conf per certificat

2017-01-13 Thread Emmanuel Hocdet
This patch implements the ssl bind configuration per certificate. It’s for 1.8dev. For example:
haproxy.cfg:
    bind :443 ssl strict-sni crt-list /etc/haproxy/crtlist.cfg
crtlist.cfg:
    mycert.pem  [alpn h2,http/1.1]  h2.mydom.net
    mycert.pem  [verify required ca-file ca-admin.pem]