Re: HAProxy won't shut down

2017-05-29 Thread Frederic Lecaille
On 05/29/2017 06:12 PM, Patrick Hemmer wrote: On 2017/5/29 08:22, Frederic Lecaille wrote: Hi Patrick, First thank you for this nice and helpful report. Would it be possible to have an output of this command the next time you reproduce such an issue please? echo "show sess" | socat stdi

Re: HAProxy won't shut down

2017-05-29 Thread Patrick Hemmer
On 2017/5/29 08:22, Frederic Lecaille wrote: > > Hi Patrick, > > First thank you for this nice and helpful report. > > Would it be possible to have an output of this command the next time > you reproduce such an issue please? > > echo "show sess" | socat stdio Unfortunately this would not be

[PATCH 9/9] MAJOR: systemd-wrapper: get rid of the wrapper

2017-05-29 Thread William Lallemand
The master worker mode obsoletes the systemd-wrapper, to ensure that nobody uses it anymore, the code has been removed. --- Makefile | 18 +-- contrib/systemd/haproxy.service.in | 2 +- src/haproxy-systemd-wrapper.c | 319 - 3 f

[PATCH 7/9] DOC: add documentation for the master-worker mode

2017-05-29 Thread William Lallemand
--- doc/configuration.txt | 16 doc/management.txt| 15 +-- 2 files changed, 29 insertions(+), 2 deletions(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index ad7d3a8..5fa49d3 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -803,6

[PATCH 2/9] MEDIUM: mworker: handle reload and signals

2017-05-29 Thread William Lallemand
The master-worker will reload itself on SIGUSR2/SIGHUP. It's inherited from the systemd wrapper, when the SIGUSR2 signal is received, the master process will reexecute itself with the -sf flag followed by the PIDs of the children. In the systemd wrapper, the children were using a pipe to notify wh

[PATCH 6/9] MEDIUM: mworker: workers exit when the master leaves

2017-05-29 Thread William Lallemand
This patch ensures that the children will exit when the master quits, even if the master didn't send any signal. The master and the workers are connected through a pipe, when the pipe closes the children leave. --- src/haproxy.c | 55 +++ 1 file

[PATCH 8/9] MEDIUM: systemd: Type=forking in unit file

2017-05-29 Thread William Lallemand
Adding Type=forking in the unit file ensures better monitoring from systemd. During a systemctl start the tool is able to return an error if it didn't work with this option. --- contrib/systemd/haproxy.service.in | 1 + 1 file changed, 1 insertion(+) diff --git a/contrib/systemd/haproxy.service.in

[PATCH 3/9] MEDIUM: mworker: wait mode on reload failure

2017-05-29 Thread William Lallemand
In Master Worker mode, when the reloading of the configuration fails, the process is exiting leaving the children without their father. To handle this, we register an exit function with atexit(3), which is reexecuting the binary in a special mode. This particular mode of HAProxy doesn't reload the co

[PATCH 5/9] MEDIUM: mworker: exit-on-failure option

2017-05-29 Thread William Lallemand
This option exits every worker when one of the current workers dies. It allows you to monitor the master process in order to relaunch everything on a failure. For example it can be used with systemd and Restart=on-failure in a spec file. --- include/types/global.h | 1 + src/cfgparse.c

[PATCH 4/9] MEDIUM: mworker: try to guess the next stats socket to use with -x

2017-05-29 Thread William Lallemand
In master worker mode, you can't specify the stats socket where you get your listeners FDs on a reload, because the command line of the re-exec is launched by the master. To solve the problem, when -x is found on the command line, its parameter is rewritten on a reexec with the first stats socket

[PATCH 1/9] MEDIUM: mworker: replace systemd mode by master worker mode

2017-05-29 Thread William Lallemand
This commit removes the -Ds systemd mode in HAProxy in order to replace it by a more generic master worker system. It aims to replace entirely the systemd wrapper in the near future. The master worker mode implements a new way of managing HAProxy processes. The master is in charge of parsing the co

Replace the systemd-wrapper by the master worker mode

2017-05-29 Thread William Lallemand
The master worker mode replaces the systemd wrapper, it does not need a separate binary anymore, everything is builtin. This mode will launch a "master" which will monitor the "workers". Using this mode, you can reload HAProxy directly by sending a SIGUSR2 signal to the master. The master-worker

Re: Mod Defender (a NAXSI clone) integration patch

2017-05-29 Thread Aleksandar Lazic
Hi Dragan Dosen. Dragan Dosen have written on Mon, 29 May 2017 15:56:06 +0200: > Hi Aleksandar, > > Thank you for your comments and feedback. > > > On 29.5.2017. 14:58, Aleksandar Lazic wrote: > > > > Is there a comparison table what's the difference between mod > > defender and mod security

Re: Mod Defender (a NAXSI clone) integration patch

2017-05-29 Thread Dragan Dosen
Hi Aleksandar, Thank you for your comments and feedback. On 29.5.2017. 14:58, Aleksandar Lazic wrote: > > Is there a comparison table what's the difference between mod defender > and mod security? > Not really, as far as I know. But existing comparisons of ModSecurity and Naxsi functionality

Re: Mod Defender (a NAXSI clone) integration patch

2017-05-29 Thread Willy TARREAU
On Mon, May 29, 2017 at 03:02:57PM +0200, Aleksandar Lazic wrote: Hi Aleks, > > Since both of them are at the exact same commit ID, do you know if the > > project simply moved or is forked ? Does this mean we should expect to > > find updates only at the new URL above and not at the previous one ?

Re: Mod Defender (a NAXSI clone) integration patch

2017-05-29 Thread Aleksandar Lazic
Hi Willy TARREAU. Willy TARREAU have written on Mon, 29 May 2017 11:40:18 +0200: > Hi Thierry, Dragan, > > On Mon, May 29, 2017 at 11:25:48AM +0200, Thierry Fournier wrote: > > Hi Dragan, that's great news. > > Yep great news and apparently great work (as usual). > > > Just for information

Re: Mod Defender (a NAXSI clone) integration patch

2017-05-29 Thread Aleksandar Lazic
Hi Dragan Dosen. Dragan Dosen have written on Mon, 29 May 2017 10:29:55 +0200: > Hi all, > > I'm sending you a patch for Mod Defender (a NAXSI clone) integration > -- a service that talks SPOE and uses the Mod Defender > (https://github.com/Annihil/mod_defender) functionality to detect HTTP > a

New feature request

2017-05-29 Thread John Dison
Hello, in ROADMAP I see: - spare servers : servers which are used in LB only when a minimum farm weight threshold is not satisfied anymore. Useful for inter-site LB with local pref by default. Is it possible to push this item priority to get it done for 1.8 please? It looks like it should not

[PATCH] BUILD: ssl: fix build with OPENSSL_NO_ENGINE

2017-05-29 Thread Emmanuel Hocdet
Hi, Last patches with openssl engine break build with boringssl. Fix include in the mail. Manu 0001-BUILD-ssl-fix-build-with-OPENSSL_NO_ENGINE.patch Description: Binary data

Re: New feature proposal: Add support for decompressing proxyed gziped requests

2017-05-29 Thread Vasileios Kyrillidis
Hi Willy, Thank you for your reply. The time schedule is not yet set, but I believe we will require one/two months as this is not high priority on our side at the moment. Since we have confirmed that merging is indeed promising (depending on the quality of the patches), I can give the green li

Re: HAProxy won't shut down

2017-05-29 Thread Frederic Lecaille
Hi Patrick, First thank you for this nice and helpful report. Would it be possible to have an output of this command the next time you reproduce such an issue please? echo "show sess" | socat stdio I have only one question (see below). On 05/24/2017 10:40 AM, Willy Tarreau wrote: Hi

Re: [PATCHES] Major DNS changes

2017-05-29 Thread Aleksandar Lazic
Hi Baptiste. Baptiste have written on Mon, 29 May 2017 11:14:14 +0200: > Hi Aleksandar, > > I have taken a look into the code and have just some questions about > > calloc in [PATCH 03/11] & [PATCH 07/11] > > > > In the function dns_alloc_resolution is calloc used, would the use > > of haproxy p

Re: Mod Defender (a NAXSI clone) integration patch

2017-05-29 Thread Willy TARREAU
Hi Thierry, Dragan, On Mon, May 29, 2017 at 11:25:48AM +0200, Thierry Fournier wrote: > Hi Dragan, that's great news. Yep great news and apparently great work (as usual). > Just for information, the official project “mod_defender” is now here > >https://github.com/VultureProject/mod_d

Re: Mod Defender (a NAXSI clone) integration patch

2017-05-29 Thread Thierry Fournier
Hi Dragan, that's great news. Just for information, the official project “mod_defender” is now here https://github.com/VultureProject/mod_defender Thierry > On 29 May 2017, at 10:29, Dragan Dosen wrote: > > Hi all, > > I'm sending you a p

Re: [PATCHES] Major DNS changes

2017-05-29 Thread Baptiste
Hi Aleksandar, I have taken a look into the code and have just some questions about > calloc in [PATCH 03/11] & [PATCH 07/11] > > In the function dns_alloc_resolution is calloc used, would the use of > haproxy pools bring any benefit? > > it may help a bit from memory usage point of view. I planned

Re: Is it possible to disable SSL if not certificates are found?

2017-05-29 Thread Emmanuel Hocdet
Hi Simos, The workaround is to have a default (fake) certificate in first and use « strict-sni » parameter. Manu > On 22 May 2017 at 10:28, Simos Xenitellis wrote > : > > Hi All, > > I am trying to automate some tasks with adding multiple https > (LetsEncrypt) websites, > and using HAProxy

Re: Haproxy first core 100%

2017-05-29 Thread Haim Ari
Hello Lukas, Since this is a production environment I had to find a window to run the tasks... 1. Upgraded to 1.7.5 2. below is the output of haproxy -vv (before and after upgrade) HA-Proxy version 1.7.3 2017/02/28 Copyright 2000-2017 Willy Tarreau Build options : TARGET = linux2628