Re: rewrite URI

2017-06-14 Thread Jarno Huuskonen
Hi, On Wed, Jun 14, Haim Ari wrote: > yea, i tried that, does not work Doesn't work how: path is not set to /Test or wrong backend is used or something else ? Have you tested with acl is_test path_beg instead of url_beg ? For me these two configs work: # version one using temp. header frontend

Re: X-forwarded-For have two ip address

2017-06-14 Thread 龙红波
Hi, Comma is a special symbol. You can do this:

    backend b1
        acl forward-exist req.hdr(X-Forwarded-For) -m found
        http-request set-header X-Forwarded-For %[capture.req.hdr(2)],%ci if forward-exist
        http-request set-header X-Forwarded-For %ci if !forward-exist
        server def 127.0.0.1:81

X-forwarded-For have two ip address

2017-06-14 Thread Andrey Zakabluk
Hi! We are integrating WAF in my company. WAF send http request when in POST request X-Real-Ip: 10.254.13.100, 10.254.42.32 X-Forwarded-For: 10.254.13.100, 10.254.42.32 Maybe HAPROXY do take only secondary IP from X-Real-Ip/ X-Forwarded-For. Always take ip from secondary position(in may

Re: BUG: Seg fault when reloading from saved state after config change

2017-06-14 Thread Mark Staudinger
Hi Shelley, Willy, I can confirm seeing similar on 1.7.1 on FreeBSD amd64, when there was a discrepancy between the backends listed in the state file vs. the ones configured for the new process. I never had time to sort out the precise conditions, rather, shelved the use of the state file

Re: BUG: Seg fault when reloading from saved state after config change

2017-06-14 Thread Shelley Shostak
Aha. The problem is that the new haproxy.cfg file has hosts that are not in the stat file. If there is no state file, the haproxy.cfg file is perfectly valid. I've attached a self-contained config file and state file that will reproduce the seg fault. Also the output of haproxy -c using those

Re: HAProxy won't shut down

2017-06-14 Thread Aleksandar Lazic
Hi Frederic & Willy. Willy Tarreau wrote on 14.06.2017: > On Wed, Jun 14, 2017 at 03:24:31PM +0200, Frederic Lecaille wrote: >> Ok. Here is a patch for that. > Many thanks, doc is even more complete than I hoped, I'm sure I'll > use this in the near future :-) +1 As this link is mentioned in

Re: [PATCH] BUG/MINOR: ssl: Be sure that SSLv3 connection methods exist for openssl < 1.1.0

2017-06-14 Thread Emmanuel Hocdet
> On 14 June 2017 at 16:43, Willy Tarreau wrote: > > On Wed, Jun 14, 2017 at 03:11:28PM +0200, Christopher Faulet wrote: >> Hi, >> >> HAProxy compilation fails if OpenSSL 1.0.2 is compiled without the support >> of SSLv3 methods (SSL3_server_method and SSL3_client_method). The

Re: Issue while using Proxy protocol in TCP mode

2017-06-14 Thread Vijay Bais
An important thing I forgot to mention is that *the load balancer is an EC2 instance in AWS*. Also, consider 5.6.7.8 as an EIP and the frontend uses private IP to bind. When I tested proxy protocol with similar local setup, it works as expected (disregard any version of haproxy). It's likely, AWS to

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-06-14 Thread Emmanuel Hocdet
> On 14 June 2017 at 13:58, Dennis Jacobfeuerborn wrote: > > On 12.06.2017 16:21, Emmanuel Hocdet wrote: >> In haproxy 1.8dev, default certificate can now be optional. >> This patch allow that. > > This looks like a big footgun. While the idea is interesting and

Re: [PATCH] BUG/MINOR: http/filters: Be sure to wait if a filter loops in HTTP_MSG_ENDING

2017-06-14 Thread Christopher Faulet
On 14/06/2017 at 16:47, Willy Tarreau wrote: On Wed, Jun 14, 2017 at 03:43:19PM +0200, Christopher Faulet wrote: A filter can choose to loop when a HTTP message is in the state HTTP_MSG_ENDING. But the transaction is terminated with an error if the input is closed (CF_SHUTR set on the

Re: [PATCH] BUG/MINOR: http/filters: Be sure to wait if a filter loops in HTTP_MSG_ENDING

2017-06-14 Thread Willy Tarreau
On Wed, Jun 14, 2017 at 03:43:19PM +0200, Christopher Faulet wrote: > A filter can choose to loop when a HTTP message is in the state > HTTP_MSG_ENDING. But the transaction is terminated with an error if the input > is > closed (CF_SHUTR set on the channel). At this step, we have received all

Re: [PATCH] BUG/MINOR: ssl: Be sure that SSLv3 connection methods exist for openssl < 1.1.0

2017-06-14 Thread Willy Tarreau
On Wed, Jun 14, 2017 at 03:11:28PM +0200, Christopher Faulet wrote: > Hi, > > HAProxy compilation fails if OpenSSL 1.0.2 is compiled without the support > of SSLv3 methods (SSL3_server_method and SSL3_client_method). The manpage > SSL_CTX_new(3) specifies that these functions are available if >

Re: [PATCH] BUG/MINOR: acls: Set the right refflag when patterns are, loaded from a map

2017-06-14 Thread Willy Tarreau
On Wed, Jun 14, 2017 at 03:03:33PM +0200, Christopher Faulet wrote: > For an ACL, we can load patterns from a map using the flag -M. For example: > > acl test hdr(host) -M -f hosts.map > > The file is parsed as a map and the ACL will be executed as expected. But the > reference flag is wrong.

Re: Possible regression in 1.6.12

2017-06-14 Thread Willy Tarreau
Hi Veiko, [ CCing Baptiste at the same time ] On Wed, Jun 14, 2017 at 02:59:16PM +0300, Veiko Kukk wrote: > Possible regression in 1.6.12 > > I might have discovered a haproxy bug. It occurs when all of the following > configuration conditions are satisfied: > * haproxy version 1.6.12 > *

Re: HAProxy won't shut down

2017-06-14 Thread Willy Tarreau
On Wed, Jun 14, 2017 at 03:24:31PM +0200, Frederic Lecaille wrote: > Ok. Here is a patch for that. Many thanks, doc is even more complete than I hoped, I'm sure I'll use this in the near future :-) Willy

[PATCH] BUG/MINOR: http/filters: Be sure to wait if a filter loops in HTTP_MSG_ENDING

2017-06-14 Thread Christopher Faulet
This one is about filters. Thanks -- Christopher Faulet From 5358c71aa67a5fe21f29063bc7f837073ef8d20d Mon Sep 17 00:00:00 2001 From: Christopher Faulet Date: Fri, 31 Mar 2017 15:37:29 +0200 Subject: [PATCH] BUG/MINOR: http/filters: Be sure to wait if a filter loops in

Re: HAProxy won't shut down

2017-06-14 Thread Frederic Lecaille
On 06/14/2017 01:43 PM, Willy Tarreau wrote: Hi Fred, On Tue, Jun 13, 2017 at 09:16:33PM +0200, Frederic Lecaille wrote: (...) So I have compiled haproxy with the little src/plug_qdisc.c source file (attached to this mail) highly inspired from libnl-utils package sources and managed to make a

[PATCH] BUG/MINOR: ssl: Be sure that SSLv3 connection methods exist for openssl < 1.1.0

2017-06-14 Thread Christopher Faulet
Hi, HAProxy compilation fails if OpenSSL 1.0.2 is compiled without the support of SSLv3 methods (SSL3_server_method and SSL3_client_method). The manpage SSL_CTX_new(3) specifies that these functions are available if OPENSSL_NO_SSL3_METHOD is undefined. Here is a fix. Thanks, -- Christopher

[PATCH] BUG/MINOR: acls: Set the right refflag when patterns are, loaded from a map

2017-06-14 Thread Christopher Faulet
Hi, Here is a little patch to fix a little bug :) Thanks -- Christopher Faulet From e11c7f0ffe159f1e77c2c2568dd5f217f67327ee Mon Sep 17 00:00:00 2001 From: Christopher Faulet Date: Wed, 14 Jun 2017 14:41:33 +0200 Subject: [PATCH] BUG/MINOR: acls: Set the right refflag

Re: Issue while using Proxy protocol in TCP mode

2017-06-14 Thread Christopher Faulet
On 14/06/2017 at 13:07, Vijay Bais wrote: On Wed, Jun 14, 2017 at 3:06 PM, Christopher Faulet > wrote: Ok, If the problem is still there with a stable release, be sure to have the "send-proxy" directive on your server line (the one

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-06-14 Thread Georg Faerber
On 17-06-14 13:58:01, Dennis Jacobfeuerborn wrote: > On 12.06.2017 16:21, Emmanuel Hocdet wrote: > > In haproxy 1.8dev, default certificate can now be optional. > > This patch allow that. > > This looks like a big footgun. While the idea is interesting and > useful if this is to be considered at

Possible regression in 1.6.12

2017-06-14 Thread Veiko Kukk
Possible regression in 1.6.12 I might have discovered a haproxy bug. It occurs when all of the following configuration conditions are satisfied: * haproxy version 1.6.12 * multiple processes * resolvers section with more than one server configured (not even used anywhere) * haproxy is either

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-06-14 Thread Dennis Jacobfeuerborn
On 12.06.2017 16:21, Emmanuel Hocdet wrote: > In haproxy 1.8dev, default certificate can now be optional. > This patch allow that. This looks like a big footgun. While the idea is interesting and useful if this is to be considered at all this behavior should only be allowed after the user

Re: HAProxy won't shut down

2017-06-14 Thread Willy Tarreau
Hi Fred, On Tue, Jun 13, 2017 at 09:16:33PM +0200, Frederic Lecaille wrote: (...) > So I have compiled haproxy with the little src/plug_qdisc.c source file > (attached to this mail) highly inspired from libnl-utils package sources and > managed to make a haproxy peer block and unblock incoming

Re: Issue while using Proxy protocol in TCP mode

2017-06-14 Thread Vijay Bais
On Wed, Jun 14, 2017 at 3:06 PM, Christopher Faulet wrote: > > Ok, If the problem is still there with a stable release, be sure to have > the "send-proxy" directive on your server line (the one which forwards the > traffic to haproxy itself). If you have any doubt about your

Re: rewrite URI

2017-06-14 Thread Haim Ari
yea, i tried that, does not work Haim Ari / SysOps Manager M: 972.584563032 / T: 972.722288367 From: Jin Hu Sent: Wednesday, June 14, 2017 1:20 PM To: Haim Ari Cc: haproxy@formilux.org Subject: Re: rewrite URI Hi, I think you

Re: rewrite URI

2017-06-14 Thread Jin Hu
Hi, I think you can achieve this by moving the rewrite operations into the backend section, like the following:

    frontend:
        acl is_test url_beg /Test
        use_backend test if is_test
    backend:
        acl is_test url_beg /Test
        http-request set-path /Prod if is_test

On Wed, Jun 14, 2017 at 5:08

Re: Issue while using Proxy protocol in TCP mode

2017-06-14 Thread Christopher Faulet
On 13/06/2017 at 18:37, Vijay Bais wrote: Yes, I agree it's an old and unstable version; will upgrade to a stable release. The client is also haproxy of same old version, which forwards the traffic using proxy protocol (similar to the link specified earlier). Ok, If the problem is still

Re: Issue while using Proxy protocol in TCP mode

2017-06-14 Thread Pavlos Parissis
On 06/14/2017 11:17 AM, Vijay Bais wrote: > Upgraded haproxy to 1.5.18. > Why not 1.5.19? 1.5.18 was released a year ago. Do you have a reason for not switching to 1.7.5? Having said this, your problem could be a configuration issue or a new bug. Cheers. Pavlos

rewrite URI

2017-06-14 Thread Haim Ari
Hello, I would like to create an ACL that will rewrite the URI if the URI is "/Test" https://test.example.com/Test Change it to: /Prod https://test.example.com/Prod But at the same time also send it to a specific backend Here is what I've tried but does not seem

Re: HAProxy won't shut down

2017-06-14 Thread Frederic Lecaille
On 06/14/2017 08:51 AM, Frederic Lecaille wrote: On 06/13/2017 09:16 PM, Frederic Lecaille wrote: Hello Patrick, [snipped] I hope the patch attached to this mail will definitively fix such peer CLOSE_WAIT issues. A better patch which fixes the comments and commit message. Sorry again

Re: HAProxy won't shut down

2017-06-14 Thread Frederic Lecaille
On 06/13/2017 09:16 PM, Frederic Lecaille wrote: Hello Patrick, [snipped] I hope the patch attached to this mail will definitively fix such peer CLOSE_WAIT issues. A better patch which fixes the comments and commit message. From 5535bcd5298bbbce11385eee18ef740848d31903 Mon Sep 17