Re: Haproxy 1.8 with OpenSSL 1.1.1-pre4 stops working after 1 hour

2018-05-23 Thread Lukas Tribus
Hello,

On 23 May 2018 at 22:17, Jim Freeman wrote:
> Or kludge around it with eg; http://www.issihosts.com/haveged/ ?

No, it's not about insufficient entropy in the kernel. It's about interfacing with that entropy while in chroot.

Lukas

Re: Haproxy 1.8 with OpenSSL 1.1.1-pre4 stops working after 1 hour

2018-05-23 Thread Jim Freeman
Or kludge around it with eg; http://www.issihosts.com/haveged/ ? On Wed, May 23, 2018 at 1:48 PM, Lukas Tribus wrote: > Hello, > > > On 23 May 2018 at 18:29, Emeric Brun wrote: > > This issue was due to openssl-1.1.1 which re-seeds after an elapsed time > or

Re: Haproxy 1.8 with OpenSSL 1.1.1-pre4 stops working after 1 hour

2018-05-23 Thread Lukas Tribus
Hello, On 23 May 2018 at 18:29, Emeric Brun wrote: > This issue was due to openssl-1.1.1 which re-seeds after an elapsed time or > number of requests. > > If /dev/urandom is used as seeding source when haproxy is chrooted it fails > to re-open /dev/urandom > > By default

Re: Dynamically adding/deleting SSL certificates

2018-05-23 Thread Aurélien Nephtali
Hello Emeric, On Tue, May 22, 2018 at 05:37:58PM +0200, Emeric Brun wrote: > Hi Aurélien > > I see that you're using the domain to know the certificate to delete. > > If you take a look at crt-list, you will see that the identifier of the > certificate > is customizable and is not necessarily

Re: remaining process after (seamless) reload

2018-05-23 Thread William Dauchy
On Wed, May 23, 2018 at 06:49:09PM +0200, William Dauchy wrote: > We do frequent reloads (approximately every 10s). > After a while some processes remain alive and seem to never exit (waited >24 > hours). While stracing them, some of them are still handling traffic and > doing healthchecks.

Re: Rewrite image path based on HTTP_REQUEST

2018-05-23 Thread Jarno Huuskonen
Hi, On Sat, May 19, Aleksandar Lazic wrote: > On 17/05/2018, Lotic Lists wrote: > > How can I rewrite an image path based on URL? > > > > Example, users request the url www.example.com/images/logo.png, haproxy just > > balances to backend servers normally. > > > > Now users request

remaining process after (seamless) reload

2018-05-23 Thread William Dauchy
Hello, I am trying to understand a possible issue we have regarding haproxy (seamless) reloads. I am using haproxy v1.8.9 with the following config (using nbthread): global log 127.0.0.1 local0 info maxconn 262144 user haproxy group haproxy nbproc 1 daemon

Re: Haproxy 1.8 with OpenSSL 1.1.1-pre4 stops working after 1 hour

2018-05-23 Thread Emeric Brun
Hi Sander, Lukas, On 05/23/2018 02:32 PM, Lukas Tribus wrote: > Hello, > > On 23 May 2018 at 13:10, Sander Hoentjen wrote: >> I can confirm the issue is gone when I don't use chroot. I will try to >> see if I can get more info like a strace soon. I won't be able to today >>

Re: DNS resolver + threads, 100% cpu usage / hang 1.9dev

2018-05-23 Thread Willy Tarreau
Hi Olivier,

On Wed, May 23, 2018 at 04:13:20PM +0200, Olivier Houchard wrote:
> Thanks a lot for testing, and your usual investigation work !
>
> Willy, can you please apply this ?

Sure, now done, thanks!

Willy

Re: [RFC PATCH] MINOR: ssl: set SSL_OP_PRIORITIZE_CHACHA

2018-05-23 Thread Willy Tarreau
Hi Lukas,

On Wed, May 23, 2018 at 03:30:55PM +0200, Lukas Tribus wrote:
> You can merge as-is, it was just RFC to see if there are any
> objections to enable this flag unconditionally.

OK now merged, thank you!

Willy

Re: DNS resolver + threads, 100% cpu usage / hang 1.9dev

2018-05-23 Thread Olivier Houchard
Hi Pieter, On Tue, May 22, 2018 at 09:00:24PM +0200, PiBa-NL wrote: > Hi Olivier, > > On 22-5-2018 at 18:46, Olivier Houchard wrote: > > Hi Pieter, > > > > Does the attached patch fix it for you ? It's been generated from master, > > but will probably apply against 1.8 as well. > > > > Thanks

Re: [RFC PATCH] MINOR: ssl: set SSL_OP_PRIORITIZE_CHACHA

2018-05-23 Thread Lukas Tribus
Hi Willy, On 22 May 2018 at 18:54, Willy Tarreau wrote: > On Tue, May 22, 2018 at 04:28:38PM +0200, Emeric Brun wrote: >> I agree, we could merge it as it is. > > OK thanks Emeric. > > So Lukas, just let me know if you want me to merge it as-is or if you > still have some polishing

Re: SSL certs loading performance regression

2018-05-23 Thread Emmanuel Hocdet
Hi Hervé, > On 22 May 2018 at 10:31, Hervé Commowick wrote: > > Hello HAProxy ML, > > I tracked down a performance regression about loading bunch of > certificates, at least 3x to 5x more time for loading 10 certs since > this commit >

Re: Haproxy 1.8 with OpenSSL 1.1.1-pre4 stops working after 1 hour

2018-05-23 Thread Lukas Tribus
Hello, On 23 May 2018 at 13:10, Sander Hoentjen wrote: > I can confirm the issue is gone when I don't use chroot. I will try to > see if I can get more info like a strace soon. I won't be able to today > though. Thanks Lucas and Emeric! 1.8.9 with 1.1.1-pre6 chrooted is now

Process crash on reload with TLS tickets

2018-05-23 Thread Janusz Dziemidowicz
Hi, this seems harmless, but haproxy processes crash on reload when using TLS tickets with multiple sockets per port. Following configuration reproduces the problem: global nbproc 2 user haproxy group haproxy daemon defaults timeout connect 5000 timeout client 5 timeout server

Re: Fwd: [haproxy/haproxy] BUG/MAJOR: server: Segfault after parsing server state file. (0bedb8a)

2018-05-23 Thread Tim Düsterhus
Willy, (writing from my phone, blame it, if I mess up the quotes) On 23.05.2018 at 11:20 AM, Willy Tarreau wrote: Well, please post here instead, it's where people are present and follow the activity. I'm adding Fred in CC since he's the one who fixed the crash, and Baptiste as

gRPC protocol

2018-05-23 Thread Aleksandar Lazic
Hi. Any plans to add the gRPC Protocol into haproxy? Has anyone used https://github.com/jinq0123/grpc-lua or similar in haproxy? In some areas the gRPC Protocol is more and more famous; due to this fact I just ask what the plan for this protocol is, like mqtt? Best regards Aleks

Re: Haproxy 1.8 with OpenSSL 1.1.1-pre4 stops working after 1 hour

2018-05-23 Thread Sander Hoentjen
On 05/22/2018 04:31 PM, Sander Hoentjen wrote: > On 05/22/2018 04:19 PM, Emeric Brun wrote: >> Hi Sander, >> >> On 05/22/2018 02:04 PM, Sander Hoentjen wrote: >>> On 05/22/2018 12:04 PM, Lukas Tribus wrote: Hello, On 22 May 2018 at 11:48, Sander Hoentjen

Re: SPOE and modsecurity contrib

2018-05-23 Thread Willy Tarreau
On Sun, May 20, 2018 at 10:59:02AM -0400, Daniel Corbett wrote: > While I haven't been able to get 'tcp-request content reject' to work with > this configuration -- I am able to get 'http-request deny' to work: > > http-request deny if { var(txn.modsec.code) -m int gt 0 } This is expected. The

Re: Fwd: [haproxy/haproxy] BUG/MAJOR: server: Segfault after parsing server state file. (0bedb8a)

2018-05-23 Thread Willy Tarreau
Hi Tim, On Tue, May 22, 2018 at 09:52:16PM +0200, Tim Düsterhus wrote: > Hi list > > the following comment has been posted to GitHub on commit > 0bedb8ac90ffdf1498a999c44d1c91556fb726ee > > https://github.com/haproxy/haproxy/commit/0bedb8ac90ffdf1498a999c44d1c91556fb726ee#commitcomment-29087381

Re: [PATCH] MINOR: http: Log warning if (add|set)-header fails

2018-05-23 Thread Willy Tarreau
Hi Tim, On Sun, May 20, 2018 at 05:55:06PM +0200, Tim Duesterhus wrote: > Willy, > > attached is a first attempt at a patch that adds logging (without any rate > limiting). I have a few questions regarding the whole counters and logging > infrastructure: > > 1. I noticed that there is