SSL Labs says my server isn't doing ssl session resumption

2021-06-11 Thread Shawn Heisey
I'm fiddling with ssl labs to see how I can improve my TLS setup. Here's what they say about a site I have behind haproxy with TLS: https://www.elyograg.org/foo/haproxy-ssllabs-session-resumption-not-working.png They claim that session resumption isn't working. I'm hoping that I've just done

Re: http-response set-header and redirect

2021-06-11 Thread James Brown
Thanks! On Fri, Jun 11, 2021 at 11:36 AM Tim Düsterhus wrote: > James, > > On 6/11/21 8:28 PM, James Brown wrote: > > Is there any reason (performance or otherwise) to use http-response > instead > > of just turning everything into http-after-response? > > There is a difference: If a http-respon

HAProxyConf 2021 - Call for papers

2021-06-11 Thread Willy Tarreau
Hi all, some of you have probably already noticed the announcement in [1], the 2021 edition of the HAProxyConf will take place on November 16-17 as a "virtual event" (I personally prefer to say "online" as "virtual" always makes me feel that I'm losing something important). For sure we'll all miss th

Re: http-response set-header and redirect

2021-06-11 Thread Tim Düsterhus
James, On 6/11/21 8:28 PM, James Brown wrote: Is there any reason (performance or otherwise) to use http-response instead of just turning everything into http-after-response? There is a difference: If a http-response rule fails [1] then a standard error page will be emitted. For this error pa

Re: http-response set-header and redirect

2021-06-11 Thread James Brown
Is there any reason (performance or otherwise) to use http-response instead of just turning everything into http-after-response? On Fri, Jun 11, 2021 at 11:07 AM Tim Düsterhus wrote: > James, > > On 6/11/21 8:03 PM, James Brown wrote: > > Is there any way to set a HTTP header on a redirect being

Re: Weird behavior of spoe between http and https requests

2021-06-11 Thread Aleksandar Lazic
Hi. On 11.06.21 18:07, Aleksandar Lazic wrote: Hi. I use haproxy 2.4 with this fe config. ``` global     log stdout format raw daemon     daemon     maxconn 2     stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners     stats timeout 30s     tune.ssl.defaul

Re: [PATCH 0/4] Use 'feature cmd' in regtests

2021-06-11 Thread Илья Шипицин
haproxy/regression-testing.txt at master · haproxy/haproxy (github.com) can it be converted into md/rst ?? please please ? Fri, 11 Jun 2021 at 23:19, Илья Шипицин : > there's reg-test documentation for beginners. > sho

Re: [PATCH 0/4] Use 'feature cmd' in regtests

2021-06-11 Thread Илья Шипицин
there's reg-test documentation for beginners. should it be updated as well ? Fri, 11 Jun 2021 at 22:56, Tim Duesterhus : > Hi! > > I hope I added all the active developers that touch the reg-tests to the > 'CC' > list :-) > > This series updates the regtests to make use of VTest's 'feature cmd'

Re: http-response set-header and redirect

2021-06-11 Thread Tim Düsterhus
James, On 6/11/21 8:03 PM, James Brown wrote: Is there any way to set a HTTP header on a redirect being emitted by haproxy? To also match HAProxy generated responses (including redirects and error pages) you will need to use 'http-after-response': https://cbonte.github.io/haproxy-dconv/2.4/

http-response set-header and redirect

2021-06-11 Thread James Brown
Is there any way to set a HTTP header on a redirect being emitted by haproxy? Given the following simplified config: global log stdout user defaults log global timeout client 9s timeout server 10s timeout connect 1s frontend test_fe mode http http-response set-header

Re: [PATCH] CI: cirrus: add alpine linux to the jobs

2021-06-11 Thread Илья Шипицин
it works :) oops · chipitsine/haproxy@2ce9681 (github.com) I'll polish it a bit and will send final patch tomorrow Fri, 11 Jun 2021 at 20:42, Илья Шипицин : > > > Fri, 11 Jun 2021 at 20:34, William Lallemand : > >> On Fri, Jun 11, 2021

[PATCH 0/4] Use 'feature cmd' in regtests

2021-06-11 Thread Tim Duesterhus
Hi! I hope I added all the active developers that touch the reg-tests to the 'CC' list :-) This series updates the regtests to make use of VTest's 'feature cmd' syntax to skip tests that are not supported in the current environment. In the long run this should result in much cleaner tests,

[PATCH 3/4] REGTESTS: Replace REQUIRE_BINARIES with 'command -v'

2021-06-11 Thread Tim Duesterhus
This migrates the tests to the native `feature cmd` functionality of VTest. --- reg-tests/mcli/mcli_start_progs.vtc | 2 +- reg-tests/ssl/add_ssl_crt-list.vtc | 2 +- reg-tests/ssl/new_del_ssl_cafile.vtc| 2 +- reg-tests/ssl/new_del_ssl_crlfile.vtc | 2 +- reg-tests/ssl/set_ssl_cafi

[PATCH 2/4] REGTESTS: Replace REQUIRE_OPTIONS with 'haproxy -cc' for 2.5+ tests

2021-06-11 Thread Tim Duesterhus
This migrates the tests for HAProxy versions that support '-cc' to the native VTest functionality. --- reg-tests/ssl/new_del_ssl_cafile.vtc| 2 +- reg-tests/ssl/new_del_ssl_crlfile.vtc | 2 +- reg-tests/ssl/set_ssl_cafile.vtc| 2 +- reg-tests/ssl/set_ssl_crlfile.vtc | 2 +- reg

[PATCH 4/4] REGTESTS: Remove support for REQUIRE_BINARIES

2021-06-11 Thread Tim Duesterhus
This is no longer used since the migration to the native `feature cmd` functionality. --- scripts/run-regtests.sh | 12 1 file changed, 12 deletions(-) diff --git a/scripts/run-regtests.sh b/scripts/run-regtests.sh index b542f24f8..6eadc06c7 100755 --- a/scripts/run-regtests.sh +++ b

[PATCH 1/4] REGTESTS: Replace REQUIRE_VERSION=2.5 with 'haproxy -cc'

2021-06-11 Thread Tim Duesterhus
This is safe, because running `haproxy -cc 'version_atleast(2.5-dev0)'` on HAProxy 2.4 will also result in an exit code of 1. --- reg-tests/http-messaging/http_abortonclose.vtc | 2 +- reg-tests/ssl/new_del_ssl_cafile.vtc | 2 +- reg-tests/ssl/new_del_ssl_crlfile.vtc | 2 +- reg

Re: [PATCH 1/2] REGTESTS: Remove REQUIRE_VERSION=1.6 from all tests

2021-06-11 Thread Willy Tarreau
On Fri, Jun 11, 2021 at 06:16:24PM +0200, Tim Duesterhus wrote: > HAProxy 1.6 is EOL, thus this always matches. (...) Both applied, thanks Tim! willy

[PATCH 1/2] REGTESTS: Remove REQUIRE_VERSION=1.6 from all tests

2021-06-11 Thread Tim Duesterhus
HAProxy 1.6 is EOL, thus this always matches. --- reg-tests/compression/lua_validation.vtc | 1 - reg-tests/converter/json.vtc | 1 - reg-tests/converter/url_dec.vtc | 1 - reg-tests/http-messaging/h1_to_h1.vtc | 1 - reg-

[PATCH 2/2] REGTESTS: Remove REQUIRE_VERSION=1.7 from all tests

2021-06-11 Thread Tim Duesterhus
HAProxy 1.7 is the lowest supported version, thus this always matches. --- reg-tests/http-rules/map_regm_with_backref.vtc | 1 - 1 file changed, 1 deletion(-) diff --git a/reg-tests/http-rules/map_regm_with_backref.vtc b/reg-tests/http-rules/map_regm_with_backref.vtc index 7a5b879d2..78af44721 1

Weird behavior of spoe between http and https requests

2021-06-11 Thread Aleksandar Lazic
Hi. I use haproxy 2.4 with this fe config. ``` global log stdout format raw daemon daemon maxconn 2 stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners stats timeout 30s tune.ssl.default-dh-param 2048 # Default SSL material locations

Re: [PATCH] CI: cirrus: add alpine linux to the jobs

2021-06-11 Thread Илья Шипицин
Fri, 11 Jun 2021 at 20:34, William Lallemand : > On Fri, Jun 11, 2021 at 08:14:49PM +0500, Илья Шипицин wrote: > > I've found ubuntu musl package, so we can just link to it in CI, for > > example (I'll try) > > > > > Well, that won't give you the same environment as a docker image, > with the

Re: [PATCH] CI: cirrus: add alpine linux to the jobs

2021-06-11 Thread William Lallemand
On Fri, Jun 11, 2021 at 08:14:49PM +0500, Илья Шипицин wrote: > I've found ubuntu musl package, so we can just link to it in CI, for > example (I'll try) > Well, that won't give you the same environment as a docker image, with the same versions. I'll honestly prefer if we could do it with the

Re: [PATCH] CI: cirrus: add alpine linux to the jobs

2021-06-11 Thread Илья Шипицин
Fri, 11 Jun 2021 at 20:18, Willy Tarreau : > On Fri, Jun 11, 2021 at 08:14:49PM +0500, Илья Шипицин wrote: > > @Willy Tarreau , do you think it is good idea to display libc > > variant in "haproxy -vv" ? > > If needed we can (for those that are detectable), but I'm not convinced > of the benefi

Re: [PATCH] CI: cirrus: add alpine linux to the jobs

2021-06-11 Thread Willy Tarreau
On Fri, Jun 11, 2021 at 08:14:49PM +0500, Илья Шипицин wrote: > @Willy Tarreau , do you think it is good idea to display libc > variant in "haproxy -vv" ? If needed we can (for those that are detectable), but I'm not convinced of the benefits. If it's in order to exclude some tests, I'd rather me

Re: [PATCH] CI: cirrus: add alpine linux to the jobs

2021-06-11 Thread Илья Шипицин
@Willy Tarreau , do you think it is good idea to display libc variant in "haproxy -vv" ? (not sure actually whether musl represent itself in recognizable way) I've found ubuntu musl package, so we can just link to it in CI, for example (I'll try) Fri, 11 Jun 2021 at 20:03, Илья Шипицин : > >

Re: [PATCH] CI: cirrus: add alpine linux to the jobs

2021-06-11 Thread Илья Шипицин
Fri, 11 Jun 2021 at 19:43, William Lallemand : > On Fri, Jun 11, 2021 at 07:09:14PM +0500, Илья Шипицин wrote: > > I'm against expanding cirrus matrix. cirrus is overloaded already, I'm > > afraid they will not stay for long time. > > using custom images in github actions is straightforward, hav

Re: [PATCH] CI: cirrus: add alpine linux to the jobs

2021-06-11 Thread William Lallemand
On Fri, Jun 11, 2021 at 07:09:14PM +0500, Илья Шипицин wrote: > I'm against expanding cirrus matrix. cirrus is overloaded already, I'm > afraid they will not stay for long time. > using custom images in github actions is straightforward, have a look > > centos 6 · chipitsine/haproxy@20fabcd (githu

Re: [PATCH] CI: cirrus: add alpine linux to the jobs

2021-06-11 Thread William Lallemand
On Fri, Jun 11, 2021 at 07:19:51PM +0500, Илья Шипицин wrote: > William, if you do not have a time, I can try to create github action based > on your cirrus patch ... tomorrow ? > I tried quickly but like Tim I couldn't make it work. I can't spend much time on this, if you are able to make this

Re: [PATCH] CI: cirrus: add alpine linux to the jobs

2021-06-11 Thread Илья Шипицин
William, if you do not have a time, I can try to create github action based on your cirrus patch ... tomorrow ? Fri, 11 Jun 2021 at 19:09, Илья Шипицин : > I'm against expanding cirrus matrix. cirrus is overloaded already, I'm > afraid they will not stay for long time. > using custom images in

Re: [PATCH] CI: cirrus: add alpine linux to the jobs

2021-06-11 Thread Илья Шипицин
I'm against expanding cirrus matrix. cirrus is overloaded already, I'm afraid they will not stay for long time. using custom images in github actions is straightforward, have a look centos 6 · chipitsine/haproxy@20fabcd (github.com)

Re: add alpine linux to the CI

2021-06-11 Thread Tim Düsterhus
William On 6/11/21 4:01 PM, William Lallemand wrote: I couldn't find a way to launch an alpine job easily with github actions so instead I wrote one for cirrus-ci, It will help debugging Docker images and musl problems. I believe GitHub Actions also supports running using a Docker Image. I at

Re: [PATCH] CI: cirrus: add alpine linux to the jobs

2021-06-11 Thread Tim Düsterhus
William, On 6/11/21 4:01 PM, William Lallemand wrote: This commit adds a CI job to cirrus-ci which builds HAProxy on Alpine Linux, allowing to build and test HAProxy with musl. OpenSSL, PCRE2, Lua 5.3 as well as the prometheus exporter are enabled. GNU grep was purposely installed to run the r

[PATCH] CI: cirrus: add alpine linux to the jobs

2021-06-11 Thread William Lallemand
This commit adds a CI job to cirrus-ci which builds HAProxy on Alpine Linux, allowing to build and test HAProxy with musl. OpenSSL, PCRE2, Lua 5.3 as well as the prometheus exporter are enabled. GNU grep was purposely installed to run the reg-test script. --- .cirrus.yml | 13 + 1 fi

add alpine linux to the CI

2021-06-11 Thread William Lallemand
Hello guys, I couldn't find a way to launch an alpine job easily with github actions so instead I wrote one for cirrus-ci, It will help debugging Docker images and musl problems. Example of the run here: https://cirrus-ci.com/task/5985082050609152 I'll push it in the master if that's fine with y