AND OR priority when forming conditions

2023-02-24 Thread Arnall
Hello everyone, I have been using Haproxy for years but I still have trouble understanding this part of the documentation: 7.2. Using ACLs to form conditions A condition is formed as a disjunctive form:    [!]acl1 [!]acl2 ... [!]acln  { or [!]acl1 [!]acl2 ... [!]acln } ... first it does not

Re: [ANNOUNCE] haproxy-2.4.22

2023-02-14 Thread Arnall
Hello, Le 14/02/2023 à 17:52, Tim Düsterhus a écrit : Marc, On 2/14/23 17:44, Marc Gebauer wrote: Listing... Done haproxy/bullseye-backports-2.4 2.4.21-2~bpo11+1 amd64 [upgradable from: 2.4.21-1~bpo11+1] is this the recommend package to use for Debian (because of the version-number 2.4.21

option redispatch, http/tcp

2022-07-29 Thread Arnall
Hello everyone, I'm not sure about something related to the redispatch option. When I search the internet, many people indicate that the redispatch option only works with http mode. But the main purpose of the "redispatch option" is to redispatch to another server when you can't establish a T

src, src_port and session

2022-07-05 Thread Arnall
Hello everyone, Just a simple question, can you confirm that src and src_port are set only once per session ? This seems to be the behaviour when I modify them with set-src and set-src-port but I want to be sure. for example: http-request set-src req.hdr_ip(True-Client-IP) if whatevercondi

Server sent fatal alert: decode_error

2020-08-17 Thread Arnall
Hello everyone, i've made a tls test on ssllabs, and in the report i can see we have this error : "Server sent fatal alert: decode_error" in the handshake simulation part. it happens essentially with recent platform : Android 8.1/9.0, Chrome 69/70/80, Firefox 73, OpenSSL 1.1.0k/1.1.1c, Safari

Re: http-reuse and Proxy protocol

2020-07-27 Thread Arnall
Hello, Le 23/07/2020 à 14:34, Willy Tarreau a écrit : Hi Arnall, On Tue, Jul 21, 2020 at 01:27:31PM +0200, Arnall wrote: Hello everyone, I remember that in the past it was strongly discouraged to use http-reuse in combination with send-proxy, because of the client IP which is provided by the

http-reuse and Proxy protocol

2020-07-21 Thread Arnall
Hello everyone, I remember that in the past it was strongly discouraged to use http-reuse in combination with send-proxy, because of the client IP which is provided by the proxy protocol. I have this configuration : HA-Proxy version 2.0.14-1~bpo9+1 2020/04/16 - https://haproxy.org/ defaults

Re: Bad date in 1.9.xx SPEC files

2020-02-13 Thread Arnall
Le 13/02/2020 à 18:10, Blair, Steven a écrit : This problem has existed for several iterations and should be obvious to a casual reviewer. Please fix it. I really do not understand why the .spec file was removed in 2.x versions, but if it is intended for 1.9.x, it should at least work. %ch

Re: [ANNOUNCE] haproxy-1.9-dev11

2018-12-18 Thread Arnall
Hello, Le 17/12/2018 à 20:16, Willy Tarreau a écrit : Hi Arnall, On Mon, Dec 17, 2018 at 02:13:31PM +0100, Arnall wrote: don't know if it's related but haproxy.org answers with 400 status right now ! (Windows 10 Chrome/Firefox) Might be, though I can't reproduce it. I'v

Re: [ANNOUNCE] haproxy-1.9-dev11

2018-12-17 Thread Arnall
Le 16/12/2018 à 23:05, Willy Tarreau a écrit : I expected to release this week-end after running it on the haproxy.org servers, but some annoying issues faced in production took some time to get fixed and delayed the release. Things have been quiet now, with 18 hours running without a glitch in

Re: FW: LUA and doing things

2018-09-24 Thread Arnall
Hello, Le 24/09/2018 à 12:29, Franks Andy (IT Technical Architecture Manager) a écrit : Sorry to be a nag, but anyone any ideas with this. Or is it just indicated to regularly parse log files (seems a bit of a hacky solution). Thanks! *From:*Franks Andy (IT Technical Architecture Manager)

Re: Question about haproxy logs

2018-04-19 Thread Arnall
Le 19/04/2018 à 09:35, rai...@ultra-secure.de a écrit : Hi, I have lines like these: Apr 19 09:32:03 lb-prod haproxy[16717]: 127.0.0.1:50898 [19/Apr/2018:09:32:03.174] srv-pub-front-ssl srv-pub-back-ssl/WINSRV 0/0/0/36/290 500 284 - - --VN 3/1/0/1/0 0/0 "POST /SaveStatistics HTTP/1.1" Do

Re: HAProxy 1.7.5: conn_cur value problem with peer stick-table

2018-02-07 Thread Arnall
Le 27/10/2017 à 18:06, Arnall a écrit : Le 27/05/2017 à 08:49, Willy Tarreau a écrit : Hi Maxime, On Fri, May 19, 2017 at 02:28:40PM +0200, Maxime Guillet wrote: 2/ If I launch the same test on both haproxy servers and peers configuration activated, I can see the conn_cur counter always

Re: [ANNOUNCE] haproxy-1.8.0

2017-11-27 Thread Arnall
Le 26/11/2017 à 19:57, Willy Tarreau a écrit : Hi all, After one year of intense development and almost one month of debugging, polishing, and cross-review work trying to prevent our respective coworkers from winning the first bug award, I'm pleased to announce that haproxy 1.8.0 is now official

Re: HAProxy 1.7.5: conn_cur value problem with peer stick-table

2017-10-27 Thread Arnall
Le 27/05/2017 à 08:49, Willy Tarreau a écrit : Hi Maxime, On Fri, May 19, 2017 at 02:28:40PM +0200, Maxime Guillet wrote: 2/ If I launch the same test on both haproxy servers and peers configuration activated, I can see the conn_cur counter always increasing $ ab -n 2000 -c 20 http://10.0.0

bad queue report in stats

2017-10-10 Thread Arnall
Hello everyone, Name: HAProxy Version: 1.7.5-2~bpo8+1 Release_date: 2017/05/27 OS : Debian 8 i have something weird in my stats with this configuration : backend be_abuse     bind-process 1     timeout server 60s     balance roundrobin     hash-balance-factor 0     acl untrusted_country var(re

Re: TCP ACL rules based on host name

2017-10-04 Thread Arnall
Le 22/09/2017 à 03:13, rt3p95qs a écrit : Is it possible to assign TCP (no HTTP) connections to a backend based on an alias haproxy has? For example: HAProxy has 3 alias names, server01.example.com , server02.example.com and server03.

Lua function 'xxxxxx': yield not allowed.

2017-09-29 Thread Arnall
Hello everyone, i use a simple lua script in Haproxy ( HA-Proxy version 1.7.9-1~bpo8+1 2017/08/24 ): - function add_delay(txn)     local default = 200     local delay = txn:get_var("req.delay")     if delay ~= nil then         core.msleep(delay)     else         core.msleep(default)  

Re: stick-table ,show table, use field

2017-03-31 Thread Arnall
ring". Maybe i misunderstand the sentence ? echo "show table " | sudo socat stdio /run/haproxy/admin.sock # table: web_plain, type: ip, size:52428800, used:0 # table: dummy_stick_table, type: string, size:52428800, used:0 Thanks Le 30/03/2017 à 22:50, Bryan Talbot a écrit

stick-table ,show table, use field

2017-03-30 Thread Arnall
Hello everyone, when using socat to show a stick-table i have lines like this : # table: dummy_table, type: ip, size:52428800, used:33207 0x7f202f800720: key=aaa.bbb.ccc.ddd use=0 exp=599440 gpc0=0 conn_rate(5000)=19 conn_cur=0 http_req_rate(1)=55 ../... I understand all the fields exce

Re: http reuse and proxy protocol

2017-01-05 Thread Arnall
Le 03/01/2017 à 18:18, Lukas Tribus a écrit : Hi Arnall, Am 03.01.2017 um 16:15 schrieb Arnall: Is it possible that with "http-reuse always" the yyy.yyy.yyy.yyy request has used the xxx.xxx.xxx.xxx connection between https and http frontend with proxy protocol forwarding xxx.x

http reuse and proxy protocol

2017-01-03 Thread Arnall
Hi everyone, recently we have separated https and http frontend in order to scale well. we are using a nbproc > 1 configuration for ssl offloading : listen web_tls mode http bind *:443 ssl crt whatever.pem process 2 bind *:443 ssl crt whatever.pem process 3 ../.. server web_pla

Re: ssl offloading and send-proxy-v2-ssl

2016-12-31 Thread Arnall
Le 27/12/2016 à 00:35, Patrick Hemmer a écrit : On 2016/12/23 09:28, Arnall wrote: Hi everyone, i'm using a nbproc > 1 configuration for ssl offloading : listen web_tls mode http bind *:443 ssl crt whatever.pem process 2 bind *:443 ssl crt whatever.pem p

Re: ssl offloading and send-proxy-v2-ssl

2016-12-31 Thread Arnall
ps you could use src_is_local. Something like this frontend web_plain acl is_local src_is_local http-response add-header X-External-Protocol https if is_local /Elias On Fri, Dec 23, 2016 at 3:28 PM, Arnall mailto:arnall2...@gmail.com>> wrote: Hi everyo

ssl offloading and send-proxy-v2-ssl

2016-12-23 Thread Arnall
Hi everyone, i'm using a nbproc > 1 configuration for ssl offloading : listen web_tls mode http bind *:443 ssl crt whatever.pem process 2 bind *:443 ssl crt whatever.pem process 3 ../.. server web_plain u...@plain.sock send-proxy-v2-ssl frontend web_plain bind *:80 proce

Re: problem with server and unix socket unix@

2016-12-12 Thread Arnall
t to know if the connection was via TLS or not, but how can i get this information in the plain frontend ? I've tried to use "if { ssl_fc }" but it doesn't work... Le 12/12/2016 à 21:55, Lukas Tribus a écrit : Hello Arnall, you said you tried different users, d

Re: problem with server and unix socket unix@

2016-12-12 Thread Arnall
sock STDIO HTTP/1.1 301 Moved Permanently Server: nginx Date: Mon, 12 Dec 2016 19:12:32 GMT .../... so i really don't know what is wrong in my configuration... Le 12/12/2016 à 19:17, Arnall a écrit : Hello everyone, i got this configuration to offload TLS on multiple process and handle the pla

problem with server and unix socket unix@

2016-12-12 Thread Arnall
Hello everyone, i got this configuration to offload TLS on multiple process and handle the plain http on only one process: global nbproc 3 listen web_tls mode http bind *:443 ssl crt certif.pem process 2 bind *:443 ssl crt certif.pem process 3 maxconn 10 serve

Re: how to match the URL exactly to avoid url hijacking?

2016-12-03 Thread Arnall
Hello, if the redirection is domain based, you don't have to use "base", path doesn't seem to have any importance in your redirections. you should try and check one of these : acl is_qx963 hdr_dom(host) -i cccd.abc.com acl is_qx1033 hdr_dom(host) -i d.abc.com redirect prefix ht

Re: SC session state with googlebot

2016-12-01 Thread Arnall
Sorry everyone, forget about this message , just a misconfiguration ... Le 01/12/2016 à 15:25, Arnall a écrit : Hello everyone, i have a special case in our logs with googlebot, with some static files, we have a SC-- session state and of course a 503 status code : 66.249.76.63:55140

SC session state with googlebot

2016-12-01 Thread Arnall
Hello everyone, i have a special case in our logs with googlebot, with some static files, we have a SC-- session state and of course a 503 status code : 66.249.76.63:55140 frontend_web frontend_web/ -1/-1/-1/-1/5 503 212 - \- SC-- 2179/2175/0/0/0 0/0 {|static.hostname.tld|Mozilla/5.0_(comp

Re: option dontlognull

2016-11-08 Thread Arnall
Le 08/11/2016 à 16:36, Willy Tarreau a écrit : Hello, On Tue, Nov 08, 2016 at 03:55:04PM +0100, Arnall wrote: Hello everyone, i've made some test on the 'option dontlognull' / 'no option dontlognull' and 'tcp-request deny', because i want to be sure that

option dontlognull

2016-11-08 Thread Arnall
Hello everyone, i've made some test on the 'option dontlognull' / 'no option dontlognull' and 'tcp-request deny', because i want to be sure that IP in blacklist is logged correctly. I'm still not sure about the behavior, if i have "no option dontlognull' i have all denied requests logged, tha

multi process limitations

2016-05-31 Thread Arnall
Hello everyone, could you please tell me if the limitations with multi-process are still true with HAProxy 1.6 : - frontend(s) and associated backend(s) must run on the same process - not compatible with peers section (stick table synchronisation) ( from here : http://blog.haproxy.com/2015/

Linux or FreeBSD ?

2015-09-30 Thread Arnall
Hi Everyone, just a simple question, is FreeBSD a good choice for Haproxy ? Our Haproxy runs under Debian for years, but the new IT want to put it under FreeBSD. Any cons ? Thanks.

Fastsocket and Haproxy

2014-10-22 Thread Arnall
Hi everyone, do you know this project : https://github.com/fastos/fastsocket "Currently Fastsocket is implemented in the Linux kernel(kernel-2.6.32-431.17.1.el6) of CentOS-6.5. According to our evaluations, Fastsocket increases throughput of Nginx and Haproxy(measured by connections per secon

Re: Error 408 with Chrome

2014-05-26 Thread Arnall
Le 26/05/2014 16:13, Willy Tarreau a écrit : Hi Arnall, On Mon, May 26, 2014 at 11:56:52AM +0200, Arnall wrote: Hi Willy, same problem here with Chrome version 35.0.1916.114 m and : HA-Proxy version 1.4.22 2012/08/09 (Debian 6) Kernel 3.8.13-OVH HA-Proxy version 1.5-dev24-8860dcd 2014/04/26

Re: Error 408 with Chrome

2014-05-26 Thread Arnall
Hi Willy, same problem here with Chrome version 35.0.1916.114 m and : HA-Proxy version 1.4.22 2012/08/09 (Debian 6) Kernel 3.8.13-OVH HA-Proxy version 1.5-dev24-8860dcd 2014/04/26 (Debian GNU/Linux 7.5) Kernel 3.10.13-OVH 408 Request Time-out Your browser didn't send a complete request in time

Re: [ANNOUNCE] haproxy-1.5-dev20

2013-12-16 Thread Arnall
Great news Willy, thanks a lot for all of this, and thanks to all the contributors ! Le 16/12/2013 03:41, Willy Tarreau a écrit : Hi all, here is probably the largest update we ever had, it's composed of 345 patches! Some very difficult changes had to be made and as usual when such changes ha

Re: HaProxy and kernel 3.8

2013-05-16 Thread Arnall
Thanks Lukas, i've made some search on kernel 3.2.x and i've found some articles reporting inconsistent load average on tickless kernels (CONFIG_NO_HZ=y). It seems to be the case here. Thks again. Arnaud. Le 16/05/2013 20:44, Lukas Tribus a écrit : Hi Arnall, looks like the lo

Re: HaProxy and kernel 3.8

2013-05-16 Thread Arnall
kernel 3.2.13 grsec 64: top - 19:13:09 up 6:15, 1 user, load average: 0.03, 0.03, 0.05 Tasks: 105 total, 1 running, 104 sleeping, 0 stopped, 0 zombie Cpu(s): 1.3%us, 2.1%sy, 0.0%ni, 79.7%id, 0.1%wa, 0.0%hi, 16.8%si, 0.0%st Mem: 7914788k total, 3255420k used, 4659368k free,

Re: HaProxy and kernel 3.8

2013-05-16 Thread Arnall
and. %CPU ( %us, %sy ... )is the same than before, only the load average has increased. Thanks. Le 16/05/2013 16:58, Lukas Tribus a écrit : Hi Arnall! Yesterday OVH asked their customers to update the kernel to 3.8.13 ( due to a local linux root exploit in 2.6.37 to 3.8.8 ). I've done th

HaProxy and kernel 3.8

2013-05-16 Thread Arnall
Hello, our servers are hosted at OVH. Yesterday OVH asked their customers to update the kernel to 3.8.13 ( due to a local linux root exploit in 2.6.37 to 3.8.8 ). I've done the update (old kernel = 3.2.13) but now the load of our haproxy servers has increased ( x 4 ). It's still reasonable but

http check : one server in several backend

2012-12-10 Thread Arnall
Hello, in my configuration i have some servers in several backend, i would like to know if it's mandatory to do the server check in every backend, or if one check is enough for all the backend.( if a server is down in one backend it's automatically down in every backend...). example: backend

[no subject]

2012-10-31 Thread Arnall