ND DH PARAMETERS-
I get roughly the same CPS (forcing haproxy to provide only DHE key
exchange with the ciphers keyword) for both versions, which seems logical.
I agree ;-)
--
Cyril Bonté
in this
conditions.
--
Cyril Bonté
Hi Patrick,
On 23/04/2014 03:25, Patrick Hemmer wrote:
Any feedback on this?
I can happily provide any additional information if needed.
Didn't you see Lukas' mail ? That's exactly what he asked for ;-)
--
Cyril Bonté
link ;-)
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#7.3.5-req.hdr_ip
--
Cyril Bonté
The syntax used to document fetching samples with optional arguments was not
always valid. This commit fixes this issue in order to allow an easier parsing
of the documentation.
---
doc/configuration.txt | 38 +++---
1 file changed, 19 insertions(+), 19 deletions(-)
hould probably contain an explicit end
tag (presented as a new section or whatever).
Any idea on this ?
I've just added a footer to the documentation, this should help ;-)
--
Cyril Bonté
expression, you have the expected behavior:
use_backend bk_%[req.fhdr(accept-language),\
language(de;es;fr;en,en),map(language.map)] if TRUE
You're right, I missed the default value for "language" ;-)
--
Cyril Bonté
ue
declared in the map.
This is because sample_conv_q_prefered returns 0 when no matching
language was found. In this case, map() is not called.
Is it possible to always return 1 ?
--
Cyril Bonté
need to provide a matching method (for example "-m str") ?
In this case, the "language" documentation also needs to be updated.
--
Cyril Bonté
# @END ignore-warnings
block if TRUE
block if TRUE
block if TRUE
Please find a quick and dirty patch to illustrate. Is this something
that could be useful ?
--
Cyril Bonté
diff --git a/include/types/global.h b/include/types/global.h
index 669ec23..cb18593 100644
--- a/include/types/global
Hi again,
On 11/04/2014 21:30, Cyril Bonté wrote:
I see several issues :
1. In order to not break older configurations, "redirect" will not
support dynamic values, "http-request redirect" does.
2. Avoid spaces between parameters (between map and hdr).
3. Parameters are d
eak older configurations, "redirect" will not
support dynamic values, "http-request redirect" does.
2. Avoid spaces between parameters (between map and hdr).
3. Parameters are declared in the wrong order.
4. The URL is not a header, you can try with "path" instead.
Can you retry with :
http-request redirect location
%[path,map(/opt/local/etc/haproxy/redirect.map)] code 301
--
Cyril Bonté
of Twitter typeahead.js for the search field
- Use of cdn.js to provide those frameworks instead of embedding them.
If you see issues that weren't there before, please give me some
feedback in order to fix it.
--
Cyril Bonté
ate whether requests came from
the same session or not. The accept date reported in the logs
corresponds to the end of the previous request, and the request time
corresponds to the time spent waiting for a new request. (...)"
--
Cyril Bonté
chk GET /ping
default-server inter 15s fastinter 1s
server i-6eaf724d 10.230.23.64:80 check observe layer4
server i-84d931a5 10.230.42.8:80 check observe layer4
--
Cyril Bonté
is a second level of proxy in your test. Am I
wrong ?
--
Cyril Bonté
-Transport-Security headers in this
second case ?
--
Cyril Bonté
On 01/04/2014 23:42, Bertrand Jacquin wrote:
Hi Cyril,
On Tuesday 01 April 2014 at 23:35, « Cyril Bonté » wrote:
If bk_local has server UP in the farm, and request look like
https://203.0.113.42/__bar, then everything is fine, request is nicely
handled by bk_
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Thanks.
--
Cyril Bonté
'rand' in ACL expression 'rand()
config line:
acl test_rand rand() ge 10
I've tried a few others:
acl test_rand rand ge 10
acl test_rand rand(100) ge 10
Give a try to the current snapshot ;-)
--
Cyril Bonté
Both of my peers are identical and running Ubuntu 12.04 LTS x86_64 and
HAProxy 1.5-dev22.
Please upgrade to the current snapshot, it should solve your issue :
http://haproxy.1wt.eu/git?p=haproxy.git;a=commit;h=9a60ff9cb60cb11fbf6db932dcfbc3fe810212d8
--
Cyril Bonté
4
Version : 1.4.18-0ubuntu1.2
Do I miss something ?
Yes, haproxy 1.4 doesn't support IPv6 addresses for servers.
http://cbonte.github.io/haproxy-dconv/configuration-1.4.html#server
--
Cyril Bonté
tunnel mode is used for other
accesses than /slideshare).
Btw, don't mix "option http-server-close" and "option httpclose".
--
Cyril Bonté
haproxy log contains the original request, not the rewritten one. If
you want to see the rewritten URL you need to look at the backend server
which is receiving the request.
-Patrick
"
--
Cyril Bonté
dev16 that were fixed in dev17.
--
Cyril Bonté
with :
http-request set-header Host maps.googleapis.com
Otherwise googleapis receives "Host: localhost".
--
Cyril Bonté
alk in https to maps.googleapis.com. For
that, you must add the "ssl" keyword on the server line, and maybe
"verify none" with recent 1.5-dev snapshots.
--
Cyril Bonté
Add a missing "r" on "option http-server-close" and put double-quotes
everywhere to ease keywords parsing.
---
doc/configuration.txt | 22 +++---
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/doc/configuration.txt b/doc/configuration.txt
index b6a30de..a8ff839 100
Hi again and sorry for spamming ;-)
On 19/02/2014 22:51, Cyril Bonté wrote:
Hi again,
On 19/02/2014 22:44, Cyril Bonté wrote:
Also, as a side note, your configuration is not optimal :
- you are using both "option httpclose" and "option http-server-close",
you shou
Hi again,
On 19/02/2014 22:44, Cyril Bonté wrote:
Also, as a side note, your configuration is not optimal :
- you are using both "option httpclose" and "option http-server-close",
you should make a choice (or use "option http-keep-alive" in recent
haproxy 1.5
ou should avoid the use of "stats enable" in the defaults section.
[1]
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#option%20dontlognull
--
Cyril Bonté
A segfault may occur when a peer is parsed while the peers section is invalid,
for example because the peers section name was forgotten in the configuration
file.
Example :
peers
peer LB1 127.0.0.1:1234
peer LB2 127.0.0.1:1235
The parser saves a static pointer on the current section par
Peers with integer stick tables are breaking the keys received. This is due to
the fact that the sender converts the key with htonl() but the receiver doesn't
convert the value back to its original format.
Peers appeared in haproxy-1.5, no backport is needed.
---
src/peers.c | 8 ++--
1 file
backported to haproxy 1.4.
--
Cyril Bonté
ckend will be the active one.
Once "s-active" is DOWN or an entry exists in the "passive" table, the
"passive" backend will be used.
To switch back to the "active" backend :
# echo "clear table passive" | socat stdio /var/run/haproxy.sock
--
Cyril Bonté
o I miss?
Best regards,
Tony
--
Cyril Bonté
On 17/01/2014 21:06, PiBa-NL wrote:
Though the proper section is a bit harder to find a "search for
keyword" doesn't give any results..
This is in my to do list, I hope to find time to address this soon.
--
Cyril Bonté
lose this bug, that's
a good thing ;-)
--
Cyril Bonté
sl
$ curl http://localhost/
...
epoll_wait(3, {}, 200, 0) = 0
epoll_wait(3, {}, 200, 0) = 0
epoll_wait(3, {}, 200, 0) = 0
epoll_wait(3, {}, 200, 0) = 0
epoll_wait(3, {}, 200, 0) = 0
...
--
Cyril Bonté
top where I can reproduce the
segfault, I confirm it doesn't crash anymore once the patch is applied
(which was predictable from the quick test I made this afternoon).
Let's see if it's OK for Steve too ;-)
--
Cyril Bonté
Hi again Willy,
On 14/01/2014 00:51, Cyril Bonté wrote:
I don't know if this is of any help because I don't have enough details
yet, but I just reproduced segfaults while playing with the configuration
provided by Steve.
To reproduce it on my laptop, it's quite easy : ge
reproduce a segfault, I'll try to make some more tests
tomorrow (only after work). But I believe you'll already find the reason
before ;-)
--
Cyril Bonté
erver ensures that these things are working
I will tried source ip based affinity/stickiness and all worked as expected
(http://blog.exceliance.fr/2011/07/12/send-user-to-the-same-backend-for-both-http-and-https/)
Yes sticking on the source ip is a better idea (even if it is not
perfect for all u
a=commit;h=3759f98d441cc457edf6637c4ba123ca4f42217f
A second one that included a minimal threshold :
http://haproxy.1wt.eu/git?p=haproxy.git;a=commit;h=2c43a1e2f05161cac4f88c9e9c01bd16f1b2cb5b
--
Cyril Bonté
hub.io/haproxy-dconv/configuration-1.5.html#7.1
Without any patch, "req_ssl_sni_end" is the equivalent to "req.ssl_sni
-m end".
(note that several keywords have been deprecated, this is the case for
req_ssl_sni, in preference to req.ssl_sni).
--
Cyril Bonté
nice ! I didn't expect this so fast ;-)
I've applied it on my test server, I can confirm it works well, thanks !
--
Cyril Bonté
totally useless :-)
Same here, then I updated to apply the last patches.
For now, the only thing I've noticed is that when haproxy uses a
keep-alive timeout greater than the one on the backend, the connection
will stay in CLOSE_WAIT state until the haproxy timeout expires.
--
Cyril Bonté
tion level is greater
than 0 too).
_FORTIFY_SOURCE=2 looks to become the default for distribution
packagers. Maybe we could decide to enforce _FORTIFY_SOURCE to 0 in the
Makefile.
--
Cyril Bonté
said.
The important thing was to add :
tcp-request content reject if !HTTP
> Pushing the stick-table and tracking/rejecting operations back to
> backend definition solved my problem.
Indeed, this is another way to wait for HTTP data to be complete, as a
HTTP frontend will use the backend only once the headers are received.
Thanks for sharing.
--
Cyril Bonté
didn't realize that the behaviour
was documented.
Well, I hope that Przemyslaw's issue is now gone, then.
--
Cyril Bonté
, used:1
0xc50fa4: key=1 use=0 exp=177602 http_req_cnt=2
$ curl "localhost:9000/?SID=1"
OK
# table: app, type: integer, size:204800, used:1
0xc50fa4: key=1 use=0 exp=155563 http_req_cnt=3
$ curl "localhost:9000/?SID=1"
curl: (52) Empty reply from server
This is not the right way to fix this, but maybe it can help Willy or
someone at Exceliance to find one.
--
Cyril Bonté
where the
header is added.
--
Cyril Bonté
I'm aware of are those from Cyril Bonté
and concern the accept side. I think a backport to act on the send side
would be harder to implement though you may want to attempt it.
If it's just for an internal policy of deploying only stable versions,
we're still working hard trying
bably prefer "option httpclose" instead of "http-server-close",
depending on your traffic.
--
Cyril Bonté
[1]
http://cbonte.github.io/haproxy-dconv/configuration-1.4.html#option%20http-server-close
[2]
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#on-marked-down
--
Cyril Bonté
ub.com/cbonte/haproxy-patches/blob/master/proxy-protocol/haproxy-1.4-proxy-protocol.patch
It's a backport of the Proxy Protocol (only the "accept-proxy side") for
HAProxy 1.4. We use it on a lot of platforms even if we plan to upgrade
to HAProxy 1.5 (and we're also about to use the aloha appliance from
Exceliance).
--
Cyril Bonté
s, always the same way. I must say that
at the moment I have no idea yet what the best solution is :-/
Regards,
Willy
--
Cyril Bonté
diff --git a/src/session.c b/src/session.c
index 0a6b130..057cb13 100644
--- a/src/session.c
+++ b/src/session.c
@@ -693,6 +693,10 @@ void session_process_counters(
haproxy 1.4, counters could be updated at the end
of stream_sock_read() (then we should always initialize si->private to
provide a pointer to the current session).
Do you see a better way to do this ? Tell me if you prefer an initial
patch, it's sometimes better than explanations ;-)
--
Cyril Bonté
0.0.0:8086
stats uri /
stats auth github:
stats hide-version
listen monitoring 0.0.0.0:8087
mode health
##
Hoping this helps.
--
Cyril Bonté
short story, after discussing with Willy, we decided not to
include it directly in haproxy. This will let us introduce some
improvements in the configuration file syntax after 1.5 is released.
--
Cyril Bonté
ach time a new stable version of haproxy is available, I update the patch.
Maybe it can help you too.
--
Cyril Bonté
defined by
tune.maxrewrite. By default, half of the buffer is reserved.
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#tune.maxrewrite
Simon
-Original Message-
From: Cyril Bonté [mailto:cyril.bo...@free.fr]
Sent: 07 June 2013 19:04
To: Simon Green
Cc: 'ha
tter "option http-server-close" (don't forget also to
add a "timeout http-keep-alive").
But honestly, you should really fix the application to prevent those
many headers duplications. You'll always have trouble with such responses.
Thanks in advance,
Simon
--
Cyril Bonté
words, IPs, ...) ?
Are you sure you really want the "ssl_fc" condition here ?
Reference :
http://blog.exceliance.fr/2013/02/26/ssl-offloading-impact-on-web-applications/
Regards
Syed
--
Cyril Bonté
to rename the CloudFlare header (no
changes were required in backends, where varnish and apache+mod_rpaf are
used).
Hope this helps.
--
Cyril Bonté
ve fixed it now in 1.4. In fact 1.5 already does this so no change
was needed there.
Thanks ! That was fast, as usual :-)
I'll provide them a new package which includes this patch.
--
Cyril Bonté
s of TIME_WAIT sockets which cannot be reopened
for 2 minutes.
Don't worry, I prepared them for such a conclusion ;-)
--
Cyril Bonté
hem soon.
Aside of their analysis, I wonder if it's possible to introduce a new
option "check-nolinger". This would let users choose one or the other
behaviour.
--
Cyril Bonté
commit 88c278fadf provided a new input field on the statistics page which was
focused by default. The autofocus prevents scrolling down the page with the
keyboard immediately after loading it, without the need to leave that field.
It also interfered with "stats refresh" by scrolling up to this field
without
having to leave the box. Also, in case someone uses "stats refresh", it
can become quickly painful : each refresh, the browser will scroll up to
the box, which is annoying when you want to follow some values in the
middle of the statistics page ;-)
Are you OK for this modification ?
--
Cyril Bonté
unless we expressly use the v1.4.23 tag.
It prevents my bot to generate the html documentation for 1.4.23 ;-)
--
Cyril Bonté
.
And thanks to Cyril for pinging me again on this subject which I
initially missed!
Great ! I didn't have time to analyze the issue since my last comment.
I'm happy you found a fix so quickly, because I definitely missed this
update issue and went far from it :-)
--
Cyril Bonté
Hi all,
On 12/03/2013 12:38, David Coulson wrote:
On 3/12/13 7:31 AM, Cyril Bonté wrote:
I'm sorry to say that you've certainly met a bug while combining
http-send-name-header (which is a bit tricky in the code) and ssl
ciphering on servers. This is a case that has not been
er outgoing connections ? Disabling it could
be a quick fix to your issue.
--
Cyril Bonté
thub.com/haproxy-dconv/configuration-1.5.html#http-send-name-header
--
Cyril Bonté
requests like :
GET / HTTP/1.1
Host: foo.bar
Also when using layer7 acls, don't forget to use "option httpclose" or
"option http-server-close", otherwise the acls will only match the first
request of a HTTP keepalive connection.
Hope this helps.
--
Cyril Bonté
t one :
http://marc.info/?t=12701162342&r=1&w=2
The issue was fixed in tomcat 6.0.27 and 5.5.29/
Cheers
--
Cyril Bonté
On 15/01/2013 09:24, Willy Tarreau wrote:
On Tue, Jan 15, 2013 at 09:09:22AM +0100, Cyril Bonté wrote:
Hi Igor,
On 15/01/2013 09:00, Igor wrote:
Hi, conf like:
listen admin
bind 127.0.0.1:11199
stats enable
stats hide-version
stats uri /ha-stats
iated defaults section. Please remove
any password if you have.
Willy
--
Cyril Bonté
k request ;-)
You can have a look to the example provided in the documentation for
more details :
http://cbonte.github.com/haproxy-dconv/configuration-1.4.html#option%20httpchk
Thanks in advance.
-Zachary
--
Cyril Bonté
And I don't talk about frameworks that require something else than
"X-Forwarded-Proto" ;-)
I hope this will help a bit.
--
Cyril Bonté
On 17/11/2012 11:17, Cyril Bonté wrote:
Hi Willy,
Since yesterday, the git repository is unavailable, producing "504
Gateway Time-out".
I realize I'm not clear. I'm talking about the git web interface
(http://haproxy.1wt.eu/git/?p=haproxy.git), not the git reposito
ed recently. So, I wonder if
there's not a bug somewhere in the sessions counter. Can you have a look
at this ? Is there really 2 opened connections since yesterday ?
Thanks ;-)
--
Cyril Bonté
implicit in
haproxy :
use_backend server1 if server1_head myip
use_backend server2 if server2_head myip
--
Cyril Bonté
commit 82fe75c1 provided useful details in its log message. We should report
part of them in the documentation to know which algorithms are available.
This patch also makes some formatting cleanups (including a line outside the
compression scope, which exceeded 80 chars).
---
doc/configuration.tx
The compiler emits a warning on free_zlib(), due to the "pool" variable that
can be used uninitialized. We now initialize the variable and test its value to
remove this warning.
---
src/compression.c | 10 ++
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/compression.c b
Compression algorithms are not always supported depending on build options.
"haproxy -vv" now reports if zlib is supported and lists compression algorithms
also supported.
---
src/compression.c |2 +-
src/haproxy.c | 20
2 files changed, 21 insertions(+), 1 deletion(
the number of bytes sent to the client (after compression or any
other new feature)
- %Bu [u for unmodified] = the number of bytes that should be sent to
the client without any compression (the current %B behaviour)
- and maybe another value to log the compression ratio (%Cr ?).
--
Cyril Bonté
/
--
Cyril Bonté
This patch is invalid, a new one replaces it.
Cheers.
--
Cyril Bonté
This patch is an attempt to prevent sending garbage data when
http-send-name-header replaced existing headers in the request.
http-send-name-header is applied late in the request processing. The buffer is
already ready to be sent to the backend server. When headers are removed, the
data length is
a cleaner patch to Willy, as I made a mistake while moving the code : a
comment line also moved while it shouldn't.
--
Cyril Bonté
on stays in the file, you can
send it off-list to Cyril and I.
Mmmh yes, indeed I could reproduce issues. Michael, is it possible to
retry with the patch attached ?
It's nearly the same as before, except that the delta is calculated
after inserting the new header.
Thanks,
Willy
This patch is an attempt to prevent sending garbage data when
http-send-name-header replaced existing headers in the request.
http-send-name-header is applied late in the request processing. The buffer is
already ready to be sent to the backend server. When headers are removed, the
data length is
Hi again,
On 01/11/2012 12:25, Willy Tarreau wrote:
On Thu, Nov 01, 2012 at 12:18:04PM +0100, Cyril Bonté wrote:
I'm making some tests, forging requests. I'm observing something weird
with haproxy-1.4 (not with haproxy-1.5).
Using "http-send-name-header Host", in some co
W, you did not remove the Host header
from the request, so two of them are emitted. Maybe depending
on the request, your server matches one or another value. Would
you please add the following to your configuration to clean the
things up (as disgusting it can look like) :
reqidel ^Host:
Willy
--
Cyril Bonté
tch addresses between square brackets such as [2001:7a8:363c::2] and also
stop before an optional port number. But that's not as much important as what
you fixed so I'm applying your fix now.
I agree, that's why I didn't provide a patch for smp_fetch_url_ip (and
url2sa) immedia
Commit ceb4ac9c states that IPv6 values are accepted by "hdr_ip" acl,
but the code didn't allow it. This patch provides the ability to accept IPv6
values.
---
src/proto_http.c | 23 ++-
1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/src/proto_http.c b/src/prot
url2sa() mistakenly uses "addr" as a reference. This causes a segfault when
option http_proxy or url_ip are used.
This bug was introduced in haproxy 1.5 and doesn't need to be backported.
---
src/standard.c |4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/standard.c
patch in a few minutes : this bug causes a segfault as
soon as url2sa() is called. It concerns both "option http_proxy" and
"url_ip".
--
Cyril Bonté