ct 10s
>timeout client 1m
>timeout server 1m
>timeout check 10s
>
> frontend pbutik
> [...]
>timeout client 30
> [...]
Look at this timeout ;)
30ms timeout is quite short don’t you think ?
Regards
--
Guillaume Castagnino
ca...@xwing.info / guilla...@castagnino.org
OK, then 3 corrupted, then 3
OK again, then 3 failed, etc…
Thanks for your attention and the wonderful product !
--
Guillaume Castagnino
ca...@xwing.info / guilla...@castagnino.org
On Wednesday 02 July 2014 18:56:48, Willy Tarreau wrote:
> Hi guys,
>
> On Wed, Jul 02, 2014 at 05:19:20PM +0200, Guillaume Castagnino wrote:
> > On Wednesday 02 July 2014 16:53:06, Lukas Tribus wrote:
> > > Hi Guillaume,
> > >
> > > > I made
e conforming to the RFC). But I
would like to get the 413 error page issued from the backend, not the
502 from haproxy. And I see no option in haproxy to forward the error
page instead of the 413.
Thanks !
--
Guillaume Castagnino
ca...@xwing.info / guilla...@castagnino.org
early-answer-poc.pl
Description: Perl program
On Wednesday 02 July 2014 10:45:57, Guillaume Castagnino wrote:
> Hi all,
>
> I’m currently facing an issue and I cannot figure out how to work around
> it.
>
> - Some big picture:
> I have a backend that receives file uploads. It checks the upload size
> and if the max
around this.
Thanks !
--
Guillaume Castagnino
ca...@xwing.info / guilla...@castagnino.org
Indeed, I can confirm this behaviour when enabling server-side
keepalive.
--
Guillaume Castagnino
ca...@xwing.info / guilla...@castagnino.org
either improve on the score, or
> keep the same score while improving the number of Cipher Suites.
>
> Cheers
>
> Arne
--
Guillaume Castagnino
ca...@xwing.info / guilla...@castagnino.org
if ! secure
> default_backend be_default
>
> backend be_default
> balance roundrobin
> option httpchk
> cookie srv insert postonly indirect
> server civ1 10.2.32.175:443 weight 1 maxconn 512 check cookie one
> server civ2 10.2.32.176:443 weight 1 maxconn 512 check cookie two
>
>
> Any help is much appreciated.
>
> Regards,
>
> Robbert
--
Guillaume Castagnino
ca...@xwing.info / guilla...@castagnino.org
set, that's the philosophy we've always followed. We add
> options to force a desired behaviour and without any option, the
> system sets defaults.
> > However, I will be happy to update the patch to have "v4v6" keyword
> > instead of "v6only".
>
> I did not know it was possible to revert the system behaviour, so yes
> please feel free to send such a patch to let the user force
> IPV6_V6ONLY to zero ! "v4v6" seems appropriate to me too.
>
> Thanks,
> Willy
--
Guillaume Castagnino
ca...@xwing.info / guilla...@castagnino.org
or '*' (v4) and '::' (v6),
keeping the wildcards, and stop having v4 mapped addresses instead of
plain ipv4 in http logs.
Thanks !
--
Guillaume Castagnino
ca...@xwing.info / guilla...@castagnino.org
On Friday 23 November 2012 14:13:40, Baptiste wrote:
> Hi Guillaume,
>
> In your ft configuration, just add the directive "option
> socket-stats".
Great, this is the option I missed, thanks !
--
Guillaume Castagnino
ca...@xwing.info / guilla...@castagnino.org
I use several binds splitting
'::' into explicit v4 and v6 binds, I do not get this.
And I found nothing in the doc about this, but I'm probably searching
the wrong keywords.
So how do you configure haproxy to have those lines in the frontend ?
Thanks !
--
Guillaume Ca
> >
> > Could you add an option http-server-close in your frontend???
> >
> > cheers
> >
> > On Wed, Nov 7, 2012 at 1:48 PM, Guillaume Castagnino
wrote:
> >> Hi,
> >>
> >> I just updated my haproxy to the current HEAD
> >>
!
--
Guillaume Castagnino
ca...@xwing.info / guilla...@castagnino.org
global
log 127.0.0.1 local0
maxconn 2000
user haproxy
group haproxy
daemon
stats socket /var/run/haproxy.sock level admin mode 600
stats timeout 1d
#debug
cy may not be a factor at all.
Have you played with the "tcp-request inspect-delay " option ?
Unless I'm mistaken, I think it can help you, when doing tcp content
inspection.
Regards,
--
Guillaume Castagnino
ca...@xwing.info / guilla...@castagnino.org
extracting the SSL ID, you extract your client identifier,
but this is more or less the same thing !
regards,
--
Guillaume Castagnino
ca...@xwing.info / guilla...@castagnino.org
---
doc/configuration.txt | 9 -
1 file changed, 9 deletions(-)
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 7be3335..227b50f 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -8085,15 +8085,6 @@ req_ssl_ver
SSL data layer, so this will not work wit
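Review bot: the subject line "DOC: duplicate ssl_sni section" has no verb, so it reads as if a duplicate were being introduced; since the hunk at "@@ -8085,15 +8085,6 @@ req_ssl_ver" only deletes lines (9 deletions), "DOC: remove duplicate ssl_sni section" would describe it accurately. The commit message could also say which of the two copies is kept, so a reader can confirm the surviving entry is the complete one.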
I noticed that the ssl_sni section is duplicated in configuration. Here
is the (very) small fix.
Thanks !
Guillaume Castagnino (1):
DOC: duplicate ssl_sni section
doc/configuration.txt | 9 -
1 file changed, 9 deletions(-)
--
1.7.12
RI. I'm
> > going to look into this.
>
> OK, finally here it is. Tested and works OK. Use it this way :
>
> redirect scheme https if !{ is_ssl }
Hi,
Wow that's wonderful !!
I will test this asap.
Thanks !
--
Guillaume Castagnino
ca...@xwing.info / guilla...@castagnino.org
o that means one acl + one redirect rule per vhost, as I fear. I think
I will keep my nginx redirect for now, since I want to upgrade *all*
virtualhosts, preferably without bothering to list all of them :)
Ideally, I would like to keep haproxy "vhost agnostic".
Thanks !
--
Guillaume C
host, extracting the domain from the original request:
redirect prefix https://$hdr_dom code 301
From the doc, I see nothing, but I may miss the good trick :)
Thanks !
--
Guillaume Castagnino
ca...@xwing.info / guilla...@castagnino.org
On Monday 10 September 2012 15:52:23, Willy Tarreau wrote:
> Hi Guillaume,
>
> On Mon, Sep 10, 2012 at 03:46:26PM +0200, Guillaume Castagnino wrote:
> > Nice !
> >
> > Just set up on my personal server with 2 wildcard certificates. It
> > seems to work li
:AES128-GCM-
SHA256:RC4:HIGH:!MD5:!aNULL:!EDH prefer-server-ciphers
Thanks, great job !
--
Guillaume Castagnino
ca...@xwing.info / guilla...@castagnino.org
haproxy+ssl, this is 800 MB for only 10k
> connections! And remember, this is still beta-quality code. Don't
> blindly put this in production (even though I did it on 1wt.eu :
> https://demo.1wt.eu/). You have been warned!
>
> Please use the links below :
> site index : http://haproxy.1wt.eu/
> sources : http://haproxy.1wt.eu/download/1.5/src/snapshot/
> changelog : http://haproxy.1wt.eu/download/1.5/src/snapshot/CHANGELOG
> Exceliance : http://www.exceliance.fr/en/
>
> Have a lot of fun and please report your success/failures,
> Willy
--
Guillaume Castagnino
ca...@xwing.info / guilla...@castagnino.org
2. Use transparent mode.
> 3. Patch haproxy to use IP_FREEBIND option.
What about a 4:
- Add net.ipv4.ip_nonlocal_bind=1 to your sysctl.conf settings. No need to
patch anything
--
Guillaume Castagnino
ca...@xwing.info / guilla...@castagnino.org
x-forwarded-for value across multiple requests.
So we would need to send the header with every request.
>
> My first question is: does anybody see anything wrong with those
> assumptions ?
>
> Then: is there a way to have x-forwarded-for added to each request without
> giving up on server-side keep alive ?
>
>
> Thanks,
> Julien
>
>
>
--
Guillaume Castagnino
ca...@xwing.info / guilla...@castagnino.org
cause the kernel silently drop/ignore some connections without any RST
(usually when the client is behind a NAT)
If your haproxy host uses this parameter, try disabling it !
--
Guillaume Castagnino
ca...@xwing.info / guilla...@castagnino.org
will match all connections that are not
caught by previous "use_backend" rules defined in the current front section.
--
Guillaume Castagnino
g.castagn...@pepperway.fr
Tel : +33148242089
tree which does not exhibit the issue,
> so I'll contact Brad with that.
Here is the last patch Brad provided me against the last grsec (if you want to
check this one) : http://www.grsecurity.net/~spender/blackhole3.diff
But despite this, I always get the same problem.
Guillaume
--
Guillaume Castagnino
g.castagn...@pepperway.fr
Tel : +33148242089
g.info :))
I can of course provide more information if you need.
Thanks,
Guillaume
--
Guillaume Castagnino
g.castagn...@pepperway.fr
Tel : +33148242089
your feedback,
Guillaume
--
Guillaume Castagnino
g.castagn...@pepperway.fr
Tel : +33148242089
global
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
user haproxy
group haproxy
daemon
defaults
log global
option httplog
o