Re: OpenSSL Security Advisory

comes out. -3 next, etc. Could something like that be adopted? Thanks, Kevin From: Tim Düsterhus Sent: Thursday, March 25, 2021 11:32 AM To: Paul Lockaby Cc: Lukas Tribus; haproxy Subject: Re: OpenSSL Security Advisory Check twice before you click!

Re: Debugging ssl handshake failures

Thanks Bruno, I'll see if I can get this working. -- Kevin On 2020-09-09 9:41 p.m., Bruno Henc wrote: Hi, I take it that means theres no internal debug logging for the tls errors that we can just expose via logfile? Proof of concept patches are attached with build instructions. Yo

Re: Debugging ssl handshake failures

nal debug logging for the tls errors that we can just expose via logfile? Thanks for the help, -- Kevin On 2020-09-01 10:59 a.m., Bruno Henc wrote: ‐‐‐ Original Message ‐‐‐ On Tuesday, September 1, 2020 6:57 PM, Kevin McArthur wrote: Hi haproxy I'm wondering if there is any

Debugging ssl handshake failures

failures logging but the clients seem to load the pages ok on a subsequent request. Basically I'm just looking for how to debug this a little deeper and log some of the tls protocol events/data. Is this type of logging possible? Thanks -- Kevin Few config items: global     nbthread 8   

[PATCH] BUG/MEDIUM: spoe: Use unique engine_id for all agents in all scopes

ould backport to 2.0 and 1.9. My pleasure Kevin From 512e4aca8e3ffd57fb3f12581ede6d8e8d624319 Mon Sep 17 00:00:00 2001 From: Kevin Zhu Date: Fri, 13 Mar 2020 14:40:46 +0800 Subject: [PATCH] BUG/MEDIUM: spoe: Use unique engine_id for all agents in all scopes When config spoe engine proxys >

[PATCH] BUG/MEDIUM: spoe: dup agent's engine_id string from trash.area

Hi The agent's engine_id forgot to dup from trash, all engine_ids point to the same address "&trash.area", the engine_id changed at run time and will double-free when release agents and trash. Kevin From 674ba1e318cb561a1650db98030e12939e604171 Mon Sep 17 00:00:00 2001 From: K

Fwd: BUG/MEDIUM: http: res redir not work coz exist res contents not truncate

-- Forwarded message - From: Kevin Zhu Date: Thu, 26 Dec 2019 at 19:33 Subject: Re: BUG/MEDIUM: http: res redir not work coz exist res contents not truncate To: Willy Tarreau Hello Willy, sorry for I haven't clarified the issue, contents below here is my testing envire

BUG/MEDIUM: http: res redir not work coz exist res contents not truncate

-redir-not-work-coz-exist-res-cont.patch base on master Best regards. From 19f913c163b4acfa5b0e05afb5079a9c1d38f97a Mon Sep 17 00:00:00 2001 From: Kevin Zhu Date: Tue, 24 Dec 2019 16:39:42 +0800 Subject: [PATCH] BUG/MEDIUM: htx: res redir not work coz exist res contents not truncate --- src/http

Re: BUG/MEDIUM: spoe: engine-id is necessary if not health check

Sorry Crhistopher, have you look at this mail ?😁 On Mon, 2 Sep 2019 at 16:11, Kevin Zhu wrote: > Hi Christopher > > SPOE engine-id is all same when nbproc is more than 1, the clients all > group under same engine, and same stream-id and frame-id frames may come > at > same

BUG/MEDIUM: spoe: engine-id is necessary if not health check

b Mon Sep 17 00:00:00 2001 From: Kevin Zhu Date: Mon, 2 Sep 2019 13:45:34 +0800 Subject: [PATCH] BUG/MEDIUM: spoe: engine-id is necessary if not health check SPOE engine-id is all same when nbproc is more than 1, the clients all group under same engine, and same stream-id and frame-id frames may co

BUG/MEDIUM: spoe: arg len encoded in previous frag frame but len changed

From 342258c94fbe8ed146e8490fb80a2a7c40cb9075 Mon Sep 17 00:00:00 2001 From: Kevin Zhu Date: Fri, 26 Apr 2019 14:00:01 +0800 Subject: [PATCH] BUG/MEDIUM: spoe: arg len encoded in previous frag frame but len changed Fragmented arg will do fetch at every encode time, each fetch may get different r

[PATCH] BUG/MAJOR: spoe: spoe_context shouldn't queue again if fragment send

Hi I think there forgot check if the spoe_context already has fragment msg send before spoe_queue_context, it will segment fault in spoe_release_appctx. Best regards. From 437775b6f4a611324348746e1e673cb9d024c1b0 Mon Sep 17 00:00:00 2001 From: Kevin Zhu Date: Sat, 20 Apr 2019 17:45:21 +0800

[PATCH] BUG/MAJOR: spoe: Rollback frequency counter to sending_rate

cad58af8ee953b97ab5b9d9e7551823890e3da6c Mon Sep 17 00:00:00 2001 From: Kevin Zhu Date: Sat, 13 Apr 2019 15:28:54 +0800 Subject: [PATCH] BUG/MAJOR: spoe: Rollback frequency counter to sending_rate The processing is really difficult to be smaller than processing_per_sec, and most msg will create a new

Re: haproxy1.9, SPOA: too many open files

I'm sorry for my english, there have a typo: multi threads single thread -> multi threads single proc. Pardon me. On Wed, 10 Apr 2019 at 14:44, Kevin Zhu wrote: > > > -- Forwarded message ----- > From: Kevin Zhu > Date: Wed, 10 Apr 2019 at 14:25 > Sub

Fwd: haproxy1.9, SPOA: too many open files

-- Forwarded message - From: Kevin Zhu Date: Wed, 10 Apr 2019 at 14:25 Subject: Re: haproxy1.9, SPOA: too many open files To: Christopher Faulet Thinks reply. OS: CentOS Linux release 7.4 HW: platform: KVM; CPU: Intel Xeon E3-12xx v2 (Ivy Bridge) * 1; mem: 2048M HAProxy

haproxy1.9, SPOA: too many open files

Use haproxy-1.9 and 2.0, SPOA will occure error "too many open file" when benchmark testing, spoa_example have this error too, even enable the async and pipelining. But haproxy 1.8 have no this kind error. Thanks for any help. Best regards

Re: Wrong sha256 checksum for HAProxy 1.8 and 1.9?

Thanks everyone. Confirmed this is working now. Kevin On Tuesday, February 26, 2019, 5:15:58 AM PST, Willy Tarreau wrote: Hi all, On Tue, Feb 26, 2019 at 01:29:54PM +0100, Cyril Bonté wrote: > > De: "Tim Düsterhus" > > À: "Cyril Bonté" , "Will

Wrong sha256 checksum for HAProxy 1.8 and 1.9?

.8.18.tar.gz.sha256haproxy-1.8.18.tar.gz: FAILEDshasum: WARNING: 1 computed checksum did NOT match Thanks,Kevin

Re: forwarded https request missing

www.example.com You must provide the target port on the backend server, see documentation: If unset, the same port the client connected to will be used -- Kevin Decherf - @Kdecherf GPG 0x108ABD75A81E6E2F https://kdecherf.com

[PATCH] BUG/MINOR: tcp_rep.inspect_rules not deinit, add to deinit

Hi Willy, I find tcp_rep.inspect_rule forgot to deinit, the mail attached patch should fix that. Best regards, Kevin Zhu From 217d8ca05633b24404d102b86b189523fc3d8faa Mon Sep 17 00:00:00 2001 From: Kevin Zhu Date: Wed, 30 Jan 2019 16:01:21 +0800 Subject: [PATCH] BUG/MINOR: tcp_rep.inspect_rules

V1.9 SSL engine and ssl-mode-async is unstable

HI HAProxy Team,: I am trying to use Intel qat work with HAProxy-1.9.0, but it work very unstable. and i had other try HAProxy-1.8.16 and it work will, How can i find what is wrong? 1.8.16 and 1.9.0 use same hardwave and system to running and compile, and use the same config file, the attach file i

Thanks for any helps, How can i get whole req body first

Hi, For special purpose, i must get the whole, intergrated req body, then decide drop it or send to backend. But i find the req body is recv to buf, as several parts. Is there any way i can get whole req body first? Thanks for any help. Best regards Kevin Zhu

[PATCHE] Fix a typo in DOC SPOE.txt

Hi, I find a typo in doc/SPOE.txt, The attached patche should fix that. Regards, Kevin Zhu commit 67511bd1ba52572511251be2a91336197449d41d Author: Kevin Zhu Date: Fri Jun 1 09:48:55 2018 +0800 DOC: SPOE.txt: fix a typo diff --git a/doc/SPOE.txt b/doc/SPOE.txt index 9556bc9..2b4cc3b

Re: haproxy startup at boot too quick

Hello, On 8 May 2018 02:32:01 CEST, Bill Waggoner wrote: >Anyway, when the system boots haproxy fails to start. Unfortunately I >forgot to save the systemctl status message but the impression I get is >that it's starting too soon. You can find all past logs of your service using `journalctl -u

Tagging a 1.8 release?

Anyone know approximately when a 1.8-series release is expected? We'd like to put the new TLS upgrades into production but would prefer to use a stable build... -- Kevin

G2E-Global Gaming Expo- ATTENDEES List

with pricing, counts and other deliverables. Thank you and I look forward to hear from you soon. Regards, Kevin J| Inside Sales, USA & Europe| Email <mailto:b...@expolist.us> kev...@expolist.us "If you don't wish to receive emails from us reply back with LEAVE OUT"

Re: Passing SNI value ( ssl_fc_sni ) to backend's verifyhost.

I really think that for most users it will be fine this way as it has been for 5 years, and for me that justifies not trying to go too far for the short term. Fair enough, but don't forget that for the last 5 years folks have just been setting verify none in all the tutorials lol! --

Re: Passing SNI value ( ssl_fc_sni ) to backend's verifyhost.

On 2017-07-28 2:21 PM, Willy Tarreau wrote: On Fri, Jul 28, 2017 at 10:24:47AM -0700, Kevin McArthur wrote: I would propose something like the following: New options: check-ssl-sni (optional) .. set the value to send as sni. Defaults to the value from the server hostname being connected

Re: Passing SNI value ( ssl_fc_sni ) to backend's verifyhost.

a:443 ssl verify required sni ssl_fc_sni ca-file /etc/ssl/certs/ca-certificates.crt check check-ssl check-ssl-ca-file /path/to/local-ca.crt -- Kevin On 2017-07-28 10:04 AM, Kevin McArthur wrote: On 2017-07-28 10:02 AM, Willy Tarreau wrote: On Fri, Jul 28, 2017 at 09:46:12AM -0700,

Re: Passing SNI value ( ssl_fc_sni ) to backend's verifyhost.

On 2017-07-28 10:02 AM, Willy Tarreau wrote: On Fri, Jul 28, 2017 at 09:46:12AM -0700, Kevin McArthur wrote: I think somethings missing here; the check system doesn't seem to be sending the SNI or validating the result. If I do a backend line like: server app2 internal.app2.example.c

Re: Passing SNI value ( ssl_fc_sni ) to backend's verifyhost.

fine, but my server has no tls cert for internal.app2.example.ca and the checks still pass verify. The server side of things tells me the SNI never gets sent on the check connection, hits the default cert (app2, no internal). Could be the same null/default pathway? -- Kevin On 2017-07-28 9:

Re: Passing SNI value ( ssl_fc_sni ) to backend's verifyhost.

Sounds good Willy, where did we leave the issue of the SNI, verifypeer/verifyhost validation and the checks subsystem? -- Kevin On 2017-07-28 3:11 AM, Willy Tarreau wrote: Hi, On Thu, Jul 27, 2017 at 05:17:36AM +0200, Willy Tarreau wrote: On Wed, Jul 26, 2017 at 02:19:19PM -0700, Kevin

Re: Passing SNI value ( ssl_fc_sni ) to backend's verifyhost.

ilar, or change the behavior of verifyhost to match a default rather than be an override. -- Kevin On 2017-07-26 2:15 PM, Willy Tarreau wrote: On Wed, Jul 26, 2017 at 01:04:05PM -0700, Kevin McArthur wrote: Here: In the first example, a valid host, valid sni. Second is valid sni broken

Re: Passing SNI value ( ssl_fc_sni ) to backend's verifyhost.

rn:1 On 2017-07-26 12:49 PM, Willy Tarreau wrote: On Wed, Jul 26, 2017 at 12:28:55PM -0700, Kevin McArthur wrote: No, it needs it to select the certificate to present. Then it should match it against the Host header field, and use the Host header field to select the vhost. The difference is sub

Re: Passing SNI value ( ssl_fc_sni ) to backend's verifyhost.

with ServerName directive. -- Kevin On 2017-07-26 12:26 PM, Willy Tarreau wrote: On Wed, Jul 26, 2017 at 11:49:22AM -0700, Kevin McArthur wrote: I'm still thinking about something like this. What bothers me is that we already have a ton of "check-something" which are specific to ch

Re: Passing SNI value ( ssl_fc_sni ) to backend's verifyhost.

default). But when its a normal client-requested domain name, I need it to verify properly against the client's SNI all the way through. If the client asks for x.example.ca it needs to be secured to the haproxy and the haproxy to the backend needs full security too. The backend needs the SNI va

Re: Passing SNI value ( ssl_fc_sni ) to backend's verifyhost.

specific use case (ie: cert name verification failed against a non- hardcoded value, so fail immediately). It now immediately reports the 503 and you don't have the retries anymore. This patch is working flawlessly. +1 to adding all three patches to master. -- Kevin On 2017-07-26 11:

Re: Passing SNI value ( ssl_fc_sni ) to backend's verifyhost.

Awesome. I'll try this out right now. -- Kevin On 2017-07-26 11:27 AM, Willy Tarreau wrote: On Wed, Jul 26, 2017 at 09:58:57AM -0700, Kevin McArthur wrote: This seems to stop the primary vector. I can still tie up a valid sni with a misconfigured backend, but I'm not sure that

Re: Passing SNI value ( ssl_fc_sni ) to backend's verifyhost.

version that corrects this will run into people needing to generate certificates for internal servers or completely turn off checking. Perhaps a check-ssl-verifypeer and check-ssl-verifyhost setting might make sense to go with check-ssl? -- Kevin On 2017-07-26 9:57 AM, Kevin McArthur wrote

Re: Passing SNI value ( ssl_fc_sni ) to backend's verifyhost.

This seems to stop the primary vector. I can still tie up a valid sni with a misconfigured backend, but I'm not sure that would be a client-controlled condition. Perhaps strict-sni should be defaulted? -- Kevin On 2017-07-26 9:53 AM, Emmanuel Hocdet wrote: Hi Kevin, Le 26 juil. 2

Re: Passing SNI value ( ssl_fc_sni ) to backend's verifyhost.

On 2017-07-26 9:55 AM, Willy Tarreau wrote: On Wed, Jul 26, 2017 at 09:39:03AM -0700, Kevin McArthur wrote: Interesting. I'd probably recommend not pushing this patch out then until this can be fixed as it will be trivial to resource-exploit a haproxy instance that is exhibiting a c

Re: Passing SNI value ( ssl_fc_sni ) to backend's verifyhost.

ries 0 will work for our use case, but I'd hate to think we'd have to give up non-client-controlled retry support entirely (ie for a backend apache restart, retry to another app server...) due to this. -- Kevin On 2017-07-26 9:26 AM, Willy Tarreau wrote: On Wed, Jul 26, 2017 at 09

Re: Passing SNI value ( ssl_fc_sni ) to backend's verifyhost.

icate: certificate verify failed*0005:www-backend-https.clicls[0008:adfd]0005:www-backend-https.closed[0008:adfd] -- Kevin On 2017-07-26 5:19 AM, Christopher Faulet wrote: .Le 25/07/2017 à 19:37, Kevin McArthur a écrit : Hi Willy, I cant replicate your results here I cloned from git and

Re: Passing SNI value ( ssl_fc_sni ) to backend's verifyhost.

On 2017-07-25 10:51 AM, Willy Tarreau wrote: On Tue, Jul 25, 2017 at 10:37:10AM -0700, Kevin McArthur wrote: Hi Willy, I cant replicate your results here I cloned from git and built the package with the debian/ubuntu build scripts from https://launchpad.net/~vbernat/+archive/ubuntu

Re: Passing SNI value ( ssl_fc_sni ) to backend's verifyhost.

erifyhost is not being done... I suspect your test case is failing because the dom4 is totally unknown to the haproxy, whereas in my case, the haproxy has a cert for ssltest-broken but the backend does not. -- Kevin On 2017-07-25 5:26 AM, Willy Tarreau wrote: Hi again Kevin, On Tue, Jul

Re: Passing SNI value ( ssl_fc_sni ) to backend's verifyhost.

lt.example.ca to the haproxy. -- Kevin On 2017-07-24 3:25 PM, Kevin McArthur wrote: Hi Willy, I can confirm the following line does _not_ verify the hostname on the backend. server app2 ssltest.example.ca:443 ssl verify required sni ssl_fc_sni ca-file /etc/ssl/certs/ca-certificates

Re: Passing SNI value ( ssl_fc_sni ) to backend's verifyhost.

certificate (even the default-configured ssltest one) will work on the backend. -- Kevin McArthur On 2017-07-23 9:40 PM, Willy Tarreau wrote: Hi Kevin, On Fri, Jul 21, 2017 at 02:06:52PM -0700, Kevin McArthur wrote: Further... the odd/broken behavior might be being caused related to no sni

Re: Passing SNI value ( ssl_fc_sni ) to backend's verifyhost.

ut verifying the host properly. Can load anotherdomain.example.ca and the sni is passed along properly. Perhaps its the host checks sni support and not this patch that are not working correctly? -- Kevin On 2017-07-21 1:01 PM, Kevin McArthur wrote: Ok finally got around to testing this ou

Re: Passing SNI value ( ssl_fc_sni ) to backend's verifyhost.

config here, but I don't think the patch allows for passing along the actual ssl_fc_scni? -- Kevin On 2017-07-06 7:20 AM, Kevin McArthur wrote: I'll see if I can give this a test. Thanks for adding it to master! -- Kevin On 2017-07-06 6:19 AM, Willy Tarreau wrote: Hi again

Re: Passing SNI value ( ssl_fc_sni ) to backend's verifyhost.

I'll see if I can give this a test. Thanks for adding it to master! -- Kevin On 2017-07-06 6:19 AM, Willy Tarreau wrote: Hi again, I finally merged it in master as commit 2ab8867, it will ease testing (and a test file was provided). Cheers, Willy

Re: [ANNOUNCE] haproxy-1.7.6

Any chance of getting the SNI pass-through to verifyhost supported into the next release? Bit of a security issue.. -- Kevin On 2017-06-16 6:31 AM, William Lallemand wrote: Hi, HAProxy 1.7.6 was released on 2017/06/16. It added 37 new commits after version 1.7.5. As you may know, I'

Re: Passing SNI value ( ssl_fc_sni ) to backend's verifyhost.

So who do I bug to actually get this coded/patched? Not being familiar with the code base myself ;) -- Kevin McArthur On 2017-05-08 3:12 PM, Lukas Tribus wrote: Hello, Am 08.05.2017 um 10:56 schrieb Daniel Schneller: Just my 2c, I very much support Kevin’s argument. Even though we are

Re: Passing SNI value ( ssl_fc_sni ) to backend's verifyhost.

t set, etc) 4. Use cases like CDN proxy of public servers. Think Cloudflare's Full SSL (Strict) setup... -- Kevin On 2017-05-05 7:20 PM, Igor Cicimov wrote: On 6 May 2017 2:04 am, "Kevin McArthur" <mailto:ke...@stormtide.ca>> wrote: When doing tls->haproxy->

Passing SNI value ( ssl_fc_sni ) to backend's verifyhost.

fc_sni However, the "verifyhost ssl_fc_sni" part doesn't work at current. Is there any chance I could get this support patched in? Most folks seem to be either ignoring the backend server validation, setting verify none, or are stripping tls altogether leaving a pretty big secur

Re: ACL & frontend : random behavior / haproxy 1.5.18-1ppp1

2016-06-10 12:50 GMT+02:00 Igor Cicimov : > > > On Fri, Jun 10, 2016 at 7:39 PM, Kevin Maziere > wrote: > >> Hi >> (in english this time,sorry for the noise) >> >> I can't explain a strange behavior of haproxy when using simple acl which >>

ACL & frontend : random behavior / haproxy 1.5.18-1ppp1

Hi (in english this time,sorry for the noise) I can't explain a strange behavior of haproxy when using simple acl which redirect to a specific backend. The frontend in which the ACL and the specific backend is set has also a default frontend. If I curl/wget/chrome/firefox/opera... on the frontend

ACL et frontend : comportement aléatoire / haproxy 1.5.18-1ppp1

Bonjour Je rencontre un problème d'acl et de redirection vers backend que je ne m'explique pas. J'ai un frontend qui envoi par default sur un backend, et en fonction d'une acl sur le hostname il envoi sur un autre backend. Et bien quand je fais un curl/wget/chome/firefox sur ce frontend avec le h

Server-sent event and Haproxy

Hi I'm trying to configure Haproxy to work with server_send events ( https://developer.mozilla.org/fr/docs/Server-sent_events/Using_server-sent_events ) and can't find any working configuration yet. I've tried to set long timeout server and client, to 'option httpclose' on backend, http tunnel-m

RE: KA-BOOM! Hit MaxConn despite higher setting in config file

Except with systemd based distros where its a unit file setting. Thanks, Kevin From: CJ Ess Sent: Saturday, April 02, 2016 6:48:56 PM To: PiBa-NL Cc: HAProxy Subject: Re: KA-BOOM! Hit MaxConn despite higher setting in config file I'm on Linux so I think

Better Environment/LED corn lights,high bay, flood light/ Decorate the world

products passed CE & RoHS, part of our high bay passed SAA. If any need, e-mail me or call me, let's talk more! Best, ______ Kevin Shaw | Skype: kevinshaw1987 | WhatsApp: +8618576470987 E: ke...@szguohui.com P: 86-755-89728329 W: www.guohui-light.com

[PATCH] DOC: specify that stats socket doc (section 9.2) is in management

Commit 44aed90ce102c4136a5eda66d541f6fa79e141e8 moved the stats socket documentation from config to management but the remaining references to section 9.2 were not updated; improve it to be less confusing. Signed-off-by: Kevin Decherf --- doc/configuration.txt | 5 +++-- 1 file changed, 3

Re: NOSRV error

Hi, - Mail original - > De: "Conrad Hoffmann" > À: "Kevin COUSIN" , haproxy@formilux.org > Envoyé: Lundi 5 Octobre 2015 15:49:36 > Objet: Re: NOSRV error > Hi, > > (comments inline) > > On 10/05/2015 03:23 PM, Kevin COUSIN wrote: >&

NOSRV error

balance source server pp-xctl01002-https 172.21.12.8:443 I got the certificate on my server If I use openssl s_client. Regards, Kevin

Re: Capture http connect request information

Le dimanche 14 juin 2015 08:28:06, vous avez écrit : > Hi Kevin, > > On Sat, Jun 13, 2015 at 10:34:07AM +0200, Kevin COUSIN wrote: > > Hi, > > > > Is it possible to capture the CONNECT method information? I try to capture > > the IP and port in http request &quo

Capture http connect request information

Hi, Is it possible to capture the CONNECT method information? I try to capture the IP and port in http request "CONNECT 172.20.69.22:5904" to create an ACL to redirect request to backend. Regards Kevin C.

SPICE Proxy with haproxy

n idea how can I setup ? Thanks a lot -- Kevin

Re: Listening only server within backend

2015-05-28 11:11 GMT+02:00 mkzero : > On Thu, May 28, 2015 at 10:44:21AM +0200, Pavlos Parissis wrote: > >> >> On 28/05/2015 10:14 πμ, Kevin Maziere wrote: >> >>> >>> >>> 2015-05-26 17:02 GMT+02:00 Lukas Tribus >> <mailto:luky...@hotmai

Re: Listening only server within backend

2015-05-26 17:02 GMT+02:00 Lukas Tribus : > > Hi the list > > > > In my backend I've many servers, and I'd like to add some that receive > > a copy of all the requests arriving to the backend. Of course haproxy > > won't reply to them after sending the request. > > I don't find any option for 'ser

Listening only server within backend

Hi the list In my backend I've many servers, and I'd like to add some that receive a copy of all the requests arriving to the backend. Of course haproxy won't reply to them after sending the request. I don't find any option for 'server' in section 5 of the docs, that will allow me to define such '

Re: haproxy locking up on migration from 1.4 to 1.5

sweet.. I found a 1.4.x snapshot via : http://snapshot.debian.org/package/haproxy/1.4.25-1~bpo70%2B1/#haproxy_1.4.25-1:7e:bpo70:2b:1 so I will run with that… this way I can do an apples to apples comparison. Maybe this is a debian issue. On Fri, Jan 2, 2015 at 4:13 PM, Kevin Burton wrote

Re: haproxy locking up on migration from 1.4 to 1.5

BTW.. wheezy back ports still only has 1.5.8… https://packages.debian.org/source/wheezy-backports/haproxy experimental has 1.5.9 though. On Fri, Jan 2, 2015 at 4:08 PM, Kevin Burton wrote: > building up in the browser, >> right? So it doesn't timeout, its just incredebily slow?

Re: haproxy locking up on migration from 1.4 to 1.5

uild the packages from source if necessary. > > OK.. Are there any specific 1.4 -> 1.5 settings we should have changed? > > No, the big change is certainly the default http-mode, but you already > fixed that to http-tunnel. > Yes. So I enabled the tunnel support on 1.5 and that

Re: haproxy locking up on migration from 1.4 to 1.5

there are stale session that don't timeout on the unix > admin socket with "show info", "show sess xy" > OK. > - check with netstat or ss whether there are sessions the should > have been long gone (like from a client ip that is inactive for >

haproxy locking up on migration from 1.4 to 1.5

We’re migrating a production haproxy 1.4 install to 1.5. The problem is that initially, it works fine, but then everything starts locking up. Essentially, one of our backends ends up VERY slow taking a long time to respond to requests and/or responds to them VERY slowly. It seems like it’s retur

HAProxy and MS Remote Desktop Gateway

thing HAproxy cannot process the MSRPC requets. Must I switch to Layer 4 LoadBalacing ? Thanks a lot Kevin C.

Re: Mix option httpchk and ssl-hello-chk

Le 22/09/2014 15:44, Baptiste a écrit : On Mon, Sep 22, 2014 at 3:33 PM, Kevin COUSIN wrote: Hi list, Can I mix the option httpchk and ssl-hello-chk to check the health of an HTTPS website ? Thanks a lot Kevin C. Hi Kevin, No, you can't. It would be easier to answer you

Mix option httpchk and ssl-hello-chk

Hi list, Can I mix the option httpchk and ssl-hello-chk to check the health of an HTTPS website ? Thanks a lot Kevin C.

Re: Spam to this list?

2014-09-05 12:28 GMT+02:00 Nicolas Grilly : > I have no advice on what to do, but I'm a regular reader of the ML and I > receive almost no spam from the ML because it is filtered in a very > efficient way by the Gmail spam filter (I use Gmail). > > That can't be a global solution > On Fri,

using haproxy.socket to add new servers.

ing serverA again: echo "remove server query_backend/serverA" | socat stdio unix-connect:/var/haproxy.socket Extracted from: https://gist.github.com/toddlers/6080314 Dr. Kevin H. Hunt - TransWorks AVP of Infrastructure Security Officer dr.kevin.h...@trnswrks.com 260-487-4610 260-487-4440 Fax

HAproxy crash when reload with systemd

cReload=/bin/bash -c "exec /usr/sbin/haproxy -D -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -sf $MAINPID" Any ideas why it crashed and how fix it ? Regards Kevin C

Re: [PATCH] Fix unhandled connections problem with systemd daemon mode and SO_REUSEPORT.

ago but we were unable to figure out why, so thanks! Seems good to me after a little test. I have just one comment: you should update your patch to use tabs instead of whitespaces like in the source code. Regards, -- Kevin Decherf - @Kdecherf GPG C610 FE73 E706 F968 612B E4B2 108A BD75

Re: Error 408 with Chrome

2014-06-04 18:31 GMT+02:00 Baptiste : > On Wed, Jun 4, 2014 at 6:05 PM, Kevin Maziere > wrote: > > > > > > > > 2014-06-04 17:10 GMT+02:00 Nenad Merdanovic : > >> > >> Hello Kevin, > >> > >> On 06/04/2014 05:05 PM, Willy Tar

Re: Error 408 with Chrome

2014-06-04 17:10 GMT+02:00 Nenad Merdanovic : > Hello Kevin, > > On 06/04/2014 05:05 PM, Willy Tarreau wrote: > > On Wed, Jun 04, 2014 at 04:49:53PM +0200, Kevin Maziere wrote: > >>> Anyway, from the various reports we get, it seems like sending an empty > >>&

Re: Error 408 with Chrome

2014-05-26 16:13 GMT+02:00 Willy Tarreau : > Hi Arnall, > > On Mon, May 26, 2014 at 11:56:52AM +0200, Arnall wrote: > > Hi Willy, > > > > same problem here with Chrome version 35.0.1916.114 m and : > > HA-Proxy version 1.4.22 2012/08/09 (Debian 6) Kernel 3.8.13-OVH > > HA-Proxy version 1.5-dev24-8

Re: Error 408 with Chrome

2014-05-26 12:05 GMT+02:00 Olivier : > 2014-05-26 11:56 GMT+02:00 Arnall : > > Hi Willy, > > > > same problem here with Chrome version 35.0.1916.114 m and : > > HA-Proxy version 1.4.22 2012/08/09 (Debian 6) Kernel 3.8.13-OVH > > HA-Proxy version 1.5-dev24-8860dcd 2014/04/26 (Debian GNU/Linux 7.5)

Re: Error 408 with Chrome

2014-05-26 11:24 GMT+02:00 Baptiste : > On Mon, May 26, 2014 at 11:16 AM, Kevin Maziere > wrote: > > Yes it is. I flush my history and after few click I have the 408 error, > and > > the error in immediat, Chrome is not loading and then showing 408 page. > > Kevin,

Re: Error 408 with Chrome

Hi [Sorry for top-posting] 2014-05-23 16:08 GMT+02:00 Willy Tarreau : > Hi Kevin, > > [guys, please could you stop top-posting, it's a total mess to try to > respond to this thread, I cannot easily take out the useless parts, > thanks]. > > On Fri, May 23, 2014

Re: Error 408 with Chrome

BTW it seems that Chrone on Ubuntu is not affected, but on mac/windows it is. 2014-05-23 15:02 GMT+02:00 Kevin Maziere : > Hi > > So the patch on the dev25 is just adding > s->req->flags &= ~CF_READ_TIMEOUT; > line previous and before aren't exactly the same

Re: Error 408 with Chrome

/2008 408 212 - - cR-- 1/1/0/0/0 0/0 "" And debug line : 2014-05-23T12:56:32+00:00 servername haproxy[23245]: Timeout detected: fe=ipv6-xxx-443 s->flags=0080 txn->flags= req->flags=00c88000 msg->flags= now_ms=690454434 req->analyse_exp=690454433 (-

Re: Error 408 with Chrome

Yes Each error is reported in the browser. Kévin 2014-05-23 14:34 GMT+02:00 Baptiste : > Kevin, > > Do you (still) see 408 errors printed in the browser??? > > Baptiste > > On Fri, May 23, 2014 at 2:17 PM, Kevin Maziere > wrote: > > Hi > > > > I

Re: Error 408 with Chrome

test the second patch asap 2014-05-23 11:50 GMT+02:00 Baptiste : > Well, your log lines says that the response was generated because the > timeout client has expired... > Last suggestion for now would to apply the patch porposed by Willy and > reported by Lukas. > > Bapitste > >

Re: Error 408 with Chrome

9 GMT+02:00 Baptiste : > On Thu, May 22, 2014 at 6:06 PM, Kevin Maziere > wrote: > > Hi > > > > I've haproxy that send a lots of "HTTP/1.1 408" error code when Chrome is > > used > > None with firefox. > > > > After few search on googl

Error 408 with Chrome

Hi I've haproxy that send a lots of "HTTP/1.1 408" error code when Chrome is used None with firefox. After few search on google and the mailing list I found some post regarding haproxy and preconnect, but I don't find any solution. I'm using latest 1.5-dev haproxy release from the ppa: HA-Proxy

Re: Backend ipv6 : server always DOWN

Hi, Thanks for your reply Kévin 2014-03-10 16:17 GMT+01:00 Cyril Bonté : > Hi, > > Le 10/03/2014 15:39, Kevin Maziere a écrit : > >> Hi >> >> I'm trying to use haproxy with ipv6 adresses in my backend, and it >> always fail. Can you confirm that is a

Backend ipv6 : server always DOWN

Hi I'm trying to use haproxy with ipv6 adresses in my backend, and it always fail. Can you confirm that is a no working feature My configuration : backend ipv6 mode http balance roundrobin option forwardfor option httpchk *server test ::1:8080 weight 5 c

Re: Just a simple thought on health checks after a soft reload of HAProxy....

here. Kevin Burke | 415-723-4116 | www.twilio.com On Tue, Jan 28, 2014 at 8:13 AM, Patrick Hemmer wrote: > *From: *Willy Tarreau > *Sent: * 2014-01-25 05:45:11 E > *To: *Patrick Hemmer > *CC: *Malcolm Turnbull , > haproxy@formilux.org > *Subject: *Re: Just a simple thought o

Hosts immediately being marked down on system start

enced this behavior, or can provide insight into the problem? Kevin Burke | 415-723-4116 | www.twilio.com

Re: Crash on removing response header

work. In my case changing Content-Length to Xontent-Length. >> rsprep ^Content-Length:(.*) Xontent-Length:\1 if is_304 The other thing that worked for me was using the built in regular expressions library instead of PCRE. HTH, Kevin On Dec 31, 2013, at 10:02 AM, William Lewis wrote:

Re: Crash on removing response header

work. In my case changing Content-Length to Xontent-Length. >> rsprep ^Content-Length:(.*) Xontent-Length:\1 if is_304 The other thing that worked for me was using the built in regular expressions library instead of PCRE. HTH, Kevin On Dec 31, 2013, at 10:02 AM, William Lewis wrote:

How would I whitelist ip addresses per backend?

will I need to apply it at the frontend for all the backends that I need a whitelist for? Thanks, Kevin

  1   2   >