ModSecurity testing

967195 1575948214.857219 [01] <1> write_frame_cb 1575948214.857648 [01] <1> Frame of 31 bytes send Testing with Haproxy 2.0.10 but same result with 1.8.23. The versions of ModSecurity is 2.9.2 and the OWASP rules v3.0.2 What am I doing wrong? Can anyone provide a request that should confirm if the module is working or not from or share the experience from their own setup? Thanks, Igor

Re: PROXY protocol and check port

Hi, On Tue, Dec 17, 2019 at 2:55 AM Olivier D wrote: > Hello, > > I found what was wrong : I was using "load-server-state-from-file" and > previous config file was using port 80 as server port. > It seems using this instruction loads previous server state but also > previous srv_port. > Is this

Re: ModSecurity testing

Hi Joao, On Sat, Dec 14, 2019 at 11:30 PM Joao Morais wrote: > > > > Em 13 de dez de 2019, à(s) 10:09, Christopher Faulet < > cfau...@haproxy.com> escreveu: > > > > Le 10/12/2019 à 05:24, Igor Cicimov a écrit : > >> > >> Testing with Haproxy 2.

Re: PROXY protocol and check port

Hi Olivier, On Tue, Dec 17, 2019 at 7:20 PM Olivier D wrote: > Hello Igor, > > > Le lun. 16 déc. 2019 à 23:41, Igor Cicimov > a écrit : > >> Hi, >> >> On Tue, Dec 17, 2019 at 2:55 AM Olivier D wrote: >> >>> Hello, >>> >>> I

Termination state IR--

xactly the same backend working fine with frontend in TCP mode using "ssl_sni" like so: frontend fe_https_tcp bind *:8443 mode tcp option tcplog tcp-request connection reject if !{ src -f /etc/haproxy/whitelist.lst } tcp-request inspect-delay 5s tcp-request content accept if { req.ssl_hello_type 1 } use_backend host.mydomain.com if { req.ssl_sni -i host.mydomain.com } Thanks, Igor

Re: Termination state IR--

Hi Christopher, On Wed, Jan 29, 2020 at 7:58 PM Christopher Faulet wrote: > Le 29/01/2020 à 05:14, Igor Cicimov a écrit : > > Hi all, > > > > I'm asking this question here since I read in the docs that if I see > "Ixxx" in > > the session "ter

Alpn in debian/ubuntu ppa 1.8

Hi, I was testing haproxy 1.8 from the ppa repository and noticed it is not build with alpn support so just wonder why? Thanks, Igor

Re: Alpn in debian/ubuntu ppa 1.8

ules are available. Distributor ID:Ubuntu Description:Ubuntu 14.04.5 LTS Release:14.04 Codename:trusty On Fri, Jan 26, 2018 at 12:39 AM, Lukas Tribus wrote: > Hello, > > On 25 January 2018 at 13:26, Igor Cicimov > wrote: > > Hi, > > > > I was testing ha

Re: Alpn in debian/ubuntu ppa 1.8

Hi Lukas, On Fri, Jan 26, 2018 at 1:04 AM, Lukas Tribus wrote: > Hello, > > > On 25 January 2018 at 14:53, Igor Cicimov > wrote: > > > > Hi, > > > > The info below, that openssl version fort he build is little bit oldish > isn't it? > &g

Re: Alpn in debian/ubuntu ppa 1.8

On Fri, Jan 26, 2018 at 1:22 AM, Igor Cicimov < ig...@encompasscorporation.com> wrote: > Hi Lukas, > > On Fri, Jan 26, 2018 at 1:04 AM, Lukas Tribus wrote: > >> Hello, >> >> >> On 25 January 2018 at 14:53, Igor Cicimov >> wrote: >> > >

Re: How can I map bindings to the correct backend?

Hi Pieter, On Thu, Jan 25, 2018 at 3:15 AM, Pieter Vogelaar wrote: > I have the following configuration: > > > > > > frontend default-tcp > > bind 192.168.52.12:5044 > > bind 192.168.52.12: > > bind 192.168.52.12:5556 > > bind 192.168.52.12:5672 > > bind 192.168.52.13:5672 > > mo

Re: How can I map bindings to the correct backend?

On Fri, Jan 26, 2018 at 2:36 AM, Pieter Vogelaar wrote: > It’s TCP layer 4 load balancing, so the HTTP hdr(host) won’t work. > > > > > > Best regards, > > Pieter Vogelaar > > > > *Van: *Igor Cicimov > *Datum: *donderdag 25 januari 2018 om 16:33

Re: Alpn in debian/ubuntu ppa 1.8

Hi Willy, On Fri, Jan 26, 2018 at 3:47 PM, Willy Tarreau wrote: > On Fri, Jan 26, 2018 at 01:26:35AM +1100, Igor Cicimov wrote: > > Or you meant using the haproxy 16.04 image actually. Ok, another option > is > > to compile it myself with the openssl version I have atm. >

Re: Alpn in debian/ubuntu ppa 1.8

Hi Willy, On Fri, Jan 26, 2018 at 6:21 PM, Willy Tarreau wrote: > Hi Igor, > > On Fri, Jan 26, 2018 at 05:07:10PM +1100, Igor Cicimov wrote: > > Hi Willy, > > > > On Fri, Jan 26, 2018 at 3:47 PM, Willy Tarreau wrote: > > > > > On Fri, Jan 26, 20

Re: HAproxy ( + UCARP ) in an Active / Passive setup

On Fri, Jan 26, 2018 at 2:28 PM, TomK wrote: > Hey All, > > We have UCARP and HAproxy configured and setup between two servers. > HAproxy is bound to the UCARP VIP between the nodes. There are four > services per hoer: four on SRV1 (primary) and same four apps on SRV2 > (secondary) We need activ

Re: HAproxy ( + UCARP ) in an Active / Passive setup

On 27 Jan 2018 4:44 pm, "TomK" wrote: On 1/26/2018 7:49 PM, Igor Cicimov wrote: > > On Fri, Jan 26, 2018 at 2:28 PM, TomK tomk...@mdevsys.com>> wrote: > > Hey All, > > We have UCARP and HAproxy configured and setup between two servers. > HApr

Re: haproxy http2 benchmark

On Wed, Jan 31, 2018 at 1:41 PM, 龙红波 wrote: > *hi all,* > *recently we are ready to upgrade to haproxy 1.8，however, when testing > HTTP2, we found a drop in performance，below is the test scenario:* > * haproxy version:* > > HA-Proxy version 1.8.3-205f675 2017/12/30 > Copyright 2

Re: Is it good practice to set up a nginx behind haproxy with h2 or not ?

On Sat, Feb 3, 2018 at 6:02 PM, wrote: > I need to set up haproxy 1.8.3 as a loadbalancer for several nginx > webservers (1.13.x). The haproxy will be set up to support h2 connections. > I am undecided if it is a good idea to setup nginx for h2 also. I > understand that haproxy will be able to ta

Re: Is it good practice to set up a nginx behind haproxy with h2 or not ?

On Mon, Feb 5, 2018 at 12:12 AM, Aleksandar Lazic wrote: > Hi. > > > Am 03-02-2018 10:25, schrieb Igor Cicimov: > > On Sat, Feb 3, 2018 at 6:02 PM, wrote: >> >> I need to set up haproxy 1.8.3 as a loadbalancer for several nginx >>> webservers (1.13.x). T

Re: haproxy 1.8.3 has a very slow tc time after some time of running

On 6 Feb 2018 4:38 am, "Kai Timmer" wrote: Hello, I recently tried to update from v1.6.14 to v1.8.3 but experienced a lot of problems with it. I do hope that I made mistake in my configuration that works in 1.6 but blows up my system up in 1.8. So I'm going to describe my setup/workload and hope

Re: haproxy 1.8.3 has a very slow tc time after some time of running

bytes > Max address space unlimitedunlimitedbytes > Max file locksunlimitedunlimitedlocks > Max pending signals 3140131401signals > Max msgqueue size 819200

Re: Plans for 1.9

Hi Willy,​ On Fri, Feb 9, 2018 at 1:16 AM, Willy Tarreau wrote: Fred plans to bring SSL support to the peers among > other things, and is working on a regression testing suite (yeah!). ​Does this mean it will be possible to share the sessions tickets between the peers?​

Syslog with systemd

I doing wrong? ​Thanks, Igor​

Re: Syslog with systemd

On Wed, Feb 28, 2018 at 3:28 PM, Igor Cicimov < ig...@encompasscorporation.com> wrote: > Hi all, > > I have haproxy 1.7.10-1ppa1~xenial installed on Ubuntu-16.04 and > struggling to enable rsyslog-ing for the service. > > I have rsyslog running and the following haproxy r

Re: Syslog with systemd

On Wed, Feb 28, 2018 at 3:33 PM, Igor Cicimov < ig...@encompasscorporation.com> wrote: > > > On Wed, Feb 28, 2018 at 3:28 PM, Igor Cicimov com> wrote: > >> Hi all, >> >> I have haproxy 1.7.10-1ppa1~xenial installed on Ubuntu-16.04 and >> struggling t

Re: Syslog with systemd

Hi Vincent, On Wed, Feb 28, 2018 at 5:14 PM, Vincent Bernat wrote: > ❦ 28 février 2018 15:50 +1100, Igor Cicimov com> : > > > ​Actually spoke too soon, still have an issue. One of the servers started > > logging there but then stopped and on the other the file is sti

Re: Syslog with systemd

On Wed, Feb 28, 2018 at 5:51 PM, Igor Cicimov < ig...@encompasscorporation.com> wrote: > Hi Vincent, > > On Wed, Feb 28, 2018 at 5:14 PM, Vincent Bernat wrote: > >> ❦ 28 février 2018 15:50 +1100, Igor Cicimov < >> ig...@encompasscorporation.com> : >> &g

Re: Syslog with systemd

Hi Vincent, On Wed, Feb 28, 2018 at 6:18 PM, Vincent Bernat wrote: > ❦ 28 février 2018 17:51 +1100, Igor Cicimov com> : > > >> > ​Actually spoke too soon, still have an issue. One of the servers > started > >> > logging there but then stopped and on

Re: Syslog with systemd

On Wed, Feb 28, 2018 at 9:28 PM, Vincent Bernat wrote: > ❦ 28 février 2018 21:00 +1100, Igor Cicimov com> : > > > ​# ls -l /var/lib/haproxy/dev/log > > srw-rw-rw- 1 root root 0 Feb 28 16:06 /var/lib/haproxy/dev/log > > > > # lsof -n -p $(pidof haproxy) | gre

Re: Syslog with systemd

On Thu, Mar 1, 2018 at 2:08 AM, Vincent Bernat wrote: > ❦ 28 février 2018 22:14 +1100, Igor Cicimov com> : > > > ​Same, no logging:​ > [...] > > Could you strace rsyslogd and check if it is receiving the messages? ​Sure: # pidof rsyslogd 4145 # strace -p 4145 strac

Re: Syslog with systemd

On Thu, Mar 1, 2018 at 5:08 PM, Vincent Bernat wrote: > ❦ 1 mars 2018 09:53 +1100, Igor Cicimov > : > > >> > ​Same, no logging:​ > >> [...] > >> > >> Could you strace rsyslogd and check if it is receiving the messages? > > > > >

Re: Syslog with systemd

On Fri, Mar 2, 2018 at 5:49 PM, Vincent Bernat wrote: > ❦ 2 mars 2018 09:49 +1100, Igor Cicimov > : > > > $ ls -l /var/log/haproxy.log > > -rw-r- 1 syslog adm 48939 Mar 1 20:17 /var/log/haproxy.log > > > > ​and I'm sure this file was automatically c

Re: [ANNOUNCE] haproxy-1.7.1

Hello, does TFO on the server side now implemented? On Wed, Jan 4, 2017 at 2:56 PM, Willy Tarreau wrote: > On Tue, Jan 03, 2017 at 06:21:18PM +0100, Lukas Tribus wrote: >> Hi Igor, >> >> >> Am 16.12.2016 um 12:52 schrieb Igor Pav: >> > Cool, even TLS 1

Re: Can HA-Proxy set an header when he "breaks" stick routing

e problem I'm having is that you don't describe exactly what you're > trying to achieve nor how you want to use that information about the > broken stickiness, so it's very hard for me to try to figure a working > solution. I propose

Re: Can HA-Proxy set an header when he "breaks" stick routing

server name can help. It will have value of Server1 for the first requests that have fell over to Server2 so checking the value will tell you it came from different server. > > Best regards, > > > > Gisle > > > > > > *From: *Igor Cicimov > *Date: *Thursday, 22 M

Re: Can HA-Proxy set an header when he "breaks" stick routing

On Thu, Mar 22, 2018 at 10:42 PM, Igor Cicimov < ig...@encompasscorporation.com> wrote: > Hi, > > On Thu, Mar 22, 2018 at 6:24 PM, Gisle Grimen > wrote: > >> Hi, >> >> >> >> Thank you for your response. >> >> >> >> To be

Re: Question regarding haproxy backend behaviour

On Mon, 16 Apr 2018 6:09 pm Ayush Goyal wrote: > Hi Moemen, > > Thanks for your response. But I think I need to clarify a few things here. > > On Mon, Apr 16, 2018 at 4:33 AM Moemen MHEDHBI > wrote: > >> Hi >> >> On 12/04/2018 19:16, Ayush Goyal wrote: >> >> Hi, >> >> I have a question regarding

Re: HAProxy Healthcheck issue using Virtual hostname

Hi, On Fri, Apr 27, 2018 at 3:03 PM, Sen wrote: > Hi > > I have an app deployed in Pivotal Cloudfoundry (PCF) and to route traffic > to an app in PCF, we have to use application route name (virtual hostname). > > We have PCF in two different datacenters and I need to load balance the > traffic t

Re: HAProxy Healthcheck issue using Virtual hostname

On Fri, May 4, 2018 at 5:01 PM, Lukas Tribus wrote: > Hello Igor, Sen, > > > On 4 May 2018 at 08:46, Igor Cicimov > wrote: > > Have you tried: > > > > option httpchk GET /env HTTP/1.1\r\nHost:\ %[req.hdr(Host)] > > When you are health checking, you don

Re: Haproxy support for handling concurrent requests from different clients

On Fri, 11 May 2018 8:01 pm Mihir Shirali wrote: > Thanks Aleksandar for the help! > I did look up some examples for setting 503 - but all of them (as you've > indicated) seem based on src ip or src header. I'm guessing this is more > suitable for a DOS/DDOS attack? In our deployment, the likeli

error: 'all_threads_mask' undeclared (first use in this function)

Hello! I've tried to create haproxy 1.8.9 RPM package using rpmbuild and got the folowing error: error: 'all_threads_mask' undeclared (first use in this function) Could you please help me to resolve it? rpmbuild -ba ~/rpmbuild/SPECS/haproxy.spec warning: bogus date in %changelog: Tue May 09 2007

Re: tcp-check expect with exclamation mark

Hi Dmitriy, On Thu, Jun 21, 2018 at 12:45 PM, Dmitriy Kuzmin wrote: > Greetings > > I’m using haproxy to load balance readonly queries between redis slaves. > I want to use health check system to exclude slaves from load balancing, > that are in a process of sync with master. > The idea is to lo

Re: cookie insert method secure

ni in essa contenute sono > da considerarsi strettamente riservate. > > This email is confidential, do not use the contents for any purpose > whatsoever nor disclose them to anyone else. If you are not the intended > recipient, you should not copy, modify, dis

Re: cookie insert method secure

On Sun, Jun 24, 2018 at 11:28 PM, mlist wrote: > Hi Igor, > > as I see, this is not true. > > > > I think ssl_fs is just persisted between request and response as this work > fine without setting vars (as for below example), *but never works for > cookie header

Re: TLS handshake works with certificate name mismatch using "verify required" and "verifyhost"

error, please notify the sender immediately > and delete the Message from your system, any use of the Message is > forbidden. Correspondence via e-mail is primarily for information purposes. > RBI neither makes nor accepts legally binding statements via e-mail unless > explicitly agreed otherwise. Information pursuant to § 14 Austrian > Companies Code: Raiffeisen Bank International AG; Registered Office: Am > Stadtpark 9 > <https://maps.google.com/?q=Am+Stadtpark+9&entry=gmail&source=g>, 1030 > Vienna,Austria; Company Register Number: FN 122119m at the Commercial Court > of Vienna (Handelsgericht Wien). > ​Regards, Igor​

Re: TLS handshake works with certificate name mismatch using "verify required" and "verifyhost"

On Fri, Jul 13, 2018 at 11:08 AM, Igor Cicimov < ig...@encompasscorporation.com> wrote: > Hi Martin, > > On Thu, Jul 12, 2018 at 6:55 PM, Martin RADEL < > martin.ra...@rbinternational.com> wrote: > >> Hi all, >> >> >> >> we have a str

Re: TLS handshake works with certificate name mismatch using "verify required" and "verifyhost"

On Fri, Jul 13, 2018 at 11:26 AM, Igor Cicimov < ig...@encompasscorporation.com> wrote: > On Fri, Jul 13, 2018 at 11:08 AM, Igor Cicimov < > ig...@encompasscorporation.com> wrote: > >> Hi Martin, >> >> On Thu, Jul 12, 2018 at 6:55 PM, Martin RADEL <

Re: Help with environment variables in config

On Sat, Jul 21, 2018 at 4:49 PM, jdtommy wrote: > here is my simple `listen` section of the haproxy config file: > > listen graph_front >bind *:8182 >mode tcp >server graph_server graph.server.com:8182 > > this works just fine, but I need the address and port to be a e

Re: Help with environment variables in config

On Sat, Jul 21, 2018 at 7:12 PM, Jonathan Matthews wrote: > On Sat, 21 Jul 2018 at 09:12, jdtommy wrote: > >> I am setting them before I start haproxy in the terminal. I tried both >> starting it as a service and starting directly, but neither worked. It >> still would not forward it along. >> >

Re: haproxy and changing ELB IPs

Hi, On Sat, Aug 4, 2018 at 1:50 AM, K3 wrote: > Hi, > We are running into a problem and would like to hear any advice. > > Our Setup: > We use haproxy 1.7.7 with two backends. > One of the backends is AWS ELB > The haproxy is running on a linux machine in our data center (on premises) > > Proble

Re: haproxy and changing ELB IPs

Hi Lukas, On Sat, Aug 4, 2018 at 11:19 PM, Lukas Tribus wrote: > On Sat, 4 Aug 2018 at 14:21, Igor Cicimov > wrote: > > > > Hi, > > > > On Sat, Aug 4, 2018 at 1:50 AM, K3 wrote: > >> > >> Hi, > >> We are running into a problem and wo

Re: HaProxy question

Hi Jonathan, On Tue, Aug 7, 2018 at 9:43 AM, Jonathan Opperman wrote: > Hi All, > > I am hoping someone can give me some tips and pointers on getting > something working > in haproxy that could do the following: > > I have installed haproxy and put a web server behind it, the proxy has 2 > inter

Re: HaProxy question

On Tue, Aug 7, 2018 at 10:53 AM, Igor Cicimov < ig...@encompasscorporation.com> wrote: > Hi Jonathan, > > On Tue, Aug 7, 2018 at 9:43 AM, Jonathan Opperman > wrote: > >> Hi All, >> >> I am hoping someone can give me some tips and pointers on getting >&g

Re: HaProxy question

Hi Jonathan, I'll keep bottom posting otherwise the thread will become a real mess and very hard to follow historically. On Sun, Aug 12, 2018 at 9:19 PM Jonathan Opperman wrote: > Hi Igor, > > Not 100% sure what you mean here with the redirect to the proxy bind on > that po

Re: Clarification re Timeouts and Session State in the Logs

Hi Daniel, We had similar issue in 2015, and the answer was: server timeout was too short. Simple. On Thu, 23 Aug 2018 9:56 pm Daniel Schneller < daniel.schnel...@centerdevice.com> wrote: > Friendly bump. > I'd volunteer to do some documentation amendments once I understand the > issue better :D

Re: HAProxy keeps using outdated IPs when backend (ELB) address changes

; - > > > -- > Daniel Schneller > Principal Cloud Engineer > > CenterDevice GmbH > Rheinwerkallee 3 > 53227 Bonn > www.centerdevice.com > > __ > Geschäftsführung: Dr. Patrick Peschlow, Dr. Lukas Pustina, Michael > Rosbach, Handelsregister-Nr.: HRB 18655, HR-Gericht: Bonn, > USt-IdNr.: DE-815299431 > > Diese E-Mail einschließlich evtl. beigefügter Dateien enthält vertrauliche > und/oder rechtlich geschützte Informationen. Wenn Sie nicht der richtige > Adressat sind oder diese E-Mail irrtümlich erhalten haben, informieren > Sie bitte sofort den Absender und löschen Sie diese E-Mail und evtl. > beigefügter Dateien umgehend. Das unerlaubte Kopieren, Nutzen oder > Öffnen evtl. beigefügter Dateien sowie die unbefugte Weitergabe > dieser E-Mail ist nicht gestattet. > > > -- Igor Cicimov | DevOps p. +61 (0) 433 078 728 e. ig...@encompasscorporation.com <http://encompasscorporation.com/> w*.* www.encompasscorporation.com a. Level 4, 65 York Street, Sydney 2000

Re: HAProxy listed as Ingress controllers

On Wed, 26 Sep 2018 4:34 am Aleksandar Lazic wrote: > Hi Daniel. > > Thank you also to clarify this topic. > > I strongly suggest to develop a operator and not only a controller, as > this is a more future oriented pattern, imho. > > https://www.startpage.com/do/search?query=kubernetes+operator >

Re: confused by HAProxy log line

The NOSRV can simply mean you have received a request that does not match your backend selection acls, common to bots probing for wordpress login page etc. On Fri, 12 Oct 2018 12:23 am Michał Pasierb wrote: > Hello, > > I did not mention it but all servers in c_backend have a httpchk > configure

Re: apache proxy pass rules in HAproxy

On Wed, Oct 24, 2018 at 11:35 AM Imam Toufique wrote: > Not completely there yet, but I at least got the backend server login > screen to come up with the following: > > frontend > acl host_web3 path_beg /jhub > use_backend web3_cluster if host_web3 > > backend > backend web3_cluster >mode ht

Re: Lots of PR state failed connections with HTTP/2 on HAProxy 1.8.14

On Wed, Oct 24, 2018 at 9:16 AM James Brown wrote: > > I tested enabling HTTP/2 on the frontend for some of our sites today and > immediately started getting a flurry of failures. Browsers (at least Chrome) > showed a lot of SPDY protocol errors and the HAProxy logs had a lot of lines > ending

Re: Lots of PR state failed connections with HTTP/2 on HAProxy 1.8.14

On Wed, 24 Oct 2018 5:06 pm Aleksandar Lazic wrote: > Hi. > > Am 24.10.2018 um 03:02 schrieb Igor Cicimov: > > On Wed, Oct 24, 2018 at 9:16 AM James Brown wrote: > >> > >> I tested enabling HTTP/2 on the frontend for some of our sites today > and immediately

Re: apache proxy pass rules in HAproxy

On Thu, 25 Oct 2018 6:13 pm Imam Toufique wrote: > so I almost got this to work, based on the situation I am in. To > elaborate just a bit, my setup involves a shibboleth SP that I need to > authenticate my application. Since I can't set up the HA proxy node with > shibboleth SP - I had to wrap

Re: apache proxy pass rules in HAproxy

On Thu, Oct 25, 2018 at 6:31 PM Igor Cicimov wrote: > > > On Thu, 25 Oct 2018 6:13 pm Imam Toufique wrote: > >> so I almost got this to work, based on the situation I am in. To >> elaborate just a bit, my setup involves a shibboleth SP that I need to >> authent

Re: apache proxy pass rules in HAproxy

t; authenticate with shibboleth, and then the URL in the browser points to the > backend node. > > For example: > > my proxy address: https://proxy.domain.com/jhub > > after I connect to the backend, the URL turns into - > https://crsplabweb1.domain.com/jhub/tree? > > ...an

Re: apache proxy pass rules in HAproxy

Hi Imam, On Sat, Oct 27, 2018 at 4:42 PM Imam Toufique wrote: > Hi Igor, > > Thanks very much for offering to help! I will do this in sections, > hopefully, I can keep this from being too cluttered. >

Re: apache proxy pass rules in HAproxy

Well you need to point crsplabweb2.example.com to the haproxy IP that's the whole point of it running behind a proxy. Or am I missing something? On Mon, Oct 29, 2018 at 1:28 PM Imam Toufique wrote: > Hi Igor, > > Thank you so much, I will definitely try your suggestions, but I am

Re: apache proxy pass rules in HAproxy

issing something? " > > Well, I am not sure what you meant by that comment above. > > On Sun, Oct 28, 2018 at 8:07 PM Igor Cicimov < > ig...@encompasscorporation.com> wrote: > >> Well you need to point crsplabweb2.example.com to the haproxy IP that's >>

Re: enabling H2 slows down my webapp, how to use keep-alive on backend ssl connection?

Hi Lukas, On Tue, Oct 30, 2018 at 2:42 AM Lukas Tribus wrote: > > Hi, > > > On Sun, 28 Oct 2018 at 23:47, PiBa-NL wrote: > > > > Hi List, > > > > When i enable H2 'alpn h2,http/1.1' on haproxy bind line with offloading > > 'mode http'. The overall loading of a web-application i use takes longer

Re: enabling H2 slows down my webapp, how to use keep-alive on backend ssl connection?

On Tue, Oct 30, 2018 at 10:15 AM Lukas Tribus wrote: > On Mon, 29 Oct 2018 at 23:55, Igor Cicimov > wrote: > > > > However when enabling H2 on the frontend the connection to the > webserver > > > > (which itself is also made with SSL encryption) is made for

Re: haproxy used to redirect sql server with ssl

On Tue, Oct 30, 2018 at 2:45 AM Marcos Gonzalez wrote: > > Hi list > > I'm using haproxy to redirect traffic directly to backend server. We are > looking how to load balance sql servers directly, and this works, but I don't > know how to add ssl support. > > I'm using this config setup and works

OCSP stapling with multiple domains

Hi, # haproxy -v HA-Proxy version 1.8.14-1ppa1~xenial 2018/09/23 Copyright 2000-2018 Willy Tarreau I noticed that in case of multiple domains and OCSP setup: # ls -1 /etc/haproxy/ssl.d/*.ocsp /etc/haproxy/ssl.d/star_domain2_com.crt.ocsp /etc/haproxy/ssl.d/star_domain_com.crt.ocsp /etc/haproxy/s

Re: h2 & server PUSH

On Mon, 12 Nov 2018 4:23 am Louis Chanouha Hello, > > If I'm right (I may have missed some exchanges in mailing), h2 main > improvement in 1.9 will be end2end working. So to have an h2 with Server > Push, we will need to have h2 enabled backends. > > Is a server push initiated by HAProxy based on

Re: OCSP stapling with multiple domains

On Sun, Nov 11, 2018 at 2:48 PM Igor Cicimov wrote: > Hi, > > # haproxy -v > HA-Proxy version 1.8.14-1ppa1~xenial 2018/09/23 > Copyright 2000-2018 Willy Tarreau > > I noticed that in case of multiple domains and OCSP setup: > > # ls -1 /etc/haproxy/ssl.d/

Re: Generic backend in HAProxy config with server options as placeholders

On Thu, Nov 15, 2018 at 1:36 AM Aleksandar Lazic wrote: > Hi Vijay. > > Am 14.11.2018 um 10:14 schrieb Vijay Bais: > > Hello Aleksandar, > > > > We already considered using haproxy maps but we still have to define N > backends > > for corresponding N keys in the map file. > > I'm looking more at

Re: OCSP stapling with multiple domains

Hi Moemen, On Tue, Nov 27, 2018 at 1:24 AM Moemen MHEDHBI wrote: > > > On 11/14/18 1:34 AM, Igor Cicimov wrote: > > On Sun, Nov 11, 2018 at 2:48 PM Igor Cicimov > wrote: >> >> Hi, >> >> # haproxy -v >> HA-Proxy version 1.8.14-1ppa1~xenial

cannot auth squid_kerb_auth farm behind haproxy

Hello everybody, I have a farm of three squid proxies, pointing one of them individualy, in a browser for example, I can authenticate (kerberos authentication via squid_kerb_auth) but when I point the browser to the vip I cannot authenticate. Does anybody have a clue about how can I authenticate vi

effect of adding `cookie` option to server

ter 1s rise 1 fall 1 AND listen helloworld bind :80 mode http option httplog server srv1 10.0.2.15:9494 check inter 1s rise 1 fall 1 cookie srv1 server srv2 10.0.2.15:9495 check inter 1s rise 1 fall 1 cookie srv2 thanks! --igor

Re: How to edit backend members in realtime without HAProxy restart

becomes available again, but every time a backend is added Synapse restarts haproxy * there's no connector yet for plugging Synapse into consul; this would need to be written. --igor On Thu, Jun 19, 2014 at 6:02 PM, Justin Franks wrote: > Hello, > > We are using Consul, written by

Re: Frontend ACL rewrites URL incorrectly to backend

ke a tcp dump of the traffic entering apache. In that way you will find the culprit for sure. Cheers, Igor On Tue, Oct 6, 2015 at 9:22 AM, Daren Sefcik wrote: > As I wrote in my previous emails it is not just a WP problem but several > other sites also that behave weird but some others are ju

Re: HTTP Response Rewriting to Replace Internal IP with FQDN

to bla bla". > > > server Product1.VM0 cookie c check > > > > Thank you. > > -- > > Sincerely, > > Susheel Jalali > > Coscend Communications Solutions > > Elite Premio Complex Suite 200, Pune 411045 Maharashtra India > susheel.jal...@coscend.com > > Web site: www.Coscend

Re: About maxconn and minconn

On Thu, Oct 8, 2015 at 12:18 AM, Dmitry Sivachenko wrote: > Hello, > > I am using haproxy-1.5.14 and sometimes I see the following errors in the > log: > > Oct 7 08:33:03 srv1 haproxy[77565]: unix:1 [07/Oct/2015:08:33:02.428] > MT-front MT_RU_EN-back/ 0/1000/-1/-1/1000 503 212 - - sQ-- > 125/124

Re: About maxconn and minconn

On Thu, Oct 8, 2015 at 11:51 AM, Igor Cicimov < ig...@encompasscorporation.com> wrote: > > > On Thu, Oct 8, 2015 at 12:18 AM, Dmitry Sivachenko > wrote: > >> Hello, >> >> I am using haproxy-1.5.14 and sometimes I see the following errors in the >>

Re: About maxconn and minconn

On Thu, Oct 8, 2015 at 7:15 PM, Dmitry Sivachenko wrote: > > > On 7 окт. 2015 г., at 16:18, Dmitry Sivachenko > wrote: > > > > Hello, > > > > I am using haproxy-1.5.14 and sometimes I see the following errors in > the log: > > > > Oct 7 08:33:03 srv1 haproxy[77565]: unix:1 [07/Oct/2015:08:33:02

Re: [blog] What's new in HAProxy 1.6

On 14/10/2015 9:41 PM, "Baptiste" wrote: > > Hey, > > I summarized what's new in HAProxy 1.6 with some configuration > examples in a blog post to help quick adoption of new features: > http://blog.haproxy.com/2015/10/14/whats-new-in-haproxy-1-6/ > > Baptiste > Awesome, thank you! Igor

Re: Need some help configuring backend health checks

On 30/10/2015 4:48 PM, "Daren Sefcik" wrote: > > So I think those links were the right idea and I have been trying different configurations but am not quite there and am hoping somebody can offer a bit more guidance. > > So when I telnet to the icap server I type in the OPTIONS line followed by (2

Re: questions for haproxy 1.5

On 30/10/2015 11:18 PM, "Labedan, Alain" wrote: > > Hi, > > > > I have HAPROXY in front of servers backend which are load balanced. > > > > - For terminated SSL haproxy, I want HAproxy give the good certificate to the client associated with the good domain . > > I’ve not found how to conf

Re: questions for haproxy 1.5

On 31/10/2015 2:03 AM, "Igor Cicimov" wrote: > > > On 30/10/2015 11:18 PM, "Labedan, Alain" wrote: > > > > Hi, > > > > > > > > I have HAPROXY in front of servers backend which are load balanced. > > > > > > >

Re: Need some help configuring backend health checks

On 31/10/2015 3:14 AM, "Daren Sefcik" wrote: > > > > On Thu, Oct 29, 2015 at 11:15 PM, Igor Cicimov < ig...@encompasscorporation.com> wrote: >> >> >> On 30/10/2015 4:48 PM, "Daren Sefcik" wrote: >> > >> > So I think those

Re: tcp-check with persistent session cookie ?

On 07/11/2015 8:01 AM, "Sébastien ROHAUT" wrote: > > Hi, > > We encountered a big problem this afternoon, which crashed for a while one of our websites, a java (tomcat+lift) application. We are using Haproxy 1.5. > > For our backend, we're doing something like this, using tcp-check because we need

Re: acl regex

On 12/11/2015 5:30 PM, "Guillaume Bourque" < guillaume.bour...@logisoftech.com> wrote: > > Hello Bryan > > I’m running haproxy 1.5.4 and I can’t find any example on how to user req.uri if you could give a examples on how to match a specific query to redirect to another > > From http://domain/pages/

Re: acl regex

eg/?lang=$ > # off acl fr_topurlp_reg(lang\=$,?) -m > found > # off acl fr_topurlp_reg(lang\=$,?) -m > found > > but with no luck > > thanks > > --- > Guillaume Bourque, B.Sc., &g

Re: HAProxy and backend on the same box

On 13/11/2015 1:04 AM, "jaleel" wrote: > > Hello, > > I am trying to setup the following for deployment > > I have 2 servers. > server1: eth0:10.200.2.211 (255.255.252.0) > eth1: 192.168.10.10 (255.255.255.0) > server2: eth0: 10.200.2.242 (255.255.252.0) > eth1: 192.168.20.

Re: Selecting back end from host header

On Sun, Nov 15, 2015 at 1:21 AM, SL wrote: > Hi, > > We have quite a large number of backends, and are selecting which back end > to use based on the host specified in the request. (Note these are not > loadbalanced, we have to target them individually). > > Currently we are doing this with ACLs

Re: Owncloud through Haproxy makes upload not possible

On 20/11/2015 7:23 AM, "Piotr Kubaj" wrote: > > On 11/19/2015 17:01, Janusz Dziemidowicz wrote: > > 2015-11-19 15:45 GMT+01:00 Piotr Kubaj : > >> Now, about RSA vs ECDSA. I simply don't trust ECDSA. There are quite a > >> lot of questions about constants used by ECDSA, which seem to be > >> chosen

Re: SSLv2Hello is disabled

On 02/12/2015 12:41 AM, "Cohen Galit" wrote: > > Hello, > > > > When HAProxy 1.5.9 is trying to sample our servers with this configuration: tcp-check connect port 50443 ssl > > > > Our servers returns an error: > > > > 2015-11-29 09:48:18,155 [StartPoint-IMAP-SSL-Worker(14)] [e8d05153-267f-4378-9a

RE: SSLv2Hello is disabled

On 02/12/2015 10:19 AM, "Lukas Tribus" wrote: > > > On 02/12/2015 12:41 AM, "Cohen Galit" > > mailto:galit.co...@xura.com>> wrote: > > > > > > Hello, > > > > > > > > > > > > When HAProxy 1.5.9 is trying to sample our servers with this > > configuration: tcp-check connect port 50443 ssl > > > > > >

Re: Questions Aboute the PEM Phrase.

On 03/12/2015 6:54 AM, "Jesus Moran" wrote: > > Hello. > > Excelent work whit this tool. > > Today i was integrating haproxy 1.5 whit SSL and was easy and fast, but i wave a litte issue. > > When i create the .key file i add it a phrase. > > > i cerate the certificate with GoDaddy. And Now Alway w

Re: lua authentication

erlist' block > > thx in advance for your time > > Excellent question. One feature I would love to see in haproxy is support for ldap authentication. It would be awesome If that could be done via lua. Thanks, Igor

Re: Official haproxy blog uses a stickiness table of size 1 (just 1, no suffix). Is this OK?

On Mon, Jan 4, 2016 at 10:57 PM, Mike MacCana wrote: > I'm investigating active/passive HAProxy setups and came across the > following from the official HAProxy blog. At http://blog.haproxy > .com/2014/01/17/emulating-activepassing-application-clustering-with- > haproxy/ > > backend bk_app >

Re: Set State to DRAIN vs set weight 0

On Sat, Jan 16, 2016 at 7:36 AM, Alex wrote: > Hello, > > I was testing haproxy version 1.6.3 and I am a bit confused regarding > draining a server. > > According to the documentation: > set server / state [ ready | drain | maint ] > [...] Setting the mode to "drain" only removes the server from

<    1   2   3   4   >