Prior to the change, spoa is installed under DESTDIR with name `bin`
---
Makefile | 1 +
1 file changed, 1 insertion(+)
diff --git a/Makefile b/Makefile
index 5de6135ec7d6..52eb43e5f938 100644
--- a/Makefile
+++ b/Makefile
@@ -68,6 +68,7 @@ spoa: $(OBJS)
$(LD) $(LDFLAGS) -o $@ $^ $(LDLIBS
HAProxy is documented to support gcc >= 3.4 as per INSTALL file, however
hlua.c makes use of c11 only loop initial declarations leading to build
failure when using gcc-4.9.4:
x86_64-unknown-linux-gnu-gcc -Iinclude -Wchar-subscripts -Wcomment -Wformat
-Winit-self -Wmain -Wmissing-braces -Wno-pr
testdir can be a very long directory since it depends on source
directory path, this can lead to failure during tests when UNIX socket
path exceeds maximum allowed length of 97 characters as defined in
str2sa_range().
16:48:14 [ALERT] *** h1debug|(10082) : config : parsing
[/tmp/haregt
spoa server fails to build when python3.8 is not available. If
python3-config --embed fails, the output of the command is registered in
check_python_config. However when it's later used to define
PYTHON_DEFAULT_INC and PYTHON_DEFAULT_LIB it's content does not match
and fallback to python2.7
Conte
When V=1 is used in conjuction with help, the output becomes pretty
difficult to read properly.
$ make TARGET=linux-glibc V=1 help
..
DEBUG_USE_ABORT: use abort() for program termination, see
include/haproxy/bug.h for details
echo; \
if [ -n "" ]; then \
if [ -n "" ]; then \
This is a pretty lame commit in a attempt to use a common wording of
HAProxy used 1319 times compared to HAproxy used 18 times
---
contrib/syntax-highlight/haproxy.vim | 2 +-
doc/SPOE.txt | 2 +-
doc/architecture.txt | 2 +-
doc/internals/htx-api.txt
This is a pretty lame commit in a attempt to use a common wording of
HAProxy used 1319 times compared to HAproxy used 10 times
---
doc/internals/filters.txt | 2 +-
doc/intro.txt | 8
doc/management.txt| 2 +-
examples/haproxy.init | 2 +-
scripts/run-regtests.sh
This is a pretty lame commit in a attempt to use a common wording of
HAProxy used 1319 times compared to HAproxy used 18 times
---
contrib/syntax-highlight/haproxy.vim | 2 +-
doc/SPOE.txt | 2 +-
doc/architecture.txt | 2 +-
doc/internals/htx-api.txt
On Sunday, January 17 2021 at 20:02:47 +0100, Tim Düsterhus wrote:
> Bertrand,
>
> Am 17.01.21 um 19:58 schrieb Bertrand Jacquin:
> > This is a pretty lame commit in a attempt to use a common wording of
> > HAProxy used 1319 times compared to HAproxy used 10 times
>
>
This is a pretty lame commit in a attempt to use a common wording of
HAProxy used 1319 times compared to HA-Proxy used 10 times
---
doc/internals/filters.txt | 2 +-
doc/intro.txt | 8
doc/management.txt| 2 +-
examples/haproxy.init | 2 +-
scripts/run-regtests.sh
On Sunday, January 17 2021 at 20:28:40 +0100, Tim Düsterhus wrote:
> Bertrand,
>
> Am 17.01.21 um 20:19 schrieb Bertrand Jacquin:
> > On Sunday, January 17 2021 at 20:02:47 +0100, Tim Düsterhus wrote:
> >> Bertrand,
> >>
> >> Am 17.01.21 um 19:58 schrie
Hi Willy,
On Wednesday, January 20 2021 at 19:54:09 +0100, Willy Tarreau wrote:
> On Mon, Jan 18, 2021 at 08:47:43AM +0100, William Lallemand wrote:
> > Hello Bertrand,
> >
> > On Sun, Jan 17, 2021 at 06:58:46PM +0000, Bertrand Jacquin wrote:
> > > This is a pret
glibc < 2.10 requires _GNU_SOURCE in order to make use of strsignal(),
otherwise leading to SEGV at runtime.
$ make V=1 TARGET=linux-glibc-legacy USE_THREAD= USE_ACCEPT4=
..
src/mworker.c: In function 'mworker_catch_sigchld':
src/mworker.c:285: warning: implicit declaration of function 'st
hlua_init() uses 'idx' only in openssl related code, while 'i' is used
in shared code and is safe to be reused. This commit replaces the use of
'idx' with 'i'
$ make V=1 TARGET=linux-glibc USE_LUA=1 USE_OPENSSL=
..
cc -Iinclude -O2 -g -Wall -Wextra -Wdeclaration-after-statement -fwrapv
-Wn
Lua requires LLONG_MAX defined with __USE_ISOC99 which is set by
_GNU_SOURCE, not necessarely defined by default on old compiler/glibc.
$ make V=1 TARGET=linux-glibc-legacy USE_THREAD= USE_ACCEPT4= USE_PCRE=1
USE_OPENSSL=1 USE_ZLIB=1 USE_LUA=1
..
cc -Iinclude -O2 -g -Wall -Wextra -Wdeclar
According to INSTALL file, OpenSSL 1.0.2 is still supported by HAProxy,
however OpenSSL 1.0.2 lacking CRYPTO_memcmp(), haproxy does not build:
$ make V=1 TARGET=linux-glibc USE_NS= USE_OPENSSL=1
..
cc -Iinclude -O2 -g -Wall -Wextra -Wdeclaration-after-statement -fwrapv
-Wno-unused-label -
Hi,
On Thursday, January 21 2021 at 22:34:27 +0100, Tim Düsterhus wrote:
> Bertrand,
>
> Note: I was the contributor that added the secure_memcmp converter.
>
> Am 21.01.21 um 22:16 schrieb Bertrand Jacquin:
> > diff --git a/doc/configuration.txt b/doc/configuration.txt
&
On Friday, January 22 2021 at 00:58:06 +0100, Tim Düsterhus wrote:
> Bertrand,
>
> Am 22.01.21 um 00:45 schrieb Bertrand Jacquin:
> >> The strcmp converter is not binary safe. It uses strncmp internally.
> >
> > It is not indeed, what do you think of im
---
INSTALL | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/INSTALL b/INSTALL
index 32c0dd338fb5..7d3cbf4ba5c4 100644
--- a/INSTALL
+++ b/INSTALL
@@ -213,7 +213,7 @@ to forcefully enable it using "USE_LIBCRYPT=1".
4.5) Cryptography
-
For SSL/TLS, it is necess
According to INSTALL file, OpenSSL 1.0.1d is still supported by HAProxy,
however OpenSSL 1.0.2 lacking CRYPTO_memcmp(), haproxy does not build:
$ make V=1 TARGET=linux-glibc USE_NS= USE_OPENSSL=1
..
cc -Iinclude -O2 -g -Wall -Wextra -Wdeclaration-after-statement -fwrapv
-Wno-unused-label
gcc returns non zero code if an option is not supported (tested
from 6.5 to 10.2).
$ gcc -Wfoobar -E -xc - -o /dev/null < /dev/null > /dev/null 2>&1 ; echo $?
1
clang always return 0 if an option in not recognized unless
-Werror is also passed, preventing a correct probing of options
supporte
Hi Lukas,
On Saturday, March 06 2021 at 23:48:52 +0100, Lukas Tribus wrote:
> Hello,
>
> On Sat, 6 Mar 2021 at 21:25, Bertrand Jacquin wrote:
> >
> > gcc returns non zero code if an option is not supported (tested
> > from 6.5 to 10.2).
> >
> > $ gcc -Wf
Hi Willy,
> Another discussion started around an easier support for some modern
> platforms. In issue #1194, Ashley Penney was caught running on AWS's ARM
> instances with the default ARM target optimizations. For having run some
> tests on these machines, I can't say enough how great they are, bu
Doc references ca-sign-passphrase but the source code is referring
ca-sign-pass. Align doc to reality.
---
doc/configuration.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 6d92a4530749..24a222f3d1b9 100644
--- a/doc/confi
This can be useful in order to extend ACL and log format with upstream
proxy information when accept-proxy or accept-netscaler-cip is being
used
---
include/proto/connection.h | 32
include/types/connection.h | 9 -
src/connection.c | 42
Along with a whitespace cleanup and a grammar typo
---
src/ssl_sock.c | 7 +++
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index b14bb8a46e1b..ae6d19f2f69c 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -5144,8 +5144,7 @@ static int bind_p
When accept-proxy or accept-netscaler-cip are being used, this gives the
ability to perform action based on the TCP connections between upstream
proxy and haproxy instead of the connection between the client and the
upstream proxy.
---
doc/configuration.txt | 28
src/proto_tcp.c
When Multi-Cert bundle are used, error is throwned regarding certificate
filename without including certifcate type extension.
---
src/ssl_sock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 453647bd7e6c..ef03525fc514 100644
--- a/src/ss
This code can never be reached.
---
src/payload.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/src/payload.c b/src/payload.c
index 3a534c377925..a02a86966051 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -181,9 +181,6 @@ smp_fetch_req_ssl_st_ext(const struct arg *args, struct
sample
When accept-proxy or accept-netscaler-cip are being used, this gives the
ability to log upstream proxy source IP and port.
---
doc/configuration.txt | 4
include/types/log.h | 4
src/log.c | 66 +++
3 files changed, 74 inser
Before this change, trash is being used to create certificate filename
to read in care Mutli-Cert are in used. But then ssl_sock_load_ocsp()
modify trash leading to potential wrong information given in later error
message.
This also blocks any further use of certificate filename for other
usage, l
On Sun, Nov 13, 2016 at 07:48:46PM +0100, Willy Tarreau wrote:
> Hi Bertrand,
>
> On Sun, Nov 13, 2016 at 04:37:07PM +, Bertrand Jacquin wrote:
> > This can be useful in order to extend ACL and log format with upstream
> > proxy information when accept-proxy or accept-n
On 15/12/2016 19:03, Lukas Tribus wrote:
Hi Igor,
Am 14.12.2016 um 20:47 schrieb Igor Pav:
Hi Lukas, in fact, openssl already gets early TLS 1.3 adoption in dev,
will release in 1.1.1, and BoringSSL supports TLSv1.3 already.
That's nice, and in fact since 1.1.1 will be API compatible with 1.
Hi Andreas,
Sorry for the long delay, I was out for a while and miss this email.
To be honest with you, I was expecting to get some weirdness like this.
I'm reaching out Citrix on a side channel to see if different specs for
the protocol exist so I may do the appropriate changes in haproxy to
sup
Since TLS ciphers are not well understand, it is very common parameters
from documentation are used as is. Since RC4 should not be used anymore
I believe it is wiser to show example including stronger ciphers to
avoid deploying unsafe configuration in the wild.
"ALL" is also to avoid since it cont
This is mainly driven by the fact TLSv1.3 will have a successor at some
point.
---
doc/configuration.txt | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/configuration.txt b/doc/configuration.txt
index fe5eb25076c7..f7e1339a3e9b 100644
--- a/doc/configuration.txt
+++ b/d
TS by default. What do you think Bertrand
?
Yep, all of this sounds legit. Please find attache a new patch serie
attempting to address all your concerns.
Cheers,
Bertrand
--
BertrandFrom 10071238c893b49cd43cf447a885e4b6af4cd44c Mon Sep 17 00:00:00 2001
From: Bertrand Jacquin
Date: Sun, 3 Feb 20
---
scripts/run-regtests.sh | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/scripts/run-regtests.sh b/scripts/run-regtests.sh
index ccfdd601acf4..19e8a1564b1b 100755
--- a/scripts/run-regtests.sh
+++ b/scripts/run-regtests.sh
@@ -49,12 +49,12 @@ _help()
Including tex
Hi Andreas,
I got this really side tracked, my apology. Let me take a look at that
this evening again. Some corps need to be unburied.
I'm afraid the patch, as is, will break compatibility with other version
of the CIP protocol, I'd like haproxy to support both of them.
Cheers,
Bertrand
On 07/1
serie applies cleanly on v1.9-dev0-76-g789691778fde but also on
v1.8.1-20-gdd8ea125889d while I only tested it on v1.9.
Cheers,
Bertrand
On 11/12/17 15:04, Bertrand Jacquin wrote:
> Hi Andreas,
>
> I got this really side tracked, my apology. Let me take a look at that
> this evening
Hi Willy,
On 21/12/17 10:08, Willy Tarreau wrote:
> On Thu, Dec 21, 2017 at 11:05:30AM +0100, Andreas Mahnke wrote:
>> Hi Willy,
>>
>> The support of the standard protocol in 1.8 would be nice, because we are
>> planning to migrate to haproxy 1.8 from our self - patched 1.7 instances.
>
> OK. Ber
On 21/12/17 13:28, Willy Tarreau wrote:
> On Thu, Dec 21, 2017 at 10:46:17AM +0000, Bertrand Jacquin wrote:
>> I'm all good with backporting this in 1.8. Feel free to.
>
> Great, now merged. Do not hesitate to report back any issues you
> would notice on your infrastructu
Hi,
I am not sure if the following configuration should be working, but it
looks like it does while the documentation does not specify if I could
be using it. Having a quick look at the source, it does not seem
obvious either. Anyway, I'm just curious to know if the following should
be working:
Hi Willy,
On 30/07/2018 19:55, Willy Tarreau wrote:
On Mon, Jul 30, 2018 at 07:41:33PM +0200, Tim Düsterhus wrote:
Willy,
Am 30.07.2018 um 18:05 schrieb Willy Tarreau:
> A small update happened to the download directory, the sha256 of the
> tar.gz files are now present in addition to the (quit
On 31/07/2018 18:26, Bertrand Jacquin wrote:
Hi Willy,
On 30/07/2018 19:55, Willy Tarreau wrote:
On Mon, Jul 30, 2018 at 07:41:33PM +0200, Tim Düsterhus wrote:
Willy,
Am 30.07.2018 um 18:05 schrieb Willy Tarreau:
> A small update happened to the download directory, the sha256 of the
>
In most cases, "TLSv1.x" naming is used across and documentation, lazy
people tend to grep too much and may not find what they are looking for.
Fixing people is hard.
---
doc/configuration.txt | 2 +-
src/ssl_sock.c| 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/
Hi,
Please find attached a patch to fix some typos in the lua documentation.
Cheers,
--
BertrandFrom a8c24069246fc6ba6e9a956963158596ec4a0a3b Mon Sep 17 00:00:00 2001
From: Bertrand Jacquin
Date: Mon, 10 Sep 2018 21:26:07 +0100
Subject: [PATCH] DOC: Fix typos in lua documentation
---
doc
---
CONTRIBUTING | 6 +++---
include/types/connection.h | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/CONTRIBUTING b/CONTRIBUTING
index b5ba18241c1c..575e63b40039 100644
--- a/CONTRIBUTING
+++ b/CONTRIBUTING
@@ -309,7 +309,7 @@ do not think about them anymore
Hi,
If it can help, I've been in touch with Emeric about SSL handshake
failure since
some times now but it's maybe preferable to use the ML to share
experience.
I'm using the following cipher filter list :
'ALL:!SSLv2:!eNULL:!aNULL:!LOW:!EXPORT:!kECDH:!MD5:@STRENGTH'
The PEM file I used is
$ openssl ciphers -v
'ALL:!SSLv2:!eNULL:!aNULL:!LOW:!EXPORT:!kECDH:!MD5:@STRENGTH' \
| while read C dumb; do
echo -n "# $C "
openssl s_client -connect 176.31.104.63:443 -cipher $C <
/dev/null > /dev/null 2>&1 \
&& echo OK \
|| echo FAIL \
done \
| sort -k 3 \
same logic for use-server and
many other part such as reqadd..
Bertrand
--
Bertrand Jacquin, EXOSEC (http://www.exosec.fr/)
ZAC des Metz - 3 Rue du petit robinson - 78350 JOUY EN JOSAS
Tel: +33 1 30 67 60 65 - Fax: +33 1 75 43 40 70
mailto:bjacq...@exosec.fr
>From bc306e460752244e73ca7c04
> >
> > And it does not work. I am not yet familiar with code to determine why this
> > does not work. Again, the current proposal works well for me but an
> > enhancement should probably consider using maps within dynamic lookup.
> >
> > +1 for the patch.
>
Hi Willy,
I'm getting trouble with that sample configuration when backend has no
server available :
defaults HTTP
mode http
option httplog
log global
frontend ft_public
bind 0.0.0.0:80 name HTTP
bind 0.0.0.0:443 name HTTPS ssl crt foo.pem
acl v-local hdr(Host) 203.0.113.42
acl p-
Hi Cyril,
D'ar meurzh 01 a viz Ebrel 2014 e 23 eur 35, « Cyril Bonté » he deus skrivet :
>
> > If bk_local has server UP in the farm, and request look like
> > https://203.0.113.42/__bar, then everything is fine, request is nicely
> > handled by bk_local/localhost. http://203.0.113.42/__bar is cor
D'ar meurzh 01 a viz Ebrel 2014 e 23 eur 46, « Cyril Bonté » he deus skrivet :
> Le 01/04/2014 23:42, Bertrand Jacquin a écrit :
> > Hi Cyril,
> >
> > D'ar meurzh 01 a viz Ebrel 2014 e 23 eur 35, « Cyril Bonté » he deus
> > skrivet :
> >>
> >&
D'ar merc'her 02 a viz Ebrel 2014 e 00 eur 13, « Cyril Bonté » he deus skrivet :
> Le 01/04/2014 23:56, Bertrand Jacquin a écrit :
> > When bk_local/localhost is UP :
> >
> > $ curl -vk -so /dev/null https://203.0.113.42/__bar/
> > (...)
> >> GET
On 2014-04-02 14:05, Willy Tarreau wrote:
Hi,
On Wed, Apr 02, 2014 at 12:50:08AM +0200, Cyril Bonté wrote:
Le 02/04/2014 00:16, Bertrand Jacquin a écrit :
>>What is adding the Vary and Strict-Transport-Security headers in this
>>second case ?
>
>A missing 'http-resp
Hi Adam,
On 2014-05-21 21:45, Adam Bruehl wrote:
I added the following to one of my front ends.
acl abuse_users src -f /etc/haproxy/abuse_users.lst
timeout http-request 5s if abuse_users
Unfortunately, you cannot use any condition on 'timeout' keyword, they
are simply ignored. There have b
On Mon, Sep 19, 2016 at 10:08:32AM +0200, Christopher Faulet wrote:
> Le 18/09/2016 à 04:17, Bertrand Jacquin a écrit :
> > Today I noticed data corruption when haproxy is used for compression
> > offloading. I bisected twice, and it lead to this specific commit but
> > I'
Hi Christopher,
On 22/09/2016 14:59, Christopher Faulet wrote:
Le 22/09/2016 à 04:05, Bertrand Jacquin a écrit :
On Tue, Sep 20, 2016 at 08:16:09AM +0200, Willy Tarreau wrote:
Hi Bertrand,
On Tue, Sep 20, 2016 at 12:13:32AM +0100, Bertrand Jacquin wrote:
And finally, If you can share with
DeviceAtlas might be installed in a location where a user might not have
enough permissions to write json.o and dac.o
---
Makefile | 4
1 file changed, 4 insertions(+)
diff --git a/Makefile b/Makefile
index 0ce4b325305c..a10d2e4c1040 100644
--- a/Makefile
+++ b/Makefile
@@ -622,8 +622,12 @@
hed a new version of the
patch.
Cheers,
Bertrand
> Cheers.
>
> On 6 October 2016 at 00:39, Bertrand Jacquin wrote:
> > DeviceAtlas might be installed in a location where a user might not have
> > enough permissions to write json.o and dac.o
> > ---
> > Makefile |
Hi,
For the last few days, I've been unable to git clone
https://git.haproxy.org/git/haproxy.git with curl-8.7.1, where I'm
getting the following error:
$ GIT_TRACE=1 git fetch https://git.haproxy.org/git/haproxy.git
19:12:01.277740 git.c:463 trace: built-in: git fetch
http
Hey Willy,
On 2024-04-05 19:44, Willy Tarreau wrote:
Thanks a lot for these details. One thing to have in mind that could
explain that you have not observed this on other servers is that we're
using plain HTTP, we haven't deployed the git-server stuff, so maybe
it triggers a different object tr
On 2024-04-05 20:24, Bertrand Jacquin wrote:
Just let us know if you're interested. We can also first wait for
Stefan
and/or Daniel's analysis of a possible cause for the commit you
bisected
above before hacking too much stuff, though :-)
Let's see! Latest digging seems
Hi,
Since c886fb58eb56 ("MINOR: server/ip: centralize server ip updates"),
there is a regression with server address resolution made against libc
with getaddrinfo(), specifically when returned address are IPv6 address
with % notation which specifies which interface index to
access given address (u
66 matches
Mail list logo
