Hello there,
If you don't know yet, a CVE was published on Friday about the log4j library,
allowing remote code execution with a crafted HTTP request.
We would like to filter these requests on HAProxy to lower the exposure.
At peak times, 20% of our web traffic is scanners for this bug!
The o
Hi,
On Mon, 13 Dec 2021 at 19:38, John Lauro wrote:
> http-request deny deny_status 405 if { url_sub -i "\$\{jndi:" or
> hdr_sub(user-agent) -i "\$\{jndi:" }
> was not catching the bad traffic. I think the escapes were causing issues
> in the matching.
>
> The following did work:
>
Hello,
For the past few weeks we have been experiencing a segfault on haproxy processes when
reloading haproxy.
Each thread generates a coredump. Fortunately, this is the old process that
crashes, so there is no production impact.
The same behaviour happens with haproxy 2.0.25 compiled with OpenSSL 1.1.1l
Hello,
I've finally updated our load balancer, using HAProxy 2.0, to HAProxy 2.4
\o/
I was motivated by both the EOL on 2.0, and by a recurring segfault
every time we reloaded. btw, that segfault is now gone with 2.4 :)
I did not update to a newer version because we are still heavy users of
"nbpro
Hi Wily,
That's a bug and it shouldn't be like this.
>
You can find information about this here :
https://www.mail-archive.com/haproxy@formilux.org/msg43291.html
But don't waste too much time on this.
> > For those interested, the (small) necessary config changes were :
> > - option httpchk syn
Hello,
I would like to report a segfault on HAProxy 2.0.11; this version has been
running fine for two months, and this morning started segfaulting over and
over.
Mitigation was performed by adding "no option http-use-htx" in the 'defaults'
block.
I know it's not the latest version :) I'll update t
Hello,
On Wed, 19 Feb 2020 at 15:27, Christopher Faulet wrote:
> On 19/02/2020 at 11:35, Olivier D wrote:
> > Hello,
> >
> > I would like to report a segfault on HAProxy 2.0.11 ; this version has
> been
> > running fine for two months, and this morning starti
On Wed, 19 Feb 2020 at 16:24, Christopher Faulet wrote:
> On 19/02/2020 at 16:05, Olivier D wrote:
> > A bug was fixed in 2.0.12 that could explain such crashes. The
> upstream
> > commit id is eec7f8ac0 (or 0ed1e8963 in the 2.0 tree). It is related
> to the
Hello,
With the latest haproxy 2.0, you can trigger a simple segfault with only a
configuration test (haproxy -f test.cfg -c)
Config content:
--
defaults
mode http
backend test
stick-table type ip size 10k expire 1h store http_req_rate(1h) peers
mypeers
peers mypeers
Hello everyone,
I would like to implement a "max concurrent connections" limit in HAProxy. This is
easy to do at the TCP level:
stick-table type ipv6 size 100k expire 30s store conn_cur
http-request track-sc0 src
http-request deny deny_status 429 if { src_conn_cur ge 20 }
But now, I want to
On Fri, 17 Apr 2020 at 20:49, Tim Düsterhus wrote:
> Olivier,
>
> On 17.04.20 at 20:22, Olivier D wrote:
> > My first tries are based on something like this :
> >stick-table type ipv6 size 100k expire 30s store http_req_rate(10s)
> Not sure whether that'
Hello,
Find attached two small patches to improve documentation on "option
forwardfor" and "http-request set-src".
I'm using gmail so I had to attach the patches and was not able to send them
directly. If format is wrong, tell me :)
Olivier
From efbc320861c9c5a43219983cfc1073070b3e6622 Mon Sep 17 00
Hello,
On Mon, 20 Apr 2020 at 20:37, Tim Düsterhus wrote:
> Olivier,
>
> On 20.04.20 at 20:03, Olivier D wrote:
> > I'm using gmail so I add to attach patches and was not able to send them
> > directly. If format is wrong, tell me :)
> >
>
> Format
Hi,
On Tue, 21 Apr 2020 at 12:56, Tim Düsterhus wrote:
> Olivier,
>
> PS: Personal opinion, but I prefer quotes in replies to be shortened as
> much as possible, while still providing context. I don't want to scroll
> through kilobytes of stuff I've already seen :-)
>
;)
Patch updated attac
Hello,
I was creating counter-measures against a DoS attack, but I failed to
understand some numbers I received.
I'm using HAProxy 2.0.14
My (expurgated) frontend config is:
listen test
bind X.X.X.X:443
maxconn 65536
rate-limit sessions 128
But during the attack, the following number
Hello,
This morning I tried to upgrade HAProxy 2.0.13 to 2.0.14 but had to
roll back immediately: some backend checks started to fail.
Error reported was: SOCKERR - SSL handshake failure
The backends failing have a specific configuration as follows (I removed
anything unnecessary to trigger the
Hello,
On Wed, 6 May 2020 at 15:30, Tim Düsterhus wrote:
> Olivier,
>
> > I was not aware there were any changes in the way HAProxy was doing its
> > checks over proxy-protocol in 2.0.14 ... any hint?
>
> This sounds like this issue we've seen with Dovecot:
> https://www.mail-archive.com/hapro
Hi again,
On Wed, 6 May 2020 at 17:47, Willy Tarreau wrote:
> Hi Olivier,
>
> On Wed, May 06, 2020 at 05:29:59PM +0200, Olivier D wrote:
> > > Try applying this commit:
> > >
> > >
> https://github.com/haproxy/haproxy/commit/02c88036a61e09d0676a2b6b408
Hello,
I'm spamming a lot these days :)
I found a strange coredump on HAProxy 2.0.14 that started a few days ago
for no reason. It's not a coredump but a raise().
Stack trace:
#0 0x7fde8c9f8495 in raise () from /lib64/libc.so.6
#1 0x7fde8c9f9c75 in abort () from /lib64/libc.so.6
#2 0
Hello Willy,
On Fri, 15 May 2020 at 17:33, Willy Tarreau wrote:
>
> Is it 100% reproducible and if so can you please share a minimal config
> and reproducer so that we can quickly focus on it?
>
Unfortunately I was unable to reproduce it. It only happens for several
hours in a row, then stop
Hello,
On Thu, 28 May 2020 at 09:17, Willy Tarreau wrote:
> http-request del-header range if { req.hdr_cnt(range) gt 1 }
>
This will only filter if the "Range" header is present multiple times, not this
one:
Range: bytes=0-,0-,0-,0-
Am I correct ?
Olivier
On Thu, 28 May 2020 at 09:48, Willy Tarreau wrote:
> No you're not :-) hdr_cnt() counts *values*. So:
>
> Range: bytes=0-,0-,0-,0-
>
> decomposes as the following values around the comma delimiter:
>
> "bytes=0-", "0-", "0-", "0-"
>
> And actually if you'd send several Range headers with
Hello,
I'm investigating an issue on specific rules for a customer.
The rules are the following:
stick-table type ipv6 size 6 expire 1h store conn_cur,conn_rate(10s)
http-request deny deny_status 429 if { src_conn_cur ge 100 }
http-request deny deny_status 429 if { src_conn_rate
Hello folks,
Just wanted to raise an issue with a compilation error on HAProxy that I
was able to solve by myself. Just wanted to know if this issue is
haproxy-related or compiler-related (and if a fix should be provided in the
future)
Compiling haproxy (1.8.17) failed with this error:
make TAR
Hello,
On Sat, 12 Jan 2019 at 13:19, Willy Tarreau wrote:
> Hi Olivier,
>
> On Wed, Jan 09, 2019 at 07:23:42PM +0100, Olivier D wrote:
> > Hello folks,
> >
> > Just wanted to raise an issue with a compilation error on HAProxy that I
> > was able to solve
Hi,
On Wed, 12 Jun 2019 at 19:19, Willy Tarreau wrote:
> Hi guys,
>
> On Wed, Jun 12, 2019 at 04:27:42PM +0200, Lukas Tribus wrote:
> (...)
> > I think it's a bad idea.
> >
> > Basically what Tim says (I was interrupted several times while writing
> > this email).
>
> OK, and this morning Wi
Hello,
I'm rewriting a complex HAProxy config file and would like to be sure how
ssl-default-bind-options and bind options work together.
I would like to configure safe options by default, but still allow
less-safe protocols on some frontend. I'm puzzled by "force-X"
documentation (does it really
Hello,
I know I'm reporting an issue with an old version, but I got 2 segfaults
in 48h.
As I only got 3 segfaults with HAProxy in 10+ years, I just wanted to make
sure these bugs have been caught and are now fixed.
haproxy -vv output:
HA-Proxy version 1.9.6 2019/03/29 - https://haproxy.org/
Bui
Hello all,
I struggle with what seemed a very easy config:
listen test:443
id 20609
bind-process 16
balance source
hash-type consistent
mode tcp
bind x.x.x.x:443
server s1 192.168.x.x:443 id 2158 check weight 5 send-proxy port 80
server s2 192.168.x.x:443 id 2168 c
19 at 18:32, Olivier D wrote:
> Hello all,
> I struggle with what seemed a very easy config:
>
> listen test:443
> id 20609
> bind-process 16
> balance source
> hash-type consistent
> mode tcp
> bind x.x.x.x:443
> server s1 192.168.x.x:44
Hello Igor,
On Mon, 16 Dec 2019 at 23:41, Igor Cicimov wrote:
> Hi,
>
> On Tue, Dec 17, 2019 at 2:55 AM Olivier D wrote:
>
>> Hello,
>>
>> I found what was wrong : I was using "load-server-state-from-file" and
>> previous config file was using
Hello,
On Tue, 17 Dec 2019 at 11:11, Willy Tarreau wrote:
> Hi Olivier,
>
> On Tue, Dec 17, 2019 at 09:20:21AM +0100, Olivier D wrote:
> > That's not what I was saying. I'm already using "show server state", and
> > that's exactly what leads m
Hello everyone,
Doing a testssl scan on our server, with PFS, the following was returned:
TLS 1.2 sig_algs offered:RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384
RSA-PSS-RSAE+SHA512 RSA+SHA256 RSA+SHA384 RSA+SHA512 RSA+SHA224 RSA+SHA1
TLS 1.3 sig_algs offered:RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+S
On Wed, 25 Sept 2024 at 17:37, Lukas Tribus wrote:
> > With TLS 1.2 you can see that RSA+SHA1 is available. I was unable to
> > find a way to disable it in the HAProxy config. Can you point me in the right
> > direction?
>
> sigalgs are documented and their configuration statements are:
>
> client-siga
Hello there !
I developed a lua action for HAProxy (v3.1) that returns a full HTTP
response without any backend.
For this I'm using txn:done{}.
It's working great, with great performance too (30k+ queries/sec handled).
But responses are not compressed, and it seems lua responses are not
transitin
Hello, thanks for the quick reply !
On Mon, 31 Mar 2025 at 10:35, Willy Tarreau wrote:
> Compression is disabled when:
> * the request does not advertise a supported compression algorithm in
> the
> "Accept-Encoding" header
> * the response message is not HTTP/1.1 or above
>
Hello,
On Wed, 2 Apr 2025 at 14:00, Christopher Faulet wrote:
> Another solution is to set a variable in your lua action to redirect the
> request
> to a lua service if it is set. For instance:
> http-request lua.myscript if !static_content
> http-request use-service my-service.lua if {
Hi,
On Wed, 2 Apr 2025 at 09:10, Christopher Faulet wrote:
> In fact, in your case, it is expected to have no compression. You abort
> the
> request analysis, skipping this way the response analysis. It is
> equivalent to
> what happens with an "http-request deny". The compression is performe
Hello everyone,
I'm currently troubleshooting intermittent 520 errors returned by
Cloudflare in front of an HAProxy-based load balancing infrastructure.
These errors are rare—affecting about 0.001% of requests—which makes them
especially tricky to diagnose. According to Cloudflare, a 520 indicate
Hello,
> You can try to increase the `tune.maxrewrite` to `2048` and see if the
> issue is
> fixed.
>
Thanks for the feedback. Unfortunately, testing it for 5 days shows no
variation. Nice try though;
Olivier