@haproxy wrote:

Hello,

We're running the latest 1.5.19 version of HAProxy and have been seeing segfaults since the introduction of a stick table needed to rate limit requests to our 'login' endpoint. We have attackers hitting this at around 1200 req/min. Regardless if there's a current attack, haproxy will crash several times a day, and logs this-
kernel: haproxy[11890]: segfault at 9695000 ip 00007fc839165701 sp 00007ffc748e6a68 error 4 in libc-2.17.so[7fc839016000+1b7000]

Below is the stick table culprit. We know this, because if we comment these lines out, no more crashes. Seems like a pretty simple table, not a lot of room for misconfiguration... This is located in the backend section of our config.

stick-table type ip size 200k expire 5m store gpc0,conn_cur,conn_cnt
acl block_on_path path_beg -i /path/to/login
tcp-request content track-sc1 src if block_on_path
http-request tarpit if { src_conn_cnt ge 15 } block_on_path

If I look at this table at any random time, it seems to average around 4k of the 200k table size, so I think we're probably not filling up our table. Memory/CPU are not a problem. Under an attack, the CPU load can go up to around 80%, no concerns there yet. Here's the table as I write this -

Every 1.0s: echo "show table jboss7_cluster" | sudo socat unix:/var/run/haproxy.stats - Fri Mar 10 19:19:13 2017

table: jboss7_cluster, type: ip, size:204800, used:3127
0x9ef249c: key=1.10.199.35 use=0 exp=2045 gpc0=0 conn_cnt=1 conn_cur=0
0x3c0b89c: key=1.10.199.93 use=0 exp=271280 gpc0=0 conn_cnt=1 conn_cur=0
0x9c9c25c: key=1.32.24.54 use=0 exp=75902 gpc0=0 conn_cnt=1 conn_cur=0
0x460fcbc: key=1.33.107.79 use=0 exp=19818 gpc0=0 conn_cnt=1 conn_cur=0
0x402743c: key=1.52.1.57 use=0 exp=251825 gpc0=0 conn_cnt=1 conn_cur=0
0x2b475cc: key=1.52.240.156 use=0 exp=273221 gpc0=0 conn_cnt=1 conn_cur=0
0xab204bc: key=1.53.181.46 use=0 exp=176877 gpc0=0 conn_cnt=1 conn_cur=0
0x39dbd4c: key=1.54.218.41 use=0 exp=132587 gpc0=0 conn_cnt=1 conn_cur=0
0x2c4a1cc: key=1.55.119.221 use=0 exp=278489 gpc0=0 conn_cnt=1 conn_cur=0
0x75531dc: key=1.224.148.65 use=0 exp=24270 gpc0=0 conn_cnt=1 conn_cur=0
0x6ffb12c: key=1.226.133.132 use=0 exp=164417 gpc0=0 conn_cnt=1 conn_cur=0
0x753220c: key=1.228.23.251 use=0 exp=8600 gpc0=0 conn_cnt=1 conn_cur=0
0x8faf35c: key=1.231.28.2 use=0 exp=293120 gpc0=0 conn_cnt=1 conn_cur=0
0x97e6aac: key=1.232.77.49 use=0 exp=277764 gpc0=0 conn_cnt=1 conn_cur=0
0x3ad418c: key=1.234.141.109 use=0 exp=161023 gpc0=0 conn_cnt=1 conn_cur=0
0x5cb6a8c: key=1.234.144.6 use=0 exp=161278 gpc0=0 conn_cnt=1 conn_cur=0
0x6f0615c: key=1.239.51.214 use=0 exp=279495 gpc0=0 conn_cnt=1 conn_cur=0
0x581343c: key=1.241.19.72 use=0 exp=12058 gpc0=0 conn_cnt=1 conn_cur=0
0x3f9da1c: key=1.252.206.152 use=0 exp=128317 gpc0=0 conn_cnt=1 conn_cur=0
0x351aa3c: key=2.30.243.70 use=0 exp=275506 gpc0=0 conn_cnt=1 conn_cur=0
0xaf3e09c: key=2.32.215.93 use=0 exp=45313 gpc0=0 conn_cnt=1 conn_cur=0
0x9968b1c: key=2.50.152.32 use=0 exp=282299 gpc0=0 conn_cnt=1 conn_cur=0
0x329a0bc: key=2.50.213.122 use=0 exp=183950 gpc0=0 conn_cnt=1 conn_cur=0
0x672051c: key=2.86.52.175 use=0 exp=209063 gpc0=0 conn_cnt=1 conn_cur=0
0x9a6cb5c: key=2.88.139.155 use=0 exp=26832 gpc0=0 conn_cnt=1 conn_cur=0
0x43f2c9c: key=2.91.241.189 use=0 exp=278143 gpc0=0 conn_cnt=1 conn_cur=0
0x29f456c: key=2.95.242.245 use=0 exp=145829 gpc0=0 conn_cnt=1 conn_cur=0
0x900cbfc: key=2.98.44.25 use=0 exp=156035 gpc0=0 conn_cnt=1 conn_cur=0
0x7451ccc: key=2.186.216.19 use=0 exp=186612 gpc0=0 conn_cnt=1 conn_cur=0
0x821808c: key=2.230.145.122 use=0 exp=171511 gpc0=0 conn_cnt=1 conn_cur=0
0x82070cc: key=5.12.16.130 use=0 exp=4488 gpc0=0 conn_cnt=1 conn_cur=0
0x540e29c: key=5.15.211.19 use=0 exp=63660 gpc0=0 conn_cnt=1 conn_cur=0
...
...

I'd be happy to post any additional log info requested. Thanks in advance!

HAP

Posts: 1

Participants: 1

Read full topic

@Washu wrote:

Hi all,

Since we migrate our squid on Haproxy we experiencing high CPU usage on our HaProxy server. Theses Squid are used as proxy web for our users (the VIP of HAPROXY is directly set up on their browser)
We activate muthreading option on 4 vCPU but they are all at 90% at the top of the day.
I've also check that TCP ports are not exhausted.

Compilation option are the following : make TARGET=custom CPU=generic USE_OPENSSL=1 USE_ZLIB=1 USE_PCRE=1 USE_LINUX_SPLICE=1 USE_CPU_AFFINITY=1

We also used Keepalived for high availability in active/passive mode.<img

Can you help me please, we don't have so many connections and I'm sure that HAPROXY can do better ?

You can find bellow the Hardware and Software configuration :

Vmware Esxi 5.5
Linux Red Hat 6.8
4 vCPU
4 Go RAM
20 Go Disk
3 Gigabits interfaces (One for the administration and the two other one for the VIP)

global
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
#log loghost local0 info
maxconn 2000000
chroot /product/haproxy
uid 99
gid 99
daemon
tune.ssl.default-dh-param 2048
nbproc 4
cpu-map 1 0
cpu-map 2 1
cpu-map 3 2
cpu-map 4 3
#debug
#quiet

defaults
log global
option dontlognull
retries 3
option redispatch
maxconn 2000000
timeout connect 5000
timeout client 600000
timeout server 600000

    frontend stats
    bind  xxx.xxx.xxx.xxx:8080
    mode http
    stats enable
    stats uri /stats
    stats realm HAProxy Statistics
    stats auth admin:admin

# Ferme Proxy LAN

frontend proxylan-rewrite
bind xxx.xxx.xxx.xxx:xx
mode http
option http-keep-alive
default_backend proxylan-backend

backend proxylan-backend
mode http
balance source
option prefer-last-server
option http-keep-alive
option forwardfor
server proxylan_1 xxx.xxx.xxx.xxx:xx check
server proxylan_2 xxx.xxx.xxx.xxx:xx check
server proxylan_3 xxx.xxx.xxx.xxx:xx check
server proxylan_4 xxx.xxx.xxx.xxx:xx check

Posts: 4

Participants: 2

Read full topic

@bend66 wrote:

Hey,
I have a problem configuring haproxy.
I have the following scenario.
I have the site site.com that runs behing haproxy and I want to redirect
http[://]site -> https[://]www[dot]site
http[://]www.site -> https[://]www[dot]site
https[://]site ->https[://]www[dot]site

I have two frontends (one for http and one for https)

in frontend-http I have the following:
redirect scheme https code 301 if { hdr(host) -i www[dot]site } !{ssl_fc}
redirect prefix https://www[dot]site code 301 if { { hdr(host) -i site }

but the https[://]site does not work, all other redirections work correclty.

Thanks for the help

PS: sorry for the weird URLs but I can't put URLs (I'm a new user)

Posts: 1

Participants: 1

Read full topic

@mr.proxy wrote:

Hello,

We have two haproxy servers (redundancy) accepting HTTPS. Just tested the SSL security by using https://www.ssllabs.com/ssltest/. We get a B due to the following issues:

"This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B." More info at https://weakdh.org/

"This server accepts RC4 cipher, but only with older browsers. Grade capped to B." More info at https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what

My question is: What do we need to do to fix this issues so that we can get an A?

Please note that we have tried what the suggestions on https://weakdh.org/sysadmin.html, but this broke our haproxy's.

haproxy -v say:
HA-Proxy version 1.5.8 2014/10/31
Copyright 2000-2014 Willy Tarreau w@1wt.eu

Posts: 1

Participants: 1

Read full topic

@alex41 wrote:

Hi All

Do you know how to get the client ip address in https mode ?

Best Regards
Alex

Posts: 1

Participants: 1

Read full topic

@bvoros wrote:

Hello All,

Is it possible to disable client-initiated secure renegotiation when terminating ssl on haproxy?
I am currently using v1.5.

Thanks in advance,

Posts: 2

Participants: 1

Read full topic

@bend66 wrote:

Hi,

I want to run haproxy with multiple backends some of them are compatible with http2 and some of them are not.

I have two front-end one with https one with http.

How can I do that?

Any example ?

Thanks

Posts: 1

Participants: 1

Read full topic

@thedom4302 wrote:

Hi Folks

I have a CCTV DVR I want to use haproxy to reverse proxy. The DVR uses the following ports
TCP554
TCP7070
TCP8554
UDP554
TCP443 (ssl/tls)

Could someone advise how I can set this up. I have a haproxy in production for some websites but these are very simple single port applications.

any advice or configs appreciated!

cheers,
Dom

Posts: 2

Participants: 2

Read full topic

@sopapa wrote:

I have a ssl certificate by comodo (onlñy one site in haproxy) . I have  a problem with ie8 and Windows XP (i know the EOL of this but some computers in the company still uses) . i get http/2: SSL handshake failure in my logs. Any clue?
 My conf.
global

tune.ssl.default-dh-param 2048
    ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    ssl-default-bind-options no-sslv3 no-tls-tickets
    ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    ssl-default-server-options no-sslv3 no-tls-tickets

frontend http
    bind :80
    bind :443 ssl crt /etc/ssl/private/certificados.pem
    mode http
      option httplog
    log-format [%sslc]\ [%sslv]\ %ci:%cp\ [id=%ID]\ [%t]\ %f\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ {%hrl}\ {%hsl}\ %{+Q}r

#    redirect scheme https code 301 if { hdr_end(host) -i www.xxx.com } !{ ssl_fc }
    acl host_www hdr(host) -i  www.xxx.com
     use_backend  www.xxx.com if host_www
default_backend www.xxx.com
  http-response set-header Strict-Transport-Security max-age=15768000

backend  www.xxx.com
    mode http
    balance leastconn
    cookie SERVERID insert indirect nocache
    server sweb7002x 10.7.18.182:80 check cookie sweb7002


root@shap7101lx:/etc/ssl# haproxy -v
HA-Proxy version 1.7.3-1~bpo8+1 2017/03/02
Copyright 2000-2017 Willy Tarreau <willy@haproxy.org>

Posts: 3

Participants: 2

Read full topic

@AllertGen wrote:

Hello, everyone.
I'm trying to use this type of log format:

log-format %H\ %ci\ -\ [%t]\ %{+Q}r\ %ST\ -\ %U\ ${+Q}[req.hdr(referer)]\ ${+Q}[req.hdr(user-agent)]\ %{+Q}CC\ %Tq\ %{+Q}s\ NGINX-CACHE-\ "-"

capture request header Referer len 100
capture request header User-Agent len 100

I'm expecting for getting at logs HTTP geaders of referer and user-agent, but I'm getting this part at logs exactly how I did write it at the configuration. What is the right way for logging custom headers to the log (not only standart referer and user-agent, but also any other)?

My version of haproxy is 1.5.4.

Best Regards.

Posts: 1

Participants: 1

Read full topic

@chintanvpatel wrote:

Hello,
I'm running HAproxy with this version

HA-Proxy version 1.7.3 2017/02/28
Copyright 2000-2017 Willy Tarreau willy@haproxy.org

I have this config of haproxy

global
    stats timeout 30s
    maxconn 5001
    
defaults
    option httplog
    option dontlognull
    retries 3
    mode http
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    
frontend https-in
    bind *:443
    log 127.0.0.1 local2
    mode tcp
    option tcplog
    timeout client  3h
    timeout server  3h
    option          clitcpka
    use_backend back_webapp_apache2_php56-443
    
backend back_webapp_apache2_php56-443
    mode tcp
    balance roundrobin
    server host0 10.0.4.59:443 check fall 3 rise 2

So I have one apache backend running at ip 10.0.4.59.

The problem is sometimes I'm getting this error.

https-in https-in/ -1/-1/0 0 SC 0/0/0/0/0 0/0

Sometimes it is working. But connection is not consistent. What can be the issue HAproxy or Apache ? I don't know where to start debug this issue.

Thanks & Regards,
Chintan Patel

Posts: 5

Participants: 3

Read full topic

@crohmann wrote:

Hello HAProxy community!

I configured a tcp-check using send-binary and expect binary.

The check works fine. To make it perfect and according to the protocol, I need to send an individual string or binary for each backend server.

1) Is it possible to configure a check individually for each server in a back-end?

2) Or even better / easier, is it possible somehow to use rand() or reference any dynamic variable in those "tcp-check send" lines?

Thanks in advance for any ideas!
Regards

Christian

Posts: 1

Participants: 1

Read full topic

@crohmann wrote:

Is there a way to make use of the extensibility of the PROXY protocol and to add a TLV-field to the PROXY variables sent to the backend servers? I would like to i.e. generate a random value per request, add that to the access log and also forward this very value to the backend service (speaking / understanding PROXYv2 of cause). This way it's possible to correlate between the incoming request handled and distributed by HAProxy and the corresponding request which is logged on the backend server.

1) Are there config options anywhere?
2) I did not find any LUA API bindings to access the PROXY protocol values.

Thanks in advance,
Regards

Christian

Posts: 3

Participants: 2

Read full topic

@hajime wrote:

I'm trying to set up Hadoop WebHDFS HA with HAProxy.
HDFS is using kerberos / SPNEGO.
I've been trying with various combinations, but getting "HTTP/1.1 403 GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)"

So wondering if this is supposed to work?

Posts: 1

Participants: 1

Read full topic

@giubal wrote:

hello to everyone,

I'm a newbie user and am fighting with the keepalive url issue. In few word I have to verify that my web servers
with "GET /topaz/topaz_api/loadBalancerVerify_centers.jsp" answers "Success".
I tried with httpchk and tcp-check without success, below my attempts:

option httpchk GET /topaz/topaz_api/loadBalancerVerify_centers.jsp
http-check expect rstatus ^Success

option tcp-check send GET /topaz/topaz_api/loadBalancerVerify_centers.jsp
http-check expect rstatus ^Success

at the moment I'm able to work with "fall" and "rise" check option

server gw1 172.18.0.153:443 check inter 10s fall 3 rise 2
server gw2 172.18.0.154:443 check inter 10s fall 3 rise 2

How can I set to have the check the return string to disable the host from the balancing ?

Thanks in advanced

Posts: 1

Participants: 1

Read full topic

@chomps wrote:

Hi,

I have quite an advanced HAP v1.5 config going but can't seem to get to strip away www. from all http requests. I have multiple sub domains all under a wildcard cert and I can not have any www. The structure is as follows:
abc.example.com
def.example.com
ghi.example.com
... etc

This does go on to the ssl part afterwards. This is what I have to strip away any www. first:

http-request add-header X-Host-Redirect yes if { hdr_beg(host) -i www. }
acl host_redirect hdr_cnt(X-Host-Redirect) eq 1
reqirep ^Host:\ www.(.*)$ Host:\ \1 if host_redirect
redirect code 301 scheme http if host_redirect

Then it goes on to the ssl as follows:

frontend 192-168-0-18-80 192.168.0.18:80
redirect scheme https code 301 if { hdr(Host) -i abc.example.com } !{ ssl_fc }
redirect scheme https code 301 if { hdr(Host) -i def.example.com } !{ ssl_fc }
redirect scheme https code 301 if { hdr(Host) -i ghi.example.com } !{ ssl_fc }
....etc

then the acl's and backends.

Could someone please help me understand why I just get a 503 error if I use www.abc.example.com
Thanx in advance.

Posts: 2

Participants: 1

Read full topic

@colinm wrote:

I ran into this issue on 1.6 and so upgraded to 1.7.3 and now it has occurred again. The socket file that HAProxy is supposed to listen on still exists but after some period of time HAProxy is no longer accepting connections from it and the process has to be restarted.

03:26:54 PM root@app1
~ # socat /dev/null UNIX:/var/run/magento/redis-cache.sock || echo DOWN
2017/03/23 15:27:09 socat[6583] E connect(6, AF=1 "/var/run/magento/redis-cache.sock", 35): Connection refused
DOWN
03:27:09 PM root@app1
~ # docker restart redis-cache.lb-2
redis-cache.lb-2
03:27:27 PM root@app1
~ # socat /dev/null UNIX:/var/run/magento/redis-cache.sock || echo DOWN
~ #

I don't know how to reproduce exactly but in this case the process was only about a day old before I noticed it was no longer accepting connections.

Here is my full config:

global
  log 127.0.0.1 local0 notice

defaults
  mode tcp
  log global
  timeout client     1h
  timeout server     1h
  timeout connect 1000

listen stats
  bind *:1936
  mode http
  stats enable
  stats uri /
  stats refresh 60s
  stats show-node
  stats show-legends

frontend redis-unix
  bind /run/magento/redis-cache.sock mode 777
  default_backend redis

frontend redis-tcp
  bind *:6379
  default_backend redis

# The tcp-check will ensure that only reachable master nodes are considered up.
backend redis
  balance first
  option tcplog
  option tcp-check
  tcp-check send info\ replication\r\n
  tcp-check expect string role:master
  default-server inter 5000 downinter 5000 fastinter 1000 rise 2 fall 3 maxconn 256 maxqueue 128
  server node1 10.81.128.1:6379 check
  server node56 10.81.128.56:6379 check

Posts: 2

Participants: 2

Read full topic

@pille wrote:

it would be useful to have a config option / mode where haproxy will fetch a letsencrypt certificate for a domain on first request similar to https://github.com/GUI/lua-resty-auto-ssl

already obtained certificates should be cached and reused until it expires.
edpired certificates should be removed from cache, or renewed.

the first request that needs to fetch a certificate will have a higher latency, but the following should be normal.

the goal is to have a single config directive for that, so it will stay static.

i guess this will only work for SNI clients, but that ok nowadays.
the background is, that we're using wildcard certs and subdomains in DNS.
unfortunately letsencrypt doesn't issue them and maintaining a list on the loadbalancer should be avoided.

basically this is a feature request, as i expect a new config directive handling this.
now sure, whether this may be implemented in lua.

Posts: 2

Participants: 2

Read full topic

@Chris71 wrote:

Hi,
I am getting a general socket error when trying to connect the haproxy backend server using a namespace. It connects fine on the frontend. Both the frontend and backend are using the same namespace but different interfaces. If I perform a wget from inside the namespace, I can retrieve the web page that the backend server is trying to connect too. Anyone got any clues to why the backend server cannot connect.

[WARNING] 082/114316 (15384) : Server b_http_P1234518P/P1234518P is DOWN, reason: Layer4 connection problem, info: "General socket error"

ip netns exec P1234518P wget http_//172.17.55.240:80/portal --no-check-certificate
--2017-03-24 12:31:45-- http_//172.17.55.240/portal
Connecting to 172.17.55.240:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http_//172.17.55.240/portal/ [following]
--2017-03-24 12:31:45-- http_//172.17.55.240/portal/
Reusing existing connection to 172.17.55.240:80.
HTTP request sent, awaiting response... 302 Found
Location: https_//172.17.55.240/portal [following]
--2017-03-24 12:31:45-- https_//172.17.55.240/portal

namespace_list
namespace P1234518P

frontend f_http_P1234518P
mode http
bind 192.168.165.64:80 namespace P1234518P name http_P1234518P
default_backend b_http_P1234518P

backend b_http_P1234518P
mode http
server P1234518P 172.17.55.240:80 namespace P1234518P check

HA-Proxy version 1.7.3 2017/02/28
Copyright 2000-2017 Willy Tarreau willy@haproxy.org

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -m64 -march=x86-64 -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement
OPTIONS = USE_OPENSSL=1 USE_NS=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built without compression support (neither USE_ZLIB nor USE_SLZ are set)
Compression algorithms supported : identity("identity")
Built with OpenSSL version : OpenSSL 1.0.1t 3 May 2016
Running on OpenSSL version : OpenSSL 1.0.1t 3 May 2016
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built without PCRE support (using libc's regex instead)
Built without Lua support
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with network namespace support

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[COMP] compression
[TRACE] trace
[SPOE] spoe

Posts: 1

Participants: 1

Read full topic

@jonasflesch wrote:

Hello.

I would like HAProxy to not only compress responses, but also decompress requests. mod_deflate does this for httpd, see "Input Decompression" section.

How can I achieve this with haproxy?

Posts: 2

Participants: 2

Read full topic