Willy Tarreau | 10 Sep 10:10 2012

[ANNOUNCE] haproxy 1.5-dev12

Hi all,

So the long-awaited dev12 is here, with native SSL support on both
sides supporting SNI and wildcard certs, that was developed by the
Exceliance team.

We got many useful reports since the last post on the subject, thanks to
all those who contributed some feedback! All known build bugs were fixed.
I won't explain here again what changes were done, it's too long :-)

Since last post, we worked on integrating support for SNI because most of
the responders asked for it. So now it's possible on a "bind" line to load
as many certs as needed, and they'll be matched depending on the domains
they're valid for. Wildcards are supported too. And since certs are loaded
in trees, matching them is cheap even if you're dealing with tens of
thousands of virtual domains.

We have also added some ACLs to match the use of SSL for a connection and
to match presence/value of the SNI extension, as we think it will usually
be needed as well in virtual hosting environments.

Warning, we have changed the SSL config syntax since last version. Since
loading multiple certs is possible, we now use the word "crt" before the
certs. So that now looks like this:

       bind :443 ssl crt default.pem crt /etc/haproxy/certs.d

SSL aside, there are some other new features such as IPv6 transparent mode,
"base" pattern/acl to match a concatenation of the Host header and the URI, 
"urlp_val" ACL to match a url parameter's value, support for the "nice"
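The SNI-based certificate selection the announcement describes (several certs on one "bind" line, chosen by the server name the client sends in the TLS SNI extension, wildcards supported, cheap lookup), modelled as an added example. This is not haproxy's code and not from the thread: it uses two dictionaries in place of haproxy's trees, and it assumes that the first certificate loaded is the default (used when no SNI is sent or nothing matches) and that a wildcard covers exactly one DNS label as in RFC 6125 section 6.4.3. All certificate file names and host names are constructed sample data. One point worth keeping in mind when writing the SNI ACLs mentioned above: the SNI value is chosen by the client and travels in the clear, so it is a fine key for routing and certificate choice, but not an authenticated identity.

```python
"""SNI-based certificate selection with wildcard names (added example, not haproxy code)."""
from typing import Dict, List, Optional


class CertStore:
    def __init__(self) -> None:
        self.default_cert: Optional[str] = None
        self.exact: Dict[str, str] = {}     # "www.example.com" -> cert file
        self.wildcard: Dict[str, str] = {}  # "example.com" -> cert file for *.example.com

    @staticmethod
    def _normalize(name: str) -> str:
        # SNI host names are case-insensitive; a trailing dot is dropped as well.
        return name.strip().lower().rstrip(".")

    def add(self, cert_file: str, names: List[str]) -> None:
        """Register one certificate under every name it is valid for."""
        if self.default_cert is None:
            self.default_cert = cert_file  # assumption: first certificate loaded is the default
        for raw in names:
            name = self._normalize(raw)
            if name.startswith("*."):
                # First certificate registered for a name keeps it (first-match policy).
                self.wildcard.setdefault(name[2:], cert_file)
            elif name:
                self.exact.setdefault(name, cert_file)

    def select(self, sni: Optional[str]) -> Optional[str]:
        """Pick the certificate to present for the SNI value the client sent.

        Exact names win over wildcards; "*.example.com" matches
        "a.example.com" but neither "example.com" nor "a.b.example.com".
        """
        if not sni:
            return self.default_cert
        host = self._normalize(sni)
        if host in self.exact:
            return self.exact[host]
        labels = host.split(".")
        if len(labels) >= 3 and labels[0]:  # a wildcard never covers a bare two-label name
            parent = ".".join(labels[1:])
            if parent in self.wildcard:
                return self.wildcard[parent]
        return self.default_cert


def build_store() -> CertStore:
    """Constructed equivalent of: bind :443 ssl crt default.pem crt certs.d/ (sample names)."""
    store = CertStore()
    store.add("default.pem", ["default.test"])
    store.add("wild.pem", ["*.example.com"])
    store.add("www.pem", ["www.example.com", "example.com"])
    return store


if __name__ == "__main__":
    s = build_store()
    for name in [None, "www.example.com", "api.example.com", "a.b.example.com", "other.test"]:
        print("%-20s -> %s" % (name, s.select(name)))
```

Running the module prints which file each sample name resolves to; the two-dictionary lookup is O(1) per request regardless of how many names are loaded, which is the property the announcement attributes to its tree-based matching.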

Duncan Hall | 10 Sep 11:16 2012

Re: [ANNOUNCE] haproxy 1.5-dev12

On 10/09/12 18:10, Willy Tarreau wrote:
>
> Many bugs were fixed, and many were certainly introduced. If you observe any
> bug, please report it, as I'd rather issue -dev13 quickly with many fixes.

Great work, very much appreciated.

I have rolled 1.5-dev12 into a test environment and noticed that the 
statistics page is now much slower to load. Previously (on 1.5-dev 11 
built 2012/06/04) the time between requesting the stats page and it 
displaying was about 2.5 seconds, this has now jumped to 10 seconds. It 
is not a big problem for me but I thought it was worth mentioning.

I am measuring this with Lori. 
https://addons.mozilla.org/en-US/firefox/addon/lori-life-of-request-info/

Thanks again,

Duncan

Willy Tarreau | 10 Sep 11:23 2012

Re: [ANNOUNCE] haproxy 1.5-dev12

Hi Duncan,

On Mon, Sep 10, 2012 at 07:16:30PM +1000, Duncan Hall wrote:
> On 10/09/12 18:10, Willy Tarreau wrote:
> >
> >Many bugs were fixed, and many were certainly introduced. If you observe any
> >bug, please report it, as I'd rather issue -dev13 quickly with many fixes.
> 
> Great work, very much appreciated.
> 
> I have rolled 1.5-dev12 into a test environment and noticed that the 
> statistics page is now much slower to load. Previously (on 1.5-dev 11 
> built 2012/06/04) the time between requesting the stats page and it 
> displaying was about 2.5 seconds, this has now jumped to 10 seconds. It 
> is not a big problem for me but I thought it was worth mentioning.
> 
> I am measuring this with Lori. 
> https://addons.mozilla.org/en-US/firefox/addon/lori-life-of-request-info/

If you were already experiencing 2.5 seconds to load the stats page, then
definitely you have a problem somewhere either in your environment or in
your browser. The page load should be in the order of one millisecond or
less, even for large configs.

Maybe you should take a network capture so that we can check where the
time is lost ?

Regards,
Willy

Duncan Hall | 14 Sep 05:34 2012

Re: [ANNOUNCE] haproxy 1.5-dev12

On 10/09/12 19:23, Willy Tarreau wrote:
> Hi Duncan,
>
> On Mon, Sep 10, 2012 at 07:16:30PM +1000, Duncan Hall wrote:
>> On 10/09/12 18:10, Willy Tarreau wrote:
>>> Many bugs were fixed, and many were certainly introduced. If you observe any
>>> bug, please report it, as I'd rather issue -dev13 quickly with many fixes.
>> Great work, very much appreciated.
>>
>> I have rolled 1.5-dev12 into a test environment and noticed that the
>> statistics page is now much slower to load. Previously (on 1.5-dev 11
>> built 2012/06/04) the time between requesting the stats page and it
>> displaying was about 2.5 seconds, this has now jumped to 10 seconds. It
>> is not a big problem for me but I thought it was worth mentioning.
>>
>> I am measuring this with Lori.
>> https://addons.mozilla.org/en-US/firefox/addon/lori-life-of-request-info/
> If you were already experiencing 2.5 seconds to load the stats page, then
> definitely you have a problem somewhere either in your environment or in
> your browser. The load page should be in the order of one millisecond or
> less, even for large configs.
>
> Maybe you should take a network capture so that we can check where the
> time is lost ?
>
> Regards,
> Willy
>
Willy,

Willy Tarreau | 14 Sep 07:07 2012

Re: [ANNOUNCE] haproxy 1.5-dev12

Hi Duncan,

On Fri, Sep 14, 2012 at 01:34:04PM +1000, Duncan Hall wrote:
> Thanks for your help on this, there was a network issue in the VPN I use 
> to access my dev environment that was causing the delays.

OK, thanks for the feedback.

> One thing I did notice on CentOS 5.8 and 6.3 is that at compile time I 
> now need to use USE_STATIC_PCRE=1 instead of USE_PCRE=1. If I use 
> USE_PCRE=1 it will compile and run but if the conf file references an 
> ssl cert it cannot read the key in the pem file.

That's amazing, it should be totally unrelated. I just checked my libssl
and libcrypto here and none of them makes use of any regex call. This
looks like a nasty side effect.

If you could post a minimal config which reliably reproduces the issue,
including one such pem file (a test one, not yours of course) and report
your build options, we could try on different platforms and try to find
a workaround. USE_STATIC_PCRE is not always an option for everyone.

Regards,
Willy

Duncan Hall | 14 Sep 08:49 2012

Re: [ANNOUNCE] haproxy 1.5-dev12

On 14/09/12 15:07, Willy Tarreau wrote:
>
>> One thing I did notice on CentOS 5.8 and 6.3 is that at compile time I
>> now need to use USE_STATIC_PCRE=1 instead of USE_PCRE=1. If I use
>> USE_PCRE=1 it will compile and run but if the conf file references an
>> ssl cert it cannot read the key in the pem file.
> That's amazing, it should be totally unrelated. I just checked my libssl
> and libcrypto here and none of them makes use of any regex call. This
> looks like a nasty side effect.
>
> If you could post a minimal config which reliably reproduces the issue,
> including one such pem file (a test one, not yours of course) and report
> your build options, we could try on different platforms and try to find
> a workaround. USE_STATIC_PCRE is not always an option for everyone.
>
> Regards,
> Willy
>
Willy,

I can't reproduce it again, let's put it down to user error (it has been
a very very long week).

If I come across it again I'll repost to the list.

Regards,

Duncan


Willy Tarreau | 14 Sep 23:50 2012

Re: [ANNOUNCE] haproxy 1.5-dev12

Hi Duncan,

On Fri, Sep 14, 2012 at 04:49:58PM +1000, Duncan Hall wrote:
> I can't reproduce it again, lets put it down to user error (it has been 
> a very very long week).

OK, thanks for checking and reporting.

> If I come across it again I'll repost to the list.

You're welcome.

Cheers,
Willy

Guillaume Castagnino | 10 Sep 15:46 2012

Re: [ANNOUNCE] haproxy 1.5-dev12

Nice !

Just set up on my personal server with 2 wildcard certificates. It
seems to work like a charm :)

I use this, TLSv1.2 enabled (so using openssl 1.0.1):
	bind :::443 ssl crt /etc/ssl/startssl/haproxy/xwing.info.pem crt /etc/ssl/startssl/haproxy/ ciphers ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH prefer-server-ciphers

Thanks, great job !

-- 
Guillaume Castagnino
    casta@... / guillaume@...

Willy Tarreau | 10 Sep 15:52 2012

Re: [ANNOUNCE] haproxy 1.5-dev12

Hi Guillaume,

On Mon, Sep 10, 2012 at 03:46:26PM +0200, Guillaume Castagnino wrote:
> Nice !
> 
> Just set up on my personal server with 2 wildcard certificates. It
> seems to work like a charm :)
> 
> I use this, TLSv1.2 enabled (so using openssl 1.0.1):
> 	bind :::443 ssl crt /etc/ssl/startssl/haproxy/xwing.info.pem crt /etc/ssl/startssl/haproxy/ ciphers ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH prefer-server-ciphers

Nice, thank you for the feedback !

Willy

Baptiste | 10 Sep 16:02 2012

Re: [ANNOUNCE] haproxy 1.5-dev12

And of course, the article on Exceliance blog:
http://blog.exceliance.fr/2012/09/10/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/

have fun

Guillaume Castagnino | 10 Sep 17:32 2012

Re: [ANNOUNCE] haproxy 1.5-dev12

On Monday 10 September 2012 15:52:23 Willy Tarreau wrote:
> Hi Guillaume,
> 
> On Mon, Sep 10, 2012 at 03:46:26PM +0200, Guillaume Castagnino wrote:
> > Nice !
> > 
> > Just set up on my personal server with 2 wildcard certificates. It
> > seems to work like a charm :)
> > 
> > I use this, TLSv1.2 enabled (so using openssl 1.0.1):
> > 	bind :::443 ssl crt /etc/ssl/startssl/haproxy/xwing.info.pem crt /etc/ssl/startssl/haproxy/ ciphers ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH prefer-server-ciphers
> 
> Nice, thank you for the feedback !

Just one precision on the cert.pem content, to achieve the best
compliance: it seems that haproxy is fine when feeding the full
certificate chain in the .pem file instead of only the
certificate/private key pair (as suggested on the first SSL announce from
last week). This makes clients that do certificate chain verification
happy:

So cert.pem contains:
- Server certificate
- Intermediate CA 1 certificate
- Intermediate CA 2 certificate
...
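A structural check of the PEM bundle layout described in the message above (server certificate first, then the intermediate CA certificates, plus the private key), as an added example that is not code from the thread or from haproxy. It uses only the Python standard library, so it only inspects PEM framing and base64 well-formedness: it does not verify signatures or the issuer/subject links between the certificates, which is what "openssl verify" is for. The "missing intermediates" finding is a heuristic, since a certificate issued directly by a root needs none. The PEM bodies it is run on are constructed placeholders, not real certificates or keys.

```python
"""Structural check of a haproxy-style PEM bundle (added example, not haproxy code)."""
import base64
import re
from typing import List, Tuple

# One PEM block: label between BEGIN/END markers, base64 body in between.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def pem_blocks(text: str) -> List[Tuple[str, str]]:
    """Return (label, base64 body without whitespace) for each PEM block, in file order."""
    return [(m.group(1), "".join(m.group(2).split())) for m in PEM_BLOCK.finditer(text)]


def check_bundle(text: str) -> List[str]:
    """Return a list of problems; an empty list means the layout is as expected."""
    problems: List[str] = []
    blocks = pem_blocks(text)
    if not blocks:
        return ["no PEM blocks found"]
    for label, body in blocks:
        try:
            if not body:
                raise ValueError("empty body")
            base64.b64decode(body, validate=True)  # binascii.Error is a ValueError
        except ValueError:
            problems.append("block %r has a malformed base64 body" % label)
    labels = [label for label, _ in blocks]
    if labels[0] != "CERTIFICATE":
        problems.append("first block is %r; the server certificate must come first" % labels[0])
    keys = [label for label in labels if label.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append("expected exactly one private key block, found %d" % len(keys))
    cert_count = labels.count("CERTIFICATE")
    if cert_count < 2:
        # Heuristic: a leaf signed directly by a root is the one legitimate exception.
        problems.append("only %d certificate block(s): intermediate CA certificates "
                        "appear to be missing" % cert_count)
    return problems


def fake_block(label: str, payload: bytes) -> str:
    """Build a constructed PEM block around an arbitrary payload (not real DER)."""
    body = base64.b64encode(payload).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


# Constructed sample bundles, in the order the message above recommends.
GOOD_BUNDLE = (
    fake_block("CERTIFICATE", b"constructed: server certificate")
    + fake_block("CERTIFICATE", b"constructed: intermediate CA 1")
    + fake_block("CERTIFICATE", b"constructed: intermediate CA 2")
    + fake_block("RSA PRIVATE KEY", b"constructed: private key")
)
BAD_BUNDLE = (
    fake_block("RSA PRIVATE KEY", b"constructed: private key")
    + fake_block("CERTIFICATE", b"constructed: server certificate")
)

if __name__ == "__main__":
    for name, bundle in (("good", GOOD_BUNDLE), ("bad", BAD_BUNDLE)):
        print(name, check_bundle(bundle) or "ok")
```

Pointing check_bundle at a real bundle (read the file and pass its text) gives a quick answer to the question raised in the message, whether the chain is actually in the file, before handing the file to haproxy.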
