Bon, ça fait plusieurs jours que j'essaie de faire marcher let's encrypt avec haproxy et j'y arrive pas
Je suis le tuto dédié : https://www.haproxy.com/blog/haproxy-and-let-s-encrypt
J'ai donc la config attachée au post (qui ne fait rien d'autre que renvoyer mon thumbprint acme si le chemin demandé contient '/.well-known/acme-challenge')
En http classique ça fonctionne nickel : si je curl sur http://domaine/.well-known/acme-challenge/aeiou il me renvoie aeiou.thumbprint ce qui est ce qu'il faut
Par contre dès que je curl en https j'ai droit à OpenSSL/3.0.13: error:0A000458:SSL routines::tlsv1 unrecognized name
Aidez moi s'il vous plait il fait trop chaud 
#haproxy #LetsEncrypt
#haproxy
0 posts0 participants0 posts today
Replied in thread
@dalohuer2004 @lzambrana Muy bueno! No estoy muy al tanto de docker compose, pero se ve bien.
No conocía #traefik, es un load balancer / reverse proxy? Algo similar a #haproxy ?
También veo a #passbolt más para entornos colaborativos, en lo personal sigo con #keepass, que además lo tengo como proveedor de 2FA.
Igual, algunas passwords de mi DB las he tenido que compartir usando keepass (copy paste), pero son poquitas, ya si fueran más algo como passbolt vendría muy bien.
What I wanted to do:
Move this mastodon instance from its current datacenter location to my homelab.
What I did:
Update all my #proxmox nodes to the latest release, remove #haproxy and #acme packages from #pfsense in favour of a dedicated machine handling it.
That machine, however, still needs an ansible role and playbook to be written, in order to set it up 
Let's gooooo! 
Uff! #OpenSSL has really gone down the hill 
:
“The State of SSL Stacks”, HAProxy (https://www.haproxy.com/blog/state-of-ssl-stacks).
Via HN: https://news.ycombinator.com/item?id=43912164
On Lobsters: https://lobste.rs/s/bqnktb/state_ssl_stacks
HAProxy TechnologiesThe State of SSL StacksThe SSL landscape has shifted dramatically. In this paper, we examine OpenSSL 3.x, BoringSSL, LibreSSL, WolfSSL, and AWS-LC with HAProxy.
Same DNS name for multiple application servers with replication or load balancers or making a service highly available?
Same DNS name for multiple application servers with replication or load balancers or making a service highly available?
#spiceworks #dns #nginx #haproxy #loadbalancing #roundrobin #replication #question #it #networking
Spiceworks Community · Same DNS name for multiple application servers with replication or load balancers or making a service highly available?If I assigning one DNS name to multiple application servers, the record comes back like this: tw5@renegade:~$ dig @192.168.57.1 tw5.helpdesk.com ; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> @192.168.57.1 tw5.helpdesk.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40082 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;tw5...
Continued thread
https://www.mail-archive.com/haproxy@formilux.org/msg45917.html #HAProxy 3.2.0 was released, featuring an experimental ACME client, real QUIC support for OpenSSL 3.5 and a lot of other stuff.
www.mail-archive.com[ANNOUNCE] haproxy-3.2.0
Replied in thread
@jorijn @monospace i did also use nginx and have no hard arguments against it besides "project governance" maybe. but a relevant benefit of using #haproxy in tcp mode is to avoid any double processing of http, which otherwise is prone to desync bugs. tcp mode simply adds/removes the tls pipe, nothing more, nothing less. all the http processing remains in #varnishcache only.
Replied in thread
@jorijn yes, as of today, the recommended way is to use #haproxy as a combined tls onloader/offloader with the PROXY2 protocol such that haproxy has "zero" configuration: see http://varnish-cache.org/docs/trunk/users-guide/vcl-backends.html#connecting-through-a-proxy and .via in http://varnish-cache.org/docs/trunk/reference/vcl-backend.html#vcl-backend-7
this also works with dns: https://github.com/nigoroll/libvmod-dynamic/blob/master/src/vmod_dynamic.vcc
that said, we will do something about this eventually #varnishcache
varnish-cache.orgBackend servers — Varnish version trunk documentation
Did a quick writeup of how I use #anubis behind #haproxy in my #homelab.
https://mktbs.net/blog/2025/05/19/running-anubis-behind-haproxy/
Thanks to @cadey for the project. Support them!
mktbs.netMaking sure you're not a bot!
In case you're interested in running a bleeding edge #reverseproxy with an optimized #SSL library: read this blog post (of mine) on "Compiling HAProxy with WolfSSL":
www.devxy.ioWhere DevOps and Data Science meet 🤝️A guide to compiling HAProxy with WolfSSL for enhanced performance and HTTP/3 support, including detailed build instructions.
Replied in thread
Thank you for all the effort you are putting into this awesome software.
I ran into some weird behaviour of the combination #snac with the official Mastodon app on #iPhone. See attached pic.
The log of my #HAproxy shows
CC: @stefano@bsd.cafe @cheeaun@mastodon.social
I ran into some weird behaviour of the combination #snac with the official Mastodon app on #iPhone. See attached pic.
The log of my #HAproxy shows
May 12 09:50:20 localhost haproxy[56626]: 46.23.94.142:65241 [12/May/2025:09:50:20.039] FE-https~ BE-social.freebsd.amsterdam/social.freebsd.amsterdam 0/0/0/366/367 200 658007 - - ---- 2/2/0/0/0 0/0 "GET https://social.freebsd.amsterdam/api/v1/timelines/home?limit=100 HTTP/2.0"
CC: @stefano@bsd.cafe @cheeaun@mastodon.social
Neskutečná haluz: Na ssl terminaci používám #haproxy s konfigurací:
frontend https
bind *:443 ssl crt /etc/haproxy/ssl/__fallback.pem crt /etc/haproxy/ssl
kam prostřednictvím skriptu https://github.com/VitexSoftware/certbot-haproxy/blob/develop/certbot-haproxy-deploy
hrnu výslednou kombinaci privkey + fullchain .pem
A co se nestalo, jedna doména jako na potvoru ať jsem dělal co jsem dělal měla sice na disku čerstvý certifikát, ale v #https byl expirovaný ....
Po X hodinách zoufalého laborování, reloadování a restartování a vzniku skriptu https://github.com/VitexSoftware/certbot-haproxy/blob/develop/check-haproxy-certs.sh jsem se nasral a celé to rebootnul ...
A server nejenže potom nabootoval, ale dokonce začal posílat správný certifikát ...
Kde to sakra mohlo být zastydlé, že nepomohl ani stop a start haproxy démona ? To mi hlava nebere :(
filesystém je normální /dev/sda2 on / type ext4 (rw,noatime) - m2 terová karta přes JMS583Gen 2 to PCIe Gen3x2 Bridge do USB a zbytek HW je #RPi5 s 8Gb ram
před rebootem jsem koukal i na výpis dmesg a žádné problémy s filesystémem nebo usb jsem tam neviděl
Dans ce (long et très détaillé) article sur l’état des stacks SSL, l’équipe de #haproxy (confirmée par d’autres équipes telles que Curl, Akamai, Microsoft…) tacle lourdement #OpenSSL sur la qualité du code et surtout sur la gouvernance du projet. Ça pique.
https://www.haproxy.com/blog/state-of-ssl-stacks
HAProxy TechnologiesThe State of SSL StacksThe SSL landscape has shifted dramatically. In this paper, we examine OpenSSL 3.x, BoringSSL, LibreSSL, WolfSSL, and AWS-LC with HAProxy.
Long, but great read from #HAProxy on the state of #TLS libraries. Includes some scathing remarks about the #OpenSSL project.
“The development team has degraded their project’s quality, failed to address ongoing issues, and consistently dismissed widespread community requests for even minor improvements.”
“This unfortunate situation considerably hurts QUIC protocol adoption. It even makes it difficult to develop or build test tools to monitor a QUIC server.”
“When some of the project members considered a 32% performance regression ‘pretty near’ the original performance, it signaled to our development team that any meaningful improvement was unlikely.”
“In blunt terms: running OpenSSL 3.0.2 as shipped with Ubuntu 22.04 results in 1/100 of #WolfSSL’s performance on identical hardware! To put this into perspective, you would have to deploy 100 times the number of machines to handle the same traffic, solely because of the underlying SSL library.”
Infosec Exchangeabadidea (@0xabad1dea@infosec.exchange)After heartbleed in 2014, there were a lot of calls to abandon OpenSSL and support alternative libraries because it had written itself into a corner full of holes. I didn’t anticipate that 11 years later, there’d be a call to abandon OpenSSL because it’s written itself into a corner of running at 1% the performance of those very same alternative libraries https://www.haproxy.com/blog/state-of-ssl-stacks
“AWS-LC looks like a very active project with a strong community. […] Even the recently reported performance issue was quickly fixed and released with the next version. […] This is definitely a library that anyone interested in the topic should monitor.”
#OpenSSL #BoringSSL #WolfSSL #AWSLC #HAProxy #OpenSource #FreeSoftware #FOSS #OSS #TLS #QUIC
https://www.haproxy.com/blog/state-of-ssl-stacks
HAProxy TechnologiesThe State of SSL StacksThe SSL landscape has shifted dramatically. In this paper, we examine OpenSSL 3.x, BoringSSL, LibreSSL, WolfSSL, and AWS-LC with HAProxy.
Replied in thread
@f4grx @nixCraft @torproject not really.
- #aws has pretty chunky blocks like /14.
- They don't use #IPv6, only #IPv4.
- Blocking entrie #ASN|s is easy.
I do this with #pfSense & #pfBlockerNG for quite a while…
And the same #blocklist also works for other applications like #nginx, #HAproxy, #httpd, etc.
