
Useful information


Timeout


See also Timeout for: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
See also Timeout for: ProFTPd | Pure-FTPd | vsftpd | Dovecot | Postfix | OpenLDAP
See also Timeout for: pgpool | PostgreSQL | MySQL | Firebird

(See the Timeout section)



Load Balancing with HAProxy


See also Load Balancing with HAProxy for: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
See also Load Balancing with HAProxy for: ProFTPd | Pure-FTPd | vsftpd | Dovecot | Postfix | OpenLDAP
See also Load Balancing with HAProxy for: pgpool | PostgreSQL | MySQL | Firebird

More information under the analogous topic: Apache behind HAProxy
More information under the analogous topic: Nginx behind HAProxy
More information under the analogous topic: Lighttpd behind HAProxy
More information under the analogous topic: Varnish behind HAProxy
More information under the analogous topic: Dovecot behind HAProxy
More information under the analogous topic: Postfix behind HAProxy



Apache behind HAProxy


See also Apache behind HAProxy for: Apache

In this configuration HAProxy accepts incoming connections on port 80 and, depending on the kind of request,
forwards them to Apache prefork on port 81 or to Apache worker on port 82:

# main frontend which proxies to the backends
frontend public_http
	bind        :::80
	# Enable insertion of the X-Forwarded-For header to requests sent to servers
	option  forwardfor except 127.0.0.0/8
	
	acl requ_www         path_beg      -i /www
	acl ah_cen06x64      hdr(host)     -i cen06x64.xen.wbcd.pl
	
	use_backend   bknd_cen06x64_app   if ah_cen06x64 !requ_www
	use_backend   bknd_cen06x64_www   if ah_cen06x64  requ_www
	
	default_backend      bknd_cen06x64_www

# The dynamic backend for app
backend bknd_cen06x64_app
	stats enable
	stats uri     /admin?stats
	stats realm   Haproxy\ Statistics
	stats auth    *****:*****
	stats refresh 5s
	# Define the load balancing algorithm to be used in a backend
	balance     roundrobin
	# Enable HTTP protocol to check on the servers health
	# By default, server health checks only consist in trying to establish a TCP connection
	# When "option httpchk" is specified, a complete HTTP request is sent
	# once the TCP connection is established, and responses 2xx and 3xx are considered valid,
	# while all other ones indicate a server failure, including the lack of any response
	#option      httpchk HEAD /globals.php
	cookie      DYNSRV insert indirect nocache
	server      host_cen06x64_app 10.41.0.58:81
	#check inter 25000

# The static backend for /www
backend bknd_cen06x64_www
	stats enable
	stats uri     /admin?stats
	stats realm   Haproxy\ Statistics
	stats auth    *****:*****
	stats refresh 5s
	# Define the load balancing algorithm to be used in a backend
	balance     roundrobin
	# Enable HTTP protocol to check on the servers health
	# By default, server health checks only consist in trying to establish a TCP connection
	# When "option httpchk" is specified, a complete HTTP request is sent
	# once the TCP connection is established, and responses 2xx and 3xx are considered valid,
	# while all other ones indicate a server failure, including the lack of any response
	option      httpchk HEAD /index.html
	server      host_cen06x64_www 10.41.0.58:82
	#check inter 25000
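The `option forwardfor` line above makes HAProxy append the client's address to the X-Forwarded-For header before handing the request to Apache on port 81 or 82. The script below is an added example, not part of the original page or of HAProxy, showing how a backend should consume that header: believe it only when the TCP peer is the load balancer, walk it from the right past trusted hops, and otherwise fall back to the peer address, since anyone who can reach port 81/82 directly can send any X-Forwarded-For they like. The trusted-proxy list assumes HAProxy reaches the backend from 10.41.0.58 (the page does not say which address it connects from), and the sample requests are constructed.

```python
"""Added example: client address derivation behind HAProxy's "option forwardfor".
Trusted proxy list and sample requests are constructed for this demonstration.
"""
import ipaddress

# Peers whose X-Forwarded-For header is believed: the HAProxy host (assumed here
# to be 10.41.0.58, the same host the page's backends run on) and loopback,
# mirroring the "except 127.0.0.0/8" clause on the page.
TRUSTED_PROXIES = [ipaddress.ip_network("10.41.0.58/32"),
                   ipaddress.ip_network("127.0.0.0/8")]


def _is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Return the address the backend should log or rate-limit for this request.

    peer_addr  -- the TCP peer the backend actually accepted (REMOTE_ADDR)
    xff_header -- the raw X-Forwarded-For value, or None when absent

    HAProxy appends the real client last, so the header is read from the right:
    trusted hops are skipped and the first untrusted one is the client. If the
    peer itself is not a trusted proxy the header is attacker-controlled and ignored.
    """
    if not _is_trusted(peer_addr) or not xff_header:
        return peer_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr          # malformed entry: do not trust the header at all
        if not _is_trusted(hop):
            return hop
    return peer_addr                  # every hop was a trusted proxy


# Constructed sample requests: (TCP peer address, X-Forwarded-For header)
SAMPLE_REQUESTS = [
    ("10.41.0.58", "203.0.113.7"),                 # via HAProxy: header holds the real client
    ("10.41.0.58", "198.51.100.9, 203.0.113.7"),   # client supplied its own fake hop first
    ("192.0.2.44", "203.0.113.7"),                 # direct hit on port 81/82: header forged
    ("10.41.0.58", None),                          # via HAProxy but header missing
]


def audit(requests=SAMPLE_REQUESTS):
    """Resolve the client address for every sample request."""
    return [client_ip(peer, xff) for peer, xff in requests]


if __name__ == "__main__":
    for (peer, xff), ip in zip(SAMPLE_REQUESTS, audit()):
        print(f"peer={peer:<12} xff={xff!r:<32} -> client={ip}")
```

The third sample is the case that matters operationally: if ports 81 and 82 are reachable from anywhere other than the load balancer, the header is worthless, so the backend ports should also be firewalled to the HAProxy host.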



Nginx behind HAProxy


See also Nginx behind HAProxy for: Nginx

In this configuration HAProxy accepts incoming connections on port 80 and forwards them to Nginx on port 85:

# main frontend which proxies to the backends
frontend public_http
	bind        :::80
	# Enable insertion of the X-Forwarded-For header to requests sent to servers
	option  forwardfor except 127.0.0.0/8
	
	acl requ_www         path_beg      -i /www
	acl ah_cen06x64      hdr(host)     -i cen06x64.xen.wbcd.pl
	
	use_backend   bknd_cen06x64_nginx if ah_cen06x64 !requ_www
	use_backend   bknd_cen06x64_nginx if ah_cen06x64  requ_www
	
	default_backend      bknd_cen06x64_nginx

# The default backend for nginx
backend bknd_cen06x64_nginx
	stats enable
	stats uri     /admin?stats
	stats realm   Haproxy\ Statistics
	stats auth    *****:*****
	stats refresh 5s
	# Define the load balancing algorithm to be used in a backend
	balance     roundrobin
	# Enable HTTP protocol to check on the servers health
	# By default, server health checks only consist in trying to establish a TCP connection
	# When "option httpchk" is specified, a complete HTTP request is sent
	# once the TCP connection is established, and responses 2xx and 3xx are considered valid,
	# while all other ones indicate a server failure, including the lack of any response
	#option      httpchk HEAD /globals.php
	#cookie      DYNSRV insert indirect nocache
	server      host_cen06x64_nginx 10.41.0.58:85
	#check inter 25000



Lighttpd behind HAProxy


See also Lighttpd behind HAProxy for: Lighttpd

In this configuration HAProxy accepts incoming connections on port 80 and forwards them to Lighttpd on port 86:

# main frontend which proxies to the backends
frontend public_http
	bind        :::80
	# Enable insertion of the X-Forwarded-For header to requests sent to servers
	option  forwardfor except 127.0.0.0/8
	
	acl requ_www         path_beg      -i /www
	acl ah_cen06x64      hdr(host)     -i cen06x64.xen.wbcd.pl
	
	use_backend   bknd_cen06x64_lighttpd if ah_cen06x64 !requ_www
	use_backend   bknd_cen06x64_lighttpd if ah_cen06x64  requ_www
	
	default_backend      bknd_cen06x64_lighttpd

# The default backend for lighttpd
backend bknd_cen06x64_lighttpd
	stats enable
	stats uri     /admin?stats
	stats realm   Haproxy\ Statistics
	stats auth    *****:*****
	stats refresh 5s
	# Define the load balancing algorithm to be used in a backend
	balance     roundrobin
	# Enable HTTP protocol to check on the servers health
	# By default, server health checks only consist in trying to establish a TCP connection
	# When "option httpchk" is specified, a complete HTTP request is sent
	# once the TCP connection is established, and responses 2xx and 3xx are considered valid,
	# while all other ones indicate a server failure, including the lack of any response
	#option      httpchk HEAD /globals.php
	#cookie      DYNSRV insert indirect nocache
	server      host_cen06x64_lighttpd 10.41.0.58:86
	#check inter 25000



Varnish behind HAProxy


See also Varnish behind HAProxy for: Varnish

In this configuration HAProxy accepts incoming connections on port 80 and forwards them to Varnish on port 87:

# main frontend which proxies to the backends
frontend public_http
	bind        :::80
	# Enable insertion of the X-Forwarded-For header to requests sent to servers
	option  forwardfor except 127.0.0.0/8
	
	acl requ_www         path_beg      -i /www
	acl ah_cen06x64      hdr(host)     -i cen06x64.xen.wbcd.pl
	
	use_backend   bknd_cen06x64_varnish if ah_cen06x64 !requ_www
	use_backend   bknd_cen06x64_varnish if ah_cen06x64  requ_www
	
	default_backend      bknd_cen06x64_varnish

# The default backend for varnish
backend bknd_cen06x64_varnish
	stats enable
	stats uri     /admin?stats
	stats realm   Haproxy\ Statistics
	stats auth    *****:*****
	stats refresh 5s
	# Define the load balancing algorithm to be used in a backend
	balance     roundrobin
	# Enable HTTP protocol to check on the servers health
	# By default, server health checks only consist in trying to establish a TCP connection
	# When "option httpchk" is specified, a complete HTTP request is sent
	# once the TCP connection is established, and responses 2xx and 3xx are considered valid,
	# while all other ones indicate a server failure, including the lack of any response
	#option      httpchk HEAD /globals.php
	#cookie      DYNSRV insert indirect nocache
	server      host_cen06x64_varnish 10.41.0.58:87
	#check inter 25000



Dovecot behind HAProxy


See also Dovecot behind HAProxy for: Dovecot

In this configuration HAProxy accepts incoming connections on port 1143 and forwards them to Dovecot on port 10143.
For comparison, a second configuration has HAProxy accept incoming connections on port 1243 and forward them to Dovecot on the standard port 143:

frontend public_imap
    bind    :::1143
    # Set the running mode or protocol of the instance
    # tcp    - The instance will work in pure TCP mode.
    # http   - The instance will work in HTTP mode.
    # health - The instance will work in "health" mode. It will just reply "OK" to incoming connections and close the connection.
    mode    tcp
    # Enable advanced logging of TCP connections with session state and timers
    option  tcplog
    default_backend bknd_cen060x64_imap

backend bknd_cen060x64_imap
    # Enable the statistics page
    stats enable
    stats uri /admin?stats
    stats realm Haproxy\ Statistics
    stats auth *****:*****
    stats refresh 5s
    # Set the running mode or protocol of the instance
    # tcp    - The instance will work in pure TCP mode.
    # http   - The instance will work in HTTP mode.
    # health - The instance will work in "health" mode. It will just reply "OK" to incoming connections and close the connection.
    mode    tcp
    # Define the load balancing algorithm to be used in a backend
    balance leastconn
    retries 1
    stick           store-request src
    stick-table     type ip size 200k expire 30m
    # send-proxy-v2: prepend a binary PROXY protocol v2 header so Dovecot on port 10143 learns the real client address
    server  host_cen060x64 10.41.0.58:10143 send-proxy-v2

[...]

frontend public_imap2
    bind    :::1243
    # Set the running mode or protocol of the instance
    # tcp    - The instance will work in pure TCP mode.
    # http   - The instance will work in HTTP mode.
    # health - The instance will work in "health" mode. It will just reply "OK" to incoming connections and close the connection.
    mode    tcp
    # Enable advanced logging of TCP connections with session state and timers
    option  tcplog
    default_backend bknd_cen060x64_imap2

backend bknd_cen060x64_imap2
    # Enable the statistics page
    stats enable
    stats uri /admin?stats
    stats realm Haproxy\ Statistics
    stats auth *****:*****
    stats refresh 5s
    # Set the running mode or protocol of the instance
    # tcp    - The instance will work in pure TCP mode.
    # http   - The instance will work in HTTP mode.
    # health - The instance will work in "health" mode. It will just reply "OK" to incoming connections and close the connection.
    mode    tcp
    # Define the load balancing algorithm to be used in a backend
    balance leastconn
    retries 1
    stick           store-request src
    stick-table     type ip size 200k expire 30m
    # plain connection: Dovecot on the standard port 143 sees HAProxy's own address as the client
    server  host_cen060x64 10.41.0.58:143 no-send-proxy no-send-proxy-v2



Postfix behind HAProxy


See also Postfix behind HAProxy for: Postfix

In this configuration HAProxy accepts incoming connections on port 1025 and forwards them to Postfix on port 20026.
For comparison, a second configuration has HAProxy accept incoming connections on port 1125 and forward them to Postfix on the standard port 25:

frontend public_smtp
    bind    :::1025
    # Set the running mode or protocol of the instance
    # tcp    - The instance will work in pure TCP mode.
    # http   - The instance will work in HTTP mode.
    # health - The instance will work in "health" mode. It will just reply "OK" to incoming connections and close the connection.
    mode    tcp
    # Enable advanced logging of TCP connections with session state and timers
    option  tcplog
    default_backend bknd_cen060x64_smtp

backend bknd_cen060x64_smtp
    # Enable the statistics page
    stats enable
    stats uri /admin?stats
    stats realm Haproxy\ Statistics
    stats auth *****:*****
    stats refresh 5s
    # Set the running mode or protocol of the instance
    # tcp    - The instance will work in pure TCP mode.
    # http   - The instance will work in HTTP mode.
    # health - The instance will work in "health" mode. It will just reply "OK" to incoming connections and close the connection.
    mode    tcp
    # Define the load balancing algorithm to be used in a backend
    balance leastconn
    retries 1
    stick           store-request src
    stick-table     type ip size 200k expire 30m
    # send-proxy: prepend a text PROXY protocol v1 header so Postfix on port 20026 learns the real client address
    server  host_cen060x64 10.41.0.58:20026 send-proxy

[...]

frontend public_smtp2
    bind    :::1125
    # Set the running mode or protocol of the instance
    # tcp    - The instance will work in pure TCP mode.
    # http   - The instance will work in HTTP mode.
    # health - The instance will work in "health" mode. It will just reply "OK" to incoming connections and close the connection.
    mode    tcp
    # Enable advanced logging of TCP connections with session state and timers
    option  tcplog
    default_backend bknd_cen060x64_smtp2

backend bknd_cen060x64_smtp2
    # Enable the statistics page
    stats enable
    stats uri /admin?stats
    stats realm Haproxy\ Statistics
    stats auth *****:*****
    stats refresh 5s
    # Set the running mode or protocol of the instance
    # tcp    - The instance will work in pure TCP mode.
    # http   - The instance will work in HTTP mode.
    # health - The instance will work in "health" mode. It will just reply "OK" to incoming connections and close the connection.
    mode    tcp
    # Define the load balancing algorithm to be used in a backend
    balance leastconn
    retries 1
    stick           store-request src
    stick-table     type ip size 200k expire 30m
    # plain connection: Postfix on the standard port 25 sees HAProxy's own address as the client
    server  host_cen060x64 10.41.0.58:25 no-send-proxy no-send-proxy-v2
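The Dovecot and Postfix backends above differ only in whether HAProxy prepends a PROXY protocol header (`send-proxy` is the text v1 form, `send-proxy-v2` the binary form) before the first byte of IMAP or SMTP. The block below is an added example, not code from the page, HAProxy, Dovecot or Postfix: it builds both header forms for an IPv4 TCP connection and parses them the way a receiving daemon must, accepting the header only when the TCP peer is the load balancer, because a client that can reach port 10143 or 20026 directly could otherwise forge any source address. Addresses, ports and payloads are constructed.

```python
"""Added example: PROXY protocol v1/v2 as sent by HAProxy's send-proxy /
send-proxy-v2, with a backend-side parser. All sample values are constructed.
"""
import ipaddress
import struct

# 12-byte signature that opens every v2 header (fixed by the protocol spec)
V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"


def build_v1(src, dst, sport, dport):
    """Text header as produced by 'send-proxy' for an IPv4 TCP connection."""
    return f"PROXY TCP4 {src} {dst} {sport} {dport}\r\n".encode("ascii")


def build_v2(src, dst, sport, dport):
    """Binary header as produced by 'send-proxy-v2' (command PROXY, AF_INET, STREAM)."""
    addrs = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
             + struct.pack("!HH", sport, dport))
    # byte 13: version 2 in the high nibble, command PROXY (1) in the low nibble
    # byte 14: address family INET (1) in the high nibble, protocol STREAM (1) low
    return V2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", len(addrs)) + addrs


def parse_proxy_header(data):
    """Return ((src, sport), (dst, dport), payload); src is None for a LOCAL header."""
    if data.startswith(V2_SIGNATURE):
        if len(data) < 16:
            raise ValueError("truncated v2 header")
        ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
        if ver_cmd >> 4 != 2:
            raise ValueError("unsupported PROXY version")
        body, payload = data[16:16 + length], data[16 + length:]
        if len(body) != length:
            raise ValueError("truncated v2 address block")
        if ver_cmd & 0x0F == 0:      # LOCAL: health check from the proxy itself, no client address
            return None, None, payload
        if fam_proto != 0x11:
            raise ValueError("only TCP over IPv4 is handled in this example")
        src, dst, sport, dport = struct.unpack("!4s4sHH", body[:12])
        return ((str(ipaddress.IPv4Address(src)), sport),
                (str(ipaddress.IPv4Address(dst)), dport), payload)
    if data.startswith(b"PROXY "):
        line, sep, payload = data.partition(b"\r\n")
        if not sep or len(line) + 2 > 107:   # v1 lines are at most 107 bytes including CRLF
            raise ValueError("malformed v1 header")
        fields = line.decode("ascii").split(" ")
        if len(fields) != 6 or fields[1] != "TCP4":
            raise ValueError("only TCP4 is handled in this example")
        _, _, src, dst, sport, dport = fields
        ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)   # reject garbage addresses
        return (src, int(sport)), (dst, int(dport)), payload
    raise ValueError("no PROXY header present")


def client_address(peer_addr, data, trusted_proxy):
    """Address the MTA/IMAP server should attribute the session to, plus the payload."""
    if peer_addr != trusted_proxy:
        return peer_addr, data               # header, if any, is untrusted: treat it as payload
    src, _dst, payload = parse_proxy_header(data)
    return (src[0] if src else peer_addr), payload


def demo():
    """Constructed SMTP (v1) and IMAP (v2) sessions, plus a forged header from a stray client."""
    hdr1 = build_v1("203.0.113.7", "10.41.0.58", 51234, 25)
    hdr2 = build_v2("203.0.113.7", "10.41.0.58", 51234, 143)
    smtp = hdr1 + b"EHLO mail.example.test\r\n"
    imap = hdr2 + b"a001 CAPABILITY\r\n"
    return {
        "v1_len": len(hdr1),
        "v2_len": len(hdr2),
        "smtp": client_address("10.41.0.58", smtp, "10.41.0.58"),
        "imap": client_address("10.41.0.58", imap, "10.41.0.58"),
        "forged": client_address("192.0.2.44", smtp, "10.41.0.58"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:8} {value!r}")
```

The page shows only the HAProxy side; the daemon on the other end must be told to expect the header on exactly those ports and from exactly that peer (Dovecot's `haproxy_ports` / `haproxy_trusted_networks`, Postfix's `smtpd_upstream_proxy_protocol = haproxy` or `postscreen_upstream_proxy_protocol = haproxy`, none of which the page lists), and the ports 10143 and 20026 must not be reachable by anyone else, otherwise the forged case in `demo()` becomes a real source-address spoof in mail logs and rate limits.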



TLS SNI


See also TLS SNI for: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
See also TLS SNI for: ProFTPd | Pure-FTPd | vsftpd | Dovecot | Postfix | OpenLDAP
See also TLS SNI for: pgpool | PostgreSQL | MySQL | Firebird

HAProxy documentation: ssl_fc_sni | ssl_fc_sni (copy)
HAProxy documentation: ssl_fc_sni | req.ssl_sni (copy)

See also the TLS Cert/Key File configuration for HAProxy
If a directory name is used instead of a PEM file, then all files found in that directory will be loaded in alphabetic order unless their name ends with '.issuer' or '.ocsp' (reserved extensions). This directive may be specified multiple times in order to load certificates from multiple files or directories. The certificates will be presented to clients who provide a valid TLS Server Name Indication field matching one of their CN or alt subjects. Wildcards are supported, where a wildcard character '*' is used instead of the first hostname component (eg: *.example.org matches www.example.org but not www.sub.example.org).

If no SNI is provided by the client or if the SSL library does not support TLS extensions, or if the client provides an SNI hostname which does not match any certificate, then the first loaded certificate will be presented. This means that when loading certificates from a directory, it is highly recommended to load the default one first as a file or to ensure that it will always be the first one in the directory.
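The two documentation paragraphs above define the whole selection rule: names are matched against the certificate's CN and alternative names, a wildcard stands in for the first label only, certificates are loaded in bind-line order with directories expanded alphabetically (skipping `.issuer` and `.ocsp` files), and a client that sends no SNI or an unmatched SNI gets the first loaded certificate. The script below is an added example, not HAProxy code, that models that rule so a bind line can be checked on paper before deployment. The certificate inventory (which names each PEM under the page's paths carries) and the directory listing are constructed; the model also simplifies one detail, in that it returns the first match in load order rather than preferring an exact-name match over a wildcard.

```python
"""Added example: a model of HAProxy's 'crt' certificate selection for a given SNI.
The PEM paths reuse the page's example bind line; the names inside them are made up.
"""


def name_matches(pattern, hostname):
    """True if an X.509 name (possibly '*.example.org') covers hostname."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        labels = hostname.split(".")
        # the wildcard replaces only the first label: *.example.org does not cover www.sub.example.org
        return len(labels) >= 2 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def load_order(crt_args, directory_listing):
    """Expand the 'crt' arguments of a bind line into the order certificates are loaded.

    crt_args          -- values given to 'crt', in bind-line order
    directory_listing -- {directory: [filenames]} standing in for a directory scan
    """
    order = []
    for arg in crt_args:
        if arg.endswith("/"):
            for fname in sorted(directory_listing.get(arg, [])):     # alphabetic order
                if not fname.endswith((".issuer", ".ocsp")):         # reserved extensions
                    order.append(arg + fname)
        else:
            order.append(arg)
    return order


def select_certificate(loaded, sni):
    """Path of the certificate presented for sni; sni=None means the client sent none."""
    if sni:
        for path, names in loaded:
            if any(name_matches(n, sni) for n in names):
                return path
    return loaded[0][0]              # no SNI, or nothing matched: first loaded certificate


# Constructed inventory: PEM path -> names (CN plus SANs) the certificate carries.
CERT_NAMES = {
    "/etc/pki/tls/certs/hostname.pem": ["host.example.org"],
    "/etc/pki/tls/certs/domain1.pem": ["domain1.org", "www.domain1.org"],
    "/etc/pki/tls/certs/domain2.pem": ["*.domain2.org"],
    "/etc/pki/tls/certs/certpem/a.pem": ["a.example.org"],
    "/etc/pki/tls/certs/certpem/b.pem": ["b.example.org"],
}
CRT_ARGS = ["/etc/pki/tls/certs/hostname.pem", "/etc/pki/tls/certs/domain1.pem",
            "/etc/pki/tls/certs/domain2.pem", "/etc/pki/tls/certs/certpem/"]
LISTING = {"/etc/pki/tls/certs/certpem/": ["b.pem", "a.pem", "a.pem.ocsp"]}


def predict(sni):
    """Which certificate the constructed bind line presents for this SNI."""
    loaded = [(path, CERT_NAMES[path]) for path in load_order(CRT_ARGS, LISTING)]
    return select_certificate(loaded, sni)


if __name__ == "__main__":
    for probe in (None, "www.domain1.org", "api.domain2.org", "x.api.domain2.org", "a.example.org"):
        print(f"{probe!s:20} -> {predict(probe)}")
```

Two points the model makes visible: `x.api.domain2.org` silently falls through to the default certificate, which is exactly the hostname-mismatch a browser will reject, and the default is whatever loads first, so when certificates come from a directory the intended default should be given as an explicit file before the directory. Note also that `ssl_fc_sni`, used in the first example below, reads the SNI from the handshake HAProxy terminated itself, whereas `req.ssl_sni` inspects the raw ClientHello and is meant for TCP-mode passthrough frontends that do not terminate TLS.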

EXAMPLES
frontend public
	bind :443 ssl crt /etc/pki/tls/certs/hostname.pem crt /etc/pki/tls/certs/domain1.pem crt /etc/pki/tls/certs/domain2.pem crt /etc/pki/tls/certs/domain3.pem crt /etc/pki/tls/certs/certpem/
	use_backend host_name_domain1 if { ssl_fc_sni -i domain1.org }
	use_backend host_name_domain2 if { ssl_fc_sni -i domain2.org }
	use_backend host_name_domain3 if { ssl_fc_sni -i domain3.org }
	default_backend host___default
[...]

backend host_name_domain1
[...]

backend host_name_domain2
[...]

backend host_name_domain3
[...]

backend host___default
[...]

frontend public
	bind :443 ssl crt /etc/pki/tls/certs/site.pem
	use_backend host_name_domain1 if { req.ssl_sni -i domain1.net }
	use_backend host_name_domain2 if { req.ssl_sni -i domain2.net }
	use_backend host_name_domain3 if { req.ssl_sni -i domain3.net }
	default_backend host___default
[...]

backend host_name_domain1
[...]

backend host_name_domain2
[...]

backend host_name_domain3
[...]

backend host___default
[...]



SNI config


See also SNI config for: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
See also SNI config for: ProFTPd | Pure-FTPd | vsftpd | Dovecot | Postfix | OpenLDAP
See also SNI config for: pgpool | PostgreSQL | MySQL | Firebird

frontend public_https
        bind         :::443 ssl crt /etc/pki/tls/certs/cen06x64.xen.wbcd.pl.pem crt /etc/pki/tls/certs/cen06x64a.xen.wbcd.pl.pem crt /etc/pki/tls/certs/cen06x64b.xen.wbcd.pl.pem crt /etc/pki/tls/certs/cen06x64c.xen.wbcd.pl.pem no-sslv3 ciphers "ALL:!ADH:!EXPORT:!SSLv2:!RC4:!RSA:!NULL:!aNULL:!eNULL:!EXP:+HIGH:+TLSv1"
[...]



SNI check


See also SNI check for: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
See also SNI check for: ProFTPd | Pure-FTPd | vsftpd | Dovecot | Postfix | OpenLDAP
See also SNI check for: pgpool | PostgreSQL | MySQL | Firebird

HAProxy's TLS SNI handling was tested with the httprecv tool, using the --SNI option whose argument was set in turn to each of the domains present in the certificates configured on the HAProxy frontend that handles SSL connections.
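Reading each httprecv transcript by eye scales poorly once a frontend carries several certificates, and the thing being verified is easy to state: did the certificate HAProxy served for a given --SNI value actually cover that name, is it close to expiry, does it chain to the bundle given with --ca-file, and does a server certificate oddly assert CA:TRUE. The script below is an added example, not part of the page or of httprecv, that extracts those fields from output in the format shown in this section and reports findings. The two sample transcripts are constructed in that format, not captured from the page's host, and name matching is exact because none of the page's certificates uses wildcards.

```python
"""Added example: a findings checker over httprecv --certverify --certinfo output.
Sample transcripts below are constructed in the page's output format.
"""
import re


def parse_httprecv(sni, output):
    """Extract the fields the SNI check needs from one httprecv run."""
    info = {"sni": sni, "cn": None, "sans": set(), "days": None, "ca": None, "trusted": True}
    for line in output.splitlines():
        if m := re.search(r"VERIFY: Subject: .*?CN=([^,]+)", line):
            info["cn"] = m.group(1)
        info["sans"].update(re.findall(r"DNS:([A-Za-z0-9.*-]+)", line))
        if m := re.search(r"Cert expire after (\d+) \[d\]", line):
            info["days"] = int(m.group(1))
        if m := re.search(r"Basic Constraints:\s+CA:(TRUE|FALSE)", line):
            info["ca"] = m.group(1) == "TRUE"
        if "certificate is NOT trusted" in line:
            info["trusted"] = False
    info["sans"] = sorted(info["sans"])
    return info


def findings(info, min_days=30):
    """Human-readable problems with the certificate served for info['sni']."""
    out = []
    names = {info["cn"]} | set(info["sans"]) if info["cn"] else set(info["sans"])
    if info["sni"].lower() not in {n.lower() for n in names}:
        out.append(f"SNI {info['sni']} not covered by served certificate "
                   f"(CN={info['cn']}, SAN={info['sans']})")
    if info["days"] is not None and info["days"] < min_days:
        out.append(f"certificate expires in {info['days']} days")
    if info["ca"]:
        out.append("server certificate carries Basic Constraints CA:TRUE")
    if not info["trusted"]:
        out.append("certificate does not chain to the CA bundle given with --ca-file")
    return out


def check_probe(sni, output, min_days=30):
    return findings(parse_httprecv(sni, output), min_days)


# Constructed transcript: SNI answered with a SAN certificate that covers it, self-signed, CA:TRUE.
SAMPLE_A = r"""httprecv: CERT:VERIFY: Peer's certificate issuer is unknown
httprecv: CERT:VERIFY: Peer's certificate is NOT trusted
httprecv: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Cert expire after 364 [d] (31535213 [s]))
httprecv: CERT[0]:VERIFY: X509v3 Subject Alternative Name:
httprecv: CERT[0]:VERIFY:      DNS:cen06x64a.xen.wbcd.pl, DNS:cen06x64a1.xen.wbcd.pl,
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64a.xen.wbcd.pl
httprecv: X.509: Extensions: Basic Constraints:  CA:TRUE
"""

# Constructed transcript: unknown SNI fell through to the first loaded (default) certificate.
SAMPLE_B = r"""httprecv: CERT:VERIFY: Peer's certificate issuer is unknown
httprecv: CERT:VERIFY: Peer's certificate is NOT trusted
httprecv: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=cen06x64.xen.wbcd.pl,EMAIL=ssl@wbcd.pl
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Cert expire after 2715 [d] (234615295 [s]))
httprecv: X.509: Extensions: Basic Constraints:  CA:FALSE
"""

if __name__ == "__main__":
    for sni, out in (("cen06x64a.xen.wbcd.pl", SAMPLE_A), ("cen06x64z.xen.wbcd.pl", SAMPLE_B)):
        print(sni, "->", check_probe(sni, out) or ["OK"])
```

The "not covered" finding is the one that catches a missing `crt` entry or a misspelt SAN: HAProxy never errors on an unmatched SNI, it just serves the default certificate, so only a client-side check like this one notices. The CA:TRUE finding is worth keeping even for lab certificates, because a leaf that is also a CA can mint further certificates if its key ever leaks.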

httprecv --syserrors -w 5 --header="Host: localhost" --SNI=localhost --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo --body-hide https://10.41.0.58:443/

httprecv: Resolving 10.41.0.58 ... 10.41.0.58 Success
httprecv: Connecting to 10.41.0.58[10.41.0.58]:443 Success
httprecv: CERT:VERIFY: Peer's certificate issuer is unknown
httprecv: CERT:VERIFY: Peer's certificate is NOT trusted
httprecv: CERT[0]:VERIFY: The hostname in the certificate does NOT match '10.41.0.58'
httprecv: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=Webbot Certification Authority,EMAIL=ssl@wbcd.pl
httprecv: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=cen06x64.xen.wbcd.pl,EMAIL=ssl@wbcd.pl
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not Before: 2014/04/04 22:33:09
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not After : 2024/04/01 22:33:09
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Cert expire after 2715 [d] (234615295 [s]))
httprecv: X.509: Version: 3
httprecv: X.509: Serial Number (hex): 0A
httprecv: X.509: Signature Algorithm: RSA-SHA1
httprecv: X.509: Issuer : C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=Webbot Certification Authority,EMAIL=ssl@wbcd.pl
httprecv: X.509: Subject: C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=cen06x64.xen.wbcd.pl,EMAIL=ssl@wbcd.pl
httprecv: X.509: Validity: Not Before: 2014/04/04 22:33:09
httprecv: X.509: Validity: Not After : 2024/04/01 22:33:09
httprecv: X.509: Subject Public Key Info: Public Key Algorithm: RSA (4096 bits)
httprecv: X.509: Extensions: Basic Constraints:  CA:FALSE
httprecv: X.509: Extensions: Key usage:  Digital signature.
httprecv: X.509: Extensions: Key usage:  Key encipherment.
httprecv: X.509: Extensions: Key purpose OIDs: TLS WWW Server.
httprecv: X.509: Extensions: Key purpose OIDs: TLS WWW Client.
https://10.41.0.58:443/ dnsq=0.000, conn=1.011, socktls=0.088, send=0.000, wait=0.019, recv=0.000, summ=1.127, size=10, speed=73044, result=200:HTTP/1.1 200 OK

httprecv --syserrors -w 5 --header="Host: cen06x64a.xen.wbcd.pl" --SNI=cen06x64a.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo --body-hide https://10.41.0.58:443/

httprecv: Resolving 10.41.0.58 ... 10.41.0.58 Success
httprecv: Connecting to 10.41.0.58[10.41.0.58]:443 Success
httprecv: CERT:VERIFY: Peer's certificate issuer is unknown
httprecv: CERT:VERIFY: Peer's certificate is NOT trusted
httprecv: CERT[0]:VERIFY: The hostname in the certificate does NOT match '10.41.0.58'
httprecv: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not Before: 2016/10/22 15:19:08
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not After : 2017/10/22 15:19:08
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Cert expire after 364 [d] (31535213 [s]))
httprecv: CERT[0]:VERIFY: X509v3 Subject Alternative Name:
httprecv: CERT[0]:VERIFY:      DNS:cen06x64a.xen.wbcd.pl, DNS:cen06x64a1.xen.wbcd.pl, DNS:cen06x64a2.xen.wbcd.pl, DNS:cen06x64a3.xen.wbcd.pl,
httprecv: X.509: Version: 3
httprecv: X.509: Serial Number (hex): 00:DB:93:CA:57:E4:68:8F:EC
httprecv: X.509: Signature Algorithm: RSA-SHA256
httprecv: X.509: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Validity: Not Before: 2016/10/22 15:19:08
httprecv: X.509: Validity: Not After : 2017/10/22 15:19:08
httprecv: X.509: Subject Public Key Info: Public Key Algorithm: RSA (2048 bits)
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64a.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64a1.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64a2.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64a3.xen.wbcd.pl
httprecv: X.509: Extensions: Basic Constraints:  CA:TRUE
https://10.41.0.58:443/ dnsq=0.000, conn=0.008, socktls=0.247, send=0.001, wait=0.002, recv=0.000, summ=0.357, size=10, speed=20455, result=200:HTTP/1.1 200 OK

httprecv --syserrors -w 5 --header="Host: cen06x64a1.xen.wbcd.pl" --SNI=cen06x64a1.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo --body-hide https://10.41.0.58:443/

httprecv: Resolving 10.41.0.58 ... 10.41.0.58 Success
httprecv: Connecting to 10.41.0.58[10.41.0.58]:443 Success
httprecv: CERT:VERIFY: Peer's certificate issuer is unknown
httprecv: CERT:VERIFY: Peer's certificate is NOT trusted
httprecv: CERT[0]:VERIFY: The hostname in the certificate does NOT match '10.41.0.58'
httprecv: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not Before: 2016/10/22 15:19:08
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not After : 2017/10/22 15:19:08
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Cert expire after 364 [d] (31535207 [s]))
httprecv: CERT[0]:VERIFY: X509v3 Subject Alternative Name:
httprecv: CERT[0]:VERIFY:      DNS:cen06x64a.xen.wbcd.pl, DNS:cen06x64a1.xen.wbcd.pl, DNS:cen06x64a2.xen.wbcd.pl, DNS:cen06x64a3.xen.wbcd.pl,
httprecv: X.509: Version: 3
httprecv: X.509: Serial Number (hex): 00:DB:93:CA:57:E4:68:8F:EC
httprecv: X.509: Signature Algorithm: RSA-SHA256
httprecv: X.509: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Validity: Not Before: 2016/10/22 15:19:08
httprecv: X.509: Validity: Not After : 2017/10/22 15:19:08
httprecv: X.509: Subject Public Key Info: Public Key Algorithm: RSA (2048 bits)
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64a.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64a1.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64a2.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64a3.xen.wbcd.pl
httprecv: X.509: Extensions: Basic Constraints:  CA:TRUE
https://10.41.0.58:443/ dnsq=0.000, conn=0.001, socktls=0.264, send=0.001, wait=0.003, recv=0.001, summ=0.390, size=10, speed=19048, result=200:HTTP/1.1 200 OK

httprecv --syserrors -w 5 --header="Host: cen06x64a2.xen.wbcd.pl" --SNI=cen06x64a2.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo --body-hide https://10.41.0.58:443/

httprecv: Resolving 10.41.0.58 ... 10.41.0.58 Success
httprecv: Connecting to 10.41.0.58[10.41.0.58]:443 Success
httprecv: CERT:VERIFY: Peer's certificate issuer is unknown
httprecv: CERT:VERIFY: Peer's certificate is NOT trusted
httprecv: CERT[0]:VERIFY: The hostname in the certificate does NOT match '10.41.0.58'
httprecv: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not Before: 2016/10/22 15:19:08
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not After : 2017/10/22 15:19:08
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Cert expire after 364 [d] (31535200 [s]))
httprecv: CERT[0]:VERIFY: X509v3 Subject Alternative Name:
httprecv: CERT[0]:VERIFY:      DNS:cen06x64a.xen.wbcd.pl, DNS:cen06x64a1.xen.wbcd.pl, DNS:cen06x64a2.xen.wbcd.pl, DNS:cen06x64a3.xen.wbcd.pl,
httprecv: X.509: Version: 3
httprecv: X.509: Serial Number (hex): 00:DB:93:CA:57:E4:68:8F:EC
httprecv: X.509: Signature Algorithm: RSA-SHA256
httprecv: X.509: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Validity: Not Before: 2016/10/22 15:19:08
httprecv: X.509: Validity: Not After : 2017/10/22 15:19:08
httprecv: X.509: Subject Public Key Info: Public Key Algorithm: RSA (2048 bits)
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64a.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64a1.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64a2.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64a3.xen.wbcd.pl
httprecv: X.509: Extensions: Basic Constraints:  CA:TRUE
https://10.41.0.58:443/ dnsq=0.000, conn=0.007, socktls=0.282, send=0.001, wait=0.006, recv=0.000, summ=0.392, size=10, speed=20245, result=200:HTTP/1.1 200 OK

httprecv --syserrors -w 5 --header="Host: cen06x64a3.xen.wbcd.pl" --SNI=cen06x64a3.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo --body-hide https://10.41.0.58:443/

httprecv: Resolving 10.41.0.58 ... 10.41.0.58 Success
httprecv: Connecting to 10.41.0.58[10.41.0.58]:443 Success
httprecv: CERT:VERIFY: Peer's certificate issuer is unknown
httprecv: CERT:VERIFY: Peer's certificate is NOT trusted
httprecv: CERT[0]:VERIFY: The hostname in the certificate does NOT match '10.41.0.58'
httprecv: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not Before: 2016/10/22 15:19:08
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not After : 2017/10/22 15:19:08
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Cert expire after 364 [d] (31535195 [s]))
httprecv: CERT[0]:VERIFY: X509v3 Subject Alternative Name:
httprecv: CERT[0]:VERIFY:      DNS:cen06x64a.xen.wbcd.pl, DNS:cen06x64a1.xen.wbcd.pl, DNS:cen06x64a2.xen.wbcd.pl, DNS:cen06x64a3.xen.wbcd.pl,
httprecv: X.509: Version: 3
httprecv: X.509: Serial Number (hex): 00:DB:93:CA:57:E4:68:8F:EC
httprecv: X.509: Signature Algorithm: RSA-SHA256
httprecv: X.509: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Validity: Not Before: 2016/10/22 15:19:08
httprecv: X.509: Validity: Not After : 2017/10/22 15:19:08
httprecv: X.509: Subject Public Key Info: Public Key Algorithm: RSA (2048 bits)
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64a.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64a1.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64a2.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64a3.xen.wbcd.pl
httprecv: X.509: Extensions: Basic Constraints:  CA:TRUE
https://10.41.0.58:443/ dnsq=0.000, conn=0.001, socktls=0.229, send=0.000, wait=0.020, recv=0.001, summ=0.342, size=10, speed=18650, result=200:HTTP/1.1 200 OK

httprecv --syserrors -w 5 --header="Host: cen06x64b.xen.wbcd.pl" --SNI=cen06x64b.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo --body-hide https://10.41.0.58:443/

httprecv: Resolving 10.41.0.58 ... 10.41.0.58 Success
httprecv: Connecting to 10.41.0.58[10.41.0.58]:443 Success
httprecv: CERT:VERIFY: Peer's certificate issuer is unknown
httprecv: CERT:VERIFY: Peer's certificate is NOT trusted
httprecv: CERT[0]:VERIFY: The hostname in the certificate does NOT match '10.41.0.58'
httprecv: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not Before: 2016/10/22 15:19:11
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not After : 2017/10/22 15:19:11
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Cert expire after 364 [d] (31535193 [s]))
httprecv: CERT[0]:VERIFY: X509v3 Subject Alternative Name:
httprecv: CERT[0]:VERIFY:      DNS:cen06x64b.xen.wbcd.pl, DNS:cen06x64b1.xen.wbcd.pl, DNS:cen06x64b2.xen.wbcd.pl, DNS:cen06x64b3.xen.wbcd.pl,
httprecv: X.509: Version: 3
httprecv: X.509: Serial Number (hex): 00:82:1E:15:3B:CB:FA:45:6E
httprecv: X.509: Signature Algorithm: RSA-SHA256
httprecv: X.509: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Validity: Not Before: 2016/10/22 15:19:11
httprecv: X.509: Validity: Not After : 2017/10/22 15:19:11
httprecv: X.509: Subject Public Key Info: Public Key Algorithm: RSA (2048 bits)
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b1.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b2.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b3.xen.wbcd.pl
httprecv: X.509: Extensions: Basic Constraints:  CA:TRUE
https://10.41.0.58:443/ dnsq=0.000, conn=0.005, socktls=0.237, send=0.000, wait=0.003, recv=0.001, summ=0.348, size=10, speed=19689, result=200:HTTP/1.1 200 OK

httprecv --syserrors -w 5 --header="Host: cen06x64b1.xen.wbcd.pl" --SNI=cen06x64b1.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo --body-hide https://10.41.0.58:443/

httprecv: Resolving 10.41.0.58 ... 10.41.0.58 Success
httprecv: Connecting to 10.41.0.58[10.41.0.58]:443 Success
httprecv: CERT:VERIFY: Peer's certificate issuer is unknown
httprecv: CERT:VERIFY: Peer's certificate is NOT trusted
httprecv: CERT[0]:VERIFY: The hostname in the certificate does NOT match '10.41.0.58'
httprecv: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not Before: 2016/10/22 15:19:11
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not After : 2017/10/22 15:19:11
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Cert expire after 364 [d] (31535188 [s]))
httprecv: CERT[0]:VERIFY: X509v3 Subject Alternative Name:
httprecv: CERT[0]:VERIFY:      DNS:cen06x64b.xen.wbcd.pl, DNS:cen06x64b1.xen.wbcd.pl, DNS:cen06x64b2.xen.wbcd.pl, DNS:cen06x64b3.xen.wbcd.pl,
httprecv: X.509: Version: 3
httprecv: X.509: Serial Number (hex): 00:82:1E:15:3B:CB:FA:45:6E
httprecv: X.509: Signature Algorithm: RSA-SHA256
httprecv: X.509: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Validity: Not Before: 2016/10/22 15:19:11
httprecv: X.509: Validity: Not After : 2017/10/22 15:19:11
httprecv: X.509: Subject Public Key Info: Public Key Algorithm: RSA (2048 bits)
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b1.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b2.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b3.xen.wbcd.pl
httprecv: X.509: Extensions: Basic Constraints:  CA:TRUE
https://10.41.0.58:443/ dnsq=0.000, conn=0.001, socktls=0.235, send=0.001, wait=0.002, recv=0.001, summ=0.405, size=10, speed=18621, result=200:HTTP/1.1 200 OK

httprecv --syserrors -w 5 --header="Host: cen06x64b2.xen.wbcd.pl" --SNI=cen06x64b2.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo --body-hide https://10.41.0.58:443/

httprecv: Resolving 10.41.0.58 ... 10.41.0.58 Success
httprecv: Connecting to 10.41.0.58[10.41.0.58]:443 Success
httprecv: CERT:VERIFY: Peer's certificate issuer is unknown
httprecv: CERT:VERIFY: Peer's certificate is NOT trusted
httprecv: CERT[0]:VERIFY: The hostname in the certificate does NOT match '10.41.0.58'
httprecv: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not Before: 2016/10/22 15:19:11
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not After : 2017/10/22 15:19:11
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Cert expire after 364 [d] (31535181 [s]))
httprecv: CERT[0]:VERIFY: X509v3 Subject Alternative Name:
httprecv: CERT[0]:VERIFY:      DNS:cen06x64b.xen.wbcd.pl, DNS:cen06x64b1.xen.wbcd.pl, DNS:cen06x64b2.xen.wbcd.pl, DNS:cen06x64b3.xen.wbcd.pl,
httprecv: X.509: Version: 3
httprecv: X.509: Serial Number (hex): 00:82:1E:15:3B:CB:FA:45:6E
httprecv: X.509: Signature Algorithm: RSA-SHA256
httprecv: X.509: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Validity: Not Before: 2016/10/22 15:19:11
httprecv: X.509: Validity: Not After : 2017/10/22 15:19:11
httprecv: X.509: Subject Public Key Info: Public Key Algorithm: RSA (2048 bits)
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b1.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b2.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b3.xen.wbcd.pl
httprecv: X.509: Extensions: Basic Constraints:  CA:TRUE
https://10.41.0.58:443/ dnsq=0.000, conn=0.003, socktls=0.263, send=0.000, wait=0.004, recv=0.001, summ=0.389, size=10, speed=19959, result=200:HTTP/1.1 200 OK

httprecv --syserrors -w 5 --header="Host: cen06x64b3.xen.wbcd.pl" --SNI=cen06x64b3.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo --body-hide https://10.41.0.58:443/

httprecv: Resolving 10.41.0.58 ... 10.41.0.58 Success
httprecv: Connecting to 10.41.0.58[10.41.0.58]:443 Success
httprecv: CERT:VERIFY: Peer's certificate issuer is unknown
httprecv: CERT:VERIFY: Peer's certificate is NOT trusted
httprecv: CERT[0]:VERIFY: The hostname in the certificate does NOT match '10.41.0.58'
httprecv: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not Before: 2016/10/22 15:19:11
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not After : 2017/10/22 15:19:11
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Cert expire after 364 [d] (31535176 [s]))
httprecv: CERT[0]:VERIFY: X509v3 Subject Alternative Name:
httprecv: CERT[0]:VERIFY:      DNS:cen06x64b.xen.wbcd.pl, DNS:cen06x64b1.xen.wbcd.pl, DNS:cen06x64b2.xen.wbcd.pl, DNS:cen06x64b3.xen.wbcd.pl,
httprecv: X.509: Version: 3
httprecv: X.509: Serial Number (hex): 00:82:1E:15:3B:CB:FA:45:6E
httprecv: X.509: Signature Algorithm: RSA-SHA256
httprecv: X.509: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Validity: Not Before: 2016/10/22 15:19:11
httprecv: X.509: Validity: Not After : 2017/10/22 15:19:11
httprecv: X.509: Subject Public Key Info: Public Key Algorithm: RSA (2048 bits)
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b1.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b2.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b3.xen.wbcd.pl
httprecv: X.509: Extensions: Basic Constraints:  CA:TRUE
https://10.41.0.58:443/ dnsq=0.000, conn=0.006, socktls=0.233, send=0.001, wait=0.004, recv=0.001, summ=0.339, size=10, speed=19608, result=200:HTTP/1.1 200 OK

httprecv --syserrors -w 5 --header="Host: cen06x64c.xen.wbcd.pl" --SNI=cen06x64c.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo --body-hide https://10.41.0.58:443/

httprecv: Resolving 10.41.0.58 ... 10.41.0.58 Success
httprecv: Connecting to 10.41.0.58[10.41.0.58]:443 Success
httprecv: CERT:VERIFY: Peer's certificate issuer is unknown
httprecv: CERT:VERIFY: Peer's certificate is NOT trusted
httprecv: CERT[0]:VERIFY: The hostname in the certificate does NOT match '10.41.0.58'
httprecv: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not Before: 2016/10/22 15:19:13
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not After : 2017/10/22 15:19:13
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Cert expire after 364 [d] (31535171 [s]))
httprecv: CERT[0]:VERIFY: X509v3 Subject Alternative Name:
httprecv: CERT[0]:VERIFY:      DNS:cen06x64c.xen.wbcd.pl, DNS:cen06x64c1.xen.wbcd.pl, DNS:cen06x64c2.xen.wbcd.pl, DNS:cen06x64c3.xen.wbcd.pl,
httprecv: X.509: Version: 3
httprecv: X.509: Serial Number (hex): 00:E3:2A:B0:D8:C5:B3:8E:FA
httprecv: X.509: Signature Algorithm: RSA-SHA256
httprecv: X.509: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Validity: Not Before: 2016/10/22 15:19:13
httprecv: X.509: Validity: Not After : 2017/10/22 15:19:13
httprecv: X.509: Subject Public Key Info: Public Key Algorithm: RSA (2048 bits)
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64c.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64c1.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64c2.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64c3.xen.wbcd.pl
httprecv: X.509: Extensions: Basic Constraints:  CA:TRUE
https://10.41.0.58:443/ dnsq=0.000, conn=0.001, socktls=0.238, send=0.001, wait=0.003, recv=0.001, summ=0.341, size=10, speed=19949, result=200:HTTP/1.1 200 OK

httprecv --syserrors -w 5 --header="Host: cen06x64c1.xen.wbcd.pl" --SNI=cen06x64c1.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo --body-hide https://10.41.0.58:443/

httprecv: Resolving 10.41.0.58 ... 10.41.0.58 Success
httprecv: Connecting to 10.41.0.58[10.41.0.58]:443 Success
httprecv: CERT:VERIFY: Peer's certificate issuer is unknown
httprecv: CERT:VERIFY: Peer's certificate is NOT trusted
httprecv: CERT[0]:VERIFY: The hostname in the certificate does NOT match '10.41.0.58'
httprecv: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not Before: 2016/10/22 15:19:13
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not After : 2017/10/22 15:19:13
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Cert expire after 364 [d] (31535167 [s]))
httprecv: CERT[0]:VERIFY: X509v3 Subject Alternative Name:
httprecv: CERT[0]:VERIFY:      DNS:cen06x64c.xen.wbcd.pl, DNS:cen06x64c1.xen.wbcd.pl, DNS:cen06x64c2.xen.wbcd.pl, DNS:cen06x64c3.xen.wbcd.pl,
httprecv: X.509: Version: 3
httprecv: X.509: Serial Number (hex): 00:E3:2A:B0:D8:C5:B3:8E:FA
httprecv: X.509: Signature Algorithm: RSA-SHA256
httprecv: X.509: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Validity: Not Before: 2016/10/22 15:19:13
httprecv: X.509: Validity: Not After : 2017/10/22 15:19:13
httprecv: X.509: Subject Public Key Info: Public Key Algorithm: RSA (2048 bits)
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64c.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64c1.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64c2.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64c3.xen.wbcd.pl
httprecv: X.509: Extensions: Basic Constraints:  CA:TRUE
https://10.41.0.58:443/ dnsq=0.000, conn=0.005, socktls=0.217, send=0.006, wait=0.002, recv=0.001, summ=0.345, size=10, speed=19800, result=200:HTTP/1.1 200 OK

httprecv --syserrors -w 5 --header="Host: cen06x64c2.xen.wbcd.pl" --SNI=cen06x64c2.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo --body-hide https://10.41.0.58:443/

httprecv: Resolving 10.41.0.58 ... 10.41.0.58 Success
httprecv: Connecting to 10.41.0.58[10.41.0.58]:443 Success
httprecv: CERT:VERIFY: Peer's certificate issuer is unknown
httprecv: CERT:VERIFY: Peer's certificate is NOT trusted
httprecv: CERT[0]:VERIFY: The hostname in the certificate does NOT match '10.41.0.58'
httprecv: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not Before: 2016/10/22 15:19:13
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not After : 2017/10/22 15:19:13
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Cert expire after 364 [d] (31535161 [s]))
httprecv: CERT[0]:VERIFY: X509v3 Subject Alternative Name:
httprecv: CERT[0]:VERIFY:      DNS:cen06x64c.xen.wbcd.pl, DNS:cen06x64c1.xen.wbcd.pl, DNS:cen06x64c2.xen.wbcd.pl, DNS:cen06x64c3.xen.wbcd.pl,
httprecv: X.509: Version: 3
httprecv: X.509: Serial Number (hex): 00:E3:2A:B0:D8:C5:B3:8E:FA
httprecv: X.509: Signature Algorithm: RSA-SHA256
httprecv: X.509: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Validity: Not Before: 2016/10/22 15:19:13
httprecv: X.509: Validity: Not After : 2017/10/22 15:19:13
httprecv: X.509: Subject Public Key Info: Public Key Algorithm: RSA (2048 bits)
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64c.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64c1.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64c2.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64c3.xen.wbcd.pl
httprecv: X.509: Extensions: Basic Constraints:  CA:TRUE
https://10.41.0.58:443/ dnsq=0.000, conn=0.004, socktls=0.241, send=0.000, wait=0.004, recv=0.001, summ=0.359, size=10, speed=19639, result=200:HTTP/1.1 200 OK

httprecv --syserrors -w 5 --header="Host: cen06x64c3.xen.wbcd.pl" --SNI=cen06x64c3.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo --body-hide https://10.41.0.58:443/

httprecv: Resolving 10.41.0.58 ... 10.41.0.58 Success
httprecv: Connecting to 10.41.0.58[10.41.0.58]:443 Success
httprecv: CERT:VERIFY: Peer's certificate issuer is unknown
httprecv: CERT:VERIFY: Peer's certificate is NOT trusted
httprecv: CERT[0]:VERIFY: The hostname in the certificate does NOT match '10.41.0.58'
httprecv: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not Before: 2016/10/22 15:19:13
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not After : 2017/10/22 15:19:13
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Cert expire after 364 [d] (31535156 [s]))
httprecv: CERT[0]:VERIFY: X509v3 Subject Alternative Name:
httprecv: CERT[0]:VERIFY:      DNS:cen06x64c.xen.wbcd.pl, DNS:cen06x64c1.xen.wbcd.pl, DNS:cen06x64c2.xen.wbcd.pl, DNS:cen06x64c3.xen.wbcd.pl,
httprecv: X.509: Version: 3
httprecv: X.509: Serial Number (hex): 00:E3:2A:B0:D8:C5:B3:8E:FA
httprecv: X.509: Signature Algorithm: RSA-SHA256
httprecv: X.509: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Network,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Validity: Not Before: 2016/10/22 15:19:13
httprecv: X.509: Validity: Not After : 2017/10/22 15:19:13
httprecv: X.509: Subject Public Key Info: Public Key Algorithm: RSA (2048 bits)
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64c.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64c1.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64c2.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64c3.xen.wbcd.pl
httprecv: X.509: Extensions: Basic Constraints:  CA:TRUE
https://10.41.0.58:443/ dnsq=0.000, conn=0.001, socktls=0.267, send=0.004, wait=0.028, recv=0.001, summ=0.392, size=10, speed=19602, result=200:HTTP/1.1 200 OK
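The runs above were made to see which certificate HAProxy serves for each SNI name; httprecv's own "does NOT match" verdict compares the certificate against the IP literal in the URL, so it cannot answer that question. The added example below (not part of the original page or of httprecv) parses an abridged excerpt of that output and checks that every --SNI name is covered by a SAN entry of the certificate returned; the second run in the excerpt is constructed as a failure case.

```python
"""Check the httprecv SNI runs above: for every --SNI name sent, the
certificate HAProxy returned must list that name in its Subject Alternative
Name extension. httprecv's own 'does NOT match' verdict compares against the
IP literal in the URL, so it cannot answer that question; this check can.
Added example, not part of the original page or of httprecv."""
import re

# Excerpt abridged from the httprecv output above. The second run is
# constructed as a failure case: the 'b' certificate comes back for an SNI
# of cen06x64c, which is not among its SAN entries.
HTTPRECV_LOG = """\
httprecv --syserrors -w 5 --header="Host: cen06x64b1.xen.wbcd.pl" --SNI=cen06x64b1.xen.wbcd.pl --certinfo https://10.41.0.58:443/

httprecv: CERT:VERIFY: Peer's certificate issuer is unknown
httprecv: CERT:VERIFY: Peer's certificate is NOT trusted
httprecv: CERT[0]:VERIFY: The hostname in the certificate does NOT match '10.41.0.58'
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b1.xen.wbcd.pl
https://10.41.0.58:443/ dnsq=0.000, conn=0.001, result=200:HTTP/1.1 200 OK

httprecv --syserrors -w 5 --header="Host: cen06x64c.xen.wbcd.pl" --SNI=cen06x64c.xen.wbcd.pl --certinfo https://10.41.0.58:443/

httprecv: CERT:VERIFY: Peer's certificate issuer is unknown
httprecv: CERT:VERIFY: Peer's certificate is NOT trusted
httprecv: CERT[0]:VERIFY: The hostname in the certificate does NOT match '10.41.0.58'
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b1.xen.wbcd.pl
https://10.41.0.58:443/ dnsq=0.000, conn=0.001, result=200:HTTP/1.1 200 OK
"""

SNI_RE = re.compile(r"--SNI=(\S+)")
SAN_RE = re.compile(r"Subject Alternative Name:\s*DNS:(\S+)")
STATUS_RE = re.compile(r"result=(\d{3}):")


def name_matches(san, hostname):
    """RFC 6125 style comparison: case-insensitive, and a leading '*.' in the
    SAN entry matches exactly one leftmost label of the hostname."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]  # '*.xen.wbcd.pl' -> '.xen.wbcd.pl'
        return hostname.endswith(suffix) and "." not in hostname[: -len(suffix)]
    return san == hostname


def split_runs(log):
    """Split httprecv output into one chunk per command invocation."""
    runs, current = [], []
    for line in log.splitlines():
        if line.startswith("httprecv --") and current:
            runs.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        runs.append("\n".join(current))
    return runs


def check_sni_runs(log):
    """For each run report the SNI sent, the SAN entries received, whether the
    SNI is covered by one of them, and httprecv's own trust verdict."""
    report = []
    for run in split_runs(log):
        sni_m = SNI_RE.search(run)
        if not sni_m:
            continue  # not an SNI run (e.g. a plain HTTP check), skip it
        sni = sni_m.group(1)
        sans = SAN_RE.findall(run)
        status_m = STATUS_RE.search(run)
        report.append({
            "sni": sni,
            "san": sans,
            "sni_in_san": any(name_matches(s, sni) for s in sans),
            "trusted": "is NOT trusted" not in run,
            "status": int(status_m.group(1)) if status_m else None,
        })
    return report


if __name__ == "__main__":
    for r in check_sni_runs(HTTPRECV_LOG):
        verdict = "OK" if r["sni_in_san"] else "WRONG CERT"
        print("%-28s %s  SAN=%s" % (r["sni"], verdict, ", ".join(r["san"])))
```

Feed it the full output of a loop over all SNI names and any run reported as WRONG CERT is a name for which HAProxy fell back to a certificate that does not cover it.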



#top Protocol Secure


See also Protocol Secure for: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
See also Protocol Secure for: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
See also Protocol Secure for: pgpool | PostgreSQL | MySQL | Firebird



#top Remove Service Version Information


See also Remove Service Version Information for: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
See also Remove Service Version Information for: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
See also Remove Service Version Information for: pgpool | PostgreSQL | MySQL | Firebird

Not applicable! By default HAProxy adds no extra headers to the request or the response that would reveal the presence of the proxy.
(Inserting the HTTP X-Forwarded-For header into the request sent to the backend server also has to be enabled explicitly in the configuration.)

(See the Signature, HTTP Header Remove section)

EXAMPLES
# The public 'http'
frontend public_http
    bind         :::80
[...]
    acl requ_www          path_beg    -i /www
    acl ah_cen06x64       hdr(host)   -i cen06x64.xen.wbcd.pl
    use_backend   bknd_cen06x64_app   if ah_cen06x64 !requ_www
    use_backend   bknd_cen06x64_www   if ah_cen06x64  requ_www



# The dynamic backend for app
backend bknd_cen06x64_app
[...]
    # Rewrite the whole Server header line to the bare product name, without a version string
    rsprep      ^Server:.*          Server:\ Apache
    # Drop the headers that reveal the backend stack (rspdel takes a regex matched against the header line)
    rspdel      ^X-Powered-By:.*
    rspdel      ^X-Via:.*

# The static backend for /www
backend bknd_cen06x64_www
[...]
    # Rewrite the whole Server header line to the bare product name, without a version string
    rsprep      ^Server:.*          Server:\ Apache
    # Drop the headers that reveal the backend stack (rspdel takes a regex matched against the header line)
    rspdel      ^X-Powered-By:.*
    rspdel      ^X-Via:.*



#top Add HTTP Response Headers Security


See also Add HTTP Response Headers Security for: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
See also Add HTTP Response Headers Security for: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
See also Add HTTP Response Headers Security for: pgpool | PostgreSQL | MySQL | Firebird

(See the HTTP Header Add section)

Strict-Transport-Security: RFC 6797, mozilla.org
X-XSS-Protection: RFC draft, mozilla.org, microsoft.com
X-Frame-Options: RFC 7034, mozilla.org, microsoft.com
X-Content-Type-Options: mozilla.org
Content-Security-Policy: RFC 7762, mozilla.org

EXAMPLES
# The public 'https'
frontend public_https
    bind         :::443 ssl crt /etc/pki/tls/certs/cen06x64.xen.wbcd.pl.pem no-sslv3 ciphers "ALL:!ADH:!EXPORT:!SSLv2:!RC4:!RSA:!NULL:!aNULL:!eNULL:!MD5"
[...]
    acl requ_www          path_beg    -i /www
    acl ah_cen06x64       hdr(host)   -i cen06x64.xen.wbcd.pl
    use_backend   bknd_cen06x64_app   if ah_cen06x64 !requ_www
    use_backend   bknd_cen06x64_www   if ah_cen06x64  requ_www



# The dynamic backend for app
backend bknd_cen06x64_app
[...]
    rspadd      Strict-Transport-Security:\ max-age=15552000;\ includeSubDomains
    rspadd      X-XSS-Protection:\ 1;\ mode=block
    rspadd      X-Frame-Options:\ SAMEORIGIN
    rspadd      X-Content-Type-Options:\ nosniff
    rspadd      Content-Security-Policy:\ default-src\ 'self'\ cen06x64.xen.wbcd.pl

# The static backend for /www
backend bknd_cen06x64_www
[...]
    rspadd      Strict-Transport-Security:\ max-age=15552000;\ includeSubDomains
    rspadd      X-XSS-Protection:\ 1;\ mode=block
    rspadd      X-Frame-Options:\ SAMEORIGIN
    rspadd      X-Content-Type-Options:\ nosniff
    rspadd      Content-Security-Policy:\ default-src\ 'self'\ cen06x64.xen.wbcd.pl
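To confirm that a response really leaves HAProxy with the headers added by the rspadd rules in this section and without the version-revealing ones removed by the rsprep/rspdel rules of the previous section, the following added example (not part of the original page or of HAProxy) audits a raw HTTP response; both sample responses are constructed, one as the Apache backend would send it and one as it looks after the rules above.

```python
"""Audit an HTTP response for the headers the HAProxy rules above add
(rspadd) and for the version-revealing ones they remove (rsprep/rspdel).
Added example, not part of the original page or of HAProxy itself; the two
raw responses are constructed, not captured."""
import re

# Lowest HSTS lifetime accepted: the max-age used in the rspadd lines above.
MIN_HSTS_MAX_AGE = 15552000
# Headers that reveal the backend stack; the rspdel lines above strip them.
LEAK_HEADERS = ("x-powered-by", "x-via")


def parse_headers(raw):
    """Parse the head of a raw HTTP/1.1 response into (status_line, headers),
    headers keyed by lower-cased name; repeated headers are joined with ', '."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # malformed header line: skip it rather than crash
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return lines[0], headers


def check_security_headers(headers):
    """Return a list of findings; an empty list means the response passes."""
    findings = []
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("Strict-Transport-Security max-age too low")
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security lacks includeSubDomains")
    if headers.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")
    if headers.get("x-xss-protection", "").replace(" ", "") != "1;mode=block":
        findings.append("X-XSS-Protection missing or not '1; mode=block'")
    if "default-src" not in headers.get("content-security-policy", ""):
        findings.append("Content-Security-Policy missing or without default-src")
    for name in LEAK_HEADERS:
        if name in headers:
            findings.append("leaks " + name)
    # 'Apache/2.2.15' reveals the version, the bare 'Apache' does not.
    if re.search(r"/\d", headers.get("server", "")):
        findings.append("Server header reveals a version")
    return findings


def audit(raw):
    """Parse a raw response and return its findings."""
    return check_security_headers(parse_headers(raw)[1])


# Constructed sample: what the Apache backend would return on its own.
RAW_BACKEND = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.2.15 (CentOS)\r\n"
    b"X-Powered-By: PHP/5.3.3\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n<html>ok</html>"
)

# Constructed sample: the same response after the rsprep/rspdel/rspadd rules above.
RAW_VIA_HAPROXY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"Strict-Transport-Security: max-age=15552000; includeSubDomains\r\n"
    b"X-XSS-Protection: 1; mode=block\r\n"
    b"X-Frame-Options: SAMEORIGIN\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"Content-Security-Policy: default-src 'self' cen06x64.xen.wbcd.pl\r\n"
    b"\r\n<html>ok</html>"
)

if __name__ == "__main__":
    for label, raw in (("backend direct", RAW_BACKEND), ("via HAProxy", RAW_VIA_HAPROXY)):
        print(label + ":", audit(raw) or "OK")
```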



#top TLS Secure


See also TLS Secure for: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
See also TLS Secure for: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
See also TLS Secure for: pgpool | PostgreSQL | MySQL | Firebird



#top Disable SSLv2/SSLv3 Protocols


See also Disable SSLv2/SSLv3 Protocols for: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
See also Disable SSLv2/SSLv3 Protocols for: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
See also Disable SSLv2/SSLv3 Protocols for: pgpool | PostgreSQL | MySQL | Firebird

(See the TLS Protocols section)
Resolution for POODLE SSLv3.0 vulnerability (CVE-2014-3566)
Vulnerability Summary for CVE-2014-3566



#top Disable weak Cipher Suites


See also Disable weak Cipher Suites for: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
See also Disable weak Cipher Suites for: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
See also Disable weak Cipher Suites for: pgpool | PostgreSQL | MySQL | Firebird

(See the TLS CipherSuite section)
MITRE CVE dictionary (CVE-2015-2808)
Vulnerability Summary for CVE-2015-2808
Ivan Ristic Mitigating the BEAST attack on TLS



#top Disable RC4 CipherSuite


See also Disable RC4 CipherSuite for: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
See also Disable RC4 CipherSuite for: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
See also Disable RC4 CipherSuite for: pgpool | PostgreSQL | MySQL | Firebird

More information under the analogous topic: Disable weak Cipher Suites



#top Disable Anonymous CipherSuite


See also Disable Anonymous CipherSuite for: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
See also Disable Anonymous CipherSuite for: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
See also Disable Anonymous CipherSuite for: pgpool | PostgreSQL | MySQL | Firebird

More information under the analogous topic: Disable weak Cipher Suites



#top Disable SSL Compression


See also Disable SSL Compression for: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
See also Disable SSL Compression for: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
See also Disable SSL Compression for: pgpool | PostgreSQL | MySQL | Firebird

(See the TLS Compression section)
The CRIME attack uses SSL Compression

Bug 857051 - (CRIME, CVE-2012-4929) CVE-2012-4929 SSL/TLS CRIME attack against HTTPS
The openssl packages in Red Hat Enterprise Linux 5 (starting with RHBA-2009:0181 update released in Red Hat Enterprise Linux 5.3) and 6, and also in Fedora, contain a patch that makes the library check if OPENSSL_NO_DEFAULT_ZLIB environment variable is set (can have arbitrary value, even empty string) and disable the default zlib support.

Setting the OPENSSL_NO_DEFAULT_ZLIB environment variable before starting a client or a server application using OpenSSL can be used to disable zlib compression support and hence mitigate this flaw. For example, httpd with mod_ssl has compression enabled by default in Red Hat Enterprise Linux 5 and 6, and hence it is used when client also supports it. Adding the following line to the /etc/sysconfig/httpd file:

export OPENSSL_NO_DEFAULT_ZLIB=1

and restarting the httpd service disables the use of SSL/TLS compression in mod_ssl and the compression will not be negotiated even when connecting client supports it. Note that this environment variable only affects the use of SSL/TLS protocol compression and does not affect the use of HTTP protocol compression implemented by the mod_deflate module.

CVE-2012-4929 SSL/TLS CRIME attack against HTTPS
The MITRE CVE dictionary describes this issue as:

The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.

Find out more about CVE-2012-4929 from the MITRE CVE dictionary and NIST NVD.

Vulnerability Summary for CVE-2012-4929
The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.



#top Set custom DH parameters


See also Set custom DH parameters for: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
See also Set custom DH parameters for: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
See also Set custom DH parameters for: pgpool | PostgreSQL | MySQL | Firebird

(See the TLS Cert/Key File section)
HAProxy documentation: tune.ssl.default-dh-param | tune.ssl.default-dh-param - copy
tune.ssl.default-dh-param <number>
Sets the maximum size of the Diffie-Hellman parameters used for generating the ephemeral/temporary Diffie-Hellman key in case of DHE key exchange. The final size will try to match the size of the server's RSA (or DSA) key (e.g, a 2048 bits temporary DH key for a 2048 bits RSA key), but will not exceed this maximum value. Default value is 1024. Only 1024 or higher values are allowed. Higher values will increase the CPU load, and values greater than 1024 bits are not supported by Java 7 and earlier clients. This value is not used if static Diffie-Hellman parameters are supplied via the certificate file.



#top Avoid certificates with Signature Algorithm: SHA1


See also Avoid certificates with Signature Algorithm: SHA1 for: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
See also Avoid certificates with Signature Algorithm: SHA1 for: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
See also Avoid certificates with Signature Algorithm: SHA1 for: pgpool | PostgreSQL | MySQL | Firebird

Mozilla plans to phase out support of SHA-1 hash algorithm
After Jan. 1, 2016, Firefox will present an "Untrusted Connection" error when a newly issued SHA-1 certificate is encountered, and after Jan. 1, 2017, Firefox will present an "Untrusted Connection" error whenever a SHA-1 certificate is encountered at all, according to a Tuesday post.

SHA-1 has been around for nearly two decades, and in recent years researchers have demonstrated SHA-1 mathematical weaknesses that could be exploited given enough time and computing power, Richard Barnes, engineering manager, cryptography and PKI, with Mozilla, told SCMagazine.com in a Wednesday email correspondence.

Mozilla Security Blog
Many of the certificates used by secure websites today are signed using algorithms based on a hash algorithm called SHA-1. The integrity of the hash algorithm used in signing a certificate is a critical element in the security of the certificate. Weaknesses in hash algorithms can lead to situations in which attackers can obtain fraudulent certificates. Mozilla, along with other browser vendors, is working on a plan to phase out support for the SHA-1 hash algorithm.

SHA-1 is nearly twenty years old, and is beginning to show its age. In the last few years, collision attacks undermining some properties of SHA-1 have been getting close to being practical. Collision attacks against the older MD5 hash algorithm have been used to obtain fraudulent certificates, so the improving feasibility of collision attacks against SHA-1 is concerning. In order to avoid the need for a rapid transition should a critical attack against SHA-1 be discovered, we are proactively phasing out SHA-1.



#top STATS SOCKET


HAProxy 1.4.19
--------------
rpm -qf /var/lib/haproxy

haproxy-1.4.19-1.el6.i686

HAProxy 1.4.10
--------------
haproxy-1.4.10-1.el5.i386.rpm
haproxy-1.4.10-1.el5.x86_64.rpm
haproxy-1.4.10-1.el6.x86_64.rpm

mkdir -p /var/lib/haproxy
chown nobody:nobody /var/lib/haproxy


#top frontend stats


/etc/init.d/haproxy check

'stats' ignored because frontend 'public' has no backend capability

The message above may appear when the directives that enable the statistics page are placed in a frontend section;
as the message says, a frontend section does not have the capabilities of a backend section.


Last modified: 2018/04/11 23:28:36 (6 years ago), textsize: 81.4 kB, htmlsize: 107 kB
