On Tue, Jan 08, 2013 at 05:14:05PM +0100, Baptiste wrote:
sorry, posted too quicly.
you can use the log-format tool to properly format your log line.
that said, I'm not sure that you can remove this char.
Hello,
You can remove the ~ char using log-format.
The default variable used in the
For PCI compliance I need to add the httponly cookie attribute to the
appsession cookie set by IIS 6.0. Any thoughts on how I could accomplish the
rewriting of this cookie using haproxy?
Regards,
Duncan
On 09.01.2013, at 01:15, Baptiste bed...@gmail.com wrote:
Hi,
You should NEVER ever change 2 core stuff in your architecture in the
mean time
First upgrade HAProxy, then later upgrade the kernel So if you
have an issue, it would be easier to track which component triggered
it.
The latest dev version is the most stable and best performing for SSL.
Do you mandatory need splicing?
Can't you simply disable it ??
cheers
On Wed, Jan 9, 2013 at 1:05 PM, Christian Becker
c.bec...@traviangames.com wrote:
On 09.01.2013, at 01:15, Baptiste bed...@gmail.com wrote:
Hi,
You
In the mean time i´ve downgraded to the old kernel, but the performances
issues persist. So this seems to be a issue in haproxy.
This is very strange. In your first mail you reported that your CPU is
spending 30% in userspace and 70% is system. How is your CPU usage now?
You are running the
I have a situation where a backend server defined in HAProxy may be a vip on
our F5.The F5 vip is setup for source persistence. Right now all the
requests to this vip from the haproxy box are all going to one pool member.
Obviously the f5 is seeing the ip of the server and not the true
On 09/01/2013 18:05, DeMarco, Alex
wrote:
I have a situation where a backend server
defined in HAProxy may be a vip on our F5. The F5 vip is
setup for source persistence. Right now all the requests to
You should be able to deal with this by adding more ips to your haproxy box and
configuring 2 backends in haproxy pointing to the same F5 VIP, but with
different source-ips [1].
Remember to configure HAproxy for source persistence as well, if your
application needs it.
[1]
On Thu, Jan 10, 2013 at 2:05 AM, DeMarco, Alex alex.dema...@suny.eduwrote:
I have a situation where a backend server defined in HAProxy may be a
vip on our F5.The F5 vip is setup for source persistence. Right now
all the requests to this vip from the haproxy box are all going to one
Right now it is just a proof of concept idea. Part of the problem is that F5
the we own does not do reverse proxying,. At least not without running an iRule
that no one on their support department will support you on. Unless I am
completely missing something.
- Alex
From: Jeffrey
The following future potential feature would help me use haproxy more for an
upcoming project. I apologize if this is already addressed through existing
features or not considered generally useful.
Implement new type of health checks, call them configuration checks. A
configuration check
On Wed, Jan 9, 2013 at 4:13 PM, Kevin Heatwole ke...@heatwoles.us wrote:
4. Adding new server to backend by having configuration check return new
server configuration.
I don't know about the other features, but this one I think violates the
UNIX philosophy of do one thing and do it well.
I think you might have misunderstood. By adding new server, I mean to add it
as a server in HAProxy configuration. That is, the effect is to add the
server line for the new server into the config file. This has nothing to do
with launching the server in the cloud. It is the reverse of
I understood completely KT. It's perfectly possible to add new lines to the
haproxy config dynamically and automatically using things like puppet.
E.g. my iptables configurations are dyanmically generated as I spin up new
servers, using puppet and the rackspace API. You could do something
I guess I wasn't clear again. I'm not talking about editing the
configuration file and reloading HAProxy.
My suggestion is simply to implement a dynamic interface to the backend servers
so they can change the current behavior of the HAProxy instance (especially in
a load balanced HAProxy
Right, and my point is that you can make it dynamic without changing the
way haproxy itself works. What your asking for seems like making haproxy
itself overcomplicated, especially for people with simple deployments. But
hey, maybe I'm 100% wrong. In fact, let's operate on that assumption.
On
This is interesting
Could you share this irule here
So you have several ways...
First one, which won't work, would to use the proxy protocol...
unfortunatelly, F5 does not support it yet... Maybe an irule could do it,
that said...
second one, would to do transparent proxying on your
You might be right that the best way to do dynamic configuration is to have a
tool from a third-party (or created in house) that does monitoring of the
backend servers and edits the config file itself and reloads haproxy.
I just don't want the hassle of finding such tools or writing my own.
If you need this kind of functionality, you are probably running some kind
of large infrastructure right? Or at least a lot of webservers or backend
servers. You would do well to look into some automation there. There are
plenty of existing tools.
On Wed, Jan 9, 2013 at 5:47 PM, Kevin Heatwole
Hi Christian,
On Wed, Jan 09, 2013 at 03:27:11PM +, Christian Becker wrote:
On 09.01.2013, at 14:55, Lukas Tribus luky...@hotmail.com wrote:
In the mean time i´ve downgraded to the old kernel, but the performances
issues persist. So this seems to be a issue in haproxy.
This is
We use chef and ohai which talks to AWS to calculate node counts for
servers based off tags and metadata. We then have a cookbook that generates
the haproxy.cfg every time chef runs (on a cron). If the file changes we
reload the config which seems to keep the sessions alive.
There are far simpler
On Wed, Jan 09, 2013 at 11:01:40PM +, Steven Acreman wrote:
We use chef and ohai which talks to AWS to calculate node counts for
servers based off tags and metadata. We then have a cookbook that generates
the haproxy.cfg every time chef runs (on a cron). If the file changes we
reload the
I understand your point. The fact is that I am running on a very small budget.
I need the site to scale, but I also need to only use as few servers as
possible (Amazon EC2 instances aren't that cheap unless I can minimize the size
and number of instances used). Although my budget is small, I
Hi Kevin,
On Wed, Jan 09, 2013 at 04:13:28PM -0500, Kevin Heatwole wrote:
(...)
1. Setting new interval time for subsequent configuration checks to the
server.
2. Setting new maxconn or weight for the server (allowing backend to
throttle or increase load for itself).
3. Setting server
❦ 5 janvier 2013 09:06 CET, Willy Tarreau w...@1wt.eu :
Did you get a significant performance gain with padlock ? I've not had
the chance to test one yet. I don't even know if it requires an engine
or not. At least with aes-ni, it's included in the native code, you
don't need the engine
Hi Vincent,
On Thu, Jan 10, 2013 at 12:15:44AM +0100, Vincent Bernat wrote:
??? 5 janvier 2013 09:06 CET, Willy Tarreau w...@1wt.eu :
Did you get a significant performance gain with padlock ? I've not had
the chance to test one yet. I don't even know if it requires an engine
or not. At
Willy,
Thanks for your thoughts. I see that you have thought about these issues much
more than I have. I just wanted to get you some feedback from a potential
haproxy user.
As for your point that I would need to edit the static configuration file
incase of a complete restart of HAProxy, I
Zachary,
I guess I'll have to spend some time researching puppet (and/or chef). Thanks
for the reference.
Kevin
On Jan 9, 2013, at 6:18 PM, Zachary Stern z...@enternewmedia.com wrote:
Case in point for why puppet (and probably also chef) is perfect here.
You can manage the config with
Interesting. Are these implementations still in use ? This seems more
like early experimentations than definitive releases to me. I don't
know if such versions were shipped in any LTS distro, so most likely
they'll quickly disappear. Am I wrong ?
Looks like you are correct. In openssl 1.0.1
On Thu, Jan 10, 2013 at 12:49:19AM +0100, Lukas Tribus wrote:
Interesting. Are these implementations still in use ? This seems more
like early experimentations than definitive releases to me. I don't
know if such versions were shipped in any LTS distro, so most likely
they'll quickly
❦ 10 janvier 2013 00:24 CET, Willy Tarreau w...@1wt.eu :
It depends how AES-NI is compiled in your OpenSSL. On Ubuntu, AES-NI
support is builtin and selected automatically. But if people are using
implementations from Intel for older versions of OpenSSL, the engine
needs to be selected by
Hello,
Not sure what you mean with F5 not seeing the header. tcpdump on the F5 to
verify?
Fix it in F5. This iRule should make persistence based on X-Forwarded-For.
when HTTP_REQUEST {
if {[HTTP::header X-Forwarded-For] != }{
persist uie [HTTP::header X-Forwarded-For] 600
}
}
600 is the
On Thu, Jan 10, 2013 at 03:01:29AM +0100, Vincent Bernat wrote:
??? 10 janvier 2013 00:24 CET, Willy Tarreau w...@1wt.eu :
It depends how AES-NI is compiled in your OpenSSL. On Ubuntu, AES-NI
support is builtin and selected automatically. But if people are using
implementations from
On Thu, Jan 10, 2013 at 07:28:29AM +0100, Pär Åslund wrote:
Hello,
Not sure what you mean with F5 not seeing the header. tcpdump on the F5 to
verify?
Fix it in F5. This iRule should make persistence based on X-Forwarded-For.
when HTTP_REQUEST {
if {[HTTP::header X-Forwarded-For] != }{
34 matches
Mail list logo