Hello Pavlos,

An update:  Following your guidance, we have successfully transitioned from 
using 'system V init' to 'systemd' in order to start/stop/reload HAProxy.  
Thank you for helping us advance with the times.

We would appreciate your guidance on why using multiple HAProxy config files in 
a directory forces us to reset our password to our WebSocket product for us to 
login?  HAProxy configuration is in the previously posted message.

Sincerely,
Hemant K. Sabat

-----Original Message-----
From: Coscend@HAProxy [mailto:haproxy.insig...@coscend.com] 
Sent: Saturday, April 8, 2017 4:18 AM
To: 'Pavlos Parissis' <pavlos.paris...@gmail.com>; 'haproxy' 
<haproxy@formilux.org>
Subject: RE: Multiple Config Files Use Leads to Lockout

Hello Pavlos,

Below we have provided both the information you requested.  Your guidance would 
be appreciated.
(1) Sanitized version of HAProxy configuration is below. Please help us 
identify why using multiple HAProxy config files in a directory forces us to 
reset our password to our WebSocket product for us to login?  Single 
haproxy.cfg file works perfectly with the same configuration.

(2) >> May I ask why you are using the SysVinit and not systemd to start 
>> haproxy? You are using CentOS 7.2, which uses systemd,

Thank you for guiding us to use systemd.  Today, we created a haproxy.service 
executable file in /usr/lib/systemd/system/haproxy.service, but failed to start 
HAProxy.  The haproxy.service file is below.  What did we do wrong?


----
HAProxy configuration file (sanitized)
----
global
    log                 127.0.0.1 local2     
    log-tag             haproxy                   
    pidfile             /var/run/haproxy.pid            
    user                haproxy                   
    group               haproxy
    nbproc              1
    maxconn             5000                       
    spread-checks       5                       
    debug                                 
    chroot              "/usr/local/haproxy-1.7.5/lib"             
    stats socket        "/usr/local/haproxy-1.7.5/lib/haproxy.sock"

    maxsslconn     256                                  
    tune.ssl.default-dh-param 4096                      
    ca-base /etc/pki/CA/ssl.cert                                        

    crt-base /etc/pki/CA/ssl.key
    ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    ssl-default-bind-options no-sslv3 no-tls-tickets
    ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    ssl-default-server-options no-sslv3 no-tls-tickets

    maxcomprate                 1               
    maxcompcpuusage             50                  
    tune.comp.maxlevel          5               

defaults
    mode        http              
    log         global            
    option      httplog           
    option      http-server-close 
    option      redispatch        
    retries     3
    backlog 10000
    timeout client      50000ms                 
    timeout connect     5000ms                  
    timeout server      50000ms                 
    timeout http-keep-alive     10s    
    timeout http-request        15s    
    timeout queue               30s   
    timeout check               10s
    timeout tarpit              60s
    default-server inter 3s rise 2 fall 3
    option                      forwardfor              
    option                      abortonclose      
    maxconn                     50000
    compression algo gzip 
    compression offload 
    compression type text/html "text/html; charset=utf-8" text/html;charset=utf-8 text/plain text/css text/javascript application/x-javascript application/javascript application/ecmascript application/rss+xml application/atomsvc+xml application/atom+xml application/atom+xml;type=entry application/atom+xml;type=feed application/cmisquery+xml application/cmisallowableactions+xml application/cmisatom+xml application/cmistree+xml application/cmisacl+xml application/msword application/vnd.ms-excel application/vnd.ms-powerpoint image/svg+xml
    errorfile 400 /usr/local/haproxy-1.7.5/errors/400.http
...

frontend webapps-frontend
    bind          *:443 name https ssl crt /etc/pki/CA/pem.ecc  
    log           global               
    option        forwardfor           
    option        httplog clf
    http-request set-header X-Forwarded-Port %[dst_port]  
    acl host_coscend_http    req.hdr(Host) coscend.com
    acl host_coscend_https    req.hdr(Host) coscend.com
    acl path_subdomain_cc_classic path_beg -i "/CoscendCC"
    use_backend subdomain_cc_classic-backend if host_coscend_https path_subdomain_cc_classic
    default_backend webapps-backend   

backend webapps-backend   
    log           global        
    balance       roundrobin
    option        http-server-close 
    http-request set-header X-Forwarded-Port %[dst_port]                  
    option        httpchk HEAD / HTTP/1.1\r\nHost:localhost               
    server Demo <IP>:Port cookie pad-p check    

backend subdomain_cc_classic-backend
    timeout tunnel      3600s                   
    rspirep ^(Location:)\ http://(.*)$   Location:\ https://\2
    server Production <IP>:<Port> cookie cc-p check 

-----
Using systemd to start HAProxy with following haproxy.service FAILED
------
[Unit]
Description=HAProxy Load Balancer
After=network.target

[Service]
Environment="CONFIG=/usr/local/haproxy-1.7.5/conf/haproxy.cfg" "PIDFILE=/var/run/haproxy.pid" "LOCKFILE=/var/lock/subsys/haproxy"
ExecStartPre=/usr/local/sbin/haproxy -f $CONFIG -c -q 
ExecStart=/usr/local/sbin/haproxy-systemd-wrapper -D -V -f $CONFIG -p $PIDFILE 
ExecReload=/usr/local/sbin/haproxy -f $CONFIG -c -q KillMode=mixed 
Restart=always

[Install]
WantedBy=multi-user.target


Thank you.

Sincerely,

Hemant K. Sabat
 
Coscend Communications Solutions
Web site: www.Coscend.com


-----Original Message-----
From: Pavlos Parissis [mailto:pavlos.paris...@gmail.com] 
Sent: Friday, April 7, 2017 3:11 PM
To: haproxy.insig...@coscend.com; 'haproxy' <haproxy@formilux.org>
Subject: Re: Multiple Config Files Use Leads to Lockout

On 07/04/2017 06:00 PM, Coscend@HAProxy wrote:
> Dear HAProxy Community,
> 
> We are seeking your guidance with regard to the following issue we are 
> facing with our HAProxy use.
> 
> ------
> ISSUE
> -------
> 
> When we use a single monolithic config file (haproxy.cfg), HAProxy 
> launches fine and we are able to access our products that use HTTP/TCP 
> (WebSockets) and RTMP.
> 
> When we launch HAProxy using multiple config files in a directory, 
> HAProxy launches fine.  However, our products do not allow 
> administrator to login (i.e., locks out).  We have to reset the 
> password to login.  Once the admin logs out, again it locks out the 
> administrator and the password has to be reset to login.
> 
> How is using multiple HAProxy config files in a directory connected to 
> logging in to our WebSocket product?
> 
> ----
> DETAILS
> ----
> 
> We are running HAProxy as a daemon service.  We are using HAProxy init 
> script from HAProxy’s Github source.  /etc/init.d/haproxy has the following 
> lines:
> 

May I ask why you are using the SysVinit and not systemd to start haproxy? You 
are using CentOS 7.2, which uses systemd, thus my question.

> Option 1:  When using SINGLE Config FILE
> 
> CFG=haproxy-1.7.5/conf/$BASENAME.cfg
> 
> Option 2:  When using a config DIRECTORY (conf.modular) with multiple 
> files in alphanumerical order, namely global, defaults, frontend, 
> backend, dns resolver and statistics:
> 
> CFG=haproxy-1.7.5/conf.modular
> 

Without seeing the actual configuration, it would be quite difficult to get a 
useful response. Can you share a sanitized version of your configuration?

Cheers,
Pavlos
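
Added example, not part of the thread and not HAProxy project code: a check for one way a config directory can behave differently from a monolithic haproxy.cfg. Per the HAProxy management guide, `-f <dir>` loads the non-hidden `.cfg` files in byte-wise lexical order, and a `defaults` section applies only to proxies declared after it. The file names and sample contents below are constructed, and the thread does not establish that this is what affected the poster's setup.

```python
import os
import tempfile

PROXY_SECTIONS = {"frontend", "backend", "listen"}

def load_order(cfg_dir):
    """Files read for `haproxy -f <dir>`: non-hidden *.cfg, LC_COLLATE=C order."""
    names = [n for n in os.listdir(cfg_dir)
             if n.endswith(".cfg") and not n.startswith(".")
             and os.path.isfile(os.path.join(cfg_dir, n))]
    return sorted(names, key=os.fsencode)

def proxies_before_defaults(cfg_dir):
    """(keyword, name, file) for proxies declared before any `defaults` section."""
    seen_defaults, missed = False, []
    for fname in load_order(cfg_dir):
        with open(os.path.join(cfg_dir, fname), encoding="utf-8") as fh:
            for line in fh:
                # First word of the line, comments stripped, is the keyword.
                words = line.split("#", 1)[0].split() or [""]
                if words[0] == "defaults":
                    seen_defaults = True
                elif words[0] in PROXY_SECTIONS and not seen_defaults:
                    missed.append((words[0], " ".join(words[1:2]), fname))
    return missed

# Constructed sample content; section names are taken from the posted config.
SAMPLE = {
    "global": "global\n    maxconn 5000\n",
    "defaults": "defaults\n    mode http\n    timeout server 50000ms\n",
    "frontend": "frontend webapps-frontend\n    default_backend webapps-backend\n",
    "backend": "backend webapps-backend\n    balance roundrobin\n",
}

def build(layout):
    """Write SAMPLE into a temp dir; layout maps file name -> SAMPLE key."""
    cfg_dir = tempfile.mkdtemp(prefix="conf.modular-")
    for fname, key in layout.items():
        with open(os.path.join(cfg_dir, fname), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE[key])
    return cfg_dir

# Hypothetical file names: the thread does not list the real ones.
BY_NAME = {k + ".cfg": k for k in SAMPLE}
NUMBERED = {"%02d-%s.cfg" % (i * 10, k): k for i, k in enumerate(SAMPLE)}

if __name__ == "__main__":
    for layout in (BY_NAME, NUMBERED):
        d = build(layout)
        print(load_order(d), proxies_before_defaults(d))
```

With plain names, `backend.cfg` sorts ahead of `defaults.cfg`, so the backend is parsed without the timeouts and options a single file would give it; numeric prefixes restore the intended order.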


