Haproxy+yassl experimental
Hi guys,

It is experimental and missing a lot of features vs the openssl stuff (for benchers only).

Multiprocess needs a cyassl patch; I need to clean it up and I am currently discussing with the yassl guys to get it merged.

On monoprocess I observe on an AMD Geode LX 800 (500MHz) with the TLSv1.1 AES-SHA cipher and a 1024-bit RSA key:

  520 con/s (220 for openssl)
  37 key/s (29 for openssl)

https://github.com/EmericBr/haproxy-yassl/network

Regards,
Emeric
[PATCH] MEDIUM: tcp: add a v6only option for TCP sockets
With this option enabled, a TCPv6 socket will only listen for IPv6 packets. With this option absent, a TCPv6 socket will accept both IPv6 and IPv4 packets. The system setting (net.ipv6.bindv6only) is ignored because many people disagree with the default proposed by RFC 3493 (which is to listen to both IPv4 and IPv6 by default) because this makes difficult to write a server socket in a truly protocol-independent way. So, on any system, haproxy will bind to both IPv4 and IPv6 sockets by default, unless the v6only option is specified. --- doc/configuration.txt|7 +++ include/types/listener.h |1 + src/proto_tcp.c | 40 +++- 3 files changed, 47 insertions(+), 1 deletion(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index f409407..bd721c8 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -7170,6 +7170,13 @@ user user setting except that the user name is used instead of its uid. This setting is ignored by non UNIX sockets. +v6only + This setting will make the socket listening for IPv6 packets. Another socket + or program can be configured to handle IPv4 packets on the same port. Without + this option, a socket will be able to handle both IPv4 and IPv6 packets, + whatever the default system setting is. This option is ignored if the socket + is configured to listen to an IPv4 address. + verify [none|optional|required] This setting is only available when support for OpenSSL was built in. If set to 'none', client certificate is not requested. This is the default. In other diff --git a/include/types/listener.h b/include/types/listener.h index 0f16986..824956f 100644 --- a/include/types/listener.h +++ b/include/types/listener.h 
@@ -90,6 +90,7 @@ enum { #define LI_O_ACC_PROXY 0x0040 /* find the proxied address in the first request line */ #define LI_O_UNLIMITED 0x0080 /* listener not subject to global limits (peers stats socket) */ #define LI_O_TCP_FO 0x0100 /* enable TCP Fast Open (linux = 3.6) */ +#define LI_O_IPV6_ONLY 0x0200 /* listen only on IPv6 */ /* Note: if a listener uses LI_O_UNLIMITED, it is highly recommended that it adds its own * maxconn setting to the global.maxsock value so that its resources are reserved. diff --git a/src/proto_tcp.c b/src/proto_tcp.c index 2b8d148..eb831f0 100644 --- a/src/proto_tcp.c +++ b/src/proto_tcp.c @@ -699,6 +699,26 @@ int tcp_bind_listener(struct listener *listener, char *errmsg, int errlen) } } #endif +#if defined(IPV6_V6ONLY) + switch (listener-addr.ss_family) { + case AF_INET: break; + case AF_INET6: + if (listener-options LI_O_IPV6_ONLY) { + int on = 1; + if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, on, sizeof(on)) == -1) { + msg = cannot enable IPV6_V6ONLY; + err |= ERR_WARN; + } + } else { + int off = 0; + if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, off, sizeof(off)) == -1) { + msg = cannot disable IPV6_V6ONLY; + err |= ERR_WARN; + } + } + break; + } +#endif if (bind(fd, (struct sockaddr *)listener-addr, listener-proto-sock_addrlen) == -1) { err |= ERR_RETRYABLE | ERR_ALERT; msg = cannot bind socket; @@ -1751,7 +1771,7 @@ static int bind_parse_defer_accept(char **args, int cur_arg, struct proxy *px, s #endif #ifdef TCP_FASTOPEN -/* parse the defer-accept bind keyword */ +/* parse the tfo bind keyword */ static int bind_parse_tfo(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err) { struct listener *l; 
@@ -1765,6 +1785,21 @@ static int bind_parse_tfo(char **args, int cur_arg, struct proxy *px, struct bin } #endif +#ifdef IPV6_V6ONLY +/* parse the v6only bind keyword */ +static int bind_parse_v6only(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err) +{ + struct listener *l; + + list_for_each_entry(l, conf-listeners, by_bind) { + if (l-addr.ss_family == AF_INET || l-addr.ss_family == AF_INET6) + l-options |= LI_O_IPV6_ONLY; + } + + return 0; +} +#endif + #ifdef TCP_MAXSEG /* parse the mss bind keyword */ static int bind_parse_mss(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err) @@ -1874,6 +1909,9 @@ static struct bind_kw_list bind_kws = { TCP, { }, { #ifdef TCP_FASTOPEN { tfo, bind_parse_tfo, 0 }, /* enable TCP_FASTOPEN of listening socket */ #endif +#ifdef IPV6_V6ONLY + { v6only,bind_parse_v6only, 0 }, /* enable IPV6_V6ONLY of listening socket */ +#endif #ifdef CONFIG_HAP_LINUX_TPROXY { transparent,
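Review bot: the new v6only paragraph in doc/configuration.txt documents a default that differs from the system one. "Without this option, a socket will be able to handle both IPv4 and IPv6 packets, whatever the default system setting is" means that, after an upgrade, every existing IPv6 bind line on a host running with bindv6only=1 silently becomes a dual-stack listener, which is the very point the commit message says is being overridden on purpose. Either state that behaviour change explicitly, or leave the default to the system and add a second keyword to force the other direction. Also "This setting will make the socket listening for IPv6 packets" should read "listen for IPv6 packets only".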
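Review bot: in the AF_INET6 branch added to tcp_bind_listener(), the else branch calls setsockopt(IPPROTO_IPV6, IPV6_V6ONLY, 0) on every IPv6 listener that does not carry the v6only keyword, so net.ipv6.bindv6only is overridden even when the configuration says nothing. Consider touching the option only when the user asked for something explicitly (v6only to set it, a v4v6-style keyword to clear it) and otherwise leaving the kernel default alone. A smaller point in the same hunk: when setsockopt fails, msg is set and ERR_WARN raised, but execution continues into bind(), whose own failure path assigns msg again, so the IPV6_V6ONLY warning text can be lost when both fail.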
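Review bot: the one-line correction of the bind_parse_tfo() comment (defer-accept to tfo) is unrelated to IPv6 and would be easier to backport and bisect as its own trivial patch; either split it out or mention it in the commit message so nobody wonders why a MEDIUM tcp change touches the TCP_FASTOPEN block.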
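Review bot: bind_parse_v6only() sets LI_O_IPV6_ONLY on listeners whose family is AF_INET as well as AF_INET6, but tcp_bind_listener() only acts on the flag for AF_INET6 and the documentation says the option is ignored on IPv4 addresses, so the AF_INET test is dead weight; `if (l->addr.ss_family == AF_INET6)` is enough. It would also help to report through err when the keyword is given on a bind line that has no IPv6 address at all, so that a line such as `bind 0.0.0.0:80 v6only` does not pass silently with no effect.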
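Review bot: in the bind_kws table the new entry `{ v6only,bind_parse_v6only, 0 }` lacks the space after the comma that the neighbouring entries use. The keyword is also registered under `#ifdef IPV6_V6ONLY` while the code in tcp_bind_listener() uses `#if defined(IPV6_V6ONLY)`; both work, but one spelling in both places is easier to grep. On a platform without IPV6_V6ONLY the keyword simply becomes unknown, which gives the user a generic unknown-keyword parse error rather than saying the option is unsupported there.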
Re: [PATCH] MEDIUM: tcp: add a v6only option for TCP sockets
❦ 24 November 2012 12:01 CET, Vincent Bernat ber...@luffy.cx :

>  #ifdef TCP_FASTOPEN
> -/* parse the defer-accept bind keyword */
> +/* parse the tfo bind keyword */
>  static int bind_parse_tfo(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)

I have embedded this change on purpose. Feel free to strip it.
--
Make input easy to proofread.
            - The Elements of Programming Style (Kernighan & Plauger)
Re: IPv6 bind
Hi Vincent,

I'm cc-ing Marcus Rueckert who first asked me for the feature.

On Sat, Nov 24, 2012 at 12:07:23PM +0100, Vincent Bernat wrote:
> Hi Willy!
>
> Since it was an easy one, I have sent you a proposal.

Grrr... I just did it too a few minutes ago, sorry for that :-/

> The difficulty is to agree on the default behavior. In my patch, I
> propose an option which enables v6 only when present and v4 and v6 when
> absent. Other possibilities are :
>
>  - v6only and v4v6 options which override system defaults and we keep
>    system defaults if we don't have any keyword. A configuration working
>    on distribution X won't work on distribution Y.

That's what I've done too. Remember that we don't want to break existing
setups, so it is out of the question to suddenly change the way configs
have been working for years.

>  - v4v6 option and when absent, bind on IPv6 only. I like the latter
>    option better but this is the opposite of what we have now. I feel
>    it is risky to let users upgrade and have a V6 only server while
>    they expected to have a V4+V6 server.
>
> By doing v4+v6 by default, we break setups relying on the system-wide
> default of v6only but this will be a visible change (HAproxy won't be
> able to bind the socket).

I really want to let the system-wide configuration decide when no option
is set, that's the philosophy we've always followed. We add options to
force a desired behaviour and without any option, the system sets the
defaults.

> However, I will be happy to update the patch to have a v4v6 keyword
> instead of v6only.

I did not know it was possible to revert the system behaviour, so yes,
please feel free to send such a patch to let the user force IPV6_V6ONLY
to zero ! v4v6 seems appropriate to me too.

Thanks,
Willy
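As an added illustration (my own code, not part of Vincent's patch nor anything posted in the thread), the program below does on a plain BSD-socket listener what the patch's AF_INET6 branch does, and also reads back the kernel's default for IPV6_V6ONLY, which is the value Willy wants left alone when no keyword is given. It assumes a Linux or BSD host with an IPv6 stack; when that is missing or sockets are not allowed, the probe reports -1 instead of a verdict.

```c
/*
 * Added example, not haproxy code: what IPV6_V6ONLY does to an AF_INET6
 * listener, and what the system default for it is.
 *
 * Build: cc -Wall -o v6only_probe v6only_probe.c
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* IPV6_V6ONLY as found on a freshly created AF_INET6 socket, i.e. the
 * system default (net.ipv6.bindv6only on Linux). -1 if the host has no
 * usable IPv6 stack. */
int default_v6only(void)
{
	int fd = socket(AF_INET6, SOCK_STREAM, 0);
	int val = -1;
	socklen_t len = sizeof(val);

	if (fd < 0)
		return -1;
	if (getsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &val, &len) < 0)
		val = -1;
	close(fd);
	return val;
}

/* Bind an AF_INET6 listener on [::]:<ephemeral> with IPV6_V6ONLY forced to
 * <v6only>, then try to reach it over plain IPv4 at 127.0.0.1.
 *   1 : the IPv4 connect succeeded, the listener is dual-stack
 *   0 : ECONNREFUSED, nothing listens on the IPv4 side (v6-only listener)
 *  -1 : could not set the probe up on this host (no IPv6, sandbox, ...)
 */
int probe_v4_over_v6(int v6only)
{
	struct sockaddr_in6 in6;
	struct sockaddr_in in4;
	socklen_t len = sizeof(in6);
	int lfd, cfd, ret;

	lfd = socket(AF_INET6, SOCK_STREAM, 0);
	if (lfd < 0)
		return -1;

	/* the same call the patch makes, driven by an explicit argument */
	if (setsockopt(lfd, IPPROTO_IPV6, IPV6_V6ONLY, &v6only, sizeof(v6only)) < 0) {
		close(lfd);
		return -1;
	}

	memset(&in6, 0, sizeof(in6));
	in6.sin6_family = AF_INET6;
	in6.sin6_addr = in6addr_any;      /* "::", port 0 = let the kernel pick */
	if (bind(lfd, (struct sockaddr *)&in6, sizeof(in6)) < 0 ||
	    listen(lfd, 1) < 0 ||
	    getsockname(lfd, (struct sockaddr *)&in6, &len) < 0) {
		close(lfd);
		return -1;
	}

	cfd = socket(AF_INET, SOCK_STREAM, 0);
	if (cfd < 0) {
		close(lfd);
		return -1;
	}
	memset(&in4, 0, sizeof(in4));
	in4.sin_family = AF_INET;
	in4.sin_port = in6.sin6_port;     /* already in network byte order */
	in4.sin_addr.s_addr = htonl(INADDR_LOOPBACK);

	/* a loopback connect completes or is refused synchronously */
	if (connect(cfd, (struct sockaddr *)&in4, sizeof(in4)) == 0)
		ret = 1;
	else
		ret = (errno == ECONNREFUSED) ? 0 : -1;

	close(cfd);
	close(lfd);
	return ret;
}

int main(void)
{
	printf("system default IPV6_V6ONLY          : %d\n", default_v6only());
	printf("IPv4 reaches [::] listener, v6only=0: %d\n", probe_v4_over_v6(0));
	printf("IPv4 reaches [::] listener, v6only=1: %d\n", probe_v4_over_v6(1));
	return 0;
}
```

Run it once with the system default and once after `sysctl -w net.ipv6.bindv6only=1`: default_v6only() follows the sysctl, while the two probes keep returning 1 and 0 because the option is set explicitly. That is exactly the distinction between "the system decides" and "a keyword forces it" that the v6only / v4v6 discussion is about.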
Re: problem with sort of caching of use_backend with socket.io and apache
Hi David,

On Sat, Nov 24, 2012 at 09:26:56AM -0300, david rene comba lareu wrote:
> Hi everyone,
>
> I'm a little disappointed with a problem I'm having trying to configure
> HAproxy the way I need, so I need a little help from you guys, who know
> a lot more than me about this, as I reviewed all the documentation and
> tried several things but nothing worked :(.
>
> Basically, my structure is:
>
> HAproxy as frontend, on port 80
>   -> forwards by default to the webserver (in this case apache, on other
>      machines it could be nginx)
>   -> depending on the domain and the request, forwards to a Node.js app
>
> so I have something like this:
>
> global
>     log 127.0.0.1 local0
>     log 127.0.0.1 local1 notice
>     maxconn 4096
>     user haproxy
>     group haproxy
>     daemon
>
> defaults
>     log global
>     mode http
>     maxconn 2000
>     contimeout 5000
>     clitimeout 5
>     srvtimeout 5
>
> frontend all 0.0.0.0:80
>     timeout client 5000
>     default_backend www_backend
>     acl is_soio url_dom(host) -i socket.io   #if the request contains socket.io
>     acl is_chat hdr_dom(host) -i chaturl     #if the request comes from chaturl.com
>     use_backend chat_backend if is_chat is_soio
>
> backend www_backend
>     balance roundrobin
>     option forwardfor      # This sets X-Forwarded-For
>     timeout server 5000
>     timeout connect 4000
>     server server1 localhost:6060 weight 1 maxconn 1024 check   #forwards to apache2
>
> backend chat_backend
>     balance roundrobin
>     option forwardfor      # This sets X-Forwarded-For
>     timeout queue 5
>     timeout server 5
>     timeout connect 5
>     server server1 localhost:5558 weight 1 maxconn 1024 check   #forward to node.js app
>
> My application uses socket.io, so anything that matches the domain and
> has socket.io in the request should be forwarded to chat_backend. The
> problem is that if I load directly from the browser, let's say, the
> socket.io file (something like http://www.chaturl.com/socket.io/socket.io.js)
> it loads perfectly, but then when I try to load index.html (as
> http://www.chaturl.com/index.html) most of the time it is still
> redirected to socket.io.
>
> After refreshing a few times, it finally loads index.html, but then it
> doesn't load the socket.io.js file included in that file (why does it
> redirect to the apache server, and not to the node.js app?). So as I
> said, it sort of caches the request.
>
> I tried several ACL combinations, I disabled the domain check, only
> checking for socket.io, but it is still the same. Reading the
> documentation again I tried to use hdr_dir, hdr_dom, with other headers
> such as URI, url, Request (btw, where can I find a list of headers
> supported by the layer 7 ACLs?).
>
> So, nothing worked; if someone could help me and point me in the right
> direction, I would be really grateful :D

You're missing "option http-server-close" in your config, so after the
first request is done, haproxy switches to tunnel mode and maintains the
client-server connection without inspecting anything in it.

Regards,
Willy
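As an added example (not David's configuration and not taken from Willy's reply), here is a trimmed frontend that applies the fix. The hostname, ports and the path pattern are placeholders; the comments state why the option matters beyond this one routing problem.

```haproxy
# Added example: ACL-based routing with "option http-server-close".
#
# Without "option http-server-close" (or "option httpclose"), haproxy
# in HTTP mode only analyses the FIRST request of a client connection.
# Once that request is forwarded the connection is tunnelled: later
# requests on the same keep-alive connection go to whichever backend
# got the first one and no ACL is evaluated for them. That is the
# "caching" observed above, and it also means that any http-request
# deny / block rule only protects the first request of a connection.

defaults
    mode http
    option http-server-close   # close the server side after each response,
                               # so every client request is analysed again
    option forwardfor
    timeout connect 5s
    timeout client  50s
    timeout server  50s

frontend all
    bind 0.0.0.0:80
    # placeholder hostname and path patterns
    acl is_chat hdr_dom(host) -i chaturl.com
    acl is_soio path_beg      -i /socket.io/
    use_backend chat_backend if is_chat is_soio
    default_backend www_backend

backend www_backend
    server apache localhost:6060 check

backend chat_backend
    server node localhost:5558 check
```

With this in place, a browser that fetched /socket.io/socket.io.js first and then /index.html on the same connection gets each request routed on its own merits; the same holds for any deny rule you add later.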
Re: IPv6 bind
+1 from me. -- openSUSE - SUSE Linux is my linux openSUSE is good for you www.opensuse.org
Re: Need more info on compression
Hi Dmitry,

On Thu, Nov 22, 2012 at 08:03:26PM +0400, Dmitry Sivachenko wrote:
> Hello!
>
> I was reading the docs about HTTP compression support in -dev13 and it
> is a bit unclear to me how it works.
>
> Imagine I have:
>
>     compression algo gzip
>     compression type text/html text/javascript text/xml text/plain
>
> in the defaults section. What will haproxy do if:
>
> 1) the backend server does NOT support compression;

Haproxy will compress the matching responses.

> 2) the backend server does support compression;

You have two possibilities :

  - either you just have the lines above, and the server will see the
    Accept-Encoding header from the client and will compress the
    response ; in this case, haproxy will see the compressed response and
    will not compress again ;

  - or you also have a "compression offload" line. In this case, haproxy
    will remove the Accept-Encoding header before passing the request to
    the server. The server will then *not* compress, and haproxy will
    compress the response. This is what I'm doing at home because the
    compressing server is bogus and sometimes emits wrong chunked encoded
    data!

> 3) the backend server does support compression and there are none of
>    these two compression* lines in the haproxy config.

Then haproxy's normal behaviour remains unchanged, the server compresses
if it wants to and haproxy transfers the response unmodified.

> I think the documentation needs to clarify things a bit.

Possibly, however I don't know what to clarify nor how, it's always
difficult to guess how people will understand a doc :-( Could you please
propose some changes ? I would be happy to improve the doc if it helps
people understand it.

Thanks!
Willy
Re: IPv6 bind
Hi,

Thanks a lot, this is working perfectly fine :)

On Saturday 24 November 2012 12:30:38, Willy Tarreau wrote:
> Hi Vincent,
>
> I'm cc-ing Marcus Rueckert who first asked me for the feature.
>
> On Sat, Nov 24, 2012 at 12:07:23PM +0100, Vincent Bernat wrote:
> > Hi Willy!
> >
> > Since it was an easy one, I have sent you a proposal.
>
> Grrr... I just did it too a few minutes ago, sorry for that :-/
>
> > The difficulty is to agree on the default behavior. In my patch, I
> > propose an option which enables v6 only when present and v4 and v6
> > when absent. Other possibilities are :
> >
> >  - v6only and v4v6 options which override system defaults and we keep
> >    system defaults if we don't have any keyword. A configuration
> >    working on distribution X won't work on distribution Y.
>
> That's what I've done too. Remember that we don't want to break existing
> setups, so it is out of the question to suddenly change the way configs
> have been working for years.
>
> >  - v4v6 option and when absent, bind on IPv6 only. I like the latter
> >    option better but this is the opposite of what we have now. I feel
> >    it is risky to let users upgrade and have a V6 only server while
> >    they expected to have a V4+V6 server.
> >
> > By doing v4+v6 by default, we break setups relying on the system-wide
> > default of v6only but this will be a visible change (HAproxy won't be
> > able to bind the socket).
>
> I really want to let the system-wide configuration decide when no option
> is set, that's the philosophy we've always followed. We add options to
> force a desired behaviour and without any option, the system sets the
> defaults.
>
> > However, I will be happy to update the patch to have a v4v6 keyword
> > instead of v6only.
>
> I did not know it was possible to revert the system behaviour, so yes,
> please feel free to send such a patch to let the user force IPV6_V6ONLY
> to zero ! v4v6 seems appropriate to me too.
>
> Thanks,
> Willy

--
Guillaume Castagnino
ca...@xwing.info / guilla...@castagnino.org