Re: Problems compiling HAProxy with Lua Support

2015-07-13 Thread Vincent Bernat
 ❦ 13 July 2015 19:16 +0200, "bjun...@gmail.com" :

> make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 USE_LUA=yes
> LUA_LIB=/opt/lua53/lib/ LUA_INC=/opt/lua53/include/ LDFLAGS=-ldl
>
>
>
> resulting error:
>
> .
> .
> .
> gcc -ldl -o haproxy src/haproxy.o src/sessionhash.o src/base64.o
> src/protocol.o src/uri_auth.o src/standard.o src/buffer.o src/log.o
> src/task.o src/chunk.o src/channel.o src/listener.o src/lru.o
> src/xxhash.o src/time.o src/fd.o src/pipe.o src/regex.o src/cfgparse.o
> src/server.o src/checks.o src/queue.o src/frontend.o src/proxy.o
> src/peers.o src/arg.o src/stick_table.o src/proto_uxst.o
> src/connection.o src/proto_http.o src/raw_sock.o src/appsession.o
> src/backend.o src/lb_chash.o src/lb_fwlc.o src/lb_fwrr.o src/lb_map.o
> src/lb_fas.o src/stream_interface.o src/dumpstats.o src/proto_tcp.o
> src/applet.o src/session.o src/stream.o src/hdr_idx.o src/ev_select.o
> src/signal.o src/acl.o src/sample.o src/memory.o src/freq_ctr.o
> src/auth.o src/proto_udp.o src/compression.o src/payload.o src/hash.o
> src/pattern.o src/map.o src/namespace.o src/mailers.o src/dns.o
> src/vars.o src/ev_poll.o src/ev_epoll.o src/ssl_sock.o src/shctx.o
> src/hlua.o ebtree/ebtree.o ebtree/eb32tree.o ebtree/eb64tree.o
> ebtree/ebmbtree.o ebtree/ebsttree.o ebtree/ebimtree.o
> ebtree/ebistree.o   -lcrypt  -lz -ldl  -lssl -lcrypto
> -L/opt/lua53/lib/ -llua -lm -L/usr/lib -lpcreposix -lpcre
> /usr/bin/ld: /opt/lua53/lib//liblua.a(loadlib.o): undefined reference
> to symbol 'dlclose@@GLIBC_2.2.5'
> /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../x86_64-linux-gnu/libdl.so:
> error adding symbols: DSO missing from command line
> collect2: error: ld returned 1 exit status
> make: *** [haproxy] Error 1

-ldl, which provides dlclose@@GLIBC_2.2.5, should come after -llua, where
this symbol is used.

I suppose that either -ldl could be appended to OPTIONS_LDFLAGS, like
this is done for -lm, or the USE_DL section could be moved towards the
end. I think the first solution is better since libdl seems to be a
dependency of Lua.

Note that this is not Ubuntu-specific, but they enforce --as-needed by
default directly in the linker.

> Only if i change LDFLAGS to the following the build is succesful:
>
>
>
> make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 USE_LUA=yes
> LUA_LIB=/opt/lua53/lib/ LUA_INC=/opt/lua53/include/
> LDFLAGS=-Wl,--no-as-needed
>
>
>
>
> I'm not aware of the consequences, does anybody have an idea ?

In your case, this is harmless. --as-needed is used mostly to avoid
pulling in unneeded dependencies by linking unused symbols. The downside
is that libraries need to be linked in the correct order (a symbol is
kept only if it was previously missing). This is mostly distro stuff.
-- 
Use self-identifying input.  Allow defaults.  Echo both on output.
- The Elements of Programming Style (Kernighan & Plauger)
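The link-order rule Vincent describes can be reproduced without HAProxy or Lua. The script below is an added example, not code from the thread or from the HAProxy project: it builds a shared library that plays the role of libdl and a static archive that plays the role of liblua.a(loadlib.o), then links them three ways with --as-needed passed explicitly. The first link line has the same shape as the failing HAProxy line (the dependency appears before anything that references it, so --as-needed drops it and the archive's reference later goes unresolved); the second puts the dependency after the archive that uses it, which is the "append to OPTIONS_LDFLAGS" fix; the third keeps the wrong order but disables --as-needed, which is what LDFLAGS=-Wl,--no-as-needed did for Bjoern. It assumes gcc, ar and a GNU-compatible ld are installed; libneeded.so, libfake.a, needed_fn and fake_loadlib are made-up names for this demo.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the --as-needed link-order
# failure on a two-library toy and show both fixes.
# Assumes gcc, ar and GNU-compatible ld. All file and symbol names are invented.

setup_demo() {
    demo_dir=$(mktemp -d) && cd "$demo_dir" || return 1
    # Shared library providing the symbol (stands in for libdl's dlclose).
    printf 'int needed_fn(void) { return 0; }\n' > needed.c
    gcc -shared -fPIC -o libneeded.so needed.c || return 1
    # Static archive whose object uses that symbol (stands in for
    # liblua.a(loadlib.o)).
    printf 'int needed_fn(void);\nint fake_loadlib(void) { return needed_fn(); }\n' > loadlib.c
    gcc -c loadlib.c && ar rcs libfake.a loadlib.o || return 1
    printf 'int fake_loadlib(void);\nint main(void) { return fake_loadlib(); }\n' > main.c
    gcc -c main.c
}

# Print "ok" or "fail" for one link line. --as-needed is passed explicitly so
# the outcome does not depend on the distro default (Ubuntu enables it in ld).
# The linker's diagnostic is kept in link.err for inspection.
link_status() {
    if gcc -Wl,--as-needed "$@" -o demo 2>link.err; then echo ok; else echo fail; fi
}

# Same shape as the failing HAProxy line: the dependency comes first, nothing
# references it yet, so --as-needed drops it; the archive needs it later.
link_dep_first()    { link_status -L. -lneeded main.o -lfake; }

# Fix 1: put the dependency after the archive that uses it (the equivalent
# of appending -ldl to OPTIONS_LDFLAGS after -llua).
link_dep_last()     { link_status main.o -L. -lfake -lneeded; }

# Fix 2: keep the wrong order but turn --as-needed off for what follows
# (the equivalent of LDFLAGS=-Wl,--no-as-needed).
link_no_as_needed() { link_status -Wl,--no-as-needed -L. -lneeded main.o -lfake; }

# Print the linker's own explanation for the last failed link.
failure_reason() { cat link.err; }
```

Run it as `. ./linkorder.sh && setup_demo && link_dep_first && failure_reason`; the diagnostic for the first case is the same "undefined reference" / "DSO missing from command line" pair that appeared in Bjoern's HAProxy build.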



Problems compiling HAProxy with Lua Support

2015-07-13 Thread bjun...@gmail.com
Hi,


I'm trying to build HAProxy 1.6 (git HEAD) with Lua (5.3.1) on Ubuntu 14.04.


This was my first try:


make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 USE_LUA=yes
LUA_LIB=/opt/lua53/lib/ LUA_INC=/opt/lua53/include/ LDFLAGS=-ldl



resulting error:

.
.
.
gcc -ldl -o haproxy src/haproxy.o src/sessionhash.o src/base64.o
src/protocol.o src/uri_auth.o src/standard.o src/buffer.o src/log.o
src/task.o src/chunk.o src/channel.o src/listener.o src/lru.o
src/xxhash.o src/time.o src/fd.o src/pipe.o src/regex.o src/cfgparse.o
src/server.o src/checks.o src/queue.o src/frontend.o src/proxy.o
src/peers.o src/arg.o src/stick_table.o src/proto_uxst.o
src/connection.o src/proto_http.o src/raw_sock.o src/appsession.o
src/backend.o src/lb_chash.o src/lb_fwlc.o src/lb_fwrr.o src/lb_map.o
src/lb_fas.o src/stream_interface.o src/dumpstats.o src/proto_tcp.o
src/applet.o src/session.o src/stream.o src/hdr_idx.o src/ev_select.o
src/signal.o src/acl.o src/sample.o src/memory.o src/freq_ctr.o
src/auth.o src/proto_udp.o src/compression.o src/payload.o src/hash.o
src/pattern.o src/map.o src/namespace.o src/mailers.o src/dns.o
src/vars.o src/ev_poll.o src/ev_epoll.o src/ssl_sock.o src/shctx.o
src/hlua.o ebtree/ebtree.o ebtree/eb32tree.o ebtree/eb64tree.o
ebtree/ebmbtree.o ebtree/ebsttree.o ebtree/ebimtree.o
ebtree/ebistree.o   -lcrypt  -lz -ldl  -lssl -lcrypto
-L/opt/lua53/lib/ -llua -lm -L/usr/lib -lpcreposix -lpcre
/usr/bin/ld: /opt/lua53/lib//liblua.a(loadlib.o): undefined reference
to symbol 'dlclose@@GLIBC_2.2.5'
/usr/lib/gcc/x86_64-linux-gnu/4.8/../../../x86_64-linux-gnu/libdl.so:
error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status
make: *** [haproxy] Error 1




Only if I change LDFLAGS to the following is the build successful:



make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 USE_LUA=yes
LUA_LIB=/opt/lua53/lib/ LUA_INC=/opt/lua53/include/
LDFLAGS=-Wl,--no-as-needed




I'm not aware of the consequences; does anybody have an idea?



---
Bjoern



tcp-request + gpc ACLs

2015-07-13 Thread bjun...@gmail.com
Hi,

I'm using stick-tables to track requests and block abusers if needed.
Abusers should be blocked only for a short period of time and I want the
stick-table entry to expire.

Therefore, I have to check if the client is already marked as an
abuser and not track this client.


example config:


frontend fe_http_in

  bind 127.0.0.1:8001

  stick-table type ip size 100k expire 600s store gpc0

  # Not working
  # acl is_overlimit sc0_get_gpc0(fe_http_in) gt 0

  # Working
  # acl is_overlimit src_get_gpc0(fe_http_in) gt 0

  tcp-request connection track-sc0 src if !is_overlimit

  default_backend be


backend be

  ... incrementing gpc0 ( with "sc0_inc_gpc0") ...



If I use "sc0_get_gpc0", the stick-table entry will never expire
because the timer will be reset (tcp-request connection track-sc0
... seems to ignore this ACL).


With "src_get_gpc0" everything works as expected.


Both ACLs are correct and triggered (verified with debug headers
(http-response set-header ...)).


What's the difference between these ACLs in conjunction with
"tcp-request connection track-sc0 ..."?

Is this a bug or intended behaviour ?


---
Bjoern



IP binding and standby health-checks

2015-07-13 Thread Nathan Williams
Hi all,

I'm hoping I can get some advice on how we can improve our failover setup.

At present, we have an active-standby setup. Failover works really well,
but on the standby, none of the backend servers are marked as "up" since
haproxy is bound to the VIP that is currently on the active member (managed
with keepalived). As a result, there's an initial period of a second or two
after the failover triggers and the standby claims the VIP where the
backend servers have not yet passed a health-check on the new active member.

It seems like the easiest way to sort it out would be if the health-checks
weren't also bound to the VIP so that the standby could complete them
successfully. I do still want the proxied requests bound to the VIP though,
for the benefit of our backends' real-ip configuration.

Is that doable? If not, is there some way to have the standby "follow" the
active member's view of the backends, or another way I haven't seen yet?

Thanks!

Nathan W


RE: Test HAProxy configuration file

2015-07-13 Thread Lukas Tribus
> Hi Lukas, 
> 
> the output of haproxy -c is not helpful. 
> "Configuration file is valid" 

I thought that's what you wanted.


> I need a more verbose output with a complete overview of the configuration. 
> I want to check if options configured in the default or global sections 
> work for all the backends, for example. 

There is no such thing. Refer to the documentation to understand how single
options propagate.


Lukas

  

Re: Test HAProxy configuration file

2015-07-13 Thread Erik Schwalbe
Hi Lukas,

the output of haproxy -c is not helpful.

"Configuration file is valid"

I need a more verbose output with a complete overview of the configuration.
I want to check if options configured in the default or global sections work
for all the backends, for example.

Regards,
Erik 
 

> Am 13.07.2015 um 17:36 schrieb Lukas Tribus :
> 
> Hi Erik,
> 
> 
>> Hi, 
>> 
>> is it possible to show and test the configuration of haproxy 
>> like apache2ctl -S? 
>> I want to check with which configuration options haproxy starts. 
>> 
>> Thanks for help. 
> 
> Yes, see haproxy -h (haproxy -c).
> 
> 
> Lukas
> 
> 


Erik Schwalbe
Canoo Engineering AG
Kirschgartenstrasse 5
CH-4051 Basel

Tel: +41 61 228 94 44
Fax: +41 61 228 94 49

erik.schwa...@canoo.com
http://www.canoo.com


RE: Test HAProxy configuration file

2015-07-13 Thread Lukas Tribus
Hi Erik,


> Hi, 
> 
> is it possible to show and test the configuration of haproxy 
> like apache2ctl -S? 
> I want to check with which configuration options haproxy starts. 
> 
> Thanks for help. 

Yes, see haproxy -h (haproxy -c).


Lukas

  

Test HAProxy configuration file

2015-07-13 Thread Erik Schwalbe
Hi,

is it possible to show and test the configuration of haproxy like apache2ctl -S?
I want to check with which configuration options haproxy starts.

Thanks for help.

Regards,
Erik

Erik Schwalbe
Canoo Engineering AG
Kirschgartenstrasse 5
CH-4051 Basel

Tel: +41 61 228 94 44
Fax: +41 61 228 94 49

erik.schwa...@canoo.com
http://www.canoo.com


Re: Segfault when parsing a configuration file

2015-07-13 Thread Vincent Bernat
 ❦ 11 July 2015 14:20 +0200, Lukas Tribus :

> Thanks for the detailed repro. This bug is fixed in release 1.5.10 by commit
> ed061c0590 ("BUG/MEDIUM: config: do not propagate processes between stopped
> processes") [1].
>
> Quoting from the commit:
> "Immo Goltz reported a case of segfault while parsing the config where
> we try to propagate processes across stopped frontends (those with a
> "disabled" statement). The fix is trivial. The workaround consists in
> commenting out these frontends, although not always easy."
>
>
> You can get latest haproxy build for debian here [2].
>
>
> Maybe Vincent could queue this fix for a debian backport?

Yes, we'll do that.
-- 
Let me take you a button-hole lower.
-- William Shakespeare, "Love's Labour's Lost"




[SPAM] More than 8000 perfumes on sale at up to 70 percent off!

2015-07-13 Thread Place du Parfum par Parfums-actu
200 perfume brands on promotion!

If this message does not display correctly, view its [ online version. 
]( http://r.blog.parfums-actu.fr/3yy11wlzbpf5jf.html )

Lisa from the Parfums-Actu programme invites you to discover the best 
deals on the Web in the perfume and cosmetics sectors.
Big-brand offers, good deals and tips: [ Parfums-Actu ]( 
http://r.blog.parfums-actu.fr/5aldejhb41zpf5jd.html ) shares unique 
shopping experiences with you.

You no longer wish to receive our newsletter? You can unsubscribe at any 
time by clicking [ here. ]( 
http://r.blog.parfums-actu.fr/3yy11wlzbpf5jg.html )
© Parfums-Actu 2014



Help with ACL

2015-07-13 Thread Yogesh Sharma
Hi Team,

I am new to HAProxy ACL and following below blog to create a rule to have
Application safe from DDOS.

http://blog.haproxy.com/2012/10/12/scalable-waf-protection-with-haproxy-and-apache-with-modsecurity/



===
frontend ft_waf
  bind 192.168.10.2:80 name http
  mode http
  log global
  option httplog
  timeout client 25s
  maxconn 1

  stick-table type ip size 1m expire 1m store gpc0,http_req_rate(10s),http_err_rate(10s)
  tcp-request connection track-sc1 src
  tcp-request connection reject if { sc1_get_gpc0 gt 0 }

  # Abuser means more than 100reqs/10s
  acl abuse sc1_http_req_rate(ft_web) ge 100
  acl flag_abuser sc1_inc_gpc0(ft_web)
  tcp-request content reject if abuse flag_abuser

  default_backend bk_waf

#When I am using ft_web, I am getting

[ALERT] 193/155117 (6404) : parsing [/etc/haproxy/haproxy.cfg:65] : unable
to find table 'ft_web' referenced in arg 1 of ACL keyword
'sc1_http_req_rate' in proxy 'ft_web'.

Once I changed it to ft_waf (which I think it should be, because we need the ACL
on the frontend which is serving public traffic), I am getting the warning below:

Starting haproxy: [WARNING] 193/162102 (6657) : parsing acl keyword
'sc1_inc_gpc0(ft_waf)' :
  no pattern to match against were provided, so this ACL will never match.
  If this is what you intended, please add '--' to get rid of this warning.
  If you intended to match only for existence, please use '-m found'.
  If you wanted to force an int to match as a bool, please use '-m bool'.


# WAF farm where users' traffic is routed first
backend bk_waf
  balance roundrobin
  mode http
  log global
  option httplog
  option forwardfor header X-Client-IP
  option httpchk HEAD /waf_health_check HTTP/1.0

  # If the source IP generated 10 or more http request over the defined period,
  # flag the IP as abuser on the frontend
  acl abuse sc1_http_err_rate(ft_waf) ge 10
  acl flag_abuser sc1_inc_gpc0(ft_waf)
  tcp-request content reject if abuse flag_abuser

  # Specific WAF checking: a DENY means everything is OK
  http-check expect status 403
  timeout server 25s
  default-server inter 3s rise 2 fall 3
  server waf1 192.168.10.15:81 maxconn 100 weight 10 check
  server waf2 192.168.10.16:81 maxconn 100 weight 10 check

frontend ft_web
  bind 192.168.10.2:81 name http
  mode http
  log global
  option httplog
  timeout client 25s
  maxconn 1000
  # route health check requests to a specific backend to avoid graph
  # pollution in ALOHA GUI
  use_backend bk_waf_health_check if { path /waf_health_check }
  default_backend bk_web



Please suggest what is wrong here.



Best Regards,

__

Yogesh Sharma

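An added example in HAProxy configuration syntax, not taken from either post, that brings together the two points raised in this thread and in the "tcp-request + gpc ACLs" thread above. In "tcp-request connection track-sc0 src if !is_overlimit" the condition is evaluated before sc0 is tracked, so sc0_get_gpc0 has nothing to read, the ACL never matches, and the rule tracks everyone (refreshing the entry's expiry each time); src_get_gpc0 looks the source address up in the table directly and works at that point, and a plain lookup does not refresh the expiry. The table argument of the sc*/src fetches must name the proxy that declares the stick-table, and an ACL on sc1_inc_gpc0 needs a pattern such as "gt 0" (the fetch returns the incremented counter), otherwise HAProxy warns that it can never match. The names, address and thresholds here (fe_abuse, be_app, 192.0.2.10, 100 requests per 10s, 600s) are assumptions.

```haproxy
# Added example, not from the posts above. fe_abuse, be_app, 192.0.2.10 and
# the thresholds are assumed values.

frontend fe_abuse
    bind 127.0.0.1:8001
    mode http
    timeout client 25s

    # One entry per source IP. An entry (and the gpc0 flag in it) is dropped
    # 600s after the last time the client was tracked.
    stick-table type ip size 100k expire 600s store gpc0,http_req_rate(10s)

    # src_get_gpc0 looks the client IP up directly, so it works before any
    # track-sc rule has run; sc0_get_gpc0 would read the not-yet-tracked sc0
    # slot here and never match. A lookup does not refresh the expiry, so a
    # rejected abuser is released 600s after it was last tracked.
    acl is_abuser src_get_gpc0(fe_abuse) gt 0
    tcp-request connection reject if is_abuser

    # Only clients that got past the reject are tracked. Tracking is what
    # refreshes the entry's expiry, which is why flagged clients must not be.
    tcp-request connection track-sc0 src

    # From here on the sc0_* fetches refer to this client's entry. The table
    # argument would have to be fe_abuse (the proxy declaring the table); it
    # is omitted because track-sc0 tracked in this proxy's own table.
    acl abuse sc0_http_req_rate ge 100
    # sc0_inc_gpc0 returns the incremented value, so "gt 0" gives the ACL a
    # pattern and avoids the "no pattern to match against" warning.
    acl flag_abuser sc0_inc_gpc0 gt 0
    tcp-request content reject if abuse flag_abuser

    default_backend be_app

backend be_app
    mode http
    server app1 192.0.2.10:8080 check
```

Check it with "haproxy -c -f <file>"; the configuration must load without the "will never match" warning, and "show table fe_abuse" on the stats socket shows the gpc0 value and remaining expiry per source address.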

"Missing" sessions in haproxy stats

2015-07-13 Thread Nicholas Smit
Hi,

Apologies if the answer is in the manual, or in the mailing lists, I
couldn't find it.

In my Haproxy config, I have a front-end and several backends. The stats
page is showing stats of sessions, CUR = 1098. (CSV output below)

However, if I add up all the sessions for all its back-ends, I get nowhere
close to that number (54).

Am I misunderstanding the meaning of "sessions - cur" on this page?

Or is the http-in front end discarding 95% of incoming sessions because they
don't match a backend? If the latter, I would have thought I'd see a bunch
of 503s being returned all the time, which I don't.

I thought subsequently perhaps these could be sessions stuck in TCP_WAIT on
the client side, but that only accounts for 17% - not 95.

In short, what's happening with these other 95% please?

Many thanks for any guidance.
Nik

(Xpost from
http://stackoverflow.com/questions/31186889/missing-haproxy-sessions-in-stats-page
, in case you wish to claim the bounty there).


# pxname,bobname,qcur,qmax,scur,smax
http-in,FRONTEND,,,1098,1254
foo_web_zar_and_ws,bob91,0,0,0,1
foo_web_zar_and_ws,bob83,0,0,1,7
foo_web_zar_and_ws,BACKEND,0,0,1,7
foo_web_ned,bob91,0,0,0,0
foo_web_ned,bob83,0,0,0,0
foo_web_ned,BACKEND,0,0,0,0
foo_web_comms,bob91,0,0,0,2
foo_web_comms,bob83,0,0,0,2
foo_web_comms,BACKEND,0,0,0,2
bla_web_comms,bob10,0,0,9,46
bla_web_comms,bob91,0,0,3,32
bla_web_comms,bob83,0,0,3,62
bla_web_comms,BACKEND,0,0,15,85
bla_web_zar_and_ws,bob91,0,0,5,20
bla_web_zar_and_ws,bob83,0,0,7,36
bla_web_zar_and_ws,BACKEND,0,0,12,45
bla_web_ned,bob91,0,0,0,2
bla_web_ned,bob83,0,0,0,2
bla_web_ned,BACKEND,0,0,0,2
stats,FRONTEND,,,1,5
stats,BACKEND,0,0,0,1


Tailor Made Services For You!— Guzhen Lighting Fair

2015-07-13 Thread Guzhen Lighting Fair
Tailor Made Services For You!— Guzhen Lighting Fair

Hello haproxy@formilux.org,

It seems that your e-mail software does not support HTML.
Please visit the page below to read this message in a web browser:
http://edm.ubmsinoexpo.com/x/?S7a1MPufa2tuZmb4v8jW0tDMzOR.jq2hgbmRBQAA76

Re: Contribution: change response line

2015-07-13 Thread Baptiste
On Mon, Jul 13, 2015 at 7:22 AM, Bowen Ni  wrote:
> Hi,
>
> With Lua integration in HAProxy 1.6, one can change the request method,
> path, uri, header, response header etc except response line.

Hi Bowen,

You can already change the fields above using HAProxy 1.6 statements:
http-request and http-response.
  
http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#http-request
  
http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#http-response

You don't need lua for this, unless your changes are complicated and
you can find a converter which does the transformation you need:
  http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#7.3.1


> I'd like to contribute the following methods to allow modification of the
> response line.

Actually, that's right: there is currently no "http-response
set-return-code" in HAProxy.

I'll let the Lua experts answer you on the rest of the mail :)

Baptiste