Re: Help me please
2009/8/27 Vadim Bazilevich bvv2...@gmail.com:
> Hi friends! I used haproxy in my project. But I have one problem. How can I switch between two backend servers (I need to use the url_sub rule) if I use haproxy as frontend?

Define two backends, backend1 and backend10001 and one frontend. In the frontend section do something like this:

    use_backend backend10001 if url_sub sms

And of course you have to define the two ACLs url_sub and sms, which do not appear in your config.

--
Jean-Baptiste Quenot
http://jbq.caraldi.com/

Re: Stats as counters for graphing
2009/8/7 Karl Pietri k...@slideshare.com:
> The last couple of days we have had a spike in traffic so it has been queueing, but I can't tell for sure if it's just generally overloaded during peak or if we have some random large spikes (which would be ok). From other tools I'm pretty sure we are overloaded and so adding new machines, but in either case it would be nice to know for sure. We do graph sessions/connections as a delta and that works well, just was wanting the same for queue.

I think you should use RRD, it offers many ways to collect the stats and retrieve data.

--
Jean-Baptiste Quenot
http://jbq.caraldi.com/

haproxy + stunnel + patch not working
Hi,

I can't get the patch 'stunnel-4.22-xforwarded-for.diff' to be executed successfully with stunnel-4.22 on my Solaris box. To be honest, I am a bit lost as to how to apply this patch. I did the following steps:

* cd /var/tmp/stunnel-4.22
* patch -p0 ../stunnel-4.22-xforwarded-for.diff

    Looks like a unified context diff.
    File to patch: /var/tmp/stunnel-4.22/src/client.c

I don't know to which file it should be applied. Looking into the stunnel-4.22-xforwarded-for.diff file, there are some differences with several files. Most of them come from src/client.c. I tried with this file and some others (in different attempts) but I always get many failures:

    Hunk #1 failed at line 534.
    1 out of 1 hunks failed: saving rejects to /var/tmp/stunnel-4.22/src/client.c.rej
    The next patch looks like a unified context diff.
    Hunk #1 failed at line 445.
    1 out of 1 hunks failed: saving rejects to /var/tmp/stunnel-4.22/src/client.c.rej
    The next patch looks like a unified context diff.
    The next patch looks like a unified context diff.
    Hunk #1 failed at line 53.
    1 out of 1 hunks failed: saving rejects to /var/tmp/stunnel-4.22/src/client.c.rej
    The next patch looks like a unified context diff.
    Hunk #1 failed at line 765.
    1 out of 1 hunks failed: saving rejects to /var/tmp/stunnel-4.22/src/client.c.rej
    The next patch looks like a unified context diff.
    Hunk #1 failed at line 227.
    Hunk #2 failed at line 330.
    2 out of 2 hunks failed: saving rejects to /var/tmp/stunnel-4.22/src/client.c.rej
    done

Looking into the file.rej I see the commands are related to the xforwardedfor. Then I compile and install stunnel but it complains about the option:

    xforwardedfor=yes

Any hint on applying the patch will be appreciated!

Thanks a lot,
Xavi

Re: noob question about stunnel
Sorry, my mistake: stunnel 4.22 doesn't already contain the patch, but my RPM was compiled with this patch:
http://haproxy.1wt.eu/download/patches/stunnel-4.22-xforwarded-for.diff

I have both x86 and 64-bit RPMs packaged for CentOS 5.3 if you want them.

Duncan

Duncan Hall wrote:
> Have you considered just downloading and compiling stunnel-4.22? It already contains the patch. I see you are using CentOS. I have compiled an x86 stunnel-4.22 rpm for CentOS 5.3; perhaps I could email it to you?
>
> Regards,
> Duncan
>
> Nelson Serafica wrote:
>> I know this is a stupid question but how do I patch stunnel? I have extracted haproxy.tar.gz, cd'd to that directory and run the command patch ../stunnel-4.15-xforwarded-for.diff, but I encountered an error:
>>
>>     [r...@centos haproxy-1.3.20]# patch ../stunnel-4.15-xforwarded-for.diff
>>     can't find file to patch at input line 4
>>     Perhaps you should have used the -p or --strip option?
>>     The text leading up to this was:
>>     --
>>     |diff -ru stunnel-4.15/doc/stunnel.8 stunnel-4.15_patched/doc/stunnel.8
>>     |--- stunnel-4.15/doc/stunnel.8 2005-11-17 11:39:08.0 +0100
>>     |+++ stunnel-4.15_patched/doc/stunnel.8 2006-07-07 09:13:34.0 +0200
>>     --
>>     File to patch:
>>
>> Does anyone know how to resolve the problem?

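patch stops at "File to patch:" (as in the message above and in the earlier stunnel-4.22 post) when the path in the diff header, after removing the number of leading components given by -p, does not name a file relative to the directory patch is run from. The script below is an added example, not part of the thread: the function name strip_level and the sample tree are constructed here, and it works out which -pN fits a given directory from the diff's first `---` header.

```shell
#!/bin/sh
# Added example, not from the thread. Sample tree and diff header are constructed.

# strip_level DIFF SRCDIR
# Prints the smallest N such that the first "--- " path in DIFF, with N leading
# components removed (what patch -pN does), names an existing file under SRCDIR.
# Returns 1 if no N works (wrong directory or wrong source version),
# 2 if DIFF has no "--- " header. Assumes header paths contain no spaces.
strip_level() {
    diff_file=$1
    src_dir=$2
    path=$(awk '$1 == "---" { print $2; exit }' "$diff_file")
    [ -n "$path" ] || return 2
    n=0
    while :; do
        if [ -f "$src_dir/$path" ]; then
            echo "$n"
            return 0
        fi
        case $path in
            */*) path=${path#*/}; n=$((n + 1)) ;;
            *)   return 1 ;;
        esac
    done
}

# Constructed demo: a header shaped like the one `diff -ru` wrote in the thread.
work=$(mktemp -d)
mkdir -p "$work/stunnel-4.22/src" "$work/haproxy-1.3.20"
: > "$work/stunnel-4.22/src/client.c"
printf '%s\t%s\n' \
    '--- stunnel-4.22/src/client.c' '2009-01-01 00:00:00 +0100' \
    '+++ stunnel-4.22_patched/src/client.c' '2009-01-02 00:00:00 +0100' \
    > "$work/demo.diff"

for dir in "$work" "$work/stunnel-4.22" "$work/haproxy-1.3.20"; do
    if n=$(strip_level "$work/demo.diff" "$dir"); then
        echo "${dir#"$work"}/: patch -p$n < demo.diff"
    else
        echo "${dir#"$work"}/: no strip level fits; patch would ask 'File to patch:'"
    fi
done
rm -rf "$work"
```

With GNU patch, adding --dry-run to the suggested command shows whether the hunks apply without touching the tree.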
Re: noob question about stunnel
As requested,

http://graphicslib.viator.com/graphicslib/stunnel/stunnel-4.22-5.i386.rpm
http://graphicslib.viator.com/graphicslib/stunnel/stunnel-4.22-5.x86_64.rpm
http://graphicslib.viator.com/graphicslib/stunnel/stunnel-4.22-5.src.rpm

Regards,
Duncan

Guillaume Bourque wrote:
> Hi Nelson,
>
> 2009/9/3 Nelson Serafica ntseraf...@gmail.com
>> @Duncan Please email if it could help solve the problem. I have installed stunnel-4.27.tar.gz. Do I still need to patch stunnel-4.15-xforwarded-for.diff (I think so, just not sure though). Also, how do I know that port 443 is now listened to by stunnel and being forwarded to haproxy port 80?
>
>     lsof -n -i :443
>
> this will give you what process is listening on port 443
>
>> Duncan Hall wrote:
>>> Have you considered just downloading and compiling stunnel-4.22? It already contains the patch. I see you are using CentOS. I have compiled an x86 stunnel-4.22 rpm for CentOS 5.3; perhaps I could email it to you?
>
> --
> Guillaume Bourque, B.Sc., consultant, open-source technology infrastructure
> 514 576-7638

RE: nf_conntrack: table full, dropping packet.
service iptables stop should take care of it in CentOS. Although your lsmod doesn't make sense. It should be showing ip_conntrack and ip_tables and iptable_filter with a standard CentOS and iptables. Even dm_multipath and others that you are not interested in would be expected...

-----Original Message-----
From: Hank A. Paulson [mailto:h...@spamproof.nospammail.net]
Sent: Thursday, September 03, 2009 1:02 PM
To: HAproxy Mailing Lists
Subject: nf_conntrack: table full, dropping packet.

Does anyone know how to get rid of/turn off/kill/remove/exorcise netfilter and/or conntrack? I don't use iptables and it seems to cause a lot of overhead. Does it require a custom compiled kernel? I am using CentOS and Fedora standard precompiled kernels right now.

Thank you for any help in this frustrating matter.

    # lsmod | grep -i ip
    ipv6 290320 20

    sysctl -a | grep -i netfilter
    net.netfilter.nf_conntrack_generic_timeout = 12
    net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 12
    net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 12
    net.netfilter.nf_conntrack_tcp_timeout_established = 2000
    net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 12
    net.netfilter.nf_conntrack_tcp_timeout_close_wait = 12
    net.netfilter.nf_conntrack_tcp_timeout_last_ack = 12
    net.netfilter.nf_conntrack_tcp_timeout_time_wait = 10
    net.netfilter.nf_conntrack_tcp_timeout_close = 8
    net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 30
    net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 30
    net.netfilter.nf_conntrack_tcp_loose = 1
    net.netfilter.nf_conntrack_tcp_be_liberal = 0
    net.netfilter.nf_conntrack_tcp_max_retrans = 3
    net.netfilter.nf_conntrack_udp_timeout = 12
    net.netfilter.nf_conntrack_udp_timeout_stream = 18
    net.netfilter.nf_conntrack_icmp_timeout = 8
    net.netfilter.nf_conntrack_acct = 1
    net.netfilter.nf_conntrack_max = 1048576
    net.netfilter.nf_conntrack_count = 7645
    net.netfilter.nf_conntrack_buckets = 16384
    net.netfilter.nf_conntrack_checksum = 1
    net.netfilter.nf_conntrack_log_invalid = 0
    net.netfilter.nf_conntrack_expect_max = 256

Re: session length when using cookies
Hank, thanks for the reply.

I was not thinking of app-cookie (i.e. appsession) load balancing at this stage, but just a SERVERID cookie which stores the backend label. I guess the answer is that it depends on what cookies the app uses, and what their expiry date is.

But what about source IP persistence as well? How do we configure the timeout for that?

Thanks,
James

On 3 Sep 2009, at 17:47, Hank A. Paulson wrote:
> If you use haproxy with app-generated-cookie based balancing, it will continue to send requests with that cookie to that backend as long as that cookie exists and that backend is up - afaik. If you look at the cookie in a browser tool, what is the expiration time? If it is not as long as you want, you have to change the expiration time in your CMS that is creating the cookie.
>
> On 9/3/09 8:15 AM, James Little wrote:
>> Hi All,
>>
>> I'm looking for some advice on how to achieve lengthy (2 hours+) persistence with cookie insertion. I know that by default the cookies do not expire, but we are concerned here with the actual session duration. For example, say we are dealing with a web-based CMS where the user wants to be logged in for hours, but is not necessarily refreshing the screen frequently. How do we ensure he stays logged in?
>>
>> I'm aware that HAProxy does not support http keep-alive. Is the 'clitimeout' setting the right way to go? Also interested in knowing the *default* persistence timeout.
>>
>> Any pointers greatly appreciated.
>>
>> James

RE: nf_conntrack: table full, dropping packet.
I haven't used Fedora much recently. Looks like it's compiled into the kernel instead of as a module with Fedora, so I think you would have to do a custom kernel to disable the connection tracking. (or switch distros)

-----Original Message-----
From: Hank A. Paulson [mailto:h...@spamproof.nospammail.net]
Sent: Thursday, September 03, 2009 2:15 PM
To: 'HAproxy Mailing Lists'
Subject: Re: nf_conntrack: table full, dropping packet.

    # lsmod
    Module Size Used by
    xen_netfront 19808 0
    pcspkr 2848 0
    xen_blkfront 12404 2

    # cat /proc/net/nf_conntrack | wc -l
    50916
    # service iptables stop
    (it was never started)
    # cat /proc/net/nf_conntrack | wc -l
    65358

This is Fedora, sorry, not CentOS. The only other thing running is keepalived to manage the IP address for haproxy.

On 9/3/09 10:16 AM, John Lauro wrote:
> service iptables stop should take care of it in CentOS. Although your lsmod doesn't make sense. It should be showing ip_conntrack and ip_tables and iptable_filter with a standard CentOS and iptables. Even dm_multipath and others that you are not interested in would be expected...
>
> -----Original Message-----
> From: Hank A. Paulson [mailto:h...@spamproof.nospammail.net]
> Sent: Thursday, September 03, 2009 1:02 PM
> To: HAproxy Mailing Lists
> Subject: nf_conntrack: table full, dropping packet.
>
> Does anyone know how to get rid of/turn off/kill/remove/exorcise netfilter and/or conntrack? I don't use iptables and it seems to cause a lot of overhead. Does it require a custom compiled kernel? I am using CentOS and Fedora standard precompiled kernels right now.
>
> Thank you for any help in this frustrating matter.
>
>     # lsmod | grep -i ip
>     ipv6 290320 20
>
>     sysctl -a | grep -i netfilter
>     net.netfilter.nf_conntrack_generic_timeout = 12
>     net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 12
>     net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 12
>     net.netfilter.nf_conntrack_tcp_timeout_established = 2000
>     net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 12
>     net.netfilter.nf_conntrack_tcp_timeout_close_wait = 12
>     net.netfilter.nf_conntrack_tcp_timeout_last_ack = 12
>     net.netfilter.nf_conntrack_tcp_timeout_time_wait = 10
>     net.netfilter.nf_conntrack_tcp_timeout_close = 8
>     net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 30
>     net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 30
>     net.netfilter.nf_conntrack_tcp_loose = 1
>     net.netfilter.nf_conntrack_tcp_be_liberal = 0
>     net.netfilter.nf_conntrack_tcp_max_retrans = 3
>     net.netfilter.nf_conntrack_udp_timeout = 12
>     net.netfilter.nf_conntrack_udp_timeout_stream = 18
>     net.netfilter.nf_conntrack_icmp_timeout = 8
>     net.netfilter.nf_conntrack_acct = 1
>     net.netfilter.nf_conntrack_max = 1048576
>     net.netfilter.nf_conntrack_count = 7645
>     net.netfilter.nf_conntrack_buckets = 16384
>     net.netfilter.nf_conntrack_checksum = 1
>     net.netfilter.nf_conntrack_log_invalid = 0
>     net.netfilter.nf_conntrack_expect_max = 256