Re: [Proposal] Concurrency tuning by adding a limit to http-server-close
On Mon, Aug 29, 2011 at 04:39:27PM +0200, Cyril Bonté wrote:
> I really like the idea and it could be a great improvement for haproxy.
> The advantage of this solution is also that it doesn't add another keyword
> in the long list of possibilities haproxy offers.

Indeed, that's also another point. And it's one less parameter admins will have to be taught.

> Also, what I see in this feature is that it will immediately fix
> configurations where timeouts are forgotten (I can't say how many times
> I've seen instances that didn't set the http-keep-alive timeout, where
> it's easy to create a DoS).

I didn't think about this, but you're perfectly right!

>> If you're interested in doing this, I'd be glad to merge it and to
>> provide help if needed. We need a struct list fe_idle in the struct
>> proxy and add/remove idle connections there.
>
> Of course I'm interested. I can't promise I'll be available for it for
> the next days but I can start it shortly.

Nice, thank you! Don't forget to take a rest, you're on holidays ;-)

Cheers,
Willy
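The forgotten-timeout problem raised in this message can be audited offline. The following is an added example, not code from the thread or from haproxy: it reports which timeout actually bounds an idle keep-alive connection in each frontend/listen section, using haproxy's documented fallback (`timeout http-keep-alive`, then `timeout http-request`, then `timeout client`). The function names and the sample configuration are assumptions made for illustration.

```python
import re

SECTION = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")
# Order in which haproxy falls back when bounding an idle keep-alive connection.
FALLBACK = ("http-keep-alive", "http-request", "client")

def effective_keepalive_timeouts(cfg_text):
    """Map each frontend/listen section to (governing timeout, value) or (None, None)."""
    defaults, current, sections = {}, None, {}
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # simplification: no quoted/escaped '#'
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            kind, name = m.groups()
            if kind == "defaults":
                defaults = current = {}       # a new defaults section resets inheritance
            elif kind in ("frontend", "listen"):
                current = sections[f"{kind} {name}"] = dict(defaults)
            else:
                current = None                # global/backend: no client-side timeouts
            continue
        words = line.split()
        if current is not None and words[0] == "timeout" and len(words) >= 3:
            current[words[1]] = words[2]
    report = {}
    for sec, t in sections.items():
        governing = next((k for k in FALLBACK if k in t), None)
        report[sec] = (governing, t.get(governing))
    return report

def unbounded_sections(cfg_text):
    """Sections where no timeout limits how long an idle client connection is held."""
    return [s for s, (g, _) in effective_keepalive_timeouts(cfg_text).items() if g is None]

# Constructed sample configuration (not from the thread).
SAMPLE = """\
defaults
    timeout client 50s
frontend www
    bind :80
    timeout http-keep-alive 2s   # explicit, short idle limit
frontend api
defaults
listen legacy
"""
if __name__ == "__main__":
    print(effective_keepalive_timeouts(SAMPLE), unbounded_sections(SAMPLE))
```

A section governed only by `timeout client` is bounded, but idle keep-alive connections are held for the full client timeout; a section with no governing timeout is the forgotten-timeout case described above.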
Re: help with tcp-request content track-sc1
On Sat, Aug 27, 2011 at 5:26 AM, Willy Tarreau w...@1wt.eu wrote:
> Hi David,
>
> On Thu, Aug 25, 2011 at 12:28:43PM -0700, David Birdsong wrote:
>> I've pored over 1.5 docs, and I'm pretty sure this should be possible.
>> Is there a way to extract a header string from an http header and
>> track that in a stick-table of type 'string'? If so, what is the
>> syntax, where does the extraction take place?
>
> Right now it's not implemented, as the track-sc1 statement is only
> available at the TCP stage. I'm clearly thinking about having it before
> 1.5 is released, because at many places it's much more important than
> the source IP itself.

Ok, thanks for the clarification. Is there a way to cast a header as an ip and track-sc1? In our setup we're terminating SSL in front of haproxy and so only the XFF header has the client ip address.

>> Also, is there any way to concatenate two headers into one string
>> value to track and store? If not, I can concatenate them upstream
>> (close to client), but it'd be nice to keep the logic local to
>> haproxy's config.
>
> No this is not possible. We need the pattern extraction feature which
> has not even started yet for this :-(
>
> Regards,
> Willy
Re: help with tcp-request content track-sc1
On Mon, Aug 29, 2011 at 01:40:53PM -0700, David Birdsong wrote:
> On Mon, Aug 29, 2011 at 1:36 PM, Willy Tarreau w...@1wt.eu wrote:
>> On Mon, Aug 29, 2011 at 12:22:18PM -0700, David Birdsong wrote:
>>> On Sat, Aug 27, 2011 at 5:26 AM, Willy Tarreau w...@1wt.eu wrote:
>>>> Hi David,
>>>>
>>>> On Thu, Aug 25, 2011 at 12:28:43PM -0700, David Birdsong wrote:
>>>>> I've pored over 1.5 docs, and I'm pretty sure this should be
>>>>> possible. Is there a way to extract a header string from an http
>>>>> header and track that in a stick-table of type 'string'? If so,
>>>>> what is the syntax, where does the extraction take place?
>>>>
>>>> Right now it's not implemented, as the track-sc1 statement is only
>>>> available at the TCP stage. I'm clearly thinking about having it
>>>> before 1.5 is released, because at many places it's much more
>>>> important than the source IP itself.
>>>
>>> Ok, thanks for the clarification. Is there a way to cast a header as
>>> an ip and track-sc1? In our setup we're terminating SSL in front of
>>> haproxy and so only the XFF header has the client ip address.
>>
>> I understand the issue, it's the same everyone is facing when trying
>> to do the same thing unfortunately :-( If you use a patched stunnel
>> version which supports the PROXY protocol, then you can have the
>> client's IP available as soon as tcp-request content rules are
>> processed. Those rules support track-sc1 so you can do what you want
>> at this level. It requires a patch on stunnel however, but it should
>> not be an issue since you appear to be using the XFF
>
> We're actually terminating half of our ssl traffic with nginx and the
> other half with Amazon's elb offering with plans of moving all ssl
> termination to Amazon in the next week or so.

The PROXY protocol should be ported to Amazon's ELB then ;-)

Cheers,
Willy
Re: help with tcp-request content track-sc1
On Mon, Aug 29, 2011 at 1:46 PM, Willy Tarreau w...@1wt.eu wrote:
> On Mon, Aug 29, 2011 at 01:40:53PM -0700, David Birdsong wrote:
>> On Mon, Aug 29, 2011 at 1:36 PM, Willy Tarreau w...@1wt.eu wrote:
>>> On Mon, Aug 29, 2011 at 12:22:18PM -0700, David Birdsong wrote:
>>>> On Sat, Aug 27, 2011 at 5:26 AM, Willy Tarreau w...@1wt.eu wrote:
>>>>> Hi David,
>>>>>
>>>>> On Thu, Aug 25, 2011 at 12:28:43PM -0700, David Birdsong wrote:
>>>>>> I've pored over 1.5 docs, and I'm pretty sure this should be
>>>>>> possible. Is there a way to extract a header string from an http
>>>>>> header and track that in a stick-table of type 'string'? If so,
>>>>>> what is the syntax, where does the extraction take place?
>>>>>
>>>>> Right now it's not implemented, as the track-sc1 statement is only
>>>>> available at the TCP stage. I'm clearly thinking about having it
>>>>> before 1.5 is released, because at many places it's much more
>>>>> important than the source IP itself.
>>>>
>>>> Ok, thanks for the clarification. Is there a way to cast a header
>>>> as an ip and track-sc1? In our setup we're terminating SSL in front
>>>> of haproxy and so only the XFF header has the client ip address.
>>>
>>> I understand the issue, it's the same everyone is facing when trying
>>> to do the same thing unfortunately :-( If you use a patched stunnel
>>> version which supports the PROXY protocol, then you can have the
>>> client's IP available as soon as tcp-request content rules are
>>> processed. Those rules support track-sc1 so you can do what you want
>>> at this level. It requires a patch on stunnel however, but it should
>>> not be an issue since you appear to be using the XFF
>>
>> We're actually terminating half of our ssl traffic with nginx and the
>> other half with Amazon's elb offering with plans of moving all ssl
>> termination to Amazon in the next week or so.
>
> The PROXY protocol should be ported to Amazon's ELB then ;-)

Agreed, that would be a big help. Anybody know what the ELB's are? Some have speculated they're just using Netscalers, but they toss around the word 'instance' in a way that makes me wonder if they're just using ec2 instances.

> Cheers,
> Willy
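The PROXY protocol suggestion in this thread works because the SSL terminator sends one text line carrying the original client address before any HTTP bytes, so the address is known at the TCP stage. The following is an added example, not code from the thread or from haproxy or stunnel: a strict receiver-side parser for the version 1 text header that accepts it only from a known terminator. The function names, addresses and sample bytes are constructed for illustration.

```python
import ipaddress

MAX_V1_HEADER = 107   # longest v1 header line the PROXY protocol allows, CRLF included

def parse_proxy_v1(buf):
    """Parse a PROXY v1 prefix. Returns ((src_ip, src_port) or None, remaining bytes)."""
    if not buf.startswith(b"PROXY "):
        raise ValueError("missing PROXY signature")
    end = buf.find(b"\r\n", 0, MAX_V1_HEADER)
    if end < 0:
        raise ValueError("header not terminated within 107 bytes")
    fields = buf[:end].decode("ascii").split(" ")
    rest = buf[end + 2:]
    if fields[1] == "UNKNOWN":            # proxy could not determine the addresses
        return None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed header")
    family = 4 if fields[1] == "TCP4" else 6
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if src.version != family or dst.version != family:
        raise ValueError("address family does not match protocol field")
    if not (fields[4].isdigit() and fields[5].isdigit()):
        raise ValueError("non-numeric port")
    sport, dport = int(fields[4]), int(fields[5])
    if sport > 65535 or dport > 65535:
        raise ValueError("port out of range")
    return (str(src), sport), rest

def client_address(peer_ip, first_bytes, trusted_proxies):
    """Use the PROXY header only when the TCP peer is a known SSL terminator."""
    if peer_ip not in trusted_proxies:
        return peer_ip, first_bytes        # untrusted peer: never parse a header
    src, rest = parse_proxy_v1(first_bytes)
    return (src[0] if src else peer_ip), rest

# Constructed sample: what an SSL terminator at 10.0.0.5 would send first.
SAMPLE = b"PROXY TCP4 203.0.113.7 198.51.100.10 56324 443\r\nGET / HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    print(client_address("10.0.0.5", SAMPLE, {"10.0.0.5"}))
```

Unlike an X-Forwarded-For header, which any client can supply, the address here is taken only from a peer on the trusted list, which is what makes it safe to feed into per-client tracking.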
cant get haproxy service to start
Hi Guys,

Running on Ubuntu 11.4 server, I can't get my Haproxy to come online. When I do service haproxy start I get fatal errors.

My setup: I installed haproxy, then installed heartbeat... I only want to have one nlb and two web servers (Windows). Do I need heartbeat still??

I added eth0:0 with VIP - 10.4.3.56.

When I try to start haproxy with this cfg:

    global
        log 127.0.0.1 local0
        log 127.0.0.1 local1 notice
        #log loghost local0 info
        maxconn 4096
        #debug
        #quiet
        user haproxy
        group haproxy

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        retries 3
        redispatch
        maxconn 2000
        contimeout 5000
        clitimeout 5
        srvtimeout 5

    listen webfarm 10.4.3.56:80
        mode http
        stats enable
        stats auth someuser:somepassword
        balance roundrobin
        cookie JSESSIONID prefix
        option httpclose
        option forwardfor
        option httpchk HEAD /check.txt HTTP/1.0
        server webA 10.4.3.52:80 cookie A check
        server webB 10.4.3.53:80 cookie B check

I can't get it to start. Please advise...