Re: Please help to configure Haproxy with SSL support
On Fri, Mar 22, 2013 at 6:43 AM, Eswaramoorthy R wrote:
> so can we recypher the traffic to tomcat servers using haproxy..?
>
> any of the following solutions is ok..
>
> 1) Haproxy with HTTPS and other two servers with normal HTTP
> 2) Haproxy with HTTPS and other two servers also with HTTPS.
>
> But which of the above solutions works ..?

both will work.

> I don't have any previous experience with Haproxy.. I'm new to this... Please
> pardon me if this is a silly question..

this is not an HAProxy problem or lack of experience, this is related to architecture...
Just decide what you *really* need, then choose the right product. HAProxy or another one.
Don't do the opposite: choose the product then try to arrange your needs to fit the product you chose...

> ~Eswar
>
> On Fri, Mar 22, 2013 at 10:40 AM, Baptiste wrote:
>
>> no, as per our explanation and your request, there is a single cert in
>> HAProxy.
>> Unless you want to recypher traffic to your tomcat servers.
>>
>> Baptiste
>>
>> On Fri, Mar 22, 2013 at 5:51 AM, Eswaramoorthy R wrote:
>>
>>> Thanks all so much for your help and also for updating the article :-)
>>>
>>> I have a doubt... As per your explanation there are a total of 3
>>> certificates placed. They are
>>>
>>> 1) haproxy.pem
>>> 2) cert1
>>> 3) cert2
>>>
>>> Can you please say to which server each certificate belongs..? Below
>>> is my sample architecture for your reference...
>>>
>>> ~Eswar
>>>
>>> On Fri, Mar 22, 2013 at 12:54 AM, Robin Lee Powell <rlpow...@cytobank.org> wrote:
>>>
>>>> On Thu, Mar 21, 2013 at 08:02:03PM +0100, Baptiste wrote:
>>>>>> I actually started with
>>>>>> http://blog.exceliance.fr/2012/09/10/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
>>>>>> , but that's out of date; the sni options have changed.
>>>>>
>>>>> Hi Robin
>>>>>
>>>>> I fixed the article today.
>>>>
>>>> :D Thanks so much!
>>>>
>>>> -Robin
Re: Please help to configure Haproxy with SSL support
so can we recypher the traffic to tomcat servers using haproxy..?

any of the following solutions is ok..

1) Haproxy with HTTPS and other two servers with normal HTTP
2) Haproxy with HTTPS and other two servers also with HTTPS.

But which of the above solutions works ..?

I don't have any previous experience with Haproxy.. I'm new to this... Please pardon me if this is a silly question..

~Eswar

On Fri, Mar 22, 2013 at 10:40 AM, Baptiste wrote:
> no, as per our explanation and your request, there is a single cert in
> HAProxy.
> Unless you want to recypher traffic to your tomcat servers.
>
> Baptiste
>
> On Fri, Mar 22, 2013 at 5:51 AM, Eswaramoorthy R wrote:
>
>> Thanks all so much for your help and also for updating the article :-)
>>
>> I have a doubt... As per your explanation there are a total of 3 certificates
>> placed. They are
>>
>> 1) haproxy.pem
>> 2) cert1
>> 3) cert2
>>
>> Can you please say to which server each certificate belongs..? Below
>> is my sample architecture for your reference...
>>
>> ~Eswar
>>
>> On Fri, Mar 22, 2013 at 12:54 AM, Robin Lee Powell wrote:
>>
>>> On Thu, Mar 21, 2013 at 08:02:03PM +0100, Baptiste wrote:
>>>>> I actually started with
>>>>> http://blog.exceliance.fr/2012/09/10/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
>>>>> , but that's out of date; the sni options have changed.
>>>>
>>>> Hi Robin
>>>>
>>>> I fixed the article today.
>>>
>>> :D Thanks so much!
>>>
>>> -Robin
Re: Please help to configure Haproxy with SSL support
no, as per our explanation and your request, there is a single cert in HAProxy.
Unless you want to recypher traffic to your tomcat servers.

Baptiste

On Fri, Mar 22, 2013 at 5:51 AM, Eswaramoorthy R wrote:
> Thanks all so much for your help and also for updating the article :-)
>
> I have a doubt... As per your explanation there are a total of 3 certificates
> placed. They are
>
> 1) haproxy.pem
> 2) cert1
> 3) cert2
>
> Can you please say to which server each certificate belongs..? Below is
> my sample architecture for your reference...
>
> ~Eswar
>
> On Fri, Mar 22, 2013 at 12:54 AM, Robin Lee Powell wrote:
>
>> On Thu, Mar 21, 2013 at 08:02:03PM +0100, Baptiste wrote:
>>>> I actually started with
>>>> http://blog.exceliance.fr/2012/09/10/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
>>>> , but that's out of date; the sni options have changed.
>>>
>>> Hi Robin
>>>
>>> I fixed the article today.
>>
>> :D Thanks so much!
>>
>> -Robin
Re: Please help to configure Haproxy with SSL support
Thanks all so much for your help and also for updating the article :-)

I have a doubt... As per your explanation there are a total of 3 certificates placed. They are

1) haproxy.pem
2) cert1
3) cert2

Can you please say to which server each certificate belongs..? Below is my sample architecture for your reference...

~Eswar

On Fri, Mar 22, 2013 at 12:54 AM, Robin Lee Powell wrote:
> On Thu, Mar 21, 2013 at 08:02:03PM +0100, Baptiste wrote:
>>> I actually started with
>>> http://blog.exceliance.fr/2012/09/10/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
>>> , but that's out of date; the sni options have changed.
>>
>> Hi Robin
>>
>> I fixed the article today.
>
> :D Thanks so much!
>
> -Robin
Re: Active/active HAProxy
On Thu, 21 Mar 2013 11:00:37 +0100, Lukas Tribus wrote:

>> It's a point in time dump and restore of the in flight packets.
>
> Can't dump the details and in flight content of a TCP session if
> the host is already dead.

You're right. Its primary goal is system update without service interruption.

> So either this will work only for manual switchovers (but not for
> sudden hardware/software failure; also at this point TCP connection
> repair would probably be a solution) or you sync everything in realtime
> with the other proxy, but to do that, you will need a huge uplink
> between them.

You're right in the sense that the requirement for layer 4 LB two-node synchronization is not just synchronization of some IP headers like in the firewalling case, so the synchronization flow needs to transport the whole packet contents. It's tricky to implement: you need to get only the packets from the sockets used inside HAProxy and I'm not familiar with the code in HAProxy: are SOCKET_RAW used and are packets written to a file descriptor?

> Also, suppose you can implement this through netfilter/pfsync (I've my
> doubts about that) and by patching haproxy, how do you avoid that the
> "standby" TCP session on proxy 2 interferes with the TCP session prior
> to a switchover/failover? I guess you would need additional
> kernel hacks.

After some sleep and thoughts, the API for netfilter/pfsync will just be an overcomplicated implementation of a packet mirroring system.

> In the end, you will end up spending so much cpu and memory
> for standby tcp session and the syncing, that the solution will be
> as performant as an active/standby solution and it will increase
> the complexity in your load-balancer.

Agree for the code complexity and memory usage, not agree for the CPU usage.
If HAProxy code already makes extensive usage of raw sockets and writes packets to a fd, you just pipeline the fd to the socket especially created for syncing purposes and let the current code handle the fd as it's used to (but I do not know the HAProxy internals). The network load is really a problem then to achieve that. The syncing protocol is then a real headache to minimise race conditions and/or out-of-sync cases and maintain only the non-closed connections in memory of the backup HAProxy.

>>> prefer a proper solution to avoid the renegotiation on
>>> the client side
>
> It's a huge and complex task to do, which I didn't see anyone
> doing before. If you or your client has the resources to
> implement this, please go ahead and tell us how exactly you
> did it.

Well, I'm going to weigh the use cases of such a feature against the overall code complexity and of course whether the HAProxy community wants such a feature given the code complexity added. The first step will be to read the HAProxy code entirely :) The second to deeply think about an effective packet mirroring protocol :) ...

> But for a "would prefer a stateful solution to avoid a TCP RST
> + a new TCP handshake when a proxy dies" (so to speak; if iptables
> is configured accordingly), I would certainly not do it.
>
> The benefit of it simply doesn't justify the effort, imho.

You're probably right. Time to sleep.

Regards,

--
Jérôme Benoit aka fraggle
La Météo du Net - http://grenouille.com
OpenPGP Key ID : 9FE9161D
Key fingerprint : 9CA4 0249 AF57 A35B 34B3 AC15 FAA0 CB50 9FE9 161D
Re: Counting number given session cookies used by sticky load balancer?
Hi,

You can use the stick-table for this purpose, using stick-store to refresh the values, like:

  stick-table type string len 32 size 100k expire 4h   # set up the same expiration time as your application
  stick store-request cookie(JSESSIONID)

Then, use socat and bash to count the number of sessions:

  echo show table | socat /var/run/haproxy.stats -

The backend name is used for the table name. Just look for the number right after "used".

This requires HAProxy 1.5.

Baptiste

On Thu, Mar 21, 2013 at 8:06 PM, VERMEERBERGEN Alexandre wrote:
> Hello,
>
> I have searched a while on the internet before asking this question, surprised
> to find nothing close to what I was trying to achieve.
>
> My goal: to monitor the number of concurrent *user* sessions going through a
> given haproxy server, using the fact that my user sessions are identified by
> a unique session ID which can be found in session cookies exchanged between
> clients and application servers (which are behind haproxy). For example, for
> J2EE app servers we have JSESSIONID, for PHP servers, whatever PHP* cookie,
> etc. We already use these cookies to perform session-affinity (or sticky)
> load balancing.
>
> Now I have not found a way to get a count of currently distinct session
> cookies "known" by haproxy for sticky load balancing purposes.
>
> Have I missed something obvious, is it non-trivial, or worse, impossible?
>
> Thanks,
> Alex.
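The counting step Baptiste describes, as an added example (not code from the thread or from the HAProxy project): it sends "show table" to the stats socket, reads the "used" value from the table header, and additionally tallies entries per server_id to see how the sticky sessions are spread. The socket path and backend name are assumed; the sample dump is constructed, modelled on the HAProxy 1.5 "show table" output format.

```shell
#!/bin/sh
# Added example: count sticky sessions tracked in a stick-table through the
# HAProxy 1.5 stats socket. Assumed: socket at /var/run/haproxy.stats,
# backend named "bk_app". Needs socat only for the live query.

SOCK=/var/run/haproxy.stats

# Run "show table <backend>" on the stats socket and print the raw output.
show_table() {
    printf 'show table %s\n' "$1" | socat "$SOCK" -
}

# Parse the header line "# table: NAME, type: T, size:N, used:N" and print
# the "used" value, i.e. the number of distinct session cookies tracked.
# Prints nothing when no table header is present.
count_used_sessions() {
    printf '%s\n' "$1" | sed -n 's/^# table: .*used:\([0-9]*\).*/\1/p'
}

# Count entries per server_id from the dump lines ("<id> <count>" per line),
# which shows how evenly the sticky sessions are spread over the backends.
count_per_server() {
    printf '%s\n' "$1" | awk '/server_id=/ {
        sub(/.*server_id=/, ""); n[$1]++ }
        END { for (s in n) print s, n[s] }' | sort
}

# Constructed sample dump (not captured from a real HAProxy) so the parsers
# can be exercised offline; keys are placeholder session ids.
SAMPLE='# table: bk_app, type: string, size:102400, used:3
0x80e6a4c: key=A1B2C3 use=0 exp=14399000 server_id=1
0x80e6b10: key=D4E5F6 use=1 exp=14398500 server_id=2
0x80e6bd4: key=G7H8I9 use=0 exp=14397000 server_id=1'

# Live usage (assumed backend name):
#   dump=$(show_table bk_app)
#   count_used_sessions "$dump"
#   count_per_server "$dump"
```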
Re: Counting number given session cookies used by sticky load balancer?
On 21 March 2013 19:06, VERMEERBERGEN Alexandre wrote:
> Hello,
>
> I have searched a while on the internet before asking this question, surprised
> to find nothing close to what I was trying to achieve.
>
> My goal: to monitor the number of concurrent *user* sessions going through a
> given haproxy server, using the fact that my user sessions are identified by
> a unique session ID which can be found in session cookies exchanged between
> clients and application servers (which are behind haproxy). For example, for
> J2EE app servers we have JSESSIONID, for PHP servers, whatever PHP* cookie,
> etc. We already use these cookies to perform session-affinity (or sticky)
> load balancing.

I can't help with the answer on this, but:

Given that an "active" user on a site spends the majority of their time consuming content, not requesting it, are you /sure/ that "sessions in flight right this second" is actually a useful metric?

I would suggest that getting your backends to report the number of users who requested content in the last N seconds and then aggregating the data would be more accurate, and marketing-friendly!

In the past I've used redis' native object types to support this kind of metric gathering extremely easily. (http://redis.io/commands/zcount for user counts and http://redis.io/commands/zremrangebyscore for "older-than-N-seconds" removal)

Of course, if you're just trying to figure out how many users each of your HAProxy instances will support, then this isn't helpful. But then you wouldn't care about distinguishing user1 from user2 - you'd just look at actual simultaneous connections, I guess :-)

HTH,
Jonathan
--
Jonathan Matthews // Oxford, London, UK
http://www.jpluscplusm.com/contact.html
Re: Please help to configure Haproxy with SSL support
On Thu, Mar 21, 2013 at 08:02:03PM +0100, Baptiste wrote:
>> I actually started with
>> http://blog.exceliance.fr/2012/09/10/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
>> , but that's out of date; the sni options have changed.
>
> Hi Robin
>
> I fixed the article today.

:D Thanks so much!

-Robin
Counting number given session cookies used by sticky load balancer?
Hello,

I have searched a while on the internet before asking this question, surprised to find nothing close to what I was trying to achieve.

My goal: to monitor the number of concurrent *user* sessions going through a given haproxy server, using the fact that my user sessions are identified by a unique session ID which can be found in session cookies exchanged between clients and application servers (which are behind haproxy). For example, for J2EE app servers we have JSESSIONID, for PHP servers, whatever PHP* cookie, etc. We already use these cookies to perform session-affinity (or sticky) load balancing.

Now I have not found a way to get a count of currently distinct session cookies "known" by haproxy for sticky load balancing purposes.

Have I missed something obvious, is it non-trivial, or worse, impossible?

Thanks,
Alex.
Re: Please help to configure Haproxy with SSL support
> I actually started with
> http://blog.exceliance.fr/2012/09/10/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
> , but that's out of date; the sni options have changed.

Hi Robin

I fixed the article today.

Baptiste
Re: use_backend: brackets/grouping not accepted in condition
Hi Christian,

Brackets are for anonymous ACLs only. You seem to use named ACLs with brackets so it can't work.

Either you do as you said:

  use_backend backend_test if request_domain1 allowed_ip_foo or request_domain1 allowed_ip_bar

Or with 2 use_backend:

  use_backend backend_test if request_domain1 allowed_ip_foo
  use_backend backend_test if request_domain1 allowed_ip_bar

Baptiste

On Thu, Mar 21, 2013 at 6:25 PM, Christian Ruppert wrote:
> Hi Guys,
>
> I just tried to simplify some rules and I noticed that brackets {} don't
> work with use_backend while they work fine with default_backend.
>
> That doesn't work:
>   use_backend backend_test if request_domain1 { allowed_ip_foo or allowed_ip_bar }
>
> That works:
>   use_backend backend_test if request_domain1 allowed_ip_foo or request_domain1 allowed_ip_bar
>
> That works as well:
>   default_backend backend_main if request_domain2 { allowed_ip_foo or allowed_ip_bar }
>
> I could also use multiple use_backends but using brackets would make it a
> lot easier and better readable IMHO.
>
> https://code.google.com/p/haproxy-docs/wiki/UsingACLs
> That also sounds like the brackets should work almost everywhere.
>
> "Some actions are only performed upon a valid condition. A condition is a
> combination of ACLs with operators. 3 operators are supported :
>
> - AND (implicit)
> - OR (explicit with the "or" keyword or the "||" operator)
> - Negation with the exclamation mark ("!")
>
> A condition is formed as a disjunctive form:
>
>   [!]acl1 [!]acl2 ... [!]acln { or [!]acl1 [!]acl2 ... [!]acln } ...
>
> Such conditions are generally used after an "if" or "unless" statement,
> indicating when the condition will trigger the action."
>
> I would really like to see that fixed. Or is that on purpose?
>
> Best regards,
> Christian Ruppert
>
> Christian Ruppert
> System administrator
>
> Babiel GmbH
> Erkrather Str. 224 a
> D-40233 Düsseldorf
>
> Tel: 0211-179349 0
> Fax: 0211-179349 29
> E-Mail: c.rupp...@babiel.com
> Internet: http://www.babiel.com
>
> Managing directors: Georg Babiel, Dr. Rainer Babiel, Harald Babiel
> Amtsgericht Düsseldorf HRB 38633
use_backend: brackets/grouping not accepted in condition
Hi Guys,

I just tried to simplify some rules and I noticed that brackets {} don't work with use_backend while they work fine with default_backend.

That doesn't work:

  use_backend backend_test if request_domain1 { allowed_ip_foo or allowed_ip_bar }

That works:

  use_backend backend_test if request_domain1 allowed_ip_foo or request_domain1 allowed_ip_bar

That works as well:

  default_backend backend_main if request_domain2 { allowed_ip_foo or allowed_ip_bar }

I could also use multiple use_backends but using brackets would make it a lot easier and better readable IMHO.

https://code.google.com/p/haproxy-docs/wiki/UsingACLs
That also sounds like the brackets should work almost everywhere.

"Some actions are only performed upon a valid condition. A condition is a combination of ACLs with operators. 3 operators are supported :

- AND (implicit)
- OR (explicit with the "or" keyword or the "||" operator)
- Negation with the exclamation mark ("!")

A condition is formed as a disjunctive form:

  [!]acl1 [!]acl2 ... [!]acln { or [!]acl1 [!]acl2 ... [!]acln } ...

Such conditions are generally used after an "if" or "unless" statement, indicating when the condition will trigger the action."

I would really like to see that fixed. Or is that on purpose?

Best regards,
Christian Ruppert

Christian Ruppert
System administrator

Babiel GmbH
Erkrather Str. 224 a
D-40233 Düsseldorf

Tel: 0211-179349 0
Fax: 0211-179349 29
E-Mail: c.rupp...@babiel.com
Internet: http://www.babiel.com

Managing directors: Georg Babiel, Dr. Rainer Babiel, Harald Babiel
Amtsgericht Düsseldorf HRB 38633
Re: Please help to configure Haproxy with SSL support
As a starting point, the short version is: have an haproxy that supports ssl like so:

  [rlpowell@mtsinai01 ~]$ /opt/haproxy/usr/local/sbin/haproxy -vv | grep -i ssl
  OPTIONS = USE_OPENSSL=1 USE_PCRE=1
  Built with OpenSSL version : OpenSSL 1.0.1c 10 May 2012
  OpenSSL library supports TLS extensions : yes
  OpenSSL library supports SNI : yes
  OpenSSL library supports prefer-server-ciphers : yes

and use a config line like this:

  bind 192.168.0.1:443 ssl crt /etc/haproxy/cert.pem ca-file /path/to/bundle.crt

I actually started with http://blog.exceliance.fr/2012/09/10/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/ , but that's out of date; the sni options have changed.

Lukas is correct, though, in that configuring haproxy is a rather intense project; you probably should let someone else do it if you're not willing to read at least tens of pages of documentation, and possibly much more.

-Robin

On Thu, Mar 21, 2013 at 03:27:34PM +0100, Lukas Tribus wrote:
>
> SSL is possible in the 1.5 development branch only.
> You can find all the necessary information on the
> website http://haproxy.1wt.eu/
>
> If you need someone guiding you step by step through the configuration,
> I would suggest you acquire commercial support:
>
> http://www.exceliance.fr/en/haproxy-professional-services
>
> Lukas
>
>> Date: Thu, 21 Mar 2013 19:35:37 +0530
>> Subject: Please help to configure Haproxy with SSL support
>> From: ram.eas...@gmail.com
>> To: haproxy@formilux.org
>>
>> Dear Team,
>>
>> We are trying to load balance two app servers running on tomcat with
>> ssl enabled using HAPROXY, but we couldn't find proper resources to
>> configure the same
>>
>> Please share with us the steps to configure the same, which will help us a lot
>>
>> Thank you..!
>>
>> Regards,
>>
>> Eswar
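Two pre-flight checks behind Robin's reply, as an added example (not Robin's or the HAProxy project's code): confirm from "haproxy -vv" that the binary was built with OpenSSL and SNI support, and confirm that the file handed to "bind ... ssl crt" holds both the certificate and its private key, since HAProxy's crt expects one PEM file with both. The binary and PEM paths are assumptions; the sample texts are constructed with placeholder bodies.

```shell
#!/bin/sh
# Added example: offline checks for an SSL-capable HAProxy 1.5 setup.
# Assumed paths: /opt/haproxy/usr/local/sbin/haproxy and /etc/haproxy/cert.pem.

# Return 0 when "haproxy -vv" output shows an OpenSSL build with SNI support
# (the two lines that matter for serving several hostnames on one bind).
ssl_build_ok() {
    printf '%s\n' "$1" | grep -q 'USE_OPENSSL=1' &&
    printf '%s\n' "$1" | grep -q 'OpenSSL library supports SNI : yes'
}

# Return 0 when the PEM text holds at least one certificate block (the leaf,
# optionally followed by the chain) and exactly one private key block
# ("BEGIN RSA PRIVATE KEY" or PKCS#8 "BEGIN PRIVATE KEY").
pem_has_cert_and_key() {
    certs=$(printf '%s\n' "$1" | grep -c -- '-----BEGIN CERTIFICATE-----' || true)
    keys=$(printf '%s\n' "$1" | grep -c -- '-----BEGIN .*PRIVATE KEY-----' || true)
    [ "$certs" -ge 1 ] && [ "$keys" -eq 1 ]
}

# Constructed "haproxy -vv | grep -i ssl" output modelled on the lines Robin
# posted (not captured from a real build).
VV_OK='OPTIONS = USE_OPENSSL=1 USE_PCRE=1
Built with OpenSSL version : OpenSSL 1.0.1c 10 May 2012
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes'

# Constructed output of a build without SSL.
VV_NOSSL='OPTIONS = USE_PCRE=1'

# Constructed PEM texts with placeholder bodies (no real key material).
PEM_OK='-----BEGIN CERTIFICATE-----
PLACEHOLDER-CERT-BODY
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDER-KEY-BODY
-----END RSA PRIVATE KEY-----'

PEM_CERT_ONLY='-----BEGIN CERTIFICATE-----
PLACEHOLDER-CERT-BODY
-----END CERTIFICATE-----'

# Live usage (assumed paths):
#   ssl_build_ok "$(/opt/haproxy/usr/local/sbin/haproxy -vv)" && echo "ssl build ok"
#   pem_has_cert_and_key "$(cat /etc/haproxy/cert.pem)" && echo "pem ok"
```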
Re: option httpchk
thanks for your answers

It works

-----Original Message-----
From: Baptiste [mailto:bed...@gmail.com]
Sent: Thursday, 21 March 2013 15:19
To: Wolfgang Routschka
Subject: Re: option httpchk

Hi,

You must provide a method in your HTTP request: GET or HEAD, usually.

Baptiste

On Thu, Mar 21, 2013 at 2:53 PM, Wolfgang Routschka wrote:
> Hello,
>
> I have a question about configuring health checks in haproxy
>
> By default I have not configured option httpchk in my haproxy configuration.
> webserver1 and webserver2 are answering. (roundrobin balance) webserver1 is
> down (service httpd stop) and webserver2 is answering without any problems.
> GREAT!
>
> is it right that haproxy checks only the tcp connection without any option?
>
> Now I want haproxy to say webserver1 is only healthy if I can read url
> /index.php and not /index.html for example
>
>   frontend http
>     bind 192.168.36.59:80
>     mode http
>     option httpclose
>     default_backend default
>
>   backend default
>     option httpchk /index.php
>     server web01 192.168.36.57:80 check
>     server web02 192.168.36.58:80 check
>
> Now in my opinion http://192.168.36.59/index.html is wrong and no server is
> showing the page. But I can see the page.
>
> How can I configure a health check for really testing the site, like only
> http 200 ok is showing the page, or only /index.php is correct and /index.html
> is not ok
>
> Greetings
RE: Please help to configure Haproxy with SSL support
SSL is possible in the 1.5 development branch only.
You can find all the necessary information on the website http://haproxy.1wt.eu/

If you need someone guiding you step by step through the configuration, I would suggest you acquire commercial support:

http://www.exceliance.fr/en/haproxy-professional-services

Lukas

> Date: Thu, 21 Mar 2013 19:35:37 +0530
> Subject: Please help to configure Haproxy with SSL support
> From: ram.eas...@gmail.com
> To: haproxy@formilux.org
>
> Dear Team,
>
> We are trying to load balance two app servers running on tomcat with
> ssl enabled using HAPROXY, but we couldn't find proper resources to
> configure the same
>
> Please share with us the steps to configure the same, which will help us a lot
>
> Thank you..!
>
> Regards,
>
> Eswar
Please help to configure Haproxy with SSL support
Dear Team,

We are trying to load balance two app servers running on tomcat with ssl enabled using HAPROXY, but we couldn't find proper resources to configure the same

Please share with us the steps to configure the same, which will help us a lot

Thank you..!

Regards,

Eswar
option httpchk
Hello,

I have a question about configuring health checks in haproxy

By default I have not configured option httpchk in my haproxy configuration. webserver1 and webserver2 are answering. (roundrobin balance) webserver1 is down (service httpd stop) and webserver2 is answering without any problems. GREAT!

is it right that haproxy checks only the tcp connection without any option?

Now I want haproxy to say webserver1 is only healthy if I can read url /index.php and not /index.html for example

  frontend http
    bind 192.168.36.59:80
    mode http
    option httpclose
    default_backend default

  backend default
    option httpchk /index.php
    server web01 192.168.36.57:80 check
    server web02 192.168.36.58:80 check

Now in my opinion http://192.168.36.59/index.html is wrong and no server is showing the page. But I can see the page.

How can I configure a health check for really testing the site, like only http 200 ok is showing the page, or only /index.php is correct and /index.html is not ok

Greetings
RE: Active/active HAProxy
> It's a point in time dump and restore of the in flight packets.

Can't dump the details and in flight content of a TCP session if the host is already dead.

So either this will work only for manual switchovers (but not for sudden hardware/software failure; also at this point TCP connection repair would probably be a solution) or you sync everything in realtime with the other proxy, but to do that, you will need a huge uplink between them.

Also, suppose you can implement this through netfilter/pfsync (I've my doubts about that) and by patching haproxy, how do you avoid that the "standby" TCP session on proxy 2 interferes with the TCP session prior to a switchover/failover? I guess you would need additional kernel hacks.

In the end, you will end up spending so much cpu and memory for standby tcp sessions and the syncing, that the solution will be as performant as an active/standby solution and it will increase the complexity in your load-balancer.

> prefer a proper solution to avoid the renegotiation on
> the client side

It's a huge and complex task to do, which I didn't see anyone doing before. If you or your client has the resources to implement this, please go ahead and tell us how exactly you did it.

But for a "would prefer a stateful solution to avoid a TCP RST + a new TCP handshake when a proxy dies" (so to speak; if iptables is configured accordingly), I would certainly not do it.

The benefit of it simply doesn't justify the effort, imho.

Lukas