Re: suggestion - include files
Hi Will,

On Sat, Apr 13, 2013 at 05:49:33PM -0700, Will Glass-Husain wrote:
> Hi,
>
> I recently converted over an Apache front end to haproxy. My Apache server
> was mainly composed of proxies and rewrites to various internal servers, so
> haproxy was a great alternative.
>
> One feature I miss from Apache is the ability to include files (e.g. setting
> up a folder and including everything in the folder). This is a nice way (for
> example) of adding redirects for new hosts or apps in a modular fashion. (My
> setup has half a dozen domain names and about 10 backends).
>
> It'd be nice to be able to do
>
>     Include /etc/haproxy/appinfo.conf
>     Include /etc/haproxy/conf.d/*.conf
>
> in the haproxy file to provide this modularity.

This was discussed in the past, but this would cause several caveats related
to the way haproxy works with sections (eg: one include file changes the
current section to a new one, loops, etc). So in the end it was decided that
instead of supporting includes, we support loading multiple files at once,
each file having complete sections. I'm personally used to doing this with a
file for the global section and the peers, and the rest for various
instances. But it really depends how you want to manage your files.

Hoping this helps,
Willy
Haproxy 1.4
Hi, thank you so much for your wonderful work, I am currently using it for my
final year project. However I have faced problems implementing your work.

Current setup
VMware player
Suse linux 12.2
Haproxy 1.4.23
Apache2

I was able to get the haproxy to work at first, however after editing the
config files and running the command /etc/init.d/haproxy restart, haproxy
detects my apache servers as down L7STS/404, frontend up and backend down.
However accessing the server on firefox works fine, able to display the
webpage.

Server ip is 192.168.88.97
apache is on 192.168.88.97:80

config is

global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    #log loghost local0 info
    maxconn 4096
    #debug
    #quiet
    user haproxy
    group haproxy

defaults
    log global
    mode http
    option httplog
    option dontlognull
    retries 3
    redispatch
    maxconn 2000
    contimeout 5000
    clitimeout 5
    srvtimeout 5

listen webfarm 192.168.0.99:80
    mode http
    stats enable
    stats auth someuser:somepassword
    balance roundrobin
    cookie JSESSIONID prefix
    option httpclose
    option forwardfor
    option httpchk HEAD /check.txt HTTP/1.0
    server webA 192.168.88.97:80 cookie A check
Re: Haproxy 1.4
Hi,

On Sun, Apr 14, 2013 at 05:08:53PM +0800, Joshua Chee wrote:
> Hi, thank you so much for your wonderful work, I am currently using it for
> my final year project. However I have faced problems implementing your work.
>
> Current setup
> VMware player
> Suse linux 12.2
> Haproxy 1.4.23
> Apache2
>
> I was able to get the haproxy to work at first, however after editing the
> config files and running the command /etc/init.d/haproxy restart, haproxy
> detects my apache servers as down L7STS/404, frontend up and backend down.
> However accessing the server on firefox works fine, able to display the
> webpage.

This is very likely caused by either a truly missing file from apache's
document root (/check.txt in your case), or a problem with a virtual host
setting. If your file /check.txt really exists, then maybe you need to pass
the Host header in the request this way :

    option httpchk HEAD /check.txt HTTP/1.0\r\nHost:\ example.com

Willy
Re: Haproxy 1.4
Thank you for your very prompt response! Will buy you a cup of coffee when I
am home.

I don't remember having the file check.txt, however will check when I am
home. What puzzled me is it was working fine before I did the restart.

I am very new to this sorry, however what is the check.txt supposed to
contain?

Also do you have an alternative for wackamole or heartbeat for suse linux?

On 14 Apr 2013 17:24, Willy Tarreau w...@1wt.eu wrote:
> Hi,
>
> On Sun, Apr 14, 2013 at 05:08:53PM +0800, Joshua Chee wrote:
> > Hi, thank you so much for your wonderful work, I am currently using it for
> > my final year project. However I have faced problems implementing your
> > work.
> >
> > Current setup
> > VMware player
> > Suse linux 12.2
> > Haproxy 1.4.23
> > Apache2
> >
> > I was able to get the haproxy to work at first, however after editing the
> > config files and running the command /etc/init.d/haproxy restart, haproxy
> > detects my apache servers as down L7STS/404, frontend up and backend down.
> > However accessing the server on firefox works fine, able to display the
> > webpage.
>
> This is very likely caused by either a truly missing file from apache's
> document root (/check.txt in your case), or a problem with a virtual host
> setting. If your file /check.txt really exists, then maybe you need to pass
> the Host header in the request this way :
>
>     option httpchk HEAD /check.txt HTTP/1.0\r\nHost:\ example.com
>
> Willy
Re: Haproxy 1.4
On Sun, Apr 14, 2013 at 05:29:13PM +0800, Joshua Chee wrote:
> Thank you for your very prompt response! Will buy you a cup of coffee when I
> am home.
>
> I don't remember having the file check.txt, however will check when I am
> home. What puzzled me is it was working fine before I did the restart.
>
> I am very new to this sorry, however what is the check.txt supposed to
> contain?

Nothing special, you can replace it with whatever file already exists. I
suppose it did exist in the past and someone removed it not knowing what it
was used for. You can as well check /favicon.ico if it exists for example.

> Also do you have an alternative for wackamole or heartbeat for suse linux?

I personally like keepalived which is very well suited to services like
haproxy and which combines very well with it. I would strongly recommend it
instead of other solutions that are more service-oriented than network
oriented.

Willy
Re: Haproxy 1.4
Thank you. So check.txt is just an empty txt file?

On 14 Apr 2013 17:38, Willy Tarreau w...@1wt.eu wrote:
> On Sun, Apr 14, 2013 at 05:29:13PM +0800, Joshua Chee wrote:
> > Thank you for your very prompt response! Will buy you a cup of coffee when
> > I am home.
> >
> > I don't remember having the file check.txt, however will check when I am
> > home. What puzzled me is it was working fine before I did the restart.
> >
> > I am very new to this sorry, however what is the check.txt supposed to
> > contain?
>
> Nothing special, you can replace it with whatever file already exists. I
> suppose it did exist in the past and someone removed it not knowing what it
> was used for. You can as well check /favicon.ico if it exists for example.
>
> > Also do you have an alternative for wackamole or heartbeat for suse linux?
>
> I personally like keepalived which is very well suited to services like
> haproxy and which combines very well with it. I would strongly recommend it
> instead of other solutions that are more service-oriented than network
> oriented.
>
> Willy
RE: Haproxy 1.4
Hi,

> Thank you. So check.txt is just an empty txt file?

Yes. You can test this with curl. Your configuration expects the following
request to return 200 OK:

    curl -I http://192.168.88.97:80/check.txt

If this is not happening, either because the file doesn't exist, HEAD
requests are not allowed or Apache requires a Host: header due to a vhost
configuration, then haproxy will mark the server down.

Regards,
Lukas
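An added example, not from the thread, that turns an "option httpchk" line (including the "\r\nHost:\ ..." form Willy suggests above) into the curl request Lukas describes, so the exact request haproxy's health check sends can be replayed by hand, and that maps the resulting status code to the verdict shown on the stats page. The address and host name are the ones quoted in this thread; no server is contacted by the helper itself.

```shell
#!/bin/sh
# Decodes "option httpchk METHOD URI VERSION" the way haproxy 1.4 reads it and
# prints the equivalent curl command. Two config escapes matter here:
#   "\ "    a literal space inside one argument (e.g. "Host:\ example.com")
#   "\r\n"  inside the VERSION field: extra header lines sent after the request line
httpchk_to_curl() {
    addr=$1            # server address:port, e.g. 192.168.88.97:80
    shift
    printf '%s\n' "$*" | awk -v addr="$addr" '
    {
        sub(/^[[:space:]]*option[[:space:]]+httpchk[[:space:]]*/, "")
        gsub(/\\ /, "\001")                       # protect escaped spaces
        n = split($0, f, /[[:space:]]+/)
        method = (n >= 1 && f[1] != "") ? f[1] : "OPTIONS"   # haproxy defaults
        uri    = (n >= 2) ? f[2] : "/"            # when the line has no args
        ver    = (n >= 3) ? f[3] : "HTTP/1.0"
        m = split(ver, part, /\\r\\n/)            # part[2..m] are extra headers
        cmd = "curl -sS -o /dev/null -w \047%{http_code}\047"
        if (part[1] == "HTTP/1.0") cmd = cmd " --http1.0"
        cmd = cmd ((method == "HEAD") ? " -I" : " -X " method)
        for (i = 2; i <= m; i++) {
            hdr = part[i]; gsub("\001", " ", hdr)
            cmd = cmd " -H \047" hdr "\047"
        }
        gsub("\001", " ", uri)
        print cmd " http://" addr uri
    }'
}

# Maps the status code curl printed to what haproxy 1.4 shows on the stats
# page: 2xx and 3xx are healthy, anything else is the L7STS seen in the thread.
httpchk_verdict() {
    case $1 in
        2[0-9][0-9]|3[0-9][0-9]) echo "UP (L7OK/$1)" ;;
        *)                       echo "DOWN (L7STS/$1)" ;;
    esac
}
```

Run the printed curl command against the backend; a 404 from Apache's default vhost usually means the Host header is missing, a 404 with the right Host means the file really is gone.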
Is this possible in HAPROXY 1.4
Hi All,

We have been testing HAPROXY 1.4 on a Cloud environment for a forthcoming
implementation; due to the constraints on the cloud provider's SLB we decided
to look at using something else. So I implemented HAPROXY, and everything
seemed to be going smoothly, until we started doing some functional testing.

The problem lies with the vendor's application which uses Liferay. Some of
the URLs in the application have the links hard-coded as http, instead of
https, so when we try the test the web page just hangs instead of
re-directing to the correct page.

In a browser trace we see the request as:

    http:///servicedesk/controller?docommand=renderradform..

when it should be https://

I have played around with the haproxy configuration using 'redirect location
https://' and 'redirect prefix https://' but without success.

On speaking to the vendor, they are aware of this issue, and for their own
implementations they have used a physical F5 NLB and re-directed all http
traffic over to https.

Am I able to do this in HAPROXY 1.4?

Many thanks for your time.

Best regards
Jon

--- posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,690173,690173#msg-690173
RE: Is this possible in HAPROXY 1.4
Hi Jon!

> I have played around with the haproxy configuration using 'redirect
> location https://' and 'redirect prefix https://' but without success.

And what exactly is the issue with that? Redirecting is a very basic task
haproxy can do without problems.

> On speaking to the vendor, they are aware of this issue, and for their own
> implementations they have used a physical F5 NLB and re-directed all http
> traffic over to https.

Redirecting from http to https is not a problem at all. If on the other hand
you need to enable SSL on the load-balancer or use SSL enabled backends, then
you need haproxy 1.5 (which is published as development releases).

> Am I able to do this in HAPROXY 1.4?

Redirecting between URL schemes: yes, no problem.
Terminating SSL (https) on the load-balancer: not with haproxy 1.4, you need
haproxy 1.5 for that.

Regards,
Lukas
Re: Is this possible in HAPROXY 1.4
Hi Lukas,

Thanks for taking the time to respond.

It might help to explain further how the environment is set up. The data flow
goes:

User - Internet - Cloud Firewall - Cloud SLB - DMZ Web Agent - - HAPROXY - Liferay Application

The SSL termination is done at the Cloud SLB end, the traffic is then sent on
to the Web Agent and then on to HAPROXY and then out to the application. This
mostly works fine, but for some of these functional elements we get this
problem: when we click on some of the sub menus in the application it fails
to load, and the analyzer shows that the user is trying to access the
resource using http instead of https.

There is no SSL termination performed by HAPROXY, as the traffic is being
passed via our Cloud SLB.

This is my current configuration:

global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon
    stats socket /var/lib/haproxy/stats

defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000

frontend http-openfire
    bind *:7070
    default_backend openfire

backend openfire
    balance roundrobin
    server :7070 check
    server :7070 check

frontend http-uapi
    bind *:7080
    default_backend uapi

backend uapi
    balance roundrobin
    server :7080 check
    server :7080 check

frontend http-sec
    bind *:8080
    default_backend sec

backend sec
    balance roundrobin
    server :8080 check
    server :8080 check

frontend http-wall
    bind *:9080
    default_backend wall

backend wall
    balance roundrobin
    server :9080 check
    server :9080 check

frontend http-xmpp
    bind *:9090
    default_backend xmpp

backend xmpp
    balance roundrobin
    server :9090 check
    server :9090 check

frontend http-aim
    bind *:10080
    default_backend aim

backend aim
    balance roundrobin
    server :10080 check
    server :10080 check

frontend http-servicedesk
    bind *:8081
    default_backend servicedesk

backend servicedesk
    balance roundrobin
    server :8081 check
    server :8081 check

listen stats :1936
    mode http
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /
    stats auth haproxy:

The bit that I am trying to work out concerns the 'backend servicedesk' and
how I can make HAPROXY take the http request from the application and turn it
into a https request. Does this mean I have to install something like STUNNEL
and the certificate on the HAPROXY server in order for it to be https?

What I tried was:

frontend unsecured *:80
    redirect location https://

(this is resolvable via a hosts file entry to the app1 server)

frontend secured *:443
    mode http
    default_backend httpsapp

backend httpsapp
    mode http
    balance roundrobin
    server app1 :8081 check
    server app2 :8081 check

But that doesn't seem to affect the outcome of the request. I'm probably
being stupid and not understanding what I need to cater for.

Thanks again.

Jon

--- posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,690173,690196#msg-690196
Re: Can't get client side certificate to work (repost)
Thank you, that did the trick! Such a beginner's mistake on my part :)

cheers,
Tom

On Saturday, April 13, 2013 at 7:25 AM, Baptiste wrote:
> ---------- Forwarded message ----------
> From: Baptiste bed...@gmail.com
> Date: Sat, Apr 13, 2013 at 4:23 PM
> Subject: Re: Can't get client side certificate to work (repost)
> To: Lukas Tribus luky...@hotmail.com
> Cc: Thomas Dudziak tom...@gmail.com, haproxy@formilux.org
>
> Hi Thomas,
>
> I could reproduce the issue and I could also find the fix.
> Your CA, server and client certificate can't have the same CN!
>
> Please update your certificate generation script like below:
> ===
> export SUBJECT_CA='/C=US/ST=California/L=San Francisco/CN=CA'
> export SUBJECT_SERVER='/C=US/ST=California/L=San Francisco/CN=www.example.com'
> export SUBJECT_CLIENT1='/C=US/ST=California/L=San Francisco/CN=client1'
>
> # certificate authority creation
> openssl genrsa -out ca.key 4096
> openssl req -new -x509 -days 365 -key ca.key -out ca.crt -subj "$SUBJECT_CA"
>
> # server certificate creation
> openssl genrsa -out server.key 1024
> openssl req -new -key server.key -out server.csr -subj "$SUBJECT_SERVER"
> openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
>
> # client certificate creation
> openssl genrsa -out client.key 1024
> openssl req -new -key client.key -out client.csr -subj "$SUBJECT_CLIENT1"
> openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
>
> # haproxy wants the server certificate and its key in one PEM file
> cat server.crt server.key > server.pem
> sudo cp server.pem /etc/haproxy/server.pem
> sudo cp ca.crt /etc/haproxy/ca.crt
>
> And it will work as expected:
>
> curl -vk --key client.key --cert client.crt https://localhost:4443
> * About to connect() to localhost port 4443 (#0)
> *   Trying ::1... Connexion refusée
> *   Trying 127.0.0.1... connected
> * Connected to localhost (127.0.0.1) port 4443 (#0)
> * successfully set certificate verify locations:
> *   CAfile: none
>   CApath: /etc/ssl/certs
> * SSLv3, TLS handshake, Client hello (1):
> * SSLv3, TLS handshake, Server hello (2):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS handshake, Request CERT (13):
> * SSLv3, TLS handshake, Server finished (14):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS handshake, Client key exchange (16):
> * SSLv3, TLS handshake, CERT verify (15):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSL connection using AES256-SHA
> * Server certificate:
> *   subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd; CN=www.server.com
> *   start date: 2013-04-13 14:16:56 GMT
> *   expire date: 2014-04-13 14:16:56 GMT
> *   common name: www.server.com (does not match 'localhost')
> *   issuer: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd; CN=CA
> *   SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> > GET / HTTP/1.1
> > User-Agent: curl/7.21.0 (x86_64-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15 libssh2/1.2.6
> > Host: localhost:4443
> > Accept: */*
> >
> * HTTP 1.0, assume close after body
> < HTTP/1.0 503 Service Unavailable
> < Cache-Control: no-cache
> < Connection: close
> < Content-Type: text/html
> <
> <html><body><h1>503 Service Unavailable</h1>
> No server is available to handle this request.
> </body></html>
> * SSLv3, TLS alert, Client hello (1):
> * Closing connection #0
> * SSLv3, TLS alert, Client hello (1):
> ===
>
> Baptiste
>
> On Sat, Apr 13, 2013 at 9:20 AM, Baptiste bed...@gmail.com wrote:
> > Hi Tom,
> >
> > Sorry I did not have any time to answer you either on the blog or on the
> > ML. I'm very busy at work currently.
> > I'll have a look at your issue on Sunday and hopefully I'll find out the
> > issue.
> > That said, please give a try to Lukas' advice :)
> >
> > Baptiste
> >
> > On Fri, Apr 12, 2013 at 8:15 PM, Lukas Tribus luky...@hotmail.com wrote:
> > > Hi Thomas,
> > >
> > > > I'm trying to follow this blog post:
> > > > http://blog.exceliance.fr/2012/10/03/ssl-client-certificate-management-at-application-level/,
> > > > but I can't get the client certificate to work with 1.5dev18.
> > >
> > > Could you try a few older releases, specifically dev12, 13 and 14 (which
> > > is around the time that blog post was written).
> > >
> > > I did not play with client side certificates yet, so I'm not sure how it
> > > works exactly, but testing older releases will help to understand whether
> > > this is a regression in haproxy or if we need to focus on things like
> > > certificate issues, etc.
> > >
> > > Cheers,
> > > Lukas
RE: Is this possible in HAPROXY 1.4
Hi!

> Cloud Firewall - Cloud SLB - DMZ Web Agent

Well, do they all forward TCP port 80 to your haproxy box? There is not much
haproxy can do if the http request doesn't even arrive.

Configuration would probably look like this (use redirect prefix, not
redirect location):

    frontend unsecured *:80
        redirect prefix https://www.example.org

Regards,
Lukas
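An added example, not from the thread, that computes the Location header each of the two rules Jon tried would produce for his request, which shows why "redirect prefix" keeps the user on the page while "redirect location" sends every request to the same URL, and a curl check to confirm the live answer once the rule is in place. The host name is the placeholder from Lukas' reply; the request URI is the one from Jon's browser trace.

```shell
#!/bin/sh
# Location header haproxy 1.4 emits for a redirect rule (no drop-query, no
# condition): "location" replaces the whole URL with its argument, "prefix"
# prepends its argument to the original request URI (path and query string).
# $1 = location|prefix, $2 = rule argument, $3 = request URI as sent by the client
expected_location() {
    mode=$1 target=$2 request_uri=$3
    case $mode in
        location) printf '%s\n' "$target" ;;
        prefix)   printf '%s%s\n' "$target" "$request_uri" ;;
        *) echo "unknown redirect mode: $mode" >&2; return 1 ;;
    esac
}

# Live check: request the plain-http URL once without following redirects and
# compare the Location the load balancer answers with against the expectation.
# $1 = full http:// URL to request, $2 = expected Location
check_redirect() {
    url=$1 expected=$2
    got=$(curl -sS -o /dev/null -w '%{redirect_url}' "$url") || return 1
    [ "$got" = "$expected" ]
}
```

For Jon's case: check_redirect "http://www.example.org/servicedesk/controller?docommand=renderradform" "$(expected_location prefix https://www.example.org '/servicedesk/controller?docommand=renderradform')".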
Re: suggestion - include files
Thanks - that's helpful. I don't see that in the docs.

Do Globals apply to the definitions in all the files? Similarly, can a front
end in one file reference a back end in another file?

WILL

On Sun, Apr 14, 2013 at 12:23 AM, Willy Tarreau w...@1wt.eu wrote:
> Hi Will,
>
> On Sat, Apr 13, 2013 at 05:49:33PM -0700, Will Glass-Husain wrote:
> > Hi,
> >
> > I recently converted over an Apache front end to haproxy. My Apache
> > server was mainly composed of proxies and rewrites to various internal
> > servers, so haproxy was a great alternative.
> >
> > One feature I miss from Apache is the ability to include files (e.g.
> > setting up a folder and including everything in the folder). This is a
> > nice way (for example) of adding redirects for new hosts or apps in a
> > modular fashion. (My setup has half a dozen domain names and about 10
> > backends).
> >
> > It'd be nice to be able to do
> >
> >     Include /etc/haproxy/appinfo.conf
> >     Include /etc/haproxy/conf.d/*.conf
> >
> > in the haproxy file to provide this modularity.
>
> This was discussed in the past, but this would cause several caveats
> related to the way haproxy works with sections (eg: one include file
> changes the current section to a new one, loops, etc). So in the end it
> was decided that instead of supporting includes, we support loading
> multiple files at once, each file having complete sections. I'm personally
> used to doing this with a file for the global section and the peers, and
> the rest for various instances. But it really depends how you want to
> manage your files.
>
> Hoping this helps,
> Willy

--
Forio Online Simulations
Will Glass-Husain
415 440-7500x89
wgl...@forio.com
www.forio.com
Re: suggestion - include files
On Sun, Apr 14, 2013 at 06:10:37PM -0700, Will Glass-Husain wrote:
> Thanks - that's helpful. I don't see that in the docs.
>
> Do Globals apply to the definitions in all the files?

Yes.

> Similarly, can a front end in one file reference a back end in another
> file?

Yes, in practice, files are concatenated when loaded. The only thing is that
in order to avoid painful issues, a file must begin with a section (eg: you
can't have a file containing just servers for example).

Willy
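An added example, not part of the thread, that lays out the modular setup Willy describes (global and defaults in one file, one complete-section file per application in conf.d/) and enforces the rule from this reply that every file haproxy loads must begin with a section before building the multi-file "haproxy -f ... -f ..." command line. The directory layout, application name and addresses are constructed.

```shell
#!/bin/sh
# Section keywords a file may legally start with (haproxy 1.4 set, plus peers).
SECTION_RE='^[[:space:]]*(global|defaults|frontend|backend|listen|peers|userlist)([[:space:]]|$)'

# True if the first line that is neither blank nor a comment opens a section.
first_line_is_section() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | head -n 1 | grep -Eq "$SECTION_RE"
}

# Prints the -f arguments that load haproxy.cfg first and then conf.d/*.conf in
# name order, which is the order haproxy concatenates them in. Any fragment
# that does not start with a section is rejected before haproxy ever sees it.
# Typical use: haproxy -c $(build_haproxy_args /etc/haproxy)
build_haproxy_args() {
    dir=$1
    args="-f $dir/haproxy.cfg"
    for f in "$dir"/conf.d/*.conf; do
        [ -e "$f" ] || continue
        if ! first_line_is_section "$f"; then
            printf 'error: %s does not begin with a section\n' "$f" >&2
            return 1
        fi
        args="$args -f $f"
    done
    printf '%s\n' "$args"
}

# Constructed sample tree: global/defaults in haproxy.cfg, one app fragment
# that keeps its frontend and backend together so the file is self-contained.
make_sample_layout() {
    d=$(mktemp -d)
    mkdir -p "$d/conf.d"
    printf 'global\n    daemon\n\ndefaults\n    mode http\n    timeout connect 5s\n' \
        > "$d/haproxy.cfg"
    printf '# app1: frontend and backend kept in one file\nfrontend app1\n    bind *:8081\n    default_backend app1\n\nbackend app1\n    server a1 10.0.0.11:8081 check\n' \
        > "$d/conf.d/10-app1.conf"
    printf '%s\n' "$d"
}
```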