Re: change in stick-table mapping

2013-05-26 Thread Baptiste
Hi Will,

From your configuration, the application server is supposed to set up
the SIMULATE_STICKY_SESSION.
Can you confirm it is the case?

Baptiste

On Thu, May 23, 2013 at 1:11 PM, Will Glass-Husain wgl...@forio.com wrote:
 Hi,

 I'm running haproxy-ss-20130509.  I have load balancing set up with a stick
 table using an application-generated sticky session cookie.  This is running on
 two haproxy instances (with an Amazon ELB front-end).

 I'm noticing that the server will occasionally change a mapping from one
 server to another for no apparent reason.  In other words, a given cookie
 value will go to server app1, and then later it will switch over to app2.
 The log doesn't show a DOWN message for app1.

 What might the cause of this be?  As I read the docs, the entries in the
 stick-table are supposed to expire only after idle time - is that correct?

 peers balancers
 peer balancer1 10.0.2.85:1024
 peer balancer2 10.0.3.174:1024

 backend simulate
 option httpchk OPTIONS /simulate/api/status
 stick-table type string len 40 size 5M expire 120m peers balancers
 stick store-response set-cookie(SIMULATE_STICKY_SESSION) table simulate
 stick on cookie(SIMULATE_STICKY_SESSION) table simulate
 stick on url_param(SIMULATE_STICKY_SESSION,;) table simulate

 server app1 10.0.2.11:8080  cookie app1 check inter 1
 server app2 10.0.3.11:8080  cookie app2 check inter 1

 Best, WILL



Re: Possible bug with compression

2013-05-26 Thread Sander Klein

Hey Baptiste,

Thanks for your answer. Just to be sure: if I do 'option 
http-server-close' in the defaults section and then use 'no option 
http-server-close' in the backend, the option is disabled for 
connections to that backend, right?


I know http-server-close is not compatible with NTLM but I also have 
backends to different servers which can use http-server-close. So I just 
disable it for certain backends.


Compression not being compatible with tunnel mode sounds good enough to 
me. If it's known then it's fine with me ;-)


Regards,

Sander

On 26.05.2013 16:04, Baptiste wrote:

Hi,

Your configuration is not compatible with NTLM.
NTLM requires the connection remains available over the time or
authentication is broken.
When you enable http-server-close, haproxy will change the connection
for each HTTP request.
So disable it, you'll pass in the tunnel mode.

That said, I'm almost sure compression is not compatible with tunnel 
mode.


Baptiste


On Thu, May 23, 2013 at 10:44 AM, Sander Klein roe...@roedie.nl 
wrote:

Hi,

I think I've found a possible bug with the combination SSL, compression and
NTLM auth. But, I'm not sure if it's really a bug or if NTLM auth is crap
(well it is...).

When enabling compression the authorization fails sometimes. When I disable
compression everything is fine. I don't know if it's just a silly thing to
enable compression in this situation. Has anyone else tried this?

I'm running haproxy-dev18-ss-20130512 and my config is like:

defaults
  log global

  mode http

  compression algo gzip

  option http-server-close
  option tcp-smart-accept
  option tcp-smart-connect
  option abortonclose

frontend default-fe
  bind 1.2.3.4:80
  bind a:b:c:d:e:f:80
  bind 1.2.3.4:443 ssl crt /etc/haproxy/ssl/some.pem ciphers RC4:HIGH:!aNULL:!MD5
  bind a:b:c:d:e:f:443 ssl crt /etc/haproxy/ssl/some.pem ciphers RC4:HIGH:!aNULL:!MD5

  maxconn 512

  option httplog
  option forwardfor
  option splice-auto

  # Add X-Forwarded-* headers
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Ssl on if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if ! { ssl_fc }
  http-request set-header X-Forwarded-Ssl off if ! { ssl_fc }

  # Define hosts which need to redirect to HTTPS
  acl need_ssl hdr(Host) -i iis.host.local

  redirect scheme https if need_ssl ! { ssl_fc }

  # Define backends and redirect correct hostnames
  use_backend iis-backend if { hdr(Host) -i iis.host.local }

backend iis-backend
  fullconn 20

  no option http-server-close
  option httpchk GET / HTTP/1.0

  server iis-stuff 2.3.4.5:80 cookie iis check inter 2000


Regards,

Sander
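
Baptiste's explanation above of why http-server-close breaks NTLM, as a toy model added here (not code from the thread or from haproxy): the backend keeps NTLM handshake state per server-side connection, so a proxy that opens a new server connection for every request loses the challenge. The `Backend`, `Proxy` and `run_client` names, the simplified three-step exchange and the status codes are constructed for illustration.

```python
"""Toy model (constructed) of connection-bound NTLM auth behind a proxy."""
import itertools


class Backend:
    """Server that tracks NTLM state per TCP connection, as NTLM requires."""

    def __init__(self):
        self.state = {}  # conn_id -> "challenged" | "authed"

    def handle(self, conn_id, auth):
        st = self.state.get(conn_id)
        if st == "authed":
            return 200                    # connection is already authenticated
        if auth == "NEGOTIATE":           # NTLM type 1 message
            self.state[conn_id] = "challenged"
            return 401                    # response carries the type 2 challenge
        if auth == "AUTHENTICATE" and st == "challenged":
            self.state[conn_id] = "authed"   # type 3 arrived on the same connection
            return 200
        return 401                        # no handshake state on this connection


class Proxy:
    """server_close=True models 'option http-server-close': one server
    connection per request. False models a kept server connection."""

    def __init__(self, backend, server_close):
        self.backend = backend
        self.server_close = server_close
        self.ids = itertools.count(1)
        self.conn = None

    def forward(self, auth):
        if self.server_close or self.conn is None:
            self.conn = next(self.ids)    # new server-side connection
        return self.backend.handle(self.conn, auth)


def run_client(server_close):
    """Send type 1, type 3, then a plain request; return the status codes."""
    proxy = Proxy(Backend(), server_close)
    return [proxy.forward(a) for a in ("NEGOTIATE", "AUTHENTICATE", None)]


if __name__ == "__main__":
    print("kept connection:   ", run_client(False))
    print("http-server-close: ", run_client(True))
```
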






RE: [PATCH] DOC: readme: add suggestion to link against static openssl

2013-05-26 Thread Lukas Tribus
Resending the patch as attachment, as it doesn't seem to have reached the
list.

Regards,
Lukas



 From: luky...@hotmail.com
 To: haproxy@formilux.org
 CC: btal...@aeriagames.com; w...@1wt.eu; luky...@hotmail.com
 Subject: [PATCH] DOC: readme: add suggestion to link against static openssl
 Date: Sun, 19 May 2013 16:47:46 +0200
 
 Adds a suggestion in README how to link against a static build of openssl.
 
 This is useful if the OS includes an old openssl release and recent features
 or ciphers are required.
 ---
  README |   11 +++
  1 file changed, 11 insertions(+)
 
 diff --git a/README b/README
 index 54ba1b7..9c0bca3 100644
 --- a/README
 +++ b/README
 @@ -90,6 +90,17 @@ will automatically be linked with haproxy. Some systems 
 also require libz, so
  if the build fails due to missing symbols such as deflateInit(), then try 
 again
  with ADDLIB=-lz.
  
 +To link OpenSSL statically against haproxy, build OpenSSL with the no-shared
 +keyword and install it to a local directory, so your system is not affected :
 +
 +$ export STATICLIBSSL=/tmp/staticlibssl
 +$ ./config --prefix=$STATICLIBSSL no-shared
 +$ make  make install_sw
 +
 +When building haproxy, pass that path via ADDINC and ADDLIB to make and 
 include
 +libdl (-ldl).
 +$ make TARGET=linux2628 USE_OPENSSL=1 ADDINC=-I$STATICLIBSSL/include 
 ADDLIB=-L$STATICLIBSSL/lib -ldl
 +
  It is also possible to include native support for ZLIB to benefit from HTTP
  compression. For this, pass USE_ZLIB=1 on the make command line and 
 ensure
  that zlib is present on the system.
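
Review bot: the haproxy build command at the end of the added text passes ADDLIB=-L$STATICLIBSSL/lib -ldl without quotes, so the shell splits it at the space and -ldl reaches make as a separate argument instead of being part of ADDLIB; quote the value, for example ADDLIB="-L$STATICLIBSSL/lib -ldl". The OpenSSL step "$ make  make install_sw" also reads as if the separator between the two commands is missing (presumably "make && make install_sw"). Since the commit message gives an old system OpenSSL as the motivation, the README text would benefit from one more sentence saying that a statically linked haproxy no longer picks up OpenSSL fixes from the OS packages and has to be rebuilt for each OpenSSL update, and /tmp/staticlibssl is a questionable example prefix because /tmp is normally world-writable.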
 -- 
 1.7.9.5
 

0001-DOC-readme-add-suggestion-to-link-against-static-ope.patch
Description: Binary data