Re: change in stick-table mapping
Hi Will,

From your configuration, the application server is supposed to set up the SIMULATE_STICKY_SESSION. Can you confirm it is the case?

Baptiste

On Thu, May 23, 2013 at 1:11 PM, Will Glass-Husain wgl...@forio.com wrote:

Hi,

I'm running haproxy-ss-20130509. I have load balancing set up with a stick table using an application-generated sticky session cookie. This is running on two haproxy instances (with an Amazon ELB front-end).

I'm noticing that the server will occasionally change a mapping from one server to another for no apparent reason. In other words, a given cookie value will go to server app1, and then later it will switch over to app2. The log doesn't show a DOWN message for app1.

What might the cause of this be? As I read the docs, the entries in the stick-table are supposed to expire only after idle time - is that correct?

    peers balancers
        peer balancer1 10.0.2.85:1024
        peer balancer2 10.0.3.174:1024

    backend simulate
        option httpchk OPTIONS /simulate/api/status
        stick-table type string len 40 size 5M expire 120m peers balancers
        stick store-response set-cookie(SIMULATE_STICKY_SESSION) table simulate
        stick on cookie(SIMULATE_STICKY_SESSION) table simulate
        stick on url_param(SIMULATE_STICKY_SESSION,;) table simulate
        server app1 10.0.2.11:8080 cookie app1 check inter 1
        server app2 10.0.3.11:8080 cookie app2 check inter 1

Best,
WILL
Re: Possible bug with compression
Hey Baptiste,

Thanks for your answer.

Just to be sure: if I do 'option http-server-close' in the defaults section and then use 'no option http-server-close' in the backend, the option is disabled for connections to that backend, right?

I know http-server-close is not compatible with NTLM but I also have backends to different servers which can use http-server-close. So I just disable it for certain backends.

Compression not being compatible with tunnel mode sounds good enough to me. If it's known then it's fine with me ;-)

Regards,
Sander

On 26.05.2013 16:04, Baptiste wrote:

Hi,

Your configuration is not compatible with NTLM. NTLM requires the connection remains available over the time or authentication is broken. When you enable http-server-close, haproxy will change the connection for each HTTP request. So disable it, you'll pass in the tunnel mode.

That said, I'm almost sure compression is not compatible with tunnel mode.

Baptiste

On Thu, May 23, 2013 at 10:44 AM, Sander Klein roe...@roedie.nl wrote:

Hi,

I think I've found a possible bug with the combination SSL, compression and NTLM auth. But, I'm not sure if it's really a bug or if NTLM auth is crap (well it is...).

When enabling compression the authorization fails sometimes. When I disable compression everything is fine. I don't know if it's just a silly thing to enable compression in this situation. Has anyone else tried this?

I'm running haproxy-dev18-ss-20130512 and my config is like:

    defaults
        log global
        mode http
        compression algo gzip
        option http-server-close
        option tcp-smart-accept
        option tcp-smart-connect
        option abortonclose

    frontend default-fe
        bind 1.2.3.4:80
        bind a:b:c:d:e:f:80
        bind 1.2.3.4:443 ssl crt /etc/haproxy/ssl/some.pem ciphers RC4:HIGH:!aNULL:!MD5
        bind a:b:c:d:e:f:443 ssl crt /etc/haproxy/ssl/some.pem ciphers RC4:HIGH:!aNULL:!MD5
        maxconn 512
        option httplog
        option forwardfor
        option splice-auto

        # Add X-Forwarded-* headers
        http-request set-header X-Forwarded-Proto https if { ssl_fc }
        http-request set-header X-Forwarded-Ssl on if { ssl_fc }
        http-request set-header X-Forwarded-Proto http if ! { ssl_fc }
        http-request set-header X-Forwarded-Ssl off if ! { ssl_fc }

        # Define hosts which need to redirect to HTTPS
        acl need_ssl hdr(Host) -i iis.host.local
        redirect scheme https if need_ssl ! { ssl_fc }

        # Define backends and redirect correct hostnames
        use_backend iis-backend if { hdr(Host) -i iis.host.local }

    backend iis-backend
        fullconn 20
        no option http-server-close
        option httpchk GET / HTTP/1.0
        server iis-stuff 2.3.4.5:80 cookie iis check inter 2000

Regards,
Sander
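Added example, not part of the thread or of haproxy: a small Python model of Baptiste's point above that NTLM authenticates a connection, so a proxy that opens a new server-side connection per request breaks the handshake. The class and function names are hypothetical, and the client simply echoes the challenge where real NTLM would send a computed response.

```python
import secrets

class NtlmBackend:
    """Toy origin server: handshake state is keyed by connection, as NTLM over HTTP is."""
    def __init__(self):
        self.pending = {}   # conn_id -> challenge issued on that connection
        self.authed = set() # conn_ids that completed the handshake

    def handle(self, conn_id, auth):
        if conn_id in self.authed:
            return 200, None
        if auth is None:
            return 401, "NTLM"
        kind, _, value = auth.partition(":")
        if kind == "type1":                       # NEGOTIATE: issue a CHALLENGE
            self.pending[conn_id] = secrets.token_hex(8)
            return 401, "type2:" + self.pending[conn_id]
        if kind == "type3" and self.pending.pop(conn_id, None) == value:
            self.authed.add(conn_id)              # AUTHENTICATE matched this connection
            return 200, None
        return 401, "NTLM"                        # no challenge known on this connection

class Proxy:
    """server_close=True models a fresh server-side connection for every request."""
    def __init__(self, backend, server_close):
        self.backend, self.server_close = backend, server_close
        self.next_id, self.conn = 0, None

    def forward(self, auth):
        if self.conn is None or self.server_close:
            self.next_id += 1
            self.conn = self.next_id
        return self.backend.handle(self.conn, auth)

def ntlm_login(proxy):
    """Run the three-leg exchange through the proxy and return the final status."""
    status, hdr = proxy.forward(None)
    status, hdr = proxy.forward("type1:negotiate")
    if hdr and hdr.startswith("type2:"):
        status, hdr = proxy.forward("type3:" + hdr[len("type2:"):])
    return status

if __name__ == "__main__":
    print("server-close:", ntlm_login(Proxy(NtlmBackend(), server_close=True)))
    print("persistent  :", ntlm_login(Proxy(NtlmBackend(), server_close=False)))
```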
RE: [PATCH] DOC: readme: add suggestion to link against static openssl
Resending the patch as attachment, as it doesn't seem to have reached the list.

Regards,
Lukas

From: luky...@hotmail.com
To: haproxy@formilux.org
CC: btal...@aeriagames.com; w...@1wt.eu; luky...@hotmail.com
Subject: [PATCH] DOC: readme: add suggestion to link against static openssl
Date: Sun, 19 May 2013 16:47:46 +0200

Adds a suggestion in README how to link against a static build of openssl. This is useful if the OS includes an old openssl release and recent features or ciphers are required.

--- README | 11 +++ 1 file changed, 11 insertions(+) diff --git a/README b/README index 54ba1b7..9c0bca3 100644 --- a/README +++ b/README @@ -90,6 +90,17 @@ will automatically be linked with haproxy. Some systems also require libz, so if the build fails due to missing symbols such as deflateInit(), then try again with ADDLIB=-lz. +To link OpenSSL statically against haproxy, build OpenSSL with the no-shared +keyword and install it to a local directory, so your system is not affected : + +$ export STATICLIBSSL=/tmp/staticlibssl +$ ./config --prefix=$STATICLIBSSL no-shared +$ make make install_sw + +When building haproxy, pass that path via ADDINC and ADDLIB to make and include +libdl (-ldl). +$ make TARGET=linux2628 USE_OPENSSL=1 ADDINC=-I$STATICLIBSSL/include ADDLIB=-L$STATICLIBSSL/lib -ldl + It is also possible to include native support for ZLIB to benefit from HTTP compression. For this, pass USE_ZLIB=1 on the make command line and ensure that zlib is present on the system. -- 1.7.9.5

0001-DOC-readme-add-suggestion-to-link-against-static-ope.patch
Description: Binary data
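Review bot: In the last added command, ADDLIB=-L$STATICLIBSSL/lib -ldl is unquoted, so the shell passes -ldl to make as a separate argument instead of as part of ADDLIB; quote the value, for example ADDLIB="-L$STATICLIBSSL/lib -ldl". As it appears here, the OpenSSL build step reads "$ make make install_sw", which asks make for a target named make, so the two make invocations need a command separator between them. The suggested prefix /tmp/staticlibssl sits in a world-writable directory; since the libraries installed there end up linked into the haproxy binary, a directory owned by the build user would be a safer example. A blank "+" line before the final "$ make" line would also match the layout of the first command block.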