
HAProxy Hostname/Domain used for backend Servers

2014-04-01 Thread Summer Nguyen

Hi,
I find that HAProxy only resolves the DNS name of a backend server at start-up
time:

  server sv1.mydomain.com sv1.mydomain.com:80 check port 80 inter 4000 weight 10
  server sv2.mydomain.com sv2.mydomain.com:80 check port 80 inter 4000 weight 10

Even if the DNS server has changed the A record, or I manually set the record in
/etc/hosts, HAProxy doesn't recognise this change.

Can anyone confirm that, or give me the official document about this?
I'm trying to look it up in the documentation but with no luck.

Thank you very much.



RE: HAProxy Hostname/Domain used for backend Servers

2014-04-01 Thread Lukas Tribus
Hi, 


> Hi,
> I find that HAProxy only resolves the DNS name of a backend server at start-up
> time:
>
>   server sv1.mydomain.com sv1.mydomain.com:80 check port 80 inter 4000 weight 10
>   server sv2.mydomain.com sv2.mydomain.com:80 check port 80 inter 4000 weight 10
>
> Even if the DNS server has changed the A record, or I manually set the record in
> /etc/hosts, HAProxy doesn't recognise this change.
>
> Can anyone confirm that, or give me the official document about this?
> I'm trying to look it up in the documentation but with no luck.
> Thank you very much.

Confirmed:
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-server

address is the IPv4 or IPv6 address of the server. Alternatively, a
    resolvable hostname is supported, but this name will be resolved
    during start-up.




Regards,

Lukas 
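The documentation Lukas quotes settles the 1.5 behaviour: the name is resolved once at start-up, and from then on traffic keeps going to whatever address was obtained at that moment, so a changed A record (or an /etc/hosts entry) only takes effect on a reload. HAProxy 1.6 added a `resolvers` section and per-server runtime resolution. What follows is an added example for 1.6 or later, not configuration from this thread or from the HAProxy project; the nameserver addresses and the backend are made up, and the server lines reuse Summer's parameters.

```haproxy
# HAProxy 1.6 or later: servers keep re-resolving their hostname at runtime
# instead of freezing the answer obtained at start-up.
resolvers internal_dns
    nameserver dns1 192.0.2.53:53
    nameserver dns2 192.0.2.54:53
    resolve_retries 3
    timeout retry   1s
    # keep using the last valid answer for 10s between lookups
    hold valid      10s

backend bk_web
    mode http
    # 'resolvers' attaches the section above; 'resolve-prefer' picks the
    # address family when the name has both A and AAAA records.
    server sv1 sv1.mydomain.com:80 check port 80 inter 4000 weight 10 resolvers internal_dns resolve-prefer ipv4
    server sv2 sv2.mydomain.com:80 check port 80 inter 4000 weight 10 resolvers internal_dns resolve-prefer ipv4
```

Two caveats worth knowing before relying on this: the internal resolver speaks DNS directly to the nameservers listed, so an /etc/hosts override still has no effect; and the first lookup at start-up still goes through libc, with 1.7's `init-addr` server option controlling what happens when that first lookup fails. On 1.5 the only options remain resolving the names when the configuration is generated and reloading when the answer changes.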


Re: [PATCH] proxy: support use_backend with dynamic names

2014-04-01 Thread Steven Le Roux
Great to hear :)

I do not work in the same environment anymore, so I cannot test the
last improvement on this config. It was a generated config file like
yours, with a few thousand backends sharing a dozen frontends. The
startup time was about 10 to 15 minutes too.

I could rebase my generation code with some dummy config just to
test it. I was not using DNS.

Thx Willy for these improvements!

On Tue, Apr 1, 2014 at 1:57 AM, Rajat Chopra rcho...@redhat.com wrote:

> Hi Steven,
>
> With the patch from Bertrand, you should not need many ACLs I believe.
>
> For the thousands of backends, yes, I did have the issue with huge startup
> times, but it has been solved with recent commits from Willy.
> 'Huge' is relative obviously - it came down from 15 minutes or so to 8s, and
> for me it is reasonable enough now.
>
> I changed a few things in my config file too and I have posted the
> optimizations in the stackoverflow post - e.g. use fullconn 1000 in defaults
> and use IP addresses for destinations instead of DNS.
>
> Did you try the latest code from git? Send an example of your config file
> otherwise and I am sure the experts on the list will be able to help.
>
> Best,
> Rajat
>
> - Original Message -
> From: Steven Le Roux ste...@le-roux.info
> To: Rajat Chopra rcho...@redhat.com
> Cc: haproxy haproxy@formilux.org
> Sent: Monday, March 31, 2014 4:04:55 PM
> Subject: Re: [PATCH] proxy: support use_backend with dynamic names
>
>> Hi !
>>
>> Since I experienced the same behaviour with a similar configuration, don't
>> you have a huge startup time due to the ACL parsing ?
>>
>> --
>> Steven Le Roux
>> On 28 March 2014 at 01:59, Rajat Chopra rcho...@redhat.com wrote:
>>
>>> Hi!
>>> This solution very much solves the problem that I have been facing, i.e.
>>> a large number of acl rules causing latency in requests. Been in discussions
>>> separately about it and today I got a chance to test out this patch. I
>>> report that it works great! I have been able to route 150k backends with
>>> this and the latency added because of the dynamic lookup is in the order of
>>> microseconds (compared to 24ms earlier).
>>>
>>> The usage 'use_backend bk_%[hdr(Host)] if TRUE' works for my use-case but
>>> originally I was wondering if one could do a map based lookup for the
>>> backend.
>>> As posted here :
>>>
>>> http://stackoverflow.com/questions/22025412/how-to-use-thousands-of-backends-in-haproxy-is-the-new-map-feature-useful-for-t
>>>
>>> Most of the issues in the above question are now solved, but I tested this
>>> with the patch -
>>> use_backend bk_%[hdr(Host), map(host_to_backend_map.file)] if TRUE
>>>
>>> And it does not work. I am not yet familiar with the code to determine why
>>> this does not work. Again, the current proposal works well for me but an
>>> enhancement should probably consider using maps within dynamic lookup.
>>>
>>> +1 for the patch.
>>> Thanks.
>>> Rajat
>>>
>>>> Hi Bertrand,
>>>>
>>>> On Sun, Mar 23, 2014 at 04:18:44PM +0100, Bertrand Jacquin wrote:
>>>>> Hi,
>>>>>
>>>>> I did this patch for dev19 some time ago but I am still not sure whether
>>>>> it is the best way to do it or not, and did not have the time to discuss
>>>>> it since. As the latest changes broke it and forced me to rebase it, and
>>>>> it's very useful for us, I'd like to propose it for inclusion before the
>>>>> final release if you think it's OK, or to discuss how it should be done.
>>>>
>>>> Great!
>>>>
>>>>> The main purpose I wanted to achieve is to be able to use many backends
>>>>> without the need to declare each routing process from frontend to
>>>>> backend and instead use generic and dynamic switching when a sane
>>>>> parameter can be used from the user request using the logformat logic. For
>>>>> example when we have a backend farm dedicated to each 'Host: ' http-header,
>>>>> it's a pain in the ass to have to declare the backend and the relevant
>>>>> use_backend.
>>>>
>>>> Yes I know there's this request coming from time to time. In fact it
>>>> was even planned to work like this before we finally went with ACLs
>>>> and use_backend, but we felt it would be a too limited design (eg: no
>>>> choice of other routing key).
>>>>
>>>>> With the proposed solution, you first need to declare a dynamic
>>>>> use_backend as the following :
>>>>>
>>>>>   use_backend bk_cust_%[hdr(Host)] if { hdr(Host) -m found }
>>>>>
>>>>> And then to declare the needed backend. For every new vhost hosted, one
>>>>> will only need to add the backend section to the configuration.
>>>>
>>>> I'm not opposed to the feature at all, in fact I've even been involved
>>>> in a discussion about something more or less in this vein recently. But
>>>> I'm having some fears about the use of the %[] form in a use_backend
>>>> directive. Indeed, this string format was initially done only for
>>>> logformat. Then it was adopted for unique-id. Then for all http-request
>>>> directives. And we start to see from time to time people trying to use
>>>> it in places which have no relation with it (eg: in ACL declaration).
>>>>
>>>> I'm seeing several solutions in fact :
>>>>   - yours above
>>>>
>>>>   - append some argument to
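With Bertrand's patch the client-chosen Host header selects the backend by name, so the value becomes untrusted input feeding a routing decision. The configuration below is an added example of using it with a guard; it is not from this thread or from the HAProxy project, and it assumes the feature as it shipped in HAProxy 1.5 plus made-up backend names and addresses. A request whose Host is not a plain lowercase hostname is refused, the generated backends live under their own bk_cust_ prefix so no Host value can name an internal backend, and a Host that matches no backend skips the dynamic rule and ends in default_backend. A Host carrying an explicit port is rejected by this pattern; strip it first if your clients send one.

```haproxy
frontend ft_http
    bind *:80
    mode http

    # Host is chosen by the client and now selects a backend, so treat it as
    # untrusted input: accept only a plain lowercase hostname (no port, no
    # path, nothing that could spell another backend's name). A missing
    # Host fails the match as well.
    acl host_ok req.hdr(Host),lower -m reg ^[a-z0-9.-]+$
    http-request deny if !host_ok

    # Generated backends all live under the bk_cust_ prefix, so the worst a
    # crafted Host can do is pick a customer backend that exists anyway.
    use_backend bk_cust_%[req.hdr(Host),lower] if host_ok

    # A Host that names no backend skips the dynamic rule and lands here.
    default_backend bk_unknown_host

backend bk_unknown_host
    mode http
    http-request deny

# One section per vhost; nothing else has to change in the frontend.
backend bk_cust_www.example.com
    mode http
    server s1 192.0.2.10:80 check

backend bk_cust_shop.example.com
    mode http
    server s1 192.0.2.20:80 check
```

Lower-casing on both the ACL and the use_backend line matters: backend names are looked up as written, so `WWW.Example.com` would otherwise miss the `bk_cust_www.example.com` section and fall into the catch-all.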

Re: HAProxy Hostname/Domain used for backend Servers

2014-04-01 Thread Summer Nguyen

Hi Lukas,
Thank you very much.
On 01/04/2014 15:24, Lukas Tribus wrote:

> Confirmed:
> http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-server
>
> address is the IPv4 or IPv6 address of the server. Alternatively, a
>     resolvable hostname is supported, but this name will be resolved
>     during start-up.
>
> Regards,
>
> Lukas





haproxy ssl questions

2014-04-01 Thread Jarno Huuskonen
Hello,

I have a couple of haproxy (1.5dev22 snapshot) ssl related questions:

Is it possible to use mod_ssl compatible optional_no_ca client
cert verify with haproxy:
  - is it possible to use ca-ignore-err for this.
  (I think apache 2.2.7 (mod_ssl) ignores these errors w/optional_no_ca:
    #define ssl_verify_error_is_optional(errnum) \
       ((errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \
        || (errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \
        || (errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \
        || (errnum == X509_V_ERR_CERT_UNTRUSTED) \
        || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
  )
  - so ca-ignore-err 18,19,20,27,21 should be the same as optional_no_ca ?
  - or is the correct keyword crt-ignore-err (or both :) ?

Is it possible to send the client certificate to the backend server in a header
(similar to mod_ssl +ExportCertData / nginx $ssl_client_cert):
  - I think something like:
    http-request set-header X-SSL-Client-Cert %{+Q}[ssl_c_cert]
  - AFAIK currently there's no keyword / code for this ? But would it be
    possible to add a new smp_fetch_ssl_c_* function for this ?
    (I might try to code it myself if this sounds reasonable ?)

- ssl offloading and nbproc:
  - is nbproc > 1 the recommended way to handle ssl offloading if one core
    is not able to handle the load ?
  - is it possible to use stick tables with nbproc > 1:
    - for example bind-process 1-3 for ssl enabled frontends and
      bind-process 4 for backends - is it possible to use stick tables
      on backends ?
    - stick table peers with nbproc > 1 ?

Thanks,
-Jarno



Re: haproxy ssl questions

2014-04-01 Thread Baptiste
Hi Jarno,

some information available here:
http://blog.exceliance.fr/2013/06/13/ssl-client-certificate-information-in-http-headers-and-logs/
and here:
http://blog.exceliance.fr/2012/10/03/ssl-client-certificate-management-at-application-level/

concerning nbproc, you should make all your SSL processes point to
a single HAProxy process in clear where you do your stick-table stuff.
Each frontend and backend must be in the same process, so you must
pass information through the loopback interface between your SSL
frontends and your HTTP backends with stick-tables.

Baptiste






Re: haproxy ssl questions

2014-04-01 Thread Jarno Huuskonen
Hi Baptiste,

On Tue, Apr 01, Baptiste wrote:
> Hi Jarno,
>
> some information available here:
> http://blog.exceliance.fr/2013/06/13/ssl-client-certificate-information-in-http-headers-and-logs/
> and here:
> http://blog.exceliance.fr/2012/10/03/ssl-client-certificate-management-at-application-level/

Thanks. crt-ignore-err 18,19,20,27,21 seems to allow connections with a
client certificate that the server can't verify.

ExportCertData / nginx $ssl_client_cert: What I would need is the
client certificate in PEM format (this is for a Java web application
that does its own certificate checks (shibboleth-idp backchannel
connections)). I guess this is not possible without any code changes.

> concerning nbproc, you should make all your SSL processes point to
> a single HAProxy process in clear where you do your stick-table stuff.
> Each frontend and backend must be in the same process, so you must
> pass information through the loopback interface between your SSL
> frontends and your HTTP backends with stick-tables.

I'm not sure if I understand you correctly. You don't happen to have
any configuration examples ?

-Jarno

PS. Thank you for your blog posts. Very useful resource.
 

-- 
Jarno Huuskonen - System Administrator |  jarno.huuskonen atsign uef.fi
Univ. of Eastern Finland - Computer Center |  Work:   +358-40-3552822
PO BOX 1627, 70211 Kuopio, Finland
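A concrete layout for what Baptiste describes, as an added example that is not configuration from this thread, from the blog posts, or from the HAProxy project. It assumes HAProxy 1.5 as released: the `ssl_c_der`, `ssl_c_used` and `ssl_c_verify` fetches and the `base64` converter as documented there (the dev22 snapshot discussed here may not have all of them), PROXY-protocol support on the loopback hop so the stick table keys on the real client address, and made-up file paths and server addresses. Processes 1-3 do nothing but TLS; process 4 owns every frontend and backend that shares state. The X-SSL-* headers are deleted before being set, and deleted again on the plaintext frontend, so the backend can trust them; the certificate is passed as base64 DER, which the application can wrap into PEM itself, and the OpenSSL verify result travels alongside it because the bind line deliberately tolerates the same error codes Jarno lists.

```haproxy
global
    nbproc 4
    daemon

defaults
    mode http
    option httplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Processes 1-3 only terminate TLS and forward in clear over loopback.
# No stick table here: it would be private to whichever process happened to
# accept the connection, which is exactly the limitation being discussed.
frontend ft_ssl
    bind-process 1-3
    bind *:443 ssl crt /etc/haproxy/server.pem ca-file /etc/haproxy/client-ca.pem verify optional crt-ignore-err 18,19,20,27,21 ca-ignore-err 18,19,20,27,21
    # Drop any client-supplied copies before setting our own, so the
    # application can trust these headers unconditionally.
    http-request del-header X-SSL-Client-Cert
    http-request del-header X-SSL-Client-Verify
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-SSL-Client-Verify %[ssl_c_verify]     if { ssl_c_used }
    http-request set-header X-SSL-Client-Cert   %[ssl_c_der,base64] if { ssl_c_used }
    default_backend bk_to_http

backend bk_to_http
    bind-process 1-3
    # send-proxy carries the real client address across the loopback hop
    server http 127.0.0.1:8080 send-proxy

# Process 4 does all the routing and owns the stick table.
frontend ft_from_ssl
    bind-process 4
    bind 127.0.0.1:8080 accept-proxy
    default_backend bk_app

frontend ft_plain
    bind-process 4
    bind *:80
    # Plaintext clients must not be able to forge what ft_ssl sets.
    http-request del-header X-SSL-Client-Cert
    http-request del-header X-SSL-Client-Verify
    http-request set-header X-Forwarded-Proto http
    default_backend bk_app

backend bk_app
    bind-process 4
    option forwardfor
    # src is the original client address thanks to the PROXY protocol, so
    # persistence behaves the same for TLS and plaintext clients.
    stick-table type ip size 100k expire 30m
    stick on src
    server app1 192.0.2.11:8080 check
    server app2 192.0.2.12:8080 check
```

Only the loopback listener accepts the PROXY protocol, and it is bound to 127.0.0.1, so nothing outside the box can use it to spoof a source address. A base64 certificate of a few KB per request stays well inside the default 16 KB request buffer, but check `tune.bufsize` if your client certificates carry large extensions.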



Haproxy MySQL support

2014-04-01 Thread Lewis retros
Hi,
I am trying to create a panel to create proxies. I was wondering if you
will ever add MySQL support for haproxy, where you enter something like what
you want it to configure, so you can easily create proxies via the
database?

I am trying to just execute

  listen Whatever MyServer:3
    mode tcp
    option tcplog
    maxconn 20
    balance roundrobin
    server Whatever IPV4:3

to the configuration database in PHP, but it's being a pain, so it'd be
easier to just do it via MySQL.

If you have plans for the future for MySQL support, please tell me.



haproxy intermittently not connecting to backend

2014-04-01 Thread Patrick Hemmer
We have an issue with haproxy (1.5-dev22-1a34d57) where it is
intermittently not connecting to the backend server. However the
behavior it is exhibiting seems strange.
The reason I say strange is that in one example, it logged that the
client disconnected after ~49 seconds with connection flags of CC--.
However our config has timeout connect 5000, so it should have timed
out connecting to the backend server after 5 seconds. Additionally we
have retries 3 in the config, so upon timing out, it should have tried
another backend server, but it never did (the retries counter in the log
shows 0).
At the time of this log entry, the backend server is responding
properly. For the ~49 seconds prior to the log entry, the backend server
has taken other requests. The backend server is also another haproxy
(same version).

Here's an example of one such log entry:

198.228.211.13:60848 api~ platform-push/i-84d931a5 49562/0/-1/-1/49563 0/0/0/0/0 0/0 691/212 503 CC-- 4F8E-4624 + GET /1/sync/notifications/subscribe?sync_box_id=12345&sender=27B9A93C-F473-4385-A662-352AD34A2453 HTTP/1.1

The log format is defined as:
%ci:%cp\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %U/%B\ %ST\ %tsc\ %ID\ +\ %r

Running a "show errors" on the stats socket did not return any relevant
results.

Here are the relevant portions of the haproxy config. It is not the entire
thing, as the whole config is 1,513 lines long.

global
  log 127.0.0.1 local0
  maxconn 20480
  user haproxy
  group haproxy
  daemon
  stats socket /var/run/hapi/haproxy/haproxy.sock level admin

defaults
  log global
  mode http
  option httplog
  option dontlognull
  option log-separate-errors
  retries 3
  option redispatch
  timeout connect 5000
  timeout client 6
  timeout server 17
  option clitcpka
  option srvtcpka
  option abortonclose
  option splice-auto
  monitor-uri /haproxy/ping
  stats enable
  stats uri /haproxy/stats
  stats refresh 15
  stats auth user:pass

frontend api
  bind *:80
  bind *:443 ssl crt /etc/haproxy/server.pem
  maxconn 2
  option httpclose
  option forwardfor
  acl internal src 10.0.0.0/8
  acl have_request_id req.fhdr(X-Request-Id) -m found
  http-request set-nice -100 if internal
  http-request add-header X-API-URL %[path] if !internal
  http-request add-header X-Request-Timestamp %Ts.%ms
  http-request add-header X-Request-Id %[req.fhdr(X-Request-Id)] if internal have_request_id
  http-request set-header X-Request-Id %{+X}o%pid-%rt if !internal || !have_request_id
  http-request add-header X-API-Host i-4a3b1c6a
  unique-id-format %{+X}o%pid-%rt
  log-format %ci:%cp\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %U/%B\ %ST\ %tsc\ %ID\ +\ %r
  default_backend DEFAULT_404

  acl rewrite-found req.hdr(X-Rewrite-ID,1) -m found

  acl nqXn_path path_reg ^/1/sync/notifications/subscribe/([^\ ?]*)$
  acl nqXn_method method OPTIONS GET HEAD POST PUT DELETE TRACE CONNECT PATCH
  http-request set-header X-Rewrite-Id nqXn if !rewrite-found nqXn_path nqXn_method
  acl rewrite-nqXn req.hdr(X-Rewrite-Id) -m str nqXn
  use_backend platform-push if rewrite-nqXn
  reqrep ^(OPTIONS|GET|HEAD|POST|PUT|DELETE|TRACE|CONNECT|PATCH)\ /1/sync/notifications/subscribe/([^\ ?]*)([\ ?].*|$) \1\ /1/sync/subscribe/\2\3 if rewrite-nqXn


backend platform-push
  option httpchk GET /ping
  default-server inter 15s fastinter 1s
  server i-6eaf724d 10.230.23.64:80 check observe layer4
  server i-84d931a5 10.230.42.8:80 check observe layer4



Re: haproxy intermittently not connecting to backend

2014-04-01 Thread Patrick Hemmer
Apologies, my mail client went stupid. Here's the log entry unmangled:

198.228.211.13:60848 api~ platform-push/i-84d931a5 49562/0/-1/-1/49563 0/0/0/0/0 0/0 691/212 503 CC-- 4F8E-4624 + GET /1/sync/notifications/subscribe?sync_box_id=12496&sender=D7A9F93D-F653-4527-A022-383AD55A1943 HTTP/1.1

-Patrick






BUG/FEATURE? http-request always applied if backend not available

2014-04-01 Thread Bertrand Jacquin
Hi Willy,

I'm getting into trouble with this sample configuration when the backend has no
server available:

defaults HTTP
  mode http

  option httplog
  log global

frontend ft_public
  bind 0.0.0.0:80 name HTTP
  bind 0.0.0.0:443 name HTTPS ssl crt foo.pem

  acl v-local hdr(Host) 203.0.113.42
  acl p-admin path_beg /__bar

  http-request redirect scheme https code 301 if v-local p-admin ! { ssl_fc }

  use_backend bk_local if v-local p-admin

  default_backend bk_default

backend bk_local
  balance source
  option forwardfor except 127.0.0.1/8

  server localhost 127.0.0.1:8080 weight 10 maxconn 100 check inter 1000 fall 2 rise 2

backend bk_default
  block if TRUE

If bk_local has a server UP in the farm, and the request looks like
https://203.0.113.42/__bar, then everything is fine; the request is nicely
handled by bk_local/localhost. http://203.0.113.42/__bar is correctly
redirected.

If bk_local has no server UP in the farm, then the 'http-request
redirect scheme' is always applied instead of a 503 response. I don't
know if this is really the intended result. In the request
(https://203.0.113.42/__bar),

  v-local match
  p-admin match
  ! { ssl_fc } does not match

So no redirection should be applied.

I'm using HA-Proxy version 1.5-dev22-1a34d57 2014/02/03
Copyright 2000-2014 Willy Tarreau w...@1wt.eu

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = x86_64-pc-linux-gnu-gcc
  CFLAGS  = -march=native -O2 -pipe -fomit-frame-pointer -fno-strict-aliasing
  OPTIONS = USE_LIBCRYPT=1 USE_GETADDRINFO=1 USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1 USE_PCRE_JIT=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
Running on OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.33 2013-05-28
PCRE library supports JIT : yes
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Thanks.

-- 
Bertrand



Re: BUG/FEATURE? http-request always applied if backend not available

2014-04-01 Thread Cyril Bonté

Hi Bertrand,

On 01/04/2014 23:10, Bertrand Jacquin wrote:

> If bk_local has a server UP in the farm, and the request looks like
> https://203.0.113.42/__bar, then everything is fine; the request is nicely
> handled by bk_local/localhost. http://203.0.113.42/__bar is correctly
> redirected.
>
> If bk_local has no server UP in the farm, then the 'http-request
> redirect scheme' is always applied instead of a 503 response. I don't
> know if this is really the intended result. In the request
> (https://203.0.113.42/__bar),

I'm not sure I understand. Did you mean to write
http://203.0.113.42/__bar just above?
If it was supposed to be http instead of https, I'd call it a
feature, and you can use nbsrv to disable redirects when no
server is available.

>   v-local match
>   p-admin match
>   ! { ssl_fc } does not match
>
> So no redirection should be applied.




--
Cyril Bonté
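The nbsrv guard Cyril mentions, written out against Bertrand's configuration as an added example (it is not from this thread or from the HAProxy project): the 301 is issued only while bk_local has at least one server UP; when it has none, a plaintext request for the admin path reaches bk_local and gets HAProxy's ordinary 503 instead of a redirect. ACL names, addresses and paths are Bertrand's; only the `local-up` ACL and its use are new.

```haproxy
frontend ft_public
    bind 0.0.0.0:80  name HTTP
    bind 0.0.0.0:443 name HTTPS ssl crt foo.pem

    acl v-local  hdr(Host) 203.0.113.42
    acl p-admin  path_beg  /__bar
    # true while bk_local has at least one server UP
    acl local-up nbsrv(bk_local) gt 0

    # Send plaintext admin requests to HTTPS only while something can serve
    # them; otherwise fall through so the backend answers 503 as usual.
    http-request redirect scheme https code 301 if v-local p-admin !{ ssl_fc } local-up

    use_backend bk_local if v-local p-admin
    default_backend bk_default

backend bk_local
    balance source
    option forwardfor except 127.0.0.1/8
    server localhost 127.0.0.1:8080 weight 10 maxconn 100 check inter 1000 fall 2 rise 2

backend bk_default
    http-request deny
```

Keeping the redirect conditional on `!{ ssl_fc }` is what prevents a loop on the HTTPS listener; the extra `local-up` condition only changes what an outage looks like to the client (a 503 rather than a redirect), it does not change the HTTPS-only policy for /__bar.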



Re: BUG/FEATURE? http-request always applied if backend not available

2014-04-01 Thread Bertrand Jacquin
Hi Cyril,

On Tuesday 1 April 2014 at 23:35, Cyril Bonté wrote:

>> If bk_local has a server UP in the farm, and the request looks like
>> https://203.0.113.42/__bar, then everything is fine; the request is nicely
>> handled by bk_local/localhost. http://203.0.113.42/__bar is correctly
>> redirected.
>>
>> If bk_local has no server UP in the farm, then the 'http-request
>> redirect scheme' is always applied instead of a 503 response. I don't
>> know if this is really the intended result. In the request
>> (https://203.0.113.42/__bar),
>
> I'm not sure I understand. Did you mean to write
> http://203.0.113.42/__bar just above?

No, https://203.0.113.42/__bar should not pass 'http-request redirect
scheme' as not all the prerequisites are matched.

I need the 'http-request redirect scheme' to be applied only if the request is
for the right vhost (v-local) and for the right path (p-admin) and if it
is not an ssl request.

> If it was supposed to be http instead of https, I'd call it a
> feature, and you can use nbsrv to disable redirects when no
> server is available.

Sure, but I'm more trying to understand that behaviour here.

-- 
Bertrand



Re: BUG/FEATURE? http-request always applied if backend not available

2014-04-01 Thread Cyril Bonté

On 01/04/2014 23:42, Bertrand Jacquin wrote:

> No, https://203.0.113.42/__bar should not pass 'http-request redirect
> scheme' as not all the prerequisites are matched.
>
> I need the 'http-request redirect scheme' to be applied only if the request is
> for the right vhost (v-local) and for the right path (p-admin) and if it
> is not an ssl request.
>
>> If it was supposed to be http instead of https, I'd call it a
>> feature, and you can use nbsrv to disable redirects when no
>> server is available.
>
> Sure, but I'm more trying to understand that behaviour here.

OK, then I'm not convinced it happened. Do you have some captures that
show an https request being redirected?



--
Cyril Bonté



Re: BUG/FEATURE? http-request always applied if backend not available

2014-04-01 Thread Cyril Bonté

On 01/04/2014 23:56, Bertrand Jacquin wrote:

> When bk_local/localhost is UP :
>
> $ curl -vk -so /dev/null https://203.0.113.42/__bar/
> (...)
> > GET /__bar/ HTTP/1.1
> > User-Agent: curl/7.35.0
> > Host: 203.0.113.42
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Date: Tue, 01 Apr 2014 21:54:46 GMT
> * Server Apache is not blacklisted
> < Server: Apache
> < Expires: Tue, 01 Apr 2014 21:54:46 +
> < Cache-Control: no-store, no-cache, must-revalidate, pre-check=0, post-check=0, max-age=0
> < Last-Modified: Tue, 01 Apr 2014 21:54:46 +
> < Transfer-Encoding: chunked
> < Content-Type: text/html; charset=utf-8
> < Vary: Accept-Encoding
> < Strict-Transport-Security: max-age=16070400
> { [data not shown]
> * Connection #0 to host 203.0.113.42 left intact
>
> When bk_local/localhost is DOWN :
>
> $ curl -vk -so /dev/null https://203.0.113.42/__bar/
> (...)
> > GET /__bar/ HTTP/1.1
> > User-Agent: curl/7.35.0
> > Host: 203.0.113.42
> > Accept: */*
> >
> < HTTP/1.1 301 Moved Permanently
> < Content-length: 0
> < Location: https://203.0.113.42/__bar/
> < Vary: Accept-Encoding
> < Strict-Transport-Security: max-age=16070400
> <
> * Connection #0 to host 203.0.113.42 left intact

What is adding the Vary and Strict-Transport-Security headers in this
second case ?




--
Cyril Bonté



Re: BUG/FEATURE? http-request always applied if backend not available

2014-04-01 Thread Bertrand Jacquin
On Wednesday 2 April 2014 at 00:13, Cyril Bonté wrote:
> What is adding the Vary and Strict-Transport-Security headers in this
> second case ?

A missing 'http-response set-header' in the previous copy and paste.

  http-response set-header Vary Accept-Encoding
  http-response set-header Strict-Transport-Security max-age=16070400 if { ssl_fc }

-- 
Bertrand



Re: BUG/FEATURE? http-request always applied if backend not available

2014-04-01 Thread Cyril Bonté

On 02/04/2014 00:16, Bertrand Jacquin wrote:

>> What is adding the Vary and Strict-Transport-Security headers in this
>> second case ?
>
> A missing 'http-response set-header' in the previous copy and paste.
>
>   http-response set-header Vary Accept-Encoding
>   http-response set-header Strict-Transport-Security max-age=16070400 if { ssl_fc }

Sorry, but we're certainly missing something in your configuration.
Even if those set-header rules were added, they can't be applied to the
redirect with the configuration provided in the example.

It makes me think there is a second level of proxy in your test. Am I
wrong?



--
Cyril Bonté