HAProxy Hostname/Domain used for backend Servers
Hi,

I find that HAProxy only resolves the DNS of backend servers at start-up time:

    server sv1.mydomain.com sv1.mydomain.com:80 check port 80 inter 4000 weight 10
    server sv2.mydomain.com sv2.mydomain.com:80 check port 80 inter 4000 weight 10

Even if the DNS server has changed the A record, or I manually set the record in /etc/hosts, HAProxy doesn't recognise this change.

Can anyone confirm that? Or give me the official document about this? I'm trying to look it up in the documentation, but no luck.

Thank you very much.
RE: HAProxy Hostname/Domain used for backend Servers
Hi,

Confirmed: http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-server

> address is the IPv4 or IPv6 address of the server. Alternatively, a resolvable hostname is supported, but this name will be resolved during start-up.

Regards,
Lukas
Re: [PATCH] proxy: support use_backend with dynamic names
Great to hear :)

I do not work in the same environment anymore, so I cannot test the last improvement on this config. It was a generated config file like yours, with a few thousand backends sharing a dozen frontends. The startup time was about 10 to 15 minutes too.

I could rebase my generation code with some dummy config just to test it. I was not using DNS.

Thanks Willy for these improvements!

On Tue, Apr 1, 2014 at 1:57 AM, Rajat Chopra rcho...@redhat.com wrote:
> Hi Steven,
>
> With the patch from Bertrand, you should not need many ACLs I believe. For the thousands of backends, yes, I did have the issue with huge startup times, but it has been solved with recent commits from Willy. 'Huge' is relative obviously - it came down from 15 minutes or so to 8s, and for me it is reasonable enough now. I changed a few things in my config file too and I have posted the optimizations in the stackoverflow post - e.g. use fullconn 1000 in defaults and use IP addresses for destinations instead of DNS.
>
> Did you try the latest code from git? Send an example of your config file otherwise and I am sure the experts on the list will be able to help.
>
> Best,
> Rajat
>
> ----- Original Message -----
> From: Steven Le Roux ste...@le-roux.info
> To: Rajat Chopra rcho...@redhat.com
> Cc: haproxy haproxy@formilux.org
> Sent: Monday, March 31, 2014 4:04:55 PM
> Subject: Re: [PATCH] proxy: support use_backend with dynamic names
>
>> Hi!
>>
>> Since I experienced the same behaviour with a similar configuration, don't you have a huge startup time due to the ACL parsing?
>>
>> --
>> Steven Le Roux
>>
>> On 28 March 2014 01:59, Rajat Chopra rcho...@redhat.com wrote:
>>> Hi!
>>>
>>> This solution very much solves the problem that I have been facing, i.e. a large number of acl rules causing latency in requests. Been in discussions separately about it and today I got a chance to test out this patch. I report that it works great!
>>>
>>> I have been able to route 150k backends with this and the latency added because of the dynamic lookup is in the order of microseconds (compared to 24ms earlier).
>>>
>>> The usage 'use_backend bk_%[hdr(Host)] if TRUE' works for my use-case, but originally I was wondering if one could do a map based lookup for the backend. As posted here: http://stackoverflow.com/questions/22025412/how-to-use-thousands-of-backends-in-haproxy-is-the-new-map-feature-useful-for-t
>>>
>>> Most of the issues in the above question are now solved, but I tested this with the patch:
>>>
>>>     use_backend bk_%[hdr(Host), map(host_to_backend_map.file)] if TRUE
>>>
>>> And it does not work. I am not yet familiar with the code to determine why this does not work. Again, the current proposal works well for me, but an enhancement should probably consider using maps within dynamic lookup.
>>>
>>> +1 for the patch.
>>>
>>> Thanks.
>>> Rajat
>>>
>>>> Hi Bertrand,
>>>>
>>>> On Sun, Mar 23, 2014 at 04:18:44PM +0100, Bertrand Jacquin wrote:
>>>>> Hi,
>>>>>
>>>>> I did this patch for dev19 some time ago but I am still not sure whether it is the best way to do it or not, and did not have the time to discuss it since. As the latest changes broke it and forced me to rebase it, and it's very useful for us, I'd like to propose it for inclusion before the final release if you think it's OK, or to discuss how it should be done.
>>>>
>>>> Great!
>>>>
>>>>> The main purpose I wanted to achieve is to be able to use many backends without the need to declare each routing process from frontend to backend, and instead use generic and dynamic switching when a sane parameter can be used from the user request, using the logformat logic.
>>>>>
>>>>> For example, when we have a backend farm dedicated to each 'Host:' http-header, it's a pain in the ass to have to declare the backend and the relevant use_backend.
>>>>
>>>> Yes, I know there's this request coming from time to time. In fact it was even planned to work like this before we finally went with ACLs and use_backend, but we felt it would be a too limited design (eg: no choice of other routing key).
>>>>
>>>>> With the proposed solution, you first need to declare a dynamic use_backend as the following:
>>>>>
>>>>>     use_backend bk_cust_%[hdr(Host)] if { hdr(Host) -m found }
>>>>>
>>>>> And then to declare the needed backends. Every new vhost hosted will only need its backend section to be added to the configuration.
>>>>
>>>> I'm not opposed to the feature at all, in fact I've even been involved in a discussion about something more or less in this vein recently. But I'm having some fears about the use of the %[] form in a use_backend directive. Indeed, this string format was initially done only for logformat. Then it was adopted for unique-id. Then for all http-request directives. And we start to see from time to time people trying to use it in places which have no relation with it (eg: in ACL declaration).
>>>>
>>>> I'm seeing several solutions in fact:
>>>> - yours above
>>>> - append some argument to
Re: HAProxy Hostname/Domain used for backend Servers
Hi Lukas,

Thank you very much.

On 01/04/2014 15:24, Lukas Tribus wrote:
> Confirmed: http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-server
>
>> address is the IPv4 or IPv6 address of the server. Alternatively, a resolvable hostname is supported, but this name will be resolved during start-up.
>
> Regards,
> Lukas
Re:List - led light
Hi, My friend, Nice day to you! Here is Amy, Sales representative of Lion-leds.com. We are a large manufacturer of LED lighting in China. If you need the price lists, welcome to contact me and offer you more details: sal...@best-led.com . Warm Regards Amy www.lion-leds.com sal...@lion-leds.com
haproxy ssl questions
Hello,

I have a couple of haproxy (1.5dev22 snapshot) SSL related questions:

Is it possible to use mod_ssl compatible optional_no_ca client cert verify with haproxy:
- is it possible to use ca-ignore-err for this? (I think apache 2.2.7 (mod_ssl) ignores these errors with optional_no_ca:

    #define ssl_verify_error_is_optional(errnum) \
        ((errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \
        || (errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \
        || (errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \
        || (errnum == X509_V_ERR_CERT_UNTRUSTED) \
        || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))

  )
- so ca-ignore-err 18,19,20,27,21 should be the same as optional_no_ca?
- or is the correct keyword crt-ignore-err (or both :) ?

Is it possible to send the client certificate to the backend server in a header (similar to mod_ssl +ExportCertData / nginx $ssl_client_cert):
- I think something like: http-request set-header X-SSL-Client-Cert %{+Q}[ssl_c_cert]
- AFAIK currently there's no keyword / code for this? But would it be possible to add a new smp_fetch_ssl_c_* function for this? (I might try to code it myself if this sounds reasonable?)

SSL offloading and nbproc:
- is nbproc > 1 the recommended way to handle SSL offloading if one core is not able to handle the load?
- is it possible to use stick tables with nbproc > 1:
  - for example bind-process 1-3 for SSL enabled frontends and bind-process 4 for backends
  - is it possible to use stick tables on backends?
  - stick table peers with nbproc > 1?

Thanks,
-Jarno
Re: haproxy ssl questions
Hi Jarno,

Some information is available here: http://blog.exceliance.fr/2013/06/13/ssl-client-certificate-information-in-http-headers-and-logs/ and here: http://blog.exceliance.fr/2012/10/03/ssl-client-certificate-management-at-application-level/

Concerning nbproc, you should make all your SSL processes point to a single HAProxy process in clear where you do your stick-table stuff. Each frontend and backend must be in the same process, so you must pass information through the loopback interface between your SSL frontends and your HTTP backends with stick-tables.

Baptiste
Re: haproxy ssl questions
Hi Baptiste,

On Tue, Apr 01, Baptiste wrote:
> Hi Jarno,
>
> Some information is available here: http://blog.exceliance.fr/2013/06/13/ssl-client-certificate-information-in-http-headers-and-logs/ and here: http://blog.exceliance.fr/2012/10/03/ssl-client-certificate-management-at-application-level/

Thanks. crt-ignore-err 18,19,20,27,21 seems to allow connections with a client certificate that the server can't verify.

ExportCertData / nginx $ssl_client_cert: What I would need is the client certificate in PEM format (this is for a Java web application that does its own certificate checks (shibboleth-idp backchannel connections)). I guess this is not possible without any code changes.

> Concerning nbproc, you should make all your SSL processes point to a single HAProxy process in clear where you do your stick-table stuff. Each frontend and backend must be in the same process, so you must pass information through the loopback interface between your SSL frontends and your HTTP backends with stick-tables.

I'm not sure if I understand you correctly. You don't happen to have any configuration examples?

-Jarno

PS. Thank you for your blog posts. Very useful resource.

--
Jarno Huuskonen - System Administrator | jarno.huuskonen atsign uef.fi
Univ. of Eastern Finland - Computer Center | Work: +358-40-3552822
PO BOX 1627, 70211 Kuopio, Finland
Haproxy MySQL support
Hi,

I am trying to create a panel to create proxies. I was wondering if you will ever add MySQL support for haproxy, where you enter what you want it to configure, so you can easily create proxies via the database? I am trying to just execute

    listen Whatever MyServer:3
        mode tcp
        option tcplog
        maxconn 20
        balance roundrobin
        server Whatever IPV4:3

to the configuration database in PHP, but it's being a pain, so it'd be easier to just do it via MySQL. If you have plans for MySQL support in the future, please tell me.
unsubscribe
haproxy intermittently not connecting to backend
We have an issue with haproxy (1.5-dev22-1a34d57) where it is intermittently not connecting to the backend server. However, the behavior it is exhibiting seems strange. The reason I say strange is that in one example it logged that the client disconnected after ~49 seconds with connection flags of CC--. However, our config has timeout connect 5000, so it should have timed out connecting to the backend server after 5 seconds. Additionally, we have retries 3 in the config, so upon timing out it should have tried another backend server, but it never did (the retries counter in the log shows 0).

At the time of this log entry, the backend server is responding properly. For the ~49 seconds prior to the log entry, the backend server has taken other requests. The backend server is also another haproxy (same version).

Here's an example of one such log entry:

    198.228.211.13:60848 api~ platform-push/i-84d931a5 49562/0/-1/-1/49563 0/0/0/0/0 0/0 691/212 503 CC-- 4F8E-4624 + GET /1/sync/notifications/subscribe?sync_box_id=12345&sender=27B9A93C-F473-4385-A662-352AD34A2453 HTTP/1.1

The log format is defined as:

    %ci:%cp\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %U/%B\ %ST\ %tsc\ %ID\ +\ %r

Running a show errors on the stats socket did not return any relevant results.

Here are the relevant portions of the haproxy config. It is not the entire thing, as the whole config is 1,513 lines long.
    global
        log 127.0.0.1 local0
        maxconn 20480
        user haproxy
        group haproxy
        daemon
        stats socket /var/run/hapi/haproxy/haproxy.sock level admin

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        option log-separate-errors
        retries 3
        option redispatch
        timeout connect 5000
        timeout client 6
        timeout server 17
        option clitcpka
        option srvtcpka
        option abortonclose
        option splice-auto
        monitor-uri /haproxy/ping
        stats enable
        stats uri /haproxy/stats
        stats refresh 15
        stats auth user:pass

    frontend api
        bind *:80
        bind *:443 ssl crt /etc/haproxy/server.pem
        maxconn 2
        option httpclose
        option forwardfor
        acl internal src 10.0.0.0/8
        acl have_request_id req.fhdr(X-Request-Id) -m found
        http-request set-nice -100 if internal
        http-request add-header X-API-URL %[path] if !internal
        http-request add-header X-Request-Timestamp %Ts.%ms
        http-request add-header X-Request-Id %[req.fhdr(X-Request-Id)] if internal have_request_id
        http-request set-header X-Request-Id %{+X}o%pid-%rt if !internal || !have_request_id
        http-request add-header X-API-Host i-4a3b1c6a
        unique-id-format %{+X}o%pid-%rt
        log-format %ci:%cp\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %U/%B\ %ST\ %tsc\ %ID\ +\ %r
        default_backend DEFAULT_404
        acl rewrite-found req.hdr(X-Rewrite-ID,1) -m found
        acl nqXn_path path_reg ^/1/sync/notifications/subscribe/([^\ ?]*)$
        acl nqXn_method method OPTIONS GET HEAD POST PUT DELETE TRACE CONNECT PATCH
        http-request set-header X-Rewrite-Id nqXn if !rewrite-found nqXn_path nqXn_method
        acl rewrite-nqXn req.hdr(X-Rewrite-Id) -m str nqXn
        use_backend platform-push if rewrite-nqXn
        reqrep ^(OPTIONS|GET|HEAD|POST|PUT|DELETE|TRACE|CONNECT|PATCH)\ /1/sync/notifications/subscribe/([^\ ?]*)([\ ?].*|$) \1\ /1/sync/subscribe/\2\3 if rewrite-nqXn

    backend platform-push
        option httpchk GET /ping
        default-server inter 15s fastinter 1s
        server i-6eaf724d 10.230.23.64:80 check observe layer4
        server i-84d931a5 10.230.42.8:80 check observe layer4
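To read an entry like the one above without guessing, here is an added decoder for this exact log-format (not code from the post or from HAProxy): it names the termination state CC-- and the four per-phase timers, so the phase in which the 49 seconds accumulated can be read off directly. SAMPLE_LINE is the posted entry re-typed; the field meanings are HAProxy's documented ones.

```python
"""Decode an HAProxy 1.5 log line written with the custom log-format shown in
the message above and report in which phase the session time was spent.

Added example, not code from the post or from HAProxy. Field meanings follow
the HAProxy logging documentation; SAMPLE_LINE is the posted entry, re-typed
with the '&' that the mail client dropped put back.
"""
import re

# log-format %ci:%cp %ft %b/%s %Tq/%Tw/%Tc/%Tr/%Tt %ac/%fc/%bc/%sc/%rc %sq/%bq %U/%B %ST %tsc %ID + %r
LINE_RE = re.compile(
    r"^(?P<ci>\S+):(?P<cp>\d+)\s+(?P<ft>\S+)\s+(?P<b>[^/\s]+)/(?P<s>\S+)\s+"
    r"(?P<Tq>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Tt>-?\d+)\s+"
    r"(?P<ac>\d+)/(?P<fc>\d+)/(?P<bc>\d+)/(?P<sc>\d+)/(?P<rc>\d+)\s+"
    r"(?P<sq>\d+)/(?P<bq>\d+)\s+(?P<U>\d+)/(?P<B>\d+)\s+(?P<ST>-?\d+)\s+"
    r"(?P<tsc>\S{4})\s+(?P<ID>\S+)\s+\+\s+(?P<r>.*)$"
)

SAMPLE_LINE = (
    "198.228.211.13:60848 api~ platform-push/i-84d931a5 49562/0/-1/-1/49563 "
    "0/0/0/0/0 0/0 691/212 503 CC-- 4F8E-4624 + "
    "GET /1/sync/notifications/subscribe?sync_box_id=12496"
    "&sender=D7A9F93D-F653-4527-A022-383AD55A1943 HTTP/1.1"
)

# %tsc, first character: what ended the session.
TERM_CAUSE = {
    "C": "client aborted: TCP session unexpectedly closed by the client",
    "S": "server aborted or refused the connection",
    "P": "proxy aborted the session (rule, invalid response, ...)",
    "R": "proxy resource exhausted",
    "I": "internal error in the proxy",
    "D": "server went DOWN",
    "U": "killed on a backup server because an active server came UP",
    "K": "killed by an administrator",
    "c": "client-side timeout expired",
    "s": "server-side timeout expired",
    "-": "normal end of session",
}
# %tsc, second character: what the session was doing when it ended.
TERM_STATE = {
    "R": "waiting for a complete REQUEST from the client",
    "Q": "waiting in a QUEUE for a server slot",
    "C": "waiting for the CONNECTION to the server to establish",
    "H": "waiting for response HEADERS from the server",
    "D": "transferring DATA",
    "L": "sending LAST data to the client, server already done",
    "T": "held in TARPIT",
    "-": "normal end after data transfer",
}
# Per-phase timers in order of occurrence; -1 marks a phase never reached.
PHASES = [
    ("Tq", "receiving the client request"),
    ("Tw", "waiting in queues"),
    ("Tc", "connecting to the server"),
    ("Tr", "waiting for the server response"),
]

def decode(line):
    """Split one log line into named fields; raise if the line does not match."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("line does not match the configured log-format")
    f = m.groupdict()
    tsc = f["tsc"]
    return {
        "client": (f["ci"], int(f["cp"])),
        "frontend": f["ft"],
        "backend": f["b"],
        "server": f["s"],
        "timers": {k: int(f[k]) for k in ("Tq", "Tw", "Tc", "Tr", "Tt")},
        "retries": int(f["rc"]),
        "status": int(f["ST"]),
        "term_cause": TERM_CAUSE.get(tsc[0], "unknown code " + tsc[0]),
        "term_state": TERM_STATE.get(tsc[1], "unknown code " + tsc[1]),
        "cookie_flags": tsc[2:],  # persistence cookie flags, passed through raw
        "unique_id": f["ID"],
        "request": f["r"],
    }

def explain_timers(timers):
    """Where the time went: dominant phase, phases never reached, and the
    milliseconds that elapsed after the request had been fully received."""
    reached = [(name, timers[key]) for key, name in PHASES if timers[key] >= 0]
    dominant = max(reached, key=lambda item: item[1]) if reached else ("none recorded", 0)
    after_request = timers["Tt"] - max(timers["Tq"], 0) - max(timers["Tw"], 0)
    return {
        "dominant_phase": dominant[0],
        "dominant_ms": dominant[1],
        "never_reached": [name for key, name in PHASES if timers[key] < 0],
        "after_request_ms": after_request,
    }

if __name__ == "__main__":
    entry = decode(SAMPLE_LINE)
    print(entry["term_cause"], "|", entry["term_state"], "| retries:", entry["retries"])
    print(explain_timers(entry["timers"]))
```

For the posted entry the decoder reports Tq = 49562 of Tt = 49563 ms, Tc and Tr never reached, and 1 ms between the end of the request and the end of the session.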
Re: haproxy intermittently not connecting to backend
Apologies, my mail client went stupid. Here's the log entry unmangled:

    198.228.211.13:60848 api~ platform-push/i-84d931a5 49562/0/-1/-1/49563 0/0/0/0/0 0/0 691/212 503 CC-- 4F8E-4624 + GET /1/sync/notifications/subscribe?sync_box_id=12496&sender=D7A9F93D-F653-4527-A022-383AD55A1943 HTTP/1.1

-Patrick

From: Patrick Hemmer hapr...@stormcloud9.net
Sent: 2014-04-01 15:20:15 E
To: haproxy@formilux.org
Subject: haproxy intermittently not connecting to backend
BUG/FEATURE? http-request always applied if backend not available
Hi Willy,

I'm having trouble with this sample configuration when the backend has no server available:

    defaults HTTP
        mode http
        option httplog
        log global

    frontend ft_public
        bind 0.0.0.0:80 name HTTP
        bind 0.0.0.0:443 name HTTPS ssl crt foo.pem
        acl v-local hdr(Host) 203.0.113.42
        acl p-admin path_beg /__bar
        http-request redirect scheme https code 301 if v-local p-admin ! { ssl_fc }
        use_backend bk_local if v-local p-admin
        default_backend bk_default

    backend bk_local
        balance source
        option forwardfor except 127.0.0.1/8
        server localhost 127.0.0.1:8080 weight 10 maxconn 100 check inter 1000 fall 2 rise 2

    backend bk_default
        block if TRUE

If bk_local has a server UP in the farm, and the request looks like https://203.0.113.42/__bar, then everything is fine: the request is nicely handled by bk_local/localhost. http://203.0.113.42/__bar is correctly redirected.

If bk_local has no server UP in the farm, then the 'http-request redirect scheme' is always applied instead of a 503 response. I don't know if this is really the intended result.

In the request (https://203.0.113.42/__bar):

    v-local matches
    p-admin matches
    ! { ssl_fc } does not match

So no redirection should be applied.
I'm using:

    HA-Proxy version 1.5-dev22-1a34d57 2014/02/03
    Copyright 2000-2014 Willy Tarreau w...@1wt.eu

    Build options :
      TARGET  = linux2628
      CPU     = generic
      CC      = x86_64-pc-linux-gnu-gcc
      CFLAGS  = -march=native -O2 -pipe -fomit-frame-pointer -fno-strict-aliasing
      OPTIONS = USE_LIBCRYPT=1 USE_GETADDRINFO=1 USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1 USE_PCRE_JIT=1

    Default settings :
      maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

    Encrypted password support via crypt(3): yes
    Built with zlib version : 1.2.8
    Compression algorithms supported : identity, deflate, gzip
    Built with OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
    Running on OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
    OpenSSL library supports TLS extensions : yes
    OpenSSL library supports SNI : yes
    OpenSSL library supports prefer-server-ciphers : yes
    Built with PCRE version : 8.33 2013-05-28
    PCRE library supports JIT : yes
    Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

    Available polling systems :
          epoll : pref=300,  test result OK
           poll : pref=200,  test result OK
         select : pref=150,  test result OK
    Total: 3 (3 usable), will use epoll.

Thanks.

--
Bertrand
Re: BUG/FEATURE? http-request always applied if backend not available
Hi Bertrand,

On 01/04/2014 23:10, Bertrand Jacquin wrote:
> Hi Willy,
>
> I'm having trouble with this sample configuration when the backend has no server available:
>
>     defaults HTTP
>         mode http
>         option httplog
>         log global
>
>     frontend ft_public
>         bind 0.0.0.0:80 name HTTP
>         bind 0.0.0.0:443 name HTTPS ssl crt foo.pem
>         acl v-local hdr(Host) 203.0.113.42
>         acl p-admin path_beg /__bar
>         http-request redirect scheme https code 301 if v-local p-admin ! { ssl_fc }
>         use_backend bk_local if v-local p-admin
>         default_backend bk_default
>
>     backend bk_local
>         balance source
>         option forwardfor except 127.0.0.1/8
>         server localhost 127.0.0.1:8080 weight 10 maxconn 100 check inter 1000 fall 2 rise 2
>
>     backend bk_default
>         block if TRUE
>
> If bk_local has a server UP in the farm, and the request looks like https://203.0.113.42/__bar, then everything is fine: the request is nicely handled by bk_local/localhost. http://203.0.113.42/__bar is correctly redirected.
>
> If bk_local has no server UP in the farm, then the 'http-request redirect scheme' is always applied instead of a 503 response. I don't know if this is really the intended result.
>
> In the request (https://203.0.113.42/__bar):

I'm not sure I understand. Did you want to write http://203.0.113.42/__bar just above?

If it was supposed to be http instead of https, I'd call it a feature, and you can use nbsrv to disable redirects when no server is available.

>     v-local matches
>     p-admin matches
>     ! { ssl_fc } does not match
>
> So no redirection should be applied.

--
Cyril Bonté
Re: BUG/FEATURE? http-request always applied if backend not available
Hi Cyril,

On Tuesday 01 April 2014 at 23:35, « Cyril Bonté » wrote:
>> If bk_local has a server UP in the farm, and the request looks like https://203.0.113.42/__bar, then everything is fine: the request is nicely handled by bk_local/localhost. http://203.0.113.42/__bar is correctly redirected.
>>
>> If bk_local has no server UP in the farm, then the 'http-request redirect scheme' is always applied instead of a 503 response. I don't know if this is really the intended result.
>>
>> In the request (https://203.0.113.42/__bar):
>
> I'm not sure I understand. Did you want to write http://203.0.113.42/__bar just above?

No, https://203.0.113.42/__bar should not pass 'http-request redirect scheme', as not all the prerequisites are matched. I need the 'http-request redirect scheme' to be applied only if the request is for the right vhost (v-local) and for the right path (p-admin) and if it is not an SSL request.

> If it was supposed to be http instead of https, I'd call it a feature, and you can use nbsrv to disable redirects when no server is available.

Sure, but I'm more trying to understand that behaviour here.

--
Bertrand
Re: BUG/FEATURE? http-request always applied if backend not available
On 01/04/2014 23:42, Bertrand Jacquin wrote:
> No, https://203.0.113.42/__bar should not pass 'http-request redirect scheme', as not all the prerequisites are matched. I need the 'http-request redirect scheme' to be applied only if the request is for the right vhost (v-local) and for the right path (p-admin) and if it is not an SSL request.
>
> [...]
>
> Sure, but I'm more trying to understand that behaviour here.

OK, then I'm not convinced it happened. Do you have some captures that show an https request being redirected?

--
Cyril Bonté
Re: BUG/FEATURE? http-request always applied if backend not available
On 01/04/2014 23:56, Bertrand Jacquin wrote:
> When bk_local/localhost is UP:
>
>     $ curl -vk -so /dev/null https://203.0.113.42/__bar/
>     (...)
>     GET /__bar/ HTTP/1.1
>     User-Agent: curl/7.35.0
>     Host: 203.0.113.42
>     Accept: */*
>
>     HTTP/1.1 200 OK
>     Date: Tue, 01 Apr 2014 21:54:46 GMT
>     * Server Apache is not blacklisted
>     Server: Apache
>     Expires: Tue, 01 Apr 2014 21:54:46 +
>     Cache-Control: no-store, no-cache, must-revalidate, pre-check=0, post-check=0, max-age=0
>     Last-Modified: Tue, 01 Apr 2014 21:54:46 +
>     Transfer-Encoding: chunked
>     Content-Type: text/html; charset=utf-8
>     Vary: Accept-Encoding
>     Strict-Transport-Security: max-age=16070400
>     { [data not shown]
>     * Connection #0 to host 203.0.113.42 left intact
>
> When bk_local/localhost is DOWN:
>
>     $ curl -vk -so /dev/null https://203.0.113.42/__bar/
>     (...)
>     GET /__bar/ HTTP/1.1
>     User-Agent: curl/7.35.0
>     Host: 203.0.113.42
>     Accept: */*
>
>     HTTP/1.1 301 Moved Permanently
>     Content-length: 0
>     Location: https://203.0.113.42/__bar/
>     Vary: Accept-Encoding
>     Strict-Transport-Security: max-age=16070400
>     * Connection #0 to host 203.0.113.42 left intact

What is adding the Vary and Strict-Transport-Security headers in this second case?

--
Cyril Bonté
Re: BUG/FEATURE? http-request always applied if backend not available
On Wednesday 02 April 2014 at 00:13, « Cyril Bonté » wrote:
> What is adding the Vary and Strict-Transport-Security headers in this second case?

A missing 'http-response set-header' in the previous copy and paste:

    http-response set-header Vary Accept-Encoding
    http-response set-header Strict-Transport-Security max-age=16070400 if { ssl_fc }

--
Bertrand
Re: BUG/FEATURE? http-request always applied if backend not available
On 02/04/2014 00:16, Bertrand Jacquin wrote:
>> What is adding the Vary and Strict-Transport-Security headers in this second case?
>
> A missing 'http-response set-header' in the previous copy and paste:
>
>     http-response set-header Vary Accept-Encoding
>     http-response set-header Strict-Transport-Security max-age=16070400 if { ssl_fc }

Sorry, but we're certainly missing something with your configuration. Even if those set-header lines were added, they can't be applied to the redirect with the configuration provided in the example. It makes me think there is a second level of proxy in your test. Am I wrong?

--
Cyril Bonté
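An added check, not code from the thread or from HAProxy, for the failure mode in the DOWN capture of this thread: a 301 whose Location is the URL just requested, which a client following redirects would loop on. The responses are constructed copies of the curl captures reduced to the headers the check reads, and table_fetch() is an assumed stand-in for a real HTTP client.

```python
"""Detect the redirect loop visible in the DOWN capture above: a request for
https://203.0.113.42/__bar/ answered with a 301 whose Location is that same URL.

Added example, not code from the thread or from HAProxy. The responses below
are constructed copies of the curl captures, reduced to the header lines the
check reads; table_fetch() stands in for a real HTTP client (an assumption).
"""
from urllib.parse import urljoin, urlsplit, urlunsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed copy of the capture taken while bk_local/localhost was UP.
RESPONSE_UP = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 01 Apr 2014 21:54:46 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Vary: Accept-Encoding\r\n"
    "Strict-Transport-Security: max-age=16070400\r\n"
    "\r\n"
)
# Constructed copy of the capture taken while bk_local/localhost was DOWN.
RESPONSE_DOWN = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Content-length: 0\r\n"
    "Location: https://203.0.113.42/__bar/\r\n"
    "Vary: Accept-Encoding\r\n"
    "Strict-Transport-Security: max-age=16070400\r\n"
    "\r\n"
)
# The intended http -> https upgrade (constructed; not among the captures).
RESPONSE_UPGRADE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Content-length: 0\r\n"
    "Location: https://203.0.113.42/__bar/\r\n"
    "\r\n"
)

def parse_response(raw):
    """Return (status code, {lowercased header name: value}) from a response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def canonical(url):
    """Normalise scheme and host case, drop default ports, give empty paths a '/'."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    host = (p.hostname or "").lower()
    netloc = host if port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    return urlunsplit((scheme, netloc, p.path or "/", p.query, ""))

def probe(url, fetch, max_hops=5):
    """Follow redirects from url using fetch(url) -> raw response text.

    Reports 'loop' as soon as a Location points at a URL already visited in
    this chain, which the DOWN capture produces on its very first hop.
    """
    visited, status = [], None
    for _ in range(max_hops):
        url = canonical(url)
        status, headers = parse_response(fetch(url))
        visited.append((url, status))
        if status not in REDIRECT_STATUSES:
            return {"result": "final", "status": status, "hops": visited}
        target = canonical(urljoin(url, headers.get("location", "")))
        if any(target == seen for seen, _ in visited):
            return {"result": "loop", "status": status, "hops": visited, "target": target}
        url = target
    return {"result": "too-many-hops", "status": status, "hops": visited}

def table_fetch(table):
    """Build a fetch() that serves constructed responses from a URL table."""
    def fetch(url):
        try:
            return table[canonical(url)]
        except KeyError:
            raise LookupError(f"no constructed response for {url}") from None
    return fetch

HTTPS_URL = "https://203.0.113.42/__bar/"
HTTP_URL = "http://203.0.113.42/__bar/"
# Backend UP: https is served; http is upgraded once, then served.
FETCH_UP = table_fetch({HTTPS_URL: RESPONSE_UP, HTTP_URL: RESPONSE_UPGRADE})
# Backend DOWN: the https request is redirected to itself.
FETCH_DOWN = table_fetch({HTTPS_URL: RESPONSE_DOWN, HTTP_URL: RESPONSE_UPGRADE})

if __name__ == "__main__":
    for name, fetch in (("UP", FETCH_UP), ("DOWN", FETCH_DOWN)):
        print(name, probe(HTTP_URL, fetch)["result"])
```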