How to rewirte both URI and Host

[Godbach]

Hi Willy,

If I want to rewrite both Host and URI in request, and they are also in
the match conditions, can HAProxy implement this requirement?

The ACLs are as below:
acl match_host_uri  hdr_reg(Host) www.example.com
ack match_host_uri  /example.html

But the reqrep should be used twice to rewrite both Host and URI
reqrep expresion for rewritting host if  match_host_uri
reqrep expresion for rewritting URI  if  match_host_uri

Since Host has been rewritten in firest reqrep directive, as I know, the
second reqrep will not be executed as the match will fail.

-- 
Best Regards,
Godbach

Re: How to rewirte both URI and Host

[Willy Tarreau]

Hi Godbach,

On Tue, May 13, 2014 at 03:01:58PM +0800, Godbach wrote:
 Hi Willy,
 
 If I want to rewrite both Host and URI in request, and they are also in
 the match conditions, can HAProxy implement this requirement?
 
 The ACLs are as below:
 acl match_host_uri  hdr_reg(Host) www.example.com
 ack match_host_uri  /example.html
 
 But the reqrep should be used twice to rewrite both Host and URI
 reqrep expresion for rewritting host if  match_host_uri
 reqrep expresion for rewritting URI  if  match_host_uri
 
 Since Host has been rewritten in firest reqrep directive, as I know, the
 second reqrep will not be executed as the match will fail.

Indeed. The trick consists in capturing it using capture request header
then apply your rule based on capture.req.hdr(), since this one will not
change during the request.

Regards,
Willy

Re: How to rewirte both URI and Host

[Godbach]

On 2014/5/13 15:05, Willy Tarreau wrote:

Hi Godbach,

On Tue, May 13, 2014 at 03:01:58PM +0800, Godbach wrote:

Hi Willy,

If I want to rewrite both Host and URI in request, and they are also in
the match conditions, can HAProxy implement this requirement?

The ACLs are as below:
acl match_host_uri  hdr_reg(Host) www.example.com
ack match_host_uri  /example.html

But the reqrep should be used twice to rewrite both Host and URI
reqrep expresion for rewritting host if  match_host_uri
reqrep expresion for rewritting URI  if  match_host_uri

Since Host has been rewritten in firest reqrep directive, as I know, the
second reqrep will not be executed as the match will fail.


Indeed. The trick consists in capturing it using capture request header
then apply your rule based on capture.req.hdr(), since this one will not
change during the request.

Regards,
Willy



Hi Willy,

Thank you.

Yes, there are some more caputre and fetch configurations about request 
and response introduced in recent releases. I can capture any header I 
and URI I need, then do the match base on the capture content. The 
requirement can be fulfilled with these new features. Great job.


--
Best Regards,
Godbach

Re: How to rewirte both URI and Host

[Godbach]

On 2014/5/13 16:05, Godbach wrote:

On 2014/5/13 15:05, Willy Tarreau wrote:

Hi Godbach,

On Tue, May 13, 2014 at 03:01:58PM +0800, Godbach wrote:

Hi Willy,

If I want to rewrite both Host and URI in request, and they are also in
the match conditions, can HAProxy implement this requirement?

The ACLs are as below:
acl match_host_uri  hdr_reg(Host) www.example.com
ack match_host_uri  /example.html

But the reqrep should be used twice to rewrite both Host and URI
reqrep expresion for rewritting host if  match_host_uri
reqrep expresion for rewritting URI  if  match_host_uri

Since Host has been rewritten in firest reqrep directive, as I know, the
second reqrep will not be executed as the match will fail.


Indeed. The trick consists in capturing it using capture request header
then apply your rule based on capture.req.hdr(), since this one will not
change during the request.

Regards,
Willy



Hi Willy,

Thank you.

Yes, there are some more caputre and fetch configurations about request
and response introduced in recent releases. I can capture any header I
and URI I need, then do the match base on the capture content. The
requirement can be fulfilled with these new features. Great juser-defined 
chainob.



Hi Willy,

There is still an issue that the ACL will be evaluated maore than one 
times. Is it possbile or reasonable to rewrite more than one time with 
only evaluating ACL once?


The similar cenario like iptables to do all matches once and do more 
actions in user-defined chain:


iptables -N NEW_CHAIN
iptables -A INPUT -p tcp -s x.x.x.x -j NEW_CHAIN
iptalbes -A NEW_CHAIN -j LOG
iptalbes -A NEW_CHAIN -j ACCPET

or we will need two rules both with need to do match as below:
iptables -A INPUT -p tcp -s x.x.x.x -j LOG
iptables -A INPUT -p tcp -s x.x.x.x -j ACCEPT

--
Best Regards,
Godbach

Encore quelques jours, Catmandoo, Rohner, Midland

[ALLSPORTSHOP'PING]

 GOURDE SIGG

 CHAUSSETTES ROHNER

 TEXTLE

 CYCLE

 HIGH TECH

 FITNESS

 OUTDOOR

INSCRIPTION





 Les Frais de port sont offert*
jusqu'au Dimanche 18 Mai !













*offre non valable sur les ventes privées








Vêtements de golf CATMANDOO

(Fournisseur officiel des équipes

Finlandaises de golf  et des J.O.)




Jusqu'à -60%

Jusqu'au Lundi 12 Mai



 




Caméra Full HD  Talkie Walki

MIDLAND

-30 %




Jusqu'au mercredi 14 Mai







Chaussettes de sport ROHNER



Compression Golf à -50%





Jusqu'au Mercredi 14 Mai



 


 


Le plus léger des parapluies BLUNT

(1100mm de diamètre pour 450g)

est à -30%




Jusqu'au Dimanche 11 Mai


  




   
 
Vélo GOCYCLE à assistance électrique avec béquille centrale





Les frais de ports sont offerts sans échéance pour les vélos GOCYCLE


  









   

Toutes les semaines :



NOUVEAUTÉS






 Suivez nous sur FacebookSuivez nos Newsletter




Veuillez me retirer de votre liste de diffusion.

Socket Read Errors and Timeouts on FreeBSD

[John-Paul Bader]

Hey,

after all the patches regarding the SSL crashes we started pushing more 
traffic to haproxy but it did not last very long.


With and without kqueue enabled we're seeing lots of socket errors. The 
backends became unavailable / unreachable as a consequence. L4 health 
checks failed, traffic and CPU Load dropped - so we had to abort the test.


We've tried on different machines, with different backends, with 
different haproxy versions (1.4.18, 1.4.25. 1.5.25) and the behavior was 
always the same on FreeBSD. We looked at netstat and various other 
system statistics but the all seemed alright.


Then we switched to synthetic loadtests and we observed the behavior 
even quicker.


When pointing the loadtesttool directly to our backend, everything was 
fine. Testing on a linux machine was also fine.


Do you have any idea what that could be related to or do you have 
suggestions for debugging this? Since it does not coredump it will be a 
bit harder I guess.


Kind regards,

John-Paul Bader

--
John-Paul Bader | Software Development

www.wooga.com
wooga GmbH | Saarbruecker Str. 38 | D-10405 Berlin
Sitz der Gesellschaft: Berlin; HRB 117846 B
Registergericht Berlin-Charlottenburg
Geschaeftsfuehrung: Jens Begemann, Philipp Moeser

can not set mss on FreeBSD 10

[k simon]

Hi,Lists,
  I found haproxy 1.4.25 can not set mss on FreeBSD 10-stable as below:

# /usr/local/sbin/haproxy -f /opt/etc/haproxy.conf
[WARNING] 132/170407 (71806) : Starting frontend http-in: cannot set MSS

# haproxy -vv
HA-Proxy version 1.4.25 2014/03/27
Copyright 2000-2014 Willy Tarreau w...@1wt.eu

Build options :
  TARGET  = freebsd
  CPU = generic
  CC  = gcc47
  CFLAGS  = -g -Wall -O2 -pipe -msse3 -I/usr/local/include
-L/usr/local/lib -fno-strict-aliasing -DFREEBSD_PORTS
  OPTIONS = USE_TPROXY=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes

Available polling systems :
 kqueue : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use kqueue.


Regards
Simon

Coredump when parsing previously working config

[John-Paul Bader]

Hey,


a config that worked fine on 1.5-dev24 now coredumps with dev25 from 
2014-05-11


Config:

http://smyck.org/haproxy/haproxy_coredump_cfg.txt

CoreDump

http://smyck.org/haproxy/config_coredump.txt


Kind regards,

John

--
John-Paul Bader | Software Development

www.wooga.com
wooga GmbH | Saarbruecker Str. 38 | D-10405 Berlin
Sitz der Gesellschaft: Berlin; HRB 117846 B
Registergericht Berlin-Charlottenburg
Geschaeftsfuehrung: Jens Begemann, Philipp Moeser

让客户主动回复询盘给你

[mengxingle571]

双喜外贸客户开发软件可以帮您：
1，代替手工，提高效果（把业务员解放出来用在跟进优质客户和询盘）
2，化被动为主动，抢先同行（避开展会，B2B僧多粥少的信息不对称）
3，淘汰三流客人，和优质客人打交道（避开价格战，做有利润的订单）
4，快速成交一批订单（网足够大，总有属于您的那些订单）
5，让全球潜在买家都记住您（对全球目标客人周期主动建立联络，精准推广效
果）
6，让业务团队更稳定（业务员主动创造机会，每天有事做）
7，客户资料，往来邮件，轻松管理（客户资料集中，往来邮件自动形成联系记
录，有效辅导业务团队）
8，轻松启动外贸业务（最容易找到工作入口，NO展会，NO平台，NO手工搜索客
户）
软件演示咨询QQ：25382_09225 添加联系请删除下划线
回复请回复QQ邮箱
双喜让您知道怎么样高效找优质客户



我已邀请您填写表单 未命名的表单。 要填写此表单，请访问：
https://docs.google.com/forms/d/1Toxh2WMXJWzOEqMKggrwhsNBuN12Fr4wm6O6eAF4z9I/viewform?c=0w=1usp=mail_form_link

Re: Socket Read Errors and Timeouts on FreeBSD

[John-Paul Bader]

Hey,

we have already tried and disabled all custom sysctls - the behavior was 
not getting any better unfortunately :/


The whole process locks up, the stats web page does not load anymore and 
like described, we get lots of log entries that no backends are 
available anymore.


I could try to create a ktrace for a synthetic test run like this as it 
happens rather quickly after starting the test.


Kind regards,

John

Willy Tarreau wrote:

Hi John-Paul,

On Tue, May 13, 2014 at 10:56:15AM +0200, John-Paul Bader wrote:

Hey,

after all the patches regarding the SSL crashes we started pushing more
traffic to haproxy but it did not last very long.

With and without kqueue enabled we're seeing lots of socket errors. The
backends became unavailable / unreachable as a consequence. L4 health
checks failed, traffic and CPU Load dropped - so we had to abort the test.

We've tried on different machines, with different backends, with
different haproxy versions (1.4.18, 1.4.25. 1.5.25) and the behavior was
always the same on FreeBSD. We looked at netstat and various other
system statistics but the all seemed alright.

Then we switched to synthetic loadtests and we observed the behavior
even quicker.

When pointing the loadtesttool directly to our backend, everything was
fine. Testing on a linux machine was also fine.

Do you have any idea what that could be related to or do you have
suggestions for debugging this? Since it does not coredump it will be a
bit harder I guess.


Could you please try without your sysctls ? It's very possible that too
short timeouts TCP will prevent your system from re-establishing outgoing
connections from a recently closed source port that was marked free while
it was not for the server.

Best regards,
Willy



--
John-Paul Bader | Software Development

www.wooga.com
wooga GmbH | Saarbruecker Str. 38 | D-10405 Berlin
Sitz der Gesellschaft: Berlin; HRB 117846 B
Registergericht Berlin-Charlottenburg
Geschaeftsfuehrung: Jens Begemann, Philipp Moeser

Explain tune.maxrewrite

[Kobus Bensch]

Hi

We use haproxy at various layers in our setup. We have been seeing 504 
errors in our logs and discovered that it was haproxy that sent it. On 
further investigation we found that on some packets we go over 8k and it 
is during this time that we get the 504. On further reading the haproxy 
docs, we made one change:


tune.maxrewrite 1024

Now we dont see any of the 504 errors anymore and everything is working 
perfectly. After reading the docs, we decided not to implement the 
#tune.bufsize32768   setting as that could have more serious 
implications than just changing the tune.maxrewrite setting.


Q1.  This is really just a further explanation as to why changing 
tune.maxrewrite now enabled packet sizes larger than 8k?
Q2.  What do we change in future if we find the same issue but the 
packet sizes are now greater than 16k?
Q3.  The 8k mentioned above, is that a default setting for the header 
size? If not, what does the 8k refer to? Surely the packets should be 
reconstructed at each end and then passed on.


I have posted the haproxy config we use below.

global
log 127.0.0.1 local0
log 127.0.0.1 local1 debug

chroot  /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4096
uid 99
gid 99
daemon

stats socket /var/lib/haproxy/stats

#tune.bufsize32768
tune.maxrewrite 1024

defaults
modehttp
retries 3
option  redispatch
maxconn 3000
contimeout  5000
clitimeout  5
srvtimeout  5
log global
option  httplog
option  dontlognull
cookie  HTTP insert nocache
balance roundrobin
option  httpclose
option  forwardfor
option  contstats
stats   enable
option  http-server-close
option  abortonclose
option  dontlog-normal
timeout http-request10s
timeout queue   1m
timeout connect 10s
timeout client  1m
timeout server  1m
timeout http-keep-alive 10s
timeout check   10s

frontend dc1ntgxlv01.domain.com_frontend
bind10.11.115.116:443 ssl crt 
/etc/haproxy/wildcard.domain.com.pem ciphers 
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

modehttp
option  httpclose
option  forwardfor
reqadd  X-Forwarded-Proto:\ https
default_backend dc1ntgxlv01.domain.com_backend

backend dc1ntgxlv01.domain.com_backend
modehttp
balance roundrobin
cookie  SERVERID insert indirect nocache httponly secure
server  dc1ntgaix01 dc1ntgaix01.domain.com:443 check cookie 
dc1ntgaix01 ssl crt /etc/haproxy/wildcard.domain.com.pem
server  dc1ntgaix02 dc1ntgaix02.domain.com:443 check cookie 
dc1ntgaix02 ssl crt /etc/haproxy/wildcard.domain.com.pem


frontend dc1ntixlv01.domain.com_frontend
bind10.11.115.118:443 ssl crt 
/etc/haproxy/wildcard.domain1.com.pem ciphers 
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

modehttp
option  httpclose
option  forwardfor
reqadd  X-Forwarded-Proto:\ https
default_backend dc1ntixlv01.domain.com_backend

backend dc1ntixlv01.domain.com_backend
modehttp
balance roundrobin
cookie  SERVERID insert indirect nocache httponly secure
server  dc1ntiaix01 dc1ntiaix01.domain.com:443 check cookie 
dc1ntiaix01 ssl crt /etc/haproxy/wildcard.domain1.com.pem
server  dc1ntiaix02 dc1ntiaix02.domain.com:443 check cookie 
dc1ntiaix02 ssl crt /etc/haproxy/wildcard.domain1.com.pem


frontend dc1ntgblv01.domain.com_frontend
bind10.11.115.119:443 ssl crt 
/etc/haproxy/wildcard.domain.com.pem ciphers 
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

modehttp
option  httpclose
option  forwardfor
reqadd  X-Forwarded-Proto:\ https
default_backend dc1ntgblv01.domain.com_backend

backend dc1ntgblv01.domain.com_backend
modehttp
balance roundrobin
cookie  SERVERID insert indirect nocache httponly secure
server  dc1ntgabs01 dc1ntgabs01.domain.com:443 check cookie 
dc1ntgabs01 ssl crt /etc/haproxy/wildcard.domain.com.pem
server  dc1ntgabs02 dc1ntgabs02.domain.com:443 check cookie 
dc1ntgabs02 ssl crt /etc/haproxy/wildcard.domain.com.pem


frontend dc1ntgrlv01.domain.com_frontend
bind10.11.115.122:443 ssl crt 
/etc/haproxy/wildcard.domain.com.pem 

Re: Socket Read Errors and Timeouts on FreeBSD

[Willy Tarreau]

On Tue, May 13, 2014 at 03:03:39PM +0200, John-Paul Bader wrote:
 Hey,
 
 we have already tried and disabled all custom sysctls - the behavior was 
 not getting any better unfortunately :/
 
 The whole process locks up, the stats web page does not load anymore and 
 like described, we get lots of log entries that no backends are 
 available anymore.
 
 I could try to create a ktrace for a synthetic test run like this as it 
 happens rather quickly after starting the test.

That could help. The only possible reason that comes to my mind for now
would be that for any reason, SO_LINGER would be ignored on fbsd when
haproxy actively closes a connection to a server, preventing the port
from being reusable for the time needed to get rid of the resulting
TIME_WAIT socket. That would be a big problem which could affect other
proxies like squid for example, so I would find it strange.

Do you see any TIME_WAIT sockets on the maching running haproxy, towards
the servers ?

Oh and BTW, are you running with PF ? I have some old memories of PF
abusively randomizing sequence numbers and preventing new connections
from being initiated using a same source port from the came client. It
was so odd that I had to disable it on my home reverse-proxy running
OpenBSD! That is easy to test, simply run pfctl -d to disable it and
test again.

Regards,
Willy

Re: Socket Read Errors and Timeouts on FreeBSD

[John-Paul Bader]

Ah damn it! :) Yes - pf was accidentally re-enabled after a reboot. 
Thank you … will continue doing load tests now.


Kind regards,

John

Willy Tarreau wrote:

On Tue, May 13, 2014 at 03:03:39PM +0200, John-Paul Bader wrote:

Hey,

we have already tried and disabled all custom sysctls - the behavior was
not getting any better unfortunately :/

The whole process locks up, the stats web page does not load anymore and
like described, we get lots of log entries that no backends are
available anymore.

I could try to create a ktrace for a synthetic test run like this as it
happens rather quickly after starting the test.


That could help. The only possible reason that comes to my mind for now
would be that for any reason, SO_LINGER would be ignored on fbsd when
haproxy actively closes a connection to a server, preventing the port
from being reusable for the time needed to get rid of the resulting
TIME_WAIT socket. That would be a big problem which could affect other
proxies like squid for example, so I would find it strange.

Do you see any TIME_WAIT sockets on the maching running haproxy, towards
the servers ?

Oh and BTW, are you running with PF ? I have some old memories of PF
abusively randomizing sequence numbers and preventing new connections
from being initiated using a same source port from the came client. It
was so odd that I had to disable it on my home reverse-proxy running
OpenBSD! That is easy to test, simply run pfctl -d to disable it and
test again.

Regards,
Willy



--
John-Paul Bader | Software Development

www.wooga.com
wooga GmbH | Saarbruecker Str. 38 | D-10405 Berlin
Sitz der Gesellschaft: Berlin; HRB 117846 B
Registergericht Berlin-Charlottenburg
Geschaeftsfuehrung: Jens Begemann, Philipp Moeser

Radios online españolas

[Punto A]

Buenos días,

Aquí tenemos los primeros hilos musicales por 24€/año. Tenga una prueba de 
nuestro servicio en hilos.puntoa.es
¿Prefiere un dispositivo que reciba los hilos musicales en lugar del ordenador? 
¿Necesita unos altavoces? ¿No tiene internet en su negocio? Tenemos una 
solución para hacer que nuestros hilos musicales sea la banda sonora de su día 
a día.
En Punto A trabajamos muy duro para ofrecerle cada día la mejor música al 
precio más bajo y de la forma más cómoda posible. Por ello, le ofrecemos que 
nos escuche durante una semana para que combruebe que un bajo precio no es 
sinónimo de un mal servicio.




Muchas gracias de antemano. 

Un saludo... ¡Y punto!


Música... ¡Y punto!
www.puntoa.es
i...@puntoa.es
(+34) 693 101 640
Calzada Lateral del norte, 22
35014 Las Palmas de Gran Canaria
Spain

Antes de imprimir este mensaje, asegúrese de que es realmente necesario. 
PROTEJA EL MEDIO AMBIENTE
* Si no quiere recibir más email por nuestra parte  pulse aquí

Re: Socket Read Errors and Timeouts on FreeBSD

[k simon]

Hi,Willy,


Oh and BTW, are you running with PF ? I have some old memories of PF
abusively randomizing sequence numbers and preventing new connections
from being initiated using a same source port from the came client. It
was so odd that I had to disable it on my home reverse-proxy running
OpenBSD! That is easy to test, simply run pfctl -d to disable it and
test again.



  I have the similar trouble as John. But I used ipfw instead of pf, as 
of haproxy can not bind mss size on FreeBSD, maybe use pf's scrub rule 
is a good idea.

  BTW, pf has a state named sloopy, it does not check sequence numbers.


Regards
Simon

Re: Socket Read Errors and Timeouts on FreeBSD

[Willy Tarreau]

Hi Simon,

On Tue, May 13, 2014 at 10:59:40PM +0800, k simon wrote:
 Hi,Willy,
 
 Oh and BTW, are you running with PF ? I have some old memories of PF
 abusively randomizing sequence numbers and preventing new connections
 from being initiated using a same source port from the came client. It
 was so odd that I had to disable it on my home reverse-proxy running
 OpenBSD! That is easy to test, simply run pfctl -d to disable it and
 test again.
 
 
   I have the similar trouble as John. But I used ipfw instead of pf, as 
 of haproxy can not bind mss size on FreeBSD, maybe use pf's scrub rule 
 is a good idea.
   BTW, pf has a state named sloopy, it does not check sequence numbers.

It's not a matter of being sloppy or not, but of being excessive in
that it does not even accept valid packets generated by its own TCP
stack! I think that some important transitions are still missing from
its state machine. I remember having reported that issue for the first
time almost 10 years ago, when comparing Netfilter in 2.4.0-pre-something
with PF on OpenBSD 3. I don't know what else to say unfortunately, if
people believe that a firewall should block valid packets just in case,
at least there's no place for such firewalls on my nor my customers'
servers!

Cheers,
Willy

RE: can not set mss on FreeBSD 10

[Lukas Tribus]

Hi Simon,


 Hi,Lists,
 I found haproxy 1.4.25 can not set mss on FreeBSD 10-stable as below:

 # /usr/local/sbin/haproxy -f /opt/etc/haproxy.conf
 [WARNING] 132/170407 (71806) : Starting frontend http-in: cannot set MSS

The set MSS code is straightforward, its your OS' TCP stack that doesn't
let you do this.

Did this work in older release of HAproxy? I don't think so.


Check this out, it seems FreeBSD doesn't support settings MSS on listening
sockets:
http://www.freebsd.org/cgi/query-pr.cgi?pr=144000




Regards,

Lukas

  

unique-id-header with capture request header

[Bryan Talbot]

We have more than 1 proxy tier. The edge proxy generates a unique ID and
the other tiers (and apps in between) log the value and pass it around as a
per-request id.

Middle tier haproxy instances capture and log the unique id using capture
request header which works fine; however, for the edge proxy this doesn't
work since the ID doesn't seem to be available as a request header yet and
a custom log-format must be used instead.

This means that the logs generated by edge and non-edge proxies have a
different format and be parsed specially. Also, a custom log-format must be
maintained just for this purpose.

What's the best way to capture the unique-id generated in a proxy or from a
request and log it in a consistent way?

-Bryan

Re: unique-id-header with capture request header

[Patrick Hemmer]

*From: *Bryan Talbot bryan.tal...@playnext.com
*Sent: * 2014-05-13 11:52:32 E
*To: *HAProxy haproxy@formilux.org
*Subject: *unique-id-header with capture request header

 We have more than 1 proxy tier. The edge proxy generates a unique ID
 and the other tiers (and apps in between) log the value and pass it
 around as a per-request id.

 Middle tier haproxy instances capture and log the unique id using
 capture request header which works fine; however, for the edge proxy
 this doesn't work since the ID doesn't seem to be available as a
 request header yet and a custom log-format must be used instead.

 This means that the logs generated by edge and non-edge proxies have a
 different format and be parsed specially. Also, a custom log-format
 must be maintained just for this purpose.

 What's the best way to capture the unique-id generated in a proxy or
 from a request and log it in a consistent way?

 -Bryan


We do this exact same thing. Unique ID generated on the outside, and
passed around on the inside.
However we use a custom log format on both the internal and external
haproxy so that the format is exactly the same.

External:
unique-id-format %{+X}o%pid-%rt
capture request header X-Request-Id len 12
log-format %ci:%cp\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\
%ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %U/%B\ %ST\ %tsc\
%ID,%[capture.req.hdr(0)]\ +\ %r

Internal:
capture request header X-Request-Id len 12
log-format %ci:%cp\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\
%ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %U/%B\ %ST\ %tsc\ %[capture.req.hdr(0)]\ +\ %r

We capture on external as well as occasionally an internal service will
re-route back through the external, and so it gets a new ID, and we can
correlate the two. But the fields are space delimited, so that even
showing 2 IDs, it's still a single field separated by comma (assuming
some client doesn't pass an invalid value in. but that's also why this
is at the end of the log line)

The other advantage of doing it that the default http log format is
missing %U, which we find useful to have.

-Patrick

Re: can not set mss on FreeBSD 10

[k simon]

Thank you, Lukas. Maybe I can workaround it on the front router.

Regards
Simon

于 14-5-13 23:29, Lukas Tribus 写道:

Hi Simon,



Hi,Lists,
I found haproxy 1.4.25 can not set mss on FreeBSD 10-stable as below:

# /usr/local/sbin/haproxy -f /opt/etc/haproxy.conf
[WARNING] 132/170407 (71806) : Starting frontend http-in: cannot set MSS


The set MSS code is straightforward, its your OS' TCP stack that doesn't
let you do this.

Did this work in older release of HAproxy? I don't think so.


Check this out, it seems FreeBSD doesn't support settings MSS on listening
sockets:
http://www.freebsd.org/cgi/query-pr.cgi?pr=144000




Regards,

Lukas