Re: Using the socket interface to access ACLs

2014-07-03 Thread Baptiste
On Wed, Jul 2, 2014 at 6:55 PM, William Jimenez
william.jime...@itsoninc.com wrote:
 Hi Baptiste et al.,
 Did you see my last comments? Sorry if this is an issue already addressed,
 but I wasn't able to find anything on usage specifics in the documentation.

 Thanks,
 William


 On Tue, Jul 1, 2014 at 2:49 PM, William Jimenez
 william.jime...@itsoninc.com wrote:

 Hi Baptiste
 I tried:


 # haproxyctl del acl myacl
 This command expects two parameters: ACL identifier and key.


 Then I tried this:

 # haproxyctl del acl myacl 0
 Unknown map identifier. Please use #id or file.


 as well as the inverse ('0 myacl')

 I do see the acl listed though:

 # haproxyctl show acl
 # id (file) description
 0 (/root/myacl) pattern loaded from file '/root/myacl' used by acl at
 file '/etc/haproxy/haproxy.cfg' line 19
 1 () acl 'hdr' file '/etc/haproxy/haproxy.cfg' line 19

 2 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 21


 Also a redirect stmt that uses the aforementioned threw an error when I
 defined it like you suggested:

 [ALERT] 180/204636 (5765) : parsing [/etc/haproxy/haproxy.cfg:31] : error
 detected in frontend 'x' while parsing redirect rule : error in condition:
 no such ACL : 'redir_true'.


 -William


 On Tue, Jul 1, 2014 at 2:42 PM, Baptiste bed...@gmail.com wrote:

 On Tue, Jul 1, 2014 at 11:16 PM, William Jimenez
 william.jime...@itsoninc.com wrote:
  Hi Baptiste, thank you for the response. I'm afraid I still don't
  follow.
  Say I have an ACL that I want to toggle from its current state (as
  defined in the flat file) to 'always_false'. I can see it exists from
  the output of the 'show acl' command:
 
  # id (file) description
  0 () acl 'always_true' file '/etc/haproxy/haproxy.cfg' line 19
 
  So to modify it I assume I would run something using 'add acl'. I
  thought you mentioned it needs to be defined in a file so I tried:
 
  # haproxyctl add acl myacl
  'add acl' expects two parameters: ACL identifier and pattern.
 
 
  where 'myacl' is a file containing:
 
  acl redir_true always_true
 
 
  Hope that helps clarify the situation. What am I doing wrong?
 
  Thanks in advance,
  William
 
 
  On Tue, Jul 1, 2014 at 2:00 PM, Baptiste bed...@gmail.com wrote:
 
  On Tue, Jul 1, 2014 at 10:54 PM, William Jimenez
  william.jime...@itsoninc.com wrote:
   Hello
   I am trying to modify ACLs via the socket interface. When I try to do
   something like 'get acl', I get an error:
  
   Missing ACL identifier and/or key.
  
   How do I find the ACL identifier or key for a specific ACL? I see the
   list of ACLs when I do a 'show acl', but unsure which of these values
   is the file or key:
  
   # id (file) description
   0 () acl 'always_true' file '/etc/haproxy/haproxy.cfg' line 19
   1 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 20
   2 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 21
   3 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 22
  
   Thanks
 
  Hi William,
 
  In order to be able to update ACL content, they must load their
  content from a file.
  The file name will be considered as a 'reference' you can point to
  when updating content.
  Don't forget to update simultaneously the content from an ACL and from
  the flat file to make HAProxy reload reliable :)
 
  Baptiste
 
 
 
 
  --
  William Jimenez
  Systems Engineer, Operations
  ItsOn, Inc.
  650-241-8470 {us/pacific}


 Hi William,

 In your configuration, you should load your acl like this:
 acl myacl hdr(Host) -f /path/to/myhosthdr.acl

 then your file acl reference will be myhosthdr.acl.

 Baptiste










William:

1. please stop top posting, it's getting hard to follow the thread!

2. please post your config file (or at least the relevant part of it)
with the content of your acl file

My guess is that you're misusing ACLs.

Baptiste



Multiple CPU Cores and Peers

2014-07-03 Thread Jai Gupta
We use SSL so we would want to use Multiple CPU Cores as well.
We also use Peers for HA but it seems that peers can't be used in
multi-process mode (nbproc > 1).
We were hoping to use one core for everything except SSL and all remaining
cores for SSL.

In this case, the only solution I can think of is to use two instances of
haproxy, one for SSL with multiple cores and second for load balancing and
peers with single core.

Is this approach correct? Is there any other alternative?

Jai


Re: Multiple CPU Cores and Peers

2014-07-03 Thread Baptiste
On Thu, Jul 3, 2014 at 9:03 AM, Jai Gupta j...@vidyamantra.com wrote:
 We use SSL so we would want to use Multiple CPU Cores as well.
 We also use Peers for HA but it seems that peers can't be used in
 multi-process mode (nbproc > 1).
 We were hoping to use one core for everything except SSL and all remaining
 cores for SSL.

 In this case, the only solution I can think of is to use two instances of
 haproxy, one for SSL with multiple cores and second for load balancing and
 peers with single core.

 Is this approach correct? Is there any other alternative?

 Jai


Hi Jai,

First question is what is the good reason you need to synchronize
content of stick-tables using peers?

Baptiste



SMPP traffic load balancing

2014-07-03 Thread Ahmed Ayoub
Hi,

Can I use HAProxy to load balance SMPP traffic?

Best regards,

Ahmed Ayoub
Chief Architect

Mob: +20 (10) 06719983
Email: a.ay...@cequens.com   |  web: www.cequens.com

Egypt
21 Mohamed Tawfiq Diab St.,
Off Makram Ebied St., 1st Floor,
Nasr City, 11371,
Cairo, Egypt

Saudi Arabia
Tawuniya Towers, King Fahd Rd.
7th Floor,  North Tower
P.O. Box 220933
Riyadh, Saudi Arabia

Tel:  +20 (2) 22734506
Fax: +20 (2) 26718892


Tel:  +966 (11) 2181515
Fax: +966 (11) 2181520





RE: SMPP traffic load balancing

2014-07-03 Thread Ahmed Ayoub
Hi,

Can I use HAProxy to load balance SMPP traffic?

Waiting for your feedback

Best regards,

Ahmed Ayoub
Chief Architect


From: Ahmed Ayoub
Sent: Thursday, July 3, 2014 11:15 AM
To: 'haproxy@formilux.org'
Subject: SMPP traffic load balancing

Hi,

Can I use HAProxy to load balance SMPP traffic?




Re: SMPP traffic load balancing

2014-07-03 Thread Baptiste
On Thu, Jul 3, 2014 at 11:21 AM, Ahmed Ayoub a.ay...@cequens.com wrote:

  Hi,



 Can I use HAProxy to load balance SMPP traffic?



 Waiting for your feedback




Hi,

Can you define what SMPP is???

Baptiste


Re: SMPP traffic load balancing

2014-07-03 Thread Thomas Heil
Hi,

On 03.07.2014 14:01, Baptiste wrote:



 On Thu, Jul 3, 2014 at 11:21 AM, Ahmed Ayoub a.ay...@cequens.com
 mailto:a.ay...@cequens.com wrote:

 Hi,

  

 Can I use HAProxy to load balance SMPP traffic?

  

 Waiting for your feedback

  


 Hi,

 Can you define what SMPP is???


SMPP is short message peer to peer. E.g. jabber makes use of it.
Because it's TCP, HAProxy should
be able to cope with it.

 Baptiste
thomas


Re: SMPP traffic load balancing

2014-07-03 Thread Thomas Heil
Hi,

On 03.07.2014 14:08, Thomas Heil wrote:
 Hi,

 On 03.07.2014 14:01, Baptiste wrote:



 On Thu, Jul 3, 2014 at 11:21 AM, Ahmed Ayoub a.ay...@cequens.com
 mailto:a.ay...@cequens.com wrote:

 Hi,

  

 Can I use HAProxy to load balance SMPP traffic?

  

 Waiting for your feedback

  


 Hi,

 Can you define what SMPP is???


 SMPP is short message peer to peer. E.g. jabber makes use of it.
 Because it's TCP, HAProxy should
 be able to cope with it.

Huh, that's wrong. SMPP is not XMPP. I just missed that. But
nevertheless HAProxy should be able to do it.

 Baptiste
 thomas 




RE: SMPP traffic load balancing

2014-07-03 Thread Ahmed Ayoub
This is Short Message Peer to Peer (SMPP) protocol

Best regards,

Ahmed Ayoub
Chief Architect

From: Baptiste [mailto:bed...@gmail.com]
Sent: Thursday, July 3, 2014 2:02 PM
To: Ahmed Ayoub
Cc: haproxy@formilux.org; ste...@vergic.com; christ...@vergic.com
Subject: Re: SMPP traffic load balancing



On Thu, Jul 3, 2014 at 11:21 AM, Ahmed Ayoub a.ay...@cequens.com wrote:
Hi,

Can I use HAProxy to load balance SMPP traffic?

Waiting for your feedback


Hi,

Can you define what SMPP is???

Baptiste


Re: Using the socket interface to access ACLs

2014-07-03 Thread Thierry FOURNIER
On Tue, 1 Jul 2014 23:00:13 +0200
Baptiste bed...@gmail.com wrote:

 On Tue, Jul 1, 2014 at 10:54 PM, William Jimenez
 william.jime...@itsoninc.com wrote:
  Hello
  I am trying to modify ACLs via the socket interface. When I try to do
  something like 'get acl', I get an error:
 
  Missing ACL identifier and/or key.
 
  How do I find the ACL identifier or key for a specific ACL? I see the list
  of ACLs when i do a 'show acl', but unsure which of these values is the file
  or key:
 
  # id (file) description
  0 () acl 'always_true' file '/etc/haproxy/haproxy.cfg' line 19
  1 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 20
  2 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 21
  3 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 22
 
  Thanks
 
 Hi William,
 
 In order to be able to update ACL content, they must load their
 content from a file.
 The file name will be considered as a 'reference' you can point to
 when updating content.
 Don't forget to update simultaneously the content from an ACL and from
 the flat file to make HAProxy reload reliable :)
 
 Baptiste
 

Hi

You can modify ACL without file. The identifier is the number prefixed
by the char '#', like this:

   add acl #1 127.0.0.1

get acl is used to debug acl.

Thierry




Re: Using the socket interface to access ACLs

2014-07-03 Thread Baptiste
On Thu, Jul 3, 2014 at 2:24 PM, Thierry FOURNIER tfourn...@haproxy.com wrote:
 On Tue, 1 Jul 2014 23:00:13 +0200
 Baptiste bed...@gmail.com wrote:

 On Tue, Jul 1, 2014 at 10:54 PM, William Jimenez
 william.jime...@itsoninc.com wrote:
  Hello
  I am trying to modify ACLs via the socket interface. When I try to do
  something like 'get acl', I get an error:
 
  Missing ACL identifier and/or key.
 
  How do I find the ACL identifier or key for a specific ACL? I see the list
  of ACLs when i do a 'show acl', but unsure which of these values is the 
  file
  or key:
 
  # id (file) description
  0 () acl 'always_true' file '/etc/haproxy/haproxy.cfg' line 19
  1 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 20
  2 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 21
  3 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 22
 
  Thanks

 Hi William,

 In order to be able to update ACL content, they must load their
 content from a file.
 The file name will be considered as a 'reference' you can point to
 when updating content.
 Don't forget to update simultaneously the content from an ACL and from
 the flat file to make HAProxy reload reliable :)

 Baptiste


 Hi

 You can modify ACL without file. The identifier is the number prefixed
 by the char '#', like this:

add acl #1 127.0.0.1

 get acl is used to debug acl.

 Thierry



Yes, but acl number is not reliable, since it can change in time.
Furthermore, it's easier to update content of a flat file than
updating ACL values in HAproxy's configuration.

Baptiste
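
The addressing rules from this thread in one place, as an added example that is not configuration from any of the posters: an ACL whose patterns are loaded with `-f`, and the socket commands that reference it by file or by `#id`. The ACL name `redir_hosts`, the file and socket paths, the host names and the backend address are assumptions.

```haproxy
# /etc/haproxy/haproxy.cfg (paths and names below are assumed for illustration)
global
    # Anyone who can write to this socket can run the commands further down,
    # so keep it readable and writable by its owner only.
    stats socket /var/run/haproxy.sock mode 600 level admin

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend x
    bind *:80
    # The ACL is declared here, in the configuration. Only its patterns
    # come from the file named after -f.
    acl redir_hosts hdr(host) -i -f /etc/haproxy/redir_hosts.acl
    # Rules refer to the ACL by its name, never by the file name.
    redirect location http://www.example.org/ if redir_hosts
    default_backend app

backend app
    server app1 192.0.2.10:8080

# /etc/haproxy/redir_hosts.acl holds one pattern per line and nothing else
# ("acl ..." directives belong in haproxy.cfg, not in this file):
#
#   old.example.com
#   legacy.example.com
#
# Commands sent to the stats socket. "show acl" prints "# id (file) description";
# the reference to use is either the text in parentheses or "#" plus the id.
#
#   show acl
#   show acl /etc/haproxy/redir_hosts.acl
#   add acl /etc/haproxy/redir_hosts.acl shop.example.com
#   get acl /etc/haproxy/redir_hosts.acl shop.example.com
#   del acl /etc/haproxy/redir_hosts.acl shop.example.com
#
# The same entry addressed by id, which also works for an ACL with no file
# (the "()" rows in "show acl"). Ids are assigned at startup and can change
# when the configuration changes, so look the id up before each use:
#
#   add acl #0 shop.example.com
#
# Runtime changes exist only in the running process. Write the same pattern
# to redir_hosts.acl as well, otherwise the next reload drops it.
```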



Re: SMPP traffic load balancing

2014-07-03 Thread Baptiste
On Thu, Jul 3, 2014 at 2:21 PM, Ahmed Ayoub a.ay...@cequens.com wrote:

  This is Short Message Peer to Peer (SMPP) protocol



 Hi,



 Can you define what SMPP is???



 Baptiste



Can you elaborate a bit more???
What are the requirements of this protocol?

Here, we know what HAProxy can do but we don't know what SMPP requires.
So please explain us its requirements and we'll tell you if HAProxy can
match them.

Baptiste


Re: Multiple CPU Cores and Peers

2014-07-03 Thread Baptiste
On Thu, Jul 3, 2014 at 10:57 AM, Jai Gupta j...@vidyamantra.com wrote:



 On Thu, Jul 3, 2014 at 12:49 PM, Baptiste bed...@gmail.com wrote:

 On Thu, Jul 3, 2014 at 9:03 AM, Jai Gupta j...@vidyamantra.com wrote:
  We use SSL so we would want to use Multiple CPU Cores as well.
  We also use Peers for HA but it seems that peers can't be used in
  multi-process mode (nbproc > 1).
  We were hoping to use one core for everything except SSL and all
  remaining cores for SSL.
 
  In this case, the only solution I can think of is to use two instances of
  haproxy, one for SSL with multiple cores and second for load balancing
  and peers with single core.
 
  Is this approach correct? Is there any other alternative?
 
  Jai


 Hi Jai,

 First question is what is the good reason you need to synchronize
 content of stick-tables using peers?


 Hi Baptiste,

 We use stick-tables because our application needs sticky sessions (long
 lived websocket connections) and are using peers because we need HA in event
 if one haproxy crashes and if needed, we can also distribute load via DNS if
 multiple haproxy have stick-tables info.

 For simplicity, we would want to use only one instance of haproxy per node
 and was hoping haproxy to use multiple cores, at least for ssl. Something
 similar to
 http://brokenhaze.com/blog/2014/03/25/how-stack-exchange-gets-the-most-out-of-haproxy/
 but because we are using peers, haproxy won't allow multi-process mode. I am
 hoping for a way by which we can limit peers to one core and use multiple
 cores for other stuff.


 Baptiste



Hi Jai,

Could you share with us your stick configuration lines?
I mean the stick table  + the stick on, stick match, etc...

Baptiste



Re: Client Certificate

2014-07-03 Thread Martin van Diemen
Hi Lukas,

Thank you for making this clear. I ended up by adding another public ip
just for SSL Client certificate authentication.

Groeten,

Martin


On Tue, Jul 1, 2014 at 3:17 PM, Lukas Tribus luky...@hotmail.com wrote:

 Hi Martin,


  Hi,
 
  I'm trying to configure HAProxy so that on one specific domain users
  authenticate with a SSL Client certificate.
 
  The Load Balancer has one public IP address and has a frontend
  configured which is bound to port 443:
  bind *:443 ssl crt ./haproxy/
 
  I selected the correct backend as follows:
  use_backend secure_servers if { ssl_fc_sni secure.domain.tld ssl_fc_has_crt }
 
  default_backend default_servers
 
  When changing bind to verify the ssl certificate all other ssl traffic is
  no longer allowed:
  bind *:443 ssl crt ./haproxy/ ca-file ./ca.pem verify required
 
  A solution would be to create another frontend with an additional
  public IP address but I want to prevent this if possible.
 
  How can I only require a SSL Client certificate on the
  secure.domain.tld?

 You cannot, this is not currently supported.


 The only workaround here is to put another proxying layer in tcp mode in
 front of your current deployment, enabling you to switch to a different
 backend -- second layer frontend combination according to the SNI value
 (req.ssl_sni [1] in this case, since you are not using SSL termination on
 the first proxy tier).

 (and you could use the recently implemented abstract namespaces for 1st
 tier backend - 2nd tier frontend connection).





 Regards,

 Lukas



 [1]
 http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#7.3.5-req.ssl_sni
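
The two-tier workaround Lukas describes, written out as an added example (not configuration posted in the thread). The `bind` options, domain and backend names are taken from the question; the section names, abstract-namespace socket names, timeouts and server addresses are assumptions.

```haproxy
defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Tier 1: plain TCP on the single public address. TLS is not terminated
# here; the SNI is read from the ClientHello and used only to choose which
# second-tier frontend receives the connection.
frontend tls_in
    mode tcp
    bind *:443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend to_fe_mtls if { req.ssl_sni -i secure.domain.tld }
    default_backend to_fe_tls

# send-proxy passes the original client address to tier 2.
backend to_fe_mtls
    mode tcp
    server mtls abns@fe_mtls send-proxy

backend to_fe_tls
    mode tcp
    server tls abns@fe_tls send-proxy

# Tier 2a: terminates TLS and requires a client certificate.
frontend fe_mtls
    mode http
    bind abns@fe_mtls accept-proxy ssl crt ./haproxy/ ca-file ./ca.pem verify required
    default_backend secure_servers

# Tier 2b: terminates TLS for every other name, without a client certificate.
frontend fe_tls
    mode http
    bind abns@fe_tls accept-proxy ssl crt ./haproxy/
    # The SNI that tier 1 routed on is chosen by the client and is not tied
    # to the Host header sent later. Refuse the protected name here so it
    # can only be reached through fe_mtls.
    http-request deny if { hdr_beg(host) -i secure.domain.tld }
    default_backend default_servers

# secure_servers is referenced only by fe_mtls, so every request that
# reaches it arrived over a connection with a verified client certificate.
backend secure_servers
    mode http
    server sec1 192.0.2.20:8080

backend default_servers
    mode http
    server web1 192.0.2.10:8080
```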



Re: SMPP traffic load balancing

2014-07-03 Thread Benjamin Lee
See comments inserted below...

On Thursday, 2014-07-03 at 07:17:46 PM, Ahmed Ayoub scribbled:

[...] *snip*

 
Can you elaborate a bit more???
What are the requirements of this protocol?
Here, we know what HAProxy can do but we don't know what SMPP requires.
So please explain us its requirements and we'll tell you if HAProxy can
match them.

The last time I used the SMPP protocol, it was carried over TCP, ergo
HAProxy should be fine for load balancing.

That said, however... way back when I used this protocol in anger,
SMPP connections were very, very long-lived (days or weeks would pass
between SYN-SYN/ACK-ACK and a FIN or RST). For those that have not
heard of SMPP before, it is a protocol usually used to send bulk SMS
messages. In practise, a single SMPP over TCP connection transfers
thousands if not millions of SMS messages. You could consider it a
back-haul protocol.

In my humble opinion, unless the protocol and its use has dramatically
changed over the last 10 years, Ahmed, if you need to load balance
such long-lived TCP connections via HAProxy, you may want to re-think
your system architecture. e.g. a simple DNS round robin setup

Cheers! :-)
Ben.

-- 
Benjamin Lee   mailto:benjamin@realthought.net
Melbourne, Australiahttp://www.realthought.net
Linux / BSD / GNU tel:+61 4 16 BEN LEE

Open Source   para nuestro mundo
__
Why be difficult when, with a bit of effort, you could be impossible?




Re: SMPP traffic load balancing

2014-07-03 Thread Baptiste
On Thu, Jul 3, 2014 at 3:37 PM, Benjamin Lee
benjamin@realthought.net wrote:
 See comments inserted below...

 On Thursday, 2014-07-03 at 07:17:46 PM, Ahmed Ayoub scribbled:

 [...] *snip*


Can you elaborate a bit more???
What are the requirements of this protocol?
Here, we know what HAProxy can do but we don't know what SMPP requires.
So please explain us its requirements and we'll tell you if HAProxy can
match them.

 The last time I used the SMPP protocol, it was carried over TCP, ergo
 HAProxy should be fine for load balancing.

 That said, however... way back when I used this protocol in anger,
 SMPP connections were very, very long-lived (days or weeks would pass
 between SYN-SYN/ACK-ACK and a FIN or RST). For those that have not
 heard of SMPP before, it is a protocol usually used to send bulk SMS
 messages. In practise, a single SMPP over TCP connection transfers
 thousands if not millions of SMS messages. You could consider it a
 back-haul protocol.

 In my humble opinion, unless the protocol and its use has dramatically
 changed over the last 10 years, Ahmed, if you need to load balance
 such long-lived TCP connections via HAProxy, you may want to re-think
 your system architecture. e.g. a simple DNS round robin setup

 Cheers! :-)
 Ben.



Thanks Ben for clarifying.
Last question when we speak about load-balancing: does it need any
kind of persistence??

Baptiste



HAProxy maxconn value problem

2014-07-03 Thread bahri turel
Hi all,

I am struggling with an HAProxy problem.

I have 2 xmpp servers, and try to test it with haproxy using Tsung.
My haproxy.cfg file is below

global
    log /dev/log   local0 info
    log /dev/log   local0 notice
    #log 127.0.0.1 local0
    #log 127.0.0.1 local1 notice
    #log loghost  local0 info
    maxconn 1
    #chroot /usr/share/haproxy
    uid 99
    gid 99
    daemon
    #debug
    #quiet

defaults
    log global
    mode http
    option httplog
    option dontlognull
    retries 3
    option redispatch
    maxconn 1
    contimeout 5000
    clitimeout 5
    srvtimeout 5

listen openfire 127.0.0.1:5222
    mode tcp
    option tcplog
    balance roundrobin
    maxconn 1
    server ubuntu1 10.10.10.40:5222 check port 7070 maxconn 5000
    server ubuntu2 10.10.10.42:5223 check port 7070 maxconn 5000



But when I run the command below I get this:

[root@network /]# haproxy -vv
HA-Proxy version 1.4.24 2013/06/17
Copyright 2000-2013 Willy Tarreau w...@1wt.eu

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing
  OPTIONS = USE_REGPARM=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes

Available polling systems :
 sepoll : pref=400,  test result OK
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 4 (4 usable), will use sepoll.



And Tsung tests cannot pass the limit of 2000.

How can I change the value of maxconn, or how can I activate the value in
haproxy.cfg?

Thanks in advance..


Question on Health Checks

2014-07-03 Thread jeff saremi
Is this possible?

to do a light check say every 10 sec
do a deeper check say every 30 sec
on the same set of servers?

  

Re: Question on Health Checks

2014-07-03 Thread Baptiste
On Thu, Jul 3, 2014 at 5:14 PM, jeff saremi jeffsar...@hotmail.com wrote:
 Is this possible?

 to do a light check say every 10 sec
 do a deeper check say every 30 sec

 on the same set of servers?


Hi Jeff,

nope, it is not possible.

That said, you might be able to perform a light check at 'inter'
interval using any check and perform a deeper one using the
agent-check at 'agent-inter' period.

Baptiste



Re: HAProxy maxconn value problem

2014-07-03 Thread Lukas Tribus
Hi Bahri,


 How can i change the value of maxconn, or how can activate the value
 in haproxy.cfg

Just configure maxconn in the global section.

global
 maxconn XYZ


Btw, please read the manual, those things are very well
documented [1].



Regards,

Lukas



[1] http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#maxconn

  


Very low session rate with simple benchmark setup

2014-07-03 Thread Maxime Brugidou
Hi all,

We have been trying to get better performance from our simple haproxy
setup since we encountered issues when getting over 15k session/sec.

Our simple test setup to reproduce the issue:
* 1 server with 2 CPUs Xeon (E5 core i7) with 6 cores each with
hyperthreading on (24 cores total)
  * 1 Intel I350 Gigabit ethernet interface
  * CentOS 6.5 kernel 2.6.32-431.11.2.el6.centos.plus.x86_64
  * 1 haproxy 1.5.1 recompiled (1.4 from the distribution had the same
issues anyway)
  * 1 nginx on the same host with one simple worker serving a very
small static file ( 10 bytes)
* 4 client servers running siege with a simple HTTP GET / at
concurrency 500 each, in the same VLAN

We only get session rate of ~16k per second which seems very low. The
interesting symptom is that we get 100% CPU for the haproxy process
with very low connection rate.

The CPU usage is split this way: 29.3%us, 46.3%sy,  0.0%ni,  0.0%id,
0.0%wa,  0.0%hi, 24.3%si,  0.0%st

The very high si and sy seems strange, we focused on soft IRQ config
after that to no avail.

We tried all the tweaks we could think about:
* playing with sysctl (we don't have conntrack, we don't have
iptables, tcp settings seems OK)
* we tried recompiling the igb driver to get all the options,
increasing the rx-usecs setting with ethtool, this reduces the number
of hard IRQ (but probably increases latency) but does not impact CPU
usage
* we looked at the process with strace/perf without much success to
get any interesting info

The most interesting part:
* we did the trick to set the smp_affinity of our eth0 interface to
cpu 0 and haproxy on cpu 1 with taskset BUT the soft interrupt CPU
stays on cpu 1 (with the haproxy). This is not what is documented from
the linux kernel, we dug into the RPS and RFS network features but
they are not activated in Centos 6 by default so they should not
interfere.

I think that we have been looking way too deep in the problem and the
solution must be right in front of us.

Does anyone have ideas?

-- 
Best,
Maxime Brugidou @ Criteo


Additional infos:

$ haproxy -vv
HA-Proxy version 1.5.1 2014/06/24
Copyright 2000-2014 Willy Tarreau w...@1wt.eu

Build options :
  TARGET  = linux2628
  CPU = native
  CC  = gcc
  CFLAGS  = -O2 -march=native -g -fno-strict-aliasing
  OPTIONS = USE_LINUX_SPLICE=1 USE_LIBCRYPT=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built without zlib support (USE_ZLIB not set)
Compression algorithms supported : identity
Built without OpenSSL support (USE_OPENSSL not set)
Built with PCRE version : 7.8 2008-09-05
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT
IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK

$ cat /etc/haproxy/haproxy.conf
global
  log /dev/log   local1 notice
  maxconn 8192
  user haproxy
  group haproxy

defaults
  log global
  mode http
  retries 0
  timeout client 5s
  timeout connect 1s
  timeout server 5s
  option dontlognull
  option http-server-close
  option httpchk GET /admin/status
  option httplog
  option redispatch
  option splice-response
  balance  roundrobin

frontend main
  bind 0.0.0.0:80
  maxconn 8192
  use_backend test

backend test
  server nginx 127.0.0.1:8081 maxconn 8192



Re: Very low session rate with simple benchmark setup

2014-07-03 Thread Sasha Pachev
On Thu, Jul 3, 2014 at 11:00 AM, Maxime Brugidou
maxime.brugi...@gmail.com wrote:
 Hi all,

 We have been trying to get better performance from our simple haproxy
 setup since we encountered issues when getting over 15k session/sec.

 Our simple test setup to reproduce the issue:
 * 1 server with 2 CPUs Xeon (E5 core i7) with 6 cores each with
 hyperthreading on (24 cores total)
   * 1 Intel I350 Gigabit ethernet interface
   * CentOS 6.5 kernel 2.6.32-431.11.2.el6.centos.plus.x86_64
   * 1 haproxy 1.5.1 recompiled (1.4 from the distribution had the same
 issues anyway)
   * 1 nginx on the same host with one simple worker serving a very
 small static file ( 10 bytes)
 * 4 client servers running siege with a simple HTTP GET / at
 concurrency 500 each, in the same VLAN

 We only get session rate of ~16k per second which seems very low. The
 interesting symptom is that we get 100% CPU for the haproxy process
 with very low connection rate.

Maxime:

Some ideas:

- what happens if you up the size of the request ?
- what results do you get with haproxy 1.4 ?
- have you tried gdb -p $(pidof haproxy) --batch --ex "set pagination 0"
--ex "thread apply all bt" ? Sometimes a few random stacktrace
samples help you stumble upon an idea of where your bottleneck is.


-- 
Sasha Pachev

Fast Running Blog.
http://fastrunningblog.com
Run. Blog. Improve. Repeat.



Re: HAProxy maxconn value problem

2014-07-03 Thread Lukas Tribus
 Hi Lukas,

Hi, please respond to the mailing list!



 Thanks for reply but i have already set this value in the global
 section of haproxy.cfg file..

I see.



 My problem is that it ignores the value i have entered..

Why do you think its ignoring the values?

Do you see 503 responses towards the client?

Please understand that the haproxy -vv output does NOT reflect
what haproxy is doing, but rather what default values have been
set at compile time.

When you specify maxconn in the configuration, your compile time
maxconn value does NOT matter. Stop looking at it.


In your case I think your backend or your test client simply cannot
go above 2000 requests per second.



Regards,

Lukas

  


Re: Very low session rate with simple benchmark setup

2014-07-03 Thread Maxime Brugidou
On Jul 3, 2014 7:19 PM, Sasha Pachev sa...@asksasha.com wrote:

 Some ideas:

 - what happens if you up the size of the request ?

We increased the request to more than 2500 bytes and it has an effect on
the soft interrupt CPU for the cpu 0 (the one where we pinned the IRQ, not
the one where we pinned haproxy). This makes sense since we don't use jumbo
frames and we probably doubled or tripled the number of RX packets. However
we arrive in the stunning situation where both cpu 0 and cpu 1 have around
25 to 30% of soft interrupt (at least according to top).

This does not affect at all the session rate, stuck to ~16k/s. This makes
me think that the cpu 1 soft interrupt time is really abnormal and that the
cpu 0 si time is normal (normal = coming from a hard interrupt on eth0)
right?


 - what results do you get with haproxy 1.4 ?

Very similar result, same blocker around ~16k session/s with haproxy at
100% CPU (same pattern with user, sys and si). It all looks like a kernel
or hardware or stupid config issue somewhere.


 - have you tried gdb -p $(pidof haproxy) --batch --ex "set pagination 0"
 --ex "thread apply all bt" ? Sometimes a few random stacktrace
 samples help you stumble upon an idea of where your bottleneck is.


I ran a couple of them but without much success since i'm not very fluent
in this stuff :) from all the stacktraces i got nothing stood out and the
code didn't seem blocked somewhere special.

Additional note: we get around 300k TIME_WAIT connections but use tw_reuse
so it shouldn't be an issue i think


Need help with url rewrite

2014-07-03 Thread Jeffrey Scott Flesher Gmail
I have a url that always begins with ww, ie http://domain.tdl/ww/en/..., I want 
to rewrite the url to include the ww, 
I tried the below, it works, but changes the path or something,
because it causes the resources like css and images to not appear (404),
does anyone know how to fix this or do this the right way?

acl has_ww_uri path_beg -i /ww
reqirep ^([^\ :]*)\ /(.*) \1\ /ww/\2 if !has_ww_uri



Re: Very low session rate with simple benchmark setup

2014-07-03 Thread Baptiste
On Thu, Jul 3, 2014 at 8:27 PM, Maxime Brugidou
maxime.brugi...@gmail.com wrote:

 On Jul 3, 2014 7:19 PM, Sasha Pachev sa...@asksasha.com wrote:

 Some ideas:

 - what happens if you up the size of the request ?

 We increased the request to more than 2500 bytes and it has an effect on the
 soft interrupt CPU for the cpu 0 (the one where we pinned the IRQ, not the
 one where we pinned haproxy). This makes sense since we don't use jumbo
 frames and we probably doubled or tripled the number of RX packets. However
 we arrive in the stunning situation where both cpu 0 and cpu 1 have around
 25 to 30% of soft interrupt (at least according to top).

 This does not affect at all the session rate, stuck to ~16k/s. This makes me
 think that the cpu 1 soft interrupt time is really abnormal and that the cpu
 0 si time is normal (normal = coming from a hard interrupt on eth0) right?


 - what results do you get with haproxy 1.4 ?

 Very similar result, same blocker around ~16k session/s with haproxy at 100%
 CPU (same pattern with user, sys and si). It all looks like a kernel or
 hardware or stupid config issue somewhere.


 - have you tried gdb -p $(pidof haproxy) --batch --ex "set pagination 0"
 --ex "thread apply all bt" ? Sometimes a few random stacktrace
 samples help you stumble upon an idea of where your bottleneck is.


 I ran a couple of them but without much success since i'm not very fluent in
 this stuff :) from all the stacktraces i got nothing stood out and the code
 didn't seem blocked somewhere special.

 Additional note: we get around 300k TIME_WAIT connections but use tw_reuse
 so it shouldn't be an issue i think


Hi Maxime,

First of all, a few questions:
- what is the exact reference of your CPU ?
- what is the frequency of your CPU ?
- what is the command line you run on the client side (siege)
- have you disabled irq-balance ?
- what type of network interface are you using? (and which driver)
- are you benchmarking in keep-alive mode or not?

Then a few remarks:
- you don't need to enable USE_LINUX_SPLICE=1 USE_LIBCRYPT=1 at
compilation time. These options are implicitly enabled by the target
you chose (linux2628)
- hyperthreading is not useful in your case, you can disable it
- you can bind HAProxy process to a core using HAProxy's configuration
directive 'cpu-map' (much better than taskset)
- splicing is totally counter productive with such a small object,
please disable it
- option http-server-close was the best mode in HAProxy 1.4. In 1.5,
you should prefer 'option http-keep-alive' which may help in case the
client and the server are compatible with it
- are you sure your CPU network IO binding was right?

A few tests you could run:
- disable logging and tell us if there is an improvement or not (if
yes, how much)
- make HAProxy to answer directly without accessing nginx and check if
you doubled the performance or not (and report us the result)
- run your nginx server on a separated server and tell us the
performance you can reach


Baptiste



Re: Need help with url rewrite

2014-07-03 Thread Baptiste
On Thu, Jul 3, 2014 at 9:38 PM, Jeffrey Scott Flesher Gmail
jeffrey.scott.fles...@gmail.com wrote:
 I have a url that always begins with ww, ie http://domain.tdl/ww/en/..., I
 want to rewrite the url to include the ww,
 I tried the below, it works, but changes the path or something,
 because it cause the resources like css and images to not appear (404),
 does anyone know how to fix this or do this the right way?

 acl has_ww_uri path_beg -i /ww
 reqirep ^([^\ :]*)\ /(.*) \1\ /ww/\2 if !has_ww_uri


Hi Jeffrey,

Can you clarify a bit your question, cause you're confusing me.
please send us an example of what you get in HAProxy and how you want
it out after HAProxy has rewritten it.

Baptiste



Re: dns resoluton and caching

2014-07-03 Thread Baptiste
On Wed, Jul 2, 2014 at 5:03 AM, Yumerefendi, Aydan
aydan.yumerefe...@inin.com wrote:
 We are using haproxy to route traffic to several AWS services that are
 behind an ELB and noticed the following behavior:
   - haproxy resolves the ELB address at startup and routes traffic just fine
 (not sure if haproxy uses the first IP or all resolved IPs and round-robins
 between them, though)
   - however,  Amazon uses short TTL for ELB DNS entries, 60s or so. If the
 ELB is modified, due to load, or internal reconfiguration, Amazon can modify
 the ELB DNS mapping
   - once the IP(s) mapped to the ELB are completely replaced, relative to
 the initially resolved ones at startup, haproxy fails to route traffic and
 returns status 503

 Is there a way to configure haproxy to respect DNS TTL when resolving dns
 names? If not, is there something you can recommend that would allow us to
 deal with this problem?

 Our current plan is to stop using DNS for the ELB and instead to use its ip
 addresses. We'll then periodically do DNS resolutions and once we detect a
 change, we'll rewrite the configuration and have haproxy reload it.

 Thanks for you help and for this great product!

 --aydan

Hi,

This is not yet available in HAProxy.
It's a common request and should be available some day, but no idea when!

Baptiste
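
The workaround described in the quoted message (resolve periodically, rewrite the configuration on change, reload) could look like the sketch below. It is an added example, not code from the thread or from HAProxy; the marker comments, the backend name, the `elbN` server names and the sample addresses are assumptions.

```python
import ipaddress
import os
import re
import socket

# Hypothetical marker comments that delimit the server lines this script owns.
BEGIN = "# BEGIN resolved servers"
END = "# END resolved servers"

# Constructed sample configuration (backend name and addresses are made up).
SAMPLE_CFG = """backend aws_service
    mode http
    # BEGIN resolved servers
    server elb1 192.0.2.10:80 check
    server elb2 192.0.2.11:80 check
    # END resolved servers
"""


def resolve_ipv4(name, port, resolver=socket.getaddrinfo):
    """Return the sorted, de-duplicated IPv4 addresses for name, or [] on failure."""
    try:
        infos = resolver(name, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos}, key=ipaddress.ip_address)


def _split(cfg_text):
    """Return (head, managed block, tail); raise if the markers are missing."""
    if BEGIN not in cfg_text or END not in cfg_text:
        raise ValueError("managed-block markers not found")
    head, rest = cfg_text.split(BEGIN, 1)
    block, tail = rest.split(END, 1)
    return head, block, tail


def listed_ips(cfg_text):
    """Addresses on the server lines between the two markers, sorted."""
    _, block, _ = _split(cfg_text)
    found = re.findall(r"^\s*server\s+\S+\s+(\d+\.\d+\.\d+\.\d+):\d+", block, re.M)
    return sorted(found, key=ipaddress.ip_address)


def rewrite(cfg_text, ips, port):
    """Replace the managed block with one server line per address."""
    head, _, tail = _split(cfg_text)
    lines = [f"    server elb{i} {ip}:{port} check" for i, ip in enumerate(ips, 1)]
    return head + BEGIN + "\n" + "\n".join(lines) + "\n    " + END + tail


def sync_once(cfg_path, name, port, resolver=socket.getaddrinfo):
    """Rewrite cfg_path when the resolved set differs from the listed one.

    Returns True when the file changed and a reload is needed. A failed or
    empty lookup leaves the file alone, so a resolver outage cannot empty
    the backend.
    """
    with open(cfg_path) as fh:
        text = fh.read()
    ips = resolve_ipv4(name, port, resolver)
    if not ips or ips == listed_ips(text):
        return False
    tmp = cfg_path + ".new"
    with open(tmp, "w") as fh:
        fh.write(rewrite(text, ips, port))
    os.replace(tmp, cfg_path)  # atomic swap on the same filesystem
    return True


if __name__ == "__main__":
    import tempfile

    # Constructed resolver answer standing in for a changed ELB mapping.
    def fake(*_args, **_kwargs):
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("198.51.100.5", 80))]

    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "haproxy.cfg")
        with open(path, "w") as fh:
            fh.write(SAMPLE_CFG)
        print("reload needed:", sync_once(path, "elb.example.invalid", 80, fake))
```

When `sync_once` returns True, the caller would check the new file with `haproxy -c -f` and then reload; running this from cron or a loop at an interval close to the record's TTL keeps the lag short.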



Re: dns resoluton and caching

2014-07-03 Thread Yumerefendi, Aydan
Thank you Baptiste. I think it will be very useful feature to add for any
service that uses dynamic dns of some sort.

Thanks for your reply,

Best,
--aydan

On 7/3/14, 4:41 PM, Baptiste bed...@gmail.com wrote:

On Wed, Jul 2, 2014 at 5:03 AM, Yumerefendi, Aydan
aydan.yumerefe...@inin.com wrote:
 We are using haproxy to route traffic to several AWS services that are
 behind an ELB and noticed the following behavior:
   - haproxy resolves the ELB address at startup and routes traffic just fine
 (not sure if haproxy uses the first IP or all resolved IPs and round-robins
 between them, though)
   - however,  Amazon uses short TTL for ELB DNS entries, 60s or so. If the
 ELB is modified, due to load, or internal reconfiguration, Amazon can modify
 the ELB DNS mapping
   - once the IP(s) mapped to the ELB are completely replaced, relative to
 the initially resolved ones at startup, haproxy fails to route traffic and
 returns status 503

 Is there a way to configure haproxy to respect DNS TTL when resolving dns
 names? If not, is there something you can recommend that would allow us to
 deal with this problem?

 Our current plan is to stop using DNS for the ELB and instead to use its ip
 addresses. We'll then periodically do DNS resolutions and once we detect a
 change, we'll rewrite the configuration and have haproxy reload it.

 Thanks for you help and for this great product!

 --aydan

Hi,

This is not yet available in HAProxy.
It's a common request and should be available some day, but no idea when!

Baptiste




Re: Issue with ssl_c_sha1

2014-07-03 Thread Willy Tarreau
Hi,

On Wed, Jul 02, 2014 at 02:49:55AM +, Yumerefendi, Aydan wrote:
 Willy,
 
 Thanks for you help. Your suggestion worked! What tripped me was the lack
 of an example involving ssl_c_sha1 in the documentation. The easiest way
 to improve would be to the line you sent me to the list of other SSL
 examples.

I added an example according to your suggestion, thanks!
Willy




Re: Very low session rate with simple benchmark setup

2014-07-03 Thread Willy Tarreau
Hi Maxime,

On Thu, Jul 03, 2014 at 07:00:52PM +0200, Maxime Brugidou wrote:
 Hi all,
 
 We have been trying to get better performance from our simple haproxy
 setup since we encountered issues when getting over 15k session/sec.
 
 Our simple test setup to reproduce the issue:
 * 1 server with 2 CPUs Xeon (E5 core i7) with 6 cores each with
 hyperthreading on (24 cores total)
   * 1 Intel I350 Gigabit ethernet interface
   * CentOS 6.5 kernel 2.6.32-431.11.2.el6.centos.plus.x86_64
   * 1 haproxy 1.5.1 recompiled (1.4 from the distribution had the same
 issues anyway)
   * 1 nginx on the same host with one simple worker serving a very
 small static file ( 10 bytes)
 * 4 client servers running siege with a simple HTTP GET / at
 concurrency 500 each, in the same VLAN
 
 We only get session rate of ~16k per second which seems very low. The
 interesting symptom is that we get 100% CPU for the haproxy process
 with very low connection rate.
 
 The CPU usage is split this way: 29.3%us, 46.3%sy,  0.0%ni,  0.0%id,
 0.0%wa,  0.0%hi, 24.3%si,  0.0%st
 
 The very high si and sy seems strange, we focused on soft IRQ config
 after that to no avail.

I'm not surprised. Without pinning, the system will move haproxy to the
same CPU as the one delivering the interrupts, leaving very little place
for both to coexist. With such workloads it's normal to have a high CPU
usage in softirq, as packet processing takes a significant amount of time,
more on some drivers than others. The igb driver (i350 is igb, right?)
is not among the cheapest ones per packet so I'm not surprised.

 We tried all the tweaks we could think about:
 * playing with sysctl (we don't have conntrack, we don't have
 iptables, tcp settings seems OK)

OK great.

 * we tried recompiling the igb driver to get all the options,
 increasing the rx-usecs setting with ethtool, this reduces the number
 of hard IRQ (but probably increases latency) but does not impact CPU
 usage

Past some point, you'll get the driver to enter polling mode and reach
100% CPU. You can also try to increase the number of Tx descriptors to
avoid seeing the queue start/stop too fast (which is expensive as well).
But NICs tend to be less efficient with many Tx descriptors.

 * we looked at the process with strace/perf without much success to
 get any interesting info
 
 The most interesting part:
 * we did the trick to set the smp_affinity of our eth0 interface to
 cpu 0 and haproxy on cpu 1 with taskset BUT the soft interrupt CPU
 stays on cpu 1 (with the haproxy). This is not what is documented from
 the linux kernel, we dug into the RPS and RFS network features but
 they are not activated in Centos 6 by default so they should not
 interfere.

I'm pretty sure that CPU 1 is the first thread of the first core of
the second socket. So you're in the absolute worst situation where
all the traffic has to transit through memory, and cache lines are
doing ping-pong between the two sockets. The best thing to do is to
totally stop the second socket for now.

Please just verify with this :

   grep '' /sys/devices/system/cpu/cpu*/topology/phy*

Second, disable hyperthreading to ensure you're not running haproxy
on one core and the network on the other thread of the same core. You'll
be able to re-enable it once you figure what the problem is, but there's
no reason for wasting time with these parasites for now.

 I think that we have been looking way too deep in the problem and the
 solution must be right in front of us.
 
 Does anyone have ideas?

Could you check your network card's traffic (ideally on the switch) in
terms of bit rate and packet rate in each direction ? At 15khps it depends
a lot on the object size, especially when running on gigabit NICs which
are easily overloaded.

How many concurrent connections are you running with during your tests ?
It's easy to reach 100% CPU with no aggregated work if you have too few
concurrent requests, simply because you have a lot of small idle places
which are not usable for anything else.

A few comments below :

 $ cat /etc/haproxy/haproxy.conf
 global
   log /dev/log   local1 notice
   maxconn 8192
   user haproxy
   group haproxy
 
 defaults
   log global

Logging to /dev/log generally means a lot of losses (very tiny network
buffers on UNIX sockets). So it's likely that haproxy is also sending
a lot of alerts that are dropped because you daemonized. That can waste
a significant amount of CPU. Also, I tend to say that logging alone
consumes 20% of the request rate. But we do better than you on a
pentium-M 1.8 GHz with logs enabled. You should try to disable logs
first.

   mode http
   retries 0
   timeout client 5s
   timeout connect 1s
   timeout server 5s
   option dontlognull
   option http-server-close
   option httpchk GET /admin/status
   option httplog
   option redispatch
   option splice-response

Splicing will be of no help for small objects.

You can try to see if you're network-bound by adding option tcp-smart-connect.
It saves one 

Re: Need help with url rewrite

2014-07-03 Thread Jeffrey Scott Flesher Gmail
I have a URL lets say:
http://example.com
I want it to be rewritten by haproxy to:
http://example.com/ww

All I want is for haproxy to rewrite the URL only if it does not have
any path, ie http://example.com, then add the ww to it, so it becomes
http://example.com/ww
I do not have Apache on the server, so not mod_rewrite.
I hope this is clear enough, not sure how else to say it.

Thanks

On Thu, 2014-07-03 at 22:40 +0200, Baptiste wrote:

 On Thu, Jul 3, 2014 at 9:38 PM, Jeffrey Scott Flesher Gmail
 jeffrey.scott.fles...@gmail.com wrote:
  I have a url that always begins with ww, ie http://domain.tdl/ww/en/..., I
  want to rewrite the url to include the ww,
  I tried the below, it works, but changes the path or something,
  because it cause the resources like css and images to not appear (404),
  does anyone know how to fix this or do this the right way?
 
  acl has_ww_uri path_beg -i /ww
  reqirep ^([^\ :]*)\ /(.*) \1\ /ww/\2 if !has_ww_uri
 
 
 Hi Jeffrey,
 
 Can you clarify a bit your question, cause you're confusing me.
 please send us an example of what you get in HAProxy and how you want
 it out after HAProxy has rewritten it.
 
 Baptiste


Re: Very low session rate with simple benchmark setup

2014-07-03 Thread Maxime Brugidou
Thanks to Sasha, Baptiste and Willy for helping me


On Thu, Jul 3, 2014 at 11:13 PM, Willy Tarreau w...@1wt.eu wrote:

 The most interesting part:
 * we did the trick to set the smp_affinity of our eth0 interface to
 cpu 0 and haproxy on cpu 1 with taskset BUT the soft interrupt CPU
 stays on cpu 1 (with the haproxy). This is not what is documented from
 the linux kernel, we dug into the RPS and RFS network features but
 they are not activated in Centos 6 by default so they should not
 interfere.

 I'm pretty sure that CPU 1 is the first thread of the first core of
 the second socket. So you're in the absolute worst situation where
 all the traffic has to transit through memory, and cache lines are
 doing ping-pong between the two sockets. The best thing to do is to
 totally stop the second socket for now.

 Please just verify with this :

grep '' /sys/devices/system/cpu/cpu*/topology/phy*

 Second, disable hyperthreading to ensure you're not running haproxy
 on one core and the network on the other thread of the same core. You'll
 be able to re-enable it once you figure what the problem is, but there's
 no reason for wasting time with these parasites for now.

Actually i checked and the first 6 cores are the first threads of the
first socket, then the 6 next are for the second socket then the next
12 cores are the hyperthreads.
So all this should not be an issue although you are right i should
deactivate hyperthreading anyway to simplify tests.

 I think that we have been looking way too deep in the problem and the
 solution must be right in front of us.

 Does anyone have ideas?

 Could you check your network card's traffic (ideally on the switch) in
 terms of bit rate and packet rate in each direction ? At 15khps it depends
 a lot on the object size, especially when running on gigabit NICs which
 are easily overload

OK so i ran new tests with a separate nginx server (using multiple
workers to handle the load).
The bottleneck seems to be clearly on the network stack, especially the
number of packets per second.

What i did:
* got back to the standard igb shipped in the kernel (it gets the 8
virtual channels by default for the NIC)
* went back to 4 siege clients trying both with and without
keep-alive, using 800 concurrency per siege
* removed all the smp_affinity of any IRQ (actually by default
everything seems to go to cpu0)
* pinned the haproxy process to cpu1 using cpu-map config
* set ethtool -C eth0 rx-usecs 500 on both nginx and haproxy hosts
(it's 3 by default)
* deactivated haproxy logging
* deactivated splice
* activated tcp-smart-connect and http-keep-alive

All in all it got me to around 25k request/sec without keep alive and
39k with keep alive.

It also solves the soft-interrupt CPU i was seeing on cpu1.

I couldn't check on the switch but used iptraf to get some stats:

* with very small packets we get at roughly 200kpacket/sec (100k RX
100k TX) at about 50Mbps
* with larger response (a default index.html file for nginx on CentOS
EPEL) we almost max out the 1G NIC at around ~800Mbps

So now the blocking part is not IRQs anymore (they run at worst at 60%
of cpu0), now i get at 100% on cpu1 with haproxy and latency spikes to
100ms (instead of 3ms without load). I am still testing with small
packets. The goal is to max out the session per sec not the bandwidth.

I can still improve the IRQ part using the 5 cores i have left on the
same socket since i have 8 virtual channels i can divide by 4 the
number of interrupt per core. However now the bottleneck is the
haproxy process at 100% (mostly system).

I still think that getting 25krps without keep-alive is very low.

For Baptiste's questions:
- what is the exact reference of your CPU ?
- what is the frequency of your CPU ?

from DMI (The server is a HP Gen8 DL360e):
Version:  Intel(R) Xeon(R) CPU E5-2430L 0 @ 2.00GHz
Voltage: 1.4 V
External Clock: 100 MHz
Max Speed: 4800 MHz
Current Speed: 2000 MHz
Status: Populated, Enabled
Upgrade: Socket LGA1356


- what is the command line you run on the client side (siege)
siege -b -c 800 -t30S http://my-lb/ (i use .siegerc for keep-alive too)

- have you disabled irq-balance ?
no

- what type of network interface are you using? (and which driver)
igb kernel driver version:5.0.5-k

- are you benchmarking in keep-alive mode or not?
i was not, keep-alive improves performance in terms of requests per
second a bit but i try not to use it for now

Thanks for all the help, this is really interesting feedback that i got.

-- 
Best,
Maxime @ Criteo
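
The socket and core check discussed in this thread (the grep over the sysfs topology files, and the finding about how the 24 logical CPUs are numbered) can be scripted. The following is an added example, not code from any poster; the function names and the constructed 24-CPU layout (the sibling order of CPUs 12-23 is an assumption) are hypothetical.

```python
import glob
import os
import re
import tempfile


def read_topology(sysfs_root="/sys/devices/system/cpu"):
    """Return {cpu: (physical_package_id, core_id)} for every cpuN found."""
    topo = {}
    for path in glob.glob(os.path.join(sysfs_root, "cpu[0-9]*")):
        m = re.fullmatch(r"cpu(\d+)", os.path.basename(path))
        if not m:
            continue
        try:
            with open(os.path.join(path, "topology", "physical_package_id")) as fh:
                pkg = int(fh.read())
            with open(os.path.join(path, "topology", "core_id")) as fh:
                core = int(fh.read())
        except (OSError, ValueError):
            continue  # offline CPU or unreadable entry: skip it
        topo[int(m.group(1))] = (pkg, core)
    return topo


def relation(topo, irq_cpu, proxy_cpu):
    """Describe how the CPU taking the NIC IRQs relates to the haproxy CPU."""
    if irq_cpu == proxy_cpu:
        return "same-cpu"          # softirq and haproxy compete for one CPU
    a, b = topo[irq_cpu], topo[proxy_cpu]
    if a == b:
        return "ht-siblings"       # two threads of one physical core
    if a[0] == b[0]:
        return "same-socket"       # separate cores, shared last-level cache
    return "cross-socket"          # traffic bounces between the two sockets


def proxy_candidates(topo, irq_cpu):
    """First thread of every other core on the IRQ CPU's socket."""
    pkg, core = topo[irq_cpu]
    first_thread = {}
    for cpu in sorted(topo):
        p, c = topo[cpu]
        if p == pkg and c != core:
            first_thread.setdefault(c, cpu)
    return sorted(first_thread.values())


def write_fake_sysfs(root, layout):
    """Create the two topology files per CPU under root (test fixture)."""
    for cpu, (pkg, core) in layout.items():
        d = os.path.join(root, f"cpu{cpu}", "topology")
        os.makedirs(d)
        with open(os.path.join(d, "physical_package_id"), "w") as fh:
            fh.write(f"{pkg}\n")
        with open(os.path.join(d, "core_id"), "w") as fh:
            fh.write(f"{core}\n")


def demo_topology():
    """Constructed layout: 0-5 socket 0, 6-11 socket 1, 12-23 hyperthreads."""
    layout = {n: ((n // 6) % 2, n % 6) for n in range(24)}
    with tempfile.TemporaryDirectory() as root:
        write_fake_sysfs(root, layout)
        return read_topology(root)


if __name__ == "__main__":
    topo = read_topology() or demo_topology()
    irq_cpu = 0
    for cpu in sorted(topo):
        print(cpu, topo[cpu], relation(topo, irq_cpu, cpu))
    print("candidates for haproxy:", proxy_candidates(topo, irq_cpu))
```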



Re: SMPP traffic load balancing

2014-07-03 Thread Benjamin Lee
On Thursday, 2014-07-03 at 11:45:48 PM, Baptiste scribbled:

[...] *snip*

 
 Thanks ben for clarifying.
 Last question when we speak about load-balancing: does it need any
 kind of persistence??
 

Baptiste, well, it depends on our definition of persistence. :-)

If we consider persistence to be the requirement that multiple [0]
connections be routed to one common back-end server [1], then strictly
speaking, the SMPP protocol [2] is non-persistent; each SMPP connection is
completely independent and does not share any state with any other connection.

Cheers! :-)
Ben.

[0] TCP or whatever

[1] because there is common knowledge (e.g. session state) that needs to
be shared between multiple connections - yay for HTTP! - :-)

[2] as I knew it, and how we used it


-- 
Benjamin Lee           mailto:benjamin@realthought.net
Melbourne, Australia   http://www.realthought.net
Linux / BSD / GNU      tel:+61 4 16 BEN LEE

Open Source   para nuestro mundo
__
Velilind's Laws of Experimentation:
(1) If reproducibility may be a problem, conduct the test only once.
(2) If a straight line fit is required, obtain only two data points.



Re: Multiple CPU Cores and Peers

2014-07-03 Thread Jai Gupta
On Thu, Jul 3, 2014 at 6:27 PM, Baptiste bed...@gmail.com wrote:

 On Thu, Jul 3, 2014 at 10:57 AM, Jai Gupta j...@vidyamantra.com wrote:
 
 
 
  On Thu, Jul 3, 2014 at 12:49 PM, Baptiste bed...@gmail.com wrote:
 
  On Thu, Jul 3, 2014 at 9:03 AM, Jai Gupta j...@vidyamantra.com wrote:
   We use SSL so we would want to use Multiple CPU Cores as well.
   We also use Peers for HA but it seems that peers can't be used in
   multi-process mode (nbproc  1).
   We were hoping to use one core for everything except SSL and all
   remaining
   cores for SSL.
  
   In this case, only solution to I can think of is to use two instances
 of
   haproxy, one for SSL with multiple cores and second for load balancing
   and
   peers with single core.
  
   Is this approach correct? Is there any other alternate?
  
   Jai
 
 
  Hi Jai,
 
  First question is what is the good reason you need to synchronize
  content of stick-tables using peers?
 
 
  Hi Baptiste,
 
  We use stick-tables because our application needs sticky sessions (long
  lived websocket connections) and are using peers because we need HA in
 event
  if one haproxy crashes and if needed, we can also distribute load via
 DNS if
  multiple haproxy have stick-tables info.
 
  For simplicity, we would want to use only one instance of haproxy per
 node
  and was hoping haproxy to use multiple cores, at least for ssl. Something
  similar to
 
 http://brokenhaze.com/blog/2014/03/25/how-stack-exchange-gets-the-most-out-of-haproxy/
  but because we are using peers, haproxy won't allow multi-process mode.
 I am
  hoping for a way by which we can limit peers to one core and use multiple
  cores for other stuff.
 
 
  Baptiste
 
 

 Hi Jay,

 Could you share with us your stick configuration lines?
 I mean the stick table  + the stick on, stick match, etc...

 stick-table type string len 12 size 32m expire 7d peers mypeers store
server_id
stick on hdr(host)


 Baptiste



Stick Table on Websocket - No stats data in table

2014-07-03 Thread Jai Gupta
We are using stick table with Websocket. Although haproxy stats page shows
correct session rate, current session info but all counters are zero in
stick table.

backend websocket
    balance leastconn
    stick-table type string len 12 size 32m expire 7d peers mypeers store server_id,conn_cnt,conn_cur,sess_cnt,http_req_cnt,bytes_in_cnt,bytes_out_cnt
    stick on hdr(host)
    default-server on-marked-down shutdown-sessions
    ## websocket protocol validation
    acl hdr_connection_upgrade hdr(Connection) -i upgrade
    acl hdr_upgrade_websocket  hdr(Upgrade) -i websocket
    acl hdr_websocket_key  hdr_cnt(Sec-WebSocket-Key)  eq 1
    acl hdr_websocket_version  hdr_cnt(Sec-WebSocket-Version)  eq 1
    http-request deny if ! hdr_connection_upgrade ! hdr_upgrade_websocket ! hdr_websocket_key ! hdr_websocket_version
    ## websocket health checking
    option httpchk GET / HTTP/1.1\r\nHost: abc.com\r\nSec-WebSocket-Version: 13\r\nSec-WebSocket-Key: haproxytest6Lwghaproxyhh\r\nConnection: Upgrade\r\nUpgrade: websocket
    http-check expect status 101
    ## Servers
    server  one   x.x.x.x:y check
    server  two   x.x.x.x:y check
    ...
    ...
...

Stick Table
# table: websocket, type: string, size:33554432, used:2
0x1363374: key=159256323654 use=0 exp=604357344 server_id=2 conn_cnt=0
conn_cur=0 sess_cnt=0 http_req_cnt=0 bytes_in_cnt=0 bytes_out_cnt=0
0x137eeb4: key=215334743731 use=0 exp=604523738 server_id=3 conn_cnt=0
conn_cur=0 sess_cnt=0 http_req_cnt=0 bytes_in_cnt=0 bytes_out_cnt=0

Jai