TPROXY - any functionality lost?
When haproxy is run in TPROXY mode, does it lose any functionality, or can I do all the same things as I can when it's acting in normal proxy mode? I'd like to have my servers see the real source ip but still have the ability to make decisions based on HTTP headers and manipulate those headers. Thanks, Shawn
Re: [PATCH 1/2] BUG/MEDIUM: Do not set agent health to zero if server is disabled in config
Hi Willy, On Mon, Dec 01, 2014 at 09:18:05AM +0900, Simon Horman wrote: On Wed, Nov 12, 2014 at 05:11:27PM +0900, Simon Horman wrote: On Wed, Nov 12, 2014 at 08:22:05AM +0100, Willy Tarreau wrote: Hi Simon, On Wed, Nov 12, 2014 at 03:55:53PM +0900, Simon Horman wrote: disable starts a server in the disabled state, however setting the health of an agent implies that the agent is disabled as well as the server. This is a problem because the state of the agent is not restored if the state of the server is subsequently updated leading to an unexpected state. For example, if a server is started disabled and then the server state is set to ready then without this change show stat indicates that the server is DOWN (agent) when it is expected that the server would be UP if its (non-agent) health check passes. Interesting case. I believe I caused it myself while trying to address a different case : health checks are disabled, only agent checks are enabled, and the server is disabled in the configuration. Could you please check that this use case still works properly with your patch ? I'd rather avoid to see the server continue to show up! Thanks, will do. I was aware you had done some work in this area but I wasn't entirely sure what case you were trying to fix. Thanks for filling in that gap in my knowledge. Hi Willy, I have tested the following scenario which I hope matches the one that you describe: 1. Start haproxy with server disabled in config 2. Disable health checks using: echo disable health VIP_Name/RIP_Name | socat .. 2. Enable server using: echo set server VIP_Name/RIP_Name state ready | socat ... The results are as follows: 1. With this patch applied and agent-check enabled Server status is reported as 2. With this patch applied and agent-check not configured in config Server status is reported as 3. Without this patch applied and agent-check enabled Server status is reported as DOWN (agent) 4. With this patch applied and agent-check not configured in config Server status is reported as My working assumption is that unless the agent-check explicitly marks a backend as down then the backend should not be considered down due to the agent-check. This includes this scenario when the agent-check is not responding. This seems to be reflected in the implementation other than the area of HTTP statistics. As both 1) and 2) are consistent with 4) it seems to me that this patch is correct in the context of the scenario you describe (assuming my test is correct). This seems to have slipped through the cracks. I'm wondering if we could revisit it and the other patch in this series.
What is the hardware requirement for haproxy?
Hi Sir, i want to install haproxy 1.4 on linux system(64 bit),but i do not know the hardware requirement for haproxy. For example ,the cpu requirement,memory requirement. Could you kindly give me suggections ? thanks a lot.
Feature requests: set-cookie dynamic value / urlencode, urldecode
Hi, I am trying to redirect a user to login page if not logged in and redirect the user back to original page after login. The login page is on a different domain than the primary domain where requests are coming. I have a few questions/feature requests related to http-request redirect a) urlencode function - I want to capture the request uri in url parameter while using http-request redirect. However, I can't seem to find a way to encode the value Something like, http-request redirect code 302 location http://sso.domain/login?referer=%[urlencode(capture.req.uri)] I can use capture.req.uri only but that leads to an invalid url since the value is not url encoded. b) urldecode function - Post successful login, I would like to redirect user back to original referer url http-request redirect code 302 location %[urldecode(urlp(referer))] c) set-cookie dynamic value - Based on my tests, set-cookie parameter doesn't take dynamic values. I would like to set the value based on request parameters http-request redirect set-cookie sessionId=%[urlp(sessionId)] location Please let me know if you see value in implementing these features in haproxy. Regards, Vivek
RE: haproxy rpm
Thanks, guys. I added the following to spec in order to stop stripping the haproxy binary and it worked fine: %define __os_install_post %{nil} From: Yuan Long [mailto:yuan.l...@chinanetcloud.com] Sent: Monday, January 19, 2015 6:19 PM To: Tait Clarridge Cc: haproxy@formilux.org; Cohen Galit Subject: Re: haproxy rpm THis was enough for me http://pkgs.org/search/haproxyhttp://cp.mcafee.com/d/k-Kr40UqdEI9EKfccIzztPqqbdQSkkkTzqqbdQSknQTzqqbdSknxPP9J6ZPhOy-Nt5UShQ-k-JkDY0kKp-dfVsSKp-dfVsSyeZd0wM_R-juKCYYeWZOWqbMXC66jhOY-DORQX8EGTd7avaxVZicHs3jq9JwTvASmbI9LLIFCXCM0qNkzjw0ek_oS9UjRqdgYIrbdX3zWM8wGNekd1JzWJEsKr78CzBYS2_id41flER3ONEwyIGrhvdF3dqrHx0yZEt Regards, Long Wu Yuan 龙 武 缘 Sr. Linux Engineer 高级工程师 ChinaNetCloud 云络网络科技(上海)有限公司 | www.ChinaNetCloud.com1238http://www.ChinaNetCloud.com1238 Xietu Lu, X2 Space 1-601, Shanghai, China | 中国上海市徐汇区斜土路1238号X2空 间1-601室 24x7 Support Hotline: +86-400-618-0024 | Office Tel: +86-(21)-6422-1946 We are hiring! http://careers.chinanetcloud.comhttp://cp.mcafee.com/d/5fHCNEe4x0edEI9EKfccIzztPqqbdQSkkkTzqqbdQSknQTzqqbdSknxPP9J6ZPhOy-Nt5UShQ-k-JkDY0kKp-dfVsSKp-dfVsSyeZd0wM_R-juKCYYeWZOWqbMXC66jhOY-DORQX8EGTd7avaxVZicHs3jqpJwTvASmbI9LLIFCXCM0tJz_NFRysEq3r7RrgVsSmrS77Rwh1lysEq3r7RrgVsSehd7bVI5-Aq82uHhG7Bzh15pkSy-ruamS | Customer Portal - https://customer-portal.service.chinanetcloud.com/http://cp.mcafee.com/d/1jWVIe6hASyMCyUYMOOedTdFEITjphhjudFEITjphvjudFEITphu7fcCQrTd7abX5Qnzp7jVjWRivM1iVDUQ_BPqVDUQ_BPq8XQQ233_nVdWWrPMXHTbFEL3Koopd7bPWvbnjIyyHsQsFYG7DR8OJMddICS3t-jpoKMC--OCrKr9PCJhbcITitlvynmH6uDZjUCpm_H4VgQ6SfGSxO-6OPuMU-I28aIjB3gro-Hq7bCNO9EVvdwLQzh0jRqdgYIq88HaCQnPq-xZ On Mon, Jan 19, 2015 at 10:07 PM, Tait Clarridge t...@clarridge.camailto:t...@clarridge.ca wrote: On Mon, Jan 19, 2015 at 8:59 AM, Cohen Galit galit.co...@comverse.commailto:galit.co...@comverse.com wrote: Hi, I have a problem in packaging the haproxy binary into an rpm. I am using a regular cp command in %install section of spec, but I see that after the copying, the file size is changed and I suspect it is corrupted. Can you advice what am I'm doing wrong? Hi Cohen, Have you taken a look at the spec file from a source RPM for Haproxy? Here are some builds from fedora/epel: http://koji.fedoraproject.org/koji/packageinfo?packageID=5025http://cp.mcafee.com/d/FZsSd21J5xd5NVxBAsrKrjhpKCOyyCYrjhpKCOy-CYrjhpKOyYeupdETKqeknSbEL6OeDODRGA_w2BPfNF_bCRPfNF_bCQhTFE467-LOrRQTDxTnKnjhu7sMMOqenDQ-mKDp55mVEVjVkffGhBrwqrodI6XYCONtxdZZBcTsS03aR4psXW5oWJ6EzZFY01MHkhBySSaWh-k7qABJIlQzUq77fTjvdBCZxNZo4gloDa6wSNZmQendzAjhO-r1vF6y0DGQqxVoQghmldELCQo3EEr7a You can click on one of the builds, grab the source RPM and rebuild locally (and tweak if necessary). In my opinion, this is not really a question for the HAProxy mailing list. RPM packaging issues are better suited for your distro development mailing list. Tait “This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: secur...@comverse.com. Thank You.”
Problems about Hot Configuration of Haproxy
Hi,Willy: I am a beginner of Haproxy. Recently I get a problem that hot configuration of haproxy still lead to failed request. I have read the answer from http://stackoverflow.com/questions/21595534/hot-reconfiguration-of-haproxy-s till-lead-to-failed-request-any-suggestions. But the failed requests still exist when I use ApacheBench. Could you please give me some suggestion about the following two question? 1. Can I add or remove servers in backends without restarting a process? If I don't start a haproxy process with -sf keyword, is there a way to add/remove the servers in real time? 2. If the answer of the the first question is no , Can you give me some tips about how to modify the source to achieve it? Thanks! With my best wishes, Hu.Zhang
Re: Problems about Hot Configuration of Haproxy
Please see http://www.mail-archive.com/haproxy@formilux.org/msg06885.html The summary being iptables -I INPUT -p tcp --dport $PORT --syn -j DROP sleep 1 service haproxy restart iptables -D INPUT -p tcp --dport $PORT --syn -j DROP Regards, Vivek On Tue, Jan 20, 2015 at 1:11 AM, hu.zhang hu.zh...@dev.bessystem.com wrote: Hi,Willy: I am a beginner of Haproxy. Recently I get a problem that hot configuration of haproxy still lead to failed request. I have read the answer from http://stackoverflow.com/questions/21595534/hot-reconfiguration-of-haproxy-still-lead-to-failed-request-any-suggestions. But the failed requests still exist when I use ApacheBench. Could you please give me some suggestion about the following two question? 1. Can I add or remove servers in backends without restarting a process? If I don’t start a haproxy process with –sf keyword, is there a way to add/remove the servers in real time? 2. If the answer of the the first question is no , Can you give me some tips about how to modify the source to achieve it? Thanks! With my best wishes, Hu.Zhang
Re: Tproxy issue
On Mon, Jan 19, 2015 at 2:25 PM, Marcello Lorenzi mlore...@sorint.it wrote: Hi All, i'm trying to configure a test Haproxy TPROXY instance on centos 6.5 boxes. The HAproxy has a card connected to 192.168.10.0/24 VLAN and on connected to 192.168.20.0/24. The webserver is only connected to 192.168.20.0/24 VLAN. When I tried to active Tproxy configuration on the HAproxy router all the connections were in SYN_SENT state and on clients I noticed a 503 error related to the missing communication. Could you help me to understand the best configuration for the TPROXY? Thanks, Marcello Hi Marcello, When using TProxy, the traffic from the server to the client must pass through the Load-balancer. Also, the server and the client can't be in the same subnet. Baptiste
Le plus beau bonus est chez ZEturf pour LA course de l'année !
Title: Prix d'Amérique Opodo Si vous ne voyez pas correctement ce message, visualisez notre version en ligne. Pour tre sr de recevoir tous nos emails, ajoutez newslet...@email.zeturf.com votre carnet dadresses Pour ne plus recevoir de messages de notre part, rendez-vous sur cette page. Mot de passe oubli ?| Dsinscription Newsletter | Jeu responsable | Contactez-nous Offre valable pour les nouveaux clients ZEturf sur la réunion de Vincennes le 25 janvier 2015. Voir conditions sur le site. À tout moment, vous disposez d'un droit d'accès, de modification, de rectification et de suppression des données qui vous concernent. Jouer comporte des risques : endettement, isolement Pour être aidé, appelez le 09-74-75-13-13 (appel non surtaxé). Vous devez avoir plus de 18 ans pour jouer sur ZEturf
Tproxy issue
Hi All, i'm trying to configure a test Haproxy TPROXY instance on centos 6.5 boxes. The HAproxy has a card connected to 192.168.10.0/24 VLAN and on connected to 192.168.20.0/24. The webserver is only connected to 192.168.20.0/24 VLAN. When I tried to active Tproxy configuration on the HAproxy router all the connections were in SYN_SENT state and on clients I noticed a 503 error related to the missing communication. Could you help me to understand the best configuration for the TPROXY? Thanks, Marcello
Re: haproxy rpm
On Mon, Jan 19, 2015 at 8:59 AM, Cohen Galit galit.co...@comverse.com wrote: Hi, I have a problem in packaging the haproxy binary into an rpm. I am using a regular cp command in %install section of spec, but I see that after the copying, the file size is changed and I suspect it is corrupted. Can you advice what am I'm doing wrong? Hi Cohen, Have you taken a look at the spec file from a source RPM for Haproxy? Here are some builds from fedora/epel: http://koji.fedoraproject.org/koji/packageinfo?packageID=5025 You can click on one of the builds, grab the source RPM and rebuild locally (and tweak if necessary). In my opinion, this is not really a question for the HAProxy mailing list. RPM packaging issues are better suited for your distro development mailing list. Tait
haproxy rpm
Hi, I have a problem in packaging the haproxy binary into an rpm. I am using a regular cp command in %install section of spec, but I see that after the copying, the file size is changed and I suspect it is corrupted. Can you advice what am I'm doing wrong? Thanks. This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: secur...@comverse.com. Thank You.
Re: haproxy rpm
THis was enough for me http://pkgs.org/search/haproxy Regards, Long Wu Yuan 龙 武 缘 Sr. Linux Engineer 高级工程师 ChinaNetCloud 云络网络科技(上海)有限公司 | www.ChinaNetCloud.com1238 Xietu Lu, X2 Space 1-601, Shanghai, China | 中国上海市徐汇区斜土路1238号X2空 间1-601室 24x7 Support Hotline: +86-400-618-0024 | Office Tel: +86-(21)-6422-1946 We are hiring! http://careers.chinanetcloud.com | Customer Portal - https://customer-portal.service.chinanetcloud.com/ On Mon, Jan 19, 2015 at 10:07 PM, Tait Clarridge t...@clarridge.ca wrote: On Mon, Jan 19, 2015 at 8:59 AM, Cohen Galit galit.co...@comverse.com wrote: Hi, I have a problem in packaging the haproxy binary into an rpm. I am using a regular cp command in %install section of spec, but I see that after the copying, the file size is changed and I suspect it is corrupted. Can you advice what am I'm doing wrong? Hi Cohen, Have you taken a look at the spec file from a source RPM for Haproxy? Here are some builds from fedora/epel: http://koji.fedoraproject.org/koji/packageinfo?packageID=5025 You can click on one of the builds, grab the source RPM and rebuild locally (and tweak if necessary). In my opinion, this is not really a question for the HAProxy mailing list. RPM packaging issues are better suited for your distro development mailing list. Tait
Logging (was New to haproxy questions)
On Saturday, January 17, 2015 11:09:27 PM Baptiste wrote: Hi Benjamin, 1) Logging performance data: A) How long before the page started putting out data? (implying that the server side is done processing, though not necessarily) B) How long did the whole cycle take from initial connection to end of download? Turn on option httplog, these information are available (read the relevant part of the documentation to find where). I know I'm on the right track when I find that what I'm looking for is already in my face. I'd already turned on httplog but missed the Tq, Tw, Tc, Tr, Tt part. Thanks! 2) Is there a way to anti-DDOS based on a cookie? (Really, we want to filter based on user/login but that isn't actually part of the HTTP session, that's determined by the cookie) W You can get inspired by these two articles: http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-def ense-against-ddos/ http://blog.haproxy.com/2013/04/26/wordpress-cms-brute-force-protection-wit h-haproxy/ It applies DDOS protection matching IPs. But HAProxy could perform the same on a cookie. Nice, this is pretty much exactly what I was hoping for! 5) Is there a relatively simple way to get true HA with a redundant load balancer? We have two identical machines side-by-side running EL6 and haproxy, one is a disk dd of the other. In the past we used heartbeat with limited success; pacemaker has been very problematic for us. For now, we're managing manually. We use keepalived a lot :) .. as somebody else said. I'll be checking it out. This has been the smoothest product roll out I think I've seen in a production environment.