Re: haproxy-systemd-wrapper with -sf causes it to exit and print usage info

2015-01-21 Thread Yaron Rosenbaum
Hi Bryan

Thanks!
I wish there was a built-in feature in haproxy to reload on config change. That 
would make a lot of people happy.
Maybe I’ll open an issue for that.

Regarding USR2:
1) Are you sure it’s not USR1?
2) If I understand correctly, then what you’re saying would cause the unit to 
exit (fail?) (since the main process will exit) and systemd would be expected 
to start another wrapper. Assuming that the worker processes are still there, 
then this is sure to create zombies, which defeats the purpose of having a wrapper.

Regards,
Yaron Rosenbaum
Founder and CTO
MultiCloud
M +972 54 2346012
www.multicloud.io
 On Jan 20, 2015, at 8:47 PM, Bryan Talbot bryan.tal...@playnext.com wrote:
 
 I think that the recommended way to restart when using the wrapper is to 
 signal with a HUP or USR2 to the wrapper which will take care of the 
 soft-restart of haproxy itself.
 
 I believe that a HUP will just cause haproxy to be restarted while the USR2 
 will reload both haproxy and the wrapper binary itself.
 
 The sample unit file in contrib/systemd/haproxy.service.in is:
 
 [Unit]
 Description=HAProxy Load Balancer
 After=network.target
 
 [Service]
 ExecStartPre=@SBINDIR@/haproxy -f /etc/haproxy/haproxy.cfg -c -q
 ExecStart=@SBINDIR@/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
 ExecReload=/bin/kill -USR2 $MAINPID
 KillMode=mixed
 Restart=always
 
 [Install]
 WantedBy=multi-user.target
 
 
 On Tue, Jan 20, 2015 at 1:38 AM, Yaron Rosenbaum yaron.rosenb...@gmail.com wrote:
 Hi
 
 Adding the -sf flag to haproxy-systemd-wrapper causes it to exit and print 
 usage info.
 (-sf <pid> does the same).
 Haproxy 1.5.8, debian wheezy.
 
 Is this a known issue? Am I using it incorrectly?
 I’m assuming a reload would be issuing the same command (with pids after -sf).
 
 Thanks.
 
 root# haproxy-systemd-wrapper -f /opt/multicloud/discovery/haproxy.cfg -D -p /var/run/haproxy.pid -sf
 <7>haproxy-systemd-wrapper: executing /usr/sbin/haproxy -f /opt/multicloud/discovery/haproxy.cfg -D -p /var/run/haproxy.pid -sf -Ds
 HA-Proxy version 1.5.8 2014/10/31
 Copyright 2000-2014 Willy Tarreau <w...@1wt.eu>
 
 Usage : haproxy [-f <cfgfile>]* [ -vdVD ] [ -n <maxconn> ] [ -N <maxpconn> ]
         [ -p <pidfile> ] [ -m <max megs> ] [ -C <dir> ]
         -v displays version ; -vv shows known build options.
         -d enters debug mode ; -db only disables background mode.
         -dM[<byte>] poisons memory with <byte> (defaults to 0x50)
         -V enters verbose mode (disables quiet mode)
         -D goes daemon ; -C changes to <dir> before loading files.
         -q quiet mode : don't display messages
         -c check mode : only check config files and exit
         -n sets the maximum total # of connections (2000)
         -m limits the usable amount of memory (in MB)
         -N sets the default, per-proxy maximum # of connections (2000)
         -L set local peer name (default to hostname)
         -p writes pids of all children to this file
         -de disables epoll() usage even when available
         -dp disables poll() usage even when available
         -dS disables splice usage (broken on old kernels)
         -dV disables SSL verify on servers side
         -sf/-st [pid ]* finishes/terminates old pids. Must be last arguments.
 
 <5>haproxy-systemd-wrapper: exit, haproxy RC=256
 
 
 (Y)
 
 



DN Single line representation delimiter

2015-01-21 Thread Phillip Decker
Hello,

I'm writing with regard to the current delimiter used when haproxy passes
the DN as one line from an SSL cert along in the headers to backend servers-

Right now, that seems to be hardcoded to a '/' in the ssl_sock.c file,
in function
ssl_sock_get_dn_oneline(...) on approximately file line 2545: *(p++)='/';

Would anyone mind if we made that a configurable value?  We have multiple
servers which are expecting the DN entries to be delimited with a comma,
',' as per RFC 1779 (part 2.2 - page two).

I'm willing to take a stab at it and submit the diffs, but I acknowledge
that I'm new to this community and I'm not sure of the customs/conventions.

Have a great afternoon everyone!

Phillip
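The delimiter question has a parsing side that matters to whoever consumes the header: a '/' or ',' inside a certificate attribute value (an organisation name such as "Acme, Inc.", or a CN containing a slash) is indistinguishable from the separator unless the producer escapes it. The following converter is an added example, not code from HAProxy or from Phillip's proposed patch. It assumes the slash-delimited form is unescaped (which is what the hardcoded `*(p++)='/'` suggests), splits it on a '/' only where an attribute type and '=' follow, and emits the comma-delimited form with the escaping and attribute order that RFC 2253 (the successor of RFC 1779) specifies. Function and variable names are my own.

```python
import re
from typing import List, Tuple

# In the slash-delimited form a '/' only starts a new attribute when it is
# directly followed by an attribute type and '=', so a '/' inside a value
# such as CN=a/b is kept as part of the value.  Types may be short names
# (CN, emailAddress) or dotted OIDs (1.2.840.113549.1.9.1).
_ATTR_BOUNDARY = re.compile(r"/(?=[A-Za-z0-9.]+=)")

# Characters that must be backslash-escaped inside a value of the
# comma-delimited string form (RFC 2253 section 2.4).
_SPECIALS = set(',+"\\<>;')


def split_slash_dn(oneline: str) -> List[Tuple[str, str]]:
    """Split '/C=GB/O=ISODE Consortium/CN=Steve Kille' into (type, value) pairs."""
    if not oneline.startswith("/"):
        raise ValueError("slash-delimited DN must start with '/'")
    attrs: List[Tuple[str, str]] = []
    for part in _ATTR_BOUNDARY.split(oneline[1:]):
        if not part:
            continue
        typ, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"attribute without '=': {part!r}")
        attrs.append((typ, value))
    return attrs


def escape_value(value: str) -> str:
    """Escape a value so a ',' (or other special) inside it cannot be read as a delimiter."""
    out = []
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, len(value) - 1)
        out.append("\\" + ch if ch in _SPECIALS or leading_hash or edge_space else ch)
    return "".join(out)


def to_comma_dn(attrs: List[Tuple[str, str]], delimiter: str = ", ") -> str:
    """Render attributes in the RFC 1779/2253 string form.

    Those RFCs list the most specific attribute first (CN=..., ..., C=GB),
    the reverse of the slash form, so the order is flipped here.
    """
    return delimiter.join(f"{typ}={escape_value(val)}" for typ, val in reversed(attrs))


def convert_dn(oneline: str, delimiter: str = ", ") -> str:
    """Slash-delimited one-line DN -> comma-delimited, escaped, RFC-ordered DN."""
    return to_comma_dn(split_slash_dn(oneline), delimiter)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real certificate.
    for sample in ("/C=GB/O=ISODE Consortium/CN=Steve Kille",
                   "/C=US/O=Acme, Inc./OU=R&D/CN=a/b"):
        print(sample, "->", convert_dn(sample))
```

The escaping on the output side is what makes the comma form safe to split on the backend; the split on the slash side remains a heuristic, because without escaping in the producer a value like `O=x/CN=y` cannot be told apart from two attributes. A backend that builds authorisation decisions on the DN header should therefore either parse the escaped comma form or match on the whole string, never split an unescaped one.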


Re: Problems about Hot Configuration of Haproxy

2015-01-21 Thread Vincent Bernat
 ❦ 22 January 2015 11:47 +0800, hu.zhang hu.zh...@dev.bessystem.com :

 Thank you for your quick reply. I did a test in this way. I found the
 maximum connection time went up to 3 s. Our client is particularly concerned
 about the http response time. Do you have another way to add/remove
 the servers?
[...]
 Please see http://www.mail-archive.com/haproxy@formilux.org/msg06885.html

 The summary being

 iptables -I INPUT -p tcp --dport $PORT --syn -j DROP
 sleep 1
 service haproxy restart
 iptables -D INPUT -p tcp --dport $PORT --syn -j DROP

You should remove the sleep. If a SYN is received at the very beginning
of the sleep, the next one will be received at the very end (or during
the restart) and the next one one second later, hence the 3
seconds. Without the sleep, you should get a maximum connection time of
1s (provided the whole set of commands runs in under one second).
-- 
If one cannot enjoy reading a book over and over again, there is no use
in reading it at all.
-- Oscar Wilde
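Vincent's 3 s figure follows from how a client retransmits a SYN that got no answer. The simulation below is an added example, not part of Vincent's message; it assumes the Linux default SYN retransmit timing (first retry after 1 s, the interval doubling afterwards, so SYNs go out at 0, 1, 3, 7, 15 s) and a constructed restart duration of 0.3 s for the quoted `service haproxy restart`. It scans every arrival time inside the DROP window and reports the worst delay a client sees, with and without the `sleep 1`.

```python
# Cumulative times (seconds) at which a Linux client sends its initial SYN and
# the retransmissions that follow when no SYN-ACK arrives: the first retry
# comes after 1 s and the interval doubles on each further retry.
SYN_SCHEDULE = (0.0, 1.0, 3.0, 7.0, 15.0, 31.0)


def connect_delay(arrival: float, drop_window: float) -> float:
    """Seconds a client waits for its first SYN to get through.

    The DROP rule is active from t=0 up to (not including) t=drop_window;
    the client's initial SYN is sent at t=arrival.  Returns the offset of
    the first SYN (initial or retransmitted) that falls outside the window.
    """
    for offset in SYN_SCHEDULE:
        t = arrival + offset
        if not (0.0 <= t < drop_window):
            return offset
    raise RuntimeError("client exhausted its SYN retries")


def worst_case_delay(drop_window: float, step: float = 0.01) -> float:
    """Largest connect delay over every arrival time inside the drop window."""
    worst = 0.0
    n = int(round(drop_window / step))
    for i in range(n):
        arrival = i * step
        if arrival >= drop_window:
            break
        worst = max(worst, connect_delay(arrival, drop_window))
    return worst


def compare(restart_seconds: float, sleep_seconds: float = 1.0) -> dict:
    """Worst-case delay of the quoted recipe with and without its 'sleep 1'.

    With the sleep the DROP rule stays up for sleep + restart seconds; without
    it only for the restart itself.
    """
    return {
        "with_sleep": worst_case_delay(sleep_seconds + restart_seconds),
        "without_sleep": worst_case_delay(restart_seconds),
    }


if __name__ == "__main__":
    # Constructed figure: assume the restart itself takes 0.3 s.
    print(compare(0.3))
```

A SYN that arrives at the start of a window longer than one second is dropped, its 1 s retry lands inside the window and is dropped too, and the next retry only comes at 3 s; keep the window under one second and every client gets through on the first retry. The same calculation shows why a slow restart is a problem of its own: a window of more than three seconds pushes the worst case to 7 s.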



Re: haproxy-systemd-wrapper with -sf causes it to exit and print usage info

2015-01-21 Thread Yuan Long
$ /etc/init.d/haproxy
Usage: /etc/init.d/haproxy
{start|stop|status|restart|try-restart|reload|force-reload}
$

Are reload/force-reload not enough?

Regards,

Long Wu Yuan 龙 武 缘
Sr. Linux Engineer 高级工程师
ChinaNetCloud 云络网络科技(上海)有限公司 | www.ChinaNetCloud.com
1238 Xietu Lu, X2 Space 1-601, Shanghai, China | 中国上海市徐汇区斜土路1238号X2空间1-601室

24x7 Support Hotline: +86-400-618-0024 | Office Tel: +86-(21)-6422-1946
We are hiring! http://careers.chinanetcloud.com  | Customer Portal -
https://customer-portal.service.chinanetcloud.com/



On Wed, Jan 21, 2015 at 11:42 PM, Yaron Rosenbaum yaron.rosenb...@gmail.com wrote:

 [...]


Re: Problems about Hot Configuration of Haproxy

2015-01-21 Thread hu.zhang
Hi, Vivek:
Thank you for your quick reply. I did a test in this way. I found the maximum 
connection time went up to 3 s. Our client is particularly concerned about the http 
response time. Do you have another way to add/remove the servers?
Regards,
Hu

-----Original Message-----
From: Vivek Malik [mailto:vivek.ma...@gmail.com]
Sent: 20 January 2015 15:27
To: hu.zhang
Cc: haproxy@formilux.org; w...@1wt.eu
Subject: Re: Problems about Hot Configuration of Haproxy

Please see http://www.mail-archive.com/haproxy@formilux.org/msg06885.html

The summary being

iptables -I INPUT -p tcp --dport $PORT --syn -j DROP
sleep 1
service haproxy restart
iptables -D INPUT -p tcp --dport $PORT --syn -j DROP

Regards,
Vivek

On Tue, Jan 20, 2015 at 1:11 AM, hu.zhang hu.zh...@dev.bessystem.com wrote:
 Hi, Willy:

  I am a beginner with Haproxy. Recently I got a problem: hot
 configuration of haproxy still leads to failed requests. I have read the
 answer from
 http://stackoverflow.com/questions/21595534/hot-reconfiguration-of-haproxy-still-lead-to-failed-request-any-suggestions.
 But the failed requests still exist when I use ApacheBench. Could you please
 give me some suggestions about the following two questions?

 1.   Can I add or remove servers in backends without restarting a
 process? If I don’t start a haproxy process with the -sf keyword, is there a way
 to add/remove the servers in real time?

 2.   If the answer to the first question is no, can you give me
 some tips about how to modify the source to achieve it?

 Thanks!

  With my best wishes,

  Hu.Zhang




Re: What is the hardware requirement for haproxy?

2015-01-21 Thread Willy Tarreau
Hi,

On Tue, Jan 20, 2015 at 10:42:01AM -0800, Bryan Talbot wrote:
 The hardware requirements for haproxy itself are very modest and nearly
 anything will work. The requirements really depend on how much and what
 sort of traffic you need to handle. Network card and CPU speed are the most
 important hardware factors for performance though.

That's true. However, I would like to add that over the years, I found
that everyone has a different appreciation of what performance means,
and very different expectations about the bandwidth, connection rate,
and concurrent connection count. That is what makes it hard to suggest a
sizing for hardware.

What I've observed:
  - people installing their first LB in front of an internal application
server tend to be focused on their application's performance which
sometimes suffers from some complex business-specific processing, and
may consider that a few tens to hundreds of connections per second is
high performance. These people also often expect a lot of hacks in
path or header rewrites because the application was not designed with
a great respect of standards in mind. Any machine that can be found
today with a CPU faster than 100 MHz will fit, even the smallest
USB-powered tiny devices.

  - people who already run a public web site generally consider a load
balancer when their Apache-based or Nginx-based application server
needs a second server. These ones want a load balancer capable of
delivering more than a few thousands of connections per second, and
to saturate the uplink (100 Mbps or 1 Gbps) with average objects
(which depends on their site but often lies around 20-25 kB). A
regular PC will be perfect. Most commonly, the previous server
replaced during the last upgrade is well suited.

  - people who run chat servers are not much interested in the connection
rate (at least they think so) nor the bandwidth, but mostly in concurrent
connections. Such a machine needs a lot of RAM (typically about 33-34 kB
per end-to-end connection including socket buffers). BTW, version 1.6
significantly improves this situation. These users also need to be
aware that on Linux, you're limited to 1M fd per process, thus 500k
connections per process. But that's not all, they need to consider how
long it takes to establish connections (eg: during a VRRP switchover).
Taking 1 million connections in one minute means 16k conns/s. That means
that the CPU should not be neglected either and that some of the
dual-socket machines commonly found with a lot of RAM will require some tuning
to prevent any inter-socket communication which hurts performance a lot.

  - people who run shops often want a lot of SSL and to be able to accept
traffic spikes. These ones may expect in the thousands of SSL connections
per second. This generally means a recent machine (ideally with AES-NI
extensions).

  - people switching away from L4 load balancers tend to focus on their
existing LB's specs and are often misled by the mapping. L4 LBs often
count terminated connections (TIME-WAIT) like other ones, showing a huge
increase of the concurrent connection count making it hard to pick a new
hardware. Additionally, they report high capacities in connection rates
which may or may not be matched by an L7 LB, and which may or may not be
needed. A rule of thumb is to look at this device's config to find the
TIME-WAIT timeout value, and divide the total number of connections by
this number. It will give the connection rate. Then multiply this
connection rate by the average server's response time (or at least 10
seconds), and it will give the connection count.

  - people serving large objects (video, CDN, ...) mostly consider the
bandwidth. For them, connection rate is low (in the thousands of
connections per second), and the connection count may be high (tens to
hundreds of thousands). The bandwidth usage can reach multiple 10G links.
Such workloads require very specific tuning and benchmarks, as the NICs
need to be tuned, the PCIe, IRQs, process affinity, etc...

Now what to say about numbers (rules of thumb):
  - if your machine is running with conntrack enabled, multiply the CPU
sizing by about 3 and add about 10% to the RAM sizing.

  - if you really want to have fun with VMs, always experiment and never
believe what the vendor or provider promises you because most of the
time they don't even know what they're offering (eg: untuned conntrack
in the hypervisor blocking traffic, incorrect CPU affinity, vCPUs smaller
than CPUs causing huge latencies or even timeouts, etc).

  - anything below 1000 connections per second can be dealt with using any
machine found on the market today, even the USB dongles running the
slowest ARM or MIPS chips. To give you an idea, the $25 GL.Inet running
a MIPS at 360 

OCSP requests for SSL Client Authentication

2015-01-21 Thread SEPAROVIC, Jason (Jason)** CTR **
Hi,

Can haproxy be configured to make OCSP requests to an OCSP Responder to check 
certificate status when authenticating a client?
Current support for CRL seems limited in that it’s not realtime and the haproxy 
process must be reloaded whenever a change in CRL number is detected by an 
external process.
Supporting OCSP Requests for SSL client authentication seems like a better 
approach.

Cheers,

Jason


RE: Rebuild Haproxy with new openssl version

2015-01-21 Thread Lukas Tribus
 I have installed haproxy from ubuntu repo (haproxy version : 1.5.9). 
 Recently Openssl security team released security patches for 
 vulnerability (USN-2459-1). Please let me know how to rebuild the 
 haproxy with newly installed Openssl version. 

Don't rebuild. Just use your operating system's package manager to
update openssl and then restart haproxy.

If you use Ubuntu (since you quote an Ubuntu security notice), you
just need to apt-get update && apt-get upgrade and then restart
haproxy.


Only if haproxy is statically linked to openssl would a rebuild be
required, but then you would already know how to do it because
you would have done it in the first place.



Regards,

Lukas
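The step that actually closes the vulnerability in Lukas's advice is the restart: a haproxy process started before the upgrade keeps executing the old libssl/libcrypto code until it exits, because package managers replace the file on disk with a new copy while the old inode stays mapped. The check below is an added example, not part of Lukas's message or of HAProxy; it reads `/proc/<pid>/maps`, where Linux marks such mappings with a ` (deleted)` suffix, and reports whether the process still maps a stale OpenSSL library, maps the current one, or maps no shared OpenSSL library at all (a static build, or a build without SSL). The sample maps content is constructed; the names are my own.

```python
import re
from typing import Dict

# Shared-library file names the check cares about.
_OPENSSL_LIB = re.compile(r"/lib(ssl|crypto)\.so")


def parse_maps(maps_text: str) -> Dict[str, bool]:
    """Map each file-backed mapping's path to whether the kernel marks it (deleted).

    /proc/<pid>/maps lines read: address perms offset dev inode [pathname].
    The pathname carries a ' (deleted)' suffix when the file on disk was
    replaced or removed after the process mapped it.
    """
    result: Dict[str, bool] = {}
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping without a path
        path = fields[5].strip()
        deleted = path.endswith(" (deleted)")
        if deleted:
            path = path[: -len(" (deleted)")]
        if path.startswith("/"):
            # A library is stale if any of its segments is marked deleted.
            result[path] = result.get(path, False) or deleted
    return result


def openssl_status(maps_text: str) -> str:
    """Classify a process's OpenSSL mappings.

    'stale'      an old libssl/libcrypto is still mapped: restart needed
    'current'    the mapped OpenSSL files are the ones now on disk
    'not-mapped' no shared OpenSSL library (static build or no SSL support)
    """
    libs = {p: d for p, d in parse_maps(maps_text).items() if _OPENSSL_LIB.search(p)}
    if not libs:
        return "not-mapped"
    return "stale" if any(libs.values()) else "current"


def check_pid(pid: int) -> str:
    """Run the check against a live process (Linux only)."""
    with open(f"/proc/{pid}/maps", encoding="utf-8", errors="replace") as fh:
        return openssl_status(fh.read())


# Constructed sample of what a haproxy worker's maps might contain right after
# the package upgrade replaced libssl on disk but before haproxy was restarted.
SAMPLE_STALE = """\
7f3a1c000000-7f3a1c1e0000 r-xp 00000000 08:01 1234 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a1c3e0000-7f3a1c440000 r-xp 00000000 08:01 1235 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c640000-7f3a1c7f0000 r-xp 00000000 08:01 1240 /lib/x86_64-linux-gnu/libc-2.19.so
7ffd2a000000-7ffd2a021000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_pid(int(sys.argv[1])))  # e.g. the pid from /run/haproxy.pid
    else:
        print(openssl_status(SAMPLE_STALE))  # stale
```

Run it against every pid in the haproxy pidfile after the upgrade: anything other than `current` on a dynamically linked build means the patched library is not yet in use. The same `(deleted)` test works for any other library the advisory covers, since the regex is the only OpenSSL-specific part.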

  


Re: TPROXY - any functionality lost?

2015-01-21 Thread Baptiste
On Tue, Jan 20, 2015 at 6:13 PM, Shawn Heisey hapr...@elyograg.org wrote:
 On 1/20/2015 6:12 AM, Thomas Heil wrote:

 On 20.01.2015 03:26, Shawn Heisey wrote:

 When haproxy is run in TPROXY mode, does it lose any functionality, or can
 I do all the same things as I can when it's acting in normal proxy mode?
 I'd like to have my servers see the real source ip but still have the
 ability to make decisions based on HTTP headers and manipulate those
 headers.

 No, you are not losing any functionality when running in http mode.


 This is not very clear.  It seems to be saying that I can still do ACLs
 and header mangling, but you mention http mode, when I was asking about
 tproxy.

 To be clear: I'd like to try tproxy so that my servers will see the true
 source IP, but still be able to use ACLs and change the HTTP headers.

 If enabling iptables is necessary for tproxy (which it seems to be), how
 do I additionally tell iptables that I do not want to block any traffic?
 My haproxy server currently is not running a firewall, because it just
 gets in the way.

 Thanks,
 Shawn



Hi Shawn,

Everything is explained here:
http://blog.haproxy.com/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/

If you can't do it, maybe you should ask the HAProxy experts to help you:
http://haproxy.com/services/haproxy-professional-services/

Baptiste



The Hot Sell Portable waterproof sports camcorder from Winseen

2015-01-21 Thread fieldmonitor004
Dear Friend,

How are you?

You got this email because we would like to recommend to you our hottest Mini 
Sports Camera, Nightshot Flashlight DV, HD Car DVR products as follows:

1. Portable 1080P Nightshot Flashlight DVF082 with build in dual LED, G-sensor, 
Motion Detection, Recycle video recording function, Rechargeable battery etc.

2. 12-megapixel Full HD waterproof sports camcorder S208, with 170° HD 
wide-angle, HDMI output, Web camera, Water-resistant 30 meters, Support Micro 
SD 32GB, large capacity battery etc.

3. 2.7 Full HD Touch screen car camera vehicle black box W020, with G-Sensor, 
HDMI, WDR, AV-out, Motion Detection, Night Vision, Packing control etc.

Enclosed pls kindly find the newest catalogue with detailed info. Pls kindly 
advise your interested item and how many pcs you would need, we will quote the 
favorable price for you check.

For any questions please feel free to contact me. Samples to test will be 
available.

Look forward to your earliest reply!

Have a good day!

Best regards

Cindy

Winseen Industrial Co., Ltd
Add: Baoan District, Shenzhen City, Guangdong, China
Tel : +86-755-185-0305 2588
QQ: 1554388516 Skype: Winseensales01
Email: sale...@winseen.com
winseensale...@hotmail.com
www.winseen.com

Re: TPROXY - any functionality lost?

2015-01-21 Thread Shawn Heisey
On 1/21/2015 2:52 AM, Baptiste wrote:
 Everything is explained here:
 http://blog.haproxy.com/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/
 
 If you can't do it, maybe you should ask the HAProxy experts to help you:
 http://haproxy.com/services/haproxy-professional-services/

I had already seen the blog post you linked ... that blog post does not
answer my initial question about whether I keep all haproxy
functionality when going transparent.  My worry is that it will function
just like ipvs and offer none of haproxy's advanced capability.  Most of
our current load balancing is using ipvs, I am in the process of
migrating to haproxy.

I can do it without spending a lot of money on help, I just need a
little guidance with iptables.  I always turn off iptables because I
have a very large Cisco external firewall handling access control.
Therefore I am a little fuzzy on how to make iptables accept everything
while also doing what haproxy needs.  If I do set up iptables to accept
all traffic, then add the rules on that blog post, will everything work?
I realize that iptables is outside the scope of this mailing list, so I
am hoping someone can point me to a HOWTO, article, or blog post that
covers it.

The old load balancer system (which I still need to configure) is
CentOS 5.  Can I successfully run transparent mode on a 2.6.18 kernel?
I have a new one running Ubuntu 14, but when I tried to switch
everything to that, ldirectord crashed and took out all the ipvs config
... so my new plan is to reduce the ldirectord config to FTP only, which
requires that I migrate everything else to haproxy first.

I did find something about tproxy and different kernel versions that has
me a little worried.  Specifically the caveats for specific kernel
versions here:

http://wiki.squid-cache.org/Features/Tproxy4#Minimum_Requirements_.28IPv6_and_IPv4.29

One of the caveats mentioned is that 3.x kernels require a different
config than 2.6 kernels for tproxy4.  Which kernel versions are targeted
by the iptables info on that blog post?

One final question, which is very important.  Can I mix transparent
bindings and normal bindings on one haproxy config?  I need to migrate
one frontend at a time, I can't do them all at once.

Thanks,
Shawn