Re: haproxy-systemd-wrapper with -sf causes it to exit and print usage info
Hi Brian

Thanks! I wish there was a built-in feature in haproxy to reload on config change. That would make a lot of people happy. Maybe I'll open an issue for that.

Regarding USR2 -
1) Are you sure it's not USR1?
2) If I understand correctly, then what you're saying would cause the unit to exit (fail?) (since the main process will exit) and systemd would be expected to start another wrapper. Assuming that the worker processes are still there, then this is sure to create zombies, which defeats the purpose of having a wrapper.

Regards,
Yaron Rosenbaum
Founder and CTO
MultiCloud
M +972 54 2346012
www.multicloud.io

On Jan 20, 2015, at 8:47 PM, Bryan Talbot bryan.tal...@playnext.com wrote:

> I think that the recommended way to restart when using the wrapper is to signal with a HUP or USR2 to the wrapper which will take care of the soft-restart of haproxy itself. I believe that a HUP will just cause haproxy to be restarted while the USR2 will reload both haproxy and the wrapper binary itself.
>
> The sample unit file in contrib/systemd/haproxy.service.in is:
>
>     [Unit]
>     Description=HAProxy Load Balancer
>     After=network.target
>
>     [Service]
>     ExecStartPre=@SBINDIR@/haproxy -f /etc/haproxy/haproxy.cfg -c -q
>     ExecStart=@SBINDIR@/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
>     ExecReload=/bin/kill -USR2 $MAINPID
>     KillMode=mixed
>     Restart=always
>
>     [Install]
>     WantedBy=multi-user.target
>
> On Tue, Jan 20, 2015 at 1:38 AM, Yaron Rosenbaum yaron.rosenb...@gmail.com wrote:
>
>> Hi
>>
>> Adding the -sf flag to haproxy-systemd-wrapper causes it to exit and print usage info. (-sf pid does the same). Haproxy 1.5.8, debian wheezy.
>>
>> Is this a known issue? Am I using it incorrectly? I'm assuming a reload would be issuing the same command (with pids after -sf)
>>
>> Thanks.
>>
>>     root# haproxy-systemd-wrapper -f /opt/multicloud/discovery/haproxy.cfg -D -p /var/run/haproxy.pid -sf
>>     7haproxy-systemd-wrapper: executing /usr/sbin/haproxy -f /opt/multicloud/discovery/haproxy.cfg -D -p /var/run/haproxy.pid -sf -Ds
>>     HA-Proxy version 1.5.8 2014/10/31
>>     Copyright 2000-2014 Willy Tarreau w...@1wt.eu
>>
>>     Usage : haproxy [-f cfgfile]* [ -vdVD ] [ -n maxconn ] [ -N maxpconn ]
>>             [ -p pidfile ] [ -m max megs ] [ -C dir ]
>>             -v displays version ; -vv shows known build options.
>>             -d enters debug mode ; -db only disables background mode.
>>             -dM[byte] poisons memory with byte (defaults to 0x50)
>>             -V enters verbose mode (disables quiet mode)
>>             -D goes daemon ; -C changes to dir before loading files.
>>             -q quiet mode : don't display messages
>>             -c check mode : only check config files and exit
>>             -n sets the maximum total # of connections (2000)
>>             -m limits the usable amount of memory (in MB)
>>             -N sets the default, per-proxy maximum # of connections (2000)
>>             -L set local peer name (default to hostname)
>>             -p writes pids of all children to this file
>>             -de disables epoll() usage even when available
>>             -dp disables poll() usage even when available
>>             -dS disables splice usage (broken on old kernels)
>>             -dV disables SSL verify on servers side
>>             -sf/-st [pid ]* finishes/terminates old pids. Must be last arguments.
>>
>>     5haproxy-systemd-wrapper: exit, haproxy RC=256
>>
>> (Y)
DN Single line representation delimiter
Hello,

I'm writing with regard to the current delimiter used when haproxy passes the DN from an SSL cert as one line in the headers to backend servers. Right now, that seems to be hardcoded to a '/' in the ssl_sock.c file, in function ssl_sock_get_dn_oneline(...) at approximately file line 2545:

    *(p++)='/';

Would anyone mind if we made that a configurable value? We have multiple servers which are expecting the DN entries to be delimited with a comma, ',' as per RFC 1779 (part 2.2 - page two).

I'm willing to take a stab at it and submit the diffs, but I acknowledge that I'm new to this community, and I'm not sure of the customs/conventions.

Have a great afternoon everyone!

Phillip
Re: Problems about Hot Configuration of Haproxy
❦ 22 January 2015 11:47 +0800, hu.zhang hu.zh...@dev.bessystem.com :

> Thank you for your quick reply. I did a test in this way. I found the maximum connection time into 3S. Our client is particularly concerned about the http response time. Do you have another way to add/remove the servers?
> [...]
>> Please see http://www.mail-archive.com/haproxy@formilux.org/msg06885.html
>> The summary being
>>
>>     iptables -I INPUT -p tcp --dport $PORT --syn -j DROP
>>     sleep 1
>>     service haproxy restart
>>     iptables -D INPUT -p tcp --dport $PORT --syn -j DROP

You should remove the sleep. If a SYN is received at the very beginning of the sleep, the next one will be received at the very end (or during the restart) and the next one one second later, hence the 3 seconds. Without the sleep, you should get a maximum connection time of 1s (given the whole set of commands run under one second).
--
If one cannot enjoy reading a book over and over again, there is no use in reading it at all.
-- Oscar Wilde
Re: haproxy-systemd-wrapper with -sf causes it to exit and print usage info
    $ /etc/init.d/haproxy
    Usage: /etc/init.d/haproxy {start|stop|status|restart|try-restart|reload|force-reload}
    $

Are reload/force-reload not enough?

Regards,
Long Wu Yuan
Sr. Linux Engineer
ChinaNetCloud | www.ChinaNetCloud.com

On Wed, Jan 21, 2015 at 11:42 PM, Yaron Rosenbaum yaron.rosenb...@gmail.com wrote:

> Hi Brian
>
> Thanks! I wish there was a built-in feature in haproxy to reload on config change. That would make a lot of people happy. Maybe I'll open an issue for that.
>
> Regarding USR2 -
> 1) Are you sure it's not USR1?
> 2) If I understand correctly, then what you're saying would cause the unit to exit (fail?) (since the main process will exit) and systemd would be expected to start another wrapper. Assuming that the worker processes are still there, then this is sure to create zombies, which defeats the purpose of having a wrapper.
>
> Regards,
> Yaron Rosenbaum
> Founder and CTO
> MultiCloud
> M +972 54 2346012
> www.multicloud.io
>
> On Jan 20, 2015, at 8:47 PM, Bryan Talbot bryan.tal...@playnext.com wrote:
>
>> I think that the recommended way to restart when using the wrapper is to signal with a HUP or USR2 to the wrapper which will take care of the soft-restart of haproxy itself. I believe that a HUP will just cause haproxy to be restarted while the USR2 will reload both haproxy and the wrapper binary itself.
Re: Problems about Hot Configuration of Haproxy
Hi, Vivek:

Thank you for your quick reply. I did a test in this way. I found the maximum connection time into 3S. Our client is particularly concerned about the http response time. Do you have another way to add/remove the servers?

Regards,
Hu

-----Original Message-----
From: Vivek Malik [mailto:vivek.ma...@gmail.com]
Sent: 20 January 2015 15:27
To: hu.zhang
Cc: haproxy@formilux.org; w...@1wt.eu
Subject: Re: Problems about Hot Configuration of Haproxy

Please see http://www.mail-archive.com/haproxy@formilux.org/msg06885.html

The summary being

    iptables -I INPUT -p tcp --dport $PORT --syn -j DROP
    sleep 1
    service haproxy restart
    iptables -D INPUT -p tcp --dport $PORT --syn -j DROP

Regards,
Vivek

On Tue, Jan 20, 2015 at 1:11 AM, hu.zhang hu.zh...@dev.bessystem.com wrote:

> Hi, Willy:
>
> I am a beginner of Haproxy. Recently I get a problem that hot configuration of haproxy still leads to failed requests. I have read the answer from http://stackoverflow.com/questions/21595534/hot-reconfiguration-of-haproxy-still-lead-to-failed-request-any-suggestions. But the failed requests still exist when I use ApacheBench. Could you please give me some suggestions about the following two questions?
>
> 1. Can I add or remove servers in backends without restarting a process? If I don't start a haproxy process with the -sf keyword, is there a way to add/remove the servers in real time?
> 2. If the answer to the first question is no, can you give me some tips about how to modify the source to achieve it?
>
> Thanks!
>
> With my best wishes,
> Hu.Zhang
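The quiesced reload that Vivek's summary describes and that Vincent's follow-up corrects (SYN drop, reload, undo, no sleep), written out as an added shell script that is not from the thread; it also runs the config check that the sample systemd unit in the haproxy-systemd-wrapper thread does in ExecStartPre. The variables IPTABLES, HAPROXY, CFG and RELOAD_CMD, their defaults and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: drop new SYNs on the service port,
# reload haproxy, lift the drop again. Commands are variables so the script
# can be dry-run or tested with stubs; the defaults are assumptions.
set -eu

IPTABLES="${IPTABLES:-iptables}"
HAPROXY="${HAPROXY:-/usr/sbin/haproxy}"
CFG="${CFG:-/etc/haproxy/haproxy.cfg}"
# e.g. "service haproxy restart" or "systemctl reload haproxy" (USR2 to the wrapper)
RELOAD_CMD="${RELOAD_CMD:-service haproxy restart}"

# $1 = port, $2 = -I (insert) or -D (delete): the SYN-drop rule from the thread.
syn_drop_rule() {
    "$IPTABLES" "$2" INPUT -p tcp --dport "$1" --syn -j DROP
}

quiesced_reload() {
    port="$1"
    # Never take the running instance down for a config that will not load
    # (the same check the sample unit file does in ExecStartPre).
    if ! "$HAPROXY" -f "$CFG" -c -q; then
        echo "config check failed for $CFG, not reloading" >&2
        return 2
    fi
    syn_drop_rule "$port" -I
    # Whatever happens from here on, the DROP rule must come out again,
    # otherwise the port stays dark after a failed reload.
    trap 'syn_drop_rule "$port" -D' EXIT
    # No sleep between insert and reload: clients whose SYN was dropped
    # retransmit on their own, and every extra second here only adds to the
    # worst-case connection time described in the thread.
    rc=0
    $RELOAD_CMD || rc=$?
    syn_drop_rule "$port" -D
    trap - EXIT
    return "$rc"
}

# Stand-alone usage: ./quiesced-reload.sh <port>
if [ -n "${1-}" ]; then
    quiesced_reload "$1"
fi
```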
Re: What is the hardware requirement for haproxy?
Hi,

On Tue, Jan 20, 2015 at 10:42:01AM -0800, Bryan Talbot wrote:
> The hardware requirements for haproxy itself are very modest and nearly anything will work. The requirements really depend on how much and what sort of traffic you need to handle. Network card and CPU speed are the most important hardware factors for performance though.

That's true. However, I would like to add that along the years, I found that everyone has a different appreciation of what performance means, and has very different expectations about the bandwidth, connection rate, and concurrent connection count. That is what makes it hard to suggest a sizing for hardware. What I've observed :

- people installing their first LB in front of an internal application server tend to be focused on their application's performance which sometimes suffers from some complex business-specific processing, and may consider that a few tens to hundreds of connections per second is high performance. These people also often expect a lot of hacks in path or header rewrites because the application was not designed with a great respect of standards in mind. Any machine that can be found today with a CPU faster than 100 MHz will fit, even the smallest USB-powered tiny devices.

- people who already run a public web site generally consider a load balancer when their Apache-based or Nginx-based application server needs a second server. These ones want a load balancer capable of delivering more than a few thousand connections per second, and to saturate the uplink (100 Mbps or 1 Gbps) with average objects (which depends on their site but often lies around 20-25 kB). A regular PC will be perfect. Most commonly, the previous server replaced during the last upgrade is well suited.

- people who run chat servers are not much interested in the connection rate (at least they think so) nor the bandwidth, but mostly in concurrent connections. Such a machine needs a lot of RAM (typically about 33-34 kB per end-to-end connection including socket buffers). BTW, version 1.6 significantly improves this situation. These users also need to be aware that on Linux, you're limited to 1M fd per process, thus 500k connections per process. But that's not all, they need to consider how long it takes to establish connections (eg: during a VRRP switchover). Taking 1 million connections in one minute means 16k conns/s. That means that the CPU should not be neglected either and that some of the dual-socket machines commonly found with a lot of RAM will require some tuning to prevent any inter-socket communication which hurts performance a lot.

- people who run shops often want a lot of SSL and to be able to accept traffic spikes. These ones may expect in the thousands of SSL connections per second. This generally means a recent machine (ideally with AES-NI extensions).

- people switching away from L4 load balancers tend to focus on their existing LB's specs and are often misled by the mapping. L4 LBs often count terminated connections (TIME-WAIT) like other ones, showing a huge increase of the concurrent connection count, making it hard to pick new hardware. Additionally, they report high capacities in connection rates which may or may not be matched by an L7 LB, and which may or may not be needed. A rule of thumb is to look at this device's config to find the TIME-WAIT timeout value, and divide the total number of connections by this number. It will give the connection rate. Then multiply this connection rate by the average server's response time (or at least 10 seconds), and it will give the connection count.

- people serving large objects (video, CDN, ...) mostly consider the bandwidth. For them, connection rate is low (in the thousands of connections per second), and the connection count may be high (tens to hundreds of thousands). The bandwidth usage can reach multiple 10G links. Such workloads require very specific tuning and benchmarks, as the NICs need to be tuned, the PCIe, IRQs, process affinity, etc...

Now what to say about numbers (rules of thumb) :

- if your machine is running with conntrack enabled, multiply the CPU sizing by about 3 and add about 10% to the RAM sizing.

- if you really want to have fun with VMs, always experiment and never believe what the vendor or provider promises you because most of the time they don't even know what they're offering (eg: untuned conntrack in the hypervisor blocking traffic, incorrect CPU affinity, vCPUs smaller than CPUs causing huge latencies or even timeouts, etc).

- anything below 1000 connections per second can be dealt with using any machine found on the market today, even the USB dongles running the slowest ARM or MIPS chips. To give you an idea, the $25 GL.Inet running a MIPS at 360
OCSP requests for SSL Client Authentication
Hi, Can haproxy be configured to make OCSP requests to an OCSP Responder to check certificate status when authenticating a client? Current support for CRL seems limited in that it’s not realtime and the haproxy process must be reloaded whenever a change in CRL number is detected by an external process. Supporting OCSP Requests for SSL client authentication seems like a better approach. Cheers, Jason
RE: Rebuild Haproxy with new openssl version
> I have installed haproxy from ubuntu repo (haproxy version : 1.5.9). Recently Openssl security team released security patches for vulnerability (USN-2459-1). Please let me know how to rebuild the haproxy with newly installed Openssl version.

Don't rebuild. Just use your operating system's package manager to update openssl and then restart haproxy.

If you use Ubuntu (since you quote a ubuntu security notice), you just need to

    apt-get update
    apt-get upgrade

and then restart haproxy.

Only if haproxy is statically linked to openssl would a rebuild be required, but then you would already know how to do it because you would have done it already in the first place.

Regards,
Lukas
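Two checks that go with Lukas's advice, as an added shell example that is not from the thread: whether the installed haproxy binary is dynamically linked against libssl (so the package upgrade alone replaces the code), and whether a process that is still running predates the upgrade, which Linux exposes as a "(deleted)" mapping of the old library in /proc/<pid>/maps. The binary path, the sample maps content and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: is haproxy dynamically linked against
# libssl, and does a running process still map the pre-upgrade library?
set -eu

# Exit 0 when the binary (default path is an assumption) loads libssl at run
# time, i.e. the package upgrade plus a restart is all that is needed.
haproxy_links_libssl_dynamically() {
    bin="${1:-/usr/sbin/haproxy}"
    ldd "$bin" 2>/dev/null | grep -q 'libssl\.so'
}

# A process keeps the old library file mapped after the package manager has
# replaced it on disk; the kernel marks such mappings "(deleted)" in
# /proc/<pid>/maps. Print each stale libssl/libcrypto path found in the given
# maps file (a real /proc/<pid>/maps or a saved copy of one).
stale_ssl_mappings() {
    grep -E 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)' "$1" | awk '{print $6}' | sort -u
}

# Exit 0 when the process behind this maps file still runs the old code.
needs_restart() {
    [ -n "$(stale_ssl_mappings "$1")" ]
}

# Constructed samples of what /proc/<pid>/maps looks like before and after the
# restart; addresses and inode numbers are made up.
SAMPLE_MAPS_STALE='7f2a1c000000-7f2a1c1b8000 r-xp 00000000 08:01 1311 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f2a1c3c0000-7f2a1c423000 r-xp 00000000 08:01 1312 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f2a1c640000-7f2a1c7fa000 r-xp 00000000 08:01 1000 /lib/x86_64-linux-gnu/libc-2.19.so'
SAMPLE_MAPS_FRESH='7f2a1c000000-7f2a1c1b8000 r-xp 00000000 08:01 2311 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f2a1c3c0000-7f2a1c423000 r-xp 00000000 08:01 2312 /lib/x86_64-linux-gnu/libssl.so.1.0.0'

# Stand-alone usage: ./ssl-restart-check.sh --check   (as root on the LB)
check_running_haproxy() {
    for pid in $(pidof haproxy 2>/dev/null || true); do
        if needs_restart "/proc/$pid/maps"; then
            echo "haproxy pid $pid still maps: $(stale_ssl_mappings "/proc/$pid/maps" | tr '\n' ' ')"
        fi
    done
}
case "${1-}" in --check) check_running_haproxy ;; esac
```

After the restart, `haproxy -vv` also prints the OpenSSL version it was built with and the one it is running on, which is a quick cross-check that the new library is in use.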
Re: TPROXY - any functionality lost?
On Tue, Jan 20, 2015 at 6:13 PM, Shawn Heisey hapr...@elyograg.org wrote:
> On 1/20/2015 6:12 AM, Thomas Heil wrote:
>> On 20.01.2015 03:26, Shawn Heisey wrote:
>>> When haproxy is run in TPROXY mode, does it lose any functionality, or can I do all the same things as I can when it's acting in normal proxy mode? I'd like to have my servers see the real source ip but still have the ability to make decisions based on HTTP headers and manipulate those headers.
>>
>> No you are not losing any functionality when running in http mode.
>
> This is not very clear. It seems to be saying that I can still do ACLs and header mangling, but you mention http mode, when I was asking about tproxy.
>
> To be clear: I'd like to try tproxy so that my servers will see the true source IP, but still be able to use ACLs and change the HTTP headers.
>
> If enabling iptables is necessary for tproxy (which it seems to be), how do I additionally tell iptables that I do not want to block any traffic? My haproxy server currently is not running a firewall, because it just gets in the way.
>
> Thanks,
> Shawn

Hi Shawn,

Everything is explained here:
http://blog.haproxy.com/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/

If you can't do it, maybe you should ask the HAProxy experts to help you:
http://haproxy.com/services/haproxy-professional-services/

Baptiste
Re: TPROXY - any functionality lost?
On 1/21/2015 2:52 AM, Baptiste wrote:
> Everything is explained here:
> http://blog.haproxy.com/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/
>
> If you can't do it, maybe you should ask the HAProxy experts to help you:
> http://haproxy.com/services/haproxy-professional-services/

I had already seen the blog post you linked ... that blog post does not answer my initial question about whether I keep all haproxy functionality when going transparent. My worry is that it will function just like ipvs and offer none of haproxy's advanced capability. Most of our current load balancing is using ipvs, I am in the process of migrating to haproxy.

I can do it without spending a lot of money on help, I just need a little guidance with iptables. I always turn off iptables because I have a very large Cisco external firewall handling access control. Therefore I am a little fuzzy on how to make iptables accept everything while also doing what haproxy needs. If I do set up iptables to accept all traffic, then add the rules on that blog post, will everything work? I realize that iptables is outside the scope of this mailing list, so I am hoping someone can point me to a HOWTO, article, or blog post that covers it.

The old load balancer system (which I still need to configure) is CentOS 5. Can I successfully run transparent mode on a 2.6.18 kernel? I have a new one running Ubuntu 14, but when I tried to switch everything to that, ldirectord crashed and took out all the ipvs config ... so my new plan is to reduce the ldirectord config to FTP only, which requires that I migrate everything else to haproxy first.

I did find something about tproxy and different kernel versions that has me a little worried. Specifically the caveats for specific kernel versions here:
http://wiki.squid-cache.org/Features/Tproxy4#Minimum_Requirements_.28IPv6_and_IPv4.29

One of the caveats mentioned is that 3.x kernels require a different config than 2.6 kernels for tproxy4. Which kernel versions are targeted by the iptables info on that blog post?

One final question, which is very important. Can I mix transparent bindings and normal bindings in one haproxy config? I need to migrate one frontend at a time, I can't do them all at once.

Thanks,
Shawn