Re: rewrite header http:// to https://
Hello Lukas, Based on the haproxy documentation http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4-reqirep http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4-reqirep I have changed the configuration. Beside changing rspirep, I saw the traffic in wireshark and saw “GET http:/ http://192.168.68.100/….” data. So I also changed the value “Location:” to “Get”. frontend http1 127.0.0.10:1080 default_backend ssl1 backend ssl1 reqirep ^GET\ http://(.*):80(.*) GET\ https://\1:443\2 reqirep ^GET\ http://(.*) GET\ https://\1 server nginx 192.168.68.100:443 ssl verify required ca-file /etc/haproxy/certs/ca.crt crt /etc/haproxy/certs/client.pem And it works now! Thanks for your help! Op 30 mrt. 2015, om 18:03 heeft Lukas Tribus luky...@hotmail.com het volgende geschreven: I have the following configuration: frontend http1 127.0.0.10:1080 rspirep ^Location:\ http://(.*):80(.*) Location:\ https://\1:443\2 rspirep ^Location:\ http://(.*) Location:\ https://\1 default_backend ssl1 backend ssl1 server sslserver 192.168.68.100:443 ssl verify required ca-file /etc/haproxy/certs/ca.crt crt /etc/haproxy/certs/client.pem Everything is going great, except the rewriting part. The requests are sended to the sslserver with the original http:// location. rspirep rewrites HTTP responses, not requests. What *exactly* are you trying to do?
Re: ldap-check with Active Directory
I'm also testing some ldap checks but I see lots of logging and log partitions filling up like crazy. I wonder if it's really doable to check the ldap status in in a gracefull way. 2015-03-31 9:45 GMT+02:00 Neil - HAProxy List maillist-hapr...@iamafreeman.com: Hello I was thinking of updating the ldap-check but I think I've a better idea. Macros (well ish). send-binary 300c0201 # LDAP bind request ROOT simple send-binary 01 # message ID send-binary 6007 # protocol Op send-binary 0201 # bind request send-binary 03 # LDAP v3 send-binary 04008000 # name, simple authentication expect binary 0a0100 # bind response + result code: success send-binary 30050201034200 # unbind request could be in a file named macros/ldap-simple-bind then the option tcp-check-macro ldap-simple-bind would use it, I know this is close to includes. similarly macros/smtp-helo-quit connect port 25 expect rstring ^220 send QUIT\r\n expect rstring ^221 or from http://blog.haproxy.com/2014/06/06/binary-health-check-with-haproxy-1-5-php-fpmfastcgi-probe-example/ # FCGI_BEGIN_REQUEST send-binary 01 # version send-binary 01 # FCGI_BEGIN_REQUEST send-binary 0001 # request id send-binary 0008 # content length send-binary 00 # padding length send-binary 00 # send-binary 0001 # FCGI responder send-binary # flags send-binary # send-binary # # FCGI_PARAMS send-binary 01 # version send-binary 04 # FCGI_PARAMS send-binary 0001 # request id send-binary 0045 # content length send-binary 03 # padding length: padding for content % 8 = 0 send-binary 00 # send-binary 0e03524551554553545f4d4554484f44474554 # REQUEST_METHOD = GET send-binary 0b055343524950545f4e414d452f70696e67 # SCRIPT_NAME = /ping send-binary 0f055343524950545f46494c454e414d452f70696e67 # SCRIPT_FILENAME = /ping send-binary 040455534552524F4F54 # USER = ROOT send-binary 00 # padding # FCGI_PARAMS send-binary 01 # version send-binary 04 # FCGI_PARAMS send-binary 0001 # request id send-binary # content length send-binary 00 # padding length: padding for content % 8 = 0 send-binary 00 # expect binary 706f6e67 # pong (though for items like send-binary 0e03524551554553545f4d4554484f44474554 # REQUEST_METHOD = GET I'd prefer a send-as-binary REQUEST_METHOD = GET ) these and many others could be shipped with haproxy. this seems to make sense to me as they are small contained logical items Neil On 30 March 2015 at 23:02, Baptiste bed...@gmail.com wrote: you should believe it :) On Mon, Mar 30, 2015 at 11:34 PM, Neil - HAProxy List maillist-hapr...@iamafreeman.com wrote: Hello Thanks so much. That worked well, I now get L7OK/0 in 0ms not sure I believe the 0ms but maybe I should Thanks again, Neil On 30 March 2015 at 22:14, Baptiste bed...@gmail.com wrote: On Mon, Mar 30, 2015 at 10:33 PM, Neil - HAProxy List maillist-hapr...@iamafreeman.com wrote: Hello I'm trying to use ldap-check with active directory and the response active directory gives is not one ldap-check is happy to accept when I give a 389 directory backend ldap server all is well, when I use AD I get 'Not LDAPv3 protocol' I've done a little poking about and found that if ((msglen 2) || (memcmp(check-bi-data + 2 + msglen, \x02\x01\x01\x61, 4) != 0)) { set_server_check_status(check, HCHK_STATUS_L7RSP, Not LDAPv3 protocol); is where I'm getting stopped as msglen is 4 Here is tcpdump of 389 directory response (the one that works) 2 packets 21:29:34.195699 IP 389.ldap HAPROXY.57109: Flags [.], ack 15, win 905, options [nop,nop,TS val 856711882 ecr 20393440], length 0 0x: 0050 5688 7042 0064 403b 2700 0800 4500 .PV.pB.d@;'...E. 0x0010: 0034 9d07 4000 3f06 3523 ac1b e955 ac18 .4..@.?.5#...U.. 0x0020: 2810 0185 df15 5cab ffcd 63ba 77d3 8010 (.\...c.w... 0x0030: 0389 2c07 0101 080a 3310 62ca 0137 ..,...3.b..7 0x0040: 2de0 -. 21:29:34.195958 IP 389.ldap HAPROXY.57109: Flags [P.], seq 1:15, ack 15, win 905, options [nop,nop,TS val 856711882 ecr 20393440], length 14 0x: 0050 5688 7042 0064 403b 2700 0800 4500 .PV.pB.d@;'...E. 0x0010: 0042 9d08 4000 3f06 3514 ac1b e955 ac18 .B..@.?.5U.. 0x0020: 2810 0185 df15 5cab ffcd 63ba 77d3 8018 (.\...c.w... 0x0030: 0389 e878 0101 080a 3310 62ca 0137 ...x..3.b..7 0x0040: 2de0 300c 0201 0161 070a 0100 0400 0400 -.0a Here is tcpdump of active directory (broken) 1 packet 21:25:24.519883 IP ADSERVER.ldap HAPROXY.57789: Flags [P.], seq 1:23, ack 15, win 260, options [nop,nop,TS val 1870785 ecr
Re: ldap-check with Active Directory
Hello I was thinking of updating the ldap-check but I think I've a better idea. Macros (well ish). send-binary 300c0201 # LDAP bind request ROOT simple send-binary 01 # message ID send-binary 6007 # protocol Op send-binary 0201 # bind request send-binary 03 # LDAP v3 send-binary 04008000 # name, simple authentication expect binary 0a0100 # bind response + result code: success send-binary 30050201034200 # unbind request could be in a file named macros/ldap-simple-bind then the option tcp-check-macro ldap-simple-bind would use it, I know this is close to includes. similarly macros/smtp-helo-quit connect port 25 expect rstring ^220 send QUIT\r\n expect rstring ^221 or from http://blog.haproxy.com/2014/06/06/binary-health-check-with-haproxy-1-5-php-fpmfastcgi-probe-example/ # FCGI_BEGIN_REQUEST send-binary 01 # version send-binary 01 # FCGI_BEGIN_REQUEST send-binary 0001 # request id send-binary 0008 # content length send-binary 00 # padding length send-binary 00 # send-binary 0001 # FCGI responder send-binary # flags send-binary # send-binary # # FCGI_PARAMS send-binary 01 # version send-binary 04 # FCGI_PARAMS send-binary 0001 # request id send-binary 0045 # content length send-binary 03 # padding length: padding for content % 8 = 0 send-binary 00 # send-binary 0e03524551554553545f4d4554484f44474554 # REQUEST_METHOD = GET send-binary 0b055343524950545f4e414d452f70696e67 # SCRIPT_NAME = /ping send-binary 0f055343524950545f46494c454e414d452f70696e67 # SCRIPT_FILENAME = /ping send-binary 040455534552524F4F54 # USER = ROOT send-binary 00 # padding # FCGI_PARAMS send-binary 01 # version send-binary 04 # FCGI_PARAMS send-binary 0001 # request id send-binary # content length send-binary 00 # padding length: padding for content % 8 = 0 send-binary 00 # expect binary 706f6e67 # pong (though for items like send-binary 0e03524551554553545f4d4554484f44474554 # REQUEST_METHOD = GET I'd prefer a send-as-binary REQUEST_METHOD = GET ) these and many others could be shipped with haproxy. this seems to make sense to me as they are small contained logical items Neil On 30 March 2015 at 23:02, Baptiste bed...@gmail.com wrote: you should believe it :) On Mon, Mar 30, 2015 at 11:34 PM, Neil - HAProxy List maillist-hapr...@iamafreeman.com wrote: Hello Thanks so much. That worked well, I now get L7OK/0 in 0ms not sure I believe the 0ms but maybe I should Thanks again, Neil On 30 March 2015 at 22:14, Baptiste bed...@gmail.com wrote: On Mon, Mar 30, 2015 at 10:33 PM, Neil - HAProxy List maillist-hapr...@iamafreeman.com wrote: Hello I'm trying to use ldap-check with active directory and the response active directory gives is not one ldap-check is happy to accept when I give a 389 directory backend ldap server all is well, when I use AD I get 'Not LDAPv3 protocol' I've done a little poking about and found that if ((msglen 2) || (memcmp(check-bi-data + 2 + msglen, \x02\x01\x01\x61, 4) != 0)) { set_server_check_status(check, HCHK_STATUS_L7RSP, Not LDAPv3 protocol); is where I'm getting stopped as msglen is 4 Here is tcpdump of 389 directory response (the one that works) 2 packets 21:29:34.195699 IP 389.ldap HAPROXY.57109: Flags [.], ack 15, win 905, options [nop,nop,TS val 856711882 ecr 20393440], length 0 0x: 0050 5688 7042 0064 403b 2700 0800 4500 .PV.pB.d@ ;'...E. 0x0010: 0034 9d07 4000 3f06 3523 ac1b e955 ac18 .4..@ .?.5#...U.. 0x0020: 2810 0185 df15 5cab ffcd 63ba 77d3 8010 (.\...c.w... 0x0030: 0389 2c07 0101 080a 3310 62ca 0137 ..,...3.b..7 0x0040: 2de0 -. 21:29:34.195958 IP 389.ldap HAPROXY.57109: Flags [P.], seq 1:15, ack 15, win 905, options [nop,nop,TS val 856711882 ecr 20393440], length 14 0x: 0050 5688 7042 0064 403b 2700 0800 4500 .PV.pB.d@ ;'...E. 0x0010: 0042 9d08 4000 3f06 3514 ac1b e955 ac18 .B..@ .?.5U.. 0x0020: 2810 0185 df15 5cab ffcd 63ba 77d3 8018 (.\...c.w... 0x0030: 0389 e878 0101 080a 3310 62ca 0137 ...x..3.b..7 0x0040: 2de0 300c 0201 0161 070a 0100 0400 0400 -.0a Here is tcpdump of active directory (broken) 1 packet 21:25:24.519883 IP ADSERVER.ldap HAPROXY.57789: Flags [P.], seq 1:23, ack 15, win 260, options [nop,nop,TS val 1870785 ecr 20331021], length 22 0x: 0050 5688 7042 0050 5688 7780 0800 4500 .PV.pB.PV.w...E. 0x0010: 004a 1d7d 4000 8006 34e3 ac18 280d ac18 .J.}@ ...4...(... 0x0020: 2810 0185 e1bd 5a3f 2ae7 3ced 7b5b 8018 (.Z?*..{[.. 0x0030: 0104 1d7a 0101 080a 001c 8bc1 0136 ...z...6 0x0040: 3a0d 3084 0010 0201
Re: ldap-check with Active Directory
Hi Matt, The issue with LDAP, is that it is not a banner protocol. So either you check the TCP port is well bound on the server for a simple L4 check, for L7, you don't have the choice, you must send a message and check the server's result. Baptiste On Tue, Mar 31, 2015 at 9:53 AM, Matt . yamakasi@gmail.com wrote: I'm also testing some ldap checks but I see lots of logging and log partitions filling up like crazy. I wonder if it's really doable to check the ldap status in in a gracefull way. 2015-03-31 9:45 GMT+02:00 Neil - HAProxy List maillist-hapr...@iamafreeman.com: Hello I was thinking of updating the ldap-check but I think I've a better idea. Macros (well ish). send-binary 300c0201 # LDAP bind request ROOT simple send-binary 01 # message ID send-binary 6007 # protocol Op send-binary 0201 # bind request send-binary 03 # LDAP v3 send-binary 04008000 # name, simple authentication expect binary 0a0100 # bind response + result code: success send-binary 30050201034200 # unbind request could be in a file named macros/ldap-simple-bind then the option tcp-check-macro ldap-simple-bind would use it, I know this is close to includes. similarly macros/smtp-helo-quit connect port 25 expect rstring ^220 send QUIT\r\n expect rstring ^221 or from http://blog.haproxy.com/2014/06/06/binary-health-check-with-haproxy-1-5-php-fpmfastcgi-probe-example/ # FCGI_BEGIN_REQUEST send-binary 01 # version send-binary 01 # FCGI_BEGIN_REQUEST send-binary 0001 # request id send-binary 0008 # content length send-binary 00 # padding length send-binary 00 # send-binary 0001 # FCGI responder send-binary # flags send-binary # send-binary # # FCGI_PARAMS send-binary 01 # version send-binary 04 # FCGI_PARAMS send-binary 0001 # request id send-binary 0045 # content length send-binary 03 # padding length: padding for content % 8 = 0 send-binary 00 # send-binary 0e03524551554553545f4d4554484f44474554 # REQUEST_METHOD = GET send-binary 0b055343524950545f4e414d452f70696e67 # SCRIPT_NAME = /ping send-binary 0f055343524950545f46494c454e414d452f70696e67 # SCRIPT_FILENAME = /ping send-binary 040455534552524F4F54 # USER = ROOT send-binary 00 # padding # FCGI_PARAMS send-binary 01 # version send-binary 04 # FCGI_PARAMS send-binary 0001 # request id send-binary # content length send-binary 00 # padding length: padding for content % 8 = 0 send-binary 00 # expect binary 706f6e67 # pong (though for items like send-binary 0e03524551554553545f4d4554484f44474554 # REQUEST_METHOD = GET I'd prefer a send-as-binary REQUEST_METHOD = GET ) these and many others could be shipped with haproxy. this seems to make sense to me as they are small contained logical items Neil On 30 March 2015 at 23:02, Baptiste bed...@gmail.com wrote: you should believe it :) On Mon, Mar 30, 2015 at 11:34 PM, Neil - HAProxy List maillist-hapr...@iamafreeman.com wrote: Hello Thanks so much. That worked well, I now get L7OK/0 in 0ms not sure I believe the 0ms but maybe I should Thanks again, Neil On 30 March 2015 at 22:14, Baptiste bed...@gmail.com wrote: On Mon, Mar 30, 2015 at 10:33 PM, Neil - HAProxy List maillist-hapr...@iamafreeman.com wrote: Hello I'm trying to use ldap-check with active directory and the response active directory gives is not one ldap-check is happy to accept when I give a 389 directory backend ldap server all is well, when I use AD I get 'Not LDAPv3 protocol' I've done a little poking about and found that if ((msglen 2) || (memcmp(check-bi-data + 2 + msglen, \x02\x01\x01\x61, 4) != 0)) { set_server_check_status(check, HCHK_STATUS_L7RSP, Not LDAPv3 protocol); is where I'm getting stopped as msglen is 4 Here is tcpdump of 389 directory response (the one that works) 2 packets 21:29:34.195699 IP 389.ldap HAPROXY.57109: Flags [.], ack 15, win 905, options [nop,nop,TS val 856711882 ecr 20393440], length 0 0x: 0050 5688 7042 0064 403b 2700 0800 4500 .PV.pB.d@;'...E. 0x0010: 0034 9d07 4000 3f06 3523 ac1b e955 ac18 .4..@.?.5#...U.. 0x0020: 2810 0185 df15 5cab ffcd 63ba 77d3 8010 (.\...c.w... 0x0030: 0389 2c07 0101 080a 3310 62ca 0137 ..,...3.b..7 0x0040: 2de0 -. 21:29:34.195958 IP 389.ldap HAPROXY.57109: Flags [P.], seq 1:15, ack 15, win 905, options [nop,nop,TS val 856711882 ecr 20393440], length 14 0x: 0050 5688 7042 0064 403b 2700 0800 4500 .PV.pB.d@;'...E. 0x0010: 0042 9d08 4000 3f06 3514 ac1b e955 ac18 .B..@.?.5U.. 0x0020: 2810 0185 df15 5cab ffcd 63ba 77d3 8018 (.\...c.w... 0x0030: 0389
Re: ldap-check with Active Directory
Hi Baptiste, Yes I've seen it also and never got around large logs. What do most people do, empty logt very often ? 2015-03-31 11:29 GMT+02:00 Baptiste bed...@gmail.com: Hi Matt, The issue with LDAP, is that it is not a banner protocol. So either you check the TCP port is well bound on the server for a simple L4 check, for L7, you don't have the choice, you must send a message and check the server's result. Baptiste On Tue, Mar 31, 2015 at 9:53 AM, Matt . yamakasi@gmail.com wrote: I'm also testing some ldap checks but I see lots of logging and log partitions filling up like crazy. I wonder if it's really doable to check the ldap status in in a gracefull way. 2015-03-31 9:45 GMT+02:00 Neil - HAProxy List maillist-hapr...@iamafreeman.com: Hello I was thinking of updating the ldap-check but I think I've a better idea. Macros (well ish). send-binary 300c0201 # LDAP bind request ROOT simple send-binary 01 # message ID send-binary 6007 # protocol Op send-binary 0201 # bind request send-binary 03 # LDAP v3 send-binary 04008000 # name, simple authentication expect binary 0a0100 # bind response + result code: success send-binary 30050201034200 # unbind request could be in a file named macros/ldap-simple-bind then the option tcp-check-macro ldap-simple-bind would use it, I know this is close to includes. similarly macros/smtp-helo-quit connect port 25 expect rstring ^220 send QUIT\r\n expect rstring ^221 or from http://blog.haproxy.com/2014/06/06/binary-health-check-with-haproxy-1-5-php-fpmfastcgi-probe-example/ # FCGI_BEGIN_REQUEST send-binary 01 # version send-binary 01 # FCGI_BEGIN_REQUEST send-binary 0001 # request id send-binary 0008 # content length send-binary 00 # padding length send-binary 00 # send-binary 0001 # FCGI responder send-binary # flags send-binary # send-binary # # FCGI_PARAMS send-binary 01 # version send-binary 04 # FCGI_PARAMS send-binary 0001 # request id send-binary 0045 # content length send-binary 03 # padding length: padding for content % 8 = 0 send-binary 00 # send-binary 0e03524551554553545f4d4554484f44474554 # REQUEST_METHOD = GET send-binary 0b055343524950545f4e414d452f70696e67 # SCRIPT_NAME = /ping send-binary 0f055343524950545f46494c454e414d452f70696e67 # SCRIPT_FILENAME = /ping send-binary 040455534552524F4F54 # USER = ROOT send-binary 00 # padding # FCGI_PARAMS send-binary 01 # version send-binary 04 # FCGI_PARAMS send-binary 0001 # request id send-binary # content length send-binary 00 # padding length: padding for content % 8 = 0 send-binary 00 # expect binary 706f6e67 # pong (though for items like send-binary 0e03524551554553545f4d4554484f44474554 # REQUEST_METHOD = GET I'd prefer a send-as-binary REQUEST_METHOD = GET ) these and many others could be shipped with haproxy. this seems to make sense to me as they are small contained logical items Neil On 30 March 2015 at 23:02, Baptiste bed...@gmail.com wrote: you should believe it :) On Mon, Mar 30, 2015 at 11:34 PM, Neil - HAProxy List maillist-hapr...@iamafreeman.com wrote: Hello Thanks so much. That worked well, I now get L7OK/0 in 0ms not sure I believe the 0ms but maybe I should Thanks again, Neil On 30 March 2015 at 22:14, Baptiste bed...@gmail.com wrote: On Mon, Mar 30, 2015 at 10:33 PM, Neil - HAProxy List maillist-hapr...@iamafreeman.com wrote: Hello I'm trying to use ldap-check with active directory and the response active directory gives is not one ldap-check is happy to accept when I give a 389 directory backend ldap server all is well, when I use AD I get 'Not LDAPv3 protocol' I've done a little poking about and found that if ((msglen 2) || (memcmp(check-bi-data + 2 + msglen, \x02\x01\x01\x61, 4) != 0)) { set_server_check_status(check, HCHK_STATUS_L7RSP, Not LDAPv3 protocol); is where I'm getting stopped as msglen is 4 Here is tcpdump of 389 directory response (the one that works) 2 packets 21:29:34.195699 IP 389.ldap HAPROXY.57109: Flags [.], ack 15, win 905, options [nop,nop,TS val 856711882 ecr 20393440], length 0 0x: 0050 5688 7042 0064 403b 2700 0800 4500 .PV.pB.d@;'...E. 0x0010: 0034 9d07 4000 3f06 3523 ac1b e955 ac18 .4..@.?.5#...U.. 0x0020: 2810 0185 df15 5cab ffcd 63ba 77d3 8010 (.\...c.w... 0x0030: 0389 2c07 0101 080a 3310 62ca 0137 ..,...3.b..7 0x0040: 2de0 -. 21:29:34.195958 IP 389.ldap HAPROXY.57109: Flags [P.], seq 1:15, ack 15, win 905, options [nop,nop,TS val 856711882 ecr 20393440], length 14 0x: 0050 5688 7042 0064 403b 2700 0800 4500
Re: ldap-check with Active Directory
I think they play with their syslog server to detect a check from real traffic and prevent the syslog server to log the checks. Baptiste On Tue, Mar 31, 2015 at 11:33 AM, Matt . yamakasi@gmail.com wrote: Hi Baptiste, Yes I've seen it also and never got around large logs. What do most people do, empty logt very often ? 2015-03-31 11:29 GMT+02:00 Baptiste bed...@gmail.com: Hi Matt, The issue with LDAP, is that it is not a banner protocol. So either you check the TCP port is well bound on the server for a simple L4 check, for L7, you don't have the choice, you must send a message and check the server's result. Baptiste On Tue, Mar 31, 2015 at 9:53 AM, Matt . yamakasi@gmail.com wrote: I'm also testing some ldap checks but I see lots of logging and log partitions filling up like crazy. I wonder if it's really doable to check the ldap status in in a gracefull way. 2015-03-31 9:45 GMT+02:00 Neil - HAProxy List maillist-hapr...@iamafreeman.com: Hello I was thinking of updating the ldap-check but I think I've a better idea. Macros (well ish). send-binary 300c0201 # LDAP bind request ROOT simple send-binary 01 # message ID send-binary 6007 # protocol Op send-binary 0201 # bind request send-binary 03 # LDAP v3 send-binary 04008000 # name, simple authentication expect binary 0a0100 # bind response + result code: success send-binary 30050201034200 # unbind request could be in a file named macros/ldap-simple-bind then the option tcp-check-macro ldap-simple-bind would use it, I know this is close to includes. similarly macros/smtp-helo-quit connect port 25 expect rstring ^220 send QUIT\r\n expect rstring ^221 or from http://blog.haproxy.com/2014/06/06/binary-health-check-with-haproxy-1-5-php-fpmfastcgi-probe-example/ # FCGI_BEGIN_REQUEST send-binary 01 # version send-binary 01 # FCGI_BEGIN_REQUEST send-binary 0001 # request id send-binary 0008 # content length send-binary 00 # padding length send-binary 00 # send-binary 0001 # FCGI responder send-binary # flags send-binary # send-binary # # FCGI_PARAMS send-binary 01 # version send-binary 04 # FCGI_PARAMS send-binary 0001 # request id send-binary 0045 # content length send-binary 03 # padding length: padding for content % 8 = 0 send-binary 00 # send-binary 0e03524551554553545f4d4554484f44474554 # REQUEST_METHOD = GET send-binary 0b055343524950545f4e414d452f70696e67 # SCRIPT_NAME = /ping send-binary 0f055343524950545f46494c454e414d452f70696e67 # SCRIPT_FILENAME = /ping send-binary 040455534552524F4F54 # USER = ROOT send-binary 00 # padding # FCGI_PARAMS send-binary 01 # version send-binary 04 # FCGI_PARAMS send-binary 0001 # request id send-binary # content length send-binary 00 # padding length: padding for content % 8 = 0 send-binary 00 # expect binary 706f6e67 # pong (though for items like send-binary 0e03524551554553545f4d4554484f44474554 # REQUEST_METHOD = GET I'd prefer a send-as-binary REQUEST_METHOD = GET ) these and many others could be shipped with haproxy. this seems to make sense to me as they are small contained logical items Neil On 30 March 2015 at 23:02, Baptiste bed...@gmail.com wrote: you should believe it :) On Mon, Mar 30, 2015 at 11:34 PM, Neil - HAProxy List maillist-hapr...@iamafreeman.com wrote: Hello Thanks so much. That worked well, I now get L7OK/0 in 0ms not sure I believe the 0ms but maybe I should Thanks again, Neil On 30 March 2015 at 22:14, Baptiste bed...@gmail.com wrote: On Mon, Mar 30, 2015 at 10:33 PM, Neil - HAProxy List maillist-hapr...@iamafreeman.com wrote: Hello I'm trying to use ldap-check with active directory and the response active directory gives is not one ldap-check is happy to accept when I give a 389 directory backend ldap server all is well, when I use AD I get 'Not LDAPv3 protocol' I've done a little poking about and found that if ((msglen 2) || (memcmp(check-bi-data + 2 + msglen, \x02\x01\x01\x61, 4) != 0)) { set_server_check_status(check, HCHK_STATUS_L7RSP, Not LDAPv3 protocol); is where I'm getting stopped as msglen is 4 Here is tcpdump of 389 directory response (the one that works) 2 packets 21:29:34.195699 IP 389.ldap HAPROXY.57109: Flags [.], ack 15, win 905, options [nop,nop,TS val 856711882 ecr 20393440], length 0 0x: 0050 5688 7042 0064 403b 2700 0800 4500 .PV.pB.d@;'...E. 0x0010: 0034 9d07 4000 3f06 3523 ac1b e955 ac18 .4..@.?.5#...U.. 0x0020: 2810 0185 df15 5cab ffcd 63ba 77d3 8010 (.\...c.w... 0x0030: 0389 2c07 0101 080a 3310 62ca 0137 ..,...3.b..7 0x0040: 2de0 -.
Re: ldap-check with Active Directory
I was thinking of updating the ldap-check but I think I've a better idea. Macros (well ish). send-binary 300c0201 # LDAP bind request ROOT simple send-binary 01 # message ID send-binary 6007 # protocol Op send-binary 0201 # bind request send-binary 03 # LDAP v3 send-binary 04008000 # name, simple authentication expect binary 0a0100 # bind response + result code: success send-binary 30050201034200 # unbind request could be in a file named macros/ldap-simple-bind then the option tcp-check-macro ldap-simple-bind would use it, I know this is close to includes. similarly macros/smtp-helo-quit connect port 25 expect rstring ^220 send QUIT\r\n expect rstring ^221 or from http://blog.haproxy.com/2014/06/06/binary-health-check-with-haproxy-1-5-php-fpmfastcgi-probe-example/ # FCGI_BEGIN_REQUEST send-binary 01 # version send-binary 01 # FCGI_BEGIN_REQUEST send-binary 0001 # request id send-binary 0008 # content length send-binary 00 # padding length send-binary 00 # send-binary 0001 # FCGI responder send-binary # flags send-binary # send-binary # # FCGI_PARAMS send-binary 01 # version send-binary 04 # FCGI_PARAMS send-binary 0001 # request id send-binary 0045 # content length send-binary 03 # padding length: padding for content % 8 = 0 send-binary 00 # send-binary 0e03524551554553545f4d4554484f44474554 # REQUEST_METHOD = GET send-binary 0b055343524950545f4e414d452f70696e67 # SCRIPT_NAME = /ping send-binary 0f055343524950545f46494c454e414d452f70696e67 # SCRIPT_FILENAME = /ping send-binary 040455534552524F4F54 # USER = ROOT send-binary 00 # padding # FCGI_PARAMS send-binary 01 # version send-binary 04 # FCGI_PARAMS send-binary 0001 # request id send-binary # content length send-binary 00 # padding length: padding for content % 8 = 0 send-binary 00 # expect binary 706f6e67 # pong (though for items like send-binary 0e03524551554553545f4d4554484f44474554 # REQUEST_METHOD = GET I'd prefer a send-as-binary REQUEST_METHOD = GET ) these and many others could be shipped with haproxy. this seems to make sense to me as they are small contained logical items Neil Hi Neil, Both contributions are interresting! Let's wait for other people feedback. Baptiste
请问有需要松茸、虫草、玛卡、牛肝菌、黑松露等巢穆穑
您好 很高兴写信给你,希望与你希望打开一个业务关系。 我从网上获得贵公司的电子邮件地址。 我们专门从事松茸、虫草、玛卡、牛肝菌、黑松露等食材提供,品质好,很有竞争力的价格。 欲了解更多信息,可以联系我详聊 联系人 :区先生 联系电话 ;13544467741 回复邮箱:huarongwang...@163.com 欢迎来咨询采购! 希望听到你的好消息。
setup https session via proxy remote
Hello, I have the following configuration wich works great: frontend http1 127.0.0.10:1080 default_backend ssl1 backend ssl1 reqirep ^GET\ http://(.*):80(.*) GET\ https://\1:443\2 https:/1:443/2 reqirep ^GET\ http://(.*) GET\ https://\1 https:/1 server nginx 192.168.68.100:443 ssl verify required ca-file /etc/haproxy/certs/ca.crt crt /etc/haproxy/certs/client.pem The backend ssl1 is currently direct connected to the HTTPS-service. But in the production situation there’s a squid proxy server between them. So the backend must connect the HTTPS-service via the squid proxy server. I know in apache I can achieve this by using the ProxyRemote Directive: http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxyremote http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxyremote. How can I achieve this in haproxy? Thanks in advance! Abdelouahed