Help with ACL

2015-07-13 Thread Yogesh Sharma
Hi Team,

I am new to HAProxy ACLs and am following the blog below to create a rule to
keep the application safe from DDoS.

http://blog.haproxy.com/2012/10/12/scalable-waf-protection-with-haproxy-and-apache-with-modsecurity/

===
frontend ft_waf
  bind 192.168.10.2:80 name http
  mode http
  log global
  option httplog
  timeout client 25s
  maxconn 1


  stick-table type ip size 1m expire 1m store gpc0,http_req_rate(10s),http_err_rate(10s)
  tcp-request connection track-sc1 src
  tcp-request connection reject if { sc1_get_gpc0 gt 0 }

  # Abuser means more than 100reqs/10s
  acl abuse sc1_http_req_rate(ft_web) ge 100
  acl flag_abuser sc1_inc_gpc0(ft_web)
  tcp-request content reject if abuse flag_abuser

  default_backend bk_waf

# When I use ft_web, I get:

[ALERT] 193/155117 (6404) : parsing [/etc/haproxy/haproxy.cfg:65] : unable
to find table 'ft_web' referenced in arg 1 of ACL keyword
'sc1_http_req_rate' in proxy 'ft_web'.

Once I changed it to ft_waf (which I think is what it should be, because we need
the ACL on the frontend that serves public traffic), I get the warning below:

Starting haproxy: [WARNING] 193/162102 (6657) : parsing acl keyword
'sc1_inc_gpc0(ft_waf)' :
  no pattern to match against were provided, so this ACL will never match.
  If this is what you intended, please add '--' to get rid of this warning.
  If you intended to match only for existence, please use '-m found'.
  If you wanted to force an int to match as a bool, please use '-m bool'.


# WAF farm where users' traffic is routed first
backend bk_waf
  balance roundrobin
  mode http
  log global
  option httplog
  option forwardfor header X-Client-IP
  option httpchk HEAD /waf_health_check HTTP/1.0

  # If the source IP generated 10 or more http request over the defined period,
  # flag the IP as abuser on the frontend
  acl abuse sc1_http_err_rate(ft_waf) ge 10
  acl flag_abuser sc1_inc_gpc0(ft_waf)
  tcp-request content reject if abuse flag_abuser

  # Specific WAF checking: a DENY means everything is OK
  http-check expect status 403
  timeout server 25s
  default-server inter 3s rise 2 fall 3
  server waf1 192.168.10.15:81 maxconn 100 weight 10 check
  server waf2 192.168.10.16:81 maxconn 100 weight 10 check

frontend ft_web
  bind 192.168.10.2:81 name http
  mode http
  log global
  option httplog
  timeout client 25s
  maxconn 1000
  # route health check requests to a specific backend to avoid graph pollution in ALOHA GUI
  use_backend bk_waf_health_check if { path /waf_health_check }
  default_backend bk_web



Please suggest what is wrong here.



Best Regards,

Yogesh Sharma


Missing sessions in haproxy stats

2015-07-13 Thread Nicholas Smit
Hi,

Apologies if the answer is in the manual, or in the mailing lists, I
couldn't find it.

In my Haproxy config, I have a front-end and several backends. The stats
page is showing stats of sessions, CUR = 1098. (CSV output below)

However, if I add up all the sessions for all its back-ends, I get nowhere
close to that number (54).

Am I misunderstanding the meaning of sessions - cur on this page?

Or is the http-in front end discarding 95% of incoming sessions because they
don't match a backend? If the latter, I would have thought I'd see a bunch
of 503s being returned all the time, which I don't.

I thought subsequently perhaps these could be sessions stuck in TCP_WAIT on
the client side, but that only accounts for 17% - not 95.

In short, what's happening with these other 95% please?

Many thanks for any guidance.
Nik

(Xpost from http://stackoverflow.com/questions/31186889/missing-haproxy-sessions-in-stats-page,
in case you wish to claim the bounty there).


# pxname,bobname,qcur,qmax,scur,smax
http-in,FRONTEND,,,1098,1254
foo_web_zar_and_ws,bob91,0,0,0,1
foo_web_zar_and_ws,bob83,0,0,1,7
foo_web_zar_and_ws,BACKEND,0,0,1,7
foo_web_ned,bob91,0,0,0,0
foo_web_ned,bob83,0,0,0,0
foo_web_ned,BACKEND,0,0,0,0
foo_web_comms,bob91,0,0,0,2
foo_web_comms,bob83,0,0,0,2
foo_web_comms,BACKEND,0,0,0,2
bla_web_comms,bob10,0,0,9,46
bla_web_comms,bob91,0,0,3,32
bla_web_comms,bob83,0,0,3,62
bla_web_comms,BACKEND,0,0,15,85
bla_web_zar_and_ws,bob91,0,0,5,20
bla_web_zar_and_ws,bob83,0,0,7,36
bla_web_zar_and_ws,BACKEND,0,0,12,45
bla_web_ned,bob91,0,0,0,2
bla_web_ned,bob83,0,0,0,2
bla_web_ned,BACKEND,0,0,0,2
stats,FRONTEND,,,1,5
stats,BACKEND,0,0,0,1
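
A reconciliation script for the stats CSV quoted above, added here as an example that is not part of the original post: it parses the CSV by header name, checks that every BACKEND row's scur equals the sum of its server rows, and reports how many FRONTEND sessions no BACKEND row accounts for.

```python
import csv
import io

# Stats CSV as posted above. The poster anonymised the "svname" header to
# "bobname", so the parser reads the proxy and service columns by position.
STATS_CSV = """# pxname,bobname,qcur,qmax,scur,smax
http-in,FRONTEND,,,1098,1254
foo_web_zar_and_ws,bob91,0,0,0,1
foo_web_zar_and_ws,bob83,0,0,1,7
foo_web_zar_and_ws,BACKEND,0,0,1,7
foo_web_ned,bob91,0,0,0,0
foo_web_ned,bob83,0,0,0,0
foo_web_ned,BACKEND,0,0,0,0
foo_web_comms,bob91,0,0,0,2
foo_web_comms,bob83,0,0,0,2
foo_web_comms,BACKEND,0,0,0,2
bla_web_comms,bob10,0,0,9,46
bla_web_comms,bob91,0,0,3,32
bla_web_comms,bob83,0,0,3,62
bla_web_comms,BACKEND,0,0,15,85
bla_web_zar_and_ws,bob91,0,0,5,20
bla_web_zar_and_ws,bob83,0,0,7,36
bla_web_zar_and_ws,BACKEND,0,0,12,45
bla_web_ned,bob91,0,0,0,2
bla_web_ned,bob83,0,0,0,2
bla_web_ned,BACKEND,0,0,0,2
stats,FRONTEND,,,1,5
stats,BACKEND,0,0,0,1
"""


def parse_stats(text):
    """Map (pxname, svname) -> {column: value}; the header's first cell is '# pxname'."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    header = [h.strip().lstrip("# ") for h in rows[0]]
    return {(r[0], r[1]): dict(zip(header, r)) for r in rows[1:]}


def reconcile(text):
    """Report FRONTEND sessions that no BACKEND row accounts for, plus per-backend checks."""
    stats = parse_stats(text)
    # Frontend rows leave the queue columns empty; "or 0" covers any empty counter.
    frontend = {px: int(v["scur"] or 0) for (px, sv), v in stats.items() if sv == "FRONTEND"}
    backend = {px: int(v["scur"] or 0) for (px, sv), v in stats.items() if sv == "BACKEND"}
    # A BACKEND row's scur should equal the sum of its server rows' scur.
    mismatched = [px for px, total in backend.items()
                  if total != sum(int(v["scur"] or 0) for (p, sv), v in stats.items()
                                  if p == px and sv not in ("FRONTEND", "BACKEND"))]
    return {"frontend": frontend, "backend": backend, "mismatched": mismatched,
            "unaccounted": sum(frontend.values()) - sum(backend.values())}
```

On the rows posted, the backends account for 28 sessions against 1099 on the two frontends; the remaining 1071 are sessions the frontends hold that are not currently attached to any backend listed in the CSV.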


Re: Segfault when parsing a configuration file

2015-07-13 Thread Vincent Bernat
 ❦ 11 July 2015 14:20 +0200, Lukas Tribus luky...@hotmail.com :

 Thanks for the detailed repro. This bug is fixed in release 1.5.10 by commit
 ed061c0590 (BUG/MEDIUM: config: do not propagate processes between stopped
 processes) [1].

 Quoting from the commit:
 Immo Goltz reported a case of segfault while parsing the config where
 we try to propagate processes across stopped frontends (those with a
 disabled statement). The fix is trivial. The workaround consists in
 commenting out these frontends, although not always easy.


 You can get latest haproxy build for debian here [2].


 Maybe Vincent could queue this fix for a debian backport?

Yes, we'll do that.
-- 
Let me take you a button-hole lower.
-- William Shakespeare, Love's Labour's Lost




Problems compiling HAProxy with Lua Support

2015-07-13 Thread bjun...@gmail.com
Hi,


I'm trying to build HAProxy 1.6 (git HEAD) with Lua (5.3.1) on Ubuntu 14.04.


This was my first try:


make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 USE_LUA=yes LUA_LIB=/opt/lua53/lib/ LUA_INC=/opt/lua53/include/ LDFLAGS=-ldl



resulting error:

.
.
.
gcc -ldl -o haproxy src/haproxy.o src/sessionhash.o src/base64.o
src/protocol.o src/uri_auth.o src/standard.o src/buffer.o src/log.o
src/task.o src/chunk.o src/channel.o src/listener.o src/lru.o
src/xxhash.o src/time.o src/fd.o src/pipe.o src/regex.o src/cfgparse.o
src/server.o src/checks.o src/queue.o src/frontend.o src/proxy.o
src/peers.o src/arg.o src/stick_table.o src/proto_uxst.o
src/connection.o src/proto_http.o src/raw_sock.o src/appsession.o
src/backend.o src/lb_chash.o src/lb_fwlc.o src/lb_fwrr.o src/lb_map.o
src/lb_fas.o src/stream_interface.o src/dumpstats.o src/proto_tcp.o
src/applet.o src/session.o src/stream.o src/hdr_idx.o src/ev_select.o
src/signal.o src/acl.o src/sample.o src/memory.o src/freq_ctr.o
src/auth.o src/proto_udp.o src/compression.o src/payload.o src/hash.o
src/pattern.o src/map.o src/namespace.o src/mailers.o src/dns.o
src/vars.o src/ev_poll.o src/ev_epoll.o src/ssl_sock.o src/shctx.o
src/hlua.o ebtree/ebtree.o ebtree/eb32tree.o ebtree/eb64tree.o
ebtree/ebmbtree.o ebtree/ebsttree.o ebtree/ebimtree.o
ebtree/ebistree.o   -lcrypt  -lz -ldl  -lssl -lcrypto
-L/opt/lua53/lib/ -llua -lm -L/usr/lib -lpcreposix -lpcre
/usr/bin/ld: /opt/lua53/lib//liblua.a(loadlib.o): undefined reference
to symbol 'dlclose@@GLIBC_2.2.5'
/usr/lib/gcc/x86_64-linux-gnu/4.8/../../../x86_64-linux-gnu/libdl.so:
error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status
make: *** [haproxy] Error 1




Only if I change LDFLAGS to the following is the build successful:



make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 USE_LUA=yes LUA_LIB=/opt/lua53/lib/ LUA_INC=/opt/lua53/include/ LDFLAGS=-Wl,--no-as-needed




I'm not aware of the consequences. Does anybody have an idea?



---
Bjoern



IP binding and standby health-checks

2015-07-13 Thread Nathan Williams
Hi all,

I'm hoping I can get some advice on how we can improve our failover setup.

At present, we have an active-standby setup. Failover works really well,
but on the standby, none of the backend servers are marked as up since
haproxy is bound to the VIP that is currently on the active member (managed
with keepalived). As a result, there's an initial period of a second or two
after the failover triggers and the standby claims the VIP where the
backend servers have not yet passed a health-check on the new active member.

It seems like the easiest way to sort it out would be if the health-checks
weren't also bound to the VIP so that the standby could complete them
successfully. I do still want the proxied requests bound to the VIP though,
for the benefit of our backends' real-ip configuration.

Is that doable? If not, is there some way to have the standby follow the
active member's view on the backends, or another way I haven't seen yet?

Thanks!

Nathan W


Re: Problems compiling HAProxy with Lua Support

2015-07-13 Thread Vincent Bernat
 ❦ 13 July 2015 19:16 +0200, bjun...@gmail.com :

 make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 USE_LUA=yes
 LUA_LIB=/opt/lua53/lib/ LUA_INC=/opt/lua53/include/ LDFLAGS=-ldl



 resulting error:

 .
 .
 .
 gcc -ldl -o haproxy src/haproxy.o src/sessionhash.o src/base64.o
 src/protocol.o src/uri_auth.o src/standard.o src/buffer.o src/log.o
 src/task.o src/chunk.o src/channel.o src/listener.o src/lru.o
 src/xxhash.o src/time.o src/fd.o src/pipe.o src/regex.o src/cfgparse.o
 src/server.o src/checks.o src/queue.o src/frontend.o src/proxy.o
 src/peers.o src/arg.o src/stick_table.o src/proto_uxst.o
 src/connection.o src/proto_http.o src/raw_sock.o src/appsession.o
 src/backend.o src/lb_chash.o src/lb_fwlc.o src/lb_fwrr.o src/lb_map.o
 src/lb_fas.o src/stream_interface.o src/dumpstats.o src/proto_tcp.o
 src/applet.o src/session.o src/stream.o src/hdr_idx.o src/ev_select.o
 src/signal.o src/acl.o src/sample.o src/memory.o src/freq_ctr.o
 src/auth.o src/proto_udp.o src/compression.o src/payload.o src/hash.o
 src/pattern.o src/map.o src/namespace.o src/mailers.o src/dns.o
 src/vars.o src/ev_poll.o src/ev_epoll.o src/ssl_sock.o src/shctx.o
 src/hlua.o ebtree/ebtree.o ebtree/eb32tree.o ebtree/eb64tree.o
 ebtree/ebmbtree.o ebtree/ebsttree.o ebtree/ebimtree.o
 ebtree/ebistree.o   -lcrypt  -lz -ldl  -lssl -lcrypto
 -L/opt/lua53/lib/ -llua -lm -L/usr/lib -lpcreposix -lpcre
 /usr/bin/ld: /opt/lua53/lib//liblua.a(loadlib.o): undefined reference
 to symbol 'dlclose@@GLIBC_2.2.5'
 /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../x86_64-linux-gnu/libdl.so:
 error adding symbols: DSO missing from command line
 collect2: error: ld returned 1 exit status
 make: *** [haproxy] Error 1

-ldl where dlclose@@GLIBC_2.2.5 should be after -llua, where this symbol
is used.

I suppose that either -ldl could be added to the OPTIONS_LDFLAGS append,
like is done for -lm, or the USE_DL section could be moved towards the
end. I think the first solution is better since libdl seems to be a
dependency of lua.

Note that this is not Ubuntu-specific, but they enforce --as-needed by
default directly in the linker.

 Only if I change LDFLAGS to the following is the build successful:



 make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 USE_LUA=yes
 LUA_LIB=/opt/lua53/lib/ LUA_INC=/opt/lua53/include/
 LDFLAGS=-Wl,--no-as-needed




 I'm not aware of the consequences. Does anybody have an idea?

In your case, this is harmless. --as-needed is used mostly to avoid pulling
in unneeded dependencies by linking unused symbols. The downside is
that libraries need to be linked in the correct order (a symbol is kept
only if it was previously missing). This is mostly a distro thing.
-- 
Use self-identifying input.  Allow defaults.  Echo both on output.
- The Elements of Programming Style (Kernighan & Plauger)



tcp-request + gpc ACLs

2015-07-13 Thread bjun...@gmail.com
Hi,

I'm using stick-tables to track requests and block abusers if needed.
Abusers should be blocked only for a short period of time, and I want the
stick-table entry to expire.

Therefore, I have to check if the client is already marked as an
abuser and not track this client.


example config:


frontend fe_http_in

  bind 127.0.0.1:8001

  stick-table type ip size 100k expire 600s store gpc0

  # Not working
  # acl is_overlimit sc0_get_gpc0(fe_http_in) gt 0

  # Working
  # acl is_overlimit src_get_gpc0(fe_http_in) gt 0

  tcp-request connection track-sc0 src if !is_overlimit

  default_backend be


backend be

  ... incrementing gpc0 ( with sc0_inc_gpc0) ...



If I use sc0_get_gpc0, the stick-table entry will never expire
because the timer will be reset (tcp-request connection track-sc0
... seems to ignore this ACL).


With src_get_gpc0 everything works as expected.


Both ACLs are correct and triggered (verified with debug headers
(http-response set-header ...)).


What's the difference between these ACLs in conjunction with
tcp-request connection track-sc0 ...?

Is this a bug or intended behaviour?


---
Bjoern



Test HAProxy configuration file

2015-07-13 Thread Erik Schwalbe
Hi,

is it possible to show and test the configuration of haproxy like apache2ctl -S?
I want to check with which configuration options haproxy starts.

Thanks for help.

Regards,
Erik

Erik Schwalbe
Canoo Engineering AG
Kirschgartenstrasse 5
CH-4051 Basel

Tel: +41 61 228 94 44
Fax: +41 61 228 94 49

erik.schwa...@canoo.com
http://www.canoo.com


RE: Test HAProxy configuration file

2015-07-13 Thread Lukas Tribus
 Hi Lukas, 
 
 the output of haproxy -c is not helpful.
 "Configuration file is valid"

I thought that's what you want.


 I need a more verbose output with a complete overview of the configuration.
 I want to check if options configured in the default or global sections
 work for all the backends, for example.

There is no such thing. Refer to the documentation to understand how single
options propagate.


Lukas

  

RE: Test HAProxy configuration file

2015-07-13 Thread Lukas Tribus
Hi Erik,


 Hi, 
 
 is it possible to show and test the configuration of haproxy 
 like apache2ctl -S? 
 I want to check with which configuration options haproxy starts. 
 
 Thanks for help. 

Yes, see haproxy -h (haproxy -c).


Lukas

  

Re: Test HAProxy configuration file

2015-07-13 Thread Erik Schwalbe
Hi Lukas,

the output of haproxy -c is not helpful.

"Configuration file is valid"

I need a more verbose output with a complete overview of the configuration.
I want to check if options configured in the default or global sections work
for all the backends, for example.

Regards,
Erik 
 

 On 13.07.2015 at 17:36, Lukas Tribus luky...@hotmail.com wrote:
 
 Hi Erik,
 
 
 Hi, 
 
 is it possible to show and test the configuration of haproxy 
 like apache2ctl -S? 
 I want to check with which configuration options haproxy starts. 
 
 Thanks for help. 
 
 Yes, see haproxy -h (haproxy -c).
 
 
 Lukas
 


Erik Schwalbe
Canoo Engineering AG
Kirschgartenstrasse 5
CH-4051 Basel

Tel: +41 61 228 94 44
Fax: +41 61 228 94 49

erik.schwa...@canoo.com
http://www.canoo.com


Re: Contribution: change response line

2015-07-13 Thread Baptiste
On Mon, Jul 13, 2015 at 7:22 AM, Bowen Ni bowen1...@gmail.com wrote:
 Hi,

 With Lua integration in HAProxy 1.6, one can change the request method,
 path, uri, header, response header etc except response line.

Hi Bowen,

You can already change the fields above using HAProxy 1.6 statements:
http-request and http-response.
  
http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#http-request
  
http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#http-response

You don't need lua for this, unless your changes are complicated and
you can find a converter which does the transformation you need:
  http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#7.3.1


 I'd like to contribute the following methods to allow modification of the
 response line.

Actually, that's right: there is currently no http-response
set-return-code in HAProxy.

I let the LUA experts answer you on the rest of the mail :)

Baptiste



Tailor Made Services For You!— Guzhen Lighting Fair

2015-07-13 Thread Guzhen Lighting Fair
Tailor Made Services For You!— Guzhen Lighting Fair

Hello haproxy@formilux.org,

It seems your e-mail software does not support HTML.
Please visit the web page below so you can read this message in a web browser:
http://edm.ubmsinoexpo.com/x/?S7a1MPufa2tuZmb4v8jW0tDMzOR.jq2hgbmRBQAA76