Help with ACL
Hi Team,

I am new to HAProxy ACLs and am following the blog post below to create a rule to keep an application safe from DDoS.

http://blog.haproxy.com/2012/10/12/scalable-waf-protection-with-haproxy-and-apache-with-modsecurity/

===

frontend ft_waf
    bind 192.168.10.2:80 name http
    mode http
    log global
    option httplog
    timeout client 25s
    maxconn 1
    stick-table type ip size 1m expire 1m store gpc0,http_req_rate(10s),http_err_rate(10s)
    tcp-request connection track-sc1 src
    tcp-request connection reject if { sc1_get_gpc0 gt 0 }
    # Abuser means more than 100reqs/10s
    acl abuse sc1_http_req_rate(ft_web) ge 100
    acl flag_abuser sc1_inc_gpc0(ft_web)
    tcp-request content reject if abuse flag_abuser
    default_backend bk_waf

When I am using ft_web, I am getting:

[ALERT] 193/155117 (6404) : parsing [/etc/haproxy/haproxy.cfg:65] : unable to find table 'ft_web' referenced in arg 1 of ACL keyword 'sc1_http_req_rate' in proxy 'ft_web'.

Once I changed it to ft_waf (which I think it should be, because we need the ACL on the frontend which is serving public traffic), I am getting the warning below:

Starting haproxy: [WARNING] 193/162102 (6657) : parsing acl keyword 'sc1_inc_gpc0(ft_waf)' : no pattern to match against were provided, so this ACL will never match. If this is what you intended, please add '--' to get rid of this warning. If you intended to match only for existence, please use '-m found'. If you wanted to force an int to match as a bool, please use '-m bool'.

# WAF farm where users' traffic is routed first
backend bk_waf
    balance roundrobin
    mode http
    log global
    option httplog
    option forwardfor header X-Client-IP
    option httpchk HEAD /waf_health_check HTTP/1.0
    # If the source IP generated 10 or more http request over the defined period,
    # flag the IP as abuser on the frontend
    acl abuse sc1_http_err_rate(ft_waf) ge 10
    acl flag_abuser sc1_inc_gpc0(ft_waf)
    tcp-request content reject if abuse flag_abuser
    # Specific WAF checking: a DENY means everything is OK
    http-check expect status 403
    timeout server 25s
    default-server inter 3s rise 2 fall 3
    server waf1 192.168.10.15:81 maxconn 100 weight 10 check
    server waf2 192.168.10.16:81 maxconn 100 weight 10 check

frontend ft_web
    bind 192.168.10.2:81 name http
    mode http
    log global
    option httplog
    timeout client 25s
    maxconn 1000
    # route health check requests to a specific backend to avoid graph pollution in ALOHA GUI
    use_backend bk_waf_health_check if { path /waf_health_check }
    default_backend bk_web

Please suggest what is wrong here.

Best Regards,
Yogesh Sharma
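An added example from the editor, not the blog post's configuration and not the poster's, showing the ft_waf frontend with both messages addressed. The stick-table is declared in ft_waf, so every sc1_* fetch has to name ft_waf or omit the table argument, which defaults to the current proxy's own table; ft_web declares no table, which is exactly what the ALERT reports. The WARNING disappears once the flag ACL is given a pattern: sc1_inc_gpc0 returns the value after incrementing, so "gt 0" is always true and the ACL still performs the increment as its side effect. The addresses, thresholds and timers are the poster's; the maxconn value is an assumption (ft_web on the page uses 1000, and the posted "maxconn 1" would admit a single connection).

```haproxy
frontend ft_waf
    bind 192.168.10.2:80 name http
    mode http
    log global
    option httplog
    timeout client 25s
    maxconn 1000                      # assumed value, see lead-in

    # The table is owned by this frontend. Per source IP it stores:
    #   gpc0           -> "is abuser" flag
    #   http_req_rate  -> requests over the last 10s
    #   http_err_rate  -> request errors and 4xx responses over the last 10s (read by bk_waf)
    # An entry, and with it the abuser flag, expires 1m after its last update.
    stick-table type ip size 1m expire 1m store gpc0,http_req_rate(10s),http_err_rate(10s)

    # Track the client IP in sc1 as soon as the connection arrives.
    tcp-request connection track-sc1 src
    # Already flagged? Drop the connection before it costs a request slot.
    tcp-request connection reject if { sc1_get_gpc0 gt 0 }

    # Abuser means 100 or more requests per 10s. No table argument is needed:
    # sc1 was tracked against this frontend's own table. sc1_http_req_rate(ft_waf)
    # is equivalent; sc1_http_req_rate(ft_web) fails because ft_web has no table.
    acl abuse       sc1_http_req_rate ge 100
    # sc1_inc_gpc0 increments gpc0 and returns the new value, so "gt 0" always
    # matches; the pattern is there to satisfy the ACL parser, not to filter.
    acl flag_abuser sc1_inc_gpc0 gt 0
    tcp-request content reject if abuse flag_abuser

    default_backend bk_waf
```

The ordering matters: the flag set here is only honoured by the connection-stage reject because track-sc1 runs first, and a flagged client is released automatically when its table entry expires, so the block lasts for the table's expire period after the last connection attempt.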
Missing sessions in haproxy stats
Hi,

Apologies if the answer is in the manual, or in the mailing lists, I couldn't find it.

In my Haproxy config, I have a front-end and several backends. The stats page is showing stats of sessions, CUR = 1098. (CSV output below) However, if I add up all the sessions for all its back-ends, I get nowhere close to that number (54). Am I misunderstanding the meaning of sessions - cur on this page? Or is http-in front end discarding 95% of incoming sessions because they don't match a backend? If the latter, I would have thought I'd see a bunch of 503s being returned all the time, which I don't. I thought subsequently perhaps these could be sessions stuck in TCP_WAIT on the client side, but that only accounts for 17% - not 95.

In short, what's happening with these other 95% please? Many thanks for any guidance.

Nik

(Xpost from http://stackoverflow.com/questions/31186889/missing-haproxy-sessions-in-stats-page , in case you wish to claim the bounty there).

# pxname,bobname,qcur,qmax,scur,smax
http-in,FRONTEND,,,1098,1254
foo_web_zar_and_ws,bob91,0,0,0,1
foo_web_zar_and_ws,bob83,0,0,1,7
foo_web_zar_and_ws,BACKEND,0,0,1,7
foo_web_ned,bob91,0,0,0,0
foo_web_ned,bob83,0,0,0,0
foo_web_ned,BACKEND,0,0,0,0
foo_web_comms,bob91,0,0,0,2
foo_web_comms,bob83,0,0,0,2
foo_web_comms,BACKEND,0,0,0,2
bla_web_comms,bob10,0,0,9,46
bla_web_comms,bob91,0,0,3,32
bla_web_comms,bob83,0,0,3,62
bla_web_comms,BACKEND,0,0,15,85
bla_web_zar_and_ws,bob91,0,0,5,20
bla_web_zar_and_ws,bob83,0,0,7,36
bla_web_zar_and_ws,BACKEND,0,0,12,45
bla_web_ned,bob91,0,0,0,2
bla_web_ned,bob83,0,0,0,2
bla_web_ned,BACKEND,0,0,0,2
stats,FRONTEND,,,1,5
stats,BACKEND,0,0,0,1
Re: Segfault when parsing a configuration file
❦ 11 July 2015 14:20 +0200, Lukas Tribus luky...@hotmail.com:

> Thanks for the detailed repro. This bug is fixed in release 1.5.10 by commit ed061c0590 (BUG/MEDIUM: config: do not propagate processes between stopped processes) [1]. Quoting from the commit:
>
> Immo Goltz reported a case of segfault while parsing the config where we try to propagate processes across stopped frontends (those with a disabled statement). The fix is trivial. The workaround consists in commenting out these frontends, although not always easy.
>
> You can get latest haproxy build for debian here [2]. Maybe Vincent could queue this fix for a debian backport?

Yes, we'll do that.

--
Let me take you a button-hole lower.
-- William Shakespeare, Love's Labour's Lost
Problems compiling HAProxy with Lua Support
Hi,

I'm trying to build HAProxy 1.6 (git HEAD) with Lua (5.3.1) on Ubuntu 14.04. This was my first try:

make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 USE_LUA=yes LUA_LIB=/opt/lua53/lib/ LUA_INC=/opt/lua53/include/ LDFLAGS=-ldl

resulting error:

.
.
.
gcc -ldl -o haproxy src/haproxy.o src/sessionhash.o src/base64.o src/protocol.o src/uri_auth.o src/standard.o src/buffer.o src/log.o src/task.o src/chunk.o src/channel.o src/listener.o src/lru.o src/xxhash.o src/time.o src/fd.o src/pipe.o src/regex.o src/cfgparse.o src/server.o src/checks.o src/queue.o src/frontend.o src/proxy.o src/peers.o src/arg.o src/stick_table.o src/proto_uxst.o src/connection.o src/proto_http.o src/raw_sock.o src/appsession.o src/backend.o src/lb_chash.o src/lb_fwlc.o src/lb_fwrr.o src/lb_map.o src/lb_fas.o src/stream_interface.o src/dumpstats.o src/proto_tcp.o src/applet.o src/session.o src/stream.o src/hdr_idx.o src/ev_select.o src/signal.o src/acl.o src/sample.o src/memory.o src/freq_ctr.o src/auth.o src/proto_udp.o src/compression.o src/payload.o src/hash.o src/pattern.o src/map.o src/namespace.o src/mailers.o src/dns.o src/vars.o src/ev_poll.o src/ev_epoll.o src/ssl_sock.o src/shctx.o src/hlua.o ebtree/ebtree.o ebtree/eb32tree.o ebtree/eb64tree.o ebtree/ebmbtree.o ebtree/ebsttree.o ebtree/ebimtree.o ebtree/ebistree.o -lcrypt -lz -ldl -lssl -lcrypto -L/opt/lua53/lib/ -llua -lm -L/usr/lib -lpcreposix -lpcre
/usr/bin/ld: /opt/lua53/lib//liblua.a(loadlib.o): undefined reference to symbol 'dlclose@@GLIBC_2.2.5'
/usr/lib/gcc/x86_64-linux-gnu/4.8/../../../x86_64-linux-gnu/libdl.so: error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status
make: *** [haproxy] Error 1

Only if I change LDFLAGS to the following is the build successful:

make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 USE_LUA=yes LUA_LIB=/opt/lua53/lib/ LUA_INC=/opt/lua53/include/ LDFLAGS=-Wl,--no-as-needed

I'm not aware of the consequences, does anybody have an idea?

---
Bjoern
IP binding and standby health-checks
Hi all,

I'm hoping I can get some advice on how we can improve our failover setup. At present, we have an active-standby setup. Failover works really well, but on the standby, none of the backend servers are marked as up since haproxy is bound to the VIP that is currently on the active member (managed with keepalived). As a result, there's an initial period of a second or two after the failover triggers and the standby claims the VIP where the backend servers have not yet passed a health-check on the new active member.

It seems like the easiest way to sort it out would be if the health-checks weren't also bound to the VIP so that the standby could complete them successfully. I do still want the proxied requests bound to the VIP though, for the benefit of our backends' real-ip configuration. Is that doable? If not, is there some way to have the standby follow the active member's view on the backends, or another way I haven't seen yet?

Thanks!
Nathan W
Re: Problems compiling HAProxy with Lua Support
❦ 13 July 2015 19:16 +0200, bjun...@gmail.com bjun...@gmail.com:

> make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 USE_LUA=yes LUA_LIB=/opt/lua53/lib/ LUA_INC=/opt/lua53/include/ LDFLAGS=-ldl
>
> resulting error:
>
> .
> .
> .
> gcc -ldl -o haproxy src/haproxy.o src/sessionhash.o src/base64.o src/protocol.o src/uri_auth.o src/standard.o src/buffer.o src/log.o src/task.o src/chunk.o src/channel.o src/listener.o src/lru.o src/xxhash.o src/time.o src/fd.o src/pipe.o src/regex.o src/cfgparse.o src/server.o src/checks.o src/queue.o src/frontend.o src/proxy.o src/peers.o src/arg.o src/stick_table.o src/proto_uxst.o src/connection.o src/proto_http.o src/raw_sock.o src/appsession.o src/backend.o src/lb_chash.o src/lb_fwlc.o src/lb_fwrr.o src/lb_map.o src/lb_fas.o src/stream_interface.o src/dumpstats.o src/proto_tcp.o src/applet.o src/session.o src/stream.o src/hdr_idx.o src/ev_select.o src/signal.o src/acl.o src/sample.o src/memory.o src/freq_ctr.o src/auth.o src/proto_udp.o src/compression.o src/payload.o src/hash.o src/pattern.o src/map.o src/namespace.o src/mailers.o src/dns.o src/vars.o src/ev_poll.o src/ev_epoll.o src/ssl_sock.o src/shctx.o src/hlua.o ebtree/ebtree.o ebtree/eb32tree.o ebtree/eb64tree.o ebtree/ebmbtree.o ebtree/ebsttree.o ebtree/ebimtree.o ebtree/ebistree.o -lcrypt -lz -ldl -lssl -lcrypto -L/opt/lua53/lib/ -llua -lm -L/usr/lib -lpcreposix -lpcre
> /usr/bin/ld: /opt/lua53/lib//liblua.a(loadlib.o): undefined reference to symbol 'dlclose@@GLIBC_2.2.5'
> /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../x86_64-linux-gnu/libdl.so: error adding symbols: DSO missing from command line
> collect2: error: ld returned 1 exit status
> make: *** [haproxy] Error 1

-ldl, where dlclose@@GLIBC_2.2.5 is, should be after -llua, where this symbol is used. I suppose that either -ldl could be added to the OPTIONS_LDFLAGS append, like this is done for -lm, or the USE_DL section could be moved towards the end. I think the first solution is better since libdl seems to be a dependency of lua.

Note that this is not Ubuntu-specific, but they enforce --as-needed by default directly in the linker.

> Only if I change LDFLAGS to the following is the build successful:
>
> make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 USE_LUA=yes LUA_LIB=/opt/lua53/lib/ LUA_INC=/opt/lua53/include/ LDFLAGS=-Wl,--no-as-needed
>
> I'm not aware of the consequences, does anybody have an idea?

In your case, this is harmless. --as-needed is used mostly to avoid pulling in unneeded dependencies by linking unused symbols. The downside is that libraries need to be linked in the correct order (a symbol is kept only if it was previously missing). This is mostly distro stuff.

--
Use self-identifying input. Allow defaults. Echo both on output.
- The Elements of Programming Style (Kernighan Plauger)
tcp-request + gpc ACLs
Hi,

I'm using stick-tables to track requests and block abusers if needed. Abusers should be blocked only for a short period of time, and I want a stick-table entry to expire. Therefore, I have to check if the client is already marked as an abuser and not track this client.

example config:

frontend fe_http_in
    bind 127.0.0.1:8001
    stick-table type ip size 100k expire 600s store gpc0
    # Not working
    # acl is_overlimit sc0_get_gpc0(fe_http_in) gt 0
    # Working
    # acl is_overlimit src_get_gpc0(fe_http_in) gt 0
    tcp-request connection track-sc0 src if !is_overlimit
    default_backend be

backend be
    ... incrementing gpc0 (with sc0_inc_gpc0) ...

If I use sc0_get_gpc0, the stick-table entry will never expire because the timer will be reset (tcp-request connection track-sc0 ... seems to ignore this ACL). With src_get_gpc0 everything works as expected. Both ACLs are correct and triggered (verified with debug headers (http-response set-header ...)).

What's the difference between these ACLs in conjunction with tcp-request connection track-sc0 ...? Is this a bug or intended behaviour?

---
Bjoern
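An added example from the editor, not the poster's configuration, showing the connection-stage check written with src_get_gpc0, the form that lets the entry expire. When "tcp-request connection track-sc0 src if !is_overlimit" is evaluated, nothing has been tracked in sc0 yet: the track action itself is what would populate it. sc0_get_gpc0 therefore finds no counter, the ACL cannot match, !is_overlimit is true, and the client is tracked on every connection, which refreshes the entry's expiry each time. src_get_gpc0 looks the source address up in the table by key, with no tracked counter required. The explicit reject of flagged clients, the http_req_rate counter and the backend threshold are assumptions, since the page only says that gpc0 is incremented in the backend.

```haproxy
frontend fe_http_in
    bind 127.0.0.1:8001
    mode http
    # gpc0 holds the abuser flag; http_req_rate(10s) is assumed, for the backend rule below
    stick-table type ip size 100k expire 600s store gpc0,http_req_rate(10s)

    # Key lookup by source address. This works before anything is tracked.
    # sc0_get_gpc0 would read the counter tracked in sc0, which is still empty
    # when this rule runs, so it could never match and every client would be tracked.
    acl is_overlimit src_get_gpc0(fe_http_in) gt 0

    # Flagged clients are rejected (assumed) and, more importantly, not tracked,
    # so their entry is no longer refreshed and expires 600s after its last update.
    tcp-request connection reject if is_overlimit
    tcp-request connection track-sc0 src if !is_overlimit
    default_backend be

backend be
    mode http
    # Assumed threshold: flag the tracked client once it exceeds 50 requests per 10s.
    # sc0_* fetches work here because sc0 was tracked in the frontend.
    acl too_fast    sc0_http_req_rate(fe_http_in) gt 50
    acl mark_abuser sc0_inc_gpc0(fe_http_in) gt 0
    http-request deny if too_fast mark_abuser
    server app1 127.0.0.1:8080   # assumed application server
```

The block therefore lasts for the table's expire period measured from the client's last tracked connection, which is the "short period of time" the poster is after; lengthen or shorten it by changing expire, not by touching the ACLs.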
Test HAProxy configuration file
Hi,

is it possible to show and test the configuration of haproxy like apache2ctl -S? I want to check with which configuration options haproxy starts.

Thanks for help.

Regards,
Erik

Erik Schwalbe
Canoo Engineering AG
Kirschgartenstrasse 5
CH-4051 Basel
Tel: +41 61 228 94 44
Fax: +41 61 228 94 49
erik.schwa...@canoo.com
http://www.canoo.com
RE: Test HAProxy configuration file
> Hi Lukas,
>
> the output of haproxy -c is not helpful. "Configuration file is valid"

I thought that's what you want.

> I need a more verbose output with a complete overview of the configuration. I want to check if options configured in the default or global sections work for all the backends, for example.

There is no such thing. Refer to the documentation to understand how single options propagate.

Lukas
RE: Test HAProxy configuration file
Hi Erik,

> Hi,
>
> is it possible to show and test the configuration of haproxy like apache2ctl -S? I want to check with which configuration options haproxy starts.
>
> Thanks for help.

Yes, see haproxy -h (haproxy -c).

Lukas
Re: Test HAProxy configuration file
Hi Lukas,

the output of haproxy -c is not helpful. "Configuration file is valid"

I need a more verbose output with a complete overview of the configuration. I want to check if options configured in the default or global sections work for all the backends, for example.

Regards,
Erik

On 13.07.2015 at 17:36, Lukas Tribus luky...@hotmail.com wrote:

> Hi Erik,
>
>> Hi,
>>
>> is it possible to show and test the configuration of haproxy like apache2ctl -S? I want to check with which configuration options haproxy starts.
>>
>> Thanks for help.
>
> Yes, see haproxy -h (haproxy -c).
>
> Lukas

Erik Schwalbe
Canoo Engineering AG
Kirschgartenstrasse 5
CH-4051 Basel
Tel: +41 61 228 94 44
Fax: +41 61 228 94 49
erik.schwa...@canoo.com
http://www.canoo.com
Re: Contribution: change response line
On Mon, Jul 13, 2015 at 7:22 AM, Bowen Ni bowen1...@gmail.com wrote:

> Hi,
>
> With Lua integration in HAProxy 1.6, one can change the request method, path, uri, header, response header etc except response line.

Hi Bowen,

You can already change the fields above using HAProxy 1.6 statements: http-request and http-response.

http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#http-request
http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#http-response

You don't need lua for this, unless your changes are complicated and you can't find a converter which does the transformation you need:

http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#7.3.1

> I'd like to contribute the following methods to allow modification of the response line.

Actually, that's right: there is currently no http-response set-return-code in HAProxy.

I'll let the LUA experts answer you on the rest of the mail :)

Baptiste
Tailor Made Services For You!— Guzhen Lighting Fair
Hello haproxy@formilux.org,

It seems that your e-mail software does not support HTML. Please visit the web page below so that you can read this message in a web browser:

http://edm.ubmsinoexpo.com/x/?S7a1MPufa2tuZmb4v8jW0tDMzOR.jq2hgbmRBQAA76