Mailer does not work
We compiled from source haproxy-1.6-dev2.tar.gz. The new mailers mechanism does not seem to work; we configured it as in the manual:

mailers apsmailer1
    mailer smtp1 mailserver ip:10025
...
...
backend somebackend_https
    mode http
    balance roundrobin
    ...
    email-alert mailers apsmailer1
    email-alert from from mail
    email-alert to to mail
    email-alert level info
...

We see the server status change in haproxy.log:

Jul 15 09:42:00 localhost.localdomain haproxy[3342]: Server .../server1 is UP, reason: Layer4 check passed, check duration: 0ms. 2 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
Jul 15 09:42:00 localhost.localdomain haproxy[3342]: Server .../server1 is UP, reason: Layer6 check passed, check duration: 1ms. 2 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.

But no mail alerts are sent, and no error or warning is logged about sending mail. haproxy -f /etc/haproxy/haproxy.cfg -c does not return any error. All seems to be right, but mail alerts are not sent.

Roberto
Re: Load Balancing the Load Balancer
On Thu, 9 Jul 2015 14:52:19 + mlist ml...@apsystems.it wrote:

Hi, we see there is a new feature of HAProxy, peers and shared tables (sticky-table). Can this peer feature be used to keep the stick cookie in sync, so that if one haproxy goes down the other can take over the connections?

Yes, the stick table remembers and shares which client is stuck to which server. You can use any criterion of the connection, and of course you can use a cookie set by your application. In another way, HAProxy can put its own cookie in the HTTP response and use it for persistence. This mode is useful because you don't need to share the stick table, and two unconnected haproxy nodes can assure high availability without losing session affinity.

Is there some HAProxy native feature to keep the HAProxy nodes' configuration in sync automatically, or do we have to rely on external tools like rsync manually or, as we do on LVS, a cron job executing a script to sync the configuration?

The stick table synchronisation is a native protocol. The configuration or map synchronisation must be done by external tools.

What is your choice?

The choice depends on each problem. HAProxy is very rich and permits solving many LB and HA issues. Generally I prefer the simplest solution able to solve my issues.

For the connection limitation, you speak of frontend and per-backend-server minconn / maxconn? Isn't it right to divide the established total and per-server connections by n (n = number of HAProxy)? Even if this is not perfect, we'll always have at most (n * maxconn).

This division guarantees that your server will not exceed the limitation. If your server can process 100 connections, you tune the maxconn of your HAProxy to 50 per server. If the first LB processes 75 connections and the second processes only 25 (because of bad repartition in front of the LBs), the first one limits the connections and the users' requests will see latency, even though the limited server does not reach 100 connections.

Also...
I know that a major pro of L7 load balancing is to manage centrally all phases of the communication (stickiness, balancing, etc.), but in Hybrid Cloud thinking... isn't it right to be able to control the connection up to a certain point and then use some mechanism such as an L4 load balancer (like LVS) to put clients and final servers in direct communication? At least for communications that do not rely on sticky (persistent) sessions, one could alleviate periodic extraordinarily high connection rates by redirecting connections for some services (L7 ACL) to a Public Cloud without weighing down our Private Cloud infrastructure? Probably there is some other way... We do not see it at the moment...

I don't understand the relation between L4 and L7 load-balancing, and the private and public cloud.

Thierry

-----Original Message-----
From: Thierry FOURNIER [mailto:thierry.fourn...@arpalert.org]
Sent: Thursday, 9 July 2015 14:51
To: mlist
Cc: 'haproxy@formilux.org'
Subject: Re: Load Balancing the Load Balancer

On Thu, 9 Jul 2015 11:08:58 + mlist ml...@apsystems.it wrote:

We have a question about Load Balancing the load balancer... We have as of now 2 LVS load balancers in active / passive configuration with keepalived. We want to introduce an L7 load balancer (HAProxy) in active / active configuration, so we have not only an HA configuration but also a load-balanced configuration of the load balancer. We think we can do that using the two active / passive LVS machines to load-balance requests onto 2 HAProxy machines, using persistence (LVS) and stickiness (HAProxy) correctly so that applications / sessions behave as expected. We did not find such a solution on the Internet; do you think this is a bad design?

Hi, this is the classic design, but make sure that both haproxy configurations are the same (mainly the stick cookie name and values). You must know that it's not really possible to limit the amount of connections to your servers, because the first haproxy doesn't know the current connections of the second haproxy.
Thierry

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Re: ocsp
Hi, nobody knows, please?

On Thu, 9 Jul 2015 13:06:59 +0200, Marc-Antoine marc-antoine.b...@ovh.net wrote:

Hi all, I have some problems making OCSP stapling work. Here is what I did: I have 8150.pem with chain, cert and key in it. I have 8150.pem.ocsp that seems ok:

# openssl ocsp -respin 8150.pem.ocsp -text -CAfile alphassl256.chain
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 9F10D9EDA5260B71A677124526751E17DC85A62F
    Produced At: Jul 9 09:47:04 2015 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 84D56BF8098BD307B766D8E1EBAD6596AA6B6761
      Issuer Key Hash: F5CDD53C0850F96A4F3AB797DA5683E669D268F7
      Serial Number: 11216784E7CA1813F3AD922B60EAF6428EE0
    Cert Status: good
    This Update: Jul 9 09:47:04 2015 GMT
    Next Update: Jul 9 21:47:04 2015 GMT

No error/warning when launching haproxy, but I'm not sure haproxy is loading the .ocsp file because there is no notice in the log. And nothing in tlsextdebug:

echo Q | openssl s_client -connect www.beluc.fr:443 -servername www.beluc.fr -tlsextdebug -status -CApath /etc/ssl/certs
[...]
OCSP response: no response sent
[...]

Do you see something wrong? What can I do in order to debug?

Regards,
--
Marc-Antoine
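Before assuming HAProxy ignores the file, it is worth checking that the staple is one HAProxy can actually use. HAProxy loads the staple from a file named after the certificate with a .ocsp suffix (8150.pem.ocsp next to 8150.pem, as above), and a response whose serial does not match the served certificate, or whose Next Update is already in the past, is not sent. The script below is an added example, not something from the thread or from the HAProxy project: it parses the same `openssl ocsp -respin ... -text` output shown above, compares it with `openssl x509 -noout -serial` on the certificate file, and lists the reasons the staple would be unusable. The SAMPLE_OCSP and SAMPLE_X509 strings are constructed to mirror the post; the file paths passed on the command line are assumptions. Note that `openssl x509 -in` reads the first certificate block in the file, which is also the certificate OpenSSL presents as the server certificate when a combined file is loaded, so a serial mismatch points at either the staple or the order of blocks in the PEM file.

```python
"""Check an OCSP staple file against the certificate HAProxy will serve.

Added example.  HAProxy reads the staple from <crt>.ocsp beside the
certificate; this script explains why such a staple might be present but
never sent.  Paths and sample texts are assumptions/constructed.
"""
import re
import subprocess
from datetime import datetime, timezone

OCSP_TIME = "%b %d %H:%M:%S %Y GMT"   # e.g. "Jul  9 21:47:04 2015 GMT"


def utc_time(text):
    """Parse an openssl-style GMT timestamp into an aware datetime."""
    return datetime.strptime(text, OCSP_TIME).replace(tzinfo=timezone.utc)


def parse_ocsp_text(text):
    """Pull the fields that decide whether a staple is usable out of
    `openssl ocsp -text` output."""
    def grab(label):
        m = re.search(r"^\s*" + re.escape(label) + r":\s*(.+?)\s*$", text, re.M)
        return m.group(1) if m else None
    return {
        "response_status": grab("OCSP Response Status"),
        "serial": (grab("Serial Number") or "").upper(),
        "cert_status": grab("Cert Status"),
        "this_update": grab("This Update"),
        "next_update": grab("Next Update"),
    }


def parse_x509_serial(text):
    """`openssl x509 -noout -serial` prints `serial=11216784...`."""
    m = re.search(r"serial=([0-9A-Fa-f]+)", text)
    return m.group(1).upper() if m else None


def staple_problems(ocsp, cert_serial, now):
    """Return the reasons this staple would not be accepted (empty list = OK)."""
    problems = []
    status = ocsp["response_status"] or ""
    if not status.startswith("successful"):
        problems.append("response status is %r, not successful" % status)
    if not cert_serial or ocsp["serial"] != cert_serial:
        problems.append("staple serial %s != certificate serial %s"
                        % (ocsp["serial"], cert_serial))
    if ocsp["cert_status"] != "good":
        problems.append("certificate status is %r" % ocsp["cert_status"])
    if ocsp["next_update"] and utc_time(ocsp["next_update"]) <= now:
        problems.append("response expired at %s" % ocsp["next_update"])
    if ocsp["this_update"] and utc_time(ocsp["this_update"]) > now:
        problems.append("response not yet valid (This Update is in the future)")
    return problems


def check_files(cert_pem, ca_chain):
    """Run openssl on the real files (not exercised offline).  The cert file
    is expected to hold the server certificate as its first PEM block."""
    def run(*args):
        return subprocess.run(["openssl", *args], capture_output=True,
                              text=True, check=False).stdout
    ocsp = parse_ocsp_text(run("ocsp", "-respin", cert_pem + ".ocsp",
                               "-text", "-CAfile", ca_chain))
    serial = parse_x509_serial(run("x509", "-in", cert_pem, "-noout", "-serial"))
    return staple_problems(ocsp, serial, datetime.now(timezone.utc))


# Constructed samples mirroring the output quoted in the thread.
SAMPLE_OCSP = """OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Produced At: Jul  9 09:47:04 2015 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Serial Number: 11216784E7CA1813F3AD922B60EAF6428EE0
    Cert Status: good
    This Update: Jul  9 09:47:04 2015 GMT
    Next Update: Jul  9 21:47:04 2015 GMT
"""
SAMPLE_X509 = "serial=11216784E7CA1813F3AD922B60EAF6428EE0\n"

if __name__ == "__main__":
    import sys
    # usage: python ocsp_check.py 8150.pem alphassl256.chain   (paths assumed)
    for line in check_files(sys.argv[1], sys.argv[2]) or ["staple looks usable"]:
        print(line)
```

Run it against the certificate and chain file; an empty problem list means the staple is at least consistent with the served certificate and still within its validity window, so the next place to look is whether HAProxy was started with the .ocsp file already in place (it is read at startup with the certificate).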
Re: Mailer does not work
On Wed, Jul 15, 2015 at 9:48 AM, mlist ml...@apsystems.it wrote:

We compiled from source haproxy-1.6-dev2.tar.gz. The new mailers mechanism does not seem to work; we configured it as in the manual: mailers apsmailer1 mailer smtp1 mailserver ip:10025 ... ... backend somebackend_https mode http balance roundrobin ... email-alert mailers apsmailer1 email-alert from from mail email-alert to to mail email-alert level info ... We see the server status change in haproxy.log: Jul 15 09:42:00 localhost.localdomain haproxy[3342]: Server .../server1 is UP, reason: Layer4 check passed, check duration: 0ms. 2 active and 0 backup servers online. 0 sessions requeued, 0 total in queue. Jul 15 09:42:00 localhost.localdomain haproxy[3342]: Server .../server1 is UP, reason: Layer6 check passed, check duration: 1ms. 2 active and 0 backup servers online. 0 sessions requeued, 0 total in queue. But no mail alerts are sent, and no error or warning is logged about sending mail. haproxy -f /etc/haproxy/haproxy.cfg -c does not return any error. All seems to be right, but mail alerts are not sent. Roberto

Hi Roberto,

Could you please take a tcpdump on port 10025 and confirm HAProxy tries to connect to the SMTP server?

Baptiste
FW: SSL offloading in HAProxy
Hello HAProxy team, I see that SSL offloading for the HTTP protocol is already supported (http://blog.haproxy.com/2012/09/10/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/). I would like to know if there is an option for SSL offloading of the IMAP protocol. Thanks, Galit

From: Avrahami David
Sent: Wednesday, July 01, 2015 3:50 PM
To: Cohen Galit
Cc: Sabban Gili; Meltser Tiran
Subject: SSL offloading in HAProxy

Hi Galit, Can you please post the question below to the HAProxy forum? I see that SSL offloading for the HTTP protocol is already supported (http://blog.haproxy.com/2012/09/10/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/). I would like to know if there is an option for SSL offloading of the IMAP protocol. Best Regards, David Avrahami Security SE Tel: +972-3-6452374 Mobile: +972-544382374 Email: david.avrah...@comverse.com

This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: secur...@comverse.com. Thank You.
Re: Server IP resolution using DNS in HAProxy
Hey, I don't understand the necessity of the hold valid config option. DNS has something that takes care of this for you, called the TTL. Besides, if hold valid is shorter than the TTL it would be kind of pointless, since the resolvers you are querying won't re-resolve until the TTL expires. Tbh I don't really see the point of configuring the resolvers in haproxy when the OS has perfectly fine working facilities for this. What is the benefit, besides possibly causing lookups to happen twice, once from the OS resolving stack and once from haproxy's? If you really want exactly the same behavior as described you could always configure a local resolver that queries multiple other resolvers instead of recursing itself.

-Robin-

Marco Corte wrote on 7/15/2015 08:28:

On 14/07/2015 22:11, Baptiste wrote:

- when parsing the configuration, HAProxy uses libc functions and resolvers provided by the operating system = if the server can't be resolved at this step, then HAProxy can't start [...] First, we want to fix the error when HAProxy fails starting up because the resolvers pointed to by the system can't resolve a server's IP address (but HAProxy resolvers could). The idea here would be to create a new flag on the server to tell HAProxy which IP to use. The server would be enabled when the IP has been provided by the expected tool.

Hi, Baptiste. Since I am used to IP addresses I cannot figure out all the possible implications of server name DNS resolution :-) IMHO HAproxy should start in any case if the configuration is valid; only the unresolvable items should be marked as disabled or failing or down or whatever. A wrong DNS entry could stop an otherwise perfectly working configuration. Why not provide an option to start haproxy even if not all servers can be resolved? Your proposal of the init-addr could be useful for a trick: I can set a surely unreachable address to let haproxy start and then force/wait for the name resolution to have a working server.
A NX server state would be very nice. .marcoc
Re: Server IP resolution using DNS in HAProxy
Hello Robin, On 07/15/2015 08:49 AM, Robin Geuze wrote: Tbh I don't really see the point of configuring the resolvers in haproxy when the OS has perfectly fine working facilities for this? What is the benefit besides possibly causing lookups to happen twice, once from the OS resolving stack and once from haproxies? If you really want exactly the same behavior as described you could always configure a local resolver that queries multiple other resolvers instead of recursing itself. Because this would perfectly integrate with things like Consul (https://www.consul.io/docs/agent/dns.html), which are currently very widely used to provide service discovery. -Robin- Regards, -- Nenad Merdanovic | PGP: 0x423edcb2 Linkedin: http://www.linkedin.com/in/nenadmerdanovic
Re: Server IP resolution using DNS in HAProxy
On 14/07/2015 22:11, Baptiste wrote:

- when parsing the configuration, HAProxy uses libc functions and resolvers provided by the operating system = if the server can't be resolved at this step, then HAProxy can't start [...] First, we want to fix the error when HAProxy fails starting up because the resolvers pointed to by the system can't resolve a server's IP address (but HAProxy resolvers could). The idea here would be to create a new flag on the server to tell HAProxy which IP to use. The server would be enabled when the IP has been provided by the expected tool.

Hi, Baptiste. Since I am used to IP addresses I cannot figure out all the possible implications of server name DNS resolution :-) IMHO HAproxy should start in any case if the configuration is valid; only the unresolvable items should be marked as disabled or failing or down or whatever. A wrong DNS entry could stop an otherwise perfectly working configuration. Why not provide an option to start haproxy even if not all servers can be resolved? Your proposal of the init-addr could be useful for a trick: I can set a surely unreachable address to let haproxy start and then force/wait for the name resolution to have a working server. A NX server state would be very nice.

.marcoc
Re: Server IP resolution using DNS in HAProxy
Hey Nenad, Actually a local resolver can take care of that for you as well, since every resolver I know allows configuring a different destination on a per-domain basis. Also, as described in the first email, the server has to be resolvable via the OS resolving stack as well, otherwise haproxy won't start. This means you cannot use custom domains without configuring some sort of custom resolver anyway.

-Robin-

Nenad Merdanovic wrote on 7/15/2015 08:56:

Hello Robin, On 07/15/2015 08:49 AM, Robin Geuze wrote: Tbh I don't really see the point of configuring the resolvers in haproxy when the OS has perfectly fine working facilities for this. What is the benefit, besides possibly causing lookups to happen twice, once from the OS resolving stack and once from haproxy's? If you really want exactly the same behavior as described you could always configure a local resolver that queries multiple other resolvers instead of recursing itself. Because this would perfectly integrate with things like Consul (https://www.consul.io/docs/agent/dns.html), which are currently very widely used to provide service discovery. -Robin- Regards,
[PATCH] BUG/MINOR: payload: Add volatile flag to smp_fetch_req_ssl_ec_ext
This bug was introduced in 5fc7d7e. No backport to 1.5 needed. Signed-off-by: Nenad Merdanovic nmer...@anine.io --- src/payload.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/payload.c b/src/payload.c index 78f5608..852727a 100644 --- a/src/payload.c +++ b/src/payload.c @@ -161,6 +161,7 @@ smp_fetch_req_ssl_ec_ext(const struct arg *args, struct sample *smp, const char if (ext_type == 10) { smp-type = SMP_T_BOOL; smp-data.uint = 1; + smp-flags = SMP_F_VOLATILE; return 1; } -- 2.1.4
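Review bot: the volatile flag is only set on the branch that found extension type 10 and reports true; if smp_fetch_req_ssl_ec_ext has any other path that returns a definite answer (for instance false once the whole ClientHello has been walked without finding the extension), that path needs the same SMP_F_VOLATILE, because both answers are derived from a request buffer that can still change and must not be cached across evaluations. The commit message should also state what the missing flag caused (a sample result without the volatility flags can outlive the test it was computed for) instead of only naming 5fc7d7e as the introducing commit, and it is worth confirming that a plain assignment of SMP_F_VOLATILE, rather than OR-ing it in, matches what the neighbouring fetch functions in src/payload.c do, so that no flag already set on the sample is dropped.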
RE: Mailer does not work
At the end of each SMTP session, we see a packet with the Reset + Acknowledge bits set: tcp.flags = RST + ACK

Roberto

-----Original Message-----
From: Baptiste [mailto:bed...@gmail.com]
Sent: Wednesday, 15 July 2015 12:01
To: mlist
Cc: haproxy@formilux.org
Subject: Re: Mailer does not work

On Wed, Jul 15, 2015 at 9:48 AM, mlist ml...@apsystems.it wrote: We compiled from source haproxy-1.6-dev2.tar.gz. The new mailers mechanism does not seem to work; we configured it as in the manual: mailers apsmailer1 mailer smtp1 mailserver ip:10025 ... ... backend somebackend_https mode http balance roundrobin ... email-alert mailers apsmailer1 email-alert from from mail email-alert to to mail email-alert level info ... We see the server status change in haproxy.log: Jul 15 09:42:00 localhost.localdomain haproxy[3342]: Server .../server1 is UP, reason: Layer4 check passed, check duration: 0ms. 2 active and 0 backup servers online. 0 sessions requeued, 0 total in queue. Jul 15 09:42:00 localhost.localdomain haproxy[3342]: Server .../server1 is UP, reason: Layer6 check passed, check duration: 1ms. 2 active and 0 backup servers online. 0 sessions requeued, 0 total in queue. But no mail alerts are sent, and no error or warning is logged about sending mail. haproxy -f /etc/haproxy/haproxy.cfg -c does not return any error. All seems to be right, but mail alerts are not sent. Roberto

Hi Roberto, Could you please take a tcpdump on port 10025 and confirm HAProxy tries to connect to the SMTP server? Baptiste
RE: Load Balancing the Load Balancer
Hi, we see there is a new feature of HAProxy, peers and shared tables (sticky-table). Can this peer feature be used to keep the stick cookie in sync, so that if one haproxy goes down the other can take over the connections?

Yes, the stick table remembers and shares which client is stuck to which server. You can use any criterion of the connection, and of course you can use a cookie set by your application. In another way, HAProxy can put its own cookie in the HTTP response and use it for persistence. This mode is useful because you don't need to share the stick table, and two unconnected haproxy nodes can assure high availability without losing session affinity.

So if we use a shared stick table between 2 HAProxy LBs we do not need a cookie to maintain backend server sessions, and if we use a cookie we do not need to share the stick table? In the latter case, how does the surviving HAProxy know where to route the request to the correct backend server, using some haproxy.cfg with some backend server definition?

What is your choice?

The choice depends on each problem. HAProxy is very rich and permits solving many LB and HA issues. Generally I prefer the simplest solution able to solve my issues.

I mean your choice for keeping the haproxy.cfg file in sync between 2 or more haproxy LBs (rsync, custom script, etc.)

Also... I know that a major pro of L7 load balancing is to manage centrally all phases of the communication (stickiness, balancing, etc.), but in Hybrid Cloud thinking... isn't it right to be able to control the connection up to a certain point and then use some mechanism such as an L4 load balancer (like LVS) to put clients and final servers in direct communication? At least for communications that do not rely on sticky (persistent) sessions, one could alleviate periodic extraordinarily high connection rates by redirecting connections for some services (L7 ACL) to a Public Cloud without weighing down our Private Cloud infrastructure? Probably there is some other way... We do not see it at the moment...
I don't understand the relation between L4 and L7 load-balancing, and the private and public cloud.

I read something about that but I'm still to go deep... some L4 LBs (LVS) can work by managing the first connection and then redirecting the communication to the backend; after that, source and backend communicate directly without the LB analyzing every subsequent packet. This is not so useful in L7, as the point is managing every packet to allow complex and correct management of all the communication (cookie, stick, ACL, etc.), but in some situations such an escape can be useful. I hope I'm clear... but this is not so important as of now. Thank you in advance

Roberto

-----Original Message-----
From: Thierry FOURNIER [mailto:thierry.fourn...@arpalert.org]
Sent: Wednesday, 15 July 2015 11:04
To: mlist
Cc: 'haproxy@formilux.org'
Subject: Re: Load Balancing the Load Balancer

On Thu, 9 Jul 2015 14:52:19 + mlist ml...@apsystems.it wrote:

Hi, we see there is a new feature of HAProxy, peers and shared tables (sticky-table). Can this peer feature be used to keep the stick cookie in sync, so that if one haproxy goes down the other can take over the connections?

Yes, the stick table remembers and shares which client is stuck to which server. You can use any criterion of the connection, and of course you can use a cookie set by your application. In another way, HAProxy can put its own cookie in the HTTP response and use it for persistence. This mode is useful because you don't need to share the stick table, and two unconnected haproxy nodes can assure high availability without losing session affinity.

Is there some HAProxy native feature to keep the HAProxy nodes' configuration in sync automatically, or do we have to rely on external tools like rsync manually or, as we do on LVS, a cron job executing a script to sync the configuration?

The stick table synchronisation is a native protocol. The configuration or map synchronisation must be done by external tools.

What is your choice?

The choice depends on each problem. HAProxy is very rich and permits solving many LB and HA issues. Generally I prefer the simplest solution able to solve my issues.

For the connection limitation, you speak of frontend and per-backend-server minconn / maxconn? Isn't it right to divide the established total and per-server connections by n (n = number of HAProxy)? Even if this is not perfect, we'll always have at most (n * maxconn).

This division guarantees that your server will not exceed the limitation. If your server can process 100 connections, you tune the maxconn of your HAProxy to 50 per server. If the first LB processes 75 connections and the second processes only 25 (because of bad repartition in front of the LBs), the first one limits the connections and the users' requests will see latency, even though the limited server does not reach 100 connections.

Also... I know that a major pro of L7 load balancing is to manage centrally all phases of the communication
RE: Mailer does not work
We took a tcpdump. Following the TCP traffic we can see each step. Reproducing it manually, the mail was sent. Probably the HAProxy SMTP communication has an error in the final stage, CRLF.CRLF, as up to that point all goes right. Here follows the manual communication with the mail server, reproducing the SMTP command sequence from the tcpdump.

EHLO smtp1
250-MAIL1 Hello [192.168.1.x]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH
250-8BITMIME
250-XEXCH50
250 XSHADOW
MAIL FROM:loadbha1@domain
250 2.1.0 Sender OK
RCPT TO:alerts@domain
250 2.1.5 Recipient OK
DATA
354 Start mail input; end with CRLF.CRLF
From: loadbha1@domain
To: alerts@domain
Date: Wed, 15 Jul 2015 12:50:48 +0200 (CEST)
Subject: [HAproxy Alert] Server backend/webhost1 is DOWN, reason: Layer4 timeout, check duration: 5002ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue

Server backend/webhost1 is DOWN, reason: Layer4 timeout, check duration: 5002ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue
.
250 2.6.0 7c4f8f74-8d6b-446e-a504-e7a45fc58baf@MAIL [InternalId=293812] Queued mail for delivery

Entering all these commands manually, we correctly receive the email.

Dr. Roberto Cazzato
Divisione ICT e Sicurezza
Senior IT Designer
gsm +39 348 22 00 850
A.P. SYSTEMS s.r.l.
20013 Magenta (Milano) Via Milano 89/91 (ang.Via Cimarosa) Italia - www.apsystems.it
tel. +39 02 97226.1 - fax 02 97226.339

-----Original Message-----
From: Baptiste [mailto:bed...@gmail.com]
Sent: Wednesday, 15 July 2015 12:01
To: mlist
Cc: haproxy@formilux.org
Subject: Re: Mailer does not work

On Wed, Jul 15, 2015 at 9:48 AM, mlist ml...@apsystems.it wrote: We compiled from source haproxy-1.6-dev2.tar.gz. The new mailers mechanism does not seem to work; we configured it as in the manual: mailers apsmailer1 mailer smtp1 mailserver ip:10025 ... ... backend somebackend_https mode http balance roundrobin ... email-alert mailers apsmailer1 email-alert from from mail email-alert to to mail email-alert level info ... We see the server status change in haproxy.log: Jul 15 09:42:00 localhost.localdomain haproxy[3342]: Server .../server1 is UP, reason: Layer4 check passed, check duration: 0ms. 2 active and 0 backup servers online. 0 sessions requeued, 0 total in queue. Jul 15 09:42:00 localhost.localdomain haproxy[3342]: Server .../server1 is UP, reason: Layer6 check passed, check duration: 1ms. 2 active and 0 backup servers online. 0 sessions requeued, 0 total in queue. But no mail alerts are sent, and no error or warning is logged about sending mail. haproxy -f /etc/haproxy/haproxy.cfg -c does not return any error. All seems to be right, but mail alerts are not sent. Roberto

Hi Roberto, Could you please take a tcpdump on port 10025 and confirm HAProxy tries to connect to the SMTP server? Baptiste
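A quicker way to see exactly what the mailer sends, instead of reading it out of a tcpdump and replaying it by hand, is to point the `mailer` line at a throw-away SMTP sink that answers like a real server and records the dialogue. The script below is an added example, not code from the thread or from HAProxy: it speaks just enough SMTP to accept one message, and its report says whether the DATA section was closed with the <CRLF>.<CRLF> terminator and whether the client sent QUIT or simply dropped the connection (which is what the RST+ACK at the end of each session in the capture above would look like here). The state machine is separate from the socket code so it can be driven with the constructed SAMPLE_SESSION, which mirrors the transcript above; the listen address 127.0.0.1:10025 is an assumption.

```python
"""Throw-away SMTP sink for watching what HAProxy's mailers actually send.

Added example.  Listens on the port the `mailer` line points at (10025 in
the thread), accepts one message per connection, records the dialogue and
reports whether DATA was terminated with <CRLF>.<CRLF>.  Does not handle
dot-stuffing, STARTTLS or AUTH; it is a capture aid, not a mail server.
"""
import asyncio

END_OF_DATA = b"\r\n.\r\n"


class SmtpSink:
    """Feed raw client bytes in, get reply bytes out; inspect afterwards."""

    def __init__(self):
        self.buf = b""
        self.commands = []        # command lines in order, DATA body excluded
        self.body = b""           # message body once the terminator was seen
        self.in_data = False
        self.data_terminated = False
        self.quit_seen = False

    def feed(self, chunk):
        self.buf += chunk
        out = b""
        while True:
            if self.in_data:
                if self.buf.startswith(b".\r\n"):         # empty body
                    end, skip = 0, 3
                else:
                    end = self.buf.find(END_OF_DATA)
                    skip = end + len(END_OF_DATA)
                if end < 0:
                    break                                  # wait for more bytes
                self.body, self.buf = self.buf[:end], self.buf[skip:]
                self.in_data, self.data_terminated = False, True
                out += b"250 2.0.0 queued\r\n"
                continue
            end = self.buf.find(b"\r\n")
            if end < 0:
                break
            line, self.buf = self.buf[:end], self.buf[end + 2:]
            out += self._command(line)
        return out

    def _command(self, line):
        self.commands.append(line.decode("latin-1"))
        verb = line.split(b" ", 1)[0].upper()
        if verb in (b"EHLO", b"HELO"):
            return b"250-smtp-sink\r\n250 8BITMIME\r\n"
        if verb == b"DATA":
            self.in_data = True
            return b"354 End data with <CR><LF>.<CR><LF>\r\n"
        if verb == b"QUIT":
            self.quit_seen = True
            return b"221 2.0.0 Bye\r\n"
        return b"250 2.1.0 OK\r\n"              # MAIL FROM, RCPT TO, RSET, NOOP

    def report(self):
        return {"commands": self.commands,
                "data_terminated": self.data_terminated,
                "body_bytes": len(self.body),
                "quit_seen": self.quit_seen,
                "unconsumed": self.buf}


async def handle(reader, writer):
    sink = SmtpSink()
    writer.write(b"220 smtp-sink ESMTP\r\n")
    await writer.drain()
    while not sink.quit_seen:
        chunk = await reader.read(4096)
        if not chunk:
            break                   # client closed (FIN or RST) without QUIT
        out = sink.feed(chunk)
        if out:
            writer.write(out)
            await writer.drain()
    writer.close()
    print(writer.get_extra_info("peername"), sink.report())


async def serve(host="127.0.0.1", port=10025):          # assumed listen address
    server = await asyncio.start_server(handle, host, port)
    async with server:
        await server.serve_forever()


# Constructed session mirroring the transcript in the thread.
SAMPLE_SESSION = (b"EHLO smtp1\r\n"
                  b"MAIL FROM:<loadbha1@domain>\r\n"
                  b"RCPT TO:<alerts@domain>\r\n"
                  b"DATA\r\n"
                  b"From: loadbha1@domain\r\nTo: alerts@domain\r\n"
                  b"Subject: [HAproxy Alert] Server backend/webhost1 is DOWN\r\n"
                  b"\r\nServer backend/webhost1 is DOWN\r\n"
                  b".\r\n"
                  b"QUIT\r\n")

if __name__ == "__main__":
    asyncio.run(serve())
```

With `mailer smtp1 127.0.0.1:10025` in the mailers section, each alert HAProxy sends prints one report line; `data_terminated: False` with bytes left in `unconsumed` means the client stopped short of the terminator, while `data_terminated: True, quit_seen: False` means the message was complete and the connection was simply dropped afterwards, which a real server would still deliver.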
Re: IP binding and standby health-checks
Hi Baptiste, Sorry for the delayed response, had some urgent things come up that required more immediate attention... thanks again for your continued support.

Why not using proxy-protocol between HAProxy and nginx?

Sounds interesting; I'd definitely heard of it before, but hadn't looked into it since what we've been doing has been working. My initial impression is that it's a pretty big change from what we're currently doing (looks like it would at least require a brief maintenance to roll out since it requires coordinated change between client and load-balancer), but I'm not fundamentally opposed if there's significant advantages. I'll definitely take a look to see if it satisfies our requirements.

I disagree, it would be only 2: the 'real' IP addresses of the load-balancers only.

OK, fair point. Maybe it's just being paranoid to think that unless we're explicitly setting the source, we should account for *all* possible sources. The VIP wouldn't be the default route, so we could probably get away with ignoring it. Come to think of it... maybe having keepalived change the default route on the primary and skipping hardcoding the source in haproxy would address what we're aiming for? Seems worth further investigation, as I'm not sure whether it supports this out of the box.

there is no 0.0.0.0 magic values neither subnet values accepted in nginx XFF module?

I wouldn't use 0.0.0.0 whether there is or not, as I wouldn't want it to be that open. It might be a different case for a subnet value, if we were able to put the load-balancer cluster in a separate subnet, but our current situation (managed private openstack deployment) doesn't give us quite that much network control. Maybe someday soon with VXLAN or another overlay (of course, that comes with performance penalties, so maybe not).

Then instead of using a VIP, you can book 2 IPs in your subnet that could be used, whatever the LB is using.
Pre-allocating network IPs from the subnet that aren't permitted to be assigned to anything other than whatever instance is currently filling the load-balancer role would certainly work (I like this idea!); that's actually pretty similar to what we're doing for the internal VIP currently (the external VIP is just an openstack floating IP, aka a DNAT in the underlying infrastructure), and then adding it as an allowed address for the instance-associated network port instance in Neutron's allowed-address-pairs... It'd be an extra step when creating an LB node, but a pretty reasonable one I think, and we're already treating them differently from generic instances anyways... definitely food for thought. HAProxy rocks ! +1 * 100. :) Can you start it up with strace ?? Yep! https://gist.github.com/nathwill/ea52324867072183b695 So far, I still like the source 0.0.0.0 usesrc 10.240.36.13 solution the best, as it seems the most direct and easily understood. Fingers crossed the permissions issue is easily overcome. Cheers, Nathan W On Tue, Jul 14, 2015 at 2:58 PM Baptiste bed...@gmail.com wrote: As for details, it's advantageous for us for a couple of reasons... the realip module in nginx requires that you list trusted hosts which are permitted to set the X-Forwarded-For header before it will set the source address in the logs to the x-forwarded-for address. as a result, using anything other than the VIP means: Why not using proxy-protocol between HAProxy and nginx? http://blog.haproxy.com/haproxy/proxy-protocol/ So you can get rid of X-FF header limitation in nginx. (don't know if proxy-protocol implementation in nginx suffers from the same limitations). - not using the vip means we have to trust 3 addresses instead of 1 to set x-forwarded-for I disagree, it would be only 2: the 'real' IP addresses of the load-balancers only. - we have to update the list of allowed hosts on all of our backends any time we replace a load-balancer node. 
We're using config management, so it's automated, but that's still more changes than should ideally be necessary to replace a no-data node that we ideally can trash and replace at will. there is no 0.0.0.0 magic values neither subnet values accepted in nginx XFF module? If not, it deserves a patch ! - there's a lag between the time of a change(e.g. node replacement) and the next converge cycle of the config mgmt on the backends, so for some period the backend config will be out of sync, incorrectly trusting IP(s) that may now be associated with another host, or wrongly refusing to set the source ip to the x-forwarded-for address. this is problematic for us, since we have a highly-restricted internal environment, due to our business model (online learn-to-code school) being essentially running untrusted code as a service. Then instead of using a VIP, you can book 2 IPs in your subnet that could be used, whatever the LB is using. So you don't rely on the VIP, whatever the HAProxy box real IP, you configure
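The trust problem Nathan describes for X-Forwarded-For does not go away with the PROXY protocol that Baptiste suggests: the backend still has to decide which TCP peers are allowed to assert a client address, and that set is the load balancers' real source addresses. The block below is an added example, not code from the thread or from HAProxy or nginx, showing the PROXY protocol v1 header that HAProxy emits for a server configured with `send-proxy` and a backend-side parser that accepts it only from an allow-list of networks and rejects anything malformed. The addresses, the trusted network and the sample payload are constructed.

```python
"""PROXY protocol v1 between HAProxy and a backend such as nginx.

Added example.  build_v1() produces the line the sender puts in front of
the first payload byte; parse_v1() is the backend side, which must accept it
only from trusted load-balancer addresses, the same decision nginx's
real_ip module makes for X-Forwarded-For.  Addresses are constructed.
"""
import ipaddress

MAX_V1_LEN = 107   # longest possible v1 header, CRLF included


def build_v1(src, dst, sport, dport):
    """Header the sender (HAProxy with `send-proxy`) puts in front of the data."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("source and destination must be the same family")
    line = "PROXY %s %s %s %d %d\r\n" % ("TCP4" if s.version == 4 else "TCP6",
                                          s, d, sport, dport)
    if len(line) > MAX_V1_LEN:
        raise ValueError("header too long")
    return line.encode("ascii")


def parse_v1(data, peer_ip, trusted):
    """Backend side.  `data` is the first bytes read on the connection,
    `peer_ip` the TCP peer that sent them and `trusted` the networks allowed
    to assert a client address.  Returns the client address and the payload
    that follows the header.  PermissionError for an untrusted peer,
    ValueError for a malformed header."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n, strict=False) for n in trusted):
        raise PermissionError("PROXY header from untrusted peer %s" % peer)
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if end < 0:
        raise ValueError("no CRLF within %d bytes" % MAX_V1_LEN)
    fields = data[:end].decode("ascii", "strict").split(" ")
    if fields[0] != "PROXY":
        raise ValueError("missing PROXY signature")
    rest = data[end + 2:]
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        # Sender could not determine the original address: the receiver
        # falls back to the TCP peer instead of failing the connection.
        return {"family": "UNKNOWN", "src_ip": None, "src_port": None,
                "dst_ip": None, "dst_port": None, "rest": rest}
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY line: %r" % data[:end])
    want = 4 if fields[1] == "TCP4" else 6
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match %s" % fields[1])
    ports = []
    for p in fields[4:6]:
        if not p.isdigit() or not 0 <= int(p) <= 65535:
            raise ValueError("bad port %r" % p)
        ports.append(int(p))
    return {"family": fields[1], "src_ip": str(src), "src_port": ports[0],
            "dst_ip": str(dst), "dst_port": ports[1], "rest": rest}


def accept(data, peer_ip, trusted):
    """(result, None) when the header is usable, (None, reason) otherwise."""
    try:
        return parse_v1(data, peer_ip, trusted), None
    except (PermissionError, ValueError, UnicodeDecodeError) as exc:
        return None, str(exc)


if __name__ == "__main__":
    # Constructed: client 203.0.113.7 reaching the LB's real address 10.240.36.13.
    header = build_v1("203.0.113.7", "10.240.36.13", 51234, 443)
    print(accept(header + b"GET / HTTP/1.1\r\n", "10.240.36.13", ["10.240.36.0/24"]))
    print(accept(header, "192.0.2.9", ["10.240.36.0/24"]))
```

The allow-list is per network rather than per host, which is the knob Nathan was missing in nginx's XFF handling: replacing a load-balancer node inside the trusted range needs no change on the backends, while a connection from outside that range that begins with a PROXY line is refused rather than trusted.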
1.6-dev2 crashes with certain server hostname
Hi all, this malloc crash occurs with and only with a certain hostname of one of my backends being added to the config. See redirector.domain.tld in the config below. Since this is a production server I had to mask the hostname. As a hint: the hostname does not contain any special characters, just alphabetic a-z characters. Interestingly, if I change only a single letter anywhere in the hostname it doesn't crash anymore. Neither does it crash if I use its IP instead of the hostname. How strange is that!? Also, I am using the same config with 1.5 stable without any problems. The info:

=== Running Haproxy 1.6-dev2 ===

root@master:/# haproxy -d -f /etc/haproxy/haproxy-test.conf
haproxy: malloc.c:3096: sYSMALLOc: Assertion `(old_top == (((mbinptr) (((char *) ((av)-bins[((1) - 1) * 2])) - __builtin_offsetof (struct malloc_chunk, fd old_size == 0) || ((unsigned long) (old_size) = (unsigned long)__builtin_offsetof (struct malloc_chunk, fd_nextsize))+((2 * (sizeof(size_t))) - 1)) ~((2 * (sizeof(size_t))) - 1))) ((old_top)-size 0x1) ((unsigned long)old_end pagemask) == 0)' failed.
Aborted (core dumped) === Verbose info === root@master:/# haproxy -vv HA-Proxy version 1.6-dev2-ad90f0d 2015/06/17 Copyright 2000-2015 Willy Tarreau wi...@haproxy.org Build options : TARGET = linux2628 CPU = generic CC = gcc CFLAGS = -g -O0 OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1 Default settings : maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200 Encrypted password support via crypt(3): yes Built with zlib version : 1.2.7 Compression algorithms supported : identity(identity), deflate(deflate), raw-deflate(deflate), gzip(gzip) Built with OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013 Running on OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013 OpenSSL library supports TLS extensions : yes OpenSSL library supports SNI : yes OpenSSL library supports prefer-server-ciphers : yes Built with PCRE version : 8.30 2012-02-04 PCRE library supports JIT : no (USE_PCRE_JIT not set) Built without Lua support Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND Available polling systems : epoll : pref=300, test result OK poll : pref=200, test result OK select : pref=150, test result OK Total: 3 (3 usable), will use epoll. === Core dump debug === root@master:/# gdb haproxy GNU gdb (GDB) 7.4.1-debian Copyright (C) 2012 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type show copying and show warranty for details. This GDB was configured as x86_64-linux-gnu. For bug reporting instructions, please see: http://www.gnu.org/software/gdb/bugs/... Reading symbols from /usr/sbin/haproxy...done. (gdb) core-file core [New LWP 14246] warning: Can't read pathname for load map: Input/output error. Core was generated by `haproxy -d -f /etc/haproxy/haproxy-test.conf'. Program terminated with signal 6, Aborted. 
#0 0x7faa0ea02165 in raise () from /lib/x86_64-linux-gnu/libc.so.6 (gdb) bt full #0 0x7faa0ea02165 in raise () from /lib/x86_64-linux-gnu/libc.so.6 No symbol table info available. #1 0x7faa0ea053e0 in abort () from /lib/x86_64-linux-gnu/libc.so.6 No symbol table info available. #2 0x7faa0ea45dea in ?? () from /lib/x86_64-linux-gnu/libc.so.6 No symbol table info available. #3 0x7faa0ea48d13 in ?? () from /lib/x86_64-linux-gnu/libc.so.6 No symbol table info available. #4 0x7faa0ea4aa70 in malloc () from /lib/x86_64-linux-gnu/libc.so.6 No symbol table info available. #5 0x004c3398 in pool_refill_alloc (pool=0xcc65d0, avail=2) at src/memory.c:102 ptr = 0x0 failed = 0 #6 0x00411da5 in init_buffer () at src/buffer.c:54 buffer = 0xcc6550 #7 0x00408cb3 in init (argc=0, argv=0x7ffe8fb141f8) at src/haproxy.c:818 arg_mode = 1 tmp = 0x0 cfg_pidfile = 0x0 err_code = 0 wl = 0x720a40 progname = 0x7ffe8fb14931 haproxy change_dir = 0x0 curtime = {tm_sec = 29, tm_min = 39, tm_hour = 23, tm_mday = 15, tm_mon = 6, tm_year = 115, tm_wday = 3, tm_yday = 195, tm_isdst = 0, tm_gmtoff = 0, tm_zone = 0xcc57b0 UTC} #8 0x0040b0e2 in main (argc=4, argv=0x7ffe8fb141d8) at src/haproxy.c:1657 err = 0 retry = 4224192 limit = {rlim_cur = 140731309179056, rlim_max = 13339168} errmsg = \260@\261\217\376\177\000\000\340\374q\000\000\000\000\000\004\000\000\000\000\000\000\000U*\245\017\252\177\000\000\020\227\313\000\000\000\000\000\000\227\313\000\000\000\000\000\350\003\000\000\000\000\000\000\060,
Re: Mailer does not work
unsubscribe

2015-07-15 9:17 GMT-03:00 mlist ml...@apsystems.it:

We took a tcpdump. Following the TCP traffic we can see each step. Reproducing it manually, the mail was sent. Probably HAProxy's SMTP communication has an error at the final stage, CRLF.CRLF, as up to that point all goes right. Below is the manual communication with the mail server, reproducing the SMTP command sequence from the tcpdump.

EHLO smtp1
250-MAIL1 Hello [192.168.1.x]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH
250-8BITMIME
250-XEXCH50
250 XSHADOW
MAIL FROM:loadbha1@domain
250 2.1.0 Sender OK
RCPT TO:alerts@domain
250 2.1.5 Recipient OK
DATA
354 Start mail input; end with CRLF.CRLF
From: loadbha1@domain
To: alerts@domain
Date: Wed, 15 Jul 2015 12:50:48 +0200 (CEST)
Subject: [HAproxy Alert] Server backend/webhost1 is DOWN, reason: Layer4 timeout, check duration: 5002ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue

Server backend/webhost1 is DOWN, reason: Layer4 timeout, check duration: 5002ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue
.
250 2.6.0 7c4f8f74-8d6b-446e-a504-e7a45fc58baf@MAIL [InternalId=293812] Queued mail for delivery

Entering all these commands manually, we correctly receive the email.

Dr. Roberto Cazzato
ICT and Security Division
Senior IT Designer
gsm +39 348 22 00 850
A.P. SYSTEMS s.r.l.
20013 Magenta (Milano) Via Milano 89/91 (ang. Via Cimarosa) Italy - www.apsystems.it
tel. +39 02 97226.1 - fax 02 97226.339

-Original Message-
From: Baptiste [mailto:bed...@gmail.com]
Sent: Wednesday, 15 July 2015 12.01
To: mlist
Cc: haproxy@formilux.org
Subject: Re: Mailer does not work

On Wed, Jul 15, 2015 at 9:48 AM, mlist ml...@apsystems.it wrote:

We compiled from source haproxy-1.6-dev2.tar.gz. The new Mailers mechanism does not seem to work; we configured it as in the manual:

mailers apsmailer1
mailer smtp1 mailserver ip:10025
…
…
backend somebackend_https
mode http
balance roundrobin
…
email-alert mailers apsmailer1
email-alert from from mail
email-alert to to mail
email-alert level info
…

We see the server status change in haproxy.log:

Jul 15 09:42:00 localhost.localdomain haproxy[3342]: Server …/server1 is UP, reason: Layer4 check passed, check duration: 0ms. 2 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
Jul 15 09:42:00 localhost.localdomain haproxy[3342]: Server …/server1 is UP, reason: Layer6 check passed, check duration: 1ms. 2 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.

But no mail alerts are sent, and no error or warning is logged about sending mail. haproxy -f /etc/haproxy/haproxy.cfg -c does not return any error. All seems to be right, but mail alerts are not sent.

Roberto

Hi Roberto,

Could you please take a tcpdump on port 10025 and confirm HAProxy tries to get connected to the SMTP server?

Baptiste

--
Regards,
Jorge Severino
Personal mobile number: 08-7775834
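The check the poster was reasoning about, as an added example that is neither HAProxy's code nor from the thread: given the client half of a captured SMTP session (what a tcpdump follow-stream shows), it reports bare line endings, unexpected commands, and a DATA section not closed by exactly CRLF.CRLF. The sample streams are constructed, modelled on the manual session quoted above.

```python
# Commands a plain SMTP client such as HAProxy's mailer is expected to send.
SMTP_COMMANDS = {b"EHLO", b"HELO", b"MAIL", b"RCPT", b"DATA", b"RSET", b"QUIT"}

def check_smtp_client_stream(stream: bytes) -> list:
    """Return problems in the client half of a captured SMTP session: bare line
    endings, unknown commands, and a DATA section not closed by exact CRLF.CRLF."""
    problems = []
    in_data = False
    prev_crlf = True  # the "." line must itself follow a CRLF (RFC 5321 4.1.1.4)
    lines = stream.split(b"\n")
    if lines[-1] == b"":
        lines.pop()  # text after the last "\n" is empty, not an extra line
    else:
        problems.append("stream does not end with a line terminator")
    for number, raw in enumerate(lines, start=1):
        crlf = raw.endswith(b"\r")
        if not crlf:
            problems.append(f"line {number} is not CRLF-terminated")
        line = raw.rstrip(b"\r")
        if in_data:
            if line == b".":
                if not (crlf and prev_crlf):
                    problems.append(f"line {number}: DATA terminator is not exactly CRLF.CRLF")
                in_data = False
        else:
            verb = line.split(b":", 1)[0].split(b" ", 1)[0].upper()
            if verb not in SMTP_COMMANDS:
                problems.append(f"line {number}: unexpected command {verb!r}")
            in_data = verb == b"DATA"
        prev_crlf = crlf
    if in_data:
        problems.append("DATA section never terminated with CRLF.CRLF")
    return problems

# Constructed client-side stream, modelled on the manual session quoted above.
GOOD_STREAM = (
    b"EHLO smtp1\r\n"
    b"MAIL FROM:<loadbha1@domain>\r\n"
    b"RCPT TO:<alerts@domain>\r\n"
    b"DATA\r\n"
    b"From: loadbha1@domain\r\n"
    b"Subject: [HAproxy Alert] Server backend/webhost1 is DOWN\r\n"
    b"\r\n"
    b"Server backend/webhost1 is DOWN, reason: Layer4 timeout\r\n"
    b".\r\n"
    b"QUIT\r\n"
)
# Same stream with bare-LF line endings around the terminator, the suspected defect.
BAD_STREAM = GOOD_STREAM.replace(b"\r\n.\r\n", b"\n.\n")
```

Feed it the raw client bytes extracted from the capture; an empty list means the client side of the dialogue is well-formed and the cause lies elsewhere.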
unsubscribe
unsubscribe
Re: Rewrite cookie path cookie domain
Hi all, I have a problem rewriting the cookie path and cookie domain in HAProxy; I have an Nginx configuration but I want to move from Nginx to HAProxy for this proxy pass. This is the Nginx config I want to replace:

location /~xxx/ {
    proxy_cookie_domain ~.* .$site.it;
    proxy_cookie_path ~.* /~xxx/;
    proxy_set_header Host $site.it;
    proxy_pass http://192.168.1.2/;
}

I need the same function as proxy_cookie_domain and proxy_cookie_path; I found this: http://blog.haproxy.com/2014/04/28/howto-write-apache-proxypass-rules-in-haproxy/ but it does not work for me. Now I can change the cookie path with:

rspirep ^(Set-Cookie:.*)\ path=(.*) \1\ path=/~xxx/

I need to add the domain as well, only if it exists, but with a dynamic hostname; I've tried with

acl hdr_set_cookie_domain_and_path res.hdr(Set-cookie) -m sub domain= res.hdr(Set-cookie) -m sub path=
rspirep ^(Set-Cookie:.*)\ path=(.*) \1\ path=/~xxx/;\ domain=%[hdr(Host)] if hdr_set_cookie_domain_and_path

But it does not work. Can anyone help me?

Tnx,
rr

2015-07-14 21:34 GMT+02:00 Baptiste bed...@gmail.com:

Please repost your question. I can't see it in my mail history.

Baptiste

On Tue, Jul 14, 2015 at 3:33 PM, rickytato rickytato rickyt...@r2consulting.it wrote:

Can anyone help me? Do I keep using Nginx?

2015-07-07 10:46 GMT+02:00 rickytato rickytato rickyt...@r2consulting.it:

1.5.12

2015-07-06 17:58 GMT+02:00 Aleksandar Lazic al-hapr...@none.at:

Dear rickytato rickytato.

On 06-07-2015 15:32, rickytato rickytato wrote:

Hi all, I have a problem rewriting the cookie path and cookie domain in HAProxy; I have an Nginx configuration but I want to move from Nginx to HAProxy for this proxy pass.

Which version of haproxy do you use? haproxy -vv ?

Cheers
Aleks
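The rewrite the poster is after, expressed as an added Python example rather than an HAProxy directive (it is not from the thread and not HAProxy's or Nginx's code): Path is always replaced, Domain is replaced only when the backend already sent one, attribute names are matched case-insensitively, and attributes after Path are kept. The sample headers and the host value are constructed.

```python
import re

# Attribute matchers; group 1 keeps the backend's own "; Path=" / "; Domain=" spelling.
_PATH_RE = re.compile(r"(;\s*path=)[^;]*", re.IGNORECASE)
_DOMAIN_RE = re.compile(r"(;\s*domain=)[^;]*", re.IGNORECASE)

def rewrite_set_cookie(header: str, new_path: str, new_domain: str) -> str:
    """Rewrite one response header the way proxy_cookie_path / proxy_cookie_domain do.

    Non-Set-Cookie headers come back untouched. A Path attribute is replaced by
    new_path; a Domain attribute is replaced by new_domain only when the backend
    sent one, since adding Domain would widen the cookie to every subdomain.
    Attributes after Path (HttpOnly, Secure, ...) are preserved.
    """
    name, sep, value = header.partition(":")
    if not sep or name.strip().lower() != "set-cookie":
        return header
    value = _PATH_RE.sub(lambda m: m.group(1) + new_path, value, count=1)
    value = _DOMAIN_RE.sub(lambda m: m.group(1) + new_domain, value, count=1)
    return name + sep + value

def rewrite_response_headers(headers, request_host: str, new_path: str) -> list:
    """Rewrite every Set-Cookie in a response, deriving the Domain from the
    request's Host header with any :port removed (IPv6 literals not handled)."""
    domain = request_host.split(":", 1)[0]
    return [rewrite_set_cookie(h, new_path, domain) for h in headers]

# Constructed backend response headers (not taken from the original post).
SAMPLE_HEADERS = [
    "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly",
    "Set-Cookie: session=xyz; Domain=192.168.1.2; Path=/app; Secure",
    "Set-Cookie: pref=1",  # no Path and no Domain: nothing to rewrite
    "Content-Type: text/html",
]

if __name__ == "__main__":
    for h in rewrite_response_headers(SAMPLE_HEADERS, "site.it:8443", "/~xxx/"):
        print(h)
```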