Re: haproxy can't bind to mysql port
    By run I meant you have to start it as root user which you are doing anyway. Can you run:
    # nc -l -p 80
    as root just to confirm you can bind to port 80?

If I stop haproxy and run that command this is what I get:

    [root@ha1:~] #nc -l -p 80
    POST /index.php?title=Special%3ARunJobstasks=jobsmaxjobs=1sigexpiry=1437841644signature=2f2d2dbd28afbc4ecf7e1f59708ff018a30427a9 HTTP/1.1
    Host: wiki.example.com
    Connection: Close
    Content-Length: 0

Odd, since haproxy isn't running currently.

On Sat, Jul 25, 2015 at 12:07 PM, Igor Cicimov ig...@encompasscorporation.com wrote:

By run I meant you have to start it as root user which you are doing anyway. Can you run:

    # nc -l -p 80

as root just to confirm you can bind to port 80?

On 25/07/2015 2:10 PM, Igor Cicimov ig...@encompasscorporation.com wrote:

You need to run haproxy as root to bind to ports lower than 1024

On 25/07/2015 1:36 PM, Tim Dunphy bluethu...@gmail.com wrote:

Hi Yuan,

    Nice. Do you use selinux in prod. regards, ; Yuan

Yep! Actually I use it every chance I get. Prod/stage/dev and my own hobby environments. And right now actually what I was discussing was a hobby environment.

And actually if I could bother you guys one more time, I do have one more issue to solve. LOL

And this time it's guaranteed not to be an SELinux issue. Because I tried running haproxy with SELinux on and off this time. But what's happening now, is that HA/Proxy is not creating the http port for the 'stats' interface. I've setup stats to listen on port 80. But for some reason that's not happening.

Here's my config one more time, with the trouble part in bold:

    global
        log 127.0.0.1 local0 notice
        user haproxy
        group haproxy

    defaults
        log global
        retries 2
        timeout connect 3000
        timeout server 5000
        timeout client 5000

    listen mysql-cluster
        bind 0.0.0.0:3306
        mode tcp
        option mysql-check user haproxy_check
        balance roundrobin
        server mysql-1 52.3.28.48:3306 check
        server mysql-2 52.2.0.176:3306 check

    *listen 0.0.0.0:80
        mode http
        stats enable
        stats uri /
        stats realm Strictly\ Private
        stats auth admin:secret*

Currently haproxy is listening on the first port specified *- 3306 -* but not listening on port 80. Observe:

    [root@ha1:/etc/haproxy] #lsof -i :3306
    COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    *haproxy 11653 haproxy 4u IPv4 7145270 0t0 TCP *:mysql (LISTEN)*
    [root@ha1:/etc/haproxy] #lsof -i :80
    [root@ha1:/etc/haproxy] #
    [root@ha1:/etc/haproxy] #telnet localhost 80
    Trying 127.0.0.1...
    telnet: connect to address 127.0.0.1: Connection refused

Port 80 simply isn't listening. And this time, I can't blame it on SELinux being on:

    [root@ha1:/etc/haproxy] #getenforce
    Permissive

I've grepped thru /var/log/messages but not turned up any clues to this one. And I really would like to get the stats interface up and running. Any thoughts here? I'm wondering what I can do to get stats working.

Thanks,
Tim

On Fri, Jul 24, 2015 at 10:52 PM, Gmail longwuy...@gmail.com wrote:

Nice. Do you use selinux in prod.

regards, ; Yuan

On 07/25/2015 09:17 AM, Tim Dunphy wrote:

Bingo!!! The problem was with SELinux. Not sure what took me so long to think of it...!!!

So set the mysql listener back to port 3306. Turned off SELinux with setenforce 0. Then it started right up!!! And port 3306 was listening.

Then I consulted with audit2why and saw the following:

    type=AVC msg=audit(1437786617.963:28856863): avc: denied { name_connect } for pid=29175 comm=haproxy dest=3306 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket

    Was caused by:
    The boolean haproxy_connect_any was set incorrectly.
    Description:
    Allow haproxy to connect any

    Allow access by executing:
    # *setsebool -P haproxy_connect_any 1*

I just ran that command you see above in bold, and then all was right with the world.

    [root@ha1:/etc/haproxy] #systemctl status haproxy
    haproxy.service - HAProxy Load Balancer
       Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled)
       Active: active (running) since Sat 2015-07-25 01:14:53 UTC; 33s ago
     Main PID: 30618 (haproxy-systemd)
       CGroup: /system.slice/haproxy.service
               ├─30618 /usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
               ├─30619 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds
               └─30620 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds

    Jul 25 01:14:53 ha1 systemd[1]: Starting HAProxy Load Balancer...
    Jul 25 01:14:53 ha1 systemd[1]: Started HAProxy Load Balancer.
    Jul 25 01:14:53 ha1 haproxy-systemd-wrapper[30618]: haproxy-systemd-wrapper: executing /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds
Re: haproxy can't bind to mysql port
By run I meant you have to start it as root user which you are doing anyway. Can you run:

    # nc -l -p 80

as root just to confirm you can bind to port 80?

On 25/07/2015 2:10 PM, Igor Cicimov ig...@encompasscorporation.com wrote:

You need to run haproxy as root to bind to ports lower than 1024

On 25/07/2015 1:36 PM, Tim Dunphy bluethu...@gmail.com wrote:

Hi Yuan,

    Nice. Do you use selinux in prod. regards, ; Yuan

Yep! Actually I use it every chance I get. Prod/stage/dev and my own hobby environments. And right now actually what I was discussing was a hobby environment.

And actually if I could bother you guys one more time, I do have one more issue to solve. LOL

And this time it's guaranteed not to be an SELinux issue. Because I tried running haproxy with SELinux on and off this time. But what's happening now, is that HA/Proxy is not creating the http port for the 'stats' interface. I've setup stats to listen on port 80. But for some reason that's not happening.

Here's my config one more time, with the trouble part in bold:

    global
        log 127.0.0.1 local0 notice
        user haproxy
        group haproxy

    defaults
        log global
        retries 2
        timeout connect 3000
        timeout server 5000
        timeout client 5000

    listen mysql-cluster
        bind 0.0.0.0:3306
        mode tcp
        option mysql-check user haproxy_check
        balance roundrobin
        server mysql-1 52.3.28.48:3306 check
        server mysql-2 52.2.0.176:3306 check

    *listen 0.0.0.0:80
        mode http
        stats enable
        stats uri /
        stats realm Strictly\ Private
        stats auth admin:secret*

Currently haproxy is listening on the first port specified *- 3306 -* but not listening on port 80. Observe:

    [root@ha1:/etc/haproxy] #lsof -i :3306
    COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    *haproxy 11653 haproxy 4u IPv4 7145270 0t0 TCP *:mysql (LISTEN)*
    [root@ha1:/etc/haproxy] #lsof -i :80
    [root@ha1:/etc/haproxy] #
    [root@ha1:/etc/haproxy] #telnet localhost 80
    Trying 127.0.0.1...
    telnet: connect to address 127.0.0.1: Connection refused

Port 80 simply isn't listening. And this time, I can't blame it on SELinux being on:

    [root@ha1:/etc/haproxy] #getenforce
    Permissive

I've grepped thru /var/log/messages but not turned up any clues to this one. And I really would like to get the stats interface up and running. Any thoughts here? I'm wondering what I can do to get stats working.

Thanks,
Tim

On Fri, Jul 24, 2015 at 10:52 PM, Gmail longwuy...@gmail.com wrote:

Nice. Do you use selinux in prod.

regards, ; Yuan

On 07/25/2015 09:17 AM, Tim Dunphy wrote:

Bingo!!! The problem was with SELinux. Not sure what took me so long to think of it...!!!

So set the mysql listener back to port 3306. Turned off SELinux with setenforce 0. Then it started right up!!! And port 3306 was listening.

Then I consulted with audit2why and saw the following:

    type=AVC msg=audit(1437786617.963:28856863): avc: denied { name_connect } for pid=29175 comm=haproxy dest=3306 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket

    Was caused by:
    The boolean haproxy_connect_any was set incorrectly.
    Description:
    Allow haproxy to connect any

    Allow access by executing:
    # *setsebool -P haproxy_connect_any 1*

I just ran that command you see above in bold, and then all was right with the world.

    [root@ha1:/etc/haproxy] #systemctl status haproxy
    haproxy.service - HAProxy Load Balancer
       Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled)
       Active: active (running) since Sat 2015-07-25 01:14:53 UTC; 33s ago
     Main PID: 30618 (haproxy-systemd)
       CGroup: /system.slice/haproxy.service
               ├─30618 /usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
               ├─30619 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds
               └─30620 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds

    Jul 25 01:14:53 ha1 systemd[1]: Starting HAProxy Load Balancer...
    Jul 25 01:14:53 ha1 systemd[1]: Started HAProxy Load Balancer.
    Jul 25 01:14:53 ha1 haproxy-systemd-wrapper[30618]: haproxy-systemd-wrapper: executing /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds

    [root@ha1:/etc/haproxy] #lsof -i :3306
    COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    haproxy 30620 haproxy 1u IPv4 7075172 0t0 TCP ha1.example.com:55499->ec2-52-2-0-xxx.compute-1.amazonaws.com:mysql (SYN_SENT)
    haproxy 30620 haproxy 4u IPv4 7074731 0t0 TCP *:mysql (LISTEN)

Thanks for nudging me in the right direction. All I had to hear was the word 'selinux' and from there it all fell into place!

Thanks!!
Tim

On Fri, Jul 24, 2015 at 8:20 PM, Gmail longwuy...@gmail.com wrote:

I could be completely wrong here and I am curious to know the answer
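
The denial quoted in this thread names one access (haproxy_t doing name_connect to mysqld_port_t), while the boolean audit2why proposed is described as letting haproxy connect to any port. As an added example, not code from the thread, the following Python groups AVC denials and derives the narrow type-enforcement rule for each group so the two remedies can be compared; record 1 of the sample log is the one from the thread, records 2 to 4 are constructed.

```python
import re
from collections import defaultdict

# Record 1 is the denial quoted in the thread. Records 2-4 are constructed
# for this example: a repeat of the same denial, a non-AVC record that must
# be ignored, and a connect to a second (made-up) backend on port 8080.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1437786617.963:28856863): avc: denied { name_connect } for pid=29175 comm=haproxy dest=3306 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1437786619.101:28856870): avc:  denied  { name_connect } for  pid=29175 comm="haproxy" dest=3306 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1437786619.101:28856870): arch=c000003e syscall=42 success=no exit=-13 comm="haproxy" exe="/usr/sbin/haproxy"
type=AVC msg=audit(1437786700.500:28856901): avc:  denied  { name_connect } for  pid=29175 comm="haproxy" dest=8080 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
"""

DENIED = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    match = DENIED.search(line)
    if not line.startswith("type=AVC") or not match:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    try:
        return {
            "perms": match.group(1).split(),
            # An SELinux context is user:role:type:level; keep the type.
            "source": fields["scontext"].split(":")[2],
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "dest": fields.get("dest"),
        }
    except (KeyError, IndexError):
        return None  # truncated or malformed record


def summarize(log_text):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "ports": set(), "count": 0})
    for line in log_text.splitlines():
        rec = parse_avc(line.strip())
        if rec is None:
            continue
        group = groups[(rec["source"], rec["target"], rec["tclass"])]
        group["perms"].update(rec["perms"])
        group["count"] += 1
        if rec["dest"]:
            group["ports"].add(int(rec["dest"]))
    return dict(groups)


def te_rules(groups):
    """One 'allow' rule per group, covering only what was actually denied."""
    rules = []
    for (source, target, tclass), group in sorted(groups.items()):
        perms = sorted(group["perms"])
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {source} {target}:{tclass} {perm_text};")
    return rules


if __name__ == "__main__":
    grouped = summarize(SAMPLE_AUDIT_LOG)
    for key, group in sorted(grouped.items()):
        print(key, "denials:", group["count"], "ports:", sorted(group["ports"]))
    print("\n".join(te_rules(grouped)))
```

Each derived rule names a single port type, so a review can see exactly which backends the proxy domain is being allowed to reach.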
Re: haproxy can't bind to mysql port
Also, lsof output shows PID = 11653 and the user/owner/launcher of the process = haproxy.

cheers, ; Yuan

On 07/26/2015 12:13 AM, Gmail wrote:

I am uncertain about syntax but the diff is appname of sorts for the port 80 listener. Someone may comment with more details ;

    Earlier = *listen 0.0.0.0:80 [ no app name string ]
    Now = listen jokefire 0.0.0.0:80 [ app name == jokefire and also no asterisk visible ]

Maybe attempt restart without any appname and also with/without that asterisk. Deep dives need more awareness. Glad all settled.

Cheers, ; Yuan

On 07/25/2015 11:51 PM, Tim Dunphy wrote:

Yuan,

    maybe something here http://lnxmon.com/haproxy/ Thanks, ; Yuan

I modified a config from your blog that you showed me and came up with this:

    global
        log 127.0.0.1 local0 notice
        maxconn 2000
        user haproxy
        group haproxy

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        retries 3
        option redispatch
        timeout connect 5000
        timeout client 1
        timeout server 1

    listen jokefire 0.0.0.0:80
        mode http
        stats enable
        stats uri /haproxy?stats
        stats realm Strictly\ Private
        stats auth admin:secret
        balance roundrobin
        option httpclose
        option forwardfor
        server varnish1 10.10.10.5:80 check
        server varnish2 10.10.10.6:80 check

    listen mysql-cluster
        bind 0.0.0.0:3306
        mode tcp
        balance roundrobin
        maxconn 5200
        option mysql-check user haproxy_root
        server mysql-1 10.10.10.7:3306 check
        server mysql-2 10.10.10.8:3306 check

And that seemed to work. I can see that both ports are listening now:

    [root@ha1:/etc/haproxy] #lsof -i :80 -i :3306
    COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    haproxy 27136 haproxy 4u IPv4 7563913 0t0 TCP *:http (LISTEN)
    haproxy 27136 haproxy 6u IPv4 7563915 0t0 TCP *:mysql (LISTEN)

Although I am not aware of what the real difference between this and my previous config that allows this to work is. Not a huge issue at this point since it's working. But if anyone wants to take a stab at this, be my guest!
Re: haproxy can't bind to mysql port
    You need to run haproxy as root to bind to ports lower than 1024

I tried running haproxy as root/root:

    [root@ha1:/etc/haproxy] #egrep user|group haproxy.cfg| grep -v option
    user root
    group root

Then restarted the service. No difference!

    [root@ha1:/etc/haproxy] #systemctl restart haproxy
    [root@ha1:/etc/haproxy] #lsof -i :80
    [root@ha1:/etc/haproxy] #getenforce
    Permissive

Thanks for the suggestion anyway!

On Sat, Jul 25, 2015 at 12:10 AM, Igor Cicimov ig...@encompasscorporation.com wrote:

You need to run haproxy as root to bind to ports lower than 1024

On 25/07/2015 1:36 PM, Tim Dunphy bluethu...@gmail.com wrote:

Hi Yuan,

    Nice. Do you use selinux in prod. regards, ; Yuan

Yep! Actually I use it every chance I get. Prod/stage/dev and my own hobby environments. And right now actually what I was discussing was a hobby environment.

And actually if I could bother you guys one more time, I do have one more issue to solve. LOL

And this time it's guaranteed not to be an SELinux issue. Because I tried running haproxy with SELinux on and off this time. But what's happening now, is that HA/Proxy is not creating the http port for the 'stats' interface. I've setup stats to listen on port 80. But for some reason that's not happening.

Here's my config one more time, with the trouble part in bold:

    global
        log 127.0.0.1 local0 notice
        user haproxy
        group haproxy

    defaults
        log global
        retries 2
        timeout connect 3000
        timeout server 5000
        timeout client 5000

    listen mysql-cluster
        bind 0.0.0.0:3306
        mode tcp
        option mysql-check user haproxy_check
        balance roundrobin
        server mysql-1 52.3.28.48:3306 check
        server mysql-2 52.2.0.176:3306 check

    *listen 0.0.0.0:80
        mode http
        stats enable
        stats uri /
        stats realm Strictly\ Private
        stats auth admin:secret*

Currently haproxy is listening on the first port specified *- 3306 -* but not listening on port 80.
Re: haproxy can't bind to mysql port
Yuan,

    maybe something here http://lnxmon.com/haproxy/ Thanks, ; Yuan

I modified a config from your blog that you showed me and came up with this:

    global
        log 127.0.0.1 local0 notice
        maxconn 2000
        user haproxy
        group haproxy

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        retries 3
        option redispatch
        timeout connect 5000
        timeout client 1
        timeout server 1

    listen jokefire 0.0.0.0:80
        mode http
        stats enable
        stats uri /haproxy?stats
        stats realm Strictly\ Private
        stats auth admin:secret
        balance roundrobin
        option httpclose
        option forwardfor
        server varnish1 10.10.10.5:80 check
        server varnish2 10.10.10.6:80 check

    listen mysql-cluster
        bind 0.0.0.0:3306
        mode tcp
        balance roundrobin
        maxconn 5200
        option mysql-check user haproxy_root
        server mysql-1 10.10.10.7:3306 check
        server mysql-2 10.10.10.8:3306 check

And that seemed to work. I can see that both ports are listening now:

    [root@ha1:/etc/haproxy] #lsof -i :80 -i :3306
    COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    haproxy 27136 haproxy 4u IPv4 7563913 0t0 TCP *:http (LISTEN)
    haproxy 27136 haproxy 6u IPv4 7563915 0t0 TCP *:mysql (LISTEN)

Although I am not aware of what the real difference between this and my previous config that allows this to work is. Not a huge issue at this point since it's working. But if anyone wants to take a stab at this, be my guest!

Thanks,
Tim

On Sat, Jul 25, 2015 at 12:15 AM, Gmail longwuy...@gmail.com wrote:

maybe something here http://lnxmon.com/haproxy/

Thanks, ; Yuan

On 07/25/2015 12:10 PM, Igor Cicimov wrote:

You need to run haproxy as root to bind to ports lower than 1024

On 25/07/2015 1:36 PM, Tim Dunphy bluethu...@gmail.com wrote:

Hi Yuan,

    Nice. Do you use selinux in prod. regards, ; Yuan

Yep! Actually I use it every chance I get. Prod/stage/dev and my own hobby environments. And right now actually what I was discussing was a hobby environment.

And actually if I could bother you guys one more time, I do have one more issue to solve.
Re: haproxy can't bind to mysql port
I am uncertain about syntax but the diff is appname of sorts for the port 80 listener. Someone may comment with more details ;

    Earlier = *listen 0.0.0.0:80 [ no app name string ]
    Now = listen jokefire 0.0.0.0:80 [ app name == jokefire and also no asterisk visible ]

Maybe attempt restart without any appname and also with/without that asterisk. Deep dives need more awareness. Glad all settled.

Cheers, ; Yuan

On 07/25/2015 11:51 PM, Tim Dunphy wrote:

Yuan,

    maybe something here http://lnxmon.com/haproxy/ Thanks, ; Yuan

I modified a config from your blog that you showed me and came up with this:

    global
        log 127.0.0.1 local0 notice
        maxconn 2000
        user haproxy
        group haproxy

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        retries 3
        option redispatch
        timeout connect 5000
        timeout client 1
        timeout server 1

    listen jokefire 0.0.0.0:80
        mode http
        stats enable
        stats uri /haproxy?stats
        stats realm Strictly\ Private
        stats auth admin:secret
        balance roundrobin
        option httpclose
        option forwardfor
        server varnish1 10.10.10.5:80 check
        server varnish2 10.10.10.6:80 check

    listen mysql-cluster
        bind 0.0.0.0:3306
        mode tcp
        balance roundrobin
        maxconn 5200
        option mysql-check user haproxy_root
        server mysql-1 10.10.10.7:3306 check
        server mysql-2 10.10.10.8:3306 check

And that seemed to work. I can see that both ports are listening now:

    [root@ha1:/etc/haproxy] #lsof -i :80 -i :3306
    COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    haproxy 27136 haproxy 4u IPv4 7563913 0t0 TCP *:http (LISTEN)
    haproxy 27136 haproxy 6u IPv4 7563915 0t0 TCP *:mysql (LISTEN)

Although I am not aware of what the real difference between this and my previous config that allows this to work is. Not a huge issue at this point since it's working. But if anyone wants to take a stab at this, be my guest!
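
The difference Yuan points at matters because HAProxy's `listen` keyword takes the section name as its first argument, so in the first config `0.0.0.0:80` sat in the name position and the section had no `bind` line. As an added example, not code from the thread or from the HAProxy project, this Python check flags client-facing sections with no listening address and `stats auth` served without TLS; it assumes, as the working config in the thread relies on, that an address written after the name counts as a listener, and both sample configs are constructed from the ones quoted above.

```python
import re

FRONT_KINDS = {"listen", "frontend"}   # sections that accept client connections
SECTION_KINDS = FRONT_KINDS | {"global", "defaults", "backend"}
# [address]:port with an IPv4, '*', empty or bracketed IPv6 host part.
# Host names are deliberately not matched, to avoid flagging ordinary names.
ADDR_PORT = re.compile(r"^(?:\*|\[[0-9A-Fa-f:.]*\]|[0-9.]*):\d+$")

# Constructed from the first (non-working) config in the thread.
BROKEN_CFG = r"""
listen mysql-cluster
    bind 0.0.0.0:3306
    mode tcp
    server mysql-1 52.3.28.48:3306 check
listen 0.0.0.0:80
    mode http
    stats enable
    stats uri /
    stats realm Strictly\ Private
    stats auth admin:secret
"""

# Constructed from the second (working) config in the thread.
WORKING_CFG = r"""
listen jokefire 0.0.0.0:80
    mode http
    stats enable
    stats uri /haproxy?stats
    stats realm Strictly\ Private
    stats auth admin:secret
listen mysql-cluster
    bind 0.0.0.0:3306
    mode tcp
"""


def tokenize(line):
    """Split on unescaped whitespace and drop '#' comments."""
    line = re.sub(r"(?<!\\)#.*", "", line)
    return re.findall(r"(?:\\.|\S)+", line)


def parse_sections(cfg_text):
    """Return sections as dicts: kind, name, inline args, body token lists."""
    sections, current = [], None
    for raw in cfg_text.splitlines():
        toks = tokenize(raw)
        if not toks:
            continue
        if toks[0] in SECTION_KINDS:
            current = {"kind": toks[0],
                       "name": toks[1] if len(toks) > 1 else "",
                       "inline": toks[2:], "body": []}
            sections.append(current)
        elif current is not None:
            current["body"].append(toks)
    return sections


def lint(cfg_text):
    """Return (section name, finding code, detail) tuples."""
    findings = []
    for sec in parse_sections(cfg_text):
        if sec["kind"] not in FRONT_KINDS:
            continue
        # Listeners: 'bind' lines plus a legacy address after the name.
        listeners = [t[1:] for t in sec["body"] if t[0] == "bind" and len(t) > 1]
        listeners += [[a] for a in sec["inline"] if ADDR_PORT.match(a)]
        if not listeners:
            detail = "section has no address to listen on"
            if ADDR_PORT.match(sec["name"]):
                detail += "; '%s' was taken as the section name" % sec["name"]
            findings.append((sec["name"], "no-listener", detail))
            continue
        has_auth = any(t[:2] == ["stats", "auth"] for t in sec["body"])
        plain = [l[0] for l in listeners if "ssl" not in l[1:]]
        if has_auth and plain:
            findings.append((sec["name"], "stats-auth-cleartext",
                             "stats credentials cross the wire unencrypted on "
                             + ", ".join(plain)))
    return findings


if __name__ == "__main__":
    for label, cfg in (("first config", BROKEN_CFG), ("second config", WORKING_CFG)):
        for name, code, detail in lint(cfg):
            print(f"{label}: [{code}] {name}: {detail}")
```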
RE: cookie prefix strange behavior
Hi Willy,

any news on the strange cookie behavior?

I also want to ask you about some haproxy configuration problems for which I could not find a solution, even searching hard on the Internet...

1. We want to redirect all non-HTTPS requests to HTTPS except some requests (e.g. path_beg based), but we want to have exceptions like this:

    If Request = http://dom1/(A) - backend1 (http)
    If Request = https://dom1/(A) - SSL Termination - backend1 (http)
    If Request = http://dom1/(NOT A) - Redirect SSL - SSL Termination - backend1 (http)
    If Request = https://dom1/(NOT A) - SSL Termination - backend1 (http)

   Is there a best practice for the configuration to avoid redundancy in the configuration file while having the best performance: 2 front-ends + 2 back-ends, 2 front-ends + 1 back-end, or 1 front-end + 1 back-end?

2. In a configuration like the one in point 1 (SSL termination with exceptions), is it a good solution to mix backend :80 with :443 servers without a risk of a redirection loop? Is there a flow chart of the haproxy request-response flow so that we can evaluate these configurations?

3. In haproxy.log I see only the client request. Is there a configuration to also see the backend server response, or is the only solution to use debugging to see all traffic? Also, I use haproxy -d on the command line to debug. Is there a method so that we do not need to stop the haproxy daemon and use the command line to do debugging, so we can debug changes on production haproxy?

4. What standard syntax does haproxy use for regular expressions (perl, POSIX)?

5. What about client certificates? I think haproxy can also do client certificate verification at SSL termination, is that so? What about client certificates if the backend server has to authenticate the client using its certificate: can haproxy manage this situation by passing client certificates to the backend server?

Thank you in advance.

Best Regards
Roberto

-Original Message-
From: Willy Tarreau [mailto:w...@1wt.eu]
Sent: Monday 20 July 2015 12.15
To: mlist
Cc: 'Baptiste'; haproxy@formilux.org
Subject: Re: cookie prefix strange behavior

On Mon, Jul 20, 2015 at 09:51:28AM +, mlist wrote:

Hi Willy

Hi Baptiste, as you can see using prefix or sticky table we found this invalid cookie problem.

- Why without haproxy in the middle we do not have this problem ? why a browser send an INVALID cookie ?

Because it learned it another way, maybe before you installed haproxy, maybe on a direct connection or anything.

I'm sure enough this is not the case. After we get this behavior, we cleaned all cookies. After some testing passing only by haproxy for these domain, we get the problem again, with Chrome and with IE.

OK, interesting.

- How we can match absence of prefix ? can be done directly by haproxy ?

I think haproxy should fix it, yes, otherwise it can continue this way forever. That said, it *will* break existing sessions, but if haproxy applies load balancing, such session will be broken as well. What version is this, 1.6-dev or 1.5 ?

What do you mean with: it *will* break existing sessions ? if we load balance web application with haproxy, session coming in must have a cookie inserted/prefixed by haproxy, I'm wrong ? if so any request with an Invalid cookie is INVALID :D so no session will be broken...

What I mean is that if the cookie is invalid, haproxy cannot use the cookie to decide what server to send the request to, so it will pick one server in the farm which is not necessarily the right one (in fact it has a (N-1)/N chance of picking a wrong one in a farm of N servers). That's why I think that haproxy should fix this when this happens. Most likely the problem is that once a wrong cookie flows from the client to the server, the server will not emit this cookie anymore so no prefixing will occur. For this reason I think that we should remove the invalid cookies from the requests when running in prefix mode.

In order to know exactly how the situation happened, you'll need to look through all the logs affecting the client which exhibited the problem. The cookie flags will indicate when the cookie was inserted/prefixed, present or valid/invalid etc... And maybe we'll find what produces this situation. It is also possible that the cookie is built by the application using javascript.

We compiled from source HA-Proxy version 1.6-dev2-25f4e3e 2015/07/10

OK thanks. Do you know if 1.5 also produces the same problem ? It could be a regression, though I don't remember that we ever touched that area recently.

Willy

--
This message has been scanned for viruses and dangerous content by MailScanner, and was found to be clean.