Re: REg: Connection field in HTTP header is set to close while sending to backend server

2015-08-07 Thread ilan
Hi Lukas,

Thank you for the response.
Yes, it is a new deployment.
I will check 1.5.

Regards,
Ilan

On Fri, Aug 7, 2015 at 6:42 PM, Lukas Tribus luky...@hotmail.com wrote:

  Hi Baptiste,
 
  Thank you very much for the response. That was quick.
 
  I tried enabling but got the following error,

 Looks like you're on haproxy 1.4. In your current configuration you are
 now using tunnel-mode.

 If this is a new deployment, I would recommend upgrading to haproxy
 1.5.


 Regards,

 Lukas




RE: REg: Connection field in HTTP header is set to close while sending to backend server

2015-08-07 Thread Lukas Tribus
 Hi Baptiste, 
 
 Thank you very much for the response. That was quick. 
 
 I tried enabling but got the following error, 

Looks like you're on haproxy 1.4. In your current configuration you are
now using tunnel-mode.

If this is a new deployment, I would recommend upgrading to haproxy
1.5.


Regards,

Lukas

  


getting transparent proxy to work.

2015-08-07 Thread Rich Vigorito
Hello, this is my first time using the mailing list. I have the following issue.


Followed steps to enable transparent proxy outlined here:

Howto transparent proxying and binding with HAProxy and ALOHA Load-Balancer | HAProxy Technologies - Aloha Load Balancer
http://blog.haproxy.com/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/


It will not load balance however w/ the following line added:


source 0.0.0.0 usesrc clientip

Here is all the relevant configuration and setup:


bash> lsmod | grep -i tproxy
 xt_TPROXY  17327  0
 nf_defrag_ipv6 34651  2 xt_socket,xt_TPROXY
 nf_defrag_ipv4 12729  3 xt_socket,xt_TPROXY,nf_conntrack_ipv4

bash> sudo sysctl -p
 vm.swappiness = 0
 net.ipv4.ip_nonlocal_bind = 1
 net.ipv4.ip_forward = 1

bash> sudo iptables -L -n -t mangle
 Chain PREROUTING (policy ACCEPT)
 target     prot opt source               destination
 DIVERT     tcp  --  0.0.0.0/0            0.0.0.0/0            socket
 [...]
 Chain DIVERT (1 references)
 target     prot opt source               destination
 MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK set 0x1
 ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

bash> ip rule show
 0: from all lookup local
 32762: from all fwmark 0x1 lookup 100
 32766: from all lookup main
 32767: from all lookup default

bash> ip route show table 100
 local default dev lo  scope host

#haproxy.cfg
frontend layer4-listener
 bind *:80  transparent
 bind *:443 transparent
 bind *:3306
 bind *:8080
 mode tcp
 option  tcplog
 http-request set-header X-Forwarded-Proto https if { ssl_fc }
 http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
 acl is_esp dst 10.10.130.79
 acl is_tls dst_port 443
 use_backend site_http if is_esp !is_tls
 use_backend site_https if is_esp is_tls
backend site_https
 mode tcp
 option tcpka
 option tcp-check
 #source 0.0.0.0 usesrc clientip ## load balancing only works when commented out
 server site_www1 www1.site.org:443  weight 1 check inter 2000 rise 2 fall 3
 server site_www2 www2.site.org:443  weight 1 check inter 2000 rise 2 fall 3

bash> haproxy -vv
 HA-Proxy version 1.5.4 2014/09/02
 Copyright 2000-2014 Willy Tarreau w...@1wt.eu
 Build options :
 TARGET  = linux2628
 CPU = generic
 CC  = gcc
 CFLAGS  = -O2 -g -fno-strict-aliasing
 OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

bash> uname -r
 3.10.0-229.4.2.el7.x86_64

Our network admin indicated the following:


  1.  A SYN packet from 10.10.130.31 (haproxy2) to 10.10.130.152 (site on web1)
  2.  A SYN-ACK packet from web1 back to haproxy2
  3.  A RST packet from haproxy2 to web1.?


Anyone able/willing to help and/or give insight into this issue?


Thanks


REg: Connection field in HTTP header is set to close while sending to backend server

2015-08-07 Thread ilan
Hi Support,

I configured haproxy to forward request to backend server.
I did packet capture between browser and haproxy and noticed that
connection field in HTTP header is set to keep-alive.

Then I did packet capture between haproxy and backend server,
I noticed that connection field in HTTP header is set to close.

Could you please tell why haproxy is changing connection field
to close when sending request to backend server.

I am new to web programming. Please apologize if I did not provide
enough information. Thanks for your help in advance.

Here is my haproxy configuration,

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
user haproxy
group haproxy
daemon

defaults
log global
mode http
option  httplog
option  dontlognull
contimeout 5000
clitimeout 5
srvtimeout 5
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http


listen appname 0.0.0.0:8002
mode http
stats enable
stats uri /haproxy?stats
stats realm Strictly\ Private
stats auth root:admin123
stats auth root:admin123
balance roundrobin
option httpclose
option forwardfor
server lamp1 127.0.0.1:8001

Regards,
Ilan



appending characters to a custom field without intervening spaces

2015-08-07 Thread Jose Nunez
Hi,

I need to express something similar to this:

http-request set-header X-REQUEST-START  t=%[Ts]%[ms]000

(to append three 0s at the end of the timestamp with milliseconds).

I have tried with other ways to append the three 0s at the end:

http-request set-header X-REQUEST-START  t=%Ts%[ms]\x30\x30\x30

and

http-request set-header X-REQUEST-START  t=%Ts%ms\x30\x30\x30

and no avail either.

Thanks for your help!

PS:
(The background of this question is something like:


https://docs.newrelic.com/docs/apm/other-features/request-queueing/configuring-request-queue-reporting#php


https://docs.newrelic.com/docs/apm/other-features/request-queueing/request-queue-server-configuration-examples#f5

where microseconds are needed as the value of this header)

This is version 1.5.14



Re: REg: Connection field in HTTP header is set to close while sending to backend server

2015-08-07 Thread ilan
Hi Baptiste,

Thank you very much for the response. That was quick.

I tried enabling but got the following error,

[ALERT] 218/182924 (17467) : parsing [/etc/haproxy/haproxy.cfg:13] :
unknown option 'http-keep-alive'.
[ALERT] 218/182924 (17467) : parsing [/etc/haproxy/haproxy.cfg:14] :
unknown option 'prefer-last-server'.
[ALERT] 218/182924 (17467) : Error(s) found in configuration file :
/etc/haproxy/haproxy.cfg
[ALERT] 218/182924 (17467) : Fatal errors found in configuration.

  [fail]


Looks like the default is keep-alive, so I just removed option httpclose
and things are working fine for me.

See below the config that produced the above error,

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
user haproxy
group haproxy
daemon

defaults
log global
mode http
option  httplog

option  http-keep-alive
option  prefer-last-server
option  dontlognull
contimeout 5000
clitimeout 5
srvtimeout 5
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http


listen appname 0.0.0.0:8002
mode http
stats enable
stats uri /haproxy?stats
stats realm Strictly\ Private
stats auth root:admin123
balance roundrobin
option forwardfor
server lamp1 127.0.0.1:8001

Thanks again for your quick help.

Regards,
Ilan

On Fri, Aug 7, 2015 at 5:52 PM, Baptiste bed...@gmail.com wrote:

 On Fri, Aug 7, 2015 at 1:25 PM, ilan ilan@gmail.com wrote:
  Hi Support,
 
  I configured haproxy to forward request to backend server.
  I did packet capture between browser and haproxy and noticed that
  connection field in HTTP header is set to keep-alive.
 
  Then I did packet capture between haproxy and backend server,
  I noticed that connection field in HTTP header is set to close.
 
  Could you please tell why haproxy is changing connection field
  to close when sending request to backend server.
 
  I am new to web programming. Please apologize if I did not provide
  enough information. Thanks for your help in advance.
 
  Here is my haproxy configuration,
 
  global
  log /dev/log local0
  log /dev/log local1 notice
  chroot /var/lib/haproxy
  user haproxy
  group haproxy
  daemon
 
  defaults
  log global
  mode http
  option  httplog
  option  dontlognull
  contimeout 5000
  clitimeout 5
  srvtimeout 5
  errorfile 400 /etc/haproxy/errors/400.http
  errorfile 403 /etc/haproxy/errors/403.http
  errorfile 408 /etc/haproxy/errors/408.http
  errorfile 500 /etc/haproxy/errors/500.http
  errorfile 502 /etc/haproxy/errors/502.http
  errorfile 503 /etc/haproxy/errors/503.http
  errorfile 504 /etc/haproxy/errors/504.http
 
 
  listen appname 0.0.0.0:8002
  mode http
  stats enable
  stats uri /haproxy?stats
  stats realm Strictly\ Private
  stats auth root:admin123
  stats auth root:admin123
  balance roundrobin
  option httpclose
  option forwardfor
  server lamp1 127.0.0.1:8001
 
  Regards,
  Ilan
 


 Hi Ilian

 You have this behavior because of option httpclose.
 Remove it and you'll have connection keep-alive.

 To make it clear, I would add an option http-keep-alive in the
 defaults section.
 And why not adding an option prefer-last-server, which may help
 keeping the connection alive despite the load-balancing algorithm.

 Baptiste



Re: REg: Connection field in HTTP header is set to close while sending to backend server

2015-08-07 Thread Baptiste
On Fri, Aug 7, 2015 at 1:25 PM, ilan ilan@gmail.com wrote:
 Hi Support,

 I configured haproxy to forward request to backend server.
 I did packet capture between browser and haproxy and noticed that
 connection field in HTTP header is set to keep-alive.

 Then I did packet capture between haproxy and backend server,
 I noticed that connection field in HTTP header is set to close.

 Could you please tell why haproxy is changing connection field
 to close when sending request to backend server.

 I am new to web programming. Please apologize if I did not provide
 enough information. Thanks for your help in advance.

 Here is my haproxy configuration,

 global
 log /dev/log local0
 log /dev/log local1 notice
 chroot /var/lib/haproxy
 user haproxy
 group haproxy
 daemon

 defaults
 log global
 mode http
 option  httplog
 option  dontlognull
 contimeout 5000
 clitimeout 5
 srvtimeout 5
 errorfile 400 /etc/haproxy/errors/400.http
 errorfile 403 /etc/haproxy/errors/403.http
 errorfile 408 /etc/haproxy/errors/408.http
 errorfile 500 /etc/haproxy/errors/500.http
 errorfile 502 /etc/haproxy/errors/502.http
 errorfile 503 /etc/haproxy/errors/503.http
 errorfile 504 /etc/haproxy/errors/504.http


 listen appname 0.0.0.0:8002
 mode http
 stats enable
 stats uri /haproxy?stats
 stats realm Strictly\ Private
 stats auth root:admin123
 stats auth root:admin123
 balance roundrobin
 option httpclose
 option forwardfor
 server lamp1 127.0.0.1:8001

 Regards,
 Ilan



Hi Ilian

You have this behavior because of option httpclose.
Remove it and you'll have connection keep-alive.

To make it clear, I would add an option http-keep-alive in the
defaults section.
And why not adding an option prefer-last-server, which may help
keeping the connection alive despite the load-balancing algorithm.

Baptiste
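
The behaviour discussed in this thread, as an added example that is not part of the original messages or of HAProxy itself: a Python check that reads a configuration and reports what the replies describe (httpclose forcing Connection: close, the two options the 1.4 parser rejects, and the mode that applies when no option is set). The sample configurations are trimmed from the one posted; the function names, the list of mode options and the keep-alive default of 1.5 come from the HAProxy documentation, not from the thread.

```python
# Added example: audit haproxy connection-mode options per version.
MODE_OPTIONS = {"httpclose", "http-server-close", "forceclose",
                "http-keep-alive", "http-tunnel"}
# Options the 1.4 parser rejected in the [ALERT] output quoted in the thread.
NEEDS_1_5 = {"http-keep-alive", "prefer-last-server"}
SECTIONS = ("global", "defaults", "frontend", "backend", "listen")

# Constructed sample, trimmed from the configuration posted in the thread.
ORIGINAL = """\
defaults
    mode http
    option httplog
listen appname 0.0.0.0:8002
    option httpclose
    option forwardfor
    server lamp1 127.0.0.1:8001
"""
# What the poster ended up with: httpclose removed, nothing put in its place.
REMOVED = ORIGINAL.replace("    option httpclose\n", "")
# What the reply suggested: explicit keep-alive options in defaults.
SUGGESTED = REMOVED.replace(
    "option httplog\n",
    "option httplog\n    option http-keep-alive\n    option prefer-last-server\n")


def parse_options(cfg_text):
    """Return {section label: [(line number, option name), ...]}."""
    sections, current = {}, None
    for lineno, raw in enumerate(cfg_text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] in SECTIONS:
            current = " ".join(words[:2])
            sections[current] = []
        elif words[0] == "option" and len(words) > 1 and current:
            sections[current].append((lineno, words[1]))
    return sections


def audit(cfg_text, version):
    """Return findings about connection handling for an haproxy version string."""
    old = tuple(int(x) for x in version.split(".")[:2]) < (1, 5)
    sections, findings = parse_options(cfg_text), []
    for name, opts in sections.items():
        for lineno, opt in opts:
            if old and opt in NEEDS_1_5:
                findings.append(f"line {lineno}: unknown option '{opt}' on {version}")
            if opt == "httpclose":
                findings.append(f"line {lineno}: '{name}' sets Connection: close")
    if not any(o in MODE_OPTIONS for opts in sections.values() for _, o in opts):
        mode = "tunnel" if old else "keep-alive"
        findings.append(f"no connection-mode option: {version} defaults to {mode}")
    return findings
```

In tunnel mode haproxy processes only the first request of each connection, so option forwardfor and any header rules apply to that request alone; this is why the 1.4 result for the configuration with httpclose simply removed deserves a second look.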



Re: HTTP CONNECT request returns 4XX

2015-08-07 Thread prabu shyam
Hi Willy,
Is there a way we can accomplish this with the http-request lua hook on 
haproxy? 
For example, on the process_connect lua function:
- Process the HTTP CONNECT method and extract the target server+port
- Establish a secure socket connection with the target server+port
- Reply the client with HTTP 200 and wrap the connection over ssl
- Read the next HTTP command from the client and forward it to the server
Thanks for your help!


  On Thursday, August 6, 2015 10:57 PM, Willy Tarreau w...@1wt.eu wrote:
   

 Hi,

On Thu, Aug 06, 2015 at 07:25:42PM -0700, Bowen Ni wrote:
 Hi,
 
 
 I am trying to use HAProxy as a man-in-the-middle proxy for HTTPS 
 traffic. When doing an HTTPS request over HAProxy, it tries to tunnel 
 the HTTPS request using an HTTP CONNECT request and the HTTP CONNECT 
 request is passed to backend server directly. My problem is that the 
 response of the CONNECT request I got from HAProxy is always 4XX. For 
 example: 403 Tunnel Forbidden, 400 Bad Request. I have tried many 
 backends and none of them give me 200. Am I missing anything?

It's not haproxy which returns this but the next server which receives
the CONNECT request. Haproxy is not a forward proxy, so it will not :
  - resolve host names in uri to decide where to forward the connection ;
  - extract the tunnel from a CONNECT request

If you want a forward proxy, simply use squid. It's the expert in this
role and works pretty well. You can even put haproxy in front of it if
you want.

Hoping this helps,
Willy