Re: segfault in src/buffer.c
Hi,

How can I reproduce the segfault ?

Thierry

On Mon, 17 Aug 2015 15:00:25 +0200 Marc-Antoine marc-antoine.b...@ovh.net wrote:

Hi,

Cyril, as you said, if I remove txn:close() from the lua script, I don't get segfault anymore.

I noticed that if I removed default_backend line from frontend declaration, segfault does not happen even with txn:close() in lua script :

    frontend fe:80
        bind 127.0.0.1:80
        acl debugme req.hdr_cnt(X-debug-me) ge 1
        http-request lua mirror if debugme
        #default_backend be

Regards,

On Sat, 15 Aug 2015 23:56:57 +0200, Cyril Bonté cyril.bo...@free.fr wrote :

Hi Marc-Antoine,

On 12/08/2015 19:01, Marc-Antoine wrote:

I forgot lua file content :

    # cat mylua.lua
    -- a simple mirror web server
    -- it generates a response whose body contains the requests headers
    function mirror(txn)
        (...)
        txn:close()
    end

This is the call which produces a segfault later, combined with the haproxy configuration. I give more details below.

Marc-Antoine marc-antoine.b...@ovh.net wrote :

    (...)
    defaults
        mode http
        (...)

    frontend fe:80
        bind 127.0.0.1:80
        acl debugme req.hdr_cnt(X-debug-me) ge 1
        http-request lua mirror if debugme
        default_backend be

It looks that currently, mode http doesn't allow a call to txn:close().

To extend the issue, txn:close() won't work for a proxy in HTTP mode for both :

    http-request lua
    tcp-request content lua

This is due to the stream processing which still executes some request analyzers even if the lua code sends a response and asks to close the transaction.

I haven't looked at the code enough yet, but maybe we should try to find a way to notify haproxy to stop the processing once txn:close() is called.

This also explains some other segfaults reported in the past : http://comments.gmane.org/gmane.comp.web.haproxy/21136

--
Marc-Antoine
Re: Infinite timeout
On 18 August 2015 10:41, mihaly.vukov...@t-systems.com wrote:

Hello All,

we need to set infinite timeout for a specific listener, the docs say that the infinite timeout can be set up by not defining the timeout value at all. It means that I have to remove the default options, and define the timeouts explicitly in other listeners.

My question is, what I have not found in the docs: what if I set the timeout to 0 (zero). Is that equal to infinite? I would mean I can set default values and set to 0 in one specific listener block.

Best Regards,
Mihály Vukovics

Hi,

You could also set 2 defaults sections. One with timeouts, one without.

Baptiste
subscribe
Best Regards, Mihály Vukovics Solutions Architect Delivery/SP/Solutions/SA Phone: +36 (1) 381 8033 Mobile: +36 30 566 8946 E-mail: mihaly.vukov...@t-systems.com Internet: www.it-services.hu; www.t-systems.com
Infinite timeout
Hello All,

we need to set infinite timeout for a specific listener, the docs say that the infinite timeout can be set up by not defining the timeout value at all. It means that I have to remove the default options, and define the timeouts explicitly in other listeners.

My question is, what I have not found in the docs: what if I set the timeout to 0 (zero). Is that equal to infinite? I would mean I can set default values and set to 0 in one specific listener block.

Best Regards,
Mihály Vukovics
Haproxy help
Hi,

We have configured haproxy with balance roundrobin, added 2 web servers (web1, web2) and mapped website.domain.com to the haproxy IP. When we hit website.domain.com in the browser it works, and requests are transferred to both servers.

We want the first 100 hits sent to web1 and the rest to web2. Is it possible?

Regards,
Vivek Pal.
Re: ocsp
Hi,

I did tests you want. See below for answers.

On Mon, 20 Jul 2015 17:42:03 +0200, Lukas Tribus luky...@hotmail.com wrote :

Hi Lukas,

    frontend cluster:443
        bind 1.2.3.4:443 ssl strict-sni crt /home/provisionning/0.pem crt /home/provisionning/cluster.d
        default_backend cluster
        capture request header Host len 255

Can you confirm there is no SSL intercepting device in front of the webserver, like hardware firewalls/UTM and whatnot?

yes

Could you try with just a single certificate (single crt config pointing to a single certificate file, not a directory)?

yes, it works fine with crt pointing to a single certificate file.

Can you make the openssl tests from the server, connecting locally without any intermediate devices?

I did and results are the same.

Regards,

Thanks,
Lukas

--
Marc-Antoine
Re: segfault in src/buffer.c
Hi Thierry,

On 18/08/2015 12:33, Thierry wrote:

Hi,

How can I reproduce the segfault ?

While I tried to simplify the test to its minimal form, I could see that the segfault doesn't occur in http-keep-alive mode, but does in httpclose or http-server-close mode.

Here is the minimal configuration to reproduce the segfault :

haproxy.cfg :

    global
        lua-load bug.lua

    listen test
        bind :9000
        mode http
        option httpclose
        http-request lua closebug

bug.lua :

    function closebug(txn)
        txn:close()
    end

--
Cyril Bonté
Re: segfault in src/buffer.c
Hi again Thierry,

On 18/08/2015 22:28, Cyril Bonté wrote:

Hi Thierry,

On 18/08/2015 12:33, Thierry wrote:

Hi,

How can I reproduce the segfault ?

While I tried to simplify the test to its minimal form, I could see that the segfault doesn't occur in http-keep-alive mode, but does in httpclose or http-server-close mode.

Here is the minimal configuration to reproduce the segfault :

haproxy.cfg :

    global
        lua-load bug.lua

    listen test
        bind :9000
        mode http
        option httpclose
        http-request lua closebug

bug.lua :

    function closebug(txn)
        txn:close()
    end

Well, to complete the test case, using httpclose or http-server-close, it will segfault only if it requires to change the Connection header in the response.

    $ echo -ne "GET / HTTP/1.1\r\nHost: localhost\r\n\r\n" | nc localhost 9000
    = segfault

Backtrace associated :

    ...
    #1 0x00410bc7 in buffer_insert_line2 (b=0x732c00, pos=0x732c35 "\r\nache-Control: no-cache\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n<html><body><h1>503 Service Unavailable</h1>\nNo server is available to handle this request.\n</body></html>\n", str=0x4b23bf "Connection: close", len=len@entry=17) at src/buffer.c:126
    #2 0x0044653f in http_header_add_tail2 (msg=msg@entry=0x724a50, hdr_idx=hdr_idx@entry=0x7249f0, text=<optimized out>, len=17) at src/proto_http.c:508
    #3 0x004496c0 in http_change_connection_header (txn=txn@entry=0x7249f0, msg=msg@entry=0x724a50, wanted=4194304) at src/proto_http.c:1984
    #4 0x0045147f in http_process_request (s=s@entry=0x724670, req=req@entry=0x724680, an_bit=an_bit@entry=512) at src/proto_http.c:4689
    #5 0x0047bcf6 in process_stream (t=<optimized out>) at src/stream.c:1741
    #6 0x00415665 in process_runnable_tasks () at src/task.c:238
    #7 0x0040c0c0 in run_poll_loop () at src/haproxy.c:1528
    #8 0x00408f66 in main (argc=<optimized out>, argv=<optimized out>) at src/haproxy.c:1887

    $ echo -ne "GET / HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n" | nc localhost 9000
    = OK

It won't segfault exactly in the same manner as Marc-Antoine, but it shows that haproxy tries to process the HTTP request and response after txn.close() is called.

How about completely removing txn:close() and check a return value for lua function ?

0 : haproxy go to the next steps ; 0 : haproxy stops immediately the session.

This could prevent such use cases :

    txn:close()
    txn.res:send("test\r\n")
    txn.http:res_add_header("header", "value")

--
Cyril Bonté
Re: [PATCH] DOC: match several lua configuration option names to those implemented in code
On Tue, Aug 18, 2015 at 11:32:10PM +0200, Thierry FOURNIER wrote:

Hi,

Thank you for the doc fix.

Patch applied, thanks guys!

Willy
Re: Haproxy help
Hi Vivek,

You can do this I think with the first scheduler, so the option balance first :

This is what haproxy doc says:

    first    The first server with available connection slots receives the
             connection. The servers are chosen from the lowest numeric
             identifier to the highest (see server parameter id), which
             defaults to the server's position in the farm. Once a server
             reaches its maxconn value, the next server is used. It does not
             make sense to use this algorithm without setting maxconn. The
             purpose of this algorithm is to always use the smallest number
             of servers so that extra servers can be powered off during
             non-intensive hours. This algorithm ignores the server weight,
             and brings more benefit to long session such as RDP or IMAP than
             HTTP, though it can be useful there too. In order to use this
             algorithm efficiently, it is recommended that a cloud controller
             regularly checks server usage to turn them off when unused, and
             regularly checks backend queue to turn new servers on when the
             queue inflates. Alternatively, using http-check send-state may
             inform servers on the load.

Otherwise you may be able to do something based on session rate with ACLs, I used this config once previously :

    frontend TestVIP 192.168.0.236:80 transparent
        mode http
        maxconn 4
        option accept-invalid-http-request
        acl max_conn_reached srv_sess_rate(prod/ProdRIP) gt 10
        acl prod_dead nbsrv(prod) lt 1
        acl whitelist hdr_sub(Cookie) -i SERVERID
        default_backend prod
        use_backend prod if whitelist
        use_backend fallback if max_conn_reached OR prod_dead

    backend prod
        mode http
        balance leastconn
        option abortonclose
        option forwardfor
        option accept-invalid-http-response
        option http-keep-alive
        cookie SERVERID insert nocache indirect
        server ProdRIP 192.168.0.245 weight 100 cookie ProdRIP check port 80 inter 4000 rise 2 fall 2 minconn 0 maxconn 0

    backend fallback
        mode http
        balance leastconn
        option abortonclose
        option forwardfor
        option accept-invalid-http-response
        option http-keep-alive
        server FallbackRIP 192.168.0.246 weight 100 minconn 0 maxconn 0

Regards

Aaron West
Loadbalancer.org Limited
+44 (0)330 380 1064
www.loadbalancer.org

On 18 August 2015 at 13:06, vivek pal mr.vivek...@gmail.com wrote:

Hi,

We have configured haproxy with balance roundrobin, added 2 web servers (web1, web2) and mapped website.domain.com to the haproxy IP. When we hit website.domain.com in the browser it works, and requests are transferred to both servers.

We want the first 100 hits sent to web1 and the rest to web2. Is it possible?

Regards,
Vivek Pal.
Re: segfault in src/buffer.c
Hi Thierry,

using the lua file and cfg file I provided in my two first mails and the latest source, you should get a segfault when doing :

    # curl http://127.0.0.1 -H "X-debug-me: yes"

Regards,

On Tue, 18 Aug 2015 12:33:40 +0200, Thierry t...@thierry.1s.fr wrote :

Hi,

How can I reproduce the segfault ?

Thierry

On Mon, 17 Aug 2015 15:00:25 +0200 Marc-Antoine marc-antoine.b...@ovh.net wrote:

Hi,

Cyril, as you said, if I remove txn:close() from the lua script, I don't get segfault anymore.

I noticed that if I removed default_backend line from frontend declaration, segfault does not happen even with txn:close() in lua script :

    frontend fe:80
        bind 127.0.0.1:80
        acl debugme req.hdr_cnt(X-debug-me) ge 1
        http-request lua mirror if debugme
        #default_backend be

Regards,

On Sat, 15 Aug 2015 23:56:57 +0200, Cyril Bonté cyril.bo...@free.fr wrote :

Hi Marc-Antoine,

On 12/08/2015 19:01, Marc-Antoine wrote:

I forgot lua file content :

    # cat mylua.lua
    -- a simple mirror web server
    -- it generates a response whose body contains the requests headers
    function mirror(txn)
        (...)
        txn:close()
    end

This is the call which produces a segfault later, combined with the haproxy configuration. I give more details below.

Marc-Antoine marc-antoine.b...@ovh.net wrote :

    (...)
    defaults
        mode http
        (...)

    frontend fe:80
        bind 127.0.0.1:80
        acl debugme req.hdr_cnt(X-debug-me) ge 1
        http-request lua mirror if debugme
        default_backend be

It looks that currently, mode http doesn't allow a call to txn:close().

To extend the issue, txn:close() won't work for a proxy in HTTP mode for both :

    http-request lua
    tcp-request content lua

This is due to the stream processing which still executes some request analyzers even if the lua code sends a response and asks to close the transaction.

I haven't looked at the code enough yet, but maybe we should try to find a way to notify haproxy to stop the processing once txn:close() is called.

This also explains some other segfaults reported in the past : http://comments.gmane.org/gmane.comp.web.haproxy/21136

--
Marc-Antoine

--
Marc-Antoine
Re: [PATCH] DOC: match several lua configuration option names to those implemented in code
Hi,

Thank you for the doc fix.

Thierry

On Sun, 16 Aug 2015 16:08:01 +0200 PiBa-NL piba.nl@gmail.com wrote:

Hi,

I've found some inconsistencies in the documentation, patch attached. Could you take a look and merge it? Thanks.

Regards,
PiBa-NL
Re: getting transparent proxy to work.
After changing the default gateway of the web servers to 10.10.130.79 this didn't fix it. The site we were testing on, and then all the other sites as well were unresponsive.

So what I was unclear on is if we changed the default gateway to the vip of the test site we were using on the web server, how would the other web sites served from the box work. We have 4 sites on that box all w/ different VIPs for each. So we expected the other sites to fail and perhaps the test site to succeed but this wasn't the case.

In the case of the test site traffic was getting to the web server to haproxy but not returning to either haproxy or the workstation making the request.

I'd just like to clarify a few of my assumptions about this doc: http://blog.haproxy.com/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/

Linux Kernel requirements

You have to ensure your kernel has been compiled with the following options:
– CONFIG_NETFILTER_TPROXY
– CONFIG_NETFILTER_XT_TARGET_TPROXY

this to be done on haproxy boxes (not the webservers), ie:

    [richv@haproxy2 ~]$ lsmod | grep -i tproxy
    xt_TPROXY 17327 0
    nf_defrag_ipv6 34651 2 xt_socket,xt_TPROXY
    nf_defrag_ipv4 12729 3 xt_socket,xt_TPROXY,nf_conntrack_ipv4

and:

    [richv@haproxy2 ~]$ grep -i tproxy /boot/*
    /boot/config-3.10.0-229.4.2.el7.x86_64:CONFIG_NETFILTER_XT_TARGET_TPROXY=m

** note, I'm using centos 7. in boot file i see CONFIG_NETFILTER_XT_TARGET_TPROXY in lsmod output only see xt_TPROXY. This is correct, I should see both CONFIG_NETFILTER_TPROXY CONFIG_NETFILTER_XT_TARGET_TPROXY in lsmod output or boot file?

sysctl settings

The following sysctls must be enabled:
– net.ipv4.ip_forward
– net.ipv4.ip_nonlocal_bind

this to be done on haproxy boxes (not the webservers), ie:

    [richv@haproxy2 ~]$ sudo sysctl -p
    vm.swappiness = 0
    net.ipv4.ip_nonlocal_bind = 1
    net.ipv4.ip_forward = 1

---

iptables rules

You must setup the following iptables rules:

    iptables -t mangle -N DIVERT
    iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    iptables -t mangle -A DIVERT -j MARK --set-mark 1
    iptables -t mangle -A DIVERT -j ACCEPT

this to be done on haproxy boxes (not the webservers), ie:

    haproxy2 sudo iptables -L -n -t mangle
    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    DIVERT tcp -- 0.0.0.0/0 0.0.0.0/0 socket
    [...]
    Chain DIVERT (1 references)
    target prot opt source destination
    MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK set 0x1
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

IP route rules

Then, tell the Operating System to forward packets marked by iptables to the loopback where HAProxy can catch them:

    ip rule add fwmark 1 lookup 100
    ip route add local 0.0.0.0/0 dev lo table 100

this to be done on haproxy boxes (not the webservers), ie:

    haproxy2 ip rule show
    0: from all lookup local
    32762: from all fwmark 0x1 lookup 100
    32766: from all lookup main
    32767: from all lookup default

    haproxy ip route show table 100
    local default dev lo scope host

In summary for my setup, everything in that tutorial is to be performed on the haproxy box, not the web servers?

From: Baptiste bed...@gmail.com
Sent: Friday, August 14, 2015 1:07 AM
To: Rich Vigorito
Cc: HAProxy
Subject: Re: getting transparent proxy to work.

temporary just for the troubleshooting period, and validate this is the root of your issue. The definitive solution belongs to you then!

Please clarify the rest of your email. I don't understand what IPs or loopbacks you're speaking about.

Before going further, please apply the default gateway change and confirm it works after this.

Baptiste

On Thu, Aug 13, 2015 at 10:28 PM, Rich Vigorito ri...@ocp.org wrote:

A couple clarifications. What do you mean by temporary? ... this wouldn't be needed indefinitely?

What I've articulated is only one site served through the 2 web servers. Our web servers serve multiple sites, how to accommodate this? Ie couldn't have 5 different IPs in the loopback?

From: Baptiste bed...@gmail.com
Sent: Wednesday, August 12, 2015 11:41 PM
To: Rich Vigorito
Cc: HAProxy
Subject: Re: getting transparent proxy to work.

Hi Rich,

so here is your problem. Please temporarily change this default gateway of the web servers to the active VIP: 10.10.130.79. What happens, and what you
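
The prerequisites walked through in the message above (two sysctls, the mangle DIVERT chain, the fwmark rule and the table 100 route) can be checked together from captured command output. The script below is an added example, not part of the thread or of the HAProxy howto; the function names and the SAMPLE_ variables are hypothetical, and the sample text is the output posted in the message with column spacing restored.

```shell
#!/bin/sh
# Added example: offline check of the transparent-proxy prerequisites.
# Each check function takes the captured text of one command as $1.

# "sysctl -p" style text: succeeds only if "<key> = 1" is present.
check_sysctl() {  # $1 = captured text, $2 = sysctl key
    printf '%s\n' "$1" | awk -v k="$2" -F' *= *' '$1 == k && $2 == "1" { ok = 1 } END { exit !ok }'
}

# "iptables -L -n -t mangle" text: PREROUTING must hand socket-matched TCP to
# DIVERT, and DIVERT must set mark 0x1 before it accepts the packet.
check_mangle() {
    printf '%s\n' "$1" | awk '
        /^Chain / { chain = $2 }
        chain == "PREROUTING" && $1 == "DIVERT" && $2 == "tcp" && /socket/ { pre = 1 }
        chain == "DIVERT" && $1 == "MARK" && /MARK set 0x1( |$)/ { mark = 1 }
        chain == "DIVERT" && $1 == "ACCEPT" && mark { acc = 1 }
        END { exit !(pre && mark && acc) }'
}

# "ip rule show" text: marked packets must be looked up in table 100.
check_rule() { printf '%s\n' "$1" | grep -Eq 'fwmark 0x1 lookup 100( |$)'; }

# "ip route show table 100" text: table 100 must deliver everything locally.
check_route() { printf '%s\n' "$1" | grep -Eq '^local default dev lo( |$)'; }

# Prints the names of the failed checks, space separated (empty = all present).
tproxy_missing() {  # $1 sysctl, $2 mangle table, $3 ip rule, $4 table 100 route
    missing=""
    check_sysctl "$1" net.ipv4.ip_forward       || missing="$missing ip_forward"
    check_sysctl "$1" net.ipv4.ip_nonlocal_bind || missing="$missing ip_nonlocal_bind"
    check_mangle "$2"                           || missing="$missing mangle_divert"
    check_rule "$3"                             || missing="$missing fwmark_rule"
    check_route "$4"                            || missing="$missing table_100_route"
    printf '%s' "${missing# }"
}

# Sample text taken from the outputs posted in the message above.
SAMPLE_SYSCTL='vm.swappiness = 0
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.ip_forward = 1'
SAMPLE_MANGLE='Chain PREROUTING (policy ACCEPT)
target     prot opt source      destination
DIVERT     tcp  --  0.0.0.0/0   0.0.0.0/0   socket

Chain DIVERT (1 references)
target     prot opt source      destination
MARK       all  --  0.0.0.0/0   0.0.0.0/0   MARK set 0x1
ACCEPT     all  --  0.0.0.0/0   0.0.0.0/0'
SAMPLE_RULES='0: from all lookup local
32762: from all fwmark 0x1 lookup 100
32766: from all lookup main
32767: from all lookup default'
SAMPLE_ROUTE='local default dev lo scope host'

echo "missing: [$(tproxy_missing "$SAMPLE_SYSCTL" "$SAMPLE_MANGLE" "$SAMPLE_RULES" "$SAMPLE_ROUTE")]"
```

On a live HAProxy box the four arguments would be the output of `sysctl -p`, `iptables -L -n -t mangle`, `ip rule show` and `ip route show table 100`.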