Re: [LUA] Lua advanced documentation
On Wed, 28 Oct 2015 21:18:42 +0100 PiBa-NLwrote: > Op 28-10-2015 om 9:28 schreef Thierry FOURNIER: > > Hi List, > > > > I wrote a Lua advanced documentation. This explain the Lua integration > > in HAProxy, the reason of some choices. Some traps and Lua code with > > advanced comments. > > > > This doc is not terminated, but I want to release a first version. I > > will fill the missing points later. > > > > unfortunatelly I have some difficulties to write in english, if anyone > > wants to correct my doc, it will be welcome. > > > > Thank you, > > Thierry > Hi Thierry, > > Thanks for the doc ! Thanks for read it ;) > Ive changed a few words here and there.. Updated doc attached. > Probably there is some more to correct for the more native English > speaking/writing people. > > I haven't tried to check it myself, but didn't see it in either of the > documents how often is a function from core.register_task called? Or > should it contain a loop+sleep ? Perhaps a small example could be added? Ok, this is a good comment ! My explaination was not clear. I will improve the explaination. For your information, the function associated with "core.register_task()" is executed once, if you want that the function does anything each period of time, you can use a core.sleep(). I will add an example. Thierry
[SPAM] le rendez-vous coquin des rencontres sexy!
Title: Sans prise de tete -- le rendez-vous coquin des rencontres sexy! Signaler comme indésirable Si vous avez des difficultés pour visualiser ce message, cliquez ici LE RENDEZ-VOUS COQUIN DES RENCONTRES SEXY! INSCRIPTION GRATUITE! Confidentialité des données : conformément à la Loi Informatique et Libertés du 6 Janvier 1978, vous disposez d'un droit d'accès et de rectification des données vous concernant. Pour ne plus recevoir de messages suivez ce lien.
Re: DNS resolution problem on 1.6.1-1ppa1~trusty
Ok, testing with the latest 0001-BUG-MAJOR-dns-first-DNS-response-packet-not-matching.patch appears to work from the proxy POV but I'm not seeing the update counter incrementing on address changes.
Re: DNS resolution problem on 1.6.1-1ppa1~trusty
On Thu, Oct 29, 2015 at 1:40 PM, Ben Tisdallwrote: > Ok, testing with the latest > 0001-BUG-MAJOR-dns-first-DNS-response-packet-not-matching.patch > appears to work from the proxy POV but I'm not seeing the update > counter incrementing on address changes. Sorry, I'm misinterpreting the test results, please ignore that. One ELB address has remained the same today so it's likely HAProxy has been using that and has not needed to update. -- Ben
haproxy 1.6 with lua in docker
Hi. I have created a Dockerfile which build haproxy with lua and pcre jit, it is based on centos:latest. https://github.com/git001/haproxy I have already opend an Issue in the official Docker haproxy repo. That’s the output ;-) ## haproxy -vv HA-Proxy version 1.6.1 2015/10/20 Copyright 2000-2015 Willy TarreauBuild options : TARGET = linux2628 CPU = generic CC = gcc CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement OPTIONS = USE_LINUX_SPLICE=1 USE_ZLIB=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_TFO=1 Default settings : maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200 Encrypted password support via crypt(3): yes Built with zlib version : 1.2.7 Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip") Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013 Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013 OpenSSL library supports TLS extensions : yes OpenSSL library supports SNI : yes OpenSSL library supports prefer-server-ciphers : yes Built with PCRE version : 8.32 2012-11-30 PCRE library supports JIT : yes Built with Lua version : Lua 5.3.1 Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND Available polling systems : epoll : pref=300, test result OK poll : pref=200, test result OK select : pref=150, test result OK Total: 3 (3 usable), will use epoll. ## What's your opinion about slice with docker?! BR aleks
Re: DNS resolution problem on 1.6.1-1ppa1~trusty
On Wed, Oct 28, 2015 at 4:41 PM, Baptistewrote: > So, when you write >if (cname && memcmp(ptr, cname, cnamelen)) >return DNS_UPD_NAME_ERROR; > else if (memcmp(ptr, dn_name, dn_name_len)) > return DNS_UPD_NAME_ERROR; > > your compare cname againt name in current record only if cname is set. > In Ben's case, cname is set and ptr and cname comparison was true, > hence memcmp returned 0. > Since memcmp returns 0, then HAProxy checks the next condition and > compare ptr to dn_name, which lead to return the DNS_UPD_NAME_ERROR > since we're evaluating a cname and ptr points to the CNAME while > dn_name points to the queried name. > > Basically, the code parsed the first response record, the CNAME, then > returned an error because the value of the cname does not match > anymore the name in the A record. > > With the code below, when cname is set, there is no chance you compare > ptr and dn_name... >if (cname) { > if (memcmp(ptr, cname, cnamelen)) { >return DNS_UPD_NAME_ERROR; >} >} > else if (memcmp(ptr, dn_name, dn_name_len)) > return DNS_UPD_NAME_ERROR; Thank you for the careful explanation Baptiste, that riddle was confounding our understanding.
haproxy daemon does not attempt to read ca-file on startup
Hi HAProxy users list, I am running HAProxy version 1.5.12-1 on Ubuntu Precise Pangolin (12.04). I have confirmed that it was compiled with OpenSSL support built in. I have configured an SSL backend thusly: bind 0.0.0.0:443 ssl crt /etc/ssl/private/secondmarket.com.pem ca-file /etc/ssl/private/secondmarket.ca.pem ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 launching haproxy under strace provides no indication that it made an attempt to read the ca-file (although you can clearly see it loading the crt file). strace output is here: http://pastebin.com/RDgAug7E Does anyone know why the ca-file directive is being ignored? Shall I upgrade? Thanks in advance for any adive anyone can proffer. Joseph Hammerman -- -- This message is intended only for the addressee. Please notify sender by e-mail if you are not the intended recipient. If you are not the intended recipient, you may not copy, disclose, or distribute this message or its contents, in either excerpts or in its entirety, to any other person and any such actions may be unlawful. SecondMarket Solutions, Inc. and it subsidiaries ("SecondMarket") is not responsible for any unauthorized redistribution. Securities-related services of SecondMarket are provided through SMTX, LLC (“SMTX”), a wholly owned subsidiary of SecondMarket and a registered broker dealer and member of FINRA/SIPC. SMTX does not accept time sensitive, action-oriented messages or transaction orders, including orders to purchase or sell securities, via e-mail. SMTX reserves the right to monitor and review the content of all messages sent to or from this e-mail address. Messages sent to or from this e-mail address may be stored on the SMTX e-mail system and archived in accordance with FINRA and SEC rules and regulations. This message is intended for those with an in-depth understanding of the high risk and illiquid nature of private securities and these assets may not be suitable for you. This message does not represent a solicitation for an order or an offer to buy or sell any security. There is not enough information contained in this message with which to make an investment decision and any information contained herein should not be used as a basis for this purpose. SMTX does not produce in-house research, make recommendations to purchase or sell specific securities, provide investment advisory services, or conduct a general retail business.
ip_nonlocal_bind=1 set but sometimes get "cannot bind socket" on reload (-sf)
Hello, I'm seeing some inconsistent/strange behavior with HAProxy (1.5.14 and 1.6.1) not being able to bind to a socket despite 'net.ipv4.ip_nonlocal_bind = 1' being set. HAProxy starts up without issue initially but after several reloads, the command 'service haproxy reload' starts failing and reports that HAProxy "cannot bind socket" for each of the listens/frontends, even for IPs that ARE on that server. The existing HAProxy process contiues to run without picking up the new changes. After the reload initially fails all subsequent 'service haproxy reload' commands also fail. Running 'service haproxy restart' restarts and immediately binds to the IPs:ports specified in each listen/frontend that it just complained that it could not bind to. Here's some background info. There are two servers (lb-01 and lb-02). Virtual IPs are managed by keepalived (v1.2.19) in two vrrp_instances. Each vrrp_instance contains half of the total virtual IPs. The first vrrp_instance has lb-01 defined as MASTER and lb-02 as BACKUP and the second vrrp_instance has lb-02 defined as MASTER and lb-01 as BACKUP. This allows each server to act as failover for the other server. This was tested extensively while I was adding support for ip rules to keepalived and works without issue. All of HAProxy's configuration is stored in consul (v0.5.2). consul-template (v0.11.1) writes out /etc/haproxy/haproxy.cfg using the data in consul and then consul-template calls 'service haproxy reload'. The OS is CentOS 6.4 and the kernel version is 2.6.32-358.23.2.el6.x86_64. Here is an example of what I'm seeing (actual IPs have been substituted). 192.168.10.0/24 IPs are assigned to eth0 and 192.168.200.0/24 IPs are assigned to eth1. (output is from lb-02) Reloading haproxy: [ALERT] 301/141300 (25939) : Starting proxy haproxy-stats: cannot bind socket [192.168.10.27:80] [ALERT] 301/141300 (25939) : Starting proxy haproxy-fe1: cannot bind socket [192.168.200.100:80] [ALERT] 301/141300 (25939) : Starting proxy haproxy-fe2: cannot bind socket [192.168.200.120:80] [ALERT] 301/141300 (25939) : Starting proxy haproxy-fe3: cannot bind socket [192.168.200.110:80] What's strange is that HAProxy is already listening to these IPs:port so it seems to be some kind of race condition. Of these IPs, 192.168.10.27 is statically assigned to eth0 and is the only IP assigned to that interface. 192.168.200.110 and 192.168.200.120 are assigned to eth1 on lb-02. 192.168.200.100 is assigned to eth1 on lb-01. Without setting 'net.ipv4.ip_nonlocal_bind = 1' I would expect to see "cannot bind socket" for 192.168.200.100 but it doesn't make any sense that HAProxy also reports that it cannot bind on IPs:ports that are assigned to that server. Does anyone have ideas as to why this might occur? Best Regards, Chris Riley
Re: haproxy daemon does not attempt to read ca-file on startup
On Thu, Oct 29, 2015 at 10:39 AM, Joseph Hammerman < jhammer...@secondmarket.com> wrote: > Hi HAProxy users list, > > I am running HAProxy version 1.5.12-1 on Ubuntu Precise Pangolin (12.04). > I have confirmed that it was compiled with OpenSSL support built in. > > I have configured an SSL backend thusly: > > bind 0.0.0.0:443 ssl crt /etc/ssl/private/secondmarket.com.pem ca-file > /etc/ssl/private/secondmarket.ca.pem ciphers > EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 > > launching haproxy under strace provides no indication that it made an > attempt to read the ca-file (although you can clearly see it loading the > crt file). strace output is here: http://pastebin.com/RDgAug7E > > Does anyone know why the ca-file directive is being ignored? Shall I > upgrade? > ca-file is used when validating client certificates. Do you configure anything that requires or expects clients to present a valid certificate? -Bryan
Re: haproxy daemon does not attempt to read ca-file on startup
Hi Brian, I am trying to issue the intermediate certificate so that my trust chain is presented to the browser. Am I using the wrong directive for that purpose? Thanks, Joe Hammerman On Thu, Oct 29, 2015 at 2:33 PM, Bryan Talbotwrote: > On Thu, Oct 29, 2015 at 10:39 AM, Joseph Hammerman < > jhammer...@secondmarket.com> wrote: > >> Hi HAProxy users list, >> >> I am running HAProxy version 1.5.12-1 on Ubuntu Precise Pangolin (12.04). >> I have confirmed that it was compiled with OpenSSL support built in. >> >> I have configured an SSL backend thusly: >> >> bind 0.0.0.0:443 ssl crt /etc/ssl/private/secondmarket.com.pem ca-file >> /etc/ssl/private/secondmarket.ca.pem ciphers >> EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 >> >> launching haproxy under strace provides no indication that it made an >> attempt to read the ca-file (although you can clearly see it loading the >> crt file). strace output is here: http://pastebin.com/RDgAug7E >> >> Does anyone know why the ca-file directive is being ignored? Shall I >> upgrade? >> > > > ca-file is used when validating client certificates. Do you configure > anything that requires or expects clients to present a valid certificate? > > -Bryan > > -- -- This message is intended only for the addressee. Please notify sender by e-mail if you are not the intended recipient. If you are not the intended recipient, you may not copy, disclose, or distribute this message or its contents, in either excerpts or in its entirety, to any other person and any such actions may be unlawful. SecondMarket Solutions, Inc. and it subsidiaries ("SecondMarket") is not responsible for any unauthorized redistribution. Securities-related services of SecondMarket are provided through SMTX, LLC (“SMTX”), a wholly owned subsidiary of SecondMarket and a registered broker dealer and member of FINRA/SIPC. SMTX does not accept time sensitive, action-oriented messages or transaction orders, including orders to purchase or sell securities, via e-mail. SMTX reserves the right to monitor and review the content of all messages sent to or from this e-mail address. Messages sent to or from this e-mail address may be stored on the SMTX e-mail system and archived in accordance with FINRA and SEC rules and regulations. This message is intended for those with an in-depth understanding of the high risk and illiquid nature of private securities and these assets may not be suitable for you. This message does not represent a solicitation for an order or an offer to buy or sell any security. There is not enough information contained in this message with which to make an investment decision and any information contained herein should not be used as a basis for this purpose. SMTX does not produce in-house research, make recommendations to purchase or sell specific securities, provide investment advisory services, or conduct a general retail business.
Re: haproxy daemon does not attempt to read ca-file on startup
On Thu, Oct 29, 2015 at 1:43 PM, Joseph Hammerman < jhammer...@secondmarket.com> wrote: > Hi Brian, > > I am trying to issue the intermediate certificate so that my trust chain > is presented to the browser. Am I using the wrong directive for that > purpose? > Yes. The intermediate certs should go in the certificate file along with the private key. So, something like this in your case then: $> cat secondmarket.com.cert authority-intermediate.pem secondmarket.com.key > secondmarket.com.pem You might also want DH parameters in that file too if you enable DH key exchange ciphers. -Bryan > > Thanks, > Joe Hammerman > > On Thu, Oct 29, 2015 at 2:33 PM, Bryan Talbot> wrote: > >> On Thu, Oct 29, 2015 at 10:39 AM, Joseph Hammerman < >> jhammer...@secondmarket.com> wrote: >> >>> Hi HAProxy users list, >>> >>> I am running HAProxy version 1.5.12-1 on Ubuntu Precise Pangolin >>> (12.04). I have confirmed that it was compiled with OpenSSL support built >>> in. >>> >>> I have configured an SSL backend thusly: >>> >>> bind 0.0.0.0:443 ssl crt /etc/ssl/private/secondmarket.com.pem ca-file >>> /etc/ssl/private/secondmarket.ca.pem ciphers >>> EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 >>> >>> launching haproxy under strace provides no indication that it made an >>> attempt to read the ca-file (although you can clearly see it loading the >>> crt file). strace output is here: http://pastebin.com/RDgAug7E >>> >>> Does anyone know why the ca-file directive is being ignored? Shall I >>> upgrade? >>> >> >> >> ca-file is used when validating client certificates. Do you configure >> anything that requires or expects clients to present a valid certificate? >> >> -Bryan >> >> > > > -- > > This message is intended only for the addressee. Please notify sender by > e-mail if you are not the intended recipient. If you are not the intended > recipient, you may not copy, disclose, or distribute this message or its > contents, in either excerpts or in its entirety, to any other person and > any such actions may be unlawful. SecondMarket Solutions, Inc. and it > subsidiaries ("SecondMarket") is not responsible for any unauthorized > redistribution. > > > Securities-related services of SecondMarket are provided through SMTX, LLC > (“SMTX”), a wholly owned subsidiary of SecondMarket and a registered broker > dealer and member of FINRA/SIPC. SMTX does not accept time sensitive, > action-oriented messages or transaction orders, including orders to > purchase or sell securities, via e-mail. SMTX reserves the right to > monitor and review the content of all messages sent to or from this e-mail > address. Messages sent to or from this e-mail address may be stored on the > SMTX e-mail system and archived in accordance with FINRA and SEC rules and > regulations. > > This message is intended for those with an in-depth understanding of the > high risk and illiquid nature of private securities and these assets may > not be suitable for you. This message does not represent a solicitation for > an order or an offer to buy or sell any security. There is not enough > information contained in this message with which to make an investment > decision and any information contained herein should not be used as a basis > for this purpose. SMTX does not produce in-house research, make > recommendations to purchase or sell specific securities, provide investment > advisory services, or conduct a general retail business. >
Re: ip_nonlocal_bind=1 set but sometimes get "cannot bind socket" on reload (-sf)
❦ 29 octobre 2015 15:16 -0400, Chris Riley: > Reloading haproxy: [ALERT] 301/141300 (25939) : Starting proxy > haproxy-stats: cannot bind socket [192.168.10.27:80] > [ALERT] 301/141300 (25939) : Starting proxy haproxy-fe1: cannot bind > socket [192.168.200.100:80] > [ALERT] 301/141300 (25939) : Starting proxy haproxy-fe2: cannot bind > socket [192.168.200.120:80] > [ALERT] 301/141300 (25939) : Starting proxy haproxy-fe3: cannot bind > socket [192.168.200.110:80] What's your kernel version? -- As flies to wanton boys are we to the gods; they kill us for their sport. -- Shakespeare, "King Lear"
[SPAM] L'evidence pour votre retraite
http://lb.notre-reponse.fr/r/?id=t2e633589,207b6c6,207b4b1=haproxy@formilux.org=haproxy@formilux.org Signaler comme indésirable Pour visualiser ce message au format html, cliquez ici : http://lb.notre-reponse.fr/r/?id=t2e633589,207b6c6,207b4b2=%40Jr8f5RO2doknLvXpOZ73s7x%2FAxzasImfHl1mrKkgL5E%3D ou copiez le lien dans votre navigateur Web Conformément à l'article 34 de la loi Informatique et Liberté du 6 janvier 1978, vous disposez d'un droit d'accès, de modification, de rectification et de suppression des données vous concernant.Déclaration CNIL n°1181416 Confidentialité des données : conformément à la Loi Informatique et Libertés du 6 Janvier 1978, vous disposez d'un droit d'accès et de rectification des données vous concernant. Vous recevez cette invitation car vous avez été en contact avec le Service Commercial de CapDecision ou de ses partenaires. Pour ne plus recevoir de messages de CapDecision http://lb.capmail.fr/webApp/unsub?id=%405zTQsPnO5LmFMLM2t77beQ%3D%3D; _label="Lien de désinscription" _type="optout">cliquez ici.
lua TXN.set_tos not work
I have this in config file listen railgun option transparent bind *:5000 transparent server main * source * tcp-request content lua.test tcp-request content reject if LOCALHOST and this in .lua core.register_action("test", { "tcp-req", "http-req" }, function(txn) txn:Info("test") txn:set_mark(0x10) txn:set_tos(0x10) end) then run sudo haproxy -f /etc/haproxy/haproxy.cfg -d and it successfully prints "test" on each connection, but i see every packet TOS is 0, not 0x10. same for mark. HAProxy 1.6.1
Re: Need some help configuring backend health checks
So I think those links were the right idea and I have been trying different configurations but am not quite there and am hoping somebody can offer a bit more guidance. So when I telnet to the icap server I type in the OPTIONS line followed by (2) return key presses and then it returns the ICAP text, below is my telent session output === $ telnet 10.1.4.153 1344 Trying 10.1.4.153... Connected to 10.1.4.153. Escape character is '^]'. OPTIONS icap://127.0.0.1:1344/respmod ICAP/1.0 ICAP/1.0 200 OK ISTAG: "5BDEEEA9-12E4-2" Service: Diladele Web Safety 4.2.0.CBF4 Service-ID: qlproxy Methods: RESPMOD Options-TTL: 3600 Max-Connections: 15000 Allow: 204 Preview: 4096 Transfer-Preview: * Encapsulated: null-body=0 Connection: close Here is what I have tried in the backend configurations option tcp-check tcp-check send OPTIONS\ icap\:\/\/127\.0\.0\.1\:1344\/respmod\ ICAP\/1\.0\r\n\ tcp-check send \r\n tcp-check expect string ICAP\/1\.0\ 200\ OK but it is still not working, I suspect I need to use some type of regex or such. Hoping somebody can help me along with this. TIA.. On Mon, Oct 19, 2015 at 7:42 AM, Daren Sefcikwrote: > Thanks Jarno, I am still not sure how I can apply this to each server > using a different port but will poke around at it and see if I can figure > it out. > > On Mon, Oct 19, 2015 at 1:04 AM, Jarno Huuskonen > wrote: > >> Hi, >> >> On Sun, Oct 18, Daren Sefcik wrote: >> > I have an ICAP server backend with servers that each listen on different >> > ports, can anyone offer some advice on how to configure health checks >> for >> > it? I am currently using basic but that really doesn't help if the >> service >> > is not responding. >> > >> > Here is my haproxy config for the backend: >> > >> > backend HTPL_CONT_FILTER_tcp_ipvANY >> > mode tcp >> > balance roundrobin >> > timeout connect 5 >> > timeout server 5 >> > retries 3 >> > server HTPL-WEB-01_10.1.4.153 10.1.4.153:1344 check inter 5000 weight >> 200 >> > maxconn 200 fastinter 1000 fall 5 >> > server HTPL-WEB-02_10.1.4.154 10.1.4.154:1344 check inter 5000 weight >> 200 >> > maxconn 200 fastinter 1000 fall 5 >> > server HTPL-WEB-02_10.1.4.155_01 10.1.4.155:8102 check inter 5000 >> weight >> > 200 maxconn 200 fastinter 1000 fall 5 >> > server HTPL-WEB-02_10.1.4.155_02 10.1.4.155:8202 check inter 5000 >> weight >> > 200 maxconn 200 fastinter 1000 fall 5 >> >> Do the icap servers (squid+diladele?) respond to something like this: >> https://support.symantec.com/en_US/article.TECH220980.html >> or https://exchange.icinga.org/oldmonex/1733-check_icap.pl/check_icap.pl >> >> Maybe you can use tcp-check to send icap request and look for >> "ICAP/1.0 200" response: >> >> https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#tcp-check%20connect >> http://blog.haproxy.com/2014/01/02/haproxy-advanced-redis-health-check/ >> >> -Jarno >> >> -- >> Jarno Huuskonen >> > >