Re: [LUA] Lua advanced documentation

2015-10-29 Thread Thierry FOURNIER
On Wed, 28 Oct 2015 21:18:42 +0100
PiBa-NL  wrote:

> On 28-10-2015 at 9:28, Thierry FOURNIER wrote:
> > Hi List,
> >
> > I wrote a Lua advanced documentation. This explains the Lua integration
> > in HAProxy, the reason of some choices. Some traps and Lua code with
> > advanced comments.
> >
> > This doc is not terminated, but I want to release a first version. I
> > will fill the missing points later.
> >
> > Unfortunately I have some difficulties to write in English, if anyone
> > wants to correct my doc, it will be welcome.
> >
> > Thank you,
> > Thierry
> Hi Thierry,
> 
> Thanks for the doc !


Thanks for reading it ;)


> I've changed a few words here and there.. Updated doc attached.
> Probably there is some more to correct for the more native English 
> speaking/writing people.
> 
> I haven't tried to check it myself, but didn't see it in either of the 
> documents how often is a function from core.register_task called? Or 
> should it contain a loop+sleep ? Perhaps a small example could be added?


Ok, this is a good comment ! My explanation was not clear. I will
improve the explanation. For your information, the function associated
with "core.register_task()" is executed once, if you want that the
function does anything each period of time, you can use a core.sleep().

I will add an example.

Thierry



Re: DNS resolution problem on 1.6.1-1ppa1~trusty

2015-10-29 Thread Ben Tisdall
Ok, testing with the latest
0001-BUG-MAJOR-dns-first-DNS-response-packet-not-matching.patch
appears to work from the proxy POV but I'm not seeing the update
counter incrementing on address changes.



Re: DNS resolution problem on 1.6.1-1ppa1~trusty

2015-10-29 Thread Ben Tisdall
On Thu, Oct 29, 2015 at 1:40 PM, Ben Tisdall  wrote:
> Ok, testing with the latest
> 0001-BUG-MAJOR-dns-first-DNS-response-packet-not-matching.patch
> appears to work from the proxy POV but I'm not seeing the update
> counter incrementing on address changes.

Sorry, I'm misinterpreting the test results, please ignore that. One
ELB address has remained the same today so it's likely HAProxy has
been using that and has not needed to update.



-- 
Ben



haproxy 1.6 with lua in docker

2015-10-29 Thread Aleksandar Lazic

Hi.

I have created a Dockerfile which builds haproxy with lua and pcre jit, 
it is based on centos:latest.


https://github.com/git001/haproxy
I have already opened an issue in the official Docker haproxy repo.

That’s the output ;-)

##
haproxy -vv
HA-Proxy version 1.6.1 2015/10/20
Copyright 2000-2015 Willy Tarreau 

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement
  OPTIONS = USE_LINUX_SPLICE=1 USE_ZLIB=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_TFO=1


Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200


Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")

Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : yes
Built with Lua version : Lua 5.3.1
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND


Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.
##

What's your opinion about slice with docker?!

BR aleks



Re: DNS resolution problem on 1.6.1-1ppa1~trusty

2015-10-29 Thread Jesse Hathaway
On Wed, Oct 28, 2015 at 4:41 PM, Baptiste  wrote:
> So, when you write
>    if (cname && memcmp(ptr, cname, cnamelen))
>        return DNS_UPD_NAME_ERROR;
>    else if (memcmp(ptr, dn_name, dn_name_len))
>        return DNS_UPD_NAME_ERROR;
>
> you compare cname against name in current record only if cname is set.
> In Ben's case, cname is set and ptr and cname comparison was true,
> hence memcmp returned 0.
> Since memcmp returns 0, then HAProxy checks the next condition and
> compare ptr to dn_name, which lead to return the DNS_UPD_NAME_ERROR
> since we're evaluating a cname and ptr points to the CNAME while
> dn_name points to the queried name.
>
> Basically, the code parsed the first response record, the CNAME, then
> returned an error because the value of the cname does not match
> anymore the name in the A record.
>
> With the code below, when cname is set, there is no chance you compare
> ptr and dn_name...
>    if (cname) {
>        if (memcmp(ptr, cname, cnamelen)) {
>            return DNS_UPD_NAME_ERROR;
>        }
>    }
>    else if (memcmp(ptr, dn_name, dn_name_len))
>        return DNS_UPD_NAME_ERROR;

Thank you for the careful explanation Baptiste, that riddle was confounding
our understanding.
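
The control-flow difference Baptiste describes, as an added example that is not part of the thread or of HAProxy's source: both forms of the name check are run against the same constructed record names, showing that the first form rejects a legitimate CNAME chain while the second still rejects a record name that matches neither. The function names, DEMO_NAME_OK, the numeric return values and the sample names are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DNS_UPD_NAME_ERROR is the name used in the thread; its value and
 * DEMO_NAME_OK are constructed for this example. */
enum { DEMO_NAME_OK = 0, DNS_UPD_NAME_ERROR = 1 };

/* Every name buffer is padded to the same size so memcmp never over-reads. */
#define NAME_BUF   32
#define QNAME_LEN  17   /* 4 + 8 + 4 label bytes + root byte */
#define TARGET_LEN 20   /* 3 + 4 + 8 + 4 label bytes + root byte */

/* Constructed names in DNS wire format (length-prefixed labels, root = 0). */
static const unsigned char QNAME[NAME_BUF]  = "\003www\007example\003com";       /* queried name */
static const unsigned char TARGET[NAME_BUF] = "\002lb\003elb\007example\003net"; /* CNAME target */
static const unsigned char OTHER[NAME_BUF]  = "\005other\007example\003org";     /* unrelated    */

/* First form from the thread: when cname is set AND matches, the first
 * condition is false, so control falls into the else-if and the record name
 * is compared with the queried name as well. */
static int check_before(const unsigned char *ptr,
                        const unsigned char *cname, size_t cnamelen,
                        const unsigned char *dn_name, size_t dn_name_len)
{
    if (cname && memcmp(ptr, cname, cnamelen))
        return DNS_UPD_NAME_ERROR;
    else if (memcmp(ptr, dn_name, dn_name_len))
        return DNS_UPD_NAME_ERROR;
    return DEMO_NAME_OK;
}

/* Second form: once cname is set, the record name is only ever compared
 * with the CNAME target; dn_name is consulted only when no CNAME was seen. */
static int check_after(const unsigned char *ptr,
                       const unsigned char *cname, size_t cnamelen,
                       const unsigned char *dn_name, size_t dn_name_len)
{
    if (cname) {
        if (memcmp(ptr, cname, cnamelen))
            return DNS_UPD_NAME_ERROR;
    }
    else if (memcmp(ptr, dn_name, dn_name_len))
        return DNS_UPD_NAME_ERROR;
    return DEMO_NAME_OK;
}

static const char *verdict(int rc)
{
    return rc == DEMO_NAME_OK ? "accepted" : "DNS_UPD_NAME_ERROR";
}

int main(void)
{
    /* A record named after the CNAME target (the case from the thread). */
    printf("A record after CNAME, first form : %s\n",
           verdict(check_before(TARGET, TARGET, TARGET_LEN, QNAME, QNAME_LEN)));
    printf("A record after CNAME, second form: %s\n",
           verdict(check_after(TARGET, TARGET, TARGET_LEN, QNAME, QNAME_LEN)));

    /* No CNAME in the response: both forms compare with the queried name. */
    printf("A record, no CNAME, second form  : %s\n",
           verdict(check_after(QNAME, NULL, 0, QNAME, QNAME_LEN)));

    /* A record whose name matches neither the CNAME target nor the query
     * must still be rejected by the second form. */
    printf("unrelated name, second form      : %s\n",
           verdict(check_after(OTHER, TARGET, TARGET_LEN, QNAME, QNAME_LEN)));
    return 0;
}
```
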



haproxy daemon does not attempt to read ca-file on startup

2015-10-29 Thread Joseph Hammerman
Hi HAProxy users list,

I am running HAProxy version 1.5.12-1 on Ubuntu Precise Pangolin (12.04). I
have confirmed that it was compiled with OpenSSL support built in.

I have configured an SSL backend thusly:

bind 0.0.0.0:443 ssl crt /etc/ssl/private/secondmarket.com.pem ca-file
/etc/ssl/private/secondmarket.ca.pem ciphers
EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

launching haproxy under strace provides no indication that it made an
attempt to read the ca-file (although you can clearly see it loading the
crt file). strace output is here: http://pastebin.com/RDgAug7E

Does anyone know why the ca-file directive is being ignored? Shall I
upgrade?

Thanks in advance for any advice anyone can proffer.
Joseph Hammerman

-- 
 

--

This message is intended only for the addressee. Please notify sender by 
e-mail if you are not the intended recipient. If you are not the intended 
recipient, you may not copy, disclose, or distribute this message or its 
contents, in either excerpts or in its entirety, to any other person and 
any such actions may be unlawful.  SecondMarket Solutions, Inc. and it 
subsidiaries ("SecondMarket") is not responsible for any unauthorized 
redistribution.


Securities-related services of SecondMarket are provided through SMTX, LLC 
(“SMTX”), a wholly owned subsidiary of SecondMarket and a registered broker 
dealer and member of FINRA/SIPC.   SMTX does not accept time sensitive, 
action-oriented messages or transaction orders, including orders to 
purchase or sell securities, via e-mail.  SMTX reserves the right to 
monitor and review the content of all messages sent to or from this e-mail 
address.  Messages sent to or from this e-mail address may be stored on the 
SMTX e-mail system and archived in accordance with FINRA and SEC rules and 
regulations.  

This message is intended for those with an in-depth understanding of the 
high risk and illiquid nature of private securities and these assets may 
not be suitable for you. This message does not represent a solicitation for 
an order or an offer to buy or sell any security.  There is not enough 
information contained in this message with which to make an investment 
decision and any information contained herein should not be used as a basis 
for this purpose. SMTX does not produce in-house research, make 
recommendations to purchase or sell specific securities, provide investment 
advisory services, or conduct a general retail business.


ip_nonlocal_bind=1 set but sometimes get "cannot bind socket" on reload (-sf)

2015-10-29 Thread Chris Riley
Hello,

I'm seeing some inconsistent/strange behavior with HAProxy (1.5.14 and
1.6.1) not being able to bind to a socket despite
'net.ipv4.ip_nonlocal_bind = 1' being set. HAProxy starts up without issue
initially but after several reloads, the command 'service haproxy reload'
starts failing and reports that HAProxy "cannot bind socket" for each of
the listens/frontends, even for IPs that ARE on that server. The existing
HAProxy process continues to run without picking up the new changes.

After the reload initially fails all subsequent 'service haproxy reload'
commands also fail. Running 'service haproxy restart' restarts and
immediately binds to the IPs:ports specified in each listen/frontend that
it just complained that it could not bind to.

Here's some background info. There are two servers (lb-01 and lb-02).
Virtual IPs are managed by keepalived (v1.2.19) in two vrrp_instances. Each
vrrp_instance contains half of the total virtual IPs. The first
vrrp_instance has lb-01 defined as MASTER and lb-02 as BACKUP and the
second vrrp_instance has lb-02 defined as MASTER and lb-01 as BACKUP. This
allows each server to act as failover for the other server. This was tested
extensively while I was adding support for ip rules to keepalived and works
without issue. All of HAProxy's configuration is stored in consul (v0.5.2).
consul-template (v0.11.1) writes out /etc/haproxy/haproxy.cfg using the
data in consul and then consul-template calls 'service haproxy reload'. The
OS is CentOS 6.4 and the kernel version is 2.6.32-358.23.2.el6.x86_64.

Here is an example of what I'm seeing (actual IPs have been substituted).
192.168.10.0/24 IPs are assigned to eth0 and 192.168.200.0/24 IPs are
assigned to eth1. (output is from lb-02)

Reloading haproxy: [ALERT] 301/141300 (25939) : Starting proxy
haproxy-stats: cannot bind socket [192.168.10.27:80]
[ALERT] 301/141300 (25939) : Starting proxy haproxy-fe1: cannot bind socket
[192.168.200.100:80]
[ALERT] 301/141300 (25939) : Starting proxy haproxy-fe2: cannot bind socket
[192.168.200.120:80]
[ALERT] 301/141300 (25939) : Starting proxy haproxy-fe3: cannot bind socket
[192.168.200.110:80]

What's strange is that HAProxy is already listening to these IPs:port so it
seems to be some kind of race condition. Of these IPs, 192.168.10.27 is
statically assigned to eth0 and is the only IP assigned to that interface.
192.168.200.110 and 192.168.200.120 are assigned to eth1 on lb-02.
192.168.200.100 is assigned to eth1 on lb-01. Without setting
'net.ipv4.ip_nonlocal_bind = 1' I would expect to see "cannot bind socket"
for 192.168.200.100 but it doesn't make any sense that HAProxy also reports
that it cannot bind on IPs:ports that are assigned to that server.

Does anyone have ideas as to why this might occur?

Best Regards,
Chris Riley


Re: haproxy daemon does not attempt to read ca-file on startup

2015-10-29 Thread Bryan Talbot
On Thu, Oct 29, 2015 at 10:39 AM, Joseph Hammerman <
jhammer...@secondmarket.com> wrote:

> Hi HAProxy users list,
>
> I am running HAProxy version 1.5.12-1 on Ubuntu Precise Pangolin (12.04).
> I have confirmed that it was compiled with OpenSSL support built in.
>
> I have configured an SSL backend thusly:
>
> bind 0.0.0.0:443 ssl crt /etc/ssl/private/secondmarket.com.pem ca-file
> /etc/ssl/private/secondmarket.ca.pem ciphers
> EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
>
> launching haproxy under strace provides no indication that it made an
> attempt to read the ca-file (although you can clearly see it loading the
> crt file). strace output is here: http://pastebin.com/RDgAug7E
>
> Does anyone know why the ca-file directive is being ignored? Shall I
> upgrade?
>


ca-file is used when validating client certificates. Do you configure
anything that requires or expects clients to present a valid certificate?

-Bryan


Re: haproxy daemon does not attempt to read ca-file on startup

2015-10-29 Thread Joseph Hammerman
Hi Brian,

I am trying to issue the intermediate certificate so that my trust chain is
presented to the browser. Am I using the wrong directive for that purpose?

Thanks,
Joe Hammerman

On Thu, Oct 29, 2015 at 2:33 PM, Bryan Talbot  wrote:

> On Thu, Oct 29, 2015 at 10:39 AM, Joseph Hammerman <
> jhammer...@secondmarket.com> wrote:
>
>> Hi HAProxy users list,
>>
>> I am running HAProxy version 1.5.12-1 on Ubuntu Precise Pangolin (12.04).
>> I have confirmed that it was compiled with OpenSSL support built in.
>>
>> I have configured an SSL backend thusly:
>>
>> bind 0.0.0.0:443 ssl crt /etc/ssl/private/secondmarket.com.pem ca-file
>> /etc/ssl/private/secondmarket.ca.pem ciphers
>> EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
>>
>> launching haproxy under strace provides no indication that it made an
>> attempt to read the ca-file (although you can clearly see it loading the
>> crt file). strace output is here: http://pastebin.com/RDgAug7E
>>
>> Does anyone know why the ca-file directive is being ignored? Shall I
>> upgrade?
>>
>
>
> ca-file is used when validating client certificates. Do you configure
> anything that requires or expects clients to present a valid certificate?
>
> -Bryan
>
>



Re: haproxy daemon does not attempt to read ca-file on startup

2015-10-29 Thread Bryan Talbot
On Thu, Oct 29, 2015 at 1:43 PM, Joseph Hammerman <
jhammer...@secondmarket.com> wrote:

> Hi Brian,
>
> I am trying to issue the intermediate certificate so that my trust chain
> is presented to the browser. Am I using the wrong directive for that
> purpose?
>

Yes. The intermediate certs should go in the certificate file along with
the private key.

So, something like this in your case then:
$> cat secondmarket.com.cert authority-intermediate.pem secondmarket.com.key > secondmarket.com.pem


You might also want DH parameters in that file too if you enable DH key
exchange ciphers.

-Bryan




>
> Thanks,
> Joe Hammerman
>
> On Thu, Oct 29, 2015 at 2:33 PM, Bryan Talbot 
> wrote:
>
>> On Thu, Oct 29, 2015 at 10:39 AM, Joseph Hammerman <
>> jhammer...@secondmarket.com> wrote:
>>
>>> Hi HAProxy users list,
>>>
>>> I am running HAProxy version 1.5.12-1 on Ubuntu Precise Pangolin
>>> (12.04). I have confirmed that it was compiled with OpenSSL support built
>>> in.
>>>
>>> I have configured an SSL backend thusly:
>>>
>>> bind 0.0.0.0:443 ssl crt /etc/ssl/private/secondmarket.com.pem ca-file
>>> /etc/ssl/private/secondmarket.ca.pem ciphers
>>> EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
>>>
>>> launching haproxy under strace provides no indication that it made an
>>> attempt to read the ca-file (although you can clearly see it loading the
>>> crt file). strace output is here: http://pastebin.com/RDgAug7E
>>>
>>> Does anyone know why the ca-file directive is being ignored? Shall I
>>> upgrade?
>>>
>>
>>
>> ca-file is used when validating client certificates. Do you configure
>> anything that requires or expects clients to present a valid certificate?
>>
>> -Bryan
>>
>>
>
>


Re: ip_nonlocal_bind=1 set but sometimes get "cannot bind socket" on reload (-sf)

2015-10-29 Thread Vincent Bernat
 ❦ 29 October 2015 15:16 -0400, Chris Riley  :

> Reloading haproxy: [ALERT] 301/141300 (25939) : Starting proxy
> haproxy-stats: cannot bind socket [192.168.10.27:80]
> [ALERT] 301/141300 (25939) : Starting proxy haproxy-fe1: cannot bind
> socket [192.168.200.100:80]
> [ALERT] 301/141300 (25939) : Starting proxy haproxy-fe2: cannot bind
> socket [192.168.200.120:80]
> [ALERT] 301/141300 (25939) : Starting proxy haproxy-fe3: cannot bind
> socket [192.168.200.110:80]

What's your kernel version?
-- 
As flies to wanton boys are we to the gods; they kill us for their sport.
-- Shakespeare, "King Lear"




lua TXN.set_tos not work

2015-10-29 Thread 神楽坂玲奈
I have this in config file

listen railgun
    option  transparent
    bind *:5000 transparent
    server main *
    source *
    tcp-request content lua.test
    tcp-request content reject if LOCALHOST

and this in .lua

core.register_action("test", { "tcp-req", "http-req" }, function(txn)
   txn:Info("test")
   txn:set_mark(0x10)
   txn:set_tos(0x10)
end)

then run

sudo haproxy -f /etc/haproxy/haproxy.cfg -d

and it successfully prints "test" on each connection, but i see every
packet TOS is 0, not 0x10. same for mark.

HAProxy 1.6.1


Re: Need some help configuring backend health checks

2015-10-29 Thread Daren Sefcik
So I think those links were the right idea and I have been trying different
configurations but am not quite there and am hoping somebody can offer a
bit more guidance.

So when I telnet to the icap server I type in the OPTIONS line followed by
(2) return key presses and then it returns the ICAP text, below is my
telnet session output

===

$ telnet 10.1.4.153 1344
Trying 10.1.4.153...
Connected to 10.1.4.153.
Escape character is '^]'.
OPTIONS icap://127.0.0.1:1344/respmod ICAP/1.0

ICAP/1.0 200 OK
ISTAG: "5BDEEEA9-12E4-2"
Service: Diladele Web Safety 4.2.0.CBF4
Service-ID: qlproxy
Methods: RESPMOD
Options-TTL: 3600
Max-Connections: 15000
Allow: 204
Preview: 4096
Transfer-Preview: *
Encapsulated: null-body=0
Connection: close




Here is what I have tried in the backend configurations

option tcp-check
tcp-check send OPTIONS\ icap\:\/\/127\.0\.0\.1\:1344\/respmod\
ICAP\/1\.0\r\n\
tcp-check send \r\n
tcp-check expect string ICAP\/1\.0\ 200\ OK


but it is still not working, I suspect I need to use some type of regex or
such. Hoping somebody can help me along with this.

TIA..


On Mon, Oct 19, 2015 at 7:42 AM, Daren Sefcik 
wrote:

> Thanks Jarno, I am still not sure how I can apply this to each server
> using a different port but will poke around at it and see if I can figure
> it out.
>
> On Mon, Oct 19, 2015 at 1:04 AM, Jarno Huuskonen 
> wrote:
>
>> Hi,
>>
>> On Sun, Oct 18, Daren Sefcik wrote:
>> > I have an ICAP server backend with servers that each listen on different
>> > ports, can anyone offer some advice on how to configure health checks
>> for
>> > it? I am currently using basic but that really doesn't help if the
>> service
>> > is not responding.
>> >
>> > Here is my haproxy config for the backend:
>> >
>> > backend HTPL_CONT_FILTER_tcp_ipvANY
>> > mode tcp
>> > balance roundrobin
>> > timeout connect 5
>> > timeout server 5
>> > retries 3
>> > server HTPL-WEB-01_10.1.4.153 10.1.4.153:1344 check inter 5000  weight
>> 200
>> > maxconn 200 fastinter 1000 fall 5
>> > server HTPL-WEB-02_10.1.4.154 10.1.4.154:1344 check inter 5000  weight
>> 200
>> > maxconn 200 fastinter 1000 fall 5
>> > server HTPL-WEB-02_10.1.4.155_01 10.1.4.155:8102 check inter 5000
>> weight
>> > 200 maxconn 200 fastinter 1000 fall 5
>> > server HTPL-WEB-02_10.1.4.155_02 10.1.4.155:8202 check inter 5000
>> weight
>> > 200 maxconn 200 fastinter 1000 fall 5
>>
>> Do the icap servers (squid+diladele?) respond to something like this:
>> https://support.symantec.com/en_US/article.TECH220980.html
>> or https://exchange.icinga.org/oldmonex/1733-check_icap.pl/check_icap.pl
>>
>> Maybe you can use tcp-check to send icap request and look for
>> "ICAP/1.0 200" response:
>>
>> https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#tcp-check%20connect
>> http://blog.haproxy.com/2014/01/02/haproxy-advanced-redis-health-check/
>>
>> -Jarno
>>
>> --
>> Jarno Huuskonen
>>
>
>