Reloading maps?
Is there any good way to reload a map, short of either (a) reloading haproxy every time the map changes, or (b) feeding the entire map into the control socket as a series of `set map` statements? I've got a map generated by an external program; we're currently doing (b) and it feels a little fragile...

--
James Brown
Engineer
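One way to make option (b) less fragile, as an added example that is not code from the original post: read the live map back with `show map`, diff it against the file the external generator wrote, and send only the `add map` / `set map` / `del map` commands that differ, with a token check so a generator bug cannot smuggle an extra command onto the socket. The `show map` line format (`<id> <key> <value>`), the map path and the sample contents are assumptions made for the example.

```python
"""Incremental HAProxy map update over the runtime (stats) socket.

Added example for the question above, not code from the original post.
Instead of replaying every entry as a 'set map' statement, it reads the
live map with 'show map', diffs it against the desired map file and emits
only the 'add map' / 'set map' / 'del map' commands that are needed.
Assumptions: 'show map <name>' prints one '<id> <key> <value>' line per
entry, and the map file uses the usual 'key value' lines with '#' comments.
"""
import socket

# Constructed sample of what 'show map /etc/haproxy/hosts.map' could print.
SAMPLE_SHOW_MAP = """0x55d3c0a0e2f0 www.example.com bk_www
0x55d3c0a0e330 api.example.com bk_api
0x55d3c0a0e370 old.example.com bk_old
"""

# Constructed sample of the desired map file written by the external generator.
SAMPLE_MAP_FILE = """# host -> backend (constructed sample)
www.example.com bk_www
api.example.com bk_api_v2
new.example.com bk_new
"""

MAP_NAME = "/etc/haproxy/hosts.map"  # assumed map path


def parse_show_map(output):
    """Turn 'show map' output into {key: value}, skipping malformed lines."""
    live = {}
    for line in output.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3:
            _entry_id, key, value = parts
            live[key] = value
    return live


def parse_map_file(text):
    """Turn a map file into {key: value}; blank and '#' lines are ignored."""
    desired = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            desired[parts[0]] = parts[1]
    return desired


def check_token(token):
    """Refuse tokens that could split or terminate a CLI command.

    The runtime API tokenizes on whitespace, ends a command at a newline and
    accepts ';' as a command separator, so any of these inside a key or
    value could turn one 'set map' into two commands.
    """
    if not token or any(c.isspace() or c == ";" for c in token):
        raise ValueError("unsafe map token: %r" % token)
    return token


def reconcile(map_name, live, desired):
    """Minimal command list that moves the live map to the desired state."""
    cmds = []
    for key, value in sorted(desired.items()):
        check_token(key)
        check_token(value)
        if key not in live:
            cmds.append("add map %s %s %s" % (map_name, key, value))
        elif live[key] != value:
            cmds.append("set map %s %s %s" % (map_name, key, value))
    for key in sorted(live):
        if key not in desired:
            cmds.append("del map %s %s" % (map_name, check_token(key)))
    return cmds


def send_command(socket_path, cmd):
    """Send one command per connection to the UNIX stats socket; return the reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(socket_path)
        s.sendall((cmd + "\n").encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def plan_update(show_map_output, map_file_text, map_name=MAP_NAME):
    """Full pipeline on already-read inputs (used for the offline demo)."""
    return reconcile(map_name, parse_show_map(show_map_output),
                     parse_map_file(map_file_text))


if __name__ == "__main__":
    # Offline demo on the constructed samples. Against a real socket you would
    # fetch the live output with send_command(path, "show map " + MAP_NAME)
    # and then send_command(path, cmd) for each planned command.
    for command in plan_update(SAMPLE_SHOW_MAP, SAMPLE_MAP_FILE):
        print(command)
```

Opening one connection per command is deliberately simple: it avoids depending on how a given HAProxy version treats multi-line input on the stats socket, and a failed command is then isolated to one reply you can log. Entries that did not change produce no command at all, so the generator can run as often as it likes without churning the whole map.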
Re: Bug: DNS changes in 1.7.3+ break UNIX socket stats in daemon mode with resolvers on FreeBSD
On 05/11/2017 01:58 PM, Frederic Lecaille wrote:
> I have reproduced (at home) the stats socket issue within a FreeBSD 9.3 VM.
>
> Replacing your call to close() by fd_delete() which removes the fd from
> the fd set used by kevent *and close it* seems to fix at least the stats
> socket issue. I do not know if there are remaining ones.
>
> I did not reproduce the kevent issue revealed by Lukas traces. But I
> had other ones : ERR#57 'Socket is not connected' during sendto().
>
> I attached a temporary patch to be validated and to let you perhaps
> provide a better one as I have not double checked everything.

Fred,

That seems to have fixed the problem for me. With that patch applied, web traffic passes and the UNIX socket responds.

Thanks!

On 05/10/2017 01:26 PM, Lukas Tribus wrote:
> I had to remove Jim from CC, as my outgoing SMTP rejects the pingle.org
> DNS configuration (probably doesn't like MX->CNAME).

I changed how my MX record was configured, hopefully it is less problematic now.

Jim
Re: Passing SNI value ( ssl_fc_sni ) to backend's verifyhost.
So who do I bug to actually get this coded/patched? Not being familiar with the code base myself ;)

--
Kevin McArthur

On 2017-05-08 3:12 PM, Lukas Tribus wrote:
> Hello,
>
> On 08.05.2017 at 10:56, Daniel Schneller wrote:
>> Just my 2c, I very much support Kevin’s argument. Even though we are not (yet) verifying backends — because currently we _are_ in a private LAN — we are planning to deploy parts of our application to public cloud infrastructure soon, so it would be a quite important feature.
>>
>> On 6. May. 2017, at 19:18, Kevin McArthur> wrote:
>>> 1. The Snowden leaks and the whole "SSL added and removed here" issue, for example. TLS on internal networks is more important these days due to local network implants and other security issues on LANs.
>>> 2. Our use case is actually DigitalOcean where there is "private networking" but it is shared among many customers. Operating without TLS on this semi-private network would be unwise.
>>> 3. Most of the public tutorials for re-encrypt bridged TLS are simply incurring TLS overhead while providing no TLS security. (eg SSL on but, verify none enabled, verifyhost not set, etc)
>>> 4. Use cases like CDN proxy of public servers. Think Cloudflare's Full SSL (Strict) setup...
>
> Haproxy can verify the certificate of backend TLS servers since day 1.
> The only thing missing is client SNI based backend certificate
> verification, which yes - since we can pass client SNI to the TLS server
> - we need to consider for the certificate verification process as well.
>
> Regards,
> Lukas
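The "TLS on but nothing verified" pattern from point 3 above, beside a form that actually verifies the backend, as an added configuration example that is not from this thread. Every path, address and hostname in it is a placeholder; only the keywords (`ssl-server-verify`, `verify`, `ca-file`, `verifyhost`, `sni`) are real HAProxy directives.

```haproxy
# Added example: re-encrypting bridge, weak form beside hardened form.
# All paths, addresses and hostnames below are placeholders.

global
    # Refuse to start if any 'ssl' server line does not state its 'verify' mode
    ssl-server-verify required

frontend fe_https
    mode http
    bind :443 ssl crt /etc/haproxy/certs/site.pem   # placeholder path
    default_backend be_app

# WEAK: traffic is encrypted on the wire, but 'verify none' accepts any
# certificate, so another host on a shared "private" network could stand in
# for the backend without HAProxy noticing.
backend be_app_weak
    mode http
    server app1 10.0.0.10:443 ssl verify none

# HARDENED: the chain must validate against the internal CA and the certificate
# must carry the expected name. 'verifyhost' is one static name per server line.
backend be_app
    mode http
    server app1 10.0.0.10:443 ssl verify required ca-file /etc/haproxy/ca/internal-ca.pem verifyhost app1.internal.example sni str(app1.internal.example)
```

The `sni` keyword can also forward the client's value (`sni ssl_fc_sni`), but the name that gets verified is still the static `verifyhost` string, which is exactly the gap Lukas describes above: the SNI reaches the backend, the verification does not follow it. Until that exists, keep `sni` and `verifyhost` agreeing on one name per server line, as in the hardened form.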
Re: Bug: DNS changes in 1.7.3+ break UNIX socket stats in daemon mode with resolvers on FreeBSD
Hi,

On 05/11/2017 09:51 AM, Baptiste wrote:
> Hi Lukas,
>
> Thanks a lot!
>
> So, after the fork(), HAProxy closes the UDP socket (4) and opens a new one (1) as expected, that said, the scheduler still points to the old one.
> Obviously, this behavior doesn't happen on Linux.

socket #4 has been closed() but not removed from kevent fd set...

> I'll see how I can reproduce the issue and then fix it.
> That said, I'm running a bit out of time for now.

I have reproduced (at home) the stats socket issue within a FreeBSD 9.3 VM.

Replacing your call to close() by fd_delete() which removes the fd from the fd set used by kevent *and close it* seems to fix at least the stats socket issue. I do not know if there are remaining ones.

I did not reproduce the kevent issue revealed by Lukas traces. But I had other ones : ERR#57 'Socket is not connected' during sendto().

I attached a temporary patch to be validated and to let you perhaps provide a better one as I have not double checked everything.

I hope this will help.

Regards,
Fred.

diff --git a/src/dns.c b/src/dns.c index a118598..cb0a9a9 100644 --- a/src/dns.c +++ b/src/dns.c @@ -1004,7 +1004,7 @@ int dns_init_resolvers(int close_socket) if (close_socket == 1) { if (curnameserver->dgram) { - close(curnameserver->dgram->t.sock.fd); + fd_delete(curnameserver->dgram->t.sock.fd); memset(curnameserver->dgram, '\0', sizeof(*dgram)); dgram = curnameserver->dgram; }
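Review bot: the one-line change from close() to fd_delete() in dns_init_resolvers() should carry a comment saying why, because the bug it fixes is invisible on Linux: a bare close() leaves the descriptor registered in the kqueue set, and the socket opened right after the fork() reuses the same fd number, so poller events for the new socket are handled with the stale state. Without a comment a later cleanup could put close() back and only FreeBSD users would notice. Two further points on the visible lines: the hunk only covers the close_socket == 1 path of the nameserver datagram socket, so the ERR#57 (ENOTCONN) from sendto() that the author reports is not addressed here and deserves its own follow-up; and since this is an fd ownership issue after fork(), the commit message should state in which process (parent or child) the fd is removed so reviewers can confirm the poller being updated is the one that still holds the registration.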
haproxy
Hello, excuse me, my English is very bad. I need to know how to change the HAProxy configuration from passive to active manually, without using keepalived. I need this information for a high school homework. Thanks. My native language is Spanish.
Re: haproxy + RDP
Hi Antonio Trujillo Carmona.

thanks

Antonio Trujillo Carmona has written on Thu, 11 May 2017 12:24:00 +0200:

> On 11/05/17 at 11:23, Aleksandar Lazic wrote:
> > Hi Antonio Trujillo Carmona.
> >
> > Antonio Trujillo Carmona has written on Thu, 11 May 2017 10:22:59 +0200:
> >
> >> Why doesn't this configuration detect a server down?
> > Please can you post the output of haproxy -vv
> $ haproxy -vv
> HA-Proxy version 1.5.18 2016/05/10
> Copyright 2000-2016 Willy Tarreau
>
> Build options :
>   TARGET  = linux2628
>   CPU     = generic
>   CC      = gcc
>   CFLAGS  = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
>   OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1
>
> Default settings :
>   maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
>
> Encrypted password support via crypt(3): yes
> Built with zlib version : 1.2.7
> Compression algorithms supported : identity, deflate, gzip
> Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
> Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports prefer-server-ciphers : yes
> Built with PCRE version : 8.32 2012-11-30
> PCRE library supports JIT : no (USE_PCRE_JIT not set)
> Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
>
> Available polling systems :
>       epoll : pref=300,  test result OK
>        poll : pref=200,  test result OK
>      select : pref=150,  test result OK
> Total: 3 (3 usable), will use epoll.
>
> > Please can you post some logs as you have debug activated.
> # haproxy -d -f /etc/haproxy/haproxy.cfg
> [WARNING] 130/120716 (27612) : parsing [/etc/haproxy/haproxy.cfg:165] : 'timeout server' will be ignored because frontend 'RDP' has no backend capability
> [WARNING] 130/120716 (27612) : config : backend 'bk_rdp' uses tcp-check rules without 'option tcp-check', so the rules are ignored.

How about activating the 'option tcp-check' as mentioned in the Warning?
In the config below it's commented, any reason why?

It's also active in the doc which you maybe know.
https://www.haproxy.com/doc/aloha/7.0/deployment_guides/microsoft_remote_desktop_services.html

Does this change anything?

Regards
aleks

> Available polling systems :
>       epoll : pref=300,  test result OK
>        poll : pref=200,  test result OK
>      select : pref=150,  test result FAILED
> Total: 3 (2 usable), will use epoll.
> Using epoll() as the polling mechanism.
> [WARNING] 130/120717 (27612) : Server CitrixSF-SSL/CitrixSF03 is DOWN, reason: Layer4 connection problem, info: "Connection refused", check duration: 3ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
> [WARNING] 130/120718 (27612) : Server bk_rdp/gr43sterminal02 is DOWN, reason: Socket error, check duration: 12ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
> [WARNING] 130/120719 (27612) : Server bk_rdp/gr43sterminal01 is DOWN, reason: Layer4 timeout, check duration: 2001ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
> [ALERT] 130/120719 (27612) : backend 'bk_rdp' has no server available!
>
> Message from syslogd@localhost at May 11 12:07:19 ...
>  haproxy[27612]: backend bk_rdp has no server available!
>
> Message from syslogd@localhost at May 11 12:07:19 ...
>  haproxy[27612]: backend bk_rdp has no server available!
>
> but :
> # nmap gr43sterminal02 -p3389
>
> Starting Nmap 6.40 ( http://nmap.org ) at 2017-05-11 12:12 CEST
> Nmap scan report for gr43sterminal02 (10.104.23.141)
> Host is up (0.00072s latency).
> rDNS record for 10.104.23.141: gr43sterminal02.hvn.sas.junta-andalucia.es
> PORT     STATE SERVICE
> 3389/tcp open  ms-wbt-server
>
> This one is up and the other down
>
> if I comment
> # option ssl-hello-chk
>
> both appear up
> # haproxy -d -f /etc/haproxy/haproxy.cfg
> [WARNING] 130/121803 (27722) : parsing [/etc/haproxy/haproxy.cfg:165] : 'timeout server' will be ignored because frontend 'RDP' has no backend capability
> Available polling systems :
>       epoll : pref=300,  test result OK
>        poll : pref=200,  test result OK
>      select : pref=150,  test result FAILED
> Total: 3 (2 usable), will use epoll.
> Using epoll() as the polling mechanism.
> [WARNING] 130/121804 (27722) : Server CitrixSF-SSL/CitrixSF03 is DOWN, reason: Layer4 connection problem, info: "Connection refused", check duration: 3ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
> :gr43stemis01.clicls[:0009]
> :gr43stemis01.closed[:0009]
> :gr43stemis01.clicls[:000a]
> :gr43stemis01.closed[:000a]
> :gr43stemis01.clicls[:000b]
>
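The two check set-ups this thread compares, written out side by side as an added configuration example (not a configuration from the thread or from the linked guide). The server addresses are the ones Antonio posted; stick-table, peers and timeout lines are left out because they do not affect the health check. Which check method is right for these particular servers is not settled on this page, so the corrected form only does what Aleksandar suggests: turn on the tcp-check engine so the rule that is already there is used.

```haproxy
# Added example: RDP backend health checks on HAProxy 1.5, as posted and corrected.
# Addresses are from the thread; sticking, peers and timeouts are omitted here.

# AS POSTED: 'tcp-check connect port 3389 ssl' is parsed but ignored because
# 'option tcp-check' is commented out (the startup warning says so). The only
# active check is 'option ssl-hello-chk', which sends an SSLv3 ClientHello and
# expects a ServerHello; a server that does not answer a bare SSLv3 hello on
# 3389 is marked DOWN even though the port accepts connections (the nmap result).
# Commenting ssl-hello-chk out too leaves a plain TCP connect check, which
# reports UP while the RDP service behind the open port may be broken.
backend bk_rdp_as_posted
    mode tcp
    balance leastconn
    persist rdp-cookie
    # option tcp-check
    option ssl-hello-chk
    tcp-check connect port 3389 ssl
    server gr43sterminal01 10.104.22.142:3389 weight 1 check inter 2000 rise 2 fall 3
    server gr43sterminal02 10.104.23.141:3389 weight 1 check inter 2000 rise 2 fall 3

# CORRECTED: enable the tcp-check engine so the connect rule is actually used,
# and drop ssl-hello-chk, since the two are alternative check methods rather
# than something to combine.
backend bk_rdp
    mode tcp
    balance leastconn
    persist rdp-cookie
    option tcp-check
    tcp-check connect port 3389 ssl
    server gr43sterminal01 10.104.22.142:3389 weight 1 check inter 2000 rise 2 fall 3
    server gr43sterminal02 10.104.23.141:3389 weight 1 check inter 2000 rise 2 fall 3
```

After changing the check, confirm the result from HAProxy itself rather than from nmap: `haproxy -d` prints the DOWN/UP transitions with the reason as in the logs above, and `show stat` on the stats socket shows the last check status and duration per server. A check that only proves the port is open gives the false sense of health Antonio describes, so the goal is a check whose failure reason changes when the RDP service, not just the host, is unavailable.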
Re: haproxy + RDP
On 11/05/17 at 11:23, Aleksandar Lazic wrote:
> Hi Antonio Trujillo Carmona.
>
> Antonio Trujillo Carmona has written on Thu, 11 May 2017 10:22:59 +0200:
>
>> Why doesn't this configuration detect a server down?
> Please can you post the output of haproxy -vv

$ haproxy -vv
HA-Proxy version 1.5.18 2016/05/10
Copyright 2000-2016 Willy Tarreau

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

> Please can you post some logs as you have debug activated.

# haproxy -d -f /etc/haproxy/haproxy.cfg
[WARNING] 130/120716 (27612) : parsing [/etc/haproxy/haproxy.cfg:165] : 'timeout server' will be ignored because frontend 'RDP' has no backend capability
[WARNING] 130/120716 (27612) : config : backend 'bk_rdp' uses tcp-check rules without 'option tcp-check', so the rules are ignored.
Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result FAILED
Total: 3 (2 usable), will use epoll.
Using epoll() as the polling mechanism.
[WARNING] 130/120717 (27612) : Server CitrixSF-SSL/CitrixSF03 is DOWN, reason: Layer4 connection problem, info: "Connection refused", check duration: 3ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
[WARNING] 130/120718 (27612) : Server bk_rdp/gr43sterminal02 is DOWN, reason: Socket error, check duration: 12ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
[WARNING] 130/120719 (27612) : Server bk_rdp/gr43sterminal01 is DOWN, reason: Layer4 timeout, check duration: 2001ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
[ALERT] 130/120719 (27612) : backend 'bk_rdp' has no server available!

Message from syslogd@localhost at May 11 12:07:19 ...
 haproxy[27612]: backend bk_rdp has no server available!

Message from syslogd@localhost at May 11 12:07:19 ...
 haproxy[27612]: backend bk_rdp has no server available!

but :
# nmap gr43sterminal02 -p3389

Starting Nmap 6.40 ( http://nmap.org ) at 2017-05-11 12:12 CEST
Nmap scan report for gr43sterminal02 (10.104.23.141)
Host is up (0.00072s latency).
rDNS record for 10.104.23.141: gr43sterminal02.hvn.sas.junta-andalucia.es
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server

This one is up and the other down

if I comment
# option ssl-hello-chk

both appear up
# haproxy -d -f /etc/haproxy/haproxy.cfg
[WARNING] 130/121803 (27722) : parsing [/etc/haproxy/haproxy.cfg:165] : 'timeout server' will be ignored because frontend 'RDP' has no backend capability
Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result FAILED
Total: 3 (2 usable), will use epoll.
Using epoll() as the polling mechanism.
[WARNING] 130/121804 (27722) : Server CitrixSF-SSL/CitrixSF03 is DOWN, reason: Layer4 connection problem, info: "Connection refused", check duration: 3ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
:gr43stemis01.clicls[:0009]
:gr43stemis01.closed[:0009]
:gr43stemis01.clicls[:000a]
:gr43stemis01.closed[:000a]
:gr43stemis01.clicls[:000b]
:gr43stemis01.closed[:000b]
:gr43stemis01.clicls[:000c]
:gr43stemis01.closed[:000c]
:gr43stemis01.clicls[:000d]
:gr43stemis01.closed[:000d]
:RDP.accept(0007)=000a from [10.104.24.53:60969]

only if I comment
#option ssl-hello-chk
#tcp-check connect port 3389 ssl

it seems to work, but I'm afraid that it checks the server, not the service, so if the server is up but the RDP service fails haproxy will not detect it.

>
>> global
>>     log 127.0.0.1 local0 debug
>>     log 127.0.0.1 local1 notice
>>     log 10.104.16.5 local7 debug
>>     chroot /var/lib/haproxy
>>     user haproxy
>>     group
[PATCH]: CLEANUP/MINOR: retire obsoleted USE_GETSOCKNAME build option
Hello,

this is a patch to nuke the obsoleted USE_GETSOCKNAME build option. Thanks!

Attachment: 0001-CLEANUP-MINOR-retire-USE_GETSOCKNAME-build-option.patch
Re: haproxy + RDP
Hi Antonio Trujillo Carmona.

Antonio Trujillo Carmona has written on Thu, 11 May 2017 10:22:59 +0200:

> Why doesn't this configuration detect a server down?

Please can you post the output of haproxy -vv

Please can you post some logs as you have debug activated.

> global
>     log 127.0.0.1 local0 debug
>     log 127.0.0.1 local1 notice
>     log 10.104.16.5 local7 debug
>     chroot /var/lib/haproxy
>     user haproxy
>     group haproxy
>     daemon
>     node GR43STEMIS01-BALANCEADOR-HA-SSL
>
> # To synchronize the session tables
> peers pares
>     # disable
>     peer gr43stemis01 10.107.20.7:1024
>     peer gr43stemis02 10.107.20.8:1024
>
> defaults
>     log global
>     mode http
>     option dontlognull
>     option httpchk
>     retries 3
>     option redispatch
>     maxconn 5000
>     timeout connect 50s
>     timeout client 30min
>     timeout server 50s
> .../...
> frontend RDP
>     mode tcp
>     bind *:3389
>     timeout client 1h
>     timeout server 1h
>     tcp-request inspect-delay 5s
>     tcp-request content accept if RDP_COOKIE
>     # use_backend bk_rdp
>     default_backend bk_rdp
>
> backend bk_rdp
>     mode tcp
>     balance leastconn
>     #balance rdp_coockie
>     timeout server 1h
>     timeout connect 4s
>     log global
>     stick-table type string len 32 size 10k expire 1h peers pares
>     stick on rdp_cookie(msthash)
>
>     persist rdp-cookie
>     # option tcp-check
>     option ssl-hello-chk
>     # option tcpka
>
>     tcp-check connect port 3389 ssl
>
>     server gr43sterminal01 10.104.22.142:3389 weight 1 check inter 2000 rise 2 fall 3
>     server gr43sterminal02 10.104.23.141:3389 weight 1 check inter 2000 rise 2 fall 3
>
>
> Thank.
> --
>
> Antonio Trujillo Carmona
>
> Network and systems technician.
>
> Subdirección de Tecnologías de la Información y Comunicaciones
>
> Servicio Andaluz de Salud. Consejería de Salud de la Junta de Andalucía
>
> antonio.trujillo.s...@juntadeandalucia.es
>
> Tel. +34 670947670 747670)
haproxy + RDP
Why doesn't this configuration detect a server down?

global
    log 127.0.0.1 local0 debug
    log 127.0.0.1 local1 notice
    log 10.104.16.5 local7 debug
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    node GR43STEMIS01-BALANCEADOR-HA-SSL

# To synchronize the session tables
peers pares
    # disable
    peer gr43stemis01 10.107.20.7:1024
    peer gr43stemis02 10.107.20.8:1024

defaults
    log global
    mode http
    option dontlognull
    option httpchk
    retries 3
    option redispatch
    maxconn 5000
    timeout connect 50s
    timeout client 30min
    timeout server 50s
.../...
frontend RDP
    mode tcp
    bind *:3389
    timeout client 1h
    timeout server 1h
    tcp-request inspect-delay 5s
    tcp-request content accept if RDP_COOKIE
    # use_backend bk_rdp
    default_backend bk_rdp

backend bk_rdp
    mode tcp
    balance leastconn
    #balance rdp_coockie
    timeout server 1h
    timeout connect 4s
    log global
    stick-table type string len 32 size 10k expire 1h peers pares
    stick on rdp_cookie(msthash)

    persist rdp-cookie
    # option tcp-check
    option ssl-hello-chk
    # option tcpka

    tcp-check connect port 3389 ssl

    server gr43sterminal01 10.104.22.142:3389 weight 1 check inter 2000 rise 2 fall 3
    server gr43sterminal02 10.104.23.141:3389 weight 1 check inter 2000 rise 2 fall 3

Thank.
--

Antonio Trujillo Carmona

Network and systems technician.

Subdirección de Tecnologías de la Información y Comunicaciones

Servicio Andaluz de Salud. Consejería de Salud de la Junta de Andalucía

antonio.trujillo.s...@juntadeandalucia.es

Tel. +34 670947670 747670)
Re: Bug: DNS changes in 1.7.3+ break UNIX socket stats in daemon mode with resolvers on FreeBSD
Hi Lukas,

Thanks a lot!

So, after the fork(), HAProxy closes the UDP socket (4) and opens a new one (1) as expected, that said, the scheduler still points to the old one.
Obviously, this behavior doesn't happen on Linux.

I'll see how I can reproduce the issue and then fix it.
That said, I'm running a bit out of time for now.

Baptiste
Re: USE_GETSOCKNAME obsoleted?
Hi Dmitry,

On Wed, May 10, 2017 at 12:50:15PM +0300, Dmitry Sivachenko wrote:
> Hello,
>
> in Makefile I see some logic around USE_GETSOCKNAME define.
> But as far as I see, in sources you use getsockname() unconditionally.
>
> Is this an obsoleted define which should be removed from Makefile?

Ah you're right, I'm seeing it was rendered obsolete in 1.5-dev10 by commit 59b9479 ("BUG/MEDIUM: stream_interface: restore get_src/get_dst") and completely removed by the next cleanup commit. Amusingly, we continued to add it to new operating system definitions in the makefile.

Do you want to submit a cleanup patch ?

Thanks,
Willy