Re: Configuring HAProxy

2020-02-09 Thread Akshay Mangla
Hi Aleksandar,

Please also find the following file outputs, which might be of some use to you.

*[root@lxapp14012 haproxy]# more /usr/lib/systemd/system/haproxy.service*
[Unit]
Description=HAProxy Load Balancer
After=syslog.target network.target

[Service]
EnvironmentFile=/etc/sysconfig/haproxy
ExecStart=/usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p
/run/haproxy.pid $OPTIONS
ExecReload=/bin/kill -USR2 $MAINPID
KillMode=mixed

[Install]
WantedBy=multi-user.target

*[root@lxapp14012 ~]# more /run/haproxy.pid*
12552

Also we are using *Oracle Web Tier as Web Servers* in the current scenario.

Regards,
Akshay

On Mon, Feb 10, 2020 at 10:30 AM Akshay Mangla 
wrote:

> Hi Aleksandar,
>
> I have made a few changes to the haproxy.cfg file and following are the
> outputs :-
>
> HAPROXY.cfg
> #-
> # Example configuration for a possible web application.  See the
> # full configuration options online.
> #
> #   http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
> #
> #-
>
> #-
> # Global settings
> #-
> global
> # to have these messages end up in /var/log/haproxy.log you will
> # need to:
> #
> # 1) configure syslog to accept network log events.  This is done
> #by adding the '-r' option to the SYSLOGD_OPTIONS in
> #/etc/sysconfig/syslog
> #
> # 2) configure local2 events to go to the /var/log/haproxy.log
> #   file. A line like the following can be added to
> #   /etc/sysconfig/syslog
> #
> #local2.*   /var/log/haproxy.log
> #
> log 127.0.0.1 local2
>
> chroot  /var/lib/haproxy
> pidfile /var/run/haproxy.pid
> maxconn 4000
> user    haproxy
> group   haproxy
> daemon
>
> # turn on stats unix socket
> stats socket /var/lib/haproxy/stats
>
> #-
> # common defaults that all the 'listen' and 'backend' sections will
> # use if not designated in their block
> #-
> defaults
> mode    http
> log global
> option  httplog
> option  dontlognull
> option http-server-close
> option forwardfor   except 127.0.0.0/8
> option  redispatch
> retries 3
> timeout http-request    10s
> timeout queue   1m
> timeout connect 10s
> timeout client  1m
> timeout server  1m
> timeout http-keep-alive 10s
> timeout check   10s
> maxconn 3000
>
> #-
> # main frontend which proxys to the backends
> #-
> frontend  main *:5000
> acl url_static   path_beg   -i /static /images /javascript
> /stylesheets
> acl url_static   path_end   -i .jpg .gif .png .css .js
>
> use_backend static  if url_static
> default_backend app
>
> #-
> # static backend for serving up images, stylesheets and such
> #-
> backend static
> balance roundrobin
> server  static 127.0.0.1:4331 check
>
> #-
> # round robin balancing between the various backends
> #-
> backend app
> balance roundrobin
> server  app1 127.0.0.1:5001 check
> server  app2 127.0.0.1:5002 check
> server  app3 127.0.0.1:5003 check
> server  app4 127.0.0.1:5004 check
>
> frontend haproxy_inbound
> bind *:443 *[CHANGED PORT]*
> default_backend haproxy_httpd
>
> backend haproxy_httpd
> balance roundrobin
> mode http #(NOT NEEDED IF DEFINED IN DEFAULTS)
> option httpchk
> server lxapp14070.dc.corp.telstra.com 10.195.70.12:443 check  * [Host
> and Port Changed]*
> server lxapp14071.dc.corp.telstra.com 10.195.70.13:443 check   *[Host
> and Port Changed] *
>
> 1.*curl -v --max-time 30 127.0.0.1:5001 *
>
> [root@lxapp14012 ~]# curl -v --max-time 30 127.0.0.1:5001
> * About to connect() to 127.0.0.1 port 5001 (#0)
> *   Trying 127.0.0.1...
> * Connection refused
> * Failed connect to 127.0.0.1:5001; Connection refused
> * Closing connection 0
> curl: (7) Failed connect to 127.0.0.1:5001; Connection refused
>
> 2. *curl -v --max-time 30 

Re: Configuring HAProxy

2020-02-09 Thread Akshay Mangla
Hi Aleksandar,

I have made a few changes to the haproxy.cfg file and following are the
outputs :-

HAPROXY.cfg
#-
# Example configuration for a possible web application.  See the
# full configuration options online.
#
#   http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
#-

#-
# Global settings
#-
global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events.  This is done
#by adding the '-r' option to the SYSLOGD_OPTIONS in
#/etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
#   file. A line like the following can be added to
#   /etc/sysconfig/syslog
#
#local2.*   /var/log/haproxy.log
#
log 127.0.0.1 local2

chroot  /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user    haproxy
group   haproxy
daemon

# turn on stats unix socket
stats socket /var/lib/haproxy/stats

#-
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#-
defaults
mode    http
log global
option  httplog
option  dontlognull
option http-server-close
option forwardfor   except 127.0.0.0/8
option  redispatch
retries 3
timeout http-request    10s
timeout queue   1m
timeout connect 10s
timeout client  1m
timeout server  1m
timeout http-keep-alive 10s
timeout check   10s
maxconn 3000

#-
# main frontend which proxys to the backends
#-
frontend  main *:5000
acl url_static   path_beg   -i /static /images /javascript
/stylesheets
acl url_static   path_end   -i .jpg .gif .png .css .js

use_backend static  if url_static
default_backend app

#-
# static backend for serving up images, stylesheets and such
#-
backend static
balance roundrobin
server  static 127.0.0.1:4331 check

#-
# round robin balancing between the various backends
#-
backend app
balance roundrobin
server  app1 127.0.0.1:5001 check
server  app2 127.0.0.1:5002 check
server  app3 127.0.0.1:5003 check
server  app4 127.0.0.1:5004 check

frontend haproxy_inbound
bind *:443 *[CHANGED PORT]*
default_backend haproxy_httpd

backend haproxy_httpd
balance roundrobin
mode http #(NOT NEEDED IF DEFINED IN DEFAULTS)
option httpchk
server lxapp14070.dc.corp.telstra.com 10.195.70.12:443 check  * [Host
and Port Changed]*
server lxapp14071.dc.corp.telstra.com 10.195.70.13:443 check   *[Host
and Port Changed] *

1.*curl -v --max-time 30 127.0.0.1:5001 *

[root@lxapp14012 ~]# curl -v --max-time 30 127.0.0.1:5001
* About to connect() to 127.0.0.1 port 5001 (#0)
*   Trying 127.0.0.1...
* Connection refused
* Failed connect to 127.0.0.1:5001; Connection refused
* Closing connection 0
curl: (7) Failed connect to 127.0.0.1:5001; Connection refused

2. *curl -v --max-time 30 10.195.70.12:443 *

[root@lxapp14012 haproxy]# curl -v --max-time 30 10.195.70.12:443
* About to connect() to 10.195.70.12 port 443 (#0)
*   Trying 10.195.70.12...
* Connected to 10.195.70.12 (10.195.70.12) port 443 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 10.195.70.12:443
> Accept: */*
>
* Empty reply from server
* Connection #0 to host 10.195.70.12 left intact
curl: (52) Empty reply from server

3.*curl -v --max-time 30 10.195.70.13:443 *

[root@lxapp14012 haproxy]# curl -v --max-time 30 10.195.70.13:443
* About to connect() to 10.195.70.13 port 443 (#0)
*   Trying 10.195.70.13...
* Connected to 10.195.70.13 (10.195.70.13) port 443 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 10.195.70.13:443
> Accept: */*
>
* Empty reply from server
* Connection #0 to host 10.195.70.13 left intact
curl: (52) Empty reply from server


Re: Configuring HAProxy

2020-02-09 Thread Aleksandar Lazic

Hi.

Please keep the mailing list in the loop.

On 06.02.20 10:23, Akshay Mangla wrote:

Hi Aleksandar,

Apologies for sending in the screenshot.


No probs just a hint.


I got the following output when I ran the above commands :-

*1.curl -v --max-time 30 http://127.0.0.1:5001/*

[root@lxapp14012 ~]# curl -v --max-time 30 127.0.0.1:5001 

* About to connect() to 127.0.0.1 port 5001 (#0)
*   Trying 127.0.0.1...
* Connection refused
* Failed connect to 127.0.0.1:5001 ; Connection refused
* Closing connection 0
curl: (7) Failed connect to 127.0.0.1:5001 ; Connection 
refused


Okay, you should remove the "backend app" section; it looks like you don't need it.


*2. curl -v --max-time 30 http://10.195.77.21:7068*
*
*
* About to connect() to 10.195.77.21 port 7068 (#0)
*   Trying 10.195.77.21...
* Connected to 10.195.77.21 (10.195.77.21) port 7068 (#0)
 > GET / HTTP/1.1
 > User-Agent: curl/7.29.0
 > Host: 10.195.77.21:7068 
 > Accept: */*
 >
* Connection #0 to host 10.195.77.21 left intact*
*

*3.curl -v --max-time 30 http://10.195.77.22:7068*
*
*
* About to connect() to 10.195.77.22 port 7068 (#0)
*   Trying 10.195.77.22...
* Connected to 10.195.77.22 (10.195.77.22) port 7068 (#0)
 > GET / HTTP/1.1
 > User-Agent: curl/7.29.0
 > Host: 10.195.77.22:7068 
 > Accept: */*
 >
* Connection #0 to host 10.195.77.22 left intact*
*

*Following is the version of HAProxy*



[root@lxapp14012 ~]# haproxy -vv
HA-Proxy version 1.5.18 2016/05/10


[snipp]

Thanks. You should consider updating it to the latest version.


*Also the outputs of the screenshot sent earlier is as below :-*

[root@lxapp14012 ~]# haproxy -c -f /etc/haproxy/haproxy.cfg
Configuration file is valid

[root@lxapp14012 ~]# haproxy -db -f /etc/haproxy/haproxy.cfg
[WARNING] 036/201733 (14778) : Server static/static is DOWN, reason: Layer4 connection 
problem, info: "Connection refused", check duration: 0ms. 0 active and 0 backup 
servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
[ALERT] 036/201733 (14778) : backend 'static' has no server available!
[WARNING] 036/201733 (14778) : Server app/app1 is DOWN, reason: Layer4 connection 
problem, info: "Connection refused", check duration: 0ms. 3 active and 0 backup 
servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
[WARNING] 036/201734 (14778) : Server app/app2 is DOWN, reason: Layer4 connection 
problem, info: "Connection refused", check duration: 0ms. 2 active and 0 backup 
servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
[WARNING] 036/201734 (14778) : Server app/app3 is DOWN, reason: Layer4 connection 
problem, info: "Connection refused", check duration: 0ms. 1 active and 0 backup 
servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
[WARNING] 036/201734 (14778) : Server app/app4 is DOWN, reason: Layer4 connection 
problem, info: "Connection refused", check duration: 0ms. 0 active and 0 backup 
servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
[ALERT] 036/201734 (14778) : backend 'app' has no server available!


Yes, clearly there are no servers on localhost.


[WARNING] 036/201734 (14778) : Server haproxy_httpd/lxapp14058.dc.corp.telstra.com 
 is DOWN, reason: Layer7 invalid response, info: 
"<15><03><03>", check duration: 1ms. 1 active and 0 backup servers left. 0 sessions 
active, 0 requeued, 0 remaining in queue.
[WARNING] 036/201735 (14778) : Server haproxy_httpd/lxapp14059.dc.corp.telstra.com 
 is DOWN, reason: Layer7 invalid response, info: 
"<15><03><03>", check duration: 2ms. 0 active and 0 backup servers left. 0 sessions 
active, 0 requeued, 0 remaining in queue.
[ALERT] 036/201735 (14778) : backend 'haproxy_httpd' has no server available!


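Looks like the backend expects HTTPS or TCP: the "<15><03><03>" in the check response is the start of a TLS alert record, so the servers answered the plain-HTTP health check with TLS.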

Which protocol do the servers lxapp*.dc.corp.telstra.com expect?


Regards,
Akshay


Regards
Aleks


On Thu, Feb 6, 2020 at 1:43 PM Aleksandar Lazic <al-hapr...@none.at> wrote:

Hi.

On 06.02.20 07:08, Akshay Mangla wrote:
 > Hi HAProxy Team,
 >
 > I have been trying to install HAProxy on my vm machine and facing some 
difficulties in doing so.
 >
 > Following is the HAProxy config file that we have currently.
 >
 > #-
 > # Example configuration for a possible web application.  See the
 > # full configuration options online.
 > #
 > # http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
 > #
 > #-
 >
 > #-
 > # Global settings
 > #-
 > global
 >      # to have these messages end up in 

dns fails to process response / hold valid? (since commit 2.2-dev0-13a9232)

2020-02-09 Thread PiBa-NL

Hi List, Baptiste,

After updating haproxy i found that the DNS resolver is no longer 
working for me. Also i wonder about the exact effect that 'hold valid' 
should have.
I pointed haproxy to a 'Unbound 1.9.4' dns server that does the 
recursive resolving of the dns request made by haproxy.


Before commit '2.2-dev0-13a9232, released 2020/01/22 (use additional 
records from SRV responses)' I get seemingly properly working resolution 
of a server name.
After this commit all responses are counted as 'invalid' in the socket 
stats.


Attached is also a pcap of the DNS traffic, which shows a short capture of 
a single attempt where 3 retries for both A and AAAA records show up. 
An additional record of type 'OPT' is present in the response. 
But the exact same keeps repeating every 5 seconds.
As for 'hold valid' (tested with the commit before this one), it seems 
that the stats page of haproxy shows the server in 'resolution' status 
way before the 3 minute 'hold valid' has passed when I simply disconnect 
the network of the server running the Unbound-DNS server. Though I guess 
that is less important than DNS working at all in the first place.


If any additional information is needed please let me know :).

Can you/someone take a look? Thanks in advance.

p.s. i think i read something about a 'vtest' that can test the haproxy 
DNS functionality, if you have a example that does this i would be happy 
to provide a vtest with a reproduction of the issue though i guess it 
will be kinda 'slow' if it needs to test for hold valid timings..


Regards,
PiBa-NL (Pieter)

 haproxy config:

resolvers globalresolvers
    nameserver pfs_routerbox 192.168.0.18:53
    resolve_retries 3
    timeout retry 200
    hold valid 3m
    hold nx 10s
    hold other 15s
    hold refused 20s
    hold timeout 25s
    hold obsolete 30s
    timeout resolve 5s

frontend nu_nl
    bind            192.168.0.19:433 name 192.168.0.19:433   ssl 
crt-list /var/etc/haproxy/nu_nl.crt_list

    mode            http
    log            global
    option            http-keep-alive
    timeout client        3
    use_backend nu.nl_ipvANY

backend nu.nl_ipvANY
    mode            http
    id            2113
    log            global
    timeout connect        3
    timeout server        3
    retries            3
    option            httpchk GET / HTTP/1.0\r\nHost:\ 
nu.nl\r\nAccept:\ */*
    server            nu_nl nu.nl:443 id 2114 ssl check inter 1  
verify none resolvers globalresolvers check-sni nu.nl resolve-prefer ipv4



 haproxy_socket.sh show resolvers
Resolvers section globalresolvers
 nameserver pfs_routerbox:
  sent:    216
  snd_error:   0
  valid:   0
  update:  0
  cname:   0
  cname_error: 0
  any_err: 108
  nx:  0
  timeout: 0
  refused: 0
  other:   0
  invalid: 108
  too_big: 0
  truncated:   0
  outdated:    0

 haproxy -vv
HA-Proxy version 2.2-dev0-13a9232 2020/01/22 - https://haproxy.org/
Status: development branch - not safe for use in production.
Known bugs: https://github.com/haproxy/haproxy/issues?q=is:issue+is:open
Build options :
  TARGET  = freebsd
  CPU = generic
  CC  = cc
  CFLAGS  = -pipe -g -fstack-protector -fno-strict-aliasing 
-fno-strict-aliasing -Wdeclaration-after-statement -fwrapv 
-fno-strict-overflow -Wno-null-dereference -Wno-unused-label 
-Wno-unused-parameter -Wno-sign-compare -Wno-ignored-qualifiers 
-Wno-unused-command-line-argument -Wno-missing-field-initializers 
-Wno-address-of-packed-member -DFREEBSD_PORTS -DFREEBSD_PORTS
  OPTIONS = USE_PCRE=1 USE_PCRE_JIT=1 USE_REGPARM=1 USE_STATIC_PCRE=1 
USE_GETADDRINFO=1 USE_OPENSSL=1 USE_LUA=1 USE_ACCEPT4=1 USE_ZLIB=1


Feature list : -EPOLL +KQUEUE -MY_EPOLL -MY_SPLICE -NETFILTER +PCRE 
+PCRE_JIT -PCRE2 -PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD 
-PTHREAD_PSHARED +REGPARM +STATIC_PCRE -STATIC_PCRE2 +TPROXY 
-LINUX_TPROXY -LINUX_SPLICE +LIBCRYPT -CRYPT_H -VSYSCALL +GETADDRINFO 
+OPENSSL +LUA -FUTEX +ACCEPT4 -MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY -TFO 
-NS -DL -RT -DEVICEATLAS -51DEGREES -WURFL -SYSTEMD -OBSOLETE_LINKER 
-PRCTL -THREAD_DUMP -EVPORTS


Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=2).
Built with OpenSSL version : OpenSSL 1.1.1a-freebsd  20 Nov 2018
Running on OpenSSL version : OpenSSL 1.1.1a-freebsd  20 Nov 2018
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.5
Built with transparent proxy support using: IP_BINDANY IPV6_BINDANY
Built with PCRE version : 8.43 2019-02-23
Running on PCRE version : 8.43 2019-02-23
PCRE library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), 
deflate("deflate"),