Re: Server weight in server-template and consul dns

2020-04-26 Thread Igor Cicimov
Hi,

On Mon, Apr 20, 2020 at 10:25 PM Igor Cicimov <ig...@encompasscorporation.com> wrote:

> Hi,
>
> I have the following template in a server backend:
>
> server-template tomcats 10 _tomcat._tcp.service.consul resolvers consul
> resolve-prefer ipv4 check
>
> This is the SRV records resolution:
>
> # dig +short @127.0.0.1 -p 8600 _tomcat._tcp.service.consul SRV
> 1 10 8080 ip-10-20-3-21.node.dc1.consul.
> 1 10 8080 ip-10-20-4-244.node.dc1.consul.
>
> The server's weight reported by haproxy is 1 where I expected to see 10.
> Just to clarify, is this expected, or is there a mixup between priority and
> weight?
>
> Thanks,
> Igor
>
>
Giving this another try. Maybe Baptiste can help clarify which part of
the SRV record is used as the server weight: the record priority or the
record weight?

Thanks,
Igor
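The SRV answers quoted in this thread, decoded field by field as an added example (not part of the original post): `dig +short` prints SRV data as "priority weight port target", so in "1 10 8080 ..." the 1 is the priority and the 10 is the weight. The traffic-share function follows RFC 2782; the final scaling function is an assumption about how HAProxy maps the 0..65535 SRV weight onto its own 0..256 weight range, not something the thread states.

```python
"""Added example (not from the mailing-list post): decode the SRV answers
quoted in the thread, show which field is priority and which is weight,
and compute the RFC 2782 traffic share per target."""
from typing import Dict, List, NamedTuple


class SrvRecord(NamedTuple):
    priority: int  # RFC 2782: lower value is tried first
    weight: int    # RFC 2782: relative share among equal-priority records
    port: int
    target: str


# Constructed sample, copied from the `dig +short ... SRV` lines in the
# thread.  `dig +short` prints the fields as "priority weight port target".
DIG_OUTPUT = """\
1 10 8080 ip-10-20-3-21.node.dc1.consul.
1 10 8080 ip-10-20-4-244.node.dc1.consul.
"""


def parse_srv(text: str) -> List[SrvRecord]:
    """Parse `dig +short` SRV output; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not all(p.isdigit() for p in parts[:3]):
            continue
        prio, weight, port, target = parts
        records.append(SrvRecord(int(prio), int(weight), int(port),
                                 target.rstrip(".")))
    return records


def traffic_share(records: List[SrvRecord]) -> Dict[str, float]:
    """RFC 2782 selection: only the lowest (best) priority group receives
    traffic; within it each target gets weight / sum(weights).
    If the whole group has weight 0 the targets are treated as equal."""
    if not records:
        return {}
    best = min(r.priority for r in records)
    group = [r for r in records if r.priority == best]
    total = sum(r.weight for r in group)
    if total == 0:
        return {r.target: 1.0 / len(group) for r in group}
    return {r.target: r.weight / total for r in group}


def haproxy_weight_from_srv(srv_weight: int) -> int:
    """ASSUMPTION for this example (not stated in the thread): HAProxy
    server weights range 0..256 while SRV weights range 0..65535, so the
    SRV weight is scaled down by 256, with non-zero weights floored at 1.
    Under that assumption a Consul weight of 10 shows up as weight 1."""
    if srv_weight <= 0:
        return 0
    return max(1, srv_weight // 256)


if __name__ == "__main__":
    recs = parse_srv(DIG_OUTPUT)
    for r in recs:
        print(f"{r.target}: priority={r.priority} weight={r.weight} "
              f"port={r.port} scaled={haproxy_weight_from_srv(r.weight)}")
    for target, share in traffic_share(recs).items():
        print(f"{target}: {share:.0%} of traffic")
```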


Re: doubt how to compile modsecurity module for HAproxy

2020-04-26 Thread Igor Cicimov
Hi Ricardo,

On Sun, Apr 26, 2020 at 11:36 AM Ricardo Barbosa wrote:

> Hello everyone, everything good? I'm studying how to enable the
> modsecurity module, but I don't know how the compilation process is done.
>
> I found this link
> https://github.com/haproxy/haproxy/tree/master/contrib/modsecurity, but I
> didn't understand how to do it. I downloaded the source code of haproxy and
> in the file called INSTALL, the instructions are to run the make command,
> followed by the "TARGET" parameter, using one of the following options:
>
> linux-glibc, linux-glibc-legacy, solaris, freebsd, openbsd, netbsd,
> cygwin, haiku, aix51, aix52, aix72-gcc, osx, generic, custom.
>
> for example:
>
> make TARGET=linux-glibc
>
> However, there is no configure script to execute and follow the
> instructions on the website above. Does anyone have any idea how to do this?
>
> Best Regards
>
>
This is what I have come up with:
https://gist.github.com/icicimov/69456f82e60ea6c53feb341f021fd089

Hope it can help.

Cheers,
Igor


random 502's

2020-04-26 Thread Yves Van Wert
Hi List,

we've recently upgraded our haproxy from 1.6 to 2.0.13 (and by now to
2.0.14).
After the upgrade our Apache in front of the haproxy instance randomly
reports 502's.  The requests that result in the 502 are not logged in the
haproxy log.  It happens randomly and sporadically, on requests that work well
the next time they run.

I've checked the mailing list, but can't seem to find anyone with the same
problem on this version.

The CLI on the admin socket:
show errors
Total events captured on [27/Apr/2020:00:22:55.592] : 0

our haproxy conf contains :

global
log /dev/log local0
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon

ssl-default-bind-ciphers
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3

defaults
log global
mode    http
option  httplog
option  dontlognull
timeout connect 5000
timeout client  1h
timeout server  1h
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http


frontend HTTP_FRONT
bind    *:9080
mode    http
option  httplog
capture request header X-Forwarded-For len 15
capture request header UNIQUE_ID len 28
maxconn 3000
default_backend HTTP_BACK

backend HTTP_BACK
mode http
balance hdr(X-Forwarded-For)
cookie OIGID insert indirect nocache
option  httpclose
option  redispatch
retries 3
timeout queue   1m
timeout connect 10s
timeout check   10s
timeout server  10m
server  A X.X.X.X:9080 cookie hello1 check
server  B X.X.X.Y:9080 cookie hello2 check


our version :

 haproxy -vvv
HA-Proxy version 2.0.14-1ppa1~xenial 2020/04/16 - https://haproxy.org/
Build options :
  TARGET  = linux-glibc
  CPU = generic
  CC  = gcc
  CFLAGS  = -O2 -g -O2 -fPIE -fstack-protector-strong -Wformat
-Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2
-fno-strict-aliasing -Wdeclaration-after-statement -fwrapv
-Wno-unused-label -Wno-sign-compare -Wno-unused-parameter
-Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered
-Wno-missing-field-initializers -Wtype-limits
  OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_REGPARM=1 USE_OPENSSL=1
USE_LUA=1 USE_ZLIB=1 USE_SYSTEMD=1

Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER -PCRE
-PCRE_JIT +PCRE2 +PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED
+REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE
+LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4
-MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS
-51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=1).
Built with OpenSSL version : OpenSSL 1.0.2g  1 Mar 2016
Running on OpenSSL version : OpenSSL 1.0.2g  1 Mar 2016
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.1
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT
IP_FREEBIND
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"),
deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE2 version : 10.21 2016-01-12
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with the Prometheus exporter as a service

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
              h2 : mode=HTX        side=FE|BE     mux=H2
              h2 : mode=HTTP       side=FE        mux=H2
       <default> : mode=HTX        side=FE|BE     mux=H1
       <default> : mode=TCP|HTTP   side=FE|BE     mux=PASS

Available services :
prometheus-exporter

Available filters :
[SPOE] spoe
[COMP] compression
[CACHE] cache
[TRACE] trace

Hope anyone can give me some pointers on where to look.

Thank you!
Yves


Re: Question about your post

2020-04-26 Thread Jack Foster
Hey there,  
 
One week ago I sent you an email regarding guest post opportunity (copy of 
email below) and I haven’t yet heard back from anyone. 
 
You can see an example of the type of content I publish at 
 Let me know and I can send across some topic suggestions.
 Thanks 
 Jack 
 If you don't want to receive emails like this from me, please let me know here 
 
 
 -Original Message- 
 Hey there,  
 
My name is Jack Foster and I blog over at VPN Geeks.  
 
I really like your blog and noticed that you accept guest posts and wondered if 
you’d be open to accepting one from me. 
 
If so please let me know and I will send you several suggested topics that you 
may like. (If you have a topic you'd really like me to cover just let me know)  
 
You can see an example of the type of content I publish at 
 
We'd also share it across our social channels :) 
 
Regards,  
 Jack 
 If you don't want to receive emails like this from me, please let me know here 

Re: doubt how to compile modsecurity module for HAproxy

2020-04-26 Thread Илья Шипицин
Sun, 26 Apr 2020 at 06:37, Ricardo Barbosa :

> Hello everyone, everything good? I'm studying how to enable the
> modsecurity module, but I don't know how the compilation process is done.
>
> I found this link
> https://github.com/haproxy/haproxy/tree/master/contrib/modsecurity, but I
> didn't understand how to do it. I downloaded the source code of haproxy and
> in the file called INSTALL, the instructions are to run the make command,
> followed by the "TARGET" parameter, using one of the following options:
>
> linux-glibc, linux-glibc-legacy, solaris, freebsd, openbsd, netbsd,
> cygwin, haiku, aix51, aix52, aix72-gcc, osx, generic, custom.
>
> for example:
>
> make TARGET=linux-glibc
>
> However, there is no configure script to execute and follow the
> instructions on the website above. Does anyone have any idea how to do this?
>


Indeed there are instructions on the mentioned page (it is a README file).
It is a pity it is not clear; can you help to improve it?


>
> Best Regards
>
>


[PATCH] DOC: give a more accurate description of what check does

2020-04-26 Thread Jerome Magnin
Hi,

here's a documentation patch for the check keyword.

regards,
Jérôme
From 10e90939d9fd1bd4f1e651d679d0b99e8da91afb Mon Sep 17 00:00:00 2001
From: Jerome Magnin 
Date: Sun, 26 Apr 2020 14:23:04 +0200
Subject: [PATCH] DOC: give a more accurate description of what check does

The documentation for check implies that without an optional l7
check configured, it enables simple tcp checks. What it actually
does is check that every configured handshake on the server line
can be established.

# simple tcp connect
backend foo
  server s1 192.168.0.1:80 check
# this does a tcp connect + tls handshake
backend foo
  server s1 192.168.0.1;443 ssl check
# simple tcp connect is enough for check success
backend foo
  option tcp-check
  tcp-check connect
  server s1 192.168.0.1:443 ssl check
---
 doc/configuration.txt | 38 +++---
 1 file changed, 27 insertions(+), 11 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 676d5a075..faf5a54bc 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -12112,17 +12112,33 @@ ca-file 
 
 check
   This option enables health checks on the server. By default, a server is
-  always considered available. If "check" is set, the server is available when
-  accepting periodic TCP connections, to ensure that it is really able to serve
-  requests. The default address and port to send the tests to are those of the
-  server, and the default source is the same as the one defined in the
-  backend. It is possible to change the address using the "addr" parameter, the
-  port using the "port" parameter, the source address using the "source"
-  address, and the interval and timers using the "inter", "rise" and "fall"
-  parameters. The request method is define in the backend using the "httpchk",
-  "smtpchk", "mysql-check", "pgsql-check" and "ssl-hello-chk" options. Please
-  refer to those options and parameters for more information. See also
-  "no-check" option.
+  always considered available. If "check" is set, the server is considered
+  available when all the handshakes configured on the server line can be
+  established, or when an optional layer 7 health check succeeds. This is to
+  ensure that the server is really able to handle requests. The default address
+  and port to send health checks to are those of the server, and the default
+  source address is the same as the one defined in the backend. It is possible
+  to change the destination address using the "addr" parameter, the port using
+  the "port" parameter, the source address using the "source" parameter, and 
the
+  interval and timers using the "inter", "rise" and "fall" parameters. Optional
+  layer 7 checks can be configured with the "httpchk", "smtpchk", 
"mysql-check",
+  "pgsql-check" and "ssl-hello-check" options. When ssl is configured on the
+  server line, "option tcp-check" and "tcp-check connect" can be used to 
refrain
+  from establishing the tls hanshake during health checks. Please refer to 
those
+  options and parameters for more information. See also "no-check" and 
"check-ssl".
+
+  Example:
+  # simple tcp connect
+  backend foo
+server s1 192.168.0.1:80 check
+  # this does a tcp connect + tls handshake
+  backend foo
+server s1 192.168.0.1;443 ssl check
+  # simple tcp connect is enough for check success
+  backend foo
+option tcp-check
+tcp-check connect
+server s1 192.168.0.1:443 ssl check
 
 check-send-proxy
   This option forces emission of a PROXY protocol line with outgoing health
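Review bot: the second example in the hunk, `server s1 192.168.0.1;443 ssl check`, has a semicolon where the address needs a colon; it should read `server s1 192.168.0.1:443 ssl check`, as the third example does, otherwise the sample will not parse if someone copies it. Two more points in the same hunk: the option list now says "ssl-hello-check", but the removed lines spell the keyword "ssl-hello-chk", so the new text points at a name that does not match the option; and "tls hanshake" should be "TLS handshake". Finally, the added lines that wrap in the mail ("and \nthe", "\n\"mysql-check\",", "\nrefrain", "\nthose", "\n\"check-ssl\".") look longer than the 80 columns the rest of doc/configuration.txt keeps; please reflow that paragraph before merging.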
-- 
2.26.2



Re: [*EXT*] Re: 404 + VN when enabling h2 in front of keycloak

2020-04-26 Thread Ionel GARDAIS
I gave a try to other browsers.
Chrome and Brave both fail, even in private browsing.

Firefox however succeeded in private browsing but failed in classic browsing,
even after clearing all caches.

I gave a try to FF75.0 on Windows: it fails in both classic and private
browsing.

-- 
Ionel GARDAIS
Tech'Advantage CIO - IT Team manager

- Original Message -
From: "Ionel GARDAIS" 
To: "Jarno Huuskonen" 
Cc: "haproxy" 
Sent: Sunday 26 April 2020 11:13:46
Subject: Re: [*EXT*] Re: 404 + VN when enabling h2 in front of keycloak

Hi Jarno,

Thanks for these pointers.
I'm running 2.1.4.

keycloak does not say anything : no warnings nor errors.

I gave a try to "no option http-use-htx" with no luck: same issue.


However, the mystery gets deeper: it works with Safari 11.1.2 (I know, got an old
OS X) but fails with Firefox 75.0.
Safari calls in H2 return HTTP 200 or HTTP 302 with --VR or --VN.
Firefox calls are still returning HTTP 404 with --VN.

I'll try to dump the headers for both callers.

-- 
Ionel GARDAIS
Tech'Advantage CIO - IT Team manager

- Original Message -
From: "Jarno Huuskonen" 
To: "Ionel GARDAIS" , "haproxy" 
Sent: Sunday 26 April 2020 10:43:42
Subject: [*EXT*] Re: 404 + VN when enabling h2 in front of keycloak

Hi Ionel,

On Sat, 2020-04-25 at 11:22 +0200, Ionel GARDAIS wrote:
> I tried to enable h2 in our haproxy setup.

What's your haproxy version ?

> Most proxied servers work well except Keycloak (SSO solution)
> 
> While everything works fine in HTTP/1.1, Keycloak returns a 404 and
> haproxy shows a --VN status in h2.

Have you tested without HTX (no option http-use-htx,
https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#4-option%20http-use-htx
)?

Does keycloak log anything useful ?

> As there are two Keycloak servers working in pair, the backend is
> defined as 
> 
> backend bck-keycloak
> cookie AUTH_SESSION_ID prefix
> server keycloak 192.168.8.27:8080 check cookie s1
> server keycloak-bck 192.168.8.28:8080 check cookie s2
> 
> Are there specific tunings required for h2 to work correctly?

Maybe keycloak is case-sensitive on some HTTP headers?
Have you tried comparing HTTP/1.1 and HTTP/2 request headers going to the
keycloak server?

(
https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#h1-case-adjust
)

-Jarno

-- 
Jarno Huuskonen
--
232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON
Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301




Re: [*EXT*] Re: 404 + VN when enabling h2 in front of keycloak

2020-04-26 Thread Ionel GARDAIS
Hi Jarno,

Thanks for these pointers.
I'm running 2.1.4.

keycloak does not say anything : no warnings nor errors.

I gave a try to "no option http-use-htx" with no luck: same issue.


However, the mystery gets deeper: it works with Safari 11.1.2 (I know, got an old
OS X) but fails with Firefox 75.0.
Safari calls in H2 return HTTP 200 or HTTP 302 with --VR or --VN.
Firefox calls are still returning HTTP 404 with --VN.

I'll try to dump the headers for both callers.

-- 
Ionel GARDAIS
Tech'Advantage CIO - IT Team manager

- Original Message -
From: "Jarno Huuskonen" 
To: "Ionel GARDAIS" , "haproxy" 
Sent: Sunday 26 April 2020 10:43:42
Subject: [*EXT*] Re: 404 + VN when enabling h2 in front of keycloak

Hi Ionel,

On Sat, 2020-04-25 at 11:22 +0200, Ionel GARDAIS wrote:
> I tried to enable h2 in our haproxy setup.

What's your haproxy version ?

> Most proxied servers work well except Keycloak (SSO solution)
> 
> While everything works fine in HTTP/1.1, Keycloak returns a 404 and
> haproxy shows a --VN status in h2.

Have you tested without HTX (no option http-use-htx,
https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#4-option%20http-use-htx
)?

Does keycloak log anything useful ?

> As there are two Keycloak servers working in pair, the backend is
> defined as 
> 
> backend bck-keycloak
> cookie AUTH_SESSION_ID prefix
> server keycloak 192.168.8.27:8080 check cookie s1
> server keycloak-bck 192.168.8.28:8080 check cookie s2
> 
> Are there specific tunings required for h2 to work correctly?

Maybe keycloak is case-sensitive on some HTTP headers?
Have you tried comparing HTTP/1.1 and HTTP/2 request headers going to the
keycloak server?

(
https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#h1-case-adjust
)

-Jarno

-- 
Jarno Huuskonen
--
232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON
Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301




Re: 404 + VN when enabling h2 in front of keycloak

2020-04-26 Thread Jarno Huuskonen
Hi Ionel,

On Sat, 2020-04-25 at 11:22 +0200, Ionel GARDAIS wrote:
> I tried to enable h2 in our haproxy setup.

What's your haproxy version ?

> Most proxied servers work well except Keycloak (SSO solution)
> 
> While everything works fine in HTTP/1.1, Keycloak returns a 404 and
> haproxy shows a --VN status in h2.

Have you tested without HTX (no option http-use-htx,
https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#4-option%20http-use-htx
)?

Does keycloak log anything useful ?

> As there are two Keycloak servers working in pair, the backend is
> defined as 
> 
> backend bck-keycloak
> cookie AUTH_SESSION_ID prefix
> server keycloak 192.168.8.27:8080 check cookie s1
> server keycloak-bck 192.168.8.28:8080 check cookie s2
> 
> Are there specific tunings required for h2 to work correctly?

Maybe keycloak is case-sensitive on some HTTP headers?
Have you tried comparing HTTP/1.1 and HTTP/2 request headers going to the
keycloak server?

(
https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#h1-case-adjust
)

-Jarno

-- 
Jarno Huuskonen
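The header-case hypothesis raised in this thread, as an added configuration example that is not from the thread or from the HAProxy or Keycloak documentation: HTTP/2 carries all header names in lowercase, and when HAProxy forwards such a request to an HTTP/1.1 backend it keeps them lowercase unless told otherwise, so a backend that looks for "Cookie" rather than "cookie" can misbehave. The backend lines are the ones from the thread; the frontend, the certificate path and the particular header names mapped are assumptions chosen for illustration.

```haproxy
# Added example: restore header-name case on the HTTP/1.1 side for
# requests that arrived over h2, using HAProxy's h1-case-adjust mechanism.
global
    # lowercase name -> the spelling the backend expects
    h1-case-adjust cookie Cookie
    h1-case-adjust content-type Content-Type
    h1-case-adjust authorization Authorization
    # alternatively keep the pairs in a file, two names per line, first one
    # lowercase (path below is an assumption):
    # h1-case-adjust-file /etc/haproxy/h1-case-adjust.map

frontend fe-https
    # assumed front end; the thread only shows the backend
    bind :443 ssl crt /etc/haproxy/site.pem alpn h2,http/1.1
    default_backend bck-keycloak

backend bck-keycloak
    # apply the global h1-case-adjust map to headers sent to these servers
    option h1-case-adjust-bogus-server
    cookie AUTH_SESSION_ID prefix
    server keycloak 192.168.8.27:8080 check cookie s1
    server keycloak-bck 192.168.8.28:8080 check cookie s2
```

Without "option h1-case-adjust-bogus-server" the global map is loaded but not applied to this backend, so compare the request headers the Keycloak servers receive before and after enabling it.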