Re: understanding reqirep & rspirep
On 16/06/17 at 10:23, Antonio Trujillo Carmona wrote:
> Thanks in advance for your great work.
> I need to make a rewriter in a url.
> We have one Tomcat app and we need to use it in 2 scenarios;
> the application (we can't touch it) works in the environment aplication/
> so if we use http://www.ourdomain.es/aplication and in haproxy we
> redirect it with:
> server gesforma-1 10.105.1.17:8080
> it works.
> Now we need two instances of that application, so we choose:
>
> http://www.ourdomain.es/location1/aplication
> http://www.ourdomain.es/location2/aplication
> and in haproxy:
> frontend
> .../...
>     use_backend formacion-loc1 if { path_beg /location1/ }
>     use_backend formacion-loc2 if { path_beg /location2/ }
> .../...
> backend formacion-loc1
>     mode http
>     reqirep ^([^\ :]*)\ /location1/aplication[/]?(.*) \1\ /aplication/\2
>     rspirep ^([^\ :]*)\ /aplication[/]?(.*) \1\ /location1/aplication/\2
>     option forwardfor
>     server gesforma-1 10.105.1.17:8080 check
>
> backend formacion-loc2
>     mode http
>     reqirep ^([^\ :]*)\ /location2/aplication[/]?(.*) \1\ /aplication/\2
>     rspirep ^([^\ :]*)\ /aplication[/]?(.*) \1\ /location2/aplication/\2
>     option forwardfor
>     server gesforma-1 10.105.1.17:8081 check
>
> but it doesn't work: we get to the right application, but all the links
> that are there try to get
> http://www.ourdomain.es/aplication/
> without the location, and right now we only accept access with location1 or
> location2.
>
> Is what we want possible?
>

I forgot, I have:

# haproxy -v
HA-Proxy version 1.7.5-2~bpo8+1 2017/05/27
Copyright 2000-2017 Willy Tarreau <wi...@haproxy.org>

--
*Antonio Trujillo Carmona*
*Network and systems technician.*
*Subdirección de Tecnologías de la Información y Comunicaciones*
Servicio Andaluz de Salud. Consejería de Salud de la Junta de Andalucía
_antonio.trujillo.sspa@juntadeandalucia.es_
Tel. +34 670947670 747670)
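As an added example (not from the thread), the two rules of backend formacion-loc1 applied in Python the way HAProxy applies reqirep/rspirep, independently to the request line, the status line and each header, never to the body: it shows why the posted rspirep can never match a Location header (the `[^\ :]*` group cannot cross the colon after the header name, so only a line whose first token is colon-free matches) and why HTML links are untouched, and adds a header-specific replacement pattern that is my suggestion, not something the thread proposed.

```python
import re

# The two rules from backend formacion-loc1 in the thread, with HAProxy's
# escaped space ("\ ") written as a plain space. reqirep/rspirep are
# case-insensitive and are tried against every line of the header block.
REQIREP = (re.compile(r"^([^ :]*) /location1/aplication[/]?(.*)", re.I),
           r"\1 /aplication/\2")
RSPIREP = (re.compile(r"^([^ :]*) /aplication[/]?(.*)", re.I),
           r"\1 /location1/aplication/\2")

# My replacement for the rspirep (an assumption, not from the thread): match
# the Location header by name and accept a relative or an absolute URL value.
# In haproxy.cfg the spaces would again be written as "\ ".
RSPIREP_FIXED = (
    re.compile(r"^(Location:) ((?:https?://[^/]*)?)/aplication[/]?(.*)", re.I),
    r"\1 \2/location1/aplication/\3",
)

# Constructed sample exchange (not a capture from the thread's servers).
SAMPLE_REQUEST = [
    "GET /location1/aplication/login HTTP/1.1",
    "Host: www.ourdomain.es",
]
SAMPLE_RESPONSE_HEADERS = [
    "HTTP/1.1 302 Found",
    "Location: /aplication/menu",
]
SAMPLE_BODY = '<a href="/aplication/menu">Menu</a>'


def apply_rule(rule, lines):
    """Apply one rule to each line independently, as HAProxy does per header line."""
    pattern, repl = rule
    return [pattern.sub(repl, line) for line in lines]


def rewrite_request(lines):
    """What the backend's reqirep does to the request line and headers."""
    return apply_rule(REQIREP, lines)


def rewrite_response(headers, body, rule=RSPIREP):
    """Only header lines are rewritten; the body and the links inside it pass through."""
    return apply_rule(rule, headers), body


if __name__ == "__main__":
    print(rewrite_request(SAMPLE_REQUEST))
    print(rewrite_response(SAMPLE_RESPONSE_HEADERS, SAMPLE_BODY))
    print(rewrite_response(SAMPLE_RESPONSE_HEADERS, SAMPLE_BODY, RSPIREP_FIXED))
```

Even with the header rewrite corrected, links emitted inside the HTML body still point at /aplication/, which is the symptom reported above; that needs the application to be told its external prefix or a body-rewriting proxy, neither of which reqirep/rspirep provide.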
SOLVED Re: haproxy + RDP
On 16/05/17 at 23:17, Aleksandar Lazic wrote:
> Hi Antonio Trujillo Carmona.
>
> Antonio Trujillo Carmona wrote on Mon, 15 May 2017 08:40:16 +0200:
>
>> On 12/05/17 at 11:55, Aleksandar Lazic wrote:
>>> Hi Antonio Trujillo Carmona.
>>>
>>> Antonio Trujillo Carmona wrote on Fri, 12 May 2017 10:23:59 +0200:
>>>
>>>> On 11/05/17 at 15:06, Aleksandar Lazic wrote:
>>>>> .../
>>>>> How about activating the 'option tcp-check' as mentioned in the Warning?
>>>>> In the config below it's commented, any reason why?
>>>>>
>>>>> It's also active in the doc which you maybe know.
>>>>>
>>>>> https://www.haproxy.com/doc/aloha/7.0/deployment_guides/microsoft_remote_desktop_services.html
>>>>>
>>>>> Does this change anything?
>>>> ok, cleaning up a little I try:
>>>> frontend RDP
>>>>     mode tcp
>>>>     bind *:3389
>>>>     timeout client 1h
>>>>     tcp-request inspect-delay 5s
>>>>     tcp-request content accept if RDP_COOKIE
>>>>     default_backend bk_rdp
>>>> #
>>>> backend bk_rdp
>>>>     mode tcp
>>>>     balance leastconn
>>>>     #balance rdp_coockie
>>>>     timeout server 1h
>>>>     timeout connect 4s
>>>>     log global
>>>>     option tcplog
>>>>     stick-table type string len 32 size 10k expire 1h peers pares
>>>>     stick on rdp_cookie(msthash)
>>>>     # persist rdp-cookie
>>>>     option tcp-check
>>>>     # option ssl-hello-chk
>>>>     # option tcpka
>>>>     tcp-check connect port 3389 ssl
>>>>
>>>>     # server gr43sterminal01 10.104.22.142:3389 weight 1 check verify none inter 2000 rise 2 fall 3
>>>>     # server gr43sterminal02 10.104.23.141:3389 weight 1 check verify none inter 2000 rise 2 fall 3
>>>>     #
>>>>     default-server inter 3s rise 2 fall 3
>>>>     server gr43sterminal01 10.104.22.142:3389 weight 1 check
>>>>     server gr43sterminal02 10.104.23.141:3389 weight 1 check
>>>>
>>>> And I got:
>>>> [ALERT] 131/100222 (8564) : Proxy 'bk_rdp', server 'gr43sterminal01' [/etc/haproxy/haproxy.cfg:189] verify is enabled by default but no CA file specified. If you're running on a LAN where you're certain to trust the server's certificate, please set an explicit 'verify none' statement on the 'server' line, or use 'ssl-server-verify none' in the global section to disable server-side verifications by default.
>>>> [ALERT] 131/100222 (8564) : Proxy 'bk_rdp', server 'gr43sterminal02' [/etc/haproxy/haproxy.cfg:190] verify is enabled by default but no CA file specified. If you're running on a LAN where you're certain to trust the server's certificate, please set an explicit 'verify none' statement on the 'server' line, or use 'ssl-server-verify none' in the global section to disable server-side verifications by default.
>>>> [ALERT] 131/100222 (8564) : Fatal errors found in configuration.
>>>>
>>>> So I try adding verify none to the server line
>>>>
>>>> and haproxy sees both servers up (but one is down).
>>>> I try without ssl:
>>>>
>>>>     tcp-check connect port 3389
>>>>     server gr43sterminal01 10.104.22.142:3389 weight 1 check
>>>>     server gr43sterminal02 10.104.23.141:3389 weight 1 check
>>>>
>>>> but the result is the same, haproxy sees both servers up (but one is down)
>>>>
>>>> only if I leave just option tcp-check (or none) does it seem to work
>>>>
>>>>
>>>>     #
>>>>     # persist rdp-cookie
>>>>     option tcp-check
>>>>     # option ssl-hello-chk
>>>>     # option tcpka
>>>>     # tcp-check connect port 3389 ssl
>>>>     # tcp-check connect port 3389
>>>>
>>>>     # server gr43sterminal01 10.104.22.142:3389 weight 1 check verify none inter 2000 rise 2 fall 3
>>>>     # server gr43sterminal02 10.104.23.141:3389 weight 1 check verify none inter 2000 rise 2 fall 3
>>>>     #
>>>>     default-server inter 3s rise 2 fall 3
>>>>     server gr43sterminal01 10.104.22.142:3389 weight 1 check
>>>>     server gr43sterminal02 10.104.23.141:3389 weight 1 check
>>>>     ##
>>>>
>>>>
>>>> output:
>>>>
>>>> [WARNING] 131/102105 (8773) : Server bk_rdp/gr43sterminal01 is DOWN, reason: Layer4 timeout, info: " at initial connection step of tcp-check", check duration: 3001ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
>>> So finally it works.
>>>
>>> Regards
>>> Aleks
>> But in that mode it checks server availability, not the service; if the RDP service is down haproxy doesn't detect it.
> Maybe you will need some tcp-check sequence to check the service.
>
> http://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4.2-tcp-check%20send
> http://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4.2-tcp-check%20send-binary
>
> I have found a perl script which checks the rdp, maybe this will help you to find the right sequence.
>
> https://github.com/portcullislabs/rdp-sec-check/blob/master/rdp-sec-check.pl
>
> Regards
> Aleks

Finally it works. The final configuration is:

#
frontend RDP
    mode tcp
    bind *:3389
    timeout client 1h
    tcp-request inspect-delay 25s
Re: haproxy + RDP
On 12/05/17 at 11:55, Aleksandar Lazic wrote:
> Hi Antonio Trujillo Carmona.
>
> Antonio Trujillo Carmona wrote on Fri, 12 May 2017 10:23:59 +0200:
>
>> On 11/05/17 at 15:06, Aleksandar Lazic wrote:
>>> .../
>>> How about activating the 'option tcp-check' as mentioned in the Warning?
>>> In the config below it's commented, any reason why?
>>>
>>> It's also active in the doc which you maybe know.
>>>
>>> https://www.haproxy.com/doc/aloha/7.0/deployment_guides/microsoft_remote_desktop_services.html
>>>
>>> Does this change anything?
>> ok, cleaning up a little I try:
>> frontend RDP
>>     mode tcp
>>     bind *:3389
>>     timeout client 1h
>>     tcp-request inspect-delay 5s
>>     tcp-request content accept if RDP_COOKIE
>>     default_backend bk_rdp
>> #
>> backend bk_rdp
>>     mode tcp
>>     balance leastconn
>>     #balance rdp_coockie
>>     timeout server 1h
>>     timeout connect 4s
>>     log global
>>     option tcplog
>>     stick-table type string len 32 size 10k expire 1h peers pares
>>     stick on rdp_cookie(msthash)
>>     # persist rdp-cookie
>>     option tcp-check
>>     # option ssl-hello-chk
>>     # option tcpka
>>     tcp-check connect port 3389 ssl
>>
>>     # server gr43sterminal01 10.104.22.142:3389 weight 1 check verify none inter 2000 rise 2 fall 3
>>     # server gr43sterminal02 10.104.23.141:3389 weight 1 check verify none inter 2000 rise 2 fall 3
>>     #
>>     default-server inter 3s rise 2 fall 3
>>     server gr43sterminal01 10.104.22.142:3389 weight 1 check
>>     server gr43sterminal02 10.104.23.141:3389 weight 1 check
>>
>> And I got:
>> [ALERT] 131/100222 (8564) : Proxy 'bk_rdp', server 'gr43sterminal01' [/etc/haproxy/haproxy.cfg:189] verify is enabled by default but no CA file specified. If you're running on a LAN where you're certain to trust the server's certificate, please set an explicit 'verify none' statement on the 'server' line, or use 'ssl-server-verify none' in the global section to disable server-side verifications by default.
>> [ALERT] 131/100222 (8564) : Proxy 'bk_rdp', server 'gr43sterminal02' [/etc/haproxy/haproxy.cfg:190] verify is enabled by default but no CA file specified. If you're running on a LAN where you're certain to trust the server's certificate, please set an explicit 'verify none' statement on the 'server' line, or use 'ssl-server-verify none' in the global section to disable server-side verifications by default.
>> [ALERT] 131/100222 (8564) : Fatal errors found in configuration.
>>
>> So I try adding verify none to the server line
>>
>> and haproxy sees both servers up (but one is down).
>> I try without ssl:
>>
>>     tcp-check connect port 3389
>>     server gr43sterminal01 10.104.22.142:3389 weight 1 check
>>     server gr43sterminal02 10.104.23.141:3389 weight 1 check
>>
>> but the result is the same, haproxy sees both servers up (but one is down)
>>
>> only if I leave just option tcp-check (or none) does it seem to work
>>
>>
>>     #
>>     # persist rdp-cookie
>>     option tcp-check
>>     # option ssl-hello-chk
>>     # option tcpka
>>     # tcp-check connect port 3389 ssl
>>     # tcp-check connect port 3389
>>
>>     # server gr43sterminal01 10.104.22.142:3389 weight 1 check verify none inter 2000 rise 2 fall 3
>>     # server gr43sterminal02 10.104.23.141:3389 weight 1 check verify none inter 2000 rise 2 fall 3
>>     #
>>     default-server inter 3s rise 2 fall 3
>>     server gr43sterminal01 10.104.22.142:3389 weight 1 check
>>     server gr43sterminal02 10.104.23.141:3389 weight 1 check
>>     ##
>>
>>
>> output:
>>
>> [WARNING] 131/102105 (8773) : Server bk_rdp/gr43sterminal01 is DOWN, reason: Layer4 timeout, info: " at initial connection step of tcp-check", check duration: 3001ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
> So finally it works.
>
> Regards
> Aleks

But in that mode it checks server availability, not the service; if the RDP service is down haproxy doesn't detect it.

--
*Antonio Trujillo Carmona*
*Network and systems technician.*
*Subdirección de Tecnologías de la Información y Comunicaciones*
Servicio Andaluz de Salud. Consejería de Salud de la Junta de Andalucía
_antonio.trujillo.sspa@juntadeandalucia.es_
Tel. +34 670947670 747670)
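The service-level check asked for in this message and in the SOLVED reply above, as an added example that is not the thread's own code: a bare `tcp-check connect` only proves port 3389 accepts connections, and `option ssl-hello-chk` sends a TLS ClientHello that an RDP listener does not expect first, so this probe sends what every RDP client sends first, the X.224 Connection Request with an RDP_NEG_REQ (MS-RDPBCGR), and classifies the Connection Confirm; the `check_rdp` host/port are the caller's, the sample replies are constructed, and the tcp-check transcription in the comment is my reading of the send-binary/expect docs linked above, not a tested config.

```python
import socket
import struct

# Values from MS-RDPBCGR (RDP_NEG_REQ / RDP_NEG_RSP / RDP_NEG_FAILURE).
PROTOCOL_RDP = 0x00000000     # legacy RDP security only
PROTOCOL_SSL = 0x00000001     # TLS
PROTOCOL_HYBRID = 0x00000002  # CredSSP / NLA
NEG_RSP, NEG_FAILURE = 0x02, 0x03
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(protocols=PROTOCOL_SSL | PROTOCOL_HYBRID):
    """TPKT header + X.224 Connection Request TPDU + RDP_NEG_REQ.

    This goes out in clear, before any TLS handshake, which is why a bare
    SSL ClientHello (option ssl-hello-chk) gets no usable answer from RDP."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, protocols)      # type, flags, length, requestedProtocols
    tpdu = bytes([0xE0, 0, 0, 0, 0, 0]) + neg_req                 # CR code, dst-ref, src-ref, class 0
    tpdu = bytes([len(tpdu)]) + tpdu                               # X.224 length indicator
    return struct.pack(">BBH", 0x03, 0x00, 4 + len(tpdu)) + tpdu   # TPKT: version 3, reserved, total length


def parse_connection_confirm(data):
    """Classify the reply: ('ok', selectedProtocol), ('failure', reason) or ('invalid', why)."""
    if len(data) < 11 or data[0] != 0x03 or data[1] != 0x00:
        return ("invalid", "not a TPKT packet")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        return ("invalid", "TPKT length mismatch")
    if data[5] != 0xD0:                                            # X.224 Connection Confirm code
        return ("invalid", "not an X.224 Connection Confirm")
    if len(data) == 11:
        return ("ok", PROTOCOL_RDP)                                # old server, no RDP_NEG_RSP appended
    if len(data) < 19:
        return ("invalid", "truncated negotiation response")
    neg_type, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if neg_type == NEG_RSP:
        return ("ok", value)
    if neg_type == NEG_FAILURE:
        return ("failure", FAILURE_CODES.get(value, "code %d" % value))
    return ("invalid", "unknown negotiation type 0x%02x" % neg_type)


def check_rdp(host, port=3389, timeout=3.0):
    """Service-level health check: connect, send the request, judge the confirm."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_connection_request())
            data = sock.recv(64)
    except OSError as exc:
        return ("invalid", "layer4: %s" % exc)                     # what tcp-check connect alone sees
    return parse_connection_confirm(data)


# The same probe as tcp-check rules for backend bk_rdp (assumption: my
# transcription of the tcp-check send-binary / expect syntax from the docs
# linked above; 'expect binary 0300' verifies only the TPKT header of the reply):
#     option tcp-check
#     tcp-check connect port 3389
#     tcp-check send-binary 030000130ee000000000000100080003000000
#     tcp-check expect binary 0300

if __name__ == "__main__":
    print(build_connection_request().hex())
```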
Re: haproxy + RDP
On 11/05/17 at 15:06, Aleksandar Lazic wrote:
> .../
> How about activating the 'option tcp-check' as mentioned in the Warning?
> In the config below it's commented, any reason why?
>
> It's also active in the doc which you maybe know.
>
> https://www.haproxy.com/doc/aloha/7.0/deployment_guides/microsoft_remote_desktop_services.html
>
> Does this change anything?

ok, cleaning up a little I try:

frontend RDP
    mode tcp
    bind *:3389
    timeout client 1h
    tcp-request inspect-delay 5s
    tcp-request content accept if RDP_COOKIE
    default_backend bk_rdp
#
backend bk_rdp
    mode tcp
    balance leastconn
    #balance rdp_coockie
    timeout server 1h
    timeout connect 4s
    log global
    option tcplog
    stick-table type string len 32 size 10k expire 1h peers pares
    stick on rdp_cookie(msthash)
    # persist rdp-cookie
    option tcp-check
    # option ssl-hello-chk
    # option tcpka
    tcp-check connect port 3389 ssl

    # server gr43sterminal01 10.104.22.142:3389 weight 1 check verify none inter 2000 rise 2 fall 3
    # server gr43sterminal02 10.104.23.141:3389 weight 1 check verify none inter 2000 rise 2 fall 3
    #
    default-server inter 3s rise 2 fall 3
    server gr43sterminal01 10.104.22.142:3389 weight 1 check
    server gr43sterminal02 10.104.23.141:3389 weight 1 check

And I got:

[ALERT] 131/100222 (8564) : Proxy 'bk_rdp', server 'gr43sterminal01' [/etc/haproxy/haproxy.cfg:189] verify is enabled by default but no CA file specified. If you're running on a LAN where you're certain to trust the server's certificate, please set an explicit 'verify none' statement on the 'server' line, or use 'ssl-server-verify none' in the global section to disable server-side verifications by default.
[ALERT] 131/100222 (8564) : Proxy 'bk_rdp', server 'gr43sterminal02' [/etc/haproxy/haproxy.cfg:190] verify is enabled by default but no CA file specified. If you're running on a LAN where you're certain to trust the server's certificate, please set an explicit 'verify none' statement on the 'server' line, or use 'ssl-server-verify none' in the global section to disable server-side verifications by default.
[ALERT] 131/100222 (8564) : Fatal errors found in configuration.

So I try adding verify none to the server line

and haproxy sees both servers up (but one is down).
I try without ssl:

    tcp-check connect port 3389
    server gr43sterminal01 10.104.22.142:3389 weight 1 check
    server gr43sterminal02 10.104.23.141:3389 weight 1 check

but the result is the same, haproxy sees both servers up (but one is down)

only if I leave just option tcp-check (or none) does it seem to work


    #
    # persist rdp-cookie
    option tcp-check
    # option ssl-hello-chk
    # option tcpka
    # tcp-check connect port 3389 ssl
    # tcp-check connect port 3389

    # server gr43sterminal01 10.104.22.142:3389 weight 1 check verify none inter 2000 rise 2 fall 3
    # server gr43sterminal02 10.104.23.141:3389 weight 1 check verify none inter 2000 rise 2 fall 3
    #
    default-server inter 3s rise 2 fall 3
    server gr43sterminal01 10.104.22.142:3389 weight 1 check
    server gr43sterminal02 10.104.23.141:3389 weight 1 check
    ##


output:

[WARNING] 131/102105 (8773) : Server bk_rdp/gr43sterminal01 is DOWN, reason: Layer4 timeout, info: " at initial connection step of tcp-check", check duration: 3001ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.

--
*Antonio Trujillo Carmona*
*Network and systems technician.*
*Subdirección de Tecnologías de la Información y Comunicaciones*
Servicio Andaluz de Salud. Consejería de Salud de la Junta de Andalucía
_antonio.trujillo.sspa@juntadeandalucia.es_
Tel. +34 670947670 747670)
Re: haproxy + RDP
On 11/05/17 at 11:23, Aleksandar Lazic wrote:
> Hi Antonio Trujillo Carmona.
>
> Antonio Trujillo Carmona wrote on Thu, 11 May 2017 10:22:59 +0200:
>
>> Why does this configuration not detect a server down?
> Please can you post the output of haproxy -vv

$ haproxy -vv
HA-Proxy version 1.5.18 2016/05/10
Copyright 2000-2016 Willy Tarreau <wi...@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

> Please can you post some logs as you have debug activated.

# haproxy -d -f /etc/haproxy/haproxy.cfg
[WARNING] 130/120716 (27612) : parsing [/etc/haproxy/haproxy.cfg:165] : 'timeout server' will be ignored because frontend 'RDP' has no backend capability
[WARNING] 130/120716 (27612) : config : backend 'bk_rdp' uses tcp-check rules without 'option tcp-check', so the rules are ignored.
Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result FAILED
Total: 3 (2 usable), will use epoll.
Using epoll() as the polling mechanism.
[WARNING] 130/120717 (27612) : Server CitrixSF-SSL/CitrixSF03 is DOWN, reason: Layer4 connection problem, info: "Connection refused", check duration: 3ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
[WARNING] 130/120718 (27612) : Server bk_rdp/gr43sterminal02 is DOWN, reason: Socket error, check duration: 12ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
[WARNING] 130/120719 (27612) : Server bk_rdp/gr43sterminal01 is DOWN, reason: Layer4 timeout, check duration: 2001ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
[ALERT] 130/120719 (27612) : backend 'bk_rdp' has no server available!

Message from syslogd@localhost at May 11 12:07:19 ...
 haproxy[27612]: backend bk_rdp has no server available!

Message from syslogd@localhost at May 11 12:07:19 ...
 haproxy[27612]: backend bk_rdp has no server available!

but:

# nmap gr43sterminal02 -p3389

Starting Nmap 6.40 ( http://nmap.org ) at 2017-05-11 12:12 CEST
Nmap scan report for gr43sterminal02 (10.104.23.141)
Host is up (0.00072s latency).
rDNS record for 10.104.23.141: gr43sterminal02.hvn.sas.junta-andalucia.es
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server

This one is up and the other down; if I comment

# option ssl-hello-chk

both appear up:

# haproxy -d -f /etc/haproxy/haproxy.cfg
[WARNING] 130/121803 (27722) : parsing [/etc/haproxy/haproxy.cfg:165] : 'timeout server' will be ignored because frontend 'RDP' has no backend capability
Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result FAILED
Total: 3 (2 usable), will use epoll.
Using epoll() as the polling mechanism.
[WARNING] 130/121804 (27722) : Server CitrixSF-SSL/CitrixSF03 is DOWN, reason: Layer4 connection problem, info: "Connection refused", check duration: 3ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
:gr43stemis01.clicls[:0009]
:gr43stemis01.closed[:0009]
:gr43stemis01.clicls[:000a]
:gr43stemis01.closed[:000a]
:gr43stemis01.clicls[:000b]
:gr43stemis01.closed[:000b]
:gr43stemis01.clicls[:000c]
:gr43stemis01.closed[:000c]
:gr43stemis01.clicls[:000d]
:gr43stemis01.closed[:000d]
:RDP.accept(0007)=000a from [10.104.24.53:60969]

Only if I comment

#option ssl-hello-chk
#tcp-check connect port 3389 ssl

does it seem to work, but I'm afraid that it checks the server, not the service, so if the server is up but the RDP service fails haproxy will not detect it.

>
>> global
>>     log 127.0.0.1 local0 debug
>>     log 127.0.0.1 local1 notice
>>     log 10.104.16.5 local7 d
haproxy + RDP
Why does this configuration not detect a server down?

global
    log 127.0.0.1 local0 debug
    log 127.0.0.1 local1 notice
    log 10.104.16.5 local7 debug
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    node GR43STEMIS01-BALANCEADOR-HA-SSL

# To synchronise the session tables
peers pares
    # disable
    peer gr43stemis01 10.107.20.7:1024
    peer gr43stemis02 10.107.20.8:1024

defaults
    log global
    mode http
    option dontlognull
    option httpchk
    retries 3
    option redispatch
    maxconn 5000
    timeout connect 50s
    timeout client 30min
    timeout server 50s

.../...

frontend RDP
    mode tcp
    bind *:3389
    timeout client 1h
    timeout server 1h
    tcp-request inspect-delay 5s
    tcp-request content accept if RDP_COOKIE
    # use_backend bk_rdp
    default_backend bk_rdp

backend bk_rdp
    mode tcp
    balance leastconn
    #balance rdp_coockie
    timeout server 1h
    timeout connect 4s
    log global
    stick-table type string len 32 size 10k expire 1h peers pares
    stick on rdp_cookie(msthash)
    persist rdp-cookie
    # option tcp-check
    option ssl-hello-chk
    # option tcpka
    tcp-check connect port 3389 ssl
    server gr43sterminal01 10.104.22.142:3389 weight 1 check inter 2000 rise 2 fall 3
    server gr43sterminal02 10.104.23.141:3389 weight 1 check inter 2000 rise 2 fall 3

Thanks.

--
Antonio Trujillo Carmona
Network and systems technician.
Subdirección de Tecnologías de la Información y Comunicaciones
Servicio Andaluz de Salud. Consejería de Salud de la Junta de Andalucía
antonio.trujillo.s...@juntadeandalucia.es
Tel. +34 670947670 747670)
Re: ssl & default_backend
On 03/04/17 at 19:12, PiBa-NL wrote:
> Hi Antonio,
>
> On 3-4-2017 at 13:29, Antonio Trujillo Carmona wrote:
>> It's well documented that Windows XP with Internet Explorer doesn't support SNI, so I try to redirect the call through "default_backend", but I get ERROR-404; it works fine with all other combinations of OS/browser.
>> If I (only for test purposes) comment the four lines with "ssiiprovincial" (which means all the traffic must be redirected through default_backend) it doesn't work with any OS/browser.
>>
>> frontend Aplicaciones
>>     bind *:443
>>     mode tcp
>>     log global
>>     tcp-request inspect-delay 5s
>>     tcp-request content accept if { req_ssl_hello_type 1 }
>>     # Parameters for using SNI (Server Name Indication)
>>     acl aplicaciones req_ssl_sni -i aplicaciones.gra.sas.junta-andalucia.es
>>     acl citrixsf req_ssl_sni -i ssiiprovincial.gra.sas.junta-andalucia.es
>>     acl citrixsf req_ssl_sni -i ssiiprovincial01.gra.sas.junta-andalucia.es
>>     acl citrixsf req_ssl_sni -i ssiiprovincial.hvn.sas.junta-andalucia.es
>>     acl citrixsf req_ssl_sni -i ssiiprovincial01.hvn.sas.junta-andalucia.es
>>     use_backend CitrixSF-SSL if citrixsf
>>     use_backend SevidoresWeblogic-12c-Balanceador-SSL
> There is no acl for the backend above? So probably the default_backend below will never be reached.
> Could it be the above backend returns the 404 you're seeing?
>>     default_backend CitrixSF-SSL
>
> Regards,
> PiBa-NL

You are right, it's a mistake from making too many tests to get session affinity; at some moment I ate the "if aplicaciones".
Thanks.

--
Antonio Trujillo Carmona
Network and systems technician.
Subdirección de Tecnologías de la Información y Comunicaciones
Servicio Andaluz de Salud. Consejería de Salud de la Junta de Andalucía
antonio.trujillo.s...@juntadeandalucia.es
Tel. +34 670947670 747670)
Re: ssl & default_backend
On 31/03/17 at 20:26, Lukas Tribus wrote:
> Hello Antonio,
>
>
> On 31.03.2017 at 19:36, Antonio Trujillo Carmona wrote:
>> On 30/03/17 at 10:51:58, Antonio Trujillo Carmona wrote:
>>
>>> I'm trying to use haproxy for balancing Citrix.
>>>
>>> I tried with:
>>>
>>> acl aplicaciones req_ssl_sni -i aplicaciones.gra.sas.junta-andalucia.es
>>> acl citrixsf req_ssl_sni -i ssiiprovincial.hvn.sas.junta-andalucia.es
>>>
>>> use_backend CitrixSF-SSL if citrixsf
>>> use_backend SevidoresWeblogic-12c-Balanceador-SSL
>>> default_backend CitrixSF-SSL
>>>
>>> The goal is that Wpx which can't use SNI are redirected to CitrixSF-SSL.
>
> You did not tell us what Wpx is. We also don't know your complete
> configuration.
>
> Please post the complete configuration and the output of haproxy -vv.
>
>
>
>>>
>>> I try commenting acl req_ssl_sni (right now, I have no Wpx to test with) but
>>> I receive Error-404 Not Found.
>
> With that statement I don't know which of the above lines you
> commented. Can you explain?
>
> Haproxy never generates a "404 Not found" message, this comes from one
> of your backends.
>
>
>
>>
>> The issue of getting a different result when redirected from a use_backend or
>> from default_backend occurs on all equipment, Windows XP, 7 or even
>> Linux.
>> I can't understand it
>
> I don't understand what you are saying. I suggest you explain in a few
> sentences what you expect from haproxy, and then explain what the actual result
> is.
>
>
>
> Lukas
>

It's well documented that Windows XP with Internet Explorer doesn't support SNI, so I try to redirect the call through "default_backend", but I get ERROR-404; it works fine with all other combinations of OS/browser.
If I (only for test purposes) comment the four lines with "ssiiprovincial" (which means all the traffic must be redirected through default_backend) it doesn't work with any OS/browser.

# haproxy -vv
HA-Proxy version 1.5.18 2016/05/10
Copyright 2000-2016 Willy Tarreau <wi...@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

This is my configuration file:

#
# HAPROXY configuration file
#
global
    # This log is specific to RED HAT based systems
    log 127.0.0.1 local2 debug
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    node BALANCEADOR-PRINCIPAL

# to synchronise the session tables
peers pares
    #disable
    peer gr43stemis01 10.107.20.7:1024
    peer gr43stemis02 10.107.20.8:1024

defaults
    log global
    mode http
    option dontlognull
    option httpchk
    retries 3
    option redispatch
    maxconn 5000
    timeout connect 5s
    timeout client 15min
    timeout server 15s

frontend Estadisticas
    bind *:80
    option httplog
    mode http
    stats show-node
    stats enable
    # Option to redirect requests that arrive over http to https;
    # it can only be put in this frontend
    redirect scheme https if !{ ssl_fc }

frontend Aplicaciones
    bind *:443
    mode tcp
    log global
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # Parameters for using SNI (Server Name Indication)
    acl aplicaciones req_ssl_sni -i aplicaciones.gra.sas.junta-andalucia.es
    acl citrixsf req_ssl_sni -i ssiiprovincial.gra.sas.junta-andalucia.es
    acl citrixsf req_ssl_sni -i ssiiprovincial01.gra.sas.junta-andalucia.es
    acl citrixsf req_ssl_sni -i ssiiprovincial.hvn.sas.junta-andalucia.es
    acl citrixsf req
Re: ssl & default_backend
On 30/03/17 at 10:51:58, Antonio Trujillo Carmona wrote:
> I'm trying to use haproxy for balancing Citrix.
>
> I tried with:
>
> acl aplicaciones req_ssl_sni -i aplicaciones.gra.sas.junta-andalucia.es
> acl citrixsf req_ssl_sni -i ssiiprovincial.hvn.sas.junta-andalucia.es
>
> use_backend CitrixSF-SSL if citrixsf
> use_backend SevidoresWeblogic-12c-Balanceador-SSL
> default_backend CitrixSF-SSL
>
> The goal is that Wpx which can't use SNI are redirected to CitrixSF-SSL.
>
> I try commenting acl req_ssl_sni (right now, I have no Wpx to test with) but
> I receive Error-404 Not Found.
> Why?
> Thanks in advance.
>
> --
> *Antonio Trujillo Carmona*
> *Network and systems technician.*
> *Subdirección de Tecnologías de la Información y Comunicaciones*
> Servicio Andaluz de Salud. Consejería de Salud de la Junta de Andalucía
> _antonio.trujillo.s...@juntadeandalucia.es_
> Tel. +34 670947670 747670)

The issue of getting a different result when redirected from a use_backend or
from default_backend occurs on all equipment, Windows XP, 7 or even Linux.
I can't understand it
ssl & default_backend
I'm trying to use haproxy for balancing Citrix.

I tried with:

acl aplicaciones req_ssl_sni -i aplicaciones.gra.sas.junta-andalucia.es
acl citrixsf req_ssl_sni -i ssiiprovincial.hvn.sas.junta-andalucia.es

use_backend CitrixSF-SSL if citrixsf
use_backend SevidoresWeblogic-12c-Balanceador-SSL
default_backend CitrixSF-SSL

The goal is that Wpx which can't use SNI are redirected to CitrixSF-SSL.

I try commenting acl req_ssl_sni (right now, I have no Wpx to test with) but
I receive Error-404 Not Found.
Why?
Thanks in advance.

--
*Antonio Trujillo Carmona*
*Network and systems technician.*
*Subdirección de Tecnologías de la Información y Comunicaciones*
Servicio Andaluz de Salud. Consejería de Salud de la Junta de Andalucía
_antonio.trujillo.sspa@juntadeandalucia.es_
Tel. +34 670947670 747670)
dual check
In a haproxy with ssl-sni (not terminating ssl), I want to check the state of VMs which are under another haproxy, so I need "option httpchk GET /healthcheck" (https://www.mail-archive.com/haproxy@formilux.org/msg24823.html) or "option httpchk GET /testwebwls/check" (https://www.mail-archive.com/haproxy@formilux.org/msg24829.html).

But I need to use SSLID to keep session affinity, so I need "option ssl-hello-chk".

Can I use a double check? How do I do it?

Thanks.

--
*Antonio Trujillo Carmona*
*Network and systems technician.*
*Subdirección de Tecnologías de la Información y Comunicaciones*
Servicio Andaluz de Salud. Consejería de Salud de la Junta de Andalucía
_antonio.trujillo.sspa@juntadeandalucia.es_
Tel. +34 670947670 747670)
Re: haproxy cascade SOLVED
>
>>> Hi,
>>>
>>> On Fri, Feb 03, Antonio Trujillo Carmona wrote:
>>>> All this goes fine, but balancer A doesn't know the state of the virtual machine but
>>>> the state of haproxy in the server; due to this, if we stop VM1 and we look at the state in
>>>> balancer A we see the VM is OK, that is because Balancer A sees the state of
>>>> haproxy in server 1, not the VM1 status.
>>>>
>>>> So my question:
>>>> In this scenario:
>>>> |S1 [VM 1]|
>>>> |Hap-- |
>>>> |[balA (haproxy)]| | [VM 3]|
>>>> |keepalived |-
>>>> |[balB (haproxy)]| |S2 2 [VM 2]|
>>>> |Hap--
>>>> | [VM 4]|
>>>> How can I pass the state of the VMs to haproxy in balancers A and B?
>>>
>>>
>>> If I understand your question correctly you can use monitor-uri and
>>> monitor-fail on S1/S2 haproxy. And healthcheck the monitor-uri from
>>> balA/balB.
>>> (http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4-monitor-uri
>>> http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#nbsrv)
>>>
>>> So in S1/S2 haproxy:
>>> monitor-uri /healthcheck
>>> monitor-fail if { nbsrv(your_backend_name) lt 1 }
>>>
>>> And in balA/balB:
>>> option httpchk GET /healthcheck ...
>>> http-check expect status 200
>>>
>>> (http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4.2-option%20httpchk)
>>>
>>> -Jarno
>> Ok, I can understand the first part for S1/S2, but not the part for
>> balA/balB.
>> option httpchk GET /healthcheck http-check expect status 200
>> is it possible to make a http-check within a tcp connection?
>> We tried (prior to asking) with
>> option httpchk GET /testwebwls/check
>> (we made a process that returns ok and works fine in the non-SSL
>> structure), but it doesn't work. I guess it is due to a certificate issue:
>> the certificate name is "aplicaciones", aplicaciones is pointed by DNS to
>> S1/S2 haproxy, S1/S2 try to connect to "10.105.x.x:1443" and the certificate
>> is not valid for a server named "10.105.x.x", only for a server named
>> "aplicaciones".
>> With your proposal in the stats page we see all servers down with "LT7RSP"
>>
>> My configuration files are:
>>
>> In BalA/BalB
>> # haproxy -v
>> HA-Proxy version 1.5.18 2016/05/10
>> # cat /etc/haproxy/haproxy
>>
>> #
>> # HAPROXY configuration file
>> #
>> global
>>     log 127.0.0.1 local0 debug
>>     chroot /var/lib/haproxy
>>     user haproxy
>>     group haproxy
>>     daemon
>>     node BALANCEADOR-PRINCIPAL
>> defaults
>>     log global
>>     mode http
>>     option dontlognull
>>     option httpchk
>>     retries 3
>>     option redispatch
>>     maxconn 5000
>>     timeout connect 5s
>>     timeout client 15min
>>     timeout server 15s
>>     stats show-node
>>     stats enable
>>
>> frontend Jornasist
>>     bind 10.107.20.9:80
>>     option httplog
>>     mode http
>>     tcp-request inspect-delay 5s
>>     tcp-request content accept if { req_ssl_hello_type 1 }
>>     ##I leave this part in order to have stats
>>
>> FRONTEND FOR SSL ##
>>
>> frontend Aplicaciones
>>     bind *:443
>>     mode tcp
>>
>>     tcp-request inspect-delay 5s
>>     tcp-request content accept if { req_ssl_hello_type 1 }
>>
>>     acl aplicaciones req_ssl_sni -i aplicaciones.gra.sas.junta-andalucia.es
>>     acl citrixsf req_ssl_sni -i ssiiprovincial1.gra.sas.junta-andalucia.es
>>     use_backend CitrixSF-SSL if citrixsf
>>     use_backend SevidoresWeblogic-12c-Balanceador-SSL
>>     default_backend SevidoresWeblogic-12c-Balanceador-SSL
>>
>>
>> BACKEND OF THE WEBLOGIC PRE-PRODUCTION SERVERS #
>> ###this part works fine without SSL
>> #backend SevidoresWeblogic-12c-Balanceador
>> #    mode http
>> #    option httplog
>> #    stats enable
>> ##   option forwardfor
>> ##   cookie JSESSIONID prefix
>> #    cookie ServerID
Re: haproxy cascade
OK, I misunderstood you: option httpchk GET /healthcheck and http-check expect status 200 are on different rows, but it doesn't work either.

>> Hi,
>>
>> On Fri, Feb 03, Antonio Trujillo Carmona wrote:
>>> .../...
>>> How can I pass the state of the VMs to the haproxy on balancers A and B?
>>
>> If I understand your question correctly, you can use monitor-uri and
>> monitor-fail on the S1/S2 haproxy, and health-check the monitor-uri from
>> balA/balB.
>> (http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4-monitor-uri
>> http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#nbsrv)
>>
>> So in the S1/S2 haproxy:
>> monitor-uri /healthcheck
>> monitor-fail if { nbsrv(your_backend_name) lt 1 }
>>
>> And in balA/balB:
>> option httpchk GET /healthcheck ...
>> http-check expect status 200
>>
>> (http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4.2-option%20httpchk)
>>
>> -Jarno
>
> OK, I can understand the first part for S1/S2, but not the part for balA/balB.
> option httpchk GET /healthcheck http-check expect status 200
> Is it possible to make an http-check within a tcp connection?
>
> We tried (prior to asking) with
> option httpchk GET /testwebwls/check
> (we made a process that returns OK and works fine in the non-SSL structure), but
> it doesn't work. I guess it is due to a certificate issue: the certificate name is
> "aplicaciones", aplicaciones is pointed by DNS to the S1/S2 haproxy, S1/S2 try to
> connect to "10.105.x.x:1443" and the certificate is not valid for a server named
> "10.105.x.x", only for a server named "aplicaciones".
> With your proposal, in the stats page we see all servers down with "LT7RSP".
>
> My configuration files are:
>
> In BalA/BalB
> # haproxy -v
> HA-Proxy version 1.5.18 2016/05/10
> # cat /etc/haproxy/haproxy
> .../...
RE:haproxy cascade
> Hi,
>
> On Fri, Feb 03, Antonio Trujillo Carmona wrote:
>> .../...
>> How can I pass the state of the VMs to the haproxy on balancers A and B?
>
> If I understand your question correctly, you can use monitor-uri and
> monitor-fail on the S1/S2 haproxy, and health-check the monitor-uri from
> balA/balB.
> (http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4-monitor-uri
> http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#nbsrv)
>
> So in the S1/S2 haproxy:
> monitor-uri /healthcheck
> monitor-fail if { nbsrv(your_backend_name) lt 1 }
>
> And in balA/balB:
> option httpchk GET /healthcheck ...
> http-check expect status 200
>
> (http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4.2-option%20httpchk)
>
> -Jarno

OK, I can understand the first part for S1/S2, but not the part for balA/balB.
option httpchk GET /healthcheck http-check expect status 200
Is it possible to make an http-check within a tcp connection?

We tried (prior to asking) with
option httpchk GET /testwebwls/check
(we made a process that returns OK and works fine in the non-SSL structure), but it doesn't work. I guess it is due to a certificate issue: the certificate name is "aplicaciones", aplicaciones is pointed by DNS to the S1/S2 haproxy, S1/S2 try to connect to "10.105.x.x:1443" and the certificate is not valid for a server named "10.105.x.x", only for a server named "aplicaciones".
With your proposal, in the stats page we see all servers down with "LT7RSP".

My configuration files are:

In BalA/BalB
# haproxy -v
HA-Proxy version 1.5.18 2016/05/10
# cat /etc/haproxy/haproxy

#
# HAProxy configuration file
#
global
    log 127.0.0.1 local0 debug
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    node BALANCEADOR-PRINCIPAL

defaults
    log global
    mode http
    option dontlognull
    option httpchk
    retries 3
    option redispatch
    maxconn 5000
    timeout connect 5s
    timeout client 15min
    timeout server 15s
    stats show-node
    stats enable

frontend Jornasist
    bind 10.107.20.9:80
    option httplog
    mode http
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    ## I leave this part in order to have stats

## FRONTEND FOR SSL ##

frontend Aplicaciones
    bind *:443
    mode tcp

    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    acl aplicaciones req_ssl_sni -i aplicaciones.gra.sas.junta-andalucia.es
    acl citrixsf req_ssl_sni -i ssiiprovincial1.gra.sas.junta-andalucia.es
    use_backend CitrixSF-SSL if citrixsf
    use_backend SevidoresWeblogic-12c-Balanceador-SSL
    default_backend SevidoresWeblogic-12c-Balanceador-SSL

## BACKEND FOR THE PRE-PRODUCTION WEBLOGIC SERVERS ##
### this part works fine without SSL
#backend SevidoresWeblogic-12c-Balanceador
#    mode http
#    option httplog
#    stats enable
##    option forwardfor
##    cookie JSESSIONID prefix
#    cookie ServerID insert nocache indirect
#    option httpchk GET /testwebwls/check
#    balance roundrobin
#    server ServerManager1-nodo1 10.105.15.112:8001 check inter 3000 cookie ServerManager1-nodo1
#    server ServerManager2-nodo2 10.105.15.113:8002 check inter 3000 cookie ServerManager2-nodo2
#    server ServerManager3-nodo1 10.105.15.112:8003 check inter 3000 cookie ServerManager3-nodo1
#    server ServerManager4-nodo2 10.105.15.113:8004 check inter 3000 cookie ServerManager4-nodo2

## BACKEND FOR THE PRE-PRODUCTION WEBLOGIC SERVERS, SSL ##
backend SevidoresWeblogic-12c-Balanceador-SSL
    mode tcp
    balance roundrobin
    # maximum SSL session ID length is 32 bytes.
    stick-table type binary len 32 size 30k expire 30m
    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2
    # use tcp content accepts to detect ssl client and server hello.
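The certificate question in the message above can be settled by running the layer-7 check by hand. The script below is an added example, not code from the thread or from the HAProxy project: it dials the TLS listener on S1/S2 by IP, sends the same request that `option httpchk GET /healthcheck HTTP/1.0\r\nHost:\ aplicaciones.gra.sas.junta-andalucia.es` would put on the wire, and applies `http-check expect status 200` to the reply. The hostname and the 1443 port come from the thread; the CA file path is an assumption. The point it makes is that the certificate is validated against the name handed to the TLS layer (`server_hostname`, the counterpart of HAProxy's `verifyhost`), never against the IP the socket connects to, so a certificate issued to "aplicaciones" verifies fine when you connect to 10.105.x.x as long as you tell the checker which name to expect. The sample replies in the test are constructed; a TLS alert record is included because that is what a cleartext check sent to a TLS port gets back, and it is classified the way the stats page shows it, as L7RSP.

```python
"""Added example: run balA/balB's layer-7 check against the TLS-terminating
haproxy on S1/S2 by hand (names and ports from the thread; CA path assumed)."""
import socket
import ssl
from typing import Optional, Tuple

CHECK_HOST = "aplicaciones.gra.sas.junta-andalucia.es"  # name on the certificate
CHECK_PATH = "/healthcheck"                               # monitor-uri on S1/S2
CA_FILE = "/etc/haproxy/ca/internal-ca.pem"               # assumed issuing-CA bundle


def build_context(verify: bool, ca_file: Optional[str] = CA_FILE) -> ssl.SSLContext:
    """Mirror the two server-line choices: 'verify required ca-file X verifyhost N'
    (verify=True) or 'verify none' (verify=False)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if verify:
        if ca_file:
            ctx.load_verify_locations(cafile=ca_file)
        # check_hostname stays True: the chain is validated and the leaf must
        # name CHECK_HOST, whatever address we connected to.
    else:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def check_request(path: str = CHECK_PATH, host: str = CHECK_HOST) -> bytes:
    """Bytes that 'option httpchk GET /healthcheck HTTP/1.0\\r\\nHost:\\ <name>' sends."""
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def classify_response(raw: bytes) -> Tuple[str, str]:
    """Apply 'http-check expect status 200' and label the result with the code
    HAProxy's stats page shows for it (L7OK, L7STS, L7RSP)."""
    status_line = raw.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        # Not an HTTP reply at all. A cleartext check sent to a TLS port gets a
        # TLS alert record back and lands here: "L7RSP" on the stats page.
        return ("DOWN", "L7RSP")
    status = parts[1].decode("ascii")
    if status == "200":
        return ("UP", "L7OK 200")
    return ("DOWN", "L7STS " + status)  # e.g. 503 once monitor-fail has triggered


def probe(addr: str, port: int, verify: bool = True, timeout: float = 5.0) -> Tuple[str, str]:
    """Dial addr:port (an IP is fine), send SNI and verify against CHECK_HOST,
    issue the check request and classify the reply. Needs network access."""
    ctx = build_context(verify)
    try:
        with socket.create_connection((addr, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=CHECK_HOST) as tls:
                tls.sendall(check_request())
                chunks = []
                while True:
                    data = tls.recv(4096)
                    if not data:
                        break
                    chunks.append(data)
    except ssl.SSLError as exc:
        # Handshake or verification failure: HAProxy files these under the
        # layer-6 codes (L6RSP / L6TOUT), not under layer 7.
        return ("DOWN", "L6RSP %s" % (exc.reason or exc))
    return classify_response(b"".join(chunks))


if __name__ == "__main__":
    import sys
    # usage: python3 probe.py 10.105.15.112 1443 [--no-verify]
    target, target_port = sys.argv[1], int(sys.argv[2])
    print(probe(target, target_port, verify="--no-verify" not in sys.argv[3:]))
```

Run it once with verification and once with `--no-verify`: if only the second run reports UP, the listener is fine and balA merely lacks a CA file and a `verifyhost`; if both fail with L7RSP, the check is still being sent in cleartext and needs `check-ssl` on the server line.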
haproxy cascade
Hello. First, thanks for your work, and sorry for my bad English.

In my work (a hospital) we are trying to move all the connections to SSL. We have:

  [balancer A (haproxy + keepalived)] \     / server 1 -- [VM 1] [VM 3]
                                       |---|
  [balancer B (haproxy + keepalived)] /     \ server 2 -- [VM 2] [VM 4]

All the machines run OEL; the servers run WebLogic (something very similar to Tomcat, from Oracle); the VMs are Java virtual machines.

We have DR (direct routing response) implemented, in order to reduce traffic on the net. A request from the net to port 443 is balanced to server 1 port 8881 or 8883, or to server 2 port 8882 or 8884.

In order to implement SSL without losing DR we use the SNI protocol in the balancer and install another HAProxy on the server to do the SSL termination, so a request from the net to port 443 is balanced to server 1 port 1443 or 3443, or to server 2 port 2443 or 4443, and on server 1 haproxy terminates SSL and has 2 listens: one bound to port 1443 sending to 127.0.0.1:8881, the other bound to port 3443 sending to 127.0.0.1:8883.

All this goes fine, but balancer A doesn't know the state of the virtual machine, only the state of the haproxy on the server; because of this, if we stop VM1 and look at the state on balancer A we see the VM as OK, since balancer A sees the state of the haproxy on server 1, not the status of VM1.

So my question, in this scenario:

  [balA (haproxy)] \     / S1: Hap -- [VM 1] [VM 3]
    keepalived      |---|
  [balB (haproxy)] /     \ S2: Hap -- [VM 2] [VM 4]

How can I pass the state of the VMs to the haproxy on balancers A and B?

Thanks in advance.

---
*Antonio Trujillo Carmona*
*Network and systems technician.*
*Information and Communication Technologies Sub-directorate*
Servicio Andaluz de Salud. Consejería de Salud de la Junta de Andalucía
_antonio.trujillo.sspa@juntadeandalucia.es_
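The two halves of the thread, Jarno's monitor-uri suggestion and the SSL-terminating layout described in this first message, fit together as follows. This is an added example written for the thread, not configuration taken from it or from the HAProxy project. Ports and loopback targets (1443/3443 to 127.0.0.1:8881/8883 on server 1, 2443/4443 to 8882/8884 on server 2) are from this message; 10.105.15.112 and 10.105.15.113 are assumed to be server 1 and server 2, the hosts behind the commented-out non-SSL server lines; the certificate, CA file paths and section names are assumptions. The balancer side is written for the HA-Proxy 1.5.18 in the thread, so it uses `check-ssl` plus `verify required`/`verifyhost` rather than the `check-sni` option that only later versions carry. The name on the certificate is aplicaciones.gra.sas.junta-andalucia.es; with `verify required` HAProxy validates the chain against `ca-file` and the name against `verifyhost`, and the IP on the server line never enters into it, which is the mismatch the later message worried about. `verify none` would also make the check pass, but then nothing proves which host answered the probe.

```haproxy
# ---- S1: TLS termination in front of the managed servers on this host ----
# Same layout on S2 with ports 2443/4443 and 127.0.0.1:8882/8884.
global
    log 127.0.0.1 local0
    daemon

defaults
    mode http
    log global
    timeout connect 5s
    timeout client 15m
    timeout server 15m

listen vm1-ssl
    # certificate path is an assumption
    bind *:1443 ssl crt /etc/haproxy/certs/aplicaciones.pem
    # haproxy itself answers /healthcheck: 200 while nbsrv >= 1, 503 otherwise,
    # so the balancer sees VM state instead of "the haproxy on S1 is up".
    monitor-uri /healthcheck
    monitor-fail if { nbsrv(vm1-ssl) lt 1 }
    # the application's own check page, as in the thread's non-SSL backend
    option httpchk GET /testwebwls/check HTTP/1.0
    http-check expect status 200
    server vm1 127.0.0.1:8881 check inter 3s rise 2 fall 3

listen vm3-ssl
    bind *:3443 ssl crt /etc/haproxy/certs/aplicaciones.pem
    monitor-uri /healthcheck
    monitor-fail if { nbsrv(vm3-ssl) lt 1 }
    option httpchk GET /testwebwls/check HTTP/1.0
    http-check expect status 200
    server vm3 127.0.0.1:8883 check inter 3s rise 2 fall 3

# ---- balA / balB (HA-Proxy 1.5.18, tcp-mode SNI pass-through) ----
backend SevidoresWeblogic-12c-Balanceador-SSL
    mode tcp
    balance roundrobin
    # the stick-table and the clienthello/serverhello ACLs from the
    # posted configuration stay as they are; only the check changes.
    # Client traffic is passed through untouched, but the check itself is
    # HTTPS: check-ssl wraps it in TLS and the URI is the monitor-uri on S1/S2.
    option httpchk GET /healthcheck HTTP/1.0\r\nHost:\ aplicaciones.gra.sas.junta-andalucia.es
    http-check expect status 200
    # ca-file must contain the CA that issued the "aplicaciones" certificate
    # (or that certificate itself if it is self-signed); path assumed.
    server S1-vm1 10.105.15.112:1443 check check-ssl inter 3s rise 2 fall 3 verify required ca-file /etc/haproxy/ca/internal-ca.pem verifyhost aplicaciones.gra.sas.junta-andalucia.es
    server S1-vm3 10.105.15.112:3443 check check-ssl inter 3s rise 2 fall 3 verify required ca-file /etc/haproxy/ca/internal-ca.pem verifyhost aplicaciones.gra.sas.junta-andalucia.es
    server S2-vm2 10.105.15.113:2443 check check-ssl inter 3s rise 2 fall 3 verify required ca-file /etc/haproxy/ca/internal-ca.pem verifyhost aplicaciones.gra.sas.junta-andalucia.es
    server S2-vm4 10.105.15.113:4443 check check-ssl inter 3s rise 2 fall 3 verify required ca-file /etc/haproxy/ca/internal-ca.pem verifyhost aplicaciones.gra.sas.junta-andalucia.es
```

Validate each file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. On the balancer's stats page the four servers should show L7OK; stopping VM1 turns S1-vm1 to L7STS 503 within `fall` times `inter`, while the other three stay up. A server that shows L7RSP instead is being checked in cleartext against the TLS port, i.e. `check-ssl` is missing. Note also that the bare `option httpchk` in the posted `defaults` section applies to every backend, including CitrixSF-SSL, so each backend that should not receive an `OPTIONS /` probe needs its own check or `no option httpchk`.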