Re: [PATCH v8] MEDIUM: Add port_to_str helper
Hi Lukas,

On 16/06/14 14:22, Lukas Tribus wrote:

Hi,

Maybe a stupid question but if I download version 1.5-dev26, all the latest patches are present in this version or should I apply too?

No, dev26 was released May, 28th and doesn't contain any newer code. To get more current code I suggest to use git, you just need 2 commands:

initial clone of the repository:
    ~$ git clone http://git.haproxy.org/git/haproxy.git/

updating the repository:
    ~/haproxy$ git pull

Also, nightly snapshots are built from the repository at [1], if you don't want to use git.

Ok, thank you very much, it's very clear!

Kind regards,
Christophe
Re: [PATCH v8] MEDIUM: Add port_to_str helper
Hi,

Maybe a stupid question but if I download version 1.5-dev26, all the latest patches are present in this version or should I apply too?

Thanks for your help.

Kind regards,
Christophe

On 16/06/14 10:11, Willy Tarreau wrote:

On Mon, Jun 16, 2014 at 09:39:41AM +0900, Simon Horman wrote:

This helper is similar to addr_to_str but tries to convert the port rather than the address of a struct sockaddr_storage. This is in preparation for supporting an external agent check.

Signed-off-by: Simon Horman ho...@verge.net.au

Thank you Simon, patch applied now!

Willy
haproxy and mobile devices
Hi, I'd like to know if I need to adapt the haproxy config file for mobile devices? We have a lot of customers who encounter problems with our application and I try to find the problem. Thanks for your help. Kind regards, Christophe
Re: haproxy and mobile devices
Hi,

It's a very strange problem. Some of our users have a blank page when they try to connect to our application but no more information (very easy to debug). I think it's in HTTP, not in HTTPS. I continue to test but I've no problem with my iPad.

Thanks for your help.

Christophe

On 16/09/13 16:24, david rene comba lareu shadow.of.sou...@gmail.com wrote:

Hi,

What problems do you have? I'd have some problems with SSL as on mobile devices (saying that the site is not signed by a trusted authority) doesn't have all the cross root CA for the certificate and I solved it just adding it to the PEM.

Regards.

2013/9/16 Christophe Rahier christo...@qualifio.com:

Hi,

I'd like to know if I need to adapt the haproxy config file for mobile devices? We have a lot of customers who encounter problems with our application and I try to find the problem.

Thanks for your help.

Kind regards,
Christophe
Sessions when a server doesn't answer anymore
Hi, I try to be clear with my question :-) Our haproxy is in front of 3 IIS web servers. When a server is down, haproxy doesn't send any traffic to this server, it's ok. Users needs to log again in our application. When this server comes alive, users who previously logged (via this server) need to log again in our application as if haproxy closed their current session and wants to reconnect them to this server. How can I avoid this? Thanks for your help. Regards, Christophe
Re: Sessions when a server doesn't answer anymore
Hi Chris,

In fact, in our case, we need to store Coldfusion sessions …

Christophe

From: Chris Sarginson ch...@sargy.co.uk
Date: Tuesday 26 March 2013 10:43
To: Christophe Rahier christo...@qualifio.com
Cc: haproxy@formilux.org
Subject: Re: Sessions when a server doesn't answer anymore

You would probably need to look at something like this:

http://technet.microsoft.com/en-us/library/cc753897(v=ws.10).aspx

Storing sessions from IIS in an SQL db will allow them to be accessible from any of your servers.

Chris

On 26/03/2013 09:16, Christophe Rahier wrote:

Hi,

I try to be clear with my question :-) Our haproxy is in front of 3 IIS web servers. When a server is down, haproxy doesn't send any traffic to this server, it's ok. Users needs to log again in our application. When this server comes alive, users who previously logged (via this server) need to log again in our application as if haproxy closed their current session and wants to reconnect them to this server. How can I avoid this?

Thanks for your help.

Regards,
Christophe
Re: Sessions when a server doesn't answer anymore
Hi Baptiste,

Here's my config file:

    global
        daemon
        maxconn 1
        stats socket /var/run/haproxy.sock level admin mode 600
        stats timeout 1m
        log 127.0.0.1 local5 info

    defaults
        log global
        option tcplog
        option dontlog-normal
        #option dontlognull
        retries 2
        timeout client 90s
        timeout server 250s
        timeout connect 30s
        timeout http-keep-alive 30s

    frontend Managers-Farm
        mode http
        option forwardfor
        option httplog
        option http-server-close
        reqadd X-Forwarded-Proto:\ https
        bind 192.168.0.3:443 ssl crt /etc/haproxy/keyHA.pem ciphers RC4:HIGH:!aNULL:!MD5
        bind 192.168.0.3:80
        default_backend Managers

    backend Managers
        mode http
        server Manager01 192.168.0.60:80 check on-marked-down shutdown-sessions
        server Manager02 192.168.0.61:80 check on-marked-down shutdown-sessions
        server Manager03 192.168.0.62:80 check on-marked-down shutdown-sessions
        option httpchk HEAD /cfadmin/ping.cfm HTTP/1.0
        stats enable
        balance source

    listen info 192.168.0.3:91
        mode http
        balance source
        stats uri /

Thanks for your help.

Christophe

On 26/03/13 11:11, Baptiste bed...@gmail.com wrote:

Hi Christophe,

This issue should not happen. Please share your backend configuration here.

Baptiste

On Tue, Mar 26, 2013 at 10:43 AM, Chris Sarginson ch...@sargy.co.uk wrote:

You would probably need to look at something like this:

http://technet.microsoft.com/en-us/library/cc753897(v=ws.10).aspx

Storing sessions from IIS in an SQL db will allow them to be accessible from any of your servers.

Chris

On 26/03/2013 09:16, Christophe Rahier wrote:

Hi,

I try to be clear with my question :-) Our haproxy is in front of 3 IIS web servers. When a server is down, haproxy doesn't send any traffic to this server, it's ok. Users needs to log again in our application. When this server comes alive, users who previously logged (via this server) need to log again in our application as if haproxy closed their current session and wants to reconnect them to this server. How can I avoid this?

Thanks for your help.

Regards,
Christophe
Re: Sessions when a server doesn't answer anymore
Hi Baptiste,

Thanks for your help and your analyse. I will test the cookie, I first need to read the documentation :-)

Best regards,
Christophe

On 26/03/13 15:37, Baptiste bed...@gmail.com wrote:

    backend Managers
        mode http
        server Manager01 192.168.0.60:80 check on-marked-down shutdown-sessions
        server Manager02 192.168.0.61:80 check on-marked-down shutdown-sessions
        server Manager03 192.168.0.62:80 check on-marked-down shutdown-sessions
        option httpchk HEAD /cfadmin/ping.cfm HTTP/1.0
        stats enable
        balance source

Hi Christophe,

There were two main reason why you could observe such behavior:
#1 cookie persistence with several server sharing the same cookie value
#2 a source IP hash persistence

With source hash, you stick a session to a server as long as the number of servers in the farm remains the same. When it changes, then the hash changes and everybody is balanced...

A better solution would to use consistent hashing (hash-type consistent). But using this method, you may still balance people connected to the failed server. And balance them back to the server when it wakes up...

For source IP persistence, the best solution would to use a round-robin algorithm and a stick table for persistence. that way, when server goes down, you're balanced, that's normal, when the server comes back, only new sessions can reach him. Sticked one remains on their attributed server.

Actually, the best would to do cookie based persistence, either through cookie insert or cookie prefix.

Baptiste
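The difference Baptiste describes between source-hash persistence and round-robin with a stick table, as an added simulation that is not part of the thread and is not HAProxy code. The hash function, the modulo mapping and the `StickTable` class are simplified stand-ins, and the client addresses are constructed; only the server names come from the posted backend.

```python
import hashlib

SERVERS = ["Manager01", "Manager02", "Manager03"]   # names from the thread's backend


def _h(ip):
    """Deterministic 32-bit hash of the client address (stand-in for HAProxy's own)."""
    return int.from_bytes(hashlib.sha256(ip.encode()).digest()[:4], "big")


def pick_source_hash(ip, up):
    """Simplified 'balance source': hash modulo the number of servers currently up."""
    return up[_h(ip) % len(up)]


class StickTable:
    """Simplified round-robin balancing with a stick table keyed on source IP."""

    def __init__(self):
        self.entries = {}
        self.rr = 0

    def pick(self, ip, up):
        srv = self.entries.get(ip)
        if srv not in up:                  # no entry yet, or its server is down
            srv = up[self.rr % len(up)]
            self.rr += 1
            self.entries[ip] = srv
        return srv


def simulate(clients, failed="Manager02"):
    """Run every client through three phases: all up, one server down, all up again."""
    phases = [SERVERS, [s for s in SERVERS if s != failed], SERVERS]
    pickers = {"source": pick_source_hash, "stick": StickTable().pick}
    report = {}
    for name, pick in pickers.items():
        before, during, after = [[pick(ip, up) for ip in clients] for up in phases]
        report[name] = {
            # clients that had to move because their server died
            "on_failed_server": before.count(failed),
            # clients on a healthy server that were moved anyway during the outage
            "healthy_clients_moved": sum(
                1 for b, d in zip(before, during) if b != failed and b != d),
            # clients moved a second time when the server came back
            "moved_on_recovery": sum(1 for d, a in zip(during, after) if d != a),
        }
    return report


# Constructed client addresses (documentation range), not taken from the thread.
CLIENTS = ["203.0.113.%d" % i for i in range(1, 201)]

if __name__ == "__main__":
    for strategy, counts in simulate(CLIENTS).items():
        print(strategy, counts)
```

Each move in the report corresponds to a user landing on a server that does not hold their application session, which is the forced re-login described in the original question.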
haproxy and SSL
Hi,

Actually, I configured haproxy to decrypt traffic SSL between haproxy and http servers. Of course, it works fine ;-)

If I test our config with https://www.ssllabs.com/ssltest, I've this error:

BEAST attack Vulnerable INSECURE (more info https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls)

How would it be possible to correct this issue? I could correct this problem directly on the web servers with this program: https://www.nartac.com/Products/IISCrypto/Default.aspx

Thanks for your help.

Regards,
Christophe
Re: haproxy and SSL
Hi Simon,

Thanks I didn't see it. :-)

Regards,
Christophe

From: Simon Dick sim...@irrelevant.org
Date: Tuesday 26 February 2013 10:29
To: Christophe Rahier christo...@qualifio.com
Cc: haproxy@formilux.org
Subject: Re: haproxy and SSL

This article may be useful:

http://blog.exceliance.fr/2013/01/21/mitigating-the-ssl-beast-attack-using-the-aloha-load-balancer-haproxy/

On 26 February 2013 08:39, Christophe Rahier christo...@qualifio.com wrote:

Hi,

Actually, I configured haproxy to decrypt traffic SSL between haproxy and http servers. Of course, it works fine ;-)

If I test our config with https://www.ssllabs.com/ssltest, I've this error:

BEAST attack Vulnerable INSECURE (more info https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls)

How would it be possible to correct this issue? I could correct this problem directly on the web servers with this program: https://www.nartac.com/Products/IISCrypto/Default.aspx

Thanks for your help.

Regards,
Christophe
Question about stats screen
Hi,

I have a question about the stats screen.

Just a small description: we use a Vmware infrastructure. Haproxy is installed on a VM (Debian 6) in front of 13 Windows 2008R2 servers (IIS 7.5)

When I see the column Errors - Resp, I can see many errors. I do not understand where the problem is located. Different web servers are not very busy, no problem with disk i/o, nothing special in the network.

Here's my configuration file.

Thanks for your help.

Regards,
Christophe

    global
        daemon
        maxconn 1
        stats socket /var/run/haproxy.sock level admin mode 600
        stats timeout 1m
        log 192.168.0.2 local0
        log 127.0.0.1 local1 notice

    defaults
        log global
        option tcplog
        option dontlog-normal
        retries 2
        timeout client 60s
        timeout server 150s
        timeout connect 5s
        timeout http-keep-alive 10s

    frontend Players-Farm
        mode http
        option forwardfor
        option httplog
        option http-server-close
        bind 192.168.0.2:443 ssl crt /etc/haproxy/keyHA.pem
        bind 192.168.0.2:80
        default_backend Players

    backend Players
        mode http
        server Player1 192.168.0.10:80 check on-marked-down shutdown-sessions
        server Player2 192.168.0.11:80 check on-marked-down shutdown-sessions
        server Player3 192.168.0.12:80 check on-marked-down shutdown-sessions
        server Player4 192.168.0.13:80 check on-marked-down shutdown-sessions
        server Player5 192.168.0.14:80 check on-marked-down shutdown-sessions
        server Player6 192.168.0.15:80 check on-marked-down shutdown-sessions
        server Player7 192.168.0.16:80 check on-marked-down shutdown-sessions
        server Player8 192.168.0.17:80 check on-marked-down shutdown-sessions
        server Player9 192.168.0.18:80 check on-marked-down shutdown-sessions
        server Player10 192.168.0.19:80 check on-marked-down shutdown-sessions
        option httpchk HEAD /cfadmin/ping.cfm HTTP/1.0
        stats enable
        balance source

    frontend Managers-Farm
        #capture response header Location len 64
        mode http
        option forwardfor
        option httplog
        option http-server-close
        reqadd X-Forwarded-Proto:\ https
        bind 192.168.0.2:444 ssl crt /etc/haproxy/keyHA.pem
        bind 192.168.0.2:81
        default_backend Managers

    backend Managers
        mode http
        server Manager01 192.168.0.60:80 check on-marked-down shutdown-sessions
        server Manager02 192.168.0.61:80 check on-marked-down shutdown-sessions
        server Manager03 192.168.0.62:80 check on-marked-down shutdown-sessions
        #server Manager4 192.168.0.64:80 check on-marked-down shutdown-sessions
        option httpchk HEAD /cfadmin/ping.cfm HTTP/1.0
        stats enable
        balance source

    listen info 192.168.0.2:90
        mode http
        balance source
        stats uri /
Re: Need your help for error message too many redirects
Hi Cyril,

Behind haproxy, I have 3 IIS servers. I installed an ISAPI filter called F5XForwardedFor. It's very strange, I don't have any problems with the other frontend/backend in the same instance. I continue to search.

Thanks for your help!!

Christophe

On 17/12/12 22:13, « Cyril Bonté » cyril.bo...@free.fr wrote:

Hi Christophe,

On 14/12/2012 14:27, Christophe Rahier wrote:

Hi Baptiste, I tried to configure it but I'm not a Linux specialist ;-) Here's what I can find in my log file:

    Dec 14 14:25:13 lbhatest haproxy[1758]: 212.123.23.228:9163 [14/Dec/2012:14:25:13.233] Managers-Farm~ Managers-Farm/NOSRV -1/-1/-1/-1/39 400 210 - - CR-- 0/0/0/0/0 0/0 {} BADREQ
    Dec 14 14:25:15 lbhatest haproxy[1758]: 212.123.23.228:9164 [14/Dec/2012:14:25:15.447] Managers-Farm~ Managers-Farm/NOSRV -1/-1/-1/-1/18 400 210 - - CR-- 0/0/0/0/0 0/0 {} BADREQ

Does it help you?

I'm not sure those logs concern your too many redirects.

However, talking about too many redirects, it makes me think of a common issue with applications behind a SSL terminator/accelerator/... It can sometimes become a nightmare for the administrators when the developers provide their application for the first time :-)

The rule is quite simple : you have to know what you're running on the backends to know what configuration to apply. Easy to say, I know.

As haproxy is the SSL terminator, your web server receives a plain unencrypted HTTP request. Some applications can decide that the HTTP request should be immediately redirected to an URL prefixed with a https scheme to secure the communication. And here comes the loop.

To prevent this, it depends on the application (and other intermediary modules like mod_jk and others). For some applications, simply adding

    reqadd X-Forwarded-Proto:\ https

in the haproxy configuration will solve the issue. In some other cases, adding the header is not sufficient and you have to set an environment variable in apache (assuming you're using it). Example :

    SetEnvIf X-Forwarded-Proto https HTTPS=on

But that's where you have to know what framework is used in your application. There is no standard : I've already met some frameworks where the value is case sensitive, waiting for :

    HTTPS=ON

some others waiting for :

    HTTPS=On

and still some others requiring :

    HTTPS=1

And I don't talk about frameworks that require something else than X-Forwarded-Proto ;-)

I hope this will help a bit.

--
Cyril Bonté
Re: Need your help for error message too many redirects
Hi,

Finally, after a lot of tests, I identified the problem. I adapted our application and now, all is ok.

Thanks for your help and your suggestions.

Regards,
Christophe

On 18/12/12 10:02, « Christophe Rahier » christo...@qualifio.com wrote:

Hi Cyril,

Behind haproxy, I have 3 IIS servers. I installed an ISAPI filter called F5XForwardedFor. It's very strange, I don't have any problems with the other frontend/backend in the same instance. I continue to search.

Thanks for your help!!

Christophe

On 17/12/12 22:13, « Cyril Bonté » cyril.bo...@free.fr wrote:

Hi Christophe,

On 14/12/2012 14:27, Christophe Rahier wrote:

Hi Baptiste, I tried to configure it but I'm not a Linux specialist ;-) Here's what I can find in my log file:

    Dec 14 14:25:13 lbhatest haproxy[1758]: 212.123.23.228:9163 [14/Dec/2012:14:25:13.233] Managers-Farm~ Managers-Farm/NOSRV -1/-1/-1/-1/39 400 210 - - CR-- 0/0/0/0/0 0/0 {} BADREQ
    Dec 14 14:25:15 lbhatest haproxy[1758]: 212.123.23.228:9164 [14/Dec/2012:14:25:15.447] Managers-Farm~ Managers-Farm/NOSRV -1/-1/-1/-1/18 400 210 - - CR-- 0/0/0/0/0 0/0 {} BADREQ

Does it help you?

I'm not sure those logs concern your too many redirects.

However, talking about too many redirects, it makes me think of a common issue with applications behind a SSL terminator/accelerator/... It can sometimes become a nightmare for the administrators when the developers provide their application for the first time :-)

The rule is quite simple : you have to know what you're running on the backends to know what configuration to apply. Easy to say, I know.

As haproxy is the SSL terminator, your web server receives a plain unencrypted HTTP request. Some applications can decide that the HTTP request should be immediately redirected to an URL prefixed with a https scheme to secure the communication. And here comes the loop.

To prevent this, it depends on the application (and other intermediary modules like mod_jk and others). For some applications, simply adding

    reqadd X-Forwarded-Proto:\ https

in the haproxy configuration will solve the issue. In some other cases, adding the header is not sufficient and you have to set an environment variable in apache (assuming you're using it). Example :

    SetEnvIf X-Forwarded-Proto https HTTPS=on

But that's where you have to know what framework is used in your application. There is no standard : I've already met some frameworks where the value is case sensitive, waiting for :

    HTTPS=ON

some others waiting for :

    HTTPS=On

and still some others requiring :

    HTTPS=1

And I don't talk about frameworks that require something else than X-Forwarded-Proto ;-)

I hope this will help a bit.

--
Cyril Bonté
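The redirect loop Cyril describes, modelled end to end as an added example; it is not code from the thread. The backend's behaviour (force HTTPS, trust `X-Forwarded-Proto`), the host name and the redirect limit are assumptions. The `always` mode mirrors the posted frontends, where `reqadd X-Forwarded-Proto:\ https` sits in a frontend that binds both an `ssl` port and a plain port; `tls-only` models adding the header only for connections accepted over TLS.

```python
from urllib.parse import urlsplit

HOST = "managers.example.test"      # placeholder host name, not from the thread


def backend_app(path, headers):
    """Backend that insists on HTTPS. It only ever receives plain HTTP from the
    proxy, so the forwarded header is its sole evidence (assumed behaviour)."""
    if headers.get("X-Forwarded-Proto") == "https":
        return 200, None
    return 302, "https://%s%s" % (HOST, path)


def proxy(scheme, path, mode):
    """TLS terminator. 'scheme' is what the client used to reach the proxy.

    mode 'none'     : no header is added
    mode 'always'   : header added on every request, TLS or not
    mode 'tls-only' : header added only when the client connection used TLS
    """
    headers = {}
    if mode == "always" or (mode == "tls-only" and scheme == "https"):
        headers["X-Forwarded-Proto"] = "https"
    return backend_app(path, headers)


def browse(url, mode, max_redirects=20):
    """Follow redirects the way a browser would, giving up after max_redirects."""
    for followed in range(max_redirects + 1):
        parts = urlsplit(url)
        status, location = proxy(parts.scheme, parts.path or "/", mode)
        if status != 302:
            return {"status": status, "redirects": followed,
                    "final_scheme": parts.scheme}
        url = location
    return {"status": "too many redirects", "redirects": max_redirects,
            "final_scheme": urlsplit(url).scheme}


if __name__ == "__main__":
    for start in ("https", "http"):
        for mode in ("none", "always", "tls-only"):
            print(start, mode, browse("%s://%s/" % (start, HOST), mode))
```

With `always`, a request that arrives over plain HTTP is answered with 200 and never upgraded, because the backend is told it was HTTPS; with `tls-only` the same request is redirected once and then served over TLS.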
Re: Need your help for error message too many redirects
Hi Baptiste,

I tried to configure it but I'm not a Linux specialist ;-) Here's what I can find in my log file:

    Dec 14 14:25:13 lbhatest haproxy[1758]: 212.123.23.228:9163 [14/Dec/2012:14:25:13.233] Managers-Farm~ Managers-Farm/NOSRV -1/-1/-1/-1/39 400 210 - - CR-- 0/0/0/0/0 0/0 {} BADREQ
    Dec 14 14:25:15 lbhatest haproxy[1758]: 212.123.23.228:9164 [14/Dec/2012:14:25:15.447] Managers-Farm~ Managers-Farm/NOSRV -1/-1/-1/-1/18 400 210 - - CR-- 0/0/0/0/0 0/0 {} BADREQ

Does it help you?

Thanks for your help.

Christophe

On 12/12/12 14:33, « Baptiste » bed...@gmail.com wrote:

Enable logs in your HAProxy configuration, configure your syslog to collect them and in the end do a tail on your log file :)

cheers

On Wed, Dec 12, 2012 at 10:15 AM, Christophe Rahier christo...@qualifio.com wrote:

Hi Baptiste,

Just a stupid question but how can I access this log?

Thanks,
Christophe

On 12/12/12 07:40, « Baptiste » bed...@gmail.com wrote:

Hi,

You seem to have an issue on your server side. Try logging the response Location header and compare it with the requested URL. Your server may be redirecting you to a URL that is still redirected to it.

add

    capture response header Location len 64

in your manager frontend section and share your logs here.

cheers

On Wed, Dec 12, 2012 at 7:03 AM, Christophe Rahier christo...@qualifio.com wrote:

Hi,

I'd like to use haproxy with a certificate directly installed on this server. For this, I copied my key_andcert.pem. I use the same haproxy for our application (managers / players) with 2 different official IP.

When I try to access to my Players, no problem. When I try to access to my Managers, Chrome returns the error: too many redirects.

Please find below my config file.

Thanks for your help and sorry for my poor English.

Regards,
Christophe

    global
        daemon
        maxconn 1
        stats socket /var/run/haproxy.sock level admin mode 600
        stats timeout 1m
        log 192.168.0.113 local0
        log 127.0.0.1 local1 notice

    defaults
        log global
        option dontlognull
        retries 2
        timeout client 60s
        timeout server 150s
        timeout connect 5s
        timeout http-keep-alive 10s

    frontend Players-Farm
        mode http
        option forwardfor
        option httplog
        option http-server-close
        bind 192.168.0.113:443 ssl crt /etc/haproxy/key_andcert.pem
        bind 192.168.0.113:80
        default_backend Players

    backend Players
        mode http
        server Player1 192.168.0.10:80 check on-marked-down shutdown-sessions
        server Player2 192.168.0.11:80 check on-marked-down shutdown-sessions
        server Player3 192.168.0.12:80 check on-marked-down shutdown-sessions
        option httpchk HEAD /cfadmin/ping.cfm HTTP/1.0
        stats enable
        balance source

    frontend Managers-Farm
        mode http
        option forwardfor
        option httplog
        option http-server-close
        bind 192.168.0.113:444 ssl crt /etc/haproxy/key_andcert.pem
        bind 192.168.0.113:81
        default_backend Managers

    backend Managers
        mode http
        server Manager01 192.168.0.60:80 check on-marked-down shutdown-sessions
        server Manager02 192.168.0.61:80 check on-marked-down shutdown-sessions
        option httpchk HEAD /cfadmin/ping.cfm HTTP/1.0
        stats enable
        balance source

    listen info 192.168.0.113:90
        mode http
        balance source
        stats uri /
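The two log lines quoted in this thread, taken apart field by field, as an added example that is not from the thread or from the HAProxy project. The first two sample lines are copied from the message above (the archive dropped the quotes and angle brackets around `NOSRV` and `BADREQ`, which the parser tolerates); the third line is constructed to show a captured `Location` header. Function names are hypothetical, and the state tables cover only a subset of the termination codes listed in the HAProxy configuration manual.

```python
import re
from collections import Counter

# Body of an "option httplog" line, i.e. what follows "haproxy[pid]: ".
HTTPLOG = re.compile(
    r'(?P<client>[\d.]+):(?P<port>\d+) \[(?P<accepted>[^\]]+)\] '
    r'(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<timers>(?:-?\d+/){4}\+?-?\d+) (?P<status>-?\d+) (?P<bytes>\+?\d+) '
    r'(?P<req_cookie>\S+) (?P<resp_cookie>\S+) (?P<state>\S{4}) '
    r'(?P<conns>(?:\d+/){4}\+?\d+) (?P<queues>\d+/\d+) '
    r'(?P<captures>(?:\{[^}]*\} )*)"?(?P<request>.*?)"?$'
)

# First two characters of the termination state (subset).
FIRST = {"C": "client aborted the connection", "S": "server aborted the connection",
         "P": "proxy refused or aborted the session",
         "c": "client-side timeout expired", "s": "server-side timeout expired",
         "-": "normal completion"}
SECOND = {"R": "while haproxy was waiting for a complete, valid request",
          "Q": "while queued for a server", "C": "while connecting to the server",
          "H": "while waiting for response headers", "D": "during data transfer",
          "-": "after the session completed"}


def parse_httplog(line):
    """Return the fields of one HTTP-format log line as a dict, or None."""
    m = HTTPLOG.search(line.strip())
    if m is None:
        return None
    e = m.groupdict()
    e["tls"] = e["frontend"].endswith("~")       # '~' marks an SSL listener
    e["frontend"] = e["frontend"].rstrip("~")
    e["server"] = e["server"].strip("<>")
    e["request"] = e["request"].strip("<>")
    e["status"] = int(e["status"])
    e["timers"] = [int(t.lstrip("+")) for t in e["timers"].split("/")]  # Tq/Tw/Tc/Tr/Tt
    e["captures"] = re.findall(r"\{([^}]*)\}", e["captures"])
    return e


def explain(e):
    """Human-readable reading of the first two termination-state characters."""
    first, second = e["state"][0], e["state"][1]
    return "%s %s" % (FIRST.get(first, "state %r" % first),
                      SECOND.get(second, "(phase %r)" % second))


def rejected_before_routing(lines):
    """Count, per client address, requests that never reached a server."""
    hits = Counter()
    for line in lines:
        e = parse_httplog(line)
        if e and e["server"] == "NOSRV" and e["request"] == "BADREQ":
            hits[e["client"]] += 1
    return dict(hits)


SAMPLE = [
    # Copied from the thread.
    'Dec 14 14:25:13 lbhatest haproxy[1758]: 212.123.23.228:9163 [14/Dec/2012:14:25:13.233] Managers-Farm~ Managers-Farm/NOSRV -1/-1/-1/-1/39 400 210 - - CR-- 0/0/0/0/0 0/0 {} BADREQ',
    'Dec 14 14:25:15 lbhatest haproxy[1758]: 212.123.23.228:9164 [14/Dec/2012:14:25:15.447] Managers-Farm~ Managers-Farm/NOSRV -1/-1/-1/-1/18 400 210 - - CR-- 0/0/0/0/0 0/0 {} BADREQ',
    # Constructed: a redirect with the Location header captured.
    'Dec 14 14:26:01 lbhatest haproxy[1758]: 198.51.100.7:40112 [14/Dec/2012:14:26:01.100] Managers-Farm~ Managers/Manager01 12/0/1/35/48 302 310 - - ---- 1/1/0/0/0 0/0 {https://managers.example.test/} "GET / HTTP/1.1"',
]

if __name__ == "__main__":
    for entry in map(parse_httplog, SAMPLE):
        print(entry["client"], entry["status"], entry["server"], explain(entry),
              entry["captures"])
    print(rejected_before_routing(SAMPLE))
```

Read this way, the two quoted lines record a client that dropped a TLS connection before a full request arrived, so no server was ever selected and no `Location` header could be captured from them.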
Re: Help with SSL
Hi Aleks,

Thanks for your help, I received your answer yesterday but it was too late for answering, I was too tired :-) I'll check what you proposed.

Thanks once again,
Christophe

On 04/11/11 09:41, « Aleksandar Lazic » al-hapr...@none.at wrote:

Hi Christophe,

On 03.11.2011 22:00, Christophe Rahier wrote:

Hello, My config of HAProxy is:

-- CUT --
[snipp]
-- CUT --

The problem with SSL is that the IP address that I get to the web server is the IP address of the loadbalancer and not the original IP address. This is a big problem for me and it's essential that I can have the right IP address. How can I do, is it possible? I've heard of stunnel but I don't understand how to use it.

Thank you in advance for your help,

you must use

http://www.stunnel.org/static/stunnel.html

    protocol = proxy

in stunnel and use 'accept-proxy' in haproxy

http://haproxy.1wt.eu/git?p=haproxy.git;a=blob;f=doc/configuration.txt;h=8aeeb272d0aeca7477bbb634b52181121122b865;hb=HEAD#l1580

as bind option

http://haproxy.1wt.eu/git?p=haproxy.git;a=blob;f=doc/configuration.txt;h=8aeeb272d0aeca7477bbb634b52181121122b865;hb=HEAD#l1453

and the 'option forwardfor'

http://haproxy.1wt.eu/git?p=haproxy.git;a=blob;f=doc/configuration.txt;h=8aeeb272d0aeca7477bbb634b52181121122b865;hb=HEAD#l3111

haproxy fill automatically the client ip into X-Forwarded-For header field.

I assume this from the doc. Please can you tell us if this is right?

Hth

Aleks

PS: do you have received my answer on the stunnel list?
Help with SSL
Hello,

My config of HAProxy is:

-- CUT --

    global
        log 192.168.0.2 local0
        log 127.0.0.1 local1 notice
        maxconn 10240

    defaults
        log global
        option dontlognull
        retries 2
        timeout client 35s
        timeout server 90s
        timeout connect 5s
        timeout http-keep-alive 10s

    listen WebPlayer-Farm 192.168.0.2:80
        mode http
        option httplog
        balance source
        #balance leastconn
        option forwardfor
        stats enable
        option http-server-close
        server Player4 192.168.0.13:80 check
        server Player3 192.168.0.12:80 check
        server Player1 192.168.0.10:80 check
        server Player2 192.168.0.11:80 check
        server Player5 192.168.0.14:80 check
        option httpchk HEAD /checkCF.cfm HTTP/1.0

    listen WebPlayer-Farm-SSL 192.168.0.2:443
        mode tcp
        option ssl-hello-chk
        balance source
        server Player4 192.168.0.13:443 check
        server Player3 192.168.0.12:443 check
        server Player1 192.168.0.10:443 check
        server Player2 192.168.0.11:443 check
        server Player5 192.168.0.14:443 check

    listen Manager-Farm 192.168.0.2:81
        mode http
        option httplog
        balance source
        option forwardfor
        stats enable
        option http-server-close
        server Manager1 192.168.0.60:80 check
        server Manager2 192.168.0.61:80 check
        server Manager3 192.168.0.62:80 check
        option httpchk HEAD /checkCF.cfm HTTP/1.0

    listen Manager-Farm-SSL 192.168.0.2:444
        mode tcp
        option ssl-hello-chk
        balance source
        server Manager1 192.168.0.60:443 check
        server Manager2 192.168.0.61:443 check
        server Manager3 192.168.0.62:443 check

    listen info 192.168.0.2:90
        mode http
        balance source
        stats uri /

-- CUT --

The problem with SSL is that the IP address that I get to the web server is the IP address of the loadbalancer and not the original IP address. This is a big problem for me and it's essential that I can have the right IP address.

How can I do, is it possible? I've heard of stunnel but I don't understand how to use it.

Thank you in advance for your help,
Christophe
option httpchk
Hi, In my config file, I check my servers with option httpchk HEAD /checkCF.cfm HTTP/1.0 When the response is not 2xx or 3xx, would it possible to test an other url? Thanks for your help. Regards, Christophe
Re: option httpchk
Hi,

What a pity, this could be very useful! Indeed, as Haproxy detects that there is no response, it may perform an another action :-)

Christophe

On 31/10/11 13:27, « Baptiste » bed...@gmail.com wrote:

Hi,

no :)

cheers

On Mon, Oct 31, 2011 at 12:15 PM, Christophe Rahier christo...@qualifio.com wrote:

Hi,

In my config file, I check my servers with

    option httpchk HEAD /checkCF.cfm HTTP/1.0

When the response is not 2xx or 3xx, would it possible to test an other url?

Thanks for your help.

Regards,
Christophe
Re: option httpchk
I'm agree with you but how can I know that HAProxy detects an error ?

Christophe

On 31/10/11 15:30, « Baptiste » bed...@gmail.com wrote:

euh, if there is no response, HAProxy can log it. Then, you can then detect it and take the decision you want :) Don't ask HAProxy to reload your webservices, it's a bad idea.

On Mon, Oct 31, 2011 at 1:48 PM, Christophe Rahier christo...@qualifio.com wrote:

Hi,

What a pity, this could be very useful! Indeed, as Haproxy detects that there is no response, it may perform an another action :-)

Christophe

On 31/10/11 13:27, « Baptiste » bed...@gmail.com wrote:

Hi,

no :)

cheers

On Mon, Oct 31, 2011 at 12:15 PM, Christophe Rahier christo...@qualifio.com wrote:

Hi,

In my config file, I check my servers with

    option httpchk HEAD /checkCF.cfm HTTP/1.0

When the response is not 2xx or 3xx, would it possible to test an other url?

Thanks for your help.

Regards,
Christophe
Re: option httpchk
Hi,

Oops, sorry, I didn't see it! Too many things to do in the same time and of course not enough time, I'm lost :-)

Christophe

On 31/10/11 15:36, « Aleksandar Lazic » al-hapr...@none.at wrote:

Hi,

On 31.10.2011 13:48, Christophe Rahier wrote:

Hi, What a pity, this could be very useful! Indeed, as Haproxy detects that there is no response, it may perform an another action :-)

How about a backup setup?!

http://haproxy.1wt.eu/download/1.4/doc/configuration.txt

5. Server and default-server options

###
...
backup
  When backup is present on a server line, the server is only used in load balancing when all other non-backup servers are unavailable. Requests coming with a persistence cookie referencing the server will always be served though. By default, only the first operational backup server is used, unless the allbackups option is set in the backend. See also the allbackups option.

  Supported in default-server: No
...
###

Cheers
Aleks

Christophe

On 31/10/11 13:27, « Baptiste » bed...@gmail.com wrote:

Hi,

no :)

cheers

On Mon, Oct 31, 2011 at 12:15 PM, Christophe Rahier christo...@qualifio.com wrote:

Hi,

In my config file, I check my servers with

    option httpchk HEAD /checkCF.cfm HTTP/1.0

When the response is not 2xx or 3xx, would it possible to test an other url?

Thanks for your help.

Regards,
Christophe
Re: Caching
Hi,

What do you mean when you say running -c? Here's my config file.

Thanks for your help.

Christophe

    global
        log 192.168.0.2 local0
        log 127.0.0.1 local1 notice
        maxconn 10240

    defaults
        log global
        option dontlognull
        retries 2
        timeout client 35s
        timeout server 35s
        timeout connect 5s
        timeout http-keep-alive 10s

    listen WebPlayer-Farm 192.168.0.2:80
        mode http
        option httplog
        balance source
        #balance leastconn
        option forwardfor
        stats enable
        option http-server-close
        server Player1 192.168.0.10:80 check
        server Player2 192.168.0.11:80 check
        server Player3 192.168.0.12:80 check
        server Player4 192.168.0.13:80 check
        server Player5 192.168.0.14:80 check
        option httpchk HEAD /checkcf.cfm HTTP/1.0

    listen WebPlayer-Farm-SSL 192.168.0.2:443
        mode tcp
        option ssl-hello-chk
        balance source
        server Player1 192.168.0.10:443 check
        server Player2 192.168.0.11:443 check
        server Player3 192.168.0.12:443 check
        server Player4 192.168.0.13:443 check
        server Player5 192.168.0.14:443 check

    listen Manager-Farm 192.168.0.2:81
        mode http
        option httplog
        balance source
        option forwardfor
        stats enable
        option http-server-close
        server Manager1 192.168.0.60:80 check
        server Manager2 192.168.0.61:80 check
        option httpchk HEAD /testcf/checkcf.cfm HTTP/1.0

    listen Manager-Farm-SSL 192.168.0.2:444
        mode tcp
        option ssl-hello-chk
        balance source
        server Manager1 192.168.0.60:443 check
        server Manager2 192.168.0.61:443 check

    listen info 192.168.0.2:90
        mode http
        balance source
        stats uri /

On 20/09/11 01:27, « Hank A. Paulson » h...@spamproof.nospammail.net wrote:

You can get weird results like this sometimes if you don't use http-close or any other http closing option on http backends. You should paste your config. Maybe there should be a warning, if there is not already, for that situation - maybe just when running -c.

On 9/19/11 5:46 AM, Christophe Rahier wrote:

I don't use Apache but IIS. I tried to disable caching on IIS but the problem is still there. There's no proxy, all requests are sent from pfSense.

Christophe

On 19/09/11 13:45, « Baptiste » bed...@gmail.com wrote:

hi Christophe,

HAProxy is *only* a reverse proxy. No caching functions in it. Have you tried to browse your backend servers directly? Can it be related to your browser's cache?

cheers

On Mon, Sep 19, 2011 at 1:39 PM, Christophe Rahier christo...@qualifio.com wrote:

Hi,

Is there a caching system at HAProxy? In fact, we find that when we put online new files (CSS, for example) that they are not addressed directly, it usually takes about ten minutes.

Thank you in advance for your help.

Christophe
Caching
Hi, Is there a caching system at HAProxy? In fact, we find that when we put online new files (CSS, for example) that they are not addressed directly, it usually takes about ten minutes. Thank you in advance for your help. Christophe
Re: Caching
Hi,

I thought the problem was in my browser but when I empty the cache, I've the same problem. To be sure, I tried with an other browser and the problem is the same. When I call my page locally from the server, the result is OK.

Christophe

On 19/09/11 13:45, « Baptiste » bed...@gmail.com wrote:

hi Christophe,

HAProxy is *only* a reverse proxy. No caching functions in it. Have you tried to browse your backend servers directly? Can it be related to your browser's cache?

cheers

On Mon, Sep 19, 2011 at 1:39 PM, Christophe Rahier christo...@qualifio.com wrote:

Hi,

Is there a caching system at HAProxy? In fact, we find that when we put online new files (CSS, for example) that they are not addressed directly, it usually takes about ten minutes.

Thank you in advance for your help.

Christophe
Re: Establishing connection lasts long
Hi,

I noticed the same thing, the problem happens at the first call of the page, After the result is immediate.

Christophe

On 13/09/11 13:22, « Tim Korves » t...@whtec.net wrote:

Hi there,

we're using haproxy 1.4.15 on a Ubuntu 10.04 box. This box is virtualised, HW-specs: 1 CPU-core (Xeon 2.00GHz), 512MB RAM, 2x 1GBit virtual LAN (these are also two different physical NICs in the HV).

Now we've got the problem, that the initial connect through haproxy seems to be delayed. The HTTP-Servers behind haproxy are physical one's and they seem to deliver the page quite a lot faster directly then using haproxy in front.

Any ideas or recommendations on checking haproxy to be not the source of the delay?

Regards,
Tim

--
Tim Korves
Administrator
whTec
Teutoburger Straße 309
D-46119 Oberhausen
Phone: +49 (40) 70 97 50 35 -0
Fax: +49 (40) 70 97 50 35 -99
SIP: t.kor...@fon.whtec.net
---
Service: serv...@whtec.net
Accounting: buchhalt...@whtec.net
DNS: d...@whtec.net
ATTENTION: inquiries from BOS please via b...@whtec.net
Inquiries from NGOs (e.V., gGmbH etc.) please via n...@whtec.net
Re: Establishing connection lasts long
Hi,

I don't know! It's very strange. When I check the server load, it is almost zero.

Christophe

On 13/09/11 13:29, « Tim Korves » t...@whtec.net wrote:

Hi again,

I noticed the same thing, the problem happens at the first call of the page,

Ok, seems to be a bug? Or what do you think?

After the result is immediate.

I can confirm that. Any idea?

Thanks,
Tim

Hi there,

we're using haproxy 1.4.15 on a Ubuntu 10.04 box. This box is virtualised, HW-specs: 1 CPU-core (Xeon 2.00GHz), 512MB RAM, 2x 1GBit virtual LAN (these are also two different physical NICs in the HV).

Now we've got the problem, that the initial connect through haproxy seems to be delayed. The HTTP-Servers behind haproxy are physical one's and they seem to deliver the page quite a lot faster directly then using haproxy in front.

Any ideas or recommendations on checking haproxy to be not the source of the delay?

Regards,
Tim

--
Tim Korves
Administrator
whTec
Teutoburger Straße 309
D-46119 Oberhausen
Phone: +49 (40) 70 97 50 35 -0
Fax: +49 (40) 70 97 50 35 -99
SIP: t.kor...@fon.whtec.net
---
Service: serv...@whtec.net
Accounting: buchhalt...@whtec.net
DNS: d...@whtec.net
ATTENTION: inquiries from BOS please via b...@whtec.net
Inquiries from NGOs (e.V., gGmbH etc.) please via n...@whtec.net

--
Tim Korves
Owner / Administrator
whTec
Teutoburger Straße 309
D-46119 Oberhausen
Phone: +49 (40) 70 97 50 35 -0
Fax: +49 (40) 70 97 50 35 -99
SIP: t.kor...@fon.whtec.net
---
Service: serv...@whtec.net
Accounting: buchhalt...@whtec.net
DNS: d...@whtec.net
ATTENTION: inquiries from BOS please via b...@whtec.net
Inquiries from NGOs (e.V., gGmbH etc.) please via n...@whtec.net
Re: Error 504
Hi Willy,

Thank you! I'm just confused now :-) Which values have I to use?

global
    log 192.168.0.2 local0
    log 127.0.0.1 local1 notice
    maxconn 10240

defaults
    log global
    option dontlognull
    retries 2
    clitimeout 35s
    #srvtimeout 5
    contimeout 35s
    #timeout server 60s
    timeout http-keep-alive 10s

listen WebPlayer-Farm 192.168.0.2:80
    mode http
    option httplog
    balance source
    #balance leastconn
    option forwardfor
    stats enable
    option http-server-close
    server Player1 192.168.0.10:80 check
    server Player2 192.168.0.11:80 check
    server Player3 192.168.0.12:80 check
    server Player4 192.168.0.13:80 check
    server Player5 192.168.0.14:80 check

Thanks for your help.

Regards,
Christophe

On 12/09/11 06:49, Willy Tarreau w...@1wt.eu wrote:

> On Sun, Sep 11, 2011 at 11:11:04AM -0700, Christophe Rahier wrote:
>> Hi Cyril,
>>
>> Thanks for your help, I'll adapt my config file.
>>
>> About timeout http-keep-alive, which value do you recommend?
>
> Generally, a short one is fine: you want to ensure that all objects from a same page are all fetched without reopening many connections, but you probably don't want to keep these connections open for too long. This means that a few seconds (e.g. 5-10) are fine.
>
> Regards,
> Willy
Re: Error 504
Hi Willy,

Thank you very much for your help.

Christophe

On 12/09/11 09:22, Willy Tarreau w...@1wt.eu wrote:

> On Mon, Sep 12, 2011 at 12:02:55AM -0700, Christophe Rahier wrote:
>> Hi Willy,
>>
>> Thank you! I'm just confused now :-) Which values have I to use?
>
> Replace any old form with the newer, this will bring you the following:
>
>     timeout client 35s
>     timeout server 60s
>     timeout connect 35s    (far too large in general, keep it around 5s)
>     timeout http-keep-alive 10s
>
> If your servers have long response times because it's overloaded, you might want to consider adding maxconn XXX on the server lines, where XXX is the maximum number of concurrent connections you know it supports without overloading. The excess will be queued. You then also need a timeout for this queue which is close to the max response time:
>
>     timeout queue 60s
>
>> global
>>     log 192.168.0.2 local0
>>     log 127.0.0.1 local1 notice
>>     maxconn 10240
>>
>> defaults
>>     log global
>>     option dontlognull
>>     retries 2
>>     clitimeout 35s
>>     #srvtimeout 5
>>     contimeout 35s
>>     #timeout server 60s
>>     timeout http-keep-alive 10s
>>
>> listen WebPlayer-Farm 192.168.0.2:80
>>     mode http
>>     option httplog
>>     balance source
>>     #balance leastconn
>>     option forwardfor
>>     stats enable
>>     option http-server-close
>>     server Player1 192.168.0.10:80 check
>>     server Player2 192.168.0.11:80 check
>>     server Player3 192.168.0.12:80 check
>>     server Player4 192.168.0.13:80 check
>>     server Player5 192.168.0.14:80 check
>
> Regards,
> Willy
Re: Error 504
Hi Willy,

Many thanks for your help, I'll check our application, I think a lot of things could be improved :-)

Christophe

On 11/09/11 00:12, Willy Tarreau w...@1wt.eu wrote:

> Hi Christophe,
>
> On Thu, Sep 08, 2011 at 06:54:29AM -0700, Christophe Rahier wrote:
>> Yes ... Is it possible to improve my config?
>
> Well, your config already allows a server to take as much as 50 seconds to respond, and still some requests don't respond within this delay. This is really huge and probably nobody will wait that long anyway. It's absolutely required to fix the application. You could make use of halog to report the slowest URLs:
>
>     halog -ua log-file | less
>
> The format is a bit raw but you'll get the URLs sorted by average response time. Quite often when people encounter 504, it only happens on a very small set of URLs, sometimes even only one. Most often this is due to poorly written SQL queries which take ages to complete, but any number of causes is possible of course.
>
> Regards,
> Willy
Re: Error 504
Hi Cyril,

Thanks for your help, I'll adapt my config file.

About timeout http-keep-alive, which value do you recommend?

Christophe

On 11/09/11 13:34, Cyril Bonté cyril.bo...@free.fr wrote:

> Hi Christophe,
>
> On Thursday 8 September 2011 05:28:41, Christophe Rahier wrote:
>> defaults
>>     log global
>>     option dontlognull
>>     retries 2
>>     clitimeout 5
>>     srvtimeout 5
>>     contimeout 5
>>     timeout server 60s
>
> Be careful because your configuration provides both the deprecated srvtimeout keyword and timeout server, the latest declared will apply. You should clean up your configuration by using only non deprecated keywords: timeout client, timeout server and timeout connect.
>
> It means that your server timeout is not 5 but 60s.
>
> Also, because your proxies are using option http-server-close, you should define a timeout http-keep-alive to reduce the ttl of idle keep-alive connections.
>
> --
> Cyril Bonté
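The keyword clash described in the message above can be checked mechanically. The following is an added example, not code from the thread or from the HAProxy project: it applies the "last declaration wins" rule as stated in the thread, treats the whole file as a single scope, and runs on a constructed sample whose values and addresses are assumptions.

```python
import re

# Deprecated keyword -> current "timeout <name>" form, as named in the thread.
DEPRECATED = {"clitimeout": "client", "srvtimeout": "server", "contimeout": "connect"}
UNITS_MS = {"ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000, "d": 86_400_000}


def to_ms(value):
    """Convert an HAProxy time value to milliseconds (no unit means ms)."""
    m = re.fullmatch(r"(\d+)(ms|s|m|h|d)?", value)
    if not m:
        raise ValueError(f"unsupported time value: {value!r}")
    return int(m.group(1)) * UNITS_MS[m.group(2) or "ms"]


def audit_timeouts(config_text):
    """Return (effective_ms, findings), applying 'last declaration wins'."""
    effective, findings, server_close = {}, [], False
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if words[:2] == ["option", "http-server-close"]:
            server_close = True
        if len(words) >= 2 and words[0] in DEPRECATED:
            name, value = DEPRECATED[words[0]], words[1]
            findings.append(f"line {lineno}: deprecated '{words[0]}', use 'timeout {name}'")
        elif len(words) >= 3 and words[0] == "timeout":
            name, value = words[1], words[2]
        else:
            continue
        if name in effective:
            findings.append(f"line {lineno}: 'timeout {name}' redeclared, "
                            f"{to_ms(value)} ms overrides {effective[name]} ms")
        effective[name] = to_ms(value)
    if server_close and "http-keep-alive" not in effective:
        findings.append("'option http-server-close' without 'timeout http-keep-alive'")
    return effective, findings


# Constructed sample modelled on the defaults section discussed in the thread.
SAMPLE = """\
defaults
    clitimeout 50000
    srvtimeout 50000
    contimeout 50000
    timeout server 60s
listen farm 192.0.2.10:80
    option http-server-close
"""
EFFECTIVE, FINDINGS = audit_timeouts(SAMPLE)
```

On the sample, the server timeout resolves to 60000 ms rather than the value given with the deprecated keyword, and the missing keep-alive timeout is reported as the last finding.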
Error 504
Hi,

I've a question about this error:

    504 Gateway Time-out
    The server didn't respond in time.

What could I check in my config?

I created 2 LB with a virtual IP and all requests are coming from the firewall to this IP.

I think it's possible, if needed, I can copy my configuration file.

Thanks for your help, I'm lost.

Regards,
Christophe
Re: Error 504
Hi,

Here's my config. Webservers are IIS.

global
    log 192.168.0.2 local0
    log 127.0.0.1 local1 notice
    maxconn 10240

defaults
    log global
    option dontlognull
    retries 2
    clitimeout 5
    srvtimeout 5
    contimeout 5
    timeout server 60s

listen WebPlayer-Farm 192.168.0.2:80
    mode http
    option httplog
    balance source
    #balance leastconn
    option forwardfor
    stats enable
    option http-server-close
    server Player1 192.168.0.10:80 check
    server Player2 192.168.0.11:80 check
    server Player3 192.168.0.12:80 check
    server Player4 192.168.0.13:80 check

listen WebPlayer-Farm-SSL 192.168.0.2:443
    mode tcp
    option ssl-hello-chk
    balance source
    server Player1 192.168.0.10:443 check
    server Player2 192.168.0.11:443 check
    server Player3 192.168.0.12:443 check
    server Player4 192.168.0.13:443 check

listen Manager-Farm 192.168.0.2:81
    mode http
    option httplog
    balance source
    option forwardfor
    stats enable
    option http-server-close
    server Manager1 192.168.0.60:80 check
    server Manager2 192.168.0.61:80 check

listen Manager-Farm-SSL 192.168.0.2:444
    mode tcp
    option ssl-hello-chk
    balance source
    server Manager1 192.168.0.60:443 check
    server Manager2 192.168.0.61:443 check

listen info 192.168.0.2:90
    mode http
    balance source
    stats uri /

Thanks for your help!

Christophe

On 08/09/11 14:16, Baptiste bed...@gmail.com wrote:

> Hello,
>
> your server might be very slow or your server timeout in your conf might be too low. If you can copy/paste your conf and tell us which version you're using and the underlying OS.
>
> cheers
>
> On Thu, Sep 8, 2011 at 1:35 PM, Christophe Rahier christo...@qualifio.com wrote:
>> Hi,
>>
>> I've a question about this error:
>>
>>     504 Gateway Time-out
>>     The server didn't respond in time.
>>
>> What could I check in my config?
>>
>> I created 2 LB with a virtual IP and all requests are coming from the firewall to this IP.
>>
>> I think it's possible, if needed, I can copy my configuration file.
>>
>> Thanks for your help, I'm lost.
>>
>> Regards,
>> Christophe
Re: Error 504
Yes ... Is it possible to improve my config?

On 08/09/11 15:50, Baptiste bed...@gmail.com wrote:

> I can't see anything weird here.
> Are the backend statuses OK on the haproxy http stat page?
>
> cheers
>
> On Thu, Sep 8, 2011 at 2:28 PM, Christophe Rahier christo...@qualifio.com wrote:
>> Hi,
>>
>> Here's my config. Webservers are IIS.
>>
>> global
>>     log 192.168.0.2 local0
>>     log 127.0.0.1 local1 notice
>>     maxconn 10240
>>
>> defaults
>>     log global
>>     option dontlognull
>>     retries 2
>>     clitimeout 5
>>     srvtimeout 5
>>     contimeout 5
>>     timeout server 60s
>>
>> listen WebPlayer-Farm 192.168.0.2:80
>>     mode http
>>     option httplog
>>     balance source
>>     #balance leastconn
>>     option forwardfor
>>     stats enable
>>     option http-server-close
>>     server Player1 192.168.0.10:80 check
>>     server Player2 192.168.0.11:80 check
>>     server Player3 192.168.0.12:80 check
>>     server Player4 192.168.0.13:80 check
>>
>> listen WebPlayer-Farm-SSL 192.168.0.2:443
>>     mode tcp
>>     option ssl-hello-chk
>>     balance source
>>     server Player1 192.168.0.10:443 check
>>     server Player2 192.168.0.11:443 check
>>     server Player3 192.168.0.12:443 check
>>     server Player4 192.168.0.13:443 check
>>
>> listen Manager-Farm 192.168.0.2:81
>>     mode http
>>     option httplog
>>     balance source
>>     option forwardfor
>>     stats enable
>>     option http-server-close
>>     server Manager1 192.168.0.60:80 check
>>     server Manager2 192.168.0.61:80 check
>>
>> listen Manager-Farm-SSL 192.168.0.2:444
>>     mode tcp
>>     option ssl-hello-chk
>>     balance source
>>     server Manager1 192.168.0.60:443 check
>>     server Manager2 192.168.0.61:443 check
>>
>> listen info 192.168.0.2:90
>>     mode http
>>     balance source
>>     stats uri /
>>
>> Thanks for your help!
>>
>> Christophe
>>
>> On 08/09/11 14:16, Baptiste bed...@gmail.com wrote:
>>> Hello,
>>>
>>> your server might be very slow or your server timeout in your conf might be too low. If you can copy/paste your conf and tell us which version you're using and the underlying OS.
>>>
>>> cheers
>>>
>>> On Thu, Sep 8, 2011 at 1:35 PM, Christophe Rahier christo...@qualifio.com wrote:
>>>> Hi,
>>>>
>>>> I've a question about this error:
>>>>
>>>>     504 Gateway Time-out
>>>>     The server didn't respond in time.
>>>>
>>>> What could I check in my config?
>>>>
>>>> I created 2 LB with a virtual IP and all requests are coming from the firewall to this IP.
>>>>
>>>> I think it's possible, if needed, I can copy my configuration file.
>>>>
>>>> Thanks for your help, I'm lost.
>>>>
>>>> Regards,
>>>> Christophe
Option forward for and IIS
Hi,

I installed HAProxy on 2 Debian servers for loadbalancing 6 webservers (IIS).

All works fine but I've a small problem. In IIS, I added an ISAPI filter to read the X-Forwarded-For value.

In the IIS log file, I've a mix of my loadbalancer IP (192.168.0.3) but also the official IP (xxx.xxx.xxx.xxx), for example:

2011-09-05 13:33:21 192.168.0.61 GET /v8/ - 80 - 87.67.52.233 Opera/9.80+(Macintosh;+Intel+Mac+OS+X+10.7.1;+U;+en)+Presto/2.9.168+Version/11.51 302 0 0 93
2011-09-05 13:33:21 192.168.0.61 GET /v8/login.cfm - 80 - 192.168.0.3 Opera/9.80+(Macintosh;+Intel+Mac+OS+X+10.7.1;+U;+en)+Presto/2.9.168+Version/11.51 200 0 0 140
2011-09-05 13:33:21 192.168.0.61 GET /CFIDE/scripts/cfform.js - 80 - 192.168.0.3 Opera/9.80+(Macintosh;+Intel+Mac+OS+X+10.7.1;+U;+en)+Presto/2.9.168+Version/11.51 200 0 0 46
2011-09-05 13:33:21 192.168.0.61 GET /CFIDE/scripts/masks.js - 80 - 192.168.0.3 Opera/9.80+(Macintosh;+Intel+Mac+OS+X+10.7.1;+U;+en)+Presto/2.9.168+Version/11.51 200 0 0 15
2011-09-05 13:33:21 192.168.0.61 GET /v8/styles.css - 80 - 192.168.0.3 Opera/9.80+(Macintosh;+Intel+Mac+OS+X+10.7.1;+U;+en)+Presto/2.9.168+Version/11.51 200 0 0 31

Do you have an idea? I don't understand where the problem is.

Thanks for your help.

Christophe
Re: Option forward for and IIS
Hi John,

Thanks for your help, it was the problem.

I simply added the option http-server-close in my config and it's ok now!!

Regards,
Christophe

From: John Helliwell john.helliw...@gmail.com
Date: Tue, 6 Sep 2011 05:16:03 -0700
To: Christophe Rahier christo...@qualifio.com
Cc: haproxy@formilux.org
Subject: Re: Option forward for and IIS

> I believe your problem is because, for keepalive sessions, HAproxy is only adding an X-Forwarded-For header on the first HTTP transaction of the keepalive session.
>
> This can be alleviated by using option http-server-close, which allows keepalive on the client side, but uses Close mode on the server side. The X-Forwarded-For header will then be present on all HTTP transactions.
>
> On 6 September 2011 12:59, Christophe Rahier christo...@qualifio.com wrote:
>> Hi,
>>
>> I installed HAProxy on 2 Debian servers for loadbalancing 6 webservers (IIS).
>>
>> All works fine but I've a small problem. In IIS, I added an ISAPI filter to read the X-Forwarded-For value.
>>
>> In the IIS log file, I've a mix of my loadbalancer IP (192.168.0.3) but also the official IP (xxx.xxx.xxx.xxx), for example:
>>
>> 2011-09-05 13:33:21 192.168.0.61 GET /v8/ - 80 - 87.67.52.233 Opera/9.80+(Macintosh;+Intel+Mac+OS+X+10.7.1;+U;+en)+Presto/2.9.168+Version/11.51 302 0 0 93
>> 2011-09-05 13:33:21 192.168.0.61 GET /v8/login.cfm - 80 - 192.168.0.3 Opera/9.80+(Macintosh;+Intel+Mac+OS+X+10.7.1;+U;+en)+Presto/2.9.168+Version/11.51 200 0 0 140
>> 2011-09-05 13:33:21 192.168.0.61 GET /CFIDE/scripts/cfform.js - 80 - 192.168.0.3 Opera/9.80+(Macintosh;+Intel+Mac+OS+X+10.7.1;+U;+en)+Presto/2.9.168+Version/11.51 200 0 0 46
>> 2011-09-05 13:33:21 192.168.0.61 GET /CFIDE/scripts/masks.js - 80 - 192.168.0.3 Opera/9.80+(Macintosh;+Intel+Mac+OS+X+10.7.1;+U;+en)+Presto/2.9.168+Version/11.51 200 0 0 15
>> 2011-09-05 13:33:21 192.168.0.61 GET /v8/styles.css - 80 - 192.168.0.3 Opera/9.80+(Macintosh;+Intel+Mac+OS+X+10.7.1;+U;+en)+Presto/2.9.168+Version/11.51 200 0 0 31
>>
>> Do you have an idea? I don't understand where the problem is.
>>
>> Thanks for your help.
>>
>> Christophe
>
> --
> John Helliwell
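To confirm that a change like the one in this thread took effect, the backend logs can be scanned for requests still recorded with the load balancer's address instead of the client's. This is an added example, not code from the thread: the field order is an assumption inferred from the log lines quoted above (no #Fields header appears on the page), and the sample lines and addresses are constructed.

```python
from collections import Counter

# Assumed field order, inferred from the quoted log lines (hypothetical names).
FIELDS = ("date time s_ip method uri_stem uri_query s_port username "
          "c_ip user_agent status substatus win32_status time_taken").split()


def parse_line(line):
    """Split one log line into a dict; None for directives or malformed lines.

    IIS writes '+' for spaces inside the user agent, so whitespace splitting
    keeps every field in one token.
    """
    if line.startswith("#"):
        return None
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None


def entries(log_text):
    """Yield every parseable entry in the log text."""
    return filter(None, map(parse_line, log_text.splitlines()))


def proxy_masked_requests(log_text, proxy_ips):
    """Entries whose logged client IP is a load balancer: the real client was lost."""
    return [e for e in entries(log_text) if e["c_ip"] in proxy_ips]


def masked_ratio_by_server(log_text, proxy_ips):
    """Per backend (s_ip), the fraction of requests logged with a proxy address."""
    total, masked = Counter(), Counter()
    for e in entries(log_text):
        total[e["s_ip"]] += 1
        masked[e["s_ip"]] += e["c_ip"] in proxy_ips
    return {ip: masked[ip] / total[ip] for ip in total}


# Constructed sample: 192.0.2.3 plays the load balancer, 203.0.113.x the clients.
SAMPLE = """\
#Software: constructed sample
2011-09-05 13:33:21 192.0.2.61 GET /v8/ - 80 - 203.0.113.7 Opera/9.80 302 0 0 93
2011-09-05 13:33:21 192.0.2.61 GET /v8/login.cfm - 80 - 192.0.2.3 Opera/9.80 200 0 0 140
2011-09-05 13:33:21 192.0.2.61 GET /v8/styles.css - 80 - 192.0.2.3 Opera/9.80 200 0 0 31
2011-09-05 13:33:22 192.0.2.62 GET /v8/ - 80 - 203.0.113.9 Opera/9.80 302 0 0 88
"""
MASKED = proxy_masked_requests(SAMPLE, {"192.0.2.3"})
```

A ratio that stays above zero for a backend after the configuration change means some requests are still being logged without a usable client address.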