Re: HAProxy clustering

2016-12-16 Thread Guillaume Bourque
Hello Marco,

I would be very interested in how you build your haproxy config; you must have 
per-server settings and then a global config?

If time permits and if you can share some unusable config I would be very happy 
to look into this.

Thanks 
---
Guillaume Bourque, B.Sc.,
Architect, robust technology infrastructures

> On 2016-12-16 at 10:42, Marco Corte <ma...@marcocorte.it> wrote:
> 
> Hi!
> 
> I use keepalived for IP management.
> 
> I use Ansible on another host to deploy the configuration on the haproxy 
> nodes.
> This setup gives me better control on the configuration: it is split in 
> several files on the Ansible host, but assembled to a single config file on 
> the nodes.
> This gives also the opportunity to deploy the configuration on one node only.
> On the Ansible host, the configuration changes are tracked with git.
> 
> I also considered an automatic replication of the config, between the nodes 
> but... I did not like the idea.
> 
> 
> .marcoc
> 



Re: Adding backend server name as request header

2016-05-12 Thread Guillaume Bourque
Hello 

I looked into the doc and saw that we can put the directive in the backend; this 
is what I added to my config

http-send-name-header   X-CustomHeader

But from my user's browser I never get this header. Is there something that I need 
to enable in the global section in order for this to work?

HA-Proxy version 1.5.4 2014/09/02
Copyright 2000-2014 Willy Tarreau 

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

TIA

Guillaume

---
On 2016-05-12 at 14:29, Dennis Jacobfeuerborn wrote:

> This is exactly what I'm looking for, thanks!
> I was looking at the variables in Section 7.3 as I didn't think there
> would be a dedicated directive for this. Apparently I was wrong :)
> 
> Regards,
>  Dennis
> 
> On 12.05.2016 18:48, Mehdi Ahmadi wrote:
>> It may be that you're after:
>> ```
>> http-send-name-header X-CustomHeader
>> ```
>> Which would set the ID of the selected server into the header
>> `X-CustomHeader`.
>> See the documentation for further details.
>> http://cbonte.github.io/haproxy-dconv/configuration-1.5.html
>> 
>> 
>> 
>> On Thu, May 12, 2016 at 6:29 PM, Dennis Jacobfeuerborn <
>> denni...@conversis.de> wrote:
>> 
>>> Hi,
>>> I'm wondering if there is a way to add the name of the server chosen for
>>> the request as a request header i.e. if the following server is chosen
>>> for the request:
>>> 
>>> server back1 10.1.0.10:8080 check inter 2
>>> 
>>> then I'd like to receive this header on the 10.1.0.10 system:
>>> 
>>> X-CustomHeader: back1
>>> 
>>> Is this possible?
>>> 
>>> Regards,
>>>  Dennis
>>> 
>>> 
>> 
> 
> 



The simplest way to reach specific backend

2016-03-19 Thread Guillaume Bourque
Hi all,

We have implemented a very simple haproxy 

1 web site on 2 app servers.

Question:

How do you do this? My objective is to have the simplest solution for our QA 
users.

Need:

Our QA team wants to reach app1 and app2 to validate each application server.

I know we can do a simple haproxy config that will load balance on a specific 
cookie but I am not sure if there is an easy way to set those specific cookies in 
the browser (our QA technical level is not very high)

I could have 2 different hostnames like this www-app1.domaine and 
www-app2.domain which seems simpler, but I would like to know your recommendation 
on this.


Thanks for your feedback

Guillaume.


Re: acl regex

2015-11-24 Thread Guillaume Bourque
Hi all,

I should be able to test this in our production setup a few days after I can 
have an rpm ready with the patch we are running on rhel 6.x

Thanks Cyril


---
Guillaume Bourque, B.Sc.,


On 2015-11-24 at 16:58, Cyril Bonté <cyril.bo...@free.fr> wrote:

> Hi all,
> 
> I revive this thread.
> 
> On 12/11/2015 at 09:59, Igor Cicimov wrote:
>> 
>> 
>> On Thu, Nov 12, 2015 at 6:44 PM, Guillaume Bourque
>> <guillaume.bour...@logisoftech.com
>> <mailto:guillaume.bour...@logisoftech.com>> wrote:
>> 
>> Hi,
>> 
>> thanks for the suggestion but it did not work for me.   I tried
>> 
>>    acl fr_top  url_reg   /?lang=
>>    acl fr_top  url_reg   /?lang=$
>> # off acl fr_top  urlp_reg(lang\=$,?) -m found
>> # off acl fr_top  urlp_reg(lang\=$,?) -m found
>> 
>> but with no luck
> 
> I think that using "urlp" should have done the job but that the 
> implementation in haproxy is not correct for one specific case.
> 
> Currently, haproxy won't match an url parameter if its value is empty. I tend 
> to think it should : an empty value is different from not providing the 
> parameter at all.
> 
> The function "find_next_url_param()" should unconditionally return "1" when a 
> parameter is found, instead of "value_end != value_start" :
> http://www.haproxy.org/git?p=haproxy.git;a=blob;f=src/proto_http.c;h=77a52078d0d0d458ed7f0233dfda87eca247d2c2;hb=HEAD#l11661
> 
> This would allow some rules like :
>    acl LANG_FR_NONE urlp_reg(lang) ^(fr)?$
>    acl LANG_EN      urlp(lang) en
> 
>    http-request redirect location /    if { path / } LANG_FR_NONE
>    http-request redirect location /en  if { path / } LANG_EN
> 
> 
> If it's ok for everyone, I can provide a small patch (which will also fix 
> some invalid code comments on top of this function).
> 
> 
> -- 
> Cyril Bonté



Re: acl regex

2015-11-12 Thread Guillaume Bourque
Hi all,

I’m not far but it does not work so any recommendation would be very helpful

I just need some very simple redirect but after looking into aloa doc the haproxy 
doc, I can’t find examples that could help me do this, okay I must admit I did 
not sleep for the last 30 hours so that could explain why I can understand what 
I read ;-)


This seems the way to do it, but it does not work for me. I’m running haproxy 1.5.4 

>> http-request redirect location /store code 301 if { capture.req.uri lang\= 
>> -m found }


Here is what I need to do. I can do path rewrite fine, but the ? is bugging us.

I need to redirect 301 client from this

http://domain.com/?lang=                     to   http://domain.com/
http://domain.com/?lang=fr                   to   http://domain.com/
http://domain.com/?lang=en                   to   http://domain.com/en
http://domain.com/pages/magasin.php?lang=fr  to   http://domain.com/

It can be on 3 different lines. I don’t want to achieve light speed performance, 
I just need to have this working ASAP

So I try with this

http-request redirect location /store code 301 if { capture.req.uri lang= -m found }

Or with an acl 

acl fr_top urlp_reg(lang\=$,?) -m found
http-request redirect location http://www.braultetmartineau.com/ code 301 if fr_top

Do I need to escape anything in there?

Any advice would be very appreciated

Thanks

---
Guillaume Bourque, B.Sc.,


On 2015-11-12 at 05:04, Guillaume Bourque <guillaume.bour...@logisoftech.com> 
wrote:

> Hello Igor,
> 
> thanks a lot still not working 
> 
> would I need to escape the = 
> 
>> http-request redirect location /store code 301 if { capture.req.uri lang\= 
>> -m found }
> 
> 
> Bye
> 
> ---
> Guillaume Bourque, B.Sc.,
> On 2015-11-12 at 03:59, Igor Cicimov <ig...@encompasscorporation.com> wrote:
> 
>> 
>> 
>> On Thu, Nov 12, 2015 at 6:44 PM, Guillaume Bourque 
>> <guillaume.bour...@logisoftech.com> wrote:
>> Hi,
>> 
>> thanks for the suggestion but it did not work for me.   I tried
>> 
>>    acl fr_top  url_reg   /?lang=
>>    acl fr_top  url_reg   /?lang=$
>> # off acl fr_top  urlp_reg(lang\=$,?) -m found
>> # off acl fr_top  urlp_reg(lang\=$,?) -m found
>> 
>> but with no luck
>> 
>> thanks
>> 
>> ---
>> Guillaume Bourque, B.Sc.,
>> On 2015-11-12 at 02:18, Igor Cicimov <ig...@encompasscorporation.com> wrote:
>> 
>>> 
>>> On 12/11/2015 5:30 PM, "Guillaume Bourque" 
>>> <guillaume.bour...@logisoftech.com> wrote:
>>> >
>>> > Hello Bryan
>>> >
>>> > I’m running haproxy 1.5.4 and I can’t find any example on how to use 
>>> > req.uri if you could give an example on how to match a specific query to 
>>> > redirect to another 
>>> >
>>> > From http://domain/pages/store.php?lang=fr   to http://domain/store/
>>> >
>>> > That would be great !
>>> >
>>> > TIA
>>> >
>>> >
>>> >
>>> > ---
>>> > Guillaume Bourque, B.Sc.,
>>> >
>>> > On 2015-11-12 at 00:42, Bryan Talbot <bryan.tal...@ijji.com> wrote:
>>> >
>>> >> On Wed, Nov 11, 2015 at 8:43 PM, Guillaume Bourque 
>>> >> <guillaume.bour...@logisoftech.com> wrote:
>>> >>>
>>> >>> Hi all,
>>> >>>
>>> >>> I can’t create an acl that will match this
>>> >>>
>>> >>> http://domain/?lang=
>>> >>>
>>> >>> I tried
>>> >>>
>>> >>> acl fr_top  path_reg   ^/.lang\=$
>>> >>> acl fr_top  path_reg   ^/\?lang\=$
>>> >>>
>>> >>> acl fr_top  path_beg   /?lang\=$
>>> >>>
>>> >>>
>>> >>
>>> >>
>>> >> You can't match the query string with the 'path' matcher. Try 'req.uri' 
>>> >> or 'query' if you're using 1.6. 
>>> >>
>>> >>
>>> >
>>> Try this:
>>> 
>>> acl fr_top  url_reg   /pages/store.php?lang=fr
>>> 
>> 
>> 
>> Ok, my last try :-)
>> 
>> http-request redirect location /store code 301 if { capture.req.uri lang= -m 
>> found }
>> 
>> 
>> 
> 



Re: acl regex

2015-11-12 Thread Guillaume Bourque
Hurrah Aleks,

it’s working thanks a lot

I will try more in depth in a few hours but wanted to thank you as soon as I 
tested it 

Again thanks 

---
Guillaume Bourque, B.Sc.,
On 2015-11-12 at 16:19, Aleksandar Lazic <al-hapr...@none.at> wrote:

> Hi.
> 
> On 12-11-2015 at 21:16, Guillaume Bourque wrote:
>> Hi all,
>> I’m not far but it does not work so any recommendation would be very
>> helpfull
>> I just need some very simple redirect but after looking into aloa doc
>> the happy doc, I can’t find examples that could help me do this, okay
>> I must admit I did not sleep for the last 30 hours so that could explain
>> why I can understand what I read ;-)
>> This seem the way to do it, but it do not work for me I’m running
>> haproxy 1.5.4
>>>> http-request redirect location /store code 301 if { capture.req.uri
>>>> lang\= -m found }
>> here is what I need to do, I can do path rewrite fine, but the ? is
>> bugging us.
>> I need to redirect 301 client from this
>> http://domain.com/?lang= to http://domain.com/
>> http://domain.com/?lang=fr to http://domain.com/
>> http://domain.com/?lang=en to http://domain.com/en
>> http://domain.com/pages/magasin.php?lang=fr to http://domain.com/
>> It  can be on 3 differents lines I dont want to achieve light speed
>> performance I just need to have this working ASAP
>> So I try with this
>> http-request redirect location /store code 301 if { capture.req.uri
>> lang= -m found }
>> Or with an acl
>> acl fr_top urlp_reg(lang\=$,?) -m found
>> http-request redirect location http://www.braultetmartineau.com/ code
>> 301 if fr_top
>> Do I need to escape anything in there
>> Any advice would be very appreciated
> 
> How about using an example from this?
> 
> http://git.haproxy.org/?p=haproxy-1.5.git;a=blob;f=examples/acl-content-sw.cfg;h=1872789ac2d1198f4321e77c0dad4f382cc8f206;hb=HEAD
> 
> 
> acl forbidden_uris url_reg -i (\.php\?temppath=|\.php\?setmodules=|[=:]http://)
> block if forbidden_uris
> 
> 
> I would try this, untested.
> 
> acl redir_en  url_reg -i .*lang=en
> acl redir_empty_or_fr url_reg -i .*lang=($|fr)
> 
> redirect location http://domain.com/ code 301 if redir_empty_or_fr
> redirect location http://domain.com/en/ code 301 if redir_en
> 
> Cheers
> Aleks
> 
>> Thanks
>> ---
>> Guillaume Bourque, B.Sc.,
>> On 2015-11-12 at 05:04, Guillaume Bourque
>> <guillaume.bour...@logisoftech.com> wrote:
>>> Hello Igor,
>>> thanks a lot still not working
>>> would I need to escape the =
>>>> http-request redirect location /store code 301 if { capture.req.uri
>>>> lang\= -m found }
>>> Bye
>>> ---
>>> Guillaume Bourque, B.Sc.,
>>> On 2015-11-12 at 03:59, Igor Cicimov <ig...@encompasscorporation.com>
>>> wrote:
>>> On Thu, Nov 12, 2015 at 6:44 PM, Guillaume Bourque
>>> <guillaume.bour...@logisoftech.com> wrote:
>>> Hi,
>>> thanks for the suggestion but it did not work for me.   I tried
>>> acl fr_top  url_reg   /?lang=
>>> acl fr_top  url_reg   /?lang=$
>>> # off acl fr_top  urlp_reg(lang\=$,?) -m found
>>> # off acl fr_top  urlp_reg(lang\=$,?) -m found
>>> but with no luck
>>> thanks
>>> ---
>>> Guillaume Bourque, B.Sc.,
>>> On 2015-11-12 at 02:18, Igor Cicimov <ig...@encompasscorporation.com>
>>> wrote:
>>> On 12/11/2015 5:30 PM, "Guillaume Bourque"
>>> <guillaume.bour...@logisoftech.com> wrote:
>>>> Hello Bryan
>>>> I’m running haproxy 1.5.4 and I can’t find any example on how to use
>>>> req.uri if you could give an example on how to match a specific
>>>> query to redirect to another
>>>> From http://domain/pages/store.php?lang=fr   to http://domain/store/
>>>> That would be great !
>>>> TIA
>>>> ---
>>>> Guillaume Bourque, B.Sc.,
>>>> On 2015-11-12 at 00:42, Bryan Talbot <bryan.tal...@ijji.com> wrote:
>>>>> On Wed, Nov 11, 2015 at 8:43 PM, Guillaume Bourque
>>> <guillaume.bour...@logisoftech.com> wrote:
>>>>>> Hi all,
>>>>>> I can’t create an acl that will match this
>>>>>> http://domain/?lang=
>>>>>> I tried
>>>>>> acl fr_top  path_reg   ^/.lang\=$
>>>>>> acl fr_top  path_reg   ^/\?lang\=$
>>>>>> acl fr_top  path_beg   /?lang\=$
>>>>> You can't match the query string with the 'path' matcher. Try
>>>>> 'req.uri' or 'query' if you're using 1.6.
>>> Try this:
>>> acl fr_top  url_reg   /pages/store.php?lang=fr
>> Ok, my last try :-)
>> http-request redirect location /store code 301 if { capture.req.uri
>> lang= -m found }
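
Added example, not part of the thread or of HAProxy: a small Python model of why the `path_reg` attempts never match while the `url_reg` rules do, and of the empty-value `urlp` behaviour described in the 2015-11-24 reply. The sample extraction functions are simplified assumptions about what each ACL family is matched against, and the URL with `oldlang` is a constructed edge case.

```python
import re
from urllib.parse import urlsplit

# Constructed inputs: the four redirect cases listed in the thread, mapped to
# the rule that should fire for each.
WANTED = {
    "http://domain.com/?lang=": "fr_or_empty",
    "http://domain.com/?lang=fr": "fr_or_empty",
    "http://domain.com/?lang=en": "en",
    "http://domain.com/pages/magasin.php?lang=fr": "fr_or_empty",
}


def sample_path(url):
    """Sample a path_* ACL is matched against: the URI up to, not including, '?'."""
    return urlsplit(url).path or "/"


def sample_url(url):
    """Sample a url_* ACL is matched against in this model: path plus '?query'."""
    parts = urlsplit(url)
    query = "?" + parts.query if "?" in url else ""
    return (parts.path or "/") + query


def sample_urlp(url, name, match_empty):
    """Value of query parameter `name`, or None when the ACL gets no sample.

    match_empty=False models the behaviour described in the thread (an empty
    value is treated as "parameter not found"); True models the proposed change.
    """
    for pair in urlsplit(url).query.split("&"):
        key, sep, value = pair.partition("=")
        if key == name and sep and (value or match_empty):
            return value
    return None


def reg(pattern, sample, ignore_case=False):
    """Unanchored regex match, as for the *_reg ACLs; no sample means no match."""
    if sample is None:
        return False
    return re.search(pattern, sample, re.I if ignore_case else 0) is not None


def classify_path_reg(url):
    # First attempt in the thread: acl fr_top path_reg ^/\?lang\=$
    return "fr_or_empty" if reg(r"^/\?lang\=$", sample_path(url)) else None


def classify_url_reg(url):
    # url_reg rules suggested in the thread, evaluated in the order given.
    sample = sample_url(url)
    if reg(r".*lang=($|fr)", sample, ignore_case=True):
        return "fr_or_empty"
    if reg(r".*lang=en", sample, ignore_case=True):
        return "en"
    return None


def classify_urlp(url, match_empty):
    # urlp rules proposed in the thread: urlp_reg(lang) ^(fr)?$ and urlp(lang) en
    value = sample_urlp(url, "lang", match_empty)
    if reg(r"^(fr)?$", value):
        return "fr_or_empty"
    if value == "en":
        return "en"
    return None


if __name__ == "__main__":
    # Constructed edge case: a different parameter whose name ends in "lang".
    for url in list(WANTED) + ["http://domain.com/?oldlang=en"]:
        print(url)
        print("  wanted             :", WANTED.get(url))
        print("  path_reg           :", classify_path_reg(url))
        print("  url_reg            :", classify_url_reg(url))
        print("  urlp (empty = miss):", classify_urlp(url, match_empty=False))
        print("  urlp (empty = hit) :", classify_urlp(url, match_empty=True))
```

The last URL shows the trade-off between the two working approaches: the unanchored `url_reg` pattern also fires on a parameter whose name merely ends in `lang`, while the `urlp` form only looks at the named parameter.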



Re: acl regex

2015-11-12 Thread Guillaume Bourque
Hello Igor,

thanks a lot still not working 

would I need to escape the = 

> http-request redirect location /store code 301 if { capture.req.uri lang\= -m 
> found }


Bye

---
Guillaume Bourque, B.Sc.,
On 2015-11-12 at 03:59, Igor Cicimov <ig...@encompasscorporation.com> wrote:

> 
> 
> On Thu, Nov 12, 2015 at 6:44 PM, Guillaume Bourque 
> <guillaume.bour...@logisoftech.com> wrote:
> Hi,
> 
> thanks for the suggestion but it did not work for me.   I tried
> 
>    acl fr_top  url_reg   /?lang=
>    acl fr_top  url_reg   /?lang=$
> # off acl fr_top  urlp_reg(lang\=$,?) -m found
> # off acl fr_top  urlp_reg(lang\=$,?) -m found
> 
> but with no luck
> 
> thanks
> 
> ---
> Guillaume Bourque, B.Sc.,
> On 2015-11-12 at 02:18, Igor Cicimov <ig...@encompasscorporation.com> wrote:
> 
>> 
>> On 12/11/2015 5:30 PM, "Guillaume Bourque" 
>> <guillaume.bour...@logisoftech.com> wrote:
>> >
>> > Hello Bryan
>> >
>> > I’m running haproxy 1.5.4 and I can’t find any example on how to use 
>> > req.uri if you could give an example on how to match a specific query to 
>> > redirect to another 
>> >
>> > From http://domain/pages/store.php?lang=fr   to http://domain/store/
>> >
>> > That would be great !
>> >
>> > TIA
>> >
>> >
>> >
>> > ---
>> > Guillaume Bourque, B.Sc.,
>> >
>> > On 2015-11-12 at 00:42, Bryan Talbot <bryan.tal...@ijji.com> wrote:
>> >
>> >> On Wed, Nov 11, 2015 at 8:43 PM, Guillaume Bourque 
>> >> <guillaume.bour...@logisoftech.com> wrote:
>> >>>
>> >>> Hi all,
>> >>>
>> >>> I can’t create an acl that will match this
>> >>>
>> >>> http://domain/?lang=
>> >>>
>> >>> I tried
>> >>>
>> >>> acl fr_top  path_reg   ^/.lang\=$
>> >>> acl fr_top  path_reg   ^/\?lang\=$
>> >>>
>> >>> acl fr_top  path_beg   /?lang\=$
>> >>>
>> >>>
>> >>
>> >>
>> >> You can't match the query string with the 'path' matcher. Try 'req.uri' 
>> >> or 'query' if you're using 1.6. 
>> >>
>> >>
>> >
>> Try this:
>> 
>> acl fr_top  url_reg   /pages/store.php?lang=fr
>> 
> 
> 
> Ok, my last try :-)
> 
> http-request redirect location /store code 301 if { capture.req.uri lang= -m 
> found }
> 
> 
> 



acl regex

2015-11-11 Thread Guillaume Bourque
Hi all,

I can’t create an acl that will match this

http://domain/?lang=

I tried

acl fr_top  path_reg   ^/.lang\=$
acl fr_top  path_reg   ^/\?lang\=$

acl fr_top  path_beg   /?lang\=$

I have a redirect 301 with 

http-request redirect location http://doamine.com/ code 301 if fr_top


I have done other redirect that works fine but no luck with this one

Any help greatly appreciated.

Thanks



---
Guillaume Bourque, B.Sc.,


Re: acl regex

2015-11-11 Thread Guillaume Bourque
Hi,

thanks for the suggestion but it did not work for me.   I tried

   acl fr_top  url_reg   /?lang=
   acl fr_top  url_reg   /?lang=$
# off acl fr_top  urlp_reg(lang\=$,?) -m found
# off acl fr_top  urlp_reg(lang\=$,?) -m found

but with no luck

thanks

---
Guillaume Bourque, B.Sc.,
On 2015-11-12 at 02:18, Igor Cicimov <ig...@encompasscorporation.com> wrote:

> 
> On 12/11/2015 5:30 PM, "Guillaume Bourque" 
> <guillaume.bour...@logisoftech.com> wrote:
> >
> > Hello Bryan
> >
> > I’m running haproxy 1.5.4 and I can’t find any example on how to use 
> > req.uri if you could give an example on how to match a specific query to 
> > redirect to another 
> >
> > From http://domain/pages/store.php?lang=fr   to http://domain/store/
> >
> > That would be great !
> >
> > TIA
> >
> >
> >
> > ---
> > Guillaume Bourque, B.Sc.,
> >
> > On 2015-11-12 at 00:42, Bryan Talbot <bryan.tal...@ijji.com> wrote:
> >
> >> On Wed, Nov 11, 2015 at 8:43 PM, Guillaume Bourque 
> >> <guillaume.bour...@logisoftech.com> wrote:
> >>>
> >>> Hi all,
> >>>
> >>> I can’t create an acl that will match this
> >>>
> >>> http://domain/?lang=
> >>>
> >>> I tried
> >>>
> >>> acl fr_top  path_reg   ^/.lang\=$
> >>> acl fr_top  path_reg   ^/\?lang\=$
> >>>
> >>> acl fr_top  path_beg   /?lang\=$
> >>>
> >>>
> >>
> >>
> >> You can't match the query string with the 'path' matcher. Try 'req.uri' or 
> >> 'query' if you're using 1.6. 
> >>
> >>
> >
> Try this:
> 
> acl fr_top  url_reg   /pages/store.php?lang=fr
> 



Re: acl regex

2015-11-11 Thread Guillaume Bourque
Hello Bryan

I’m running haproxy 1.5.4 and I can’t find any example on how to use req.uri 
if you could give an example on how to match a specific query to redirect to 
another 

From http://domain/pages/store.php?lang=fr   to http://domain/store/

That would be great !

TIA



---
Guillaume Bourque, B.Sc.,

On 2015-11-12 at 00:42, Bryan Talbot <bryan.tal...@ijji.com> wrote:

> On Wed, Nov 11, 2015 at 8:43 PM, Guillaume Bourque 
> <guillaume.bour...@logisoftech.com> wrote:
> Hi all,
> 
> I can’t create an acl that will match this
> 
> http://domain/?lang=
> 
> I tried
> 
> acl fr_top  path_reg   ^/.lang\=$
> acl fr_top  path_reg   ^/\?lang\=$
> 
> acl fr_top  path_beg   /?lang\=$
> 
> 
> 
> 
> You can't match the query string with the 'path' matcher. Try 'req.uri' or 
> 'query' if you're using 1.6. 
> 
> 



[SPAM] ssl getting the wrong certificate once in a while

2015-11-03 Thread Guillaume Bourque
Hi all,

I have a very weird problem and need your help if you have any idea !

here is my very simple setup

...
frontend  www_https
    bind 169.54.85.244:443 ssl crt /etc/pki/tls/certs/www.domain1.com.pem
    bind 169.54.85.249:443 ssl crt /etc/pki/tls/certs/www.domain1.com.pem

    http-request set-header X-Forwarded-Proto https


    use_backend wcweb   if url_bm-full

frontend  www_soap
    bind 169.54.85.244:8000 ssl crt /etc/pki/tls/certs/star.domain2.ca.pem
    bind 169.54.85.249:8000 ssl crt /etc/pki/tls/certs/star.domain2.ca.pem

    acl wc_soap_port dst_port 8000

    use_backend wcsoap  if wc_soap_port


Whenever I connect on port 8000 I get the correct cert 75 % of the time; 
the rest of the time I’m getting the other certs that should only be on port 443 

Here is how I get the certificate:

echo|openssl s_client -connect sphsoap100.bmtc.ca:8000 |openssl x509 -text -noout 2>&1| grep www.domain1.com

I tried with haproxy 1.5.14 ( haproxy-1.5.14-1.el6.src.rpm) and haproxy 1.5.4 
(haproxy-1.5.4-2.el6_7.1.src.rpm)


If I try with openssl on port 443 I always get the correct cert, which is the 
first one, but for the second one I have less luck ;-(

Any info from you would be great.

Guillaume

---
Guillaume Bourque, B.Sc.,

Re: very small footprint OS+HaProxy

2012-03-29 Thread Guillaume Bourque
Hi Thomas

We used to install ubuntu jeos 8.0.4 ( just enough OS ) in vmware and it
was using 20 mg ram on the host and not much CPU. I'm pretty sure you have
that on your host. You can allocate 128M ram to the vm and 2 GB of disk.

Now Jeos is part of an ubuntu server install, I never did it with 10.04 but
here is what I found this morning

 'Download the server ISO image http://www.ubuntu.com/getubuntu/download,
boot from it, press F4 on the first screen and select Install a minimal
virtual machine'

You will find haproxy builds for 386 or 64 bit that you can install in these
vm.

We use that in a production env for 50-60 users for RDP protocol and it
just works.

YMMV

Guillaume




On 29 March 2012 at 09:05, Thomas Manson dev.mansontho...@gmail.com wrote:

 Hi,

   In my job, I need to setup some HA setup with two VMWare image running
 on my laptop (16GB of RAM, SSD, Core i7).

   I need a load balancer, but quite often we're using Windows OS for
 convenience, and HAProxy do not run on windows (at least easily).

   So I'd like to know if there is very small footprint (in memory) linux
 with HAProxy on it that I would use for all my tests.


   anybody aware of that?

 Regards,
 Thomas.




-- 
Guillaume Bourque, B.Sc.,
514 576-7638,  http://ca.linkedin.com/in/GuillaumeBourque/fr


Re: erratic X-Forwarded-For patch for stunnel

2011-08-05 Thread Guillaume Bourque
Aug  5 11:23:54 haproxy[8423]: 192.168.134.222:43926 [05/Aug/2011:11:23:54.833] sslsite sslsite/vexft04 0/0/0/3/3 200 2640 - - --VN 6/6/1/2/0 0/0 {10.147.28.20} GET /script/espace-admin.js HTTP/1.1
Aug  5 11:23:54 haproxy[8423]: 192.168.134.222:43922 [05/Aug/2011:11:23:54.833] sslsite sslsite/vexft04 2/0/0/1/3 200 945 - - --VN 6/6/2/3/0 0/0 {} GET /script/recherche/SearchLightWindow.js HTTP/1.1
Aug  5 11:23:54 haproxy[8423]: 192.168.134.222:43924 [05/Aug/2011:11:23:54.835] sslsite sslsite/vexft04 2/0/1/1/4 200 810 - - --VN 6/6/2/3/0 0/0 {} GET /css/admin/typo.css HTTP/1.1
Aug  5 11:23:54 haproxy[8423]: 192.168.134.222:43928 [05/Aug/2011:11:23:54.835] sslsite sslsite/vexft04 2/0/0/1/3 200 1138 - - --VN 6/6/2/3/0 0/0 {} GET /css/admin/lists.css HTTP/1.1
Aug  5 11:23:54 haproxy[8423]: 192.168.134.222:43920 [05/Aug/2011:11:23:54.833] sslsite sslsite/vexft04 3/0/1/1/5 200 1617 - - --VN 6/6/2/3/0 0/0 {} GET /css/admin/layout.css HTTP/1.1
Aug  5 11:23:54 haproxy[8423]: 192.168.134.222:43926 [05/Aug/2011:11:23:54.837] sslsite sslsite/vexft04 2/0/0/1/3 200 2914 - - --VN 6/6/2/3/0 0/0 {} GET /css/admin/navbar.css HTTP/1.1
Aug  5 11:23:54 haproxy[8423]: 192.168.134.222:43922 [05/Aug/2011:11:23:54.837] sslsite sslsiteo/vexft04 2/0/0/1/3 200 1726 - - --VN 6/6/1/2/0 0/0 {} GET /css/admin/forms.css HTTP/1.1
Aug  5 11:23:54 haproxy[8423]: 192.168.134.222:43924 [05/Aug/2011:11:23:54.839] sslsite sslsite/vexft04 2/0/0/1/3 200 669 - - --VN 6/6/3/4/0 0/0 {} GET /css/niftyDeclare.css HTTP/1.1
Aug  5 11:23:54 haproxy[8423]: 192.168.134.222:43889 [05/Aug/2011:11:23:54.836] sslsite sslsite/vexft04 4/0/1/1/6 200 1740 - - --VN 6/6/3/4/0 0/0 {} GET /css/admin/ventre_general.css HTTP/1.1
Aug  5 11:23:54 haproxy[8423]: 192.168.134.222:43928 [05/Aug/2011:11:23:54.839] sslsite sslsite/vexft04 2/0/1/1/4 200 1662 - - --VN 6/6/2/3/0 0/0 {} GET /script/aculous/scriptaculous.js?load=effects HTTP/1.1
Aug  5 11:23:54 haproxy[8423]: 192.168.134.222:43922 [05/Aug/2011:11:23:54.841] sslsite sslsite/vexft04 1/0/0/1/2 200 767 - - --VN 6/6/1/2/0 0/0 {} GET /script/sifr-config.js HTTP/1.1
Aug  5 11:23:54 haproxy[8423]: 192.168.134.222:43920 [05/Aug/2011:11:23:54.839] sslsite sslsite/vexft04 2/0/0/4/7 200 10291 - - --VN 6/6/0/1/0 0/0 {} GET /script/sifr.js HTTP/1.1
Aug  5 11:23:54 haproxy[8423]: 192.168.134.222:43920 [05/Aug/2011:11:23:54.847] sslsite sslsite/vexft04 107/0/1/3/112 200 9179 - - --VN 6/6/0/1/0 0/0 {} GET /script/aculous/effects.js HTTP/1.1
Aug  5 11:23:55 haproxy[8423]: 192.168.134.222:43920 [05/Aug/2011:11:23:54.959] sslsite sslsite/vexft04 325/0/0/2/328 200 16587 - - --VN 6/6/0/1/0 0/0 {} GET /swf/futura.swf HTTP/1.1
Aug  5 11:23:55 haproxy[8423]: 192.168.134.222:43920 [05/Aug/2011:11:23:55.286] sslsite sslsite/vexft04 568/0/0/1/569 200 774 - - --VN 6/6/0/1/0 0/0 {} GET /css/sIFR-print.css HTTP/1.1
Aug  5 11:23:55 haproxy[8423]: 192.168.134.222:43920 [05/Aug/2011:11:23:55.856] sslsite sslsite/vexft04 23/0/0/1/24 200 330 - - --VN 6/6/0/1/0 0/0 {} GET /css/niftyPrint.css HTTP/1.1
Aug  5 11:23:56 haproxy[8423]: 192.168.134.222:43920 [05/Aug/2011:11:23:55.881] sslsite sslsite/vexft04 167/0/1/0/168 200 1392 - - --VN 6/6/0/1/0 0/0 {} GET /favicon.ico HTTP/1.1
Aug  5 11:24:00 haproxy[8423]: 192.168.134.222:43920 [05/Aug/2011:11:23:56.049] sslsite sslsite/vexft04 4550/0/1/1/4552 403 439 - - --VN 6/6/0/1/0 0/0 {} GET /admin/ HTTP/1.1
Aug  5 11:24:02 haproxy[8423]: 192.168.134.222:43920 [05/Aug/2011:11:24:00.601] sslsite sslsite/vexft04 1753/0/1/11/1765 200 3800 - - --VN 6/6/0/1/0 0/0 {} GET /admin/AdmInscriptionPro.shtml HTTP/1.1

(the apache log on vexft04 confirmed : some time there is 2 IP in the
X-Forwarded-For, most of the time there is only 192.168.134.222 the IP of
haproxy)

Got no error for patch only some warning in compilation/building :
dpkg-shlibdeps: warning: dependency on libdl.so.2 could be avoided if
debian/stunnel4/usr/bin/stunnel4
debian/stunnel4/usr/lib/stunnel/libstunnel.so were not uselessly linked
against it (they use none of its symbols).

What is done wrong ?

Thank you.

Best regards,

-- 
Damien







-- 
Guillaume Bourque, B.Sc.,
consultant, free technology infrastructures
514 576-7638,  http://ca.linkedin.com/in/GuillaumeBourque/fr


Re: Question concerning option forwardfor and HTTP keep-alive

2011-08-04 Thread Guillaume Bourque
Hi all,

I'm reading again the documentation here
http://haproxy.1wt.eu/download/1.4/doc/configuration.txt

and I don't see how I can do multiple except,

I know I can use 1 option forwardfor in each frontend cause I have multiple
frontend sections, maybe it's the way to do it ?

It would be nice to add a note in the documentation how we can put multiple
option  forwardfor  except

Thanks again and sorry for the confusion.

Guillaume

2011/8/4 Willy Tarreau w...@1wt.eu

 On Thu, Aug 04, 2011 at 11:00:39AM -0700, Bryan Talbot wrote:
   option  httplog
   option  log-health-checks
   option  redispatch
   option  forwardfor  except 10.222.0.52
   option  forwardfor  except 10.222.0.53
   option  forwardfor  except 10.222.0.58  # ip of haproxy and stunnel box
 
  Does having multiple forwardfor statements like this actually work so that
  the x-forwarded-for header isn't added if the connection comes from any of
  those hosts (networks)?  I had assumed that if any of the option
  forwardfor rules matched that the header would be added.

 I did not notice, only the last one will be considered.

 Regards,
 Willy




-- 
Guillaume Bourque, B.Sc.,
consultant, infrastructures technologiques libres
514 576-7638,  http://ca.linkedin.com/in/GuillaumeBourque/fr


Re: Question concerning option forwardfor and HTTP keep-alive

2011-08-04 Thread Guillaume Bourque
Thanks for the precision.

Maybe we can add some other string and not bother with the stunnel one when
it is there !

Like this:


option forwardfor header X-Forwarded-For-Haproxy

Or I see that It can be a network so this should be fine if all my stunnel
are in this subnet

option forwardfor except 10.222.0.0/27

Again thanks for your great support Willy.

Guillaume


2011/8/4 Willy Tarreau w...@1wt.eu

 On Thu, Aug 04, 2011 at 02:35:29PM -0400, Guillaume Bourque wrote:
  Hi all,
 
  I'm reading again the documentation here
  http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
 
  and I dont see how I can do multiple except,

 It is not possible, except is an optional field used to refine the
 option. When we later support pattern extraction it will be easier,
 as you'll simply add the header and the client's IP on certain conditions.

  I know I can use 1 option forwardfor in each frontend cause I have multiple
  frontend section maybe it's the way to do it ?

 If you need to have a different option for each frontend, then yes it
 might be the solution you're looking for.

  It would be nice to add a note in the documentation how we can put multiple
  option  forwardfor  except

 It's really not planned. In fact, option forwardfor was designed to be
 unconditional. With SSL offloaders, it became clear that being able to
 add an exception for the offloader address was needed. But that's still
 it : an exception.

 Regards,
 Willy




-- 
Guillaume Bourque, B.Sc.,
consultant, infrastructures technologiques libres
514 576-7638,  http://ca.linkedin.com/in/GuillaumeBourque/fr
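
Added example, not part of the thread or of HAProxy: a Python model of the "only the last `except` is considered" behaviour stated above, plus a check that a single replacement network really contains every offloader address. It assumes the three `except` addresses from the thread are all SSL offloaders that already insert the client IP; the client address and function names are constructed for illustration.

```python
import ipaddress

# Constructed from the thread: the three 'except' addresses and the /27 that
# was suggested as a single replacement.
EXCEPT_LINES = ["10.222.0.52", "10.222.0.53", "10.222.0.58"]
SUGGESTED_NET = ["10.222.0.0/27"]


def effective_except(directives):
    """Network actually honoured: per the thread, only the last 'except' counts."""
    if not directives:
        return None
    return ipaddress.ip_network(directives[-1], strict=False)


def haproxy_adds_xff(src, directives):
    """True when haproxy would add X-Forwarded-For for a connection from src."""
    net = effective_except(directives)
    return net is None or ipaddress.ip_address(src) not in net


def headers_seen_by_backend(client_ip, offloader_ip, directives):
    """X-Forwarded-For values the backend receives for client -> offloader -> haproxy.

    Assumption: the offloader (stunnel in the thread) already inserted client_ip.
    """
    values = [client_ip]
    if haproxy_adds_xff(offloader_ip, directives):
        values.append(offloader_ip)
    return values


def covering_network(addresses):
    """Smallest single network containing every address (one address family)."""
    addrs = [ipaddress.ip_address(a) for a in addresses]
    net = ipaddress.ip_network(str(addrs[0]))
    while not all(a in net for a in addrs):
        net = net.supernet()
    return net


def uncovered(addresses, directives):
    """Offloader addresses for which haproxy would still add the header."""
    return [a for a in addresses if haproxy_adds_xff(a, directives)]


if __name__ == "__main__":
    client = "203.0.113.7"  # constructed client address (documentation range)
    print("three except lines, still appended for:",
          uncovered(EXCEPT_LINES, EXCEPT_LINES))
    print("suggested /27, still appended for     :",
          uncovered(EXCEPT_LINES, SUGGESTED_NET))
    net = covering_network(EXCEPT_LINES)
    # Every address inside this network is exempt, not only the three listed.
    print("smallest covering network             :", net,
          "(%d addresses)" % net.num_addresses)
    print("backend sees via .52, three lines     :",
          headers_seen_by_backend(client, "10.222.0.52", EXCEPT_LINES))
    print("backend sees via .52, covering network:",
          headers_seen_by_backend(client, "10.222.0.52", [str(net)]))
```

Run against the addresses in the thread, the model shows that `10.222.0.0/27` stops at `10.222.0.31` and so exempts none of the three hosts, while `10.222.0.48/28` covers all of them.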


Re: How to check backend servers thru Haproxy?

2011-05-27 Thread Guillaume Bourque
Hi Willy,

should those two lines

   server srv1 1.1.1.1:80 cookie s1
   server srv2 1.1.1.2:80 cookie s2

be

   server srv1 1.1.1.1:80 cookie srv1
   server srv2 1.1.1.2:80 cookie srv2

Not sure but since I can't test right now I thought to ask the master  ;-)

thanks



Yes you can do that using the force-persist statement. The principle
 is that you define with ACLs how to detect that an incoming request is
 in fact one of your tests. That could be an IP address, a user-agent,
 or a cookie for example. Many people like the cookie because you already
 need to force one for the persistence, so if you can force one, you can
 force a second one. When this rule is matched, then haproxy will send
 your request to the server associated with the persistence cookie,
 whatever its state, and will not redispatch the request in case of
 failure. This statement was created exactly for the need you describe
 here.

 So let's consider the following setup :

 listen pub
    bind :80
    cookie SRV
    server srv1 1.1.1.1:80 cookie s1
    server srv2 1.1.1.2:80 cookie s2
    acl its_me hdr_sub(cookie) TEST=true
    force-persist if its_me

 Then you configure your browser to send two cookies :

  SRV=srv1
  TEST=true

 and you send any request you want there. You'll always be sent
 to server1.

 Cheers,
 Willy





-- 
Guillaume Bourque, B.Sc.,
consultant, infrastructures technologiques libres
514 576-7638,  http://ca.linkedin.com/in/GuillaumeBourque/fr


Re: Apache error log problem

2011-04-07 Thread Guillaume Bourque
Hi Greg

You won't be able to change apache error log format you can only change the
access log file if my memory is correct.

Maybe John's suggestion of using mod_rpaf would work but I never tried it.

Good luck !


2011/4/7 Greg Connolly g...@dmcontact.com

 I’m having an issue getting the apache error logs to receive the client
 ip’s. the proxy ip is the only one showing up. I have the apache access log
 working using the forward-for but not the error logs. Can anyone shed most
 light in this issue? Here is the current configuration.



 Apache2.conf

 LogFormat "%v:%p %{X-Forwarded-For}i %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
 LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
 LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %s %b" common
 LogFormat "%{Referer}i - %U" referer
 LogFormat "%{User-agent}i" agent

 Haproxy.cfg

 listen Test01 10.1.8.52:80
    mode http
    maxconn 1000
    balance roundrobin
    cookie JSESSIONID prefix
    option httplog
    option httpclose
    option forwardfor except 10.0.0.0/16
    option httpchk HEAD /haproxy_check.txt HTTP/1.0
    stick-table type ip size 200k expire 18m
    stick on src
    server 10.1.109.52 10.1.109.52:80 weight 60 cookie B check
    server 10.1.108.52 10.1.108.52:80 weight 40 cookie A check



 Thanks Greg




-- 
Guillaume Bourque, B.Sc.,
consultant, infrastructures technologiques libres
Logisoft Technologies inc.  http://www.logisoftech.com
514 576-7638,  http://ca.linkedin.com/in/GuillaumeBourque/fr


Re: HAProxy Session affinity for PHP web application

2011-03-11 Thread Guillaume Bourque
Hi Thomas,

We do it like this, haproxy adds a cookie, and based on the cookie it will
send it to the same web server

I'm no haproxy expert but it works for us with a very basic php application.

here are the related config in our haproxy


backend bk-prod
    balance roundrobin
    cookie  SERVERID insert indirect nocache
    server  lb10-3w-101 172.21.11.101:80 cookie lb11-3w-101 check inter 5s fall 3 maxconn 200 weight 20
    server  lb10-3w-102 172.21.11.102:80 cookie lb11-3w-102 check inter 5s fall 3 maxconn 200 weight 20


This will load balance in a round robin way but a second pass from the
same visitor will end up on the same server which will do what you want.

Good luck !



2011/3/11 Thomas Manson dev.mansontho...@gmail.com

 Hi Gabriel,

   I've read that HAProxy is capable of keeping a set of http request
 directed to the same webserver. (I think the feature is called 'Sticky
 Session' on Websphere Cluster)

   I've seen this in the documentation :

 appsession <cookie> len <length> timeout <holdtime>
            [request-learn] [prefix] [mode <path-parameters|query-string>]
   Define session stickiness on an existing application cookie.


 I'm just looking for some howto/best practices on this subject.

 Also the shared session with memcache can be a valid option. (I've to dig
 this subject).

 So, can anyone confirm that it's possible or not possible to have a sticky
 session feature with HAProxy  ?
 If possible : howto/best practice?
 If not : well I'll try the memcache solution ;)

 Thanks for your help,
 Regards,
 Thomas.




 On Fri, Mar 11, 2011 at 16:19, Gabriel Sosa sosagabr...@gmail.com wrote:

 this is not an HAProxy related problem

 What you need is to share the session across all webservers. You have
 several ways to do it: memcache, redis, db, filesystem.

 We currently are using memcache for this

 check your php.ini for session.save_handler

 we have something like:

 session.save_handler = memcache
 session.save_path = tcp://mmc-server-01:11211,tcp://mmc-server-02:11211

 some more info: http://php.net/manual/en/session.configuration.php

 Once you do this, haproxy will keep using the same algorithm  to balance
 but webservers will be able to find/reuse the session users were on.

 Regards



 On Fri, Mar 11, 2011 at 11:37 AM, Thomas Manson 
 dev.mansontho...@gmail.com wrote:

 Hi,

   I've setup HAProxy to loadbalance the traffic across two web servers
 that runs some PHP website (based on JOOMLA, OSCommerce and some other
 solution)

   However I've noticed that the session affinity is not working Out Of
 The BOX (which after 2sec of think is quite logical ;))

   Does anybody have some pointers to configure HAProxy (and if necessary
 PHP) to make this work ?

 Thanks,
 Thomas.




 --
 Gabriel Sosa
 If you are looking for different results, don't always do the same thing. - Einstein





-- 
Guillaume Bourque, B.Sc.,
consultant, open-source technology infrastructure
Logisoft Technologies inc.  http://www.logisoftech.com
514 576-7638,  http://ca.linkedin.com/in/GuillaumeBourque/fr


Re: HAProxy Session affinity for PHP web application

2011-03-11 Thread Guillaume Bourque
Thomas,

I'm no expert here and in our case we don't trust the application ;-)

So the proposed config will insert a cookie based on the name of the web
server for us (put anything you want) and a returning visitor will end up on
the same backend based on the haproxy cookie previously inserted.

Now I'm sure haproxy can intercept the application cookie and send it to the
same server, but you will have to test that and look at the doc ;-)

Also in the haproxy log you will have all the info for each session, where it
was balanced and if a cookie was present or inserted ...

From the doc in the log section search for this:

the third character tells whether the persistence cookie was provided by the
client (only in HTTP mode)


Good luck



2011/3/11 Manson Thomas mansontho...@gmail.com

 Ok that's exactly what I wanted to do.


 The default cookie name in PHP is
 session.name = PHPSESSID

 Is it this cookie name that I should set in HAProxy config ?

 Thomas.

 On Fri, Mar 11, 2011 at 4:55 PM, Guillaume Bourque 
 guillaume.bour...@gmail.com wrote:

 Hi Thomas,

 We do it like this: haproxy adds a cookie, and based on the cookie it will
 send it to the same web server.

 I'm no haproxy expert but it works for us with a very basic php
 application.

 Here is the related config in our haproxy:


 backend bk-prod
     balance roundrobin
     cookie  SERVERID insert indirect nocache
     server  lb10-3w-101 172.21.11.101:80 cookie lb11-3w-101 check inter 5s fall 3 maxconn 200 weight 20
     server  lb10-3w-102 172.21.11.102:80 cookie lb11-3w-102 check inter 5s fall 3 maxconn 200 weight 20


 This will load balance in a round robin way but a second pass from the
 same visitor will end up on the same server which will do what you want.

 Good luck !



 2011/3/11 Thomas Manson dev.mansontho...@gmail.com

 Hi Gabriel,

   I've read that HAProxy is capable of keeping a set of http request
 directed to the same webserver. (I think the feature is called 'Sticky
 Session' on Websphere Cluster)

   I've seen this in the documentation :

 appsession <cookie> len <length> timeout <holdtime>
            [request-learn] [prefix] [mode <path-parameters|query-string>]
   Define session stickiness on an existing application cookie.


 I'm just looking for some howto/best practices on this subject.

 Also the shared session with memcache can be a valid option. (I've to dig
 this subject).

 So, can anyone confirm that it's possible or not possible to have a
 sticky session feature with HAProxy  ?
 If possible : howto/best practice?
 If not : well I'll try the memcache solution ;)

 Thanks for your help,
 Regards,
 Thomas.




 On Fri, Mar 11, 2011 at 16:19, Gabriel Sosa sosagabr...@gmail.com wrote:

 this is not an HAProxy related problem

 What you need is to share the session across all webservers. You have
 several ways to do it: memcache, redis, db, filesystem.

 We currently are using memcache for this

 check your php.ini for session.save_handler

 we have something like:

 session.save_handler = memcache
 session.save_path =
 tcp://mmc-server-01:11211,tcp://mmc-server-02:11211

 some more info: http://php.net/manual/en/session.configuration.php

 Once you do this, haproxy will keep using the same algorithm  to balance
 but webservers will be able to find/reuse the session users were on.

 Regards



 On Fri, Mar 11, 2011 at 11:37 AM, Thomas Manson 
 dev.mansontho...@gmail.com wrote:

 Hi,

   I've setup HAProxy to loadbalance the traffic across two web servers
 that runs some PHP website (based on JOOMLA, OSCommerce and some other
 solution)

   However I've noticed that the session affinity is not working Out Of
 The BOX (which after 2sec of think is quite logical ;))

   Does anybody have some pointers to configure HAProxy (and if
 necessary PHP) to make this work ?

 Thanks,
 Thomas.




 --
 Gabriel Sosa
 If you are looking for different results, don't always do the same thing. - Einstein





 --
 Guillaume Bourque, B.Sc.,
 consultant, open-source technology infrastructure
 Logisoft Technologies inc.  http://www.logisoftech.com
 514 576-7638,  http://ca.linkedin.com/in/GuillaumeBourque/fr





-- 
Guillaume Bourque, B.Sc.,
consultant, open-source technology infrastructure
Logisoft Technologies inc.  http://www.logisoftech.com
514 576-7638,  http://ca.linkedin.com/in/GuillaumeBourque/fr
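
The session state field mentioned in the message above ("the third character tells whether the persistence cookie was provided by the client") can be decoded mechanically. The following is an added example, not part of the thread: it parses HTTP-mode log lines and summarizes cookie persistence, including sessions where the client presented an invalid or dead-server cookie. Flag meanings follow the HAProxy documentation; the function names, client addresses and sample log lines are constructed for illustration.

```python
import re

# Four-character session state of an HTTP-mode log line, one table per position.
TERMINATION = {
    "-": "normal completion",
    "C": "aborted by the client",
    "S": "aborted or refused by the server",
    "P": "ended by the proxy itself (deny filter, limit, redirect, stats page)",
    "R": "proxy resource exhausted",
    "I": "proxy internal error",
    "c": "client-side timeout",
    "s": "server-side timeout",
}
STATE = {
    "-": "after the end of the transfer",
    "R": "waiting for a complete request from the client",
    "Q": "waiting in the queue",
    "C": "connecting to the server",
    "H": "waiting for response headers",
    "D": "data phase",
    "L": "sending last data to the client",
    "T": "request tarpitted",
}
CLIENT_COOKIE = {
    "-": "not applicable",
    "N": "client sent no persistence cookie",
    "I": "client sent an invalid cookie (matches no server)",
    "D": "cookie pointed at a server that is down",
    "V": "client sent a valid cookie",
}
COOKIE_ACTION = {
    "-": "not applicable",
    "N": "no cookie from the server, none inserted",
    "I": "no cookie from the server, proxy inserted one",
    "P": "server cookie passed unchanged",
    "R": "server cookie rewritten by the proxy",
    "D": "server cookie deleted by the proxy",
}
TABLES = (("termination", TERMINATION), ("state", STATE),
          ("client_cookie", CLIENT_COOKIE), ("cookie_action", COOKIE_ACTION))

# "option httplog" line layout. The quotes around the request are optional
# because the lines pasted in this archive appear without them.
LOG_RE = re.compile(
    r'haproxy\[\d+\]:\s+(?P<client>\S+):(?P<port>\d+)\s+\[(?P<accept>[^\]]+)\]\s+'
    r'(?P<frontend>\S+)\s+(?P<backend>[^/\s]+)/(?P<server>\S+)\s+'
    r'(?P<timers>[-\d]+(?:/[-+\d]+){4})\s+(?P<status>\d{3})\s+(?P<bytes>\+?\d+)\s+'
    r'(?P<req_cookie>\S+)\s+(?P<res_cookie>\S+)\s+(?P<flags>[A-Za-z-]{4})\s+'
    r'(?P<conns>\d+(?:/\d+){4})\s+(?P<queues>\d+/\d+)\s+'
    r'(?:\{[^}]*\}\s+)*"?(?P<request>.*?)"?\s*$'
)

def decode_flags(flags):
    """Expand the four-character session state into readable text."""
    return {name: table.get(ch, "unknown flag %r" % ch)
            for (name, table), ch in zip(TABLES, flags)}

def parse_line(line):
    """Return the fields of one HTTP log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["decoded"] = decode_flags(rec["flags"])
    return rec

def affinity_report(lines):
    """Summarize cookie persistence: inserts, sticky hits, suspect cookies."""
    report = {"inserted": 0, "sticky": 0, "suspect": [], "unparsed": 0}
    pinned = {}  # client address -> servers reached with a valid cookie
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            report["unparsed"] += 1
            continue
        flags = rec["flags"]
        if flags[3] == "I":
            report["inserted"] += 1
        if flags[2] == "V":
            report["sticky"] += 1
            pinned.setdefault(rec["client"], set()).add(rec["server"])
        elif flags[2] in ("I", "D"):  # stale, tampered or dead-server cookie
            report["suspect"].append((rec["client"], flags, rec["request"]))
    report["pinned"] = {c: sorted(s) for c, s in pinned.items()}
    return report

# Constructed sample lines (not taken from the thread), modelled on bk-prod.
SAMPLE_LOG = '''\
Mar 11 17:02:11 lb10 haproxy[9691]: 192.0.2.10:51234 [11/Mar/2011:17:02:11.120] DISPATCH-lb10 bk-prod/lb10-3w-101 0/0/1/12/13 200 5120 - - --NI 2/2/1/1/0 0/0 "GET /index.php HTTP/1.1"
Mar 11 17:02:15 lb10 haproxy[9691]: 192.0.2.10:51240 [11/Mar/2011:17:02:15.480] DISPATCH-lb10 bk-prod/lb10-3w-101 0/0/0/9/9 200 2048 - - --VN 2/2/1/1/0 0/0 "GET /cart.php HTTP/1.1"
Mar 11 17:03:02 lb10 haproxy[9691]: 192.0.2.77:40022 [11/Mar/2011:17:03:02.010] DISPATCH-lb10 bk-prod/lb10-3w-102 0/0/1/15/16 200 5120 - - --II 3/3/2/1/0 0/0 "GET /index.php HTTP/1.1"
Mar 11 17:03:40 lb10 haproxy[9691]: 192.0.2.10:51302 [11/Mar/2011:17:03:40.200] DISPATCH-lb10 bk-prod/lb10-3w-102 0/0/1/11/12 200 1024 - - --DI 2/2/1/1/0 0/0 "GET /cart.php HTTP/1.1"
Mar 11 17:04:00 lb10 haproxy[9691]: 192.0.2.10:51310 [11/Mar/2011:17:04:00.000] DISPATCH-lb10 DISPATCH-lb10/NOSRV 4/-1/-1/-1/4 301 139 - - PR-- 0/0/0/0/0 0/0 GET / HTTP/1.1
Mar 11 17:05:00 lb10 haproxy[9691]: Proxy bk-prod started.
'''.splitlines()

if __name__ == "__main__":
    for key, value in affinity_report(SAMPLE_LOG).items():
        print(key, "=", value)
```

A client that repeatedly shows up in the "suspect" list with an invalid cookie is worth a look, since the persistence cookie value is entirely under the client's control.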


Re: Haproxy and Plesk

2011-02-15 Thread Guillaume Bourque

Dennis,

haproxy is used to balance traffic to multiple destinations, is this what 
you want to do ?


Not sure what you want to accomplish ?

Bye

Devota wrote:

Can you please give full rule for below request on haproxy?

Outgoing VIP (source) 10.10.2.1
Destination URL and Port: 193.168.1.2:80, 193.168.1.2:8880, 193.168.1.2:443, 
193.168.1.2:8440 as well as Port 21 and Port 22

I don't have much experience in haproxy. Can you please help me out?

Thanks & Regards
 
Dennis Devota

Savvis Inc
201-472-2821
203-687-8619

-Original Message-
From: Guillaume Bourque [mailto:guillaume.bour...@gmail.com] 
Sent: Monday, February 14, 2011 7:27 PM

To: Devota' Dennis
Cc: haproxy@formilux.org
Subject: Re: Haproxy and Plesk

For sure

you can use a listen like this;

frontend DISPATCH-lb10
    bind :80,:81,:8001,:8002,:8881,:8882

This will tell haproxy to listen on all IPs for those specific ports

If you check the doc you should have some complete usage examples

Good luck.


Devota wrote:
  

Hi all,

 

I am looking for way to configure same VIP to support multiples ports 
on haproxy for one physical box.


 

Same physical box has multiple applications (80,443 [SSL],8443 [SSL]). 
I would like use one VIP to support all the ports.


 


Is there way to do on haproxy? Please kindly advice.

 


Thanks & Regards

 


**Dennis Devota**

**Savvis Inc**

**201-472-2821**

**203-687-8619**

 



This message contains information which may be confidential and/or 
privileged. Unless you are the intended recipient (or authorized to 
receive for the intended recipient), you may not read, use, copy or 
disclose to anyone the message or any information contained in the 
message. If you have received the message in error, please advise the 
sender by reply e-mail and delete the message and any attachment(s) 
thereto without retaining any copies.




  



--
Guillaume Bourque, B.Sc.,
consultant, open-source technology infrastructure!
Logisoft Technologies inc.  http://www.logisoftech.com
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr




Re: Haproxy and Plesk

2011-02-14 Thread Guillaume Bourque

For sure

you can use a listen like this;

frontend DISPATCH-lb10
    bind :80,:81,:8001,:8002,:8881,:8882

This will tell haproxy to listen on all IPs for those specific ports

If you check the doc you should have some complete usage examples

Good luck.


Devota wrote:


Hi all,

 

I am looking for way to configure same VIP to support multiples ports 
on haproxy for one physical box.


 

Same physical box has multiple applications (80,443 [SSL],8443 [SSL]). 
I would like use one VIP to support all the ports.


 


Is there way to do on haproxy? Please kindly advice.

 


Thanks & Regards

 


**Dennis Devota**

**Savvis Inc**

**201-472-2821**

**203-687-8619**

 






--
Guillaume Bourque, B.Sc.,
consultant, open-source technology infrastructure!
Logisoft Technologies inc.  http://www.logisoftech.com
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr




Re: Stats page giving error sometimes, [X] Action not processed : the buffer couldn't store all the data.

2011-02-10 Thread Guillaume Bourque
Hello Willy!

You should not be disappointed at all, haproxy simply rocks, it's only a minor
issue only seen on G chrome and you already have a fix that will probably
solve this.

Again, thanks for this great software !


2011/2/10 Willy Tarreau w...@1wt.eu

 On Tue, Feb 08, 2011 at 05:08:48PM -0500, Guillaume Bourque wrote:
  Cyril,  you're a machine !
 
  I use firefox for now but it will be nice to use chrome too !  And if it
  makes things too complicated to support the new stat option in G
  chrome, well I will stick with firefox no prob at all ;-)

 Oh, I'm disappointed, I finally released 1.4.11 this morning with many
 fixes. I could have merged that too but it's too late now, it will be
 for next version :-/

 Regards,
 Willy




-- 
Guillaume Bourque, B.Sc.,
consultant, open-source technology infrastructure
Logisoft Technologies inc.  http://www.logisoftech.com
514 576-7638,  http://ca.linkedin.com/in/GuillaumeBourque/fr


Stats page giving error sometimes, [X] Action not processed : the buffer couldn't store all the data.

2011-02-08 Thread Guillaume Bourque
Hi all,

I'm running haproxy-1.4.10 (haproxy_1.4.10-1~yola~lucid~ppa1_amd64.deb) from
here https://launchpad.net/~yola/+archive/ppa/+buildjob/2125057

All is working fine except that most of the time I can't disable or enable a
single server.  When I try to do so I get this error message

 [X] Action not processed : the buffer couldn't store all the data.

And if I retry it in the next minute it will work.
This is a very simple setup, only 2 backends with a total of 6 servers.

Here is my stats config:

listen  Statistiques
    bind :
    mode http
    stats hide-version
    stats refresh 60s
    # allows taking servers down or up from the stats page
    stats admin if TRUE
    stats enable
    stats uri /stats
    stats realm Haproxy\ Statistics
    stats auth yyy:xxx


And here is the log when I try to disable a server

Feb  8 09:27:05 lb10 haproxy[9691]: my-ip:2502 [08/Feb/2011:09:27:05.570]
Statistiques Statistiques/STATS 4/-1/-1/-1/5 303 122 - - PR-- 0/0/0/0/0
0/0 POST /stats HTTP/1.1
Feb  8 09:27:05 lb10 haproxy[9691]: my-ip:1679 [08/Feb/2011:09:27:05.638]
Statistiques Statistiques/STATS 4/-1/-1/-1/63 200 20094 - - PR-- 0/0/0/0/0
0/0 GET /stats;st=EXCD HTTP/1.1
Feb  8 09:27:05 lb10 haproxy[9691]: my-ip:1480 [08/Feb/2011:09:27:05.852]
Statistiques Statistiques/NOSRV 4/-1/-1/-1/5 503 212 - - SC-- 0/0/0/0/0
0/0 GET /favicon.ico HTTP/1.1

I'm running Google chrome v.8.0.552.224 on linux to manage the haproxy stats
page


-- 
Guillaume Bourque, B.Sc.,
consultant, open-source technology infrastructure
Logisoft Technologies inc.  http://www.logisoftech.com
514 576-7638,  http://ca.linkedin.com/in/GuillaumeBourque/fr


Re: Stats page giving error sometimes, [X] Action not processed : the buffer couldn't store all the data.

2011-02-08 Thread Guillaume Bourque
Hi all,

I just found out that on Firefox v. 3.6.13 all is working perfectly

So there must be something with Google Chrome, at least on Ubuntu.

Bye

2011/2/8 Guillaume Bourque guillaume.bour...@gmail.com

 Hi all,

 I'm running haproxy-1.4.10 (haproxy_1.4.10-1~yola~lucid~ppa1_amd64.deb)
 from here https://launchpad.net/~yola/+archive/ppa/+buildjob/2125057

 All is working fine except that most of the time I can't disable or enable
 a single server.  When I try to do so I get this error message

  [X] Action not processed : the buffer couldn't store all the data.

 And if I retry it in the next minute it will work.
 This is a very simple setup, only 2 backends with a total of 6 servers.

 Here is my stats config:

 listen  Statistiques
     bind :
     mode http
     stats hide-version
     stats refresh 60s
     # allows taking servers down or up from the stats page
     stats admin if TRUE
     stats enable
     stats uri /stats
     stats realm Haproxy\ Statistics
     stats auth yyy:xxx


 And here is the log when I try to disable a server

 Feb  8 09:27:05 lb10 haproxy[9691]: my-ip:2502 [08/Feb/2011:09:27:05.570]
 Statistiques Statistiques/STATS 4/-1/-1/-1/5 303 122 - - PR-- 0/0/0/0/0
 0/0 POST /stats HTTP/1.1
 Feb  8 09:27:05 lb10 haproxy[9691]: my-ip:1679 [08/Feb/2011:09:27:05.638]
 Statistiques Statistiques/STATS 4/-1/-1/-1/63 200 20094 - - PR-- 0/0/0/0/0
 0/0 GET /stats;st=EXCD HTTP/1.1
 Feb  8 09:27:05 lb10 haproxy[9691]: my-ip:1480 [08/Feb/2011:09:27:05.852]
 Statistiques Statistiques/NOSRV 4/-1/-1/-1/5 503 212 - - SC-- 0/0/0/0/0
 0/0 GET /favicon.ico HTTP/1.1

 I'm running Google chrome v.8.0.552.224 on linux to manage the haproxy
 stats page


 --
 Guillaume Bourque, B.Sc.,
 consultant, open-source technology infrastructure
 Logisoft Technologies inc.  http://www.logisoftech.com
 514 576-7638,  http://ca.linkedin.com/in/GuillaumeBourque/fr




-- 
Guillaume Bourque, B.Sc.,
consultant, open-source technology infrastructure
Logisoft Technologies inc.  http://www.logisoftech.com
514 576-7638,  http://ca.linkedin.com/in/GuillaumeBourque/fr


Re: Stats page giving error sometimes, [X] Action not processed : the buffer couldn't store all the data.

2011-02-08 Thread Guillaume Bourque

Cyril,  you're a machine !

I use firefox for now but it will be nice to use chrome too !  And if it 
makes things too complicated to support the new stat option in G 
chrome, well I will stick with firefox no prob at all ;-)


thanks.

Guillaume

Cyril Bonté wrote:

Hi again Guillaume,

On Tuesday 8 February 2011 19:20:52, Cyril Bonté wrote:
  

The problem is that Chrome sends the request in (at least) 2 packets :
a first one for the headers part, a second one for the data but haproxy is
currently limited to one packet.

I'll try to find time to enhance this but can't promise it will be this
week.



Good news, it didn't require a lot of modifications to accept several packets. 
I've updated the code to raise the limit up to the buffer size (I hope it's 
the way it should be done). I've also added the support of the Expect: 
100-Continue Header.

Give me some days to make more tests and clean up the code ;-)

  



--
Guillaume Bourque, B.Sc.,
consultant, open-source technology infrastructure!
Logisoft Technologies inc.  http://www.logisoftech.com
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr




Re: Startup delay problem

2011-01-09 Thread Guillaume Bourque

Hi Guys,

Here's what I tried

Move stunnel startup script at S60stunnel then  haproxy to S61haproxy

Heartbeat is S75heartbeat

That did not help

So then I created a S62sleep script ;-) I know it's ugly but it was 
becoming late


The script would sleep for 20 sec, the time it takes haproxy to see the 
first server up


Then heartbeat came up and as soon as the IP came in service, well guess 
what, it took another 20 seconds for the server to come up in haproxy.


So then (just for a test) I did a sleep 120 sec in my S62sleep script, 
guess what, after my reboot it took 120 seconds to start heartbeat but 
then when traffic came in the node, another 20 sec before haproxy saw my 
server up !


So maybe since heartbeat is in the loop I have an ARP delay as Willy said.

I will be putting a wget in my S62sleep to test haproxy and maybe force 
the haproxy to wake up ;-) then do my sleep 20 seconds before heartbeat 
starts and I'll try to tcpdump there.


Also with heartbeat could I put a single MAC for my service IP on 
both my nodes, would that solve this issue that I only see at boot time on my 
2 nodes ?


Thanks for any advice ;-)

Mike Hoffs wrote:

Wait a minute, I did not notice you were running heartbeat. It changes
a lot of things. It's taking the IP over and depending on whether it's
announcing gratuitous ARPs on fail-over and if other equipment accepts
them, it is possible that you have to wait for a cache to expire somewhere.
Tcpdump will show that a lot better (please get the full captures, not just
screen dumps, as we'll have to dig into the MAC addresses and correlate
them with ARP traffic).



Depending on the network topology, you could ping the routers from that IP 
after heartbeat has taken it over. That sometimes solves a problem with 
long-term ARP caches for us.

  



--
Guillaume Bourque, B.Sc.,
consultant, open-source technology infrastructure!
Logisoft Technologies inc.  http://www.logisoftech.com
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr




Re: Startup delay problem

2011-01-09 Thread Guillaume Bourque

Hurray ;-)

I found it and as I suspected haproxy had nothing to do with it

The backend servers are on a different subnet and need a special route 

That route was only added by /etc/rc.local which is executed after all 
the startup scripts, so until that route was added by /etc/rc.local 
haproxy could not connect to those backends 


Now I have added those routes in /etc/sysconfig/network-scripts/route-eth1

And now when haproxy starts all backends are there ;-)

Thanks for your support and sorry for this non issue !

Bye

Willy Tarreau wrote:

Hi Guillaume,

First, thank you for the feedback. I have one question below :

On Sun, Jan 09, 2011 at 12:57:28PM -0500, Guillaume Bourque wrote:
  

Hi Guys,

Here's what I tried

Move stunnel startup script at S60stunnel then  haproxy to S61haproxy

Heartbeat is S75heartbeat

That did not help

So then I created a S62sleep script ;-) I know it's ugly but it was 
becoming late


The script would sleep for 20 sec, the time it takes haproxy to see the 
first server up


Then heartbeat came up and as soon as the IP came in service, well guess 
what, it took another 20 seconds for the server to come up in haproxy.



Are you sure that the switch port to which your LB is connected is not
in blocking mode after the interface gets up ? You can check for that
by pinging anything from the machine. On cisco switches, for instance,
you have to use the portfast option so that the ports immediately
forward. Otherwise the switch blocks for some time, checking for
possible spanning tree frames.

Regards,
Willy

  



--
Guillaume Bourque, B.Sc.,
consultant, open-source technology infrastructure!
Logisoft Technologies inc.  http://www.logisoftech.com
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr




Startup delay problem

2011-01-07 Thread Guillaume Bourque
 server

   capture request  header Host len 20
   # log the amount of data uploaded during a POST
   capture request  header Content-Length len 40
   # log the beginning of the referrer
   capture request  header Referer len 40

backend DomaineClient-PROD
   balance roundrobin
   cookie SERVERID insert indirect nocache
   option httpchk HEAD /online.txt HTTP/1.0
   server 3w1-mc-prod 10.222.4.98:80 cookie 3w1mcprod check inter 2000 fall 3 maxconn 254
   server 3w2-mc-prod 10.222.4.113:80 cookie 3w2mcprod check inter 2000 fall 3 maxconn 254
   server 3w1-mcbkp-prod 10.222.4.99:80 backup check inter 2000 fall 3 maxconn 254
   option  checkcache # block response if set-cookie & cacheable
   rspidel ^Set-cookie:\ IP=   # do not let this cookie tell our internal IP address



Anything obvious that I missed.

What I even tried as a last resort ...

Add a startup script that would just do a sleep after haproxy startup so 
that we wait before starting heartbeat that will bring the service ip 
and the rest of the server, but no luck.   We were getting 503 errors for 
at least 10-20 sec before the backend had come up after the sleep period !


Thanks



--
Guillaume Bourque, B.Sc.,
consultant, open-source technology infrastructure!
Logisoft Technologies inc.  http://www.logisoftech.com
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr




Re: node frequently goes down on another physical machine

2010-12-23 Thread Guillaume Bourque

Hi,

First, upgrading to a more recent build of haproxy 1.4.x would be better.

Also you should send us more info on your heartbeat config and haproxy so 
that we can better understand your setup.


Bye



Amit Nigam wrote:
Hi, We have just recently migrated from apache to HAProxy. We are 
having 2 tomcat(TC1 and TC2) nodes along with 2 LB(LB1 LB2) nodes and 
other DB nodes. We created 4 virtual servers out of one physical 
server. Using 2 servers we have 8 nodes.
We are running two HAProxy instances on LB1 and LB2 one each on a 
virtual IP, which is being managed with heartbeat. The problem is when 
LB1 acquires the virtual IP TC2 shows frequent droppings, I can see 
thousands of retries on stats page, while at that time TC1 runs fine. 
When LB2 acquires the IP, TC1 starts dropping the connections. Another 
problem is stat page keeps changing stats related to retries. Even it 
shows number of retries as per earlier times.
I have tried several things including as you suggested 
smart-tcp-connect, foreclose and smart-tcp-connection, but my HAProxy 
build (1.3.16) says unknown options for them.
 
Please help.
 
Thanks,

Amit



--
Guillaume Bourque, B.Sc.,
consultant, open-source technology infrastructure!
Logisoft Technologies inc.  http://www.logisoftech.com
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr




Re: Haproxy SMTP loadbalancer + authentication + real sender IP in log ?

2010-11-26 Thread Guillaume Bourque

Hi,

Why don't you create 2 MX records for the smtp hostname that you put on 
your desktop


Your desktop will get 1 of the 2 MX records (ip 192.168.30.196 or 
192.168.30.197), this is all in the SMTP protocol, no need for haproxy to 
do this.


Then all your logs in postfix will show the clients' IPs and auth will work 
just as usual


Bye


jayesh shinde wrote:

Hi  ,

I am trying to configure the HAProxy for SMTP load balancing.  The 
same has been configure on my local server as follows , below are the 
content of the /etc/haproxy.cfg



listen smtp 192.168.30.195:25
    mode tcp
    option tcplog
    balance roundrobin

    server smtp1 192.168.30.196:25 weight 1 maxconn 5000 check
    server smtp2 192.168.40.197:25 weight 1 maxconn 5000 check

On 192.168.30.196 and 192.168.40.197  postfix running on 25 port and 
load is getting balance properly.


My Question :--
===

1) How do I get end users real request IP on 192.168.30.196 and 
192.168.40.197 ?


Currently whenever any end user sends emails from a desktop via  
192.168.30.195 IP , then I am getting 192.168.30.195 IP in smtp1's  
and smtp2's  maillog  i.e  not the actual desktop sender IP.  How to 
get the desktop IP i.e real  IP in maillog  ?


2)  My desktop user is not getting authenticate from the 
192.168.30.196 and 192.168.40.195 . On the SMTP server I have ldap 
authentication which is running properly.



because of the above 2 problem I can't use the HAProxy in production 
environment.


Can anyone please guide me how to solve the above 2 problems ? I checked 
the mailing list and did a Google search but could not get any positive response.


Your inputs will be valuable for me.

Thanks & Regards
Jayesh Shinde







--
Guillaume Bourque, B.Sc.,
consultant, open-source technology infrastructure!
Logisoft Technologies inc.  http://www.logisoftech.com
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr




Re: [ANNOUNCE] haproxy 1.5-dev3

2010-11-12 Thread Guillaume Bourque

You guys simply rock !!!

Keep up the very good work.

Bye


Willy Tarreau wrote:

On Fri, Nov 12, 2010 at 03:51:11PM +0100, Cyril Bonté wrote:
(...)
  

Do you know if keep-alive was involved in any of these tests ?
  

I tried both, It's easier to reproduce without keep-alive.
Actually, I also met the issue with httperf.

My configuration files :
# stunnel.conf
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
foreground=yes
pid=/var/run/stunnel.pid
unix-sockets-dir=/var/run
debug=3

[localhost-uxst]
cert = /home/cbonte/tmp/server.crt
key  = /home/cbonte/tmp/server.key
accept=0.0.0.0:8443
connect=/ssl.sock
TIMEOUTclose = 0
;sendproxy=yes

[localhost-tcp]
cert = /home/cbonte/tmp/server.crt
key  = /home/cbonte/tmp/server.key
accept=0.0.0.0:8444
connect=127.0.0.1:8080
TIMEOUTclose = 1
;sendproxy=yes

# haproxy.conf
global
stats socket /var/run/haproxy.sock

defaults
timeout server 60s
timeout client 60s
timeout connect 10s

listen https-in
bind /var/run/ssl.sock user root mode 600 # accept-proxy
bind :8080

mode http
#option http-server-close
option httpclose
stats enable

server local localhost:80

Using the UNIX Socket 
httperf --server localhost --port 8443 --uri / --rate 100 --num-conn 1000 \
    --ssl --num-call 1
=> I see a lot of readsocket: Invalid argument (22) in stunnel

Using the TCP Socket 
httperf --server localhost --port 8444 --uri / --rate 100 --num-conn 1000 \
    --ssl --num-call 1
=> no error message



Thank you Cyril, I'll forward all that material to Emeric in case
he finds a clue about that. I hope we're not hitting buffer size
limits or things like this on the unix sockets :-/

TCP_NODELAY should not be set because it does not exist on the UNIX
sockets, but I don't think there is any relation. More likely it's
a matter of a connection limit or too fast reuse somewhere, and I'm
not used to tune for that !

Thanks !
Willy


  



--
Guillaume Bourque, B.Sc.,
consultant, open-source technology infrastructure!
Logisoft Technologies inc.  http://www.logisoftech.com
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr




Re: RDP Cookie Versus MS Load Balancing

2010-11-03 Thread Guillaume Bourque

John Marrett wrote:

I'm interested in the newish RDP cookie feature, and how it compares
with the RDP load balancing features that Microsoft themselves offer
(Microsoft Connection Broker / Session Directory?).

Can any users offer comments on why one would use haproxy instead of the
MS native tech, apart from licensing cost concerns?

  
For some of my customers in a virtual environment the Microsoft product 
did not work well, specifically for laptop users.  They were not redirected 
to the same TS after a suspend of their laptop.


Don't know why the MS solution did not work well for them but haproxy 
works for them.


I used these settings in haproxy on 3 sites where we have around 70-100 
RDP users.


balance source
option tcpka

These options force the same client IP ( laptop ) always onto the same 
backend.  I don't even use the RDP cookie features yet and my customers 
are very happy with it this way.


YMMV

Guillaume


From what I see it looks like the haproxy solution is fairly basic,
though I'm not sure that the MS solution is any better. Some of the
haproxy hashing behaviour seems a little questionable as well.

This page [1] talks about "When a failed server was brought back
on-line, users that had been connected to that server would reconnect to
it again - even if they had started a new session on the other server in
the meantime", this also sounds quite distressing "NB. For some daft
reason Microsoft restricted the login cookie in RDP to 9 characters! Now
as the domain is usually listed first (mydomain/myusername) the first 9
characters may always be the same and RDP cookie session persistence
wont work. Two work arounds for this are either reduce the length of
your domain name (ouch!) OR use the myusern...@mydomain format when you
log in"

It does sound like removing and adding servers will not affect hashing
of existing connections, which is quite desirable.

[1]
http://blog.loadbalancer.org/load-balancing-windows-terminal-server-%E2%80%93-haproxy-and-rdp-cookies/

-JohnF

  



--
Guillaume Bourque, B.Sc.,
consultant, open-source technology infrastructure!
Logisoft Technologies inc.  http://www.logisoftech.com
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr




Re: Haproxy+Nginx SSL Insecurities

2010-11-02 Thread Guillaume Bourque
Hi John and the list,

Thanks for sharing your config, I have a similar one and it works BUT

In the haproxy log file I get one log entry with flag PR when I hit the SSL
site with port 80

Nov  2 17:09:39 localhost haproxy[10021]:
1.1.1.1:1680[02/Nov/2010:17:09:39.246] DISPATCH-lb2
DISPATCH-lb2/NOSRV 4/-1/-1/-1/4
301 139 - - PR-- 0/0/0/0/0 0/0 {test-ssl.domain.com||} GET / HTTP/1.1

The redirect rule applies and I'm sent over to the https site and all goes
well but I have this one entry in the log

This is my redirect rule in my lb2 frontend section
frontend DISPATCH-lb2
    ...
    redirect prefix https://test-ssl.domain.com code 301 if url_spprod !secure_port_pprod


Is this a normal behavior ?

Thanks

2010/7/8 John T Skarbek jtsl...@gmail.com

 Hey guys,

 Thanks for the input.  I ended up settling on the following configuration
 type:
 in haproxy:
 listen  something.com
     bind 172.168.1.1:80
     acl acl_port_80 dst_port eq 80
     acl acl_secure hdr(amISecure) YES
     cookie SERVERID insert indirect nocache
     redirect location https://something.com/sslRedirect.htm code 301 if acl_port_80 !acl_secure
     server www100 172.168.1.100 cookie www100 weight 1 check inter 1s fall 3 rise 2
     option httpchk GET /ping.htm HTTP/1.1\r\nHost:something.com
     capture request header X-Forwarded-For len 15

 and in nginx:
 location / {
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header amISecure YES;
     proxy_pass  http://something.com;
 }

 I also wanted to thank you guys for the feedback, I appreciated it.

 John T. Skarbek
 B.S.Computer Science Networking
 Radford University
 jskar...@radford.edu
 434.770.3089
 Radford, VA 24142



 On Sat, Jul 3, 2010 at 12:59 PM, Willy Tarreau w...@1wt.eu wrote:

 On Sat, Jul 03, 2010 at 11:23:16AM -0400, John T Skarbek wrote:
  Chris,
 
  Thanks for responding.  I had thought of the option you mention.  However I
  discontinued it quickly.  The reason I'm not a big fan, is that those header
  values can be hacked quite easily.  Granted the end user (hacker) may not
  know the specific value that must hold.  There are even plugins to browsers
  that help end users view headers and modify them any which way they choose.

 hey, just remove the header from the HTTP proxy ;-)
 Having a front reverse-proxy set the information about SSL is quite common
 anyway. With stunnel, what is common is to forward the deciphered SSL
 traffic to 127.0.0.1, so that haproxy knows for sure it was SSL. There
 is nothing wrong with proceeding that way with nginx.

 Regards,
 Willy





-- 
Guillaume Bourque, B.Sc.,
consultant, infrastructures technologiques libres
Logisoft Technologies inc.  http://www.logisoftech.com
514 576-7638,  http://ca.linkedin.com/in/GuillaumeBourque/fr
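
The header-trust question raised in the quoted replies above, as an added example (not code from the thread): it models the posted redirect rule next to a variant that keeps the amISecure header only when the request comes from the SSL terminator. The loopback terminator address and the sample requests are assumptions constructed for the illustration.

```python
"""Who may assert "this request arrived over SSL"? Header-only vs source-bound trust."""
import ipaddress
from dataclasses import dataclass, field

SECURE_HEADER = "amISecure"  # header name from the nginx config in the thread
# Assumption: the SSL terminator reaches haproxy over loopback, as in the
# stunnel layout described in the quoted reply.
TRUSTED_TERMINATORS = (ipaddress.ip_network("127.0.0.0/8"),)


@dataclass
class Request:
    src: str
    dst_port: int
    headers: dict = field(default_factory=dict)


def header_value(req, name):
    """Header lookup with case-insensitive names, as HTTP requires."""
    for key, value in req.headers.items():
        if key.lower() == name.lower():
            return value
    return None


def header_only_rule(req):
    """The posted rule: redirect if acl_port_80 !acl_secure."""
    secure = header_value(req, SECURE_HEADER) == "YES"
    return "redirect-301" if req.dst_port == 80 and not secure else "serve"


def from_terminator(req):
    """True when the connection source is one of the trusted SSL terminators."""
    addr = ipaddress.ip_address(req.src)
    return any(addr in net for net in TRUSTED_TERMINATORS)


def source_bound_rule(req):
    """Drop the header unless the SSL terminator sent it, then apply the same rule."""
    kept = {k: v for k, v in req.headers.items()
            if k.lower() != SECURE_HEADER.lower() or from_terminator(req)}
    return header_only_rule(Request(req.src, req.dst_port, kept))


# Constructed requests (addresses are documentation/test values).
CASES = {
    "plain browser on port 80": Request(
        "203.0.113.7", 80, {"Host": "something.com"}),
    "via SSL terminator": Request(
        "127.0.0.1", 80, {"Host": "something.com", "amISecure": "YES"}),
    "client-supplied header": Request(
        "203.0.113.7", 80, {"Host": "something.com", "AMISECURE": "YES"}),
}


def evaluate():
    """Return {case: (header-only decision, source-bound decision)}."""
    return {name: (header_only_rule(r), source_bound_rule(r))
            for name, r in CASES.items()}


if __name__ == "__main__":
    for name, (weak, hardened) in evaluate().items():
        print(f"{name:26} header-only={weak:13} source-bound={hardened}")
```

In haproxy terms the source-bound variant corresponds to an ACL on `src` combined with removal of the header for every other source.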


Re: rpms for rhel5?

2010-10-29 Thread Guillaume Bourque
Hi Angelo,

Will you build the 1.4.9 version for x86_64 and i386 would also be great !

thanks

2010/10/25 Angelo Höngens a.hong...@netmatch.nl

 On 25-10-2010 10:54, Pasi Kärkkäinen wrote:
  You might want to add: --define 'dist .el5'
  to your rpmbuild command :)

 Thanks, that looks better :)

 http://files.netmatch.nl/RPMS/haproxy-1.4.8-1.el5.x86_64.rpm

 This building stuff is all quite new to me ;)


 --


 With kind regards,


 Angelo Höngens
 systems administrator

 MCSE on Windows 2003
 MCSE on Windows 2000
 MS Small Business Specialist
 --
 NetMatch
 tourism internet software solutions

 Ringbaan Oost 2b
 5013 CA Tilburg
 +31 (0)13 5811088
 +31 (0)13 5821239

 a.hong...@netmatch.nl
 www.netmatch.nl
 --






-- 
Guillaume Bourque, B.Sc.,
consultant, infrastructures technologiques libres
Logisoft Technologies inc.  http://www.logisoftech.com
514 576-7638,  http://ca.linkedin.com/in/GuillaumeBourque/fr


Question regarding cookie

2010-10-28 Thread Guillaume Bourque

Hi all,

Let's say I have 2 sites that are served with the same haproxy instance.

If I go direct to site1 all is fine, I'm using one of the servers of the
site1 backend.

If I go direct to site2 all is fine, I'm using one of the servers of the
site2 backend.

But from the web site1, if I click a link to go to site2 it won't work.

Instance #1 and #2 share physical servers but with different cookies
because they use different backends; some are apache, others are tomcat.

What I'm thinking is that if I open a browser to go directly to site1 or
2 all is fine since I have no cookie.

But if I click to site2 from within site1, well, I probably already have a
cookie for site1 in the request and I end up with a FILE not found.

I went to the doc and I'm pretty sure cookie rewrite or similar will
help me, but I would like to have your input on this kind of setup.

cookie SERVERID indirect

or

cookie SERVERID rewrite

Which should I use?

Another one

I use this command to dump http data with tcpdump but I'm sure there is a 
simpler one

tcpdump -s 0 -A -i any 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'


Thanks for your input !

--
Guillaume Bourque, B.Sc.,
consultant, infrastructures technologiques libres !
Logisoft Technologies inc.  http://www.logisoftech.com
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr




Re: Sharing machine or separate machine?

2010-07-06 Thread Guillaume Bourque
Hi !

2010/7/6 Christian Jensen christ...@officepools.com

  Thanks for the feedback. I do understand that it is pretty vague.

 If you have the machine directly on the net and all ports off, is the only
 reason to use a cisco to get the VPN or are there other benefits? I come
 from the M$ world where we used ISA server and I understand the positives
 there but also the downsides too.

 With ISA server I got:
 * URL Routing
 * NAT
 * VPN
 * Logging
 * Load Balancing
 * SSL offloading
 and more. I know this forum is not designed specifically for talking about
 Cisco products but does anyone know what the best box for the best price to
 emulate the above features? Is it simply a matter of mixing in other Open
 Source projects and boxes?


Well an open source box will always beat the M$ equivalent price, will be
more robust and more secure, and you won't have to upgrade the whole server if
you decide to upgrade 1 product!

Here is what some are using:

* URL Routing  --   haproxy
* NAT --  linux firewall
* VPN -- linux can provide this with openvpn or other vpn server
* Logging  -- well it's part of linux, syslog-ng does a good job
* Load Balancing -- haproxy can do that for all http traffic
* SSL offloading -- www.stunnel.org/  or nginx

This can all be on 1 server directly connected to the internet if well
configured, or behind a cisco or juniper firewall.  Some people on the list
will load balance http traffic over 100Mb/sec on 1 normal server hardware
...

It all depends on the size of the object that you will be serving and your
configuration.

Good luck !


 I hate adding boxes because your MTBF cuts in half for every component you
 add.

 Thanks!
 Christian

 On 7/6/2010 3:16 AM, Angelo Höngens wrote:

 On 6-7-2010 10:32, Christian Jensen wrote:

  Hi,

 I am setting up a new datacenter and would love to get an opinion...

 We have 3 options:
 1. Build a firewall machine separate from the load balancer machine
 2. Share a machine and have a firewall and haproxy on the same box
 3. Virtualize everything (VMWare, Xen, KVM)

 Please suggest you best choice for firewall if you want - we can use
 anything. Also, if you have any decent experience with any hypervisor,
 please weigh in there too.

 Thanks!
 Christian


 Please suggest a new car for me. I have three options: a pick-up truck,
 a car with a trailer behind it, or a lorry truck. They can all be used
 for transporting cargo, and probably do a good job, but I can't make you
 any suggestions, since perhaps you do other work than I do. :-)

 I can tell you what we do, based on the work we do..

 About firewalls: we mainly use cisco firewalls everywhere (they're also
 good for setting up a site-to-site vpn from your office to your
 datacenter). We have haproxy, varnish and squid machines behind them.

 For some high-volume projects we have some balancers attached directly
 to the net. These balancers have at least 2 network cards, and the
 'public' interface only has port 80 open. SSH and other services only
 listen on the inside interface. In this case you don't really need a
 firewall to close ports.





-- 
Guillaume Bourque, B.Sc.,
consultant, infrastructures technologiques libres
Logisoft Technologies inc.  http://www.logisoftech.com
514 576-7638,  http://ca.linkedin.com/in/GuillaumeBourque/fr


Re: haproxy as a dmz/proxy for other virtual hosts? examples of config files?

2010-06-25 Thread Guillaume Bourque
Hi,

Well, you can take any of the examples but with only 1 backend server.  Later
when or if your site grows you will be able to just add a server in the
backend section to balance traffic on more than one http server.

Bye


2010/6/25 hapr...@serverphorums.com

 hello,
 Does anyone have any examples of simple (hopefully) haproxy configurations
 for simple proxy setups with no load balancing?
 basically i would like to have an alternative to mod_proxy.

 We have a number of internal virtual named-hosts on a number of different
 systems internally.
 I want to setup haproxy on a sort of a port 80 and 443 DMZ and re-direct
 virtual names to different servers within our internal network.

 Most of the online documents/forums I've read are more about load-balancing
 than just simple redirects or proxies.

 Thanks
 Tom.

 ---
 posted at http://www.serverphorums.com
 http://www.serverphorums.com/read.php?10,163672,163672#msg-163672




-- 
Guillaume Bourque, B.Sc.,
consultant, infrastructures technologiques libres
Logisoft Technologies inc.  http://www.logisoftech.com
514 576-7638,  http://ca.linkedin.com/in/GuillaumeBourque/fr


Re: HAProxy on GuruPlug-Server

2010-05-31 Thread Guillaume Bourque

Hello

Have you guys tried these boxes ?

http://www.fit-pc.com/web/purchase/order-fit-pc2i/

I'm not related to this company but we have installed ~ 10 of those and
they are working like a charm with ubuntu server 7 and 8.

Just for fun

We chose the one with a hard drive (fit-PC first version at that
time) and since it's used in a critical env for us, without any screen
and in a remote location, we were worried about what would happen in case the
unit lost power: will it reboot ?

So before putting those units into production we did some power tests ...

I did the power failure test with an X10 device and followed the result in
Zenoss, and the unit did more than 300 power offs ( not a clean shutdown,
just power off when fully booted in normal mode) and restarts without any
issue.

So we have deployed those units and for us they do the work ...

Hope not to be too disturbing !

Guillaume

Daniel Storjordet wrote:

Hi Willy,

Great article.

Glad I did not go through with the order myself.


Daniel Storjordet


On 30.05.2010 18:44, Willy Tarreau wrote:

Hi Daniel,

On Tue, Mar 09, 2010 at 01:40:32PM +0100, Daniel Storjordet wrote:
  

Hi.

Is there any success stories on using HAproxy on a GuruPlug Server
http://www.newit.co.uk/shop/proddetail.php?prod=GuruPlug-Server?

It is said that its speed is approximately the same as a 700Mhz P3.

We are considering placing one of these at one of the large ISP,
reducing the overhead as much as possible, and use it to forward all
traffic to our servers using HAProxy.
 

I finally got my guruplug server plus. To make a long story short,
it's slower than my ALIX (Geode LX 500 MHz), and heats so much that
people are reporting failures after 3 months, and I found that it
was difficult to unplug an RJ45 cable without being burnt by the
metal parts, really ! Two and half internal wires managed to break
just by moving their plug around. It's a massive crap which I would
never let run when I'm not here to monitor it !

For more information, I've put photos here :

http://1wt.eu/articles/guruplug-slow-heater/

Regards,
Willy


   






--
Guillaume Bourque, B.Sc.,
consultant, infrastructures technologiques libres !
514 576-7638




Re: question about transparancy

2010-04-22 Thread Guillaume Bourque

Hi,

Why don't you use 2 MX records with the same weight?

All email will come in to your 2 servers.

Just my 2¢

Bye


Michiel van Es wrote:

Hi,

I am running 2 mailservers with ASSP as a spam proxy.
I use haproxy to load balance between the 2 mailservers.
The problem is that the spam filter is seeing every connection coming 
from the load balancer and not the originating ip.
Do you know how I make the connections from my HAproxy load balancer 
to my 2 mailservers transparent?


Kind regards,

Michiel




--
Guillaume Bourque, B.Sc.,
consultant, infrastructures technologiques libres !
514 576-7638




Re: Binding by Hostname

2010-04-16 Thread Guillaume Bourque

Hi Laurie

Are the website IPs available on the machine where haproxy runs?  What OS
is used for your haproxy server?


Bye


Laurie Young wrote:

Hi

I hope someone can help me here...

I'm trying to set up HAproxy to bind two different listeners to 
different hostnames. 


I found this in the docs for the bind command:
address is optional and can be a host name,
so i set up my config file like this

defaults
  mode http

frontend www
  bind wildfalcon.com:80
  timeout client 5000

frontend test
  bind www.wildfalcon.com:80
  timeout client 8640

And I get the following error message

Available polling systems :
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 2 (2 usable), will use poll.
Using poll() as the polling mechanism.
[ALERT] 105/160114 (10091) : Starting frontend www: cannot bind socket
[ALERT] 105/160114 (10091) : Starting frontend test: cannot bind socket

Why can the socket not be bound to (i'm starting as sudo to ensure I 
have permissions)?


Thanks in advance

Laurie

--
Dr Laurie Young
Scrum Master
New Bamboo

Follow me on twitter: @wildfalcon
Follow us on twitter:  @newbamboo

Creating fresh, flexible and fast-growing web applications is our passion.


3rd Floor, Gensurco House,
46A Rosebery Avenue, London, EC1R 4RP

http://www.new-bamboo.co.uk



--
Guillaume Bourque, B.Sc.,
consultant, infrastructures technologiques libres !
514 576-7638




Re: We have been playing around with the new RDP cookie feature in 1.4-dev4 and it works really well...

2009-11-09 Thread Guillaume Bourque

Hi Malcolm,

I'm using haproxy for an RDP dispatcher but in tcp mode with balance source.

This setup will allow a laptop user which goes in sleep mode to go back
on the same server when it wakes up 2 hours later.

I would be interested to hear if you have laptop users in your setup and
if the user will end up on the same backend server after a 1 hour sleep
period ?  Will the RDP cookie be the same after a wakeup ?


Thanks for sharing this !

Guillaume





Malcolm Turnbull wrote:

We have been playing around with the new RDP cookie feature in 1.4-dev4
and it works really well...
One of our guys Nick has written a blog about his configuration and
testing of Windows Terminal Servers with Windows and Linux RDP clients.

We would welcome any feedback from anyone using a similar configuration.

http://blog.loadbalancer.org/
or
http://blog.loadbalancer.org/load-balancing-windows-terminal-server-%E2%80%93-haproxy-and-rdp-cookies/

Thanks.


--
Regards,

Malcolm Turnbull.

Loadbalancer.org Ltd.
Phone: +44 (0)870 443 8779
http://www.loadbalancer.org/



--
Guillaume Bourque, B.Sc.,
consultant, infrastructures technologiques libres !
514 576-7638




Re: Does maxconn parameter take effect in balance source mode

2009-09-01 Thread Guillaume Bourque

Hi list,

Sorry for the previous post I just saw that the MAX session was 
respected I was looking at the Sessions Total row instead of the Session 
Max row ;-)


Bye


Guillaume Bourque wrote:

Hello list !

I'm balancing based on the source IP and I'm wondering if the
maxconn parameters take effect in that mode ?

I just looked at my stats page and I see that some server
rdpfarm,RDP-6 got 63 sessions while my max is at 25 !


What can i do to limit the sessions to 25 ?

Thanks

Technical details of this setup.

haproxy version 1.3.14.3-1 on ubuntu server

haproxy.conf
global
  log 127.0.0.1 local0 debug
  stats socket /var/run/haproxy-socket-stats
  maxconn 4096
  user haproxy
  group haproxy

defaults
  log global
  option tcplog
  retries 3
  maxconn 200
  contimeout  5000
  clitimeout  1440
  srvtimeout  1440

...
listen rdpfarm :3389
  mode tcp
  balance source
  # keep-alive toward the client and the server
  option tcpka
  server RDP-1 192.168.1.8 check port 3300 maxconn 25
  server RDP-1 192.168.1.8 check port 3389 backup maxconn 25
  server RDP-2 192.168.1.9 check port 3300 maxconn 25
  server RDP-2 192.168.1.9 check port 3389 backup maxconn 25
  server RDP-3 192.168.1.10 check port 3300 maxconn 25
  server RDP-3 192.168.1.10 check port 3389 backup maxconn 25
  server RDP-4 192.168.1.11 check port 3300 maxconn 25
  server RDP-4 192.168.1.11 check port 3389 backup maxconn 25
  server RDP-5 192.168.1.18 check port 3300 maxconn 25
  server RDP-5 192.168.1.18 check port 3389 backup maxconn 25
  server RDP-6 192.168.1.19 check port 3300 maxconn 25
  server RDP-6 192.168.1.19 check port 3389 backup maxconn 25


stats info

echo show stat | socat unix-connect:/var/run/haproxy-socket-stats stdio
# pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,wretr,wredis,status,weight,act,bck,chkfail,chkdown,lastchg,downtime,qlimit,pid,iid,sid,throttle,lbtot,
rdpfarm,FRONTEND,,,22,52,200,220,10027797,74986951,0,0,0,OPEN,1,2,0,,,
rdpfarm,RDP-1,0,0,3,9,25,27,1804106,11285858,,0,,0,23,0,,UP,1,1,0,0,0,10352,0,,1,2,1,,27,
rdpfarm,RDP-1,0,0,0,0,25,0,0,0,,0,,0,0,0,,UP,1,0,1,0,0,10352,0,,1,2,2,,0,
rdpfarm,RDP-2,0,0,1,3,25,15,189809,2506853,,0,,0,13,0,,UP,1,1,0,0,0,10352,0,,1,2,3,,15,
rdpfarm,RDP-2,0,0,0,0,25,0,0,0,,0,,0,0,0,,UP,1,0,1,0,0,10352,0,,1,2,4,,0,
rdpfarm,RDP-3,0,0,1,10,25,36,2918859,20265876,,0,,0,35,0,,UP,1,1,0,0,0,10352,0,,1,2,5,,36,
rdpfarm,RDP-3,0,0,0,0,25,0,0,0,,0,,0,0,0,,UP,1,0,1,0,0,10352,0,,1,2,6,,0,
rdpfarm,RDP-4,0,0,5,9,25,25,711045,7238983,,0,,0,20,0,,UP,1,1,0,0,0,10352,0,,1,2,7,,25,
rdpfarm,RDP-4,0,0,0,0,25,0,0,0,,0,,0,0,0,,UP,1,0,1,0,0,10352,0,,1,2,8,,0,
rdpfarm,RDP-5,0,0,4,11,25,54,2356686,17381601,,0,,0,50,0,,UP,1,1,0,0,0,10352,0,,1,2,9,,54,
rdpfarm,RDP-5,0,0,0,0,25,0,0,0,,0,,0,0,0,,UP,1,0,1,0,0,10352,0,,1,2,10,,0,
rdpfarm,RDP-6,0,0,8,13,25,63,2047292,16307780,,0,,0,55,0,,UP,1,1,0,0,0,10352,0,,1,2,11,,63,
rdpfarm,RDP-6,0,0,0,0,25,0,0,0,,0,,0,0,0,,UP,1,0,1,0,0,10352,0,,1,2,12,,0,
rdpfarm,BACKEND,0,0,22,52,200,220,10027797,74986951,0,0,,0,196,0,0,UP,6,6,6,,0,10352,0,,1,2,0,,220,






--
Guillaume Bourque, B.Sc.,
consultant, infrastructures technologiques libres !
514 576-7638




Re: HAProxy on VMWare ESX/vSphere proxying TS?

2009-08-10 Thread Guillaume Bourque
Hi Paul,

I'm running haproxy in an ubuntu server vm ( JEOS 8.04 ) on top of vmware
server which is over centos 64 bit, and I have the same vm over an ESX
environment. All those vm are in a NO motion configuration ;-)

Since we don't have the vmotion licence, here is how we do it.
We have 2 identical vm with haproxy on them and the keepalive daemon to make
sure the service IP is always running on one vm at a time.

In case vm1 goes down vm2 is ready to continue the haproxy traffic.  RDP
clients will get disconnected, but they will get auto reconnected to the same
server.  It is not perfect but works pretty well for us; it has been running
on 1 site for over 1 year with 80 users and for 2 months on a 200 users
setup.

Voilà

I know I'm not answering exactly your question but since I saw nobody else I
thought it would be good to know !

Guillaume.


2009/7/30 Dickson, Paul pdick...@frederickcountymd.gov

 Is anyone out there using HAProxy for terminal services in an ESX/vSphere
 environment?  Have seen the box vmotioned and if so, have you run into any
 issues?  I currently have it setup in a virtual environment and would like
 to keep it that way, but I can't have it dropping 200 TS connections if it
 gets vmotioned.  I also don't want to restrict it from being vmotioned.
 I've done it a couple times and haven't seen any issues but right now I'm
 only testing with about 10 connections.  As it always happens, once
 something hits production little issues creep out and I can't afford to have
 that happen;)


 Anyone?


 Paul K. Dickson
 Systems Administrator
 Frederick County Government, IIT
 pdick...@fredco-md.net
 301-600-2399/x12399







-- 
Guillaume Bourque, B.Sc.,
consultant, infrastructures technologiques libres
514 576-7638


Re: Still dropping TS sessions.

2009-07-27 Thread Guillaume Bourque
Hi Willy,



  But has any one looked at doing a SourceIP persistence which is not a
  hash i.e. a look up table of source IPs?

 We wanted to work on it but don't have the time to do everything, so... one
 thing at a time :-)


Why not just balance based on the source IP? It works well for us, maybe I'm
missing something here ;-)


  The maintenance of real servers is almost impossible in hash
  mode...without users on RDP (or other TCP app.) hitting the wrong
  server.

 yes, I know. I would also like to implement a dual source hash LB mode. It
 would do the following :
  - hash source = X, divide by total number of servers, returns Y [0..nbsrv-1]
  - if server Y is down, then divide X by number of available servers,
    return Z [0..nbsrvup-1], and use server Z.

 That way, if you lose a server, only this server's clients are redispatched,
 the other ones remain unaffected. This is only true when all servers are up
 and we lose one. Because if only half the servers are up and you lose one,
 about half of the users will move since they're already on the second hash.
 A smarter method would consist in rehashing without the last server as long
 as we get a DOWN server. But it would consume huge amounts of CPU for each
 request and would probably not be much useful anyway.

 At first glance, the algorithm looks very simple, but when you take into
 account the fact that there are already 2 weighted arrays (active and backup),
 it becomes less obvious how to implement this (we need 4 arrays now). So we'll
 keep that for a later version.

  I might play with the aforementioned trick in the meantime though:
   server TS-1 10.0.0.102 check port 3300
   server TS-1 10.0.0.102 check port 3389 backup
 
  I guess another option with maintenance is to allow a server weight of
  0 (offline for maintenance)

 It's allowed now. It will be in version 1.3.19 tomorrow and it's already in
 development version. And yes, it helps a lot, since it still supports
 persistence (eg: for soft maintenance mode in HTTP).

  and have two options for this:
  1) Kill all connections immediately and move to new server.
  2) Wait for old connections to timeout, and new connections go to new
 server.

 you can do that when you restart haproxy with the new configuration, #1 is
 done with -st $oldpid, and #2 is done with -sf $oldpid.

 Regards,
 Willy




-- 
Guillaume Bourque, B.Sc.,
consultant, infrastructures technologiques libres
514 576-7638
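
The dual source hash described in the quoted reply above, as an added example (not HAProxy's code): it counts how many clients change server when one server of a fully-up farm fails, next to a single hash taken over the servers that are up. The integer-valued stand-in hash, the server list (names borrowed from the RDP farm on this page) and the client addresses are assumptions constructed for the illustration.

```python
"""Dual source-hash selection, compared with a single hash over live servers."""
import ipaddress

# Server names borrowed from the RDP farm shown earlier on this page.
SERVERS = ["RDP-1", "RDP-2", "RDP-3", "RDP-4", "RDP-5", "RDP-6"]


def source_hash(ip):
    """Stand-in hash: the address as an integer (assumption, not HAProxy's hash)."""
    return int(ipaddress.ip_address(ip))


def single_hash_pick(ip, servers, up):
    """One hash taken over the servers that are currently up."""
    alive = [s for s in servers if s in up]
    return alive[source_hash(ip) % len(alive)] if alive else None


def dual_hash_pick(ip, servers, up):
    """First hash over all configured servers; second hash only on a miss."""
    x = source_hash(ip)
    first = servers[x % len(servers)]              # Y in [0..nbsrv-1]
    if first in up:
        return first
    alive = [s for s in servers if s in up]
    return alive[x % len(alive)] if alive else None  # Z in [0..nbsrvup-1]


def moved_clients(pick, clients, servers, up_before, up_after):
    """Clients whose server differs between the two farm states."""
    return [c for c in clients
            if pick(c, servers, up_before) != pick(c, servers, up_after)]


def constructed_clients(count=600):
    """Constructed sample: consecutive client addresses from 10.0.0.1."""
    base = ipaddress.ip_address("10.0.0.1")
    return [str(base + i) for i in range(count)]


def compare_on_failure(failed="RDP-3"):
    """All servers up, then one fails: how many clients are redispatched?"""
    clients = constructed_clients()
    before, after = set(SERVERS), set(SERVERS) - {failed}
    on_failed = [c for c in clients
                 if dual_hash_pick(c, SERVERS, before) == failed]
    return {
        "clients": len(clients),
        "on_failed_server": len(on_failed),
        "moved_single_hash": len(moved_clients(
            single_hash_pick, clients, SERVERS, before, after)),
        "moved_dual_hash": len(moved_clients(
            dual_hash_pick, clients, SERVERS, before, after)),
    }


if __name__ == "__main__":
    print(compare_on_failure())
```

With the dual hash only the failed server's clients move; with the single hash most of the farm is reshuffled.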


Re: Still dropping TS sessions.

2009-07-22 Thread Guillaume Bourque
:3389 check port 3389 inter 2000 fastinter 500 downinter 1
server tslec01  10.14.3.131:3389 check port 3389 inter 2000 fastinter 500 downinter 1
server tslec02  10.14.3.122:3389 check port 3389 inter 2000 fastinter 500 downinter 1
server tslec03  10.14.3.133:3389 check port 3389 inter 2000 fastinter 500 downinter 1
server tslec04  10.14.3.134:3389 check port 3389 inter 2000 fastinter 500 downinter 1

# Web stats interface
listen  admin_stats 10.14.2.157:8080
mode http
stats uri   /
stats realm Global\ statistics
stats auth  admin:fakepassword
balance roundrobin

#errorloc 502 http://192.168.114.58/error502.html

#errorfile 503 /etc/haproxy/errors/503.http
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http



Paul K. Dickson
Systems Administrator
Frederick County Government, IIT
pdick...@fredco-md.net
301-600-2399/x12399



-- End of Forwarded Message



--
Guillaume Bourque, B.Sc.,
consultant, infrastructures technologiques libres !
514 576-7638




Re: Read stat or info from the socket via perl

2009-02-20 Thread Guillaume Bourque

Hi,

just do it in bash it works well for me.

Bye


Maria wrote:

Dear Willy,

I don't have a lot of experience in perl too. As Nagios allows also to do
this via bash or c, I can also use this. My main goal is only to read
this information with a language (supported by nagios) and send them to
nagios server. It does not matter if it is Perl or not.

BTW. I modified a little the code, but I am still not able to read out
this information. Maybe I will try in C code.

I read from the manual that it is possible to write out statistics into
a csv file? Do I specify this in the configuration file?

Thanks

##


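#!/usr/bin/perl -w

use strict;
use IO::Socket;
#
use lib "/usr/local/nagios/libexec";
#

# Connect as a client to the existing HAProxy stats socket
# (Peer, not Local/Listen, which would create a new listening socket).
my $sock = IO::Socket::UNIX->new(
    Peer => "/var/run/haproxy.socket.7739.tmp",
    Type => SOCK_STREAM,
) or die "error on connection: $!";

# Send the command, terminated by a newline.
print $sock "show info\n";

print "Now printing sockets information \n";
# Read the reply line by line until HAProxy closes the connection.
while (my $line = <$sock>) {
    print $line;
}

$sock->close;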

##



--
Guillaume Bourque, B.Sc.,
consultant, infrastructures technologiques libres !
514 576-7638
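
A Nagios-style check over the stats socket CSV, added here as an example for both the stats-socket question above and the earlier maxconn thread (Sessions Total versus Session Max); it is not code from either poster. The socket path is the one from the configuration posted on this page; the warning ratio and the sample CSV, a column subset built from the session figures quoted in the thread, are assumptions.

```python
"""Nagios-style session check over HAProxy "show stat" CSV."""
import csv
import io
import socket

OK, WARNING, CRITICAL = 0, 1, 2  # Nagios plugin exit codes

# Constructed sample: a column subset of "show stat" output; the session
# figures for RDP-1, RDP-5 and RDP-6 are the ones quoted in the thread.
SAMPLE = """\
# pxname,svname,qcur,qmax,scur,smax,slim,stot,status
rdpfarm,FRONTEND,,,22,52,200,220,OPEN
rdpfarm,RDP-1,0,0,3,9,25,27,UP
rdpfarm,RDP-5,0,0,4,11,25,54,UP
rdpfarm,RDP-6,0,0,8,13,25,63,UP
rdpfarm,BACKEND,0,0,22,52,200,220,UP
"""


def query_stats(path="/var/run/haproxy-socket-stats"):
    """Send "show stat" to the stats socket and return the CSV text."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)
        sock.sendall(b"show stat\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:          # HAProxy closes the socket after the reply
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", "replace")


def parse_servers(text):
    """Return one dict per server row; FRONTEND/BACKEND totals are skipped."""
    text = text.lstrip()
    if text.startswith("#"):      # header line is prefixed with "# "
        text = text[1:].lstrip()
    servers = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["svname"] in ("FRONTEND", "BACKEND"):
            continue
        num = lambda key: int(row[key]) if row.get(key) else None
        servers.append({"name": row["svname"], "scur": num("scur") or 0,
                        "smax": num("smax") or 0, "slim": num("slim"),
                        "stot": num("stot") or 0})
    return servers


def check_sessions(text, warn_ratio=0.8):
    """Compare current sessions (scur) with the limit (slim); stot is cumulative."""
    worst, lines = OK, []
    for s in parse_servers(text):
        if s["slim"] is None:     # no maxconn set on this server
            continue
        if s["scur"] >= s["slim"]:
            state = CRITICAL
        elif s["scur"] >= warn_ratio * s["slim"]:
            state = WARNING
        else:
            state = OK
        worst = max(worst, state)
        lines.append(f'{s["name"]}: cur={s["scur"]} peak={s["smax"]} '
                     f'limit={s["slim"]} total={s["stot"]} state={state}')
    return worst, lines


if __name__ == "__main__":
    code, report = check_sessions(SAMPLE)  # use query_stats() on a live host
    print("\n".join(report))
    raise SystemExit(code)
```

RDP-6 stays OK here although its total (63) is above the limit of 25, because only concurrent sessions count against maxconn.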