Re: HAProxy clustering
Hello Marco,

I would be very interested in how you build your haproxy config. You must have per-server settings and then a global config? If time permits and if you can share some unusable config I would be very happy to look into this.

Thanks

---
Guillaume Bourque, B.Sc.,
Architect, robust technology infrastructures

> On 2016-12-16 at 10:42, Marco Corte <ma...@marcocorte.it> wrote:
>
> Hi!
>
> I use keepalived for IP management.
>
> I use Ansible on another host to deploy the configuration on the haproxy nodes.
> This setup gives me better control on the configuration: it is split in several files on the Ansible host, but assembled to a single config file on the nodes.
> This gives also the opportunity to deploy the configuration on one node only.
> On the Ansible host, the configuration changes are tracked with git.
>
> I also considered an automatic replication of the config, between the nodes but... I did not like the idea.
>
> .marcoc
Re: Adding backend server name as request header
Hello

I looked into the doc and saw that we can put the directive in the backend. This is what I added to my config:

http-send-name-header X-CustomHeader

But from my user browser I never get this header. Is there something that I need to enable in the global section in order for this to work?

HA-Proxy version 1.5.4 2014/09/02
Copyright 2000-2014 Willy Tarreau

Build options :
  TARGET = linux2628
  CPU = generic
  CC = gcc
  CFLAGS = -O2 -g -fno-strict-aliasing
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

TIA
Guillaume

---
On 2016-05-12 at 14:29, Dennis Jacobfeuerborn wrote:

> This is exactly what I'm looking for, thanks!
> I was looking at the variables in Section 7.3 as I didn't think there would be a dedicated directive for this. Apparently I was wrong :)
>
> Regards,
> Dennis
>
> On 12.05.2016 18:48, Mehdi Ahmadi wrote:
>> It may be that you're after:
>> ```
>> http-send-name-header X-CustomHeader
>> ```
>> Which would set the ID of the selected server into the header `X-CustomHeader`.
>> See the documentation for further details.
>> http://cbonte.github.io/haproxy-dconv/configuration-1.5.html
>>
>> On Thu, May 12, 2016 at 6:29 PM, Dennis Jacobfeuerborn <denni...@conversis.de> wrote:
>>
>>> Hi,
>>> I'm wondering if there is a way to add the name of the server chosen for the request as a request header i.e. if the following server is chosen for the request:
>>>
>>> server back1 10.1.0.10:8080 check inter 2
>>>
>>> then I'd like to receive this header on the 10.1.0.10 system:
>>>
>>> X-CustomHeader: back1
>>>
>>> Is this possible?
>>>
>>> Regards,
>>> Dennis
The simplest way to reach specific backend
Hi all,

We have implemented a very simple haproxy: 1 web site on 2 app servers.

Question: How do you do this? My objective is to have the simplest solution for our QA users.

Need: Our QA team wants to reach app1 and app2 to validate each application server.

I know we can do a simple haproxy config that will load balance on a specific cookie, but I'm not sure if there is an easy way to set those specific cookies in the browser (our QA technical level is not very high).

I could have 2 different hostnames like this

www-app1.domaine and www-app2.domain

which seems simpler, but I would like to know your recommendation on this.

Thanks for your feedback

Guillaume.
Re: acl regex
Hi all,

I should be able to test this in our production setup a few days after I can have an rpm ready with the patch we are running on rhel 6.x

Thanks Cyril

---
Guillaume Bourque, B.Sc.,

On 2015-11-24 at 16:58, Cyril Bonté <cyril.bo...@free.fr> wrote:

> Hi all,
>
> I revive this thread.
>
> On 12/11/2015 at 09:59, Igor Cicimov wrote:
>>
>> On Thu, Nov 12, 2015 at 6:44 PM, Guillaume Bourque
>> <guillaume.bour...@logisoftech.com
>> <mailto:guillaume.bour...@logisoftech.com>> wrote:
>>
>>     Hi,
>>
>>     thanks for the suggestion but it did not work for me. I tried
>>
>>     acl fr_top url_reg /?lang=
>>     acl fr_top url_reg /?lang=$
>>     # off acl fr_top urlp_reg(lang\=$,?) -m found
>>     # off acl fr_top urlp_reg(lang\=$,?) -m found
>>
>>     but with no luck
>
> I think that using "urlp" should have done the job but that the implementation in haproxy is not correct for one specific case.
>
> Currently, haproxy won't match an url parameter if its value is empty. I tend to think it should : an empty value is different from not providing the parameter at all.
>
> The function "find_next_url_param()" should unconditionally return "1" when a parameter is found, instead of "value_end != value_start" :
> http://www.haproxy.org/git?p=haproxy.git;a=blob;f=src/proto_http.c;h=77a52078d0d0d458ed7f0233dfda87eca247d2c2;hb=HEAD#l11661
>
> This would allow some rules like :
>     acl LANG_FR_NONE urlp_reg(lang) ^(fr)?$
>     acl LANG_EN urlp(lang) en
>
>     http-request redirect location / if { path / } LANG_FR_NONE
>     http-request redirect location /en if { path / } LANG_EN
>
> If it's ok for everyone, I can provide a small patch (which will also fix some invalid code comments on top of this function).
>
> --
> Cyril Bonté
Re: acl regex
Hi all, I’m not far but it does not work so any recommendation would be very helpfull I just need some very simple redirect but after looking into aloa doc the happy doc, I can’t find examples that could help me do this, okay I must admit I did not sleep for the last 30 hours so that could explain why I can understand what I read ;-) This seem the way to do it, but it do not work for me I’m running haproxy 1.5.4 >> http-request redirect location /store code 301 if { capture.req.uri lang\= >> -m found } here is what I need to do, I can do path rewrite fine, but the ? is bugging us. I need to redirect 301 client from this http://domain.com/?lang=to http://domain.com/ http://domain.com/?lang=fr to http://domain.com/ http://domain.com/?lang=en to http://domain.com/en http://domain.com/pages/magasin.php?lang=fr to http://domain.com/ It can be on 3 differents lines I dont want to achieve light speed performance I just need to have this working ASAP So I try with this http-request redirect location /store code 301 if { capture.req.uri lang= -m found } Or with an acl acl fr_topurlp_reg(lang\=$,?) -m found http-request redirect location http://www.braultetmartineau.com/ code 301 if fr_top Do I need to escape anything in there Any advice would be very appreciated Thanks --- Guillaume Bourque, B.Sc., Le 2015-11-12 à 05:04, Guillaume Bourque <guillaume.bour...@logisoftech.com> a écrit : > Hello Igor, > > thanks a lot still not working > > would I need to escape the = > >> http-request redirect location /store code 301 if { capture.req.uri lang\= >> -m found } > > > Bye > > --- > Guillaume Bourque, B.Sc., > Le 2015-11-12 à 03:59, Igor Cicimov <ig...@encompasscorporation.com> a écrit : > >> >> >> On Thu, Nov 12, 2015 at 6:44 PM, Guillaume Bourque >> <guillaume.bour...@logisoftech.com> wrote: >> Hi, >> >> thanks for the suggestion but it did not work for me. I tried >> >>acl fr_top url_reg/?lang= >>acl fr_top url_reg/?lang=$ >> # off acl fr_topurlp_reg(lang\=$,?) 
-m >> found >> # off acl fr_topurlp_reg(lang\=$,?) -m >> found >> >> but with no luck >> >> thanks >> >> --- >> Guillaume Bourque, B.Sc., >> Le 2015-11-12 à 02:18, Igor Cicimov <ig...@encompasscorporation.com> a écrit >> : >> >>> >>> On 12/11/2015 5:30 PM, "Guillaume Bourque" >>> <guillaume.bour...@logisoftech.com> wrote: >>> > >>> > Hello Bryan >>> > >>> > I’m running haproxy 1.5.4 and I can’t find any example on how to user >>> > req.uri if you could give a examples on how to match a specific query to >>> > redirect to another >>> > >>> > From http://domain/pages/store.php?lang=fr to http://domain/store/ >>> > >>> > That would be great ! >>> > >>> > TIA >>> > >>> > >>> > >>> > --- >>> > Guillaume Bourque, B.Sc., >>> > >>> > Le 2015-11-12 à 00:42, Bryan Talbot <bryan.tal...@ijji.com> a écrit : >>> > >>> >> On Wed, Nov 11, 2015 at 8:43 PM, Guillaume Bourque >>> >> <guillaume.bour...@logisoftech.com> wrote: >>> >>> >>> >>> Hi all, >>> >>> >>> >>> I can’t create an acl that will match this >>> >>> >>> >>> http://domain/?lang= >>> >>> >>> >>> I tried >>> >>> >>> >>> acl fr_top path_reg^/.lang\=$ >>> >>> acl fr_top path_reg^/\?lang\=$ >>> >>> >>> >>> acl fr_toppath_beg/?lang\=$ >>> >>> >>> >>> >>> >> >>> >> >>> >> You can't match the query string with the 'path' matcher. Try 'req.uri' >>> >> or 'query' if you're using 1.6. >>> >> >>> >> >>> > >>> Try this: >>> >>> acl fr_top url_reg /pages/store.php?lang=fr >>> >> >> >> Ok, my last try :-) >> >> http-request redirect location /store code 301 if { capture.req.uri lang= -m >> found } >> >> >> >
Re: acl regex
Hourra Aleks, it’s working thanks a lot I will try more in deep in a few hour but wanted to tank you as soon as I test it Again thanks --- Guillaume Bourque, B.Sc., Le 2015-11-12 à 16:19, Aleksandar Lazic <al-hapr...@none.at> a écrit : > Hi. > > Am 12-11-2015 21:16, schrieb Guillaume Bourque: >> Hi all, >> I’m not far but it does not work so any recommendation would be very >> helpfull >> I just need some very simple redirect but after looking into aloa doc >> the happy doc, I can’t find examples that could help me do this, okay >> I must admit I did not sleep for the last 30 hours so that could explain >> why I can understand what I read ;-) >> This seem the way to do it, but it do not work for me I’m running >> haproxy 1.5.4 >>>> http-request redirect location /store code 301 if { capture.req.uri >>>> lang\= -m found } >> here is what I need to do, I can do path rewrite fine, but the ? is >> bugging us. >> I need to redirect 301 client from this >> http://domain.com/?lang= to http://domain.com/ >> http://domain.com/?lang=fr to http://domain.com/ >> http://domain.com/?lang=en to http://domain.com/en >> http://domain.com/pages/magasin.php?lang=fr to http://domain.com/ >> It can be on 3 differents lines I dont want to achieve light speed >> performance I just need to have this working ASAP >> So I try with this >> http-request redirect location /store code 301 if { capture.req.uri >> lang= -m found } >> Or with an acl >> acl fr_topurlp_reg(lang\=$,?) -m found >> http-request redirect location http://www.braultetmartineau.com/ code >> 301 if fr_top >> Do I need to escape anything in there >> Any advice would be very appreciated > > How about to use a example from this. > > http://git.haproxy.org/?p=haproxy-1.5.git;a=blob;f=examples/acl-content-sw.cfg;h=1872789ac2d1198f4321e77c0dad4f382cc8f206;hb=HEAD > > > acl forbidden_uris url_reg -i > (\.php\?temppath=|\.php\?setmodules=|[=:]http://) > block if forbidden_uris > > > I would try this, untested. 
> > acl redir_en url_reg -i .*lang=en > acl redir_empty_or_fr url_reg -i .*lang=($|fr) > > redirect location http://domain.com/code 301 if redir_empty_or_fr > redirect location http://domain.com/en/ code 301 if redir_en > > Cheers > Aleks > >> Thanks >> --- >> Guillaume Bourque, B.Sc., >> Le 2015-11-12 à 05:04, Guillaume Bourque >> <guillaume.bour...@logisoftech.com> a écrit : >>> Hello Igor, >>> thanks a lot still not working >>> would I need to escape the = >>>> http-request redirect location /store code 301 if { capture.req.uri >>>> lang\= -m found } >>> Bye >>> --- >>> Guillaume Bourque, B.Sc., >>> Le 2015-11-12 à 03:59, Igor Cicimov <ig...@encompasscorporation.com> >>> a écrit : >>> On Thu, Nov 12, 2015 at 6:44 PM, Guillaume Bourque >>> <guillaume.bour...@logisoftech.com> wrote: >>> Hi, >>> thanks for the suggestion but it did not work for me. I tried >>> acl fr_top url_reg/?lang= >>> acl fr_top url_reg/?lang=$ >>> # off acl fr_topurlp_reg(lang\=$,?) >>> -m found >>> # off acl fr_topurlp_reg(lang\=$,?) >>> -m found >>> but with no luck >>> thanks >>> --- >>> Guillaume Bourque, B.Sc., >>> Le 2015-11-12 à 02:18, Igor Cicimov <ig...@encompasscorporation.com> >>> a écrit : >>> On 12/11/2015 5:30 PM, "Guillaume Bourque" >>> <guillaume.bour...@logisoftech.com> wrote: >>>> Hello Bryan >>>> I’m running haproxy 1.5.4 and I can’t find any example on how to >>> user req.uri if you could give a examples on how to match a specific >>> query to redirect to another >>>> From http://domain/pages/store.php?lang=fr to http://domain/store/ >>>> That would be great ! 
>>>> TIA >>>> --- >>>> Guillaume Bourque, B.Sc., >>>> Le 2015-11-12 à 00:42, Bryan Talbot <bryan.tal...@ijji.com> a >>> écrit : >>>>> On Wed, Nov 11, 2015 at 8:43 PM, Guillaume Bourque >>> <guillaume.bour...@logisoftech.com> wrote: >>>>>> Hi all, >>>>>> I can’t create an acl that will match this >>>>>> http://domain/?lang= >>>>>> I tried >>>>>> acl fr_top path_reg^/.lang\=$ >>>>>> acl fr_top path_reg >>> ^/\?lang\=$ >>>>>> acl fr_toppath_beg >>> /?lang\=$ >>>>> You can't match the query string with the 'path' matcher. Try >>> 'req.uri' or 'query' if you're using 1.6. >>> Try this: >>> acl fr_top url_reg /pages/store.php?lang=fr >> Ok, my last try :-) >> http-request redirect location /store code 301 if { capture.req.uri >> lang= -m found }
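Added example, not part of the original posts: a Python model of three points from this thread, namely that a `path` matcher never sees the query string, that an unescaped `?` in a `url_reg` pattern is a regex quantifier, and what the two `url_reg -i` rules posted above match. It assumes these simple patterns behave the same under Python's `re` as under HAProxy's regex engine; the function names, the sample URIs and the tighter `TIGHT` patterns are assumptions of this example.

```python
import re

def fetch(kind, uri):
    """Model of the fetch: 'path' stops before '?', 'url' is the full request URI."""
    return uri.split("?", 1)[0] if kind == "path" else uri

def acl_match(kind, pattern, uri, ignore_case=False):
    """Unanchored regex match against the chosen fetch, like a *_reg ACL."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern, fetch(kind, uri), flags) is not None

# The two url_reg -i rules posted in the thread, in the posted order,
# with the redirect locations used in the thread.
POSTED = [
    ("redir_empty_or_fr", r".*lang=($|fr)", "http://domain.com/"),
    ("redir_en", r".*lang=en", "http://domain.com/en/"),
]

# Tighter variant (assumption of this example, not from the thread):
# the parameter must be named exactly "lang" and the value must end there.
TIGHT = [
    ("redir_empty_or_fr", r"[?&]lang=(fr)?(&|$)", "http://domain.com/"),
    ("redir_en", r"[?&]lang=en(&|$)", "http://domain.com/en/"),
]

def redirect_target(uri, rules):
    """Location of the first rule whose ACL matches, or None (no redirect)."""
    for _name, pattern, location in rules:
        if acl_match("url", pattern, uri, ignore_case=True):
            return location
    return None

# Constructed request URIs: the four from the thread, the two redirect
# targets, and three inputs that show over-matching.
SAMPLES = [
    "/?lang=", "/?lang=fr", "/?lang=en", "/pages/magasin.php?lang=fr",
    "/", "/en",
    "/?lang=french", "/search?q=slang=en", "/?a=1&lang=fr&b=2",
]

def report():
    """(uri, target with posted rules, target with tight rules) per sample."""
    return [(u, redirect_target(u, POSTED), redirect_target(u, TIGHT))
            for u in SAMPLES]

if __name__ == "__main__":
    # 1. The path fetch of "/?lang=" is just "/", so a path regex cannot match.
    print("path_reg ^/\\?lang\\=$ :", acl_match("path", r"^/\?lang\=$", "/?lang="))
    print("same regex on url     :", acl_match("url", r"^/\?lang\=$", "/?lang="))
    # 2. Unescaped "?" makes the preceding "p" optional instead of matching "?".
    uri = "/pages/store.php?lang=fr"
    print("unescaped ?           :", acl_match("url", r"/pages/store.php?lang=fr", uri))
    print("escaped \\?            :", acl_match("url", r"/pages/store\.php\?lang=fr", uri))
    # 3. Posted rules versus the tighter variant.
    for row in report():
        print("%-32s posted=%-24s tight=%s" % row)
```

The redirect targets `/` and `/en` match neither rule set, so the rules do not redirect their own destinations.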
Re: acl regex
Hello Igor, thanks a lot still not working would I need to escape the = > http-request redirect location /store code 301 if { capture.req.uri lang\= -m > found } Bye --- Guillaume Bourque, B.Sc., Le 2015-11-12 à 03:59, Igor Cicimov <ig...@encompasscorporation.com> a écrit : > > > On Thu, Nov 12, 2015 at 6:44 PM, Guillaume Bourque > <guillaume.bour...@logisoftech.com> wrote: > Hi, > > thanks for the suggestion but it did not work for me. I tried > >acl fr_top url_reg/?lang= >acl fr_top url_reg/?lang=$ > # off acl fr_topurlp_reg(lang\=$,?) -m > found > # off acl fr_topurlp_reg(lang\=$,?) -m > found > > but with no luck > > thanks > > --- > Guillaume Bourque, B.Sc., > Le 2015-11-12 à 02:18, Igor Cicimov <ig...@encompasscorporation.com> a écrit : > >> >> On 12/11/2015 5:30 PM, "Guillaume Bourque" >> <guillaume.bour...@logisoftech.com> wrote: >> > >> > Hello Bryan >> > >> > I’m running haproxy 1.5.4 and I can’t find any example on how to user >> > req.uri if you could give a examples on how to match a specific query to >> > redirect to another >> > >> > From http://domain/pages/store.php?lang=fr to http://domain/store/ >> > >> > That would be great ! >> > >> > TIA >> > >> > >> > >> > --- >> > Guillaume Bourque, B.Sc., >> > >> > Le 2015-11-12 à 00:42, Bryan Talbot <bryan.tal...@ijji.com> a écrit : >> > >> >> On Wed, Nov 11, 2015 at 8:43 PM, Guillaume Bourque >> >> <guillaume.bour...@logisoftech.com> wrote: >> >>> >> >>> Hi all, >> >>> >> >>> I can’t create an acl that will match this >> >>> >> >>> http://domain/?lang= >> >>> >> >>> I tried >> >>> >> >>> acl fr_top path_reg^/.lang\=$ >> >>> acl fr_top path_reg^/\?lang\=$ >> >>> >> >>> acl fr_toppath_beg/?lang\=$ >> >>> >> >>> >> >> >> >> >> >> You can't match the query string with the 'path' matcher. Try 'req.uri' >> >> or 'query' if you're using 1.6. 
>> >> >> >> >> > >> Try this: >> >> acl fr_top url_reg /pages/store.php?lang=fr >> > > > Ok, my last try :-) > > http-request redirect location /store code 301 if { capture.req.uri lang= -m > found } > > >
acl regex
Hi all,

I can’t create an acl that will match this

http://domain/?lang=

I tried

acl fr_top path_reg ^/.lang\=$
acl fr_top path_reg ^/\?lang\=$

acl fr_top path_beg /?lang\=$

I have a redirect 301 with

http-request redirect location http://doamine.com/ code 301 if fr_top

I have done other redirects that work fine but no luck with this one.

Any help greatly appreciated.

Thanks

---
Guillaume Bourque, B.Sc.,
Re: acl regex
Hi,

thanks for the suggestion but it did not work for me. I tried

acl fr_top url_reg /?lang=
acl fr_top url_reg /?lang=$
# off acl fr_top urlp_reg(lang\=$,?) -m found
# off acl fr_top urlp_reg(lang\=$,?) -m found

but with no luck

thanks

---
Guillaume Bourque, B.Sc.,

On 2015-11-12 at 02:18, Igor Cicimov <ig...@encompasscorporation.com> wrote:

> On 12/11/2015 5:30 PM, "Guillaume Bourque" <guillaume.bour...@logisoftech.com> wrote:
> >
> > Hello Bryan
> >
> > I’m running haproxy 1.5.4 and I can’t find any example on how to use req.uri. If you could give an example on how to match a specific query to redirect to another
> >
> > From http://domain/pages/store.php?lang=fr to http://domain/store/
> >
> > That would be great !
> >
> > TIA
> >
> > ---
> > Guillaume Bourque, B.Sc.,
> >
> > On 2015-11-12 at 00:42, Bryan Talbot <bryan.tal...@ijji.com> wrote:
> >
> >> On Wed, Nov 11, 2015 at 8:43 PM, Guillaume Bourque <guillaume.bour...@logisoftech.com> wrote:
> >>>
> >>> Hi all,
> >>>
> >>> I can’t create an acl that will match this
> >>>
> >>> http://domain/?lang=
> >>>
> >>> I tried
> >>>
> >>> acl fr_top path_reg ^/.lang\=$
> >>> acl fr_top path_reg ^/\?lang\=$
> >>>
> >>> acl fr_top path_beg /?lang\=$
> >>>
> >>
> >> You can't match the query string with the 'path' matcher. Try 'req.uri' or 'query' if you're using 1.6.
> >>
> >
> Try this:
>
> acl fr_top url_reg /pages/store.php?lang=fr
Re: acl regex
Hello Bryan

I’m running haproxy 1.5.4 and I can’t find any example on how to use req.uri. If you could give an example on how to match a specific query to redirect to another

From http://domain/pages/store.php?lang=fr to http://domain/store/

That would be great !

TIA

---
Guillaume Bourque, B.Sc.,

On 2015-11-12 at 00:42, Bryan Talbot <bryan.tal...@ijji.com> wrote:

> On Wed, Nov 11, 2015 at 8:43 PM, Guillaume Bourque <guillaume.bour...@logisoftech.com> wrote:
> Hi all,
>
> I can’t create an acl that will match this
>
> http://domain/?lang=
>
> I tried
>
> acl fr_top path_reg ^/.lang\=$
> acl fr_top path_reg ^/\?lang\=$
>
> acl fr_top path_beg /?lang\=$
>
> You can't match the query string with the 'path' matcher. Try 'req.uri' or 'query' if you're using 1.6.
[SPAM] ssl getting the wrong certificate once in a while
Hi all,

I have a very weird problem and need your help if you have any idea !

Here is my very simple setup ...

frontend www_https
    bind 169.54.85.244:443 ssl crt /etc/pki/tls/certs/www.domain1.com.pem
    bind 169.54.85.249:443 ssl crt /etc/pki/tls/certs/www.domain1.com.pem
    http-request set-header X-Forwarded-Proto https
    use_backend wcweb if url_bm-full

frontend www_soap
    bind 169.54.85.244:8000 ssl crt /etc/pki/tls/certs/star.domain2.ca.pem
    bind 169.54.85.249:8000 ssl crt /etc/pki/tls/certs/star.domain2.ca.pem
    acl wc_soap_port dst_port 8000
    use_backend wcsoap if wc_soap_port

Whenever I connect on the 8000 port I get the correct cert 75 % of the time; the rest of the time I’m getting the other certs that should only be on port 443.

Here is how I get the certificate:

echo|openssl s_client -connect sphsoap100.bmtc.ca:8000 |openssl x509 -text -noout 2>&1| grep www.domain1.com

I tried with haproxy 1.5.14 (haproxy-1.5.14-1.el6.src.rpm) and haproxy 1.5.4 (haproxy-1.5.4-2.el6_7.1.src.rpm).

If I try with openssl on port 443 I always get the correct cert, which is the first one, but for the second one I have less luck ;-(

Any info from you would be great.

Guillaume

---
Guillaume Bourque, B.Sc.,
Re: very small footprint OS+HaProxy
Hi Thomas

We used to install ubuntu jeos 8.0.4 (just enough OS) in vmware and it was using 20 mg ram on the host and not much CPU. I'm pretty sure you have that on your host. You can allocate 128M ram to the vm and 2 GB of disk.

Now Jeos is part of a ubuntu server install. I never did it with 10.04 but here is what I found this morning:

'Download the server ISO image http://www.ubuntu.com/getubuntu/download, boot from it, press F4 on the first screen and select Install a minimal virtual machine'

You will find haproxy builds for 386 or 64 bit that you can install in these vms.

We use that in a production env for 50-60 users for RDP protocol and it just works. YMMV

Guillaume

On 29 March 2012 at 09:05, Thomas Manson dev.mansontho...@gmail.com wrote:

Hi,

In my job, I need to setup some HA setup with two VMWare images running on my laptop (16GB of RAM, SSD, Core i7).

I need a load balancer, but quite often we're using Windows OS for convenience, and HAProxy does not run on windows (at least easily).

So I'd like to know if there is a very small footprint (in memory) linux with HAProxy on it that I would use for all my tests.

anybody aware of that?

Regards,
Thomas.

--
Guillaume Bourque, B.Sc.,
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr
Re: erratic X-Forwarded-For patch for stunnel
Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43926[05/Aug/2011:11:23:54.833] sslsite sslsite/vexft04 0/0/0/3/3 200 2640 - - --VN 6/6/1/2/0 0/0 {10.147.28.20} GET /script/espace-admin.js HTTP/1.1 Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43922[05/Aug/2011:11:23:54.833] sslsite sslsite/vexft04 2/0/0/1/3 200 945 - - --VN 6/6/2/3/0 0/0 {} GET /script/recherche/SearchLightWindow.js HTTP/1.1 Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43924[05/Aug/2011:11:23:54.835] sslsite sslsite/vexft04 2/0/1/1/4 200 810 - - --VN 6/6/2/3/0 0/0 {} GET /css/admin/typo.css HTTP/1.1 Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43928[05/Aug/2011:11:23:54.835] sslsite sslsite/vexft04 2/0/0/1/3 200 1138 - - --VN 6/6/2/3/0 0/0 {} GET /css/admin/lists.css HTTP/1.1 Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43920[05/Aug/2011:11:23:54.833] sslsite sslsite/vexft04 3/0/1/1/5 200 1617 - - --VN 6/6/2/3/0 0/0 {} GET /css/admin/layout.css HTTP/1.1 Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43926[05/Aug/2011:11:23:54.837] sslsite sslsite/vexft04 2/0/0/1/3 200 2914 - - --VN 6/6/2/3/0 0/0 {} GET /css/admin/navbar.css HTTP/1.1 Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43922[05/Aug/2011:11:23:54.837] sslsite sslsiteo/vexft04 2/0/0/1/3 200 1726 - - --VN 6/6/1/2/0 0/0 {} GET /css/admin/forms.css HTTP/1.1 Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43924[05/Aug/2011:11:23:54.839] sslsite sslsite/vexft04 2/0/0/1/3 200 669 - - --VN 6/6/3/4/0 0/0 {} GET /css/niftyDeclare.css HTTP/1.1 Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43889[05/Aug/2011:11:23:54.836] sslsite sslsite/vexft04 4/0/1/1/6 200 1740 - - --VN 6/6/3/4/0 0/0 {} GET /css/admin/ventre_general.css HTTP/1.1 Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43928[05/Aug/2011:11:23:54.839] sslsite sslsite/vexft04 2/0/1/1/4 200 1662 - - --VN 6/6/2/3/0 0/0 {} GET /script/aculous/scriptaculous.js?load=effects HTTP/1.1 Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43922[05/Aug/2011:11:23:54.841] sslsite sslsite/vexft04 1/0/0/1/2 200 767 - 
- --VN 6/6/1/2/0 0/0 {} GET /script/sifr-config.js HTTP/1.1 Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43920[05/Aug/2011:11:23:54.839] sslsite sslsite/vexft04 2/0/0/4/7 200 10291 - - --VN 6/6/0/1/0 0/0 {} GET /script/sifr.js HTTP/1.1 Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43920[05/Aug/2011:11:23:54.847] sslsite sslsite/vexft04 107/0/1/3/112 200 9179 - - --VN 6/6/0/1/0 0/0 {} GET /script/aculous/effects.js HTTP/1.1 Aug 5 11:23:55 haproxy[8423]: 192.168.134.222:43920[05/Aug/2011:11:23:54.959] sslsite sslsite/vexft04 325/0/0/2/328 200 16587 - - --VN 6/6/0/1/0 0/0 {} GET /swf/futura.swf HTTP/1.1 Aug 5 11:23:55 haproxy[8423]: 192.168.134.222:43920[05/Aug/2011:11:23:55.286] sslsite sslsite/vexft04 568/0/0/1/569 200 774 - - --VN 6/6/0/1/0 0/0 {} GET /css/sIFR-print.css HTTP/1.1 Aug 5 11:23:55 haproxy[8423]: 192.168.134.222:43920[05/Aug/2011:11:23:55.856] sslsite sslsite/vexft04 23/0/0/1/24 200 330 - - --VN 6/6/0/1/0 0/0 {} GET /css/niftyPrint.css HTTP/1.1 Aug 5 11:23:56 haproxy[8423]: 192.168.134.222:43920[05/Aug/2011:11:23:55.881] sslsite sslsite/vexft04 167/0/1/0/168 200 1392 - - --VN 6/6/0/1/0 0/0 {} GET /favicon.ico HTTP/1.1 Aug 5 11:24:00 haproxy[8423]: 192.168.134.222:43920[05/Aug/2011:11:23:56.049] sslsite sslsite/vexft04 4550/0/1/1/4552 403 439 - - --VN 6/6/0/1/0 0/0 {} GET /admin/ HTTP/1.1 Aug 5 11:24:02 haproxy[8423]: 192.168.134.222:43920[05/Aug/2011:11:24:00.601] sslsite sslsite/vexft04 1753/0/1/11/1765 200 3800 - - --VN 6/6/0/1/0 0/0 {} GET /admin/AdmInscriptionPro.shtml HTTP/1.1 (the apache log on vexft04 confirmed : some time there is 2 IP in the X-Forwarded-For, most of the time there is only 192.168.134.222 the IP of haproxy) Got no error for patch only some warning in compilation/building : dpkg-shlibdeps: warning: dependency on libdl.so.2 could be avoided if debian/stunnel4/usr/bin/stunnel4 debian/stunnel4/usr/lib/stunnel/libstunnel.so were not uselessly linked against it (they use none of its symbols). What is done wrong ? Thank you. 
Best regards, -- Damien -- Guillaume Bourque, B.Sc., consultant, infrastructures technologiques libres !514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr
Re: Question concerning option forwardfor and HTTP keep-alive
Hi all,

I'm reading the documentation again here

http://haproxy.1wt.eu/download/1.4/doc/configuration.txt

and I don't see how I can do multiple except. I know I can use 1 option forwardfor in each frontend because I have multiple frontend sections; maybe it's the way to do it ?

It would be nice to add a note in the documentation on how we can put multiple option forwardfor except.

Thanks again and sorry for the confusion.

Guillaume

2011/8/4 Willy Tarreau w...@1wt.eu

On Thu, Aug 04, 2011 at 11:00:39AM -0700, Bryan Talbot wrote:

option httplog
option log-health-checks
option redispatch
option forwardfor except 10.222.0.52
option forwardfor except 10.222.0.53
option forwardfor except 10.222.0.58 # ip of haproxy and stunnel box

Does having multiple forwardfor statements like this actually work so that the x-forwarded-for header isn't added if the connection comes from any of those hosts (networks)? I had assumed that if any of the option forwardfor rules matched that the header would be added.

I did not notice, only the last one will be considered.

Regards,
Willy

--
Guillaume Bourque, B.Sc.,
consultant, free technology infrastructures
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr
Re: Question concerning option forwardfor and HTTP keep-alive
Thanks for the precision.

Maybe we can add some other string and not bother with the stunnel one when it is there ! Like this:

option forwardfor header X-Forwarded-For-Haproxy

Or I see that it can be a network, so this should be fine if all my stunnel are in this subnet

option forwardfor except 10.222.0.0/27

Again thanks for your great support Willy.

Guillaume

2011/8/4 Willy Tarreau w...@1wt.eu

On Thu, Aug 04, 2011 at 02:35:29PM -0400, Guillaume Bourque wrote:

Hi all, I'm reading again the documentation here http://haproxy.1wt.eu/download/1.4/doc/configuration.txt and I don't see how I can do multiple except,

It is not possible, except is an optional field used to refine the option. When we later support pattern extraction it will be easier, as you'll simply add the header and the client's IP on certain conditions.

I know I can use 1 option forwardfor in each frontend cause I have multiple frontend section maybe it's the way to do it ?

If you need to have a different option for each frontend, then yes it might be the solution you're looking for.

It would be nice to add a note in the documentation how we can put multiple option forwardfor except

It's really not planned. In fact, option forwardfor was designed to be unconditional. With SSL offloaders, it became clear that being able to add an exception for the offloader address was needed. But that's still it : an exception.

Regards,
Willy

--
Guillaume Bourque, B.Sc.,
consultant, free technology infrastructures
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr
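Added example, not from the thread or from the HAProxy project: a Python check of which SSL-offloader addresses an `option forwardfor except` setting actually exempts, applying the rule stated in this thread that only the last such line is considered. The `defaults` wrapper around the quoted lines, the function names and the smallest-covering-network helper are assumptions of this example; the addresses and the `/27` are the ones quoted in the two messages above.

```python
import ipaddress

SECTION_KEYWORDS = ("global", "defaults", "frontend", "backend", "listen")

# Constructed fragments built from the lines quoted in the thread; the
# "defaults" section header is an assumption of this example.
THREE_LINES = """\
defaults
    option httplog
    option forwardfor except 10.222.0.52
    option forwardfor except 10.222.0.53
    option forwardfor except 10.222.0.58 # ip of haproxy and stunnel box
"""
SUBNET = """\
defaults
    option forwardfor except 10.222.0.0/27
"""
OFFLOADERS = ["10.222.0.52", "10.222.0.53", "10.222.0.58"]

def effective_forwardfor(config_text):
    """Map each section to the 'except' network that is really in effect.

    Only the last 'option forwardfor' line of a section is kept, as stated
    in the thread. The value is None when the option has no 'except'.
    """
    result, section = {}, None
    for raw in config_text.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not words:
            continue
        if words[0] in SECTION_KEYWORDS:
            section = " ".join(words[:2])
            continue
        if words[:2] == ["option", "forwardfor"]:
            net = None
            if "except" in words[2:]:
                idx = words.index("except")
                if idx + 1 < len(words):
                    net = ipaddress.ip_network(words[idx + 1], strict=False)
            result[section] = net               # later lines overwrite earlier
    return result

def still_tagged(offloaders, network):
    """Offloader IPs outside the exception: for connections from these,
    haproxy still appends its own X-Forwarded-For entry."""
    return [ip for ip in offloaders
            if network is None or ipaddress.ip_address(ip) not in network]

def smallest_cover(ips):
    """Smallest single network containing every address in ips."""
    net = ipaddress.ip_network(ips[0])
    while not all(ipaddress.ip_address(ip) in net for ip in ips):
        net = net.supernet()
    return net

if __name__ == "__main__":
    for label, cfg in (("three except lines", THREE_LINES), ("/27 subnet", SUBNET)):
        net = effective_forwardfor(cfg)["defaults"]
        print(f"{label}: effective except = {net}, "
              f"not exempted = {still_tagged(OFFLOADERS, net)}")
    cover = smallest_cover(OFFLOADERS)
    print(f"smallest covering network = {cover}, "
          f"not exempted = {still_tagged(OFFLOADERS, cover)}")
```

Every address inside the exception is trusted to supply the client IP itself, so the narrowest network that covers the offloaders is the one to prefer.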
Re: How to check backend servers thru Haproxy?
Hi Willy,

should those two lines

server srv1 1.1.1.1:80 cookie s1
server srv2 1.1.1.2:80 cookie s2

be

server srv1 1.1.1.1:80 http://1.1.1.1/ cookie srv1
server srv2 1.1.1.2:80 http://1.1.1.2/ cookie srv2

Not sure, but since I can't test right now I thought to ask the master ;-)

thanks

Yes you can do that using the force-persist statement. The principle is that you define with ACLs how to detect that an incoming request is in fact one of your tests. That could be an IP address, a user-agent, or a cookie for example. Many people like the cookie because you already need to force one for the persistence, so if you can force one, you can force a second one.

When this rule is matched, then haproxy will send your request to the server associated with the persistence cookie, whatever its state, and will not redispatch the request in case of failure. This statement was created exactly for the need you describe here.

So let's consider the following setup :

listen pub
    bind :80
    cookie SRV
    server srv1 1.1.1.1:80 cookie s1
    server srv2 1.1.1.2:80 cookie s2
    acl its_me hdr_sub(cookie) TEST=true
    force-persist if its_me

Then you configure your browser to send two cookies :

SRV=srv1
TEST=true

and you send any request you want there. You'll always be sent to server1.

Cheers,
Willy

--
Guillaume Bourque, B.Sc.,
consultant, free technology infrastructures
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr
Re: Apache error log problem
Hi Greg

You won't be able to change the apache error log format; you can only change the access log file, if my memory is correct.

Maybe John's suggestion of using mod_rpaf would work but I never tried it.

Good luck !

2011/4/7 Greg Connolly g...@dmcontact.com

I’m having an issue getting the apache error logs to receive the client ip’s. The proxy ip is the only one showing up. I have the apache access log working using the forward-for but not the error logs. Can anyone shed most light in this issue? Here is the current configuration.

Apache2.conf

LogFormat %v:%p %{X-Forwarded-For}i %l %u %t \%r\ %s %b \%{Referer}i\ \%{User-Agent}i\ vhost_combined
LogFormat %{X-Forwarded-For}i %l %u %t \%r\ %s %b \%{Referer}i\ \%{User-Agent}i\ combined
LogFormat %{X-Forwarded-For}i %l %u %t \%r\ %s %b common
LogFormat %{Referer}i - %U referer
LogFormat %{User-agent}i agent

Haproxy.cfg

listen Test01 10.1.8.52:80
    mode http
    maxconn 1000
    balance roundrobin
    cookie JSESSIONID prefix
    option httplog
    option httpclose
    option forwardfor except 10.0.0.0/16
    option httpchk HEAD /haproxy_check.txt HTTP/1.0
    stick-table type ip size 200k expire 18m
    stick on src
    server 10.1.109.52 10.1.109.52:80 weight 60 cookie B check
    server 10.1.108.52 10.1.108.52:80 weight 40 cookie A check

Thanks
Greg

--
Guillaume Bourque, B.Sc.,
consultant, free technology infrastructures
Logisoft Technologies inc. http://www.logisoftech.com
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr
Re: HAProxy Session affinity for PHP web application
Hi Thomas,

We do it like this: haproxy adds a cookie, and based on the cookie it will send it to the same web server. I'm no haproxy expert but it works for us with a very basic PHP application.

Here is the related config in our haproxy:

    backend bk-prod
        balance roundrobin
        cookie SERVERID insert indirect nocache
        server lb10-3w-101 172.21.11.101:80 cookie lb11-3w-101 check inter 5s fall 3 maxconn 200 weight 20
        server lb10-3w-102 172.21.11.102:80 cookie lb11-3w-102 check inter 5s fall 3 maxconn 200 weight 20

This will load balance in a round robin way, but a second pass from the same visitor will end up on the same server, which will do what you want.

Good luck!

2011/3/11 Thomas Manson dev.mansontho...@gmail.com

> Hi Gabriel,
>
> I've read that HAProxy is capable of keeping a set of HTTP requests directed to the same webserver. (I think the feature is called 'Sticky Session' on Websphere Cluster.)
>
> I've seen this in the documentation:
>
>     appsession <cookie> len <length> timeout <holdtime> [request-learn] [prefix] [mode <path-parameters|query-string>]
>     Define session stickiness on an existing application cookie.
>
> I'm just looking for some howto/best practices on this subject.
>
> Also the shared session with memcache can be a valid option. (I've to dig into this subject.)
>
> So, can anyone confirm that it's possible or not possible to have a sticky session feature with HAProxy? If possible: howto/best practice? If not: well, I'll try the memcache solution ;)
>
> Thanks for your help,
> Regards,
> Thomas.
>
> On Fri, Mar 11, 2011 at 16:19, Gabriel Sosa sosagabr...@gmail.com wrote:
>
>> This is not an HAProxy related problem. What you need is to share the session across all webservers. You have several ways to do it: memcache, redis, db, filesystem.
>>
>> We are currently using memcache for this. Check your php.ini for session.save_handler; we have something like:
>>
>>     session.save_handler = memcache
>>     session.save_path = tcp://mmc-server-01:11211,tcp://mmc-server-02:11211
>>
>> Some more info: http://php.net/manual/en/session.configuration.php
>>
>> Once you do this, haproxy will keep using the same algorithm to balance, but webservers will be able to find/reuse the session users were on.
>>
>> Regards
>>
>> On Fri, Mar 11, 2011 at 11:37 AM, Thomas Manson dev.mansontho...@gmail.com wrote:
>>
>>> Hi,
>>>
>>> I've set up HAProxy to load balance the traffic across two web servers that run some PHP websites (based on JOOMLA, OSCommerce and some other solutions).
>>>
>>> However, I've noticed that the session affinity is not working out of the box (which after 2 sec of thinking is quite logical ;))
>>>
>>> Does anybody have some pointers to configure HAProxy (and if necessary PHP) to make this work?
>>>
>>> Thanks,
>>> Thomas.
>>
>> --
>> Gabriel Sosa
>> If you are looking for different results, do not always do the same thing. - Einstein

--
Guillaume Bourque, B.Sc., consultant, open-source technology infrastructures
Logisoft Technologies inc. http://www.logisoftech.com
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr
Re: HAProxy Session affinity for PHP web application
Thomas,

I'm no expert here, and in our case we don't trust the application ;-) So the proposed config will insert a cookie based on the name of the web server for us (put anything you want), and a returning visitor will end up on the same backend based on the haproxy cookie previously inserted.

Now I'm sure haproxy can intercept the application cookie and send it to the same server, but you will have to test that and look at the doc ;-)

Also, in the haproxy log you will have all the info for each session: where it was balanced and whether a cookie was present or inserted... From the doc, in the log section, search for this:

    the third character tells whether the persistence cookie was provided by the client (only in HTTP mode)

Good luck

2011/3/11 Manson Thomas mansontho...@gmail.com

> Ok, that's exactly what I wanted to do.
>
> The default cookie name in PHP is session.name = PHPSESSID
>
> Is it this cookie name that I should set in the HAProxy config?
>
> Thomas.
>
> On Fri, Mar 11, 2011 at 4:55 PM, Guillaume Bourque guillaume.bour...@gmail.com wrote:
>
>> Hi Thomas,
>>
>> We do it like this: haproxy adds a cookie, and based on the cookie it will send it to the same web server. I'm no haproxy expert but it works for us with a very basic PHP application.
>>
>> Here is the related config in our haproxy:
>>
>>     backend bk-prod
>>         balance roundrobin
>>         cookie SERVERID insert indirect nocache
>>         server lb10-3w-101 172.21.11.101:80 cookie lb11-3w-101 check inter 5s fall 3 maxconn 200 weight 20
>>         server lb10-3w-102 172.21.11.102:80 cookie lb11-3w-102 check inter 5s fall 3 maxconn 200 weight 20
>>
>> This will load balance in a round robin way, but a second pass from the same visitor will end up on the same server, which will do what you want.
>>
>> Good luck!
>>
>> 2011/3/11 Thomas Manson dev.mansontho...@gmail.com
>>
>>> Hi Gabriel,
>>>
>>> I've read that HAProxy is capable of keeping a set of HTTP requests directed to the same webserver. (I think the feature is called 'Sticky Session' on Websphere Cluster.)
>>>
>>> I've seen this in the documentation:
>>>
>>>     appsession <cookie> len <length> timeout <holdtime> [request-learn] [prefix] [mode <path-parameters|query-string>]
>>>     Define session stickiness on an existing application cookie.
>>>
>>> I'm just looking for some howto/best practices on this subject.
>>>
>>> Also the shared session with memcache can be a valid option. (I've to dig into this subject.)
>>>
>>> So, can anyone confirm that it's possible or not possible to have a sticky session feature with HAProxy? If possible: howto/best practice? If not: well, I'll try the memcache solution ;)
>>>
>>> Thanks for your help,
>>> Regards,
>>> Thomas.
>>>
>>> On Fri, Mar 11, 2011 at 16:19, Gabriel Sosa sosagabr...@gmail.com wrote:
>>>
>>>> This is not an HAProxy related problem. What you need is to share the session across all webservers. You have several ways to do it: memcache, redis, db, filesystem.
>>>>
>>>> We are currently using memcache for this. Check your php.ini for session.save_handler; we have something like:
>>>>
>>>>     session.save_handler = memcache
>>>>     session.save_path = tcp://mmc-server-01:11211,tcp://mmc-server-02:11211
>>>>
>>>> Some more info: http://php.net/manual/en/session.configuration.php
>>>>
>>>> Once you do this, haproxy will keep using the same algorithm to balance, but webservers will be able to find/reuse the session users were on.
>>>>
>>>> Regards
>>>>
>>>> On Fri, Mar 11, 2011 at 11:37 AM, Thomas Manson dev.mansontho...@gmail.com wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I've set up HAProxy to load balance the traffic across two web servers that run some PHP websites (based on JOOMLA, OSCommerce and some other solutions).
>>>>>
>>>>> However, I've noticed that the session affinity is not working out of the box (which after 2 sec of thinking is quite logical ;))
>>>>>
>>>>> Does anybody have some pointers to configure HAProxy (and if necessary PHP) to make this work?
>>>>>
>>>>> Thanks,
>>>>> Thomas.
>>>>
>>>> --
>>>> Gabriel Sosa
>>>> If you are looking for different results, do not always do the same thing. - Einstein
>>
>> --
>> Guillaume Bourque, B.Sc., consultant, open-source technology infrastructures
>> Logisoft Technologies inc. http://www.logisoftech.com
>> 514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr

--
Guillaume Bourque, B.Sc., consultant, open-source technology infrastructures
Logisoft Technologies inc. http://www.logisoftech.com
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr
Re: Haproxy and Plesk
Dennis,

haproxy is used to balance traffic to multiple destinations. Is this what you want to do? Not sure what you want to accomplish?

Bye

Devota wrote:

> Can you please give the full rule for the below request on haproxy?
>
> Outgoing VIP (source) 10.10.2.1
> Destination URL and port: 193.168.1.2:80, 193.168.1.2:8880, 193.168.1.2:443, 193.168.1.2:8440 as well as port 21 and port 22
>
> I don't have much experience in haproxy. Can you please help me out?
>
> Thanks
> Regards
> Dennis Devota
> Savvis Inc
> 201-472-2821
> 203-687-8619
>
> -Original Message-
> From: Guillaume Bourque [mailto:guillaume.bour...@gmail.com]
> Sent: Monday, February 14, 2011 7:27 PM
> To: Devota' Dennis
> Cc: haproxy@formilux.org
> Subject: Re: Haproxy and Plesk
>
>> For sure you can use a listen like this:
>>
>>     frontend DISPATCH-lb10
>>         bind :80,:81,:8001,:8002,:8881,:8882
>>
>> This will tell haproxy to listen on all IPs for those specific ports.
>>
>> If you check the doc you should find some complete usage examples.
>>
>> Good luck.
>>
>> Devota wrote:
>>
>>> Hi all,
>>>
>>> I am looking for a way to configure the same VIP to support multiple ports on haproxy for one physical box. The same physical box has multiple applications (80, 443 [SSL], 8443 [SSL]). I would like to use one VIP to support all the ports. Is there a way to do this on haproxy? Please kindly advise.
>>>
>>> Thanks
>>> Regards
>>> Dennis Devota
>>> Savvis Inc
>>> 201-472-2821
>>> 203-687-8619
>>>
>>> This message contains information which may be confidential and/or privileged. Unless you are the intended recipient (or authorized to receive for the intended recipient), you may not read, use, copy or disclose to anyone the message or any information contained in the message. If you have received the message in error, please advise the sender by reply e-mail and delete the message and any attachment(s) thereto without retaining any copies.

--
Guillaume Bourque, B.Sc., consultant, open-source technology infrastructures
Logisoft Technologies inc. http://www.logisoftech.com
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr
Re: Haproxy and Plesk
For sure you can use a listen like this:

    frontend DISPATCH-lb10
        bind :80,:81,:8001,:8002,:8881,:8882

This will tell haproxy to listen on all IPs for those specific ports.

If you check the doc you should find some complete usage examples.

Good luck.

Devota wrote:

> Hi all,
>
> I am looking for a way to configure the same VIP to support multiple ports on haproxy for one physical box. The same physical box has multiple applications (80, 443 [SSL], 8443 [SSL]). I would like to use one VIP to support all the ports. Is there a way to do this on haproxy? Please kindly advise.
>
> Thanks
> Regards
> Dennis Devota
> Savvis Inc
> 201-472-2821
> 203-687-8619
>
> This message contains information which may be confidential and/or privileged. Unless you are the intended recipient (or authorized to receive for the intended recipient), you may not read, use, copy or disclose to anyone the message or any information contained in the message. If you have received the message in error, please advise the sender by reply e-mail and delete the message and any attachment(s) thereto without retaining any copies.

--
Guillaume Bourque, B.Sc., consultant, open-source technology infrastructures
Logisoft Technologies inc. http://www.logisoftech.com
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr
Re: Stats page giving error sometimes, [X] Action not processed : the buffer couldn't store all the data.
Hello Willy!

You should not be disappointed at all, haproxy simply rocks. It's only a minor issue, only seen on Google Chrome, and you already have a fix that will probably solve this.

Again, thanks for this great software!

2011/2/10 Willy Tarreau w...@1wt.eu

> On Tue, Feb 08, 2011 at 05:08:48PM -0500, Guillaume Bourque wrote:
>
>> Cyril, you're a machine!
>>
>> I use Firefox for now but it will be nice to use Chrome too! And if it makes things too complicated to support the new stat option in Google Chrome, well, I will stick with Firefox, no problem at all ;-)
>
> Oh, I'm disappointed, I finally released 1.4.11 this morning with many fixes. I could have merged that too but it's too late now, it will be for the next version :-/
>
> Regards,
> Willy

--
Guillaume Bourque, B.Sc., consultant, open-source technology infrastructures
Logisoft Technologies inc. http://www.logisoftech.com
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr
Stats page giving error sometimes, [X] Action not processed : the buffer couldn't store all the data.
Hi all,

I'm running haproxy-1.4.10 (haproxy_1.4.10-1~yola~lucid~ppa1_amd64.deb) from here: https://launchpad.net/~yola/+archive/ppa/+buildjob/2125057

All is working fine except that most of the time I can't disable or enable a single server. When I try to do so I get this error message:

    [X] Action not processed : the buffer couldn't store all the data.

And if I retry it in the next minute it will work.

This is a very simple setup, only 2 backends with a total of 6 servers.

Here is my stats config:

    listen Statistiques
        bind :
        mode http
        stats hide-version
        stats refresh 60s
        # allows putting servers down or up from the stats page
        stats admin if TRUE
        stats enable
        stats uri /stats
        stats realm Haproxy\ Statistics
        stats auth yyy:xxx

And here is the log when I try to disable a server:

    Feb 8 09:27:05 lb10 haproxy[9691]: my-ip:2502 [08/Feb/2011:09:27:05.570] Statistiques Statistiques/STATS 4/-1/-1/-1/5 303 122 - - PR-- 0/0/0/0/0 0/0 POST /stats HTTP/1.1
    Feb 8 09:27:05 lb10 haproxy[9691]: my-ip:1679 [08/Feb/2011:09:27:05.638] Statistiques Statistiques/STATS 4/-1/-1/-1/63 200 20094 - - PR-- 0/0/0/0/0 0/0 GET /stats;st=EXCD HTTP/1.1
    Feb 8 09:27:05 lb10 haproxy[9691]: my-ip:1480 [08/Feb/2011:09:27:05.852] Statistiques Statistiques/NOSRV 4/-1/-1/-1/5 503 212 - - SC-- 0/0/0/0/0 0/0 GET /favicon.ico HTTP/1.1

I'm running Google Chrome v.8.0.552.224 on Linux to manage the haproxy stats page.

--
Guillaume Bourque, B.Sc., consultant, open-source technology infrastructures
Logisoft Technologies inc. http://www.logisoftech.com
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr
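An added example, not part of the thread and not HAProxy code: a parser for HTTP log lines like the three above that decodes the four-character termination field (`PR--`, `SC--`), including the third and fourth characters that record what happened to the persistence cookie. The flag meanings follow the HAProxy 1.4 logging documentation; the two `bk-prod` lines and the `fe-prod` frontend name are constructed.

```python
import re

# HAProxy "option httplog" line after the syslog prefix. The quotes around
# the request are optional because the lines quoted on this page lost them.
LOG_RE = re.compile(
    r"haproxy\[(?P<pid>\d+)\]:\s+"
    r"(?P<client>\S+?):(?P<client_port>\d+)\s*"
    r"\[(?P<accept_date>[^\]]+)\]\s+"
    r"(?P<frontend>\S+)\s+(?P<backend>[^/\s]+)/(?P<server>\S+)\s+"
    r"(?P<timers>[-+\d]+(?:/[-+\d]+){4})\s+"
    r"(?P<status>-?\d+)\s+(?P<bytes>\+?\d+)\s+"
    r"(?P<req_cookie>\S+)\s+(?P<resp_cookie>\S+)\s+"
    r"(?P<term>[A-Za-z-]{4})\s+"
    r"(?P<conns>[+\d]+(?:/[+\d]+){4})\s+(?P<queues>\d+/\d+)\s+"
    r"(?:\{(?P<req_headers>[^}]*)\}\s+)?(?:\{(?P<resp_headers>[^}]*)\}\s+)?"
    r'"?(?P<request>[^"]*?)"?\s*$'
)

TERMINATION = {  # 1st character: what ended the session
    "-": "normal end", "C": "client aborted", "S": "server aborted or refused",
    "P": "ended by the proxy itself", "R": "proxy resource exhausted",
    "I": "proxy internal error", "c": "client-side timeout",
    "s": "server-side timeout",
}
STATE = {  # 2nd character: where the session was at that moment
    "-": "normal end", "R": "waiting for a complete request",
    "Q": "waiting in queue", "C": "connecting to server",
    "H": "waiting for response headers", "D": "data phase",
    "L": "sending last data to client", "T": "tarpitted",
}
CLIENT_COOKIE = {  # 3rd character: persistence cookie sent by the client
    "-": "not applicable", "N": "none provided", "I": "invalid",
    "D": "designated a server that is down", "V": "valid",
}
COOKIE_ACTION = {  # 4th character: what was done with the cookie in the reply
    "-": "not applicable", "N": "none set", "I": "inserted by haproxy",
    "P": "provided by server, passed as-is", "R": "rewritten by haproxy",
    "D": "deleted by haproxy",
}


def decode_termination(term):
    """Translate the 4-character termination state into four phrases."""
    tables = (TERMINATION, STATE, CLIENT_COOKIE, COOKIE_ACTION)
    return tuple(t.get(ch, "unknown (%s)" % ch) for t, ch in zip(tables, term))


def parse_line(line):
    """Return a dict of log fields, or None if the line is not an HTTP log."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["total_ms"] = int(rec["timers"].split("/")[4].lstrip("+"))
    rec["flags"] = decode_termination(rec["term"])
    return rec


def sticky_outcome(rec):
    """Summarise the persistence-cookie characters for one parsed line."""
    seen, action = rec["term"][2], rec["term"][3]
    if seen == "N" and action == "I":
        return "first visit: cookie inserted"
    if seen == "V":
        return "returning visitor: cookie honoured"
    if seen in ("I", "D"):
        return "cookie not usable (invalid or server down)"
    return "no persistence cookie in play"


# The three lines quoted in the message above, verbatim.
PAGE_LINES = [
    "Feb 8 09:27:05 lb10 haproxy[9691]: my-ip:2502 [08/Feb/2011:09:27:05.570] Statistiques Statistiques/STATS 4/-1/-1/-1/5 303 122 - - PR-- 0/0/0/0/0 0/0 POST /stats HTTP/1.1",
    "Feb 8 09:27:05 lb10 haproxy[9691]: my-ip:1679 [08/Feb/2011:09:27:05.638] Statistiques Statistiques/STATS 4/-1/-1/-1/63 200 20094 - - PR-- 0/0/0/0/0 0/0 GET /stats;st=EXCD HTTP/1.1",
    "Feb 8 09:27:05 lb10 haproxy[9691]: my-ip:1480 [08/Feb/2011:09:27:05.852] Statistiques Statistiques/NOSRV 4/-1/-1/-1/5 503 212 - - SC-- 0/0/0/0/0 0/0 GET /favicon.ico HTTP/1.1",
]
# Constructed lines for the bk-prod cookie setup shown earlier on the page.
CONSTRUCTED_LINES = [
    'Mar 11 17:02:11 lb10 haproxy[9691]: 192.0.2.10:40112 [11/Mar/2011:17:02:11.120] fe-prod bk-prod/lb10-3w-101 0/0/1/12/13 200 5120 - - --NI 1/1/0/0/0 0/0 "GET /index.php HTTP/1.1"',
    'Mar 11 17:02:15 lb10 haproxy[9691]: 192.0.2.10:40113 [11/Mar/2011:17:02:15.480] fe-prod bk-prod/lb10-3w-101 0/0/1/9/10 200 4096 - - --VN 1/1/0/0/0 0/0 "GET /cart.php HTTP/1.1"',
]

if __name__ == "__main__":
    for line in PAGE_LINES + CONSTRUCTED_LINES:
        rec = parse_line(line)
        print(rec["status"], rec["server"], rec["term"], rec["flags"],
              "|", sticky_outcome(rec))
```

On the page's own lines, the stats POST and GET both decode as ended by the proxy while waiting for a request, and the favicon request as refused with no server selected (`NOSRV`).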
Re: Stats page giving error sometimes, [X] Action not processed : the buffer couldn't store all the data.
Hi all,

I just found out that on Firefox v. 3.6.13 all is working perfectly.

So there must be something with Google Chrome, at least on Ubuntu.

Bye

2011/2/8 Guillaume Bourque guillaume.bour...@gmail.com

> Hi all,
>
> I'm running haproxy-1.4.10 (haproxy_1.4.10-1~yola~lucid~ppa1_amd64.deb) from here: https://launchpad.net/~yola/+archive/ppa/+buildjob/2125057
>
> All is working fine except that most of the time I can't disable or enable a single server. When I try to do so I get this error message:
>
>     [X] Action not processed : the buffer couldn't store all the data.
>
> And if I retry it in the next minute it will work.
>
> This is a very simple setup, only 2 backends with a total of 6 servers.
>
> Here is my stats config:
>
>     listen Statistiques
>         bind :
>         mode http
>         stats hide-version
>         stats refresh 60s
>         # allows putting servers down or up from the stats page
>         stats admin if TRUE
>         stats enable
>         stats uri /stats
>         stats realm Haproxy\ Statistics
>         stats auth yyy:xxx
>
> And here is the log when I try to disable a server:
>
>     Feb 8 09:27:05 lb10 haproxy[9691]: my-ip:2502 [08/Feb/2011:09:27:05.570] Statistiques Statistiques/STATS 4/-1/-1/-1/5 303 122 - - PR-- 0/0/0/0/0 0/0 POST /stats HTTP/1.1
>     Feb 8 09:27:05 lb10 haproxy[9691]: my-ip:1679 [08/Feb/2011:09:27:05.638] Statistiques Statistiques/STATS 4/-1/-1/-1/63 200 20094 - - PR-- 0/0/0/0/0 0/0 GET /stats;st=EXCD HTTP/1.1
>     Feb 8 09:27:05 lb10 haproxy[9691]: my-ip:1480 [08/Feb/2011:09:27:05.852] Statistiques Statistiques/NOSRV 4/-1/-1/-1/5 503 212 - - SC-- 0/0/0/0/0 0/0 GET /favicon.ico HTTP/1.1
>
> I'm running Google Chrome v.8.0.552.224 on Linux to manage the haproxy stats page.
>
> --
> Guillaume Bourque, B.Sc., consultant, open-source technology infrastructures
> Logisoft Technologies inc. http://www.logisoftech.com
> 514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr

--
Guillaume Bourque, B.Sc., consultant, open-source technology infrastructures
Logisoft Technologies inc. http://www.logisoftech.com
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr
Re: Stats page giving error sometimes, [X] Action not processed : the buffer couldn't store all the data.
Cyril, you're a machine!

I use Firefox for now but it will be nice to use Chrome too! And if it makes things too complicated to support the new stat option in Google Chrome, well, I will stick with Firefox, no problem at all ;-)

Thanks.

Guillaume

Cyril Bonté wrote:

> Hi again Guillaume,
>
> On Tuesday 8 February 2011 19:20:52, Cyril Bonté wrote:
>
>> The problem is that Chrome sends the request in (at least) 2 packets: a first one for the headers part, a second one for the data, but haproxy is currently limited to one packet. I'll try to find time to enhance this but can't promise it will be this week.
>
> Good news, it didn't require a lot of modifications to accept several packets. I've updated the code to raise the limit up to the buffer size (I hope it's the way it should be done). I've also added support for the "Expect: 100-Continue" header.
>
> Give me some days to make more tests and clean up the code ;-)

--
Guillaume Bourque, B.Sc., consultant, open-source technology infrastructures
Logisoft Technologies inc. http://www.logisoftech.com
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr
Re: Startup delay problem
Hi guys,

Here's what I tried:

Moved the stunnel startup script to S60stunnel, then haproxy to S61haproxy. Heartbeat is S75heartbeat.

That did not help. So then I created an S62sleep script ;-) I know it's ugly but it was becoming late. The script would sleep for 20 sec, the time it takes haproxy to see the first server up. Then heartbeat came up, and as soon as the IP came in service, well, guess what, it took another 20 seconds for the server to come up in haproxy.

So then (just for a test) I did a sleep of 120 sec in my S62sleep script. Guess what: after my reboot it took 120 seconds to start heartbeat, but then when traffic came in to the node, another 20 sec before haproxy saw my server up!

So maybe, since heartbeat is in the loop, I have an ARP delay, as Willy said.

I will be putting a wget in my S62sleep to test haproxy and maybe force haproxy to wake up ;-) then do my sleep of 20 seconds before heartbeat starts, and I'll try to tcpdump there.

Also, with heartbeat, could I put a single MAC for my service IP on both my nodes? Would that solve this issue, which I only see at boot time on my 2 nodes?

Thanks for any advice ;-)

Mike Hoffs wrote:

>> Wait a minute, I did not notice you were running heartbeat. It changes a lot of things. It's taking the IP over, and depending on whether it's announcing gratuitous ARPs on fail-over and whether other equipment accepts them, it is possible that you have to wait for a cache to expire somewhere. Tcpdump will show that a lot better (please get the full captures, not just screen dumps, as we'll have to dig into the MAC addresses and correlate them with ARP traffic).
>
> Depending on the network topology, you could ping the routers from that IP after heartbeat has taken over the IP. That sometimes solves a problem with long-term ARP caches for us.

--
Guillaume Bourque, B.Sc., consultant, open-source technology infrastructures
Logisoft Technologies inc. http://www.logisoftech.com
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr
Re: Startup delay problem
Hurray ;-)

I found it, and as I suspected haproxy had nothing to do with it.

The backend servers are on a different subnet and need a special route. That route was only added by /etc/rc.local, which is executed after all the startup scripts, so until that route was added by /etc/rc.local haproxy could not connect to those backends.

Now I have added those routes in /etc/sysconfig/network-scripts/route-eth1, and now when haproxy starts all backends are there ;-)

Thanks for your support and sorry for this non-issue!

Bye

Willy Tarreau wrote:

> Hi Guillaume,
>
> First, thank you for the feedback. I have one question below:
>
> On Sun, Jan 09, 2011 at 12:57:28PM -0500, Guillaume Bourque wrote:
>
>> Hi guys,
>>
>> Here's what I tried:
>>
>> Moved the stunnel startup script to S60stunnel, then haproxy to S61haproxy. Heartbeat is S75heartbeat.
>>
>> That did not help. So then I created an S62sleep script ;-) I know it's ugly but it was becoming late. The script would sleep for 20 sec, the time it takes haproxy to see the first server up. Then heartbeat came up, and as soon as the IP came in service, well, guess what, it took another 20 seconds for the server to come up in haproxy.
>
> Are you sure that the switch port to which your LB is connected is not in blocking mode after the interface gets up? You can check for that by pinging anything from the machine. On Cisco switches, for instance, you have to use the portfast option so that the ports immediately forward. Otherwise the switch blocks for some time, checking for possible spanning tree frames.
>
> Regards,
> Willy

--
Guillaume Bourque, B.Sc., consultant, open-source technology infrastructures
Logisoft Technologies inc. http://www.logisoftech.com
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr
Startup delay problem
server

        capture request header Host len 20
        # log the amount of data uploaded during a POST
        capture request header Content-Length len 40
        # log the beginning of the referrer
        capture request header Referer len 40

    backend DomaineClient-PROD
        balance roundrobin
        cookie SERVERID insert indirect nocache
        option httpchk HEAD /online.txt HTTP/1.0
        server 3w1-mc-prod 10.222.4.98:80 cookie 3w1mcprod check inter 2000 fall 3 maxconn 254
        server 3w2-mc-prod 10.222.4.113:80 cookie 3w2mcprod check inter 2000 fall 3 maxconn 254
        server 3w1-mcbkp-prod 10.222.4.99:80 backup check inter 2000 fall 3 maxconn 254
        option checkcache # block response if set-cookie cacheable
        rspidel ^Set-cookie:\ IP= # do not let this cookie tell our internal IP address

Anything obvious that I missed?

What I even tried as a last resort... I added a startup script that would just do a sleep after haproxy startup, so that we wait before starting heartbeat, which will bring up the service IP and the rest of the server, but no luck. We were getting 503 errors for at least 10-20 sec before the backend had come up after the sleep period!

Thanks

--
Guillaume Bourque, B.Sc., consultant, open-source technology infrastructures
Logisoft Technologies inc. http://www.logisoftech.com
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr
Re: node frequently goes down on another physical machine
Hi,

First, upgrading to a more recent build of haproxy 1.4.x would be better.

Also, you should send us more info on your heartbeat config and haproxy so that we can better understand your setup.

Bye

Amit Nigam wrote:

> Hi,
>
> We have just recently migrated from Apache to HAProxy. We have 2 Tomcat (TC1 and TC2) nodes along with 2 LB (LB1, LB2) nodes and other DB nodes. We created 4 virtual servers out of one physical server. Using 2 servers we have 8 nodes. We are running two HAProxy instances, one each on LB1 and LB2, on a virtual IP which is managed with heartbeat.
>
> The problem is that when LB1 acquires the virtual IP, TC2 shows frequent drops; I can see thousands of retries on the stats page, while at that time TC1 runs fine. When LB2 acquires the IP, TC1 starts dropping the connections. Another problem is that the stats page keeps changing stats related to retries. It even shows the number of retries as per earlier times.
>
> I have tried several things including, as you suggested, smart-tcp-connect, foreclose and smart-tcp-connection, but my HAProxy build (1.3.16) says unknown options for them.
>
> Please help.
>
> Thanks,
> Amit

--
Guillaume Bourque, B.Sc., consultant, open-source technology infrastructures
Logisoft Technologies inc. http://www.logisoftech.com
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr
Re: Haproxy SMTP loadbalancer + authentication + real sender IP in log ?
Hi,

Why don't you create 2 MX records for the SMTP hostname that you put on your desktop? Your desktop will get 1 of the 2 MX records (IP 192.168.30.196 or 192.168.30.197). This is all in the SMTP protocol, no need for haproxy to do this.

Then all your logs in postfix will show the clients' IPs and auth will work just as usual.

Bye

jayesh shinde wrote:

> Hi,
>
> I am trying to configure HAProxy for SMTP load balancing. It has been configured on my local server as follows; below are the contents of /etc/haproxy.cfg:
>
>     listen smtp 192.168.30.195:25
>         mode tcp
>         option tcplog
>         balance roundrobin
>         server smtp1 192.168.30.196:25 weight 1 maxconn 5000 check
>         server smtp2 192.168.40.197:25 weight 1 maxconn 5000 check
>
> On 192.168.30.196 and 192.168.40.197 postfix is running on port 25 and the load is getting balanced properly.
>
> My questions:
>
> 1) How do I get the end user's real request IP on 192.168.30.196 and 192.168.40.197? Currently, whenever any end user sends emails from a desktop via the 192.168.30.195 IP, I am getting the 192.168.30.195 IP in smtp1's and smtp2's maillog, i.e. not the actual desktop sender IP. How do I get the desktop IP, i.e. the real IP, in the maillog?
>
> 2) My desktop user is not getting authenticated from 192.168.30.196 and 192.168.40.195. On the SMTP server I have LDAP authentication, which is running properly.
>
> Because of the above 2 problems I can't use HAProxy in a production environment.
>
> Can anyone please guide me on how to solve the above 2 problems? I checked the mailing list and searched Google but could not get any positive response. Your inputs will be valuable for me.
>
> Thanks
> Regards
> Jayesh Shinde

--
Guillaume Bourque, B.Sc., consultant, open-source technology infrastructures
Logisoft Technologies inc. http://www.logisoftech.com
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr
Re: [ANNOUNCE] haproxy 1.5-dev3
You guys simply rock!!! Keep up the very good work.

Bye

Willy Tarreau wrote:

> On Fri, Nov 12, 2010 at 03:51:11PM +0100, Cyril Bonté wrote:
>
>> (...)
>>
>>> Do you know if keep-alive was involved in any of these tests?
>>
>> I tried both. It's easier to reproduce without keep-alive. Actually, I also met the issue with httperf.
>>
>> My configuration files:
>>
>>     # stunnel.conf
>>     socket = l:TCP_NODELAY=1
>>     socket = r:TCP_NODELAY=1
>>     foreground=yes
>>     pid=/var/run/stunnel.pid
>>     unix-sockets-dir=/var/run
>>     debug=3
>>
>>     [localhost-uxst]
>>     cert = /home/cbonte/tmp/server.crt
>>     key = /home/cbonte/tmp/server.key
>>     accept=0.0.0.0:8443
>>     connect=/ssl.sock
>>     TIMEOUTclose = 0
>>     ;sendproxy=yes
>>
>>     [localhost-tcp]
>>     cert = /home/cbonte/tmp/server.crt
>>     key = /home/cbonte/tmp/server.key
>>     accept=0.0.0.0:8444
>>     connect=127.0.0.1:8080
>>     TIMEOUTclose = 1
>>     ;sendproxy=yes
>>
>>     # haproxy.conf
>>     global
>>         stats socket /var/run/haproxy.sock
>>
>>     defaults
>>         timeout server 60s
>>         timeout client 60s
>>         timeout connect 10s
>>
>>     listen https-in
>>         bind /var/run/ssl.sock user root mode 600 # accept-proxy
>>         bind :8080
>>         mode http
>>         #option http-server-close
>>         option httpclose
>>         stats enable
>>         server local localhost:80
>>
>> Using the UNIX socket:
>>
>>     httperf --server localhost --port 8443 --uri / --rate 100 --num-conn 1000 \
>>         --ssl --num-call 1
>>
>> => I see a lot of "readsocket: Invalid argument (22)" in stunnel
>>
>> Using the TCP socket:
>>
>>     httperf --server localhost --port 8444 --uri / --rate 100 --num-conn 1000 \
>>         --ssl --num-call 1
>>
>> => no error message
>
> Thank you Cyril, I'll forward all that material to Emeric in case he finds a clue about that. I hope we're not hitting buffer size limits or things like this on the UNIX sockets :-/
>
> TCP_NODELAY should not be set because it does not exist on the UNIX sockets, but I don't think there is any relation. More likely it's a matter of a connection limit or too fast reuse somewhere, and I'm not used to tuning for that!
>
> Thanks!
> Willy

--
Guillaume Bourque, B.Sc., consultant, open-source technology infrastructures
Logisoft Technologies inc. http://www.logisoftech.com
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr
Re: RDP Cookie Versus MS Load Balancing
John Marrett wrote:

>> I'm interested in the newish RDP cookie feature, and how it compares with the RDP load balancing features that Microsoft themselves offer (Microsoft Connection Broker / Session Directory?). Can any users offer comments on why one would use haproxy instead of the MS native tech, apart from licensing cost concerns?

For some of my customers in a virtual environment the Microsoft product did not work well, specifically for laptop users. They were not redirected to the same TS after a suspend of their laptop. I don't know why the MS solution did not work well for them, but haproxy works for them.

I used these settings in haproxy on 3 sites where we have around 70-100 RDP users:

    balance source
    option tcpka

These options force the same client IP (laptop) always onto the same backend. I don't even use the RDP cookie features yet and my customers are very happy with it this way.

YMMV

Guillaume

> From what I see it looks like the haproxy solution is fairly basic, though I'm not sure that the MS solution is any better.
>
> Some of the haproxy hashing behaviour seems a little questionable as well. This page [1] talks about "When a failed server was brought back on-line, users that had been connected to that server would reconnect to it again - even if they had started a new session on the other server in the meantime"; this also sounds quite distressing: "NB. For some daft reason Microsoft restricted the login cookie in RDP to 9 characters! Now as the domain is usually listed first (mydomain/myusername) the first 9 characters may always be the same and RDP cookie session persistence wont work. Two work arounds for this are either reduce the length of your domain name (ouch!) OR use the myusern...@mydomain format when you log in"
>
> It does sound like removing and adding servers will not affect hashing of existing connections, which is quite desirable.
>
> [1] http://blog.loadbalancer.org/load-balancing-windows-terminal-server-%E2%80%93-haproxy-and-rdp-cookies/
>
> -JohnF

--
Guillaume Bourque, B.Sc., consultant, open-source technology infrastructures
Logisoft Technologies inc. http://www.logisoftech.com
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr
Re: Haproxy+Nginx SSL Insecurities
Hi John and the list,

Thanks for sharing your config. I have a similar one and it works, BUT in the haproxy log file I get one log entry with flag PR when I hit the SSL site on port 80:

    Nov 2 17:09:39 localhost haproxy[10021]: 1.1.1.1:1680[02/Nov/2010:17:09:39.246] DISPATCH-lb2 DISPATCH-lb2/NOSRV 4/-1/-1/-1/4 301 139 - - PR-- 0/0/0/0/0 0/0 {test-ssl.domain.com||} GET / HTTP/1.1

The redirect rule applies and I'm sent over to the https site and all goes well, but I have this one entry in the log.

This is my redirect rule in my lb2 frontend section:

    frontend DISPATCH-lb2
        ...
        redirect prefix https://test-ssl.domain.com code 301 if url_spprod !secure_port_pprod

Is this normal behavior?

Thanks

2010/7/8 John T Skarbek jtsl...@gmail.com

> Hey guys,
>
> Thanks for the input. I ended up settling on the following configuration type:
>
> in haproxy:
>
>     listen something.com
>         bind 172.168.1.1:80
>         acl acl_port_80 dst_port eq 80
>         acl acl_secure hdr(amISecure) YES
>         cookie SERVERID insert indirect nocache
>         redirect location https://something.com/sslRedirect.htm code 301 if acl_port_80 !acl_secure
>         server www100 172.168.1.100 cookie www100 weight 1 check inter 1s fall 3 rise 2
>         option httpchk GET /ping.htm HTTP/1.1\r\nHost:something.com
>         capture request header X-Forwarded-For len 15
>
> and in nginx:
>
>     location / {
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header amISecure YES;
>         proxy_pass http://something.com;
>     }
>
> I also wanted to thank you guys for the feedback, I appreciated it.
>
> John T. Skarbek
> B.S. Computer Science Networking
> Radford University
> jskar...@radford.edu
> 434.770.3089
> Radford, VA 24142
>
> On Sat, Jul 3, 2010 at 12:59 PM, Willy Tarreau w...@1wt.eu wrote:
>
>> On Sat, Jul 03, 2010 at 11:23:16AM -0400, John T Skarbek wrote:
>>
>>> Chris,
>>>
>>> Thanks for responding. I had thought of the option you mention. However, I discontinued it quickly. The reason I'm not a big fan is that those header values can be hacked quite easily. Granted, the end user (hacker) may not know the specific value that it must hold. There are even plugins for browsers that help end users view headers and modify them any which way they choose.
>>
>> hey, just remove the header from the HTTP proxy ;-)
>>
>> Having a front reverse-proxy set the information about SSL is quite common anyway. With stunnel, what is common is to forward the deciphered SSL traffic to 127.0.0.1, so that haproxy knows for sure it was SSL. There is nothing wrong with proceeding that way with nginx.
>>
>> Regards,
>> Willy

--
Guillaume Bourque, B.Sc., consultant, open-source technology infrastructures
Logisoft Technologies inc. http://www.logisoftech.com
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr
Re: rpms for rhel5?
Hi Angelo,

Will you build the 1.4.9 version? x86_64 and i386 would also be great!

Thanks

2010/10/25 Angelo Höngens a.hong...@netmatch.nl

> On 25-10-2010 10:54, Pasi Kärkkäinen wrote:
>
>> You might want to add: --define 'dist .el5' to your rpmbuild command :)
>
> Thanks, that looks better :)
>
> http://files.netmatch.nl/RPMS/haproxy-1.4.8-1.el5.x86_64.rpm
>
> This building stuff is all quite new to me ;)
>
> --
> With kind regards,
> Angelo Höngens
> systems administrator
> MCSE on Windows 2003
> MCSE on Windows 2000
> MS Small Business Specialist
> --
> NetMatch
> tourism internet software solutions
> Ringbaan Oost 2b
> 5013 CA Tilburg
> +31 (0)13 5811088
> +31 (0)13 5821239
> a.hong...@netmatch.nl
> www.netmatch.nl

--
Guillaume Bourque, B.Sc., consultant, open-source technology infrastructures
Logisoft Technologies inc. http://www.logisoftech.com
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr
Question regarding cookie
Hi all,

Let's say I have 2 sites that are served by the same haproxy instance.

If I go directly to site1 all is fine, I'm using one of the servers of the site1 backend.
If I go directly to site2 all is fine, I'm using one of the servers of the site2 backend.

But from the site1 web site, if I click a link to go to site2, it won't work.

Instances #1 and #2 share physical servers but with different cookies, because they use different backends; some are Apache, others are Tomcat.

What I'm thinking is that if I open a browser to go directly to site1 or site2 all is fine, since I have no cookie. But if I click through to site2 from within site1, well, I probably already have the cookie for site1 in the request and I end up with a "file not found".

I went to the doc and I'm pretty sure cookie rewrite or similar will help me, but I would like to have your input on this kind of setup.

    cookie SERVERID indirect

or

    cookie SERVERID rewrite

Which should I use??

Another one: I use this command to dump HTTP data with tcpdump, but I'm sure there is a simpler one:

    tcpdump -s 0 -A -i any 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

Thanks for your input!

--
Guillaume Bourque, B.Sc., consultant, open-source technology infrastructures
Logisoft Technologies inc. http://www.logisoftech.com
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr
Re: Sharing machine or separate machine?
Hi !

2010/7/6 Christian Jensen christ...@officepools.com

> Thanks for the feedback. I do understand that it is pretty vague.
>
> If you have the machine directly on the net and all ports off, is the only reason to use a cisco to get the VPN or are there other benefits?
>
> I come from the M$ world where we used ISA server and I understand the positives there but also the downsides too. With ISA server I got:
>
> * URL Routing
> * NAT
> * VPN
> * Logging
> * Load Balancing
> * SSL offloading
>
> and more.
>
> I know this forum is not designed specifically for talking about Cisco products but does anyone know what the best box for the best price to emulate the above features? Is it simply a matter of mixing in other Open Source projects and boxes?

Well, an open source box will always beat the M$ equivalent price, will be more robust and more secure and you won't have to upgrade the whole server if you decide to upgrade 1 product !

Here is what some are using:

* URL Routing -- haproxy
* NAT -- linux firewall
* VPN -- linux can provide this with openvpn or other vpn server
* Logging -- well it's part of linux, syslog-ng does a good job
* Load Balancing -- haproxy can do that for all http traffic
* SSL offloading -- www.stunnel.org/ or nginx

This can be all on 1 server directly connected to the internet if well configured, or behind a cisco or juniper firewall. Some people on the list will load balance http traffic over 100Mb/sec on 1 normal server hardware ... It all depends on the size of the object that you will be serving and your configuration.

Good luck !

> I hate adding boxes because your MTBF cuts in half for every component you add.
>
> Thanks!
> Christian
>
> On 7/6/2010 3:16 AM, Angelo Höngens wrote:
>> On 6-7-2010 10:32, Christian Jensen wrote:
>>> Hi, I am setting up a new datacenter and would love to get an opinion... We have 3 options:
>>>
>>> 1. Build a firewall machine separate from the load balancer machine
>>> 2. Share a machine and have a firewall and haproxy on the same box
>>> 3. Virtualize everything (VMWare, Xen, KVM)
>>>
>>> Please suggest your best choice for firewall if you want - we can use anything. Also, if you have any decent experience with any hypervisor, please weigh in there too.
>>>
>>> Thanks! Christian
>>
>> Please suggest a new car for me. I have three options: a pick-up truck, a car with a trailer behind it, or a lorry truck. They can all be used for transporting cargo, and probably do a good job, but I can't make you any suggestions, since perhaps you do other work than I do. :-)
>>
>> I can tell you what we do, based on the work we do..
>>
>> About firewalls: we mainly use cisco firewalls everywhere (they're also good for setting up a site-to-site vpn from your office to your datacenter). We have haproxy, varnish and squid machines behind them.
>>
>> For some high-volume projects we have some balancers attached directly to the net. These balancers have at least 2 network cards, and the 'public' interface only has port 80 open. SSH and other services only listen on the inside interface. In this case you don't really need a firewall to close ports.

--
Guillaume Bourque, B.Sc., consultant, open-source technology infrastructures
Logisoft Technologies inc. http://www.logisoftech.com
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr
Re: haproxy as a dmz/proxy for other virtual hosts? examples of config files?
Hi,

well you can take any of the examples but with only 1 backend server. Later when or if your site grows you will be able to just add a server in the backend section to balance traffic on more than one http server.

Bye

2010/6/25 hapr...@serverphorums.com

> hello,
>
> Does anyone have any examples of simple (hopefully) haproxy configurations for simple proxy setups with no load balancing? basically i would like to have an alternative to mod_proxy.
>
> We have a number of internal virtual named-hosts on a number of different systems internally. I want to setup haproxy on a sort of a port 80 and 443 DMZ and re-direct virtual names to different servers within our internal network. Most of the online documents/forums I've read are more about load-balancing than just simple redirects or proxies.
>
> Thanks
> Tom.
>
> ---
> posted at http://www.serverphorums.com
> http://www.serverphorums.com/read.php?10,163672,163672#msg-163672

--
Guillaume Bourque, B.Sc., consultant, open-source technology infrastructures
Logisoft Technologies inc. http://www.logisoftech.com
514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr
Re: HAProxy on GuruPlug-Server
Hello

Have you guys tried these boxes ?

http://www.fit-pc.com/web/purchase/order-fit-pc2i/

I'm not related to this company but we have installed ~ 10 of those and they are working like a charm with ubuntu server 7 and 8.

Just for fun

We have chosen the one with a hard drive (fit-PC first version at that time) and since it's used in critical env for us and without any screen and in remote location we were worried about what would happen in case the unit lost power, will it reboot ? So before putting those units into production we did some power tests ...

I did the power failure test with an X10 device and followed the result in Zenoss and the unit did more than 300 power offs (not a clean shutdown, just power off when fully booted in normal mode) and restarted without any issue.

So we have deployed those units and for us they do the work ...

Hope not to be too disturbing !

Guillaume

Daniel Storjordet wrote:

> Hi Willy,
>
> Great article. Glad I did not go through with the order myself.
>
> Daniel Storjordet
>
> On 30.05.2010 18:44, Willy Tarreau wrote:
>> Hi Daniel,
>>
>> On Tue, Mar 09, 2010 at 01:40:32PM +0100, Daniel Storjordet wrote:
>>> Hi. Are there any success stories on using HAproxy on a GuruPlug Server http://www.newit.co.uk/shop/proddetail.php?prod=GuruPlug-Server? It is said that its speed is approximately the same as a 700Mhz P3. We are considering placing one of these at one of the large ISP, reducing the overhead as much as possible, and use it to forward all traffic to our servers using HAProxy.
>>
>> I finally got my guruplug server plus. To make a long story short, it's slower than my ALIX (Geode LX 500 MHz), and heats so much that people are reporting failures after 3 months, and I found that it was difficult to unplug an RJ45 cable without being burnt by the metal parts, really ! Two and half internal wires managed to break just by moving their plug around. It's a massive crap which I would never let run when I'm not here to monitor it !
>>
>> For more information, I've put photos here : http://1wt.eu/articles/guruplug-slow-heater/
>>
>> Regards,
>> Willy

--
Guillaume Bourque, B.Sc., consultant, open-source technology infrastructures !
514 576-7638
Re: question about transparancy
Hi,

Why don't you use 2 MX records with the same weight ? All email will come in to your 2 servers.

Just my 2¢

Bye

Michiel van Es wrote:

> Hi,
>
> I am running 2 mailservers with ASSP as a spam proxy. I use haproxy to load balance between the 2 mailservers. The problem is that the spam filter is seeing every connection coming from the load balancer and not the originating ip. Do you know how I make the connections from my HAproxy load balancer to my 2 mailservers transparent?
>
> Kind regards,
> Michiel

--
Guillaume Bourque, B.Sc., consultant, open-source technology infrastructures !
514 576-7638
Re: Binding by Hostname
Hi Laurie,

are the website IPs available on the machine where haproxy runs ? What OS is used for your haproxy server ?

Bye

Laurie Young wrote:

> Hi
>
> I hope someone can help me here...
>
> I'm trying to set up HAproxy to bind two different listeners to different hostnames. I found this in the docs for the bind command: address is optional and can be a host name, so I set up my config file like this
>
> ```
> defaults
>     mode http
>
> frontend www
>     bind wildfalcon.com:80
>     timeout client 5000
>
> frontend test
>     bind www.wildfalcon.com:80
>     timeout client 8640
> ```
>
> And I get the following error message
>
> ```
> Available polling systems :
>      poll : pref=200, test result OK
>    select : pref=150, test result OK
> Total: 2 (2 usable), will use poll.
> Using poll() as the polling mechanism.
> [ALERT] 105/160114 (10091) : Starting frontend www: cannot bind socket
> [ALERT] 105/160114 (10091) : Starting frontend test: cannot bind socket
> ```
>
> Why can the socket not be bound to (I'm starting as sudo to ensure I have permissions)?
>
> Thanks in advance
> Laurie
>
> --
> Dr Laurie Young
> Scrum Master
> New Bamboo
> Follow me on twitter: @wildfalcon
> Follow us on twitter: @newbamboo
> Creating fresh, flexible and fast-growing web applications is our passion.
> 3rd Floor, Gensurco House, 46A Rosebery Avenue, London, EC1R 4RP
> http://www.new-bamboo.co.uk

--
Guillaume Bourque, B.Sc., consultant, open-source technology infrastructures !
514 576-7638
Re: We have been playing around with the new RDP cookie feature in 1.4-dev4 and it works really well...
Hi Malcolm,

I'm using haproxy for RDP dispatcher but in tcp mode with balance source. This setup will allow a laptop user which goes in sleep mode to go back on the same server when it will wake up 2 hours later.

I would be interested to hear if you have laptop users in your setup and if the user will end up on the same backend server after a 1 hour sleep period ? Will the RDP cookie be the same after a wakeup ?

Thanks for sharing this !

Guillaume

Malcolm Turnbull wrote:

> We have been playing around with the new RDP cookie feature in 1.4-dev4 and it works really well...
>
> One of our guys Nick has written a blog about his configuration and testing of Windows Terminal Servers with Windows and Linux RDP clients. We would welcome any feedback from anyone using a similar configuration.
>
> http://blog.loadbalancer.org/
> or
> http://blog.loadbalancer.org/load-balancing-windows-terminal-server-%E2%80%93-haproxy-and-rdp-cookies/
>
> Thanks.
>
> --
> Regards,
> Malcolm Turnbull.
> Loadbalancer.org Ltd.
> Phone: +44 (0)870 443 8779
> http://www.loadbalancer.org/

--
Guillaume Bourque, B.Sc., consultant, open-source technology infrastructures !
514 576-7638
Re: Does maxconn parameter take effect in balance source mode
Hi list,

Sorry for the previous post, I just saw that the MAX session was respected. I was looking at the Sessions Total row instead of the Session Max row ;-)

Bye

Guillaume Bourque wrote:

> Hello list !
>
> I'm balancing based on the source IP and I'm wondering if the maxconn parameter takes effect in that mode ?
>
> I just looked at my stats page and I see that some server rdpfarm,RDP-6 got 63 sessions while my max is at 25 ! What can I do to limit the sessions to 25 ?
>
> Thanks
>
> Technical details of this setup.
>
> haproxy version 1.3.14.3-1 on ubuntu server
>
> haproxy.conf
>
> ```
> global
>     log 127.0.0.1 local0 debug
>     stats socket /var/run/haproxy-socket-stats
>     maxconn 4096
>     user haproxy
>     group haproxy
>
> defaults
>     log global
>     option tcplog
>     retries 3
>     maxconn 200
>     contimeout 5000
>     clitimeout 1440
>     srvtimeout 1440
> ...
> listen rdpfarm :3389
>     mode tcp
>     balance source
>     # keep-alive to the client and the server
>     option tcpka
>     server RDP-1 192.168.1.8 check port 3300 maxconn 25
>     server RDP-1 192.168.1.8 check port 3389 backup maxconn 25
>     server RDP-2 192.168.1.9 check port 3300 maxconn 25
>     server RDP-2 192.168.1.9 check port 3389 backup maxconn 25
>     server RDP-3 192.168.1.10 check port 3300 maxconn 25
>     server RDP-3 192.168.1.10 check port 3389 backup maxconn 25
>     server RDP-4 192.168.1.11 check port 3300 maxconn 25
>     server RDP-4 192.168.1.11 check port 3389 backup maxconn 25
>     server RDP-5 192.168.1.18 check port 3300 maxconn 25
>     server RDP-5 192.168.1.18 check port 3389 backup maxconn 25
>     server RDP-6 192.168.1.19 check port 3300 maxconn 25
>     server RDP-6 192.168.1.19 check port 3389 backup maxconn 25
> ```
>
> stats info
>
> ```
> echo show stat | socat unix-connect:/var/run/haproxy-socket-stats stdio
> # pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,wretr,wredis,status,weight,act,bck,chkfail,chkdown,lastchg,downtime,qlimit,pid,iid,sid,throttle,lbtot,
> rdpfarm,FRONTEND,,,22,52,200,220,10027797,74986951,0,0,0,OPEN,1,2,0,,,
> rdpfarm,RDP-1,0,0,3,9,25,27,1804106,11285858,,0,,0,23,0,,UP,1,1,0,0,0,10352,0,,1,2,1,,27,
> rdpfarm,RDP-1,0,0,0,0,25,0,0,0,,0,,0,0,0,,UP,1,0,1,0,0,10352,0,,1,2,2,,0,
> rdpfarm,RDP-2,0,0,1,3,25,15,189809,2506853,,0,,0,13,0,,UP,1,1,0,0,0,10352,0,,1,2,3,,15,
> rdpfarm,RDP-2,0,0,0,0,25,0,0,0,,0,,0,0,0,,UP,1,0,1,0,0,10352,0,,1,2,4,,0,
> rdpfarm,RDP-3,0,0,1,10,25,36,2918859,20265876,,0,,0,35,0,,UP,1,1,0,0,0,10352,0,,1,2,5,,36,
> rdpfarm,RDP-3,0,0,0,0,25,0,0,0,,0,,0,0,0,,UP,1,0,1,0,0,10352,0,,1,2,6,,0,
> rdpfarm,RDP-4,0,0,5,9,25,25,711045,7238983,,0,,0,20,0,,UP,1,1,0,0,0,10352,0,,1,2,7,,25,
> rdpfarm,RDP-4,0,0,0,0,25,0,0,0,,0,,0,0,0,,UP,1,0,1,0,0,10352,0,,1,2,8,,0,
> rdpfarm,RDP-5,0,0,4,11,25,54,2356686,17381601,,0,,0,50,0,,UP,1,1,0,0,0,10352,0,,1,2,9,,54,
> rdpfarm,RDP-5,0,0,0,0,25,0,0,0,,0,,0,0,0,,UP,1,0,1,0,0,10352,0,,1,2,10,,0,
> rdpfarm,RDP-6,0,0,8,13,25,63,2047292,16307780,,0,,0,55,0,,UP,1,1,0,0,0,10352,0,,1,2,11,,63,
> rdpfarm,RDP-6,0,0,0,0,25,0,0,0,,0,,0,0,0,,UP,1,0,1,0,0,10352,0,,1,2,12,,0,
> rdpfarm,BACKEND,0,0,22,52,200,220,10027797,74986951,0,0,,0,196,0,0,UP,6,6,6,,0,10352,0,,1,2,0,,220,
> ```

--
Guillaume Bourque, B.Sc., consultant, open-source technology infrastructures !
514 576-7638
Re: HAProxy on VMWare ESX/vSphere proxying TS?
Hi Paul,

I'm running haproxy in an ubuntu server vm (JEOS 8.04) on top of vmware server which is over centos 64 bit, and I have the same vm over an ESX environment. All those vms are in a NO motion configuration ;-) since we don't have the vmotion licence. Here is how we do it.

We have 2 identical vms with haproxy on them and the keepalive daemon to make sure the service IP is always running on one vm at a time. In case vm1 goes down, vm2 is ready to continue the haproxy traffic. RDP clients will get disconnected, but they will get auto-reconnected to the same server.

It is not perfect but works pretty well for us; it has been running on 1 site for over 1 year with 80 users and for 2 months on a 200 users setup.

Voilà, I know I'm not answering exactly your question but since I saw nobody else I thought it would be good to know !

Guillaume.

2009/7/30 Dickson, Paul pdick...@frederickcountymd.gov

> Is anyone out there using HAProxy for terminal services in an ESX/vSphere environment? Have you seen the box vmotioned and if so, have you run into any issues? I currently have it set up in a virtual environment and would like to keep it that way, but I can't have it dropping 200 TS connections if it gets vmotioned. I also don't want to restrict it from being vmotioned.
>
> I've done it a couple times and haven't seen any issues but right now I'm only testing with about 10 connections. As it always happens, once something hits production little issues creep out and I can't afford to have that happen ;)
>
> Anyone?
>
> Paul K. Dickson
> Systems Administrator
> Frederick County Government, IIT
> pdick...@fredco-md.net
> 301-600-2399/x12399

--
Guillaume Bourque, B.Sc., consultant, open-source technology infrastructures
514 576-7638
Re: Still dropping TS sessions.
Hi Willy,

But has anyone looked at doing a SourceIP persistence which is not a hash, i.e. a lookup table of source IPs?

We wanted to work on it but don't have the time to do everything, so... one thing at a time :-)

Why not just balance based on the source IP, it works well for us, maybe I'm missing something here ;-)

The maintenance of real servers is almost impossible in hash mode...without users on RDP (or other TCP app.) hitting the wrong server.

yes, I know. I would also like to implement a dual source hash LB mode. It would do the following :

- hash source = X, divide by total number of servers, returns Y [0..nbsrv-1]
- if server Y is down, then divide X by number of available servers, return Z [0..nbsrvup-1], and use server Z.

That way, if you lose a server, only this server's clients are redispatched, the other ones remain unaffected. This is only true when all servers are up and we lose one. Because if only half the servers are up and you lose one, about half of the users will move since they're already on the second hash. A smarter method would consist in rehashing without the last server as long as we get a DOWN server. But it would consume huge amounts of CPU for each request and would probably not be much useful anyway.

At first glance, the algorithm looks very simple, but when you take into account the fact that there are already 2 weighted arrays (active and backup), it becomes less obvious how to implement this (we need 4 arrays now). So we'll keep that for a later version.

I might play with the aforementioned trick in the meantime though:

```
server TS-1 10.0.0.102 check port 3300
server TS-1 10.0.0.102 check port 3389 backup
```

I guess another option with maintenance is to allow a server weight of 0 (offline for maintenance)

It's allowed now. It will be in version 1.3.19 tomorrow and it's already in development version. And yes, it helps a lot, since it still supports persistence (eg: for soft maintenance mode in HTTP).

and have two options for this:

1) Kill all connections immediately and move to new server.
2) Wait for old connections to timeout, and new connections go to new server.

you can do that when you restart haproxy with the new configuration, #1 is done with -st $oldpid, and #2 is done with -sf $oldpid.

Regards,
Willy

--
Guillaume Bourque, B.Sc., consultant, open-source technology infrastructures
514 576-7638
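The dual source-hash lookup described in the message above, worked through as an added Python example (not code from HAProxy or from anyone in this thread). It assumes "divide" means taking the remainder, uses the IPv4 address as an integer in place of a real hash, and runs on constructed server names and client addresses.

```python
import ipaddress

SERVERS = ["TS-1", "TS-2", "TS-3", "TS-4"]        # constructed farm
CLIENTS = [f"10.0.1.{k}" for k in range(1, 41)]   # constructed client IPs

def source_hash(ip):
    """Stand-in for the source hash X: the IPv4 address as an integer (assumption)."""
    return int(ipaddress.IPv4Address(ip))

def single_hash(ip, servers, up):
    """Plain source hash: X modulo the number of servers that are up."""
    alive = [s for s in servers if s in up]
    return alive[source_hash(ip) % len(alive)]

def dual_hash(ip, servers, up):
    """First hash over all servers; second hash over live servers only if needed."""
    x = source_hash(ip)
    first = servers[x % len(servers)]             # Y in [0..nbsrv-1]
    if first in up:
        return first
    alive = [s for s in servers if s in up]
    return alive[x % len(alive)]                  # Z in [0..nbsrvup-1]

def redispatched(pick, up_before, lost):
    """Clients whose server changes when `lost` goes down, split into those that
    were on the lost server and those moved although their server stayed up."""
    up_after = up_before - {lost}
    on_lost, collateral = [], []
    for ip in CLIENTS:
        before = pick(ip, SERVERS, up_before)
        if before != pick(ip, SERVERS, up_after):
            (on_lost if before == lost else collateral).append(ip)
    return on_lost, collateral

if __name__ == "__main__":
    all_up = set(SERVERS)
    for name, pick in (("single", single_hash), ("dual", dual_hash)):
        on_lost, extra = redispatched(pick, all_up, "TS-2")
        print(f"{name}: all up, lose TS-2 -> {len(on_lost)} from TS-2, "
              f"{len(extra)} others moved")
    # Degraded farm (TS-4 already down): some clients are already on the second hash
    on_lost, extra = redispatched(dual_hash, {"TS-1", "TS-2", "TS-3"}, "TS-3")
    print(f"dual: TS-4 down, lose TS-3 -> {len(on_lost)} from TS-3, "
          f"{len(extra)} others moved")
```

The last case shows the caveat from the message: once some clients are already on the second hash, losing another server also moves clients whose own server stayed up.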
Re: Still dropping TS sessions.
```
:3389 check port 3389 inter 2000 fastinter 500 downinter 1
server tslec01 10.14.3.131:3389 check port 3389 inter 2000 fastinter 500 downinter 1
server tslec02 10.14.3.122:3389 check port 3389 inter 2000 fastinter 500 downinter 1
server tslec03 10.14.3.133:3389 check port 3389 inter 2000 fastinter 500 downinter 1
server tslec04 10.14.3.134:3389 check port 3389 inter 2000 fastinter 500 downinter 1

# Web stats interface
listen admin_stats 10.14.2.157:8080
    mode http
    stats uri /
    stats realm Global\ statistics
    stats auth admin:fakepassword
    balance roundrobin
    #errorloc 502 http://192.168.114.58/error502.html
    #errorfile 503 /etc/haproxy/errors/503.http
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
```

Paul K. Dickson
Systems Administrator
Frederick County Government, IIT
pdick...@fredco-md.net
301-600-2399/x12399

-- End of Forwarded Message

--
Guillaume Bourque, B.Sc., consultant, open-source technology infrastructures !
514 576-7638
Re: Read stat or info from the socket via perl
Hi,

just do it in bash, it works well for me.

Bye

Maria wrote:

> Dear Willy,
>
> I don't have a lot of experience in perl too. As Nagios allows also to do this via bash or c, I can also use this. My main goal is only to read this information with a language (supported by nagios) and send them to nagios server. It does not matter if it is Perl or not.
>
> BTW. I modified a little the code, but I am still not able to read out this information. Maybe I will try in C code.
>
> I read from the manual that it is possible to write out statistics into a csv file? Do I specify this in the configuration file?
>
> Thanks
>
> ##
>
> ```
> #! /usr/bin/perl -w
> use strict;
> use IO::Socket;
> # use lib "/usr/local/nagios/libexec";
> #
> my $sock = new IO::Socket::UNIX (
>     Local  => "/var/run/haproxy.socket.7739.tmp",
>     Type   => SOCK_STREAM,
>     Listen => 2) or die 'error on connection.';
> next if !$sock;
> print $sock "show info \012";
> print "Now printing sockets information \n";
> while(<$sock>){ print; }
> $sock->close;
> ```
>
> ##

--
Guillaume Bourque, B.Sc., consultant, open-source technology infrastructures !
514 576-7638
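Reading the stats socket for Nagios, as asked in this thread, together with the `stot` versus `smax` mix-up from the maxconn thread earlier on this page, as an added Python example (not code from any poster). It connects to the socket as a client rather than listening on it, and compares current sessions (`scur`) with the limit (`slim`) instead of the cumulative `stot`; the two data rows are copied from the `show stat` output quoted on this page, while the function names and the 80% warning threshold are assumptions.

```python
import csv
import socket

def query_stats_socket(path, command="show stat"):
    """Send one command to an HAProxy stats socket and return the full reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)                        # client side: connect, do not listen
        sock.sendall(command.encode("ascii") + b"\n")
        reply = b""
        while chunk := sock.recv(4096):           # read until HAProxy closes the socket
            reply += chunk
    return reply.decode("ascii", "replace")

def parse_show_stat(text):
    """Turn 'show stat' CSV output into a list of dicts keyed by column name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].lstrip("# ").split(",")
    return [dict(zip(header, rec)) for rec in csv.reader(lines[1:])]

def check_sessions(rows, warn_ratio=0.8):
    """Nagios-style (exit_code, message). maxconn bounds scur/smax, never stot."""
    worst, notes = 0, []
    for r in rows:
        if r["svname"] in ("FRONTEND", "BACKEND") or not r["slim"]:
            continue
        scur, smax, slim, stot = (int(r[k]) for k in ("scur", "smax", "slim", "stot"))
        if scur >= slim:
            level = 2                             # at the per-server maxconn
        elif scur >= warn_ratio * slim:
            level = 1
        else:
            level = 0
        worst = max(worst, level)
        notes.append(f"{r['svname']}#{r['sid']} scur={scur} smax={smax} "
                     f"slim={slim} stot={stot}")
    label = ("OK", "WARNING", "CRITICAL")[worst]
    return worst, f"{label}: " + "; ".join(notes)

# Header and two rows copied from the 'show stat' dump quoted on this page.
SAMPLE = """\
# pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,wretr,wredis,status,weight,act,bck,chkfail,chkdown,lastchg,downtime,qlimit,pid,iid,sid,throttle,lbtot,
rdpfarm,RDP-5,0,0,4,11,25,54,2356686,17381601,,0,,0,50,0,,UP,1,1,0,0,0,10352,0,,1,2,9,,54,
rdpfarm,RDP-6,0,0,8,13,25,63,2047292,16307780,,0,,0,55,0,,UP,1,1,0,0,0,10352,0,,1,2,11,,63,
"""

if __name__ == "__main__":
    # On a live host: text = query_stats_socket("/var/run/haproxy-socket-stats")
    code, message = check_sessions(parse_show_stat(SAMPLE))
    print(message)
    raise SystemExit(code)
```

RDP-6 reports `stot=63` against `slim=25` and is still OK, because only 8 sessions are open now and the peak (`smax`) was 13.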