Re: Temporary Maintenance frontend for all port 80/443 ?

2016-01-24 Thread Jeff Buchbinder 
The way we've done it has been to add a maintenance server to all of our 
backends, then use the admin socket to iteratively disable all "real" servers 
for our backends. The maintenance server points all requests to your temporary 
page.

Something like:

 server  maintenance 10.0.5.10:80 backup check inter 15000 rise 2 fall 5

The important part is the "backup" attribute, so that no requests hit that 
instance unless all other servers are unavailable.

Thanks,
Jeff


From: Matt . 
Sent: Sunday, January 24, 2016 11:15 AM
To: HAProxy
Subject: Temporary Maintenance frontend for all port 80/443 ?

Hi,

I wondered if it's possible, I seen some examples but was not sure
yet, to let HA proxy running as you do but place a frontend that
listens on 0.0.0.0 and port 80 and 443 and redirect all requests to a
temporary page ?

Maybe even a local page on HAproxy ?

As I'm on pfsense I need to disable all frontends, and that are quite some.

Suggestions are welcome!

Thanks,

Matt

Re: Temporary Maintenance frontend for all port 80/443 ?

2016-01-24 Thread Jeff Buchbinder 
We've tended to disable backend servers for specific backends as part of our 
deployer integration, so it makes a certain amount of sense for us to use the 
same basic methodology to push something into a particular backend. (We also 
don't have to restart haproxy to adjust the configuration, since the 
admin/stats socket allows dynamic "MAINT" mode.)

In case it's useful for anyone, the CLI setup for dealing with this in batch 
(nbproc > 1 with an N+1 cluster of haproxy servers) is here:

https://github.com/jbuchbinder/hactl

I have similar logic built into our software deployer to handle it 
transparently. (I'm not sure if the "backup" attribute for backend servers is 
*supposed* to be used the way we've been using it, but it does a great job of 
routing traffic elsewhere when all servers are either down or in MAINT.)

Thanks,
Jeff


From: Philipp Buehler <e1c1bac6253dc54a1e89ddc046585...@posteo.net>
Sent: Sunday, January 24, 2016 12:20 PM
To: Jeff Buchbinder
Cc: Haproxy
Subject: Re: Temporary Maintenance frontend for all port 80/443 ?

Am 24.01.2016 17:58 schrieb Jeff Buchbinder:
> The way we've done it has been to add a maintenance server to all of
> our backends, then use the admin socket to iteratively disable all
> "real" servers for our backends. The maintenance server points all
> requests to your temporary page.
>
> Something like:
>
>  server  maintenance 10.0.5.10:80 backup check inter 15000 rise 2 fall
> 5

We're doing yet another approach, which is easier to "steer".
Watch closely about the logic ..

frontend whatever
  acl usrnb nbsrv(usr) gt 0
  acl usr_h_nb nbsrv(usr_h) eq 0
  use_backend usr if usrnb usr_h_nb
  use_backend usr_h

backend usr
  server usr usr021:8080 check downinter 3 fastinter 3000 fall 2

backend usr_h
  server helper localhost:8000 check downinter 3 fastinter 3000 fall
2
  option httpchk GET /maint.txt HTTP/1.1\r\nHost:\ hidden

- NO need to fiddle with haproxy.conf and/or restarts of haproxy itself
- regular ops: usrnb is true, usr_h_nb is false (no maint.txt/nginx)
- irr ops: usrnb is false -> use usr_h (which has its own logic for
serving sorry pages)
- maint: "touch maint.txt" -> usr_h_nb is false -> use usr_h (value of
usrnb irrelevant)

FTR; nginx.conf snippet:
 server {
 listen 8000;
 server_name hidden;
 access_log /var/log/nginx/maint.log main;
 location /maint.txt { access_log off; }
 location / {
 sorry-pages-things;
 }
 }

HTH,
--
pb

Patch for 1.5 with SSL to compile properly on OpenBSD

2014-10-06 Thread Jeff Buchbinder 
I have both a patch and build instructions for OpenBSD builds with SSL support 
here:

https://gist.github.com/jbuchbinder/ab33b7528b75fa99fcca

It's a small patch, but is necessary for haproxy 1.5.x to build on that 
platform.

-- 
Jeff Buchbinder
Rave Mobile Safety, Inc
jbuchbin...@ravemobilesafety.com

RE: shellshock and haproxy

2014-09-30 Thread Jeff Buchbinder 
The second line throws a config error, whether you use reqdeny or reqideny, 
complaining that the regex is invalid when running version 1.5.3.

This is the error that comes back from a configuration test:

[ALERT] 272/080419 (29422) : parsing [/etc/haproxy.cfg:295] : 'reqdeny' : 
regular expression '^[^:]+:\s+.*?([^]+){5,}' : regex 
'^[^:]+:\s+.*?([^]+){5,}' is invalid

Which version of haproxy were you able to use that regex with?

--
Jeff Buchbinder
Rave Mobile Safety, Inc
jbuchbin...@ravemobilesafety.com

From: Thomas Heil [h...@terminal-consulting.de]
Sent: Monday, September 29, 2014 8:36 AM
To: haproxy@formilux.org
Subject: shellshock and haproxy

Hi,

To mitigate the shellshock attack we added two lines in our frontends.

--
frontend fe_80
--
reqideny  ^[^:]+:\s*\(\s*\)
reqideny  ^[^:]+:\s+.*?([^]+){5,}
--

and checked this via

--
 curl --referer x() { :; }; ping 127.0.0.1 http://my-haproxy-url/
 curl --referer true EOF EOF EOF EOF EOF EOF EOF EOF
EOF EOF EOF EOF EOF EOF http://my-haproxy-url/
--

Any hints or further sugestions?

cheers
thomas

RE: shellshock and haproxy

2014-09-30 Thread Jeff Buchbinder 
I think it was accidentally left out of my latest build -- thanks!

--
Jeff Buchbinder
Rave Mobile Safety, Inc
jbuchbin...@ravemobilesafety.com

From: Lukas Tribus [luky...@hotmail.com]
Sent: Tuesday, September 30, 2014 11:30 AM
To: Jeff Buchbinder
Cc: haproxy@formilux.org
Subject: RE: shellshock and haproxy

Hi Jeff,


 [ALERT] 272/080419 (29422) : parsing [/etc/haproxy.cfg:295] : 'reqdeny' : 
 regular expression '^[^:]+:\s+.*?([^]+){5,}' : regex 
 '^[^:]+:\s+.*?([^]+){5,}' is invalid

 Which version of haproxy were you able to use that regex with?

Make sure you compiled haproxy with PCRE (USE_PCRE=1).


Regards,
Lukas

RE: [PATCH] Proxied stats admin forms fix (UPDATED PATCH ATTACHED)

2014-08-29 Thread Jeff Buchbinder 
Done. New patch attached.

--
Jeff Buchbinder
Principal Engineer / Interim Director of Infrastructure
Rave Mobile Safety, Inc
work: 508.848.2484
mobile: 860.838.3355
jbuchbin...@ravemobilesafety.com

From: Cyril Bonté [cyril.bo...@free.fr]
Sent: Friday, August 29, 2014 4:00 PM
To: Jeff Buchbinder
Cc: haproxy@formilux.org
Subject: Re: [PATCH] Proxied stats admin forms fix

Hi Jeff,

Le 29/08/2014 19:50, Jeff Buchbinder a écrit :
 When the haproxy stats interface is being proxied (in the case I was working 
 with, by apache's httpd), the formed absolute urls in the admin-level stats 
 console does does not work properly.

I can't remember where I identified corner cases, but that was at the
early beginning of the work on the administration forms, so maybe it
doesn't exist anymore (after some tests, I still can't find one anymore).
So it should be OK with your patch, but you'll need to update it because
it introduces a compilation warning.

 The default action for a form is the current URL, so it stands to reason 
 that taking the action parameter out of the form elements will allow these 
 forms to function as-intended in either proxied or non-proxied environments.

 Patch attached.

Can you update your patch to :
- remove the extra argument (scope_txt) in the first call to chunk_appendf()
- add a description directly in your patch, this will save some time to
Willy ;-)


--
Cyril Bonté
Patch for not using relative URLs for admin forms. This allows proxied instances
of the stats admin interface to continue to function, as the default FORM
action is to submit to the current URL.

Submitter: Jeff Buchbinder jbuchbin...@ravemobilesafety.com

diff --git a/src/dumpstats.c b/src/dumpstats.c
index 3855e09..2d3cbbe 100644
--- a/src/dumpstats.c
+++ b/src/dumpstats.c
@@ -3631,11 +3631,7 @@ static void stats_dump_html_px_hdr(struct stream_interface *si, struct proxy *px
 		}
 
 		chunk_appendf(trash,
-			  form action=\%s%s%s%s\ method=\post\,
-			  uri-uri_prefix,
-			  (appctx-ctx.stats.flags  STAT_HIDE_DOWN) ? ;up : ,
-			  (appctx-ctx.stats.flags  STAT_NO_REFRESH) ? ;norefresh : ,
-			  scope_txt);
+			  form method=\post\);
 	}
 
 	/* print a new table */
@@ -4139,10 +4135,7 @@ static void stats_dump_html_info(struct stream_interface *si, struct uri_auth *u
 	scope_txt[appctx-ctx.stats.scope_len] = '\0';
 
 	chunk_appendf(trash,
-		  liform method=\GET\ action=\%s%s%s\Scope : input value=\%s\ name=\ STAT_SCOPE_INPUT_NAME \ size=\8\ maxlength=\%d\ tabindex=\1\//form\n,
-		  uri-uri_prefix,
-		  (appctx-ctx.stats.flags  STAT_HIDE_DOWN) ? ;up : ,
-		  (appctx-ctx.stats.flags  STAT_NO_REFRESH) ? ;norefresh : ,
+		  liform method=\GET\Scope : input value=\%s\ name=\ STAT_SCOPE_INPUT_NAME \ size=\8\ maxlength=\%d\ tabindex=\1\//form\n,
 		  (appctx-ctx.stats.scope_len  0) ? scope_txt : ,
 		  STAT_SCOPE_TXT_MAXLEN);

1.5.3: Potential issue with request mangling

2014-08-21 Thread Jeff Buchbinder 
I have been experiencing an odd phenomena which appears to indicate that 
haproxy is mangling certain requests with version 1.5.3. It looks as though '%' 
is being reencoded as '%25', such that encodings like '%3D' are being reencoded 
as '%253D', etc. I'm using a backend/frontend separated setup. I'm including a 
sanitized version of the config below.

Is there any reason that anyone can divine to explain why that mangling might 
be occurring? The same product configuration (without specific application 
pools) was implemented with 1.4.x without any issues.

frontend fe_qa_product_http
bind x.x.x.x:80
redirect scheme https if !{ ssl_fc }
# Remove X-Powered-By header
rspidel ^X-Powered-By:.*$

frontend fe_qa_product_https
bind x.x.x.x:443 ssl crt /etc/ssl/qa.pem
reqadd X-Forwarded-Proto:\ https
acl is_a path_beg -i /a/
acl is_b path_beg -i /b/
default_backend be_qa_default
use_backend be_qa_a if is_a
use_backend be_qa_b if is_b
# Remove X-Powered-By header
rspidel ^X-Powered-By:.*$
option  accept-invalid-http-request
option  accept-invalid-http-response
# Strip JSESSIONID from static resources
reqirep (.*)(\.css);jsession=.* \1\2
reqirep (.*)(\.js);jsession=.* \1\2
reqirep (.*)(\.jpg);jsession=.* \1\2
reqirep (.*)(\.png);jsession=.* \1\2
reqirep (.*)(\.wav);jsession=.* \1\2

backend be_qa_default
balance leastconn
option httpclose
option forwardfor
cookie JSESSIONID prefix
option httpchk /about.html
server srv1 10.0.x.x:80 check inter 1 rise 2 fall 5
server srv2 10.0.x.x:80 check inter 1 rise 2 fall 5

backend be_qa_a
balance leastconn
option httpclose
option forwardfor
cookie JSESSIONID prefix
option httpchk /a/about.html
server srv1 10.0.x.x:80 check inter 1 rise 2 fall 5
server srv2 10.0.x.x:80 check inter 1 rise 2 fall 5

backend be_qa_b
balance leastconn
option httpclose
option forwardfor
cookie JSESSIONID prefix
option httpchk /b/about.html
server srv1 10.0.x.x:80 check inter 1 rise 2 fall 5
server srv2 10.0.x.x:80 check inter 1 rise 2 fall 5

-- 
Jeff Buchbinder
Rave Mobile Safety, Inc
jbuchbin...@ravemobilesafety.com

RE: git clone hangs

2014-04-09 Thread Jeff Buchbinder 
There's a mirror at https://github.com/haproxy/haproxy if the main repo is 
hanging. It's usually not more than a day or so out of date.

--
Jeff Buchbinder
Principal Engineer / Interim Director of Infrastructure
Rave Mobile Safety, Inc
work: 508.848.2484
mobile: 860.838.3355
jbuchbin...@ravemobilesafety.com

From: shouldbe q931 [shouldbeq...@gmail.com]
Sent: Wednesday, April 09, 2014 1:36 PM
To: haproxy@formilux.org
Cc: Lukas Tribus
Subject: Re: git clone hangs

On Mon, Feb 10, 2014 at 10:01 AM, Lukas Tribus luky...@hotmail.com wrote:
 Hi,

 It doesn't hang, it just needs a long time (hours, probably) if
 you clone from scratch.


Doing a git pull just now, the bandwidth utilisation _peaked_ at
20kb/s (on a 40Mb connection ~26ms away)

reminds me of being on dialup...

Re: Create Backed by Unix Socket

2012-02-06 Thread Jeff Buchbinder 
There is an API text file in the root of the git repo with some more 
information. I try to keep it sync'd with Willy's upstream copy.

carlo flores ca...@petalphile.com wrote:



John,

Where's the documentation for your patch?  I'm up for playing with this neat 
idea even if we don't use it in Prod.

Might hook in some suff to haproxyctl if you can output a version 
number/patch/something so the ctl script can recognize when someone is using 
this version...

On Mon, Feb 6, 2012 at 4:39 PM, Jeff Buchbinder 
jbuchbin...@ravemobilesafety.commailto:jbuchbin...@ravemobilesafety.com 
wrote:
The api patch I have been working on at https://github.com/jbuchbinder/haproxy 
has that functionality, but needs more testing.

Willy has said that he has no plans to include this patch, primarily due to the 
potential for configuration issues in dynamically configured frontends, 
backends, etc.

Thanks,
Jeff

Ivan Ator ivanat...@gmail.commailto:ivanat...@gmail.com wrote:


Going from the documentation, there doesn't appear to be functionality
for creating/destroying backends.

Personally, I have accomplished your task by creating a series of
scripts for maintaining the configuration file and reloading it while live.

On 2/6/2012 3:21 PM, Dziuba, Ted wrote:
 Hi,

 I am wondering if it possible to create an haproxy backend
 programmatically, using the unix socket facility. I see that you can
 enable and disable existing back-ends, but I want to add a new one. This
 is my use case:

 HTTP server starts on a host, binding to port 0

 HTTP server announces itself to a load balancer, asking to be put into
 the pool

 Load balancer acknowledges HTTP server and starts sending it traffic

 Thanks,

 Ted

 ---

 Ted Dziuba

 Co-Founder, Milo.com

 t...@milo.commailto:t...@milo.com

RE: git clone hangs?

2011-11-21 Thread Jeff Buchbinder 
From: Mark Lamourine [markll...@redhat.com]
Sent: Monday, November 21, 2011 2:31 PM
To: haproxy@formilux.org
Subject: git clone hangs?

I'm trying to clone http://git.1wt.eu/git/haproxy.git and my clone operation 
seems to hang.

I've been using git for a while, but usually with ssh+git.  Is there something 
I should be doing differently?:

git clone http://git.1wt.eu/git/haproxy.git haproxy_git
Cloning into haproxy_git...
long time no output
^C

If you need, I have a clone/fork on github. The forked changes don't appear 
unless you -DUSE_API, so it's safe to us it, if you have to.

https://github.com/jbuchbinder/haproxy

The direct pull location is git://github.com/jbuchbinder/haproxy.git

--
Jeff Buchbinder
Principal Engineer / Interim Director of Infrastructure
Rave Mobile Safety, Inc
jbuchbin...@ravemobilesafety.com

haproxy API patch

2011-08-14 Thread Jeff Buchbinder 
I've been working on an API patch, where certain functionality is
exposed over the stats HTTP service. The fork where I have been
working on this is available here:

https://github.com/jbuchbinder/haproxy

The full patch (which I imported from my old working tree) is here, if
you want to see just the changes:

https://github.com/jbuchbinder/haproxy/commit/0f924468977fc71f2530837e3e44cf47fc00fd0f

Documentation is available here:

https://github.com/jbuchbinder/haproxy/blob/master/README.API

It was recently suggested that I attempt to get this patch included
upstream.

-- 
Jeff Buchbinder
Principal Engineer / Interim Director of Infrastructure
Rave Mobile Safety, Inc
m: 860.838.3355
jbuchbin...@ravemobilesafety.com

RE: [ANNOUNCE] haproxy 1.5-dev3

2010-11-14 Thread Jeff Buchbinder 
On 11/11/2010 06:34 PM, Willy Tarreau wrote:
 Now you know where to get it :
site index  : http://haproxy.1wt.eu/
sources : http://haproxy.1wt.eu/download/1.5/src/devel/
changelog   : http://haproxy.1wt.eu/download/1.5/src/CHANGELOG
stunnel patches : http://haproxy.1wt.eu/download/patches/


OpenBSD 4.3 builds for this release (and hopefully future releases) are here:

http://www.mediafire.com/?u1m9uwiuo7af5

-- 
Jeff Buchbinder
Principal Engineer / Interim Director of Infrastructure
Rave Mobile Safety, Inc
jbuchbin...@ravemobilesafety.com

Re: [ANNOUNCE] haproxy-1.4.0

2010-02-26 Thread Jeff Buchbinder 

Willy Tarreau wrote:

I'm obviously interested in any problem report :-)
  
Build on OpenBSD 4.3 seems to fail unless #include common/compat.h 
is commented out of the src/lb_*.c files. This seemed to be the case on 
both the i386 and amd64 targets I was building on.


--
Jeff Buchbinder
Senior Infrastructure Engineer
Rave Mobile Safety, Inc
jbuchbin...@ravemobilesafety.com

Re: [ANNOUNCE] haproxy-1.4.0

2010-02-26 Thread Jeff Buchbinder 

Willy Tarreau wrote:

I'm obviously interested in any problem report :-)
  
One other OpenBSD build problem that I saw was that OBJS in Makefile.bsd 
seems to be missing:


src/auth.o src/stick_table.o src/pattern.o

to build properly. Once those are back in the OBJS list (and the 
previous fix has been made of commenting out the compat.h references), 
haproxy does build successfully on OpenBSD 4.3 and 4.4.


--
Jeff Buchbinder
Senior Infrastructure Engineer
Rave Mobile Safety, Inc
work: 508.848.2484
mobile: 860.617.5750
jbuchbin...@ravemobilesafety.com

Re: [ANNOUNCE] haproxy-1.4.0

2010-02-26 Thread Jeff Buchbinder 

Willy Tarreau wrote:

Could you please check if the following patch is enough to fix it ?
I think it should in fact.

Thanks,
Willy

diff --git a/include/common/compat.h b/include/common/compat.h
index 3c939ce..9eecdfb 100644
--- a/include/common/compat.h
+++ b/include/common/compat.h
@@ -23,8 +23,8 @@
 #define _COMMON_COMPAT_H
 
 /* This is needed on Linux for Netfilter includes */

-#include sys/socket.h
 #include sys/types.h
+#include sys/socket.h
 #include common/config.h
 #include common/standard.h
  
With that patch it does seem to build the files that were getting stuck 
before under OpenBSD 4.3.


--
Jeff Buchbinder
Senior Infrastructure Engineer
Rave Mobile Safety, Inc
work: 508.848.2484
mobile: 860.617.5750
jbuchbin...@ravemobilesafety.com

Re: [ANNOUNCE] haproxy-1.4.0

2010-02-26 Thread Jeff Buchbinder 

Willy Tarreau wrote:

On Fri, Feb 26, 2010 at 03:57:16PM -0500, Jeff Buchbinder wrote:
  
With that patch it does seem to build the files that were getting stuck 
before under OpenBSD 4.3.



Excellent, thanks very much Jeff for your quick response,
I'm applying the patch now.
  
Much appreciated. Between that patch and the Makefile.bsd change, I 
think it's set to build out of the box on OpenBSD.


--
Jeff Buchbinder
Senior Infrastructure Engineer
Rave Mobile Safety, Inc
work: 508.848.2484
mobile: 860.617.5750
jbuchbin...@ravemobilesafety.com

Re: [ANNOUNCE] haproxy 1.3.19

2009-07-28 Thread Jeff Buchbinder 

1.3.19 packaged for NSLU2 available here:

http://www.mediafire.com/file/iujzbmynjwl/haproxy_1.3.19-1_armeb.ipk

--
Jeff Buchbinder
Senior Infrastructure Engineer
Rave Wireless, Inc
jbuchbin...@ravewireless.com

Chunked HTTP traffic

2009-07-27 Thread Jeff Buchbinder 
I'm having a strange issue with haproxy, involving a client who is using 
HTTP/1.1 chunking with requests, but is rudely not allowing fallback 
to HTTP/1.0 behavior. (They're using Apache Coyote, if that makes any 
difference).


Any attempt to grab data from them results in something like this from 
java's HttpClient (since wget doesn't support chunking):


2009/07/27 14:24:38:189 EDT [DEBUG] header -  User-Agent: Jakarta 
Commons-HttpClient/3.1[\r][\n]
2009/07/27 14:24:38:190 EDT [DEBUG] header -  Host: 
(redacted):9080[\r][\n]

2009/07/27 14:24:38:190 EDT [DEBUG] header -  [\r][\n]
2009/07/27 14:24:38:275 EDT [DEBUG] header -  HTTP/1.1 200 OK[\r][\n]
2009/07/27 14:24:38:276 EDT [DEBUG] header -  HTTP/1.1 200 OK[\r][\n]
2009/07/27 14:24:38:281 EDT [DEBUG] header -  Server: 
Apache-Coyote/1.1[\r][\n]
2009/07/27 14:24:38:282 EDT [DEBUG] header -  Content-Type: 
text/xml[\r][\n]
2009/07/27 14:24:38:283 EDT [DEBUG] header -  Transfer-Encoding: 
chunked[\r][\n]
2009/07/27 14:24:38:284 EDT [DEBUG] header -  Date: Mon, 27 Jul 2009 
18:24:38 GMT[\r][\n]

2009/07/27 14:24:38:285 EDT [DEBUG] header -  [\r][\n]
HTTP/1.1 200 OK
2009/07/27 14:24:38:297 EDT [DEBUG] content -  2
2009/07/27 14:24:38:298 EDT [DEBUG] content -  0
2009/07/27 14:24:38:299 EDT [DEBUG] content -  0
2009/07/27 14:24:38:299 EDT [DEBUG] content -  0
2009/07/27 14:24:38:300 EDT [DEBUG] content -  [\r]
2009/07/27 14:24:38:300 EDT [DEBUG] content -  [\n]

It obviously wants an additional request for the first 2000 bytes of 
data, but the client just sits there, even though HttpClient supports 
chunking. Has anyone else seen behavior like this?


I have tried messing with the client and server timeout values, but it 
always seems to produce the same result.


--
Jeff Buchbinder
Senior Infrastructure Engineer
Rave Wireless, Inc
jbuchbin...@ravewireless.com

Federating haproxy servers

2009-06-26 Thread Jeff Buchbinder 
Are there any plans to allow federating of haproxy servers, so that they 
can (for example) cut down on the number of duplicate health checks? 
Currently we run two carp'd OpenBSD firewalls running haproxy, and the 
second firewall currently duplicates all health checks for our 
applications, which is less than ideal.


--
Jeff Buchbinder
Senior Infrastructure Engineer
Rave Wireless, Inc
jbuchbin...@ravewireless.com

Re: R: R: Transparent proxy

2009-05-11 Thread Jeff Buchbinder 

Willy Tarreau wrote:

do you mean that the OpenBSD supports a linux-compatible tproxy ? I was
not aware of this, because for me, tproxy is 100% linux-specific.

Do you know what versions provide it (if so) and how to detect whether it's
supported ?
  
I've seen a bunch of pf+squid magic to do it, but I think that tinyproxy 
(https://www.banu.com/tinyproxy) supports transparent proxying, at least 
for HTTP.


Not sure if that's of any help.

--
Jeff Buchbinder
Senior Infrastructure Engineer
Rave Wireless, Inc
work: 508.848.2484
mobile: 860.617.5750
jbuchbin...@ravewireless.com