Re: Temporary Maintenance frontend for all port 80/443 ?
The way we've done it has been to add a maintenance server to all of our backends, then use the admin socket to iteratively disable all "real" servers for our backends. The maintenance server points all requests to your temporary page. Something like: server maintenance 10.0.5.10:80 backup check inter 15000 rise 2 fall 5 The important part is the "backup" attribute, so that no requests hit that instance unless all other servers are unavailable. Thanks, Jeff From: Matt .Sent: Sunday, January 24, 2016 11:15 AM To: HAProxy Subject: Temporary Maintenance frontend for all port 80/443 ? Hi, I wondered if it's possible, I seen some examples but was not sure yet, to let HA proxy running as you do but place a frontend that listens on 0.0.0.0 and port 80 and 443 and redirect all requests to a temporary page ? Maybe even a local page on HAproxy ? As I'm on pfsense I need to disable all frontends, and that are quite some. Suggestions are welcome! Thanks, Matt
Re: Temporary Maintenance frontend for all port 80/443 ?
We've tended to disable backend servers for specific backends as part of our deployer integration, so it makes a certain amount of sense for us to use the same basic methodology to push something into a particular backend. (We also don't have to restart haproxy to adjust the configuration, since the admin/stats socket allows dynamic "MAINT" mode.) In case it's useful for anyone, the CLI setup for dealing with this in batch (nbproc > 1 with an N+1 cluster of haproxy servers) is here: https://github.com/jbuchbinder/hactl I have similar logic built into our software deployer to handle it transparently. (I'm not sure if the "backup" attribute for backend servers is *supposed* to be used the way we've been using it, but it does a great job of routing traffic elsewhere when all servers are either down or in MAINT.) Thanks, Jeff From: Philipp Buehler <e1c1bac6253dc54a1e89ddc046585...@posteo.net> Sent: Sunday, January 24, 2016 12:20 PM To: Jeff Buchbinder Cc: Haproxy Subject: Re: Temporary Maintenance frontend for all port 80/443 ? Am 24.01.2016 17:58 schrieb Jeff Buchbinder: > The way we've done it has been to add a maintenance server to all of > our backends, then use the admin socket to iteratively disable all > "real" servers for our backends. The maintenance server points all > requests to your temporary page. > > Something like: > > server maintenance 10.0.5.10:80 backup check inter 15000 rise 2 fall > 5 We're doing yet another approach, which is easier to "steer". Watch closely about the logic .. frontend whatever acl usrnb nbsrv(usr) gt 0 acl usr_h_nb nbsrv(usr_h) eq 0 use_backend usr if usrnb usr_h_nb use_backend usr_h backend usr server usr usr021:8080 check downinter 3 fastinter 3000 fall 2 backend usr_h server helper localhost:8000 check downinter 3 fastinter 3000 fall 2 option httpchk GET /maint.txt HTTP/1.1\r\nHost:\ hidden - NO need to fiddle with haproxy.conf and/or restarts of haproxy itself - regular ops: usrnb is true, usr_h_nb is false (no maint.txt/nginx) - irr ops: usrnb is false -> use usr_h (which has its own logic for serving sorry pages) - maint: "touch maint.txt" -> usr_h_nb is false -> use usr_h (value of usrnb irrelevant) FTR; nginx.conf snippet: server { listen 8000; server_name hidden; access_log /var/log/nginx/maint.log main; location /maint.txt { access_log off; } location / { sorry-pages-things; } } HTH, -- pb
Patch for 1.5 with SSL to compile properly on OpenBSD
I have both a patch and build instructions for OpenBSD builds with SSL support here: https://gist.github.com/jbuchbinder/ab33b7528b75fa99fcca It's a small patch, but is necessary for haproxy 1.5.x to build on that platform. -- Jeff Buchbinder Rave Mobile Safety, Inc jbuchbin...@ravemobilesafety.com
RE: shellshock and haproxy
The second line throws a config error, whether you use reqdeny or reqideny, complaining that the regex is invalid when running version 1.5.3. This is the error that comes back from a configuration test: [ALERT] 272/080419 (29422) : parsing [/etc/haproxy.cfg:295] : 'reqdeny' : regular expression '^[^:]+:\s+.*?([^]+){5,}' : regex '^[^:]+:\s+.*?([^]+){5,}' is invalid Which version of haproxy were you able to use that regex with? -- Jeff Buchbinder Rave Mobile Safety, Inc jbuchbin...@ravemobilesafety.com From: Thomas Heil [h...@terminal-consulting.de] Sent: Monday, September 29, 2014 8:36 AM To: haproxy@formilux.org Subject: shellshock and haproxy Hi, To mitigate the shellshock attack we added two lines in our frontends. -- frontend fe_80 -- reqideny ^[^:]+:\s*\(\s*\) reqideny ^[^:]+:\s+.*?([^]+){5,} -- and checked this via -- curl --referer x() { :; }; ping 127.0.0.1 http://my-haproxy-url/ curl --referer true EOF EOF EOF EOF EOF EOF EOF EOF EOF EOF EOF EOF EOF EOF http://my-haproxy-url/ -- Any hints or further sugestions? cheers thomas
RE: shellshock and haproxy
I think it was accidentally left out of my latest build -- thanks! -- Jeff Buchbinder Rave Mobile Safety, Inc jbuchbin...@ravemobilesafety.com From: Lukas Tribus [luky...@hotmail.com] Sent: Tuesday, September 30, 2014 11:30 AM To: Jeff Buchbinder Cc: haproxy@formilux.org Subject: RE: shellshock and haproxy Hi Jeff, [ALERT] 272/080419 (29422) : parsing [/etc/haproxy.cfg:295] : 'reqdeny' : regular expression '^[^:]+:\s+.*?([^]+){5,}' : regex '^[^:]+:\s+.*?([^]+){5,}' is invalid Which version of haproxy were you able to use that regex with? Make sure you compiled haproxy with PCRE (USE_PCRE=1). Regards, Lukas
RE: [PATCH] Proxied stats admin forms fix (UPDATED PATCH ATTACHED)
Done. New patch attached. -- Jeff Buchbinder Principal Engineer / Interim Director of Infrastructure Rave Mobile Safety, Inc work: 508.848.2484 mobile: 860.838.3355 jbuchbin...@ravemobilesafety.com From: Cyril Bonté [cyril.bo...@free.fr] Sent: Friday, August 29, 2014 4:00 PM To: Jeff Buchbinder Cc: haproxy@formilux.org Subject: Re: [PATCH] Proxied stats admin forms fix Hi Jeff, Le 29/08/2014 19:50, Jeff Buchbinder a écrit : When the haproxy stats interface is being proxied (in the case I was working with, by apache's httpd), the formed absolute urls in the admin-level stats console does does not work properly. I can't remember where I identified corner cases, but that was at the early beginning of the work on the administration forms, so maybe it doesn't exist anymore (after some tests, I still can't find one anymore). So it should be OK with your patch, but you'll need to update it because it introduces a compilation warning. The default action for a form is the current URL, so it stands to reason that taking the action parameter out of the form elements will allow these forms to function as-intended in either proxied or non-proxied environments. Patch attached. Can you update your patch to : - remove the extra argument (scope_txt) in the first call to chunk_appendf() - add a description directly in your patch, this will save some time to Willy ;-) -- Cyril Bonté Patch for not using relative URLs for admin forms. This allows proxied instances of the stats admin interface to continue to function, as the default FORM action is to submit to the current URL. Submitter: Jeff Buchbinder jbuchbin...@ravemobilesafety.com diff --git a/src/dumpstats.c b/src/dumpstats.c index 3855e09..2d3cbbe 100644 --- a/src/dumpstats.c +++ b/src/dumpstats.c @@ -3631,11 +3631,7 @@ static void stats_dump_html_px_hdr(struct stream_interface *si, struct proxy *px } chunk_appendf(trash, - form action=\%s%s%s%s\ method=\post\, - uri-uri_prefix, - (appctx-ctx.stats.flags STAT_HIDE_DOWN) ? ;up : , - (appctx-ctx.stats.flags STAT_NO_REFRESH) ? ;norefresh : , - scope_txt); + form method=\post\); } /* print a new table */ @@ -4139,10 +4135,7 @@ static void stats_dump_html_info(struct stream_interface *si, struct uri_auth *u scope_txt[appctx-ctx.stats.scope_len] = '\0'; chunk_appendf(trash, - liform method=\GET\ action=\%s%s%s\Scope : input value=\%s\ name=\ STAT_SCOPE_INPUT_NAME \ size=\8\ maxlength=\%d\ tabindex=\1\//form\n, - uri-uri_prefix, - (appctx-ctx.stats.flags STAT_HIDE_DOWN) ? ;up : , - (appctx-ctx.stats.flags STAT_NO_REFRESH) ? ;norefresh : , + liform method=\GET\Scope : input value=\%s\ name=\ STAT_SCOPE_INPUT_NAME \ size=\8\ maxlength=\%d\ tabindex=\1\//form\n, (appctx-ctx.stats.scope_len 0) ? scope_txt : , STAT_SCOPE_TXT_MAXLEN);
1.5.3: Potential issue with request mangling
I have been experiencing an odd phenomena which appears to indicate that haproxy is mangling certain requests with version 1.5.3. It looks as though '%' is being reencoded as '%25', such that encodings like '%3D' are being reencoded as '%253D', etc. I'm using a backend/frontend separated setup. I'm including a sanitized version of the config below. Is there any reason that anyone can divine to explain why that mangling might be occurring? The same product configuration (without specific application pools) was implemented with 1.4.x without any issues. frontend fe_qa_product_http bind x.x.x.x:80 redirect scheme https if !{ ssl_fc } # Remove X-Powered-By header rspidel ^X-Powered-By:.*$ frontend fe_qa_product_https bind x.x.x.x:443 ssl crt /etc/ssl/qa.pem reqadd X-Forwarded-Proto:\ https acl is_a path_beg -i /a/ acl is_b path_beg -i /b/ default_backend be_qa_default use_backend be_qa_a if is_a use_backend be_qa_b if is_b # Remove X-Powered-By header rspidel ^X-Powered-By:.*$ option accept-invalid-http-request option accept-invalid-http-response # Strip JSESSIONID from static resources reqirep (.*)(\.css);jsession=.* \1\2 reqirep (.*)(\.js);jsession=.* \1\2 reqirep (.*)(\.jpg);jsession=.* \1\2 reqirep (.*)(\.png);jsession=.* \1\2 reqirep (.*)(\.wav);jsession=.* \1\2 backend be_qa_default balance leastconn option httpclose option forwardfor cookie JSESSIONID prefix option httpchk /about.html server srv1 10.0.x.x:80 check inter 1 rise 2 fall 5 server srv2 10.0.x.x:80 check inter 1 rise 2 fall 5 backend be_qa_a balance leastconn option httpclose option forwardfor cookie JSESSIONID prefix option httpchk /a/about.html server srv1 10.0.x.x:80 check inter 1 rise 2 fall 5 server srv2 10.0.x.x:80 check inter 1 rise 2 fall 5 backend be_qa_b balance leastconn option httpclose option forwardfor cookie JSESSIONID prefix option httpchk /b/about.html server srv1 10.0.x.x:80 check inter 1 rise 2 fall 5 server srv2 10.0.x.x:80 check inter 1 rise 2 fall 5 -- Jeff Buchbinder Rave Mobile Safety, Inc jbuchbin...@ravemobilesafety.com
RE: git clone hangs
There's a mirror at https://github.com/haproxy/haproxy if the main repo is hanging. It's usually not more than a day or so out of date. -- Jeff Buchbinder Principal Engineer / Interim Director of Infrastructure Rave Mobile Safety, Inc work: 508.848.2484 mobile: 860.838.3355 jbuchbin...@ravemobilesafety.com From: shouldbe q931 [shouldbeq...@gmail.com] Sent: Wednesday, April 09, 2014 1:36 PM To: haproxy@formilux.org Cc: Lukas Tribus Subject: Re: git clone hangs On Mon, Feb 10, 2014 at 10:01 AM, Lukas Tribus luky...@hotmail.com wrote: Hi, It doesn't hang, it just needs a long time (hours, probably) if you clone from scratch. Doing a git pull just now, the bandwidth utilisation _peaked_ at 20kb/s (on a 40Mb connection ~26ms away) reminds me of being on dialup...
Re: Create Backed by Unix Socket
There is an API text file in the root of the git repo with some more information. I try to keep it sync'd with Willy's upstream copy. carlo flores ca...@petalphile.com wrote: John, Where's the documentation for your patch? I'm up for playing with this neat idea even if we don't use it in Prod. Might hook in some suff to haproxyctl if you can output a version number/patch/something so the ctl script can recognize when someone is using this version... On Mon, Feb 6, 2012 at 4:39 PM, Jeff Buchbinder jbuchbin...@ravemobilesafety.commailto:jbuchbin...@ravemobilesafety.com wrote: The api patch I have been working on at https://github.com/jbuchbinder/haproxy has that functionality, but needs more testing. Willy has said that he has no plans to include this patch, primarily due to the potential for configuration issues in dynamically configured frontends, backends, etc. Thanks, Jeff Ivan Ator ivanat...@gmail.commailto:ivanat...@gmail.com wrote: Going from the documentation, there doesn't appear to be functionality for creating/destroying backends. Personally, I have accomplished your task by creating a series of scripts for maintaining the configuration file and reloading it while live. On 2/6/2012 3:21 PM, Dziuba, Ted wrote: Hi, I am wondering if it possible to create an haproxy backend programmatically, using the unix socket facility. I see that you can enable and disable existing back-ends, but I want to add a new one. This is my use case: HTTP server starts on a host, binding to port 0 HTTP server announces itself to a load balancer, asking to be put into the pool Load balancer acknowledges HTTP server and starts sending it traffic Thanks, Ted --- Ted Dziuba Co-Founder, Milo.com t...@milo.commailto:t...@milo.com
RE: git clone hangs?
From: Mark Lamourine [markll...@redhat.com] Sent: Monday, November 21, 2011 2:31 PM To: haproxy@formilux.org Subject: git clone hangs? I'm trying to clone http://git.1wt.eu/git/haproxy.git and my clone operation seems to hang. I've been using git for a while, but usually with ssh+git. Is there something I should be doing differently?: git clone http://git.1wt.eu/git/haproxy.git haproxy_git Cloning into haproxy_git... long time no output ^C If you need, I have a clone/fork on github. The forked changes don't appear unless you -DUSE_API, so it's safe to us it, if you have to. https://github.com/jbuchbinder/haproxy The direct pull location is git://github.com/jbuchbinder/haproxy.git -- Jeff Buchbinder Principal Engineer / Interim Director of Infrastructure Rave Mobile Safety, Inc jbuchbin...@ravemobilesafety.com
haproxy API patch
I've been working on an API patch, where certain functionality is exposed over the stats HTTP service. The fork where I have been working on this is available here: https://github.com/jbuchbinder/haproxy The full patch (which I imported from my old working tree) is here, if you want to see just the changes: https://github.com/jbuchbinder/haproxy/commit/0f924468977fc71f2530837e3e44cf47fc00fd0f Documentation is available here: https://github.com/jbuchbinder/haproxy/blob/master/README.API It was recently suggested that I attempt to get this patch included upstream. -- Jeff Buchbinder Principal Engineer / Interim Director of Infrastructure Rave Mobile Safety, Inc m: 860.838.3355 jbuchbin...@ravemobilesafety.com
RE: [ANNOUNCE] haproxy 1.5-dev3
On 11/11/2010 06:34 PM, Willy Tarreau wrote: Now you know where to get it : site index : http://haproxy.1wt.eu/ sources : http://haproxy.1wt.eu/download/1.5/src/devel/ changelog : http://haproxy.1wt.eu/download/1.5/src/CHANGELOG stunnel patches : http://haproxy.1wt.eu/download/patches/ OpenBSD 4.3 builds for this release (and hopefully future releases) are here: http://www.mediafire.com/?u1m9uwiuo7af5 -- Jeff Buchbinder Principal Engineer / Interim Director of Infrastructure Rave Mobile Safety, Inc jbuchbin...@ravemobilesafety.com
Re: [ANNOUNCE] haproxy-1.4.0
Willy Tarreau wrote: I'm obviously interested in any problem report :-) Build on OpenBSD 4.3 seems to fail unless #include common/compat.h is commented out of the src/lb_*.c files. This seemed to be the case on both the i386 and amd64 targets I was building on. -- Jeff Buchbinder Senior Infrastructure Engineer Rave Mobile Safety, Inc jbuchbin...@ravemobilesafety.com
Re: [ANNOUNCE] haproxy-1.4.0
Willy Tarreau wrote: I'm obviously interested in any problem report :-) One other OpenBSD build problem that I saw was that OBJS in Makefile.bsd seems to be missing: src/auth.o src/stick_table.o src/pattern.o to build properly. Once those are back in the OBJS list (and the previous fix has been made of commenting out the compat.h references), haproxy does build successfully on OpenBSD 4.3 and 4.4. -- Jeff Buchbinder Senior Infrastructure Engineer Rave Mobile Safety, Inc work: 508.848.2484 mobile: 860.617.5750 jbuchbin...@ravemobilesafety.com
Re: [ANNOUNCE] haproxy-1.4.0
Willy Tarreau wrote: Could you please check if the following patch is enough to fix it ? I think it should in fact. Thanks, Willy diff --git a/include/common/compat.h b/include/common/compat.h index 3c939ce..9eecdfb 100644 --- a/include/common/compat.h +++ b/include/common/compat.h @@ -23,8 +23,8 @@ #define _COMMON_COMPAT_H /* This is needed on Linux for Netfilter includes */ -#include sys/socket.h #include sys/types.h +#include sys/socket.h #include common/config.h #include common/standard.h With that patch it does seem to build the files that were getting stuck before under OpenBSD 4.3. -- Jeff Buchbinder Senior Infrastructure Engineer Rave Mobile Safety, Inc work: 508.848.2484 mobile: 860.617.5750 jbuchbin...@ravemobilesafety.com
Re: [ANNOUNCE] haproxy-1.4.0
Willy Tarreau wrote: On Fri, Feb 26, 2010 at 03:57:16PM -0500, Jeff Buchbinder wrote: With that patch it does seem to build the files that were getting stuck before under OpenBSD 4.3. Excellent, thanks very much Jeff for your quick response, I'm applying the patch now. Much appreciated. Between that patch and the Makefile.bsd change, I think it's set to build out of the box on OpenBSD. -- Jeff Buchbinder Senior Infrastructure Engineer Rave Mobile Safety, Inc work: 508.848.2484 mobile: 860.617.5750 jbuchbin...@ravemobilesafety.com
Re: [ANNOUNCE] haproxy 1.3.19
1.3.19 packaged for NSLU2 available here: http://www.mediafire.com/file/iujzbmynjwl/haproxy_1.3.19-1_armeb.ipk -- Jeff Buchbinder Senior Infrastructure Engineer Rave Wireless, Inc jbuchbin...@ravewireless.com
Chunked HTTP traffic
I'm having a strange issue with haproxy, involving a client who is using HTTP/1.1 chunking with requests, but is rudely not allowing fallback to HTTP/1.0 behavior. (They're using Apache Coyote, if that makes any difference). Any attempt to grab data from them results in something like this from java's HttpClient (since wget doesn't support chunking): 2009/07/27 14:24:38:189 EDT [DEBUG] header - User-Agent: Jakarta Commons-HttpClient/3.1[\r][\n] 2009/07/27 14:24:38:190 EDT [DEBUG] header - Host: (redacted):9080[\r][\n] 2009/07/27 14:24:38:190 EDT [DEBUG] header - [\r][\n] 2009/07/27 14:24:38:275 EDT [DEBUG] header - HTTP/1.1 200 OK[\r][\n] 2009/07/27 14:24:38:276 EDT [DEBUG] header - HTTP/1.1 200 OK[\r][\n] 2009/07/27 14:24:38:281 EDT [DEBUG] header - Server: Apache-Coyote/1.1[\r][\n] 2009/07/27 14:24:38:282 EDT [DEBUG] header - Content-Type: text/xml[\r][\n] 2009/07/27 14:24:38:283 EDT [DEBUG] header - Transfer-Encoding: chunked[\r][\n] 2009/07/27 14:24:38:284 EDT [DEBUG] header - Date: Mon, 27 Jul 2009 18:24:38 GMT[\r][\n] 2009/07/27 14:24:38:285 EDT [DEBUG] header - [\r][\n] HTTP/1.1 200 OK 2009/07/27 14:24:38:297 EDT [DEBUG] content - 2 2009/07/27 14:24:38:298 EDT [DEBUG] content - 0 2009/07/27 14:24:38:299 EDT [DEBUG] content - 0 2009/07/27 14:24:38:299 EDT [DEBUG] content - 0 2009/07/27 14:24:38:300 EDT [DEBUG] content - [\r] 2009/07/27 14:24:38:300 EDT [DEBUG] content - [\n] It obviously wants an additional request for the first 2000 bytes of data, but the client just sits there, even though HttpClient supports chunking. Has anyone else seen behavior like this? I have tried messing with the client and server timeout values, but it always seems to produce the same result. -- Jeff Buchbinder Senior Infrastructure Engineer Rave Wireless, Inc jbuchbin...@ravewireless.com
Federating haproxy servers
Are there any plans to allow federating of haproxy servers, so that they can (for example) cut down on the number of duplicate health checks? Currently we run two carp'd OpenBSD firewalls running haproxy, and the second firewall currently duplicates all health checks for our applications, which is less than ideal. -- Jeff Buchbinder Senior Infrastructure Engineer Rave Wireless, Inc jbuchbin...@ravewireless.com
Re: R: R: Transparent proxy
Willy Tarreau wrote: do you mean that the OpenBSD supports a linux-compatible tproxy ? I was not aware of this, because for me, tproxy is 100% linux-specific. Do you know what versions provide it (if so) and how to detect whether it's supported ? I've seen a bunch of pf+squid magic to do it, but I think that tinyproxy (https://www.banu.com/tinyproxy) supports transparent proxying, at least for HTTP. Not sure if that's of any help. -- Jeff Buchbinder Senior Infrastructure Engineer Rave Wireless, Inc work: 508.848.2484 mobile: 860.617.5750 jbuchbin...@ravewireless.com