Re: OpenBSD/2.1.0 - weird syslogging?
On 03.12.2019 07:22, Willy Tarreau wrote:
> I suspect that on other platforms, logging 0 characters from a NULL pointer is OK and results in nothing being emitted, while on OpenBSD it still checks the pointer's validity before detecting it doesn't need it, resulting in the error.
>
> Could you please try to change the last line Aleks pointed at like this:
>
>     -(int)host.data, host.area, sep, "");
>     +(int)host.data, host.area ? host.area : "", sep, "");
>
> I suspect it will be enough.

Indeed, this does the job! Thanks.

--
pb
Re: OpenBSD/2.1.0 - weird syslogging?
On 01.12.2019 12:00, Aleksandar Lazic wrote:
> Just a wild guess: have you set "log-send-hostname"? If not, can you set it and tell us if anything changes?
> http://cbonte.github.io/haproxy-dconv/2.1/configuration.html#log-send-hostname

I had not, but it made me curious. So I did some tcpdump on it and can "confirm" that without this option the hostname is missing in the syslog message. Logging is now mute instead of producing errors, but I would rather blame my setup for this. Thanks for this pointer already.

--
pb
OpenBSD/2.1.0 - weird syslogging?
Hello,

just built 2.1.0 on OpenBSD.. while the actual processing (fe->be) works, I am getting quite some weird logging (in /var/log/messages) per http-request:

    Nov 30 23:01:05 tyo haproxy: vfprintf %s NULL in ">%s %2d %02d:%02d:%02d %.*s%*s"

syslog.conf is pretty straightforward:

    *.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none   /var/log/messages   #default
    local0.*   /var/log/haproxy

with the syslog config in haproxy.cfg:

    log 127.0.0.1 local0 debug

I am confused.. this is a plain test/sandbox (working on "new" monitoring), so I can do whatever is needed on tracing and such.

PS: logging is the same for HTTP or HTTPS (just in case libressl..)

    tyo# haproxy -vv
    HA-Proxy version 2.1.0 2019/11/25 - https://haproxy.org/
    Status: stable branch - will stop receiving fixes around Q1 2021.
    Known bugs: http://www.haproxy.org/bugs/bugs-2.1.0.html
    Build options :
      TARGET  = openbsd
      CPU     = generic
      CC      = cc
      CFLAGS  = -O2 -pipe -fno-strict-aliasing
      OPTIONS = USE_PCRE=1 USE_OPENSSL=1

    Feature list : -EPOLL +KQUEUE -MY_EPOLL -MY_SPLICE -NETFILTER +PCRE -PCRE_JIT -PCRE2 -PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED -REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY -LINUX_TPROXY -LINUX_SPLICE -LIBCRYPT -CRYPT_H -VSYSCALL -GETADDRINFO +OPENSSL -LUA -FUTEX +ACCEPT4 -MY_ACCEPT4 -ZLIB -SLZ -CPU_AFFINITY -TFO -NS -DL -RT -DEVICEATLAS -51DEGREES -WURFL -SYSTEMD -OBSOLETE_LINKER -PRCTL -THREAD_DUMP -EVPORTS

    Default settings :
      bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

    Built with multi-threading support (MAX_THREADS=64, default=1).
    Built with OpenSSL version : LibreSSL 2.8.2
    Running on OpenSSL version : LibreSSL 2.8.2
    OpenSSL library supports TLS extensions : yes
    OpenSSL library supports SNI : yes
    OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
    Built with transparent proxy support using: SO_BINDANY
    Built with PCRE version : 8.41 2017-07-05
    Running on PCRE version : 8.41 2017-07-05
    PCRE library supports JIT : no (USE_PCRE_JIT not set)
    Encrypted password support via crypt(3): yes
    Built without compression support (neither USE_ZLIB nor USE_SLZ are set).
    Compression algorithms supported : identity("identity")

    Available polling systems :
         kqueue : pref=300,  test result OK
           poll : pref=200,  test result OK
         select : pref=150,  test result OK
    Total: 3 (3 usable), will use kqueue.

    Available multiplexer protocols :
    (protocols marked as <default> cannot be specified using 'proto' keyword)
                  h2 : mode=HTTP       side=FE|BE     mux=H2
                fcgi : mode=HTTP       side=BE        mux=FCGI
           <default> : mode=HTTP       side=FE|BE     mux=H1
           <default> : mode=TCP        side=FE|BE     mux=PASS

    Available services : none

    Available filters :
        [SPOE] spoe
        [CACHE] cache
        [FCGI] fcgi-app
        [TRACE] trace
        [COMP] compression

TIA,

--
pb
Re: Mode TCP and acl to choose backend
Hi Jarno,

thanks a lot for your hint. I had two issues. I missed "mode tcp" also in the backend, and additionally your tip works perfectly without acl but with the "use_backend special if { src 10.0.0.1 10.0.0.2 }" statement.

Thanks
Philipp

--
---
DI Mag. Philipp Kolmann          mail: philipp.kolm...@tuwien.ac.at
Technische Universitaet Wien     web:  www.it.tuwien.ac.at
IT Solutions - Applications      tel:  +43(1)58801-42011
Operngasse 11, A-1040 Wien       DVR:  0005886
---

From: Jarno Huuskonen
Sent: Monday, 28 October 2019 17:52
To: Kolmann, Philipp
Cc: haproxy@formilux.org; Klasek, Johann
Subject: Re: Mode TCP and acl to choose backend

Hi,

On Mon, Oct 28, Philipp Kolmann wrote:
> I load-balance TCP Port 25 on a haproxy. This works perfectly.
>
> Now I need to check, if the connection is coming for a special host, then a
> different backend smtp server should be used. I thought I could use acl and
> use_backend but this seems only to work for http connections.

What does special host mean in this context? Is it something you can get from layer4 (src, src_port, dst, dst_port) or something from, for example, the SMTP protocol?

> Has anyone a tip how to achieve this with mode tcp?

If you can get special host from layer4, then for example:

    use_backend specialhost if { dst 10.10.10.10 }

might work.

-Jarno

--
Jarno Huuskonen
Mode TCP and acl to choose backend
Hi,

I load-balance TCP Port 25 on a haproxy. This works perfectly.

Now I need to check, if the connection is coming for a special host, then a different backend smtp server should be used. I thought I could use acl and use_backend but this seems only to work for http connections.

Has anyone a tip how to achieve this with mode tcp?

Thanks
Philipp
Re: HAproxy transparent proxy and IPv6
Hi,

I did some more testing and found the reason why it didn't work:

I had added the required ip cmds:

    post-up ip rule add fwmark 1 lookup 100
    post-up ip route add local 0.0.0.0/0 dev lo table 100
    post-up ip route add local ::/0 dev lo table 100

"ip rule add fwmark 1 lookup 100" only adds the fwmark to the IPv4 rule table...

    ip -6 rule add fwmark 1 lookup 100

did the trick. Maybe that helps somebody else in the future.

The whole ip-up/down looks like this now (the pre-down lines remove the policy rules with "rule del", the counterpart of the "rule add" lines above):

    post-up ip rule add fwmark 1 lookup 100
    post-up ip -6 rule add fwmark 1 lookup 100
    post-up ip route add local 0.0.0.0/0 dev lo table 100
    post-up ip -6 route add local ::/0 dev lo table 100
    pre-down ip -6 route del local ::/0 dev lo table 100
    pre-down ip route del local 0.0.0.0/0 dev lo table 100
    pre-down ip -6 rule del from all fwmark 1 lookup 100
    pre-down ip rule del from all fwmark 1 lookup 100

Thanks
Philipp
HAproxy transparent proxy and IPv6
Hi,

I have set up my test-HAproxy-env according to https://www.haproxy.com/blog/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/

I have set up the firewall rules for IPv4 and v6:

    TEST testha1:~/svnconfig/etc/iptables# iptables -t mangle -vL
    Chain PREROUTING (policy ACCEPT 163K packets, 291M bytes)
     pkts bytes target     prot opt in     out     source               destination
     374K   68M DIVERT     tcp  --  any    any     anywhere             anywhere             socket

    Chain DIVERT (1 references)
     pkts bytes target     prot opt in     out     source               destination
     374K   68M MARK       all  --  any    any     anywhere             anywhere             MARK set 0x1
     374K   68M ACCEPT     all  --  any    any     anywhere             anywhere

    TEST testha1:~/svnconfig/etc/iptables# ip6tables -t mangle -vL
    Chain PREROUTING (policy ACCEPT 409K packets, 788M bytes)
     pkts bytes target     prot     in     out     source               destination
     373K   75M DIVERT     tcp      any    any     anywhere             anywhere             socket

    Chain DIVERT (1 references)
     pkts bytes target     prot     in     out     source               destination
     373K   75M MARK       all      any    any     anywhere             anywhere             MARK set 0x1
     373K   75M ACCEPT     all      any    any     anywhere             anywhere

I have added the required ip cmds:

    post-up ip rule add fwmark 1 lookup 100
    post-up ip route add local 0.0.0.0/0 dev lo table 100
    post-up ip route add local ::/0 dev lo table 100

    listen mail-test-submission
        bind 128.130.xx.yy:587 transparent name submission
        mode tcp
        source 0.0.0.0 usesrc clientip
        log-format %ci:%cp\ [%t]\ %ft\ %s\ %si:%sp\ %Tw/%Tc/%Tt\ %B\ %ts\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq
        balance leastconn

That works like a charm. In IPv6 I set it up accordingly:

    listen mail-test-v6-submission
        bind 2001:629:xx:yy::zz:587 transparent name submission
        mode tcp
        source [::] usesrc clientip
        log-format %ci:%cp\ [%t]\ %ft\ %s\ %si:%sp\ %Tw/%Tc/%Tt\ %B\ %ts\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq
        balance leastconn

There, with the source line, it fails to connect. I see on the outside interface a Syn, Syn->Ack, Ack TCP flow, but on the inside (HAproxy to application server) I see only Syn, Syn-Ack, Syn, Syn-Ack traffic.

HAProxy (1.8.19-1, Debian Buster) is running as root.

Does anyone have such a setup running and may be able to help? I haven't found any hints on this problem...

Thanks
Philipp
server - Add Port to with range
Hi,

I need to reverse proxy a range of TCP ports via HAproxy. It works just fine, but now I have a list of open ports in the web interface with no idea which port is which:

    listen xx
        bind 0.1.2.3:8100-8150 transparent name repos
        mode tcp
        timeout client 12h
        log-format %ci:%cp\ [%t]\ %ft\ %s\ %si:%sp\ %Tw/%Tc/%Tt\ %B\ %ts\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq
        option tcp-check
        tcp-check connect port 8100
        server name 172.1.2.3 maxconn 1 check

I see 51 lines with 'name' in the statistics report. I searched the docs but couldn't find a possibility to add the port to the name. My idea would be to be able to specify

    server name-%p 172.1.2.3 maxconn 1 check

and in the statistics it would read name-8100, name-8101 etc...

Is this already possible?

Thanks
Philipp
Re: Adding Configuration parts via File
Hi Jarno,

On 3/8/19 4:57 PM, Jarno Huuskonen wrote:
> Yes (probably :), something like this might work for you:
>
>     acl is_redirect_match path,map_beg(redir.map) -m found
>     http-request redirect code 302 location %[path,map_beg(redir.map)] if is_redirect_match

Thanks a lot for your help. That works fantastically!

Philipp
Re: Adding Configuration parts via File
On 3/8/19 2:50 PM, Patrick Hemmer wrote:
> You can use external files in two cases. See the following blog articles:
> https://www.haproxy.com/blog/introduction-to-haproxy-acls/ (search for "acl file")
> https://www.haproxy.com/blog/introduction-to-haproxy-maps/

Hi,

thanks for the hint with the maps. This looks quite promising for the other issue I am facing:

    acl mandant_IT_email path_beg -i /it/Service-One
    http-request redirect code 302 location "/long/URL/84" if mandant_IT_email

Is there any possibility to achieve such a redirect if path_beg via maps?

    http-request redirect code 302 location *value* if path_beg *key*

Thanks
Philipp
Re: Adding Configuration parts via File
Hi Bruno,

On 3/8/19 2:26 PM, Bruno Henc wrote:
> I don't think there is a capability to include a list of ACLs. However, you can load the ip addresses once via the -f parameter:
>
>     acl is_admin src -f /etc/haproxy/admin_ip_list.txt

Thanks, that sounds like a solution for my IP list issue...

> I do have to admit that including ACLs is a neat idea. Alternatively, global ACLs would be nice.

Well, I have another use case where including a file would be very handy: we have some short-cuts that we want to generate from our application and redirect to the long URLs via HAproxy:

    acl mandant_IT_email path_beg -i /it/service1
    acl mandant_IT_email path_beg -i /it/serviceOne
    acl mandant_IT_email path_beg -i /it/Service-1
    acl mandant_IT_email path_beg -i /it/Service-One
    http-request redirect code 302 location "/long/URL/84" if mandant_IT_email

    acl mandant_IT path_beg -i /comp1
    acl mandant_IT path_beg -i /comp
    acl mandant_IT path_beg -i /compName
    http-request redirect code 302 location "/long/URL/1" if mandant_IT

These ACLs we would love to generate from our database into a file which gets used by an HAproxy include statement.

> Does this workaround solve your use case?

Regarding the IP addresses it works as expected. The include statement (or whatever) would still be very welcome for other things than IP lists.

Thanks for the hint,
Philipp
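The map_beg() redirect that settled this thread, together with the plan above to generate the entries from a database, means rows from that database end up verbatim in a Location: header. The lint below is an added example (not from the thread or from HAProxy) for checking such a generated redir.map before a reload: two fields per line, path-shaped keys, same-origin values, no control characters and no duplicate keys. The map format is HAProxy's ("key value" per line, '#' comments); the file contents are constructed from the short-cuts quoted in the mail.

```shell
#!/bin/sh
# Added example, not part of the thread.  Lints a redirect map that an
# application generates from its database before HAProxy loads it with
# "path,map_beg(redir.map)".  Format: one "<key> <value>" per line, '#'
# comments and blank lines ignored.  Checks:
#   - exactly two whitespace-separated fields (a stray space shifts the value)
#   - key starts with "/" so it can only ever match a request path
#   - value starts with "/" so a database row cannot send users off-site
#   - no control characters (a CR in a value would end up in Location:)
#   - no duplicate keys (a second entry for the same key is never reached)
# All entries below are constructed sample data.

# lint_redir_map FILE: prints one diagnostic per line, exit 1 if any were found.
lint_redir_map() {
    file=$1
    status=0
    seen=""
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in ''|'#'*) continue ;; esac
        # Tabs are legitimate separators; anything else below 0x20 is not.
        if printf '%s' "$line" | tr -d '\t' | LC_ALL=C grep -q '[[:cntrl:]]'; then
            echo "$file:$lineno: control character in entry"; status=1; continue
        fi
        set -- $line                       # word-split on the default IFS
        if [ $# -ne 2 ]; then
            echo "$file:$lineno: expected 2 fields, got $#"; status=1; continue
        fi
        key=$1; value=$2
        case $key in
            /*) ;;
            *) echo "$file:$lineno: key '$key' must start with /"; status=1 ;;
        esac
        case $value in
            /*) ;;
            *) echo "$file:$lineno: value '$value' must be a same-origin path"; status=1 ;;
        esac
        case " $seen " in
            *" $key "*) echo "$file:$lineno: duplicate key '$key'"; status=1 ;;
        esac
        seen="$seen $key"
    done < "$file"
    return $status
}

# Demo on a constructed map: one duplicate and one off-site value slipped in.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# short-cuts generated from the application database (constructed sample)
/it/service1    /long/URL/84
/it/serviceOne  /long/URL/84
/comp1          /long/URL/1
/it/service1    /long/URL/85
/promo          https://example.org/elsewhere
EOF
if lint_redir_map "$demo"; then
    echo "$demo is clean, safe to deploy"
else
    echo "refusing to deploy $demo"
fi
rm -f "$demo"
```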
Adding Configuration parts via File
Hi,

I have ACLs for source IPs for admins for several services. These ACLs are identical for multiple listener sections. Would it be possible to have a file with several acl snippets and source that at the proper section of the config file multiple times? I haven't found anything in the docs that would make this possible.

My wished setup:

admin_acl.conf:

    acl is_admin src 10.0.0.1
    acl is_admin src 10.0.0.2
    acl is_admin src 10.0.0.3
    acl is_admin src 10.0.0.4

haproxy.cfg:

    listen service1
        bind 10.1.0.10:80
        include admin_acl.conf
        more parameters ...

    listen service2
        bind 10.1.0.20:80
        include admin_acl.conf
        more parameters ...

    listen service3
        bind 10.1.0.30:80
        include admin_acl.conf
        more parameters ...

The admin_acl needs to be maintained only once and can be used multiple times. Is this already possible? Could such an include option be made for the config files?

thanks
Philipp
RESEND [PATCH] Testing/ Minor: Add a testcase for my multi-port + multi-server listener
Hi,

I had a patch for my issue with multi-port + multi-server listener that got fixed in 1.7.10 that seems to have gotten forgotten. I add this patch again. Thanks for considering adding it to the test cases.

thanks
Philipp

From 944610de46bb3b23d514a12699690fd2acffc2a2 Mon Sep 17 00:00:00 2001
From: Philipp Kolmann <phil...@kolmann.at>
Date: Tue, 24 Oct 2017 11:32:22 +0200
Subject: [PATCH] Add a testcase for my multi-port + multi-server listener issue

---
 tests/tcp-check.cfg | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/tests/tcp-check.cfg b/tests/tcp-check.cfg
index 16d2836e..56aba53c 100644
--- a/tests/tcp-check.cfg
+++ b/tests/tcp-check.cfg
@@ -13,6 +13,17 @@ listen stats bind : stats uri / +listen multi-tcp-check +bind :80 +mode tcp +option tcp-check +tcp-check connect port 9001 +tcp-check connect port 9002 + +server server1 127.0.0.1: check +server server2 127.0.0.2: check +server server3 127.0.0.3: check + backend tcp9000 option tcp-check server srv 127.0.0.1:9000 check inter 1s
--
2.11.0
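Review bot: the three server lines in the tcp-check.cfg hunk (`+server server1 127.0.0.1: check` and the two below it) deliberately leave the port after the colon empty, so the check port comes solely from `+tcp-check connect port 9001` and `+tcp-check connect port 9002`; that is the whole point of the regression test, but nothing in the file says so. Add a comment line above `+listen multi-tcp-check` naming the case it covers (multi-port tcp-check against servers with no port, the 1.7.10 fix mentioned in the mail) so a future failure is understood. Two smaller points: `+bind :80` needs root to start the test config, so an unprivileged port would let it run as an ordinary user; and unlike the following `backend tcp9000` with `check inter 1s`, the new listener uses the default check interval, so an explicit `inter` would keep the test's turnaround short.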
Re: server template feature
On 23.02.2018 09:57, Aleksandar Lazic wrote:
> Can I run something like this?
>
> ```
> server-template units 1-40 "10.0.8.${num}":"1000${num}" maxconn 2 check
> ```
>
> Because I haven't seen that the iterator is exported, maybe it's not possible.

As I see it from the docs and the haproxy-blog*, there's no usable iterator like that. The blog only leverages this via the stats-API.

*) https://www.haproxy.com/blog/dynamic-configuration-haproxy-runtime-api/
   Scroll down to 'Dynamically Scaling Backend Servers'

Maybe something hiding behind unwritten docs? ;-)

HTH/ciao
--
pb
Re: Haproxy 1.8 version help
On 03.01.2018 17:39, Lukas Tribus wrote:
> To compile Haproxy 1.8 with threads, at least GCC 4.7 is needed. CentOs 6 only ships GCC 4.4.7, therefore compilation fails.

Waaah, thanks for telling me before I tried to rush 1.8 to a customer :-P

Rather not in the mood to make a build-VM with 4.7+ on C6 .. :-} *hint*

ciao
--
pb
Re: Debian upgrade to haproxy 1.7.5: tcp-check fails with Socket error, info: "No port available for the TCP connection"
On 10/04/17 11:38, kolm...@zid.tuwien.ac.at wrote:
> I tested 1.7.9 debian backported as well and it still fails. Is my configuration so out of this world? I would prefer not to have a separate listener for every port I route through haproxy.

Hi,

I tested the latest 1.8.dev3 today and my error with multiple ports being in tcp-check is not there anymore.

I bisected the code and found the commit that fixed my problem:

    f411cce456dabbe3cf6637f2bb11435af0499ae7 is the first fixed commit
    commit f411cce456dabbe3cf6637f2bb11435af0499ae7
    Author: Willy Tarreau <w...@1wt.eu>
    Date:   Wed Oct 4 16:21:19 2017 +0200

        MINOR: checks: don't create then kill a dummy connection before tcp-checks

        When tcp-checks are in use, a connection starts to be created, then it's
        destroyed so that tcp-check can recreate its own. Now we directly move to
        tcpcheck_main() when it's detected that tcp-check is in use.

    :04 04 a4695d29907baeac642ae68e1f7d8776d8b93aea 66a28a0fb9257f20e8513d5c28ca99cb0bd66b72 M src

@Willy: thanks for taking a look at this issue. Is it possible to backport the changes to tcp-check to 1.7?

Additionally I added a multi-port, multi-host listener to the tcp-check test config. See the attached patch file.

thanks
Philipp

--
---
DI Mag. Philipp Kolmann          mail: philipp.kolm...@tuwien.ac.at
Technische Universitaet Wien     web:  www.zid.tuwien.ac.at
Zentraler Informatikdienst (ZID) tel:  +43(1)58801-42011
Wiedner Hauptstr. 8-10, A-1040 Wien   DVR: 0005886
---

From 944610de46bb3b23d514a12699690fd2acffc2a2 Mon Sep 17 00:00:00 2001
From: Philipp Kolmann <phil...@kolmann.at>
Date: Tue, 24 Oct 2017 11:32:22 +0200
Subject: [PATCH] Add a testcase for my multi-port + multi-server listener issue

---
 tests/tcp-check.cfg | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/tests/tcp-check.cfg b/tests/tcp-check.cfg
index 16d2836e..56aba53c 100644
--- a/tests/tcp-check.cfg
+++ b/tests/tcp-check.cfg
@@ -13,6 +13,17 @@ listen stats bind : stats uri / +listen multi-tcp-check +bind :80 +mode tcp +option tcp-check +tcp-check connect port 9001 +tcp-check connect port 9002 + +server server1 127.0.0.1: check +server server2 127.0.0.2: check +server server3 127.0.0.3: check + backend tcp9000 option tcp-check server srv 127.0.0.1:9000 check inter 1s -- 2.11.0
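Review bot: this is the same tcp-check.cfg hunk that was later resent (see the RESEND at the top of this page), and the same remark applies: the `+server serverN 127.0.0.N: check` lines rely on the empty port being filled from `+tcp-check connect port 9001` / `9002`, and `+bind :80` needs root to start the config. A comment above `+listen multi-tcp-check` stating which regression it exercises, plus an unprivileged port, would make the test self-explanatory and runnable by anyone.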
HAProxy and Exchange 2016 MAPI/RPC over HTTP
    discover path_beg -i /Autodiscover/Autodiscover.xml
    acl path_activesync path_beg -i /Microsoft-Server-ActiveSync
    acl path_ews path_beg -i /ews/
    acl path_owa path_beg -i /owa/
    acl path_oa path_beg -i /rpc/rpcproxy.dll
    acl path_ecp path_beg -i /ecp/
    acl path_oab path_beg -i /oab/
    acl path_mapi path_beg -i /mapi/
    acl path_check path_end -i HealthCheck.htm

    http-request deny if path_check
    http-request redirect scheme https code 302 unless ssl_connection
    http-request redirect location /owa/ code 302 if path_slash host_mail

    use_backend autodiscover if path_autodiscover
    use_backend activesync if path_activesync
    use_backend ews if path_ews
    use_backend owa if path_owa
    use_backend oa if path_oa
    use_backend ecp if path_ecp
    use_backend oab if path_oab
    use_backend mapi if path_mapi
    default_backend default

    backend activesync
        option httpchk GET /Microsoft-Server-ActiveSync/HealthCheck.htm
        http-check expect string 200\ OK
        server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check
        server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check

    backend autodiscover
        option httpchk GET /Autodiscover/HealthCheck.htm
        http-check expect string 200\ OK
        server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check
        server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check

    backend ecp
        option httpchk GET /ECP/HealthCheck.htm
        http-check expect string 200\ OK
        server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check
        server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check

    backend ews
        option httpchk GET /EWS/HealthCheck.htm
        http-check expect string 200\ OK
        server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check
        server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check

    backend mapi
        balance source
        option httpchk GET /mapi/HealthCheck.htm
        http-check expect string 200\ OK
        option http-keep-alive
        option prefer-last-server
        timeout server 600s
        server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check
        server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check

    backend oab
        option httpchk GET /OAB/HealthCheck.htm
        http-check expect string 200\ OK
        server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check
        server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check

    backend oa
        balance source
        option httpchk GET /RPC/HealthCheck.htm
        http-check expect string 200\ OK
        option http-keep-alive
        option prefer-last-server
        timeout server 600s
        server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check
        server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check

    backend owa
        option httpchk GET /owa/HealthCheck.htm
        http-check expect string 200\ OK
        server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check
        server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check

    backend default
        timeout server 60s
        server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check
        server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check

Hope someone can help. I've been googling and experimenting for weeks now, but it seems like everybody is using Exchange 2013 and that the people who say they have a working configuration won't post it.

Thanks in advance

Regards
Philipp
Re: Debian upgrade to haproxy 1.7.5: tcp-check fails with Socket error, info: "No port available for the TCP connection"
Hi Lukas,

On 06/19/17 21:23, Lukas Tribus wrote:
> On 19.06.2017 11:27, Philipp Kolmann wrote:
>> This config works in 1.5.8 but fails to tcp-check in 1.7.5. The errors in the logfile look like this:
>>
>>     Jun 19 10:52:57 testha2 haproxy[5042]: Server mail-exchtest-smtp/mbx13a is DOWN, reason: Socket error, info: "No port available for the TCP connection", check duration: 0ms. 3 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
>
> Bug introduced in 95db2bcfee ("MAJOR: check: find out which port to use for health check at run time"), the AF check in line 1521 does not trigger in this case ("tcp-check connect port" configuration).
>
> Partially reverting the check to the old one appears to work, but that's probably not the correct fix.

diff --git a/src/checks.c b/src/checks.c
index 1af862e..5a34609 100644
--- a/src/checks.c
+++ b/src/checks.c
@@ -1518,7 +1518,7 @@ static int connect_conn_chk(struct task *t) conn->addr.to = s->addr; } - if ((conn->addr.to.ss_family == AF_INET) || (conn->addr.to.ss_family == AF_INET6)) { + if (check->port) { int i = 0; i = srv_check_healthcheck_port(check);

thanks for the patch. I added the changed line and rebuilt the Debian package. Now the ports come up again.

> A quick config workaround, that reduces the check to a single port, consists in adding "port 25" to each server configuration (after the check keyword).

Adding the port works for the SMTP setup. For IMAP, where the port is SSL enabled, it still fails:

    listen mail-exchtest-imap
        bind 128.130.xx.yy:143 transparent name imap
        bind 128.130.xx.yy:993 transparent name imaps
        mode tcp
        log-format %ci:%cp\ [%t]\ %ft\ %s\ %si:%sp\ %Tw/%Tc/%Tt\ %B\ %ts\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq
        #balance roundrobin
        #stick-table type ip size 20k peers testha-cluster
        #stick on src
        maxconn 8765
        option tcp-check
        default-server inter 3s rise 2 fall 3
        tcp-check connect port 143
        tcp-check expect string *\ OK
        tcp-check connect port 993 ssl
        tcp-check expect string *\ OK
        server mbx13a 128.130.xx.yy1: maxconn 5000 check ca-file /etc/ssl/certs/ca-certificates.crt port 993
        server mbx13b 128.130.xx.yy2: maxconn 5000 check ca-file /etc/ssl/certs/ca-certificates.crt port 993
        server mbx13c 128.130.xx.yy3: maxconn 5000 check ca-file /etc/ssl/certs/ca-certificates.crt port 993
        server mbx13d 128.130.xx.yy4: maxconn 5000 check ca-file /etc/ssl/certs/ca-certificates.crt port 993

    Jun 29 16:11:26 testha2 haproxy[11469]: Server mail-exchtest-imap/mbx13d is DOWN, reason: Socket error, info: "TCPCHK error establishing connection at step 3", check duration: 4ms. 3 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
    Jun 29 16:11:26 testha2 haproxy[11469]: Server mail-exchtest-imap/mbx13b is DOWN, reason: Socket error, info: "TCPCHK error establishing connection at step 3", check duration: 4ms. 2 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
    Jun 29 16:11:26 testha2 haproxy[11469]: Server mail-exchtest-imap/mbx13a is DOWN, reason: Socket error, info: "TCPCHK error establishing connection at step 3", check duration: 4ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
    Jun 29 16:11:26 testha2 haproxy[11469]: Server mail-exchtest-imap/mbx13c is DOWN, reason: Socket error, info: "TCPCHK error establishing connection at step 3", check duration: 4ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
    Jun 29 16:11:26 testha2 haproxy[11469]: proxy mail-exchtest-imap has no server available!

Thanks
Philipp
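Review bot: in the checks.c hunk, replacing `if ((conn->addr.to.ss_family == AF_INET) || (conn->addr.to.ss_family == AF_INET6))` with `if (check->port)` makes the whole block, including `i = srv_check_healthcheck_port(check);`, run only when an explicit check port is configured, so the run-time port lookup that 95db2bcfee introduced (and whatever error it reports when no port can be found) no longer executes for ordinary INET/INET6 servers that rely on it. Since the failing configuration is the one where the port comes from "tcp-check connect port", a narrower condition that keeps the address-family test and only exempts tcp-check rules carrying their own port would be safer than dropping the family test, which agrees with the author's own remark that this is probably not the correct fix; the later message on this page names f411cce ("don't create then kill a dummy connection before tcp-checks") as the change that actually resolved it.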
RE: Rewriting/redirecting part of URL
On 29.06.2017 13:32, Mark Holmes wrote:
> This worked perfectly - thanks again Philipp - but now the goalposts have moved slightly...
>
> So what I need to do is: if a request comes in for www.old.com/audi/thesite/pages I'd like to redirect to www.new.com/audi/thesite/pages, maintaining everything after the first /.
>
> But if a request comes in for www.old.com/somethingelse I don't want to redirect; it should just end up on www.old.com/somethingelse.
>
> So basically, anything /audi gets redirected maintaining everything after /. Everything else doesn't get redirected.
>
> I can feel some kind of Regex situation here... Grateful for any suggestions.

Just more acl - now on the path:

    acl audimeh path_beg /audi
    acl oldthings hdr(host) -i old.com
    http-request redirect prefix https://new.com if oldthings audimeh

--
pb
Re: Rewriting/redirecting part of URL
On 28.06.2017 19:20, Mark Holmes wrote:
> Note that /audi/page/whatever will change all the time - essentially, I want to preserve whatever comes after the first /, just rewriting the domain part.

I feel bad for "Audi" (shouts from an ex-Daimler one.. :D) now.

With 1.6 you can just do that with 'http-request' and 'prefix':

    acl oldthings hdr(host) -i old.com
    http-request redirect prefix https://new.com if oldthings

HTH,
--
pb
Debian upgrade to haproxy 1.7.5: tcp-check fails with Socket error, info: "No port available for the TCP connection"
Hi,

I have tested the Debian upgrade from jessie to stretch on a test box and now my config doesn't work anymore with haproxy 1.7.5. I also tested it on a jessie box with backported haproxy 1.7.5. I see the same error there.

My config looks like this:

    global
        log /dev/log local0
        log /dev/log local1 notice
        chroot /var/lib/haproxy
        user haproxy
        group haproxy
        daemon
        stats socket /var/run/haproxy-admin.sock user root group root mode 0600 level admin
        stats socket /var/run/haproxy.sock user root group nagios mode 0660
        stats bind-process 1
        maxconn 4
        tune.bufsize 24576
        tune.chksize 24576
        ssl-default-bind-ciphers ECDHE+aRSA+AES256+GCM+SHA384:ECDHE+aRSA+AES128+GCM+SHA256:ECDHE+aRSA+AES256+SHA384:ECDHE+aRSA+AES128+SHA256:ECDHE+aRSA+AES256+SHA:ECDHE+aRSA+AES128+SHA:AES256+GCM+SHA384:AES128+GCM+SHA256:AES128+SHA256:AES256+SHA256:DHE+aRSA+AES128+SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
        ssl-default-bind-options no-sslv3 no-tls-tickets
        tune.ssl.default-dh-param 2048

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        option socket-stats
        option redispatch       # Try another server in case of connection failure
        option contstats        # Enable continuous traffic statistics updates
        option abortonclose
        timeout client 7200s    #alctl: client inactivity
        timeout server 7200s    #alctl: server inactivity
        timeout connect 5s      # 5 seconds max to connect or to stay in queue
        timeout queue 30s       # 30 seconds max queued on load balancer

    peers testha-cluster
        peer testha1 128.130.xx.yy1:1024
        peer testha2 128.130.xx.yy2:1024

    listen mail-exchtest-smtp
        bind 128.130.xx.yy6:25 transparent name smtp
        bind 128.130.xx.yy6:587 transparent name submission
        mode tcp
        log-format %ci:%cp\ [%t]\ %ft\ %s\ %si:%sp\ %Tw/%Tc/%Tt\ %B\ %ts\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq
        balance roundrobin
        stick-table type ip size 20k peers testha-cluster
        stick on src
        maxconn 8765
        option tcp-check
        tcp-check connect port 25
        tcp-check expect string 220
        tcp-check connect port 587
        tcp-check expect string 220
        server mbx13a 128.130.xx.zz1: maxconn 5000 check
        server mbx13b 128.130.xx.zz2: maxconn 5000 check
        server mbx13c 128.130.xx.zz3: maxconn 5000 check
        server mbx13d 128.130.xx.zz4: maxconn 5000 check

This config works in 1.5.8 but fails to tcp-check in 1.7.5. The errors in the logfile look like this:

    Jun 19 10:52:57 testha2 haproxy[5042]: Server mail-exchtest-smtp/mbx13a is DOWN, reason: Socket error, info: "No port available for the TCP connection", check duration: 0ms. 3 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
    Jun 19 10:52:57 testha2 haproxy[5042]: Server mail-exchtest-smtp/mbx13b is DOWN, reason: Socket error, info: "No port available for the TCP connection", check duration: 0ms. 2 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
    Jun 19 10:52:57 testha2 haproxy[5042]: Server mail-exchtest-smtp/mbx13c is DOWN, reason: Socket error, info: "No port available for the TCP connection", check duration: 0ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
    Jun 19 10:52:57 testha2 haproxy[5042]: Server mail-exchtest-smtp/mbx13d is DOWN, reason: Socket error, info: "No port available for the TCP connection", check duration: 0ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
    Jun 19 10:52:57 testha2 haproxy[5042]: proxy mail-exchtest-smtp has no server available!

I haven't found any messages about this bug and how to fix it.

Thanks
Philipp
Re: License questions
On 20.05.2016 16:12, Aleksandar Lazic wrote:
> Maybe off topic and just for my curiosity 'why'.

Lazy developers. Oh so shiny to get client-ip and other info "for free" from the ajp-listener/container. Next to any jboss/tomcat app I get on the table "suffers" from this. There are one/some that added ajp to nginx - and it's a major pain.

> We have faced a lot of problems with ajp with jboss & tomcat after switching to http(s) most of the issues was gone, jfyi ;-).

Beloved ajp ping/pong exhausting the container? :) Oh - please DO NOT add AJP to haproxy :-)

ciao -- pb
Re: Proposal: auto-reload of ACL files
On 29.04.2016 17:27, Chad Lavoie wrote:
> HAProxy sockets support "add acl" to add an ACL entry or "add map" to add to a map. Can be used with "clear acl"/"clear map" to empty the table first to refresh them completely. See https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#9.2-add%20acl for details. If how to use that isn't clear I can provide an example.

Oh, almost there, would love to see an example. (damn, 1.6.html has no chapter 9 anymore) Yet, looks like this would render my proposal void (always good!).

ciao -- pb
Proposal: auto-reload of ACL files
Hi,

I quite like not to reload haproxy every here and there (stats and races..) and make quite some use of 'acl foo .. -f aclfile'. Now feature-creep mounts and aclfile shall be built/extended "on demand" (think of something along fail2ban). Besides losing stats, that can grow into a problem if multiple events within very short times start to reload haproxy.

Following problems with rereading aclfile automatically by haproxy come to mind:
- doing it for every request: disk IO killer
- doing it at fixed intervals: might not suit "every" use-case (and if many aclfiles around, disk IO again)
- passing an option per acl line would likely be a parser hell
- more exotic foobars

My modest proposal would go like that - for starters :) :
- (global) option 'timeout aclfiles 300': will reload "special" aclfile every 300s
- aclfile introduced by -F (instead of -f) will flag it as "special"

which leaves a somewhat race when the special file is written while the reload happens. Maybe better: as above, but plus:
- a flagfile like aclfile.RELOAD has to be present at the 300s mark

Or, in a totally different approach, do what OpenBSD's pf(4) can do, have a "table" that can be manipulated via admin-socket.

Thoughts about it? -- pb
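The admin-socket route the proposal ends on already exists in 1.5 as "add acl", "del acl" and "clear acl" on a file-backed ACL (Chad Lavoie's reply names the first and last). The script below is an added example, not code from this thread or from HAProxy: it keeps a copy of the entries last pushed (the ".applied" file is a convention assumed here) and emits only the "add acl"/"del acl" commands needed to move the live table to the new file contents, so a ban list never passes through the empty state that a clear-then-add refresh would create between the two commands. Assumed paths: /var/run/haproxy-admin.sock for a socket opened with "level admin", /etc/haproxy/banned.lst as the file named in the "-f" ACL; socat is the transport, as elsewhere in this archive.

```shell
#!/bin/sh
# Sync a file-backed ACL into a running HAProxy 1.5 through the admin socket,
# without a reload. Added example; the paths below are assumptions for the demo.
SOCK="${HAPROXY_SOCK:-/var/run/haproxy-admin.sock}"

# acl_entries FILE: first field of every non-blank, non-comment line, sorted
# and de-duplicated (the same view HAProxy takes of an "acl ... -f FILE").
acl_entries() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null | awk 'NF { print $1 }' | sort -u
}

# acl_sync_cmds ACLFILE APPLIED WANTED: print the socket commands that turn
# the live ACL (last pushed from APPLIED) into the contents of WANTED.
# ACLFILE is the path exactly as written in haproxy.cfg: it is the key that
# "add acl" and "del acl" use to select the in-memory table.
acl_sync_cmds() {
    aclfile="$1" applied="$2" wanted="$3"
    cur=$(mktemp) want=$(mktemp)
    acl_entries "$applied" > "$cur"
    acl_entries "$wanted" > "$want"
    # lines only in WANTED (comm -13) become adds, lines only in APPLIED
    # (comm -23) deletes; adds go first so the table never shrinks below
    # either list while the sync is in flight
    comm -13 "$cur" "$want" | awk -v f="$aclfile" '{ print "add acl " f " " $1 }'
    comm -23 "$cur" "$want" | awk -v f="$aclfile" '{ print "del acl " f " " $1 }'
    rm -f "$cur" "$want"
}

# acl_sync_apply ACLFILE APPLIED WANTED: send each command in its own socat
# session (responses are printed), then record WANTED as the applied state.
acl_sync_apply() {
    acl_sync_cmds "$1" "$2" "$3" | while IFS= read -r cmd; do
        printf '%s\n' "$cmd" | socat stdio "$SOCK" || exit 1
    done && cp "$3" "$2"
}

# Typical fail2ban/cron hook, assuming haproxy.cfg contains
#   acl banned src -f /etc/haproxy/banned.lst
# and banned.lst.applied was created empty the first time:
#   acl_sync_apply /etc/haproxy/banned.lst /etc/haproxy/banned.lst.applied /etc/haproxy/banned.lst
```

The runtime additions live only in the process's memory; a later reload loads banned.lst from disk directly, which is consistent because the file is the source of truth here, but the .applied copy must then be refreshed (cp banned.lst banned.lst.applied) so the next sync does not replay entries the new process already has.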
Re: Temporary Maintenance frontend for all port 80/443 ?
On 24.01.2016 17:58, Jeff Buchbinder wrote:
> The way we've done it has been to add a maintenance server to all of our backends, then use the admin socket to iteratively disable all "real" servers for our backends. The maintenance server points all requests to your temporary page. Something like:
>     server maintenance 10.0.5.10:80 backup check inter 15000 rise 2 fall 5

We're doing yet another approach, which is easier to "steer". Watch closely the logic ..

frontend whatever
    acl usrnb nbsrv(usr) gt 0
    acl usr_h_nb nbsrv(usr_h) eq 0
    use_backend usr if usrnb usr_h_nb
    use_backend usr_h

backend usr
    server usr usr021:8080 check downinter 3 fastinter 3000 fall 2

backend usr_h
    server helper localhost:8000 check downinter 3 fastinter 3000 fall 2
    option httpchk GET /maint.txt HTTP/1.1\r\nHost:\ hidden

- NO need to fiddle with haproxy.conf and/or restarts of haproxy itself
- regular ops: usrnb is true, usr_h_nb is false (no maint.txt/nginx)
- irr ops: usrnb is false -> use usr_h (which has its own logic for serving sorry pages)
- maint: "touch maint.txt" -> usr_h_nb is false -> use usr_h (value of usrnb irrelevant)

FTR; nginx.conf snippet:

server {
    listen 8000;
    server_name hidden;
    access_log /var/log/nginx/maint.log main;
    location /maint.txt { access_log off; }
    location / { sorry-pages-things; }
}

HTH, -- pb
Re: [PATCH] Support statistics in multi-process mode
Hi Willy,

On 09/14/15 12:17, Willy Tarreau wrote:
> OK I now found a moment to spare some time on your patch. During my first lecture I didn't understand that it relied on SIGUSR2 to aggregate counters. I'm seeing several issues with that approach :

I never had the intent to look like I did the patch. The original mail is from Hiep Nguyen, hie...@vccloud.vn (CCed). I just wanted to re-raise the topic again, since the mail from Hiep seemed to have drowned and I am interested in this feature.

@Hiep: Please look at Willy's suggestions.

Thanks
Philipp
-- Philipp Kolmann, Zentraler Informatikdienst (ZID), Technische Universitaet Wien
Re: [PATCH] Support statistics in multi-process mode
Hi Willy,

I saw once a message that you forgot about this patch, but never saw any comment on this ever again:

On 04/24/15 12:34, root wrote:
> From: HiepNV <hie...@vccloud.vn>
>
> Signed-off-by: root <hie...@vccloud.vn>
> ---
>  Makefile                  |   4 +-
>  include/proto/shm_proxy.h |  28 +++
>  src/dumpstats.c           |  59 ++-
>  src/haproxy.c             |  48 -
>  src/shm_proxy.c           | 439 ++
>  5 files changed, 571 insertions(+), 7 deletions(-)
>  create mode 100644 include/proto/shm_proxy.h
>  create mode 100644 src/shm_proxy.c

http://comments.gmane.org/gmane.comp.web.haproxy/21470

Could you please recheck if that would be a possible feature?

thanks
Philipp
-- Philipp Kolmann, Zentraler Informatikdienst (ZID), Technische Universitaet Wien
Config-Snippet: provide sorry, we're back later page to general public, but allow administrative access to backend
Hello,

likely that we are not alone with the following requirement:
- provide a sorry-page (maintenance) if backends are unavailable
- have the ability to still access the backend servers from certain ip-addresses (administration after deployment..)
- no restarts of haproxy ;-)

(since this is for several backends chosen by path, there's an additional acl, but I left the repetitions for other backends)

### haproxy.conf
frontend main
    acl backend_usr url_beg /usrpath1 /usrpath2
    acl usrnb nbsrv(be_usr) gt 0
    acl usr_h_nb nbsrv(be_usr_h) eq 0
    acl maints src -f /etc/haproxy/maint_ips.lst
    use_backend be_usr if backend_usr usrnb usr_h_nb
    use_backend be_usr_h if backend_usr usrnb maints
    default_backend be_maint

backend be_usr
    server usr0 172.23.42.80:8000 check

backend be_usr_h
    server usr0 172.23.42.80:8000 check
    option httpchk GET /maint.txt HTTP/1.1\r\nHost:\ hidden

backend be_maint
    option httpchk GET /ok.txt HTTP/1.0
    server maint localhost:8008 check

so the logic is along this:
- normal operation: be_usr is UP; be_usr_h is DOWN (no maint.txt available)
- failure/sorry: be_usr* is DOWN -> be_maint
- maintenance/sorry status: return 200/OK for maint.txt -> be_usr_h is now UP, which violates the first use_backend statement, effectively using be_maint now for everyone whose src-addr isn't in the 'maints' list, and if the backend be_usr is actually up.

Works for me -- looking for comments, improvements or yelling ;-)
--double-p
Override maintainance setting for special source IP
Hi,

we use HAproxy in front of an Exchange 2010 system to balance the load. It works very well. Now we have an issue with one HubTransport server in the Exchange farm. I have set this server to maintenance via admin socket:

    echo disable server mail-intern/htc1 | socat stdio /var/run/haproxy-admin.sock

Config:

listen mail-intern
    bind 128.130.30.55:25 transparent name smtp
    bind 128.130.30.55:80 transparent name http
    bind 128.130.30.55:135 transparent name loc-srv
    bind 128.130.30.55:143 transparent name imap
    bind 128.130.30.55:443 transparent name https
    bind 128.130.30.55:587 transparent name submission
    bind 128.130.30.55:993 transparent name imaps
    bind 128.130.30.55:60001 transparent name RPC_60001
    bind 128.130.30.55:60002 transparent name RPC_60002
    mode tcp
    maxconn 1
    log-format %ci:%cp\ [%t]\ %ft\ %s\ %si:%sp\ %Tw/%Tc/%Tt\ %B\ %ts\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq
    balance leastconn
    stick-table type ip size 10240k expire 60m peers ha-cluster
    stick on src
    server htc1 128.130.30.51: maxconn 1 check
    server htc2 128.130.30.52: maxconn 1 check

All clients are now redirected to htc2 and don't see the troublesome htc1. We now would like to debug this issue and specify special source ip addresses that get routed to htc1 in maintenance mode. Is this possible?

thanks
Philipp
-- Philipp Kolmann, Zentraler Informatikdienst (ZID), Technische Universitaet Wien
Re: Override maintainance setting for special source IP
Hi Baptiste,

On 10.12.14 12:37, Baptiste wrote:
> Which version of HAProxy are you running? In 1.5, you can do:
>     use-server htc1 if { src 10.0.0.1 }
> add as many IPs as needed.

Yes I am on 1.5 already. This use-server directive is specified in the config file? Or can I push this change via admin-socket?

thanks
Philipp
-- Philipp Kolmann, Zentraler Informatikdienst (ZID), Technische Universitaet Wien
Re: Modify http response code
On 10.12.2014 14:55, Dennis Jacobfeuerborn wrote:
> Hi, is there a way to modify the http code of a response? Right now I use a backup server to deliver a static maintenance page but I want it to be delivered with a 503 code instead of 200. Is there a way to modify the response code like this?

I did this approach, e.g. using a dedicated backend instead of 'backup'. Shortened snippet, but you'd get the idea.

frontend man
    default_backend man-maint
    acl www1nb nbsrv(man-www1) gt 0
    use_backend man-www1 if www1 www1nb

backend man-maint
    rsprep ^HTTP/1.1\ 200\ OK HTTP/1.0\ 503\ Service\ Unavailable
    server local_maint localhost:8001
Re: mixup in stats summary (4xx/5xx)?
If you missed it: http://marc.info/?l=haproxy&m=141561304511354&w=2

Anyone?

On 10.11.2014 10:49, Philipp wrote:
> Hello, this is confusing me and maybe someone could shed some light (or reasoning) into the count/sums for the http-responses from frontend and backends.
mixup in stats summary (4xx/5xx)?
Hello,

this is confusing me and maybe someone could shed some light (or reasoning) into the count/sums for the http-responses from frontend and backends. I've verified this over several days on two machines - both running 1.5.8. The numbers are taken with one call to the stats socket, so there shouldn't be a race, and since I took them several times over days, I doubt that in the first place. Both frontends have the same configuration to use one backend; it's only two frontends because of non-SNI for the second one. There's nothing fancy like errorloc or similar; also no 'backup' server in the game.

Numbers (fixed width font will help for formatting):

# pxname      svname     hrsp_2xx  hrsp_3xx  hrsp_4xx  hrsp_5xx
ssl-de-pub    FRONTEND    1654865    235773    122367       189
ssl-cz-pub    FRONTEND     294862     24546     15047        20
be1-live      ngx-gf21     839557    127672     18333        82
be2-live      ngx-gf22     760222    130858     18397        59
bend-live     BACKEND     1599779    258530     37021       209

Observations:
- hrsp_2xx and 3xx from be1-live+be2-live sum up to the number of bend-live.
- hrsp_4xx sums to something smaller (always) than in bend-live.
- hrsp_5xx of bend-live always matches the sum of the FRONTENDs. That's puzzling most.

I've read chapter 9 in wall-of-text up+down and can't reason it from that. Two questions:
- why the higher count for bend-live on hrsp_4xx?
- why is hrsp_5xx the sum from the frontends? Like being said, that's not just a lucky match.

TIA.
--Philipp
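An added example for checking exactly this kind of discrepancy on a live box (it is not part of Philipp's post and not HAProxy tooling): an awk pass over the "show stat" CSV that locates the hrsp_* columns by header name, sums the server rows of each backend and prints the difference to the BACKEND row. A positive delta is the share of responses booked on the backend row that no server row accounts for, which is what the table above shows for 4xx. The sample CSV is constructed and trimmed to a few columns; the real "show stat" output has many more, which the header lookup handles.

```shell
#!/bin/sh
# Cross-check HAProxy "show stat" counters: per backend, compare the sum of
# the servers' hrsp_Nxx columns with the BACKEND row. Added example, not
# HAProxy code.

# hrsp_consistency [FILE]: read "show stat" CSV from FILE or stdin and print
#   <backend> <counter> servers=<sum> backend=<row value> delta=<row - sum>
hrsp_consistency() {
    awk -F, '
        /^# pxname/ {                 # header line: map column names to indexes
            sub(/^# /, "")
            for (i = 1; i <= NF; i++) col[$i] = i
            next
        }
        /^#/ || NF < 2 { next }       # other comments and blank lines
        {
            px = $col["pxname"]; sv = $col["svname"]
            for (k = 2; k <= 5; k++) {
                name = "hrsp_" k "xx"
                v = $col[name] + 0
                if (sv == "BACKEND") { be[px, name] = v; seen[px] = 1 }
                else if (sv != "FRONTEND") srv[px, name] += v
            }
        }
        END {
            for (px in seen)
                for (k = 2; k <= 5; k++) {
                    name = "hrsp_" k "xx"
                    printf "%s %s servers=%d backend=%d delta=%d\n", px, name, srv[px, name], be[px, name], be[px, name] - srv[px, name]
                }
        }' "$@"
}

# Constructed sample in "show stat" shape (not the numbers from the post):
# the two servers 4xx sum (40 + 45) is below the BACKEND row (90), the
# pattern described above, while 2xx, 3xx and 5xx add up exactly.
sample_stat() {
    cat <<'EOF'
# pxname,svname,qcur,hrsp_2xx,hrsp_3xx,hrsp_4xx,hrsp_5xx,hrsp_other,
web-pub,FRONTEND,0,1000,200,95,30,0,
bend-live,ngx-gf21,0,500,100,40,15,0,
bend-live,ngx-gf22,0,500,100,45,15,0,
bend-live,BACKEND,0,1000,200,90,30,0,
EOF
}

# Live use against the stats socket from the configs in this archive:
#   echo "show stat" | socat stdio /var/run/haproxy.sock | hrsp_consistency
```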
Session counter doesnt increase for stats socket
Hi,

I have several haproxy installations running on HAProxy version 1.5.4, released 2014/09/02 (Debian package) and I see no counting up on the stats socket session counter. The bytes counter counts up on every reload, but the sessions total stays and doesn't get updated on every reload (as I was used to have).

listen stats
    bind 128.130.XX.XX:80 name IPv4
    bind 2001:629:XX::XX:80 transparent name IPv6
    mode http
    stats enable
    stats realm Haproxy\ Statistics
    stats uri /
    acl stats-access src 127.0.0.1
    acl stats-access src 128.130.XX.XX
    acl stats-access src 2001:629:XX::XX   # wspk.zid
    http-request deny if ! stats-access

thanks
Philipp
-- Philipp Kolmann, Zentraler Informatikdienst (ZID), Technische Universitaet Wien
Re: [ANNOUNCE] haproxy-1.5.0
On 19.06.2014 21:54, Willy Tarreau wrote:
> Today is a great day, the reward of 4 years of hard work. I'm announcing the release of HAProxy 1.5.0.

A *BIG* Thank-You to all of those who contributed to this major milestone. Customers will be so happy to learn that their over-a-year-in-production software is now labelled 'production-ready' ;-))) Keep up the work, but maybe smaller steps to future releases would be nice ;-).
Re: SAProuter behind HAproxy
Hi Lukas,

On 05/15/14 20:12, Lukas Tribus wrote:
>> I can login in the SAP-Gui and a connection is established:
>> May 15 10:10:54 ha1 haproxy[2294]: 128.130.YY.61:50947 [15/May/2014:10:10:54.680] router-zap router-12a 128.130.XXX.63:3299 1/30/86 3306 -- 0/0/0/0/0 0/0
>> and then the connection is dropped and I see an error in the GUI:
>> May 15 10:12:04 ha1 haproxy[2294]: 128.130.YY.61:50948 [15/May/2014:10:10:54.789] router-zap router-12a 128.130.XXX.63:3299 1/0/69959 19629 sD 0/0/0/0/0 0/0
>
> sD means (from the docs [1]):
>   The server did not send nor acknowledge any data for as long as the timeout server setting during the data phase. This is often caused by too short timeouts on L4 equipments before the server (firewalls, load-balancers, ...), as well as keep-alive sessions maintained between the client and the server expiring first on haproxy.
> Does the description ring any bell (firewall with short timeouts, etc)? Still, its strange, because timeout server is configured with 2 hours in your case.

Well, the strange thing is that between HAproxy and the SAProuter box (windows machine) there is no firewall or anything. Same subnet. If the client connects directly to the SAProuter windows box, everything works as expected. So I doubt that the issue is behind the SAProuter, but somewhere within HAproxy, or some config.

> Can you:
> - post the output of ./haproxy -vv

root@ha1:~# haproxy -vv
HA-Proxy version 1.5-dev24-8860dcd 2014/04/26
Copyright 2000-2014 Willy Tarreau <w...@1wt.eu>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1g 7 Apr 2014
Running on OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.30 2012-02-04
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

> - do a show errors [2] on the admin socket after a failure

Nothing shown here :(

root@ha1:~# echo show errors | socat stdio /var/run/haproxy-admin.sock
Total events captured on [16/May/2014:09:01:22.717] : 0
root@ha1:~#

> - provide a tcpdump capture of the backend session (full packets with -s0, but mind proprietary and authentication data)

I have attached the dmp of

    tcpdump -s0 -w haproxy.backend.dmp host router-12a.zap.tuwien.ac.at or host router-12b.zap.tuwien.ac.at

Thanks
Philipp
-- Philipp Kolmann, Zentraler Informatikdienst (ZID), Technische Universitaet Wien

Attachment: haproxy.backend.dmp.gz (application/gzip)
Re: SAProuter behind HAproxy
On 05/16/14 09:19, Cyril Bonté wrote:
> Hi,
> On 15/05/2014 20:12, Lukas Tribus wrote:
>> Still, its strange, because timeout server is configured with 2 hours in your case.
> I answer quickly and will look at this thread tonight too, but this is not true : the configuration is confusing because it declares
>     timeout client 7200s #alctl: client inactivity
> then
>     srvtimeout 5
> Philipp, please remove this second one from your configuration.

Merci Cyril, I didn't see that line. It was in the original Debian package and it slipped when I added my custom lines... Now it seems stable. And the 50 secs were quite the right timeout, then it happened. At least the fast check now suggests that it works as expected.

Thanks a lot,
Philipp
-- Philipp Kolmann, Zentraler Informatikdienst (ZID), Technische Universitaet Wien
SAProuter behind HAproxy
Hi,

has anyone achieved to load-balance a SAProuter behind a HAproxy? SAProuter is a little piece of software that takes a TCP session on port 3299 and forwards it to the backend SAP-ERP systems. It has one frontend IP and one TCP port. As far as I see it, it should be quite easy to put HAproxy before this setup? I have the following config:

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    stats socket /var/run/haproxy.sock user root group nagios mode 0660
    stats socket /var/run/haproxy-admin.sock user root group root mode 0600 level admin
    stats bind-process 1
    maxconn 4
    tune.bufsize 24576
    tune.chksize 24576

defaults
    log global
    mode http
    option httplog
    option dontlognull
    option socket-stats
    option redispatch     # Try another server in case of connection failure
    option contstats      # Enable continuous traffic statistics updates
    option abortonclose
    timeout client 7200s  #alctl: client inactivity
    timeout server 7200s  #alctl: server inactivity
    timeout connect 5s    # 5 seconds max to connect or to stay in queue
    timeout queue 30s     # 30 seconds max queued on load balancer
    srvtimeout 5
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

listen stats
    bind 128.130.XXX.61:80
    mode http
    stats enable
    stats realm Haproxy\ Statistics
    stats uri /
    acl stats-access src 127.0.0.1
    block if ! stats-access

peers zapha-cluster
    peer ha1 128.130.XXX.61:1024
    peer ha2 128.130.XXX.62:1024

listen router-zap
    bind 128.130.XXX.60:3299 transparent name saprouter
    mode tcp
    log-format %ci:%cp\ [%t]\ %ft\ %s\ %si:%sp\ %Tw/%Tc/%Tt\ %B\ %ts\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq
    balance roundrobin
    stick-table type ip size 20k peers zapha-cluster
    stick on src
    maxconn 8765
    server router-12a 128.130.XXX.63: maxconn 5000 check
    server router-12b 128.130.XXX.64: maxconn 5000 check

I can login in the SAP-Gui and a connection is established:

May 15 10:10:54 ha1 haproxy[2294]: 128.130.YY.61:50947 [15/May/2014:10:10:54.680] router-zap router-12a 128.130.XXX.63:3299 1/30/86 3306 -- 0/0/0/0/0 0/0

and then the connection is dropped and I see an error in the GUI:

May 15 10:12:04 ha1 haproxy[2294]: 128.130.YY.61:50948 [15/May/2014:10:10:54.789] router-zap router-12a 128.130.XXX.63:3299 1/0/69959 19629 sD 0/0/0/0/0 0/0

Has anyone an idea if this setup is possible?

thanks
Philipp
-- Philipp Kolmann, Zentraler Informatikdienst (ZID), Technische Universitaet Wien
Re: haproxy for ajp (tomcat)?
On 25.04.2014 19:19, Paul Hirose wrote:
> I was wondering if anyone uses haproxy for http - ajp (tomcat)

Don't go there, the proposed gains of AJP over HTTP are not relevant today. It's been a while so I don't have the numbers around any more, but we did some thorough testing of apache/ajp against nginx/http and unless you have a very small link to the backend (tomcat/jboss) the overall response time differs only by academic measures. BUT you need to test it, esp. for cases like https/http offloading. AJP includes some headers automatically and the web-container and application may rely on that.
Re: Recommended strategy for running 1.5 in production
On 16.04.2014 17:40, Willy Tarreau wrote:
> I think you summarized very well how to carefully use a development version in prod. That requires a bit of care, but with that you can get both nice features and quick fixes.

Indeed :)

> After 1.5 is released, I'd like to switch to a faster and more regular release cycle with less constraints on the features.

And with above said: I, personally, give a rats a** if a version is called alpha, rc123, -dev or whatever fancy version string it has. Test the thing and find out the hairy bits after it hits production :-) I was sooo often burned by "oh, finally release" and then it was worse than the RC before the actual release whatsoever. My kudos to Willy and the other developers of haproxy, awesome work overall AND in the nitbits :-).
Fwd: Re: Recommended strategy for running 1.5 in production
Missed the reply-to :)

-------- Original message --------
Thanks for the data point, Philipp. If you resend your reply to the list, that might be useful for people other than just me :-)
J

On 15 April 2014 09:26, Philipp <e1c1bac6253dc54a1e89ddc046585...@posteo.net> wrote:
> On 14.04.2014 23:27, Jonathan Matthews wrote:
>> What do /you/ do, fellow sysadmins? How do you run, upgrade and maintain confidence in your chosen version of 1.5 in production?
>
> We run 1.5-dev19 (2013/06/17) in production. The last restart was 28 days ago and the two peers cluster delivered around 100GB of traffic with some 25 million http/200 in this period (as of hatop). I had no visible bug since installing this version and thus I am not upgrading :-). (on a sidenote, no openssl 1.0.1 so not bleeding ;-) )
Re: FYI: OpenSSL's CVE-2014-0160
On 08.04.2014 10:31, duncan hall wrote:
> You can test if you are vulnerable here: http://filippo.io/Heartbleed/

Or test yourself (without leaking information to some website): http://s3.jspenguin.org/ssltest.py

RHEL/CentOS has an update (cherrypick fix) to 1.0.1e-16.el6_5.7
reqrep with a match/backref into Host: header?
Hi,

current functional setup:

frontend f
    acl ssfc_dev hdr(host) -m str dev.example.com
    acl ssfc_img hdr(host) -m str img.example.com
    [..]
    reqrep ^GET[\ \t]*/(.*) GET\ /dev.example.com/\1 if ssfc_dev
    reqrep ^GET[\ \t]*/(.*) GET\ /img.example.com/\1 if ssfc_img

the backend webserver treats that accordingly. So far so good.. but given that this list will grow over time, it'll be a bit of a pain to manage this. Is there any way to make that happen by dynamic matches instead of a 1:1 acl/reqrep pairing? Generating such a config isn't that much of a problem, but it lacks elegance in my eyes ;-)

TIA
GIT RSS and ATOM feeds links
Hi Willy,

thanks a lot for haproxy. It's a great piece of software.

I wanted to add the RSS feed [1] of the git log to my browser, which works fine. Only issue is that the link references port 81:

    <link>http://git.1wt.eu:81/web?p=haproxy.git;a=commitdiff;h=472b1ee115f45129ea3fc19e26f85b3ec9715abe</link>

but this port is not open. If you got some seconds to spare maybe you could fix this.

thanks
Philipp

[1] http://git.1wt.eu/web?p=haproxy.git;a=rss
-- Philipp Kolmann, Zentraler Informatikdienst (ZID), Technische Universitaet Wien
Re: IPv6 vrrp and bind transparent
On 2013-03-27 11:22, Lukas Tribus wrote:
> What kernel are you running? You need at least 2.6.37 to do this with non-local IPv6 binds.

Thanks to Lukas and Emeric, that was exactly the issue. Thanks for pointing me to the right direction.

Philipp
IPv6 vrrp and bind transparent
Hi,

I am new to the list. Please excuse if this has been discussed before, but I didn't find it in the archives.

I have 2 linux boxes sharing ipv4 addresses for high available LDAP access to our AD infrastructure with keepalived and then forwarding the requests to our 3 AD servers. With ipv4 it works without issues:

listen dc-intern-ldap
    bind 128.130.30.20:389 transparent
    mode tcp
    option tcplog
    log global
    balance leastconn
    server dc01 128.130.30.21:389 maxconn 5000 check
    server dc02 128.130.30.22:389 maxconn 5000 check
    server dc03 128.130.30.23:389 maxconn 5000 check

If 128.130.30.20 is not assigned on the secondary node, nothing fails. When keepalived switches over, everything works as expected.

With 1.5-dev13 I read the ipv6 transparent works now as well:

listen dc-intern-ldap-v6
    bind 2001:629:1005:30::20:389 transparent
    mode tcp
    option tcplog
    log global
    balance leastconn
    server dc01 2001:629:1005:30::21:389 maxconn 5000 check
    server dc02 2001:629:1005:30::22:389 maxconn 5000 check
    server dc03 2001:629:1005:30::23:389 maxconn 5000 check

Sadly, this fails on the secondary server, since 2001:629:1005:30::20 is not currently active:

Starting haproxy: haproxy[ALERT] 085/083351 (31506) : Starting proxy dc-intern-ldap-v6: cannot bind socket [2001:629:1005:30::20:389] failed!

Have I done something wrong? I would like to also provide IPv6 access to our LDAP infrastructure (and www later on as well).

thanks
Philipp
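A preflight for the kernel requirement named in the reply to this post (2.6.37 or newer for a non-local IPv6 bind with "transparent"), as an added example that is not part of the thread and not HAProxy code: kver_ge compares dotted kernel version strings, ignoring distribution suffixes, and ipv6_transparent_preflight runs it against uname -r and reports whether the given VIP is currently local (active node) or not (standby, where only "transparent" lets haproxy bind it). The VIP in the usage comment is the one from the post and is an assumed input here; the version strings exercised are constructed.

```shell
#!/bin/sh
# Preflight for HAProxy "bind <ipv6-vip>:<port> transparent" on a keepalived
# standby: binding a non-local IPv6 address needs Linux 2.6.37 or newer.
# Added example, not HAProxy code.

# kver_ge HAVE NEED: succeed when version string HAVE is >= NEED.
# Suffixes such as "-4-amd64" are dropped; missing components count as 0.
kver_ge() {
    awk -v have="$1" -v need="$2" 'BEGIN {
        sub(/[^0-9.].*/, "", have); sub(/[^0-9.].*/, "", need)
        nh = split(have, h, "."); nn = split(need, n, ".")
        m = (nh > nn) ? nh : nn
        for (i = 1; i <= m; i++) {
            a = (i <= nh) ? h[i] + 0 : 0
            b = (i <= nn) ? n[i] + 0 : 0
            if (a > b) exit 0
            if (a < b) exit 1
        }
        exit 0
    }'
}

# ipv6_transparent_preflight VIP: check the running kernel, then report
# whether VIP is configured locally (active node) or not (standby node,
# where the bind relies on "transparent").
ipv6_transparent_preflight() {
    vip="$1"
    kver=$(uname -r)
    if ! kver_ge "$kver" 2.6.37; then
        echo "kernel $kver < 2.6.37: non-local IPv6 bind is not supported here" >&2
        return 1
    fi
    if ip -6 addr show 2>/dev/null | grep -q "inet6 $vip/"; then
        echo "kernel $kver ok; $vip is local on this node"
    else
        echo "kernel $kver ok; $vip is not local, bind relies on 'transparent'"
    fi
}

# Run on both keepalived nodes before starting haproxy (VIP from the post,
# assumed here):
#   ipv6_transparent_preflight 2001:629:1005:30::20
```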