Re: HaProxy X-Frame-Options with SAMEORIGIN & ALLOW-FROM

2017-03-16 Thread Thomas Heil
Hi,


On 16.03.2017 08:51, Jarno Huuskonen wrote:
> Hi,
> 
> On Thu, Mar 16, Devendra Joshi wrote:
>> Any one one know how to set X-Frame-Options with SAMEORIGIN & ALLOW-FROM in
>> HaProxy
>>
>> I added one setting in haproxy config file but showing error.
>>
>> acl main_site req.hdr(Host) http://www.abc.com
>> http-response add-header X-Frame-Options:\ ALLOW-FROM\ http://oms.abc.com if
>> main_site
>> http-response add-header X-Frame-Options:\ SAMEORIGIN if ! main_site
> 
> http-response add-header X-Frame-Options ALLOW-FROM\ http://oms.abc.com if main_site
> http-response add-header X-Frame-Options SAMEORIGIN if ! main_site
> (https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4-http-response)
> 
> (but AFAIK the request acl won't work on http-response rule).

Just for your info. In haproxy 1.6 and higher you can do something like this
--
frontend fe_default

..

capture request header Host len 128

# txn.* variables live for the whole transaction, so the request Host is
# still available when the http-response rules are evaluated
http-request set-var(txn.Host) req.hdr(Host)
acl main_site var(txn.Host) -m dom -i www.abc.com

http-response set-header X-Frame-Options 'ALLOW-FROM http://oms.abc.com' if main_site
http-response set-header X-Frame-Options 'SAMEORIGIN' if !main_site
---

cheers,
thomas


> 
> -Jarno
> 
>>
>> Error is :
>> [ALERT] 074/100716 (29069) : parsing [/opt/haproxy-ssl/haproxy.cfg:42]:
>> 'http-response add-header' expects exactly 2 arguments.
>> [ALERT] 074/100716 (29069) : parsing [/opt/haproxy-ssl/haproxy.cfg:43]:
>> 'http-response add-header' expects exactly 2 arguments.
>>
>> Please suggest what syntax should i use for this.
>> I am using HA-Proxy version 1.5.14
> 
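
Added example, not part of the thread: a Python model of the header policy the rules above aim for, with a small response checker to verify what the frontend actually emits. The host names www.abc.com and oms.abc.com come from the thread; the sample responses and everything else are constructed. Two practitioner points are encoded in it: "-m dom" matches any dot-delimited portion of the Host, so www.abc.com.example.test would also count as main_site (use -m str for an exact match); and ALLOW-FROM was only ever honoured by Firefox (removed in version 70) and Internet Explorer/Edge, while Chromium ignores the whole header when it sees that directive, so the Content-Security-Policy frame-ancestors directive is what enforces the policy in current browsers.

```python
"""Added example: model of the thread's X-Frame-Options policy and a checker
for the responses the frontend produces.  Not code from the original thread."""
from typing import Dict, Tuple

MAIN_SITE = "www.abc.com"         # host that may be framed, from the thread
FRAMER = "http://oms.abc.com"     # the only origin allowed to frame it, from the thread


def dom_match(subject: str, pattern: str) -> bool:
    """Emulate HAProxy's '-m dom -i': the pattern must occur in the subject
    delimited by dots or by the start/end of the string, case-insensitively.
    This is looser than equality: 'www.abc.com.example.test' matches too."""
    s, p = subject.lower(), pattern.lower()
    start = 0
    while True:
        i = s.find(p, start)
        if i < 0:
            return False
        end = i + len(p)
        if (i == 0 or s[i - 1] == ".") and (end == len(s) or s[end] == "."):
            return True
        start = i + 1


def policy_headers(host: str) -> Dict[str, str]:
    """Headers the frontend should set for a request Host.  ALLOW-FROM is only
    honoured by Firefox < 70 and IE/Edge; Chromium drops the whole header on an
    unknown directive, so frame-ancestors is what protects modern browsers."""
    host = host.split(":", 1)[0]                       # Host may carry a port
    if dom_match(host, MAIN_SITE):
        return {"X-Frame-Options": f"ALLOW-FROM {FRAMER}",
                "Content-Security-Policy": f"frame-ancestors {FRAMER}"}
    return {"X-Frame-Options": "SAMEORIGIN",
            "Content-Security-Policy": "frame-ancestors 'self'"}


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Minimal HTTP/1.1 response head parser -> (status, {lower-name: value})."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_response(host: str, raw: bytes) -> Dict[str, bool]:
    """Per policy header: does the captured response carry the expected value?"""
    _, headers = parse_response(raw)
    return {name: headers.get(name.lower()) == value
            for name, value in policy_headers(host).items()}


# Constructed responses: one as the rules intend, one from a rule set that
# always ends up with SAMEORIGIN on the main site.
SAMPLE_OK = (b"HTTP/1.1 200 OK\r\n"
             b"X-Frame-Options: ALLOW-FROM http://oms.abc.com\r\n"
             b"Content-Security-Policy: frame-ancestors http://oms.abc.com\r\n"
             b"Content-Length: 0\r\n\r\n")
SAMPLE_BAD = b"HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print(check_response("www.abc.com", SAMPLE_OK))
    print(check_response("www.abc.com", SAMPLE_BAD))
```

Run it against captures taken with curl -si from both host names; a False for X-Frame-Options on the main site means the SAMEORIGIN rule fired after the ALLOW-FROM one.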






Re: SSL acl

2017-01-06 Thread Thomas Heil
Hi,

On 05.01.2017 18:51, Steven De Roover wrote:
> Dear
> 
> I have router running OpenWRT, which has haproxy 1.5.14-13 running.
> 

which release are you running? 1.5.14-13 is somewhat old.

> My main goal for using haproxy is having a reverse proxy to handle all
> my (sub)domains.

should be possible.

> 
> Now, I also wanted to start using SSL certificates. However, I cannot
> seem to configure ACL's to let decide which server to use.
> 

> The documentation states to use "ssl_fc_sni".  Is that correct?
> 
if you have more than one certificate, then it's correct.


> Is this something I should manage to get working, with this version of
> haproxy?

Would you please be so kind as to share your config and give us the output
of haproxy -vv?


> 
> With best regards
> Steven De Roover

cheers,
thomas
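
Added example, not from the thread: how the SNI that ssl_fc_sni exposes is located in the bytes. ssl_fc_sni is only populated on a bind line with "ssl" (HAProxy terminated the handshake); in "mode tcp" without a certificate the equivalent is req.ssl_sni, which needs "tcp-request inspect-delay" so the ClientHello has arrived before the ACL is evaluated. The parser below does what either fetch does, over a ClientHello produced by the constructed helper; the host names are made up.

```python
"""Added example (not from the thread): build a minimal TLS ClientHello and
pull the SNI host name out of it, as HAProxy's req.ssl_sni / ssl_fc_sni do."""
import struct
from typing import Optional


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a TLS 1.2 ClientHello record; only used to produce test input."""
    ext = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(sni_list)) + sni_list        # ext type 0 = server_name
    body = (b"\x03\x03" + bytes(32)                                    # client_version, random
            + b"\x00"                                                  # session_id: empty
            + struct.pack("!H", 2) + b"\xc0\x2f"                       # one cipher suite
            + b"\x01\x00"                                              # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension, or None if the bytes
    are not a ClientHello or carry no SNI.  Every length field is bounds-checked
    because the peer controls all of them; a truncated record raises ValueError
    (a real proxy keeps reading until the whole record has arrived)."""
    def rd(buf: bytes, off: int, n: int) -> bytes:
        if off + n > len(buf):
            raise ValueError("truncated ClientHello")
        return buf[off:off + n]

    if len(record) < 5 or record[0] != 0x16:            # ContentType handshake
        return None
    rec_len = struct.unpack("!H", rd(record, 3, 2))[0]
    hs = rd(record, 5, rec_len)
    if len(hs) < 4 or hs[0] != 0x01:                    # HandshakeType client_hello
        return None
    body = rd(hs, 4, int.from_bytes(hs[1:4], "big"))
    off = 2 + 32                                         # skip version + random
    off += 1 + rd(body, off, 1)[0]                       # session_id
    off += 2 + struct.unpack("!H", rd(body, off, 2))[0]  # cipher_suites
    off += 1 + rd(body, off, 1)[0]                       # compression_methods
    if off == len(body):                                 # no extensions block at all
        return None
    end = off + 2 + struct.unpack("!H", rd(body, off, 2))[0]
    off += 2
    rd(body, 0, end)                                     # extensions must fit the body
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        off += 4
        if off + elen > end:
            raise ValueError("extension overruns extensions block")
        data = body[off:off + elen]
        if etype == 0:                                   # server_name
            list_len = struct.unpack("!H", rd(data, 0, 2))[0]
            p = 2
            while p + 3 <= min(len(data), 2 + list_len):
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                name = rd(data, p, name_len)
                if name_type == 0:                       # host_name
                    return name.decode("ascii")          # non-ASCII is not a valid SNI
                p += name_len
            return None
        off += elen
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("mail.example.test")))
```

A request with no SNI (old clients, or a connection made to a bare IP) yields None, which is why a routing ACL on the SNI needs a default backend and not only use_backend rules.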



Re: problem building haproxy 1.6.9 on ar71xx

2016-11-14 Thread Thomas Heil
Hi,

On 14.11.2016 18:26, Willy Tarreau wrote:
> Hi Thomas,
> 
> On Fri, Nov 11, 2016 at 05:33:55PM +0100, Thomas Heil wrote:
>>> Lede has OPENSSL_WITH_DEPRECATED menuconfig [1], which defaults to yes
>>> (so a default LEDE build should be fine).
>>>
>>> Can you confirm your config has OPENSSL_WITH_DEPRECATED = y?
>>>
>>
>> Wow, nice hint. Well I added OPENSSL_WITH_DEPRECATED as a dependency now
>>
>>> Also can you post the output of "openssl version -a" please? That would
>>> have to come from the executable though; so on the destination machine
>>> in your cross-compile situation.
>>>
>>>
>> will do that later.
> (...)
> 
> And for what it's worth, we do use haproxy-1.6 and openssl-1.0.2 on
> the GL-iNet platform without any problem. It's ath79-based, which is
> nothing more than an updated ar71xx (a mips-24kc as well, AR9331 to
> be exact). We do it on our own distro however, building openssl for
> OS "linux-generic32". So I think Lukas is right, you might be missing
> some deprecated stuff.

indeed, that was the solution. I recently pushed the new package and the
buildbots
are happy now.

> 
> Also you may want to check if openwrt's openssl doesn't have some patches
> to strip down the resulting libraries by removing useless stuff, which
> would cause the issue you're facing.
> 

I've checked it, but the issue was that we need OPENSSL_DEPRECATED=y

> Cheers,
> Willy
> 
> 
thank you

cheers
thomas



Re: problem building haproxy 1.6.9 on ar71xx

2016-11-11 Thread Thomas Heil
Hey Lukas,

On 10.11.2016 23:03, Lukas Tribus wrote:
> Hi Thomas,
> 
> 
> Am 10.11.2016 um 22:20 schrieb Thomas Heil:
>>
>>> Also see:
>>> https://www.openssl.org/docs/man1.1.0/crypto/ERR_remove_state.html
>>>
>> hmm, did I read correctly that this function does nothing?
> 
> It does nothing in openssl 1.1.0, as it isn't required in that branch.
> However it is required in earlier openssl branches, like 1.0.1 or 1.0.2
> though. So in your case (1.0.2) it's badly needed.
> 

understood thanks.

> 
> 
>>
>>>
>>>> OpenSSL version is 1.0.2j.
>>> I assume this is a non-standard build, maybe with the no-deprecated
>>> option or something?
>>>
>> Could you define standard build? I am cross-compiling with the Lede /
>> OpenWrt.
> 
> 
> Lede has OPENSSL_WITH_DEPRECATED menuconfig [1], which defaults to yes
> (so a default LEDE build should be fine).
> 
> Can you confirm your config has OPENSSL_WITH_DEPRECATED = y?
> 

Wow, nice hint. Well I added OPENSSL_WITH_DEPRECATED as a dependency now

> Also can you post the output of "openssl version -a" please? That would
> have to come from the executable though; so on the destination machine
> in your cross-compile situation.
> 
> 
will do that later.
> 
> 
> Regards,
> Lukas
> 

thx. and a nice weekend
> 
> [1]
> https://github.com/lede-project/source/commit/db11695aa66ac49b8a52f97059697f52b6a3a893
> 
> 
> 
> 
> 

thomas



Re: problem building haproxy 1.6.9 on ar71xx

2016-11-10 Thread Thomas Heil
Hey,
On 10.11.2016 19:13, Lukas Tribus wrote:
> Hi,
> 
> 
> Am 10.11.2016 um 18:27 schrieb Thomas Heil:
>> Hi,
>>
>> I am facing a problem when building haproxy 1.6.9 with ssl for mips_24kc
>> with musl 1.1.15.
>> Openssl was building fine, but the function "ERR_remove_state(0)" does
>> not exist, while
>> ERR_remove_thread_state(0); is available.
>>
>> So does anybody know what the difference between them is?
> 
> Also see:
> https://www.openssl.org/docs/man1.1.0/crypto/ERR_remove_state.html
> 
hmm, did I read correctly that this function does nothing?
> 
> ERR_remove_state() was deprecated in OpenSSL 1.0.0
> ERR_remove_thread_state() was deprecated in OpenSSL 1.1.0
> 
> 
> By just switching from one call to the other we break 0.9.8
> compatibility, which is kind-of OK for haproxy 1.7 but not at all for
> haproxy 1.6.
> 

ah okay.

> 
> 
>> OpenSSL version is 1.0.2j.
> 
> I assume this is a non-standard build, maybe with the no-deprecated
> option or something?
> 

Could you define standard build? I am cross-compiling with the Lede / OpenWrt.

> Deprecated calls are still supposed to work; and OpenSSL 1.0.2 is widely
> used.

I don't think so.

> In fact, I assume haproxy 1.7-dev6 with openssl 1.1.0 support still
> builds fine even with ERR_remove_state(), otherwise Dirkjan would have
> patched this already.
> 

So maybe it's a cross-compiling issue. I just want to be sure.

> 
> 
> Lukas
> 
> 
cheers
thomas
> 
> 
> 
> 



actual state of http/2

2016-09-07 Thread Thomas Heil
Hi,

Can somebody tell me what the actual implementation state of http/2 is? I
read that h2 is usable in tcp mode with alpn. Is SNI possible in this
combination, because we need to
save public IP addresses?

Is there any comparison of speed between http/1.1 and http/2?

thanks for the help,

cheers
thomas



how to put stick tables values and src_conn_rate into headers

2016-07-20 Thread Thomas Heil
Hi,

I would like to put the actual value from a stick table into a request
header. This way I could inform the backend, e.g. how many connections
this IP has already made.

The same I would like to do e.g for src_conn_rate and http_req_rate.

To protect the backend I can write rules that define the upper limit for
the backend

e.g.
--
 tcp-request connection reject if { src_http_req_rate ge 30 }
---

The goal is, that the backend can decide to block or to allow the
request based on the information that came from haproxy.

Is this possible?

cheers
thomas



Re: gcc 5.4 haproxy lua

2016-07-18 Thread Thomas Heil
Hi,

On 15.07.2016 13:23, Thomas Heil wrote:
> Hi
> 
> With gcc 5.4 and haproxy 1.6.7 I get the following errors.
> 
> --
> src/hlua.o: In function `hlua_yield':
> hlua.c:(.text+0xdd): undefined reference to `lua_yieldk'
> src/hlua.o: In function `hlua_hook':
> hlua.c:(.text+0x14f): undefined reference to `lua_isyieldable'
> hlua.c:(.text+0x1b9): undefined reference to `lua_yieldk'
> src/hlua.o: In function `hlua_sleep_yield':
> hlua.c:(.text+0x925): undefined reference to `lua_tointegerx'
> hlua.c:(.text+0x945): undefined reference to `lua_yieldk'
> src/hlua.o: In function `hlua_load':
> hlua.c:(.text+0x170b): undefined reference to `luaL_loadfilex'
> hlua.c:(.text+0x172e): undefined reference to `lua_pcallk'
> src/hlua.o: In function `hlua_lua2arg':
> hlua.c:(.text+0x18b8): undefined reference to `lua_tointegerx'
> src/hlua.o: In function `hlua_lua2smp':
> --
> 
> Can somebody advise me which library is missing here or do we need
> another include?


There was a problem: an older lua version was already in the
include path. So, apart from some warnings, gcc 5.4 is fine with haproxy 1.5
and 1.6.

sorry for the noise.


> 
> cheers
> 






gcc 5.4 haproxy lua

2016-07-15 Thread Thomas Heil
Hi

With gcc 5.4 and haproxy 1.6.7 I get the following errors.

--
src/hlua.o: In function `hlua_yield':
hlua.c:(.text+0xdd): undefined reference to `lua_yieldk'
src/hlua.o: In function `hlua_hook':
hlua.c:(.text+0x14f): undefined reference to `lua_isyieldable'
hlua.c:(.text+0x1b9): undefined reference to `lua_yieldk'
src/hlua.o: In function `hlua_sleep_yield':
hlua.c:(.text+0x925): undefined reference to `lua_tointegerx'
hlua.c:(.text+0x945): undefined reference to `lua_yieldk'
src/hlua.o: In function `hlua_load':
hlua.c:(.text+0x170b): undefined reference to `luaL_loadfilex'
hlua.c:(.text+0x172e): undefined reference to `lua_pcallk'
src/hlua.o: In function `hlua_lua2arg':
hlua.c:(.text+0x18b8): undefined reference to `lua_tointegerx'
src/hlua.o: In function `hlua_lua2smp':
--

Can somebody advise me which library is missing here or do we need
another include?

cheers

-- 
Thomas




Re: Postfix Dovecot with HAproxy

2015-10-14 Thread Thomas Heil
Hi Lukas,

On 14.10.2015 15:25, Lukas Erlacher wrote:
> Hello,
> 
>> you can't use port 465, please use port 25. SMTPS is ancient and not
>> supported via the proxy protocol. I am referring to your listen port.
> 
> you may remember me asking after this a month ago. PROXY protocol + tls
> wrapped mode in postfix not working was a bug and is fixed in the latest
> postfix release (and backported down to 2.9):
> http://www.postfix.org/announcements/postfix-3.0.3.html
> 

I remember quite well.

> Of course, this release, being merely three days old, has yet to
> propagate to distributions.
> 

Big thanks for the good news and the bug report at postfix. I think the
right way would be
to open a bug report for the "distributions" and send them a patch they
can apply?


> Best,
> Luke
> 
> 

cheers
thomas



Re: Postfix Dovecot with HAproxy

2015-10-14 Thread Thomas Heil
Hi,

On 13.10.2015 17:28, Michael JOIGNY wrote:
> Hi Everyone,
> 
> I would like to set up a postfix-dovecot with HA using HAproxy but I'm
> facing issues.
> 
> I've followed this documentation :
> 
> http://wiki2.dovecot.org/HAProxy (for dovecot)
>
> http://blog.haproxy.com/2012/06/30/efficient-smtp-relay-infrastructure-with-postfix-and-load-balancers/
> (for postfix)
> 
> Package's version :
> 
> dovecot : 2:2.2.19 (>= 2.2.19 for proxy protocol)
> haproxy : 1.5.14
> postfix : 2.11.2-1 (>2.10 for postscreen)
> 
> A part of my configuration  :
> 
> ##HAPROXY
> #postfix
> listen smtp
> bind mail.xx.xx:465
> balance roundrobin
> timeout client 1m
> timeout connect 5s
> no option http-server-close
> mode tcp
> option smtpchk
> option tcplog
> server tst tst.xxx:10465 send-proxy
> server tst2 tst2.xxx:10465 send-proxy
> server tst3 tst3.xxx:10465 send-proxy
> 

you can't use port 465, please use port 25. SMTPS is ancient and not
supported via the proxy protocol. I am referring to your listen port.

--
 listen smtp
bind mail.xx.xx:25
..
 server tst tst.xxx:10465 send-proxy
--

> #dovecot
> listen imap
> bind mail.xxx.xx:993
> timeout client 1m
> no option http-server-close
> balance leastconn
> stick store-request src
> stick-table type ip size 200k expire 30m
> mode tcp
> option tcplog
> server tst tst.xxx:10993 send-proxy-v2
> server tst2 tst2.xxx:10993 send-proxy-v2
> server tst3 tst3.xxx:10993 send-proxy-v2
> 
> ##POSTFIX
> 
> postix main.cf
> #Haproxy proxy protocol
> postscreen_upstream_proxy_protocol = haproxy
> 
> postfix master.cf
> #haproxy
> 10465 inet n - n - 1 postscreen
> smtpd pass - - n - - smtpd
> S
> 
> ##DOVECOT
> 
> haproxy_timeout = 5 secs
> haproxy_trusted_networks = x.x.x.x
> inet_listener imap_haproxy {
> haproxy = yes
> port = 10993
>   }
>  

here you are missing the ssl=yes keyword.

--
conf.d/10-master.conf
-
haproxy_trusted_networks = x.x.x.x

service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  inet_listener imap_haproxy {
    port = 10143
    haproxy = yes
  }
  inet_listener imaps_haproxy {
    port = 10993
    ssl = yes
    haproxy = yes
  }
}
--

> With my mail client :
> 
> With an IMAP connection, logs below, i don't understand why my login is
> empty ...
> 
> dovecot: imap-login: Disconnected: Too many invalid commands (no auth
> attempts in 0 secs): *user=<>*, rip=my_public_ip,
> lip=haproxy_public_ip, session= xxx
> 
> With a SMTP connection, logs below, i have a timeout.
> 
> postfix/postscreen[16654]: CONNECT from [my public ip]:49942 to [my
> haproxy public ip]:465
> postfix/postscreen[16654]: PREGREET 166 after 0 from [my public
> ip]:49942:
> \22\3\1\161\1\157\3\3+0E\b\213\131\177\173>\r/\213\177i\223k"FjA#\144\145\153\vP\\\155HL\190
> 

it seems postscreen does not understand the proxy protocol.

> If someone could help me, thanks.
> 
> Kind regards.
> -- 

cheers
thomas
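
Added example, not from the thread: a decoder for the escaped bytes postscreen prints in the PREGREET line above, and a classifier for what a peer sends first. Decoded, the logged data begins 22 3 1 ... 1 ...: a TLS record (content type 22, version 3.1) carrying a ClientHello, so the client spoke TLS immediately, as it must on port 465 (implicit TLS), and whatever received it was waiting for a plaintext greeting instead. The PROXY header itself was read fine: the CONNECT line shows the client's address rather than the proxy's. The logged string contains no \0 escapes, so the length fields cannot be recovered from it and the classifier only looks at the leading bytes. The PROXY, SMTP and IMAP samples in the test are constructed.

```python
"""Added example (not from the thread): decode the escaped bytes postscreen
logs in a PREGREET line and classify what the peer sent first."""

V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"                  # PROXY protocol v2 signature
_C_ESC = {"a": 7, "b": 8, "f": 12, "n": 10, "r": 13, "t": 9, "v": 11, "\\": 92}
SMTP_VERBS = {"EHLO", "HELO", "LHLO", "STARTTLS", "QUIT", "NOOP", "RSET"}
IMAP_VERBS = {"CAPABILITY", "LOGIN", "AUTHENTICATE", "STARTTLS", "NOOP", "LOGOUT", "ID"}


def decode_postfix_escapes(logged: str) -> bytes:
    """Reverse the escaping seen in the log: \\ddd is a decimal byte value,
    \\b \\r \\v ... are the usual C escapes, everything else is literal."""
    out = bytearray()
    i = 0
    while i < len(logged):
        if logged[i] != "\\":
            out += logged[i].encode("latin-1", "replace")
            i += 1
            continue
        j = i + 1
        digits = ""
        while j < len(logged) and len(digits) < 3 and logged[j].isdigit():
            digits += logged[j]
            j += 1
        if digits:
            out.append(int(digits) & 0xFF)
            i = j
        elif j < len(logged) and logged[j] in _C_ESC:
            out.append(_C_ESC[logged[j]])
            i = j + 1
        else:                                          # lone backslash
            out.append(0x5C)
            i += 1
    return bytes(out)


def classify_first_bytes(data: bytes) -> str:
    """Name the protocol the first bytes of a connection belong to."""
    if data.startswith(V2_SIG):
        return "proxy-v2"
    if data.startswith(b"PROXY "):
        return "proxy-v1"
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        # TLS record: ContentType handshake, version 3.x.  A client that sends
        # this before any greeting is speaking implicit TLS (SMTPS / IMAPS).
        if len(data) >= 6 and data[5] == 0x01:
            return "tls-client-hello"
        return "tls-handshake"
    words = data.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")
    if words[0].upper() in SMTP_VERBS:
        return "smtp-plaintext"
    if len(words) >= 2 and words[1].upper() in IMAP_VERBS:    # IMAP: tag then command
        return "imap-plaintext"
    return "unknown"


# Leading part of the PREGREET payload logged in the thread.
PREGREET_FROM_THREAD = r"\22\3\1\161\1\157\3\3+0E\b\213\131\177\173>\r/"

if __name__ == "__main__":
    raw = decode_postfix_escapes(PREGREET_FROM_THREAD)
    print(raw.hex(" "), classify_first_bytes(raw))
```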



Re: Haproxy and postfix SMTPS - can't get haproxy and postfix talking to each other

2015-09-07 Thread Thomas Heil
Hi

> Am 07.09.2015 um 08:58 schrieb Lukas Erlacher :
> 
> Hi,
> 
>>> Other than that it makes no difference.
>> 
>> I think the problem is the entry in /etc/postfix/master.cf
> 
> What do you think the problem is?
> 
I say that the postfix config is the problem.
>> 
>>> I think I'm going to just emulate SMTPS by terminating SSL in haproxy
>>> and forwarding it to port 25...
>> 
>> but then you need tproxy, I think, to preserve the client IP
> 
> Well, I misspoke - I am forwarding it to a smtp service with -o 
> smtpd_upstream_proxy_protocol=haproxy set.
> 
> Best,
> Luke
> 



Re: Haproxy and postfix SMTPS - can't get haproxy and postfix talking to each other

2015-09-07 Thread Thomas Heil
Hi,

On 07.09.2015 12:11, Lukas Erlacher wrote:
> Hi,
> 
>> I say that the postfix config is the problem.
> 
> Well what do you mean by that? Can you reproduce the problem? 

Yes, I can reproduce the problem.

Can you
> make a postfix config with smtpd_tls_wrappermode=yes and
> smtpd_upstream_proxy_protocol=haproxy that works?
> 

Yes, here it is

--
10464 inet n   -   n   -   -   smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_upstream_proxy_protocol=haproxy
--

I had to add
--
 -o smtpd_tls_security_level=encrypt
--


Could you verify that old clients that use smtps can use it successfully?


> Best,
> Luke
> 


cheers,
thomas



Re: Haproxy and postfix SMTPS - can't get haproxy and postfix talking to each other

2015-09-04 Thread Thomas Heil
Hi,


On 04.09.2015 11:01, Lukas Erlacher wrote:
> Hi,
> 
> using your configuration gives me this warning:
> 
> [WARNING] 246/103726 (16071) : [/usr/sbin/haproxy.main()] FD limit
> (85535) too low for maxconn=65000/maxsock=130032. Please raise
> 'ulimit-n' to 130032 or more to avoid any trouble.


Just adapt
--
maxconn 65000
ulimit-n 85535
--

to your favorite values and you're fine.

> 
> Other than that it makes no difference.
> 

I think the problem is the entry in /etc/postfix/master.cf


> I think I'm going to just emulate SMTPS by terminating SSL in haproxy
> and forwarding it to port 25...

but then you need tproxy, I think, to preserve the client IP

> 
> Best,
> Luke
> 
>>
>> Well I created a very simple config.
>>
>> /etc/haproxy.cfg
>> global
>>  maxconn 65000
>>  ulimit-n 85535
>>  uid 0
>>  gid 0
>>  daemon
>>  stats socket /var/run/haproxy.stat level admin
>>
>>  nbproc 1
>>
>>  cpu-map all 1 2
>>  ssl-server-verify none
>>
>>  tune.ssl.default-dh-param 2048
>>
>> defaults
>>  mode tcp
>>  no option http-server-close
>>  timeout connect 5000
>>  timeout client  5
>>  timeout server  5
>>
>> listen app1
>>  bind :8080
>>  mode http
>>  stats enable
>>  stats uri /
>>  maxconn 200
>>
>>
>> frontend ft_smtps
>>  bind :465
>>  timeout client 1m
>>  default_backend bk_postfix_smtps
>>
>> backend bk_postfix_smtps
>>  option tcp-check
>>  timeout server 1m
>>  timeout connect 5s
>>  server mail-1 172.1.1.21:10464 send-proxy check
>>
>> /etc/postfix/master.cf on 172.1.1.21
>> 10464 inet  n   -   n   -   -   smtpd
>>-o smtpd_tls_wrappermode=yes
>>-o smtpd_sasl_auth_enable=yes
>>-o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>-o smtpd_upstream_proxy_protocol=haproxy
>>
>>
>> Would you mind trying ?
>>
>> 10464 inet n - n - - smtpd
>>
>> instead of
>>
>> 10464 inet n - - - - smtpd
>>
>> For haproxy...
>>
>> The only difference is that you use chroot and user haproxy. Could you
>> please try with the default and global section in the minimal example?
>>
>>
>> cheers
>> thomas
>>
>>
> 





Re: Haproxy and postfix SMTPS - can't get haproxy and postfix talking to each other

2015-09-02 Thread Thomas Heil
Hi,

On 31.08.2015 13:44, Lukas Erlacher wrote:
> Hi,
> 
>>
>> Could be send your complete config and remove private information? Could
>> you also please give us the output of haproxy -vv?
>>
> 
> Full config: http://ix.io/ky6

thanks.
> 
> haproxy -vv:
> 
> HA-Proxy version 1.5.3 2014/07/25
> Copyright 2000-2014 Willy Tarreau 
> 
> Build options :
>   TARGET  = linux2628
>   CPU = generic
>   CC  = gcc
>   CFLAGS  = -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat
> -Werror=format-security -D_FORTIFY_SOURCE=2
>   OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1
> 
> Default settings :
>   maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
> 
> Encrypted password support via crypt(3): yes
> Built with zlib version : 1.2.8
> Compression algorithms supported : identity, deflate, gzip
> Built with OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
> Running on OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports prefer-server-ciphers : yes
> Built with PCRE version : 8.31 2012-07-06
> PCRE library supports JIT : no (USE_PCRE_JIT not set)
> Built with transparent proxy support using: IP_TRANSPARENT
> IPV6_TRANSPARENT IP_FREEBIND
> 
> Available polling systems :
>   epoll : pref=300,  test result OK
>poll : pref=200,  test result OK
>  select : pref=150,  test result OK
> Total: 3 (3 usable), will use epoll.
> 
> 
looks good to me

> Best,
> Luke
> 

Well I created a very simple config.

/etc/haproxy.cfg
global
maxconn 65000
ulimit-n 85535
uid 0
gid 0
daemon
stats socket /var/run/haproxy.stat level admin

nbproc 1

cpu-map all 1 2
ssl-server-verify none

tune.ssl.default-dh-param 2048

defaults
mode tcp
no option http-server-close
timeout connect 5000
timeout client  5
timeout server  5

listen app1
bind :8080
mode http
stats enable
stats uri /
maxconn 200


frontend ft_smtps
bind :465
timeout client 1m
default_backend bk_postfix_smtps

backend bk_postfix_smtps
option tcp-check
timeout server 1m
timeout connect 5s
server mail-1 172.1.1.21:10464 send-proxy check

/etc/postfix/master.cf on 172.1.1.21
10464 inet  n   -   n   -   -   smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_upstream_proxy_protocol=haproxy


Would you mind trying ?

10464 inet n - n - - smtpd

instead of

10464 inet n - - - - smtpd

For haproxy...

The only difference is that you use chroot and user haproxy. Could you
please try with the default and global section in the minimal example?


cheers
thomas




Re: Haproxy and postfix SMTPS - can't get haproxy and postfix talking to each other

2015-08-31 Thread Thomas Heil
Hi,

On 31.08.2015 12:12, Danijel Starman wrote:
> Hi Lukas,
> 
> On Mon, Aug 31, 2015 at 9:57 AM, Lukas Erlacher wrote:
> 
> Hey,
> 
> like I wrote in my follow-up mail I already figured out that ssl
> termination won't work.
> 
> This is my configuration now:
> 
> frontend ft_smtps
> bind xxx.xxx.42.4:465
> timeout client 1m
> log global
> option tcplog
> default_backend bk_postfix_smtps
> 
> 
> You are missing:  mode tcp unless you have it defined in your deafults.
> 


Could you send your complete config with private information removed? Could
you also please give us the output of haproxy -vv?



cheers
thomas




Re: Haproxy and postfix SMTPS - can't get haproxy and postfix talking to each other

2015-08-28 Thread Thomas Heil
Hi,

On 28.08.2015 12:23, Lukas Erlacher wrote:
 Hello,
 
 firstly, I am aware that SMTPS is deprecated and should not be used. But
 I have to support legacy infrastructure and the person who can tell me
 that it is fine to turn off SMTPS isn't around atm, so I'm trying to
 make this work.

so you just have another port to take care of.

 
 I have a postfix server with SMTPS, this is the master.cf configuration:
 
 10464 inet  n   -   -   -   -   smtpd
   -o smtpd_tls_wrappermode=yes
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_upstream_proxy_protocol=haproxy
 

Hey cool, I was not aware that smtpd also supports haproxy's proxy
protocol. But I can confirm your modifications in master.cf are correct.

 This is the haproxy configuration:
 
 frontend ft_smtps
 bind 0.0.0.0 ssl crt haproxy.combined.key.pem
 timeout client 1m
 log global
 option tcplog
 default_backend bk_postfix_smtps
 

This won't work, I think. You should just be fine with bind :465
--
  bind :465
  mode tcp
  maxconn 2000
..

default ...
--

 backend bk_postfix_smtps
 option smtpchk HELO localhost
 log global
 option tcplog
 timeout server 1m
 timeout connect 5s
 server mailbackend mail:10464 ssl verify none send-proxy check
 

option smtpchk won't work with ssl, so please remove it.
please try a server line like
--
server mailbackend mail:10464 send-proxy check-send-proxy check port 10464 rise 1 fall 1 inter 1000
--


 I get this message from haproxy:
 
 Aug 28 12:15:53 haproxy haproxy[1962]: message repeated 3 times: [
 Server bk_postfix_smtps/mailbackend is DOWN, reason: Layer6 timeout,
 check duration: 2001ms. 0 active and 0 backup servers left. 0 sessions
 active, 0 requeued, 0 remaining in queue.]

indeed, this should be caused by option smtpchk.

 
 And this from the postfix:
 
 Aug 28 12:15:51 mail postfix-from-user/smtpd[16561]: connect from
 haproxy[XXX.XXX.42.4]
 Aug 28 12:15:53 mail postfix-from-user/smtpd[16561]: SSL_accept error
 from haproxy[XXX.XXX.42.4]: Connection reset by peer
 Aug 28 12:15:53 mail postfix-from-user/smtpd[16561]: lost connection
 after CONNECT from haproxy[XXX.XXX.42.4]

this sounds like you don't speak ssl to postfix.

 
 Any idea?
 
 I've also tried setting it up without ssl termination, which doesn't
 work - I am assuming the PROXY protocol can't work without termination.


indeed, do it without ssl termination, just pure tcp and proxy protocol.

 Best
 Luke
 
 

cheers,
thomas
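
Added example, not from the threads: the PROXY protocol header that send-proxy (v1, text) and send-proxy-v2 (binary) prepend to the connection, both built and parsed, with the trust check a receiver must apply. It serves this SMTPS thread and the Postfix/Dovecot thread above: postfix consumes the header only on a listener configured with smtpd_upstream_proxy_protocol=haproxy, dovecot only from haproxy_trusted_networks, and that restriction is the security boundary, since a listener that accepts PROXY headers from arbitrary peers lets any client choose its own source address. Addresses and ports used in the test are constructed.

```python
"""Added example (not from the threads): build and parse PROXY protocol v1
and v2 headers, the bytes HAProxy's send-proxy / send-proxy-v2 put in front
of a connection, plus the trust check a receiver such as postfix or dovecot
must do before believing them."""
import ipaddress
import struct
from typing import Iterable, NamedTuple, Optional, Tuple

V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"


class ProxyInfo(NamedTuple):
    version: int
    family: str                 # "TCP4", "TCP6", "UNKNOWN" or "LOCAL"
    src: Optional[str]
    dst: Optional[str]
    sport: Optional[int]
    dport: Optional[int]


def build_v1(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Text form (send-proxy): 'PROXY TCP4 <src> <dst> <sport> <dport>\\r\\n'."""
    fam = "TCP6" if ipaddress.ip_address(src).version == 6 else "TCP4"
    return f"PROXY {fam} {src} {dst} {sport} {dport}\r\n".encode("ascii")


def build_v2(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Binary form (send-proxy-v2): signature, version/command 0x21, family/
    transport 0x11 (IPv4, STREAM) or 0x21 (IPv6, STREAM), length, addresses."""
    a, b = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if a.version != b.version:
        raise ValueError("mixed address families")
    addr = a.packed + b.packed + struct.pack("!HH", sport, dport)
    fam = 0x11 if a.version == 4 else 0x21
    return V2_SIG + bytes([0x21, fam]) + struct.pack("!H", len(addr)) + addr


def parse(data: bytes) -> Tuple[ProxyInfo, bytes]:
    """Split a stream into (header info, remaining payload).  Raises ValueError
    when the bytes are not a well-formed header; a receiver must then drop
    the connection rather than guess."""
    if data.startswith(V2_SIG):
        if len(data) < 16:
            raise ValueError("short v2 header")
        ver_cmd, fam_tr = data[12], data[13]
        alen = struct.unpack("!H", data[14:16])[0]
        if ver_cmd >> 4 != 2 or len(data) < 16 + alen:
            raise ValueError("bad or truncated v2 header")
        rest = data[16 + alen:]
        if ver_cmd & 0x0F == 0:                     # LOCAL: the proxy's own health check
            return ProxyInfo(2, "LOCAL", None, None, None, None), rest
        if fam_tr == 0x11 and alen >= 12:
            s, d, sp, dp = struct.unpack("!4s4sHH", data[16:28])
            fam = "TCP4"
        elif fam_tr == 0x21 and alen >= 36:
            s, d, sp, dp = struct.unpack("!16s16sHH", data[16:52])
            fam = "TCP6"
        else:
            return ProxyInfo(2, "UNKNOWN", None, None, None, None), rest
        return ProxyInfo(2, fam, str(ipaddress.ip_address(s)),
                         str(ipaddress.ip_address(d)), sp, dp), rest
    if data.startswith(b"PROXY "):
        nl = data.find(b"\r\n", 0, 108)             # a v1 line is at most 107 bytes
        if nl < 0:
            raise ValueError("v1 header without CRLF in the first 107 bytes")
        fields = data[6:nl].decode("ascii").split(" ")
        rest = data[nl + 2:]
        if fields[0] == "UNKNOWN":
            return ProxyInfo(1, "UNKNOWN", None, None, None, None), rest
        if len(fields) != 5 or fields[0] not in ("TCP4", "TCP6"):
            raise ValueError("malformed v1 header")
        want = 4 if fields[0] == "TCP4" else 6
        s_ip, d_ip = ipaddress.ip_address(fields[1]), ipaddress.ip_address(fields[2])
        sp, dp = int(fields[3]), int(fields[4])
        if {s_ip.version, d_ip.version} != {want} or not (0 <= sp <= 65535 and 0 <= dp <= 65535):
            raise ValueError("v1 header fields do not match the declared family")
        return ProxyInfo(1, fields[0], str(s_ip), str(d_ip), sp, dp), rest
    raise ValueError(f"no PROXY header, stream starts with {data[:6]!r}")


def client_address(peer_ip: str, data: bytes, trusted: Iterable[str]) -> Tuple[str, bytes]:
    """What a receiver should believe about the client.  Only a peer that is a
    known proxy may speak for someone else; from anybody else the bytes are
    ordinary payload and the TCP peer is the client.  This is what dovecot's
    haproxy_trusted_networks enforces."""
    if ipaddress.ip_address(peer_ip) not in {ipa for ipa in map(ipaddress.ip_address, trusted)}:
        return peer_ip, data
    info, rest = parse(data)
    if info.src is None:                            # UNKNOWN / LOCAL: fall back to the peer
        return peer_ip, rest
    return info.src, rest


if __name__ == "__main__":
    stream = build_v1("203.0.113.7", "10.0.0.5", 49942, 465) + b"EHLO mail.example.test\r\n"
    print(client_address("10.0.0.5", stream, ["10.0.0.5"]))
```

Note the asymmetry the threads ran into: with send-proxy the header is sent in clear before the TLS ClientHello, so the receiving listener must first strip it and only then start the TLS handshake (smtpd_tls_wrappermode together with smtpd_upstream_proxy_protocol on the same postfix service).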




Re: Upcomming varnish with proxy protocol

2015-08-06 Thread Thomas Heil
Hey,

On 06.08.2015 23:50, Aleksandar Lazic wrote:
 Hi all.
 
 That's cool ;-)
 
 https://www.varnish-cache.org/docs/trunk/whats-new/changes.html#proxy-protocol-support

That is good news. I am sad that there is still no support for varnish
using the proxy protocol as a client as well. That way proxy chains could
benefit and the x-forwarded-for hell would come to an end.

A proxy chain could look like this: client = haproxy = varnish =
haproxy = backend, with the ability to avoid caching, which reduces it to
haproxy = backend

Imagine that varnish could also be substituted with nginx (naxsi) or apache
(mod_security).

 
 
 Maybe this will substitute the x-forwarded-for in the future.
 
 Cheers Aleks
 
 
thanks for the news...

cheers
thomas




Re: Browser using wrong/weak ssl cipher only with haproxy

2015-02-21 Thread Thomas Heil
Hi,

On 21.02.2015 13:45, Dennis Jacobfeuerborn wrote:
 Hi,
 I noticed that when I use my browser (latest Firefox) to connect to
 haproxy then it will select an RC4 based cipher even though better
 options are available. When I make a connection to e.g.
 https://www.google.com/ the browser uses the correct cipher instead
 (stronger and the first in the list provided by the server).

 Both my haproxy and google.com advertise the exact same cipher list:

 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
 TLS_ECDHE_RSA_WITH_RC4_128_SHA
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
 TLS_DHE_DSS_WITH_AES_128_CBC_SHA
 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
 TLS_RSA_WITH_AES_128_CBC_SHA
 TLS_RSA_WITH_AES_256_CBC_SHA
 TLS_RSA_WITH_3DES_EDE_CBC_SHA
 TLS_RSA_WITH_RC4_128_SHA
 TLS_RSA_WITH_RC4_128_MD5

 The cipher options I'm using in the haproxy config are:
 ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM no-sslv3
Could you please try:

no-tls-tickets ciphers EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!MEDIUM:!SEED:!3DES:!CAMELLIA:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4 no-sslv3

and tell us if this works better. I just disabled the RC4 ciphers.

 When I connect to haproxy the client uses:
 TLS_ECDHE_RSA_WITH_RC4_128_SHA

 When I connect to google.com the client uses:
 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

 According to https://www.ssllabs.com/ssltest/viewMyClient.html the
 browser supports:

 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)   Forward Secrecy128
 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   Forward Secrecy  128
 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)   Forward Secrecy   256
 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)   Forward Secrecy   128
 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   Forward Secrecy 128
 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   Forward Secrecy 256
 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)   WEAK  128
 TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)   WEAK128
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   Forward Secrecy 128
 TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x32)   Forward Secrecy2128
 TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   Forward Secrecy 256
 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   128
 TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   256
 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   112
 TLS_RSA_WITH_RC4_128_SHA (0x5)   WEAK 128
 TLS_RSA_WITH_RC4_128_MD5 (0x4)   WEAK 128

 So my question is why isn't the connection to haproxy not using the
 better and advertised cipher? Is there an additional setting that need
 to be made to make this work as expected?
Let's see how it works without RC4.
 Regards,
   Dennis



cheers
thomas
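
Added example, not from the thread: why the Firefox list posted above lands on RC4 with the original cipher string, modelled as the server-preference selection OpenSSL performs (HAProxy asks for server preference by default, which is the "prefer-server-ciphers" line in haproxy -vv). The client list is copied from the thread; the two server orders are my assumed expansions of the two cipher strings for an RSA certificate (ECDSA suites cannot be offered), not output from openssl ciphers. The first two entries of the original string are suites Firefox does not offer at all, and the RC4 group comes before HIGH, so the first suite both sides share is ECDHE-RSA-RC4-SHA; with the suggested string the GCM suites lead and RC4 is excluded, so AES-128-GCM wins. The example also shows that even client preference would have avoided RC4 here.

```python
"""Added example (not from the thread): TLS cipher suite selection with
server or client preference, applied to the client list posted on the page
and two assumed server lists."""
from typing import List, Optional

# Firefox's offered suites in its preference order, copied from the thread.
CLIENT_FIREFOX = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
]

# Assumed expansion of 'ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:
# !aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM' with an RSA certificate.
SERVER_ORIGINAL = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",   # first two: nothing Firefox offers
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",          # the RC4 group sits before HIGH
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",      # HIGH minus GCM (!AESGCM) and DHE (!EDH)
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

# Assumed expansion of the string suggested in the reply (GCM first, !RC4 at the end).
SERVER_FIXED = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
]


def negotiate(server: List[str], client: List[str], server_preference: bool = True) -> Optional[str]:
    """The suite a TLS server ends up with: under server preference the first
    server entry the client also offers, otherwise the first client entry the
    server supports.  None means no common suite (handshake failure)."""
    first, second = (server, client) if server_preference else (client, server)
    offered = set(second)
    return next((suite for suite in first if suite in offered), None)


def weaknesses(suite: str) -> List[str]:
    """Flags a reviewer would raise on the negotiated suite."""
    flags: List[str] = []
    if "_RC4_" in suite:
        flags.append("RC4")
    if "_3DES_" in suite:
        flags.append("3DES")
    if suite.endswith("_MD5"):
        flags.append("MD5")
    if "_ECDHE_" not in suite and "_DHE_" not in suite:
        flags.append("no forward secrecy")
    return flags


if __name__ == "__main__":
    for name, order in (("original", SERVER_ORIGINAL), ("fixed", SERVER_FIXED)):
        chosen = negotiate(order, CLIENT_FIREFOX)
        print(name, chosen, weaknesses(chosen))
```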



Re: TPROXY - any functionality lost?

2015-01-20 Thread Thomas Heil
Hi,

On 20.01.2015 03:26, Shawn Heisey wrote:
 When haproxy is run in TPROXY mode, does it lose any functionality, or can
 I do all the same things as I can when it's acting in normal proxy mode?
 I'd like to have my servers see the real source ip but still have the
 ability to make decisions based on HTTP headers and manipulate those
 headers.
No, you are not losing any functionality when running in http mode.

 Thanks,
 Shawn






cheers
thomas



Re: Multiple backend sets

2015-01-05 Thread Thomas Heil
Hi,

On 03.01.2015 16:31, Ram Chander wrote:
 Hi,

 I have a requirement like below:

 Consider there are two sets of backends.  Each has some servers in it
 One is default , other is backup
 Haproxy should try second set  if  first  set  returns 404.

You mean all servers in the first backend return 404? If so, the option
http-check disable-on-404
is your best friend.

I assume you have two backends backend be_one and backend be_two.

In the frontend section you need to declare an acl like

--
acl be_one_available nbsrv(be_one) ge 1

use_backend be_two if ! be_one_available
default_backend be_one
--


 This is similar to try_files in nginx . Is this possible ?

HAProxy does not deal with files.
 Request to help. Thanks.

 Regards,
 Ram


cheers,
thomas



Re: Multiple backend sets

2015-01-05 Thread Thomas Heil
Hi,
On 05.01.2015 12:18, Pavlos Parissis wrote:
 On 05/01/2015 12:04 μμ, Thomas Heil wrote:
 Hi,

 On 03.01.2015 16:31, Ram Chander wrote:
 Hi,

 I have a requirement like below:

 Consider there are two sets of backends.  Each has some servers in it
 One is default , other is backup
 Haproxy should try second set  if  first  set  returns 404.
 You mean all servers in the first backend return 404? If so, the option
 http-check disable-on-404
 is your best friend.

 I assume you have two backends backend be_one and backend be_two.

 In the frontend section you need to declare an acl like

 --
 acl be_one_available nbsrv(be_one) ge 1

 use_backend be_two if ! be_one_available
 default_backend be_one
 --

 I suspect that Ram wants HAProxy to 'catch' 404 responses for normal
 traffic and not for a health-check response.
so as HAProxy does not have any clue about files, this is not possible.
 Cheers,
 Pavlos



thomas



Re: no-sslv3 option not working

2014-10-30 Thread Thomas Heil
Hi,

On 30.10.2014 19:13, Emeric Brun wrote:
 On 10/21/2014 05:43 PM, John Leach wrote:
 On 21/10/14 16:05, Ryan O'Hara wrote:
 On Tue, Oct 21, 2014 at 04:56:31PM +0200, Thomas Heil wrote:
 Hi,

 On 21.10.2014 16:26, John Leach wrote:
 Hi,

 I'm trying to disable sslv3 with the no-sslv3 bind option, but it's
 not working.

 The option is accepted and the restart is successful, but sslv3 is
 still
 accepted:

 $ openssl s_client -ssl3 -connect localhost:443

   New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
   Server public key is 1024 bit
   Secure Renegotiation IS supported
   Compression: NONE
   Expansion: NONE
   SSL-Session:
   Protocol  : SSLv3
   Cipher: DHE-RSA-AES256-SHA
   Session-ID:
 D74EC1760F565669B7CD8D21636D05AABC9E047DAC94133E62240B3824EB8176
   Session-ID-ctx:
   Master-Key:
 11417200F033C2B542B4FA3A7DC3C00214EFE92C7709FD406014D047D75DBA40573447ED5808962211AF323860367DEE

   Key-Arg   : None
   PSK identity: None
   PSK identity hint: None
   SRP username: None
   Start Time: 1413900818

 double checked with nmap.

 Tested with haproxy 1.5.3 and 1.5.4 on Ubuntu 14.10, Fedora 20 and
 Centos 7.

 Config is as simple as:


frontend myfrontend
  bind 0.0.0.0:443 ssl crt /etc/haproxy/mycert.pem no-sslv3
  default_backend mybackend
  reqadd X-Forwarded-Proto:\ https
 I've checked your config on centos 7 with the official version 1.5.2
 and it works.

 I also tried 1.5.2 on RHEL7 and it also works.

 thanks for the sanity checks.

 Looking more closely (on Ubuntu 14.04), I just changed certificates and
 SSLv3 is indeed disabled now, as expected.

 I was originally testing with this 1024bit sha1 self-signed junk cert,
 which seems to force SSLv3 to be enabled despite being explicitly
 disable in the config:

 Certificate:
  Data:
  Version: 1 (0x0)
  Serial Number: 12227704756894696610 (0xa9b188b0f51004a2)
  Signature Algorithm: sha1WithRSAEncryption
  Issuer: C=GB, ST=Some-State, O=Internet Widgits Pty Ltd
  Validity
  Not Before: Oct 17 16:50:51 2014 GMT
  Not After : Mar  1 16:50:51 2836 GMT
  Subject: C=GB, ST=Some-State, O=Internet Widgits Pty Ltd
  Subject Public Key Info:
  Public Key Algorithm: rsaEncryption
  Public-Key: (1024 bit)


 Whereas this new cert is a 2048bit sha512 cert, which allows SSLv3 to be
 disabled (tls 1.1 is working fine).

 Certificate:
  Data:
  Version: 3 (0x2)
  Serial Number: 980730 (0xef6fa)
  Signature Algorithm: sha512WithRSAEncryption
  Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing
 Authority/emailAddress=supp...@cacert.org
  Validity
  Not Before: May  4 11:23:10 2014 GMT
  Not After : Oct 31 11:23:10 2014 GMT
  Subject: CN=johnleach.co.uk
  Subject Public Key Info:
  Public Key Algorithm: rsaEncryption
  Public-Key: (2048 bit)
  Modulus:

 So looks like the choice of certificate/key can transparently force
 SSLv3 to be re-enabled. Can anyone else confirm? junk self-signed cert
 attached.

 Thanks,

 John.
 -- 
 http://brightbox.com




 Hi,

 This bug appears when the certificate does not present any CommonName
 in the subject nor any DNS alias (I have doubts about the validity of this
 kind of certificate).

 We will fix it soon, but it is not critical.

Thanks for the clarification.
 Emeric





cheers
thomas



Re: change backend for an existing connection?

2014-10-29 Thread Thomas Heil
Hi,

On 29.10.2014 23:09, Tom Keyser wrote:
 Along this same vein...

 We're using HAProxy to execute seamless mid-day deployments of
 high-volume critical services. The http-server-close option is set.
 The backend of an example service is like so:

    server svr2 192.168.1.19:80 check
    server svr2_staging 192.168.1.19:8080 disabled check

 Our deployment system is configured to copy new binaries to the
 svr2_staging server, then use the stats socket to change the
 svr2_staging state to ready and the svr2 state to drain. My
 question is how can I be sure all existing sessions to the svr2 server
 are closed before I start copying binaries to it?

One idea that comes to my mind is to use a stick table and poll as
long as there are entries whose server_id belongs to a server
that should be upgraded.
The worst case would be polling for as long as the expire timeout of the
stick-table.


 On Wed, Oct 29, 2014 at 12:06 PM, Baptiste bed...@gmail.com
 mailto:bed...@gmail.com wrote:

 On Fri, Oct 24, 2014 at 4:37 PM, Ian Cooke i...@informatic.io
 mailto:i...@informatic.io wrote:
  Hi,
 
  Can haproxy change the backend for an existing session?  I have
 a stateless
  client/server and I thought 'redispatch' did what I want but it
 seems that's
  only for the initial connection.  What I'd like is for a client
 that's
  already been connected to maintain the frontend's connection but
 change the
  session's backend server if the one it's connected to goes down.
 
  Thanks,
  Ian

 Hi,

 maybe http-server-close is the option you're looking for.

 Baptiste




 -- 

cheers,
thomas
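One way to implement the polling idea above (an added example, not code from the original mail): parse the stats socket's `show table` output, count the entries still pointing at the drained server ids, and poll until none remain. The entry line layout (key, use, exp, server_id) is assumed from the stats-socket documentation, and the sample output is constructed.

```python
"""Poll an HAProxy stick table until no entry still points at drained servers.

Added example, not from the original mail. The 'show table' line layout
(key=... use=... exp=... server_id=...) is assumed from the stats-socket
documentation; the sample output below is constructed.
"""
import re
import time
from typing import Callable, Dict, Iterable, List

# One entry per line, e.g. "0x1f2a3b0: key=10.0.0.7 use=0 exp=3599120 server_id=1".
# Only key/use/exp are required; everything after exp (server_id, gpc0, rates)
# is kept in 'rest' and searched for server_id.
ENTRY_RE = re.compile(
    r"^0x[0-9a-fA-F]+:\s+key=(?P<key>\S+)\s+use=(?P<use>\d+)\s+exp=(?P<exp>\d+)(?P<rest>.*)$"
)
SERVER_ID_RE = re.compile(r"\bserver_id=(?P<sid>\d+)\b")


def parse_show_table(output: str) -> List[Dict[str, object]]:
    """Turn raw 'show table <name>' output into entry dicts; skips the '# table:' header."""
    entries = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # unexpected line: ignore rather than abort the poll
        sid = SERVER_ID_RE.search(m.group("rest"))
        entries.append({
            "key": m.group("key"),
            "use": int(m.group("use")),
            "exp": int(m.group("exp")),
            "server_id": int(sid.group("sid")) if sid else None,
        })
    return entries


def sessions_bound_to(entries: List[Dict[str, object]],
                      server_ids: Iterable[int]) -> Dict[int, int]:
    """Number of table entries still stuck to each of the given server ids."""
    counts = {sid: 0 for sid in server_ids}
    for entry in entries:
        if entry["server_id"] in counts:
            counts[entry["server_id"]] += 1
    return counts


def wait_for_drain(fetch: Callable[[], str], server_ids: Iterable[int],
                   timeout_s: float, interval_s: float = 2.0,
                   sleep: Callable[[float], None] = time.sleep,
                   clock: Callable[[], float] = time.monotonic) -> bool:
    """Poll fetch() until no entry references server_ids.

    Returns False when timeout_s elapses first. As the thread notes, the
    worst case is the table's expire timeout, so size timeout_s accordingly.
    fetch() is whatever reads 'show table <name>' from the stats socket.
    """
    ids = list(server_ids)
    deadline = clock() + timeout_s
    while True:
        counts = sessions_bound_to(parse_show_table(fetch()), ids)
        if sum(counts.values()) == 0:
            return True
        if clock() >= deadline:
            return False
        sleep(interval_s)


# Constructed sample output: two entries still stuck to server_id 1, then none.
SAMPLE_BEFORE = """# table: bk_svc, type: ip, size:10240, used:3
0x1f2a3b0: key=10.0.0.7 use=1 exp=3599120 server_id=1
0x1f2a410: key=10.0.0.8 use=0 exp=3597000 server_id=2
0x1f2a470: key=10.0.0.9 use=0 exp=3590000 server_id=1
"""
SAMPLE_AFTER = """# table: bk_svc, type: ip, size:10240, used:1
0x1f2a410: key=10.0.0.8 use=0 exp=3596000 server_id=2
"""

if __name__ == "__main__":
    snapshots = iter([SAMPLE_BEFORE, SAMPLE_BEFORE, SAMPLE_AFTER])
    drained = wait_for_drain(lambda: next(snapshots), [1], timeout_s=60,
                             interval_s=1, sleep=lambda _: None)
    print("svr2 drained:", drained)
```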



Re: no-sslv3 option not working

2014-10-21 Thread Thomas Heil
Hi,

On 21.10.2014 16:26, John Leach wrote:
 Hi,

 I'm trying to disable sslv3 with the no-sslv3 bind option, but it's
 not working.

 The option is accepted and the restart is successful, but sslv3 is still
 accepted:

 $ openssl s_client -ssl3 -connect localhost:443

  New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
  Server public key is 1024 bit
  Secure Renegotiation IS supported
  Compression: NONE
  Expansion: NONE
  SSL-Session:
  Protocol  : SSLv3
  Cipher: DHE-RSA-AES256-SHA
  Session-ID:
 D74EC1760F565669B7CD8D21636D05AABC9E047DAC94133E62240B3824EB8176
  Session-ID-ctx:
  Master-Key:
 11417200F033C2B542B4FA3A7DC3C00214EFE92C7709FD406014D047D75DBA40573447ED5808962211AF323860367DEE
  Key-Arg   : None
  PSK identity: None
  PSK identity hint: None
  SRP username: None
  Start Time: 1413900818

 double checked with nmap.

 Tested with haproxy 1.5.3 and 1.5.4 on Ubuntu 14.10, Fedora 20 and Centos 7.

 Config is as simple as:


   frontend myfrontend
 bind 0.0.0.0:443 ssl crt /etc/haproxy/mycert.pem no-sslv3
 default_backend mybackend
 reqadd X-Forwarded-Proto:\ https
I've checked your config on CentOS 7 with the official version 1.5.2 and
it works.
--
# openssl s_client -ssl3 -connect 127.0.0.1:443
CONNECTED(0003)
139825192679328:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
handshake failure:s3_pkt.c:1257:SSL alert number 40
139825192679328:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : SSLv3
Cipher: 
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg   : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1413903320
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
---



 I've also tried disabling tls too, and that seems to have no effect either.

 Lots of people are recommending this as a fix against the POODLE vuln,
 so it's quite critical! Any thoughts?
Could you post the output of haproxy -vv?
Where does your package come from? Did you compile it yourself?

 Thanks,

 John.
 --
 http://brightbox.com




cheers
thomas



Re: is it possible to SSL offloading and then re-pack as SSL?

2014-10-16 Thread Thomas Heil
Hi,

On 16.10.2014 22:36, Lukas Tribus wrote:
 I want to do haproxy 1.5 SSL offloading, filter/processing some headers  
 and then re-send as SSL? 
 Yes, it is.


 Lukas
Have a look at
http://blog.haproxy.com/2013/02/26/ssl-offloading-impact-on-web-applications/
 


cheers
thomas



shellshock and haproxy

2014-09-29 Thread Thomas Heil
Hi,

To mitigate the shellshock attack we added two lines in our frontends.

--
frontend fe_80
--
reqideny  ^[^:]+:\s*\(\s*\)
reqideny  ^[^:]+:\s+.*?([^]+){5,}
--

and checked this via

--
 curl --referer x() { :; }; ping 127.0.0.1 http://my-haproxy-url/
 curl --referer true EOF EOF EOF EOF EOF EOF EOF EOF
EOF EOF EOF EOF EOF EOF http://my-haproxy-url/
--

Any hints or further suggestions?

cheers
thomas
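The same two deny rules as detection logic over sample headers, as an added example that is not part of the original mail. The first pattern is taken as posted; the second is an assumption, since the posted regex lost its `<` characters in the archive, and is read here as "five or more `<<` here-document redirections", which is what the `true <<EOF <<EOF ...` curl test exercises. All sample headers are constructed.

```python
"""Header-level Shellshock detection mirroring the two reqideny rules above.

Added example (not part of the original mail). The second pattern is an
assumption: the posted regex lost its '<' characters in the archive, and this
reading flags five or more here-document redirections, which is what the
"true <<EOF <<EOF ..." curl test in the mail exercises.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Rule 1 (as posted): a header whose value begins with "()", the start of the
# exported-function definition that a vulnerable bash parses on import.
FUNC_DEF_RE = re.compile(r"^[^:]+:\s*\(\s*\)")

# Rule 2 (assumed reading, see module docstring): five or more "<<" heredocs.
HEREDOC_RE = re.compile(r"^[^:]+:\s+.*?(<<[^<]+){5,}")

# The posted rules use reqideny, the case-insensitive variant; these patterns
# contain no letters, so no IGNORECASE flag is needed to mirror them.
RULES = (("shellshock-func-def", FUNC_DEF_RE), ("shellshock-heredoc", HEREDOC_RE))


class Hit(NamedTuple):
    header: str   # header name that matched
    rule: str     # which rule caught it


def header_line(name: str, value: str) -> str:
    """Rebuild the raw 'Name: value' line that HAProxy's req* rules inspect."""
    return f"{name}: {value}"


def match_rule(name: str, value: str) -> Optional[str]:
    """Return the name of the first rule matching this header, or None."""
    line = header_line(name, value)
    for rule_name, pattern in RULES:
        if pattern.search(line):  # patterns are anchored with ^
            return rule_name
    return None


def scan_request(headers: List[Tuple[str, str]]) -> List[Hit]:
    """Every header of a request that would trip one of the deny rules."""
    return [Hit(name, rule) for name, value in headers
            if (rule := match_rule(name, value)) is not None]


def should_deny(headers: List[Tuple[str, str]]) -> bool:
    """Mirror reqideny: one matching header is enough to reject the request."""
    return bool(scan_request(headers))


# Constructed sample headers (not captured traffic).
SAMPLE_CLEAN = [
    ("Host", "my-haproxy-url"),
    ("User-Agent", "Mozilla/5.0 (X11; Linux x86_64)"),
    # two "<<" only: below the five-heredoc threshold of rule 2
    ("Referer", "http://example.invalid/page?q=a<<b<<c"),
    # "()" not at the start of the value: bash only imports values that
    # begin with the function definition, and rule 1 is anchored the same way
    ("X-Note", "a shell function foo () { :; } mentioned mid-value"),
]
SAMPLE_FUNC_DEF = SAMPLE_CLEAN + [("Referer", "() { :; }; /bin/true")]
SAMPLE_NO_SPACE = SAMPLE_CLEAN + [("Cookie", "(){ :; }; /bin/true")]
SAMPLE_HEREDOC = SAMPLE_CLEAN + [("Referer", "true " + " ".join(["<<EOF"] * 14))]

if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("func-def", SAMPLE_FUNC_DEF),
                          ("no-space", SAMPLE_NO_SPACE), ("heredoc", SAMPLE_HEREDOC)):
        print(label, "deny" if should_deny(sample) else "pass", scan_request(sample))
```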





Re: use_backend map failing me

2014-09-19 Thread Thomas Heil
Hi,

On 19.09.2014 15:12, Baptiste wrote:
 On Fri, Sep 19, 2014 at 3:09 PM, Klavs Klavsen k...@vsen.dk wrote:
 dooh.. point to correct file and things work.. :)

 Hi,

 I like your config :)

 Baptiste



Maybe this is somewhat better
--
use_backend
bk_%[hdr(host),lower,map(/etc/haproxy/haproxy-backends.map)] if TRUE
--
because it is case-insensitive on the hostname.

cheers
thomas




Re: Recommended SSL ciphers and settings

2014-09-09 Thread Thomas Heil
Hi,


On 09.09.2014 11:43, pablo platt wrote:
 I've tried both options and I'm still not getting A+.

 Unfortunately, I can't ask the user what the error is.
 If I'll run into this again, I'll try to get this info.

To reach A+ you need

rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains if ssl-proxy
Here, ssl-proxy means the connection is SSL.

and a cipher list like
--
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
--

Together it should work.

As you can see, we no longer have RC4 ciphers.

cheers
thomas

 Thanks

 On Mon, Sep 8, 2014 at 9:46 AM, Jarno Huuskonen
 jarno.huusko...@uef.fi mailto:jarno.huusko...@uef.fi wrote:

 Hi,

 On Sun, Sep 07, pablo platt wrote:
  Hi,
 
  I'm using haproxy to terminate SSL and it works for most of my
 users.
  I have alphassl wildcard certificate.
  I'm using SSL to improve WebSockets and RTMP connections of port
 443.
  I don't have sensitive data or e-commerce.
 
  I have one user that see a warning in Chrome and can't use my
 website.

 Do you know what warning chrome gives to that user ?

  Is it possible that this the warning is because an antivirus is
 not happy
  with the default ciphers or other ssl settings?
 
  When running a test https://sslcheck.globalsign.com/en_US I'm
 getting:
  Sessions may be vulnerable to BEAST attack
  Server has not enabled HTTP Strict-Transport-Security
  Server has SSL v3 enabled
  Server is using RC4-based ciphersuites which have known
 vulnerabilities
  Server configuration does not meet FIPS guidelines
  Server does not have OCSP stapling configured
  Server has not yet upgraded to a Extended Validation certificate
  Server does not have SPDY enabled
 
  I found one suggestion:
  bind 10.0.0.9:443 name https ssl crt /path/to/domain.pem ciphers RC4:HIGH:!aNULL:!MD5
 
 
 http://blog.haproxy.com/2013/01/21/mitigating-the-ssl-beast-attack-using-the-aloha-load-balancer-haproxy/
 
  And another:
  bind 0.0.0.0:443 ssl crt /etc/cert.pem nosslv3 prefer-server-ciphers ciphers RC4-SHA:AES128-SHA:AES256-SHA
 
  Both gives me other warnings.

 What other warnings ? (Does haproxy give you warnings/errors or client
 browsers) ?

 Perhaps you could try ciphersuite from:
 https://wiki.mozilla.org/Security/Server_Side_TLS

 for example in global:
 ssl-default-bind-ciphers ...

 or on bind:
 bind 0.0.0.0:443 ssl crt /path/to/crt ciphers ...

 To enable ocsp stapling see haproxy config:
 http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-crt
 
 http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#9.2-set%20ssl%20ocsp-response

 -Jarno

 --
 Jarno Huuskonen




-- 
Thomas Heil
-
Email: h...@terminal-consulting.de
Tel:   0176 / 44555622
--



Re: [PATCH 0/4] build fixes for boringssl

2014-08-18 Thread Thomas Heil
Hi,

On 18.08.2014 18:45, Lukas Tribus wrote:
 Hi,


 Have you run any performance benchmark against those SSL libraries?
 No, I didn't.


 In fact the boringssl build is not optimized for production use, it
 would need some manual changes before building.
What about PolarSSL or CyaSSL? What's your opinion on those if you are
going to reduce the footprint (e.g. the size of the lib)?
 LibreSSL should be quite ok, here's a benchmark with nginx:
 https://www.mare-system.de/blog/page/1405201517/
mare-systems do a good job, but they only focus on nginx. But if you take
a closer look at nginx you will see that you have
to pay for some features. Recently I packaged nginx again for OpenWrt
and saw these nasty things. Maybe we could write a blog post about
configuring haproxy to achieve an A+ at ssllabs and
explain the drawbacks that come with it? E.g. kicking support for older
browsers like IE on Windows XP?

The same thing can also be achieved with stud and openssl in conjunction
with haproxy.


 Regards,

 Lukas

just my 2 cents,

thomas




Re: 100% CPU after upgraded to 1.6dev

2014-07-18 Thread Thomas Heil
Hi,

On 18.07.2014 19:22, Igor wrote:
 Hi, I use git commit e63a1eb290a1c407453dbcaa16535c85a1904f9e; 1.5.2 gives the
 same result as the git version.
When I look at your config, my educated guess would be commit
60d7aeb6e1450995e721d01f48f60b7db4c44e2b.

 Bests,
 -Igor


 On Sat, Jul 19, 2014 at 1:07 AM, Lukas Tribus luky...@hotmail.com wrote:
 Hi Igor,


 Hi,

 Had upgrade from 1.5dev 21 to 1.6dev, the CPU usage became insane to
 100%, in dev21, it's about 0%. Config file:
 https://gist.github.com/0c21a67c7be1e7a62a2f
 Is 1.5.2 stable affected as well? What exact commit are you using
 in 1.6dev (please post haproxy -vv output)?



 Regards,

 Lukas



cheers
thomas



Re: Binaries for HAProxy.

2014-07-16 Thread Thomas Heil
Hi,


On 16.07.2014 16:07, Kuldip Madnani wrote:
 My Linux Distribution is : 

 Red Hat Enterprise Linux Server release 6.3 (Santiago)

As far as I know RedHat or CentOS 6.x has only haproxy 1.4 packages in
its repo. You might want to use
my repo at http://nd-build-01.linux-appliance.net/repos/centos/haproxy/

Just put
http://nd-build-01.linux-appliance.net/repos/centos/haproxy/haproy-centos-6x.repo
under /etc/yum.repos.d/
and issue yum install haproxy.

After that you should have 1.5.2 on your box.

 On Wed, Jul 16, 2014 at 9:03 AM, Mathew Levett
 mat...@loadbalancer.org mailto:mat...@loadbalancer.org wrote:

 Hi Kuldip,

 I think you may need to provide a little more information, it may
 be that your Linux distribution may already have haproxy in their
 repository. However the information supplied does not really show
 what you're running.  Do you know the distribution name?

 If it's Debian then something like 'apt-get install haproxy' may be
 all you need, RedHat based distros may use yum so 'yum install
 haproxy'.  However it's also not that hard to compile the latest
 version from source and is well documented in the download file.

 Usually on a list like this you need to supply as much information
 as possible so the people here can help.

 Kind Regards,

 Mathew


 On 16 July 2014 14:50, Kuldip Madnani k.madnan...@gmail.com
 mailto:k.madnan...@gmail.com wrote:

 Hi,

 Where can I find the compiled binaries for haproxy? My system
 configuration is this:

 $ uname -a
 Linux  2.6.32-279.22.1.el6.x86_64 #1 SMP Sun Jan 13 09:21:40
 EST 2013 x86_64 x86_64 x86_64 GNU/Linux

 Thanks  Regards,
 Kuldip



cheers,
thomas


Re: Binaries for HAProxy.

2014-07-16 Thread Thomas Heil
Hi,

On 16.07.2014 16:14, Kobus Bensch wrote:
 Hi

 I have built my own RPM with a spec file and it works great. I can
 share the rpm if anybody is interested

I would be interested. Can you share your source rpm?


 Kobus Bensch

 *Address:* 22  24 | Frederick Sanger Road | Guildford | Surrey | GU2 7YD
 *Phone:* 0207 871 3890
 *Email:* kobus.ben...@trustpayglobal.com mailto:kobus.ben...@trustpayglobal.com





 On 16 July 2014 15:07, Kuldip Madnani k.madnan...@gmail.com
 mailto:k.madnan...@gmail.com wrote:

 My Linux Distribution is : 

 Red Hat Enterprise Linux Server release 6.3 (Santiago)


 On Wed, Jul 16, 2014 at 9:03 AM, Mathew Levett
 mat...@loadbalancer.org mailto:mat...@loadbalancer.org wrote:

 Hi Kuldip,

 I think you may need to provide a little more information, it
 may be that your Linux distribution may already have haproxy
 in their repository. However the information supplied does not
 really show what you're running.  Do you know the distribution
 name?

 If it's Debian then something like 'apt-get install haproxy'
 may be all you need, RedHat based distros may use yum so 'yum
 install haproxy'.  However it's also not that hard to compile
 the latest version from source and is well documented in the
 download file.

 Usually on a list like this you need to supply as much
 information as possible so the people here can help.

 Kind Regards,

 Mathew


 On 16 July 2014 14:50, Kuldip Madnani k.madnan...@gmail.com
 mailto:k.madnan...@gmail.com wrote:

 Hi,

 Where can I find the compiled binaries for haproxy? My
 system configuration is this:

 $ uname -a
 Linux  2.6.32-279.22.1.el6.x86_64 #1 SMP Sun Jan 13
 09:21:40 EST 2013 x86_64 x86_64 x86_64 GNU/Linux

 Thanks  Regards,
 Kuldip





 Trustpay Global Limited is an authorised Electronic Money Institution
 regulated by the Financial Conduct Authority registration number
 900043. Company No 07427913 Registered in England and Wales with
 registered address 130 Wood Street, London, EC2V 6DL, United Kingdom.

 For further details please visit our website at www.trustpayglobal.com
 http://www.trustpayglobal.com.

 The information in this email and any attachments are confidential and
 remain the property of Trustpay Global Ltd unless agreed by contract.
 It is intended solely for the person to whom or the entity to which it
 is addressed. If you are not the intended recipient you may not use,
 disclose, copy, distribute, print or rely on the content of this email
 or its attachments. If this email has been received by you in error
 please advise the sender and delete the email from your system.
 Trustpay Global Ltd does not accept any liability for any personal
 view expressed in this message.


cheers,
thomas


Re: SMPP traffic load balancing

2014-07-03 Thread Thomas Heil
Hi,

On 03.07.2014 14:01, Baptiste wrote:



 On Thu, Jul 3, 2014 at 11:21 AM, Ahmed Ayoub a.ay...@cequens.com
 mailto:a.ay...@cequens.com wrote:

 Hi,

 Can I use HAProxy to load balance SMPP traffic?

 Waiting for your feedback

 Best regards,

 *Ahmed Ayoub*
 Chief Architect
 Mob: +20 (10) 06719983
 Email: a.ay...@cequens.com mailto:a.ay...@cequens.com | web:
 www.cequens.com http://www.cequens.com/



 Hi,

 Can you define what SMPP is???


SMPP is short message peer to peer. E.g. Jabber makes use of it.
Because it's TCP, HAProxy should
be able to cope with it.

 Baptiste
thomas


Re: SMPP traffic load balancing

2014-07-03 Thread Thomas Heil
Hi,

On 03.07.2014 14:08, Thomas Heil wrote:
 Hi,

 On 03.07.2014 14:01, Baptiste wrote:



 On Thu, Jul 3, 2014 at 11:21 AM, Ahmed Ayoub a.ay...@cequens.com
 mailto:a.ay...@cequens.com wrote:

 Hi,

 Can I use HAProxy to load balance SMPP traffic?

 Waiting for your feedback

 Best regards,

 *Ahmed Ayoub*
 Chief Architect
 Mob: +20 (10) 06719983
 Email: a.ay...@cequens.com mailto:a.ay...@cequens.com | web:
 www.cequens.com http://www.cequens.com/



 Hi,

 Can you define what SMPP is???


 SMPP is short message peer to peer. E.g. Jabber makes use of it.
 Because it's TCP, HAProxy should
 be able to cope with it.

Huh, that's wrong. SMPP is not XMPP. I just missed that. But
nevertheless HAProxy should be able to do it.

 Baptiste
 thomas 




Re: ssl compression

2014-06-23 Thread Thomas Heil
Hi,

On 23.06.2014 18:32, Vincent Bernat wrote:
  ❦ 23 June 2014 18:14 +0200, Markus Rietzler w...@mrietzler.de :

 to switch off tls compression (because of beast/crime attack) with tls
 v1.0 and compression.  can i deactivate it in haproxy too?
You should not add a new thread to an existing one.
 haproxy disables SSL compression and there is no flag to enable
 it. However, disabling SSL compression is not available in OpenSSL
 0.9.8. Which version of OpenSSL are you using?

Please have a look at
http://blog.haproxy.com/2013/01/21/mitigating-the-ssl-beast-attack-using-the-aloha-load-balancer-haproxy/
If you need support for PFS too, then try lines like this
--
frontend fe_443
bind :443 name https ssl crt /etc/haproxy/certs/mycert.pem ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
mode http
--
and in the global section
--
tune.ssl.default-dh-param <private key length, but min 1024>
--
After that check your site again.


cheers,
thomas



Re: [ANNOUNCE] haproxy-1.5.0

2014-06-20 Thread Thomas Heil
On 20.06.2014 18:07, Ryan O'Hara wrote:
 On Fri, Jun 20, 2014 at 07:14:39AM +0200, Willy Tarreau wrote:
 On Fri, Jun 20, 2014 at 03:35:55AM +0300, Eliezer Croitoru wrote:
 On 06/19/2014 10:54 PM, Willy Tarreau wrote:
 Don't forget to offer a beer to your distro packagers who make your life
 easier. It's hard to list them all, but if you don't build from sources,
 you're likely running a package made and maintained by one of these people 
 :
   - debian: Vincent Bernat, Apollon Oikonomopoulos, Prach Pongpanich
   - Fedora: Ryan O'hara
   - OpenSuSE: Marcus Rückert
   - other? just report yourself!
 Congrats!!

 And with a question:
 Who is the maintainer of CentOS RPMs?
 I could be wrong, but my understanding is that Ryan's packages are used
 in RHEL as well, so probably you have them automatically in CentOS ?
 That is correct. The latest RHEL release has haproxy 1.4.24, so that
 is what will be in CentOS.
What needs to be done to upgrade it to 1.5.0? I think the official way
could save a lot of
time because there is no need for everybody to build their own RPM.
 If nobody will build it for CentOS in the next month or two I will might 
 build it.
 Please double-check with Ryan first to ensure there's no double work.
 If you want haproxy 1.5 on CentOS in the near future, there are other means 
 to build
 packages. I could build 1.5 against el6 in copr if you like.
What do you mean by against el7 in copr?
 Ryan



cheers
thomas



OCSP and others

2014-06-17 Thread Thomas Heil
Hi,

I think DNSSEC and DANE could be an alternate path for checking
certificates even for HAProxy.
Of course DNSSEC is a burden, but after that it can be very useful.

What do you think about it?

cheers,

Thomas
--




Re: Configuring HAProxy to send X_FORWARDED_FOR and X_REAL_IP at the same time.

2014-05-26 Thread Thomas Heil
Hi,
On 26.05.2014 12:16, Daniel Todorov wrote:
 Hello Baptiste,

 Can I extract the info from another header, because we are using Cloudflare
 in front of HAProxy?

You can also do things like
--
http-request add-header X-Orig-IP %[req.hdr(X-Forwarded-For)]
--

This would add the header X-Orig-IP with the value of X-Forwarded-For.


 Best Regards,


 On Mon, May 26, 2014 at 12:15 PM, Baptiste bed...@gmail.com
 mailto:bed...@gmail.com wrote:

 On Mon, May 26, 2014 at 10:03 AM, Daniel Todorov
 leinad...@gmail.com mailto:leinad...@gmail.com wrote:
  Hello,
 
  I'm working for a company which has software based on both
 headers, and if
  one of them is missing, the software is not working properly. I
 found a way
  to configure HAProxy to send each of them but separately. I need
 to find a
  solution which will make HAProxy send both. Can I use reqadd or
  http-request add-header/set-header to set the second header?
 
  Best Regards,
  Daniel Todorov

 Hi Daniel

 Yes, you can use http-request add-header to add headers. You can
 extract source IP address using the acl 'src'.

 Baptiste






Re: Problem with last commit

2014-05-17 Thread Thomas Heil
Hi,

On 17.05.2014 04:01, Willy Tarreau wrote:
 Hi guys,

 On Fri, May 16, 2014 at 11:34:45PM +0200, Thomas Heil wrote:
 So HAProxy crashes as soon as acl tries to use
 acl ex_de hdr_reg(host) -i www\.example\.de
 Ok, so its probably about the modifications in src/pattern.c.
 No it was in
 #
 -diff --git a/src/cfgparse.c b/src/cfgparse.c
 -index 9ec69a1..eb7ec20 100644
  a/src/cfgparse.c
 -+++ b/src/cfgparse.c
 -@@ -1578,8 +1578,6 @@ static int create_cond_regex_rule(const char
 *file, int line,
 -   if (dir == SMP_OPT_DIR_REQ  warnif_misplaced_reqxxx(px, file,
 line, cmd))
 -   err_code |= ERR_WARN;
 -
 --  free(errmsg);
 --  return err_code;
 -  err:
 -   free(errmsg);
 -   free(preg);
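Review bot: The removed `free(errmsg); return err_code;` was the only thing keeping the success path of create_cond_regex_rule() out of the `err:` cleanup; with it gone, execution falls through into `free(errmsg); free(preg);` after the rule has already been registered with that regex, which leaves a dangling `preg` for the later regexec() call (the backtrace in this thread shows exactly that call faulting). Restore an explicit return on the success path, or put the shared `free(errmsg)` on a label that sits after the `free(preg)`; and since `preg` is a compiled regex, the error path should `regfree()` it before `free()`.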
 #
 That's really strange, it looks like a double free or something like this!

 Hmmm wait a minute, there's a bug here. preg is of type regex_t. It cannot be
 freed with free(), but it needs a regfree() instead.

 So it's likely that the move of free(errmsg) has slightly modified the code
 path and helped the second free corrupt the memory better.

 Thomas, could you please confirm that the attached patch (untested) fixes it
 for you ? We might have a longstanding bug here.

 Thanks,
 Willy

The patch works. No crashes anymore. Thanks a lot,

cheers,
thomas




Re: Problem with last commit

2014-05-17 Thread Thomas Heil
Hi,

On 17.05.2014 16:58, Willy Tarreau wrote:
 Hi Thomas,

 On Sat, May 17, 2014 at 03:12:40PM +0200, Thomas Heil wrote:
 The patch works. No crashes anymore. Thanks a lot,
 Thanks for confirming, however the fix is still not good (regfree
 may only be called with a non-null pointer, and still needs free()
 to be run afterwards). Could you please check with this one instead :

   free(errmsg);
 - free(preg);
 + if (preg) {
 + regfree(preg);
 + free(preg);
 + }
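Review bot: `if (preg) { regfree(preg); free(preg); }` is the correct release sequence for a heap-allocated regex_t, but these lines only change what happens once `err:` is reached, not who reaches it: nothing shown here guards against the success path falling into the label (the earlier hunk in this thread removed the `return err_code;` that preceded it), and in that case the rule's live regex gets regfree()d. Please also check that `preg` is initialised to NULL before the first `goto err`, and set it to NULL once the rule takes ownership so a later cleanup cannot touch it.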
I've tried with this patch
-b
Index: haproxy-1.5-dev25/src/cfgparse.c
===
--- haproxy-1.5-dev25.orig/src/cfgparse.c
+++ haproxy-1.5-dev25/src/cfgparse.c
@@ -1580,7 +1580,10 @@ static int create_cond_regex_rule(const

  err:
free(errmsg);
-   free(preg);
+   if (preg) {
+   regfree(preg);
+   free(preg);
+   }  
return err_code;
 }
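Review bot: The hunk's leading context is just the blank line before `err:`, so it cannot show whether a return still separates the success path from this cleanup; together with the segfault reported right after applying it, the likely cause is that `err:` is reached on success and the regex the rule already uses is regfree()d and freed here. Verify that the lines immediately above 1580 in this tree end the success path with `return err_code;`, and if they do not, the fix belongs there rather than in this block; attaching the patch as a file would also avoid the indentation loss visible in the inlined copy.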
--

but this leads to a segmentation fault. I wonder why nobody else runs
into that issue.

 Thanks,
 Willy


thanks
thomas




Re: Problem with last commit

2014-05-16 Thread Thomas Heil
Hi,

On 15.05.2014 22:36, Lukas Tribus wrote:
  backtrace full
This was somewhat complex. I am using OpenWrt for HAProxy with eglibc.
Nevertheless, here is the trace

ymbol file not found for linux-vdso.so.1
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /usr/lib/libz.so.1...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /usr/lib/libssl.so.1.0.0...done.
Loaded symbols for /usr/lib/libssl.so.1.0.0
Reading symbols from /usr/lib/libcrypto.so.1.0.0...done.
Loaded symbols for /usr/lib/libcrypto.so.1.0.0
Reading symbols from /usr/lib/libpcreposix.so.0...done.
Loaded symbols for /usr/lib/libpcreposix.so.0
Reading symbols from /usr/lib/libpcre.so.0...done.
Loaded symbols for /usr/lib/libpcre.so.0
Reading symbols from /lib/libc.so.6...BFD: /lib/libc.so.6: invalid
relocation type 37
BFD: BFD (GNU Binutils) 2.18.50 assertion fail elf64-x86-64.c:278
BFD: /lib/libc.so.6: invalid relocation type 37
BFD: BFD (GNU Binutils) 2.18.50 assertion fail elf64-x86-64.c:278
BFD: /lib/libc.so.6: invalid relocation type 37
BFD: BFD (GNU Binutils) 2.18.50 assertion fail elf64-x86-64.c:278
BFD: /lib/libc.so.6: invalid relocation type 37
BFD: BFD (GNU Binutils) 2.18.50 assertion fail elf64-x86-64.c:278
BFD: /lib/libc.so.6: invalid relocation type 37
BFD: BFD (GNU Binutils) 2.18.50 assertion fail elf64-x86-64.c:278
done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libgcc_s.so.1...done.
Loaded symbols for /lib/libgcc_s.so.1
Reading symbols from /lib/ld-linux-x86-64.so.2...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Core was generated by `haproxy -f /etc/haproxy.cfg'.
Program terminated with signal 11, Segmentation fault.
[New process 7297]
#0  0x6448acdbfceb in regexec (preg=0x2f737e0, string=0x2fe7b44
Host: www.example.de, nmatch=10, pmatch=0x6a0600, eflags=0) at
pcreposix.c:194
194 pcreposix.c: No such file or directory.
in pcreposix.c
(gdb) bt full
#0  0x6448acdbfceb in regexec (preg=0x2f737e0, string=0x2fe7b44
Host: www.example.de, nmatch=10, pmatch=0x6a0600, eflags=0) at
pcreposix.c:194
rc = value optimized out
so = value optimized out
eo = value optimized out
options = Unhandled dwarf expression opcode 0x9f

--

So HAProxy crashes as soon as an ACL like this is used:
acl ex_de hdr_reg(host) -i www\.example\.de


cheers
thomas




Re: Problem with last commit

2014-05-16 Thread Thomas Heil
Hi,

On 16.05.2014 20:28, Lukas Tribus wrote:
 Hi Thomas,



 This was somewhat complex. I am using OpenWrt for HAProxy with eglibc.
 I see. Are you using local gdb on this box or are you transferring
 executable and core to another box and backtracing there?

Yes, I am using a local gdb on the box and I backtrace the file on the box.

 So HAProxy crashes as soon as acl tries to use
 acl ex_de hdr_reg(host) -i www\.example\.de
 Ok, so its probably about the modifications in src/pattern.c.
No it was in
#
-diff --git a/src/cfgparse.c b/src/cfgparse.c
-index 9ec69a1..eb7ec20 100644
 a/src/cfgparse.c
-+++ b/src/cfgparse.c
-@@ -1578,8 +1578,6 @@ static int create_cond_regex_rule(const char
*file, int line,
-   if (dir == SMP_OPT_DIR_REQ  warnif_misplaced_reqxxx(px, file,
line, cmd))
-   err_code |= ERR_WARN;
-
--  free(errmsg);
--  return err_code;
-  err:
-   free(errmsg);
-   free(preg);
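Review bot: This copy of the hunk is a revert pasted inline (every line carries an extra leading `-`) and its `--- a/src/cfgparse.c` header has collapsed to ` a/src/cfgparse.c`, so it cannot be applied from the mail as-is; citing the upstream commit (07fcaaa4cd8, named later in this message) or attaching the revert as a file would be clearer for the maintainers. The problem it reverts is unchanged from the earlier copy: with `free(errmsg); return err_code;` removed, the success path runs into `err:` and frees `preg` while the rule still references it.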
#

So it looks like free(errmsg); causes my headache.


 (gdb) bt full
 #0 0x6448acdbfceb in regexec (preg=0x2f737e0, string=0x2fe7b44
 Host: www.example.de, nmatch=10, pmatch=0x6a0600, eflags=0) at
 pcreposix.c:194
 rc = value optimized out
 so = value optimized out
 eo = value optimized out
 options = Unhandled dwarf expression opcode 0x9f
 Mmmmh, I think there is a problem with gdb here [1].
When you deal with cross compiling, errors are common.

 Anyway, since you confirmed it works when reverting Dirkjan's 07fcaaa4cd8
 (MINOR: fix a few memory usage errors), lets CC him and Willy.

 I just hope we didn't uncover some sleeping bugs in eglibc or pcre.


 Btw, does it work when you compile without PCRE (using libc's regexp
 implementation instead)?

I can't work without PCRE because we use a lot of PCRE-aware ACLs.

 Regards,

 Lukas



 [1] http://stackoverflow.com/questions/608361/unhandled-dwarf-expression

 

Let me add that even upgrading pcre does not change anything and that
this setup has been working for about two years
without big issues although I am using a grsec kernel and eglibc.

cheers
thomas



Problem with last commit

2014-05-15 Thread Thomas Heil
Hi,

In the last commit for HAProxy 1.5dev25,
0014-MINOR-fix-a-few-memory-usage-errors, the process crashes
when the first connection comes in.

--
Thu May 15 18:44:21 2014 kern.info kernel: [589854.655404]
haproxy[22649] general protection ip:6a8279b89ceb sp:775da6be3cb0
error:0 in libpcreposix.so.0.0.0[6a8279b89000+2000]
Thu May 15 18:44:21 2014 kern.alert kernel: [589854.657224] grsec: From
172.16.37.22: Segmentation fault occurred at(nil) in
/usr/sbin/haproxy[haproxy:22649] uid/euid:0/0 gid/egid:0/0, parent
/sbin/procd[procd:1] uid/euid:0/0 gid/egid:0/0
Thu May 15 18:44:21 2014 kern.alert kernel: [589854.660039] grsec: From
172.16.37.22: denied resource overstep by requesting 4096 for
RLIMIT_CORE against limit 0 for /usr/sbin/haproxy[haproxy:22649]
uid/euid:0/0 gid/egid:0/0, parent /sbin/procd[procd:1] uid/euid:0/0
gid/egid:0/0

Thu May 15 18:45:05 2014 kern.info kernel: [589899.112620]
haproxy[22720] general protection ip:749bf70ebceb sp:7ada274869f0
error:0 in libpcreposix.so.0.0.0[749bf70eb000+2000]
Thu May 15 18:45:05 2014 kern.alert kernel: [589899.114595] grsec: From
172.16.37.21: Segmentation fault occurred at(nil) in
/usr/sbin/haproxy[haproxy:22720] uid/euid:0/0 gid/egid:0/0, parent
/sbin/procd[procd:1] uid/euid:0/0 gid/egid:0/0
Thu May 15 18:45:05 2014 kern.alert kernel: [589899.117478] grsec: From
172.16.37.21: denied resource overstep by requesting 4096 for
RLIMIT_CORE against limit 0 for /usr/sbin/haproxy[haproxy:22720]
uid/euid:0/0 gid/egid:0/0, parent /sbin/procd[procd:1] uid/euid:0/0
gid/egid:0/0
--
When I remove the patch, HAProxy runs fine.

This is the actual output of haproxy -vv

--
 haproxy -vv
HA-Proxy version 1.5-dev25-patch14-a339395 2014/05/10
Copyright 2000-2014 Willy Tarreau w...@1wt.eu

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = x86_64-openwrt-linux-gnu-gcc
  CFLAGS  = -O2 -march=x86-64 -pipe -fomit-frame-pointer
-fno-align-jumps -fno-align-functions -fno-align-labels -fno-align-loops
-pipe -fomit-frame-pointer -fhonour-copts -DBUFSIZE=16384
-DMAXREWRITE=1030 -DSYSTEM_MAXCONN=165530
  OPTIONS = USE_LINUX_SPLICE=1 USE_LINUX_TPROXY=1 USE_ZLIB=yes
USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 165530, bufsize = 16384, maxrewrite = 1030, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
Running on OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.11 2010-12-10
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT
IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.
--

My system is using eglibc and a grsecurity-enabled kernel. Does anybody have
a similar problem?

cheers,
thomas



Re: Recommended strategy for running 1.5 in production

2014-04-22 Thread Thomas Heil
Hi,

On 18.04.2014 08:24, Willy Tarreau wrote:
 On Thu, Apr 17, 2014 at 10:30:45AM -0500, Ryan O'Hara wrote:
 On Wed, Apr 16, 2014 at 11:12:07PM +0100, Kobus Bensch wrote:
 I use haproxy on centos. So I build a RPM i then use in spacewalk to
 first roll out to test, then post testing to production.
 I can add el6 to my copr build if you need an rpm build. Currently I'm
 only building 1.5-dev22 in copr for F20, but it should be too much
 trouble add el6.
 Just to save you one package, I managed to fix the chunked-encoded
 compression so I'm planning on issuing dev23 this week-end :-)
Having compression for chunked-encoded responses too would help a lot. This is a
long-awaited feature.
I am curious about it.

 Willy



cheers,
thomas




Re: handle error on haproxy

2014-04-15 Thread Thomas Heil
Hi,

On 15.04.2014 12:57, jogendar kushwaha wrote:
 Hi Team,

 I have installed the haproxy load balancer and it is working fine. But some
issues occur in the load balancer.
 1. If any error occurs in the response from the web server, an error like 40X or 50X,
then the haproxy load balancer forwards the request to the previous or next server.
Is it possible in zen load balancer or not? If yes, then how?

No, this is not possible. This kind of feature from zen also has several
downsides.
First, it would break persistence. Then zen has to save the request and
dispatch it until all servers in the
farm have been tried. Sometimes 404 or 403 errors are normal behavior, e.g.
pages that should not be accessed from outside.

Please also take a look at
http://haproxy.1wt.eu/download/1.5/doc/configuration.txt; there are the
options persist and redispatch.


 Thanks in advance

cheers
thomas

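As an added example (not from the thread), the following HAProxy 1.5 configuration shows the `retries` and `option redispatch` settings mentioned above, with `option persist` as the opposite policy. Server names and addresses are placeholders. It also shows why the request replay asked for is not what these options do: they act on failed connection attempts, while a 40x/50x that a server actually returned is passed to the client, and health checks are the mechanism that takes a misbehaving server out of rotation for subsequent requests.

```haproxy
# Added example, not from the thread. Server names and addresses are placeholders.
defaults
    mode    http
    timeout connect 5s
    timeout client  30s
    timeout server  60s
    retries 3                # retry a failed TCP connect up to 3 times
    option  redispatch       # on the last retry, pick another server even if
                             # a cookie pins the client to the failed one
    # option persist         # the opposite policy: keep honouring a cookie
                             # that points at a server marked DOWN

backend bk_app
    balance roundrobin
    cookie  SRV insert indirect nocache
    # A 40x/50x the server did return is delivered to the client as is;
    # HAProxy 1.5 does not replay the request elsewhere (see the thread).
    # Health checks are what stop further requests reaching a server that
    # answers with an error status.
    option  httpchk GET /healthcheck HTTP/1.0
    http-check expect status 200
    server  app1 192.0.2.11:8080 cookie app1 check inter 2s fall 3 rise 2
    server  app2 192.0.2.12:8080 cookie app2 check inter 2s fall 3 rise 2
```

Validate with `haproxy -c -f <file>` before reloading; `redispatch` and `persist` are mutually exclusive policies, so enable only one of them.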


Re: [PATCH] proxy: support use_backend with dynamic names

2014-03-31 Thread Thomas Heil
Hi,

On 31.03.2014 10:45, Willy Tarreau wrote:
 On Thu, Mar 27, 2014 at 08:57:09PM -0400, Rajat Chopra wrote:
 Hi!
This solution very much solves the problem that I have been facing i.e. 
 large number of acl rules causing latency in requests. Been in discussions 
 separately about it and today I got a chance to test out this patch. I 
 report that it works great! I have been able to route 150k backends with 
 this and the latency added because of the dynamic lookup is in order of 
 microseconds (compared to 24ms earlier).


 The usage 'use_backend bk_%[hdr(Host)] if TRUE' works for my use-case but 
 originally I was wondering if one could do a map based lookup for the 
 backend.
 As posted here :
 http://stackoverflow.com/questions/22025412/how-to-use-thousands-of-backends-in-haproxy-is-the-new-map-feature-useful-for-t

 Most of the issues in the above question are now solved, but I tested this 
 with the patch -
 use_backend bk_%[hdr(Host), map(host_to_backend_map.file)] if TRUE

 And it does not work. I am not yet familiar with code to determine why this 
 does not work. Again, the current proposal works well for me but an 
 enhancement should probably consider using maps within dynamic lookup.

 +1 for the patch.
 OK so in the absence of any other comment, I just merged it.
Could you add an example of such a /etc/haproxy/static/proxy.pac.cust1
file?
 thanks!
 Willy



cheers,
thomas

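As an added example (not the patch's or the thread's own configuration), here is the map-based form of dynamic backend selection with a bounded fallback. File paths, backend names and addresses are placeholders, and it assumes an HAProxy release in which the `map` converter is usable inside a `use_backend` format string, which the thread reports was not yet the case with the initial patch. The security point is that `Host` is chosen by the client: with `use_backend bk_%[hdr(Host)]` a request can select any backend whose name happens to match, whereas a map only resolves the names you listed and everything else lands in one default backend.

```haproxy
# Added example, not from the patch or the thread. Paths, backend names and
# addresses are placeholders.
frontend fe_http
    bind *:80
    mode http
    # /etc/haproxy/host_to_backend.map holds one "key value" pair per line:
    #   www.example.com   bk_www
    #   api.example.com   bk_api
    # The Host header is under the client's control, so it is lower-cased and
    # resolved through the map; a name that is not listed yields bk_default.
    use_backend %[req.hdr(host),lower,map(/etc/haproxy/host_to_backend.map,bk_default)]
    # Also reached when the map returns a name that is not a defined backend.
    default_backend bk_default

backend bk_default
    mode http
    # Nothing is served for unknown hosts.
    http-request deny

backend bk_www
    mode http
    server www1 192.0.2.21:8080 check

backend bk_api
    mode http
    server api1 192.0.2.31:8080 check
```

The map file is read at startup, so a reload is needed after editing it; the thread's latency figures apply because the lookup is a tree search rather than a walk over one ACL per host.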



Re: Generating a haproxy cluster

2014-03-24 Thread Thomas Heil


Hi,
On 24.03.2014 17:40, Juan Pablo Lorier wrote:
 Hi,

 I'm trying to create a high available solution of load balancers and I
 found haproxy that looks like all I need. The only thing I'm not shure
 is if I can create a cluster of haproxy server as a built in function of
 haproxy (all docs I find refer of a cluster of web servers, not the load
 balancers) or if it's like nginx that need to manage HA with pacemaker
 or somthing like that.
It's like nginx. You would need to manage it either with pacemaker or
keepalived.
There is no built-in high availability.
In case of pacemaker you could set up:
 - floating IP and LSB service haproxy (in case of failover you should
   just clone the LSB resource to all nodes, so that haproxy is running on all nodes
   all the time).
 - cluster_ip and LSB service haproxy, if your environment supports it.
In case of keepalived:
 - create a master/slave VIP and ensure that haproxy is running. If it fails,
   let keepalived do a switchover to the other node, hopefully haproxy
   runs there.

 Regards,

 Juan Pablo Lorier



cheers
thomas






Re: 1.5-dev22 crash with kernel messages, 1.4.18 is fine

2014-02-28 Thread Thomas Heil


Hi,

On 28.02.2014 01:33, Federico Iezzi wrote:
 Guys, we fixed these problems using a kernel >= 3.8.
 With Ubuntu 12.04.4 we are using kernel 3.8 and 3.11 from the Canonical
official repository without any issue. With 3.5 and stock 3.2 we had a
lot of trouble.
I can confirm that 3.4.80+ is running fine even with grsec.

 Regards,
 Federico
 On 27 Feb 2014, at 13:01, Sander Klein roe...@roedie.nl
wrote:

 Hi,

 I can confirm that using grsec kernel with haproxy can sometimes be a
bit tricky.

 For instance, 3.2.54 with grsec crashes with me after ~8 hours while
3.2.55 and 3.2.52 with grsec do not. Kernels with grsec just need more
testing because their stability can vary.

 Greets,

 Sander


 On 27.02.2014 11:29, Cedric Maion wrote:
 I agree that it does indeed look like a kernel issue (in the intel eth
 driver?), however 1.5 is doing something new that triggers this.
 Any idea of a significant 1.4 - 1.5 change that can affect what is
 happening in the kernel?
 This kernel is indeed not the stock Ubuntu kernel, but the default one
 provided by the hosting company (OVH in that case)... I would really
 like not having to recompile the kernel and play too much with the
 production environment (sadly this issue never popped up in my dev & lab
 environments).
 So any haproxy related idea would be very welcome...!
 On Thu, Feb 27, 2014 at 11:06:38AM +0100, Lukas Tribus wrote:
 Hi,
 Just upgraded a production node from 1.4.18 to 1.5-dev22.
 Ran fine for a couple of minutes then crashed with the following
kernel
 messages:

 WARNING: at mm/page_alloc.c:2107 __alloc_pages_nodemask+0x1fd/0x790()
 Hardware name: X9SRE/X9SRE-3F/X9SRi/X9SRi-3F
 Pid: 23190, comm: haproxy Not tainted 3.2.13-grsec--grs-ipv6-64 #1
 Call Trace:
 [810f1ded] ? __alloc_pages_nodemask+0x1fd/0x790
 [81089f3b] warn_slowpath_common+0x7b/0xc0
 [81089f95] warn_slowpath_null+0x15/0x20
 [810f1ded] __alloc_pages_nodemask+0x1fd/0x790
 That's definitely a kernel issue.
 Are you building your own kernel? That doesn't look like the default
 Ubuntu kernel.
 I would suggest to upgrade your kernel to 3.2.55 (of course use an
 updated grsec patch as well). If that doesn't fix the issue, try
 vanilla 3.2.55 (no grsec).
 If the issue persists, report it upstream (either to lkml/netdev or
 grsec, depending whether the vanilla 3.2.55 has the issue or not).
 Regards,
 Lukas










memory usage with 1.5dev21

2014-01-23 Thread Thomas Heil


Hi,

We are running in haproxy 1.5dev21 commit
fa7fc95e16fae8b30f2522f59bb945c596e48419. I see very high memory
usage just after 5 days.
--
  uptime                 5d 14h 48m
  children               0
  memory kilobytes       1345720
  memory kilobytes total 1345720
--

Is this a known problem?

cheers
thomas




Re: memory usage with 1.5dev21

2014-01-23 Thread Thomas Heil
Hi,

On 23.01.2014 16:43, Baptiste wrote:
 Hi Thomas,

 Please share your configuration (anonymized).


I've attached the config.
 Baptiste

thanks,
thomas
 On Thu, Jan 23, 2014 at 1:28 PM, Thomas Heil
 h...@terminal-consulting.de wrote:

 Hi,

 We are running in haproxy 1.5dev21 commit
 fa7fc95e16fae8b30f2522f59bb945c596e48419. I see very high memory
 usage just after 5 days.

global
maxconn 65000
ulimit-n 65535
uid 0
gid 0
daemon
## tune.pipesize 524288 # only in 1.5
tune.bufsize 33668
tune.maxrewrite 1024
#stats socket /var/run/haproxy.stat level admin
stats socket /var/run/haproxy.stat level admin

nbproc 1

#Loging
#log 172.24.4.39   local0
#log 172.24.4.39   local1 notice
#Logging

cpu-map all 1 2


defaults
maxconn 4
retries 10
option  redispatch
no option  http-server-close
no option  forceclose
option http-keep-alive
option prefer-last-server
option  tcp-smart-accept
option  tcp-smart-connect

#Logging
log global
#log-format %{+Q}o\ %{-Q}Ci\ -\ -\ [%T]\ %r\ %st\ %B\ \\\ \\\ %Cp\ 
\%ms\ %ft\ %b\ %s\ \%Tq\ %Tw\ %Tc\ %Tr\ %Tt\ %tsc\ %ac\ %fc\ \%bc\ %sc\ %rc\ 
%sq\ %bq\ %cc\ %cs\ \%hrl\ %hsl\ \%hr
#Logging

contimeout  15s
clitimeout  30s
srvtimeout  60s
userlist L1
group G1 users tiger,scott
user tiger insecure-password hello groups G1
user scott insecure-password hello groups G1

userlist L2
group G2 users a
user a insecure-password b groups G2


listen app1
bind :8080
mode http
maxconn 200
stats enable
#stats hide-version
stats uri /
#stats auth  admin:spawn
#stats admin if TRUE

frontend rtmp-80
bind 1.2.3.92:80
no option forceclose
no option http-server-close
no option http-keep-alive
no option prefer-last-server
mode tcp
maxconn 4000
#Logging
option tcplog
default_backend rtmp-over-http

frontend bread-84
bind 172.24.4.2:84,172.24.4.3:84,172.24.4.4:84,127.0.0.1:84
mode http
#option http-pretend-keepalive
#option forceclose
#option httpclose
option  accept-invalid-http-request
reqidel ^X-Forwarded-For:.*
maxconn 2

monitor-uri /haproxycheck

#Logging
log global
option  httplog
option logasap
#
# log the name of the virtual server
capture request header Host len 50
capture request header Content-Length len 10
capture request header Accept-Language len 50
capture request header Referer len 200
capture request header User-Agent len 200
capture response header Server len 30
capture response header Content-Length len 10
capture response header Cache-Control len 8
capture response header Via len 20
capture response header Location len 20
capture cookie JSESSIONID len 32
capture response header X-Cache-Hits len 10
capture response header X-Cacheable len 10
capture response header X-Cache len 5
capture response header Content-Encoding len 10
capture response header Cache-Control len 200
capture response header Last-Modified len 200
#Logging
default_backend bk_bread

frontend bread-80-82-varnish
bind 172.24.4.2:82,172.24.4.3:82,172.24.4.4:82,1.2.3.71:82,1.2.3.72:82,1.2.3.73:82,127.0.0.1:82
bind 1.2.3.70:80

#proxy
bind 127.0.0.1:85 accept-proxy id 100
acl ssl-proxy so_id 100
reqidel ^X-Forwarded-For:.*
reqadd x-forwarded-proto:\ https if ssl-proxy
#proxy

mode http
option  accept-invalid-http-request
maxconn 2

monitor-uri /haproxycheck

#Logging
log global
option  httplog
option logasap
#
capture request header Host len 50
capture request header Content-Length len 10
capture request header Accept-Language len 50
capture request header Referer len 200
capture request header User-Agent len 200
capture response header Server len 30
capture response header Content-Length len 10
capture response header Cache-Control len 8
capture response header Via len 20
capture response header Location len 20
capture cookie JSESSIONID len 32
capture response header X-Cache-Hits len 10

Problem with commit 4448925930655dec57847ed41a34a24a8169d053

2014-01-15 Thread Thomas Heil


Hi,

I am running HAProxy with eglibc, and commit
4448925930655dec57847ed41a34a24a8169d053, aka
BUILD/MINOR: listener: remove a glibc warning on accept4(), introduces a
fatal error when building.

The message I get is
--
include  -DCONFIG_HAPROXY_VERSION=\1.5-dev21-patch29-6b07bf7\
-DCONFIG_HAPROXY_DATE=\2013/12/17\ -c -o src/listener.o src/listener.c
In file included from src/listener.c:18:0:
include/common/accept4.h:61:8: error: static declaration of 'accept4'
follows non-static declaration
In file included from include/common/accept4.h:29:0,
 from src/listener.c:18:
/srv/owrt/trunk/staging_dir/toolchain-x86_64_gcc-4.7-linaro_eglibc-2.15/lib/gcc/x86_64-openwrt-linux-gnu/4.7.1/../../../../x86_64-openwrt-linux-gnu/sys-include/sys/socket.h:222:12:
note: previous declaration of 'accept4' was here
make[3]: *** [src/listener.o] Error 1
make[3]: Leaving directory
--

It seems that it's not a good idea to include _GNU_SOURCE within eglibc,
because then the prototype
for accept4 is defined as
--
This function is a cancellation point and therefore not marked with
__THROW.  */
extern int accept4 (int __fd, __SOCKADDR_ARG __addr,
                    socklen_t *__restrict __addr_len, int __flags);
#endif
--

I can just remove the corresponding patch. Any other ideas?

cheers
thomas




Re: http-keep-alive broken?

2013-12-30 Thread Thomas Heil


Hi,

On 31.12.2013 00:50, Lukas Tribus wrote:
 Hi,



 Subject: http-keep-alive broken?

 Hi,

 I'm using haproxy ss-20131229 to reverse proxy some windows iis server
 with ntlm-auth enabled (one of them being exchange 2012).

 While I understood that using 'option http-keep-alive' would make
 ntlm-auth work, it doesn't work for me. Are there still some issue with
 http-keep-alive and ntlm-auth?

 Honestly I would just use the default tunnel mode for this, so I don't
 have to think about the NTLM crap when choosing keep-alive/load-balancing
 parameters.

 If you would like to combine NTLM-auth plus keep-alive, I'd propose
enabling:
  option prefer-last-server


http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-option%20prefer-last-server

Yeah that could do the trick. Please also try to set http-keep-alive in
the frontend section.


 Regards,

 Lukas  


cheers
thomas

-- 
Thomas Heil
-
Email: h...@terminal-consulting.de
Tel:   0176 / 44555622
--





Re: proxy protocol for varnish 3.0.5

2013-12-30 Thread Thomas Heil


Hi,

On 30.12.2013 19:00, Baptiste wrote:
 On Mon, Dec 30, 2013 at 6:36 PM, Emmanuel Hocdet m...@gandi.net wrote:

 Hi,

 I have made a patch to add the proxy protocol to Varnish 3.0
 you can find it at  http://varnish.hocdet.net

 Emmanuel


 Brilliant!!!
 I'm going to play with it soon :)

 Baptiste

If we could combine this with http-keep-alive to speed up things, what a
wonderful world this could be.


Thomas





question about server keepalive

2013-12-18 Thread Thomas Heil
Hi,

I have a question about the new feature *server-side keep-alive*
in 1.5dev20 and higher and how it works with
content switching. By enabling this feature, does content switching still
work properly? According
to the Exceliance memo aloha_load_balancer_http_connection_mode_memo2 I
prefer using server-close, so that
HTTP keep-alive is allowed on the client side but disabled on the server
side.

In my default section I have the following parameters:

-
no option httpclose
option http-server-close
no option forceclose
-

So headers are analyzed and the body is scanned. I am unsure how to use
*server-side keep-alive* because I cannot find this option in
http://haproxy.1wt.eu/download/1.5/doc/configuration.txt

Any suggestions?

cheers
thomas


Re: question about server keepalive

2013-12-18 Thread Thomas Heil


Hi,

On 18.12.2013 22:41, Baptiste wrote:
 On Wed, Dec 18, 2013 at 10:19 PM, Thomas Heil
 h...@terminal-consulting.de wrote:
 Hi,

 I have a question according to the new feature server-side keep-alive in
 1.5dev20 and higher and how does it work with
 content switching. By enabling this feature, is content switching still
 working properly? According
 to the exceliance memo aloha_load_balancer_http_connection_mode_memo2 I
 prefer using server-close, so that
 http keepalive is allowed on the client side but disabled on the server
 side.

 In my default section I have the following parameters:

 -
 no option httpclose
 option http-server-close
 no option forceclose
 -

 So headers are analyzed and the body is scanned. I am unsure how to use
 server-side keep-alive because I cannot find this option in
 http://haproxy.1wt.eu/download/1.5/doc/configuration.txt

 Any suggestions?

 cheers
 thomas


 Hi Thomas,

 More information here:

http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4-option%20http-keep-alive

 Baptiste

Yes thank you. I totally missed this part in the documentation. Sorry
for the noise.

cheers
thomas

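The connection-mode question in this thread and the NTLM question in the "http-keep-alive broken?" thread above come down to the same three options, so here is one added example (not from either thread) with both cases side by side: server-close for ordinary content switching, and server-side keep-alive with `option prefer-last-server` for backends that authenticate the TCP connection rather than each request. Addresses and names are placeholders.

```haproxy
# Added example, not from either thread. Addresses and names are placeholders.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  60s
    timeout http-keep-alive 10s

# Case 1: content switching with client-side keep-alive only.
# server-close: every request is analysed (headers, and body where rules
# need it), the server connection is closed after each response, and the
# client connection stays open for the next request.
frontend fe_web
    bind *:80
    option http-server-close
    acl is_api path_beg /api/
    use_backend bk_api if is_api
    default_backend bk_www

backend bk_www
    option http-server-close
    server www1 192.0.2.21:8080 check

backend bk_api
    option http-server-close
    server api1 192.0.2.31:8080 check

# Case 2: backends that authenticate the TCP connection (NTLM on IIS/Exchange).
# Server-side keep-alive keeps the authenticated connection open, and
# prefer-last-server sends the follow-up requests of that connection to the
# server that completed the NTLM handshake instead of load-balancing them.
# The connection-mode options set here override the ones in defaults.
frontend fe_exchange
    bind *:8080
    option http-keep-alive
    default_backend bk_exchange

backend bk_exchange
    option http-keep-alive
    option prefer-last-server
    server ex1 192.0.2.41:80 check
    server ex2 192.0.2.42:80 check
```

Content switching keeps working in case 2 because the backend is chosen per request; prefer-last-server only influences which server inside the chosen backend is used when a connection to it is already open.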



Re: SSL client mode

2013-12-09 Thread Thomas Heil
Hi,

On 08.12.2013 21:34, Igor wrote:
 Hi, it may like stunnel's client mode.

 In haproxy, we may get like this to terminate SSL server to HTTP server.

 listen http
  bind: 80
  mode ssl-client
  use-server sslsrv 127.0.0.1:443
I think this should work
--
listen http :80
  mode http
  server sslsrv 127.0.0.1:443 ssl
--

As Lukas mentioned haproxy-devel has a builtin for client ssl mode.

cheers
thomas
 Bests,
 -Igor


 On Mon, Dec 9, 2013 at 4:25 AM, Lukas Tribus luky...@hotmail.com wrote:
 Hi Igor,

 For testing and bench purpose, client mode like stud[1] would be
 useful, any plan to implement this feature?
 Not sure what that means, can you elaborate on the use case?

 SSL encrypted backend connections are already supported.


 Regards,
 Lukas



-- 
Thomas Heil
-
! note my new number !
Skype: phiber.sun
Email: h...@terminal-consulting.de
Tel:   0176 / 44555622
--

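As an added example (not from the thread), here is the `server ... ssl` form suggested above with its default verification setting shown explicitly, next to a hardened version. Paths, hostname and addresses are placeholders.

```haproxy
# Added example, not from the thread. Paths, hostname and addresses are placeholders.
global
    # Apply "verify required" to every "server ... ssl" line that does not
    # set verify itself (HAProxy 1.5 otherwise defaults to "verify none").
    ssl-server-verify required

listen http_to_ssl_backend
    bind *:80
    mode http

    # Weak: no certificate validation at all. Whatever answers on the path
    # to 127.0.0.1:443 is accepted, so the TLS hop only hides the traffic
    # from passive observers.
    # server sslsrv 127.0.0.1:443 ssl verify none

    # Hardened: the chain must validate against the named CA bundle and the
    # certificate must be issued for the expected name.
    server sslsrv 127.0.0.1:443 ssl verify required ca-file /etc/ssl/certs/backend-ca.pem verifyhost backend.example.com check
```

With `verifyhost` the name is checked against the certificate even though the connection goes to a loopback address, so a certificate swapped in on the backend side is rejected rather than silently accepted.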



Re: New bug?

2013-12-09 Thread Thomas Heil
Hi,

On 09.12.2013 20:14, Igor wrote:
 Hi, after upgraded to haproxy-ss-20131207, haproxy failed to start due
 to the errors:

 [ALERT] 343/024837 (19081) : parsing [/etc/haproxy/conf.conf:15] :
 error detected while parsing a 'rspideny' condition : missing args for
 fetch method 'table_cnt' in sample expression 'table_cnt'.

 [ALERT] 343/024837 (19081) : parsing [/etc/haproxy/conf.conf:19] :
 error detected while parsing ACL 'too_fast' : missing args for fetch
 method 'fe_sess_rate' in sample expression 'fe_sess_rate'.

 [ALERT] 343/024837 (19081) : parsing [/etc/haproxy/conf.conf:23] :
 'tcp-request content accept' : error detected in frontend
 'zorayoyo9881' while parsing 'if' condition : no such ACL : 'too_fast'
Could you please send us the output of
haproxy -vv
and maybe your config after cleaning up any confidential data?

 Bests,
 -Igor

cheers
thomas




Re: Log format: use host name instead of IP

2013-12-03 Thread Thomas Heil
Hi,

On 03.12.2013 11:36, Jürgen Haas wrote:
 Anyone who could help me with this one, please?

I think you want to log the Host header? If so, please try
--
frontend section
..
capture request header Host len 50
--

cheers
thomas

 On 28.11.2013 14:27, Jürgen Haas wrote:
  Hi all,

  Not sure if I'm facing a HaProxy or a Syslog issue here. It's
  about the log file format where all my log files like syslog or
  error.log from apache are showing the host name as the second field
  where HaProxy's log file shows the IP address 127.0.0.1.

  Example of syslog: Nov 28 14:17:01 txr1 CRON[31410]: (root) CMD
  (...)

  Example of haproxy.log: Nov 28 13:31:56 127.0.0.1 haproxy[28786]:
  ..

  So the first example uses txr1 where the second uses
  127.0.0.1.

  My haproxy config files is simply defined like this:

  global daemon log txr1:514 local0 warning 

  defaults log global option httplog option dontlog-normal option
  dontlognull 

  What am I doing wrong? Can it be fixed or changed so that I get
  the host name also in the haproxy log?

  Reason being is that I forward all logs to a log aggregator and
  they group the logs by host. If stuff is grouped by 127.0.0.1 it
  doesn't make a lot of sense because that could be any host.


  Thanks Jürgen









Re: Log format: use host name instead of IP

2013-12-03 Thread Thomas Heil
Hi,

On 03.12.2013 17:03, Jürgen Haas wrote:
 No, I want to have the hostname of the server which is running HaProxy
 in the log instead of 127.0.0.1

According to http://haproxy.1wt.eu/download/1.5/doc/configuration.txt
log-send-hostname [string] could be what you want.

cheers
thomas


 On 03.12.2013 15:27, Thomas Heil wrote:
  Hi,

  On 03.12.2013 11:36, Jürgen Haas wrote:
  Anyone who could help me with this one, please?
 
  I think you want to log the Host header? If so please try --
  frontend section .. capture request header Host len 50 --

  cheers thomas

  On 28.11.2013 14:27, Jürgen Haas wrote:
  Hi all,
 
  Not sure if I'm facing a HaProxy or a Syslog issue here. It's
  about the log file format where all my log files like syslog
  or error.log from apache are showing the host name as the
  second field where HaProxy's log file shows the IP address
  127.0.0.1.
 
  Example of syslog: Nov 28 14:17:01 txr1 CRON[31410]: (root)
  CMD (...)
 
  Example of haproxy.log: Nov 28 13:31:56 127.0.0.1
  haproxy[28786]: ..
 
  So the first example uses txr1 where the second uses
  127.0.0.1.
 
  My haproxy config files is simply defined like this:
 
  global daemon log txr1:514 local0 warning 
 
  defaults log global option httplog option dontlog-normal
  option dontlognull 
 
  What am I doing wrong? Can it be fixed or changed so that I
  get the host name also in the haproxy log?
 
  Reason being is that I forward all logs to a log aggregator
  and they group the logs by host. If stuff is grouped by
  127.0.0.1 it doesn't make a lot of sense because that could
  be any host.
 
 
  Thanks Jürgen
 
 
 
 

  -- Thomas Heil - ! note my new number ! Skype: phiber.sun Email:
  heil-bgnlbvq18kq8r51topun21kkb15w2...@public.gmane.org Tel:   0176
  / 44555622 --









Re: maxconn issue on openbsd 5.3

2013-10-07 Thread Thomas Heil
Hi,


On 08.10.2013 01:49, Sven Liedtke wrote:
 Hi,

 I seem to have issues getting haproxy to run with more than maxconn
 1024 on openbsd 5.3

You have to change Makefile.bsd
--
SMALL_OPTS = -DBUFSIZE=8030 -DMAXREWRITE=1030 -DSYSTEM_MAXCONN=1024
--
e.g to
--
SMALL_OPTS = -DBUFSIZE=16060 -DMAXREWRITE=10300 -DSYSTEM_MAXCONN=65530
--

Don't forget to run make clean.

 Even though i have:

 root@proxytest [haproxy] # sysctl | grep maxfiles
 kern.maxfiles=2

 root@proxytest [haproxy] # ulimit -n
 2

 and in haproxy.cfg:
 global
 log /dev/log local0 debug
 log /dev/log local1 info
 maxconn 4096
 #chroot /usr/share/haproxy
 user root
 group wheel
 daemon

 This is happening with 1.4.24 and 1.5-dev19

 Anyone an idea?

and maybe some ulimits
--
ulimit -d 3048576
ulimit -f 138192
ulimit -n 165500
ulimit -u 165500
--

and some sysctl values
--
kern.maxfiles=90001
kern.maxproc=90001
kern.maxlocksperuid=11
kern.maxclusters=11
kern.somaxconn=32001
--

Be careful with PCRE. Maybe you have to set REGEX=... to whatever is working.

If you use pf, then don't use scrub. It's nearly the same as using conntrack
with Linux.

 Regards,
 Sven


hope that helps you a bit.

cheers
thomas



Re: maxconn issue on openbsd 5.3

2013-10-07 Thread Thomas Heil
Hi,

 On 08.10.2013 at 03:10, Sven Liedtke senzli...@gmail.com wrote:
 
 Hi,
 
 thanks for the help, but it seems that didn't fix it.
 I changed the Makefile.bsd as advised and with the new build
 I at least don't get the error message anymore when I try
 maxconn anything higher than 1024.
 I also applied the sysctl and ulimit changes.
 
 The problem is when I run apachebench against the haproxy it still
 starts to choke when it's hitting maxconn 1024 levels.
 
Could you please send your config?

 While that is happening cpu load is at 5%.
 
 I have three backend servers from which i know they each can sustain
 about 5000 concurrent connections with ease so its not the backend either.
 
 This is the output of haproxy -vv
 
 root@proxytest [haproxy-1.5-dev19] # haproxy -vv
 HA-Proxy version 1.5-dev19 2013/06/17
 Copyright 2000-2013 Willy Tarreau w...@1wt.eu
 
 Build options :
  TARGET  = openbsd
  CPU = native
  CC  = gcc
 
 Default settings :
  maxconn = 65530, bufsize = 8030, maxrewrite = 10300, maxpollevents = 200
 
 Encrypted password support via crypt(3): no
 Built without zlib support (USE_ZLIB not set)
 Compression algorithms supported : identity
 Built without OpenSSL support (USE_OPENSSL not set)
 Built with PCRE version : 8.31 2012-07-06
 PCRE library supports JIT : no (USE_PCRE_JIT not set)
 Built with transparent proxy support using: SO_BINDANY
 
 Available polling systems :
 kqueue : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
 Total: 3 (3 usable), will use kqueue.
 
Looks okay to me.
 
 On 10/7/2013 6:17 PM, Thomas Heil wrote:
 Hi,
 
 
 On 08.10.2013 01:49, Sven Liedtke wrote:
 Hi,
 
 I seem to have issues getting haproxy to run with more than maxconn
 1024 on openbsd 5.3
 You have to change Makefile.bsd
 --
 SMALL_OPTS = -DBUFSIZE=8030 -DMAXREWRITE=1030 -DSYSTEM_MAXCONN=1024
 --
 e.g to
 --
 SMALL_OPTS = -DBUFSIZE=16060 -DMAXREWRITE=10300 -DSYSTEM_MAXCONN=65530
 --
 
 Don't forget to run make clean.
 
 Even though i have:
 
 root@proxytest [haproxy] # sysctl | grep maxfiles
 kern.maxfiles=2
 
 root@proxytest [haproxy] # ulimit -n
 2
 
 and in haproxy.cfg:
 global
 log /dev/log local0 debug
 log /dev/log local1 info
 maxconn 4096
 #chroot /usr/share/haproxy
 user root
 group wheel
 daemon
 
 This is happening with 1.4.24 and 1.5-dev19
 
 Anyone an idea?
 and maybe some ulimits
 --
 ulimit -d 3048576
 ulimit -f 138192
 ulimit -n 165500
 ulimit -u 165500
 --
 
 and some sysctl values
 --
 kern.maxfiles=90001
 kern.maxproc=90001
 kern.maxlocksperuid=11
 kern.maxclusters=11
 kern.somaxconn=32001
 --
 
 Be careful with PCRE. Maybe you have to set REGEX=... to whatever is working.
 
 If you use pf, then don't use scrub. It's nearly the same as using conntrack
 with Linux.
 
 Regards,
 Sven
 hope that helps you a bit.
 
 cheers
 thomas
 
 
 



Re: Balancing between multiple backends from a single frontend?

2013-09-12 Thread Thomas Heil
Hi,

How about this approach?

backend be_1_and_be_2
   balance roundrobin
   mode http
   server 01 127.0.0.1:81 track BE_1/server1 send-proxy maxconn 4
   server 02 127.0.0.1:82 track BE_2/server3 send-proxy maxconn 4

frontend fe_be_1
bind 127.0.0.1:81 accept-proxy id 1
mode http
default_backend BE_1

frontend fe_be_2
bind 127.0.0.1:82 accept-proxy id 2
mode http
default_backend BE_2

backend BE_1
server server1 1.2.3.1 maxconn 2
server server2 1.2.3.2 maxconn 2

backend BE_2
server server3 1.2.3.3 maxconn 2
server server4 1.2.3.4 maxconn 2


cheers,
thomas

On 12.09.2013 19:27, Baptiste wrote:
 backend BE_1
 server server1 1.2.3.1 maxconn 2
 server server2 1.2.3.2 maxconn 2

 backend BE_2
 server server3 1.2.3.3 maxconn 2
 server server4 1.2.3.4 maxconn 2

 frontend FE_1
 default_backend BE_1

 frontend FE_2
 default_backend BE_2

 So far so good, but now I need to add another frontend that balances
 between all 4 servers, something like:

 frontend FE_1
 default_backend BE_1
 default_backend BE_2




Re: Load Balance individual requests

2013-08-28 Thread Thomas Heil
Hi

Did you know this one?
http://www.exceliance.fr/sites/default/files/biblio/appnotes_0061_lync_2010_deployment_guide_en.pdf

cheers

Thomas Heil


On 28.08.2013 at 21:29, Ozgur Tas o...@morrisonhershfield.com wrote:

 We are just using to load balance a Front-End pool in Lync 2010.
 
 Each local Lync branch servers have one failover pool assigned, which is the 
 load balanced pool at datacenter (2 servers at datacenter).  And these two 
 front end servers is load-balanced using haproxy ( ports 80, 443, 8080, 4443 
 ).
 
 ~~~some info:
 The following settings should be configured on your hardware load balancer to 
 properly load balance requests for Lync Web Services:
 •For internal Web Services virtual IPs (VIPs), set source_addr persistence 
 (internal port 80, 443) on the hardware load balancer. For Lync Server 2010, 
 source_addr persistence indicates that multiple connections coming from a 
 single IP address are always sent to one server to maintain session state.
 •For external Web Services virtual IPs (VIPs), set cookie-based persistence 
 on a per port basis for external ports 4443, 8080 on the hardware load 
 balancer. For Lync Server 2010, cookie-based persistence indicates that 
 multiple connections from a single client are always sent to one server to 
 maintain session state. To configure cookie-based persistence, the load 
 balancer must decrypt and re-encrypt SSL traffic. Therefore, any certificate 
 assigned to the external web service FQDN must also be assigned the 4443 VIP 
 of the hard load balancer.
 ◦Cookies must not be set to HTTP only.
 ◦Cookies must not be configured with an expiration time.
 ◦Cookies must be configured to filter on ‘MS WSMAN’.
 ◦Cookies must be set in every HTTP response for which the incoming HTTP 
 request did not have a cookie, regardless of whether a previous HTTP response 
 on that same TCP connection had already obtained a cookie. If the Load 
 Balancer optimizes cookie insert to only occur once per TCP connection, that 
 optimization MUST NOT be used.
 •If a reverse proxy is used, set the Forward host header to True in the 
 reverse proxy publishing rule for port 4443. This will ensure that the 
 original URL is forwarded to the target web server.
 ~~~
 http://blogs.technet.com/b/nexthop/archive/2011/11/03/hardware-load-balancer-requirements-for-lync-server-2010.aspx
 
 -Original Message-
 From: Lukas Tribus [mailto:luky...@hotmail.com] 
 Sent: Wednesday, August 28, 2013 1:41 PM
 To: Kevin C
 Cc: haproxy@formilux.org
 Subject: RE: Load Balance individual requests
 
 Yes, Lync uses SIP and HTTPS.
 
 HAProxy can't load balance UDP based SIP.
 
 
 
 The documentation says that HAProxy must load balance individual 
 requests within a TCP session and make persistence with a cookie.
 
 This implies however that HAProxy has to offload SSL. So the certificate 
 needs to be installed on the HAProxy box.
 
 
 Lukas 


Re: haproxy is not rewriting the Host header in subsequent request

2013-07-01 Thread Thomas Heil
Hi,

On 01.07.2013 09:31, Hudec Peter wrote:
 Hi all,

 I'm trying to replace the nginx setup with haproxy, which seems to be
 more suitable for our purposes.

 In our setup there are several development servers hidden behind the HA
 PROXY. The development servers are copies of the template. On the NGINX
 I'm doing the Host header rewrite:

 client --> www04.devel.domain.com --> nginx --> www.devel.domain.com
 --> www04.dev.(server)

 Each of the devel servers is able to handle the domain www.devel.domain.com;
 nginx is rewriting the

 Nginx configuration looks like /only relevant parts .../
 server {
   server_name www04.devel.domain.com;
 proxy_redirect off;
   proxy_set_header   Host www.devel.domain.com;
   proxy_set_header   X-Real-IP$remote_addr;
   proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
   proxy_set_header   X-Forwarded-Proto $scheme;


 location / {
   proxy_pass http://backend_domain_www_servers_devel04;
   proxy_redirect http://www.devel.domain.com/ https://$host/;
   }
 }

 For HAPROXY I tried this

 backend devel-web04
   reqrep ^Host:   Host:\ www.devel.domain.com
   rspirep ^(.*)www.devel.domain.com(.*) \1www04.devel.domain.com\2
   server  web04.dev 192.168.30.79:80 maxconn 32


 The problem is that only the first request is rewritten from
 www04.devel.domain.com to www.devel.domain.com. All subsequent requests do
 not pass the rewrite rule.


 Could someone please help me figure out where the problem is?
Looks like you forgot option http-server-close. This way HAProxy works
in tunnel mode.
Try to put it into
--
defaults
..
option http-server-close
..



   Best regards
   Peter Hudec

cheers
thomas
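
A probe for the symptom above (only the first request on a connection gets rewritten), added here and not taken from the thread: it sends several requests over one persistent connection and reports the Host header the backend saw for each, which makes the tunnel-mode behaviour of a missing option http-server-close visible. The embedded echo origin, the host names and the port are constructed stand-ins; when pointed at HAProxy, the real backend has to echo the Host header it received in the same way.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class HostEchoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the origin server: it answers every GET with the
    Host header it received, and counts connections and requests."""
    protocol_version = "HTTP/1.1"   # keep-alive: one TCP connection can carry several requests
    counters = {"connections": 0, "requests": 0}

    def handle(self):
        self.counters["connections"] += 1   # handle() runs once per TCP connection
        super().handle()

    def do_GET(self):
        self.counters["requests"] += 1      # handle_one_request() runs once per request
        body = (self.headers.get("Host") or "").encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def start_echo_server():
    """Start the echo origin on a random loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), HostEchoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def echo_counters():
    """Copy of the connection/request counters of the echo origin."""
    return dict(HostEchoHandler.counters)


def hosts_seen_by_backend(host, port, request_host, count=2):
    """Send `count` GETs over ONE persistent connection to host:port (HAProxy, or
    the echo origin directly) and return the Host header the backend reported
    for each request."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    seen = []
    try:
        for _ in range(count):
            # http.client reuses the socket as long as the server keeps it open
            conn.request("GET", "/", headers={"Host": request_host})
            resp = conn.getresponse()
            seen.append(resp.read().decode())
    finally:
        conn.close()
    return seen


def rewrite_applied_to_all(seen, backend_host):
    """True only if every request on the connection reached the backend with the
    rewritten Host; a result like [rewritten, original, original] is the
    tunnel-mode symptom from the thread."""
    return bool(seen) and all(h == backend_host for h in seen)


if __name__ == "__main__":
    server, port = start_echo_server()
    # Point host/port at HAProxy to test the real setup; here they target the echo origin.
    seen = hosts_seen_by_backend("127.0.0.1", port, "www04.devel.domain.com", count=3)
    print(seen, echo_counters())
    print("rewritten on every request:", rewrite_applied_to_all(seen, "www.devel.domain.com"))
    server.shutdown()
```

Run against HAProxy with an echoing backend: if only the first entry shows the rewritten name, the later requests on that connection are passing through untouched in tunnel mode.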



question about sni

2013-06-27 Thread Thomas Heil
Hi,

I would like to evaluate SNI. Is there a possibility to log errors from
clients, so we could get a feeling
how many clients cannot cope with SNI?


thanks,
thomas



Re: question about sni

2013-06-27 Thread Thomas Heil
Hi,

On 27.06.2013 15:51, Baptiste wrote:
 Hi,

 You can log the SNI: log-format %[ssl_fc_sni]
I'll try that.
Thanks a lot.
 Baptiste

thomas
 On Thu, Jun 27, 2013 at 2:41 PM, Thomas Heil
 h...@terminal-consulting.de wrote:
 Hi,

 I would like to evaluate SNI. Is there a possibility to log errors from
 clients, so we could get a feeling
 how many clients cannot cope with SNI?


 thanks,
 thomas
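
As an added example (not from the thread) of what the logged %[ssl_fc_sni] field can answer: the script below counts requests that arrived without a server name against those with one, per name and per client, on constructed log lines written in the assumed log-format shown in the code.

```python
import re
from collections import Counter

# Assumed log-format (not from the thread) that gives the SNI sample its own field:
#   log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %ST\ sni=%[ssl_fc_sni]\ %r
# HAProxy writes an empty or unavailable sample as "-", so a client that sent no
# SNI shows up as "sni=-".
LINE_RE = re.compile(
    r'^(?P<ip>\S+):\d+ \[[^\]]+\] (?P<fe>\S+) (?P<be>\S+) (?P<status>\S+) '
    r'sni=(?P<sni>\S+) "(?P<req>[^"]*)"$'
)

# Constructed sample lines; the last one uses an older format without the sni field.
SAMPLE_LOG_LINES = [
    '10.0.0.5:51234 [27/Jun/2013:15:51:02.123] fe_https be_app/srv1 200 sni=www.example.com "GET / HTTP/1.1"',
    '10.0.0.6:51235 [27/Jun/2013:15:51:03.456] fe_https be_app/srv2 200 sni=- "GET /login HTTP/1.1"',
    '10.0.0.7:40001 [27/Jun/2013:15:51:04.789] fe_https be_app/srv1 200 sni=shop.example.com "GET /cart HTTP/1.1"',
    '10.0.0.6:51240 [27/Jun/2013:15:51:05.012] fe_https be_app/srv2 302 sni=- "GET /login HTTP/1.1"',
    '10.0.0.8:40002 [27/Jun/2013:15:51:06.345] fe_https be_app/srv1 200 sni=WWW.example.com "GET /a HTTP/1.1"',
    '10.0.0.9:40003 [27/Jun/2013:15:51:09.000] fe_https be_app/srv2 200 "GET / HTTP/1.1"',
]


def sni_stats(lines):
    """Count requests with and without SNI; return per-name counts and the
    client IPs that never presented a server name."""
    stats = {
        "total": 0, "unparsed": 0, "with_sni": 0, "without_sni": 0,
        "names": Counter(), "clients_without_sni": set(),
    }
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            stats["unparsed"] += 1      # lines in another log-format are skipped, not guessed
            continue
        stats["total"] += 1
        sni = m.group("sni")
        if sni in ("-", ""):
            stats["without_sni"] += 1
            stats["clients_without_sni"].add(m.group("ip"))
        else:
            stats["with_sni"] += 1
            stats["names"][sni.lower()] += 1   # server names are case-insensitive
    total = stats["total"]
    stats["without_sni_share"] = stats["without_sni"] / total if total else 0.0
    return stats


if __name__ == "__main__":
    s = sni_stats(SAMPLE_LOG_LINES)
    print(f"{s['without_sni']}/{s['total']} requests without SNI "
          f"({s['without_sni_share']:.0%}) from {sorted(s['clients_without_sni'])}")
```

Connections without SNI also come from scanners and from clients that connect by IP address, so check the client list before reading the share as "browsers that cannot do SNI".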






Re: Redirect traffic to https

2013-06-26 Thread Thomas Heil
Hi,

On 26.06.2013 11:50, Ciprian Roman wrote:
 Hi guys,

 I am using the 1.4 version of HAProxy to balance a list of
 applications served from different domains. I want to use only https,
 so I want to redirect all http requests to https.

 In the documentation I saw how to redirect to a specific prefix, but I
 want to do that for all domains, so that when a new domain is needed,
 I don't have to update the HAProxy documentation.

We do it like this:
--
frontend fe_foo_bar
bind 141.1.1.2:80
#traffic to port 80
bind 127.0.0.1:10447 id 11
#traffic from stunnel, stud or pound
acl ssl-proxy so_id 11
acl acl_foo_bar hdr_reg(host) -i ^www\.foo-bar.*
redirect prefix https://www.foo-bar.de if acl_foo_bar !ssl-proxy
--


 Also, I want to redirect urls like: https://mydomain.com to
 https://mydomain.com/login_page. I have tried to use path_beg, but I
 don't know how to specify the empty path.

now you would declare something like this

--
acl empty_prefix path_reg ^/*$
redirect code 302 prefix /login.page   if empty_prefix
--

and ensure that this would happen only if https is selected like this
-
acl empty_prefix path_reg ^/*$
redirect code 302 prefix /login.page   if empty_prefix ssl-proxy
-


 Can you give me some pointers for these two tasks?

 Regards,
 Ciprian

hope that helps,

cheers
thomas



Re: keepalive + content-switching

2013-06-26 Thread Thomas Heil
Hi,

On 26.06.2013 11:38, bjun...@gmail.com wrote:
 Hi folks,


 we want to use http keep-alive + content-switching with HAProxy.


 I would like to ask if it's safe to use content-switching with http
 keep-alive when we use option http-server-close ?

This scenario is called server-close. You need to set the following:
--
 no option httpclose
 option http-server-close
 no option forceclose
--


 We want to use content-switching with standard matching criteria (
 hdr_dom(host), url_reg ).

This will still work with the above. Detailed information can be found
under
http://www.exceliance.fr/sites/default/files/biblio/aloha_load_balancer_http_connection_mode_memo2.pdf



 HAProxy 1.4.24

 ---
 Bjoern


cheers,
thomas



Re: Redirect traffic to https

2013-06-26 Thread Thomas Heil
Hi,

On 26.06.2013 15:44, Ciprian Roman wrote:
 Hi,

 I want to avoid something like this:

acl acl_foo_bar hdr_reg(host) -i ^www\.foo-bar.*
redirect prefix https://www.foo-bar.de if acl_foo_bar !ssl-proxy

This is possible with haproxy 1.5dev13 and higher
-
http-request redirect scheme https if !{ ssl_fc }
-
 If I have 10 different domains I will have 10 sections like that. Is
 it possible to make those two commands generic?

 Thanks for the empty_prefix solution, it works.


you could use a dummy backend e.g. with lighttpd that just redirects
everything and point your http requests to it.

 Regards,
 Ciprian

cheers
thomas

 On Wed, Jun 26, 2013 at 2:51 PM, Thomas Heil
 h...@terminal-consulting.de wrote:

 Hi,

 On 26.06.2013 11:50, Ciprian Roman wrote:
  Hi guys,
 
  I am using the 1.4 version of HAProxy to balance a list of
  applications served from different domains. I want to use only
 https,
  so I want to redirect all http requests to https.
 
  In the documentation I saw how to redirect to a specific prefix,
 but I
  want to do that for all domains, so that when a new domain is
 needed,
  I don't have to update the HAProxy documentation.
 
 We do it like this:
 --
 frontend fe_foo_bar
 bind 141.1.1.2:80
 #traffic to port 80
 bind 127.0.0.1:10447 id 11
 #traffic from stunnel, stud or pound
 acl ssl-proxy so_id 11
 acl acl_foo_bar hdr_reg(host) -i ^www\.foo-bar.*
 redirect prefix https://www.foo-bar.de if acl_foo_bar
 !ssl-proxy
 --


  Also, I want to redirect urls like: https://mydomain.com to
  https://mydomain.com/login_page. I have tried to use path_beg, but I
  don't know how to specify the empty path.
 
 now you would declare something like this

 --
 acl empty_prefix path_reg ^/*$
 redirect code 302 prefix /login.page   if empty_prefix
 --

 and ensure that this would happen only if https is selected like this
 -
 acl empty_prefix path_reg ^/*$
 redirect code 302 prefix /login.page   if empty_prefix ssl-proxy
 -


  Can you give me some pointers for these two tasks?
 
  Regards,
  Ciprian

 hope that helps,

 cheers
 thomas





sticky persistence jsessionid

2013-06-25 Thread Thomas Heil
Hi,

I have the following settings in a backend
--
balance uri
hash-type consistent
#appsession JSESSIONID len 120 timeout 360min request-learn

stick-table type string len 32 size 1M expire 360m
stick store-response set-cookie(JSESSIONID)

stick on cookie(JSESSIONID) if { hdr_sub(Cookie) JSESSIONID }
stick on url_param(JSESSIONID,;) if { url_sub JSESSIONID }
stick on url_param(jsessionid,;) if { url_sub jsessionid }
--

This works well for the first hour, but then it seems that persistence
doesn't work anymore. Is there anything wrong
with this config?

I am running haproxy 1.5dev18patch56.

The output of haproxy -vv is
--
root@ww-router-01:~# haproxy -vv
HA-Proxy version 1.5-dev18-patch56 2013/06/10
Copyright 2000-2013 Willy Tarreau w...@1wt.eu

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = x86_64-openwrt-linux-gnu-gcc
  CFLAGS  = -O2 -march=x86-64 -pipe -fomit-frame-pointer
-fno-align-jumps -fno-align-functions -fno-align-labels -fno-align-loops
-pipe -fomit-frame-pointer -fhonour-copts -DBUFSIZE=16384
-DMAXREWRITE=1030 -DSYSTEM_MAXCONN=165530
  OPTIONS = USE_LINUX_SPLICE=1 USE_LINUX_TPROXY=1 USE_ZLIB=yes
USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 165530, bufsize = 16384, maxrewrite = 1030, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.11 2010-12-10
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT
IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.
--

Any hints or suggestions?

cheers
thomas




Re: sticky persistence jsessionid

2013-06-25 Thread Thomas Heil
Hi,

On 25.06.2013 15:18, Baptiste wrote:
 Hi Thomas,

 Have you enabled http-close or http-server-close option?
Yes, in the default section

defaults   
option  http-server-close
option  forceclose

Thomas
 Baptiste

 On Tue, Jun 25, 2013 at 3:05 PM, Thomas Heil
 h...@terminal-consulting.de wrote:
 Hi,

 I have the following settings in a backend
 --
 balance uri
 hash-type consistent
 #appsession JSESSIONID len 120 timeout 360min request-learn

 stick-table type string len 32 size 1M expire 360m
 stick store-response set-cookie(JSESSIONID)

 stick on cookie(JSESSIONID) if { hdr_sub(Cookie) JSESSIONID }
 stick on url_param(JSESSIONID,;) if { url_sub JSESSIONID }
 stick on url_param(jsessionid,;) if { url_sub jsessionid }
 --

 This works well for the first hour, but then it seems that persistence
 doesn't work anymore. Is there anything wrong
 with this config?

 I am running haproxy 1.5dev18patch56.

 The output of haproxy -vv is
 --
 root@ww-router-01:~# haproxy -vv
 HA-Proxy version 1.5-dev18-patch56 2013/06/10
 Copyright 2000-2013 Willy Tarreau w...@1wt.eu

 Build options :
   TARGET  = linux2628
   CPU = generic
   CC  = x86_64-openwrt-linux-gnu-gcc
   CFLAGS  = -O2 -march=x86-64 -pipe -fomit-frame-pointer
 -fno-align-jumps -fno-align-functions -fno-align-labels -fno-align-loops
 -pipe -fomit-frame-pointer -fhonour-copts -DBUFSIZE=16384
 -DMAXREWRITE=1030 -DSYSTEM_MAXCONN=165530
   OPTIONS = USE_LINUX_SPLICE=1 USE_LINUX_TPROXY=1 USE_ZLIB=yes
 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

 Default settings :
   maxconn = 165530, bufsize = 16384, maxrewrite = 1030, maxpollevents = 200

 Encrypted password support via crypt(3): yes
 Built with zlib version : 1.2.7
 Compression algorithms supported : identity, deflate, gzip
 Built with OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
 Running on OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
 OpenSSL library supports TLS extensions : yes
 OpenSSL library supports SNI : yes
 OpenSSL library supports prefer-server-ciphers : yes
 Built with PCRE version : 8.11 2010-12-10
 PCRE library supports JIT : no (USE_PCRE_JIT not set)
 Built with transparent proxy support using: IP_TRANSPARENT
 IPV6_TRANSPARENT IP_FREEBIND

 Available polling systems :
   epoll : pref=300,  test result OK
poll : pref=200,  test result OK
  select : pref=150,  test result OK
 Total: 3 (3 usable), will use epoll.
 --

 Any hints or suggestions?

 cheers
 thomas







Re: sticky persistence jsessionid

2013-06-25 Thread Thomas Heil
Hi Lukas,

On 25.06.2013 17:25, Lukas Tribus wrote:
 Hi Thomas,

 This works well for the first hour but then it seems that persistence
 doesnt work anymore.
 Perhaps the jsessionid cookie is valid for only one hour? Perhaps the
 server doesn't update the cookie's expiration date/time on every request,
 so 1 hour after login the cookie is flushed and a new jsessionid is
 assigned?
the cookie is valid until the browser is closed.
 You will have to analyze what happens on layer 7 (and compare it with
 your stick tables if necessary, but they seem to have a expiration
 of 6 hours, so it doesn't match the 1 hour problem).

Well, you're right. But do you see anything wrong in my config?


 Regards,

 Lukas   
cheers
thomas



Re: GIT clone fails, how to proceed?

2013-06-23 Thread Thomas Heil
Hi,

On 23.06.2013 15:55, Willy Tarreau wrote:
 Guys, I found a workaround which seems to be working quite well at the
 moment. For some reason the kernel seems to ignore the max TCP window
 size when GSO is enabled on the interface, resulting in hundreds of kB
 in flight which take ages to recover in case of losses => haproxy sees
 nothing move and finally times out. Disabling GSO on that interface
 completely fixed the issue, now the socket's send queues are reasonable
 and match the configuration and I've not seen a timeout for the last
 hour. There were always a few per hour previously that I always attributed
 to the clients!

 So I think it's really fixed now.
I can confirm that.
Thanks a lot.
 Cheers,
 Willy




thomas



Re: further tweaking SSL score on the SSL LABS test

2013-06-20 Thread Thomas Heil
Hi,


On 20.06.2013 19:20, shouldbe q931 wrote:
 ciphers RC4-SHA:AES128-SHA:AES256-SHA
The problem with this cipher choice, as well as with
'RC4:HIGH:!aNULL:!MD5', is that the browser then uses RC4 with at most 128 bit.
So AES256-SHA (TLS_RSA_WITH_AES_256_CBC_SHA) is never used by the
browser.

If this would work it should raise your score.

cheers
thomas


Re: HAProxy for failover

2013-06-18 Thread Thomas Heil
Hi,

There was a nice tutorial at
http://www.alexwilliams.ca/blog/2009/08/10/using-haproxy-for-mysql-failover-and-redundancy/

But instead of doing such complex things, please try if galera cluster
for mysql is suitable for you.

cheers
thomas

On 06/18/13 13:51, Nenad Merdanovic wrote:
 Hello,

 There is no nice way of doing this in HAproxy that would show you that
 the server is down (in the Web GUI for example). You can only check
 where the traffic is going using the socket or the Web GUI and if the
 failover occurred you will see traffic going to the 'backup' server.

 If you are using a single HAproxy node you can just put rise 999 on
 the server line for the master and it would be enough.

 If not, your only hope is HAproxy 1.5-dev and using stick tables with peers:

 In your MySQL backend you would add:
 stick-table type ip size 10k peers mylbs
 stick on dst

 And add another section:

 peers mylbs
 peer peer1 10.0.0.1:1234
 peer peer2 10.0.0.2:1234
   ...

 Cleanest way of doing this, as discussed with Willy, would be to create
 a health agent on each MySQL server that would be 'intelligent' and
 aware of what's going on. Then you would send checks to it instead of
 MySQL and it would reply depending on the current status. I will likely
 create one in the near future for my own needs, so will share it here.

 Hope this helps.
 On 06/18/2013 01:38 PM, Jayadevan M wrote:
 Hello all,

  

 I am using HAProxy for MYSQL failover. It is a MySQL master-slave
 replication environment. When master is UP, all reads and writes go to
 master. In case the master is down, reads and writes will go to the
 slave. Once the master is down and HAProxy redirects all reads/writes to
 the slave, we do not want any writes/reads to go to the master even if
 it comes up automatically. We want to ensure that there will be some
 kind of manual intervention before a master, once marked down, gets
 requests again. Is this possible?

  

  

 Regards,

 Jayadevan

  



 Regards,




Re: Question about HTTP load balancing using HAProxy

2013-06-03 Thread Thomas Heil
Hi

On 03.06.2013 23:36, Ali Majdzadeh wrote:
 Hello All,
 I am totally new to HAProxy. What I am looking for is a solution for
 HTTP load balancing and according to what I have read about HAProxy, I
 think this is the right choice.
There are a lot of cases where haproxy is fine.
 Concerning HTTP, HAProxy is session-aware.
HAProxy supports different methods for persistence, e.g. Cookie insertion.

 Does this mean that all the requests initiated from a specific client
 goes only to a specific back-end server?
That is what persistence should do.

 What happens if suddenly the back-end server fails? For example,
 suppose that a user is downloading a file from a back-end web server
 and the same file exists on another back-end web server.
I think it will cause the download to be aborted, but I am not 100% sure.
You can tell haproxy to break persistence in the case of a failure.

 The load on these two servers is balanced by HAProxy. Now, what
 happens if the first web server dies whilst the file is being
 downloaded? Does the download continues from the second server from
 where it was interrupted? I am not sure whether I have got the correct
 understanding of session-awareness feature in HAProxy. I do appreciate
 your comments.
session awareness needs to be done at application level, e.g. you could
have a central memcache or database that stores your session data. In
case of a failure, the next
request could go to another server, which explicitly breaks persistence.
But because you have a central session store that doesn't matter.

Please have a look at http://code.google.com/p/haproxy-docs/wiki/redispatch

As I said earlier, if you have a download and the server dies, this will
cause the download to be aborted. And this has nothing to do with
session awareness.

 Thanks in advance.
  
 Ali Majdzadeh Kohbanani
 Managing Director
 Abshar Data Processing

 Tel: +982144160700
 Tel/Fax: +982144160701
 Cell: +989123614728
 majdza...@abshar.biz
 http://www.abshar.biz

cheers,
thomas


Re: 1.5-dev .spec File Issues

2013-05-06 Thread Thomas Heil
Hi Clayton,


On 06.05.2013 17:39, Clayton Keller wrote:
 When attempting to build from the latest 1.5-dev18 haproxy.spec file I
 receive the following error:

 # rpmbuild -bb haproxy.spec
 error: line 3: Illegal char '-' in: Version: 1.5-dev18

What was the source of this spec?

 I have attached a patch which allowed me to properly execute the
 rpmbuild. Unfortunately, this requires more static related references
 in the file which would need to be modified with each release.

 I'm not sure if you'd like to include these modifications at this time
 or not. Or, if there is a better way to handle this I'd be happy to do
 so in another way.

 Clay

If you don't have a problem with it, maybe try
--
https://github.com/heil/centos/blob/master/packages/rpmbuild/SPECS/haproxy-devel.spec
--

In this spec also the latest patches are included, so you can add or
remove some if needed.

cheers
thomas



Re: do I still need nginx for static file serving?

2013-04-22 Thread Thomas Heil
Hi,

On 22.04.2013 23:51, Bryan Talbot wrote:
 Since haproxy is not a webserver (it's a reverse proxy), you still
 need a webserver to actually serve content and run the application.

Indeed. I would prefer using varnish serving static files, so you can
cache them in memory.
thomas
 -Bryan


 On Mon, Apr 22, 2013 at 2:28 PM, S Ahmed sahmed1...@gmail.com wrote:

 My backend servers run jetty, and currently I am using nginx that
 runs on port 80 to route traffic to the backend that runs on e.g.
 port 8081.

 I also using nginx to serve the static files for the folder:

 /assets/

 So all requests that have this folder do not get proxied to jetty
 on port 8081, but nginx serves the static files.

 If I use haproxy now, do I still need to run nginx to serve
 static files or is this something haproxy can do just as efficiently?

 I'd rather reduce the # of services I have to manage :)





Re: Problems integrating HA1.4 with keepalived

2013-04-18 Thread Thomas Heil
Hi Joshua,

You are a bit off topic. Please ask for details about keepalived on the
keepalived mailing list.

On 04/18/13 20:42, Joshua Chee wrote:
 update:
 not very smart with http_get as haproxy is configured to RR between
 apache. Thus if 1 apache is down, it will still reflect as real server
 down, which is not how I want it; I only want it to be down when
 all apaches of the webfarm are down.

Then just let haproxy check the apache servers and check the haproxy
servers from lvs/keepalived.
Every haproxy could have the following:
  acl backends_avail 
  monitor-uri /haproxycheck
  monitor fail if ! backends_avail

now you can query the haproxy ones and check that /haproxycheck returns
200 OK.
To integrate that into keepalived you could use something like

..
HTTP_GET {
url {
path /haproxycheck
status_code 200
}
connect_timeout 10
connect_port 80
..
in every real server.

 == lvs(keepalived1) == NAT == haproxy1, haproxy2
    haproxy1 == apache1, apache2, apache3, apache4

 == lvs(keepalived2) == NAT == haproxy1, haproxy2
    haproxy1 == apache1, apache2, apache3, apache4

lvs, haproxy and the apache servers should run on separate machines.

 the vrrp_script is checking if haproxy is running in process which is
 good if haproxy crashes, however would be similar to TCP_CHECK on
 haproxy(transparent proxy).


If HAProxy is running on both machines, as keepalived is, you only
need a failover if a machine crashes.

 On 19 April 2013 02:26, Joshua Chee chee...@gmail.com wrote:

 ok able to get vrrp to detect webfarms down by http_get on vrrp,
 however still unable to change the state or reduce the priority of
 MASTER

 global_defs {
notification_email {
  x...@.com
 }
 notification_email_from x...@.com
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id LVS_XX
 }

 vrrp_script chk_haproxy {
 script "killall -0 haproxy"
interval 2
weight 2

 }

 vrrp_instance loadbalance1 {
 state MASTER
 interface eth0
 virtual_router_id 51
 priority 101
 advert_int 1
 smtp_alert
 authentication {
 auth_type PASS
 auth_pass somepassword
 }
 virtual_ipaddress {
 192.168.88.95
 }
 track_script {
  chk_haproxy
 }
 }

 virtual_server 192.168.88.95 80 {
 delay_loop 6
 lb_algo rr
 lb_kind NAT
 nat_mask 255.255.255.0
 persistence_timeout 50
 protocol TCP

real_server 192.168.88.96 80 {
 weight 1
 #   TCP_CHECK {
 #  connect_port 80
 #  connect_timeout 3
 #   }
 HTTP_GET {
url {
 path /index.html
 digest a1be24adde652800a4ec1c4e129d6014
}
 connect_timeout 10
 connect_port 80
 }
}
 }

As far as I can see, you may have a problem with your priorities. If the
haproxy process
is not running, your new priority would be 101-2. So the other machine
should
have a priority of 100.
check this out with tcpdump -i ethx vrrp -vv


 On 19 April 2013 02:02, Joshua Chee chee...@gmail.com wrote:

 shared IP=192.168.88.95
            |
 keepalived1            keepalived2
            |
 haproxy1               haproxy2
 192.168.88.96:80       192.168.88.97:80
    |                      |
 apache1  apache2       apache3  apache4
 192.168.88.96:8080     192.168.88.97:8080
 192.168.88.96:8090     192.168.88.97:8090



 On 19 April 2013 01:42, Joshua Chee chee...@gmail.com wrote:

 I am running 2VRRP and 2HA. Each VRRP is linked to 1 HA
 and each HA is linked to 2 apache webserver.

 I am only able to make the vrrp failover when i stop the
 vrrp service, not able to do that when i stop the haproxy
 service or stop all apache services.

 Is there a way for haproxy to stop or reflect when all its
 webfarms are down?

 I am trying to run a script in vrrp as per a lot of guides,
 vrrp_script chk_haproxy {
script "killall -0 haproxy"
interval 2
weight 2
 }

 [...]
 

backport d16a1b2a818359e8c3ade85f789e66ed7ca9488c

2013-04-15 Thread Thomas Heil
Hi,

It's mentioned that commit d16a1b2a818359e8c3ade85f789e66ed7ca9488c
should be backported to 1.4.
The patch applies without problems and as far as I can see it doesn't
create a problem.

regards,
thomas



Re: haproxy-dev18 http-request

2013-04-03 Thread Thomas Heil
Hi,

Why not use something like:

reqidel ^X-Forwarded-Proto:.*
reqadd X-Forwarded-Proto:\ https if { ssl_fc }
reqadd X-Forwarded-Proto:\ http if ! { ssl_fc }

cheers
thomas

On 03.04.2013 12:26, Baptiste wrote:
 Ah sorry, I misread!

http-request set-header X-Frontend-SSL %[ssl_fc] https 

 %[ssl_fc] will be 0 in case of HTTP and 1 in case of SSL.

 You can't setup an ACL after the set-header directive.

 Baptiste


 On Wed, Apr 3, 2013 at 12:09 PM, Sander Klein roe...@roedie.nl wrote:

 Hmmm, nope, it still doesn't work

 I did:


 http-request set-header X-Forwarded-Proto https if { ssl_fc }
 http-request set-header X-Forwarded-Ssl on if { ssl_fc }
 http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
 http-request set-header X-Forwarded-Ssl off if !{ ssl_fc }

 But this still gives me:

 Reloading haproxy: haproxy[ALERT] 092/120655 (9669) : parsing
 [/etc/haproxy/haproxy.cfg:221]: 'http-request set-header' expects
 exactly 2 arguments.
 [ALERT] 092/120655 (9669) : Error(s) found in configuration file :
 /etc/haproxy/haproxy.cfg
  failed!

 Greets,

 Sander


 On 03.04.2013 11:38, Baptiste wrote:

 Hi,

 You want to use anonymous ACLs which requires brackets '{' and
 '}', like:

 http-request set-header X-Forwarded-Proto https if { ssl_fc }

 Baptiste

 On Wed, Apr 3, 2013 at 11:15 AM, Sander Klein
 roe...@roedie.nl wrote:

 Hi,

 I try to do the following in my haproxy (dev18) config:

 http-request set-header X-Forwarded-Proto https if ssl_fc
 http-request set-header X-Forwarded-Ssl on if ssl_fc

 http-request set-header X-Forwarded-Proto http  if ! ssl_fc
 http-request set-header X-Forwarded-Ssl off if ! ssl_fc

 But, when I reload I get:

 Reloading haproxy: haproxy[ALERT] 092/110441 (22291) :
 parsing [/etc/haproxy/haproxy.cfg:221]: 'http-request
 set-header' expects exactly 2 arguments.
 [ALERT] 092/110441 (22291) : Error(s) found in
 configuration file : /etc/haproxy/haproxy.cfg
  failed!

 I'm a bit at a loss here, since I saw an example somewhere
 on the Exceliance site and if I read the haproxy
 configuration manual it states:

 http-request { allow | deny | tarpit | auth [realm
 realm] | redirect rule |
   add-header name fmt | set-header name
 fmt }
  [ { if | unless } condition ]

 I might be interpreting this wrong, but the way I read it
 using the if statement with set-header is legal to use in
 the config. Am I wrong?

 Greets,

 Sander





Re: Stickiness lost after failover

2013-04-03 Thread Thomas Heil
Hi David,

On 03.04.2013 13:10, David Coulson wrote:

 On 4/3/13 5:36 AM, Baptiste wrote:
 Better using stick tables with store-response and store-request to
 replace your appsession configuration.
 Is there a configuration example of this method somewhere? Google
 didn't turn up much for me.

 David


Here is one

peers frontends
peer wrt-34-38-r1 192.168.1.2:1099
peer wrt-34-38-r2 192.168.1.3:1099


backend be_default
balance roundrobin
stick on cookie(PHPSESSID)
stick-table type string size 32k peers frontends expire 24h
stick store-response set-cookie(PHPSESSID)
mode http

please adapt the peer declaration to your needs. The names should match
the hostnames of the machines.

cheers
thomas



Re: Problem with ss-20130402

2013-04-02 Thread Thomas Heil
Hi,

On 02.04.2013 20:49, Sander Klein wrote:
 Replying to myself again...

 On 02.04.2013 16:59, Sander Klein wrote:
 Hi!,

 On 02.04.2013 16:16, Sander Klein wrote:

 When using this config with ss-20130402 I do not get any traffic to
 cluster1-2. I didn't have enough time to do a proper debug since I was
 doing it in production ;-) I might have a better look at it this
 evening. It works fine with ss-20130125.

 Just tried ss-20130326 and this one works good. So I think there's
 some kind of regression in between 20130326 and 20130402.

 Any ideas how to start debugging this?

 While wiresharking around a bit it seems the connection to the backend
 servers just 'hangs'. There's no traffic flowing at all. Just thought
 I'd share it here in case anybody cares ;-)

Of course it matters. As you explained, the problem should be around
patch 86 up to 101. What does your haproxy -vv
look like? Do you use compression or SSL? Could you eliminate patches
91, 92 and 98?

cheers
thomas

 Greets,

 Sander




-- 
Thomas Heil
-
! note my new number !
Skype: phiber.sun
Email: h...@terminal-consulting.de
Tel:   0176 / 44555622
--




Re: Question about logging HTTP Auth username

2013-03-13 Thread Thomas Heil
Hi,

On 13.03.2013 18:32, Simon Dick wrote:
 Is it possible in the haproxy logs to log the HTTP username if it's
 sent across in an HTTP request?

I think you can only do this
--
capture request header Authorization len 200
--

 I know I could log the whole header but that doesn't strike me as
 being a good idea... :)

There is no option to extract values from a header line. So you have to
transform the log later with other tools.

cheers
thomas
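
Because the capture stores the whole Authorization value, the log then holds reusable credentials; the added example below (not from the thread) is the kind of later transformation meant above: it decodes a Basic capture to keep only the username and blanks the value for every other scheme. The log lines, hostnames and credentials are constructed, and the code assumes Authorization is the only captured header.

```python
import base64
import binascii
import re

# Constructed sample lines, assuming the default httplog format with
#   capture request header Authorization len 200
# as the only captured header, so it lands in the single {...} block before the
# request line. Credential: "alice:s3cr3t" base64-encoded; the Bearer token is made up.
SAMPLE_LOG_LINES = [
    'Mar 13 18:32:10 lb haproxy[1234]: 10.0.0.5:51234 [13/Mar/2013:18:32:10.123] fe_web '
    'be_app/srv1 0/0/1/12/13 200 512 - - ---- 1/1/0/0/0 0/0 {Basic YWxpY2U6czNjcjN0} '
    '"GET /secure/ HTTP/1.1"',
    'Mar 13 18:32:11 lb haproxy[1234]: 10.0.0.6:51235 [13/Mar/2013:18:32:11.456] fe_web '
    'be_app/srv2 0/0/1/10/11 401 300 - - ---- 1/1/0/0/0 0/0 {} "GET /secure/ HTTP/1.1"',
    'Mar 13 18:32:12 lb haproxy[1234]: 10.0.0.7:51236 [13/Mar/2013:18:32:12.789] fe_web '
    'be_app/srv1 0/0/1/15/16 200 700 - - ---- 1/1/0/0/0 0/0 {Bearer eyJhbGciOi.made.up} '
    '"GET /api/ HTTP/1.1"',
]

# The capture block is the {...} immediately before the quoted request line.
CAPTURE_RE = re.compile(r'\{(?P<auth>[^}]*)\}(?= ")')


def parse_authorization(value):
    """Return (scheme, username); username is None unless the scheme is Basic
    and the credential decodes to user:password."""
    parts = value.strip().split(None, 1)
    if not parts:
        return None, None
    scheme = parts[0]
    if scheme.lower() != "basic" or len(parts) < 2:
        return scheme, None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return scheme, None          # truncated or corrupt capture: keep nothing of it
    user, sep, _password = decoded.partition(":")
    return scheme, (user if sep else None)


def redact_auth_capture(line):
    """Replace the captured Authorization value with scheme plus username only,
    so the stored log no longer contains the password or token.
    Returns (new_line, username)."""
    m = CAPTURE_RE.search(line)
    if not m or not m.group("auth"):
        return line, None            # no capture, or the request carried no Authorization
    scheme, user = parse_authorization(m.group("auth"))
    if scheme is None:
        return line, None
    if user is not None:
        replacement = f"{{{scheme} user={user}}}"
    else:
        replacement = f"{{{scheme} [redacted]}}"
    return line[:m.start()] + replacement + line[m.end():], user


def process_log(lines):
    """Apply redact_auth_capture to every line; returns a list of (line, username)."""
    return [redact_auth_capture(line.rstrip("\n")) for line in lines]


if __name__ == "__main__":
    for new_line, user in process_log(SAMPLE_LOG_LINES):
        print(user, "|", new_line)
```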



Re: mod_realip for haproxy

2013-03-11 Thread Thomas Heil
Hi,

On 11.03.2013 20:56, Maxime Ducharme wrote:
 Hello

 Is there any option like mod_realip in nginx but for haproxy ?

this could be done with
--
option forwardfor header X-Real-IP
--

 We have a situation where we could have haproxy behind a load balancer
 and would like to be able to use per-ip acl or rate limits. We need
 src to be same as the IP location in a header sent by the front load
 balancer

If haproxy sees the original IP and the service behind haproxy also
needs to see the original IP, you should use
haproxy tproxy snat. Most of the tools can't cope with the header
X-Real-IP or X-Forwarded-For.

 Thanks

cheers
thomas



Re: strange behavior with version 1.4.22

2013-03-11 Thread Thomas Heil
Hi,

On 11.03.2013 21:23, Saul Waizer wrote:
 Hello List,

 I am experiencing some erratic behavior on 2 fresh installs (V 1.4.22)
 that I've never seen before. Basically the haproxy is taking 100% of
 cpu, there is nothing running on the box and there is no traffic going
 through it, yet the load average is 8 and and cpu is constantly
 hitting 100%. I have the same installation/configuration running on
 20+ servers and never experienced this before, nothing on the logs
 either...here is the relevant information:

Crazy. Could we take a look at your config? I had a similar problem
years ago, when using the option transparent.

 HA-Proxy version 1.4.22 2012/08/09
 Copyright 2000-2012 Willy Tarreau w...@1wt.eu mailto:w...@1wt.eu

 Build options :
   TARGET  = linux26
   CPU = generic
   CC  = gcc
   CFLAGS  = -O2 -g -fno-strict-aliasing
   OPTIONS = USE_PCRE=1

 Default settings :
   maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

 Encrypted password support via crypt(3): yes

 Available polling systems :
  sepoll : pref=400,  test result OK
   epoll : pref=300,  test result OK
poll : pref=200,  test result OK
  select : pref=150,  test result OK
 Total: 4 (4 usable), will use sepoll.

 Linux ip-x.x.x.x 2.6.21.7-2.fc8xen #1 SMP Fri Feb 15 12:34:28 EST 2008
 x86_64 x86_64 x86_64 GNU/Linux

 CentOS release 5.4 (Final)

 Any suggestions are greatly appreciated.

 Thank You


cheers
thomas


Re: Per-server reqirep within backend

2013-03-11 Thread Thomas Heil
Hi,

On 03/11/13 20:58, David Coulson wrote:
 I am trying to setup HAProxy as a reverse-proxy for a nasty application that 
 really wants the Host: header on the backend request to match the hostname of 
 the backend system - It's a off-the-shelf app, so there is no opportunity to 
 make modifications to this.

 So far I've got a rspirep to strip out 301/302 Location headers and put in 
 the HAProxy instance hostname, but on the backend I still have to replace 
 Host: with the backend server name. With only one backend server and a hard 
 coded reqirep header it works, however somehow I need a per-server reqirep 
 substitution. 
As you already noticed, you can't do that directly.
 Other option would be to define to separate backends and balance between 
 those, but not sure how to do that either.
Yes, that's right. But normally you can't balance over multiple backends,
unless you play with proxy chaining.
 Here is relevant part of my haproxy.cfg:

 global
 user haproxy
 group haproxy
 log 127.0.0.1 local2
 daemon
 stats socket /var/run/haproxy.stat mode 600 level admin
 maxconn 4
 ulimit-n 81000
 chroot /var/lib/haproxy
 pidfile /var/run/haproxy.pid
 crt-base /etc/haproxy/ssl

 backend console-selfservice
 reqirep ^Host Host:\ rhesprodapp01.domain.com:7004
 server rhesprodapp01 10.250.52.216:7004 check ssl
 #   server rhesprodapp02 10.250.52.217:7004 check ssl


 frontend myapp
 timeout client 8640
 mode http
 option  httpclose
 option  forwardfor
 balance source
 bind :443 ssl crt domain.com.crt  ciphers 
 ECDHE-RSA-AES256-SHA:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM
 default_backend console-selfservice
 rspirep ^Location:\s*https://([^/]*)/(.*)$ Location:\ 
 https://myapp.domain.com/\2


 Any suggestions?
I've created a config that hopefully shows you the right direction.

---snipp---
global
    maxconn 65000
    ulimit-n 65535
    uid 0
    gid 0
    daemon
    stats socket /var/run/haproxy.stat level admin
    nbproc 1

defaults
    maxconn 4
    retries 10
    option  redispatch
    option  http-server-close
    option  forceclose
    option  tcp-smart-accept
    option  tcp-smart-connect

    contimeout  15s
    clitimeout  30s
    srvtimeout  60s

listen app1
    bind :8080
    mode http
    maxconn 200
    stats enable
    stats uri /

frontend www-80
    bind :80
    mode http
    option  accept-invalid-http-request
    reqidel ^X-Forwarded-For:.*
    maxconn 2
    option forwardfor
    default_backend  be_default

frontend fe_01
    bind 127.0.0.1:81 accept-proxy id 1
    mode http
    reqirep ^Host:\  Host:\ one
    option forwardfor
    default_backend be_01

frontend fe_02
    bind 127.0.0.1:82 accept-proxy id 2
    mode http
    option forwardfor
    reqirep ^Host:\  Host:\ two
    default_backend be_02

backend be_01
    balance roundrobin
    mode http
    server 01 172.18.4.39:80 check maxconn 10 id 01

backend be_02
    balance roundrobin
    mode http
    server 02 172.18.4.41:80 check maxconn 10 id 02

backend be_default
    balance roundrobin
    mode http
    server 01 127.0.0.1:81 track be_01/01 send-proxy maxconn 10
    server 02 127.0.0.1:82 track be_02/02 send-proxy maxconn 10
--snipp--


 David

thomas



Re: Lots of TIME_WAITs and slow response time

2013-03-08 Thread Thomas Heil
Hi,

On 08.03.2013 10:24, Alexandru Florescu wrote:
 erformance so far. I'll check again later when the traffic peaks but
 so far it seems fine.
 2) Indeed the network connection was saturated when doing the test and
 that explains the 5% of requests that were taking 3+ seconds on the
 live server
 while this not happening on the test server.
 Thank you for pointing this out, it looks like I may need a 1GB
 connection :D
 3) Not sure if it is related: I noticed that on the frontend

Could you enable haproxy-logging?

cheers
thomas




Re: Lots of TIME_WAITs and slow response time

2013-03-07 Thread Thomas Heil
Hi,

On 07.03.2013 17:14, Alexandru Florescu wrote:
 On 03/07/2013 05:46 PM, Lukas Tribus wrote:
 When I try with tw_recycle = 0 then I start to get a lot of TIME_WAIT 
 connections and performance degrades quite quickly so I cannot remove it 
Don't use it!
 for now
 This indicates you are running out of source ports and it is
 probably why the latency increases with the number of simultaneous 
 connections.
 By source ports you mean exactly what?
 It may be that but as you've seen in my sysctl.conf I already added this
 net.ipv4.ip_local_port_range = 1025 65000

That means you would need more IP addresses haproxy can bind to and issue
requests from.
 Can you please:
 - check dmesg for kernel errors/warnings while benchmarking
 there isn't a new message since 2 hours when I did the latest changes
 so no much help there.
 - run vmstat 1 while benchmarking and post the result
 here it is, it was taken while mid testing with ab so half is with ab
 half after ab finished
 procs ---memory-- ---swap-- -io -system-- cpu
  r  b   swpd   free   buff  cache   si   so   bi   bo   in   cs us sy id wa
  1  0  0 235612 105460 15796400 0 0 11545 6428 5 21 74  0
  0  0  0 235200 105460 15796400 0 0 12896 7497 8 18 74  0
  1  0  0 234824 105460 15796400 0 0 14740 8578 4 28 68  0
  1  0  0 235292 105460 15796400 0 0 10976 6423 1 18 81  0
  1  0  0 235420 105460 15796400 0 0 9668 5898 3 20 77  0
  1  0  0 234296 105460 15796400 0 0 12969 8001 2 25 73  0
  1  0  0 234672 105460 15796400 0 0 13888 8529 3 23 74  0
  0  0  0 235076 105460 15796400 0 0 8081 4717 3 18 79  0
  1  0  0 235516 105460 15796400 0 0 8465 5026 0 13 87  0
  0  0  0 235004 105460 15796400 0 0 8770 5223 2 18 80  0
  0  0  0 235100 105460 15796400 0 0 8635 4921 1 18 81  0
  0  0  0 234904 105460 15796400 0 0 9532 5805 3 21 76  0
  0  0  0 234696 105460 15796400 0 0 11013 6468 3 20 77  0
  0  0  0 235728 105460 15796400 0 0 9707 5185 3 14 83  0

 - specify the exact version and build config (haproxy -vv)
 # haproxy -vv
 HA-Proxy version 1.5-dev17 2012/12/28
 Copyright 2000-2012 Willy Tarreau w...@1wt.eu

 Build options :
   TARGET  = linux26
   CPU = native
   CC  = gcc
   CFLAGS  = -m64 -march=x86-64 -O2 -march=native -g -fno-strict-aliasing
   OPTIONS = USE_OPENSSL=1 USE_STATIC_PCRE=1

 Default settings :
   maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

 Encrypted password support via crypt(3): yes
 Built without zlib support (USE_ZLIB not set)
 Compression algorithms supported : identity
 Built with OpenSSL version : OpenSSL 0.9.8o 01 Jun 2010
 OpenSSL library supports TLS extensions : yes
 OpenSSL library supports SNI : yes
 OpenSSL library supports prefer-server-ciphers : yes

 Available polling systems :
   epoll : pref=300,  test result OK
    poll : pref=200,  test result OK
  select : pref=150,  test result OK
 Total: 3 (3 usable), will use epoll.

 - specify exact linux kernel release (uname -a)
 # uname -a
 Linux HAproxy 2.6.32-5-amd64 #1 SMP Sun Sep 23 10:07:46 UTC 2012
 x86_64 GNU/Linux


 I'm not sure if it helps in your environment, but could you try the
 option nolinger in the backend?
 I added it, not much of a difference from what I can see.

 Thank you so much for your assistance on this matter,
 Alex

Okay, so can you give us more specs about the hardware you are using?
(haproxy, nginx ...), how they are connected
and what type of network cards work in this machines?

cheers
thomas


Re: Lots of TIME_WAITs and slow response time

2013-03-06 Thread Thomas Heil
Hi,

On 06.03.2013 16:27, Alexandru Florescu wrote:

 Hi,
 I have a 3 server architecture, a HAproxy that sends balanced traffic
 to 2 Nginx servers.

 I noticed that if I run ab -n 1000 -c 100 directly on the Nginx
 server I get response times between 40 and 80ms
 If I run the same test via HAproxy I receive results between 120 and
 4000ms. And this is I get lucky as I can even wait for 30seconds to
 get all the replies back from HAproxy server.

Well, 120 up to 200ms would be okay, but 4000ms is not. Could you disable
firewalling, e.g. unload all necessary modules on the HAProxy machine?

 I've been struggling to tune the kernel params and other things for
 days now but I still cannot make this work properly.
 I noticed that on HAproxy server I have all the time at least 20K
 TIME_WAIT connections ( netstat -a -n|grep TIME_WAIT|wc -l)
 while on the Nginx servers that number is about 600 for each one.

TIME_WAITs are usually not a problem. Please look at the nice guide
(http://www.exceliance.fr/en/ART-2006-making%20applications%20scalable%20with%20LB.pdf)

 I suspect that is because of this that the service doesn't always
 perform well but I would surely appreciate any advice from you.
 Also, let me know what kernel params or configuration files you might
 need me to share with you in order to get a better understanding.

Would you mind sharing your sysctl settings?
 Thank you,
 Alex


cheers
thomas



Re: CSS not displayed

2013-03-06 Thread Thomas Heil
Hi,

On 06.03.2013 16:58, Olivier Desport wrote:
 I've found the solution. I have enabled the line EXTRAOPTS=-de -m 16
 in /etc/default/haproxy. It works when this line is commented.

That means you gave haproxy only 16MB of memory for its hard work.
Maybe this was not enough.

 Thanks for your help.



 Le 23/01/2013 17:13, shouldbe q931 a écrit :
 Hi Olivier,

 Just to recap, you have a webserver in subnet A, you have a HAProxy
 instance in subnet B

 When you connect to the webserver directly, CSS works
 When you connect to the webserver via HAProxy, CSS fails

 You have now added a HAProxy instance in subnet A
 When you connect via the HAProxy instance in subnet A CSS works

 I have noticed that you are using

 acl acl_web hdr(host) -i mysite.mydomain.com
 use_backend web if acl_web

 I have inferred from this that you have more acls configured in the
 frontend, and that you have more than one backend.

 When you set up the HAProxy instance in subnet A, did you scp/rsync
 the config over and just change the bind IP address, or did you only
 use the relevant sections of the config ?

 I wonder if there is another ACL that is causing the issue ?

 I would also be tempted to change the HAProxy config on the instance
 in subnet B to point at the HAProxy in subnet A, then test connecting
 via the HAProxy instance in subnet B

 If the two HAProxy configurations are identical apart from the bind
 IP address and the backend server address and this works, then I
 would investigate if there are any IP restrictions configured on the
 web server, if it fails, then I would suggest further investigation
 on the HAProxy instance in subnet B

 Cheers




Re: CSS not displayed

2013-01-22 Thread Thomas Heil
Hi,

On 22.01.2013 15:57, Olivier Desport wrote:
 I use Haproxy with two web servers. The CSS are not well displayed
 (images, fonts...). The look of the page is different every time I
 refresh ! It works correctly when Haproxy is not used. Is there
 something to set up in haproxy or Apache configurations ?

 Some lines of my haproxy.cfg :

 mode http

 option httpclose
 option http-server-close

 frontend http_in 192.168.1.5:80

 option httplog
 option dontlognull
 option forwardfor

 acl acl_web hdr(host) -i mysite.mydomain.com
 use_backend web if acl_web

 backend web
 stats enable
balance source
cookie SERVERID insert nocache indirect
server web-1 web-1.mydomain.com:80 cookie W1 check inter 1000
 maxconn 250 maxqueue 50
 server web-2 web-2.mydomain.com:80 cookie W2 check inter 1000
 maxconn 250 maxqueue 50
 option httpchk HEAD /_check.html HTTP/1.0



Please try with a default section that holds:

defaults
option  http-server-close
option  forceclose

I think you're missing http-server-close on backend web

cheers
thomas



Re: Unusually high cpu usage after upgrade to 1.5dev17

2013-01-08 Thread Thomas Heil
Hi,

On 08.01.2013 18:41, Christian Becker wrote:
 Hello,

 today we´ve upgraded one of our loadbalancers to linux kernel 3.7.1 and 
 haproxy 1.5 dev 17 - coming from kernel 3.0.1 and haproxy 1.5 dev 7.

 After the upgrade, the system is delivering traffic as usual and we don´t see 
 any traffic issues. But now there are constantly 4 CPUs 100% busy with about 
 30 % user and 70 % system load.

 We haven´t seen this behaviour in the past. Additionally we get the following 
 messages every couple of minutes:

 Jan  8 18:30:59 srv11 kernel: [ 3878.272003] [ cut here 
 ]
 Jan  8 18:30:59 srv11 kernel: [ 3878.295572] WARNING: at net/ipv4/tcp.c:1330 
 tcp_cleanup_rbuf+0x4d/0xfc()
 Jan  8 18:30:59 srv11 kernel: [ 3878.319107] Hardware name: System x3690 X5 
 -[7148Z68]-
 Jan  8 18:30:59 srv11 kernel: [ 3878.340686] cleanup rbuf bug: copied 
 7B02E4F6 seq 7B01F558 rcvnxt 7B02E4F6
 Jan  8 18:30:59 srv11 kernel: [ 3878.363160] Modules linked in: 8021q garp 
 stp llc nls_utf8 nls_cp437 vfat fat acpi_cpufreq snd_pcm cdc_ether usbnet mii 
 coretemp kvm_intel kvm snd_timer snd crc32c_intel evdev joydev hid_generic 
 soundcore microcode snd_page_alloc serio_raw pcspkr mperf tpm_tis processor 
 ioatdma lpc_ich i2c_i801 tpm shpchp mfd_core tpm_bios pci_hotplug i2c_core 
 dca thermal_sys button ext4 mbcache jbd2 crc16 dm_mod sg sr_mod cdrom sd_mod 
 crc_t10dif ata_generic usbhid hid uhci_hcd ata_piix libata megaraid_sas 
 ehci_hcd bnx2 usbcore scsi_mod usb_common be2net
 Jan  8 18:30:59 srv11 kernel: [ 3878.513462] Pid: 30307, comm: haproxy 
 Tainted: GW3.7.1 #1
 Jan  8 18:30:59 srv11 kernel: [ 3878.540064] Call Trace:
 Jan  8 18:30:59 srv11 kernel: [ 3878.564947]  [8103ef70] ? 
 warn_slowpath_common+0x78/0x8c
 Jan  8 18:30:59 srv11 kernel: [ 3878.591417]  [8103f023] ? 
 warn_slowpath_fmt+0x45/0x4a
 Jan  8 18:30:59 srv11 kernel: [ 3878.617965]  [812d3e02] ? 
 tcp_cleanup_rbuf+0x4d/0xfc
 Jan  8 18:30:59 srv11 kernel: [ 3878.645352]  [812d4034] ? 
 tcp_read_sock+0x183/0x194
 Jan  8 18:30:59 srv11 kernel: [ 3878.670621]  [812d487d] ? 
 tcp_sendpage+0x45b/0x45b
 Jan  8 18:30:59 srv11 kernel: [ 3878.696935]  [812d4118] ? 
 tcp_splice_read+0xd3/0x223
 Jan  8 18:30:59 srv11 kernel: [ 3878.721845]  [8112d9ae] ? 
 sys_splice+0x345/0x3bf
 Jan  8 18:30:59 srv11 kernel: [ 3878.746239]  [813651a9] ? 
 system_call_fastpath+0x16/0x1b
 Jan  8 18:30:59 srv11 kernel: [ 3878.770749] ---[ end trace 91a60bafa2f9d85e 
 ]---
This looks like your NIC causes problems. What NIC type is it?
 This is our global configuration and one of the most busy threads (about 1k 
 requests/s):

 global
   daemon
   maxconn 131072
   spread-checks 2
   stats socket /var/run/haproxy.sock
   nbproc 34

 defaults
   mode http
   option splice-response
   option splice-request
   timeout connect 5000ms
   timeout client 3ms
   timeout server 30ms
   timeout http-request 2ms
 #  option forceclose

 frontend marketing-in
   bind ip:80
   default_backend marketing
   maxconn 32768
   option http-server-close
   option forwardfor
   reqidel ^X-Forwarded-For:.*
   bind-process 17
 backend marketing
   stats enable
   stats uri uri
   stats auth user
   option httpchk GET /server_up.php
   http-check expect rstring ^OK$
   balance roundrobin
   server web1 ip1:80 maxconn 4096 check port 80 inter 1 fastinter 2000
   server web2 ip2:80 maxconn 4096 check port 80 inter 1 fastinter 2000
   server web3 ip3:80 maxconn 4096 check port 80 inter 1 fastinter 2000
   server web4 ip4:80 maxconn 4096 check port 80 inter 1 fastinter 2000
   server sorry sorry:80 check backup

 Additionally this are the build options before and now:

 HA-Proxy version 1.5-dev7 2011/09/10
 Copyright 2000-2011 Willy Tarreau w...@1wt.eu

 Build options :
   TARGET  = linux26
   CPU = generic
   CC  = gcc
   CFLAGS  = -O2 -g -fno-strict-aliasing -march=core2 -m64
   OPTIONS = USE_LINUX_SPLICE=1 USE_LINUX_TPROXY=1 USE_STATIC_PCRE=1

 Default settings :
   maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

 Encrypted password support via crypt(3): yes

 Available polling systems :
  sepoll : pref=400,  test result OK
   epoll : pref=300,  test result OK
poll : pref=200,  test result OK
  select : pref=150,  test result OK
 Total: 4 (4 usable), will use sepoll.

 Note: This is not dev17 anymore - this is todays snapshot
You could easily add something like
VERSION=1.5.dev17-patch...  to make, then you always know what
kind of snapshot it was.

 HA-Proxy version 1.5-dev17 2012/12/28
 Copyright 2000-2012 Willy Tarreau w...@1wt.eu

 Build options :
   TARGET  = linux2628
   CPU = generic
   CC  = gcc
   CFLAGS  = -O2 -g -fno-strict-aliasing -march=core2 -m64
   OPTIONS = USE_LINUX_SPLICE=1 USE_LINUX_TPROXY=1 USE_LIBCRYPT=1 USE_ZLIB=1 
 USE_OPENSSL=1 USE_STATIC_PCRE=1

 Default settings :
   maxconn = 2000, bufsize = 16384, 

Re: Unusually high cpu usage after upgrade to 1.5dev17

2013-01-08 Thread Thomas Heil
Hi,

On 08.01.2013 19:32, Christian Becker wrote:
 Hi Thomas,

 thanks for your quick reply!

 This looks like your nic cause problems. What nic type is it? 
 The Server is using Emulex Corporation OneConnect 10Gb NIC (be2net driver).

I saw you have nbproc 34 in the global section. That's really huge. May I
ask what processor it has and how many cores?
 You could easily add something like
 VERSION=1.5.dev17-patch...  to make, then you know at every time what
 kind of snapshot it was.
 Already did that, new versions are now build with a snapshot date ;)

 An unstable kernel. You use latest and greatest at your own risk.
 We´ve picked the kernel since it is officially marked as stable, but i agree, 
 that it is very new and possibly unstable/buggy.

 Got some other news: 

 After removing the option splice-response and option splice-request the cpu 
 load instantly dropped to an almost normal level. So I guess there are either 
 in haproxy or in the kernel some splice issues.
In the latest snapshots today there were some improvements regarding TCP
splicing.
 I'm currently building a new kernel with different preemption settings, I 
 guess this could also be a cause.

 If this won't help either, I'll try to downgrade the kernel tomorrow to 3.7 
 or maybe lower.

 Regards,
 Christian





cheers
thomas



Re: SYN_RECEIVED / SMTP / Transparent mode

2012-12-06 Thread Thomas Heil
Hi,

On 06.12.2012 16:53, Ozgur Tas wrote:
 Haproxy 1.4.22  on CENTOS 6.3 (kernel 2.6.32-279.14.1 ) on HYPER-V  (with 
 Hyper-V integration)
 -
I know Centos a little bit and can confirm that this is working.
 Hi,
 I'm trying to get transparent proxy working, however looking at my TDC38 
 (hub) server for connections on port 25, I do see the correct client IP 
 (10.10.0.223) where im telneting from on port 25, but just shows 
 SYN_RECEIVED, does not establish a connection.  Been looking for a solution 
 for a while and cannot find an answer.   (iptables is disabled and not 
 looking to use it on my setup).
Without iptables you won't get tproxy aka transparent proxy to work. On
the machine where the haproxy runs you need firewall rules like
this.
--
#smtp
-A RH-Firewall-1-INPUT -p tcp --dport 25 -j ACCEPT
#
-A RH-Firewall-1-INPUT -m udp -p udp --dport 1194 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*mangle
-N DIVERT
-A PREROUTING -p tcp -m socket -j DIVERT
-A DIVERT -j MARK --set-mark 1
-A DIVERT -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-I POSTROUTING -d 0/0 -j MASQUERADE -o eth0
COMMIT
--
Where eth0 is the external and eth1 the internal interface

in /etc/rc.local I have these lines
--
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
--
All traffic that runs through tproxy needs to be routed locally back
to haproxy.
 Thanks,
 Oz

 On TDC38(10.10.0.63 - hub server)
 C:\netstat -ano | findstr 223
   TCP    10.10.0.63:25       10.10.0.223:47217   SYN_RECEIVED    4044   ( -- here)
   TCP    10.10.0.63:443      10.10.0.107:56223   ESTABLISHED     4
   TCP    10.10.0.63:59531    10.10.0.107:42231   ESTABLISHED     3652
   TCP    10.10.0.63:59531    10.10.0.107:44223   ESTABLISHED     3652
   TCP    10.10.0.64:3389     10.10.0.223:60206   ESTABLISHED     5072
 =

 HAPROXY config::

 global
 #uid 99
 #gid 99
 daemon
 stats socket /var/run/haproxy.stat mode 600 level admin
 maxconn 4
 ulimit-n 81000
 pidfile /var/run/haproxy.pid

 defaults
  #log global
  mode http
  retries 3
 contimeout  4000
 clitimeout  360
 srvtimeout  360
 balance roundrobin
 option tcp-smart-accept
 option tcp-smart-connect

 frontend ft_smtp
   mode tcp
   bind 0.0.0.0:25 
   #source 0.0.0.0 usesrc clientip
   #log global
   #option tcplog
   #tcp-request inspect-delay 30s
   #acl content_present req_len gt 0
   #tcp-request content reject if content_present
   default_backend bk_smtp
On the frontend you don't need any source 0.0.0.0 line.
 backend bk_smtp
   mode tcp
   balance roundrobin
   source 0.0.0.0 usesrc clientip
   log global
   option tcplog
   option smtpchk HELO morrisonhershfield.com
   default-server inter 3s rise 2 fall 3
   server TDC38 10.10.0.63:25 check

 listen stats :7000
 stats   enable
   stats show-node TDCLB01
   stats show-desc MASTER node for Exchange
   #stats hide-version
   #stats realm Haproxy\ Statistics
 stats   uri /
 stats refresh 5s
 option  httpclose




Please ensure that client TDC38 10.10.0.63 uses the haproxy machine as
the default gateway.

hope this helps you,

cheers
thomas



Re: Keep servers' state and stick-tables when reload?

2012-11-06 Thread Thomas Heil
Hi,

On 06.11.2012 23:39, Willy Tarreau wrote:
  not yet retained, this was discussed long ago, at least
 we'd like to have the ability to pass a flag to haproxy pointing to a
 file which contains a dump of the last state. It would be very convenient
 for scripts :
This sounds very promising because I have a lot of setups where reloads
are painful when using relaxed service checks. Shortly
after a reload it could happen that requests go to a server which was
marked as down, because it takes some time for the checks
to reflect the right state.

Will this feature be available in 1.4 too?

cheers
thomas



Re: Graceful handling of garbage collecting servers?

2012-10-23 Thread Thomas Heil
Hi,

On 23.10.2012 13:55, Finn Arne Gangstad wrote:
 Hi,

 We're running haproxy in front of many services that are written in
 Java. From time to time, the Java applications need to pause for a
 while and do garbage collection. It would be extremely beneficial if
 haproxy could be configured to redispatch all requests that are
 currently in limbo on a GCing server to some other server.

 haproxy.cfg typically looks like this:

 frontend
   timeout http-request 30s
   maxconn 10
   ...

 backend
   balance roundrobin
   server s1 ... maxconn 10
   server s2 ... maxconn 10
   server s3 ... maxconn 10
   ..

 Each request is a reasonably simple GET request that typically takes
 10-20ms to process. This works great until a server needs to GC, then
 the query will hang for a few seconds.
I am not quite sure, but I think you can play with timeout server,
option redispatch and retries, so that when GC occurs the request would be
redispatched to the next server in the backend.

 Thanks
 Finn Arne



thomas



Re: How to run Haproxy on multiple CPU core

2012-10-21 Thread Thomas Heil
Hi,

On 21.10.2012 17:04, freak 16 wrote:
 Hi all,

 How can I run Haproxy on multiple cores? My objective is to run
 Haproxy such that it can service large no of connections (say, in five
 or six digit  figures eg 1, 5, 10) at a time (per sec).

1 up to 10 should be possible on the right hardware, also with
nbproc = 1. How did you run your performance benchmark?

 Will that require any special configuration m/c? I have 8 core m/c
 (Desktop). Should I need to change my Haproxy host m/c?

Of course.
 Right now my haproxy is not able to serve more than 500 conn/sec
 with total no of 50 conn. Is this an issue with haproxy or the host
 m/c?


That's very few. Please try to unload all firewall related modules and
try again. Have a look at the CPU usage HAProxy consumes and
try running with nbproc = 1.

 Thnx

cheers
thomas



Re: Badrequest in 1.5-dev12

2012-09-21 Thread Thomas Heil
Hi,

If this is error 400, maybe your GET request became too long.
Would you mind trying to increase your bufsize while leaving maxrewrite at 1024,
e.g.

--
global
   tune.bufsize 32678
   tune.maxrewrite 1024
--

cheers,
thomas


On 21.09.2012 18:17, Alexey Vlasov wrote:
 [21/Sep/2012:20:12:41.265] frontend backend_pool610 (#15): invalid request
   backend backend_pool610 (#15), server NONE (#-1), event #0
   src xx.xx.143.35:37769, session #71, session flags 0x0080
   HTTP msg state 26, msg flags 0x, tx flags 0x
   HTTP chunk len 0 bytes, HTTP body len 0 bytes
   buffer flags 0x00808002, out 0 bytes, total 913 bytes
   pending 913 bytes, wrapping at 16384, error at position 23:

   0  GET /phpinfo.php?PATH=/РР°СалР
   00034+ ѕРі/pid=42 HTTP/1.1

   00057  Host: test-l24-apache-aux4.p2

   00092  User-Agent: Opera/9.80 (Windows NT 6.1; WOW64; U; ru) Presto/2.10.289
   00162+ Version/12.02

   00177  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, 
 image
   00247+ /png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
   00315+

   00316  Accept-Language: ru,ru-RU;q=0.9,en;q=0.8

   00358  Accept-Encoding: gzip, deflate

   00390  Cookie: 
 __ptca=137351919.6tcw1SGtta9M.1334637172.1334637172.1334637172
   00460+ .1; __ptv_3S8nQr=6tcw1SGtta9M; __pti_3S8nQr=6tcw1SGtta9M; 
 __ptcz=13735
   00530+ 1919.1334637172.1.0.ptmcsr=(direct)|ptmcmd=(none)|ptmccn=(direct)

   00597  X-FORWARDED-URI: /%D0%9A%D0%B0%D1%82%D0%B0%D0%BB%D0%BE%D0%B3/pid=42
   00666+

   00667  X-FORWARDED-REQUEST: GET 
 /%D0%9A%D0%B0%D1%82%D0%B0%D0%BB%D0%BE%D0%B3/
   00737+ pid=42 HTTP/1.1

   00754  X-Forwarded-For: xx.x.248.121

   00787  X-Forwarded-Host: test-l24-apache-aux4.p2

   00834  X-Forwarded-Server: www.test-l24-apache-aux4.p2

   00887  Connection: Keep-Alive

   00911

 On Fri, Sep 21, 2012 at 04:00:00PM +0200, Baptiste wrote:
 Hi,

 could you run a show error on haproxy stats socket?
 It will tell you exactly where the error is located.

 cheers

 On Fri, Sep 21, 2012 at 2:50 PM, Alexey Vlasov ren...@renton.name wrote:
 Hi.

 By using the given below scheme:
 =
 apache (fe) - haproxy - apache (PHP)
 =
 and the rule in .htaccess

 =
 RewriteEngine On
 RewriteCond %{REQUEST_URI} ^(.*)/(.*)$
 RewriteCond %2 !\.
 RewriteRule ^(.*)$ /phpinfo.php?PATH=%1/%2 [QSA,L]
 =
 haproxy gives badrequest.

 Log from apache (fe):
 =
 xx.xx.248.121 - - [20/Sep/2012:16:08:51 +0400] GET
 /%D0%9A%D0%B0%D1%82%D0%B0%D0%BB%D0%BE%D0%B3/pid=42 HTTP/1.1 400 90 -
 Opera/9.80 (Windows NT 6.1; WOW64; U; ru) Presto/2.10.289
 Version/12.02
 =

 haproxy:
 =
 Sep 20 16:08:51 l24 haproxy_aux4_pools[18980]: xx.xx.143.35:36564
 [20/Sep/2012:16:08:51.744] backend_pool610 backend_pool610/NOSRV
 -1/-1/-1/-1/0 400 187 - - PR-- 1/0/0/0/10 0/0 {} BADREQ
 =

 My haproxy.conf:
 =
 global
 daemon
 user    haproxy
 group   haproxy
 chroot  /var/empty
 maxconn 4096
 ulimit-n 32000
 stats socket /var/lib/haproxy/haproxy_aux4.sock level admin mode 600

 defaults
 log 127.0.0.1 local5 notice
 mode    http
 retries 10
 maxconn 2000
 timeout client 5
 timeout connect 5000
 timeout server 5m
 balance roundrobin
 option  forwardfor except xx.xx.143.35/32
 option  http-server-close
 stats   enable
 stats   uri /aouwl3j?stats

 listen  backend_pool610   xx.xx.143.35:9610
 option  httplog
 log 127.0.0.1 local6
 cookie  SERVERID
 option  httpchk
 capture request header Host len 40
 server  pool610 xx.xx.143.35:8610 weight 255 cookie pool4 check inter 
 800  fall 3 rise 2 maxconn 500
 server  pool3   xx.xx.143.35:8101 weight   1 cookie pool1 check inter 
 2000 fall 3 rise 2 maxconn 250
 server  pool4   xx.xx.143.35:8102 backup
 =

 There's no such 400 error in version 1.4.

 --
 BRGDS. Alexey Vlasov.
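To make the "error at position 23" line in the show errors dump above concrete, here is an added example (my code, not HAProxy's parser and not from the thread) that walks a request line with the URI byte rules documented for option accept-invalid-http-request and reports where a parser following those rules stops. The sample request is constructed with the same prefix as the dump, so its first raw UTF-8 byte lands at offset 23; the function names are mine.

```python
"""Walk an HTTP request line with the URI byte rules HAProxy documents for
"option accept-invalid-http-request" and report the offset a parser following
those rules stops at, the number "show errors" prints as "error at position N".
Added example, not HAProxy's parser and not code from the thread.

Documented rules: in the URI, bytes 0-31, 32 (space), 34 '"', 60 '<', 62 '>',
92 '\\', 94 '^', 96 '`', 123 '{', 124 '|', 125 '}', 127 (DEL) and anything
above 127 are invalid; 0-32 and 127 are always refused, the rest are accepted
only when the option is set."""
import re
from urllib.parse import quote

ALWAYS_REJECTED = set(range(0, 33)) | {127}
RELAXABLE = {34, 60, 62, 92, 94, 96, 123, 124, 125} | set(range(128, 256))
# RFC 7230 tchar set, used for the method token.
TCHAR = set(b"!#$%&'*+-.^_`|~0123456789"
            b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
VERSION_RE = re.compile(rb"HTTP/[0-9]\.[0-9]$")


def first_invalid_offset(request, accept_invalid=False):
    """Return the byte offset of the first request-line byte that would be
    refused, or None if the request line is acceptable.  Only the request
    line is examined; accept_invalid=True mirrors the relaxed option."""
    line_end = request.find(b"\r\n")
    line = request if line_end < 0 else request[:line_end]
    sp1 = line.find(b" ")
    if sp1 <= 0:
        return 0                      # no method, or no space after it
    for i in range(sp1):
        if line[i] not in TCHAR:
            return i                  # bad character in the method
    uri_start = sp1 + 1
    i = uri_start
    while i < len(line) and line[i] != 32:
        b = line[i]
        if b in ALWAYS_REJECTED or (b in RELAXABLE and not accept_invalid):
            return i                  # what "error at position N" points to
        i += 1
    if i == uri_start:
        return i                      # empty URI ("GET  HTTP/1.1")
    if i >= len(line) or not VERSION_RE.match(line[i + 1:]):
        return i                      # missing or malformed HTTP version
    return None


def percent_encode_path(path_text):
    """Re-encode a decoded path+query so non-ASCII characters become %XX
    escapes (UTF-8), keeping / ? = & as delimiters.  Returns request-line
    bytes that pass first_invalid_offset() without the relaxed option."""
    return quote(path_text, safe="/?=&").encode("ascii")


# Constructed request (not the real capture): the same prefix as the dump
# above, followed by the decoded form of /%D0%9A...%D0%B3, which is "Каталог".
RAW_REQUEST = (b"GET /phpinfo.php?PATH=/" + "Каталог".encode("utf-8")
               + b"/pid=42 HTTP/1.1\r\nHost: example.test\r\n\r\n")
FIXED_REQUEST = (b"GET " + percent_encode_path("/phpinfo.php?PATH=/Каталог/pid=42")
                 + b" HTTP/1.1\r\nHost: example.test\r\n\r\n")

if __name__ == "__main__":
    print(first_invalid_offset(RAW_REQUEST))                        # 23
    print(first_invalid_offset(RAW_REQUEST, accept_invalid=True))   # None
    print(first_invalid_offset(FIXED_REQUEST))                      # None
```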






