Re: How to turn on/off maintenance page in a smart way?
Yes, it did solve the issue, THANK YOU!! :) --- unai On 2013-04-08 00:39, Baptiste wrote: Hi, I'm glad I was able to help you. If it solved your issue, please answer back with the ML in Cc. so google will archive it and everybody can use this tip as well. Baptiste. On Mon, Apr 8, 2013 at 7:32 AM, Unai Rodriguez wrote: Thank you Baptiste!! --- unai On 2013-04-02 00:55, Baptiste wrote: Hi, You can either use the disable-on-404 health checking option or using HAProxy socket to disable servers temporarly (I mean temporarly because the UNIX socket applies changes in running HAProxy process, not in its startup configuration file). You could then have a few simple acl matching the number of available servers in a farm (this also may mean you must have a backend by application). use_backend maintenance_page if is_app1 nb_srv(bk_app1) eq 0 use_backend bk_app1if is_app1 now, just create a bash script to loop through the HAProxy unix stat socket to disable the servers: echo "disable server bk_app1/srv1" | socat /var/run/haproxy.socket - Baptiste On Tue, Apr 2, 2013 at 8:42 AM, Unai Rodriguez wrote: Dear List, We have a number of applications behind HAProxy. Sometimes we need to put one of the applications in maintenance mode (i.e. display a "This page is under maintenance banner"). We achieve that with the following rules: acl is_app1 hdr(host) app1.example.com acl is_app2 hdr(host) app2.example.com acl is_app3 hdr(host) app3.example.com acl is_app4 hdr(host) app4.example.com acl is_app5 hdr(host) app5.example.com acl is_app6 hdr(host) app6.example.com acl is_app7 hdr(host) app7.example.com acl is_app8 hdr(host) app8.example.com acl is_app9 hdr(host) app9.example.com acl is_app0 hdr(host) app0.example.com use_backend maintenance_page if is_app1 #use_backend maintenance_page if is_app2 #use_backend maintenance_page if is_app3 #use_backend maintenance_page if is_app4 #use_backend maintenance_page if is_app5 #use_backend maintenance_page if is_app6 #use_backend maintenance_page if is_app7 #use_backend maintenance_page if is_app8 #use_backend maintenance_page if is_app9 #use_backend maintenance_page if is_app0 Currently what we do is comment/uncomment lines manually and reload HAProxy when wanting to put app1, app2, app3... under maintenance. This is somewhat error prone and we are looking for a way of doing this in a more sophisticated manner. Ideally someone should be able to login on a simple web page, click a button and enable/disable applications as needed. We used to do that in the past by having several HAProxy configurations but now this would mean to have 100 config files to cover all different posibilities. What ACLs can be used so that HAProxy does NOT need to be reloaded? We haven't been able to find matching criteria that depends on the existance of a file locally for example (or some other environment variable). I guess we could serve HTTP 200 or HTTP 503 for example (to put appX on/off) but is there a more elegant/better way? Thank you so much -- unai
How to turn on/off maintenance page in a smart way?
Dear List, We have a number of applications behind HAProxy. Sometimes we need to put one of the applications in maintenance mode (i.e. display a "This page is under maintenance banner"). We achieve that with the following rules: acl is_app1 hdr(host) app1.example.com acl is_app2 hdr(host) app2.example.com acl is_app3 hdr(host) app3.example.com acl is_app4 hdr(host) app4.example.com acl is_app5 hdr(host) app5.example.com acl is_app6 hdr(host) app6.example.com acl is_app7 hdr(host) app7.example.com acl is_app8 hdr(host) app8.example.com acl is_app9 hdr(host) app9.example.com acl is_app0 hdr(host) app0.example.com use_backend maintenance_page if is_app1 #use_backend maintenance_page if is_app2 #use_backend maintenance_page if is_app3 #use_backend maintenance_page if is_app4 #use_backend maintenance_page if is_app5 #use_backend maintenance_page if is_app6 #use_backend maintenance_page if is_app7 #use_backend maintenance_page if is_app8 #use_backend maintenance_page if is_app9 #use_backend maintenance_page if is_app0 Currently what we do is comment/uncomment lines manually and reload HAProxy when wanting to put app1, app2, app3... under maintenance. This is somewhat error prone and we are looking for a way of doing this in a more sophisticated manner. Ideally someone should be able to login on a simple web page, click a button and enable/disable applications as needed. We used to do that in the past by having several HAProxy configurations but now this would mean to have 100 config files to cover all different posibilities. What ACLs can be used so that HAProxy does NOT need to be reloaded? We haven't been able to find matching criteria that depends on the existance of a file locally for example (or some other environment variable). I guess we could serve HTTP 200 or HTTP 503 for example (to put appX on/off) but is there a more elegant/better way? Thank you so much -- unai
Re: HAProxy isn't balancing/distributing 127.0.0.1 requests
Would you please provide your haproxy config? -- unai On Thursday, January 24, 2013 at 7:06 PM, James Bensley wrote: > Hi All, > > I have Pound Proxy and HAProxy on the same box; HTTPS requests come > into Pound, Pound then passes them using plan text HTTP to HAProxy > listening on 127.0.0.1, HAProxy then balances the connections across > the back end servers. Plain text HTTP requests that come into the box > and go strait to HAProxy, no Pound, I am just suing Pound for some > HTTPS shenanigans. > > I can see in my logs that all requests from 127.0.0.1 (so HTTPS > requests via Pound) are always sent to the same back end server > (server2). HTTP requests that come from all different IPs directly > into HAProxy are being balanced over back end server1 and server2. I > assume this is possibly because 127.0.0.1 always passes through the > balancing hash algorithm (or whatever HAProxy uses) and comes out with > the same value each time. > > Is there anything I can do about this? > > Kind regards, > James. > >
Re: Tactics for load balancing all connections
Yes that works in the way I mentioned (cookies then source IP) Sent from mobile, please excuse brevity/typos. - Reply message - From: "James Bensley" To: Subject: Tactics for load balancing all connections Date: Fri, Jan 18, 2013 03:19 Hi Unai, Well that is what I have in the configuration, as I included in my first email, but will this actually work? Does HAProxy support listing more than one mechanism at once? If so, is there some sort of priority list on which I can see the order they are used in? Many thanks, James.
Re: Tactics for load balancing all connections
If you use load balance source and then cookies HAProxy will load balance based on the cookies and if they are not there (i.e. not supported by the client) then based on source IP. I think this is what you want right? Sent from mobile, please excuse brevity/typos. - Reply message - From: "Jonathan Matthews" To: Subject: Tactics for load balancing all connections Date: Thu, Jan 17, 2013 20:39 On 17 January 2013 12:24, James Bensley wrote: > Howdy All, > > I wondered if anyone could entertain me with some ideas and thoughts > on being able to load balance all connections that pass through > HAProxy, perhaps by using more that one method, to "catch all" > connections (I have a single box set up in mind which is troubling > me). I have placed a snippet of the config below. We are inserting a > cooking to the request, either s1 for server1 or s2 for server2 so > that customers are having sticky sessions with the web servers. For > customers that don't support cookies, the servers redirect the user to > a different URL that carries the session ID in the URL all throughout > the session (an SSL session is terminated in front of HAProxy, so > HAProxy is HTTP only below).In the cookie-less scenario we would like > to use source IP based balancing; whilst this isn't the most even > distribution of traffic, it will be a minority of traffic. > > So, can I enable two balancing techniques? Is there a way of having > priority based balancing so cookies are preferred, failing that, > source IP? From the fine documentation: --- appsession [snip] When an application cookie is defined in a backend, HAProxy will check when the server sets such a cookie, and will store its value in a table, and associate it with the server's identifier. Up to characters from the value will be retained. On each connection, haproxy will look for this cookie both in the "Cookie:" headers, and as a URL parameter (depending on the mode used). If a known value is found, the client will be directed to the server associated with this value. Otherwise, the load balancing algorithm is applied. --- The "otherwise" caveat sounds like what you're looking for. Jonathan -- Jonathan Matthews // Oxford, London, UK http://www.jpluscplusm.com/contact.html
Re: Session stickiness based on appsession. JSESSIONID twice on some log lines.
On 2013-01-16 16:49, Baptiste wrote: Hi, Please remove the "cookie JSESSIONID prefix" line from your configuration. Yes, THAT WORKS, thank you so much!!!
Session stickiness based on appsession. JSESSIONID twice on some log lines.
Dear All, I'm trying to have session stickiness based on an application cookie (i.e. JSESSIONID) through the following configuration: listen bpm_weblogics_prod bind 10.124.32.176:8090 balance roundrobin option httpclose capture cookie JSESSIONID= len 30 cookie JSESSIONID prefix appsession JSESSIONID len 30 timeout 3h request-learn server 10.124.4.236:8001 10.124.4.236:8001 check inter 3200 rise 2 fall 3 server 10.124.4.237:8002 10.124.4.237:8002 check inter 3200 rise 2 fall 3 This fails sometimes, like the following log snippet shows: --- [line #1] Jan 16 11:51:21 localhost haproxy[12314]: 10.124.32.182:56573 [16/Jan/2013:11:51:21.608] bpm_weblogics_prod bpm_weblogics_prod/10.124.4.237:8002 0/0/0/54/62 200 5759 - JSESSIONID=hLLcQ2kGjFF5KBWBsD2 --NP 53/1/1/1/0 0/0 "GET /bpm/workspace/ HTTP/1.1" [line #2] Jan 16 11:51:22 localhost haproxy[12314]: 10.124.32.182:56574 [16/Jan/2013:11:51:21.787] bpm_weblogics_prod bpm_weblogics_prod/10.124.4.236:8001 0/0/0/244/254 302 1113 JSESSIONID=hLLcQ2kGjFF5KBWBsD2 JSESSIONID=hLLcQ2kGjFF5KBWBsD2 --IP 53/1/1/0/0 0/0 "GET /bpm/workspace/?_afrLoop=7215946588586104&_afrWindowMode=0&_afrWindowId=null HTTP/1.1" [line #3] Jan 16 11:51:23 localhost haproxy[12314]: 10.124.32.190:59517 [16/Jan/2013:11:51:23.916] bpm_weblogics_prod bpm_weblogics_prod/10.124.4.237:8002 0/0/0/10/59 200 271952 JSESSIONID=hLLcQ2kGjFF5KBWBsD2 - --VN 55/2/2/2/0 0/0 "GET /bpm/workspace/adf/styles/cache/fusion-desktop-fek81w-en-ltr-gecko-macos-cmp.css HTTP/1.1" [line #4] Jan 16 11:51:24 localhost haproxy[12314]: 10.124.32.190:59519 [16/Jan/2013:11:51:24.001] bpm_weblogics_prod bpm_weblogics_prod/10.124.4.237:8002 0/0/0/6/9 200 14830 JSESSIONID=hLLcQ2kGjFF5KBWBsD2 - --VN 58/3/3/3/0 0/0 "GET /bpm/workspace/adf/jsLibs/resources/LocaleElements_en_US1_2_12_3_3.js?loc=en_US HTTP/1.1" --- As you can see requests on lines #1, #3 and #4 connect to backend #2 (10.124.4.237:8002) while the request on line #2 connects to backend #1 (10.124.4.236:8001). I find interesting that line #2 shows JSESSIONID twice (i.e.: JSESSIONID=hLLcQ2kGjFF5KBWBsD2 JSESSIONID=hLLcQ2kGjFF5KBWBsD2) and I'm not sure if this is indicative or something that's wrong, isn't it? Could anyone point out what's wrong with the configuration? Thank you so much -- unai
HAProxy in front of Oracle database
Dear List, I've been happily using HAProxy for several years on a variety of scenarios however I've been unable to find any references online with regard to placing HAProxy in front of Oracle database. From my understanding this should be possible (and I've done this with MySQL) but I would like to ask if any of you has any comments/insights/recommendations and/or could point me to a document that covers this. THANK YOU SO MUCH -- unai
Re: Performance on an Atom D510 Dual Core 1.66GHz
Thank you so much for the information Willy. unai On Tue, Jul 27, 2010 at 1:27 PM, Willy Tarreau wrote: > On Tue, Jul 27, 2010 at 12:23:59AM +0800, Unai Rodriguez wrote: >> Dear All, >> >> I am thinking of setting an HAProxy on Atom D510 Dual Core 1.66GHz. Am >> I supposed to face performance issues? Anyone got experience with >> HAProxy running on similar hardware? Would it be possible to share >> some approximate numbers on what that hardware would be able to >> handle? > > OK so here are a few results of haproxy 1.4.8 running on Atom D510 (64-bit) > without keep-alive : > > 6400 hits/s on 0-bytes objets > 6200 hits/s on 1kB objects (86 Mbps) > 5700 hits/s on 2kB objects (130 Mbps) > 5250 hits/s on 4kB objects (208 Mbps) > 3300 hits/s on 8kB objects (250 Mbps) > 2000 hits/s on 16kB objects (300 Mbps) > 1300 hits/s on 32kB objects (365 Mbps) > 800 hits/s on 64kB objects (450 Mbps) > 480 hits/s on 128kB objects (535 Mbps) > 250 hits/s on 256kB objects (575 Mbps) > 135 hits/s on 512kB objects (610 Mbps) > > > This requires binding the NIC's interrupt on one core and binding haproxy > to the other core. That way, it leaves about 20% total idle on the NIC's > core. Otherwise, the system tends to put haproxy on the same core as the > NIC and the results are approximately half of that. > > Quick tests with keep-alive enabled report 7400 hits/s instead of 6400 > for the empty file test, and 600 instead of 5250 for the 4kB file, thus > minor savings. > > In fact it makes a quite nice cheap fanless load balancer :-) > > Regards, > Willy > >
Performance on an Atom D510 Dual Core 1.66GHz
Dear All, I am thinking of setting an HAProxy on Atom D510 Dual Core 1.66GHz. Am I supposed to face performance issues? Anyone got experience with HAProxy running on similar hardware? Would it be possible to share some approximate numbers on what that hardware would be able to handle? Thank you so much. With Best Wishes, Unai Rodriguez
Re: Issues filtering URLs (i.e. Layer 7 filtering).
Dear Holger, Thank you so so much!!! Our setup works now smoothly after trying your suggestion :-) With Best Wishes, unai > Most likely, your issue will be resolved by issuing option httpclose > into your frontend section (or option forceclose in certain cases - see > the documentation for that) (...)
Issues filtering URLs (i.e. Layer 7 filtering).
Dear All, I am using HAProxy 1.3.15.2 on Debian Linux 5.0 (Lenny) and trying to do the following frontend-backend mapping based on ACLs: a) URLs containing /cas/ connect to backend casbe b) Any other, connect to iis This is my configuration: ... frontend f1 10.123.16.195:80 mode http default_backend iis acl cas path_beg -i /cas/ use_backend casbe if cas backend casbe mode http server 10.123.12.108:80 10.123.12.108:80 check inter 5000 rise 2 fall 3 backend iis modehttp server 10.123.16.124:80 10.123.16.124:80 check inter 5000 rise 2 fall 3 ... Now here is the issue... If I open a http://xxx/cas/ URL it will usually work fine. If I keep refreshing the browser a random number of times (from 5 to 50 times) using Ctrl + F5 it will eventually display a page not found error (HTTP 404). Looking at the logs I see that HAProxy is connecting me to the wrong backend server (a.k.a. iis) instead of casbe. Something that I have noticed is the issue is easier to replicate using Google Chrome 2.0.172.33 than Firefox 3.5. Has anyone experienced something similar? Thank you so much, unai
Re: Balancing OpenLDAP
How about writing a bash script that checks LDAP status somehow and have this script managed by xinetd? The script should return "HTTP/1.1 200 OK\r\n" if the LDAP server is fine or something else if not (e.g. "HTTP/1.1 503 Service Unavailable\r\n"). Xinetd could be configured in such a way that the script is invoked upon connecting to a defined port, let's say 9200. Then, we could have on the HAProxy configuration something like this: listen LDAP IP:389 modetcp option httpchk server ldap_srv1 ip:389 check port 9200 inter 5000 rise 3 fall 3 What would you think of that approach? unai Willy Tarreau wrote: On Mon, Jan 19, 2009 at 10:16:46PM +0100, Jordi Espasa wrote: Jordi's question got me thinking. Does haproxy support externally scripted healthchecks? If not, this would be useful for implementing a variety of healthchecks that aren't built into haproxy. Yes. It would be a very cool feature. No it does not. Yes it would be cool, but it's somewhat incompatible with chroot. The possible long-term solutions include : - shared library support, in order to load external plugins, including complex health-checks plugins ; - performing the checks in an independant process. That would be very nice since it would allow better support for multi-process usage. Another solution would be to state that chroot is incompatible with external scripts, and let the user make a choice. Maybe we can try to think about the required parameters for an external script, and see how that could be implemented. We might even reuse some parts of what I had developped for Keepalived (VRRP tracking scripts). It was quite advanced (cache of last result, etc...), and keepalived's and haproxy's architectures are quite similar. Now, speaking about the LDAP checks, I was about to implement one in the past due to a customer's need, and finally let go because the customer was not interested due to some aspects which were not covered (detection of end of replication). So right now there's no LDAP check. Regards, willy