Re: and response header based on presence of request header
On Fri, Nov 28, 2014 at 2:10 PM, Pavlos Parissis <pavlos.paris...@gmail.com> wrote:

> Hi,
>
> I want HAProxy to add a response header if the request includes a specific header. I implemented the logic [1] but I get the following:
>
>   parsing [/etc/haproxy/haproxy.cfg:77] : acl 'lb_debug' will never match because it only involves keywords that are incompatible with 'frontend http-response header rule'
>   [WARNING] 331/135906 (6390) : config : log format ignored for proxy 'haproxy' since it has no log address.
>
> I found a few references on the Internet and, if I understood them correctly, it fails because at the moment rspadd is evaluated HAProxy doesn't know request information like headers. Am I right? And if I am right, do we have a solution? Willy mentioned in a similar thread a dirty way to get it but I failed to find it.
>
> [1]
>   frontend foo_bar_com
>     capture request header User-Agent len 120
>     capture request header Host len 32
>     bind 10.189.200.1:80
>     acl lb_debug req.hdr(LBBEBUG) -i true
>     rspadd LBNODENAME:\ haproxylb-201.lhr4.qds.booking.com if lb_debug
>     default_backend foo_bar_com
>
>   backend foo_bar_com
>     default-server inter 10s
>     option httpchk GET / HTTP/1.1\r\nHost:\ foo.bar.com\r\nUser-Agent:\ HAProxy
>     server server1 10.12.10.65:80 check
>
> Cheers,
> Pavlos

Hi Pavlos,

This is not doable yet in HAProxy. Inbound and outbound traffic are uncorrelated from each other. It means once the request has been forwarded to the server, HAProxy doesn't have it anymore, so it can't match it once the response comes.

mmmhh, thinking while writing this email. This may work. Put this in your frontend, after your existing capture request directives:

  capture request header X-Blah len 5
  http-response set-header X-Found Yes if { capture.req.hdr(2) -i true }

NOTE to you and to everyone: this is a dirty hack. Use it for debugging purposes only. Hopefully we'll have session variables in HAProxy soon and you could replace such type of configuration.

Baptiste
Re: and response header based on presence of request header
Please read:

  capture request header LBBEBUG len 5
  http-response set-header LBNODENAME <your server hostname here> if { capture.req.hdr(2) -i true }

instead of the ugly X-Blah and X-Found.

Baptiste
Re: rewritting headers on the fly using CORS
On Fri, Nov 28, 2014 at 3:09 PM, Charles Bijon <bijon.char...@gmail.com> wrote:

> Hi,
>
> I wonder, when using the header rewrite for CORS, if
>
> - we can simplify by keeping the origin in a variable on the fly, and of course with a list of ACLs to accept this domain, or
> - one is forced to use a different backend for each domain.
>
> Example, in the backend using:
>
>   rspadd Access-Control-Allow-Origin: $(hdr(origin))
>
> But I do not know if this concept of variable is possible with haproxy. Today, I am using one backend for each origin domain with a different rspadd Access-Control-Allow-Origin: X, which will not be funny to manage.
>
> Regards,
> Charles

Hi Charles,

What is CORS ???
What should $origin return? The content of an HTTP header called Origin? Or something else?

Baptiste
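The capture trick from the first thread above (response header driven by a request header) and the CORS question in this thread rely on the same mechanism: a "capture request header" value stays attached to the session, so it can still be read from http-response rules. The frontend below is an added example written for this page, not configuration posted by any of the participants; the frontend name, IP, node hostname and LBBEBUG/LBNODENAME names come from the first thread, while the trusted source range, the allowed origins and the capture length for Origin are my own assumptions.

```haproxy
frontend foo_bar_com
    bind 10.189.200.1:80
    default_backend foo_bar_com

    # Captures are numbered in declaration order, starting at 0. The
    # captured value stays attached to the session, so it is still
    # readable while the response is processed (that is the whole trick).
    # Adding a capture above an existing one shifts every later index.
    capture request header User-Agent len 120     # capture.req.hdr(0)
    capture request header Host len 32            # capture.req.hdr(1)
    capture request header LBBEBUG len 5          # capture.req.hdr(2)
    capture request header Origin len 128         # capture.req.hdr(3), assumed length

    # Thread 1: reveal which node served the request. The node hostname
    # is an information leak to anyone who sends the header, so it is
    # also gated on a trusted source range (assumed 10.0.0.0/8).
    acl lb_debug     capture.req.hdr(2) -i true
    acl trusted_src  src 10.0.0.0/8
    http-response set-header LBNODENAME haproxylb-201.lhr4.qds.booking.com if lb_debug trusted_src

    # Thread 2: CORS. Echo the Origin back only when it is on the allow
    # list (assumed values). Reflecting arbitrary origins would let any
    # site read responses with the user's cookies. The comparison is an
    # exact string match on the full origin, scheme included; a value
    # longer than the capture length is truncated and simply fails to match.
    acl cors_origin_ok capture.req.hdr(3) -m str https://app.example.com https://admin.example.com
    http-response set-header Access-Control-Allow-Origin %[capture.req.hdr(3)] if cors_origin_ok
    http-response set-header Vary Origin if cors_origin_ok
```

Because the captured headers also appear in the HTTP log line (the {...} block), keep the capture lengths short and avoid capturing anything sensitive this way.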
Re: add response header based on presence of request header
> Thanks for the solution Baptiste, but why is it considered a dirty hack? I must assume that it may cause problems in more complex setups.

Hi Pavlos,

I considered it a dirty hack because I derouted a feature from its original purpose and I knew there would be features in the new release dedicated to what you want to do. And so, you would have to update your configuration accordingly.
That's what Willy mentioned: http-request capture rules from 1.6.

Baptiste
Re: Set header with value extracted from path
On Thu, Dec 4, 2014 at 12:09 AM, Ryan <rnidef...@gmail.com> wrote:

> When I receive URLs with the following format:
>
>   /1/a/b/c
>
> I rewrite the URL removing the digit like so:
>
>   /v2.0.0/a/b/c
>
> And I need to set a header with the value of the digit I replaced, i.e.:
>
>   X-ID: 1
>
> Is it possible to do this within haproxy? I am able to reqrep the original URL, and set an ACL to be used with an http-request add-header directive, but I don't know how to extract the URL value and either save it for use in the add-header, or write a format string in the add-header directive that will do this.
>
> I'm playing around with something like this but not having much luck:
>
>   acl url_id path_reg ^/([0-9]+)/.*$
>   http-request add-header X_ID %[path_reg(^/([0-9]+)/.*$)] if url_id
>
> Any ideas?
>
> Thanks,
> Ryan

Hi Ryan,

Either there is a bug in the code or the documentation is inaccurate, in chapter 7.3.6 "HTTP samples". The document says we can fetch content using a sample called path and all its derivatives, including path_reg.

Actually, when I add the following in my conf:

  http-request set-header X-blah %[path_reg .*]

I have a configuration parsing error because of the slash. When I backslash it:

  http-request set-header X-blah %[path_reg\ .*]

the configuration is valid (from a syntax point of view) but HAProxy doesn't do anything.

So in your case, I would do this for now:

  acl url_id path_reg ^/([0-9]+)/.*$
  http-request set-header X_ID %[path] if url_id
  http-request replace-value X_ID ^/([0-9]+)/.*$ \1 if { req.hdr(X_ID) -m found }

should do the trick.

Baptiste
Re: Haproxy for sso internal web failure
On Fri, Dec 5, 2014 at 9:15 AM, 瞿盛熙 <smashp...@gmail.com> wrote:

> Hi, Sir:
>
> I'm a fresh man on HAProxy. We use HAProxy to load balance access to web sites. So HAProxy is at the front; in its backend there are two proxy servers. However, we find that if we set HAProxy's VIP in the web browser's proxy settings, then the SSO for the company's internal web site fails. If we use the backend proxy directly in the web browser, then SSO is working. Below is the haproxy.cfg section for configuring the proxy LB. I just want to know if this SSO failure can be avoided by changing some settings in HAProxy or not. Thanks.
>
>   #-
>   # vip:8080 -- proxy:8080
>   #-
>   frontend LBproxy
>     bind 10.64.8.8:8080
>     mode http
>     option httpclose
>     option forwardfor except 127.0.0.0/8
>     default_backend SGproxy
>
> B/R
> Sean

Hi,

If you don't give us any information on how your SSO works, we can't help you.
If I were you I would start by removing option httpclose.

Baptiste
Re: eliminate per-server queuing?
On Thu, Dec 4, 2014 at 11:50 PM, Daniel Lieberman <dlieber...@bitpusher.com> wrote:

> We have a situation where our app servers sometimes get into a bad state, and hitting a working server is more important than enforcing persistence. Generally the number of connections to a bad server grows rapidly, so we've set a maxconn value on the server line which effectively takes a server out of the pool when the bad state occurs.
>
> If we fill up the connection slots, the server is almost definitely bad, so we'd rather not queue at all. Since maxqueue 0 means unlimited, it looks like the minimum queue size is 1. Is that right? Is there any way to enforce a redispatch whenever we're at maxconn, without any connections getting queued?
>
> Thanks,
> -Daniel

Hi Daniel,

We can do this :)
I just need to know how you do persistence currently. Please send us your simplest frontend and backend configuration.

Baptiste
Re: for help about haproxy + tproxy
On Fri, Dec 5, 2014 at 9:09 AM, 均华 <wpk...@gmail.com> wrote:

> I am sorry to trouble you... but I don't have any idea about HAProxy + TPROXY now. When I want to use HAProxy + TPROXY as the transparent balancing server, I have tried all the samples on all websites, but none of them worked. Can you tell me how to use HAProxy + TPROXY (like the picture below)?

Hi,

At least, your scheme looks good.
Please have a look at the link below and let me know what you don't understand:
http://blog.haproxy.com/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/

Baptiste
Re: Three questions about stick-tables and request rate limiting
Hi Dennis,

Answering inline in your email.

> Question 1: Is there a better way to reset the gpc0 counter other than waiting for the stick-table entry to expire? In my test, if I hit haproxy with the load-testing tool apache bench to trigger the 10 req/s limit for two seconds and then follow that up with a pattern of 1 req/s for a minute, these requests will never succeed because gpc0 is greater than zero, will never reset, and the stick-table entry will never expire because the timer will always get reset by the 1 req/s pattern, so the user is effectively locked out forever even though he is no longer exceeding the request/s limit. Wouldn't it be better to reset the gpc0 counter to zero once http_req_rate has dropped below 10 again, to not create this kind of perma-block?

Yes, you can; there is a sample called sc0_clr_gpc0 whose purpose is to clear the value of gpc0.
Another solution would be not to measure gpc0 itself but its growth rate using sc0_gpc0_rate. Growth would be very low with 1 request per minute.

> Question 2: When I use wrk instead of ab it seems the request limiting doesn't work at all. What wrk does is it doesn't create new connections for each request but only creates a bunch of connections initially and then sends all requests using these permanent connections.
>
> These are a couple of stick-table dumps I did after starting the wrk test:
>
>   0xe5e854: key=10.99.0.1 use=10 exp=7791 gpc0=15771 conn_cur=10 http_req_rate(1)=15780
>   0xe5e854: key=10.99.0.1 use=10 exp=7247 gpc0=19767 conn_cur=10 http_req_rate(1)=19776
>   0xe5e854: key=10.99.0.1 use=10 exp=6727 gpc0=23606 conn_cur=10 http_req_rate(1)=23615
>   0xe5e854: key=10.99.0.1 use=10 exp=6247 gpc0=26718 conn_cur=10 http_req_rate(1)=26727
>   0xe5e854: key=10.99.0.1 use=10 exp=5823 gpc0=29760 conn_cur=10 http_req_rate(1)=29769
>   0xe5e854: key=10.99.0.1 use=10 exp=5424 gpc0=32622 conn_cur=10 http_req_rate(1)=32631
>   0xe5e854: key=10.99.0.1 use=10 exp=4967 gpc0=35964 conn_cur=10 http_req_rate(1)=35973
>   0xe5e854: key=10.99.0.1 use=10 exp=4567 gpc0=38779 conn_cur=10 http_req_rate(1)=38788
>
> Notice how the http_req_rate keeps going up, as does the gpc0 counter, yet wrk doesn't report any failed requests and a result of several thousand requests per second. The impression I get here is that this configuration doesn't *really* limit the number of requests but only the number of connections based on the request rate, which is semantically a bit different and still allows a potential abuser to send as many requests as he wants as long as he keeps using an existing connection. Is this impression correct, and is there a way to truly limit the number of requests/s even when no new connections are made?

Instead of flagging a request, you can simply deny it. HAProxy will then close the TCP connection and the user won't be allowed to establish a new one.

> Question 3: As you can see in the configuration, I'm using an https frontend that proxies the traffic to the http frontend so that I can get the combined stats in the single-process http frontend while still being able to put the https frontend on independent processes to distribute the load among cores. What I noticed though is that when I do the above tests on the SSL frontend I don't get any stick-table entries in the regular http frontend.
>
> Apparently the proxied connections aren't registered by the stick-table. Is there a way to get these connections to show up as well, or do I have to copy+paste the stick-table and abuse settings and keep them manually in sync between the two frontends?

There should be no difference between SSL and clear traffic.
I can reproduce the behavior: there might be a bug when passing through a unix socket. As a workaround, you can fail over to a loopback IP address.
In order to populate a blacklist between clear and SSL frontends, you can use 'http-response add-acl'.

Hope this helps.

Baptiste
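Questions 1 and 2 above come down to two points: clear the gpc0 flag when the client has calmed down instead of waiting for the entry to expire, and enforce the limit per request rather than per connection so that a keep-alive connection (wrk's behaviour) cannot bypass it. The frontend below is an added example for this page, not Dennis's configuration (which is not reproduced here) and not code from the HAProxy project; the frontend name, bind address, table size, the 10 req/s threshold from the thread and the 1 req/s "calm" threshold are assumptions.

```haproxy
frontend http-in
    bind 10.0.0.1:80
    default_backend app

    # One entry per client IP. gpc0 is the "abuser" flag, http_req_rate
    # counts requests (not connections) over a sliding 1s window. expire
    # is only a fallback: the flag is cleared explicitly below.
    stick-table type ip size 100k expire 30s store gpc0,http_req_rate(1s)

    # Track at request level, so every request on an existing keep-alive
    # connection is counted. Tracking at tcp-request connection level
    # would only see new connections, which is what made wrk slip through.
    http-request track-sc0 src

    acl rate_exceeded  sc0_http_req_rate gt 10
    acl flagged        sc0_get_gpc0 gt 0
    acl calm           sc0_http_req_rate le 1

    # Over the limit: raise the flag (sc0_inc_gpc0 increments and returns
    # the new value) and deny. A deny answers 403 and closes the
    # connection, so the client cannot keep pushing requests on it.
    # ACL terms are evaluated left to right, so the increment only happens
    # when rate_exceeded is already true.
    http-request deny if rate_exceeded { sc0_inc_gpc0 gt 0 }

    # Flagged but back to a normal rate: drop the flag (sc0_clr_gpc0
    # returns the previous value, hence "ge 0") and let the request in.
    # This is the fix for the permanent lock-out in question 1.
    http-request allow if flagged calm { sc0_clr_gpc0 ge 0 }

    # Flagged and still sending faster than the calm threshold: keep
    # denying. The denied requests are counted too, so a client that
    # keeps hammering stays blocked until it really slows down.
    http-request deny if flagged
```

The thresholds form a hysteresis: a client is flagged above 10 req/s and released only once it is at or below 1 req/s, which avoids flapping around the limit. Note that the key is the source address, so many users behind one NAT share a single entry; key on something more specific (a client certificate, an authenticated session id) where that matters.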
Re: Disable HTTP logging for specific backend in HAProxy
On Mon, Dec 8, 2014 at 1:29 PM, Jonathan Matthews <cont...@jpluscplusm.com> wrote:

> On 7 December 2014 at 20:54, Alexander Minza <alexander.mi...@gmail.com> wrote:
>> How does one adjust the logging level or disable logging altogether for specific backends in HAProxy? In the example below, both directives "http-request set-log-level err" and "no log" seem to have no effect - the logs are swamped with lines of successful HTTP status 200 OK records.
>> [snip]
>>   backend static
>>     http-request set-log-level err
>>     no log
>
> Are you /absolutely/ sure that these log lines aren't being emitted by the frontend or listener through which your backend must have received the request? Are you expecting that "no log" to percolate back to the frontend? I don't /think/ it works that way ... (though I've not tested).
>
> [As an aside, the way I read what you've written above is "mark *all* logs from the static backend as err level". Whereas your global section's "log /dev/log local1 notice" line says "log everything that is notice-or-more-severe to /dev/log". I know your "no log" looks like it should override this logging, but I just thought I'd mention it as it looks a little odd.]
>
> Regards,
> Jonathan

Hi Alexander,

You don't disable logging in a backend, since the frontend is responsible for generating the log line.
If you don't want to log static content, you can do something like this:

  acl static ### put your acl rule here
  http-request set-log-level silent if static

Baptiste
Re: Disable HTTP logging for specific backend in HAProxy
On Mon, Dec 8, 2014 at 10:20 PM, Alexander Minza <alexander.mi...@gmail.com> wrote:

> Alexander Minza <alexander.minza@...> writes:
>
> However, I would like to log just the errors; thus after setting the log level to err it seems that it is logging again all the requests, not just those resulting in an HTTP error from the backend response. Adding the following lines to the backend config section:
>
>   no log
>   log /dev/log local1 err
>
> does not seem to have any effect - the log is still populated with HTTP 200 OK requests.

There is a nice option called dontlog-normal which logs only errors.
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#option%20dontlog-normal

Baptiste
Re: connection pooling
On Tue, Dec 9, 2014 at 10:04 PM, Pavlos Parissis <pavlos.paris...@gmail.com> wrote:

> Hi,
>
> It has been mentioned that the 1.5 version doesn't support connection pooling, meaning that 1 TCP session to a backend server can serve multiple HTTP requests originating from more than 1 client. Do you guys have plans to introduce this functionality in the 1.6 release?
>
> Cheers,
> Pavlos

Hi Pavlos,

I'm speaking on behalf of Willy, so he may complete my answer.
I don't know if this will be available in 1.6, but in order to support HTTP/2.0, HAProxy will have to support connection pooling.

Baptiste
Re: eliminate per-server queuing?
On Fri, Dec 5, 2014 at 7:20 PM, Daniel Lieberman <dlieber...@bitpusher.com> wrote:

> On Dec 5, 2014, at 5:21 AM, Baptiste <bed...@gmail.com> wrote:
>> On Thu, Dec 4, 2014 at 11:50 PM, Daniel Lieberman <dlieber...@bitpusher.com> wrote:
>>> We have a situation where our app servers sometimes get into a bad state, and hitting a working server is more important than enforcing persistence. Generally the number of connections to a bad server grows rapidly, so we've set a maxconn value on the server line which effectively takes a server out of the pool when the bad state occurs.
>>>
>>> If we fill up the connection slots, the server is almost definitely bad, so we'd rather not queue at all. Since maxqueue 0 means unlimited, it looks like the minimum queue size is 1. Is that right? Is there any way to enforce a redispatch whenever we're at maxconn, without any connections getting queued?
>>>
>>> Thanks,
>>> -Daniel
>>
>> hi Daniel,
>>
>> We can do this :)
>> I just need to know how you do persistence currently. Please send us your simplest frontend and backend configuration.
>>
>> Baptiste
>
> We do cookie-based persistence, but also use balance source to use consistent backends on browsers which don't support cookies (relevant for a significant fraction of the mobile users of this app). (In our case, switching app servers results in an annoying UI quirk, but doesn't break the session.)
>
> Here's one of the relevant fe/be configs (lightly sanitized):
>
>   frontend service1
>     bind 1.2.3.4:80
>     bind 1.2.3.4:81 accept-proxy
>     bind-process 1
>     default_backend service1
>
>   backend service1
>     bind-process 1
>     balance source
>     hash-type consistent wt6 avalanche
>     option forwardfor
>     option http-server-close
>     option http-pretend-keepalive
>     option httplog
>     option httpchk GET /healthCheck.htm HTTP/1.1\r\nHost:\ example.com
>     cookie SERVERID insert indirect
>     server app1 app1:8080 cookie app1 maxconn 25 maxqueue 5 weight 100 check
>     server app2 app2:8080 cookie app2 maxconn 25 maxqueue 5 weight 100 check
>     [and many more app servers]
>
> Thanks,
> -Daniel

Hi Daniel,

Here is my proposition:
In your frontend, you monitor the cookie and the number of established connections to the server. You switch to another farm with another algorithm when the server is full. This farm will choose another server and a new cookie will be generated, compatible with the service one.

That said, there may be collisions (the round robin algorithm could redirect you to the server already chosen by the source IP hash).
Second issue: if the client doesn't send any cookie, then it will bypass the rules :/

An alternative to the way below would be to use a use-server rule in the service1 backend, but it would have the same limitation as above + a snowball effect since all the traffic from a server would be forced to go to a single alternative one.

  frontend service1
    bind 1.2.3.4:80
    bind 1.2.3.4:81 accept-proxy
    bind-process 1
    use_backend bk_roundrobin if { req.cook(SERVERID) app1 } { srv_conn(service1/app1) ge 25 }
    use_backend bk_roundrobin if { req.cook(SERVERID) app2 } { srv_conn(service1/app2) ge 25 }
    default_backend service1

  backend service1
    bind-process 1
    balance source
    hash-type consistent wt6 avalanche
    option forwardfor
    option http-server-close
    option http-pretend-keepalive
    option httplog
    option httpchk GET /healthCheck.htm HTTP/1.1\r\nHost:\ example.com
    cookie SERVERID insert indirect
    server app1 app1:8080 cookie app1 maxconn 25 maxqueue 5 weight 100 check
    server app2 app2:8080 cookie app2 maxconn 25 maxqueue 5 weight 100 check

  backend bk_roundrobin
    bind-process 1
    balance roundrobin
    option forwardfor
    option http-server-close
    option http-pretend-keepalive
    option httplog
    option httpchk GET /healthCheck.htm HTTP/1.1\r\nHost:\ example.com
    cookie SERVERID insert indirect
    server app1 app1:8080 cookie app1 maxconn 25 maxqueue 5 weight 100 check
    server app2 app2:8080 cookie app2 maxconn 25 maxqueue 5 weight 100 check
Re: connection pooling
On Wed, Dec 10, 2014 at 10:10 AM, Aleksandar Lazic <al-hapr...@none.at> wrote:

> Hi.
>
> On 09-12-2014 22:04, Pavlos Parissis wrote:
>> Hi,
>>
>> It has been mentioned that the 1.5 version doesn't support connection pooling, meaning that 1 TCP session to a backend server can serve multiple HTTP requests originating from more than 1 client. Do you guys have plans to introduce this functionality in the 1.6 release?
>
> There is something like a Roadmap for 1.6 from 2014-07-25
> http://marc.info/?t=14063093641r=1w=2
>
>> Cheers,
>> Pavlos
>
> C A

Well, given the experience of 'http-keep-alive', Willy doesn't want to promise any feature for any version any more :)
So it may happen in 1.6, or later.

Baptiste
Re: Override maintainance setting for special source IP
On Wed, Dec 10, 2014 at 12:34 PM, Philipp Kolmann <kolm...@zid.tuwien.ac.at> wrote:

> Hi,
>
> we use HAProxy in front of an Exchange 2010 system to balance the load. It works very well.
>
> Now we have an issue with one HubTransport server in the Exchange farm. I have set this server to maintenance via the admin socket:
>
>   echo disable server mail-intern/htc1 | socat stdio /var/run/haproxy-admin.sock
>
> Config:
>
>   listen mail-intern
>     bind 128.130.30.55:25 transparent name smtp
>     bind 128.130.30.55:80 transparent name http
>     bind 128.130.30.55:135 transparent name loc-srv
>     bind 128.130.30.55:143 transparent name imap
>     bind 128.130.30.55:443 transparent name https
>     bind 128.130.30.55:587 transparent name submission
>     bind 128.130.30.55:993 transparent name imaps
>     bind 128.130.30.55:60001 transparent name RPC_60001
>     bind 128.130.30.55:60002 transparent name RPC_60002
>     mode tcp
>     maxconn 1
>     log-format %ci:%cp\ [%t]\ %ft\ %s\ %si:%sp\ %Tw/%Tc/%Tt\ %B\ %ts\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq
>     balance leastconn
>     stick-table type ip size 10240k expire 60m peers ha-cluster
>     stick on src
>     server htc1 128.130.30.51: maxconn 1 check
>     server htc2 128.130.30.52: maxconn 1 check
>
> All clients are now redirected to htc2 and don't see the troublesome htc1.
>
> We now would like to debug this issue and specify special source IP addresses that get routed to htc1 in maintenance mode. Is this possible?
>
> thanks
> Philipp
>
> --
> DI Mag. Philipp Kolmann                mail: kolm...@zid.tuwien.ac.at
> Technische Universitaet Wien           web: www.zid.tuwien.ac.at
> Zentraler Informatikdienst (ZID)       tel: +43(1)58801-42011
> Wiedner Hauptstr. 8-10, A-1040 Wien    DVR: 0005886

Hi Philipp,

Which version of HAProxy are you running?
In 1.5, you can do:

  use-server htc1 if { src 10.0.0.1 }

add as many IPs as needed.

Baptiste
Re: Override maintainance setting for special source IP
On Wed, Dec 10, 2014 at 1:39 PM, Philipp Kolmann <kolm...@zid.tuwien.ac.at> wrote:

> Hi Baptiste,
>
> On 10.12.14 at 12:37, Baptiste wrote:
>> Which version of HAProxy are you running?
>> In 1.5, you can do:
>>
>>   use-server htc1 if { src 10.0.0.1 }
>>
>> add as many IPs as needed.
>
> Yes, I am on 1.5 already.
>
> Is this use-server directive specified in the config file? Or can I push this change via the admin socket?

You must set it in the configuration file, but you can update its content via the stats socket or an HTTP request:
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#add%20acl
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#http-request (http-request add-acl)

Cheers
Re: HAProxy and LDAP authentication
On Wed, Dec 10, 2014 at 2:44 PM, LAGARDE ANTOINE <alaga...@ch-bourgoin.fr> wrote:

> Hi,
>
> I've been browsing the mailing list and the documentation but I didn't find a way to authenticate users using LDAP (and not a userlist in the configuration).
>
> I used to have an apache reverse proxying my zimbra mail server that doesn't work anymore with 8.5.1GA.
>
> I used to have in my httpd.conf:
>
>   AuthType Basic
>   AuthName Blablabla
>   AuthBasicProvider ldap
>   AuthLDAPBindDN CN=xx,CN=Users,DC=xx,DC=local
>   AuthLDAPBindPassword neverguess
>   AuthLDAPURL ldap://someip:port/dc=xx,dc=local?sAMAccountName?sub?(objectClass=*) NONE
>   Require ldap-group CN=g_somegroup,OU=SomeOU,DC=xx,DC=local
>
> Is there a way to get a similar behavior in HAProxy?
>
> Regards,
>
> --
> Antoine LAGARDE
> Technicien Supérieur Informatique
> Référent équipe système - CIL
> Centre Hospitalier Pierre Oudot
> 30 Avenue du Médipole
> 38300 BOURGOIN-JALLIEU
> Tél : 04.69.15.70.39
> Fax : 04.69.15.71.00
> a.laga...@ch-bourgoin.fr

Hi Antoine,

HAProxy can't do this, unfortunately.

Baptiste
Re: Modify http response code
On Wed, Dec 10, 2014 at 2:55 PM, Dennis Jacobfeuerborn <denni...@conversis.de> wrote:

> Hi,
> is there a way to modify the HTTP code of a response? Right now I use a backup server to deliver a static maintenance page but I want it to be delivered with a 503 code instead of 200. Is there a way to modify the response code like this?
>
> Regards,
> Dennis

Hi Dennis,

Yes you can, using rspirep.

Baptiste
Re: Modify http response code
On Wed, Dec 10, 2014 at 3:06 PM, Philipp <e1c1bac6253dc54a1e89ddc046585...@posteo.net> wrote:

> On 10.12.2014 14:55, Dennis Jacobfeuerborn wrote:
>> Hi,
>> is there a way to modify the HTTP code of a response? Right now I use a backup server to deliver a static maintenance page but I want it to be delivered with a 503 code instead of 200. Is there a way to modify the response code like this?
>
> I did this approach, e.g. using a dedicated backend instead of 'backup'. Shortened snippet, but you'd get the idea.
>
>   frontend man
>     default_backend man-maint
>     acl www1nb nbsrv(man-www1) gt 0
>     use_backend man-www1 if www1 www1nb
>
>   backend man-maint
>     rsprep ^HTTP/1.1\ 200\ OK HTTP/1.0\ 503\ Service\ Unavailable
>     server local_maint localhost:8001

I would rather use:

  rspirep ^HTTP/1\..\ 200\ OK HTTP/1.0\ 503\ Service\ Unavailable\r\nConnection:\ Close

Baptiste
Re: using HAProxy in front of SSO
On Wed, Dec 10, 2014 at 5:35 AM, Vivek Malik <vivek.ma...@gmail.com> wrote:

> Hi,
>
> AFAIK, Haproxy doesn't have a subrequest feature. However, there are other design solutions possible to make Haproxy an SSO filter. I am using Haproxy in a similar fashion. I have coded my SSO to notify Haproxy whenever a new SSO authentication session is added. Haproxy adds that session id to the map. When a request comes to Haproxy, it checks the map for the session id. If the session id is not present, haproxy is set to respond with a 302 to the login page.
>
> You can do the same with a stick_table too instead of a map. However, you will need the in_table(table) function which is only present in 1.6-devel as of now.
>
> Regards,
> Vivek

A safer alternative would be to use HAProxy Enterprise. It embeds all necessary features in a stable (and supported) HAProxy:
http://haproxy.com/doc/hapee/1.5/introduction.html#backported-features

Baptiste

> On Tue, Dec 9, 2014 at 6:54 PM, Patrick Kaeding <pkaed...@launchdarkly.com> wrote:
>> Hello
>>
>> I'm interested in using HAProxy as my external-facing proxy, in front of my applications. I want to implement an SSO application to handle authentication (similar to what is described here: http://dejanglozic.com/2014/10/07/sharing-micro-service-authentication-using-nginx-passport-and-redis/). Nginx has the ngx_http_auth_request_module (http://nginx.org/en/docs/http/ngx_http_auth_request_module.html), which looks like it would work well, but I am wondering if I can do this with HAProxy, and not need Nginx as a second layer in front of my applications. Can HAProxy make subrequests to determine how to handle the incoming request? Are there any resources I should check out to help with this?
>>
>> Thanks!
>> --
>> Patrick Kaeding
>> pkaed...@launchdarkly.com
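The map-based SSO filter Vivek describes above, written out as a configuration, as an added example for this page rather than Vivek's own configuration or anything from the HAProxy project. The cookie name SSOSESSION, the map path, the login URL, the socket path and the header name are assumptions; the mechanism (a map file consulted from an ACL, populated at runtime over the stats socket, with a 302 for unknown sessions) is the one the thread describes.

```haproxy
global
    # The SSO service needs "level admin" to add and delete map entries.
    # Restrict who can reach this socket: anyone who can write to it can
    # mint a valid session for any id.
    stats socket /var/run/haproxy-admin.sock mode 660 level admin

frontend www
    bind 10.0.0.1:80
    default_backend app

    # Look the session cookie up in the map. The file may start empty;
    # the SSO service adds an entry on login and removes it on logout:
    #   echo "add map /etc/haproxy/sso_sessions.map <session-id> 1" | socat stdio /var/run/haproxy-admin.sock
    #   echo "del map /etc/haproxy/sso_sessions.map <session-id>"   | socat stdio /var/run/haproxy-admin.sock
    # "-m found" is true only when the lookup returned a value, so an
    # absent cookie or an unknown id both fail closed.
    acl has_valid_session req.cook(SSOSESSION),map(/etc/haproxy/sso_sessions.map) -m found

    # Unknown session: send the client to the SSO login page. This lookup
    # replaces the subrequest that nginx's auth_request would perform.
    http-request redirect location https://sso.example.com/login code 302 unless has_valid_session

    # Never trust an identity header supplied by the client; the backend
    # should only see one that this proxy set (assumed header name).
    http-request del-header X-Authenticated-User
```

Two caveats worth knowing before relying on this. The map lives in memory per process, so with nbproc greater than 1 the SSO service has to push every add/del to each process's socket (one "stats socket ... process N" per process), otherwise a session is valid on one process and unknown on the others. And entries never expire on their own: the SSO service must delete them on logout or session timeout, or a stolen session id stays valid for as long as HAProxy runs.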
Re: 1.5.9 crashes every 4 hours, like clockwork
On Thu, Dec 11, 2014 at 4:22 PM, <cyril.bo...@free.fr> wrote:

> On 11/12/2014 16:20, cyril.bo...@free.fr wrote:
>> 1am, 5am, 9am, 1pm, 5pm, 9pm
>> 1.5.9 = coincidence?
>> This really makes me think of a script.
>
> I mean a script *issue* ;-)
>
> --
> Cyril Bonté

mhh David may have enabled the global 'autokill' feature.

Baptiste
Re: Multiprocess and backends
On Wed, Dec 17, 2014 at 10:39 PM, Pavlos Parissis <pavlos.paris...@gmail.com> wrote:

> Hi,
>
> I remember someone (maybe Baptiste) saying that in multi-process mode backends will be picked up by the process which the frontend is bound to. But I found this not to be the case in 1.5.9. I also remember that this works only when you have a 1-to-1 relationship between frontends and backends, which is my case.
>
> In the following output of the stat sockets I see both backends being monitored by both processes. If I bind the graphite_example.com_SSL backend to the same process as the graphite_example.com_SSL frontend, it works as expected, where graphite_example.com_SSL is monitored only by process 2.
>
> It isn't a problem to use bind-process in backend settings and I am just asking out of curiosity.
>
> Cheers,
> Pavlos
>
>   echo 'show stat'|nc -U /var/lib/haproxy/stats1
>   haproxy,FRONTEND,,,0,0,5,0,0,0,0,0,0,OPEN,1,2,00,0,2000
>   haproxy,BACKEND,0,0,0,0,5000,0,0,0,0,0,,0,0,0,0,UP,0,0,0,,0,19,0,,1,2,0,,0,
>   graphite_example.com,FRONTEND,,,0,1,5,6,1008,7290,0,0,0,OPEN,,,
>   graphite_example.com,server-101.example.com,0,0,0,1,,3,504,3645,,0,,0,0,
>   graphite_example.com,server-102.example.com,0,0,0,1,,3,504,3645,,0,,0,
>   graphite_example.com,BACKEND,0,0,0,1,5000,6,1008,7290,0,0,,0,0,0,0,UP,2,2,0
>   graphite_example.com_SSL,server-103.example.com,0,0,0,0,,0,0,0,,0,,0,0,0
>   graphite_example.com_SSL,server-104.example.com,0,0,0,0,,0,0,0,,0,,0,0,
>   graphite_example.com_SSL,BACKEND,0,0,0,0,5000,0,0,0,0,0,,0,0,0,0,UP,2,2,
>
>   echo 'show stat'|nc -U /var/lib/haproxy/stats2
>   haproxy,FRONTEND,,,0,1,5,1,122,1955,0,0,0,OPEN,2,2,00,
>   haproxy,BACKEND,0,0,0,0,5000,0,122,1955,0,0,,0,0,0,0,UP,0,0,0,,0,28,0,,2,2
>   graphite_example.com,server-101.example.com,0,0,0,0,,0,0,0,,0,,0,0,0,0,U
>   graphite_example.com,server-102.example.com,0,0,0,0,,0,0,0,,0,,0,0,0,0,U
>   graphite_example.com,BACKEND,0,0,0,0,5000,0,0,0,0,0,,0,0,0,0,UP,2,2,0,,0,2
>   graphite_example.com_SSL,FRONTEND,,,0,0,5,0,0,0,0,0,0,OPEN
>   graphite_example.com_SSL,server-103.example.com,0,0,0,0,,0,0,0,,0,,0,0,0
>   graphite_example.com_SSL,server-104.example.com,0,0,0,0,,0,0,0,,0,,0,0,0
>   graphite_example.com_SSL,BACKEND,0,0,0,0,5000,0,0,0,0,0,,0,0,0,0,UP,2,2,0,
>
>   global
>     log 127.0.0.1 local2
>     chroot /var/lib/haproxy
>     pidfile /var/run/haproxy.pid
>     maxconn 10
>     user haproxy
>     group haproxy
>     daemon
>     stats socket /var/lib/haproxy/stats uid 0 gid 0 mode 0440 level admin
>     ssl-server-verify none
>     tune.ssl.default-dh-param 2048
>     stats socket /var/lib/haproxy/stats1 uid 0 gid 0 mode 0440 level admin process 1
>     stats socket /var/lib/haproxy/stats2 uid 0 gid 0 mode 0440 level admin process 2
>     nbproc 2
>     cpu-map 1 0
>     cpu-map 2 1
>
>   defaults
>     maxconn 5
>     rate-limit sessions 2000
>     mode http
>     log global
>     option contstats
>     option tcplog
>     option httplog
>     no option dontlognull
>     option tcp-smart-accept
>     option tcp-smart-connect
>     option http-keep-alive
>     option redispatch
>     balance roundrobin
>     timeout http-request 15s
>     timeout http-keep-alive 15s
>     retries 2
>     timeout queue 1m
>     timeout connect 10s
>     timeout client 15s
>     timeout server 15s
>     timeout check 5s
>     option forwardfor header F5SourceIP
>
>   listen haproxy
>     bind :8080
>     stats uri /
>     stats show-node
>     stats refresh 10s
>     stats show-legends
>     no log
>
>   frontend graphite_example.com
>     bind 10.189.200.1:80
>     bind-process 1
>     default_backend graphite_example.com
>
>   backend graphite_example.com
>     #bind-process 1
>     default-server inter 10s
>     option httpchk GET / HTTP/1.1\r\nHost:\ graphite.example.com\r\nUser-Agent:\ HAProxy
>     server server-101.example.com 10.96.70.65:80 check
>     server server-102.example.com 10.96.70.66:80 check
>
>   frontend graphite_example.com_SSL
>     bind 10.189.200.1:443 ssl crt /somepath/pem
>     bind-process 2
>     default_backend graphite_example.com_SSL
>
>   backend graphite_example.com_SSL
>     default-server inter 10s
>     #bind-process 2
>     option httpchk GET / HTTP/1.1\r\nHost:\ graphite.example.com\r\nUser-Agent:\ HAProxy
>     server server-103.example.com 10.96.70.109:443 ssl check check-ssl
>     server server-104.example.com 10.96.70.160:443 ssl check check-ssl

Hi Pavlos,

Your test is not relevant.
Since you have no bind-process on your SSL backend, HAProxy starts it up on both processes you started up.
Please try adding a bind-process 1 in your SSL backend and report us the result.

Baptiste
Re: HProxy - HTTPS for Stats
On Mon, Dec 29, 2014 at 11:00 AM, Yosef Amir <amir.yo...@comverse.com> wrote:

> Hi,
>
> I would like to configure stats in the haproxy.config file.
> For HTTP it is working great.
> How can I configure the HAProxy stats to use HTTPS? Is it supported?
>
> My current lab configuration for stats is:
>
>   listen stats :8050
>     mode http
>     stats admin if TRUE   # LOCALHOST
>     stats show-legends
>     stats uri /admin?stats   # default is /haproxy?stats
>     stats refresh 5s
>     stats realm HAProxy\ Statistics   # the \ sign stands for space
>
>   userlist stats-auth
>     group readonly users haproxy
>     user haproxy insecure-password haproxy
>
> Thanks
> Amir Yosef
>
> This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: secur...@comverse.com. Thank You.

Hi Yosef,

You can simply bind the port using SSL and point to your certificate:

  listen stats
    bind :8050 ssl crt /path/to/crt
    [...]

Baptiste
Re: HProxy - HTTPS for Stats
Hi Yosef,

Please keep the ML in Cc.

You first need to compile HAProxy to support SSL. Use the USE_OPENSSL compilation directive.

Baptiste

On Mon, Dec 29, 2014 at 2:25 PM, Yosef Amir <amir.yo...@comverse.com> wrote:

> Hi,
>
> I get the following error:
>
>   # haproxy -f /etc/haproxy/haproxy.cfg
>   [ALERT] 362/160119 (16836) : parsing [/etc/haproxy/haproxy.cfg:49] : 'bind :8050' unknown keyword 'ssl'. Registered keywords :
>   [ TCP] defer-accept
>   [ TCP] interface <arg>
>   [ TCP] mss <arg>
>   [ TCP] v4v6
>   [ TCP] v6only
>   [ TCP] transparent (not supported)
>   [STAT] level <arg>
>   [UNIX] gid <arg>
>   [UNIX] group <arg>
>   [UNIX] mode <arg>
>   [UNIX] uid <arg>
>   [UNIX] user <arg>
>   [ ALL] accept-proxy
>   [ ALL] backlog <arg>
>   [ ALL] id <arg>
>   [ ALL] maxconn <arg>
>   [ ALL] name <arg>
>   [ ALL] nice <arg>
>   [ ALL] process <arg>
>   [ALERT] 362/160119 (16836) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
>   [ALERT] 362/160119 (16836) : Fatal errors found in configuration.
>
> Thanks
> Amir Yosef
>
> -----Original Message-----
> From: Baptiste [mailto:bed...@gmail.com]
> Sent: Monday, December 29, 2014 12:59 PM
> To: Yosef Amir
> Cc: haproxy@formilux.org; Cohen Galit
> Subject: Re: HProxy - HTTPS for Stats
>
> On Mon, Dec 29, 2014 at 11:00 AM, Yosef Amir <amir.yo...@comverse.com> wrote:
>> Hi,
>>
>> I would like to configure stats in the haproxy.config file.
>> For HTTP it is working great.
>> How can I configure the HAProxy stats to use HTTPS? Is it supported?
>>
>> My current lab configuration for stats is:
>>
>>   listen stats :8050
>>     mode http
>>     stats admin if TRUE   # LOCALHOST
>>     stats show-legends
>>     stats uri /admin?stats   # default is /haproxy?stats
>>     stats refresh 5s
>>     stats realm HAProxy\ Statistics   # the \ sign stands for space
>>
>>   userlist stats-auth
>>     group readonly users haproxy
>>     user haproxy insecure-password haproxy
>>
>> Thanks
>> Amir Yosef
>
> Hi Yosef,
>
> You can simply bind the port using SSL and point to your certificate:
>
>   listen stats
>     bind :8050 ssl crt /path/to/crt
>     [...]
>
> Baptiste
Re: HProxy - HTTPS for Stats
By default, HAProxy will use the openssl library installed on your system. Don't forget to install the openssl dev packages as well.

And also, you have to create a self-signed certificate and put it somewhere on your server (use the 'crt' keyword to point to it).

Baptiste

On Mon, Dec 29, 2014 at 5:01 PM, Yosef Amir amir.yo...@comverse.com wrote:
> I would like HAProxy to use the OPENSSL already installed on my Linux.
> I don't want to bring the SSL libs with HAProxy.
> Assuming I compiled HAProxy using USE_OPENSSL=1:
> Does it mean HAProxy will link to the local OPENSSL on my Linux?
> Will the stats configuration with SSL (as you sent in the previous mail) work?
> (listen stats bind :8050 ssl crt /path/to/crt)
>
> -----Original Message-----
> From: Baptiste [mailto:bed...@gmail.com]
> Sent: Monday, December 29, 2014 4:02 PM
> To: Yosef Amir; HAProxy
> Subject: Re: HProxy - HTTPS for Stats
>
> Hi Yosef,
>
> Please keep the ML in Cc.
>
> You first need to compile HAProxy to support SSL. Use the USE_OPENSSL compilation directive.
>
> Baptiste
Re: haproxy + tproxy problem
Hi Zbynek,

Have you changed the default gateway of your server? Traffic from server to client must pass through the HAProxy box.
In your case, I guess HAProxy sends a SYN to the server and the server sends the S/A to the client directly, bypassing HAProxy.

Baptiste

On Mon, Jan 26, 2015 at 1:24 PM, Zbyněk Rozman zbynek.roz...@stable.cz wrote:
> Hi,
>
> we are currently facing a problem with connection clogging with this configuration.
> The client after a while (random number of requests, ~few hundreds) reaches the timeout connect setting on the backend server; the proxy returns 503 Service Unavailable, No server is available to handle this request. Other clients on different IPs are connecting to the server just fine.
> Strace on haproxy when it's not working shows just: Resource temporarily unavailable.
> After a while it starts working again for a random number of requests and then 503 occurs again.
> When switched to another backend server it starts working again. Switching back to the broken backend: still request timeouts for affected clients.
> It looks like it is only affecting clients behind a public IP address with high traffic.
> We have tried to change various sysctl settings, with no success so far.
> When we remove the haproxy setting source 0.0.0.0 usesrc clientip all works just fine without clogging, so it looks like it's a tproxy problem, but we are unable to find a solution.
>
> *** backend server uname -a:
>     Linux backend 2.6.32-504.3.3.el6.x86_64 #1 SMP Wed Dec 17 01:55:02 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>
> *** haproxy -vv
>     HA-Proxy version 1.5.8 2014/10/31
>     Copyright 2000-2014 Willy Tarreau w...@1wt.eu
>
>     Build options :
>       TARGET  = linux26
>       CPU     = generic
>       CC      = gcc
>       CFLAGS  = -O2 -g -fno-strict-aliasing
>       OPTIONS = USE_LINUX_TPROXY=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1
>
>     Default settings :
>       maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
>
>     Encrypted password support via crypt(3): yes
>     Built without zlib support (USE_ZLIB not set)
>     Compression algorithms supported : identity
>     Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
>     Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
>     OpenSSL library supports TLS extensions : yes
>     OpenSSL library supports SNI : yes
>     OpenSSL library supports prefer-server-ciphers : yes
>     Built with PCRE version : 7.8 2008-09-05
>     PCRE library supports JIT : no (USE_PCRE_JIT not set)
>     Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
>
>     Available polling systems :
>           epoll : pref=300,  test result OK
>            poll : pref=200,  test result OK
>          select : pref=150,  test result OK
>     Total: 3 (3 usable), will use epoll.
>
> *** haproxy server uname -a
>     Linux haproxy-test 2.6.32-504.3.3.el6.x86_64 #1 SMP Wed Dec 17 01:55:02 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>
> *** haproxy server settings:
>     iptables -t mangle -N DIVERT
>     iptables -t mangle -A PREROUTING -p tcp --sport 80 -m socket -j DIVERT
>     iptables -t mangle -A PREROUTING -p tcp --sport 81 -m socket -j DIVERT
>     iptables -t mangle -A PREROUTING -p tcp --sport 82 -m socket -j DIVERT
>     iptables -t mangle -A PREROUTING -p tcp --sport 443 -m socket -j DIVERT
>     iptables -t mangle -A DIVERT -j MARK --set-mark 1
>     iptables -t mangle -A DIVERT -j ACCEPT
>     ip rule add fwmark 1 lookup 100
>     ip route add local 0.0.0.0/0 dev lo table 100
>     sysctl -w net.ipv4.ip_forward=1
>     sysctl -w net.ipv4.ip_nonlocal_bind=1
>
> *** haproxy.cfg:
>     frontend front
>         bind IP:80
>         mode http
>         default_backend WWW
>         capture cookie SERVERID len 32
>         capture request header Content-Length len 10
>         reqadd X-Forwarded-Proto:\ http
>         timeout connect 6s
>
>     backend WWW
>         server srvA 192.168.1.1:80 weight 1 check
>         source 0.0.0.0 usesrc clientip
>
> *** sysctl.cfg:
>     kernel.shmmax = 4294967295
>     kernel.shmall = 268435456
>     net.ipv4.ip_nonlocal_bind = 1
>     net.ipv4.ip_forward = 1
>     net.ipv4.tcp_slow_start_after_idle=0
>     net.nf_conntrack_max = 20
>     net.netfilter.nf_conntrack_tcp_timeout_established = 1800
>     net.core.rmem_max=16777216
>     net.core.wmem_max=16777216
>     net.ipv4.tcp_rmem=4096 87380 16777216
>     net.ipv4.tcp_wmem=4096 65536 16777216
>     net.core.netdev_max_backlog = 3
>     net.ipv4.tcp_max_syn_backlog = 8192
>     net.ipv4.ip_local_port_range = 1024 65535
>     net.core.somaxconn = 4
>     net.ipv4.tcp_max_tw_buckets = 144
>     net.ipv4.tcp_synack_retries = 2
>     net.ipv4.tcp_syn_retries = 2
>
> --
> Best regards
> Zbyněk Rozman
> Linux System Administrator
> zbynek.roz...@stable.cz
> 480 020 191
> Stable.cz s.r.o. | www.stable.cz
> Skelná 29, 466 02, Jablonec nad Nisou
> Tel.: 480 020 191, fax: 480 020 091
> napoveda.stable.cz
> www.stable.cz | www.otoman.cz | www.kvapem.cz | www.multak.cz
Re: haproxy + tproxy problem
What does dmesg say then? Or errors logged by HAProxy?
You may have some iptables issues or source port exhaustion.

Baptiste

On Mon, Jan 26, 2015 at 2:53 PM, Zbyněk Rozman zbynek.roz...@stable.cz wrote:
> Hi Baptiste,
>
> yes we have changed that:
>
>     [root@srvA ~]# cat /etc/sysconfig/network-scripts/route-eth0
>     default via 192.168.1.254 dev eth0 table 700
>     [root@srvA ~]# cat /etc/sysconfig/network-scripts/rule-eth0
>     from 192.168.1.1 lookup 700
>
> The setup is working just fine, for a while. When we try to overwhelm the proxy with thousands of requests from a single IP (within the same network or outside, doesn't matter) it gets stuck after a while. Then again turning off the tproxy setting (source 0.0.0.0 usesrc clientip) solves the problem and all starts working again.
>
> On Mon, 26 Jan 2015 13:57:24 +0100 Baptiste bed...@gmail.com wrote:
>> Hi Zbynek,
>>
>> Have you changed the default gateway of your server? Traffic from server to client must pass through the HAProxy box.
>> In your case, I guess HAProxy sends a SYN to the server and the server sends the S/A to the client directly, bypassing HAProxy.
>>
>> Baptiste
Re: Problem with string negation in httpcheck-expect
On 26 Jan 2015 13:43, Sébastien ROHAUT sebastien.rohaut@gmail.com wrote:
> Hi,
>
> We're encountering a problem with a http-check expect ! string.
>
> Here is a sample of our check url:
>
>     {
>       "hostname": "toto",
>       "type": "backend",
>       "isHealthy": true,
>       "healthStatus": "Healthy",
>       "healthyServices": 2,
>       "unhealthyServices": 0,
>       "services": [
>         { "name": "Elasticsearch", "isServiceHealthy": true, "serviceHealthStatus": "Healthy", "message": "ES Cluster status is GREEN" },
>         { "name": "ZooKeeper", "isServiceHealthy": true, "serviceHealthStatus": "Healthy", "message": "ZK Cluster is available" }
>       ],
>       "belisariusRelease": 96
>     }
>
> For the http-check, we want to test the value of healthStatus, which can be Healthy, Unhealthy, DegradedMode. Our server must be put out of the backend only if the value is Unhealthy. So, we tried this:
>
>     http-check expect ! string healthStatus:Unhealthy
>
> But it doesn't work as expected. In fact, whatever we put, if we use negation (we didn't try with something else than string), it doesn't work. We even tried with toto (which would never be there), it's the same: the server is always excluded from the backend's pool.
>
> In the end, we used a rstring:
>
>     http-check expect rstring healthStatus:(Healthy|DegradedMode)
>
> and it seems to work.
>
> What is the problem? Are we doing something bad, or perhaps we don't understand the meaning of the negation?
>
> Thank you for your help.
>
> Sébastien Rohaut

Hi,

What does your option httpchk look like?

Baptiste
Re: [PATCH/RFC 0/8] Email Alerts
On Tue, Feb 3, 2015 at 4:59 PM, Pavlos Parissis pavlos.paris...@gmail.com wrote:
> On 01/02/2015 03:15 μμ, Willy Tarreau wrote:
>> Hi Simon,
>>
>> On Fri, Jan 30, 2015 at 11:22:52AM +0900, Simon Horman wrote:
>>> Hi Willy, Hi All,
>>>
>>> the purpose of this email is to solicit feedback on an implementation of email alerts for haproxy, the design of which is based on a discussion in this forum some months ago.
>
> It would be great if we could use something like this:
>
>     acl low_capacity nbsrv(foo_backend) lt 2
>     mail alert if low_capacity
>
> In some environments you only care to wake up the on-call sysadmin if you are in real trouble and not because 1-2 servers failed.
>
> Nice work,
> Pavlos

This might be doable using monitor-uri and monitor fail directives in a dedicated listen section which would fail if the number of servers in a monitored farm goes below a threshold.
That said, this is a dirty hack.

Baptiste
Re: HAProxy 1.5.10 on FreeBSD 9.3 - status page questions
On Wed, Feb 4, 2015 at 11:16 AM, Tobias Feldhaus tobias.feldh...@wooga.net wrote:
> Hi,
>
> we are running HAProxy 1.5.10 on FreeBSD 9.3 (no packet filter is enabled). The only purpose of HAProxy in our setup is to fail over to a second backend if the primary one goes down.
> We tested this by creating artificial load via the wrk loadtest tool (settings: --latency -t6 -c300 -d60s) and taking the primary backend down (by simply shutting down its jail).
>
> In the logs we can see that HAProxy is recognizing the backend failure:
>
>     Feb 3 16:20:26 haproxy-tracker-one haproxy[41648]: Proxy KAFKA_BACKEND started.
>     Feb 3 16:20:54 haproxy-tracker-one haproxy[41649]: Server KAFKA_BACKEND/KAFKA_PRIMARY is DOWN, reason: Layer4 connection problem, info: Connection refused, check duration: 0ms. 0 active and 1 backup servers left. Running on backup. 0 sessions active, 0 requeued, 0 remaining in queue.
>
> However, the status page [http://puu.sh/fslRT/850b363386.png] shows the KAFKA_SECONDARY backup system still in blue and not in green (Is this how it is supposed to look?) and the number of Bytes In and Out stay 0.
> We can see the traffic reaching the KAFKA_SECONDARY backup system after the PRIMARY one turns red, but is this the expected behavior and look of the status page?
>
> Thank you very much for the clarification.
>
> Tobi

Hi Tobias,

This is not an expected behavior.
Have you tried clicking on the Refresh Now button in the top right corner of the stats page?
The problem looks more global, since you have no statistics at all in your frontend and your main server as well.
Could you share your configuration and the output of haproxy -vv?

Baptiste
Re: SSL Performance increase?
On Thu, Feb 5, 2015 at 2:03 PM, Jarno Huuskonen jarno.huusko...@uef.fi wrote:
> Hi,
>
> On Thu, Feb 05, Klavs Klavsen wrote:
>> Jarno Huuskonen wrote on 02/05/2015 01:28 PM:
>>> Hi,
>>>
>>> On Thu, Feb 05, Klavs Klavsen wrote:
>>>> Hi guys,
>>>>
>>>> I'm testing our haproxy setup in regards to SSL performance, by simply using ab and fetching a favicon.ico file.
>>>> Over http haproxy delivers 3.000 req/s.
>>>> Over https haproxy delivers 511 req/s.

Hi,

3000 req/s in clear is low and such a rounded number is not normal :)
Move (far far) away from this provider.
You're wasting your time investigating a performance issue while the limitation is in the hypervisor and multitenancy of your supplier.

Baptiste
Re: SSL Performance increase?
On Thu, Feb 5, 2015 at 4:54 PM, Klavs Klavsen k...@vsen.dk wrote:
> Baptiste wrote on 02/05/2015 04:44 PM:
>> [CUT]
>> 3000 req/s in clear is low and such a rounded number is not normal :)
>> Move (far far) away from this provider.
>> You're wasting your time investigating a performance issue while the limitation is in the hypervisor and multitenancy of your supplier.
>
> It's running on vmware 5.5 on local hardware, nowhere else to go :(
>
> If I set haproxy to just send a 301 response (i.e. not relay to varnish delivering the favicon.ico) I get approx 15k req/s.

This is very low.
We can get more than 50K conn/s in our VMWare lab using our HAProxy based ALOHA appliance.
You must have an issue somewhere.

Baptiste
Re: Setting uuid cookies not for sticky sessions
On Thu, Feb 5, 2015 at 5:24 PM, Alberto alberto-hap4...@ggsys.net wrote:
> I have multiple back ends using different stacks. All I need is to ensure that every client gets a unique cookie. They don't need to be used for sticky sessions.
> Pretty much all the examples I find are for hard coding, prefixing and/or for sticky session purposes.
> Is there a way to get haproxy to just set a simple uuid cookie if one isn't there?
>
> Thanks,
> Alberto

Hi Alberto,

You may be able to do something with the http-response set-header and the rand fetch.

Baptiste
Re: tcp-response inspect-delay with WAIT_END
On Thu, Feb 5, 2015 at 10:22 PM, Chris k...@adobe.com wrote:
> Hello,
>
> We have some complex logic in our application that will at times determine that the response to a specific query should be delayed. Currently this is handled in the application with a short (~100ms) sleep. We would like to move this delay in response to the load balancer.
>
> I have tried to do this by adding a response header as a flag for HAProxy to act on and adding configuration like the following to the backend:
>
>     acl trigger_delay res.hdr(response-delay) -m found
>     tcp-response inspect-delay 100ms
>     tcp-response content accept unless trigger_delay
>     tcp-response content accept if WAIT_END
>
> With the above configuration, the response is delayed until the client times out (2 minutes) regardless of how trigger_delay evaluates. The following configurations exhibit the same behavior:
>
>     tcp-response inspect-delay 100ms
>     tcp-response content accept if WAIT_END
>
> - or -
>
>     acl trigger_delay res.hdr(response-delay) -m found
>     tcp-response inspect-delay 100ms
>     tcp-response content accept unless trigger_delay
>
> It seems that either a header-based ACL or WAIT_END causes any tcp-response inspect-delay to time out. It does not seem to matter if the header-based ACL returns true or false. Are they not compatible with a response delay?
>
> Ideally, when we encounter the delay flag in the response of the app server, we would also add the src to a stick-table for reference in delaying subsequent incoming connections from that IP (maybe for the next, say, 5 minutes or so). Is this possible/reasonable?
>
> Thank you,
> Chris

Hi Chris,

Could you let us know why exactly you need to delay responses???
Because here you propose a response (which doesn't work) to a problem you're facing without explaining the problem to us. So it's hard to help.

Baptiste
Re: Tproxy issue
On Mon, Jan 19, 2015 at 2:25 PM, Marcello Lorenzi mlore...@sorint.it wrote:
> Hi All,
>
> I'm trying to configure a test HAProxy TPROXY instance on CentOS 6.5 boxes. The HAProxy has a card connected to the 192.168.10.0/24 VLAN and one connected to 192.168.20.0/24. The webserver is only connected to the 192.168.20.0/24 VLAN.
> When I tried to activate the TPROXY configuration on the HAProxy router all the connections were in SYN_SENT state and on clients I noticed a 503 error related to the missing communication.
> Could you help me to understand the best configuration for the TPROXY?
>
> Thanks,
> Marcello

Hi Marcello,

When using TProxy, the traffic from the server to the client must pass through the load-balancer.
Also, the server and the client can't be in the same subnet.

Baptiste
Re: New to haproxy questions
Hi Benjamin,

> 1) Logging performance data:
>    A) How long before the page started putting out data? (implying that the server side is done processing, though not necessarily)
>    B) How long did the whole cycle take from initial connection to end of download?

Turn on option httplog, this information is available (read the relevant part of the documentation to find where).

> 2) Is there a way to anti-DDOS based on a cookie? (Really, we want to filter based on user/login but that isn't actually part of the HTTP session, that's determined by the cookie)

You can get inspired by these two articles:
  http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/
  http://blog.haproxy.com/2013/04/26/wordpress-cms-brute-force-protection-with-haproxy/
They apply DDOS protection matching IPs. But HAProxy could perform the same on a cookie.

> 5) Is there a relatively simple way to get true HA with a redundant load balancer? We have two identical machines side-by-side running EL6 and haproxy, one is a disk dd of the other. In the past we used heartbeat with limited success; pacemaker has been very problematic for us. For now, we're managing manually.

We use keepalived a lot :)

Baptiste
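What "the same on a cookie" looks like in practice, as an added illustration that is not from the linked articles or from HAProxy itself: a sliding-window request counter keyed on a session cookie value instead of the source IP, replayed over a constructed request log. The cookie name SESSIONID, the 10-second window and the limit of 5 requests are assumptions chosen for the demonstration.

```python
"""Sliding-window request counter keyed on a session cookie (added example, not
from the linked blog posts or HAProxy): the per-IP idea of the articles, applied
to a cookie value instead. Cookie name, window and limit are assumptions; the
request log below is constructed."""
from collections import defaultdict, deque
from http.cookies import CookieError, SimpleCookie

SESSION_COOKIE = "SESSIONID"  # assumed name of the application's session cookie
WINDOW_SECONDS = 10           # assumed observation window
MAX_REQUESTS = 5              # assumed requests allowed per key within the window


def session_key(cookie_header):
    """Extract the tracking key from a Cookie request header; None if absent or unparsable."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:
        return None
    morsel = jar.get(SESSION_COOKIE)
    return morsel.value if morsel else None


class CookieRateTracker:
    """Counts requests per cookie value over a sliding window, the way a
    stick-table request-rate counter does per source IP in the articles."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_REQUESTS):
        self.window = window
        self.limit = limit
        self.hits = defaultdict(deque)  # key -> timestamps still inside the window

    def observe(self, cookie_header, now):
        """Record one request; return (blocked, key, count_in_window)."""
        key = session_key(cookie_header)
        if key is None:
            # No session cookie: nothing to key on here. A real deployment would
            # fall back to per-IP tracking for these requests (not shown).
            return False, None, 0
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop timestamps that aged out of the window
        q.append(now)
        return len(q) > self.limit, key, len(q)


# Constructed request log: (timestamp in seconds, Cookie header or None).
SAMPLE_REQUESTS = [
    (0, "SESSIONID=abc123; theme=dark"),
    (1, "SESSIONID=abc123; theme=dark"),
    (2, "SESSIONID=abc123; theme=dark"),
    (3, "SESSIONID=xyz789"),               # a different session, counted separately
    (3, "SESSIONID=abc123; theme=dark"),
    (4, None),                             # no cookie at all
    (4, "SESSIONID=abc123; theme=dark"),
    (5, "SESSIONID=abc123; theme=dark"),   # 6th hit within 10 s: over the limit
    (6, "SESSIONID=abc123; theme=dark"),   # 7th hit: still over
    (20, "SESSIONID=abc123; theme=dark"),  # burst has aged out: allowed again
]


def replay(requests, tracker=None):
    """Run a request log through a tracker; return the (timestamp, key, count) triples that were blocked."""
    tracker = tracker or CookieRateTracker()
    blocked = []
    for ts, cookie in requests:
        is_blocked, key, count = tracker.observe(cookie, ts)
        if is_blocked:
            blocked.append((ts, key, count))
    return blocked


if __name__ == "__main__":
    for decision in replay(SAMPLE_REQUESTS):
        print("would block:", decision)
```

In HAProxy the equivalent is to key the stick-table on a cookie fetch such as req.cook(SESSIONID) with http-request track-sc0 instead of on src; the point of the replay above is the behaviour that gives you, including a session without the cookie, which needs its own fallback rule.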
Re: No TCP RST on tcp-request connection reject
On Wed, Jan 14, 2015 at 5:00 PM, Christian Ruppert c.rupp...@babiel.com wrote:
> Hey guys,
>
> just a thought... wouldn't it make sense to add an option to tcp-request connection reject to disable the actual TCP RST?
> So, an attacker tries to (keep) open a lot of ports:
> a) HAProxy (configured with rate limiting etc.) does a tcp-request connection reject which ends up as a TCP RST. The attacker gets the RST and immediately tries again.
> b) the same as a) but the socket will be closed on the server side with no RST, nothing will be sent back to the remote side. The connections on the remote side will be kept open until timeout.
> Wouldn't it make sense to implement an option for b) so it can be used during major attacks or so?

Hi Christian,

Have you had a look at the tarpit related options of HAProxy?
You can slow down the attack thanks to it.

Baptiste
Re: TPROXY - any functionality lost?
On Tue, Jan 20, 2015 at 6:13 PM, Shawn Heisey hapr...@elyograg.org wrote:
> On 1/20/2015 6:12 AM, Thomas Heil wrote:
>> On 20.01.2015 03:26, Shawn Heisey wrote:
>>> When haproxy is run in TPROXY mode, does it lose any functionality, or can I do all the same things as I can when it's acting in normal proxy mode? I'd like to have my servers see the real source ip but still have the ability to make decisions based on HTTP headers and manipulate those headers.
>>
>> No you are not losing any functionality when running in http mode.
>
> This is not very clear. It seems to be saying that I can still do ACLs and header mangling, but you mention http mode, when I was asking about tproxy.
> To be clear: I'd like to try tproxy so that my servers will see the true source IP, but still be able to use ACLs and change the HTTP headers.
> If enabling iptables is necessary for tproxy (which it seems to be), how do I additionally tell iptables that I do not want to block any traffic? My haproxy server currently is not running a firewall, because it just gets in the way.
>
> Thanks,
> Shawn

Hi Shawn,

Everything is explained here:
http://blog.haproxy.com/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/

If you can't do it, maybe you should ask the HAProxy experts to help you:
http://haproxy.com/services/haproxy-professional-services/

Baptiste
Re: vip haproxy
On Thu, Feb 12, 2015 at 10:13 AM, Mathieu Sergent mathieu.sergent...@gmail.com wrote:
> Hi,
>
> I would like to know how many VIPs can be supported by a HAProxy?
> I read a lot of docs and forums, and I never found the answer.
>
> Regards,
> Mathieu

Hi Mathieu,

HAProxy itself does not impose any limits on frontends and binds.
Your hardware knows the limit :)

Baptiste
Re: tcp check health checks with expect fail sometimes
On Fri, Feb 13, 2015 at 12:40 AM, Cyril Bonté cyril.bo...@free.fr wrote:
> Hi,
>
> On 12/02/2015 21:23, chris...@endlessnow.com wrote:
>> Is there a problem with health checks and haproxy? Again, using a machine gun approach on the health check service, we see no problems, but for whatever reason, occasionally (maybe 1 out of 10, could be more), the haproxy tcp expect fails. Using tcpdump, it seems we're getting the right return though.
>>
>>> Can you share that tcpdump?
>>
>> That one is harder to share, difficult to sanitize.
>>
>> We're using haproxy 1.15 without pcre expressions.
>>
>>> There is no such release. What release are you running exactly?
>>
>> Dyslexia I guess... I meant 1.5.10
>>
>> Management is saying we're going to drop haproxy for nginx-plus because of this problem so last chance if anyone has any ideas on this.
>
> Why not change Management? ;-)
>
> I think you're not using healthchecks the right way. Prefer option httpchk to option tcp-check combined with tcp-check send, and prefer http-check expect instead of tcp-check expect.
> Also, try to upgrade to haproxy 1.5.11 or at least add a Connection: close header in your check.
> http://www.haproxy.org/git?p=haproxy-1.5.git;a=commit;h=a448e16da00374b39ae30d6f5595d4060b140f17
>
> Last, keep in mind that haproxy will only check strings that fit in the buffer.
> Without any logs, it's difficult to say which case you're encountering.
>
>> (have a feeling that unless an idea and/or fix comes today, that it will be too late though... but feel free to respond anyhow, maybe it will help somebody else!)
>
> --
> Cyril Bonté

The feeling I have is that the issue is at the network layer, so switching to another product won't fix anything ;)

Chris, just drop me a mail in private with a tcpdump of the error.
Also haproxy should report the reason of the failure in a log line, which can be easily anonymized. Please share this log information with us.

Baptiste
Re: tcp check health checks with expect fail sometimes
On Thu, Feb 12, 2015 at 9:23 PM, chris...@endlessnow.com wrote:
> Is there a problem with health checks and haproxy? Again, using a machine gun approach on the health check service, we see no problems, but for whatever reason, occasionally (maybe 1 out of 10, could be more), the haproxy tcp expect fails. Using tcpdump, it seems we're getting the right return though.
>
>> Can you share that tcpdump?
>
> That one is harder to share, difficult to sanitize.
>
> We're using haproxy 1.15 without pcre expressions.
>
>> There is no such release. What release are you running exactly?
>
> Dyslexia I guess... I meant 1.5.10
>
> Management is saying we're going to drop haproxy for nginx-plus because of this problem so last chance if anyone has any ideas on this.

If your managers are willing to pay, why not order HAProxy Enterprise Edition then???
http://haproxy.com/products/haproxy-enterprise-edition/

And half a day of HAProxy professional services to get your problem fixed?
http://haproxy.com/services/haproxy-professional-services/
Re: Logging to file when HAProxy failed to start
Guys,

This is not an HAProxy related question, but more a system question.
Simply test your configuration with -c and redirect stderr to a text file in /var/log/ and you're done!

Baptiste

On Tue, Feb 17, 2015 at 2:57 PM, Cohen Galit galit.co...@comverse.com wrote:
> Hello HAProxy team,
>
> We will appreciate your answer to the question below.
>
> Thanks,
> Galit
>
> _____
> From: Yosef Amir
> Sent: Tuesday, February 10, 2015 5:08 PM
> To: HAProxy
> Cc: Cohen Galit; Yosef Amir
> Subject: Logging to file when HAProxy failed to start
>
> Hi,
>
> Currently, when HAProxy fails to initialize (e.g. invalid haproxy.cfg options) it writes the error to the screen.
> Is there an option so that HAProxy will write to a log file when it fails to initialize?
>
> Example:
>
>     [root@proxy-au2 ~]# haproxy -f /usr/cti/conf/haproxy/haproxy.cfg
>     [ALERT] 040/172141 (12460) : Starting proxy HAProxy_DirectDeposit: cannot bind socket [0.0.0.0:50025]
>
> In this example: HAProxy alert - cannot bind socket.
> How can I get this kind of alert that stops HAProxy from starting written to a log file?
>
> Thanks
> Amir Yosef
Re: http-check string and rerturn code != 200 behaviour
On Mon, Feb 16, 2015 at 9:29 PM, Sébastien ROHAUT sebastien.rohaut@gmail.com wrote:
> Hi,
>
> I'm using an http-check expect string to test the presence of a certain string in the response body. Like this:
>
>     option httpchk GET /mycheck HTTP/1.1\r\nHost:\ myhost.xx\r\nConnection:\ close
>     http-check expect ! string healthStatus:Unhealthy
>
> When the backend is not accessible, our nginx returns a default page, with a 5XX return code. In this case (return code != 200), it should be considered as an error, and the associated server should be removed from the pool. It's not the case: HAProxy only checks the string, and says it's OK.
>
> Question: how to check the string AND check the return code? I want my server to be removed if the string is absent OR if the return code is != 200!
>
> Thank you,
> Sébastien Rohaut

Hi Sébastien,

You can write such a sequence using tcp-check, sending your HTTP request with tcp-check send and matching with two consecutive tcp-check expect rules:

    tcp-check expect string HTTP/1.1\ 200\ OK
    tcp-check expect ! string healthStatus:Unhealthy

Baptiste
Re: Load Problem with v1.5.5+
We can verify this quickly: using haproxy 1.5.5 and later, remove option http-server-close. It will default to option http-keep-alive; see if it's better. Don't forget to enable option prefer-last-server as well to ensure you'll keep the same connection.

Baptiste
Re: http-check string and return code != 200 behaviour
On Tue, Feb 17, 2015 at 10:12 AM, Sébastien ROHAUT sebastien.rohaut@gmail.com wrote:

Hi,

Thank you for your answer. I changed my configuration like this:

    tcp-check send GET\ /mycheck\ HTTP/1.1\r\nHost:\ myhost\r\nConnection:\ close\r\n
    tcp-check send \r\n
    tcp-check expect string HTTP/1.1\ 200\ OK
    tcp-check expect ! string healthStatus:Unhealthy

And it works very well. Even in SSL. You now have my eternal gratitude :)

Sébastien Rohaut

Sébastien,

Thanks for your feedback! If you don't mind, I'm going to post a blog article on blog.haproxy.com with this tip :)

Baptiste
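As an added illustration (not code from the thread or from HAProxy itself), here is a small Python evaluator that applies the two tcp-check expect rules above, in order, to a raw server response. In HAProxy both rules are plain substring matches over the bytes received from the server, so the evaluator does the same. The three sample responses are constructed for the example: a healthy 200, a 200 whose body reports "healthStatus:Unhealthy", and an nginx default error page of the kind Sébastien described, which the single `http-check expect ! string` rule would have accepted because the string is simply absent.

```python
"""Added example: model of two consecutive tcp-check expect rules.

Rules modelled (order matters, a server is UP only if every rule holds):
    tcp-check expect string HTTP/1.1\\ 200\\ OK
    tcp-check expect ! string healthStatus:Unhealthy
"""
from typing import Dict, List, Tuple

# (pattern, must_be_present) in the order tcp-check evaluates them.
HEALTH_RULES: List[Tuple[bytes, bool]] = [
    (b"HTTP/1.1 200 OK", True),          # tcp-check expect string ...
    (b"healthStatus:Unhealthy", False),  # tcp-check expect ! string ...
]


def evaluate_health(raw_response: bytes, rules=HEALTH_RULES) -> Tuple[bool, str]:
    """Return (healthy, reason). Stops at the first rule that fails."""
    for pattern, must_be_present in rules:
        found = pattern in raw_response  # substring match, like 'expect string'
        if found != must_be_present:
            kind = "missing" if must_be_present else "present"
            return False, f"{pattern.decode()} {kind}"
    return True, "all checks passed"


# Constructed sample responses for the situations discussed in the thread.
SAMPLES: Dict[str, bytes] = {
    # Backend up and healthy -> UP
    "healthy": (
        b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nConnection: close\r\n\r\n"
        b"healthStatus:Healthy\n"
    ),
    # Backend answers 200 but reports itself unhealthy -> DOWN (second rule)
    "unhealthy_body": (
        b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nConnection: close\r\n\r\n"
        b"healthStatus:Unhealthy\n"
    ),
    # nginx default page while the backend is unreachable: the body string is
    # absent, so '! string' alone says UP, but the status-line rule makes it DOWN.
    "nginx_502": (
        b"HTTP/1.1 502 Bad Gateway\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"
        b"<html><head><title>502 Bad Gateway</title></head><body></body></html>\n"
    ),
}


def evaluate_samples(samples=SAMPLES) -> Dict[str, bool]:
    """Run every sample through the rules; returns name -> healthy."""
    return {name: evaluate_health(raw)[0] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        healthy, reason = evaluate_health(raw)
        print(f"{name:15s} -> {'UP' if healthy else 'DOWN':4s} ({reason})")
```

One caveat worth keeping in mind: because `expect string` is an unanchored substring match over the whole buffer, a body that happens to contain the text "HTTP/1.1 200 OK" would satisfy the first rule; `tcp-check expect rstring` with a regex anchored at the start of the buffer (`^HTTP/1\.1 200`) avoids that.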
Re: http-check string and return code != 200 behaviour
On Tue, Feb 17, 2015 at 10:29 AM, Sébastien ROHAUT sebastien.rohaut@gmail.com wrote:

Of course! A very good idea! But the better solution would be to accept multiple http-check expect :)

There is a feature request to turn httpchk into the current tcp-check way of working, with multiple matching rules and simple header addition. That said, it should not be there for 1.6...

Baptiste
Re: Cookies not being set consistently
insert a cookie if the client sent a valid cookie for a valid server. Remove the 'indirect' keyword and HAProxy will send a cookie for all requests. Baptiste
Re: SPDY with Apache mod_spdy
On Tue, Jan 27, 2015 at 7:21 PM, Erwin Schliske erwin.schli...@sevenval.com wrote:

Hello,

actually I have the task to set up a system with HAProxy balancing an Apache with mod_spdy enabled. I don't have a problem with ssl-offloading, but I cannot find out how to serve spdy enabled clients. I have tried several howtos like http://www.igvita.com/2012/10/31/simple-spdy-and-npn-negotiation-with-haproxy/

My config is:

    listen spdytest
        mode tcp
        bind X.X.X.X:443 ssl crt /etc/haproxy/ssl/example.com.pem no-sslv3 npn spdy/2
        server backend1 10.X.X.X:1443 ssl

All tutorials I've found use Nginx as webserver, which can serve spdy without ssl. But this is not the case with Apache mod_spdy. It needs https as proto. Does someone have a hint what I'm doing wrong?

Thanks.

Hi Erwin,

HAProxy does not send the ALPN (or NPN) SSL extension to the server side with your configuration. Simply fail over to an SSL forward configuration:

    listen spdytest
        mode tcp
        bind X.X.X.X:443
        server backend1 10.X.X.X:1443

Baptiste
Re: Health Probes not working with http-send-name-header
On Mon, Jan 12, 2015 at 9:03 PM, Srinivas Kotaru kotar...@gmail.com wrote:

Baptiste bedis9@... writes:

On Thu, Jan 8, 2015 at 10:16 PM, Srinivas Kotaru kotarusv@... wrote:

Srinivas Kotaru kotarusv at ... writes:

I hit a similar issue to the post below. Any solution yet? http://serverdown.ttwait.com/que/594669

Sample:

    backend sales_cluster
        http-send-name-header Host
        balance roundrobin
        option httpchk HEAD /pingpong.html HTTP/1.1\r\n
        http-check expect ! rstatus ^5
        cookie SERVERID insert indirect nocache
        server app1.example.com app1hello-:80 check cookie server1
        server app2.example.com app1hello-:80 check cookie server2

With the above config, HAProxy is sending the right Host headers like app1.example.com and app2.example.com, but httpchk is not sending any valid Host header. I cannot put both app1.example.com and app2.example.com in the same httpchk statement.

Hi,

From the doc, it is said nowhere that this header should be sent during health checks. There is a very dirty workaround to do what you want: offload monitoring into a dedicated backend (one per server).

Baptiste

Baptiste,

It really doesn't solve my problem. I have a lot of clients. I can't build another monitoring solution on top of it for each stack. Even if you do that, it becomes manual failover on a per-app basis. With the above example I can only check the health of one application even though it has 2 servers. If the second goes down, without proper health checks, HAProxy still sends client traffic to the 2nd server and gets 503 errors.

The only solutions I can think of:

1. http-send-name-header should send the appropriate Host header to probes (or)
2. I should be able to send 2 or more httpchk Host headers rather than 1, which is the current limitation.

If I can set httpchk at server level rather than backend level, it solves the problem.

Srinivas Kotaru

So what you want to do is content switching: one application per backend (hence a single server in your backend) with a dedicated health check, and route only http requests related to this application. You don't need load-balancing at all!

Baptiste
Re: Stick table and http headers
On Wed, Jan 7, 2015 at 4:27 PM, Mathias Bogaert mathias.boga...@gmail.com wrote:

Hi,

Does this seem right?

    acl HAS_CF_CONNECTING_IP hdr_cnt(CF-Connecting-IP) eq 1
    acl HAS_X_FORWARDED_FOR hdr_cnt(x-forwarded-for) eq 1
    tcp-request content track-sc0 hdr_ip(CF-Connecting-IP,-1) if HTTP HAS_CF_CONNECTING_IP
    tcp-request content track-sc0 hdr_ip(x-forwarded-for,-1) if HTTP !HAS_CF_CONNECTING_IP HAS_X_FORWARDED_FOR

So use CF-Connecting-IP if present, X-Forwarded-For else.

Thanks,
Mathias

Hi Mathias,

I've not run your conf, but it sounds good.

Baptiste
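As an added example (not from the thread, and not HAProxy's code), the following Python models what Mathias's four lines do to a request, so you can see which address would land in the stick table. Two HAProxy details drive the result: hdr_cnt() counts comma-separated values of a header as separate occurrences, so an X-Forwarded-For that has passed two proxies counts as 2 and the `eq 1` ACL no longer matches; and hdr_ip(name,-1) takes the last occurrence and yields nothing when it does not parse as an IP address, in which case track-sc0 tracks nothing. The header sets below are constructed. These headers are whatever the party in front of HAProxy sent, so the rules only make sense on a listener that receives traffic exclusively from that trusted proxy.

```python
"""Added example: model of hdr_cnt()/hdr_ip(name,-1) selection of a tracked IP.

Mirrors these (original thread) rules:
    acl HAS_CF_CONNECTING_IP hdr_cnt(CF-Connecting-IP) eq 1
    acl HAS_X_FORWARDED_FOR hdr_cnt(x-forwarded-for) eq 1
    tcp-request content track-sc0 hdr_ip(CF-Connecting-IP,-1) if HTTP HAS_CF_CONNECTING_IP
    tcp-request content track-sc0 hdr_ip(x-forwarded-for,-1) if HTTP !HAS_CF_CONNECTING_IP HAS_X_FORWARDED_FOR
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]  # (name, raw value) as received on the wire


def header_values(headers: List[Header], name: str) -> List[str]:
    """All values of a header, splitting comma-separated lists the way hdr()/hdr_cnt() do."""
    out: List[str] = []
    for hname, raw in headers:
        if hname.lower() == name.lower():
            out.extend(v.strip() for v in raw.split(",") if v.strip())
    return out


def hdr_ip_last(headers: List[Header], name: str) -> Optional[str]:
    """Model of hdr_ip(name,-1): the last occurrence, or None if it is not an IP address."""
    values = header_values(headers, name)
    if not values:
        return None
    try:
        return str(ipaddress.ip_address(values[-1]))
    except ValueError:
        return None


def pick_tracked_ip(headers: List[Header]) -> Optional[str]:
    """Address the two track-sc0 rules would track, or None if nothing is tracked.

    Rule 1 fires when CF-Connecting-IP occurs exactly once (even if hdr_ip then
    yields nothing: rule 2 is guarded by !HAS_CF_CONNECTING_IP and is skipped).
    Rule 2 fires when X-Forwarded-For occurs exactly once.
    """
    if len(header_values(headers, "CF-Connecting-IP")) == 1:
        return hdr_ip_last(headers, "CF-Connecting-IP")
    if len(header_values(headers, "X-Forwarded-For")) == 1:
        return hdr_ip_last(headers, "X-Forwarded-For")
    return None


# Constructed requests (header lists) for the cases worth knowing about.
CASES: Dict[str, List[Header]] = {
    "cloudflare": [("Host", "example.com"), ("CF-Connecting-IP", "198.51.100.7"),
                   ("X-Forwarded-For", "198.51.100.7")],
    "plain_xff": [("Host", "example.com"), ("X-Forwarded-For", "203.0.113.9")],
    # Two proxies appended to X-Forwarded-For -> hdr_cnt is 2 -> nothing is tracked.
    "chained_xff": [("Host", "example.com"), ("X-Forwarded-For", "10.0.0.5, 203.0.113.9")],
    # Single value that is not an address -> hdr_ip yields nothing.
    "garbage_xff": [("Host", "example.com"), ("X-Forwarded-For", "unknown")],
    "no_headers": [("Host", "example.com")],
}

if __name__ == "__main__":
    for name, hdrs in CASES.items():
        print(f"{name:12s} -> tracked: {pick_tracked_ip(hdrs)}")
```

If the intent is to track the client behind a chain of proxies, the `eq 1` guard is the part to reconsider, since `hdr_ip(x-forwarded-for,-1)` already selects the last (nearest-proxy-appended) value on its own.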
Re: rspitarpit ?
On Wed, Jan 7, 2015 at 5:18 PM, Jim Freeman jfree...@gmail.com wrote:

We're getting some congestion from blind-shooting (or maybe just stupid-shooting) scrapers who make (mostly bad) requests, with occasional successes. We'd like to tarpit unsuccessful responses. Any experience on how to accomplish that? (A rspitarpit directive would be awesome.)

Kudos on an awesome tool,
...jfree

Hi Jim,

You can count http response errors then decide to trigger a tarpit if you go over a threshold. An example can be found in this blog article, about load-balancing WAF: http://blog.haproxy.com/2012/10/16/high-performance-waf-platform-with-naxsi-and-haproxy/ Look for the http_err_rate keyword.

Baptiste
Re: Health Probes not working with http-send-name-header
On Thu, Jan 8, 2015 at 10:16 PM, Srinivas Kotaru kotar...@gmail.com wrote:

Srinivas Kotaru kotarusv@... writes:

I hit a similar issue to the post below. Any solution yet? http://serverdown.ttwait.com/que/594669

Sample:

    backend sales_cluster
        http-send-name-header Host
        balance roundrobin
        option httpchk HEAD /pingpong.html HTTP/1.1\r\n
        http-check expect ! rstatus ^5
        cookie SERVERID insert indirect nocache
        server app1.example.com app1hello-:80 check cookie server1
        server app2.example.com app1hello-:80 check cookie server2

With the above config, HAProxy is sending the right Host headers like app1.example.com and app2.example.com, but httpchk is not sending any valid Host header. I cannot put both app1.example.com and app2.example.com in the same httpchk statement.

Hi,

From the doc, it is said nowhere that this header should be sent during health checks. There is a very dirty workaround to do what you want: offload monitoring into a dedicated backend (one per server).

Baptiste
Re: SSL Performance Issues with Exchange 2010
Hi Tod,

Thanks for your feedback. This was a pleasure to help you because you were polite (saying 'hi', 'please' and 'thanks') and you explained clearly all the steps you've already done. Many people just post a mail without even a 'hello', ask their question and never give any feedback...

In the blog article, I did not mention the global section because it is not visible by our customers in our appliances. That said, I should update the article as proposed.

Baptiste

On Wed, Feb 11, 2015 at 3:55 AM, Tod Schmidt tschmi...@yahoo.com wrote:

Wow, thanks for that response. That makes total sense since I knew it couldn't be coincidence that the active connections kept running at 2000 in the log file. I actually read the entire manual trying to make sure I had at least a passing knowledge of all the parameters but I read it through before really understanding that haproxy runs as a single process so that critical bit didn't jump out at me (maxconn under the global section).

One question though, in your blog posting here referencing Exchange 2013 proxying (http://blog.haproxy.com/2012/12/17/microsoft-exchange-2013-load-balancing-with-haproxy/) you have a maxconn on the backend of 1 but no matching global maxconn setting; would you not also be limited to 2000 instances in this case? You have the backlog set but with so many clients using outlook/android/iphone and the msrpc protocol that hang on to 2 connections apiece, wouldn't that make it impossible to ever get close to 1 connections? Also, I assume this also means that http-no-delay is unnecessary to set and it would be better to just set more appropriate timeouts?

And again, thanks for the response. I should have asked weeks ago, but I always like to make sure I have done my own research before bothering anyone else. I imagine this is something you have pointed out many times to many people just starting with haproxy.

Thanks,
Tod

- Original Message -
From: Baptiste bed...@gmail.com
To: Tod Schmidt tschmi...@yahoo.com
Cc: Lukas Tribus luky...@hotmail.com; haproxy@formilux.org haproxy@formilux.org
Sent: Tuesday, February 10, 2015 4:58 PM
Subject: Re: SSL Performance Issues with Exchange 2010

Tod,

You're missing a global section and a maxconn in this section. By default, HAProxy allows only 2000 connections on the process and you're running out of free connections. Please add this in your production server and report to us how it works:

    global
        maxconn 2

Baptiste
Re: SSL Performance Issues with Exchange 2010
Tod,

You're missing a global section and a maxconn in this section. By default, HAProxy allows only 2000 connections on the process and you're running out of free connections. Please add this in your production server and report to us how it works:

    global
        maxconn 2

Baptiste
Re: Hardware planning for SSL-heavy haproxy servers
On Mon, Feb 9, 2015 at 9:50 PM, Shawn Heisey hapr...@elyograg.org wrote:

On 2/9/2015 1:08 PM, Baptiste wrote:

Could you define what you mean by heavy? What type of web application do you host? How many req / conn per second do you expect? When doing SSL, the CPU is not enough, the memory also matters.

I would plan on 16 or 32GB of RAM for the machine, more if you think it would be necessary.

I really don't know what my request rate will be. Most of our traffic doesn't go through haproxy yet; it is being handled as TCP redirection by the Linux virtual server. One of our busier sites (not currently SSL) is being handled by haproxy. With an uptime of 24 days, haproxy says that the front-end max request rate is 238. The max request rates on the three back end servers are 245, 137, and 197.

Now I'm going to toss around some numbers randomly in an attempt to guess, and I expect these estimates to be quite a lot higher than reality: for planning purposes, let's imagine that we'll eventually see a normal traffic rate ten times as high as we see currently on that one site, all of which will be encrypted to the Internet, with about a third of it also encrypted on the back end. Paranoid customers are SO MUCH FUN. For capacity planning purposes, let's say that peak traffic could be two or three times that.

What kind of hardware and haproxy config would do that?

Thanks,
Shawn

Hi Shawn,

A single CPU core (choose the fastest one with AES-NI enabled) can easily handle your current traffic and also meet the requirements of your capacity planning. From a memory point of view, 16G sounds more than enough for your traffic expectation.

To get some configuration tips, you can browse http://fr.slideshare.net/ssl247/webinar-ssl-en from slide 18 for HAProxy tips (that said, there is much useful information in the slides before).

Baptiste
Re: Hardware planning for SSL-heavy haproxy servers
On Mon, Feb 9, 2015 at 8:27 PM, Shawn Heisey hapr...@elyograg.org wrote:

What should be my goal when buying hardware for haproxy if I am planning to secure everything with TLS/SSL terminated by haproxy? Due to customer requirements, many of the back-end connections will also be encrypted.

Other than getting the latest processor architecture I can find at the highest possible clock speed, what should I be looking for in a CPU/motherboard combo? It will most likely be Dell server hardware because it is priced well and rackmounts easily. I would really prefer a 1U rack server with hardware redundancy to a beige box, but if a beige box would hit the requirements a lot better, I would consider that route.

One specific thing that I am wondering about is running haproxy with multiple processes. Is that a well-supported and stable config (especially for SSL), or should I be looking for a CPU with a higher clock speed but a smaller number of cores, and run single-process? I already know from other discussions that reporting and monitoring is not as straightforward with multiple processes.

Thanks,
Shawn

Shawn,

Could you define what you mean by heavy? What type of web application do you host? How many req / conn per second do you expect? When doing SSL, the CPU is not enough, the memory also matters.

Baptiste
Re: SSL Performance Issues with Exchange 2010
On Tue, Feb 10, 2015 at 4:19 PM, Tod Schmidt tschmi...@yahoo.com wrote:

I have haproxy installed as a load balancer in front of two Exchange 2010 CAS servers for SSL offloading and I am running into significant performance problems (unusable) after about 1000 concurrent connections. CPU never goes over ~30%, concurrent connections are about ~1800 when it is falling down, memory usage is relatively low. When it is running around 800 everything seems to work fine. Everything works well in testing; it's only when I test moving our production traffic to haproxy that I see problems. Basically the site stops accepting connections at that point. If I restart haproxy it works but only for a short time before becoming unresponsive. I have looked at various tcp OS optimizations without much hope or any success. A basic count, something like netstat -an | wc -l, shows about 58K connections.

The only thing I found that I think may be causing this is Outlook Anywhere/RPC over HTTPS. I did not find the option for http-no-delay until after testing so I am wondering if this one setting could cause this type of behaviour? I am assuming it might since connections are hanging until the client timeout. I had not seen this referenced in any of the example exchange 2010 or 2013 configs. I am just wondering if I am on the right track or if anyone else can share their experience with offloading exchange ssl connections including Outlook Anywhere clients.

Here are the relevant parts of my config. Note I did NOT have http-no-delay set. This is in place for testing for our next maintenance window.

    defaults
        # option http-server-close      # set Connection: close to inspect all HTTP traffic
        option http-keep-alive          # This is actually the default and keeps the connection open to both client and server
        option http-no-delay            # forward packets immediately, needed for RPC over HTTPS
        option dontlognull              # Do not log connections with no requests
        option redispatch               # Try another server in case of connection failure
        option contstats                # Enable continuous traffic statistics updates
        retries 3                       # Try to connect up to 3 times in case of failure
        timeout connect 5s              # 5 seconds max to connect or to stay in queue
        timeout client 300s             # 5 minute timeout for clients
        timeout server 300s             # 5 minute timeout for servers
        timeout http-keep-alive 1s      # 1 second max for the client to post next request
        timeout http-request 15s        # 15 seconds max for the client to send a request
        timeout queue 30s               # 30 seconds max queued on load balancer
        timeout tarpit 1m               # tarpit hold time
        backlog 1                       # Size of SYN backlog queue

    frontend vs_owa_DOMAIN_https
        bind IP.IP.IP.IP:80 name vs_owa_DOMAIN_http
        bind IP.IP.IP.IP:443 name vs_owa_DOMAIN_https ssl crt /etc/ssl/certs/email.DOMAIN.org.pem
        mode http
        log global
        option httplog
        capture request header User-Agent len 64
        capture request header Host len 32
        option forwardfor               # add X-Forwarded-For to headers
        log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%sslv/%sslc/%[ssl_fc_sni]/%[ssl_fc_session_id]}\ %{+Q}r
        maxconn 5000
        http-request redirect scheme https code 302 if !{ ssl_fc }
        http-request redirect location /owa/ code 302 if { hdr(Host) WEBMAIL_VIRTUAL_HOST } { path / }
        default_backend pool_owa_DOMAIN_http

    backend pool_owa_DOMAIN_http
        balance roundrobin
        mode http
        log global
        option prefer-last-server
        option httplog
        option forwardfor
        option redispatch
        stick-table type ip size 10240k expire 30m
        stick on src
        default-server inter 3s rise 2 fall 3
        cookie SERVERID insert indirect nocache
        server SRV1 IP.IP.IP.14:80 maxconn 2000 weight 10 check cookie srv1
        server SRV2 IP.IP.IP.26:80 maxconn 2000 weight 10 check cookie srv2

Hi Tod,

I don't understand something. Do you have a performance issue or a connection problem under load? Can you share the latest log lines generated by your HAProxy? Both traffic and events.

Baptiste
Re: send/accept-proxy over unix socket not working
On Wed, Mar 18, 2015 at 1:07 PM, Lukas Tribus luky...@hotmail.com wrote:

Date: Wed, 18 Mar 2015 01:49:47 +0100
From: denni...@conversis.de
To: luky...@hotmail.com; jarno.huusko...@uef.fi
CC: haproxy@formilux.org
Subject: Re: send/accept-proxy over unix socket not working

On 13.03.2015 18:44, Lukas Tribus wrote:

What version of haproxy are you using? (And what OS?)

In the first frontend I set:

    server clear /var/lib/haproxy/test send-proxy

In the second frontend I set:

    bind /var/lib/haproxy/test accept-proxy

Are you able to connect to the /var/lib/haproxy/test socket with netcat or socat? And/or do you have chroot in haproxy.cfg? Also if you drop privileges, check permission with the haproxy user. If supported by your kernel, you could use abstract namespaces instead.

According to the documentation abstract namespaces are not recommended when using nbproc 1. The reason I'm dealing with unix sockets at all is that I want to get around the problem of losing the stick table content on reload I posted about in another mail. The idea is to run two instances. One with nbproc 1 for ssl offloading that forwards the requests to the second instance that is using nbproc = 1 and contains the http frontend and a backend. In theory this should allow me to reload the config of the backend instance without losing the stick table content.

I'm using chroot /var/lib/haproxy but the behavior is the same without this directive. Either way a socket gets created as /var/lib/haproxy/test as intended but for some reason I keep getting 503 when using a unix socket but everything works fine when using abstract namespaces or an ip address. I've attached the configuration and the debug output in case that helps to pinpoint the issue.

Comment user and group and run haproxy as root. If that works, it means you have a permission problem.

Lukas

Hi,

He has a permission problem! That's what I mentioned with the user parameter on the bind line..

Actually, HAProxy starts up as root and creates the socket as the root user, then it drops privileges and switches to user haproxy, group haproxy (according to your conf). This user is not allowed to access the socket, since there is no write allowed for others.

To fix your issue, simply update your bind line:

    bind /var/lib/haproxy/test accept-proxy user haproxy group haproxy

Same on the server line:

    server clear /var/lib/haproxy/test send-proxy user haproxy group haproxy

Hope this helps.

Baptiste
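As an added example (not from the thread, and not HAProxy's own code), the following Python reproduces the check behind Baptiste's diagnosis: a UNIX socket file is created with 0777 masked by the process umask, and a process must have write permission on that file to connect to it. `create_socket_mode()` binds a throwaway socket under a temporary directory to show the mode a freshly created socket gets under a given umask; `can_connect()` applies the usual owner/group/other rule to a mode and ownership. The uid/gid values are constructed (root creating the socket, HAProxy later running as uid/gid 1001), which is the situation the `user`/`group` parameters on the bind line fix by chowning the socket.

```python
"""Added example: why a root-created UNIX socket is unreachable after dropping privileges."""
import os
import socket
import stat
import tempfile
from typing import Dict, Iterable


def can_connect(mode: int, owner_uid: int, owner_gid: int,
                uid: int, gids: Iterable[int]) -> bool:
    """True if a process running as uid/gids may connect(2) to a socket file
    with the given permission bits and ownership (write permission is what
    connect() needs on a UNIX socket). Root always may."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in set(gids):
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def create_socket_mode(umask: int) -> int:
    """Bind a throwaway UNIX socket in a temp dir under the given umask and
    return the permission bits the kernel gave the socket file."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "test")  # stands in for /var/lib/haproxy/test
            s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            try:
                s.bind(path)
                return stat.S_IMODE(os.stat(path).st_mode)
            finally:
                s.close()
    finally:
        os.umask(old)


# Constructed ids: root creates the socket, haproxy runs as uid/gid 1001.
ROOT, HAPROXY_UID, HAPROXY_GID = 0, 1001, 1001


def demo() -> Dict[str, object]:
    """Three situations: the default root-owned socket (Dennis's 503s), the
    same socket owned by haproxy:haproxy (what 'user haproxy group haproxy'
    on the bind line achieves), and a world-writable socket."""
    default_mode = create_socket_mode(0o022)  # the usual umask -> 0755
    return {
        "default_mode": default_mode,
        "root_owned": can_connect(default_mode, ROOT, ROOT, HAPROXY_UID, [HAPROXY_GID]),
        "chowned": can_connect(default_mode, HAPROXY_UID, HAPROXY_GID, HAPROXY_UID, [HAPROXY_GID]),
        "group_owned": can_connect(0o770, ROOT, HAPROXY_GID, HAPROXY_UID, [HAPROXY_GID]),
        "world_writable": can_connect(0o777, ROOT, ROOT, HAPROXY_UID, [HAPROXY_GID]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15s}: {oct(value) if key == 'default_mode' else value}")
```

Of the three working variants, chowning the socket to the HAProxy user (the bind-line `user`/`group` parameters) is the one that keeps the socket closed to every other local account; a world-writable socket lets any local process inject PROXY-protocol headers into the second instance.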
Re: Haproxy 1.5 ssl redirect
Hi Sean,

You may find some useful information here: http://blog.haproxy.com/2014/04/28/howto-write-apache-proxypass-rules-in-haproxy/ and here: http://blog.haproxy.com/2013/02/26/ssl-offloading-impact-on-web-applications/

Baptiste

On Wed, Mar 18, 2015 at 3:39 PM, Sean Patronis spatro...@add123.com wrote:

Thanks for the link. That looks promising, but testing did not change anything and I am waiting on the developers to give me some indication of what headers they may expect.

Maybe we can tackle this a different way since we know it works in apache. I am attempting to replace the following VirtualHost in apache and put it into haproxy:

    ## [test.test123.com]
    <VirtualHost 10.0.60.5:443>
        ServerName test.test123.com
        SSLEngine on
        SSLProtocol all -SSLv3
        SSLHonorCipherOrder On
        SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM:!SSLV2:!eNULL
        ProxyPassReverse / http://10.0.60.5/
        ProxyPass / http://10.0.60.5/
    </VirtualHost>

What haproxy frontend settings do I need to make this match whatever apache and mod_proxy is doing? 10.0.60.5:80 is already in haproxy. I think the problem may be that there are some headers getting set by ProxyPass and ProxyPassReverse that I am not setting in haproxy. More specifically, I think that the apache ProxyPassReverse is rewriting the problem URI to https, and haproxy is not.

--Sean Patronis
Auto Data Direct Inc.
850.877.8804

On 03/17/2015 06:24 PM, Cyril Bonté wrote:

Hi,

On 17/03/2015 20:42, Sean Patronis wrote:

Unfortunately that did not fix it. I mirrored your config and the problem still exists. I am not quite sure how the URL is getting built on the backend (the developers say it is all relative URL/URI), but whatever haproxy is doing, it is doing it differently than apache (with mod_proxy). Just for fun, I swapped back the ssl termination to apache to prove that it does not have an issue (once it passes through apache for ssl, it still goes through Haproxy and all of the backends/acl etc).

My goal in all of this was to ditch apache and go all haproxy on the front end. Any other ideas?

Have a look at this answer: http://permalink.gmane.org/gmane.comp.web.haproxy/10361

I assume that your application is not aware of an SSL termination, so you have to notify it with the right configuration, which depends on your backend software. Can you provide some information on them?

--Sean Patronis
Auto Data Direct Inc.
850.877.8804

On 03/17/2015 11:51 AM, Scott McKeown|redIT wrote:

Hi Sean,

I've got a setup that is somewhat like what you are after. I have however, done it in a very different way for this very same reason. Example below:

    global
        log /dev/log local4 debug
        maxconn 4096
        daemon
        tune.ssl.default-dh-param 2048
        ssl-default-bind-ciphers ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA:HIGH:!RC4:!MD5:!aNULL:!EDH
        ssl-default-bind-options no-sslv3
        ssl-default-server-ciphers ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA:HIGH:!RC4:!MD5:!aNULL:!EDH
        ssl-default-server-options no-sslv3

    defaults
        log global
        option httplog
        retries 3
        timeout client 5
        timeout connect 5
        timeout server 5

    listen http-in
        bind x.x.x.x:80
        mode http
        default_backend www_redit

    listen https-in
        bind x.x.x.x:443 ssl crt /etc/certs/server_2015.pem
        mode http
        acl samson_vpn_gateway src 10.8.0.1
        acl missing_nagios_slash path_reg -i ^/nagios3[^/]*$
        acl missing_cacti_slash path_reg -i ^/cacti[^/]*$
        acl missing_dradis_slash path_reg -i ^/customers[^/]*$
        redirect code 301 prefix / drop-query append-slash if missing_nagios_slash
        redirect code 301 prefix / drop-query append-slash if missing_cacti_slash
        redirect code 301 prefix / drop-query append-slash if missing_dradis_slash
        acl is_nagios path_reg -i /nagios3/
        acl is_cacti path_reg -i /cacti/
        acl is_dradis path_reg -i /customers/
        #VPN Access Only
        use_backend services if is_nagios samson_vpn_gateway
        use_backend services if is_cacti samson_vpn_gateway
        use_backend dradis if is_dradis
        default_backend corp_site

    listen corp_site
        mode http
        log global
        option httpclose
        source 0.0.0.0 usesrc clientip
        option forwardfor
        server websites01 172.16.0.10:80 check inter 3000 fall 3
        server services1 172.16.0.5:80 check inter 3000 fall 3

    listen www_redit
        mode http
        redirect scheme https

This should do the trick for you. You may want to try putting your reqrep in or play around with the acl list and re-test with your Headers but I've got mine built
Re: Support For Postfix
Hi, thanks for the reply 2.9.6 Proxy protocol is available in Postfix since version 2.10: http://blog.haproxy.com/haproxy/proxy-protocol/ Baptiste
Re:
On Mon, Mar 16, 2015 at 10:44 AM, Fraj KALLEL frajkal...@gmail.com wrote:

Hello,

I use haproxy v1.4 as load balancer in front of 2 web servers (webA and webB). webA has more resources (RAM, CPU, HDD) than webB, and I used roundrobin as the balance algorithm. This is the config file of the haproxy.

    global
        log 127.0.0.1 local0
        log 127.0.0.1 local1 notice
        #log loghost local0 info
        maxconn 4096
        #debug
        #quiet
        user haproxy
        group haproxy

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        retries 3
        option redispatch
        maxconn 2000
        timeout connect 5000ms
        timeout queue 5000ms
        timeout client 25m
        timeout server 25m

    listen webfarm 192.168.1.28:80
        mode http
        stats enable
        stats auth stelb:abcder
        balance roundrobin
        appsession PHPSESSID len 64 timeout 3h request-learn prefix
        option httpclose
        option forwardfor
        option httpchk HEAD /check.txt HTTP/1.0
        acl white_list src 127.0.0.1 192.168.1.0/24
        http-request allow if white_list
        http-request deny
        acl restricted_page path_beg /images
        server webA 192.168.1.23:80 cookie A check
        server webB 192.168.1.24:80 cookie B check

After a period of utilization I find that webA receives more traffic than webB, while by definition the roundrobin algorithm assigns to each process in equal portions and in circular order, handling all processes without priority (also known as cyclic executive).

Is this a normal behaviour?

Thanks.

Sincerely yours,
Fraj KALLEL

Hi Fraj,

This is normal and this is due to persistence. More information on this blog post: http://blog.haproxy.com/2012/03/29/load-balancing-affinity-persistence-sticky-sessions-what-you-need-to-know/

There is no rule, either A or B could get more requests.

Baptiste
Re: Support For Postfix
Let me rephrase this: your version of postfix is too old and does not include the proxy protocol. Please use postfix 2.10 or above.

Baptiste

On Mon, Mar 16, 2015 at 4:26 PM, adcd gmail adcd...@gmail.com wrote:

I read this but I don't understand how it is related to postfix not knowing this config parameter. Maybe the compiled version doesn't include this?

On Mon, 16 Mar 2015 14:52:37 +0200, Baptiste bed...@gmail.com wrote:

Hi,

thanks for the reply

2.9.6

Proxy protocol is available in Postfix since version 2.10: http://blog.haproxy.com/haproxy/proxy-protocol/

Baptiste

--
Using Opera's mail client: http://www.opera.com/mail/
Re: building haproxy with lua support
On Tue, Mar 17, 2015 at 1:51 AM, Joe Williams williams@gmail.com wrote:

List,

I seem to be running into issues building haproxy with lua support using HEAD. Any thoughts?

    joe@ubuntu:~/haproxy$ make DEBUG=-ggdb CFLAGS=-O0 TARGET=linux2628 USE_LUA=yes LUA_LIB=/opt/lua53/lib/ LUA_INC=/opt/lua53/include/ LDFLAGS=-ldl
    snip
    /opt/lua53/lib//liblua.a(loadlib.o): In function `lookforfunc':
    loadlib.c:(.text+0x502): undefined reference to `dlsym'
    loadlib.c:(.text+0x549): undefined reference to `dlerror'
    loadlib.c:(.text+0x576): undefined reference to `dlopen'
    loadlib.c:(.text+0x5ed): undefined reference to `dlerror'
    /opt/lua53/lib//liblua.a(loadlib.o): In function `gctm':
    loadlib.c:(.text+0x781): undefined reference to `dlclose'
    collect2: error: ld returned 1 exit status
    make: *** [haproxy] Error 1
    joe@ubuntu:~/haproxy$ /opt/lua53/bin/lua -v
    Lua 5.3.0 Copyright (C) 1994-2015 Lua.org, PUC-Rio

Thanks!

-Joe

Hi Joe,

You're missing an LDFLAGS=-ldl. More information on this blog page, including some quickstart code example: http://blog.haproxy.com/2015/03/12/haproxy-1-6-dev1-and-lua/

Baptiste
Re: lua api
On Tue, Mar 17, 2015 at 8:04 PM, Joe Williams williams@gmail.com wrote:

List,

I am trying to figure out how to use the new lua API. After reading https://raw.githubusercontent.com/yuxans/haproxy/master/doc/lua-api/index.rst it still isn't clear to me how to get the client IP of a connection. Is information about the socket available inside lua? If so, any suggestions on how to access it? I am hoping to get the IP address from each HTTP request and do some processing on it.

Thanks!

-Joe

Joe,

It's not really clear in the documentation, but I put an example of an HAProxy fetch called in a lua script: http://blog.haproxy.com/2015/03/12/haproxy-1-6-dev1-and-lua/

Basically, in your lua script, you can recover the client IP address like this:

    local clientip = txn.f:src()

Baptiste
Re: Haproxy Consuming CPU 100% : need a fix
On Thu, Mar 19, 2015 at 8:03 AM, Willy Tarreau w...@1wt.eu wrote:

Hello,

On Thu, Mar 19, 2015 at 11:04:54AM +0530, Saurabh Tiwari wrote:

Hello,

we are facing an issue of haproxy consuming 100% CPU. We tried different tunings on haproxy cfg, but the only solution that remains is making the nbproc 1, which is not a permanent solution.

Pasting the common config section:

    global
        maxconn 28
        nbproc 1
        user haproxy
        group haproxy
        chroot /var/lib/haproxy
        stats socket /var/run/haproxy.sock

    defaults
        mode http
        balance roundrobin
        maxconn 275000
        timeout connect 5000
        timeout server 5
        timeout client 5
        timeout http-keep-alive 5s
        timeout http-request 15s
        retries 3
        option redispatch
        option abortonclose
        option tcp-smart-accept
        option tcp-smart-connect
        #option splice-auto

    listen stats self.prv:x0x0x
        stats enable
        stats uri /

Your config is truncated, you only list the stats page. I guess you're not running at 100% with a stats page only, so would you please post your complete config (remove any password or sensitive info, hide IP addresses if you wish). Please also give some information such as the request and/or connection rate, traffic type (mostly SSL, etc).

Kindly suggest any solution possible. We need a fix badly; we do not wish to migrate to nginx just for this reason.

That doesn't make sense. If you switch from one product to another every time you're facing a configuration problem, you can switch often! If you need features that you only find in nginx, sure you'd rather switch, but if the features you need are in haproxy, in general you should get better performance here so switching will make the situation worse.

Willy

Hi,

We also need your HAProxy version, a screenshot of the stats page when HAProxy is running at 100%, some log lines, more information on your server (HW, VM, capacity, etc...).

Baptiste
Re: Haproxy Consuming CPU 100% : need a fix
On Thu, Mar 19, 2015 at 1:37 PM, Saurab t saurabh.tiwari@gmail.com wrote:

Hello Willy,

Thank you for your kind response. Here is the information required.

Haproxy version:

    HA-Proxy version 1.5.8 2014/10/31
    Copyright 2000-2014 Willy Tarreau w...@1wt.eu

If this can help, as you have already responded to two other scenarios:
http://www.serverphorums.com/read.php?10,1075864
http://t55696.web-haproxy.webtalks.info/100-cpu-load-t55696.html
how can we exactly trace if we have a similar issue?

ELSE: attached is the haproxy config. Kindly guide us. Thanks a lot in advance. Even small suggestions are very much appreciated.

Thanks
Regards
Saurab

On 3/19/2015 12:33 PM, Willy Tarreau wrote:

Hello,

On Thu, Mar 19, 2015 at 11:04:54AM +0530, Saurabh Tiwari wrote:

Hello,

we are facing an issue of haproxy consuming 100% CPU. We tried different tunings on haproxy cfg, but the only solution that remains is making the nbproc 1, which is not a permanent solution.

Pasting the common config section:

    global
        maxconn 28
        nbproc 1
        user haproxy
        group haproxy
        chroot /var/lib/haproxy
        stats socket /var/run/haproxy.sock

    defaults
        mode http
        balance roundrobin
        maxconn 275000
        timeout connect 5000
        timeout server 5
        timeout client 5
        timeout http-keep-alive 5s
        timeout http-request 15s
        retries 3
        option redispatch
        option abortonclose
        option tcp-smart-accept
        option tcp-smart-connect
        #option splice-auto

    listen stats self.prv:x0x0x
        stats enable
        stats uri /

Your config is truncated, you only list the stats page. I guess you're not running at 100% with a stats page only, so would you please post your complete config (remove any password or sensitive info, hide IP addresses if you wish). Please also give some information such as the request and/or connection rate, traffic type (mostly SSL, etc).

Kindly suggest any solution possible. We need a fix badly; we do not wish to migrate to nginx just for this reason.

That doesn't make sense. If you switch from one product to another every time you're facing a configuration problem, you can switch often! If you need features that you only find in nginx, sure you'd rather switch, but if the features you need are in haproxy, in general you should get better performance here so switching will make the situation worse.

Willy

You have not given any hints about your environment... I mean VM, hw, details on cpu/ram/nic, etc...

Also, please remove this statement:

    option http-server-close

replace by the two following ones:

    option http-keep-alive
    option prefer-last-server

Baptiste
Re: Haproxy Consuming CPU 100% : need a fix
On Thu, Mar 19, 2015 at 2:22 PM, Saurab t saurabh.tiwari@gmail.com wrote:
> Apologies, here is the information:
>
> METAL SERVER
> Kernel: 2.6.32-431.el6.x86_64
> OS: Centos 6.5
> Ram: 32073
> CPU:
>   Architecture:          x86_64
>   CPU op-mode(s):        32-bit, 64-bit
>   Byte Order:            Little Endian
>   CPU(s):                24
>   On-line CPU(s) list:   0-23
>   Thread(s) per core:    2
>   Core(s) per socket:    6
>   Socket(s):             2
>   NUMA node(s):          2
>   Vendor ID:             GenuineIntel
>   CPU family:            6
>   Model:                 62
>   Stepping:              4
>   CPU MHz:               2099.992
>   BogoMIPS:              4199.40
>   Virtualization:        VT-x
>   L1d cache:             32K
>   L1i cache:             32K
>   L2 cache:              256K
>   L3 cache:              15360K
>   NUMA node0 CPU(s):     0-5,12-17
>   NUMA node1 CPU(s):     6-11,18-23
> ---
> NIC: Speed: 1000Mb/s and Duplex: Full [each public and private], total: 2 GiGs
>
> > Also, please remove this statement:
> >
> >   option http-server-close
> >
> > and replace it by the two following ones:
> >
> >   option http-keep-alive
> >   option prefer-last-server
>
> Any specific reason for it? Kindly let us know the reason to replace.

We're still missing a screenshot of your stats page when HAProxy is running at 100% of CPU...

Note: your CPU is quite slow! Have you disabled iptables and irqbalance, and pinned your network interrupts and HAProxy to different CPU cores? Also, I've heard that some people get much better performance from centos 7.x, thanks to its kernel 3.10...

Concerning http-keep-alive and prefer-last-server, these options instruct HAProxy to keep connections opened on the server side for a specific client traffic. In such a case, there will be much fewer small packets on the network and no need to close and open connections between each HTTP request. You should get much better performance, but it depends on your traffic pattern.

Baptiste
RE: send/accept-proxy over unix socket not working
On 13 March 2015 at 18:45, Lukas Tribus luky...@hotmail.com wrote:
> What version of haproxy are you using? (And what OS?)
>
> > In the first frontend I set:
> >
> >   server clear /var/lib/haproxy/test send-proxy
> >
> > In the second frontend I set:
> >
> >   bind /var/lib/haproxy/test accept-proxy
>
> Are you able to connect to the /var/lib/haproxy/test socket with netcat or socat? And/or do you have chroot in haproxy.cfg? Also if you drop privileges, check permissions with the haproxy user.
>
> If supported by your kernel, you could use abstract namespaces instead.
>
> Lukas

Hi,

In most cases this is due to either chroot or rights on the socket. Check the user and mode parameters of both your bind and server description. Also ensure the unix socket is available in a chroot environment, if any.

Baptiste
Re: frequent NOSRV/SC log hits behind AWS ELB
On Tue, Mar 10, 2015 at 11:48 AM, Roland RoLaNd r_o_l_a_...@hotmail.com wrote:
> Hello,
>
> I am running haproxy version 1.5.11 on EC2 instances behind an AWS load balancer.
>
> Lately I am noticing a lot of 503 forbidden logs with SC as termination state due to a nosrv error. My backend servers (which are behind an ELB of their own) are all healthy and responsive; moreover I set a loop that checks port 80 between haproxy and the backend servers, and it never failed; it was checking the connection every 10 ms.
>
> This is a log sample:
>
>   Mar 10 10:33:50 api haproxy[1056]: 172.16.100.169:15235 [10/Mar/2015:10:33:50.905] API API/NOSRV 8/-1/-1/-1/8 503 213 - - SC-- 79/79/0/0/0 0/0 {177.103.215.19|Dalvik/1.6.0 (Linux; U; Android 4.4.4; XT1032 Build/KXB21.14-L1.} POST /api/v2.3/androidevent?buildnumber=1.10 HTTP/1.1
>
> and this is my current config:
>
>   global
>     log /dev/log local0
>     log /dev/log local1 notice
>     chroot /var/lib/haproxy
>     stats socket /run/haproxy/admin.sock mode 660 level admin
>     stats timeout 30s
>     user haproxy
>     group haproxy
>     maxconn 65000
>     daemon
>     # Default SSL material locations
>     ca-base /etc/ssl/certs
>     crt-base /etc/ssl/private
>     # Default ciphers to use on SSL-enabled listening sockets.
>     # For more information, see ciphers(1SSL).
>     ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
>     ssl-default-bind-options no-sslv3
>
>   defaults
>     log global
>     mode http
>     option httplog
>     option dontlognull
>     timeout connect 1
>     timeout client 5
>     timeout server 5
>     # users which we are redirecting nowhere, example rejected will die in 50 ms
>     timeout tarpit 50
>     errorfile 400 /etc/haproxy/errors/400.http
>     errorfile 403 /etc/haproxy/errors/403.http
>     errorfile 408 /etc/haproxy/errors/408.http
>     errorfile 500 /etc/haproxy/errors/500.http
>     errorfile 502 /etc/haproxy/errors/502.http
>     errorfile 503 /etc/haproxy/errors/503.http
>     errorfile 504 /etc/haproxy/errors/504.http
>     balance roundrobin
>     # keeps keep-alive between client and proxy but disables it between proxy and backend
>     option http-server-close
>     option forwardfor
>     option redispatch
>     retries 99
>
>   frontend API
>     bind *:80
>     maxconn 6
>     # Blacklist: Deny access to some IPs before anything else is checked
>     tcp-request content reject if { src -f /etc/haproxy/blacklist.lst }
>     http-request set-header X-custom-http-scheme %[hdr(X-Forwarded-Proto)]
>     stick-table type ip size 500k expire 30s store conn_cur,conn_rate(10s),http_req_rate(10s),http_err_rate(10s)
>     option http-server-close
>     # elb logs public ips
>     capture request header X-Forwarded-For len 50
>     capture request header User-Agent len 64
>     acl network_allowed src x.x.x.x
>     acl restricted_page path_beg /restricted
>     http-request deny if restricted_page !network_allowed
>     # direct uris to proper elb
>     acl uri_api path_beg /api
>     acl uri_wdev path_beg /wdev
>     acl uri_staging path_beg /staging
>     use_backend api if uri_api
>     use_backend wdev if uri_wdev
>     use_backend staging if uri_staging
>     default_backend API
>
>   backend API
>     server API ELB_CNAME:80 check
>
>   backend wdev
>     server wdev ELB_CNAME:80 check
>
>   backend staging
>     server staging ELB_CNAME:80 check

Hi Roland,

This is by ELB design... It can change its IP address based on the load... When this happens, the only workaround is to reload HAProxy.

Soon, HAProxy will perform DNS resolution to keep updated on the fly with server IP address changes.

Baptiste
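The reload workaround from the reply above, automated as a small poller. This is an added example and not HAProxy code or anything from the thread: HAProxy 1.5 resolves a server's hostname once at startup, so when the ELB behind ELB_CNAME moves to other addresses the backend keeps the stale ones until the process is reloaded. The CNAME, the state file path and the reload command are placeholders to adapt; the resolver and reload hooks are injectable so the decision logic can be exercised offline.

```python
"""Added example: re-resolve an ELB CNAME and reload HAProxy when its A records change."""
import json
import socket
import subprocess

ELB_CNAME = "elb.example.invalid"              # placeholder: your ELB DNS name
STATE_FILE = "/tmp/elb-ips.json"               # placeholder: where the last address list is kept
RELOAD_CMD = ["service", "haproxy", "reload"]  # assumption: adapt to your init system


def resolve_ipv4(name):
    """Sorted, de-duplicated A records for name, or None if resolution fails."""
    try:
        return sorted(set(socket.gethostbyname_ex(name)[2]))
    except OSError:          # socket.gaierror / socket.herror are OSError subclasses
        return None


def ips_changed(old, new):
    """True when the address sets differ; a different ordering is not a change."""
    return set(old) != set(new)


def check_and_reload(name, state, resolve=resolve_ipv4, reload=None):
    """One polling pass.

    `state` is a dict persisted between runs that holds the last address list
    under "ips". Returns "unresolved", "unchanged" or "reloaded". A failed
    lookup never triggers a reload, so a transient DNS outage does not bounce
    the proxy or discard the last known-good address set.
    """
    new = resolve(name)
    if not new:
        return "unresolved"
    if not ips_changed(state.get("ips", []), new):
        return "unchanged"
    state["ips"] = new
    if reload is None:
        subprocess.run(RELOAD_CMD, check=False)
    else:
        reload()
    return "reloaded"


def load_state(path):
    """Read the persisted state, treating a missing or corrupt file as empty."""
    try:
        with open(path) as fh:
            return json.load(fh)
    except (OSError, ValueError):
        return {}


def save_state(path, state):
    with open(path, "w") as fh:
        json.dump(state, fh)


if __name__ == "__main__":
    st = load_state(STATE_FILE)
    print(check_and_reload(ELB_CNAME, st))
    save_state(STATE_FILE, st)
```

Run it from cron at the interval you can tolerate stale addresses for; because the state survives between runs, a reload only happens on an actual change, not on every pass.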
Re: limiting conn-curs per-ip using x-forwarded-for
Hi,

Some useful examples can be taken from this blog post:
  http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/

Just replace src by hdr(X-Forwarded-For).

Baptiste

On Tue, Mar 24, 2015 at 5:58 PM, Jarno Huuskonen jarno.huusko...@uef.fi wrote:
> Hi,
>
> On Tue, Mar 24, Klavs Klavsen wrote:
> > I now have:
> >
> >   stick-table type string size 100k store conn_cur,gpc0
> >   stick store-request hdr(X-Forwarded-For,-1)
> >   tcp-request content track-sc2 hdr(X-Forwarded-For)
> >   acl allowed sc2_conn_cur lt 2
> >   block unless allowed
>
> tcp-request inspect-delay? Most of the examples seem to use inspect-delay:
>   http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-tcp-request%20content
>
> > shouldn't the key be the x-forwarded-for header?
>
> Have you checked that the requests have (one) x-forwarded-for header? hdr(X-Forwarded-For) = first header, and hdr(X-Forwarded-For,-1) = last header.
>   (http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#7.3.6-req.hdr)
>
> And is the haproxy ip the only one that's in the stick table?
>
> -Jarno
>
> --
> Jarno Huuskonen
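Which X-Forwarded-For value ends up as the stick-table key is the whole question in this thread, so here is a model of the occurrence selection that hdr(X-Forwarded-For) and hdr(X-Forwarded-For,-1) perform, run over constructed requests. This is an added illustration, not HAProxy code and not from the thread; it assumes the documented behaviour that the hdr()/req.hdr() fetch treats every comma inside a header line as a separator between distinct values, that a positive occurrence counts from the first value and a negative one from the last. The sample requests show the security reason to prefer the last value: the leading values are written by the client and change on every request, while the last one was appended by the trusted proxy in front of HAProxy.

```python
"""Added example: hdr(<name>,<occ>) value selection and its effect on a per-client stick-table key."""
from collections import Counter


def hdr(headers, name, occ):
    """Return the occ-th value of header `name` from a list of (name, value) pairs.

    Every header line is split on commas, as HAProxy's hdr()/req.hdr() does, so
    "a, b" on one line and "a" / "b" on two lines both yield the values a, b.
    occ=1 is the first value, occ=-1 the last, occ=-2 the one before the last.
    Returns None when the header is absent or occ is out of range.
    """
    values = []
    for key, line in headers:
        if key.lower() == name.lower():
            values.extend(v.strip() for v in line.split(",") if v.strip())
    if occ == 0 or abs(occ) > len(values):
        return None
    return values[occ - 1] if occ > 0 else values[occ]


def track_keys(requests, occ):
    """Count requests per stick-table key, the key being hdr(X-Forwarded-For, occ).

    This stands in for `track-sc2 hdr(X-Forwarded-For[,occ])` feeding a counter
    such as http_req_rate or conn_cur.
    """
    table = Counter()
    for headers in requests:
        table[hdr(headers, "X-Forwarded-For", occ)] += 1
    return table


def over_limit(table, key, limit):
    """The `sc2_conn_cur lt 2`-style decision: deny once the key's counter reaches limit."""
    return table[key] >= limit


# Constructed samples: one client at 203.0.113.7 sends three requests through
# a single trusted proxy that appends the address it actually saw. The client
# puts a different, arbitrary X-Forwarded-For value of its own in front each
# time; the third request carries it as a separate header line.
SAMPLE_REQUESTS = [
    [("Host", "example.invalid"), ("X-Forwarded-For", "10.0.0.1, 203.0.113.7")],
    [("Host", "example.invalid"), ("X-Forwarded-For", "10.0.0.2, 203.0.113.7")],
    [("Host", "example.invalid"), ("X-Forwarded-For", "10.0.0.3"), ("X-Forwarded-For", "203.0.113.7")],
]

if __name__ == "__main__":
    # Keyed on the first value every request lands in its own bucket; keyed on
    # the last value all three are attributed to the address the proxy saw.
    print("first value:", dict(track_keys(SAMPLE_REQUESTS, 1)))
    print("last value: ", dict(track_keys(SAMPLE_REQUESTS, -1)))
```

With more than one trusted proxy in front of HAProxy, count from the right by the number of trusted hops (occ=-2 behind two proxies) rather than taking the first value; anything to the left of the trusted hops is client-supplied.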
Re: using backend node details in acls/response manipulation
Hi Martin,

HAProxy can report an 'id' of a backend and of a server. You can give a try to this:

  http-response set-header X-Backend-Info %[be_id]/%[srv_id] if { src 10.0.0.0/24 }

It should add the following header if the first server of the first backend was used:

  X-Backend-Info: 1/1

IDs can be forced in HAProxy's configuration using the directive 'id'. You may even be able to convert a backend id to a string using a map:
  http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#map

Baptiste

On Tue, Mar 24, 2015 at 8:36 PM, Martin Nikolov martin.martinniko...@gmail.com wrote:
> Hi guys,
>
> I'm wondering if it is possible to use things like the selected backend node's ip, name or port as variables. My goal is to set a header in the http response with the selected backend's details for a certain set of source ip addresses (hence the acl, which is the easy part). I searched in the documentation, but was not able to find a solution.
>
> Thanks in advance.
>
> Regards.
Re: using a fetcher in wrong context, performance tip
On Mon, Mar 30, 2015 at 10:11 PM, Pavlos Parissis pavlos.paris...@gmail.com wrote:
> Hi all,
>
> During a stress test I discovered a 5% drop in performance at a rate of 380K req/s when the following 3 statements were added in a frontend where HTTPS is not used:
>
>   http-request add-header X-Cipher-Name %sslc
>   http-request add-header X-Cipher-Version %sslv
>   http-request add-header X-Cipher-Bits %[ssl_fc_use_keysize]
>
> Here is the stress result:
>
>   # wrk --timeout 3s --latency -c 1000 -d 5m -t 24 http://10.190.3.1/
>   Running 5m test @ http://10.190.3.1/
>     24 threads and 1000 connections
>     Thread Stats   Avg      Stdev     Max   ± Stdev
>       Latency     2.31ms  815.14us  27.06ms   74.32%
>       Req/Sec    16.98k     2.25k   32.00k    85.12%
>     Latency Distribution
>        50%    2.43ms
>        75%    2.71ms
>        90%    3.15ms
>        99%    3.88ms
>     115019521 requests in 5.00m, 16.50GB read
>     Socket errors: connect 0, read 0, write 0, timeout 13264
>   Requests/sec: 383420.54
>   Transfer/sec:     56.31MB
>
> After I removed only the ssl_fc_use_keysize fetcher
>
>   http-request add-header X-Cipher-Bits %[ssl_fc_use_keysize]
>
> performance improved by 5%, see below:
>
>   # wrk --timeout 3s --latency -c 1000 -d 5m -t 24 http://10.190.3.1/
>   Running 5m test @ http://10.190.3.1/
>     24 threads and 1000 connections
>     Thread Stats   Avg      Stdev     Max   ± Stdev
>       Latency     2.12ms  831.01us 206.61ms   74.86%
>       Req/Sec    17.88k     2.22k   31.56k    80.62%
>     Latency Distribution
>        50%    2.30ms
>        75%    2.62ms
>        90%    2.88ms
>        99%    3.72ms
>     120947683 requests in 5.00m, 17.35GB read
>     Socket errors: connect 0, read 0, write 0, timeout 17255
>   Requests/sec: 403180.76
>   Transfer/sec:     59.21MB
>
> When I added it back, but with a condition on the traffic being HTTPS, performance at that high request rate was kept:
>
>   http-request add-header X-Cipher-Bits %[ssl_fc_use_keysize] if https_traffic
>
> stress results:
>
>   # wrk --timeout 3s --latency -c 1000 -d 5m -t 24 http://10.190.3.1/
>   Running 5m test @ http://10.190.3.1/
>     24 threads and 1000 connections
>     Thread Stats   Avg      Stdev     Max   ± Stdev
>       Latency     2.07ms  823.41us  32.08ms   75.64%
>       Req/Sec    17.86k     2.27k   29.56k    81.81%
>     Latency Distribution
>        50%    2.27ms
>        75%    2.54ms
>        90%    2.76ms
>        99%    3.80ms
>     120945989 requests in 5.00m, 17.35GB read
>     Socket errors: connect 0, read 0, write 0, timeout 19828
>   Requests/sec: 403177.77
>   Transfer/sec:     59.21MB
>
> I also added the same condition for the other 2 variables accessed as log formatters and the performance improved even more. Stress results with
>
>   http-request add-header X-Cipher-Name %sslc if https_traffic
>   http-request add-header X-Cipher-Version %sslv if https_traffic
>   http-request add-header X-Cipher-Bits %[ssl_fc_use_keysize] if https_traffic
>
>   # wrk --timeout 3s --latency -c 1000 -d 5m -t 24 http://10.190.3.1/
>   Running 5m test @ http://10.190.3.1/
>     24 threads and 1000 connections
>     Thread Stats   Avg      Stdev     Max   ± Stdev
>       Latency     2.12ms    9.64ms 607.23ms   99.79%
>       Req/Sec    19.43k     3.28k   33.56k    82.82%
>     Latency Distribution
>        50%    1.95ms
>        75%    2.20ms
>        90%    2.41ms
>        99%    3.36ms
>     131646991 requests in 5.00m, 18.88GB read
>     Socket errors: connect 0, read 0, write 0, timeout 30179
>   Requests/sec: 438828.20
>   Transfer/sec:     64.45MB
>
> The lesson learned here is to either condition all your statements or pay attention to the context in which you apply logic.
>
> Cheers,
> Pavlos

Hey

Just to highlight the most important point, from my point of view:

  Requests/sec: 438828.20

nice job man!

Baptiste
Re: ldap-check with Active Directory
you should believe it :)

On Mon, Mar 30, 2015 at 11:34 PM, Neil - HAProxy List maillist-hapr...@iamafreeman.com wrote:
> Hello
>
> Thanks so much. That worked well, I now get L7OK/0 in 0ms, not sure I believe the 0ms but maybe I should.
>
> Thanks again,
> Neil
>
> On 30 March 2015 at 22:14, Baptiste bed...@gmail.com wrote:
> > [...]
Re: ldap-check with Active Directory
On Mon, Mar 30, 2015 at 10:33 PM, Neil - HAProxy List maillist-hapr...@iamafreeman.com wrote:
> Hello
>
> I'm trying to use ldap-check with active directory and the response active directory gives is not one ldap-check is happy to accept. When I give a 389 directory backend ldap server all is well; when I use AD I get 'Not LDAPv3 protocol'.
>
> I've done a little poking about and found that
>
>   if ((msglen > 2) ||
>       (memcmp(check->bi->data + 2 + msglen, "\x02\x01\x01\x61", 4) != 0)) {
>       set_server_check_status(check, HCHK_STATUS_L7RSP, "Not LDAPv3 protocol");
>
> is where I'm getting stopped, as msglen is 4.
>
> Here is a tcpdump of the 389 directory response (the one that works), 2 packets:
>
>   21:29:34.195699 IP 389.ldap > HAPROXY.57109: Flags [.], ack 15, win 905, options [nop,nop,TS val 856711882 ecr 20393440], length 0
>     0x0000:  0050 5688 7042 0064 403b 2700 0800 4500
>     0x0010:  0034 9d07 4000 3f06 3523 ac1b e955 ac18
>     0x0020:  2810 0185 df15 5cab ffcd 63ba 77d3 8010
>     0x0030:  0389 2c07 0000 0101 080a 3310 62ca 0137
>     0x0040:  2de0
>   21:29:34.195958 IP 389.ldap > HAPROXY.57109: Flags [P.], seq 1:15, ack 15, win 905, options [nop,nop,TS val 856711882 ecr 20393440], length 14
>     0x0000:  0050 5688 7042 0064 403b 2700 0800 4500
>     0x0010:  0042 9d08 4000 3f06 3514 ac1b e955 ac18
>     0x0020:  2810 0185 df15 5cab ffcd 63ba 77d3 8018
>     0x0030:  0389 e878 0000 0101 080a 3310 62ca 0137
>     0x0040:  2de0 300c 0201 0161 070a 0100 0400 0400
>
> Here is a tcpdump of active directory (broken), 1 packet:
>
>   21:25:24.519883 IP ADSERVER.ldap > HAPROXY.57789: Flags [P.], seq 1:23, ack 15, win 260, options [nop,nop,TS val 1870785 ecr 20331021], length 22
>     0x0000:  0050 5688 7042 0050 5688 7780 0800 4500
>     0x0010:  004a 1d7d 4000 8006 34e3 ac18 280d ac18
>     0x0020:  2810 0185 e1bd 5a3f 2ae7 3ced 7b5b 8018
>     0x0030:  0104 1d7a 0000 0101 080a 001c 8bc1 0136
>     0x0040:  3a0d 3084 0000 0010 0201 0161 8400 0000
>     0x0050:  070a 0100 0400 0400
>
> This was discussed but not finished before, see http://www.serverphorums.com/read.php?10,394453
>
> I can see the string \02\01\01\61 is there but not in the correct place.
>
> Anyone have any ideas about fixing this so that both (and possibly other) ldap implementations work?
>
> Thanks,
> Neil

Hi Neil

Yes you can switch to the tcp-check checking method. It works with binary protocols as well.

Here is what I use for the AD in my lab:

  option tcp-check
  tcp-check connect port 389
  tcp-check send-binary 300c0201           # LDAP bind request ROOT simple
  tcp-check send-binary 01                 # message ID
  tcp-check send-binary 6007               # protocol Op
  tcp-check send-binary 0201               # bind request
  tcp-check send-binary 03                 # LDAP v3
  tcp-check send-binary 04008000           # name, simple authentication
  tcp-check expect binary 0a0100           # bind response + result code: success
  tcp-check send-binary 30050201034200     # unbind request

You could add the same sequence for LDAPs on port 636:

  tcp-check connect port 636 ssl
  tcp-check send-binary 300c0201           # LDAP bind request ROOT simple
  tcp-check send-binary 01                 # message ID
  tcp-check send-binary 6007               # protocol Op
  tcp-check send-binary 0201               # bind request
  tcp-check send-binary 03                 # LDAP v3
  tcp-check send-binary 04008000           # name, simple authentication
  tcp-check expect binary 0a0100           # bind response + result code: success
  tcp-check send-binary 30050201034200     # unbind request

Note for myself: put this tip on the blog..

Baptiste
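To see exactly why the 389-ds reply passes and the AD reply fails, here is a small BER walk of both bindResponse messages, plus an encoder for the anonymous simple bind and unbind that the tcp-check send-binary lines above spell out byte by byte. This is an added example, not HAProxy code and not from the thread. The two response byte strings are constructed from the packet layout described above (a 14-byte reply with short-form lengths, a 22-byte reply where AD encodes every length as 0x84 followed by four bytes) and are assumptions, not the raw capture; the fixed-offset check is modelled on the condition quoted in the thread together with the length-byte computation that feeds it, which is an assumption about the surrounding code.

```python
"""Added example: parse LDAP bindResponse with short- and long-form BER lengths, build bind/unbind."""

# Constructed from the structure described in the thread, not copied from the capture.
# 389 Directory Server: SEQUENCE{ INTEGER 1, [APPLICATION 1]{ ENUMERATED 0, "", "" } }
DS389_BIND_RESPONSE = bytes.fromhex("30 0c 02 01 01 61 07 0a 01 00 04 00 04 00")
# Active Directory: same content, but the SEQUENCE and the bindResponse lengths
# use the long form 84 xx xx xx xx, which is what the check in the thread trips on.
AD_BIND_RESPONSE = bytes.fromhex("30 84 00 00 00 10 02 01 01 61 84 00 00 00 07 0a 01 00 04 00 04 00")
# Constructed failure case: resultCode 49 (invalidCredentials) in the short form.
DS389_BIND_FAILURE = bytes.fromhex("30 0c 02 01 01 61 07 0a 01 31 04 00 04 00")


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the TLV element starting at pos.

    Accepts the short form (one length byte < 0x80) and the long form
    (0x81..0x84 followed by that many length bytes), so both encodings above parse.
    """
    tag = buf[pos]
    first = buf[pos + 1]
    if first & 0x80 == 0:
        length, header = first, 2
    else:
        nbytes = first & 0x7f
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported BER length encoding")
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        header = 2 + nbytes
    start = pos + header
    end = start + length
    if end > len(buf):
        raise ValueError("truncated element")
    return tag, start, end


def parse_bind_response(buf):
    """Return (messageID, resultCode) from an LDAPMessage carrying a bindResponse."""
    tag, start, end = read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, s, e = read_tlv(buf, start)
    if tag != 0x02:
        raise ValueError("messageID must be an INTEGER")
    message_id = int.from_bytes(buf[s:e], "big", signed=True)
    tag, s, e = read_tlv(buf, e)
    if tag != 0x61:
        raise ValueError("protocolOp is not bindResponse (APPLICATION 1)")
    tag, rs, re_ = read_tlv(buf, s)      # first component: resultCode ENUMERATED
    if tag != 0x0a:
        raise ValueError("bindResponse must start with resultCode")
    return message_id, int.from_bytes(buf[rs:re_], "big")


def fixed_offset_check_accepts(buf):
    """Model of the fixed-offset test quoted in the thread: it tolerates at most two
    extra length bytes, then expects 02 01 01 61 right after them. AD's four-byte
    long form makes msglen 4, so the message is rejected before its content is read."""
    if len(buf) < 14 or buf[0] != 0x30:
        return False
    msglen = (buf[1] & 0x7f) if (buf[1] & 0x80) else 0
    return msglen <= 2 and buf[2 + msglen:6 + msglen] == b"\x02\x01\x01\x61"


def _tlv(tag, value):
    """Short-form TLV; enough for the small probe messages used here."""
    if len(value) >= 0x80:
        raise ValueError("short-form encoder only")
    return bytes([tag, len(value)]) + value


def simple_bind_request(message_id=1, name=b"", password=b""):
    """LDAPv3 BindRequest with simple authentication; empty name and password
    give the anonymous bind the tcp-check lines send (300c0201016007...)."""
    bind = _tlv(0x02, bytes([3])) + _tlv(0x04, name) + _tlv(0x80, password)
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, bind))


def unbind_request(message_id=3):
    """UnbindRequest (APPLICATION 2, empty), matching the final send-binary line."""
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x42, b""))


if __name__ == "__main__":
    for label, msg in (("389-ds", DS389_BIND_RESPONSE), ("AD", AD_BIND_RESPONSE)):
        print(label, parse_bind_response(msg), "fixed-offset check:", fixed_offset_check_accepts(msg))
    print("bind  :", simple_bind_request().hex())
    print("unbind:", unbind_request().hex())
```

The parser returns the same (messageID, resultCode) for both servers, while the fixed-offset model accepts only the 389-ds bytes; the tcp-check expect on 0a0100 sidesteps the problem because it searches for the resultCode bytes rather than assuming where the message header ends.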
Re: ldap-check with Active Directory
Hi Matt,

The issue with LDAP is that it is not a banner protocol. So either you check that the TCP port is well bound on the server for a simple L4 check, or, for L7, you don't have the choice: you must send a message and check the server's result.

Baptiste

On Tue, Mar 31, 2015 at 9:53 AM, Matt . yamakasi@gmail.com wrote:
> I'm also testing some ldap checks but I see lots of logging and log partitions filling up like crazy.
>
> I wonder if it's really doable to check the ldap status in a graceful way.
>
> 2015-03-31 9:45 GMT+02:00 Neil - HAProxy List maillist-hapr...@iamafreeman.com:
> > Hello
> >
> > I was thinking of updating the ldap-check but I think I've a better idea. Macros (well ish).
> > [...]
Re: ldap-check with Active Directory
I think they play with their syslog server to tell a check from real traffic and prevent the syslog server from logging the checks.

Baptiste

On Tue, Mar 31, 2015 at 11:33 AM, Matt . yamakasi@gmail.com wrote:
> Hi Baptiste,
>
> Yes I've seen it also and never got around large logs. What do most people do, empty logs very often?
>
> 2015-03-31 11:29 GMT+02:00 Baptiste bed...@gmail.com:
> > Hi Matt,
> >
> > The issue with LDAP is that it is not a banner protocol. So either you check that the TCP port is well bound on the server for a simple L4 check, or, for L7, you don't have the choice: you must send a message and check the server's result.
> >
> > Baptiste
> >
> > [...]
Re: ldap-check with Active Directory
I was thinking of updating the ldap-check but I think I've a better idea. Macros (well, ish).

    send-binary 300c0201          # LDAP bind request ROOT simple
    send-binary 01                # message ID
    send-binary 6007              # protocol Op
    send-binary 0201              # bind request
    send-binary 03                # LDAP v3
    send-binary 04008000          # name, simple authentication
    expect binary 0a0100          # bind response + result code: success
    send-binary 30050201034200    # unbind request

could be in a file named macros/ldap-simple-bind, then the option tcp-check-macro ldap-simple-bind would use it. I know this is close to includes.

Similarly macros/smtp-helo-quit:

    connect port 25
    expect rstring ^220
    send QUIT\r\n
    expect rstring ^221

or, from http://blog.haproxy.com/2014/06/06/binary-health-check-with-haproxy-1-5-php-fpmfastcgi-probe-example/:

    # FCGI_BEGIN_REQUEST
    send-binary 01      # version
    send-binary 01      # FCGI_BEGIN_REQUEST
    send-binary 0001    # request id
    send-binary 0008    # content length
    send-binary 00      # padding length
    send-binary 00      #
    send-binary 0001    # FCGI responder
    send-binary         # flags
    send-binary         #
    send-binary         #

    # FCGI_PARAMS
    send-binary 01      # version
    send-binary 04      # FCGI_PARAMS
    send-binary 0001    # request id
    send-binary 0045    # content length
    send-binary 03      # padding length: padding for content % 8 = 0
    send-binary 00      #
    send-binary 0e03524551554553545f4d4554484f44474554             # REQUEST_METHOD = GET
    send-binary 0b055343524950545f4e414d452f70696e67               # SCRIPT_NAME = /ping
    send-binary 0f055343524950545f46494c454e414d452f70696e67       # SCRIPT_FILENAME = /ping
    send-binary 040455534552524F4F54                               # USER = ROOT
    send-binary 00      # padding

    # FCGI_PARAMS
    send-binary 01      # version
    send-binary 04      # FCGI_PARAMS
    send-binary 0001    # request id
    send-binary         # content length
    send-binary 00      # padding length: padding for content % 8 = 0
    send-binary 00      #

    expect binary 706f6e67    # pong

(though for items like

    send-binary 0e03524551554553545f4d4554484f44474554    # REQUEST_METHOD = GET

I'd prefer a

    send-as-binary REQUEST_METHOD = GET

)

These and many others could be shipped with haproxy. This seems to make sense to me as they are small, contained logical items.
Neil

Hi Neil,
Both contributions are interesting! Let's wait for other people's feedback.
Baptiste
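The probe bytes in Neil's proposal are easier to trust when they are generated than when they are hand-typed in hex. This added example (not code from the thread or from HAProxy; function names are chosen here) builds the LDAP simple-bind and the FastCGI /ping probe with a small encoder, reproducing the hex strings quoted above and showing the length and padding arithmetic behind them, including the send-as-binary REQUEST_METHOD = GET form Neil asked for.

```python
"""Generate the tcp-check 'send-binary' payloads quoted in the thread.

Added example, not code from the thread or from HAProxy. Function names
are the author's own; byte layouts follow RFC 4511 (LDAP) and the
FastCGI 1.0 specification.
"""
import struct


def ber_tlv(tag: int, payload: bytes) -> bytes:
    """Minimal BER TLV encoder: short-form length only (payload < 128 bytes)."""
    if len(payload) >= 0x80:
        raise ValueError("short-form BER length only")
    return bytes([tag, len(payload)]) + payload


def ldap_simple_bind(msg_id: int, dn: bytes = b"", password: bytes = b"") -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple pw } }.
    With empty dn and password this is an anonymous bind: the probe only
    checks that the server speaks LDAP, not that any credential works."""
    bind = ber_tlv(0x60,                         # [APPLICATION 0] BindRequest
                   ber_tlv(0x02, bytes([3]))     # INTEGER version 3
                   + ber_tlv(0x04, dn)           # LDAPDN (OCTET STRING)
                   + ber_tlv(0x80, password))    # [0] simple authentication
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + bind)


def ldap_unbind(msg_id: int) -> bytes:
    """LDAPMessage { messageID, UnbindRequest [APPLICATION 2] NULL }."""
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + ber_tlv(0x42, b""))


def ldap_bind_succeeded(response: bytes) -> bool:
    """'expect binary 0a0100' is a substring match on the reply: ENUMERATED
    resultCode 0 (success). Anything else (e.g. 0a0131 invalidCredentials) fails."""
    return b"\x0a\x01\x00" in response


FCGI_VERSION_1, FCGI_BEGIN_REQUEST, FCGI_PARAMS, FCGI_RESPONDER = 1, 1, 4, 1


def fcgi_record(rtype: int, request_id: int, content: bytes) -> bytes:
    """FastCGI record: 8-byte header, content, then zero padding so that
    content + padding is a multiple of 8 (the 'content % 8 = 0' rule)."""
    padding = (-len(content)) % 8
    header = struct.pack("!BBHHBB", FCGI_VERSION_1, rtype, request_id,
                         len(content), padding, 0)
    return header + content + b"\x00" * padding


def fcgi_param(name: str, value: str) -> bytes:
    """One FCGI_PARAMS name/value pair using 1-byte lengths (both < 128)."""
    n, v = name.encode(), value.encode()
    if len(n) >= 0x80 or len(v) >= 0x80:
        raise ValueError("1-byte name/value lengths only")
    return bytes([len(n), len(v)]) + n + v


def fcgi_probe(params) -> bytes:
    """BEGIN_REQUEST (responder role, flags 0) + PARAMS + empty PARAMS."""
    begin = struct.pack("!HB5x", FCGI_RESPONDER, 0)     # role, flags, reserved
    body = b"".join(fcgi_param(k, v) for k, v in params)
    return (fcgi_record(FCGI_BEGIN_REQUEST, 1, begin)
            + fcgi_record(FCGI_PARAMS, 1, body)
            + fcgi_record(FCGI_PARAMS, 1, b""))


def tcp_check_lines(probe: bytes, expect_hex: str, chunk: int = 32) -> list:
    """Render a probe as tcp-check directives, splitting long payloads so
    each send-binary line stays readable."""
    lines = ["tcp-check send-binary " + probe[i:i + chunk].hex()
             for i in range(0, len(probe), chunk)]
    return lines + ["tcp-check expect binary " + expect_hex]


if __name__ == "__main__":
    print(*tcp_check_lines(ldap_simple_bind(1), "0a0100"), sep="\n")
    ping = fcgi_probe([("REQUEST_METHOD", "GET"), ("SCRIPT_NAME", "/ping"),
                       ("SCRIPT_FILENAME", "/ping"), ("USER", "ROOT")])
    print(*tcp_check_lines(ping, b"pong".hex()), sep="\n")
```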
Re: Complete rewrite of HAProxy in Lua
I'll have to find a way to code buffer overflows in LUA! Baptiste
Re: Agent-check not working with backend HTTPS
On Wed, Apr 1, 2015 at 4:13 PM, Claudio Ruggieri claudio.ruggi...@inetworking.it wrote:
Hi all,
I have a problem with agent-check in my haproxy installation: Ubuntu Server 14.04 LTS with haproxy 1.5.3-1~ubuntu14.04.1.
HAProxy is configured with 2 backends: one HTTP and one HTTPS. Agent-check is a bash script that simply returns a percentage.
The HTTP backend works fine. The HTTPS backend doesn't work. In the web Statistic Report I see no weight is updated and I don't have errors in the log.
This is the HTTPS backend configuration:

    backend application-https
        description HTTPS Application backend
        cookie SRV insert indirect maxidle 24h maxlife 24h
        server rp1-test-https 192.168.170.181:443 maxconn 100 weight 100 fall 2 rise 2 check inter 2s agent-check agent-port 4321 agent-inter 5s cookie rp1-test-https ssl verify none
        server rp2-test-https 192.168.170.182:443 maxconn 100 weight 100 fall 2 rise 2 check inter 2s agent-check agent-port 4321 agent-inter 5s cookie rp2-test-https ssl verify none

Any idea?

Hi Claudio,
What does a tcpdump on port 4321 tell you? And what type of content do you see from the server to haproxy in the captured packets?
Baptiste
Re: Availability of HAProxy on Windows Server
Use hyperv and a linux VM inside. It works pretty well :)
Baptiste

On Fri, Mar 27, 2015 at 12:50 PM, Simon Dick sim...@irrelevant.org wrote:
I'm afraid Windows isn't a supported platform, please see http://www.haproxy.org/#plat

On 26 March 2015 at 21:38, Abhijit Damle abhijit.da...@beca.com wrote:
Hi,
Do you have any version of HAProxy supported on Windows Server editions (Server 2008, Server 2012 etc.)? If so, from where can I download it?
Thanks and regards,
Abhijit Damle
Senior Software Engineer
Beca
www.beca.com

---
NOTICE: This email, if it relates to a specific contract, is sent on behalf of the Beca company which entered into the contract. Please contact the sender if you are unsure of the contracting Beca company or visit our web page http://www.beca.com for further information on the Beca Group. If this email relates to a specific contract, by responding you agree that, regardless of its terms, this email and the response by you will be a valid communication for the purposes of that contract, and may bind the parties accordingly. This e-mail together with any attachments is confidential, may be subject to legal privilege and may contain proprietary information, including information protected by copyright. If you are not the intended recipient, please do not copy, use or disclose this e-mail; please notify us immediately by return e-mail and then delete this e-mail.
---
Re: RTMP offloading
Matt,
I won't do your configuration since I have no idea what you want to do. Share what you did exactly, share more information about the issues (logs, etc...) and we may help.
Baptiste

On Sun, Mar 29, 2015 at 3:53 PM, Matt . yamakasi@gmail.com wrote:
Hi,
I have tried all, also TCP. I'm configuring it using pfsense so I need to grab it from there. Do you have a small example of what should work? I can paste that into pfsense then.
In my app I should just connect rtmps to port 443 on ha, offload and connect to normal rtmp 1935 again, was my idea?
Thanks so far!
Cheers,
Matt

2015-03-29 15:47 GMT+02:00 Baptiste bed...@gmail.com:
On Sun, Mar 29, 2015 at 1:05 PM, Matt . yamakasi@gmail.com wrote:
Hi Guys,
I'm trying to offload an rtmp connection where I connect using rtmps to ha proxy and offload the ssl layer there. In some strange way I can't get it working but I can with other services the same way. Is RTMP a hard one in this case?
Thanks,
Matt

Hi,
Are you using mode tcp? Could you share your configuration? Any error message provided by any equipment involved in your setup?
Baptiste
Re: RTMP offloading
    frontend rtmp_https
        bind xxx.xxx.xxx.xxx:443 name xxx.xxx.xxx.xxx:443 ssl crt /var/etc/haproxy/mycert.pem
        mode tcp
        log global
        maxconn 9
        timeout client 60
        use_backend rtmpbackend_tcp_ipvANY if
        default_backend rtmpbackend_tcp_ipvANY

    backend rtmpbackend_tcp_ipvANY
        mode tcp
        balance leastconn
        timeout connect 3
        timeout server 3
        retries 3
        option httpchk GET /
        server rtmp-01 172.16.5.11:443 check-ssl check inter 1000 weight 100 verify none
        server rtmp-02 172.16.5.12:443 check-ssl check inter 1000 weight 100 verify none

Weren't you supposed to connect on port 1935, where traffic is unciphered? Can you confirm whether traffic is ciphered or not on the server's port 443?? (You seem to be mixing clear traffic over a connection which expects ciphered traffic on the server side.)
Does haproxy say the servers are UP (logs, stats page, etc...)?
Baptiste
Re: RTMP offloading
On Sun, Mar 29, 2015 at 1:05 PM, Matt . yamakasi@gmail.com wrote:
Hi Guys,
I'm trying to offload an rtmp connection where I connect using rtmps to ha proxy and offload the ssl layer there. In some strange way I can't get it working but I can with other services the same way. Is RTMP a hard one in this case?
Thanks,
Matt

Hi,
Are you using mode tcp? Could you share your configuration? Any error message provided by any equipment involved in your setup?
Baptiste
Re: route by destination IP address
Hi,
No, HAProxy won't do this. Instead, if you could explain to us clearly what your problem is, we may be able to help you. For now you just explain what you tried to achieve.
Baptiste

On Sun, Mar 29, 2015 at 3:33 PM, Abdelouahed Haitoute ahaito...@rinis.nl wrote:
I think I've found the issue. During the test, I'm visiting a hostname http://example/. But the acl condition req.hdr_ip(host) will only work if I visit http://192.168.0.1/. Is it possible to let haproxy resolve the domain name and then check the IP address?

On 29 Mar. 2015, at 14:04, Abdelouahed Haitoute ahaito...@rinis.nl wrote:
Hello,
I'm trying to route http-requests based on destination IP address. I've got the following configuration, but unfortunately it's not working:

    frontend proxy :3128
        acl host_destip req.hdr_ip(host) 192.168.0.1
        use_backend a if host_destip
        default_backend b

I'm expecting all http-traffic with destination IP address 192.168.0.1 to go to backend a, but it's using the default_backend.
Any help is welcome.
Re: http-request set-map key as fixed string
On Sat, Feb 28, 2015 at 9:03 AM, Baptiste bed...@gmail.com wrote:
On Sat, Feb 28, 2015 at 8:42 AM, Vivek Malik vivek.ma...@gmail.com wrote:
Hi Baptiste,
Using set-map on the stats socket gives the expected result (except that I can't use functions there).

    set map motion.map monday 12345

did set the map with key monday and value 12345.
I found that

    http-request set-map(motion.map) monday %[date]

doesn't work, but

    http-request set-map(motion.map) %t

does work. Using %T, %TL, %t works as expected but %[date] doesn't.
Moreover, I am getting crazy results when I try to use

    http-request set-map(motion.map) monday %[src]

Using this makes both key and value src.
BTW, I am using:

    HA-Proxy version 1.5.11 2015/01/31
    Copyright 2000-2015 Willy Tarreau w...@1wt.eu
    Build options :
      TARGET  = linux2628
      CPU     = generic
      CC      = gcc
      CFLAGS  = -O2 -g -fno-strict-aliasing
      OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_STATIC_PCRE=1
    Default settings :
      maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
    Encrypted password support via crypt(3): yes
    Built with zlib version : 1.2.8
    Compression algorithms supported : identity, deflate, gzip
    Built with OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
    Running on OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
    OpenSSL library supports TLS extensions : yes
    OpenSSL library supports SNI : yes
    OpenSSL library supports prefer-server-ciphers : yes
    Built with PCRE version : 8.31 2012-07-06
    PCRE library supports JIT : no (USE_PCRE_JIT not set)
    Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
    Available polling systems :
      epoll : pref=300, test result OK
      poll : pref=200, test result OK
      select : pref=150, test result OK
    Total: 3 (3 usable), will use epoll.

Hi Vivek,
I can reproduce the bug, I'm digging into it.
Baptiste

I was able to isolate the bug here: src/proto_http.c:3490.
For some reason, when the first argument is a raw string and the second is a fetch, then the first argument ('key') is erased after build_logline returns on line 3490. If the second argument is a string, then there is no problem:

    http-request set-map(/tmp/motion.map) monday monday       ==> works as expected
    http-request set-map(/tmp/motion.map) %[date()] monday    ==> works as expected
    http-request set-map(/tmp/motion.map) monday %[date()]    ==> bug as reported by Vivek

I won't be able to go further on this bug today. If I can't during the week-end, and nobody did, I'll talk to Willy on Monday.
Baptiste
Re: Balancing requests and backup servers
On Fri, Feb 27, 2015 at 12:04 PM, Dmitry Sivachenko trtrmi...@gmail.com wrote:
On Feb 27, 2015, at 11:52, Baptiste bed...@gmail.com wrote:
On Fri, Feb 27, 2015 at 9:02 AM, Dmitry Sivachenko trtrmi...@gmail.com wrote:
On Feb 27, 2015, at 2:56, Baptiste bed...@gmail.com wrote:
On Thu, Feb 26, 2015 at 3:58 PM, Dmitry Sivachenko trtrmi...@gmail.com wrote:
Hello!
Given the following configuration

    backend BC
        option allbackups
        server s1 maxconn 30 check
        server s2 maxconn 30 check
        server s3 maxconn 30 check
        server b1 maxconn 30 check backup
        server b2 maxconn 30 check backup

imagine that s1, s2 and s3 have 30 active sessions and (tcp) checks succeed.

Hi Dmitry. Let me answer inline:

1) subsequent requests will be balanced between b1 and b2 because s1, s2 and s3 reached their maxconn

Nope, they'll be queued on the backend until one of the servers has a free slot. b1 and b2 will be used when ALL of s1, s2 and s3 are operationally DOWN.

Okay, then how can I achieve the described setup? I want to balance requests between s1, s2, s3 until they have less than N active sessions and route extra requests to b1 and b2.

Two solutions:
- use the 'balance first' load-balancing algorithm and remove the backup keyword
- create 2 backends, one with 3 servers, one with two, use the 'queue' fetch to get the number of queued requests on backend1 and route to backend 2 if the number is greater than 0.

BTW what if I have maxqueue 1 in default-server? If the queue is full for all servers, will that backend use backup servers?

Hi,
No, backup servers will be used only when all active servers are DOWN.
Baptiste
Re: http-request set-map key as fixed string
On Sat, Feb 28, 2015 at 8:42 AM, Vivek Malik vivek.ma...@gmail.com wrote:
Hi Baptiste,
Using set-map on the stats socket gives the expected result (except that I can't use functions there).

    set map motion.map monday 12345

did set the map with key monday and value 12345.
I found that

    http-request set-map(motion.map) monday %[date]

doesn't work, but

    http-request set-map(motion.map) %t

does work. Using %T, %TL, %t works as expected but %[date] doesn't.
Moreover, I am getting crazy results when I try to use

    http-request set-map(motion.map) monday %[src]

Using this makes both key and value src.
BTW, I am using:

    HA-Proxy version 1.5.11 2015/01/31
    Copyright 2000-2015 Willy Tarreau w...@1wt.eu
    Build options :
      TARGET  = linux2628
      CPU     = generic
      CC      = gcc
      CFLAGS  = -O2 -g -fno-strict-aliasing
      OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_STATIC_PCRE=1
    Default settings :
      maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
    Encrypted password support via crypt(3): yes
    Built with zlib version : 1.2.8
    Compression algorithms supported : identity, deflate, gzip
    Built with OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
    Running on OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
    OpenSSL library supports TLS extensions : yes
    OpenSSL library supports SNI : yes
    OpenSSL library supports prefer-server-ciphers : yes
    Built with PCRE version : 8.31 2012-07-06
    PCRE library supports JIT : no (USE_PCRE_JIT not set)
    Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
    Available polling systems :
      epoll : pref=300, test result OK
      poll : pref=200, test result OK
      select : pref=150, test result OK
    Total: 3 (3 usable), will use epoll.

Hi Vivek,
I can reproduce the bug, I'm digging into it.
Baptiste
Re: How to track 503's
On Fri, Feb 27, 2015 at 8:23 PM, Daniel Dubovik ddubo...@godaddy.com wrote:
Hello all!
I want to use HAProxy to detect if I receive a certain status code from a backend web server (say, a 503 error or some such) while processing a request. If I do receive it, track the request, so subsequent requests to the domain will behave differently (specifically, go to a different backend that has a different load balancing method, or different servers that can handle their load).
Is there a way I can do this in HAProxy? Stick-tables don't let me track requests based on the response, only on the request information, so that doesn't seem like it would work, but it seems like the only place that it would fit?
Thanks!
Dan

Hi Daniel,
Something not clear in your request: do you want to route ALL traffic after an error, or only the traffic from a single user?
You may use 'stick store-response' when an error is returned by the server and track it when traffic comes in with the in_table fetch. This may require you to switch to HAProxy 1.6-dev.
Baptiste
Re: Lua patchset merged
I love it! Just wrote, as a proof of concept, a forward proxy...
That said, it seems my lua script is blocking... I mean, if the remote server is slow to deliver the response, then HAProxy doesn't process any other request or response.
Baptiste
[FIX] [LUA] missing ifdef related to Openssl
A couple of missing ifdefs for OpenSSL prevent building Lua support without SSL enabled. This patch fixes it.
Baptiste

Attachment: 0002-FIX-missing-ifdef-related-to-SSL-when-enabling-LUA.patch (binary data)
[FIX] [LUA] segfault in txn.get_headers
When we try to execute the txn.get_headers function in a TCP mode frontend or backend, HAProxy segfaults.
Baptiste

Attachment: 0001-fix-a-segfault-in-txn.get_headers.patch (binary data)
Re: Balancing requests and backup servers
On Fri, Feb 27, 2015 at 9:02 AM, Dmitry Sivachenko trtrmi...@gmail.com wrote:
On Feb 27, 2015, at 2:56, Baptiste bed...@gmail.com wrote:
On Thu, Feb 26, 2015 at 3:58 PM, Dmitry Sivachenko trtrmi...@gmail.com wrote:
Hello!
Given the following configuration

    backend BC
        option allbackups
        server s1 maxconn 30 check
        server s2 maxconn 30 check
        server s3 maxconn 30 check
        server b1 maxconn 30 check backup
        server b2 maxconn 30 check backup

imagine that s1, s2 and s3 have 30 active sessions and (tcp) checks succeed.

Hi Dmitry. Let me answer inline:

1) subsequent requests will be balanced between b1 and b2 because s1, s2 and s3 reached their maxconn

Nope, they'll be queued on the backend until one of the servers has a free slot. b1 and b2 will be used when ALL of s1, s2 and s3 are operationally DOWN.

Okay, then how can I achieve the described setup? I want to balance requests between s1, s2, s3 until they have less than N active sessions and route extra requests to b1 and b2.

Two solutions:
- use the 'balance first' load-balancing algorithm and remove the backup keyword
- create 2 backends, one with 3 servers, one with two, use the 'queue' fetch to get the number of queued requests on backend1 and route to backend 2 if the number is greater than 0.

2) nbsrv(BC) will still be equal to 3 because checks for s1, s2 and s3 still succeed

Nope, nbsrv is 5, since b1 and b2 should be counted as well.

In fact backup servers do NOT count in nbsrv(). I am not sure if it is a bug or a feature.

My bad :) This must be by design.
Baptiste
Re: Lua patchset merged
How do you pass arguments to a lua function? Imagine I want to call the following lua function:

    function download (host, file)

Baptiste
Re: Lua patchset merged
Great news, congratulation Thierry! Baptiste
Re: Lua patchset merged
A few ifdef missing when SSL is not compiled in HAProxy: diff --git a/src/hlua.c b/src/hlua.c index a0e4d91..3d69c5d 100644 --- a/src/hlua.c +++ b/src/hlua.c @@ -1542,6 +1542,7 @@ __LJMP static int hlua_socket_connect(struct lua_State *L) return 0; } +#ifdef USE_OPENSSL __LJMP static int hlua_socket_connect_ssl(struct lua_State *L) { struct hlua_socket *socket; @@ -1551,6 +1552,7 @@ __LJMP static int hlua_socket_connect_ssl(struct lua_State *L) socket-s-target = socket_ssl.obj_type; return MAY_LJMP(hlua_socket_connect(L)); } +#endif __LJMP static int hlua_socket_setoption(struct lua_State *L) { 
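Review bot: The `#endif` closing the new `USE_OPENSSL` guard around hlua_socket_connect_ssl() carries no trailing comment; since the guard now spans a whole function body, `#endif /* USE_OPENSSL */` makes the pairing visible. Also confirm that every SSL-only symbol the guarded body references (the visible line `socket-s-target = socket_ssl.obj_type;` uses `socket_ssl`) is itself only defined under the same macro, otherwise a non-SSL build still fails on that symbol.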
@@ -3563,7 +3565,9 @@ void hlua_init(void) lua_pushstring(gL.T, __index); lua_newtable(gL.T); +#ifdef USE_OPENSSL hlua_class_function(gL.T, connect_ssl, hlua_socket_connect_ssl); +#endif hlua_class_function(gL.T, connect, hlua_socket_connect); hlua_class_function(gL.T, send,hlua_socket_send); hlua_class_function(gL.T, receive, hlua_socket_receive); Baptiste On Sun, Mar 1, 2015 at 6:22 PM, Cyril Bonté cyril.bo...@free.fr wrote: Hi Tierry, Huge work ! I've not played with it yet, but I've already compiled it successfully ;-) Some early feedbacks : - It appears that the code requires at least LUA 5.2. - Maybe we'll have to work on the Makefile to ease the compilation. For example, on debian, I have to add -llua5.2 instead of -llua - There's a small typo in an error message (hlua.c:423) : Malformad argument mask instead of Malformed argument mask for the hlua_lua2arg_check() function. I'll send a patch later for that. - Talking about hlua_lua2arg_check(), There are 2 other points : 1. The function comments has some typos. While trying to fix them, I'm realizing I don't understand the comment and I'm not sure to rewrite it correctly. Can you have a look at it ? 2. I think we can have a buffer overflow with the following test : if (idx = ARGM_NBARGS argp[idx].type != ARGT_STOP) The calling function (hlua_run_sample_fetch) already allows a same buffer overflow : struct arg args[ARGM_NBARGS]; and args[i].type = ARGT_STOP; where `i' can be equal to ARGM_NBARGS. - As it is done for other libraries, maybe we can add the compiled version of LUA when haproxy -vv is called. I'll also send a patch for that. - Still about the version : maybe we can add a #error when LUA_VERSION_NUM is not defined or less than 502 : # LUA 5.0.x : not devined # LUA 5.1.x : equal to 501 # LUA 5.2.x : equal to 502 # LUA 5.3.x : equal to 503 I think I'll try some LUA scripts before the end of the week-end (which is approaching too quickly) ;-) -- Cyril Bonté
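Review bot: Guarding only the `hlua_class_function(gL.T, connect_ssl, hlua_socket_connect_ssl);` registration means a non-SSL build exposes a Socket class with no `connect_ssl` method, so a Lua script calling it fails at runtime with a nil-method error rather than at configuration or build time. Either document this behaviour in the commit message or add an `#else` branch that registers a stub raising an explicit "SSL support not compiled in" Lua error, so the failure is understandable from the log.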
Re: NOSRV/BADREQ from some Java based clients
On Sat, Feb 21, 2015 at 12:39 AM, NuSkooler nuskoo...@gmail.com wrote:
We have been in the process of deploying HAProxy as an SSL terminator between our client software and back end services. In the testing phases, everything is working great and looking good with one exception: some old client software that utilizes a Java SSL implementation fails to connect and we end up with logs like this:

    [20/Feb/2015:15:49:51.632] https_frontend~ https_frontend/NOSRV -1/-1/-1/-1/23 400 187 - - CR-- 0/0/0/0/0 0/0 BADREQ

Without HAProxy in the mix, these same clients connect up to our Mochiweb services (via SSL) just fine. Additionally, our newer clients that are OpenSSL based communicate with HAProxy (termination) -> Mochiweb (via HTTP) just fine as well.
From what I can tell, it appears as though we may have a combination of two bad things:
1) Clients sending some sort of non-standard handshake
2) Mochiweb has been allowing it.
Some additional gritty details:
* socat 'show errors' shows 0 errors
* The same bad clients fail to connect to an OpenSSL s_server (logs below)
Since we can't even properly connect to s_server, that may be the end of the road for those clients. However, I'm hoping there may be something that could be configured to allow them through HAProxy. Below is an s_server log. Note the read failure at the end. A similar capture in the view of Wireshark is below that. Lastly, *with* HAProxy, when the NOSRV/BADREQ is issued, the client is sent an encrypted 400 Bad Request.
Any help/tips appreciated! This represents a large client base that unfortunately cannot be updated for the time being. If we cannot go through HAProxy directly, the next step is to figure out a way to route old clients around it :(

Hi,
Since HAProxy returns a 400, it means that the issue is above the SSL connection.
You should enable HAProxy's stats socket and run the following command on it right after a 400 has been emitted:

    show errors

Then HAProxy will print why it has blocked the request and why it considered this request was not HTTP compliant.
Baptiste
Re: MIB
Hi Mathieu,
There is no such MIB for HAProxy.
Baptiste

On Wed, Feb 25, 2015 at 4:17 PM, Mathieu Sergent mathieu.sergent...@gmail.com wrote:
Hi,
I want to know if a MIB for HAProxy is available?
Regards,
Mathieu
Re: Integrating a third party library
and 2. how could we write a new function in HAProxy which takes a buffer of data in entry and can return a string (or buffer of data)

I think that what you want to implement is a sample fetch function. For example, take a look at the recently introduced req.hdr_names function, which iterates over all request headers and produces a string that can be used to build a log line, another header or whatever. I think it will be straightforward enough for you to understand how to implement this with your lib.
Best regards,
Willy

Hi Willy,
I think a converter is more suited here. I mean, a fetch can't take a buffer issued from the result of another fetch...
The idea would be to configure it something like:

    http-request set-header Foobar req.hdr(HEADER),mikefunction(parameters if required)

Mike, in such case, you want to have a look at this file: http://git.haproxy.org/?p=haproxy.git;a=blob_plain;f=src/sample.c;hb=HEAD and at the upper and lower and any other converter functions.
Baptiste
Re: Balancing requests and backup servers
On Thu, Feb 26, 2015 at 3:58 PM, Dmitry Sivachenko trtrmi...@gmail.com wrote:
Hello!
Given the following configuration

    backend BC
        option allbackups
        server s1 maxconn 30 check
        server s2 maxconn 30 check
        server s3 maxconn 30 check
        server b1 maxconn 30 check backup
        server b2 maxconn 30 check backup

imagine that s1, s2 and s3 have 30 active sessions and (tcp) checks succeed.

Hi Dmitry. Let me answer inline:

1) subsequent requests will be balanced between b1 and b2 because s1, s2 and s3 reached their maxconn

Nope, they'll be queued on the backend until one of the servers has a free slot. b1 and b2 will be used when ALL of s1, s2 and s3 are operationally DOWN.

2) nbsrv(BC) will still be equal to 3 because checks for s1, s2 and s3 still succeed

Nope, nbsrv is 5, since b1 and b2 should be counted as well.
Baptiste
Re: peer replication reset values of stick tables
On Thu, Feb 26, 2015 at 4:08 PM, Aurélien Bras aurelien.b...@gmail.com wrote:
Hi,
I have an issue configuring peer replication with stick tables. Here is my setup:

    peers mypeers
        peer cldev-lb 10.1.1.101:1024

    backend b_35902
        stick-table type ip size 1k store bytes_out_rate(30),bytes_in_rate(30),bytes_out_cnt,bytes_in_cnt peers mypeers
        tcp-request content track-sc2 dst

When reloading haproxy I can see the learning process fetching data on port 1024, and then the key still remains afterwards, but all counters are reset:

Before the reload:

    echo show table b_35902 | socat /var/run/haproxy/admin.sock stdio
    # table: b_35902, type: ip, size:1024, used:1
    0xd82e08: key=172.18.5.5 use=0 exp=0 bytes_in_cnt=3088 bytes_in_rate(30)=3088 bytes_out_cnt=14570 bytes_out_rate(30)=14570

After:

    echo show table b_35902 | socat /var/run/haproxy/admin.sock stdio
    # table: b_35902, type: ip, size:1024, used:1
    0x175ae08: key=172.18.5.5 use=0 exp=0 bytes_in_cnt=0 bytes_in_rate(30)=0 bytes_out_cnt=0 bytes_out_rate(30)=0

Is it normal? My goal is to keep these counters across reload.
Thanks for help.
Regards.
Aurélien

Hi Aurélien,
Yes, this is normal and by design.
Baptiste