Re: HAProxy - Server Timeout and Client Timeout

2018-06-05 Thread Andrew Smalley
Hi Michael We often see the client/server timeouts requiring to be raised as you have found. Good default values for client/server timeouts are below, and I include the connect timeout too, in milliseconds: timeout connect 4000 timeout client 42000 timeout server 43000 Say for example you run a

Re: Haproxy SSO

2018-05-09 Thread Andrew Smalley
urn...@arpalert.org> wrote: > On Wed, 9 May 2018 22:02:49 +0100 > Andrew Smalley <asmal...@loadbalancer.org> wrote: > >> Hi Thierry >> >> I saw the packetengine here >> https://www.haproxy.com/documentation/aloha/9-5/packetshield/sso/ > > > Ok. There

Re: Haproxy SSO

2018-05-09 Thread Andrew Smalley
4 / +44 (0)330 380 1064 asmal...@loadbalancer.org Leave a Review | Deployment Guides | Blog On 9 May 2018 at 22:01, <thierry.fourn...@arpalert.org> wrote: > On Wed, 9 May 2018 21:51:13 +0100 > Andrew Smalley <asmal...@loadbalancer.org> wrote: > >> Hi Thierry, >>

Haproxy SSO

2018-05-09 Thread Andrew Smalley
Hi Thierry, I split the thread as I changed subject to SSO part way through, I apologize for that. Your references to SPOA/SPOE Engines were liked very much. I see the SPOA examples in the source code just now in the link you provided

Re: WAF with HA Proxy.

2018-05-09 Thread Andrew Smalley
t of the body size analysed is the size of HAProxy buffer (default > 16kB, but for my own usage, I configure 1MB) > > > The response is not analysed. > > > BR, > Thierry > > > On 9 May 2018, at 21:40, Andrew Smalley <asmal...@loadbalancer.org> wrote: > >

Re: WAF with HA Proxy.

2018-05-09 Thread Andrew Smalley
Hi Mark Actually as far as I understand the Haproxy implementation of mod_security integration is not with Lua but with SPOA https://www.haproxy.org/download/1.7/doc/SPOE.txt Andruw Smalley Loadbalancer.org Ltd. www.loadbalancer.org +1 888 867 9504 / +44 (0)330 380 1064

Re: Question on Caching.

2018-04-30 Thread Andrew Smalley
Ltd. www.loadbalancer.org +1 888 867 9504 / +44 (0)330 380 1064 asmal...@loadbalancer.org Leave a Review | Deployment Guides | Blog On 28 April 2018 at 06:48, Willy Tarreau <w...@1wt.eu> wrote: > Hi Andrew, > > On Thu, Apr 26, 2018 at 10:06:00PM +0100, Andrew Smalley wrote: &

Question on Caching.

2018-04-26 Thread Andrew Smalley
Hello Haproxy mailing list I have been looking at caching technology and have found this https://github.com/jiangwenyuan/nuster/ It claims to be a v1.7 / v1.8 branch fully compatible with haproxy and indeed based on haproxy with the added capability of having a really fast cache as described

Re: slowly move connections away from failed real server to remaining real server.

2018-02-14 Thread Andrew Smalley
...@loadbalancer.org Leave a Review | Deployment Guides | Blog On 14 February 2018 at 17:55, Shawn Heisey <hapr...@elyograg.org> wrote: > On 2/13/2018 7:49 AM, Andrew Smalley wrote: >> We have had a request and not sure if there is any way to implement this. >> >> Simpl

Re: slowly move connections away from failed real server to remaining real server.

2018-02-13 Thread Andrew Smalley
are on the working real server. Andruw Smalley Loadbalancer.org Ltd. www.loadbalancer.org +1 888 867 9504 / +44 (0)330 380 1064 asmal...@loadbalancer.org Leave a Review | Deployment Guides | Blog On 13 February 2018 at 17:21, Moemen MHEDHBI <mmhed...@haproxy.com> wrote: > > > On 13/02/201

slowly move connections away from failed real server to remaining real server.

2018-02-13 Thread Andrew Smalley
Hi, We have had a request and not sure if there is any way to implement this. Simply think of two real servers being loadbalanced. one fails all the connections are moved to the remaining server overloading it. What we want is for the traffic from the failed real server to be moved to the

Re: haproxy-1.8 in Fedora

2018-01-05 Thread Andrew Smalley
Hi Ryan Copr is an easy-to-use automatic build system providing a package repository as its output. Start with making your own repository in these three steps: choose a system and architecture you want to build for; provide Copr with src.rpm packages available online; let Copr do all the work and

Re: 1.8 resolvers - start vs. run

2017-12-29 Thread Andrew Smalley
Hello Jim. I've seen the thread and that you're "befuddled" a little about the use of DNS. Think of it this way, with the resolvers in HAProxy you can resolve the real server names of real server pool, this may be very dynamic in nature and separate to /etc/resolve.conf Now imagine a farm of

Re: issue with namesapce for backend

2017-12-28 Thread Andrew Smalley
P_SYS_ADMIN > capability in the target user namespace if it isn't root: > > http://man7.org/linux/man-pages/man2/setns.2.html > > > > On Thu, Dec 28, 2017 at 12:28 PM, Andrew Smalley > <asmal...@loadbalancer.org> wrote: > > > > Hello Senthil >

Re: issue with namesapce for backend

2017-12-28 Thread Andrew Smalley
Hello Senthil You asked if you can run haproxy as a non root user. Yes you can but only for ports above 1024, ports below 1024 and port 80 as per your config will require root privileges to bind to the port. Andruw Smalley Loadbalancer.org Ltd. www.loadbalancer.org

Re: Traffic delivered to disabled server when cookie persistence is enabled after upgrading to 1.8.1

2017-12-20 Thread Andrew Smalley
:55, Andrew Smalley <asmal...@loadbalancer.org> wrote: > Greg > > it's just been pointed out your cookies are wrong, they would usually > match your server name. > I would change this > > server server-1-google www.google.com:80 check cookie google > server server-

Re: Traffic delivered to disabled server when cookie persistence is enabled after upgrading to 1.8.1

2017-12-20 Thread Andrew Smalley
-sessions Andruw Smalley Loadbalancer.org Ltd. www.loadbalancer.org +1 888 867 9504 / +44 (0)330 380 1064 asmal...@loadbalancer.org Leave a Review | Deployment Guides | Blog On 20 December 2017 at 20:52, Andrew Smalley <asmal...@loadbalancer.org> wrote: > Hi Greg > > Apologies

Re: Traffic delivered to disabled server when cookie persistence is enabled after upgrading to 1.8.1

2017-12-20 Thread Andrew Smalley
checks" > > Best regards, > Greg > > On Wed, Dec 20, 2017 at 8:29 PM, Andrew Smalley > <asmal...@loadbalancer.org> wrote: >> Hi Greg >> >> You say traffic still goes to the real server when in MAINT mode, >> Assuming you mean DRAIN Mode and n

Re: Traffic delivered to disabled server when cookie persistence is enabled after upgrading to 1.8.1

2017-12-20 Thread Andrew Smalley
Hi Greg You say traffic still goes to the real server when in MAINT mode. Assuming you mean DRAIN Mode and not HALTED then this is expected. Existing connections still go to a server while DRAINING but no new connections will get there. If the real server is HALTED then no traffic gets to it.

Re: Websocket metrics

2017-11-14 Thread Andrew Smalley
Hi Claus Below is a blog on the haproxy website about websockets, I apologize if it does not have the information you need https://www.haproxy.com/blog/websockets-load-balancing-with-haproxy/ Andruw Smalley Loadbalancer.org Ltd. www.loadbalancer.org +1 888 867 9504 / +44 (0)330 380 1064

Re: Error in `haproxy': munmap_chunk(): invalid pointer:

2017-11-08 Thread Andrew Smalley
Hi Tim Can you try a make install first please or mkdir -p '/etc/haproxy/state/' so the state directory exists and then re-test. The above is a guess, can you supply the build commands and clarify this line in the config " bind :::80 v4v6" ? Don't you want to "bind *:80" and use IPv4 only Andruw

Re: HAProxy dont Support sslv2 Confirmation

2017-11-06 Thread Andrew Smalley
Hello Jean From what I read SSLv2 is unused and SSLv3 can be enabled with a warning as shown below force-sslv3 : Enforces the use of SSL protocol version SSLv3. Note Not recommended on Internet because of the poodle vulnerability: https://poodle.io/ SSLv2 has not been used on the internet

Re: X-Forwarded-For Balancing

2017-07-26 Thread Andrew Smalley
19:42, Trenton Dyck <trenton.d...@uxpsystems.com> wrote: > Andrew, > > > > Thanks for this suggestion! When you say ‘move the XFF header back’ and > you have a second stick on parameter what is the behavior you expect? Will > it use src ip if no X-Forwarded-For header

Re: X-Forwarded-For Balancing

2017-07-25 Thread Andrew Smalley
er-org-inc-/new-review> | Deployment Guides <https://www.loadbalancer.org/?category=resources=deployment-guides&?gclid=ES2017> | Blog <https://www.loadbalancer.org/?category=blog&?gclid=ES2017> On 25 July 2017 at 17:54, Andrew Smalley <asmal...@loadbalancer.org> wrote:

Re: X-Forwarded-For Balancing

2017-07-25 Thread Andrew Smalley
Hi Trenton I hope the below example will help you with X-Forward-For + Stick table + replication listen VIP_Name bind 192.168.100.50:65435 transparent mode http balance roundrobin option forwardfor if-none stick on hdr(X-Forwarded-For,-1) # Note the ,-1 is to move the XFF

Re: Does anyone heard about DPDK

2017-07-15 Thread Andrew Smalley
Hi Aleksandar I've only ever seen Intel's DPDK being used really with OpenVSwitch and am not sure how it would help haproxy (Not that I am the best person to say if it's good for haproxy) Andrew Smalley Loadbalancer.org Ltd. www.loadbalancer.org +1 888 867 9504 / +44 (0)330 380 1064 asmal

Re: help for configuration between http and tcp mode

2017-07-08 Thread Andrew Smalley
192.168.246.17:8086 mode http option dontlognull TCP Mode will work with any connection however HTTP will only work with unencrypted HTTP Type traffic as it is application aware. Also TCP Mode is really Layer4 and non application aware. Andrew Smalley Loadbalancer.org Ltd. www.loadbalancer.org <ht

Re: How to forward HTTP / HTTPS to different backend proxy servers

2017-07-02 Thread Andrew Smalley
I would like to ask why you have non ssl and ssl traffic on the same port? while it seems it is possible it is not the right way to do it. On 2 Jul 2017 23:37, "Igor Cicimov" wrote: On 3 Jul 2017 8:35 am, "Igor Cicimov" wrote:

Re: How can we start haproxy in Linux

2017-07-02 Thread Andrew Smalley
Hello Sabeer You will find that information in the link I provided in my previous reply. Also could you please keep your replies to the mailing list so all can see please. On 2 Jul 2017 4:39 p.m., "Sabeer Basheer" <sabeerkbash...@gmail.com> wrote: > Hi Andrew

Re: How can we start haproxy in Linux

2017-06-30 Thread Andrew Smalley
Sabeer The command will kill haproxy by pid number kill $(cat /var/run/haproxy.pid) However a more basic understanding of haproxy will help https://www.haproxy.com/doc/hapee/1.5/administration/init.html Andrew Smalley Loadbalancer.org Ltd. www.loadbalancer.org <https://www.loadbalancer.

Re: Reg: HAProxy 1.6.12 on RHEL7.2 (MAXCONN in FRONT-END/LISTEN BLOCK)

2017-06-28 Thread Andrew Smalley
content track-sc0 hdr(Authorization) if METH_POST document_request is_upload use_backend 429_slow_down if mark_seen too_many_uploads_by_user backend be_429_slow_down timeout tarpit 2s errorfile 500 /etc/haproxy/errorfiles/429.http http-request tarpit Andrew Smalley Loadbalancer.org Ltd

Re: Reg: HAProxy 1.6.12 on RHEL7.2 (MAXCONN in FRONT-END/LISTEN BLOCK)

2017-06-27 Thread Andrew Smalley
... I am sure there is a way where there is a will! Andrew Smalley Loadbalancer.org Ltd. www.loadbalancer.org <https://www.loadbalancer.org/?gclid=ES2017> <https://plus.google.com/+LoadbalancerOrg> <https://twitter.com/loadbalancerorg> <http://www.linkedin.com/company

Re: MySQL layer7 balancing

2017-06-11 Thread Andrew Smalley
ht 100 check inter 4000 rise 2 fall 2 minconn 0 maxconn 0 on-marked-down shutdown-sessions server Read3 192.168.0.14 weight 100 check inter 4000 rise 2 fall 2 minconn 0 maxconn 0 on-marked-down shutdown-sessions Andrew Smalley Loadbalancer.org www.loadbalancer.org <https://www

Re: HAProxy for Centos 7

2017-04-25 Thread Andrew Smalley
access. You could of-course spin up a VM on your desktop and compile manually or using the below RPMSPEC file https://github.com/ITV/rpm-haproxy But sadly yet again you will not be able to install or start the service as root without access. Regards Andrew Smalley Loadbalancer.org Ltd

Re: haproxy deleting domain socket on graceful reload if backlog overflows

2017-04-12 Thread Andrew Smalley
live and active/ready to handle connections. Also there is a SYN_BLOCK firewall rule required during the reload? I ask because we have had no reports of such a race condition. Regards Andrew Smalley Loadbalancer.org Ltd. On 12 April 2017 at 23:34, James Brown <jbr...@easypost.com>

Re: haproxy deleting domain socket on graceful reload if backlog overflows

2017-04-12 Thread Andrew Smalley
haproxy instance has no more clients left it dies silently leaving all the clients on the new haproxy instance. This is expected behavior as you want the first haproxy to die when the last client leaves. Regards Andrew Smalley Loadbalancer.org Ltd. On 12 April 2017 at 19:32, James Brown <

Re: add header into http-request redirect

2017-02-26 Thread Andrew Smalley
on a more apposite solution. http://serverfault.com/questions/671916/inject-header-in-haproxy-redirect-function Regards Andrew Smalley Loadbalancer.org Ltd. On 26 February 2017 at 17:45, Michael Ezzell <mich...@ezzell.net> wrote: > > > On Feb 26, 2017 12:14, "Andrew Small

Re: add header into http-request redirect

2017-02-26 Thread Andrew Smalley
Sorry, forgot to include the list. Please share your config so I can see what you are doing? Regards Andrew Smalley Loadbalancer.org Ltd. On 26 February 2017 at 17:32, Bartek Radziszewski <b...@radziszewski.com> wrote: > Andrew, > > Thanks for your answer. Just tested one

Re: add header into http-request redirect

2017-02-26 Thread Andrew Smalley
t;max-age=15552000; includeSubDomains; preload;" acl force src 127.0.0.1 # ip of haproxy reqadd X-Forwarded-Proto:\ https if force redirect scheme https code 301 if !force Regards Andrew Smalley Loadbalancer.org Ltd. On 26 February 2017 at 17:07, Bartek Radzi

Re: add header into http-request redirect

2017-02-26 Thread Andrew Smalley
Hello Bartek I assumed it was haproxy related and as such my example will work. However I hope the link below helps you get going with NGINX https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/ Regards Andrew Smalley Loadbalancer.org Ltd. On 26 February 2017 at 16:47

Re: add header into http-request redirect

2017-02-26 Thread Andrew Smalley
2 minconn 0 maxconn 0 on-marked-down shutdown-sessions Regards Andrew Smalley Loadbalancer.org Ltd. On 26 February 2017 at 16:18, Bartek Radziszewski <b...@radziszewski.com> wrote: > Hi, > > It’s possible to add Strict-Transport-Security header into 301 redirect > (ht

Re: https://www.haproxy.org SEC_ERROR_REVOKED_CERTIFICATE

2017-02-23 Thread Andrew Smalley
Hi All I confirm I get the same and Firefox will not even let me visit the site. Thankfully the http://blog.haproxy.com/ is non ssl so is still available. Regards Andrew Smalley Loadbalancer.org Ltd. On 23 February 2017 at 21:21, James Stroehmann < james.stroehm...@proquest.com>

Re: Status code "-1" in logs

2017-01-19 Thread Andrew Smalley
Hello John Thank you for your clarification, I guess it's an easy mistake to make when you see a 503 and assume it's the error when I knew you were talking about the "-1" issue. Regards Andrew Smalley Loadbalancer.org Ltd. On 19 January 2017 at 00:24, Skarbek, John <john.s

Re: Status code "-1" in logs

2017-01-18 Thread Andrew Smalley
re information could be provided with a valid configuration I hope this helps? I took the information from the Documents available here http://www.haproxy.org/download/1.8/doc/configuration.txt Regards Andrew Smalley Loadbalancer.org Ltd. On 18 January 2017 at 21:04, Skarbek, John <john.skar...

Re: Can I specify a wildcard redirect

2016-10-27 Thread Andrew Smalley
ation %[capture.req.uri,regsub(^/de,)] if { path_beg /de }" looks even better. Regards Andrew Smalley Loadbalancer.org Ltd. https://www.loadbalancer.org/ On 27 October 2016 at 12:03, Michael Ezzell <mich...@ezzell.net> wrote: > On Oct 27, 2016 6:41 AM, "Jürgen Haas" <

Re: Can I specify a wildcard redirect

2016-10-27 Thread Andrew Smalley
hope that helps? I am not sure there is much more I can share here with regard your request. Regards Andrew Smalley Loadbalancer.org Ltd. On 27 October 2016 at 10:21, Jürgen Haas <juer...@paragon-es.de> wrote: > Hi Andrew, > > I'm responding directly as your message went

Re: Can I specify a wildcard redirect

2016-10-25 Thread Andrew Smalley
how it works on its own. Regards Andrew Smalley Loadbalancer.org Ltd. On 25 October 2016 at 15:18, Jürgen Haas <jurgenh...@paragon-es.de> wrote: > Thanks Andrew, > > That's the same regex that I have in my backend definition. But I also > need the ACLs to make sure that

Re: Can I specify a wildcard redirect

2016-10-25 Thread Andrew Smalley
/(.*) \1\ /\2 Regards Andrew Smalley Loadbalancer.org Ltd. On 25 October 2016 at 10:35, Jürgen Haas <jurgenh...@paragon-es.de> wrote: > Hi Andrew, > > just not having luck with this. Here is my rule which is certainly used > when e.g. calling https://www.arocom.de/de/team but i

Re: Can I specify a wildcard redirect

2016-10-24 Thread Andrew Smalley
Hello Jürgen In that case I think you will want something like acl de_url path_beg /de reqrep ^([^\ :]*)\ /de/\d+/(.+)/? \1\ /\2 redirect prefix / code 301 if de_url Regards Andrew Smalley Loadbalancer.org Ltd. On 24 October 2016 at 10:19, Jürgen Haas <jurgenh...@para

Re: Can I specify a wildcard redirect

2016-10-24 Thread Andrew Smalley
www.domain.com redirect code 301 location http://www.domain.com/ if is_domain is_de Regards Andrew Smalley Loadbalancer.org Ltd. On 24 October 2016 at 09:53, Jürgen Haas <jurgenh...@paragon-es.de> wrote: > Hi all, > > one of my clients is looking for a wildcard redirect to get r

Re: HaProxy for SFTP load balancing

2016-10-18 Thread Andrew Smalley
192.168.100.101:22 weight 100 check port 22 inter 4000 rise 2 fall 2 minconn 0 maxconn 0 on-marked-down shutdown-sessions Regards Andrew Smalley Loadbalancer.org Ltd. On 18 October 2016 at 15:16, <malreddy.t...@abinnovative.com> wrote: > Hi Andrew, > > > > We need High

Re: HaProxy for SFTP load balancing

2016-10-06 Thread Andrew Smalley
maxconn 4 server RIP_ 192.168.100.0:80 weight RIP_Name check inter 4000 rise 2 fall 2 minconn 100 maxconn 0 on-marked-down shutdown-sessions I hope this helps? Regards Andrew Smalley Loadbalancer.org Ltd. On 6 October 2016 at 15:07, vi...@abinnovative.com <

Re: PEM file question

2016-09-28 Thread Andrew Smalley
--- You then tell haproxy to use the combined pem file for SSL termination. I hope this helps. Regards Andrew Smalley Loadbalancer.org Ltd. On 28 September 2016 at 16:13, robert johnson <robert.john...@intertek.com> wrote: > Hi Guys, > > I tried searching the mailing list wit

Re: Certificate Authentication failing Outlook 2016

2016-07-12 Thread Andrew Smalley
Hello Alberto I think you will want something like this. If the client does not have an SSL Cert in their browser they will not be able to connect. http://blog.haproxy.com/2012/10/03/ssl-client-certificate-management-at-application-level/ Regards Andrew Smalley Loadbalancer.org http

Re: TLS version by hostname

2016-06-09 Thread Andrew Smalley
Hi Ed I'd say what you are asking is a no with a single vip. However if you chain a vip with all ssl tls allowed on the first vip with an acl Then rather than your backend being real servers make the backend 2 more vips one with the tls version and another without that would work very well for

Re: HAproxy and ftp_put response "504 Timeout"

2016-05-16 Thread Andrew Smalley
its not working Regards Andrew Smalley Loadbalancer.org http://www.loadbalancer.org On 16 May 2016 at 14:35, Info (ITpartner.ee) <i...@itpartner.ee> wrote: > Well yes, internal php script makes a call to some outside FTP server, >

Re: HAproxy and ftp_put response "504 Timeout"

2016-05-16 Thread Andrew Smalley
Juri You're welcome. I made an assumption that you would need to also loadbalance port 21 for ftp. Is your php script making a call to an external service or is it behind haproxy? Regards Andrew Smalley Loadbalancer.org http://www.loadbalancer.org On 16 May 2016 at 14:24, Info (ITpartner.ee

Re: HAproxy and ftp_put response "504 Timeout"

2016-05-16 Thread Andrew Smalley
check frontend ftp_front bind *:21 default_backend ftp_back backend ftp_back mode tcp balance roundrobin server admin 192.168.11.254:21 check Regards Andrew Smalley Loadbalancer.org http://www.loadbalancer.org On 16 May 2016 at 14:02

Re: Q: about HTTP/2

2016-04-01 Thread Andrew Smalley
Hello Baptiste, We have been asked questions about HTTP/2 but it does not seem to be a block when we say it's not fully supported in Layer7 Regards Andrew Smalley Loadbalancer.org http://www.loadbalancer.org On 1 April 2016 at 11:25, Baptiste <bed...@gmail.com> wrote: > On Fri, Ap