Re: Haproxy & F5 usage question

2013-01-09 Thread Willy Tarreau
On Thu, Jan 10, 2013 at 07:28:29AM +0100, Pär Åslund wrote: > Hello, > > Not sure what you mean with F5 not seeing the header. tcpdump on the F5 to > verify? > > Fix it in F5. This iRule should make persistence based on X-Forwarded-For. > > when HTTP_REQUEST { > if {[HTTP::header X-Forwarded-For

Re: [PATCH] Add OpenSSL engine support

2013-01-09 Thread Willy Tarreau
On Thu, Jan 10, 2013 at 03:01:29AM +0100, Vincent Bernat wrote: > ❦ 10 January 2013 00:24 CET, Willy Tarreau  : > > >> It depends how AES-NI is compiled in your OpenSSL. On Ubuntu, AES-NI > >> support is builtin and selected automatically. But if people are using > >> implementations from Intel

Re: Haproxy & F5 usage question

2013-01-09 Thread Pär Åslund
Hello, Not sure what you mean with F5 not seeing the header. tcpdump on the F5 to verify? Fix it in F5. This iRule should make persistence based on X-Forwarded-For. when HTTP_REQUEST { if {[HTTP::header X-Forwarded-For] != ""}{ persist uie [HTTP::header X-Forwarded-For] 600 } } 600 is the persi

Re: [PATCH] Add OpenSSL engine support

2013-01-09 Thread Vincent Bernat
❦ 10 January 2013 00:24 CET, Willy Tarreau  : >> It depends how AES-NI is compiled in your OpenSSL. On Ubuntu, AES-NI >> support is builtin and selected automatically. But if people are using >> implementations from Intel for older versions of OpenSSL, the engine >> needs to be selected by hand.

Re: [PATCH] Add OpenSSL engine support

2013-01-09 Thread Willy Tarreau
On Thu, Jan 10, 2013 at 12:49:19AM +0100, Lukas Tribus wrote: > > > Interesting. Are these implementations still in use ? This seems more > > like early experimentations than definitive releases to me. I don't > > know if such versions were shipped in any LTS distro, so most likely > > they'll qui

RE: [PATCH] Add OpenSSL engine support

2013-01-09 Thread Lukas Tribus
> Interesting. Are these implementations still in use ? This seems more > like early experimentations than definitive releases to me. I don't > know if such versions were shipped in any LTS distro, so most likely > they'll quickly disappear. Am I wrong ? Looks like you are correct. In openssl 1.0

Re: Backend Server Dynamic Configuration

2013-01-09 Thread KT Walrus
Zachary, I guess I'll have to spend some time researching puppet (and/or chef). Thanks for the reference. Kevin On Jan 9, 2013, at 6:18 PM, Zachary Stern wrote: > Case in point for why puppet (and probably also chef) is perfect here. > > You can manage the config with puppet, and have the s

Re: Backend Server Dynamic Configuration

2013-01-09 Thread KT Walrus
Willy, Thanks for your thoughts. I see that you have thought about these issues much more than I have. I just wanted to get you some feedback from a potential haproxy user. As for your point that I would need to edit the static configuration file incase of a complete restart of HAProxy, I wo

Re: [PATCH] Add OpenSSL engine support

2013-01-09 Thread Willy Tarreau
Hi Vincent, On Thu, Jan 10, 2013 at 12:15:44AM +0100, Vincent Bernat wrote: > ❦ 5 January 2013 09:06 CET, Willy Tarreau  : > > > Did you get a significant performance gain with padlock ? I've not had > > the chance to test one yet. I don't even know if it requires an engine > > or not. At lea

Re: Backend Server Dynamic Configuration

2013-01-09 Thread Zachary Stern
Case in point for why puppet (and probably also chef) is perfect here. You can manage the config with puppet, and have the service "subscribe" to the config file, so that it autorestarts or reloads every time puppet changes it. On Wed, Jan 9, 2013 at 6:14 PM, Willy Tarreau wrote: > Hi Kevin, >

Re: [PATCH] Add OpenSSL engine support

2013-01-09 Thread Vincent Bernat
❦ 5 January 2013 09:06 CET, Willy Tarreau  : > Did you get a significant performance gain with padlock ? I've not had > the chance to test one yet. I don't even know if it requires an engine > or not. At least with aes-ni, it's included in the native code, you > don't need the engine (and the pe

Re: Backend Server Dynamic Configuration

2013-01-09 Thread Willy Tarreau
Hi Kevin, On Wed, Jan 09, 2013 at 04:13:28PM -0500, Kevin Heatwole wrote: (...) > 1. Setting new interval time for subsequent configuration checks to the > server. > 2. Setting new maxconn or weight for the server (allowing backend to > "throttle" or "increase" load for itself). > 3. Setting

Re: Backend Server Dynamic Configuration

2013-01-09 Thread Kevin Heatwole
I understand your point. The fact is that I am running on a very small budget. I need the site to scale, but I also need to only use as few servers as possible (Amazon EC2 instances aren't that cheap unless I can minimize the size and number of instances used). Although my budget is small, I

Re: Backend Server Dynamic Configuration

2013-01-09 Thread Willy Tarreau
On Wed, Jan 09, 2013 at 11:01:40PM +, Steven Acreman wrote: > We use chef and ohai which talks to AWS to calculate node counts for > servers based off tags and metadata. We then have a cookbook that generates > the haproxy.cfg every time chef runs (on a cron). If the file changes we > reload th

Re: Backend Server Dynamic Configuration

2013-01-09 Thread Steven Acreman
We use chef and ohai which talks to AWS to calculate node counts for servers based off tags and metadata. We then have a cookbook that generates the haproxy.cfg every time chef runs (on a cron). If the file changes we reload the config which seems to keep the sessions alive. There are far simpler

Re: Unusually high cpu usage after upgrade to 1.5dev17

2013-01-09 Thread Willy Tarreau
Hi Christian, On Wed, Jan 09, 2013 at 03:27:11PM +, Christian Becker wrote: > On 09.01.2013, at 14:55, Lukas Tribus wrote: > > > > >> In the mean time I've downgraded to the old kernel, but the performance > >> issues persist. So this seems to be an issue in haproxy. > > > > This is very s

Re: Backend Server Dynamic Configuration

2013-01-09 Thread Zachary Stern
If you need this kind of functionality, you are probably running some kind of large infrastructure right? Or at least a lot of webservers or backend servers. You would do well to look into some automation there. There are plenty of existing tools. On Wed, Jan 9, 2013 at 5:47 PM, Kevin Heatwole w

Re: Backend Server Dynamic Configuration

2013-01-09 Thread Kevin Heatwole
You might be right that the best way to do dynamic configuration is to have a tool from a third-party (or created in house) that does monitoring of the backend servers and edits the config file itself and reloads haproxy. I just don't want the hassle of finding such tools or writing my own. Ma

Re: Haproxy & F5 usage question

2013-01-09 Thread Baptiste
This is interesting. Could you share this irule here? So you have several ways... First one, which won't work, would be to use the proxy protocol... unfortunately, F5 does not support it yet... Maybe an irule could do it, that said... second one, would be to do transparent proxying on your HAProx

Re: Backend Server Dynamic Configuration

2013-01-09 Thread Zachary Stern
Right, and my point is that you can make it dynamic without changing the way haproxy itself works. What you're asking for seems like making haproxy itself overcomplicated, especially for people with simple deployments. But hey, maybe I'm 100% wrong. In fact, let's operate on that assumption. On Wed

Re: Backend Server Dynamic Configuration

2013-01-09 Thread Kevin Heatwole
I guess I wasn't clear again. I'm not talking about "editing" the configuration file and reloading HAProxy. My suggestion is simply to implement a dynamic interface to the backend servers so they can change the current behavior of the HAProxy instance (especially in a load balanced HAProxy bac

Re: Backend Server Dynamic Configuration

2013-01-09 Thread Zachary Stern
I understood completely KT. It's perfectly possible to add new lines to the haproxy config dynamically and automatically using things like puppet. E.g. my iptables configurations are dynamically generated as I spin up new servers, using puppet and the rackspace API. You could do something similar,

Re: Backend Server Dynamic Configuration

2013-01-09 Thread KT Walrus
I think you might have misunderstood. By "adding new server", I mean to add it as a server in HAProxy configuration. That is, the effect is to add the "server" line for the new server into the config file. This has nothing to do with launching the server in the cloud. It is the reverse of ma

Re: Backend Server Dynamic Configuration

2013-01-09 Thread Zachary Stern
On Wed, Jan 9, 2013 at 4:13 PM, Kevin Heatwole wrote: > 4. Adding new server to backend by having configuration check return new > server configuration. > I don't know about the other features, but this one I think violates the UNIX philosophy of "do one thing and do it well". There are already

Backend Server Dynamic Configuration

2013-01-09 Thread Kevin Heatwole
The following future potential feature would help me use haproxy more for an upcoming project. I apologize if this is already addressed through existing features or not considered generally useful. Implement new type of health checks, call them "configuration checks". A configuration check wo

RE: Haproxy & F5 usage question

2013-01-09 Thread DeMarco, Alex
Right now it is just a proof of concept idea. Part of the problem is that the F5 we own does not do reverse proxying. At least not without running an iRule that no one on their support department will support you on. Unless I am completely missing something. - Alex From: Jeffrey '

Re: Haproxy & F5 usage question

2013-01-09 Thread Jeffrey 'jf' Lim
On Thu, Jan 10, 2013 at 2:05 AM, DeMarco, Alex wrote: > I have a situation where a backend server defined in HAProxy may be a > vip on our F5. The F5 vip is setup for source persistence. Right now > all the requests to this vip from the haproxy box are all going to one > pool member. Obviou

RE: Haproxy & F5 usage question

2013-01-09 Thread Lukas Tribus
You should be able to deal with this by adding more ips to your haproxy box and configuring 2 backends in haproxy pointing to the same F5 VIP, but with different source-ips [1]. Remember to configure HAproxy for source persistence as well, if your application needs it. [1] http://cbonte.git

Re: Haproxy & F5 usage question

2013-01-09 Thread Chris Sarginson
On 09/01/2013 18:05, DeMarco, Alex wrote: I have a situation where a backend server defined in HAProxy may be a vip on our F5. The F5 vip is setup for source persistence. Right now all the requests to

Haproxy & F5 usage question

2013-01-09 Thread DeMarco, Alex
I have a situation where a backend server defined in HAProxy may be a vip on our F5. The F5 vip is setup for source persistence. Right now all the requests to this vip from the haproxy box are all going to one pool member. Obviously the f5 is seeing the ip of the server and not the true cl

RE: Unusually high cpu usage after upgrade to 1.5dev17

2013-01-09 Thread Lukas Tribus
> In the mean time I've downgraded to the old kernel, but the performance > issues persist. So this seems to be an issue in haproxy. This is very strange. In your first mail you reported that your CPU is spending 30% in userspace and 70% in system. How is your CPU usage now? You are running the

Re: Unusually high cpu usage after upgrade to 1.5dev17

2013-01-09 Thread Baptiste
The latest dev version is the most stable and best performing for SSL. Do you mandatorily need splicing? Can't you simply disable it? cheers On Wed, Jan 9, 2013 at 1:05 PM, Christian Becker wrote: > > On 09.01.2013, at 01:15, Baptiste wrote: > >> Hi, >> >> You should NEVER ever change 2 core s

Re: Rewrite IIS appsession cookie with httponly attribute

2013-01-09 Thread Baptiste
Hi, You can use the rspirep feature: rspirep ^Set-Cookie:\ (appsession.*) Set-Cookie:\ \1;\ HttpOnly should do the trick. It should even be compatible with NTLM. Could you please give it a try and let me know if it works? cheers On Wed, Jan 9, 2013 at 12:51 PM, duncan hall wrote: > For PC

Re: Unusually high cpu usage after upgrade to 1.5dev17

2013-01-09 Thread Christian Becker
On 09.01.2013, at 01:15, Baptiste wrote: > Hi, > > You should NEVER ever change 2 core stuff in your architecture in the > mean time > First upgrade HAProxy, then later upgrade the kernel So if you > have an issue, it would be easier to track which component triggered > it. > In your ca

Rewrite IIS appsession cookie with httponly attribute

2013-01-09 Thread duncan hall
For PCI compliance I need to add the httponly cookie attribute to the appsession cookie set by IIS 6.0. Any thoughts on how I could accomplish the rewriting of this cookie using haproxy? Regards, Duncan

Re: Tilde in haproxy 1.5 log

2013-01-09 Thread William Lallemand
On Tue, Jan 08, 2013 at 05:14:05PM +0100, Baptiste wrote: > sorry, posted too quickly. > you can use the log-format tool to properly format your log line. > > that said, I'm not sure that you can remove this char. > Hello, You can remove the ~ char using log-format. The default variable used in