On 21/02/2012 20:20, Cyril Bonté wrote:
You could optimize your configuration by merging the 2 listen parts to
share the maxconn limits.
In your case, it could be something like :
listen http_https
bind 0.0.0.0:80
bind 0.0.0.0:81
mode http
cookie WEBSERVERID insert
option httplog
balance
;-)
--
Cyril Bonté
), and couldn't reproduce your issue : in both cases,
requests are rate limited.
Are you alone during your tests or is there huge traffic with a lot of IPs ?
--
Cyril Bonté
no
more connections.
Note that this is not true on FreeBSD for example, where haproxy has to
completely shutdown the connections during the reload.
--
Cyril Bonté
300 - 400.
Seems strange to me.
Thank you for any help you can give me.
Best regards
Sebastian
--
Cyril Bonté
the configuration, your line stat refresh s is
wrong and ineffective (missing numbers for the refresh, which currently
disables the action, but could imply a bug in future versions).
--
Cyril Bonté
request on the faulty backend (with
curl for example) when it is detected down, probably you'll see the same
issue, or it could be slow.
Maybe your ephemeral port range is too short.
Can you provide some sysctl values such as net.inet.ip.portrange.* ?
--
Cyril Bonté
options will solve each question ;-)
Thanks for your time,
Lyle
--
Cyril Bonté
in front of haproxy,
configured to receive incoming HTTPS request on port 443 and forward the
plain text HTTP request to haproxy on port 80.
Hope this helps.
--
Cyril Bonté
of 55 seconds, block all further
calls for the next 5 seconds.
Can I do this? And if I do, it should limit my bandwidth then correct?
(...)
--
Cyril Bonté
in the apache configuration. This is not
necessarily something heavily known.
Example :
ServerName https://someserver.somedomain
It will enforce such redirects to use an https url.
http://httpd.apache.org/docs/2.2/mod/core.html#servername
--
Cyril Bonté
. I had to increase the constant to 4096 (capture of
full UA, and Referer are costly).
Best regards,
--
Damien
--
Cyril Bonté
--
Cyril Bonté
- Original message -
From: Benoit GEORGELIN (web4all) benoit.george...@web4all.fr
To: Cyril Bonté cyril.bo...@free.fr
Cc: haproxy@formilux.org
Sent: Thursday 3 November 2011 10:47:57
Subject: Re: Haproxy 502 errors, all the time on specific sites or backend
Humm very interesting
in these ports, only haproxy.
Thanks
--
Cyril Bonté
in the global section of your configuration.
Once this works, you can also try to use -sf instead of -st.
Hope this helps.
--
Cyril Bonté
maxconn 900 cookie srv1
check inter 2000 fall 3
server lb-srv2 lb-srv2.private:82 maxconn 900 cookie srv2
check inter 2000 fall 3
---
--
Cyril Bonté
--
Cyril Bonté
as data and won't be analyzed.
--
Cyril Bonté
On Thursday 29 September 2011 10:28:54, Dan Cryer wrote:
Unsubscribe
--
Cyril Bonté
in kernel 2.6.39.3 and later.
Kernel bugzilla is down right now but the bug is referenced here :
https://bugzilla.kernel.org/show_bug.cgi?id=42012
From the netdev archive, a patch has been proposed to fix the regression :
http://www.spinics.net/lists/netdev/msg173766.html
--
Cyril Bonté
/result_aaa/
Isn't it a 404 ?
--
Cyril Bonté
timeout server 30
Maybe this can help you for the next steps ;-)
--
Cyril Bonté
haproxy is not retrying
the TCP connection before returning a 502 - I thought that the option
redispatch and retries 10 would ensure another go.
option redispatch works for servers that are down. If the request has already
been sent to a server, haproxy can't resend it to a new one.
--
Cyril
.
--
Cyril Bonté
-server-close, you should
define a timeout http-keep-alive to reduce the ttl of idle keep-alive
connections.
--
Cyril Bonté
? This would explain you don't see them if those clients didn't send any data
for 5 seconds (as defined by your timeout).
timeout http-request 5s
--
Cyril Bonté
Hi Willy and the list,
I couldn't find time for haproxy for some weeks. Now I'm on holidays, I try to
review some patches I had on my test machine.
One of them is the possibility to limit the number of HTTP keep-alive
connections to allow a better concurrency between clients.
I propose to add
-81,5-82,5-83,5-84,5-85,5-86,5-87,5-88,5-89,5-90,5-91,5-92,5-93,5-94,5-95,5-96,5-97
It will check byte=0-
then 5-0
then 5-1
then ...
--
Cyril Bonté
know what the cause of that is, but I hope you are able to
restore this.
From the haproxy statistics, it looks like the main server is currently down
and the backup is not really up to date :
http://demo.1wt.eu/
--
Cyril Bonté
known late in
the request process, after the headers manipulation, which makes your
condition never match.
Sorry to say that you can't do it like this.
--
Cyril Bonté
:\ 172.31.0.118
server node2 172.31.0.118:85
This is just some ideas (not tested), or you can try to add some conditions
directly in your apache configuration.
Hope this helps.
--
Cyril Bonté
-variables.html#sysvar_max_connect_errors
--
Cyril Bonté
the sockets.
See this thread where we first discussed about that issue :
http://www.mail-archive.com/haproxy@formilux.org/msg04836.html
And a bug report in the kernel where the regression was discussed :
https://bugzilla.kernel.org/show_bug.cgi?id=32832
--
Cyril Bonté
I've started to work on a fix and can try to send a patch soon.
In the same idea, they don't use timeout http-request but it looks like the
same issue exists.
--
Cyril Bonté
Hi again,
I answer to myself ;-)
On Monday 20 June 2011 19:12:25, Cyril Bonté wrote:
While auditing a server today, I encountered an issue with the HTTP
keep-alive timeout. It just didn't work and connections stayed alive for 5
minutes (their client/server timeout).
The fact
timeout http-keep-alive 3s
timeout http-request 3s
--
Cyril Bonté
was to provide a warning.
But well, it doesn't prevent 1.4.16 to be released, as you said it works as
designed and it can be fixed quite easily in the configuration ;-)
--
Cyril Bonté
to be published :-)
I'll try to restart this development as soon as possible and submit a minimal
version of the converter. Then it will be possible to enhance it
incrementally.
--
Cyril Bonté
available in the last
snapshot).
--
Cyril Bonté
--
Cyril Bonté
As reported by Lauri-Alo Adamson, version 1.5-dev6 doesn't support
stick-tables with a binary type.
This issue was introduced in the commit 4f92d32 where a line was erroneously
deleted, and is 1.5-specific.
---
src/stick_table.c |1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff
^([^\ ]*)\ /uri/list/([^\ ]*)\ (.*) \1\ /service/list?key=%22\2%22\ \3
This should rewrite the following line :
GET /uri/list/foo HTTP/1.0
as :
GET /service/list?key=%22foo%22 HTTP/1.0
--
Cyril Bonté
option http-server-close
(which enables client HTTP keepalive and allows to analyze each request of a
connection).
With option http-server-close, you can also have a look at timeout
http-keep-alive and option http-pretend-keepalive.
--
Cyril Bonté
can confirm it comes from this
kernel patch, as soon as I remove the TCPF_CLOSE flag condition from the
kernel, haproxy is able to rebind the ports on reload.
--
Cyril Bonté
to be responsible for that behaviour:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c191a836a908d1dd6b40c503741f91b914de3348
Hope this helps.
--
Cyril Bonté
=64e9c90e69cd8b0fe8dd60024ccbe528705fbd8f
--
Cyril Bonté
?
At first glance, I cannot spot anything wrong.
I think there's a bug in the function acl_fetch_src_conn_cur() :
its code contains return acl_fetch_conn_cnt(...)
where it probably should be return acl_fetch_conn_cur(...)
Sorry, I can't test it tonight but maybe this can help you.
--
Cyril Bonté
is already working on it.
--
Cyril Bonté
As reported by Bryan Talbot, enabling and disabling a server in a disabled
proxy causes a segfault.
Changing the weight can also cause a similar segfault.
---
src/dumpstats.c | 18 ++
1 files changed, 18 insertions(+), 0 deletions(-)
diff --git a/src/dumpstats.c
Similar to the stats socket bug, we must check that the proxy is not disabled
before trying to enable/disable a server.
Even if a disabled proxy is not displayed, someone can inject a faulty proxy
name in the POST parameters. So, we must ensure that no disabled proxy can be
used.
---
if it works).
--
Cyril Bonté
it be due to a HTTP keep-alived
connection ?
--
Cyril Bonté
connector : please replace
enableLookup by enableLookups, that should do the trick ;-)
--
Cyril Bonté
with your cookie stickiness.
--
Cyril Bonté
.
Nevermind, it's now ready ;-) I'll send the patch just after this mail.
--
Cyril Bonté
Some browsers send POST requests in several packets, which was not supported
by the stats admin function.
This patch allows to wait for more data when they are not fully received
(we are still limited to a certain size defined by the buffer size minus its
reserved space).
It also adds support for
was writing this mail, I've seen that every requests are now OK, I've
you fixed something ?
--
Cyril Bonté
This patch provides some statistics about the conditions used in the
configuration. The main goal is to have a debugging tool to track
misconfigurations or to understand how the rules are applied.
The statistics are available on the UNIX socket with the below command :
show conds
Counters can
0 0 1-1-1-2 !METH_OPTIONS
1-1-2-0 [OR]
0.00 0 0 1-1-2-1 METH_POST
0.00 0 0 1-1-2-2 missing_cl
I hope it's clear enough for a first approach ;-)
--
Cyril Bonté
, support for -f was
added in 1.4-dev1:
- [MEDIUM] config: support loading multiple configuration files
am i missing something?
Oh ok, this is not the same -f at all. The one you quote is for the command
line options, to explode the haproxy configuration file in several ones.
--
Cyril Bonté
will follow in a few minutes ;-)
--
Cyril Bonté
Since haproxy 1.4.9, combining option httpclose and option
http-pretend-keepalive can leave the connections opened until the backend
keep-alive timeout is reached, providing bad performances.
The same can occur when the proxy is in tunnel mode.
This patch ensures that the server side connection
with this change, I'll apply it that way.
It's OK for me, all the tests passed with nginx in front of haproxy with this
update (and also using ab).
I think that a 1.4.12 will be needed, considering we already had a report
for this issue :-/
1.4.11, or I missed something :-)
--
Cyril Bonté
effect. With this patch, a forced close is applied
in that case too.
If it's ok for you, I'll resend the updated patch in a correct way.
--
Cyril Bonté
On Wednesday 15 December 2010 10:09:19, Willy Tarreau wrote:
On Wed, Dec 15, 2010 at 09:01:32AM +0100, Cyril Bonté wrote:
(...)
The idea is to check each proxy in the scope of the stats and compare
their bind-process mask with the current stats proxy.
I would do something simpler : only
on
the original script provided in the debian package with a few lines modified
to recursively find .cfg files in the conf.d directory (maybe it's not the
last version but here is the idea).
--
Cyril Bonté
haproxy.debian-multi.init
Description: application/shellscript
section. I guess
there's one (with mode http) and depending on what is in it (or not), it may
explain things.
Are you sure you are using option httpclose or option http-server-close ?
Without that, reqirep and your acls will only work on the first request of a
connection.
--
Cyril Bonté
:
use_backend apache_fooh if bot fooh
use_backend apache_fooc if fooc
use_backend apache_foothumb if foothumb
use_backend apache_foo if foo
= foo must match only if fooc or foothumb didn't.
--
Cyril Bonté
balance leastconn
server server8080 10.10.14.127:8080 check
server server8081 10.10.14.127:8081 backup check
backend apache
balance leastconn
server server8080 10.10.14.127:8080 check
server server8081 10.10.14.127:8081 check
--
Cyril Bonté
Hi again,
On Thursday 16 December 2010 03:26:54, Cyril Bonté wrote:
Well, in your examples I noticed 2 things :
- some path_beg are wrong (missing a / at the beginning)
(...)
Argh, sorry for the spam, but after viewing your mail sources, I've discovered
that my mailer is broken since several
On Thursday 16 December 2010 06:21:08, Shawn Heisey wrote:
On 12/15/2010 9:20 PM, Shawn Heisey wrote:
On 12/15/2010 7:50 PM, Cyril Bonté wrote:
This configuration
should work (fixed the acl and merged all the reqirep in the
frontend) :
The things that match /foo* can't use the tomcat
should be httpclose instead of http_close
---
doc/configuration.txt |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 18c4047..fc1a901 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -3328,7 +3328,7 @@
During the documentation of the ignore-persist keyword, I documented an
invalid option ignore-persist and forgot to remove it. It's time to fix it.
---
doc/configuration.txt | 24
1 files changed, 0 insertions(+), 24 deletions(-)
diff --git a/doc/configuration.txt
Using haproxy in multi-process mode (nbproc 1), some features can be
not fully compatible or not work at all. haproxy will now display a warning on
startup for :
- appsession
- sticking rules
- stats / stats admin
- stats socket
- peers (fatal error in that case)
---
doc/configuration.txt | 41
one process-number.
There are maybe some other (and better) solutions, discussion is opened ;-)
--
Cyril Bonté
On Wednesday 8 December 2010 13:11:10, Craig wrote:
On 06.12.2010 22:31, Cyril Bonté wrote:
I don't know if you still need them, but as I'll also need them soon,
I've rediffed both patches.
You'll find in attachment :
- stunnel-4.34-listen-queue.diff
- stunnel-4.34-xforwared
Hi all,
For my needs, I've updated the sendproxy patch for stunnel 4.34 and prepared
another one to backport the PROXY protocol in haproxy 1.4.10.
Maybe it can interest someone else than me.
--
Cyril Bonté
diff -ru haproxy-1.4.10/doc/configuration.txt haproxy-1.4.10-accept-proxy/doc
is for SERVER 1
Next request will be OK because request-learn previously repaired the session
hash and could be like this :
### Request 4 ###
Process : 2
Client cookie : JSESSIONID=HZEEB54EBF02B24933A0825
Server retrieved (session hash entry) : SERVER 1
Server cookie : none
--
Cyril Bonté
Hi Joe,
On Monday 4 October 2010 21:42:09, Joe Williams wrote:
Anyone have updated patches for stunnel 4.34, specifically for the listen
queue length and X-Forwarded-For? The patches on the haproxy site don't
seem to work.
I don't know if you still need them, but as I'll also need them
--
Cyril Bonté
On Sunday 28 November 2010 10:39:49, Hank A. Paulson wrote:
Looks good in my limited test cases, headers are gone regardless of
ordering of del statements, but in your notes:
I've also replayed the tests I made on friday and all of them are now OK with
the patch.
--
Cyril Bonté
servers configurations today.
I'll have to debug that !
Cheers,
Willy
--
Cyril Bonté
1--ssl --num-call 1
without any problem, which was not the case before.
Now, as it's shared with the stats, I don't know what to do.
Should we use the listener backlog value for both or should we keep 0 for the
stats ?
--
Cyril Bonté
by uxst_bind_listener(). Probably that it will be easier
to move its code there and get rid of the function.
Do you want to send a patch with that ?
OK to send a patch, just the time to merge create_uxst_socket() in
uxst_bind_listener(), then, and doing some tests ;-)
--
Cyril Bonté
Hi again Willy,
you'll find the patch to fix the listen backlog for unix sockets.
I split it in 2 patches to let you decide if create_uxst_socket() can disappear
;-)
[PATCH 1/2] [MINOR] unix sockets : inherits the backlog size from the listener
[PATCH 2/2] [CLEANUP] unix sockets : move
Since unix sockets are supported for bind, the default backlog size was not
enough to accept the traffic. The size is now inherited from the listener
to behave like the tcp listeners.
This also affects the stats socket backlog, which is now determined by
stats maxconn.
---
src/proto_uxst.c |
The code of create_uxst_socket() is moved in uxst_bind_listener() so that we
don't need to pass a lot of parameters, as it was only called there.
---
src/proto_uxst.c | 183 +-
1 files changed, 84 insertions(+), 99 deletions(-)
diff --git
+3949,7 @@
s-rep-lr -= s-req-size;
s-req-analysers |= s-listener-analysers;
+ s-req-analysers = ~AN_REQ_DECODE_PROXY;
s-rep-analysers = 0;
http_silent_debug(__LINE__, s);
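Review bot: on the added line that follows `s-req-analysers |= s-listener-analysers;`, the operator shown is a plain `=`, which would replace the whole analyser set with `~AN_REQ_DECODE_PROXY` instead of clearing that one flag from the analysers just OR-ed in from the listener; if clearing the flag is the intent, use `&=`. A one-line comment stating why AN_REQ_DECODE_PROXY must be dropped at this point would also help the next reader.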
I'll make some tests on the other features soon.
--
Cyril Bonté
On Friday 12 November 2010 15:05:40, Willy Tarreau wrote:
On Fri, Nov 12, 2010 at 02:07:22PM +0100, Cyril Bonté wrote:
- support for binding to UNIX socket on the accept side. Haproxy can
now receive connections over a UNIX socket. This is particularly
useful when
18627 : abc4JPQflUaXrbKuuQaXs.1 = server2 (created)
At the last line, when I access the page with
jsessionid=abc_LqOuNI2_ldhwqQaXs.1, The haproxy give me an new JSESSIONID.
In fact, this is not haproxy but your backend server.
--
Cyril Bonté
On Friday 12 November 2010 18:16:15, Cyril Bonté wrote:
Also, as you're manipulating headers, you need option httpclose or
option server-close, else only the first request of a connection will be
modified/analysed.
please read option http-server-close ;-)
--
Cyril Bonté
the user wouldn't have lost the session).
This can't always happen but can help reduce the risk.
I hope I was clear enough, after a long day it's not always easy to explain
things ;-)
--
Cyril Bonté
Hi Willy,
Please find 2 patches to try to improve some error messages,
and a small cleanup.
[MINOR] config: detect options not supported due to compilation options
[MINOR] startup: print the proxy socket which caused an error
[CLEANUP] Remove unneeded chars allocation
--
Cyril Bonté
Add the address and port to the error message of the proxy socket that caused
the error. This can be helpful when several listening addresses are used in a
proxy.
---
src/proxy.c | 26 ++
1 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/src/proxy.c
Some arrays used to log addresses add some more bytes for ports but this space
is never used.
---
src/dumpstats.c |2 +-
src/log.c|2 +-
src/proto_http.c |4 ++--
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/dumpstats.c b/src/dumpstats.c
index
can't help you much more but I hope these results will give you some points
of comparison. What is the hardware of your Virtualbox server ?
--
Cyril Bonté
(...)
Those options are not for haproxy itself but for halog (see the directory
contrib/halog in the sources archive) ;-)
--
Cyril Bonté
and which haproxy version
was running ?
For simple tests, I've already played with haproxy in VirtualBox, kvm and
openVZ, but never met such differences. But that can depend on your tests.
btw, I still have my VirtualBox VM's available, so I can try to reproduce your
tests.
--
Cyril Bonté
ip:port maxconn 100 maxqueue 1 track
b_mysitetocheck/server3
--
Cyril Bonté