ocumentation:
> LR The request was intercepted and locally handled by HAProxy. Generally
> it means that this was a redirect or a stats request.
All the best,
Holger
--
Holger JUST (he/him)
Hi Praveen,
There are several fixes for segfaults which might occur in your version
of HAProxy. Before checking anything else, you should upgrade to the
latest version of HAProxy 1.8 (currently 1.8.12).
See http://www.haproxy.org/bugs/bugs-1.8.4.html for bugs fixed in this
version compared to
Hi Mildis (and this time the list too),
Mildis wrote:
> Is there a simple way to limit TLS domain fronting by forcing SNI and Host
> header to be the same ?
> Maybe add an optional parameter like "strict_sni_host" ?
You can do a little trick here to enforce this without having to rely on
Hi Rajesh,
Rajesh Kolli wrote:
> i am getting this error if i use mailers section in my configuration.
The ability to send mail alerts (and thus to configure this with a
mailers section) was added in HAProxy 1.6. If you use an older version,
this feature is not yet available to you.
Once you
Hi Stefan
Stefan Sticht wrote:
> I also can test the webserver directly bypassing the haproxy completely
> (apache2.4 on webserver has "KeepAlive Off" configured)
> $ ab -v 1 -c 10 -n 1000 http://10.27.100.45/test/index.html | grep -e
> Requests -e Complete -e Failed
> Complete requests:
Hi Daniel,
Daniel Schneller wrote:
> root@haproxy-1:~# curl -s http://127.0.0.1:8881
> Aug 1 15:12:55 haproxy-1 haproxy[3049]: 127.0.0.1:45875
> [01/Aug/2017:15:12:55.198] "0"
>
> While the first three are expected, the last one confuses me. Why would
> leaving the header out result in “0”
Hi Mats,
Mats Eklund wrote:
> I am running a load balanced Tomcat application on Openshift Online
> v2, with HAProxy ver. 1.4.22 as load balancer.
With your current config, HAProxy will add a "Connection: close" header
to responses. However, since you mentioned you are running this in an
Hi Willy,
Willy Tarreau wrote:
> The thing is that we normally don't backport any feature anymore to
> stable branches due to the terrible experience in 1.4 where too much
> riskless stuff was backported, then fixed, then removed etc... making
> each subsequent version a pain for certain users.
>
Hi Willy,
thanks for applying the patch!
Willy Tarreau wrote:
> Thanks for the warning, much appreciated. It made me re-read it after
> applying it. But your code is fine, no problem detected! So you're
> becoming a C programmer ;-)
Yeah, we will see about that :)
>> Once verified, I think
Hi Ari,
Aristedes Maniatis wrote:
> In the manual [1] there is an example for using reqrep with syntax
> like this:
>
> # replace "/static/" with "/" at the beginning of any request path.
> reqrep ^([^\ :]*)\ /static/(.*) \1\ /\2
>
> [...]
>
> Firstly, is there no better/cleaner way to
Hi Tim.
Tim Düsterhus wrote:
> I basically want an ACL that matches if 'hdr(host) == ssl_fc_sni' to use
> programming language terminology.
This is not directly possible right now using haproxy ACLs since they
are only able to compare a dynamic value (the fetch) to a static
value. There is
d, I think this converter can be safely added to the
supported stable versions of HAProxy.
Cheers,
Holger
From b6d63d491a82d9297b649b0a4bf043b93e8161ad Mon Sep 17 00:00:00 2001
From: Holger Just <he...@holgerjust.de>
Date: Sat, 6 May 2017 00:56:53 +0200
Subject: [PATCH] MINOR: sample
Hi Krishna,
Krishna Kumar (Engineering) wrote:
> Thanks for your response. However, I want to restrict the requests
> per second either at the frontend or backend, not session rate. I
> may have only 10 connections from clients, but the backends can
> handle only 100 RPS. How do I deny or delay
Hi Krishna,
Krishna Kumar (Engineering) wrote:
> What is the way to rate limit on the entire service, without caring
> about which client is hitting it? Something like "All RPS should be <
> 1000/sec"?
You can set a rate limit per frontend (in a frontend section):
rate-limit sessions 1000
Hi Alexander,
Alexander Lebedev wrote:
> I want to implement CSRF check with haproxy.
> I want to check cookie value matched the header value and deny request
> if they aren't equal.
The ACLs are only equipped to compare a dynamic value (e.g. from a
fetch) with a statically defined value. It
Hi Patrick,
Patrick Kaeding wrote:
> I have one frontend, listening on port 443, and two backends, which send
> traffic to either port 5050 or 5051. The haproxy stats screen is
> showing many more frontend connections than backend (in one case, 113k
> on the frontend, 97k on one backend, and 3k
Hi Gabor,
Gabor Lekeny wrote:
> I would like to create a service which balances the HTTP requests on
> many servers without passing through the traffic on the proxy:
> actually it would redirect (HTTP 3xx) to the target server.
You might be able to use the redir parameter [1] on the server line
Hi Christopher,
Christopher Faulet wrote:
> You did well to reopen the issue. And you're right, this bug is similar
> to the one on redirect rules. I submitted a patch and it will be merged
> soon by Willy (see "[PATCH] 2 fixes for replace-header rules").
Thank you for the fix!
Best,
Holger
irect". However, I couldn't reproduce my
issue when `http-request redirect`, neither with the patch nor without
so it might also be a red herring.
Regards,
Holger
Holger Just wrote:
> Hi there,
>
> I observed some strange behavior when trying to use a `http-response
> replace-header` ru
Hi Atha,
Atha Kouroussis wrote:
> Output from ab against haproxy:
> Concurrency Level: 200
> Time per request: 49.986 [ms] (mean)
If you check these numbers, you'll notice that with a time of 49 ms per
request and 200 concurrent requests, you'll end up at exactly 4000
requests /
Hi Willy,
Recently, you updated the SSL certificate of haproxy.org,
git.haproxy.org, ... to a new certificate from StartSSL.
Unfortunately, recently, there was an incident of several misissued
certificates by this CA as well as shady business decisions involving
WoSign which resulted in Chrome
Hey Willy,
Willy Tarreau wrote:
> I absolutely despise systemd and each time I have to work on the
> wrapper I feel like I'm going to throw up. So for me working on this
> crap is a huge pain each time. But I'm really fed up with seeing
> people having problems in this crazy environment because
Hi there,
I observed some strange behavior when trying to use a `http-response
replace-header` rule. As soon as I start using fetched samples in the
replace-fmt string, the resulting header value is garbled or empty
(depending on the HAProxy version).
Please consider the config in the attachment
Hi Mariusz,
Mariusz Gronczewski wrote:
> we've come to the point when we have to start using nbproc > 1 (mostly
> because going SSL-only in coming months) and as I understand I have
> to bind each process to separate admin socket and then repeat every
> command for each process, and in case of
Hi Takada,
Takada Shigeomi wrote:
> global
> lua-load get_backend.lua
>
> listen example
> mode tcp
> bind :3-5
> server MYSERVER %[lua.backend]
> ---
>
> ---ERROR CONTENT--
> [ALERT] 194/145111 (21636) : parsing [haproxy.cfg:20] : 'server
Hi Willy,
Willy Tarreau wrote:
>> At first I was thinking whether we could track the response status in stick
>> table, then it may be neat. but currently there isn't `http-response
>> track-sc?` directive. can it?
>
> Interesting. No it isn't, just because I think we never found a valid
> use
Hi Olivier,
Olivier Doucet wrote:
> Is there a way to not present the first loaded certificate and refuse
> connection instead ?
You can use the strict-sni argument on the bind line to force the client
to speak SNI and refuse the TLS handshake otherwise.
See the documentation for details at
Hi Willy et al.,
> Thank you for this report, it helps. How often does it happen, and/or after
> how long on average after you start it ? What's your workload ? Do you use
> SSL, compression, TCP and/or HTTP mode, peers synchronization, etc ?
Yesterday, we upgraded from 1.5.14 to 1.5.18 and now
Hi Hugo
Hugo Delval wrote:
> global
> # [...]
> chroot /var/lib/haproxy
>
> # [...]
>
> backend web-backend
> balance roundrobin
> option external-check
> external-check path "/usr/bin:/bin:/tmp"
> external-check command /bin/true
> server web1 127.0.0.1:80 check
>
Hi,
when navigating to a directory of the downloads section on haproxy.org
while omitting the trailing slash, e.g.
http://www.haproxy.org/download/1.5
the response is a 301 redirect to
http://www.haproxy.org:81/download/1.5/
which I assume is generated by the backend Apache by adding
Hi Aleks,
Aleksandar Lazic wrote:
> My conclusion is that with or without " the ${...} is not substituted,
> at least in the bind line.
From your output, it looks like you are using an older version of
HAProxy. The behavior of quoted strings in the config changed in HAProxy
1.6. It appears you
Hi Aleks,
Aleksandar Lazic wrote:
> ### bind :${ROUTER_SERVICE_HTTP_PORT}
> ${ROUTER_SERVICE_HTTP_PORT_BIND_OPTONS} ###
>
> It's look to me that this is not possible.
To quote from Section 2.3 of configuration.txt:
> Those variables are interpreted only within double quotes. Variables
> are
Hi Lukas,
Lukas Tribus wrote:
>>> I don't see it. Can you please elaborate what exact commit ID you are
>>> referring to?
>> You are probably referring to the github fork, which is as always outdated,
>> and where line 2539 points to the local definition of SSL_OP_SINGLE_DH_USE:
>> #ifndef
Hi Lukas,
Lukas Tribus wrote:
> I don't see it. Can you please elaborate what exact commit ID you are
> referring to?
I was looking at
http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/src/ssl_sock.c;h=5cec6a4cd6ce5d16f9564e60fa57b24c46112bac;hb=HEAD#l2539
> As far as I can see we do the exact
Hi there,
following CVE-2016-0701, the OpenSSL project switched the behavior of
the SSL_OP_SINGLE_DH_USE flag to a no-op and forcefully enabled the
feature. This results in OpenSSL always generating a new DH parameters
for each handshake which can protect the private DH exponent from
certain
rds,
Holger
From 32cf0c931f0c4bfd3ea687aa7399e4f95626b6ad Mon Sep 17 00:00:00 2001
From: Holger Just <he...@holgerjust.de>
Date: Fri, 22 Jan 2016 19:23:43 +0100
Subject: [PATCH] BUG/MINOR: Correct weekdays in http_date converter
Days of the week as returned by gmtime(3) are defined as the numbe
Hi,
Willy Tarreau wrote:
> As explained above, it's because a keep-alive enabled client must implement
> the ability to replay requests for which it didn't get a response because
> the connection died. In fact we're forwarding to the client what we saw on
> the server side so that the client can
Hi Willy,
It seems that the loadbalancer or DNS configuration of haproxy.org is
broken right now. When navigating to http://haproxy.org, only Willy's
personal website, normally reachable at http://1wt.eu is returned.
haproxy.org currently resolves to 195.154.117.161 and
2001:7a8:363c:2::2. The
Hi Willy,
Willy Tarreau wrote:
> Some virtual host routing needs to be fixed there. For now the PSU was
> replaced and everything's OK.
Thanks for the quick turnaround! A+ support. Would buy again :)
Best,
Holger
Hi BLN,
bln prasad wrote:
I'm not sure why health check is failing if it's localhost on few
systems and this is observed with only 1.5.14 version.
ideally there should not be any difference between localhost and
127.0.0.1 right.
Localhost can resolve to several different IPs, including
*
sure on their own that the data required to update the
stick table entry is still available?
Thank you for your feedback.
--Holger
Holger Just wrote:
Hello all,
with HAProxy 1.5.11, we have implemented rate limiting based on some
aspects of the request (Host header, path, ...). In our
Hi Andy,
Please always CC the mailing list so that others can help you too and
can learn from the discussion.
Franks Andy (IT Technical Architecture Manager) wrote:
Hi Holger,
Sorry, I will elaborate a bit more!
We are going to implement Microsoft exchange server 2010 (sp3) over two
AD
Hi Andy,
Franks Andy (IT Technical Architecture Manager) wrote:
Quick question – can anyone think of a way to change a server’s weight
based on some criteria, for example source IP address? It would be so
useful when dealing with a common service that has two distinct sites,
and rules in
server responses?
* If this is not possible right now, would it be feasible to implement
the possibility to track responses similar to what is possible with
requests right now?
Thank you for your feedback,
Holger Just
Hi,
Зайцев Сергей Александрович wrote:
So the question is - is there a way to synchronize HaProxy's
configuration with ZooKeeper ( somehow ).
Airbnb uses a tool called Synapse [1] as part of their Smartstack
platform [2]. It integrates HAProxy and zookeeper to provide high
availability by using
Hi Bernhard,
Bernhard Weißhuhn wrote:
When downloading the tar.gz, the chef client sends :80 as part of the host
header (which is legal from my understanding of the rfc).
This header reliably results in a 404, whereas leaving out the port number
results in a successful download:
This
Annika Wickert wrote:
- Include possibility in configfile to maintain one configfile for each
backend / frontend pair
There are several scripts out there which concat files in a well-known
directory structure together to form a single final config file. These
can be used in your init script
Hello all,
we see some strange errors in our logs after having introduced HAProxy
1.5 snapshot 20130611 before our nginx.
It seems like HAProxy sometimes (seldom) inserts a rather random byte as
the second byte of a GET request line on SSL requests. Some (anonymized)
log lines follow:
Hi Lukas,
Lukas Tribus wrote:
sounds like a tricky issue ...
indeed :)
- has the Windows 7 box all the latest patches from MS?
Yes.
- any reason not to use openssl1.0.1e?
I couldn't get it to compile, or in fact, I could compile it, but it
would break at the `make test` step and I
Hi there,
Wolfgang Routschka wrote:
One question about the script. What means config in line 20
HAPROXY_CONFIG=/usr/local/sbin/haproxy-config.py
Configurationfile is setting on line 17
the haproxy-init script in that repo is basically the init script from
the HAProxy Debian package from
Hi
Michael Glenney wrote:
We do something similar with chef where we've turned each backend
config associated with an application into json and can dynamically
build configs based on an application list. Completely avoiding using
a template.
In my HAProxy Chef cookbook[1], I have defined
Hi there,
after half a day of debugging (and subsequently kicking myself), I
finally noticed that whenever HAProxy (1.5-dev12 in this case)
encounters an unknown option on a bind line, it will error out with this
message irregardless of OpenSSL being enabled or not:
[ALERT] 296/194609
On 2012-07-29 12:56, Reve wrote:
How about parsing the same thing but if those have been posted as post, not
get.
When POSTing data, it will be transmitted in the request body. As the
body size can be of an arbitrary size and caching and potentially
parsing it would be a really complex, slow
Reve,
On 2012-07-28 19:46, Reve wrote:
let's say I have this URL
/blah?x1=5x2=-5y1=-1y2=50
I want to go to a different set of backends if
x10, y10 - backends set 1
x10, y10 - backends set 2
x10, y10 - backends set 3
x10, y10 - backends set 4
You can't actually parse the URL and match
Hey,
On 2012-02-01 17:41, habeeb rahman wrote:
When there is X-Forwarded-For added by the client(I used chrome rest
client) I can see haproxy is sending two X-Forwarded-For to the backend
instead of appending the values.
One is client sent and the other one is the one haproxy created newly. To
On 2012-02-01 20:00, habeeb rahman wrote:
I know that apache comma separates the values for X-Forwarded-For and I
thought haproxy behaves the same.
Both types are semantically the same. So for an application, it
shouldn't matter if you get these headers
X-Forwarded-For: 10.10.10.10
Hi Joe,
On 2012-01-09 14:25, Joseph Hardeman wrote:
I was wondering if anyone has a way to parse the logs and present them
in a friendly format? Such as with AWStats or another log parser.
There is Logstash [1] which includes patterns for parsing the HAProxy
HTTP log format. It can either
Damien,
you can use the track keyword on the server line to define which server
to, well, track. Find an example below:
backend foo
server foo1 1.2.3.4 check
backend bar
server bar1 1.2.3.4 track foo/foo1
--Holger
On 2011-12-21 12:28, Damien Churchill wrote:
Hi there,
Apologies if
On 2011-11-07 21:32, Erik Torlen wrote:
If you get a burst against 3 active backend servers they will take
care of all the request and connections. The clients that are active
will then get a persistence sessions against 1 of these 3 servers. It
will take ~5min to scale up a new server so
On 2011-10-17 14:48, Ist Conne wrote:
HAProxy is supported cookie-based persistence.
But, cookie-based Load balancing has a patented F5 Networks.
http://www.google.com/patents/about?id=3MYLEBAJ
Without being a lawyer, I'd play the prior art card as HAProxy supported
cookie based
Rhys,
HAProxy resolves IPs of backend servers only once during startup. As new
EC2 instances get a new IP on every startup, HAProxy doesn't find your
new instance. Because of that, it is generally discouraged to use
hostnames in backend specifications.
You have basically two ways to solve that:
Jens,
Many people have a script that builds a working configuration file from
various bits and pieces. As the actual needed configuration typically
isn't something which follows a common path but depends on the
environment and the actual applications and a thousand other bits, there
isn't a
Hi Damien,
On 2011-07-04 14:34, Damien Hardy wrote:
Does anyone have ever done the regex to parse the haproxy apachelog.
(we want to inject logs in hbase via flume :)
although it's not directly targeted for Java, but written in Python, but
I have already posted my approach of parsing the
Alan,
On 2011-06-15 19:54, Alan Gutierrez wrote:
I'd like to use HAProxy to implement a simple proxy that can perform
failover for a pair of PostgreSQL configured as master/slave with
PostgreSQL 9.0 streaming replication to replicate the master to the
slave. Only the master is active for
Habeeb,
given your Apache does actually insert/append an X-Forwarded-For header
you can use this statement instead of balance source in HAProxy:
balance hdr(X-Forwarded-For)
This has a few caveats you should be aware of. Users can set the
X-Forwarded-Header themselves (which is done by some
Sorry for the impersonation. My virtual identity setup got a bit overly
excited and made an awful mess in the whole room. Guess I need some
napkins now...
--Holger
Hi Dave,
On 2010-05-04 18:55, Dave Pascoe wrote:
Is there a way in haproxy 1.4 to perform the equivalent function that
these Apache directives perform?
SetEnv downgrade-1.0 1
SetEnv force-response-1.0 1
i.e., force haproxy to downgrade to HTTP/1.0 even though the client is
HTTP/1.1
On 2010-04-28 19:10, Alex Forrow wrote:
We're looking to upgrade our HAProxy hardware soon. Does anyone have any
recommendations on the things we should be looking for? e.g. Are there
any NICs we should use/avoid?
Hi Alex,
I'm just writing down here what comes to my mind. Sorry if it looks a
Hi Mikołaj,
On 2010-04-13 12:47, Mikołaj Radzewicz wrote:
I was trying to configure custom error pages on haproxy but after
wasting a lot of time I'm not successful. I wanted to serve it all
the time as my backends give it to the clients.
if I understand you correctly you want to check if one
Hi Matt,
On 2010-04-07 14:34, Matt wrote:
If I wanted to change the error return code submitted by haproxy (not
the backend server) is this possible? i.e. change haproxy to return a
502 when it's going to return a 504?
You could (ab)use the errorfile parameter and have haproxy send
arbitrary
Hi Greg,
On 2010-03-20 6:52 AM, Greg Gard wrote:
i remember somewhere in the archives mention of a plan to make health
checks get queued like any other request. did that happen in 1.4.x
branch with all the work to health checks. i searched the archives,
but didn't turn up what i remembered.
Hi Willy,
On 2010-03-02 23:43, Willy Tarreau wrote:
I could get the same errors on my ultra5 under solaris 8
which correctly builds 1.3. I finally tracked that down to
the #define XOPEN_SOURCE 500 in auth.c. If I remove it,
everything builds as before.
just for the archives: 1.3 also
Hi Willy,
On 2010-02-28 07:29, Willy Tarreau wrote:
Could you please try to add the two following lines at the top of the
3 faulty files (types/session.h, types/proxy.h, types/protocols.h) :
#include <sys/types.h>
#include <sys/socket.h>
I think it should fix the build.
Thanks for your
Hi all,
On 2010-02-26 16:02, Willy Tarreau wrote:
I'm obviously interested in any problem report :-)
I'm trying to compile Haproxy 1.4 on Opensolaris Build 133 (i386 on a
Core i7). This however fails.
make TARGET=solaris CPU=i686 USE_STATIC_PCRE=1
SMALL_OPTS=-I/usr/include/pcre
[...]
gcc
On 2010-02-06 10:55, Willy Tarreau wrote:
reqrep ([^\ ]*)\ /action.register\?([^]*)*param2=bar(.*) \1\
/newaction\?\2param2=bar\3
This does it. Looks like your Regex Kung Fu is stronger than mine. But
well, it was late :)
--Holger
On 2010-02-04 21:15, Sriram Chavali wrote:
I am trying to rewrite URLs using haproxy's reqirep directive. The url that I
am trying to rewrite is of the pattern
/action/register?param1=fooparam2=barparam3=baz
The URL that I want to be rewritten is
/newaction?param1=fooparam2=barparam3=baz
Hi
On 2010-02-02 16:19, Anthony D wrote:
I understand that HAproxy can do L7 header manipulation, however I read
in the manual that it doesn't touch the data contents. Are there any
plans for adding this option?
I can not speak for Willy, but as content manipulation (and also some
kinds of
Hi Harvey
On 2010-01-28 00:42, Harvey Yau wrote:
I've been trying to use ACLs to block or choose a backend based on
source IP address. It works perfectly in mode HTTP, but fails miserably
in mode TCP. Is there something obvious that I'm missing or is this a bug?
mode tcp
acl myips src
Hi Craig,
(sorry, for double posting, missed the correct button...)
On 10.01.10 11:01, Craig Carl wrote:
Does anyone know where I can find a /etc/init.d/haproxy script for
Debian?
The simplest approach would probably be to use the one shipped with the
official Haproxy package for Debian.
Hi,
On 07.12.09 20:49, Israel Garcia wrote:
Hi,
A simple question, is there any web interface to administer haproxy via web?
A simple answer: Nope, at least no free one I have heard of. Maybe you
could find something from loadbalancer.org
However, I am currently looking into developing a
On 07.12.09 23:19, Anthony Urso wrote:
Hi:
I am looking for advice on the best way to load-balance HTTP and HTTPS
traffic such that once a session is established with either protocol,
haproxy continues to send new requests from that session to the same
web server.
Is this a common use
On 14.07.2009 18:12 Uhr, Jeremy wrote:
Is it possible to use 'reqirep' to i.e. rewrite a Host header, only if a
certain ACL matches? As far as I can tell it doesn't look like you can
combine ACL's with the req* header manipulation commands but I just
wanted to double check.
Jeremy,
On 09.07.2009 7:15 Uhr, Willy Tarreau wrote:
As I said in earlier mail, I have implemented the multiple file loading
in 1.4-dev :
http://haproxy.1wt.eu/git?p=haproxy.git;a=commit;h=5d01a63b7862235fdd3119cb29d5a0cfd04edb91
If many people are interested, I know it will be quite easy to
Pedro Mata-Mouros Fonseca wrote:
This is my first post into this mailing list, been following it for a
few days. So, greetings from Portugal. I have a small doubt: I have a
few backend sections defined in my haproxy.conf, one of each is composed
of server1 to 4 - and all of them using the
On 17.06.2009 19:59 Uhr, Karthik Pattabhiraman wrote:
We use HAProxy 1.3.17 for our setup. We faced an issue where the
requests were redirected to a wrong cluster. We are still not able to
figure out why this happened and would really appreciate any help.
Please find attached a sample
On 17.06.2009 1:29 Uhr, Yves Accad wrote:
Please let me know any
detail I need to provide you to help troubleshooting the issue.
Yves,
Unfortunately your descriptions are rather vague and my crystal ball is
still getting fixed by the mechanics. Sorry...
To help you in the meantime, would you
On 15.06.2009 6:36 Uhr, Timh Bergström wrote:
Hello Holger,
If nothing else, I would be interested in this script.
Cheers,
Timh
So, after checking with my chief about opensourcing our stuff I can
finally conclude: Yes we can! :)
You can find the script at
On 15.06.2009 19:24 Uhr, Karl Pietri wrote:
Due to some strange things we are doing with our logging we have a bunch
of info in the response headers that would be nice to strip out before
sending to the client. Is this possible in haproxy?
Essentially we are logging things like the user_id
On 12.06.2009 23:08 Uhr, Joe Williams wrote:
I looked through the docs but didn't see anything. Is it possible to
include config files from the main config file? So you could do
something similar to a vhosts.d directory in Apache or Nginx.
Hello Joe!
Unfortunately, this is not supported by