servers use
configuration that allows clients to switch between servers).
-Jarno
--
Jarno Huuskonen
Hi,
On Thu, Feb 05, Klavs Klavsen wrote:
> Jarno Huuskonen wrote on 02/05/2015 01:28 PM:
> >Hi,
> >
> >On Thu, Feb 05, Klavs Klavsen wrote:
> >>Hi guys,
> >>
> >>I'm testing our haproxy setup in regards to SSL performance - by
> >>si
haproxy actually hitting a
> bottleneck.. I did try to do the https test from 2 clients
> simultaneously - and then they just get half the req/s - so total is
> the same.
>
> What should I look at, to improve https performance in haproxy?
--
Jarno Huuskonen
nginx you can easily substitute the
> loadbalancer ip with the ip of the client.
Or if you're running apache 2.4 then it should come with
mod_remoteip: http://httpd.apache.org/docs/current/mod/mod_remoteip.html
And for tomcat there's:
https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html
-Jarno
--
Jarno Huuskonen
Hi,
On Thu, Jan 15, Shawn Heisey wrote:
> On 1/15/2015 1:30 PM, Shawn Heisey wrote:
> > Let's say that I have a server named 'friday' in my backend, and it has
> > "cookie friday" on the server line. Let's also say that the web server
> > sets the JSESSIONID with that server name in it, like this
Hi,
On Tue, Jan 13, Pavlos Parissis wrote:
> Hoi,
>
> I am trying to return a specific 200 response when the URL matches an ACL but I get
> back 503. Where is my mistake?
>
> frontend mpla
> acl robots.txt path_beg /robots.txt
>
> use_backend bk_robots if robots.txt
>
> default_backend
HTTP/1.1
Host: your.service.hostname
or do you need to use ssl to get a response:
openssl s_client -connect 9.30.71.70:8445
GET / HTTP/1.1
Host: your.service.hostname
)
If your backend servers use ssl on ports 8445/8443 then you'll need
"ssl" on the server config line:
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.2-ssl
-Jarno
--
Jarno Huuskonen
;m
> pretty sure the primitive used to decode base64 doesn't care about
> line returns.
Copied the SSLValve.java to a simple standalone prog and looks like
java CertificateFactory/generateCertificate doesn't seem to care if
the base64 has newlines or not.
> You could also try:
>
> http-request add-header ssl_client_cert
> 1234567890123456789012345678%[ssl_c_der,base64]12345678901234567890123456
> # without space
>
> It should work!
Yes, it also seems to work :)
-Jarno
--
Jarno Huuskonen
ss a quick and dirty test to see if the SSLValve accepts the base64
without newlines would be to copy the SSLValve.java to quick standalone prog.
-Jarno
--
Jarno Huuskonen
mail-archive.com/haproxy@formilux.org/msg13875.html)
-Jarno
--
Jarno Huuskonen
p://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.2-track
so something like:
backend BE_abc
option httpchk HEAD /check.txt HTTP/1.0
...
server s1 ip:port ... check ...
server s2 ip:port ... check ...
backend BE_xyz
...
server s1 ip:port ... track BE_abc/s1
server s2 ip:port ... track BE_abc/s2
...
-Jarno
--
Jarno Huuskonen
er mbH
> Emil-Figge-Straße 76-80
> 44227 Dortmund
>
> Tel: +49.231.9742.355
> Fax: +49.231.9742.356
> http://www.getit.de
>
> Amtsgericht Dortmund, HRB-Nr. 26548
>
> Management:
> Dr. Thomas Krämerkämper (Chairman)
> Christoph Hecker
--
Jarno Huuskonen
2-stick%20on
Then balance source or balance roundrobin + stick on src should do the trick
I don't think you'll need all three.
Cheers,
-Jarno
--
Jarno Huuskonen
been using version 1.4 from the Ubuntu repository and already updated to
> current 1.5, in which these exceptions come at a later point during the
> initialization process, however they still exist.
>
> Can anybody help me here? How can I better debug this? Do you need any more
> data to help?
>
> Thank you in advance.
>
> Kind regards
> Dennis
>
--
Jarno Huuskonen
k-table type ip
> stick on src
> ...also makes no difference. Same erroneous behaviour.
Do you see any entries in the stick table? Something like
echo "show table service_2_inside" | nc -U /path/to/stats.socket
(or with socat instead of nc -U).
-Jarno
--
Jarno Huuskonen
> server App_101 10.10.10.101:80 cookie app101 check
> server App_102 10.10.10.102:80 cookie app102 check
--
Jarno Huuskonen
th/to/crt ciphers ...
To enable ocsp stapling see haproxy config:
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-crt
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#9.2-set%20ssl%20ocsp-response
-Jarno
--
Jarno Huuskonen
veTimeout="6" (and tomcat connector takes the timeout
in ms (not sec like httpd)). I've changed this to 6000. I'll report
if this fixes the problem.
Thanks again Lukas and Remi for looking into this!
-Jarno
--
Jarno Huuskonen
arlier packet capture between haproxy <-> tomcat, I'll see
if I can find the failed request in the packet capture.
Maybe I should try to disable keep-alive between haproxy<->tomcat
(option http-server-close and tomcat http connector) and see if this
makes any difference.
-Jarno
--
Jarno Huuskonen
proxy[22814]: client.ip:63722
[29/Aug/2014:16:01:58.647] HTTPS_idp~ HTTPS_idp/idp_in 41/4/132 3343 --
0/0/0/0/0 0/0\n", 140, MSG_DONTWAIT|MSG_NOSIGNAL, {sa_family=AF_INET,
sin_port=htons(514), sin_addr=inet_addr("127.0.0.1")}, 16) = 140
-Jarno
--
Jarno Huuskonen
16:01:57.336804 s
enSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT
IPV6_TRANSPARENT IP_FREEBIND
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Thanks,
-Jarno
--
Jarno Huuskonen
http-check disable-on-404
mode http
option redispatch
timeout server 4s
timeout connect 1500ms
timeout check 2s
retries 1
default-server inter 3s downinter 20s rise 2 error-limit 8 on-error
fail-check
server shib1 tomcat.ip1:8080 id 1 maxconn 256 check observe layer7
server shib2 tomcat.ip2:8080 id 2 maxconn 256 check observe layer7
--
Jarno Huuskonen
ost is_nagios_host1
use-server host2 if is_nagios_host is_nagios_host2
server host1 ...
server host2 ...
Maybe something similar could work for you (using url instead of
User-Agent)?
-Jarno
--
Jarno Huuskonen
; server s1 10.0.0.126:8080 weight 6 check cookie s1
>
> Could anyone help me on this please?
Is version 1.5.3 compiled with openssl? (haproxy -vv)
-Jarno
--
Jarno Huuskonen
re probably
redundant.
Do your web/cas servers send the CASTGC cookie with the secure flag?
Have you tried with tcpdump (on the haproxy server) to see what the
webservers / browser send/receive?
> 3. Below is our HAProxy's partial debug log :
If you need persistence, does your httplog show that all requests
that should go to the same server actually go there?
-Jarno
--
Jarno Huuskonen
oid anything that requires user interaction / manual labor).
(I guess instead of uefspnego cookie we could add a string to User-Agent,
I assume this is possible with group policy, but I guess changing UA
makes it a bit easier to track our users).
All ideas welcome.
-Jarno
--
Jarno Huuskonen
s alphabetically the latest in
> the folder is returned (and incorrect).
Have you tried with:
openssl s_client -servername subdomain.domain.tld -connect \
subdomain.domain.tld:443
(with -servername openssl s_client should send SNI information:
-servername host - Set TLS extension servername in ClientHello)
-Jarno
--
Jarno Huuskonen
timeouts / acl / etc.
cookie JSESSIONID prefix httponly secure maxidle 30m
default-server inter 5s downinter 15s rise 2 error-limit 13 on-error
fail-check
server tomcat1 ip.add.res:8080 id 1 cookie t1 maxconn 75 check observe
layer7
server tomcat2 ip.add.res2:8080 id 1 cookie t2
efe-204.foo.com examplefe-204.foo.com:443 check
> check-ssl disabled
--
Jarno Huuskonen
le 502 should go to the backend that handles only
the upload --> so haproxy doesn't send the fake 413 error for "real"
502 errors.
-Jarno
--
Jarno Huuskonen
Atest19
CN=client19.local
(not really a real world example ... :)
--
Jarno Huuskonen
Hello,
On Fri, May 09, Willy Tarreau wrote:
> So basically the output format could be built using this string :
>
> ssl_c_cert,pem(CERTIFICATE)
What kind of argument should CERTIFICATE be? ARGT_STR / ARGT_UINT?
> With :
>- ssl_c_cert outputting raw binary
>- pem(type) being t
Hi Willy,
On Fri, May 09, Willy Tarreau wrote:
> > This patch should be compatible with apache/mod_ssl
> > (RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s")
> > (newlines in the pem cert are replaced with space chars).
>
> I'm wondering whether there is a risk that this same cert could b
On Fri, May 09, Ram R wrote:
> listen site
> bind :443 ssl crt /etc/haproxy/site.pem
> balance roundrobin
>
> option httplog
> option forwardfor
> option ssl-hello-chk
> option httpchk GET /health_monitor.jsp HTTP/1.0
> http-check expect string OK
>
> appsession JSESSIONID len 52
Hello,
This is a patch (proposal) to include ssl_c_cert keyword to add client
certificate (in pem format) to backend requests. This is useful for
offloading ssl for applications that need access to client certificate
(for example with something like tomcat sslvalve:
http://tomcat.apache.org/tomcat
Hi,
On Tue, Apr 29, david rene comba lareu wrote:
> Hi,
>
> for some reason, I can't install the CA certificate correctly in haproxy
>
> my config is like this:
>
> bind *:443 ssl crt /home/scripts/CA/www.domain.com.pem ca-file
> /home/scripts/CA/rapidsslCA.crt
>
> I already tried with the pri
Hello,
Here's a small patch that fixes a few typos in
configuration.txt (and one in haproxy.1).
Patch is for haproxy-ss-20140401 but should apply to
haproxy-ss-20140411.
-Jarno
--
Jarno Huuskonen
diff --git a/configuration.txt b/configuration.txt
index df030d9..3f1a0df 100644
Hello,
On Tue, Apr 08, Rafaela wrote:
> Tks Lukas!
>
> The threads of the list, it is not possible to climb HAproxy horizontally,
> how to maintain availability is using the vrrp (master and slave) or dns
> round robin (despite losing a part of traffic if you do not have to check).
> Correct?
> M
. Thank you for your blog posts. Very useful resource.
> Baptiste
>
>
> On Tue, Apr 1, 2014 at 1:58 PM, Jarno Huuskonen
> wrote:
> > Hello,
> >
> > I have a couple of haproxy(1.5dev22 snapshot) ssl related questions:
> >
> > Is it possible to use mod_ssl compati
Hello,
I have a couple of haproxy(1.5dev22 snapshot) ssl related questions:
Is it possible to use mod_ssl compatible "optional_no_ca" client
cert verify with haproxy:
- is it possible to use "ca-ignore-err" for this.
(I think apache 2.2.7(mod_ssl) ignores these errors w/optional_no_ca:
#define
Hi,
On Wed, Mar 26, Sander Klein wrote:
> Hi
>
> On 24.03.2014 18:35, Andy Walker wrote:
> >For what it's worth, haproxy can be running on a server, and listening
> >on IP addresses that aren't actually associated with that server. In
> >linux, just make sure NET.IPV4.IP_NONLOCAL_BIND is set to 1
: fix freezes
> during compression") or other commits).
Recent 1.5-dev21 snapshots also work with ssl connection to backend
servers. I think haproxy-ss-20140118 and
BUG/MAJOR: ssl: fix breakage caused by recent fix abf08d9
fixed this for me.
Thanks,
-Jarno
--
Jarno Huuskonen
Hi,
I'm testing haproxy-1.5-dev19/21 to load-balance a PHP application (apache/moodle 2.6).
Moodle is set up to use shibboleth authentication
(https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration).
Login is all https (client -> haproxy -> apache+mod_ssl):
Login works (haproxy-ss-20131228