Re: It seems HTTP header string exact match failed

2013-12-23 Thread Baptiste
On Mon, Dec 23, 2013 at 8:49 AM, Delta Yeh delta@gmail.com wrote:
 In my test of 1.5dev21, I found the following acl failed:

 acl  my_host req.hdr(host) -m str www.mytest.com
use_backend www if  my_host


 and results in a 503 error (because there is no default backend).

 I tried :
1. my_host req.hdr(host) -m beg www.mytest.com
2. my_host req.hdr(host) -m end www.mytest.com
  3. my_host req.hdr(host) -m sub www.mytest.com

 and all of them work OK.

 I test it  with wget http://www.mytest.com/;

 The haproxy debug output is :

 failed case:

 0001:ap.accept(0005)=0006 from [127.0.0.1:41462]
 0001:ap.clireq[0006:]: GET / HTTP/1.0
 0001:ap.clihdr[0006:]: User-Agent: Wget/1.12 (linux-gnu)
 0001:ap.clihdr[0006:]: Accept: */*
 0001:ap.clihdr[0006:]: Host: www.mytest.com
 0001:ap.clihdr[0006:]: Connection: Keep-Alive
 0001:ap.clicls[0006:]
 0001:ap.closed[0006:]




 success case:

 0001:ap.accept(0005)=0006 from [127.0.0.1:41460]
 0001:ap.clireq[0006:]: GET / HTTP/1.0
 0001:ap.clihdr[0006:]: User-Agent: Wget/1.12 (linux-gnu)
 0001:ap.clihdr[0006:]: Accept: */*
 0001:ap.clihdr[0006:]: Host: www.mytest.com
 0001:ap.clihdr[0006:]: Connection: Keep-Alive
 0001:www.srvrep[0006:0007]: HTTP/1.1 200 OK
 0001:www.srvhdr[0006:0007]: Date: Mon, 23 Dec 2013 07:40:30 GMT
 0001:www.srvhdr[0006:0007]: Server: Apache/2.2.8 (Win32)
 mod_python/3.3.1 Python/2.5.4
 0001:www.srvhdr[0006:0007]: Last-Modified: Tue, 20 Aug 2013 09:18:56 GMT
 0001:www.srvhdr[0006:0007]: ETag: 1fb2d-440-4e45d8be15ee8
 0001:www.srvhdr[0006:0007]: Accept-Ranges: bytes
 0001:www.srvhdr[0006:0007]: Content-Length: 1088
 0001:www.srvhdr[0006:0007]: Connection: close
 0001:www.srvhdr[0006:0007]: Content-Type: text/html
 0001:www.srvcls[0006:0007]
 0001:www.clicls[0006:0007]
 0001:www.closed[0006:0007]





 BR,
 DeltaY



Hi Delta,

What happens without the -m str ?
Just give a try to:
 acl  my_host req.hdr(host) www.mytest.com
 use_backend www if  my_host

Baptiste



Re: It seems HTTP header string exact match failed

2013-12-23 Thread Delta Yeh
without  -m str, haproxy report error when start:

[ALERT] 356/175131 (2416) : parsing [/etc/haproxy/conf/dev21.conf:37] :
error detected while parsing ACL 'my_host' : matching method must be
specified first (using '-m') when using a sample fetch of this type
('req.hdr').
[ALERT] 356/175131 (2416) : parsing [/etc/haproxy/conf/dev21.conf:39] :
error detected while parsing switching rule : no such ACL : 'my_host'.





2013/12/23 Baptiste bed...@gmail.com

 On Mon, Dec 23, 2013 at 8:49 AM, Delta Yeh delta@gmail.com wrote:
  In my test of 1.5dev21, I found the following acl failed:
 
  acl  my_host req.hdr(host) -m str www.mytest.com
 use_backend www if  my_host
 
 
  and results in a 503 error (because there is no default backend).
 
  I tried :
 1. my_host req.hdr(host) -m beg www.mytest.com
 2. my_host req.hdr(host) -m end www.mytest.com
   3. my_host req.hdr(host) -m sub www.mytest.com
 
  and all of them work OK.
 
  I test it  with wget http://www.mytest.com/;
 
  The haproxy debug output is :
 
  failed case:
 
  0001:ap.accept(0005)=0006 from [127.0.0.1:41462]
  0001:ap.clireq[0006:]: GET / HTTP/1.0
  0001:ap.clihdr[0006:]: User-Agent: Wget/1.12 (linux-gnu)
  0001:ap.clihdr[0006:]: Accept: */*
  0001:ap.clihdr[0006:]: Host: www.mytest.com
  0001:ap.clihdr[0006:]: Connection: Keep-Alive
  0001:ap.clicls[0006:]
  0001:ap.closed[0006:]
 
 
 
 
  success case:
 
  0001:ap.accept(0005)=0006 from [127.0.0.1:41460]
  0001:ap.clireq[0006:]: GET / HTTP/1.0
  0001:ap.clihdr[0006:]: User-Agent: Wget/1.12 (linux-gnu)
  0001:ap.clihdr[0006:]: Accept: */*
  0001:ap.clihdr[0006:]: Host: www.mytest.com
  0001:ap.clihdr[0006:]: Connection: Keep-Alive
  0001:www.srvrep[0006:0007]: HTTP/1.1 200 OK
  0001:www.srvhdr[0006:0007]: Date: Mon, 23 Dec 2013 07:40:30 GMT
  0001:www.srvhdr[0006:0007]: Server: Apache/2.2.8 (Win32)
  mod_python/3.3.1 Python/2.5.4
  0001:www.srvhdr[0006:0007]: Last-Modified: Tue, 20 Aug 2013 09:18:56
 GMT
  0001:www.srvhdr[0006:0007]: ETag: 1fb2d-440-4e45d8be15ee8
  0001:www.srvhdr[0006:0007]: Accept-Ranges: bytes
  0001:www.srvhdr[0006:0007]: Content-Length: 1088
  0001:www.srvhdr[0006:0007]: Connection: close
  0001:www.srvhdr[0006:0007]: Content-Type: text/html
  0001:www.srvcls[0006:0007]
  0001:www.clicls[0006:0007]
  0001:www.closed[0006:0007]
 
 
 
 
 
  BR,
  DeltaY
 


 Hi Delta,

 What happens without the -m str ?
 Just give a try to:
  acl  my_host req.hdr(host) www.mytest.com
  use_backend www if  my_host

 Baptiste



Re: SSL and keep-alive

2013-12-23 Thread Baptiste
On Sun, Dec 22, 2013 at 11:51 PM, Jean-Baptiste Quenot j...@caraldi.com wrote:
 global
 log 127.0.0.1   local2 info
 maxconn 4096
 user haproxy
 group haproxy
 daemon

 defaults
 log global
 mode    http
 option  httplog
 option  dontlognull
 retries 3
 option redispatch
 maxconn 2000
 contimeout  5000
 clitimeout  15
 srvtimeout  15

 listen ocw
 bind 0.0.0.0:80
 redirect scheme https if !{ ssl_fc }

 listen  ocw_ssl
 bind 0.0.0.0:443 ssl crt /etc/haproxy/haproxy-mysite.pem
 use_backend ocw1

 backend ocw1
 server ocw1 192.168.1.1:8069

 Is anything ringing a bell to you?  Anything I could do for the app to be
 more responsive in HTTPS?


Hi Jean-Baptiste

You're right, your HAProxy is in tunnel mode, which means it lets the
client and the server negotiate the keep-alive mode.
Obviously, they did not.

There is nothing you can do in HAProxy.
Maybe try starting HAProxy in debug mode and see the headers and HTTP
version exchanged between the client and the server.

Baptiste



RE: It seems HTTP header string exact match failed

2013-12-23 Thread Lukas Tribus
Hi!


 In my test of 1.5dev21, I found the following acl failed:
 
 acl  my_host req.hdr(host) -m str www.mytest.com
   use_backend www if  my_host
 
 
 and results in a 503 error (because there is no default backend).
 
 I tried :
    1. my_host req.hdr(host) -m beg www.mytest.com
    2. my_host req.hdr(host) -m end www.mytest.com
    3. my_host req.hdr(host) -m sub www.mytest.com
 
 and all of them work OK.

So, only -m str fails silently, but -m beg/end/sub works ok?

I don't see this behaviour here, can you give us the full configuration
(without confidential stuff) and make sure all your backends are up?

Also, does the same configuration work in an older release for you? What
does haproxy -vv look like?



Regards,

Lukas 


RE: SSL and keep-alive

2013-12-23 Thread Lukas Tribus
Hi!

 Is anything ringing a bell to you? Anything I could do for the app to be
 more responsive in HTTPS?
 [...]
 You're right, your HAProxy is in tunnel mode, which means it lets the
 client and the server negotiate the keep-alive mode.
 Obviously, they did not.


Correct. In case your origin server doesn't support keep-alive, you may
achieve better performance when using option http-server-close [1].

Early adopters may even try the (very new) option http-keep-alive [2].


Anyway, in this case you have to take a look at the client and the server,
as Baptiste mentioned.

Maybe you have some limitation in your javascript code on the client side,
or maybe there is a limitation in the server application. Take a wireshark
trace and decode SSL with your private key, then you will be able to
understand what side is closing the request.


Regards,

Lukas

[1] http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#option%20http-server-close
[2] http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-option%20http-keep-alive


RE: Outgoing connection set-mark patch proposal

2013-12-23 Thread Lukas Tribus
Hi,


 backend transparent-cache1
  option transparent
  option tcp-smart-connect
  source 10.0.253.26 usesrc clientip set-mark 0x11


Doesn't the following configuration achieve what you are trying to do?

  backend transparent-cache1
   option transparent
   option tcp-smart-connect
   source 10.0.253.26 usesrc clientip
   http-request set-mark 0x11
   http-response set-mark 0x11




Regards,

Lukas 


RE: Outgoing connection set-mark patch proposal

2013-12-23 Thread Denys Fedoryshchenko

Hi

As far as I know it will set mark only for client side connections,
but not connections to backend.


On 2013-12-23 14:32, Lukas Tribus wrote:

Hi,



backend transparent-cache1
  option transparent
  option tcp-smart-connect
  source 10.0.253.26 usesrc clientip set-mark 0x11



Doesn't the following configuration achieve what you are trying to do?

  backend transparent-cache1
   option transparent
   option tcp-smart-connect
   source 10.0.253.26 usesrc clientip
   http-request set-mark 0x11
   http-response set-mark 0x11




Regards,

Lukas




Re: Outgoing connection set-mark patch proposal

2013-12-23 Thread Baptiste
Hi Denys,

the way for http-request is from client to server.

Baptiste

On Mon, Dec 23, 2013 at 1:49 PM, Denys Fedoryshchenko
nuclear...@nuclearcat.com wrote:
 Hi

 As far as I know it will set mark only for client side connections, but
 not connections to backend.


 On 2013-12-23 14:32, Lukas Tribus wrote:

 Hi,


 backend transparent-cache1
   option transparent
   option tcp-smart-connect
   source 10.0.253.26 usesrc clientip set-mark 0x11



 Doesn't the following configuration achieve what you are trying to do?

   backend transparent-cache1
option transparent
option tcp-smart-connect
source 10.0.253.26 usesrc clientip
http-request set-mark 0x11
http-response set-mark 0x11




 Regards,

 Lukas





Re: Outgoing connection set-mark patch proposal

2013-12-23 Thread Denys Fedoryshchenko

To be more clear:
There is client side, which is client to haproxy.
And there is server side, which is haproxy to server.

My patch implements mark for server side, while
http-request/http-response as I see in source code only for client
side.


On 2013-12-23 15:04, Baptiste wrote:

Hi Denys,

the way for http-request is from client to server.

Baptiste

On Mon, Dec 23, 2013 at 1:49 PM, Denys Fedoryshchenko
nuclear...@nuclearcat.com wrote:

Hi

As far as I know it will set mark only for client side connections, but
not connections to backend.


On 2013-12-23 14:32, Lukas Tribus wrote:


Hi,



backend transparent-cache1
  option transparent
  option tcp-smart-connect
  source 10.0.253.26 usesrc clientip set-mark 0x11




Doesn't the following configuration achieve what you are trying to do?


  backend transparent-cache1
   option transparent
   option tcp-smart-connect
   source 10.0.253.26 usesrc clientip
   http-request set-mark 0x11
   http-response set-mark 0x11




Regards,

Lukas







Re: disable backend through socket

2013-12-23 Thread Patrick Hemmer
 On Sun, Dec 22, 2013 at 05:05:16PM -0500, Patrick Hemmer wrote:
 No. As I said, I want to disable the backend.
 http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-disabled
 That doesn't really work for backends since they don't decide to get
 traffic. At least if a config accepts to start with the disabled
 keyword in a backend and this backend is referenced in a frontend, I
 have no idea what it does behind the scenes. I'm not even sure the
 backend is completely initialized.

Ah, ok. I can live with that :-)

 What do you want to do exactly ? Do you just want to disable the
 health checks ? It's unclear what result you're seeking in fact.

I was just looking to disable backends without restarting the service.
Nothing more. Nothing less.
Currently when I want to disable a backend I just update the config and
reload haproxy. Not a big deal. Was just hoping that since frontends and
servers could both be enabled/disabled through the socket, that backends
could too.

The reason why I don't want to disable individual servers is that we
have an automated process which enables & disables servers. If a backend
is disabled, then I don't want a server to automatically get enabled and
start taking traffic. By disabling the backend, we prevent this scenario.

 Willy

Thank you

-Patrick


Re: HAProxy Next?

2013-12-23 Thread Neil McKee
If anyone wants me to rebase sflow/haproxy against the latest trunk or a
specific release,  let me know.

Neil

--
Neil McKee
InMon Corp.
http://www.inmon.com


On Tue, Dec 17, 2013 at 1:01 AM, Annika Wickert
a.wick...@traviangames.com wrote:

 Hi

  Hi!
 
 
 
  - sflow output
 
  Can't log-format already do this?
  Sure, but it might be a better integration in the rest of networking
 infrastructure if sflow is supported.
 
 
  FYI, Neil Mckee has a fork available with sflow support:
 
  http://marc.info/?t=13673552702r=1w=2
  http://blog.sflow.com/2013/05/haproxy.html
  https://github.com/sflow/haproxy
 
 I know ;). So it would be nice to merge the code in the official release :).

 
 
 
  Regards,
 
  Lukas

 Regards,
 Annika



RE: Outgoing connection set-mark patch proposal

2013-12-23 Thread Lukas Tribus
Hi,


 To be more clear:
 There is client side, which is client to haproxy.
 And there is server side, which is haproxy to server.

 My patch implements mark for server side, while
 http-request/http-response as I see in source code only for client
 side.

Yes, I see.


Currently, the features set-mark and set-tos need to be set with the
http-request/http-response command. This can be confusing and the result
is indeed not always what one would expect or desire (even though the
documentation is not wrong).

Regardless whether we set set-mark or set-tos in the frontend or the
backend, in http-request or http-response, the setsockopt() call is always
about the frontend HTTP session only - the only difference being that the
frontend acts before the backend and http-request acts before http-response.

We can't:
- influence the backend HTTP session
- influence traffic when we are not intercepting HTTP (TCP mode)
- influence the first packet (if we route backend traffic differently based
  on tos/mark, the first SYN may already need correct tos/nfmark marking,
  otherwise it may be forwarded on the wrong interface and subsequently
  dropped)


Imho the features set-mark and set-tos, and possibly also set-nice need
to be moved from the http-request/response layer out to the main layer of
configuration, where we have things like block and redirect, so that
we can:

- combine them with ACLs
- make them work in TCP mode
- implement them to work with backend TCP sessions
- allow set-tos/set-mark to take effect before the SYN packet leaves the box


While your patch fixes your particular use case, Denys, I think we should
try to improve the whole situation.


Willy, was there a specific use-case when you implemented those features? Any
thoughts about this?




Regards,

Lukas 


RE: acl based removing request headers

2013-12-23 Thread Lukas Tribus
Hi,



 we are using 1.5dev19 and I'd like to know if there is an option to use acl and
 reqidel.
 What I want: remove accept-encoding gzip, deflate when the acl is matched, because
 I know that the client is broken. And I want to set gzip compression globally on.

Please check the documentation, you should find everything you need:

reqidel search [{if | unless} cond] (ignore case)

http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4-reqidel


Remember to use mode http and avoid the tunneling mode (read the docs
about option http-server-close).




Regards,

Lukas 


Re: Outgoing connection set-mark patch proposal

2013-12-23 Thread Willy Tarreau
Hi guys,

sorry for not responding earlier.

On Mon, Dec 23, 2013 at 11:02:34PM +0100, Lukas Tribus wrote:
  To be more clear:
  There is client side, which is client to haproxy.
  And there is server side, which is haproxy to server.
 
  My patch implements mark for server side, while
  http-request/http-response as I see in source code only for client
  side.
 
 Yes, I see.
 
 
 Currently, the features set-mark and set-tos need to be set with the
 http-request/http-response command. This can be confusing and the result
 is indeed not always what one would expect or desire (even though the
 documentation is not wrong).
 
 Regardless whether we set set-mark or set-tos in the frontend or the
 backend, in http-request or http-response, the setsockopt() call is always
 about the frontend HTTP session only - the only difference being that the
 frontend acts before the backend and http-request acts before http-response.

Indeed that's a good point.

 We can't:
 - influence the backend HTTP session
 - influence traffic when we are not intercepting HTTP (TCP mode)
 - influence the first packet (if we route backend traffic differently based
   on tos/mark, the first SYN may already need correct tos/nfmark marking,
   otherwise it may be forwarded on the wrong interface and subsequently
   dropped)
 
 
 Imho the features set-mark and set-tos, and possibly also set-nice need
 to be moved from the http-request/response layer out to the main layer of
 configuration, where we have things like block and redirect, so that
 we can:
 
 - combine them with ACLs
 - make them work in TCP mode
 - implement them to work with backend TCP sessions
 - allow set-tos/set-mark to take effect before the SYN packet leaves the box
 
 
 While your patch fixes your particular use case, Denys, I think we should
 try to improve the whole situation.

I agree with your points. I know that William has already started to factor
out all the tcp/http actions but that's tedious work. In an ideal world,
we should be able to merge almost all of them.

 Willy, was there a specific use-case when you implemented those features? Any
 thoughts about this?

Yes, the purpose was precisely to affect traffic to the client depending
on the request. For example, a non-authenticated visitor might use a
different QoS setting or even be routed via a different link. I'm not
using these features myself and I don't even remember whom I discussed
with before implementing them given they were trivial.

I would have no problem with starting to rename them (remember we're
still in -dev) so that they're set-frontend-mark, set-frontend-tos or
whatever shorter form we could imagine, then propagate them to TCP
rules and finally have the same set for the other side.

Regards,
Willy




Re: HAProxy Next?

2013-12-23 Thread Delta Yeh
+1 cent from me


2013/12/24 Neil McKee neil.mc...@inmon.com

 If anyone wants me to rebase sflow/haproxy against the latest trunk or a
 specific release,  let me know.

 Neil

 --
 Neil McKee
 InMon Corp.
 http://www.inmon.com


 On Tue, Dec 17, 2013 at 1:01 AM, Annika Wickert 
 a.wick...@traviangames.com wrote:

 Hi

  Hi!
 
 
 
  - sflow output
 
  Can't log-format already do this?
  Sure, but it might be a better integration in the rest of networking
 infrastructure if sflow is supported.
 
 
  FYI, Neil Mckee has a fork available with sflow support:
 
  http://marc.info/?t=13673552702r=1w=2
  http://blog.sflow.com/2013/05/haproxy.html
  https://github.com/sflow/haproxy
 
 I know ;). So it would be nice to merge the code in the official release
 :).

 
 
 
  Regards,
 
  Lukas

 Regards,
 Annika