Haproxy core utilization

2015-08-16 Thread Haim Ari
Hello,

I noticed that sometimes (if I monitor the server using top for a few minutes)
one haproxy process seems to have 99% utilization while the other three are
about 25%.

How can I avoid this behavior?
(How can I force haproxy not to use core 0?)

Ubuntu 12.04.5 LTS
Haproxy 1.5.9
nproc 4




--

Haim Ari / SysOps Manager

M: 972.584563032 / T: 972.722288367


HAProxy for Static IP redundancy

2015-08-16 Thread Mitchell Gurspan
Hi -

Would you be able to tell me if HAProxy can be used to solve the following
problem?

I host an IIS 7.5 Windows site on a Comcast business static IP (in office).
The internet goes down sometimes and I'd like redundancy.

I can't find the proper way to add a second internet provider/static IP for
failover when the primary line goes down.

I thought maybe DNS round robin, but it looks like an IIS site cannot have
multiple bindings for this.

Any thoughts? Is there a standard architecture or method for Internet
connectivity redundancy for one website on one server? Cost is an issue.

Thanks!

Mitchell

Visualjobmatch.com




[PATCH] DOC: match several lua configuration option names to those implemented in code

2015-08-16 Thread PiBa-NL

Hi,
I've found some inconsistencies in the documentation, patch attached.
Could you take a look and merge it? Thanks.
Regards,
PiBa-NL
From 007f377f637dbafc47cb77f6650e4df55e08b608 Mon Sep 17 00:00:00 2001
From: Pieter Baauw piba.nl@gmail.com
Date: Sun, 16 Aug 2015 15:26:24 +0200
Subject: [PATCH] DOC: match several lua configuration option names to those
 implemented in code

---
 doc/configuration.txt |  2 +-
 doc/lua-api/index.rst | 18 +-
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 424b31d..83f337d 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -1456,7 +1456,7 @@ It is possible to send email alerts when the state of 
servers changes.
 If configured email alerts are sent to each mailer that is configured
 in a mailers section. Email is sent to mailers using SMTP.
 
-mailer mailersect
+mailers mailersect
   Creates a new mailer list with the name mailersect. It is an
   independent section which is referenced by one or more proxies.
 
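Review bot: renaming the keyword to `mailers` makes the entry agree with the section name the `email-alert mailers` directive refers to, so this is the right fix. While touching this paragraph, the unchanged context line "If configured email alerts are sent to each mailer that is configured in a mailers section" reads better with a comma after "If configured".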
diff --git a/doc/lua-api/index.rst b/doc/lua-api/index.rst
index 26641ba..8671f3e 100644
--- a/doc/lua-api/index.rst
+++ b/doc/lua-api/index.rst
@@ -514,7 +514,7 @@ Channel class
   If the buffer cant receive more data, a 'nil' value is returned.
 
   :param class_channel channel: The manipulated Channel.
-  :returns: a string containig the avalaiable line or nil.
+  :returns: a string containing the available line or nil.
 
 .. js:function:: Channel.set(channel, string)
 
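Review bot: the typo fix on the :returns: line is fine; the context line just above it, "If the buffer cant receive more data", is missing the apostrophe in "can't" and could be corrected in the same patch.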
@@ -579,21 +579,21 @@ HTTP class
 
This class contain all the HTTP manipulation functions.
 
-.. js:function:: HTTP.req_get_header(http)
+.. js:function:: HTTP.req_get_headers(http)
 
   Returns an array containing all the request headers.
 
   :param class_http http: The related http object.
   :returns: array of headers.
-  :see: HTTP.res_get_header()
+  :see: HTTP.res_get_headers()
 
-.. js:function:: HTTP.res_get_header(http)
+.. js:function:: HTTP.res_get_headers(http)
 
   Returns an array containing all the response headers.
 
   :param class_http http: The related http object.
   :returns: array of headers.
-  :see: HTTP.req_get_header()
+  :see: HTTP.req_get_headers()
 
 .. js:function:: HTTP.req_add_header(http, name, value)
 
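Review bot: the rename from req_get_header/res_get_header to the plural forms only touches the two definitions and their :see: cross-references shown here; please check the rest of index.rst (code samples in particular) for any remaining use of the old names, so the document does not describe a function the code does not implement. The context line "This class contain all the HTTP manipulation functions." should read "contains".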
@@ -661,9 +661,9 @@ HTTP class
   :param class_http http: The related http object.
   :param string name: The header name.
   :param string value: The header value.
-  :see: HTTP.req_set_header()
+  :see: HTTP.req_rep_header()
 
-.. js:function:: HTTP.req_replace_header(http, name, regex, replace)
+.. js:function:: HTTP.req_rep_header(http, name, regex, replace)
 
   Matches the regular expression in all occurrences of header field name
   according to regex, and replaces them with the replace argument. The
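Review bot: the first change in this hunk retargets a cross-reference rather than fixing a name: `:see: HTTP.req_set_header()` becomes `:see: HTTP.req_rep_header()`. The entry it belongs to takes (http, name, value), i.e. a set-style function, so its natural see-also is the request/response counterpart of the set function, not the replace function; please confirm the retargeting is intended, or keep the see-also on req_set_header and only rename the function below.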
@@ -674,9 +674,9 @@ HTTP class
   :param string name: The header name.
   :param string regex: The match regular expression.
   :param string replace: The replacement value.
-  :see: HTTP.res_replace_header()
+  :see: HTTP.res_rep_header()
 
-.. js:function:: HTTP.res_replace_header(http, name, regex, string)
+.. js:function:: HTTP.res_rep_header(http, name, regex, string)
 
   Matches the regular expression in all occurrences of header field name
   according to regex, and replaces them with the replace argument. The
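Review bot: in the renamed signature `HTTP.res_rep_header(http, name, regex, string)` the last parameter is still called `string`, while the :param: block and the description call it `replace` and the request-side twin is `HTTP.req_rep_header(http, name, regex, replace)`; consider renaming it to `replace` in the same patch so the two entries match.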
-- 
1.9.5.msysgit.1



[PATCH] BUILD: add USE_LUA to BUILD_OPTIONS when it's used

2015-08-16 Thread Cyril Bonté
haproxy -vv doesn't indicate that USE_LUA was specified at compilation time.
This is caused by the Makefile, which doesn't update BUILD_OPTIONS.
---
 Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Makefile b/Makefile
index 6ab7d54..63ac6ef 100644
--- a/Makefile
+++ b/Makefile
@@ -595,6 +595,7 @@ endif
 ifneq ($(USE_LUA),)
 check_lua_lib = $(shell echo int main(){} | $(CC) -o /dev/null -x c - $(2) 
-l$(1) 2/dev/null  echo $(1))
 
+BUILD_OPTIONS   += $(call ignore_implicit,USE_LUA)
 OPTIONS_CFLAGS  += -DUSE_LUA $(if $(LUA_INC),-I$(LUA_INC))
 LUA_LD_FLAGS := $(if $(LUA_LIB),-L$(LUA_LIB))
 ifeq ($(LUA_LIB_NAME),)
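Review bot: the new `BUILD_OPTIONS += $(call ignore_implicit,USE_LUA)` line sits inside the `ifneq ($(USE_LUA),)` block, so it is only appended when USE_LUA is set, which is exactly what the commit message asks for. The `check_lua_lib` context line arrives here as `2/dev/null  echo $(1)`, which looks like the `>` redirection and `&&` were stripped in transit; make sure the patch is applied against the real Makefile line rather than this copy.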
-- 
2.5.0




[PATCH] MINOR cfgparse: Correct the mailer warning text to show the right names to the user

2015-08-16 Thread PiBa-NL

Hi Guys,

Patch attached to correct the mailer warning text to show the right 
names to the user.


Regards,
PiBa-NL
From aa2cccdf5e95d2850692ec8189fc9ed20a586575 Mon Sep 17 00:00:00 2001
From: Pieter Baauw piba.nl@gmail.com
Date: Mon, 17 Aug 2015 00:45:05 +0200
Subject: [PATCH] MINOR cfgparse: Correct the mailer warning text to show the
 right names to the user

---
 src/cfgparse.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/cfgparse.c b/src/cfgparse.c
index 98ccd5d..34d029b 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -7319,9 +7319,9 @@ int check_config_validity()
if (curproxy-email_alert.set) {
if (!(curproxy-email_alert.mailers.name  
curproxy-email_alert.from  curproxy-email_alert.to)) {
Warning(config : 'email-alert' will be ignored for 
%s '%s' (the presence any of 
-   'email-alert from', 'email-alert level' 
'email-alert mailer', 
-   'email-alert hostname', or 'email-alert 
to' 
-   requrires each of 'email-alert from', 
'email-alert mailer' and 'email-alert' 
+   'email-alert from', 'email-alert level' 
'email-alert mailers', 
+   'email-alert myhostname', or 'email-alert 
to' 
+   requires each of 'email-alert from', 
'email-alert mailers' and 'email-alert to' 
to be present).\n,
proxy_type_str(curproxy), curproxy-id);
err_code |= ERR_WARN;
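Review bot: the corrected keyword names ('email-alert mailers', 'email-alert myhostname', 'email-alert to') are consistent with the `email_alert.mailers` field tested in the condition above, but the unchanged opening of the message, "(the presence any of", is missing a word and should read "(the presence of any of"; since the patch already rewrites the neighbouring lines of this string, that fix belongs here too.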
-- 
1.9.5.msysgit.1



Re: HAProxy for Static IP redundancy

2015-08-16 Thread Igor Cicimov
On 16/08/2015 11:21 PM, Mitchell Gurspan mitch...@visualjobmatch.com
wrote:

 Hi –

 Would you be able to tell me if HAProxy can be used to solve the
following problem?

 I host an iis 7.5) windows site on a comcast business static IP (in
office). the internet goes down sometimes and I’d like redundancy.

 I cant find the proper way to add a second internet provider/static IP
for failover when the primary line goes down.

 I thought maybe DNS round robin but it looks like an IIS site cannot have
multiple bindings for this

 Any thoughts? Is there a standard architecture or method for Internet
connectivity redundancy for one website on one server ? Cost is an issue.

 Thanks!

 Mitchell

 Visualjobmatch.com

Can't see what this has to do with haproxy; this is something you set up in
your infrastructure. Get a router with two WAN ports, each connected to a
different ISP. For DIY you can set up a Linux box as a router with iptables and
policy routing. Google will show you many examples of how to do it.


Re: IP address ACLs

2015-08-16 Thread CJ Ess
Sounds good. If I use the external file, will HAProxy reload it if the
modification timestamp changes? Or do I need to explicitly send a reload
signal?


On Sat, Aug 15, 2015 at 3:39 AM, Baptiste bed...@gmail.com wrote:

 Hi,

 there is no performance drop from loading from a file versus directly in the
 config file.
 That said, if you have multiple ACLs with the same name loading many
 IPs, then you'll perform as many lookups as you have ACLs... While
 loading content from a file would perform a single lookup.
 Anyway, there should not be any noticeable performance impact, since
 IP lookup is very quick in HAProxy (a few hundred nanoseconds in a
 tree of 1,000,000 IPs).

 Concerning comments, any string after a dash '#' is considered as a
 comment and not loaded in the ACL.

 Baptiste


 On Sat, Aug 15, 2015 at 8:28 AM, Nathan Williams nath.e.w...@gmail.com
 wrote:
  We use a file for about 40 cidr blocks, and don't have any problems with
  load speed. Presumably large means more than that, though.
 
  We use comments as well, but they have to be at the beginning of their
 own
  line, not tagged on after the address.
 
 
  On Fri, Aug 14, 2015, 9:09 PM CJ Ess zxcvbn4...@gmail.com wrote:
 
  When doing a large number of IP based ACLs in HAProxy, is it more
  efficient to load the ACLs from a file with the -f argument? Or is it just
 as
  good to use multiple ACL statements in the cfg file?
 
  If I did use a file with the -f parameter, is it possible to put
 comments
  in the file?
 
 



Re: Regarding using HAproxy for rate limiting

2015-08-16 Thread Amol
Hi Baptiste,

I tried to read about SC0 and SRC, but I am not quite sure what I would gain
by changing SRC to SC0 for the ACL parameters. Did you have some example to
explain?

Thanks

From: Amol mandm_z...@yahoo.com
To: Baptiste bed...@gmail.com
Cc: HAproxy Mailing Lists haproxy@formilux.org
Sent: Friday, August 14, 2015 2:06 PM
Subject: Re: Regarding using HAproxy for rate limiting

Hi Baptiste,

Yes, sorry, I might have confused you with some questions, but to answer your
questions:

 here, the question is: what kills your server exactly?
 A high number of queries from a single user or whatever the number of users?
 I'm trying to understand what you need...

Yes, I am trying to protect against a high number of requests from a single
user who can use APIs or even misconfigure APIs to generate high load.

Reposting the configuration:

frontend www-https
    bind xx.xx.xx.xx:443 ssl crt .pem ciphers AES128+EECDH:AES128+EDH no-sslv3 no-tls-tickets

    # Table definition
    stick-table type ip size 100k expire 30s store gpc0,conn_cur,conn_rate(3s),http_req_rate(10s),http_err_rate(10s)

    # Allow clean known IPs to bypass the filter
    tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }

    # this is sending data defined in the stick-table and storing it in the
    # stick-table since by default nothing is restored in it
    tcp-request connection track-sc0 src

    # Shut the new connection as long as the client has already 40 opened
    tcp-request connection reject if { src_conn_cur ge 40 }

    # if someone has more than 40 connections over a period of 3 seconds, REJECT
    tcp-request connection reject if { src_conn_rate ge 40 }

    # tracking connections that are not rejected from clients that don't have
    # 10 connections / 10 connections per 3 seconds
    #tcp-request connection reject if { src_get_gpc0 gt 0 }

    acl abuse_err src_http_err_rate ge 10
    acl flag_abuser_err src_inc_gpc0 ge 0
    acl abuse src_http_req_rate ge 250
    #acl flag_abuser src_inc_gpc0 ge 0
    #tcp-request content reject if abuse_err flag_abuser_err
    #tcp-request content reject if abuse flag_abuser

    use_backend backend_slow_down if abuse flag_abuser
    use_backend backend_slow_down if abuse_err flag_abuser_err
    default_backend www-backend

backend www-backend
    balance leastconn
    cookie BALANCEID insert indirect nocache secure httponly
    option httpchk HEAD /xxx.php HTTP/1.0
    redirect scheme https if !{ ssl_fc }
    server A1 xx.xx.xx.xx:80 cookie A check
    server A2 yy.yy.yy.yy:80 cookie B check

backend backend_slow_down
    timeout tarpit 2s
    errorfile 500 /etc/haproxy/errors/429.http
    http-request tarpit

--
Yes, I will check out the difference between SC0 and SRC parameters in the
config regarding this.

 What I am doing here is that if the http_req_rate > 250 then I want to send
 them to another backend which gives them a rate limiting message, or if the
 number of concurrent connections are > 4, then I want to rate limit their
 usage and allow only 40 connections to come in.

I was trying to make 2 points; I guess I should have been more clear... So I
was saying that based on my config I am trying to achieve 2 things:

1) to rate limit a client with a high number of HTTP requests in a certain
   time span (http_req_rate)
2) to rate limit a client with a high number of concurrent connections in a
   certain time span (src_conn_cur and src_conn_rate)

Thanks once again for looking into this.



 

From: Baptiste bed...@gmail.com
To: Amol mandm_z...@yahoo.com
Cc: HAproxy Mailing Lists haproxy@formilux.org
Sent: Friday, August 14, 2015 1:40 PM
Subject: Re: Regarding using HAproxy for rate limiting

Hi Amol,

On Fri, Aug 14, 2015 at 4:16 PM, Amol mandm_z...@yahoo.com wrote:
 Hello,
 I have been trying to configure my Haproxy for rate limiting our customers'
 usage, and wanted to know/understand some of my options.
 What I am trying to achieve is to throttle any client requests/API calls
 that can lead to high load and can kill my servers.

here, the question is: what kills your server exactly?
A high number of queries from a single user or whatever the number of users?
I'm trying to understand what you need...


 First of all here is my configuration i have so far from reading a few
 articles

 frontend www-https
    bind xx.xx.xx.xx:443 ssl crt .pem ciphers AES128+EECDH:AES128+EDH no-sslv3 no-tls-tickets

    # Table definition
    stick-table type ip size 100k expire 30s store gpc0,conn_cur,conn_rate(3s),http_req_rate(10s),http_err_rate(10s)
    # Allow clean known IPs to bypass the filter
    tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
    # this is sending data defined in the stick-table and storing it in the
    # stick-table since by default nothing is restored in it
    tcp-request connection track-sc0 src
    # Shut the new connection as long as the client has already 10 opened
    tcp-request 
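Baptiste's hint about SC0 versus SRC, as an added example that is not part of Amol's message or of the thread: the `src_*` fetches look the source address up in the stick-table on every evaluation, while the `sc0_*` fetches read the entry already selected by `track-sc0`, which is also what makes the `inc_gpc0` flagging apply to the tracked client. The certificate path is a placeholder, the `mode http` lines are assumed (no defaults section is shown), and www-backend is reduced to its server lines; the thresholds are the ones Amol posted.

```haproxy
# Added example (not from the thread): Amol's frontend rewritten with the
# sc0_* fetches, which read the table entry selected by track-sc0 instead
# of looking the source address up again on every src_* evaluation.
frontend www-https
    mode http
    # placeholder certificate path, not from the thread
    bind xx.xx.xx.xx:443 ssl crt /etc/haproxy/PLACEHOLDER.pem ciphers AES128+EECDH:AES128+EDH no-sslv3 no-tls-tickets

    # Same counters as the posted configuration, keyed by client IP.
    stick-table type ip size 100k expire 30s store gpc0,conn_cur,conn_rate(3s),http_req_rate(10s),http_err_rate(10s)

    # Known-good sources skip the limits entirely.
    tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }

    # Select (creating it if needed) the table entry for this client's IP.
    # Every sc0_* fetch below refers to this entry.
    tcp-request connection track-sc0 src

    # Connection-level limits, read from the tracked entry.
    tcp-request connection reject if { sc0_conn_cur ge 40 }
    tcp-request connection reject if { sc0_conn_rate ge 40 }

    # A client flagged on an earlier request (gpc0 > 0) is dropped before
    # HAProxy spends time parsing its HTTP request.
    tcp-request connection reject if { sc0_get_gpc0 gt 0 }

    # HTTP-level detection over the 10s windows of the table.
    acl abuse     sc0_http_req_rate ge 250
    acl abuse_err sc0_http_err_rate ge 10

    # sc0_inc_gpc0 increments the flag and returns the new value, so it is
    # always true; it only runs when the ACL before it in the same
    # condition matched, which is what turns it into "flag this client".
    acl flag_abuser sc0_inc_gpc0 gt 0

    # Flag and slow down; the flag lives as long as the table entry (30s
    # after the client's last activity), so later connections are rejected
    # by the sc0_get_gpc0 rule above.
    use_backend backend_slow_down if abuse flag_abuser
    use_backend backend_slow_down if abuse_err flag_abuser
    default_backend www-backend

backend www-backend
    mode http
    balance leastconn
    server A1 xx.xx.xx.xx:80 check
    server A2 yy.yy.yy.yy:80 check

backend backend_slow_down
    mode http
    timeout tarpit 2s
    # tarpit answers 500 by default; reuse that slot for a 429 page
    errorfile 500 /etc/haproxy/errors/429.http
    http-request tarpit
```

The `sc0_*` form also keeps working when the table is declared in another proxy (`track-sc0 src table <name>`), which the `src_*` form cannot do without a `table` argument on every fetch.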

Re: Forwarding issue

2015-08-16 Thread Roman Gelfand
Thanks for your help.  So, it appears that in certain instances a POST is
done using a relative path or URN.  The question is how do I tell haproxy
that this is related to the original URL that is found on the certificate.
Meaning, this part I need to change so that the forwarding is done based on
the CN in the certificate.  Or, perhaps, there is another way to do it.
use_backend bk_remail_cert if { ssl_fc_sni remail.mydomain.com } # content
switching based on SNI



On Thu, Aug 13, 2015 at 12:21 AM Jeff Palmer j...@palmerit.net wrote:

 The NOSRV in the logs you posted means that haproxy doesn't believe
 there is a server available on the backend to fulfill the request.

 The first request hits the bk_remail_cert backend, but the next two
 requests don't; my guess is that the requests don't match your
 use_backend requirements, and you don't have a default_backend set
 for the request to fall through, thus the NOSRV logs.




 On Wed, Aug 12, 2015 at 10:58 PM, Roman Gelfand rgelfa...@gmail.com
 wrote:
  I am not seeing a response to the following post. The apache backend
  server shows no trace of the post request, below.
 
  Aug 12 22:43:43 localhost haproxy[15606]: 38.105.236.253:59539
  [12/Aug/2015:22:43:12.935] farm_test_ssl~ bk_remail_cert/remail
  26582/0/1/3530/30113 200 1229 - -  1/1/0/0/0 0/0 POST
  /services/ajax.php/imp/poll HTTP/1.1
  Aug 12 22:43:44 localhost haproxy[15606]: 107.107.59.175:29935
  [12/Aug/2015:22:43:44.289] farm_test_ssl~ farm_test_ssl/NOSRV
  -1/-1/-1/-1/86 503 212 - - SC-- 1/1/0/0/0 0/0 POST
  /Microsoft-Server-ActiveSync?Cmd=SyncUser=ruser%40mydomain.com
 DeviceId=SEC15CCC18A02315DeviceType=SAMSUNGSMG900A
  HTTP/1.1
  Aug 12 22:43:57 localhost haproxy[15606]: 107.107.59.175:17798
  [12/Aug/2015:22:43:57.550] farm_test_ssl~ farm_test_ssl/NOSRV
  -1/-1/-1/-1/88 503 212 - - SC-- 1/1/0/0/0 0/0 POST
  /Microsoft-Server-ActiveSync?Cmd=SyncUser=ruser%40mydomain.com
 DeviceId=SEC15CCC18A02315DeviceType=SAMSUNGSMG900A
  HTTP/1.1
 
 
  this is the front-end back-end configuration
 
  frontend farm_test_ssl
mode  http
bind 0.0.0.0:443 ssl crt crt /etc/ssl/certs/remail.pem
use_backend bk_remail_cert if { ssl_fc_sni remail.mydomain.com } #
 content
  switching based on SNI
 
  backend bk_remail_cert
mode http
server remail 192.168.8.166:80 check
http-request set-header X-Forwarded-Proto https if  { ssl_fc }
 
 
 
  On Wed, Aug 12, 2015 at 5:12 PM Jeff Palmer j...@palmerit.net wrote:
 
  Describing the issues you think it's causing for haproxy would also be
  helpful.
 
  On Aug 12, 2015 4:37 PM, Baptiste bed...@gmail.com wrote:
 
  On Wed, Aug 12, 2015 at 6:34 PM, Roman Gelfand rgelfa...@gmail.com
  wrote:
   Why would the following apache directives cause problems for haproxy?
  
   RewriteRule ^/Microsoft-Server-ActiveSync /rpc.php
   [PT,L,QSA]
   RewriteRule .* -
   [E=HTTP_MS_ASPROTOCOLVERSION:%{HTTP:Ms-Asprotocolversion}]
   RewriteRule .* -
   [E=HTTP_X_MS_POLICYKEY:%{HTTP:X-Ms-Policykey}]
   RewriteRule .* -
   [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  
   Thanks in advance
 
 
  First, you say 'hi'
 
  Second, you explain your problem and what those apache rules are
  supposed to do, what type of application they are applied to and how
  this application is supposed to work.
 
  Without a bit of context, it is impossible to help!
 
  Baptiste
 
 



 --
 Jeff Palmer
 https://PalmerIT.net



Re: [PATCH] BUILD: add USE_LUA to BUILD_OPTIONS when it's used

2015-08-16 Thread Willy Tarreau
On Sun, Aug 16, 2015 at 08:27:38PM +0200, Cyril Bonté wrote:
 haproxy -vv doesn't indicate that USE_LUA was specified at compilation time.
 This is caused by the Makefile, which doesn't update BUILD_OPTIONS.

Patch applied, thank you Cyril.

Willy