LB Layout Question

2013-05-29 Thread Syd
Hi There,

I've set up a few small load balanced environments with haproxy usually 2
LB's, 2+ webservers, 1 db server.

However, I now have a client who needs the above but with an additional file
storage server for user uploads. So I'm arranging for an extra dedicated
server with several TB that will be on private network with the 2
webservers.

The client uses a custom coded CMS which allows for a path to be specified
for an upload folder for user file storage.

Any simple advice for the best method to connect a file server to the web
servers?

I'm guessing an NFS share from the 2 webservers to the 1 fileserver.
However, from a bit of research with load balanced magento setups there
seems to be a lot of negative comments about using NFS in this way.


Re: HTTP Request still gets response from the server with weight 0 and src persistence

2013-05-29 Thread Godbach

Hi Baptiste

Thanks for your reply.

I am using the balance roundrobin algorithm and sticking on src, not the
balance source algorithm. The configuration has been presented in my
first mail as below:


  backend pool
  balance roundrobin
  stick-table type ip size 200k expire 600s
  stick on src
  server 1 10.128.7.1:80 id 1 cookie srv1 weight 1 maxconn 0 slowstart 0s
  server 2 10.128.7.2:80 id 2 cookie srv2 weight 1 maxconn 0 slowstart 0s


Best Regards,
Godbach

On 2013/5/29 13:35, Baptiste wrote:

Hi Godbach,

Before reading HAProxy source code, it is worth reading its
configuration guide for the options you use.
I.e., the balance source algorithm would tell you that:

  This algorithm is static by default, which means that changing a
server's weight on the fly will have no effect, but this can be
changed using hash-type.

Please update your configuration following the recommendation above
and let us know your feedback.

Baptiste



On Wed, May 29, 2013 at 5:22 AM, Godbach nylzhao...@gmail.com wrote:

Hi, all

It is expected that new http request will not get response from the
server of which weight was changed to 0. It cannot work well with
persistence on src but work well without the persistence in latest
snapshot.

There are two servers in my backend, and persistence on src ip has been
enabled in backend. The configuration in backend as below:

 backend pool
 balance roundrobin
 stick-table type ip size 200k expire 600s
 stick on src
 server 1 10.128.7.1:80 id 1 cookie srv1 weight 1 maxconn 0 slowstart 0s
 server 2 10.128.7.2:80 id 2 cookie srv2 weight 1 maxconn 0 slowstart 0s

During continuous http request with the same client, the stick table as
below:
 # table: pool, type: ip, size:204800, used:1
 0x17d2284: key=172.22.16.250 use=0 exp=599095 server_id=1
Then I set weight of server 1 to 0 use command as below:
 set weight pool/1 0
And I get the weight of server 1 with command:
 get weight pool/1
The result is
 0 (initial 1)
So I think I have set the weight of server 1 to 0 successfully. But the
response still comes from server 1 which server 2 is expected. And the
stick table keeps the same.

I review the code of process_sticking_rules() in session.c. The codes
when server is found as below:

1403         ptr = stktable_data_ptr(rule->table.t, ts, STKTABLE_DT_SERVER_ID);
1404         node = eb32_lookup(&px->conf.used_server_id, stktable_data_cast(ptr, server_id));
1405         if (node) {
1406             struct server *srv;
1407
1408             srv = container_of(node, struct server, conf.id);
1409             if ((srv->state & SRV_RUNNING) ||
1410                 (px->options & PR_O_PERSIST) ||
1411                 (s->flags & SN_FORCE_PRST)) {
1412                 s->flags |= SN_DIRECT | SN_ASSIGNED;
1413                 s->target = &srv->obj_type;
1414             }
1415         }
1416     }
1417     stktable_touch(rule->table.t, ts, 1);

Line 1409 used (srv->state & SRV_RUNNING) to check the server status.
If I use srv_is_usable() instead, such as below:
-if ((srv-state  SRV_RUNNING) ||
+if (srv_is_usable(srv-state, srv-eweight) ||
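Review bot: the `+` line applies the weight test to clients that already have a stick-table entry, so a server whose eweight is 0 stops receiving its existing persistent clients, not only new ones. If setting the weight to zero is meant to let stuck sessions finish on that server while new traffic goes elsewhere, keep the SRV_RUNNING test on this path and take the server out of service by other means when a hard cut-off is wanted. Either way, a comment next to the condition should say which of the two behaviours is intended.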

The new request will get response from server 2 once the weight of
server 1 is set to 0. But it seems to be just a workaround.

Since the manual of haproxy about 'set weight' says that:
A typical usage of this command is to disable a server during an update
by setting its weight to zero.

I am wondering whether the flag SRV_RUNNING of server should be
cleared or not when its weight is set to 0.

--
Best Regards,
Godbach






--
Best Regards,
Godbach



Re: LB Layout Question

2013-05-29 Thread joris dedieu
Hi Syd,
 I'm guessing an NFS share from the 2 webservers to the 1 fileserver.
 However, from a bit of research with load balanced magento setups there seems 
 to be a lot of negative comments about using NFS in this way.

It's always better to avoid NFS as it introduces a point of failure.
Sometimes just syncing the files on both servers with rsync / unison /
snapshots / whatever is preferable (it strongly depends on the number
of files and the number of file changes). A crashy NFS server can
leave inconsistent mount points on the webservers.

Anyway it works but you must qualify your server and client version
and setups before turning it in production. Avoid lockd unless it's
absolutely necessary, enable jumbo frames, find the good rsize, wsize,
check and recheck your disks health, your raids settings, your IO
performances. If possible, use varnish on the web servers for caching
static content or serve the static files directly from the file
server using nginx. Never forget that NFS is slow.

Joris


2013/5/29 Syd s...@summerwinter.com:
 Hi There,

 I've set up a few small load balanced environments with haproxy usually 2
 LB's, 2+ webservers, 1 db server.

 However, I now have a client who needs the above but with an additional file
 storage server for user uploads. So I'm arranging for an extra dedicated
 server with several TB that will be on private network with the 2
 webservers.

 The client uses a custom coded CMS which allows for a path to be specified
 for an upload folder for user file storage.

 Any simple advice for the best method to connect a file server to the web
 servers?

 I'm guessing an NFS share from the 2 webservers to the 1 fileserver.
 However, from a bit of research with load balanced magento setups there
 seems to be a lot of negative comments about using NFS in this way.






Block clients based on header in real time?

2013-05-29 Thread Ricardo Fraile
Hello,


   I'm looking for a solution for blocking users based on a header,
x-forwarded-for. I already have an ACL for this, but is it possible to update the
list of IPs without restarting haproxy?


Thanks,



403 - Forbidden: Access is denied with IIS7

2013-05-29 Thread K G V S Prasad
Hi all,

I am using HAProxy 1.4.23. I am getting *sometimes* following error while
trying to access status page of HAProxy

403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the
credentials that you supplied.

This problem not coming while the target webserver running on Windows 2008
or Linux. Please share your suggestions regarding how to overcome this
issue. It is observed that HTTP request log of web server showing logs
related to / ?stats requests. I am expecting this request should be
processed at haproxy layer and should not be forwarded to web server. This
is just an observation.

HAProxy Configuration is as follows

global
    daemon
    maxconn 256

defaults
    mode http
    timeout connect 5000ms
    timeout client 5ms
    timeout server 5ms

frontend http-in
    bind *:80
    default_backend servers

backend servers
    server server1 10.132.69.53:9459 check inter 500 fall 3 rise 2
    stats uri /?stats


Regards,
Prasad.


Re: 403 - Forbidden: Access is denied with IIS7

2013-05-29 Thread Baptiste
Hi Prasad.

You're in tunnel mode, so I guess the stats URI pass through haproxy
without being analyzed.
Maybe you need tunnel mode because of NTLM, and so the only way to
have access to the stats URL would be to use a different frontend/backend
dedicated to stats only on a different port.
Or maybe set up a different Host header. Your browser is supposed to
use a different TCP connection to the same HAProxy for each hostname
you're using.

Baptiste

On Wed, May 29, 2013 at 2:27 PM, K G V S Prasad kpra...@cordys.com wrote:
 Hi all,

 I am using HAProxy 1.4.23. I am getting sometimes following error while
 trying to access status page of HAProxy

 403 - Forbidden: Access is denied.

 You do not have permission to view this directory or page using the
 credentials that you supplied.


 This problem not coming while the target webserver running on Windows 2008
 or Linux. Please share your suggestions regarding how to overcome this
 issue. It is observed that HTTP request log of web server showing logs
 related to / ?stats requests. I am expecting this request should be
 processed at haproxy layer and should not be forwarded to web server. This
 is just an observation.

 HAProxy Configuration is as follows

 global
     daemon
     maxconn 256

 defaults
     mode http
     timeout connect 5000ms
     timeout client 5ms
     timeout server 5ms

 frontend http-in
     bind *:80
     default_backend servers

 backend servers
     server server1 10.132.69.53:9459 check inter 500 fall 3 rise 2
     stats uri /?stats


 Regards,
 Prasad.



Re: HTTP Request still gets response from the server with weight 0 and src persistence

2013-05-29 Thread Baptiste
AH, sorry, my mistake.
I read your mail too quickly.

Baptiste

On Wed, May 29, 2013 at 9:18 AM, Godbach nylzhao...@gmail.com wrote:
 Hi Baptiste

 Thanks for your reply.

 I am using the balance roundrobin algorithm and sticking on src, not the
 balance source algorithm. The configuration has been presented in my first
 mail as below:


  backend pool
  balance roundrobin
  stick-table type ip size 200k expire 600s
  stick on src
  server 1 10.128.7.1:80 id 1 cookie srv1 weight 1 maxconn 0 slowstart 0s
  server 2 10.128.7.2:80 id 2 cookie srv2 weight 1 maxconn 0 slowstart 0s


 Best Regards,
 Godbach


 On 2013/5/29 13:35, Baptiste wrote:

 Hi Godbach,

 Before reading HAProxy source code, it is worth reading its
 configuration guide for the options you use.
 I.e., the balance source algorithm would tell you that:

   This algorithm is static by default, which means that changing a
 server's weight on the fly will have no effect, but this can be
 changed using hash-type.

 Please update your configuration following the recommendation above
 and let us know your feedback.

 Baptiste



 On Wed, May 29, 2013 at 5:22 AM, Godbach nylzhao...@gmail.com wrote:

 Hi, all

 It is expected that new http request will not get response from the
 server of which weight was changed to 0. It cannot work well with
 persistence on src but work well without the persistence in latest
 snapshot.

 There are two servers in my backend, and persistence on src ip has been
 enabled in backend. The configuration in backend as below:

  backend pool
  balance roundrobin
  stick-table type ip size 200k expire 600s
  stick on src
  server 1 10.128.7.1:80 id 1 cookie srv1 weight 1 maxconn 0 slowstart 0s
  server 2 10.128.7.2:80 id 2 cookie srv2 weight 1 maxconn 0 slowstart 0s

 During continuous http request with the same client, the stick table as
 below:
  # table: pool, type: ip, size:204800, used:1
  0x17d2284: key=172.22.16.250 use=0 exp=599095 server_id=1
 Then I set weight of server 1 to 0 use command as below:
  set weight pool/1 0
 And I get the weight of server 1 with command:
  get weight pool/1
 The result is
  0 (initial 1)
 So I think I have set the weight of server 1 to 0 successfully. But the
 response still comes from server 1 which server 2 is expected. And the
 stick table keeps the same.

 I review the code of process_sticking_rules() in session.c. The codes
 when server is found as below:

 1403         ptr = stktable_data_ptr(rule->table.t, ts, STKTABLE_DT_SERVER_ID);
 1404         node = eb32_lookup(&px->conf.used_server_id, stktable_data_cast(ptr, server_id));
 1405         if (node) {
 1406             struct server *srv;
 1407
 1408             srv = container_of(node, struct server, conf.id);
 1409             if ((srv->state & SRV_RUNNING) ||
 1410                 (px->options & PR_O_PERSIST) ||
 1411                 (s->flags & SN_FORCE_PRST)) {
 1412                 s->flags |= SN_DIRECT | SN_ASSIGNED;
 1413                 s->target = &srv->obj_type;
 1414             }
 1415         }
 1416     }
 1417     stktable_touch(rule->table.t, ts, 1);

 Line 1409 used (srv->state & SRV_RUNNING) to check the server status.
 If I use srv_is_usable() instead, such as below:
 -if ((srv-state  SRV_RUNNING) ||
 +if (srv_is_usable(srv-state, srv-eweight) ||

 The new request will get response from server 2 once the weight of
 server 1 is set to 0. But it seems to be just a workaround.

 Since the manual of haproxy about 'set weight' says that:
 A typical usage of this command is to disable a server during an update
 by setting its weight to zero.

 I am wondering whether the flag SRV_RUNNING of server should be
 cleared or not when its weight is set to 0.

 --
 Best Regards,
 Godbach




 --
 Best Regards,
 Godbach



Re: Block clients based on header in real time?

2013-05-29 Thread Baptiste
Hi,

With latest HAProxy version, you could use a stick table and insert
IPs in the stick table through HAProxy socket.
Then you can ban all IPs from the stick table.

Baptiste


On Wed, May 29, 2013 at 1:05 PM, Ricardo Fraile rfra...@yahoo.es wrote:
 Hello,


 I'm looking for a solution for blocking users based on a header,
 x-forwarded-for. I already have an ACL for this, but is it possible to update the
 list of IPs without restarting haproxy?


 Thanks,
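
One way to do what Baptiste describes, as an added example (not code from the thread or from the HAProxy project): a small Python helper that validates a ban list and turns it into stick-table commands for the admin socket. The table name `st_banned`, the socket path, the HAProxy configuration shown in the comment (HAProxy 1.5 or later is assumed) and the sample `show table` dump are all assumptions made for the example.

```python
import ipaddress
import socket

# Assumed HAProxy side (1.5 or later); names and paths are hypothetical:
#
#   global
#       stats socket /var/run/haproxy.sock mode 600 level admin
#   backend st_banned
#       stick-table type ip size 100k expire 24h store gpc0
#   frontend http-in
#       # -1 = last X-Forwarded-For value, the one added by the nearest proxy.
#       # Only meaningful when a trusted proxy in front of HAProxy sets it.
#       http-request deny if { req.hdr_ip(X-Forwarded-For,-1),in_table(st_banned) }

TABLE = "st_banned"
SOCKET_PATH = "/var/run/haproxy.sock"

# Constructed sample of "show table st_banned" output (same layout as the
# table dump quoted elsewhere on this page).
SAMPLE_DUMP = """\
# table: st_banned, type: ip, size:102400, used:2
0x1a2b3c0: key=203.0.113.7 use=0 exp=86391000 gpc0=1
0x1a2b4d8: key=192.0.2.44 use=0 exp=43200000 gpc0=1
"""


def clean_ip(value):
    """Return the canonical IPv4 string or raise ValueError.

    The admin socket accepts several commands separated by ';', so a ban
    list taken from logs or a ticket must never reach it unvalidated.
    """
    return str(ipaddress.IPv4Address(value.strip()))


def ban_command(ip, table=TABLE):
    """Command that creates (or refreshes) the entry for one address."""
    return "set table %s key %s data.gpc0 1" % (table, clean_ip(ip))


def unban_command(ip, table=TABLE):
    """Command that removes one address from the table."""
    return "clear table %s key %s" % (table, clean_ip(ip))


def parse_show_table(text):
    """Parse 'show table <name>' output into {key: {field: value}}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _, _, rest = line.partition(": ")
        fields = dict(f.split("=", 1) for f in rest.split() if "=" in f)
        if "key" in fields:
            entries[fields.pop("key")] = fields
    return entries


def plan_sync(wanted, current_dump, table=TABLE):
    """Commands that make the table hold exactly the wanted addresses."""
    wanted = {clean_ip(ip) for ip in wanted}
    present = set(parse_show_table(current_dump))
    commands = [ban_command(ip, table) for ip in sorted(wanted - present)]
    commands += [unban_command(ip, table) for ip in sorted(present - wanted)]
    return commands


def send(command, path=SOCKET_PATH):
    """Send one command to the admin socket and return the reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)
        sock.sendall(command.encode("ascii") + b"\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", "replace")


if __name__ == "__main__":
    # Dry run against the constructed dump; on a live system use
    # send("show table " + TABLE) as the dump and send() each command.
    for cmd in plan_sync(["203.0.113.7", "198.51.100.23"], SAMPLE_DUMP):
        print(cmd)
```

No reload is involved: each command changes the running table, and entries age out after the table's `expire` time unless they are set again.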




Re: HTTP Request still gets response from the server with weight 0 and src persistence

2013-05-29 Thread Godbach

Hi Baptiste

It doesn't matter. :-)

When the weight of server is set to 0 with the balance roundrobin
algorithm, srv->eweight is updated to 0 and
fwrr_update_server_weight() (lb_fwrr.c) will be called as below:

static void fwrr_update_server_weight(struct server *srv)
{
    ...
    old_state = srv_is_usable(srv->prev_state, srv->prev_eweight);
    new_state = srv_is_usable(srv->state, srv->eweight);

    if (!old_state && !new_state) {
        srv->prev_state = srv->state;
        srv->prev_eweight = srv->eweight;
        return;
    }
    else if (!old_state && new_state) {
        fwrr_set_server_status_up(srv);
        return;
    }
    else if (old_state && !new_state) {
        fwrr_set_server_status_down(srv);
        return;
    }
    ...
}

Since srv->eweight is 0, new_state should be also 0, then
fwrr_set_server_status_down() will be called.
At the end the server will be removed from weight tree by
fwrr_dequeue_srv() and lb_tree by fwrr_remove_from_tree().
But the srv->state has not been updated, still keeps in SRV_RUNNING. As
a result, when the same server is selected by
sticking rules, it will be used again.



AH, sorry, my mistake.
I read your mail too quickly.

Baptiste

On Wed, May 29, 2013 at 9:18 AM, Godbach nylzhao...@gmail.com wrote:

Hi Baptiste

Thanks for your reply.

I am using the balance roundrobin algorithm and sticking on src, not the
balance source algorithm. The configuration has been presented in my first
mail as below:



  backend pool
  balance roundrobin
  stick-table type ip size 200k expire 600s
  stick on src
  server 1 10.128.7.1:80 id 1 cookie srv1 weight 1 maxconn 0 slowstart 0s
  server 2 10.128.7.2:80 id 2 cookie srv2 weight 1 maxconn 0 slowstart 0s


Best Regards,
Godbach


On 2013/5/29 13:35, Baptiste wrote:

Hi Godbach,

Before reading HAProxy source code, it is worth reading its
configuration guide for the options you use.
I.e., the balance source algorithm would tell you that:

   This algorithm is static by default, which means that changing a
server's weight on the fly will have no effect, but this can be
changed using hash-type.

Please update your configuration following the recommendation above
and let us know your feedback.

Baptiste



On Wed, May 29, 2013 at 5:22 AM, Godbach nylzhao...@gmail.com wrote:

Hi, all

It is expected that new http request will not get response from the
server of which weight was changed to 0. It cannot work well with
persistence on src but work well without the persistence in latest
snapshot.

There are two servers in my backend, and persistence on src ip has been
enabled in backend. The configuration in backend as below:

  backend pool
  balance roundrobin
  stick-table type ip size 200k expire 600s
  stick on src
  server 1 10.128.7.1:80 id 1 cookie srv1 weight 1 maxconn 0 slowstart 0s
  server 2 10.128.7.2:80 id 2 cookie srv2 weight 1 maxconn 0 slowstart 0s

During continuous http request with the same client, the stick table as
below:
  # table: pool, type: ip, size:204800, used:1
  0x17d2284: key=172.22.16.250 use=0 exp=599095 server_id=1
Then I set weight of server 1 to 0 use command as below:
  set weight pool/1 0
And I get the weight of server 1 with command:
  get weight pool/1
The result is
  0 (initial 1)
So I think I have set the weight of server 1 to 0 successfully. But the
response still comes from server 1 which server 2 is expected. And the
stick table keeps the same.

I review the code of process_sticking_rules() in session.c. The codes
when server is found as below:

1403         ptr = stktable_data_ptr(rule->table.t, ts, STKTABLE_DT_SERVER_ID);
1404         node = eb32_lookup(&px->conf.used_server_id, stktable_data_cast(ptr, server_id));
1405         if (node) {
1406             struct server *srv;
1407
1408             srv = container_of(node, struct server, conf.id);
1409             if ((srv->state & SRV_RUNNING) ||
1410                 (px->options & PR_O_PERSIST) ||
1411                 (s->flags & SN_FORCE_PRST)) {
1412                 s->flags |= SN_DIRECT | SN_ASSIGNED;
1413                 s->target = &srv->obj_type;
1414             }
1415         }
1416     }
1417     stktable_touch(rule->table.t, ts, 1);

Line 1409 used (srv->state & SRV_RUNNING) to check the server status.
If I use srv_is_usable() instead, such as below:
-if ((srv-state  SRV_RUNNING) ||
+if (srv_is_usable(srv-state, srv-eweight) ||

The new request will get response from server 2 once the weight of
server 1 is set to 0. But it seems to be just a workaround.

Since the manual of haproxy about 'set weight' says that:
A typical usage of this command is to disable 

Re: HTTP Request still gets response from the server with weight 0 and src persistence

2013-05-29 Thread Baptiste
Actually, this is the purpose of dropping a weight to 0: being able to
maintain sticky sessions.
If you want to shutdown rudely your server, preventing everybody to
access it, use the disable keyword.

Baptiste


On Wed, May 29, 2013 at 5:55 PM, Godbach nylzhao...@gmail.com wrote:
 Hi Baptiste

 It doesn't matter. :-)

 When the weight of server is set to 0 with the balance roundrobin algorithm,
 srv->eweight is updated to 0 and
 fwrr_update_server_weight() (lb_fwrr.c) will be called as below:

 static void fwrr_update_server_weight(struct server *srv)
 {
     ...
     old_state = srv_is_usable(srv->prev_state, srv->prev_eweight);
     new_state = srv_is_usable(srv->state, srv->eweight);

     if (!old_state && !new_state) {
         srv->prev_state = srv->state;
         srv->prev_eweight = srv->eweight;
         return;
     }
     else if (!old_state && new_state) {
         fwrr_set_server_status_up(srv);
         return;
     }
     else if (old_state && !new_state) {
         fwrr_set_server_status_down(srv);
         return;
     }
     ...
 }

 Since srv->eweight is 0, new_state should be also 0, then
 fwrr_set_server_status_down() will be called.
 At the end the server will be removed from weight tree by fwrr_dequeue_srv()
 and lb_tree by fwrr_remove_from_tree().
 But the srv->state has not been updated, still keeps in SRV_RUNNING. As a
 result, when the same server is selected by
 sticking rules, it will be used again.



 AH, sorry, my mistake.
 I read your mail too quickly.

 Baptiste

 On Wed, May 29, 2013 at 9:18 AM, Godbach nylzhao...@gmail.com wrote:

 Hi Baptiste

 Thanks for your reply.

 I am using the balance roundrobin algorithm and sticking on src, not the
 balance source algorithm. The configuration has been presented in my
 first mail as below:


   backend pool
   balance roundrobin
   stick-table type ip size 200k expire 600s
   stick on src
   server 1 10.128.7.1:80 id 1 cookie srv1 weight 1 maxconn 0 slowstart 0s
   server 2 10.128.7.2:80 id 2 cookie srv2 weight 1 maxconn 0 slowstart 0s

 Best Regards,
 Godbach


 On 2013/5/29 13:35, Baptiste wrote:

 Hi Godbach,

 Before reading HAProxy source code, it is worth reading its
 configuration guide for the options you use.
 I.e., the balance source algorithm would tell you that:

   This algorithm is static by default, which means that changing a
 server's weight on the fly will have no effect, but this can be
 changed using hash-type.

 Please update your configuration following the recommendation above
 and let us know your feedback.

 Baptiste



 On Wed, May 29, 2013 at 5:22 AM, Godbach nylzhao...@gmail.com wrote:

 Hi, all

 It is expected that new http request will not get response from the
 server of which weight was changed to 0. It cannot work well with
 persistence on src but work well without the persistence in latest
 snapshot.

 There are two servers in my backend, and persistence on src ip has been
 enabled in backend. The configuration in backend as below:

   backend pool
   balance roundrobin
   stick-table type ip size 200k expire 600s
   stick on src
   server 1 10.128.7.1:80 id 1 cookie srv1 weight 1 maxconn 0 slowstart 0s
   server 2 10.128.7.2:80 id 2 cookie srv2 weight 1 maxconn 0 slowstart 0s

 During continuous http request with the same client, the stick table as
 below:
   # table: pool, type: ip, size:204800, used:1
   0x17d2284: key=172.22.16.250 use=0 exp=599095 server_id=1
 Then I set weight of server 1 to 0 use command as below:
   set weight pool/1 0
 And I get the weight of server 1 with command:
   get weight pool/1
 The result is
   0 (initial 1)
 So I think I have set the weight of server 1 to 0 successfully. But the
 response still comes from server 1 which server 2 is expected. And the
 stick table keeps the same.

 I review the code of process_sticking_rules() in session.c. The codes
 when server is found as below:

 1403         ptr = stktable_data_ptr(rule->table.t, ts, STKTABLE_DT_SERVER_ID);
 1404         node = eb32_lookup(&px->conf.used_server_id, stktable_data_cast(ptr, server_id));
 1405         if (node) {
 1406             struct server *srv;
 1407
 1408             srv = container_of(node, struct server, conf.id);
 1409             if ((srv->state & SRV_RUNNING) ||
 1410                 (px->options & PR_O_PERSIST) ||
 1411                 (s->flags & SN_FORCE_PRST)) {
 1412                 s->flags |= SN_DIRECT | SN_ASSIGNED;
 1413                 s->target = &srv->obj_type;
 1414             }
 1415         }
 1416     }
 1417     stktable_touch(rule->table.t, ts, 1);

 Line 1409 used (srv->state & SRV_RUNNING) to check the 

Re: HTTP Request still gets response from the server with weight 0 and src persistence

2013-05-29 Thread Godbach

Hi Baptiste

Yeah, I got it. Thank you very much for your explanation.

Best Regards,
Godbach


Actually, this is the purpose of dropping a weight to 0: being able to
maintain sticky sessions.
If you want to shutdown rudely your server, preventing everybody to
access it, use the disable keyword.

Baptiste
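
The behaviour settled in this thread, as an added example that is not part of the original messages or of HAProxy's source: a simplified Python model of the two selection paths (stick-table lookup first, then round robin) showing what weight 0 does to an already stuck client and to a new one, next to Godbach's proposed check and a server that is no longer running. The flag value, the class layout, the body of `srv_is_usable()` and the second client address are assumptions; the PR_O_PERSIST and SN_FORCE_PRST overrides are left out.

```python
from dataclasses import dataclass

SRV_RUNNING = 0x1   # flag name from the thread; the value is illustrative


@dataclass
class Server:
    sid: int
    state: int = SRV_RUNNING
    eweight: int = 1


def srv_is_usable(state, eweight):
    """Assumed behaviour of the helper named in the thread: the server must
    be running and have a non-zero effective weight."""
    return bool(state & SRV_RUNNING) and eweight > 0


class Backend:
    """Two selection paths: stick-table lookup first, then round robin."""

    def __init__(self, servers, strict_sticking=False):
        self.servers = {s.sid: s for s in servers}
        self.stick = {}                       # "stick on src": src -> server id
        self.strict_sticking = strict_sticking
        self._turn = 0

    def _sticky_allowed(self, srv):
        if self.strict_sticking:              # the change proposed in the thread
            return srv_is_usable(srv.state, srv.eweight)
        return bool(srv.state & SRV_RUNNING)  # the test at line 1409

    def _round_robin(self):
        # Weight-0 servers have left the load-balancing tree, so skip them.
        pool = [s for s in self.servers.values()
                if srv_is_usable(s.state, s.eweight)]
        if not pool:
            return None
        srv = pool[self._turn % len(pool)]
        self._turn += 1
        return srv

    def route(self, src):
        """Return the id of the server that answers a request from src."""
        sid = self.stick.get(src)
        if sid is not None and self._sticky_allowed(self.servers[sid]):
            return sid
        srv = self._round_robin()
        if srv is None:
            return None
        self.stick[src] = srv.sid             # store the new association
        return srv.sid


def scenario(strict_sticking=False, server_down=False):
    """Return (stuck client before, stuck client after, new client after)."""
    be = Backend([Server(1), Server(2)], strict_sticking)
    stuck = "172.22.16.250"                   # key from the thread's table dump
    before = be.route(stuck)
    if server_down:
        # Model assumption: a server taken out of service loses SRV_RUNNING.
        be.servers[1].state &= ~SRV_RUNNING
    else:
        be.servers[1].eweight = 0             # "set weight pool/1 0"
    after = be.route(stuck)
    newcomer = be.route("198.51.100.7")       # constructed second client
    return before, after, newcomer


if __name__ == "__main__":
    print("weight 0, check as in the source:", scenario())
    print("weight 0, proposed check        :", scenario(strict_sticking=True))
    print("server no longer running        :", scenario(server_down=True))
```

With the check as quoted from the source, weight 0 drains the server: the stuck client stays on server 1 while the new client goes to server 2. The other two cases move the stuck client as well.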





Re: Haproxy issues with rspirep

2013-05-29 Thread Cyril Bonté

Hi Syed,

On 29/05/2013 21:12, s...@siezeconsulting.com wrote:

Hello,

rspirep ^Location:\ http://(.*):80(.*) Location:\ https://\1:443\2 if { ssl_fc }

The above works but the following doesn't (Location URL is unchanged ) why ?

rspirep ^Location:\ http://(.*):80(.*)  Location:\ http://172.17.25.100:8080\2 if { ssl_fc }


There's a lack of details. One configuration line is not enough to 
understand what you want to achieve. It will be hard to help you.


Can you explain your needs and provide your whole configuration (please 
remove any sensitive data, such as passwords, IPs, ...) ?


Are you sure you really want the ssl_fc condition here ?




Reference :
http://blog.exceliance.fr/2013/02/26/ssl-offloading-impact-on-web-applications/


Regards
Syed



--
Cyril Bonté



Re: Haproxy issues with rspirep

2013-05-29 Thread David Coulson
What version? I had a similar issue with dev17. 

Sent from my iPad

On May 29, 2013, at 3:12 PM, s...@siezeconsulting.com 
s...@siezeconsulting.com wrote:

 Hello,
 
 rspirep ^Location:\ http://(.*):80(.*)  Location:\ https://\1:443\2   if  { ssl_fc }
 
 The above works but the following doesn't (Location URL is unchanged ) why ?
 
 
 rspirep ^Location:\ http://(.*):80(.*)  Location:\ http://172.17.25.100:8080\2   if  { ssl_fc }
 
 
 Reference : 
 http://blog.exceliance.fr/2013/02/26/ssl-offloading-impact-on-web-applications/
 
 
 Regards
 Syed


Re: Haproxy issues with rspirep

2013-05-29 Thread s...@siezeconsulting.com
Hi Cyril ,

Sorry for the brevity.

Haproxy IP = 172.17.25.100 (fiction IP for clarity)
Application server hostname = openamHost
Application server IP = 172.17.25.101
Url for ssl offload access https://192.168.0.1/sso/Login

Configured haproxy to ssl offload a tomcat based application running on port
8080 (OpenAm specifically).

SSL offload happens, traffic is sent to port 8080 but the application sends a
redirect URL in return as the following

Problematic URL : http://172.17.25.99:80/sso/Login


I used the following directive in the frontend of the haproxy configuration


rspirep ^Location:\ http://(.*):80(.*)  Location:\ http://172.17.25.100:8080\2 if { ssl_fc }


Generic problem : Haproxy would capture I assumed the problematic URL and
replace it with whatever happens to be my custom URL?


Specific requirement: The application is wrongly sending the redirect URL,
I would ideally want to capture any HTTP url and convert into
HTTPS so that haproxy can again re-route it to port 8080 after decryption each
time.

Finally my simple requirement is to be able to control rewriting URLs at
haproxy.


haproxy.cfg

frontend  secured *:443
   mode  tcp
   SSL CERT BLAH BLAH

   rspirep ^Location:\ http://(.*):80(.*)  Location:\ http://172.17.25.100:8080\2 if { ssl_fc }

   default_backend  app

#-
# round robin balancing between the various backends
#-
backend app
   mode  tcp
   balance roundrobin
   server  app1 172.17.25.101:8080 check

Hope I haven't complicated the problem this time :-)


Regards
Syed 






From: Cyril Bonté <cyril.bo...@free.fr>
Sent: Thu, 30 May 2013 01:15:45
To: s...@siezeconsulting.com <s...@siezeconsulting.com>
Cc: haproxy@formilux.org <haproxy@formilux.org>
Subject: Re: Haproxy issues with rspirep
Hi Syed,

On 29/05/2013 21:12, s...@siezeconsulting.com wrote:
> Hello,
>
> rspirep ^Location:\ http://(.*):80(.*) Location:\ https://\1:443\2 if { ssl_fc }
>
> The above works but the following doesn't (Location URL is unchanged ) why ?
>
> rspirep ^Location:\ http://(.*):80(.*)  Location:\ http://172.17.25.100:8080\2 if { ssl_fc }

There's a lack of details. One configuration line is not enough to
understand what you want to achieve. It will be hard to help you.

Can you explain your needs and provide your whole configuration (please
remove any sensitive data, such as passwords, IPs, ...) ?

Are you sure you really want the ssl_fc condition here ?

>
>
> Reference :
> http://blog.exceliance.fr/2013/02/26/ssl-offloading-impact-on-web-applications/
>
>
> Regards
> Syed

--
Cyril Bonté



Re: Haproxy issues with rspirep

2013-05-29 Thread s...@siezeconsulting.com
Agreed since all requests coming in are ssl on port 443, if {ssl_fc} isn't
required I guess.

From: Cyril Bonté <cyril.bo...@free.fr>
Sent: Thu, 30 May 2013 01:15:45
To: s...@siezeconsulting.com <s...@siezeconsulting.com>
Cc: haproxy@formilux.org <haproxy@formilux.org>
Subject: Re: Haproxy issues with rspirep
Hi Syed,

On 29/05/2013 21:12, s...@siezeconsulting.com wrote:
> Hello,
>
> rspirep ^Location:\ http://(.*):80(.*) Location:\ https://\1:443\2 if { ssl_fc }
>
> The above works but the following doesn't (Location URL is unchanged ) why ?
>
> rspirep ^Location:\ http://(.*):80(.*)  Location:\ http://172.17.25.100:8080\2 if { ssl_fc }

There's a lack of details. One configuration line is not enough to
understand what you want to achieve. It will be hard to help you.

Can you explain your needs and provide your whole configuration (please
remove any sensitive data, such as passwords, IPs, ...) ?

Are you sure you really want the ssl_fc condition here ?

>
>
> Reference :
> http://blog.exceliance.fr/2013/02/26/ssl-offloading-impact-on-web-applications/
>
>
> Regards
> Syed

--
Cyril Bonté



Re: Haproxy issues with rspirep

2013-05-29 Thread s...@siezeconsulting.com
Hi David,

dev18

From: David Coulson <da...@davidcoulson.net>
Sent: Thu, 30 May 2013 01:34:31
To: s...@siezeconsulting.com <s...@siezeconsulting.com>
Cc: haproxy@formilux.org <haproxy@formilux.org>
Subject: Re: Haproxy issues with rspirep
 What version? I had a similar issue with dev17.

Sent from my iPad
On May 29, 2013, at 3:12 PM, s...@siezeconsulting.com
<s...@siezeconsulting.com> wrote:

Hello,

rspirep ^Location:\ http://(.*):80(.*)  Location:\ https://\1:443\2   if  { ssl_fc }

The above works but the following doesn't (Location URL is unchanged ) why ?


rspirep ^Location:\ http://(.*):80(.*)  Location:\ http://172.17.25.100:8080\2   if  { ssl_fc }


Reference : 
http://blog.exceliance.fr/2013/02/26/ssl-offloading-impact-on-web-applications/


Regards
Syed
  


Re: Haproxy issues with rspirep

2013-05-29 Thread David Coulson
Does rspirep work with tcp? Does it not need to be using HTTP mode?

David


On May 29, 2013, at 4:28 PM, s...@siezeconsulting.com wrote:

 Hi Cyril ,
 
 Sorry for the brevity .
 
 Haproxy IP = 172.17.25.100 ( fiction IP for clarity)
 Application server hostname = openamHost
 Application server IP = 172.17.25.101
 Url for ssl offload access https://192.168.0.1/sso/Login
 
 Configured haproxy to ssl offload a tomcat based application running on port 
 8080 (OpenAm specifically).
 
 SSL offload happens , traffic is sent to port 8080 but the application sends 
 a redirect URL in return as the following 
 
 Problematic URL : http://172.17.25.99:80/sso/Login 
 
 
 I used the following directive in the frontend of the haproxy configuration
 
 
 rspirep ^Location:\ http://(.*):80(.*)  Location:\ http://172.17.25.100:8080\2 if { ssl_fc }
 
 
 Generic problem : Haproxy would capture I assumed the problematic URL and
 replace it with whatever happens to be my custom URL?
 
 
  Specific requirement: The application is wrongly sending the redirect URL , 
 I would ideally want to capture any HTTP url and convert into
 HTTPS so that haproxy can again re-route it to port 8080 after decryption 
 each time.
 
 Finally my simple requirement is to be able to control rewriting URLs at 
 haproxy .
 
 
 haproxy.cfg
 
 frontend  secured *:443
    mode  tcp
    SSL CERT BLAH BLAH

    rspirep ^Location:\ http://(.*):80(.*)  Location:\ http://172.17.25.100:8080\2 if { ssl_fc }

    default_backend  app

 #-
 # round robin balancing between the various backends
 #-
 backend app
    mode  tcp
    balance roundrobin
    server  app1 172.17.25.101:8080 check
 
 
 Hope I haven't complicated the problem this time :-)
 
 
 Regards
 Syed 
 
 
 
 
 
 
 From: Cyril Bonté cyril.bo...@free.fr
 Sent: Thu, 30 May 2013 01:15:45 
 To: s...@siezeconsulting.com s...@siezeconsulting.com
 Cc: haproxy@formilux.org haproxy@formilux.org
 Subject: Re: Haproxy issues with rspirep
 Hi Syed,
 
 On 29/05/2013 21:12, s...@siezeconsulting.com wrote:
  Hello,
 
  rspirep ^Location:\ http://(.*):80(.*) Location:\ https://\1:443\2 if { ssl_fc }
 
  The above works but the following doesn't (Location URL is unchanged ) why ?
 
  rspirep ^Location:\ http://(.*):80(.*)  Location:\ http://172.17.25.100:8080\2 if { ssl_fc }
 
 There's a lack of details. One configuration line is not enough to 
 understand what you want to achieve. It will be hard to help you.
 
 Can you explain your needs and provide your whole configuration (please 
 remove any sensitive data, such as passwords, IPs, ...) ?
 
 Are you sure you really want the ssl_fc condition here ?
 
 
 
  Reference :
  http://blog.exceliance.fr/2013/02/26/ssl-offloading-impact-on-web-applications/
 
 
  Regards
  Syed
 
 
 -- 
 Cyril Bonté



Re: Haproxy issues with rspirep

2013-05-29 Thread s...@siezeconsulting.com
Yes, http it is in my config too and not tcp (away from my server, hence
sent an unedited config for your quick reference) - apologies.

From: David Coulson <da...@davidcoulson.net>
Sent: Thu, 30 May 2013 02:10:35 
To: s...@siezeconsulting.com
Cc: Cyril Bonté <cyril.bo...@free.fr>, haproxy@formilux.org <haproxy@formilux.org>
Subject: Re: Haproxy issues with rspirep
 Does rspirep work with tcp? Does it not need to be using HTTP mode?

David


On May 29, 2013, at 4:28 PM, s...@siezeconsulting.com wrote:

Hi Cyril ,

Sorry for the brevity .

Haproxy IP = 172.17.25.100 ( fiction IP for clarity)
Application server hostname = openamHost
Application server IP = 172.17.25.101
Url for ssl offload access https://192.168.0.1/sso/Login

Configured haproxy to ssl offload a tomcat based application running on port 
8080 (OpenAm specifically).

SSL offload happens , traffic is sent to port 8080 but the application sends a 
redirect URL in return as the following 

Problematic URL : http://172.17.25.99:80/sso/Login 


I used the following directive in the frontend of the haproxy configuration


rspirep ^Location:\ http://(.*):80(.*)  Location:\  if { ssl_fc }


Generic problem: Haproxy would, I assumed, capture the problematic URL and
replace it with whatever happens to be my custom URL?

Specific requirement: The application is wrongly sending the redirect URL.
I would ideally want to capture any HTTP URL and convert it into
HTTPS so that haproxy can again re-route it to port 8080 after decryption each
time.

Finally my simple requirement is to be able to control rewriting URLs at 
haproxy .


haproxy.cfg

 if { ssl_fc }

 default_backend  app

#-
# round robin balancing between the various backends
#-
backend app
mode  tcp
balance roundrobin
server  app1 172.17.25.101:8080 check

Hope i haven't complicated the problem this time :-)


Regards
Syed 






From: Cyril Bonté  if { ssl_fc }



There's a lack of details. One configuration line is not enough to
understand what you want to achieve. It will be hard to help you.

Can you explain your needs and provide your whole configuration (please
remove any sensitive data, such as passwords, IPs, ...) ?

Are you sure you really want the ssl_fc condition here ?

>
>
> Reference :
> http://blog.exceliance.fr/2013/02/26/ssl-offloading-impact-on-web-applications/
>
>
> Regards
> Syed

-- 
Cyril Bonté
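
An added example, not part of any message in this thread: a Python approximation of how the rspirep pattern quoted above treats a few Location headers, next to a tighter pattern for comparison. Assumptions: Python's re module stands in for HAProxy's regex engine, HAProxy's "\ " is written as a plain space, the STRICT pattern and every header except the thread's "Problematic URL" are constructed for illustration.

```python
import re

# Pattern from the thread. rspirep matches case-insensitively, hence IGNORECASE.
LOOSE = re.compile(r"^Location: http://(.*):80(.*)", re.IGNORECASE)
# Hypothetical tighter pattern (not from the thread): the host may not contain
# ':' or '/', ":80" is optional, and what follows must be a path or end of line.
STRICT = re.compile(r"^Location: http://([^/:]+)(?::80)?(/.*)?$", re.IGNORECASE)


def to_https_loose(header):
    """Replacement used by the rule reported as working in the thread."""
    return LOOSE.sub(r"Location: https://\1:443\2", header, count=1)


def to_https_strict(header):
    """Same intent, but only for redirects that really target port 80."""
    return STRICT.sub(r"Location: https://\1\2", header, count=1)


def still_plain_http(headers, rule):
    """Return the rewritten headers that would still send the client to http://."""
    rewritten = [rule(h) for h in headers]
    return [h for h in rewritten if h.lower().startswith("location: http://")]


# Sample response headers. The first is the "Problematic URL" from the thread;
# the others are constructed to exercise edge cases.
SAMPLES = [
    "Location: http://172.17.25.99:80/sso/Login",
    "Location: http://openamHost:8080/sso/Login",  # ":8080" contains ":80"
    "Location: http://openamHost/sso/Login",       # no explicit port
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header)
        print("   loose :", to_https_loose(header))
        print("   strict:", to_https_strict(header))
    print("left on http by loose :", still_plain_http(SAMPLES, to_https_loose))
    print("left on http by strict:", still_plain_http(SAMPLES, to_https_strict))
```

The loose pattern turns a redirect to port 8080 into port 44380 and leaves a redirect without an explicit port on plain HTTP, so checking the rewritten Location values against real application responses is worth doing before relying on the rule.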

  


Query

2013-05-29 Thread Ayaz Ahmed
Hi Sir,
I am new to Haproxy. I have developed an application in Java with Tomcat as
the server and deployed it on EC2 and an OpenShift small gear. So I want to
scale my application and web portals with Haproxy with a minimum of 80 hits/s.
So please guide me.
Best Regards
MOHAMMED AYAZ AHMED
Software Engineer
Mobile:919036478068
Skype:md.ayazahmed
Linkedin:in.linkedin.com/pub/mohammed-ayaz-ahmed/44/b00/17a/


Subscribe

2013-05-29 Thread Fred Pedrisa
Hello



Help with kQueue

2013-05-29 Thread Fred Pedrisa
From: Fred Pedrisa [mailto:fredhp...@hotmail.com]
Sent: Thursday, May 30, 2013 02:09
To: 'haproxy@formilux.org'
Subject: Help with kQueue

 

Hello, Guys.

Sorry for disturbing, and for the first e-mail I sent, I thought it was an
automated mailing list, requiring to subscribe :).

Anyways here is my interesting issue !

When I start haproxy with -vv -d -c switches, I get this interesting result :

# /proxy/haproxy -vv -c -f l2cr.cfg
Available polling systems :
 kqueue : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use kqueue.

But if I try it, with -V -d

#proxy/haproxy -V -d -f /proxy/lr.cfg -n 8192
Available polling systems :
 select : pref=150,  test result OK
 kqueue : disabled,  test result OK
   poll : disabled,  test result OK
Total: 3 (1 usable), will use select.
Using select() as the polling mechanism.

This is what happens, it defaults to select without any reason, and in the
config file, I don't have any of these global switches to force this
situation :/

Do you wonder what could cause it ?

I am using FreeBSD !

Thanks,

Fred