LB Layout Question
Hi There,

I've set up a few small load balanced environments with haproxy, usually 2 LB's, 2+ webservers, 1 db server. However, I now have a client who needs the above but with an additional file storage server for user uploads. So I'm arranging for an extra dedicated server with several TB that will be on a private network with the 2 webservers.

The client uses a custom coded CMS which allows for a path to be specified for an upload folder for user file storage.

Any simple advice for the best method to connect a file server to the web servers? I'm guessing an NFS share from the 2 webservers to the 1 fileserver. However, from a bit of research with load balanced magento setups there seems to be a lot of negative comments about using NFS in this way.
Re: HTTP Request still gets response from the server with weight 0 and src persistence
Hi Baptiste

Thanks for your reply. I am using the balance roundrobin algorithm and sticking on src, not the balance source algorithm. The configuration has been presented in my first mail as below:

    backend pool
        balance roundrobin.
        stick-table type ip size 200k expire 600s
        stick on src
        server 1 10.128.7.1:80 id 1 cookie srv1 weight 1 maxconn 0 slowstart 0s
        server 2 10.128.7.2:80 id 2 cookie srv2 weight 1 maxconn 0 slowstart 0s

Best Regards,
Godbach

On 2013/5/29 13:35, Baptiste wrote:
> Hi Godbach,
>
> Before reading HAProxy source code, it is worth reading its configuration guide for the options you use. IE, the balance source algorithm would tell you that: This algorithm is static by default, which means that changing a server's weight on the fly will have no effect, but this can be changed using hash-type.
>
> Please update your configuration following the recommendation above and let us know your feedback.
>
> Baptiste
>
> On Wed, May 29, 2013 at 5:22 AM, Godbach nylzhao...@gmail.com wrote:
> > Hi, all
> >
> > It is expected that new http request will not get response from the server of which weight was changed to 0. It cannot work well with persistence on src but work well without the persistence in latest snapshot.
> >
> > There are two servers in my backend, and persistence on src ip has been enabled in backend. The configuration in backend as below:
> >
> >     backend pool
> >         balance roundrobin.
> >         stick-table type ip size 200k expire 600s
> >         stick on src
> >         server 1 10.128.7.1:80 id 1 cookie srv1 weight 1 maxconn 0 slowstart 0s
> >         server 2 10.128.7.2:80 id 2 cookie srv2 weight 1 maxconn 0 slowstart 0s
> >
> > During continuous http request with the same client, the stick table as below:
> >
> >     # table: pool, type: ip, size:204800, used:1
> >     0x17d2284: key=172.22.16.250 use=0 exp=599095 server_id=1
> >
> > Then I set weight of server 1 to 0 use command as below:
> >
> >     set weight pool/1 0
> >
> > And I get the weight of server 1 with command:
> >
> >     get weight pool/1
> >
> > The result is
> >
> >     0 (initial 1)
> >
> > So I think I have set the weight of server 1 to 0 successfully. But the response still comes from server 1 which server 2 is expected. And the stick table keeps the same.
> >
> > I review the code of process_sticking_rules() in session.c. The codes when server is found as below:
> >
> >     1403                 ptr = stktable_data_ptr(rule->table.t, ts, STKTABLE_DT_SERVER_ID);
> >     1404                 node = eb32_lookup(&px->conf.used_server_id, stktable_data_cast(ptr, server_id));
> >     1405                 if (node) {
> >     1406                         struct server *srv;
> >     1407
> >     1408                         srv = container_of(node, struct server, conf.id);
> >     1409                         if ((srv->state & SRV_RUNNING) ||
> >     1410                             (px->options & PR_O_PERSIST) ||
> >     1411                             (s->flags & SN_FORCE_PRST)) {
> >     1412                                 s->flags |= SN_DIRECT | SN_ASSIGNED;
> >     1413                                 s->target = &srv->obj_type;
> >     1414                         }
> >     1415                 }
> >     1416         }
> >     1417         stktable_touch(rule->table.t, ts, 1);
> >
> > Line 1409 used (srv->state & SRV_RUNNING) to check the server status. If I used srv_is_usable() to instead such as below:
> >
> > -if ((srv-state SRV_RUNNING) ||
> > +if (srv_is_usable(srv-state, srv-eweight) ||
> >
> > The new request will get response from server 2 once the weight of server 1 is set to 0.
> >
> > But it seems to be just a workaround. Since the manual of haproxy about 'set weight' says that: A typical usage of this command is to disable a server during an update by setting its weight to zero.
> >
> > I am wondering whether the flag SRV_RUNNING of server should be cleared or not when its weight is set to 0.
> >
> > --
> > Best Regards,
> > Godbach
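Review bot: the replacement test on line 1409, srv_is_usable(srv-state, srv-eweight), also fails for a server that is still SRV_RUNNING but has eweight 0, so an existing stick-table entry (server_id=1 in the dump above) stops being honoured the moment 'set weight pool/1 0' is issued, and only PR_O_PERSIST or SN_FORCE_PRST would keep the client on its server. If weight 0 is meant to stop new assignments while already-stuck clients stay where they are, keep the SRV_RUNNING test here and document that 'set weight ... 0' does not override persistence; if it is meant as a hard removal, say so in the change description, because the new condition changes behaviour for every backend that uses stick rules.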
Re: LB Layout Question
Hi Syd,

> I'm guessing an NFS share from the 2 webservers to the 1 fileserver. However, from a bit of research with load balanced magento setups there seems to be a lot of negative comments about using NFS in this way.

It's always better to avoid NFS as it introduces a point of failure. Sometimes just syncing the files on both servers with rsync / unison / snapshots / whatever is preferable (it strongly depends on the number of files and the number of file changes). A crashy NFS server can leave inconsistent mount points on the webservers.

Anyway it works but you must qualify your server and client version and setups before turning it in production. Avoid lockd unless it's absolutely necessary, enable jumbo frames, find the good rsize, wsize, check and recheck your disks health, your raids settings, your IO performances.

If possible, use varnish on the web servers for caching static content or serve the static files directly from the file server using nginx. Never forget that NFS is slow.

Joris
Block clients based on header in real time?
Hello,

I'm looking for a solution for blocking users based on a header, x-forwarded-for. I already have an acl for this, but is it possible to update the list of ips without restarting haproxy?

Thanks,
403 - Forbidden: Access is denied with IIS7
Hi all,

I am using HAProxy 1.4.23. I am getting *sometimes* the following error while trying to access the status page of HAProxy:

    403 - Forbidden: Access is denied.
    You do not have permission to view this directory or page using the credentials that you supplied.

This problem does not occur while the target webserver is running on Windows 2008 or Linux. Please share your suggestions regarding how to overcome this issue.

It is observed that the HTTP request log of the web server is showing logs related to / ?stats requests. I am expecting this request should be processed at the haproxy layer and should not be forwarded to the web server. This is just an observation.

HAProxy Configuration is as follows

    global
        daemon
        maxconn 256

    defaults
        mode http
        timeout connect 5000ms
        timeout client 5ms
        timeout server 5ms

    frontend http-in
        bind *:80
        default_backend servers

    backend servers
        server server1 10.132.69.53:9459 check inter 500 fall 3 rise 2
        stats uri /?stats

Regards,
Prasad.
Re: 403 - Forbidden: Access is denied with IIS7
Hi Prasad.

You're in tunnel mode, so I guess the stats URI passes through haproxy without being analyzed.

Maybe you need tunnel mode because of NTLM, and so the only way to have access to the stats URL would be to use a different frontend/backend dedicated to stats only on a different port. Or maybe set up a different Host header. Your browser is supposed to use a different TCP connection to the same HAProxy for each hostname you're using.

Baptiste
Re: HTTP Request still gets response from the server with weight 0 and src persistence
AH, sorry, my mistake. I read your mail too quickly.

Baptiste
Re: Block clients based on header in real time?
Hi,

With the latest HAProxy version, you could use a stick table and insert IPs in the stick table through the HAProxy socket. Then you can ban all IPs from the stick table.

Baptiste
Re: HTTP Request still gets response from the server with weight 0 and src persistence
Hi Baptiste

It doesn't matter. :-)

When the weight of server is set to 0 with the balance roundrobin algorithm, srv->eweight is updated to 0 and fwrr_update_server_weight() (lb_fwrr.c) will be called as below:

    static void fwrr_update_server_weight(struct server *srv)
    {
            ...
            old_state = srv_is_usable(srv->prev_state, srv->prev_eweight);
            new_state = srv_is_usable(srv->state, srv->eweight);

            if (!old_state && !new_state) {
                    srv->prev_state = srv->state;
                    srv->prev_eweight = srv->eweight;
                    return;
            }
            else if (!old_state && new_state) {
                    fwrr_set_server_status_up(srv);
                    return;
            }
            else if (old_state && !new_state) {
                    fwrr_set_server_status_down(srv);
                    return;
            }
            ...
    }

Since srv->eweight is 0, new_state should be also 0, then fwrr_set_server_status_down() will be called. At the end the server will be removed from weight tree by fwrr_dequeue_srv() and lb_tree by fwrr_remove_from_tree().

But the srv->state has not been updated, still keeps in SRV_RUNNING. As a result, when the same server is selected by sticking rules, it will be used again.
Re: HTTP Request still gets response from the server with weight 0 and src persistence
Actually, this is the purpose of dropping a weight to 0: being able to maintain sticky sessions.

If you want to shutdown rudely your server, preventing everybody from accessing it, use the disable keyword.

Baptiste
Re: HTTP Request still gets response from the server with weight 0 and src persistence
Hi Baptiste

Yeah, I got it. Thank you very much for your explanation.

Best Regards,
Godbach
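The behaviour settled in this thread, as an added example that is neither HAProxy source code nor code from any of the posters: a simplified C model of a two-server round-robin backend with a src stick table, comparing the line-1409 test (SRV_RUNNING) with the proposed srv_is_usable() test after the weight is set to 0, and with a server that is no longer SRV_RUNNING. The struct layout, the flag value, the integer client keys and the modelling of "disable" as clearing SRV_RUNNING are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define SRV_RUNNING 0x1  /* flag name from the thread; the value is arbitrary here */
#define NB_SRV      2
#define NB_CLIENTS  4    /* constructed: small integers stand in for source IPs */

enum stick_check  { CHECK_RUNNING, CHECK_USABLE }; /* line 1409 as-is vs. proposed change */
enum admin_action { SET_WEIGHT_ZERO, DISABLE };

struct server { int id; int state; int eweight; };

struct backend {
    struct server srv[NB_SRV];
    int rr_pos;              /* round-robin cursor */
    int stick[NB_CLIENTS];   /* stick table: client -> server id, 0 = no entry */
};

/* Simplified model: usable means running AND effective weight above zero. */
static int srv_is_usable(int state, int eweight)
{
    return (state & SRV_RUNNING) && eweight > 0;
}

static void backend_init(struct backend *be)
{
    memset(be, 0, sizeof(*be));
    for (int i = 0; i < NB_SRV; i++) {
        be->srv[i].id = i + 1;
        be->srv[i].state = SRV_RUNNING;
        be->srv[i].eweight = 1;
    }
}

/* Round robin over usable servers only, so a weight-0 server gets no NEW clients. */
static struct server *lb_pick(struct backend *be)
{
    for (int n = 0; n < NB_SRV; n++) {
        struct server *s = &be->srv[be->rr_pos];
        be->rr_pos = (be->rr_pos + 1) % NB_SRV;
        if (srv_is_usable(s->state, s->eweight))
            return s;
    }
    return NULL;
}

/* Returns the id of the server that answers the request, 0 if none can. */
static int handle_request(struct backend *be, int client, enum stick_check mode)
{
    int sid = be->stick[client];

    if (sid) {
        struct server *stuck = &be->srv[sid - 1];
        int ok = (mode == CHECK_RUNNING)
                     ? (stuck->state & SRV_RUNNING) != 0
                     : srv_is_usable(stuck->state, stuck->eweight);
        if (ok)
            return stuck->id;  /* persistence wins, load balancing is bypassed */
    }
    struct server *s = lb_pick(be);
    if (!s)
        return 0;
    be->stick[client] = s->id; /* store the new association */
    return s->id;
}

static void apply(struct backend *be, int srv_id, enum admin_action a)
{
    struct server *s = &be->srv[srv_id - 1];
    if (a == SET_WEIGHT_ZERO)
        s->eweight = 0;            /* state is left untouched, as observed in the thread */
    else
        s->state &= ~SRV_RUNNING;  /* assumption: models a server taken out of service */
}

/* Client 0 sticks to server 1, the action is applied to server 1, and the
 * given client then sends another request. Returns the answering server id. */
static int server_after(enum stick_check mode, enum admin_action a, int client)
{
    struct backend be;
    backend_init(&be);
    handle_request(&be, 0, mode);
    apply(&be, 1, a);
    return handle_request(&be, client, mode);
}

static int sticky_client_after(enum stick_check m, enum admin_action a) { return server_after(m, a, 0); }
static int new_client_after(enum stick_check m, enum admin_action a)    { return server_after(m, a, 1); }

int main(void)
{
    printf("weight 0, SRV_RUNNING check : stuck client -> server %d, new client -> server %d\n",
           sticky_client_after(CHECK_RUNNING, SET_WEIGHT_ZERO),
           new_client_after(CHECK_RUNNING, SET_WEIGHT_ZERO));
    printf("weight 0, srv_is_usable check: stuck client -> server %d\n",
           sticky_client_after(CHECK_USABLE, SET_WEIGHT_ZERO));
    printf("not running, SRV_RUNNING check: stuck client -> server %d\n",
           sticky_client_after(CHECK_RUNNING, DISABLE));
    return 0;
}
```

With the SRV_RUNNING test, weight 0 drains the server: the stuck client stays on server 1 while new clients go to server 2. The srv_is_usable() variant moves the stuck client immediately, which is the hard cut-off the thread assigns to disabling the server instead.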
Re: Haproxy issues with rspirep
Hi Syed,

On 29/05/2013 21:12, s...@siezeconsulting.com wrote:
> Hello,
>
> rspirep ^Location:\ http://(.*):80(.*) Location:\ https://\1:443\2 if { ssl_fc }
>
> The above works but the following doesn't (Location URL is unchanged ) why ?
>
> rspirep ^Location:\ http://(.*):80(.*) Location:\ http://172.17.25.100:8080\2 if { ssl_fc }

There's a lack of details. One configuration line is not enough to understand what you want to achieve. It will be hard to help you.

Can you explain your needs and provide your whole configuration (please remove any sensitive data, such as passwords, IPs, ...) ?

Are you sure you really want the ssl_fc condition here ?

> Reference :
> http://blog.exceliance.fr/2013/02/26/ssl-offloading-impact-on-web-applications/
>
> Regards
> Syed

--
Cyril Bonté
Re: Haproxy issues with rspirep
What version? I had a similar issue with dev17.

Sent from my iPad
Re: Haproxy issues with rspirep
Hi Cyril,

Sorry for the brevity.

    Haproxy IP = 172.17.25.100 ( fiction IP for clarity)
    Application server hostname = openamHost
    Application server IP = 172.17.25.101
    Url for ssl offload access https://192.168.0.1/sso/Login

Configured haproxy to ssl offload a tomcat based application running on port 8080 (OpenAm specifically). SSL offload happens, traffic is sent to port 8080 but the application sends a redirect URL in return as the following

    Problematic URL : http://172.17.25.99:80/sso/Login

I used the following directive in the frontend of the haproxy configuration

    rspirep ^Location:\ http://(.*):80(.*) Location:\ http://172.17.25.100:8080\2 if { ssl_fc }

Generic problem : Haproxy would capture, I assumed, the problematic URL and replace it with whatever happens to be my custom URL?

Specific requirement: The application is wrongly sending the redirect URL, I would ideally want to capture any HTTP url and convert into HTTPS so that haproxy can again re-route it to port 8080 after decryption each time.

Finally my simple requirement is to be able to control rewriting URLs at haproxy.

haproxy.cfg

    frontend secured *:443
        mode tcp
        SSL CERT BLAH BLAH
        rspirep ^Location:\ http://(.*):80(.*) Location:\ http://172.17.25.100:8080\2 if { ssl_fc }
        default_backend app

    #-
    # round robin balancing between the various backends
    #-
    backend app
        mode tcp
        balance roundrobin
        server app1 172.17.25.101:8080 check

Hope I haven't complicated the problem this time :-)

Regards
Syed
Re: Haproxy issues with rspirep
Agreed since all requests coming in are ssl on port 443, if {ssl_fc} isn't required I guess.
Re: Haproxy issues with rspirep
Hi David,

dev18
Re: Haproxy issues with rspirep
Does rspirep work with tcp? Does it not need to be using HTTP mode?

David
Re: Haproxy issues with rspirep
Yes http it is in my config too and not tcp (Away from my server, hence sent an unedited config for your quick reference) - apologies.
Query
Hi Sir,

I am new to Haproxy. I have developed an application on java with tomcat as the server and deployed it in Ec2 and an OpenShift small gear. So I want to scale my application and web portals with Haproxy with a minimum of 80 hits/s. So please guide me.

Best Regards
MOHAMMED AYAZ AHMED
Software Engineer
Mobile:919036478068
Skype:md.ayazahmed
Linkedin:in.linkedin.com/pub/mohammed-ayaz-ahmed/44/b00/17a/
Subscribe
Hello
Help with kQueue
From: Fred Pedrisa [mailto:fredhp...@hotmail.com]
Sent: Thursday, May 30, 2013 02:09
To: 'haproxy@formilux.org'
Subject: Help with kQueue

Hello, Guys.

Sorry for disturbing, and for the first e-mail I sent, I thought it was an automated mailing list, requiring to subscribe :).

Anyways here is my interesting issue !

When I start haproxy with -vv -d -c switches, I get this interesting result :

    # /proxy/haproxy -vv -c -f l2cr.cfg
    Available polling systems :
    kqueue : pref=300, test result OK
    poll : pref=200, test result OK
    select : pref=150, test result OK
    Total: 3 (3 usable), will use kqueue.

But if I try it, with -V -d

    #proxy/haproxy -V -d -f /proxy/lr.cfg -n 8192
    Available polling systems :
    select : pref=150, test result OK
    kqueue : disabled, test result OK
    poll : disabled, test result OK
    Total: 3 (1 usable), will use select.
    Using select() as the polling mechanism.

This is what happens, it defaults to select without any reason, and in the config file, I don't have any of these global switches to force this situation :/

Do you wonder what could cause it ?

I am using FreeBSD !

Thanks,
Fred