HAProxy network design

2013-12-30 Thread Willi Fehler
Hello, I have a question about the network design. I think there are two options: one arm vs two arm. For performance critical applications I think it's better to use one arm. In several howto's on the web there is no information about direct-routing and loopback ip. When my real-servers

Re: haproxy return 502 if loadbalance a fortiweb WAF protected website

2013-12-30 Thread Nenad Merdanovic
Hello, On 12/30/2013 06:54 AM, Delta Yeh wrote: Hi, In one of my setups, I failed to loadbalance a fortiweb WAF protected website. Haproxy returns 502, but the browser works OK. With the help of wireshark, I notice that the response header returned by fortiweb WAF is not RFC

Re: haproxy return 502 if loadbalance a fortiweb WAF protected website

2013-12-30 Thread Delta Yeh
Thank you. I have tried 'option accept-invalid-http-response' both in frontend and backend, but it doesn't help. 2013/12/30 Nenad Merdanovic ni...@nimzo.info Hello, On 12/30/2013 06:54 AM, Delta Yeh wrote: Hi, In one of my setups, I failed to loadbalance a fortiweb WAF protected

proxy protocol for varnish 3.0.5

2013-12-30 Thread Emmanuel Hocdet
Hi, I have made a patch to add proxy protocol to Varnish 3.0 you can find it at http://varnish.hocdet.net Emmanuel

Re: haproxy return 502 if loadbalance a fortiweb WAF protected website

2013-12-30 Thread Baptiste
Hi Delta, Normal, the returned response is too crappy!!! Your only solution is to switch to TCP mode. Baptiste On Mon, Dec 30, 2013 at 4:16 PM, Delta Yeh delta@gmail.com wrote: Thank you. I have tried 'option accept-invalid-http-response' both in frontend and backend, but it doesn't

Re: proxy protocol for varnish 3.0.5

2013-12-30 Thread Baptiste
On Mon, Dec 30, 2013 at 6:36 PM, Emmanuel Hocdet m...@gandi.net wrote: Hi, I have made a patch to add proxy protocol to Varnish 3.0 you can find it at http://varnish.hocdet.net Emmanuel Brilliant!!! I'm going to play with it soon :) Baptiste

SNI suffix matching support (req_ssl_sni_end) for HaProxy 1.5 [patch enclosed]

2013-12-30 Thread Noam Liran
Hi, We recently needed an ACL to match a request's SNI host against a suffix (i.e. create an ACL to match *.my.domain.com against the SNI hostname). I was surprised to find out that req_ssl_sni had no search wrappers like _end and _reg. I saw that adding them was really trivial (kudos!) and I

Re: SNI suffix matching support (req_ssl_sni_end) for HaProxy 1.5 [patch enclosed]

2013-12-30 Thread Cyril Bonté
Hi Noam, Le 30/12/2013 19:38, Noam Liran a écrit : Hi, We recently needed an ACL to match a request's SNI host against a suffix (i.e. create an ACL to match *.my.domain.com against the SNI hostname). I was surprised to find out that req_ssl_sni had no search wrappers like _end and _reg. I

UDP loadbalancing

2013-12-30 Thread Sander Klein
Hi, I know haproxy doesn't do UDP loadbalancing, but I figured someone here might know a nice tool which can do this for me. (If haproxy could do it it would have been nice though... ;-) ) I've looked at pen but it doesn't seem to do IPV6. LVS can do the trick but I need to reconfigure a

http-keep-alive broken?

2013-12-30 Thread Sander Klein
Hi, I'm using haproxy ss-20131229 to reverse proxy some windows iis server with ntlm-auth enabled (one of them being exchange 2012). While I understood that using 'option http-keep-alive' would make ntlm-auth work, it doesn't work for me. Are there still some issue with http-keep-alive and

RE: proxy protocol for varnish 3.0.5

2013-12-30 Thread Lukas Tribus
Hi, I have made a patch to add proxy protocol to Varnish 3.0 you can find it at http://varnish.hocdet.net Nice! Btw, is there any patch available for apache? Google search with the apache, haproxy, proxy keywords isn't very helpful, as you can imagine ... We need more exotic names for

RE: haproxy return 502 if loadbalance a fortiweb WAF protected website

2013-12-30 Thread Lukas Tribus
Hi, HTTP/1.1 200 OK Date: Mon, 30 Dec 2013 05:40:02 GMT X MicrosoftOfficeWebServer: 5.0_Pub X XXX Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 73803 !DOCTYPE html PUBLIC

RE: UDP loadbalancing

2013-12-30 Thread Lukas Tribus
Hi, Hi, I know haproxy doesn't do UDP loadbalancing, but I figured someone here might know a nice tool which can do this for me. (If haproxy could do it it would have been nice though... ;-) ) I've looked at pen but it doesn't seem to do IPV6. LVS can do the trick but I need to

RE: http-keep-alive broken?

2013-12-30 Thread Lukas Tribus
Hi, Subject: http-keep-alive broken? Hi, I'm using haproxy ss-20131229 to reverse proxy some windows iis server with ntlm-auth enabled (one of them being exchange 2012). While I understood that using 'option http-keep-alive' would make ntlm-auth work, it doesn't work for me. Are there

Re: http-keep-alive broken?

2013-12-30 Thread Thomas Heil
Hi, On 31.12.2013 00:50, Lukas Tribus wrote: Hi, Subject: http-keep-alive broken? Hi, I'm using haproxy ss-20131229 to reverse proxy some windows iis server with ntlm-auth enabled (one of them being exchange 2012). While I understood

Re: proxy protocol for varnish 3.0.5

2013-12-30 Thread Thomas Heil
Hi, On 30.12.2013 19:00, Baptiste wrote: On Mon, Dec 30, 2013 at 6:36 PM, Emmanuel Hocdet m...@gandi.net wrote: Hi, I have made a patch to add proxy protocol to Varnish 3.0 you can find it at http://varnish.hocdet.net Emmanuel

It seemed haproxy dev21 server side keepalive does not works with tproxy.

2013-12-30 Thread Delta Yeh
Hi, For proxy, server side keepalive works OK. But it seemed haproxy dev21 server side keepalive does not work with tproxy. The config is : backend www source 0.0.0.0 usesrc hdr_ip(X-Real-IP) server SERVER 1.2.3.4:80 no option http-server-close option http-keep-alive no

Re: haproxy return 502 if loadbalance a fortiweb WAF protected website

2013-12-30 Thread Delta Yeh
Hi Lukas, I know the response is crappy like Baptiste said. But as a reverse proxy, nginx works OK for this website, it would be better if haproxy also works for such website. The debug output of wget is: ---request begin--- GET / HTTP/1.0 User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64;

Re: It seemed haproxy dev21 server side keepalive does not works with tproxy.

2013-12-30 Thread Willy Tarreau
Hi, On Tue, Dec 31, 2013 at 01:58:57PM +0800, Delta Yeh wrote: Hi, For proxy, server side keepalive works OK. But it seemed haproxy dev21 server side keepalive does not work with tproxy. The config is : backend www source 0.0.0.0 usesrc hdr_ip(X-Real-IP) server SERVER

Re: It seemed haproxy dev21 server side keepalive does not works with tproxy.

2013-12-30 Thread Delta Yeh
Hi Willy, Good to know it is a known limitation for 1.5dev21, hope good news from 1.5 final in near future. Thank you and the team for haproxy. Happy New Year!! BR, DeltaY 2013/12/31 Willy Tarreau w...@1wt.eu Hi, On Tue, Dec 31, 2013 at 01:58:57PM +0800, Delta Yeh wrote: Hi,

Re: haproxy return 502 if loadbalance a fortiweb WAF protected website

2013-12-30 Thread Willy Tarreau
On Tue, Dec 31, 2013 at 02:04:02PM +0800, Delta Yeh wrote: Hi Lukas, I know the response is crappy like Baptiste said. But as a reverse proxy, nginx works OK for this website, it would be better if haproxy also works for such website. The debug output of wget is: Could you please

Re: proxy protocol for varnish 3.0.5

2013-12-30 Thread Willy Tarreau
On Tue, Dec 31, 2013 at 03:23:59AM +0100, Thomas Heil wrote: Hi, On 30.12.2013 19:00, Baptiste wrote: On Mon, Dec 30, 2013 at 6:36 PM, Emmanuel Hocdet m...@gandi.net wrote: Hi, I have made a patch to add proxy protocol to Varnish

Re: proxy protocol for varnish 3.0.5

2013-12-30 Thread Willy Tarreau
On Tue, Dec 31, 2013 at 12:34:43AM +0100, Lukas Tribus wrote: Hi, I have made a patch to add proxy protocol to Varnish 3.0 you can find it at http://varnish.hocdet.net Nice! Btw, is there any patch available for apache? Google search with the apache, haproxy, proxy keywords isn't

Re: http-keep-alive broken?

2013-12-30 Thread Willy Tarreau
On Tue, Dec 31, 2013 at 03:22:43AM +0100, Thomas Heil wrote: While I understood that using 'option http-keep-alive' would make ntlm-auth work, it doesn't work for me. Are there still some issue with http-keep-alive and ntlm-auth? Honestly I would just use the default tunnel mode for

Re: UDP loadbalancing

2013-12-30 Thread Willy Tarreau
On Tue, Dec 31, 2013 at 12:44:26AM +0100, Lukas Tribus wrote: Hi, Hi, I know haproxy doesn't do UDP loadbalancing, but I figured someone here might know a nice tool which can do this for me. (If haproxy could do it it would have been nice though... ;-) ) I've looked at pen but

Re: HAProxy network design

2013-12-30 Thread Willy Tarreau
Hello, On Mon, Dec 30, 2013 at 10:27:52AM +0100, Willi Fehler wrote: Hello, I have a question about the network design. I think there are two options: one arm vs two arm For performance critical applications I think it's better to use one arm. In several howto's on the web there are