Re: Problem with commit 4448925930655dec57847ed41a34a24a8169d053

[Willy Tarreau]

Hi Thomas,

On Wed, Jan 15, 2014 at 01:57:13PM +0100, Thomas Heil wrote:
 
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Hi,
 
 Iam running HAPRoxy with eglibc and commit
 4448925930655dec57847ed41a34a24a8169d053, aka
 BUILD/MINOR: listener: remove a glibc warning on accept4() introduces an
 fatal error on building.

I got it as well yesterday when nuilding for x86_64 and fixed it with
commit 2317976 (BUILD: listener: fix recent accept4() again).

Thanks,
Willy

Difference frontend/backend to listen?

[Florian Engelmann]

Hi,

I got two configurations the should do the same. One is based on a 
frontend/backend layout the second does it with just listen. The listen 
configuratiuon is working fine but the fontend/backend causes a problem 
on the backend. It looks like some request string is missing because the 
customer application is not able to resolve some lookup which seems to 
be header related. Is anybody able to tell me whats the difference in 
these two configurations?




global
log /dev/loglocal6
#log /dev/log   local6 notice
chroot /var/lib/haproxy
user haproxy
group haproxy
daemon
maxconn 5
stats socket /var/run/haproxy.sock mode 600 level admin
stats timeout 2m

defaults
log global
modehttp
option dontlognull
option dontlog-normal
retries 2
option redispatch
timeout connect 5000
timeout client 5
timeout server 12
timeout http-request 5000
timeout http-keep-alive 5000
option http-server-close
http-check disable-on-404
http-send-name-header X-Target-Server
default-server minconn 1024 maxconn 4096
monitor-net 192.168.xxx.xxx/32

listen application9000 0.0.0.0:9000
  balance leastconn
  mode tcp
  option tcplog
  option httpchk GET /check.php HTTP/1.0
  http-check expect string Hello World
  server xcmsphp01.xxx 10.0.4.4:9000 check port 80
  server xcmsphp02.xxx 10.0.4.7:9000 check port 80
  server xcmsphp03.xxx 10.0.4.3:9000 check port 80

listen application80 0.0.0.0:80
  balance roundrobin
  option forwardfor
  option  httplog
  monitor-uri /haproxymon
  option httpchk GET /index.html HTTP/1.1\r\nHost:\ 
monitoring\r\nConnection:\ close

  http-check expect string Welcome home
  acl site_dead nbsrv lt 2
  monitor fail  if site_dead
  server xcmsfrontend01.xxx 10.2.2.1:80 check
  server xcmsfrontend02.xxx 10.2.2.2:80 check




global
log /dev/loglocal6
#log /dev/log   local6 notice
chroot /var/lib/haproxy
user haproxy
group haproxy
daemon
maxconn 5
stats socket /var/run/haproxy.sock mode 600 level admin
stats timeout 2m

defaults
log global
modehttp
option dontlognull
option dontlog-normal
retries 2
option redispatch
timeout connect 5000
timeout client 5
timeout server 12
timeout http-request 5000
timeout http-keep-alive 5000
default-server minconn 1024 maxconn 4096
monitor-net 192.168.xxx.xxx/32


frontend http-in
  bind *:80
  option http-server-close
  option forwardfor
  option httplog
  monitor-uri /haproxymon
  acl site_dead nbsrv(http-out) lt 2
  monitor fail if site_dead
  default_backend http-out

backend http-out
  balance roundrobin
  http-send-name-header X-Target-Server
  option forwardfor
  option http-server-close
  #option accept-invalid-http-response
  http-check disable-on-404
  option httpchk GET /index.html HTTP/1.1\r\nHost:\ 
monitoring\r\nConnection:\ close

  http-check expect string Welcome home
  server xcmsfrontend01.xxx 10.2.2.1:80 check
  server xcmsfrontend02.xxx 10.2.2.2:80 check

frontend php-in
  bind *:9000
  mode tcp
  option tcplog
  http-send-name-header X-Target-Server
  default_backend php-out

backend php-out
  balance leastconn
  mode tcp
  option tcplog
  http-send-name-header X-Target-Server
  option httpchk GET /up.php HTTP/1.0
  http-check expect string Hello World
  server xcmsphp01.xxx 10.0.4.4:9000 check port 80
  server xcmsphp02.xxx 10.0.4.7:9000 check port 80
  server xcmsphp03.xxx 10.0.4.3:9000 check port 80



Regards,
Florian

haproxy-1.5-dev21 and firefox POST (shibboleth-sp) problems

[Jarno Huuskonen]

Hi,

I'm testing haproxy-1.5-dev19/21 to lb php application(apache/moodle 2.6)

moodle is setup to use shibboleth-authentication
(https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration).

Login is all https (client - haproxy - apache+mod_ssl):

Login works (haproxy-ss-20131228) ok on IE, chrome and safari, but fails
with firefox.

When I changed the the connection from haproxy to apache to
use http (no https (removed ssl from server line)) I managed to
capture packet logs on the apache host.

Chrome+haproxy sends whole request to apache (and it works), but
with firefox+haproxy apache sees request like this:

POST /Shibboleth.sso/SAML2/POST HTTP/1.1
Host: mdl26.uef.fi
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101
Firefox/24.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fi,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://idp.uef.fi/idp/profile/SAML2/Redirect/SSO
Cookie: __utma=cookie cleanedup;
MoodleSessionmdl26=moodle session cookie cleaned;
_shibstate_1389859501_c8b0=cookie removed;
Content-Type: application/x-www-form-urlencoded
Content-Length: 13099
X-Forwarded-For: 10.0.28.54
Connection: close

RelayState=cookie%3A1389859501_c8b0SAMLResponse=PD94bWwg
... here's about 7500 bytes from the SAMLResponse
mxPREw4bW1QdW9LdzM5V2dxNktiTU8vdWZ2WVlhelpETzh4T2pPawpBVEtlN0szTUtReVh2MS9UdnpDeUFYVzB5S0hMbVBQQlM0ZlRjRG1yZHTTP/1.1
500 Internal Server Error

Date: Thu, 16 Jan 2014 08:05:14 GMT
Server: Apache
Expires: Wed, 01 Jan 1997 12:00:00 GMT
Cache-Control: private,no-store,no-cache,max-age=0
Content-Length: 966
Connection: close
Content-Type: text/html; charset=UTF-8

--- HERE I removed most of the HTML ---
p class=erroropensaml#58;#58;BindingException at
(https#58;//mdl26.uef.fi/Shibboleth.sso/SAML2/POST)/p

pUnable to decode base64 in POST binding message./p
/body
/html
05acXphQjI5aXd5Wlk1V1ZkRFc5Y0xEc0  rest of the SAMLResponse

So it looks like that firefox+haproxy sends only partial SAMLResponse
to apache and sends the rest after apache/shibboleth sp sends back error 500.

If I use older 1.5-dev snapshot (haproxy-ss-20131031) then login
works on firefox (same config).

With latest snapshot haproxy-ss-20140116 the ssl backend doesn't work at
all. All requests get 408 error from haproxy.

Here's my test config:
global
log /dev/log local2 info

chroot  /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 8000
userhaproxy
group   haproxy
daemon

spread-checks   3

# turn on stats unix socket
stats socket /var/lib/haproxy/stats
stats timeout 2m

defaults
modehttp
log global
option  httplog
option  dontlognull
option  redispatch
no option   accept-invalid-http-request
no option   accept-invalid-http-response
retries 3
timeout http-request10s
timeout queue   30s
timeout connect 4s
timeout client  1m
timeout server  1m
timeout http-keep-alive 10s
timeout check   10s
maxconn 8192
no option   socket-stats

frontend  http_mdl
bind 10.0.0.201:80 name demo3
bind 10.0.0.202:80 name demo4

option tcp-smart-accept
option contstats
option forwardfor   except 127.0.0.0/8

errorfile 403 /etc/haproxy/errors/403.html
errorfile 504 /etc/haproxy/errors/504.html

default_backend BE_http

frontend https_mdl
bind 10.0.0.201:443 name demo3ssl ssl crt /etc/haproxy/demo3.pem
bind 10.0.0.202:443 name demo4ssl ssl crt /etc/haproxy/demo4.pem

option forceclose
option contstats
option forwardfor   except 127.0.0.0/8

errorfile 403 /etc/haproxy/errors/403.html
errorfile 504 /etc/haproxy/errors/504.html

default_backend BE_http-ssl

backend BE_http
balance roundrobin
option tcp-smart-connect
option httpchk HEAD / HTTP/1.0\r\n
http-check disable-on-404
no option persist

stats enable
stats realm removed
stats auth  info:removed
stats uri   /statsuri #removed
stats hide-version 
stats refresh   120s

default-server inter 5s downinter 15s rise 2 error-limit 10 fall 2 on-error 
fail-check
server  mdldemo1 10.0.0.151:80 check observe layer7
server  mdldemo2 10.0.0.152:80 check observe layer7

backend BE_http-ssl
option forceclose
timeout server 120s # long timeout to receive shib error w/firefox
default-server inter 15s downinter 20s rise 2

server  mdldemo1 10.0.0.151:443 maxconn 256 ssl force-sslv3 check
# second server disabled for testing (also stick on src removed for
# testing).
#server  mdldemo2 10.0.0.152:443 maxconn 256 ssl force-sslv3 check

URL path in backend servers

[Rakesh G K]

Hello,
Is it possible to forward an incoming request to the *backend *by retaining
the URL path in *http *mode?.
Using *ACLs *I was able to categorize the incoming requests to different
rulesets, but on using a specific *backend *for a certain URL parth, I
could not figure out how to send the request to the underlying server
*with *the URL path?.

I figured out how to redirect a request, but that is not what I wanted.

So, if HAProxy receives a request on, say *http://192.168.5.10:80/url/path
http://192.168.5.10/url/path* , I want the request to be sent to the
underlying server as*http://133.168.5.20:80/url/path
http://133.168.5.20/url/path.*

Does anyone know how to do this?. Any help is much appreciated!.

PS: Question on ServerFault :
http://serverfault.com/questions/566862/haproxy-url-pattern-forwarding

Thanks,
Rakesh

Re: URL path in backend servers

[Jonathan Matthews]

Rakesh -

I replied to your identical question about this, yesterday, suggesting
what you could do to help yourself diagnose your problem. Please don't
start new threads for the same question.

Jonathan

How to test HAProxy ?

[Tony Reix]

Hi

I'm involved in testing the port of HAProxy 1.4 (.24) on Ubuntu on PPC/LE.
For now, I've found nothing about how to check that the basic features and the 
important features of HAProxy do work fine in this environment.
  The README file says nothing about testing.
  The Makefile file provides no test or tests entry.
  The examples directory does not contain explanations and instructions for 
testing.
  The tests directory does not contain explanations and instructions for 
testing.
I do not have time to get skills about HAProxy or about any tool that makes use 
of HAProxy. I simply need to get configuration and test instructions.

What do you suggest/recommend me to do for testing the most important features 
of HAProxy, in 1 week, knowing that I know nothing about HAProxy ?

Thanks

Tony

Re: Difference frontend/backend to listen?

[PiBa-NL]

Hi Florian,

Found a a minor difference, not sure if it is the issue.?
 - The 9000 backend checks up.php versus check.php.
 - Also I don't think http-send-name-header does anything in 'tcp mode'..

If thats not it, maybe someone else has a clue. :)
p.s. You might want to configure a stats page to see if servers are 
properly checked as 'up' by haproxy.


Greets PiBa-NL

Florian Engelmann schreef op 16-1-2014 12:29:
Hi, 



I got two configurations the should do the same. One is based on a 
frontend/backend layout the second does it with just listen. The 
listen configuratiuon is working fine but the fontend/backend causes a 
problem on the backend. It looks like some request string is missing 
because the customer application is not able to resolve some lookup 
which seems to be header related. Is anybody able to tell me whats the 
difference in these two configurations?




global
log /dev/loglocal6
#log /dev/loglocal6 notice
chroot /var/lib/haproxy
user haproxy
group haproxy
daemon
maxconn 5
stats socket /var/run/haproxy.sock mode 600 level admin
stats timeout 2m

defaults
log global
modehttp
option dontlognull
option dontlog-normal
retries 2
option redispatch
timeout connect 5000
timeout client 5
timeout server 12
timeout http-request 5000
timeout http-keep-alive 5000
option http-server-close
http-check disable-on-404
http-send-name-header X-Target-Server
default-server minconn 1024 maxconn 4096
monitor-net 192.168.xxx.xxx/32

listen application9000 0.0.0.0:9000
  balance leastconn
  mode tcp
  option tcplog
  option httpchk GET /check.php HTTP/1.0
  http-check expect string Hello World
  server xcmsphp01.xxx 10.0.4.4:9000 check port 80
  server xcmsphp02.xxx 10.0.4.7:9000 check port 80
  server xcmsphp03.xxx 10.0.4.3:9000 check port 80

listen application80 0.0.0.0:80
  balance roundrobin
  option forwardfor
  option  httplog
  monitor-uri /haproxymon
  option httpchk GET /index.html HTTP/1.1\r\nHost:\ 
monitoring\r\nConnection:\ close

  http-check expect string Welcome home
  acl site_dead nbsrv lt 2
  monitor fail  if site_dead
  server xcmsfrontend01.xxx 10.2.2.1:80 check
  server xcmsfrontend02.xxx 10.2.2.2:80 check




global
log /dev/loglocal6
#log /dev/loglocal6 notice
chroot /var/lib/haproxy
user haproxy
group haproxy
daemon
maxconn 5
stats socket /var/run/haproxy.sock mode 600 level admin
stats timeout 2m

defaults
log global
modehttp
option dontlognull
option dontlog-normal
retries 2
option redispatch
timeout connect 5000
timeout client 5
timeout server 12
timeout http-request 5000
timeout http-keep-alive 5000
default-server minconn 1024 maxconn 4096
monitor-net 192.168.xxx.xxx/32


frontend http-in
  bind *:80
  option http-server-close
  option forwardfor
  option httplog
  monitor-uri /haproxymon
  acl site_dead nbsrv(http-out) lt 2
  monitor fail if site_dead
  default_backend http-out

backend http-out
  balance roundrobin
  http-send-name-header X-Target-Server
  option forwardfor
  option http-server-close
  #option accept-invalid-http-response
  http-check disable-on-404
  option httpchk GET /index.html HTTP/1.1\r\nHost:\ 
monitoring\r\nConnection:\ close

  http-check expect string Welcome home
  server xcmsfrontend01.xxx 10.2.2.1:80 check
  server xcmsfrontend02.xxx 10.2.2.2:80 check

frontend php-in
  bind *:9000
  mode tcp
  option tcplog
  http-send-name-header X-Target-Server

Wont work in tcpmode

default_backend php-out

backend php-out
  balance leastconn
  mode tcp
  option tcplog
  http-send-name-header X-Target-Server

Wont work for tcp mode.

option httpchk GET /up.php HTTP/1.0

Should this be check.php v.s. up.php?

http-check expect string Hello World
  server xcmsphp01.xxx 10.0.4.4:9000 check port 80
  server xcmsphp02.xxx 10.0.4.7:9000 check port 80
  server xcmsphp03.xxx 10.0.4.3:9000 check port 80



Regards,
Florian

issue with acl pattern -m match on a string starting with space or containing a comma, with 1.5-dev21

[PiBa-NL]

Hi,

Using HAProxy 1.5-dev21 i'm having trouble getting it to match my 
user-agent with an acl that uses -m pattern matching..


The browser is Chrome 31.0.1650.63 which sends useragent string:

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like 
Gecko) Chrome/32.0.1700.76 Safari/537.36


My test ACLs, of which only ACL21 and ACL31 are matched with the result 
below:

*ACLexact*= A
*ACLbeg*= B, 1
*ACLend*= C, 1

I would expect at least 2 the ACLbeg acls and ACL2 to be also matched, 
also i dont understand why ACL32 is not matched as the leading space 
seems to be correctly escaped.?


The acl's used/tried..:

reqadd ACLexact:\ A
reqadd ACLbeg:\ B
reqadd ACLend:\ C
acl ACL1 hdr(User-Agent) Mozilla/5.0\ (Windows\ NT\ 6.1;\ WOW64)\ 
AppleWebKit/537.36\ (KHTML\,\ like\ Gecko)\ Chrome/32.0.1700.76\ 
Safari/537.36

reqadd ACLexact:\ 1 if ACL1
acl ACL2 hdr(User-Agent) -m str Mozilla/5.0\ (Windows\ NT\ 6.1;\ WOW64)\ 
AppleWebKit/537.36\ (KHTML\,\ like\ Gecko)\ Chrome/32.0.1700.76\ 
Safari/537.36

reqadd ACLexact:\ 2 if ACL2

acl ACL21 hdr(User-Agent) -m beg Mozilla/5.0\ (Windows\ NT\ 6.1;\ 
WOW64)\ AppleWebKit/537.36\ (KHTML

reqadd ACLbeg:\ 1 if ACL21
acl ACL22 hdr(User-Agent) -m beg Mozilla/5.0\ (Windows\ NT\ 6.1;\ 
WOW64)\ AppleWebKit/537.36\ (KHTML,

reqadd ACLbeg:\ 2 if ACL22
acl ACL23 hdr(User-Agent) -m beg Mozilla/5.0\ (Windows\ NT\ 6.1;\ 
WOW64)\ AppleWebKit/537.36\ (KHTML\,

reqadd ACLbeg:\ 3 if ACL23

acl ACL31 hdr(User-Agent) -m end like\ Gecko)\ Chrome/32.0.1700.76\ 
Safari/537.36

reqadd ACLend:\ 1 if ACL31
acl ACL32 hdr(User-Agent) -m end \ like\ Gecko)\ Chrome/32.0.1700.76\ 
Safari/537.36

reqadd ACLend:\ 2 if ACL32
acl ACL33 hdr(User-Agent) -m end ,\ like\ Gecko)\ Chrome/32.0.1700.76\ 
Safari/537.36

reqadd ACLend:\ 3 if ACL33
acl ACL34 hdr(User-Agent) -m end \,\ like\ Gecko)\ Chrome/32.0.1700.76\ 
Safari/537.36

reqadd ACLend:\ 4 if ACL34


HAPROXY Version used:
HA-Proxy version 1.5-dev21-6b07bf7 +2013/12/17
Copyright 2000-2013 Willy Tarreau w...@1wt.eu
Build options :
  TARGET  = freebsd
  CPU = generic
  CC  = cc
  CFLAGS  = -O2 -pipe -fno-strict-aliasing -DFREEBSD_PORTS
  OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_OPENSSL=1 USE_STATIC_PCRE=1

Did i do something wrong, or can you give it a test.? Thanks.

Thanks for the great product!
Greets PiBa-NL

Re: Bug report for latest dev release, 1.5.21, segfault when using http expect string x and large 404 page (includes GDB output)

[Cyril Bonté]

Hi Willy,

Le 15/01/2014 01:08, Willy Tarreau a écrit :

On Tue, Jan 14, 2014 at 12:25:37PM -0800, Steve Ruiz wrote:

Patched and confirmed in our environment that this is now working / seems
to have fixed the issue. Thanks!


Great, many thanks to you both guys. We've got rid of another pretty
old bug, these are the ones that make me the happiest once fixed!

I'm currently unpacking my laptop to push the fix so that it appears
in todays snapshot.

Excellent work!


I fear there are some more work to do on this patch.
I made some tests on ssl and it looks to be broken since this commit :-(

The shortest configuration I could find to reproduce the issue is :
  listen test
bind 0.0.0.0:443 ssl crt cert.pem
mode http
timeout server 5s
timeout client 5s

When a request is received by haproxy, the cpu raises to 100% in a 
epoll_wait loop (timeouts are here to prevent an unlimited loop).


$ curl -k https://localhost/
...
epoll_wait(3, {{EPOLLIN, {u32=5, u64=5}}}, 200, 0) = 1
epoll_wait(3, {{EPOLLIN, {u32=5, u64=5}}}, 200, 0) = 1
epoll_wait(3, {{EPOLLIN, {u32=5, u64=5}}}, 200, 0) = 1
epoll_wait(3, {{EPOLLIN, {u32=5, u64=5}}}, 200, 0) = 1
epoll_wait(3, {{EPOLLIN, {u32=5, u64=5}}}, 200, 0) = 1
...
The same issue occurs when a server is declared.

The same also occurs when the proxy is in clear http and a server is in 
https :

  listen test
bind 0.0.0.0:80
mode http
timeout server 5s
timeout client 5s
server ssl_backend 127.0.0.1:443 ssl

$ curl http://localhost/
...
epoll_wait(3, {}, 200, 0)   = 0
epoll_wait(3, {}, 200, 0)   = 0
epoll_wait(3, {}, 200, 0)   = 0
epoll_wait(3, {}, 200, 0)   = 0
epoll_wait(3, {}, 200, 0)   = 0
...


--
Cyril Bonté

optimizing TLS time to first byte

[Ilya Grigorik]

Hey all.

I've spent some time looking into HAProxy (1.5-dev21) + TLS performance and
stumbled across a few areas where I think we could make some improvements.
In particular I'm interested in time to first byte, as that's a critical
piece for interactive traffic: time to first paint in browsers, time to
first frame for video, etc.

-

(1) Certificates that exceed 4KB require an extra RTT even with IW10: HA
ships the first 4KB then pauses and waits for client ACK before proceeding
to send remainder of the certificate. At a minimum, this results in an
extra handshake RTT. You can see this in action here:

WPT run: 
*http://www.webpagetest.org/result/140116_VW_3bd95a5cfb7e667498ef13b59639b9bf/2/details/
http://www.webpagetest.org/result/140116_VW_3bd95a5cfb7e667498ef13b59639b9bf/2/details/*

tcpdump:
http://www.webpagetest.org/result/140116_VW_3bd95a5cfb7e667498ef13b59639b9bf/2.cap


I believe this is the same exact issue as fixed in nginx here:
https://github.com/nginx/nginx/commit/e52bddaaa90e64b2291f6e58ef1a2cff71604f6a#diff-0584d16332cf0d6dd9adb990a3c76a0cR539

-

(2) HA allows you to tune max_record_size - yay. That said, using a static
value introduces an inherent tradeoff between latency and throughput --
smaller records are good for latency, but hurt server throughput by adding
bytes and CPU overhead. It would be great if we could implement a smarter
strategy:

http://mailman.nginx.org/pipermail/nginx-devel/2013-December/004703.html
http://mailman.nginx.org/pipermail/nginx-devel/2014-January/004748.html

Would love to hear any thoughts on this. The advantage of above strategy is
that it can give you good performance out-of-the-box and without
sacrificing performance for different kinds of traffic (which is especially
relevant for a proxy...).

Ilya

Re: Bug report for latest dev release, 1.5.21, segfault when using http expect string x and large 404 page (includes GDB output)

[Steve Ruiz]

Cyril is correct - I simply waited for a segfault, but didn't actually test
through the load balancer. I'm using SSL on haproxy, and yes, when I try to
hit a web page behind haproxy, CPU spins at 100% for a good while.

Steve Ruiz
Manager - Hosting Operations
Mirth
ste...@mirth.com ste...@mirthcorp.com


On Thu, Jan 16, 2014 at 1:48 PM, Cyril Bonté cyril.bo...@free.fr wrote:

 Hi Willy,

 Le 15/01/2014 01:08, Willy Tarreau a écrit :

  On Tue, Jan 14, 2014 at 12:25:37PM -0800, Steve Ruiz wrote:

 Patched and confirmed in our environment that this is now working / seems
 to have fixed the issue. Thanks!


 Great, many thanks to you both guys. We've got rid of another pretty
 old bug, these are the ones that make me the happiest once fixed!

 I'm currently unpacking my laptop to push the fix so that it appears
 in todays snapshot.

 Excellent work!


 I fear there are some more work to do on this patch.
 I made some tests on ssl and it looks to be broken since this commit :-(

 The shortest configuration I could find to reproduce the issue is :
   listen test
 bind 0.0.0.0:443 ssl crt cert.pem
 mode http
 timeout server 5s
 timeout client 5s

 When a request is received by haproxy, the cpu raises to 100% in a
 epoll_wait loop (timeouts are here to prevent an unlimited loop).

 $ curl -k https://localhost/
 ...
 epoll_wait(3, {{EPOLLIN, {u32=5, u64=5}}}, 200, 0) = 1
 epoll_wait(3, {{EPOLLIN, {u32=5, u64=5}}}, 200, 0) = 1
 epoll_wait(3, {{EPOLLIN, {u32=5, u64=5}}}, 200, 0) = 1
 epoll_wait(3, {{EPOLLIN, {u32=5, u64=5}}}, 200, 0) = 1
 epoll_wait(3, {{EPOLLIN, {u32=5, u64=5}}}, 200, 0) = 1
 ...
 The same issue occurs when a server is declared.

 The same also occurs when the proxy is in clear http and a server is in
 https :
   listen test
 bind 0.0.0.0:80
 mode http
 timeout server 5s
 timeout client 5s
 server ssl_backend 127.0.0.1:443 ssl

 $ curl http://localhost/
 ...
 epoll_wait(3, {}, 200, 0)   = 0
 epoll_wait(3, {}, 200, 0)   = 0
 epoll_wait(3, {}, 200, 0)   = 0
 epoll_wait(3, {}, 200, 0)   = 0
 epoll_wait(3, {}, 200, 0)   = 0
 ...


 --
 Cyril Bonté


-- 
CONFIDENTIALITY NOTICE: The information contained in this electronic 
transmission may be confidential. If you are not an intended recipient, be 
aware that any disclosure, copying, distribution or use of the information 
contained in this transmission is prohibited and may be unlawful. If you 
have received this transmission in error, please notify us by email reply 
and then erase it from your computer system.

sFlow patch for upstream

[Łukasz Jagiełło]

Hi,

Base on original sFlow patch:
https://github.com/sflow/haproxy/commit/b0058a4b344bb61d05182db291f76453eaaea301

I've made patch for patch :) to work with upstream HAProxy version.
https://github.com/ljagiello/haproxy/commit/1a93d1ff693388dd96a0428fc28e43dae8ee4267

If anyone is also using it.

Cheers
-- 
Łukasz Jagiełło
lukaszatjagiellodotorg

how to force curernt session when active is down

[Andrei Chevenkov]

Hi,

I am pretty new to haproxy and trying to do ha setup for rabbitmq.

Setup is pretyt simple:

listen rabbitmq 192.168.69.106:5672
 modetcp
 balance leastconn
 option  tcplog
 option  tcpka
 server  rabbit01 192.168.69.107:5672 check inter 1000 downinter 5000 fall
1 on-error mark-down
 server  rabbit02 192.168.69.108:5672 check inter 1000 downinter 5000 fall
1 on-error mark-down backup

Everything seems to work well, but I noticed one strange behaviour. If I
gracefully shut down rabbit01, message producer (client) connected to
192.168.69.106:5672 notices broken connection pretty much straight away,
attempts a reconnect, hits rabbit02 and all is well.

However if I simply turn off rabbit01, message producer (client) notices
broken connection only in around 30 seconds or so. And while the break is
undetected it keeps pushing messages thinking there is still someone on
another side.

Now, from the statistic report I can see that as soon as I turn off the
box, rabbit01 is marked as DOWN, but its Sessions Current is still set
to 1? In the logs this comes up pretty much immediately after the hard turn
off:

Jan 17 17:13:51 prodlb01 haproxy[38459]: Server rabbitmq/rabbit01 is DOWN,
reason: Layer4 timeout, check duration: 1008ms. 0 active and 1 backup
servers left. Running on backup. 1 sessions active, 0 requeued, 0 remaining
in queue.

After around 30 seconds, the connection is detected as broken and failover
happens successfully. At that time  Sessions Current  is set to 0 fo
rabbit01.

Tried option  nolinger and option  abortonclose, but no luck.

Any help would be much appreciated...

Cheers,
Andrei

Re: how to force curernt session when active is down

[Dmitriy Samsonov]

Hi!

That's related to rabbiit's default heartbeat timeout. You can set it to
lower value when connecting. Also there is a way to check if message was
actually delivered to the broker, take a look at rabbiit's docs.


пятница, 17 января 2014 г. пользователь Andrei Chevenkov написал:

 Hi,

 I am pretty new to haproxy and trying to do ha setup for rabbitmq.

 Setup is pretyt simple:

 listen rabbitmq 192.168.69.106:5672
  modetcp
  balance leastconn
  option  tcplog
  option  tcpka
  server  rabbit01 192.168.69.107:5672 check inter 1000 downinter 5000
 fall 1 on-error mark-down
  server  rabbit02 192.168.69.108:5672 check inter 1000 downinter 5000
 fall 1 on-error mark-down backup

 Everything seems to work well, but I noticed one strange behaviour. If I
 gracefully shut down rabbit01, message producer (client) connected to
 192.168.69.106:5672 notices broken connection pretty much straight away,
 attempts a reconnect, hits rabbit02 and all is well.

 However if I simply turn off rabbit01, message producer (client) notices
 broken connection only in around 30 seconds or so. And while the break is
 undetected it keeps pushing messages thinking there is still someone on
 another side.

 Now, from the statistic report I can see that as soon as I turn off the
 box, rabbit01 is marked as DOWN, but its Sessions Current is still set
 to 1? In the logs this comes up pretty much immediately after the hard turn
 off:

 Jan 17 17:13:51 prodlb01 haproxy[38459]: Server rabbitmq/rabbit01 is DOWN,
 reason: Layer4 timeout, check duration: 1008ms. 0 active and 1 backup
 servers left. Running on backup. 1 sessions active, 0 requeued, 0 remaining
 in queue.

 After around 30 seconds, the connection is detected as broken and failover
 happens successfully. At that time  Sessions Current  is set to 0 fo
 rabbit01.

 Tried option  nolinger and option  abortonclose, but no luck.

 Any help would be much appreciated...

 Cheers,
 Andrei

Re: how to force curernt session when active is down

[Andrei Chevenkov]

Dmitry, thank you for the reply, but I would imagine that haproxy would
close all sessions on the DOWN nodes, regardless of the type of client
connecting and the protocol? Can this be enforced?

I did implement producer ack, but that slows down publishes big time. Have
also tried heartbeat and that did help, but this is initiated by the client
and I would like to see if haproxy can manage this. I.e. close all sessions
on a node that is marked as DOWN.
On 17/01/2014 8:09 pm, Dmitriy Samsonov dmitriy.samso...@gmail.com
wrote:

 Hi!

 That's related to rabbiit's default heartbeat timeout. You can set it to
 lower value when connecting. Also there is a way to check if message was
 actually delivered to the broker, take a look at rabbiit's docs.


 пятница, 17 января 2014 г. пользователь Andrei Chevenkov написал:

 Hi,

 I am pretty new to haproxy and trying to do ha setup for rabbitmq.

 Setup is pretyt simple:

 listen rabbitmq 192.168.69.106:5672
  modetcp
  balance leastconn
  option  tcplog
  option  tcpka
  server  rabbit01 192.168.69.107:5672 check inter 1000 downinter 5000
 fall 1 on-error mark-down
  server  rabbit02 192.168.69.108:5672 check inter 1000 downinter 5000
 fall 1 on-error mark-down backup

 Everything seems to work well, but I noticed one strange behaviour. If I
 gracefully shut down rabbit01, message producer (client) connected to
 192.168.69.106:5672 notices broken connection pretty much straight away,
 attempts a reconnect, hits rabbit02 and all is well.

 However if I simply turn off rabbit01, message producer (client)
 notices broken connection only in around 30 seconds or so. And while the
 break is undetected it keeps pushing messages thinking there is still
 someone on another side.

 Now, from the statistic report I can see that as soon as I turn off the
 box, rabbit01 is marked as DOWN, but its Sessions Current is still set
 to 1? In the logs this comes up pretty much immediately after the hard turn
 off:

 Jan 17 17:13:51 prodlb01 haproxy[38459]: Server rabbitmq/rabbit01 is
 DOWN, reason: Layer4 timeout, check duration: 1008ms. 0 active and 1 backup
 servers left. Running on backup. 1 sessions active, 0 requeued, 0 remaining
 in queue.

 After around 30 seconds, the connection is detected as broken and
 failover happens successfully. At that time  Sessions Current  is set to
 0 fo rabbit01.

 Tried option  nolinger and option  abortonclose, but no luck.

 Any help would be much appreciated...

 Cheers,
 Andrei