Re: Help with dynamic backend selection

2014-05-10 Thread Willy Tarreau
On Sat, May 10, 2014 at 07:58:25AM +0200, Willy Tarreau wrote:
  May I ask about the ETA on this?
 
 It's too early for me to know, I need to go down deep into the ebtrees first to
 see if longest match is compatible with strings storage-wise, then I need to
 study how patterns are built as trees to see how to do that as well. Possibly
 it's just one or two days of work once I understand everything.

OK in the end it was extremely easy :-)
Thierry has done an amazing job at making the pattern management very modular,
because I just changed the index and lookup to try in a tree first with a
different algorithm and that works fine! So we don't care about the
compatibility between regular string match and beginning.

So that's pushed into git now if you want to give it a try.

Willy
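The lookup semantics this thread is about (a beginning-match map in which the longest matching pattern wins, whatever order the entries were loaded in) can be modelled with a character trie. The following is an added example, not HAProxy's pattern code: the route map, the `PrefixMap` class and the `route()` helper are constructed for the demonstration, and the naive `first_match()` scan is included only to show why plain file-order matching is not enough.

```python
"""Longest-prefix ("beginning") match for a path -> backend map.

Added example, not HAProxy code: it models the lookup semantics discussed in
this thread (a beginning-match map in which the longest matching pattern wins)
with a character trie, and contrasts it with a naive first-match scan whose
result depends on file order. The routes below are constructed for the demo.
"""
from typing import Dict, Iterable, List, Optional, Tuple


class _Node:
    __slots__ = ("children", "value")

    def __init__(self) -> None:
        self.children: Dict[str, "_Node"] = {}
        self.value: Optional[str] = None   # set only where a pattern ends


class PrefixMap:
    """Trie keyed on characters. lookup() walks the key once and keeps the
    value of the deepest node that ended a pattern, i.e. the longest prefix
    of the key present in the map, regardless of insertion order."""

    def __init__(self, entries: Iterable[Tuple[str, str]] = ()) -> None:
        self._root = _Node()
        for pattern, value in entries:
            self.add(pattern, value)

    def add(self, pattern: str, value: str) -> None:
        node = self._root
        for ch in pattern:
            node = node.children.setdefault(ch, _Node())
        node.value = value

    def lookup(self, key: str) -> Optional[str]:
        node = self._root
        best = node.value                     # an empty pattern, if present
        for ch in key:
            node = node.children.get(ch)
            if node is None:
                break                         # no longer prefix can exist
            if node.value is not None:
                best = node.value
        return best


def first_match(entries: List[Tuple[str, str]], key: str) -> Optional[str]:
    """Naive scan in file order: the first pattern that is a prefix of the key
    wins, so a "/" listed first shadows every more specific route."""
    for pattern, value in entries:
        if key.startswith(pattern):
            return value
    return None


# Constructed route map: a catch-all, a general API route, a more specific
# route nested under it, and a static-files route.
ROUTES: List[Tuple[str, str]] = [
    ("/", "bk_default"),
    ("/api", "bk_api"),
    ("/api/v2", "bk_api_v2"),
    ("/static", "bk_static"),
]

_MAP = PrefixMap(ROUTES)


def route(path: str) -> Optional[str]:
    """Backend for a request path under longest-prefix semantics."""
    return _MAP.lookup(path)


if __name__ == "__main__":
    for p in ("/api/v2/users", "/api/v1/items", "/apix", "/static/a.css", "/other"):
        print(f"{p:16} longest-match -> {str(route(p)):12} "
              f"first-match -> {first_match(ROUTES, p)}")
```

Note the `/apix` case in the demo: beginning match is a string-prefix comparison, not a path-segment comparison, so `/api` also matches `/apix`; a map that must not route such paths to the API backend needs patterns ending in `/` or a different match method.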




TITLEIST Pro V1/V1x ball, to improve your score: Putting Alley

2014-05-10 Thread CGR GOLF
If this message does not display correctly, view it online

SUPER PROMO

FROM €1.99 PER BALL

TITLEIST PRO V1 / PRO V1X

Used or recycled balls

To improve your putting:
Two reversible alleys to vary the training level (2.5cm and 1.25cm)

€49 instead of €69

Discover PUTTING ALLEY on YouTube

Receive our newsletter  Follow us on Facebook

Please remove me from your mailing list.



Bye, bye

2014-05-10 Thread
We are sorry that you decided to opt-out.
We confirm that this email account haproxy@formilux.org has un-subscribed.


Re: RFC: removal of bsd and osx Makefiles

2014-05-10 Thread Willy Tarreau
Hi Lukas,

On Fri, May 09, 2014 at 10:32:39PM +0200, Lukas Tribus wrote:
  Since there seemed to be no objection, I'd rather remove them before
  the release. Do you already have a patch ready for this or should I
  get rid of them now (and update the README) ?
 
 Agreed. I didn't prepare a patch for this yet, so you can go ahead.

OK done :-)

Willy




Re: NTLM and URL routing

2014-05-10 Thread Willy Tarreau
Hi,

On Thu, May 08, 2014 at 06:22:11PM +0200, Lukas Tribus wrote:
 Hi,
 
 
  Hello,
  I have a few backends which are routed to depending on the URL path. Also one
  of the servers uses NTLM.
  As it was written in many places, NTLM can only function with tunnel
  mode enabled. I understand that, but I have some other backends that do
  not work well unless option http-server-close is enabled.
  
  So without http-server-close I get the following problems in the logs, as well
  as the page not being rendered properly in the browser:
  May 7 16:15:05 66.129.115.238:41881 [07/May/2014:16:12:08.885] http_in 30_26/30_26 0/0/0/3/177114 200 785093 - - cD-- 3/3/3/3/0 0/0 GET /scripts/jquery.prettyPhoto.js HTTP/1.1
  May 7 16:15:06 66.129.115.238:41883 [07/May/2014:16:12:08.892] http_in 30_26/30_26 0/0/0/2/177113 200 341923 - - cD-- 2/2/2/2/0 0/0 GET /scripts/tt-script.js HTTP/1.1
  May 7 16:15:06 66.129.115.238:41880 [07/May/2014:16:12:08.885] http_in 30_26/30_26 0/0/0/1/177729 200 870078 - - cD-- 1/1/1/1/0 0/0 GET /css/prettyPhoto.css HTTP/1.1
  May 7 16:15:13 66.129.115.238:41882 [07/May/2014:16:12:08.892] http_in 30_26/30_26 0/0/0/2/184680 200 616817 - - cD-- 0/0/0/0/0 0/0 GET /scripts/loopedslider.js HTTP/1.1
  
  and on the other hand, there is a problem with NTLM authentication when
  http-server-close is enabled?
  
  Any thoughts on this and experiences would be helpful.
 
 Can you post the complete configuration?
 
 My suggestion is to enable http-server-close only on the non-NTLM
 backend, and leave the NTLM backend as is (in tunnel mode).
 
 That means do not specify the mode in frontend, default or global
 sections.
 
 Not sure about the problem with tunnel mode. I would suggest to
 upgrade to 1.4.25, before troubleshooting any further.

I'd go further, if both NTLM and server-close are needed, then you
really need keep-alive and will have to switch to 1.5. Don't forget
that getting rid of this mess that is NTLM was the primary motivation
for server-side keep-alive, so you won't easily get out of it with
1.4.

Regards,
Willy
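The log lines quoted in this thread all carry the termination state `cD--`, which the thread never spells out. The following added example (not HAProxy code) parses the default HTTP log format and decodes the first two termination characters using the tables from the "Session state at disconnection" section of the HAProxy configuration manual. The four sample lines are reconstructed from the ones quoted above (re-joined onto single lines, the request re-quoted as HAProxy writes it, no syslog host/process prefix); `parse()`, `explain_termination()`, `find_timeouts()` and `summarize()` are names chosen here.

```python
"""Classify HAProxy HTTP log lines by their termination state.

Added example, not HAProxy code. The sample lines are reconstructed from the
ones quoted in this thread (re-joined onto single lines, request re-quoted as
HAProxy writes it, no syslog host/process prefix). Field layout follows the
default HTTP log format; the termination-code tables follow the "Session state
at disconnection" section of the HAProxy configuration manual.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample: the four lines from the thread, one request each.
SAMPLE_LOG = """\
May  7 16:15:05 66.129.115.238:41881 [07/May/2014:16:12:08.885] http_in 30_26/30_26 0/0/0/3/177114 200 785093 - - cD-- 3/3/3/3/0 0/0 "GET /scripts/jquery.prettyPhoto.js HTTP/1.1"
May  7 16:15:06 66.129.115.238:41883 [07/May/2014:16:12:08.892] http_in 30_26/30_26 0/0/0/2/177113 200 341923 - - cD-- 2/2/2/2/0 0/0 "GET /scripts/tt-script.js HTTP/1.1"
May  7 16:15:06 66.129.115.238:41880 [07/May/2014:16:12:08.885] http_in 30_26/30_26 0/0/0/1/177729 200 870078 - - cD-- 1/1/1/1/0 0/0 "GET /css/prettyPhoto.css HTTP/1.1"
May  7 16:15:13 66.129.115.238:41882 [07/May/2014:16:12:08.892] http_in 30_26/30_26 0/0/0/2/184680 200 616817 - - cD-- 0/0/0/0/0 0/0 "GET /scripts/loopedslider.js HTTP/1.1"
"""

# Default HTTP log format: client:port [accept] frontend backend/server
# Tq/Tw/Tc/Tr/Tt status bytes req_cookie res_cookie term ac/fc/bc/sc/rc sq/bq "request"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) "
    r"(?P<client>\S+):(?P<cport>\d+) "
    r"\[(?P<accept>[^\]]+)\] "
    r"(?P<frontend>\S+) (?P<backend>\S+)/(?P<server>\S+) "
    r"(?P<Tq>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Tt>\+?\d+) "
    r"(?P<status>-?\d+) (?P<bytes>\+?\d+) "
    r"(?P<req_cookie>\S+) (?P<res_cookie>\S+) "
    r"(?P<term>\S{4}) "
    r"(?P<ac>\d+)/(?P<fc>\d+)/(?P<bc>\d+)/(?P<sc>\d+)/(?P<rc>\d+) "
    r"(?P<sq>\d+)/(?P<bq>\d+) "
    r'"?(?P<request>.*?)"?$'
)

# First termination character: who or what ended the session.
TERM_CAUSE = {
    "C": "client aborted", "S": "server aborted or refused",
    "P": "proxy terminated (policy, rule or error)",
    "R": "proxy resource exhausted", "I": "internal error",
    "D": "killed by haproxy: server went down",
    "U": "killed by haproxy: server came back up (redispatch)",
    "K": "killed by an admin", "c": "client-side timeout",
    "s": "server-side timeout", "-": "normal",
}
# Second termination character: what the session was doing at that moment.
TERM_STATE = {
    "R": "waiting for request", "Q": "queued in backend",
    "C": "connecting to server", "H": "waiting for response headers",
    "D": "data transfer", "L": "transmitting last data to client",
    "T": "tarpit", "-": "normal",
}


def parse(line: str) -> Optional[Dict[str, object]]:
    """Split one log line into named fields; timers and counters become ints.
    Returns None for lines that are not in the default HTTP log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    row: Dict[str, object] = m.groupdict()
    for f in ("Tq", "Tw", "Tc", "Tr", "Tt", "status", "bytes"):
        row[f] = int(str(row[f]).lstrip("+"))   # "+" marks logasap values
    return row


def explain_termination(term: str) -> Dict[str, str]:
    """Human-readable cause and state for a 4-character termination code."""
    return {"cause": TERM_CAUSE.get(term[0], "unknown"),
            "state": TERM_STATE.get(term[1], "unknown")}


def find_timeouts(lines: List[str]) -> List[Dict[str, object]]:
    """Sessions ended by a client- or server-side timeout, with context."""
    out = []
    for line in lines:
        row = parse(line)
        if row is None or str(row["term"])[0] not in ("c", "s"):
            continue
        out.append({"backend": row["backend"], "server": row["server"],
                    "Tt_ms": row["Tt"], "request": row["request"],
                    **explain_termination(str(row["term"]))})
    return out


def summarize(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Count termination codes per backend/server, e.g. to spot one backend
    whose sessions only ever end on a timeout."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        row = parse(line)
        if row is not None:
            counts[f"{row['backend']}/{row['server']}"][str(row["term"])] += 1
    return {k: dict(v) for k, v in counts.items()}


if __name__ == "__main__":
    for hit in find_timeouts(SAMPLE_LOG.splitlines()):
        print(hit)
    print(summarize(SAMPLE_LOG.splitlines()))
```

Run over the sample, every line decodes to "client-side timeout" during "data transfer" after roughly 177 to 185 seconds, which is the pattern to look for when a backend is left in tunnel mode with long timeouts: the responses are complete (status 200, large byte counts), and it is only the idle connection that the client timeout finally closes.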




Re: NTLM and URL routing

2014-05-10 Thread Baptiste
NTLM and server-close are mutually incompatible.
As Willy stated, the best solution for you is to use http-keep-alive mode
and upgrade to haproxy 1.5.

Baptiste

On Sat, May 10, 2014 at 1:38 PM, Willy Tarreau w...@1wt.eu wrote:
 I'd go further, if both NTLM and server-close are needed, then you
 really need keep-alive and will have to switch to 1.5. Don't forget
 that getting rid of this mess that is NTLM was the primary motivation
 for server-side keep-alive, so you won't easily get out of it with
 1.4.

 Regards,
 Willy





Re: about pcre

2014-05-10 Thread Baptiste
Hi Simon,

The following compilation directive should do the trick for you: USE_PCRE=1.

Baptiste

On Wed, May 7, 2014 at 10:31 AM, k simon chio1...@gmail.com wrote:
 Hi Lists,
   I found I can not share the same regex txt for haproxy and squid. And
 I noticed that haproxy uses the OS libc's regex by default, and it can be
 changed with the compile parameter REGEX=pcre.
   Should I recompile haproxy and share the same regex txt?


 Regards
 Simon




[ANNOUNCE] haproxy-1.5-dev25

2014-05-10 Thread Willy Tarreau
Hi all,

we're almost done!

Now the bind-process mess is fixed so that we now support per-listener
process binding using the process bind keyword, which ensures that
we won't need to change the config format during the stable release if
we want to slightly improve it. And that allows us to have one stats
socket per process, finally!

As most of you might have been following recently, four important issues
were fixed since dev24. One could cause crashes on out-of-memory. Another
one concerns FreeBSD where the shared session cache could have been used
without locking, causing random crashes as well. The recent fixes for HTTP
request body forwarding randomly caused pauses when using balance url_param.
Last, arguments -i and -n were ignored on ACLs since dev23.

Some low hanging fruits from the roadmap were done as well. Half-closed
timeouts are now supported, so it will be possible to quickly get rid of
dead connections even with long tunnel timeouts. Unix sockets are now
supported on the server side, as well as abstract namespace sockets on
Linux. This allows backends and frontends to connect together without
consuming TCP ports. The old unmaintained BSD and OSX Makefiles were
removed, so BSD users will have to use GNU make, which most of them
already use anyway since the BSD makefile did not implement half of the
1.5 features. Version 2 of the PROXY protocol was implemented on the
server side. A few other minor improvements were made, as seen in the
changelog below.

What's missing before 1.5-final? Only the started updates to the agent-
check. Maybe by now we'll have fixed peers to support running with nbproc
greater than one, but I don't fix this as a top priority considering that
the real priority is to stabilize the API (and agent-check is part of the
API).

As usual, bug reports were of high quality and very useful, so I'm
addressing a big thanks to all those involved!

Ah, I have set up git.haproxy.org on the formilux.org server and updated
the README to reference it instead of git.1wt.eu, hoping it will avoid
some of the disappointment some people have experienced with the slow
master server.

On a side note, Patrick Hemmer informed me that spamcop is currently
blacklisting the mailing list server as spam sender. Since there's no
spontaneous e-mails sent from there, I suspect that someone subscribed
one of their traps. I contacted them just in case we'd have a response.
So if you're having difficulties receiving some of the mails from the
ML, you'll probably need to whitelist the server's address (88.191.124.161)
or disable spamcop as I did for dnsbl which was abusively blocking gmail.

Have a nice week-end,
Willy

---
Usual links below :

 Site index   : http://haproxy.1wt.eu/
 Sources  : http://haproxy.1wt.eu/download/1.5/src/devel/
 Changelog: http://haproxy.1wt.eu/download/1.5/src/CHANGELOG
 Cyril's HTML doc : 
http://cbonte.github.com/haproxy-dconv/configuration-1.5.html

And the changelog :

2014/05/10 : 1.5-dev25
- MEDIUM: connection: Implement and extended PROXY Protocol V2
- MINOR: ssl: clean unused ACLs declarations
- MINOR: ssl: adds fetchs and ACLs for ssl back connection.
- MINOR: ssl: merge client's and frontend's certificate functions.
- MINOR: ssl: adds ssl_f_sha1 fetch to return frontend's certificate fingerprint
- MINOR: ssl: adds sample converter base64 for binary type.
- MINOR: ssl: convert to binary ssl_fc_unique_id and ssl_bc_unique_id.
- BUG/MAJOR: ssl: Fallback to private session cache if current lock mode is not supported.
- MAJOR: ssl: Change default locks on ssl session cache.
- BUG/MINOR: chunk: Fix function chunk_strcmp and chunk_strcasecmp match a substring.
- MINOR: ssl: add global statement tune.ssl.force-private-cache.
- MINOR: ssl: remove fallback to SSL session private cache if lock init fails.
- BUG/MEDIUM: patterns: last fix was still not enough
- MINOR: http: export the smp_fetch_cookie function
- MINOR: http: generic pointer to rule argument
- BUG/MEDIUM: pattern: a typo breaks automatic acl/map numbering
- BUG/MAJOR: patterns: -i and -n are ignored for inlined patterns
- BUG/MINOR: proxy: unsafe initialization of HTTP transaction when switching from TCP frontend
- BUG/MINOR: http: log 407 in case of proxy auth
- MINOR: http: rely on the message body parser to send 100-continue
- MEDIUM: http: move reqadd after execution of http_request redirect
- MEDIUM: http: jump to dedicated labels after http-request processing
- BUG/MINOR: http: block rules forgot to increment the denied_req counter
- BUG/MINOR: http: block rules forgot to increment the session's request counter
- MEDIUM: http: move Connection header processing earlier
- MEDIUM: http: remove even more of the spaghetti in the request path
- MINOR: http: silently support the block action for http-request
- CLEANUP: proxy: rename block_cond to block_rules


haproxy 1.5-dev25 ssl_fc_npn issue

2014-05-10 Thread Kura
Since upgrading to haproxy 1.5-dev25 I am getting the following error when 
trying to detect if the SPDY/3.1 protocol is being used:

    error detected while parsing ACL 'npn_spdy' : unknown matching method 'spdy/3.1' when parsing ACL expression.

The config in question:

    bind :443 ssl crt /path/to/cert.pem npn http/1.1,spdy/3.1 ...
    acl npn_spdy ssl_fc_npn -mi spdy/3.1
    use_backend spdy if npn_spdy
    default_backend http

This worked fine in dev24 but isn't working in dev25.

Any ideas?

--
Kura

t: @kuramanga [https://twitter.com/kuramanga]
w: https://kura.io/ [https://kura.io/]
g: @kura [http://git.io/kura]

Re: haproxy 1.5-dev24: 100% CPU Load or Core Dumped

2014-05-10 Thread Dmitry Sivachenko

On May 7, 2014, at 18:24, Emeric Brun eb...@exceliance.fr wrote:
 
 Hi All,
 
 I suspect FreeBSD to not support process shared mutex (supported in both 
 linux and solaris).
 
 I've just made a patch to add errors check on mutex init, and to fallback on 
 SSL private session cache in error case.


Hello,

BTW, nginx does support shared SSL session cache on FreeBSD (probably by other
means).
Maybe it is worth borrowing their method rather than falling back to private
cache?


Re: haproxy 1.5-dev24: 100% CPU Load or Core Dumped

2014-05-10 Thread Willy Tarreau
On Sun, May 11, 2014 at 12:19:45AM +0400, Dmitry Sivachenko wrote:
 
 On May 7, 2014, at 18:24, Emeric Brun eb...@exceliance.fr wrote:
  
  Hi All,
  
  I suspect FreeBSD to not support process shared mutex (supported in both 
  linux and solaris).
  
  I've just made a patch to add errors check on mutex init, and to fallback 
  on SSL private session cache in error case.
 
 
 Hello,
 
 BTW, nginx does support shared SSL session cache on FreeBSD (probably by 
 other means).
 Maybe it is worth borrowing their method rather than falling back to private
 cache?

We finally ended up getting rid of pthreads there and simply using
spinlocks. The difference of performance is not even measurable since
the cache is not used that often.

Willy




Re: [ANNOUNCE] haproxy-1.5-dev25

2014-05-10 Thread Baptiste
Hi Willy,

I wonder if I found a bug or if HAProxy's behavior has changed in a
recent release.
I'm using:
# /opt/haproxy/sbin/haproxy -vv
HA-Proxy version 1.5-dev25 2014/05/10
Copyright 2000-2014 Willy Tarreau w...@1wt.eu

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.3.4
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1g 7 Apr 2014
Running on OpenSSL version : OpenSSL 1.0.1g 7 Apr 2014
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.02 2010-03-19
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT
IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.


In my configuration, I have the following log-format directive:
log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\
%CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\
{%sslv,%sslc,%[ssl_fc_sni],%[ssl_fc_session_id]}\
%[capture.req.method]\ %[capture.req.hdr(0)]%[capture.req.uri]\
%[capture.res.ver]

The fetch ssl_fc_session_id just returns weird characters in my log entries:
May 10 23:15:37 localhost haproxy[10282]: 88.160.139.122:51802
[10/May/2014:23:15:35.225] ft_www~ bk_wiki/centos5_www
1828/0/0/237/2065 200 5352 - -  11/10/0/1/0 0/0
{wiki.bedis.eu|Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101
Firefox/|gzip, deflate}
{TLSv1,ECDHE-RSA-AES256-SHA,wiki.bedis.eu,0�#006sU#177.^��XP#005
�V��CͶ�lgL�#004#026} GET wiki.bedis.eu/index HTTP/1.1


I used to have this type of string before:
{TLSv1.1,ECDHE-RSA-AES256-SHA,wiki.bedis.eu,E0CF269B6D688FA360C267FF021D7654601DD2D630944681A49EB42605FD49DB}

But I can't say when this change occurred, because I don't update and
watch my log every day :)

Note: from the doc, I can read that ssl_fc_session_id is supposed to be binary.

Baptiste




Re: [ANNOUNCE] haproxy-1.5-dev25

2014-05-10 Thread Cyril Bonté

Hi Baptiste,

On 10/05/2014 23:20, Baptiste wrote:

(...)
The fetch ssl_fc_session_id just returns weird characters in my log entries:
(...)
Note: from the doc, I can read that ssl_fc_session_id is supposed to be binary.


I think the behaviour has changed since dev23. I've not tested to verify
it, but it may be related to these 2 commits:

http://haproxy.1wt.eu/git?p=haproxy.git;a=commit;h=e87cac16cc082fa43d5f65dd68e1244add7871c6
http://haproxy.1wt.eu/git?p=haproxy.git;a=commit;h=2f49d6d17be8825a2c64ed89434d85959b8000f8

Using %[ssl_fc_session_id,hex] should restore your behaviour.

--
Cyril Bonté
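The reason the `,hex` converter matters is not cosmetic: a binary sample dropped straight into a text log line can contain the very bytes that log collectors and parsers use as delimiters (commas, braces, newlines) plus control characters. The following is an added example, not HAProxy code, that renders the braced SSL field from Baptiste's log-format once with raw session id bytes and once in the hex form `%[ssl_fc_session_id,hex]` produces, and shows what each does to a delimiter-based parser. `SESSION_ID` is a constructed byte string chosen to contain a comma, a closing brace, a newline and a DEL byte; the helper names are chosen here.

```python
"""Why a binary sample (ssl_fc_session_id) needs a converter in log-format.

Added example, not HAProxy code. It renders the braced SSL field from the
log-format in this thread once with raw session id bytes and once with the
hex form that the ,hex converter produces, then shows what each does to a
delimiter-based log parser. SESSION_ID is constructed to contain a comma, a
closing brace, a newline and a DEL byte; it is not a real session id.
"""
import re
from typing import List, Optional

SESSION_ID = b"0,\x06}\nsU\x7f.^"          # constructed, 10 bytes


def render_ssl_field(sslv: str, sslc: str, sni: str,
                     session_id: bytes, as_hex: bool) -> str:
    """Mimics {%sslv,%sslc,%[ssl_fc_sni],%[ssl_fc_session_id]} from the thread.
    With as_hex=False the bytes land in the line as-is (decoded 1:1 with
    latin-1 so nothing is lost); with as_hex=True they are rendered the way
    %[ssl_fc_session_id,hex] would be, as uppercase hex digits."""
    sid = session_id.hex().upper() if as_hex else session_id.decode("latin-1")
    return "{%s,%s,%s,%s}" % (sslv, sslc, sni, sid)


def is_log_safe(field: str) -> bool:
    """Printable ASCII only: no NUL, control characters, newlines or high
    bytes that a syslog relay or a text-based parser may mangle or
    misinterpret."""
    return all(0x20 <= ord(c) < 0x7F for c in field)


def split_ssl_field(field: str) -> Optional[List[str]]:
    """What a typical pipeline regex does with the braced block: match
    '{...}' up to the first closing brace and split the inside on commas.
    Returns None when the field no longer has the expected shape."""
    m = re.fullmatch(r"\{([^}]*)\}", field)
    return m.group(1).split(",") if m else None


def count_lines(field: str) -> int:
    """A raw newline inside a field becomes a new 'log line' downstream,
    which is how unescaped data ends up forging or splitting entries."""
    return field.count("\n") + 1


if __name__ == "__main__":
    for as_hex in (False, True):
        f = render_ssl_field("TLSv1", "ECDHE-RSA-AES256-SHA", "wiki.bedis.eu",
                             SESSION_ID, as_hex)
        print("hex" if as_hex else "raw", repr(f))
        print("  safe:", is_log_safe(f), " lines:", count_lines(f),
              " fields:", split_ssl_field(f))
```

The raw rendering fails all three checks (control characters present, the field spans two lines, the brace-delimited parse returns nothing), while the hex rendering is printable, single-line and splits into exactly the four fields the log-format promises. The same reasoning applies to any other sample of binary type that ends up in `log-format` or a `capture`: convert it (`hex`, `base64`) before it reaches the line.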



Re: [ANNOUNCE] haproxy-1.5-dev25

2014-05-10 Thread Baptiste
On Sat, May 10, 2014 at 11:37 PM, Cyril Bonté cyril.bo...@free.fr wrote:
 I think the behaviour has changed since dev23. I've not tested to verify it
 but it may be related to the 2 commits :
 http://haproxy.1wt.eu/git?p=haproxy.git;a=commit;h=e87cac16cc082fa43d5f65dd68e1244add7871c6
 http://haproxy.1wt.eu/git?p=haproxy.git;a=commit;h=2f49d6d17be8825a2c64ed89434d85959b8000f8

 Using %[ssl_fc_session_id,hex] should restore your behaviour.

 --
 Cyril Bonté

Hi Cyril,

I confirm it works :)
I'll propose some updates for the documentation later, because some
examples may lead to questions like mine.

Baptiste