Re: abortonclose for established connections?

2015-04-21 Thread Willy Tarreau
Hi Ludovico,

On Fri, Apr 17, 2015 at 08:24:43PM -0700, Ludovico Cavedon wrote:
> Hi,
>
> I am trying to find a solution to the following issue.
>
> I have a client A that sends hundreds of HTTP requests per second to
> server B running ha-proxy 1.5.3.
> Server B/haproxy forwards them to server C.
>
> Some of these requests are long-polling: server C will receive the
> request and hang for a very long time (even hours potentially).
> Client A may decide to give up on a long-polling request, close the
> connection and forget about it.
> However, haproxy will keep the connection state half-open, assuming
> the client is still there waiting for data.
>
> On client A the connection state will go to FIN_WAIT2, and will be
> forgotten after 60 seconds.
>
> After a while, client A will happen to reuse the source port for a new
> connection, and send a SYN packet. On server B, however, the
> connection is still there in CLOSE_WAIT.
>
> I am trying to find a way to avoid this from happening. Ideally I
> would like haproxy to close the connection completely if the client
> closes its side.
> abortonclose seemed the right option, but it looks like it works
> only if the FIN arrives before the connection to server C has not been
> established yet.
>
> The statement from [1] sounded promising:
> > In 1.5 we have even improved that a bit further for users of long-polling
> > requests. When option abortonclose is set, if the client closes the send
> > side, then haproxy forwards this closing event to the server.
>
> however it does not seem to happen in my case.
>
> What am I doing wrong? Does it have to do with the fact that
> connections to server C are reused/persistent?
> Is there maybe a way to tell haproxy to close the client connection if
> there is no keepalive?

You're not necessarily doing anything wrong, it's fairly possible there's
a bug or an inconsistency between multiple options. I'll have to retry
here with your config, because the statement you quoted indeed indicates
that we should get a better behaviour. I won't do it immediately because
I'm still stuck fixing the things I recently broke before merging that
into 1.6.

In the mean time I would appreciate it if you could retry with 1.5.11 to
verify if you see the close being forwarded or not, because maybe it's due
to a bug that was fixed since 1.5.3.

Thanks,
Willy





Access control for stats page

2015-04-21 Thread CJ Ess
Is there a way to setup an ACL for the haproxy stats page? We do have
authentication set up for the URL, but we would feel better if we could
limit access to a white list of local networks. Is there a way to do that?


Re: Backend status changes continuously

2015-04-21 Thread Igor Cicimov
On 21/04/2015 6:00 PM, Krishna Kumar (Engineering) 
krishna...@flipkart.com wrote:

 Hi all,

 While running the command: : ab -n 10 -c 1000 192.168.122.110:80/256
,
 the haproxy stats page shows the 4 different backend servers changing
status
 between Active up, going down, Active or backup down, Down, Backup
down, going UP, sometimes all 4 backends are in DOWN state. The result is
very
 poor performance reported by 'ab' as compared to running directly against
a
 single backend.

 What could be the reason for this continuous state change?

 root@HAPROXY:~# haproxy -vv
 HA-Proxy version 1.5.8 2014/10/31
 Copyright 2000-2014 Willy Tarreau w...@1wt.eu

 Build options :
   TARGET  = linux2628
   CPU = generic
   CC  = gcc
   CFLAGS  = -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security -D_FORTIFY_SOURCE=2
   OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1

 Default settings :
   maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

 Encrypted password support via crypt(3): yes
 Built with zlib version : 1.2.7
 Compression algorithms supported : identity, deflate, gzip
 Built with OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
 Running on OpenSSL version : OpenSSL 1.0.1k 8 Jan 2015
 OpenSSL library supports TLS extensions : yes
 OpenSSL library supports SNI : yes
 OpenSSL library supports prefer-server-ciphers : yes
 Built with PCRE version : 8.30 2012-02-04
 PCRE library supports JIT : no (USE_PCRE_JIT not set)
 Built with transparent proxy support using: IP_TRANSPARENT
IPV6_TRANSPARENT IP_FREEBIND

 Available polling systems :
   epoll : pref=300,  test result OK
poll : pref=200,  test result OK
  select : pref=150,  test result OK
 Total: 3 (3 usable), will use epoll.


 Thanks,
 - Krishna Kumar

http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#inter


Re: Backend status changes continuously

2015-04-21 Thread Baptiste
Hi Krishna,

Maybe you could be more verbose on your application, architecture, etc...
also which haproxy version, share your configuration, etc...

Cause we can't answer you, I'm sorry!

Baptiste


On Tue, Apr 21, 2015 at 9:59 AM, Krishna Kumar (Engineering)
krishna...@flipkart.com wrote:
 Hi all,

 While running the command: : ab -n 10 -c 1000 192.168.122.110:80/256,
 the haproxy stats page shows the 4 different backend servers changing status
 between Active up, going down, Active or backup down, Down, Backup
 down, going UP, sometimes all 4 backends are in DOWN state. The result is
 very
 poor performance reported by 'ab' as compared to running directly against a
 single backend.

 What could be the reason for this continuous state change?

 root@HAPROXY:~# haproxy -vv
 HA-Proxy version 1.5.8 2014/10/31
 Copyright 2000-2014 Willy Tarreau w...@1wt.eu

 Build options :
   TARGET  = linux2628
   CPU = generic
   CC  = gcc
   CFLAGS  = -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat
 -Werror=format-security -D_FORTIFY_SOURCE=2
   OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1

 Default settings :
   maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

 Encrypted password support via crypt(3): yes
 Built with zlib version : 1.2.7
 Compression algorithms supported : identity, deflate, gzip
 Built with OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
 Running on OpenSSL version : OpenSSL 1.0.1k 8 Jan 2015
 OpenSSL library supports TLS extensions : yes
 OpenSSL library supports SNI : yes
 OpenSSL library supports prefer-server-ciphers : yes
 Built with PCRE version : 8.30 2012-02-04
 PCRE library supports JIT : no (USE_PCRE_JIT not set)
 Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT
 IP_FREEBIND

 Available polling systems :
   epoll : pref=300,  test result OK
poll : pref=200,  test result OK
  select : pref=150,  test result OK
 Total: 3 (3 usable), will use epoll.


 Thanks,
 - Krishna Kumar




Backend status changes continuously

2015-04-21 Thread Krishna Kumar (Engineering)
Hi all,

While running the command: : ab -n 10 -c 1000 192.168.122.110:80/256,
the haproxy stats page shows the 4 different backend servers changing status
between Active up, going down, Active or backup down, Down, Backup
down, going UP, sometimes all 4 backends are in DOWN state. The result is
very
poor performance reported by 'ab' as compared to running directly against a
single backend.

What could be the reason for this continuous state change?

root@HAPROXY:~# haproxy -vv
HA-Proxy version 1.5.8 2014/10/31
Copyright 2000-2014 Willy Tarreau w...@1wt.eu

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security -D_FORTIFY_SOURCE=2
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1k 8 Jan 2015
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.30 2012-02-04
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT
IP_FREEBIND

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.


Thanks,
- Krishna Kumar


Re: Access control for stats page

2015-04-21 Thread Neil - HAProxy List
Hello

Yep there is

Have a frontend

Send say /hastats to a hastats backend

have the backend have its stats URL be /hastats too

Set the acls in the frontend

I'll post a config example in a bit.

Neil
On 21 Apr 2015 20:09, CJ Ess zxcvbn4...@gmail.com wrote:

 Is there a way to setup an ACL for the haproxy stats page? We do have
 authentication set up for the URL, but we would feel better if we could
 limit access to a white list of local networks. Is there a way to do that?




Re: Access control for stats page

2015-04-21 Thread Neil - HAProxy List
Here are some relevant snips
I run this in with the same address as the service

frontend SSL
    ...
    acl url_hastats url_beg /hastats
    acl location_trusted src 123.123.123.0/24
    acl magic_cookie_trusted hdr_sub(cookie) magicforthissiteonly=foobar_SHA1value_etc
    use_backend hastats if url_hastats location_trusted
    use_backend hastats if url_hastats magic_cookie_trusted
    deny if url_hastats
    ...

backend hastats
    mode http
    stats uri /hastats
    stats realm Service\ Loadbalancer
    stats show-desc <br/><font color='GoldenRod ' size='5'>url.domain: Service Loadbalancer</font><br/><font color='blue' size='3'>running on hostname<br/> config version</font>
    stats show-legends
    stats auth admin:password
    stats admin if TRUE


On 21 April 2015 at 21:04, Neil - HAProxy List 
maillist-hapr...@iamafreeman.com wrote:

 Hello

 Yep there is

 Have a frontend

 Send say /hastats to a hastats backend

 have the backend have its stats URL be /hastats too

 Set the acls in the frontend

 I'll post a config example in a bit.

 Neil
 On 21 Apr 2015 20:09, CJ Ess zxcvbn4...@gmail.com wrote:

 Is there a way to setup an ACL for the haproxy stats page? We do have
 authentication set up for the URL, but we would feel better if we could
 limit access to a white list of local networks. Is there a way to do that?
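
A hardened variant of the approach described in this thread, as an added example (it is not Neil's configuration and not taken from the HAProxy project): the source-network check is applied in the frontend and again at the stats handler, credentials come from a userlist with a hashed password, and admin actions require both conditions. Section names, networks and the hash are placeholders; because http-request rules are evaluated before use_backend, the deny rule carries the negated ACL itself.

```haproxy
# Added example, not from the thread. Names, addresses and the hash are placeholders.

userlist stats-users
    # crypt(3) hash rather than insecure-password; replace the placeholder
    user admin password <CRYPT_HASH_PLACEHOLDER>

frontend www
    bind *:80
    mode http
    acl url_hastats   path_beg /hastats
    acl from_trusted  src 192.0.2.0/24 10.0.0.0/8    # constructed example networks

    # http-request rules run before use_backend, so the deny must
    # exclude the trusted networks itself.
    http-request deny if url_hastats !from_trusted
    use_backend hastats if url_hastats
    default_backend app

backend hastats
    mode http
    stats enable
    stats uri /hastats
    stats realm Service\ Loadbalancer

    acl from_trusted  src 192.0.2.0/24 10.0.0.0/8
    acl stats_user    http_auth(stats-users)

    # Second check at the stats handler, in case another frontend
    # ever routes to this backend without the rule above.
    stats http-request deny unless from_trusted
    stats http-request auth unless stats_user

    # Admin actions (enable/disable servers) need both conditions,
    # instead of "stats admin if TRUE".
    stats admin if from_trusted stats_user

backend app
    mode http
    server app1 192.0.2.10:80 check    # placeholder application server
```

`src` is the TCP peer address, so behind another proxy or NAT device it matches that device rather than the end client.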




Re: Access control for stats page

2015-04-21 Thread CJ Ess
Very cool, thank you for the snippets!

On Tue, Apr 21, 2015 at 6:55 PM, Neil - HAProxy List 
maillist-hapr...@iamafreeman.com wrote:

 heres are some relevent snips
 I run this in with same address as the service

 frontend SSL
 ...
 acl url_hastats url_beg /hastats
 acl location_trusted src 123.123.123.0/24
 acl magic_cookie_trusted hdr_sub(cookie)
 magicforthissiteonly=foobar_SHA1value_etc
 use_backend hastats if url_hastats location_trusted
 use_backend hastats if url_hastats magic_cookie_trusted
 deny if url_hastats
 ...

 backend hastats
 mode http
 stats uri /hastats
 stats realm Service\ Loadbalancer
 stats show-desc br/font color='GoldenRod ' size='5'url.domain:
 Service Loadbalancer/fontbr/font color='blue' size='3'running on
 hostnamebr/ config version/font
 stats show-legends
 stats auth admin:password
 stats admin if TRUE


 On 21 April 2015 at 21:04, Neil - HAProxy List 
 maillist-hapr...@iamafreeman.com wrote:

 Hello

 Yep there is

 Have a frontend

 Send say /hastats to a hastats backend

 have the backend have its stats URL be /hastats too

 Set the acls in the frontend

 I'll post a config example in a bit.

 Neil
 On 21 Apr 2015 20:09, CJ Ess zxcvbn4...@gmail.com wrote:

 Is there a way to setup an ACL for the haproxy stats page? We do have
 authentication set up for the URL, but we would feel better if we could
 limit access to a white list of local networks. Is there a way to do that?





Re: Backend status changes continuously

2015-04-21 Thread Krishna Kumar (Engineering)
Hi Baptiste,

Sorry I didn't provide more details earlier.

--
1. root@HAPROXY:~# haproxy -vv
HA-Proxy version 1.5.8 2014/10/31
Copyright 2000-2014 Willy Tarreau w...@1wt.eu

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security -D_FORTIFY_SOURCE=2
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1k 8 Jan 2015
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.30 2012-02-04
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT
IP_FREEBIND

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.
--
2. Configuration file:
global
    daemon
    maxconn  6
    quiet
    nbproc 2
    maxpipes 16384
    user haproxy
    group haproxy
    stats socket /var/run/haproxy.sock mode 600 level admin
    stats timeout 2m

defaults
    option  dontlognull
    option forwardfor
    option http-server-close
    retries 3
    option redispatch
    maxconn 6
    option splice-auto
    option prefer-last-server
    timeout connect 5000ms
    timeout client 5ms
    timeout server 5ms

frontend www-http
    bind *:80
    reqadd X-Forwarded-Proto:\ http
    default_backend www-backend

frontend www-https
    bind *:443 ssl crt /etc/ssl/private/haproxy.pem ciphers AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH
    rspadd Strict-Transport-Security:\ max-age=31536000
    reqadd X-Forwarded-Proto:\ https
    default_backend www-backend

userlist stats-auth
    group admin users admin
    user  admin insecure-password admin
    group readonly users user
    user  user insecure-password user

backend www-backend
    mode http
    maxconn 6
    stats enable
    stats uri /stats
    acl AUTH http_auth(stats-auth)
    acl AUTH_ADMIN http_auth(stats-auth) admin
    stats http-request auth unless AUTH
    balance roundrobin
    option prefer-last-server
    option forwardfor
    option splice-auto
    option splice-request
    option splice-response
    compression offload
    compression algo gzip
    compression type text/html text/plain text/javascript application/javascript application/xml text/css application/octet-stream
    server nginx-1 192.168.122.101:80 maxconn 15000 cookie S1 check
    server nginx-2 192.168.122.102:80 maxconn 15000 cookie S2 check
    server nginx-3 192.168.122.103:80 maxconn 15000 cookie S3 check
    server nginx-4 192.168.122.104:80 maxconn 15000 cookie S4 check
--

3. A 24 processor Ubuntu system starts 2 nginx VM's (KVM, 2 vcpu, 1GB),
and 1 haproxy VM (KVM, 2 vcpu, 1GB). 'ab' runs on the host and tests with
either the haproxy VM, or directly to one of the 2 nginx VM's.

Sometimes during the test, I also see many "nf_conntrack: table full,
dropping packet" messages on the host system.

Thanks.
- Krishna


On Tue, Apr 21, 2015 at 1:29 PM, Krishna Kumar (Engineering) 
krishna...@flipkart.com wrote:

 Hi all,

 While running the command: : ab -n 10 -c 1000 192.168.122.110:80/256
 ,
 the haproxy stats page shows the 4 different backend servers changing
 status
 between Active up, going down, Active or backup down, Down, Backup
 down, going UP, sometimes all 4 backends are in DOWN state. The result is
 very
 poor performance reported by 'ab' as compared to running directly against a
 single backend.

 What could be the reason for this continuous state change?

 root@HAPROXY:~# haproxy -vv
 HA-Proxy version 1.5.8 2014/10/31
 Copyright 2000-2014 Willy Tarreau w...@1wt.eu

 Build options :
   TARGET  = linux2628
   CPU = generic
   CC  = gcc
   CFLAGS  = -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat
 -Werror=format-security -D_FORTIFY_SOURCE=2
   OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1

 Default settings :
   maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

 Encrypted password support via crypt(3): yes
 Built with zlib version : 1.2.7
 Compression algorithms supported : identity, deflate, gzip
 Built with OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
 Running on OpenSSL version : OpenSSL 

Re: forwardfor in 1.6

2015-04-21 Thread Willy Tarreau
Hello Reinis,

On Fri, Apr 17, 2015 at 02:01:19PM +0300, Reinis Rozitis wrote:
> Hello,
> has something changed regarding 'forwardfor' in latest 1.6 versions?
>
> I was running an oldish snapshot '1.6-dev0-9654e57 2014/11/18' with:
>
> defaults
>    option forwardfor header X-Real-IP
>
> But now after upgrading to '1.6-dev1-af2fd58 2015/04/14' with the exactly
> same configuration it broke - the header isn't passed anymore so had to
> revert back.
>
> Sniffed with tcpdump and indeed there are no headers with the (real)client
> ip anymore.
>
> I have additional  http-request set-header HTTPS %[ssl_fc] - which is still
> passed fine.
>
> Am I missing something?

No, you found a bug I introduced with this patch :

  350f487 CLEANUP: session: simplify references to chn_{prod,cons}(s->{req,res})

I was extremely careful as it touched a large part of the code but I
managed to fail at it here :

@@ -4347,7 +4347,7 @@ int http_process_request(struct session *s, struct 
channel *req, int an_bit)
 {
struct http_txn *txn = s-txn;
struct http_msg *msg = txn-req;
-   struct connection *cli_conn = objt_conn(chn_prod(req)-end);
+   struct connection *cli_conn = objt_conn(s-si[1].end);

It should be s->si[0].end and not [1]. The result is that cli_conn is NULL
so the front connection doesn't exist, it has no address and the header is
not appended.

I've just fixed it now and attached the patch so that you can apply it
right now.

Thanks for reporting this!
Willy

From ee335e65dc8f4ac691d4e5be7b0c3c98e6ec83e4 Mon Sep 17 00:00:00 2001
From: Willy Tarreau w...@1wt.eu
Date: Tue, 21 Apr 2015 18:15:13 +0200
Subject: BUG/MEDIUM: http: properly retrieve the front connection

Commit 350f487 (CLEANUP: session: simplify references to
chn_{prod,cons}(s->{req,res}))
introduced a regression causing the cli_conn to be picked from the server
side instead of the client side, so the XFF header is not appended anymore
since the connection is NULL.

Thanks to Reinis Rozitis for reporting this bug. No backport is needed
as it's 1.6-specific.
---
 src/proto_http.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/proto_http.c b/src/proto_http.c
index 377160b..d20225a 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -4343,7 +4343,7 @@ int http_process_request(struct stream *s, struct channel 
*req, int an_bit)
struct session *sess = s-sess;
struct http_txn *txn = s-txn;
struct http_msg *msg = txn-req;
-   struct connection *cli_conn = objt_conn(s-si[1].end);
+   struct connection *cli_conn = objt_conn(strm_sess(s)-origin);
 
if (unlikely(msg-msg_state  HTTP_MSG_BODY)) {
/* we need more data */
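Review bot: the new `cli_conn` initializer goes through `strm_sess(s)` although the first context line of this hunk already declares a `sess` local for the same stream; if both yield the same session, initialize from `sess` and its `origin` field directly so the function has a single way of reaching the session. The commit message could also say why the fix reads the session's origin rather than index 0 of `si`, and a short comment that `cli_conn` can be NULL at this point would help, since the message itself reports that a NULL value silently dropped the XFF header.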
-- 
1.7.12.1



Re: [PATCH] CLEANUP/MINOR: doc: Fix L4TOUT typo in documentation

2015-04-21 Thread Willy Tarreau
On Thu, Apr 16, 2015 at 11:13:21AM -0800, Jason Harvey wrote:
> Please see attached.

applied, thank you Jason.

Willy