Re: Capture http connect request information

2015-06-15 Thread Kevin C
On Sunday 14 June 2015 08:28:06, you wrote:
 Hi Kevin,
 
 On Sat, Jun 13, 2015 at 10:34:07AM +0200, Kevin COUSIN wrote:
  Hi,
  
  Is it possible to capture the CONNECT method information? I try to capture
  the IP and port in http request CONNECT 172.20.69.22:5904 to create an
  ACL to redirect request to backend.
 
 Normally you can since it's the URL of the request, so the url
 sample fetch method will return it.
 
 Regards,
 Willy
Thanks for the reply. I think I want to use HAproxy like a proxy here, not a 
reverse proxy (see http://www.ovirt.org/Features/Spice_Proxy). Can HAproxy be 
used like a proxy (like squid) ?

Regards
-- 
Kevin



Re: LuaSocket problem with HAProxy

2015-06-15 Thread Thierry FOURNIER
 Hello list,

 I’m using HAProxy-1.6 with Lua. My use case involves a Lua extension
 library LuaSocket and I’m having problems configuring HAProxy to use
 LuaSocket.

 When I use LuaSocket directly in Lua everything works fine:

 [bowen ~]$ lua

 Lua 5.3.0  Copyright (C) 1994-2015 Lua.org, PUC-Rio

 require("socket")

 table: 0x22faef0



 However there are some problems when I use LuaSocket in a Lua file loaded
 by HAProxy.

 My config looks like:

 global

 lua-load hello.lua

 …

 …

 My hello.lua is very simple:

 require("socket")

 It’s throwing the following error:

 [bowen ~]$ haproxy -f config -c

 [ALERT] 162/193812 (5636) : parsing [config:2] : lua runtime error: error
 loading module 'socket.core' from file
 '/usr/local/lib/lua/5.3/socket/core.so':

 /usr/local/lib/lua/5.3/socket/core.so: undefined symbol: lua_getmetatable

 My environment is linux 2.6.32. LuaSocket was installed via LuaRocks

 Any ideas? Thanks in advance.


Hi,

I suppose that your problem is from HAProxy. I suppose that HAProxy
doesn't export its own symbols, and doesn't embed unused symbols
from the Lua library.

On the other hand, what you are trying can't work with HAProxy, because the
executed Lua code must be non-blocking, and LuaSocket provides
blocking access to the network.

I suggest that you try to use the embedded HAProxy Socket. The HAProxy
Socket has the same API as the Lua Socket. Look at the documentation
of the Lua API in HAProxy:

   doc/lua-api/index.rst

or, if you have Sphinx installed, you can try a make html to build the
HTML API documentation.

Thierry


 Best,
 Bowen






Re: Capture http connect request information

2015-06-15 Thread Willy Tarreau
On Mon, Jun 15, 2015 at 12:00:44PM +0200, Kevin C wrote:
 On Sunday 14 June 2015 08:28:06, you wrote:
  Hi Kevin,
  
  On Sat, Jun 13, 2015 at 10:34:07AM +0200, Kevin COUSIN wrote:
   Hi,
   
   Is it possible to capture the CONNECT method information? I try to capture
   the IP and port in http request CONNECT 172.20.69.22:5904 to create an
   ACL to redirect request to backend.
  
  Normally you can since it's the URL of the request, so the url
  sample fetch method will return it.
  
  Regards,
  Willy
 Thanks for the reply. I think I want to use HAproxy like a proxy here, not a 
 reverse proxy (see http://www.ovirt.org/Features/Spice_Proxy). Can HAproxy be 
 used like a proxy (like squid) ?

No it's not possible. However you can install it in front of squid. That's
quite common for outgoing proxy farms.

Willy




RE: Does haproxy use lt or et mode of epoll ?

2015-06-15 Thread Lukas Tribus
 Subject: Does haproxy use lt or et mode of epoll ? 
 
 thanks 

Level-triggered, if I understand the following commit correctly:

http://www.haproxy.org/git?p=haproxy.git;a=commit;h=6c11bd2f89eb043fd493d77b784198e90e0a01b2


Lukas

  

Using ACLs to toggle IP tracking

2015-06-15 Thread Brendon Colby
Greetings,

I've been trying to implement some changes to our config but it's not
working like I am expecting it to work. I'd really appreciate some
input on this to see what I am doing wrong here.

Oh and by the way, one thing I discovered last week is that if you are
behind a CDN like CloudFlare, they will sometimes pass v6 IPs in the
X-Forwarded-For header. If you're tracking this header using an ipv4
stick table, haproxy appears to convert this IP to 0.0.0.0 and funnels
all v6 requests into this one entry in the stick table. This was
matching some throttling ACLs and causing problems for me. What I did
was switch the stick table to ipv6, which appears to work fine for
both v4 and v6 IPs.

Basically what I've been wanting to do is increment gpc0 to 1 on
abusive IPs and send them directly to the appropriate backend
depending on the type of abuse. I then want to stop tracking the IP
until it expires out of the stick table. In other words, if a user
hits a throttling threshold, I want them to be blocked outright for a
period of time. Example:

frontend http-in
    acl kill sc0_inc_gpc0 gt 0

    stick-table type ipv6 size 250k expire 1m store http_err_rate(60s),http_req_rate(60s),conn_cur

    tcp-request inspect-delay 10s

    # Tracks the last IP in the X-Forwarded-For header if it's not in either the whitelist or blacklist
    # XXX the IP is still tracked and gpc0 increments even if kill is true!
    tcp-request content track-sc0 req.hdr_ip(X-Forwarded-For) if !whitelist_hdr !blacklist_hdr !kill

    acl ease_up sc0_http_req_rate gt 1800

    # There are other use_backend keywords above this line for blacklisted IPs, etc.
    # kill gets evaluated here as expected, incrementing gpc0 only if the request rate is too high
    use_backend ease-up if ease_up kill

    default_backend servers

Using this config, haproxy increments the kill acl when the request
rate exceeds 1800 as expected. What I'm confused about is why gpc0
continues to increment and the expire time gets reset on subsequent
requests, even when kill evaluates to true.

It's as if haproxy tracks the IP before it evaluates the kill ACL,
so this ACL can NOT be used to stop tracking the IP.

I can kind of understand if this is the case (please correct me if I'm
wrong). I wondered if maybe incrementing gpc0 caused the IP to be
tracked and the expire timer to be reset, so the other thing I tried
was doing:

    acl kill sc0_inc_gpc0 gt 0
    acl really_kill sc0_get_gpc0 gt 0

    # IP still continues to be tracked, even if really_kill evaluates to true!
    tcp-request content track-sc0 req.hdr_ip(X-Forwarded-For) if !whitelist_hdr !blacklist_hdr !really_kill

    acl ease_up sc0_http_req_rate gt 1800

    use_backend ease-up if ease_up really_kill

    # Testing to see if evaluating kill causes the IP to be tracked
    use_backend ease-up if ease_up kill

    # other use_backend statements below this


The only change here from the above config is that gpc0 increments to
1 and that's it. The request is directed to the ease-up backend before
below use_backend statements evaluate kill, which is what I'd
expect. What's confusing me is that, again, the IP continues to be
tracked even if really_kill is true.

So what appears to be the case is that certain ACLs can't be used to
disable tracking an IP. The blacklist/whitelist ACLs work just fine,
but anything incrementing or even accessing gpc0 does not work,
because it appears that the tracking happens before the evaluation of
the ACL. Please correct me if I'm wrong here.

I'm thinking the only way to do this is to somehow use sc0_clr_gpc0 in
a backend after the request rate (or whatever abuse parameter) drops
below a threshold. It doesn't appear that I will be able to just allow
the IP to expire out of the stick table using ACLs. If anyone has any
input on how to better structure my config please let me know!


Here is my haproxy info:

Running on Debian 7.8.

HA-Proxy version 1.5.12 2015/05/02
Copyright 2000-2015 Willy Tarreau w...@1wt.eu

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_STATIC_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.30 2012-02-04
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use 


HAProxy Stats and SSL Problems

2015-06-15 Thread Matthew Cox

Hello,

I've been trying to diagnose an odd issue with HAProxy (1.5.x) 
statistics and SSL. I'm seeing clients having problems with the SSL 
negotiation. When digging with openssl, there seems to be a clear text 
http 1.x response which causes the negotiation to fail:


$ openssl s_client -debug -connect lb.com:44300
CONNECTED(0003)
write to 0x7f96a3504c70 [0x7f96a3804200] (130 bytes = 130 (0x82))
 - 80 80 01 03 01 00 57 00-00 00 20 00 00 39 00 00   ..W... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5
0020 - 00 00 33 00 00 32 00 00-2f 00 00 9a 00 00 99 00   ..3..2../...
0030 - 00 96 03 00 80 00 00 05-00 00 04 01 00 80 00 00   
0040 - 15 00 00 12 00 00 09 06-00 40 00 00 14 00 00 11   .@..
0050 - 00 00 08 00 00 06 04 00-80 00 00 03 02 00 80 00   
0060 - 00 ff 79 2a 0a d7 d8 37-c8 50 b6 f7 c3 8e ce 96   ..y*...7.P..
0070 - cf 2b d9 b8 92 c5 6f 1f-74 7f c0 d1 22 46 71 7a   .+o.t...Fqz
0080 - e2 b4 ..
read from 0x7f96a3504c70 [0x7f96a3809800] (7 bytes = 7 (0x7))
 - 48 54 54 50 2f 31 2e  HTTP/1.
1371:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/ssl/s23_clnt.c:618:


$ telnet lb.com 44300
Trying X.X.X.X...
Connected to X.X.X.X.
Escape character is '^]'.
GET /
HTTP/1.0 403 Forbidden
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>


The proxy log doesn't have anything that helps me understand what's 
going on:



Jun 15 16:47:44 lb.com haproxy[430]: X.X.X.X:55877 [15/Jun/2015:16:47:44.967] stats stats/NOSRV -1/-1/-1/-1/0 400 187 - - PR-- 0/0/0/0/3 0/0 BADREQ



The pertinent configuration sections are:


global
    log 127.0.0.1 local1 info
    maxconn 10240
    chroot /usr/share/haproxy
    user haproxy
    group haproxy
    daemon

    # local stats sockets for read access - change operator to admin for r/w
    stats socket /var/run/haproxy/haproxy.sock mode 0600 level operator

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

    # Set global SSL bind options
    ssl-default-bind-options no-sslv3 no-tls-tickets

    tune.ssl.default-dh-param 2048

    ssl-server-verify none

defaults
    log global
    mode http
    option httplog
    option dontlognull
    retries 3
    option redispatch
    maxconn 10240

    # Mime types from here:
    # http://blogs.alfresco.com/wp/developer/2013/11/13/haproxy-for-alfresco/
    # and here
    # http://serverfault.com/questions/575744/nginx-mime-types-and-gzip
    compression algo gzip
    compression type text/plain text/html text/html;charset=utf-8 text/css text/javascript application/json


listen stats :44300
    bind *:44300 ssl crt /etc/ssl/private/the.pem.withkey.pem
    mode http
    http-request deny if !{ ssl_fc }
    stats enable
    stats refresh 5s
    stats uri /stats
    stats realm proxies
    stats show-node
    stats show-legends
    option httplog
    option contstats
    acl auth_ok_stats http_auth(users_stats)
    http-request auth if !auth_ok_stats


Does anyone have any insight?

Thank you in advance,
Matt



Re: HAProxy Stats and SSL Problems

2015-06-15 Thread PiBa-NL

Matthew Cox wrote on 15-6-2015 at 20:05:

Hello,

I've been trying to diagnose an odd issue with HAProxy (1.5.x) 
statistics and SSL. I'm seeing clients having problems with the SSL 
negotiation. When digging with openssl, there seems to be a clear text 
http 1.x response which causes the negotiation to fail:


$ openssl s_client -debug -connect lb.com:44300
CONNECTED(0003)
write to 0x7f96a3504c70 [0x7f96a3804200] (130 bytes = 130 (0x82))
 - 80 80 01 03 01 00 57 00-00 00 20 00 00 39 00 00   ..W... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5
0020 - 00 00 33 00 00 32 00 00-2f 00 00 9a 00 00 99 00   ..3..2../...
0030 - 00 96 03 00 80 00 00 05-00 00 04 01 00 80 00 00   
0040 - 15 00 00 12 00 00 09 06-00 40 00 00 14 00 00 11   .@..
0050 - 00 00 08 00 00 06 04 00-80 00 00 03 02 00 80 00   
0060 - 00 ff 79 2a 0a d7 d8 37-c8 50 b6 f7 c3 8e ce 96   ..y*...7.P..
0070 - cf 2b d9 b8 92 c5 6f 1f-74 7f c0 d1 22 46 71 7a   .+o.t...Fqz
0080 - e2 b4 ..
read from 0x7f96a3504c70 [0x7f96a3809800] (7 bytes = 7 (0x7))
 - 48 54 54 50 2f 31 2e  HTTP/1.
1371:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/ssl/s23_clnt.c:618:


$ telnet lb.com 44300
Trying X.X.X.X...
Connected to X.X.X.X.
Escape character is '^]'.
GET /
HTTP/1.0 403 Forbidden
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>


The proxy log doesn't have anything that helps me understand what's 
going on:



Jun 15 16:47:44 lb.com haproxy[430]: X.X.X.X:55877 [15/Jun/2015:16:47:44.967] stats stats/NOSRV -1/-1/-1/-1/0 400 187 - - PR-- 0/0/0/0/3 0/0 BADREQ



The pertinent configuration sections are:


global
    log 127.0.0.1 local1 info
    maxconn 10240
    chroot /usr/share/haproxy
    user haproxy
    group haproxy
    daemon

    # local stats sockets for read access - change operator to admin for r/w
    stats socket /var/run/haproxy/haproxy.sock mode 0600 level operator

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

    # Set global SSL bind options
    ssl-default-bind-options no-sslv3 no-tls-tickets

    tune.ssl.default-dh-param 2048

    ssl-server-verify none

defaults
    log global
    mode http
    option httplog
    option dontlognull
    retries 3
    option redispatch
    maxconn 10240

    # Mime types from here:
    # http://blogs.alfresco.com/wp/developer/2013/11/13/haproxy-for-alfresco/
    # and here
    # http://serverfault.com/questions/575744/nginx-mime-types-and-gzip
    compression algo gzip
    compression type text/plain text/html text/html;charset=utf-8 text/css text/javascript application/json


listen stats :44300

Remove the port like:
listen stats

    bind *:44300 ssl crt /etc/ssl/private/the.pem.withkey.pem
    mode http
    http-request deny if !{ ssl_fc }
    stats enable
    stats refresh 5s
    stats uri /stats
    stats realm proxies
    stats show-node
    stats show-legends
    option httplog
    option contstats
    acl auth_ok_stats http_auth(users_stats)
    http-request auth if !auth_ok_stats


Does anyone have any insight?

Thank you in advance,
Matt





Re: Receiving HTTP responses to TCP pool

2015-06-15 Thread PiBa-NL

CJ Ess wrote on 15-6-2015 at 20:52:
This one has me stumped - I'm trying to proxy SMTP connections however 
I'm getting an HTTP response when I try to connect to port 25 (even 
though I've done mode tcp).


This is the smallest subset that reproduced the problem - I can make 
this work by doing mode tcp in the default section and then doing 
mode http in all of the http frontends (not shown). But doing 'mode 
http' as default and then 'mode tcp' in the smtp frontend definition 
seems to not work and I'm not certain why.


global
  daemon
  maxconn 10240
  log 127.0.0.1 local0
  log 127.0.0.1 local1 notice
  stats socket /var/run/haproxy.sock user root group root mode 600 level admin

  stats timeout 2m

defaults
  log global
  mode http
  timeout client 30s
  timeout server 30s
  timeout connect 4s
  option  socket-stats

frontend mainfrontend
  bind *:25
  mode tcp
  maxconn 10240
  option smtpchk EHLO example.com
  default_backend mxpool

backend mxpool

add:
mode tcp

  balance roundrobin
  server mailparser-xxx 172.0.0.51:25 check port 25 weight 20 maxconn 10240
  server mailparser-yyy 172.0.0.67:25 check port 25 weight 20 maxconn 10240






Re: HAProxy Stats and SSL Problems

2015-06-15 Thread Baptiste
As stated by Piba-nl, your error is here:

 listen stats :44300
 bind *:44300 ssl crt /etc/ssl/private/the.pem.withkey.pem

When you declare your listen section like this, it is equivalent to:

 listen stats
 bind  :44300
 bind *:44300 ssl crt /etc/ssl/private/the.pem.withkey.pem

Which means that 2 listening sockets will get the traffic, one
deciphering the traffic, and the other one not...

Simply remove the ':44300' from your listen section definition.

Baptiste
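
Added example, not part of any poster's message and not HAProxy code: a small Python lint for the two misconfigurations diagnosed in the replies above, a port bound both with and without ssl (the `listen stats :44300` shorthand) and a tcp frontend whose backend inherits `mode http` from `defaults`. The parser is a simplification that only reads section headers, `mode`, `bind` and `default_backend`; `SAMPLE` is constructed from the configs quoted in the threads.

```python
import re
KINDS = ("global", "defaults", "frontend", "backend", "listen")

# Constructed sample: the two problem configs from the threads, trimmed.
SAMPLE = """\
defaults
  mode http
listen stats :44300
  bind *:44300 ssl crt /etc/ssl/private/the.pem.withkey.pem
frontend mainfrontend
  bind *:25
  mode tcp
  default_backend mxpool
backend mxpool
  server mailparser-xxx 172.0.0.51:25 check port 25
"""

def port_of(token):  # port of an 'addr:port' token, or None (ranges/lists not handled)
    m = re.search(r":(\d+)$", token)
    return m.group(1) if m else None

def parse(cfg):
    """Split a config into sections, inheriting 'mode' from 'defaults'."""
    sections, cur, default_mode = [], None, "tcp"  # tcp is HAProxy's built-in default
    for raw in cfg.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] in KINDS:
            cur = {"kind": words[0], "name": words[1] if len(words) > 1 else "",
                   "mode": default_mode, "binds": [], "backend": None}
            # 'listen stats :44300' also declares a plain (non-ssl) listener
            cur["binds"] += [(port_of(w), False) for w in words[2:] if port_of(w)]
            sections.append(cur)
        elif cur and words[0] == "mode" and len(words) > 1:
            cur["mode"] = words[1]
            if cur["kind"] == "defaults":
                default_mode = words[1]
        elif cur and words[0] == "bind" and len(words) > 1:
            cur["binds"].append((port_of(words[1]), "ssl" in words[2:]))
        elif cur and words[0] == "default_backend" and len(words) > 1:
            cur["backend"] = words[1]
    return sections

def lint(cfg):
    """Flag ports bound both with and without ssl, and tcp/http mode mismatches."""
    secs, findings = parse(cfg), []
    backends = {s["name"]: s for s in secs if s["kind"] in ("backend", "listen")}
    for s in secs:
        tls = {p for p, ssl in s["binds"] if ssl and p}
        plain = {p for p, ssl in s["binds"] if not ssl and p}
        for p in sorted(tls & plain):
            findings.append(f"{s['kind']} {s['name']}: port {p} bound with and without ssl")
        be = backends.get(s["backend"])
        if be and be["mode"] != s["mode"]:
            findings.append(f"{s['kind']} {s['name']}: mode {s['mode']}, backend {be['name']} is mode {be['mode']}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

With both suggested fixes applied (no port on the `listen` line, `mode tcp` added to the backend) the lint returns no findings.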



Receiving HTTP responses to TCP pool

2015-06-15 Thread CJ Ess
This one has me stumped - I'm trying to proxy SMTP connections however I'm
getting an HTTP response when I try to connect to port 25 (even though I've
done mode tcp).

This is the smallest subset that reproduced the problem - I can make this
work by doing mode tcp in the default section and then doing mode http
in all of the http frontends (not shown). But doing 'mode http' as default
and then 'mode tcp' in the smtp frontend definition seems to not work and
I'm not certain why.

global
  daemon
  maxconn 10240
  log 127.0.0.1 local0
  log 127.0.0.1 local1 notice
  stats socket /var/run/haproxy.sock user root group root mode 600 level admin
  stats timeout 2m

defaults
  log global
  mode http
  timeout client 30s
  timeout server 30s
  timeout connect 4s
  option  socket-stats

frontend mainfrontend
  bind *:25
  mode tcp
  maxconn 10240
  option smtpchk EHLO example.com
  default_backend mxpool

backend mxpool
  balance roundrobin
  server mailparser-xxx 172.0.0.51:25 check port 25 weight 20 maxconn 10240
  server mailparser-yyy 172.0.0.67:25 check port 25 weight 20 maxconn 10240


RE: haproxy stats page returns 503 error

2015-06-15 Thread Lukas Tribus
Hi Atul,


 Hi, 
 
 
 
 using a browser to query the stats from haproxy, I'm facing a non 
 consistent behavior where about One time every 2 attempts I get a 503 
 error. 
 
 
 
 Can you please let me know how to correct this.

Can you provide configuration and logs of the failed request?



Lukas