Indoor decoration of first choice-2015 new RD puck lights
Dear Sir, our 4W paten puck lights: 1 Sharp COB leds 2 6063 pure aluminum as heatsink material 3 CRI82,up to 100lm/W 4 high temperature teflon wire#22 5 PF0.95,CE listed driver for more details, please kindly let us know. B.RGDS June www.sunriseleds.com
Re: Capture http connect request information
On Sunday 14 June 2015 08:28:06, you wrote:
> Hi Kevin,
>
> On Sat, Jun 13, 2015 at 10:34:07AM +0200, Kevin COUSIN wrote:
> > Hi,
> >
> > Is it possible to capture the CONNECT method information? I try to capture the IP and port in http request CONNECT 172.20.69.22:5904 to create an ACL to redirect request to backend.
>
> Normally you can since it's the URL of the request, so the url sample fetch method will return it.
>
> Regards,
> Willy

Thanks for the reply. I think I want to use HAproxy like a proxy here, not a reverse proxy (see http://www.ovirt.org/Features/Spice_Proxy). Can HAproxy be used like a proxy (like squid)?

Regards
--
Kevin
Re: LuaSocket problem with HAProxy
Hello list,

I'm using HAProxy-1.6 with Lua. My use case involves a Lua extension library LuaSocket and I'm having problems configuring HAProxy to use LuaSocket.

When I use LuaSocket directly in Lua everything works fine:

[bowen ~]$ lua
Lua 5.3.0  Copyright (C) 1994-2015 Lua.org, PUC-Rio
> require("socket")
table: 0x22faef0

However there are some problems when I use LuaSocket in a Lua file loaded by HAProxy. My config looks like:

global
    lua-load hello.lua
    ...
...

My hello.lua is very simple:

require("socket")

It's throwing the following error:

[bowen ~]$ haproxy -f config -c
[ALERT] 162/193812 (5636) : parsing [config:2] : lua runtime error: error loading module 'socket.core' from file '/usr/local/lib/lua/5.3/socket/core.so':
        /usr/local/lib/lua/5.3/socket/core.so: undefined symbol: lua_getmetatable

My environment is linux 2.6.32. LuaSocket was installed via LuaRocks.

Any ideas? Thanks in advance.

Hi,

I suppose that your problem is from HAProxy. I suppose that HAproxy doesn't export its own symbols, and doesn't embed unused symbols from the lib lua.

In other way, what you try can't work with HAProxy, because the executed LUA code must be non blocking, and the LuaSocket provides blocking access to the network.

I suggest that you try to use the embedded HAProxy Socket. The HAProxy Socket has the same API as the Lua Socket. Look for the documentation of the Lua API in HAProxy: doc/lua-api/index.rst or, if you have sphinx installed, you can try a make html to build the HTML API documentation.

Thierry

Best,
Bowen
Re: Capture http connect request information
On Mon, Jun 15, 2015 at 12:00:44PM +0200, Kevin C wrote:
> On Sunday 14 June 2015 08:28:06, you wrote:
> > Hi Kevin,
> >
> > On Sat, Jun 13, 2015 at 10:34:07AM +0200, Kevin COUSIN wrote:
> > > Hi,
> > >
> > > Is it possible to capture the CONNECT method information? I try to capture the IP and port in http request CONNECT 172.20.69.22:5904 to create an ACL to redirect request to backend.
> >
> > Normally you can since it's the URL of the request, so the url sample fetch method will return it.
> >
> > Regards,
> > Willy
>
> Thanks for the reply. I think I want to use HAproxy like a proxy here, not a reverse proxy (see http://www.ovirt.org/Features/Spice_Proxy). Can HAproxy be used like a proxy (like squid)?

No it's not possible. However you can install it in front of squid. That's quite common for outgoing proxy farms.

Willy
RE: Does haproxy use lt or et mode of epoll ?
> Subject: Does haproxy use lt or et mode of epoll ?
>
> thanks

Level-triggered, if I understand the following commit correctly:
http://www.haproxy.org/git?p=haproxy.git;a=commit;h=6c11bd2f89eb043fd493d77b784198e90e0a01b2

Lukas
Using ACLs to toggle IP tracking
Greetings,

I've been trying to implement some changes to our config but it's not working like I am expecting it to work. I'd really appreciate some input on this to see what I am doing wrong here.

Oh and by the way, one thing I discovered last week is that if you are behind a CDN like CloudFlare, they will sometimes pass v6 IPs in the X-Forwarded-For header. If you're tracking this header using an ipv4 stick table, haproxy appears to convert this IP to 0.0.0.0 and funnels all v6 requests into this one entry in the stick table. This was matching some throttling ACLs and causing problems for me. What I did was switch the stick table to ipv6, which appears to work fine for both v4 and v6 IPs.

Basically what I've been wanting to do is increment gpc0 to 1 on abusive IPs and sending them directly to the appropriate backend depending on the type of abuse. I then want to stop tracking the IP until it expires out of the stick table. In other words, if a user hits a throttling threshold, I want them to be blocked outright for a period of time.

Example:

frontend http-in
    acl kill sc0_inc_gpc0 gt 0
    stick-table type ipv6 size 250k expire 1m store http_err_rate(60s),http_req_rate(60s),conn_cur
    tcp-request inspect-delay 10s
    # Tracks the last IP in the X-Forwarded-For header if it's not in either the whitelist or blacklist
    # XXX the IP is still tracked and gpc0 increments even if kill is true!
    tcp-request content track-sc0 req.hdr_ip(X-Forwarded-For) if !whitelist_hdr !blacklist_hdr !kill
    acl ease_up sc0_http_req_rate gt 1800
    # There are other use_backend keywords above this line for blacklisted IPs, etc.
    # kill gets evaluated here as expected, incrementing gpc0 only if the request rate is too high
    use_backend ease-up if ease_up kill
    default_backend servers

Using this config, haproxy increments the kill acl when the request rate exceeds 1800 as expected.

What I'm confused about is why gpc0 continues to increment and the expire time gets reset on subsequent requests, even when kill evaluates to true. It's as if haproxy tracks the IP before it evaluates the kill ACL, so this ACL can NOT be used to stop tracking the IP. I can kind of understand if this is the case (please correct me if I'm wrong).

I wondered if maybe incrementing gpc0 caused the IP to be tracked and the expire timer to be reset, so the other thing I tried was doing:

    acl kill sc0_inc_gpc0 gt 0
    acl really_kill sc0_get_gpc0 gt 0
    # IP still continues to be tracked, even if really_kill evaluates to true!
    tcp-request content track-sc0 req.hdr_ip(X-Forwarded-For) if !whitelist_hdr !blacklist_hdr !really_kill
    acl ease_up sc0_http_req_rate gt 1800
    use_backend ease-up if ease_up really_kill
    # Testing to see if evaluating kill causes the IP to be tracked
    use_backend ease-up if ease_up kill
    # other use_backend statements below this

The only change here from the above config is that gpc0 increments to 1 and that's it. The request is directed to the ease-up backend before below use_backend statements evaluate kill, which is what I'd expect. What's confusing me is that, again, the IP continues to be tracked even if really_kill is true.

So what appears to be the case is that certain ACLs can't be used to disable tracking an IP. The blacklist/whitelist ACLs work just fine, but anything incrementing or even accessing gpc0 does not work, because it appears that the tracking happens before the evaluation of the ACL. Please correct me if I'm wrong here.

I'm thinking the only way to do this is to somehow use sc0_clr_gpc0 in a backend after the request rate (or whatever abuse parameter) drops below a threshold. It doesn't appear that I will be able to just allow the IP to expire out of the stick table using ACLs.

If anyone has any input on how to better structure my config please let me know!

Here is my haproxy info: Running on Debian 7.8.

HA-Proxy version 1.5.12 2015/05/02
Copyright 2000-2015 Willy Tarreau w...@1wt.eu

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_STATIC_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.30 2012-02-04
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use
CE RoHS approved 10w/20w/30w/50w rgb led floodlight
Hello, 200W IP65 Mean well led high bay 50W led high bay Mean Well driver 43$usd 100W led high bay Mean Well driver 72$usd 200W led high bay Mean Well driver 148$usd We supply led lamp with high quality and competitive price. Hope to cooperate with you. Best Regards -- Kathy Wu Skype: kathystar11 JIN WANG Optoelectronics Co., Limited T: 0086 0755 33165048 |
HAProxy Stats and SSL Problems
Hello,

I've been trying to diagnose an odd issue with HAProxy (1.5.x) statistics and SSL. I'm seeing clients having problems with the SSL negotiation. When digging with openssl, there seems to be a clear text http 1.x response which causes the negotiation to fail:

$ openssl s_client -debug -connect lb.com:44300
CONNECTED(0003)
write to 0x7f96a3504c70 [0x7f96a3804200] (130 bytes => 130 (0x82))
0000 - 80 80 01 03 01 00 57 00-00 00 20 00 00 39 00 00   ......W... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 00 00 9a 00 00 99 00   ..3..2../.......
0030 - 00 96 03 00 80 00 00 05-00 00 04 01 00 80 00 00   ................
0040 - 15 00 00 12 00 00 09 06-00 40 00 00 14 00 00 11   .........@......
0050 - 00 00 08 00 00 06 04 00-80 00 00 03 02 00 80 00   ................
0060 - 00 ff 79 2a 0a d7 d8 37-c8 50 b6 f7 c3 8e ce 96   ..y*...7.P......
0070 - cf 2b d9 b8 92 c5 6f 1f-74 7f c0 d1 22 46 71 7a   .+....o.t..."Fqz
0080 - e2 b4                                             ..
read from 0x7f96a3504c70 [0x7f96a3809800] (7 bytes => 7 (0x7))
0000 - 48 54 54 50 2f 31 2e                              HTTP/1.
1371:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/ssl/s23_clnt.c:618:

$ telnet lb.com 44300
Trying X.X.X.X...
Connected to X.X.X.X.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.0 403 Forbidden
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>

The proxy log doesn't have anything that helps me understand what's going on:

Jun 15 16:47:44 lb.com haproxy[430]: X.X.X.X:55877 [15/Jun/2015:16:47:44.967] stats stats/<NOSRV> -1/-1/-1/-1/0 400 187 - - PR-- 0/0/0/0/3 0/0 "<BADREQ>"

The pertinent configuration sections are:

global
    log 127.0.0.1 local1 info
    maxconn 10240
    chroot /usr/share/haproxy
    user haproxy
    group haproxy
    daemon
    # local stats sockets for read access - change operator to admin for r/w
    stats socket /var/run/haproxy/haproxy.sock mode 0600 level operator
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # Default ciphers to use on SSL-enabled listening sockets.
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    # Set global SSL bind options
    ssl-default-bind-options no-sslv3 no-tls-tickets
    tune.ssl.default-dh-param 2048
    ssl-server-verify none

defaults
    log global
    mode http
    option httplog
    option dontlognull
    retries 3
    option redispatch
    maxconn 10240
    # Mime types from here:
    # http://blogs.alfresco.com/wp/developer/2013/11/13/haproxy-for-alfresco/
    # and here
    # http://serverfault.com/questions/575744/nginx-mime-types-and-gzip
    compression algo gzip
    compression type text/plain text/html text/html;charset=utf-8 text/css text/javascript application/json

listen stats :44300
    bind *:44300 ssl crt /etc/ssl/private/the.pem.withkey.pem
    mode http
    http-request deny if !{ ssl_fc }
    stats enable
    stats refresh 5s
    stats uri /stats
    stats realm proxies
    stats show-node
    stats show-legends
    option httplog
    option contstats
    acl auth_ok_stats http_auth(users_stats)
    http-request auth if !auth_ok_stats

Does anyone have any insight?

Thank you in advance,
Matt
Re: HAProxy Stats and SSL Problems
Matthew Cox wrote on 15-6-2015 at 20:05:
> Hello,
>
> I've been trying to diagnose an odd issue with HAProxy (1.5.x) statistics and SSL. I'm seeing clients having problems with the SSL negotiation. When digging with openssl, there seems to be a clear text http 1.x response which causes the negotiation to fail:
>
> $ openssl s_client -debug -connect lb.com:44300
> CONNECTED(0003)
> write to 0x7f96a3504c70 [0x7f96a3804200] (130 bytes => 130 (0x82))
> 0000 - 80 80 01 03 01 00 57 00-00 00 20 00 00 39 00 00   ......W... ..9..
> 0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
> 0020 - 00 00 33 00 00 32 00 00-2f 00 00 9a 00 00 99 00   ..3..2../.......
> 0030 - 00 96 03 00 80 00 00 05-00 00 04 01 00 80 00 00   ................
> 0040 - 15 00 00 12 00 00 09 06-00 40 00 00 14 00 00 11   .........@......
> 0050 - 00 00 08 00 00 06 04 00-80 00 00 03 02 00 80 00   ................
> 0060 - 00 ff 79 2a 0a d7 d8 37-c8 50 b6 f7 c3 8e ce 96   ..y*...7.P......
> 0070 - cf 2b d9 b8 92 c5 6f 1f-74 7f c0 d1 22 46 71 7a   .+....o.t..."Fqz
> 0080 - e2 b4                                             ..
> read from 0x7f96a3504c70 [0x7f96a3809800] (7 bytes => 7 (0x7))
> 0000 - 48 54 54 50 2f 31 2e                              HTTP/1.
> 1371:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/ssl/s23_clnt.c:618:
>
> $ telnet lb.com 44300
> Trying X.X.X.X...
> Connected to X.X.X.X.
> Escape character is '^]'.
> GET / HTTP/1.0
>
> HTTP/1.0 403 Forbidden
> Cache-Control: no-cache
> Connection: close
> Content-Type: text/html
>
> <html><body><h1>403 Forbidden</h1>
> Request forbidden by administrative rules.
> </body></html>
>
> The proxy log doesn't have anything that helps me understand what's going on:
>
> Jun 15 16:47:44 lb.com haproxy[430]: X.X.X.X:55877 [15/Jun/2015:16:47:44.967] stats stats/<NOSRV> -1/-1/-1/-1/0 400 187 - - PR-- 0/0/0/0/3 0/0 "<BADREQ>"
>
> The pertinent configuration sections are:
>
> global
>     log 127.0.0.1 local1 info
>     maxconn 10240
>     chroot /usr/share/haproxy
>     user haproxy
>     group haproxy
>     daemon
>     # local stats sockets for read access - change operator to admin for r/w
>     stats socket /var/run/haproxy/haproxy.sock mode 0600 level operator
>     # Default SSL material locations
>     ca-base /etc/ssl/certs
>     crt-base /etc/ssl/private
>     # Default ciphers to use on SSL-enabled listening sockets.
>     ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
>     # Set global SSL bind options
>     ssl-default-bind-options no-sslv3 no-tls-tickets
>     tune.ssl.default-dh-param 2048
>     ssl-server-verify none
>
> defaults
>     log global
>     mode http
>     option httplog
>     option dontlognull
>     retries 3
>     option redispatch
>     maxconn 10240
>     # Mime types from here:
>     # http://blogs.alfresco.com/wp/developer/2013/11/13/haproxy-for-alfresco/
>     # and here
>     # http://serverfault.com/questions/575744/nginx-mime-types-and-gzip
>     compression algo gzip
>     compression type text/plain text/html text/html;charset=utf-8 text/css text/javascript application/json
>
> listen stats :44300

Remove the port like:

listen stats

>     bind *:44300 ssl crt /etc/ssl/private/the.pem.withkey.pem
>     mode http
>     http-request deny if !{ ssl_fc }
>     stats enable
>     stats refresh 5s
>     stats uri /stats
>     stats realm proxies
>     stats show-node
>     stats show-legends
>     option httplog
>     option contstats
>     acl auth_ok_stats http_auth(users_stats)
>     http-request auth if !auth_ok_stats
>
> Does anyone have any insight?
>
> Thank you in advance,
> Matt
Re: Receiving HTTP responses to TCP pool
CJ Ess wrote on 15-6-2015 at 20:52:
> This one has me stumped - I'm trying to proxy SMTP connections however I'm getting an HTTP response when I try to connect to port 25 (even though I've done mode tcp). This is the smallest subset that reproduced the problem - I can make this work by doing mode tcp in the default section and then doing mode http in all of the http frontends (not shown). But doing 'mode http' as default and then 'mode tcp' in the smtp frontend definition seems to not work and I'm not certain why.
>
> global
>     daemon
>     maxconn 10240
>     log 127.0.0.1 local0
>     log 127.0.0.1 local1 notice
>     stats socket /var/run/haproxy.sock user root group root mode 600 level admin
>     stats timeout 2m
>
> defaults
>     log global
>     mode http
>     timeout client 30s
>     timeout server 30s
>     timeout connect 4s
>     option socket-stats
>
> frontend mainfrontend
>     bind *:25
>     mode tcp
>     maxconn 10240
>     option smtpchk EHLO example.com
>     default_backend mxpool
>
> backend mxpool

add:
    mode tcp

>     balance roundrobin
>     server mailparser-xxx 172.0.0.51:25 check port 25 weight 20 maxconn 10240
>     server mailparser-yyy 172.0.0.67:25 check port 25 weight 20 maxconn 10240
Re: HAProxy Stats and SSL Problems
As stated by Piba-nl, your error is here:

listen stats :44300
    bind *:44300 ssl crt /etc/ssl/private/the.pem.withkey.pem

When you declare your listen section like this, it is equivalent to:

listen stats
    bind :44300
    bind *:44300 ssl crt /etc/ssl/private/the.pem.withkey.pem

Which means that 2 listening sockets will get the traffic, one deciphering the traffic, and the other one not...

Simply remove the ':44300' from your listen section definition.

Baptiste
Receiving HTTP responses to TCP pool
This one has me stumped - I'm trying to proxy SMTP connections however I'm getting an HTTP response when I try to connect to port 25 (even though I've done mode tcp). This is the smallest subset that reproduced the problem - I can make this work by doing mode tcp in the default section and then doing mode http in all of the http frontends (not shown). But doing 'mode http' as default and then 'mode tcp' in the smtp frontend definition seems to not work and I'm not certain why.

global
    daemon
    maxconn 10240
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    stats socket /var/run/haproxy.sock user root group root mode 600 level admin
    stats timeout 2m

defaults
    log global
    mode http
    timeout client 30s
    timeout server 30s
    timeout connect 4s
    option socket-stats

frontend mainfrontend
    bind *:25
    mode tcp
    maxconn 10240
    option smtpchk EHLO example.com
    default_backend mxpool

backend mxpool
    balance roundrobin
    server mailparser-xxx 172.0.0.51:25 check port 25 weight 20 maxconn 10240
    server mailparser-yyy 172.0.0.67:25 check port 25 weight 20 maxconn 10240
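Both of the misconfigurations discussed in these threads (the `listen stats :44300` section that silently adds a plaintext listener beside its `bind ... ssl`, and the `mode tcp` SMTP frontend whose backend inherits `mode http` from `defaults`) can be caught before reload. The following lint is an added example, not code from the list or from HAProxy; the embedded SAMPLE config is constructed to reproduce both problems.

```python
# Added example (not code from the list or from HAProxy): a small lint for the
# two config pitfalls in these threads. SAMPLE is constructed, not a real config.
PROXY = ("frontend", "backend", "listen")

def parse_sections(text):
    """Split a config into dicts {kind, name, inline, body} in file order."""
    sections = []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()           # [] for comments/blanks
        if words and words[0] in ("global", "defaults") + PROXY:
            named = words[0] != "global" and len(words) > 1
            sections.append({"kind": words[0], "name": words[1] if named else "",
                             "inline": words[2:], "body": []})
        elif words and sections:
            sections[-1]["body"].append(words)
    return sections

def lint(text):
    """(1) `listen name addr` + `bind ... ssl`: the inline addr is a second,
    plaintext listener; (2) tcp frontend -> backend inheriting mode http."""
    findings, modes, defaults_mode = [], {}, "tcp"     # tcp is HAProxy's default
    sections = parse_sections(text)
    for s in sections:                                 # pass 1: effective modes
        own = [w[1] for w in s["body"] if w[0] == "mode" and len(w) > 1]
        if s["kind"] == "defaults":                    # each defaults block resets
            defaults_mode = own[-1] if own else "tcp"
        elif s["kind"] in PROXY:
            modes[(s["kind"], s["name"])] = own[-1] if own else defaults_mode
        binds = [w for w in s["body"] if w[0] == "bind"]
        if s["kind"] == "listen" and s["inline"] and binds:
            ssl = "; it is plaintext beside an ssl bind" if any("ssl" in w for w in binds) else ""
            findings.append(f"listen {s['name']}: inline address {s['inline'][0]} is an "
                            f"extra listener next to {len(binds)} bind line(s){ssl}")
    for s in sections:                                 # pass 2: tcp -> http backend
        if s["kind"] in ("frontend", "listen") and modes[(s["kind"], s["name"])] == "tcp":
            for w in s["body"]:
                if (w[0] in ("default_backend", "use_backend") and len(w) > 1
                        and modes.get(("backend", w[1])) == "http"):
                    findings.append(f"{s['kind']} {s['name']} is mode tcp but backend "
                                    f"{w[1]} is mode http: add 'mode tcp' to the backend")
    return findings

SAMPLE = """\
defaults
    mode http
listen stats :44300
    bind *:44300 ssl crt /etc/ssl/private/the.pem.withkey.pem
frontend mainfrontend
    bind *:25
    mode tcp
    default_backend mxpool
backend mxpool
"""
if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

The lint treats an unset `mode` as tcp (HAProxy's default) and lets each `defaults` block reset the inherited mode, which is exactly the interaction that produced the HTTP 403 on port 25 above.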
RE: haproxy stats page returns 503 error
Hi Atul,

> Hi,
>
> using a browser to query the stats from haproxy, I'm facing a non consistent behavior where about One time every 2 attempts I get a 503 error.
> Can you please let me know how to correct this.

Can you provide configuration and logs of the failed request?

Lukas