Re: http-reuse and Proxy protocol
Hello,

On 23/07/2020 at 14:34, Willy Tarreau wrote:
> Hi Arnall,
>
> On Tue, Jul 21, 2020 at 01:27:31PM +0200, Arnall wrote:
> > Hello everyone,
> >
> > I remember that in the past it was strongly discouraged to use http-reuse
> > in combination with send-proxy, because of the client IP which is provided
> > by the proxy protocol.
> >
> > I have this configuration:
> >
> > HA-Proxy version 2.0.14-1~bpo9+1 2020/04/16 - https://haproxy.org/
> >
> > defaults
> >     http-reuse always
> >
> > backend abuse
> >     timeout server 60s
> >     balance roundrobin
> >     hash-balance-factor 0
> >     server s_abuse u...@abuse.sock send-proxy-v2 maxconn 4
> >
> > listen l_abuse
> >     bind u...@abuse.sock accept-proxy
> >     http-request set-var(req.delay) int(500)
> >     http-request lua.add_delay
> >     server 192.168.000.aaa:80 maxconn 1
> >     server 192.168.000.bbb:80 maxconn 1
> >     server z 192.168.000.ccc:80 maxconn 1
> >
> > Is it OK? Because I have no warning when verifying the configuration, or
> > should I add a "http-reuse never" in "backend abuse"?
>
> It is now properly dealt with, by marking the connection private, which
> means it will not be shared at all. So what you'll see simply is that
> there is no reuse for connections employing send-proxy. So your config
> is safe, but you will just not benefit from the reuse.
>
> Anyway it's generally not a good idea to use proxy protocol over HTTP
> from an HTTP-aware agent. Better use Forward/X-Forwarded-for that passes
> the info per request and that nowadays everyone can consume.
>
> Regards,
> Willy

Thank you for the answers/tips! The abuse flow is an exception; for the regular
flow we do indeed use "forwardfor" in order to be able to use http-reuse with
Varnish.

Regards.
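The attribution problem behind Willy's answer is that the PROXY protocol carries the client address once, at the start of a connection, whereas X-Forwarded-For carries it inside every request. The following simulation is an added example and is not part of this thread or of HAProxy's code; it models a backend behind `accept-proxy` next to one that reads `X-Forwarded-For` as `option forwardfor` would set it, and pushes two different clients' requests over one shared proxy-to-server connection. The client addresses, the destination `10.0.0.1:80` and the request bytes are constructed for the demonstration.

```python
"""Connection-scoped (PROXY protocol) vs request-scoped (X-Forwarded-For)
client attribution when an HTTP connection to the server is reused.
Constructed example; not HAProxy code."""
import socket
import struct

# 12-byte PROXY protocol v2 signature, as defined by the PROXY protocol spec.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_VER_CMD_PROXY = 0x21   # high nibble: version 2, low nibble: command PROXY
PP2_FAM_TCP4 = 0x11        # high nibble: AF_INET, low nibble: STREAM (TCP)


def build_pp2_header(src_ip, dst_ip, src_port, dst_port):
    """Build the TCP/IPv4 PROXY v2 header that a send-proxy-v2 peer would emit."""
    addr = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!HH", src_port, dst_port))
    return (PP2_SIGNATURE + bytes([PP2_VER_CMD_PROXY, PP2_FAM_TCP4])
            + struct.pack("!H", len(addr)) + addr)


def parse_pp2_header(data):
    """Parse a TCP/IPv4 PROXY v2 header.

    Returns (client_ip, client_port, bytes_after_header). Anything that is not
    a well-formed TCP/IPv4 PROXY command is rejected rather than guessed at.
    """
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY protocol v2 header")
    ver_cmd, fam = data[12], data[13]
    (length,) = struct.unpack("!H", data[14:16])
    if ver_cmd != PP2_VER_CMD_PROXY or fam != PP2_FAM_TCP4 or length < 12:
        raise ValueError("unsupported PROXY v2 header")
    body = data[16:16 + length]
    if len(body) < length:
        raise ValueError("truncated PROXY v2 header")
    client_ip = socket.inet_ntoa(body[0:4])          # src addr, then dst addr
    (client_port,) = struct.unpack("!H", body[8:10])  # src port, then dst port
    return client_ip, client_port, data[16 + length:]


class ProxyProtocolBackend:
    """Server behind accept-proxy: the client identity is learned once from the
    header at the start of the connection and applies to every later request."""

    def __init__(self, first_bytes):
        self.client_ip, self.client_port, self.buffer = parse_pp2_header(first_bytes)

    def attribute(self, request_bytes):
        # The request itself is never consulted: identity is per connection.
        return self.client_ip


def attribute_from_xff(request_bytes):
    """Server that trusts X-Forwarded-For from its proxy: identity is per request.
    With one trusted proxy in front, the last (appended) address is the client."""
    head = request_bytes.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"x-forwarded-for":
            return value.split(b",")[-1].strip().decode()
    return None


def http_request(path, client_ip):
    """Constructed request as a proxy with option forwardfor would send it."""
    return (f"GET {path} HTTP/1.1\r\nHost: abuse.example\r\n"
            f"X-Forwarded-For: {client_ip}\r\n\r\n").encode()


def attribution_with_reuse(client_a="203.0.113.10", client_b="198.51.100.7"):
    """Two clients' requests travel over ONE reused proxy-to-server connection.
    Returns how each scheme attributes the two requests, in order."""
    # The connection was opened on behalf of client A, so the PROXY header
    # names client A; client B's request is later multiplexed onto it.
    conn = ProxyProtocolBackend(build_pp2_header(client_a, "10.0.0.1", 40000, 80))
    requests = [http_request("/a", client_a), http_request("/b", client_b)]
    return {
        "proxy_protocol": [conn.attribute(r) for r in requests],
        "x_forwarded_for": [attribute_from_xff(r) for r in requests],
    }


if __name__ == "__main__":
    print(attribution_with_reuse())
```

Running it shows the second request attributed to client A under the PROXY protocol but to client B under X-Forwarded-For. For a backend such as the "abuse" one above, which applies a delay based on who the client is, the misattribution would penalise the wrong client, which is why a send-proxy connection has to be private and is excluded from reuse.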
Re: http-reuse and Proxy protocol
On Mon, Jul 27, 2020 at 01:47:44PM +0200, Lukas Tribus wrote:
> On Mon, 27 Jul 2020 at 13:14, Willy Tarreau wrote:
> > > However on a unix domain socket like this we never had this issue in
> > > the first place, as connection-reuse cannot be used on it by
> > > definition, correct?
> >
> > No, it doesn't change anything. We consider the connection, the protocol
> > family it uses is irrelevant.
>
> I don't know why, but I always wrongly assumed that a unix domain
> socket can only be datagram sockets, while really it's up to the
> application. And of course we use stream sockets.

Probably because you've long been used to seeing dgram sockets for logging.

There is something related to unix sockets though, which is that we can't as
cleanly rebind them upon reload (there's a non-atomic unlink/rename step). So a
high connection-rate workload will notice a few connection retries upon reloads.
And IIRC for ABNS sockets it's a bit worse as it's not possible to rebind them
in parallel, so we're back to the good old mode where the new process signals
the old one asking to temporarily unbind so that it can bind in turn. I don't
know if the FD-passing method works there :-/

Willy
Re: http-reuse and Proxy protocol
On Mon, 27 Jul 2020 at 13:14, Willy Tarreau wrote:
> > However on a unix domain socket like this we never had this issue in
> > the first place, as connection-reuse cannot be used on it by
> > definition, correct?
>
> No, it doesn't change anything. We consider the connection, the protocol
> family it uses is irrelevant.

I don't know why, but I always wrongly assumed that a unix domain socket can
only be datagram sockets, while really it's up to the application. And of course
we use stream sockets.

Glad I could eliminate this wrong assumption :)

Lukas
Re: http-reuse and Proxy protocol
Hi Lukas,

On Mon, Jul 27, 2020 at 12:58:29PM +0200, Lukas Tribus wrote:
> Hello,
>
> On Thu, 23 Jul 2020 at 14:34, Willy Tarreau wrote:
> > > defaults
> > >     http-reuse always
> > >
> > > backend abuse
> > >     timeout server 60s
> > >     balance roundrobin
> > >     hash-balance-factor 0
> > >     server s_abuse u...@abuse.sock send-proxy-v2 maxconn 4
> > >
> > > listen l_abuse
> > >     bind u...@abuse.sock accept-proxy
> > >     http-request set-var(req.delay) int(500)
> > >     http-request lua.add_delay
> > >     server 192.168.000.aaa:80 maxconn 1
> > >     server 192.168.000.bbb:80 maxconn 1
> > >     server z 192.168.000.ccc:80 maxconn 1
> > >
> > > Is it OK? Because I have no warning when verifying the configuration, or
> > > should I add a "http-reuse never" in "backend abuse"?
> >
> > It is now properly dealt with, by marking the connection private, which
> > means it will not be shared at all. So what you'll see simply is that
> > there is no reuse for connections employing send-proxy. So your config
> > is safe, but you will just not benefit from the reuse.
> >
> > Anyway it's generally not a good idea to use proxy protocol over HTTP
> > from an HTTP-aware agent. Better use Forward/X-Forwarded-for that passes
> > the info per request and that nowadays everyone can consume.
>
> However on a unix domain socket like this we never had this issue in
> the first place, as connection-reuse cannot be used on it by
> definition, correct?

No, it doesn't change anything. We consider the connection, the protocol
family it uses is irrelevant.

Regards,
Willy
Re: http-reuse and Proxy protocol
Hello,

On Thu, 23 Jul 2020 at 14:34, Willy Tarreau wrote:
> > defaults
> >     http-reuse always
> >
> > backend abuse
> >     timeout server 60s
> >     balance roundrobin
> >     hash-balance-factor 0
> >     server s_abuse u...@abuse.sock send-proxy-v2 maxconn 4
> >
> > listen l_abuse
> >     bind u...@abuse.sock accept-proxy
> >     http-request set-var(req.delay) int(500)
> >     http-request lua.add_delay
> >     server 192.168.000.aaa:80 maxconn 1
> >     server 192.168.000.bbb:80 maxconn 1
> >     server z 192.168.000.ccc:80 maxconn 1
> >
> > Is it OK? Because I have no warning when verifying the configuration, or
> > should I add a "http-reuse never" in "backend abuse"?
>
> It is now properly dealt with, by marking the connection private, which
> means it will not be shared at all. So what you'll see simply is that
> there is no reuse for connections employing send-proxy. So your config
> is safe, but you will just not benefit from the reuse.
>
> Anyway it's generally not a good idea to use proxy protocol over HTTP
> from an HTTP-aware agent. Better use Forward/X-Forwarded-for that passes
> the info per request and that nowadays everyone can consume.

However on a unix domain socket like this we never had this issue in the first
place, as connection-reuse cannot be used on it by definition, correct?

Lukas