Re: Specific kind of 404 handling

2022-03-28 Thread Andrew Smalley
Hi Shawn

Thank you for your response saying you got everything working with
default errorfiles on a 404 error.

Happy to see that resolved the issues for you.

Andruw Smalley

Loadbalancer.org Ltd.

www.loadbalancer.org

+1 888 867 9504 / +44 (0)330 380 1064
asmal...@loadbalancer.org

Leave a Review | Deployment Guides|Blog




On Mon, 28 Mar 2022 at 15:01, Shawn Heisey  wrote:
>
> On 3/28/22 03:21, Andrew Smalley wrote:
> > Now the unknown host header, you want this.com and the user requests
> > that.com and now what do we do? add a host header? reject by host
> > header
>
> Handling invalid host headers like I want was already done, by the
> default virtualhost in Apache.
>
> I managed to get everything working exactly how I want it to work, by
> changing my google searches a little bit and finding some howto guides.
> It was pretty easy in the end.  I removed the 404 redirect in Apache and
> in haproxy.cfg made the following changes.
>
> A new section:
>
> http-errors myerrors
>  errorfile 404 /etc/haproxy/errors/404.http
>
> And under my frontend:
>
> frontend web
>  errorfiles myerrors
>  http-response return  status 404  default-errorfiles  if { status 404 }
>
> Thanks,
> Shawn
>
>



Re: Specific kind of 404 handling

2022-03-28 Thread Andrew Smalley
Hi Shawn


If I read your question right then you want to serve other content on
an error, say 404 as a not found.

haproxy has the ability to serve either error files of its own or
use_server or use_backend on error as an ACL

Below is an example error file and these need to be crafted, I'll add a
link to them at the end


frontend www
...
default_backend nomatch

backend nomatch
errorfile 503 /var/www/http/404.http


Or you can use an ACL to get a similar result

frontend www
  ...
  default_backend no-match

backend no-match
  mode http
  http-request deny deny_status 400


http://cbonte.github.io/haproxy-dconv/1.9/configuration.html#4-http-request


Now the unknown host header, you want this.com and the user requests
that.com and now what do we do? add a host header? reject by host
header

I'll request a serverfault page for that and ask your forgiveness here
for not typing it all out for you ;) someone already did that for me
below

https://serverfault.com/questions/876871/configure-haproxy-to-include-host-headers-for-different-backends

Here at loadbalancer.org we have also been asked of a way to send the
host header as the real server label/name to the backend, this may
also work for you

listen example_vs
bind 172.31.31.103:80 transparent
id 680753459
mode http
**http-send-name-header Host**
balance leastconn
cookie SERVERID maxidle 30m maxlife 12h insert secure attr "SameSite=None" attr "HttpOnly" nocache indirect
server backup 127.0.0.1:9081 backup  non-stick
option http-keep-alive
timeout http-request 5s
option forwardfor
timeout tunnel 1h
option redispatch
option abortonclose
maxconn 4
server **host.loadbalancer.org** 172.31.31.103:80 id 1387952112 weight 100  cookie host.loadbalancer.org  check port 80 inter 4000 rise 2  fall 2  slowstart 8000 minconn 0  maxconn 0  on-marked-down shutdown-sessions


Where I added ** ** this shows where haproxy gets the hostname and
sends to host.loadbalancer.org with that hostname.

Now the custom error files, haproxy has a wonderful page which shows
how to do these

https://www.haproxy.com/blog/serve-dynamic-custom-error-pages-with-haproxy/

If I missed anything or if you have any further questions do not hesitate to ask



Andruw Smalley

Loadbalancer.org Ltd.

www.loadbalancer.org

+1 888 867 9504 / +44 (0)330 380 1064
asmal...@loadbalancer.org

Leave a Review | Deployment Guides|Blog




On Sat, 26 Mar 2022 at 23:50, Shawn Heisey  wrote:
>
> I would like to do a specific kind of 404 handling.  I did look for a
> way to do this before asking here.  I bet it's out there, I just haven't
> found the right search keywords.
>
> I have a virtualhost in Apache ... it is the first virtualhost in
> /etc/apache2/sites-enabled, configured without ServerName or ServerAlias
> so it is the default virtualhost that handles any hostname that is not
> specified in another virtualhost.  If somebody types an incorrect
> hostname in a URL that happens to point at my server, Apache gives them
> my 404 page, without changing the URL they entered.  Examples:
>
> https://unknown.elyograg.org/
> https://rand.elyograg.org/
> https://mickeymouse.elyograg.org/donaldduck
>
> I have 404 handling in Apache as well, so if an invalid URL path is
> specified on a valid hostname, they also get that page.  But in those
> cases, it is accomplished with a redirect to
> https://unknown.elyograg.org, so the URL changes in the user's browser.
>
> I would like to make it so that the presentation of the 404 page is
> always seamless, not a redirect.
>
> I have haproxy in front of all my websites, and various things including
> Apache 2.4 on port 81 behind that.  Can haproxy do what I'm after?  Can
> Apache?  Can it be accomplished with some combination of configs in both?
>
> Thanks,
> Shawn
>
>

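The raw HTTP response files that `errorfile` points at, which this thread says need to be crafted, are easy to get subtly wrong. The following is an added example, not code from anyone in the thread: it builds such a file with CRLF line endings and a matching Content-Length, and checks an existing file for the usual mistakes. The function names, the sample HTML and the 16384-byte limit (taken as HAProxy's default buffer size) are assumptions.

```python
"""Build and check a raw HTTP response file for HAProxy's `errorfile`."""

CRLF = b"\r\n"
BUFSIZE = 16384  # assumption: HAProxy's default buffer size (tune.bufsize)


def build_errorfile(status: int, reason: str, html: str) -> bytes:
    """Return a complete HTTP/1.1 response: status line, headers, blank line, body."""
    body = html.encode("utf-8")
    head = [
        f"HTTP/1.1 {status} {reason}",
        "Content-Type: text/html; charset=utf-8",
        "Cache-Control: no-cache",
        f"Content-Length: {len(body)}",
    ]
    return CRLF.join(h.encode("ascii") for h in head) + CRLF + CRLF + body


def check_errorfile(raw: bytes, expected_status: int, bufsize: int = BUFSIZE) -> list:
    """Return a list of problems found in an errorfile; an empty list means it looks sane."""
    problems = []
    if len(raw) > bufsize:
        problems.append(f"file is {len(raw)} bytes, larger than buffer size {bufsize}")

    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        # Typical when the file was saved with Unix (LF-only) line endings.
        problems.append("no blank CRLF line separating headers from body")
        return problems

    lines = head.split(CRLF)
    if any(b"\n" in line or b"\r" in line for line in lines):
        problems.append("bare CR or LF inside the header block")

    status_line = lines[0].split(b" ", 2)
    if len(status_line) < 2 or not status_line[0].startswith(b"HTTP/1."):
        problems.append("first line is not an HTTP/1.x status line")
    elif status_line[1] != str(expected_status).encode("ascii"):
        problems.append(
            f"status line says {status_line[1].decode(errors='replace')}, "
            f"expected {expected_status}"
        )

    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            problems.append(f"malformed header line: {line!r}")
            continue
        headers[name.strip().lower()] = value.strip()

    clen = headers.get(b"content-length")
    if clen is None:
        problems.append("Content-Length header is missing")
    elif not clen.isdigit() or int(clen) != len(body):
        problems.append(
            f"Content-Length {clen.decode(errors='replace')} does not match "
            f"body of {len(body)} bytes"
        )
    return problems


# Constructed sample page; write the result to the path given to `errorfile 404`.
SAMPLE_HTML = "<html><body><h1>404</h1><p>Nothing here.</p></body></html>\n"

if __name__ == "__main__":
    raw = build_errorfile(404, "Not Found", SAMPLE_HTML)
    print(raw.decode("utf-8"))
    print("problems:", check_errorfile(raw, 404))
```

Running `haproxy -c -f` against the configuration after installing the file is still the final check, since HAProxy parses error files at startup.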


Re: HAPROXY CAN NOT POINT IN TO PORT 5000 OF PATRONI

2021-04-21 Thread Andrew Smalley
From the look of your configuration you are using HTTP Mode, for
PostgreSQL, you will need a TCP VIP

I noted this because of the HTTP check

try using  "mode tcp"

Andruw Smalley

Loadbalancer.org Ltd.

www.loadbalancer.org

+1 888 867 9504 / +44 (0)330 380 1064
asmal...@loadbalancer.org

Leave a Review | Deployment Guides|Blog




On Wed, 21 Apr 2021 at 16:25, Jarno Huuskonen  wrote:
>
> Hi,
>
> On Wed, 2021-04-21 at 21:55 +0700, thủy bùi wrote:
> > Dear HAproxy dev, I have installed all the requirement of HAproxy into the
> > system alongside with patroni and etcd, but finding error while call into
> > port 5000.
> > The information is provided as below.
> > Please help me find out the issue.
> > I have running HAproxy successfully
> >
> > But unable to connect to my database through port 5000
> >
> >
> > psql: error: server closed the connection unexpectedly
> > This probably means the server terminated abnormally
> > before or while processing the request.
> > What is your configuration?
> >
> ...
>
> Does haproxy run when you run it from cli
> (haproxy -d -f /path/to/yourconfig.cfg) ?
>
> And do you have errors in your logs ?
>
> > Linux postgre02 3.10.0-1160.21.1.el7.x86_64 #1 SMP Tue Mar 16 18:28:22 UTC
> > 2021 x86_64 x86_64 x86_64 GNU/Linux
>
> Looks like you're running on CentOS/RHEL 7 ? Do you have selinux enabled
> (getenforce) ? You'll probably need to allow haproxy to connect to all ports
> (or allow required ports). (setsebool -P haproxy_connect_any=On might help).
>
> (Your logs should show if connections are denied).
>
> -Jarno
>
> --
> Jarno Huuskonen



Re: HAProxy - Server Timeout and Client Timeout

2018-06-05 Thread Andrew Smalley
Hi Michael

We often see the client/server timeouts requiring to be raised as you
have found,

Good default values for client/server timeouts are below, and I include the
connect timeout too, in milliseconds

timeout connect 4000
timeout client 42000
timeout server 43000

Say for example you run a long report on a website, maybe it will take
5 or 10 minutes to complete, so you would raise the server timeout to
match the required maximum timeout where possible, allowing for the
report to run and the server not to time out.

I hope this helps


Andruw Smalley

Loadbalancer.org Ltd.

www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
asmal...@loadbalancer.org

Leave a Review | Deployment Guides | Blog


On 5 June 2018 at 20:11, Martel, Michael H.  wrote:
> Greetings!
>
> We're running HAproxy 1.5.18 on RedHat Enterprise 7.4, as the load balancer 
> for our LMS (Moodle).  We have found that the course backup feature in Moodle 
> will return a 5xx error on some backups.  We have determined that the 
> "timeout server" value needed to be increased.
>
> Initially we were using a "timeout client 1m" and "timeout server 1m" .  
> Adjusting the server to "timeout server 12m" fixes the problem and does not 
> appear to introduce any other issues in our testing.
>
> I can't see any reason that I should have the "timeout client" and the 
> "timeout server" set to the same value.
>
> Is there anything I should watch out for after increasing the "timeout 
> server" by such a large amount ?
>
> Thanks!
>
>
>
> Michael
>
> --
>
>   o-
>Michael H. Martel  | Director of Data Center Administration
>michael.mar...@vsc.edu | Systems and Security Administrator
>Vermont State Colleges | PH:802-224-3010 FX:802-224-3035
>
>



Re: Haproxy SSO

2018-05-09 Thread Andrew Smalley
Hi Thierry

Thank you for your reply confirming that portion is for HAPEE only,



Andruw Smalley

Loadbalancer.org Ltd.

www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
asmal...@loadbalancer.org

Leave a Review | Deployment Guides | Blog


On 9 May 2018 at 22:17,  <thierry.fourn...@arpalert.org> wrote:
> On Wed, 9 May 2018 22:02:49 +0100
> Andrew Smalley <asmal...@loadbalancer.org> wrote:
>
>> Hi Thierry
>>
>> I saw the packetengine here
>> https://www.haproxy.com/documentation/aloha/9-5/packetshield/sso/
>
>
> Ok. There are "HAProxy Technologies" softwares. Do not hesitate
> to contact the company for more information. These components are
> not available with opensource HAProxy.
>
> Thierry
>
>
>> It looks like it's a HAPEE thing only though.   "sudo apt install
>> hapee--spoa-sso" part way down the page
>> Andruw Smalley
>>
>> Loadbalancer.org Ltd.
>>
>> www.loadbalancer.org
>> +1 888 867 9504 / +44 (0)330 380 1064
>> asmal...@loadbalancer.org
>>
>> Leave a Review | Deployment Guides | Blog
>>
>>
>> On 9 May 2018 at 22:01,  <thierry.fourn...@arpalert.org> wrote:
>> > On Wed, 9 May 2018 21:51:13 +0100
>> > Andrew Smalley <asmal...@loadbalancer.org> wrote:
>> >
>> >> Hi Thierry,
>> >>
>> >> I split the thread as I changed subject to SSO part way through, I
>> >> apologize for that.
>> >>
>> >> Your references to SPOA/SPOE Engines were liked very much. I see the
>> >> SPOA examples in the source code just now in the link you provided
>> >>
>> >> https://www.mail-archive.com/haproxy@formilux.org/msg29093.html
>> >>
>> >> However the HAproxy makes reference to "packetengine", can I ask what
>> >> this is (is it the python part of SSO)
>> >
>> >
>> > I don't know. Where do you see a reference to "packetengine" ?
>> >
>> > Thierry
>> >
>> >
>> >> Andruw Smalley
>> >>
>> >> Loadbalancer.org Ltd.
>> >>
>> >> www.loadbalancer.org
>> >> +1 888 867 9504 / +44 (0)330 380 1064
>> >> asmal...@loadbalancer.org
>> >>
>> >> Leave a Review | Deployment Guides | Blog
>> >>
>>



Re: Haproxy SSO

2018-05-09 Thread Andrew Smalley
Hi Thierry

I saw the packetengine here
https://www.haproxy.com/documentation/aloha/9-5/packetshield/sso/

It looks like it's a HAPEE thing only though.   "sudo apt install
hapee--spoa-sso" part way down the page

Andruw Smalley

Loadbalancer.org Ltd.

www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
asmal...@loadbalancer.org

Leave a Review | Deployment Guides | Blog


On 9 May 2018 at 22:01,  <thierry.fourn...@arpalert.org> wrote:
> On Wed, 9 May 2018 21:51:13 +0100
> Andrew Smalley <asmal...@loadbalancer.org> wrote:
>
>> Hi Thierry,
>>
>> I split the thread as I changed subject to SSO part way through, I
>> apologize for that.
>>
>> Your references to SPOA/SPOE Engines were liked very much. I see the
>> SPOA examples in the source code just now in the link you provided
>>
>> https://www.mail-archive.com/haproxy@formilux.org/msg29093.html
>>
>> However the HAproxy makes reference to "packetengine", can I ask what
>> this is (is it the python part of SSO)
>
>
> I don't know. Where do you see a reference to "packetengine" ?
>
> Thierry
>
>
>> Andruw Smalley
>>
>> Loadbalancer.org Ltd.
>>
>> www.loadbalancer.org
>> +1 888 867 9504 / +44 (0)330 380 1064
>> asmal...@loadbalancer.org
>>
>> Leave a Review | Deployment Guides | Blog
>>



Haproxy SSO

2018-05-09 Thread Andrew Smalley
Hi Thierry,

I split the thread as I changed subject to SSO part way through, I
apologize for that.

Your references to SPOA/SPOE Engines were liked very much. I see the
SPOA examples in the source code just now in the link you provided

https://www.mail-archive.com/haproxy@formilux.org/msg29093.html

However the HAproxy makes reference to "packetengine", can I ask what
this is (is it the python part of SSO)


Andruw Smalley

Loadbalancer.org Ltd.

www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
asmal...@loadbalancer.org

Leave a Review | Deployment Guides | Blog



Re: WAF with HA Proxy.

2018-05-09 Thread Andrew Smalley
Hello Thierry

Thank you for your response saying it is the SPOE engine that does
mod_security integration and not the almost correct SPOA that I said.

Can I ask how haproxy does the SSO with the SPOE/SPOA Engine?


Andruw Smalley

Loadbalancer.org Ltd.

www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
asmal...@loadbalancer.org

Leave a Review | Deployment Guides | Blog


On 9 May 2018 at 21:04, Thierry Fournier <thierry.fourn...@arpalert.org> wrote:
> Hi,
>
> I confirm: the modsecurity is done through SPOE.
>
> The limitations are:
>
> The limit of the body size analysed is the size of HAProxy buffer (default
> 16kB, but for my own usage, I configure 1MB)
>
>
> The response is not analysed.
>
>
> BR,
> Thierry
>
>
> On 9 May 2018, at 21:40, Andrew Smalley <asmal...@loadbalancer.org> wrote:
>
> Hi Mark
>
> Actually as far as I understand the Haproxy implementation of
> mod_security integration is not with Lua but with SPOA
>
> https://www.haproxy.org/download/1.7/doc/SPOE.txt
> Andruw Smalley
>
> Loadbalancer.org Ltd.
>
> www.loadbalancer.org
> +1 888 867 9504 / +44 (0)330 380 1064
> asmal...@loadbalancer.org
>
> Leave a Review | Deployment Guides | Blog
>
>
> On 9 May 2018 at 20:36, Mark Lakes <mla...@signalsciences.com> wrote:
>
> Right, via lua module it integrates with haproxy.
> -mark
>
>
>
>
> Mark Lakes
> Sr Software Engineer
> (555) 555-
> Winner: InfoWorld Technology of the Year 2018
>
>
> On Wed, May 9, 2018 at 11:43 AM, Jonathan Matthews <cont...@jpluscplusm.com>
> wrote:
>
>
> On Wed, 9 May 2018 at 18:43, Mark Lakes <mla...@signalsciences.com> wrote:
>
>
> For commercial purposes, see Signal Sciences Next Gen WAF solution:
> https://www.signalsciences.com/waf-web-application-firewall/
>
>
>
> That page says it supports "Nginx, Nginx Plus, Apache and IIS". Does it
> integrate with HAProxy? Via what mechanism?
>
> J
>
> --
> Jonathan Matthews
> London, UK
> http://www.jpluscplusm.com/contact.html
>
>
>
>
>



Re: WAF with HA Proxy.

2018-05-09 Thread Andrew Smalley
Hi Mark

Actually as far as I understand the Haproxy implementation of
mod_security integration is not with Lua but with SPOA

https://www.haproxy.org/download/1.7/doc/SPOE.txt
Andruw Smalley

Loadbalancer.org Ltd.

www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
asmal...@loadbalancer.org

Leave a Review | Deployment Guides | Blog


On 9 May 2018 at 20:36, Mark Lakes  wrote:
> Right, via lua module it integrates with haproxy.
> -mark
>
>
>
>
> Mark Lakes
> Sr Software Engineer
> (555) 555-
> Winner: InfoWorld Technology of the Year 2018
>
>
> On Wed, May 9, 2018 at 11:43 AM, Jonathan Matthews 
> wrote:
>>
>> On Wed, 9 May 2018 at 18:43, Mark Lakes  wrote:
>>>
>>> For commercial purposes, see Signal Sciences Next Gen WAF solution:
>>> https://www.signalsciences.com/waf-web-application-firewall/
>>
>>
>> That page says it supports "Nginx, Nginx Plus, Apache and IIS". Does it
>> integrate with HAProxy? Via what mechanism?
>>
>> J
>>
>> --
>> Jonathan Matthews
>> London, UK
>> http://www.jpluscplusm.com/contact.html
>
>



Re: Question on Caching.

2018-04-30 Thread Andrew Smalley
Hi Willy

Thank you for your detailed reply explaining why you think only the
favicon cache is sensible and that a full-blown cache within Haproxy
is not the best of ideas although interesting.

I will continue the search for a viable yet small cache.



Andruw Smalley

Loadbalancer.org Ltd.

www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
asmal...@loadbalancer.org

Leave a Review | Deployment Guides | Blog


On 28 April 2018 at 06:48, Willy Tarreau <w...@1wt.eu> wrote:
> Hi Andrew,
>
> On Thu, Apr 26, 2018 at 10:06:00PM +0100, Andrew Smalley wrote:
>> Hello Haproxy mailing list
>>
>> I have been looking at caching technology and have found this
>>
>> https://github.com/jiangwenyuan/nuster/
>>
>> It claims to be a v1.7  / v1.8 branch fully compatible with haproxy
>> and indeed based on haproxy with the added capability of having a
>> really fast cache as described here
>> https://github.com/jiangwenyuan/nuster/wiki/Web-cache-server-performance-benchmark:-nuster-vs-nginx-vs-varnish-vs-squid
>>
>> It looks interesting but I would love some feedback please
>
> It's indeed interesting. By the way it's only for 1.7 as the 1.8 branch also
> contains 1.7. First, he found that nginx's primary job is not to be a cache
> (just like haproxy is not), and that in the end, only squid and varnish are
> real caches.
>
> Second, he focuses on performance. It's not new for many of us that haproxy
> rocks here, being 3 times faster than nginx in single core and 3 times faster
> than varnish using 12 cores is easily expected since haproxy never makes any
> single I/O access. He could even have compared with the small object cache
> in 1.8.
>
> But there's an important point which is missed there : manageability.
> Varnish is a real cache and made for being manageable and flexible. It
> probably has its own shortcomings, but it does the job perfectly for those
> who need a fully manageable cache. Putting a full-blown cache into haproxy
> is not a good idea in my opinion. A load balancer must be mostly stateless
> so that it can be killed, rebooted or tweaked. Implementing a full-blown
> cache into it seriously affects this capacity. It may even require some
> reloads just to flush the cache, while a load balancer should never have
> to be touched for no reason, especially when it's shared between multiple
> customers.
>
> The reason I was OK with the "favicon cache" in haproxy is that I noticed
> that when placing haproxy in front of varnish, we wasted more CPU and time
> processing the connection between haproxy and varnish than delivering a
> very small object from memory. And others had noticed that before, seeing
> certain configs use dummy backends with "errorfile 503" to deliver very
> small objects. So I thought that a short-lived, tiny objects cache saving
> us from having to connect to varnish would benefit both components without
> adding any requirement for cache maintenance. It's really where I draw the
> line between what is acceptable in haproxy and what is not. The day someone
> asks here if we can implement a cache flush on the CLI will indicate we've
> gone too far already, and we purposely refrained from implementing it.
>
> With this said, I can understand why some people would like to have more,
> especially when seeing the performance numbers on the site above. Possibly
> that we should think how to make it easier for these people to maintain
> their code without having to rebase too much (eg they may need some extra
> register functions or hooks to avoid patching the core).
>
> Regards,
> Willy



Question on Caching.

2018-04-26 Thread Andrew Smalley
Hello Haproxy mailing list

I have been looking at caching technology and have found this

https://github.com/jiangwenyuan/nuster/

It claims to be a v1.7  / v1.8 branch fully compatible with haproxy
and indeed based on haproxy with the added capability of having a
really fast cache as described here
https://github.com/jiangwenyuan/nuster/wiki/Web-cache-server-performance-benchmark:-nuster-vs-nginx-vs-varnish-vs-squid

It looks interesting but I would love some feedback please


Andruw Smalley

Loadbalancer.org Ltd.

www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
asmal...@loadbalancer.org

Leave a Review | Deployment Guides | Blog



Re: slowly move connections away from failed real server to remaining real server.

2018-02-14 Thread Andrew Smalley
Hello Shawn

Thank you for your reply.

It is pretty much a verification of what we thought this end.

I'll go back to the customer and let them know what Microsoft suggest
is not possible.

Andruw Smalley

Loadbalancer.org Ltd.

www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
asmal...@loadbalancer.org

Leave a Review | Deployment Guides | Blog


On 14 February 2018 at 17:55, Shawn Heisey <hapr...@elyograg.org> wrote:
> On 2/13/2018 7:49 AM, Andrew Smalley wrote:
>> We have had a request and not sure if there is any way to implement this.
>>
>> Simply think of two real servers being loadbalanced. one fails all the
>> connections are moved to the remaining server overloading it.
>>
>> What we want is for the traffic from the failed real server to be
>> moved to the remaining real server without overloading it. IE Move a
>> few connections at a time so the last server is not overloaded.
>
> The following is my understanding of how things work and what you have
> said.  If I have made any errors, I hope somebody will point them out.
>
> As far as I am aware, there is no way to "move" an existing connection
> from one backend server to another.  That would require special support
> from both haproxy and the back end software.  To my knowledge, that
> capability does not exist.  So existing connections at the moment of
> failure are going to get closed down and the application (which may be a
> browser) will need to try again.
>
> There isn't anything gradual about load shifting in the event of a
> failure.  Existing connections will be dropped and new connections will
> be sent to whatever servers remain.
>
> When planning your capacity, it's prudent to take failures into account.
>  Failures *are* going to happen.  They might be unplanned, such as a
> motherboard failure or a datacenter outage, or they may be planned, so
> you can upgrade software on the back end.
>
> If one server failing means that there is not enough remaining capacity
> to handle the load, then you need more capacity, which may require more
> servers.  Ideally the remaining servers would handle the load without
> users ever noticing any change, but in many environments it is
> acceptable for performance to be a little worse until the failed server
> is returned to service.
>
> Thanks,
> Shawn
>



Re: slowly move connections away from failed real server to remaining real server.

2018-02-13 Thread Andrew Smalley
Hello Moemen

Thank you for your reply.

Indeed we have already thought of the MAXCONN values.

Any other thoughts?

The aim is to move clients from a failed server slowly much like the
feature where a real server comes back online and slowly the weight is
raised until all connections are on the working real server.

Andruw Smalley

Loadbalancer.org Ltd.

www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
asmal...@loadbalancer.org

Leave a Review | Deployment Guides | Blog


On 13 February 2018 at 17:21, Moemen MHEDHBI <mmhed...@haproxy.com> wrote:
>
>
> On 13/02/2018 15:49, Andrew Smalley wrote:
>> Hi,
> Hi Andrew,
>
>>
>> We have had a request and not sure if there is any way to implement this.
>>
>> Simply think of two real servers being loadbalanced. one fails all the
>> connections are moved to the remaining server overloading it.
>>
>> What we want is for the traffic from the failed real server to be
>> moved to the remaining real server without overloading it. IE Move a
>> few connections at a time so the last server is not overloaded.
>>
>> Anyone know how this can be done?
>
> Setting the right maxconn value for the server would not be sufficient
> here ? So the extra traffic due to the failed server will be queued.
>
>
>>
>>
>> Andruw Smalley
>>
>> Loadbalancer.org Ltd.
>>
>> www.loadbalancer.org
>> +1 888 867 9504 / +44 (0)330 380 1064
>> asmal...@loadbalancer.org
>>
>> Leave a Review | Deployment Guides | Blog
>>
>
> --
> Moemen MHEDHBI
>
>



slowly move connections away from failed real server to remaining real server.

2018-02-13 Thread Andrew Smalley
Hi,

We have had a request and not sure if there is any way to implement this.

Simply think of two real servers being loadbalanced. one fails all the
connections are moved to the remaining server overloading it.

What we want is for the traffic from the failed real server to be
moved to the remaining real server without overloading it. IE Move a
few connections at a time so the last server is not overloaded.

Anyone know how this can be done?


Andruw Smalley

Loadbalancer.org Ltd.

www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
asmal...@loadbalancer.org

Leave a Review | Deployment Guides | Blog



Re: haproxy-1.8 in Fedora

2018-01-05 Thread Andrew Smalley
Hi Ryan

Copr is an easy-to-use automatic build system providing a package
repository as its output.

Start with making your own repository in these three steps:

1. choose a system and architecture you want to build for
2. provide Copr with src.rpm packages available online
3. let Copr do all the work and wait for your new repo

NOTE: Copr is not yet officially supported by Fedora Infrastructure.

https://copr.fedorainfracloud.org/

It has useful user contributed builds. I've found it useful for
packages compiled with dependency in the past.


Andruw Smalley

Loadbalancer.org Ltd.

www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
asmal...@loadbalancer.org

Leave a Review | Deployment Guides | Blog


On 5 January 2018 at 21:12, Aleksandar Lazic  wrote:
> Hi Ryan.
>
> -- Originalnachricht --
> Von: "Ryan O'Hara" 
> An: haproxy@formilux.org
> Gesendet: 05.01.2018 17:19:15
> Betreff: haproxy-1.8 in Fedora
>
>> Just wanted to inform Fedora users that haproxy-1.8.3 is now in the master
>> branch and built for Rawhide. I will not be updating haproxy to 1.8 in
>> current stable releases of Fedora since I received some complaints about
>> doing major updates (eg. 1.6 to 1.7) in previous stable releases. That
>> said, the source rpm will build on Fedora 27. If there is enough interest, I
>> can build haproxy-1.8 in copr and provide a repository for current stable
>> Fedora releases.
>
> I don't know what 'copr' is but how about to add the haproxy 1.8 into the
> software collection similar like nginx 1.8 and apache httpd 2.4 ?
>
> The customer then is able to use haproxy 1.8 with the software collection
> subscription.
>
>>
>> Ryan
>
> Best regards
> aleks
>
>



Re: 1.8 resolvers - start vs. run

2017-12-29 Thread Andrew Smalley
Hello Jim.

I've seen the thread and that you're "befuddled" a little about the use of DNS.

Think of it this way, with the resolvers in HAProxy you can resolve
the real server names of real server pool, this may be very dynamic in
nature and separate to /etc/resolv.conf

Now imagine a farm of Haproxy servers with different resolvers
configured internally, but you want the Haproxy instance to have
public DNS resolved while there may be many split horizon dns
available and maybe not public. Haproxy then ensures it uses the DNS
servers you want it to and not the system resolver

Personally and this is just an opinion I think the Haproxy resolver is
and should be separate to /etc/resolv.conf


Andruw Smalley

Loadbalancer.org Ltd.

www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
asmal...@loadbalancer.org

Leave a Review | Deployment Guides | Blog


On 29 December 2017 at 21:26, Lukas Tribus  wrote:
> Hi Jim,
>
>
> On Fri, Dec 29, 2017 at 10:14 PM, Jim Freeman  wrote:
>> Looks like libresolv 's res_ninit() parses out /etc/resolv.conf 's
>> nameservers [resolv.h], so haproxy won't have to parse it either ...
>>
>> Will keep poking.
>
> Do give it some time to discuss the implementation here first though,
> before you invest a lot of time in a specific direction (especially if
> you link to new libraries).
>
> CC'ing Baptise and Willy.
>
>
>
> cheers,
> lukas
>



Re: issue with namesapce for backend

2017-12-28 Thread Andrew Smalley
Hi Lukas

Thank you for the correction. I didn't even think about using CAP_SYS_ADMIN
to give a standard user more privs.

Out of interest would CAP_NET_BIND_SERVICE not be a better choice than
giving haproxy full admin rights, just allow it to bind to ports <1024



"setcap" - set Linux capabilities on a file. Useful for giving executables
permissions to capabilities that are normally restricted to the root user;

like binding to a port below port 1024 without the need to run as root. Or
to give wireshark permissions to capture packets without needing to be run
as root.

The example below allows haproxy to connect below port 1024 without being root.



*setcap cap_net_bind_service=+ep /usr/local/sbin/haproxy*

Andruw Smalley

Loadbalancer.org Ltd.
www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
asmal...@loadbalancer.org

Leave a Review | Deployment Guides | Blog

On 28 December 2017 at 15:04, Lukas Tribus <lu...@ltri.eu> wrote:

> Hello,
>
>
> On 28 December 2017 at 11:24, Senthil Naidu
> <sent...@netmagicsolutions.com> wrote:
> >
> > Hi,
> >
> > Is there any way to run haproxy as non-root with  backend configured
> inside the
> > namespace  as seen below but the same shows “general socket error” , if
> we run
> > the same by removing the user and group from haproxy and run the same as
> root
> > the the same works fine.
>
> The call is setns(2) and the process needs the CAP_SYS_ADMIN
> capability in the target user namespace if it isn't root:
>
> http://man7.org/linux/man-pages/man2/setns.2.html
>
>
>
> On Thu, Dec 28, 2017 at 12:28 PM, Andrew Smalley
> <asmal...@loadbalancer.org> wrote:
> >
> > Hello Senthil
> >
> > You asked if you can run haproxy as a non root user.
> >
> > Yes you can but only for ports above 1024, ports below 1024 and port 80
> as per your config will require root privileges to bind to the port.
>
> The question was with namespaces on the backend, which require
> additional capabilities, see above.
>
> Also you can run haproxy with ports bound below 1024 and then
> downgrade privileges: as haproxy first binds to the ports and only
> then drops the privileges. This works just fine and is actually the
> recommended configuration.
>
> Limitations like this mostly impact connections to backend servers,
> where sockets are opened on demand (after haproxy downgraded
> privileges). Things like namespaces, TOS settings, etc.
>
>
>
>
> Regards,
> Lukas
>


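As an added example, not code from anyone in this thread: one way to confirm which capabilities a running haproxy actually holds is to decode the CapEff mask from /proc/<pid>/status and flag anything beyond cap_net_bind_service, such as the cap_sys_admin discussed above. The two status excerpts are constructed samples, and the function names and the allow-list are assumptions.

```python
"""Decode Linux capability masks from /proc/<pid>/status and flag excess privilege."""

# Capability names indexed by bit number, as defined in linux/capability.h.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]


def decode_caps(mask_hex: str) -> list:
    """Turn a hex mask such as '0000000000000400' into capability names."""
    mask = int(mask_hex, 16)
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            # Bits newer than this table are reported by number.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
        bit += 1
    return names


def audit_status(status_text: str, allowed=frozenset({"cap_net_bind_service"})) -> dict:
    """Summarise the effective UID and capabilities found in a status file."""
    fields = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.split()
    euid = int(fields["Uid"][1])  # columns: real, effective, saved, filesystem
    effective = decode_caps(fields["CapEff"][0])
    return {
        "euid": euid,
        "root": euid == 0,
        "effective": effective,
        "excess": sorted(set(effective) - set(allowed)),
    }


# Constructed sample: unprivileged user, binary given cap_net_bind_service only.
SAMPLE_BIND_ONLY = """Name:\thaproxy
Uid:\t188\t188\t188\t188
CapPrm:\t0000000000000400
CapEff:\t0000000000000400
"""

# Constructed sample: unprivileged user that also holds cap_sys_admin (bit 21).
SAMPLE_SYS_ADMIN = """Name:\thaproxy
Uid:\t188\t188\t188\t188
CapPrm:\t0000000000200400
CapEff:\t0000000000200400
"""

if __name__ == "__main__":
    for label, text in (("bind only", SAMPLE_BIND_ONLY), ("sys_admin", SAMPLE_SYS_ADMIN)):
        print(label, audit_status(text))
```

On a live host the same function can be fed the contents of `/proc/<pid>/status` for each haproxy process.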
Re: issue with namesapce for backend

2017-12-28 Thread Andrew Smalley
Hello Senthil

You asked if you can run haproxy as a non root user.

Yes you can but only for ports above 1024, ports below 1024 and port 80 as
per your config will require root privileges to bind to the port.


Andruw Smalley

Loadbalancer.org Ltd.
www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
asmal...@loadbalancer.org

Leave a Review | Deployment Guides | Blog

On 28 December 2017 at 11:24, Senthil Naidu wrote:

> Hi,
>
> Is there any way to run haproxy as non-root with backend configured
> inside the namespace as seen below but the same shows “general socket
> error”, if we run the same by removing the user and group from haproxy and
> run the same as root the same works fine.
>
> Regards
>
> Senthil
>
> global
>     maxconn 1
>     log 127.0.0.1 local0 notice
>     log 127.0.0.1 local1 notice
>     chroot /usr/haproxy
>     user haproxy
>     group haproxy
>     daemon
>
> frontend  HTTP
>     bind 10.14.14.21:80 namespace red
>     mode http
>     log global
>     option httplog
>     option httpclose
>     option forwardfor
>     maxconn 2000
>     timeout client 180s
>     default_backend  HTTPBACK
>
> backend HTTPBACK
>     balance roundrobin
>     mode http
>     log global
>     option httplog
>     option httpchk HEAD /
>     fullconn  2000
>     timeout server 180s
>     default-server inter 3s rise 2 fall 3 slowstart 0
>     server RHEL64 10.14.14.4:80 weight 12 maxconn 2000 check namespace red


Re: Traffic delivered to disabled server when cookie persistence is enabled after upgrading to 1.8.1

2017-12-20 Thread Andrew Smalley
Also our cookie line looks as below

 cookie SERVERID maxidle 30m maxlife 12h insert nocache indirect


On 20 December 2017 at 20:55, Andrew Smalley <asmal...@loadbalancer.org> wrote:
> Greg
>
> It's just been pointed out your cookies are wrong, they would usually
> match your server name.
> I would change this
>
>   server server-1-google www.google.com:80 check cookie google
>   server server-2-yahoo www.yahoo.com:80 check cookie yahoo
>
>
> to this
>
>   server server-1-google www.google.com:80 check cookie server-1-google
>   server server-2-yahoo www.yahoo.com:80 check cookie server-2-yahoo
>
>
> We use something like this as a default server line
>
>   server RIP_Name 172.16.1.1  weight 100  cookie RIP_Name  check port 80 inter 4000  rise 2  fall 2  minconn 0  maxconn 0  on-marked-down shutdown-sessions
>
>
> On 20 December 2017 at 20:52, Andrew Smalley <asmal...@loadbalancer.org> wrote:
>> Hi Greg
>>
>> Apologies  I was confused with the terminology we use here,
>>
>> Indeed MAINT should be the same as our HALT feature,
>>
>> Maybe you can share your config and we can see what's wrong?
>>
>>
>>
>>
>> On 20 December 2017 at 20:45, Greg Nolle <greg.no...@voidbridge.com> wrote:
>>> Hi Andrew,
>>>
>>> I can’t find any reference to a “HALTED” status in the manual. I’m
>>> *not* referring to “DRAIN” though (which I would expect to behave as
>>> you describe), I’m referring to "MAINT", i.e. disabling the backend
>>> server. Here’s the snippet from the management manual to clarify what
>>> I’m referring to:
>>>
>>>> “Setting the state to “maint” disables any traffic to the server as well 
>>>> as any health checks"
>>>
>>> Best regards,
>>> Greg
>>>
>>> On Wed, Dec 20, 2017 at 8:29 PM, Andrew Smalley
>>> <asmal...@loadbalancer.org> wrote:
>>>> Hi Greg
>>>>
>>>> You say traffic still goes to the real server when in MAINT mode,
>>>> Assuming you mean DRAIN Mode and not HALTED then this is expected.
>>>>
>>>> Existing connections still go to a server while DRAINING but no new
>>>> connections will get there.
>>>>
>>>> If the real server is HALTED then no traffic gets to it.
>>>>
>>>>
>>>>
>>>>
>>>> On 20 December 2017 at 20:26, Greg Nolle <greg.no...@voidbridge.com> wrote:
>>>>> When cookie persistence is used, it seems that the status of the
>>>>> servers in the backend is ignored in v1.8.1. I try marking as MAINT a
>>>>> backend server for which my browser has been given a cookie but
>>>>> subsequent requests still go to that server (as verified in the
>>>>> stats). The same issue happens when I use a stick table.
>>>>>
>>>>> I’ve included a simple example config where this happens at the
>>>>> bottom. The exact same config in v1.7.9 gives the expected behaviour
>>>>> that new requests are migrated to a different active backend server.
>>>>>
>>>>> Any ideas?
>>>>>
>>>>> Many thanks,
>>>>> Greg
>>>>>
>>>>> defaults
>>>>>   mode http
>>>>>   option redispatch
>>>>>   retries 3
>>>>>   timeout queue 20s
>>>>>   timeout client 50s
>>>>>   timeout connect 5s
>>>>>   timeout server 50s
>>>>>
>>>>> listen stats
>>>>>   bind :1936
>>>>>   stats enable
>>>>>   stats uri /
>>>>>   stats hide-version
>>>>>   stats admin if TRUE
>>>>>
>>>>> frontend main
>>>>>   bind :9080
>>>>>   default_backend main
>>>>>
>>>>> backend main
>>>>>   balance leastconn
>>>>>   cookie SERVERID insert indirect nocache
>>>>>   server server-1-google www.google.com:80 check cookie google
>>>>>   server server-2-yahoo www.yahoo.com:80 check cookie yahoo
>>>>>
>>>>



Re: Traffic delivered to disabled server when cookie persistence is enabled after upgrading to 1.8.1

2017-12-20 Thread Andrew Smalley
Greg

It's just been pointed out your cookies are wrong, they would usually
match your server name.
I would change this

  server server-1-google www.google.com:80 check cookie google
  server server-2-yahoo www.yahoo.com:80 check cookie yahoo


to this

  server server-1-google www.google.com:80 check cookie server-1-google
  server server-2-yahoo www.yahoo.com:80 check cookie server-2-yahoo


We use something like this as a default server line

  server RIP_Name 172.16.1.1  weight 100  cookie RIP_Name  check port 80 inter 4000  rise 2  fall 2  minconn 0  maxconn 0  on-marked-down shutdown-sessions


On 20 December 2017 at 20:52, Andrew Smalley <asmal...@loadbalancer.org> wrote:
> Hi Greg
>
> Apologies  I was confused with the terminology we use here,
>
> Indeed MAINT should be the same as our HALT feature,
>
> Maybe you can share your config and we can see what's wrong?
>
>
>
>
> On 20 December 2017 at 20:45, Greg Nolle <greg.no...@voidbridge.com> wrote:
>> Hi Andrew,
>>
>> I can’t find any reference to a “HALTED” status in the manual. I’m
>> *not* referring to “DRAIN” though (which I would expect to behave as
>> you describe), I’m referring to "MAINT", i.e. disabling the backend
>> server. Here’s the snippet from the management manual to clarify what
>> I’m referring to:
>>
>>> “Setting the state to “maint” disables any traffic to the server as well as 
>>> any health checks"
>>
>> Best regards,
>> Greg
>>
>> On Wed, Dec 20, 2017 at 8:29 PM, Andrew Smalley
>> <asmal...@loadbalancer.org> wrote:
>>> Hi Greg
>>>
>>> You say traffic still goes to the real server when in MAINT mode,
>>> Assuming you mean DRAIN Mode and not HALTED then this is expected.
>>>
>>> Existing connections still go to a server while DRAINING but no new
>>> connections will get there.
>>>
>>> If the real server is HALTED then no traffic gets to it.
>>>
>>>
>>>
>>>
>>> On 20 December 2017 at 20:26, Greg Nolle <greg.no...@voidbridge.com> wrote:
>>>> When cookie persistence is used, it seems that the status of the
>>>> servers in the backend is ignored in v1.8.1. I try marking as MAINT a
>>>> backend server for which my browser has been given a cookie but
>>>> subsequent requests still go to that server (as verified in the
>>>> stats). The same issue happens when I use a stick table.
>>>>
>>>> I’ve included a simple example config where this happens at the
>>>> bottom. The exact same config in v1.7.9 gives the expected behaviour
>>>> that new requests are migrated to a different active backend server.
>>>>
>>>> Any ideas?
>>>>
>>>> Many thanks,
>>>> Greg
>>>>
>>>> defaults
>>>>   mode http
>>>>   option redispatch
>>>>   retries 3
>>>>   timeout queue 20s
>>>>   timeout client 50s
>>>>   timeout connect 5s
>>>>   timeout server 50s
>>>>
>>>> listen stats
>>>>   bind :1936
>>>>   stats enable
>>>>   stats uri /
>>>>   stats hide-version
>>>>   stats admin if TRUE
>>>>
>>>> frontend main
>>>>   bind :9080
>>>>   default_backend main
>>>>
>>>> backend main
>>>>   balance leastconn
>>>>   cookie SERVERID insert indirect nocache
>>>>   server server-1-google www.google.com:80 check cookie google
>>>>   server server-2-yahoo www.yahoo.com:80 check cookie yahoo
>>>>
>>>



Re: Traffic delivered to disabled server when cookie persistence is enabled after upgrading to 1.8.1

2017-12-20 Thread Andrew Smalley
Hi Greg

Apologies  I was confused with the terminology we use here,

Indeed MAINT should be the same as our HALT feature,

Maybe you can share your config and we can see what's wrong?




On 20 December 2017 at 20:45, Greg Nolle <greg.no...@voidbridge.com> wrote:
> Hi Andrew,
>
> I can’t find any reference to a “HALTED” status in the manual. I’m
> *not* referring to “DRAIN” though (which I would expect to behave as
> you describe), I’m referring to "MAINT", i.e. disabling the backend
> server. Here’s the snippet from the management manual to clarify what
> I’m referring to:
>
>> “Setting the state to “maint” disables any traffic to the server as well as 
>> any health checks"
>
> Best regards,
> Greg
>
> On Wed, Dec 20, 2017 at 8:29 PM, Andrew Smalley
> <asmal...@loadbalancer.org> wrote:
>> Hi Greg
>>
>> You say traffic still goes to the real server when in MAINT mode,
>> Assuming you mean DRAIN Mode and not HALTED then this is expected.
>>
>> Existing connections still go to a server while DRAINING but no new
>> connections will get there.
>>
>> If the real server is HALTED then no traffic gets to it.
>>
>>
>>
>>
>> On 20 December 2017 at 20:26, Greg Nolle <greg.no...@voidbridge.com> wrote:
>>> When cookie persistence is used, it seems that the status of the
>>> servers in the backend is ignored in v1.8.1. I try marking as MAINT a
>>> backend server for which my browser has been given a cookie but
>>> subsequent requests still go to that server (as verified in the
>>> stats). The same issue happens when I use a stick table.
>>>
>>> I’ve included a simple example config where this happens at the
>>> bottom. The exact same config in v1.7.9 gives the expected behaviour
>>> that new requests are migrated to a different active backend server.
>>>
>>> Any ideas?
>>>
>>> Many thanks,
>>> Greg
>>>
>>> defaults
>>>   mode http
>>>   option redispatch
>>>   retries 3
>>>   timeout queue 20s
>>>   timeout client 50s
>>>   timeout connect 5s
>>>   timeout server 50s
>>>
>>> listen stats
>>>   bind :1936
>>>   stats enable
>>>   stats uri /
>>>   stats hide-version
>>>   stats admin if TRUE
>>>
>>> frontend main
>>>   bind :9080
>>>   default_backend main
>>>
>>> backend main
>>>   balance leastconn
>>>   cookie SERVERID insert indirect nocache
>>>   server server-1-google www.google.com:80 check cookie google
>>>   server server-2-yahoo www.yahoo.com:80 check cookie yahoo
>>>
>>



Re: Traffic delivered to disabled server when cookie persistence is enabled after upgrading to 1.8.1

2017-12-20 Thread Andrew Smalley
Hi Greg

You say traffic still goes to the real server when in MAINT mode,
Assuming you mean DRAIN Mode and not HALTED then this is expected.

Existing connections still go to a server while DRAINING but no new
connections will get there.

If the real server is HALTED then no traffic gets to it.




On 20 December 2017 at 20:26, Greg Nolle  wrote:
> When cookie persistence is used, it seems that the status of the
> servers in the backend is ignored in v1.8.1. I try marking as MAINT a
> backend server for which my browser has been given a cookie but
> subsequent requests still go to that server (as verified in the
> stats). The same issue happens when I use a stick table.
>
> I’ve included a simple example config where this happens at the
> bottom. The exact same config in v1.7.9 gives the expected behaviour
> that new requests are migrated to a different active backend server.
>
> Any ideas?
>
> Many thanks,
> Greg
>
> defaults
>   mode http
>   option redispatch
>   retries 3
>   timeout queue 20s
>   timeout client 50s
>   timeout connect 5s
>   timeout server 50s
>
> listen stats
>   bind :1936
>   stats enable
>   stats uri /
>   stats hide-version
>   stats admin if TRUE
>
> frontend main
>   bind :9080
>   default_backend main
>
> backend main
>   balance leastconn
>   cookie SERVERID insert indirect nocache
>   server server-1-google www.google.com:80 check cookie google
>   server server-2-yahoo www.yahoo.com:80 check cookie yahoo
>



Re: Websocket metrics

2017-11-14 Thread Andrew Smalley
Hi Claus

Below is a blog on the haproxy website about websockets, I apologise
if it does not have the information you need

https://www.haproxy.com/blog/websockets-load-balancing-with-haproxy/





On 14 November 2017 at 14:18, Claus Strommer  wrote:
>
> Hi,
>
> I'm looking for recommendations on best practices for collecting metrics and 
> performing analytics on websocket connections through HAProxy.  I'm already 
> capturing the http log which serves me well for http traffic, but since 
> websockets get upgraded to TCP connections I'm losing the kind of atomicity 
> I'm used to.  Is there anything I can do with HAProxy to sample frames from a 
> websocket, or am I going to have to go more low-level and do layer 2 traffic 
> capture?



Re: Error in `haproxy': munmap_chunk(): invalid pointer:

2017-11-08 Thread Andrew Smalley
Hi Tim

Can you try a make install first please, or mkdir -p
'/etc/haproxy/state/' so the state directory exists, and then re-test.

The above is a guess, can you supply the build commands and clarify
this line in the config "bind :::80 v4v6"? Don't you want to "bind
*:80" and use IPv4 only?


On 9 November 2017 at 00:00, Tim Düsterhus  wrote:
> Hi
>
> I get the following crash when running:
>
> [timwolla@/t/h/haproxy-1.8-rc2]./haproxy -V
> HA-Proxy version 1.8-rc2-a8d8d6e 2017/11/03
> Copyright 2000-2017 Willy Tarreau 
>
> with the configuration at the bottom of this email as follows:
>
> root@node42:/tmp/haproxy/haproxy-1.8-rc2# ./haproxy -W -f
> /tmp/haproxy/haproxy-1.8-rc2/haproxy.cfg
> [WARNING] 312/004845 (31835) : Can't open server state file
> '/etc/haproxy/state/global': No such file or directory
> [WARNING] 312/004845 (31835) : Can't open server state file
> '/etc/haproxy/state/global': No such file or directory
>
> and then killing the master process using a SIGHUP:
>
>> *** Error in `./haproxy': munmap_chunk(): invalid pointer: 
>> 0x00515028 ***
>> === Backtrace: =
>> /lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fda72bbc7e5]
>> /lib/x86_64-linux-gnu/libc.so.6(cfree+0x1a8)[0x7fda72bc9698]
>> ./haproxy[0x4a28d0]
>> ./haproxy[0x4a2c4e]
>> ./haproxy[0x4a2f57]
>> ./haproxy[0x40b16f]
>> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fda72b65830]
>> ./haproxy[0x40c149]
>> === Memory map: 

Re: HAProxy dont Support sslv2 Confirmation

2017-11-06 Thread Andrew Smalley
Hello Jean

From what I read SSLv2 is unused and SSLv3 can be enabled with a warning as
shown below

force-sslv3 :

Enforces the use of SSL protocol version SSLv3.

Note

Not recommended on Internet because of the poodle vulnerability:
https://poodle.io/


SSLv2 has not been used on the internet in quite a while now and as per
the warning SSLv3 is unused by default but can be turned on.


https://www.haproxy.com/documentation/aloha/7-0/haproxy/tls/




On 6 November 2017 at 11:25, Jean Martinelli wrote:
>
> Hello
>
> HAProxy does not support native sslv2 enabled. Could you confirm? Is
> there a documentation link for reference?
>
>
>
> Att
>
> Jean Martinelli
> Consultoria


Re: X-Forwarded-For Balancing

2017-07-26 Thread Andrew Smalley
Hi Trenton

Here we use the stick on src (Source IP) and X-Forwarded-For method so we
can stick on both criteria

Also the -1 to move the XFF IP back, imagine there are 2 or 3 proxies all
inserting X-Forwarded-For the -1 could also be -2 or -3 etc to move the ip
forward in the list

192.168.100.12 172.16.21.20 172.31.31.2

-1 would put the red address like this

172.16.21.20 172.31.31.2

I hope that all makes sense



On 25 July 2017 at 19:42, Trenton Dyck <trenton.d...@uxpsystems.com> wrote:

> Andrew,
>
>
>
> Thanks for this suggestion!  When you say ‘move the XFF header back’ and
> you have a second stick on parameter what is the behavior you expect? Will
> it use src ip if no X-Forwarded-For header is present (our desired
> behavior)?
>
>
>
> Thanks,
>
> Trent
>
>
>
> *From:* Andrew Smalley [mailto:asmal...@loadbalancer.org]
> *Sent:* Tuesday, July 25, 2017 12:54 PM
> *To:* Trenton Dyck
> *Cc:* Aleksandar Lazic; haproxy@formilux.org
> *Subject:* Re: X-Forwarded-For Balancing
>
>
>
> Hi Trenton
>
> I hope the below example will help you with X-Forwarded-For + Stick table +
> replication
>
> listen VIP_Name
>     bind 192.168.100.50:65435 transparent
>     mode http
>     balance roundrobin
>     option forwardfor if-none
>     stick on hdr(X-Forwarded-For,-1)  # Note the ,-1 is to move the XFF header back one place in the list.
>     stick on src
>     stick-table type string len 64 size 10240k expire 30m peers loadbalancer_replication
>     server backup 127.0.0.1:9081 backup  non-stick
>     option http-keep-alive
>     timeout http-request 5s
>     option redispatch
>     option abortonclose
>     maxconn 4
>     server RIP_Name 192.168.100.200:80  weight 100  check  inter 500  rise 1  fall 1  minconn 0  maxconn 0  on-marked-down shutdown-sessions
>     server RIP_Name-1 192.168.100.255:80  weight 100  check  inter 500  rise 1  fall 1  minconn 0  maxconn 0  on-marked-down shutdown-sessions
>
>
>
>
>
> On 25 July 2017 at 17:36, Trenton Dyck <trenton.d...@uxpsystems.com>
> wrote:
>
> Hi Alek,
>
> I want to balance via round-robin, but I want stick-tables to use the
> X-Forwarded-For header instead of src ip.  It makes sense in our use case
> because a vast majority of our clients are behind a NAT and have the same
> source IP, but the X-Forwarded-For header is unique to them.
>
> Thanks,
> Trent
>
>
> -Original Message-
> From: Aleksandar Lazic [mailto:al-hapr...@none.at]
> Sent: Tuesday, July 25, 2017 11:20 AM
> To: Trenton Dyck
> Cc: haproxy@formilux.org
> Subject: Re: X-Forwarded-For Balancing
>
> Hi Trenton,
>
> Trenton Dyck wrote on 25.07.2017:
>
> > Hi,
> >
> > Is it possible to balance, via X-Forwarded-For header?  We have come
> > across an issue with sticky-sessions and server weight that I can't
> > seem to find the answer to online (Unbalanced traffic).  I think
> > stick-tables with this acl option  would be nice to have for a future
> version.
>
> http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4-balance
>
> Something like this
>
> balance hdr(X-Forwarded-For)
>
> Does it make sense to balance based on this header?!
> What's the issue you want to solve?
>
> What do you mean with "stick-tables with this acl option"?
>
> > Please keep met CCed for responses since I'm not subscribed.
> >
> > Thanks,
> >
> > Trent
>
> --
> Best Regards
> Aleks
>
>
>
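
Which X-Forwarded-For value `hdr(X-Forwarded-For,-1)` selects decides whether the stick key is a value the client side can set. HAProxy's documentation for hdr() states that positive positions count from the first value, negative positions from the last (-1 being the last), and that commas delimit values. The following is an added example, not part of the original thread, that models that selection over constructed requests; the function names are hypothetical, and the fallback to the source address is the behaviour Trenton asks about, modelled here rather than verified against HAProxy.

```python
"""Model of hdr(<name>,<occ>) occurrence selection (added example)."""
import ipaddress

# Constructed requests as (header name, header value) pairs.
THREE_PROXIES = [
    ("Host", "app.example"),
    ("X-Forwarded-For", "192.168.100.12, 172.16.21.20, 172.31.31.2"),
]
SPLIT_LINES = [  # the same header sent as two separate lines
    ("X-Forwarded-For", "198.51.100.23"),
    ("x-forwarded-for", "203.0.113.7"),
]
NO_XFF = [("Host", "app.example")]
MALFORMED = [("X-Forwarded-For", "unknown")]


def header_values(headers, name):
    """All values of a header in order, one entry per comma-separated item.

    Header names compare case-insensitively. Empty items are skipped, which
    is a simplification made for this example.
    """
    wanted = name.lower()
    values = []
    for header_name, header_value in headers:
        if header_name.lower() != wanted:
            continue
        for item in header_value.split(","):
            item = item.strip()
            if item:
                values.append(item)
    return values


def hdr_occurrence(headers, name, occ):
    """Value at position occ (1 = first, -1 = last), or None if out of range."""
    if occ == 0:
        raise ValueError("occ must be non-zero: 1 is the first value, -1 the last")
    values = header_values(headers, name)
    index = occ - 1 if occ > 0 else len(values) + occ
    if 0 <= index < len(values):
        return values[index]
    return None


def stick_key(headers, src_ip, occ=-1):
    """Pick the persistence key: the chosen XFF value, else the source address.

    Values further left in the list were supplied further from this proxy,
    the leftmost by the client itself, so only the entries appended by
    proxies you operate can be relied on.
    """
    candidate = hdr_occurrence(headers, "X-Forwarded-For", occ)
    if candidate is not None:
        try:
            return ("xff", str(ipaddress.ip_address(candidate)))
        except ValueError:
            pass  # not an IP literal: do not key on arbitrary text
    return ("src", src_ip)


if __name__ == "__main__":
    for occ in (1, -1, -2, -3):
        print(occ, hdr_occurrence(THREE_PROXIES, "X-Forwarded-For", occ))
    print(stick_key(SPLIT_LINES, "10.0.0.8"))
    print(stick_key(NO_XFF, "10.0.0.8"))
```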


Re: X-Forwarded-For Balancing

2017-07-25 Thread Andrew Smalley
I just wanted to add a quick apology for the HTML footer.


On 25 July 2017 at 17:54, Andrew Smalley <asmal...@loadbalancer.org> wrote:

> Hi Trenton
>
> I hope the below example will help you with X-Forwarded-For + Stick table +
> replication
>
> listen VIP_Name
>     bind 192.168.100.50:65435 transparent
>     mode http
>     balance roundrobin
>     option forwardfor if-none
>     stick on hdr(X-Forwarded-For,-1)  # Note the ,-1 is to move the XFF header back one place in the list.
>     stick on src
>     stick-table type string len 64 size 10240k expire 30m peers loadbalancer_replication
>     server backup 127.0.0.1:9081 backup  non-stick
>     option http-keep-alive
>     timeout http-request 5s
>     option redispatch
>     option abortonclose
>     maxconn 4
>     server RIP_Name 192.168.100.200:80  weight 100  check  inter 500  rise 1  fall 1  minconn 0  maxconn 0  on-marked-down shutdown-sessions
>     server RIP_Name-1 192.168.100.255:80  weight 100  check  inter 500  rise 1  fall 1  minconn 0  maxconn 0  on-marked-down shutdown-sessions
>
>
>
> On 25 July 2017 at 17:36, Trenton Dyck <trenton.d...@uxpsystems.com>
> wrote:
>
>> Hi Alek,
>>
>> I want to balance via round-robin, but I want stick-tables to use the
>> X-Forwarded-For header instead of src ip.  It makes sense in our use case
>> because a vast majority of our clients are behind a NAT and have the same
>> source IP, but the X-Forwarded-For header is unique to them.
>>
>> Thanks,
>> Trent
>>
>> -Original Message-
>> From: Aleksandar Lazic [mailto:al-hapr...@none.at]
>> Sent: Tuesday, July 25, 2017 11:20 AM
>> To: Trenton Dyck
>> Cc: haproxy@formilux.org
>> Subject: Re: X-Forwarded-For Balancing
>>
>> Hi Trenton,
>>
>> Trenton Dyck wrote on 25.07.2017:
>>
>> > Hi,
>> >
>> > Is it possible to balance, via X-Forwarded-For header?  We have come
>> > across an issue with sticky-sessions and server weight that I can't
>> > seem to find the answer to online (Unbalanced traffic).  I think
>> > stick-tables with this acl option  would be nice to have for a future
>> version.
>>
>> http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4-balance
>>
>> Something like this
>>
>> balance hdr(X-Forwarded-For)
>>
>> Does it make sense to balance based on this header?!
>> What's the issue you want to solve?
>>
>> What do you mean with "stick-tables with this acl option"?
>>
>> > Please keep met CCed for responses since I'm not subscribed.
>> >
>> > Thanks,
>> >
>> > Trent
>>
>> --
>> Best Regards
>> Aleks
>>
>>
>>
>


Re: X-Forwarded-For Balancing

2017-07-25 Thread Andrew Smalley
Hi Trenton

I hope the below example will help you with X-Forwarded-For + Stick table +
replication

listen VIP_Name
    bind 192.168.100.50:65435 transparent
    mode http
    balance roundrobin
    option forwardfor if-none
    stick on hdr(X-Forwarded-For,-1)  # Note the ,-1 is to move the XFF header back one place in the list.
    stick on src
    stick-table type string len 64 size 10240k expire 30m peers loadbalancer_replication
    server backup 127.0.0.1:9081 backup  non-stick
    option http-keep-alive
    timeout http-request 5s
    option redispatch
    option abortonclose
    maxconn 4
    server RIP_Name 192.168.100.200:80  weight 100  check  inter 500  rise 1  fall 1  minconn 0  maxconn 0  on-marked-down shutdown-sessions
    server RIP_Name-1 192.168.100.255:80  weight 100  check  inter 500  rise 1  fall 1  minconn 0  maxconn 0  on-marked-down shutdown-sessions



On 25 July 2017 at 17:36, Trenton Dyck  wrote:

> Hi Alek,
>
> I want to balance via round-robin, but I want stick-tables to use the
> X-Forwarded-For header instead of src ip.  It makes sense in our use case
> because a vast majority of our clients are behind a NAT and have the same
> source IP, but the X-Forwarded-For header is unique to them.
>
> Thanks,
> Trent
>
> -Original Message-
> From: Aleksandar Lazic [mailto:al-hapr...@none.at]
> Sent: Tuesday, July 25, 2017 11:20 AM
> To: Trenton Dyck
> Cc: haproxy@formilux.org
> Subject: Re: X-Forwarded-For Balancing
>
> Hi Trenton,
>
> Trenton Dyck wrote on 25.07.2017:
>
> > Hi,
> >
> > Is it possible to balance, via X-Forwarded-For header?  We have come
> > across an issue with sticky-sessions and server weight that I can't
> > seem to find the answer to online (Unbalanced traffic).  I think
> > stick-tables with this acl option  would be nice to have for a future
> version.
>
> http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4-balance
>
> Something like this
>
> balance hdr(X-Forwarded-For)
>
> Does it make sense to balance based on this header?!
> What's the issue you want to solve?
>
> What do you mean with "stick-tables with this acl option"?
>
> > Please keep met CCed for responses since I'm not subscribed.
> >
> > Thanks,
> >
> > Trent
>
> --
> Best Regards
> Aleks
>
>
>


Re: Does anyone heard about DPDK

2017-07-15 Thread Andrew Smalley
Hi Aleksandar

I've only ever seen Intel's DPDK being used really with OpenVSwitch
and am not sure how it would help haproxy (not that I am the best
person to say if it's good for haproxy).

Andrew Smalley

Loadbalancer.org Ltd.



On 15 July 2017 at 10:32, Aleksandar Lazic <al-hapr...@none.at> wrote:
> Hi,
>
> Network acceleration with DPDK
> https://lwn.net/Articles/725254/
>
> --
> Best Regards
> Aleks
>
>



Re: help for configuration between http and tcp mode

2017-07-08 Thread Andrew Smalley
Hello M

Looking at your configuration, you are trying to use an HTTPS/TCP/SSL
connection for HTTP

frontend https_influxdb
  bind 192.168.246.17:8086 ssl crt /data/ssl_certs no-sslv3 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:!NULL:!aNULL:!RC4:!RC2:!MEDIUM:!LOW:!EXPORT:!DES:!MD5:!PSK:!3DES
  mode http
  option dontlognull

I would make this, assuming port 8086 is an HTTP connection:

frontend https_influxdb
  bind 192.168.246.17:8086
  mode http
  option dontlognull


TCP mode will work with any connection; however, HTTP mode will only work with
unencrypted HTTP-type traffic, as it is application aware.

Also, TCP mode is really Layer 4 and not application aware.

Andrew Smalley

Loadbalancer.org Ltd.

On 8 July 2017 at 21:19, M <m...@mannu.net> wrote:

> Hi,
>
> I don't understand why http mode is not able to provide a backend server
> whereas at the same time tcp mode is able to do it.
>
> I am trying to setup Haproxy in front of an Influxdb database running on
> HTTPS.
>
> When frontend is configured on http mode, requests are failing with NOSRV
> error.
> When frontend is configured on tcp mode, requests are working.
>
> Example below with http mode on tcp/8086 port and tcp mode on tcp/8087
> with same backend:
>
> #curl -G https://influxdb-drp.example.net:8086/query -u admin:''
> --data-urlencode "q=SHOW DATABASES"
> 503 Service Unavailable
> No server is available to handle this request.
> 
>
> Haproxy log showing NOSRV and SC:
> Jul  8 19:59:44 kalinga haproxy[26228]: 192.168.246.17:52946
> [08/Jul/2017:19:59:44.661] https_influxdb~ https_influxdb/ -1/-1/136
> 212 SC 0/0/0/0/0 0/0
>
>
> #curl -G https://influxdb-drp.example.net:8087/query -u admin:''
> --data-urlencode "q=SHOW DATABASES"
> {"results":[{"statement_id":0,"series":[{"name":"databases",
> "columns":["name"],"values":[["_internal"]]}]}]}
>
> Haproxy log:
> Jul  8 20:00:16 kalinga haproxy[26228]: 192.168.246.17:37142
> [08/Jul/2017:20:00:16.672] https_influxdb_tcp~ influxdb-drp.example.net/
> https_8086 0/2/123 332 -- 1/1/0/0/0 0/0
>
> Haproxy configuration file:
>
> 
> ---
>
> global
> log /dev/log local1 debug
> maxconn 4096
> debug
> tune.ssl.default-dh-param 4096
>
> defaults
> log global
> mode    tcp
> option  tcplog
> retries 3
> option redispatch
> maxconn 4000
> timeout connect 5000ms
> timeout client 5ms
> timeout server 5ms
>
> frontend https_influxdb
>   bind 192.168.246.17:8086 ssl crt /data/ssl_certs no-sslv3 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:!NULL:!aNULL:!RC4:!RC2:!MEDIUM:!LOW:!EXPORT:!DES:!MD5:!PSK:!3DES
>   mode http
>   option dontlognull
>
>   reqadd X-Forwarded-Proto:\ https
>
>   option http-server-close
>   option forwardfor
>
>   acl host_influxdb-drp.example.net hdr(host) -i influxdb-drp.example.net
>   use_backend influxdb-drp.example.net if host_influxdb-drp.example.net
>
> frontend https_influxdb_tcp
>   bind 192.168.246.17:8087 ssl crt /data/ssl_certs no-sslv3 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:!NULL:!aNULL:!RC4:!RC2:!MEDIUM:!LOW:!EXPORT:!DES:!MD5:!PSK:!3DES
>   mode tcp
>   option dontlognull
>   option http-server-close
>   option tcplog
>
>   default_backend influxdb-drp.example.net
>
> backend influxdb-drp.example.net
>   mode http
>   server https_8086 127.0.0.1:8086 check ssl verify none
>
> 
> ---
>
> How can I configure Haproxy to work on http mode?
>
> M.
>


Re: How to forward HTTP / HTTPS to different backend proxy servers

2017-07-02 Thread Andrew Smalley
I would like to ask why you have non-SSL and SSL traffic on the same port.
While it seems it is possible, it is not the right way to do it.


On 2 Jul 2017 23:37, "Igor Cicimov"  wrote:



On 3 Jul 2017 8:35 am, "Igor Cicimov" 
wrote:



On 3 Jul 2017 6:47 am, "Daren Sefcik"  wrote:

On Sat, Jul 1, 2017 at 4:39 PM, Igor Cicimov  wrote:

>
>
> On 29 Jun 2017 2:46 am, "Daren Sefcik"  wrote:
>
> On Wed, Jun 28, 2017 at 8:12 AM, Olivier Doucet 
> wrote:
>
>> Hi,
>>
>>
>> 2017-06-28 16:47 GMT+02:00 Daren Sefcik :
>>
>>> Hi, I have searched for an answer to this and tried several things but
>>> cannot seem to figure it out so am hoping someone can point me in the right
>>> direction. I have different backend proxy servers (squid) setup to handle
>>> specifically HTTP and HTTPS traffic but cannot figure out how to tell
>>> haproxy to tell the difference and send appropriately.
>>>
>>> For example, I have
>>>
>>> frontend proxy_servers
>>> backend http_proxies
>>> backend https_proxies
>>>
>>> how can I tell frontend to send all http traffic to backend http_proxies
>>> and all https traffic to https_backend? I have tried using dst_port 443 and
>>> the acl https ssl_fc but nothing seems to distinguish https traffic.
>>>
>>
>> Well, it should work. Send a copy of your config to see what's wrong in
>> it.
>>
>> Olivier
>>
>>
>>
>>>
>>> TIA...
>>>
>>
>>
> Here is an example, it continues to direct all https traffic to the web
> proxy and not the streaming media one.
>
> frontend HTPL_PROXY
>   bind 10.1.4.105:8181 name 10.1.4.105:8181
>   mode http
>   log global
>   option  http-server-close
>   option  forwardfor
>   acl https ssl_fc
>   http-request set-header X-Forwarded-Proto http if !https
>   http-request set-header X-Forwarded-Proto https if https
>   maxconn 9
>   timeout client  1
>   option tcp-smart-accept
>   acl is_youtube  hdr_sub(host) -i youtube.com
>   acl is_netflix  hdr_sub(host) -i netflix.com
>   acl is_nflixvideo   hdr_sub(host) -i nflxvideo.net
>   acl is_googlevideo  hdr_sub(host) -i googlevideo.com
>   acl is_google   hdr_sub(host) -i google.com
>   acl is_pandora  hdr_sub(host) -i pandora.com
>   acl is_https dst_port eq 443
>   use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY  if  is_youtube
>   use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY  if  is_netflix
>   use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY  if  is_nflixvideo
>   use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY  if  is_googlevideo
>   use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY  if  is_pandora
>   use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY  if  is_https
>   default_backend HTPL_WEB_PROXY_http_ipvANY
>
> Obviously dst_port 443 method can not work since you are listening on port
> 8181. Since both protocols are on same port you can try in tcp mode:
>
> mode tcp
> option tcplog
> bind *:8181
>
> tcp-request inspect-delay 5s
> acl is_ssl req.ssl_hello_type 1
>
>

Thank you, I have tried that with the below config and it still sends all
traffic to the default backend instead of my ssl backend, any other ideas?

frontend HTPL_PROXY
bind 10.1.4.105:8181 name 10.1.4.105:8181
mode tcp
log global
maxconn 9
timeout client  1
option tcp-smart-accept
tcp-request inspect-delay 5s
acl is_ssl  req.ssl_hello_type 1
use_backend HTPL_SSL_PROXY_tcp_ipvANY  if  is_ssl
default_backend HTPL_WEB_PROXY_tcp_ipvANY

Only explanation I can see is that no ssl traffic is hitting haproxy, at
least not on port 8181

Or the ip it is bind to
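
An added example, not code from any poster in this thread: it classifies the first bytes a client sends on the shared port, which is the decision `req.ssl_hello_type 1` makes. It assumes clients use 10.1.4.105:8181 as an explicit forward proxy (the backends in the thread are Squid proxies); such clients open HTTPS with a plaintext `CONNECT host:443` request, so no ClientHello is ever the first payload. The sample inputs and function names are constructed for illustration.

```python
import struct

# Backend names as they appear in the thread's tcp-mode frontend.
SSL_BACKEND = "HTPL_SSL_PROXY_tcp_ipvANY"
DEFAULT_BACKEND = "HTPL_WEB_PROXY_tcp_ipvANY"

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake type that "req.ssl_hello_type 1" matches
HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                b"OPTIONS", b"PATCH", b"TRACE"}


def classify_first_bytes(buf):
    """Return 'tls-client-hello', 'http-connect', 'http',
    'need-more-data' or 'unknown' for the first bytes of a connection."""
    if not buf:
        return "need-more-data"
    if buf[0] == TLS_HANDSHAKE:
        # Record header: type(1) version(2) length(2), then handshake type(1).
        if len(buf) < 6:
            return "need-more-data"
        _ctype, major, _minor, _length = struct.unpack("!BBBH", buf[:5])
        if major == 3 and buf[5] == CLIENT_HELLO:
            return "tls-client-hello"
        return "unknown"
    end = buf.find(b"\r\n")
    if end == -1:
        # No complete request line yet: wait only while it still looks like text.
        printable = all(0x20 <= b <= 0x7E for b in buf)
        return "need-more-data" if printable and len(buf) < 8192 else "unknown"
    parts = buf[:end].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return "unknown"
    if parts[0] == b"CONNECT":
        return "http-connect"
    return "http" if parts[0] in HTTP_METHODS else "unknown"


def backend_for(buf):
    """Mirror the thread's rule: SSL backend only when a ClientHello is seen."""
    if classify_first_bytes(buf) == "tls-client-hello":
        return SSL_BACKEND
    return DEFAULT_BACKEND


def connect_port(buf):
    """Port requested by a CONNECT line, or None if this is not a CONNECT."""
    if classify_first_bytes(buf) != "http-connect":
        return None
    target = buf[:buf.find(b"\r\n")].split(b" ")[1]
    _host, sep, port = target.rpartition(b":")
    return int(port) if sep and port.isdigit() else None


def sample_client_hello():
    """Constructed, truncated ClientHello: enough bytes for classification."""
    body = b"\x03\x03" + bytes(32) + b"\x00"
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 3, 1]) + struct.pack("!H", len(handshake)) + handshake


# Constructed samples of what a proxy-configured client sends first.
SAMPLE_CONNECT = (b"CONNECT www.youtube.com:443 HTTP/1.1\r\n"
                  b"Host: www.youtube.com:443\r\n\r\n")
SAMPLE_GET = (b"GET http://www.example.com/ HTTP/1.1\r\n"
              b"Host: www.example.com\r\n\r\n")

if __name__ == "__main__":
    for name, data in [("direct TLS", sample_client_hello()),
                       ("proxy CONNECT", SAMPLE_CONNECT),
                       ("proxy GET", SAMPLE_GET)]:
        print(name, classify_first_bytes(data), backend_for(data), connect_port(data))
```

Under that assumption the HTTPS requests are distinguishable only by the CONNECT request line (method and target port), not by a TLS handshake.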


Re: How can we start haproxy in Linux

2017-07-02 Thread Andrew Smalley
Hello Sabeer

You will find that information in the link I provided in my previous reply.

Also could you please keep your replies to the mailing list so all can see.


On 2 Jul 2017 4:39 p.m., "Sabeer Basheer" <sabeerkbash...@gmail.com> wrote:

> Hi Andrew Smalley,
>
> Thanks for your fast support.
> Sorry to disturb you again :), It will be a great help, if you give an
> exact command to start and stop haproxy as referred to my attachment
> (currently running in our server).
>
>
> Regards,
> SABEER
>
>
> On Friday, June 30, 2017, Andrew Smalley <asmal...@loadbalancer.org>
> wrote:
>
>> Sabeer
>>
>> The command will kill haproxy by pid number
>>
>> kill $(cat /var/run/haproxy.pid)
>>
>> However a more basic understanding of haproxy will help
>>
>> https://www.haproxy.com/doc/hapee/1.5/administration/init.html
>>
>>
>> Andrew Smalley
>>
>> Loadbalancer.org Ltd.
>>
>> On 30 June 2017 at 15:47, Sabeer Basheer <sabeerkbash...@gmail.com>
>> wrote:
>>
>>> Hi team,
>>>
>>> I am new to haproxy and linux, could you please help me by telling how
>>> can we stop/start haproxy in Linux server ( Service haproxy start or haproxy
>>> with -f conf file option). I am hereby attaching the screenshot of
>>> currently running process of haproxy in my machine.
>>> Please give me an exact command to stop/start the haproxy from my
>>> attachment.
>>>
>>> Regards,
>>> Sabeer
>>>
>>>
>>> --
>>> With Regards...
>>> •´ ¸.•*´¨)  ¸.•*¨)
>>> (¸.•´(¸.•*   .♪♪♪Sabeer K Basheer
>>> 8089111246
>>>
>>
>>
>
> --
> With Regards...
> •´ ¸.•*´¨)  ¸.•*¨)
> (¸.•´(¸.•*   .♪♪♪Sabeer K Basheer
> 8089111246
>


Re: How can we start haproxy in Linux

2017-06-30 Thread Andrew Smalley
Sabeer

The command will kill haproxy by pid number

kill $(cat /var/run/haproxy.pid)

However a more basic understanding of haproxy will help

https://www.haproxy.com/doc/hapee/1.5/administration/init.html


Andrew Smalley

Loadbalancer.org Ltd.

On 30 June 2017 at 15:47, Sabeer Basheer <sabeerkbash...@gmail.com> wrote:

> Hi team,
>
> I am new to haproxy and linux, could you please help me by telling how can
> we stop/start haproxy in Linux server ( Service haproxy start or haproxy
> with -f conf file option). I am hereby attaching the screenshot of
> currently running process of haproxy in my machine.
> Please give me an exact command to stop/start the haproxy from my
> attachment.
>
> Regards,
> Sabeer
>
>
> --
> With Regards...
> •´ ¸.•*´¨)  ¸.•*¨)
> (¸.•´(¸.•*   .♪♪♪Sabeer K Basheer
> 8089111246
>


Re: Reg: HAProxy 1.6.12 on RHEL7.2 (MAXCONN in FRONT-END/LISTEN BLOCK)

2017-06-28 Thread Andrew Smalley
Hi Vel

From what you describe, the example using the tarpit feature may help you,
taken from here:
https://blog.codecentric.de/en/2014/12/haproxy-http-header-rate-limiting/

frontend fe_api_ssl
  bind 192.168.0.1:443 ssl crt /etc/haproxy/ssl/api.pem no-sslv3 ciphers ...
  default_backend be_api

  tcp-request inspect-delay 5s

  acl document_request path_beg -i /v2/documents
  acl is_upload hdr_beg(Content-Type) -i multipart/form-data
  acl too_many_uploads_by_user sc0_gpc0_rate() gt 100
  acl mark_seen sc0_inc_gpc0 gt 0

  stick-table type string size 100k store gpc0_rate(60s)

  tcp-request content track-sc0 hdr(Authorization) if METH_POST document_request is_upload

  use_backend be_429_slow_down if mark_seen too_many_uploads_by_user

backend be_429_slow_down
  timeout tarpit 2s
  errorfile 500 /etc/haproxy/errorfiles/429.http
  http-request tarpit



Andrew Smalley

Loadbalancer.org Ltd.

On 28 June 2017 at 10:01, Velmurugan Dhakshnamoorthy <dvel@gmail.com>
wrote:

> Hi Lukas,
> Thanks for your response in length. As I mentioned earlier, I was not
> aware that the people from discourse forum and this email d-list group are
> same. I am 100% new to HAProxy.
>
> Let me explain my current situation in-detail in this email thread, Kindly
> check if you or other people from the group can guide me.
>
> Our requirement to use HAProxy is NOT to load balance back-end (Weblogic
> 12c) servers. We have a single backend instance (ex: PIA1), and our server
> capacity is not high enough to handle the heavy traffic during peak load. The
> peak load occurs only 2 times in a year, which is the reason we are not
> scaling up our server resources, as they will be idle the majority of the time.
>
> We would like to use HAProxy to throttle http/tcp connections during the
> peak load, so that the weblogic backend will not go to an Out-Of-Memory
> state/PeopleSoft will not crash.
>
> To achieve http throttling, when setting maxconn on the back end, HAProxy
> queues up further connections and releases them once the active http
> connections become idle. However, how weblogic works is: once the PeopleSoft
> URL is accessed and the user is authenticated, a cookie will be inserted into
> the browser and the cookie will be active by default for 20 minutes, which
> means even if the user does not navigate and do anything inside the
> application, cookie session state will be retained in the weblogic java heap.
> Weblogic allocates a small amount of memory in order to retain each active
> session (though memory allocation increases/decreases dynamically based on
> various business functionality).
> As per current capacity, weblogic can retain only 100 session states,
> which means I don't want to forward any further connections to weblogic
> until some of the 100 sessions are released (by default the session
> will be released when the user clicks explicitly on the signout button or the
> inactivity timeout reaches 20 minutes).
>
> According to my understanding, maxconn in the back-end throttles connections
> and releases them to the back-end as and when tcp connection status changes
> to idle, but though connections are idle, logout/signout has not occurred
> from PeopleSoft, so session state is still maintained in weblogic and not
> released, and it cannot handle further connections.
>
> That's the reason I am setting the maxconn in the front end and keeping the
> HTTP alive option ON, so that I can throttle connections at the front end
> itself. According to my POC, setting maxconn in the front-end behaves
> differently than setting it in the back-end: when it is on the front-end, it
> holds further connections in the kernel; once the existing http connections
> are closed, it allows further connections inside. In this I don't see any
> performance issue for existing connections.
>
> for your information HAProxy and Weblogic are residing in a same single VM.
>
> please let me know if my above understanding is correct about maxconn. Is
> there any understanding gap ? is there any way to achieve my requirement
> differently?
>
> when decided to use maxconn in front-end, the connection queuing for few
> milli seconds and seconds are OK, but when connections are queued in
> minute

Re: Reg: HAProxy 1.6.12 on RHEL7.2 (MAXCONN in FRONT-END/LISTEN BLOCK)

2017-06-27 Thread Andrew Smalley
Lukas

Why is this triple posting? Surely he asked questions in a nice way in more
than one location and deserves the right answer and not a flame down here.

It is about helping people after all I hope!


Vel, I'll have a look at your question in more detail tomorrow and see if I
can not figure an ACL to deal with the issue.


Personally if you need to set a front-end or back-end limit I would leave
it on what your back-ends can handle and if persistence is not required on
the first visit then maybe the client accessing the website can set some
other header to enable the persistence later...

I am sure there is a way where there is a will!




Andrew Smalley

Loadbalancer.org Ltd.

On 28 June 2017 at 00:53, Velmurugan Dhakshnamoorthy <dvel@gmail.com>
wrote:

> Apologize,  my intent is not to annoy anyone,  I came across one of the
> post from Willy explaining the different  behaviour when setting maxconn in
> front-end and back-end,  just want to check if anyone else has done this
> kind of  custom message display when setting maxconn in front-end as we are
> in the cut over phase,  I am not aware this email group and discourse forum
> are same.
>
>
> Apologies again.
>
>
> On Jun 28, 2017 12:34 AM, "Lukas Tribus" <lu...@gmx.net> wrote:
>
> Hello,
>
>
> On 27.06.2017 at 12:04, Velmurugan Dhakshnamoorthy wrote:
> > Dear,
> > The HAProxy 1.6.12 has been implemented on Red Hat Linux 7.2(3.10) and
> we have set the maxconn to 100 in listen block(front-end). Our objective is
> to queue connections more than 100 into linux kernel syn log until the
> established connection are freed.
> >
> > while user connections > 100 in queue, we would like to display some
> kind of custom browser message to end users, so that they will know if
> slowness is due to heavy traffic and intentional, is there any way to
> display custom message while connections are queued.
> >
> > your help is much appreciated. Please let me know for any further
> details.
> >
> > HAProxy 1.6.12
> > RHEL 7.2
> > Weblogic 12c (back end server)
>
>
> You are triple cross-posting now, nice!
>
> http://discourse.haproxy.org/t/regarding-maxconn-parameter-in-backend-for-connection-queueing/1320/8
>
> http://discourse.haproxy.org/t/custom-display-message-when-setting-maxconn-in-front-end-listen-block/1382
>
>
>
> Is there anything that has been answered 3 times already, or do you just
> like to annoy other people?
>
>
>


Re: MySQL layer7 balancing

2017-06-11 Thread Andrew Smalley
Hi Louis

You asked about loadbalancing MySQL.

What we suggest is two separate VIP's in TCP Mode on port 3306

One will be your Write VIP and the other will be your Read VIP

Below is an example configuration with a ReadWriteMaster Server along with
read and write only servers in each VIP - You may not want a real server
with ReadWriteMaster but I have included this as an example as I wanted my
master server to be both read and write and the replication master. You may
not opt for a multimaster but here is a link to set that up

https://dev.mysql.com/doc/refman/5.7/en/mysql-cluster-replication-multi-master.html

It's worth noting the option "option mysql-check user checkuser post-41"
which will attempt to connect to MySQL real servers with user "checkuser"


Now your application will connect to 192.168.0.99 for writes and
192.168.0.100 for reads. I hope this all makes sense

listen MySQL_Write
bind 192.168.0.99:3306 transparent
mode tcp
balance leastconn
stick on src
stick-table type ip size 10240k expire 30m peers loadbalancer_replication
server backup 127.0.0.1:9081 backup  non-stick
option mysql-check user checkuser post-41
option redispatch
option abortonclose
maxconn 4
email-alert mailers email_mailer
server ReadWriteMaster 192.168.0.50  weight 100  check  inter 4000  rise 2  fall 2  minconn 0  maxconn 0  on-marked-down shutdown-sessions
server Write1 172.16.0.10  weight 100  check  inter 4000  rise 2  fall 2  minconn 0  maxconn 0  on-marked-down shutdown-sessions
server Write2 172.16.0.11  weight 100  check  inter 4000  rise 2  fall 2  minconn 0  maxconn 0  on-marked-down shutdown-sessions

listen MySQL_Read
bind 192.168.0.100:3306 transparent
mode tcp
balance leastconn
stick on src
stick-table type ip size 10240k expire 30m peers loadbalancer_replication
server backup 127.0.0.1:9081 backup  non-stick
option mysql-check user checkuser post-41
option redispatch
option abortonclose
maxconn 4
email-alert mailers email_mailer
server ReadWriteMaster 192.168.0.50  weight 100  check  inter 4000  rise 2  fall 2  minconn 0  maxconn 0  on-marked-down shutdown-sessions
server Read1 192.168.0.12  weight 100  check  inter 4000  rise 2  fall 2  minconn 0  maxconn 0  on-marked-down shutdown-sessions
server Read2 192.168.0.13  weight 100  check  inter 4000  rise 2  fall 2  minconn 0  maxconn 0  on-marked-down shutdown-sessions
server Read3 192.168.0.14  weight 100  check  inter 4000  rise 2  fall 2  minconn 0  maxconn 0  on-marked-down shutdown-sessions


Andrew Smalley

Loadbalancer.org

On 11 June 2017 at 17:51, Olivier Doucet <webmas...@ajeux.com> wrote:

> Hi,
>
>
> 2017-06-11 17:37 GMT+02:00 Luis Daniel Lucio Quiroz <
> luis.daniel.lu...@gmail.com>:
>
>> Hi
>>
>> I'm new on the ML but not to haproxy. After googling I don't find what
>> I'm looking for. Maybe one of you knows it.
>>
>> I would like to force a specific MySQL server for writing operations
>> first policy (aka insert,update, delete) and let use round robin policy for
>> reading operations.
>>
>> Is this possible with haproxy?
>>
>
> Not with HAProxy. It does not understand MySQL L7, only HTTP.
>
> You can take a look at ProxySQL, MaxScale or MySQL Proxy for what you
> would like to achieve.
> A compare chart is available here : http://www.proxysql.com/compare
>
> Olivier
>
>


Re: HAProxy for Centos 7

2017-04-25 Thread Andrew Smalley
Hello Manojkumar

I see you have requested haproxy 1.6 for CentOS 7 as you don't have root
access.

It is possible to configure and build in your own home directory, however
without root access you will not be able to start it as a non-privileged
user and use ports below 1024 as this requires root access.

You could of course spin up a VM on your desktop and compile manually or
using the below RPMSPEC file

https://github.com/ITV/rpm-haproxy

But sadly yet again you will not be able to install or start the service as
root without access.



Regards

Andrew Smalley

Loadbalancer.org Ltd.



On 25 April 2017 at 16:39, Manojkumar Gupta <mgu...@lendingclub.com> wrote:

> Hello,
>
>
>
> Please can you share the binary compiled copy of HAProxy for Centos 7,
> v1.6 or above.
>
>
>
> I don’t have root access and when using generic platform there are
> multiple packages that I need as dependency and without root its hard to
> get it compiled from source.
>
>
>
> I appreciate your help in advance. I need DNS resolvers to be configured.
>
>
>
> Regards,
>
> Manoj.
>
>
>
>
>


Re: haproxy deleting domain socket on graceful reload if backlog overflows

2017-04-12 Thread Andrew Smalley
Hi James

Thank you for your reply.

I do not see how the old haproxy being on a separate PID could do anything
with a socket created by a new PID.

Do you bring up your new instance with real servers in a maintenance
state? This seems to be required to do a correct handover before making
them live and active/ready to handle connections.

Also, is there a SYN_BLOCK firewall rule required during the reload? I ask
because we have had no reports of such a race condition.





Regards

Andrew Smalley

Loadbalancer.org Ltd.



On 12 April 2017 at 23:34, James Brown <jbr...@easypost.com> wrote:

> Hi Andrew:
>
> Thanks for you feedback, but I'm describing a very specific bug wherein
> the old haproxy will unlink the new haproxy's bound unix domain socket upon
> reload due to a race condition in the domain socket cleanup code if a
> listen overflow occurs while the graceful is in process.
>
> On Wed, Apr 12, 2017 at 11:39 AM, Andrew Smalley <
> asmal...@loadbalancer.org> wrote:
>
>> HI James
>>
>> When you do a graceful reload of haproxy this is what happens.
>>
>> 1. the old process will accept no more connections and the stats page is
>> stopped and so is the socket
>> 2. a new haproxy instance is started where new clients get connected to,
>> and this has the live socket
>> 3. when the old haproxy instance has no more clients left it dies
>> silently leaving all the clients on the new haproxy instance.
>>
>> This is expected behavior as you want the first haproxy to die when the
>> last client leaves.
>>
>>
>> Regards
>>
>> Andrew Smalley
>>
>> Loadbalancer.org Ltd.
>>
>>
>>
>> On 12 April 2017 at 19:32, James Brown <jbr...@easypost.com> wrote:
>>
>>> This just hit us again on a different set of load balancers... if
>>> there's a listen socket overflow on a domain socket during graceful,
>>> haproxy completely deletes the domain socket and becomes inaccessible.
>>>
>>> On Tue, Feb 21, 2017 at 6:47 PM, James Brown <jbr...@easypost.com>
>>> wrote:
>>>
>>>> Under load, we're sometimes seeing a situation where HAProxy will
>>>> completely delete a bound unix domain socket after a reload.
>>>>
>>>> The "bad flow" looks something like the following:
>>>>
>>>>
>>>> - haproxy is running on pid A, bound to /var/run/domain.sock (via a
>>>>   bind line in a frontend)
>>>> - we run `haproxy -sf A`, which starts a new haproxy on pid B
>>>> - pid B binds to /var/run/domain.sock.B
>>>> - pid B moves /var/run/domain.sock.B to /var/run/domain.sock (in
>>>>   uxst_bind_listener)
>>>> - in the mean time, there are a zillion connections to
>>>>   /var/run/domain.sock and pid B isn't started up yet; backlog is
>>>>   exhausted
>>>> - pid B signals pid A to shut down
>>>> - pid A runs the destroy_uxst_socket function and tries to connect
>>>>   to /var/run/domain.sock to see if it's still in use. The connection
>>>>   fails (because the backlog is full). Pid A unlinks /var/run/domain.sock.
>>>>   Everything is sad forever now.
>>>>
>>>> I'm thinking about just commenting out the call to destroy_uxst_socket
>>>> since this is all on a tmpfs and we don't really care if spare sockets are
>>>> leaked when/if we change configuration in the future. Arguably, the
>>>> solution should be something where we don't overflow the listen socket at
>>>> all; I'm thinking about also binding to a TCP port on localhost and just
>>>> using that for the few seconds it takes to reload (since otherwise we run
>>>> out of ephemeral sockets to 127.0.0.1); it still seems wrong for haproxy to
>>>> unlink the socket, though.
>>>>
>>>> This has proven extremely irritating to reproduce (since it only occurs
>>>> if there's enough load to fill up the backlog on the socket between when
>>>> pid B starts up and when pid A shuts down), but I'm pretty confident that
>>>> what I described above is happening, since periodically on reloads the
>>>> domain socket isn't there and this code fits.
>>>>
>>>> Our configs are quite large, so I'm not reproducing them here. The
>>>> reason we bind on a domain socket at all is because we're running two sets
>>>> of haproxies — one in multi-process mode doing TCP-mode SSL termination
>>>> pointing back over a domain socket to a single-process haproxy applying all
>>>> of our actual config.
>>>>
>>>> --
>>>> James Brown
>>>> Systems Engineer
>>>>
>>>
>>>
>>>
>>> --
>>> James Brown
>>> Engineer
>>>
>>
>>
>
>
> --
> James Brown
> Engineer
>
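
The reload sequence reported in this thread, as an added example that is not HAProxy's code and not from any poster: it contrasts a connect-based "is this socket still in use?" check with a check that compares the path's (device, inode) against what the process recorded when it bound. All function names are hypothetical. The failing probe is reproduced with a new listener that has bound but not yet called listen(), a deterministic stand-in for the full backlog in the report.

```python
import os
import socket
import tempfile


def bind_listener(path, accepting=True):
    """Bind a Unix stream socket; return it with the path's (dev, inode)."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)
    if accepting:
        s.listen(16)
    st = os.stat(path)
    return s, (st.st_dev, st.st_ino)


def probe_in_use(path):
    """Connect-based check: any connect failure is read as 'nobody uses it'."""
    c = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    c.setblocking(False)
    try:
        c.connect(path)
        return True
    except OSError:
        # Refused, backlog full, missing path: all look the same to the caller.
        return False
    finally:
        c.close()


def owns_path(path, identity):
    """True only if the path still names the socket file this process created."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return (st.st_dev, st.st_ino) == identity


def cleanup_by_probe(path):
    """Unlink when the probe fails. Returns True if the path was removed."""
    if not probe_in_use(path):
        os.unlink(path)
        return True
    return False


def cleanup_by_identity(path, identity):
    """Unlink only a path we still own. A small stat/unlink window remains."""
    if owns_path(path, identity):
        os.unlink(path)
        return True
    return False


def simulate(cleanup, reload=True):
    """Run old-process cleanup; return (removed, path_still_exists)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "domain.sock")
        old_sock, old_id = bind_listener(path)             # "pid A"
        new_sock = None
        if reload:
            # "pid B" binds a temporary name, then renames it over the live one.
            new_sock, _new_id = bind_listener(path + ".B", accepting=False)
            os.rename(path + ".B", path)
        if cleanup == "probe":
            removed = cleanup_by_probe(path)
        else:
            removed = cleanup_by_identity(path, old_id)
        survived = os.path.exists(path)
        old_sock.close()
        if new_sock is not None:
            new_sock.close()
        return removed, survived


if __name__ == "__main__":
    print("probe cleanup during reload:   ", simulate("probe"))
    print("identity cleanup during reload:", simulate("identity"))
    print("identity cleanup, no reload:   ", simulate("identity", reload=False))
```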


Re: haproxy deleting domain socket on graceful reload if backlog overflows

2017-04-12 Thread Andrew Smalley
Hi James

When you do a graceful reload of haproxy this is what happens.

1. the old process will accept no more connections and the stats page is
stopped and so is the socket
2. a new haproxy instance is started where new clients get connected to,
and this has the live socket
3. when the old haproxy instance has no more clients left it dies silently
leaving all the clients on the new haproxy instance.

This is expected behavior as you want the first haproxy to die when the
last client leaves.


Regards

Andrew Smalley

Loadbalancer.org Ltd.



On 12 April 2017 at 19:32, James Brown <jbr...@easypost.com> wrote:

> This just hit us again on a different set of load balancers... if there's
> a listen socket overflow on a domain socket during graceful, haproxy
> completely deletes the domain socket and becomes inaccessible.
>
> On Tue, Feb 21, 2017 at 6:47 PM, James Brown <jbr...@easypost.com> wrote:
>
>> Under load, we're sometimes seeing a situation where HAProxy will
>> completely delete a bound unix domain socket after a reload.
>>
>> The "bad flow" looks something like the following:
>>
>>
>>- haproxy is running on pid A, bound to /var/run/domain.sock (via a
>>bind line in a frontend)
>>- we run `haproxy -sf A`, which starts a new haproxy on pid B
>>- pid B binds to /var/run/domain.sock.B
>>- pid B moves /var/run/domain.sock.B to /var/run/domain.sock (in
>>uxst_bind_listener)
>>- in the mean time, there are a zillion connections to
>>/var/run/domain.sock and pid B isn't started up yet; backlog is exhausted
>>- pid B signals pid A to shut down
>>- pid A runs the destroy_uxst_socket function and tries to connect to
>>/var/run/domain.sock to see if it's still in use. The connection fails
>>(because the backlog is full). Pid A unlinks /var/run/domain.sock.
>>Everything is sad forever now.
>>
>> I'm thinking about just commenting out the call to destroy_uxst_socket
>> since this is all on a tmpfs and we don't really care if spare sockets are
>> leaked when/if we change configuration in the future. Arguably, the
>> solution should be something where we don't overflow the listen socket at
>> all; I'm thinking about also binding to a TCP port on localhost and just
>> using that for the few seconds it takes to reload (since otherwise we run
>> out of ephemeral sockets to 127.0.0.1); it still seems wrong for haproxy to
>> unlink the socket, though.
>>
>> This has proven extremely irritating to reproduce (since it only occurs
>> if there's enough load to fill up the backlog on the socket between when
>> pid B starts up and when pid A shuts down), but I'm pretty confident that
>> what I described above is happening, since periodically on reloads the
>> domain socket isn't there and this code fits.
>>
>> Our configs are quite large, so I'm not reproducing them here. The reason
>> we bind on a domain socket at all is because we're running two sets of
>> haproxies — one in multi-process mode doing TCP-mode SSL termination
>> pointing back over a domain socket to a single-process haproxy applying all
>> of our actual config.
>>
>> --
>> James Brown
>> Systems Engineer
>>
>
>
>
> --
> James Brown
> Engineer
>
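
The "bad flow" in James's report turns on a failed connect being read as "socket unused". The sketch below is an added example, not HAProxy's code: it assumes Linux and uses a constructed temporary socket path, fills a listener's backlog, and compares a probe that treats any failure as "unused" with one that checks the error code.

```python
import errno
import os
import socket
import tempfile

# Only these errors prove that no process is listening behind the path.
DEAD_ERRNOS = {errno.ECONNREFUSED, errno.ENOENT}


def probe(path):
    """Non-blocking connect to a UNIX socket; return 0 on success, else errno."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.setblocking(False)
    try:
        s.connect(path)
        return 0
    except OSError as exc:
        return exc.errno
    finally:
        s.close()


def naive_should_unlink(path):
    """The check from the reported flow: any failed connect means 'unused'."""
    return probe(path) != 0


def careful_should_unlink(path):
    """Unlink only when the error shows that nobody is listening."""
    return probe(path) in DEAD_ERRNOS


def demo():
    """Fill a listener's backlog, then compare both checks (Linux semantics)."""
    workdir = tempfile.mkdtemp(prefix="uxst-demo-")
    path = os.path.join(workdir, "domain.sock")   # constructed path for the demo
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(path)
    listener.listen(0)          # smallest backlog, so it fills almost at once
    pending, errno_when_full = [], 0
    try:
        for _ in range(64):     # connect without accept() until the kernel refuses
            c = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            c.setblocking(False)
            try:
                c.connect(path)
                pending.append(c)
            except OSError as exc:
                errno_when_full = exc.errno
                c.close()
                break
        result = {
            "errno_when_full": errno_when_full,
            "naive_unlinks_live_socket": naive_should_unlink(path),
            "careful_unlinks_live_socket": careful_should_unlink(path),
        }
        listener.close()        # now the path is stale: a file with no listener
        result["errno_when_dead"] = probe(path)
        result["careful_unlinks_dead_socket"] = careful_should_unlink(path)
        return result
    finally:
        for c in pending:
            c.close()
        listener.close()
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(workdir)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On Linux the full backlog surfaces as EAGAIN and the stale path as ECONNREFUSED, so the two cases can be told apart before anything is unlinked.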


Re: add header into http-request redirect

2017-02-26 Thread Andrew Smalley
I did it again, Sometimes I blame my tools but I wish google would reply to
all, all the time - Apologies Michael

Hello Bartek, Michael,

Actually on further reading what you are trying to do is incorrect
according to the URL at the end of my reply.

It's not possible for any browser that has ever seen the redirect. It is
cached indefinitely. A 301 redirect should only be used when you are
retiring a site permanently, and even then it's a bad idea - you lose
visibility of the traffic still hitting the old site.

The link suggests this "So change it to a 302 redirect before you do
anything else."

Haproxy is not a webserver. It has no means to generate a header containing
dynamic data - if you really want a date header, use a webserver. There are
several lightweight ones capable of this task.

Alternatively tell us why you *need* such a header and we might be able to
advise on a more apposite solution.


http://serverfault.com/questions/671916/inject-header-in-haproxy-redirect-function

Regards

Andrew Smalley

Loadbalancer.org Ltd.



On 26 February 2017 at 17:45, Michael Ezzell <mich...@ezzell.net> wrote:

>
>
> On Feb 26, 2017 12:14, "Andrew Smalley" <asmal...@loadbalancer.org> wrote:
>
> Hello Bartek
>
> I think the portion of my example you wanted is below
>
> In my example I have a redirect from http to https and as such there is a
> acl force src if my local ip address
>
> Here I add the HSTS and then redirect 301 as you wanted.
>
> http-response set-header Strict-Transport-Security "max-age=15552000; 
> includeSubDomains; preload;"
>
>
> Andrew, I don't think http-response  is going to be processed
> when the request results in a redirect generated internally by HAProxy...
> is it?  The response isn't really from a back-end, so I wouldn't expect
> those rules to fire.
>


Re: add header into http-request redirect

2017-02-26 Thread Andrew Smalley
Sorry, forgot to include the list.

Please share your config so I can see what you are doing?

Regards

Andrew Smalley

Loadbalancer.org Ltd.



On 26 February 2017 at 17:32, Bartek Radziszewski <b...@radziszewski.com>
wrote:

> Andrew,
>
> Thanks for your answer. Just tested one more time your example and
> unfortunately there is missing Strict-Transport-Security header during 301
> redirect:
>
> curl -I https://xxx.com/dupa
> HTTP/1.1 301 Moved Permanently
> Content-length: 0
> Location: https://www.xxx.com/dupa
> Connection: close
>
> Bartek
>
>
> On 26 Feb 2017, at 18:12, Andrew Smalley <asmal...@loadbalancer.org>
> wrote:
>
> Hello Bartek
>
> I think the portion of my example you wanted is below
>
> In my example I have a redirect from http to https and as such there is a
> acl force src if my local ip address
>
> Here I add the HSTS and then redirect 301 as you wanted.
>
> http-response set-header Strict-Transport-Security "max-age=15552000; 
> includeSubDomains; preload;"
> acl force src 127.0.0.1 # ip of haproxy
>     reqadd X-Forwarded-Proto:\ https if force
> redirect scheme https code 301 if !force
>
>
> Regards
>
> Andrew Smalley
>
> Loadbalancer.org Ltd.
>
>
>
> On 26 February 2017 at 17:07, Bartek Radziszewski <b...@radziszewski.com>
> wrote:
>
>> it's haproxy related.
>> How to add header info 301 redirect?
>>
>> On 26 Feb 2017, at 17:54, Andrew Smalley <asmal...@loadbalancer.org>
>> wrote:
>>
>> Hello Bartek
>>
>> I assumed it was haproxy related and as such my example will work.
>> However I hope the link below helps you get going with NGINX
>>
>> https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
>>
>> Regards
>>
>> Andrew Smalley
>>
>> Loadbalancer.org <http://loadbalancer.org/> Ltd.
>>
>>
>>
>> On 26 February 2017 at 16:47, Bartek Radziszewski <b...@radziszewski.com>
>> wrote:
>>
>>> Hi Andrew,
>>>
>>> Thanks for your answer. Unfortunately your example is not solving my
>>> issue.
>>>
>>> I need to add header Strict-Transport-Security into 301 redirect - i
>>> made it already on nginx:
>>>
>>> curl -I https://www.xxx.com
>>> HTTP/1.1 301 Moved Permanently
>>> Server: nginx
>>> Date: Sun, 26 Feb 2017 16:10:59 GMT
>>> Content-Type: text/html
>>> Content-Length: 178
>>> Connection: keep-alive
>>> Location: https://xxx.com/
>>> Strict-Transport-Security: max-age=31556926; includeSubDomains
>>>
>>> but don’t know how to do it on haproxy.
>>>
>>> Thanks,
>>> Bartek
>>>
>>> On 26 Feb 2017, at 17:39, Andrew Smalley <asmal...@loadbalancer.org>
>>> wrote:
>>>
>>> Hello Bartek
>>>
>>> I hope the example below helps with adding a http-response for HSTS /
>>> Strict-Transport-Security
>>>
>>>
>>> listen hsts_example
>>> bind 192.168.0.231:80 transparent
>>> mode http
>>> http-response set-header Strict-Transport-Security "max-age=15552000; 
>>> includeSubDomains; preload;"
>>> balance leastconn
>>> option forwardfor if-none
>>> stick on hdr(X-Forwarded-For,-1)
>>> stick on src
>>> stick-table type string len 64 size 10240k expire 30m peers 
>>> loadbalancer_replication
>>> server backup 127.0.0.1:9081 backup source 0.0.0.0 non-stick
>>> source 0.0.0.0 usesrc clientip
>>> option http-keep-alive
>>> option redispatch
>>> option abortonclose
>>> maxconn 4
>>> acl force src 192.168.0.250 54.77.60.1
>>> reqadd X-Forwarded-Proto:\ https if force
>>> redirect scheme https code 301 if !force
>>> server RIP_Name 10.0.1.1  weight 100  check port 80 inter 4000  rise 2  
>>> fall 2  minconn 0  maxconn 0  on-marked-down shutdown-sessions
>>>
>>>
>>> Regards
>>>
>>> Andrew Smalley
>>>
>>> Loadbalancer.org <http://loadbalancer.org/> Ltd.
>>>
>>>
>>>
>>> On 26 February 2017 at 16:18, Bartek Radziszewski <b...@radziszewski.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> It’s possible to add Strict-Transport-Security header into 301 redirect
>>>> (http-request redirect code 301) ?
>>>>
>>>> Thanks,
>>>> Bartek
>>>>
>>>
>>>
>>>
>>
>
>


Re: add header into http-request redirect

2017-02-26 Thread Andrew Smalley
Hello Bartek

I think the portion of my example you wanted is below

In my example I have a redirect from http to https and as such there is an
acl force src if my local ip address

Here I add the HSTS and then redirect 301 as you wanted.

    http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload;"
    acl force src 127.0.0.1 # ip of haproxy
    reqadd X-Forwarded-Proto:\ https if force
    redirect scheme https code 301 if !force


Regards

Andrew Smalley

Loadbalancer.org Ltd.



On 26 February 2017 at 17:07, Bartek Radziszewski <b...@radziszewski.com>
wrote:

> it's haproxy related.
> How to add header info 301 redirect?
>
> On 26 Feb 2017, at 17:54, Andrew Smalley <asmal...@loadbalancer.org>
> wrote:
>
> Hello Bartek
>
> I assumed it was haproxy related and as such my example will work. However
> I hope the link below helps you get going with NGINX
>
> https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
>
> Regards
>
> Andrew Smalley
>
> Loadbalancer.org Ltd.
>
>
>
> On 26 February 2017 at 16:47, Bartek Radziszewski <b...@radziszewski.com>
> wrote:
>
>> Hi Andrew,
>>
>> Thanks for your answer. Unfortunately your example is not solving my
>> issue.
>>
>> I need to add header Strict-Transport-Security into 301 redirect - i
>> made it already on nginx:
>>
>> curl -I https://www.xxx.com
>> HTTP/1.1 301 Moved Permanently
>> Server: nginx
>> Date: Sun, 26 Feb 2017 16:10:59 GMT
>> Content-Type: text/html
>> Content-Length: 178
>> Connection: keep-alive
>> Location: https://xxx.com/
>> Strict-Transport-Security: max-age=31556926; includeSubDomains
>>
>> but don’t know how to do it on haproxy.
>>
>> Thanks,
>> Bartek
>>
>> On 26 Feb 2017, at 17:39, Andrew Smalley <asmal...@loadbalancer.org>
>> wrote:
>>
>> Hello Bartek
>>
>> I hope the example below helps with adding a http-response for HSTS /
>> Strict-Transport-Security
>>
>>
>> listen hsts_example
>> bind 192.168.0.231:80 transparent
>> mode http
>> http-response set-header Strict-Transport-Security "max-age=15552000; 
>> includeSubDomains; preload;"
>> balance leastconn
>> option forwardfor if-none
>> stick on hdr(X-Forwarded-For,-1)
>> stick on src
>> stick-table type string len 64 size 10240k expire 30m peers 
>> loadbalancer_replication
>> server backup 127.0.0.1:9081 backup source 0.0.0.0 non-stick
>> source 0.0.0.0 usesrc clientip
>> option http-keep-alive
>> option redispatch
>> option abortonclose
>> maxconn 4
>> acl force src 192.168.0.250 54.77.60.1
>> reqadd X-Forwarded-Proto:\ https if force
>> redirect scheme https code 301 if !force
>> server RIP_Name 10.0.1.1  weight 100  check port 80 inter 4000  rise 2  
>> fall 2  minconn 0  maxconn 0  on-marked-down shutdown-sessions
>>
>>
>> Regards
>>
>> Andrew Smalley
>>
>> Loadbalancer.org Ltd.
>>
>>
>>
>> On 26 February 2017 at 16:18, Bartek Radziszewski <b...@radziszewski.com>
>> wrote:
>>
>>> Hi,
>>>
>>> It’s possible to add Strict-Transport-Security header into 301 redirect
>>> (http-request redirect code 301) ?
>>>
>>> Thanks,
>>> Bartek
>>>
>>
>>
>>
>


Re: add header into http-request redirect

2017-02-26 Thread Andrew Smalley
Hello Bartek

I assumed it was haproxy related and as such my example will work. However
I hope the link below helps you get going with NGINX

https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/

Regards

Andrew Smalley

Loadbalancer.org Ltd.



On 26 February 2017 at 16:47, Bartek Radziszewski <b...@radziszewski.com>
wrote:

> Hi Andrew,
>
> Thanks for your answer. Unfortunately your example is not solving my issue.
>
> I need to add header Strict-Transport-Security into 301 redirect - i made
> it already on nginx:
>
> curl -I https://www.xxx.com
> HTTP/1.1 301 Moved Permanently
> Server: nginx
> Date: Sun, 26 Feb 2017 16:10:59 GMT
> Content-Type: text/html
> Content-Length: 178
> Connection: keep-alive
> Location: https://xxx.com/
> Strict-Transport-Security: max-age=31556926; includeSubDomains
>
> but don’t know how to do it on haproxy.
>
> Thanks,
> Bartek
>
> On 26 Feb 2017, at 17:39, Andrew Smalley <asmal...@loadbalancer.org>
> wrote:
>
> Hello Bartek
>
> I hope the example below helps with adding a http-response for HSTS /
> Strict-Transport-Security
>
>
> listen hsts_example
> bind 192.168.0.231:80 transparent
> mode http
> http-response set-header Strict-Transport-Security "max-age=15552000; 
> includeSubDomains; preload;"
> balance leastconn
> option forwardfor if-none
> stick on hdr(X-Forwarded-For,-1)
> stick on src
> stick-table type string len 64 size 10240k expire 30m peers 
> loadbalancer_replication
> server backup 127.0.0.1:9081 backup source 0.0.0.0 non-stick
> source 0.0.0.0 usesrc clientip
> option http-keep-alive
> option redispatch
> option abortonclose
> maxconn 4
> acl force src 192.168.0.250 54.77.60.1
> reqadd X-Forwarded-Proto:\ https if force
> redirect scheme https code 301 if !force
> server RIP_Name 10.0.1.1  weight 100  check port 80 inter 4000  rise 2  
> fall 2  minconn 0  maxconn 0  on-marked-down shutdown-sessions
>
>
> Regards
>
> Andrew Smalley
>
> Loadbalancer.org Ltd.
>
>
>
> On 26 February 2017 at 16:18, Bartek Radziszewski <b...@radziszewski.com>
> wrote:
>
>> Hi,
>>
>> It’s possible to add Strict-Transport-Security header into 301 redirect
>> (http-request redirect code 301) ?
>>
>> Thanks,
>> Bartek
>>
>
>
>


Re: add header into http-request redirect

2017-02-26 Thread Andrew Smalley
Hello Bartek

I hope the example below helps with adding a http-response for HSTS /
Strict-Transport-Security


listen hsts_example
    bind 192.168.0.231:80 transparent
    mode http
    http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload;"
    balance leastconn
    option forwardfor if-none
    stick on hdr(X-Forwarded-For,-1)
    stick on src
    stick-table type string len 64 size 10240k expire 30m peers loadbalancer_replication
    server backup 127.0.0.1:9081 backup source 0.0.0.0 non-stick
    source 0.0.0.0 usesrc clientip
    option http-keep-alive
    option redispatch
    option abortonclose
    maxconn 4
    acl force src 192.168.0.250 54.77.60.1
    reqadd X-Forwarded-Proto:\ https if force
    redirect scheme https code 301 if !force
    server RIP_Name 10.0.1.1  weight 100  check port 80 inter 4000  rise 2  fall 2  minconn 0  maxconn 0  on-marked-down shutdown-sessions


Regards

Andrew Smalley

Loadbalancer.org Ltd.



On 26 February 2017 at 16:18, Bartek Radziszewski <b...@radziszewski.com>
wrote:

> Hi,
>
> It’s possible to add Strict-Transport-Security header into 301 redirect
> (http-request redirect code 301) ?
>
> Thanks,
> Bartek
>
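
A way to check what the thread's `curl -I` tests check by eye, as an added example (not code from the thread or from HAProxy): it audits a response head for Strict-Transport-Security, redirects included, and parses the header value along the lines of RFC 6797. The two sample heads are the ones quoted in the thread; the function names are this example's own.

```python
from urllib.parse import urlsplit

# Response heads copied from the curl -I output quoted in the thread.
HAPROXY_301 = """HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://www.xxx.com/dupa
Connection: close
"""
NGINX_301 = """HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Sun, 26 Feb 2017 16:10:59 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: https://xxx.com/
Strict-Transport-Security: max-age=31556926; includeSubDomains
"""


def parse_head(raw):
    """Split a raw response head into (status, {lower-case name: [values]})."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def parse_hsts(value):
    """Parse an STS header value; return None when it is not usable."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:                  # empty directives (trailing ';') are allowed
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()   # directive names are case-insensitive
        if name in seen:              # each directive may appear only once
            return None
        seen[name] = arg.strip().strip('"')
    if not seen.get("max-age", "").isdigit():   # max-age is required
        return None
    return {"max_age": int(seen["max-age"]),
            "include_subdomains": "includesubdomains" in seen,
            "preload": "preload" in seen}


def audit(url, raw_head):
    """Return a list of HSTS findings for one request URL and its response head."""
    status, headers = parse_head(raw_head)
    sts = headers.get("strict-transport-security", [])
    redirect = 300 <= status < 400
    findings = []
    if urlsplit(url).scheme != "https":
        if sts:
            findings.append("STS header over plain HTTP is ignored by browsers")
        target = headers.get("location", [""])[0]
        if redirect and urlsplit(target).scheme != "https":
            findings.append("plain-HTTP redirect does not lead to https")
        return findings
    if not sts:
        kind = "redirect" if redirect else "response"
        findings.append(f"{status} {kind} without Strict-Transport-Security")
        return findings
    if len(sts) > 1:
        findings.append("multiple STS headers: only the first is processed")
    policy = parse_hsts(sts[0])
    if policy is None:
        findings.append("STS header is malformed and will be ignored")
    elif policy["max_age"] == 0:
        findings.append("max-age=0 removes the host from the HSTS list")
    return findings


if __name__ == "__main__":
    print(audit("https://xxx.com/dupa", HAPROXY_301))
    print(audit("https://www.xxx.com", NGINX_301))
```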


Re: https://www.haproxy.org SEC_ERROR_REVOKED_CERTIFICATE

2017-02-23 Thread Andrew Smalley
Hi All

I confirm I get the same and Firefox will not even let me visit the site.

Thankfully the http://blog.haproxy.com/ is non ssl so is still available.

Regards

Andrew Smalley

Loadbalancer.org Ltd.



On 23 February 2017 at 21:21, James Stroehmann <
james.stroehm...@proquest.com> wrote:

> I am getting errors when using https://www.haproxy.org. It appears this
> is because you are using a startcom certificate:
>
> Issuer: "StartCom Class 1 DV Server CA" ("StartCom Ltd." from "IL")
>
> The major browsers have stopped trusting startcom and wosign certificates.
> Here is some more information:
>
> https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
>
> https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html
>
> https://support.apple.com/en-us/HT202858
>
> [https://letsencrypt.org/ appears to be a free, trusted alternative that
> supports haproxy https://certbot.eff.org/#centosrhel7-haproxy.
> Disclaimer: I have not used them]
>


Re: Status code "-1" in logs

2017-01-19 Thread Andrew Smalley
Hello John

Thank you for your clarification,

I guess it's an easy mistake to make when you see a 503 and assume it's the
error when I knew you were talking about the "-1" issue.



Regards

Andrew Smalley

Loadbalancer.org Ltd.



On 19 January 2017 at 00:24, Skarbek, John <john.skar...@ca.com> wrote:

> Hey Andrew,
>
> On January 18, 2017 at 16:11:55, Andrew Smalley (asmal...@loadbalancer.org)
> wrote:
>
> Hello John
>
> The problem is you are getting a 503 error or no servers available.
>
>   503  when no server was available to handle the request, or in response to
>        monitoring requests which match the "monitor fail" condition
>
>
> Just for clarification here, the position of 503 is in the spot where the
> size of the data transfer is.  So unless there's some awkward parsing, this
> 503 is not the error code in this case.  I don't have custom log
> configurations, so I'm sitting here assuming that the -1 is where the
> status code ought to be.  5 positions of timing separated by a '/', all of
> which look kinda legit considering the termination state.  Followed by a
> status code, in my case -1, followed by 'bytes read', in my case 503.
>
>
>
> And the CDNN is actually two errors CD and NN
>
>   CD   The client unexpectedly aborted during data transfer. This can be
>        caused by a browser crash, by an intermediate equipment between the
>        client and haproxy which decided to actively break the connection,
>        by network routing issues between the client and haproxy, or by a
>        keep-alive session between the server and the client terminated first
>        by the client.
>
>   NN   No cookie was provided by the client, none was inserted in the
>        response. For instance, this can be in insert mode with "postonly"
>        set on a GET request.
>
> More information could be provided with a valid configuration
>
> I hope this helps?
>
> I took the information from the Documents available here
> http://www.haproxy.org/download/1.8/doc/configuration.txt
>
> Regards
>
> Andrew Smalley
>
> Loadbalancer.org Ltd.
>
>
>
> On 18 January 2017 at 21:04, Skarbek, John <john.skar...@ca.com> wrote:
>
>> Good Morning,
>>
>> I was spying on my logs and something out of the ordinary popped out at
>> me. We are getting a status code of -1. The status CDNN is odd enough as
>> it is… Why would this be?
>>
>> Jan 18 13:47:18 example.com Jan 18 20:47:18 haproxy[23541]: 10.0.0.1:24550 [18/Jan/2017:20:47:16.412] fe~ be/10.1.0.1:3001 282/0/1490/-1/1824 -1 503 - - CDNN 2296/96/12/4/0 0/0 "GET /healthcheck HTTP/1.1"
>> Jan 18 13:44:01 example.com Jan 18 20:44:01 haproxy[23445]: 10.0.0.1:2650 [18/Jan/2017:20:43:59.295] fe~ be/10.1.0.1:3001 501/0/1349/-1/2079 -1 503 - - CDNN 2249/86/6/1/0 0/0 "GET /healthcheck HTTP/1.1"
>>
>>
>
>


Re: Status code "-1" in logs

2017-01-18 Thread Andrew Smalley
Hello John

The problem is you are getting a 503 error or no servers available.

  503  when no server was available to handle the request, or in response to
       monitoring requests which match the "monitor fail" condition

And the CDNN is actually two errors CD and NN

  CD   The client unexpectedly aborted during data transfer. This can be
       caused by a browser crash, by an intermediate equipment between the
       client and haproxy which decided to actively break the connection,
       by network routing issues between the client and haproxy, or by a
       keep-alive session between the server and the client terminated first
       by the client.

  NN   No cookie was provided by the client, none was inserted in the
       response. For instance, this can be in insert mode with "postonly"
       set on a GET request.

More information could be provided with a valid configuration

I hope this helps?

I took the information from the Documents available here
http://www.haproxy.org/download/1.8/doc/configuration.txt

Regards

Andrew Smalley

Loadbalancer.org Ltd.



On 18 January 2017 at 21:04, Skarbek, John <john.skar...@ca.com> wrote:

> Good Morning,
>
> I was spying on my logs and something out of the ordinary popped out at
> me. We are getting a status code of -1. The status CDNN is odd enough as
> it is… Why would this be?
>
> Jan 18 13:47:18 example.com Jan 18 20:47:18 haproxy[23541]: 10.0.0.1:24550 
> [18/Jan/2017:20:47:16.412] fe~ be/10.1.0.1:3001 282/0/1490/-1/1824 -1 503 - - 
> CDNN 2296/96/12/4/0 0/0 "GET /healthcheck HTTP/1.1"
> Jan 18 13:44:01 example.com Jan 18 20:44:01 haproxy[23445]: 10.0.0.1:2650 
> [18/Jan/2017:20:43:59.295] fe~ be/10.1.0.1:3001 501/0/1349/-1/2079 -1 503 - - 
> CDNN 2249/86/6/1/0 0/0 "GET /healthcheck HTTP/1.1"
>
>
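
The field positions discussed in this thread, as an added example (not code from the thread or from HAProxy): a parser for the default HTTP log line that names each field and decodes the four-character termination state. The two sample lines are the ones John posted; the timer names follow the 1.8 configuration.txt linked above, and the decode tables list only some of the documented codes.

```python
import re

# The two log lines posted in the thread, each joined back onto one line.
SAMPLES = [
    'Jan 18 13:47:18 example.com Jan 18 20:47:18 haproxy[23541]: 10.0.0.1:24550 '
    '[18/Jan/2017:20:47:16.412] fe~ be/10.1.0.1:3001 282/0/1490/-1/1824 -1 503 '
    '- - CDNN 2296/96/12/4/0 0/0 "GET /healthcheck HTTP/1.1"',
    'Jan 18 13:44:01 example.com Jan 18 20:44:01 haproxy[23445]: 10.0.0.1:2650 '
    '[18/Jan/2017:20:43:59.295] fe~ be/10.1.0.1:3001 501/0/1349/-1/2079 -1 503 '
    '- - CDNN 2249/86/6/1/0 0/0 "GET /healthcheck HTTP/1.1"',
]

# Default HTTP log format, field by field, after the syslog prefix.
LINE = re.compile(
    r'haproxy\[(?P<pid>\d+)\]: (?P<client>\S+) \[(?P<accept_date>[^\]]+)\] '
    r'(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<timers>-?\d+(?:/[+-]?\d+){4}) (?P<status>-?\d+) (?P<bytes_read>\+?\d+) '
    r'(?P<req_cookie>\S+) (?P<res_cookie>\S+) (?P<term>\S{4}) '
    r'(?P<conns>\d+(?:/\+?\d+){4}) (?P<queues>\d+/\d+) "(?P<request>[^"]*)"'
)
TIMERS = ("TR", "Tw", "Tc", "Tr", "Ta")   # names used by the 1.8 documentation

# Partial decode tables for the termination state (one table per character).
CAUSE = {"C": "client aborted", "S": "server aborted", "P": "aborted by haproxy",
         "c": "client-side timeout", "s": "server-side timeout", "-": "normal"}
PHASE = {"R": "waiting for the request", "Q": "waiting in the queue",
         "C": "connecting to the server", "H": "waiting for response headers",
         "D": "during data transfer", "L": "sending last data", "-": "normal"}
REQ_COOKIE = {"N": "client sent no cookie", "I": "client sent an invalid cookie",
              "V": "client sent a valid cookie", "-": "not applicable"}
RES_COOKIE = {"N": "no cookie from server, none inserted",
              "I": "no cookie from server, one inserted", "-": "not applicable"}


def parse(line):
    """Return the named fields of one HTTP log line, or None if it does not match."""
    m = LINE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["timers"] = dict(zip(TIMERS, (int(t) for t in rec["timers"].split("/"))))
    rec["status"] = int(rec["status"])
    rec["bytes_read"] = int(rec["bytes_read"])
    return rec


def decode_termination(term):
    """Decode the four termination-state characters, one meaning per position."""
    tables = (CAUSE, PHASE, REQ_COOKIE, RES_COOKIE)
    return tuple(t.get(ch, "code not in this table") for t, ch in zip(tables, term))


def notes(rec):
    """Point out the fields that are easy to misread in a line like the samples."""
    out = []
    if rec["status"] < 0:
        out.append(f"status is {rec['status']}: no HTTP status was logged; "
                   f"the next field ({rec['bytes_read']}) is bytes_read")
    for name, value in rec["timers"].items():
        if value == -1:
            out.append(f"{name}=-1: that phase never completed")
    if rec["term"][0] == "C":
        out.append("first termination character C: the client side ended the session")
    return out


if __name__ == "__main__":
    for sample in SAMPLES:
        record = parse(sample)
        print(record["status"], record["bytes_read"], record["timers"])
        print(decode_termination(record["term"]))
        print(notes(record))
```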


Re: Can I specify a wildcard redirect

2016-10-27 Thread Andrew Smalley
Jurgen

Following the rules I shared, maybe a different curl command or option
shows you better. This is using the same rule I previously provided.

curl --head shows the information you have not been seeing.

[root@home htdocs]# curl --head http://192.168.0.99/
HTTP/1.1 200 OK
Date: Thu, 27 Oct 2016 11:10:47 GMT
Server: Apache/2.4.23 (Fedora) OpenSSL/1.0.2j-fips PHP/5.6.27
X-Powered-By: PHP/5.6.27
Content-Type: text/html; charset=UTF-8

[root@home htdocs]# curl --head http://192.168.0.99/de
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: /de

[root@home htdocs]# curl --head http://192.168.0.99/de/index.php
HTTP/1.1 200 OK
Date: Thu, 27 Oct 2016 11:10:52 GMT
Server: Apache/2.4.23 (Fedora) OpenSSL/1.0.2j-fips PHP/5.6.27
X-Powered-By: PHP/5.6.27
Content-Type: text/html; charset=UTF-8
X-Via: TEST


However Michael's suggestion of "http-request redirect code 301 location
%[capture.req.uri,regsub(^/de,)] if { path_beg /de }" looks even better.

Regards

Andrew Smalley

Loadbalancer.org Ltd.
https://www.loadbalancer.org/




On 27 October 2016 at 12:03, Michael Ezzell <mich...@ezzell.net> wrote:

> On Oct 27, 2016 6:41 AM, "Jürgen Haas" <jurgenh...@paragon-es.de> wrote:
> >
> > Thanks Andrew,
> >
> > I still believe that your example is not redirecting, it is forwarding
> > to the Apache server which responds with a 200 and the same content as
> > before.
> >
> > But what we're loking for is a redirect which isn't the case here.
>
> It seems like you are looking for something like this:
>
> http-request redirect code 301 location %[capture.req.uri,regsub(^/de,)]
> if { path_beg /de }
>
> Requires 1.6 or later.
>




Re: Can I specify a wildcard redirect

2016-10-27 Thread Andrew Smalley
Hello Jürgen

I have what is below which as I say seems to work and redirects to
/something when /de/something is provided and at the bottom I have a couple
of tests.

I've also put the response back in the list as I must have clicked reply
not reply to all.


frontend http
    bind 192.168.0.99:80 transparent
    mode http
    acl url_de path_beg /de
    use_backend de-backend if url_de
    default_backend web-backend

backend web-backend
    balance roundrobin
    server web1 192.168.0.50:80 check

backend de-backend
    http-response add-header X-Via TEST
    reqirep "^([^\ :]*)\ /de/(.+)" "\1\ /\2"
    server web1 192.168.0.50:80 maxconn 100



Test1 to /

[root@home etc]# curl -i 192.168.0.99/
HTTP/1.1 200 OK
Date: Thu, 27 Oct 2016 09:57:50 GMT
Server: Apache/2.4.23 (Fedora) OpenSSL/1.0.2j-fips PHP/5.6.26
X-Powered-By: PHP/5.6.26
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8







. rest of html page is displayed


Test2 to /de/index.php

[root@home etc]# curl -i 192.168.0.99/de/
HTTP/1.1 200 OK
Date: Thu, 27 Oct 2016 09:58:49 GMT
Server: Apache/2.4.23 (Fedora) OpenSSL/1.0.2j-fips PHP/5.6.26
X-Powered-By: PHP/5.6.26
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
X-Via: TEST







. rest of html page is displayed

You will note the X-Via is inserted and I get the same content as the first
request as /de is removed so I just get index.php

From what I can see, if you have a redirect, i.e. 301, it's not going to be the
same as the URL rewrite, and I've not figured out how to do that while
keeping everything else below /de/this/that/request as /this/that/request.

I see the rule works and does as intended: if you go to /de it gets
re-written to /

I hope that helps?  I am not sure there is much more I can share here with
regard to your request.


Regards

Andrew Smalley

Loadbalancer.org Ltd.



On 27 October 2016 at 10:21, Jürgen Haas <juer...@paragon-es.de> wrote:

> Hi Andrew,
>
> I'm responding directly as your message went to my email directly and
> not through the forum.
>
> I'm now using this rule:
>
> > backend backend_test
> >   reqirep "^([^\ :]*)\ /de/(.+)" "\1\ /\2"
> >   http-response add-header X-Via TEST
> >   server server_test 1.2.3.4:80 maxconn 100
>
> Then I use
>
> > curl -I http://test.arocom.de/de/team
>
> which is certainly not caching and the response is this:
>
> > HTTP/1.1 404 Not Found
> > Date: Thu, 27 Oct 2016 09:07:03 GMT
> > Server: Apache
> > Content-Type: text/html; charset=iso-8859-1
> > X-Via: TEST
>
> This indicates that HaProxy is forwarding the request to the server and
> does not respond with a 301. This is a fact just because of:
>
> - The header X-Via is only set by this rule, so it ends up there
> - The "Server: Apache" shows that the response comes from the server
>
> So, if you're getting a 301, I guess it is not triggered by reqrep. It
> must be something different.
>
> Any idea?
>
>
> Thanks
> Jürgen
>
> Am 27.10.2016 um 10:50 schrieb Andrew Smalley:
> > Hello Jürgen
> >
> > In my tests the reqrep or reqirep (case insensitive) did the job of
> > changing the address bar URL .
> >
> > I went to http://www.example.com/de/this/page.html
> >
> > Then the page / url changed to
> >
> >
> > http://www.example.com/this/page.html
> >
> > I had to do this a few times in a private browser session and after
> > clearing my cache a few times because the previous test was cached which
> > was really annoying while trying to  establish which rule works.
> >
> > The last one I provided seemed to do the job and if you want to add it
> > into an ACL you know what the rewrite rule is now.
> >
> > Regards
> >
> > Andrew Smalley
> >
> > Loadbalancer.org Ltd.
> >
> >
> >
> > On 27 October 2016 at 07:40, Jürgen Haas <jurgenh...@paragon-es.de> wrote:
> >
> > Hi Andrew,
> >
> > You mean just the reqrep line on its own does the redirect? Because if
> > not I would then require the redirect line in addition which then would
> > cause that loop.
> >
> > Or is your approach just forwarding the corrected URI to the backend
> > such that it deals with that and responds as if the original request
> > were to that URI? That's not what I need. I really need a redirect with
> > a 301 such that users will see that new URL in their browser's address
> > bar and also search engines should "learn" about that corrected
> > str

Re: Can I specify a wildcard redirect

2016-10-25 Thread Andrew Smalley
Hello Jürgen

Thank you for your reply saying it's the same line you already have

I did this on a single VIP assuming you just wanted to rewrite /de to / and
have everything below /de/page-x become /page-x

If this is the case it works well and does not produce a redirect loop.

Try it out and see how it works on its own.



Regards

Andrew Smalley

Loadbalancer.org Ltd.



On 25 October 2016 at 15:18, Jürgen Haas <jurgenh...@paragon-es.de> wrote:

> Thanks Andrew,
>
> That's the same regex that I have in my backend definition. But I also
> need the ACLs to make sure that the redirect only happens on a specific
> host and with a specific beginning of a path. Otherwise that would be
> redirected every time and end up in an infinite loop, doesn't it?
>
> Thanks
> Jürgen
>
> Am 25.10.2016 um 15:47 schrieb Andrew Smalley:
> > Hello Jürgen
> >
> > Sorry for the delay in replying to you.
> >
> > after a little playing I have come up with this single line without an
> > ACL which seems to do what you want.
> >
> > It will redirect http://domain.com/de/this/that/other/dir
> >
> >
> > To
> >
> > http://domain.com/this/that/other/dir
> >
> >
> > reqrep ^([^\ :]*)\ /de/(.*) \1\ /\2
> >
> > Regards
> >
> > Andrew Smalley
> >
> > Loadbalancer.org Ltd.
> >
> >
> >
> > On 25 October 2016 at 10:35, Jürgen Haas
> > <jurgenhaas-m5i1dm4aril35hdljg3...@public.gmane.org> wrote:
> >
> > Hi Andrew,
> >
> > just not having luck with this. Here is my rule which is certainly used
> > when e.g. calling https://www.arocom.de/de/team but it doesn't redirect
> > to https://www.arocom.de/team
> >
> > Any idea what's wrong?
> >
> > backend backend_aweb2_https
> >   acl r_host hdr(host) -i -n www.arocom.de
> >   acl r_path path_beg /de/
> >   reqirep "^([^\ :]*)\ /de/(.+)" "\1\ /\2" if r_host r_path
> >   redirect prefix / code 301 if r_host r_path
> >   http-response add-header X-Via aweb2
> >   server server_aweb2 1.2.3.4:80 maxconn 100
> >
> > Thanks
> > Jürgen
> >
> >
> > Am 24.10.2016 um 11:23 schrieb Andrew Smalley:
> > > Hello Jürgen
> > >
> > > In that case I think you will want something like
> > >
> > >
> > > acl de_url path_beg /de
> > > reqrep ^([^\ :]*)\ /de/\d+/(.+)/? \1\ /\2
> > > redirect prefix / code 301 if de_url
> > >
> > >
> > >
> > > Regards
> > >
> > > Andrew Smalley
> > >
> > > Loadbalancer.org Ltd.
> > >
> > >
> > >
> > > On 24 October 2016 at 10:19, Jürgen Haas
> > > <jurgenhaas-m5i1dm4aril35hdljg3...@public.gmane.org> wrote:
> > >
> > > Hi Andrew,
> > >
> > > Thanks for your quick reply and yes, I'm using the manual almost daily.
> > > But my question is not covered, I guess.
> > >
> > > Also your example is not working as it is always redirecting to the
> > > front page, but we would require wildcards.
> > >
> > > Examples:
> > >
> > > http://www.example.com/de/page-one => http://www.example.com/page-one
> > > http://www.example.com/de/page-two => http://www.example.com/page-two
> > >
> > > I

Re: Can I specify a wildcard redirect

2016-10-25 Thread Andrew Smalley
Hello Jürgen

Sorry for the delay in replying to you.

After a little playing I have come up with this single line without an ACL
which seems to do what you want.

It will redirect http://domain.com/de/this/that/other/dir


To

http://domain.com/this/that/other/dir


reqrep ^([^\ :]*)\ /de/(.*) \1\ /\2

Regards

Andrew Smalley

Loadbalancer.org Ltd.



On 25 October 2016 at 10:35, Jürgen Haas <jurgenh...@paragon-es.de> wrote:

> Hi Andrew,
>
> just not having luck with this. Here is my rule which is certainly used
> when e.g. calling https://www.arocom.de/de/team but it doesn't redirect
> to https://www.arocom.de/team
>
> Any idea what's wrong?
>
> backend backend_aweb2_https
>   acl r_host hdr(host) -i -n www.arocom.de
>   acl r_path path_beg /de/
>   reqirep "^([^\ :]*)\ /de/(.+)" "\1\ /\2" if r_host r_path
>   redirect prefix / code 301 if r_host r_path
>   http-response add-header X-Via aweb2
>   server server_aweb2 1.2.3.4:80 maxconn 100
>
> Thanks
> Jürgen
>
>
> On 24.10.2016 at 11:23, Andrew Smalley wrote:
> > Hello Jürgen
> >
> > In that case I think you will want something like
> >
> >
> > acl de_url path_beg /de
> > reqrep ^([^\ :]*)\ /de/\d+/(.+)/? \1\ /\2
> > redirect prefix / code 301 if de_url
> >
> >
> >
> > Regards
> >
> > Andrew Smalley
> >
> > Loadbalancer.org Ltd.
> >
> >
> >
> > On 24 October 2016 at 10:19, Jürgen Haas
> > <jurgenhaas-m5i1dm4aril35hdljg3...@public.gmane.org> wrote:
> >
> > Hi Andrew,
> >
> > Thanks for your quick reply and yes, I'm using the manual almost daily.
> > But my question is not covered, I guess.
> >
> > Also your example is not working as it is always redirecting to the
> > front page, but we would require wildcards.
> >
> > Examples:
> >
> > http://www.example.com/de/page-one => http://www.example.com/page-one
> > http://www.example.com/de/page-two => http://www.example.com/page-two
> >
> > In other words, we just want to remove the "/de" substring from the
> > URL. Is that possible?
> >
> >
> > Thanks
> > Jürgen
> >
> >
> >
> > On 24.10.2016 at 11:00, Andrew Smalley wrote:
> > > Hello Jürgen
> > >
> > > Below is a link to the haproxy manual which will tell you exactly what
> > > you wish to know.
> > >
> > > https://www.haproxy.com/doc/aloha/7.0/haproxy/http_redirection.html
> > >
> > > and something like this will be what you are looking to do
> > >
> > > acl is_de path_beg -i /de
> > > acl is_domain hdr(host) -i www.domain.com
> > >
> > > redirect code 301 location http://www.domain.com/ if is_domain is_de
> > >
> > >
> > >
> > > Regards
> > >
> > > Andrew Smalley
> > >
> > > Loadbalancer.org Ltd.
> > >
> > >
> > >
> > > On 24 October 2016 at 09:53, Jürgen Haas
> > > <jurgenhaas-m5i1dm4aril35hdljg3...@public.gmane.org> wrote:
> > >
> > > Hi all,
> > >
> > > one of my clients is looking for a wildcard redirect to get redirects
> > > from www.example.com/de/* to www.example.com/*
> > >
> > > I know how to do just the opposite, but for this one I couldn't find a
> > > solution in the documentation.
> > >
> > > Any chance that can be done?
> > >
> > >
> > > Thanks
> > > Jürgen
> > >
> > >
> >
> >
> >
>
>
>
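
The reqrep line proposed in the message above, exercised offline as an added example (not code from the thread or from HAProxy). It applies the same regular expression to constructed request lines, adds the host and path guard Jürgen describes, and refuses a rewritten target that would no longer be a local path; the function names and sample requests are assumptions made for the illustration.

```python
import re

# Pattern and replacement from the thread's rule:
#   reqrep ^([^\ :]*)\ /de/(.*) \1\ /\2
# In the HAProxy rule the space is escaped as "\ "; in Python it is literal.
REQREP = re.compile(r"^([^ :]*) /de/(.*)")
REPLACEMENT = r"\1 /\2"


def rewrite_request_line(line):
    """Apply the thread's reqrep substitution to one HTTP request line."""
    return REQREP.sub(REPLACEMENT, line, count=1)


def redirect_target(host, request_line, wanted_host="www.example.com",
                    guarded=True):
    """Return the path to send in a 301, or None when no redirect applies.

    guarded=True models the two ACLs from the thread (host match and
    path_beg /de/); guarded=False models a redirect with no condition.
    """
    parts = request_line.split(" ")
    if len(parts) != 3:
        return None
    if guarded and (host.lower() != wanted_host
                    or not parts[1].startswith("/de/")):
        return None
    target = rewrite_request_line(request_line).split(" ")[1]
    # "/de//other.example/x" rewrites to "//other.example/x", which a browser
    # reads as a scheme-relative URL on another host, so it is refused here.
    if target.startswith("//") or "\\" in target:
        return None
    return target


def hops_until_stable(host, path, guarded=True, limit=10):
    """Follow redirects for `path`; return the hop count, or -1 on a loop."""
    for hops in range(limit):
        target = redirect_target(host, "GET %s HTTP/1.1" % path,
                                 guarded=guarded)
        if target is None:
            return hops
        path = target
    return -1


if __name__ == "__main__":
    # Constructed sample requests.
    for p in ("/de/page-one", "/dev/page", "/de/de/x", "/de//other.example/x"):
        print(p, "->", redirect_target("www.example.com",
                                       "GET %s HTTP/1.1" % p))
    print("unguarded loop:", hops_until_stable("www.example.com",
                                               "/page-two", guarded=False))
```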


Re: Can I specify a wildcard redirect

2016-10-24 Thread Andrew Smalley
Hello Jürgen

In that case I think you will want something like


acl de_url path_beg /de
reqrep ^([^\ :]*)\ /de/\d+/(.+)/? \1\ /\2
redirect prefix / code 301 if de_url



Regards

Andrew Smalley

Loadbalancer.org Ltd.



On 24 October 2016 at 10:19, Jürgen Haas <jurgenh...@paragon-es.de> wrote:

> Hi Andrew,
>
> Thanks for your quick reply and yes, I'm using the manual almost daily.
> But my question is not covered, I guess.
>
> Also your example is not working as it is always redirecting to the
> front page, but we would require wildcards.
>
> Examples:
>
> http://www.example.com/de/page-one => http://www.example.com/page-one
> http://www.example.com/de/page-two => http://www.example.com/page-two
>
> In other words, we just want to remove the "/de" substring from the
> URL. Is that possible?
>
>
> Thanks
> Jürgen
>
>
>
> On 24.10.2016 at 11:00, Andrew Smalley wrote:
> > Hello Jürgen
> >
> > Below is a link to the haproxy manual which will tell you exactly what
> > you wish to know.
> >
> > https://www.haproxy.com/doc/aloha/7.0/haproxy/http_redirection.html
> >
> > and something like this will be what you are looking to do
> >
> > acl is_de path_beg -i /de
> > acl is_domain hdr(host) -i www.domain.com
> >
> > redirect code 301 location http://www.domain.com/ if is_domain is_de
> >
> >
> >
> > Regards
> >
> > Andrew Smalley
> >
> > Loadbalancer.org Ltd.
> >
> >
> >
> > On 24 October 2016 at 09:53, Jürgen Haas
> > <jurgenhaas-m5i1dm4aril35hdljg3...@public.gmane.org> wrote:
> >
> > Hi all,
> >
> > one of my clients is looking for a wildcard redirect to get redirects
> > from www.example.com/de/* to www.example.com/*
> >
> > I know how to do just the opposite, but for this one I couldn't find a
> > solution in the documentation.
> >
> > Any chance that can be done?
> >
> >
> > Thanks
> > Jürgen
> >
> >
>
>
>


Re: Can I specify a wildcard redirect

2016-10-24 Thread Andrew Smalley
Hello Jürgen

Below is a link to the haproxy manual which will tell you exactly what you
wish to know.

https://www.haproxy.com/doc/aloha/7.0/haproxy/http_redirection.html

and something like this will be what you are looking to do

acl is_de path_beg -i /de
acl is_domain hdr(host) -i www.domain.com

redirect code 301 location http://www.domain.com/ if is_domain is_de



Regards

Andrew Smalley

Loadbalancer.org Ltd.



On 24 October 2016 at 09:53, Jürgen Haas <jurgenh...@paragon-es.de> wrote:

> Hi all,
>
> one of my clients is looking for a wildcard redirect to get redirects
> from www.example.com/de/* to www.example.com/*
>
> I know how to do just the opposite, but for this one I couldn't find a
> solution in the documentation.
>
> Any chance that can be done?
>
>
> Thanks
> Jürgen
>
>


Re: HaProxy for SFTP load balancing

2016-10-18 Thread Andrew Smalley
Hello Malreddy,

Below is a working VIP I have created on our loadbalancer.org appliance
which will do what you want without the ACL and

With regard to the ACL, you will not be able to do some of this in TCP mode.

https://www.haproxy.com/doc/aloha/7.0/haproxy/acls.html

listen stfp
    bind 192.168.100.100:8022 transparent
    mode tcp
    balance leastconn
    stick on src
    stick-table type ip size 10240k expire 30m peers loadbalancer_replication
    server backup 127.0.0.1:9081 backup  non-stick
    option redispatch
    option abortonclose
    maxconn 4
    server sftp-1 192.168.100.101:22  weight 100  check port 22 inter 4000  rise 2  fall 2  minconn 0  maxconn 0  on-marked-down shutdown-sessions



Regards

Andrew Smalley

Loadbalancer.org Ltd.



On 18 October 2016 at 15:16, <malreddy.t...@abinnovative.com> wrote:

> Hi Andrew,
>
> We need High availability for SFTP
>
> Haproxy installed in server with ip (1.2.3.4)
>
> for this IP several clients are mapped as mentioned below
>
> client1.hh.com mapped to IP 1.2.3.4
> client2.hh.com mapped to IP 1.2.3.4
> client3.hh.com mapped to IP 1.2.3.4
>
> For client1 the associated sftp servers are sftp1,sftp2,sftp3.
>
> When request comes from client1.hh.com, then it should be serviced by any
> of the sftp servers associated to this client i.e sftp1 or sftp2 or sftp3.
>
> To achieve this, below is the haproxy.cfg
>
> listen sftp-server
>     bind :2121
>     mode tcp
>     maxconn 2000
>     option redis-check
>     retries 3
>     option redispatch
>     #checking if the request is coming from client1
>     acl devclient1 ssl_fc_sni_reg -i devclient1.healthhub.net.in
>     #req.ssl_sni ssl_fc_sni_reg
>     balance roundrobin
>
>     use_backend srvs_devclient1 if devclient1
>
> backend srvs_devclient1
>     balance roundrobin
>     server ftp01 172.31.10.247:22 check weight 2
>     server ftp02 172.31.10.156:22 check weight 2
>
> But when I try to transfer file I'm getting exception as connection closed
> by foreign client.
>
> I'm able to transfer file to sftp server directly(sftp1) which is up and
> running, but through haproxy it's not working.
>
> Kindly suggest how to fetch the servername from which the request is
> coming so that I can map that particular client to the associated sftp
> servers.
>
> More over if any of sftp server is down, haproxy should route the request
> to any of the associated sftp servers which are up.
>
> Eg: sftp1 is down, haproxy proxy should able to route the request to sftp2
> or sftp3 which are up and running.
>
> Requesting you to assist us to resolve the issue.
>
> Thanks in advance.
>
>
> -Original Message-
> From: "Andrew Smalley" <asmal...@loadbalancer.org>
> Sent: Thursday, October 6, 2016 7:43pm
> To: "vi...@abinnovative.com" <vi...@abinnovative.com>
> Cc: "Lukas Tribus" <lu...@gmx.net>, "HAProxy" <haproxy@formilux.org>,
> malreddy.t...@abinnovative.com
> Subject: Re: HaProxy for SFTP load balancing
>
> If you want a connect to port check you can use the below example
>
> listen sftp
>     bind 192.168.100.100:8022 transparent
>     mode http
>     balance leastconn
>     option forwardfor if-none
>     stick on hdr(X-Forwarded-For,-1)
>     stick on src
>     stick-table type string len 64 size 10240k expire 30m peers loadbalancer_replication
>     server backup 127.0.0.1:9081 backup non-stick
>     option http-keep-alive
>     option redispatch
>     option abortonclose
>     maxconn 4
>     server RIP_ 192.168.100.0:80 weight RIP_Name check port 8022 inter 4000 rise 2 fall 2 minconn 100 maxconn 0 on-marked-down shutdown-sessions
>
> Or if you wish to define an external file to use then something like below
> will work.
>
> listen sftp
>     bind 192.168.100.100:8022 transparent
>     mode http
>     balance leastconn
>     option forwardfor if-none
>     stick on hdr(X-Forwarded-For,-1)
>     stick on src
>     stick-table type string len 64 size 10240k expire 30m peers loadbalancer_replication
>     server backup 127.0.0.1:9081 backup non-stick
>     option external-check
>     external-check command /var/lib/loadbalancer.org/check/sftp_check.sh
>     option http-keep-alive
>     option redispatch
>     option abortonclose
>     maxconn 4
>     server RIP_ 192.168.100.0:80 weight RIP_Name check inter 4000 rise 2 fall 2 minconn 100 maxconn 0 on-marked-down shutdown-sessions
>
>
> I hope this helps?
>
>
> Regards
>
> Andrew Smalley
>
> Loadbalancer.org Ltd.
>
>
> On 6 October 2016 at 15:07, vi...@abinnovative.com <vi...@abinnovative.com>
> wrote:
>
>> We gave, that doesn't work.
>>
>>
>> Vijay
>>
>>
>> On 06-10-2016 07:34 PM, Lukas Tribus wrote:
>>
>> Hi Vijay,
>>
>>
>> enable health-checks, by adding the "check" keyword to both your server
>> configuration lines.
>>
>>
>> Lukas
>>
>>
>>
>>
>>
>> --
>> *Thanks*
>> *Vijay*
>>
>
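
Why an SNI-based ACL such as the one in the quoted configuration cannot match SFTP traffic, shown as an added example (not code from the thread). It classifies the first bytes a client sends and extracts the server name from a TLS ClientHello, whereas an SSH client opens with an identification string (RFC 4253) that carries no hostname; the helper names, the backend names in the usage lines and both sample payloads are constructed for the illustration.

```python
import struct


def build_client_hello(server_name):
    """Constructed minimal TLS ClientHello record carrying one SNI entry."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name entry
    sni = struct.pack("!H", len(entry)) + entry             # server_name_list
    ext = struct.pack("!HH", 0x0000, len(sni)) + sni        # extension type 0
    body = (b"\x03\x03" + b"\x00" * 32                      # version, random
            + b"\x00"                                       # empty session id
            + struct.pack("!H", 2) + b"\x00\x2f"            # one cipher suite
            + b"\x01\x00"                                   # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sni_from_client_hello(data):
    """Return the SNI host name from a ClientHello record, or None."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:
            return None
        pos = 5 + 4 + 2 + 32            # record hdr, handshake hdr, version, random
        pos += 1 + data[pos]            # session id
        pos += 2 + struct.unpack_from("!H", data, pos)[0]   # cipher suites
        pos += 1 + data[pos]            # compression methods
        end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
        pos += 2
        while pos + 4 <= min(end, len(data)):
            ext_type, ext_len = struct.unpack_from("!HH", data, pos)
            pos += 4
            if ext_type == 0:           # server_name extension
                name_len = struct.unpack_from("!H", data, pos + 3)[0]
                return data[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


def classify_first_bytes(data):
    """Describe what a TCP-mode proxy can learn from a client's first bytes."""
    if data.startswith(b"SSH-"):
        # Identification string: protocol and software version only.
        banner = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {"protocol": "ssh", "banner": banner, "server_name": None}
    if data[:1] == b"\x16":
        return {"protocol": "tls", "banner": None,
                "server_name": sni_from_client_hello(data)}
    return {"protocol": "unknown", "banner": None, "server_name": None}


def pick_backend(data, sni_map, default):
    """Choose a backend by SNI; traffic without a server name gets `default`."""
    return sni_map.get(classify_first_bytes(data)["server_name"], default)


# Constructed sample payloads.
SSH_SAMPLE = b"SSH-2.0-OpenSSH_7.2\r\n"
TLS_SAMPLE = build_client_hello("client1.hh.com")

if __name__ == "__main__":
    routes = {"client1.hh.com": "srvs_client1"}   # hypothetical backend name
    print(classify_first_bytes(SSH_SAMPLE), pick_backend(SSH_SAMPLE, routes, "sftp_default"))
    print(classify_first_bytes(TLS_SAMPLE), pick_backend(TLS_SAMPLE, routes, "sftp_default"))
```

Because the SSH connection never yields a server name, per-client routing for SFTP has to key on something the proxy can see in TCP mode, such as the destination address or port.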


Re: HaProxy for SFTP load balancing

2016-10-06 Thread Andrew Smalley
If you want a connect to port check you can use the below example


listen sftp
    bind 192.168.100.100:8022 transparent
    mode http
    balance leastconn
    option forwardfor if-none
    stick on hdr(X-Forwarded-For,-1)
    stick on src
    stick-table type string len 64 size 10240k expire 30m peers loadbalancer_replication
    server backup 127.0.0.1:9081 backup  non-stick
    option http-keep-alive
    option redispatch
    option abortonclose
    maxconn 4
    server RIP_ 192.168.100.0:80  weight RIP_Name  check port 8022 inter 4000  rise 2  fall 2  minconn 100  maxconn 0  on-marked-down shutdown-sessions

Or if you wish to define an external file to use then something like
below will work.

listen sftp
    bind 192.168.100.100:8022 transparent
    mode http
    balance leastconn
    option forwardfor if-none
    stick on hdr(X-Forwarded-For,-1)
    stick on src
    stick-table type string len 64 size 10240k expire 30m peers loadbalancer_replication
    server backup 127.0.0.1:9081 backup  non-stick
    option external-check
    external-check command /var/lib/loadbalancer.org/check/sftp_check.sh
    option http-keep-alive
    option redispatch
    option abortonclose
    maxconn 4
    server RIP_ 192.168.100.0:80  weight RIP_Name  check  inter 4000 rise 2  fall 2  minconn 100  maxconn 0  on-marked-down shutdown-sessions


I hope this helps?



Regards

Andrew Smalley

Loadbalancer.org Ltd.



On 6 October 2016 at 15:07, vi...@abinnovative.com <vi...@abinnovative.com>
wrote:

> We gave, that doesn't work.
>
>
> Vijay
>
>
> On 06-10-2016 07:34 PM, Lukas Tribus wrote:
>
> Hi Vijay,
>
>
> enable health-checks, by adding the "check" keyword to both your server
> configuration lines.
>
>
> Lukas
>
>
>
>
>
> --
> *Thanks*
> *Vijay*
>


Re: PEM file question

2016-09-28 Thread Andrew Smalley
Hello Robert

I have seen your question about the requirement of the private key in
haproxy and your suggestion that the webserver does not require a private
key.

I should correct you there. The webserver does use a private key and the
intermediate chain from the key signer too.

The same for haproxy. You could append all keys together so you have

--- private key start ---
--- private key end ---
--- intermediate key start ---
--- intermediate key end ---
--- your public key (pem) start ---
--- your public key (pem) end ---
--- any other key you want start ---
--- any other key you want end ---

You then tell haproxy to use the combined pem file for SSL termination.

I hope this helps.


Regards

Andrew Smalley

Loadbalancer.org Ltd.



On 28 September 2016 at 16:13, robert johnson <robert.john...@intertek.com>
wrote:

> Hi Guys,
>
> I tried searching the mailing list with no luck.  Any way, here is my
> question:
>
> Why does haproxy require the private key in the PEM file when terminating
> SSL?
>
> Other web servers only require the cert
>
> thanks,
>
> rob
>
>
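
A check for the combined file described above, as an added example (not HAProxy's or Loadbalancer.org's code). It reads the PEM armor labels, confirms the bundle carries exactly one private key that is not passphrase-protected and at least one certificate, and flags a file mode that lets other users read the key; the function names and the sample bundles, whose base64 bodies are constructed placeholders rather than real key material, are assumptions.

```python
import os
import re
import stat
import tempfile

# One PEM block; group 1 is the label between the BEGIN/END markers.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def pem_labels(text):
    """Return the labels of all PEM blocks in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def lint_bundle(path):
    """Return a list of problems found in a combined PEM file."""
    problems = []
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        text = fh.read()
    labels = pem_labels(text)
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    certs = [l for l in labels if l == "CERTIFICATE"]
    if len(keys) != 1:
        problems.append("expected exactly 1 private key, found %d" % len(keys))
    # PKCS#8 encrypted keys use their own label; legacy encrypted keys carry
    # a Proc-Type header inside the block.
    if "ENCRYPTED PRIVATE KEY" in keys or "Proc-Type: 4,ENCRYPTED" in text:
        problems.append("private key is passphrase-protected")
    if not certs:
        problems.append("no certificate in bundle")
    # The bundle holds the private key, so only its owner should read it.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("file mode %o exposes the key to group/other" % mode)
    return problems


# Constructed sample: the base64 body is a placeholder, not key material.
BODY = "Q09OU1RSVUNURUQ=\n"


def block(label):
    """Build one constructed PEM block with the given label."""
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, BODY, label)


def lint_sample(labels, mode):
    """Write a constructed bundle to a temp file, lint it, then remove it."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write("".join(block(l) for l in labels))
        os.chmod(path, mode)
        return lint_bundle(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(lint_sample(["PRIVATE KEY", "CERTIFICATE", "CERTIFICATE"], 0o600))
    print(lint_sample(["CERTIFICATE"], 0o600))
    print(lint_sample(["RSA PRIVATE KEY", "CERTIFICATE"], 0o644))
```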


Re: Certificate Authentication failing Outlook 2016

2016-07-12 Thread Andrew Smalley
Hello Alberto

I think you will want something like this.

If the client does not have an SSL Cert in their browser they will not be
able to connect.
http://blog.haproxy.com/2012/10/03/ssl-client-certificate-management-at-application-level/

Regards

Andrew Smalley

Loadbalancer.org
http://www.loadbalancer.org

On 12 July 2016 at 15:41, Alberto Valdes <alberc...@gmail.com> wrote:

> Hello everyone. I want to configure HAProxy to allow connections only from
> users with a valid certificate, so the connection between the client
> application and HAProxy is restricted and then the connection between
> HAProxy and my backend servers is only SSL without certificate
> authentication.
>
> So far my configuration works with Firefox, Internet Explorer, Microsoft
> Edge, Chrome, Thunderbird (IMAP) and Smartphones mail apps (IMAP).
>
> The problem comes when I try to use Outlook 2016 client (I also tested it
> with Outlook 2010 and Outlook 2013 and I get the same problem) it just
> crashes.
>
> This is what I did to create the certificates --> https://paste.ee/p/d4kYu
>
> And this is my HAProxy configuration file --> https://paste.ee/p/Xw5Lp
>
> Did someone manage to get this working?
>
> I found that when using any Microsoft product (Edge, Internet Explorer,
> Outlook) I get a "Connection closed during SSL handshake" error in my
> HAProxy logs and then I am asked to confirm the client certificate.
>
> So my guess is that it fails when using Outlook because I have no way to
> confirm the certificate, therefore no data is sent to finish the SSL
> handshake
>
> I changed my "defaults" configuration and now I do not get the "Connection
> closed during SSL handshake" error, but Outlook still crashes
>
> Thanks
>


Re: TLS version by hostname

2016-06-09 Thread Andrew Smalley
Hi Ed

I'd say what you are asking is a no with a single vip.

However if you chain a vip with all ssl tls allowed on the first vip with
an acl

Then rather than your backend being real servers make the backend 2 more
vips one with the tls version and another without that would work very well
for you.

acl alltls goto alltlsVIP
acl sometls goto sometlsVIP

The syntax is not correct but I'm sure you get the idea.

Have same ssl cert for sni on all 3 vips change your tls and cipher options
on the 2 backend vips and mirror your real servers there.

On 9 Jun 2016 22:36, "Eduard Martinescu" wrote:

> Some googling didn't turn up what I was looking for so I thought I would
> ask here.
>
> Is it possible to enable different TLS version on a per hostname basis via
> SNI?
>
> So, with a single
>
> frontend ssl_app
>   bind 10.0.0.1:443 ssl crt mycrt crt /my/crt/directory
>
> Is there a way for that ssl_app frontend to allow TLS 1.0 for some subset
> of SNI hostnames, while disallowing it for others? Or can I only enable it
> for all or none?
>
> Ed
>
> --
> Eduard Martinescu
> Principal Software Engineer
> Office: 585.708.9685
>


Re: HAproxy and ftp_put response "504 Timeout"

2016-05-16 Thread Andrew Smalley
If you are doing an external ftp connection you will not need to do
anything on haproxy,

I was assuming that the ftp server would be internal

Can you test from the server on 192.168.11.254 to make a ftp connection
manually and if it works then good. If not then you will need to find the
reason it's not working

Regards

Andrew Smalley

Loadbalancer.org
http://www.loadbalancer.org

On 16 May 2016 at 14:35, Info (ITpartner.ee) <i...@itpartner.ee> wrote:

> Well yes, internal php script makes a call to some outside FTP server,
> looking like:
>
>
>
>
> |--|
>
> | app_back (192.168.11.254) - > HAproxy (with public IP)|  - >   Some FTP
> hosting
>
>
> |--|
>
>
>
> Could you please clarify what do you mean under “loadbalance port 21”?
>
>
>
> *From:* Andrew Smalley [mailto:asmal...@loadbalancer.org]
> *Sent:* Monday, May 16, 2016 4:27 PM
>
> *To:* Info (ITpartner.ee) <i...@itpartner.ee>
> *Cc:* HAProxy <haproxy@formilux.org>
> *Subject:* Re: HAproxy and ftp_put response "504 Timeout"
>
>
>
> Juri
>
> You're welcome.
>
> I made an assumption that you would need to also loadbalance port 21 for
> ftp.
>
> Is your php script making a call to an external service or is it behind
> haproxy?
>
>
> Regards
>
> Andrew Smalley
>
> Loadbalancer.org
>
> http://www.loadbalancer.org
>
>
>
> On 16 May 2016 at 14:24, Info (ITpartner.ee) <i...@itpartner.ee> wrote:
>
> Hello Andrew,
>
>
>
> Thanks for fast reply!
>
> I have already tried similar configuration and tried yours, but I get “
> *ERR_CONNECTION_REFUSED*” on any http request to this server.
>
>
>
> After removing ftp_front and ftp_back + haproxy restart, all fine again.
>
>
>
> // Juri
>
>
>
> *From:* Andrew Smalley [mailto:asmal...@loadbalancer.org]
> *Sent:* Monday, May 16, 2016 4:10 PM
> *To:* Info (ITpartner.ee) <i...@itpartner.ee>
> *Cc:* HAProxy <haproxy@formilux.org>
> *Subject:* Re: HAproxy and ftp_put response "504 Timeout"
>
>
>
> Hello Juri
>
> You say your PHP Script uses FTP Protocol, so you will need to add another
> VIP for ftp on port 21 in TCP Mode as shown below
>
> frontend app_front
>    bind *:80
>    default_backend admin_back
>
> backend admin_back
>    mode http
>    balance roundrobin
>    server admin 192.168.11.254:80 check
>
> frontend ftp_front
>    bind *:21
>    default_backend ftp_back
>
> backend ftp_back
>    mode tcp
>    balance roundrobin
>    server admin 192.168.11.254:21 check
>
>
> Regards
>
> Andrew Smalley
>
> Loadbalancer.org
>
> http://www.loadbalancer.org
>
>
>
> On 16 May 2016 at 14:02, Info (ITpartner.ee) <i...@itpartner.ee> wrote:
>
> Hello,
>
>
>
> Really need a help to solve this issue. We have PHP ftp file upload
> script. After project migration from regular hosting under HAproxy as a
> load balancer, our php file upload script stopped working.
>
> We receive “504 Gateway Time-out. The server didn't respond in time.”
> error after ~30 seconds. Increasing keep-alive time or php execution time
> makes no effect.
>
> By checking php code line by line we realized that ftp_connect, ftp_login
> – works fine,  but it gets an error after ftp_put request.
>
> Our haproxy conf looks like this:
>
>
>
> frontend app_front
>    bind *:80
>    default_backend admin_back
>
> backend admin_back
>    mode http
>    balance roundrobin
>    server admin 192.168.11.254:80 check
>
>
>
> Tried “ftp –n” connection directly from server – all fine. Turning off
> FirewallD service on both haproxy and “admin_back” server makes no
> difference.
>
> Can you give us any suggestions?
>
>
>
> BR,
>
> Juri
>
>
>
>
>


Re: HAproxy and ftp_put response "504 Timeout"

2016-05-16 Thread Andrew Smalley
Juri

You're welcome.

I made an assumption that you would need to also loadbalance port 21 for
ftp.

Is your php script making a call to an external service or is it behind
haproxy?

Regards

Andrew Smalley

Loadbalancer.org
http://www.loadbalancer.org

On 16 May 2016 at 14:24, Info (ITpartner.ee) <i...@itpartner.ee> wrote:

> Hello Andrew,
>
>
>
> Thanks for fast reply!
>
> I have already tried similar configuration and tried yours, but I get “
> *ERR_CONNECTION_REFUSED*” on any http request to this server.
>
>
>
> After removing ftp_front and ftp_back + haproxy restart, all fine again.
>
>
>
> // Juri
>
>
>
> *From:* Andrew Smalley [mailto:asmal...@loadbalancer.org]
> *Sent:* Monday, May 16, 2016 4:10 PM
> *To:* Info (ITpartner.ee) <i...@itpartner.ee>
> *Cc:* HAProxy <haproxy@formilux.org>
> *Subject:* Re: HAproxy and ftp_put response "504 Timeout"
>
>
>
> Hello Juri
>
> You say your PHP Script uses FTP Protocol, so you will need to add another
> VIP for ftp on port 21 in TCP Mode as shown below
>
> frontend app_front
>    bind *:80
>    default_backend admin_back
>
> backend admin_back
>    mode http
>    balance roundrobin
>    server admin 192.168.11.254:80 check
>
> frontend ftp_front
>    bind *:21
>    default_backend ftp_back
>
> backend ftp_back
>    mode tcp
>    balance roundrobin
>    server admin 192.168.11.254:21 check
>
>
> Regards
>
> Andrew Smalley
>
> Loadbalancer.org
>
> http://www.loadbalancer.org
>
>
>
> On 16 May 2016 at 14:02, Info (ITpartner.ee) <i...@itpartner.ee> wrote:
>
> Hello,
>
>
>
> Really need a help to solve this issue. We have PHP ftp file upload
> script. After project migration from regular hosting under HAproxy as a
> load balancer, our php file upload script stopped working.
>
> We receive “504 Gateway Time-out. The server didn't respond in time.”
> error after ~30 seconds. Increasing keep-alive time or php execution time
> makes no effect.
>
> By checking php code line by line we realized that ftp_connect, ftp_login
> – works fine,  but it gets an error after ftp_put request.
>
> Our haproxy conf looks like this:
>
>
>
> frontend app_front
>    bind *:80
>    default_backend admin_back
>
> backend admin_back
>    mode http
>    balance roundrobin
>    server admin 192.168.11.254:80 check
>
>
>
> Tried “ftp –n” connection directly from server – all fine. Turning off
> FirewallD service on both haproxy and “admin_back” server makes no
> difference.
>
> Can you give us any suggestions?
>
>
>
> BR,
>
> Juri
>
>
>


Re: HAproxy and ftp_put response "504 Timeout"

2016-05-16 Thread Andrew Smalley
Hello Juri

You say your PHP Script uses FTP Protocol, so you will need to add another
VIP for ftp on port 21 in TCP Mode as shown below


frontend app_front
   bind *:80
   default_backend admin_back

backend admin_back
   mode http
   balance roundrobin
   server admin 192.168.11.254:80 check

frontend ftp_front
   bind *:21
   default_backend ftp_back

backend ftp_back
   mode tcp
   balance roundrobin
   server admin 192.168.11.254:21 check

Regards

Andrew Smalley

Loadbalancer.org
http://www.loadbalancer.org

On 16 May 2016 at 14:02, Info (ITpartner.ee) <i...@itpartner.ee> wrote:

> Hello,
>
>
>
> Really need a help to solve this issue. We have PHP ftp file upload
> script. After project migration from regular hosting under HAproxy as a
> load balancer, our php file upload script stopped working.
>
> We receive “504 Gateway Time-out. The server didn't respond in time.”
> error after ~30 seconds. Increasing keep-alive time or php execution time
> makes no effect.
>
> By checking php code line by line we realized that ftp_connect, ftp_login
> – works fine,  but it gets an error after ftp_put request.
>
> Our haproxy conf looks like this:
>
>
>
> frontend app_front
>    bind *:80
>    default_backend admin_back
>
> backend admin_back
>    mode http
>    balance roundrobin
>    server admin 192.168.11.254:80 check
>
>
>
> Tried “ftp –n” connection directly from server – all fine. Turning off
> FirewallD service on both haproxy and “admin_back” server makes no
> difference.
>
> Can you give us any suggestions?
>
>
>
> BR,
>
> Juri
>


Re: Q: about HTTP/2

2016-04-01 Thread Andrew Smalley
Hello Baptiste,

We have been asked questions about HTTP/2 but it does not seem to be a
block when we say it's not fully supported in Layer7


Regards

Andrew Smalley

Loadbalancer.org
http://www.loadbalancer.org

On 1 April 2016 at 11:25, Baptiste <bed...@gmail.com> wrote:

> On Fri, Apr 1, 2016 at 12:18 PM, Aleksandar Lazic <al-hapr...@none.at>
> wrote:
> > Hi Willy & other core devs/pms.
> >
> > I know that HTTP/2 is on the road-map but not ready yet.
> >
> > Would you be so kind and share some of your thoughts, stats and plans for
> > HTTP/2.
> >
> > Thank you very much.
> >
> > Best regards
> > Aleks
> >
>
>
> Do you guys, on the ML, really need HTTP/2?
> If so what's your deadline??
>
> Baptiste
>
>