Re: LB as a first row of defence against DDoS

2015-06-24 Thread Baptiste
hi all,

Sorry for not answering sooner, but you know, you say "I'll do it in a
couple of minutes", then you focus on something else, then you forget,
then you say "I'll do it in a couple of minutes", then  :)

First of all, this type of article takes a long time to write, to
review, to fix, to test, etc...
So I need a long period of time to focus on writing this type of article.
And such periods are quite rare, and I used them to contribute
code to ... HAProxy :)

That said, I'll write a new DDOS protection article once HAProxy 1.6
is released, since it embeds some new features which are
interesting on this topic.

Concerning your demand, I don't understand it!
Could you provide me your own configuration (or a fake one) you would
like to be protected, adding comments on the type of protection you
expect, then I'll see what I can do.

Baptiste



Re: Need your help on HAProxy Load balancing algorithms

2015-06-24 Thread Baptiste
On Wed, Jun 24, 2015 at 10:13 AM, Vinod Kishan Lalbeg
 wrote:
> Dear Sir/ Madam,
>
> I am a PhD student in Pune, India. I am working on Dynamic Algorithms for
> High-Availability Cloud Server Load Balancing in Linux Environment for QoS.
> I am very new to these concepts and technologies.
>
> As I was reading
> Red_Hat_Enterprise_Linux-7-Load_Balancer_Administration-en-US document I
> came across Keepalived and HAProxy terms and started reading.
>
> I wanted your help on the load balancing algorithms which are used in
> HAProxy. If I can get the source code to study them along with documentation
> it will be a great help. I also wanted to know, if I get some idea/
> algorithm on load balancing, can you test and verify it so that I can have a
> detailed report on the working of the algorithm.
>
> Please respond to my mail.
>
> Thanks and regards
>
> Mr. Vinod K. Lalbeg
> Asst. Prof., NWIMSR,
> Pune-1


Hi Vinod,

First, good luck in your PhD.
For load-balancing algorithms, you want to read this part of the doc:
  http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#balance

About the source code, it's available here:
  http://git.haproxy.org/?p=haproxy.git

Baptiste



Re: Location of log file of haproxy

2015-06-18 Thread Baptiste
On Thu, Jun 18, 2015 at 7:17 PM, Ajay Kumar  wrote:
> Hi,
>
> I am using HAProxy in a SmartOS VM on Joyent but failed to trace its log
> file. I searched the internet too but found nothing more than the following,
> and the folder /etc/rsyslog.d/ does not exist in SmartOS.
>
> http://kvz.io/blog/2010/08/11/haproxy-logging/
>
> https://www.percona.com/blog/2014/10/03/haproxy-give-me-some-logs-on-centos-6-5/
>
> I am looking for the following help:
> 1. Where is the log file of HAProxy?
> 2. How could I get the logs into my own specific log file other than syslog (which
> has been mentioned in many places on the internet)?
>
> Regards,
> Ajay
>
>

Hi Ajay,

HAProxy sends logs to a syslog server.
So first, ensure your syslog server and HAProxy are properly configured.
Then, reading your syslog configuration will tell you where the files could be.

Baptiste



Re: Odd SSL performance

2015-06-18 Thread Baptiste
Phil,

without -k, HAProxy spends its time computing TLS keys.
Can you run 'openssl speed rsa2048' and report the number here?
My guess is that it shouldn't be too far from 400 :)

Baptiste


On Thu, Jun 18, 2015 at 3:20 PM, Phil Daws  wrote:
> Hello Baptiste:
>
> we were seeing lower tps from a remote system to the front-end LB hence
> trying to exclude client side issues by using the LB interface.  Yes, when we
> use '-k', we do see a huge difference but it's interesting that we pretty much
> always get 390 tps for a single core, and when we go to nbproc 2 then 780.
>
> Appreciate the input Baptiste & Lukas.
>
> Thanks, Phil.
>
> - On 18 Jun, 2015, at 14:15, Baptiste bed...@gmail.com wrote:
>
>> Phil,
>>
>> First, use '-k' option on ab to keep connections alive on ab side.
>>
>> From a pure benchmark point of view, using the loopback is useless!
>> Furthermore if all VMs are hosted on the same hypervisor.
>> You won't be able to get any accurate conclusion from your test,
>> because the injector VM is impacting the HAProxy VM, which might be
>> mutually impacting the server VMs...
>>
>> Baptiste
>>
>>
>> On Thu, Jun 18, 2015 at 2:41 PM, Phil Daws  wrote:
>>> Hello Lukas:
>>>
>>> Path is as follows:
>>>
>>> Internet -> HAProxy [Frontend:443 -> Backend:80] -> 6 x NGINX
>>>
>>> Yeah, unfortunately due to the application behind NGINX our benchmarking
>>> has to be without keep-alives :(
>>>
>>> Thanks, Phil
>>>
>>> - On 18 Jun, 2015, at 13:38, Lukas Tribus luky...@hotmail.com wrote:
>>>
>>>> Hi Phil,
>>>>
>>>>
>>>>> Hello all:
>>>>>
>>>>> we are rolling out a new system and are testing the SSL performance with
>>>>> some strange results. This is all being performed on a cloud hypervisor
>>>>> instance with the following:
>>>>
>>>> You are saying nginx listens on 443 (SSL) and 80, and you connect to those
>>>> ports directly from ab. Where in that picture is haproxy?
>>>>
>>>>
>>>>
>>>>> Have tried adding the option prefer-last-server but that did not make a
>>>>> great deal of difference. Any thoughts please as to what could be wrong ?
>>>>
>>>> Without keepalive it won't make any difference. Enable keepalive with ab 
>>>> (-k).
>>>>
>>>>
>>>>
>>>> Lukas
>>>
>
>



Re: Odd SSL performance

2015-06-18 Thread Baptiste
Phil,

First, use '-k' option on ab to keep connections alive on ab side.

From a pure benchmark point of view, using the loopback is useless!
Furthermore if all VMs are hosted on the same hypervisor.
You won't be able to get any accurate conclusion from your test,
because the injector VM is impacting the HAProxy VM, which might be
mutually impacting the server VMs...

Baptiste


On Thu, Jun 18, 2015 at 2:41 PM, Phil Daws  wrote:
> Hello Lukas:
>
> Path is as follows:
>
> Internet -> HAProxy [Frontend:443 -> Backend:80] -> 6 x NGINX
>
> Yeah, unfortunately due to the application behind NGINX our benchmarking has 
> to be without keep-alives :(
>
> Thanks, Phil
>
> - On 18 Jun, 2015, at 13:38, Lukas Tribus luky...@hotmail.com wrote:
>
>> Hi Phil,
>>
>>
>>> Hello all:
>>>
>>> we are rolling out a new system and are testing the SSL performance with
>>> some strange results. This is all being performed on a cloud hypervisor
>>> instance with the following:
>>
>> You are saying nginx listens on 443 (SSL) and 80, and you connect to those
>> ports directly from ab. Where in that picture is haproxy?
>>
>>
>>
>>> Have tried adding the option prefer-last-server but that did not make a
>>> great deal of difference. Any thoughts please as to what could be wrong ?
>>
>> Without keepalive it won't make any difference. Enable keepalive with ab 
>> (-k).
>>
>>
>>
>> Lukas
>
>



Re: [ANNOUNCE] haproxy-1.6-dev2

2015-06-18 Thread Baptiste
> mited impact
> on code stability (unless they fix bugs of course), and on configuration
> so that early adopters can quickly update when they face a bug that is
> fixed. If you're developing something great and intrusive, please keep
> it for when 1.7 opens.
>
> I was told that current version could fail to build on OpenBSD, but there's
> a patch floating around for this so hopefully this will be resolved soon.
>
> Last point, very recently I got a request from someone who desired a bit
> more signatures in the release process. I don't want to make the whole
> workflow a pain, but at least now I've switched to signed tags, which is
> easy to do and happens only once in a while.
>
> I'm not appending the changelog, it's too large and boring, really.
>
> Usual URLs below :
> Site index   : http://www.haproxy.org/
> Sources  : http://www.haproxy.org/download/1.6/src/devel/
> Git repository   : http://git.haproxy.org/git/haproxy.git/
> Git Web browsing : http://git.haproxy.org/?p=haproxy.git
> Changelog: http://www.haproxy.org/download/1.6/src/CHANGELOG
> Cyril's HTML doc : 
> http://cbonte.github.com/haproxy-dconv/configuration-1.6.html
>
> Regards,
> Willy
>
>

It's a great release.
Looking forward to playing with it!

Note that in my lab, 1.6-dev performs slightly better than 1.5.

Baptiste



Re: Disable/enable server for all backends

2015-06-17 Thread Baptiste
On Wed, Jun 17, 2015 at 10:23 PM, jeff saremi  wrote:
> In the command:
> disable server /
> can the backend be left out? or passed as a wildcard? this way when a server
> is disabled or enabled it will be for all backends.

Hi Jeff,

This is currently not doable.

Baptiste



Re: Health check of backends without explicit health-check?

2015-06-17 Thread Baptiste
Hi Krishna,

Usually, people use a service discovery tool to do this.
Some other people use a local service to cache the check response and
serve it to all haproxy servers.

Baptiste


On Wed, Jun 17, 2015 at 11:38 AM, Krishna Kumar (Engineering)
 wrote:
> On Tue, Jun 16, 2015 at 4:29 PM, Krishna Kumar (Engineering)
>  wrote:
>
> I was referring to HAProxy as the LB here. If there is any means to do this,
> kindly let me know.
>
> Thanks,
> - Krishna Kumar
>
>
>
>> Hi list,
>>
>> Is there any way to log, or report, or notify, or identify any backend
>> that is not responding, without using explicit health-checks? The
>> reason for this is that we are planning a big deployment of LB/servers,
>> something along the lines of:
>>
>> LB1, LB2, LB100 or more
>> ^
>> |
>> v
>> Thousands of servers as backends
>>
>> where many of the LB's could share the same backend. Doing a health-
>> check from many LB's to the same servers is a possible load issue on
>> the servers. Is there any other way, based on response timeout, or
>> something else, to determine which of the backends are not responding,
>> and be able to retrieve that information?
>>
>> Thanks,
>> - Krishna Kumar
>
>
>



Re: HAProxy Stats and SSL Problems

2015-06-15 Thread Baptiste
As stated by Piba-nl, your error is here:

 listen stats :44300
 bind *:44300 ssl crt /etc/ssl/private/the.pem.withkey.pem

When you declare your listen section like this, it is equivalent to:

 listen stats
 bind  :44300
 bind *:44300 ssl crt /etc/ssl/private/the.pem.withkey.pem

Which means that 2 listening sockets will get the traffic, one
deciphering the traffic, and the other one not...

Simply remove the ':44300' from your listen section definition.

Baptiste



Re: The cause for 504's

2015-06-11 Thread Baptiste
On Thu, Jun 11, 2015 at 5:41 PM, Joseph Lynch  wrote:
>>> Jun 10 17:27:33 localhost haproxy[23508]: 10.126.160.11:37139
>>> [10/Jun/2015:17:26:03.027] http-in resub-bb-default/njorch0pe16
>>> 30935/0/1/-1/90937 504 194 - - sH-- 16/14/0/0/0 0/0
>>> {569760396|297|RESUB|EMAIL|0|9001|0|0|1.0|NJ|60} "POST /somepath
>>> HTTP/1.1"
> The interesting bit of this to me is the timing events:
> 30935/0/1/-1/90937. My understanding of
> http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#8.4
> indicates that this took 30s for the proxy to receive the client
> request and over 90 seconds before timing out. What do you have
> "timeout server" set to? The docs suggest multiples of 3 usually
> indicate packet loss,

Well, retransmit occurs after 3s, 9s, 27s, etc...
In his case, I guess the timeout server is 60s, which is not enough,
but obviously already high!


> so it might be worth running tcpdump on your
> outgoing traffic on the proxy and on your incoming traffic on your
> service's server and trying to see where these seconds are coming from
> (wireshark can be helpful to find these long sessions). If your
> application log doesn't show the request then that to me is more
> evidence that your requests are having issues getting from your proxy
> to your backend servers.

Very true, tcpdump is your friend!
Have you noticed any common pattern among those 504s?
Same source IP, same cookie value, same URLs, same server, etc...

Baptiste
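As an added example (not code from the thread or from HAProxy), the parser below reads the 504 line quoted above and derives what the thread does by hand: the server never answered (Tr = -1, state sH), the server-side wait Tt - Tq - Tw - Tc lands on the "timeout server" value, and Tq is checked against the multiples-of-3-seconds retransmission heuristic from the docs. The field layout assumed is the HAProxy 1.5 "option httplog" format the line uses.

```python
import re

# Field order of HAProxy 1.5 "option httplog": client, accept date, frontend,
# backend/server, Tq/Tw/Tc/Tr/Tt, status, bytes, cookies, termination state,
# connection counters, queues, optional captured headers, request line.
LOG_RE = re.compile(
    r'(?P<client_ip>[0-9a-fA-F.:]+):(?P<client_port>\d+) '
    r'\[(?P<accept_date>[^\]]+)\] '
    r'(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<Tq>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Tt>\+?\d+) '
    r'(?P<status>-?\d+) (?P<bytes_read>\+?\d+) '
    r'(?P<req_cookie>\S+) (?P<resp_cookie>\S+) (?P<term_state>\S{4}) '
    r'(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srv_conn>\d+)/(?P<retries>\+?\d+) '
    r'(?P<srv_queue>\d+)/(?P<backend_queue>\d+) '
    r'(?:\{(?P<req_headers>[^}]*)\} )?(?:\{(?P<resp_headers>[^}]*)\} )?'
    r'"(?P<request>[^"]*)"'
)

INT_FIELDS = ("Tq", "Tw", "Tc", "Tr", "Tt", "status", "bytes_read", "retries")


def parse_httplog(line):
    """Return the fields of one httplog line as a dict (ints where numeric).
    search() skips the syslog prefix ("Jun 10 17:27:33 localhost haproxy[..]:")."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not an HAProxy httplog line")
    entry = m.groupdict()
    for field in INT_FIELDS:
        # A leading '+' marks a value logged early ("logasap"); drop it.
        entry[field] = int(entry[field].lstrip("+"))
    return entry


def diagnose(entry):
    """Read the timers the way the thread does."""
    tq, tw, tc, tr, tt = (entry[k] for k in ("Tq", "Tw", "Tc", "Tr", "Tt"))
    state = entry["term_state"]
    result = {
        # 's' = server-side timeout expired, 'H' = while waiting for headers
        "server_timeout_waiting_headers": state[:2] == "sH",
        "server_never_answered": tr == -1,
        "client_request_ms": tq,
        "server_wait_ms": None,
        "timeout_server_guess_s": None,
        "tq_multiple_of_3s": False,
    }
    if tr == -1 and tc >= 0:
        # With no response at all, Tt minus the request, queue and connect
        # phases is the time spent waiting on the server, which is roughly
        # the configured "timeout server" when the state is sH.
        wait = tt - tq - tw - tc
        result["server_wait_ms"] = wait
        result["timeout_server_guess_s"] = round(wait / 1000)
    # Heuristic quoted from the docs in the thread: a timer that is a whole
    # multiple of 3 seconds usually comes from TCP retransmissions (3s, 9s, 27s).
    secs = tq // 1000
    result["tq_multiple_of_3s"] = secs >= 3 and secs % 3 == 0
    return result


# The line quoted in the thread, re-joined onto a single line.
SAMPLE = ('Jun 10 17:27:33 localhost haproxy[23508]: 10.126.160.11:37139 '
          '[10/Jun/2015:17:26:03.027] http-in resub-bb-default/njorch0pe16 '
          '30935/0/1/-1/90937 504 194 - - sH-- 16/14/0/0/0 0/0 '
          '{569760396|297|RESUB|EMAIL|0|9001|0|0|1.0|NJ|60} "POST /somepath HTTP/1.1"')

if __name__ == "__main__":
    entry = parse_httplog(SAMPLE)
    print(entry["backend"], entry["server"], entry["status"], entry["term_state"])
    for key, value in diagnose(entry).items():
        print(f"{key}: {value}")
```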



Re: Need help about ACLs settings

2015-06-11 Thread Baptiste
Or enable the proxy protocol:
  
http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.5.html#send-proxy
  
http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.5.html#accept-proxy

Baptiste

On Thu, Jun 11, 2015 at 11:56 AM, Thierry FOURNIER
 wrote:
> On Thu, 11 Jun 2015 09:06:43 +
> Thibault LABRUT  wrote:
>
>> Hello,
>>
>> I’m going to install HA Proxy.
>>
>> My architecture is as follows :
>> - 2 servers in DMZ => reverse proxy (RP)
>> - 2 servers in LAN => Load balancing (LB)
>>
>> Several applications contact RP with different IP addresses but always with the
>> same port.
>>
>> With the settings as below the connection is up :
>>
>> RP settings
>>
>> # Frontend
>> frontend http_test
>> bind xx.xx.xx.xx:42
>> capture request header Host len 200
>> default_backend test
>>
>> # Backend
>> backend test
>> server srv_test test.maycompany.local:42 check
>>
>> LB settings
>>
>> # Frontend
>> frontend http_test
>> bind xx.xx.xx.xx:42
>> capture request header Host len 200
>> default_backend test
>>
>> # Backend
>> backend test
>> balance roundrobin
>> server test01 xx.xx.xx.xx:42 check
>> server test02 xx.xx.xx.xx:42 check
>>
>> But in this case the connection is down :
>>
>> # Frontend
>> frontend http_test
>> bind xx.xx.xx.xx:42
>> capture request header Host len 200
>>
>> # ACL
>> acl acl_test src 12.34.56.78 (IP client)
>> use_backend test if acl_test
>>
>> # Backend
>> backend test
>> server srv_test test.maycompany.local:42 check
>>
>> LB settings
>>
>> # Frontend
>> frontend http_test
>> bind xx.xx.xx.xx:42
>> capture request header Host len 200
>>
>> # ACL
>> acl acl_test src 12.34.56.78
>> use_backend test if acl_test
>>
>> # Backend
>> backend test
>> balance roundrobin
>> server test01 xx.xx.xx.xx:42 check
>> server test02 xx.xx.xx.xx:42 check
>>
>> Can you tell me what the problem is with my settings?
>>
>
>
> Hi,
>
> If I understand, you have two HAProxy chained, RP is in front and LB is
> in back.
>
> In this case, the connections received by the LB load balancer cannot
> know the original source IP, because the connections are established by
> the LB load balancer with its own IP.
>
> You can use the header "x-forwarded-for" for storing the original source
> IP. The directive is "option forwardfor". On the LB HAProxy, you
> can use a sample that returns the content of the header
> x-forwarded-for, like this:
>
>acl acl_test fhdr(x-forwarded-for) -m ipv4 12.34.56.78
>
> best regards
> Thierry
>
>
>> Best Regards,
>>
>> Thibault Labrut.
>



Re: Need help about ACLs settings

2015-06-11 Thread Baptiste
On Thu, Jun 11, 2015 at 11:06 AM, Thibault LABRUT
 wrote:
> Hello,
>
> I’m going to install HA Proxy.
>
> My architecture is as follows :
> - 2 servers in DMZ => reverse proxy (RP)
> - 2 servers in LAN => Load balancing (LB)
>
> Several applications contact RP with different IP addresses but always with the
> same port.
>
> With the settings as below the connection is up :
>
> RP settings
>
> # Frontend
> frontend http_test
> bind xx.xx.xx.xx:42
> capture request header Host len 200
> default_backend test
>
> # Backend
> backend test
> server srv_test test.maycompany.local:42 check
>
> LB settings
>
> # Frontend
> frontend http_test
> bind xx.xx.xx.xx:42
> capture request header Host len 200
> default_backend test
>
> # Backend
> backend test
> balance roundrobin
> server test01 xx.xx.xx.xx:42 check
> server test02 xx.xx.xx.xx:42 check
>
> But in this case the connection is down :
>
> # Frontend
> frontend http_test
> bind xx.xx.xx.xx:42
> capture request header Host len 200
>
> # ACL
> acl acl_test src 12.34.56.78 (IP client)
> use_backend test if acl_test
>
> # Backend
> backend test
> server srv_test test.maycompany.local:42 check
>
> LB settings
>
> # Frontend
> frontend http_test
> bind xx.xx.xx.xx:42
> capture request header Host len 200
>
> # ACL
> acl acl_test src 12.34.56.78
> use_backend test if acl_test
>
> # Backend
> backend test
> balance roundrobin
> server test01 xx.xx.xx.xx:42 check
> server test02 xx.xx.xx.xx:42 check
>
> Can you tell me what the problem is with my settings?
>
> Best Regards,
>
> Thibault Labrut.



Hi Thibault,

In the second case, you don't have any default backend.
So you'll get a 503 unless you are 12.34.56.78.

Baptiste



Re: Limiting concurrent range connections

2015-06-04 Thread Baptiste
Could you give more information about the issue: haproxy version,
compilation procedure, etc...
and some gdb output?

Baptiste

On Thu, Jun 4, 2015 at 1:43 PM, Sachin Shetty  wrote:
> I did try it, it needs 1.6.dev1 and that version segfaults as soon as the
> request is made
>
> (egnyte_server)egnyte@egnyte-laptop:~/haproxy$ ~/haproxy/sbin/haproxy -f
> conf/haproxy.conf -d
> [WARNING] 154/044207 (24974) : Setting tune.ssl.default-dh-param to 1024
> by default, if your workload permits it you should set it to at least
> 2048. Please set a value >= 1024 to make this warning disappear.
> Note: setting global.maxconn to 2000.
> Available polling systems :
>   epoll : pref=300,  test result OK
>poll : pref=200,  test result OK
>  select : pref=150,  test result FAILED
> Total: 3 (2 usable), will use epoll.
> Using epoll() as the polling mechanism.
> :haproxy_l2.accept(0005)=0009 from [192.168.56.102:50119]
> Segmentation fault
>
>
>
> Thanks
> Sachin
>
>
> On 6/4/15 3:45 PM, "Baptiste"  wrote:
>
>>Hi sachin,
>>
>>Look at my conf, I turned your tcp-request content statement into
>>http-request.
>>
>>Baptiste
>>
>>On Thu, Jun 4, 2015 at 12:05 PM, Sachin Shetty  wrote:
>>> Tried it, I don't see the table populating at all.
>>>
>>> stick-table type string size  1M expire 10m store conn_cur
>>> acl is_range  hdr_sub(Range) bytes=
>>> acl is_path_throttled path_beg /public-api/v1/fs-content-download
>>> #tcp-request content track-sc1 base32 if is_range is_path_throttled
>>> http-request set-header X-track %[url]
>>> tcp-request content track-sc1 req.hdr(X-track) if is_range
>>> is_path_throttled
>>> http-request deny if { sc1_conn_cur gt 2 } is_range is_path_throttled
>>>
>>> (egnyte_server)egnyte@egnyte-laptop:~$ echo "show table haproxy_l2" |
>>> socat /tmp/haproxy.sock stdio
>>> # table: haproxy_l2, type: string, size:1048576, used:0
>>>
>>> (egnyte_server)egnyte@egnyte-laptop:~$
>>>
>>>
>>>
>>>
>>>
>>>
>>> On 6/3/15 8:36 PM, "Baptiste"  wrote:
>>>
>>>>Yes, the url sample copies whole URL as sent by the client.
>>>>Simply give it a try on a staging server and let us know the status.
>>>>
>>>>Baptiste
>>>>
>>>>On Wed, Jun 3, 2015 at 3:19 PM, Sachin Shetty 
>>>>wrote:
>>>>> Thanks Baptiste - Will "http-request set-header X-track %[url]" help
>>>>>me
>>>>> track URL with query parameters as well?
>>>>>
>>>>> On 6/3/15 6:36 PM, "Baptiste"  wrote:
>>>>>
>>>>>>On Wed, Jun 3, 2015 at 2:17 PM, Sachin Shetty 
>>>>>>wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I am trying to write some throttles that would limit concurrent
>>>>>>>connections
>>>>>>> for Range requests + specific urls. For example I want to allow
>>>>>>>only 2
>>>>>>> concurrent range requests downloading a file
>>>>>>> /public-api/v1/fs-content-download
>>>>>>>
>>>>>>> I have a working rule:
>>>>>>>
>>>>>>> stick-table type string size  1M expire 10m store conn_cur
>>>>>>> tcp-request inspect-delay 5s
>>>>>>> acl is_range  hdr_sub(Range) bytes=
>>>>>>> acl is_path_throttled path_beg /public-api/v1/fs-content-download
>>>>>>> tcp-request content track-sc1 base32 if is_range is_path_throttled
>>>>>>> http-request deny if { sc1_conn_cur gt 2 } is_range
>>>>>>>is_path_throttled
>>>>>>>
>>>>>>> Just wanted to see if there is a better way of doing this? Is this
>>>>>>>efficient
>>>>>>> enough.
>>>>>>>
>>>>>>> I need to include the query string as well in my tracker, but I
>>>>>>>could
>>>>>>>not
>>>>>>> figure that out.
>>>>>>>
>>>>>>> Thanks
>>>>>>> Sachin
>>>>>>>
>>>>>>
>>>>>>Hi Sachin,
>>>>>>
>>>>>>I would do it like this:
>>>>>>
>>>>>> stick-table type string size  1M expire 10m store conn_cur
>>>>>> tcp-request inspect-delay 5s
>>>>>> tcp-request accept if HTTP
>>>>>> acl is_range  hdr_sub(Range) bytes=
>>>>>> acl is_path_throttled path_beg /public-api/v1/fs-content-download
>>>>>> http-request set-header X-track %[url]
>>>>>> http-request track-sc1 req.hdr(X-track) if is_range is_path_throttled
>>>>>> http-request deny if { sc1_conn_cur gt 2 } is_range is_path_throttled
>>>>>>
>>>>>>There might be some typo, but you get the idea.
>>>>>>
>>>>>>Baptiste
>>>>>
>>>>>
>>>
>>>
>
>



Re: Limiting concurrent range connections

2015-06-04 Thread Baptiste
Hi sachin,

Look at my conf, I turned your tcp-request content statement into http-request.

Baptiste

On Thu, Jun 4, 2015 at 12:05 PM, Sachin Shetty  wrote:
> Tried it, I don't see the table populating at all.
>
> stick-table type string size  1M expire 10m store conn_cur
> acl is_range  hdr_sub(Range) bytes=
> acl is_path_throttled path_beg /public-api/v1/fs-content-download
> #tcp-request content track-sc1 base32 if is_range is_path_throttled
> http-request set-header X-track %[url]
> tcp-request content track-sc1 req.hdr(X-track) if is_range
> is_path_throttled
> http-request deny if { sc1_conn_cur gt 2 } is_range is_path_throttled
>
> (egnyte_server)egnyte@egnyte-laptop:~$ echo "show table haproxy_l2" |
> socat /tmp/haproxy.sock stdio
> # table: haproxy_l2, type: string, size:1048576, used:0
>
> (egnyte_server)egnyte@egnyte-laptop:~$
>
>
>
>
>
>
> On 6/3/15 8:36 PM, "Baptiste"  wrote:
>
>>Yes, the url sample copies whole URL as sent by the client.
>>Simply give it a try on a staging server and let us know the status.
>>
>>Baptiste
>>
>>On Wed, Jun 3, 2015 at 3:19 PM, Sachin Shetty  wrote:
>>> Thanks Baptiste - Will "http-request set-header X-track %[url]" help me
>>> track URL with query parameters as well?
>>>
>>> On 6/3/15 6:36 PM, "Baptiste"  wrote:
>>>
>>>>On Wed, Jun 3, 2015 at 2:17 PM, Sachin Shetty 
>>>>wrote:
>>>>> Hi,
>>>>>
>>>>> I am trying to write some throttles that would limit concurrent
>>>>>connections
>>>>> for Range requests + specific urls. For example I want to allow only 2
>>>>> concurrent range requests downloading a file
>>>>> /public-api/v1/fs-content-download
>>>>>
>>>>> I have a working rule:
>>>>>
>>>>> stick-table type string size  1M expire 10m store conn_cur
>>>>> tcp-request inspect-delay 5s
>>>>> acl is_range  hdr_sub(Range) bytes=
>>>>> acl is_path_throttled path_beg /public-api/v1/fs-content-download
>>>>> tcp-request content track-sc1 base32 if is_range is_path_throttled
>>>>> http-request deny if { sc1_conn_cur gt 2 } is_range is_path_throttled
>>>>>
>>>>> Just wanted to see if there is a better way of doing this? Is this
>>>>>efficient
>>>>> enough.
>>>>>
>>>>> I need to include the query string as well in my tracker, but I could
>>>>>not
>>>>> figure that out.
>>>>>
>>>>> Thanks
>>>>> Sachin
>>>>>
>>>>
>>>>Hi Sachin,
>>>>
>>>>I would do it like this:
>>>>
>>>> stick-table type string size  1M expire 10m store conn_cur
>>>> tcp-request inspect-delay 5s
>>>> tcp-request accept if HTTP
>>>> acl is_range  hdr_sub(Range) bytes=
>>>> acl is_path_throttled path_beg /public-api/v1/fs-content-download
>>>> http-request set-header X-track %[url]
>>>> http-request track-sc1 req.hdr(X-track) if is_range is_path_throttled
>>>> http-request deny if { sc1_conn_cur gt 2 } is_range is_path_throttled
>>>>
>>>>There might be some typo, but you get the idea.
>>>>
>>>>Baptiste
>>>
>>>
>
>



Re: Limiting concurrent range connections

2015-06-03 Thread Baptiste
Yes, the url sample copies whole URL as sent by the client.
Simply give it a try on a staging server and let us know the status.

Baptiste

On Wed, Jun 3, 2015 at 3:19 PM, Sachin Shetty  wrote:
> Thanks Baptiste - Will "http-request set-header X-track %[url]" help me
> track URL with query parameters as well?
>
> On 6/3/15 6:36 PM, "Baptiste"  wrote:
>
>>On Wed, Jun 3, 2015 at 2:17 PM, Sachin Shetty  wrote:
>>> Hi,
>>>
>>> I am trying to write some throttles that would limit concurrent
>>>connections
>>> for Range requests + specific urls. For example I want to allow only 2
>>> concurrent range requests downloading a file
>>> /public-api/v1/fs-content-download
>>>
>>> I have a working rule:
>>>
>>> stick-table type string size  1M expire 10m store conn_cur
>>> tcp-request inspect-delay 5s
>>> acl is_range  hdr_sub(Range) bytes=
>>> acl is_path_throttled path_beg /public-api/v1/fs-content-download
>>> tcp-request content track-sc1 base32 if is_range is_path_throttled
>>> http-request deny if { sc1_conn_cur gt 2 } is_range is_path_throttled
>>>
>>> Just wanted to see if there is a better way of doing this? Is this
>>>efficient
>>> enough.
>>>
>>> I need to include the query string as well in my tracker, but I could
>>>not
>>> figure that out.
>>>
>>> Thanks
>>> Sachin
>>>
>>
>>Hi Sachin,
>>
>>I would do it like this:
>>
>> stick-table type string size  1M expire 10m store conn_cur
>> tcp-request inspect-delay 5s
>> tcp-request accept if HTTP
>> acl is_range  hdr_sub(Range) bytes=
>> acl is_path_throttled path_beg /public-api/v1/fs-content-download
>> http-request set-header X-track %[url]
>> http-request track-sc1 req.hdr(X-track) if is_range is_path_throttled
>> http-request deny if { sc1_conn_cur gt 2 } is_range is_path_throttled
>>
>>There might be some typo, but you get the idea.
>>
>>Baptiste
>
>



Re: add header or query parameter when redirecting

2015-06-03 Thread Baptiste
>
> Hi Baptiste,
>
> Unfortunately, we are not willing to upgrade to HAproxy 1.6 just yet, so we
> are going to use another solution for this redirect (change DNS records to
> resolve old hostnames to the new web server).
>
> Thank you for the info anyway, it may be useful for another time.
>
> Sylvain

Well, HAPEE-1.5-r2 will have this feature and will be available soon.
It's part of the backports from 1.6.
Contact us at http://www.haproxy.com for more information.
Cherry on the cake, you'll have access to our support team in the meantime :)

Baptiste



Re: Dynamic backend selection using maps

2015-06-03 Thread Baptiste
hi Jim,

hdr_end could do the trick if you include the '.' in the matching string.

Baptiste


On Wed, Jun 3, 2015 at 4:55 PM, Jim Gronowski  wrote:
> I’m not very familiar with the map function, but does hdr_end(host) work in
> this context?
>
>
>
> If so, in order to only match *.foo.com and not blahfoo.com, you’d need to
> include the dot in your map – ‘.foo.com’ instead of ‘foo.com’.
>
>
>
>
>
> From: David Reuss [mailto:shuffle...@gmail.com]
> Sent: Wednesday, June 03, 2015 05:23
> To: haproxy@formilux.org
> Subject: Dynamic backend selection using maps
>
>
>
> Hello,
>
>
>
> I have this use_backend declaration:
>
>
>
> use_backend
> %[req.hdr(host),lower,map_dom(/etc/haproxy/worker.map,b_nodes_default)]
>
>
>
> Which seems to work wonderfully, but say I have "foo.com" in my map, it will
> match foo.com.whatever.com, and ideally I'd like to only match if the domain
> ends with my value (foo.com), and also, it should NOT match blahfoo.com
>
>
>
> How would I achieve that?
>
>
>



Re: add header or query parameter when redirecting

2015-06-03 Thread Baptiste
On Wed, Jun 3, 2015 at 11:58 AM, Sylvain Faivre
 wrote:
> Hello,
>
> I use the redirect directive to redirect users from old sites to a new site,
> eg:
> redirect prefix http://new-site.com code 301 if old-site
>
> I would like to redirect requests from many old sites to the same new site,
> so I need a way to add info about the old host in the new redirected
> request.
>
> I'm looking for a way to add a header to the redirected request to identify
> the host, for example :
> X-Orig-Site: old-site-123.com
>
> Is this possible ?
>
> I guess I can't add a header to the request with HAproxy, since HAproxy only
> sends a new Location header to the browser, and the browser sets the
> headers.
>
> So, is there a way to alter the location sent in the redirect, to include «
> &orig-site=old-site-123.com » ?
>
> I think I'm missing something here.
> Should I use « http-request redirect » instead of « redirect prefix » ?
>
>
> By the way, I tried to use the set-cookie option for this, but it was a bad
> idea :
> redirect prefix http://new-site.com code 301 set-cookie
> ORIG=%[hdr(host)] if old_site
>
> This doesn't work for two reasons :
>
> 1. The « %[hdr(host)] » part is sent literally in the request :
> Set-Cookie: ORIG=%[hdr(host)]; path=/;
>
> 2. The request sent to new-site.com doesn't seem to include this cookie
>
>
> Sylvain
>

Hi Sylvain,

The only "good way" to do what you want to achieve is to use a query
string parameter and http-request and http-response rules coupled to a
few sections...
Basically, haproxy is not able to modify the headers sent by a
redirect rule. So the trick here is to perform the redirect in a
dummy frontend section used as a server in a dedicated backend and
insert a header in the response, like this:

backend be_redirect
  http-request capture req.hdr(host),word(1,:),lower len 32
  http-response replace-value Location (.*) \1&orig-site=%[capture.req.hdr(0)] if { res.hdr(Location) -m sub ? }
  http-response replace-value Location (.*) \1?orig-site=%[capture.req.hdr(0)] if !{ res.hdr(Location) -m sub ? }
  server dummy_redirect 127.0.0.1:8001

frontend fe_dummy_redirect
  bind 127.0.0.1:8001
  http-request redirect prefix http://new-site.com code 301


Note that this configuration needs HAProxy 1.6 (latest snapshot).

Baptiste
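The Location rewrite that the be_redirect / fe_dummy_redirect pair above performs, written out in Python as an added example (not code from the list or from HAProxy) so both branches, a Location with and without an existing query string, can be checked. The hostname allow-list check in capture_orig_host is an assumption added here, not something in the thread.

```python
import re

NEW_SITE = "http://new-site.com"   # prefix used by the redirect rule above
# Assumption added here: only a plain DNS-style hostname is reflected, so the
# Host value a client sends cannot carry extra query parameters or URL syntax
# into the Location header the browser receives.
HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*$")


def capture_orig_host(host_header):
    """Equivalent of 'http-request capture req.hdr(host),word(1,:),lower':
    take the part before any ':port' and lowercase it."""
    host = host_header.split(":", 1)[0].strip().lower()
    return host if HOSTNAME_RE.match(host) else None


def redirect_prefix(uri):
    """What 'http-request redirect prefix http://new-site.com' puts in Location:
    the prefix followed by the original request URI."""
    return NEW_SITE + uri


def add_orig_site(location, host):
    """The two 'http-response replace-value Location' rules: append the
    parameter with '&' when Location already has a query string ('-m sub ?'),
    otherwise start one with '?'."""
    sep = "&" if "?" in location else "?"
    return f"{location}{sep}orig-site={host}"


def redirect_with_orig_site(host_header, uri):
    """A request's full path through be_redirect: (status, Location)."""
    location = redirect_prefix(uri)
    host = capture_orig_host(host_header)
    if host is not None:
        location = add_orig_site(location, host)
    return 301, location


if __name__ == "__main__":
    # Constructed sample requests: plain, with port and query string, malformed.
    for host, uri in (("old-site-123.com", "/page"),
                      ("Old-Site-123.com:8080", "/search?q=haproxy"),
                      ("not a hostname?x=1", "/")):
        print(host, uri, "->", redirect_with_orig_site(host, uri))
```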



Re: Limiting concurrent range connections

2015-06-03 Thread Baptiste
On Wed, Jun 3, 2015 at 2:17 PM, Sachin Shetty  wrote:
> Hi,
>
> I am trying to write some throttles that would limit concurrent connections
> for Range requests + specific urls. For example I want to allow only 2
> concurrent range requests downloading a file
> /public-api/v1/fs-content-download
>
> I have a working rule:
>
> stick-table type string size  1M expire 10m store conn_cur
> tcp-request inspect-delay 5s
> acl is_range  hdr_sub(Range) bytes=
> acl is_path_throttled path_beg /public-api/v1/fs-content-download
> tcp-request content track-sc1 base32 if is_range is_path_throttled
> http-request deny if { sc1_conn_cur gt 2 } is_range is_path_throttled
>
> Just wanted to see if there is a better way of doing this? Is this efficient
> enough.
>
> I need to include the query string as well in my tracker, but I could not
> figure that out.
>
> Thanks
> Sachin
>

Hi Sachin,

I would do it like this:

  # default string key length is 32; add "len N" if the tracked URLs are longer
  stick-table type string size 1M expire 10m store conn_cur
  tcp-request inspect-delay 5s
  tcp-request content accept if HTTP
  acl is_range hdr_sub(Range) bytes=
  acl is_path_throttled path_beg /public-api/v1/fs-content-download
  http-request set-header X-track %[url]
  http-request track-sc1 req.hdr(X-track) if is_range is_path_throttled
  http-request deny if { sc1_conn_cur gt 2 } is_range is_path_throttled

There might be some typos, but you get the idea.

Baptiste



Re: Dynamic backend selection using maps

2015-06-03 Thread Baptiste
On Wed, Jun 3, 2015 at 2:22 PM, David Reuss  wrote:
> Hello,
>
> I have this use_backend declaration:
>
> use_backend
> %[req.hdr(host),lower,map_dom(/etc/haproxy/worker.map,b_nodes_default)]
>
> Which seems to work wonderfully, but say I have "foo.com" in my map, it will
> match foo.com.whatever.com, and ideally I'd like to only match if the domain
> ends with my value (foo.com), and also, it should NOT match blahfoo.com
>
> How would I achieve that?

Hi David,

Store .foo.com as your map key, then use:
%[req.hdr(host),lower,map_end(/etc/haproxy/worker.map,b_nodes_default)]

Baptiste
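To show which hostnames each lookup actually routes, here is a Python model of map_dom versus map_end run against the names from David's question. It is an added example, not HAProxy's code; the map contents, backend names and the word(1,:) port stripping are assumptions.

```python
"""Model of HAProxy's map_dom and map_end lookups on this thread's hostnames.

Added example, not HAProxy code: the two match methods are re-implemented
following the HAProxy 1.5 configuration manual ("dom": a dot-delimited
portion of the sample equals the key; "end": the sample ends with the key)
so the routing decision can be checked offline. Map contents, backend names
and the port handling are constructed assumptions.
"""
from typing import Callable, Dict

DEFAULT_BACKEND = "b_nodes_default"

# Constructed stand-ins for /etc/haproxy/worker.map (key -> backend).
WORKER_MAP_DOM: Dict[str, str] = {"foo.com": "b_nodes_foo"}     # key as David posted it
WORKER_MAP_END: Dict[str, str] = {".foo.com": "b_nodes_foo"}    # key as Baptiste suggested


def dom_match(sample: str, key: str) -> bool:
    """HAProxy "dom" match: key occurs in sample bounded by dots or string ends."""
    start = 0
    while True:
        idx = sample.find(key, start)
        if idx < 0:
            return False
        end = idx + len(key)
        left_ok = idx == 0 or sample[idx - 1] == "."
        right_ok = end == len(sample) or sample[end] == "."
        if left_ok and right_ok:
            return True
        start = idx + 1


def end_match(sample: str, key: str) -> bool:
    """HAProxy "end" match: sample ends with key."""
    return sample.endswith(key)


def lookup(sample: str, table: Dict[str, str],
           matcher: Callable[[str, str], bool], default: str = DEFAULT_BACKEND) -> str:
    """First map entry whose key matches, else the default (map_*(file,default))."""
    for key, value in table.items():
        if matcher(sample, key):
            return value
    return default


def strip_port(host: str) -> str:
    """What word(1,:) does to a Host header: drop an optional :port suffix."""
    return host.split(":", 1)[0]


def route_map_dom(host: str) -> str:
    """req.hdr(host),lower,map_dom(worker.map,b_nodes_default) as in David's config."""
    return lookup(host.lower(), WORKER_MAP_DOM, dom_match)


def route_map_end(host: str) -> str:
    """req.hdr(host),lower,map_end(worker.map,b_nodes_default) with a .foo.com key."""
    return lookup(host.lower(), WORKER_MAP_END, end_match)


def route_map_end_no_port(host: str) -> str:
    """Same as route_map_end after word(1,:), so "www.foo.com:8080" still matches."""
    return lookup(strip_port(host).lower(), WORKER_MAP_END, end_match)
```

A Host header may carry a port, and neither lookup matches "www.foo.com:8080" until the port is stripped (compare route_map_end with route_map_end_no_port); the redirect thread earlier on this page uses the same word(1,:) converter for that.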



Re: Global least loaded server

2015-06-02 Thread Baptiste
On Tue, Jun 2, 2015 at 6:36 PM, N P  wrote:
> Hi,
>
> I want to send two transactions with different weights to different servers.
> I have done this using frontend, backend, and ACL as can be seen from the
> below config.
> The other requirement is to also use leastconn balancing.
>
> The problem is that in this setting, leastconn applies within each backend
> and the selected server is not essentially the GLOBAL least loaded server in
> total (maybe due to a bug in the system). Note that, same servers are used
> in the backends with different weights.
> From what I understood from the code, the problem seems to be that each
> backend tracks the number of connection of its own servers separately.
> Therefore, although a server is overloaded in one backend, the other backend
> might think that it is completely free.
>
>
> My requirement is to forward requests to different servers with different
> weights, but select the least loaded server in total. I checked Haproxy code
> to see what I need to change, but could not figure it out. I am not very
> familiar with HAProxy code and structure. I wonder if there is an easy
> solution to do this, or if someone can help me with some directions to do
> this; either to config HAProxy differently or to change its code to address
> my requirement.
> Any help is appreciated.
>
>
> My setting is:
>
> backend BK1
>   balance leastconn
>   server web1 000.000.000.000:00 weight W1
>   server web2 111.111.111.111:11 weight W2
>
> backend BK2
>   balance leastconn
>   server web1 000.000.000.000:00 weight W3
>   server web2 111.111.111.111:11 weight W4
>
>
> frontend http
>   bind *:80
>   mode http
>   acl myACL url_beg /MYURL
>   use_backend BK1 if myACL
>   default_backend BK2


Hi,

Your health checks should be able to report an overloaded server or,
better, use the agent-check for this purpose.

Baptiste



Re: Configure Haproxy to dynamically set backend server

2015-06-02 Thread Baptiste
Hello,

What you want to do is a forward proxy.
HAProxy is not able to do this and the coming DNS feature won't allow
it either.

Why do you want to switch from ATS to HAProxy since ATS can do this
easily out of the box?

If you know in advance the server IP address, then there is something
we can do using faked cookie persistence and a map.
It is much simpler than a lot of if/then/else in Lua.

Baptiste


On Tue, Jun 2, 2015 at 3:59 AM, Mrunmayi Dhume  wrote:
> Hello,
>
> Thanks for all your help. Any rough estimate on when the patch for doing DNS
> resolutions during runtime with asynchronous methods might be out?
>
> -Mrunmayi
>
>
>
> On Saturday, May 30, 2015 2:47 AM, Thierry FOURNIER 
> wrote:
>
>
> On Sat, 30 May 2015 00:25:59 + (UTC)
> Mrunmayi Dhume  wrote:
>
>> Hello Thierry,
>> This seems to be what we are looking for, however it doesn't seem to work
>> as expected. When we use your example as is, it seems to fail with a 500
>> error. When we switch to using a IP address, it works, so it seems like DNS
>> resolution is a problem?
>
>
> Yes, haproxy cannot execute DNS resolutions while it is running. It does
> DNS resolution only during the configuration parsing. It's because the
> standard DNS resolution is a synchronous process, and the HAProxy
> architecture does not accept synchronous processes.
>
> Note that a patch is currently in development for doing DNS resolutions
> during the runtime with asynchronous methods.
>
>
>> As per this doc -
>> http://cbonte.github.io/haproxy-dconv/configuration-1.6.html#4-option%20http_proxy
>> http-proxy mode does not accept hostname, instead it only accepts IP.
>> The below example works:
>>   core.register_fetches("choose_backend", function(txn)
>>     if txn.sf:req_fhdr("Host") == 'example.test.com' and txn.sf:req_path() == '/test' then
>>       return "1.1.1.1"
>>     elseif [...]
>>     end
>>     return "default_backend"
>>   end);
>> In the haproxy configuration file, you must load the lua file, and use the
>> new declared fetch in your frontend:
>>   global
>>     [...]
>>     lua-load your-lua-file.lua
>>     [...]
>>   listen your_frt
>>     [...]
>>     option http_proxy
>>     http-request set-uri http://%[lua.choose_backend]%[url]
>> We don't want to have to specify the IP as that means that we will have to
>> perform some sort of dns resolution in lua. Can you suggest an alternative?
>
>
> Actually, you can use maps to do this. A map is a file containing a
> name and its correspondence. You can put a hostname and the associated
> ip.
>
> This map can be updated through the HAProxy's socket (without
> restarting HAProxy). This is not a real DNS Resolution, you must know
> the full list of your domains.
>
>
> Thierry
>
>
>>   Thanks!
>> -Mrunmayi
>>
>>
>>  On Wednesday, May 27, 2015 1:50 AM, Thierry FOURNIER
>>  wrote:
>>
>>
>>  On Tue, 26 May 2015 21:39:23 + (UTC)
>> Mrunmayi Dhume  wrote:
>>
>> > Thanks for your detailed reply Thierry. While this approach would solve
>> > the aspect of choosing the backend dynamically we still need to explicitly
>> > define each backend server separately in the haproxy config file. Our
>> > use-case involves having 100+ backends and we would prefer not to 
>> > complicate
>> > the config file by defining each backend server as it is not easy to
>> > maintain. We  prefer to set it based on incoming http request information
>> > like path or host header and keep haproxy config file simple with just
>> > listen and FE  directives and of course single default backend server
>>
>>
>> Hi,
>>
>> HAProxy does not permit choosing the destination IP and PORT.
>>
>> But, maybe I have an ugly solution to your problem.
>>
>> You can try to deal with the option "option http_proxy". This option
>> understands basic proxy requests.
>>
>> You create a "listen" section which uses Lua for rewriting the path of
>> the HTTP request like this:
>>
>>    core.register_fetches("choose_backend", function(txn)
>>       if txn.sf:req_fhdr("Host") == 'example.test.com' and
>>          txn.sf:req_path() == '/test' then
>>          return "test1.example.com:8081"
>>       elseif
>>          [...]
>>       end
>>       return "default_backend"
>>    end);
>>
>> In the haproxy configuration file, you must load the lua file, and use
>> the new declared fetch in your frontend:
>>
>>global

Re: stick-table and conn_rate question

2015-05-28 Thread Baptiste
On Wed, May 27, 2015 at 3:42 PM, Roland RoLaNd  wrote:
> managed to successfully reject access from specific users depending on
> condition; but what i eventually want is to provide them with a certain page
> instead of reject (redirect isn't an option)
>
>
> backend phoenix
>   stick-table type string len 40 size 5M expire 2m store conn_rate(60s)
>   tcp-request inspect-delay 10s
>   stick on url_param(sid) table phoenix
>   tcp-request content track-sc0 url_param(sid)
>   errorfile 200 /etc/haproxy/custom_response/phoenix.http if { sc0_conn_rate gt 10 }
>
>
> checking socket; the conn rate is above 10:
> 0x8581a0: key=100testing01 use=0 exp=119272 server_id=1
> conn_rate(6)=90
>
>
> I think the problem is that the condition should be set in the frontend config in
> a way that points to the "phoenix" table instead of the default frontend
> table...
>
> any advice?

Hi Roland,
You can use the stick table gpc0 as a flag and query it from the
frontend for the next incoming request.
If greater than 0, route the user to a specific backend where you can
deliver pages.

Some examples here:
http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/

Baptiste



Re: Git-daemon behind HAProxy

2015-05-22 Thread Baptiste
On 22 May 2015 20:08, "Hoggins!"  wrote:
>
> Hi folks,
>
> Has anyone experienced putting git-daemon behind HAProxy ?
> I'm not sure where to start, and Google is not really my friend on that
> one.
>
> Thanks !
>
> Hoggins!
>

Hi Hoggins,

Please describe the characteristics of this application :)

Baptiste


Re: Remove // from URL

2015-05-20 Thread Baptiste
Hi Peter,

Which HAProxy version are you running?
What are your whole configuration settings?

Baptiste


On Wed, May 20, 2015 at 12:18 PM, Peter BUtler
 wrote:
> Sorry, I pressed send a little early on this.  More information:
>
> backend https_mysite
>   mode http
>   option tcp-check
>   reqrep ^([^\ ]*\ )//(.*) \1/\2
>   server webserver 10.1.1.1:80 check
>
> Any ideas what I have missed in getting this to work?
>
> From: Peter BUtler
> Sent: Wednesday, May 20, 2015 9:16 AM
> To: haproxy@formilux.org
> Subject: Remove // from URL
>
> I have a site: https://mysite.com. After a little browsing, something
> within the app gives a https://mysite.com//something or
> https://mysite.com//other-thing
>
> Notice the double slash.  If it exists, how do I remove the second slash
> for all contexts?
>
> I assume a reqrep will do it, but I have not managed to work it out?
>
> Back to basics, this is what I have that is resulting in the //
>
> acl is_mysite hdr_end(host) -i mysite.com
> use_backend https_mysite if is_mysite
>
>
> thanks



Re: Shutdown port when all backends are offline

2015-05-20 Thread Baptiste
> Is there any way to control the frontend in that kind of way, that it does
> not listen on the assigned interface/port, when all backends are down?


You can write your own script which reads the haproxy stats socket and
then stops/disables the frontend if all the backends are down.

Baptiste
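The script suggested above, written out as an added example (not code from the thread or from HAProxy): it reads "show stat" from the stats socket, looks at the BACKEND summary rows of the backends named on the command line, and sends "disable frontend" only when every one of them is DOWN. The socket path is a placeholder, the sample CSV is constructed, and the column positions follow the header HAProxy 1.5 prints.

```python
import csv
import io
import socket
import sys
from typing import Dict, Iterable, Optional

# Placeholder path: use the one from your "stats socket" line, which must
# carry "level admin" for the disable command to be accepted.
STATS_SOCKET = "/var/run/haproxy.sock"

# Column positions in "show stat" CSV output (HAProxy 1.5 layout, matching
# the header row HAProxy prints: pxname, svname, ..., status at column 17).
PXNAME, SVNAME, STATUS = 0, 1, 17

# Constructed sample "show stat" output, cut after a few trailing columns;
# it is not a capture from anyone's system.
SAMPLE_SHOW_STAT = """\
# pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,wretr,wredis,status,weight,act,bck
www,FRONTEND,,,1,3,2000,184,23843,96517588,0,0,0,,,,,OPEN,,,
www-backend,web-1,0,0,0,10,,92,11921,48258794,,0,,14,0,0,90,DOWN,1,1,0
www-backend,web-2,0,0,0,10,,92,11922,48258794,,0,,13,0,0,90,DOWN 1/2,1,1,0
www-backend,BACKEND,0,0,0,10,2000,184,23843,96517588,0,0,,27,0,0,180,DOWN,2,2,0
static,BACKEND,0,0,0,4,2000,40,5000,700000,0,0,,0,0,0,0,UP,1,1,0
"""


def stats_command(cmd: str, path: str = STATS_SOCKET, timeout: float = 2.0) -> str:
    """Send one command to the HAProxy stats socket and return the raw reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(path)
        sock.sendall((cmd.rstrip("\n") + "\n").encode())
        chunks = []
        while True:
            data = sock.recv(65536)
            if not data:  # HAProxy closes the connection after answering
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def backend_status(show_stat_csv: str) -> Dict[str, str]:
    """Map every backend name to the status of its BACKEND summary row."""
    statuses: Dict[str, str] = {}
    for row in csv.reader(io.StringIO(show_stat_csv)):
        if not row or row[0].startswith("#") or len(row) <= STATUS:
            continue
        if row[SVNAME] == "BACKEND":
            statuses[row[PXNAME]] = row[STATUS]
    return statuses


def frontend_should_be_disabled(statuses: Dict[str, str], backends: Iterable[str]) -> bool:
    """True only when every backend the frontend can route to is DOWN.

    A backend missing from the stats output is an error, not a DOWN: the
    frontend is never shut on incomplete data.
    """
    backends = list(backends)
    if not backends:
        raise ValueError("at least one backend name is required")
    missing = [b for b in backends if b not in statuses]
    if missing:
        raise KeyError("backends not found in show stat: %s" % ", ".join(missing))
    return all(statuses[b] == "DOWN" for b in backends)


def disable_frontend_if_dead(frontend: str, backends: Iterable[str],
                             path: str = STATS_SOCKET) -> Optional[str]:
    """Poll the stats socket once; disable the frontend if all backends are DOWN.

    Returns HAProxy's reply to the disable command, or None when nothing was
    done. Re-enabling is left to the operator ("enable frontend <name>") so a
    flapping backend cannot toggle the listener up and down.
    """
    statuses = backend_status(stats_command("show stat", path))
    if frontend_should_be_disabled(statuses, backends):
        return stats_command("disable frontend %s" % frontend, path)
    return None


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: %s FRONTEND BACKEND [BACKEND ...]" % sys.argv[0])
    reply = disable_frontend_if_dead(sys.argv[1], sys.argv[2:])
    print(reply if reply is not None else "frontend left enabled")
```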



Re: [SPAM] backup option doesn't seem to work

2015-05-20 Thread Baptiste
Hi Yves,

The answer is simple.
The client comes with his persistence cookie which is valid.
So HAProxy honors persistence even though the server is a backup one.
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#backup

You can fix it by deleting cookies pointing to servers in backup state.

Baptiste



On Mon, May 18, 2015 at 10:12 AM, Yves Van Wert  wrote:
> Hi Baptiste,
>
> When I made the post to the list we were still running haproxy 1.4. I've
> upgraded yesterday to 1.5 but still notice the same behaviour.
>
> The backend config is :
>
> backend weblogic-tpc
>   mode http
>   stats enable
>   stats auth admin:axihaproxy
>   balance roundrobin
>   cookie SERVERID insert indirect nocache
>   option httpclose
>   option forwardfor
>   option allbackups
>   server igcbiasprd05n 10.130.101.1:9003 check cookie igcbiasprd05n weight 15
>   server igcbiasprd06n 10.130.101.1:9004 check cookie igcbiasprd06n weight 15
>   server igcbiasprd07n 10.130.101.1:9005 check cookie igcbiasprd07n weight 15
>   server igcbiasprd03n 10.130.101.7:9003 check cookie igcbiasprd03n weight 10 backup
>   server igcbiasprd04n 10.130.101.8:9003 check cookie igcbiasprd04n weight 10 backup
>   server igcbiasprd01n 10.130.101.5:9003 check cookie igcbiasprd01n weight 10 backup
>   server igcbiasprd02n 10.130.101.6:9003 check cookie igcbiasprd02n weight 10 backup
>
>
> I'll attach a snippet of the logfile.
>
> do you have any idea what could go wrong ?
>
> regards
> Yves
>
>
>
>
> On Wed, May 6, 2015 at 12:04 PM, Baptiste  wrote:
>>
>> On Mon, May 4, 2015 at 5:38 PM, Yves Van Wert  wrote:
>> > Hi list,
>> >
>> > i've created this backend config :
>> >
>> > backend weblogic-tpc
>> >   mode http
>> >   balance roundrobin
>> >   cookie SERVERID insert indirect nocache
>> >   option httpclose
>> >   option forwardfor
>> >   option allbackups
>> >   server server01n 10.130.101.5:9003 check cookie server01n weight 10
>> >   server server02n 10.130.101.6:9003 check cookie server02n weight 10
>> >   server server05n 10.130.101.1:9003 check cookie server05n weight 15
>> >   server server06n 10.130.101.1:9004 check cookie server06n weight 15
>> >   server server07n 10.130.101.1:9005 check cookie server07n weight 15
>> >   server server03n 10.130.101.7:9003 check cookie server03n weight 10 backup
>> >   server server04n 10.130.101.8:9003 check cookie server04n weight 10 backup
>> >
>> >
>> >
>> > after starting haproxy i notice in the logfile that connections are also
>> > being sent to server03 & 04.  Any idea on how this is possible ?
>> >
>> > thanks
>> > Yves
>>
>>
>> Hi Yves,
>>
>> Please share your logs as well :)
>>
>> Baptiste
>
>



Re: Need help with HAProxy configuration mixed content http and https

2015-05-19 Thread Baptiste
On Wed, May 20, 2015 at 6:49 AM, Tu Nguyen  wrote:
> Hello,
> I'm new to HAProxy. I'm trying to set up HA to handle a mixed content site
> (http and https). My site runs on http except the login box which needs https.
> When I apply the configuration with mode tcp, everything is fine. But I cannot
> modify headers, which I need to identify the user's real IP.
> So I want to use mode http and when I do that, the content of the login box does
> not appear (all css, static files cannot be loaded).
> Could you please tell me if there is any way to fix this problem, or if HAProxy does
> not support this yet?
>
> This is my HAProxy config, below:
>
> ##
> # HAPROXY 1.5.12
> ##
>
> global
> daemon
> user haproxy
> group haproxy
> chroot /home/haproxy
> maxconn 1
> stats socket /tmp/haproxy
> pidfile /var/run/haproxy.pid
> log 127.0.0.1   local1
>   tune.ssl.default-dh-param 2048
>
> defaults
> #mode http
> retries 3
> option redispatch
> timeout connect 5ms
> timeout client 5ms
> timeout server 5ms
> errorfile 400 /prefix/haproxy/errors/400.http
> errorfile 403 /prefix/haproxy/errors/403.http
> errorfile 408 /dev/null
> errorfile 500 /prefix/haproxy/errors/500.http
> errorfile 502 /prefix/haproxy/errors/502.http
> errorfile 503 /prefix/haproxy/errors/503.http
> errorfile 504 /prefix/haproxy/errors/504.http
>
>
> # FRONTEND
>
> frontend fe_https
>   bind *:443 ssl crt /prefix/haproxy/ca/domain01.pem
>   mode http
>   option httpclose
>   option forwardfor
>
>   acl ssl_host01.vn hdr(host) -i host01.vn www.host01.vn
>   use_backend be_host01_https if ssl_host01.vn
>
> frontend fe_http
>   bind *:80
>   log global
>   mode http
>   option httplog
>   option forwardfor
>
>   acl host01.vn hdr(host) -i host01.vn www.host01.vn
>   use_backend be_game5_http if host01.vn
>
> # BACKEND
>
> backend be_host01_https
>   mode http
>   option httplog
>   option forwardfor
>   log global
>   balance roundrobin
>
>   server SSL_HOST_1 10.0.0.1:80 check
>   server SSL_HOST_2 10.0.0.2:80 check
>
> backend be_host01_http
>   mode http
>   log global
>   balance roundrobin
>
>   server HOST_9 10.0.0.1:80 check
>   server HOST_10 10.0.0.2:80 check
>
> ## END
>
> Thanks in advance,
>
> Tu Nguyen,


Hi Tu,

Could you also share the logs generated by HAProxy when trying to access the login page?
Also, your HTTP frontend points to a backend whose name is
be_game5_http. Could you confirm this is a typo or you did not forward
all your configuration?

Baptiste



Re: multiple health checks

2015-05-14 Thread Baptiste
On Thu, May 14, 2015 at 7:54 AM, Glenn Elliott
 wrote:
> Hi All,
>
>
>
> I have a backend server which really needs two health checks to be UP..
>
>
>
> /* config sample */
>
> backend sso-backend
>   redirect scheme https if !{ ssl_fc }
>   stick on src
>   stick-table type ip size 200k expire 60m
>   option forwardfor
>   option httpchk GET /getlinked/GetLinked.aspx
>   http-check expect rstatus 302|200
>   balance leastconn
>   server  sso01 sso01:80 check inter 15s
>   server  sso02 sso02:80 check inter 15s
>
> Backend servers sso01 & sso02 each have a dependent server (web01 & web02
> respectively) that needs checking as well.. if the dependent server fails I
> want to take the backend server down. Is this possible?
>
>            VIP
>             |
>        +----+----+
>        |         |
>      sso01     sso02
>        |         |
>      web01     web02
>


Hi Glenn,

Are sso01 and web01 running on the same server / same IP address?

Baptiste



Re: Issue with SSL

2015-05-13 Thread Baptiste
On Wed, May 13, 2015 at 2:16 PM, Krishna Kumar (Engineering)
 wrote:
> Hi Baptiste,
>
> Thank you very much for the tips. I have nbproc=8 in my configuration. Made
> the following changes:
>
> Added both bind and tune.bufsize change, result -> works.
> Removed the tune.bufsize, result -> works.
> Added bind-process for frontend and backend as:
> bind-process 1,2,3,4,5,6,7,8
> result -> works
> Removed the bind-process, result -> fails.
>
> (the bind-process change you suggested worked for 16K and also for 128K,
> which was what I was initially testing before going smaller to find that
> 16K failed and 4K worked)
>
> The performance for SSL is also very much lower compared to regular traffic,
> it may be related to configuration settings (about 2x to 3x worse):
>
> 128 bytes I/O:
> SSL:BW: 22168.31 KB/s  RPS: 63408.79
> NO-SSL: BW: 61193.31 KB/s   RPS: 175033.38
>
> 64K bytes I/O:
> SSL:BW: 506393.55 KB/s RPS: 7884.49 rps
> NO-SSL: BW: 1101296.07 KB/sRPS: 17147.05 rps
>
> I will send the configuration a little later, as it needs heavy cleaning up,
> there are lots of things I want to clean before that.
>
> Thanks,
> - Krishna Kumar
>


Ok, so we spotted a bug there :)
At least, HAProxy should warn you that your backend and frontend aren't on
the same process.
In my mind, HAProxy silently creates a backend on the frontend's
process, even if it was not supposed to be there. But this behavior
may have changed recently.

No time to dig further in it, but I'll let Willy know so he can check about it.

Simply bear this rule in mind: a frontend and a backend must be on the
same process.

Baptiste



Re: haproxytool which supports HAProxy in nbproc >1 mode

2015-05-13 Thread Baptiste
Hi Pavlos,

Thanks a lot for the great work!
I'm going to have a look at it as soon as possible :)

Baptiste


On Wed, May 13, 2015 at 12:00 AM, Pavlos Parissis
 wrote:
> Hi all,
>
> I have pushed to github a tool which I call haproxytool that can be used
> to perform the most frequent operations on frontends/pools/servers.
> You can find it here https://github.com/unixsurfer/haproxytool.
>
> It uses haproxyadmin Python library which supports HAProxy in
> multi-process mode(nbproc >1) by aggregating operations to all processes.
>
> haproxyadmin Python library is a sister project and it does all the work
> for the tool.
>
> Please have a look at them and let me know what you think.
>
> Warning, I am an engineer who likes to write some code, so if you spot
> something stupid in my code be nice with me and I will do my best to fix
> it :-)
>
> Cheers,
> Pavlos
>



Re: Issue with SSL

2015-05-13 Thread Baptiste
On Wed, May 13, 2015 at 10:07 AM, Krishna Kumar (Engineering)
 wrote:
> Hi all,
>
> I am having the following problem with SSL + large I/O. Details are:
>
> Distribution: Debian 7, Kernel: 3.19.6, ab version: 2.3, haproxy: 1.5.12,
> nginx: 1.2.1
>
> $ ab -k -n 10 -c 100 http://:80/128K
> Works correctly.
>
> $ ab -k -n 1 -c 10 https://:443/4K
> Works correctly.
>
> $ ab -k -n 1 -c 10 https://:443/128K
> No output, finally the only message is:
> apr_poll: The timeout specified has expired (70007)
>
> $ ab -k -n 1 -c 10 https://:443/16K
> No output, finally the only message is:
> apr_poll: The timeout specified has expired (70007)
>
> Configuration file (SSL parts only):
> defaults:
> nbproc=8
> ssl-default-bind-ciphers
> kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
> ssl-default-bind-options no-sslv3
>
> frontend www-https
> bind *:443 ssl crt /etc/ssl/private/haproxy.pem
> reqadd X-Forwarded-Proto:\ https
> default_backend www-backend
>
> $ haproxy -vv | egrep -i "ssl|tls"
>   OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1 USE_TFO=1
> Built with OpenSSL version : OpenSSL 1.0.1k 8 Jan 2015
> Running on OpenSSL version : OpenSSL 1.0.1k 8 Jan 2015
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports prefer-server-ciphers : yes
>
> I found that setting nbproc=1 works for SSL, but setting it to >1 (2, 4, 8)
> hangs
> as above. With nbproc=2, I make slightly more progress than with 8 (system
> has 48 cores though):
>
> $ ab -k -n 1 -c 10 https://:443/128K
> apr_poll: The timeout specified has expired (70007)
> Total of 200 requests completed
>
> I tried adding the following to frontend and backend respectively:
>To the frontend -> bind-process 1,2
>To the backend -> bind-process 3,4,5,6,7,8
>
> How can I fix this issue?
>
> Thanks,
> - Krishna Kumar
>

Hi Krishna,

Well, a frontend and a backend must be on the same HAProxy process.
Please try again by binding all frontend and backend to the same
process and let us know if you still have the issue.

Also, could you share with us your whole configuration, since some
global parameters may have some impact on HAProxy.

That said, it's weird it breaks at 16K...
Could you add the following directive in the global section:
"tune.bufsize 32000" and run again the 16K test and report any issue?
(it's simply a test and should not be used in any case as a workaround!)

Baptiste



Re: Is FTP through haproxy at all viable?

2015-05-08 Thread Baptiste
On Fri, May 8, 2015 at 4:02 PM, Shawn Heisey  wrote:
> I have a load balancer setup with both haproxy and LVS-NAT.  The LVS-NAT
> is giving us high availability for FTP.
>
> When I tried migrating everything from CentOS 5, where it all works, to
> Ubuntu 14 (for the newer kernel and because I find debian-based systems
> far easier to use), everything worked except passive FTP.
>
> Is there a viable solution for FTP through haproxy?  The machine has
> public IP addresses on one side and private on the other, and is
> configured with ip forwarding turned on, so the redundant pair acts as
> the default gateway for the backend machines.  Everything is behind a
> Cisco firewall, so I have disabled the ufw firewall that Ubuntu includes.
>
> Alternatively, if someone can help me make passive FTP work through
> LVS-NAT like it does on CentOS, I am fine with that.  I've asked for
> help on that here:
>
> http://askubuntu.com/questions/620853/lvs-nat-doesnt-work-with-passive-ftp-active-ftp-is-fine
>
> Thanks,
> Shawn
>


Hi Shawn,

Well, FTP can work in active mode only.
To configure it, you must open port 21 and the active ports where your
FTP server expects the user to get connected to.

Baptiste



Re: Question on distribution not according to backend weight

2015-05-08 Thread Baptiste
Hi Frank,


My problem: The weight setting for a backend seems to be ignored when the
> max concurrent session setting is reached. I was expecting the connection
> to get queued for this backend but it seems to flip over to the host that
> has connections available.
>

This is expected.
The queue manager starts working as soon as at least one server has reached
its maxconn. It has
The weight is taken into account by the load-balancing algorithm, but
the queue manager has precedence over it.
Hence as soon as a server has reached its maxconn, it is excluded from the
load-balancing algorithm. Then the relative weight of the remaining servers
is applied.



> I simplified my setup to 2 backend smtp servers, one with weight 100, the
> other with weight 1. The max connection setting is set to 2. I'm opening
> multiple SMTP connections simultaneously to this haproxy server. Attached
> screenshot from haproxy stats shows that backend with weight 1 gets way too
> many sessions.
>
> Increasing max concurrent sessions to 5 or more seem to prevent this
> behavior, but I'm not totally sure about this.
>

The question is "Why do you need a maxconn to 2 on your servers?"



> I would like to have only a small fraction (100:1) of requests go to the
> backend with the lower weight and wonder how to do this correctly. It's
> more important to me to have a defined distribution of connections going to
> backends than answering requests as quickly as possible regardless of what
> backend is used.
>
>
The weight is the right way to go; simply increase your maxconn, unless
there is a good reason for it to be as low as 2.

Baptiste


Re: [haproxy]: Performance of haproxy-to-4-nginx vs direct-to-nginx

2015-05-06 Thread Baptiste
On 7 May 2015 04:24, "Krishna Kumar (Engineering)"  wrote:
>
> I found the source of the problem. One of the backends was being shared
> with another person who was testing iptables rules/tunnel setups, and
> that might have caused some connection drops. I have now removed that
> backend from my setup and use dedicated systems, after which the original
> configuration without specifying source port is working, no connection
> flaps now.
>
> Thanks,
> - Krishna Kumar

How much performance do you have now?

Baptiste


Re: [haproxy]: Performance of haproxy-to-4-nginx vs direct-to-nginx

2015-05-06 Thread Baptiste
On Wed, May 6, 2015 at 7:15 AM, Krishna Kumar (Engineering)
 wrote:
> Hi Baptiste,
>
> On Wed, May 6, 2015 at 1:24 AM, Baptiste  wrote:
>>
>> > Also, during the test, the status of various backend's change often
>> > between
>> > OK to DOWN,
>> > and then gets back to OK almost immediately:
>> >
>> >
>> > www-backend,nginx-3,0,0,0,10,3,184,23843,96517588,,0,,27,0,0,180,DOWN
>> >
>> > 1/2,1,1,0,7,3,6,39,,7,3,1,,220,,2,0,,37,L4CON,,0,0,184,0,0,0,0,00,0,6,Out
>> > of local source ports on the system,,0,2,3,92,
>>
>> this error is curious with the type of traffic you're generating!
>> Maybe you should let HAProxy manage the source ports on behalf of the
>> server.
>> Try adding the "source 0.0.0.0:1024-65535" parameter in your backend
>> description.
>
>
> Yes, this has fixed the issue - I no longer get state change after an hour
> testing.
> The performance didn't improve though. I will check the sysctl parameters
> that
> were different between haproxy/nginx nodes.
>
> Thanks,
> - Krishna Kumar


You have to investigate why this issue happened.
I mean, it is not normal. As Pavlos mentioned, your connection rate is
very low, since you do keep alive and you opened only 500 ports.

Wait, I know, could you share the keep-alive configuration of your nginx servers?
By default, they close connections every 100 requests... This might be
the root of the issue.

The configuration I sent you just tells haproxy to manage the
source ports itself on behalf of the kernel. It is much more efficient for
this task. We never enable it, since in most cases, the kernel is good
enough.

Baptiste



Re: [SPAM] backup option doesn't seem to work

2015-05-06 Thread Baptiste
On Mon, May 4, 2015 at 5:38 PM, Yves Van Wert  wrote:
> Hi list,
>
> i've created this backend config :
>
> backend weblogic-tpc
>   mode http
>   balance roundrobin
>   cookie SERVERID insert indirect nocache
>   option httpclose
>   option forwardfor
>   option allbackups
>   server server01n 10.130.101.5:9003 check cookie server01n weight 10
>   server server02n 10.130.101.6:9003 check cookie server02n weight 10
>   server server05n 10.130.101.1:9003 check cookie server05n weight 15
>   server server06n 10.130.101.1:9004 check cookie server06n weight 15
>   server server07n 10.130.101.1:9005 check cookie server07n weight 15
>   server server03n 10.130.101.7:9003 check cookie server03n weight 10 backup
>   server server04n 10.130.101.8:9003 check cookie server04n weight 10 backup
>
>
>
> after starting haproxy i notice in the logfile that connections are also
> being sent to server03 & 04.  Any idea on how this is possible ?
>
> thanks
> Yves


Hi Yves,

Please share your logs as well :)

Baptiste



Re: Couple of questions on future support

2015-05-06 Thread Baptiste
Hi all,

HTTP/2 will be supported in 1.7, if not in 1.6 :)
It's a long journey, you know :)

Krishna,
Could you elaborate more about the geolocation stuff?
You can do it natively with maps and conversion of MaxMind IP ranges
into HAProxy's subnets.

What feature would you like, what missing stuff do you have here,
please share your information.

Baptiste




On Wed, May 6, 2015 at 11:38 AM, Danijel Starman  wrote:
> Hi,
>
> I believe Willy mentioned that HTTP/2 support is being worked on, I
> assume for 1.6 version.
> --
> *blap*
>
>
> On Wed, May 6, 2015 at 11:04 AM, Krishna Kumar (Engineering)
>  wrote:
>> Hi all,
>>
>> 1. Is there any plan to support HTTP/2? Any estimate on the amount of
>> work/time
>> it would take to implement?
>>
>> 2. Is there any plan to have support for Geolocation (other than what is
>> mentioned
>> in the homepage)?
>>
>> Thanks,
>> - Krishna Kumar
>>
>



Re: [haproxy]: Performance of haproxy-to-4-nginx vs direct-to-nginx

2015-05-05 Thread Baptiste
> Also, during the test, the status of various backend's change often between
> OK to DOWN,
> and then gets back to OK almost immediately:
>
> www-backend,nginx-3,0,0,0,10,3,184,23843,96517588,,0,,27,0,0,180,DOWN
> 1/2,1,1,0,7,3,6,39,,7,3,1,,220,,2,0,,37,L4CON,,0,0,184,0,0,0,0,00,0,6,Out
> of local source ports on the system,,0,2,3,92,

This error is curious with the type of traffic you're generating!
Maybe you should let HAProxy manage the source ports on behalf of the server.
Try adding the "source 0.0.0.0:1024-65535" parameter in your backend
description.


> Please let me know if this can be fixed, as it might help performance even
> more.
>
> In short, for small file sizes, haproxy results are *much* better than
> running against a single
> backend server directly (with some failures as shown above). For big files,
> the numbers for
> haproxy are slightly lower.


The devil might be in your sysctls.

Baptiste



Re: Choosing backend based on constant

2015-04-30 Thread Baptiste
On Thu, Apr 30, 2015 at 11:49 AM, Veiko Kukk  wrote:
> Hi everybody
>
> I'd like to simplify my haproxy configuration management by using almost
> identical configurations for different groups of haproxy installations that
> use different backends based on string comparison. The only difference in
> haproxy configuration files of different groups would be that string.
>
> The configuration logic would be something like this (not syntactically
> correct for haproxy, I know, but should show what I wish to accomplish):
>
> constant = foo # first hostgroup configuration
> constant = bar # second hostgroup configuration
>
> # common configuration for all hostgroups
> use_backend ha_backend_foo if constant == foo
> use_backend ha_backend_bar if constant == bar
> ...
>
> I wonder how to specify that string and form acl to use in 'use_backend'
> statement?
>
> Thanks in advance,
> Veiko


Hi Veiko,

The question is how do you set your constant, what piece of
information do you use from the traffic or whatever?
Then we may help you.

Baptiste



Re: SMTPS and L7 health-checks

2015-04-29 Thread Baptiste
On Wed, Apr 29, 2015 at 9:18 AM, iain  wrote:
> On 29/04/15 04:26, Baptiste wrote:
>
>> Hi,
>> You need to enable the check-ssl on the server line.
>> In your case haproxy sends a check in clear, while the server expects a
>> ciphered connection.
>
> That's correct, because I am trying to keep the health checks on the
> cleartext TCP/25 port.
>
> However, I did try your suggestion to kick it down to SSL. I changed the
> server lines to:
>
> ---CUT--->8---CUT---
> server MTA1 xx.xx.xx.xx:465 check-send-proxy send-proxy check-ssl verify
> none
> server MTA2 xx.xx.xx.xx:465 check-send-proxy send-proxy check-ssl verify
> none
> ---CUT--->8---CUT---
>
> ...but got the same results, connection fails to establish and as it
> terminates, the following appears in the logs:
>
> ---CUT--->8---CUT---
> Apr 29 08:57:58 lb1 haproxy[21820]: 172.23.0.197:35845
> [29/Apr/2015:08:57:38.331] MTASSL MTASSL/MTA1 1/-1/20005 0 sC 1/0/0/0/3 0/0
> Apr 29 08:57:58 lb1 haproxy[21820]: 172.23.0.197:35845
> [29/Apr/2015:08:57:38.331] MTASSL MTASSL/MTA1 1/-1/20005 0 sC 1/0/0/0/3 0/0
> ---CUT--->8---CUT---
>
> The MTA's logs contain only the follow repeating entries:
>
> ---CUT--->8---CUT---
> 2015-04-29 09:11:15 SMTP connection from [xx.xx.xx.xx]:46670
> I=[xx.xx.xx.xx]:25 (TCP/IP connection count = 1)
> 2015-04-29 09:11:15 SMTP connection from [xx.xx.xx.xx]:60941
> I=[xx.xx.xx.xx]:25 (TCP/IP connection count = 2)
> 2015-04-29 09:11:15 SMTP connection from lb2.example.org
> [xx.xx.xx.xx]:46670 I=[xx.xx.xx.xx]:25 lost (error: Connection reset by
> peer)
> 2015-04-29 09:11:15 SMTP connection from lb1.example.org
> [xx.xx.xx.xx]:60941 I=[xx.xx.xx.xx]:25 lost (error: Connection reset by
> peer)
> ---CUT--->8---CUT---
>
> I should perhaps have mentioned that I'm running this on Debian 7 with
> HAproxy version 1.5.8.
>
>


Hi Iain,

You were right, sorry, my fault.
Could you try a tcpdump (capturing whole packets) when you do the
health check on port 25?

What does HAProxy report in its logs?

Baptiste



Re: SMTPS and L7 health-checks

2015-04-28 Thread Baptiste
Le 28 avr. 2015 06:25, "iain"  a écrit :
>
> I have a working configuration for a couple of MTAs listening on TCP/25.
> The layer 7 health checks work just fine with:
>
> ---CUT--->8---CUT---
> listen MTA
>   bind xx.xx.xx.xx:25
>   bind XX:XX:XX:XX:::25
>   mode tcp
>   option tcpka
>   option tcplog
>   option smtpchk HELO lb1.example.org
>   no option http-server-close
>   log global
>   balance leastconn
>   server MTA1 xx.xx.xx.xx:25 check-send-proxy send-proxy check
>   server MTA2 xx.xx.xx.xx:25 check-send-proxy send-proxy check
> ---CUT--->8---CUT---
>
> In addition to this, I also have the same servers listening on TCP/465
> for SSL authenticated connections, with layer 7 health checks being
> performed on the TCP/25 port:
>
> ---CUT--->8---CUT---
> listen MTASSL
>   bind xx.xx.xx.xx:465
>   bind XX:XX:XX:XX::XX:465
>   mode tcp
>   option tcpka
>   option tcplog
>   option smtpchk HELO lb1.net.tain.com
>   no option http-server-close
>   log global
>   balance leastconn
>   server MTA1 xx.xx.xx.xx:465 port 25 check-send-proxy send-proxy check
>   server MTA2 xx.xx.xx.xx:465 port 25 check-send-proxy send-proxy check
> ---CUT--->8---CUT---
>
> The problem I am finding is that connections on the SSL side do not
> cleanly complete. Can someone show me exactly where I am making an error
> in here?
>
>

Hi,
You need to enable the check-ssl on the server line.
In your case haproxy sends a check in clear, while the server expects a
ciphered connection.

Baptiste


Re: Client ip in tcp mode

2015-04-27 Thread Baptiste
Hi Yves,

Could you tell us which application server you are using?
(For offline consultation of the answer.)

Baptiste
Le 27 avr. 2015 07:01, "Yves Van Wert"  a écrit :

> Hi Baptiste,
>
> that did the trick !  Thank you for your assistance
>
> Yves
>
> On Sat, Apr 25, 2015 at 4:35 PM, Baptiste  wrote:
>
>> Hi Yves,
>>
>> proxy protocol is your friend. But the server must be compatible.
>> http://blog.haproxy.com/haproxy/proxy-protocol/
>>
>> Baptiste
>>
>> On Fri, Apr 24, 2015 at 6:33 PM, Yves Van Wert  wrote:
>> > hi list,
>> >
>> > Is there any way to get the client ip passed through to the backend
>> servers
>> > when running in tcp mode? Putting the haproxy in transparent mode is not
>> > really an option.
>> >
>> > Thank you
>> > Yves
>>
>
>


Re: Client ip in tcp mode

2015-04-25 Thread Baptiste
Hi Yves,

proxy protocol is your friend. But the server must be compatible.
http://blog.haproxy.com/haproxy/proxy-protocol/

Baptiste

On Fri, Apr 24, 2015 at 6:33 PM, Yves Van Wert  wrote:
> hi list,
>
> Is there any way to get the client ip passed through to the backend servers
> when running in tcp mode? Putting the haproxy in transparent mode is not
> really an option.
>
> Thank you
> Yves
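Baptiste's answer is that the backend must understand the PROXY protocol. As an added example (not from the thread, and not HAProxy's own code), here is the receiving side: what a "compatible" server does with the one-line version 1 header that HAProxy's `send-proxy` prepends to each backend connection. The sample headers are constructed; the binary version 2 header (`send-proxy-v2`) is not handled here.

```python
"""Parse the PROXY protocol version 1 header that HAProxy's `send-proxy` emits.

Added example, not from the thread and not HAProxy code: this is the
receiving side, i.e. what a "compatible" backend has to do with the one
CRLF-terminated line that precedes the client's first byte.  The sample
headers are constructed.
"""
import ipaddress
from typing import NamedTuple, Optional, Tuple

MAX_V1_HEADER = 107  # longest legal v1 line including CRLF (TCP6 with full addresses)


class ProxyInfo(NamedTuple):
    family: str            # "TCP4", "TCP6" or "UNKNOWN"
    src: Optional[str]     # original client address as HAProxy saw it
    dst: Optional[str]     # address the client connected to on HAProxy
    src_port: Optional[int]
    dst_port: Optional[int]


def parse_proxy_v1(data: bytes) -> Tuple[ProxyInfo, bytes]:
    """Split the first bytes of a connection into (ProxyInfo, application payload).

    Raises ValueError when no valid header is present.  A listener that is
    configured to expect the header should treat that as a protocol error and
    close, and should only be reachable from the load balancer: otherwise any
    client could prepend its own header and spoof a source address.
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("no CRLF within %d bytes: not a PROXY v1 header" % MAX_V1_HEADER)
    line, payload = data[:end], data[end + 2:]
    parts = line.decode("ascii").split(" ")
    if parts[0] != "PROXY" or len(parts) < 2:
        raise ValueError("missing PROXY signature")
    if parts[1] == "UNKNOWN":
        # the sender could not describe the original connection (for example
        # a health check); everything up to the CRLF is ignored
        return ProxyInfo("UNKNOWN", None, None, None, None), payload
    if parts[1] not in ("TCP4", "TCP6") or len(parts) != 6:
        raise ValueError("malformed PROXY v1 header: %r" % line)
    version = 4 if parts[1] == "TCP4" else 6
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    if src.version != version or dst.version != version:
        raise ValueError("address family does not match %s" % parts[1])
    src_port, dst_port = int(parts[4]), int(parts[5])
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        raise ValueError("port out of range")
    return ProxyInfo(parts[1], str(src), str(dst), src_port, dst_port), payload


if __name__ == "__main__":
    # constructed: what an SMTP backend would read after HAProxy connects with send-proxy
    info, rest = parse_proxy_v1(b"PROXY TCP4 192.0.2.10 198.51.100.5 51234 25\r\nEHLO client.example\r\n")
    print(info, rest)
```

The payload returned after the header is the client's own first bytes, untouched; a server that forgets to strip the header line would hand "PROXY TCP4 ..." to its application parser, which is the usual symptom of enabling `send-proxy` against a server that is not compatible.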



Re: SEGV capturing tcp traffic

2015-04-25 Thread Baptiste
Hi,

I reported this issue to Willy already and the latest snapshot includes a fix:
http://git.haproxy.org/?p=haproxy.git;a=commit;h=e91ffd093e548aa08d7ccb835fd261f3d71ffb17

Run a git pull or git clone ;)

Baptiste


On Fri, Apr 24, 2015 at 5:58 PM, CJ Ess  wrote:
> Its possible that I'm doing this wrong, I don't see many examples of working
> with tcp streams, but this combination seems to SEGV haproxy 1.6
> consistently.
>
> The idea is to capture the first 32 bytes of a TCP stream and use it to make
> a sticky session. What I've done is this:
>
> frontend fe_capture
> mode tcp
> bind *:9048
> default_backend be_capture
>
> backend be_capture
> mode tcp
> balance roundrobin
> tcp-request inspect-delay 5s
> tcp-request content accept
> stick-table type binary len 32 size 30k expire 30m
> stick on payload(0,32)
> server test9050 127.0.0.1:9050 weight 1 check observe layer4
> server test9051 127.0.0.1:9051 weight 1 check observe layer4
>
> And to test it I do this:
>
> curl -v http://127.0.0.1:9048/
> (And I'm not really doing all this to look at http, this is just an example
> that demonstrates the issue)
>
>



Re: SSL backends stopped working

2015-04-23 Thread Baptiste
On Thu, Apr 23, 2015 at 4:18 PM,   wrote:
> SSLv3 is not allowed anywhere in our infrastructure, it is disabled already.
>

You did not catch the point.
HAProxy may use SSLv3 to get connected to the server.
So disable SSLv3 on the server side in HAProxy, just to ensure this is
not the root of the problem.
Then we could investigate further.

Baptiste



Re: SSL backends stopped working

2015-04-23 Thread Baptiste
Maybe the server refuses SSLv3...
Can you disable SSLv3 on the server side?

Baptiste

On Thu, Apr 23, 2015 at 3:38 PM,   wrote:
> I've checked again, but the time on those servers is correct..
>
> On 2015-04-23 14:16, Daniel Schneller wrote:
>>
>> Have you checked the time/date on the Haproxy host?
>> If they are wrong, the certificate might look bad from HAProxy's
>> point of view.
>>
>> Daniel
>>
>> --
>> Daniel Schneller
>> Infrastructure Architect / Developer
>> CenterDevice GmbH
>>
>>> On 23.04.2015, at 10:00, i...@linux-web-development.de wrote:
>>>
>>> Hi!
>>>
>>> I'm having trouble with one of our HAProxy-Servers that uses a
>>> backend with TLS. When starting HAProxy the backend will report all
>>> servers as down:
>>>
>>>> Server web_remote/apache_rem_1 is DOWN, reason: Layer6 invalid
>>>> response, info: "SSL handshake failure", check duration: 41ms. 1
>>>> active and 0 backup servers left. 0 sessions active, 0 requeued, 0
>>>> remaining in queue.
>>>
>>>
>>> My backend configuration is as follows:
>>>
>>> backend web_remote
>>> balance leastconn
>>> option httpchk HEAD /
>>> option redispatch
>>> retries 3
>>>
>>> default-server inter 5000 rise 2 fall 5 maxconn 1 maxqueue
>>> 5
>>>
>>> server apache_rem_1 1.2.3.4:12345 check maxconn 1000 maxqueue 5000
>>> ssl ca-file /etc/ssl/web.pem
>>> server apache_rem_2 2001:1:2:3:4:5:6:8:12345 check maxconn 1000
>>> maxqueue 5000 ssl ca-file /etc/ssl/web.pem
>>>
>>> This backend worked just fine until now, a quick wget on the server
>>> also worked and openssl s_client reports the certificate of the
>>> backend to be valid.
>>>
>>> I couldn't find anything on the list except that the error would be
>>> due to SSL_ABORT, but I'm not sure what this is supposed to tell
>>> me...
>>>
>>> Is there anything else for HAProxy/TLS that could be configured
>>> wrong? How could I debug this issue when everything else reports the
>>> handshake was successful?
>
>
>



Re: Backend status changes continuously

2015-04-22 Thread Baptiste
> Sometimes during the test, I also see many "nf_conntrack: table full,
> dropping
> packet" messages on the host system.


First, increase the conntrack table size with the following sysctl:
net.netfilter.nf_conntrack_max=655360

Run your test again and report the result here.

Baptiste



Re: Backend status changes continuously

2015-04-21 Thread Baptiste
Hi Krishna,

Maybe you could be more verbose on your application, architecture, etc...
Also, which HAProxy version? Share your configuration, etc...

Otherwise we can't answer you, I'm sorry!

Baptiste


On Tue, Apr 21, 2015 at 9:59 AM, Krishna Kumar (Engineering)
 wrote:
> Hi all,
>
> While running the command: :" ab -n 10 -c 1000 192.168.122.110:80/256",
> the haproxy stats page shows the 4 different backend servers changing status
> between "Active up, going down", "Active or backup down", "Down", "Backup
> down, going UP", sometimes all 4 backends are in DOWN state. The result is
> very
> poor performance reported by 'ab' as compared to running directly against a
> single backend.
>
> What could be the reason for this continuous state change?
>
> root@HAPROXY:~# haproxy -vv
> HA-Proxy version 1.5.8 2014/10/31
> Copyright 2000-2014 Willy Tarreau 
>
> Build options :
>   TARGET  = linux2628
>   CPU = generic
>   CC  = gcc
>   CFLAGS  = -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat
> -Werror=format-security -D_FORTIFY_SOURCE=2
>   OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1
>
> Default settings :
>   maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
>
> Encrypted password support via crypt(3): yes
> Built with zlib version : 1.2.7
> Compression algorithms supported : identity, deflate, gzip
> Built with OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
> Running on OpenSSL version : OpenSSL 1.0.1k 8 Jan 2015
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports prefer-server-ciphers : yes
> Built with PCRE version : 8.30 2012-02-04
> PCRE library supports JIT : no (USE_PCRE_JIT not set)
> Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT
> IP_FREEBIND
>
> Available polling systems :
>   epoll : pref=300,  test result OK
>poll : pref=200,  test result OK
>  select : pref=150,  test result OK
> Total: 3 (3 usable), will use epoll.
>
>
> Thanks,
> - Krishna Kumar
>



Re: SSL Acceleration

2015-04-18 Thread Baptiste
On Fri, Apr 17, 2015 at 9:32 AM, Kamran Malik  wrote:
> hi
>
> I have a rather simple question related to SSL acceleration. I have gone
> through some of the email archives but haven't been able to figure this out.
>
> On a server where among other things I am running the HAProxy application I
> want to be able to provide an accelerator card (say like a NITROX III
> security accelerator) to accelerate the SSL termination for Client
> connections. The question I have is that is this possible in HAProxy to use
> an accelerator?
>
> I know that natively if the server running HAProxy has the AVX2 instruction
> set then a certain amount of acceleration is achieved. My issue is can I use
> a separate accelerator card in the server and can HAProxy use that?
>
> Thanks in advance
>
> Regards,
> Kamran Malik
>
> PS just started using HAProxy and love it! Thanks!


Hi Kamran,

Actually, it does not depend only on HAProxy, but also on your OpenSSL library.
If the library is able to take advantage of such a device, then haproxy
will perform better.

Baptiste



Re: Multiple defaults sections

2015-04-18 Thread Baptiste
On Fri, Apr 17, 2015 at 2:22 AM, Igor Cicimov
 wrote:
>
> Hi all,
>
> In the docs it says:
>
> A "defaults" section sets default parameters for all other sections
> following
> its declaration. Those default parameters are reset by the next "defaults"
> section.
>
> So I wonder is the next defaults section resetting _all_ options and
> parameters from the previous one or just the ones explicitly selected? For
> example:
>
> defaults
> timeout client  60s
> timeout server  60s
> option http-server-close
> ...
> defaults
> timeout client  10s
>
> Then I would expect to see only the "timeout client" being changed to 10s
> and for the rest to keep their initial values. If not then we would end up
> writing duplicate blocks.
>
> Thanks,
> Igor
>


Hi Igor,

A new defaults section erases all parameters already set.
Then the new section updates its default parameters.

Baptiste
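To make the reset rule Baptiste describes concrete, here is an added example (not from the thread and not HAProxy's parser): a deliberately small model of haproxy.cfg sections that computes which parameters each frontend actually ends up with. It handles only the whitespace-separated keyword layout, and the sample configuration is constructed from Igor's question.

```python
"""Resolve which parameters a proxy section inherits from the "defaults" in force.

Added example, not from the thread and not HAProxy's own parser: a small model
of the rule that each new "defaults" section starts from an empty set instead
of extending the previous one.  Only the whitespace-separated keyword layout
of haproxy.cfg is handled; the sample configuration is constructed.
"""
from typing import Dict, List, Tuple

SECTION_KEYWORDS = ("global", "defaults", "frontend", "backend", "listen")

# Keywords whose first argument is part of the parameter name, so that
# "timeout client" and "timeout server" are tracked as distinct settings.
COMPOUND_KEYWORDS = ("timeout", "option", "no")


def _param_key(tokens: List[str]) -> Tuple[str, str]:
    """Split a config line's tokens into (parameter name, remaining value)."""
    if tokens[0] in COMPOUND_KEYWORDS and len(tokens) > 1:
        return " ".join(tokens[:2]), " ".join(tokens[2:])
    return tokens[0], " ".join(tokens[1:])


def effective_params(config: str) -> Dict[str, Dict[str, str]]:
    """Return {proxy name: {parameter: value}} with defaults applied.

    A "defaults" section replaces (does not merge with) the defaults in force;
    a frontend/backend/listen section then overrides individual keys of it.
    """
    defaults: Dict[str, str] = {}
    current: Dict[str, str] = {}
    name = None
    result: Dict[str, Dict[str, str]] = {}

    def close_section() -> None:
        if name == "defaults":
            defaults.clear()            # the reset: nothing survives from the previous defaults
            defaults.update(current)
        elif name not in (None, "global"):
            merged = dict(defaults)
            merged.update(current)
            result[name] = merged

    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] in SECTION_KEYWORDS:
            close_section()
            name = tokens[0] if tokens[0] in ("global", "defaults") else tokens[1]
            current = {}
        else:
            key, value = _param_key(tokens)
            current[key] = value
    close_section()
    return result


# constructed from Igor's example: a second defaults section carrying one key
SAMPLE_CFG = """
defaults
    timeout client  60s
    timeout server  60s
    option http-server-close
frontend fe_a
    bind *:80
defaults
    timeout client  10s
frontend fe_b
    bind *:81
"""

if __name__ == "__main__":
    for proxy, params in effective_params(SAMPLE_CFG).items():
        print(proxy, params)
```

Running it shows fe_a with both timeouts and http-server-close, while fe_b carries only `timeout client 10s` and its bind line: the server timeout and the option have to be repeated in the second defaults block if they are still wanted.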



Re: Long ACLs

2015-04-15 Thread Baptiste
Simply load the content from a flat file using the -f directive in your
haproxy ACL configuration.

Baptiste

On Wed, Apr 15, 2015 at 6:11 AM, CJ Ess  wrote:
> What is the best way to deal with long ACLs with HAProxy. For instance
> Amazon EC2 has around 225 address blocks. So if I wanted to direct requests
> originating from EC2 to a particular backend, thats a lot of CIDRs to manage
> and compare against. Any suggestions how best to approach a situation like
> this?
>
>
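A list loaded with `acl <name> src -f <file>` is only as good as the file: HAProxy refuses to start on a malformed line, and overlapping or adjacent blocks are matched for nothing. As an added example (not from the thread and not HAProxy code), this Python check validates such a file before deployment and collapses the prefixes it contains; the sample lines are constructed and are not the EC2 ranges CJ mentions.

```python
"""Validate and normalise a CIDR list before handing it to `acl ... src -f`.

Added example, not from the thread and not HAProxy code.  Blank lines and
'#' comments are skipped, bare hosts become /32 or /128, networks with host
bits set are reported instead of silently widened, and nested or adjacent
blocks are merged.  The sample list is constructed.
"""
import ipaddress
from typing import List, Tuple


def normalise_cidr_list(text: str) -> Tuple[List[str], List[Tuple[int, str]]]:
    """Return (collapsed networks as strings, [(line number, offending line), ...])."""
    nets, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=True rejects e.g. 203.0.113.0/23, whose host bits are not zero
            nets.append(ipaddress.ip_network(line, strict=True))
        except ValueError:
            errors.append((lineno, raw.rstrip()))
    # collapse_addresses() needs a single address family per call
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in list(v4) + list(v6)], errors


# constructed sample, not the real EC2 ranges
SAMPLE_LIST = """# constructed sample, not the real EC2 ranges
198.51.100.0/25
198.51.100.128/25   # adjacent to the line above: merged into a /24
192.0.2.0/24
192.0.2.64/26       # nested in the line above: dropped
203.0.113.5         # bare host: becomes a /32
2001:db8::/32
203.0.113.0/23      # host bits set: reported, not silently widened
not-an-address
"""

if __name__ == "__main__":
    networks, bad = normalise_cidr_list(SAMPLE_LIST)
    print("\n".join(networks))
    for lineno, line in bad:
        print("line %d rejected: %s" % (lineno, line))
```

Write the returned networks to the file HAProxy loads and fail the deployment if the error list is non-empty; that catches the typo at build time rather than at the next reload.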



Re: redis redispatch question

2015-04-14 Thread Baptiste
On Tue, Apr 14, 2015 at 5:12 PM, Jim Gronowski  wrote:
> Good day, everyone.
>
>
>
> I'm using HAproxy in front of a redis sentinel cluster.  If has worked very
> well, but this morning I ran into a small problem.  The sentinel cluster
> elected a new master, and HAproxy correctly detected the change and updated
> accordingly  (new connections went to the correct server).  However, one of
> our client web applications kept the connection open to the old server (now
> a slave), generating errors.  I'm guessing it's due to keepalives.
>
>
>
> Will 'option redispatch' correct this?  If not, is there a preferred way to
> close the connection and force the client to reconnect?  It doesn't
> necessarily have to be graceful, although that would be nice.
>
>
>
> Pertinent config below.
>
>
>
> -Jim
>
>
>
>
>
> defaults
>     log global
>     mode tcp
>     option  tcplog
>     option  dontlognull
>     option clitcpka
>     option srvtcpka
>     timeout connect 5000
>     timeout client  3m
>     timeout server  12
>     errorfile 400 /etc/haproxy/errors/400.http
>     errorfile 403 /etc/haproxy/errors/403.http
>     errorfile 408 /etc/haproxy/errors/408.http
>     errorfile 500 /etc/haproxy/errors/500.http
>     errorfile 502 /etc/haproxy/errors/502.http
>     errorfile 503 /etc/haproxy/errors/503.http
>     errorfile 504 /etc/haproxy/errors/504.http
>
> frontend redisFE
>     bind *:6379
>     mode tcp
>
> frontend redisFE
>     bind *:6379
>     mode tcp
>     maxconn 10240
>     default_backend redisBE
>
> backend redisBE
>     mode tcp
>     option tcplog
>     balance source
>     option tcp-check
>     #tcp-check send AUTH\ foobar\r\n
>     #tcp-check expect +OK
>     tcp-check send PING\r\n
>     tcp-check expect string +PONG
>     tcp-check send info\ replication\r\n
>     tcp-check expect string role:master
>     tcp-check send QUIT\r\n
>     tcp-check expect string +OK
>     server redis-01 127.0.0.1:6379 maxconn 1024 check inter 1s
>     server redis-02 127.0.0.2:6379 maxconn 1024 check inter 1s
>
> Ditronics, LLC email disclaimer:
> This communication, including attachments, is intended only for the
> exclusive use of addressee and may contain proprietary, confidential, or
> privileged information. Any use, review, duplication, disclosure,
> dissemination, or distribution is strictly prohibited. If you were not the
> intended recipient, you have received this communication in error. Please
> notify sender immediately by return e-mail, delete this communication, and
> destroy any copies.


Hi Jim,

You're missing the parameter on-marked-down shutdown-sessions on your
server lines.
It will kill sessions established on a server when it is marked as
DOWN by the health checking.

Baptiste



Re: HA proxy - Need infromation

2015-04-14 Thread Baptiste
Hi Thibault,

You can contact haproxy.com, we have a nice GUI and an API on top of
HAProxy in our ALOHA appliance.
And we speak French :)
Just give a call and ask to speak to Sean (+33 1 30 67 60 74)

Baptiste


On Mon, Apr 13, 2015 at 4:55 PM, Thibault Labrut
 wrote:
> Hello,
>
> I currently installing HAProxy with keepalived to one of my clients.
>
> To facilitate the administration of this tool, I would like to know if you
> can advise me of administration web gui for HA proxy.
>
> Thank you for your help.
>
> Best regards,
> --
> Thibault Labrut
> enioka
> 24 galerie Saint-Marc
> 75002 Paris
> +33 615 700 935
> +33 144 618 314



Re: limiting conn-curs per-ip using x-forwarded-for

2015-04-09 Thread Baptiste
Hi Klavs,

Please give a try to the configuration below:
frontend nocache
  mode  http
..
  option  httplog
  option  accept-invalid-http-request
  stick-table  type ip size 100k expire 30s store conn_cur
  tcp-request inspect-delay 5s
  tcp-request content accept if HTTP
  tcp-request content track-sc1  hdr(X-Forwarded-For)
  tcp-request content reject  if { sc1_conn_cur ge 10 }

'tcp-request connection' is executed when the connection has just
arrived in HAProxy, so the X-Forwarded-For header might not have been
read yet.
The conf above uses 'tcp-request content' instead, and to be sure
we'll find the header, I've added the inspect delay, which accepts the
request once the buffer is confirmed to contain HTTP.

Baptiste


On Tue, Apr 7, 2015 at 12:33 PM, Klavs Klavsen  wrote:
> Back from easter vacation :)
>
> Baptiste wrote on 03/25/2015 10:30 AM:
>>
>> Hi,
>>
>> some useful examples can be taken from this blog post:
>>
>> http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/
>>
>> Just replace src by hdr(X-Forwarded-For).
>>
>
> Tried:
>
> frontend nocache
>   mode  http
> ..
>   option  httplog
>   option  accept-invalid-http-request
>   stick-table  type ip size 100k expire 30s store conn_cur
>   tcp-request connection reject  if { src_conn_cur ge 10 }
>   tcp-request connection track-sc1  hdr(X-Forwarded-For)
> ..
>
> but haproxy complains:
> 'tcp-request connection track-sc1' : fetch method 'hdr(X-Forwarded-For)'
> extracts information from 'HTTP request headers,HTTP response headers', none
> of which is available here
>
> I took the example from
> http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/
>
> :(
>
>
> --
> Regards,
> Klavs Klavsen, GSEC - k...@vsen.dk - http://www.vsen.dk - Tlf. 61281200
>
> "Those who do not understand Unix are condemned to reinvent it, poorly."
>   --Henry Spencer
>
>



Re: 'acl' and 'use_backend' in defaults section?

2015-04-09 Thread Baptiste
Unfortunately, for now you'll have to repeat the acl in each frontend :)

Baptiste

On Tue, Apr 7, 2015 at 9:14 PM, Florin Andrei  wrote:
> I have a few ACLs that are identical for several frontends. I tried to
> define the ACLs in the defaults section, but I got an error (quote at the
> end).
>
> Is there a way around this? I'd like to not have to repeat identical
> configuration lines for many frontends.
>
>
> Apr  7 19:05:49 haproxy-test haproxy-systemd-wrapper: [ALERT] 096/190549
> (20038) : parsing [/etc/haproxy/haproxy.cfg:56] : 'acl' not allowed in
> 'defaults' section.
> Apr  7 19:05:49 haproxy-test haproxy-systemd-wrapper: [ALERT] 096/190549
> (20038) : parsing [/etc/haproxy/haproxy.cfg:57] : 'acl' not allowed in
> 'defaults' section.
> Apr  7 19:05:49 haproxy-test haproxy-systemd-wrapper: [ALERT] 096/190549
> (20038) : parsing [/etc/haproxy/haproxy.cfg:58] : 'acl' not allowed in
> 'defaults' section.
> Apr  7 19:05:49 haproxy-test haproxy-systemd-wrapper: [ALERT] 096/190549
> (20038) : parsing [/etc/haproxy/haproxy.cfg:59] : 'acl' not allowed in
> 'defaults' section.
> Apr  7 19:05:49 haproxy-test haproxy-systemd-wrapper: [ALERT] 096/190549
> (20038) : parsing [/etc/haproxy/haproxy.cfg:60] : 'acl' not allowed in
> 'defaults' section.
> Apr  7 19:05:49 haproxy-test haproxy-systemd-wrapper: [ALERT] 096/190549
> (20038) : parsing [/etc/haproxy/haproxy.cfg:62] : 'use_backend' not allowed
> in 'defaults' section.
> Apr  7 19:05:49 haproxy-test haproxy-systemd-wrapper: [ALERT] 096/190549
> (20038) : parsing [/etc/haproxy/haproxy.cfg:63] : 'use_backend' not allowed
> in 'defaults' section.
> Apr  7 19:05:49 haproxy-test haproxy-systemd-wrapper: [ALERT] 096/190549
> (20038) : parsing [/etc/haproxy/haproxy.cfg:64] : 'use_backend' not allowed
> in 'defaults' section.
> Apr  7 19:05:49 haproxy-test haproxy-systemd-wrapper: [ALERT] 096/190549
> (20038) : parsing [/etc/haproxy/haproxy.cfg:65] : 'use_backend' not allowed
> in 'defaults' section.
> Apr  7 19:05:49 haproxy-test haproxy-systemd-wrapper: [ALERT] 096/190549
> (20038) : parsing [/etc/haproxy/haproxy.cfg:66] : 'use_backend' not allowed
> in 'defaults' section.
>
>
>
> --
> Florin Andrei
> http://florin.myip.org/
>



Re: possible header capture corruption when timeout queue

2015-04-09 Thread Baptiste
Hi David,

If you're in SQ state, it means the request never reached a server, so
you can't have any response header value.

Baptiste

On Thu, Apr 9, 2015 at 11:11 PM, David Birdsong
 wrote:
> Greetings, I hope the rewrite from C->Lua is going well...
>
> I'm looking to trace down a weird scenario that might be a bug. We're
> running: 1.5.2. Our backend is configured w/ a 500ms timeout queue and we
> consistent hash on uri for load balancing.
>
> For requests logged as termination 'SQ' that trigger the timeout queue, the
> backend server logs show zero requests matching the request log, which is
> expected. The head-scratching finding is that on many of the request logs
> we're seeing header captures that indicate part of the response was read
> back from the server, but the header values themselves would be pretty
> unlikely given that we can match URLs to expected header values.
>
> ...really what we'd expect is an empty header capture on the timeout queue
> request log lines.
>
> I combed through the release notes to see if this was fixed, but I wasn't
> able to match any of the notes to this particular occurrence. For the time
> being, we're stuck at 1.5.5 since 1.5.6 changes hashes for path-based
> hashing. We're working on re-arranging our infra to not take such a hit were
> our working set request hashing to be redrawn which will happen with >=
> 1.5.6.
>
> If there's a fix for this, we could probably expedite some work-arounds that
> would allow us to upgrade if necessary.
>
> Here's a snippet from our frontend/backend config:
> https://gist.github.com/davidbirdsong/55152514acbd9f2dbc2d
>
> Thanks!
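Both this thread and the SMTPS thread above turn on reading the two-character termination state in HAProxy's log line (`sC` in Iain's log, the queue timeout here). As an added example (not from either thread and not HAProxy code), this Python parser decodes the default tcplog format and its state code, following the field order and state letters of the HAProxy 1.5 configuration manual. Iain's line is re-joined onto one line; the queue-timeout line is constructed (HAProxy writes that state as `sQ`: lowercase s for a server-side timeout, Q for the queue phase).

```python
"""Decode an HAProxy 1.5 "tcplog" line and its two-character termination state.

Added example, not from either thread and not HAProxy code.  Field order
follows the default tcplog format and the state letters follow section 8.5 of
the HAProxy 1.5 configuration manual.  SAMPLE_SC is Iain's log line
re-joined onto one line; SAMPLE_SQ is constructed.
"""
import re
from typing import Dict, Tuple

# tcplog layout: %ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq
TCPLOG_RE = re.compile(
    r"^(?P<client_ip>[0-9a-fA-F.:]+):(?P<client_port>\d+) "
    r"\[(?P<accept_date>[^\]]+)\] "
    r"(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) "
    r"(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tt>\+?\d+) "
    r"(?P<bytes_read>\+?\d+) (?P<state>\S\S) "
    r"(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srv_conn>\d+)/(?P<retries>\+?\d+) "
    r"(?P<srv_queue>\d+)/(?P<backend_queue>\d+)$"
)
INT_FIELDS = ("client_port", "Tw", "Tc", "Tt", "bytes_read", "actconn", "feconn",
              "beconn", "srv_conn", "retries", "srv_queue", "backend_queue")

# First character: what ended the session.
FIRST_CHAR = {
    "C": "the TCP session was unexpectedly aborted by the client",
    "S": "the TCP session was unexpectedly aborted by the server, or the server refused it",
    "P": "the session was prematurely aborted by the proxy (rule, limit or error)",
    "R": "a resource on the proxy has been exhausted",
    "I": "an internal error was identified by the proxy",
    "D": "the session was killed by haproxy because the server was detected as DOWN",
    "U": "the session was killed on this backup server because an active server came back UP",
    "K": "the session was actively killed by an administrator",
    "c": "the client-side timeout expired while waiting for the client to send or receive data",
    "s": "the server-side timeout expired while waiting for the server to send or receive data",
    "-": "normal session completion",
}
# Second character: which phase the session was in when that happened.
SECOND_CHAR = {
    "R": "waiting for a complete, valid REQUEST from the client",
    "Q": "waiting in the QUEUE for a connection slot",
    "C": "waiting for the CONNECTION to establish on the server",
    "H": "waiting for complete, valid response HEADERS from the server",
    "D": "the session was in the DATA phase",
    "L": "transmitting LAST data to the client while the server had already finished",
    "T": "the request was tarpitted",
    "-": "normal session completion after end of data transfer",
}


def explain_state(code: str) -> Tuple[str, str]:
    """Map a two-character %ts code such as 'sC' to its (cause, phase) text."""
    if len(code) != 2:
        raise ValueError("termination state is exactly two characters: %r" % code)
    cause = FIRST_CHAR.get(code[0], "unknown cause %r" % code[0])
    phase = SECOND_CHAR.get(code[1], "unknown phase %r" % code[1])
    return cause, phase


def parse_tcplog(line: str) -> Dict:
    """Parse one tcplog line (syslog prefix already stripped) into a dict."""
    m = TCPLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not a tcplog line: %r" % line)
    rec = m.groupdict()
    for field in INT_FIELDS:
        rec[field] = int(rec[field])       # int() also accepts the '+' that logasap/redispatch add
    rec["never_connected"] = rec["Tc"] == -1   # -1: no connection to a server was ever established
    rec["cause"], rec["phase"] = explain_state(rec["state"])
    return rec


# Iain's line from the thread, re-joined onto one line
SAMPLE_SC = ("172.23.0.197:35845 [29/Apr/2015:08:57:38.331] MTASSL MTASSL/MTA1 "
             "1/-1/20005 0 sC 1/0/0/0/3 0/0")
# constructed: a request that expired in the backend queue after "timeout queue 500"
SAMPLE_SQ = ("10.0.0.5:40211 [09/Apr/2015:12:00:00.000] www www/<NOSRV> "
             "500/-1/501 0 sQ 120/100/100/0/0 25/25")

if __name__ == "__main__":
    for sample in (SAMPLE_SC, SAMPLE_SQ):
        rec = parse_tcplog(sample)
        print("%s -> %s; %s (Tc=%d, Tt=%d ms, retries=%d)"
              % (rec["state"], rec["cause"], rec["phase"], rec["Tc"], rec["Tt"], rec["retries"]))
```

Read against Iain's line, `sC` with Tc=-1, Tt=20005 and three retries says the TCP connection to MTA1 never completed and the session ended on the server connect timeout; for the queue case, `sQ` with `<NOSRV>` as the server confirms Baptiste's point that the request never reached a server, so no response header can have been read.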



Re: AW: forward client disconnects in http mode

2015-04-09 Thread Baptiste
Haproxy closes the connection with an RST.

Baptiste
Le 9 avr. 2015 16:54, "Pavlos Parissis"  a
écrit :

> On 09/04/2015 02:52 μμ, Dieter van Zeder wrote:
> > ‎Here's the the stripped-down configuration. Http-server-close is
> required in order to use leastconn. The frontend actually contains various
> acl rules, thus mode http.
> >
>
> I had a look at the doc and it isn't mentioned that http-server-close is
> required by leastcon balance method. Am I missing something here?
>
> Hold on a second. HAProxy 1.5 (I assume you use that version) runs in
> keep-alive mode by default, which means your app will see the TCP
> connection on the server-side closed as soon as the client closes the
> connection. Unless defaults timeouts play a role here.
>
> Remove option http-server-close and recheck if curl and crtl+c.
>
> Cheers,
> Pavlos
>
>
>


Re: CPU saturated with 250Mbps traffic on frontend

2015-04-06 Thread Baptiste
On Mon, Apr 6, 2015 at 2:54 PM, Evgeniy Sudyr  wrote:
> Btw, where Pavlos reported his test results? There in list or somewhere else?

On this ML.
Pavlos was running Linux ;)

Baptiste



Re: Health check for backend constituted with multiple socks proxies.

2015-04-03 Thread Baptiste
I mean, what happens if you point your browser directly to one of the IP addresses?
Because what you're doing with your HAProxy configuration currently is
only forwarding the TCP connection from a browser client to a socks5
server.
If your browser client doesn't know how to speak to the socks5 server,
HAProxy won't do it on its behalf.
So please confirm first that the browser can use any of the listed IPs
without using HAProxy.

Then we'll dig into your issue...

Baptiste


On Fri, Apr 3, 2015 at 2:05 AM, Hongyi Zhao  wrote:
> On Thu, 02 Apr 2015 15:04:09 +0200, Baptiste wrote:
>
>> Hi Hongyi,
>>
> >> What happens if you browse directly to one of the IP addresses?
>
> These are socks5 proxies servers address, not websites.
>
> What do you mean by saying that 'brows directly one of the IP address'
> for my case?
>
> Regards
>>
>> Baptiste
>
>
>
>
>
> --
> .: Hongyi Zhao [ hongyi.zhao AT gmail.com ] Free as in Freedom :.
>
>



Re: Health check for backend constituted with multiple socks proxies.

2015-04-02 Thread Baptiste
On Thu, Apr 2, 2015 at 2:27 PM, Hongyi Zhao  wrote:
> Hi all,
>
> My haproxy.cfg is as follows:
>
> -
> global
> maxconn 4096
> daemon
> nbproc 3
> defaults
>  mode tcp
>  timeout connect 5000ms
>  timeout client 5ms
>  timeout server 5ms
> frontend socks5
> bind0.0.0.0:
> default_backend socks5-balance
> backend socks5-balance
> balance roundrobin
>
> server socks5-1 104.220.35.112:48178 check
> server socks5-2 104.236.196.208:1234 check
> server socks5-3 113.61.111.196:60088 check
> server socks5-4 114.94.131.120:8118 check
> server socks5-5 115.119.233.36:2235 check
> server socks5-6 115.29.49.52: check
> server socks5-7 117.247.65.204:1080 check
> server socks5-8 118.26.201.224:1080 check
> server socks5-9 118.26.228.8:1080 check
> ...
> server socks5-3194.23.80.193:60088 check
> server socks5-3295.163.65.88:49389 check
> -
>
> I found that the the health-check results given by haproxy are not
> consistent with the real statues/availabilities of these servers listed
> in the backend section.
>
> For example, when I use the -db mode to see the message on stdout, I can
> found that even haproxy reported there are serveral backend servers are
> available, I still cann't use 127.0.0.1: as proxy to access websites/
> urls.
>
> Any hints on how to let haproxy give a more precise/reliable/correctness
> health-check for this case?
>
> Thanks in advance.
>
> Regards
> --
> .: Hongyi Zhao [ hongyi.zhao AT gmail.com ] Free as in Freedom :.
>

Hi Hongyi,

What happens if you browse directly to one of the IP addresses?

Baptiste
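Baptiste's point here, and the tcp-check sequence in Jim's Redis thread above, are two sides of the same thing: a plain `check` only proves that a port accepts connections, while a layer 7 exchange proves that the service behind it answers correctly. As an added example (not from either thread and not HAProxy code), this Python script replays HAProxy-style `tcp-check send`/`expect` steps against in-process fake servers: Jim's Redis master check, and a SOCKS5 method-negotiation probe that would read `tcp-check send-binary 050100` / `tcp-check expect binary 0500` in haproxy.cfg. The fake servers are constructed, and a socket pair stands in for the TCP connection.

```python
"""Replay HAProxy-style tcp-check send/expect scripts against in-process servers.

Added example, not from either thread and not HAProxy code.  It re-implements
the send/expect sequence of Jim's Redis master check and adds a SOCKS5
method-negotiation probe.  The fake Redis and SOCKS5 servers are constructed
for the example and a socket pair stands in for the TCP connection.
"""
import socket
import threading
from typing import Callable, List, Optional, Tuple

Step = Tuple  # ("send", bytes) or ("expect", "string" | "binary", str)


def serve(reply_fn: Callable[[bytes], Optional[bytes]]) -> socket.socket:
    """Start a fake server thread on one end of a socket pair; return the client end.

    reply_fn receives each chunk read and returns the reply, or None to make
    the server hang up without answering.
    """
    client, server = socket.socketpair()

    def run() -> None:
        with server:
            while True:
                data = server.recv(4096)
                if not data:
                    break
                reply = reply_fn(data)
                if reply is None:
                    break
                server.sendall(reply)

    threading.Thread(target=run, daemon=True).start()
    return client


def run_tcp_check(conn: socket.socket, steps: List[Step], timeout: float = 2.0) -> Tuple[bool, str]:
    """Execute send/expect steps the way `option tcp-check` does.

    `expect string` and `expect binary` succeed when the pattern occurs
    anywhere in the data read for that step.  Returns (healthy, reason).
    """
    conn.settimeout(timeout)
    with conn:
        for step in steps:
            if step[0] == "send":
                conn.sendall(step[1])
                continue
            _, kind, want = step
            pattern = bytes.fromhex(want) if kind == "binary" else want.encode()
            try:
                data = conn.recv(4096)
            except socket.timeout:
                return False, "timeout waiting for %r" % want
            if not data:
                return False, "server closed the connection before %r" % want
            if pattern not in data:
                return False, "expected %r, got %r" % (want, data)
    return True, "all expectations met"


# Jim's check sequence from the Redis thread, as tcp-check steps
REDIS_MASTER_CHECK: List[Step] = [
    ("send", b"PING\r\n"),             ("expect", "string", "+PONG"),
    ("send", b"info replication\r\n"), ("expect", "string", "role:master"),
    ("send", b"QUIT\r\n"),             ("expect", "string", "+OK"),
]

# SOCKS5 greeting: version 5, one method offered, 0x00 = no authentication.
# A SOCKS5 server answers 05 00 (method accepted); 05 ff means no acceptable method.
SOCKS5_PROBE: List[Step] = [("send", bytes.fromhex("050100")), ("expect", "binary", "0500")]


def fake_redis(role: str) -> Callable[[bytes], Optional[bytes]]:
    """Constructed fake Redis speaking just enough of the inline protocol for the check."""
    def reply(data: bytes) -> Optional[bytes]:
        cmd = data.strip().lower()
        if cmd == b"ping":
            return b"+PONG\r\n"
        if cmd == b"info replication":
            body = b"# Replication\r\nrole:" + role.encode() + b"\r\n"
            return b"$%d\r\n" % len(body) + body + b"\r\n"
        if cmd == b"quit":
            return b"+OK\r\n"
        return b"-ERR unknown command\r\n"
    return reply


def fake_socks5(data: bytes) -> Optional[bytes]:
    """Constructed fake SOCKS5 server: accepts the no-auth method, rejects anything else."""
    return b"\x05\x00" if data[:1] == b"\x05" else b"\x05\xff"


def run_scenarios() -> dict:
    """Health-check four servers; the value is what HAProxy would conclude (True = UP)."""
    return {
        "redis master": run_tcp_check(serve(fake_redis("master")), REDIS_MASTER_CHECK)[0],
        "redis slave": run_tcp_check(serve(fake_redis("slave")), REDIS_MASTER_CHECK)[0],
        "socks5": run_tcp_check(serve(fake_socks5), SOCKS5_PROBE)[0],
        # port accepts the connection but nothing speaks: a layer 4 check would say UP
        "silent port": run_tcp_check(serve(lambda _data: None), SOCKS5_PROBE)[0],
    }


if __name__ == "__main__":
    for name, healthy in run_scenarios().items():
        print("%-12s %s" % (name, "UP" if healthy else "DOWN"))
```

The "silent port" case is the situation in Hongyi's list: the connection is accepted, so a bare `check` marks the server UP, but the probe gets no SOCKS5 reply and a layer 7 check marks it DOWN. If the proxies require username/password authentication, the reply to the greeting is `05 02` instead of `05 00`, and the expect pattern has to be changed accordingly.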



Re: Agent-check not working with backend HTTPS

2015-04-02 Thread Baptiste
Hi Claudio,

Yes, you can trust Vincent's job :)

Baptiste


On Thu, Apr 2, 2015 at 8:47 AM, Claudio Ruggieri
 wrote:
> Dear Cyril,
> I updated haproxy to 1.5.11 via ppa. The behaviour is what expected.
> All seams fine now.
>
> Vincent's ppa is maintained? Is safe to use it in production enviroment?
>
> Thank you.
>
>
> -Messaggio originale-
> Da: Cyril Bonté [mailto:cyril.bo...@free.fr]
> Inviato: mercoledì 1 aprile 2015 20.19
> A: Malcolm Turnbull; Claudio Ruggieri
> Cc: haproxy@formilux.org
> Oggetto: Re: Agent-check not working with backend HTTPS
>
> Hi all,
>
> Le 01/04/2015 18:09, Malcolm Turnbull a écrit :
>> Claudio,
>>
>> I just tested this on  HAProxy  1.6 Dev0 and the bug is fixed (along
>> with several others)...
>> It was spotted by someone a few months ago that an SSL re-encrypted
>> real server would force agent checks to https (incorrectly)
>
> Yes and this is fixed since 1.5.9 for the 1.5 branch, with commit 1f96a87c :
> http://www.haproxy.org/git?p=haproxy-1.5.git;a=commit;h=1f96a87c4e1412ccdc6cfe81bfd6f20a1782886a
>
> A ppa is maintained by Vincent Bernat, which provides recent versions of 
> haproxy for Ubuntu :
> https://launchpad.net/~vbernat/+archive/ubuntu/haproxy-1.5
>
>
> --
> Cyril Bonté



Re: Agent-check not working with backend HTTPS

2015-04-01 Thread Baptiste
On Wed, Apr 1, 2015 at 4:13 PM, Claudio Ruggieri
 wrote:
> Hi all,
>
> I have a problem with agent-check, in my haproxy installation.
>
> Ubuntu Server 14.04 LTS with haproxy 1.5.3-1~ubuntu14.04.1
>
>
>
> HAProxy is configured with 2 backends: one http e one https.
>
> Agent-check is a script bash that simply return a percentage.
>
>
>
> HTTP backend works fine. HTTPS backend doesn't work. In the web Statistic
> Report I see no weight is updated and I don't have errors in log.
>
>
>
> This is the HTTPS backend configuration:
>
>
>
> backend application-https
>
> description "HTTPS Application backend"
>
> cookie SRV insert indirect maxidle 24h maxlife 24h
>
>
>
> server rp1-test-https 192.168.170.181:443 maxconn 100 weight 100
> fall 2 rise 2 check inter 2s agent-check agent-port 4321 agent-inter 5s
> cookie rp1-test-https ssl verify none
>
> server rp2-test-https 192.168.170.182:443 maxconn 100 weight 100
> fall 2 rise 2 check inter 2s agent-check agent-port 4321 agent-inter 5s
> cookie rp2-test-https ssl verify none
>
>
>
> Any idea?


Hi Claudio,

What does a tcpdump on port 4321 tell you?
And what type of content do you see from the server to haproxy in the
packets captured?

Baptiste



Re: Complete rewrite of HAProxy in Lua

2015-04-01 Thread Baptiste
I'll have to find a way to code buffer overflows in Lua!

Baptiste



Re: ldap-check with Active Directory

2015-03-31 Thread Baptiste
I think they play with their syslog server to detect a check from real
traffic and prevent the syslog server from logging the checks.

Baptiste

On Tue, Mar 31, 2015 at 11:33 AM, Matt .  wrote:
> Hi Baptiste,
>
> Yes I've seen it also and never got around large logs.
>
> What do most people do, empty logs very often?
>
>
>
> 2015-03-31 11:29 GMT+02:00 Baptiste :
>> Hi Matt,
>>
> >> The issue with LDAP is that it is not a banner protocol.
> >> So either you check that the TCP port is bound on the server, for a
> >> simple L4 check, or, for L7, you don't have the choice: you must send a
> >> message and check the server's result.
>>
>> Baptiste
>>
>>
>> On Tue, Mar 31, 2015 at 9:53 AM, Matt .  wrote:
>>> I'm also testing some ldap checks but I see lots of logging and log
>>> partitions filling up like crazy.
>>>
> >>> I wonder if it's really doable to check the ldap status in a graceful way.
>>>
>>> 2015-03-31 9:45 GMT+02:00 Neil - HAProxy List
>>> :
>>>> Hello
>>>>
>>>> I was thinking of updating the ldap-check but I think I've a better idea.
>>>> Macros (well ish).
>>>>
>>>>   send-binary 300c0201 # LDAP bind request "" simple
>>>>   send-binary 01 # message ID
>>>>   send-binary 6007 # protocol Op
>>>>   send-binary 0201 # bind request
>>>>   send-binary 03 # LDAP v3
>>>>   send-binary 04008000 # name, simple authentication
>>>>   expect binary 0a0100 # bind response + result code: success
>>>>   send-binary 30050201034200 # unbind request
>>>>

Re: ldap-check with Active Directory

2015-03-31 Thread Baptiste
> I was thinking of updating the ldap-check but I think I've a better idea.
> Macros (well ish).
>
>   send-binary 300c0201 # LDAP bind request "" simple
>   send-binary 01 # message ID
>   send-binary 6007 # protocol Op
>   send-binary 0201 # bind request
>   send-binary 03 # LDAP v3
>   send-binary 04008000 # name, simple authentication
>   expect binary 0a0100 # bind response + result code: success
>   send-binary 30050201034200 # unbind request
>
> could be in a file named macros/ldap-simple-bind
>
> then the option
>  tcp-check-macro ldap-simple-bind
>
> would use it, I know this is close to includes.
>
> similarly macros/smtp-helo-quit
>  connect port 25
>  expect rstring ^220
>  send QUIT\r\n
>  expect rstring ^221
>
>
> or from
> http://blog.haproxy.com/2014/06/06/binary-health-check-with-haproxy-1-5-php-fpmfastcgi-probe-example/
> # FCGI_BEGIN_REQUEST
>  send-binary   01 # version
>  send-binary   01 # FCGI_BEGIN_REQUEST
>  send-binary 0001 # request id
>  send-binary 0008 # content length
>  send-binary   00 # padding length
>  send-binary   00 #
>  send-binary 0001 # FCGI responder
>  send-binary  # flags
>  send-binary  #
>  send-binary  #
>  # FCGI_PARAMS
>  send-binary   01 # version
>  send-binary   04 # FCGI_PARAMS
>  send-binary 0001 # request id
>  send-binary 0045 # content length
>  send-binary   03 # padding length: padding for content % 8 = 0
>  send-binary   00 #
>  send-binary 0e03524551554553545f4d4554484f44474554 # REQUEST_METHOD = GET
>  send-binary 0b055343524950545f4e414d452f70696e67   # SCRIPT_NAME = /ping
>  send-binary 0f055343524950545f46494c454e414d452f70696e67 # SCRIPT_FILENAME
> = /ping
>  send-binary 040455534552524F4F54 # USER = ROOT
>  send-binary 00 # padding
>  # FCGI_PARAMS
>  send-binary   01 # version
>  send-binary   04 # FCGI_PARAMS
>  send-binary 0001 # request id
>  send-binary  # content length
>  send-binary   00 # padding length: padding for content % 8 = 0
>  send-binary   00 #
>
>  expect binary 706f6e67 # pong
>
> (though for items like
> send-binary 0e03524551554553545f4d4554484f44474554 # REQUEST_METHOD = GET
> I'd prefer a
> send-as-binary "REQUEST_METHOD = GET"
> )
>
> these and many others could be shipped with haproxy.
>
> this seems to make sense to me as they are small contained logical items
>
> Neil
>

Hi Neil,

Both contributions are interesting!
Let's wait for other people's feedback.

Baptiste



Re: ldap-check with Active Directory

2015-03-31 Thread Baptiste
Hi Matt,

The issue with LDAP is that it is not a banner protocol.
So either you check that the TCP port is bound on the server for a
simple L4 check, or, for L7, you have no choice: you must send a
message and check the server's result.

Baptiste


On Tue, Mar 31, 2015 at 9:53 AM, Matt .  wrote:
> I'm also testing some ldap checks but I see lots of logging and log
> partitions filling up like crazy.
>
> I wonder if it's really doable to check the ldap status in a graceful way.
>
> 2015-03-31 9:45 GMT+02:00 Neil - HAProxy List
> :
>> Hello
>>
>> I was thinking of updating the ldap-check but I think I've a better idea.
>> Macros (well ish).
>>
>>   send-binary 300c0201 # LDAP bind request "" simple
>>   send-binary 01 # message ID
>>   send-binary 6007 # protocol Op
>>   send-binary 0201 # bind request
>>   send-binary 03 # LDAP v3
>>   send-binary 04008000 # name, simple authentication
>>   expect binary 0a0100 # bind response + result code: success
>>   send-binary 30050201034200 # unbind request
>>
>> could be in a file named macros/ldap-simple-bind
>>
>> then the option
>>  tcp-check-macro ldap-simple-bind
>>
>> would use it, I know this is close to includes.
>>
>> similarly macros/smtp-helo-quit
>>  connect port 25
>>  expect rstring ^220
>>  send QUIT\r\n
>>  expect rstring ^221
>>
>>
>> or from
>> http://blog.haproxy.com/2014/06/06/binary-health-check-with-haproxy-1-5-php-fpmfastcgi-probe-example/
>> # FCGI_BEGIN_REQUEST
>>  send-binary   01 # version
>>  send-binary   01 # FCGI_BEGIN_REQUEST
>>  send-binary 0001 # request id
>>  send-binary 0008 # content length
>>  send-binary   00 # padding length
>>  send-binary   00 #
>>  send-binary 0001 # FCGI responder
>>  send-binary  # flags
>>  send-binary  #
>>  send-binary  #
>>  # FCGI_PARAMS
>>  send-binary   01 # version
>>  send-binary   04 # FCGI_PARAMS
>>  send-binary 0001 # request id
>>  send-binary 0045 # content length
>>  send-binary   03 # padding length: padding for content % 8 = 0
>>  send-binary   00 #
>>  send-binary 0e03524551554553545f4d4554484f44474554 # REQUEST_METHOD = GET
>>  send-binary 0b055343524950545f4e414d452f70696e67   # SCRIPT_NAME = /ping
>>  send-binary 0f055343524950545f46494c454e414d452f70696e67 # SCRIPT_FILENAME
>> = /ping
>>  send-binary 040455534552524F4F54 # USER = ROOT
>>  send-binary 00 # padding
>>  # FCGI_PARAMS
>>  send-binary   01 # version
>>  send-binary   04 # FCGI_PARAMS
>>  send-binary 0001 # request id
>>  send-binary  # content length
>>  send-binary   00 # padding length: padding for content % 8 = 0
>>  send-binary   00 #
>>
>>  expect binary 706f6e67 # pong
>>
>> (though for items like
>> send-binary 0e03524551554553545f4d4554484f44474554 # REQUEST_METHOD = GET
>> I'd prefer a
>> send-as-binary "REQUEST_METHOD = GET"
>> )
>>
>> these and many others could be shipped with haproxy.
>>
>> this seems to make sense to me as they are small contained logical items
>>
>> Neil
>>
>>
>> On 30 March 2015 at 23:02, Baptiste  wrote:
>>>
>>> you should believe it :)
>>>
>>> On Mon, Mar 30, 2015 at 11:34 PM, Neil - HAProxy List
>>>  wrote:
>>> > Hello
>>> >
>>> > Thanks so much. That worked well, I now get
>>> > L7OK/0 in 0ms
>>> > not sure I believe the 0ms but maybe I should
>>> >
>>> > Thanks again,
>>> >
>>> > Neil
>>> >
>>> > On 30 March 2015 at 22:14, Baptiste  wrote:
>>> >>
>>> >> On Mon, Mar 30, 2015 at 10:33 PM, Neil - HAProxy List
>>> >>  wrote:
>>> >> > Hello
>>> >> >
>>> >> > I'm trying to use ldap-check with active directory and the response
>>> >> > active
>>> >> > directory gives is not one ldap-check is happy to accept
>>> >> >
>>> >> > when I give a 389 directory backend ldap server all is well, when I
>>> >> > use
>>> >> > AD I
>>> >> > get 'Not LDAPv3 protocol'
>>> >> >
>>> >> > I've done a little poking about and found that
>>> >> > if ((msglen > 2) ||
>>> >> > 

Re: ldap-check with Active Directory

2015-03-30 Thread Baptiste
you should believe it :)

On Mon, Mar 30, 2015 at 11:34 PM, Neil - HAProxy List
 wrote:
> Hello
>
> Thanks so much. That worked well, I now get
> L7OK/0 in 0ms
> not sure I believe the 0ms but maybe I should
>
> Thanks again,
>
> Neil
>
> On 30 March 2015 at 22:14, Baptiste  wrote:
>>
>> On Mon, Mar 30, 2015 at 10:33 PM, Neil - HAProxy List
>>  wrote:
>> > Hello
>> >
>> > I'm trying to use ldap-check with active directory and the response
>> > active
>> > directory gives is not one ldap-check is happy to accept
>> >
>> > when I give a 389 directory backend ldap server all is well, when I use
>> > AD I
>> > get 'Not LDAPv3 protocol'
>> >
>> > I've done a little poking about and found that
>> > if ((msglen > 2) ||
>> > (memcmp(check->bi->data + 2 + msglen,
>> > "\x02\x01\x01\x61", 4) != 0)) {
>> > set_server_check_status(check,
>> > HCHK_STATUS_L7RSP, "Not LDAPv3 protocol");
>> > is where I'm getting stopped as msglen is 4
>> >
>> > Here is tcpdump of 389 directory response (the one that works) 2 packets
>> > 21:29:34.195699 IP 389.ldap > HAPROXY.57109: Flags [.], ack 15, win 905,
>> > options [nop,nop,TS val 856711882 ecr 20393440], length 0
>> > 0x:  0050 5688 7042 0064 403b 2700 0800 4500  .PV.pB.d@;'...E.
>> > 0x0010:  0034 9d07 4000 3f06 3523 ac1b e955 ac18  .4..@.?.5#...U..
>> > 0x0020:  2810 0185 df15 5cab ffcd 63ba 77d3 8010  (.\...c.w...
>> > 0x0030:  0389 2c07  0101 080a 3310 62ca 0137  ..,...3.b..7
>> > 0x0040:  2de0 -.
>> > 21:29:34.195958 IP 389.ldap > HAPROXY.57109: Flags [P.], seq 1:15, ack
>> > 15,
>> > win 905, options [nop,nop,TS val 856711882 ecr 20393440], length 14
>> > 0x:  0050 5688 7042 0064 403b 2700 0800 4500  .PV.pB.d@;'...E.
>> > 0x0010:  0042 9d08 4000 3f06 3514 ac1b e955 ac18  .B..@.?.5U..
>> > 0x0020:  2810 0185 df15 5cab ffcd 63ba 77d3 8018  (.\...c.w...
>> > 0x0030:  0389 e878  0101 080a 3310 62ca 0137  ...x..3.b..7
>> > 0x0040:  2de0 300c 0201 0161 070a 0100 0400 0400  -.0a
>> >
>> > Here is tcpdump of active directory (broken) 1 packet
>> >
>> > 21:25:24.519883 IP ADSERVER.ldap > HAPROXY.57789: Flags [P.], seq 1:23,
>> > ack
>> > 15, win 260, options [nop,nop,TS val 1870785 ecr 20331021], length 22
>> > 0x:  0050 5688 7042 0050 5688 7780 0800 4500  .PV.pB.PV.w...E.
>> > 0x0010:  004a 1d7d 4000 8006 34e3 ac18 280d ac18  .J.}@...4...(...
>> > 0x0020:  2810 0185 e1bd 5a3f 2ae7 3ced 7b5b 8018  (.Z?*.<.{[..
>> > 0x0030:  0104 1d7a  0101 080a 001c 8bc1 0136  ...z...6
>> > 0x0040:  3a0d 3084  0010 0201 0161 8400   :.0a
>> > 0x0050:  070a 0100 0400 0400
>> >
>> > this was discussed but not finished before see
>> > http://www.serverphorums.com/read.php?10,394453
>> >
>> > I can see the string \02\01\01\61 is there but not in the correct place
>> >
>> > Anyone have any ideas about fixing this so that both (and possibly
>> > other)
>> > ldap implementations work?
>> >
>> > Thanks,
>> >
>> > Neil
>>
>>
>> Hi Neil
>>
>> Yes you can switch to the tcp-check checking method.
>> It works with binary protocols as well.
>> Here is what I use for the AD in my lab:
>>
>>  option tcp-check
>>  tcp-check connect port 389
>>  tcp-check send-binary 300c0201 # LDAP bind request "" simple
>>  tcp-check send-binary 01 # message ID
>>  tcp-check send-binary 6007 # protocol Op
>>  tcp-check send-binary 0201 # bind request
>>  tcp-check send-binary 03 # LDAP v3
>>  tcp-check send-binary 04008000 # name, simple authentication
>>  tcp-check expect binary 0a0100 # bind response + result code: success
>>  tcp-check send-binary 30050201034200 # unbind request
>>
>>
>> You could add the same sequence for LDAPs on port 636:
>>  tcp-check connect port 636 ssl
>>  tcp-check send-binary 300c0201 # LDAP bind request "" simple
>>  tcp-check send-binary 01 # message ID
>>  tcp-check send-binary 6007 # protocol Op
>>  tcp-check send-binary 0201 # bind request
>>  tcp-check send-binary 03 # LDAP v3
>>  tcp-check send-binary 04008000 # name, simple authentication
>>  tcp-check expect binary 0a0100 # bind response + result code: success
>>  tcp-check send-binary 30050201034200 # unbind request
>>
>>
>> Note for myself: put this tip on the blog..
>>
>> Baptiste
>
>



Re: using a fetcher in wrong context, performance tip

2015-03-30 Thread Baptiste
On Mon, Mar 30, 2015 at 10:11 PM, Pavlos Parissis
 wrote:
> Hi all,
>
> During a stress test I discovered a drop of 5% performance at rate of
> 380K req/s when the following 3 statements were added in a frontend
> where HTTPS is not used
>
> http-request add-header X-Cipher-Name %sslc
> http-request add-header X-Cipher-Version %sslv
> http-request add-header X-Cipher-Bits %[ssl_fc_use_keysize]
>
> Here is the stress result
> # wrk --timeout 3s --latency -c 1000 -d 5m -t 24
> http://10.190.3.1/
> Running 5m test @ http://10.190.3.1/
>   24 threads and 1000 connections
>   Thread Stats   Avg  Stdev Max   ± Stdev
> Latency 2.31ms  815.14us  27.06ms   74.32%
> Req/Sec16.98k 2.25k   32.00k85.12%
>   Latency Distribution
>  50%2.43ms
>  75%2.71ms
>  90%3.15ms
>  99%3.88ms
>   115019521 requests in 5.00m, 16.50GB read
>   Socket errors: connect 0, read 0, write 0, timeout 13264
> Requests/sec: 383420.54
> Transfer/sec: 56.31MB
>
> After I removed only the ssl_fc_use_keysize fetcher
> http-request add-header X-Cipher-Bits %[ssl_fc_use_keysize]
>
> performance was improved by 5%, see below
> # wrk --timeout 3s --latency -c 1000 -d 5m -t 24
> http://10.190.3.1/
> Running 5m test @ http://10.190.3.1/
>   24 threads and 1000 connections
>   Thread Stats   Avg  Stdev Max   ± Stdev
> Latency 2.12ms  831.01us 206.61ms   74.86%
> Req/Sec17.88k 2.22k   31.56k80.62%
>   Latency Distribution
>  50%2.30ms
>  75%2.62ms
>  90%2.88ms
>  99%3.72ms
>   120947683 requests in 5.00m, 17.35GB read
>   Socket errors: connect 0, read 0, write 0, timeout 17255
> Requests/sec: 403180.76
> Transfer/sec: 59.21MB
>
> When I added it back but with a condition if traffic is HTTPS
> performance at that high rate of request was increased
>  http-request add-header X-Cipher-Bits %[ssl_fc_use_keysize] if
> https_traffic
>
> stress results:
> # wrk --timeout 3s --latency -c 1000 -d 5m -t 24
> http://10.190.3.1/
> Running 5m test @ http://10.190.3.1/
>   24 threads and 1000 connections
>   Thread Stats   Avg  Stdev Max   ± Stdev
> Latency 2.07ms  823.41us  32.08ms   75.64%
> Req/Sec17.86k 2.27k   29.56k81.81%
>   Latency Distribution
>  50%2.27ms
>  75%2.54ms
>  90%2.76ms
>  99%3.80ms
>   120945989 requests in 5.00m, 17.35GB read
>   Socket errors: connect 0, read 0, write 0, timeout 19828
> Requests/sec: 403177.77
> Transfer/sec: 59.21MB
>
>
> I also added the same condition for other 2 variables accessed as log
> formatters and the performance was improved even more
>
> stress results with
>  http-request add-header X-Cipher-Name %sslc if https_traffic
>  http-request add-header X-Cipher-Version %sslv if https_traffic
>  http-request add-header X-Cipher-Bits %[ssl_fc_use_keysize] if
> https_traffic
>
> # wrk --timeout 3s --latency -c 1000 -d 5m -t 24
> http://10.190.3.1/
> Running 5m test @ http://10.190.3.1/
>   24 threads and 1000 connections
>   Thread Stats   Avg  Stdev Max   ± Stdev
> Latency 2.12ms9.64ms 607.23ms   99.79%
> Req/Sec19.43k 3.28k   33.56k82.82%
>   Latency Distribution
>  50%1.95ms
>  75%2.20ms
>  90%2.41ms
>  99%3.36ms
>   131646991 requests in 5.00m, 18.88GB read
>   Socket errors: connect 0, read 0, write 0, timeout 30179
> Requests/sec: 438828.20
> Transfer/sec: 64.45MB
>
> Lesson learned here is to either condition all your statements or pay
> attention at the context you apply a logic.
>
>
> Cheers,
> Pavlos
>


Hey

Just to highlight the most important point, from my point of view:
  "Requests/sec: 438828.20"

nice job man!

Baptiste



Re: ldap-check with Active Directory

2015-03-30 Thread Baptiste
On Mon, Mar 30, 2015 at 10:33 PM, Neil - HAProxy List
 wrote:
> Hello
>
> I'm trying to use ldap-check with active directory and the response active
> directory gives is not one ldap-check is happy to accept
>
> when I give a 389 directory backend ldap server all is well, when I use AD I
> get 'Not LDAPv3 protocol'
>
> I've done a little poking about and found that
> if ((msglen > 2) ||
> (memcmp(check->bi->data + 2 + msglen,
> "\x02\x01\x01\x61", 4) != 0)) {
> set_server_check_status(check,
> HCHK_STATUS_L7RSP, "Not LDAPv3 protocol");
> is where I'm getting stopped as msglen is 4
>
> Here is tcpdump of 389 directory response (the one that works) 2 packets
> 21:29:34.195699 IP 389.ldap > HAPROXY.57109: Flags [.], ack 15, win 905,
> options [nop,nop,TS val 856711882 ecr 20393440], length 0
> 0x:  0050 5688 7042 0064 403b 2700 0800 4500  .PV.pB.d@;'...E.
> 0x0010:  0034 9d07 4000 3f06 3523 ac1b e955 ac18  .4..@.?.5#...U..
> 0x0020:  2810 0185 df15 5cab ffcd 63ba 77d3 8010  (.\...c.w...
> 0x0030:  0389 2c07  0101 080a 3310 62ca 0137  ..,...3.b..7
> 0x0040:  2de0 -.
> 21:29:34.195958 IP 389.ldap > HAPROXY.57109: Flags [P.], seq 1:15, ack 15,
> win 905, options [nop,nop,TS val 856711882 ecr 20393440], length 14
> 0x:  0050 5688 7042 0064 403b 2700 0800 4500  .PV.pB.d@;'...E.
> 0x0010:  0042 9d08 4000 3f06 3514 ac1b e955 ac18  .B..@.?.5U..
> 0x0020:  2810 0185 df15 5cab ffcd 63ba 77d3 8018  (.\...c.w...
> 0x0030:  0389 e878  0101 080a 3310 62ca 0137  ...x..3.b..7
> 0x0040:  2de0 300c 0201 0161 070a 0100 0400 0400  -.0a
>
> Here is tcpdump of active directory (broken) 1 packet
>
> 21:25:24.519883 IP ADSERVER.ldap > HAPROXY.57789: Flags [P.], seq 1:23, ack
> 15, win 260, options [nop,nop,TS val 1870785 ecr 20331021], length 22
> 0x:  0050 5688 7042 0050 5688 7780 0800 4500  .PV.pB.PV.w...E.
> 0x0010:  004a 1d7d 4000 8006 34e3 ac18 280d ac18  .J.}@...4...(...
> 0x0020:  2810 0185 e1bd 5a3f 2ae7 3ced 7b5b 8018  (.Z?*.<.{[..
> 0x0030:  0104 1d7a  0101 080a 001c 8bc1 0136  ...z...6
> 0x0040:  3a0d 3084  0010 0201 0161 8400   :.0a
> 0x0050:  070a 0100 0400 0400
>
> this was discussed but not finished before see
> http://www.serverphorums.com/read.php?10,394453
>
> I can see the string \02\01\01\61 is there but not in the correct place
>
> Anyone have any ideas about fixing this so that both (and possibly other)
> ldap implementations work?
>
> Thanks,
>
> Neil


Hi Neil

Yes you can switch to the tcp-check checking method.
It works with binary protocols as well.
Here is what I use for the AD in my lab:

 option tcp-check
 tcp-check connect port 389
 tcp-check send-binary 300c0201 # LDAP bind request "" simple
 tcp-check send-binary 01 # message ID
 tcp-check send-binary 6007 # protocol Op
 tcp-check send-binary 0201 # bind request
 tcp-check send-binary 03 # LDAP v3
 tcp-check send-binary 04008000 # name, simple authentication
 tcp-check expect binary 0a0100 # bind response + result code: success
 tcp-check send-binary 30050201034200 # unbind request


You could add the same sequence for LDAPs on port 636:
 tcp-check connect port 636 ssl
 tcp-check send-binary 300c0201 # LDAP bind request "" simple
 tcp-check send-binary 01 # message ID
 tcp-check send-binary 6007 # protocol Op
 tcp-check send-binary 0201 # bind request
 tcp-check send-binary 03 # LDAP v3
 tcp-check send-binary 04008000 # name, simple authentication
 tcp-check expect binary 0a0100 # bind response + result code: success
 tcp-check send-binary 30050201034200 # unbind request


Note for myself: put this tip on the blog..

Baptiste
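To make the two failure modes in this thread concrete, here is an added example (not HAProxy's code, and not something the participants posted) that decodes the probe bytes from Baptiste's tcp-check lines and the two server replies from Neil's tcpdump with a small BER reader. The point it shows: 389 Directory Server encodes the LDAPMessage length in the short form (`30 0c ...`), while Active Directory uses the long form (`30 84 00 00 00 10 ...`), so a check that expects the messageID and bindResponse tag at a fixed offset rejects AD even though the reply is a valid LDAPv3 BindResponse with resultCode success. Baptiste's `expect binary 0a0100` sidesteps this because it looks for the resultCode bytes anywhere in the reply; the parser here is the stricter alternative. One assumption is labelled in the code: the archive dropped the all-zero hex groups from the AD capture, so those bytes are restored from the stated payload length (22) and the long-form length markers.

```python
# Added example (not HAProxy's code): decode the LDAP probe and the two server
# replies discussed in this thread with a BER reader that accepts both the
# short-form length (389 Directory Server) and the long-form length
# (0x84 + four length bytes) that Active Directory returns.


def ber_read(buf, off, limit=None):
    """Read one BER tag and definite length at buf[off].

    Returns (tag, content_start, content_end). Accepts the short form (one
    length byte < 0x80) and the long form (0x80 | n, then n big-endian length
    bytes, n <= 4). Raises ValueError on truncation, indefinite length, or
    content running past `limit` (the end of the enclosing element).
    """
    if limit is None:
        limit = len(buf)
    if off + 2 > limit:
        raise ValueError("truncated tag/length")
    tag, first = buf[off], buf[off + 1]
    if first & 0x80 == 0:
        length, start = first, off + 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or off + 2 + n > limit:
            raise ValueError("indefinite or oversized length")
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        start = off + 2 + n
    end = start + length
    if end > limit:
        raise ValueError("content runs past enclosing element")
    return tag, start, end


def parse_bind_request(buf):
    """Decode LDAPMessage{messageID, bindRequest{version, name, simple}}.
    Returns (messageID, version, name); raises ValueError otherwise."""
    tag, start, end = ber_read(buf, 0)
    if tag != 0x30:                      # LDAPMessage ::= SEQUENCE
        raise ValueError("not an LDAPMessage")
    tag, s, e = ber_read(buf, start, end)
    if tag != 0x02:                      # messageID INTEGER
        raise ValueError("missing messageID")
    msgid = int.from_bytes(buf[s:e], "big")
    tag, s, e = ber_read(buf, e, end)
    if tag != 0x60:                      # bindRequest = [APPLICATION 0], constructed
        raise ValueError("protocolOp is not bindRequest")
    inner_end = e
    tag, s, e = ber_read(buf, s, inner_end)
    if tag != 0x02:                      # version INTEGER
        raise ValueError("missing version")
    version = int.from_bytes(buf[s:e], "big")
    tag, s, e = ber_read(buf, e, inner_end)
    if tag != 0x04:                      # name LDAPDN (OCTET STRING)
        raise ValueError("missing name")
    name = buf[s:e].decode("utf-8")
    tag, s, e = ber_read(buf, e, inner_end)
    if tag != 0x80:                      # authentication: simple = [CONTEXT 0]
        raise ValueError("not simple authentication")
    return msgid, version, name


def bind_result(buf):
    """Decode LDAPMessage{messageID 1, bindResponse{resultCode, ...}} and
    return the resultCode (0 = success, 49 = invalidCredentials, ...)."""
    tag, start, end = ber_read(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, s, e = ber_read(buf, start, end)
    if tag != 0x02 or buf[s:e] != b"\x01":  # must answer the probe's messageID 1
        raise ValueError("unexpected messageID")
    tag, s, e = ber_read(buf, e, end)
    if tag != 0x61:                          # bindResponse = [APPLICATION 1], constructed
        raise ValueError("protocolOp is not bindResponse")
    tag, s2, e2 = ber_read(buf, s, e)
    if tag != 0x0A or e2 - s2 != 1:          # resultCode ENUMERATED
        raise ValueError("missing resultCode")
    return buf[s2]


def fixed_offset_check(buf):
    """The comparison quoted from the check code in this thread: msglen is the
    count of long-form length bytes (0 for the short form), more than 2 is
    rejected, and messageID + bindResponse tag are expected right after it."""
    if len(buf) < 6:
        return False
    msglen = (buf[1] & 0x7F) if buf[1] & 0x80 else 0
    return msglen <= 2 and buf[2 + msglen:6 + msglen] == b"\x02\x01\x01\x61"


# Baptiste's tcp-check send-binary lines, concatenated.
PROBE = bytes.fromhex("300c0201" "01" "6007" "0201" "03" "04008000")
# 389 Directory Server reply: the 14-byte TCP payload from Neil's tcpdump.
RESP_389DS = bytes.fromhex("300c0201 0161070a 01000400 0400")
# Active Directory reply: the 22-byte payload from Neil's tcpdump. The archive
# dropped the all-zero groups; they are restored from the stated length and the
# 0x84 long-form markers, so this is a reconstruction (assumption).
RESP_AD = bytes.fromhex("30840000 00100201 01618400 0000070a 01000400 0400")
# Constructed: same shape as the 389 DS reply, resultCode 49 (invalidCredentials).
RESP_INVALID_CREDS = bytes.fromhex("300c0201 0161070a 01310400 0400")

if __name__ == "__main__":
    print("probe decodes to (messageID, version, name):", parse_bind_request(PROBE))
    for label, resp in (("389ds", RESP_389DS), ("AD", RESP_AD)):
        print(label, "resultCode", bind_result(resp),
              "fixed-offset check accepts it:", fixed_offset_check(resp))
```

Running it prints resultCode 0 for both replies while the fixed-offset comparison accepts only the 389 DS one, which is exactly the "Not LDAPv3 protocol" symptom Neil saw. The `limit` argument matters for a health check: a reply whose inner length claims more content than the enclosing element has is rejected instead of being read past the buffer.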



Re: RTMP offloading

2015-03-29 Thread Baptiste
> frontend rtmp_https
> bindxxx.xxx.xxx.xxx:443 name
> xxx.xxx.xxx.xxx:443 ssl  crt /var/etc/haproxy/mycert.pem
> modetcp
> log global
> maxconn 9
> timeout client  60
> use_backend rtmpbackend_tcp_ipvANY if
> default_backend rtmpbackend_tcp_ipvANY
>
>
> backend rtmpbackend_tcp_ipvANY
> modetcp
> balance leastconn
> timeout connect 3
> timeout server  3
> retries 3
> option  httpchk GET /
> server  rtmp-01 172.16.5.11:443 check-ssl
> check inter 1000  weight 100 verify none
> server  rtmp-02 172.16.5.12:443 check-ssl
> check inter 1000  weight 100 verify none

Weren't you supposed to connect on port 1935, where traffic is unciphered?
Can you confirm whether traffic is ciphered or not on the server's port 443
?? (you seem to be mixing clear traffic over a connection which expects
ciphered traffic on the server side).
Does haproxy say the servers are UP (logs, stats page, etc...)?

Baptiste



Re: RTMP offloading

2015-03-29 Thread Baptiste
Matt,

I won't do your configuration since I have no idea what you want to do.
Share what you did exactly, share more information about the issues
(logs, etc...) and we may help.

Baptiste


On Sun, Mar 29, 2015 at 3:53 PM, Matt .  wrote:
> Hi,
>
> I have tried all, also TCP, I'm configuring it using pfsense so I need
> to grab it from there.
>
> Do you have a small example of what should work ? I can paste that to
> pfsense to than.
>
> In my app I just should connect rtmps to port 443 on ha, offload and
> connect to normal rtmp 1935 again was my idea ?
>
> Thanks so far!
>
> Cheers,
>
> Matt
>
> 2015-03-29 15:47 GMT+02:00 Baptiste :
>> On Sun, Mar 29, 2015 at 1:05 PM, Matt .  wrote:
>>> Hi Guys,
>>>
>>>
>>> I'm trying to offload a rtmp connection where I connect using rtmps to
>>> ha proxy and offload the ssl layer there.
>>>
>>> In some strange way I can't get it working but I can with other
>>> services the same way.
>>>
>>> Is RTMP a hard one in this case ?
>>>
>>> Thanks,
>>>
>>> Matt
>>>
>>
>> Hi,
>>
>> Are you using mode tcp ?
>> could you share your configuration?
>> any error message provided by any equipment involved in your setup?
>>
>> Baptiste



Re: route by destination IP address

2015-03-29 Thread Baptiste
Hi,

No, HAProxy won't do this.
Instead, if you could explain to us clearly what your problem is, we may
be able to help you.
For now you have just explained what you tried to achieve.

Baptiste


On Sun, Mar 29, 2015 at 3:33 PM, Abdelouahed Haitoute
 wrote:
> I think I've found the issue. During test, I'm visiting a hostname 
> http://example/. But the acl condition req.hdr_ip(host) will only work if I  
> visit http://192.168.0.1/.
>
> Is it possible to let haproxy resolve the domain name and then check the IP 
> address?
>
>> Op 29 mrt. 2015, om 14:04 heeft Abdelouahed Haitoute  
>> het volgende geschreven:
>>
>> Hello,
>>
>> I'm trying to route http-requests based on destination IP address. I've got 
>> the following configuration, but unfortunately its not working:
>>
>> frontend proxy :3128
>>   acl host_destip req.hdr_ip(host) 192.168.0.1
>>   use_backend a if host_destip
>>   default_backend b
>>
>> I'm expecting all http-traffic with destination IP address 192.168.0.1 to go 
>> to backend a, but its using the default_backend.
>>
>> Any help is welcome.
>
>



Re: RTMP offloading

2015-03-29 Thread Baptiste
On Sun, Mar 29, 2015 at 1:05 PM, Matt .  wrote:
> Hi Guys,
>
>
> I'm trying to offload a rtmp connection where I connect using rtmps to
> ha proxy and offload the ssl layer there.
>
> In some strange way I can't get it working but I can with other
> services the same way.
>
> Is RTMP a hard one in this case ?
>
> Thanks,
>
> Matt
>

Hi,

Are you using mode tcp ?
could you share your configuration?
any error message provided by any equipment involved in your setup?

Baptiste



Re: active/passive with no failback; stick table not 100% sticky?

2015-03-28 Thread Baptiste
On Fri, Mar 27, 2015 at 11:04 PM, Michael Bayer
 wrote:
> Hi there -
>
> We are evaluating different ways of using the "stick match" and "backup"
> options in order to achieve certain behaviors for failover, involving a
> Galera cluster. For reference, we're picking and choosing from this blog
> post:
> http://blog.haproxy.com/2014/01/17/emulating-activepassing-application-clustering-with-haproxy/.
>
> We're basically looking to have all connections on only one server at all
> times; as soon as a server is available, everyone should be kicked off and
> blocked from any other servers in the backend. This is because while Galera
> is a "multi-master" cluster, we're trying to have the application only use
> one node as "master" at a time, at least for the moment.
>
> it seems like using just the "stick" table alone, as in:
>
> backend db-vms-galera
> option httpchk
> stick-table type ip size 1
> stick on dst
> timeout server 90m
> server rhos-node1 rhel7-1:3306 check inter 1s port 9200 
> on-marked-down shutdown-sessions
> server rhos-node2 rhel7-2:3306 check inter 1s port 9200 
> on-marked-down shutdown-sessions
> server rhos-node3 rhel7-3:3306 check inter 1s port 9200 
> on-marked-down shutdown-sessions
>
> is not enough; from my observations running the "show table" socket command
> and watching the logs, when a node goes down, its entry still remains in the
> stick table for some period of time, and new connections, assuming they
> continue to come in fast, have no choice but to skip stick match altogether
> (I can provide logs and samples that show this happening).
>
> So we would then gather that the best configuration is this:
>
> backend db-vms-galera
> option httpchk
> stick-table type ip size 1
> stick on dst
> timeout server 90m
> server rhos-node1 rhel7-1:3306 check inter 1s port 9200 
> on-marked-down shutdown-sessions
> server rhos-node2 rhel7-2:3306 check inter 1s port 9200 
> on-marked-down shutdown-sessions backup
> server rhos-node3 rhel7-3:3306 check inter 1s port 9200 
> on-marked-down shutdown-sessions backup
>
> this works a lot better; when I kill node1, all the connections go to node2
> unambiguously. Then, our galera cluster in an effort to bring node1 back up,
> puts node2 into "Read only" mode, which bounces all connections to node3. At
> this point node1 comes back and then the stick table does not appear to be
> of any use; most connections continue to go to node3 and querying the stick
> table shows that it's set to node3, however a handful of requests also go
> back to node1. So again this is not a pure "active/passive" setup, multiple
> nodes get hit at the same time. Was wondering if this behavior could be
> clarified and how we can use the stick table as an absolute "gate" for all
> requests, where no connections will fall through if a server goes down or
> comes back up.
>
> I had hopes for the unusual setup of just making all three servers a
> "backup" server:
>
> backend db-vms-galera
> option httpchk
> timeout server 90m
> server rhos-node1 rhel7-1:3306 check inter 1s port 9200 
> on-marked-down shutdown-sessions backup
> server rhos-node2 rhel7-2:3306 check inter 1s port 9200 
> on-marked-down shutdown-sessions backup
> server rhos-node3 rhel7-3:3306 check inter 1s port 9200 
> on-marked-down shutdown-sessions backup
>
> The idea being, no server is "official", so there's nothing to "fail back"
> towards. This sort of seemed to work but still seems like it wants to "fail
> back" up from node 3 to node2, to node 1; this approach seems to do the best
> job of making sure all connections are all on one server, though; not
> perfectly because it doesn't bump off connections still talking to the
> being-replaced server, but still fairly well.
>
> Any insight on the usage of the stick table here would be appreciated!
>
>


Hi Michael,

Can you add the 'nopurge' option on your stick-table statement and
tell us if that fixes your issue?

Baptiste



Re: Availability of HAProxy on Windows Server

2015-03-27 Thread Baptiste
Use hyperv and a linux VM inside.
It works pretty well :)

Baptiste

On Fri, Mar 27, 2015 at 12:50 PM, Simon Dick  wrote:
> I'm afraid Windows isn't a supported platform, please see
> http://www.haproxy.org/#plat
>
> On 26 March 2015 at 21:38, Abhijit Damle  wrote:
>> Hi,
>>
>>
>>
>> Do you have any version of HAProxy supported on Windows Server
>> editions (server 2008, server 2012 etc). if so from where can I download it?
>>
>>
>>
>> Thanks and regards,
>>
>> Abhijit Damle
>> Senior Software Engineer
>> Beca
>> www.beca.com
>>
>>
>>
>>
>> ---
>>
>> NOTICE: This email, if it relates to a specific contract, is sent on behalf
>> of the Beca company which entered into the contract. Please contact the
>> sender if you are unsure of the contracting Beca company or visit our web
>> page http://www.beca.com for further information on the Beca Group. If this
>> email relates to a specific contract, by responding you agree that,
>> regardless of its terms, this email and the response by you will be a valid
>> communication for the purposes of that contract, and may bind the parties
>> accordingly.
>> This e-mail together with any attachments is confidential, may be subject to
>> legal privilege and may contain proprietary information, including
>> information protected by copyright. If you are not the intended recipient,
>> please do not copy, use or disclose this e-mail; please notify us
>> immediately by return e-mail and then delete this e-mail.
>>
>> ---
>



[HAProxy Technologies] Meeting with us in SF bay Area

2015-03-26 Thread Baptiste Assmann
Hi the list!!!

I'll be traveling for business purposes to the SF bay Area, from the 20th
of April to 1st of May. I'll meet some customers and prospects on behalf
of our company, HAProxy Technologies.

So if any of you are available and want to meet us, either to speak about
the open source version, the roadmap, the wish list, the ecosystem (third
party tools you use around HAProxy), etc..., just send me a mail!
If you simply want to drink a beer or a coffee and discuss anything
but HAProxy, this is also possible !!!

Baptiste

-- 
---
Baptiste Assmann
Product Manager - Consultant
e: bassm...@haproxy.com| t: https://twitter.com/haproxy_tech
w: http://www.haproxy.com/ | b: http://blog.haproxy.com/




Re: Does HAproxy support sending ServerName TLS extension to backend servers?

2015-03-26 Thread Baptiste
On Thu, Mar 26, 2015 at 7:44 AM, Jarno Huuskonen  wrote:
> Hi,
>
> On Wed, Mar 25, Shawn Heisey wrote:
>> On 3/25/2015 10:16 AM, Brandon wrote:
>> > Hi, I am trying to deploy HAProxy in HTTP mode in front of a Windows
>> > Server 2012 R2 ADFS 3.0 farm. In ADFS 3.0 backend servers require that
>> > clients support SNI.
>> >
>> > In my testing it does not appear that HAProxy is sending the ServerName
>> > extension in the TLS handshake and as a result I am receiving a "Bad
>> > Gateway" error. The HAProxy logs just say "Connection error during SSL
>> > handshake". I captured the traffic with wireshark and the ServerName TLS
>> > extension is indeed missing and the ADFS server is sending a RESET
>> > packet right after the SSL HELLO packet.
>
> Do any of the force-tls10, force-tls11 or force-tls12 (or no-sslv3)
> make any difference ?
>
>> Haproxy 1.5 does support SNI, but in order for it to work, the version
>> of openssl used must also support it.  If you're running an old OS, it
>> might not have that support.  RHEL6 and its derivatives (like CentOS6)
>> include openssl 0.9.8e, and I don't think that version has SNI ... the
>
> CentOS6 (6.6) comes with openssl 1.0.1e, but it also has compatibility 
> package:
> openssl098e. (haproxy -vv should show what version you're using).
>
> It should be possible to configure ADFS not to require SNI(=add default
> binding), we're testing netscaler as adfs proxy (netscaler doesn't support
> SNI on backend). And the default binding seems to work.
> (For example: http://jesperstahle.azurewebsites.net/?p=1382)
>
> -Jarno
>
> --
> Jarno Huuskonen
>


Hi,

HAProxy does not support SNI on backend yet.
The biggest problem is not to send the SNI, the problem is what to send :)
Do you send the Host header sent by the client, do you want to forge
one, what happens if you do rewriting of the Host header, etc...
So we could discuss the options here, then we'll be able to code
something I guess...

Baptiste



Re: how make the images directory accessible for all clients?

2015-03-25 Thread Baptiste
Hi Fraj,

You need to re-order your configuration and slightly update it:
 acl white_list src 127.0.0.1 192.168.1.0/24
 acl restricted_page path_beg /images
 http-request allow if restricted_page
 http-request allow if white_list
 http-request deny


Baptiste

On Wed, Mar 25, 2015 at 10:18 AM, Fraj KALLEL  wrote:
> Hello,
>
>
> below my haproxy configuration.
>
> how can I make the images directory accessible for all clients?
>
>
> Thanks.
>
> global
> log 127.0.0.1   local0
> log 127.0.0.1   local1 notice
> #log loghostlocal0 info
> maxconn 4096
> #debug
> #quiet
> user haproxy
> group haproxy
>
> defaults
> log global
> modehttp
> option  httplog
> option  dontlognull
> retries 3
> option  redispatch
> maxconn 2000
> timeout connect  5000ms
> timeout queue5000ms
> timeout client   25m
> timeout server   25m
>
> listen webfarm 192.168.1.28:80
>mode http
>stats enable
>stats auth stelb:abcder
>balance roundrobin
>appsession PHPSESSID len 64 timeout 3h request-learn prefix
>option httpclose
>option forwardfor
>option httpchk HEAD /check.txt HTTP/1.0
>
>acl white_list src 127.0.0.1 192.168.1.0/24
>http-request allow if white_list
>http-request deny
>
>acl restricted_page path_beg /images
>
>server webA 192.168.1.23:80 cookie A check
>server webB 192.168.1.24:80 cookie B check
>
> Sincerely yours,
> Fraj KALLEL



Re: limiting conn-curs per-ip using x-forwarded-for

2015-03-25 Thread Baptiste
Hi,

some useful examples can be taken from this blog post:
http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/

Just replace src by hdr(X-Forwarded-For).

Baptiste



On Tue, Mar 24, 2015 at 5:58 PM, Jarno Huuskonen  wrote:
> Hi,
>
> On Tue, Mar 24, Klavs Klavsen wrote:
>> I now have:
>>   stick-table  type string size 100k store conn_cur,gpc0
>>   stick store-request  hdr(X-Forwarded-For,-1)
>>   tcp-request content  track-sc2 hdr(X-Forwarded-For)
>>   acl allowed  sc2_conn_cur lt 2
>>   block unless allowed
>
> tcp-request inspect-delay ?
> Most of the examples seem to use inspect-delay:
> http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-tcp-request%20content
>
>> shouldn't the key - be the x-forwarded-for header?
>
> Have you checked that the requests have (one) x-forwarded-for header ?
> hdr(X-Forwarded-For) = first header, and hdr(X-Forwarded-For,-1) = last 
> header.
> (http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#7.3.6-req.hdr)
>
> And is the haproxy ip the only one that's in the stick table ?
>
> -Jarno
>
> --
> Jarno Huuskonen
>

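Jarno's point above about hdr(X-Forwarded-For) versus hdr(X-Forwarded-For,-1) is the security-relevant detail of this rule: the key decides whose connections get counted. What follows is an added Python model of the per-key conn_cur rule (not HAProxy code and not from the thread) run over constructed requests; the sample addresses and the assumption that exactly one trusted proxy sits in front of HAProxy are mine.

```python
from collections import Counter

# Mirrors "acl allowed sc2_conn_cur lt 2" from the thread: a key may hold
# fewer than two concurrent connections, the one being opened included.
CONN_LIMIT = 2


def xff_values(headers):
    """Collect every address from all X-Forwarded-For headers, in wire order."""
    values = []
    for name, value in headers:
        if name.lower() == "x-forwarded-for":
            values.extend(v.strip() for v in value.split(",") if v.strip())
    return values


def tracking_key(headers, position):
    """Emulate the fetch used as the stick-table key.

    position 0 behaves like hdr(X-Forwarded-For): the first address, which
    is whatever the client itself put in the request.  position -1 behaves
    like hdr(X-Forwarded-For,-1): the last address, appended by the proxy
    directly in front of HAProxy (assumed here to be the only, trusted one).
    Returns None when the header is absent; such a request is left untracked
    in this model.
    """
    values = xff_values(headers)
    return values[position] if values else None


class ConnTracker:
    """Minimal stand-in for a stick-table storing conn_cur per key."""

    def __init__(self, limit=CONN_LIMIT):
        self.limit = limit
        self.conn_cur = Counter()

    def open(self, key):
        """Apply 'track-sc2' then 'block unless allowed'; return True if allowed."""
        if key is None:
            return True
        self.conn_cur[key] += 1                    # track-sc2 counts this connection
        allowed = self.conn_cur[key] < self.limit  # acl allowed sc2_conn_cur lt 2
        if not allowed:
            self.conn_cur[key] -= 1                # a blocked connection is closed again
        return allowed

    def close(self, key):
        """Connection finished: conn_cur goes back down."""
        if key is not None and self.conn_cur[key] > 0:
            self.conn_cur[key] -= 1


def evaluate(requests, position):
    """Open every request concurrently and report which ones the rule lets through."""
    tracker = ConnTracker()
    return [tracker.open(tracking_key(headers, position)) for headers in requests]


# Constructed sample: three simultaneous requests from one client behind one
# proxy.  The proxy appends the real client address (203.0.113.5) last; the
# first value differs per request because the client supplied it itself.
SAMPLE_REQUESTS = [
    [("Host", "example.test"), ("X-Forwarded-For", "10.1.1.1, 203.0.113.5")],
    [("Host", "example.test"), ("X-Forwarded-For", "10.2.2.2, 203.0.113.5")],
    [("Host", "example.test"), ("X-Forwarded-For", "10.3.3.3, 203.0.113.5")],
]

if __name__ == "__main__":
    print("first value as key :", evaluate(SAMPLE_REQUESTS, 0))   # [True, True, True]
    print("last value as key  :", evaluate(SAMPLE_REQUESTS, -1))  # [True, False, False]
```

With the first value as key every request lands in its own bucket and the limit never triggers; with the last value the three requests share one key and only the first gets through.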


Re: using backend node details in acls/response manipulation

2015-03-25 Thread Baptiste
Hi Martin,

HAProxy can report an 'id' of a backend and of a server.
You can give a try to this:
  http-response set-header X-Backend-Info %[be_id]/%[srv_id] if { src 10.0.0.0/24 }

It should add the following header if the first server of the first
backend was used:
  X-Backend-Info: 1/1

IDs can be forced in HAProxy's configuration using the directive 'id'.
You may even be able to convert a backend id to a string using a map:
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#map

Baptiste

On Tue, Mar 24, 2015 at 8:36 PM, Martin Nikolov
 wrote:
> Hi guys,
> I'm wondering if it is possible to use things like selected backend node's
> ip, name or port as variables. My goal is to set a header in the http
> response with the selected backend's details to a certain set of source ip
> addresses (hence the acl, which is the easy part). I searched in the
> documentation, but was not able to find a solution.
>
> Thanks in advance.
> Regards.



Re: Haproxy Consuming CPU 100% : need a fix

2015-03-19 Thread Baptiste
On Thu, Mar 19, 2015 at 2:22 PM, Saurab t  wrote:
> Apologies, here is the information;
>
>
> METAL SERVER
> Kernel :  2.6.32-431.el6.x86_64
> OS: Centos 6.5
> Ram : 32073
> CPU :
> Architecture:  x86_64
> CPU op-mode(s):32-bit, 64-bit
> Byte Order:Little Endian
> CPU(s):24
> On-line CPU(s) list:   0-23
> Thread(s) per core:2
> Core(s) per socket:6
> Socket(s): 2
> NUMA node(s):  2
> Vendor ID: GenuineIntel
> CPU family:6
> Model: 62
> Stepping:  4
> CPU MHz:   2099.992
> BogoMIPS:  4199.40
> Virtualization:VT-x
> L1d cache: 32K
> L1i cache: 32K
> L2 cache:  256K
> L3 cache:  15360K
> NUMA node0 CPU(s): 0-5,12-17
> NUMA node1 CPU(s): 6-11,18-23
>
> ---
> NIC : Speed: 1000Mb/s   and Duplex: Full  [each public and private ] total :
> 2GiGs
>
>> Also, please remove this statement:
>>  option http-server-close
>
>> replace by the two following ones:
>>  option http-keep-alive
>>  option prefer-last-server
>
> Any specific reason for it? Kindly let us know the reason to replace.


We're still missing a screenshot of your stats page when HAProxy is
running at 100% of CPU...

Note: your CPU is quite slow! Have you disabled iptables and irqbalance,
and pinned your network interrupts and HAProxy to different CPU cores?

Also, I've heard that some people get much better performance from
CentOS 7.x, thanks to its kernel 3.10...


Concerning http-keep-alive and prefer-last-server, these options
instruct HAProxy to keep connections open on the server side for a
specific client's traffic.
In such a case, there will be far fewer small packets on the network and
no need to close and open connections between each HTTP request.
You should get much better performance, but it depends on your traffic pattern.

Baptiste



>
>
> On Thu, Mar 19, 2015 at 6:30 PM, Baptiste  wrote:
>>
>> On Thu, Mar 19, 2015 at 1:37 PM, Saurab t 
>> wrote:
>> > Hello Willy,
>> >
>> > Thank you for your kind response.
>> >
>> > Here is the information required 
>> >
>> > Haproxy version :
>> > HA-Proxy version 1.5.8 2014/10/31
>> > Copyright 2000-2014 Willy Tarreau 
>> >
>> >
>> >
>> > If this can help, as you have already responded to two other scenarios:
>> >
>> > http://www.serverphorums.com/read.php?10,1075864
>> >
>> > http://t55696.web-haproxy.webtalks.info/100-cpu-load-t55696.html
>> >
>> > How can we "exactly" trace if we have a similar issue?
>> >
>> > ELSE :
>> >
>> > Attached is the haproxy config.  Kindly guide us. Thanks a lot in
>> > advance.
>> >
>> > Even small suggestions are very much appreciated.
>> >
>> > Thanks & Regards
>> > Saurab
>> >
>> >
>> >
>> > On 3/19/2015 12:33 PM, Willy Tarreau wrote:
>> >
>> > Hello,
>> >
>> > On Thu, Mar 19, 2015 at 11:04:54AM +0530, Saurabh Tiwari wrote:
>> >
>> > Hello,
>> >
>> > We are facing an issue of haproxy consuming 100% CPU; we tried different
>> > tunings in the haproxy cfg, but the only solution remaining is making
>> > nbproc > 1, which is not a permanent solution.
>> >
>> > _Pasting the common config section:_
>> > global
>> > maxconn 28
>> > nbproc  1
>> > user    haproxy
>> > group   haproxy
>> > chroot  /var/lib/haproxy
>> > stats   socket /var/run/haproxy.sock
>> >
>> > defaults
>> > mode    http
>> > balance roundrobin
>> >
>> > maxconn 275000
>> > timeout connect 5000
>> > timeout server  5
>> > timeout client  5
>> >
>> > timeout http-keep-alive 5s
>> > timeout http-request    15s
>> >
>> > retries 3
>> > option  redispatch
>> > option  abortonclose
>> > option  tcp-smart-accept
>> > option  tcp-smart-connect
>> > #option splice-auto
>> >
>> > listen stats self.prv:x0x0x
>> > stats   enable
>> > stats   uri /
>> >
>> > Your config is truncated, you only list the stats page,

Re: Haproxy Consuming CPU 100% : need a fix

2015-03-19 Thread Baptiste
On Thu, Mar 19, 2015 at 1:37 PM, Saurab t  wrote:
> Hello Willy,
>
> Thank you for your kind response.
>
> Here is the information required 
>
> Haproxy version :
> HA-Proxy version 1.5.8 2014/10/31
> Copyright 2000-2014 Willy Tarreau 
>
>
>
> If this can help, as you have already responded to two other scenarios:
>
> http://www.serverphorums.com/read.php?10,1075864
>
> http://t55696.web-haproxy.webtalks.info/100-cpu-load-t55696.html
>
> How can we "exactly" trace if we have a similar issue?
>
> ELSE :
>
> Attached is the haproxy config.  Kindly guide us. Thanks a lot in advance.
>
> Even small suggestions are very much appreciated.
>
> Thanks & Regards
> Saurab
>
>
>
> On 3/19/2015 12:33 PM, Willy Tarreau wrote:
>
> Hello,
>
> On Thu, Mar 19, 2015 at 11:04:54AM +0530, Saurabh Tiwari wrote:
>
> Hello,
>
> We are facing an issue of haproxy consuming 100% CPU; we tried different
> tunings in the haproxy cfg, but the only solution remaining is making
> nbproc > 1, which is not a permanent solution.
>
> _Pasting the common config section:_
> global
> maxconn 28
> nbproc  1
> user    haproxy
> group   haproxy
> chroot  /var/lib/haproxy
> stats   socket /var/run/haproxy.sock
>
> defaults
> mode    http
> balance roundrobin
>
> maxconn 275000
> timeout connect 5000
> timeout server  5
> timeout client  5
>
> timeout http-keep-alive 5s
> timeout http-request    15s
>
> retries 3
> option  redispatch
> option  abortonclose
> option  tcp-smart-accept
> option  tcp-smart-connect
> #option splice-auto
>
> listen stats self.prv:x0x0x
> stats   enable
> stats   uri /
>
> Your config is truncated, you only list the stats page, I guess you're
> not running at 100% with a stats page only, so would you please post
> your complete config (remove any password or sensitive info, hide IP
> addresses if you wish).
>
> Please also give some information such as the request and/or connection
> rate, traffic type (mostly SSL, etc).
>
> Kindly suggest, any solution possible. We need fix badly , do not wish
> to migrate to nginx just for this reason.
>
> That doesn't make sense, if you switch from one product to another every
> time you're facing a configuration problem, you can switch often! If you
> need features that you only find in nginx, sure you'd rather switch, but
> if the features you need are in haproxy, in general you should get better
> performance here so switching will make the situation worse.
>
> Willy
>
>



You have not given any hints about your environment... I mean VM, hw,
details on cpu/ram/nic, etc...

Also, please remove this statement:
 option http-server-close

and replace it with the following two:
 option http-keep-alive
 option prefer-last-server

Baptiste



Re: Haproxy Consuming CPU 100% : need a fix

2015-03-19 Thread Baptiste
On Thu, Mar 19, 2015 at 8:03 AM, Willy Tarreau  wrote:
> Hello,
>
> On Thu, Mar 19, 2015 at 11:04:54AM +0530, Saurabh Tiwari wrote:
>> Hello,
>>
>> We are facing an issue of haproxy consuming 100% CPU; we tried different
>> tunings in the haproxy cfg, but the only solution remaining is making
>> nbproc > 1, which is not a permanent solution.
>>
>> _Pasting the common config section:_
>> global
>> maxconn 28
>> nbproc  1
>> user    haproxy
>> group   haproxy
>> chroot  /var/lib/haproxy
>> stats   socket /var/run/haproxy.sock
>>
>> defaults
>> mode    http
>> balance roundrobin
>>
>> maxconn 275000
>> timeout connect 5000
>> timeout server  5
>> timeout client  5
>>
>> timeout http-keep-alive 5s
>> timeout http-request    15s
>>
>> retries 3
>> option  redispatch
>> option  abortonclose
>> option  tcp-smart-accept
>> option  tcp-smart-connect
>> #option splice-auto
>>
>> listen stats self.prv:x0x0x
>> stats   enable
>> stats   uri /
>
> Your config is truncated, you only list the stats page, I guess you're
> not running at 100% with a stats page only, so would you please post
> your complete config (remove any password or sensitive info, hide IP
> addresses if you wish).
>
> Please also give some information such as the request and/or connection
> rate, traffic type (mostly SSL, etc).
>
>> Kindly suggest, any solution possible. We need fix badly , do not wish
>> to migrate to nginx just for this reason.
>
> That doesn't make sense, if you switch from one product to another every
> time you're facing a configuration problem, you can switch often! If you
> need features that you only find in nginx, sure you'd rather switch, but
> if the features you need are in haproxy, in general you should get better
> performance here so switching will make the situation worse.
>
> Willy
>
>

Hi,

We also need your HAProxy version, a screenshot of the stats page when
HAProxy is running at 100%, some log lines, more information on your
server (HW, VM, capacity, etc...).

Baptiste



Re: Haproxy 1.5 ssl redirect

2015-03-18 Thread Baptiste
Hi Sean!

You're welcome :)
I still have in my TODO list to contact you about your AVI network experience ;)

Talk to you soon.

Baptiste


On Wed, Mar 18, 2015 at 7:06 PM, Sean Patronis  wrote:
> Baptiste,
>
> Thanks for the links, I had run across them earlier this morning in my
> google searching, but your post made me pay more attention to them... I have
> it working now, and the trick that seemed to do it for me was making all the
> paths absolute (since I am forcing https anyhow, and since each
> frontend/backend combo is unique) with this line in my backend config:
>
>  # ProxyPassReverse /mirror/foo/ http://bk.dom.com/bar
>  # Note: we turn the urls into absolute in the mean time
>  acl hdr_location res.hdr(Location) -m found
>  rspirep ^Location:\ (https?://localtest.test123.com(:[0-9]+)?)?(/.*) Location:\ \3 if hdr_location
>
>
> Thanks for all the help from everyone in this thread!
>
> --Sean Patronis
> Auto Data Direct Inc.
> 850.877.8804
>
> On 03/18/2015 12:06 PM, Baptiste wrote:
>>
>> Hi Sean,
>>
>> You may find some useful information here:
>>
>> http://blog.haproxy.com/2014/04/28/howto-write-apache-proxypass-rules-in-haproxy/
>> and here:
>>
>> http://blog.haproxy.com/2013/02/26/ssl-offloading-impact-on-web-applications/
>>
>> Baptiste
>>
>>
>> On Wed, Mar 18, 2015 at 3:39 PM, Sean Patronis 
>> wrote:
>>>
>>> Thanks for the link.  That looks promising, but testing did not change
>>> anything and I am waiting on the developers to give me some indication of
>>> what headers they may expect.  Maybe we can tackle this a different way
>>> since we know it works in apache.  I am attempting to replace the
>>> following
>>> VirtualHost in apache and put it into haproxy:
>>>
>>> ## [test.test123.com]
>>> 
>>> ServerName test.test123.com
>>>  SSLEngine on
>>>  SSLProtocol all -SSLv3
>>>  SSLHonorCipherOrder On
>>>  SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM:!SSLV2:!eNULL
>>>  ProxyPassReverse / http://10.0.60.5/
>>>  ProxyPass   /  http://10.0.60.5/
>>> 
>>>
>>> what haproxy frontend settings do I need to make this match whatever
>>> apache
>>> and mod_proxy is doing?
>>>
>>> 10.0.60.5:80 is already in haproxy  I think the problem may be that
>>> there are some headers getting set by ProxyPass and ProxyPassReverse that
>>> I
>>> am not setting in haproxy.  More specifically, I think that the apache
>>> ProxyPassReverse is rewriting the problem URI to https, and haproxy is
>>> not.
>>>
>>> --Sean Patronis
>>> Auto Data Direct Inc.
>>> 850.877.8804
>>>
>>> On 03/17/2015 06:24 PM, Cyril Bonté wrote:
>>>>
>>>> Hi,
>>>>
>>>> Le 17/03/2015 20:42, Sean Patronis a écrit :
>>>>>
>>>>> Unfortunately that did not fix it.  I mirrored your config and the
>>>>> problem still exists.  I am not quite sure how the URL is getting built
>>>>> on the backend (the developers say it is all relative URL/URI), but
>>>>> whatever haproxy is doing, it is doing it differently than apache (with
>>>>> mod_proxy).  Just for fun, I swapped back the ssl termination to apache
>>>>> to prove that is does not have an issue (once it passes through apache
>>>>> for ssl, it still goes through Haproxy and all of the backends/acl
>>>>> etc).
>>>>>
>>>>> My goal in all of this was to ditch apache and go all haproxy on the
>>>>> front end.
>>>>>
>>>>> Any other ideas?
>>>>
>>>>
>>>> Have a look at this answer :
>>>> http://permalink.gmane.org/gmane.comp.web.haproxy/10361
>>>>
>>>> I assume that your application is not aware of an SSL termination, so
>>>> you
>>>> have to notify it with the right configuration, which depends on your
>>>> backend software. Can you provide some information on them?
>>>>
>>>>
>>>>> --Sean Patronis
>>>>> Auto Data Direct Inc.
>>>>> 850.877.8804
>>>>>
>>>>> On 03/17/2015 11:51 AM, Scott McKeown|redIT wrote:
>>>>>>
>>>>>> Hi Sean,
>>>>>>
>>>>>> I've got a setup that is somewhat like what

Re: Haproxy 1.5 ssl redirect

2015-03-18 Thread Baptiste
Hi Sean,

You may find some useful information here:
  
http://blog.haproxy.com/2014/04/28/howto-write-apache-proxypass-rules-in-haproxy/
and here:
  http://blog.haproxy.com/2013/02/26/ssl-offloading-impact-on-web-applications/

Baptiste


On Wed, Mar 18, 2015 at 3:39 PM, Sean Patronis  wrote:
> Thanks for the link.  That looks promising, but testing did not change
> anything and I am waiting on the developers to give me some indication of
> what headers they may expect.  Maybe we can tackle this a different way
> since we know it works in apache.  I am attempting to replace the following
> VirtualHost in apache and put it into haproxy:
>
> ## [test.test123.com]
> 
> ServerName test.test123.com
> SSLEngine on
> SSLProtocol all -SSLv3
> SSLHonorCipherOrder On
> SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM:!SSLV2:!eNULL
> ProxyPassReverse / http://10.0.60.5/
> ProxyPass   /  http://10.0.60.5/
> 
>
> what haproxy frontend settings do I need to make this match whatever apache
> and mod_proxy is doing?
>
> 10.0.60.5:80 is already in haproxy  I think the problem may be that
> there are some headers getting set by ProxyPass and ProxyPassReverse that I
> am not setting in haproxy.  More specifically, I think that the apache
> ProxyPassReverse is rewriting the problem URI to https, and haproxy is not.
>
> --Sean Patronis
> Auto Data Direct Inc.
> 850.877.8804
>
> On 03/17/2015 06:24 PM, Cyril Bonté wrote:
>>
>> Hi,
>>
>> Le 17/03/2015 20:42, Sean Patronis a écrit :
>>>
>>> Unfortunately that did not fix it.  I mirrored your config and the
>>> problem still exists.  I am not quite sure how the URL is getting built
>>> on the backend (the developers say it is all relative URL/URI), but
>>> whatever haproxy is doing, it is doing it differently than apache (with
>>> mod_proxy).  Just for fun, I swapped back the ssl termination to apache
>>> to prove that is does not have an issue (once it passes through apache
>>> for ssl, it still goes through Haproxy and all of the backends/acl etc).
>>>
>>> My goal in all of this was to ditch apache and go all haproxy on the
>>> front end.
>>>
>>> Any other ideas?
>>
>>
>> Have a look at this answer :
>> http://permalink.gmane.org/gmane.comp.web.haproxy/10361
>>
>> I assume that your application is not aware of an SSL termination, so you
>> have to notify it with the right configuration, which depends on your
>> backend software. Can you provide some information on them?
>>
>>
>>>
>>> --Sean Patronis
>>> Auto Data Direct Inc.
>>> 850.877.8804
>>>
>>> On 03/17/2015 11:51 AM, Scott McKeown|redIT wrote:
>>>>
>>>> Hi Sean,
>>>>
>>>> I've got a setup that is somewhat like what you are after. I have
>>>> however, done it in a very different way for this very same reason.
>>>>
>>>> Example below:
>>>>
>>>> global
>>>> log /dev/log local4 debug
>>>> maxconn 4096
>>>> daemon
>>>> tune.ssl.default-dh-param 2048
>>>>
>>>> ssl-default-bind-ciphers ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA:HIGH:!RC4:!MD5:!aNULL:!EDH
>>>> ssl-default-bind-options no-sslv3
>>>> ssl-default-server-ciphers ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA:HIGH:!RC4:!MD5:!aNULL:!EDH
>>>> ssl-default-server-options no-sslv3
>>>>
>>>> defaults
>>>> log global
>>>> option httplog
>>>> retries 3
>>>> timeout client  5
>>>> timeout connect 5
>>>> timeout server  5
>>>>
>>>> listen http-in
>>>> bind x.x.x.x:80
>>>> mode http
>>>> default_backend www_redit
>>>>
>>>> listen https-in
>>>> bind x.x.x.x:443 ssl crt /etc/certs/server_2015.pem
>>>> mode http
>>>>
>>>> acl samson_vpn_gateway src 10.8.0.1
>>>>
>>>> acl missing_nagios_slash path_reg -i ^/nagios3[^/]*$
>>>> acl missing_cacti_slash path_reg -i ^/cacti[^/]*$
>>>> acl missing_dradis_slash 

Re: send/accept-proxy over unix socket not working

2015-03-18 Thread Baptiste
On Wed, Mar 18, 2015 at 1:07 PM, Lukas Tribus  wrote:
>
>
> 
>> Date: Wed, 18 Mar 2015 01:49:47 +0100
>> From: denni...@conversis.de
>> To: luky...@hotmail.com; jarno.huusko...@uef.fi
>> CC: haproxy@formilux.org
>> Subject: Re: send/accept-proxy over unix socket not working
>>
>> On 13.03.2015 18:44, Lukas Tribus wrote:
>>>> What version of haproxy are you using ? (And what OS) ?
>>>>
>>>>> In the first frontend I set:
>>>>> server clear /var/lib/haproxy/test send-proxy
>>>>>
>>>>> In the second frontend I set:
>>>>> bind /var/lib/haproxy/test accept-proxy
>>>>
>>>> Are you able to connect to the /var/lib/haproxy/test socket with
>>>> netcat or socat ? And/or do you have chroot in haproxy.cfg ?
>>>
>>> Also if you drop privileges, check permission with the haproxy user.
>>>
>>> If supported by your kernel, you could use abstract namespaces
>>> instead.
>>
>> According to the documentation abstract namespaces are not recommended
>> when using nbproc > 1. The reason I'm dealing with unix sockets at all
>> is that I want to get around the problem of losing the stick table
>> content on reload I posted about in another mail. The idea is to run two
>> instances. One with nbproc > 1 for ssl offloading and that forwards the
>> requests to the second instance that is using nbproc = 1 and contains
>> the http frontend and a backend. In theory this should allow me to
>> reload the config of the backend instance without losing the stick table
>> content.
>>
>> I'm using chroot /var/lib/haproxy but the behavior is the same without
>> this directive. Either way a socket gets created as
>> /var/lib/haproxy/test as intended but for some reason I keep getting 503
>> when using a unix socket but everything works fine when using abstract
>> namespaces or an ip address.
>>
>> I've attached the configuration and the debug output in case that helps
>> to pinpoint the issue.
>
> Comment user and group and run haproxy as root. If that works, it means
> you have a permission problem.
>
>
> Lukas
>
>
>

Hi

He has a permission problem!

That's what I mentioned with the user parameter on the bind line.

Actually, HAProxy starts up as root and creates the socket as the root
user, then it drops privileges and switches to user haproxy, group haproxy
(according to your conf).
This user is not allowed to access the socket, since there is no write
permission for "others".

To fix your issue, simply update your bind line:
  bind /var/lib/haproxy/test accept-proxy user haproxy group haproxy

Same on server line:
  server clear /var/lib/haproxy/test send-proxy user haproxy group haproxy


Hope this helps.

Baptiste



Re: lua api

2015-03-17 Thread Baptiste
On Tue, Mar 17, 2015 at 8:04 PM, Joe Williams  wrote:
> List,
>
> I am trying to figure out how to use the new lua API. After reading
> https://raw.githubusercontent.com/yuxans/haproxy/master/doc/lua-api/index.rst
> it still isn't clear to me how to get the client IP of a connection. Is
> information about the socket available inside lua? If so, any suggestions on
> how to access it? I am hoping to get the IP address from each HTTP request
> and do some processing on it.
>
> Thanks!
> -Joe

Joe,

It's not really clear in the documentation, but I put an example of an
HAProxy fetch called in a lua script:
http://blog.haproxy.com/2015/03/12/haproxy-1-6-dev1-and-lua/

Basically, in your lua script, you can recover the client IP address like this:
local clientip = txn.f:src()

Baptiste



Re: building haproxy with lua support

2015-03-17 Thread Baptiste
On Tue, Mar 17, 2015 at 1:51 AM, Joe Williams  wrote:
> List,
>
> I seem to be running into issues building haproxy with lua support using
> HEAD. Any thoughts?
>
> joe@ubuntu:~/haproxy$ make DEBUG=-ggdb CFLAGS=-O0 TARGET=linux2628
> USE_LUA=yes LUA_LIB=/opt/lua53/lib/ LUA_INC=/opt/lua53/include/ LDFLAGS=-ldl
> 
> /opt/lua53/lib//liblua.a(loadlib.o): In function `lookforfunc':
> loadlib.c:(.text+0x502): undefined reference to `dlsym'
> loadlib.c:(.text+0x549): undefined reference to `dlerror'
> loadlib.c:(.text+0x576): undefined reference to `dlopen'
> loadlib.c:(.text+0x5ed): undefined reference to `dlerror'
> /opt/lua53/lib//liblua.a(loadlib.o): In function `gctm':
> loadlib.c:(.text+0x781): undefined reference to `dlclose'
> collect2: error: ld returned 1 exit status
> make: *** [haproxy] Error 1
>
> joe@ubuntu:~/haproxy$ /opt/lua53/bin/lua -v
> Lua 5.3.0  Copyright (C) 1994-2015 Lua.org, PUC-Rio
>
> Thanks!
>
> -Joe

Hi Joe,

You're missing an "LDFLAGS=-ldl".
More information on this blog page, including some quickstart code example:
http://blog.haproxy.com/2015/03/12/haproxy-1-6-dev1-and-lua/

Baptiste



Re: Support For Postfix

2015-03-16 Thread Baptiste
Let me rephrase this: your version of postfix is too old and does not
include the proxy protocol.
Please use postfix 2.10 or above.

Baptiste

On Mon, Mar 16, 2015 at 4:26 PM, adcd gmail  wrote:
> I read this but I don't understand how it is related to postfix not knowing
> this config parameter.
> Maybe the compiled version doesn't include this?
>
>
>
> On Mon, 16 Mar 2015 14:52:37 +0200, Baptiste  wrote:
>
>>> Hi, thanks for the reply
>>> 2.9.6
>>>
>>>
>>
>> Proxy protocol is available in Postfix since version 2.10:
>>http://blog.haproxy.com/haproxy/proxy-protocol/
>>
>> Baptiste
>
>
>
> --
> Using Opera's mail client: http://www.opera.com/mail/



Re: Support For Postfix

2015-03-16 Thread Baptiste
> Hi, thanks for the reply
> 2.9.6
>
>

Proxy protocol is available in Postfix since version 2.10:
   http://blog.haproxy.com/haproxy/proxy-protocol/

Baptiste



Re:

2015-03-16 Thread Baptiste
On Mon, Mar 16, 2015 at 10:44 AM, Fraj KALLEL  wrote:
> Hello,
>
> I use haproxy v1.4 as load balancer in front of 2 web servers (webA and
> webB).
> webA has more resource (RAM, CPU, HDD) than webB, and I used roundrobin as
> algorithm of balance.
>
> This is the config file of the haproxy.
>
> global
> log 127.0.0.1   local0
> log 127.0.0.1   local1 notice
> #log loghost local0 info
> maxconn 4096
> #debug
> #quiet
> user haproxy
> group haproxy
>
> defaults
> log global
> mode http
> option  httplog
> option  dontlognull
> retries 3
> option  redispatch
> maxconn 2000
> timeout connect  5000ms
> timeout queue 5000ms
> timeout client   25m
> timeout server   25m
>
> listen webfarm 192.168.1.28:80
>mode http
>stats enable
>stats auth stelb:abcder
>balance roundrobin
>appsession PHPSESSID len 64 timeout 3h request-learn prefix
>option httpclose
>option forwardfor
>option httpchk HEAD /check.txt HTTP/1.0
>
>acl white_list src 127.0.0.1 192.168.1.0/24
>http-request allow if white_list
>http-request deny
>
>acl restricted_page path_beg /images
>
>server webA 192.168.1.23:80 cookie A check
>server webB 192.168.1.24:80 cookie B check
>
>
> After a period of utilization I find that webA receives more traffic than webB,
> while by definition the roundrobin algorithm assigns to each process equal
> portions in circular order, handling all processes without priority
> (also known as cyclic executive).
>
> Is this a normal behaviour?
>
> Thanks.
>
> Sincerely yours,
> Fraj KALLEL


Hi Fraj,

This is normal and this is due to persistence.
More information on this blog post:
http://blog.haproxy.com/2012/03/29/load-balancing-affinity-persistence-sticky-sessions-what-you-need-to-know/

There is no rule, either A or B could get more requests.

Baptiste



RE: send/accept-proxy over unix socket not working

2015-03-16 Thread Baptiste
Le 13 mars 2015 18:45, "Lukas Tribus"  a écrit :
>
> > What version of haproxy are you using ? (And what OS) ?
> >
> >> In the first frontend I set:
> >> server clear /var/lib/haproxy/test send-proxy
> >>
> >> In the second frontend I set:
> >> bind /var/lib/haproxy/test accept-proxy
> >
> > Are you able to connect to the /var/lib/haproxy/test socket with
> > netcat or socat ? And/or do you have chroot in haproxy.cfg ?
>
> Also if you drop privileges, check permission with the haproxy user.
>
> If supported by your kernel, you could use abstract namespaces
> instead.
>
>
> Lukas
>
>


Hi,

In most cases this is due to either chroot or rights on the socket.
Check the user and mode parameters of both your bind and server
description.

Also ensure the unix socket is available in a chroot environment, if any.

Baptiste


Re: frequent NOSRV/SC log hits behind AWS ELB

2015-03-10 Thread Baptiste
On Tue, Mar 10, 2015 at 11:48 AM, Roland RoLaNd  wrote:
> Hello,
>
> I am running haproxy version 1.5.11 on EC2 instances behind an AWS load
> balancer
>
> Lately I am noticing a lot of 503 forbidden logs with "SC" as termination
> state due to "nosrv" error
>
> My backend servers (which are behind an ELB of their own) are all healthy and
> responsive
>
> Moreover I set a loop that checks port 80 between haproxy and backend
> servers; and it never failed; it was checking the connection every 10 ms
>
> this is a log sample:
>
> Mar 10 10:33:50 api haproxy[1056]: 172.16.100.169:15235 [10/Mar/2015:10:33:50.905] API API/ 8/-1/-1/-1/8 503 213 - - SC-- 79/79/0/0/0 0/0 {177.103.215.19|Dalvik/1.6.0 (Linux; U; Android 4.4.4; XT1032 Build/KXB21.14-L1.} "POST /api/v2.3/androidevent?buildnumber=1.10 HTTP/1.1"
>
>
> and this is my current config:
>
> global
> log /dev/log local0
> log /dev/log local1 notice
> chroot /var/lib/haproxy
> stats socket /run/haproxy/admin.sock mode 660 level admin
> stats timeout 30s
> user haproxy
> group haproxy
> maxconn 65000
> daemon
>
> # Default SSL material locations
> ca-base /etc/ssl/certs
> crt-base /etc/ssl/private
>
> # Default ciphers to use on SSL-enabled listening sockets.
> # For more information, see ciphers(1SSL).
> ssl-default-bind-ciphers
> kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
> ssl-default-bind-options no-sslv3
>
> defaults
> log global
> mode http
> option  httplog
> option  dontlognull
> timeout connect 1
> timeout client  5
> timeout server  5
> # users which we are redirecting nowhere, e.g. rejected ones will die in 50 ms
> timeout tarpit  50
> errorfile 400 /etc/haproxy/errors/400.http
> errorfile 403 /etc/haproxy/errors/403.http
> errorfile 408 /etc/haproxy/errors/408.http
> errorfile 500 /etc/haproxy/errors/500.http
> errorfile 502 /etc/haproxy/errors/502.http
> errorfile 503 /etc/haproxy/errors/503.http
> errorfile 504 /etc/haproxy/errors/504.http
> balance roundrobin
> # keeps keep-alive between client and proxy but disables it between proxy and backend
> option http-server-close
> option forwardfor
>  option redispatch
>retries 99
>
> frontend API
> bind *:80
>
>
> maxconn 6
> # Blacklist: Deny access to some IPs before anything else is checked
> tcp-request content reject if { src -f /etc/haproxy/blacklist.lst }
> http-request set-header X-custom-http-scheme %[hdr(X-Forwarded-Proto)]
>
>
> stick-table type ip size 500k expire 30s store conn_cur,conn_rate(10s),http_req_rate(10s),http_err_rate(10s)
>
>
> option http-server-close
> # elb logs public ips
> capture request header X-Forwarded-For len 50
> capture request header User-Agent len 64
> acl network_allowed src x.x.x.x
> acl restricted_page path_beg /restricted
> http-request deny if restricted_page !network_allowed
> # direct uris to proper elb
> acl uri_api path_beg /api
> acl uri_wdev path_beg /wdev
> acl uri_staging path_beg /staging
>
> use_backend api if uri_api
> use_backend wdev if uri_wdev
> use_backend staging if uri_staging
>
>
>
> default_backend API
>
> backend API
> server API  ELB_CNAME:80 check
> backend wdev
>     server wdev  ELB_CNAME:80 check
> backend staging
> server staging  ELB_CNAME:80 check
>
>
>
>
>

Hi Roland,

This is by ELB design... It can change its IP address based on the load...
When this happens, the only workaround is to reload HAProxy.

Soon, HAProxy will perform DNS resolution to keep itself updated on the fly
about server IP address changes.

Baptiste
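The workaround named above (reload HAProxy when the ELB's addresses change) can be automated by polling DNS; this is an added Python watcher, not HAProxy code and not from the thread. The systemd unit name in reload_haproxy() and the polling interval are assumptions, and simulate() feeds scripted answers so the decision logic runs without network.

```python
import socket
import subprocess
import time


def resolve_ipv4(hostname):
    """Return the sorted, de-duplicated IPv4 addresses hostname resolves to right now."""
    infos = socket.getaddrinfo(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def addresses_changed(previous, current):
    """True when the address set differs from the one HAProxy last started with.

    previous is None before the first successful lookup; that is never a change.
    Comparison is as sets, so a reordered DNS answer does not trigger a reload.
    """
    if previous is None:
        return False
    return set(previous) != set(current)


def reload_haproxy():
    """Graceful reload; the systemd unit name is an assumption of this example."""
    subprocess.run(["systemctl", "reload", "haproxy"], check=True)


def watch(hostname, resolver=resolve_ipv4, reloader=reload_haproxy,
          interval=30.0, max_polls=None, sleep=time.sleep):
    """Poll DNS for hostname and reload HAProxy whenever its address set changes.

    Returns the number of reloads performed.  max_polls=None runs forever.
    """
    previous = None
    reloads = 0
    polls = 0
    while max_polls is None or polls < max_polls:
        polls += 1
        try:
            current = resolver(hostname)
        except socket.gaierror:
            # A transient lookup failure is not an address change: keep the
            # last known set and try again on the next poll.
            sleep(interval)
            continue
        if addresses_changed(previous, current):
            reloader()
            reloads += 1
        previous = current
        sleep(interval)
    return reloads


def simulate(answer_sets):
    """Run watch() over scripted DNS answers (None = lookup failure), no network.

    Returns the reload count so the decision logic can be checked offline.
    """
    answers = iter(answer_sets)

    def scripted_resolver(_hostname):
        answer = next(answers)
        if answer is None:
            raise socket.gaierror("constructed lookup failure")
        return answer

    return watch("ELB_CNAME", resolver=scripted_resolver, reloader=lambda: None,
                 max_polls=len(answer_sets), sleep=lambda _seconds: None)


if __name__ == "__main__":
    # Constructed answers: stable, then a new address appears, then one failed
    # lookup, then stable again -> exactly one reload.
    print(simulate([["198.51.100.10"], ["198.51.100.10"],
                    ["198.51.100.10", "198.51.100.20"], None,
                    ["198.51.100.10", "198.51.100.20"]]))   # 1
```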



Re: Peers with long hostnames

2015-03-04 Thread Baptiste
Le 5 mars 2015 07:47, "Willy Tarreau"  a écrit :
>
> Hi Cyril,
>
> On Wed, Mar 04, 2015 at 11:20:38PM +0100, Cyril Bonté wrote:
> > Le 04/03/2015 23:18, Cyril Bonté a écrit :
> > >Le 04/03/2015 23:10, James Candalino a écrit :
> > >>Cool, solution 1 worked. It seems as though the peer name is limited to
> > >>only 32 characters yet hostnames as reported by the system can be much
> > >>longer.
> > >
> > >Right, and it has been extended to 64 characters in the 1.6-dev branch.
>
> So maybe it's time that we backport this patch into 1.5. We haven't
> received any negative feedback for 1.6 yet after almost 2 months. What
> do people think ?
>
> Willy
>
>

Hello,

I do agree!!

Baptiste


Re: Lua patchset merged

2015-03-02 Thread Baptiste
I love it !

Just wrote, as a proof of concept, a forward proxy...
That said, it seems my lua script is "blocking"... I mean, if the
remote server is slow to deliver the response, then HAProxy doesn't
process any other request or response.

Baptiste



[FIX] [LUA] missing ifdef related to Openssl

2015-03-02 Thread Baptiste
A couple of missing ifdefs for OpenSSL prevent building LUA without SSL enabled.

This patch fixes it.

Baptiste


0002-FIX-missing-ifdef-related-to-SSL-when-enabling-LUA.patch
Description: Binary data


[FIX] [LUA] segfault in txn.get_headers

2015-03-02 Thread Baptiste
When we try to execute the txn.get_headers function in a TCP mode
frontend or backend, then HAProxy segfaults.

Baptiste


0001-fix-a-segfault-in-txn.get_headers.patch
Description: Binary data


Re: Lua patchset merged

2015-03-01 Thread Baptiste
How do you pass arguments to a lua function?
Imagine I want to call the following lua function: "function download(host, file)"

Baptiste



Re: Lua patchset merged

2015-03-01 Thread Baptiste
A few ifdefs are missing when SSL is not compiled into HAProxy:

diff --git a/src/hlua.c b/src/hlua.c
index a0e4d91..3d69c5d 100644
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -1542,6 +1542,7 @@ __LJMP static int hlua_socket_connect(struct lua_State *L)
return 0;
 }

+#ifdef USE_OPENSSL
 __LJMP static int hlua_socket_connect_ssl(struct lua_State *L)
 {
struct hlua_socket *socket;
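Review bot: guarding the whole static function is the right scope, since its body (visible in the next hunk) dereferences `socket_ssl`, which this patch treats as SSL-only; but check for any other reference to `hlua_socket_connect_ssl` (a prototype in a header, a method table outside this file) and guard it identically, otherwise a non-SSL build only moves the failure from the compiler to the linker.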
@@ -1551,6 +1552,7 @@ __LJMP static int hlua_socket_connect_ssl(struct
lua_State *L)
socket->s->target = &socket_ssl.obj_type;
return MAY_LJMP(hlua_socket_connect(L));
 }
+#endif

 __LJMP static int hlua_socket_setoption(struct lua_State *L)
 {
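Review bot: the hunk header here has been wrapped across two lines by the mailer (`@@ -1551,6 +1552,7 @@ __LJMP static int hlua_socket_connect_ssl(struct` followed by `lua_State *L)`), so this inline copy will not apply as pasted; resend it as an attachment or with line wrapping disabled. Since the `#endif` closes a guard opened in the previous hunk, a trailing `#endif /* USE_OPENSSL */` would also make the pair readable without scrolling.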
@@ -3563,7 +3565,9 @@ void hlua_init(void)
lua_pushstring(gL.T, "__index");
lua_newtable(gL.T);

+#ifdef USE_OPENSSL
hlua_class_function(gL.T, "connect_ssl", hlua_socket_connect_ssl);
+#endif
hlua_class_function(gL.T, "connect", hlua_socket_connect);
hlua_class_function(gL.T, "send",hlua_socket_send);
hlua_class_function(gL.T, "receive", hlua_socket_receive);
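Review bot: with the registration of `connect_ssl` skipped on non-SSL builds, a Lua script that calls it gets only a generic "attempt to call a nil value" error at runtime, which gives the script author no hint that the binary was built without SSL; either document that the method exists only when HAProxy is built with `USE_OPENSSL`, or register a stub under `#else` that raises an explicit "built without SSL support" error.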


Baptiste


On Sun, Mar 1, 2015 at 6:22 PM, Cyril Bonté  wrote:
> Hi Thierry,
>
> Huge work! I've not played with it yet, but I've already compiled it
> successfully ;-)
>
> Some early feedback:
> - It appears that the code requires at least LUA 5.2.
>
> - Maybe we'll have to work on the Makefile to ease the compilation. For
> example, on debian, I have to add -llua5.2 instead of -llua
>
> - There's a small typo in an error message (hlua.c:423): "Malformad
> argument mask" instead of "Malformed argument mask" for the
> hlua_lua2arg_check() function.
> I'll send a patch later for that.
>
> - Talking about hlua_lua2arg_check(), there are 2 other points:
> 1. The function comment has some typos. While trying to fix them, I'm
> realizing I don't understand the comment and I'm not sure to rewrite it
> correctly. Can you have a look at it ?
> 2. I think we can have a buffer overflow with the following test:
>   if (idx >= ARGM_NBARGS && argp[idx].type != ARGT_STOP)
>
> The calling function (hlua_run_sample_fetch) already allows a same buffer
> overflow:
>   struct arg args[ARGM_NBARGS];
> and
>   args[i].type = ARGT_STOP;
> where `i' can be equal to ARGM_NBARGS.
>
> - As it is done for other libraries, maybe we can add the compiled version
> of LUA when "haproxy -vv" is called.
> I'll also send a patch for that.
>
> - Still about the version: maybe we can add a #error when LUA_VERSION_NUM
> is not defined or less than 502:
> # LUA 5.0.x : not defined
> # LUA 5.1.x : equal to 501
> # LUA 5.2.x : equal to 502
> # LUA 5.3.x : equal to 503
>
> I think I'll try some LUA scripts before the end of the week-end (which is
> approaching too quickly) ;-)
>
> --
> Cyril Bonté
>

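Cyril's second point above (the terminator written at `args[i]` with `i` equal to `ARGM_NBARGS`, and the `argp[idx]` read tested after the bound rather than before it) modelled in C as an added example, not HAProxy's code; the slot count, type tags and every function name are assumptions:

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the fixed-size argument array from the thread; not
 * HAProxy's code. Slot count, type tags and names are assumptions. */
#define ARGM_NBARGS 4
enum { ARGT_STOP = 0, ARGT_SINT = 1, ARGT_STR = 2 };
struct arg { int type; long data; };
/* Buggy shape: n entries go into struct arg args[ARGM_NBARGS], then ARGT_STOP is
 * written at args[n]; n == ARGM_NBARGS lands one past the end (reported, not done). */
static int unsafe_fill_overflows(int n) { return n >= ARGM_NBARGS; }
/* Hardened fill: one slot is reserved for the terminator before anything is
 * written. Returns the count stored, or -1 when n + ARGT_STOP do not fit. */
static int fill_args_safe(const struct arg *in, int n, struct arg *out, size_t cap) {
    if (n < 0 || (size_t)n + 1 > cap)
        return -1;
    for (int i = 0; i < n; i++)
        out[i] = in[i];
    out[n].type = ARGT_STOP;
    out[n].data = 0;
    return n;
}
/* Consumer-side walk: the bound is tested before argp[idx] is read.
 * Returns the argument count, or -1 if no ARGT_STOP lies within cap slots. */
static int args_len(const struct arg *argp, size_t cap) {
    size_t idx = 0;
    while (idx < cap && argp[idx].type != ARGT_STOP)
        idx++;
    return idx < cap ? (int)idx : -1;
}
/* End-to-end check on constructed input: build n sample arguments, store them in
 * an array of capacity cap and walk them back. Returns n on success, -1 when the
 * fill was refused, -2 for a request the model cannot hold. */
static int demo(int n, size_t cap) {
    struct arg in[ARGM_NBARGS], out[ARGM_NBARGS + 1];
    if (n < 0 || n > ARGM_NBARGS || cap > ARGM_NBARGS + 1)
        return -2;
    for (int i = 0; i < n; i++) {
        in[i].type = (i & 1) ? ARGT_STR : ARGT_SINT;
        in[i].data = i;
    }
    return fill_args_safe(in, n, out, cap) < 0 ? -1 : args_len(out, cap);
}
int main(void) {
    printf("unsafe fill with %d args overflows: %d\n", ARGM_NBARGS, unsafe_fill_overflows(ARGM_NBARGS));
    printf("safe fill: cap %d -> %d, cap %d -> %d\n", ARGM_NBARGS, demo(ARGM_NBARGS, ARGM_NBARGS),
           ARGM_NBARGS + 1, demo(ARGM_NBARGS, ARGM_NBARGS + 1));
    return 0;
}
```

The refusal in `fill_args_safe` is the behaviour the original loop lacks: with exactly `ARGM_NBARGS` arguments and an array of that size, the terminator has nowhere to go and the call must fail instead of writing past the end.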

