d" server works correctly with haproxy1.5. Can
>>> you confirm whether it's a bug in 1.6-dev4?
>>
>> This is due to the introduction of the SRV_ADMF_CMAINT flag, which is
>> set permanently. The "enable/disable" socket command will only modify
>> the SRV_ADMF_
d, so if you don't get a response, simply consider it lost.
>> I didn't send a patch so to speak, Remi did send a 'diff --git' but
>> without the comment to put into the haproxy repository, after which
>> Baptiste then wrote he would submit it after confirmation that i
m
bind :8443 ssl crt server.pem accept-proxy-v2
You can play with weight on the current site to send a few requests to
the newhaproxy box and increase this weight once you're confident.
Baptiste
arded to a server, then all
subsequent messages are going to be forwarded to this server, regardless of
the next topics set over the same connection.
To be routed again, a client must send next PUBLISH message over a new TCP
connection.
Baptiste
On Thu, Sep 10, 2015 at 7:58 PM, Baptiste <
This would be doable only if the information can be retrieved from the
payload of the first request sent by the client.
Could you provide more information about how MQTT protocol works? Is
there any server banner?
A simple TCP dump containing an example of the message you want to
route would be appreciated and allow us to deliver you an accurate
answer.
Baptiste
On Tue, Sep 8, 2015 at 7:58 AM, Baptiste <bed...@gmail.com> wrote:
>>> Hi,
>>>
>>> I wonder why the code sends the TCP port in the DNS query...
>>> I'm currently installing an opnsense and I'll try to reproduce the
>>> problem.
>>>
>
Hi Piba,
Finally, Willy fixed it in a different (and smarter) way:
http://git.haproxy.org/?p=haproxy.git;a=commit;h=07101d5a162a125232d992648a8598bfdeee3f3f
Baptiste
connect() looks wrong for ipv4:
>
> ERRORS
> The connect() system call fails if:
>
> [EINVAL] The namelen argument is not a valid length for the
> address family.
>
>
Ok, excellent.
I wonder how this could happen :)
Let me check tonight and come back to you.
Baptiste
e the lead over it.
Baptiste
On Mon, Sep 7, 2015 at 12:32 PM, Remi Gacogne <rgaco...@coredump.fr> wrote:
> Hi,
>
> On 09/07/2015 10:47 AM, Baptiste wrote:
>>> It fails that way:
>>>
>>> socket(PF_INET,SOCK_DGRAM,17)= (0x4)
>>> connect(4,{ AF_INET 8.
es can benefit from such an alliance.
Baptiste
>> Hi,
>>
>> I wonder why the code sends the TCP port in the DNS query...
>> I'm currently installing an opnsense and I'll try to reproduce the
>> problem.
>>
>> I've not used FreeBSD since 5.4 version :)
>>
>> Baptiste
>
> Hi Baptiste,
On Mon, Sep 7, 2015 at 10:12 PM, PiBa-NL <piba.nl@gmail.com> wrote:
> Hi Remi and Baptiste / haproxy users,
>
> Thanks for the quick fix for socket issues.
>
> Haproxy now starts successfully and sends some DNS requests successfully.
> However the google backend serv
resolve-prefer', if fail again, it fails over to the remaining family.
The patches also trigger a failover if the server answers a truncated
response.
I'll send you the patch by tomorrow.
I'll patch later to make haproxy send an OPT record to announce the number
of bytes it supports as UDP payload.
Baptiste
is asynchronous and performs multiple
resolutions in parallel). To speed up start up, the new server-state
feature will apply last resolved IP to server which rely on DNS to
resolve their IP addresses.
All of this should be available in 1.6.
In the mean time, I would recommend using a local DNS cache, such as dnsmasq.
Baptiste
Hi Conrad,
Please use the two patches in attachment.
Baptiste
From c19188e50313616833f0a6b3d5b1373c8f5bac78 Mon Sep 17 00:00:00 2001
From: Baptiste Assmann <bed...@gmail.com>
Date: Thu, 3 Sep 2015 10:59:39 +0200
Subject: [PATCH 02/10] MINOR: BUGFIX: DNS resolution doesn't start
On Thu, Sep 3, 2015 at 1:11 AM, Baptiste <bed...@gmail.com> wrote:
> On Thu, Sep 3, 2015 at 12:56 AM, Conrad Hoffmann <con...@soundcloud.com>
> wrote:
>> Hello,
>>
>> it's kind of late and I am not 100% sure I'm getting this right, so would
>&
g |
> HRB 110657B
Hi Conrad,
I remarked this as well.
Please apply the patch in attachment and confirm it fixes this issue.
I introduced this bug when trying to fix another one: DNS resolution
was supposed to start with first health check.
Unfortunately, it started after hold.valid perio
an example of a 'weird' character which passed through?
Baptiste
/3
KO - 2/3
KO - 2/3
OK - 3/3 - Server UP
Is there a way to configure the counter to reset itself in case of
flapping ?
Thanks.
Hi there,
Thanks for reporting this behavior.
I'll have a look and come back to you.
Baptiste
servers. You can simply use any of the VIP
handling the web traffic.
Baptiste
On Thu, Aug 27, 2015 at 4:25 AM, Igor Cicimov
ig...@encompasscorporation.com wrote:
Obviously you need to have a separate VIP for the 10.10.130.30 and
10.10.130.31 and use that as a DGW on the backend servers
on the HAProxy box only.
On your web server, you must change the default gateway to your HAProxy box.
If you did all of this and this is still not working, then it deserves
a deeper analysis of your whole platform with hands on the servers.
Baptiste
On Mon, Aug 17, 2015 at 10:35 AM, Lukas Erlacher erlac...@in.tum.de wrote:
Hi Lukas,
Actually, you're setting response headers with data available only at
the request time. This is not possible in HAProxy 1.5.
This will be possible in HAProxy 1.6 using the capture statement.
Baptiste
Hi
I would say yes, but better let Willy answer this question.
Note: this is very dangerous to do this!
Baptiste
On Wed, Aug 19, 2015 at 9:18 AM, mihaly.vukov...@t-systems.com wrote:
hi,
thanks the answer, I will try that.
One question is still open, setting a timeout to 0 mean infinite
could also set 2 defaults sections. One with timeouts, one without.
Baptiste
-random-delay-specific-http-requests-haproxy-lua/
Baptiste
Search for use-backend here:
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html
Baptiste
On Mon, Aug 17, 2015 at 6:49 PM, Roman Gelfand rgelfa...@gmail.com wrote:
I do decipher traffic at haproxy. Could you point me to a sample.
On Mon, Aug 17, 2015 at 12:44 PM Baptiste bed
so it could be used in a rule pointing to the backend?
Thanks in advance
If you decipher the traffic at HAProxy layer, yes.
Baptiste
This will be possible in HAProxy 1.6 using the capture statement.
Baptiste
,
This is because your ELB has changed its IP address (this is by design).
You have to run HAProxy 1.6, which includes a DNS resolution of server IPs.
That way, you won't have to reload HAProxy each time ELB changes its IP
address. HAProxy will resolve it automatically for you.
Baptiste
the following article:
http://blog.haproxy.com/2014/02/13/asymmetric-routing-multiple-default-gateways-on-linux-with-haproxy/
Baptiste
if { sc0_conn_cur ge 40 }
Baptiste
On Mon, Aug 17, 2015 at 4:53 AM, Amol mandm_z...@yahoo.com wrote:
Hi Baptiste,
I tried to read about SC0 and SRC, but I am not quite sure what I would gain
by changing SRC to SCO for the acl parameters? Did you have some example to
explain?
Thanks
, there should not be any noticeable performance impact, since
IP lookup is very quick in HAProxy (a few hundred of nano second in a
tree of 1.000.000 IPs).
Concerning comments, any string after a hash '#' is considered as a
comment and not loaded in the ACL.
Baptiste
On Sat, Aug 15, 2015 at 8:28 AM
change and
confirm it works after this.
Baptiste
On Thu, Aug 13, 2015 at 10:28 PM, Rich Vigorito ri...@ocp.org wrote:
A couple clarifications. What do you mean by temporary? ... this wouldn't be
needed indefinitely? What I've articulated is only one site served through the
2 web servers. Our
and taking too many connections allowed by the maxconn.
Baptiste
-transparent-proxy-mode/
Baptiste
On Thu, Aug 13, 2015 at 2:29 AM, Rich Vigorito ri...@ocp.org wrote:
No inside the firewall one default gateway. 10.10.130.1
The web servers and haproxy servers have one interface I believe
Sent from my Verizon Wireless 4G LTE DROID
Baptiste bed...@gmail.com
mode tcp
bind :443
server 10.0.0.1:443
Baptiste
On Thu, Aug 13, 2015 at 4:53 AM, Sandeep Jindal sandeep...@gmail.com wrote:
Hi Baptiste,
Not sure if that answers my question. What you suggested is to enable SSL
for HAProxy.
My use case if one step further. Once HAProxy receives the SSL
Do you mean your web servers have 2 interfaces, each one with its own
default gateway?
Baptiste
On 12 August 2015 23:10, Rich Vigorito ri...@ocp.org wrote:
Good to hear. Into the firewall 192.168.0.1 and out of the firewall
10.10.130.1
Thanks!
*Sent from my Verizon Wireless 4G LTE DROID
are
supposed to do, what type of application are they applied to and how
this application is supposed to work.
Without a bit of context, it is impossible to help!
Baptiste
Hi Rich,
Thanks a lot for this info, this is clearer now.
In my first mail, I asked you to provide us the default gateway of the
web servers.
Could you please let us know this information?
Baptiste
On Wed, Aug 12, 2015 at 5:54 PM, Rich Vigorito ri...@ocp.org wrote:
Also for clarification
:/
Baptiste
the simplest one showing a
client, haproxy and a server, with their respective interfaces, IPs
and default gateway.
Last, a TCPdump on HAProxy box showing the traffic on the interface
between haproxy and the server for the IP address of the client.
Baptiste
in the
defaults section.
And why not add an 'option prefer-last-server', which may help
keeping the connection alive despite the load-balancing algorithm.
Baptiste
On Tue, Aug 4, 2015 at 11:27 PM, BBuhl b_b...@yahoo.de wrote:
Baptiste bed...@gmail.com wrote at 22:21 on Tuesday, 4 August 2015:
Hi Benji,
Thanks a lot for your feedback!
First, about the resolve-prefer, I coded it (and documented as well)
first for IPv4 as a default. That said, Willy
admins to mix servers with an IP
address and servers with a hostname in the same farm.
It also allows the admin to choose on which servers you want to enable
DNS resolution.
If you think this makes sense to have it in the default-server, then
we have to find a way to negate it per server.
Baptiste
can give a try to the http-request capture statement, to
capture at the request time, then inject it back at the time of the
response.
Baptiste
Please be more accurate in your answer, otherwise we can't help you!
Baptiste
On Fri, Jul 31, 2015 at 3:44 PM, Francys Nivea
francys.so...@neurotech.com.br wrote:
Hello Baptiste,
A simple one. Just wanted to send the user and pass together with each
server balanced.
Peace,
*Francys
the
client is dumb, simply use balance source.
Baptiste
On Fri, Jul 31, 2015 at 3:53 PM, Francys Nivea
francys.so...@neurotech.com.br wrote:
Sorry
I don't have control over the balanced servers. The only information I have
are IP, Port, and credentials (User and Pass of each server).
I have
type of authentication do you use?
Baptiste
In 1.6, %[query] should do the trick.
Baptiste
On Fri, Jul 31, 2015 at 1:17 AM, Phillip Decker
pdecker999+hapr...@gmail.com wrote:
And it only kinda works because when there is no question mark then the
field will have the uri instead of being empty...
On Thu, Jul 30, 2015 at 7:12 PM
and how?
Regards
Sandeep Jindal
201 604 5277
Hi Sandeep,
Simply create your certificate with openssl, and enable 'ssl'
and 'crt /path/to/your/cert' on your bind line in your HAProxy
frontend.
Baptiste
or hexadecimal format (prefixed by 0x)
It does not expect a log format variable as you're trying to do.
Baptiste
On Sun, Jul 26, 2015 at 1:00 PM, Vinay Y S vinay...@gmail.com wrote:
Actually I suppose the syntax could be same as sample fetches. For example:
http-response set-tos %[res.hdr_val(X-Tos
Hi Baptiste,
can you apply the patch to current git master?
Thanks!
Bjoern
Hi,
Only Willy can do this :)
I'm nothing else than a humble contributor.
Baptiste
Hi Baptiste,
thank you for answering.
At the moment i'm testing 1.6 to bring it in production soon.
Do you have an example config snippet for your suggestion?
Hi,
Unfortunately, not.
Baptiste
troubleshooting steps have you already performed?
Have you dug into systemd?
NOTE: Please don't use a translator with your HAProxy configuration.
That's why now, haproxy is in fashion tcp instead of mode tcp.
Baptiste
the data into a blacklist purpose
stick table with an expire argument, then use the in_table converter
to know if a request is blacklisted or not.
When you use sc0_* function, you refresh the data in the table.
Baptiste
Simply use the same statement to choose the severity level based on ACLs.
It works on both http-request and http-response.
Baptiste
On Sun, Jul 19, 2015 at 10:53 AM, Haim Ari haim@startapp.com wrote:
Thank you it works.
What would be the best way to separate each log type to different
Hi,
SSL offloading in front of IMAPs (port 993) is supported.
If you try to do STARTTLS over IMAP, it is not supported.
Baptiste
On Wed, Jul 15, 2015 at 10:38 AM, Cohen Galit galit.co...@comverse.com wrote:
Hello HAProxy team,
I see that the SSL offloading for http protocol is already
Hi Marc-Antoine,
no idea, sorry.
Maybe some of our SSL experts may help :)
Baptiste
On Wed, Jul 15, 2015 at 11:06 AM, Marc-Antoine
marc-antoine.b...@ovh.net wrote:
Hi,
nobody knows plz ?
On Thu, 9 Jul 2015 13:06:59 +0200,
Marc-Antoine marc-antoine.b...@ovh.net wrote :
Hi all,
I have
the simplest solution
able to solve my issues.
I mean your choice to take in sync haproxy.cfg file between 2 or more haproxy
LB (rsync, custom script, etc.)
rsync or scp...
I mean, it's not only a cfg file, but also your SSL certificates, your
ACLs, MAPs, etc...
Baptiste
=%[capture.req.hdr(0)] # put your if statements as you want /
need
You can create as many http-response rules as you need to update first
the domain, then the path.
Baptiste
Anyone can help me?
Tnx,
rr
2015-07-14 21:34 GMT+02:00 Baptiste bed...@gmail.com:
Please repost your question. I
On Wed, Jul 15, 2015 at 8:28 AM, Marco Corte ma...@marcocorte.it wrote:
On 14/07/2015 22:11, Baptiste wrote:
- when parsing the configuration, HAProxy uses libc functions and
resolvers provided by the operating system = if the server can't be
resolved at this step, then HAProxy can't
, it needs the most accurate
information and as fast as possible.
You don't want to tune your local bind or powerdns just for HAProxy
and prevent any other service to operate as usual.
Baptiste
flexible enough for this
purpose without being intrusive in the underlying operating system.
Baptiste
-Robin-
Nenad Merdanovic wrote on 7/15/2015 08:56:
Hello Robin,
On 07/15/2015 08:49 AM, Robin Geuze wrote:
Tbh I don't really see the point of configuring the resolvers in haproxy
when
/unixsurfer/haproxytool
Cheers,
Pavlos
+1 to Pavlos' tool for this type of task
Baptiste
a redirect to a page which cleans up the cookie then
redirect the user to the login page.
Baptiste
On Fri, Jul 17, 2015 at 5:49 PM, mlist ml...@apsystems.it wrote:
We found this behavior does not appear if we manually clean cookie in the
browser. There is a configuration option to invalidate
Hi Nathan,
The 'usesrc' keyword triggers this error. It needs root privileges.
(just checked in the source code)
Baptiste
On Thu, Jul 16, 2015 at 5:13 PM, Nathan Williams nath.e.w...@gmail.com wrote:
oh, i think this comment thread explains it:
http://comments.gmane.org
Hi,
The documentation is missing the usesrc requirements about root privileges.
This patch adds this information in the doc.
Baptiste
From 8537d9b6c136a270c79670ebccf972a11fa86af7 Mon Sep 17 00:00:00 2001
From: Baptiste Assmann bed...@gmail.com
Date: Fri, 17 Jul 2015 21:59:42 +0200
Subject
is that you don't need to reload HAProxy to change your X value ;)
I would welcome a contribution about SRV record type.
That said, before this, I have to rewrite part of the response parser
to store the response in a real DNS packet structure instead of
keeping data in a buffer.
Baptiste
on port 10025 and confirm HAProxy
tries to get connected to the SMTP server?
Baptiste
and slave HAProxy servers.
Baptiste
Aim,
Simply use the statement http-request set-log-level, like:
http-request set-log-level silent unless { path_beg -i /testing }
Baptiste
Please repost your question. I can't see it in my mail history.
Baptiste
On Tue, Jul 14, 2015 at 3:33 PM, rickytato rickytato
rickyt...@r2consulting.it wrote:
Anyone can help me? I keep using Nginx?
2015-07-07 10:46 GMT+02:00 rickytato rickytato rickyt...@r2consulting.it:
1.5.12
2015-07
? FWIW, we're using haproxy 1.5.4 and
kernel 4.0.4 on CentOS 7.
Some features require root privileges, that said, from a documentation
point of view, It doesn't seem the 'source' keyword like I asked you
to set it up is one of them.
Can you start it up with strace ??
Baptiste
Regards,
Nathan W
On Sun, Jul 12, 2015 at 11:38 PM, Baptiste bed...@gmail.com wrote:
hi all,
As you may have noticed already, HAProxy 1.6-dev2 version has
integrated a new feature: server IP address resolution using DNS.
Main purpose of this dev is to make HAProxy aware of a server IP
change when using
Nathan,
The question is: why do you want to use the VIP to get connected on
your backend server?
Please give a try to the following source line, instead of your current one:
source 0.0.0.0 usesrc 10.240.36.13
Baptiste
On Tue, Jul 14, 2015 at 9:06 PM, Nathan Williams nath.e.w...@gmail.com
Hi,
Madison May reported that the timeout applied by the default
configuration is improperly set up.
This patch fixes this:
- hold valid default to 10s
- timeout retry default to 1s
Baptiste
From d84e08b599c30fb1d0d35a3715d76c331ee4c1c4 Mon Sep 17 00:00:00 2001
From: Baptiste Assmann bed
on
a public mailing list) :)
Baptiste
in haproxy.
I let the LUA experts answer you on the rest of the mail :)
Baptiste
Thank you for everything you do. You are one of the unsung heroes who
make the guts of the Internet possible.
Hehe don't feel like you're exaggerating a bit here ? :-)
Willy
nope.
Baptiste
-1
Hi Vinod,
First, good luck in your PhD.
For load-balancing algorithm, you want to read this part of the doc:
http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#balance
About the source code, it's available here:
http://git.haproxy.org/?p=haproxy.git
Baptiste
are
interesting on this topic.
Concerning your demand, I don't understand it!
Could you provide me your own configuration (or a fake one) you would
like to be protected adding comment to the type of protection you
expect, then I'll see what I can do.
Baptiste
is impacting the HAProxy VM, which might be
mutually impacted the server VMs...
Baptiste
On Thu, Jun 18, 2015 at 2:41 PM, Phil Daws ux...@splatnix.net wrote:
Hello Lukas:
Path is as follows:
Internet - HAProxy [Frontend:443 - Backend:80] - 6 x NGINX
Yeah, unfortunately due to the application behind
Phil,
without -k, HAProxy spends its time to compute TLS keys.
Can you run 'openssl speed rsa2048' and report here the number?
My guess is that it shouldn't be too far from 400 :)
Baptiste
On Thu, Jun 18, 2015 at 3:20 PM, Phil Daws ux...@splatnix.net wrote:
Hello Baptiste:
we were seeing
in internet)
Regards,
Ajay
Hi Ajay,
HAProxy sends logs to a syslog server.
So first, ensure your syslog server and HAProxy are properly configured.
Then, reading your syslog configuration will tell you where the files could be.
Baptiste
:
http://cbonte.github.com/haproxy-dconv/configuration-1.6.html
Regards,
Willy
It's a great release
Looking forward to play with it!
Note that in my lab, 1.6-dev performs slightly better than 1.5.
Baptiste
.
Baptiste
Hi Krishna,
Usually, people use a service discovery tool to do this.
Some other people use a local service to cache the check response and
serve it to all haproxy servers.
Baptiste
On Wed, Jun 17, 2015 at 11:38 AM, Krishna Kumar (Engineering)
krishna...@flipkart.com wrote:
On Tue, Jun 16
Which means that 2 listening sockets will get the traffic, one
deciphering the traffic, and the other one not...
Simply remove the ':44300' from your listen section definition.
Baptiste
Labrut.
Hi Thibault,
In the second case, you don't have any default backend.
So you'll get a 503 unless you are 12.34.56.78.
Baptiste
that your requests are having issues getting from your proxy
to your backend servers.
Very true, tcpdump is your friend!
Have you remarked any common pattern between those 504?
Same source IP, same cookie value, same URLs, same server, etc...
Baptiste
Or enable the proxy-protocol :
http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.5.html#send-proxy
http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.5.html#accept-proxy
Baptiste
On Thu, Jun 11, 2015 at 11:56 AM, Thierry FOURNIER
tfourn...@haproxy.com wrote
If you could give more information about the issue, share haproxy
version, compilation procedure, etc...
some gdb outputs..
Baptiste
On Thu, Jun 4, 2015 at 1:43 PM, Sachin Shetty sshe...@egnyte.com wrote:
I did try it, it needs 1.6.dev1 and that version segfaults as soon as the
request is made
Hi sachin,
Look my conf, I turned your tcp-request content statement into http-request.
Baptiste
On Thu, Jun 4, 2015 at 12:05 PM, Sachin Shetty sshe...@egnyte.com wrote:
Tried it, I don't see the table populating at all.
stick-table type string size 1M expire 10m store conn_cur
acl
frontend fe_dummy_redirect
bind 127.0.0.1:8001
http-request redirect prefix http://new-site.com code 301
Note that this configuration needs HAProxy 1.6 (latest snapshot).
Baptiste
)]
Baptiste
req.hdr(X-track) if is_range is_path_throttled
http-request deny if { sc1_conn_cur gt 2 } is_range is_path_throttled
There might be some typo, but you get the idea.
Baptiste
Hi Baptiste,
Unfortunately, we are not willing to upgrade to HAproxy 1.6 just yet, so we
are going to use another solution for this redirect (change DNS records to
resolve old hostnames to the new web server).
Thank you for the info anyway, it may be useful for another time.
Sylvain
Yes, the url sample copies whole URL as sent by the client.
Simply give it a try on a staging server and let us know the status.
Baptiste
On Wed, Jun 3, 2015 at 3:19 PM, Sachin Shetty sshe...@egnyte.com wrote:
Thanks Baptiste - Will http-request set-header X-track %[url] help me
track URL
hi Jim,
hdr_end could do the trick if you include the '.' in the matching string.
Baptiste
On Wed, Jun 3, 2015 at 4:55 PM, Jim Gronowski jgronow...@ditronics.com wrote:
I'm not very familiar with the map function, but does hdr_end(host) work in
this context?
If so, in order to only match