if { capture.req.hdr(2) -i true }
NOTE to you and to everyone: this is a dirty hack. Use it for
debugging purposes only.
Hopefully we'll have session variables in HAProxy soon and you could
replace such type of configuration.
Baptiste
Please read:
capture request header LBBEBUG len 5
http-response set-header LBNODENAME your server hostname here if { capture.req.hdr(2) -i true }
instead of ugly X-Blah and X-Found
Baptiste
-Origin: X that will be not funny to
manage.
Regards,
Charles
Hi Charles,
What is CORS ???
What should $origin return? The content of a HTTP header called Origin?
Or something else?
Baptiste
dedicated to what you want to do.
And so, you should have update your configuration accordingly.
That's what Willy mentioned: http-request capture rules from 1.6.
Baptiste
X_ID ^/([0-9]+)/.*$ \1 if { req.hdr(X_ID) -m found }
should do the trick.
Baptiste
except 127.0.0.0/8
default_backend SGproxy
B/R
Sean
Hi,
If you don't give us any information on how your SSO works, we can't help you.
If I were you I would start by removing option httpclose.
Baptiste
and backend configuration.
Baptiste
/
Baptiste
use the 'http-response add-acl'.
Hope this helps.
Baptiste
Hi Alexander,
You don't disable logging in a backend, since the frontend is
responsible to generate the log line.
If you don't want to log static content, you can do something like this:
acl static ###put your acl rule here
http-request set-log-level silent if static
Baptiste
logs only errors.
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#option%20dontlog-normal
Baptiste
plans to introduce this functionality in 1.6 release?
Cheers,
Pavlos
Hi Pavlos,
I'm speaking on behalf of Willy, so he may complete my answer.
I don't know if this will be available in 1.6, but in order to support
HTTP/2.0, HAProxy will have to support connection pooling.
Baptiste
On Fri, Dec 5, 2014 at 7:20 PM, Daniel Lieberman
dlieber...@bitpusher.com wrote:
On Dec 5, 2014, at 5:21 AM, Baptiste bed...@gmail.com wrote:
On Thu, Dec 4, 2014 at 11:50 PM, Daniel Lieberman
dlieber...@bitpusher.com wrote:
We have a situation where our app servers sometimes get into a bad
to
promise any feature for any version any more :)
So it may happen in 1.6, or later.
Baptiste
if { src 10.0.0.1 }
add as many IPs as needed.
Baptiste
On Wed, Dec 10, 2014 at 1:39 PM, Philipp Kolmann
kolm...@zid.tuwien.ac.at wrote:
Hi Baptiste,
Am 10.12.14 um 12:37 schrieb Baptiste:
Which version of HAProxy are you running? In 1.5, you can do: use-server
htc1 if { src 10.0.0.1 } add as many IPs as needed.
Yes I am on 1.5 already
Oudot
30 Avenue du Médipole
38300 BOURGOIN-JALLIEU
Tél : 04.69.15.70.39
Fax : 04.69.15.71.00
a.laga...@ch-bourgoin.fr
Hi Antoine,
HAProxy can't do this, unfortunately.
Baptiste
to modify the
response code like this?
Regards,
Dennis
Hi Dennis,
Yes you can using rspirep.
Baptiste
use_backend man-www1 if www1 www1nb
backend man-maint
rsprep ^HTTP/1.1\ 200\ OK HTTP/1.0\ 503\ Service\ Unavailable
server local_maint localhost:8001
I would rather use:
rspirep ^HTTP/1\..\ 200\ OK HTTP/1.0\ 503\ Service\ Unavailable\r\nConnection:\ Close
Baptiste
/introduction.html#backported-features
Baptiste
On Tue, Dec 9, 2014 at 6:54 PM, Patrick Kaeding
pkaed...@launchdarkly.com wrote:
Hello
I'm interested in using HAProxy as my external-facing proxy, in front
of my applications. I want to implement an SSO application to handle
authentication
the global 'autokill' feature.
Baptiste
On Wed, Dec 17, 2014 at 10:39 PM, Pavlos Parissis
pavlos.paris...@gmail.com wrote:
Hi,
I remember someone( maybe Baptiste) saying that in multi process mode
backends will be picked up by the process which frontend is bound to.
But, I found not to be the case in 1.5.9.
I also remember
the port using SSL and point to your certificate:
listen stats
bind :8050 ssl crt /path/to/crt
[...]
Baptiste
Hi Yosef,
Please keep the ML in Cc.
You first need to compile HAProxy to support SSL.
Use the USE_OPENSSL compilation directive.
Baptiste
On Mon, Dec 29, 2014 at 2:25 PM, Yosef Amir amir.yo...@comverse.com wrote:
Hi,
I get the following error :
# haproxy -f /etc/haproxy/haproxy.cfg
[ALERT
By default, HAProxy will use the openssl library installed on your system.
Don't forget to install the openssl dev packages as well.
And also, you have to create a self signed certificate and to put it
somewhere in your server (use the 'crt' keyword to point to it).
Baptiste
On Mon, Dec 29
Hi Zbynek,
Have you changed the default gateway of your server?
traffic from server to client must pass through HAProxy box.
In your case, I guess HAProxy sends a SYN to the server and the
servers sends the S/A to the client directly, bypassing HAProxy.
Baptiste
On Mon, Jan 26, 2015 at 1:24
What does dmesg say then?
Or errors logged by HAProxy?
You may have some iptables issues or source port exhaustion.
Baptiste
On Mon, Jan 26, 2015 at 2:53 PM, Zbyněk Rozman zbynek.roz...@stable.cz wrote:
Hi Baptiste,
yes we do have change that:
[root@srvA ~]# cat /etc/sysconfig/network
-check expect rstring healthStatus:(Healthy|DegradedMode)
and it seems to work.
What is the problem ? Are we doing something bad, or perhaps we don't
understand the meaning of the negation ?
Thank you for your help.
Sébastien Rohaut
Hi,
What does your option httpchk look like?
Baptiste
.
Baptiste
looks more global, since you have no statistics at all in
your frontend and your main server as well.
Could you share your configuration and the output of haproxy -vv ?
Baptiste
while the
limitation is in the hypervisor and multitenancy of your supplier.
Baptiste
On Thu, Feb 5, 2015 at 4:54 PM, Klavs Klavsen k...@vsen.dk wrote:
Baptiste wrote on 02/05/2015 04:44 PM:
[CUT]
3000 req/s in clear is low and a so rounded number is not normal :)
Move (far far) away from this provider.
You're wasting your time investigating performance issue while
,
prefixing and/or for sticky session purposes.
Is there a way to get haproxy just set a simple uuid cookie if
one isn't there?
Thanks,
Alberto
Hi Alberto,
You may be able to do something with the http-response set-header and
the rand fetch.
Baptiste
without explaining us the problem.
So it's hard to help.
Baptiste
Hi Marcello,
When using TProxy, the traffic from the server to the client must pass
through the Load-balancer.
Also, the server and the client can't be in the same subnet.
Baptiste
managing
manually.
We use keepalived a lot :)
Baptiste
will be kept open until timeout.
Wouldn't it make sense to implement an option for b) so it can be used during
major attacks or so?
Hi Christian,
Have you had a look at tarpit related options from HAProxy?
You can slow down the attack thanks to it.
Baptiste
-and-binding-with-haproxy-and-aloha-load-balancer/
If you can't do it, maybe you should ask the HAProxy experts to help you:
http://haproxy.com/services/haproxy-professional-services/
Baptiste
on frontends and binds.
Your hardware knows the limit :)
Baptiste
haproxy should report the reason of the fail in a log line, which
can be easily anonymized.
Please share with us these logs information.
Baptiste
On Thu, Feb 12, 2015 at 9:23 PM, chris...@endlessnow.com wrote:
Is there a problem with health checks and haproxy? Again, using a
machine
gun approach on the health check service, we see no problems, but for
whatever reason, occasionally (maybe 1 out 10, could be more), the
haproxy
tcp
Guys,
This is not an HAProxy related question, but more a system question.
simply test your configuration with -c and redirect stderr to a text
file in /var/log/ and you're done!
Baptiste
On Tue, Feb 17, 2015 at 2:57 PM, Cohen Galit galit.co...@comverse.com wrote:
Hello HAProxy team,
We
HTTP request
with tcp-check send and matching with two consecutive tcp-check expect
rules:
tcp-check expect string HTTP/1.1\ 200\ OK
tcp-check expect ! string healthStatus:Unhealthy
Baptiste
We can verify this quickly :
- using haproxy 1.5.5 and later, remove option http-server-close. It will
default to option http-keep-alive, and see if it's better.
Don't forget to enable option prefer-last-server as well to ensure
you'll keep the same connection.
Baptiste
:)
Baptiste
rules and simple
header addition.
That said should not be there for 1.6...
Baptiste
and HAProxy will send a cookie for all requests.
Baptiste
side with your configuration.
Simply failover to a SSL forward configuration:
listen spdytest
mode tcp
bind X.X.X.X:443
server backend1 10.X.X.X:1443
Baptiste
On Mon, Jan 12, 2015 at 9:03 PM, Srinivas Kotaru kotar...@gmail.com wrote:
Baptiste bedis9@... writes:
On Thu, Jan 8, 2015 at 10:16 PM, Srinivas Kotaru kotarusv@... wrote:
Srinivas Kotaru kotarusv at ... writes:
I hit similar issue of below post. Any solution yet?
http
HAS_CF_CONNECTING_IP
tcp-request content track-sc0 hdr_ip(x-forwarded-for,-1) if HTTP
!HAS_CF_CONNECTING_IP HAS_X_FORWARDED_FOR
So use CF-Connecting-IP if present, X-Forwarded-For else.
Thanks,
Mathias
Hi Mathias,
I've not run your conf, but it sounds good.
Baptiste
://blog.haproxy.com/2012/10/16/high-performance-waf-platform-with-naxsi-and-haproxy/
Look for the http_err_rate keyword.
Baptiste
workaround to do what you want: is to offload
monitoring into a dedicated backend (one per server).
Baptiste
...
In the blog article, I did not mention the global section because it
is not visible by our customer in our appliances.
That said, I should update the article as proposed.
Baptiste
On Wed, Feb 11, 2015 at 3:55 AM, Tod Schmidt tschmi...@yahoo.com wrote:
Wow, thanks for that response. That makes total
tod,
You're missing a global section and a maxconn into this section.
By default, HAProxy allows only 2000 connections on the process and
you're running out of free connections.
Please add this in your production server and report us how it works:
global
maxconn 2
Baptiste
On Mon, Feb 9, 2015 at 9:50 PM, Shawn Heisey hapr...@elyograg.org wrote:
On 2/9/2015 1:08 PM, Baptiste wrote:
could you define what you mean by heavy ?
What type of web application do you host?
How many req / conn per second do you expect?
When doing SSL, the CPU is not enough, the memory
of web application do you host?
How many req / conn per second do you expect?
When doing SSL, the CPU is not enough, the memory also matters.
Baptiste
lines generated by your HAProxy?
Both traffic and events.
Baptiste
haproxy group haproxy
Same on server line:
server clear /var/lib/haproxy/test send-proxy user haproxy group haproxy
Hope this helps.
Baptiste
Hi Sean,
You may find some useful information here:
http://blog.haproxy.com/2014/04/28/howto-write-apache-proxypass-rules-in-haproxy/
and here:
http://blog.haproxy.com/2013/02/26/ssl-offloading-impact-on-web-applications/
Baptiste
On Wed, Mar 18, 2015 at 3:39 PM, Sean Patronis spatro
Hi, thanks for the reply
2.9.6
Proxy protocol is available in Postfix since version 2.10:
http://blog.haproxy.com/haproxy/proxy-protocol/
Baptiste
to persistence.
More information on this blog post:
http://blog.haproxy.com/2012/03/29/load-balancing-affinity-persistence-sticky-sessions-what-you-need-to-know/
There is no rule, either A or B could get more requests.
Baptiste
Let me rephrase this: your version of postfix is too old and does not
include the proxy protocol.
Please use postfix 2.10 or above.
Baptiste
On Mon, Mar 16, 2015 at 4:26 PM, adcd gmail adcd...@gmail.com wrote:
I read this but I don't understand how it is related to postfix not knowing
-2015 Lua.org, PUC-Rio
Thanks!
-Joe
Hi Joe,
You're missing an LDFLAGS=-ldl.
More information on this blog page, including some quickstart code example:
http://blog.haproxy.com/2015/03/12/haproxy-1-6-dev1-and-lua/
Baptiste
called in a lua script:
http://blog.haproxy.com/2015/03/12/haproxy-1-6-dev1-and-lua/
Basically, in your lua script, you can recover the client IP address like this:
local clientip = txn.f:src()
Baptiste
(HW, VM, capacity, etc...).
Baptiste
on cpu/ram/nic, etc...
Also, please remove this statement:
option http-server-close
replace by the two following ones:
option http-keep-alive
option prefer-last-server
Baptiste
between each HTTP request.
You should get much better performance, but it depends on your traffic pattern.
Baptiste
On Thu, Mar 19, 2015 at 6:30 PM, Baptiste bed...@gmail.com wrote:
On Thu, Mar 19, 2015 at 1:37 PM, Saurab t saurabh.tiwari@gmail.com
wrote:
Hello Willy,
Thanks you
this is due to either chroot or rights on the socket.
Check the user and mode parameters of both your bind and server
description.
Also ensure the unix socket is available in a chroot environment, if any.
Baptiste
HAProxy.
Soon, HAProxy will perform DNS resolution to keep updated on the fly
of server IP address changes.
Baptiste
Hi,
some useful examples can be taken from this blog post:
http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/
Just replace src by hdr(X-Forwarded-For).
Baptiste
On Tue, Mar 24, 2015 at 5:58 PM, Jarno Huuskonen jarno.huusko...@uef.fi wrote:
Hi
be forced in HAProxy's configuration using the directive 'id'.
You may even be able to convert a backend id to a string using a map:
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#map
Baptiste
On Tue, Mar 24, 2015 at 8:36 PM, Martin Nikolov
martin.martinniko...@gmail.com wrote:
Hi
to highlight the most important point, from my point of view:
Requests/sec: 438828.20
nice job man!
Baptiste
you should believe it :)
On Mon, Mar 30, 2015 at 11:34 PM, Neil - HAProxy List
maillist-hapr...@iamafreeman.com wrote:
Hello
Thanks so much. That worked well, I now get
L7OK/0 in 0ms
not sure I believe the 0ms but maybe I should
Thanks again,
Neil
On 30 March 2015 at 22:14, Baptiste
authentication
tcp-check expect binary 0a0100 # bind response + result code: success
tcp-check send-binary 30050201034200 # unbind request
Note for myself: put this tip on the blog..
Baptiste
Hi Matt,
The issue with LDAP, is that it is not a banner protocol.
So either you check the TCP port is well bound on the server for a
simple L4 check, for L7, you don't have the choice, you must send a
message and check the server's result.
Baptiste
On Tue, Mar 31, 2015 at 9:53 AM, Matt
I think they play with their syslog server to detect a check from real
traffic and prevent the syslog server to log the checks.
Baptiste
On Tue, Mar 31, 2015 at 11:33 AM, Matt . yamakasi@gmail.com wrote:
Hi Baptiste,
Yes I've seen it also and never got around large logs.
What do most
prefer a
send-as-binary REQUEST_METHOD = GET
)
these and many others could be shipped with haproxy.
this seems to make sense to me as they are small contained logical items
Neil
Hi Neil,
Both contributions are interesting!
Let's wait for other people feedback.
Baptiste
I'll have to find a way to code buffer overflows in LUA!
Baptiste
in the
packet captured?
Baptiste
Use hyperv and a linux VM inside.
It works pretty well :)
Baptiste
On Fri, Mar 27, 2015 at 12:50 PM, Simon Dick sim...@irrelevant.org wrote:
I'm afraid Windows isn't a supported platform, please see
http://www.haproxy.org/#plat
On 26 March 2015 at 21:38, Abhijit Damle abhijit.da...@beca.com
Matt,
I won't do your configuration since I have no idea what you want to do.
Share what you did exactly, share more information about the issues
(logs, etc...) and we may help.
Baptiste
On Sun, Mar 29, 2015 at 3:53 PM, Matt . yamakasi@gmail.com wrote:
Hi,
I have tried all, also TCP
, stats page, etc...)
Baptiste
a hard one in this case ?
Thanks,
Matt
Hi,
Are you using mode tcp ?
could you share your configuration?
any error message provided by any equipment involved in your setup?
Baptiste
Hi,
No HAProxy won't do this.
Instead, if you could explain us clearly what is your problem, we may
be able to help you.
For now you just explain what you tried to achieve.
Baptiste
On Sun, Mar 29, 2015 at 3:33 PM, Abdelouahed Haitoute
ahaito...@rinis.nl wrote:
I think I've found the issue
On Sat, Feb 28, 2015 at 9:03 AM, Baptiste bed...@gmail.com wrote:
On Sat, Feb 28, 2015 at 8:42 AM, Vivek Malik vivek.ma...@gmail.com wrote:
Hi Baptiste,
Using set-map on the stats socket gives the expected result (except
that I can't use functions there). set map motion.map monday 12345 did
On Fri, Feb 27, 2015 at 12:04 PM, Dmitry Sivachenko trtrmi...@gmail.com wrote:
On 27 февр. 2015 г., at 11:52, Baptiste bed...@gmail.com wrote:
On Fri, Feb 27, 2015 at 9:02 AM, Dmitry Sivachenko trtrmi...@gmail.com
wrote:
On 27 февр. 2015 г., at 2:56, Baptiste bed...@gmail.com wrote
, I'm digging into it.
Baptiste
the 'stick store-response' when an error is returned by
the server and track it when traffic comes in with the in_table fetch.
This may require you to switch to HAProxy 1.6-dev.
Baptiste
I love it !
Just wrote, as a proof of concept, a forward proxy...
That said, it seems my lua script is blocking... I mean, if the
remote server is slow to deliver the response, then HAProxy doesn't
process any other request or response.
Baptiste
a couple of missing ifdef for openssl prevent to build LUA without SSL enabled.
This patch fixes it.
Baptiste
0002-FIX-missing-ifdef-related-to-SSL-when-enabling-LUA.patch
When we try to execute the txn.get_headers function in a TCP mode
frontend or backend, then HAProxy segfaults.
Baptiste
0001-fix-a-segfault-in-txn.get_headers.patch
On Fri, Feb 27, 2015 at 9:02 AM, Dmitry Sivachenko trtrmi...@gmail.com wrote:
On 27 февр. 2015 г., at 2:56, Baptiste bed...@gmail.com wrote:
On Thu, Feb 26, 2015 at 3:58 PM, Dmitry Sivachenko trtrmi...@gmail.com
wrote:
Hello!
Given the following configuration
backend BC
option
how do you pass arguments to a lua function?
Imagine I want to call the following lua function: function download
(host, file)
Baptiste
Great news, congratulations Thierry!
Baptiste
, hlua_socket_connect);
hlua_class_function(gL.T, send,hlua_socket_send);
hlua_class_function(gL.T, receive, hlua_socket_receive);
Baptiste
On Sun, Mar 1, 2015 at 6:22 PM, Cyril Bonté cyril.bo...@free.fr wrote:
Hi Thierry,
Huge work ! I've not played with it yet
.
Baptiste
Hi Mathieu,
There is no such MIB for HAProxy.
Baptiste
On Wed, Feb 25, 2015 at 4:17 PM, Mathieu Sergent
mathieu.sergent...@gmail.com wrote:
Hi,
I want to know if a MIB for HAProxy is available ?
Regards,
Mathieu
=haproxy.git;a=blob_plain;f=src/sample.c;hb=HEAD
and with the upper and lower and any other converter functions.
Baptiste
has a free slot
b1 and b2 will be used when ALL s1, s2 and s3 will be operationally DOWN.
2) nbsrv(BC) will be still equal to 3 because checks for s1, s2 and s3 still
succeed
nope, nbsrv is 5, since b1 and b2 should be counted as well.
Baptiste
,
Yes, this is normal and by design.
Baptiste