Haproxy F5 usage question
I have a situation where a backend server defined in HAProxy may be a VIP on our F5. The F5 VIP is set up for source persistence. Right now all the requests to this VIP from the HAProxy box are going to one pool member. Obviously the F5 is seeing the IP of the server and not the true client. I do have HAProxy sending out the X-Forwarded-For. But the F5 does not see it. Anyone have an example of how a scenario like this would work? Do I need to modify HAProxy or is this an F5 issue? Thank you again in advance.

Alex DeMarco
Manager of Technical Services
The State University of New York
State University Plaza - Albany, New York 12246
Tel: 518.320.1398 Fax: 518.320.1550
Be a part of Generation SUNY: Facebook http://www.facebook.com/generationsuny - Twitter http://www.twitter.com/generationsuny - YouTube http://www.youtube.com/generationsuny
RE: Haproxy F5 usage question
Right now it is just a proof of concept idea. Part of the problem is that the F5 we own does not do reverse proxying. At least not without running an iRule that no one in their support department will support you on. Unless I am completely missing something.

- Alex

From: Jeffrey 'jf' Lim [mailto:jfs.wo...@gmail.com]
Sent: Wednesday, January 09, 2013 2:46 PM
To: DeMarco, Alex
Cc: haproxy@formilux.org
Subject: Re: Haproxy F5 usage question

On Thu, Jan 10, 2013 at 2:05 AM, DeMarco, Alex <alex.dema...@suny.edu> wrote:

> I have a situation where a backend server defined in HAProxy may be a VIP on our F5. The F5 VIP is set up for source persistence. Right now all the requests to this VIP from the HAProxy box are going to one pool member. Obviously the F5 is seeing the IP of the server and not the true client. I do have HAProxy sending out the X-Forwarded-For. But the F5 does not see it.

So let me get this right. You've got a BIGIP sitting behind a HAProxy instance? Why are things configured this way?

-jf

> Anyone have an example of how a scenario like this would work? Do I need to modify HAProxy or is this an F5 issue? Thank you again in advance.
stats question
Hello,

Right now I have:

    listen stats :1936
        stats enable
        stats uri /stats

I also have a frontend bound to port 80. Is it possible to get /stats to answer on port 80 as well, but for only a specific set of IPs? I only want it to answer when called from 123.456.789.99, for example.

Thanks!
RE: stats question
Thank you. However, I have a followup. What does it mean when I get this:

    'stats' ignored because frontend 'myfrontend-80' has no backend capability

Even though I have a default backend defined? Thanks again.

- Alex

From: Baptiste [mailto:bed...@gmail.com]
Sent: Thursday, January 03, 2013 3:24 PM
To: DeMarco, Alex
Cc: haproxy@formilux.org
Subject: Re: stats question

Hi Alex,

configure your stat URL as usual, then you can protect it with an ACL:

    http-request allow if { path /stats } { src 123.456.789.99 }
    http-request deny if { path /stats }

cheers

On Thu, Jan 3, 2013 at 9:05 PM, DeMarco, Alex <alex.dema...@suny.edu> wrote:

> 123.456.789.99
Passing host head to the backend
Hello All,

In my setup my backend server needs to see the original host header in the request. So if the client requests http://myurl.com/application, the backend that handles /application needs to see https://myurl.com/application in the request. How can I pass this along?

Thank you

- Alex
RE: Passing host head to the backend
Hmm, interesting. Using Firebug in Firefox I can see it calling the backend but it does not appear to be reverse proxying the request. Instead of http://myurl.com/application I see http://myappserver/application. Still reviewing my config, not sure why this is occurring since I have it working for other parts.

- Alex

-----Original Message-----
From: Baptiste [mailto:bed...@gmail.com]
Sent: Tuesday, December 18, 2012 2:43 PM
To: DeMarco, Alex
Cc: haproxy@formilux.org
Subject: Re: Passing host head to the backend

Hi,

Nothing to do, it will pass it straight away, unless you tell HAProxy to do otherwise.

cheers

On Tue, Dec 18, 2012 at 8:22 PM, DeMarco, Alex <alex.dema...@suny.edu> wrote:

> Hello All,
>
> In my setup my backend server needs to see the original host header in the request. So if the client requests http://myurl.com/application, the backend that handles /application needs to see https://myurl.com/application in the request. How can I pass this along?
>
> Thank you
>
> - Alex
Re: Re-encrypt to the backend
Thank you, I have this working.

- Alex

-------- Original message --------
From: Willy Tarreau <w...@1wt.eu>
Date: 12/14/2012 2:48 AM (GMT-05:00)
To: DeMarco, Alex <alex.dema...@suny.edu>
Cc: haproxy@formilux.org
Subject: Re: Re-encrypt to the backend

Hi Alex,

On Fri, Dec 14, 2012 at 12:58:17AM +, DeMarco, Alex wrote:

> I am making pretty good progress with my initial haproxy config. However, I do have a question/problem. I have haproxy terminating ssl, however, I have a need on the backend that certain requests to send them to the backend encrypted. So basically for certain requests I need to re-encrypt them and send them to the backend because the backend http server is expecting an ssl connection. Can I do this in haproxy? If so, could you give me some pointers? Thanks!

Yes, for this you should have two distinct backends, one with the HTTP servers and another one with the HTTPS servers (with the ssl server keyword). Then you just select which backend to use from the frontend based on the requests. For example:

    frontend www
        bind :443 ssl crt ...
        use_backend secure if { path /login }
        default_backend clear

    backend clear
        server http1 192.168.0.1:80 check
        server http2 192.168.0.2:80 check

    backend secure
        server https1 192.168.0.1:443 check ssl
        server https2 192.168.0.2:443 check ssl

Regards,
Willy
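The `ssl` keyword in the reply above encrypts the hop to the backend; whether the server's certificate is also checked is controlled separately by `verify`. An added example (not part of the original thread) that keeps the same two-backend layout and states verification explicitly, so the result does not depend on the installed version's default. The certificate and CA file paths are placeholders.

```haproxy
# Added example: re-encryption to the backend with the server
# certificate verified. File paths below are placeholders.

frontend www
    mode http
    bind :443 ssl crt /etc/haproxy/site.pem
    use_backend secure if { path /login }
    default_backend clear

backend clear
    mode http
    server http1 192.168.0.1:80 check
    server http2 192.168.0.2:80 check

backend secure
    mode http
    # ssl             : speak TLS to the server
    # verify required : refuse a server whose certificate does not
    #                   chain to a CA in ca-file
    # ca-file         : CA bundle that issued the backend certificates
    server https1 192.168.0.1:443 check ssl verify required ca-file /etc/haproxy/backend-ca.pem
    server https2 192.168.0.2:443 check ssl verify required ca-file /etc/haproxy/backend-ca.pem

    # For contrast: "ssl verify none" still encrypts, but accepts any
    # certificate, so the proxy cannot tell the real backend from
    # another host answering on that address.
    # server https1 192.168.0.1:443 check ssl verify none
```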
Re-encrypt to the backend
I am making pretty good progress with my initial haproxy config. However, I do have a question/problem. I have haproxy terminating ssl, however, I have a need on the backend that certain requests to send them to the backend encrypted. So basically for certain requests I need to re-encrypt them and send them to the backend because the backend http server is expecting an ssl connection. Can I do this in haproxy? If so, could you give me some pointers? Thanks! Alex
HAProxy statistics report page
Question, on demo.1wt.eu what was used to create this? Is it a function in HAProxy? I've been looking thru the doc and cannot seem to find it. Thank you. - Alex
Stats error
I am trying to get stats enable to work. However, every time I try to start haproxy I get the following error: 'stats' ignored because frontend has no backend capability. I have backend rules in place so I am not sure what else I am missing.. Any ideas? Thank you.. Alex
UPDATE RE: Stats error
I got it working. Thank you.

- Alex

From: DeMarco, Alex [mailto:alex.dema...@suny.edu]
Sent: Friday, December 07, 2012 7:18 PM
To: haproxy@formilux.org
Subject: Stats error

I am trying to get stats enable to work. However, every time I try to start haproxy I get the following error:

    'stats' ignored because frontend has no backend capability.

I have backend rules in place so I am not sure what else I am missing. Any ideas? Thank you.

Alex
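The warning quoted in this thread and in the "stats question" thread is HAProxy reporting that `stats` directives were placed in a `frontend` section; they are only honoured in a `listen` or `backend` section, and a `default_backend` line does not change that. An added example (not from the original posts) that answers /stats on the port-80 frontend for a single source address by routing it to a backend that carries the stats directives. Section names other than `myfrontend-80` and all addresses are placeholders; 192.0.2.10 is a documentation address standing in for the permitted client.

```haproxy
# Added example: /stats on port 80, restricted by source address.
# 192.0.2.10 and 192.0.2.20 are placeholder addresses.

frontend myfrontend-80
    mode http
    bind :80
    # A frontend cannot serve stats itself; hand /stats to a section
    # that has backend capability.
    acl is_stats path /stats
    use_backend stats-backend if is_stats
    default_backend app

backend stats-backend
    mode http
    # Evaluated before the stats page is produced: anything not coming
    # from the permitted address is refused with a 403.
    acl stats_client src 192.0.2.10
    http-request deny unless stats_client
    stats enable
    stats uri /stats

backend app
    mode http
    server app1 192.0.2.20:80 check
```

`src` is the address of the TCP peer, so if another proxy or load balancer sits in front of this instance, the rule matches that device's address rather than the end client's.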
Re: ssl for ver 1.5 question
Thanks, I have it working.

Alex

Baptiste wrote:

> Hi Alex,
>
> by default, IIS will export the cert in a PKCS12 format, you have to translate it into PEM format. When exporting, don't forget to export the private key as well.
>
>     openssl pkcs12 -in key_and_cert.pfx -out key_andcert.pem -nodes
>
> cheers
>
> On Thu, Dec 6, 2012 at 2:43 PM, DeMarco, Alex <alex.dema...@suny.edu> wrote:
>
>> Hello,
>>
>> I am trying to set up a test of haproxy terminating ssl for an IIS website. The IIS site already has an ssl cert bound to it. Do I just export the cert from IIS and then point haproxy to the cert file? Like:
>>
>>     bind 0.0.0.0:443 ssl crt ./mycert.crt prefer-server-ciphers
>>
>> I am not well versed in SSL tech so thanks for all help.
>>
>> - Alex