RE: Unicode user-agent

2013-10-17 Thread Lukas Tribus
Hi Igor, > Hi, I used hdr(user-agent) ACL to block some traffic, recently need to > block some Chinese named user-agent, can haproxy handle this? The HTTP RFC only allows ASCII in the headers. Lukas

RE: SSL handshake failure

2013-10-17 Thread Lukas Tribus
Hi Thomas! > We are using HAProxy v1.5-dev19, and are seeing a lot of the following > errors in our haproxy logs: > > <-- snip --> > Oct 16 02:24:22 localhost haproxy[2473]: :44950 > [16/Oct/2013:02:24:22.643] https-in/1: SSL handshake failure > Oct 16 02:30:47 localhost haproxy[2473]: :37530 > [1

RE: SSL handshake failure

2013-10-17 Thread Lukas Tribus
Hi, > Lukas, > > The folks that access our service via the ColdFusion CFHTTP method > report errors, because those calls fail, and thus they are not getting > the requested data. Does it fail sporadically for some clients, or does it never work for specific clients? I would suggest: - collect as much in

RE: Unicode user-agent

2013-10-18 Thread Lukas Tribus
Hi, >> The HTTP RFC only allows ASCII in the headers. > > In header *names*, but anything can fit in a value, except LF. Ah, sorry about that, I really thought values are restricted as well. > It is possible to filter on this if you can write these characters in > the configuration. We don't

RE: High CPU Usage (HaProxy)

2013-10-21 Thread Lukas Tribus
Hi Fred, > I am using many haproxy instances, for separated projects. > > This is causing a high cpu usage, and a high load in the OS up to 12.00 > and so on. > > The question is, using just one instance, would it reduce the CPU load, or > would it make no difference at all? There is no way we can

RE: RES: High CPU Usage (HaProxy)

2013-10-21 Thread Lukas Tribus
Hi Fred, > FreeBSD 9.2 - Dual Xeon E5-2650 - 32 GB RAM. > > Haproxy 1.4 (Latest) > > 30.000~35.000 concurrent connections. About 200~300 Megabit/s. In totality. Alright, but we still need to know what haproxy does in this box. Can you post your configuration and explain what it does? Also we ne

RE: RES: RES: High CPU Usage (HaProxy)

2013-10-21 Thread Lukas Tribus
Hi Fred, > I am using a 10 Gbps Intel 520-DA2 NIC. > > The cpu usage in top varies per process, we have something like : > > Haproxy - 93% > Haproxy - 85% > Haproxy - 50% > Haproxy - 43% > Haproxy - 32% > Haproxy - 20% > Haproxy - 15% > Haproxy - 5% > Haproxy - 1% > > About 30-40 Processes. > > I am

RE: RES: RES: RES: High CPU Usage (HaProxy)

2013-10-21 Thread Lukas Tribus
Hi, > Yes, this is why I was speaking with Jeff about this. > > Because I suppose that these processes have a default loop, that uses a > certain amount of CPU (kQueue implementation) It's not busy polling, if that's what you are referring to. CPU usage should be low with kqueue (because it's fully

RE: RES: RES: RES: RES: High CPU Usage (HaProxy)

2013-10-21 Thread Lukas Tribus
Hi, > Yes, the current version (for my usage) is really stable. > > However, you are right, because too many processes will create too many > threads, assuming I have just 16 Physical Cores... > > Do you believe in a good CPU usage decrease, by switching to one process > only ? I can't guarante

RE: Haproxy stats socket with nbproc>1

2013-10-28 Thread Lukas Tribus
Hi! > So what is the current behavior? Does the stats socket function with nbproc > 1? No. > or will it only modify one of the two processes if you drain / disable > a server, etc.) Yes, it will only modify the process where the stats process runs on, so in other words the behavior will be co

RE: set weight bug?

2013-11-05 Thread Lukas Tribus
Hi Igor, > Using newest snapshot, when I do > > echo "set weight s1/p1 100"| socat stdio /tmp/haproxy > > to a server already has weight 100, then refresh haproxy's stat page, it > requires password, and it doesn't accept the right password set in > "stats auth" until I reload the haproxy. > > I ha

stats: mismatched weight output

2013-11-06 Thread Lukas Tribus
Hi! While trying to reproduce Igor's problem, I noticed some strange behavior in the stats output: A server has an initial weight of 100, and unix socket, html and csv outputs match. But when I modify the weight (in this case, I set it again to 100), then the unix socket shows the correct weight

RE: set weight bug?

2013-11-06 Thread Lukas Tribus
Hi! > Here is my config http://pastie.org/private/wf0dv30krqpasgmhtdnahw > (Deleted some servers and two backends for clear config) > > I used script to handle servers weight since haproxy-ss-20131031, so I > never tried previous versions. Sorry, still can't reproduce. For problem 1 (after set

RE: Dual HAProxy SSL instances crashing together with no log messages

2013-11-11 Thread Lukas Tribus
Hi Sam, > We are running dual HAProxy machines as our load balancers for our > web application, with keepalived for failover.  This is the 2nd time > that both HAProxy instances have died in production with no indication > as to why. When this happens, do you always see both HAProxy instances cr

RE: Apache logs and source IP

2013-11-13 Thread Lukas Tribus
Hi!   > #-  > backend PROD_http  > #-  > mode http  > option httplog  > stats enable  > stats auth admin:turnh3r3-  > balance roundrobin  > stick on src table PROD_https  > cookie SERVERID insert indirect nocache  > option httpclose 

RE: segfault in 1.5-dev19 when maxconn reached

2013-11-14 Thread Lukas Tribus
Hi! > Hi,  >  > I'm using haproxy 1.5-dev19 on centos 6.4 (2.6.32-358.23.2.el6.x86_64).  >  >  > And when the maxconn value is reached, haproxy crashed .  >  > Log message :  >  > haproxy kernel: : haproxy[4487]: segfault at 2a8 ip 000'0004541a5  > sp 7fff8c0a8c80 error 4 in haproxy[4

RE: DTLS termination

2013-11-27 Thread Lukas Tribus
Hi! > Can version 1.5 terminate DTLS connections like it does for SSL?  No; haproxy only works with TCP (HTTP or raw TCP). DTLS is for datagram protocols like UDP, which haproxy doesn't support anyway (even without encryption). Regards, Lukas

RE: performance problem about haproxy with libvirt20131201

2013-12-01 Thread Lukas Tribus
Hi, > Then I make a performance test. The result is following: > When the test machine directly accessed > vm_A(http://192.168.13.87:8080/ok.html). It can reach about 9000 > Transactions Per Second. > When the test machine accessed haproxy > machine_B(http://192.168.13.6/ok.html). It can also rea

RE: SSL client mode

2013-12-08 Thread Lukas Tribus
Hi Igor, > For testing and bench purpose, client mode like stud[1] would be > useful, any plan to implement this feature? Not sure what that means, can you elaborate on the use case? SSL encrypted backend connections are already supported. Regards, Lukas

RE: SSL client mode

2013-12-08 Thread Lukas Tribus
Hi, > listen http > bind: 80 > mode ssl-client > use-server sslsrv 127.0.0.1:443 This should already work without the need to introduce a new "mode". Just configure your frontend without SSL and your backend with SSL, both using HTTP mode. Regards, Lukas

RE: splice(0xedb, 0, 0xf09, 0, 0x72b0, 0x3) = -1 EAGAIN (Resource temporarily unavailable)

2013-12-09 Thread Lukas Tribus
Hi Annika, > we have a few regarding load at our Haproxy 1.5-dev19 cluster. > We run constantly at a load of 12 - 15 most of it is system load. > [...] > On our old cluster i do not see any of the "Resource temporarily > unavailable” at splicing operation.  We can't tell if that kind of load is

RE: splice(0xedb, 0, 0xf09, 0, 0x72b0, 0x3) = -1 EAGAIN (Resource temporarily unavailable)

2013-12-09 Thread Lukas Tribus
Hi, > There are some bugs with splice in 1.5-dev19... they have been fixed. >  > See this thread for the patches: > http://comments.gmane.org/gmane.comp.web.haproxy/12774 >  > (Or google for: "Oh and by the way, the bug was present since 1.5-dev12." ) This is not what Annika is seeing; that bug

RE: SSL client mode

2013-12-09 Thread Lukas Tribus
Hi, >> listen http >> bind: 80 >> mode ssl-client >> use-server sslsrv 127.0.0.1:443 > I think this should work > -- > listen http :80 > mode http > server sslsrv 127.0.0.1:443 ssl > -- Yes exactly, or something like this when using the frontend/backend approach: frontend myfrontend  mode http
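A complete version of that frontend/backend approach, added here as an example and not taken from the thread or from the project's own files (HAProxy 1.5 syntax; the CA bundle path and the verifyhost name are assumptions). The part a practitioner should not skip is the verification: "ssl" alone makes HAProxy a TLS client that accepts any certificate, so the hop to the backend can be intercepted by anyone able to redirect that traffic. HAProxy 1.5 later made "verify required" the default for SSL servers, but it is still better to spell it out:

```haproxy
global
    log /dev/log local0
    # default since 1.5 for "ssl" servers; stated explicitly so any downgrade is visible
    ssl-server-verify required

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend myfrontend
    # plain HTTP towards the clients, as in the question
    bind :80
    default_backend mybackend

backend mybackend
    # "ssl" turns on TLS towards the server; "verify required" plus "ca-file" make the
    # certificate chain actually checked; "verifyhost" checks the certificate name,
    # which 1.5 does not derive from the server address by itself (name is an assumption).
    # Health checks are sent over TLS too, so a bad certificate also fails the check.
    server sslsrv 127.0.0.1:443 ssl verify required ca-file /etc/ssl/certs/ca-bundle.crt verifyhost backend.example.internal check
```

With "verify none" you keep confidentiality on the wire but not authenticity: a forged backend is accepted silently. Because the health check runs over the same TLS settings, a certificate that stops validating takes the server out of rotation, which is a useful early warning rather than a silent fallback.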

RE: splice(0xedb, 0, 0xf09, 0, 0x72b0, 0x3) = -1 EAGAIN (Resource temporarily unavailable)

2013-12-09 Thread Lukas Tribus
Hi, > For testing we disabled splicing on one of the cluster members on the > new cluster (after successful tests). Now load drops below 8 from 16. > So I maybe try it with splice-auto and if that does not help with a > new haproxy build with the following git commits: Yes, but please fix the ti

RE: Compile warning on OS X

2013-12-09 Thread Lukas Tribus
Hi Igor, > include/common/time.h:111:29: warning: implicit conversion from > 'unsigned long' to '__darwin_suseconds_t' (aka 'int') changes value > from > 18446744073709551615 to -1 [-Wconstant-conversion] > tv->tv_sec = tv->tv_usec = TV_ETERNITY; > ~ ^~~ > include/common/time.h:32:26: not

RE: Haproxy Load-Balance Scaling

2013-12-09 Thread Lukas Tribus
Hi, >> Hello Experts, >> not sure if this subject was already discussed or not, like to hear the >> advices and suggestions. >> If a single HAProxy instance as a load-balancer could not handle the >> high-load traffic, how to scale multiple instances as a group of >> load-balancers to handle the

RE: Three patches to the haproxy-systemd-wrapper

2013-12-09 Thread Lukas Tribus
Hi folks, > On Sat, 23 Nov 2013 12:05:24 +0100 > Willy Tarreau wrote: > >> Hi Mark-Antoine, >> >> On Sat, Nov 23, 2013 at 07:37:21PM +0900, Marc-Antoine Perennou wrote: >>> I don't have access to a computer to actually test those, but: >>> - the first one looks nice, never felt really confident

RE: [ANNOUNCE] haproxy-1.5-dev20

2013-12-16 Thread Lukas Tribus
Hi Willy and everyone, > Subject: [ANNOUNCE] haproxy-1.5-dev20 > > Hi all, > > here is probably the largest update we ever had, it's composed of 345 > patches! Wow, that's one hell of a -dev release, nice work :) > - keep-alive: the dynamic allocation of the connection and applet in the > sess

RE: HAProxy Next?

2013-12-17 Thread Lukas Tribus
Hi! >>> - sflow output >> >> Can't log-format already do this? > Sure, but it might be a better integration in the rest of networking > infrastructure if sflow is supported. FYI, Neil Mckee has a fork available with sflow support: http://marc.info/?t=13673552702&r=1&w=2 http://blog.sflow

RE: It seems HTTP header string exact match failed

2013-12-23 Thread Lukas Tribus
Hi! > In my test of 1.5dev21, I found the following acl failed: > > acl  my_host req.hdr(host) -m str www.mytest.com >   use_backend www if  my_host > > > and result in an 503 error(because there is no default backend). > > I tried : >    1. my_host req.hdr(host) -m beg www.mytest.com >    2.

RE: SSL and keep-alive

2013-12-23 Thread Lukas Tribus
Hi! >> Is anything ringing a bell to you? Anything I could do for the app to be >> more responsive in HTTPS? > [...] > You're right, your HAProxy is in tunnel mode, which means it lets the > client and the server negotiate the keep-alive mode. > Obviously, they did not. Correct. In case you origi

RE: Outgoing connection set-mark patch proposal

2013-12-23 Thread Lukas Tribus
Hi, > backend transparent-cache1 >  option transparent >  option tcp-smart-connect >  source 10.0.253.26 usesrc clientip set-mark 0x11 Doesn't the following configuration achieve what you are trying to do?   backend transparent-cache1    option transparent    option tcp-smart-connect    source

RE: Outgoing connection set-mark patch proposal

2013-12-23 Thread Lukas Tribus
Hi, > To be more clear: > There is "client side", which is client to haproxy. > And there is "server side", which is haproxy to server. > > My patch implements mark for "server side", while > http-request/http-response as I see in source code only for "client > side". Yes, I see. Currently, the

RE: acl based removing request headers

2013-12-23 Thread Lukas Tribus
Hi, > we are using 1.5dev19 and I would like to know if there is an option to use acl and > reqidel. > What I want: remove accept-encoding gzip, deflate when matched acl. Because > I know that client is broken. And I want to set gzip compression globally on. Please check the documentation, you should f
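A worked version of what the poster asks for, added here as an example rather than taken from the thread or from the project's documentation (HAProxy 1.5 syntax; the User-Agent substring and the backend address are assumptions). reqidel accepts an optional if/unless condition, so the header is removed only for the client known to be broken while compression stays enabled for everyone else; removing Accept-Encoding is enough because HAProxy only compresses when the client advertises support:

```haproxy
frontend http_in
    mode http
    bind :80
    # match the broken client by a substring of its User-Agent (assumed value);
    # "-i" makes the match case-insensitive
    acl broken_client hdr_sub(user-agent) -i BrokenClient/1.0
    # reqidel deletes request lines matching a case-insensitive regex,
    # here only when the ACL matches
    reqidel ^Accept-Encoding:.* if broken_client
    default_backend app

backend app
    mode http
    # compression stays globally on; the broken client never qualifies
    # because its Accept-Encoding header is gone before the backend is chosen
    compression algo gzip
    compression type text/html text/plain text/css application/javascript
    server app1 127.0.0.1:8080 check
```

If the backend servers compress on their own, "compression offload" in the backend makes HAProxy strip Accept-Encoding toward the server and do the compression itself, so the broken client is protected from the servers' compression as well, not only from HAProxy's.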

RE: It seems HTTP header string exact match failed

2013-12-24 Thread Lukas Tribus
Hi, > dev19 is OK. > > The config I use is: With your exact configuration (other than changing the server ip) I'm still unable to reproduce the problem:  0002:ap.accept(0004)=0005 from [10.0.0.3:55871]  0002:ap.clireq[0005:]: GET / HTTP/1.1  0002:ap.clihdr[0005:]: Us

RE: [Help] How can I use haproxy with ssl

2013-12-26 Thread Lukas Tribus
Hi, > but my web server use https (ssl) so the load-balancer has to provide > this. I downloaded haproxy-1.5-dev21 and made this, but... error... > > src/shctx.o: In function `atomic_dec': > /root/haproxy-1.5-dev21/src/shctx.c:134: undefined reference to > `__sync_sub_and_fetch_4' > src/shctx.o: In fu

RE: [Help] How can I use haproxy with ssl

2013-12-27 Thread Lukas Tribus
Hi, > My Linux is > [...] > Description: CentOS release 5.10 (Final) > [...] > and Installed openssl-1.0.1e Please decide now: would you like to use the openssl from your repository or do you want to build it on your own? There is no point in troubleshooting 2 different problems at the same time

RE: proxy protocol for varnish 3.0.5

2013-12-30 Thread Lukas Tribus
Hi, > I have made a patch to add proxy protocol to Varnish 3.0 > you can find it at http://varnish.hocdet.net Nice! Btw, is there any patch available for apache? Google search with the apache, haproxy, proxy keywords isn't very helpful, as you can imagine ... We need more exotic names for tho

RE: haproxy return 502 if loadbalance a fortiweb WAF protected website

2013-12-30 Thread Lukas Tribus
Hi, > HTTP/1.1 200 OK > Date: Mon, 30 Dec 2013 05:40:02 GMT > X > MicrosoftOfficeWebServer: 5.0_Pub > X > XXX > > Cache-Control: private > Content-Type: text/html; charset=utf-8 > Content-Length: 73803 > >

RE: UDP loadbalancing

2013-12-30 Thread Lukas Tribus
Hi, > Hi, > > I know haproxy doesn't do UDP loadbalancing, but I figured someone here > might know a nice tool which can do this for me. (If haproxy could do it > it would have been nice though... ;-) ) > > I've looked at pen but it doesn't seem to do IPV6. > > LVS can do the trick but I need to

RE: http-keep-alive broken?

2013-12-30 Thread Lukas Tribus
Hi, > Subject: http-keep-alive broken? > > Hi, > > I'm using haproxy ss-20131229 to reverse proxy some windows iis server > with ntlm-auth enabled (one of them being exchange 2012). > > While I understood that using 'option http-keep-alive' would make > ntlm-auth work, it doesn't work for me. Ar

RE: Feature request: TOS based ACL.

2013-12-31 Thread Lukas Tribus
Hi, > Could haproxy add a tos based acl? > http://en.wikipedia.org/wiki/Type_of_service > We want to do some action on the traffic based on the tos field. Should work already with something like this:  acl local_net src 192.168.0.0/16  http-response set-tos 46 if local_net http://cbonte.githu

RE: HA-Proxy version 1.5-dev21-51437d2 2013/12/29 sticky ssl sessons are not working in my environment

2014-01-02 Thread Lukas Tribus
Hi, > Problem description – when I access my two web servers through HA-Proxy > version 1.5-dev21-51437d2 2013/12/29 > > it acts as round robin load balancing without any ssl sticky sessions > effect. I would be very pleased if some could help to make sticky ssl > sessions work without ssl offlo

RE: Feature request: TOS based ACL.

2014-01-02 Thread Lukas Tribus
Hi, > That's great, but can there be anything like this? > > acl bad_guys tos-acl 0x20 > block if bad_guys Ah ok, you want to match incoming TOS. That is indeed not supported currently. Also, not all *nixes provide an API for this. Linux has IP_RECVTOS/IPV6_RECVTCLASS to do it, but BSD hasn

RE: http-keep-alive broken?

2014-01-02 Thread Lukas Tribus
Hi, > While I do agree that using tcp-mode would make stuff easier, I also need > to do some redirecting on the host-header. Which is AFAIK not possible > while in tcp-mode. (I might be wrong) No, I really meant http mode, but in the (default) tunneling mode, which can only analyze the first requ

RE: proxy protocol for varnish 3.0.5

2014-01-02 Thread Lukas Tribus
Hi, > Dumb question: what is the advantage of the proxy protocol for http (as > would be the case with varnish)? I assumed the proxy protocol was used > to enable load balancing of non-http protocols. It can be useful even when you are load-balancing http. Perhaps you don't want to touch the HT

RE: Does haproxy could be a forward proxy?

2014-01-03 Thread Lukas Tribus
Hi, > Hi, this question is silly, but I use haproxy even on my laptop to > split traffic, for example, there's a ACL to let some special domains > go via remote proxy, and the default goes local proxy, I wonder is it > possible to replace local proxy with haproxy, so I could have: " > server defa

RE: HA-Proxy version 1.5-dev21-51437d2 2013/12/29 sticky ssl sessons are not working in my environment

2014-01-03 Thread Lukas Tribus
Hi, > Hello , > > Many thanks for your reply. This thing is even stranger: I downloaded and > compiled several versions of HAproxy 1.5.x.x and the result was always the > same > > I experimented with following versions > > At first I tested with > http://haproxy.1wt.eu/download/1.5/src/devel/hapr

RE: http-keep-alive broken?

2014-01-03 Thread Lukas Tribus
Hi, > The problem I'm having (also tested with ss-20140101 yesterday) happens > with http-keep-alive enabled and also when just running in tunnel mode. > But, when http-keep-alive is enabled I get the problem with ~98% of the > requests and in tunnel mode I get it with ~10% of the requests. > Aut

RE: HA-Proxy version 1.5-dev21-51437d2 2013/12/29 sticky ssl sessons are not working in my environment

2014-01-04 Thread Lukas Tribus
Hi, > Have been wondering about if/how i could persist ssl sessions between > servers myself if i ever need it. > And found the concept of a SSL-session-id rather promising, then after > looking into how to use it and its reliability i found some articles > saying it might not be wise.. > > https

RE: http-keep-alive broken?

2014-01-05 Thread Lukas Tribus
Hi, > Well, after spending some time compiling testing compiling testing I > finally found that the patch > 0103-OPTIM-MEDIUM-epoll-fuse-active-events-into--1.5-dev19.diff done > between 20131115 and 20131116 is causing my problems. > > I also found that this problem is much easier to reproduce on

RE: HA-Proxy version 1.5-dev21-51437d2 2013/12/29 sticky ssl sessons are not working in my environment

2014-01-05 Thread Lukas Tribus
Hi, > My web servers contain a text file which contains the name of that server. > Then put following line to web browser https://X.X.X.X/index.txt > and browse this page it displays server name One server file index.txt > contains server name etee-live1 and other server the file contains this > server n

RE: http-keep-alive broken?

2014-01-05 Thread Lukas Tribus
Hi, > Disabling epoll doesn't fix it... drat... Tested it with ss-20140104. > Could it be that it's a more subtle bug somewhere else? If disabling epoll doesn't work around that problem then another patch must be the reason for this. > But, Yes, that is correct. 20131115 works and 2013116 doesn

RE: Thousands of FIN_WAIT_2 CLOSED ESTABLISHED in haproxy1.5-dev21-6b07bf7

2014-01-07 Thread Lukas Tribus
Hi, > Recently, we use haproxy1.5-dev21 in our product.And we want to get > the benefit of http-keep-alive. But after we added the option > http-keep-alive and deployed new version of haproxy. We found that the > connection of FIN_WAIT_2 CLOSED ESTABLISHED increased quickly. when we > change to th

RE: HA-Proxy version 1.5-dev21-51437d2 2013/12/29 sticky ssl sessons are not working in my environment

2014-01-08 Thread Lukas Tribus
Hi, > And this program generated a file rfc5077-output-1389174665--p-4431- > 192.168.35.254.csv with following content: This output is extremely useful. What it says is that session id caching works perfectly fine; as long as TLS tickets remain disabled on the client side. But when the client us
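The session-ID-based persistence this thread is about, written out as an added example (not the poster's configuration and not from the project's docs; HAProxy 1.5 syntax, server addresses are assumptions). Nothing is decrypted: HAProxy reads the session ID field of the ClientHello and of the ServerHello and keys a stick table on it. The caveat is the one the output above points at: a client that resumes with RFC 5077 tickets sends a session ID the table has never seen and is simply round-robined, so this only persists clients whose tickets are disabled.

```haproxy
frontend https_in
    mode tcp
    bind :443
    # no "ssl" on the bind line: the TLS session terminates on the real servers
    default_backend https_servers

backend https_servers
    mode tcp
    balance roundrobin
    # session IDs are at most 32 bytes; the table maps them to a server
    stick-table type binary len 32 size 30k expire 30m
    acl clienthello req.ssl_hello_type 1
    acl serverhello rep.ssl_hello_type 2
    # hold the connection (at most 5s) until a full ClientHello/ServerHello is buffered
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello
    tcp-response inspect-delay 5s
    tcp-response content accept if serverhello
    # offset 43 = 5 (record header) + 4 (handshake header) + 2 (version) + 32 (random):
    # the byte there is the session ID length, the ID itself follows it
    stick on payload_lv(43,1) if clienthello
    stick store-response payload_lv(43,1) if serverhello
    server etee-live1 192.168.35.11:443 check
    server etee-live2 192.168.35.12:443 check
```

Because the proxy cannot read the stream it also cannot route on Host, insert headers or log the request; that is the price of keeping the private key off the load balancer. The poster's rfc5077 output is the right tool to confirm, per client, whether tickets are in play before relying on this.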

RE: Client side ssl certificates for specific location

2014-01-08 Thread Lukas Tribus
Hi, > I want to enable client side ssl for a specific URL only. My web app > admin lives at https://example.org/admin and I want only the /admin part > require a client certificate. In Apache I would do it with a /admin> block. In haproxy I am able to require a certificate for the > entire fronte
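What can be done for that case in HAProxy 1.5, as an added example (not the poster's configuration and not from the project's docs; certificate paths and the backend are assumptions). HAProxy cannot renegotiate per path the way Apache's per-location block does, because the TLS handshake is finished before the request line, and with it the path, is known. The workable shape is to request a certificate from everyone with "verify optional" and to enforce it only for /admin with an ACL:

```haproxy
frontend https_in
    mode http
    # "verify optional": the certificate is requested in every handshake but its
    # absence is not an error; a presented certificate that fails to validate
    # against ca-file still aborts the handshake (unless crt-ignore-err is set)
    bind :443 ssl crt /etc/haproxy/site.pem ca-file /etc/haproxy/admin-client-ca.pem verify optional

    acl is_admin        path_beg /admin
    # ssl_c_used: a client certificate was presented on this connection
    # (also true after session resumption)
    acl has_client_cert ssl_c_used
    # ssl_c_verify: 0 = validated; non-zero is the OpenSSL error number, which
    # is only observable when crt-ignore-err lets such a handshake complete
    acl cert_ok         ssl_c_verify 0

    http-request deny if is_admin !has_client_cert
    http-request deny if is_admin !cert_ok
    default_backend app

backend app
    mode http
    server app1 127.0.0.1:8080 check
```

The visible cost is that every visitor, not only the admin, is asked for a certificate during the handshake, which some browsers show as a certificate picker; the clean alternative is a separate hostname or port for /admin with "verify required" on its own bind line. Note also that ssl_c_used is a property of the TLS connection, so with keep-alive every request on that connection inherits it, which is the intended behaviour here.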

RE: Client side ssl certificates for specific location

2014-01-08 Thread Lukas Tribus
Hi, > $ openssl s_client -state -quiet -connect xx.xx.xx.xx:443 > > SSL_connect:before/connect initialization > SSL_connect:SSLv2/v3 write client hello A > SSL_connect:SSLv3 read server hello A > depth=4 /C=NL/O=xxx/CN=xxx > verify error:num=19:self signed certificate in certificate chain > verif

RE: Thousands of FIN_WAIT_2 CLOSED ESTABLISHED in haproxy1.5-dev21-6b07bf7

2014-01-08 Thread Lukas Tribus
Hi, > I calculated the connection in frontend and backend "direct".( as > freeBSD don't show port of 2001 in netstat -na when connect to > client.) > > root@Haproxy01:~ # sh frontend_tcp_conns.sh > FIN_WAIT_1 129 > FIN_WAIT_2 25729 > LAST_ACK 1730 > CLOSING 5 > CLOSE_WAIT 1560 > CLOSED 211 > SYN_

RE: Thousands of FIN_WAIT_2 CLOSED ESTABLISHED in haproxy1.5-dev21-6b07bf7

2014-01-09 Thread Lukas Tribus
Hi, > Thanks very much for your answer ! > Actually, we just used FreeBSD9.2 with the same configuration before, > but the situation almost the same :( Ok, at least it's not likely to be an OS bug then. > And is there any other possible reason there ? Or is there any > possible tools for track t

RE: http-keep-alive broken?

2014-01-28 Thread Lukas Tribus
Hey guys, >> Do you still want me to bisect? Or should I wait? If you think the >> problem is the same I'll just test the fix :-) > > Don't waste your time bisecting. I'll propose you to test the patch > instead. The problem I've seen is always the same and is related to > the fact that the SSL l

RE: Can HAProxy Reverse Proxy SSL to Backend?

2014-01-30 Thread Lukas Tribus
Hi, > OK we discussed this with Emeric in the last few days and came up with a > solution closer from yours than from mine. What made me accept to change > my mind is to realize that many users don't see warnings at all. Probably > that the new shitty service managers which replace init are respo

RE: Update on remaining work before 1.5

2014-01-30 Thread Lukas Tribus
Hi, > Here's an update of current 1.5 status. All reported bugs were fixed. > > I'm currently working on something that was just reported to me today > which is not exactly a bug but a design mistake around the way track- > counters are tracked between HTTP requests when they're done in "content"

RE: 'packet of death' in 1.5-dev21.x86_64.el6_4

2014-01-30 Thread Lukas Tribus
Hi, > If anyone has any thoughts or insights I'd be intrigued to hear them > and if you want to reproduce and have difficulties doing so I'd be > happy to help. Please provide the smallest config you can reproduce the problem with and the output of "haproxy -vv". I cannot currently reproduce

RE: haproxy-1.5-dev21 and firefox POST (shibboleth-sp) problems

2014-01-30 Thread Lukas Tribus
Hi, > If I use older 1.5-dev snapshot (haproxy-ss-20131031) then login > works on firefox (same config). > > With latest snapshot haproxy-ss-20140116 the ssl backend doesn't work at > all. All requests get 408 error from haproxy. Not sure what exactly happens, but can you please update to the la

RE: haproxy-1.5-dev21 and firefox POST (shibboleth-sp) problems

2014-01-31 Thread Lukas Tribus
Hi, > [root@localhost ~]# rpm -qi glibc-devel  > Name : glibc-devel Relocations: (not relocatable)  > Version : 2.12 Vendor: CentOS > Release : 1.107.el6_4.5 Build Date: Mon 14 Oct 2013 09:14:18 BST  I see a more recent glibc when booting from Centos 6.4 livecd: > [root@livecd ~]# rpm -qi glibc

RE: Build err on OS X

2014-02-01 Thread Lukas Tribus
Hi, > Hi, build latest git head, error like: > > src/listener.c:361:5: warning: implicit declaration of function > 'fcntl' is invalid in C99 [-Wimplicit-function-declaration] > fcntl(cfd, F_SETFL, O_NONBLOCK); > > ^ > src/listener.c:361:16: error: use of undeclared identifier 'F_SETFL' > fcntl(cfd

RE: Prevent os detection ?

2014-02-03 Thread Lukas Tribus
Hi, > I would like to know if Haproxy is able to prevent OS fingerprinting / > public display of the os it is running on. (nmap -O as an example) No, an application cannot prevent OS fingerprinting. > The purpose is essentially to test my infrastructure and enhance my > understanding of w

RE: SSL front and backend

2014-02-05 Thread Lukas Tribus
Hi, > Can you tell me if the following is possible with HA proxy please: > > LB-Prim-Node---LB-Backup-Node > HTTPS VIP > |___Heart Beat___| > | | | > | | | > | | | > Real-Srv1 Real-Srv2 Real-Srv3 > HTTPS HTTPS HTTPS > > I need a HTTPS entry and the backend server in t

RE: SSL front and backend

2014-02-05 Thread Lukas Tribus
Hi, > Excellent. Having looked at the documentation, I cant clearly see the  > configuration options I need to use. Can you point me to a doc that  > will explain on how to set it up and which options to use please?  examples/ssl.cfg is a (very) simplified configuration of what you would like t

RE: Keep-alive and websocket connections

2014-02-06 Thread Lukas Tribus
Hi, > In the latest HAProxy 1.5 release (dev22), it is indicated that > keep-alive is now enabled by default for both client and server sides. > I have some questions regarding its use in the following scenario. > > I use HAProxy in front of an array of servers: one nginx for > delivering static

RE: Keep-alive and websocket connections

2014-02-07 Thread Lukas Tribus
Hi, > Thanks for your suggestion, Lukas. > > For my own understanding, are you saying that there is no difference > between having "http-keep-alive" and having "http-server-close" to a > backend server once a websocket connection to that server is established, > and both settings allow for establishi

RE: how to disable/enable TCP_NODELAY soket option in TCP mode?

2014-02-07 Thread Lukas Tribus
Hi, > I can't find in haproxy documentation any information about Nagle's > algorithm or TCP_NODELAY option You probably want to read about http-no-delay option [1]. You cannot directly disable or enable TCP_NODELAY, but you need to work with http-no-delay. Regards, Lukas [1] http://cbon

RE: 'packet of death' in 1.5-dev21.x86_64.el6_4

2014-02-07 Thread Lukas Tribus
Hi, > Not a problem ... our Head of IS did a detailed write up on our > investigation process and findings at his blog if you are interested: > > http://blog.tinola.com/?e=36 Thanks, that's really interesting and very detailed. Someone from RedHat really should take a look at this. Most likely

RE: git clone hangs

2014-02-10 Thread Lukas Tribus
Hi, > same problem as mentioned here: > > > http://comments.gmane.org/gmane.comp.web.haproxy/7172 Same solution, use the mirrors:  http://master.formilux.org/git/people/willy/haproxy.git/  http://master.formilux.org/git/people/willy/haproxy-1.4.git/ > I've tried for three days in a row.

RE: OT: Linux HighPerf Tunning

2014-02-10 Thread Lukas Tribus
Hi, > I hope you are not too angry that I ask a Linux network question here. > > The reason is that on this list are also very experienced users about > high traffic > and high performance setups. Still off-topic, as it isn't a haproxy issue. If you think that's a kernel issue, LKML is the right p

RE: I have a question, would you please help me to solve!

2014-02-14 Thread Lukas Tribus
Hi, > Hello: > > My name is Zhang Xiaojie > > I would like to ask whose product haproxy is? On the website I did not find > information about which community or company is behind haproxy! The commercial aspect is covered on haproxy.com (exceliance.fr now redirects to it): http://www.haproxy.com/en

RE: Patch for ALPN compatibility with OpenSSL development

2014-02-14 Thread Lukas Tribus
Hi, > Hi all, > > At GitHub we’ve worked on a patch to make HAProxy’s ALPN code compatible > with the patches for it that have landed in OpenSSL: Great, thats something that needs fixing, yes. > This final version is slightly different from what HAProxy currently > expects, which is based on s

RE: Patch for ALPN compatibility with OpenSSL development

2014-02-16 Thread Lukas Tribus
Hi, > I’ve updated the patch which now does actual negotiation. The logic comes > from the example OpenSSL server application that also was committed in the > commit that adds ALPN support to OpenSSL: Great, it works correctly now. When negotiating spdy I now get a ERR_SPDY_PROTOCOL_ERROR in Chr

RE: http responses randomly getting RSTs

2014-02-18 Thread Lukas Tribus
Hi, > Feb 18 14:46:02 localhost haproxy[23414]: 10.46.10.145:58871 > [18/Feb/2014:14:46:02.454] example.dk .dk/ -1/-1/31 212 cR > 2/2/0/0/0 0/0 > Feb 18 14:46:02 localhost haproxy[23414]: 10.46.10.145:58872 > [18/Feb/2014:14:46:02.455] example.dk .dk/ -1/-1/30 212 cR > 1/1/0/0/0 0/0 cR means [1

RE: http responses randomly getting RSTs

2014-02-18 Thread Lukas Tribus
Hi, > What would I look for in the tcpdump? Whether or not the browser takes more than 10 seconds to complete the http request, as per your configuration:  timeout http-request 10s This is the timeout you are hitting. Also read this [1]. Share your tcpdump capture if it doesn't contain anythin

RE: http responses randomly getting RSTs

2014-02-18 Thread Lukas Tribus
Hi, >> Whether or not the browser takes more than 10 seconds to complete >> the http request, as per your configuration: >> timeout http-request 10s >> > it's not even close to 10 seconds.. it happens as soon as I press f5 - > randomly. Well, I was assuming this is the issue, since it was the on

RE: http responses randomly getting RSTs

2014-02-19 Thread Lukas Tribus
Hi, > I have attached a dump, from the client side of the problem. > As you can see it starts to send the reply, and then suddenly resets. When looking at "tcp.stream eq 0": We RST in the middle of a HTTP response, without any apparent reason. When looking at "tcp.stream eq 1": 270 ms after the

RE: http responses randomly getting RSTs

2014-02-19 Thread Lukas Tribus
Hi, > the odd thing is, if I point the url to the varnish right behind the > haproxy - the issue goes away completely. > > The dump I send you, was from over the internet (a few countries apart) > - so that's probably why the MSS is the size it is :) > > I'll grab a dump on haproxy server tomorro

RE: http responses randomly getting RSTs

2014-02-20 Thread Lukas Tribus
Hi, >> Can you tell us more about this server? What OS is running? Any firewalls >> (software or hardware)? Any other "security" product in between? >> The server is announcing 1380 Byte MSS to me here as well, so this was >> not something on your client side, but this is server side and thats no

RE: http responses randomly getting RSTs

2014-02-20 Thread Lukas Tribus
Hi, > 11:04:59.057223 accept(7, {sa_family=AF_INET, sin_port=htons(59491), > sin_addr=inet_addr("10.46.10.145")}, [16]) = 1 > 11:04:59.057310 fcntl(1, F_SETFL, O_RDONLY|O_NONBLOCK) = 0 > 11:04:59.057342 setsockopt(1, SOL_TCP, TCP_NODELAY, [1], 4) = 0 > 11:04:59.057370 accept(7, 0x7fff50f0b480, [

RE: http responses randomly getting RSTs

2014-02-20 Thread Lukas Tribus
Hi, > I tried with same config (just removing the bind ssl lines and option > http-keep-alive) with haproxy haproxy-1.4.24-2.el6.x86_64 That's interesting. One last thing to try: can you remove the "timeout http-request" completely from the configuration and retry? Regards, Lukas

RE: http responses randomly getting RSTs

2014-02-20 Thread Lukas Tribus
Hi, >> One last thing to try: can you remove the "timeout http-request" >> completely from the configuration and retry? >> > done. still got 408. > > I tried removing it on both 1.4 and 1.5dev22 Try removing "timeout client" as well (never ever do this in production). You will see a startup warn

RE: http responses randomly getting RSTs

2014-02-20 Thread Lukas Tribus
Hi, > I suggest you try this on a different box, not virtualized or on a different > hypervisor as well. I still think what you are experiencing is time jump > related. Compile the test program from this bugreport: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=186393 and let it run for a few

RE: IE, half-open connections, and 408 responses

2014-02-22 Thread Lukas Tribus
Hi Andy, > Also, I'm not sure if this makes a difference, but the two times > I was able to reproduce this today (yes, two times... the first > time, Wireshark crashed *sigh*), the connections/requests were > HTTP over SSL. For the record: are you using HAproxy SSL functionality or do you use som

RE: IE, half-open connections, and 408 responses

2014-02-22 Thread Lukas Tribus
Hi, >> There wasn't a request made prior to it sending that 408, so >> something seems a bit fishy there, too. I could be completely missing >> something, though. > > It's *exactly* the purpose of 408 : indicate to the client that we're > fed up with waiting for it to send a request (hence the "re

RE: option prefer-last-server too sticky?

2014-02-25 Thread Lukas Tribus
Hi, > We have experimented a bit with the latest haproxies and keep-alive. We > rely on haproxy to set good maxconn values for our servers so they can > operate at full speed without becoming overloaded. > > When using multiple servers in a backend, "prefer-last-server" is > required to get

RE: http responses randomly getting RSTs

2014-02-25 Thread Lukas Tribus
Hi, > I just noticed I had missed a "timeout client".. When disabling that - I > can't seem to reproduce the 408 issue. Ok. > I applied both patches, and can still reproduce the error (when timeout > client is set), but the log no longer logs cR (since I enabled httplog). I'm not sure if the

RE: 1.5-dev22 crash with kernel messages, 1.4.18 is fine

2014-02-27 Thread Lukas Tribus
Hi, > Just upgraded a production node from 1.4.18 to 1.5-dev22. > Ran fine for a couple of minutes then crashed with the following kernel > messages: > > WARNING: at mm/page_alloc.c:2107 __alloc_pages_nodemask+0x1fd/0x790() > Hardware name: X9SRE/X9SRE-3F/X9SRi/X9SRi-3F > Pid: 23190, comm: haprox

Re: 1.5-dev22 crash with kernel messages, 1.4.18 is fine

2014-02-27 Thread Lukas Tribus
Hi, > I agree that it does indeed look like a kernel issue (in the intel eth > driver?), however 1.5 is doing something new that triggers this. > > Any idea of a significant 1.4 -> 1.5 change that can affect what is > happening in the kernel? There are *a lot* of changes between those two major

RE: Haproxy

2014-02-27 Thread Lukas Tribus
Hi. > Hello, I have installed haproxy 1.4.23 on CentOS 6.3. And I can see > the haproxy stats through the web, but I don't know the meaning of 'Resp' (in the > following picture). What does it mean? It's the "eresp" column in the csv output and means "response errors" on the server side. It also includes "sr

RE: Issue with PUT/POST request size over SSL

2014-03-02 Thread Lukas Tribus
Hi Jordan, > I'm running into an issue with one of our API endpoints that takes in a > fairly large amount of data over a PUT (or sometimes POST) request body. > This would cause the server to timeout, and after some investigation it > looked like the request was being mangled. We switched from S

RE: Issue with PUT/POST request size over SSL

2014-03-02 Thread Lukas Tribus
Hi, > Is this [1] the correct archive to use? Yes. > By mangled, I mean, the full request wasn't making it to my server, > only partial data, which caused it to fail. Ok. Upgrade to current code, if it still fails, enable logging (httplog), we should be able to see something. Regards, Lu

RE: Support IP_FREEBIND

2014-03-03 Thread Lukas Tribus
Hi, > On 03.03.2014 14:45, Sander Klein wrote: >> Hi, >> >> would it be possible to support IP_FREEBIND with HAProxy-1.5 on linux? >> >> I'm asking because nonlocal_bind only works for IPv4 and it seems >> linux upstream does not want to support nonlocal_bind for IPv6. >> >> A thread about this c

[PATCH] MINOR: set IP_FREEBIND on IPv6 sockets in transparent mode

2014-03-03 Thread Lukas Tribus
Let's set IP_FREEBIND on IPv6 sockets as well, this works since Linux 3.3 and doesn't require CAP_NET_ADMIN privileges (IPV6_TRANSPARENT does). This allows unprivileged users to bind to non-local IPv6 addresses, which can be useful when setting up the listening sockets or when connecting to backend

RE: ENOTCONN from recv() on illumos

2014-03-03 Thread Lukas Tribus
Hi Joshua, > Hi folks, > > I was testing haproxy-1.5-dev22 on SmartOS (an illumos-based system) > and ran into a problem. There's a small window after non-blocking > connect() is called, but before the TCP connection is established, > where recv() may return ENOTCONN. On Linux, the behaviour here
