Il 12/11/2012 17:59, Marco Corte ha scritto:
Hi all again.
I was able to reproduce the behaviour on a normal server, so it is
unrelated to the virtualization.
Sorry for the long description.
Normal situation:
servers A1-A4 in status NOLB - L7OKC/404
servers A5-A8 in status UP - L7OK/200
Il 07/03/2013 21:27, S Ahmed ha scritto:
How and what tools do you suggest I use to monitor my haproxy service?
How can I tell if haproxy is becoming a bottleneck? (say I
mis-configured it etc.)
Look at the logs and at the statistics.
Search the official documentation for the stats
Il 13/04/2013 01:01, Vicky Perdana:
Hi,
I am a newbie to haproxy and was wondering if someone can confirm that the
following config is valid? Effectively I would like to load balanced two
servers on multiple ports.
snippet
Listen mybackendLB
bind
28/09/2013 03:37, Mark Ruys wrote:
I'm using a Nagios plugin to monitor the HAProxy status. Now and then,
HAProxy reports UP 2/3 as a backend status in the statistics. I
wonder, what does 2/3 mean?
Foreword: I have never used Nagios.
You wrote backed status, but... could it be server status?
Il 15/11/2013 00:28, Chris Burroughs ha scritto:
A variety of nicely formatted mirrors of the docs used to be at:
https://code.google.com/p/haproxy-docs
But all such urls are now returng 403. I'm not sure if they are
official or not, but does anyone know what happened to them?
I use
Il 07/06/2014 03:25, Jakov Sosic ha scritto:
Hi,
is it possible to set up TCP balancing, but to check backend servers
with http checks?
Hi,
Yes it is possible.
Look in the documentation for option httpchk:
...
This option does not necessarily require an HTTP backend, it also works with
Hi
There is a very small typo in the statistics interface: a set in
lowercase where allothers are uppercase Set
I am sorry, but I do not know how to properly document the change I
made... hope that is helps.
.marcoc
diff --git a/src/dumpstats.c b/src/dumpstats.c
index 5365042..c8bac08
Hi, all!
If I use for the HTTP statistics page a uri like the one in the examples
stats uri /haproxy?stats
the 'Scope:' filter in the page does not work properly.
If I insert, say, 'XXX' in the 'Scope:' box, the resulting URI in the
browser is actually
/haproxy?scope=XXX
where the
Il 07/09/2014 22:01, pablo platt ha scritto:
I have one user that see a warning in Chrome and can't use my website.
Well... one should know which warning, otherwise it is quite difficult
to fix it (if it has to be fixed at all).
Could this article be helpful?
Il 29/12/2014 08:32, 이승엽 ha scritto:
I installed Haproxy and 2 WAS. and then I uploaded file to server.
but upload speed was very slow. but download speed was working.
I opened port about FTP and PASSIVE FTP but same problme(file upload was
very slow).
Hi!
I would check the Linux TCP
Hi.
I am running haproxy on 2 ubuntu 12.04 LTS boxes with some IP managed
by keepalived.
One week ago I updated many packages including haproxy that is now
version 1.5.12.
Since then, the peer traffic between the nodes increased a lot.
If both nodes are active, each one owning some IPs,
Il 19/05/2015 05:21, Willy Tarreau ha scritto:
Hi Marco,
I think the easiest thing to start with is to run netstat -atn on the
backup node to verify if the peers connection is always between the same
two ports or if it changes, indicating a reconnection.
Hi, Willy
I did not find yet the
Il 16/05/2015 11:35, Willy Tarreau ha scritto:
Hi Marco,
On Mon, May 11, 2015 at 02:32:47PM +0200, Marco Corte wrote:
Hi.
I am running haproxy on 2 ubuntu 12.04 LTS boxes with some IP managed
by keepalived.
One week ago I updated many packages including haproxy that is now
version 1.5.12
Hi all.
I currently give access to the stats page using a simple profiling by groups
. amministratori that have admin access to everything
. readonly that have no admin acces to everything
All users see the full set of listen, frontend and backend sections.
userlist stats-auth
Hi, Willy
Il 20/05/2015 00:27, Willy Tarreau ha scritto:
Hi Marco,
On Tue, May 19, 2015 at 08:20:05AM +0200, Willy Tarreau wrote:
The farthest apart the peers are, the most likely it
is to happen.
And this is the case: the nodes are in two different datacenters.
From 10.64.38.2:
$ ping
Il 26/06/2015 15:57, Willy Tarreau ha scritto:
Another one is an issue that was reported in 1.5.12
with peers trying to immediately reconnect upon error and eating a lot
of CPU.
Both peers in that cluster are running 1.5.13 and I do not see the
behaviour any more.
Thank you!
.marcoc
Il 14/07/2015 22:11, Baptiste ha scritto:
- when parsing the configuration, HAProxy uses libc functions and
resolvers provided by the operating system = if the server can't be
resolved at this step, then HAProxy can't start
[...]
First, we want to fix the error when HAProxy fails starting up
Hi!
It is a dependency required by the package, not by haproxy.
In the past I did never find a "almost current" version of haproxy
packaged for the RedHat/CentOS 6 world.
I hope that someone has better news for you...
.marcoc
Hi!
Does haproxy start manually? Is it only a systemd issue?
Il 16/11/2015 16:51, SL ha scritto:
systemctl status haproxy.service
systemctl status haproxy.service -l
.marcoc
Hi, Michael!
The low Qualys rating is the problem, correct?
[root@(redacted) ~]# haproxy --version
HA-Proxy version 1.5.4 2014/09/02
Copyright 2000-2014 Willy Tarreau
I would use a newer version. 1.5.15 has been released.
In the above configuration, the key component here is
Hi!
I use keepalived for IP management.
I use Ansible on another host to deploy the configuration on the haproxy
nodes.
This setup gives me better control on the configuration: it is split in
several files on the Ansible host, but assembled to a single config file
on the nodes.
This gives
I can only answer shortly. Sorry
For the checks I would configure another backend section that only does the
checks and is not used by any frontend.
Then I would use the "track" keyword in you current backend.
Sorry again for the answer.
.marcoc
Il 09 dic 2016 11:39 AM, "Michele Mazzucco"
Hi everyone!
After a lot of time I noticed a strange string in the stats web
interface for v1.6 and v1.7 (demo.haproxy.org).
The HTML
External
resources:
http://www.haproxy.org/;>Primary site
http://www.haproxy.org/#down;>Updates (v1.5)
http://www.haproxy.org/#docs;>Online manual
What
Il 16/12/2016 20:54, Guillaume Bourque ha scritto:
Hello Marco,
I would be very interest on how you build your harpy config, you must
have per server settings and then a global config ?
On the Ansible Control Machine the configuration is split in several
files named either ".common" or in
Hello, Ryan!
I also propose a different approach... just in case.
I had the same problem with some further constraints.
The Java client runs on Windows and an haproxy instance running on
another server was very difficult to setup complying to all the security
policies.
In this case it was
On 06/03/2017 14:45, Simon E. Silva Lauinger wrote:
bind *:443 name *:443 ssl crt /path/to/cert.pem
mode tcp
Did you also try with
mode http
on the frontend?
.marcoc
Hello, list!
In http mode I am using cookie based persistence with something like
cookie rs insert indirect nocache httponly maxidle 1h
How can I instruct haproxy to add an header to the response together
when it performs this set cookie?
Thank you in advance
.marcoc
Hi all.
A frontend listen both for HTTP and for HTTPS.
It should set the "Secure" attribute to the cookies over the encypted
channel and not on the others.
Here are the relevant lines of the configuration
frontend XXX-FE
bind 10.64.44.160:80 name HTTP
bind 10.64.44.160:443 name HTTPS
Hello, list!
I was not clear in the previous post. I am sorry.
A frontend listen both for HTTP and for HTTPS.
It should set the "Secure" attribute to the cookies over the encrypted
channel and not on the others.
frontend XXX-FE
bind 10.64.44.160:80
bind 10.64.44.160:443 ssl crt
Hello, list!
now I need to change every response to clients to add "secure" attribute
for all client encrypted connections.
I applied following rules, but _no secure attribute is added to the
response_:
Is it possible that this is in some way related to the issue that I
noticed some weeks
Hello, list.
In HAproxy 1.7.9 a frontend authenticates clients via SSL certificate
...
bind 1.1.1.1: ssl crt /etc/ssl/private/XXX.pem force-tlsv12
ca-file /etc/ssl/YYY.pem verify required
...
Is there a way to deny the access to some certificates without using a
certificate
Hello!
acl revoked_cert ssl_c_sha1 -m bin
FC481501DB98290C5E9B22530D2CA73EB36E76C5
matches the bad certificate.
Thank you _a lot_, Lukas, for the example and for the link to the porper
documentation section!
To summarize, to block the client I declare
acl revoked_cert ssl_c_sha1 -m
Hello!
All traffic will flow through haproxy which will act as a TCP layer4
switch.
To avoid bottlenecks, the haproxy node NICs need to provide at least as
much bandwidth as the sum of the expected traffic on each SFTP server.
.marcoc
Hello.
My vote to drop support for version 1.4
.marcoc
We use ansible without any GUI.
On the managed nodes just ssh access is needed, no agent.
This let us manage 16 haproxy 2-node-clusters (32 nodes in total)
running on two diferent linux flavors; some of the clusters have a
similar configuration, some others are completely different.
In our
Hi
I would try Jarno's method with the "frontend" rules: simple, effective,
great.
Similar results may achieved with the "backup"s inside each "backend"
section.
Because of the "use_backend" map and a ton of other reasons, this
approach should not fit your case, but... who knows?
Il 2018-12-17 15:52 UPPALAPATI, PRAVEEN ha scritto:
option httpchk get
/nexus/v1/repository/rawcentral/com.att.swm.attpublic/healthcheck.txt
HTTP/1.1\r\nAuthorization:\ Basic\
Is maybe the lowercase get method not understood?
Did you try with GET?
.marcoc
Good morning!
Christopher helped me fixing the http-use-htx issue "BUG/MEDIUM:
proto_htx: Fix data size update if end of the cookie is removed".
I am testing haproxy 1.9.5 with the same site real server, with the same
configuration:
browser <--- HTTP/2 ---> haproxy <--- HTTP ---> real
Il 2019-03-27 16:28 Christopher Faulet ha scritto:
Your server seems to reject empty POST request when there is no
content-length header.
Christopher,
I will test the fix as soon as it will be released in a 1.9.x.
Thank you a lot again for the troubleshooting.
.marcoc
you have no idea of
Hello!
I am testing haproxy version 1.9.4 on Ubuntu 18.04.
With the "option http-use-htx", haproxy shows a strange behaviour when
the real server is IIS and if the users' browsers try to do a POST.
A configuration similar to the following lets the GETs work properly,
but the POST fails
Il 2019-02-07 17:50 Marco Corte ha scritto:
A configuration similar to the following lets the GETs work properly,
but the POST fails after the server timeout (session state "SD" in
haproxy logs):
Sorry. I was wrong.
It is a capital "S"
S : the TCP session was
Il 2019-02-07 17:50 Marco Corte ha scritto:
Hello!
I am testing haproxy version 1.9.4 on Ubuntu 18.04.
With the "option http-use-htx", haproxy shows a strange behaviour when
the real server is IIS and if the users' browsers try to do a POST.
I activated two frontend/backend pair o
Il 2019-02-08 14:46 Badari Prasad ha scritto:
Can I get some reference for a url based rate limiting, so that I can
build on this
Hi!
I found there two posts very valuable
https://www.haproxy.com/blog/introduction-to-haproxy-stick-tables/
Il 2019-02-11 6:36 Badari Prasad ha scritto:
Hi Marco
Thank you for the response. I came up with my own haproxy cfg,
where i would want to rate limit based on event name and client id in
url.
URL ex : /api/v1//
Have attached a file for my haproxy cfg. But it does not seems to be
rate
Hi, list!
If do not use HTTP/2 in the frontend, the connection to the real server
is kept open.
I did not find anything about this in the documentation or in the change
logs.
Can you please point me to the explanation of this behaviour?
Thank you.
.marcoc
Il 2019-01-30 11:40 Luke Seelenbinder ha scritto:
Are you on 1.9.x? 1.8.x does not support reuse of backend connections
when using an h2 frontend. 1.9.x does support this and it works quite
nicely.
Yes! I am on version 1.8.17.
Thank you for the explanation!
.marcoc
Hi, all
HAProxy 1.8.17 on Ubuntu 18.04.
The relevant configuration is trivial:
frontend
mode http
option httplog
bind 1.2.3.4:443 name HTTPS ssl crt /etc/ssl/private/full.pem
ssl-min-ver TLSv1.2 alpn h2,http/1.1
timeout client 1m
use_backend onboard
backend onboard
mode http
Hello!
It did not happen for weeks, but today I found again haproxy using a
full CPU core.
Haproxy v1.9.8 on Ubuntu 18.04.
Actually there was a misalignment in a "peer" stick table configuration
between the two peers, but I do not know if this can cause the
behaviour.
If anyone is
Hello!
From time to time, about twice daily, and without any apparent reason,
haproxy jumps from using about 15% CPU usage to 100% (relative to the
single core it can use).
The situation becomes normal again after about 15-20 minutes.
During one of these events, I was able to capture (see
Il 2019-04-18 18:33 Willy Tarreau ha scritto:
Hello Marco,
On Thu, Apr 18, 2019 at 05:27:26PM +0200, Marco Corte wrote:
Hello!
From time to time, about twice daily, and without any apparent reason,
haproxy jumps from using about 15% CPU usage to 100% (relative to the
single
core it can use
Hi!
> But may I use only one health check process ,and all the process share
> the result
> of the health check, then there are only one check every 3 sec, how to
> archive this?
I would try the "track" option:
backend tester
bind-process 1
server one1 ... check
server two2 ... check
backend
Hi.
Environment:
- Ubuntu 18.04
- Haproxy 2.0.4 from vbernat repository
I found a strange behaviour of the statistics page if when
alpn h2,http/1.1
is in the "bind" line of the statistics like:
frontend stats-http
mode http
option httplog
bind 10.64.69.192:443 alpn h2,http/1.1 ssl crt
Hello!
I see a strange behaviour of the DNS resolution on version 2.0.9 and
2.0.10, but I do not know since when this happens.
On Ubuntu 18.04, I set up haproxy to use the local DNS service provided
by systemd.
Actually I see that haproxy tries to resolve the names every second.
The
Hi!
> If it bothers you (I don't really see why), you can increase the "inter"
> value on your servers to check them less often and as such refresh their
> address less often.
You can configure "hold valid " to configure internal caching
(it should be 10 seconds by default though):
I post
Hi!
Il 17/04/20 18:43, Davide Guarneri ha scritto:
crt /etc/haproxy/ssl/cert.pem ca-file /etc/haproxy/ssl/ca-chain.cert.pem
verify required crl-file /etc/haproxy/ssl/intermediate.crl.pem
I would verify how the certificates and the keys are placed in the files.
/etc/haproxy/ssl/cert.pem must
Il 16/09/20 18:08, Axel DUMAS ha scritto:
At the boot, HAProxy say "Starting frontend srv_java: cannot bind socket
[192.168.0.19:26000]".
> ...
In addition, when I just use the command "sudo service haproxy restart",
HAProxy works very well.
Hi, Axel!
I would try the following.
Create a
Hi, Stefano!
I am not able to answer your question directly, because of my limited
haproxy knowledge.
Generally speaking, I prefer to return code 429 when a client makes too
many requests, instead of queuing them.
This page helped me a lot to understand haproxy capabilities
Hi all.
I have a bind section that contains
... ssl crt ZZZ.pem ...
where ZZZ.pem is actually a full path.
If I upload a new certificate/key to ZZZ.pem and a corresponding OCSP
response to ZZZ.pem.ocsp and do a
# systemctl reload haproxy.service
then the certificate and the OCSP
Il 2021-11-05 13:11 Marco Corte ha scritto:
Hi all.
I have a bind section that contains
... ssl crt ZZZ.pem ...
where ZZZ.pem is actually a full path.
If I upload a new certificate/key to ZZZ.pem and a corresponding OCSP
response to ZZZ.pem.ocsp and do a
# systemctl reload
Hi.
Sorry for the OT
If I browse https://www.haproxy.org/, the links to haproxy.com do not
work.
Clicking on the banners on the left ("Looking for support?", "Looking
for Easy?",...) I land on a 404 not found.
http://www.haproxy.org/external?link=1 -> works
Hi!
Less than 24 hours between the issue opening and the fix? :-O
Great job. Really.
.marcoc
Il 2022-03-11 18:00 Willy Tarreau ha scritto:
Hi Marco,
On Thu, Mar 03, 2022 at 12:26:09PM +0100, Marco Corte wrote:
Hi!
I can add a "reason phrase" to a response based on the HTTP status
like
this:
http-response set-status 200 reason OK if { status eq 200 }
Is there any
Hi!
I can add a "reason phrase" to a response based on the HTTP status like
this:
http-response set-status 200 reason OK if { status eq 200 }
Is there any way to add the reason phrase for a set of codes without an
explicit rule for each code?
I would like to write a set of rules like this
63 matches
Mail list logo