Re: haproxy does not recover from L7STS/404

2012-11-15 Thread Marco Corte
On 12/11/2012 17:59, Marco Corte wrote: Hi all again. I was able to reproduce the behaviour on a normal server, so it is unrelated to the virtualization. Sorry for the long description. Normal situation: servers A1-A4 in status NOLB - L7OKC/404 servers A5-A8 in status UP - L7OK/200

Re: how to monitor haproxy, key metrics etc.

2013-03-07 Thread Marco Corte
On 07/03/2013 21:27, S Ahmed wrote: How and what tools do you suggest I use to monitor my haproxy service? How can I tell if haproxy is becoming a bottleneck? (say I mis-configured it etc.) Look at the logs and at the statistics. Search the official documentation for the stats

Re: Haproxy multiple backend addresses ports

2013-04-12 Thread Marco Corte
On 13/04/2013 01:01, Vicky Perdana: Hi, I am a newbie to haproxy and was wondering if someone can confirm that the following config is valid? Effectively I would like to load balance two servers on multiple ports. snippet Listen mybackendLB bind

Re: UP 2/3 status

2013-09-28 Thread Marco Corte
28/09/2013 03:37, Mark Ruys wrote: I'm using a Nagios plugin to monitor the HAProxy status. Now and then, HAProxy reports UP 2/3 as a backend status in the statistics. I wonder, what does 2/3 mean? Foreword: I have never used Nagios. You wrote backend status, but... could it be server status?

Re: code.google.com haproxy-docs

2013-11-14 Thread Marco Corte
On 15/11/2013 00:28, Chris Burroughs wrote: A variety of nicely formatted mirrors of the docs used to be at: https://code.google.com/p/haproxy-docs But all such urls are now returning 403. I'm not sure if they are official or not, but does anyone know what happened to them? I use

Re: TCP balancing with http check?

2014-06-07 Thread Marco Corte
On 07/06/2014 03:25, Jakov Sosic wrote: Hi, is it possible to set up TCP balancing, but to check backend servers with http checks? Hi, Yes it is possible. Look in the documentation for option httpchk: ... This option does not necessarily require an HTTP backend, it also works with

Typo in stats interface

2014-06-25 Thread Marco Corte
Hi There is a very small typo in the statistics interface: a set in lowercase where all others are uppercase Set I am sorry, but I do not know how to properly document the change I made... hope that it helps. .marcoc diff --git a/src/dumpstats.c b/src/dumpstats.c index 5365042..c8bac08

Stats uri with '?' and 'Scope:'

2014-07-31 Thread Marco Corte
Hi, all! If I use for the HTTP statistics page a uri like the one in the examples stats uri /haproxy?stats the 'Scope:' filter in the page does not work properly. If I insert, say, 'XXX' in the 'Scope:' box, the resulting URI in the browser is actually /haproxy?scope=XXX where the

Re: Recommended SSL ciphers and settings

2014-09-08 Thread Marco Corte
On 07/09/2014 22:01, pablo platt wrote: I have one user that see a warning in Chrome and can't use my website. Well... one should know which warning, otherwise it is quite difficult to fix it (if it has to be fixed at all). Could this article be helpful?

Re: file upload to HAproxy

2014-12-29 Thread Marco Corte
On 29/12/2014 08:32, 이승엽 wrote: I installed Haproxy and 2 WAS. and then I uploaded file to server. but upload speed was very slow. but download speed was working. I opened port about FTP and PASSIVE FTP but same problem(file upload was very slow). Hi! I would check the Linux TCP

Higher 'peer' traffic with 1.5.12

2015-05-11 Thread Marco Corte
Hi. I am running haproxy on 2 ubuntu 12.04 LTS boxes with some IP managed by keepalived. One week ago I updated many packages including haproxy that is now version 1.5.12. Since then, the peer traffic between the nodes increased a lot. If both nodes are active, each one owning some IPs,

Re: Higher 'peer' traffic with 1.5.12

2015-05-19 Thread Marco Corte
On 19/05/2015 05:21, Willy Tarreau wrote: Hi Marco, I think the easiest thing to start with is to run netstat -atn on the backup node to verify if the peers connection is always between the same two ports or if it changes, indicating a reconnection. Hi, Willy I did not find yet the

Re: Higher 'peer' traffic with 1.5.12

2015-05-18 Thread Marco Corte
On 16/05/2015 11:35, Willy Tarreau wrote: Hi Marco, On Mon, May 11, 2015 at 02:32:47PM +0200, Marco Corte wrote: Hi. I am running haproxy on 2 ubuntu 12.04 LTS boxes with some IP managed by keepalived. One week ago I updated many packages including haproxy that is now version 1.5.12

How to profile stats web page users

2015-04-09 Thread Marco Corte
Hi all. I currently give access to the stats page using a simple profiling by groups . amministratori that have admin access to everything . readonly that have no admin access to everything All users see the full set of listen, frontend and backend sections. userlist stats-auth

Re: Higher 'peer' traffic with 1.5.12

2015-05-20 Thread Marco Corte
Hi, Willy On 20/05/2015 00:27, Willy Tarreau wrote: Hi Marco, On Tue, May 19, 2015 at 08:20:05AM +0200, Willy Tarreau wrote: The farthest apart the peers are, the most likely it is to happen. And this is the case: the nodes are in two different datacenters. From 10.64.38.2: $ ping

Re: [ANNOUNCE] haproxy-1.5.13

2015-07-03 Thread Marco Corte
On 26/06/2015 15:57, Willy Tarreau wrote: Another one is an issue that was reported in 1.5.12 with peers trying to immediately reconnect upon error and eating a lot of CPU. Both peers in that cluster are running 1.5.13 and I do not see the behaviour any more. Thank you! .marcoc

Re: Server IP resolution using DNS in HAProxy

2015-07-15 Thread Marco Corte
On 14/07/2015 22:11, Baptiste wrote: - when parsing the configuration, HAProxy uses libc functions and resolvers provided by the operating system = if the server can't be resolved at this step, then HAProxy can't start [...] First, we want to fix the error when HAProxy fails starting up

Re: HAproxy version 1.5 on centos 6.5

2015-10-22 Thread Marco Corte
Hi! It is a dependency required by the package, not by haproxy. In the past I did never find an "almost current" version of haproxy packaged for the RedHat/CentOS 6 world. I hope that someone has better news for you... .marcoc

Re: Trouble starting haproxy on Debian8 (systemd)

2015-11-16 Thread Marco Corte
Hi! Does haproxy start manually? Is it only a systemd issue? On 16/11/2015 16:51, SL wrote: systemctl status haproxy.service systemctl status haproxy.service -l .marcoc

Re: Potential Bug

2015-11-02 Thread Marco Corte
Hi, Michael! The low Qualys rating is the problem, correct? [root@(redacted) ~]# haproxy --version HA-Proxy version 1.5.4 2014/09/02 Copyright 2000-2014 Willy Tarreau I would use a newer version. 1.5.15 has been released. In the above configuration, the key component here is

Re: HAProxy clustering

2016-12-16 Thread Marco Corte
Hi! I use keepalived for IP management. I use Ansible on another host to deploy the configuration on the haproxy nodes. This setup gives me better control on the configuration: it is split in several files on the Ansible host, but assembled to a single config file on the nodes. This gives

Re: configuration problem with "backup" backends

2016-12-09 Thread Marco Corte
I can only answer shortly. Sorry For the checks I would configure another backend section that only does the checks and is not used by any frontend. Then I would use the "track" keyword in your current backend. Sorry again for the answer. .marcoc On 09 Dec 2016 11:39 AM, "Michele Mazzucco"

External resources: [...] updates (v1.5)

2016-12-01 Thread Marco Corte
Hi everyone! After a lot of time I noticed a strange string in the stats web interface for v1.6 and v1.7 (demo.haproxy.org). The HTML External resources: http://www.haproxy.org/;>Primary site http://www.haproxy.org/#down;>Updates (v1.5) http://www.haproxy.org/#docs;>Online manual What

Re: HAProxy clustering

2016-12-18 Thread Marco Corte
On 16/12/2016 20:54, Guillaume Bourque wrote: Hello Marco, I would be very interested on how you build your haproxy config, you must have per server settings and then a global config ? On the Ansible Control Machine the configuration is split in several files named either ".common" or in

Re: Considering HAProxy to Bump TLS 1.1 Traffic to TLS 1.2

2017-03-17 Thread Marco Corte
Hello, Ryan! I also propose a different approach... just in case. I had the same problem with some further constraints. The Java client runs on Windows and an haproxy instance running on another server was very difficult to setup complying to all the security policies. In this case it was

Re: pre-connect header problem

2017-03-06 Thread Marco Corte
On 06/03/2017 14:45, Simon E. Silva Lauinger wrote: bind *:443 name *:443 ssl crt /path/to/cert.pem mode tcp Did you also try with mode http on the frontend? .marcoc

Set cookie and header

2017-07-14 Thread Marco Corte
Hello, list! In http mode I am using cookie based persistence with something like cookie rs insert indirect nocache httponly maxidle 1h How can I instruct haproxy to add a header to the response together when it performs this set cookie? Thank you in advance .marcoc

Persistence cookie "secure" on frontend

2017-07-26 Thread Marco Corte
Hi all. A frontend listens both for HTTP and for HTTPS. It should set the "Secure" attribute to the cookies over the encrypted channel and not on the others. Here are the relevant lines of the configuration frontend XXX-FE bind 10.64.44.160:80 name HTTP bind 10.64.44.160:443 name HTTPS

Re: Persistence cookie "secure" on frontend

2017-08-09 Thread Marco Corte
Hello, list! I was not clear in the previous post. I am sorry. A frontend listens both for HTTP and for HTTPS. It should set the "Secure" attribute to the cookies over the encrypted channel and not on the others. frontend XXX-FE bind 10.64.44.160:80 bind 10.64.44.160:443 ssl crt

Re: Set-Cookie Secure

2017-09-18 Thread Marco Corte
Hello, list! now I need to change every response to clients to add "secure" attribute for all client encrypted connections. I applied following rules, but _no secure attribute is added to the response_: Is it possible that this is in some way related to the issue that I noticed some weeks

Denying client certificates

2017-10-06 Thread Marco Corte
Hello, list. In HAproxy 1.7.9 a frontend authenticates clients via SSL certificate ... bind 1.1.1.1: ssl crt /etc/ssl/private/XXX.pem force-tlsv12 ca-file /etc/ssl/YYY.pem verify required ... Is there a way to deny the access to some certificates without using a certificate

Re: Denying client certificates

2017-10-09 Thread Marco Corte
Hello! acl revoked_cert ssl_c_sha1 -m bin FC481501DB98290C5E9B22530D2CA73EB36E76C5 matches the bad certificate. Thank you _a lot_, Lukas, for the example and for the link to the proper documentation section! To summarize, to block the client I declare acl revoked_cert ssl_c_sha1 -m

Re: High throughput SFTP server load balancing with HAProxy

2018-01-06 Thread Marco Corte
Hello! All traffic will flow through haproxy which will act as a TCP layer4 switch. To avoid bottlenecks, the haproxy node NICs need to provide at least as much bandwidth as the sum of the expected traffic on each SFTP server. .marcoc

Re: Poll: haproxy 1.4 support ?

2018-01-03 Thread Marco Corte
Hello. My vote to drop support for version 1.4 .marcoc

Re: Quick question on HA Proxy cluster management

2018-01-04 Thread Marco Corte
We use ansible without any GUI. On the managed nodes just ssh access is needed, no agent. This lets us manage 16 haproxy 2-node-clusters (32 nodes in total) running on two different linux flavors; some of the clusters have a similar configuration, some others are completely different. In our

Re: Is it possible to configure a failover backend?

2018-01-30 Thread Marco Corte
Hi I would try Jarno's method with the "frontend" rules: simple, effective, great. Similar results may be achieved with the "backup"s inside each "backend" section. Because of the "use_backend" map and a ton of other reasons, this approach should not fit your case, but... who knows?

Re: Http HealthCheck Issue

2018-12-17 Thread Marco Corte
On 2018-12-17 15:52 UPPALAPATI, PRAVEEN wrote: option httpchk get /nexus/v1/repository/rawcentral/com.att.swm.attpublic/healthcheck.txt HTTP/1.1\r\nAuthorization:\ Basic\ Is maybe the lowercase get method not understood? Did you try with GET? .marcoc

Strange "content-length" with http-use-htx

2019-03-27 Thread Marco Corte
Good morning! Christopher helped me fixing the http-use-htx issue "BUG/MEDIUM: proto_htx: Fix data size update if end of the cookie is removed". I am testing haproxy 1.9.5 with the same site real server, with the same configuration: browser <--- HTTP/2 ---> haproxy <--- HTTP ---> real

Re: Strange "content-length" with http-use-htx

2019-03-27 Thread Marco Corte
On 2019-03-27 16:28 Christopher Faulet wrote: Your server seems to reject empty POST request when there is no content-length header. Christopher, I will test the fix as soon as it will be released in a 1.9.x. Thank you a lot again for the troubleshooting. .marcoc you have no idea of

http-use-htx and IIS

2019-02-07 Thread Marco Corte
Hello! I am testing haproxy version 1.9.4 on Ubuntu 18.04. With the "option http-use-htx", haproxy shows a strange behaviour when the real server is IIS and if the users' browsers try to do a POST. A configuration similar to the following lets the GETs work properly, but the POST fails

Re: http-use-htx and IIS

2019-02-07 Thread Marco Corte
On 2019-02-07 17:50 Marco Corte wrote: A configuration similar to the following lets the GETs work properly, but the POST fails after the server timeout (session state "SD" in haproxy logs): Sorry. I was wrong. It is a capital "S" S : the TCP session was

Re: http-use-htx and IIS

2019-02-08 Thread Marco Corte
On 2019-02-07 17:50 Marco Corte wrote: Hello! I am testing haproxy version 1.9.4 on Ubuntu 18.04. With the "option http-use-htx", haproxy shows a strange behaviour when the real server is IIS and if the users' browsers try to do a POST. I activated two frontend/backend pair o

Re: Require info on ACL for rate limiting on per URL basis.

2019-02-08 Thread Marco Corte
On 2019-02-08 14:46 Badari Prasad wrote: Can I get some reference for a url based rate limiting, so that I can build on this Hi! I found these two posts very valuable https://www.haproxy.com/blog/introduction-to-haproxy-stick-tables/

Re: Require info on ACL for rate limiting on per URL basis.

2019-02-11 Thread Marco Corte
On 2019-02-11 6:36 Badari Prasad wrote: Hi Marco Thank you for the response. I came up with my own haproxy cfg, where I would want to rate limit based on event name and client id in url. URL ex : /api/v1// Have attached a file for my haproxy cfg. But it does not seem to be rate

Re: HTTP connection is reset after each request

2019-01-30 Thread Marco Corte
Hi, list! If I do not use HTTP/2 in the frontend, the connection to the real server is kept open. I did not find anything about this in the documentation or in the change logs. Can you please point me to the explanation of this behaviour? Thank you. .marcoc

Re: HTTP connection is reset after each request

2019-01-30 Thread Marco Corte
On 2019-01-30 11:40 Luke Seelenbinder wrote: Are you on 1.9.x? 1.8.x does not support reuse of backend connections when using an h2 frontend. 1.9.x does support this and it works quite nicely. Yes! I am on version 1.8.17. Thank you for the explanation! .marcoc

HTTP connection is reset after each request

2019-01-29 Thread Marco Corte
Hi, all HAProxy 1.8.17 on Ubuntu 18.04. The relevant configuration is trivial: frontend mode http option httplog bind 1.2.3.4:443 name HTTPS ssl crt /etc/ssl/private/full.pem ssl-min-ver TLSv1.2 alpn h2,http/1.1 timeout client 1m use_backend onboard backend onboard mode http

Haproxy 1.9.8 - 100% CPU

2019-06-11 Thread Marco Corte
Hello! It did not happen for weeks, but today I found again haproxy using a full CPU core. Haproxy v1.9.8 on Ubuntu 18.04. Actually there was a misalignment in a "peer" stick table configuration between the two peers, but I do not know if this can cause the behaviour. If anyone is

Randomly high CPU usage

2019-04-18 Thread Marco Corte
Hello! From time to time, about twice daily, and without any apparent reason, haproxy jumps from using about 15% CPU usage to 100% (relative to the single core it can use). The situation becomes normal again after about 15-20 minutes. During one of these events, I was able to capture (see

Re: Randomly high CPU usage

2019-05-06 Thread Marco Corte
On 2019-04-18 18:33 Willy Tarreau wrote: Hello Marco, On Thu, Apr 18, 2019 at 05:27:26PM +0200, Marco Corte wrote: Hello! From time to time, about twice daily, and without any apparent reason, haproxy jumps from using about 15% CPU usage to 100% (relative to the single core it can use

Re: one health check instead of muli check when using master-worker model

2019-04-22 Thread Marco Corte
Hi! > But may I use only one health check process ,and all the process share > the result > of the health check, then there are only one check every 3 sec, how to > archive this? I would try the "track" option: backend tester bind-process 1 server one1 ... check server two2 ... check backend

Haproxy 2.0.4 - HTTP/2 on stats page prevents actions

2019-08-14 Thread Marco Corte
Hi. Environment: - Ubuntu 18.04 - Haproxy 2.0.4 from vbernat repository I found a strange behaviour of the statistics page when alpn h2,http/1.1 is in the "bind" line of the statistics like: frontend stats-http mode http option httplog bind 10.64.69.192:443 alpn h2,http/1.1 ssl crt

DNS resolution every second - v2.0.10

2019-11-26 Thread Marco Corte
Hello! I see a strange behaviour of the DNS resolution on version 2.0.9 and 2.0.10, but I do not know since when this happens. On Ubuntu 18.04, I set up haproxy to use the local DNS service provided by systemd. Actually I see that haproxy tries to resolve the names every second. The

Re: DNS resolution every second - v2.0.10

2019-11-27 Thread Marco Corte
Hi! > If it bothers you (I don't really see why), you can increase the "inter" > value on your servers to check them less often and as such refresh their > address less often. You can configure "hold valid " to configure internal caching (it should be 10 seconds by default though): I post

Re: Problem with crl certificate

2020-04-18 Thread Marco Corte
Hi! On 17/04/20 18:43, Davide Guarneri wrote: crt /etc/haproxy/ssl/cert.pem ca-file /etc/haproxy/ssl/ca-chain.cert.pem verify required crl-file /etc/haproxy/ssl/intermediate.crl.pem I would verify how the certificates and the keys are placed in the files. /etc/haproxy/ssl/cert.pem must

Re: HAProxy : Starting frontend srv_java: cannot bind socket [192.168.0.19:26000]

2020-09-17 Thread Marco Corte
On 16/09/20 18:08, Axel DUMAS wrote: At the boot, HAProxy says "Starting frontend srv_java: cannot bind socket [192.168.0.19:26000]". > ... In addition, when I just use the command "sudo service haproxy restart", HAProxy works very well. Hi, Axel! I would try the following. Create a

Re: Rate Limit per IP with queueing (delay)

2020-06-07 Thread Marco Corte
Hi, Stefano! I am not able to answer your question directly, because of my limited haproxy knowledge. Generally speaking, I prefer to return code 429 when a client makes too many requests, instead of queuing them. This page helped me a lot to understand haproxy capabilities

OCSP with dynamic SSL storage

2021-11-05 Thread Marco Corte
Hi all. I have a bind section that contains ... ssl crt ZZZ.pem ... where ZZZ.pem is actually a full path. If I upload a new certificate/key to ZZZ.pem and a corresponding OCSP response to ZZZ.pem.ocsp and do a # systemctl reload haproxy.service then the certificate and the OCSP

Re: OCSP with dynamic SSL storage

2021-11-05 Thread Marco Corte
On 2021-11-05 13:11 Marco Corte wrote: Hi all. I have a bind section that contains ... ssl crt ZZZ.pem ... where ZZZ.pem is actually a full path. If I upload a new certificate/key to ZZZ.pem and a corresponding OCSP response to ZZZ.pem.ocsp and do a # systemctl reload

OT: https://www.haproxy.org/ has some broken links

2021-12-10 Thread Marco Corte
Hi. Sorry for the OT If I browse https://www.haproxy.org/, the links to haproxy.com do not work. Clicking on the banners on the left ("Looking for support?", "Looking for Easy?",...) I land on a 404 not found. http://www.haproxy.org/external?link=1 -> works

Re: [ANNOUNCE] haproxy-2.4.12

2022-01-11 Thread Marco Corte
Hi! Less than 24 hours between the issue opening and the fix? :-O Great job. Really. .marcoc

Re: Always add "reason"

2022-03-16 Thread Marco Corte
On 2022-03-11 18:00 Willy Tarreau wrote: Hi Marco, On Thu, Mar 03, 2022 at 12:26:09PM +0100, Marco Corte wrote: Hi! I can add a "reason phrase" to a response based on the HTTP status like this: http-response set-status 200 reason OK if { status eq 200 } Is there any

Always add "reason"

2022-03-03 Thread Marco Corte
Hi! I can add a "reason phrase" to a response based on the HTTP status like this: http-response set-status 200 reason OK if { status eq 200 } Is there any way to add the reason phrase for a set of codes without an explicit rule for each code? I would like to write a set of rules like this