tcp-check setup
Hi,

I installed HA-Proxy version 1.5-dev22-1a34d57 2014/02/03 in my lab. I would like HAProxy to check the IMAP response (banner) in order to increase HA. The IMAP server banner is:

    * OK ProxyIMAP ready to serve you, master

In order to run a negative test I inserted a wrong string (blabla), but when I run telnet 0 50777 I still get the IMAP banner "* OK ProxyIMAP ready to serve you, master". I expect to get some kind of error, like server is not available. What did I configure wrong? 10x in advance!

    listen imap4_proxy 0.0.0.0:50777
        #bind :50143 name PLAIN
        #bind :50443 name SSL
        #bind :50993 name TLS
        balance roundrobin
        mode tcp
        tcp-check connect port 50143
        option tcp-check
        tcp-check expect string blabla
        log global
        maxconn 2
        #server casfarm casimap.site2
        server cas1 10.106.26.44:50143
        server cas2 10.106.138.132:50143

Thanks
Amir Yosef

This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: secur...@comverse.com. Thank You.
HAProxy - DNS
Hi,

Does HAProxy 1.5 support an option of name resolution via DNS? Does it support getting a list of IPs from DNS and proxying + balancing + testing (health check) that list for the period of the TTL?

Thanks
Amir Yosef
RE: HAProxy - DNS
Thanks a lot for the quick prompt. I would very much appreciate it if you could elaborate (high level is fine) on this feature's option/s.

Thanks
Amir Yosef

From: Baptiste [mailto:bed...@gmail.com]
Sent: Sunday, November 16, 2014 9:32 PM
To: Yosef Amir
Cc: Cohen Galit; HAProxy; Meltser Tiran
Subject: Re: HAProxy - DNS

On 16 Nov 2014 20:25, Yosef Amir amir.yo...@comverse.com wrote:
> Hi,
> Does HAProxy 1.5 support an option of name resolution via DNS? Does it support getting a list of IPs from DNS and proxying + balancing + testing (health check) that list for the period of the TTL?
> Thanks
> Amir Yosef

Hi,

Server name resolution is under development in 1.6 branch.

Baptiste
RE: HAProxy - DNS
Thanks a lot for your clear answer.

Thanks
Amir Yosef

-----Original Message-----
From: Baptiste [mailto:bed...@gmail.com]
Sent: Monday, November 17, 2014 10:44 AM
To: Yosef Amir
Cc: Cohen Galit; HAProxy; Meltser Tiran
Subject: Re: HAProxy - DNS

On Sun, Nov 16, 2014 at 8:50 PM, Yosef Amir amir.yo...@comverse.com wrote:
> Thanks a lot for the quick prompt. I would very much appreciate it if you could elaborate (high level is fine) on this feature's option/s.

DNS resolution will be per server. So if your DNS server answers multiple IPs, then HAProxy will use only one. If you have many servers in the farm, then you must dedicate one name resolution per server.

For now, we won't follow TTLs, name resolution will be triggered by health checks after a period configured by the admin.

We can't do a DNS resolution, pick up all IPs and create a farm based on this. Simply because HAProxy does not allow adding servers on the fly for now.

Configuration will look like this:

    # a dedicated resolvers section
    resolvers myfooresolvers
        resolver l 127.0.0.1:53
        resolve_retries 3
        timeout retry 1s
        hold valid 5s

    []

    backend be
        default-server inter 2s
        # servers needing DNS resolution points to the appropriate resolvers section
        server s1 s1.domain.com:80 resolvers myfooresolvers check
        server s2 s2.domain.com:80 resolvers myfooresolvers check

With the example above, DNS response will be considered for 5s (hold valid period). Since health checks will be run every 2s, then next DNS resolution will happen after 6s.

No plans for now to follow TTLs, but this won't be very complicated to add this option later, something like 'hold valid follow-ttl'.

CNAMEs will be followed if delivered by the server.

If s1.domain.com returns 2 IPs, then current IP is searched in the list. If found, then nothing happens. If not found, the first IP of the list will be used for this server.

Baptiste
RE: HAProxy - DNS
We have in our system a DNS which has its own logic for health check and balancing for preconfigured farms. So, our system DNS could respond with a different IP to different queries for the same name, e.g. s1.domain.com. Could it be a problem for HAProxy?

Thanks
Amir Yosef
RE: HAProxy - DNS
Let's say that the DNS is configured with s1.domain.com, which has 5 IPs: 10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4 10.0.0.5

The DNS responds to the first DNS query with 10.0.0.1, to the second with 10.0.0.2 and so on... (roundrobin). That means that for each health check (DNS query) HAProxy will get a different IP. Probably for TCP mode (stateless sessions) it is fine, but I guess it will not be a proper configuration for HTTP (stateful sessions), right?

Thanks
Amir Yosef

-----Original Message-----
From: Baptiste [mailto:bed...@gmail.com]
Sent: Monday, November 17, 2014 12:10 PM
To: Yosef Amir
Cc: Cohen Galit; HAProxy; Meltser Tiran
Subject: Re: HAProxy - DNS

On Mon, Nov 17, 2014 at 10:40 AM, Yosef Amir amir.yo...@comverse.com wrote:
> We have in our system a DNS which has its own logic for health check and balancing for preconfigured farms. So, our system DNS could respond with a different IP to different queries for the same name, e.g. s1.domain.com. Could it be a problem for HAProxy?

Hi Yosef,

This won't be a problem. Imagine, s1 has currently 10.0.0.1 assigned and your DNS resolves s1.domain.com to both 10.0.0.1 and 10.0.0.11 in a roundrobin fashion. As long as HAProxy can find current server's IP in the list returned by the DNS server, nothing will happen.

Now, if your DNS server updates its list to 20.0.0.1 and 20.0.0.11, then HAProxy won't find 10.0.0.1 anymore, so an IP update will be triggered and the first IP of the list will be used.

Baptiste
RE: HAProxy - DNS
You are right, that's the way our DNS works. I probably wasn't clear enough. I will describe a scenario.

Let's say we have an HTTP client which opened a session to HAProxy, and HAProxy is bound to the 10.0.0.1 backend server (HAProxy will get 10.0.0.1 from the DNS upon health check and not upon client request, as far as I understand). Session timeout is 7 minutes. After 1 minute the same HTTP client sends a second request.

Now I have a few questions:

1. Will HAProxy keep the 10.0.0.1 session (since the session timeout, 7 minutes, has not expired) for the second request from the HTTP client?
2. How does HAProxy test / health check the IPs of existing sessions when configured to work with DNS?
3. I guess that a new session will get the IP from the latest DNS response by health check, e.g. 10.0.0.4, right?

Hope my questions are clear now.

Thanks
Amir Yosef

-----Original Message-----
From: Baptiste [mailto:bed...@gmail.com]
Sent: Monday, November 17, 2014 2:12 PM
To: Yosef Amir
Cc: Cohen Galit; HAProxy; Meltser Tiran
Subject: Re: HAProxy - DNS

On Mon, Nov 17, 2014 at 11:37 AM, Yosef Amir amir.yo...@comverse.com wrote:
> Let's say that the DNS is configured with s1.domain.com, which has 5 IPs: 10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4 10.0.0.5
> The DNS responds to the first DNS query with 10.0.0.1, to the second with 10.0.0.2 and so on... (roundrobin). That means that for each health check (DNS query) HAProxy will get a different IP. Probably for TCP mode (stateless sessions) it is fine, but I guess it will not be a proper configuration for HTTP (stateful sessions), right?

Actually, your DNS server will answer with all the IPs, but in different orders, i.e.:

    response 1: 10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4 10.0.0.5
    response 2: 10.0.0.2 10.0.0.3 10.0.0.4 10.0.0.5 10.0.0.1
    response 3: 10.0.0.3 10.0.0.4 10.0.0.5 10.0.0.1 10.0.0.2

and so on.

The IP of the server won't change as long as its current IP belongs to the list. If you think your DNS server has a different behavior, please let me know which one you're using and how it is configured, so I can give it a try.

Baptiste
RE: HAProxy - DNS
Thanks!

Thanks
Amir Yosef

-----Original Message-----
From: Baptiste [mailto:bed...@gmail.com]
Sent: Monday, November 17, 2014 6:06 PM
To: Yosef Amir
Cc: Cohen Galit; HAProxy; Meltser Tiran
Subject: Re: HAProxy - DNS

Let me answer inline.

On Mon, Nov 17, 2014 at 2:48 PM, Yosef Amir amir.yo...@comverse.com wrote:
> Will HAProxy keep the 10.0.0.1 session (since the session timeout, 7 minutes, has not expired) for the second request from the HTTP client?

An incoming connection won't trigger a name resolution. The name resolution is simply used to update a server's IP address upon time without restarting HAProxy.

> How does HAProxy test / health check the IPs of existing sessions when configured to work with DNS?

I've already explained this twice. I might be not clear enough. Let me rephrase:
- server's health check triggers name resolution (after a 'valid' period timeout has expired)
- if the IP address currently affected to the server is found in the DNS response, then no changes; otherwise, HAProxy will apply the first IP address returned by the DNS server

> I guess that a new session will get the IP from the latest DNS response by health check, e.g. 10.0.0.4, right?

No, if the DNS server changes its response, it means the server has changed its IP address. Existing sessions will time out while new ones will be established to the new IP. It doesn't affect persistence at all.

Baptiste
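The resolution behaviour Baptiste describes in this thread (a lookup triggered by the first health check after the 'hold valid' period has expired, the current IP kept while it is still in the answer, otherwise the first record taken) can be modelled in a few lines. This is an added example, not code from the thread or from HAProxy; the function names, the constructed DNS schedule and the handling of an empty answer are assumptions.

```python
from collections import namedtuple

# One row per health check: time, whether a lookup ran, the answer, resulting IP.
Event = namedtuple("Event", "t resolved answer ip")


def next_ip(current_ip, dns_answer):
    """Selection rule from the thread: keep the current IP if the answer
    still lists it, otherwise take the first record of the answer."""
    if not dns_answer:
        return current_ip        # assumption: an empty answer changes nothing
    if current_ip in dns_answer:
        return current_ip
    return dns_answer[0]


def round_robin_dns(schedule):
    """Constructed stand-in for a DNS server that returns every record of the
    active set, rotated by one position on each query.
    schedule: list of (start_time, [ips]) sorted by start_time."""
    queries = 0

    def answer(t):
        nonlocal queries
        records = []
        for start, ips in schedule:
            if t >= start:
                records = ips
        k = queries % len(records) if records else 0
        queries += 1
        return records[k:] + records[:k]

    return answer


def simulate(answer, inter=2, hold_valid=5, duration=20, initial_ip=None):
    """Run health checks every `inter` seconds. A check triggers a lookup only
    when the previous answer is at least `hold_valid` seconds old."""
    ip, last_lookup, events = initial_ip, None, []
    for t in range(0, duration + 1, inter):
        resolve = last_lookup is None or t - last_lookup >= hold_valid
        records = None
        if resolve:
            records = answer(t)
            ip = next_ip(ip, records)
            last_lookup = t
        events.append(Event(t, resolve, records, ip))
    return events


def demo():
    """The thread's scenario: five rotating 10.0.0.x records, then (from t=10,
    a constructed time) the set is replaced by 20.0.0.1 and 20.0.0.11."""
    dns = round_robin_dns([
        (0, ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5"]),
        (10, ["20.0.0.1", "20.0.0.11"]),
    ])
    return simulate(dns, inter=2, hold_valid=5, duration=20)


if __name__ == "__main__":
    for e in demo():
        first = e.answer[0] if e.answer else "-"
        print(f"t={e.t:>2}s lookup={str(e.resolved):<5} first_record={first:<10} server_ip={e.ip}")
```

With `inter 2s` and `hold valid 5s` the lookups land on the checks at 0, 6, 12 and 18 seconds, and the server keeps its old address until the first lookup after the record set has changed.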
RE: HAProxy - DNS
Hi Baptiste,

First, I would like to thank you for your great support!

Now, I have a few questions related to HAProxy 1.5.8 IMAP SSL health-check mechanism and configuration.

For plain IMAP configuration (no SSL) the health-check for the backend servers, with the logic of active/non-active server according to the banner response, seems to work just fine. I would like to know if I can get the same IMAP health-check result/support for IMAP backend servers that support SSL.

1. I would like to understand if the following is supported by the HAProxy 1.5.8 health-check mechanism:
   a. HAProxy to open an SSL connection to the IMAP server (e.g. on port 443).
   b. HAProxy to perform SSL negotiation and accept any certificate that the backend server sends.
   c. After SSL negotiation HAProxy to check the IMAP banner (probably need to decrypt the server response).
   d. HAProxy to compare the banner response to the predefined string (as works for the plain text health check on port 143).
2. Does the HAProxy source/kit contain OpenSSL binaries? Can HAProxy work with/link to the existing OpenSSL on my Linux unit? How can I control it? Can I configure HAProxy with the OpenSSL path that exists on my unit?

Appreciate your support.

Thanks
Amir Yosef
Health-check with banner for IMAP over SSL
Hi HAProxy team,

I have a few questions related to HAProxy 1.5.8 IMAP SSL health-check mechanism and configuration.

For plain IMAP configuration (no SSL) the health-check for the backend servers, with the logic of active/non-active server according to the banner response, seems to work just fine. I would like to know if I can get the same IMAP health-check result/support for IMAP backend servers that support SSL.

1. I would like to understand if the following is supported by the HAProxy 1.5.8 health-check mechanism:
   a. HAProxy to open an SSL connection to the IMAP server (e.g. on port 443).
   b. HAProxy to perform SSL negotiation and accept any certificate that the backend server sends.
   c. After SSL negotiation HAProxy to check the IMAP banner (probably need to decrypt the server response).
   d. HAProxy to compare the banner response to the predefined string (as works for the plain text health check on port 143).

Does the HAProxy source/kit contain OpenSSL binaries? Can HAProxy work with/link to the existing OpenSSL on my Linux unit? How can I control it? Can I configure HAProxy with the OpenSSL path that exists on my unit?

Thanks
Amir Yosef
RE: Health-check with banner for IMAP over SSL
Hi HAProxy team,

I have a few questions related to HAProxy 1.5.8 IMAP SSL health-check mechanism and configuration.

For plain IMAP configuration (no SSL) the health-check for the backend servers, with the logic of active/non-active server according to the banner response, seems to work just fine. I would like to know if I can get the same IMAP health-check result/support for IMAP backend servers that support SSL.

1. I would like to understand if the following is supported by the HAProxy 1.5.8 health-check mechanism:
   a. HAProxy to open an SSL connection to the IMAP server (e.g. on port 443).
   b. HAProxy to perform SSL negotiation and accept any certificate that the backend server sends.
   c. After SSL negotiation HAProxy to check the IMAP banner (probably need to decrypt the server response).
   d. HAProxy to compare the banner response to the predefined string (as works for the plain text health check on port 143).

Does the HAProxy source/kit contain OpenSSL binaries? Can HAProxy work with/link to the existing OpenSSL on my Linux unit? How can I control it? Can I configure HAProxy with the OpenSSL path that exists on my unit?

Thanks
Amir Yosef
HProxy - HTTPS for Stats
Hi,

I would like to configure stats in the haproxy.config file. For HTTP it is working great. How can I configure the HAProxy stats to use HTTPS? Is it supported?

My current lab configuration for stats is:

    listen stats :8050
        mode http
        stats admin if TRUE # LOCALHOST
        stats show-legends
        stats uri /admin?stats #default is /haproxy?stats
        stats refresh 5s
        stats realm HAProxy\ Statistics #the \ sign stands for space

    userlist stats-auth
        group readonly users haproxy
        user haproxy insecure-password haproxy

Thanks
Amir Yosef
RE: HProxy - HTTPS for Stats
Thanks. I will check it.

Thanks
Amir Yosef

-----Original Message-----
From: Baptiste [mailto:bed...@gmail.com]
Sent: Monday, December 29, 2014 12:59 PM
To: Yosef Amir
Cc: haproxy@formilux.org; Cohen Galit
Subject: Re: HProxy - HTTPS for Stats

Hi Yosef,

You can simply bind the port using SSL and point to your certificate:

    listen stats
        bind :8050 ssl crt /path/to/crt
        [...]

Baptiste
RE: HProxy - HTTPS for Stats
I would like HAProxy to use the OpenSSL already installed on my Linux. I don't want to bring the SSL libs with HAProxy.

Assuming I compiled HAProxy using USE_OPENSSL=1:
1. Does it mean HAProxy will link to the local OpenSSL on my Linux?
2. Will the stats configuration with SSL (as you sent in the previous mail) work? (listen stats bind :8050 ssl crt /path/to/crt)

-----Original Message-----
From: Baptiste [mailto:bed...@gmail.com]
Sent: Monday, December 29, 2014 4:02 PM
To: Yosef Amir; HAProxy
Subject: Re: HProxy - HTTPS for Stats

Hi Yosef,

Please keep the ML in Cc.

You first need to compile HAProxy to support SSL. Use the USE_OPENSSL compilation directive.

Baptiste

On Mon, Dec 29, 2014 at 2:25 PM, Yosef Amir amir.yo...@comverse.com wrote:
> Hi,
> I get the following error:
>
> # haproxy -f /etc/haproxy/haproxy.cfg
> [ALERT] 362/160119 (16836) : parsing [/etc/haproxy/haproxy.cfg:49] : 'bind :8050' unknown keyword 'ssl'. Registered keywords :
>     [ TCP] defer-accept
>     [ TCP] interface arg
>     [ TCP] mss arg
>     [ TCP] v4v6
>     [ TCP] v6only
>     [ TCP] transparent (not supported)
>     [STAT] level arg
>     [UNIX] gid arg
>     [UNIX] group arg
>     [UNIX] mode arg
>     [UNIX] uid arg
>     [UNIX] user arg
>     [ ALL] accept-proxy
>     [ ALL] backlog arg
>     [ ALL] id arg
>     [ ALL] maxconn arg
>     [ ALL] name arg
>     [ ALL] nice arg
>     [ ALL] process arg
> [ALERT] 362/160119 (16836) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
> [ALERT] 362/160119 (16836) : Fatal errors found in configuration.
>
> Thanks
> Amir Yosef
RE: HProxy - HTTPS for Stats
I successfully compiled HAProxy 1.5.9 on my Red Hat Enterprise Linux Server release 5.1 (Tikanga). I successfully initialized HAProxy, including stats over HTTPS.

Thanks a lot

From: David Coulson [mailto:da...@davidcoulson.net]
Sent: Monday, December 29, 2014 7:06 PM
To: Yosef Amir
Cc: Baptiste; HAProxy; Cohen Galit
Subject: Re: HProxy - HTTPS for Stats

What platform are you running, and what version of haproxy are you using? There are probably precompiled binaries for 1.5 which is needed for ssl.
RE: tcp-check for IMAP SSL ?
Right, I found an older response from Baptiste.

...So, first, you must compile HAProxy with OpenSSL support (install first openssl libraries from your operating system). Then the configuration of IMAP health check can be scripted through the tcp-check feature:

    option tcp-check
    tcp-check connect port 143
    tcp-check expect string *\ OK
    tcp-check connect port 993 ssl
    tcp-check expect string *\ OK
...

I will try that first, thanks.

Thanks
Amir Yosef

From: Rainer Duffner [mailto:rai...@ultra-secure.de]
Sent: Thursday, January 01, 2015 4:18 PM
To: PiBa-NL
Cc: Yosef Amir; HAProxy
Subject: Re: tcp-check for IMAP SSL ?

On 01.01.2015 at 14:37, PiBa-NL piba.nl@gmail.com wrote:

Yosef Amir wrote on 1-1-2015 at 13:57:

listen IMAP_SSL
    mode tcp
    bind :443 name VVM_SSL
    balance roundrobin
    tcp-check connect port 443

Maybe try the 'ssl' keyword as below. (I have not tested it at all..)

    tcp-check connect port 443 ssl
    option tcp-check
    tcp-check expect string ?
    server MIPS3 3.3.3.3 check
    server MIPS4 4.4.4.4 check

Hi,

Port 143 will actually be inline-TLS (STARTTLS). SSL is on port 993. The above answer should be correct, according to this: http://comments.gmane.org/gmane.comp.web.haproxy/19274

But only for SSL. Don't know about inline-TLS.

Rainer
RE: tcp-check for IMAP SSL ?
My question is whether HAProxy tcp-check can check the SSL and the check expect string, and only if both are working consider the server as healthy for service. I mean, can HAProxy perform an SSL check (and accept any certificate) and, after the SSL handshake, use check expect string?

Example - check expect string *\ OK\ IMAP4\ server\ ready\ (Multi\ Media\ IP\ Store)

Thanks
Amir Yosef

From: PiBa-NL [mailto:piba.nl@gmail.com]
Sent: Thursday, January 01, 2015 3:37 PM
To: Yosef Amir; HAProxy
Subject: Re: tcp-check for IMAP SSL ?

Yosef Amir wrote on 1-1-2015 at 13:57:

Hi,

I have servers that listen for plain IMAP on port 143 and servers that listen for IMAP SSL on port 443. I have successfully tested HAProxy for tcp-check proxying to IMAP servers listening on port 143. I don't know how to configure the option tcp-check on HAProxy proxying to IMAP servers working over SSL only. Any idea?

listen IMAP_PLAIN
    mode tcp
    bind :143 name VVM_PLAIN
    balance roundrobin
    tcp-check connect port 143
    option tcp-check
    tcp-check expect string *\ OK\ IMAP4\ server\ ready\ (Multi\ Media\ IP\ Store)
    server MIPS1 1.1.1.1 check
    server MIPS2 2.2.2.2 check

listen IMAP_SSL
    mode tcp
    bind :443 name VVM_SSL
    balance roundrobin
    tcp-check connect port 443

Maybe try the 'ssl' keyword as below. (I have not tested it at all..)

    tcp-check connect port 443 ssl
    option tcp-check
    tcp-check expect string ?
    server MIPS3 3.3.3.3 check
    server MIPS4 4.4.4.4 check

Thanks
Amir Yosef
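The check asked about in this thread (connect, optionally complete a TLS handshake that accepts any certificate, then match the banner against the expect string), as an added Python example that is not taken from any of the messages or from HAProxy's code. It runs the same steps from a client so an expect string can be tried before it goes into haproxy.cfg; unescape_cfg, banner_check and the loopback stand-in server are hypothetical names, and the banner is constructed from the expect string quoted above.

```python
import socket
import ssl
import threading

def unescape_cfg(word):
    # Turn a haproxy.cfg word such as '*\ OK' into the bytes to look for.
    # Simplification: only backslash-space, backslash-# and double backslash.
    out, i = [], 0
    while i < len(word):
        if word[i] == "\\" and i + 1 < len(word) and word[i + 1] in " #\\":
            i += 1
        out.append(word[i])
        i += 1
    return "".join(out).encode()

def banner_check(host, port, expect_cfg, use_ssl=False, timeout=3.0):
    # True only if connect, optional handshake and banner match all succeed.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        if use_ssl:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False       # must be off before CERT_NONE
            ctx.verify_mode = ssl.CERT_NONE  # liveness only, identity unchecked
            sock = ctx.wrap_socket(sock, server_hostname=host)
        with sock:
            banner = sock.recv(4096)
    except OSError:                          # refused, timeout, TLS failure
        return False
    return unescape_cfg(expect_cfg) in banner

def start_fake_imap(banner, connections):
    # Constructed stand-in for an IMAP server: sends a banner, then closes.
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        for _ in range(connections):
            conn, _addr = srv.accept()
            with conn:
                conn.sendall(banner)
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def demo():
    banner = b"* OK IMAP4 server ready (Multi Media IP Store)\r\n"  # constructed
    port = start_fake_imap(banner, connections=2)
    good = banner_check("127.0.0.1", port, r"*\ OK\ IMAP4\ server\ ready")
    bad = banner_check("127.0.0.1", port, "blabla")
    return good, bad
```

Against a real server, banner_check(host, 993, r"*\ OK", use_ssl=True) exercises the TLS path; a failed handshake and a non-matching banner both come back as False, which is the "both must work" result the question describes.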
tcp-check for IMAP SSL ?
Hi,

I have servers that listen for plain IMAP on port 143 and servers that listen for IMAP SSL on port 443. I have successfully tested HAProxy for tcp-check proxying to IMAP servers listening on port 143. I don't know how to configure the option tcp-check on HAProxy proxying to IMAP servers working over SSL only. Any idea?

listen IMAP_PLAIN
    mode tcp
    bind :143 name VVM_PLAIN
    balance roundrobin
    tcp-check connect port 143
    option tcp-check
    tcp-check expect string *\ OK\ IMAP4\ server\ ready\ (Multi\ Media\ IP\ Store)
    server MIPS1 1.1.1.1 check
    server MIPS2 2.2.2.2 check

listen IMAP_SSL
    mode tcp
    bind :443 name VVM_SSL
    balance roundrobin
    tcp-check connect port 443
    option tcp-check
    tcp-check expect string ?
    server MIPS3 3.3.3.3 check
    server MIPS4 4.4.4.4 check

Thanks
Amir Yosef
Recall: Logging to file when HAProxy failed to start
Yosef Amir would like to recall the message, Logging to file when HAProxy failed to start.
Logging to file when HAProxy failed to start
Hi,

Currently, when HAProxy fails to initialize (e.g. invalid haproxy.cfg options), it writes the error to the screen. Is there an option for HAProxy to write to a log file when it fails to initialize?

Thanks
Amir Yosef
Logging to file when HAProxy failed to start
Hi,

Currently, when HAProxy fails to initialize (e.g. invalid haproxy.cfg options), it writes the error to the screen. Is there an option for HAProxy to write to a log file when it fails to initialize?

Example:

[root@proxy-au2 ~]# haproxy -f /usr/cti/conf/haproxy/haproxy.cfg
[ALERT] 040/172141 (12460) : Starting proxy HAProxy_DirectDeposit: cannot bind socket [0.0.0.0:50025]

In this example: HAProxy alert - cannot bind socket. How can I get this kind of alert, which stops HAProxy from starting, written to a log file?

Thanks
Amir Yosef