Re: strange issues with IE 6

2010-08-06 Thread eni-urgence

Hello

Finally, I have installed nginx as SSL termination instead of stunnel 
and I have no more problems with IE6 and Safari.


Thanks for all.


Cyril Bonté wrote:

Hi,

On Wednesday 4 August 2010 17:24:26, eni-urgence wrote:
  

Hello.

I have removed the friendly error message from IE and it displays a
blank page.
I have not mentioned that I have stunnel in front of haproxy for SSL
termination. I have made some tests and captured packets, and I think that
it's stunnel that doesn't work.
I will make more tests.



Can you verify that SSL v3 is enabled in IE6, still in the advanced tab, where 
Hervé proposed that you disable the friendly HTTP error messages?


--
Cyril Bonté


  





Re: strange issues with IE 6

2010-08-04 Thread eni-urgence

Hello.

   I have removed the friendly error message from IE and it displays a 
blank page.
I have not mentioned that I have stunnel in front of haproxy for SSL 
termination. I have made some tests and captured packets, and I think that 
it's stunnel that doesn't work.

I will make more tests.

Cheers



Hervé COMMOWICK wrote:

Hello,

You can't have an HTTP 200 in all your logs and an HTTP 404 in your web
browser, or IE6 really became a bunch of crap.
You can disable IE crap about friendly 404 error pages with this:

1. Go to Tools Menu in the Internet Explorer and click the Internet
Options.

2. You will be displayed with the Internet Options dialog box. Click
the Advanced tab.

3. Uncheck the Show friendly HTTP error messages check box and then
click the OK button at the end.

Regards,

Hervé.


On Wed, 04 Aug 2010 15:58:48 +0200
eni-urgence eni-urge...@scan-eco.com wrote:

  

Hello all.


I have a strange issue with IE6 (I know it's quite old but our 
customer doesn't want to upgrade for now). A page that works through
the proxy with the latest releases of web browsers (IE8, Firefox, Safari...)
doesn't want to work with IE6. The HTTP request goes to the proxy and
it's forwarded to the Apache server, but the browser displays a 404
error (Page not found).

you can find the haproxy trace
Aug  4 15:54:16 web0103 haproxy[19109]: 127.0.0.1:35663 
[04/Aug/2010:15:54:16.535] public-http-applicatif-prod 
webfarm-http-applicatif-prod-Avignon/web0103-applicatif-10084 
0/0/0/85/86 200 5046 - - --NI 0/0/0/0/0 0/0 {192.168.1.8|} {|Apache} 
GET /scanweb/custom/demo/index.php HTTP/1.1




and the apache trace

secure.scan-prod.com 192.168.1.8 192.168.1.8 192.168.100.41 - - 
[04/Aug/2010:15:54:16 +0200] GET /scanweb/custom/demo/index.php 
HTTP/1.1 200 4547 - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 
5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR
3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET
CLR 3.5.30729)

I have seen in the haproxy doc that the return code 200 says all is OK.
The information --NI says that no cookie has been set. I don't
understand why.


Has anyone seen it before?

Thanks for your help

NICOLE Emerik
Newbie french user of haproxy.
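
Added example, not part of the original thread: a parser for the haproxy HTTP log format shown in the message above, decoding the five timers and the four-character termination state (such as `--NI`) with the letter meanings from the haproxy 1.4 documentation. The sample is the posted line rejoined onto one line; the function and table names are illustrative.

```python
import re

# Constructed input: the haproxy line posted above, rejoined onto one line
# (the archive wrapped it and dropped the quotes around the request).
SAMPLE = ('Aug  4 15:54:16 web0103 haproxy[19109]: 127.0.0.1:35663 '
          '[04/Aug/2010:15:54:16.535] public-http-applicatif-prod '
          'webfarm-http-applicatif-prod-Avignon/web0103-applicatif-10084 '
          '0/0/0/85/86 200 5046 - - --NI 0/0/0/0/0 0/0 {192.168.1.8|} '
          '{|Apache} GET /scanweb/custom/demo/index.php HTTP/1.1')

# Fields of "option httplog" up to the termination state.
LINE = re.compile(
    r'haproxy\[\d+\]: (?P<client>\S+) \[(?P<date>[^\]]+)\] (?P<frontend>\S+) '
    r'(?P<backend>[^/\s]+)/(?P<server>\S+) (?P<timers>[-+\d]+(?:/[-+\d]+){4}) '
    r'(?P<status>-?\d+) (?P<bytes>\+?\d+) \S+ \S+ (?P<term>\S{4}) ')

# Termination-state letters as documented for haproxy 1.4 (wording is ours).
CAUSE = {'C': 'client abort', 'S': 'server abort/refusal', 'P': 'ended by proxy',
         'R': 'resource exhausted', 'I': 'internal error',
         'c': 'client timeout', 's': 'server timeout', '-': 'normal'}
PHASE = {'R': 'waiting for request', 'Q': 'in queue', 'C': 'connecting',
         'H': 'waiting for response headers', 'D': 'data transfer',
         'L': 'sending last data', 'T': 'tarpitted', '-': 'normal'}
REQ_COOKIE = {'N': 'client sent no cookie', 'I': 'client sent invalid cookie',
              'D': 'cookie pointed to a down server',
              'V': 'client sent valid cookie', '-': 'not applicable'}
RES_COOKIE = {'N': 'none from server, none inserted',
              'I': 'none from server, inserted by haproxy',
              'P': 'server cookie passed as-is',
              'R': 'server cookie rewritten by haproxy',
              'D': 'server cookie deleted by haproxy', '-': 'not applicable'}

def decode(line):
    """Return status, timers (ms) and decoded termination flags of one line."""
    m = LINE.search(line)
    if m is None:
        raise ValueError('not an haproxy HTTP-format log line')
    names = ('Tq', 'Tw', 'Tc', 'Tr', 'Tt')   # -1 means the phase was not reached
    timers = dict(zip(names, (int(t) for t in m['timers'].split('/'))))
    cause, phase, req, res = m['term']
    return {'server': m['server'], 'status': int(m['status']),
            'timers_ms': timers,
            'session': (CAUSE.get(cause, 'unknown'), PHASE.get(phase, 'unknown')),
            'request_cookie': REQ_COOKIE.get(req, 'unknown'),
            'response_cookie': RES_COOKIE.get(res, 'unknown')}

if __name__ == '__main__':
    for key, value in decode(SAMPLE).items():
        print(f'{key}: {value}')
```

The timers show where a request spent its time as seen by haproxy itself (Tr is the server response time, Tt the total), which is the log-side measurement to compare against a client-side timer.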









  





Some Questions

2010-07-13 Thread eni-urgence

Hello everybody.


   1) I want to use the errorfile directive in the configuration in 
order to display a custom HTML page (on proxy disk). Is it possible to 
include an image file in those pages? And if not, if I use an HTML page 
stored on a webserver, can I include images and CSS?


   2) I want to make an advanced redirection too. I want something like 
this: 
   if the URL begins with www and the last URI dir is in a file, 
then haproxy redirects to https://secure.mydomain1.tld/customer1/
   I'm using mass virtualhost on my Apache backend and for each domain 
name, the subdirectories are the same.

Examples:
request on http://www.domain1.com/customer1/ redirects to 
https://secure.domain1.com/customer1/
 http://www.domain2.com/customer1/ redirects to 
https://secure.domain2.com/customer1/
 http://www.domain2.com/customer2/ doesn't redirect 
because customer2 is not in the file.


At this time, I have made this in the config file :
   acl is_www hdr_beg -i www
   acl is_customer path_dir -f /var/chroot/haproxy/acl/customer.lst
 

but I have a problem with the redirect directive because part of the 
"to" option is given in the requested URL: subdirectories and domain name.
Is it possible to extract only the domain name (without server name), 
store it in a variable and reuse it in the redirect directive? Extract 
domain1.tld from http://www.domain1.tld/customer1/
Is it possible to extract the last dir from the URI? Extract customer1 
from http://www.domain1.tld/customer1/


   3) Is it possible to define the Max age of the cookie with haproxy? 
Or is it better to do it in the code?




Thanks to all
NICOLE Emerik
Newbie french use of haproxy



Re: performance with and without haproxy

2010-06-29 Thread eni-urgence

Willy Tarreau wrote:

Hello,

On Fri, Jun 25, 2010 at 05:15:02PM +0200, eni-urgence wrote:
  

Hello


   Has anyone already noticed a performance decrease with and
without haproxy? I'm the only one on the proxy and web server, and
the HTTP request is served 0.5 and 1s slower than without haproxy?



How are you measuring the delay ? From haproxy's logs or from the
client ? 1 second is huge. A typical traversal delay should be in
the range of about 40-100 microseconds, or 10-25000 times lower
than what you're observing. Maybe you're having a config issue,
or maybe there's something wrong on the machine you're running
it on (eg: is it virtualized, this is causing new classes of hard
to debug trouble) ?

Regards,
Willy



  

Hello Willy and thanks for your help and interest.

It's a test embedded in the PHP/AJAX application. According to the 
developer, the measurement is made like this:
for one AJAX call, he creates a timer on the call. Then at the beginning 
of the PHP script, he creates another time which evaluates the 
generation time of the script and calls it back to AJAX.
On the client side, when the response is received, it gives the transfer 
time + the PHP time. Then he subtracts the PHP time (returned by AJAX) from 
the total duration. This duration includes the transfer time of the 
request to the server.


I had tested transfer between a web server in production (and quite 
loaded ~1) and the proxy machine (not as powerful as the webserver).



The network path for the test is like that :
Client (on LAN) -- Firewall -- stunnel on VIP 
192.168.100.153 (on the proxies) -- Haproxy (listening on 
127.0.0.1) -- WebServer (listening on 192.168.100.41) (on the 
proxy too for the moment )


The proxy server is a Quad core Intel(R) Xeon(R) CPU X5460 
3.16GHz with 4G RAM. OS is CentOS 5.5 64b. Not virtualised. I haven't 
tweaked the OS parameters according to your advice (found on many 
sites). With one RAID1.
The webserver, which serves as the measurement reference, is a double Quad 
Core with 6 GB RAM and a double RAID1 (one for system, one for PHP pages 
and some data).


After some tests, it appears that it is a hardware/design problem. I made a 
new virtual host (https) on the proxy machine, called it directly, not 
through haproxy, and the transfer times are similar. Now I have to find 
why. I think the double RAID and the disk IO count for much in those 
differences.



Thanks for your help and time. And sorry for the inconvenience.


NICOLE Emerik
Newbie french user of Haproxy



performance with and without haproxy

2010-06-25 Thread eni-urgence

Hello


   Has anyone already noticed a performance decrease with and without 
haproxy? I'm the only one on the proxy and web server, and the HTTP 
request is served 0.5 and 1s slower than without haproxy?



NICOLE Emerik
Newbie french user of Haproxy




Re: haproxy question about check

2010-06-02 Thread eni-urgence


Hello.

Sorry for my latency on the answer.
Thank you for the trick about the check. I will test it when I have time.

About the multi-site question, I will explain because it's a bit 
confusing. I have two agencies at this time: one with 2 WEB/DNS servers 
(agency A) and the other with 1 WEB/DNS server (agency B). Agency A has 
two WAN lines. My zones are configured with 3 NS records, 2 go to Agency 
A via different public addresses. My firewall NATs the public addresses to 2 
different private addresses (on DMZ), and using views I adjust the response. 
Today, in order to provide service continuity, I start the DNS 
server of agency B when the DNS servers of Agency A are down. But it's a 
loss of power and servers that I want to use now with haproxy.


Have I been clear?

Hello,

On 05/21/2010 03:15 PM, eni-urgence wrote:

Hello all.

I discovered haproxy a few weeks ago and I want to thank Willy for his 
very good product.

I'm planning to integrate haproxy into our DMZ.
I want to use haproxy for load balancing heavy secure PHP/AJAX 
applications with cookie persistence: a collaborative scheduler and an 
image consult extranet.


The stunnel service will handle HTTPS connections and forward decrypted 
requests to haproxy on port 88. Then haproxy will forward 
connections to the web server on port 10088, 100089 (and so on...) on a mass 
virtual host configuration of Apache (see below).
In /var/www/vhost-SSL/ on the web server, there are some symbolic links to 
the PHP sources. Some domains are not linked to the same path because 
they don't provide the same application. So I don't want to have to 
delete/rename the running.ok file on every path when I want to 
shut down the webserver.
I want to use the httpcheck on port 10081 and the file running.ok. 
But I want a soft stop of service. I want haproxy to stop 
forwarding new connections if it doesn't find the running.ok file but 
continue to forward connections if the cookie is initialised. So I will 
configure a backup server with the same cookies (as said in the haproxy 
documentation).


Use http-check disable-on-404 for this



So now my questions :
   - Is it possible to check only the header like this: HEAD / 
HTTP/1.0 for the backup server?


option httpchk HEAD / HTTP/1.0

   - As said in the article by Willy 
(http://1wt.eu/articles/2006_lb/), it is good to load balance the 
encryption/decryption flow too. So a haproxy instance in TCP mode 
(layer 4) seems to be a good solution. But our applications have to 
know the client IP for security reasons. I read that a recompiled 
kernel with tproxy support will forward connections keeping the real 
client IP. Is that true?


Yes it is, tproxy has been included in mainstream >=2.6.28 kernel.
Usage of X-Forwarded-For header is preferred if you use stunnel.

- I want to manage a multi site configuration keeping the  
session persistence. How can I manage to do so?


I don't understand this question :)

Regards,

Hervé.








Re: Haproxy + Ajax

2010-06-02 Thread eni-urgence

Thank you for your quick answer and sorry for my late response.


Hervé COMMOWICK wrote:
This is an old interview, HAProxy (>=1.4) now supports keepalive on the 
client side.


Don't use http-pretend-keepalive unless your backend server needs it 
(Apache doesn't need this).


To enable keepalive, you just need to have option http-server-close 
instead of option httpclose.


Regards,

Hervé.


On 05/21/2010 06:11 PM, eni-urgence wrote:


Hello (again).
In this interview http://linuxfr.org/2008/09/15/24484.html (in 
French), Willy Tarreau said that there are some problems with PHP 
applications which use AJAX technology, because haproxy ignores keep 
alive. Is there a big impact on performance?

My web servers are configured with
KeepAlive Off
MaxKeepAliveRequests 100
KeepAliveTimeout 15
and I don't think PHP redefines this variable.

I read that an option http-pretend-keepalive has been added in 
version 1.4.4. Do I have any interest in using this option?


Is there any kind of thing about not using AJAX and haproxy 
together? Like haproxy cutting the URL, which can be very long with AJAX 
calls. Has someone experienced problems? And what kind?


Thank you

NICOLE Emerik
Newbie french user of haproxy
eni-urge...@scan-eco.com
www.scan-eco.com
www.quickmed.fr












haproxy question about check

2010-05-21 Thread eni-urgence

Hello all.

I discovered haproxy a few weeks ago and I want to thank Willy for his very 
good product.

I'm planning to integrate haproxy into our DMZ.
I want to use haproxy for load balancing heavy secure PHP/AJAX 
applications with cookie persistence: a collaborative scheduler and an 
image consult extranet.


The stunnel service will handle HTTPS connections and forward decrypted 
requests to haproxy on port 88. Then haproxy will forward connections 
to the web server on port 10088, 100089 (and so on...) on a mass virtual host 
configuration of Apache (see below).
In /var/www/vhost-SSL/ on the web server, there are some symbolic links to 
the PHP sources. Some domains are not linked to the same path because they 
don't provide the same application. So I don't want to have to 
delete/rename the running.ok file on every path when I want to 
shut down the webserver.
I want to use the httpcheck on port 10081 and the file running.ok. 
But I want a soft stop of service. I want haproxy to stop forwarding new 
connections if it doesn't find the running.ok file but continue to 
forward connections if the cookie is initialised. So I will configure a 
backup server with the same cookies (as said in the haproxy documentation).


So now my questions :
   - Is it possible to check only the header like this: HEAD / HTTP/1.0 
for the backup server?
   - As said in the article by Willy 
(http://1wt.eu/articles/2006_lb/), it is good to load balance the 
encryption/decryption flow too. So a haproxy instance in TCP mode 
(layer 4) seems to be a good solution. But our applications have to 
know the client IP for security reasons. I read that a recompiled 
kernel with tproxy support will forward connections keeping the real 
client IP. Is that true?
- I want to manage a multi site configuration keeping the  session 
persistence. How can I manage to do so?


haproxy configuration: (it's a test configuration file. I think some 
variables do not have good values)


defaults
   log global
   mode http
   option  httplog
   retries 3
   option redispatch
   maxconn 2000
   contimeout  5000
   clitimeout  5
   srvtimeout  5
   stats enable
   option forwardfor
   balance roundrobin
   option httpchk HEAD /running.ok HTTP/1.0
   option http-server-close

listen private-admin_stats 192.168.1.60:8088
   mode http
   stats uri /admin?stats
   stats realm Global\ statistics
   stats auth  stats:stats84

frontend public-http-app
   bind 192.168.1.62:88
   reqadd   sce_proxy:\ lbl0101
   reqadd   sceproxy_secure:\ https
   capture request header Location len 80
   capture response header Location len 80
   capture response header Server len 20
   default_backend webfarm-http-app

backend webfarm-http-app
   cookie SERVERID prefix nocache
   # health checks go to the check vhost on port 10081 (100081 is not a valid TCP port)
   server lbl0101-app1 192.168.1.62:10088 check port 10081 inter 2000 rise 2 fall 5 weight 8 cookie lbl0101-app
   server lbl0101-app1-bck 192.168.1.62:10088 check inter 2000 rise 2 fall 5 cookie lbl0101-app backup
   server lbl0101-app2 192.168.1.62:10089 check port 10081 inter 2000 rise 2 fall 5 cookie lbl0101-app2
   server lbl0101-app2-bck 192.168.1.62:10089 check inter 2000 rise 2 fall 5 cookie lbl0101-app2 backup




NameVirtualHost apache configuration :

NameVirtualHost 192.168.1.62:10081
<VirtualHost 192.168.1.62:10081>
   UseCanonicalName Off
   ServerName *
   VirtualDocumentRoot /var/www/vhosts-SSL/%0
   VirtualScriptAlias /var/www/vhosts/%0/cgi-bin/
   DirectoryIndex index.html index.htm index.shtml index.php
   HostNameLookups off
   #CustomLog logs/ssl_access_log vcommon
   #CustomLog /var/log/httpd/access_log cawstats
</VirtualHost>

NameVirtualHost 192.168.1.62:10088
<VirtualHost 192.168.1.62:10088>
   UseCanonicalName Off
   ServerName *
   VirtualDocumentRoot /var/www/vhosts-SSL/%0
   VirtualScriptAlias /var/www/vhosts/%0/cgi-bin/
   DirectoryIndex index.html index.htm index.shtml index.php
   HostNameLookups off
   #CustomLog logs/ssl_access_log vcommon
   #CustomLog /var/log/httpd/access_log cawstats
</VirtualHost>

NameVirtualHost 192.168.1.62:10089
<VirtualHost 192.168.1.62:10089>
   UseCanonicalName Off
   ServerName *
   VirtualDocumentRoot /var/www/vhosts-SSL/%0
   VirtualScriptAlias /var/www/vhosts/%0/cgi-bin/
   DirectoryIndex index.html index.htm index.shtml index.php
   HostNameLookups off
   #CustomLog logs/ssl_access_log vcommon
   #CustomLog /var/log/httpd/access_log cawstats
</VirtualHost>

Some example of the link in /var/www/vhosts-SSL :

192.168.1.62 - /var/www/check (= is where the file running.ok will be)
secure.myfirstdomain.com - /var/www/html/myfirstdomain.com
secure1.myfirstdomain.com - /var/www/html/myfirstdomain.com
secure.myseconddomain.com - /var/www/html/myfseconddomain.com
secure.myfthirddomain.com - 

Haproxy + Ajax

2010-05-21 Thread eni-urgence


Hello (again).
In this interview http://linuxfr.org/2008/09/15/24484.html (in French), 
Willy Tarreau said that there are some problems with PHP applications which 
use AJAX technology, because haproxy ignores keep alive. Is there a big 
impact on performance?
My web servers are configured with 
KeepAlive Off
MaxKeepAliveRequests 100
KeepAliveTimeout 15
and I don't think PHP redefines this variable.

I read that an option http-pretend-keepalive has been added in version 
1.4.4. Do I have any interest in using this option?


Is there any kind of thing about not using AJAX and haproxy together? 
Like haproxy cutting the URL, which can be very long with AJAX calls. Has 
someone experienced problems? And what kind?


Thank you

NICOLE Emerik
Newbie french user of haproxy
eni-urge...@scan-eco.com
www.scan-eco.com
www.quickmed.fr