Re: strange issues with IE 6
Hello

Finally, I have installed nginx as SSL termination instead of stunnel and I have no more problems with IE6 and Safari.
Thanks for all.

Cyril Bonté wrote:
> Hi,
>
> On Wednesday 4 August 2010 17:24:26, eni-urgence wrote:
> > Hello.
> > I have removed the friendly error message from IE and it displays a blank page.
> > I have not mentioned that I have stunnel in front of haproxy for SSL termination.
> > I have made some tests and captured packets and I think that it's stunnel that doesn't work. I will make more tests.
>
> Can you verify that SSL v3 is enabled in IE6, still in the advanced tab, where Hervé proposed you to disable the friendly HTTP error messages?
>
> --
> Cyril Bonté

Re: strange issues with IE 6
Hello.

I have removed the friendly error message from IE and it displays a blank page.
I have not mentioned that I have stunnel in front of haproxy for SSL termination.
I have made some tests and captured packets and I think that it's stunnel that doesn't work. I will make more tests.

Cheers

Hervé COMMOWICK wrote:
> Hello,
>
> You can't have a HTTP 200 in all your logs and a HTTP 404 in your web browser, or IE6 really became a bunch of crap.
> You can disable IE crap about friendly 404 error page with this:
>
> 1. Go to Tools Menu in the Internet Explorer and click the Internet Options.
> 2. You will be displayed with the Internet Options dialog box. Click the Advanced tab.
> 3. Uncheck the Show friendly HTTP error messages check box and then click the OK button at the end.
>
> Regards,
> Hervé.
>
> On Wed, 04 Aug 2010 15:58:48 +0200 eni-urgence eni-urge...@scan-eco.com wrote:
> > Hello all.
> > I have some strange issue with IE6 (I know it's quite old but our customer doesn't want to upgrade for now).
> > A page that works through the proxy with the latest releases of web browsers (IE8, Firefox, Safari...) doesn't want to work with IE6.
> > The HTTP request goes to the proxy and it's forwarded to the Apache server, but the browser displays a 404 error (Page not found).
> >
> > You can find the haproxy trace:
> >
> >     Aug 4 15:54:16 web0103 haproxy[19109]: 127.0.0.1:35663 [04/Aug/2010:15:54:16.535] public-http-applicatif-prod webfarm-http-applicatif-prod-Avignon/web0103-applicatif-10084 0/0/0/85/86 200 5046 - - --NI 0/0/0/0/0 0/0 {192.168.1.8|} {|Apache} GET /scanweb/custom/demo/index.php HTTP/1.1
> >
> > and the apache trace:
> >
> >     secure.scan-prod.com 192.168.1.8 192.168.1.8 192.168.100.41 - - [04/Aug/2010:15:54:16 +0200] GET /scanweb/custom/demo/index.php HTTP/1.1 200 4547 - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
> >
> > I have seen in the haproxy doc that the return code 200 says all is OK.
> > The information --NI says that no cookie has been set. I don't understand why.
> > Has anyone seen it before?
> > Thanks for your help
> >
> > NICOLE Emerik
> > Newbie French user of haproxy.

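The HAProxy log line quoted in the message above can be decoded field by field. The following is an added example, not part of the original thread and not HAProxy's own code: a small Python parser whose function name and lookup tables are this example's own, with the flag meanings transcribed from the session-state section of the HAProxy 1.4 logging documentation. Applied to that line, it reads `--NI` as "the client sent no persistence cookie, and the proxy inserted one in the response".

```python
import re

# Field order follows the HAProxy HTTP log format ("option httplog").
LOG_RE = re.compile(
    r'haproxy\[\d+\]: (?P<client>\S+) \[(?P<accept>[^\]]+)\] (?P<frontend>\S+) '
    r'(?P<backend>[^/\s]+)/(?P<server>\S+) (?P<timers>[\d/+-]+) (?P<status>\d{3}) '
    r'(?P<bytes>\+?\d+) (?P<req_cookie>\S+) (?P<res_cookie>\S+) (?P<state>\S{4}) '
)
TIMERS = ("Tq", "Tw", "Tc", "Tr", "Tt")  # all in milliseconds, -1 = phase not reached
# One table per character of the 4-character termination state.
STATE = [
    {"-": "session completed normally", "C": "aborted by client", "S": "aborted or refused by server",
     "P": "aborted by proxy", "R": "proxy resource exhausted", "c": "client timeout", "s": "server timeout"},
    {"-": "closed after end of data", "R": "waiting for request", "Q": "waiting in queue",
     "C": "connecting to server", "H": "waiting for response headers", "D": "data phase",
     "L": "sending last data to client", "T": "tarpitted"},
    {"-": "no persistence cookie configured", "N": "client sent no cookie",
     "I": "client sent an invalid cookie", "D": "cookie designated a down server",
     "V": "client sent a valid cookie"},
    {"-": "no cookie operation", "N": "no cookie from server, none inserted",
     "I": "cookie inserted by proxy", "P": "server cookie passed as-is",
     "R": "server cookie rewritten by proxy", "D": "server cookie deleted by proxy"},
]

def parse_haproxy_http_log(line):
    """Split one HAProxy HTTP log line and explain its termination state."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not an HAProxy HTTP log line")
    rec = m.groupdict()
    rec["timers"] = dict(zip(TIMERS, (int(t.lstrip("+")) for t in rec["timers"].split("/"))))
    rec["status"] = int(rec["status"])
    rec["state_meaning"] = [tbl.get(ch, "unknown flag") for tbl, ch in zip(STATE, rec["state"])]
    return rec

# The log line exactly as quoted in the thread (the archive dropped the quotes
# that HAProxy normally puts around the request).
SAMPLE = ("Aug 4 15:54:16 web0103 haproxy[19109]: 127.0.0.1:35663 [04/Aug/2010:15:54:16.535] "
          "public-http-applicatif-prod webfarm-http-applicatif-prod-Avignon/web0103-applicatif-10084 "
          "0/0/0/85/86 200 5046 - - --NI 0/0/0/0/0 0/0 {192.168.1.8|} {|Apache} "
          "GET /scanweb/custom/demo/index.php HTTP/1.1")

if __name__ == "__main__":
    rec = parse_haproxy_http_log(SAMPLE)
    print(rec["client"], rec["status"], rec["timers"], rec["state_meaning"])
```

The `client` field comes out as 127.0.0.1 because stunnel sits in front of haproxy on the same host, so the TCP peer that haproxy logs is the local tunnel, not the browser.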
Some Questions
Hello everybody.

1) I want to use the errorfile directive in the configuration in order to display a custom HTML page (on the proxy disk). Is it possible to include an image file in those pages? And if not, if I use an HTML page stored on a web server, can I include images and CSS?

2) I want to make an advanced redirection too. I want something like this: if the URL begins with www and the last URI dir is in a file, then haproxy redirects to https://secure.mydomain1.tld/customer1/

I'm using mass virtualhost on my Apache backend and for each domain name, the subdirectories are the same.

Examples:

    request on http://www.domain1.com/customer1/ redirect to https://secure.domain1.com/customer1/
    http://www.domain2.com/customer1/ redirect to https://secure.domain2.com/customer1/
    http://www.domain2.com/customer2/ don't redirect because customer2 is not in the file.

At this time, I have made this in the config file:

    acl is_www hdr_beg -i www
    acl is_customer path_dir -f /var/chroot/haproxy/acl/customer.lst

but I have a problem with the redirect directive because part of the "to" option is given in the requested URL: subdirectories and domain name.

Is it possible to extract only the domain name (without server name), store it in a variable and reuse it in the redirect directive?
    extract domain1.tld from http://www.domain1.tld/customer1/

Is it possible to extract the last dir from the URI?
    extract customer1 from http://www.domain1.tld/customer1/

3) Is it possible to define the Max age of the cookie with Haproxy? Or is it better to do it in the code?

Thanks to all

NICOLE Emerik
Newbie French user of haproxy

Re: performance with and without haproxy
Willy Tarreau wrote:
> Hello,
>
> On Fri, Jun 25, 2010 at 05:15:02PM +0200, eni-urgence wrote:
> > Hello
> > Has anyone already noticed a performance decrease with and without haproxy?
> > I'm the only one on the proxy and web server, and the HTTP request is served 0.5 and 1s slower than without haproxy?
>
> How are you measuring the delay? From haproxy's logs or from the client? 1 second is huge. A typical traversal delay should be in the range of about 40-100 microseconds, or 10-25000 times lower than what you're observing. Maybe you're having a config issue, or maybe there's something wrong on the machine you're running it on (eg: is it virtualized, this is causing new classes of hard to debug trouble)?
>
> Regards,
> Willy

Hello Willy and thanks for your help and interest.

It's a test embedded in the PHP/AJAX application. According to the developer, the measurement is made like this: for one AJAX call, he creates a timer on the call. Then at the beginning of the PHP script, he creates another timer which evaluates the generation time of the script and sends it back to AJAX. On the client side, when the response is received, it gives the transfer time + the PHP time. Then he subtracts the PHP time (returned by AJAX) from the total duration. This duration includes the transfer time of the request to the server.

I had tested transfer between a web server in production (and quite loaded ~1 ) and the proxy machine (not as powerful as the web server). The network path for the test is like this:

    Client (on LAN) -- Firewall -- stunnel on VIP 192.168.100.153 (on the proxies) -- Haproxy (listening on 127.0.0.1) -- WebServer (listening on 192.168.100.41) (on the proxy too for the moment)

The proxy server is a quad-core Intel(R) Xeon(R) CPU X5460 3.16GHz with 4G RAM. OS is CentOS 5.5 64b. Not virtualised. I haven't tweaked the OS parameters according to your advice (found on many sites). With one RAID1.

The web server, which serves as measurement reference, is a double quad-core with 6 GB RAM and a double RAID1 (one for system, one for PHP pages and some data).

After some tests, it appears that it is a hardware/design problem. I made a new virtual host (https) on the proxy machine, called it directly, not through haproxy, and the transfer times are similar. Now I have to find out why. I think the double RAID and the disk I/O account for much of the difference.

Thanks for your help and time. And sorry for the inconvenience.

NICOLE Emerik
Newbie French user of Haproxy

performance with and without haproxy
Hello

Has anyone already noticed a performance decrease with and without haproxy?
I'm the only one on the proxy and web server, and the HTTP request is served 0.5 and 1s slower than without haproxy?

NICOLE Emerik
Newbie French user of Haproxy

Re: haproxy question about check
Hello.

Sorry for my latency on the answer. Thank you for the trick about the check. I will test it when I have time.

About the multi-site question, I will explain because it's a bit confusing. I have two agencies at this time: one with 2 WEB/DNS servers (agency A) and the other with 1 WEB/DNS server (agency B). Agency A has two WAN lines. My zones are configured with 3 NS records, 2 go to Agency A via different public addresses. My firewall NATs the public addresses to 2 different private addresses (on the DMZ), and using views I adjust the response.

Today, in order to provide service continuity, I start the DNS server of agency B when the DNS servers of Agency A are down. But it's a loss of power and server that I want to use now with haproxy.

Have I been clear?

> Hello,
>
> On 05/21/2010 03:15 PM, eni-urgence wrote:
> > Hello all.
> > I discovered haproxy a few weeks ago and I want to thank Willy for his very good product.
> > I'm planning to integrate haproxy into our DMZ. I want to use haproxy for load balancing heavy secure PHP/AJAX applications with cookie persistence: a collaborative scheduler and an image consultation extranet.
> > The stunnel service will handle https connections and forward decrypted requests to haproxy on port 88. Then haproxy will forward connections to the web server on port 10088, 100089 (and so...) on a mass virtual host configuration of apache (see below).
> > In /var/www/vhost-SSL/ on the web server, there are some symbolic links to the PHP sources. Some domains are not linked to the same path because they don't provide the same application. So I don't want to have to delete/rename the running.ok file on every path when I want to shut down the web server.
> > I want to use the httpcheck on port 10081 and the file running.ok. But I want a soft stop of service. I want haproxy to stop forwarding new connections if it doesn't find the running.ok file but continue to forward connections if the cookie is initialised. So I will configure a backup server with the same cookies (as said in the Haproxy documentation).
>
> Use http-check disable-on-404 for this
>
> > So now my questions:
> > - Is it possible to check only the header like this HEAD / HTTP/1.0 for the backup server?
>
> option httpchk HEAD / HTTP/1.0
>
> > - As said in the article of Willy (http://1wt.eu/articles/2006_lb/), it is good to load balance the encryption/decryption flow too. So a haproxy instance in tcp mode (layer 4) seems to be a good solution. But our applications have to know the client IP for security reasons. I read that a recompiled kernel with tproxy support will forward connections keeping the real client IP. Is that true?
>
> Yes it is, tproxy has been included in mainstream >=2.6.28 kernel. Usage of X-Forwarded-For header is preferred if you use stunnel.
>
> > - I want to manage a multi-site configuration keeping the session persistence. How can I manage to do so?
>
> I don't understand this question :)
>
> Regards,
> Hervé.

Re: Haproxy + Ajax
Thank you for your quick answer and sorry for my late response.

Hervé COMMOWICK wrote:
> This is an old interview, HAProxy (>=1.4) now supports keepalive on the client side.
> Don't use http-pretend-keepalive unless your backend server needs it (apache doesn't need this).
> To enable keepalive, you just need to have option http-server-close instead of option httpclose.
>
> Regards,
> Hervé.
>
> On 05/21/2010 06:11 PM, eni-urgence wrote:
> > Hello (again).
> > In this interview http://linuxfr.org/2008/09/15/24484.html (in French), Willy Tareau said that there are some problems with PHP applications which use AJAX technology, because haproxy ignores keep-alive.
> > Is there a big impact on performance?
> > My web servers are configured with
> >
> >     KeepAlive Off
> >     MaxKeepAliveRequests 100
> >     KeepAliveTimeout 15
> >
> > and I don't think PHP redefines this variable.
> > I read that an option http-pretend-keepalive has been added to version 1.4.4. Do I have any interest in using this option?
> > Is there any reason not to use AJAX and haproxy together? Like haproxy cutting the URL, which can be very long with AJAX calls.
> > Has someone experienced problems? And what kind?
> > Thank you
> >
> > NICOLE Emerik
> > Newbie French user of haproxy
> > eni-urge...@scan-eco.com
> > www.scan-eco.com
> > www.quickmed.fr

haproxy question about check
Hello all.

I discovered haproxy a few weeks ago and I want to thank Willy for his very good product.

I'm planning to integrate haproxy into our DMZ. I want to use haproxy for load balancing heavy secure PHP/AJAX applications with cookie persistence: a collaborative scheduler and an image consultation extranet.

The stunnel service will handle https connections and forward decrypted requests to haproxy on port 88. Then haproxy will forward connections to the web server on port 10088, 100089 (and so...) on a mass virtual host configuration of apache (see below).

In /var/www/vhost-SSL/ on the web server, there are some symbolic links to the PHP sources. Some domains are not linked to the same path because they don't provide the same application. So I don't want to have to delete/rename the running.ok file on every path when I want to shut down the web server.

I want to use the httpcheck on port 10081 and the file running.ok. But I want a soft stop of service. I want haproxy to stop forwarding new connections if it doesn't find the running.ok file but continue to forward connections if the cookie is initialised. So I will configure a backup server with the same cookies (as said in the Haproxy documentation).

So now my questions:

- Is it possible to check only the header like this HEAD / HTTP/1.0 for the backup server?
- As said in the article of Willy (http://1wt.eu/articles/2006_lb/), it is good to load balance the encryption/decryption flow too. So a haproxy instance in tcp mode (layer 4) seems to be a good solution. But our applications have to know the client IP for security reasons. I read that a recompiled kernel with tproxy support will forward connections keeping the real client IP. Is that true?
- I want to manage a multi-site configuration keeping the session persistence. How can I manage to do so?

haproxy configuration (it's a test configuration file. I think some variables do not have good values):

    defaults
        log global
        mode http
        option httplog
        retries 3
        option redispatch
        maxconn 2000
        contimeout 5000
        clitimeout 5
        srvtimeout 5
        stats enable
        option forwardfor
        balance roundrobin
        option httpchk HEAD /running.ok HTTP/1.0
        option http-server-close

    listen private-admin_stats 192.168.1.60:8088
        mode http
        stats uri /admin?stats
        stats realm Global\ statistics
        stats auth stats:stats84

    frontend public-http-app
        bind 192.168.1.62:88
        reqadd sce_proxy:\ lbl0101
        reqadd sceproxy_secure:\ https
        capture request header Location len 80
        capture response header Location len 80
        capture response header Server len 20
        default_backend webfarm-http-app

    backend webfarm-http-app
        cookie SERVERID prefix nocache
        # Health checks go to the check vhost on port 10081 (posted as 100081,
        # which is not a valid TCP port; 10081 matches the text and the Apache vhost).
        server lbl0101-app1 192.168.1.62:10088 check port 10081 inter 2000 rise 2 fall 5 weight 8 cookie lbl0101-app
        server lbl0101-app1-bck 192.168.1.62:10088 check inter 2000 rise 2 fall 5 cookie lbl0101-app backup
        server lbl0101-app2 192.168.1.62:10089 check port 10081 inter 2000 rise 2 fall 5 cookie lbl0101-app2
        server lbl0101-app2-bck 192.168.1.62:10089 check inter 2000 rise 2 fall 5 cookie lbl0101-app2 backup

NameVirtualHost apache configuration:

    NameVirtualHost 192.168.1.62:10081
    <VirtualHost 192.168.1.62:10081>
        UseCanonicalName Off
        ServerName *
        VirtualDocumentRoot /var/www/vhosts-SSL/%0
        VirtualScriptAlias /var/www/vhosts/%0/cgi-bin/
        DirectoryIndex index.html index.htm index.shtml index.php
        HostNameLookups off
        #CustomLog logs/ssl_access_log vcommon
        #CustomLog /var/log/httpd/access_log cawstats
    </VirtualHost>

    NameVirtualHost 192.168.1.62:10088
    <VirtualHost 192.168.1.62:10088>
        UseCanonicalName Off
        ServerName *
        VirtualDocumentRoot /var/www/vhosts-SSL/%0
        VirtualScriptAlias /var/www/vhosts/%0/cgi-bin/
        DirectoryIndex index.html index.htm index.shtml index.php
        HostNameLookups off
        #CustomLog logs/ssl_access_log vcommon
        #CustomLog /var/log/httpd/access_log cawstats
    </VirtualHost>

    NameVirtualHost 192.168.1.62:10089
    <VirtualHost 192.168.1.62:10089>
        UseCanonicalName Off
        ServerName *
        VirtualDocumentRoot /var/www/vhosts-SSL/%0
        VirtualScriptAlias /var/www/vhosts/%0/cgi-bin/
        DirectoryIndex index.html index.htm index.shtml index.php
        HostNameLookups off
        #CustomLog logs/ssl_access_log vcommon
        #CustomLog /var/log/httpd/access_log cawstats
    </VirtualHost>

Some examples of the links in /var/www/vhosts-SSL:

    192.168.1.62 - /var/www/check (= is where the file running.ok will be)
    secure.myfirstdomain.com - /var/www/html/myfirstdomain.com
    secure1.myfirstdomain.com - /var/www/html/myfirstdomain.com
    secure.myseconddomain.com - /var/www/html/myfseconddomain.com
    secure.myfthirddomain.com -

Haproxy + Ajax
Hello (again).

In this interview http://linuxfr.org/2008/09/15/24484.html (in French), Willy Tareau said that there are some problems with PHP applications which use AJAX technology, because haproxy ignores keep-alive.
Is there a big impact on performance?

My web servers are configured with

    KeepAlive Off
    MaxKeepAliveRequests 100
    KeepAliveTimeout 15

and I don't think PHP redefines this variable.

I read that an option http-pretend-keepalive has been added to version 1.4.4. Do I have any interest in using this option?

Is there any reason not to use AJAX and haproxy together? Like haproxy cutting the URL, which can be very long with AJAX calls.
Has someone experienced problems? And what kind?

Thank you

NICOLE Emerik
Newbie French user of haproxy
eni-urge...@scan-eco.com
www.scan-eco.com
www.quickmed.fr