Has the behaviour of "nopurge" changed or something else...
Hi Guys,

I was reading an old blog and I found myself having an issue with the way the stick table and "nopurge" interact. Basically what is said in that Blog does not work as advertised with my version of HAProxy(1.8.23).

What you will find is that the stick table correctly gets an entry added fine but when the real server then fails a health check and the backup server is inserted this entry is not updated. As such the moment the real server comes back online traffic instantly moves away from the backup server. Remove "nopurge" and my expectations are then met with traffic staying on the backup server until I take action such as clearing the stick table or putting the backup server itself into maint mode.

The Blog: https://www.haproxy.com/blog/emulating-activepassing-application-clustering-with-haproxy/

I don't understand if this is a bug or a change in the expectations of this feature but I thought I'd highlight it to everyone so I can get some advice.

The issue was also covered in the comments of the Blog (why oh why did I not read this first!):

jean on March 28, 2017 at 6:19 pm
> Hello,
> I feel like I missed something here… When I implement this configuration on a simple 2-nodes haproxy solution:
> – the table gets populated after the first request
> # table: bk_ldap_mirror, type: ip, size:1, used:1
> 0x55f490608b74: key=192.168.1.2 use=0 exp=0 server_id=1
> – If I shutdown the s1 backend, failover happens, everything goes to s2, but no change in the table.
> – when I put s1 backend back on, all further requests get back to s1
> What I expected:
> – once s1 is done, change server_id value in stick table would switch to 2
> – when s1 is back online, stick to s2 unless it fails or is pushed to maintenance mode, in which case server_id in stick table would change again.
> I’m on haproxy 1.7.3. What am I missing?

wtarreau on May 4, 2017 at 7:18 am
> What you describe is what should happen with this configuration. Either you’ve got a mistake or you’re facing a bug, I can’t say for now. Please first upgrade to 1.7.5 to fix known bugs and retry. If it doesn’t work, you should bring this to the mailing list as it might be a bug.

Eugene Brown on December 18, 2017 at 11:06 pm
> I have found that using nopurge allows for a failback. Removing nopurge proves sticky.
> As soon as my original server comes back up, if nopurge is set, the connect fails back.
> I did not let my failed connection dead for an extended time.
> What I don’t understand if the table size is 1 and is no purged, then what is in the table when it fails to the second connection? I display the table and it never changes with nopurge set. But when not set, the table updates and the connection persists on the new connection.

So is it a bug? Or is it a change in the behavior where we might need to go back and update the documentation?

Thanks in advance!

Aaron West
Re: Question about Maglev algorithm
I've not used it yet with IPVS because I have nothing with a new enough Kernel (4.18+ I think), however, isn't this quite similar to HAProxy's consistent hash options? Aaron Loadbalancer.org
Re: Balance based on network/cpu load
Hi Jessy, We made an opensource feedback agent which you can use if you like, it'll save you the need to make anything: https://www.loadbalancer.org/blog/open-source-windows-service-for-reporting-server-load-back-to-haproxy-load-balancer-feedback-agent/ Aaron West Loadbalancer.org Ltd.
Re: Throughput slow with kernel 4.9.0
Hi Brendon,

I just wanted to reach out and say that we found this too!

It seems that the Kernel developers decided to halve the default TCP memory in the 4.x kernels, it probably makes sense for most applications but not when dealing with busy high network usage like we typically see when acting as a load balancer and/or reverse proxy.

The actual change is mentioned here:

https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=b66e91ccbc34ebd5a2f90f9e1bc1597e2924a500

For me reducing it by 50% didn't work well... So I wrote a script to simply double TCP memory if a newer Kernel is detected as I knew it was reduced by 50% from what I had been used to and it always worked for me on the old defaults.

However, your method is better(Less lazy)... Simply decide if you need to increase it by looking out for the error message:

    TCP: out of memory -- consider tuning tcp_mem

Anyway, just thought I'd mention it for info and to say you are not alone ;)

Aaron West
Loadbalancer.org Ltd.
www.loadbalancer.org
Re: Question on Caching.
Hi Willy, I think what we are looking for is some kind of small cache to accelerate the load times of a single page; this is particularly for things such as WordPress where page load times can be slow. I imagine it being set to cache the homepage only, fairly small(just a few K) and I guess it would need to only cache the HTML body rather than headers... Does that make any sense at all? It may be that the small object cache would help? Or the idea itself may be a waste of time... Currently, I've been looking at the Apache module mod_cache. I'd value your opinion either way. Aaron West Loadbalancer.org Ltd. www.loadbalancer.org +1 888 867 9504 / +44 (0)330 380 1064 aa...@loadbalancer.org
Re: Logging check response
Just another idea, you could utilize the external check feature to script something that does the check and logs the output: https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#option%20external-check Aaron West Loadbalancer.org Ltd. www.loadbalancer.org +1 888 867 9504 / +44 (0)330 380 1064 aa...@loadbalancer.org LEAVE A REVIEW | DEPLOYMENT GUIDES | BLOG
Re: Re: haproxy tcp mode source ip
Hi, The TPROXY method truly makes it source IP transparent(Your real servers will see the connection as coming from the client's IP) so it will be fine for IP based privileges I think. Aaron West Loadbalancer.org Ltd. www.loadbalancer.org +1 888 867 9504 / +44 (0)330 380 1064 aa...@loadbalancer.org LEAVE A REVIEW | DEPLOYMENT GUIDES | BLOG
Re: Re: haproxy tcp mode source ip
Yes, you can use TPROXY instead of Proxy Protocol if you don't mind the additional routing changes(Need to move to two-arm with real servers setting the GW to be the HAProxy server). You can see an example in this short Blog here: https://loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x/ Aaron West Loadbalancer.org Ltd. www.loadbalancer.org +1 888 867 9504 / +44 (0)330 380 1064 aa...@loadbalancer.org LEAVE A REVIEW | DEPLOYMENT GUIDES | BLOG
Re: Throughput issue after moving between kernels.
I think I understand that with faster networks giving shorter RTT you need less buffer space and then as either RTT or throughput increases(Maybe 40G+) then you will need more, am I right? So maybe it was changed to take into account modern internet links, however, that doesn't explain the observed throughput issue as yet... I wonder what else might have changed. Aaron West Loadbalancer.org Ltd. www.loadbalancer.org +1 888 867 9504 / +44 (0)330 380 1064 aa...@loadbalancer.org LEAVE A REVIEW | DEPLOYMENT GUIDES | BLOG
Re: Force Sticky session on HaProxy
I've used something like this before:

    stick store-response res.cook(JSESSIONID)
    stick match req.cook(JSESSIONID)

"stick on" does this I think:

    stick match req.cook(JSESSIONID)
    stick store-request req.cook(JSESSIONID)

As the client doesn't have the cookie at the beginning of the connection it has to wait to store it until it's received from the server, I have a vague memory that I had issues with using simply "stick on" for this so switched to the first method above.

There is a massive problem with my suggestion however, if you clear the stick table or restart the service(Which will clear the stick table) then users lose persistence until they close their browsers and start a new session or the server issues a new cookie. Obviously reloads while synchronising the stick table should be fine.

However, I'm sure there will be a far better solution so I'm just starting the ball rolling really...

Aaron West
Loadbalancer.org Ltd.
www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
aa...@loadbalancer.org
Re: Experimental / broken HTTP/2 support
Yes! RDP 8.0+ can use UDP traffic for a better connection, that's what I was thinking when I asked. Aaron West Loadbalancer.org Ltd. www.loadbalancer.org +1 888 867 9504 / +44 (0)330 380 1064 aa...@loadbalancer.org LEAVE A REVIEW | DEPLOYMENT GUIDES | BLOG
Re: Experimental / broken HTTP/2 support
Hi Willy, Sorry to bother you, just a quick question if I may. Does support for QUIC imply we'd have rudimentary UDP support as well or is it only going to support QUIC Protocol? Aaron West Loadbalancer.org Ltd. www.loadbalancer.org +1 888 867 9504 / +44 (0)330 380 1064 aa...@loadbalancer.org LEAVE A REVIEW | DEPLOYMENT GUIDES | BLOG On 15 October 2017 at 18:02, Willy Tarreau <w...@1wt.eu> wrote: > Hi Sander, > > On Sun, Oct 15, 2017 at 04:27:15PM +0200, Sander Klein wrote: >> Hi, >> >> I haven't been paying much attention to the list lately, but I am wondering >> what the current status of http/2 support is in 1.8-(dev|snapshot). >> >> Is it in a usable-but-needs testing state? Or more like >> stay-away-because-it-kills-kittens state? > > The code I posted was not merged because it was experimental and I was > not satisfied with what the architecture would look like in the long > term. So I kept it handy "just in case" but didn't want to merge it. > > Now after several failed attempts and with a lot of design sessions > with my coworkers, I've made a good progress on a totally different > approach which will later allow us to implement HTTP/2 on both sides, > as well as implement support for QUIC. I have not merged anything yet > because as I'm picking code from the first implementation, I regularly > encounter obstacles that I need to overcome and this leads to lots of > rebases to keep only bisectable code. The good point is that the code > that finally settles there is much better and contains much less hacks. > > If anyone is interested, I can publish a work-in-progress branch once > in a while, but for now the code in this branch only supports establishing > a connection and exchanging PING frames, so that's totally useless, which > is why I've not considered publishing it for now :-/ > > If everything goes well, the final rebased and cleaned up code should > be available for a release candidate by the end of the month. > > Stay tuned! > Willy >
Re: HAproxy and lvs
Hi John, As mentioned in the previous thread, LVS lives in the Kernel and works as a router. HAproxy is userspace and a reverse proxy so a completely different beast! So to answer your question, no it doesn't. Aaron West Loadbalancer.org Ltd. www.loadbalancer.org +1 888 867 9504 / +44 (0)330 380 1064 aa...@loadbalancer.org LEAVE A REVIEW | DEPLOYMENT GUIDES | BLOG On 11 October 2017 at 03:37, John Wei <johnt...@gmail.com> wrote: > It seems that HAproxy can also perform TCP load balance. > Does HAproxy leverage lvs when performing TCP load balance? > > John >
Re: Inquiry: Mailing List, HAProxy
Hey Logan, Sure is! Kind Regards Aaron West Loadbalancer.org Ltd. www.loadbalancer.org +1 888 867 9504 / +44 (0)330 380 1064 aa...@loadbalancer.org LEAVE A REVIEW | DEPLOYMENT GUIDES | BLOG On 5 October 2017 at 00:28, Logan Hicks <logan.hi...@live.com> wrote: > To whom it may concern: > > > Is this still the mailing list for the HAProxy project? > > Respectfully, > > Logan Hicks a.k.a Fallenour
Re: haproxy fails to properly direct connection to correct back end.
I suspect you're looking for this site:

https://discourse.haproxy.org/

It's a better place to get configuration advice and works in the fashion you are after, no old mailing list necessary.

Aaron West
Loadbalancer.org
www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
aa...@loadbalancer.org

On 29 July 2017 at 21:10, p s <mtlr...@hotmail.com> wrote:
> After sending to this list I got spammed by random people telling me that they are on vacation. WTF.
>
> It's so much better to report issues on github and not to mess with emails and these random replies.
>
> From: p s <mtlr...@hotmail.com>
> Sent: July 29, 2017 4:05 PM
> To: haproxy@formilux.org
> Subject: haproxy fails to properly direct connection to correct back end.
>
> I had default version of haproxy from ubuntu, which was 1.5.x, so I decided to update to latest stable first before I report the bug.
>
> After I update to latest 1.7.x haproxy stops working with my config. When I was trying to start I was getting:
>
> Job for haproxy.service failed because the control process exited with error code. See "systemctl status haproxy.service".
>
> systemctl status haproxy.service wouldn't show any info about why haproxy fails. FYI, with nginx it clearly points to what nginx doesn't like, and there is no need to guess. Can this be fixed to properly show errors?
>
> So, back to my original issue.
>
> Basically, I added only this to the default config:
>
> backend nodejs
>     timeout server 1h
>     timeout connect 1s
>     option httpclose
>     option forwardfor
>     server server1 127.0.0.1:80 #check
>
> backend nodejs_test
>     timeout server 1h
>     timeout connect 1s
>     option httpclose
>     option forwardfor
>     server server2 127.0.0.1:3000
>     option http-no-delay
>
> frontend all
>     bind *:8090
>     timeout client 1h
>     option http-no-delay
>     acl is_test path_beg /test
>     use_backend nodejs_test if is_test
>     default_backend nodejs
>     mode http
>
> I do not run anything on port 80, now I make a request to example.com/test and haproxy totally fails. 1.5.x would fail with "ERROR 503: Service Unavailable." on first request and would work on second one, 1.7.x doesn't fail that miserably, it just doesn't work at all, and my wget auto-retries 3 times and then it works.
> I inspected with wireshark what's going on and I see that haproxy when handling my request tries to connect to default backend on port 80 (and I don't run anything on port 80 atm). It's clearly a bug, it shouldn't even touch port 80, and should directly connect to nodejs_test on port 3000.
>
> Another point: why don't you host your project on github, it will be way more popular, it would be much easier for anybody to contribute etc. Now, it does feel like haproxy should be avoided, as there is no bugtracker, mailing list that feels broken, etc... feels like it's dying.
Re: X-Forwarded-For Balancing
Trenton,

To clarify I believe it will stick on XFF header if present but if not present fall back to stick on source.IP.

Basically, it will use the first working "stick on" declaration, source IP will always work as there will always be one so that goes in as a last resort.

Aaron West
Loadbalancer.org
www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
aa...@loadbalancer.org

On 26 July 2017 at 19:36, Andrew Smalley <asmal...@loadbalancer.org> wrote:
> Hi Trenton
>
> Here we use the stick on src ( Source IP ) and X-Forward-For method so we can stick on both criteria
>
> Also the -1 to move the XFF IP back, Imagine there are 2 or 3 proxy's all inserting X-Forward-For the -1 could also be -2 or -3 etc to move the ip forward in the list
>
> 192.168.100.12 172.16.21.20 172.31.31.2
>
> -1 would put the red address like this
>
> 172.16.21.20 172.31.31.2
>
> I hope that all makes sense
>
> Andruw Smalley
> Loadbalancer.org Ltd.
> www.loadbalancer.org
> +1 888 867 9504 / +44 (0)330 380 1064
> asmal...@loadbalancer.org
>
> On 25 July 2017 at 19:42, Trenton Dyck <trenton.d...@uxpsystems.com> wrote:
>>
>> Andrew,
>>
>> Thanks for this suggestion! When you say ‘move the XFF header back’ and you have a second stick on parameter what is the behavior you expect? Will it use src ip if no X-Forwarded-For header is present (our desired behavior)?
>>
>> Thanks,
>> Trent
>>
>> From: Andrew Smalley [mailto:asmal...@loadbalancer.org]
>> Sent: Tuesday, July 25, 2017 12:54 PM
>> To: Trenton Dyck
>> Cc: Aleksandar Lazic; haproxy@formilux.org
>> Subject: Re: X-Forwarded-For Balancing
>>
>> Hi Trenton
>>
>> I hope the below example will help you with X-Forward-For + Stick table + replication
>>
>> listen VIP_Name
>>     bind 192.168.100.50:65435 transparent
>>     mode http
>>     balance roundrobin
>>     option forwardfor if-none
>>     stick on hdr(X-Forwarded-For,-1) # Note the ,-1 is to move the XFF header back one place in the list.
>>     stick on src
>>     stick-table type string len 64 size 10240k expire 30m peers loadbalancer_replication
>>     server backup 127.0.0.1:9081 backup non-stick
>>     option http-keep-alive
>>     timeout http-request 5s
>>     option redispatch
>>     option abortonclose
>>     maxconn 4
>>     server RIP_Name 192.168.100.200:80 weight 100 check inter 500 rise 1 fall 1 minconn 0 maxconn 0 on-marked-down shutdown-sessions
>>     server RIP_Name-1 192.168.100.255:80 weight 100 check inter 500 rise 1 fall 1 minconn 0 maxconn 0 on-marked-down shutdown-sessions
>>
>> Andruw Smalley
>> Loadbalancer.org Ltd.
>> www.loadbalancer.org
>> +1 888 867 9504 / +44 (0)330 380 1064
>> asmal...@loadbalancer.org
>>
>> On 25 July 2017 at 17:36, Trenton Dyck <trenton.d...@uxpsystems.com> wrote:
>>
>> Hi Alek,
>>
>> I want to balance via round-robin, but I want stick-tables to use the X-Forwarded-For header instead of src ip. It makes sense in our use case because a vast majority of our clients are behind a NAT and have the same source IP, but the X-Forwarded-For header is unique to them.
>>
>> Thanks,
>> Trent
>>
>> -Original Message-
>> From: Aleksandar Lazic [mailto:al-hapr...@none.at]
>> Sent: Tuesday, July 25, 2017 11:20 AM
>> To: Trenton Dyck
>> Cc: haproxy@formilux.org
>> Subject: Re: X-Forwarded-For Balancing
>>
>> Hi Trenton,
>>
>> Trenton Dyck wrote on 25.07.2017:
>>
>> > Hi,
>> >
>> > Is it possible to balance, via X-Forwarded-For header? We have come across an issue with sticky-sessions and server weight that I can't seem to find the answer to online (Unbalanced traffic). I think stick-tables with this acl option would be nice to have for a future version.
>>
>> http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4-balance
>>
>> Something like this
>>
>> balance hdr(X-Forwarded-For)
>>
>> Does it make sense to balance based on this header?!
>> What's the issue you want to solve?
>>
>> What do you mean with "stick-tables with this acl option"?
>>
>> > Please keep met CCed for responses since I'm not subscribed.
>> >
>> > Thanks,
>> >
>> > Trent
>>
>> --
>> Best Regards
>> Aleks
Re: HAProxy Timeout Oddity WebKit XHR Replay
Liam, Still not seeing anything jump out, your timeout settings look fine to me at least. Do you use the stats page and if so do you see errors incrementing there? Also, do you have the log lines for these connections? Aaron West Loadbalancer.org www.loadbalancer.org +1 888 867 9504 / +44 (0)330 380 1064 aa...@loadbalancer.org LEAVE A REVIEW | DEPLOYMENT GUIDES | BLOG On 24 July 2017 at 20:17, Liam Middlebrook <loothel...@csh.rit.edu> wrote: > HA-Proxy version 1.5.18 2016/05/10 > > And I'll try and get the config cleaned up to what should be relevant > but it's pretty large so some specifics to get would be nice, I can say > for sure the timeout settings are as follows: > > > timeout connect 5s > > > timeout client 5m > > > timeout server 5m > > > timeout http-request 10s > > > # Long timeout for WebSocket connections. > > timeout tunnel 1h > > # defined for each app > timeout check 5000ms > > > Thanks, > > Liam Middlebrook (loothelion) > On 07/24/2017 12:02 PM, Aaron West wrote: >> Hi Liam, >> >> Can we get the config and version number that you are running? >> >> Nothing springs to mind although someone cleverer than me on the list >> may have an instant suggestion. >> >> Aaron West >> >> Loadbalancer.org >> >> www.loadbalancer.org >> +1 888 867 9504 / +44 (0)330 380 1064 >> aa...@loadbalancer.org >> >> LEAVE A REVIEW | DEPLOYMENT GUIDES | BLOG >> >> >> On 24 July 2017 at 19:59, Liam Middlebrook <loothel...@csh.rit.edu> wrote: >>> Hi, >>> >>> I'm currently running HAProxy within an Openshift Origin cluster. Until >>> a recent update of Openshift I did not experience issues with connection >>> timeouts, the connections would last up until the specified timeout as >>> defined by the application. >>> >>> After an update to Openshift I changed HAProxy settings around to give a >>> global 600s timeout for client and server. However when I make a form >>> upload request the connection is killed after 30 seconds. 
When I signal >>> an XHR Replay in my network inspector the connection lasts longer than >>> the 30 seconds and is able to successfully upload the file. >>> >>> I asked in irc with no luck. Any ideas why this may be happening? >>> >>> >>> Thanks, >>> >>> >>> Liam Middlebrook (loothelion) >>>
Re: HAProxy Timeout Oddity WebKit XHR Replay
Hi Liam, Can we get the config and version number that you are running? Nothing springs to mind although someone cleverer than me on the list may have an instant suggestion. Aaron West Loadbalancer.org www.loadbalancer.org +1 888 867 9504 / +44 (0)330 380 1064 aa...@loadbalancer.org LEAVE A REVIEW | DEPLOYMENT GUIDES | BLOG On 24 July 2017 at 19:59, Liam Middlebrook <loothel...@csh.rit.edu> wrote: > Hi, > > I'm currently running HAProxy within an Openshift Origin cluster. Until > a recent update of Openshift I did not experience issues with connection > timeouts, the connections would last up until the specified timeout as > defined by the application. > > After an update to Openshift I changed HAProxy settings around to give a > global 600s timeout for client and server. However when I make a form > upload request the connection is killed after 30 seconds. When I signal > an XHR Replay in my network inspector the connection lasts longer than > the 30 seconds and is able to successfully upload the file. > > I asked in irc with no luck. Any ideas why this may be happening? > > > Thanks, > > > Liam Middlebrook (loothelion) >
Re: help for setting up haproxy using Linux system proxy
On 8 July 2017 at 11:25, Aaron West <aa...@loadbalancer.org> wrote:
> for me at least, it would
> boggle the mind that you have a reverse proxy using a forward proxy.

I think I should clarify the above...

I don't mean using forward proxies as a real server(Think webfilters) because that makes sense I just mean routing to client or server via a forward proxy seems confusing to me...

Aaron West
Loadbalancer.org
www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
aa...@loadbalancer.org
Re: help for setting up haproxy using Linux system proxy
I'm going to go out on a limb here and say that you can't(Or shouldn't just in case somehow you can...), first, for me at least, it would boggle the mind that you have a reverse proxy using a forward proxy. I guess you could use a transparent proxy although I'm still not sure why but HAproxy would then just be routing to its destination unaware there's a proxy in the way...

However, the question really has to be why?

Only thing I can think of is that you are trying to implement a DMZ so have decided to restrict all outbound traffic, why not just allow the specific traffic through the firewall? You can cherry pick exactly what to allow so only allow the destination or sources that you actually require, it would be much much easier.

Sorry if that's not what you wanted to hear or if I'm wrong in some way...

Aaron West
Loadbalancer.org
www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
aa...@loadbalancer.org

On 8 July 2017 at 08:56, founder <oscarzhan...@qq.com> wrote:
>
> i have linux server setting up with haproxy but this server can't access directly to Internet . we have set up a proxy at linux server but it seems haproxy has not used system proxy. how can we set haproxy to use system proxy. thanks in advance.
> Sent from my iPhone
Re: Send PROXY protocol header from HAProxy
Hi Dave,

I don't see the "send-proxy" directive in your config, have you tried it:

https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5.2-send-proxy

Sorry if I'm misunderstanding something already...

Aaron West
Loadbalancer.org Limited
+44 (0)330 380 1064
www.loadbalancer.org

On 23 March 2017 at 12:38, Dave J <mr_wad...@hotmail.com> wrote:
> I've probably got lost in the masses of documentation on this subject, but I'm trying to configure my HAProxy process to send the PROXY protocol header as described at http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt. This is because I am having to write support for the PROXY protocol into a C++ server (in order for it to have access to the client IP/port) and I want to test my code is working properly with the parsing of the PROXY header.
>
> Here is my minimal config file:
>
> ---
>
> global
>     maxconn 4096
>
> defaults
>     log global
>     mode http
>     retries 3
>     option redispatch
>     maxconn 2000
>     timeout connect 5000
>     timeout client 5
>     timeout server 5
>
> frontend TestServerTest
>     bind 10.6.186.24:54781
>     mode tcp
>     default_backend TestServernodes
>
> backend TestServernodes
>     mode tcp
>     # Note there is no 'check' after the below line unlike the others as we don't want to send the
>     # healthcheck ("OPTIONS / HTTP/1.0"...) string to the TestServer as it doesn't understand it!
>     server TestServer01 10.6.186.24:48080
>
> ---
>
> What I am finding is that when I start HAProxy and connect to 54781, the first data that TestServer at 48080 receives is the data which is sent from my client; it is not the PROXY header described at the link I posted.
>
> Can someone please tell me what I am missing in my configuration that is preventing the PROXY header being sent to my backend server?
>
> Thanks in advance.
>
> Dave J
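For checking a backend against what `send-proxy` puts on the wire, here is an added example (not code from this thread or from HAProxy) of a strict parser for the human-readable version 1 PROXY header, which accepts the header only from a configured proxy address. The proxy address 10.6.186.24 and port 54781 come from the config above; the client address 203.0.113.7, its port and the function names are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple

# Longest legal v1 line, CRLF included, per proxy-protocol.txt.
PROXY_V1_MAX = 107


class ProxyHeaderError(ValueError):
    """The bytes at the start of the connection are not a valid v1 header."""


class Incomplete(Exception):
    """No CRLF yet and fewer than 107 bytes buffered: read more, then retry."""


class ProxyInfo(NamedTuple):
    family: str                 # "TCP4", "TCP6" or "UNKNOWN"
    src: Optional[str]
    src_port: Optional[int]
    dst: Optional[str]
    dst_port: Optional[int]


def _port(text: str) -> int:
    # Decimal digits only, no leading zeros, range 0..65535.
    if not text.isdigit() or (len(text) > 1 and text[0] == "0") or int(text) > 65535:
        raise ProxyHeaderError(f"bad port {text!r}")
    return int(text)


def parse_proxy_v1(buf: bytes) -> Tuple[ProxyInfo, bytes]:
    """Parse the header at the start of buf; return (info, application bytes)."""
    # Reject as soon as the first bytes cannot be the start of "PROXY ".
    if buf[:6] != b"PROXY "[:len(buf[:6])]:
        raise ProxyHeaderError("connection does not start with 'PROXY '")
    # The CRLF must sit inside the first 107 bytes; never scan further.
    end = buf.find(b"\r\n", 0, PROXY_V1_MAX)
    if end == -1:
        if len(buf) < PROXY_V1_MAX:
            raise Incomplete()
        raise ProxyHeaderError("no CRLF within 107 bytes")
    try:
        parts = buf[:end].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyHeaderError("non-ASCII byte in header") from None
    rest = buf[end + 2:]
    if len(parts) < 2:
        raise ProxyHeaderError("missing protocol field")
    if parts[1] == "UNKNOWN":
        # The sender could not describe the connection; ignore the rest of the line.
        return ProxyInfo("UNKNOWN", None, None, None, None), rest
    if parts[1] not in ("TCP4", "TCP6") or len(parts) != 6:
        raise ProxyHeaderError("expected: PROXY TCP4|TCP6 src dst sport dport")
    addr = ipaddress.IPv4Address if parts[1] == "TCP4" else ipaddress.IPv6Address
    try:
        src, dst = addr(parts[2]), addr(parts[3])
    except ipaddress.AddressValueError:
        raise ProxyHeaderError("bad address for " + parts[1]) from None
    return ProxyInfo(parts[1], str(src), _port(parts[4]), str(dst), _port(parts[5])), rest


def parse_from_peer(peer_ip: str, buf: bytes, trusted_proxies) -> Tuple[ProxyInfo, bytes]:
    """Accept a PROXY header only when the TCP peer is a configured proxy.

    Anyone who can reach the port directly could otherwise claim any source address.
    """
    if peer_ip not in trusted_proxies:
        raise PermissionError(f"{peer_ip} is not allowed to send a PROXY header")
    return parse_proxy_v1(buf)


# Constructed sample: what the backend would read first once send-proxy is enabled.
SAMPLE = b"PROXY TCP4 203.0.113.7 10.6.186.24 51234 54781\r\nhello"
```

The bytes returned as the second element are the start of the client's own data and must be handed to the normal protocol handler unchanged.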
Re: Haproxy reload fails on RHEL 7.2
I think this is your problem, if using systemd please use either the wrapper with this systemd service:

https://github.com/horms/haproxy/blob/master/contrib/systemd/haproxy.service.in

Or maybe this systemd service:

    [Unit]
    Description=HAProxy Load Balancer
    After=syslog.target network.target

    [Service]
    ExecStart=/usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
    ExecReload=/bin/kill -USR2 $MAINPID
    User=root
    Group=root

    [Install]
    WantedBy=multi-user.target

Aaron West
Loadbalancer.org Limited
+44 (0)330 380 1064
www.loadbalancer.org

On 9 February 2017 at 17:34, Gunuganti, Uma Maheshwar Rao <ugunuga...@informatica.com> wrote:
> Hi Brandon,
>
> I don’t see any default haproxy on my VM, also I didn't find file at /usr/lib/systemd/system/haproxy.service.
>
> I could see haproxy which I installed 1.7.2 at /etc/init.d/haproxy , attached the same file changing the extension.
>
> Thanks,
> UmaMahesh
>
> -Original Message-
> From: Brandon Perkins [mailto:bperk...@redhat.com]
> Sent: Thursday, February 09, 2017 7:43 AM
> To: Gunuganti, Uma Maheshwar Rao <ugunuga...@informatica.com>
> Cc: haproxy@formilux.org
> Subject: Re: Haproxy reload fails on RHEL 7.2
>
> On Wed, Feb 08, 2017 at 11:39:37PM +, Gunuganti, Uma Maheshwar Rao wrote:
> > Date: Wed, 8 Feb 2017 23:39:37 +
> > From: "Gunuganti, Uma Maheshwar Rao" <ugunuga...@informatica.com>
> > To: "haproxy@formilux.org" <haproxy@formilux.org>
> > Subject: Haproxy reload fails on RHEL 7.2
> > List-Id: Haproxy <haproxy@formilux.org>
> > Content-Type: multipart/alternative;
> > boundary="_000_CY1PR03MB2267E796DBA293868A4D8
> 2ADD3420CY1PR03MB2267namp_"
> >
> > Hi,
> >
> > I am using haproxy 1.7.2 version and trying to use reload option which is failing in my environment with RHEL 7.2 version, same works fine in RHEL 6.8 version.
> >
> > Please find the logs below:
> >
> > Feb 8 23:38:19 localhost systemd: Reloaded SYSV: HA-Proxy is a TCP/HTTP reverse proxy which is particularly suited for high availability environments..
> > Feb 8 23:38:19 localhost systemd: haproxy.service: main process exited, code=killed, status=9/KILL
> > Feb 8 23:38:19 localhost haproxy: Shutting down haproxy: [FAILED]
> > Feb 8 23:38:19 localhost systemd: Unit haproxy.service entered failed state.
> > Feb 8 23:38:19 localhost systemd: haproxy.service failed.
> >
> > Thanks in advance for help.
> >
> > Thanks,
> > UmaMahesh
>
> Could you please post your:
>
> /usr/lib/systemd/system/haproxy.service
>
> file. It appears that you're running your own version of HAProxy, as RHEL 7.2 ships with haproxy-1.5.14-3.el7 and not 1.7.2.
>
> There are some significant differences between the upstream systemd service file and the one we use in Fedora and RHEL, that may indicate where the problem lies.
>
> --
> Thanks,
> Brandon
Re: Haproxy loabalance with cookie
Hi Hoang,

Could we get your HAproxy config please, an example of both scenarios would be best. It may help to better understand your situation.

Aaron West
Loadbalancer.org Limited
+44 (0)330 380 1064
www.loadbalancer.org

On 7 February 2017 at 01:55, Hoang Le Trung <hoangletr...@orenj.com> wrote:
> Hi
>
> I use HAproxy to load balance my backend servers.
>
> But I have problem when I using cookie.
>
> When a cookie is present, the same backend server is used until it dies. So it make overload on this server while other servers free.
>
> If not using cookie, Each client need pass authentication to request data from backend servers. It work ok but take long time to finish many requests from client.
>
> So any solution for my case, I want use Haproxy to load balance session with client and backend server. When client send request, it will forward balance to backend servers( not only one server when use cookie). And client do not need re-authentication when send subsequent request
>
> Thanks!
>
> Best Regards,
>
> --
> This e-mail may contain confidential or privileged information. If you received this e-mail by mistake, please don't forward it to anyone else, please erase it from your device and let me know so I don't do it again.
Re: Getting Client IP to backend instance application
Hi Viranga,

Can I check if you've configured your backend web servers to use either the X-Forwarded-For or X-Client-IP header in your logging?

Normally you would need to do something like the following:

http://www.loadbalancer.org/blog/iis-and-x-forwarded-for-header
http://www.loadbalancer.org/blog/apache-and-x-forwarded-for-headers

Otherwise without understanding your traffic flow it would appear correct, it's worth bearing in mind that XFF headers will usually contain the client IP followed by each successive proxy the connection went through so check if it contains multiple addresses.

Aaron West
Loadbalancer.org Limited
+44 (0)330 380 1064
www.loadbalancer.org

On 18 January 2017 at 03:38, Jayalath, Viranga <viranga.jayal...@pearson.com> wrote:
> Hi Haproxy team ,
>
> I have a question. I have a backed instance which attached to haproxy instance. I have requirement to get client IP in my nodejs application logs . But how ever im getting the haproxy IP. I refer all your x forwarder options can use to get client ip but still im getting the haproxy server ip in my logs. Can you advice any thing i can do . Below you i will mentioned configuration changes i used.
>
> # add X-FORWARDED-FOR
> option forwardfor
> # add X-CLIENT-IP
> http-request add-header X-CLIENT-IP %[src]
>
> --
> Best Regards,
>
> Viranga Jayalath
> DevOps and Application Engineering,Cloud Services Technology Operations
>
> Pearson Lanka (Pvt) Ltd.
> Technology Operations
> Orion City, Alnitak Building
> No. 752, Dr. Danister De Silva Mawatha
> Sri Lanka
>
> M +94 (0) 714 672980
>
> Learn more at pearson.com <http://pearson.com/>
>
> ALWAYS LEARNING
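An added example, not from this thread: because a client can send its own X-Forwarded-For and `option forwardfor` appends HAProxy's entry after it, a backend that logs the first address in the list can be fed a forged one. One way to choose the address to log is to walk the list from the right and stop at the first address that is not a known proxy; the function name, networks and addresses below are constructed for illustration.

```python
import ipaddress
from typing import Iterable, List


def client_ip_from_xff(peer_ip: str, xff_headers: Iterable[str],
                       trusted_nets: Iterable[str]) -> str:
    """Return the address to log for a request.

    peer_ip      -- address of the TCP peer (the load balancer, if it is in front)
    xff_headers  -- every X-Forwarded-For header line, in the order received
    trusted_nets -- networks our own proxies live in (assumed to be known)
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]

    def is_trusted(ip) -> bool:
        return any(ip in net for net in nets)

    # Flatten "a, b" values and repeated header lines into one hop list.
    hops: List[str] = [h.strip() for value in xff_headers
                       for h in value.split(",") if h.strip()]

    current = ipaddress.ip_address(peer_ip)
    # Each entry was written by the hop to its right, so an entry is only
    # believable while the address that reported it is one of our proxies.
    for hop in reversed(hops):
        if not is_trusted(current):
            break
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            break  # not an IP address: keep the last address we could verify
    return str(current)


# Constructed sample: the client sent "X-Forwarded-For: 198.51.100.9" itself,
# then the load balancer at 10.0.0.5 appended the real source, 203.0.113.7.
SAMPLE_HEADERS = ["198.51.100.9", "203.0.113.7"]
SAMPLE_RESULT = client_ip_from_xff("10.0.0.5", SAMPLE_HEADERS, ["10.0.0.0/8"])
```

If the request did not arrive through a trusted proxy at all, the header is ignored and the TCP peer address is returned.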
Re: Need help to resolve haproxy issue
I've not personally had any issues with systemd which I know doesn't mean there isn't any... However, on closer inspection, it gets started through a wrapper "haproxy-systemd-wrapper" for me:

    [Unit]
    Description=HAProxy Load Balancer
    After=network.target

    [Service]
    ExecStartPre=/usr/local/sbin/haproxy -f /etc/haproxy/haproxy.cfg -c -q
    ExecStart=/usr/local/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -$
    ExecReload=/bin/kill -USR2 $MAINPID
    KillMode=mixed
    Restart=always

    [Install]
    WantedBy=multi-user.target

So definitely check if you are using that wrapper or not if systemd is being used.

Otherwise, my feeling is that for whatever reason you cannot access the socket previously created due to permissions... I mean I can get the same error trying to start HAproxy as an unprivileged user who cannot write to the file/directory.

Aaron West
Loadbalancer.org Limited
+44 (0)330 380 1064
www.loadbalancer.org

On 16 January 2017 at 16:21, Baptiste <bed...@gmail.com> wrote:

> Might be a systemd dependency issue, where the socket is not created
> before the process is started.
>
> Baptiste
>
> On Mon, Jan 16, 2017 at 4:46 PM, Aaron West <aa...@loadbalancer.org>
> wrote:
>
>> Hi Praveen,
>>
>> Am I right in assuming it's a socket for the stats page? Also what user
>> is starting HAproxy because maybe it doesn't have permissions to create the
>> socket?
>>
>> We might need your whole config or at least the GLOBAL section...
>>
>> Aaron West
>>
>> Loadbalancer.org Limited
>> +44 (0)330 380 1064
>> www.loadbalancer.org
>>
>> On 16 January 2017 at 15:38, Praveen Koppula <
>> praveenkumarkopp...@gmail.com> wrote:
>>
>>> Some content was missing. Adding again.
>>>
>>> When we reboot our machine (Where haproxy installed) the haproxy going
>>> to be down and it's not starting after machine boot.
>>> When we force to start haproxy service getting below error.
>>> Error: Starting haproxy [ALERT] 047/083514 : Starting frontend GLOBAL:
>>> error when trying to preserve previous UNIX socket
>>> [/etc/haproxy/haproxysock] startproc: exit status of parent of
>>> /usr/sbin/haproxy: 1 Failed
>>>
>>> On Mon, Jan 16, 2017 at 10:32 AM, Praveen Koppula <
>>> praveenkumarkopp...@gmail.com> wrote:
>>>
>>>> Can you please help me on this.
>>>>
>>>> Haproxy version is : 1.5.4-2.1
>>>>
>>>> Thanks in advance
Re: Need help to resolve haproxy issue
Hi Praveen,

Am I right in assuming it's a socket for the stats page? Also what user is starting HAproxy because maybe it doesn't have permissions to create the socket?

We might need your whole config or at least the GLOBAL section...

Aaron West
Loadbalancer.org Limited
+44 (0)330 380 1064
www.loadbalancer.org

On 16 January 2017 at 15:38, Praveen Koppula <praveenkumarkopp...@gmail.com> wrote:

> Some content was missing. Adding again.
>
> When we reboot our machine (Where haproxy installed) the haproxy going to
> be down and it's not starting after machine boot.
> When we force to start haproxy service getting below error.
> Error: Starting haproxy [ALERT] 047/083514 : Starting frontend GLOBAL:
> error when trying to preserve previous UNIX socket
> [/etc/haproxy/haproxysock] startproc: exit status of parent of
> /usr/sbin/haproxy: 1 Failed
>
> On Mon, Jan 16, 2017 at 10:32 AM, Praveen Koppula <
> praveenkumarkopp...@gmail.com> wrote:
>
>> Can you please help me on this.
>>
>> Haproxy version is : 1.5.4-2.1
>>
>> Thanks in advance
Re: Need help to resolve haproxy issue
There are some very knowledgeable people on this list so I'm sure someone can help, however, what might the problem actually be?

Aaron West
Loadbalancer.org Limited
+44 (0)330 380 1064
www.loadbalancer.org

On 16 January 2017 at 15:32, Praveen Koppula <praveenkumarkopp...@gmail.com> wrote:

> Can you please help me on this.
>
> Haproxy version is : 1.5.4-2.1
>
> Thanks in advance
Re: Reverse proxy settings
Hi Thierry,

You need to add "ssl" to the server line, probably "ssl verify none" if you don't need it to check validity of the backend cert.

So:

    backend https-in
        mode http
        option httplog
        option forwardfor
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request add-header X-Forwarded-Proto https if { ssl_fc }
        option httpchk HEAD /HTTP/1.1\r\nHost:localhost
        server node0 ip_web_server:443 ssl verify none

Aaron West
Loadbalancer.org Limited
+44 (0)330 380 1064
www.loadbalancer.org
Re: Haproxy help
Hi Vivek,

You can do this I think with the first scheduler so the option

    balance first

This is what haproxy doc says:

    first   The first server with available connection slots receives the
            connection. The servers are chosen from the lowest numeric
            identifier to the highest (see server parameter id), which
            defaults to the server's position in the farm. Once a server
            reaches its maxconn value, the next server is used. It does
            not make sense to use this algorithm without setting maxconn.
            The purpose of this algorithm is to always use the smallest
            number of servers so that extra servers can be powered off
            during non-intensive hours. This algorithm ignores the server
            weight, and brings more benefit to long session such as RDP
            or IMAP than HTTP, though it can be useful there too. In
            order to use this algorithm efficiently, it is recommended
            that a cloud controller regularly checks server usage to turn
            them off when unused, and regularly checks backend queue to
            turn new servers on when the queue inflates. Alternatively,
            using http-check send-state may inform servers on the load.

Otherwise you may be able to do something based on session rate with ACL's, I used this config once previously:

    frontend TestVIP 192.168.0.236:80 transparent
        mode http
        maxconn 4
        option accept-invalid-http-request
        acl max_conn_reached srv_sess_rate(prod/ProdRIP) gt 10
        acl prod_dead nbsrv(prod) lt 1
        acl whitelist hdr_sub(Cookie) -i SERVERID
        default_backend prod
        use_backend prod if whitelist
        use_backend fallback if max_conn_reached OR prod_dead

    backend prod
        mode http
        balance leastconn
        option abortonclose
        option forwardfor
        option accept-invalid-http-response
        option http-keep-alive
        cookie SERVERID insert nocache indirect
        server ProdRIP 192.168.0.245 weight 100 cookie ProdRIP check port 80 inter 4000 rise 2 fall 2 minconn 0 maxconn 0

    backend fallback
        mode http
        balance leastconn
        option abortonclose
        option forwardfor
        option accept-invalid-http-response
        option http-keep-alive
        server FallbackRIP 192.168.0.246 weight 100 minconn 0 maxconn 0

Regards

Aaron West
Loadbalancer.org Limited
+44 (0)330 380 1064
www.loadbalancer.org

On 18 August 2015 at 13:06, vivek pal mr.vivek...@gmail.com wrote:

> Hi,
>
> We have configured haproxy with balance roundrobin, added 2 web server
> web1,web2 and map website.domain.com with haproxy ip when we hit
> website.domain.com into browser it's working, request is transferring
> both server.
>
> We want to set first 100 hit sent to web1 and rest web2. is it possible?
>
> Regards,
> Vivek Pal.
Re: question on tcp persistence via source ip
Hi,

I'm not aware of a way to achieve what you want exactly. The stick table expiry works best with something like HTTP where connections are not that long so fresh connections keep refreshing the timer. In the case of SSH or RDP you have 1 potentially very long connection so the only option you have is to use a very long expire timeout.

An example being RDP where I regularly recommend 12 hours or so for expire time...

Aaron

On 13 June 2014 02:52, Hailing Xu hailin...@gmail.com wrote:

> Hello haproxy geeks,
>
> I am trying to use haproxy in the following scenario that persistent tcp
> connections using source ip. The client establishes a tcp connection
> (such as ssh for e.g), to vip, and vip allocates a real server rs1. I can
> see the stick table entry via cli. When this tcp session keeps a long
> time, during this period, the relevant stick table entry's expiration
> time is always decreasing, until it is removed for timeout. But at this
> time point the existing tcp connection is still alive. If I close the
> connection, and start a new one, it is allocated a different real server,
> for round robin and no stick table entry matches.
>
> My question is is it normal that timeout the stick entry even there is
> still a session alive from that client?
>
> if yes, why it is designed such a way. Is it more comprehensible that the
> stick table starts timing out after no session from that client.
>
> if no, is there any configuration in haproxy I missed to avoid the stick
> table timeout in case there still existing live session from that client.
>
> Thanks a lot for your help and information.
>
> Hailing.