Re: RHEL distribution still uses HAProxy 1.5

On 01.05.2018 16:26, Norman Branitsky wrote: > We opened a ticket with RHEL Support to ask when they would upgrade to at > least HAProxy 1.7. > This was their reply: > > Most recent comment: On 2018-05-01 10:22:28, Patil, Ravindra commented: > "Hello > > The reason 1.7 (as well and 1.6 and 1.8)

Re: DNS resolver and mixed case responses

On 04.04.2018 16:30, Tim Düsterhus wrote: > Dale, > > Am 03.04.2018 um 16:17 schrieb Dale Smith: >> I'm trying to understand what system is at fault here; the DNS server for >> not responding with the same case as the query, or HAProxy which >> should be >> performing a case insensitive match. >

Re: 100% cpu usage after reload (USR2) with "bind abns@...."

On 05.03.2018 21:06, Dennis Jacobfeuerborn wrote: > Hi, > today I started experimenting with the HAProxy 1.8.4 release and ran > into a Problem when it comes to reloading the configuration (USR2). > I'm running the release tarball via RPM on a CentOS 7 System in > master-worker mode

100% cpu usage after reload (USR2) with "bind abns@...."

Hi, today I started experimenting with the HAProxy 1.8.4 release and ran into a Problem when it comes to reloading the configuration (USR2). I'm running the release tarball via RPM on a CentOS 7 System in master-worker mode and every time I perform a "systemctl reload" the worker process suddenly

Re: Proposal: modify stat socket command feedback

On 30.06.2017 13:43, Andjelko Iharos wrote: > Hi all, > > I'd like to propose for discussion an improvement to the feedback > delivered by HAProxy over the stats socket. > > Currently the feedback of stats socket commands is inconsistent and it > can be difficult for external tools issuing

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

On 12.06.2017 16:21, Emmanuel Hocdet wrote: > In haproxy 1.8dev, default certificate can now be optional. > This patch allow that. This looks like a big footgun. While the idea is interesting and useful if this is to be considered at all this behavior should only be allowed after the user

Admin socket server state and MAINT flag issues

Hi, i'm currently playing with the values that the admin socket return when the "show servers state" command is issued and I noticed to things: 1. When using and abstract namespace socket as address on a server line then the srv_addr "field" will be empty which technically isn't a problem but the

Re: 502 error when connection loopback to haproxy

On 17.02.2017 12:42, Chungwei Yen wrote: > Hi > > I am having a strange error when sending requests back to haproxy. The > configuration is to have an additional layer of frontend/backend to > generate a unique request id for every request then redirect back to > haproxy to the real frontend. >

Re: stick-table not updated with every request

On 22.10.2016 00:08, Willy Tarreau wrote: > Hi Dennis, > > On Fri, Oct 21, 2016 at 09:09:39PM +0200, Dennis Jacobfeuerborn wrote: >> So after more experimenting I got things to work properly when I move >> the "limited_path" acl check from the "tcp-reque

Re: stick-table not updated with every request

On 21.10.2016 18:01, Chad Lavoie wrote: > Greetings, > > > On 10/21/2016 08:19 AM, Dennis Jacobfeuerborn wrote: >> Hi, >> I'm currently experimenting with rate limiting request and while this >> sort-of works I see an issue where sometimes the stick-table that

Re: stick-table not updated with every request

On 21.10.2016 18:01, Chad Lavoie wrote: > Greetings, > > > On 10/21/2016 08:19 AM, Dennis Jacobfeuerborn wrote: >> Hi, >> I'm currently experimenting with rate limiting request and while this >> sort-of works I see an issue where sometimes the stick-table that

stick-table not updated with every request

Hi, I'm currently experimenting with rate limiting request and while this sort-of works I see an issue where sometimes the stick-table that contains the rate-limiting variables isn't update with every request allowing multiple requests to succeed even if they shouldn't. I attached the

Re: Rate limiting w/o 429s

On 05.08.2016 19:11, CJ Ess wrote: > So I know I can use Haproxy to send 429s when a given request rate is > exceeded. > > I have a case where the "user" is mostly screen scrapers and click bots, so > if I return a 429 they'll just turn around and re-request until successful > - I can't expect

Re: Unable to compile HAProxy on RHEL7

On 22.07.2016 17:43, Kuldip Madnani wrote: > I want to compile HAProxy version 1.6.7 for which i am using the following > steps: > > 1. tar xzvf haproxy-1.6.7.tar.gz > 2. make TARGET="generic" USE_STATIC_PCRE=1 USE_OPENSSL=1 USE_LIBCRYPT=1 > USE_ZLIB=1 > > But getting this error: > > $ make

Re: Adding backend server name as request header

ric > CC = gcc > CFLAGS = -O2 -g -fno-strict-aliasing > OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 > USE_PCRE=1 > > TIA > > Guillaume > > --- > Le 2016-05-12 à 14:29, Dennis Jacobfeuerborn <denni...@conversis.de> a écrit : >

Re: Adding backend server name as request header

send-name-header X-CustomHeader > ``` > Which would set the ID of the selected server into the header > `X-CustomHeader`. > See the documentation for further details. > http://cbonte.github.io/haproxy-dconv/configuration-1.5.html > > > > On Thu, May 12, 2016 at 6:29

Adding backend server name as request header

Hi, I'm wondering if there is a way to add the name of the server chosen for the request as a request header i.e. if the following server is chosen for the request: server back1 10.1.0.10:8080 check inter 2 then I'd like to receive this header on the 10.1.0.10 system: X-CustomHeader: back1

Re: HTTPS with SSL pass-through

On 03.05.2016 18:12, Lukas Tribus wrote: > Hi Ondrej, > > your backend probably redirects indefinitely. > > I suggest you troubleshoot what happens exactly with curl (curl -vk > https://example.com), that way you should be able to understand how the > backend behaves. > If I'd have to venture

Re: Sharing SSL information via PROXY protocol or HAProxy internally

On 15.04.2016 16:01, Christian Ruppert wrote: > Hi, > > would it be possible to inherit the SSL information from a SSL > listener/frontend via PROXY protocol? > So for example: > > listen ssl-relay > mode tcp > > ... > > server rsa unix@/var/run/haproxy_ssl_rsa.sock send-proxy-v2 >

Re: Multiple front ends listening to the same address/port -- want a config error

On 12.04.2016 21:11, Baptiste wrote: > On Tue, Apr 12, 2016 at 7:39 PM, Shawn Heisey wrote: >> I copied a front end to set up a new service on my haproxy install. I >> changed the name of the front end, but forgot to change the port number >> on the "bind" option. >> >>

Re: Q: about HTTP/2

On 01.04.2016 16:35, Shawn Heisey wrote: > On 4/1/2016 4:25 AM, Baptiste wrote: >> Do you guys, on the ML, really need HTTP/2? If so what's your deadline?? > > Need? Perhaps not. Want? Very much so. Deadline: ASAP, but don't be > in a hurry. I definitely prefer to have a battle-tested

Re: General SSL vs. non-SSL Performance

On 18.03.2016 11:46, Willy Tarreau wrote: > Hi Christian, > > On Fri, Mar 18, 2016 at 11:31:57AM +0100, Christian Ruppert wrote: >> I also just stumbled over this: >> https://software.intel.com/en-us/articles/accelerating-ssl-load-balancers-with-intel-xeon-v3-processors >> Might be interesting

Haproxy, Internet Explorer and sporadic 408 response

Hi, I'm getting reports that occasionally IE users see 408 error when calling out Site but the behavior is not easily reproducible. I found something about this Problem in the archives: http://comments.gmane.org/gmane.comp.web.haproxy/15263 The proposed workaround mentioned there is to add the

Re: HAProxy Failure Modes

On 11.02.2016 20:23, Edward Hart (c) wrote: > Q1: Can HAProxy be configured to 'roll back' if a patch update causes a > HAProxy failure on a production server? > Q2: Can HAProxy be configured to fail to a known safe state in the event of > server failure during operation? > > I am developing

send-proxy requests not added to stick-table

Hi, I've run into a strange phenomenon and I'm not sure if it's something I'm doing wrong. I have one SSL offloading frontend that receives requests, does "http-request set-header X-Forwarded-Proto https" and then uses send-proxy to forward the request to the plain http backend. In the plain

Re: send-proxy requests not added to stick-table

On 12.02.2016 03:29, Dennis Jacobfeuerborn wrote: > Hi, > I've run into a strange phenomenon and I'm not sure if it's something > I'm doing wrong. > > I have one SSL offloading frontend that receives requests, does > "http-request set-header X-Forwarded-Proto https"

Re: Load balancing and session affinity

Hi alex, the expiry time gets reset on every access so if the expiry time is set to 1h and the client sends a request say every 30 minutes then that session will never expire. Once the session has expired though there is no way for haproxy to know which backend server the client was connected to

HTTP/2 load balancing

Hi, no I'm not asking about when haproxy will begin to support HTTP/2 but instead I'm wondering how this is going to work in general. The Google Cloud Platform for example seem to translate HTTP/2 requests from the client into HTTP/1.1 requests to the servers. While this of course works it also

Re: simply copy mapped value into acl

On 16.11.2015 15:25, Dennis Jacobfeuerborn wrote: > Hi, > I'm trying to figure out the best way to match a source ip against an ip > mapping file and make decisions based on that. What I'm now doing is this: > > acl acl_is_xx src,map_ip() -m str xx > acl acl_is_yy src,map_ip() -

Re: simply copy mapped value into acl

On 23.11.2015 19:19, Andrew Hayworth wrote: > On Mon, Nov 23, 2015 at 10:52 AM, Dennis Jacobfeuerborn > <denni...@conversis.de> wrote: >> Hm, I wasn't aware of the -M flag, thanks! >> >> However in you example you again you have to do multiple lookups even >> t

Re: simply copy mapped value into acl

On 23.11.2015 22:38, Willy Tarreau wrote: > Hi Andrew, > > On Mon, Nov 23, 2015 at 12:19:22PM -0600, Andrew Hayworth wrote: >> That said, the difference between one and two map lookups is >> negligible, so I don't think you're saving much this way and it'll >> make configuration harder in some

Re: simply copy mapped value into acl

On 23.11.2015 17:04, Andrew Hayworth wrote: > On Mon, Nov 23, 2015 at 6:26 AM, Dennis Jacobfeuerborn > <denni...@conversis.de> wrote: >> >> On 16.11.2015 15:25, Dennis Jacobfeuerborn wrote: >>> Hi, >>> I'm trying to figure out the best way to match

simply copy mapped value into acl

Hi, I'm trying to figure out the best way to match a source ip against an ip mapping file and make decisions based on that. What I'm now doing is this: acl acl_is_xx src,map_ip() -m str xx acl acl_is_yy src,map_ip() -m str yy http-request set-header X-Test wasxx if acl_is_xx ... http-request

Re: Microsoft Edge 408

On 24.09.2015 20:00, Sander Klein wrote: > Hi, > > I have some clients that complain about getting 408 errors with > Microsoft Edge. I haven't been able to catch such a request yet, but I > am wondering if this is the same as the Google Chrome preconnect problem. > > Anyone by any chance got the

Re: Easy haproxy redundancy

There is no need to run a full Pacemaker stack. Just run HAProxy on both nodes and manage the virtual ips using keepalived. Regards, Dennis On 08/24/2015 06:09 PM, Kobus Bensch wrote: Hi I have redundant haproxy servers on my environment. We use corosync and pacemaker that manages the HA

Re: High performance HAProxy

2) you didn't specify any process binding in ssl_termination, so the kernel wakes all processes with incoming connections, and a few of them take some and the other ones go back to sleep. With a kernel 3.9 or later, you can multiply the bind lines and bind each of them to a

Re: Is FTP through haproxy at all viable?

On 09.05.2015 21:50, Shawn Heisey wrote: On 5/9/2015 11:43 AM, Dennis Jacobfeuerborn wrote: Most FTP clients these days support SFTP as well and if you use say proftpd+mod_sftp then handling SFTP on the server side become pretty much identical to handling FTP (except all that active/passive

Re: conntrack recommendations

On 07.05.2015 14:30, Vincent Bernat wrote: ❦ 7 mai 2015 13:11 +0100, Neil - HAProxy List maillist-hapr...@iamafreeman.com : I'm after a 'definitivish' reference for setting up conntrack I've been hit by having too small table on some new VMs as ubuntu, by default, sizes the table by

Re: Stick tables and counters persistence

an example of what that looks like? Am I literally adding 127.0.0.1 as a peer? On Fri, Apr 17, 2015 at 12:26 AM, Dennis Jacobfeuerborn denni...@conversis.de wrote: On 17.04.2015 02:12, Igor Cicimov wrote: Hi all, Just a quick one, are the stick tables and counters persisted on haproxy

switching backends based on boolean value

Hi, I'm trying to find the best way to toggle maintenance mode for a site. I have a regular and a maintenance backend defined an I'm using something like: frontend: acl is_maintenance always_false use_backend back-maintenance if is_maintenance default_backend back Since I saw some ACL

Re: Stick tables and counters persistence

On 17.04.2015 02:12, Igor Cicimov wrote: Hi all, Just a quick one, are the stick tables and counters persisted on haproxy 1.5.11 reload/restart? With nbproc=1 yes as long as you use a peers section that contains the local host as an entry. Regards, Dennis

Re: switching backends based on boolean value

On 17.04.2015 00:51, Igor Cicimov wrote: On Fri, Apr 17, 2015 at 3:26 AM, Dennis Jacobfeuerborn denni...@conversis.de wrote: Hi, I'm trying to find the best way to toggle maintenance mode for a site. I have a regular and a maintenance backend defined an I'm using something like

Re: 1.5, reload and zero downtime

On 06.04.2015 22:45, Pavlos Parissis wrote: On 06/04/2015 08:41 μμ, Brian Fleming wrote: I can do reload and there will be no downtime? Yes, reload is a safe operation. But, don't be surprised if you see the old process alive for long time(days). This behavior is caused by insane timeout

Environment variable in port part of peer definition not resolved

Hi, I'm trying to make the haproxy configuration more dynamic using environment variables and while this works for the definition of the pid file and the stats socket when I try to use an env. variable as the port of a peer definition I get an error: peers lb1-peers peer haproxy1-lb1

Re: send/accept-proxy over unix socket not working

On 18.03.2015 13:53, Baptiste wrote: On Wed, Mar 18, 2015 at 1:07 PM, Lukas Tribus luky...@hotmail.com wrote: Date: Wed, 18 Mar 2015 01:49:47 +0100 From: denni...@conversis.de To: luky...@hotmail.com; jarno.huusko...@uef.fi CC: haproxy@formilux.org

Re: send/accept-proxy over unix socket not working

On 13.03.2015 18:44, Lukas Tribus wrote: What version of haproxy are you using ? (And what OS) ? In the first frontend I set: server clear /var/lib/haproxy/test send-proxy In the second frontend I set: bind /var/lib/haproxy/test accept-proxy Are you able to connect to the

HAProxy loses stick tables on reload

Hi, until a moment ago I was under the impression that when performing a reload using the init script (which uses the -sf option for the reload) the stick tables would survive but apparently I was mistaken. Is there a better way to perform a graceful restart that maintains the stick table or a

send/accept-proxy over unix socket not working

Hi, I'm currently trying to find the most efficient way to pass traffic from one frontend to another (and later to another process altogether) so I've tried using unix sockets but this does not seem to work. In the first frontend I set: server clear /var/lib/haproxy/test send-proxy In the second

Re: HAProxy loses stick tables on reload

On 12.03.2015 19:00, Lukas Tribus wrote: Hi, until a moment ago I was under the impression that when performing a reload using the init script (which uses the -sf option for the reload) the stick tables would survive but apparently I was mistaken. Is there a better way to perform a graceful

Browser using wrong/weak ssl cipher only with haproxy

Hi, I noticed that when I use my browser (latest Firefox) to connect to haproxy then it will select an RC4 based cipher even though better options are available. When I make a connection to e.g. https://www.google.com/ the browser uses the correct cipher instead (stronger and the first in the list

Re: SSL Performance increase?

On 06.02.2015 18:50, Dennis Jacobfeuerborn wrote: On 06.02.2015 14:13, Lukas Tribus wrote: I tried to implement these recommendations but didn't seem to get results I was expecting. How exactly does one reliably test that the 1-RTT handshake is actually working? Enable TFO and announce http

Re: SSL Performance increase?

On 06.02.2015 07:38, Shawn Heisey wrote: On 2/5/2015 5:54 AM, Klavs Klavsen wrote: Adding nbproc 4, improved performance of https from 511 req/s to 1296 req/s.. not quite an exponential scaling.. We tested with 8 cores and got 1328 req/s.. so it seems we're hitting something else already

Re: SSL Performance increase?

On 06.02.2015 14:13, Lukas Tribus wrote: I tried to implement these recommendations but didn't seem to get results I was expecting. How exactly does one reliably test that the 1-RTT handshake is actually working? Enable TFO and announce http/1.1 via NPN and ALPN, that should do it. But

Re: SSL Performance increase?

On 05.02.2015 20:09, Baptiste wrote: On Thu, Feb 5, 2015 at 4:54 PM, Klavs Klavsen k...@vsen.dk wrote: Baptiste wrote on 02/05/2015 04:44 PM: [CUT] 3000 req/s in clear is low and a so rounded number is not normal :) Move (far far) away from this provider. You're wasting your time

Modify http response code

Hi, is there a way to modify the http code of a response? Right now I use a backup server to deliver a static maintenance page but I want it to be delivered with a 503 code instead of 200. Is there a way to modify the response code like this? Regards, Dennis

Three questions about stick-tables and request rate limiting

Hi, I'm currently getting a feel for how the stick-tables work in connection with rate limiting requests and three questions have come up. As a foundation I used this link: http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/ (Specifically the Limiting the

Re: 25% of requests shown as error-req

On 31.10.2014 10:05, Willy Tarreau wrote: Hi Dennis, On Fri, Oct 31, 2014 at 12:51:21AM +0100, Dennis Jacobfeuerborn wrote: On 30.10.2014 19:01, Dennis Jacobfeuerborn wrote: ... [30/Oct/2014:18:46:36.035] front-http front-http/NOSRV -1/-1/-1/-1/19117 400 187 - - CR-- 49/49/0/0/0 0/0

25% of requests shown as error-req

Hi, I just put haproxy into use on a site and while things seem to work I noticed that the frontend shows 20 mio. sessions handled total but under errors/req it shows a number of 5 mio. These 5 mio. seem to correspond to the number of 4xx reponses shown when i hover over the sessions/total entry

Re: 25% of requests shown as error-req

On 30.10.2014 17:12, Dennis Jacobfeuerborn wrote: Hi, I just put haproxy into use on a site and while things seem to work I noticed that the frontend shows 20 mio. sessions handled total but under errors/req it shows a number of 5 mio. These 5 mio. seem to correspond to the number of 4xx

Re: 25% of requests shown as error-req

On 30.10.2014 19:01, Dennis Jacobfeuerborn wrote: ... [30/Oct/2014:18:46:36.035] front-http front-http/NOSRV -1/-1/-1/-1/19117 400 187 - - CR-- 49/49/0/0/0 0/0 BADREQ ... So after a bit more googling I found the following mail thread that mentions this as some sort of tcp pre-connect

Re: Understanding haproxy cpu usage in ssl-offload scenario

On 17.10.2014 03:47, Dennis Jacobfeuerborn wrote: Hi, I'm currently trying to determine the best configuration for haproxy but have issues with understanding how the cpu's are used. The system is a virtual machine configured with 8 cores. The global section of the configuration contains

Understanding haproxy cpu usage in ssl-offload scenario

Hi, I'm currently trying to determine the best configuration for haproxy but have issues with understanding how the cpu's are used. The system is a virtual machine configured with 8 cores. The global section of the configuration contains these cpu settings: nbproc 8 cpu-map all

Re: shellshock and haproxy

On 30.09.2014 10:51, Baptiste wrote: On Mon, Sep 29, 2014 at 2:36 PM, Thomas Heil h...@terminal-consulting.de wrote: Hi, To mitigate the shellshock attack we added two lines in our frontends. -- frontend fe_80 -- reqideny ^[^:]+:\s*\(\s*\) reqideny

Re: Session sticking to backup server

' and or 'on-marked-up shutdown-backup-sessions' they might help with your issue. Another option could be to remove the backup server from your config, and serve the static page with 'errorfile 503 /etc/haproxy/errorfiles/503sorry.http'. Dennis Jacobfeuerborn schreef op 29-9-2014 4:23: Hi

tcp-check not checking

Hi, I just configured the load-balacing for systems that are yet to be installed yet according to the tcp-check of haproxy these systems are all available. This is the backend config I'm using right now: backend back-api bind-process 1 option tcp-check mode http balance roundrobin

Re: tcp-check not checking

the line completely or add : tcp-check connect You might also want to look at option httpchk. Which is more friendly for basic http checks. Greets PiBa-NL Dennis Jacobfeuerborn schreef op 19-9-2014 19:45: Hi, I just configured the load-balacing for systems that are yet to be installed

Re: Load balancing FTP with HAProxy behind a firewall

On 16.07.2014 10:39, Nicolas Zedde wrote: Hi everyone, I use HAProxy to publish my websites for months now and it works like a charm. Thank you for that. Today, I have to setup FTP access through HAProxy and I face the hideous protocol caveats with the data channel. I want all FTP

Re: Load balancing FTP with HAProxy behind a firewall

On 16.07.2014 15:31, Nicolas Zedde wrote: -Original Message- From: Dennis Jacobfeuerborn [mailto:denni...@conversis.de] Sent: Wednesday, July 16, 2014 1:22 PM To: haproxy@formilux.org Subject: Re: Load balancing FTP with HAProxy behind a firewall Have you considered using SFTP

Re: Detecting if the the client connected using SSL

On 08.07.2014 10:14, Baptiste wrote: On Mon, Jul 7, 2014 at 12:17 PM, Dennis Jacobfeuerborn denni...@conversis.de wrote: On 07.07.2014 08:57, Baptiste wrote: On Mon, Jul 7, 2014 at 3:48 AM, Dennis Jacobfeuerborn denni...@conversis.de wrote: Hi, I'm experimenting with the SSL capabilities

Re: Detecting if the the client connected using SSL

On 07.07.2014 08:57, Baptiste wrote: On Mon, Jul 7, 2014 at 3:48 AM, Dennis Jacobfeuerborn denni...@conversis.de wrote: Hi, I'm experimenting with the SSL capabilities of haproxy and I'm wondering if there is a way to detect if the client connected using SSL? The background is that I have

Detecting if the the client connected using SSL

Hi, I'm experimenting with the SSL capabilities of haproxy and I'm wondering if there is a way to detect if the client connected using SSL? The background is that I have two frontends one for SSL and one for regular http. In the SSL frontend I forward the requests to the http frontend via