On 01.05.2018 16:26, Norman Branitsky wrote:
> We opened a ticket with RHEL Support to ask when they would upgrade to at
> least HAProxy 1.7.
> This was their reply:
>
> Most recent comment: On 2018-05-01 10:22:28, Patil, Ravindra commented:
> "Hello
>
> The reason 1.7 (as well as 1.6 and 1.8)
On 04.04.2018 16:30, Tim Düsterhus wrote:
> Dale,
>
> On 03.04.2018 at 16:17, Dale Smith wrote:
>> I'm trying to understand what system is at fault here; the DNS server for
>> not responding with the same case as the query, or HAProxy which
>> should be
>> performing a case insensitive match.
>
On 05.03.2018 21:06, Dennis Jacobfeuerborn wrote:
> Hi,
> today I started experimenting with the HAProxy 1.8.4 release and ran
> into a Problem when it comes to reloading the configuration (USR2).
> I'm running the release tarball via RPM on a CentOS 7 System in
> master-worker mode
Hi,
today I started experimenting with the HAProxy 1.8.4 release and ran
into a Problem when it comes to reloading the configuration (USR2).
I'm running the release tarball via RPM on a CentOS 7 System in
master-worker mode and every time I perform a "systemctl reload" the
worker process suddenly
On 30.06.2017 13:43, Andjelko Iharos wrote:
> Hi all,
>
> I'd like to propose for discussion an improvement to the feedback
> delivered by HAProxy over the stats socket.
>
> Currently the feedback of stats socket commands is inconsistent and it
> can be difficult for external tools issuing
On 12.06.2017 16:21, Emmanuel Hocdet wrote:
> In haproxy 1.8dev, default certificate can now be optional.
> This patch allows that.
This looks like a big footgun. While the idea is interesting and useful
if this is to be considered at all this behavior should only be allowed
after the user
Hi,
I'm currently playing with the values that the admin socket returns when
the "show servers state" command is issued and I noticed two things:
1. When using an abstract namespace socket as address on a server line
then the srv_addr "field" will be empty which technically isn't a
problem but the
On 17.02.2017 12:42, Chungwei Yen wrote:
> Hi
>
> I am having a strange error when sending requests back to haproxy. The
> configuration is to have an additional layer of frontend/backend to
> generate a unique request id for every request then redirect back to
> haproxy to the real frontend.
>
On 22.10.2016 00:08, Willy Tarreau wrote:
> Hi Dennis,
>
> On Fri, Oct 21, 2016 at 09:09:39PM +0200, Dennis Jacobfeuerborn wrote:
>> So after more experimenting I got things to work properly when I move
>> the "limited_path" acl check from the "tcp-reque
On 21.10.2016 18:01, Chad Lavoie wrote:
> Greetings,
>
>
> On 10/21/2016 08:19 AM, Dennis Jacobfeuerborn wrote:
>> Hi,
>> I'm currently experimenting with rate limiting request and while this
>> sort-of works I see an issue where sometimes the stick-table that
Hi,
I'm currently experimenting with rate limiting request and while this
sort-of works I see an issue where sometimes the stick-table that
contains the rate-limiting variables isn't updated with every request
allowing multiple requests to succeed even if they shouldn't.
I attached the
On 05.08.2016 19:11, CJ Ess wrote:
> So I know I can use Haproxy to send 429s when a given request rate is
> exceeded.
>
> I have a case where the "user" is mostly screen scrapers and click bots, so
> if I return a 429 they'll just turn around and re-request until successful
> - I can't expect
On 22.07.2016 17:43, Kuldip Madnani wrote:
> I want to compile HAProxy version 1.6.7 for which I am using the following
> steps:
>
> 1. tar xzvf haproxy-1.6.7.tar.gz
> 2. make TARGET="generic" USE_STATIC_PCRE=1 USE_OPENSSL=1 USE_LIBCRYPT=1
> USE_ZLIB=1
>
> But getting this error:
>
> $ make
ric
> CC = gcc
> CFLAGS = -O2 -g -fno-strict-aliasing
> OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1
> USE_PCRE=1
>
> TIA
>
> Guillaume
>
> ---
> On 2016-05-12 at 14:29, Dennis Jacobfeuerborn <denni...@conversis.de> wrote:
>
send-name-header X-CustomHeader
> ```
> Which would set the ID of the selected server into the header
> `X-CustomHeader`.
> See the documentation for further details.
> http://cbonte.github.io/haproxy-dconv/configuration-1.5.html
>
>
>
> On Thu, May 12, 2016 at 6:29
Hi,
I'm wondering if there is a way to add the name of the server chosen for
the request as a request header i.e. if the following server is chosen
for the request:
server back1 10.1.0.10:8080 check inter 2
then I'd like to receive this header on the 10.1.0.10 system:
X-CustomHeader: back1
On 03.05.2016 18:12, Lukas Tribus wrote:
> Hi Ondrej,
>
> your backend probably redirects indefinitely.
>
> I suggest you troubleshoot what happens exactly with curl (curl -vk
> https://example.com), that way you should be able to understand how the
> backend behaves.
>
If I'd have to venture
On 15.04.2016 16:01, Christian Ruppert wrote:
> Hi,
>
> would it be possible to inherit the SSL information from a SSL
> listener/frontend via PROXY protocol?
> So for example:
>
> listen ssl-relay
> mode tcp
>
> ...
>
> server rsa unix@/var/run/haproxy_ssl_rsa.sock send-proxy-v2
>
On 12.04.2016 21:11, Baptiste wrote:
> On Tue, Apr 12, 2016 at 7:39 PM, Shawn Heisey wrote:
>> I copied a front end to set up a new service on my haproxy install. I
>> changed the name of the front end, but forgot to change the port number
>> on the "bind" option.
>>
>>
On 01.04.2016 16:35, Shawn Heisey wrote:
> On 4/1/2016 4:25 AM, Baptiste wrote:
>> Do you guys, on the ML, really need HTTP/2? If so what's your deadline??
>
> Need? Perhaps not. Want? Very much so. Deadline: ASAP, but don't be
> in a hurry. I definitely prefer to have a battle-tested
On 18.03.2016 11:46, Willy Tarreau wrote:
> Hi Christian,
>
> On Fri, Mar 18, 2016 at 11:31:57AM +0100, Christian Ruppert wrote:
>> I also just stumbled over this:
>> https://software.intel.com/en-us/articles/accelerating-ssl-load-balancers-with-intel-xeon-v3-processors
>> Might be interesting
Hi,
I'm getting reports that occasionally IE users see 408 error when
calling our site but the behavior is not easily reproducible. I found
something about this Problem in the archives:
http://comments.gmane.org/gmane.comp.web.haproxy/15263
The proposed workaround mentioned there is to add the
On 11.02.2016 20:23, Edward Hart (c) wrote:
> Q1: Can HAProxy be configured to 'roll back' if a patch update causes a
> HAProxy failure on a production server?
> Q2: Can HAProxy be configured to fail to a known safe state in the event of
> server failure during operation?
>
> I am developing
Hi,
I've run into a strange phenomenon and I'm not sure if it's something
I'm doing wrong.
I have one SSL offloading frontend that receives requests, does
"http-request set-header X-Forwarded-Proto https" and then uses
send-proxy to forward the request to the plain http backend.
In the plain
On 12.02.2016 03:29, Dennis Jacobfeuerborn wrote:
> Hi,
> I've run into a strange phenomenon and I'm not sure if it's something
> I'm doing wrong.
>
> I have one SSL offloading frontend that receives requests, does
> "http-request set-header X-Forwarded-Proto https"
Hi alex,
the expiry time gets reset on every access so if the expiry time is set
to 1h and the client sends a request say every 30 minutes then that
session will never expire.
Once the session has expired though there is no way for haproxy to know
which backend server the client was connected to
Hi,
no I'm not asking about when haproxy will begin to support HTTP/2 but
instead I'm wondering how this is going to work in general. The Google
Cloud Platform for example seem to translate HTTP/2 requests from the
client into HTTP/1.1 requests to the servers. While this of course works
it also
On 16.11.2015 15:25, Dennis Jacobfeuerborn wrote:
> Hi,
> I'm trying to figure out the best way to match a source ip against an ip
> mapping file and make decisions based on that. What I'm now doing is this:
>
> acl acl_is_xx src,map_ip() -m str xx
> acl acl_is_yy src,map_ip() -
On 23.11.2015 19:19, Andrew Hayworth wrote:
> On Mon, Nov 23, 2015 at 10:52 AM, Dennis Jacobfeuerborn
> <denni...@conversis.de> wrote:
>> Hm, I wasn't aware of the -M flag, thanks!
>>
>> However in your example you again have to do multiple lookups even
>> t
On 23.11.2015 22:38, Willy Tarreau wrote:
> Hi Andrew,
>
> On Mon, Nov 23, 2015 at 12:19:22PM -0600, Andrew Hayworth wrote:
>> That said, the difference between one and two map lookups is
>> negligible, so I don't think you're saving much this way and it'll
>> make configuration harder in some
On 23.11.2015 17:04, Andrew Hayworth wrote:
> On Mon, Nov 23, 2015 at 6:26 AM, Dennis Jacobfeuerborn
> <denni...@conversis.de> wrote:
>>
>> On 16.11.2015 15:25, Dennis Jacobfeuerborn wrote:
>>> Hi,
>>> I'm trying to figure out the best way to match
Hi,
I'm trying to figure out the best way to match a source ip against an ip
mapping file and make decisions based on that. What I'm now doing is this:
acl acl_is_xx src,map_ip() -m str xx
acl acl_is_yy src,map_ip() -m str yy
http-request set-header X-Test wasxx if acl_is_xx ...
http-request
On 24.09.2015 20:00, Sander Klein wrote:
> Hi,
>
> I have some clients that complain about getting 408 errors with
> Microsoft Edge. I haven't been able to catch such a request yet, but I
> am wondering if this is the same as the Google Chrome preconnect problem.
>
> Anyone by any chance got the
There is no need to run a full Pacemaker stack. Just run HAProxy on both
nodes and manage the virtual ips using keepalived.
Regards,
Dennis
On 08/24/2015 06:09 PM, Kobus Bensch wrote:
Hi
I have redundant haproxy servers on my environment. We use corosync and
pacemaker that manages the HA
2) you didn't specify any process binding in ssl_termination, so the
kernel wakes all processes with incoming connections, and a few of
them take some and the other ones go back to sleep. With a kernel
3.9 or later, you can multiply the bind lines and bind each of them
to a
On 09.05.2015 21:50, Shawn Heisey wrote:
On 5/9/2015 11:43 AM, Dennis Jacobfeuerborn wrote:
Most FTP clients these days support SFTP as well and if you use say
proftpd+mod_sftp then handling SFTP on the server side becomes pretty
much identical to handling FTP (except all that active/passive
On 07.05.2015 14:30, Vincent Bernat wrote:
❦ 7 May 2015 13:11 +0100, Neil - HAProxy List
maillist-hapr...@iamafreeman.com :
I'm after a 'definitivish' reference for setting up conntrack
I've been hit by having too small table on some new VMs as ubuntu, by
default, sizes the table by
an example of what that looks like? Am I literally adding
127.0.0.1 as a peer?
On Fri, Apr 17, 2015 at 12:26 AM, Dennis Jacobfeuerborn
denni...@conversis.de wrote:
On 17.04.2015 02:12, Igor Cicimov wrote:
Hi all,
Just a quick one, are the stick tables and counters persisted on haproxy
Hi,
I'm trying to find the best way to toggle maintenance mode for a site. I
have a regular and a maintenance backend defined and I'm using something
like:
frontend:
acl is_maintenance always_false
use_backend back-maintenance if is_maintenance
default_backend back
Since I saw some ACL
On 17.04.2015 02:12, Igor Cicimov wrote:
Hi all,
Just a quick one, are the stick tables and counters persisted on haproxy
1.5.11 reload/restart?
With nbproc=1 yes as long as you use a peers section that contains the
local host as an entry.
Regards,
Dennis
On 17.04.2015 00:51, Igor Cicimov wrote:
On Fri, Apr 17, 2015 at 3:26 AM, Dennis Jacobfeuerborn
denni...@conversis.de wrote:
Hi,
I'm trying to find the best way to toggle maintenance mode for a site. I
have a regular and a maintenance backend defined and I'm using something
like
On 06.04.2015 22:45, Pavlos Parissis wrote:
On 06/04/2015 08:41 PM, Brian Fleming wrote:
I can do reload and there will be no downtime?
Yes, reload is a safe operation. But, don't be surprised if you see the
old process alive for a long time (days). This behavior is caused by insane
timeout
Hi,
I'm trying to make the haproxy configuration more dynamic using
environment variables and while this works for the definition of the pid
file and the stats socket when I try to use an env. variable as the port
of a peer definition I get an error:
peers lb1-peers
peer haproxy1-lb1
On 18.03.2015 13:53, Baptiste wrote:
On Wed, Mar 18, 2015 at 1:07 PM, Lukas Tribus luky...@hotmail.com wrote:
Date: Wed, 18 Mar 2015 01:49:47 +0100
From: denni...@conversis.de
To: luky...@hotmail.com; jarno.huusko...@uef.fi
CC: haproxy@formilux.org
On 13.03.2015 18:44, Lukas Tribus wrote:
What version of haproxy are you using ? (And what OS) ?
In the first frontend I set:
server clear /var/lib/haproxy/test send-proxy
In the second frontend I set:
bind /var/lib/haproxy/test accept-proxy
Are you able to connect to the
Hi,
until a moment ago I was under the impression that when performing a
reload using the init script (which uses the -sf option for the reload)
the stick tables would survive but apparently I was mistaken.
Is there a better way to perform a graceful restart that maintains the
stick table or a
Hi,
I'm currently trying to find the most efficient way to pass traffic from
one frontend to another (and later to another process altogether) so
I've tried using unix sockets but this does not seem to work.
In the first frontend I set:
server clear /var/lib/haproxy/test send-proxy
In the second
On 12.03.2015 19:00, Lukas Tribus wrote:
Hi,
until a moment ago I was under the impression that when performing a
reload using the init script (which uses the -sf option for the reload)
the stick tables would survive but apparently I was mistaken.
Is there a better way to perform a graceful
Hi,
I noticed that when I use my browser (latest Firefox) to connect to
haproxy then it will select an RC4 based cipher even though better
options are available. When I make a connection to e.g.
https://www.google.com/ the browser uses the correct cipher instead
(stronger and the first in the list
On 06.02.2015 18:50, Dennis Jacobfeuerborn wrote:
On 06.02.2015 14:13, Lukas Tribus wrote:
I tried to implement these recommendations but didn't seem to get
results I was expecting. How exactly does one reliably test that the
1-RTT handshake is actually working?
Enable TFO and announce http
On 06.02.2015 07:38, Shawn Heisey wrote:
On 2/5/2015 5:54 AM, Klavs Klavsen wrote:
Adding nbproc 4, improved performance of https from 511 req/s to 1296
req/s..
not quite an exponential scaling..
We tested with 8 cores and got 1328 req/s.. so it seems we're hitting
something else already
On 06.02.2015 14:13, Lukas Tribus wrote:
I tried to implement these recommendations but didn't seem to get
results I was expecting. How exactly does one reliably test that the
1-RTT handshake is actually working?
Enable TFO and announce http/1.1 via NPN and ALPN, that should
do it.
But
On 05.02.2015 20:09, Baptiste wrote:
On Thu, Feb 5, 2015 at 4:54 PM, Klavs Klavsen k...@vsen.dk wrote:
Baptiste wrote on 02/05/2015 04:44 PM:
[CUT]
3000 req/s in clear is low and a so rounded number is not normal :)
Move (far far) away from this provider.
You're wasting your time
Hi,
is there a way to modify the http code of a response? Right now I use a
backup server to deliver a static maintenance page but I want it to be
delivered with a 503 code instead of 200. Is there a way to modify the
response code like this?
Regards,
Dennis
Hi,
I'm currently getting a feel for how the stick-tables work in connection
with rate limiting requests and three questions have come up.
As a foundation I used this link:
http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/
(Specifically the Limiting the
On 31.10.2014 10:05, Willy Tarreau wrote:
Hi Dennis,
On Fri, Oct 31, 2014 at 12:51:21AM +0100, Dennis Jacobfeuerborn wrote:
On 30.10.2014 19:01, Dennis Jacobfeuerborn wrote:
...
[30/Oct/2014:18:46:36.035] front-http front-http/NOSRV
-1/-1/-1/-1/19117 400 187 - - CR-- 49/49/0/0/0 0/0
Hi,
I just put haproxy into use on a site and while things seem to work I
noticed that the frontend shows 20 mio. sessions handled total but under
errors/req it shows a number of 5 mio. These 5 mio. seem to correspond
to the number of 4xx responses shown when I hover over the sessions/total
entry
On 30.10.2014 17:12, Dennis Jacobfeuerborn wrote:
Hi,
I just put haproxy into use on a site and while things seem to work I
noticed that the frontend shows 20 mio. sessions handled total but under
errors/req it shows a number of 5 mio. These 5 mio. seem to correspond
to the number of 4xx
On 30.10.2014 19:01, Dennis Jacobfeuerborn wrote:
...
[30/Oct/2014:18:46:36.035] front-http front-http/NOSRV
-1/-1/-1/-1/19117 400 187 - - CR-- 49/49/0/0/0 0/0 BADREQ
...
So after a bit more googling I found the following mail thread that
mentions this as some sort of tcp pre-connect
On 17.10.2014 03:47, Dennis Jacobfeuerborn wrote:
Hi,
I'm currently trying to determine the best configuration for haproxy but
have issues with understanding how the cpu's are used.
The system is a virtual machine configured with 8 cores. The global
section of the configuration contains
Hi,
I'm currently trying to determine the best configuration for haproxy but
have issues with understanding how the cpu's are used.
The system is a virtual machine configured with 8 cores. The global
section of the configuration contains these cpu settings:
nbproc 8
cpu-map all
On 30.09.2014 10:51, Baptiste wrote:
On Mon, Sep 29, 2014 at 2:36 PM, Thomas Heil
h...@terminal-consulting.de wrote:
Hi,
To mitigate the shellshock attack we added two lines in our frontends.
--
frontend fe_80
--
reqideny ^[^:]+:\s*\(\s*\)
reqideny
' and or 'on-marked-up
shutdown-backup-sessions' they might help with your issue.
Another option could be to remove the backup server from your config,
and serve the static page with 'errorfile 503
/etc/haproxy/errorfiles/503sorry.http'.
Dennis Jacobfeuerborn wrote on 29-9-2014 4:23:
Hi
Hi,
I just configured the load-balancing for systems that are yet to be
installed yet according to the tcp-check of haproxy these systems are
all available. This is the backend config I'm using right now:
backend back-api
bind-process 1
option tcp-check
mode http
balance roundrobin
the line completely or add : tcp-check
connect
You might also want to look at option httpchk. Which is more friendly
for basic http checks.
Greets PiBa-NL
Dennis Jacobfeuerborn wrote on 19-9-2014 19:45:
Hi,
I just configured the load-balancing for systems that are yet to be
installed
On 16.07.2014 10:39, Nicolas Zedde wrote:
Hi everyone,
I use HAProxy to publish my websites for months now and it works like a
charm. Thank you for that.
Today, I have to setup FTP access through HAProxy and I face the hideous
protocol caveats with the data channel.
I want all FTP
On 16.07.2014 15:31, Nicolas Zedde wrote:
-Original Message-
From: Dennis Jacobfeuerborn [mailto:denni...@conversis.de]
Sent: Wednesday, July 16, 2014 1:22 PM
To: haproxy@formilux.org
Subject: Re: Load balancing FTP with HAProxy behind a firewall
Have you considered using SFTP
On 08.07.2014 10:14, Baptiste wrote:
On Mon, Jul 7, 2014 at 12:17 PM, Dennis Jacobfeuerborn
denni...@conversis.de wrote:
On 07.07.2014 08:57, Baptiste wrote:
On Mon, Jul 7, 2014 at 3:48 AM, Dennis Jacobfeuerborn
denni...@conversis.de wrote:
Hi,
I'm experimenting with the SSL capabilities
On 07.07.2014 08:57, Baptiste wrote:
On Mon, Jul 7, 2014 at 3:48 AM, Dennis Jacobfeuerborn
denni...@conversis.de wrote:
Hi,
I'm experimenting with the SSL capabilities of haproxy and I'm wondering
if there is a way to detect if the client connected using SSL?
The background is that I have
Hi,
I'm experimenting with the SSL capabilities of haproxy and I'm wondering
if there is a way to detect if the client connected using SSL?
The background is that I have two frontends one for SSL and one for
regular http. In the SSL frontend I forward the requests to the http
frontend via
71 matches