On 2023-03-26 07:19:18, Willy Tarreau wrote:
> I could finally reproduce it, figure the cause and the fix. The 2.6
> backport is missing this patch for evports and kqueue:
>
> 698342635 BUG/MAJOR: poller: drop FD's tgid when masks don't match
>
> I could verify that it fixes the problem. Withou
Hi,
I saw in the 2.6.10 release notes to report any issues that seem like
they could be related to the concurrency changes. When reloading config
on 2.6.10 or 2.6.11 on FreeBSD 13.1-RELEASE the old process does not
exit and starts to use 100%+ CPU. This does not happen on 2.6.9 with
the same confi
On 2023-03-07 08:09:04, Rainer Duffner wrote:
> I admit I only toyed with TP, so I really don???t know what I???m doing
> there, but:
>
> Have you tried to just use pfSense for this? The developer of the package
> (https://github.com/PiBa-NL) seemed to be active here, but I haven???t seen
> any
Hi Stefan and thanks for your replies.
(Sorry for the late reply and replying to my own mail, I don't seem to
be receiving messages from the list after confirming the subscription
twice and noticed your replies when checking the archives.)
> when I understand you correct then you have forwarding
Hi,
After my other thread about performance issues on OpenBSD we decided to
switch OSes on our HAProxy boxes to FreeBSD 13.1. In the test
environment everything worked perfectly with transparent proxying but
when cutting production over to FreeBSD I ran into an issue and had to
revert for now.
W
use for Debian (because of the version-number
2.4.21 instead of 2.4.22) or need we to wait for repo to be synced?
Greetings,
Marc
> -Original Message-
> From: Willy Tarreau
> Sent: Tuesday, February 14, 2023 5:15 PM
> To: haproxy@formilux.org
> Subject: [ANNOUNCE]
On 2023-01-24 23:04:14, Olivier Houchard wrote:
> On Tue, Jan 24, 2023 at 11:05:37PM +0100, Willy Tarreau wrote:
> > On Tue, Jan 24, 2023 at 02:15:08PM -0600, Marc West wrote:
> > > > Stupid question but I prefer to ask in order to be certain, are all of
> > > >
On 2023-01-24 06:58:57, Willy Tarreau wrote:
> Hi Marc,
Hi Willy,
> See the difference ? There seems to be an insane FD locking cost on this
> system that simply wastes 40% of the CPU there. So I suspect that in your
> first tests you were stressing the locking while in the last one
On 2023-01-23 07:58:24, Willy Tarreau wrote:
> Hi Marc,
Hi Willy,
Thanks for your reply and all of your work on haproxy!
> I think you should try to flood the machine using UDP traffic to see
> the difference between the part that happens in the network stack and
> the part that ha
Hi,
We have been running HAProxy on OpenBSD for serveral years (currently
OpenBSD 7.2 / HAProxy 2.6.7) and everything has been working perfect
until a recent event of higher than normal traffic. It was an unexpected
flood to one site and above ~1100 cur sessions we started to see major
impacts to
is feature.
SSL-LOAD-EXTRA-FILES is an excellent feature we’ve been waiting for as
it simplifies our cert deployment, but in its current form It’s not
really usable for us.
Thank you.
--
Marc-Antoine Leclercq
When you specify multiple server like below, I get how to put the cookie
and its value, but how to specify the cookie value in a server-template
configuration. Because there you have one line that could match multiple
servers. So putting a static value there, does not make sense.
backend bk_w
Can someone Ddos them
-Original Message-
From: Emma Davis [mailto:emma.da...@forglobalreach.com]
To: haproxy@formilux.org
Subject: RE: Load Balancing Software Users
Hi,
Trust you are doing good.
Just a quick follow up to check if you had a chance to review my
previ
empty, so my question
is: would it be plausible that haproxy opens an zeroes the content of the
pidfile faster than cat can read from it ? (This is with version 1.6.14)
Thanks !
Marc
quot;haproxy",
17}, {"[", 1}, {"10", 2}, {"]: ", 3}, {"", 0}, {"Server toto_blue/toto_blue1 is
DOWN, reason: Socket error, check duration: 0ms. 30 active and 1 backup servers
left. 0 sessions active, 0 requeued, 0 remaining in queue.", 169}, {"\n", 1}],
msg_controllen=0, msg_flags=0}, MSG_DONTWAIT|MSG_NOSIGNAL) = 214
26356 11:50:48.820802 getpid() = 10
[...]
26357 11:50:52.704807 sendmsg(19, {msg_name(110)={sa_family=AF_LOCAL,
sun_path="/dev/log"}, msg_iov(8)=[{"<149>Jan 23 10:50:52 ", 21}, {"haproxy",
17}, {"[", 1}, {"10", 2}, {"]: ", 3}, {"", 0}, {"Server toto_blue/toto_blue0 is
UP, reason: Layer7 check passed, code: 200, info: \"OK\", check duration: 16ms.
1 active and 1 backup servers online. 0 sessions requeued, 0 total in queue.",
185}, {"\n", 1}], msg_controllen=0, msg_flags=0}, MSG_DONTWAIT|MSG_NOSIGNAL) =
230
Thanks again for your help !
Marc
Hello,
Thanks for your answer Willy !
On Mon, Jan 22, 2018 at 05:47:55PM +0100, Willy Tarreau wrote:
> Hi Marc,
>
> On Mon, Jan 22, 2018 at 03:18:20PM +0100, Marc Fournier wrote:
> > Cyril Bonté writes:
> >
> > Hello,
> >
> > > Im' not sure
y",
10}, {"[", 1}, {"57", 2}, {"]: ", 3}, {"", 0}, {"Server blue/blue0 was DOWN and
now enters maintenance.", 54}, {"\n", 1}], msg_controllen=0, msg_flags=0},
MSG_DONTWAIT|MSG_NOSIGNAL) = 109
[pid 12164] getpid()= 57
[...]
In this specific situation, HAProxy is not able to recover by itself. I
assume due to how maintenance mode with DNS resolution works. But I've
also seen a case (when no DNS was involved) where the backend server
was seen offline, then online again, despite the actual service behind
HAProxy was up and running the whole time.
Thanks !
Marc
ers a nice hook for this class of tools:
http://cbonte.github.io/haproxy-dconv/1.8/management.html#9
Basically, fetch the stats, parse the CSV format and extract the
per-server/backend "current sessions" field, trigger an alert if the
value is below a certain threshold.
HTH,
Marc
Marc Fournier writes:
> Simply adding "resolve-prefer ipv4" makes the symptom go away, so no big
> deal. But I wanted to point this out, as it might bite others, and I'm
> pretty sure 1.7.x didn't have this issue.
It turns out that "resolve-prefer ipv4"
lso, it doesn't seem right to me that a whole backend can get knocked
out by an incomplete DNS config (ie: the setup works well the first 30
seconds, as long as only the ipv4 A records get considered).
Thanks !
Marc
want to go.
Regards,
Marc
> On 4 Jul 2017, at 6:12 pm, Willy Tarreau wrote:
>
> On Mon, Jul 03, 2017 at 10:11:29PM +1000, Marc Boschma wrote:
>> Is there anyway to log details from the PROXY protocol version 2, such as
>> namespace or any other TLVs? Especially custom.
ssing decisions based on that; even if having to utilise Lua
to effect the inspection…
Possible?
Regards,
Marc
Hello, I am trying to install HAProxy on a VPS with OVH kernel "Linux
vps81430.vps.ovh.ca 3.10.0-327.18.2.el7.x86_64 # 1 SMP Thu Jul 12 11:03:55
UTC 2016 x86_64 x86_64 x86_64 GNU / Linux "but it does not work.
How could I fix it?
?
is there a way of setting it up so that haproxy listens HTTP/2 and talks
HTTP/1.1 to the backend … ?
> On Dec 16, 2015, at 15:34, Lukas Tribus wrote:
>
> Hi Marc,
>
>
>
>> server web2 119.81.152.73:443 weight 1 maxconn 30 check ssl verify none
>
> Apac
tried, just in case, to build / run the 1.7.x dev branch … neither
seems to work ...
> On Dec 16, 2015, at 12:10, Marc Fournier wrote:
>
>
> Okay … thanks to Vincent/Lukas, I have a 1.6.2 built that has OpenSSL 1.0.2
> statically linked … so this line now works, in so far
Okay … thanks to Vincent/Lukas, I have a 1.6.2 built that has OpenSSL 1.0.2
statically linked … so this line now works, in so far as letting the server
start up:
bind :443 ssl crt /etc/ssl/cert.pem no-sslv3 ciphers TLSv1.2 alpn
h2,http/1.1
When I hit the server, the haproxy.log file shows
I’m working on a Debian Jessie (8) system, and need to get a verison of haproxy
working that supports http/2 … I found this HOWTO for HAProxy+Jetty (
https://www.eclipse.org/jetty/documentation/current/http2-configuring-haproxy.html
), but when I do a ‘apt-get install haproxy’, it is installing
Thank you! Upgrading to 1.6.2 seems to have fixed the issue.
Regards,
Marc
Lukas Tribus , 11/6/2015 10:25 AM:
> Hi
>
> I am testing out the new 1.6 Haproxy and everything works great except
> when I try to use it for balancing LDAP traffic in mode tcp. It seems
> to segfa
9s slowstart 20s
Marc
sion. You must compile from sources or wait for the next dev release.
> >
> > Actually, the function "txn.close()" causes a segfault, it will be
> > fixed in a few time.
>
> I just merged your temporary fix, Thierry, so the segfault is supposed
> to be gone. CCing
to a
> single certificate file, not a
> directory)?
yes it works fine with crt pointing to a signe certificate file.
>
> Can you make the openssl tests from the server, connecting locally without
> any intermediate
> devices?
i did and results are the same.
Regards,
>
&g
roduce the segfault ?
>
> Thierry
>
> On Mon, 17 Aug 2015 15:00:25 +0200
> Marc-Antoine wrote:
>
> > Hi,
> >
> > Cyril, as you said, if removed "txn:close()" from the lua script, I don't
> > get segfault anymore.
> >
> > I noticed
127.0.0.1:80
acl debugme req.hdr_cnt(X-debug-me) ge 1
http-request lua mirror if debugme
#default_backend be
Regards,
On Sat, 15 Aug 2015 23:56:57 +0200,
Cyril Bonté wrote :
> Hi Marc-Antoine,
>
> Le 12/08/2015 19:01, Marc-Antoine a écrit :
> > I
response .. "Content-Length: " .. buffer:len() .. "\r\n"
response = response .. "Connection: close\r\n"
response = response .. "\r\n"
response = response .. buffer
txn.res:send(response)
txn:close()
end
On
errorfile 504 /etc/haproxy/errors/504.http
### HTTP ###
frontend fe:80
bind 127.0.0.1:80
acl debugme req.hdr_cnt(X-debug-me) ge 1
http-request lua mirror if debugme
default_backend be
frontend fe:443
bind 127.0.0.1:443 ssl crt /etc/ssl/private
de
> Baptiste wrote on 8/12/2015 11:29:
> > On Wed, Aug 12, 2015 at 11:22 AM, Marc-Antoine
> > wrote:
> >> Hi all,
> >>
> >> i'm trying to use an ECC certificate under haproxy without success :
> >>
> >> * haproxy -vv
> >>
/home/provisionning/0.pem crt
/home/provisionning/cluster2.d
default_backend cluster2
any idea ?
--
Marc-Antoine
Hi,
On Mon, 20 Jul 2015 11:50:50 +0200,
Marc-Antoine wrote :
> Hi Lukas,
>
> frontend cluster:443
> bind 1.2.3.4:443 ssl strict-sni crt /home/provisionning/0.pem crt
> /home/provisionning/cluster.d
> default_backend cluster
> capture request header Host len 2
> > I made a mistake in my previous email : it works locally AND remotely !
>
> What fixed the problem? This may be useful for others as well.
>
>
> Lukas
>
>
--
Marc-Antoine
Hi Lukas,
I made a mistake in my previous email : it works locally AND remotely !
Regards,
On Mon, 20 Jul 2015 19:04:24 +0200,
Lukas Tribus wrote :
> Hi Marc,
>
>
> > Hi Lukas,
> >
> > great intuition :)
> >
> > ---
> >
> > CONNECTED(000
> directory)?
>
> Can you make the openssl tests from the server, connecting locally without
> any intermediate
> devices?
>
>
>
> Thanks,
>
> Lukas
>
>
--
Marc-Antoine
:
> Hi Marc,
>
>
>
> > Hi all,
> >
> > I have some problem making ocsp stapling working. here is what i did :
> >
> > I have 8150.pem with chain, cert and key in it.
> >
> > I have 8150.pem.ocsp that seems ok :
> >
> > # openssl o
Hi,
nobody knows plz ?
On Thu, 9 Jul 2015 13:06:59 +0200,
Marc-Antoine wrote :
> Hi all,
>
> I have some problem making ocsp stapling working. here is what i did :
>
> I have 8150.pem with chain, cert and key in it.
>
> I have 8150.pem.ocsp that seems ok :
>
>
,
--
Marc-Antoine
Hi, just to let you know changelog is missing 1.5.14 infos ;)
great job by the way !
On Fri, 3 Jul 2015 17:55:56 +0200,
Willy Tarreau wrote :
> Changelog: http://www.haproxy.org/download/1.5/src/CHANGELOG
--
Marc-Antoine
Title: Loi Pinel 2015
Si vous
ne parvenez pas à visualiser la newsletter, cliquez
ici
Qu'est
ce que la Loi Pinel ? Le nouveau dispositif Pinel vous permet
d'effacer vos impôts sur 6, 9 ou 12 ans et ainsi déduire
jusqu'à 21% maximum du prix de
the running haproxy process (well, you do,
but not only), you *replace* it.
What you may be looking for, though, is haproxy-systemd-wrapper, which
does all this automatically when it receives SIGUSR2 or SIGHUP.
Regards,
Marc-Antoine
found it just after I sent this:
balance hdr(X-Forwarded-For)
testing right now, but *looks* like it fixes the issue … *cross fingers*
> On Jan 16, 2015, at 9:21 AM, Marc Fournier wrote:
>
>
> Morning all …
>
>I’ve been fighting with an issue here, and hav
Morning all …
I’ve been fighting with an issue here, and have run out of ideas …
We have a wordpress site, two webheads behind haproxy … balance leastconn …
in front of haproxy, we are using Incapsula, as CDN/DDoS shield … if I am only
running one webhead, everythign works great, pages
for this but i'm not sure, do you know it?
Furthermore, I'm interesting in dynamic ACL, what's this? Could you explain
more?
Thanks in advance,
Marc
On 11 September 2014 07:44, Willy Tarreau wrote:
> On Wed, Sep 10, 2014 at 10:38:55PM -0700, Matt Robenolt wrote:
>> Awesome, thanks. :)
>>
>> Is it possible to also get this applied into the 1.5 branch since this is
>> low risk and doesn???t break any backwards compatibility and whatnot?
>
> I'v
stemd wrapper: propagate exit status
>
> src/haproxy-systemd-wrapper.c | 69
> ++-
> 1 file changed, 49 insertions(+), 20 deletions(-)
>
> --
> 1.9.1
>
>
>
Looks good to me.
Any comments, Will?
Regards,
Marc-Antoine
when you say “current version”, do you mean the 1.5 dev version? I’m running
1.4 right now, but its not production, so I can easily “upgrade” if that is
required …
On Apr 14, 2014, at 12:30 , Thierry FOURNIER wrote:
> Hi Marc,
>
> This dev is done in the current haproxy ver
On Apr 9, 2014, at 05:05 , Thierry FOURNIER wrote:
> On Tue, 8 Apr 2014 11:02:42 -0700
> Marc Fournier wrote:
>
>>
>> as per the subject, has anyone done something like this?
>>
>> we’re setting up two backend pools, one geared to RTL languages, one to L
as per the subject, has anyone done something like this?
we’re setting up two backend pools, one geared to RTL languages, one to LTR …
I’d like to set it up so that its transparent to the end user, so that if they
come in requesting, for instance, Arabic, they get directed to the RTL pool,
an
On Sat, 2014-02-15 at 20:04 -0600, Ryan O'Hara wrote:
> On Sun, Feb 16, 2014 at 10:08:31AM +0900, Marc-Antoine Perennou wrote:
>
> > This is why you get
> >
> > haproxy-systemd-wrapper -> main haproxy process -> haproxy worker.
> >
> > haproxy-sys
proxy-systemd-wrapper waits for the main haproxy process to exit to
avoir zombies. The main haproxy process exits when all its workers are
done.
> Thanks.
> Ryan
>
Hope that helps and sounds right.
Marc-Antoine
comments/suggestions are welcome. :)
> >
> > In case the patches get stripped, they are also available from my
> > github account [2]. They are applied to a copy of 1.4.24 there, but
> > should apply cleanly to the development tree.
>
> Great, thank you! I'll wait fo
Formerly, if A was replaced by B, and then B by C before
A finished exiting, we didn't wait for B to finish so it
ended up as a zombie process.
Fix this by waiting randomly every child we spawn.
Signed-off-by: Marc-Antoine Perennou
---
src/haproxy-systemd-wrapper.c | 10 --
1
On 1 April 2013 23:49, Willy Tarreau wrote:
> Great. I'm planning a dev18 release for tomorrow afternoon, tell me
> if you want me to wait a bit more.
>
> Thanks,
> Willy
>
It will be ready before the afternoon so that you can get it in dev18!
Thanks
Hi,
After checking out the man page of waitpid, wait would indeed be sufficient
here.
I didn't actually know about waitpid(-1)
I'll resubmit an updated patch tomorrow!
Thanks
On 1 April 2013 23:32, Willy Tarreau wrote:
> Hi Marc-Antoine,
>
> On Thu, Mar 14, 2013 at 02:
Formerly, if A was replaced by B, and then B by C before
A finished exiting, we didn't wait for B to finish so it
ended up as a zombie process.
Fix this by queuing all process we spawn for waitpid.
Signed-off-by: Marc-Antoine Perennou
---
src/haproxy-systemd-wrapper.c
Formerly, if A was replaced by B, and then B by C before
A finished exiting, we didn't wait for B to finish so it
ended up as a zombie process.
Fix this by queuing all process we spawn for waitpid.
Signed-off-by: Marc-Antoine Perennou
---
src/haproxy-systemd-wrapper.c
Signed-off-by: Marc-Antoine Perennou
---
.gitignore | 1 +
contrib/systemd/Makefile | 8
contrib/systemd/haproxy.service.in | 11 +++
3 files changed, 20 insertions(+)
create mode 100644 contrib/systemd/Makefile
create mode 100644 contrib
Hi,
On 13 February 2013 08:11, Willy Tarreau wrote:
> Hi Marc-Antoine,
>
> On Tue, Feb 12, 2013 at 10:53:54AM +0100, Marc-Antoine Perennou wrote:
> > +systemd/haproxy.service: contrib/systemd/haproxy.service.in
> > + mkdir -p systemd
> > + sed -e
Signed-off-by: Marc-Antoine Perennou
---
.gitignore | 1 +
Makefile | 8 ++--
contrib/systemd/haproxy.service.in | 11 +++
3 files changed, 18 insertions(+), 2 deletions(-)
create mode 100644 contrib/systemd/haproxy.service.in
(not to
conflict with
haproxy itself) signal, and spawing a new haproxy with "-sf" as a child to
relay the
first one.
Signed-off-by: Marc-Antoine Perennou
---
.gitignore| 1 +
Makefile | 16 +-
src/haproxy-systemd-wrapper.c | 113 +
her systems.
Signed-off-by: Marc-Antoine Perennou
---
doc/haproxy-en.txt | 1 +
doc/haproxy-fr.txt | 1 +
doc/haproxy.1 | 4
include/types/global.h | 1 +
src/haproxy.c | 35 +++
5 files changed, 30 insertions(+), 12 deletions(
On 9 February 2013 11:06, Willy Tarreau wrote:
> Hi,
>
> On Sat, Feb 09, 2013 at 10:44:04AM +0100, Marc-Antoine Perennou wrote:
> > I just made a simple test, running a webserver serving a big file
> locally,
> > using haproxy,
> > my wrapper and systemd service. I
SIGUSR2 ok here ? I first did it with SIGUSR1 but then children couldn't
bind
to this signal on reload, since it was already a USR1 action, so I took the
first one
not colliding.
On 9 February 2013 09:49, Willy Tarreau wrote:
> On Fri, Feb 08, 2013 at 03:58:47PM +0100, Marc-Anto
On 9 February 2013 09:45, Willy Tarreau wrote:
> On Fri, Feb 08, 2013 at 03:58:46PM +0100, Marc-Antoine Perennou wrote:
> > @@ -1493,8 +1499,13 @@ int main(int argc, char **argv)
> > px = px->next;
> > }
> >
> > -
Signed-off-by: Marc-Antoine Perennou
---
.gitignore | 1 +
Makefile | 8 ++--
contrib/systemd/haproxy.service.in | 11 +++
3 files changed, 18 insertions(+), 2 deletions(-)
create mode 100644 contrib/systemd/haproxy.service.in
Signed-off-by: Marc-Antoine Perennou
---
doc/haproxy-en.txt | 1 +
doc/haproxy-fr.txt | 1 +
doc/haproxy.1 | 4
include/types/global.h | 1 +
src/haproxy.c | 35 +++
5 files changed, 30 insertions(+), 12 deletions(-)
diff --git
Hi,
Currently, to reload haproxy configuration, you have to use "-sf".
Systemd philosophy is for the daemon not to fork by themselves, but rather let
the init process do it for them.
My first patch adds a new option "-Ds" which is exactly like "-D", but instead
of
forking n times to get n jobs
Signed-off-by: Marc-Antoine Perennou
---
.gitignore| 1 +
Makefile | 16 +-
src/haproxy-systemd-wrapper.c | 122 ++
3 files changed, 137 insertions(+), 2 deletions(-)
create mode 100644 src/haproxy-systemd
It is totally normal that systemd kills the new process as the main one
which was the first has exited. This is the expected behaviour.
I'm currently patching haproxy to fully support systemd, I'll probably
submit my patches by tomorrow (It's fully functionnal here, only needs a
little cleaning)
Signed-off-by: Marc-Antoine Perennou
---
doc/haproxy-en.txt | 1 +
doc/haproxy-fr.txt | 1 +
doc/haproxy.1 | 4
include/types/global.h | 1 +
src/haproxy.c | 31 +++
5 files changed, 26 insertions(+), 12 deletions(-)
diff --git a
Hi,
I'm trying to use haproxy with systemd.
It cannot be done with a raw haproxy for now, because when "reloading" the
configuration file
with haproxy -sf , the former process gets killed, so the service enters a
"failed" state
and thus kills all its children, resulting in no haproxy running.
In
I didn't specify a TARGET option. This was before the Makefile was changed
to prevent that mistake.
On Thu, Sep 17, 2009 at 10:31 AM, Jeffrey 'jf' Lim wrote:
> On Thu, Sep 17, 2009 at 10:25 PM, Marc wrote:
>
>> Hi All,
>> HAProxy is using up 100% of (1) CPU
i386 GNU/Linux
Host is a PowerEdge 860 with Dual Core Genuine Intel(R) CPU 2160 @ 1.80GHz
and 2GB RAM.
Session Rate is ~2800
Process shouldn't be working that hard, right?
Thanks for any advice.
---Marc
haproxy-www.cfg
Description: Binary data
80 matches
Mail list logo