Re: I can't disable TLS v1.1 from Internet

2022-10-25 Thread Markus Rietzler

On 24.10.22 at 15:50, Aleksandar Lazic wrote:

Hi Roberto.

On 24.10.22 03:21, Roberto Carna wrote:

Dear, I have this scenario:

Internet --> HAproxy Frontend --> HAproxy Backend --> Web servers


What is the config for the frontend of the HAProxy Frontend?

BTW.: HAProxy 1.5 isn't maintained any more since 2020-01-10
https://www.haproxy.org/

You can get a more recent version from this repos.
https://github.com/iusrepo?q=hap&type=all&language=&sort=
https://github.com/DBezemer/rpm-haproxy


Thanks in advance, greetings!!!


Regards
Alex



you really should upgrade haproxy.

to configure ssl versions you can set global options (e.g.)

ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

in the global section. here i disallow tls v1.0 and v1.1.
you can have a look at

https://mozilla.github.io/server-side-tls/ssl-config-generator/

to get a valid ssl config with ciphers etc.

you have to consider two things:

1) which clients will access your haproxy (frontend). if you have old or legacy browsers or even some applications (with old java), this will affect the choice of ciphers and protocols.


2) which openssl version is installed on your server and which openssl version will haproxy use. Some old openssl libs don't support tls v1.2 (maybe not even v1.1, if it's too old)


markus
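
As an added example (not part of the original reply), the same policy in the form current HAProxy releases prefer: `ssl-min-ver` states the floor once instead of a `no-tlsv1x` list that has to be extended every time another version is retired. It assumes HAProxy 1.8 or later for `ssl-min-ver` and an OpenSSL 1.1.1 or newer build for the TLS 1.3 `ciphersuites` line; the cipher strings are the ECDHE subset of the Mozilla intermediate profile at the time of writing and should be taken from the generator linked above, and the certificate path is a placeholder. The `tune.ssl.default-dh-param` line is what the 2014 post "warning tune.ssl.default-dh-param" further down asks about: the warning is printed whenever the value is unset, but the value is only used when a DHE suite is negotiated and the certificate file carries no DH parameters. For the 2014 "ssl compression" question: HAProxy sets OpenSSL's no-compression option itself, so CRIME needs no setting, and the TLS 1.0 CBC weakness behind BEAST goes away with the minimum version below.

```haproxy
global
    # Floor on the protocol version for every 'bind ... ssl' line; a bind line can
    # still override it. This replaces 'no-sslv3 no-tlsv10 no-tlsv11', which has to
    # be extended by hand each time another version becomes obsolete.
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    # TLS 1.2 cipher list (ECDHE subset of the Mozilla intermediate profile, so no
    # DHE suites) and TLS 1.3 ciphersuites; check the generator for current values.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    # Same floor for the TLS connections HAProxy opens to 'server ... ssl' backends.
    ssl-default-server-options ssl-min-ver TLSv1.2
    # Only used by DHE suites (none above); 2048 also silences the start-up warning.
    tune.ssl.default-dh-param 2048

frontend https
    # Inherits the global defaults. A second listener with 'ssl-min-ver TLSv1.0' on
    # its own bind line is the way to keep one legacy entry point, if a client
    # inventory shows it is still needed.
    bind :443 ssl crt /etc/haproxy/certs/site.pem alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    default_backend web
```

Two checks that go with it: `haproxy -vv | grep 'OpenSSL library supports'` shows which versions the linked library can negotiate at all (the second consideration in the reply: an old library, not the config, may be the limit), and from a host whose openssl still speaks TLS 1.1, `openssl s_client -connect www.example.com:443 -tls1_1 </dev/null` must fail with a protocol version alert while `-tls1_2` still completes the handshake.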



haproxy 2.6.0 and quic

2022-06-03 Thread Markus Rietzler



Hi,

we are using haproxy 2.4.17 at the moment. i have compiled haproxy 2.6 with quic support and quictls.

when i now check my config i get

/opt/haproxy-260# /opt/haproxy-260/sbin/haproxy -c -f haproxy.cfg
[NOTICE]   (35905) : haproxy version is 2.6.0-a1efc04
[NOTICE]   (35905) : path to executable is /opt/haproxy-260/sbin/haproxy
[WARNING]  (35905) : config : parsing [haproxy.cfg:100]: 'log-format' overrides previous 'option httplog' in 'defaults' 
section.
[ALERT](35905) : config : parsing [haproxy.cfg:213] : 'bind' : unsupported stream protocol for datagram family 2 
address 'quic4@:4443'; QUIC is not compiled in if this is what you were looking for.

[ALERT](35905) : config : Error(s) found in configuration file : haproxy.cfg
[ALERT](35905) : config : Fatal errors found in configuration.

the bind part looks like


frontend https
bind 12.34.56.79:4443 ssl crt /opt/haproxy/haproxy.ssl.crt crt /opt/haproxy/domain.pem crt /opt/haproxy/domain2.pem 
alpn h2,http/1.1

# enables HTTP/3 over QUIC
bind quic4@:4443 ssl crt /opt/haproxy/haproxy.ssl.crt crt 
/opt/haproxy/domain.pem crt /opt/haproxy/domain2.pem alpn h3


could it be a problem with my network setup?

i have two network cards in my VM, one for internal and one for external connections.

the external one has two virtual ip addresses:


2: eth0:  mtu 1500 qdisc pfifo_fast state UP 
group default qlen 1000
link/ether 02:01:4d:66:f4:62 brd ff:ff:ff:ff:ff:ff
inet 46.16.79.137/24 brd 46.16.79.137 scope global eth0
   valid_lft forever preferred_lft forever
inet 46.16.74.36/32 scope global eth0
   valid_lft forever preferred_lft forever
inet6 fe80::1:4dff:fe66:f462/64 scope link
   valid_lft forever preferred_lft forever




my build command was

make TARGET=linux-glibc USE_OPENSSL=1 SSL_INC=/opt/quictls/include SSL_LIB=/opt/quictls/lib64 
LDFLAGS="-Wl,-rpath,/opt/quictls/lib64" ADDLIB="-lz -ldl" USE_ZLIB=1 USE_PCRE=1 USE_PCRE=yes USE_LUA=1 
LUA_LIB_NAME=lua5.3  LUA_INC=/usr/include/lua5.3 ;




HAProxy version 2.6.0-a1efc04 2022/05/31 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2027.
Known bugs: http://www.haproxy.org/bugs/bugs-2.6.0.html
Running on: Linux Ubuntu
Build options :
  TARGET  = linux-glibc
  CPU = generic
  CC  = cc
  CFLAGS  = -O2 -g -Wall -Wextra -Wundef -Wdeclaration-after-statement -Wfatal-errors -Wtype-limits -fwrapv 
-Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered 
-Wno-missing-field-initializers -Wno-cast-function-type -Wno-string-plus-int -Wno-atomic-alignment

  OPTIONS = USE_PCRE=yes USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1
  DEBUG   = -DDEBUG_STRICT -DDEBUG_MEMORY_POOLS

Feature list : +EPOLL -KQUEUE +NETFILTER +PCRE -PCRE_JIT -PCRE2 -PCRE2_JIT +POLL +THREAD +BACKTRACE -STATIC_PCRE 
-STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -ENGINE +GETADDRINFO +OPENSSL +LUA +ACCEPT4 
-CLOSEFROM +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL -SYSTEMD -OBSOLETE_LINKER +PRCTL 
-PROCCTL +THREAD_DUMP -EVPORTS -OT -QUIC -PROMEX -MEMORY_PROFILING


Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=2).
Built with OpenSSL version : OpenSSL 3.0.3+quic 3 May 2022
Running on OpenSSL version : OpenSSL 3.0.3+quic 3 May 2022
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
OpenSSL providers loaded : default
Built with Lua version : Lua 5.3.1
Built with network namespace support.
Support for malloc_trim() is enabled.
Built with zlib version : 
Running on zlib version : 
Compression algorithms supported : identity("identity"), deflate("deflate"), 
raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT 
IP_FREEBIND
Built with PCRE version : 
Running on PCRE version : 
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Encrypted password support via crypt(3): yes
Built with gcc compiler version ...

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
         h2 : mode=HTTP  side=FE|BE  mux=H2    flags=HTX|HOL_RISK|NO_UPG
       fcgi : mode=HTTP  side=BE     mux=FCGI  flags=HTX|HOL_RISK|NO_UPG
  <default> : mode=HTTP  side=FE|BE  mux=H1    flags=HTX
         h1 : mode=HTTP  side=FE|BE  mux=H1    flags=HTX|NO_UPG
  <default> : mode=TCP   side=FE|BE  mux=PASS  flags=
       none : mode=TCP   side=FE|BE  mux=PASS  flags=NO_UPG

Available services : none

Available filters :
[CACHE] cache
[COMP] compression
[FCGI] fcgi-app
[SPOE] spoe
[TRACE] trace



Seamless Restarts/Reloads in haproxy and master/worker-mode 1.8.

2017-11-29 Thread Markus Rietzler
i have upgraded to version 1.8 and so far everything works.

i have two questions about the new features:


1) seamless reload

one of the new features is seamless restarts.
it is also said that even a version upgrade should work.

how do i achieve this?

at the moment my startup script is very simple:

./sbin/haproxy -D -f ./haproxy.cfg

my reload looks like

./sbin/haproxy -f ./haproxy.cfg -p /opt/haproxy/var/pid -sf $(cat 
/opt/haproxy/var/pid)


how do i get a seamless reload? any special parameters or config needed or does 
it work out of the box?



2) master/worker-mode
haproxy will also support the so called worker mode with

sbin/haproxy -w 2

what is the benefit over the old/other one? do i need the master/worker-mode 
for seamless reloads?


thanxs

Markus
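
As an added example (not part of the message), the two pieces that 1.8 needs for a seamless reload, written against the paths in the startup script above. They are separate features: the stats socket with `expose-fd listeners`, used through `-x` on the reload command line, is what makes the reload seamless; master-worker mode (`-W` on the command line or `master-worker` in the global section) changes how the processes are supervised and how a reload is triggered, and is not required for seamless reloads.

```haproxy
global
    # The running process hands its listening sockets to the new one over this
    # socket, so no connection is refused while the old process is replaced (1.8+).
    stats socket /opt/haproxy/var/haproxy.sock mode 600 level admin expose-fd listeners
    # Master-worker mode (same as starting with -W): a master stays resident and
    # forks the workers; a reload is a SIGUSR2 to the master, which re-executes
    # itself with the same command line. Keep the socket above so the new workers
    # take over the listeners. -Ws is the variant init systems such as systemd track.
    master-worker

# Seamless reload without master-worker, replacing the reload line in the post:
#   ./sbin/haproxy -D -f ./haproxy.cfg -p /opt/haproxy/var/pid \
#       -x /opt/haproxy/var/haproxy.sock -sf $(cat /opt/haproxy/var/pid)
# With master-worker: start once, then reload with a signal to the master pid:
#   ./sbin/haproxy -W -f ./haproxy.cfg -p /opt/haproxy/var/pid
#   kill -USR2 $(cat /opt/haproxy/var/pid)
# Either way run 'haproxy -c -f ./haproxy.cfg' first: a config error on reload
# leaves the old process running, but it is better caught before.
```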



haproxy 1.8.0 and http/2

2017-11-28 Thread Markus Rietzler
hi,
i just want to thank the haproxy team for making such a great programme.

i have updated our production server to haproxy 1.8.0 and am now able to
support http/2 to clients via haproxy. no need to change the backend servers
as they still run on http/1.1.

thanxs to the haproxy team


Markus



Re: redirect scheme and error 503 (in logs)

2017-09-13 Thread Markus Rietzler
On 13.09.17 at 10:41, Jarno Huuskonen wrote:
> Hi,
> 
> Can you try with newer haproxy, AFAIK 1.7.6 had redirect related
> regression:
> https://www.mail-archive.com/haproxy@formilux.org/msg26519.html
>
that looks good. upgraded to version 1.7.9 and the 503 errors are gone. i can 
use the redirect scheme in my frontend section

thanxs

> On Tue, Sep 12, Markus Rietzler wrote:
>> On 12.09.17 at 22:11, Markus Rietzler wrote:
>>> i have some acls in my haproxy.cfg.
>>> i want to do a http https redirection for some of my urls
>>>
>>>
>>>   acl pathContent path_beg /foo /bar
>>>   acl is_root path -i /
>>>   redirect scheme https code 301 if redirect_neander pathContent
>>>   redirect scheme https code 301 if redirect_neander is_root
>>>
>>> i sometimes see a "503 Service unavailable" error in my browser.
>>>
>>> this is a curl call to my server:
>>>
>>> curl -v http://www.server.de/foo
>>> *   Trying 12.34.45.67...
>>> * TCP_NODELAY set
>>> * Connected to www.server.de (12.34.45.67) port 80 (#0)
>>>> GET /agb HTTP/1.1
>>>> Host: www.server.de
>>>> User-Agent: curl/7.54.0
>>>> Accept: */*
>>>>
>>> < HTTP/1.1 301 Moved Permanently
>>> < Content-length: 0
>>> < Location: https://www.server.de/foo
>>> <
>>> * Connection #0 to host www.neanderticket.de left intact
>>>
>>> and in my haproxy.log i see
>>>
>>> 77.88.99.11:34548 [12/Sep/2017:22:09:28.741] www www/<NOSRV> 0/-1/-1/-1/0 503 309 - - LR-- 34/22/0/0/0 0/0 {www.server.de|curl/7.54.0} "GET /foo HTTP/1.1"
>>>
>>> when accessed via iphone the page is redirected to ssl. then it is ok, all 
>>> objects are loaded via ssl and the page is
>>> displayed ok. BUT i do get the 503 NOSRV error in the haproxy.log.
>>>
>>> i have several 503 errors in the logs. i am a little concerned that this is
>>> a real error and my users do see a 503 error
>>> page in the browser - at least sometimes.
>>>
>>>
>>> markus
>>>
>>>
>> if i use the acl in my frontend section i get the 503; if i use it in my
>> backend section there is no error...
>>
>> with the redirect scheme rules in the backend section it seems to work
>> pretty well. now i get the log
>>
>> 77.88.99.11:48362 [12/Sep/2017:22:30:34.115] www lbwww/master 4/0/0/-1/4 301 97 - - LR-- 47/27/0/1/0 0/0 {www.server.de|curl/7.54.0} "HEAD /foo HTTP/1.1"
>>
>> even the tests with curl or my iphone do what they should. i see the 301 in 
>> my haproxy.log, my iphone displays the page
>> the way it should (switched from http to https)
>>
>> ./sbin/haproxy -vv
>> HA-Proxy version 1.7.6 2017/06/16
>> Copyright 2000-2017 Willy Tarreau 
> 




Re: redirect scheme and error 503 (in logs)

2017-09-12 Thread Markus Rietzler
On 12.09.17 at 22:11, Markus Rietzler wrote:
> i have some acls in my haproxy.cfg.
> i want to do a http https redirection for some of my urls
> 
> 
>   acl pathContent path_beg /foo /bar
>   acl is_root path -i /
>   redirect scheme https code 301 if redirect_neander pathContent
>   redirect scheme https code 301 if redirect_neander is_root
> 
> i sometimes see a "503 Service unavailable" error in my browser.
> 
> this is a curl call to my server:
> 
> curl -v http://www.server.de/foo
> *   Trying 12.34.45.67...
> * TCP_NODELAY set
> * Connected to www.server.de (12.34.45.67) port 80 (#0)
>> GET /agb HTTP/1.1
>> Host: www.server.de
>> User-Agent: curl/7.54.0
>> Accept: */*
>>
> < HTTP/1.1 301 Moved Permanently
> < Content-length: 0
> < Location: https://www.server.de/foo
> <
> * Connection #0 to host www.neanderticket.de left intact
> 
> and in my haproxy.log i see
> 
> 77.88.99.11:34548 [12/Sep/2017:22:09:28.741] www www/<NOSRV> 0/-1/-1/-1/0 503 309 - - LR-- 34/22/0/0/0 0/0 {www.server.de|curl/7.54.0} "GET /foo HTTP/1.1"
> 
> when accessed via iphone the page is redirected to ssl. then it is ok, all 
> objects are loaded via ssl and the page is
> displayed ok. BUT i do get the 503 NOSRV error in the haproxy.log.
> 
> i have several 503 errors in the logs. i am a little concerned that this is a
> real error and my users do see a 503 error
> page in the browser - at least sometimes.
> 
> 
> markus
> 
> 
if i use the acl in my frontend section i get the 503; if i use it in my backend
section there is no error...

with the redirect scheme rules in the backend section it seems to work pretty
well. now i get the log

77.88.99.11:48362 [12/Sep/2017:22:30:34.115] www lbwww/master 4/0/0/-1/4 301 97 - - LR-- 47/27/0/1/0 0/0 {www.server.de|curl/7.54.0} "HEAD /foo HTTP/1.1"

even the tests with curl or my iphone do what they should. i see the 301 in my 
haproxy.log, my iphone displays the page
the way it should (switched from http to https)

./sbin/haproxy -vv
HA-Proxy version 1.7.6 2017/06/16
Copyright 2000-2017 Willy Tarreau 

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=yes USE_LUA=1 USE_PCRE=yes

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), 
raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.0.2g  1 Mar 2016
Running on OpenSSL version : OpenSSL 1.0.2g  1 Mar 2016
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.38 2015-11-23
Running on PCRE version : 8.38 2015-11-23
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with Lua version : Lua 5.3.1
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT 
IP_FREEBIND

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[COMP] compression
[TRACE] trace
[SPOE] spoe




redirect scheme and error 503 (in logs)

2017-09-12 Thread Markus Rietzler
i have some acls in my haproxy.cfg.
i want to do a http https redirection for some of my urls


  acl pathContent path_beg /foo /bar
  acl is_root path -i /
  redirect scheme https code 301 if redirect_neander pathContent
  redirect scheme https code 301 if redirect_neander is_root

i sometimes see a "503 Service unavailable" error in my browser.

this is a curl call to my server:

curl -v http://www.server.de/foo
*   Trying 12.34.45.67...
* TCP_NODELAY set
* Connected to www.server.de (12.34.45.67) port 80 (#0)
> GET /agb HTTP/1.1
> Host: www.server.de
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Content-length: 0
< Location: https://www.server.de/foo
<
* Connection #0 to host www.neanderticket.de left intact

and in my haproxy.log i see

77.88.99.11:34548 [12/Sep/2017:22:09:28.741] www www/<NOSRV> 0/-1/-1/-1/0 503 309 - - LR-- 34/22/0/0/0 0/0 {www.server.de|curl/7.54.0} "GET /foo HTTP/1.1"

when accessed via iphone the page is redirected to ssl. then it is ok, all 
objects are loaded via ssl and the page is
displayed ok. BUT i do get the 503 NOSRV error in the haproxy.log.

i have several 503 errors in the logs. i am a little concerned that this is a
real error and my users do see a 503 error
page in the browser - at least sometimes.


markus



Re: redirect scheme except some urls/params

2017-09-09 Thread Markus Rietzler
On 09.09.17 at 16:03, Markus Rietzler wrote:
> hi,
> 
> i want to activate redirection from http to https for my sites. but my problem
> is that there are certain requests which
> can't be redirected to https.
> 
> so i have to write some acls to check this.
> 
> the urls which can't be redirected all contain client=, they can look
> like:
> 
> - /path/what=all;client=bar
> - /path/what=all;client=foo
> - /path/what=all;client=bar;mode=something
> - /path/?client=bar;what=today
> 
> those paths will be internally rewritten in apache.
> 
> so i need to check, that client= is not present in the request.
> 
> there are two further cases, client=; and client=sitemap; they can be
> redirected to https. i tried a few ways but they
> didn't work. i either get a 503 Server not available or all the client=xxx
> requests are redirected to https.
> 
> i tried:
> 
> acl clientCheck urlp_reg /client=(?!(sitemap|;)).+/
> redirect scheme https code 301 if !clientCheck
> 
> or
> 
> acl clientCheck path_reg /client=/
> redirect scheme https code 301 if !clientCheck
> 
> any hints?
> 
> thanxs
> 
> markus
> 
> 
i have tried to set up another rule: just redirect on certain paths.

acl redirect_host hdr(host) -i www.host.de
acl pathContent path_beg /agb /aktuell /datenschutz /fotos ...
acl is_root path -i /
redirect scheme https code 301 if redirect_host pathContent
redirect scheme https code 301 if redirect_host is_root


but then i get a

503 Service Unavailable
No server is available to handle this request.

error. this is the log for this case:

12.34.56.78:52328 [09/Sep/2017:16:24:53.888] www www/<NOSRV> 1/-1/-1/-1/1 503 349 - - LR-- 64/53/0/0/0 0/0 {www.host.de|Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWe} "GET /fotos/1234.jpg HTTP/1.1"




redirect scheme except some urls/params

2017-09-09 Thread Markus Rietzler
hi,

i want to activate redirection from http to https for my sites. but my problem is
that there are certain requests which
can't be redirected to https.

so i have to write some acls to check this.

the urls which can't be redirected all contain client=, they can look like:

- /path/what=all;client=bar
- /path/what=all;client=foo
- /path/what=all;client=bar;mode=something
- /path/?client=bar;what=today

those paths will be internally rewritten in apache.

so i need to check, that client= is not present in the request.

there are two further cases, client=; and client=sitemap; they can be redirected
to https. i tried a few ways but they
didn't work. i either get a 503 Server not available or all the client=xxx
requests are redirected to https.

i tried:

acl clientCheck urlp_reg /client=(?!(sitemap|;)).+/
redirect scheme https code 301 if !clientCheck

or

acl clientCheck path_reg /client=/
redirect scheme https code 301 if !clientCheck

any hints?

thanxs

markus
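
Added example, not code from either post: a single regex on the full request URL, because the `client=` parameter sits in the path (`;`-separated) as well as in the query string, and `urlp` only splits on `&`. The lookahead needs a PCRE build, which the `USE_PCRE=yes` in the `haproxy -vv` output on this page provides, and the pattern is single-quoted so that the `$` is not taken for an environment variable. The 503 that both posts see with a redirect rule in the frontend is the 1.7.6 regression discussed in the "redirect scheme and error 503" thread above, gone from 1.7.9 on; the rule below is written for the frontend. Bind address and backend name are placeholders.

```haproxy
frontend www
    bind :80
    # Stay on HTTP when client= carries a real value. The parameter appears in the
    # path (';'-separated, rewritten later by Apache) or in the query string, so
    # match on the whole URL. The PCRE lookahead (?!...) makes the match fail when
    # client= is followed by a separator or the end of the URL (empty value), or by
    # "sitemap" and then a separator or the end: exactly the two cases that may be
    # redirected. "sitemapfoo" is a real value and stays on HTTP.
    acl keep_http url_reg '[;?&]client=(?!(sitemap)?([;&]|$))'
    # Guard against a redirect loop if this frontend ever terminates TLS too
    acl is_https ssl_fc
    redirect scheme https code 301 if !keep_http !is_https
    default_backend lbwww

# Expected decisions for the URLs listed in the post:
#   /path/what=all;client=bar                 -> no redirect (keep_http matches)
#   /path/what=all;client=bar;mode=something  -> no redirect
#   /path/?client=bar;what=today              -> no redirect
#   /path/what=all;client=;mode=something     -> redirect (empty value)
#   /path/what=all;client=sitemap             -> redirect
#   /foo                                      -> redirect
```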



Re: Two way authentication issue

2017-08-25 Thread Markus Rietzler
On 25.08.17 at 08:49, Lukas Tribus wrote:
> Hello,
> 
> 
> On 25.08.2017 at 01:47, Keresztes Péter-Zoltán wrote:
>> Hello
>>
>> Basically what I need is when I browse /service/ws to use client certificate 
>> authentication otherwise for everything else to use normal ssl termination
> 
> this is not possible with Haproxy.
> 
> Also, never ever bind to the same port twice. The kernel will load-balance 
> between the 2 frontends and the behavior will be undeterministic.
> 
> 
> cheers,
> lukas
> 
> 
> 
you can do or use client authentication with ssl certificates on haproxy. BUT

1) you have to use and configure the certificates on haproxy
2) you can not pass this certificate to the backend server, only e.g. the user name
as an environment variable

markus



Re: High Availability for haproxy itself

2017-06-08 Thread Markus Rietzler
On 02.06.17 at 11:35, Raphaël Enrici wrote:
> Hi,
> 
> if you are in a simple case where you only need some kind of active/passive 
> solution without big scaling needs on a
> Linux system, look for "haproxy keepalived" on your favorite search engine, 
> you'll find many articles explaining the way
> to go.
> 
> If you need HA and horizontal scaling, take a look at the article from 
> Vincent Bernat here:
> https://vincent.bernat.im/en/blog/2013-exabgp-highavailability
> 
> HTH,
> Raph
> 
> 
> On 2017-06-02 10:34, Jiafan Zhou wrote:
>> Hi,
>>
>> Haproxy ensures the HA for real servers such as httpd. However, in the
>> case of haproxy itself, if it fails, then it requires another instance
>> of haproxy to be ready. Is there any High Availability solution for
>> haproxy itself?
>>
>> Regards,
>> Jiafan
> 
> 
Hi,
keepalived works very well. i have a setup with haproxy running on two VMs which
are connected via keepalived.
the node (to be exact the virtual IP address) is switched if i stop haproxy on
my master. then haproxy on my fallback
node will "jump in". if i restart haproxy on master the IP is switched back...
this has worked very stably over the last years.

the only thing which i could optimize is the healthcheck in keepalived. at the
moment i do a simple "is the process
running" (killall -0 haproxy) test.

i think this could be optimized. e.g. i don't know if it would recognise a hanging
haproxy process correctly. maybe it
would be better to do some http access and look at the answer (e.g. do i get an
"OK" back) or check the response time and
switch if it takes too long...


Markus



Re: HAProxy 1.5 vs 1.6

2016-11-10 Thread Markus Rietzler
On 10.11.16 at 10:24, Pavlos Parissis wrote:
> On 09/11/2016 09:20 μμ, Steven Le Roux wrote:
>> Hi a first good coverage for a comparison between 1.5 and 1.6 would be
>> http://blog.haproxy.com/2015/10/14/whats-new-in-haproxy-1-6/
>>
>> 1.6 is perfectly considered stable and hasn't seen any maintenance
>> release for more than 2 months. It's being widely used so I would be
>> confident with it. It brings many improvements and features (libslz,
>> lua, server states checkpointing,...) over 1.5
>>
> 
> Same story here. 1.6 is a rock solid release and works fine.
> 
> Cheers,
> Pavlos
> 
> 
We are using 1.6.x for quite a long time and it runs perfectly!

Markus



Re: New to haproxy questions

2015-01-17 Thread Markus Rietzler
On 17.01.15 at 03:38, Jeff Zellner wrote:
> 5) Is there a relatively simple way to get "true HA" with a redundant load
> balancer? We have two identical machines side-by-side running EL6 and haproxy,
> one is a disk dd of the other. In the past we used heartbeat with limited
> success; pacemaker has been very problematic for us. For now, we're managing
> manually.

i use haproxy in an HA setup with two machines running keepalived.
it works quite well so far. you can set up different checks in keepalived. at
the moment i do a simple check if haproxy
is alive. when haproxy is stopped, my virtual ip-address is switched to the
backup server. if the master is coming back
the ip-address is switched back again.

i should implement a better and more robust check. at the moment it is a simple
"is alive" check. if haproxy is there
but not responding any more or haproxy is very slow, the check would not detect
this.

but in the last 12 months i had a very stable setup. i can reboot the server for
maintenance without (nearly) any
downtime of my webpage...


markus
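
Added example, not from either message: the HTTP check both posts say is still missing. `monitor-uri` is answered by HAProxy itself, so a hung or saturated process fails it where `killall -0 haproxy` still succeeds, and `monitor fail` turns the answer into a 503 when HAProxy has no live server left, so the virtual IP can move to the peer that still has healthy backends. The listener port, backend name and server addresses are assumptions; the keepalived fragment is shown as a comment for context only.

```haproxy
# Local, plain-HTTP listener used only by keepalived on the same host
frontend monitor
    bind 127.0.0.1:8181
    mode http
    # Answered directly by HAProxy with 200 OK, the request never reaches a backend
    monitor-uri /ok
    # ...except that it answers 503 while the backend has no live server, which is
    # a state a VIP failover should react to as well
    monitor fail if { nbsrv(lbhttps) lt 1 }

backend lbhttps
    server master 10.11.12.13:80 check inter 5s rise 3 fall 2
    server slave  10.11.12.14:80 check inter 5s rise 3 fall 2 backup

# keepalived (not HAProxy configuration): check the URI instead of the process,
# with a short timeout so a slow HAProxy fails the check too.
#   vrrp_script chk_haproxy {
#       script "/usr/bin/curl -sf -m 2 -o /dev/null http://127.0.0.1:8181/ok"
#       interval 2
#       fall 2
#       rise 2
#   }
```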



Re: HAProxy and SSL through and through

2014-07-19 Thread Markus Rietzler
On 18.07.14 at 15:48, Jacob Gibson wrote:
> I realize that not everyone may have had those old messages around.  I have 
> included my original post below.  Also, I've
> read that using the ssl sessionid is not reliable so I'm looking for an 
> alternative.
> 
> I was happily using HAProxy, until I received word that we need to also 
> encrypt traffic to the web servers.  So,
> internet --https--> load balancer --https--> web servers.  Can I still do 
> this with HAProxy?  We don't need any Layer 7
> rules.  If so, what would the config look like?
> 
> We do need the following:
> 
> 1) HTTPS all the way through

that's no problem. we do it in our setup.

this is (part) of our setup:

defaults
mode http
option forwardfor

frontend https
bind 12.23.45.56:443 ssl no-sslv3 crt /opt/haproxy/haproxy.ssl.crt
capture request header Host len 32

reqadd X-Forwarded-Proto:\ https

# you could add headers
http-request set-header X-SSL   %[ssl_fc]
http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
http-request set-header X-SSL-Client-SHA1   %{+Q}[ssl_c_sha1]
http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
http-request set-header X-SSL-Issuer%{+Q}[ssl_c_i_dn]
http-request set-header X-SSL-Client-Not-Before %{+Q}[ssl_c_notbefore]
http-request set-header X-SSL-Client-Not-After  %{+Q}[ssl_c_notafter]

default_backend lbhttps
monitor-uri   /ok


backend lbhttps
server master 10.11.12.13:443 ssl maxconn 50 check  weight 1 inter 5s rise 
3 fall 2 verify none
server slave  10.11.12.14:443 ssl maxconn 50 check backup weight 1 inter 5s 
rise 3 fall 2 verify none


> 2) Web servers need to see the IP of the user

that's a (small) problem with haproxy. as it acts as an http-proxy the webserver
will only see the ip-address of haproxy.
but you can use the x-forwarded-for header or set it like in the example above. but
then your application will have to use
that header and not REMOTE_ADDR

> 3) Users need sticky sessions to a web server (where the sticky assignment 
> counter gets refreshed on each user request)

i assume that this will work. we only use one backend server for SSL. but the
setup for lbhttps is a fallback-setup. so
when "master" is not there all the requests are routed to slave.

> 5) Mobile and older browser support (I say this because I keep reading this 
> about SNI, but I don't know if that applies
> to us)
this is nothing that is affected by haproxy. that's general. the problem is that
you can only have *one* ssl-server
listening/binding to an ip-address. multiple virtual servers like with http
will not work.


markus
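
Added example, not the configuration from the reply: the same setup with the points a reviewer would raise. `verify none` on the server lines means HAProxy accepts any certificate from the web servers, so anything able to answer on the internal network can sit in that path; `verify required` with the internal CA and `verifyhost` closes it. Point 3 of the question (stickiness renewed on each request) is an inserted cookie with `maxidle`, which does not depend on the TLS session ID. `reqadd` was removed in HAProxy 2.1; `http-request set-header` works from 1.5 on. The X-SSL-* headers stay on `set-header`, which overwrites whatever a client sent, whereas `add-header` would let a client smuggle its own `X-SSL-Client-DN` to Apache; their values are only meaningful when the bind line asks for a client certificate. Addresses, names and paths are the placeholders from the post plus an assumed CA file.

```haproxy
defaults
    mode http
    # X-Forwarded-For carries the client IP Apache should log (point 2)
    option forwardfor

frontend https
    bind 12.23.45.56:443 ssl no-sslv3 crt /opt/haproxy/haproxy.ssl.crt
    http-request set-header X-Forwarded-Proto https
    # set-header replaces any copy of these headers the client sent, so Apache can
    # trust them; they only carry values when the bind line has 'verify'.
    http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
    http-request set-header X-SSL-Client-DN     %{+Q}[ssl_c_s_dn]
    default_backend lbhttps
    monitor-uri /ok

backend lbhttps
    # Sticky sessions via an inserted cookie (point 3); maxidle renews the
    # assignment while the session is in use, maxlife caps it.
    cookie SRVID insert indirect nocache secure httponly maxidle 30m maxlife 8h
    # Re-encrypt to the web servers and verify them against the internal CA:
    # 'verify none' would accept any certificate presented on the internal network.
    server master 10.11.12.13:443 ssl verify required ca-file /opt/haproxy/internal-ca.pem verifyhost www.server.de cookie m maxconn 50 check inter 5s rise 3 fall 2
    server slave  10.11.12.14:443 ssl verify required ca-file /opt/haproxy/internal-ca.pem verifyhost www.server.de cookie s maxconn 50 check inter 5s rise 3 fall 2 backup
```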




ssl compression

2014-06-23 Thread Markus Rietzler

hi,
i am just in the process of reviewing/correcting/hardening my ssl setup.

haproxy uses ssl-termination on the frontend. this works very well.
i also use ssl on the backend - due to the setup of our application and apache
config - this also works very well.

when i run a ssl check with globalsign or ssllabs i get a warning about  
CRIME/BEAST (in tls v 1.0)

in apache i can use

#don't use sslcompression, it's insecure
SSLCompression off

to switch off tls compression (because of beast/crime attack) with tls v1.0 and 
compression.
can i deactivate it in haproxy too?

thanxs

markus





Re: [ANNOUNCE] haproxy-1.5.0

2014-06-20 Thread Markus Rietzler
On 19.06.14 at 22:01, Ryan O'Hara wrote:
> On Thu, Jun 19, 2014 at 09:54:29PM +0200, Willy Tarreau wrote:
>> Hi everyone,
>>
>> The list has been unusually silent today, just as if everyone was waiting
>> for something to happen :-)
>>
>> Today is a great day, the reward of 4 years of hard work. I'm announcing the
>> release of HAProxy 1.5.0.
> 
thank you to everyone involved in this great project.
we have been using haproxy for half a year now and are very happy with it!
every dev-version of the 1.5 branch worked very well.
ssl termination, loadbalancing and fallback are great! don't know how i could
have lived without it in the past...


markus




warning tune.ssl.default-dh-param

2014-06-20 Thread Markus Rietzler
hi,
with dev26 and now the release of version 1.5 i get the following warning when
starting haproxy:

Starting haproxy: [WARNING] 170/090803 (38826) : Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.

as far as i understood i need this if i use Diffie-Hellman to generate the 
session key. i need a special dh-key, right?
if i don't use this i don't need to set the tune-ssl param.


thanxs

markus



ssl client certificate passthrough/verify only with certain path

2014-04-28 Thread Markus Rietzler
hi,
i use haproxy 1.5dev24 with ssl-frontend, haproxy connects via ssl to backends.

what i want to achieve is secure access to certain internal or admin pages.
best would be a three-step check:

1) all clients with certain ip-addresses are allowed
2) if from an unknown ip-address then the client ssl certificate is checked
3) as a last fallback access via one time password (mod_auth_otp) is possible.

i have figured out how to route access based on ip-address to backends.


frontend https
bind xx.xx.xx.xx:443 ssl crt /opt/haproxy/haproxy.ssl.crt ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM
capture request header Host len 32
reqadd X-Forwarded-Proto:\ https

acl is_admi path_beg /internal
acl ip_allowed  src 123.45.66.77 123.45.77.88
use_backend int_ip if is_admi ip_allowed
use_backend int_cert if is_admi !ip_allowed

default_backend lbhttps
monitor-uri   /ok


i could combine 2+3) in apache config. also mod_auth_otp would work in apache. 
the question is, h

in apache the client certificate check can be restricted to a location; only then
does my browser ask which ssl certificate
should be used. when i use verify optional in the bind-config option of haproxy
then it will be checked every time
i connect to the ssl-site, also when the client certificate is only
important for access to /internal...

maybe i miss something, maybe there are better ways to achieve a "secure access".
maybe i work with subdomains or a
frontend on other ports...
i also could bypass haproxy for those accesses... that's also an option...

markus
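
The limitation described here is TLS itself: the certificate request is part of the handshake, before HAProxy has seen a path, and HAProxy does not renegotiate per location the way Apache does (the "Two way authentication issue" reply above says the same). What does work is to request the certificate optionally and decide per request, or to give the admin pages a listener of their own. As an added example, not from the post, both variants with the three-step scheme from the post kept; the CA file, CRL, backend names and ports are assumptions.

```haproxy
frontend https
    # 'verify optional': the certificate is requested but its absence does not fail
    # the handshake. The browser prompt is therefore seen on every new TLS session,
    # not only for /internal; that cannot be avoided on a shared listener.
    bind xx.xx.xx.xx:443 ssl crt /opt/haproxy/haproxy.ssl.crt ca-file /opt/haproxy/admin-ca.pem crl-file /opt/haproxy/admin-ca.crl verify optional
    http-request set-header X-Forwarded-Proto https

    acl is_admin    path_beg /internal
    acl ip_allowed  src 123.45.66.77 123.45.77.88
    # Both must hold: a certificate was sent (ssl_c_used) and it verified against
    # ca-file (ssl_c_verify 0). ssl_c_verify alone is also 0 when no certificate was
    # sent at all; with 'verify optional' an invalid one already aborts the handshake
    # unless ca-ignore-err/crt-ignore-err tolerate it, which the pair covers too.
    acl cert_sent   ssl_c_used
    acl cert_valid  ssl_c_verify 0

    # Step 1: known source addresses pass. Step 2: everybody else needs a valid
    # client certificate. Two denies because conditions cannot be grouped; the
    # default deny status is 403.
    http-request deny if is_admin !ip_allowed !cert_sent
    http-request deny if is_admin !ip_allowed !cert_valid
    # Step 3 (OTP) stays in Apache, which gets the certificate identity as a header
    http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)] if is_admin
    use_backend int_admin if is_admin
    default_backend lbhttps

# Alternative: a dedicated listener, so only people who go to the admin port are
# ever asked for a certificate and the handshake itself enforces it. Step 1 does
# not apply here: 'verify required' rejects everyone without a certificate.
frontend admin
    bind xx.xx.xx.xx:8443 ssl crt /opt/haproxy/haproxy.ssl.crt ca-file /opt/haproxy/admin-ca.pem crl-file /opt/haproxy/admin-ca.crl verify required
    http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
    default_backend int_admin
```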



Re: haproxy-1.5-dev23 and ssl handshake failure

2014-04-27 Thread Markus Rietzler

> 
> Markus, please follow Willy's advice and remove all force-* configurations
> from your bind line, you should use no-sslv3/no-tlsv1[0-2] keywords to
> configure specific TLS version, but in this case, as long as you are
> troubleshooting this, I strongly suggest to not configure any specific TLS
> settings.
> 

i have removed the force-options. so i just have

frontend https
 bind 46.16.74.36:443 ssl crt /opt/haproxy/haproxy.ssl.crt ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM


with dev23 and dev24 i don't see any handshake error messages anymore. that's
good. the error messages in the browser
came very seldom. so it's hard to confirm that they are gone. but i would
suppose that they are fixed.

i will have a look on this and report...


thanxs

markus



Re: haproxy for ajp (tomcat)?

2014-04-27 Thread Markus Rietzler
On 25.04.14 at 19:53, Kobus Bensch wrote:
> Hi Paul
> 
> We use haproxy to multiple https servers. After this we have a separate 
> tomcat server for each http server. So a one to one relationship between 
> Apache and tomcat. We then use apache to shop to the tomcat servers. 
> 
> --
> | haproxy1  HA haproxy2 | using corosync/pacemaker
> ---
> Apache1. Apache2
>||
> Tomcat1   Tomcat2
>\   /
>   \ /
>  MySQL DBS 
> 
> 
> 
> Sent from my iPhone
> 
>> On 25 Apr 2014, at 18:19, Paul Hirose  wrote:
>>
>> I was wondering if anyone uses haproxy for http -> ajp (tomcat) 
>> load-balancing.  I often use haproxy for http -> http, but I was just 
>> wondering what would need to happen for the incoming http(s) request to get 
>> translated into ajp and forwarded to tomcat's ajp connector rather than the 
>> http connector.
>>
>> If not, I suppose I could do the http -> ajp conversion in apache httpd, and 
>> place haproxy in between the httpd process and multiple tomcat backends 
>> using tcp mode rather than http mode.
>>
>> I've no specific need for this yet, per se.  Just curious.
>> Thanks,
>> PH
>> ==
>> Paul Hirose
>>
> 
with ajp you can use loadbalancing in apache to use several backend tomcat
servers. it should work with haproxy but i
wonder why not use load balancing with apache. it's there already...

markus



Re: HAproxy and Mysql

2014-04-25 Thread Markus Rietzler
On 25.04.14 at 04:25, Ben Timby wrote:
> My only feedback is that haproxy has a lot of features that make it useful as 
> a MySQL frontend. The stats are great for
> sizing and monitoring purposes. Timeouts and queuing are also great for 
> managing load etc. I used to run haproxy in
> front of a single MySQL instance for those features alone ala:
> 
> http://flavio.tordini.org/a-more-stable-mysql-with-haproxy
> 
> If you are looking to load balance multiple database servers, I think haproxy 
> is a good choice for doing that.
> 
> It will work great as long as everything is functioning normally, but you 
> will need to put a lot of work into handling
> failures and master migration etc. These things haproxy has nothing directly 
> to do with. Here is some information on
> handling failure cases etc. using a simple agent along with haproxy. It is 
> old information, but should be useful.
> 
> http://www.alexwilliams.ca/blog/2009/08/10/using-haproxy-for-mysql-failover-and-redundancy/
> 
> 

i "only" use haproxy for http load balancing, but i also read about the tcp
load balancing and using it as a mysql balancer.


one more thing to take into account: setting up master/slave replication in
mysql is quite easy and works really very well. if you use a load balancer in
front of mysql you have to think about your application and use case. as long
as we are only talking about read access (just selects) it's easy. but if you
also want to have write access (inserts, updates and deletes) it gets
complicated. then we are not talking about master/slave replication, we talk
about master/master or even multi-master replication. then you have to think
about your database setup (unique indexes across all the servers)...


markus




Re: haproxy-1.5-dev23 and ssl handshake failure

2014-04-24 Thread Markus Rietzler

>> my problem is, that i sometimes see an error message in my browser. i
>> also got one response from a user saying that he can't access our
>> ssl-pages and gets an error.
> 
> There are 2 issues here:
> - the fact that you sometimes (?) see this error in the browser
> - the fact that one user can't open the ssl-page at all (likely he has
>   a browser or SSL middlebox incompatible with your SSL settings)
> 
i try to confirm this (as it happens randomly it's not that easy).

> 
> Markus, please follow Willy's advice and remove all force-* configurations
> from your bind line, you should use no-sslv3/no-tlsv1[0-2] keywords to
> configure specific TLS version, but in this case, as long as you are
> troubleshooting this, I strongly suggest to not configure any specific TLS
> settings.
i have now removed them. my thought was to prevent use of "weaker" ssl-versions
(like sslv2), but i found in the docs that this is deactivated by default. so
no real need to force "newer", as sslv3 and tlsv1x are used by default.
> 
> Also, we need the haproxy -vv output. You said you started running SSL
> on haproxy April, 8 th, but dev23 was only released these days. So what
> release did you run previously, and did you have the same problems (in
> the browsers, not the log)?
> 

i have activated ssl load balancing on 8th of april (not because of heartbleed).
so i have only numbers starting from 8th of april. while testing i used ssl
load balancing before and saw a few errors, which stopped me from activating
ssl load balancing in haproxy in the first run.

i have used all versions starting from 1.5 dev19 to now dev23.


./haproxy -vv
HA-Proxy version 1.5-dev23-8317b28 2014/04/23
Copyright 2000-2014 Willy Tarreau 

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing
  OPTIONS = USE_OPENSSL=yes

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built without zlib support (USE_ZLIB not set)
Compression algorithms supported : identity
Built with OpenSSL version : OpenSSL 1.0.1 14 Mar 2012
Running on OpenSSL version : OpenSSL 1.0.1 14 Mar 2012
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built without PCRE support (using libc's regex instead)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.


> 
> [1] https://www.ssllabs.com/ssltest/
> 
everything is OK,
i see sslv2 is disabled ;-) just what i wanted when first using force-
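As an added example (not code from HAProxy or from anyone in this thread), the following Python script finds bind lines that still carry the force-* keywords the reply above asks to remove and rewrites them to the no-* form; the sample config, its addresses and the assumed set of versions to refuse (no-sslv3 no-tlsv10 no-tlsv11) are constructed for the example and are not values from the thread.

```python
"""Lint HAProxy bind lines for force-* TLS keywords.

Added example, not code from HAProxy or from anyone in the thread. It scans a
haproxy.cfg text for the force-sslv3 / force-tlsv1x bind keywords (which pin a
listener to a single protocol version) and rewrites such lines to the no-*
form suggested in the reply. Which versions to refuse depends on the clients
you must still serve; the no-sslv3 no-tlsv10 no-tlsv11 set below is an assumed
policy for the example, not a value from the thread.
"""
from typing import Dict, List

# bind keywords that pin the listener to exactly one protocol version
FORCE_KEYWORDS = ("force-sslv3", "force-tlsv10", "force-tlsv11", "force-tlsv12")

# bind keywords that refuse individual protocol versions
VERSION_OPTIONS = {"no-sslv3", "no-tlsv10", "no-tlsv11", "no-tlsv12"}

# versions to refuse on a hardened listener (assumed policy; adjust to your clients)
RECOMMENDED_OPTIONS = ("no-sslv3", "no-tlsv10", "no-tlsv11")

# constructed sample config; addresses are from the RFC 5737 documentation ranges
SAMPLE_CFG = """\
frontend https
    bind 192.0.2.10:443 ssl crt /etc/haproxy/site.pem force-sslv3 force-tlsv10 ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM
    default_backend lbhttps

frontend plain
    bind 192.0.2.10:80
    default_backend lbhttp
"""


def find_force_keywords(cfg: str) -> List[Dict]:
    """Return one finding per bind line carrying a force-* keyword."""
    findings = []
    for lineno, raw in enumerate(cfg.splitlines(), start=1):
        line = raw.strip()
        if not line.startswith("bind "):
            continue
        tokens = line.split()
        found = [kw for kw in FORCE_KEYWORDS if kw in tokens]
        if found:
            findings.append({"line": lineno, "keywords": found, "text": line})
    return findings


def harden_bind_line(line: str) -> str:
    """Drop force-* keywords; on an ssl listener that carries no explicit
    no-* version option, append the recommended set. Non-ssl bind lines and
    lines that already choose their versions come back unchanged."""
    tokens = [t for t in line.split() if t not in FORCE_KEYWORDS]
    if "ssl" in tokens and not VERSION_OPTIONS.intersection(tokens):
        tokens.extend(RECOMMENDED_OPTIONS)
    return " ".join(tokens)


def harden_cfg(cfg: str) -> str:
    """Apply harden_bind_line to every bind line, keeping indentation and
    leaving all other lines untouched."""
    out = []
    for raw in cfg.splitlines():
        stripped = raw.strip()
        if stripped.startswith("bind "):
            indent = raw[: len(raw) - len(raw.lstrip())]
            out.append(indent + harden_bind_line(stripped))
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in find_force_keywords(SAMPLE_CFG):
        print(f"line {f['line']}: {' '.join(f['keywords'])}")
        print("  ->", harden_bind_line(f["text"]))
    print(harden_cfg(SAMPLE_CFG))
```

Treat RECOMMENDED_OPTIONS as a policy knob: which versions a listener may refuse is decided by the clients you still have to serve, not by the linter. On HAProxy 1.8 and later the ssl-min-ver / ssl-max-ver bind keywords express the same intent more directly than a list of no-* options.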






Re: haproxy-1.5-dev23 and ssl handshake failure

2014-04-24 Thread Markus Rietzler
Am 24.04.14 03:19, schrieb Stefan:
> We also have a lot of "SSL handshake failure" records in log file
> 
> Here some details on configs:
> 
> - haproxy -vv:
> HA-Proxy version 1.5-dev23-8317b28 2014/04/23
> Copyright 2000-2014 Willy Tarreau 
> 
> Build options :
>   TARGET  = linux2628
>   CPU = native
>   CC  = gcc
>   CFLAGS  = -m64 -march=x86-64 -O2 -march=native -g -fno-strict-aliasing
>   OPTIONS = USE_LINUX_SPLICE=1 USE_LINUX_TPROXY=1 USE_LIBCRYPT=1 USE_ZLIB=1 
> USE_OPENSSL=1 USE_STATIC_PCRE=1
> 
> Default settings :
>   maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
> 
> Encrypted password support via crypt(3): yes
> Built with zlib version : 1.2.8
> Compression algorithms supported : identity, deflate, gzip
> Built with OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
> Running on OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports prefer-server-ciphers : yes
> Built with PCRE version : 8.33 2013-05-28
> PCRE library supports JIT : no (USE_PCRE_JIT not set)
> Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
> 
> Available polling systems :
>   epoll : pref=300,  test result OK
>    poll : pref=200,  test result OK
>  select : pref=150,  test result OK
> Total: 3 (3 usable), will use epoll.
> 
> 
> 
could you send your ssl config in haproxy?
did you see those errors after 8th of april like willy and me? (i have
activated ssl load balancing on 8th of april, so i can't compare before
heartbleed)

markus



Re: haproxy-1.5-dev23 and ssl handshake failure

2014-04-24 Thread Markus Rietzler
Am 23.04.14 22:59, schrieb Willy Tarreau:
> Hi again Markus,
> 
> I've checked my own logs and found SSL handshake failures starting
> on April 8th, or the day after Heartbleed was disclosed, as can be
> seen below with the number of errors per day :
> 
>   # err date
>   2 Mar 27
>   2 Mar 28
>   1 Mar 29
>   2 Mar 30
>   3 Mar 31
>   3 Apr  1
>   7 Apr  2
>   1 Apr  3
>   2 Apr  4
>   8 Apr  5
>  24 Apr  6
>   2 Apr  7
> 619 Apr  8
>   2 Apr  9
>   2 Apr 10
> 158 Apr 11
>   6 Apr 12
>   2 Apr 13
> 158 Apr 14
> 157 Apr 15
> 168 Apr 16
> 109 Apr 17
>   7 Apr 18
>   7 Apr 19
>   7 Apr 20
> 110 Apr 21
> 497 Apr 22
> 123 Apr 23
> 
> Interestingly, my version was neither upgraded nor restarted during this
> period, so it cannot be caused by a code change, and is very likely caused
> by bots trying the attack. So I think it's also possible that you're
> experiencing the same things and that you didn't notice them before
> upgrading and checking your logs.
> 
> Hoping this helps,
> Willy
> 
> 
that's really interesting.
i can't compare with my numbers as i have activated ssl load balancing on 8th
of april. i just checked all of my log files and data, because i first doubted
this. so i can't compare my "old" numbers. so heartbleed could really be the
cause of the high numbers.

my problem is, that i sometimes see an error message in my browser. i also got 
one response from a user saying that he
can't access our ssl-pages and gets an error.

markus



haproxy-1.5-dev23 and ssl handshake failure

2014-04-23 Thread Markus Rietzler
today i have switched to dev23. everything is working very well in our
environment. haproxy works perfectly in http mode, load balancing our two
backend servers with master/slave and backup setup.

i also use haproxy for ssl termination. to be exact: haproxy takes ssl
requests to our shop and then does ssl to the backend servers with backup
setup.

so far everything works very well.

the only problem is that i see

xx.xx.xx.xx:50281 [23/Apr/2014:19:49:03.771] https/1: SSL handshake failure

those error messages in the log file. what happens here? sometimes i get an
error message in the browser, firefox gives the error message:
ssl_error_illegal_parameter_alert. but not always.

this is the ssl config for haproxy

global
    daemon
    maxconn 2000
    stats socket /opt/haproxy/var/socket mode 0600 level admin
    user www
    group www
    pidfile /opt/haproxy/var/pid

defaults
    mode http
    log global
    balance roundrobin
    option httplog
    option dontlognull

    retries 3
    option redispatch
    option http-server-close
    # option http-keep-alive
    option forwardfor

    timeout connect 5000ms
    timeout client 5ms
    timeout server 5ms

    log 127.0.0.1  local0

frontend https
    bind xx.xx.xx.xx:443 ssl crt /opt/haproxy/haproxy.ssl.crt force-sslv3 force-tlsv10 ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM
    capture request header Host len 32
    default_backend lbhttps
    monitor-uri   /ok
    reqadd X-Forwarded-Proto:\ https


backend lbhttps
    server master yy.yy.yy.yy:443 ssl maxconn 50 check  weight 1 inter 5s rise 3 fall 2 verify none
    server slave  zz.zz.zz.zz:443 ssl maxconn 50 check backup weight 1 inter 5s rise 3 fall 2 verify none
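As an added example (not code from HAProxy or from anyone in this thread), the following Python script does the per-day count of "SSL handshake failure" lines that Willy posted earlier in the thread, starting from log lines in the format shown above, then flags days that stand out against the median and lists the source addresses behind a given day; the log lines, their RFC 5737 addresses and the spike thresholds are constructed for the example.

```python
"""Count HAProxy 'SSL handshake failure' log lines per day and per source.

Added example, not code from HAProxy or from anyone in the thread. It parses
the error-log line format quoted in the thread, counts failures per day, flags
days whose count stands out against the median of all days, and lists the
addresses behind a day's failures (a handful of addresses producing a jump is
the signature of scanners, not of a configuration change). Sample lines are
constructed; the spike factor and minimum are assumed thresholds.
"""
import re
import statistics
from collections import Counter
from datetime import date, datetime
from typing import Dict, Iterable, List, Optional, Tuple

# error-log line as it appears in the thread; a syslog prefix before it is ignored
# (IPv4 only; extend the ip group for IPv6 listeners)
HANDSHAKE_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
    r"\[(?P<ts>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2})\.\d{3}\] "
    r"(?P<frontend>\S+): SSL handshake failure"
)

# constructed sample log: a quiet baseline, then one day with a burst from two addresses;
# the last line is an ordinary request record that must not be counted
SAMPLE_LOG = """\
203.0.113.9:51234 [30/Mar/2014:10:02:11.301] https/1: SSL handshake failure
203.0.113.9:51240 [31/Mar/2014:11:15:42.118] https/1: SSL handshake failure
198.51.100.23:40311 [31/Mar/2014:22:40:03.990] https/1: SSL handshake failure
203.0.113.9:51250 [01/Apr/2014:09:01:57.004] https/1: SSL handshake failure
198.51.100.23:40400 [07/Apr/2014:18:30:19.777] https/1: SSL handshake failure
203.0.113.9:51260 [07/Apr/2014:20:12:01.112] https/1: SSL handshake failure
198.51.100.77:33001 [08/Apr/2014:00:05:10.001] https/1: SSL handshake failure
198.51.100.77:33002 [08/Apr/2014:00:05:10.243] https/1: SSL handshake failure
198.51.100.77:33003 [08/Apr/2014:00:05:10.498] https/1: SSL handshake failure
198.51.100.77:33004 [08/Apr/2014:00:05:10.733] https/1: SSL handshake failure
198.51.100.77:33005 [08/Apr/2014:00:05:11.010] https/1: SSL handshake failure
192.0.2.44:60100 [08/Apr/2014:02:17:45.560] https/1: SSL handshake failure
192.0.2.44:60101 [08/Apr/2014:02:17:45.802] https/1: SSL handshake failure
192.0.2.44:60102 [08/Apr/2014:02:17:46.050] https/1: SSL handshake failure
203.0.113.9:51270 [08/Apr/2014:14:22:09.300] https/1: SSL handshake failure
203.0.113.9:51275 [08/Apr/2014:14:22:10.300] https/1: SSL handshake failure
192.0.2.44:60110 [08/Apr/2014:02:18:00.000] https/1 lbhttps/master 0/0/1/12/13 200 512 - - ---- 1/1/0/0/0 0/0 "GET /ok HTTP/1.1"
"""


def parse_handshake_failure(line: str) -> Optional[Dict]:
    """Return ip, frontend and timestamp for a handshake-failure line, else None."""
    m = HANDSHAKE_RE.search(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "frontend": m.group("frontend"),
        "when": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S"),
    }


def failures_per_day(lines: Iterable[str]) -> Dict[date, int]:
    """Number of handshake failures per calendar day."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_handshake_failure(line)
        if rec is not None:
            counts[rec["when"].date()] += 1
    return dict(counts)


def flag_spikes(counts: Dict[date, int], factor: float = 3, minimum: int = 5) -> List[Tuple[date, int]]:
    """Days whose count is at least `factor` times the median over all days
    (and at least `minimum`, so a quiet site does not flag every small bump)."""
    if not counts:
        return []
    threshold = max(minimum, factor * statistics.median(counts.values()))
    return sorted((d, n) for d, n in counts.items() if n >= threshold)


def top_sources(lines: Iterable[str], day: Optional[date] = None, n: int = 3) -> List[Tuple[str, int]]:
    """Most frequent source addresses, optionally restricted to one day."""
    by_ip: Counter = Counter()
    for line in lines:
        rec = parse_handshake_failure(line)
        if rec is not None and (day is None or rec["when"].date() == day):
            by_ip[rec["ip"]] += 1
    return by_ip.most_common(n)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    counts = failures_per_day(lines)
    for d in sorted(counts):
        print(f"{counts[d]:4d} {d:%b %d}")
    for d, n in flag_spikes(counts):
        print(f"spike on {d}: {n} failures, top sources {top_sources(lines, d)}")
```

Run it against a real log with `failures_per_day(open("/var/log/haproxy.log"))`; the syslog prefix that precedes each line in production logs is skipped by the regex search. A day flagged by flag_spikes whose top_sources list is dominated by one or two addresses is what a scanner sweep looks like; a flagged day where the failures are spread evenly across many addresses is the pattern to expect after a configuration change that real clients cannot negotiate.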