Need help on Rate limit based on opened session by IP

2015-11-08 Thread Sébastien ROHAUT
Hi,

I'm trying to set a rate limit not only based on source IP, but based on
number of opened sessions (based on a JSESSIONID cookie) per IP. For
example, allow only 10 new sessions per IP in 3 minutes.

I need some help ? How to do that ?

Thanks,

Sebastien Rohaut


tcp-check with persistent session cookie ?

2015-11-06 Thread Sébastien ROHAUT
Hi,

We encountered a big problem this afternoon, which crashed for a while one
of our websites, a java (tomcat+lift) application. We are using Haproxy 1.5.

For our backend, we're doing something like this, using tcp-check because
we need to check status AND a string, which is not possible with http-check:

backend backend-mywebsite
  balance roundrobin
  option redispatch
  option tcp-check
  tcp-check send GET\ /check\ HTTP/1.1\r\nHost:\ www.mywebsite.fr\r\nConnection:\ close\r\n
  tcp-check send \r\n
  tcp-check expect string HTTP/1.1\ 200\ OK
  tcp-check expect  rstring "healthStatus":"(Healthy|DegradedMode)"
  cookie JSESSIONID prefix nocache


  server s1 s1:11503  weight 1 check inter 10s fall 3 rise 2 ssl cookie s1
  server s2 s2:11503  weight 1 check inter 10s fall 3 rise 2 ssl cookie s2
  server s3 s3:11503  weight 1 check inter 10s fall 3 rise 2 ssl cookie s3
  server s4 s4:11503  weight 1 check inter 10s fall 3 rise 2 ssl cookie s4

For some reason, the /check page didn't return the correct application
status and our / returned a 500 even if /check was OK, so we decided to
check /.

After 20 minutes, our application crashed. In fact, our 4 fronts crashed at
the same time, and if we restarted them, 20 minutes after, they crashed
again. We lost some time because we were really thinking of a software bug,
before we realized the root cause.

* Each tcp-check send opens a session on the application
* Each session, on the / page, consumes 500 KB
* session duration : 30 minutes
* We have 4 Haproxy, doing 2 checks (the app provides 2 websites, so one
check for each Host: ), 6 times per minute = 48 checks, each minute. On
each front.
* After 20 minutes : more than 450 MB used in the app for sessions
* Full GC, crash

So, my question is :

Is it possible to get and store the JSESSIONID cookie returned by the
tcp-check expect (or something like this), and send it with the tcp-check
send, to reuse the same session ?

Is there a way for a health check to use persistent cookie session (always
the same, one per server), returned by the check ?

Thank you very much,

Sebastien Rohaut
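
The failure described in this post, and the cookie reuse it asks about, as an added example that is not part of the original message or of HAProxy: a stand-alone Python probe that applies the same two expect rules and replays the JSESSIONID it receives, one per server. `SessionReusingProbe`, its `transport` callable and `FakeBackend` (a constructed stand-in for the Tomcat application) are hypothetical names.

```python
import re

STATUS_OK = b"HTTP/1.1 200 OK"
HEALTH_RE = re.compile(rb'"healthStatus":"(Healthy|DegradedMode)"')
SESSION_RE = re.compile(rb"Set-Cookie:\s*JSESSIONID=([^;\r\n]+)", re.I)

def response_is_healthy(raw: bytes) -> bool:
    """Status line AND body pattern must both match, like the two expect rules."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head.startswith(STATUS_OK) and HEALTH_RE.search(body) is not None

class SessionReusingProbe:
    """Health probe that sends back the session cookie it was given (hypothetical)."""
    def __init__(self, transport, host, path="/check"):
        self.transport = transport  # assumed: callable(server, request) -> response bytes
        self.host, self.path, self.cookies = host, path, {}  # cookies: server -> id

    def build_request(self, server):
        lines = [f"GET {self.path} HTTP/1.1", f"Host: {self.host}", "Connection: close"]
        if server in self.cookies:
            lines.append(f"Cookie: JSESSIONID={self.cookies[server]}")
        return ("\r\n".join(lines) + "\r\n\r\n").encode()

    def check(self, server):
        raw = self.transport(server, self.build_request(server))
        m = SESSION_RE.search(raw.partition(b"\r\n\r\n")[0])
        if m:  # the application issued a session: remember it for the next check
            self.cookies[server] = m.group(1).decode()
        return response_is_healthy(raw)

class FakeBackend:
    """Constructed stand-in for the application: no known cookie means a new session."""
    def __init__(self, status=b"200 OK", health=b"Healthy"):
        self.status, self.health, self.sessions = status, health, set()

    def __call__(self, server, request):
        m = re.search(rb"Cookie: JSESSIONID=(\S+)", request)
        extra = b""
        if not (m and m.group(1) in self.sessions):
            sid = b"%s-%d" % (server.encode(), len(self.sessions) + 1)
            self.sessions.add(sid)  # each entry models one session held in memory
            extra = b"Set-Cookie: JSESSIONID=" + sid + b"; Path=/\r\n"
        body = b'{"healthStatus":"' + self.health + b'"}'
        return b"HTTP/1.1 " + self.status + b"\r\n" + extra + b"\r\n" + body
```

Over 48 checks, the fake backend holds one session when the cookie is replayed, against 48 when every check arrives without one.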


Re: http-check string and return code != 200 behaviour

2015-02-17 Thread Sébastien ROHAUT
Hi,

Thank you for your answer. I changed my configuration like this :

  tcp-check send GET\ /mycheck\ HTTP/1.1\r\nHost:\ myhost\r\nConnection:\ close\r\n
  tcp-check send \r\n
  tcp-check expect string HTTP/1.1\ 200\ OK
  tcp-check expect ! string healthStatus:Unhealthy

And it works very well. Even in SSL. You now have my eternal gratitude :)

Sébastien Rohaut

2015-02-16 22:22 GMT+01:00 Baptiste bed...@gmail.com:

 On Mon, Feb 16, 2015 at 9:29 PM, Sébastien ROHAUT
 sebastien.rohaut@gmail.com wrote:
  Hi,
 
  I'm using an http-check expect string to test the presence of a certain
  string in the body response. Like this
 
  option httpchk GET /mycheck HTTP/1.1\r\nHost:\ myhost.xx\r\nConnection:\ close
  http-check expect ! string healthStatus:Unhealthy
 
  When the backend is not accessible, our nginx returns a default page,
  with a 5XX return code.
 
  In this case (return code != 200), it should be considered as an error,
  and the associated server should be removed from the server. It's not the
  case : HAProxy only checks the string, and says it's OK.
 
  Question :
 
  How to check the string AND check the return code ? I want my server to
  be removed if string is absent OR if return code is != 200 !
 
  Thank you,
 
  Sébastien Rohaut

 Hi Sébastien,

 You can write such sequence using tcp-check, sending your HTTP request
 with tcp-check send and matching with two consecutive tcp-check expect
 rules:
 tcp-check expect string HTTP/1.1\ 200\ OK
 tcp-check expect ! string healthStatus:Unhealthy

 Baptiste



Re: http-check string and return code != 200 behaviour

2015-02-17 Thread Sébastien ROHAUT
Of course ! A very good idea ! But the better should be to accept multiple
http-check expect :)

2015-02-17 10:25 GMT+01:00 Baptiste bed...@gmail.com:

 On Tue, Feb 17, 2015 at 10:12 AM, Sébastien ROHAUT
 sebastien.rohaut@gmail.com wrote:
  Hi,
 
  Thank you for your answer. I changed my configuration like this :
 
  tcp-check send GET\ /mycheck\ HTTP/1.1\r\nHost:\ myhost\r\nConnection:\ close\r\n
  tcp-check send \r\n
  tcp-check expect string HTTP/1.1\ 200\ OK
  tcp-check expect ! string healthStatus:Unhealthy
 
  And it works very well. Even in SSL. You now have my eternal gratitude :)
 
  Sébastien Rohaut


 Sébastien,

 Thanks for your feedback!
 If you don't mind, I'm going to post a blog article on
 blog.haproxy.com with this tip :)

 Baptiste



http-check string and return code != 200 behaviour

2015-02-16 Thread Sébastien ROHAUT
Hi,

I'm using an http-check expect string to test the presence of a certain
string in the body response. Like this

option httpchk GET /mycheck HTTP/1.1\r\nHost:\ myhost.xx\r\nConnection:\ close
http-check expect ! string healthStatus:Unhealthy

When the backend is not accessible, our nginx returns a default page, with
a 5XX return code.

In this case (return code != 200), it should be considered as an error, and
the associated server should be removed from the server. It's not the case
: HAProxy only checks the string, and says it's OK.

Question :

How to check the string AND check the return code ? I want my server to be
removed if string is absent OR if return code is != 200 !

Thank you,

Sébastien Rohaut


Problem with string negation in httpcheck-expect

2015-01-26 Thread Sébastien ROHAUT
Hi,

We're encountering a problem with a http-check expect ! string. Here is a
sample of our check url :

{
  hostname:toto,
  type:backend,
  isHealthy:true,
  healthStatus:Healthy,
  healthyServices:2,
  unhealthyServices:0,
  services:[{
    name:Elasticsearch,
    isServiceHealthy:true,
    serviceHealthStatus:Healthy,
    message:ES Cluster status is GREEN
  },{
    name:ZooKeeper,
    isServiceHealthy:true,
    serviceHealthStatus:Healthy,
    message:ZK Cluster is available
  }],
  belisariusRelease:96
}

For the http-check, we want to test the value of  healthStatus, which can
be Healthy, Unhealthy, DegradedMode. Our server must be put out of
the backend only if value is Unhealthy. So, we tried this :

http-check expect ! string healthStatus:Unhealthy

But it doesn't work as expected. In fact, whatever we put, if we use
negation (we didn't try with something else than string), it doesn't
work. We even tried with toto (which will never be here), it's the same :
the server is always excluded from the backend's pool.

At the end, we used to put a rstring :

http-check expect  rstring healthStatus:(Healthy|DegradedMode)

and it seems to work.

What is the problem ? Are we doing something bad, or perhaps we don't
understand the meaning of the negation ?

Thank you for your help.

Sébastien Rohaut