Re: Help

2021-07-07 Thread Shawn Heisey
On 7/7/2021 6:45 AM, Anilton Silva Fernandes wrote: Hi there. Can I get some help from you. I’m configuring HAProxy as a frontend on HTTPS with certificate and I want clients to be redirected to BACKEND on HTTPS as well (443) but I want clients to see only HAProxy certificate, as the backend

Apache/mod_wsgi complaining that the client closed the connection

2021-07-04 Thread Shawn Heisey
I have an application behind haproxy 2.4.1 that is wsgi -- python.  It is this one: https://github.com/atoponce/d-note It appears to work perfectly, but the Apache error log shows this every time the page is loaded: [Sun Jul 04 13:06:09.790898 2021] [wsgi:error] [pid 23697:tid

OT: About WebPageTest results (was Re: SSL Labs says my server isn't doing ssl session resumption)

2021-06-21 Thread Shawn Heisey
On 2021-06-20 06:03, Shawn Heisey wrote: Unrelated, and off topic because it's mostly about Apache, but strange: I've been doing some tests with webpagetest.org, and seeing REALLY long load times for some resources in their waterfall graph. I see no speed problems when I load the pages from my

Re: SSL Labs says my server isn't doing ssl session resumption

2021-06-20 Thread Shawn Heisey
On 6/20/2021 3:16 PM, Lukas Tribus wrote: It's a haproxy bug, affecting 2.4 releases, I've filed an issue in our tracker: https://github.com/haproxy/haproxy/issues/1297 Almost always when I report a problem I'm having with a mature piece of software, I expect the issue to be PEBCAK, not an

Re: SSL Labs says my server isn't doing ssl session resumption

2021-06-20 Thread Shawn Heisey
On 6/20/2021 1:52 AM, Lukas Tribus wrote: Can you try disabling threading, by putting nbthread 1 in your config? That didn't help. From testssl.sh: SSL Session ID support yes Session Resumption Tickets: yes, ID: no An upgrade to 2.4.1 would also be advisable, it actually

Re: SSL Labs says my server isn't doing ssl session resumption

2021-06-20 Thread Shawn Heisey
On 6/17/2021 1:01 AM, Willy Tarreau wrote: I don't know if the config is responsible for this but I've just tested on haproxy.org and it does work there: Session resumption (caching) Yes Session resumption (tickets) Yes Many thanks to everyone who replied, and countless

Re: SSL Labs says my server isn't doing ssl session resumption

2021-06-19 Thread Shawn Heisey
On 6/16/2021 9:26 AM, Lukas Tribus wrote: That is not true, you can disable TLS tickets and still get resumption on TLSv1.2. Disabling TLSv1.0 does not mean disabling Session ID caching. What do you see with testssl.sh ? That was an interesting rabbit hole. Finally got it downloaded

SSL Labs says my server isn't doing ssl session resumption

2021-06-11 Thread Shawn Heisey
I'm fiddling with ssl labs to see how I can improve my TLS setup. Here's what they say about a site I have behind haproxy with TLS: https://www.elyograg.org/foo/haproxy-ssllabs-session-resumption-not-working.png They claim that session resumption isn't working. I'm hoping that I've just done

Re: Upgrading from 1.8 to 2.4, getting warning I can't figure out

2021-06-10 Thread Shawn Heisey
On 6/8/2021 1:47 AM, Remi Tricot-Le Breton wrote: OCSP stapling won't work on any version that shows this warning (for this specific response). But apart from that, everything else should work fine, that's why you only get a warning when parsing the configuration file. If you are positive that

Re: Upgrading from 1.8 to 2.4, getting warning I can't figure out

2021-06-06 Thread Shawn Heisey
On 6/5/2021 10:47 PM, Shawn Heisey wrote: On 6/5/2021 9:30 PM, Shawn Heisey wrote: [WARNING]  (81457) : Loading: OCSP response status not successful. Content will be ignored. Another self-followup: Apparently that warning also happens with 1.8.22 ... I was unaware of this, as I haven't

Re: Upgrading from 1.8 to 2.4, getting warning I can't figure out

2021-06-05 Thread Shawn Heisey
On 6/5/2021 9:30 PM, Shawn Heisey wrote: [WARNING]  (81457) : Loading: OCSP response status not successful. Content will be ignored. I deleted the .ocsp file sitting next to the certificate file, and now when I check the config file, it's says it's valid with no other messages. root@smeagol

Upgrading from 1.8 to 2.4, getting warning I can't figure out

2021-06-05 Thread Shawn Heisey
I am upgrading haproxy on my servers from 1.8.22 to 2.4.0. I have been slowly working to fix the messages that I get when I check the config file. I have one left, but I cannot find any info about how to fix it: [WARNING] (81457) : Loading: OCSP response status not successful. Content will

Re: Idea + question regarding the build targets

2019-06-15 Thread Shawn Heisey
On 6/15/2019 2:54 AM, Willy Tarreau wrote: Actually maybe we should have some super-options separate from the target to decide what feature set to enable. Instead of having just TARGET being mandatory, we could have both TARGET and OPTIONS for example. Then one could just build like this :

Re: Idea + question regarding the build targets

2019-06-14 Thread Shawn Heisey
On 6/14/2019 7:01 AM, Willy Tarreau wrote: OK. When discussing this with William, we figured it could be interesting instead to have some aliases which are maybe more symbolic, such as : - linux-complete : full set of supported features, will simply fail if you don't have all libs

Re: haproxy architecture

2019-05-20 Thread Shawn Heisey
On 5/20/2019 6:58 AM, Jeff Abrahamson wrote: We set up an haproxy instance to front several rails servers.  It's working well, so we're quickly wanting to use it for other services. Since the load on the haproxy host is low (even minuscule), we're tempted to push everything through a single

Re: DDoS protection: ban clients with high HTTP error rates

2019-01-23 Thread Shawn Heisey
On 1/23/2019 8:16 AM, Marco Colli wrote: 1. Based on advanced conditions (e.g. current user) our Rails application decides whether to return a normal response (e.g. 2xx) or a 429 (Too Many Requests); it can also return other errors, like 401 2. HAProxy bans clients if they produce too many 4xx

Re: Trying to get logging above 1024 characters

2018-08-14 Thread Shawn Heisey
On 8/14/2018 3:06 PM, Cyril Bonté wrote: >> Is there any config that will successfully log the full request? > > Please read the documentation about the length option for the log > keyword, particularly the part about tune.http.logurilen ;-) Thank you! That fixed it, I'm now successfully

Trying to get logging above 1024 characters

2018-08-14 Thread Shawn Heisey
I'm trying with 1.8.13 to get full logging of requests that would push the syslog message beyond 1024 characters. I'm not having very good luck. I have this config in global: log 127.0.0.1 len 65535 format rfc5424 local0 log 127.0.0.1 len 65535 format rfc5424 local1 notice In some of

Re: Setting up per-domain logging with haproxy

2018-07-17 Thread Shawn Heisey
On 7/17/2018 2:17 PM, Jonathan Matthews wrote: > That's *entirely* your local syslog daemon's responsibility - > configure it appropriately, and it'll do what you want. I seem to remember there being logging options to have haproxy create logfiles directly, in addition to syslog. But now when I

Setting up per-domain logging with haproxy

2018-07-17 Thread Shawn Heisey
I have a setup that works like this: internet->haproxy->apache->tomcat I have been doing some experiments where the apache server is skipped, and traffic goes directly from haproxy to tomcat. These experiments have gone very well. Removing Apache from the mix would simplify things greatly. I

Re: 502 Bad Gateway

2018-05-08 Thread Shawn Heisey
On 5/7/2018 11:25 PM, UPPALAPATI, PRAVEEN wrote: > If I add ssl termination to the config: > > listen http_proxy-1000 > bind *:1000 ssl test.pem > mode http > option httplog > http-request set-uri https://%[url_param(redirHost)]%[capture.req.uri] > option http_proxy > > I get

Re: Backup server takes too long to go active

2018-04-25 Thread Shawn Heisey
On 4/25/2018 1:29 AM, Lukas Tribus wrote: You seem to be able to reproduce this easily, so please share the logs when this happens including the requests (don't use dontlognull), so that we can see the server up/down events and the all the successful and failing requests together with

Re: Backup server takes too long to go active

2018-04-24 Thread Shawn Heisey
On 4/24/2018 3:38 PM, Cyril Bonté wrote: On 24/04/2018 at 23:07, Shawn Heisey wrote: The configuration I had is with a backend that has two servers, one of them tagged as backup. This is the actual config that I had active when I saw the problem: backend be-cdn-9000 description Back

Backup server takes too long to go active

2018-04-24 Thread Shawn Heisey
I sent this query to the list previously nine days ago. I got no response. Trying again. == Kernel info: root@lb1:/etc/haproxy# uname -a Linux lb1 3.13.0-52-generic #86-Ubuntu SMP Mon May 4 04:32:59 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux Here's the haproxy version output:

Re: Version 1.5.12, getting 502 when server check fails, but server is still working

2018-04-17 Thread Shawn Heisey
On 4/17/2018 2:54 PM, Lukas Tribus wrote: >> Originally, the "hollywood" entry on the be-cdn-9000 backend (which you can >> see at the config I linked above) had the backup keyword. But what I >> noticed happening was that when planet went down, it took about ten >> additional seconds (no precise

Re: Version 1.5.12, getting 502 when server check fails, but server is still working

2018-04-17 Thread Shawn Heisey
On 4/17/2018 3:41 AM, Willy Tarreau wrote: Here I'm afraid we're all wasting a lot of time trying to guess what you have in your config that causes the problem. It's OK if you cannot post your config here, but please at least post a smaller one reproducing the issue so that we can help you. I

Re: Version 1.5.12, getting 502 when server check fails, but server is still working

2018-04-16 Thread Shawn Heisey
On 4/16/2018 1:46 PM, Willy Tarreau wrote: > On Mon, Apr 16, 2018 at 10:03:44AM -0600, Shawn Heisey wrote: >> I am curious about why I couldn't use "track". > "track" means that your current server will always be in the same state > as the designated on

Re: Version 1.5.12, getting 502 when server check fails, but server is still working

2018-04-16 Thread Shawn Heisey
On 4/16/2018 6:43 AM, Jarno Huuskonen wrote: There's also http-check disable-on-404 (http://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4.2-http-check%20disable-on-404) I couldn't get this to work at first.  If I put the disable-on-404 option in the actual back end, it complains

Re: Version 1.5.12, getting 502 when server check fails, but server is still working

2018-04-16 Thread Shawn Heisey
On 4/16/2018 9:15 AM, Lukas Tribus wrote: Hello Shawn, please keep the mailing-list in the loop. Sorry about that.  Looks like the haproxy list doesn't set a reply-to header sending replies to the list.  Most mailing lists I have dealt with do this, so just hitting "reply" does the right

Re: Version 1.5.12, getting 502 when server check fails, but server is still working

2018-04-16 Thread Shawn Heisey
On 4/16/2018 6:43 AM, Jarno Huuskonen wrote: There's also http-check disable-on-404 (http://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4.2-http-check%20disable-on-404) So maybe first set flag that returns 404 on health check and only after thirty seconds fail the health check. This

Version 1.5.12, getting 502 when server check fails, but server is still working

2018-04-15 Thread Shawn Heisey
I'm working on making my application capable of handling service restarts on the back end with zero loss or interruption.  It runs on two servers behind haproxy. At application shutdown, I'm setting a flag that makes the healthcheck fail, and then keeping the application running for thirty

Version 1.5.12, possible issue with backup server

2018-04-15 Thread Shawn Heisey
Kernel info: root@lb1:/etc/haproxy# uname -a Linux lb1 3.13.0-52-generic #86-Ubuntu SMP Mon May 4 04:32:59 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux Here's the haproxy version output: root@lb1:/etc/haproxy# haproxy -vv HA-Proxy version 1.5.12 2015/05/02 Copyright 2000-2015 Willy Tarreau

Problem installing 1.8.7 -- systemd changes

2018-04-12 Thread Shawn Heisey
I have a script on my system that I use to handle compiling and installing a new haproxy version.  That script has "EXTRA=haproxy-systemd-wrapper" on the line that does the install. It looks like that's no longer part of haproxy, and that the systemd service definition (included in contrib)

Re: HAPROXY + keepalived + NFSv4 (NFS Ganesha)

2018-02-19 Thread Shawn Heisey
On 2/19/2018 10:08 AM, TomK wrote: > Wondering if there is a way to setup an HA NFSv4 server using HAPROXY > and keepalived or if anyone tried that doesn't result in the client > disconnecting with this error even when using the VIP through a basic > HAPROXY + keepalived config: > >

Re: slowly move connections away from failed real server to remaining real server.

2018-02-14 Thread Shawn Heisey
On 2/13/2018 7:49 AM, Andrew Smalley wrote: > We have had a request and not sure if there is any way to implement this. > > Simply think of two real servers being loadbalanced. One fails, all the > connections are moved to the remaining server, overloading it. > > What we want is for the traffic

Re: haproxy http2 benchmark

2018-02-01 Thread Shawn Heisey
On 1/30/2018 7:41 PM, 龙红波 wrote: >           h2load -n100 -c20 -m5 https://$0.172.144.113:1999/128 >           starting benchmark... >           spawning thread #0: 20 total client(s). 100 total requests >           TLS Protocol: TLSv1.2 >           Cipher: ECDHE-RSA-AES256-GCM-SHA384 >    

Re: Problem with the logs

2017-01-25 Thread Shawn Heisey
On 1/25/2017 1:29 AM, Igor Cortes wrote: > Hi, my name is Igor and I have a problem with the logs of HaProxy. I > am using HaProxy to balance the SSH connections between some servers > and I need to log only the successful connections. > > I am trying to use the option dontlognull in the frontend

Re: PEM file question

2016-10-01 Thread Shawn Heisey
On 9/28/2016 9:13 AM, robert johnson wrote: > I tried searching the mailing list with no luck. Any way, here is my > question: > > Why does haproxy require the private key in the PEM file when > terminating SSL? > > Other web servers only require the cert As Andrew mentioned, all SSL server

[PATCH] Re: make install wants to install haproxy-systemd-wrapper

2016-07-29 Thread Shawn Heisey
On 7/27/2016 2:03 PM, Shawn Heisey wrote: > I'm building some new load balancer machines and I need to install into > systemd on them. I've compiled and installed haproxy 1.5.18, and found > that a fix for the problem Tim outlined has made it into this version, > and now even whe

Re: make install wants to install haproxy-systemd-wrapper

2016-07-27 Thread Shawn Heisey
On 4/22/2015 7:17 PM, Tim Hogard wrote: > > The makefile is trying to install the systemd wrapper on all platforms even > if it isn't built. > This is from the current build haproxy-ss-20150422 as well as haproxy-1.5.11. > The easy solution for non-linux systems is drop it to this: >

Re: "errorfile 503" doesn't appear to be working

2016-06-23 Thread Shawn Heisey
On 6/22/2016 7:41 PM, Michael Ezzell wrote: > On Jun 22, 2016 7:06 PM, "Shawn Heisey" <hapr...@elyograg.org> wrote: > > > > I have verified that there is nothing on the line after the headers. On > > the recommend

Re: "errorfile 503" doesn't appear to be working

2016-06-22 Thread Shawn Heisey
On 6/22/2016 12:45 AM, Jarno Huuskonen wrote: > On Tue, Jun 21, Shawn Heisey wrote: >> When I take down the back end server and make a request, I get the >> browser's standard unavailable page, I do not see the custom page I >> defined. Have I done something wrong? > &g

"errorfile 503" doesn't appear to be working

2016-06-21 Thread Shawn Heisey
This is the backend config: backend be-stg-spark-443 description Back end for spark stg ssl errorfile 503 /etc/haproxy/pages/spark-error.http no log log 127.0.0.1 local0 notice err server palazzo 10.100.2.17:443 ssl track chk-liferay-stg-443/palazzo The

Re: Setting OCSP response via socket

2016-06-15 Thread Shawn Heisey
On 6/14/2016 10:31 AM, Thijs Kinkhorst wrote: > However, the following does not work: > 1. Start HAproxy without the .ocsp file present. > 2. Issue "set ssl ocsp-response " to socket. > 3. HAproxy responds with "OCSP single response: Certificate ID does not > match any certificate or issuer.",

Re: Trying to stop health check messages from being logged

2016-05-06 Thread Shawn Heisey
On 5/4/2016 5:30 PM, Chris White wrote: > I am trying to stop backend health check error messages from being > logged to the system console. > But I am still seeing error messages logged when a backend server goes down > 2016 May 4 23:11:14 devtest0 backend web has no server available! It's

Re: stats page redirecting to https

2016-04-20 Thread Shawn Heisey
On 4/20/2016 12:56 PM, PiBa-NL wrote: > On 20-4-2016 at 20:45, Shawn Heisey wrote: >> The problem is that if I try to go to http://spark.REDACTED.com:8080/ >> ... this is redirected to https://spark.REDACTED.com:8080/ ... and I get >> this in the log: > Are you using

stats page redirecting to https

2016-04-20 Thread Shawn Heisey
I have this in my config: listen stats 0.0.0.0:8080 description The stats listener. stats uri / Elsewhere in my config I have something that will redirect http requests to the hostname spark.REDACTED.com over to https, which is not anything unusual. The IP address for this

Re: Config order -- when will it matter?

2016-04-13 Thread Shawn Heisey
On 4/13/2016 10:46 AM, Shawn Heisey wrote: > I'm working on some changes to a frontend, one of which is moving the > port 80 bind into the same frontend as port 443. > > Which of the many directives that I'm using will be evaluated in order, > and which of them will take effect

Config order -- when will it matter?

2016-04-13 Thread Shawn Heisey
I'm working on some changes to a frontend, one of which is moving the port 80 bind into the same frontend as port 443. Which of the many directives that I'm using will be evaluated in order, and which of them will take effect first no matter where they are? Specific questions: Will the

Re: Multiple front ends listening to the same address/port -- want a config error

2016-04-12 Thread Shawn Heisey
On 4/12/2016 1:11 PM, Baptiste wrote: > This is not an error, this type of configuration is valid. You should > write a script which check this on your own. I know it's not a config error, and I would not want effective behavior in any current versions to be changed. The mistake was mine, not

Multiple front ends listening to the same address/port -- want a config error

2016-04-12 Thread Shawn Heisey
I copied a front end to set up a new service on my haproxy install. I changed the name of the front end, but forgot to change the port number on the "bind" option. Haproxy didn't complain about this configuration when I tested for validity, so I didn't realize I'd made a mistake until the

Re: Q: about HTTP/2

2016-04-05 Thread Shawn Heisey
On 4/2/2016 6:23 AM, Dennis Jacobfeuerborn wrote: > What about the multiplexing of connections? If you use http 1.x to > communicate with the servers you effectively nullify that 2.0 feature. > At least in theory in order to actually get all the benefits from http/2 > you need support for the

Re: Q: about HTTP/2

2016-04-01 Thread Shawn Heisey
On 4/1/2016 4:25 AM, Baptiste wrote: > Do you guys, on the ML, really need HTTP/2? If so what's your deadline?? Need? Perhaps not. Want? Very much so. Deadline: ASAP, but don't be in a hurry. I definitely prefer to have a battle-tested solution that takes a year than a lousy implementation

Re: redirect returning empty response.

2016-03-29 Thread Shawn Heisey
On 3/29/2016 4:56 PM, Colin Leavett-Brown wrote: > I have the following haproxy configuration: > > global > daemon > maxconn 2048 > tune.ssl.default-dh-param 1024 > > defaults > mode http > timeout connect 5000ms > timeout client 5ms >

Re: http/2 - missing something ...

2016-01-11 Thread Shawn Heisey
On 12/16/2015 11:25 PM, Vincent Bernat wrote: > From the point of view of Wordpress, you tell it that https is used. > It doesn't need to know that you are using clear text between HAProxy > and the backend. Can anyone provide information about how to configure wordpress to do this? I put

Providing SNI information for checks of SSL backends?

2015-12-11 Thread Shawn Heisey
When defining check entries in a backend, is it possible to provide SNI information to the http client within haproxy so that backend Apache webservers that support SNI can be used, and have the check request directed to the correct virtualhost? I saw something that said SNI checks are not as

Re: Resolvable host names in backend server throw invalid address error

2015-10-16 Thread Shawn Heisey
On 10/16/2015 9:40 AM, Mark Betz wrote: > I am not having much luck getting output from tcpdump inside the > container. I don't have much experience with the tool so any tips will > be appreciated. I'm starting the command in the container start-up > script right before haproxy is launched... > >

Re: Documentation problems for 1.6

2015-10-14 Thread Shawn Heisey
On 10/14/2015 12:37 PM, Willy Tarreau wrote: > Good catch, it's indeed "1.6" instead of "1.6dev". Where did you find this > link ? In the 1.6 section here: http://www.haproxy.org/#docs It's the "Lua reference manual in HTML" link. Thanks, Shawn

Documentation problems for 1.6

2015-10-14 Thread Shawn Heisey
Just FYI, in case you don't already know, I have some problems to report with the documentation links on the website. The 1.6 HTML documentation links on haproxy.org have "1.7-dev0" at the top: http://cbonte.github.io/haproxy-dconv/intro-1.6.html

Re: Try request again if response body is empty?

2015-10-10 Thread Shawn Heisey
On 10/10/2015 12:31 AM, Willy Tarreau wrote: > Is the response closed when this happens (eg: server crash) ? If so, > we could add some sample fetches to detect that the request or response > channels are closed in case that could help. This is trivial to do, but > it will only be reliable if the

Try request again if response body is empty?

2015-10-07 Thread Shawn Heisey
Before I get started with this, I know and acknowledge that the problem I'm trying to solve is not in haproxy. I suspect that haproxy cannot do what I'm going to ask, but I was asked if it could do it, so I am passing the question along to make sure. We are having a problem with our Liferay

Re: Easy haproxy redundancy

2015-08-28 Thread Shawn Heisey
On 8/27/2015 10:22 PM, Nathan Williams wrote: We have 2 OpenStack VMs with IPs on the internal network, a keepalived-managed VIP on the internal network that's added to each VM's allowed-address-pairs in neutron, and a floating IP from the external network mapped to the internal VIP

Re: Easy haproxy redundancy

2015-08-27 Thread Shawn Heisey
On 8/27/2015 6:52 PM, Nathan Williams wrote: There's a sysctl for that, net.ipv4.ip_nonlocal_bind. Interesting. That's one I had never seen before. I would assume that the OS does this intelligently so that when the IP address *does* suddenly appear at a later time, the application works

Re: health checks with SNI/virtual hosts

2015-07-24 Thread Shawn Heisey
On 7/23/2015 3:20 PM, Jim Gronowski wrote: I’m trying to do health checks on a site that is served with SNI – so going directly to the IP generates a 404 – the backend server is looking for the hostname to determine which site to send it to. Is it correct to put the full URL in the

Re: LB as a first row of defence against DDoS

2015-06-25 Thread Shawn Heisey
On 6/24/2015 8:58 PM, Baptiste wrote: That said, I'll write a new DDOS protection article once HAProxy 1.6 will be released, since it embeds some new features which are interesting on this topic. I look forward to it. Thank you for your diligence! Concerning your demand, I don't understand

Re: HTTP/2 -- is support required on the back end?

2015-06-24 Thread Shawn Heisey
On 6/24/2015 1:23 PM, Willy Tarreau wrote: Thus my first goal with HTTP/2 in haproxy really is to make it a solid H2-H1 gateway in order to provide a seamless migration to H2 to everyone, just like haproxy was massively used to provide IPv6 connectivity for the last IPv6 day. I'll still

Re: LB as a first row of defence against DDoS

2015-06-24 Thread Shawn Heisey
On 6/18/2015 4:32 PM, Shawn Heisey wrote: On 6/17/2015 9:29 PM, Krishna Kumar (Engineering) wrote: Referring to Baptiste's excellent blog on Use a lb as a first row of defense against DDoS @ http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/ I am

HTTP/2 -- is support required on the back end?

2015-06-24 Thread Shawn Heisey
When http/2 support lands in haproxy, will http/2 support also be required on the back end to take advantage of it? I'm hoping that I can leverage http/2 without immediate support on the back end. I would expect that the LAN connection between haproxy and the back end servers will be fast enough

Re: LB as a first row of defence against DDoS

2015-06-18 Thread Shawn Heisey
On 6/17/2015 9:29 PM, Krishna Kumar (Engineering) wrote: Referring to Baptiste's excellent blog on Use a lb as a first row of defense against DDoS @ http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/ I am not able to find a follow up, if it was

Re: new primes in haproxy after logjam

2015-06-04 Thread Shawn Heisey
On 6/4/2015 9:54 AM, Willy Tarreau wrote: I simply used openssl dhparam size as suggested, and am trusting openssl to provide something reasonably safe since this is how every user builds their own dhparam when they don't want to use the initial one. I've been trying to read up on this

Re: OCSP stapling troubleshooting

2015-06-02 Thread Shawn Heisey
On 6/2/2015 12:38 PM, Andrew Hayworth wrote: Are you reloading HAProxy or issuing a 'set ssl ocsp-response' command via the stats socket after you retrieve the response? That's necessary after you pull down an updated OCSP response. For example, here's our script that pulls down the OCSP

Re: OCSP stapling troubleshooting

2015-06-02 Thread Shawn Heisey
On 6/2/2015 11:42 AM, Lukas Tribus wrote: Share your cronjob script, your configuration, and SSLtest output at least (you basically didn't share any OCSP related information). Here's the script that retrieves the OCSP responses, with its redacted config file:

[SOLVED] Re: OCSP stapling troubleshooting

2015-06-02 Thread Shawn Heisey
On 6/2/2015 1:29 PM, Andrew Hayworth wrote: On Tue, Jun 2, 2015 at 2:16 PM, Shawn Heisey hapr...@elyograg.org wrote: My script may update a dozen ocsp responses all used by a single haproxy process ... so when I am using the stats socket to set the ocsp response, how do I tell haproxy which

OCSP stapling troubleshooting

2015-06-02 Thread Shawn Heisey
I've done a Qualys Labs SSL test against my setup fronted with haproxy, using this URL: https://www.ssllabs.com/ssltest/index.html I thought I had OCSP stapling correctly configured, but Qualys says it's not there. I have a cronjob that uses openssl to retrieve the .ocsp file for each

Re: Recommendations for a new haproxy installation

2015-05-28 Thread Shawn Heisey
On 4/30/2015 11:50 PM, Willy Tarreau wrote: If you're working on preparing the OS, please *do* verify that conntrack is properly tuned (large hash table with at least 1/4 of the total number of sessions). Otherwise under load it will become extremely slow. When I asked about recommendations

Re: haproxy config question

2015-05-20 Thread Shawn Heisey
On 5/20/2015 9:59 AM, Alex wrote: Do I need rpcbind running on haproxy? We are trying to use the haproxy to load balance across GlusterFS for NFS using mode tcp but I get connection refused port 111. NFS as a protocol is fairly complicated, like passive FTP in some ways. An initial

mode tcp in front end will not override mode http in defaults

2015-05-15 Thread Shawn Heisey
I found what I think are a couple of bugs. I'm running 1.5.12. If mode http or option forwardfor are in the defaults section, I cannot get a frontend configured with mode tcp to work. The mode tcp config is not overriding the default choice, it operates in the http mode specified in defaults.

Re: mode tcp in front end will not override mode http in defaults

2015-05-15 Thread Shawn Heisey
On 5/15/2015 4:40 PM, Cyril Bonté wrote: If mode http or option forwardfor are in the defaults section, I cannot get a frontend configured with mode tcp to work. The mode tcp config is not overriding the default choice, it operates in the http mode specified in defaults. It should not, are

Re: Is FTP through haproxy at all viable?

2015-05-09 Thread Shawn Heisey
On 5/9/2015 2:04 AM, Malcolm Turnbull wrote: LVS with FTP works fine in the current kernels but does need the correct firewall modules loaded + conntrack enabled. I was really hoping to avoid that, but the more I've read, the more I've dreaded that the firewall would be required. Setting it up

Re: Is FTP through haproxy at all viable?

2015-05-09 Thread Shawn Heisey
On 5/9/2015 11:43 AM, Dennis Jacobfeuerborn wrote: Most FTP clients these days support SFTP as well and if you use say proftpd+mod_sftp then handling SFTP on the server side becomes pretty much identical to handling FTP (except all that active/passive nonsense goes away and nobody can simply

Is FTP through haproxy at all viable?

2015-05-08 Thread Shawn Heisey
I have a load balancer setup with both haproxy and LVS-NAT. The LVS-NAT is giving us high availability for FTP. When I tried migrating everything from CentOS 5, where it all works, to Ubuntu 14 (for the newer kernel and because I find debian-based systems far easier to use), everything worked

Re: Is FTP through haproxy at all viable?

2015-05-08 Thread Shawn Heisey
On 5/8/2015 8:39 AM, Ben Timby wrote: With some iptables rules you can use FTP active and passive mode via haproxy. The key is to assign unique passive port ranges to each backend then port forward those ranges. You must be able to configure each FTP server daemon with its own range.

Re: Config option for staging/dev backends?

2015-05-01 Thread Shawn Heisey
On 4/30/2015 4:08 PM, Cyril Bonté wrote: No, you didn't provide err as the minlevel argument. It should be something like : log 127.0.0.1 local0 notice err Also, ensure you don't have a log global somewhere in those backends or in the previously declared defaults section. I now have a

Re: Config option for staging/dev backends?

2015-05-01 Thread Shawn Heisey
On 5/1/2015 12:30 PM, Cyril Bonté wrote: Message from syslogd@ at Fri May 1 11:29:51 2015 ... localhost.localdomain haproxy[23754]: backend be-services-dev-8443 has no server available! Any other ideas? Please provide your configuration, I'm quite sure it's a misconfiguration in it. I'm

Sharing a generic script for OCSP stapling retrieval

2015-05-01 Thread Shawn Heisey
I've built a shell script that will gather OCSP responses with the 'openssl' binary for a list of certificates. This will be very helpful for me when I get a production haproxy running that does OCSP stapling. It consists of a script, a config file, and a set of certificates that probably need

Config option for staging/dev backends?

2015-04-30 Thread Shawn Heisey
I have a number of backend configs that handle requests to dev and staging webservers. These backend configs only have one server. If that server goes down briefly because the server process is restarted, which happens frequently precisely because they are for dev/staging, I get a console

Re: Config option for staging/dev backends?

2015-04-30 Thread Shawn Heisey
On 4/30/2015 1:03 PM, Pavlos Parissis wrote: On 30/04/2015 08:31 PM, Shawn Heisey wrote: I definitely DO want this kind of console notification if one of the production backends has no server available, but I don't want the interruption for staging or dev. If a config option to reduce

Re: Config option for staging/dev backends?

2015-04-30 Thread Shawn Heisey
On 4/30/2015 2:11 PM, Cyril Bonté wrote: Simply adjust the log levels in your haproxy configuration for those backends, by setting the minimum syslog level to error for example; this will still log the events but won't send them as emerg/alert/crit (which I assume one of them is

Recommendations for a new haproxy installation

2015-04-29 Thread Shawn Heisey
I have an existing load balancer installation that I have been slowly migrating from IPVS to haproxy. It's CentOS 6, so many components are out of date, such as TLS support. Once that migration is done, I would like to entirely replace the hardware and load an ideal software environment for

Re: Recommendations for a new haproxy installation

2015-04-29 Thread Shawn Heisey
On 4/29/2015 3:00 PM, Shawn Heisey wrote: How can I be sure that openssl is compiled with support for TLS acceleration in the CPU? I am compiling haproxy from source. Would you recommend that I install a separate and newer openssl from source for explicit use with haproxy, and tweak its

Re: Haproxy 1.4.18 crashing

2015-04-11 Thread Shawn Heisey
On 4/11/2015 2:49 AM, Willy Tarreau wrote: As you have posted yourself, this has nothing to do with haproxy, it's a kernel crash (in the scheduler here). Your system is running a totally outdated and unmaintained kernel (2.6.35.14) which suffers from many bugs snip Now regarding your version

Re: Does HAproxy support sending ServerName TLS extension to backend servers?

2015-03-25 Thread Shawn Heisey
On 3/25/2015 10:16 AM, Brandon wrote: Hi, I am trying to deploy HAProxy in HTTP mode in front of a Windows Server 2012 R2 ADFS 3.0 farm. In ADFS 3.0 backend servers require that clients support SNI. In my testing it does not appear that HAProxy is sending the ServerName extension in the

Re: Hardware planning for SSL-heavy haproxy servers

2015-02-10 Thread Shawn Heisey
On 2/9/2015 2:16 PM, Baptiste wrote: A single CPU core (choose the fastest one with AESNI enabled) can easily handle you current traffic and meet also the requirements of your capacity planning. From a memory point of view, 16G sounds more than enough for your traffic expectation. To get

Hardware planning for SSL-heavy haproxy servers

2015-02-09 Thread Shawn Heisey
What should be my goal when buying hardware for haproxy if I am planning to secure everything with TLS/SSL terminated by haproxy? Due to customer requirements, many of the back-end connections will also be encrypted. Other than getting the latest processor architecture I can find at the highest

Re: Hardware planning for SSL-heavy haproxy servers

2015-02-09 Thread Shawn Heisey
On 2/9/2015 1:08 PM, Baptiste wrote: could you define what you mean by heavy ? What type of web application do you host? How many req / conn per second do you expect? When doing SSL, the CPU is not enough, the memory also matters. I would plan on 16 or 32GB of RAM for the machine, more if

Re: SSL Performance increase?

2015-02-07 Thread Shawn Heisey
On 2/6/2015 5:48 AM, Dennis Jacobfeuerborn wrote: Has somebody ever posted a working example configuration for haproxy that applies the improvements mentioned in the video? I tried to implement these recommendations but didn't seem to get results I was expecting. How exactly does one reliably

Re: SSL Performance increase?

2015-02-07 Thread Shawn Heisey
On 2/6/2015 1:14 AM, Klavs Klavsen wrote: Shawn Heisey wrote on 02/06/2015 07:38 AM: [CUT] The current haproxy version implements almost every performance-enhancing method mentioned in that video, as long as your openssl is new enough. It's on CentOS 6.. is that new enough? Unless you

Re: SSL Performance increase?

2015-02-05 Thread Shawn Heisey
On 2/5/2015 5:54 AM, Klavs Klavsen wrote: Adding nbproc 4, improved performance of https from 511 req/s to 1296 req/s.. not quite an exponential scaling.. We tested with 8 cores and got 1328 req/s.. so it seems we're hitting something else already after 2,5 core.. vmstat 1 - also

Re: TPROXY - any functionality lost?

2015-01-21 Thread Shawn Heisey
On 1/21/2015 2:52 AM, Baptiste wrote: Everything is explained here: http://blog.haproxy.com/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/ If you can't do it, maybe you should ask the HAProxy experts to help you:

Re: TPROXY - any functionality lost?

2015-01-20 Thread Shawn Heisey
On 1/20/2015 6:12 AM, Thomas Heil wrote: On 20.01.2015 03:26, Shawn Heisey wrote: When haproxy is run in TPROXY mode, does it lose any functionality, or can I do all the same things as I can when it's acting in normal proxy mode? I'd like to have my servers see the real source ip but still have
