【三井住友カード】不正利用からアカウントを保護するために追加情報が必要haproxy
三井住友カード会員 様 いつも三井住友カードをご利用頂きありがとうございます。 カードがご利用いただけなかったお取引がございましたのでお知らせいたします。 ◇利用カード:三井住友カード ◇利用日:2024/07/04 5:04:33 ◇利用先:TOYOTAWalletチャージ ◇利用金額:50,000円 不正利用検知システムで第三者による不正の可能性を検知したため、上記取引を制限させていただきました。 以下の回答ページよりご利用内容の確認にご協力ください。 ▼回答ページはこちら(所要時間:30秒) 3024.szsmxf.com/5205 URLをコピーしてWebブラウザーのアドレスバーに貼り付けると正しくWebサイトが開きますご 不便とご心配をおかけしまして誠に申し訳ございませんが、 何とぞご理解易りたくお願い申しあげます 【ご本人さまのご利用の場合】 ご利用制限を解除します。 *上記取引は不成立のため、利用制限解除後に再決済が必要です。 【ご利用に覚えがない場合】 カードの停止(無効化)・再発行手続きへ進みます。 *ご利用確認の回答時に個人情報を入力いただくことはございません ※一部、状況やカードの種類によって再発行手続きが完了しない場合がございます。 *すでにSMS等でご回答いただいた場合は、本メールからのご回答は不要です。 ※このメールアドレスは送信専用です。ご返信に回答できません。 ━━━ ■発行者 三井住友カード株式会社 〒100-6150 東京都千代田区永田町2丁目11番1号 山王パークタワー お問い合わせは こちら ※送信元「mail@contact.vpass.ne.jp」は送信専用です。 ※本メールは重要なお知らせのため、メール配信を「否」にされている方にも送信しております。 ━━━
[HAPPRIVACY #YXL-289-28996]: China FO bearing export
ash@fobearings, Thank you for contacting us. This is an automated response confirming the receipt of your ticket. One of our agents will get back to you as soon as possible. For your records, the details of the ticket are listed below. When replying, please make sure that the ticket ID is kept in the subject line to ensure that your replies are tracked appropriately. Ticket ID: YXL-289-28996 Subject: [EXTERNAL] China FO bearing export Department: Privacy Type: Issue Kind regards, HAProxy Technologies
[HAPPRIVACY #TKN-189-63462]: China FO bearing export
ash@fobearings, Thank you for contacting us. This is an automated response confirming the receipt of your ticket. One of our agents will get back to you as soon as possible. For your records, the details of the ticket are listed below. When replying, please make sure that the ticket ID is kept in the subject line to ensure that your replies are tracked appropriately. Ticket ID: TKN-189-63462 Subject: [EXTERNAL] China FO bearing export Department: Privacy Type: Issue Kind regards, HAProxy Technologies
[HAPPRIVACY #GGZ-731-71606]: The Biggest Promotion of Fly Trap / Tanhya
Alice, Thank you for contacting us. This is an automated response confirming the receipt of your ticket. One of our agents will get back to you as soon as possible. For your records, the details of the ticket are listed below. When replying, please make sure that the ticket ID is kept in the subject line to ensure that your replies are tracked appropriately. Ticket ID: GGZ-731-71606 Subject: [EXTERNAL] The Biggest Promotion of Fly Trap / Tanhya Department: Privacy Type: Issue Kind regards, HAProxy Technologies
[#ZJO-390-11908]: Content Collaboration with haproxy.com!
Ivana Miteva, Thank you for contacting us. This is an automated response confirming the receipt of your ticket. One of our agents will get back to you as soon as possible. For your records, the details of the ticket are listed below. When replying, please make sure that the ticket ID is kept in the subject line to ensure that your replies are tracked appropriately. Ticket ID: ZJO-390-11908 Subject: [EXTERNAL] Content Collaboration with haproxy.com! Department: HAProxy Support Type: Issue Kind regards, HAProxy Technologies
[RFC] [PATCH] BUG: http-ana: fix crash or wrong header deletion by http-restrict-req-hdr-names
Hi, as suggested by Willy on GitHub, I'm submitting my patch for https://github.com/haproxy/haproxy/issues/1822. This is my first contribution, so I'm tagging it as RFC for now ;) I'm not entirely happy with using goto (suggested by Tim) to avoid hitting htx_get_next_blk call at the end of the loop, but I'm not familiar with HAproxy coding standards. I think it would be nicer to: 1. Introduce flag variable preserve_blk 2. Reset it to 1 at the beginning of the while (blk) loop 3. Replace htx_remove_blk + continue with preserve_blk = 0 + break 4. At the end of the loop, call htx_get_next_blk if preserve_blk is set or call htx_remove_blk otherwise I have not included severity of the patch, because on GitHub issue is still marked as `status: needs-triage`. I think MEDIUM would be appropriate. By the way, while writing VTest to cover this bug, I spotted something "suspicious" about reg tests for FCGI backends - my-fcgi-app FCGI app is defined, but it is not used anywhere? be-fcgi* backends look exactly like be-http* to me. Best regards Mateusz Małek >From 17dcd8147fb7f48b3fcce5a7a51ff921f4f69848 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mateusz=20Ma=C5=82ek?= Date: Wed, 17 Aug 2022 00:57:10 +0200 Subject: [PATCH] BUG: http-ana: fix crash or wrong header deletion by http-restrict-req-hdr-names When using `option http-restrict-req-hdr-names delete`, HAproxy may crash or delete wrong header after receiving request containing multiple forbidden characters in single header name; exact behavior depends on number of request headers, number of forbidden characters and position of header containing them. This patch fixes GitHub issue #1822. Must be backported as far as 2.2 (buggy feature got included in 2.2.25, 2.4.18 and 2.5.8). --- .../http-rules/restrict_req_hdr_names.vtc | 47 +++ src/http_ana.c| 7 ++- 2 files changed, 53 insertions(+), 1 deletion(-) diff --git a/reg-tests/http-rules/restrict_req_hdr_names.vtc b/reg-tests/http-rules/restrict_req_hdr_names.vtc index 071b9bded..eed90eab2 100644 --- a/reg-tests/http-rules/restrict_req_hdr_names.vtc +++ b/reg-tests/http-rules/restrict_req_hdr_names.vtc @@ -35,6 +35,26 @@ server s5 { txresp } -start +server s6 { +rxreq +expect req.http.x_my_hdr_with_lots_of_underscores == +txresp +} -start + +server s7 { +rxreq +expect req.http.x_my_hdr-1 == +expect req.http.x-my-hdr-2 == on +txresp +} -start + +server s8 { +rxreq +expect req.http.x-my_hdr-1 == +expect req.http.x-my_hdr-2 == +txresp +} -start + haproxy h1 -conf { defaults mode http @@ -50,6 +70,9 @@ haproxy h1 -conf { use_backend be-fcgi1 if { path /req4 } use_backend be-fcgi2 if { path /req5 } use_backend be-fcgi3 if { path /req6 } +use_backend be-http4 if { path /req7 } +use_backend be-http5 if { path /req8 } +use_backend be-http6 if { path /req9 } backend be-http1 server s1 ${s1_addr}:${s1_port} @@ -72,6 +95,18 @@ haproxy h1 -conf { backend be-fcgi3 option http-restrict-req-hdr-names reject +backend be-http4 +option http-restrict-req-hdr-names delete +server s6 ${s6_addr}:${s6_port} + +backend be-http5 +option http-restrict-req-hdr-names delete +server s7 ${s7_addr}:${s7_port} + +backend be-http6 +option http-restrict-req-hdr-names delete +server s8 ${s8_addr}:${s8_port} + defaults mode http timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" @@ -114,6 +149,18 @@ client c1 -connect ${h1_fe1_sock} { txreq -req GET -url /req6 -hdr "X-my_hdr: on" rxresp expect resp.status == 403 + +txreq -req GET -url /req7 -hdr "X_my_hdr_with_lots_of_underscores: on" +rxresp +expect resp.status == 200 + +txreq -req GET -url /req8 -hdr "X_my_hdr-1: on" -hdr "X-my-hdr-2: on" +rxresp +expect resp.status == 200 + +txreq -req GET -url /req9 -hdr "X-my_hdr-1: on" -hdr "X-my_hdr-2: on" +rxresp +expect resp.status == 200 } -run client c2 -connect ${h1_fe2_sock} { diff --git a/src/http_ana.c b/src/http_ana.c index 4b74dd60d..a2929cef5 100644 --- a/src/http_ana.c +++ b/src/http_ana.c @@ -2641,6 +2641,7 @@ static enum rule_result http_req_restrict_header_names(struct stream *s, struct blk = htx_get_first_blk(htx); while (blk) { + next_iteration: enum htx_blk_type type = htx_get_blk_type(blk); if (type == HTX_BLK_HDR) { @@ -2653,7 +2654,11 @@ static enum rule_result http_req_restrict_header_names(struct stream *s, struct if (px->options2 & PR_O2_RSTRICT_REQ_HDR_NAMES_BLK) goto block; blk = htx_remove_
haproxy for IIS
Dear there, This is Jun from China. I am trying to setup haproxy to load balance IIS websites on 2 local Servers, it was achieved to load balance one website, however, I don't know how to load balance for many websites from the 2 servers where have the same websites running on. Could you guide on this please. thank you. condykou 邮箱:condy...@msn.com 签名由 网易邮箱大师 定制
RE: Seeking Guidance: 2.1.0 Config Error
Hello Aleks and Tim, Thank you for your insightful guidance on the usage of http-request and http-response in our context. We are updating the config files—several of them--along the lines you have suggested. We will test it and will push it into production shortly. Thank you. Sincerely, Hemant K. Sabat www.Coscend.com <http://www.coscend.com/> -- Real-time, Interactive Tele-healthcare, Tele-education, Telepresence Services, on the fly… -- CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail Messages from Coscend Communications Solutions' posted at: http://www.Coscend.com/Anchor/Common/Terms_and_Conditions.html -Original Message- From: Tim Düsterhus [mailto:t...@bastelstu.be] Sent: Thursday, November 28, 2019 3:14 AM To: Aleksandar Lazic ; Coscend@HAProxy Cc: haproxy@formilux.org Subject: Re: Seeking Guidance: 2.1.0 Config Error Aleks, Am 27.11.19 um 22:36 schrieb Aleksandar Lazic: > This should be replace-uri > http://cbonte.github.io/haproxy-dconv/2.1/configuration.html#4.2-http- > request%20replace-uri > > I would try this. > http-request replace-uri /CoscendP/*([^\ ]*)\ (.*)$ /\2\ \3 > > >> http-response replace-header ^(Location:)\ (https?://([^/]*))/(.*)$ >> Location:\ /CoscendP/\3 > > I would use this as the header name isn't a regex. > > http-response replace-header Location (https?://([^/]*))/(.*)$ > Location:\ /CoscendP/\3 > > http://cbonte.github.io/haproxy-dconv/2.1/configuration.html#4.2-http- > request%20replace-header > FYI: You made the same mistake I made. You forgot to adjust the numbers of the capturing groups in the replacement after removing the first one from the regex. Best regards Tim Düsterhus
Seeking Guidance: 2.1.0 Config Error
Dear HAProxy Community, We are upgrading from 2.0.9 to 2.1.0. Accordingly, we have to replace: .reqirep with http-request and .resprep with http-response. We are getting the following two errors. Error 1: 'http-request replace-header' expects exactly 3 arguments. Error 2: 'http-response replace-header' expects exactly 3 arguments. We would appreciate any insight into what we are missing in our config lines below: 2.0.9 config line that worked: reqirep ^([^\ ]*)\ /CoscendP/*([^\ ]*)\ (.*)$ \1\ /\2\ \3 rspirep ^(Location:)\ (https?://([^/]*))/(.*)$Location:\ /CoscendP/\3 Corresponding 2.1.0 config line that gives errors: http-request replace-header ^([^\ ]*)\ /CoscendP/*([^\ ]*)\ (.*)$ \1\ /\2\ \3 http-response replace-header ^(Location:)\ (https?://([^/]*))/(.*)$ Location:\ /CoscendP/\3 Thank you. Sincerely, Hemant K. Sabat <http://www.coscend.com/> www.Coscend.com -- Real-time, Interactive Tele-healthcare, Tele-education, Telepresence Services, on the fly. -- CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail Messages from Coscend Communications Solutions' posted at: <http://www.coscend.com/Anchor/Common/Terms_and_Conditions.html> http://www.Coscend.com/Anchor/Common/Terms_and_Conditions.html
[SPAM] I hacked your device haproxy@formilux.org and you have a problem now...
Hi. I think you will not be happy, because I have a very bad news for you. Just a few months ago (05/03/2019) I hacked your operating system and I have full control of your device. I implanted a small application into your device which sends me your current IP address and allows me to connect to your device just like remote desktop. Even if you change your password, it won’t help. How I infected you? The router that you used to connect to Internet had a security hole. You can read about this problem by searching for CVE-2018-10562. I hacked your router and I put my code into it, and when you tried to connect to Internet, my program infected your device. Later I made a full copy of your hard drive (I have all your email contact lists, list of websites you visited, phone numbers, your passwords etc.) A little while later, when I was searching your web browsing history I was shocked by what I saw!! The sites for adults you are visiting... you know what I mean... I just want to say - your fantasies are shifted far away from the normal course!... For the last 2 months I have been spying on you through your device camera.. especially when you visited those sites to have fun... Those videos show clearly you having fun and the content for adults you were watching.. this is pretty nasty and I would be very worried if I were you. I have secured 4 videos: Haproxy_formilux_org_1557230338.mp4 (81.5 MB) Haproxy_formilux_org_1559145381.mp4 (73.1 MB) Haproxy_formilux_org_1559641435.mp4 (82.7 MB) Haproxy_formilux_org_1555478022.mp4 (73.5 MB) You can verify that the timestamps correspond to the moments you were enjoying yourself... Now, because I do not like at all what I saw (that’s pretty crazy and ugly) I ask you to send me a donation through Bitcoin network. 2000 US dollars is a fair price (considering your perversions). If you want me to forget about the whole case, remove the files and disable the nasty app that is spying you, send me the Bitcoin payment within 72 hours. Yes, I give you 72 hours only. Here is my wallet: === Send exactly 0.294568 BTC to my address: 35gbfJ6DZhqmSiMn641SkVQ9SukHwopNZF (copy it and paste - it’s case sensitive) === 0.294568 BTC = 2000 dollars If you do not send me the Bitcoin, I promise you - I will send those 4 files with you enjoying yourself to all your contact lists, associates and social network friends. I still have access to your device and I know when you read this message. When you opened it, time started ticking. You have 72 hours only! I am from Russia and nobody will help you if you report this email.. Before they find me your life will be ruined! If you do not cooperate with me - I will release this ugly material immediately. This is why I advise you - send me the Bitcoin and let’s forget about the whole situation. I know you can afford it. If you do not know how to send bitcoin, go to google and search how to do it. There are plenty of options like coinbase. Here is my address again: === Send exactly: 0.294568 BTC to my address: 35gbfJ6DZhqmSiMn641SkVQ9SukHwopNZF === Remember to send the exact amount as above! This way I will know it’s from you. Do not be angry at me. This is just my job, and you are not the only person I caught. Be angry at your fantasies - if you didn’t visit those sites for adults you would have no problem.. but now... I am waiting for your bitcoin. Remember, time is ticking.. -- анонимное Мы анонимы. Мы легион. Мы не прощаем. Мы не забываем. Ожидайте нас.
[SPAM] IMPORTANT! You have been recorded masturbating! I have Haproxy.mp4!
ATTN: haproxy@formilux.org Hi there, The last time you visited a porn website with teens, you downloaded and installed the software I developed. My program has turned on your camera and recorded the process of your masturbation. My software has also grabbed all your email contact lists and a list of your friends on Facebook. I have the - Haproxy.mp4 - with you jerking off to teens as well as a file with all your contacts on my computer. You are very perverted! If you want me to delete both the files and keep the secret, you must send me Bitcoin payment. I give you 72 hours for the payment. If you don't know how to pay with Bitcoin, visit Google and search. Send 2.000 USD to this Bitcoin address as soon as possible: 38LauvHpuCuXj2NYcTPwgW1GdzofdV1hY2 (copy and paste) 1 BTC = 3,850 USD right now, so send exactly 0.528460 BTC to the address provided above. Do not try to cheat me! As soon as you open this Email I will know you opened it. I am tracking all actions on your device. This Bitcoin address is linked to you only, so I will know when you send the correct amount. When you pay in full, I will remove both files and deactivate my program. If you don't send the payment, I will send your masturbation video to ALL YOUR FRIENDS AND ASSOCIATES from your contact lists I hacked. Here are the payment details again: Send 0.528460 BTC to this Bitcoin address: 38LauvHpuCuXj2NYcTPwgW1GdzofdV1hY2 You саn visit police but nobody can help you. I know what I am doing. I don't live in your country and I know how to stay anonymous. Don't try to deceive me - I will know it immediately - my spy software is recording all the websites you visit and all keys you press. If you do - I will send this ugly recording to everyone you know, including your family. Don't cheat me! Don't forget the shame and if you ignore this message your life will be ruined. I am waiting for your Bitcoin payment. You have 72 hours left. Anonymous Hacker
Re: ACL, map: restrict access for dynamic hostname to some specific IPs
> On 9 Jan 2019, at 11:06, gdelafond+hapr...@aquaray.com wrote: > > Hello, > > I try to understand how to use the -M ACL flag. > > From the documentation : > > The "-M" flag allows an ACL to use a map file. If this flag is set, the file > is > parsed as two column file. The first column contains the patterns used by the > ACL, and the second column contain the samples. The sample can be used later > by > a map. This can be useful in some rare cases where an ACL would just be used > to > check for the existence of a pattern in a map before a mapping is applied. > > How can we use "samples" in a map ? > > Could you provide an example ? > > What I'm looking for is a way find all IPs allowed for a hostname and then > filter by these IPs from a map file, ie be able to do something like: > use_backend > %[req.fhdr(host),lower,map(/etc/haproxy/domains.map,default_backend)] if { > src -m ip %[req.fhdr(host),lower,map(/etc/haproxy/iprules.map)] } > with /etc/haproxy/iprules.map containing : > hostname1 ip1 > hostname1 ip2 > hostname2 ip1 > hostname2 ip3 > hostname2 ip4 > .. > > Did I miss something obvious ? Can anyone help me with this ? Thank you. Regards, -- Guillaume
ACL, map: restrict access for dynamic hostname to some specific IPs
Hello, I try to understand how to use the -M ACL flag. From the documentation : The "-M" flag allows an ACL to use a map file. If this flag is set, the file is parsed as two column file. The first column contains the patterns used by the ACL, and the second column contain the samples. The sample can be used later by a map. This can be useful in some rare cases where an ACL would just be used to check for the existence of a pattern in a map before a mapping is applied. How can we use "samples" in a map ? Could you provide an example ? What I'm looking for is a way find all IPs allowed for a hostname and then filter by these IPs from a map file, ie be able to do something like: use_backend %[req.fhdr(host),lower,map(/etc/haproxy/domains.map,default_backend)] if { src -m ip %[req.fhdr(host),lower,map(/etc/haproxy/iprules.map)] } with /etc/haproxy/iprules.map containing : hostname1 ip1 hostname1 ip2 hostname2 ip1 hostname2 ip3 hostname2 ip4 .. Did I miss something obvious ? Thank you. Regards, -- Guillaume
Re: Issue with TCP splicing
private keys private key defiantly need revoked i attached key to show how easy it is to xtract from coredump you can download certificate https://crt.sh/?d=511527676 and verify signature of message.txt using openssl smime -verify -in message.txt.p7s -content message.txt -inform PEM -noverify 511527676.crt Private-Key: (2048 bit) modulus: 00:b8:94:de:cc:4f:9a:a5:2b:d5:56:4f:62:3c:c1: 78:75:e4:ed:b8:f5:1d:2c:d3:27:2a:01:de:39:72: 4d:ef:54:db:d7:a2:e2:e3:ed:a5:6c:36:f4:fc:d0: 1f:3e:07:20:e6:b7:e3:4b:43:70:63:99:d1:df:58: bb:1e:c1:b4:61:81:48:38:da:00:8f:0f:62:f8:d3: 86:70:bc:3b:d4:0d:ad:ce:b6:53:a3:fe:0e:fb:d6: d0:bf:13:e9:b7:a3:7c:2c:10:06:41:6b:15:aa:81: 41:89:23:7d:32:27:a7:74:50:94:8e:15:67:0b:5c: ad:51:f1:58:24:d8:88:02:62:32:e9:de:a7:5b:8a: cc:ff:fc:d1:9b:f5:6e:17:2f:bc:0f:a6:d5:9f:26: f4:a8:f7:48:9a:37:3f:22:f1:8f:77:70:38:28:96: d7:6f:af:2d:de:74:32:2c:e5:21:6b:df:0b:41:b8: f2:d6:5c:91:17:70:56:ad:6d:71:e4:b1:a5:2a:65: ca:51:f4:ec:b6:fb:8b:d1:f3:bf:cf:19:83:d5:d9: 61:03:c1:87:7d:8d:27:4e:f4:d6:e4:5d:4f:56:cc: 02:c3:b1:73:63:24:38:2f:e1:5c:19:94:c4:6d:40: 82:43:ef:6d:15:98:04:73:47:d7:c2:c9:11:46:e4: 3c:0f publicExponent: 65537 (0x10001) privateExponent: 18:94:fa:f7:0a:c2:f5:ac:58:c5:1d:dd:5f:6a:04: b8:ee:bc:1a:1d:ca:bc:e5:82:19:be:15:f2:60:9e: b0:79:04:ae:3b:2b:2c:5f:c1:e0:1f:91:90:f9:c6: af:64:13:a5:a6:67:c6:e6:3c:59:87:6a:c3:eb:f5: 3f:ab:5c:72:7f:dd:36:75:12:0d:fb:66:9a:ec:d0: c2:c2:ce:d4:f6:dd:66:e2:31:51:6d:cc:61:0d:c2: cf:2f:bf:b8:8d:35:44:48:fe:0c:48:4e:a2:5e:84: 73:d7:1e:1d:47:da:ad:4a:ed:fd:de:2b:d2:ff:8c: b5:95:06:c0:21:76:3b:9a:ce:06:86:88:4f:b2:6a: 2f:e0:84:79:d0:e4:cd:6c:8a:cf:33:3e:fd:43:da: e3:63:c0:d6:11:c0:12:ec:2f:85:7d:f8:23:67:b7: 6d:5d:c6:d6:2e:99:28:7d:2b:40:6e:4f:f5:d5:55: b9:01:97:4b:d4:08:14:2d:71:19:9e:e4:0b:f3:0f: 6e:a2:4a:9f:fe:fb:34:37:d4:b7:e3:ce:45:c9:c4: 41:07:69:45:71:37:30:c7:fc:3b:1e:49:bd:7a:c4: f3:02:82:55:6c:a5:de:47:62:f1:a8:09:16:61:05: 8c:df:3f:62:6c:fb:5a:28:36:2f:70:f0:ff:28:dd: 81 prime1: 00:c0:3c:af:12:53:99:c5:0a:f7:32:7e:f7:74:5d: d6:67:a8:f2:6a:03:f4:97:28:e6:e8:ab:e6:54:35: b9:d7:e9:2d:11:df:76:01:0f:6a:af:91:9d:8a:b1: 79:ae:45:8e:b9:23:a0:f3:35:2f:65:a2:8c:d2:5e: 8f:ba:53:86:53:96:b1:5d:10:e1:57:90:31:47:d5: e9:b3:62:17:72:c8:23:ab:d7:ea:c4:7c:67:32:63: 0f:ef:f0:d5:30:04:7d:09:e5:da:5d:4d:d6:32:3e: 9c:f1:4c:95:f9:f9:c8:63:15:5d:ed:bf:fa:a5:19: 41:8b:fd:39:61:a5:5e:e3:99 prime2: 00:f5:ce:23:2e:12:a7:c4:13:ae:70:95:ad:88:34: 43:bc:3d:76:c2:e1:45:d6:21:8a:80:7e:50:44:a8: cf:76:46:4c:9a:dd:6d:f4:06:f2:f2:91:aa:53:45: 43:eb:5c:00:87:7e:d9:02:42:66:2e:1d:08:79:fa: 3b:2f:bb:e0:10:bb:26:d5:db:6c:7a:19:9a:4d:be: f1:26:02:b2:93:3c:67:46:92:09:9c:d9:6b:82:d3: 0b:b4:e1:63:d8:1c:e9:4c:77:50:b6:1d:50:09:d8: 79:a5:6e:94:6a:4a:d0:3b:de:e1:db:44:5b:80:76: 4f:f7:13:05:3b:3e:35:e5:e7 exponent1: 63:39:ef:94:22:1a:e9:1e:73:e2:58:af:1a:1d:a5: a1:f4:0e:cc:b2:25:fa:30:5e:a0:12:ba:dd:14:ae: 4c:c8:4b:3f:42:7d:02:a7:16:86:71:3f:44:6b:bf: 47:39:18:26:70:41:8f:c8:10:23:01:f8:76:4d:e1: 1a:68:2a:99:d2:da:d2:12:f8:7d:de:2b:d1:cc:94: c8:c7:05:1b:76:3b:13:64:6c:05:e7:c0:cc:bd:5d: 68:98:83:32:39:de:e0:d1:08:19:c9:27:9a:df:be: da:be:91:5b:6a:97:08:ad:ea:c1:e1:aa:5a:b5:e2: a3:83:9d:ae:cd:51:61:61 exponent2: 00:9a:d4:72:a2:75:cb:c9:1d:60:96:b8:21:6b:97: 08:47:8d:2b:be:8b:69:92:fc:e3:a2:16:6e:77:21: 22:34:ed:09:19:cf:7a:8f:e8:c4:a5:78:8d:a2:10: 12:3d:31:61:7f:f7:ad:b7:d7:9d:47:54:b0:5f:2c: f8:95:13:b1:8a:b8:68:38:f3:12:fc:42:1e:48:f4: 8a:2f:98:29:65:c6:f9:82:a1:40:7e:d5:10:fc:81: f5:70:c5:3c:40:07:ce:08:85:6b:88:9b:24:2c:5f: 78:18:75:73:f5:14:14:e0:71:7f:30:bf:79:27:8c: de:c7:d1:ea:4c:ab:de:05:67 coefficient: 79:98:31:aa:49:d9:02:cb:2b:c5:f6:a3:33:32:ca: 97:a1:12:28:6b:e5:9a:48:6e:47:bf:01:59:7c:e6: a1:78:8e:dc:cf:f4:69:b7:9b:f9:f3:5b:84:98:cd: 2f:1f:71:7b:e8:10:e0:55:f4:c0:f1:59:5c:72:05: aa:af:96:56:68:53:e1:9e:25:84:f9:fc:a9:2b:29: 61:60:42:55:a9:05:3f:0c:db:0b:f1:a6:62:cb:69: e1:c3:c4:35:ed:fc:94:4e:24:16:f4:66:7a:03:5e: e0:8e:af:50:21:63:cd:f4:ae:fe:9e:da:07:0b:e9: 8c:7c:7b:fa:c3:60:a5:bacertificate is compromised -BEGIN PKCS7- MIIIkAYJKoZIhvcNAQcCoIIIgTCCCH0CAQExDzANBglghkgBZQMEAgEFADALBgkq hkiG9w0BBwGgggV/MIIFezCCBGOgAwIBAgIJALUFEZ7ciuLlMA0GCSqGSIb3DQEB CwUAMIG0MQswCQYDVQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMK U2NvdHRzZGFsZTEaMBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNVBAsT JGh0dHA6Ly9jZXJ0cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UEAxMq R28gRGFkZHkgU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTE4 MDYwNzEyMjQ0OFoXDTIwMDYyODEzMDAzMVowTDEhMB8GA1UECxMYRG9tYWluIENv bnRyb2wgVmFsaWRhdGVkMScwJQYDVQQDEx5wYWNrZXRmZW5jZS5jc2NoaWMtY2hv Y3MucWMuY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4lN7MT5ql K9VWT2I8wXh15O249R0s0ycqAd45ck3vVNvXouLj7aVsNvT80B
RE: Does HAProxy 1.8.0 need new param vs 1.7.9
Dear Willy, Thank you for your prompt guidance. Result of your insights: SUCCESS in loading stats and other pages in both the use cases listed below: 1). Removed mailers section in 1.8.0. 2). Compiled 1.8-commit 8f42b19 ("BUG/MEDIUM: tcp-check: Don't lock the server in tcpcheck_main") Hope the verification helps other users and companies that contribute to the betterment of our economy and society. Just to expand our understanding for the future, did you nail the issue from multi-character process state "Rs", i.e., "runnable on queue""is a session leader"? Hats off to you for starting this project. HAProxy has empowered us to contribute. Should you like to see the impact of HAProxy's indirect contribution to common global denizens, please take a look at what HAProxy enables in remote disadvantaged areas: http://www.coscend.com/Anchor/SSF_Tour/RMCC_Tour/Overview/CoscendCC_Telemedi cine_anchor.html Dear Christopher, Thank you for this timely commit 8f42b19 ("BUG/MEDIUM: tcp-check: Don't lock the server in tcpcheck_main"). Sincerely, Hemant K. Sabat Coscend Communications Solutions <http://www.coscend.com/> www.Coscend.com -- Real-time, Interactive Video Collaboration, Tele-healthcare, Tele-education, Telepresence Services, on the fly. -- CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail Messages from Coscend Communications Solutions' posted at: <http://www.Coscend.com/Anchor/Common/Terms_and_Conditions.html> http://www.Coscend.com/Anchor/Common/Terms_and_Conditions.html -Original Message- From: Willy Tarreau [mailto:w...@1wt.eu] Sent: Tuesday, November 28, 2017 12:25 PM To: Coscend@HAProxy Cc: haproxy@formilux.org Subject: Re: Does HAProxy 1.8.0 need new param vs 1.7.9 Hi Hemant, On Tue, Nov 28, 2017 at 12:15:32PM -0600, Coscend@HAProxy wrote: > Thank you for giving time after a large 1.8.0 release to provide us > vectors on testing HAProxy work mode. This community's intensity and > laser focus are a standout. Below is all the information you asked us > to look at. By any chance, was there any critical change between > 1.8-dev3 and 1.8-rc series/1.8.0? Sure, a lot! Too many to enumerate in fact. > New checks: Loads stats page and accesses all backends > > SUCCESS: 1.8-dev0/dev1/dev2/dev3 > FAILS: 1.8-rc1/rc2rc3/rc4 and 1.8.0 > > Browser message: > > This site can't be reached > > coscend.com took too long to respond. Ah OK so it's not a "connection refused" as I thought it was, but the fact that it apparently hangs. That's a different case. I suspect the process quickly goes up in a loop at 100% CPU due to a bug. There has been a locking bug on the mailers section causing this, would you happen to have one such setting in your config ? > (1) check if the process is still present (ps aux) > > root 2801 0.0 0.1 74928 11560 ? S11:28 0:00 > /usr/local/sbin/haproxy -Ws -V -C /usr/local/haproxy-1.8.0/conf -f > /usr/local/haproxy-1.8.0/conf -f -D -p > /var/run/haproxy.pid > > haproxy 2802 99.5 0.1 75620 12408 ?Rs 11:28 10:50 ^ Bingo, spinning process! Thanks for all the elements. If you're having a "mailers" section, then the next nighly snapshot will contain the fix, or you can pick it yourself, it's commit 8f42b19 ("BUG/MEDIUM: tcp-check: Don't lock the server in tcpcheck_main"). If you don't have such a section, that's embarrassing, it means there is another locking bug. In this case I'll ask you for more info off-list. Regards, Willy --- This email has been checked for viruses by AVG. http://www.avg.com
RE: Does HAProxy 1.8.0 need new param vs 1.7.9
Hello Willy, Thank you for giving time after a large 1.8.0 release to provide us vectors on testing HAProxy work mode. This community's intensity and laser focus are a standout. Below is all the information you asked us to look at. By any chance, was there any critical change between 1.8-dev3 and 1.8-rc series/1.8.0? New checks: Loads stats page and accesses all backends SUCCESS: 1.8-dev0/dev1/dev2/dev3 FAILS: 1.8-rc1/rc2rc3/rc4 and 1.8.0 Browser message: This site can't be reached coscend.com took too long to respond. SUCCESS: 1.7.9 Below are captured: 1. 1.8.0 process and port checks 2. 1.8.0 binary location ascertained 3. Systemd's logs related to HAProxy startup. 4. listen stats config (just to see, if we anything conflicts with 1.8.0) === LOGS == We are logging in as root. (1) check if the process is still present (ps aux) root 2801 0.0 0.1 74928 11560 ?S11:28 0:00 /usr/local/sbin/haproxy -Ws -V -C /usr/local/haproxy-1.8.0/conf -f /usr/local/haproxy-1.8.0/conf -f -D -p /var/run/haproxy.pid haproxy 2802 99.5 0.1 75620 12408 ?Rs 11:28 10:50 /usr/local/sbin/haproxy -Ws -V -C /usr/local/haproxy-1.8.0/conf -f /usr/local/haproxy-1.8.0/conf -f -D -p /var/run/haproxy.pid root 3132 0.0 0.0 112644 964 tty1 S+ 11:39 0:00 grep --color=auto haproxy are the ports properly listening (netstat -ltnp) Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp0 0 :10681 0.0.0.0:* LISTEN 2802/haproxy tcp0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2802/haproxy tcp0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1319/sshd tcp0 0 127.0.0.1:250.0.0.0:* LISTEN 2141/master tcp0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2802/haproxy tcp6 0 0 :::22 :::*LISTEN 1319/sshd tcp6 0 0 ::1:25 :::*LISTEN 2141/master (2) are you certain that the binary in this absolute path is the one you expect ? We are using symlink for HAProxy binaries. drwxr-xr-x. 2 root root 4096 Nov 28 11:37 . drwxr-xr-x. 24 root root 4096 Nov 27 23:20 .. lrwxrwxrwx. 1 root root 36 Nov 27 09:52 haproxy -> /usr/local/haproxy-1.8.0/bin/haproxy lrwxrwxrwx. 1 root root 36 Nov 27 00:06 haproxy-1.7.9 -> /usr/local/haproxy-1.7.9/bin/haproxy (3) Do you have anything in systemd's logs related to the startup ? Nov 28 11:28:57 localhost systemd: [/etc/systemd/system/haproxy.service:40] Unknown lvalue 'ExecCheck' in section 'Service' Nov 28 11:28:57 localhost systemd: [/etc/systemd/system/haproxy.service.d/haproxy.service.conf:1] Assignment outside of section. Ignoring. Nov 28 11:28:57 localhost systemd: [/etc/systemd/system/haproxy.service.d/haproxy.service.conf:2] Assignment outside of section. Ignoring. ...similar 9 lines Nov 28 11:28:57 localhost systemd: Starting HAProxy Load Balancer... Nov 28 11:28:57 localhost haproxy: Available polling systems : Nov 28 11:28:57 localhost haproxy: epoll : pref=300, test result OK Nov 28 11:28:57 localhost haproxy: poll : pref=200, test result OK Nov 28 11:28:57 localhost haproxy: select : pref=150, test result FAILED Nov 28 11:28:57 localhost haproxy: Total: 3 (2 usable), will use epoll. Nov 28 11:28:57 localhost haproxy: Available filters : Nov 28 11:28:57 localhost haproxy: [SPOE] spoe Nov 28 11:28:57 localhost haproxy: [COMP] compression Nov 28 11:28:57 localhost haproxy: [TRACE] trace Nov 28 11:28:57 localhost haproxy: [info] 331/112857 (2799) : [acme] http-01 plugin v0.1.1 Nov 28 11:28:57 localhost haproxy: Using epoll() as the polling mechanism. Nov 28 11:28:57 localhost haproxy: Using epoll() as the polling mechanism. Nov 28 11:28:57 localhost systemd: Started HAProxy Load Balancer. (4) Stats configuration userlist admin_users group admin_group users admin user admin password $6$bxgj6QAG/MkcB8i.$TD0V/lZp4K8F/ listen HAProxy-stats bind :10681name https_stats ssl crt "PATH_TO_CRT_FILE/FILENAME" modehttp timeout queue 10s timeout client 5ms timeout server 5ms timeout connect 5000ms timeout http-keep-alive 10s timeout http-request5s timeout check 10s stats enable acl auth_readonly http_auth(admin_users) acl auth_admin http_auth_group(admin_users) admin_group stats http-request auth realm HAProxy.stats unless auth_readonly stats admin if auth_admin stats hide-versi
RE: Does HAProxy 1.8.0 need new param vs 1.7.9
Further, we have added the following new parameters in the configuration before testing 1.8.0 [{I} -Baptiste Assman's article]. Still the pages / applications are not accessible via 1.8.0. What obvious thing could we be missing with 1.8.0 installation/configuration vs. 1.7.9? Your vectors to help find a solution would be appreciated. (i)Used systemd: ExecStart -Ws. OR global master-worker (ii) frontend webapps-frontend bind *:443 name https ssl crt "$PATH_TO_&_NAME_OF_SSL_CRT_PATH_FILE" alpn h2,http/1.1 The OS is CentOS 7.1 and has systemd and system-devel. [I] https://www.haproxy.com/blog/whats-new-haproxy-1-8/ Thank you. Sincerely, Hemant K. Sabat Coscend Communications Solutions <http://www.coscend.com/> www.Coscend.com -- Real-time, Interactive Video Collaboration, Tele-healthcare, Tele-education, Telepresence Services, on the fly. -- CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail Messages from Coscend Communications Solutions' posted at: http://www.Coscend.com/Anchor/Common/Terms_and_Conditions.html From: Coscend@Coscend [mailto:haproxy.insig...@coscend.com] Sent: Monday, November 27, 2017 12:11 PM To: haproxy@formilux.org Subject: Does HAProxy 1.8.0 need new param vs 1.7.9 Dear HAProxy community, We have been successfully loading Stats page and other applications via HAProxy 1.7.9. We successfully compiled, installed and ran 1.8.0 as a systemd service. However, with 1.8.0, we are unable to access the same stats page or any other application. We are using the same set of multiple HAProxy configuration files for both 1.8.0 and 1.7.9. Ports on firewalls are open and policies are enabled, as verified by a working v. 1.7.9. No log is being captured by HAProxy during access to these pages / applications. Router log gives HAProxy is resetting the request. The Web page on browser states "the connection was reset." Would you be kind enough to provide any vectors on what new configuration parameter we should add / modify for 1.8.0 (different from 1.7.9)? Below is haproxy -vv. Command to start HAProxy: CONFIG= ExecStart=/usr/local/sbin/haproxy -Ws -V -C $CONFIG -f $CONFIG -f $ -f $ -D -p $PIDFILE ExecReload=/usr/local/sbin/haproxy -C $CONFIG -f $CONFIG -f $BACKENDS_DEFAULT -f $BACKENDS_SECURITY -f $BACKENDS_COSCENDCC -f $BACKENDS_PRODUCTS -c -q ExecReload=/bin/kill -USR2 $MAINPID KillMode=mixed Restart=always Type=forking WantedBy=multi-user.target Thank you. HA-Proxy version 1.8.0 2017/11/26 Copyright 2000-2017 Willy Tarreau mailto:wi...@haproxy.org> > Build options : TARGET = linux2628 CPU = native CC = gcc CFLAGS = -m64 -march=x86-64 -O2 -march=native -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label OPTIONS = USE_LIBCRYPT=1 USE_CRYPT_H=1 USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_SYSTEMD=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_TFO=1 USE_NS=1 Default settings : maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200 Built with OpenSSL version : OpenSSL 1.0.2k 26 Jan 2017 Running on OpenSSL version : OpenSSL 1.0.2k 26 Jan 2017 OpenSSL library supports TLS extensions : yes OpenSSL library supports SNI : yes OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2 Built with Lua version : Lua 5.3.1 Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND Encrypted password support via crypt(3): yes Built with multi-threading support. Built with PCRE version : 8.32 2012-11-30 Running on PCRE version : 8.32 2012-11-30 PCRE library supports JIT : yes Built with zlib version : 1.2.7 Running on zlib version : 1.2.7 Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip") Built with network namespace support. Available polling systems : epoll : pref=300, test result OK poll : pref=200, test result OK select : pref=150, test result OK Total: 3 (3 usable), will use epoll. Available filters : [SPOE] spoe [COMP] compression [TRACE] trace Sincerely, Hemant K. Sabat Coscend Communications Solutions <http://www.coscend.com/> www.Coscend.com -- Real-time, Interactive Video Collaboration, Tele-healthcare, Tele-education, Telepresence Services, on the fly. -- CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail Messages from Coscend Communications Solutions
RE: HAProxy 1.7.9 Not Capturing Application Session Cookie
Hello Moemen, Thank you and very thoughtful of you to educate us on how HAProxy handles Websockets and logs cookies. Guidance such as these have helped us grow from a rank startup to offer SLA-based healthcare services to disadvantaged remote areas (where there are no hospitals/clinics) through our Web-based products. These patients indirectly benefit from your guidance, besides us who benefit directly. Without the cookie in the request of the login page, our users are unable to login into the product. Going by your guidance, it would be advisable to insert the JSESSIONID received in server response back into the client request. This will help our product server authenticate users to login. Are we on the right path? https://www.haproxy.com/documentation/aloha/8-5/haproxy/traffic-capture/ à Insert a cookie if none presented by the client If we need to course correct, please advise alternatives. As advised, we are using for Websockets backend subdomain_cc timeout tunnel 3600s Thank you. Sincerely, Hemant K. Sabat Coscend Communications Solutions <http://www.coscend.com/> www.Coscend.com -- Real-time, Interactive Video Collaboration, Tele-healthcare, Tele-education, Telepresence Services, on the fly -- CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail Messages from Coscend Communications Solutions' posted at: <http://www.Coscend.com/Anchor/Common/Terms_and_Conditions.html> http://www.Coscend.com/Anchor/Common/Terms_and_Conditions.html From: Moemen MHEDHBI [mailto:mmhed...@haproxy.com] Sent: Monday, November 27, 2017 1:15 PM To: haproxy@formilux.org Subject: Re: HAProxy 1.7.9 Not Capturing Application Session Cookie Hi Hemant, When using websocket, HAProxy will switch to tunnel mode whenever it detects the Connection: Upgrade header. Tunnel mode means that only the first request and response are processed and logged and everything else will be forwarded with no analysis, I think this is what happens with your 3.3.2 version. Normally you will only be able to see the cookie in the log if it is present in the request initiating the websocket connection. On the other hand, with your 3.3.0 version, HAProxy works in the default keep-alive-mode where every request is processed and logged. ++ On 24/11/2017 23:30, Coscend@Coscend wrote: Hello Moemen, Thank you for your encouraging insights. Below is the information you asked. >>Also you mentioned the application extensively uses Websockets. Is it only 3.3.2 using websockets ? if that is the case this may be a good lead since HAProxy does not handle websockets traffic in the same way as it does for normal http traffic. Yes, only v. 3.3.2 uses Websockets. (v. 3.3.0 did not use Websockets and access via HAProxy was seamless.) Could you please educate us on what configuration changes we need to do for Websockets traffic (vs. HTTP traffic)? >>In your first post you said that it is working for 3.3.0 but not 3.3.2, then maybe this is an application issue. Are you sure 3.3.2 does sent the JSESSIONID. Yes. Please see below JSESSIONID in the login page URL loaded, HAProxy logs and product log. Is there any other way to verify whether the v. 3.3.2 is publishing JSESSIONID? Through HAProxy, login page URL loads with a JSESSIONID: <https://coscend.com/CoscendCC.Test/signin;jsessionid=E916C54BB7A9EA30E3EC90 21AEF4CB79> https://coscend.com/CoscendCC.Test/signin;jsessionid=E916C54BB7A9EA30E3EC902 1AEF4CB79 HAProxy log has the same JSESSIONID ONLY in the first two lines -- in server response: Nov 23 01:29:59 localhost haproxy[6585]: 192.168.100.152:60014 [23/Nov/2017:01:29:59.588] webapps-frontend~ subdomain_cc/CoscendCC.Test 0/0/0/10/10 302 343 - JSESSIONID=E916C54BB7A9EA30E3EC9021AEF4CB79 1/1/0/0/0 0/0 {|coscend.com||} {||0|no-cache||./signin;jsessionid=no-cache|} "GET /CoscendCC.Test/ HTTP/1.1" Nov 23 01:29:59 localhost haproxy[6585]: 192.168.100.152:60014 [23/Nov/2017:01:29:59.588] webapps-frontend~ subdomain_cc/CoscendCC.Test 0/0/0/10/10 302 343 - JSESSIONID=E916C54BB7A9EA30E3EC9021AEF4CB79 1/1/0/0/0 0/0 {|coscend.com||} {||0|no-cache||./signin;jsessionid=no-cache|} "GET /CoscendCC.Test/ HTTP/1.1" Product log: DEBUG 11-24 15:10:26.951 1341302 145 MainPage [105-6083-exec-6] - WebSocketBehavior::onConnect [uid: ded43405-f081-4a04-be0c-b92dd510a94a, session: 6015021798DAE92F2F989D8ED5E0B9DE, key: <mailto:org.apache.wicket.protocol.ws.api.registry.PageIdKey@0> org.apache.wicket.protocol.ws.api.registry.PageIdKey@0] We have also tried the following new configuration, but HAProxy still does not capture request cookie or response cookie after first two lines. Thank you. HAProxy.cfg -- frontend webapps-frontend
[SPAM] haproxy@formilux.org开票、普通增值税、专用17%、联系13798544434陈会计haproxy@formilux.org
haproxyhaproxy尊敬的商家朋友您好,我司可长期对外优惠开具各行业:普通增值票、专用17%票、需要联系13798544434陈会计,手机微信同步。 本司承诺:所开出票据均可验证后付款、客户资料绝对保密。2017/11/10
RE: Seeking Assistance: HTTP Headers Conf. to Access Web Product
Attached is the correct HAProxy log output. The attachment in the previous post was from an unrelated context. Apologies. Thank you for your assistance. From: Coscend@HAProxy [mailto:haproxy.insig...@coscend.com] Sent: Wednesday, July 19, 2017 2:16 AM To: haproxy@formilux.org Subject: Seeking Assistance: HTTP Headers Conf. to Access Web Product Hello HAProxy Community, We are seeking your assistance with the following issue we are facing with HAProxy being used as a reverse proxy server. Your vectors could help us learn and identify the cause of our issue and solve it. Thank you. ISSUE = We are able to successfully access and run our Web application from INTERNALLY, bypassing HAProxy, using URL. But, through HAProxy 1.7.8, only the login page of this Web application loads. Upon clicking on login button, nothing happens and we are unable to go past it. Below inline are the: [1] HTTP header analysis from browser inspection tool, for both successful application run (withOUT HAProxy) and failed run with HAProxy. Diffs: Set-Cookie header (JSESSIONID), Transfer-Encoding, Accept-encoding, expires, p::submit [2] HAProxy conf. with relevant frontend and backend. - we are using modular, multiple files. [3] HAProxy log (ATTACHED). [1] Browser inspection output: HTTP Headers == Successful running: bypassing HAProxy (internally) - Request URL:http:// http://%3c> < IP:Port>/Product.Name/wicket/bookmarkable/org.apache.openmeetings.web.pages. auth.SignInPage?2-1.0-signin-signin-submit Request Method:POST Status Code:200 Remote Address: Referrer Policy:no-referrer-when-downgrade Response Headers view source Ajax-Location:. Cache-Control:no-cache, no-store Content-Security-Policy:default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; Content-Type:text/xml;charset=UTF-8 Date:Mon, 17 Jul 2017 19:36:24 GMT Expires:Thu, 01 Jan 1970 00:00:00 GMT Pragma:no-cache Set-Cookie:JSESSIONID=07E88B37E0F1F42D0BBD319FDC79DBD0;path=/; HttpOnly Strict-Transport-Security:max-age=31536000; includeSubDomains; preload Transfer-Encoding:chunked X-Content-Type-Options:nosniff X-Frame-Options:SAMEORIGIN X-XSS-Protection:1; mode=block Request Headers view source Accept:application/xml, text/xml, */*; q=0.01 Accept-Encoding:gzip, deflate Accept-Language:en-US,en;q=0.8 Connection:keep-alive Content-Length:61 Content-Type:application/x-www-form-urlencoded; charset=UTF-8 Cookie:JSESSIONID=CD59ACAA3BCFE3F4C8A3AEBE77C52BC6 DNT:1 Host:< IP:Port> Origin:http:// Referer:http:signin;jsessionid=CD59ACAA3BCFE3F4C8 A3AEBE77C52BC6 User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36 Wicket-Ajax:true Wicket-Ajax-BaseURL:signin X-Requested-With:XMLHttpRequest Query String Parameters view source view URL encoded 2-1.0-signin-signin-submit: Form Data view source view URL encoded login:<.> pass:<.> p::submit:1 FAILED LOGIN via HAProxy --- Request URL:https:// https://%3cour.domain.com%3e/%3cProduct.Name%3e/wicket/bookmarkable/org .apache.openmeetings.web.pages.auth.SignInPage?1-1.2-signin> //wicket/bookmarkable/org.apache.openmeetings. web.pages.auth.SignInPage?1-1.2-signin Request Method:POST Status Code:400 Remote Address::443 Referrer Policy:no-referrer-when-downgrade Response Headers view source Cache-Control:nocache, no-store Content-Language:en Content-Length:800 Content-Security-Policy:default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; Content-Type:text/html;charset=utf-8 Date:Wed, 19 Jul 2017 06:45:33 GMT Pragma:no-cache Referrer-Policy:no-referrer-when-downgrade Strict-Transport-Security:max-age=31536000; includeSubDomains; preload X-Content-Type-Options:nosniff X-Frame-Options:SAMEORIGIN X-XSS-Protection:1; mode=block Request Headers view source Accept:application/xml, text/xml, */*; q=0.01 Accept-Encoding:gzip, deflate, br Accept-Language:en-US,en;q=0.8 Connection:keep-alive Content-Length:45 Content-Type:application/x-www-form-urlencoded; charset=UTF-8 Cookie:JSESSIONID=cc-tt-d~6EE3B690118810FEE7ED4B38E61D9294 DNT:1 Host: Origin:https:// Referer:https:///Product.Name/signin;jsessionid=6EE3B6901188 10FEE7ED4B38E61D9294 User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36 Wicket-Ajax:true Wicket-Ajax-BaseURL:signin Wicket-FocusedElementId:btn1d9 X-Requested-With:XMLHttpRequest Query String Parameters view source view URL encoded 1-1.2-signin: Form Data view source view URL encod
Seeking Assistance: HTTP Headers Conf. to Access Web Product
Hello HAProxy Community, We are seeking your assistance with the following issue we are facing with HAProxy being used as a reverse proxy server. Your vectors could help us learn and identify the cause of our issue and solve it. Thank you. ISSUE = We are able to successfully access and run our Web application from INTERNALLY, bypassing HAProxy, using URL. But, through HAProxy 1.7.8, only the login page of this Web application loads. Upon clicking on login button, nothing happens and we are unable to go past it. Below inline are the: [1] HTTP header analysis from browser inspection tool, for both successful application run (withOUT HAProxy) and failed run with HAProxy. Diffs: Set-Cookie header (JSESSIONID), Transfer-Encoding, Accept-encoding, expires, p::submit [2] HAProxy conf. with relevant frontend and backend. - we are using modular, multiple files. [3] HAProxy log (ATTACHED). [1] Browser inspection output: HTTP Headers == Successful running: bypassing HAProxy (internally) - Request URL:http://< IP:Port>/Product.Name/wicket/bookmarkable/org.apache.openmeetings.web.pages. auth.SignInPage?2-1.0-signin-signin-submit Request Method:POST Status Code:200 Remote Address: Referrer Policy:no-referrer-when-downgrade Response Headers view source Ajax-Location:. Cache-Control:no-cache, no-store Content-Security-Policy:default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; Content-Type:text/xml;charset=UTF-8 Date:Mon, 17 Jul 2017 19:36:24 GMT Expires:Thu, 01 Jan 1970 00:00:00 GMT Pragma:no-cache Set-Cookie:JSESSIONID=07E88B37E0F1F42D0BBD319FDC79DBD0;path=/; HttpOnly Strict-Transport-Security:max-age=31536000; includeSubDomains; preload Transfer-Encoding:chunked X-Content-Type-Options:nosniff X-Frame-Options:SAMEORIGIN X-XSS-Protection:1; mode=block Request Headers view source Accept:application/xml, text/xml, */*; q=0.01 Accept-Encoding:gzip, deflate Accept-Language:en-US,en;q=0.8 Connection:keep-alive Content-Length:61 Content-Type:application/x-www-form-urlencoded; charset=UTF-8 Cookie:JSESSIONID=CD59ACAA3BCFE3F4C8A3AEBE77C52BC6 DNT:1 Host:< IP:Port> Origin:http:// Referer:http:signin;jsessionid=CD59ACAA3BCFE3F4C8 A3AEBE77C52BC6 User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36 Wicket-Ajax:true Wicket-Ajax-BaseURL:signin X-Requested-With:XMLHttpRequest Query String Parameters view source view URL encoded 2-1.0-signin-signin-submit: Form Data view source view URL encoded login:<.> pass:<.> p::submit:1 FAILED LOGIN via HAProxy --- Request URL:https:wicket/bookmarkable/org.apache.o penmeetings.web.pages.auth.SignInPage?1-1.2-signin Request Method:POST Status Code:400 Remote Address::443 Referrer Policy:no-referrer-when-downgrade Response Headers view source Cache-Control:nocache, no-store Content-Language:en Content-Length:800 Content-Security-Policy:default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; Content-Type:text/html;charset=utf-8 Date:Wed, 19 Jul 2017 06:45:33 GMT Pragma:no-cache Referrer-Policy:no-referrer-when-downgrade Strict-Transport-Security:max-age=31536000; includeSubDomains; preload X-Content-Type-Options:nosniff X-Frame-Options:SAMEORIGIN X-XSS-Protection:1; mode=block Request Headers view source Accept:application/xml, text/xml, */*; q=0.01 Accept-Encoding:gzip, deflate, br Accept-Language:en-US,en;q=0.8 Connection:keep-alive Content-Length:45 Content-Type:application/x-www-form-urlencoded; charset=UTF-8 Cookie:JSESSIONID=cc-tt-d~6EE3B690118810FEE7ED4B38E61D9294 DNT:1 Host: Origin:https:// Referer:https:///Product.Name/signin;jsessionid=6EE3B6901188 10FEE7ED4B38E61D9294 User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36 Wicket-Ajax:true Wicket-Ajax-BaseURL:signin Wicket-FocusedElementId:btn1d9 X-Requested-With:XMLHttpRequest Query String Parameters view source view URL encoded 1-1.2-signin: Form Data view source view URL encoded login:<.> pass:<.> [2] HAProxy configuration --- global log 127.0.0.1 local2 log-tag haproxy pidfile /var/run/haproxy.pid userhaproxy group haproxy nbproc 1 maxconn 5000 spread-checks 5 debug
RE: Regarding migration on version haproxy-1.7.3
Hello Devendra, In the spirit of assisting, further to Pavlos' insights, you might want to check Baptiste Assman's blog on 1.5 vs. 1.6 below. It is our understanding that the new features in 1.6 have been mostly carried over to 1.7 as well. https://www.haproxy.com/blog/whats-new-in-haproxy-1-6/ Examples include bind :, environmental variables Willy Tarreau's note during general release of 1.6: https://www.mail-archive.com/haproxy@formilux.org/msg19877.html 1.7: https://www.mail-archive.com/haproxy@formilux.org/msg24244.html Thank you. Sincerely, Hemant K. Sabat Coscend Communications Solutions www.Coscend.com -- Real-time, Interactive Video Collaboration, Tele-healthcare, Tele-education, Telepresence Services, on the fly… -- CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail Messages from Coscend Communications Solutions' posted at: http://www.Coscend.com/Terms_and_Conditions.html -Original Message- From: Pavlos Parissis [mailto:pavlos.paris...@gmail.com] Sent: Thursday, June 8, 2017 2:53 AM To: Devendra Joshi ; haproxy@formilux.org Subject: Re: Regarding migration on version haproxy-1.7.3 On 06/08/2017 07:31 AM, Devendra Joshi wrote: > Hi, > currently we are using haproxy-1.5.14 & now we want to migrate on > haproxy-1.7.3 > <https://www.mail-archive.com/search?l=haproxy@formilux.org&q=subject: > %22%5C%5BANNOUNCE%5C%5D+haproxy%5C-1.7.3%22&o=newest> > > is there any config changes or need to do some setting. > You should always test a software before you push it to production. In most of the cases I have seen the upgrade is very smooth, but it depends on the configuration. Some people never change the config they created with 1.4 version and get in troubles when they upgrade to 1.6 or 1.7 version. Just build a test machine, load the config, check for errors and then test it with some traffic. In case of troubles in production after the upgrade, you can easily roll back by downgrading the package. 1.7.6 version is coming soon, so you may want to wait few days for that one to be released before you upgrade production. Cheers, Pavlos
RE: Multiple Config Files Use Leads to Lockout
Hello Pavlos, An update: Following your guidance, we have successfully transitioned from using 'system V init' to 'systemd' in order to start/stop/reload HAProxy. Thank you for helping us advance with times. We would appreciate your guidance on why using multiple HAProxy config files in a directory forces us to reset our password to our WebSocket product for us to login? HAPRoxy configuration is in the previously posted message. Sincerely, Hemant K. Sabat -Original Message- From: Coscend@HAProxy [mailto:haproxy.insig...@coscend.com] Sent: Saturday, April 8, 2017 4:18 AM To: 'Pavlos Parissis' ; 'haproxy' Subject: RE: Multiple Config Files Use Leads to Lockout Hello Pavlos, Below we have provided both the information you requested. Your guidance would be appreciated. (1) Sanitized version of HAProxy configuration is below. Please help us identify why using multiple HAProxy config files in a directory forces us to reset our password to our WebSocket product for us to login? Single haproxy.cfg file works perfectly with the same configuration. (2) >> May I ask why you are using the SysVinit and not systemd to start haproxy? You are using CentOS 7.2, which uses systemd, Thank you for guiding us to use systemd. Today, we created a haproxy.service executable file in /usr/lib/systemd/system/haproxy.service, but failed to start HAProxy. The haproxy.service file is below. What did we do wrong? HAProxy configuration file (sanitized) global log 127.0.0.1 local2 log-tag haproxy pidfile /var/run/haproxy.pid userhaproxy group haproxy nbproc 1 maxconn 5000 spread-checks 5 debug chroot "/usr/local/haproxy-1.7.5/lib" stats socket""/usr/local/haproxy-1.7.5/lib/haproxy.sock" maxsslconn 256 tune.ssl.default-dh-param 4096 ca-base /etc/pki/CA/ssl.cert crt-base /etc/pki/CA/ssl.key ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS ssl-default-bind-options no-sslv3 no-tls-tickets ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS ssl-default-server-options no-sslv3 no-tls-tickets maxcomprate 1 maxcompcpuusage 50 tune.comp.maxlevel 5 defaults modehttp log global option httplog option http-server-close option redispatch retries 3 backlog 1 timeout client 5ms timeout connect 5000ms timeout server 5ms timeout http-keep-alive 10s timeout http-request15s timeout queue 30s timeout check 10s timeout tarpit 60s default-server inter 3s rise 2 fall 3 option forwardfor option abortonclose maxconn 5 compression algo gzip compression offload compression type text/html "text/html; charset=utf-8" text/html;charset=utf-8 text/plain text/css text/javascript application/x-javascript application/javascript applica
RE: Multiple Config Files Use Leads to Lockout
Hello Pavlos, Below we have provided both the information you requested. Your guidance would be appreciated. (1) Sanitized version of HAProxy configuration is below. Please help us identify why using multiple HAProxy config files in a directory forces us to reset our password to our WebSocket product for us to login? Single haproxy.cfg file works perfectly with the same configuration. (2) >> May I ask why you are using the SysVinit and not systemd to start haproxy? You are using CentOS 7.2, which uses systemd, Thank you for guiding us to use systemd. Today, we created a haproxy.service executable file in /usr/lib/systemd/system/haproxy.service, but failed to start HAProxy. The haproxy.service file is below. What did we do wrong? HAProxy configuration file (sanitized) global log 127.0.0.1 local2 log-tag haproxy pidfile /var/run/haproxy.pid user haproxy group haproxy nbproc 1 maxconn 5000 spread-checks 5 debug chroot "/usr/local/haproxy-1.7.5/lib" stats socket ""/usr/local/haproxy-1.7.5/lib/haproxy.sock" maxsslconn 256 tune.ssl.default-dh-param 4096 ca-base /etc/pki/CA/ssl.cert crt-base /etc/pki/CA/ssl.key ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS ssl-default-bind-options no-sslv3 no-tls-tickets ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS ssl-default-server-options no-sslv3 no-tls-tickets maxcomprate 1 maxcompcpuusage 50 tune.comp.maxlevel 5 defaults modehttp log global option httplog option http-server-close option redispatch retries 3 backlog 1 timeout client 5ms timeout connect 5000ms timeout server 5ms timeout http-keep-alive 10s timeout http-request15s timeout queue 30s timeout check 10s timeout tarpit 60s default-server inter 3s rise 2 fall 3 option forwardfor option abortonclose maxconn 5 compression algo gzip compression offload compression type text/html "text/html; charset=utf-8" text/html;charset=utf-8 text/plain text/css text/javascript application/x-javascript application/javascript application/ecmascript application/rss+xml application/atomsvc+xml application/atom+xml application/atom+xml;type=entry application/atom+xml;type=feed application/cmisquery+xml application/cmisallowableactions+xml application/cmisatom+xml application/cmistree+xml application/cmisacl+xml application/msword application/vnd.ms-excel application/vnd.ms-powerpoint image/svg+xml errorfile 400 /usr/local/haproxy-1.7.5/errors/400.http ... frontend webapps-frontend bind *:443 name https ssl crt /etc/pki/CA/pem.ecc log global optionforwardfor optionhttplog clf http-request set-header X-Forwarded-Port %[dst_port] acl host_coscend_httpreq.hdr(Hos
Multiple Config Files Use Leads to Lockout
Dear HAProxy Community, We are seeking your guidance with regard to the following issue we are facing with our HAProxy use. -- ISSUE --- When we use a single monolithic config file (haproxy.cfg), HAPRoxy launches fine and we are able to access our products that use HTTP/TCP (WebSockets) and RTMP. When we launch HAProxy using multiple config files in a directory, HAProxy launches fine. However, our products do not allow administrator to login (i.e., locks out). We have to reset the password to login. Once the admin logs out, again it locks out the administrator and the password has to be reset to login. How is using multiple HAProxy config files in a directory connected to logging in to our WebSocket product? DETAILS We are running HAProxy as a daemon service. We are using HAProxy init script from HAProxy's Github source. /etc/init.d/haproxy has the following lines: Option 1: When using SINGLE Config FILE CFG=haproxy-1.7.5/conf/$BASENAME.cfg Option 2: When using a config DIRECTORY (conf.modular) with multiple files in alphanumerical order, namely global, defaults, frontend, backend, dns resolver and statistics: CFG=haproxy-1.7.5/conf.modular Environment: HAProxy version: 1.7.5 CentOS 7.2 Lua 5.3 Zlib compression PCRE 8.3x OpenSSL 1.0.2k Thank you. Sincerely, Hemant K. Sabat Coscend Communications Solutions Web site: <http://www.coscend.com/> www.Coscend.com -- Real-time, Interactive Video Collaboration, Tele-healthcare, Tele-education, Telepresence Services, on the fly. -- CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail Messages from Coscend Communications Solutions' posted at: <http://www.coscend.com/Terms_and_Conditions.html> http://www.Coscend.com/Terms_and_Conditions.html
RE: WebSocket + compression + timeout tunnel broken in v1.7?
Hello Krisjan, Thank you for posting this issue that helped us isolate our issue as well. Hello HAProxy Developers, We are seeking your assistance to overcome this issue. This would enable our WebSocket product benefit from HTTP compression. · Our WebSocket product that was working through 1.6.x, started reloading through 1.7.3 every 35 seconds—the value assigned to timeout client / server (defaults). When compression algo (defaults) is removed, timeout tunnel (backend) is effective. · Other non-WebSocket products are working fine even with compression algo (defaults) and timeout tunnel (backend). Our HAProxy is compiled with USE_ZLIB=1 (not SLZ). Thank you. Sincerely, Hemant K. Sabat Coscend Communications Solutions Web site: www.Coscend.com <http://www.coscend.com/> -- Real-time, Interactive Video Collaboration, Tele-healthcare, Tele-education, Telepresence Services, on the fly… -- CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail Messages from Coscend Communications Solutions' posted at: http://www.Coscend.com/Terms_and_Conditions.html From: Kristjan Koppel [mailto:krist...@ppesa.org] Sent: Friday, March 17, 2017 5:57 AM To: haproxy Subject: WebSocket + compression + timeout tunnel broken in v1.7? Hi! I upgraded a HAProxy instance from v1.6.10 to v1.7.3 with no changes to configuration and I noticed that now clients connecting to a WebSocket backend are getting disconnected after being idle for "timeout client" time rather than the much longer "timeout tunnel" time. As I understand it, "timeout tunnel" is supposed to override the "timeout client" setting for WebSocket sessions and this worked fine with v1.6 and earlier. Also, this HAProxy instance has compression enabled in the defaults section. If I remove the compression settings from there (or if I move them to other backends only), then "timeout tunnel" starts to work again. So, I guess this is a bug in HAProxy v1.7? I managed to reproduce this with the official HAProxy Docker images, a minimal haproxy.cfg and wscat (from the Debian package node-ws) as follows: haproxy.cfg: global stats socket /run/haproxy.sock mode 660 level admin stats timeout 30s daemon defaults modehttp timeout connect 5s timeout client 50s timeout server 60s timeout tunnel 15m compression algo gzip compression type text/html listen ws_test bind :8000 server wscat 172.17.0.1:8001 I started one wscat instance in listening mode for the backend: $ wscat -l 8001 With HAProxy v1.6.11 running the above config I see the following: $ date; wscat -c ws://172.17.0.2:8000; date Fri Mar 17 12:10:59 EET 2017 connected (press CTRL+C to quit) > foo < bar disconnected Fri Mar 17 12:26:03 EET 2017 State of the session about 30 seconds after starting the above command: $ echo "show sess" | socat /run/haproxy.sock stdio 0x12253b0: proto=tcpv4 src=172.17.0.1:52046 fe=ws_test be=ws_test srv=wscat ts=08 age=31s calls=4 rq[f=8848202h,i=0,an=00h,rx=14m32s,wx=,ax=] rp[f=88048202h,i=0,an=00h,rx=14m32s,wx=,ax=] s0=[7,8h,fd=1,ex=] s1=[7,118h,fd=2,ex=] exp=14m29s With HAProxy v1.7.3 running the same config I see the following: $ date; wscat -c ws://172.17.0.3:8000; date Fri Mar 17 12:29:39 EET 2017 connected (press CTRL+C to quit) > foo < bar disconnected Fri Mar 17 12:30:33 EET 2017 Obviously it takes me a bit of time to send the 2 strings manually, so total time is a bit more than the "timeout client" value here. State of the session about 30 seconds after starting the above command: $ echo "show sess" | socat /run/haproxy.sock stdio 0x22a4f10: proto=tcpv4 src=172.17.0.1:55996 fe=ws_test be=ws_test srv=wscat ts=04 age=33s calls=6 rq[f=8848000h,i=0,an=00h,rx=20s,wx=,ax=] rp[f=88048000h,i=0,an=00h,rx=30s,wx=,ax=] s0=[7,8h,fd=1,ex=] s1=[7,118h,fd=2,ex=] exp=20s If I remove the compression lines from the config and try again with HAProxy v1.7.3, then it's fine again: $ date; wscat -c ws://172.17.0.3:8000; date Fri Mar 17 12:35:22 EET 2017 connected (press CTRL+C to quit) > foo < bar disconnected Fri Mar 17 12:50:26 EET 2017 State of the session about 30 seconds after starting the above command: $ echo "show sess" | socat /run/haproxy.sock stdio 0x1e64500: proto=tcpv4 src=172.17.0.1:56038 fe=ws_test be=ws_test srv=wscat ts=04 age=31s calls=5 rq[f=8848000h,i=0,an=00h,rx=14m33s,wx=,ax=] rp[f=88048000h,i=0,an=00h,rx=14m33s,wx=,ax=] s0=[7,8h,fd=1,ex=] s1=[7,118h,fd=2,ex=] exp=14m33s I'll be happy to provide any additional
Re: HAProxy clustering
So because one loadbal can reach the service the others can? Log spam needs getting rid of anyway. Filter it out whether its the in service or one of the out of service loadbal. If you have a complex health check that creates load make it a little smarter and cache its result for a while On Fri, 16 Dec 2016 at 19:56, Jeff Palmer wrote: > backend health should be in on the sticktables that are shared between > > all instances, right? > > > > With that in mind, the inactive servers would know the backed states > > if a failover were to occur. no sense in having the log spam, network > > traffic, and load from healthchecks that aree essentially useless > > (IMO, of course) > > > > > > > > > > On Fri, Dec 16, 2016 at 2:50 PM, Neil - HAProxy List > > wrote: > > > Stephan, > > > > > > I'm curious... > > > > > > Why would you want the inactive loadbal not to check the services? > > > > > > If you really really did want that you do something horrid like tell > > > keepalive to block with iptables access to the backends when it does not > own > > > the service ip > > > > > > but why? you healthchecks should be fairly lightweight? > > > > > > Neil > > > > > > > > > On 16 Dec 2016 15:44, "Marco Corte" wrote: > > >> > > >> Hi! > > >> > > >> I use keepalived for IP management. > > >> > > >> I use Ansible on another host to deploy the configuration on the haproxy > > >> nodes. > > >> This setup gives me better control on the configuration: it is split in > > >> several files on the Ansible host, but assembled to a single config > file on > > >> the nodes. > > >> This gives also the opportunity to deploy the configuration on one node > > >> only. > > >> On the Ansible host, the configuration changes are tracked with git. > > >> > > >> I also considered an automatic replication of the config, between the > > >> nodes but... I did not like the idea. > > >> > > >> > > >> .marcoc > > >> > > > > > > > > > > > -- > > Jeff Palmer > > https://PalmerIT.net > >
Re: HAProxy clustering
Stephan, I'm curious... Why would you want the inactive loadbal not to check the services? If you really really did want that you do something horrid like tell keepalive to block with iptables access to the backends when it does not own the service ip but why? you healthchecks should be fairly lightweight? Neil On 16 Dec 2016 15:44, "Marco Corte" wrote: > Hi! > > I use keepalived for IP management. > > I use Ansible on another host to deploy the configuration on the haproxy > nodes. > This setup gives me better control on the configuration: it is split in > several files on the Ansible host, but assembled to a single config file on > the nodes. > This gives also the opportunity to deploy the configuration on one node > only. > On the Ansible host, the configuration changes are tracked with git. > > I also considered an automatic replication of the config, between the > nodes but... I did not like the idea. > > > .marcoc > >
Re: missing documentation on 51degrees samples
Ping? -Patrick On 2016/10/7 13:27, Patrick Hemmer wrote: > The documentation doesn't mention the sample fetcher `51d.all`, nor > the converter `51d.single`. The only place they're mentioned is the > repo README. > > Also the documentation for `51degrees-property-name-list` indicates it > takes an optional single string argument (`[]`), rather than > multiple string arguments (`...`). This led me to expect it > was comma delimited, which ended up not working. > > -Patrick
Re: Getting JSON encoded data from the stats socket.
Might help to see an example of what the results look like when using this schema, however I do have one comment below. On 2016/11/14 03:09, Simon Horman wrote: > Hi Willy, Hi All, > > On Thu, Nov 10, 2016 at 04:52:56PM +0100, Willy Tarreau wrote: >> Hi Simon! >> >> On Thu, Nov 10, 2016 at 04:27:15PM +0100, Simon Horman wrote: >>> My preference is to take things calmly as TBH I am only just getting >>> started on this and I think the schema could take a little time to get >>> a consensus on. >> I totally agree with you. I think the most difficult thing is not to >> run over a few arrays and dump them but manage to make everyone agree >> on the schema. And that will take more than a few days I guess. Anyway >> I'm fine with being proven wrong :-) > I took a first pass at defining a schema. > > * The schema follows what is described on json-schema.org (or at least > tries to). Is this a suitable approach? > * The schema only covers "show info" and "show stat" and the fields > are based on the typed output variants of those commands. > This leads me to several questions: > - Is this field selection desirable? It seems to make sense to me > as presumably the intention of the JSON output is for it to > be machine readable. > - Is such an approach appropriate for other show commands? > - And more generally, which other show commands are desired to > support output in JSON (in the near term)? > > { > "$schema": "http://json-schema.org/draft-04/schema#";, > "oneOf": [ > { > "title": "Info", > "description": "Info about HAProxy status", > "type": "array", > "items": { > "properties": { > "title": "Info Item", > "type": "object", > "field": { "$ref": "#/definitions/field" }, > "processNum": { "$ref": "#/definitions/processNum" }, > "tags": { "$ref": "#/definitions/tags" }, > "value": { "$ref": "#/definitions/typedValue" } > }, > "required": ["field", "processNum", "tags", "value"] > } > }, > { > "title": "Stat", > "description": "HAProxy statistics", > "type": "array", > "items": { > "title": "Info Item", > "type": "object", > "properties": { > "objType": { > "enum": ["F", // Frontend > "B", // Backend > "L", // Listener > "S" // Server Do we really need to save a few bytes and abbreviate these? We're already far more chatty than the CSV output as you're outputting field names (e.g. "proxyId" and "processNum"), so abbreviating the values when you've got full field names seems rather contrary. And then as you've demonstrated, this requires defining a "sub-schema" for explaining what "F", "B", etc, are. Thus requiring anyone parsing the json to have to keep a mapping of the values (and do the translation) within their code. Ditto for all the other "enum" types down below. > ] > }, > "proxyId": { > "type": "integer", > "minimum": 0 > }, > "id": { > "description": "Unique identifyier of object within > proxy", > "type": "integer", > "minimum": 0 > }, > "field": { "$ref": "#/definitions/field" }, > "processNum": { "$ref": "#/definitions/processNum" }, > "tags": { "$ref": "#/definitions/tags" }, > "typedValue": { "$ref": "#/de
Re: Sharing SSL information via PROXY protocol or HAProxy internally
I too am interested in this functionality. Looking at the proxy protocol documentation (http://www.haproxy.org/download/1.6/doc/proxy-protocol.txt), it seems that the requisite information is present in the PP2 header: " The PP2_CLIENT_SSL flag indicates that the client connected over SSL/TLS.". Looking through the source it seems haproxy adds this when sending PP2, but not when receiving it. -Patrick On 2016/4/16 04:57, Christian Ruppert wrote: > Hi Dennis, > > On 2016-04-16 02:13, Dennis Jacobfeuerborn wrote: >> On 15.04.2016 16:01, Christian Ruppert wrote: >>> Hi, >>> >>> would it be possible to inherit the SSL information from a SSL >>> listener/frontend via PROXY protocol? >>> So for example: >>> >>> listen ssl-relay >>> mode tcp >>> >>> ... >>> >>> server rsa unix@/var/run/haproxy_ssl_rsa.sock send-proxy-v2 >>> >>> listen ssl-rsa_ecc >>> mode tcp >>> >>> ... >>> >>> bind unix@/var/run/haproxy_ssl_rsa.sock accept-proxy ssl crt >>> SSl-RSA.PEM user haproxy >>> >>> frontend http_https >>> bind :80 # http >>> bind unix@/var/run/haproxy_ssl.sock accept-proxy user haproxy # >>> https >>> >>> redirect scheme https code 301 if !{ssl_fc} >>> >>> >>> Here the ssl_fc and other SSL related ACLs do not work because the >>> actual SSL termination has been done in the above ssl-rsa_ecc listener. >>> Sharing that either internally or via the PROXY protocol would be >>> really >>> handy, if that's possible. >>> For now we use the bind "id" to check whether it's the proxy connection >>> or not but the above would be much easier/better IMHO. >> >> For this specific case of http to https redirect I use the >> X-Forwarded-Proto header. In the ssl frontend I do this: >> >> http-request set-header X-Forwarded-Proto https >> >> and in the plain http frontend I do this: >> >> http-request redirect scheme https if !{ req.hdr(X-Forwarded-Proto) >> https } > > The problem here is that one could set that in a plain http request as > well and would avoid some redirects and whatnot, depending on what you > do based on what decision. You may also want the other SSL data, > cipher, version etc. Since 1.6 you can set variables, ok, but somehow > passing that kind of information could be really useful I guess. > >> >> You usually need to set this header anyway so the application knows it >> needs to generate https URLs in the generated HTML. >> >> Regards, >> Dennis >
Re: rspadd X-Frame-Options:\ ALLOW-FROM
Hello the warning explains it. you are attempting to change a response based on a request header. responses dont have access to request headers. there are ways round that this has come up on the list before so archives will have an answer or two Neil On 15 Oct 2016 16:28, "Amol" wrote: > Hi Igor, > Thanks so much for the reply, here is the error/warning i get when i add > your config line > > sudo /etc/init.d/haproxy restart > * Restarting haproxy haproxy [WARNING] 288/112410 (18154) : parsing > [/etc/haproxy/haproxy.cfg:84] : anonymous acl will never match because it > uses keyword 'req.hdr' which is incompatible with 'frontend http-response > header rule' > [WARNING] 288/112410 (18157) : parsing [/etc/haproxy/haproxy.cfg:84] : > anonymous acl will never match because it uses keyword 'req.hdr' which is > incompatible with 'frontend http-response header rule' > >[ OK ] > am i also missing something else? like an acl rule for req.hdr? > > -- > *From:* Igor Cicimov > *To:* Amol > *Cc:* HAproxy Mailing Lists > *Sent:* Friday, October 14, 2016 6:27 PM > *Subject:* Re: rspadd X-Frame-Options:\ ALLOW-FROM > > Amol, > > On Sat, Oct 15, 2016 at 7:21 AM, Amol wrote: > > Hi, > I am trying to configure my LB such that it can allow one of my websites > to render the pages behind this LB. > i am using Ubuntu 12.04 LTS > and > haproxy -v > HA-Proxy version 1.5.14 2015/07/02 > > config file entry > rspadd X-Frame-Options:\ ALLOW-FROM if https://load.example.com > > > You are missing a condition here, try: > > rspadd X-Frame-Options:\ ALLOW-FROM if { req.hdr(Host) -i load.example.com > } > > > > > but i get this error > > [ALERT] 287/161307 (22941) : parsing [/etc/haproxy/haproxy.cfg:83] : error > detected while parsing a 'rspadd' condition : no such ACL : ' > https://load.example.com/'. > [ALERT] 287/161307 (22941) : Error(s) found in configuration file : > /etc/haproxy/haproxy.cfg > [ALERT] 287/161307 (22941) : Fatal errors found in configuration. > <https://load.iformbuilder.com/> > > > > my prior setting was > config file entry > rspadd X-Frame-Options:\ SAMEORIGIN > > and that blocked any site from rendering the pages behind this LB. But now > i want it to allow this one link to open the pages. > > Please let me know if anyone has tackled this before. > > > > > -- > Igor Cicimov | DevOps > > > p. +61 (0) 433 078 728 > e. ig...@encompasscorporation.com <http://encompasscorporation.com/> > w*.* www.encompasscorporation.com > > a. > Level 4, 65 York Street, Sydney 2000 > > >
Re: configure peer namespace
Well nevermind. Applying the namespace to the remote peers isn't quite as simple. The local peer was simple as it behaves like a normal frontend bind. But it appears the remote peers are treated rather differently, and don't share anything with the server struct, and thus can't as easily accept all the server options. -Patrick On 2016/10/14 23:39, hapr...@stormcloud9.net wrote: > So I took a poke at this, and it seems pretty trivial to add an option > to support changing the namespace for a peer local binding. However I > implemented it on my own system by just copying the bind keyword > parsing code out of `cfg_parse_listen`. Meaning that I just added > support for *ALL* bind keywords, not just `namespace`. > > Given how trivial it was, I'm willing to attempt putting together a > patch to add the functionality, but have a few questions. > The primary question is should I add support for all bind options? Or > only the `namespace` option? > Should I do something similar for the peer remotes, adding support for > all server options? > > Other thoughts? > > -Patrick > > On 2016/10/9 21:59, Patrick Hemmer wrote: >> Can we get the ability to configure the peer namespace? >> Right now haproxy uses the default namespace, but in our system we >> have an "internal" interface which is able to talk to the other >> haproxy nodes, and this interface is in another network namespace. >> >> Additionally, the error output for failure to bind to a peer address >> is lacking. I had to do an `strace` to figure out what the error was: >> [ALERT] 282/214021 (2725) : [haproxy.main()] . >> [ALERT] 282/214021 (2725) : [haproxy.main()] Some protocols failed to >> start their listeners! Exiting. >> >> That's on haproxy 1.6.9 >> >> Anyway, I can change the namespace that haproxy is launched in, and >> then manually override the namespace for every `bind` and `server` >> parameter, but it's rather cumbersome to do so. Would be much nicer >> to be able to control the peer binding namespace, just like any other >> bind. >> >> If this would be a simple change, I might be willing to attempt it. >> But I've never worked in the haproxy source before, so not sure how >> involved it would be. >> >> Thanks >> >> -Patrick >
Re: configure peer namespace
So I took a poke at this, and it seems pretty trivial to add an option to support changing the namespace for a peer local binding. However I implemented it on my own system by just copying the bind keyword parsing code out of `cfg_parse_listen`. Meaning that I just added support for *ALL* bind keywords, not just `namespace`. Given how trivial it was, I'm willing to attempt putting together a patch to add the functionality, but have a few questions. The primary question is should I add support for all bind options? Or only the `namespace` option? Should I do something similar for the peer remotes, adding support for all server options? Other thoughts? -Patrick On 2016/10/9 21:59, Patrick Hemmer wrote: > Can we get the ability to configure the peer namespace? > Right now haproxy uses the default namespace, but in our system we > have an "internal" interface which is able to talk to the other > haproxy nodes, and this interface is in another network namespace. > > Additionally, the error output for failure to bind to a peer address > is lacking. I had to do an `strace` to figure out what the error was: > [ALERT] 282/214021 (2725) : [haproxy.main()] . > [ALERT] 282/214021 (2725) : [haproxy.main()] Some protocols failed to > start their listeners! Exiting. > > That's on haproxy 1.6.9 > > Anyway, I can change the namespace that haproxy is launched in, and > then manually override the namespace for every `bind` and `server` > parameter, but it's rather cumbersome to do so. Would be much nicer to > be able to control the peer binding namespace, just like any other bind. > > If this would be a simple change, I might be willing to attempt it. > But I've never worked in the haproxy source before, so not sure how > involved it would be. > > Thanks > > -Patrick
Re: Output logs in separate files
Haproxy doesn't write to /var/log/local6.log, that's your logging daemon (syslog-ng, rsyslog, whatever). That is what you need to adjust. Most such logging daemons have the ability to match & filter based on the contents of the log message. If there's nothing in the contents of the message for you to filter on, then yes, you can adjust the haproxy config `log-format` parameter and add `%sp` (the server port, which is what I assume you mean by "output port") to the log message. -Patrick On 2016/10/13 02:58, Pavel Rudenkov wrote: > > Hello, dear developers! > Several haproxy ports outputting log in local6. The very same local6 > outputs logs to overall /var/log/local6.log file that is in one file. > Required to implement each output port a separate file *.log, not in > common. Suitable for this log-tag? Other options? >
RE: HAProxy Build Error with TARGET
Bryan, Thank you for your prompt guidance. We downloaded this source code: http://www.haproxy.org/download/1.6/src/haproxy-1.6.9.tar.gz After reviewing your e-mail, we found out (from https://github.com/haproxy/haproxy) that we should use TARGET=linux2628 "- linux2628 for Linux 2.6.28, 3.x, and above (enables splice and tproxy)" Thank you, once again. Sincerely, Hemant K. Sabat Coscend Communications Solutions Web site: www.Coscend.com -- CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail Messages from Coscend Communications Solutions' posted at: http://www.Coscend.com/Terms_and_Conditions.html -Original Message- From: Bryan Talbot [mailto:bryan.tal...@playnext.com] Sent: Tuesday, September 13, 2016 11:56 PM To: haproxy.insig...@coscend.com Cc: HAproxy Mailing Lists Subject: Re: HAProxy Build Error with TARGET > On Sep 13, 2016, at Sep 13, 9:16 PM, Coscend@HAProxy wrote: > > Hello HAProxy Community, > > We are upgrading from HAProxy 1.6.7 to 1.6.9 by building from source. > We would appreciate any vector on the issue we are facing with > specifying TARGET in make and makefile. What source are you using? > > It is building fine with TARGET=linux2628. > However, we are getting a build error with TARGET=linux310 (see log > summary and detailed log below). Makefile also has TARGET=linux310. > Our Linux version, uname -r gives 3.10.0-229.el7.x86_64 The official source at http://git.haproxy.org/git/haproxy-1.6.git does not define TARGET for linux310 anywhere that I can find. -Bryan
HAProxy Build Error with TARGET
Hello HAProxy Community, We are upgrading from HAProxy 1.6.7 to 1.6.9 by building from source. We would appreciate any vector on the issue we are facing with specifying TARGET in make and makefile. It is building fine with TARGET=linux2628. However, we are getting a build error with TARGET=linux310 (see log summary and detailed log below). Makefile also has TARGET=linux310. Our Linux version, uname -r gives 3.10.0-229.el7.x86_64 Thank you. ERROR SUMMARY - /bin/ld: /usr/local/lua-5.3.1/lib//liblua.a(loadlib.o): undefined reference to symbol 'dlclose@@GLIBC_2.2.5' /bin/ld: note: 'dlclose@@GLIBC_2.2.5' is defined in DSO /lib64/libdl.so.2 so try adding it to the linker command line /lib64/libdl.so.2: could not read symbols: Invalid operation collect2: error: ld returned 1 exit status make: *** [haproxy] Error 1 = DETAILED LOG: Build Error = gcc -Iinclude -Iebtree -Wall -m64 -march=x86-64 -O2 -march=native -g -fno-strict-aliasing -Wdeclaration-after-statement -DCONFIG_HAP_CRYPT -DNEED_CRYPT_H -DUSE_GETADDRINFO -DUSE_ZLIB -DENABLE_POLL -DCONFIG_REGPARM=3 -DUSE_OPENSSL -DUSE_PRIVATE_CACHE -DUSE_LUA -I/usr/local/lua-5.3.1/include/ -DUSE_PCRE -I/usr/include -DUSE_PCRE_JIT -DUSE_TFO -DCONFIG_HAP_NS -DCONFIG_HAPROXY_VERSION=\"1.6.9\" -DCONFIG_HAPROXY_DATE=\"2016/08/30\" \ -DBUILD_TARGET='"linux310"' \ -DBUILD_ARCH='"x86_64"' \ -DBUILD_CPU='"native"' \ -DBUILD_CC='"gcc"' \ -DBUILD_CFLAGS='"-m64 -march=x86-64 -O2 -march=native -g -fno-strict-aliasing -Wdeclaration-after-statement"' \ -DBUILD_OPTIONS='"USE_LIBCRYPT=1 USE_CRYPT_H=1 USE_GETADDRINFO=1 USE_ZLIB=1 USE_POLL=default USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_TFO=1 USE_NS=1"' \ -c -o src/haproxy.o src/haproxy.c gcc -Iinclude -Iebtree -Wall -m64 -march=x86-64 -O2 -march=native -g -fno-strict-aliasing -Wdeclaration-after-statement -DCONFIG_HAP_CRYPT -DNEED_CRYPT_H -DUSE_GETADDRINFO -DUSE_ZLIB -DENABLE_POLL -DCONFIG_REGPARM=3 -DUSE_OPENSSL -DUSE_PRIVATE_CACHE -DUSE_LUA -I/usr/local/lua-5.3.1/include/ -DUSE_PCRE -I/usr/include -DUSE_PCRE_JIT -DUSE_TFO -DCONFIG_HAP_NS -DCONFIG_HAPROXY_VERSION=\"1.6.9\" -DCONFIG_HAPROXY_DATE=\"2016/08/30\" -c -o src/base64.o src/base64.c gcc -Iinclude -Iebtree -Wall -m64 -march=x86-64 -O2 -march=native -g -fno-strict-aliasing -Wdeclaration-after-statement -DCONFIG_HAP_CRYPT -DNEED_CRYPT_H -DUSE_GETADDRINFO -DUSE_ZLIB -DENABLE_POLL -DCONFIG_REGPARM=3 -DUSE_OPENSSL -DUSE_PRIVATE_CACHE -DUSE_LUA -I/usr/local/lua-5.3.1/include/ -DUSE_PCRE -I/usr/include -DUSE_PCRE_JIT -DUSE_TFO -DCONFIG_HAP_NS -DCONFIG_HAPROXY_VERSION=\"1.6.9\" -DCONFIG_HAPROXY_DATE=\"2016/08/30\" -c -o src/protocol.o src/protocol.c gcc -Iinclude -Iebtree -Wall -m64 -march=x86-64 -O2 -march=native -g -fno-strict-aliasing -Wdeclaration-after-statement -DCONFIG_HAP_CRYPT -DNEED_CRYPT_H -DUSE_GETADDRINFO -DUSE_ZLIB -DENABLE_POLL -DCONFIG_REGPARM=3 -DUSE_OPENSSL -DUSE_PRIVATE_CACHE -DUSE_LUA -I/usr/local/lua-5.3.1/include/ -DUSE_PCRE -I/usr/include -DUSE_PCRE_JIT -DUSE_TFO -DCONFIG_HAP_NS -DCONFIG_HAPROXY_VERSION=\"1.6.9\" -DCONFIG_HAPROXY_DATE=\"2016/08/30\" -c -o src/uri_auth.o src/uri_auth.c gcc -Iinclude -Iebtree -Wall -m64 -march=x86-64 -O2 -march=native -g -fno-strict-aliasing -Wdeclaration-after-statement -DCONFIG_HAP_CRYPT -DNEED_CRYPT_H -DUSE_GETADDRINFO -DUSE_ZLIB -DENABLE_POLL -DCONFIG_REGPARM=3 -DUSE_OPENSSL -DUSE_PRIVATE_CACHE -DUSE_LUA -I/usr/local/lua-5.3.1/include/ -DUSE_PCRE -I/usr/include -DUSE_PCRE_JIT -DUSE_TFO -DCONFIG_HAP_NS -DCONFIG_HAPROXY_VERSION=\"1.6.9\" -DCONFIG_HAPROXY_DATE=\"2016/08/30\" -c -o src/standard.o src/standard.c gcc -Iinclude -Iebtree -Wall -m64 -march=x86-64 -O2 -march=native -g -fno-strict-aliasing -Wdeclaration-after-statement -DCONFIG_HAP_CRYPT -DNEED_CRYPT_H -DUSE_GETADDRINFO -DUSE_ZLIB -DENABLE_POLL -DCONFIG_REGPARM=3 -DUSE_OPENSSL -DUSE_PRIVATE_CACHE -DUSE_LUA -I/usr/local/lua-5.3.1/include/ -DUSE_PCRE -I/usr/include -DUSE_PCRE_JIT -DUSE_TFO -DCONFIG_HAP_NS -DCONFIG_HAPROXY_VERSION=\"1.6.9\" -DCONFIG_HAPROXY_DATE=\"2016/08/30\" -c -o src/buffer.o src/buffer.c gcc -Iinclude -Iebtree -Wall -m64 -march=x86-64 -O2 -march=native -g -fno-strict-aliasing -Wdeclaration-after-statement -DCONFIG_HAP_CRYPT -DNEED_CRYPT_H -DUSE_GETADDRINFO -DUSE_ZLIB -DENABLE_POLL -DCONFIG_REGPARM=3 -DUSE_OPENSSL -DUSE_PRIVATE_CACHE -DUSE_LUA -I/usr/local/lua-5.3.1/include/ -DUSE_PCRE -I/usr/include -DUSE_PCRE_JIT -DUSE_TFO -DCONFIG_HAP_NS -DCONFIG_HAPROXY_VERSION=\"1.6.9\" -DCONFIG_HAPROXY_DATE=\"2016/08/30\" -c -o src/log.o src/log.c gcc -Iinclude -Iebtree -Wall -m64 -march=x86-64 -O2 -march=native -g -
Re: Inform backend about https for http2 connections
Hello if you can have the app not specify the scheme for the css etc. just use //site.com/path or /path if it is on the same site On 6 Aug 2016 04:33, "Igor Cicimov" wrote: > On 6 Aug 2016 1:31 am, "Matthias Fechner" wrote: > > > > Dear all, > > > > > > I use haproxy in tcp mode to have http2 working. > > Now I have the problem that the backend has to know if the connection > > was encrypted or not (some websites using this information to add the > > schema to css and javascript URIs). > > > > Afaik, since http2 is by default tls encrypted just by specifying h2 as > protocol to the backend should be enough i guess. > > > Normally I think a > > reqadd X-Forwarded-Proto:\ https > > > > should do the trick. > > > > Will this work if working in tcp mode or are there other tricks to do > this? > > > > > > Thanks > > Matthias > > > > -- > > > > "Programming today is a race between software engineers striving to > > build bigger and better idiot-proof programs, and the universe trying to > > produce bigger and better idiots. So far, the universe is winning." -- > > Rich Cook > > > > >
Re: 1.6 vs 1.5 http-request add-header format
Thank you very much Cyril! req.fhdr() did the trick! > Le 20/07/2016 à 11:48, hapr...@abisoft.biz a écrit : >> Sure thing. Here is the full config (Haproxy 1.6.7): >> >> [...] >> defaults >> mode http >> [...] >> log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %tsc\ >> %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %{+Q}r\ %ST\ "%CC"\ "%hr"\ "%CS"\ "%hs"\ >> ireq_size=%U\ resp_size=%B\ %fi:%fp\ %si:%sp\ %sslc\ %sslv\ >> %[capture.req.hdr(0)] >> >> frontend lb-useast >> mode http >> bind *:80 >> option forwardfor except 127.0.0.0/8 >> >> ** http-request add-header X-Haproxy-ACL test, >> >> declare capture request len 256 >> http-request capture hdr(X-Haproxy-ACL) id 0 >> >> [...] >> Notice the line marked "**". When it has "test," it doesn't appear in the log > Ah ok, then this has nothing to do with "http-request add-header", but > the understanding of the hdr() fetch. > hdr() will use the commas as separator, hence it will fetch the last > occurence (the empty value behind your comma). > If you want to capture the whole header line, you want to use fhdr() > instead. > http://cbonte.github.io/haproxy-dconv/1.6/configuration.html#req.hdr > vs > http://cbonte.github.io/haproxy-dconv/1.6/configuration.html#req.fhdr > Not tested but I'm almost sure it's your issue.
Re: 1.6 vs 1.5 http-request add-header format
Sure thing. Here is the full config (Haproxy 1.6.7): global log 127.0.0.1:514 local0 chroot /var/lib/haproxy pidfile /var/run/haproxy.pid maxconn 25000 # 33KB per established connection; raise after upgrading instance type userhaproxy group haproxy daemon # turn on stats unix socket stats socket /var/lib/haproxy/stats tune.ssl.default-dh-param 2048 ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA defaults mode http log global option dontlognull# log sessions even if no data exchange happened option splice-auto# accelerate performance with kernel tcp splicing options option httplog# enable logging of HTTP request, session state and timers option http-server-close # operate in http-close mode option redispatch # allow switching to another backend server when the one in the cookie gets down option contstats # enable continuous traffic statistics updates retries 3 backlog 25000 # correlates with maxconn timeout client 60s # was 120 timeout client-fin 15s # was 25 timeout connect 5s timeout server 60s # was 120 timeout tunnel 1h timeout http-keep-alive 10s # was 1 timeout http-request 5s # was 15 timeout queue 30s timeout tarpit 60s timeout check5s default-server inter 6s rise 1 fall 3 log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %{+Q}r\ %ST\ "%CC"\ "%hr"\ "%CS"\ "%hs"\ ireq_size=%U\ resp_size=%B\ %fi:%fp\ %si:%sp\ %sslc\ %sslv\ %[capture.req.hdr(0)] frontend lb-useast mode http bind *:80 option forwardfor except 127.0.0.0/8 ** http-request add-header X-Haproxy-ACL test, declare capture request len 256 http-request capture hdr(X-Haproxy-ACL) id 0 capture request header Referrer len 64 capture request header Content-Length len 10 capture request header User-Agent len 64 acl nonssl_allowed path_beg /privacy.html redirect scheme https if !{ ssl_fc } !nonssl_allowed acl srv_uat2 hdr(host) -i uat.mydom.net use_backend uat2_backend if srv_uat2 backend uat2_backend # Remove the ACL header reqdel ^X-Haproxy-ACL option httpchk GET /testpage.html balance roundrobin cookie appcoookie insert nocache indirect server uat-1 uat-1.mydom.net:443 ssl ca-file /etc/nginx/_.mydom.net.pem cookie uat-1 weight 10 check port 80 server uat-2 uat-2.mydom.net:443 ssl ca-file /etc/nginx/_.mydom.net.pem cookie uat-2 weight 10 check port 80 Notice the line marked "**". When it has "test," it doesn't appear in the log (check the last entry in the log line): x.y.222.4:47663 [20/Jul/2016:09:28:10.267] lb-useast uat2_backend/uat-1 0/0/8/121/129 --NI 1/1/0/0/0 0/0 "GET /privacy.html HTTP/1.1" 200 - {|||curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Ba} - ireq_size=190 resp_size=15636 172.22.2.19:80 172.22.1.140:443 - - - After I remove the comma, "test" appears in the log: x.y.222.4:47853 [20/Jul/2016:09:32:25.407] lb-useast uat2_backend/uat-1 0/0/8/124/132 --NI 1/1/0/0/0 0/0 "GET /privacy.html HTTP/1.1" 200 - {test|||curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Ba} - ireq_size=190 resp_size=15636 172.22.2.19:80 172.22.1.140:443 - - test Here is the config for Haproxy 1.5.4 (I had to change it, since 1.5 doesn't support http-request capture; global and defaults sections are the same, so I skip it here): ... frontend lb-useast mode http bind *:80 option forwardfor except 127.0.0.0/8 http-request add-header X-Haproxy-ACL test, no log default_backend logger backend logger server localhost localhost:5 send-proxy frontend logger bind localhost:5 accept-proxy capture request header Referrer len 64 capture request header Content-Length len 10 capture request header User-Agent len 64 capture request header X-Haproxy-ACL len 256 acl nonssl_allowed path_beg /privacy.html redirect scheme https if !{ ssl_fc } !nonssl_allowed acl srv_uat2 hdr(host) -i uat.mydom.net use_backend uat2_
Re: rate limiting question
Hello Cyril, Thank you for the reply! My current config for rate limiting is: tcp-request content track-sc0 src stick-table type ip size 500k expire 30s store conn_cur,conn_rate(10s),http_req_rate(10s),http_err_rate(10s) tcp-request content reject if { src -f /etc/haproxy/blacklist.lst } http-request add-header X-Haproxy-ACL %[req.fhdr(X-Haproxy-ACL,-1)]whitelisted, if { src -f /etc/haproxy/whitelist.lst } http-request allow if { src -f /etc/haproxy/whitelist.lst } http-request add-header X-Haproxy-ACL %[req.fhdr(X-Haproxy-ACL,-1)]over-100-active-connections, if { src_conn_cur ge 100 } http-request add-header X-Haproxy-ACL %[req.fhdr(X-Haproxy-ACL,-1)]over-3-connections-in-10-seconds, if { src_conn_rate gt 3 } http-request add-header X-Haproxy-ACL %[req.fhdr(X-Haproxy-ACL,-1)]high-error-rate, if { sc0_http_err_rate() gt 100 } http-request add-header X-Haproxy-ACL %[req.fhdr(X-Haproxy-ACL,-1)]high-request-rate, if { sc0_http_req_rate() gt 500 } Won't it be affected if I make the change according to your suggestion? Particularly, I'm worrying about http_err_rate and http_req_rate counters. Wednesday, July 20, 2016, 1:33:53 AM, you wrote: > Hi, > Le 18/07/2016 à 11:30, hapr...@abisoft.biz a écrit : >> Hello, >> >> I have a sticky table for ip checks against high connection rate (for >> testing purposes it's set now to 3 connections in 10 seconds): >> >> frontend lb-useast >> ... >> tcp-request content track-sc0 src >> stick-table type ip size 500k expire 30s store >> conn_cur,conn_rate(10s),http_req_rate(10s),http_err_rate(10s) >> http-request add-header X-Haproxy-ACL >> %[req.fhdr(X-Haproxy-ACL,-1)]over-3-connections-in-10-seconds, if { >> src_conn_rate gt 3 } >> ... >> default_backend logger >> >> backend logger >> server localhost localhost:5 send-proxy >> >> frontend logger >> ... >> acl whitelisted req.fhdr(X-Haproxy-ACL) -m beg whitelisted, >> acl fail-validation req.fhdr(X-Haproxy-ACL) -m found >> http-request deny if !whitelisted fail-validation >> ... >> >> When I run 3 curl requests in a row, the table shows there were 5 >> connections with 1 failed: >> # echo "show table lb-useast" | socat - unix:/var/lib/haproxy/stats >> # table: lb-useast, type: ip, size:512000, used:1 >> 0x24b3628: key=x.y.222.4 use=0 exp=26100 conn_rate(1)=5 conn_cur=0 >> http_req_rate(1)=3 http_err_rate(1)=1 > After doing some tests, indeed, it appears that with mode http and a > frontend/backend, conn_rate counters are incremented twice (before and > after). >> >> The curl command is pretty straightforward: >> for ((i=1;i<=3;i++)); do curl -s http://uat.my.com/privacy.html > /dev/null; >> echo $i; done > With this loop, conn_rate will be 1, then 3, then 5. > I couldn't spend more time on the issue and won't have much time for it > next days, but you can try a workaround, by replacing tcp-request > content with tcp-request connection : >tcp-request connection track-sc0 src >> >> How does haproxy count connections, so it gets 5 instead of 3? >> >> PS haproxy version is 1.5.4 -- Best regards, Alex
1.6 vs 1.5 http-request add-header format
Hi, The following construction worked in 1.5.4 and doesn't work in 1.6.7: http-request add-header X-Haproxy-ACL %[req.fhdr(X-Haproxy-ACL,-1)]over-3-connections-in-10-seconds, if { src_conn_rate gt 3 } while the one w/o the comma in the end works in 1.6.7 well: http-request add-header X-Haproxy-ACL %[req.fhdr(X-Haproxy-ACL,-1)]over-3-connections-in-10-seconds if { src_conn_rate gt 3 } There're no errors, it just doesn't put the value of the custom header X-Haproxy-ACL in the log. Is it a bug or a syntax change? What's the new syntax? -- Best regards, Alex
rate limiting question
Hello, I have a sticky table for ip checks against high connection rate (for testing purposes it's set now to 3 connections in 10 seconds): frontend lb-useast ... tcp-request content track-sc0 src stick-table type ip size 500k expire 30s store conn_cur,conn_rate(10s),http_req_rate(10s),http_err_rate(10s) http-request add-header X-Haproxy-ACL %[req.fhdr(X-Haproxy-ACL,-1)]over-3-connections-in-10-seconds, if { src_conn_rate gt 3 } ... default_backend logger backend logger server localhost localhost:5 send-proxy frontend logger ... acl whitelisted req.fhdr(X-Haproxy-ACL) -m beg whitelisted, acl fail-validation req.fhdr(X-Haproxy-ACL) -m found http-request deny if !whitelisted fail-validation ... When I run 3 curl requests in a row, the table shows there were 5 connections with 1 failed: # echo "show table lb-useast" | socat - unix:/var/lib/haproxy/stats # table: lb-useast, type: ip, size:512000, used:1 0x24b3628: key=x.y.222.4 use=0 exp=26100 conn_rate(1)=5 conn_cur=0 http_req_rate(1)=3 http_err_rate(1)=1 The curl command is pretty straightforward: for ((i=1;i<=3;i++)); do curl -s http://uat.my.com/privacy.html > /dev/null; echo $i; done How does haproxy count connections, so it gets 5 instead of 3? PS haproxy version is 1.5.4 -- Best regards, Alex
Server transparency
Ha proxiers, Wondering if it might be possible to have return traffic of transparent L4 proxies seem to come from individual real server or at least leave from same IP stack as request was received from. Problem is I’ve got a HA proxy binding to multiple ‘public’ IP stacks with client transparency, each load balancing for different smtp pools, and every real server of every pool has the same default GW on the ‘private’ side of my HA proxy (though they could be configured to pool specific ‘private' side default GWs). I would like every real server, whenever they establish an outbound connection, to been seen as either their individually IP or at least as their individually HA proxy ‘public’ side IP, right now every 'real' outbound connection just seems to come from the same IP stack, ie. the one with the HA proxy’s default GW. Would it be possible to change this somehow, or do I need to split into separate HA proxies each on separate VMs and thus get different ‘public’ side default GW per pool? TIA /Steffen
Re: Only using map file when an entry exists
Thanks Nanad, That works perfectly, thank you On 11 March 2016 at 22:37, Nenad Merdanovic wrote: > Hello Neil, > > You seem to have missed my answer, so I am gonna top post this time :) > > http-request redirect location > %[hdr(host),map(/etc/haproxy/redirect_host.map)] code 301 if { > hdr(host),map(/etc/haproxy/redirect_host.map) -m found } > > Regards, > Nenad > > On 03/11/2016 11:32 PM, Neil - HAProxy List wrote: > > Hello > > > > I've left a little time and no one has said anything more so time for me > > to act and submit a patch. > > > > I want to make functions that can be used in acls and take a map and > > provide has_key and, for completeness, has_value > > > > Are those names uncontroversial/ suitable and, i really hope, is this > > unnecessary as it already exists. > > > > I'm more that a little surprised to find myself the first to want this > > > > Cheers > > > > Neil > > > > On 11 Mar 2016 22:16, "Neil" > <mailto:n...@iamafreeman.com>> wrote: > > > > Hello > > > > I've left a little time and no one has said anything more so time > > for me to act and submit a patch. > > > > I want to make functions that can be used in acls and take a map and > > provide has_key and, for completeness, has_value > > > > Are those names uncontroversia/ suitablel and, i really hope, is > > this unnecessary as it already exists. > > > > I'm more that a little sutprised to find myself the first to want > this > > > > Cheers > > > > Neil > > > > On 3 Mar 2016 18:08, "Neil - HAProxy List" > > > <mailto:maillist-hapr...@iamafreeman.com>> wrote: > > > > Thanks Conrad, > > > > That sort of thing looks better that what I had, and I'll give > > it a go. > > > > I still think this is a bit long winded syntax for something > > that probably quite a common things to want to do? A > > map_contains type boolean function still seems like a good to > have? > > > > Thanks > > > > Neil > > > > On 3 March 2016 at 13:05, Conrad Hoffmann > <mailto:con...@soundcloud.com>> wrote: > > > > If you are using haproxy >=1.6, you might be able to do > > something like this: > > > > acl no_redir %[req.redir] -m str NO_REDIR > > http-request set-var(req.redir) \ > > %[hdr(host),map(/etc/haproxy/redirect_host.map,NO_REDIR)] > > http-request redirect location %[req.redir] code 301 if > > !no_redir > > > > This is completely made up and untested, but I hope you get > > the idea. > > Avoids a second map lookup altogether, but also map lookups > > are quite fast, > > so unless you map is huge you don't really need to worry > > about this. Also, > > double negation, but this is just to give you some idea > > > > Cheers, > > Conrad > > -- > > Conrad Hoffmann > > Traffic Engineer > > > > SoundCloud Ltd. | Rheinsberger Str. 76/77, 10115 Berlin, > Germany > > > > Managing Director: Alexander Ljung | Incorporated in England > > & Wales > > with Company No. 6343600 | Local Branch Office | AG > > Charlottenburg | > > HRB 110657B > > > > >
Re: Only using map file when an entry exists
Hello I've left a little time and no one has said anything more so time for me to act and submit a patch. I want to make functions that can be used in acls and take a map and provide has_key and, for completeness, has_value Are those names uncontroversial/ suitable and, i really hope, is this unnecessary as it already exists. I'm more that a little surprised to find myself the first to want this Cheers Neil On 11 Mar 2016 22:16, "Neil" wrote: > Hello > > I've left a little time and no one has said anything more so time for me > to act and submit a patch. > > I want to make functions that can be used in acls and take a map and > provide has_key and, for completeness, has_value > > Are those names uncontroversia/ suitablel and, i really hope, is this > unnecessary as it already exists. > > I'm more that a little sutprised to find myself the first to want this > > Cheers > > Neil > On 3 Mar 2016 18:08, "Neil - HAProxy List" < > maillist-hapr...@iamafreeman.com> wrote: > >> Thanks Conrad, >> >> That sort of thing looks better that what I had, and I'll give it a go. >> >> I still think this is a bit long winded syntax for something that >> probably quite a common things to want to do? A map_contains type boolean >> function still seems like a good to have? >> >> Thanks >> >> Neil >> >> On 3 March 2016 at 13:05, Conrad Hoffmann wrote: >> >>> If you are using haproxy >=1.6, you might be able to do something like >>> this: >>> >>> acl no_redir %[req.redir] -m str NO_REDIR >>> http-request set-var(req.redir) \ >>> %[hdr(host),map(/etc/haproxy/redirect_host.map,NO_REDIR)] >>> http-request redirect location %[req.redir] code 301 if !no_redir >>> >>> This is completely made up and untested, but I hope you get the idea. >>> Avoids a second map lookup altogether, but also map lookups are quite >>> fast, >>> so unless you map is huge you don't really need to worry about this. >>> Also, >>> double negation, but this is just to give you some idea >>> >>> Cheers, >>> Conrad >>> -- >>> Conrad Hoffmann >>> Traffic Engineer >>> >>> SoundCloud Ltd. | Rheinsberger Str. 76/77, 10115 Berlin, Germany >>> >>> Managing Director: Alexander Ljung | Incorporated in England & Wales >>> with Company No. 6343600 | Local Branch Office | AG Charlottenburg | >>> HRB 110657B >>> >> >>
Re: Only using map file when an entry exists
I'm amazed by the number of typos in one message. ;) On 3 Mar 2016 18:08, "Neil - HAProxy List" wrote: > Thanks Conrad, > > That sort of thing looks better that what I had, and I'll give it a go. > > I still think this is a bit long winded syntax for something that probably > quite a common things to want to do? A map_contains type boolean function > still seems like a good to have? > > Thanks > > Neil > > On 3 March 2016 at 13:05, Conrad Hoffmann wrote: > >> If you are using haproxy >=1.6, you might be able to do something like >> this: >> >> acl no_redir %[req.redir] -m str NO_REDIR >> http-request set-var(req.redir) \ >> %[hdr(host),map(/etc/haproxy/redirect_host.map,NO_REDIR)] >> http-request redirect location %[req.redir] code 301 if !no_redir >> >> This is completely made up and untested, but I hope you get the idea. >> Avoids a second map lookup altogether, but also map lookups are quite >> fast, >> so unless you map is huge you don't really need to worry about this. Also, >> double negation, but this is just to give you some idea >> >> Cheers, >> Conrad >> -- >> Conrad Hoffmann >> Traffic Engineer >> >> SoundCloud Ltd. | Rheinsberger Str. 76/77, 10115 Berlin, Germany >> >> Managing Director: Alexander Ljung | Incorporated in England & Wales >> with Company No. 6343600 | Local Branch Office | AG Charlottenburg | >> HRB 110657B >> > >
Re: Only using map file when an entry exists
Thanks Conrad, That sort of thing looks better that what I had, and I'll give it a go. I still think this is a bit long winded syntax for something that probably quite a common things to want to do? A map_contains type boolean function still seems like a good to have? Thanks Neil On 3 March 2016 at 13:05, Conrad Hoffmann wrote: > If you are using haproxy >=1.6, you might be able to do something like > this: > > acl no_redir %[req.redir] -m str NO_REDIR > http-request set-var(req.redir) \ > %[hdr(host),map(/etc/haproxy/redirect_host.map,NO_REDIR)] > http-request redirect location %[req.redir] code 301 if !no_redir > > This is completely made up and untested, but I hope you get the idea. > Avoids a second map lookup altogether, but also map lookups are quite fast, > so unless you map is huge you don't really need to worry about this. Also, > double negation, but this is just to give you some idea > > Cheers, > Conrad > -- > Conrad Hoffmann > Traffic Engineer > > SoundCloud Ltd. | Rheinsberger Str. 76/77, 10115 Berlin, Germany > > Managing Director: Alexander Ljung | Incorporated in England & Wales > with Company No. 6343600 | Local Branch Office | AG Charlottenburg | > HRB 110657B >
Only using map file when an entry exists
Hello HA-Proxy version 1.5.15 2015/11/01 I've got a service with some redirects for old virtual hosts to new locations on main website that I want to store in a map file /etc/haproxy/redirect_host.map with lines like www.oldname.com http://www.shiny.net/collections/oldname My issue is I don't want a redirect to occur when there is no entry in the map I started with http-request redirect location %[hdr(host),map(/etc/haproxy/redirect_host.map)] code 301 This would take out the whole site as a request to http://www.shiny.net gets a redirect with a blank location. (and so does http://www.shiny.net/collections/oldname) - this is because they are all in the same frontend so as a hack around I've taken the first column to another file and gone with acl isRedirectHost hdr(host) -i -f /etc/haproxy/acl_isRedirectHost.txt http-request redirect location %[hdr(host),map(/etc/haproxy/redirect_host.map)] code 301 if isRedirectHost This works but is yuck (I'd have to automate generating the acl file from the map - not hard but not clean). Ideally I'd like a way to only redirect when a value is in the map what would be fine is if there were a contained_in_map function that I could use something like http-request redirect location %[hdr(host),map(/etc/haproxy/redirect_host.map)] code 301 if %[hdr(host),contained_in_map(/etc/haproxy/redirect_host.map)] All other suggestions very welcome too Thank you, Neil
help
Howto masquerade real server in a two armed transparent setup
Trying to make a two armed transparent setup like mentioned here <http://www.loadbalancer.org/blog/load-balancing-methods> to do both transparently L4 [SSL] DR + L7 SSL termination load balanced services. I’m having the load balanced services working, but I wont the real servers to be able to access the public internet and to have other non-balanced services like management ssh access through HAproxy VMs to my real servers. Question is now how do I possible masquerade the real servers to access public internet through my active/passiveHAproxies, currently setup like mentioned here <http://www.devconsole.info/?p=1294>. Any hints/URLs are welcomed? TIA /Steffen
help
découvrez votre offre
Si le message ne s'affiche pas correctement merci de suivre ce [1]lien References 1. http://clicks.deal-actuel.com/v/NC/wraQlh7ZPhKAOCSqC7oPH3/a83bd420 [1]Histoire d'Or Vivez un Noël en Grand grâce au premier bijoutier de France [2]1er bijoutier de France [3]BIJOUX [4]MONTRES [5]IDÉES CADEAUX [6]Histoire d'or vous souhaite la bienvenue ! [7]PROFITEZ D'ORES ET DÉJÀ DE VOTRE OFFRE DE BIENVENUE : [8]LIVRAISON GRATUITE AVEC LE CODE BIENVENUE [9]Offre reservée à haproxy@formilux.org [10]Bienvenue chez le premier bijoutier de France ! A la recherche de brillantes idées cadeaux pour Noël ? Découvrez nos collections de bijoux, il y en a pour tous les goûts : plus de 2 500 bijoux en or ou en argent vous attendent. Ne manquez pas nos montres de grandes marques, plus de 500 modèles disponibles pour trouver le vôtre ! N’hésitez plus et rendez-vous sur histoiredor.com ! Achetez vos cadeaux en ligne en toute sérénité : paiement sécurisé, garantie deux ans sur tous nos bijoux, nous avons pensé à tout. Votre achat ne convient pas ? Vous bénéficiez de 30 jours pour nous faire votre retour et être remboursé intégralement. [11]À tout de suite ! [12]JE DÉCOUVRE [13]4 BONNES RAISONS POUR NE PLUS HÉSITER [14]Paiement 100% sécurisé [15]Retrait GRATUIT sous 2h en magasin [16]Retour GRATUIT sous 30 jours [17]Livraison garantie avant Noël [pix.gif?eml-publisher=natexo&eml-name=noel14-prm1_bienvenue&ea-rnd=[R ANDOM]] [imp?type(inv)g(22282168)a(2463532)] References Visible links 1. http://clicks.deal-actuel.com/c/NC/sr/wraQlh7ZPhKAOCSqC7oPH3/b/PgX/2e8cc255://ea.histoiredor.com/dynclick/histoiredor/?eml-publisher=natexo&eml-name=noel14-prm1_bienvenue&eurl=http%3A%2F%2Fwww.histoiredor.com%2Ffr%2Fhistoire-or%3Futm_source%3Dnatexo%26utm_medium%3Dshoot%26utm_content%3Dprm1_bienvenue%26utm_campaign%3Dnoel14-prm 2. http://clicks.deal-actuel.com/c/NC/sa/wraQlh7ZPhKAOCSqC7oPH3/b/PgX/175b3013://ea.histoiredor.com/dynclick/histoiredor/?eml-publisher=natexo&eml-name=noel14-prm1_bienvenue&eurl=http%3A%2F%2Fwww.histoiredor.com%2Ffr%2Fhistoire-or%3Futm_source%3Dnatexo%26utm_medium%3Dshoot%26utm_content%3Dprm1_bienvenue%26utm_campaign%3Dnoel14-prm 3. http://clicks.deal-actuel.com/c/NC/sn/wraQlh7ZPhKAOCSqC7oPH3/b/PgX/ff5a0295://ea.histoiredor.com/dynclick/histoiredor/?eml-publisher=natexo&eml-name=noel14-prm1_bienvenue&eurl=http%3A%2F%2Fwww.histoiredor.com%2Ffr%2Fbijoux%2Fpar-famille%3Futm_source%3Dnatexo%26utm_medium%3Dshoot%26utm_content%3Dprm1_bienvenue%26utm_campaign%3Dnoel14-prm 4. http://clicks.deal-actuel.com/c/NC/sj/wraQlh7ZPhKAOCSqC7oPH3/b/PgX/916043ce://ea.histoiredor.com/dynclick/histoiredor/?eml-publisher=natexo&eml-name=noel14-prm1_bienvenue&eurl=http%3A%2F%2Fwww.histoiredor.com%2Ffr%2Fmontres%2Fpar-marque%3Futm_source%3Dnatexo%26utm_medium%3Dshoot%26utm_content%3Dprm1_bienvenue%26utm_campaign%3Dnoel14-prm 5. http://clicks.deal-actuel.com/c/NC/ss/wraQlh7ZPhKAOCSqC7oPH3/b/PgX/ae6690b3://ea.histoiredor.com/dynclick/histoiredor/?eml-publisher=natexo&eml-name=noel14-prm1_bienvenue&eurl=http%3A%2F%2Fwww.histoiredor.com%2Ffr%2Fhistoire-or%3Futm_source%3Dnatexo%26utm_medium%3Dshoot%26utm_content%3Dprm1_bienvenue%26utm_campaign%3Dnoel14-prm 6. http://clicks.deal-actuel.com/c/NC/sI/wraQlh7ZPhKAOCSqC7oPH3/b/PgX/0c1fb4ff://ea.histoiredor.com/dynclick/histoiredor/?eml-publisher=natexo&eml-name=noel14-prm1_bienvenue&eurl=http%3A%2F%2Fwww.histoiredor.com%2Ffr%2Fhistoire-or%3Futm_source%3Dnatexo%26utm_medium%3Dshoot%26utm_content%3Dprm1_bienvenue%26utm_campaign%3Dnoel14-prm 7. http://clicks.deal-actuel.com/c/NC/sN/wraQlh7ZPhKAOCSqC7oPH3/b/PgX/386a04cf://ea.histoiredor.com/dynclick/histoiredor/?eml-publisher=natexo&eml-name=noel14-prm1_bienvenue&eurl=http%3A%2F%2Fwww.histoiredor.com%2Ffr%2Fhistoire-or%3Futm_source%3Dnatexo%26utm_medium%3Dshoot%26utm_content%3Dprm1_bienvenue%26utm_campaign%3Dnoel14-prm 8. http://clicks.deal-actuel.com/c/NC/sg/wraQlh7ZPhKAOCSqC7oPH3/b/PgX/a3c4d2c5://ea.histoiredor.com/dynclick/histoiredor/?eml-publisher=natexo&eml-name=noel14-prm1_bienvenue&eurl=http%3A%2F%2Fwww.histoiredor.com%2Ffr%2Fhistoire-or%3Futm_source%3Dnatexo%26utm_medium%3Dshoot%26utm_content%3Dprm1_bienvenue%26utm_campaign%3Dnoel14-prm 9. http://clicks.deal-actuel.com/c/NC/s5/wraQlh7ZPhKAOCSqC7oPH3/b/PgX/4fe87890://ea.histoiredor.com/dynclick/histoiredor/?eml-publisher=natexo&eml-name=noel14-prm1_bienvenue&eurl=http%3A%2F%2Fwww.histoiredor.com%2Ffr%2Fhistoire-or%3Futm_source%3Dnatexo%26utm_medium%3Dshoot%26utm_content%3Dprm1_bienvenue%26utm_campaign%3Dnoel14-prm 10. http://clicks.deal-actuel.com/c/NC/sv/wraQlh7ZPhKAOCSqC7oPH3/b/PgX/40b6830e
conntrack recommendations
Hello I'm after a 'definitivish' reference for setting up conntrack I've been hit by having too small table on some new VMs as ubuntu, by default, sizes the table by memory size. Before that I was completely ignorant of the role of conntrack Having forced the size got rid off that but leaves me thinking I need to understand this better and do I want to track incoming http connections at all. Do I just want to conntrack http connections to backends? Googling has provided some answers but mainly more questions and it hard to tell what to follow. Anyone got a good link? Something for the haproxy site/manuals to mention? Thanks, Neil
Re: Access control for stats page
Actually deny if url_hastats !location_trusted !magic_cookie_trusted You could have another backend with a go away message and use_backend that rather than deny On 22 Apr 2015 03:54, "CJ Ess" wrote: > Very cool, thank you for the snippets! > > On Tue, Apr 21, 2015 at 6:55 PM, Neil - HAProxy List < > maillist-hapr...@iamafreeman.com> wrote: > >> heres are some relevent snips >> I run this in with same address as the service >> >> frontend SSL >> ... >> acl url_hastats url_beg /hastats >> acl location_trusted src 123.123.123.0/24 >> acl magic_cookie_trusted hdr_sub(cookie) >> magicforthissiteonly=foobar_SHA1value_etc >> use_backend hastats if url_hastats location_trusted >> use_backend hastats if url_hastats magic_cookie_trusted >> deny if url_hastats >> ... >> >> backend hastats >> mode http >> stats uri /hastats >> stats realm Service\ Loadbalancer >> stats show-desc url.domain: >> Service Loadbalancerrunning on >> hostname config version >> stats show-legends >> stats auth admin:password >> stats admin if TRUE >> >> >> On 21 April 2015 at 21:04, Neil - HAProxy List < >> maillist-hapr...@iamafreeman.com> wrote: >> >>> Hello >>> >>> Yep there is >>> >>> Have a frontend >>> >>> Send say /hastats to a hastats backend >>> >>> have the backend have its stats URL be /hastats too >>> >>> Set the acls in the frontend >>> >>> I'll post a config example in a bit. >>> >>> Neil >>> On 21 Apr 2015 20:09, "CJ Ess" wrote: >>> >>>> Is there a way to setup an ACL for the haproxy stats page? We do have >>>> authentication set up for the URL, but we would feel better if we could >>>> limit access to a white list of local networks. Is there a way to do that? >>>> >>>> >> >
Re: Access control for stats page
heres are some relevent snips I run this in with same address as the service frontend SSL ... acl url_hastats url_beg /hastats acl location_trusted src 123.123.123.0/24 acl magic_cookie_trusted hdr_sub(cookie) magicforthissiteonly=foobar_SHA1value_etc use_backend hastats if url_hastats location_trusted use_backend hastats if url_hastats magic_cookie_trusted deny if url_hastats ... backend hastats mode http stats uri /hastats stats realm Service\ Loadbalancer stats show-desc url.domain: Service Loadbalancerrunning on hostname config version stats show-legends stats auth admin:password stats admin if TRUE On 21 April 2015 at 21:04, Neil - HAProxy List < maillist-hapr...@iamafreeman.com> wrote: > Hello > > Yep there is > > Have a frontend > > Send say /hastats to a hastats backend > > have the backend have its stats URL be /hastats too > > Set the acls in the frontend > > I'll post a config example in a bit. > > Neil > On 21 Apr 2015 20:09, "CJ Ess" wrote: > >> Is there a way to setup an ACL for the haproxy stats page? We do have >> authentication set up for the URL, but we would feel better if we could >> limit access to a white list of local networks. Is there a way to do that? >> >>
Re: Access control for stats page
Hello Yep there is Have a frontend Send say /hastats to a hastats backend have the backend have its stats URL be /hastats too Set the acls in the frontend I'll post a config example in a bit. Neil On 21 Apr 2015 20:09, "CJ Ess" wrote: > Is there a way to setup an ACL for the haproxy stats page? We do have > authentication set up for the URL, but we would feel better if we could > limit access to a white list of local networks. Is there a way to do that? > >
Re: ldap-check with Active Directory
Hello I was thinking of updating the ldap-check but I think I've a better idea. Macros (well ish). send-binary 300c0201 # LDAP bind request "" simple send-binary 01 # message ID send-binary 6007 # protocol Op send-binary 0201 # bind request send-binary 03 # LDAP v3 send-binary 04008000 # name, simple authentication expect binary 0a0100 # bind response + result code: success send-binary 30050201034200 # unbind request could be in a file named macros/ldap-simple-bind then the option tcp-check-macro ldap-simple-bind would use it, I know this is close to includes. similarly macros/smtp-helo-quit connect port 25 expect rstring ^220 send QUIT\r\n expect rstring ^221 or from http://blog.haproxy.com/2014/06/06/binary-health-check-with-haproxy-1-5-php-fpmfastcgi-probe-example/ # FCGI_BEGIN_REQUEST send-binary 01 # version send-binary 01 # FCGI_BEGIN_REQUEST send-binary 0001 # request id send-binary 0008 # content length send-binary 00 # padding length send-binary 00 # send-binary 0001 # FCGI responder send-binary # flags send-binary # send-binary # # FCGI_PARAMS send-binary 01 # version send-binary 04 # FCGI_PARAMS send-binary 0001 # request id send-binary 0045 # content length send-binary 03 # padding length: padding for content % 8 = 0 send-binary 00 # send-binary 0e03524551554553545f4d4554484f44474554 # REQUEST_METHOD = GET send-binary 0b055343524950545f4e414d452f70696e67 # SCRIPT_NAME = /ping send-binary 0f055343524950545f46494c454e414d452f70696e67 # SCRIPT_FILENAME = /ping send-binary 040455534552524F4F54 # USER = ROOT send-binary 00 # padding # FCGI_PARAMS send-binary 01 # version send-binary 04 # FCGI_PARAMS send-binary 0001 # request id send-binary # content length send-binary 00 # padding length: padding for content % 8 = 0 send-binary 00 # expect binary 706f6e67 # pong (though for items like send-binary 0e03524551554553545f4d4554484f44474554 # REQUEST_METHOD = GET I'd prefer a send-as-binary "REQUEST_METHOD = GET" ) these and many others could be shipped with haproxy. this seems to make sense to me as they are small contained logical items Neil On 30 March 2015 at 23:02, Baptiste wrote: > > you should believe it :) > > On Mon, Mar 30, 2015 at 11:34 PM, Neil - HAProxy List > wrote: > > Hello > > > > Thanks so much. That worked well, I now get > > L7OK/0 in 0ms > > not sure I believe the 0ms but maybe I should > > > > Thanks again, > > > > Neil > > > > On 30 March 2015 at 22:14, Baptiste wrote: > >> > >> On Mon, Mar 30, 2015 at 10:33 PM, Neil - HAProxy List > >> wrote: > >> > Hello > >> > > >> > I'm trying to use ldap-check with active directory and the response > >> > active > >> > directory gives is not one ldap-check is happy to accept > >> > > >> > when I give a 389 directory backend ldap server all is well, when I use > >> > AD I > >> > get 'Not LDAPv3 protocol' > >> > > >> > I've done a little poking about and found that > >> > if ((msglen > 2) || > >> > (memcmp(check->bi->data + 2 + msglen, > >> > "\x02\x01\x01\x61", 4) != 0)) { > >> > set_server_check_status(check, > >> > HCHK_STATUS_L7RSP, "Not LDAPv3 protocol"); > >> > is where I'm getting stopped as msglen is 4 > >> > > >> > Here is tcpdump of 389 directory response (the one that works) 2 packets > >> > 21:29:34.195699 IP 389.ldap > HAPROXY.57109: Flags [.], ack 15, win 905, > >> > options [nop,nop,TS val 856711882 ecr 20393440], length 0 > >> > 0x: 0050 5688 7042 0064 403b 2700 0800 4500 .PV.pB.d@ ;'...E. > >> > 0x0010: 0034 9d07 4000 3f06 3523 ac1b e955 ac18 .4..@ .?.5#...U.. > >> > 0x0020: 2810 0185 df15 5cab ffcd 63ba 77d3 8010 (.\...c.w... > >> > 0x0030: 0389 2c07 0101 080a 3310 62ca 0137 ..,...3.b..7 > >> > 0x0040: 2de0 -. > >> > 21:29:34.195958 IP 389.ldap > HAPROXY.57109: Flags [P.], seq 1:15, ack > >> > 15, > >> > win 905, options [nop,nop,TS val 856711882 ecr 20393440], length 14 > >> > 0x: 0050 5688 7042 0064 403b 2700 0800 4500 .PV.pB.d@ ;'...E. > >> > 0x0010: 0042 9d08 4000 3f06 3514 ac1b e955 ac18 .B..@ .?.5U.. > >> > 0x0020: 2810 0185 df15 5cab ffcd 63ba 77d3 8018 (.\...c.w... > >> > 0x0030:
Re: ldap-check with Active Directory
Hello Thanks so much. That worked well, I now get *L7OK/0 in 0ms* not sure I believe the 0ms but maybe I should Thanks again, Neil On 30 March 2015 at 22:14, Baptiste wrote: > On Mon, Mar 30, 2015 at 10:33 PM, Neil - HAProxy List > wrote: > > Hello > > > > I'm trying to use ldap-check with active directory and the response > active > > directory gives is not one ldap-check is happy to accept > > > > when I give a 389 directory backend ldap server all is well, when I use > AD I > > get 'Not LDAPv3 protocol' > > > > I've done a little poking about and found that > > if ((msglen > 2) || > > (memcmp(check->bi->data + 2 + msglen, > > "\x02\x01\x01\x61", 4) != 0)) { > > set_server_check_status(check, > > HCHK_STATUS_L7RSP, "Not LDAPv3 protocol"); > > is where I'm getting stopped as msglen is 4 > > > > Here is tcpdump of 389 directory response (the one that works) 2 packets > > 21:29:34.195699 IP 389.ldap > HAPROXY.57109: Flags [.], ack 15, win 905, > > options [nop,nop,TS val 856711882 ecr 20393440], length 0 > > 0x: 0050 5688 7042 0064 403b 2700 0800 4500 .PV.pB.d@;'...E. > > 0x0010: 0034 9d07 4000 3f06 3523 ac1b e955 ac18 .4..@.?.5#...U.. > > 0x0020: 2810 0185 df15 5cab ffcd 63ba 77d3 8010 (.\...c.w... > > 0x0030: 0389 2c07 0101 080a 3310 62ca 0137 ..,...3.b..7 > > 0x0040: 2de0 -. > > 21:29:34.195958 IP 389.ldap > HAPROXY.57109: Flags [P.], seq 1:15, ack > 15, > > win 905, options [nop,nop,TS val 856711882 ecr 20393440], length 14 > > 0x: 0050 5688 7042 0064 403b 2700 0800 4500 .PV.pB.d@;'...E. > > 0x0010: 0042 9d08 4000 3f06 3514 ac1b e955 ac18 .B..@.?.5U.. > > 0x0020: 2810 0185 df15 5cab ffcd 63ba 77d3 8018 (.\...c.w... > > 0x0030: 0389 e878 0101 080a 3310 62ca 0137 ...x..3.b..7 > > 0x0040: 2de0 300c 0201 0161 070a 0100 0400 0400 -.0a > > > > Here is tcpdump of active directory (broken) 1 packet > > > > 21:25:24.519883 IP ADSERVER.ldap > HAPROXY.57789: Flags [P.], seq 1:23, > ack > > 15, win 260, options [nop,nop,TS val 1870785 ecr 20331021], length 22 > > 0x: 0050 5688 7042 0050 5688 7780 0800 4500 .PV.pB.PV.w...E. > > 0x0010: 004a 1d7d 4000 8006 34e3 ac18 280d ac18 .J.}@...4...(... > > 0x0020: 2810 0185 e1bd 5a3f 2ae7 3ced 7b5b 8018 (.Z?*.<.{[.. > > 0x0030: 0104 1d7a 0101 080a 001c 8bc1 0136 ...z...6 > > 0x0040: 3a0d 3084 0010 0201 0161 8400 :.0a > > 0x0050: 070a 0100 0400 0400 > > > > this was discussed but not finished before see > > http://www.serverphorums.com/read.php?10,394453 > > > > I can see the string \02\01\01\61 is there but not in the correct place > > > > Anyone have any ideas about fixing this so that both (and possibly other) > > ldap implementations work? > > > > Thanks, > > > > Neil > > > Hi Neil > > Yes you can switch to the tcp-check checking method. > I works with binary protocols as well. > Here is what I use for the AD in my lab: > > option tcp-check > tcp-check connect port 389 > tcp-check send-binary 300c0201 # LDAP bind request "" simple > tcp-check send-binary 01 # message ID > tcp-check send-binary 6007 # protocol Op > tcp-check send-binary 0201 # bind request > tcp-check send-binary 03 # LDAP v3 > tcp-check send-binary 04008000 # name, simple authentication > tcp-check expect binary 0a0100 # bind response + result code: success > tcp-check send-binary 30050201034200 # unbind request > > > You could add the same sequence for LDAPs on port 636: > tcp-check connect port 636 ssl > tcp-check send-binary 300c0201 # LDAP bind request "" simple > tcp-check send-binary 01 # message ID > tcp-check send-binary 6007 # protocol Op > tcp-check send-binary 0201 # bind request > tcp-check send-binary 03 # LDAP v3 > tcp-check send-binary 04008000 # name, simple authentication > tcp-check expect binary 0a0100 # bind response + result code: success > tcp-check send-binary 30050201034200 # unbind request > > > Note for myself: put this tip on the blog.. > > Baptiste >
ldap-check with Active Directory
Hello I'm trying to use ldap-check with active directory and the response active directory gives is not one ldap-check is happy to accept when I give a 389 directory backend ldap server all is well, when I use AD I get 'Not LDAPv3 protocol' I've done a little poking about and found that if ((msglen > 2) || (memcmp(check->bi->data + 2 + msglen, "\x02\x01\x01\x61", 4) != 0)) { set_server_check_status(check, HCHK_STATUS_L7RSP, "Not LDAPv3 protocol"); is where I'm getting stopped as msglen is 4 Here is tcpdump of 389 directory response (the one that works) 2 packets 21:29:34.195699 IP 389.ldap > HAPROXY.57109: Flags [.], ack 15, win 905, options [nop,nop,TS val 856711882 ecr 20393440], length 0 0x: 0050 5688 7042 0064 403b 2700 0800 4500 .PV.pB.d@;'...E. 0x0010: 0034 9d07 4000 3f06 3523 ac1b e955 ac18 .4..@.?.5#...U.. 0x0020: 2810 0185 df15 5cab ffcd 63ba 77d3 8010 (.\...c.w... 0x0030: 0389 2c07 0101 080a 3310 62ca 0137 ..,...3.b..7 0x0040: 2de0 -. 21:29:34.195958 IP 389.ldap > HAPROXY.57109: Flags [P.], seq 1:15, ack 15, win 905, options [nop,nop,TS val 856711882 ecr 20393440], length 14 0x: 0050 5688 7042 0064 403b 2700 0800 4500 .PV.pB.d@;'...E. 0x0010: 0042 9d08 4000 3f06 3514 ac1b e955 ac18 .B..@.?.5U.. 0x0020: 2810 0185 df15 5cab ffcd 63ba 77d3 8018 (.\...c.w... 0x0030: 0389 e878 0101 080a 3310 62ca 0137 ...x..3.b..7 0x0040: 2de0 300c 0201 0161 070a 0100 0400 0400 -.0a Here is tcpdump of active directory (broken) 1 packet 21:25:24.519883 IP ADSERVER.ldap > HAPROXY.57789: Flags [P.], seq 1:23, ack 15, win 260, options [nop,nop,TS val 1870785 ecr 20331021], length 22 0x: 0050 5688 7042 0050 5688 7780 0800 4500 .PV.pB.PV.w...E. 0x0010: 004a 1d7d 4000 8006 34e3 ac18 280d ac18 .J.}@...4...(... 0x0020: 2810 0185 e1bd 5a3f 2ae7 3ced 7b5b 8018 (.Z?*.<.{[.. 0x0030: 0104 1d7a 0101 080a 001c 8bc1 0136 ...z...6 0x0040: 3a0d 3084 0010 0201 0161 8400 :.0a 0x0050: 070a 0100 0400 0400 this was discussed but not finished before see http://www.serverphorums.com/read.php?10,394453 I can see the string \02\01\01\61 is there but not in the correct place Anyone have any ideas about fixing this so that both (and possibly other) ldap implementations work? Thanks, Neil
Re: no-sslv3 in default
Hello I'd go further. Sslv3 us an obsolete protocol does anyone disagree with that? For a start make no-sslv3 the default and have a enable-obsolete-sslv3 option. Or better make enabling it a compile time option. Or maybe just get rid of it altogether? The examples on the web and on this mailing lists archive should be able for beginners to use without opening themselves up to sslv3 issues. And it'll save us all having to remember to type 8 chars to disable support for something our clients do not use. Cheers Neil On 15 Oct 2014 20:11, "Bryan Talbot" wrote: > With SSLv3 being so old, and in light of new (POODLE) exploits driving > additional nails into its coffin, it would be nice to disable SSLv3 in a > defaults section so that it doesn't get enabled by accident when someone > adds a new "bind" line. > > Docs for 1.5 say that no-sslv3 is not supported in a defaults section. > Can that option be added and made available in 1.5? > > -Bryan > >
Notifica��o de devolu��o de cheque 25/08 11:05 (53623)
Title: sake visualizar
Re: Adding Serial Number to POST Requests
Hi Using peers should prevent the reset when restarting? Neil On 16 Jul 2014 21:47, "Baptiste" wrote: > On Wed, Jul 16, 2014 at 7:04 PM, Jonathan Matthews > wrote: > > On 16 Jul 2014 16:56, "Zuoning Yin" wrote: > >> > >> We later also got the help from Willy. He provided us a configuration > >> which solved our problem. To benefit other people, I just posted it > here. > > > > I had meant to chime in on this thread earlier. > > > > What happens when your HAProxy layer loses state - be it reboot, service > > restart or data centre power cut? Are you risking resetting the counter > and > > overwriting existing data on the backend? Are you in fact treating HAP > as a > > single point of truth? > > > > J > > That's why I propose to use the unique-id format as well. > You can combine a timestamp with your unique id. > So going back to 0 is not a problem anymore. > > Baptiste > >
Re: Binaries for HAProxy.
And lets not do too much to dampen any pressure to get haproxy 1.5 into rhel7 and ubuntu1404 Neil On 16 Jul 2014 16:12, "Ghislain" wrote: > > >> Just put http://nd-build-01.linux-appliance.net/repos/centos/ >> haproxy/haproy-centos-6x.repo under /etc/yum.repos.d/ >> and issue yum install haproxy. >> > > of course you do trust the security of your entire server on this repo ? > before doing that just be sure of what this implies :) > > there is no issue on trusting someone but remember that you trust this > someone to install software as root on your server and update the package > when new version comes. > > Do a minimum homework before authorizing repos. I do trust the debian > team for backported 1.5 haproxy package but nevertheless i asked here if > they were legit , verified what i could and limited the package i accept > from the repo to a minimum just in case. I think the same goes on for > centOS/Redhat repos, do chack the source and if not sure build yourself if > there is no official sources. > > > regards, > Ghislain. > >
Re: Using a WhiteList in HAProxy 1.5
Hi If you only have one range and it does not change often then a acl file should be avoided. http-request deny unless src 123.123.123.123/123 If you have more than one range a acl should be used Only if you have many or they change often would a file suit. Is clearer imho Neil On 16 Jul 2014 17:10, "Baptiste" wrote: > On Wed, Jul 16, 2014 at 5:45 PM, JDzialo John wrote: > > > > Hi Guys, > > > > > > > > I want to only allow certain internal company IP addresses to have > access to one of my web farms. I am using haproxy 1.5 on Debian 7. > > > > > > > > I am using a whitelist.lst file with the following contents... > > > > > > > > 10.0.0.0/8 > > > > > > > > Here is my frontend configuration... > > > > > > > > frontend https-in > > > > bind *:443 ssl crt > /etc/ssl/xxx.cert.chain.pem > > > > http-request allow if { src -f > /etc/haproxy/whitelist.lst } > > > > reqadd X-Forwarded-Proto:https > > > > reqadd X-Forwarded-Port:443 > > > > timeout client 60 > > > > > > > > default-backend web > > > > > > > > However any IP is still allowed through this frontend. It does not > appear to be restricting access to any other IP. Am I missing something in > my configuration? > > > > > > > > Thanks > > > > > > > > > > > > John Dzialo | Linux System Administrator > > > > Direct 203.783.8163 | Main 800.352.0050 > > > > > > > > Environmental Data Resources, Inc. > > > > 440 Wheelers Farms Road, Milford, CT 06461 > > > > www.edrnet.com | commonground.edrnet.com > > > > > > > > > > > > Hi John, > > Please avoid HTML mails... > > Give a try to the following configuration: > http-request deny unless { src -f /etc/haproxy/whitelist.lst } > > > Baptiste > >
Re: 1.5 latest segfault trying to negate acl
Hi Thank you, I can confirm this fixes the issue for me Thanks, Neil On 9 April 2014 12:35, Willy Tarreau wrote: > Hi guys, > > sorry it took that long to take a look at it. > > I've just pushed the patch, it's available here : > > > http://git.1wt.eu/web?p=haproxy.git;a=commitdiff_plain;h=6a0b6bd648592e73f42fb8e7341bf984d26ba8dc > > The bug happens when the sc0_get_gpc0() statement is applied to an > explicit table while sc0 is not yet tracked. The implicit table > already contained the check for the existence of the tracker, but > not the code doing the lookup in an alternate table. > > Thanks for reporting this! > > Willy > >
1.5 latest segfault trying to negate acl
Hello my logs have a uncomforting line *kernel: [7302179.685736] haproxy[1766]: segfault at 7c ip 7f6629410a9f sp 7fffdaf98868 error 4 in libc-2.15.so <http://libc-2.15.so>[7f66292ae000+1b5000]* We caused this trying to use this config which tries to track the source of a connection unless it matches a acl following along the lines of http://blog.serverfault.com/2010/08/26/1016491873/ *globalmaxconn 4096 user haproxygroup haproxydefaultsmode httpretries3 option redispatchmaxconn2000timeout connect 5stimeout client 20stimeout server 60sfrontend http 0.0.0.0:80 <http://0.0.0.0:80>maxconn 25000 default_backend be_defaultstick-table type ip size 200 expire 10s store gpc0acl on_naughtystep sc0_get_gpc0(http) gt 0 use_backend be_badman if on_naughtystep# Both these directives will make haproxy segfaulttcp-request connection track-sc0 src if !on_naughtystep# tcp-request connection track-sc0 src unless on_naughtystep# This one doesn't# tcp-request connection track-sc0 srcbackend be_defaultbalance roundrobinfullconn 1000server server server:80 maxconn 50 check inter 2000 rise 2 fall 2backend be_badman block if TRUE* haproxy running is compiled from head *haproxy -vvHA-Proxy version 1.5-dev22 2014/02/03Copyright 2000-2014 Willy Tarreau >Build options : TARGET = linux26 CPU = generic CC = gcc CFLAGS = -O2 -g -fno-strict-aliasing OPTIONS = USE_LINUX_SPLICE=1 USE_OPENSSL=1 USE_PCRE=1Default settings : maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200Encrypted password support via crypt(3): yesBuilt without zlib support (USE_ZLIB not set)Compression algorithms supported : identityBuilt with OpenSSL version : OpenSSL 1.0.1 14 Mar 2012Running on OpenSSL version : OpenSSL 1.0.1 14 Mar 2012OpenSSL library supports TLS extensions : yesOpenSSL library supports SNI : yesOpenSSL library supports prefer-server-ciphers : yesBuilt with PCRE version : 8.12 2011-01-15PCRE library supports JIT : no (USE_PCRE_JIT not set)Built with transparent proxy support using: IP_TRANSPARENT IP_FREEBINDAvailable polling systems : epoll : pref=300, test result OK poll : pref=200, test result OK select : pref=150, test result OKTotal: 3 (3 usable), will use epoll.* Any ideas what to do next? Thanks Neil
Re: Haproxy 1.4 url redirection issue
Hello Amol Here is an example of the sort of thing I use The 3 important things for are ServerName https://servicename.domain.com:443 SetEnv HTTPS on UseCanonicalName On ServerName https://servicename.domain.com:443 ## Vhost docroot DocumentRoot /var/www/ ## Directories, there should at least be a declaration for /var/www Options Indexes ExecCGI AllowOverride None Order allow,deny Allow from all ## Logging LogLevel warn ServerSignature Off ## Custom fragment This tricks PHP into believing the script was accessed over SSL SetEnv HTTPS on DirectoryIndex index.php UseCanonicalName On ErrorLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_error.log /var/log/apache2/%Y/servicename_error-%Y%m%d.log" LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" direct LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxied SetEnvIf Remote_Addr "^" direct # make it always set SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" !direct SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" proxied SetEnvIf Request_URI "^/healthcheck$" !direct # keep these SetEnvIf Request_URI "^/healthcheck$" !proxied CustomLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_directaccess /var/log/apache2/%Y/servicename_directaccess-%Y%m%d.log" direct env=direct CustomLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_access /var/log/apache2/%Y/servicename_access-%Y%m%d.log" proxied env=proxied I like to log traffic from the loadbal separately to traffic from the public and I ignore /healthcheck from the loadbal but not from others. You'll need to tell haproxy to "option forwardfor". Also using cronolog. Neil On 1 March 2014 15:27, Baptiste wrote: > Hi > > More chance to get an answer from Apache 2.2 and wordpress people... > > Baptiste > > On Fri, Feb 28, 2014 at 4:12 PM, Amol wrote: > > well the application behind haproxy in this case is wordpress on > apache2.2, > > any settings there? > > > > > > > > > > On Friday, February 28, 2014 4:57 AM, Baptiste wrote: > > It may not fix the issue. > > But at least the configuration will do what you expect from it... > > > > That said, the issue may be in the application too :) > > It is commonly seen that applications don't behave properly when SSL > > offloading is enabled in front of them. > > > > Baptiste > > > > > > On Thu, Feb 27, 2014 at 4:16 PM, Amol wrote: > >> Thanks Baptiste, let me give that a try > >> > >> > >> > >> On Thursday, February 27, 2014 9:37 AM, Baptiste > wrote: > >> Hi Amol, > >> > >> There are a few improvement you can do. > >> First update your frontend acl to: > >> acl host_xx hdr(host) -i xx.com > >> > >> then in your backend, this ACL should never match: "acl login_page > >> url_beg /xyz" > >> replace url_beg by path_beg. > >> > >> Your problem is not there as well. > >> I think your application server is sending hardcoded data or Location > >> headers. > >> analyzing the body of the pages and HAProxy logs may help here. > >> > >> Baptiste > >> > >> > >> > >> On Tue, Feb 25, 2014 at 4:56 PM, Amol wrote: > >>> Hi i am using HA-Proxy version 1.4.12 and i have an issue trying to > >>> redirect > >>> my website to "http" > >>> requirement : when a user types in http://.com he should > >>> not > >>> be redirected to https://.com > >>> currently it does that and some of the video links on our main page do > >>> not > >>> work (basically vimeo has http links while our page is https so it > throws > >>> a > >>> security exception) > >>> > >>> at the same time we need users with http://.com/xyz to > be > >>> redirected to https://.com/xyz (this helps users login > to > >>> secure application) > >>> > >>> so under my current configurations i cannot get the first part to work, > >>> basically (www..com works and stays http but when i type > >>> http://.com it does a redirection to https) > >>> > >>> frontend http-in > >>>bind xx.xx.xx.xx:80 name http > >>>bind 10.xx.xx.xx:8000 name https # forwared by stunnel > >>> > >>>
Re: HAProxy Next?
Hi I'd like the option of a web based api to replace the functionality of the web admin pages with a service which can be used remotely to monitor and control multiple haproxy and provide any fancy authentication and auditing outside of the haproxy service using whichever tech seems appropriate. Exposing the socket via xinetd doesn't really do it, for me at least. Neil On 17 Dec 2013 08:16, "Annika Wickert" wrote: > Hi all, > > we did some thinking about how to improve haproxy and which features > we’d like to see in next versions. > > We came up with the following list and would like to discuss if they can > be done/should be done or not. > - One global statssocket which can be switched through to see stats of > every bind process. And also an overall overview summed up from all > backends and frontends. > - One global control socket to control every backend server and set them > inactive or active on the fly. > - In general better nbproc > 1 support > - Include possibility in configfile to maintain one configfile for each > backend / frontend pair > - CPU pinning in haproxy without manually using taskset/cpuset > - sflow output > - latency metrics at stats interface (frontend and backend, avg, 95%, 90%, > max, min) > - accesslist for statssocket or ldap authentication for stats socket > > Are there any others things which would be cool? I hope we can have a > nice discussion about a “fancy” feature set which could be provided by > lovely haproxy. > > Best regards, > Annika > > --- > Systemadministration > > Travian Games GmbH > Wilhelm-Wagenfeld-Str. 22 > 80807 München > Germany > > a.wick...@traviangames.com > www.traviangames.de > > Sitz der Gesellschaft München > AG München HRB: 173511 > Geschäftsführer: Siegfried Müller > USt-IdNr.: DE246258085 > > Diese Email einschließlich ihrer Anlagen ist vertraulich und nur für den > Adressaten bestimmt. Wenn Sie nicht der vorgesehene Empfänger sind, > bitten wir Sie, diese Email mit Anlagen unverzüglich und vollständig zu > löschen und uns umgehend zu benachrichtigen. > > This email and its attachments are strictly confidential and are > intended solely for the attention of the person to whom it is addressed. > If you are not the intended recipient of this email, please delete it > including its attachments immediately and inform us accordingly. > >
Re: Haproxy rate limit per matching request
Hello Chris and I followed this example but found that it limits by url but for all users. that might be what you want in a slashdotting but its not what we want for individual users falling asleep with nose on f5(reload) key we looked at base32+src rather than url but that excludes the url parameters I've started a separate thread with a new url32+src function. Neil On 1 November 2013 18:39, Cyril Bonté wrote: > Hi Przemyslaw, > > Le 31/10/2013 12:05, Przemysław Hejman a écrit :> Hello guys, it's me one > again. > > > > > I just wanted to share my experiences after several very simple > > acceptance tests. First of all, I've found that the whitelist did not > > work - I had to change my configuration to something like this: > > > > global > > stats socket /tmp/haproxy.sock > > defaults > > mode http > > timeout connect 5000ms > > timeout client 5ms > > timeout server 5ms > > frontend app > > bind *:8080 > > option http-server-close > > stick-table type integer size 200k expire 30m store > http_req_cnt > > acl white_list src 127.0.0.1 192.168.1.205 192.168.0.133 > > tcp-request content accept if white_list > > tcp-request content track-sc0 urlp(SID,?) > > tcp-request content reject if { sc0_http_req_cnt gt 2 } > > tcp-request inspect-delay 10s > > default_backend web_servers > > backend web_servers > > balance roundrobin > > server web01 127.0.0.1:80 check inter 1000 > > > > Therefore, I've decided to do a little test. I've put request sent by > > curl in a for loop like this > > for i in `seq 1 400`; do curl > > "192.168.0.132:8080/index.html?SID=33?asdf"; done > > > > Eveything to seem fine HOWEVER I have noticed that several (about 20) > > requests randomly PASSED. > > Sorry, I didn't have time to reply to the configuration you provided last > time. But it is normal if it didn't work 100% of the times : this is > because your forgot to add a line that waits for a layer7 information, as > Willy said. > > The important thing was to add : > tcp-request content reject if !HTTP > > > > > Pushing the stick-table and tracking/rejecting operations back to > > backend definition solved my problem. > > Indeed, this is another way to wait for HTTP data to be complete, as a > HTTP frontend will use the backend only once the headers are received. > > Thanks for sharing. > > -- > Cyril Bonté > >
url32+src - like base32+src but whole url including parameters
Hello I have a need to limit traffic to each url from each source address. much like base32+src but the whole url including parameters (this came from looking at the recent 'Haproxy rate limit per matching request' thread) attached is patch that seems to do the job, its a copy and paste job of the base32 functions the url32 function seems to work too and using 2 machines to request the same url locks me out of both if I abuse from either with the url32 key function and only the one if I use url32_src Neil url32+src Description: Binary data
Re: AW: AW: Loadbalancing with ssl on www only
Off topic:Presuming its not long dince you ordered. I would expect any decent expensive certificate issuer to allow you to get a new certificate with the additional name of the non wildcard same name without charge they will most likely want the original revoked before refunding. Unless they don't want any more orders from you. Back on topic again: A browser should not even get to the redirect without warning. However it could well cache the redirect and not bother you with warning the next time you went there in tgat browser session. Neil On 29 Oct 2013 17:13, "Felix Ferchland" wrote: > I can tell you, it worked. > > I think the difference is he kind of redirect (url vs header redirect).*** > * > > But I’m not an expert in proxy url rewriting, so I simply have to deal > with that. > > I can’t order a new certificate for the domain because it’s an ev cert and > these are quite expensive… > > ** ** > > ** ** > > *Von:* David Coulson [mailto:da...@davidcoulson.net] > *Gesendet:* Dienstag, 29. Oktober 2013 17:58 > *An:* Felix Ferchland > *Cc:* Bhaskar Maddala; > *Betreff:* Re: AW: Loadbalancing with ssl on www only > > ** ** > > No way it worked with Apache. Ssl verification happens before http can do > anything. > > Sent from my iPad > > > On Oct 29, 2013, at 12:39 PM, "Felix Ferchland" > wrote: > > So it’s simply impossible to redirect the request? > > I was using nginx as reverse proxy before and even apache can do that with > a redirection… > > I’m a little surprised that this is simply impossible and i need another > ssl vertificate. > > > > But thanks for the quick answers! > > **** > > > > *Von:* Bhaskar Maddala [mailto:madda...@gmail.com ] > *Gesendet:* Dienstag, 29. Oktober 2013 16:07 > *An:* David Coulson > *Cc:* Felix; haproxy@formilux.org > *Betreff:* Re: Loadbalancing with ssl on www only > > > > Ahh, thank you > > -Bhaskar > > > > On Tue, Oct 29, 2013 at 10:56 AM, David Coulson > wrote: > > A wildcard cert is helpful for some things, but domain.com will not > validate against a cert issued for *.domain.com > > > > On 10/29/13, 10:52 AM, Bhaskar Maddala wrote: > > If it is any help you can get a certificate for *. domain.com > > On Oct 28, 2013 9:37 PM, "Felix" wrote: > > Hello, > > I am using haproxy to loadbalance my webapplication but I get into a > problem > with our ssl certificate. > haproxy is also serving the ssl certificate to the clients. this works > quite > well. we only have certificate for www as subdomain, so all traffic hitting > haproxy should be redirected to https://www. > if the visitor comes from non ssl the domain can be rewritten without a > problem, but if the visitor types the domain with ssl but without > subdomain, > the url can't be rewritten before the (in this case invalid) ssl > certificate > was served by haproxy. > is there a way to redirect an ssl request before serving the certificate? > > global >maxconn 4096 >daemon >log 128.0.0.1 local0 > > defaults >log global >mode http >contimeout 5000 >clitimeout 5 >srvtimeout 5 >option forwardfor >retries 3 >option redispatch >option http-server-close > > frontend http *:80 >mode http >redirect location https://www.url.com if !{ ssl_fc } > > frontend https ># reqadd X-Forwarded-Proto:\ https ># www Redirect >mode http >acl non-www hdr(host)url.com >redirect prefix https://www.url.com if non-www > >bind *:443 ssl crt /crt/ssl.pem no-sslv3 >default_backend web >option forwardfor > > > > > > > > > >
Re: haproxy duplicate http_request_counter values (BUG)
Oh, for some reason my mail client wasn't showing the response from Willy when I made this reply. Not sure if this info is really necessary any more. Will try the patch on that email and report back to it. -Patrick On 08/13/2013 07:13 PM, Patrick Hemmer wrote: > > On 2013/08/11 15:45, Patrick Hemmer wrote: >> I'm using the %rt field in the "unique-id-format" config parameter >> (the full value is "%{+X}o%pid-%rt"), and am getting lots of >> duplicates. In one specific case, haproxy added the same >> http_request_counter value to 70 different http requests within a >> span of 61 seconds (from various client hosts too). Does the >> http_request_counter only increment under certain conditions, or is >> this a bug? >> >> This is with haproxy 1.5-dev19 >> >> -Patrick > > > This appears to be part of a bug. I just experienced a scenario where > haproxy stopped responding. When I went into the log I found binary > garbage in place of the request ID. I have haproxy configured to route > certain URLs, and to respond with a `errorfile` when a request comes > in that doesn't match any of the configure paths. It seems whenever I > request an invalid URL and get the `errorfile` response, the request > ID gets screwed up and becomes jumbled binary data. > > For example: haproxy[28645]: 207.178.167.185:49560 api bad_url/ > 71/-1/-1/-1/71 3/3/0/0/3 0/0 127/242 403 PR-- Á + GET / HTTP/1.1 > Notice the "Á", that's supposed to be the process ID and request ID > separated by a hyphen. When I pipe it into xxd, I get this: > > 000: 6861 7072 6f78 795b 3238 3634 355d 3a20 haproxy[28645]: > 010: 3230 372e 3137 382e 3136 372e 3138 353a 207.178.167.185: > 020: 3439 3536 3020 6170 6920 6261 645f 7572 49560 api bad_ur > 030: 6c2f 3c4e 4f53 5256 3e20 3731 2f2d 312f l/ 71/-1/ > 040: 2d31 2f2d 312f 3731 2033 2f33 2f30 2f30 -1/-1/71 3/3/0/0 > 050: 2f33 2030 2f30 2031 3237 2f32 3432 2034 /3 0/0 127/242 4 > 060: 3033 2050 522d 2d20 90c1 8220 2b20 4745 03 PR-- ... + GE > 070: 5420 2f20 4854 5450 2f31 2e31 0a T / HTTP/1.1. > > > I won't post my entire config as it's over 300 lines, but here's the > juicy stuff: > > > global > log 127.0.0.1 local0 > maxconn 20480 > user haproxy > group haproxy > daemon > > defaults > log global > modehttp > option httplog > option dontlognull > retries 3 > option redispatch > timeout connect 5000 > timeout client 6 > timeout server 17 > option clitcpka > option srvtcpka > > stats enable > stats uri /haproxy/stats > stats refresh 5 > stats auth my:secret > > listen stats > bind 0.0.0.0:90 > mode http > stats enable > stats uri / > stats refresh 5 > > frontend api > bind *:80 > bind *:81 accept-proxy > > option httpclose > option forwardfor > http-request add-header X-Request-Timestamp %Ts.%ms > unique-id-format %{+X}o%pid-%rt > unique-id-header X-Request-Id > rspadd X-Api-Host:\ i-a22932d9 > > reqrep ^([^\ ]*)\ ([^\?\ ]*)(\?[^\ ]*)?\ HTTP.* \0\r\nX-API-URL:\ \2 > > > acl is_1_1 path_dir /1/my/path > use_backend 1_1 if is_1_1 > > acl is_1_2 path_dir /1/my/other_path > use_backend 1_2 if is_1_2 > > ... > > default_backend bad_url > > log-format %ci:%cp\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ > %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %U/%B\ %ST\ %tsc\ %ID\ +\ %r > > backend bad_url > block if TRUE > errorfile 403 /etc/haproxy/bad_url.http
nike free cuando die Fülle und Aussehen
nike free run schuhe ist a distinct gestartet von Nike, Gesellschaft. später. Seit seiner Einführung Start, } http://www.nike.com hat häufig eingeführt enthüllte neue und aktualisiert Modelle in der innen gehalten die Produktion. Der Nike völlig kostenlos Schuhe Funktion a eine große Luft-Dämpfung Extra Polsterung Einheit mit Ferse das ist sichtbar durch die der auf der Zwischensohle in den meisten Allgemeinen in den meisten. Schuhe sind zweifellos eine sehr wichtige entscheidend Teil Dressing. Als, Ich habe nicht besorgt mit meinen Schuhen verbunden on} {von den Marken konzentriert. Manchmal Rabatt Frauen Schuhe oder Stiefel kann nicht wegen ihrer Notwendigkeit. i Kauf der, ich werde Fokus auf den Stil. Und ich denke, Nur es ist nicht nur ist nicht nur veraltet, sondern auch sondern zusätzlich der Wert ist unglaublich teuer. Mehrere der bieten eine ähnliche Erfahrung seit unzähligen Jahren. nike free deutschland Sneakers könnte ist in der Regel am besten erklärt von mit "Komfort und Mode verbunden Weg "Schuhe, die getted haved kontinuierliche top preisen. Mit einer|Marketing, Nike hat Angebote startete eine Abwechslung von neuen Aussehen Schuhe, like, Schuhe, Schuhe oder Stiefel, Luftwaffe einen Schuh, etc. In welchem , koaleszierten Reiz und Komfort und Luxus. Schuhe erscheinen in den zum im 1980er Jahren. Die tatsächliche ist immer, die Basketball-Athleten . Für diejenigen, die laufen, sie wissen sie sind voll und ganz bewusst, wie wichtig es ist Es kann zu empfangen Sportschuhe jede Kleinigkeit rechts. The main könnte sein, dass das Bedürfnisse um gut fixierten, aber auch fast alle erforderlich um der Ausführung Sowie bekräftigen das ist Pflichtfeld Diese Art der activeness. Es gibt verdorben Joggingschuhe in dass Lage und es ist sehr bedeutende for lernen damit bestimmen Bestimmt. Darin Artikel ist sicher, get kargen 2009 Rückblick. Wir machen sind in die ungleichen Komponenten das wird diese shoe folglich plus betrachten einige storming rühmt. http://www.nikefreeschuhekaufendeutschland.eu/media/catalog/product/cache/1/small_image/170x/9df78eab33525d08d6e5fb8d27136e95/0/b/0b9af0ff431f5ec9da3380cc91cc4b66.image.320x212.jpg Sportschuhe hergestellt von|world wide web|internet|Online nike free run deutschland Regel unbestreitbar der Favorit jede Alter. Der ausstehenden Wahl reizvolle durch zahlreiche unzählige Menschen. nike kostenlos, eine von mehreren laufende Turnschuhe Linien ist eingeführt diesem Jahr for die erste time. Anschließend, hält Nike Bringing Out die neuen Modelle Ankündigung in der. Da dies wäre das sein|Geburtstagsfeier|besonderen Geburtstag|20. Geburtstag Geburtstag bday mit elan - Air Max 90 wieder einige angekommen der Markt und viele Air Max Fans 'eyes.The nike free 90 Schuhe besitzen a enthalten eine bemerkenswerte Eigenschaft von über cup of tea in der Schuhabsatz. Die tatsächliche aus dem Ort ist attraktiv der air max Liebhaber. Der Nike lose 90 Schuhe erleben Minuten diese Art der kam zu sein Dank für Ihren Besuch Online-Shop: http://www.nikefreeschuhekaufendeutschland.eu --- posted at http://www.serverphorums.com http://www.serverphorums.com/read.php?10,738174,738174#msg-738174
I like Air Jordan Shoes
That rockets while in the primary one fourth has been trailing 18 things. Rick adelman claimed: "for many of us commence I am disenchanted, we all present air jordan shoes nz, works an entire video game struggled for you to scale released. We're the best problem now will be attack. The offensive ending a lot of turnovers can make opponents without difficulty timeof fast-break things. Nowadays players effect can be slower clap, not to one other bash with attacking put out adequate difficulty, would make these people sluggish strike flow. While in the minute half we all gamed a bit improved, do tactical additional completely, after own prospect is often caught credit score. Yet entry is very lose also dismal. If a crew could layup, each of the pictures glimpse thus easily. While in the following fifty percent all of us played many attacks, however going through Dallas good coaches and teams such as when, need to lead very complicated. " The rockets right now a total of 14 turnovers, specifically while in the very first half, problem is located just about everywhere. Discipline is quite unhappiness: "when in the beginning from the activity, the players have instantaneous right express, the actual competition would not offer you time and effort for you to help you warm-up. POST need ideas of what's the trigger, but it surely looks like that will everybody from the earliest quarter usually are not in-form. Next MY SPOUSE AND I make it possible for next workforce enjoy, circumstances will be absolutely no transform. Love it if more do not know what exactly the scientific explanation for this people needed that long period failed to get into the overall game. However have to have praise the actual online players don't give air jordan new zealand shoes upward, tolerance to be able to remaining. However such as POST stated previous to, backward too much. The rockets while in the remaining point inside Martin and also scola below the actual instruction involving consecutive scoring, lastly douse the rockets head desire will be bariah, the Puerto Rico players throughout the 15 pictures 8-10 rockets absolutely reliant that will the pup. Rick adelman claimed: "bariah very last period perform thus nicely. That mavericks regarding your pet to design a considerable number of equipment removed, even two or three instances a great deal of. Next, beside your pet kept countless strikers, plus focus manage reb chandler. Some of our defensive online players never have had the opportunity for you to sidestep these people to select upon bariah efficient defensive. This is certainly right now I can claim, I became capable to examine video tutorial soon after such a concrete floor examination is precisely what motive. Naturally nowitzki, Jason kidd along with terry also shows you triggered a considerable number of nike air jordan heels nz." This isn't once that rockets had been bariah played air jordan xx8 black camo. Seeing that battier said, the rockets facing accommodating any time tiny state-of-the-art defense often lack of muscle. This is the reason going through Dallas, bariah along with terry may often e-field hair MAO's the reason. http://www.airjordansnewzealand.com/. --- posted at http://www.serverphorums.com http://www.serverphorums.com/read.php?10,733136,733136#msg-733136
nike free das Jahr 2013 Joggen Turnschuhe Zwischensohle und Laufsohle flex grooves
nike free 5.0 damen 2013 Laufschuhe Zwischensohle und Laufsohle flex Linien entworfen zu erhöhen Mächtigkeit, und so der variable Die transluzenten Gummi knifflig Verschleiß, und trotzdem a fantastisch nike kostenlos aufblasbaren Kissen um sicherzustellen, dass Dämpfungstechnologie Blick Vom Bodendichtung Zusammen mit kombiniert nike kostenlos Luftfeder denen die mithilfe Substanz, service Sicherheit mit dem Hinterfuß Einstimmige Kosten -kostenlos Kissen freeimize Auswirkungen Moderation, so läuft mehr glatte, natürliche Bottom erreicht zu die gesamte Fuß, Dämpfung force und Folge in the sicher sein, die Sicherheit und Komfort. nike free 5.0 herren Ort Mundschuh schmiedeeisernen Design hilft bei der Reduzierung minimiert Rutschen, das Tragen bequemer bequem. Die EVA Innensohle Sohle verabschieden Einklang mit dem Spuren Design, perfekt passen paroxysm der Fuß formen bieten Dokumentation Die Kraft retikulären Wickler die gesamte Fuß, Verbesserung Komfort und Atmungsaktivität, on vom weniger schwierig 1.289 Yuan Dieser Schuh wird zum Preis von Kwai Sprint Spikes (Nike Zoom Superfly) Verwendung des Nike Fuse-Technologie Technologie Füße auf dem Schuh Klebstoff tape zu steigern ihre Ausbildung die Menge der fit, Komfort und Transformation, die ultra-dünnen Phylon-Mittelsohle a, full palm Pebax Sprint einzige Plattform und Kupplung Dieser Schuh wird zum Preis von 999 Yuan. http://www.nikeschuheschweizshop.com/skin/frontend/default/bluescale/images/bottom3.jpg beispiellosen nike free 5.0 v4 Test, Ihrer von neue Version des auf der nike free 3 .0 V2, obwohl obwohl noch nie gesehen haben Veränderung der durch die auf dem Kissen von Luftstrom, allerdings der in der auf dem Schuh selbst hat Angebote unterzogen große Änderungen, selbst mehr retrotaste, so dass Um sicherzustellen, dass zumindest Das komplette als gegenüber dem aktualisierten Version adidas_1 adidas_1 ane eher Kräutertee weit besser . vom auf dem neuen kostenlosen Fruchtsaft arbeitet auf der model in der auf der Air kostenlos 3 Monate, der Körper aus dem getan aus Nylon gefertigt und sowie Ledermaterial mix and match, hochrot gepunktete entwerfen it ein außergewöhnliches Textur und Mystik. 30. September 2013, die nike free 5.0 v4 damen insgesamt Foamposite lose Silbermetallic zum Verkauf, der freien Gesamte Foamposite kostenlos metallic typischerweise Silber Stahl bekannt, vor kurzem spät Lebensmittelgeschäft viel Bombe, die kostenlos no cost lose Satz nur Paar sein ganze Handfläche lose Ordnungszahl 6 Platte in der aus dem auf die Basketball-Schuhe in der Regel Schuhe vor Garnett und Duncan Billigung Integral Sicherheitsnetz Körper der auf dem Schuh-Design, einige starke Leistung frei Schuhe, freies restraint . bewusst sein willkommen Internet-Shop: http://www.nikeschuheschweizshop.com --- posted at http://www.serverphorums.com http://www.serverphorums.com/read.php?10,730220,730220#msg-730220
the nike footwear Hyperposite just formally released the newest color to light-weight
nike shoes uk 2013 future shelves on 12 , 31, To bell ringer the occasion, Nike special "MvsW bolted faction bucket" activities used yesterday evening, attended by Xu Hao Ying, Jan Dear, Stephanie Cheng also poems Ya, 903DJ DonaldMr member of the Dash, part with the Dear Jane Bob and Jackal, everybody wear the newest nike shoes the year 2013 and Pak Sha Road, Causeway Bay, Nike Sportwear Retailer to Happy Pit marching very bouncy! Japanese shops atmos again with the NSW launch articulation edition http://www.nike.com this is not the initial involving the two sides A partnership, prior to the introduction of your atmos x nike shoes ane are desired and became a well used, and this also sale in the year of 2013, it will have two. A wilderness camouflage that has a leopard material lap decorated with snakelike, another in rainforest camouflage having a black serpentine. 2 different styles merely all without losing the rave with the gas. It appears to be Nike want a special color related nike shoes uk online shop Flyposite allow it to needlessly and Hyperposite of shoes go hand in hand, so the front in this "Megatron" was born.This double "Megatron" just isn't a formal cooperation models together with Hasbro, but Nike hit an edge ball, Detroit mighty team wide telephone receiver Calvin Johnson's sobriquet as being the inspiration to make this "Megatron".The spring and summer of 2013, Nike launched a wonderful nike shoes Unification, to deliver protection for everyone sorts of sports, to help you to fulfill the challenges within the exercise 100 % of confidence. Your the thicker net quilted neoprene uppers, fully engrossed foot and provides lightweight comfort As well as breathability, and also bring adequate reinforcement towards foot with fantastic warmth. nike shoes and boots inflatable cushion heel at the comfort, providing safeguard and cushioning on the foot. Low-occurrence Phylon midsole delivers lightweight cushioning, nike shoes multidirectional flex grooves inside forefoot, so education is more natural pace. Galosh point from the heel as well as the forefoot in the outsole help the wear resistance in the shoe using a different surface. Use traction mode to take more natural to sports execution. http://www.nikeshoesukonlinesale.co.uk/media/catalog/product/cache/1/small_image/175x/9df78eab33525d08d6e5fb8d27136e95/n/i/nike_air321.jpg August 2012, this nike free Hyperposite just basically released the revolutionary color to light-weight, the the celebrated sneaker collectors Mayor brought us a brand new color in the actual spy. This connected with Air Max Hyperposite one's body from the shoe to create a deep blue polyurethane foam material, metal grain allow it to be rich visual effects like gradient, then a sky-blasphemous swoosh extremely blatant same light bluish within the bottom palm Maximum AIR extraordinarily clear attractive.Popular, NEW BALANCE is actually jogging shoes to conquer the planet, each classic types entered the introduction could not escape being clicked, but very sorcerous the NEW BALANCE company throughout 2013 and still have not done well to target on jogging sneakers, but try ut skateboarding shoes. NIKE company could be the Chinese so it NEW BALANCE formally fired in jogging sneakers market, the roll-out of the environment Max 1 2013 QS USA Track & area of function jogging sneakers. Breathable uppers, the soles of erotic function, even though not personally experient, just consider the pictures I really believe can feel. this is our online store:http://www.nikeshoesukonlinesale.co.uk --- posted at http://www.serverphorums.com http://www.serverphorums.com/read.php?10,730219,730219#msg-730219
nike shox r4 Hyperfuse will certainly once again released a fresh color
nike shox in everyone's feeling from the coating to break into explosion design is basically less and less, Please not confuse this explosive crack Along with Safari pattern. Overwhelmed by the revolutionary design of tailor made big Mache II nike shox a single SUPREME "new,http://www.nike.com can be stated to indicate probably the most critical crack content. Both shoes were being black nylon net toe and natural language with red cellular lining and white plastic mesh toe In addition to tongue with azure lined presentation, one's body on the shoe in addition to probably the most dazzling ** genera protection The crack huge increase decorated. Black laces and white but tend to not do devoid of the bottom this info decorative embellishment. nike shox uk Ken Griffey Jr's shoes or boots, surely we aren't unfamiliar, often begin to see the shoes printed SWINGMAN swing Logo design will folks have the need to look feeling. 2013 NIKE will kick off a new design on the new nike shox 360 place, shoe body having synthetic leather Along with Hyperfuse material combining Phylon midsole Cushlon ST offers more damping impact, concurrently 360 ??degrees nike domineering aviation max technology is now this section where the highlight of any solid rubber outsole also registered many square lymph gland decorative, provides hefty wear-resistant and also non-slip effect. Undoubtedly probably the most dazzling at a loss for the exposure of 5 color that a part of water green / orange tree / white color of the revolutionary All new goods are required to Offer Cost of $ 170, available for sale in 2013. http://www.nikeshoxnzuksaleonline.co.uk/media/catalog/product/cache/1/small_image/175x/9df78eab33525d08d6e5fb8d27136e95/n/i/nikeshoxnz6.jpg 2010 was obviously a troubled year, dismayed the entire world with the devastating earthquake throughout Haiti in The month of january. Many equipment companies are involved in the establishment of any disaster relief charity fund, to Mianbaozhili. Some mesh groups, especially made for Haiti relief work. They to retail shoes, the earnings with the auction donated to help Haiti to aid weather this devastation. Nike company created the Kinbe Dad Lage do not note Nike Rocker Low and Nike Zoom Kobe V, Each shoes sold all income will likely be donated towards the Haiti charity outcome. On this occasion this can be the third set of Special Edition nike shox three hundred and sixty LeBron VII. The actual Kinbe Pa Lage pattern created by Forest Park elementary school children. 3D Caribe movie seriously isn't enjoyable? Back three dimensional Piranha is usually a type of stereoscopic 3D! 360 the designer Emilio Zuniga Nike nike shox r4 shoes or boots guest with the transformation of the system, your entire body of the shoe based bluish suede, nylon material, a couple of shoes with neon orange color finish and shoes before the shoes ultimately perhaps the white painted inside red two color Xuepentaikou appearance, in addition perhaps the eye, the full shoes looks like a fierce Meng piranha! Returning to the nike shox women uk Hyperfuse will once more released a different color, this bivalent nike shox r4 Hyperfuse olive-green to the color main, solely inside, Nike Logotype, tongue Nike terms, bottom cushion for the toe end to eye-catching fluorescent green are dashed, cleverly finishing touch towards the overall color common sense. This double nike shox r4 Hyperfuse initiated a policy of at the Nike Sportswear store shelves available for sale so you desire to start with the shoes supporters must be aware. The last winter NIKE special night to develop the nike shox reflective Jogging Series and unveiled VAPOR FLASH Hat. That a newcomer for the design, the unanticipated reaction so warm, made sale several days has speed journey city, to create of a reflective effects WINDRUNNER JACKET for your U.S. internal team this year NIKE will redouble their attempts and underneath the guise of Lunao theme outside reactions are also very fiery. Extremely popular, latest NIKEiD undertake this kind of nike shox broody material also enroll in the fray, as well as launched a personalized choice of reflective material AIR FORCE 1 iD. this is our online shop:http://www.nikeshoxnzuksaleonline.co.uk --- posted at http://www.serverphorums.com http://www.serverphorums.com/read.php?10,730213,730213#msg-730213
Re: Spy a cell phone anywhere in the world.
i looked the blog copy9blog.com ;) --- posted at http://www.serverphorums.com http://www.serverphorums.com/read.php?10,343992,726779#msg-726779
nice of Nike spread world wide
Yes, the nike shoes is a great running footwear. It includes the runner an appropriate feel because of improved heel for landing and durability purposes. Furthermore , it provides you with cushioning due to full-length shox beneath the shoe.http://www.nike.com Ecosystem Cole Haan Sneakers performance the truly great technology that make donning A lot of sneaker hassle-free than whenever you want before facing forward! Your own personal slimest soles all over the chicest large heel shoes setting up ashore your have Cole Haan web-site could features your Nike Air flow technologies which will make each and every tiny detail sense simply because while you are searching towards nike australia the cushiony smoke cigars Nike Air Yeezy Zen Gray. http://www.nikeshoesukonlinesale.co.uk/media/catalog/product/cache/1/small_image/175x/9df78eab33525d08d6e5fb8d27136e95/n/i/nike_air321.jpg >From Nike cooperate with NBA in 1970s, nice of nike shoes uk spread over the >world. The majority of people knows Nike, from kids to olders, expecially NBA >fans, just how much is above others. A lot of them want to own some Nike shox >shoes which in turn is capable of doing their star dream. Much like Kobe or >Jordan in NBA field, they can find their position within the pub baseball >games. However, the orginal purchase of Nike shox is pricey, this may unhappy >people who prefer to play basketball for themselves. Neverless to say those >whose remuneration may simply slove the mealtime job, what can they are doing >Just quit their dreams No, the roll-bankrupt online reap the benefits of >convinence and help simple to use for getting discount Nike shox shoes, you >need to simply try to look for Nike Shoes Sale or Discount Nike shoes, others >like cheap Nike allows you to obtain the how does someone buy really cheap >Nike shoes which in turn your family lavatory afraid. once I looked at the nike shoes uk online shop box I noticed we have a toughie which usually displays any babys' experience, your numbers racket zero-3 along with the 'no' circle/slash symbol. Any idea why this sticker is within the box? The label states how the technique is stated in Taiwan. Would be the shoes created using bad real that is certainly harmful pertaining to infants?It really is that's doubtful an undesirable shoe. It may be a better idea to invest a bit more and search for a store that sells running shoes exclusively Since which will be better on your own feet and legs. expert nike air jordan,Basket Nike Pas Cher,Nike Jordans Retro partisan, de fournir Basket Nike Pas Cher, la qualité garantie à 100% de Basket Air Jordan Chaussures,Air Jordan rétro Chaussures et Nike Air Jordan enrichir votre équipement de basket-ball, libres d'expédition chaussures de basket-ball jordans Nous promettons solennellement:Pas satisfait les chaussures nike Jordan gratuitement la mise en accusation. Si vous trouvez des problèmes de qualité des air jordan, nous avons remplacé gratuitement. http://www.nikeshoesukonlinesale.co.uk --- posted at http://www.serverphorums.com http://www.serverphorums.com/read.php?10,725087,725087#msg-725087
Nike Shox bought at Hibbett Sports having a dagger of the newborns face
nike shox purchased at Hibbett Sports that has a sticker of the baby's face, the quantity 0-3 and a "No' circle implies that the shoes are not for sale in those numbers pool. The shoes usually are not created using bad material, it is made with allow air through and sturdy material. Unbelievable Ease and comfort and superiority cause them to become suitable for. Well, the initial place I'd personally pay attention to these footwear is Nike's website. These people have a wide range of discounted products on the site and you could be able to find them there. I also notice that you will find Pink http://www.nike.com Shox on sites like Eastbay, Finish Line, and Boom. Actually the best place to take a look could be Amazon-it is indeed my pet buying place and also you can never predict what will you find with small prices. http://www.nikeshoxaustraliaonlinesale.com/media/catalog/product/cache/1/small_image/175x175/9df78eab33525d08d6e5fb8d27136e95/N/i/NikeShox283_2.jpg With all the heat of World Cup, beyond the topic of teams,nike shox australia Mercurial Vapor may also be the mian topic among students. Considering the new compilation of Mercurial Vapor, it contunies the real key distinctive line of speed. Also the colors and fashoins can match the necessity of 90's. For football players gonna school football team, no take most widely used inside football field. Students who wish to be considered a prefessional football player may purchase one to get. Also the modern sale within this you'll be able to stimulate students to get one because of their teamate. Can school without the need of Nike, it may be impossible, the modern play invent of self-lacing Nike shox shoes will expand the greater sell to kids whose lacing lose day by day, also for these who will be lazy to lace shoes from the class. While using increasing sales of Nike shox shoes, the strom to varsity stands out as the new trend to new Nike shox shoes. You can get them online on Nikes website, or nike shox australia online store or outlet locations. They're also on amazon.com, or you might check eBay. In case you have an area Foot Locker store, even if they don't really contain the ones you desire in store, they'll order them available for you.2010 is an excellent year for Nike, with all the beginning of World Cup in South Africa, Nike offers various of products into market. Additionally, from NBA to football, Nike has followed its purpose - Simply sleep together. The original meaning may be used to basketball games. But after age period, they've got extended into each area. nike shox r3 men's shoe is a shoe that appears sharp rolling around in its deep set colors. The shoe comes in a very good blue, black red or blue color, which has a transparent Nike symbol quietly. It possesses a great rubber outsole for grip and sturdiness. It gives air sole unit cushioning and cushioning with premium leather for that upper areas. here you are at our web shop:http://www.nikeshoxaustraliaonlinesale.com --- posted at http://www.serverphorums.com http://www.serverphorums.com/read.php?10,725080,725080#msg-725080
Nike Shox Barato such an creature off-line tote
My spouse and i inserted an order intended for nike shox plus they didn't send a verification e mail. These people responded to an e-mail so it could well be over a couple weeks to even ship the shoes which was contradicting to their rescue insurance plan of two days. http://www.nike.com I emailed and demanded a reimbursement. The tutor said it would be 7-20 days to get your money back. 20 days gone no amounts. Chances are they said the bucks could be during my account today. It were refunded once again. DON'T order readily available cozenage artists!!! You will lose your hard earned money. http://www.nikeshoxnzukonline.co.uk/media/catalog/product/cache/1/small_image/175x/9df78eab33525d08d6e5fb8d27136e95/n/i/nikeshoxnz6.jpg nike shox uk type of shoes functions very cushioned teachers along with genuine shock from the heels in the shoes. This lines are suited to the larger runner who wants one of the most cushioning available. Nike Shox are ideal for utilizing the pounding beyond running on hard surfaces like tangible and concrete. Nike Shox brand of Nike running sneakers allows your foot to mimic barefoot running play with no distressful in relation to hazard of treading on sharpened objects. These sneakers are exceedingly flexible and minimally cushioned to boost natural foot motility. They certainly require time to have helpful to, but they're very very theraputic for building up this base lowering quads. cloth with the performer to nike shox r4 run locate the optimal structure regarding type concerning sneakers, lacoste via the internet, Original, actually might be a medley a part of footwear, or maybe fundamentally, these as discounted setting most footwear also simply because informal footwear blend. This unique nike air-move, a variety of forms, shop lacoste, may perhaps have their individual personalized spot for a hear the finest varieties Adidas Glow In The Dark Tenis Nike Shox they keep lead the popularity inside the craze world. When you haven't bought one last winter weather, you cannot miss the thrill in 2011. With Nike Shox Barato this animal offline handbag, setup wear the most efficient T-shirt extremely jeans, even though you peer stylish and elegant as the optimal pop figure. Clic handbagsIn regarding that wardrobe, there could be at nominal one handbag showcasing clic forming and ridge. These reliable handbags, which doesn't walk out style, can match your complete wardrobe for years and won't to be able to highlight well-being clic and trendy style. thanks for visiting our web store: http://www.nikeshoxnzukonline.co.uk --- posted at http://www.serverphorums.com http://www.serverphorums.com/read.php?10,725079,725079#msg-725079
Re: Debian/Ubuntu packages for HAProxy
While it's great to have more Ubuntu packages, especially for the dev version, I took a look at the Ubuntu ecosystem and basically all the packages are missing the USE_ZLIB to enable gzip compression. If it can be added I'll start using them instead of compiling from source. Cheers --- posted at http://www.serverphorums.com http://www.serverphorums.com/read.php?10,720288,721806#msg-721806
Re: Spy a cell phone anywhere in the world.
oh thank you so much !!! :D --- posted at http://www.serverphorums.com http://www.serverphorums.com/read.php?10,343992,716626#msg-716626
Re: Spy a cell phone anywhere in the world.
hello all how i can move my spytic account to copy9 website. any help??? --- posted at http://www.serverphorums.com http://www.serverphorums.com/read.php?10,343992,716613#msg-716613
Re: Spy a cell phone anywhere in the world.
I found website www.copy9.com. oh copy9 has many feature such as Ambient Voice Record, Yahoo Messenger Chat, Whatpsapp, Key Logger, Voice Memos, Notes, Photo Camera Roll (Pictures)... with lower price compared with spytic. Oh my god --- posted at http://www.serverphorums.com http://www.serverphorums.com/read.php?10,343992,716611#msg-716611
Haproxy 1.5 dev + Nginx 1.4.1 + SPDY
Hi I currently have Haproxy 1.5 dev18 as a load balancer to 2x Nginx 1.4.1 backend servers. The site i.e. mydomain.com is currently all http:// non-SSL based. I want to utilise SPDY/SSL for mydomain.com at https://mydomain.com. However, trying to get my head around the best way to accomplish this. 1. Setup Haproxy with SPDY support only OR 2. Setup Nginx with SPDY support only Question is 1. If I setup Haproxy with SPDY support only, do I still need to setup Nginx with SPDY support too ? Would both Haproxy and Nginx use and point to the same SSL certificate ? Anyone got a basic haproxy.cfg config example of how that would look ? 2. If I setup Nginx with SPDY support only, do I need to setup Haproxy with SPDY support too ? Would both Nginx 1.4.1 backends be setup with the same SSL certificate copied over from 1 Nginx backend to the other ? Which would be better for A. performance B. scalability C. management Appreciate and advice and info to help clarify my understanding :) --- posted at http://www.serverphorums.com http://www.serverphorums.com/read.php?10,709640,709640#msg-709640
Re: bytes_sent?
This is already present in haproxy 1.5. 1.5 has a `log-format` parameter which lets you specify a custom format. The format has a `%U` parameter which is the number of bytes sent by the client. -Patrick On 2013/15/05 02:23, Joel Krauska wrote: > The HTTP Log Format tracks bytes_read, which appears to be the number > of bytes in the HTTP response send from the backend to the requesting > client. > > https://code.google.com/p/haproxy-docs/wiki/HTTPLogFormat > > I feel also that bytes_sent may be an interesting field to track. > > For example: An Image upload site may care a lot more about image > uploads to their servers than downloads. (esp for an upload backend pool) > > Checking the ratio of bytes_read vs bytes_sent also provides > interesting insight in to how an application is performing. > > Is there anyway I can lobby to get bytes_sent added to future > revisions of the HTTP Log format? > > Is there any other method to collect this info? > > The stats page is already collecting Bytes in and Bytes out, but I'm > missing it in the log format, so I can't look at it on a per-request > level. > > Thanks, > > Joel
Re: HAproxy & tproxy problem when try to make transparent proxy
Hello, L. Alberto Giménez ha scritto: > Please check that: > > * You have the tproxy enabled in your kernel > * You have haproxy compiled with tproxy support > > Your backend servers *can't* see the clients directly (i.e., they have > the haproxy box as default gateway and *no other* gateways). > > The same for the clients (not mandatory, but if they can see the > servers, it may cause trouble). Like I wrote before, I use ubuntu server 9.10, with kernel 2.6.31 and iptables 1.4.4, so with built-in tproxy support (if I'm not wrong). And I compiled Haproxy by "hands" with correct parameters I think... > lsmod [...] nf_tproxy_core24281 xt_socket, [...] > haproxy -vv HA-Proxy version 1.4.2 2010/03/17 Copyright 2000-2010 Willy Tarreau Build options : TARGET = linux26 CPU = i686 CC = gcc CFLAGS = -O2 -march=i686 -g OPTIONS = USE_LINUX_TPROXY=1 USE_STATIC_PCRE=1 [...] The client can't see directly the backend server. > ping -c 1 192.168.0.2 PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data. From 192.168.1.2 icmp_seq=1 Destination Host Unreachable --- 192.168.0.2 ping statistics --- 1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms The backend server can't see the clients directly. > ping -c 1 192.168.1.2 PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data. *From 192.168.1.21 icmp_seq=1 Destination Host Unreachable* (not From 192.168.0.2 like expected) --- 192.168.1.2 ping statistics --- 1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms So, incredible.. I find the trick.. Alberto, you save my mind.. :-) In backend server I have 2nd ethernet card configured with 192.168.1.21. The cable is out but I forget to disable it (how I'm chicken..).. So everytime the backend try to access to client from this route. Many times errors are in the most simple things. Thanks, thank you very much.. Really! Daniele Hi all, perhaps there is hope for me too ... I have HAProxy running on 192.168.1.101, with this configuration: ... backend test mode http source 0.0.0.0 usesrc clientip server serv1 192.168.4.41 frontend test mode http bind 192.168.1.101:8090 default_backend test the HAProxy is from 1.5-dev6, build with TARGET=linux26 USE_LINUX_TPROXY=1, kernel is 2.6.26-2-amd64 The server is in my vmware player, debian 6 kernel 2.6.32-5-686). By default, player is bridged and dhcp assings it ip 192.168.1.28 (host xp is 192.168.1.62), and default gateway is 192.168.1.2 So manually change ip address on server (eth0, no other cards) to 192.168.4.41 255.255.0.0, and set default gateway to be 192.168.1.101 (the HAProxy machine). On HAProxy I have done routing commands as Daniele did. And I still get 503. What have I done wrong? Is there any known issue if SERVER is in virtual machine? --- posted at http://www.serverphorums.com http://www.serverphorums.com/read.php?10,120994,707061#msg-707061
Re: keep alive on both client and server side and x-forwarded-for
Thnx Willy, understand now. I am afraid this not an option for my case. But generally, could this feature be added in the future? I think, from the usage point of view, that is reasonable request: I would like to know the client IP on my server, not the IP of the machine HAProxy is running on. BR, Saša --- posted at http://www.serverphorums.com http://www.serverphorums.com/read.php?10,703863,704477#msg-704477
Any haproxy + nginx (ngx_pagespeed) users ?
Curious anyone tried using haproxy to load balance Nginx backends which have Nginx Pagespeed ngx_pagespeed module enabled ? And are using CDN pull services ? Problem is a bit complex, so just linking to the full explanation at https://groups.google.com/d/topic/ngx-pagespeed-discuss/-pX4cRlcwas/discussion Summary of problem is 1. haproxy load balances over 4x VPS servers with Nginx backends for mydomain.com and each backend VPS has haproxy set cookie unique to each VPS, cookie name = vps1, vps2, vps3, vps4 2. each Nginx backend has sites using CDN pull service so that cdn.mydomain.com pulls source from mydomain.com 3. one of the VPS has ngx_pagespeed module installed https://github.com/pagespeed/ngx_pagespeed which allows optimisation of site elements i.e. minification and combining js/css links and rewriting the js/css urls. 4. now i have ngx_pagespeed to also rewrite mydomain.com/css and mydomain.com/js based urls to using cdn.mydomain.com/css and cdn.mydomain.js urls 5. problem is when a visitor visits mydomain.com and calls rewritten cdn.mydomain.com/css file, cdn.mydomain get's it's source file from mydomain.com which haproxy load balancer runs on and can give the visitor one of the other 3 VPSes with non-ngx_pagespeed rewritten urls = 404 not found. So essentially, the mydomain.com page call becomes mydomain.com/index tagged with vps4 cookie which is ngx_pagespeed nginx backend based cdn.mydomain.com/css/style.pagespeed.css tagged with vps1 cookie which isn't ngx_pagespeed based so style.css gets 404 not found error I think haproxy sees 2 user sessions here, the first being from actual user hitting mydomain.com and 2nd user it considers the cdn.mydomain.com calling mydomain.com original for the css file so it has a different cookie ? Not sure if there's anything setting wise in haproxy to solve this ? --- posted at http://www.serverphorums.com http://www.serverphorums.com/read.php?10,700728,700728#msg-700728
Re: HAproxy as a reverse+transparent proxy help (pfsense)
Hi, anksoWX. HAProxy now supports SSL termination as well. I cannot say anything about your topology, but the same can be achieved in a better way by installing HAProxy on pfSense inside a FreeBSD jail. You can check out the link below If you are strugging with pfSense packages for HAProxy. I have documented the whole thing here. Installing HAProxy on pfSense I am also running this setup on a pfSense VM. Thanks, Dinesh Sharma --- posted at http://www.serverphorums.com http://www.serverphorums.com/read.php?10,552462,698299#msg-698299
Balance Roundrobin vs Balance Source
Hi All, We have HAPROXY 1.4.22 running in our environment, one issue that I have encountered during testing concerns source IP address affinity, we are trying to achieve a form of Sticky Session persistence. I noticed that if we have the following configuration in place then we experience problems with web pages not loading: #- # NSD which proxys to the NSD Application Servers on port 8081 #- frontend http-nsd mode http bind *:8081 default_backend nsd #- # round robin balancing between the various backends #- backend nsd mode http balance roundrobin cookie SERVERID insert indirect nocache server server01 xxx.xxx.xxx.:8081 check cookie s1 server server02 xxx.xxx..xxx:8081 check cookie s2 If we then change the balance mode to source then the web page loads successfully. Is this the correct way to be achieving 'stickiness' or is there a better more elegant way of achieving this?. Many thanks Jon --- posted at http://www.serverphorums.com http://www.serverphorums.com/read.php?10,692792,692792#msg-692792
Re: Is this possible in HAPROXY 1.4
Thanks Lukas, much appreciated. I'll play around some more. --- posted at http://www.serverphorums.com http://www.serverphorums.com/read.php?10,690173,690397#msg-690397
Re: Is this possible in HAPROXY 1.4
Hi Lucas, Thanks for taking the time to respond. It might help explain further how the environment is set-up. The data flow goes: User -> Internet -> Cloud Firewall -> Cloud SLB -> DMZ Web Agent -> - HAPROXY -> Lifreray Application The SSL termination is done at the Cloud SLB end, the traffic is then sent onto the Web Agent and then onto HAPROXY and then out to the application. This mostly works fine, but for some of these functional elements,we get this problem, when we click on some of the sub menu's in the application it fails to load, and the analyzer shows that the user is trying to access the resource using http instead of https. There is no SSL termination performed by HAPROXY, as the traffic is being passed via our SLB Cloud. This is my current configuration: global log 127.0.0.1 local2 chroot /var/lib/haproxy pidfile /var/run/haproxy.pid maxconn 4000 userhaproxy group haproxy daemon stats socket /var/lib/haproxy/stats defaults modehttp log global option httplog option dontlognull option http-server-close option forwardfor except 127.0.0.0/8 option redispatch retries 3 timeout http-request10s timeout queue 1m timeout connect 10s timeout client 1m timeout server 1m timeout http-keep-alive 10s timeout check 10s maxconn 3000 frontend http-openfire bind *:7070 default_backend openfire backend openfire balance roundrobin server :7070 check server :7070 check frontend http-uapi bind *:7080 default_backend uapi backend uapi balance roundrobin server :7080 check server :7080 check frontend http-sec bind *:8080 default_backend sec backend sec balance roundrobin server :8080 check server :8080 check frontend http-wall bind *:9080 default_backend wall backend wall balance roundrobin server :9080 check server :9080 check frontend http-xmpp bind *:9090 default_backend xmpp backend xmpp balance roundrobin server :9090 check server :9090 check frontend http-aim bind *:10080 default_backend aim backend aim balance roundrobin server :10080 check server :10080 check frontend http-servicedesk bind *:8081 default_backend servicedesk backend servicedesk balance roundrobin server :8081 check server :8081 check listen stats :1936 mode http stats enable stats hide-version stats realm Haproxy\ Statistics stats uri / stats auth haproxy: The bit that I am trying to work out concerns the 'backend servicedesk' and how I can make HAPROXY take the http request from the application and turn it into a https request, does this mean I have to install something like STUNNEL and the certificate on the HAPROXY Server in order for it to be https?. What I tried was: frontend unsecured *:80 redirect location https:// - this is resolvable via a hosts file entry to the app1 server. frontend secured *:443 mode http default_backend httpsapp backend httpsapp mode http balance roundrobin server app1 :8081 check server app2 :8081 check But that doesnt seem to affect the outcome of the request. I'm probably being stupid and not understanding what I need to cater for. Thanks again. Jon --- posted at http://www.serverphorums.com http://www.serverphorums.com/read.php?10,690173,690196#msg-690196
Is this possible in HAPROXY 1.4
Hi All, We have been testing HAPROXY 1.4 on a Cloud environment for a forthcoming implementation, due to the constraints on the cloud providers SLB we decide to look at using something else. So I implemented HAPROXY, and everything seemed to be going smoothly, until we started doing some functional testing. The problems lies with the vendors application which uses Liferay, some of the URL's that the application have hard-coded the links as http, instead of https, so when we try the test the web page just hangs instead of re-directing to the correct page. In a browser trace we see that the request as: http:///servicedesk/controller?docommand=renderradform.., when it should be https:// I have played around with the haproxy configuration using 'redirect location https:// and redirect prefix https:// but without success. On speaking to the vendor, they are aware of this issue, and for their own implementations they have used a physical F5 NLB and re-directed all http traffic over to https. Am I able to do this in HAPROXY 1.4? Many thanks for your time. Best regards Jon --- posted at http://www.serverphorums.com http://www.serverphorums.com/read.php?10,690173,690173#msg-690173
Nike Air Max and Air Utmost twenty four-heptad string
Nike transformation, mainly from hip-hop on the inspiration on the nike air max shoes. Additionally, as a result of interest in the world wide web amid young adults, Nike begun to accept a different key phrase. Air flow Utmost evolved into accessible in the web based retailer as well as online store. Nike Air Max and Air Utmost twenty four-heptad string, Nike as well as Nike Airforce boasts a great privilege. Thus, you can even prize all of them. For everyone methods of Nike shoes, they need to perform with Nike, so, they could adjust to the attitude throughout athletics, additionally , on behalf of one's soul inside movement .. Air Max Penny's first signature shoe, Nike decline, Hardaway title. The shoes include the most successful sneakerheads. It shows a big gem of cyclones plus the only visible wraparound Max Air device. nike air max uk sale key ingredient, as they can be a serious method to obtain beer fermentation of sugar. New breweries use barley malt extract, syrup or powder-like, this fermentation is significantly faster. Usually can be a special single mobile body yeast, sugar also to discharge liquor and CO2, the two additional identification portion of beer. To find out a certain possibility, you only currently know the dimensions and new kitchen countertops, you will need to have what sort of installation, obviously, have a chance, you may not. If the actually is the case, you may be told to start shopping. Whether you appear for the kitchen countertop materials reside within the network maybe in the vicinity of just one on the enhanced retailer, is unquestionably a great possibility, you do encounter an easy collection of material, most of different designs and different types of .. wearing AIR MAX 2011 shoes, your feet will delight in great comfort, As a matter of fact, these shoes have won most people of all ages and praise. When i these positive comments and drive, and also try to try and buy a couple of Air Max shoes. I am happy with all the low price of those shoes, but superiority. http://www.nikeairmaxsaleukonline.co.uk/media/catalog/product/cache/1/small_image/175x/9df78eab33525d08d6e5fb8d27136e95/e/3/e30_2.jpg nike air max uk sale online infrared ostrich. Nike Air Max 90 Premium - infrared is among the favorite color of the oxygen Max 90 series. Airforce begun to love basketball to exhibit the character on the sport, has additionally become a fundamental portion of the sports culture. Release, AF125 25-year extension of the legendary performance and classic styling, only those Nike imaginative, designers can do this, they may not be only focused on maintaining AF1 soul, is associated with innovation. In 2007, Nike launched the brand new Air Force 1 series from the original style features refined, Nike has placed the Air Force within the 25th, AF1 new journey. http://www.nikeairmaxsaleukonline.co.uk --- posted at http://www.serverphorums.com http://www.serverphorums.com/read.php?10,666075,666075#msg-666075
Re: HAProxy 1.5 Dev12 SSL Segfault w/ssl_sni
Are you using the latest build (now 20121030)? I believe there was a known segfault issue in 20121021 that has since been fixed Regards, Andy --- posted at http://www.serverphorums.com http://www.serverphorums.com/read.php?10,594310,594344#msg-594344
Re: SSL protocol version determination
Hi Willy/Baptiste, Excellent, thanks for the rapid response - I'll give this a try. Best Regards, Andy --- posted at http://www.serverphorums.com http://www.serverphorums.com/read.php?10,593921,594245#msg-594245
SSL protocol version determination
Possibly a numpty question..but anyway.. Using 1.5dev12 (build 20121023) Is there any way I can config haproxy to pick up the SSL protocol version that has been negotiated between server and client. So that if say the best a client can negotiate is something lower than TLS1.0, then I can send them off to a page telling them to upgrade? Thanks in advance.. Best Regards, Andy --- posted at http://www.serverphorums.com http://www.serverphorums.com/read.php?10,593921,593921#msg-593921