[HAPPRIVACY #YXL-289-28996]: China FO bearing export

2023-09-06 Thread HAProxy Privacy
ash@fobearings,

Thank you for contacting us. This is an automated response confirming the 
receipt of your ticket. One of our agents will get back to you as soon as 
possible. For your records, the details of the ticket are listed below. When 
replying, please make sure that the ticket ID is kept in the subject line to 
ensure that your replies are tracked appropriately.

Ticket ID: YXL-289-28996
Subject: [EXTERNAL] China FO bearing export
Department: Privacy
Type: Issue

Kind regards,

HAProxy Technologies


[HAPPRIVACY #TKN-189-63462]: China FO bearing export

2023-09-06 Thread HAProxy Privacy
ash@fobearings,

Thank you for contacting us. This is an automated response confirming the 
receipt of your ticket. One of our agents will get back to you as soon as 
possible. For your records, the details of the ticket are listed below. When 
replying, please make sure that the ticket ID is kept in the subject line to 
ensure that your replies are tracked appropriately.

Ticket ID: TKN-189-63462
Subject: [EXTERNAL] China FO bearing export
Department: Privacy
Type: Issue

Kind regards,

HAProxy Technologies


[HAPPRIVACY #GGZ-731-71606]: The Biggest Promotion of Fly Trap / Tanhya

2023-06-30 Thread HAProxy Privacy
Alice,

Thank you for contacting us. This is an automated response confirming the 
receipt of your ticket. One of our agents will get back to you as soon as 
possible. For your records, the details of the ticket are listed below. When 
replying, please make sure that the ticket ID is kept in the subject line to 
ensure that your replies are tracked appropriately.

Ticket ID: GGZ-731-71606
Subject: [EXTERNAL] The Biggest Promotion of Fly Trap / Tanhya
Department: Privacy
Type: Issue

Kind regards,

HAProxy Technologies


[#ZJO-390-11908]: Content Collaboration with haproxy.com!

2022-11-22 Thread HAProxy Support
Ivana Miteva,

Thank you for contacting us. This is an automated response confirming the 
receipt of your ticket. One of our agents will get back to you as soon as 
possible. For your records, the details of the ticket are listed below. When 
replying, please make sure that the ticket ID is kept in the subject line to 
ensure that your replies are tracked appropriately.

Ticket ID: ZJO-390-11908
Subject: [EXTERNAL] Content Collaboration with haproxy.com!
Department: HAProxy Support
Type: Issue

Kind regards,

HAProxy Technologies


[RFC] [PATCH] BUG: http-ana: fix crash or wrong header deletion by http-restrict-req-hdr-names

2022-08-16 Thread haproxy
Hi,

as suggested by Willy on GitHub, I'm submitting my patch for
https://github.com/haproxy/haproxy/issues/1822.

This is my first contribution, so I'm tagging it as RFC for now ;)

I'm not entirely happy with using goto (suggested by Tim) to avoid
hitting htx_get_next_blk call at the end of the loop, but I'm not
familiar with HAProxy coding standards. I think it would be nicer to:

1. Introduce flag variable preserve_blk
2. Reset it to 1 at the beginning of the while (blk) loop
3. Replace htx_remove_blk + continue with preserve_blk = 0 + break
4. At the end of the loop, call htx_get_next_blk if preserve_blk is set
   or call htx_remove_blk otherwise

I have not included the severity of the patch, because on GitHub the issue is
still marked as `status: needs-triage`. I think MEDIUM would be
appropriate.

By the way, while writing VTest to cover this bug, I spotted something
"suspicious" about reg tests for FCGI backends - my-fcgi-app FCGI app is
defined, but it is not used anywhere? be-fcgi* backends look exactly
like be-http* to me.

Best regards
Mateusz Małek

From 17dcd8147fb7f48b3fcce5a7a51ff921f4f69848 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mateusz=20Ma=C5=82ek?= 
Date: Wed, 17 Aug 2022 00:57:10 +0200
Subject: [PATCH] BUG: http-ana: fix crash or wrong header deletion by
 http-restrict-req-hdr-names

When using `option http-restrict-req-hdr-names delete`, HAProxy may
crash or delete the wrong header after receiving a request containing multiple
forbidden characters in a single header name; the exact behavior depends on the
number of request headers, the number of forbidden characters and the position
of the header containing them.

This patch fixes GitHub issue #1822.

Must be backported as far as 2.2 (buggy feature got included in 2.2.25,
2.4.18 and 2.5.8).
---
 .../http-rules/restrict_req_hdr_names.vtc | 47 +++
 src/http_ana.c|  7 ++-
 2 files changed, 53 insertions(+), 1 deletion(-)

diff --git a/reg-tests/http-rules/restrict_req_hdr_names.vtc 
b/reg-tests/http-rules/restrict_req_hdr_names.vtc
index 071b9bded..eed90eab2 100644
--- a/reg-tests/http-rules/restrict_req_hdr_names.vtc
+++ b/reg-tests/http-rules/restrict_req_hdr_names.vtc
@@ -35,6 +35,26 @@ server s5 {
 txresp
 } -start

+server s6 {
+rxreq
+expect req.http.x_my_hdr_with_lots_of_underscores  == 
+txresp
+} -start
+
+server s7 {
+rxreq
+expect req.http.x_my_hdr-1  == 
+expect req.http.x-my-hdr-2  == on
+txresp
+} -start
+
+server s8 {
+rxreq
+expect req.http.x-my_hdr-1  == 
+expect req.http.x-my_hdr-2  == 
+txresp
+} -start
+
 haproxy h1 -conf {
 defaults
 mode http
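Review bot: the header-absence checks in s6, s7 and s8 are written as `expect req.http.x_my_hdr_with_lots_of_underscores  == ` with nothing after `==`, which leaves it ambiguous whether the header must be absent or merely empty (and an empty right-hand side may not parse at all); spell the intent out with VTest's `<undef>` marker, e.g. `expect req.http.x-my_hdr-1 == <undef>`, so the test fails if the header survives with any value.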
@@ -50,6 +70,9 @@ haproxy h1 -conf {
 use_backend be-fcgi1 if { path /req4 }
 use_backend be-fcgi2 if { path /req5 }
 use_backend be-fcgi3 if { path /req6 }
+use_backend be-http4 if { path /req7 }
+use_backend be-http5 if { path /req8 }
+use_backend be-http6 if { path /req9 }

 backend be-http1
 server s1 ${s1_addr}:${s1_port}
@@ -72,6 +95,18 @@ haproxy h1 -conf {
 backend be-fcgi3
 option http-restrict-req-hdr-names reject

+backend be-http4
+option http-restrict-req-hdr-names delete
+server s6 ${s6_addr}:${s6_port}
+
+backend be-http5
+option http-restrict-req-hdr-names delete
+server s7 ${s7_addr}:${s7_port}
+
+backend be-http6
+option http-restrict-req-hdr-names delete
+server s8 ${s8_addr}:${s8_port}
+
 defaults
 mode http
 timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
@@ -114,6 +149,18 @@ client c1 -connect ${h1_fe1_sock} {
 txreq -req GET -url /req6 -hdr "X-my_hdr: on"
 rxresp
 expect resp.status == 403
+
+txreq -req GET -url /req7 -hdr "X_my_hdr_with_lots_of_underscores: on"
+rxresp
+expect resp.status == 200
+
+txreq -req GET -url /req8 -hdr "X_my_hdr-1: on" -hdr "X-my-hdr-2: on"
+rxresp
+expect resp.status == 200
+
+txreq -req GET -url /req9 -hdr "X-my_hdr-1: on" -hdr "X-my_hdr-2: on"
+rxresp
+expect resp.status == 200
 } -run

 client c2 -connect ${h1_fe2_sock} {
diff --git a/src/http_ana.c b/src/http_ana.c
index 4b74dd60d..a2929cef5 100644
--- a/src/http_ana.c
+++ b/src/http_ana.c
@@ -2641,6 +2641,7 @@ static enum rule_result 
http_req_restrict_header_names(struct stream *s, struct

blk = htx_get_first_blk(htx);
while (blk) {
+   next_iteration:
enum htx_blk_type type = htx_get_blk_type(blk);

if (type == HTX_BLK_HDR) {
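Review bot: placing `next_iteration:` inside the loop body, immediately after `while (blk) {`, means a `goto next_iteration` re-enters the body without re-evaluating `while (blk)`; the very next statement, `htx_get_blk_type(blk)`, then relies on `htx_remove_blk()` never returning NULL for a removed header. That holds only because an EOH block always follows the headers, which deserves a comment at the label; the cleaner alternative is the preserve_blk flag described in the cover letter (break out of the character scan, then either advance or remove at the bottom of the loop), which keeps the loop condition as the single NULL check.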
@@ -2653,7 +2654,11 @@ static enum rule_result 
http_req_restrict_header_names(struct stream *s, struct
if (px->options2 & 
PR_O2_RSTRICT_REQ_HDR_NAMES_BLK)
goto block;
blk = htx_remove_blk(htx, blk);
-
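The preserve_blk variant sketched in the cover letter (steps 1 to 4), as an added example that is not HAProxy's code: the HTX chain is replaced by a toy singly linked list whose `chain_remove` mirrors `htx_remove_blk` by returning the following block, and the regtest's header names are used as constructed input.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Toy stand-in for HAProxy's HTX block chain: a singly linked list of
 * header-name blocks living in a fixed pool; blocks are unlinked, never freed. */
#define MAX_BLKS 8

struct blk {
	const char *name;
	struct blk *next;
};

struct chain {
	struct blk pool[MAX_BLKS];
	struct blk *first;
};

/* Build a chain from constructed header names, preserving their order. */
static void chain_init(struct chain *c, const char *const *names, size_t n)
{
	struct blk **tail = &c->first;

	c->first = NULL;
	for (size_t i = 0; i < n && i < MAX_BLKS; i++) {
		c->pool[i].name = names[i];
		c->pool[i].next = NULL;
		*tail = &c->pool[i];
		tail = &c->pool[i].next;
	}
}

/* Mirrors htx_remove_blk(): unlink blk and return the block that followed
 * it, or NULL when blk was the last one. */
static struct blk *chain_remove(struct chain *c, struct blk *blk)
{
	struct blk **pp = &c->first;

	while (*pp && *pp != blk)
		pp = &(*pp)->next;
	if (!*pp)
		return NULL;
	*pp = blk->next;
	return blk->next;
}

/* "delete" mode of http-restrict-req-hdr-names with the preserve_blk flag
 * instead of a goto: the inner scan stops at the first disallowed character
 * and the bottom of the loop either advances or removes, never both, so a
 * name with several bad characters costs exactly one removal and the loop
 * condition stays the only place that tests blk for NULL.
 * Returns the number of headers removed. */
static int restrict_hdr_names_delete(struct chain *c)
{
	struct blk *blk = c->first;
	int removed = 0;

	while (blk) {
		const char *n = blk->name;
		bool preserve_blk = true;             /* step 2: reset per block */

		for (size_t i = 0; n[i] != '\0'; i++) {
			if (!isalnum((unsigned char)n[i]) && n[i] != '-') {
				preserve_blk = false;         /* step 3: mark, stop scanning */
				break;
			}
		}

		if (preserve_blk) {                   /* step 4: advance ... */
			blk = blk->next;
		} else {                              /* ... or remove, which advances */
			blk = chain_remove(c, blk);
			removed++;
		}
	}
	return removed;
}

/* Inspection helpers. */
static int chain_len(const struct chain *c)
{
	int n = 0;

	for (const struct blk *b = c->first; b; b = b->next)
		n++;
	return n;
}

static bool chain_has(const struct chain *c, const char *name)
{
	for (const struct blk *b = c->first; b; b = b->next)
		if (strcmp(b->name, name) == 0)
			return true;
	return false;
}

/* Build a chain from constructed names and run delete mode on it. */
static int run_delete(struct chain *c, const char *const *names, size_t n)
{
	chain_init(c, names, n);
	return restrict_hdr_names_delete(c);
}
```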

haproxy for IIS

2021-07-13 Thread Haproxy
Dear there, this is Jun from China. I am trying to set up haproxy to load
balance IIS websites on 2 local servers. Load balancing one website was
achieved; however, I don't know how to load balance many websites from the 2
servers which have the same websites running on them. Could you guide me on this,
please? Thank you. condykou Email: condy...@msn.com (signature customized by NetEase Mail Master)

RE: Seeking Guidance: 2.1.0 Config Error

2019-11-29 Thread Coscend@HAProxy
Hello Aleks and Tim,

Thank you for your insightful guidance on the usage of http-request and 
http-response in our context.  

We are updating the config files—several of them--along the lines you have 
suggested.  We will test it and will push it into production shortly.

Thank you.

Sincerely,

Hemant K. Sabat
www.Coscend.com <http://www.coscend.com/>  
--
Real-time, Interactive Tele-healthcare, Tele-education, Telepresence Services, 
on the fly…
--
CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail Messages 
from Coscend Communications Solutions' posted at: 
http://www.Coscend.com/Anchor/Common/Terms_and_Conditions.html




-Original Message-
From: Tim Düsterhus [mailto:t...@bastelstu.be] 
Sent: Thursday, November 28, 2019 3:14 AM
To: Aleksandar Lazic ; Coscend@HAProxy 

Cc: haproxy@formilux.org
Subject: Re: Seeking Guidance: 2.1.0 Config Error

Aleks,

Am 27.11.19 um 22:36 schrieb Aleksandar Lazic:
> This should be replace-uri 
> http://cbonte.github.io/haproxy-dconv/2.1/configuration.html#4.2-http-
> request%20replace-uri
> 
> I would try this.
> http-request replace-uri /CoscendP/*([^\ ]*)\ (.*)$ /\2\ \3
> 
> 
>> http-response replace-header ^(Location:)\ (https?://([^/]*))/(.*)$ 
>> Location:\ /CoscendP/\3
> 
> I would use this as the header name isn't a regex.
> 
> http-response replace-header Location (https?://([^/]*))/(.*)$ 
> Location:\ /CoscendP/\3
> 
> http://cbonte.github.io/haproxy-dconv/2.1/configuration.html#4.2-http-
> request%20replace-header
> 

FYI: You made the same mistake I made. You forgot to adjust the numbers of the 
capturing groups in the replacement after removing the first one from the regex.

Best regards
Tim Düsterhus


Seeking Guidance: 2.1.0 Config Error

2019-11-27 Thread Coscend@HAProxy
Dear HAProxy Community,

We are upgrading from 2.0.9 to 2.1.0.  Accordingly, we have to replace:

- reqirep with http-request and
- rspirep with http-response.

We are getting the following two errors.

Error 1:  'http-request replace-header' expects exactly 3 arguments.

Error 2:  'http-response replace-header' expects exactly 3 arguments.

We would appreciate any insight into what we are missing in our config lines
below:

2.0.9 config line that worked:

reqirep ^([^\ ]*)\ /CoscendP/*([^\ ]*)\ (.*)$   \1\ /\2\ \3

rspirep ^(Location:)\ (https?://([^/]*))/(.*)$   Location:\ /CoscendP/\3

Corresponding 2.1.0 config line that gives errors:

http-request replace-header ^([^\ ]*)\ /CoscendP/*([^\ ]*)\ (.*)$   \1\ /\2\ \3

http-response replace-header ^(Location:)\ (https?://([^/]*))/(.*)$   Location:\ /CoscendP/\3

Thank you.

Sincerely,

Hemant K. Sabat
www.Coscend.com <http://www.coscend.com/>



[SPAM] I hacked your device haproxy@formilux.org and you have a problem now...

2019-06-06 Thread Твой кошмар - Haproxy
Hi.

I think you will not be happy, because I have a very bad news for you.

Just a few months ago (05/03/2019) I hacked your operating system and I have
full control of your device.
I implanted a small application into your device which sends me your current
IP address and allows me to connect to your device just like remote desktop.
Even if you change your password, it won’t help.

How I infected you?
The router that you used to connect to Internet had a security hole.
You can read about this problem by searching for CVE-2018-10562.
I hacked your router and I put my code into it, and when you tried to
connect to Internet, my program infected your device.

Later I made a full copy of your hard drive (I have all your email contact
lists, list of websites you visited, phone numbers, your passwords etc.)


A little while later, when I was searching your web browsing history I was
shocked by what I saw!!
The sites for adults you are visiting... you know what I mean...

I just want to say - your fantasies are shifted far away from the normal
course!...

For the last 2 months I have been spying on you through your device camera..
especially when you visited those sites to have fun...
Those videos show clearly you having fun and the content for adults you were
watching.. this is pretty nasty and I would be very worried if I were you.

I have secured 4 videos:
Haproxy_formilux_org_1557230338.mp4 (81.5 MB)
Haproxy_formilux_org_1559145381.mp4 (73.1 MB)
Haproxy_formilux_org_1559641435.mp4 (82.7 MB)
Haproxy_formilux_org_1555478022.mp4 (73.5 MB)

You can verify that the timestamps correspond to the moments you were
enjoying yourself...

Now, because I do not like at all what I saw (that’s pretty crazy and
ugly) I ask you to send me a donation through Bitcoin network.

2000 US dollars is a fair price (considering your perversions).

If you want me to forget about the whole case, remove the files and disable
the nasty app that is spying you, send me the Bitcoin payment within 72
hours. Yes, I give you 72 hours only.

Here is my wallet:

===
Send exactly 0.294568 BTC to my address:

35gbfJ6DZhqmSiMn641SkVQ9SukHwopNZF

(copy it and paste - it’s case sensitive)
===
0.294568 BTC = 2000 dollars

If you do not send me the Bitcoin, I promise you - I will send those 4 files
with you enjoying yourself to all your contact lists, associates and social
network friends.

I still have access to your device and I know when you read this message.
When you opened it, time started ticking. You have 72 hours only!

I am from Russia and nobody will help you if you report this email.. Before
they find me your life will be ruined! If you do not cooperate with me - I
will release this ugly material immediately.

This is why I advise you - send me the Bitcoin and let’s forget about the
whole situation. I know you can afford it.

If you do not know how to send bitcoin, go to google and search how to do
it. There are plenty of options like coinbase.

Here is my address again:

===
Send exactly:

0.294568 BTC

to my address:

35gbfJ6DZhqmSiMn641SkVQ9SukHwopNZF

===

Remember to send the exact amount as above! This way I will know it’s from
you.

Do not be angry at me. This is just my job, and you are not the only person
I caught.

Be angry at your fantasies - if you didn’t visit those sites for adults
you would have no problem.. but now...

I am waiting for your bitcoin.

Remember, time is ticking..

--
anonymous

We are anonymous. We are legion.
We do not forgive. We do not forget.
Expect us.




[SPAM] IMPORTANT! You have been recorded masturbating! I have Haproxy.mp4!

2019-03-08 Thread haproxy@formilux.org HACKED
ATTN: haproxy@formilux.org

Hi there,

The last time you visited a porn website with teens,
you downloaded and installed the software I developed.

My program has turned on your camera and recorded
the process of your masturbation.

My software has also grabbed all your email contact lists
and a list of your friends on Facebook.

I have the - Haproxy.mp4 - with you jerking off to teens
as well as a file with all your contacts on my computer.

You are very perverted!

If you want me to delete both the files and keep the secret,
you must send me Bitcoin payment. I give you 72 hours for the payment.

If you don't know how to pay with Bitcoin, visit Google and search.

Send 2.000 USD to this Bitcoin address as soon as possible:

38LauvHpuCuXj2NYcTPwgW1GdzofdV1hY2
(copy and paste)

1 BTC = 3,850 USD right now, so send exactly 0.528460 BTC
to the address provided above.


Do not try to cheat me!
As soon as you open this Email I will know you opened it.
I am tracking all actions on your device.

This Bitcoin address is linked to you only,
so I will know when you send the correct amount.
When you pay in full, I will remove both files and deactivate my program.

If you don't send the payment, I will send your masturbation video
to ALL YOUR FRIENDS AND ASSOCIATES from your contact lists I hacked.

Here are the payment details again:

Send 0.528460 BTC to this Bitcoin address:


38LauvHpuCuXj2NYcTPwgW1GdzofdV1hY2



You can visit police but nobody can help you. I know what I am doing.
I don't live in your country and I know how to stay anonymous.

Don't try to deceive me - I will know it immediately - my spy software is
recording all the websites you visit and all keys you press.
If you do - I will send this ugly recording to everyone you know,
including your family.

Don't cheat me! Don't forget the shame and if you ignore this message your
life will be ruined.

I am waiting for your Bitcoin payment.
You have 72 hours left.

Anonymous Hacker




Re: ACL, map: restrict access for dynamic hostname to some specific IPs

2019-03-01 Thread gdelafond+haproxy
> On 9 Jan 2019, at 11:06, gdelafond+hapr...@aquaray.com wrote:
> 
> Hello,
> 
> I try to understand how to use the -M ACL flag.
> 
> From the documentation :
> 
> The "-M" flag allows an ACL to use a map file. If this flag is set, the file is
> parsed as two column file. The first column contains the patterns used by the
> ACL, and the second column contain the samples. The sample can be used later by
> a map. This can be useful in some rare cases where an ACL would just be used to
> check for the existence of a pattern in a map before a mapping is applied.
> 
> How can we use "samples" in a map ?
> 
> Could you provide an example ?
> 
> What I'm looking for is a way find all IPs allowed for a hostname and then
> filter by these IPs from a map file, ie be able to do something like:
> use_backend %[req.fhdr(host),lower,map(/etc/haproxy/domains.map,default_backend)] if { src -m ip %[req.fhdr(host),lower,map(/etc/haproxy/iprules.map)] }
> with /etc/haproxy/iprules.map containing :
> hostname1 ip1
> hostname1 ip2
> hostname2 ip1
> hostname2 ip3
> hostname2 ip4
> ..
> 
> Did I miss something obvious ?

Can anyone help me with this ? 

Thank you.

Regards,
-- 
Guillaume




ACL, map: restrict access for dynamic hostname to some specific IPs

2019-01-09 Thread gdelafond+haproxy
Hello,

I try to understand how to use the -M ACL flag.

From the documentation : 

The "-M" flag allows an ACL to use a map file. If this flag is set, the file is
parsed as two column file. The first column contains the patterns used by the
ACL, and the second column contain the samples. The sample can be used later by
a map. This can be useful in some rare cases where an ACL would just be used to
check for the existence of a pattern in a map before a mapping is applied.

How can we use "samples" in a map ?

Could you provide an example ?

What I'm looking for is a way find all IPs allowed for a hostname and then
filter by these IPs from a map file, ie be able to do something like:
use_backend %[req.fhdr(host),lower,map(/etc/haproxy/domains.map,default_backend)] if { src -m ip %[req.fhdr(host),lower,map(/etc/haproxy/iprules.map)] }
with /etc/haproxy/iprules.map containing :
hostname1 ip1
hostname1 ip2
hostname2 ip1
hostname2 ip3
hostname2 ip4
..

Did I miss something obvious ?

Thank you.

Regards,
-- 
Guillaume




Re: Issue with TCP splicing

2018-08-24 Thread haproxy

private keys


The private key definitely needs to be revoked.
I attached the key to show how easy it is to extract from a coredump.
You can download the certificate from https://crt.sh/?d=511527676 and verify the
signature of message.txt using

openssl smime -verify -in message.txt.p7s -content message.txt -inform PEM -noverify 511527676.crt


The certificate is compromised.


RE: Does HAProxy 1.8.0 need new param vs 1.7.9

2017-11-28 Thread Coscend@HAProxy
Dear Willy,

Thank you for your prompt guidance.  Result of your insights:  SUCCESS in
loading stats and other pages in both the use cases listed below:

1).  Removed mailers section in 1.8.0.

2).  Compiled 1.8-commit 8f42b19 ("BUG/MEDIUM: tcp-check: Don't lock the
server in tcpcheck_main")

Hope the verification helps other users and companies that contribute to the
betterment of our economy and society.

Just to expand our understanding for the future, did you nail the issue from
the multi-character process state "Rs", i.e., "runnable on queue" / "is a session
leader"?

Hats off to you for starting this project.  HAProxy has empowered us to
contribute.  Should you like to see the impact of HAProxy's indirect
contribution to common global denizens, please take a look at what HAProxy
enables in remote disadvantaged areas:
http://www.coscend.com/Anchor/SSF_Tour/RMCC_Tour/Overview/CoscendCC_Telemedicine_anchor.html

Dear Christopher,

Thank you for this timely commit 8f42b19 ("BUG/MEDIUM: tcp-check: Don't lock
the server in tcpcheck_main").

Sincerely,

Hemant K. Sabat
Coscend Communications Solutions
www.Coscend.com <http://www.coscend.com/>

-Original Message-
From: Willy Tarreau [mailto:w...@1wt.eu]
Sent: Tuesday, November 28, 2017 12:25 PM
To: Coscend@HAProxy <haproxy.insig...@coscend.com>
Cc: haproxy@formilux.org
Subject: Re: Does HAProxy 1.8.0 need new param vs 1.7.9

Hi Hemant,

On Tue, Nov 28, 2017 at 12:15:32PM -0600, Coscend@HAProxy wrote:
> Thank you for giving time after a large 1.8.0 release to provide us
> vectors on testing HAProxy work mode.  This community's intensity and
> laser focus are a standout.  Below is all the information you asked us
> to look at.  By any chance, was there any critical change between
> 1.8-dev3 and 1.8-rc series/1.8.0?

Sure, a lot! Too many to enumerate in fact.

> New checks: Loads stats page and accesses all backends
> 
> SUCCESS:  1.8-dev0/dev1/dev2/dev3
> FAILS:  1.8-rc1/rc2rc3/rc4 and 1.8.0
> 
> Browser message:
> 
> This site can't be reached
> 
> coscend.com took too long to respond.

Ah OK so it's not a "connection refused" as I thought it was, but the fact
that it apparently hangs. That's a different case. I suspect the process
quickly goes up in a loop at 100% CPU due to a bug. There has been a locking
bug on the mailers section causing this, would you happen to have one such
setting in your config ?

> (1)   check if the process is still present (ps aux)
> 
> root      2801  0.0  0.1  74928 11560 ?  S    11:28   0:00
> /usr/local/sbin/haproxy -Ws -V -C /usr/local/haproxy-1.8.0/conf -f
> /usr/local/haproxy-1.8.0/conf -f  -D -p
> /var/run/haproxy.pid
> 
> haproxy   2802 99.5  0.1  75620 12408 ?  Rs   11:28  10:50
                                             ^

Bingo, spinning process!

Thanks for all the elements. If you're having a "mailers" section, then the
next nightly snapshot will contain the fix, or you can pick it yourself, it's
commit 8f42b19 ("BUG/MEDIUM: tcp-check: Don't lock the server in
tcpcheck_main").

If you don't have such a section, that's embarrassing, it means there is
another locking bug. In this case I'll ask you for more info off-list.

Regards,
Willy
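The check Willy made by eye on the `ps aux` listing, as an added example (not code from the thread or from HAProxy): a worker in state R pinned near 100% CPU while serving nothing is the spinning-process signature, and the master looking healthy is why "is the process present?" alone missed it. The sample listing is constructed after the one in the thread; the CPU threshold is an assumption.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* One row of `ps aux` (USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND),
 * keeping only the columns the check needs. */
struct ps_row {
	char user[32];
	int pid;
	double cpu;
	char stat[16];
	char cmd[256];
};

/* Parse one `ps aux` line. Returns false for the header and malformed rows. */
static bool parse_ps_line(const char *line, struct ps_row *r)
{
	char mem[16], vsz[16], rss[16], tty[16], start[16], cputime[16];
	int consumed = 0;

	if (sscanf(line, "%31s %d %lf %15s %15s %15s %15s %15s %15s %15s %n",
		   r->user, &r->pid, &r->cpu, mem, vsz, rss, tty, r->stat,
		   start, cputime, &consumed) != 10)
		return false;
	/* Whatever follows the TIME column is the command line. */
	snprintf(r->cmd, sizeof(r->cmd), "%s", line + consumed);
	return true;
}

/* Runnable ('R' leads the STAT column, as in "Rs"), CPU at or above the
 * threshold, and an haproxy command line: the spinning-worker signature. */
static bool is_spinning(const struct ps_row *r, double cpu_threshold)
{
	return r->stat[0] == 'R' && r->cpu >= cpu_threshold
	       && strstr(r->cmd, "haproxy") != NULL;
}

/* Scan a block of ps output. Returns the number of spinning haproxy
 * processes and stores the first offending PID in *pid (0 if none). */
static int find_spinning(const char *ps_output, double cpu_threshold, int *pid)
{
	char buf[4096];
	int hits = 0;

	*pid = 0;
	snprintf(buf, sizeof(buf), "%s", ps_output);
	for (char *line = strtok(buf, "\n"); line; line = strtok(NULL, "\n")) {
		struct ps_row r;

		if (!parse_ps_line(line, &r) || !is_spinning(&r, cpu_threshold))
			continue;
		if (!*pid)
			*pid = r.pid;
		hits++;
	}
	return hits;
}

/* Constructed sample modelled on the thread's listing: master 2801 asleep,
 * worker 2802 at 99.5% CPU in state Rs, and the grep that found them. */
static const char SAMPLE_PS[] =
	"USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND\n"
	"root      2801  0.0  0.1  74928 11560 ?        S    11:28   0:00 "
	"/usr/local/sbin/haproxy -Ws -V -D -p /var/run/haproxy.pid\n"
	"haproxy   2802 99.5  0.1  75620 12408 ?        Rs   11:28  10:50 "
	"/usr/local/sbin/haproxy -Ws -V -D -p /var/run/haproxy.pid\n"
	"root      3132  0.0  0.0 112644   964 tty1     S+   11:39   0:00 "
	"grep --color=auto haproxy\n";

int main(void)
{
	int pid;
	int n = find_spinning(SAMPLE_PS, 90.0, &pid);   /* 90% is an assumed threshold */

	printf("%d spinning haproxy process(es); first PID %d\n", n, pid);
	return n ? 1 : 0;
}
```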


RE: Does HAProxy 1.8.0 need new param vs 1.7.9

2017-11-28 Thread Coscend@HAProxy
Hello Willy,

Thank you for giving time after a large 1.8.0 release to provide us vectors
on testing HAProxy work mode.  This community's intensity and laser focus
are a standout.  Below is all the information you asked us to look at.  By
any chance, was there any critical change between 1.8-dev3 and 1.8-rc
series/1.8.0?

New checks: Loads stats page and accesses all backends

SUCCESS:  1.8-dev0/dev1/dev2/dev3

FAILS:  1.8-rc1/rc2rc3/rc4 and 1.8.0
Browser message:
This site can't be reached
coscend.com took too long to respond.

SUCCESS:  1.7.9

Below are captured:

1. 1.8.0 process and port checks
2. 1.8.0 binary location ascertained
3. Systemd's logs related to HAProxy startup.
4. listen stats config (just to see, if anything conflicts with 1.8.0)

=== LOGS ===

We are logging in as root.

(1)   check if the process is still present (ps aux)

root      2801  0.0  0.1  74928 11560 ?    S    11:28   0:00 /usr/local/sbin/haproxy -Ws -V -C /usr/local/haproxy-1.8.0/conf -f /usr/local/haproxy-1.8.0/conf -f  -D -p /var/run/haproxy.pid
haproxy   2802 99.5  0.1  75620 12408 ?    Rs   11:28  10:50 /usr/local/sbin/haproxy -Ws -V -C /usr/local/haproxy-1.8.0/conf -f /usr/local/haproxy-1.8.0/conf -f  -D -p /var/run/haproxy.pid
root      3132  0.0  0.0 112644   964 tty1 S+   11:39   0:00 grep --color=auto haproxy

are the ports properly listening (netstat -ltnp)

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address   State    PID/Program name
tcp        0      0 :10681            0.0.0.0:*         LISTEN   2802/haproxy
tcp        0      0 0.0.0.0:80        0.0.0.0:*         LISTEN   2802/haproxy
tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN   1319/sshd
tcp        0      0 127.0.0.1:25      0.0.0.0:*         LISTEN   2141/master
tcp        0      0 0.0.0.0:443       0.0.0.0:*         LISTEN   2802/haproxy
tcp6       0      0 :::22             :::*              LISTEN   1319/sshd
tcp6       0      0 ::1:25            :::*              LISTEN   2141/master

(2)   are you certain that the binary in this absolute path is the one you
expect ?

We are using symlink for HAProxy binaries.

drwxr-xr-x.  2 root root 4096 Nov 28 11:37 .
drwxr-xr-x. 24 root root 4096 Nov 27 23:20 ..
lrwxrwxrwx.  1 root root   36 Nov 27 09:52 haproxy -> /usr/local/haproxy-1.8.0/bin/haproxy
lrwxrwxrwx.  1 root root   36 Nov 27 00:06 haproxy-1.7.9 -> /usr/local/haproxy-1.7.9/bin/haproxy

(3)   Do you have anything in systemd's logs related to the startup ?

Nov 28 11:28:57 localhost systemd: [/etc/systemd/system/haproxy.service:40] Unknown lvalue 'ExecCheck' in section 'Service'
Nov 28 11:28:57 localhost systemd: [/etc/systemd/system/haproxy.service.d/haproxy.service.conf:1] Assignment outside of section. Ignoring.
Nov 28 11:28:57 localhost systemd: [/etc/systemd/system/haproxy.service.d/haproxy.service.conf:2] Assignment outside of section. Ignoring.
...similar 9 lines
Nov 28 11:28:57 localhost systemd: Starting HAProxy Load Balancer...
Nov 28 11:28:57 localhost haproxy: Available polling systems :
Nov 28 11:28:57 localhost haproxy: epoll : pref=300,  test result OK
Nov 28 11:28:57 localhost haproxy: poll : pref=200,  test result OK
Nov 28 11:28:57 localhost haproxy: select : pref=150,  test result FAILED
Nov 28 11:28:57 localhost haproxy: Total: 3 (2 usable), will use epoll.
Nov 28 11:28:57 localhost haproxy: Available filters :
Nov 28 11:28:57 localhost haproxy: [SPOE] spoe
Nov 28 11:28:57 localhost haproxy: [COMP] compression
Nov 28 11:28:57 localhost haproxy: [TRACE] trace
Nov 28 11:28:57 localhost haproxy: [info] 331/112857 (2799) : [acme] http-01 plugin v0.1.1
Nov 28 11:28:57 localhost haproxy: Using epoll() as the polling mechanism.
Nov 28 11:28:57 localhost haproxy: Using epoll() as the polling mechanism.
Nov 28 11:28:57 localhost systemd: Started HAProxy Load Balancer.

(4)   Stats configuration

userlist admin_users
  group admin_group users admin
  user admin password $6$bxgj6QAG/MkcB8i.$TD0V/lZp4K8F/

listen HAProxy-stats
    bind :10681 name https_stats ssl crt "PATH_TO_CRT_FILE/FILENAME"
    mode http
    timeout queue 10s
    timeout client 5ms
    timeout server 5ms
    timeout connect 5000ms
    timeout http-keep-alive 10s
    timeout http-request 5s
    timeout check 10s
    stats enable
    acl auth_readonly http_auth(admin_users)
    acl auth_admin http_auth_group(admin_users) admin_group
    stats http-request auth realm HAProxy.stats unless auth_readonly
    stats admin if auth_admin
    stats hide-version
    stats show-node
    s

RE: Does HAProxy 1.8.0 need new param vs 1.7.9

2017-11-27 Thread Coscend@HAProxy
Further, we have added the following new parameters in the configuration
before testing 1.8.0 [{I} -Baptiste Assman's article].  Still the pages /
applications are not accessible via 1.8.0.  What obvious thing could we be
missing with 1.8.0 installation/configuration vs. 1.7.9?  Your vectors to
help find a solution would be appreciated.

 

(i)Used systemd: ExecStart -Ws.

OR

global

master-worker

 

(ii)  frontend webapps-frontend

   bind  *:443 name https ssl crt
"$PATH_TO_&_NAME_OF_SSL_CRT_PATH_FILE" alpn h2,http/1.1

 

The OS is CentOS 7.1 and has systemd and system-devel.

 

[I] https://www.haproxy.com/blog/whats-new-haproxy-1-8/

 

Thank you.

 

Sincerely,

 

Hemant K. Sabat

 

Coscend Communications Solutions

 <http://www.coscend.com/> www.Coscend.com 

--

Real-time, Interactive Video Collaboration, Tele-healthcare, Tele-education,
Telepresence Services, on the fly.

--

CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail
Messages from Coscend Communications Solutions' posted at:
http://www.Coscend.com/Anchor/Common/Terms_and_Conditions.html

 

 

From: Coscend@Coscend [mailto:haproxy.insig...@coscend.com] 
Sent: Monday, November 27, 2017 12:11 PM
To: haproxy@formilux.org
Subject: Does HAProxy 1.8.0 need new param vs 1.7.9

 

Dear HAProxy community,

 

We have been successfully loading Stats page and other applications via
HAProxy 1.7.9.  We successfully compiled, installed and ran 1.8.0 as a
systemd service.  However, with 1.8.0, we are unable to access the same
stats page or any other application.  We are using the same set of multiple
HAProxy configuration files for both 1.8.0 and 1.7.9.  Ports on firewalls
are open and policies are enabled, as verified by a working v. 1.7.9.

 

No log is being captured by HAProxy during access to these pages /
applications.  Router log gives HAProxy is resetting the request.  The Web
page on browser states "the connection was reset."  

 

Would you be kind enough to provide any vectors on what new configuration
parameter we should add / modify for 1.8.0 (different from 1.7.9)?  

 

Below is haproxy -vv.  Command to start HAProxy:

CONFIG=

ExecStart=/usr/local/sbin/haproxy -Ws -V -C $CONFIG -f $CONFIG -f $ -f $ -D -p $PIDFILE
ExecReload=/usr/local/sbin/haproxy -C $CONFIG -f $CONFIG -f $BACKENDS_DEFAULT -f $BACKENDS_SECURITY -f $BACKENDS_COSCENDCC -f $BACKENDS_PRODUCTS -c -q
ExecReload=/bin/kill -USR2 $MAINPID
KillMode=mixed
Restart=always
Type=forking
WantedBy=multi-user.target

 

Thank you.



HA-Proxy version 1.8.0 2017/11/26
Copyright 2000-2017 Willy Tarreau <wi...@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU     = native
  CC      = gcc
  CFLAGS  = -m64 -march=x86-64 -O2 -march=native -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label
  OPTIONS = USE_LIBCRYPT=1 USE_CRYPT_H=1 USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_SYSTEMD=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_TFO=1 USE_NS=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.0.2k  26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k  26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.1
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : yes
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
  [SPOE] spoe
  [COMP] compression
  [TRACE] trace

 

Sincerely,

 

Hemant K. Sabat

 

Coscend Communications Solutions

www.Coscend.com

--

Real-time, Interactive Video Collaboration, Tele-healthcare, Tele-education,
Telepresence Services, on the fly.

--

CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail
Messages from Coscend Communicati

RE: HAProxy 1.7.9 Not Capturing Application Session Cookie

2017-11-27 Thread Coscend@HAProxy
Hello Moemen,



Thank you and very thoughtful of you to educate us on how HAProxy handles
Websockets and logs cookies.  Guidance such as these have helped us grow
from a rank startup to offer SLA-based healthcare services to disadvantaged
remote areas (where there are no hospitals/clinics) through our Web-based
products.  These patients indirectly benefit from your guidance, besides us
who benefit directly.





Without the cookie in the request of the login page, our users are unable to
login into the product.  Going by your guidance, it would be advisable to
insert the JSESSIONID received in server response back into the client
request.  This will help our product server authenticate users to login.
Are we on the right path?

https://www.haproxy.com/documentation/aloha/8-5/haproxy/traffic-capture/ ->
Insert a cookie if none presented by the client



If we need to course correct, please advise alternatives.



As advised, we are using for Websockets:

backend subdomain_cc
    timeout tunnel 3600s




Thank you.



Sincerely,



Hemant K. Sabat



Coscend Communications Solutions

www.Coscend.com

--

Real-time, Interactive Video Collaboration, Tele-healthcare, Tele-education,
Telepresence Services, on the fly…

--

CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail
Messages from Coscend Communications Solutions' posted at:
http://www.Coscend.com/Anchor/Common/Terms_and_Conditions.html







From: Moemen MHEDHBI [mailto:mmhed...@haproxy.com]
Sent: Monday, November 27, 2017 1:15 PM
To: haproxy@formilux.org
Subject: Re: HAProxy 1.7.9 Not Capturing Application Session Cookie



Hi Hemant,

When using websocket, HAProxy will switch to tunnel mode whenever it detects
the Connection: Upgrade header.

Tunnel mode means that only the first request and response are processed and
logged and everything else will be forwarded with no analysis, I think this
is what happens with your 3.3.2 version. Normally you will only be able to
see the cookie in the log if it is present in the request initiating the
websocket connection.

On the other hand, with your 3.3.0 version, HAProxy works in the default
keep-alive mode where every request is processed and logged.

++



On 24/11/2017 23:30, Coscend@Coscend wrote:

Hello Moemen,



Thank you for your encouraging insights.  Below is the information you
asked.



>>Also you mentioned  the application extensively uses Websockets. Is it
only 3.3.2 using websockets ? if that is the case this may be a good lead
since HAProxy does not handle websockets traffic in the same way as it does
for normal http traffic.



Yes, only v. 3.3.2 uses Websockets.  (v. 3.3.0 did not use Websockets and
access via HAProxy was seamless.)



Could you please educate us on what configuration changes we need to do for
Websockets traffic (vs. HTTP traffic)?



>>In your first post you said that it is working for 3.3.0 but not 3.3.2,
then maybe this is an application issue. Are you sure 3.3.2 does sent the
JSESSIONID.



Yes.  Please see below JSESSIONID in the login page URL loaded, HAProxy logs
and product log.  Is there any other way to verify whether the v. 3.3.2 is
publishing JSESSIONID?



Through HAProxy, login page URL loads with a JSESSIONID:
https://coscend.com/CoscendCC.Test/signin;jsessionid=E916C54BB7A9EA30E3EC9021AEF4CB79



HAProxy log has the same JSESSIONID – ONLY in the first two lines -- in
server response:

Nov 23 01:29:59 localhost haproxy[6585]: 192.168.100.152:60014 [23/Nov/2017:01:29:59.588] webapps-frontend~ subdomain_cc/CoscendCC.Test 0/0/0/10/10 302 343 - JSESSIONID=E916C54BB7A9EA30E3EC9021AEF4CB79 1/1/0/0/0 0/0 {|coscend.com||} {||0|no-cache||./signin;jsessionid=no-cache|} "GET /CoscendCC.Test/ HTTP/1.1"
Nov 23 01:29:59 localhost haproxy[6585]: 192.168.100.152:60014 [23/Nov/2017:01:29:59.588] webapps-frontend~ subdomain_cc/CoscendCC.Test 0/0/0/10/10 302 343 - JSESSIONID=E916C54BB7A9EA30E3EC9021AEF4CB79 1/1/0/0/0 0/0 {|coscend.com||} {||0|no-cache||./signin;jsessionid=no-cache|} "GET /CoscendCC.Test/ HTTP/1.1"



Product log:  DEBUG 11-24 15:10:26.951 1341302 145 MainPage [105-6083-exec-6] - WebSocketBehavior::onConnect [uid: ded43405-f081-4a04-be0c-b92dd510a94a, session: 6015021798DAE92F2F989D8ED5E0B9DE, key: org.apache.wicket.protocol.ws.api.registry.PageIdKey@0]





We have also tried the following new configuration, but HAProxy still does
not capture request cookie or response cookie after first two lines.  Thank
you.



HAProxy.cfg

--

frontend webapps-frontend

bind

RE: Seeking Assistance: HTTP Headers Conf. to Access Web Product

2017-07-19 Thread Coscend@HAProxy
Attached is the correct HAProxy log output.

 

The attachment in the previous post was from an unrelated context.
Apologies.  Thank you for your assistance.

 

From: Coscend@HAProxy [mailto:haproxy.insig...@coscend.com] 
Sent: Wednesday, July 19, 2017 2:16 AM
To: haproxy@formilux.org
Subject: Seeking Assistance: HTTP Headers Conf. to Access Web Product

 


Seeking Assistance: HTTP Headers Conf. to Access Web Product

2017-07-19 Thread Coscend@HAProxy
Hello HAProxy Community,

 

We are seeking your assistance with the following issue we are facing with
HAProxy being used as a reverse proxy server.  Your vectors could help us
learn and identify the cause of our issue and solve it.  Thank you.

 

ISSUE

=

We are able to successfully access and run our Web application from
INTERNALLY, bypassing HAProxy, using  URL.  

But, through HAProxy 1.7.8, only the login page of this Web application
loads.  Upon clicking on login button, nothing happens and we are unable to
go past it.  

 

Below inline are the:

[1] HTTP header analysis from browser inspection tool, for both successful
application run (withOUT HAProxy) and failed run with HAProxy.  

Diffs: Set-Cookie header (JSESSIONID), Transfer-Encoding, Accept-encoding,
expires, p::submit

[2] HAProxy conf. with relevant frontend and backend. - we are using
modular, multiple files.

[3] HAProxy log (ATTACHED).

 

 

[1] Browser inspection output:  HTTP Headers

==

Successful running:  bypassing HAProxy (internally)

-

Request URL:http://<IP:Port>/Product.Name/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage?2-1.0-signin-signin-submit

Request Method:POST

Status Code:200 

Remote Address:

Referrer Policy:no-referrer-when-downgrade

Response Headers

view source

Ajax-Location:.

Cache-Control:no-cache, no-store

Content-Security-Policy:default-src 'self'; style-src 'self'
'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval';

Content-Type:text/xml;charset=UTF-8

Date:Mon, 17 Jul 2017 19:36:24 GMT

Expires:Thu, 01 Jan 1970 00:00:00 GMT

Pragma:no-cache

Set-Cookie:JSESSIONID=07E88B37E0F1F42D0BBD319FDC79DBD0;path=/;
HttpOnly

Strict-Transport-Security:max-age=31536000; includeSubDomains; preload

Transfer-Encoding:chunked

X-Content-Type-Options:nosniff

X-Frame-Options:SAMEORIGIN

X-XSS-Protection:1; mode=block

Request Headers

view source

Accept:application/xml, text/xml, */*; q=0.01

Accept-Encoding:gzip, deflate

Accept-Language:en-US,en;q=0.8

Connection:keep-alive

Content-Length:61

Content-Type:application/x-www-form-urlencoded; charset=UTF-8

Cookie:JSESSIONID=CD59ACAA3BCFE3F4C8A3AEBE77C52BC6

DNT:1

Host:< IP:Port>

Origin:http://

Referer:http:signin;jsessionid=CD59ACAA3BCFE3F4C8A3AEBE77C52BC6

User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36

Wicket-Ajax:true

Wicket-Ajax-BaseURL:signin

X-Requested-With:XMLHttpRequest

Query String Parameters

view source

view URL encoded

2-1.0-signin-signin-submit:

Form Data

view source

view URL encoded

login:<.>

pass:<.>

p::submit:1

 

 

FAILED LOGIN via HAProxy

---

Request URL:https:wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage?1-1.2-signin

Request Method:POST

Status Code:400 

Remote Address::443

Referrer Policy:no-referrer-when-downgrade

Response Headers

view source

Cache-Control:nocache, no-store

Content-Language:en

Content-Length:800

Content-Security-Policy:default-src 'self'; style-src 'self'
'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval';

Content-Type:text/html;charset=utf-8

Date:Wed, 19 Jul 2017 06:45:33 GMT

Pragma:no-cache

Referrer-Policy:no-referrer-when-downgrade

Strict-Transport-Security:max-age=31536000; includeSubDomains; preload

X-Content-Type-Options:nosniff

X-Frame-Options:SAMEORIGIN

X-XSS-Protection:1; mode=block

Request Headers

view source

Accept:application/xml, text/xml, */*; q=0.01

Accept-Encoding:gzip, deflate, br

Accept-Language:en-US,en;q=0.8

Connection:keep-alive

Content-Length:45

Content-Type:application/x-www-form-urlencoded; charset=UTF-8

Cookie:JSESSIONID=cc-tt-d~6EE3B690118810FEE7ED4B38E61D9294

DNT:1

Host:

Origin:https://

Referer:https:///Product.Name/signin;jsessionid=6EE3B690118810FEE7ED4B38E61D9294

User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36

Wicket-Ajax:true

Wicket-Ajax-BaseURL:signin

Wicket-FocusedElementId:btn1d9

X-Requested-With:XMLHttpRequest

Query String Parameters

view source

view URL encoded

1-1.2-signin:

Form Data

view source

view URL encoded

login:<.>

pass:<.>

 

[2] HAProxy configuration

---

global
    log 127.0.0.1 local2
    log-tag haproxy
    pidfile /var/run/haproxy.pid
    user haproxy
    group haproxy
    nbproc 1
    maxconn 5000
    spread-checks 5
    debug
    chroot "${.}/lib"
    stats socket "${.

RE: Regarding migration on version haproxy-1.7.3

2017-06-08 Thread Coscend@HAProxy
Hello Devendra,

In the spirit of assisting, further to Pavlos' insights, you might want to
check Baptiste Assmann's blog on 1.5 vs. 1.6 below.  It is our understanding
that the new features in 1.6 have been mostly carried over to 1.7 as well.
https://www.haproxy.com/blog/whats-new-in-haproxy-1-6/
Examples include bind :, environmental variables

Willy Tarreau's note during general release of 1.6:  
https://www.mail-archive.com/haproxy@formilux.org/msg19877.html
1.7: https://www.mail-archive.com/haproxy@formilux.org/msg24244.html 

Thank you.

Sincerely,

Hemant K. Sabat
 
Coscend Communications Solutions
www.Coscend.com 
--
Real-time, Interactive Video Collaboration, Tele-healthcare, Tele-education, 
Telepresence Services, on the fly…
--
CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail Messages 
from Coscend Communications Solutions' posted at: 
http://www.Coscend.com/Terms_and_Conditions.html 



-Original Message-
From: Pavlos Parissis [mailto:pavlos.paris...@gmail.com] 
Sent: Thursday, June 8, 2017 2:53 AM
To: Devendra Joshi <devendra.jo...@naaptol.com>; haproxy@formilux.org
Subject: Re: Regarding migration on version haproxy-1.7.3

On 06/08/2017 07:31 AM, Devendra Joshi wrote:
> Hi,
> currently we are using haproxy-1.5.14 & now we want to migrate on 
> haproxy-1.7.3 
> 
> is there any config changes or need to do some setting.
> 

You should always test a software before you push it to production.
In most of the cases I have seen the upgrade is very smooth, but it depends on 
the configuration.
Some people never change the config they created with 1.4 version and get in 
troubles when they upgrade to 1.6 or 1.7 version.

Just build a test machine, load the config, check for errors and then test it 
with some traffic.
In case of troubles in production after the upgrade, you can easily roll back 
by downgrading the package.

1.7.6 version is coming soon, so you may want to wait few days for that one to 
be released before you upgrade production.

Cheers,
Pavlos





RE: Multiple Config Files Use Leads to Lockout

2017-04-08 Thread Coscend@HAProxy
Hello Pavlos,

An update:  Following your guidance, we have successfully transitioned from 
using 'system V init' to 'systemd' in order to start/stop/reload HAProxy.  
Thank you for helping us advance with times.

We would appreciate your guidance on why using multiple HAProxy config files in 
a directory forces us to reset our password to our WebSocket product for us to 
login?  HAPRoxy configuration is in the previously posted message.
Sincerely,
Hemant K. Sabat

-Original Message-
From: Coscend@HAProxy [mailto:haproxy.insig...@coscend.com] 
Sent: Saturday, April 8, 2017 4:18 AM
To: 'Pavlos Parissis' <pavlos.paris...@gmail.com>; 'haproxy' 
<haproxy@formilux.org>
Subject: RE: Multiple Config Files Use Leads to Lockout


RE: Multiple Config Files Use Leads to Lockout

2017-04-08 Thread Coscend@HAProxy
Hello Pavlos,

Below we have provided both the information you requested.  Your guidance would 
be appreciated.
(1) Sanitized version of HAProxy configuration is below. Please help us 
identify why using multiple HAProxy config files in a directory forces us to 
reset our password to our WebSocket product for us to login?  Single 
haproxy.cfg file works perfectly with the same configuration.

(2) >> May I ask why you are using the SysVinit and not systemd to start 
haproxy? You are using CentOS 7.2, which uses systemd,
Thank you for guiding us to use systemd.  Today, we created a haproxy.service 
executable file in /usr/lib/systemd/system/haproxy.service, but failed to start 
HAProxy.  The haproxy.service file is below.  What did we do wrong?



HAProxy configuration file (sanitized)

global
    log 127.0.0.1 local2
    log-tag haproxy
    pidfile /var/run/haproxy.pid
    user haproxy
    group haproxy
    nbproc 1
    maxconn 5000
    spread-checks 5
    debug
    chroot "/usr/local/haproxy-1.7.5/lib"
    stats socket "/usr/local/haproxy-1.7.5/lib/haproxy.sock"

    maxsslconn 256
    tune.ssl.default-dh-param 4096
    ca-base /etc/pki/CA/ssl.cert
    crt-base /etc/pki/CA/ssl.key
    ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    ssl-default-bind-options no-sslv3 no-tls-tickets
    ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    ssl-default-server-options no-sslv3 no-tls-tickets

    maxcomprate 1
    maxcompcpuusage 50
    tune.comp.maxlevel 5

defaults
    mode http
    log global
    option httplog
    option http-server-close
    option redispatch
    retries 3
    backlog 1
    timeout client 5ms
    timeout connect 5000ms
    timeout server 5ms
    timeout http-keep-alive 10s
    timeout http-request 15s
    timeout queue 30s
    timeout check 10s
    timeout tarpit 60s
    default-server inter 3s rise 2 fall 3
    option forwardfor
    option abortonclose
    maxconn 5
    compression algo gzip
    compression offload
    compression type text/html "text/html; charset=utf-8" text/html;charset=utf-8 text/plain text/css text/javascript application/x-javascript application/javascript application/ecmascript application/rss+xml application/atomsvc+xml application/atom+xml application/atom+xml;type=entry application/atom+xml;type=feed application/cmisquery+xml application/cmisallowableactions+xml application/cmisatom+xml application/cmistree+xml application/cmisacl+xml application/msword application/vnd.ms-excel application/vnd.ms-powerpoint image/svg+xml
    errorfile 400 /usr/local/haproxy-1.7.5/errors/400.http
    ...

frontend webapps-frontend
    bind *:443 name https ssl crt /etc/pki/CA/pem.ecc
    log global
    option forwardfor
    option httplog clf
    http-request set-header X-Forwarded-Port %[dst_port]
    acl host_coscend_http req.hdr(Hos

Multiple Config Files Use Leads to Lockout

2017-04-07 Thread Coscend@HAProxy
Dear HAProxy Community,

 

We are seeking your guidance with regard to the following issue we are
facing with our HAProxy use.

 

--

ISSUE

---

When we use a single monolithic config file (haproxy.cfg), HAPRoxy launches
fine and we are able to access our products that use HTTP/TCP (WebSockets)
and RTMP.  

 

When we launch HAProxy using multiple config files in a directory, HAProxy
launches fine.  However, our products do not allow administrator to login
(i.e., locks out).  We have to reset the password to login.  Once the admin
logs out, again it locks out the administrator and the password has to be
reset to login.

 

How is using multiple HAProxy config files in a directory connected to
logging in to our WebSocket product?

 



DETAILS



We are running HAProxy as a daemon service.  We are using HAProxy init
script from HAProxy's Github source.  /etc/init.d/haproxy has the following
lines:

 

Option 1:  When using SINGLE Config FILE

CFG=haproxy-1.7.5/conf/$BASENAME.cfg

 

Option 2:  When using a config DIRECTORY (conf.modular) with multiple files
in alphanumerical order, namely global, defaults, frontend, backend, dns
resolver and statistics:

CFG=haproxy-1.7.5/conf.modular

 

Environment:

HAProxy version: 1.7.5

CentOS 7.2

Lua 5.3

Zlib compression

PCRE 8.3x

OpenSSL 1.0.2k

 

 

Thank you.

 

Sincerely,

 

Hemant K. Sabat

 

Coscend Communications Solutions

Web site: www.Coscend.com

--

Real-time, Interactive Video Collaboration, Tele-healthcare, Tele-education,
Telepresence Services, on the fly.

--

CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail
Messages from Coscend Communications Solutions' posted at:
http://www.Coscend.com/Terms_and_Conditions.html

 

 

 

 

 



RE: WebSocket + compression + timeout tunnel broken in v1.7?

2017-03-18 Thread Coscend@HAProxy
Hello Kristjan,

 

Thank you for posting this issue that helped us isolate our issue as well.

 

 

Hello HAProxy Developers,

 

We are seeking your assistance to overcome this issue.  This would enable our 
WebSocket product benefit from HTTP compression.

 

- Our WebSocket product that was working through 1.6.x, started reloading
  through 1.7.3 every 35 seconds—the value assigned to timeout client /
  server (defaults).  When compression algo (defaults) is removed, timeout
  tunnel (backend) is effective.

- Other non-WebSocket products are working fine even with compression algo
  (defaults) and timeout tunnel (backend).  Our HAProxy is compiled with
  USE_ZLIB=1 (not SLZ).

 

Thank you.

 

Sincerely,

 

Hemant K. Sabat

 

Coscend Communications Solutions

Web site: www.Coscend.com

--

Real-time, Interactive Video Collaboration, Tele-healthcare, Tele-education, 
Telepresence Services, on the fly…

--

CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail Messages 
from Coscend Communications Solutions' posted at: 
http://www.Coscend.com/Terms_and_Conditions.html 

 

 

From: Kristjan Koppel [mailto:krist...@ppesa.org] 
Sent: Friday, March 17, 2017 5:57 AM
To: haproxy <haproxy@formilux.org>
Subject: WebSocket + compression + timeout tunnel broken in v1.7?

Hi!

I upgraded a HAProxy instance from v1.6.10 to v1.7.3 with no changes to
configuration and I noticed that now clients connecting to a WebSocket backend
are getting disconnected after being idle for "timeout client" time rather than
the much longer "timeout tunnel" time. As I understand it, "timeout tunnel" is
supposed to override the "timeout client" setting for WebSocket sessions and
this worked fine with v1.6 and earlier.

Also, this HAProxy instance has compression enabled in the defaults section. If
I remove the compression settings from there (or if I move them to other
backends only), then "timeout tunnel" starts to work again. So, I guess this is
a bug in HAProxy v1.7?

I managed to reproduce this with the official HAProxy Docker images, a minimal
haproxy.cfg and wscat (from the Debian package node-ws) as follows:

haproxy.cfg:

global
    stats socket /run/haproxy.sock mode 660 level admin
    stats timeout 30s
    daemon

defaults
    mode http
    timeout connect 5s
    timeout client  50s
    timeout server  60s
    timeout tunnel  15m

    compression algo gzip
    compression type text/html

listen ws_test
    bind :8000
    server wscat 172.17.0.1:8001

I started one wscat instance in listening mode for the backend:

$ wscat -l 8001

With HAProxy v1.6.11 running the above config I see the following:

$ date; wscat -c ws://172.17.0.2:8000; date
Fri Mar 17 12:10:59 EET 2017
connected (press CTRL+C to quit)
> foo
< bar
disconnected
Fri Mar 17 12:26:03 EET 2017

State of the session about 30 seconds after starting the above command:

$ echo "show sess" | socat /run/haproxy.sock stdio
0x12253b0: proto=tcpv4 src=172.17.0.1:52046 fe=ws_test be=ws_test srv=wscat
ts=08 age=31s calls=4 rq[f=8848202h,i=0,an=00h,rx=14m32s,wx=,ax=]
rp[f=88048202h,i=0,an=00h,rx=14m32s,wx=,ax=] s0=[7,8h,fd=1,ex=]
s1=[7,118h,fd=2,ex=] exp=14m29s

With HAProxy v1.7.3 running the same config I see the following:

$ date; wscat -c ws://172.17.0.3:8000; date
Fri Mar 17 12:29:39 EET 2017
connected (press CTRL+C to quit)
> foo
< bar
disconnected
Fri Mar 17 12:30:33 EET 2017

Obviously it takes me a bit of time to send the 2 strings manually, so total
time is a bit more than the "timeout client" value here.

State of the session about 30 seconds after starting the above command:

$ echo "show sess" | socat /run/haproxy.sock stdio
0x22a4f10: proto=tcpv4 src=172.17.0.1:55996 fe=ws_test be=ws_test srv=wscat
ts=04 age=33s calls=6 rq[f=8848000h,i=0,an=00h,rx=20s,wx=,ax=]
rp[f=88048000h,i=0,an=00h,rx=30s,wx=,ax=] s0=[7,8h,fd=1,ex=]
s1=[7,118h,fd=2,ex=] exp=20s

If I remove the compression lines from the config and try again with HAProxy
v1.7.3, then it's fine again:

$ date; wscat -c ws://172.17.0.3:8000; date
Fri Mar 17 12:35:22 EET 2017
connected (press CTRL+C to quit)
> foo
< bar
disconnected
Fri Mar 17 12:50:26 EET 2017

State of the session about 30 seconds after starting the above command:

$ echo "show sess" | socat /run/haproxy.sock stdio
0x1e64500: proto=tcpv4 src=172.17.0.1:56038 fe=ws_test be=ws_test srv=wscat
ts=04 age=31s calls=5 rq[f=8848000h,i=0,an=00h,rx=14m33s,wx=,ax=]
rp[f=88048000h,i=0,an=00h,rx=14m33s,wx=,ax=] s0=[7,8h,fd=1,ex=]
s1=[7,118h,fd=2,ex=] exp=14m33s

I'll be happy to provide any addit
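
The regression described in this thread is easiest to confirm without wscat by driving the WebSocket upgrade by hand and timing how long an idle tunnel survives. The Python script below is an added example written for this page, not code from the thread or from HAProxy: it performs the RFC 6455 handshake itself and verifies the Sec-WebSocket-Accept value, so a proxy that answered the upgrade with an ordinary (possibly compressed) 200 is reported as a failed upgrade rather than mistaken for a live tunnel; it then sends nothing and reports the seconds until the peer closes. Host, port, path and the localhost target in the usage block are assumptions; point it at a listener like ws_test above and compare the result with the configured "timeout client" and "timeout tunnel".

```python
import base64
import hashlib
import os
import socket
import time

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # fixed by RFC 6455


def ws_accept_value(key):
    """Sec-WebSocket-Accept a compliant server must return for Sec-WebSocket-Key <key>."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_upgrade_request(host, path="/", key=None):
    """Raw HTTP/1.1 upgrade request; returns (bytes, key) so the reply can be checked."""
    key = key or base64.b64encode(os.urandom(16)).decode("ascii")
    req = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Key: {key}\r\n"
        "Sec-WebSocket-Version: 13\r\n"
        "\r\n"
    )
    return req.encode("ascii"), key


def parse_upgrade_response(raw, key):
    """Return (ok, headers). ok only for a 101 whose accept value matches <key>;
    a proxy that did not switch protocols (say, an ordinary 200 with a gzip
    body) or that mangled the handshake yields False instead of a bogus tunnel."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    ok = (
        len(status) >= 2 and status[1] == "101"
        and headers.get("upgrade", "").lower() == "websocket"
        and "upgrade" in headers.get("connection", "").lower()
        and headers.get("sec-websocket-accept") == ws_accept_value(key)
    )
    return ok, headers


def measure_idle_disconnect(host, port, path="/", max_wait=1200.0):
    """Open a WebSocket through the proxy, send nothing, and return the seconds
    the connection survived idle, or None if it was still open after max_wait."""
    with socket.create_connection((host, port), timeout=max_wait) as s:
        req, key = build_upgrade_request(f"{host}:{port}", path)
        s.sendall(req)
        ok, headers = parse_upgrade_response(s.recv(4096), key)
        if not ok:
            raise RuntimeError(f"upgrade not honoured: {headers}")
        started = time.monotonic()
        while True:
            try:
                data = s.recv(4096)
            except socket.timeout:
                return None
            if not data:                       # peer (or proxy) closed the tunnel
                return time.monotonic() - started
            # any frame from the backend (e.g. a ping) is traffic; keep waiting


if __name__ == "__main__":
    # Assumed target: the ws_test listener from the config above, on localhost.
    print(measure_idle_disconnect("127.0.0.1", 8000))
```

A result close to "timeout client" (50s in the config above), with `show sess` showing `exp=` counting down from that value, is the failure mode reported here; a healthy tunnel survives until "timeout tunnel". The accept-value check uses the test vector from RFC 6455 section 1.3.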

Re: HAProxy clustering

2016-12-16 Thread Neil - HAProxy List
So because one loadbal can reach the service the others can?

Log spam needs getting rid of anyway. Filter it out whether it's the in
service or one of the out of service loadbal.

If you have a complex health check that creates load, make it a little
smarter and cache its result for a while.

On Fri, 16 Dec 2016 at 19:56, Jeff Palmer <j...@palmerit.net> wrote:

> backend health should be in on the sticktables that are shared between
> all instances,  right?
>
> With that in mind,  the inactive servers would know the backend states
> if a failover were to occur.  no sense in having the log spam, network
> traffic, and load from healthchecks that are essentially useless
> (IMO, of course)
>
> On Fri, Dec 16, 2016 at 2:50 PM, Neil - HAProxy List
> <maillist-hapr...@iamafreeman.com> wrote:
>
> > Stephan,
> >
> > I'm curious...
> >
> > Why would you want the inactive loadbal not to check the services?
> >
> > If you really really did want that you do something horrid like tell
> > keepalive to block with iptables access to the backends when it does not own
> > the service ip
> >
> > but why? your healthchecks should be fairly lightweight?
> >
> > Neil
> >
> > On 16 Dec 2016 15:44, "Marco Corte" <ma...@marcocorte.it> wrote:
> >>
> >> Hi!
> >>
> >> I use keepalived for IP management.
> >>
> >> I use Ansible on another host to deploy the configuration on the haproxy
> >> nodes.
> >> This setup gives me better control on the configuration: it is split in
> >> several files on the Ansible host, but assembled to a single config file on
> >> the nodes.
> >> This gives also the opportunity to deploy the configuration on one node
> >> only.
> >> On the Ansible host, the configuration changes are tracked with git.
> >>
> >> I also considered an automatic replication of the config, between the
> >> nodes but... I did not like the idea.
> >>
> >> .marcoc
> >
>
> --
> Jeff Palmer
> https://PalmerIT.net

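
Neil's suggestion to cache an expensive health check's result, as an added example that is not code from the thread or from HAProxy: a small Python health endpoint in which the costly probe runs at most once per TTL, so several load balancers polling /health inside that window (the keepalived active/standby pair discussed above) share one real check instead of each triggering their own. The probe body, the TTL, the bind address and the path are assumptions for the example.

```python
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer


class CachedHealthCheck:
    """Run an expensive probe at most once per <ttl> seconds and hand every
    poller in that window the cached verdict: N load balancers cost one check."""

    def __init__(self, probe, ttl=5.0, clock=time.monotonic):
        self._probe = probe            # callable: True = healthy, False = not
        self._ttl = ttl
        self._clock = clock            # injectable for testing
        self._lock = threading.Lock()  # pollers arrive concurrently
        self._verdict = None
        self._expires = 0.0
        self.real_checks = 0           # how often the probe actually ran

    def status(self):
        now = self._clock()
        with self._lock:
            if self._verdict is not None and now < self._expires:
                return self._verdict
            try:
                verdict = bool(self._probe())
            except Exception:
                verdict = False        # a crashing probe is an unhealthy service
            self.real_checks += 1
            self._verdict, self._expires = verdict, now + self._ttl
            return verdict


def expensive_probe():
    """Stand-in for the real dependency check (DB round trip, upstream call);
    assumed slow for the example."""
    time.sleep(0.2)
    return True


def make_handler(health):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != "/health":
                self.send_error(404)
                return
            ok = health.status()
            # 'option httpchk' treats 2xx/3xx as UP and anything else as DOWN
            self.send_response(200 if ok else 503)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Cache-Control", "no-store")
            self.end_headers()
            self.wfile.write(b"OK\n" if ok else b"UNHEALTHY\n")

        def log_message(self, *args):  # keep the pollers out of the access log
            pass

    return Handler


if __name__ == "__main__":
    # Assumed bind address and port for the example.
    server = HTTPServer(("127.0.0.1", 8080),
                        make_handler(CachedHealthCheck(expensive_probe, ttl=5.0)))
    server.serve_forever()
```

Pair it with `option httpchk GET /health` on every HAProxy node and keep the TTL well below `fall` times `inter` on the check settings, otherwise a cached OK can hide a failure for longer than the check interval suggests. A probe that raises is reported as 503 rather than letting the endpoint vanish; HAProxy would mark the server down either way, but the 503 leaves a clearer log line.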

Re: missing documentation on 51degrees samples

2016-12-01 Thread haproxy
Ping?

-Patrick

On 2016/10/7 13:27, Patrick Hemmer wrote:
> The documentation doesn't mention the sample fetcher `51d.all`, nor
> the converter `51d.single`. The only place they're mentioned is the
> repo README.
>
> Also the documentation for `51degrees-property-name-list` indicates it
> takes an optional single string argument (`[]`), rather than
> multiple string arguments (`...`). This led me to expect it
> was comma delimited, which ended up not working.
>
> -Patrick



Re: Sharing SSL information via PROXY protocol or HAProxy internally

2016-10-16 Thread haproxy
I too am interested in this functionality. Looking at the proxy protocol
documentation
(http://www.haproxy.org/download/1.6/doc/proxy-protocol.txt), it seems
that the requisite information is present in the PP2 header: " The
PP2_CLIENT_SSL flag indicates that the client connected over SSL/TLS.".

Looking through the source it seems haproxy adds this when sending PP2,
but not when receiving it.

-Patrick

On 2016/4/16 04:57, Christian Ruppert wrote:
> Hi Dennis,
>
> On 2016-04-16 02:13, Dennis Jacobfeuerborn wrote:
>> On 15.04.2016 16:01, Christian Ruppert wrote:
>>> Hi,
>>>
>>> would it be possible to inherit the SSL information from a SSL
>>> listener/frontend via PROXY protocol?
>>> So for example:
>>>
>>> listen ssl-relay
>>> mode tcp
>>>
>>> ...
>>>
>>> server rsa unix@/var/run/haproxy_ssl_rsa.sock send-proxy-v2
>>>
>>> listen ssl-rsa_ecc
>>> mode tcp
>>>
>>> ...
>>>
>>> bind unix@/var/run/haproxy_ssl_rsa.sock accept-proxy ssl crt
>>> SSl-RSA.PEM user haproxy
>>>
>>> frontend http_https
>>> bind :80 # http
>>> bind unix@/var/run/haproxy_ssl.sock accept-proxy user haproxy #
>>> https
>>>
>>> redirect scheme https code 301 if !{ssl_fc}
>>>
>>>
>>> Here the ssl_fc and other SSL related ACLs do not work because the
>>> actual SSL termination has been done in the above ssl-rsa_ecc listener.
>>> Sharing that either internally or via the PROXY protocol would be
>>> really
>>> handy, if that's possible.
>>> For now we use the bind "id" to check whether it's the proxy connection
>>> or not but the above would be much easier/better IMHO.
>>
>> For this specific case of http to https redirect I use the
>> X-Forwarded-Proto header. In the ssl frontend I do this:
>>
>> http-request set-header X-Forwarded-Proto https
>>
>> and in the plain http frontend I do this:
>>
>> http-request redirect scheme https if !{ req.hdr(X-Forwarded-Proto)
>> https }
>
> The problem here is that one could set that in a plain http request as
> well and would avoid some redirects and whatnot, depending on what you
> do based on what decision. You may also want the other SSL data,
> cipher, version etc. Since 1.6 you can set variables, ok, but somehow
> passing that kind of information could be really useful I guess.
>
>>
>> You usually need to set this header anyway so the application knows it
>> needs to generate https URLs in the generated HTML.
>>
>> Regards,
>>   Dennis
>
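
Patrick's point is that the information Christian wants already has a place in the PROXY protocol v2 header: the PP2_TYPE_SSL TLV carries a client flags byte (PP2_CLIENT_SSL, PP2_CLIENT_CERT_CONN, PP2_CLIENT_CERT_SESS), a verify result, and sub-TLVs for the TLS version, cipher and certificate CN. The Python builder and parser below are an added example, not code from the thread or from HAProxy, written from the layout in proxy-protocol.txt; the addresses, cipher name and CN are constructed sample values. It also shows why this beats the X-Forwarded-Proto approach Christian questions: the TLS facts travel in a transport-level header written by the terminating proxy, not in a request header any client can supply.

```python
import socket
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_TYPE_SSL = 0x20
PP2_SUBTYPE_SSL_VERSION = 0x21
PP2_SUBTYPE_SSL_CN = 0x22
PP2_SUBTYPE_SSL_CIPHER = 0x23
PP2_CLIENT_SSL = 0x01          # client connected over SSL/TLS
PP2_CLIENT_CERT_CONN = 0x02    # client presented a certificate on this connection
PP2_CLIENT_CERT_SESS = 0x04    # ... at least once in the TLS session


def _tlv(tlv_type, value):
    return struct.pack("!BH", tlv_type, len(value)) + value


def build_pp2_header(src, dst, ssl=None):
    """PROXY v2 header for TCP over IPv4. src/dst are (ip, port); ssl, when
    given, is a dict with 'version', 'cipher' and optionally 'cn'/'verified'."""
    addrs = (socket.inet_aton(src[0]) + socket.inet_aton(dst[0])
             + struct.pack("!HH", src[1], dst[1]))
    tlvs = b""
    if ssl is not None:
        client = PP2_CLIENT_SSL
        subs = (_tlv(PP2_SUBTYPE_SSL_VERSION, ssl["version"].encode())
                + _tlv(PP2_SUBTYPE_SSL_CIPHER, ssl["cipher"].encode()))
        if "cn" in ssl:
            client |= PP2_CLIENT_CERT_CONN
            subs += _tlv(PP2_SUBTYPE_SSL_CN, ssl["cn"].encode())
        verify = 0 if ssl.get("verified") else 1   # 0 = client cert presented and verified
        tlvs = _tlv(PP2_TYPE_SSL, struct.pack("!BI", client, verify) + subs)
    body = addrs + tlvs
    # 0x21 = version 2, command PROXY; 0x11 = AF_INET, SOCK_STREAM
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body


def _parse_ssl_tlv(value):
    client, verify = struct.unpack_from("!BI", value, 0)
    out = {"client_ssl": bool(client & PP2_CLIENT_SSL),
           "client_cert": bool(client & (PP2_CLIENT_CERT_CONN | PP2_CLIENT_CERT_SESS)),
           "cert_verified": verify == 0}
    names = {PP2_SUBTYPE_SSL_VERSION: "ssl_version",
             PP2_SUBTYPE_SSL_CIPHER: "ssl_cipher",
             PP2_SUBTYPE_SSL_CN: "ssl_cn"}
    pos = 5
    while pos + 3 <= len(value):
        sub_type, length = struct.unpack_from("!BH", value, pos)
        sub = value[pos + 3:pos + 3 + length]
        pos += 3 + length
        if sub_type in names:
            out[names[sub_type]] = sub.decode("utf-8", "replace")
    return out


def parse_pp2_header(data):
    """Parse the header at the start of <data>. Raises ValueError for anything
    that is not a well-formed v2 header; a listener should treat that as a
    protocol error and close, never fall back to reading the bytes as HTTP."""
    if len(data) < 16 or not data.startswith(PP2_SIGNATURE):
        raise ValueError("not a PROXY protocol v2 header")
    ver_cmd, fam, length = struct.unpack_from("!BBH", data, 12)
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    if len(data) < 16 + length:
        raise ValueError("truncated header")
    if ver_cmd & 0x0F == 0x00:                 # LOCAL: the proxy's own health check
        return {"command": "LOCAL", "consumed": 16 + length}
    if fam != 0x11 or length < 12:
        raise ValueError("example handles TCP over IPv4 only")
    body = data[16:16 + length]
    src_ip, dst_ip = socket.inet_ntoa(body[:4]), socket.inet_ntoa(body[4:8])
    src_port, dst_port = struct.unpack_from("!HH", body, 8)
    info = {"command": "PROXY", "src": (src_ip, src_port), "dst": (dst_ip, dst_port),
            "client_ssl": False, "consumed": 16 + length}
    pos = 12
    while pos + 3 <= len(body):
        tlv_type, tlen = struct.unpack_from("!BH", body, pos)
        value = body[pos + 3:pos + 3 + tlen]
        if len(value) != tlen:
            raise ValueError("truncated TLV")
        pos += 3 + tlen
        if tlv_type == PP2_TYPE_SSL:
            info.update(_parse_ssl_tlv(value))
    return info
```

One caveat that applies equally to `accept-proxy` listeners and to a backend parsing the header with code like this: enable it only on listeners reachable exclusively from the proxy that sends the header (a unix socket, as in Christian's config, or a firewalled address). Whoever can deliver a PP2 header to such a listener can assert any source address and any SSL flag, so the header is only as trustworthy as the path it arrived on.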



Re: rspadd X-Frame-Options:\ ALLOW-FROM

2016-10-15 Thread Neil - HAProxy List
Hello

The warning explains it: you are attempting to change a response based on
a request header.

Responses don't have access to request headers.

There are ways round that; this has come up on the list before, so the archives
will have an answer or two.

Neil

On 15 Oct 2016 16:28, "Amol" <mandm_z...@yahoo.com> wrote:

> Hi Igor,
> Thanks so much for the reply, here is the error/warning i get when i add
> your config line
>
> sudo /etc/init.d/haproxy restart
>  * Restarting haproxy haproxy [WARNING] 288/112410 (18154) : parsing
> [/etc/haproxy/haproxy.cfg:84] : anonymous acl will never match because it
> uses keyword 'req.hdr' which is incompatible with 'frontend http-response
> header rule'
> [WARNING] 288/112410 (18157) : parsing [/etc/haproxy/haproxy.cfg:84] :
> anonymous acl will never match because it uses keyword 'req.hdr' which is
> incompatible with 'frontend http-response header rule'
>
>[ OK ]
> am i also missing something else? like an acl rule for req.hdr?
>
> --
> From: Igor Cicimov <ig...@encompasscorporation.com>
> To: Amol <mandm_z...@yahoo.com>
> Cc: HAproxy Mailing Lists <haproxy@formilux.org>
> Sent: Friday, October 14, 2016 6:27 PM
> Subject: Re: rspadd X-Frame-Options:\ ALLOW-FROM
>
> Amol,
>
> On Sat, Oct 15, 2016 at 7:21 AM, Amol <mandm_z...@yahoo.com> wrote:
>
> Hi,
> I am trying to configure my LB such that it can allow one of my websites
> to render the pages behind this LB.
> i am using Ubuntu 12.04 LTS
> and
> haproxy -v
> HA-Proxy version 1.5.14 2015/07/02
>
> config file entry 
> rspadd X-Frame-Options:\ ALLOW-FROM if https://load.example.com
>
>
> You are missing a condition here, try:
>
> rspadd X-Frame-Options:\ ALLOW-FROM if { req.hdr(Host) -i load.example.com
> }
>
>
>
>
> but i get this error
>
> [ALERT] 287/161307 (22941) : parsing [/etc/haproxy/haproxy.cfg:83] : error
> detected while parsing a 'rspadd' condition : no such ACL : '
> https://load.example.com/'.
> [ALERT] 287/161307 (22941) : Error(s) found in configuration file :
> /etc/haproxy/haproxy.cfg
> [ALERT] 287/161307 (22941) : Fatal errors found in configuration.
>
>
>
> my prior setting was
> config file entry 
> rspadd X-Frame-Options:\ SAMEORIGIN
>
> and that blocked any site from rendering the pages behind this LB. But now
> i want it to allow this one link to open the pages.
>
> Please let me know if anyone has tackled this before.
>
>
>
>
> --
> Igor Cicimov | DevOps
>
>
> p. +61 (0) 433 078 728
> e. ig...@encompasscorporation.com
> w. www.encompasscorporation.com
>
> a.
> Level 4, 65 York Street, Sydney 2000
>
>
>
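
Whichever way the response header gets set, what decides whether load.example.com may frame the page is the browser's evaluation of that header against the embedding origin. As an added example, not from the thread and not HAProxy code, the Python below models that decision for X-Frame-Options and for the CSP frame-ancestors directive that replaced ALLOW-FROM; the origins are made-up values. The source matching is simplified (no path parts, no IP literals), and the ALLOW-FROM branch models what current browsers do with that obsolete directive: they treat the header as invalid and ignore it, which leaves the page frameable by anyone, the opposite of what the configuration above intends.

```python
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """(scheme, host, effective port) for an origin such as https://a.example.com."""
    u = urlsplit(url.lower())
    return u.scheme, u.hostname or "", u.port or _DEFAULT_PORTS.get(u.scheme)


def _parse_csp(value):
    """'a b; c d e' -> {'a': ['b'], 'c': ['d', 'e']}; a repeated directive is ignored, as in CSP."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _source_matches(expr, embedder, page):
    """Simplified CSP source-expression matching against an embedder origin."""
    expr = expr.lower()
    if expr == "'none'":
        return False
    if expr == "'self'":
        return embedder == page
    if expr == "*":
        return True
    e_scheme, e_host, e_port = embedder
    if expr.endswith(":") and "/" not in expr:           # scheme-source, e.g. https:
        return e_scheme == expr[:-1]
    scheme, sep, rest = expr.partition("://")
    if not sep:                                           # bare host: page's scheme applies
        scheme, rest = page[0], expr
    if e_scheme != scheme:
        return False
    host, _, port = rest.partition(":")
    if port and port != "*" and int(port) != e_port:
        return False
    if host.startswith("*."):
        return e_host.endswith(host[1:])                  # subdomains only, not the apex
    return e_host == host


def framing_allowed(headers, page_origin, embedder_origin):
    """Would a browser let embedder_origin frame a page from page_origin that
    came back with these response headers? Returns (allowed, reason)."""
    h = {k.lower(): v for k, v in headers.items()}
    page, embedder = _origin(page_origin), _origin(embedder_origin)
    csp = _parse_csp(h.get("content-security-policy", ""))
    if "frame-ancestors" in csp:
        # When frame-ancestors is present, X-Frame-Options is ignored (CSP spec).
        ok = any(_source_matches(s, embedder, page) for s in csp["frame-ancestors"])
        return ok, "frame-ancestors"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return embedder == page, "X-Frame-Options: SAMEORIGIN"
    if xfo.startswith("ALLOW-FROM"):
        # Obsolete directive: current browsers treat the header as invalid and
        # ignore it entirely, so the page becomes frameable from anywhere.
        return True, "X-Frame-Options: ALLOW-FROM is obsolete and ignored"
    return True, "no framing restriction"


def equivalent_csp(allowed_origin):
    """The header that actually expresses 'only my own site and this one may frame me'."""
    return f"frame-ancestors 'self' {allowed_origin}"
```

For Amol's case the header to emit is `Content-Security-Policy: frame-ancestors 'self' https://load.example.com`, and it can be added to every response unconditionally: the browser, not the proxy, compares the embedder against the list, so no request-header condition is needed in the response rule.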


Re: configure peer namespace

2016-10-14 Thread haproxy
Well nevermind. Applying the namespace to the remote peers isn't quite
as simple. The local peer was simple as it behaves like a normal
frontend bind. But it appears the remote peers are treated rather
differently, and don't share anything with the server struct, and thus
can't as easily accept all the server options.

-Patrick

On 2016/10/14 23:39, hapr...@stormcloud9.net wrote:
> So I took a poke at this, and it seems pretty trivial to add an option
> to support changing the namespace for a peer local binding. However I
> implemented it on my own system by just copying the bind keyword
> parsing code out of `cfg_parse_listen`. Meaning that I just added
> support for *ALL* bind keywords, not just `namespace`.
>
> Given how trivial it was, I'm willing to attempt putting together a
> patch to add the functionality, but have a few questions.
> The primary question is should I add support for all bind options? Or
> only the `namespace` option?
> Should I do something similar for the peer remotes, adding support for
> all server options?
>
> Other thoughts?
>
> -Patrick
>
> On 2016/10/9 21:59, Patrick Hemmer wrote:
>> Can we get the ability to configure the peer namespace?
>> Right now haproxy uses the default namespace, but in our system we
>> have an "internal" interface which is able to talk to the other
>> haproxy nodes, and this interface is in another network namespace.
>>
>> Additionally, the error output for failure to bind to a peer address
>> is lacking. I had to do an `strace` to figure out what the error was:
>> [ALERT] 282/214021 (2725) : [haproxy.main()] .
>> [ALERT] 282/214021 (2725) : [haproxy.main()] Some protocols failed to
>> start their listeners! Exiting.
>>
>> That's on haproxy 1.6.9
>>
>> Anyway, I can change the namespace that haproxy is launched in, and
>> then manually override the namespace for every `bind` and `server`
>> parameter, but it's rather cumbersome to do so. Would be much nicer
>> to be able to control the peer binding namespace, just like any other
>> bind.
>>
>> If this would be a simple change, I might be willing to attempt it.
>> But I've never worked in the haproxy source before, so not sure how
>> involved it would be.
>>
>> Thanks
>>
>> -Patrick
>



Re: configure peer namespace

2016-10-14 Thread haproxy
So I took a poke at this, and it seems pretty trivial to add an option
to support changing the namespace for a peer local binding. However I
implemented it on my own system by just copying the bind keyword parsing
code out of `cfg_parse_listen`. Meaning that I just added support for
*ALL* bind keywords, not just `namespace`.

Given how trivial it was, I'm willing to attempt putting together a
patch to add the functionality, but have a few questions.
The primary question is should I add support for all bind options? Or
only the `namespace` option?
Should I do something similar for the peer remotes, adding support for
all server options?

Other thoughts?

-Patrick

On 2016/10/9 21:59, Patrick Hemmer wrote:
> Can we get the ability to configure the peer namespace?
> Right now haproxy uses the default namespace, but in our system we
> have an "internal" interface which is able to talk to the other
> haproxy nodes, and this interface is in another network namespace.
>
> Additionally, the error output for failure to bind to a peer address
> is lacking. I had to do an `strace` to figure out what the error was:
> [ALERT] 282/214021 (2725) : [haproxy.main()] .
> [ALERT] 282/214021 (2725) : [haproxy.main()] Some protocols failed to
> start their listeners! Exiting.
>
> That's on haproxy 1.6.9
>
> Anyway, I can change the namespace that haproxy is launched in, and
> then manually override the namespace for every `bind` and `server`
> parameter, but it's rather cumbersome to do so. Would be much nicer to
> be able to control the peer binding namespace, just like any other bind.
>
> If this would be a simple change, I might be willing to attempt it.
> But I've never worked in the haproxy source before, so not sure how
> involved it would be.
>
> Thanks
>
> -Patrick



Re: Output logs in separate files

2016-10-13 Thread haproxy
Haproxy doesn't write to /var/log/local6.log, that's your logging daemon
(syslog-ng, rsyslog, whatever). That is what you need to adjust.
Most such logging daemons have the ability to match & filter based on
the contents of the log message. If there's nothing in the contents of
the message for you to filter on, then yes, you can adjust the haproxy
config `log-format` parameter and add `%sp` (the server port, which is
what I assume you mean by "output port") to the log message.

-Patrick

On 2016/10/13 02:58, Pavel Rudenkov wrote:
>
> Hello, dear developers!
> Several haproxy ports outputting log in local6. The very same local6
> outputs logs to overall /var/log/local6.log file that is in one file.
> Required to implement each output port a separate file *.log, not in
> common. Suitable for this log-tag? Other options?
>



RE: HAProxy Build Error with TARGET

2016-09-13 Thread Coscend@HAProxy
Bryan,

Thank you for your prompt guidance.

We downloaded this source code:
http://www.haproxy.org/download/1.6/src/haproxy-1.6.9.tar.gz 

After reviewing your e-mail, we found out (from
https://github.com/haproxy/haproxy) that we should use TARGET=linux2628

"- linux2628   for Linux 2.6.28, 3.x, and above (enables splice and
tproxy)"

Thank you, once again.

Sincerely,

Hemant K. Sabat

Coscend Communications Solutions
Web site: www.Coscend.com 
--


-Original Message-
From: Bryan Talbot [mailto:bryan.tal...@playnext.com] 
Sent: Tuesday, September 13, 2016 11:56 PM
To: haproxy.insig...@coscend.com
Cc: HAproxy Mailing Lists <haproxy@formilux.org>
Subject: Re: HAProxy Build Error with TARGET


> On Sep 13, 2016, at Sep 13, 9:16 PM, Coscend@HAProxy
<haproxy.insig...@coscend.com> wrote:
> 
> Hello HAProxy Community,
> 
> We are upgrading from HAProxy 1.6.7 to 1.6.9 by building from source.  
> We would appreciate any vector on the issue we are facing with 
> specifying TARGET in make and makefile.

What source are you using?


> 
> It is building fine with TARGET=linux2628.  
> However, we are getting a build error with TARGET=linux310 (see log 
> summary and detailed log below).  Makefile also has TARGET=linux310.  
> Our Linux version, uname -r gives 3.10.0-229.el7.x86_64


The official source at http://git.haproxy.org/git/haproxy-1.6.git does not
define TARGET for linux310 anywhere that I can find.

-Bryan




HAProxy Build Error with TARGET

2016-09-13 Thread Coscend@HAProxy
Hello HAProxy Community,

We are upgrading from HAProxy 1.6.7 to 1.6.9 by building from source.  We
would appreciate any vector on the issue we are facing with specifying
TARGET in make and makefile.  

It is building fine with TARGET=linux2628.  
However, we are getting a build error with TARGET=linux310 (see log summary
and detailed log below).  Makefile also has TARGET=linux310.  Our Linux
version, uname -r gives 3.10.0-229.el7.x86_64

Thank you.

ERROR SUMMARY
-
/bin/ld: /usr/local/lua-5.3.1/lib//liblua.a(loadlib.o): undefined reference
to symbol 'dlclose@@GLIBC_2.2.5'
/bin/ld: note: 'dlclose@@GLIBC_2.2.5' is defined in DSO /lib64/libdl.so.2 so
try adding it to the linker command line
/lib64/libdl.so.2: could not read symbols: Invalid operation
collect2: error: ld returned 1 exit status
make: *** [haproxy] Error 1

=
DETAILED LOG:  Build Error
=
gcc -Iinclude -Iebtree -Wall -m64 -march=x86-64 -O2 -march=native -g
-fno-strict-aliasing -Wdeclaration-after-statement   -DCONFIG_HAP_CRYPT
-DNEED_CRYPT_H -DUSE_GETADDRINFO -DUSE_ZLIB  -DENABLE_POLL
-DCONFIG_REGPARM=3 -DUSE_OPENSSL  -DUSE_PRIVATE_CACHE -DUSE_LUA
-I/usr/local/lua-5.3.1/include/ -DUSE_PCRE -I/usr/include -DUSE_PCRE_JIT
-DUSE_TFO -DCONFIG_HAP_NS  -DCONFIG_HAPROXY_VERSION=\"1.6.9\"
-DCONFIG_HAPROXY_DATE=\"2016/08/30\" \
  -DBUILD_TARGET='"linux310"' \
  -DBUILD_ARCH='"x86_64"' \
  -DBUILD_CPU='"native"' \
  -DBUILD_CC='"gcc"' \
  -DBUILD_CFLAGS='"-m64 -march=x86-64 -O2 -march=native -g
-fno-strict-aliasing -Wdeclaration-after-statement"' \
  -DBUILD_OPTIONS='"USE_LIBCRYPT=1 USE_CRYPT_H=1 USE_GETADDRINFO=1
USE_ZLIB=1 USE_POLL=default USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1
USE_PCRE_JIT=1 USE_TFO=1 USE_NS=1"' \
   -c -o src/haproxy.o src/haproxy.c
gcc -Iinclude -Iebtree -Wall -m64 -march=x86-64 -O2 -march=native -g
-fno-strict-aliasing -Wdeclaration-after-statement   -DCONFIG_HAP_CRYPT
-DNEED_CRYPT_H -DUSE_GETADDRINFO -DUSE_ZLIB  -DENABLE_POLL
-DCONFIG_REGPARM=3 -DUSE_OPENSSL  -DUSE_PRIVATE_CACHE -DUSE_LUA
-I/usr/local/lua-5.3.1/include/ -DUSE_PCRE -I/usr/include -DUSE_PCRE_JIT
-DUSE_TFO -DCONFIG_HAP_NS  -DCONFIG_HAPROXY_VERSION=\"1.6.9\"
-DCONFIG_HAPROXY_DATE=\"2016/08/30\" -c -o src/base64.o src/base64.c
gcc -Iinclude -Iebtree -Wall -m64 -march=x86-64 -O2 -march=native -g
-fno-strict-aliasing -Wdeclaration-after-statement   -DCONFIG_HAP_CRYPT
-DNEED_CRYPT_H -DUSE_GETADDRINFO -DUSE_ZLIB  -DENABLE_POLL
-DCONFIG_REGPARM=3 -DUSE_OPENSSL  -DUSE_PRIVATE_CACHE -DUSE_LUA
-I/usr/local/lua-5.3.1/include/ -DUSE_PCRE -I/usr/include -DUSE_PCRE_JIT
-DUSE_TFO -DCONFIG_HAP_NS  -DCONFIG_HAPROXY_VERSION=\"1.6.9\"
-DCONFIG_HAPROXY_DATE=\"2016/08/30\" -c -o src/protocol.o src/protocol.c
gcc -Iinclude -Iebtree -Wall -m64 -march=x86-64 -O2 -march=native -g
-fno-strict-aliasing -Wdeclaration-after-statement   -DCONFIG_HAP_CRYPT
-DNEED_CRYPT_H -DUSE_GETADDRINFO -DUSE_ZLIB  -DENABLE_POLL
-DCONFIG_REGPARM=3 -DUSE_OPENSSL  -DUSE_PRIVATE_CACHE -DUSE_LUA
-I/usr/local/lua-5.3.1/include/ -DUSE_PCRE -I/usr/include -DUSE_PCRE_JIT
-DUSE_TFO -DCONFIG_HAP_NS  -DCONFIG_HAPROXY_VERSION=\"1.6.9\"
-DCONFIG_HAPROXY_DATE=\"2016/08/30\" -c -o src/uri_auth.o src/uri_auth.c
gcc -Iinclude -Iebtree -Wall -m64 -march=x86-64 -O2 -march=native -g
-fno-strict-aliasing -Wdeclaration-after-statement   -DCONFIG_HAP_CRYPT
-DNEED_CRYPT_H -DUSE_GETADDRINFO -DUSE_ZLIB  -DENABLE_POLL
-DCONFIG_REGPARM=3 -DUSE_OPENSSL  -DUSE_PRIVATE_CACHE -DUSE_LUA
-I/usr/local/lua-5.3.1/include/ -DUSE_PCRE -I/usr/include -DUSE_PCRE_JIT
-DUSE_TFO -DCONFIG_HAP_NS  -DCONFIG_HAPROXY_VERSION=\"1.6.9\"
-DCONFIG_HAPROXY_DATE=\"2016/08/30\" -c -o src/standard.o src/standard.c
gcc -Iinclude -Iebtree -Wall -m64 -march=x86-64 -O2 -march=native -g
-fno-strict-aliasing -Wdeclaration-after-statement   -DCONFIG_HAP_CRYPT
-DNEED_CRYPT_H -DUSE_GETADDRINFO -DUSE_ZLIB  -DENABLE_POLL
-DCONFIG_REGPARM=3 -DUSE_OPENSSL  -DUSE_PRIVATE_CACHE -DUSE_LUA
-I/usr/local/lua-5.3.1/include/ -DUSE_PCRE -I/usr/include -DUSE_PCRE_JIT
-DUSE_TFO -DCONFIG_HAP_NS  -DCONFIG_HAPROXY_VERSION=\"1.6.9\"
-DCONFIG_HAPROXY_DATE=\"2016/08/30\" -c -o src/buffer.o src/buffer.c
gcc -Iinclude -Iebtree -Wall -m64 -march=x86-64 -O2 -march=native -g
-fno-strict-aliasing -Wdeclaration-after-statement   -DCONFIG_HAP_CRYPT
-DNEED_CRYPT_H -DUSE_GETADDRINFO -DUSE_ZLIB  -DENABLE_POLL
-DCONFIG_REGPARM=3 -DUSE_OPENSSL  -DUSE_PRIVATE_CACHE -DUSE_LUA
-I/usr/local/lua-5.3.1/include/ -DUSE_PCRE -I/usr/include -DUSE_PCRE_JIT
-DUSE_TFO -DCONFIG_HAP_NS  -DCONFIG_HAPROXY_VERSION=\"1.6.9\"
-DCONFIG_HAPROXY_DATE=\"2016/08/30\" -c -o src/log.o src/log.c
gcc -Iinclude -Iebtree -Wall -m64 -march=x86-64 -O2 -march=native -g
-fno-strict-aliasing -Wdeclaration-after-statement   -DCONFIG_HAP_CRYPT
-DNEE

Re: Inform backend about https for http2 connections

2016-08-06 Thread Neil - HAProxy List
Hello

If you can have the app not specify the scheme for the CSS etc., just use

//site.com/path
or
/path if it is on the same site

On 6 Aug 2016 04:33, "Igor Cicimov" <ig...@encompasscorporation.com> wrote:

> On 6 Aug 2016 1:31 am, "Matthias Fechner" <ide...@fechner.net> wrote:
> >
> > Dear all,
> >
> >
> > I use haproxy in tcp mode to have http2 working.
> > Now I have the problem that the backend has to know if the connection
> > was encrypted or not (some websites using this information to add the
> > schema to css and javascript URIs).
> >
>
> Afaik, since http2 is by default tls encrypted just by specifying h2 as
> protocol to the backend should be enough i guess.
>
> > Normally I think a
> > reqadd X-Forwarded-Proto:\ https
> >
> > should do the trick.
> >
> > Will this work if working in tcp mode or are there other tricks to do
> this?
> >
> >
> > Thanks
> > Matthias
> >
> > --
> >
> > "Programming today is a race between software engineers striving to
> > build bigger and better idiot-proof programs, and the universe trying to
> > produce bigger and better idiots. So far, the universe is winning." --
> > Rich Cook
> >
> >
>


Re: 1.6 vs 1.5 http-request add-header format

2016-07-21 Thread haproxy
Thank you very much Cyril! req.fhdr() did the trick!

> Le 20/07/2016 à 11:48, hapr...@abisoft.biz a écrit :
>> Sure thing. Here is the full config (Haproxy 1.6.7):
>>
>> [...]
>> defaults
>>   mode http
>> [...]
>>   log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %tsc\ 
>> %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %{+Q}r\ %ST\ "%CC"\ "%hr"\ "%CS"\ "%hs"\ 
>> ireq_size=%U\ resp_size=%B\ %fi:%fp\ %si:%sp\ %sslc\ %sslv\ 
>> %[capture.req.hdr(0)]
>>
>> frontend lb-useast
>>   mode http
>>   bind *:80
>>   option forwardfor except 127.0.0.0/8
>>
>> **  http-request add-header X-Haproxy-ACL test,
>>
>>   declare capture request len 256
>>   http-request capture hdr(X-Haproxy-ACL) id 0
>>
>> [...]
>> Notice the line marked "**". When it has "test," it doesn't appear in the log

> Ah ok, then this has nothing to do with "http-request add-header", but 
> the understanding of the hdr() fetch.

> hdr() will use the commas as separator, hence it will fetch the last 
> occurence (the empty value behind your comma).
> If you want to capture the whole header line, you want to use fhdr() 
> instead.

> http://cbonte.github.io/haproxy-dconv/1.6/configuration.html#req.hdr

> vs

> http://cbonte.github.io/haproxy-dconv/1.6/configuration.html#req.fhdr


> Not tested but I'm almost sure it's your issue.




Re: 1.6 vs 1.5 http-request add-header format

2016-07-20 Thread haproxy
Sure thing. Here is the full config (Haproxy 1.6.7):

global
log 127.0.0.1:514 local0
chroot  /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 25000   # 33KB per established connection; raise after 
upgrading instance type
user    haproxy
group   haproxy
daemon

# turn on stats unix socket
stats socket /var/lib/haproxy/stats

tune.ssl.default-dh-param   2048
ssl-default-bind-ciphers 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

defaults
  mode http
  log global
  option dontlognull# log sessions even if no data exchange happened
  option splice-auto# accelerate performance with kernel tcp 
splicing options
  option httplog# enable logging of HTTP request, session state 
and timers
  option http-server-close  # operate in http-close mode
  option redispatch # allow switching to another backend server 
when the one in the cookie gets down
  option contstats  # enable continuous traffic statistics updates
  retries 3
  backlog 25000 # correlates with maxconn
  timeout client  60s   # was 120
  timeout client-fin  15s   # was 25
  timeout connect  5s
  timeout server  60s   # was 120
  timeout tunnel   1h
  timeout http-keep-alive 10s   # was 1
  timeout http-request 5s   # was 15
  timeout queue   30s
  timeout tarpit  60s
  timeout check   5s
  default-server inter 6s rise 1 fall 3
  log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %tsc\ 
%ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %{+Q}r\ %ST\ "%CC"\ "%hr"\ "%CS"\ "%hs"\ 
ireq_size=%U\ resp_size=%B\ %fi:%fp\ %si:%sp\ %sslc\ %sslv\ 
%[capture.req.hdr(0)]

frontend lb-useast
  mode http
  bind *:80
  option forwardfor except 127.0.0.0/8

**  http-request add-header X-Haproxy-ACL test,

  declare capture request len 256
  http-request capture hdr(X-Haproxy-ACL) id 0

  capture request header Referrer len 64
  capture request header Content-Length len 10
  capture request header User-Agent len 64

  acl nonssl_allowed path_beg /privacy.html
  redirect scheme https if !{ ssl_fc } !nonssl_allowed

  acl srv_uat2 hdr(host) -i uat.mydom.net
  use_backend uat2_backend if srv_uat2

backend uat2_backend
  # Remove the ACL header
  reqdel ^X-Haproxy-ACL
  option httpchk GET /testpage.html
  balance roundrobin
  cookie appcoookie insert nocache indirect
  server uat-1 uat-1.mydom.net:443 ssl ca-file /etc/nginx/_.mydom.net.pem 
cookie uat-1 weight 10 check port 80
  server uat-2 uat-2.mydom.net:443 ssl ca-file /etc/nginx/_.mydom.net.pem 
cookie uat-2 weight 10 check port 80

Notice the line marked "**". When it has "test," it doesn't appear in the log
(check the last entry in the log line):
 x.y.222.4:47663 [20/Jul/2016:09:28:10.267] lb-useast uat2_backend/uat-1 
0/0/8/121/129 --NI 1/1/0/0/0 0/0 "GET /privacy.html HTTP/1.1" 200 - 
{|||curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Ba} - 
ireq_size=190 resp_size=15636 172.22.2.19:80 172.22.1.140:443 - - -

After I remove the comma, "test" appears in the log:
 x.y.222.4:47853 [20/Jul/2016:09:32:25.407] lb-useast uat2_backend/uat-1 
0/0/8/124/132 --NI 1/1/0/0/0 0/0 "GET /privacy.html HTTP/1.1" 200 - 
{test|||curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Ba} - 
ireq_size=190 resp_size=15636 172.22.2.19:80 172.22.1.140:443 - - test


Here  is  the  config  for  Haproxy 1.5.4 (I had to change it, since 1.5 doesn't
support  http-request  capture;  global and defaults sections are the same, so I
skip it here):
...
frontend lb-useast
  mode http
  bind *:80
  option forwardfor except 127.0.0.0/8

  http-request add-header X-Haproxy-ACL test,

  no log
  default_backend logger

backend logger
  server localhost localhost:5 send-proxy

frontend logger
  bind localhost:5 accept-proxy

  capture request header Referrer len 64
  capture request header Content-Length len 10
  capture request header User-Agent len 64
  capture request header X-Haproxy-ACL len 256

  acl nonssl_allowed path_beg /privacy.html
  redirect scheme https if !{ ssl_fc } !nonssl_allowed

  acl srv_uat2 hdr(host) -i uat.mydom.net
  use_backend uat2_backend if

Re: rate limiting question

2016-07-20 Thread haproxy
Hello Cyril,

Thank you for the reply!

My current config for rate limiting is:
  tcp-request content track-sc0 src
  stick-table type ip size 500k expire 30s store 
conn_cur,conn_rate(10s),http_req_rate(10s),http_err_rate(10s)
  tcp-request content reject if { src -f /etc/haproxy/blacklist.lst }
  http-request add-header X-Haproxy-ACL 
%[req.fhdr(X-Haproxy-ACL,-1)]whitelisted, if { src -f 
/etc/haproxy/whitelist.lst }
  http-request allow if { src -f /etc/haproxy/whitelist.lst }
  http-request add-header X-Haproxy-ACL 
%[req.fhdr(X-Haproxy-ACL,-1)]over-100-active-connections, if { src_conn_cur ge 
100 }
  http-request add-header X-Haproxy-ACL 
%[req.fhdr(X-Haproxy-ACL,-1)]over-3-connections-in-10-seconds, if { 
src_conn_rate gt 3 }
  http-request add-header X-Haproxy-ACL 
%[req.fhdr(X-Haproxy-ACL,-1)]high-error-rate, if { sc0_http_err_rate() gt 100 }
  http-request add-header X-Haproxy-ACL 
%[req.fhdr(X-Haproxy-ACL,-1)]high-request-rate, if { sc0_http_req_rate() gt 500 
}

Won't  it  be  affected  if  I  make  the  change  according to your suggestion?
Particularly, I'm worrying about http_err_rate and http_req_rate counters.

Wednesday, July 20, 2016, 1:33:53 AM, you wrote:

> Hi,

> Le 18/07/2016 à 11:30, hapr...@abisoft.biz a écrit :
>> Hello,
>>
>> I have a sticky table for ip checks against high connection rate (for 
>> testing purposes it's set now to 3 connections in 10 seconds):
>>
>> frontend lb-useast
>> ...
>>   tcp-request content track-sc0 src
>>   stick-table type ip size 500k expire 30s store 
>> conn_cur,conn_rate(10s),http_req_rate(10s),http_err_rate(10s)
>>   http-request add-header X-Haproxy-ACL 
>> %[req.fhdr(X-Haproxy-ACL,-1)]over-3-connections-in-10-seconds, if { 
>> src_conn_rate gt 3 }
>> ...
>>   default_backend logger
>>
>> backend logger
>>   server localhost localhost:5 send-proxy
>>
>> frontend logger
>> ...
>>   acl whitelisted req.fhdr(X-Haproxy-ACL) -m beg whitelisted,
>>   acl fail-validation req.fhdr(X-Haproxy-ACL) -m found
>>   http-request deny if !whitelisted fail-validation
>> ...
>>
>> When I run 3 curl requests in a row, the table shows there were 5 
>> connections with 1 failed:
>> # echo "show table lb-useast" | socat - unix:/var/lib/haproxy/stats
>> # table: lb-useast, type: ip, size:512000, used:1
>> 0x24b3628: key=x.y.222.4 use=0 exp=26100 conn_rate(10000)=5 conn_cur=0 http_req_rate(10000)=3 http_err_rate(10000)=1

> After doing some tests, indeed, it appears that with mode http and a 
> frontend/backend, conn_rate counters are incremented twice (before and 
> after).

>>
>> The curl command is pretty straightforward:
>> for ((i=1;i<=3;i++)); do curl -s http://uat.my.com/privacy.html > /dev/null; 
>> echo $i; done

> With this loop, conn_rate will be 1, then 3, then 5.

> I couldn't spend more time on the issue and won't have much time for it 
> next days, but you can try a workaround, by replacing tcp-request 
> content with tcp-request connection :

>tcp-request connection track-sc0 src

>>
>> How does haproxy count connections, so it gets 5 instead of 3?
>>
>> PS haproxy version is 1.5.4

-- 
Best regards,
Alex




1.6 vs 1.5 http-request add-header format

2016-07-19 Thread haproxy
Hi,

The following construction worked in 1.5.4 and doesn't work in 1.6.7:
http-request add-header X-Haproxy-ACL %[req.fhdr(X-Haproxy-ACL,-1)]over-3-connections-in-10-seconds, if { src_conn_rate gt 3 }

while the one w/o the comma in the end works in 1.6.7 well:
http-request add-header X-Haproxy-ACL %[req.fhdr(X-Haproxy-ACL,-1)]over-3-connections-in-10-seconds if { src_conn_rate gt 3 }

There are no errors, it just doesn't put the value of the custom header
X-Haproxy-ACL in the log.

Is it a bug or a syntax change? What's the new syntax?

-- 
Best regards,
Alex




rate limiting question

2016-07-18 Thread haproxy
Hello,

I have a sticky table for ip checks against high connection rate (for testing 
purposes it's set now to 3 connections in 10 seconds):

frontend lb-useast
...
  tcp-request content track-sc0 src
  stick-table type ip size 500k expire 30s store conn_cur,conn_rate(10s),http_req_rate(10s),http_err_rate(10s)
  http-request add-header X-Haproxy-ACL %[req.fhdr(X-Haproxy-ACL,-1)]over-3-connections-in-10-seconds, if { src_conn_rate gt 3 }
...
  default_backend logger

backend logger
  server localhost localhost:50000 send-proxy

frontend logger
...
  acl whitelisted req.fhdr(X-Haproxy-ACL) -m beg whitelisted,
  acl fail-validation req.fhdr(X-Haproxy-ACL) -m found
  http-request deny if !whitelisted fail-validation
...

When I run 3 curl requests in a row, the table shows there were 5 connections 
with 1 failed:
# echo "show table lb-useast" | socat - unix:/var/lib/haproxy/stats
# table: lb-useast, type: ip, size:512000, used:1
0x24b3628: key=x.y.222.4 use=0 exp=26100 conn_rate(10000)=5 conn_cur=0 http_req_rate(10000)=3 http_err_rate(10000)=1

The curl command is pretty straightforward:
for ((i=1;i<=3;i++)); do curl -s http://uat.my.com/privacy.html > /dev/null; 
echo $i; done

How does haproxy count connections, so it gets 5 instead of 3?

PS haproxy version is 1.5.4

-- 
Best regards,
Alex
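Added example, not part of Alex's or Cyril's messages and not HAProxy code: a small Python tool that parses the `show table` output quoted above and applies the same thresholds as the X-Haproxy-ACL rules in this thread, so the counters can be checked straight from the stats socket instead of only through the tagged header. The key names, the 10s period rendered as 10000 ms, and the threshold labels come from the thread; the sample output is constructed and only its first entry mirrors the one Alex posted.

```python
"""Parse HAProxy `show table` output and flag sources that trip the thread's thresholds.

Added example, not code from the thread or from HAProxy. It reads what
  echo "show table lb-useast" | socat - unix:/var/lib/haproxy/stats
prints and applies the thresholds from the X-Haproxy-ACL rules posted in this
thread: conn_rate > 3, conn_cur >= 100, http_err_rate > 100, http_req_rate > 500.
The sample output below is constructed; only the first entry mirrors the thread.
"""

import re
import sys

SAMPLE_OUTPUT = """\
# table: lb-useast, type: ip, size:512000, used:3
0x24b3628: key=x.y.222.4 use=0 exp=26100 conn_rate(10000)=5 conn_cur=0 http_req_rate(10000)=3 http_err_rate(10000)=1
0x24b3700: key=198.51.100.7 use=1 exp=29000 conn_rate(10000)=2 conn_cur=120 http_req_rate(10000)=40 http_err_rate(10000)=0
0x24b3800: key=203.0.113.9 use=0 exp=1500 conn_rate(10000)=1 conn_cur=0 http_req_rate(10000)=600 http_err_rate(10000)=150
"""

# One entry per line: "<ptr>: key=<key> <counter>=<value> ..."
ENTRY_RE = re.compile(r"^0x[0-9a-fA-F]+: key=(\S+)(.*)$")
# name, optional (period_ms), value: conn_rate(10000)=5 or conn_cur=0
COUNTER_RE = re.compile(r"([a-z_]+)(?:\((\d+)\))?=(\d+)")

# Same labels the config above appends to X-Haproxy-ACL.
THRESHOLDS = [
    ("conn_rate", lambda v: v > 3, "over-3-connections-in-10-seconds"),
    ("conn_cur", lambda v: v >= 100, "over-100-active-connections"),
    ("http_err_rate", lambda v: v > 100, "high-error-rate"),
    ("http_req_rate", lambda v: v > 500, "high-request-rate"),
]


def parse_show_table(text):
    """Map each table key to its counters; the '# table:' header and blank lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        key, rest = m.groups()
        entries[key] = {name: int(value) for name, _period, value in COUNTER_RE.findall(rest)}
    return entries


def flag_sources(entries):
    """Return {key: [labels]} for every key whose counters exceed a threshold."""
    flagged = {}
    for key, counters in entries.items():
        labels = [label for name, over, label in THRESHOLDS
                  if name in counters and over(counters[name])]
        if labels:
            flagged[key] = labels
    return flagged


if __name__ == "__main__":
    # Read the socket output from stdin; fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for key, labels in sorted(flag_sources(parse_show_table(text)).items()):
        print(f"{key}: {', '.join(labels)}")
```

Pipe the socket output in with `echo "show table lb-useast" | socat - unix:/var/lib/haproxy/stats | python3 show_table_flags.py`. Read conn_rate with Cyril's observation in mind: with `tcp-request content track-sc0` in an HTTP frontend/backend pair the counter is incremented twice per connection after the first, so either switch to `tcp-request connection track-sc0 src` or remember that the value overstates the real connection count.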




Server transparency

2016-03-21 Thread haproxy
Ha proxiers,

Wondering if it might be possible to have return traffic of transparent L4 
proxies seem to come from individual real server or at least leave from same IP 
stack as request was received from.

Problem is I’ve got a HA proxy binding to multiple ‘public’ IP stacks with 
client transparency, each load balancing for different smtp pools, and every 
real server of every pool has the same default GW on the ‘private’ side of my 
HA proxy (though they could be configured to pool specific ‘private' side 
default GWs).

I would like every real server, whenever they establish an outbound connection, 
to be seen as either their individual IP or at least as their individual 
HA proxy 'public' side IP; right now every 'real' outbound connection just 
seems to come from the same IP stack, ie. the one with the HA proxy's default 
GW.

Would it be possible to change this somehow, or do I need to split into 
separate HA proxies each on separate VMs and thus get different ‘public’ side 
default GW per pool?

TIA

/Steffen




Re: Only using map file when an entry exists

2016-03-12 Thread Neil - HAProxy List
Thanks Nenad,

That works perfectly, thank you

On 11 March 2016 at 22:37, Nenad Merdanovic <ni...@nimzo.info> wrote:

> Hello Neil,
>
> You seem to have missed my answer, so I am gonna top post this time :)
>
> http-request redirect location
> %[hdr(host),map(/etc/haproxy/redirect_host.map)] code 301 if {
> hdr(host),map(/etc/haproxy/redirect_host.map) -m found }
>
> Regards,
> Nenad
>
> On 03/11/2016 11:32 PM, Neil - HAProxy List wrote:
> > Hello
> >
> > I've left a little time and no one has said anything more so time for me
> > to act and submit a patch.
> >
> > I want to make functions that can be used in acls and take a map and
> > provide has_key and, for completeness, has_value
> >
> > Are those names uncontroversial/suitable and, I really hope, is this
> > unnecessary as it already exists.
> >
> > I'm more than a little surprised to find myself the first to want this
> >
> > Cheers
> >
> > Neil
> >
> > On 11 Mar 2016 22:16, "Neil" <n...@iamafreeman.com
> > <mailto:n...@iamafreeman.com>> wrote:
> >
> > Hello
> >
> > I've left a little time and no one has said anything more so time
> > for me to act and submit a patch.
> >
> > I want to make functions that can be used in acls and take a map and
> > provide has_key and, for completeness, has_value
> >
> > Are those names uncontroversial/suitable and, I really hope, is
> > this unnecessary as it already exists.
> >
> > I'm more than a little surprised to find myself the first to want
> this
> >
> > Cheers
> >
> > Neil
> >
> > On 3 Mar 2016 18:08, "Neil - HAProxy List"
> > <maillist-hapr...@iamafreeman.com
> > <mailto:maillist-hapr...@iamafreeman.com>> wrote:
> >
> > Thanks Conrad,
> >
> > That sort of thing looks better than what I had, and I'll give
> > it a go.
> >
> > I still think this is a bit long-winded syntax for something
> > that is probably quite a common thing to want to do?  A
> > map_contains type boolean function still seems like a good thing to
> have?
> >
> > Thanks
> >
> >     Neil
> >
> > On 3 March 2016 at 13:05, Conrad Hoffmann <con...@soundcloud.com
> > <mailto:con...@soundcloud.com>> wrote:
> >
> > If you are using haproxy >=1.6, you might be able to do
> > something like this:
> >
> > acl no_redir var(req.redir) -m str NO_REDIR
> > http-request set-var(req.redir) \
> > %[hdr(host),map(/etc/haproxy/redirect_host.map,NO_REDIR)]
> > http-request redirect location %[var(req.redir)] code 301 if
> > !no_redir
> >
> > This is completely made up and untested, but I hope you get
> > the idea.
> > Avoids a second map lookup altogether, but also map lookups
> > are quite fast,
> > so unless you map is huge you don't really need to worry
> > about this. Also,
> > double negation, but this is just to give you some idea
> >
> > Cheers,
> > Conrad
> > --
> > Conrad Hoffmann
> > Traffic Engineer
> >
> > SoundCloud Ltd. | Rheinsberger Str. 76/77, 10115 Berlin,
> Germany
> >
> > Managing Director: Alexander Ljung | Incorporated in England
> > & Wales
> > with Company No. 6343600 | Local Branch Office | AG
> > Charlottenburg |
> > HRB 110657B
> >
> >
>


Re: Only using map file when an entry exists

2016-03-11 Thread Neil - HAProxy List
Hello

I've left a little time and no one has said anything more so time for me to
act and submit a patch.

I want to make functions that can be used in acls and take a map and
provide has_key and, for completeness, has_value

Are those names uncontroversial/suitable and, I really hope, is this
unnecessary as it already exists.

I'm more than a little surprised to find myself the first to want this

Cheers

Neil
On 11 Mar 2016 22:16, "Neil" <n...@iamafreeman.com> wrote:

> Hello
>
> I've left a little time and no one has said anything more so time for me
> to act and submit a patch.
>
> I want to make functions that can be used in acls and take a map and
> provide has_key and, for completeness, has_value
>
> Are those names uncontroversial/suitable and, I really hope, is this
> unnecessary as it already exists.
>
> I'm more than a little surprised to find myself the first to want this
>
> Cheers
>
> Neil
> On 3 Mar 2016 18:08, "Neil - HAProxy List" <
> maillist-hapr...@iamafreeman.com> wrote:
>
>> Thanks Conrad,
>>
>> That sort of thing looks better than what I had, and I'll give it a go.
>>
>> I still think this is a bit long-winded syntax for something that is
>> probably quite a common thing to want to do?  A map_contains type boolean
>> function still seems like a good thing to have?
>>
>> Thanks
>>
>> Neil
>>
>> On 3 March 2016 at 13:05, Conrad Hoffmann <con...@soundcloud.com> wrote:
>>
>>> If you are using haproxy >=1.6, you might be able to do something like
>>> this:
>>>
>>> acl no_redir var(req.redir) -m str NO_REDIR
>>> http-request set-var(req.redir) \
>>> %[hdr(host),map(/etc/haproxy/redirect_host.map,NO_REDIR)]
>>> http-request redirect location %[var(req.redir)] code 301 if !no_redir
>>>
>>> This is completely made up and untested, but I hope you get the idea.
>>> Avoids a second map lookup altogether, but also map lookups are quite
>>> fast,
>>> so unless you map is huge you don't really need to worry about this.
>>> Also,
>>> double negation, but this is just to give you some idea
>>>
>>> Cheers,
>>> Conrad
>>> --
>>> Conrad Hoffmann
>>> Traffic Engineer
>>>
>>> SoundCloud Ltd. | Rheinsberger Str. 76/77, 10115 Berlin, Germany
>>>
>>>
>>
>>


Re: Only using map file when an entry exists

2016-03-11 Thread Neil - HAProxy List
I'm amazed by the number of typos in one message. ;)
On 3 Mar 2016 18:08, "Neil - HAProxy List" <maillist-hapr...@iamafreeman.com>
wrote:

> Thanks Conrad,
>
> That sort of thing looks better than what I had, and I'll give it a go.
>
> I still think this is a bit long-winded syntax for something that is probably
> quite a common thing to want to do?  A map_contains type boolean function
> still seems like a good thing to have?
>
> Thanks
>
> Neil
>
> On 3 March 2016 at 13:05, Conrad Hoffmann <con...@soundcloud.com> wrote:
>
>> If you are using haproxy >=1.6, you might be able to do something like
>> this:
>>
>> acl no_redir var(req.redir) -m str NO_REDIR
>> http-request set-var(req.redir) \
>> %[hdr(host),map(/etc/haproxy/redirect_host.map,NO_REDIR)]
>> http-request redirect location %[var(req.redir)] code 301 if !no_redir
>>
>> This is completely made up and untested, but I hope you get the idea.
>> Avoids a second map lookup altogether, but also map lookups are quite
>> fast,
>> so unless you map is huge you don't really need to worry about this. Also,
>> double negation, but this is just to give you some idea
>>
>> Cheers,
>> Conrad
>> --
>> Conrad Hoffmann
>> Traffic Engineer
>>
>> SoundCloud Ltd. | Rheinsberger Str. 76/77, 10115 Berlin, Germany
>>
>>
>
>


Re: Only using map file when an entry exists

2016-03-03 Thread Neil - HAProxy List
Thanks Conrad,

That sort of thing looks better than what I had, and I'll give it a go.

I still think this is a bit long-winded syntax for something that is probably
quite a common thing to want to do?  A map_contains type boolean function
still seems like a good thing to have?

Thanks

Neil

On 3 March 2016 at 13:05, Conrad Hoffmann <con...@soundcloud.com> wrote:

> If you are using haproxy >=1.6, you might be able to do something like
> this:
>
> acl no_redir var(req.redir) -m str NO_REDIR
> http-request set-var(req.redir) \
> %[hdr(host),map(/etc/haproxy/redirect_host.map,NO_REDIR)]
> http-request redirect location %[var(req.redir)] code 301 if !no_redir
>
> This is completely made up and untested, but I hope you get the idea.
> Avoids a second map lookup altogether, but also map lookups are quite fast,
> so unless you map is huge you don't really need to worry about this. Also,
> double negation, but this is just to give you some idea
>
> Cheers,
> Conrad
> --
> Conrad Hoffmann
> Traffic Engineer
>
> SoundCloud Ltd. | Rheinsberger Str. 76/77, 10115 Berlin, Germany
>
>


Only using map file when an entry exists

2016-03-03 Thread Neil - HAProxy List
Hello

HA-Proxy version 1.5.15 2015/11/01

I've got a service with some redirects for old virtual hosts to new
locations on main website that I want to store in a map file
/etc/haproxy/redirect_host.map with lines like
www.oldname.com http://www.shiny.net/collections/oldname

My issue is I don't want a redirect to occur when there is no entry in the
map

I started with

  http-request redirect location
%[hdr(host),map(/etc/haproxy/redirect_host.map)] code 301

This would take out the whole site, as a request to http://www.shiny.net
gets a redirect with a blank location (and so does
http://www.shiny.net/collections/oldname) - this is because they are all in
the same frontend.

so as a hack around I've taken the first column to another file and gone
with

  acl isRedirectHost hdr(host) -i -f /etc/haproxy/acl_isRedirectHost.txt
  http-request redirect location
%[hdr(host),map(/etc/haproxy/redirect_host.map)] code 301 if isRedirectHost

This works but is yuck (I'd have to automate generating the acl file from
the map - not hard but not clean). Ideally I'd like a way to only redirect
when a value is in the map. What would be fine is if there were a
contained_in_map function that I could use, something like

  http-request redirect location
%[hdr(host),map(/etc/haproxy/redirect_host.map)] code 301 if
%[hdr(host),contained_in_map(/etc/haproxy/redirect_host.map)]

All other suggestions very welcome too

Thank you,

Neil


help

2016-01-31 Thread haproxy




Howto masquerade real server in a two armed transparent setup

2015-11-11 Thread HAproxy
Trying to make a two armed transparent setup like mentioned here 
<http://www.loadbalancer.org/blog/load-balancing-methods> to do both 
transparently L4 [SSL] DR + L7 SSL termination load balanced services.

I'm having the load balanced services working, but I want the real servers to 
be able to access the public internet and to have other non-balanced services 
like management ssh access through HAproxy VMs to my real servers.

Question is now how do I possibly masquerade the real servers to access the public 
internet through my active/passive HAproxies, currently set up like mentioned 
here <http://www.devconsole.info/?p=1294>. Any hints/URLs are welcome.

TIA

/Steffen

découvrez votre offre

2015-06-19 Thread Bienvenue haproxy@formilux.org


Re: Access control for stats page

2015-04-21 Thread Neil - HAProxy List
Hello

Yep there is

Have a frontend

Send say /hastats to a hastats backend

have the backend have its stats URL be /hastats too

Set the acls in the frontend

I'll post a config example in a bit.

Neil
On 21 Apr 2015 20:09, CJ Ess zxcvbn4...@gmail.com wrote:

 Is there a way to setup an ACL for the haproxy stats page? We do have
 authentication set up for the URL, but we would feel better if we could
 limit access to a white list of local networks. Is there a way to do that?




Re: Access control for stats page

2015-04-21 Thread Neil - HAProxy List
here are some relevant snips
I run this with the same address as the service

frontend SSL
...
acl url_hastats url_beg /hastats
acl location_trusted src 123.123.123.0/24
acl magic_cookie_trusted hdr_sub(cookie) magicforthissiteonly=foobar_SHA1value_etc
use_backend hastats if url_hastats location_trusted
use_backend hastats if url_hastats magic_cookie_trusted
# http-request rules run before use_backend, so the deny must exempt the trusted cases
http-request deny if url_hastats !location_trusted !magic_cookie_trusted
...

backend hastats
mode http
stats uri /hastats
stats realm Service\ Loadbalancer
stats show-desc <br/><font color='GoldenRod' size='5'>url.domain: Service Loadbalancer</font><br/><font color='blue' size='3'>running on hostname<br/> config version</font>
stats show-legends
stats auth admin:password
stats admin if TRUE


On 21 April 2015 at 21:04, Neil - HAProxy List 
maillist-hapr...@iamafreeman.com wrote:

 Hello

 Yep there is

 Have a frontend

 Send say /hastats to a hastats backend

 have the backend have its stats URL be /hastats too

 Set the acls in the frontend

 I'll post a config example in a bit.

 Neil
 On 21 Apr 2015 20:09, CJ Ess zxcvbn4...@gmail.com wrote:

 Is there a way to setup an ACL for the haproxy stats page? We do have
 authentication set up for the URL, but we would feel better if we could
 limit access to a white list of local networks. Is there a way to do that?




Re: ldap-check with Active Directory

2015-03-31 Thread Neil - HAProxy List
Hello

I was thinking of updating the ldap-check but I think I've a better idea.
Macros (well ish).

  send-binary 300c0201 # LDAP bind request ROOT simple
  send-binary 01 # message ID
  send-binary 6007 # protocol Op
  send-binary 0201 # bind request
  send-binary 03 # LDAP v3
  send-binary 04008000 # name, simple authentication
  expect binary 0a0100 # bind response + result code: success
  send-binary 30050201034200 # unbind request

could be in a file named macros/ldap-simple-bind

then the option
 tcp-check-macro ldap-simple-bind

would use it, I know this is close to includes.

similarly macros/smtp-helo-quit
 connect port 25
 expect rstring ^220
 send QUIT\r\n
 expect rstring ^221


or from
http://blog.haproxy.com/2014/06/06/binary-health-check-with-haproxy-1-5-php-fpmfastcgi-probe-example/
# FCGI_BEGIN_REQUEST
 send-binary   01 # version
 send-binary   01 # FCGI_BEGIN_REQUEST
 send-binary 0001 # request id
 send-binary 0008 # content length
 send-binary   00 # padding length
 send-binary   00 #
 send-binary 0001 # FCGI responder
 send-binary 0000 # flags
 send-binary 0000 #
 send-binary 0000 #
 # FCGI_PARAMS
 send-binary   01 # version
 send-binary   04 # FCGI_PARAMS
 send-binary 0001 # request id
 send-binary 0045 # content length
 send-binary   03 # padding length: padding for content % 8 = 0
 send-binary   00 #
 send-binary 0e03524551554553545f4d4554484f44474554 # REQUEST_METHOD = GET
 send-binary 0b055343524950545f4e414d452f70696e67   # SCRIPT_NAME = /ping
 send-binary 0f055343524950545f46494c454e414d452f70696e67 # SCRIPT_FILENAME = /ping
 send-binary 040455534552524F4F54 # USER = ROOT
 send-binary 000000 # padding
 # FCGI_PARAMS
 send-binary   01 # version
 send-binary   04 # FCGI_PARAMS
 send-binary 0001 # request id
 send-binary 0000 # content length
 send-binary   00 # padding length: padding for content % 8 = 0
 send-binary   00 #

 expect binary 706f6e67 # pong

(though for items like
send-binary 0e03524551554553545f4d4554484f44474554 # REQUEST_METHOD = GET
I'd prefer a
send-as-binary REQUEST_METHOD = GET
)

these and many others could be shipped with haproxy.

this seems to make sense to me as they are small contained logical items

Neil

On 30 March 2015 at 23:02, Baptiste bed...@gmail.com wrote:

 you should believe it :)

 On Mon, Mar 30, 2015 at 11:34 PM, Neil - HAProxy List
 maillist-hapr...@iamafreeman.com wrote:
  Hello
 
  Thanks so much. That worked well, I now get
  L7OK/0 in 0ms
  not sure I believe the 0ms but maybe I should
 
  Thanks again,
 
  Neil
 
  On 30 March 2015 at 22:14, Baptiste bed...@gmail.com wrote:
 
  On Mon, Mar 30, 2015 at 10:33 PM, Neil - HAProxy List
  maillist-hapr...@iamafreeman.com wrote:
   Hello
  
   I'm trying to use ldap-check with active directory and the response
   active
   directory gives is not one ldap-check is happy to accept
  
   when I give a 389 directory backend ldap server all is well, when I
use
   AD I
   get 'Not LDAPv3 protocol'
  
   I've done a little poking about and found that
   if ((msglen > 2) ||
       (memcmp(check->bi->data + 2 + msglen,
               "\x02\x01\x01\x61", 4) != 0)) {
           set_server_check_status(check,
                   HCHK_STATUS_L7RSP, "Not LDAPv3 protocol");
   is where I'm getting stopped as msglen is 4
  
   Here is tcpdump of 389 directory response (the one that works) 2 packets
   21:29:34.195699 IP 389.ldap > HAPROXY.57109: Flags [.], ack 15, win 905,
   options [nop,nop,TS val 856711882 ecr 20393440], length 0
   0x0000:  0050 5688 7042 0064 403b 2700 0800 4500  .PV.pB.d@;'...E.
   0x0010:  0034 9d07 4000 3f06 3523 ac1b e955 ac18  .4..@.?.5#...U..
   0x0020:  2810 0185 df15 5cab ffcd 63ba 77d3 8010  (.\...c.w...
   0x0030:  0389 2c07 0000 0101 080a 3310 62ca 0137  ..,...3.b..7
   0x0040:  2de0 -.
   21:29:34.195958 IP 389.ldap > HAPROXY.57109: Flags [P.], seq 1:15, ack 15,
   win 905, options [nop,nop,TS val 856711882 ecr 20393440], length 14
   0x0000:  0050 5688 7042 0064 403b 2700 0800 4500  .PV.pB.d@;'...E.
   0x0010:  0042 9d08 4000 3f06 3514 ac1b e955 ac18  .B..@.?.5U..
   0x0020:  2810 0185 df15 5cab ffcd 63ba 77d3 8018  (.\...c.w...
   0x0030:  0389 e878 0000 0101 080a 3310 62ca 0137  ...x..3.b..7
   0x0040:  2de0 300c 0201 0161 070a 0100 0400 0400  -.0a
  
   Here is tcpdump of active directory (broken) 1 packet
  
   21:25:24.519883 IP ADSERVER.ldap > HAPROXY.57789: Flags [P.], seq 1:23, ack
   15, win 260, options [nop,nop,TS val 1870785 ecr 20331021], length 22
   0x0000:  0050 5688 7042 0050 5688 7780 0800 4500  .PV.pB.PV.w...E.
   0x0010:  004a 1d7d 4000 8006 34e3 ac18 280d ac18  .J.}@...4...(...
   0x0020:  2810 0185 e1bd 5a3f 2ae7 3ced 7b5b 8018  (.Z?*..{[..
   0x0030:  0104 1d7a 0000 0101 080a 001c 8bc1 0136  ...z...6
   0x0040:  3a0d 3084 0000 0010 0201 0161 8400 0000

ldap-check with Active Directory

2015-03-30 Thread Neil - HAProxy List
Hello

I'm trying to use ldap-check with active directory and the response active
directory gives is not one ldap-check is happy to accept

when I give a 389 directory backend ldap server all is well, when I use AD
I get 'Not LDAPv3 protocol'

I've done a little poking about and found that
if ((msglen > 2) ||
    (memcmp(check->bi->data + 2 + msglen,
            "\x02\x01\x01\x61", 4) != 0)) {
        set_server_check_status(check,
                HCHK_STATUS_L7RSP, "Not LDAPv3 protocol");
is where I'm getting stopped as msglen is 4

Here is tcpdump of 389 directory response (the one that works) 2 packets
21:29:34.195699 IP 389.ldap > HAPROXY.57109: Flags [.], ack 15, win 905,
options [nop,nop,TS val 856711882 ecr 20393440], length 0
0x0000:  0050 5688 7042 0064 403b 2700 0800 4500  .PV.pB.d@;'...E.
0x0010:  0034 9d07 4000 3f06 3523 ac1b e955 ac18  .4..@.?.5#...U..
0x0020:  2810 0185 df15 5cab ffcd 63ba 77d3 8010  (.\...c.w...
0x0030:  0389 2c07 0000 0101 080a 3310 62ca 0137  ..,...3.b..7
0x0040:  2de0 -.
21:29:34.195958 IP 389.ldap > HAPROXY.57109: Flags [P.], seq 1:15, ack 15,
win 905, options [nop,nop,TS val 856711882 ecr 20393440], length 14
0x0000:  0050 5688 7042 0064 403b 2700 0800 4500  .PV.pB.d@;'...E.
0x0010:  0042 9d08 4000 3f06 3514 ac1b e955 ac18  .B..@.?.5U..
0x0020:  2810 0185 df15 5cab ffcd 63ba 77d3 8018  (.\...c.w...
0x0030:  0389 e878 0000 0101 080a 3310 62ca 0137  ...x..3.b..7
0x0040:  2de0 300c 0201 0161 070a 0100 0400 0400  -.0a

Here is tcpdump of active directory (broken) 1 packet

21:25:24.519883 IP ADSERVER.ldap > HAPROXY.57789: Flags [P.], seq 1:23, ack
15, win 260, options [nop,nop,TS val 1870785 ecr 20331021], length 22
0x0000:  0050 5688 7042 0050 5688 7780 0800 4500  .PV.pB.PV.w...E.
0x0010:  004a 1d7d 4000 8006 34e3 ac18 280d ac18  .J.}@...4...(...
0x0020:  2810 0185 e1bd 5a3f 2ae7 3ced 7b5b 8018  (.Z?*..{[..
0x0030:  0104 1d7a 0000 0101 080a 001c 8bc1 0136  ...z...6
0x0040:  3a0d 3084 0000 0010 0201 0161 8400 0000  :.0a
0x0050:  070a 0100 0400 0400

this was discussed but not finished before see
http://www.serverphorums.com/read.php?10,394453

I can see the string \02\01\01\61 is there but not in the correct place

Anyone have any ideas about fixing this so that both (and possibly other)
ldap implementations work?

Thanks,

Neil


Re: ldap-check with Active Directory

2015-03-30 Thread Neil - HAProxy List
Hello

Thanks so much. That worked well, I now get

*L7OK/0 in 0ms*
not sure I believe the 0ms but maybe I should

Thanks again,

Neil

On 30 March 2015 at 22:14, Baptiste bed...@gmail.com wrote:

 On Mon, Mar 30, 2015 at 10:33 PM, Neil - HAProxy List
 maillist-hapr...@iamafreeman.com wrote:
  Hello
 
  I'm trying to use ldap-check with active directory and the response
 active
  directory gives is not one ldap-check is happy to accept
 
  when I give a 389 directory backend ldap server all is well, when I use
 AD I
  get 'Not LDAPv3 protocol'
 
  I've done a little poking about and found that
  if ((msglen > 2) ||
      (memcmp(check->bi->data + 2 + msglen,
              "\x02\x01\x01\x61", 4) != 0)) {
          set_server_check_status(check,
                  HCHK_STATUS_L7RSP, "Not LDAPv3 protocol");
  is where I'm getting stopped as msglen is 4
 
  Here is tcpdump of 389 directory response (the one that works) 2 packets
  21:29:34.195699 IP 389.ldap > HAPROXY.57109: Flags [.], ack 15, win 905,
  options [nop,nop,TS val 856711882 ecr 20393440], length 0
  0x0000:  0050 5688 7042 0064 403b 2700 0800 4500  .PV.pB.d@;'...E.
  0x0010:  0034 9d07 4000 3f06 3523 ac1b e955 ac18  .4..@.?.5#...U..
  0x0020:  2810 0185 df15 5cab ffcd 63ba 77d3 8010  (.\...c.w...
  0x0030:  0389 2c07 0000 0101 080a 3310 62ca 0137  ..,...3.b..7
  0x0040:  2de0 -.
  21:29:34.195958 IP 389.ldap > HAPROXY.57109: Flags [P.], seq 1:15, ack 15,
  win 905, options [nop,nop,TS val 856711882 ecr 20393440], length 14
  0x0000:  0050 5688 7042 0064 403b 2700 0800 4500  .PV.pB.d@;'...E.
  0x0010:  0042 9d08 4000 3f06 3514 ac1b e955 ac18  .B..@.?.5U..
  0x0020:  2810 0185 df15 5cab ffcd 63ba 77d3 8018  (.\...c.w...
  0x0030:  0389 e878 0000 0101 080a 3310 62ca 0137  ...x..3.b..7
  0x0040:  2de0 300c 0201 0161 070a 0100 0400 0400  -.0a
 
  Here is tcpdump of active directory (broken) 1 packet
 
  21:25:24.519883 IP ADSERVER.ldap > HAPROXY.57789: Flags [P.], seq 1:23, ack
  15, win 260, options [nop,nop,TS val 1870785 ecr 20331021], length 22
  0x0000:  0050 5688 7042 0050 5688 7780 0800 4500  .PV.pB.PV.w...E.
  0x0010:  004a 1d7d 4000 8006 34e3 ac18 280d ac18  .J.}@...4...(...
  0x0020:  2810 0185 e1bd 5a3f 2ae7 3ced 7b5b 8018  (.Z?*..{[..
  0x0030:  0104 1d7a 0000 0101 080a 001c 8bc1 0136  ...z...6
  0x0040:  3a0d 3084 0000 0010 0201 0161 8400 0000  :.0a
  0x0050:  070a 0100 0400 0400
 
  this was discussed but not finished before see
  http://www.serverphorums.com/read.php?10,394453
 
  I can see the string \02\01\01\61 is there but not in the correct place
 
  Anyone have any ideas about fixing this so that both (and possibly other)
  ldap implementations work?
 
  Thanks,
 
  Neil


 Hi Neil

 Yes you can switch to the tcp-check checking method.
 It works with binary protocols as well.
 Here is what I use for the AD in my lab:

  option tcp-check
  tcp-check connect port 389
  tcp-check send-binary 300c0201 # LDAP bind request ROOT simple
  tcp-check send-binary 01 # message ID
  tcp-check send-binary 6007 # protocol Op
  tcp-check send-binary 0201 # bind request
  tcp-check send-binary 03 # LDAP v3
  tcp-check send-binary 04008000 # name, simple authentication
  tcp-check expect binary 0a0100 # bind response + result code: success
  tcp-check send-binary 30050201034200 # unbind request


 You could add the same sequence for LDAPs on port 636:
  tcp-check connect port 636 ssl
  tcp-check send-binary 300c0201 # LDAP bind request ROOT simple
  tcp-check send-binary 01 # message ID
  tcp-check send-binary 6007 # protocol Op
  tcp-check send-binary 0201 # bind request
  tcp-check send-binary 03 # LDAP v3
  tcp-check send-binary 04008000 # name, simple authentication
  tcp-check expect binary 0a0100 # bind response + result code: success
  tcp-check send-binary 30050201034200 # unbind request


 Note for myself: put this tip on the blog..

 Baptiste
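
As an added example (not code from the thread, nor HAProxy's own ldap-check), the Python below decodes the two bind responses captured above and shows why a fixed-offset match works for OpenLDAP but not for Active Directory: AD wraps its BER lengths in long form (84 00 00 00 10), so the result code moves. It also rebuilds the bind and unbind bytes spelled out in the tcp-check lines; the message bytes are transcribed from the captures, and the tag constants follow RFC 4511.

```python
"""
Decode the two LDAP BindResponse messages captured in the thread above and show
why matching the result code at a fixed byte offset works for OpenLDAP but not
for Active Directory.

OpenLDAP encodes BER lengths in short form (30 0c ... 61 07 ...); AD uses the
long form (30 84 00 00 00 10 ... 61 84 00 00 00 07 ...), which pushes every
later field 4 bytes further back for each length it wraps.  A minimal BER
walker that honours both forms finds the resultCode in either message.
"""

# TCP payloads transcribed from the two tcpdump captures quoted in the thread
# (constructed test input for this example, not live traffic).
OPENLDAP_BIND_RESPONSE = bytes.fromhex("300c020101" "61070a0100" "04000400")
AD_BIND_RESPONSE = bytes.fromhex("308400000010" "020101" "618400000007"
                                 "0a0100" "0400" "0400")

LDAP_SEQUENCE = 0x30
LDAP_INTEGER = 0x02
LDAP_ENUMERATED = 0x0A
LDAP_BIND_REQUEST = 0x60    # [APPLICATION 0], constructed
LDAP_BIND_RESPONSE = 0x61   # [APPLICATION 1], constructed
LDAP_UNBIND_REQUEST = 0x42  # [APPLICATION 2], primitive, empty

RESULT_CODE_SUCCESS = b"\x0a\x01\x00"   # what "tcp-check expect binary 0a0100" looks for


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the BER element at buf[pos].

    Handles the short form (length < 128 in one byte) and the long form
    (0x80 | n, followed by n length bytes) that AD emits.  Indefinite length
    (0x80 alone) is forbidden by LDAP and rejected here.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, pos, end


def parse_bind_response(msg):
    """Return (messageID, resultCode) from an LDAPMessage carrying a BindResponse."""
    tag, start, _ = read_tlv(msg, 0)
    if tag != LDAP_SEQUENCE:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    tag, s, e = read_tlv(msg, start)
    if tag != LDAP_INTEGER:
        raise ValueError("expected messageID INTEGER")
    message_id = int.from_bytes(msg[s:e], "big", signed=True)
    tag, s, e = read_tlv(msg, e)
    if tag != LDAP_BIND_RESPONSE:
        raise ValueError("expected BindResponse [APPLICATION 1]")
    tag, s, e = read_tlv(msg, s)          # first field of LDAPResult
    if tag != LDAP_ENUMERATED:
        raise ValueError("expected resultCode ENUMERATED")
    return message_id, int.from_bytes(msg[s:e], "big")


def fixed_offset_check(msg):
    """Naive check: expect 0a 01 00 where it sits in the OpenLDAP reply (offset 7)."""
    return msg[7:10] == RESULT_CODE_SUCCESS


def substring_check(msg):
    """What the tcp-check expect binary line does: match the bytes anywhere."""
    return RESULT_CODE_SUCCESS in msg


def ber_tlv(tag, content):
    """Encode one BER element in short form (enough for these small messages)."""
    if len(content) >= 0x80:
        raise ValueError("short-form helper only handles contents below 128 bytes")
    return bytes([tag, len(content)]) + content


def build_simple_bind(message_id, dn=b"", password=b""):
    """LDAPv3 simple BindRequest; with empty dn/password it is the anonymous bind
    that the send-binary lines above spell out byte by byte."""
    bind = ber_tlv(LDAP_BIND_REQUEST,
                   ber_tlv(LDAP_INTEGER, b"\x03")   # version 3
                   + ber_tlv(0x04, dn)              # name (OCTET STRING)
                   + ber_tlv(0x80, password))       # simple [0] authentication
    return ber_tlv(LDAP_SEQUENCE, ber_tlv(LDAP_INTEGER, bytes([message_id])) + bind)


def build_unbind(message_id):
    """UnbindRequest, as in the last send-binary line of the check."""
    return ber_tlv(LDAP_SEQUENCE,
                   ber_tlv(LDAP_INTEGER, bytes([message_id]))
                   + ber_tlv(LDAP_UNBIND_REQUEST, b""))


if __name__ == "__main__":
    for name, msg in (("OpenLDAP", OPENLDAP_BIND_RESPONSE), ("AD", AD_BIND_RESPONSE)):
        print(name, parse_bind_response(msg),
              "fixed-offset:", fixed_offset_check(msg),
              "substring:", substring_check(msg))
    print(build_simple_bind(1).hex(), build_unbind(3).hex())
```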



Re: no-sslv3 in default

2014-10-16 Thread Neil - HAProxy List
Hello

I'd go further. SSLv3 is an obsolete protocol; does anyone disagree with
that?
For a start make no-sslv3 the default and have an enable-obsolete-sslv3
option.
Or better make enabling it a compile time option.

Or maybe just get rid of it altogether?

The examples on the web and in this mailing list's archive should be usable
by beginners without opening themselves up to sslv3 issues. And
it'll save us all having to remember to type 8 chars to disable support for
something our clients do not use.
Cheers
Neil
On 15 Oct 2014 20:11, Bryan Talbot bryan.tal...@playnext.com wrote:

 With SSLv3 being so old, and in light of new (POODLE) exploits driving
 additional nails into its coffin, it would be nice to disable SSLv3 in a
 defaults section so that it doesn't get enabled by accident when someone
 adds a new bind line.

 Docs for 1.5 say that no-sslv3 is not supported in a defaults section.
 Can that option be added and made available in 1.5?

 -Bryan





Re: Using a WhiteList in HAProxy 1.5

2014-07-16 Thread Neil - HAProxy List
Hi

If you only have one range and it does not change often then an acl file
should be avoided.

http-request deny unless { src 123.123.123.123/123 }

If you have more than one range an acl should be used

Only if you have many or they change often would a file suit.
It's clearer imho

Neil
On 16 Jul 2014 17:10, Baptiste bed...@gmail.com wrote:

 On Wed, Jul 16, 2014 at 5:45 PM, JDzialo John jdzi...@edrnet.com wrote:
 
  Hi Guys,
 
  I want to only allow certain internal company IP addresses to have
  access to one of my web farms.  I am using haproxy 1.5 on Debian 7.
 
  I am using a whitelist.lst file with the following contents...
 
  10.0.0.0/8
 
  Here is my frontend configuration...
 
  frontend https-in
  bind *:443 ssl crt /etc/ssl/xxx.cert.chain.pem
  http-request allow if { src -f /etc/haproxy/whitelist.lst }
  reqadd X-Forwarded-Proto:https
  reqadd X-Forwarded-Port:443
  timeout client 60
  default-backend web
 
  However any IP is still allowed through this frontend.  It does not
  appear to be restricting access to any other IP.  Am I missing something in
  my configuration?
 
  Thanks
 
  John Dzialo | Linux System Administrator
  Direct 203.783.8163 | Main 800.352.0050
  Environmental Data Resources, Inc.
  440 Wheelers Farms Road, Milford, CT 06461
  www.edrnet.com | commonground.edrnet.com
 



 Hi John,

 Please avoid HTML mails...

 Give a try to the following configuration:
   http-request deny unless { src -f /etc/haproxy/whitelist.lst }


 Baptiste




Re: Binaries for HAProxy.

2014-07-16 Thread Neil - HAProxy List
And let's not do too much to dampen any pressure to get haproxy 1.5 into
rhel7 and ubuntu1404

Neil
On 16 Jul 2014 16:12, Ghislain gad...@aqueos.com wrote:



 Just put http://nd-build-01.linux-appliance.net/repos/centos/
 haproxy/haproy-centos-6x.repo under /etc/yum.repos.d/
 and issue yum install haproxy.


 of course, you are trusting the security of your entire server to this repo?
 before doing that just be sure of what this implies :)

 there is no issue in trusting someone but remember that you trust this
 someone to install software as root on your server and update the package
 when a new version comes.

  Do a minimum of homework before authorizing repos. I do trust the debian
 team for the backported 1.5 haproxy package but nevertheless i asked here if
 they were legit, verified what i could and limited the packages i accept
 from the repo to a minimum just in case. I think the same goes for
 centOS/Redhat repos, do check the source and if not sure build it yourself if
 there are no official sources.


 regards,
 Ghislain.
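
As an added example (not from the thread, and nothing to do with the repo linked above), the Python below audits a yum .repo file for the points Ghislain makes before it goes into /etc/yum.repos.d/: signature checking on, a key to check against, and the repo limited to the packages you actually want from it. The two sample files are constructed, and their baseurl and gpgkey are placeholders.

```python
"""
Audit a yum .repo file before it goes into /etc/yum.repos.d/.  Packages from
the repo are installed as root, so at minimum the repo should require
signature checks (gpgcheck=1 with a gpgkey) and be limited to the packages
you actually want from it (includepkgs).
"""
import configparser

# Constructed sample repo files for this example.  baseurl and gpgkey are
# placeholders: the thread only gives the URL of a .repo file, not its contents.
LAX_REPO = """\
[haproxy]
name=HAProxy 1.5 for CentOS 6 (constructed example)
baseurl=http://REPO-BASEURL-PLACEHOLDER/centos/6/haproxy/
enabled=1
gpgcheck=0
"""

RESTRICTED_REPO = """\
[haproxy]
name=HAProxy 1.5 for CentOS 6 (constructed example)
baseurl=http://REPO-BASEURL-PLACEHOLDER/centos/6/haproxy/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-PLACEHOLDER
includepkgs=haproxy haproxy-*
"""


def audit_repo(text):
    """Return {repo id: [findings]} for every enabled repo in the file contents.

    An empty findings list means the repo passes the three checks; disabled
    repos are skipped because yum will not pull anything from them.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    report = {}
    for repo in cp.sections():
        sec = cp[repo]
        if sec.get("enabled", "1").strip() != "1":
            continue
        findings = []
        if sec.get("gpgcheck", "0").strip() != "1":
            findings.append("gpgcheck is not 1: unsigned packages would be installed as root")
        if not sec.get("gpgkey", "").strip():
            findings.append("no gpgkey: there is nothing to verify package signatures against")
        if not sec.get("includepkgs", "").strip():
            findings.append("no includepkgs: the repo may replace any package, not just haproxy")
        report[repo] = findings
    return report


def is_acceptable(text):
    """True only when every enabled repo in the file has no findings."""
    return all(not findings for findings in audit_repo(text).values())


if __name__ == "__main__":
    for label, text in (("lax", LAX_REPO), ("restricted", RESTRICTED_REPO)):
        print(label, audit_repo(text))
```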




Re: 1.5 latest segfault trying to negate acl

2014-04-10 Thread Neil - HAProxy List
Hi

Thank you, I can confirm this fixes the issue for me

Thanks,

Neil


On 9 April 2014 12:35, Willy Tarreau w...@1wt.eu wrote:

 Hi guys,

 sorry it took that long to take a look at it.

 I've just pushed the patch, it's available here :


 http://git.1wt.eu/web?p=haproxy.git;a=commitdiff_plain;h=6a0b6bd648592e73f42fb8e7341bf984d26ba8dc

 The bug happens when the sc0_get_gpc0() statement is applied to an
 explicit table while sc0 is not yet tracked. The implicit table
 already contained the check for the existence of the tracker, but
 not the code doing the lookup in an alternate table.

 Thanks for reporting this!

 Willy




1.5 latest segfault trying to negate acl

2014-04-07 Thread Neil - HAProxy List
Hello

my logs have an uncomforting line


kernel: [7302179.685736] haproxy[1766]: segfault at 7c ip 7f6629410a9f
sp 7fffdaf98868 error 4 in libc-2.15.so[7f66292ae000+1b5000]

We caused this trying to use this config which tries to track the source of
a connection unless it matches an acl
following along the lines of
http://blog.serverfault.com/2010/08/26/1016491873/

global
    maxconn 4096
    user haproxy
    group haproxy

defaults
    mode    http
    retries 3
    option redispatch
    maxconn 2000
    timeout connect 5s
    timeout client 20s
    timeout server 60s

frontend http 0.0.0.0:80
    maxconn 25000
    default_backend be_default
    stick-table type ip size 200 expire 10s store gpc0
    acl on_naughtystep sc0_get_gpc0(http) gt 0
    use_backend be_badman if on_naughtystep
    # Both these directives will make haproxy segfault
    tcp-request connection track-sc0 src if !on_naughtystep
    # tcp-request connection track-sc0 src unless on_naughtystep
    # This one doesn't
    # tcp-request connection track-sc0 src

backend be_default
    balance roundrobin
    fullconn 1000
    server server server:80 maxconn 50 check inter 2000 rise 2 fall 2

backend be_badman
    block if TRUE
haproxy running is compiled from head

haproxy -vv
HA-Proxy version 1.5-dev22 2014/02/03
Copyright 2000-2014 Willy Tarreau w...@1wt.eu

Build options :
  TARGET  = linux26
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing
  OPTIONS = USE_LINUX_SPLICE=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built without zlib support (USE_ZLIB not set)
Compression algorithms supported : identity
Built with OpenSSL version : OpenSSL 1.0.1 14 Mar 2012
Running on OpenSSL version : OpenSSL 1.0.1 14 Mar 2012
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.12 2011-01-15
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Any ideas what to do next?

Thanks

Neil


Re: Haproxy 1.4 url redirection issue

2014-03-03 Thread Neil - HAProxy List
Hello Amol

Here is an example of the sort of thing I use

The 3 important things are
  ServerName https://servicename.domain.com:443
  SetEnv HTTPS on
  UseCanonicalName On


<VirtualHost *:8080>
  ServerName https://servicename.domain.com:443

  ## Vhost docroot
  DocumentRoot /var/www/

  ## Directories, there should at least be a declaration for /var/www

  <Directory /var/www>
    Options Indexes ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
  </Directory>

  ## Logging
  LogLevel warn
  ServerSignature Off


  ## Custom fragment
  # This tricks PHP into believing the script was accessed over SSL
  SetEnv HTTPS on

  DirectoryIndex index.php
  UseCanonicalName On

  ErrorLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_error.log /var/log/apache2/%Y/servicename_error-%Y%m%d.log"

  LogFormat "%h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\"" direct
  LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxied
  # make it always set
  SetEnvIf Remote_Addr ^ direct
  SetEnvIf X-Forwarded-For ^.*\..*\..*\..* !direct
  SetEnvIf X-Forwarded-For ^.*\..*\..*\..* proxied
  SetEnvIf Request_URI ^/healthcheck$ !direct

  # keep these SetEnvIf Request_URI ^/healthcheck$ !proxied
  CustomLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_directaccess /var/log/apache2/%Y/servicename_directaccess-%Y%m%d.log" direct env=direct
  CustomLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_access /var/log/apache2/%Y/servicename_access-%Y%m%d.log" proxied env=proxied

</VirtualHost>

I like to log traffic from the loadbal separately to traffic from the
public and I ignore /healthcheck from the loadbal but not from others.
You'll need to tell haproxy to option forwardfor. Also using cronolog.

Neil


On 1 March 2014 15:27, Baptiste bed...@gmail.com wrote:

 Hi

 More chance to get an answer from Apache 2.2 and wordpress people...

 Baptiste

 On Fri, Feb 28, 2014 at 4:12 PM, Amol mandm_z...@yahoo.com wrote:
  well the application behind haproxy in this case is wordpress on
 apache2.2,
  any settings there?
 
 
 
 
  On Friday, February 28, 2014 4:57 AM, Baptiste bed...@gmail.com wrote:
  It may not fix the issue.
  But at least the configuration will do what you expect from it...
 
  That said, the issue may be in the application too :)
  It is commonly seen that applications don't behave properly when SSL
  offloading is enabled in front of them.
 
  Baptiste
 
 
  On Thu, Feb 27, 2014 at 4:16 PM, Amol mandm_z...@yahoo.com wrote:
  Thanks Baptiste, let me give that a try
 
 
 
  On Thursday, February 27, 2014 9:37 AM, Baptiste bed...@gmail.com
 wrote:
  Hi Amol,
 
  There are a few improvements you can do.
  First update your frontend acl to:
   acl host_xx hdr(host) -i xx.com
 
  then in your backend, this ACL should never match: acl login_page
  url_beg  /xyz
  replace url_beg by path_beg.
 
  Your problem is not there as well.
  I think your application server is sending hardcoded data or Location
  headers.
  analyzing the body of the pages and HAProxy logs may help here.
 
  Baptiste
 
 
 
  On Tue, Feb 25, 2014 at 4:56 PM, Amol mandm_z...@yahoo.com wrote:
  Hi i am using HA-Proxy version 1.4.12 and i have an issue trying to
  redirect
  my website to http
  requirement : when a user types in http://website_name.com he should
  not
  be redirected to https://website_name.com
  currently it does that and some of the video links on our main page do
  not
  work (basically vimeo has http links while our page is https so it
 throws
  a
  security exception)
 
  at the same time we need users with http://website_name.com/xyz to
 be
  redirected to https://website_name.com/xyz (this helps users login
 to
  secure application)
 
  so under my current configurations i cannot get the first part to work,
  basically (www.website_name.com works and stays http but when i type
  http://website_name.com it does a redirection to https)
 
  frontend http-in
 bind xx.xx.xx.xx:80 name http
 bind 10.xx.xx.xx:8000 name https # forwarded by stunnel
 
 acl host_xx hdr_beg(host) -i xx.com
 use_backend xx-http if host_xx
 default_backend xx-https
 
  backend xx-http
 balance roundrobin
 cookie BALANCEID insert indirect nocache
 option http-server-close
 option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
 server xx-app1 xx.xx.xx.xx:80 cookie A check
 server xx-app6 xx.xx.xx.xx:80 cookie B check backup
 acl secure dst_port eq 8000
 acl login_page url_beg  /xyz
 redirect prefix https://xx.com if login_page !secure
 
  backend xx-https
 mode http
 balance roundrobin
 cookie BALANCEID insert indirect nocache
 option http-server-close
 # option forwardfor except 127.0.0.1
 option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
 server xx-app1 xx.xx.xx.xx:80 cookie s1 weight 1 maxconn 5000
  check

Re: HAProxy Next?

2013-12-17 Thread Neil - HAProxy List
Hi

I'd like the option of a web based api
to replace the functionality of the web admin pages with a service which
can be used remotely to monitor and control multiple haproxy and provide
any fancy authentication and auditing outside of the haproxy service using
whichever tech seems appropriate.

Exposing the socket via xinetd doesn't really do it, for me at least.

Neil
On 17 Dec 2013 08:16, Annika Wickert a.wick...@traviangames.com wrote:

  Hi all,

  we did some thinking about how to improve haproxy and which features
 we’d like to see in next versions.

  We came up with the following list and would like to discuss if they can
 be done/should be done or not.
 - One global statssocket which can be switched through to see stats of
 every bind process. And also an overall overview summed up from all
 backends and frontends.
 - One global control socket to control every backend server and set them
 inactive or active on the fly.
 - In general better nbproc > 1 support
 - Include possibility in configfile to maintain one configfile for each
 backend / frontend pair
 - CPU pinning in haproxy without manually using taskset/cpuset
 - sflow output
 - latency metrics at stats interface (frontend and backend, avg, 95%, 90%,
 max, min)
 - accesslist for statssocket or ldap authentication for stats socket

  Are there any others things which would be cool? I hope we can have a
 nice discussion about a “fancy” feature set which could be provided by
 lovely haproxy.

  Best regards,
 Annika

   ---
 System administration

  Travian Games GmbH
 Wilhelm-Wagenfeld-Str. 22
 80807 München
 Germany

  a.wick...@traviangames.com
 www.traviangames.de

  Registered office: Munich
 Munich District Court (AG München) HRB: 173511
 Managing Director: Siegfried Müller
 VAT ID: DE246258085


  This email and its attachments are strictly confidential and are
 intended solely for the attention of the person to whom it is addressed.
 If you are not the intended recipient of this email, please delete it
 including its attachments immediately and inform us accordingly.




url32+src - like base32+src but whole url including parameters

2013-11-04 Thread Neil - HAProxy List
Hello

I have a need to limit traffic to each url from each source address. much
like base32+src but the whole url including parameters (this came from
looking at the recent 'Haproxy rate limit per matching request' thread)

attached is a patch that seems to do the job, it's a copy and paste job of the
base32 functions

the url32 function seems to work too and using 2 machines to request the
same url locks me out of both if I abuse from either with the url32 key
function and only the one if I use url32_src

Neil




Re: Haproxy rate limit per matching request

2013-11-04 Thread Neil - HAProxy List
Hello

Chris and I followed this example but found that it limits by url but for
all users. that might be what you want in a slashdotting but its not what
we want for individual users falling asleep with nose on f5(reload) key

we looked at base32+src rather than url but that excludes the url parameters

I've started a separate thread with a new url32+src function.

Neil


On 1 November 2013 18:39, Cyril Bonté cyril.bo...@free.fr wrote:

 Hi Przemyslaw,

 On 31/10/2013 12:05, Przemysław Hejman wrote: Hello guys, it's me once
 again.

 
  I just wanted to share my experiences after several very simple
  acceptance tests. First of all, I've found that the whitelist did not
  work - I had to change my configuration to something like this:
 
  global
  stats socket /tmp/haproxy.sock
  defaults
  mode http
  timeout connect 5000ms
  timeout client 5ms
  timeout server 5ms
  frontend app
  bind *:8080
  option http-server-close
  stick-table type integer size 200k expire 30m store
 http_req_cnt
  acl white_list src 127.0.0.1 192.168.1.205 192.168.0.133
  tcp-request content accept if white_list
  tcp-request content track-sc0 urlp(SID,?)
  tcp-request content reject if { sc0_http_req_cnt gt 2 }
  tcp-request inspect-delay 10s
  default_backend web_servers
  backend web_servers
  balance roundrobin
  server web01 127.0.0.1:80 check inter 1000
 
  Therefore, I've decided to do a little test. I've put request sent by
  curl in a for loop  like this
  for i in `seq 1 400`; do curl
  192.168.0.132:8080/index.html?SID=33?asdf; done
 
  Everything seemed fine HOWEVER I have noticed that several (about 20)
  requests randomly PASSED.

 Sorry, I didn't have time to reply to the configuration you provided last
 time. But it is normal if it didn't work 100% of the time: this is
 because you forgot to add a line that waits for layer 7 information, as
 Willy said.

 The important thing was to add :
 tcp-request content reject if !HTTP



  Pushing the stick-table and tracking/rejecting operations back to
  backend definition solved my problem.

 Indeed, this is another way to wait for HTTP data to be complete, as a
 HTTP frontend will use the backend only once the headers are received.

 Thanks for sharing.

 --
 Cyril Bonté




Re: AW: AW: Loadbalancing with ssl on www only

2013-10-29 Thread HAProxy List
Off topic: Presuming it's not long since you ordered, I would expect any
decent expensive certificate issuer to allow you to get a new certificate
with the additional name of the non-wildcard same name without charge; they
will most likely want the original revoked before refunding.
Unless they don't want any more orders from you.
Back on topic again:
A browser should not even get to the redirect without warning.  However it
could well cache the redirect and not bother you with warning the next time
you went there in that browser session.
Neil
On 29 Oct 2013 17:13, Felix Ferchland fe...@ferchland.org wrote:

 I can tell you, it worked.

 I think the difference is the kind of redirect (url vs header redirect).

 But I’m not an expert in proxy url rewriting, so I simply have to deal
 with that.

 I can’t order a new certificate for the domain because it’s an ev cert and
 these are quite expensive…

 From: David Coulson [mailto:da...@davidcoulson.net]
 Sent: Tuesday, 29 October 2013 17:58
 To: Felix Ferchland
 Cc: Bhaskar Maddala; haproxy@formilux.org
 Subject: Re: AW: Loadbalancing with ssl on www only


 No way it worked with Apache. Ssl verification happens before http can do
 anything.

 Sent from my iPad


 On Oct 29, 2013, at 12:39 PM, Felix Ferchland fe...@ferchland.org
 wrote:

 So it’s simply impossible to redirect the request?

 I was using nginx as reverse proxy before and even apache can do that with
 a redirection…

 I’m a little surprised that this is simply impossible and i need another
 ssl vertificate.

  

 But thanks for the quick answers!

  

  

 From: Bhaskar Maddala [mailto:madda...@gmail.com]
 Sent: Tuesday, 29 October 2013 16:07
 To: David Coulson
 Cc: Felix; haproxy@formilux.org
 Subject: Re: Loadbalancing with ssl on www only

  

 Ahh, thank you

 -Bhaskar

  

 On Tue, Oct 29, 2013 at 10:56 AM, David Coulson da...@davidcoulson.net
 wrote:

 A wildcard cert is helpful for some things, but domain.com will not
 validate against a cert issued for *.domain.com

  

 On 10/29/13, 10:52 AM, Bhaskar Maddala wrote:

 If it is any help you can get a certificate for *. domain.com

 On Oct 28, 2013 9:37 PM, Felix fe...@ferchland.org wrote:

 Hello,

 I am using haproxy to loadbalance my webapplication but I get into a
 problem
 with our ssl certificate.
 haproxy is also serving the ssl certificate to the clients. this works
 quite
 well. we only have certificate for www as subdomain, so all traffic hitting
 haproxy should be redirected to https://www.
 if the visitor comes from non ssl the domain can be rewritten without a
 problem, but if the visitor types the domain with ssl but without
 subdomain,
 the url can't be rewritten before the (in this case invalid) ssl
 certificate
 was served by haproxy.
 is there a way to redirect an ssl request before serving the certificate?

 global
maxconn 4096
daemon
log 128.0.0.1 local0

 defaults
log  global
mode http
contimeout   5000
clitimeout   5
srvtimeout   5
option forwardfor
retries 3
option redispatch
option http-server-close

 frontend http *:80
mode http
redirect location https://www.url.com if !{ ssl_fc }

 frontend https
# reqadd X-Forwarded-Proto:\ https
# www Redirect
mode http
acl non-www hdr(host)url.com
redirect prefix https://www.url.com if non-www

bind *:443 ssl crt /crt/ssl.pem no-sslv3
default_backend web
option forwardfor



 

  

  




Re: haproxy duplicate http_request_counter values (BUG)

2013-08-13 Thread haproxy
Oh, for some reason my mail client wasn't showing the response from
Willy when I made this reply. Not sure if this info is really necessary
any more. Will try the patch on that email and report back to it.

-Patrick

On 08/13/2013 07:13 PM, Patrick Hemmer wrote:

 On 2013/08/11 15:45, Patrick Hemmer wrote:
 I'm using the %rt field in the unique-id-format config parameter
 (the full value is %{+X}o%pid-%rt), and am getting lots of
 duplicates. In one specific case, haproxy added the same
 http_request_counter value to 70 different http requests within a
 span of 61 seconds (from various client hosts too). Does the
 http_request_counter only increment under certain conditions, or is
 this a bug?

 This is with haproxy 1.5-dev19

 -Patrick


 This appears to be part of a bug. I just experienced a scenario where
 haproxy stopped responding. When I went into the log I found binary
 garbage in place of the request ID. I have haproxy configured to route
 certain URLs, and to respond with a `errorfile` when a request comes
 in that doesn't match any of the configured paths. It seems whenever I
 request an invalid URL and get the `errorfile` response, the request
 ID gets screwed up and becomes jumbled binary data.

 For example: haproxy[28645]: 207.178.167.185:49560 api bad_url/<NOSRV>
 71/-1/-1/-1/71 3/3/0/0/3 0/0 127/242 403 PR-- Á + GET / HTTP/1.1
 Notice the Á, that's supposed to be the process ID and request ID
 separated by a hyphen. When I pipe it into xxd, I get this:

 0000000: 6861 7072 6f78 795b 3238 3634 355d 3a20  haproxy[28645]:
 0000010: 3230 372e 3137 382e 3136 372e 3138 353a  207.178.167.185:
 0000020: 3439 3536 3020 6170 6920 6261 645f 7572  49560 api bad_ur
 0000030: 6c2f 3c4e 4f53 5256 3e20 3731 2f2d 312f  l/<NOSRV> 71/-1/
 0000040: 2d31 2f2d 312f 3731 2033 2f33 2f30 2f30  -1/-1/71 3/3/0/0
 0000050: 2f33 2030 2f30 2031 3237 2f32 3432 2034  /3 0/0 127/242 4
 0000060: 3033 2050 522d 2d20 90c1 8220 2b20 4745  03 PR-- ... + GE
 0000070: 5420 2f20 4854 5450 2f31 2e31 0a         T / HTTP/1.1.


 I won't post my entire config as it's over 300 lines, but here's the
 juicy stuff:


 global
 log 127.0.0.1   local0
 maxconn 20480
 user haproxy
 group haproxy
 daemon

 defaults
 log global
  mode    http
 option  httplog
 option  dontlognull
 retries 3
 option  redispatch
 timeout connect 5000
 timeout client 6
 timeout server 17
 option  clitcpka
 option  srvtcpka

 stats   enable
 stats   uri /haproxy/stats
 stats   refresh 5
 stats   auth my:secret

 listen stats
 bind 0.0.0.0:90
 mode http
 stats enable
 stats uri /
 stats refresh 5

 frontend api
   bind *:80
   bind *:81 accept-proxy

   option httpclose
   option forwardfor
   http-request add-header X-Request-Timestamp %Ts.%ms
   unique-id-format %{+X}o%pid-%rt
   unique-id-header X-Request-Id
   rspadd X-Api-Host:\ i-a22932d9

   reqrep ^([^\ ]*)\ ([^\?\ ]*)(\?[^\ ]*)?\ HTTP.*  \0\r\nX-API-URL:\ \2


   acl is_1_1 path_dir /1/my/path
   use_backend 1_1 if is_1_1

   acl is_1_2 path_dir /1/my/other_path
   use_backend 1_2 if is_1_2

   ...

   default_backend bad_url

   log-format %ci:%cp\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\
 %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %U/%B\ %ST\ %tsc\ %ID\ +\ %r

 backend bad_url
   block if TRUE
   errorfile 403 /etc/haproxy/bad_url.http
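
As an added example (not Patrick's or HAProxy's code), the Python below audits log lines written with the log-format above for both symptoms in the report: unique-IDs that are not `<hex>-<hex>` as `%{+X}o%pid-%rt` should produce, and the same ID reused across requests. The sample lines are constructed; the first is the exact byte sequence from the xxd dump, and the field positions assume the log-format quoted in the config.

```python
"""
Audit HAProxy log lines written with the log-format from the config above for
the two symptoms in the report: unique-IDs that are not "<hex>-<hex>" (the
corrupted bytes in the errorfile case) and the same ID reused across requests.
"""
import re
from collections import Counter

# Token positions after splitting on single spaces, following the log-format
#   %ci:%cp %ft %b/%s %Tq/%Tw/%Tc/%Tr/%Tt %ac/%fc/%bc/%sc/%rc %sq/%bq %U/%B %ST %tsc %ID + %r
# preceded by the syslog tag "haproxy[pid]:".
TOKEN_CLIENT, TOKEN_STATUS, TOKEN_TSC, TOKEN_ID, TOKEN_PLUS, TOKEN_REQUEST = 1, 8, 9, 10, 11, 12

# unique-id-format %{+X}o%pid-%rt renders both numbers as upper-case hex.
UNIQUE_ID_RE = re.compile(rb"^[0-9A-F]+-[0-9A-F]+$")

# Constructed sample.  The first line is the exact byte sequence from the xxd
# dump in the report; the others are made up, two of them sharing an ID.
SAMPLE_LOG = [
    bytes.fromhex(
        "6861 7072 6f78 795b 3238 3634 355d 3a20 3230 372e 3137 382e 3136 372e 3138 353a"
        "3439 3536 3020 6170 6920 6261 645f 7572 6c2f 3c4e 4f53 5256 3e20 3731 2f2d 312f"
        "2d31 2f2d 312f 3731 2033 2f33 2f30 2f30 2f33 2030 2f30 2031 3237 2f32 3432 2034"
        "3033 2050 522d 2d20 90c1 8220 2b20 4745 5420 2f20 4854 5450 2f31 2e31 0a"
    ),
    b"haproxy[28645]: 10.0.0.5:40001 api 1_1/app1 10/0/1/20/31 5/5/1/1/0 0/0 300/1200 200 ---- 6FE5-1A + GET /1/my/path HTTP/1.1\n",
    b"haproxy[28645]: 10.0.0.6:40002 api 1_1/app1 12/0/1/25/38 5/5/1/1/0 0/0 300/1200 200 ---- 6FE5-1A + GET /1/my/path HTTP/1.1\n",
    b"haproxy[28645]: 10.0.0.7:40003 api 1_2/app2 8/0/1/15/24 5/5/1/1/0 0/0 300/900 200 ---- 6FE5-1B + GET /1/my/other_path HTTP/1.1\n",
]


def parse_line(raw):
    """Split one line into the fields we need; keeps raw bytes so corruption
    inside the ID field is preserved rather than decoded away."""
    tokens = raw.rstrip(b"\n").split(b" ")
    if len(tokens) <= TOKEN_REQUEST or tokens[TOKEN_PLUS] != b"+":
        raise ValueError("line does not match the expected log-format: %r" % raw)
    return {
        "client": tokens[TOKEN_CLIENT],
        "status": tokens[TOKEN_STATUS],
        "termination": tokens[TOKEN_TSC],
        "unique_id": tokens[TOKEN_ID],
        "request": b" ".join(tokens[TOKEN_REQUEST:]),
    }


def audit(lines):
    """Return (malformed, duplicates).

    malformed: (client, status, termination state, id bytes as hex) for IDs that
               do not look like pid-counter; duplicates: {id: count} for IDs
               seen more than once.
    """
    malformed = []
    seen = Counter()
    for raw in lines:
        rec = parse_line(raw)
        uid = rec["unique_id"]
        if UNIQUE_ID_RE.match(uid):
            seen[uid] += 1
        else:
            malformed.append((rec["client"], rec["status"], rec["termination"], uid.hex()))
    duplicates = {uid: n for uid, n in seen.items() if n > 1}
    return malformed, duplicates


if __name__ == "__main__":
    bad, dup = audit(SAMPLE_LOG)
    for item in bad:
        print("malformed unique-id:", item)
    for uid, n in dup.items():
        print("unique-id %s used %d times" % (uid.decode(), n))
```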



body of the shoe based bluish suede, nylon material, a couple of shoes with 
neon orange color finish and shoes before the shoes ultimately perhaps the 
white painted inside red two color Xuepentaikou appearance, in addition perhaps 
the eye, the full shoes looks like a fierce Meng piranha!


Returning to the nike shox women uk Hyperfuse will once more released a 
different color, this bivalent nike shox r4 Hyperfuse olive-green to the color 
main, solely inside, Nike Logotype, tongue Nike terms, bottom cushion for the 
toe end to eye-catching fluorescent green are dashed, cleverly finishing touch 
towards the overall color common sense. This double nike shox r4 Hyperfuse 
initiated a policy of at the Nike Sportswear store shelves available for sale 
so you desire to start with the shoes supporters must be aware.

The last winter NIKE special night to develop the nike shox reflective Jogging 
Series and unveiled VAPOR FLASH Hat. That a newcomer for the design, the 
unanticipated reaction so warm, made sale several days has speed journey city, 
to create of a reflective effects WINDRUNNER JACKET for your U.S. internal team 
this year NIKE will redouble their attempts and underneath the guise of Lunao 
theme outside reactions are also very fiery. Extremely popular, latest NIKEiD 
undertake this kind of nike shox broody material also enroll in the fray, as 
well as launched a personalized choice of reflective material AIR FORCE 1 iD. 
this is our online shop:http://www.nikeshoxnzuksaleonline.co.uk

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,730213,730213#msg-730213



the nike footwear Hyperposite just formally released the newest color to light-weight

2013-06-20 Thread haproxy
nike shoes uk 2013 future shelves on 12 , 31, To bell ringer the occasion, Nike 
special MvsW bolted faction bucket activities used yesterday evening, 
attended by Xu Hao Ying, Jan Dear, Stephanie Cheng also poems Ya, 903DJ 
DonaldMr member of the Dash, part with the Dear Jane Bob and Jackal, everybody 
wear the newest nike shoes the year 2013 and Pak Sha Road, Causeway Bay, Nike 
Sportwear Retailer to Happy Pit marching very bouncy!

Japanese shops atmos again with the NSW launch articulation edition 
http://www.nike.com this is not the initial involving the two sides A 
partnership, prior to the introduction of your atmos x nike shoes ane are 
desired and became a well used, and this also sale in the year of 2013, it will 
have two. A wilderness camouflage that has a leopard material lap decorated 
with snakelike, another in rainforest camouflage having a black serpentine. 2 
different styles merely all without losing the rave with the gas.

It appears to be Nike want a special color related nike shoes uk online shop 
Flyposite allow it to needlessly and Hyperposite of shoes go hand in hand, so 
the front in this Megatron was born.This double Megatron just isn't a 
formal cooperation models together with Hasbro, but Nike hit an edge ball, 
Detroit mighty team wide telephone receiver Calvin Johnson's sobriquet as being 
the inspiration to make this Megatron.The spring and summer of 2013, Nike 
launched a wonderful nike shoes Unification, to deliver protection for everyone 
sorts of sports, to help you to fulfill the challenges within the exercise 100 
% of confidence. Your the thicker net quilted neoprene uppers, fully engrossed 
foot and provides lightweight comfort As well as breathability, and also bring 
adequate reinforcement towards foot with fantastic warmth. nike shoes and boots 
inflatable cushion heel at the comfort, providing safeguard and cushioning on 
the foot. Low-occurrence Phylon midsole delivers lightweight cushioning, nike 
shoes multidirectional flex grooves inside forefoot, so education is more 
natural pace. Galosh point from the heel as well as the forefoot in the outsole 
help the wear resistance in the shoe using a different surface. Use traction 
mode to take more natural to sports execution.
http://www.nikeshoesukonlinesale.co.uk/media/catalog/product/cache/1/small_image/175x/9df78eab33525d08d6e5fb8d27136e95/n/i/nike_air321.jpg

August 2012, this nike free Hyperposite just basically released the 
revolutionary color to light-weight, the the celebrated sneaker collectors 
Mayor brought us a brand new color in the actual spy. This connected with Air 
Max Hyperposite one's body from the shoe to create a deep blue polyurethane 
foam material, metal grain allow it to be rich visual effects like gradient, 
then a sky-blasphemous swoosh extremely blatant same light bluish within the 
bottom palm Maximum AIR extraordinarily clear attractive.Popular, NEW BALANCE 
is actually jogging shoes to conquer the planet, each classic types entered the 
introduction could not escape being clicked, but very sorcerous the NEW BALANCE 
company throughout 2013 and still have not done well to target on jogging 
sneakers, but try ut skateboarding shoes. NIKE company could be the Chinese so 
it NEW BALANCE formally fired in jogging sneakers market, the roll-out of the 
environment Max 1 2013 QS USA Track  area of function jogging sneakers. 
Breathable uppers, the soles of erotic function, even though not personally 
experient, just consider the pictures I really believe can feel. 
this is our online store:http://www.nikeshoesukonlinesale.co.uk

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,730219,730219#msg-730219



nike free the year 2013 jogging sneakers midsole and outsole flex grooves

2013-06-20 Thread haproxy
nike free 5.0 damen 2013 running shoes midsole and outsole flex lines designed 
to increase thickness, and so the variable The translucent rubber tricky wear, 
and nevertheless a fantastic nike free inflatable cushion to ensure that 
cushioning technology look From the bottom seal Together with combined nike free 
air spring which using substance, service safety with the rearfoot Unanimous 
cost-free cushion freeimize impact moderation, so runs more smooth, natural 
bottom reached to the entire foot, damping force and result in the be sure, the 
safety and comfort.

nike free 5.0 herren place mouth-shoe wrought-iron design helps in reducing 
minimizes slipping, the wearing more comfortable comfortable. The EVA insole 
sole adopts in line with the tracks design, perfectly fit paroxysm of the foot 
shapes provide documentation The force reticular winder the entire foot, 
improvement comfort and breathability, on from less difficult 1,289 yuan This 
shoe will be at the price of Kwai sprint spikes (Nike Zoom Superfly) use of the 
Nike Fuse technology technology feet on the shoe adhesive tape to increase 
their training the amount of fit, comfort and transformation, the ultra-thin 
Phylon midsole a, full palm Pebax sprint sole platform and coupling This shoe 
will be at the price of 999 yuan.
http://www.nikeschuheschweizshop.com/skin/frontend/default/bluescale/images/bottom3.jpg


unprecedented nike free 5.0 v4 test, your of new version of the on the nike 
free 3.0 V2, although although have never seen change of the through the on 
the cushion of airflow, however the in the on the shoe itself has offers 
undergone big changes, even more retro taste, so that To ensure that at least 
The complete as compared to the updated version adidas_1 adidas_1 ane rather 
herbal tea far better. from on the new free fruit juice works on the model in 
the on the Air free 3 months, the body from the done made of nylon and as well 
as leather material mix and match, crimson dotted design it an extraordinary 
texture and mystique.

30 September 2013, the nike free 5.0 v4 damen total Foamposite loose silver 
metallic for sale, the free entire Foamposite free metallic typically silver 
steel known, recently late grocery store much bomb, the free no cost loose set 
only pair be whole palm loose atomic number 6 plate in the from the on the 
basketball shoes usually shoes before Garnett and Duncan approval integral 
safety net body of the on the shoe design, some strong performance free shoes, 
free restraint. be aware welcome internet shop: http://www.nikeschuheschweizshop.com

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,730220,730220#msg-730220



Re: Spy a cell phone anywhere in the world.

2013-06-17 Thread haproxy
i looked the blog copy9blog.com ;)

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,343992,726779#msg-726779



Nike Shox Barato such an creature off-line tote

2013-06-13 Thread haproxy
My spouse and i inserted an order intended for nike shox plus they didn't send 
a verification e mail. These people responded to an e-mail so it could well be 
over a couple weeks to even ship the shoes which was contradicting to their 
rescue insurance plan of two days. http://www.nike.com I emailed and demanded a 
reimbursement. The tutor said it would be 7-20 days to get your money back. 20 
days gone no amounts. Chances are they said the bucks could be during my 
account today. It were refunded once again. DON'T order readily available 
cozenage artists!!! You will lose your hard earned money.
http://www.nikeshoxnzukonline.co.uk/media/catalog/product/cache/1/small_image/175x/9df78eab33525d08d6e5fb8d27136e95/n/i/nikeshoxnz6.jpg

nike shox uk type of shoes functions very cushioned teachers along with genuine 
shock from the heels in the shoes. This lines are suited to the larger runner 
who wants one of the most cushioning available. Nike Shox are ideal for 
utilizing the pounding beyond running on hard surfaces like tangible and 
concrete. Nike Shox brand of Nike running sneakers allows your foot to mimic 
barefoot running play with no distressful in relation to hazard of treading on 
sharpened objects. These sneakers are exceedingly flexible and minimally 
cushioned to boost natural foot motility. They certainly require time to have 
helpful to, but they're very very theraputic for building up this base lowering 
quads.

cloth with the performer to nike shox r4 run locate the optimal structure 
regarding type concerning sneakers, lacoste via the internet, Original, 
actually might be a medley a part of footwear, or maybe fundamentally, these as 
discounted setting most footwear also simply because informal footwear blend. 
This unique nike air-move, a variety of forms, shop lacoste, may perhaps have 
their individual personalized spot for a hear the finest varieties Adidas Glow 
In The Dark

 Tenis Nike Shox they keep lead the popularity inside the craze world. When you 
haven't bought one last winter weather, you cannot miss the thrill in 2011. 
With Nike Shox Barato this animal offline handbag, setup wear the most 
efficient T-shirt extremely jeans, even though you peer stylish and elegant as 
the optimal pop figure. Clic handbagsIn regarding that wardrobe, there could be 
at nominal one handbag showcasing clic forming and ridge. These reliable 
handbags, which doesn't walk out style, can match your complete wardrobe for 
years and won't to be able to highlight well-being clic and trendy style.  
thanks for visiting our web store: http://www.nikeshoxnzukonline.co.uk

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,725079,725079#msg-725079



Nike Shox bought at Hibbett Sports having a dagger of the newborns face

2013-06-13 Thread haproxy
nike shox purchased at Hibbett Sports that has a sticker of the baby's face, 
the quantity 0-3 and a No' circle implies that the shoes are not for sale in 
those numbers pool. The shoes usually are not created using bad material, it is 
made with allow air through and sturdy material. Unbelievable Ease and comfort 
and superiority cause them to become suitable for. Well, the initial place I'd 
personally pay attention to these footwear is Nike's website. These people have 
a wide range of discounted products on the site and you could be able to find 
them there. I also notice that you will find Pink http://www.nike.com  Shox on 
sites like Eastbay, Finish Line, and Boom. Actually the best place to take a 
look could be Amazon-it is indeed my pet buying place and also you can never 
predict what will you find with small prices.
http://www.nikeshoxaustraliaonlinesale.com/media/catalog/product/cache/1/small_image/175x175/9df78eab33525d08d6e5fb8d27136e95/N/i/NikeShox283_2.jpg

With all the heat of World Cup, beyond the topic of teams,nike shox australia 
Mercurial Vapor may also be the mian topic among students. Considering the new 
compilation of Mercurial Vapor, it contunies the real key distinctive line of 
speed. Also the colors and fashoins can match the necessity of 90's. For 
football players gonna school football team, no take most widely used inside 
football field. Students who wish to be considered a prefessional football 
player may purchase one to get. Also the modern sale within this you'll be able 
to stimulate students to get one because of their teamate. Can school without 
the need of Nike, it may be impossible, the modern play invent of self-lacing 
Nike shox shoes will expand the greater sell to kids whose lacing lose day by 
day, also for these who will be lazy to lace shoes from the class. While using 
increasing sales of Nike shox shoes, the strom to varsity stands out as the new 
trend to new Nike shox shoes.

You can get them online on Nikes website, or nike shox australia online  store 
or outlet locations. They're also on amazon.com, or you might check eBay. In 
case you have an area Foot Locker store, even if they don't really contain the 
ones you desire in store, they'll order them available for you.2010 is an 
excellent year for Nike, with all the beginning of World Cup in South Africa, 
Nike offers various of products into market. Additionally, from NBA to 
football, Nike has followed its purpose - Simply sleep together. The original 
meaning may be used to basketball games. But after age period, they've got 
extended into each area. nike shox r3 men's shoe is a shoe that appears sharp 
rolling around in its deep set colors. The shoe comes in a very good blue, 
black red or blue color, which has a transparent Nike symbol quietly. It 
possesses a great rubber outsole for grip and sturdiness. It gives air sole 
unit cushioning and cushioning with premium leather for that upper areas. here 
you are at our web shop:http://www.nikeshoxaustraliaonlinesale.com

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,725080,725080#msg-725080



nice of Nike spread world wide

2013-06-13 Thread haproxy
Yes, the nike shoes is a great running footwear. It includes the runner an 
appropriate feel because of improved heel for landing and durability purposes. 
Furthermore , it provides you with cushioning due to full-length shox beneath 
the shoe.http://www.nike.com  Ecosystem Cole Haan Sneakers performance the 
truly great technology that make donning A lot of sneaker hassle-free than 
whenever you want before facing forward! Your own personal slimest soles all 
over the chicest large heel shoes setting up ashore your have Cole Haan 
web-site could features your Nike Air flow technologies which will make each 
and every tiny detail sense simply because while you are searching towards nike 
australia the cushiony smoke cigars Nike Air Yeezy Zen Gray.
http://www.nikeshoesukonlinesale.co.uk/media/catalog/product/cache/1/small_image/175x/9df78eab33525d08d6e5fb8d27136e95/n/i/nike_air321.jpg

From Nike cooperate with NBA in 1970s, nice of nike shoes uk  spread over the 
world. The majority of people knows Nike, from kids to olders, expecially NBA 
fans, just how much is above others. A lot of them want to own some Nike shox 
shoes which in turn is capable of doing their star dream. Much like Kobe or 
Jordan in NBA field, they can find their position within the pub baseball 
games. However, the orginal purchase of Nike shox is pricey, this may unhappy 
people who prefer to play basketball for themselves. Neverless to say those 
whose remuneration may simply slove the mealtime job, what can they are doing 
Just quit their dreams No, the roll-bankrupt online reap the benefits of 
convinence and help simple to use for getting discount Nike shox shoes, you 
need to simply try to look for Nike Shoes Sale or Discount Nike shoes, others 
like cheap Nike allows you to obtain the how does someone buy really cheap 
Nike shoes which in turn your family lavatory afraid.

once I looked at the nike shoes uk online shop box I noticed we have a toughie 
which usually displays any babys' experience, your numbers racket zero-3 along 
with the 'no' circle/slash symbol. Any idea why this sticker is within the box? 
The label states how the technique is stated in Taiwan. Would be the shoes 
created using bad real that is certainly harmful pertaining to infants?It 
really is that's doubtful an undesirable shoe. It may be a better idea to 
invest a bit more and search for a store that sells running shoes exclusively 
Since which will be better on your own feet and legs.

expert nike air jordan, Basket Nike Pas Cher, Nike Jordans Retro partisan, to 
supply Basket Nike Pas Cher, 100% guaranteed quality of Basket Air Jordan 
shoes, Air Jordan retro shoes and Nike Air Jordan to enrich your basketball 
equipment, free shipping jordans basketball shoes. We solemnly promise: not 
satisfied with the nike Jordan shoes, free of charge the indictment. If you 
find quality problems with the air jordan, we have replaced them free of charge. 
http://www.nikeshoesukonlinesale.co.uk

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,725087,725087#msg-725087



Re: Debian/Ubuntu packages for HAProxy

2013-06-07 Thread haproxy
While it's great to have more Ubuntu packages, especially for the dev version, 
I took a look at the Ubuntu ecosystem and basically all the packages are 
missing the USE_ZLIB to enable gzip compression.

If it can be added I'll start using them instead of compiling from source.

Cheers

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,720288,721806#msg-721806



Re: Spy a cell phone anywhere in the world.

2013-05-31 Thread haproxy
I found website www.copy9.com.
oh copy9 has many feature such as Ambient Voice Record, Yahoo Messenger Chat, 
Whatpsapp, Key Logger, Voice Memos, Notes, Photo Camera Roll (Pictures)... with 
lower price compared with spytic. Oh my god

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,343992,716611#msg-716611



Re: Spy a cell phone anywhere in the world.

2013-05-31 Thread haproxy
hello all how i can move my spytic account to  copy9 website. any help???

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,343992,716613#msg-716613



Re: Spy a cell phone anywhere in the world.

2013-05-31 Thread haproxy
oh thank you so much !!! :D

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,343992,716626#msg-716626



Haproxy 1.5 dev + Nginx 1.4.1 + SPDY

2013-05-20 Thread haproxy
Hi I currently have Haproxy 1.5 dev18 as a load balancer to 2x Nginx 1.4.1 
backend servers. 

The site i.e. mydomain.com is currently all http:// non-SSL based.

I want to utilise SPDY/SSL for mydomain.com at https://mydomain.com. However, 
trying to get my head around the best way to accomplish this.

1. Setup Haproxy with SPDY support only OR
2. Setup Nginx with SPDY support only

Question is

1. If I setup Haproxy with SPDY support only, do I still need to setup Nginx 
with SPDY support too ? Would both Haproxy and Nginx use and point to the same 
SSL certificate ? Anyone got a basic haproxy.cfg config example of how that 
would look ?

2. If I setup Nginx with SPDY support only, do I need to setup Haproxy with 
SPDY support too ? Would both Nginx 1.4.1 backends be setup with the same SSL 
certificate copied over from 1 Nginx backend to the other ?

Which would be better for

A. performance
B. scalability
C. management

Appreciate any advice and info to help clarify my understanding :)

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,709640,709640#msg-709640



Re: HAproxy tproxy problem when try to make transparent proxy

2013-05-15 Thread haproxy

Hello,

L. Alberto Giménez ha scritto:
 Please check that:

 * You have the tproxy enabled in your kernel
 * You have haproxy compiled with tproxy support

 Your backend servers *can't* see the clients directly (i.e., they have
 the haproxy box as default gateway and *no other* gateways).

 The same for the clients (not mandatory, but if they can see the
 servers, it may cause trouble).
Like I wrote before, I use ubuntu server 9.10, with kernel 2.6.31 and 
iptables 1.4.4, so with built-in tproxy support (if I'm not wrong).
And I compiled Haproxy by hands with correct parameters I think...

  lsmod
[...]
nf_tproxy_core24281 xt_socket,
[...]

  haproxy -vv
HA-Proxy version 1.4.2 2010/03/17
Copyright 2000-2010 Willy Tarreau 
Build options :
  TARGET  = linux26
  CPU = i686
  CC  = gcc
  CFLAGS  = -O2 -march=i686 -g
  OPTIONS = USE_LINUX_TPROXY=1 USE_STATIC_PCRE=1
[...]

The client can't see directly the backend server.
  ping -c 1 192.168.0.2
PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data.
 From 192.168.1.2 icmp_seq=1 Destination Host Unreachable
--- 192.168.0.2 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

The backend server can't see the clients directly.
  ping -c 1 192.168.1.2
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
*From 192.168.1.21 icmp_seq=1 Destination Host Unreachable* (not From 
192.168.0.2 like expected)
--- 192.168.1.2 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

So, incredible.. I find the trick.. Alberto, you save my mind.. :-)
In backend server I have 2nd ethernet card configured with 192.168.1.21.
The cable is out but I forget to disable it (how I'm chicken..)..
So every time the backend tries to access the client it goes via this route.

Many times errors are in the most simple things.

Thanks, thank you very much.. Really!

Daniele

Hi all,

perhaps there is hope for me too ...

I have HAProxy running on 192.168.1.101, with this configuration:

...
backend test
    mode http
    source 0.0.0.0 usesrc clientip
    server serv1 192.168.4.41

frontend test
    mode http
    bind 192.168.1.101:8090
    default_backend test

the HAProxy is from 1.5-dev6, build with TARGET=linux26 USE_LINUX_TPROXY=1, 
kernel is 2.6.26-2-amd64

The server is in my vmware player, debian 6 kernel 2.6.32-5-686). By default, 
player is bridged and dhcp assigns it ip 192.168.1.28 (host xp is 
192.168.1.62), and default gateway is 192.168.1.2

So manually change ip address on server (eth0, no other cards) to 192.168.4.41 
255.255.0.0, and set default gateway to be 192.168.1.101 (the HAProxy machine).

On HAProxy I have done routing commands as Daniele did.

And I still get 503.

What have I done wrong? Is there any known issue if SERVER is in virtual 
machine?

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,120994,707061#msg-707061
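A reply-path check for the transparent-proxy setup diagnosed above, as an added example that is not part of the thread or of HAProxy itself: it does the route lookup Daniele did by hand (does the backend's reply to the client go back through the HAProxy box, or leak out a second interface?) plus the build-option check from Alberto's list. Addresses are constructed to mirror the thread (client 192.168.1.2, backend 192.168.0.2, stray NIC 192.168.1.21); 192.168.0.1 as HAProxy's backend-side address is an assumption.

```python
"""Reply-path check for a tproxy (transparent proxy) backend.

Transparent proxying only works if the backend routes the client's address
back through HAProxy and has no other path to the client's network. This
parses `ip route show` style output, resolves the route a reply would take
with longest-prefix matching (as the kernel does) and reports whether that
route goes via the expected HAProxy address.
"""
import ipaddress
import re
from typing import NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None = directly connected
    dev: str


# Matches "default via X dev Y ..." and "A.B.C.D/N [via X] dev Y ...".
_ROUTE_RE = re.compile(
    r"^(?P<dst>default|\d+\.\d+\.\d+\.\d+(?:/\d+)?)"
    r"(?:\s+via\s+(?P<gw>\d+\.\d+\.\d+\.\d+))?"
    r"\s+dev\s+(?P<dev>\S+)"
)


def parse_routes(text: str) -> list[Route]:
    """Parse `ip route show` output; lines that do not match are skipped."""
    routes = []
    for line in text.splitlines():
        m = _ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = "0.0.0.0/0" if m.group("dst") == "default" else m.group("dst")
        gw = ipaddress.IPv4Address(m.group("gw")) if m.group("gw") else None
        routes.append(Route(ipaddress.IPv4Network(dst, strict=False), gw, m.group("dev")))
    return routes


def reply_route(routes: list[Route], client_ip: str) -> Optional[Route]:
    """Longest-prefix match: the route the backend would use to answer client_ip."""
    ip = ipaddress.IPv4Address(client_ip)
    candidates = [r for r in routes if ip in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.network.prefixlen)


def check_backend_path(route_text: str, client_ip: str, haproxy_ip: str) -> tuple[bool, str]:
    """True only if replies to client_ip leave the backend via the HAProxy box."""
    route = reply_route(parse_routes(route_text), client_ip)
    if route is None:
        return False, f"no route to {client_ip}"
    if route.gateway is None:
        return False, (f"{client_ip} is directly connected on {route.dev} "
                       f"({route.network}); replies bypass HAProxy")
    if str(route.gateway) != haproxy_ip:
        return False, f"replies to {client_ip} go via {route.gateway} on {route.dev}, not {haproxy_ip}"
    return True, f"replies to {client_ip} go via HAProxy {haproxy_ip} on {route.dev}"


def tproxy_compiled_in(haproxy_vv: str) -> bool:
    """Check `haproxy -vv` output for the USE_LINUX_TPROXY=1 build option."""
    for line in haproxy_vv.splitlines():
        if line.strip().startswith("OPTIONS"):
            return "USE_LINUX_TPROXY=1" in line
    return False


# Constructed sample data (the OPTIONS line mirrors the one in the thread).
HAPROXY_VV = """HA-Proxy version 1.4.2 2010/03/17
Build options :
  TARGET  = linux26
  OPTIONS = USE_LINUX_TPROXY=1 USE_STATIC_PCRE=1
"""

# Backend table with the forgotten second NIC: 192.168.1.0/24 is directly
# connected on eth1, so replies to 192.168.1.2 never pass through HAProxy.
BROKEN_ROUTES = """default via 192.168.0.1 dev eth0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.21
"""

# Same table after eth1 is disabled: the default route via HAProxy wins.
FIXED_ROUTES = """default via 192.168.0.1 dev eth0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
"""

if __name__ == "__main__":
    print("tproxy compiled in:", tproxy_compiled_in(HAPROXY_VV))
    for name, table in (("broken", BROKEN_ROUTES), ("fixed", FIXED_ROUTES)):
        ok, why = check_backend_path(table, "192.168.1.2", "192.168.0.1")
        print(f"{name}: {'OK' if ok else 'FAIL'} - {why}")
```

Run it on the backend with the real `ip route show` output and the real HAProxy address; a `FAIL` with "directly connected" is exactly the stray-interface case from the thread.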



Re: bytes_sent?

2013-05-15 Thread haproxy
This is already present in haproxy 1.5.
1.5 has a `log-format` parameter which lets you specify a custom format.
The format has a `%U` parameter which is the number of bytes sent by the
client.

-Patrick


On 2013/15/05 02:23, Joel Krauska wrote:
 The HTTP Log Format tracks bytes_read, which appears to be the number
 of bytes in the HTTP response send from the backend to the requesting
 client.

 https://code.google.com/p/haproxy-docs/wiki/HTTPLogFormat

 I feel also that bytes_sent may be an interesting field to track.

 For example: An Image upload site may care a lot more about image
 uploads to their servers than downloads. (esp for an upload backend pool)

 Checking the ratio of bytes_read vs bytes_sent also provides
 interesting insight in to how an application is performing.

 Is there anyway I can lobby to get bytes_sent added to future
 revisions of the HTTP Log format? 

 Is there any other method to collect this info?

 The stats page is already collecting Bytes in and Bytes out, but I'm
 missing it in the log format, so I can't look at it on a per-request
 level.

 Thanks,

 Joel
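A per-request analysis of the %B/%U pair Patrick mentions, as an added example that is not part of the thread or of HAProxy: the custom log-format string and the log lines are constructed, and the script gives the per-request upload view Joel says the stats page cannot.

```python
"""Per-request bytes_sent analysis from an HAProxy 1.5 custom log-format.

Assumed frontend configuration (constructed for this example):

    log-format "%ci:%cp [%t] %ft %b/%s %ST %B %U %r"

%B is the classic bytes_read (bytes HAProxy sent to the client) and %U is
bytes_uploaded (bytes the client sent). Totalling both directions per
backend and flagging upload-dominated requests is what an upload service
wants to see, including large POSTs the backend rejected.
"""
import re
from dataclasses import dataclass
from typing import Optional

_LINE_RE = re.compile(
    r"^(?P<client>\S+) \[(?P<ts>[^\]]+)\] (?P<frontend>\S+) "
    r"(?P<backend>[^/\s]+)/(?P<server>\S+) (?P<status>\d{3}) "
    r'(?P<bytes_read>\d+) (?P<bytes_uploaded>\d+) "(?P<request>[^"]*)"$'
)


@dataclass(frozen=True)
class LogRecord:
    client: str           # %ci:%cp
    frontend: str
    backend: str
    server: str
    status: int
    bytes_read: int       # %B: bytes HAProxy sent to the client
    bytes_uploaded: int   # %U: bytes the client sent to HAProxy
    request: str          # %r


def parse_line(line: str) -> Optional[LogRecord]:
    """Parse one line in the assumed format; None if it does not match."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    return LogRecord(
        client=m.group("client"),
        frontend=m.group("frontend"),
        backend=m.group("backend"),
        server=m.group("server"),
        status=int(m.group("status")),
        bytes_read=int(m.group("bytes_read")),
        bytes_uploaded=int(m.group("bytes_uploaded")),
        request=m.group("request"),
    )


def parse_lines(text: str) -> list[LogRecord]:
    records = [parse_line(line) for line in text.splitlines() if line.strip()]
    return [r for r in records if r is not None]


def summarize_by_backend(records: list[LogRecord]) -> dict[str, dict[str, int]]:
    """Requests and bytes in each direction, per backend."""
    totals: dict[str, dict[str, int]] = {}
    for r in records:
        t = totals.setdefault(r.backend, {"requests": 0, "bytes_read": 0, "bytes_uploaded": 0})
        t["requests"] += 1
        t["bytes_read"] += r.bytes_read
        t["bytes_uploaded"] += r.bytes_uploaded
    return totals


def upload_heavy(records: list[LogRecord], ratio: float = 4.0,
                 min_bytes: int = 65536) -> list[LogRecord]:
    """Requests whose upload dominates: at least min_bytes uploaded and more
    than `ratio` times what was sent back to the client."""
    return [r for r in records
            if r.bytes_uploaded >= min_bytes and r.bytes_uploaded > ratio * r.bytes_read]


# Constructed log lines; the fifth one deliberately does not match the format.
SAMPLE_LOG = """\
192.0.2.10:51234 [15/May/2013:02:23:41.123] http-in uploads/srv1 200 512 1048576 "POST /api/upload HTTP/1.1"
192.0.2.11:40122 [15/May/2013:02:23:42.001] http-in web/srv2 200 20480 311 "GET /index.html HTTP/1.1"
192.0.2.12:40500 [15/May/2013:02:23:43.555] http-in uploads/srv2 413 240 16777216 "POST /api/upload HTTP/1.1"
198.51.100.7:6000 [15/May/2013:02:23:44.000] http-in web/srv1 404 180 95 "GET /favicon.ico HTTP/1.1"
this line is not in the expected format and is skipped
"""

if __name__ == "__main__":
    recs = parse_lines(SAMPLE_LOG)
    for backend, t in summarize_by_backend(recs).items():
        print(backend, t)
    for r in upload_heavy(recs):
        print(f"upload-heavy: {r.client} {r.request} up={r.bytes_uploaded} "
              f"down={r.bytes_read} status={r.status}")
```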




Re: keep alive on both client and server side and x-forwarded-for

2013-05-10 Thread haproxy
Thnx Willy, understand now.

I am afraid this not an option for my case.

But generally, could this feature be added in the future? I think, from the 
usage point of view, that is reasonable request: I would like to know the 
client IP on my server, not the IP of the machine HAProxy is running on.

BR,
Saša

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,703863,704477#msg-704477



Any haproxy + nginx (ngx_pagespeed) users ?

2013-05-05 Thread haproxy
Curious whether anyone has tried using haproxy to load balance Nginx backends which 
have the Nginx Pagespeed ngx_pagespeed module enabled, and are using CDN pull services?

Problem is a bit complex, so just linking to the full explanation at 
https://groups.google.com/d/topic/ngx-pagespeed-discuss/-pX4cRlcwas/discussion

Summary of problem is

1. haproxy load balances over 4x VPS servers with Nginx backends for 
mydomain.com and each backend VPS has haproxy set cookie unique to each VPS, 
cookie name = vps1, vps2, vps3, vps4

2. each Nginx backend has sites using CDN pull service so that cdn.mydomain.com 
pulls source from mydomain.com

3. one of the VPS has ngx_pagespeed module installed 
https://github.com/pagespeed/ngx_pagespeed which allows optimisation of site 
elements i.e. minification and combining js/css links and rewriting the js/css 
urls.

4. now i have ngx_pagespeed to also rewrite mydomain.com/css and 
mydomain.com/js based urls to using cdn.mydomain.com/css and cdn.mydomain.js 
urls

5. problem is when a visitor visits mydomain.com and calls rewritten 
cdn.mydomain.com/css file, cdn.mydomain gets its source file from 
mydomain.com which haproxy load balancer runs on and can give the visitor one 
of the other 3 VPSes with non-ngx_pagespeed rewritten urls = 404 not found. So 
essentially, the mydomain.com page call becomes

mydomain.com/index tagged with vps4 cookie which is ngx_pagespeed nginx backend 
based
cdn.mydomain.com/css/style.pagespeed.css tagged with vps1 cookie which isn't 
ngx_pagespeed based so style.css gets 404 not found error

I think haproxy sees 2 user sessions here, the first being from actual user 
hitting mydomain.com and 2nd user it considers the cdn.mydomain.com calling 
mydomain.com original for the css file so it has a different cookie ?

Not sure if there's anything setting wise in haproxy to solve this ?

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,700728,700728#msg-700728



Balance Roundrobin vs Balance Source

2013-04-18 Thread haproxy
Hi All,

We have HAPROXY 1.4.22 running in our environment; one issue that I have 
encountered during testing concerns source IP address affinity, as we are trying 
to achieve a form of Sticky Session persistence. I noticed that if we have the 
following configuration in place then we experience problems with web pages not 
loading:

#-
# NSD which proxys to the NSD Application Servers on port 8081
#-

frontend http-nsd
mode http
bind *:8081
default_backend nsd

#-
# round robin balancing between the various backends
#-
backend nsd
 mode http
 balance roundrobin
  cookie SERVERID insert indirect nocache
  server server01 xxx.xxx.xxx.:8081 check cookie s1
  server server02 xxx.xxx..xxx:8081 check cookie s2 

If we then change the balance mode to source then the web page loads 
successfully.

Is this the correct way to be achieving 'stickiness' or is there a better, more 
elegant way of achieving this?

Many thanks Jon

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,692792,692792#msg-692792



Re: Is this possible in HAPROXY 1.4

2013-04-15 Thread haproxy
Thanks Lukas, much appreciated. I'll play around some more.

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,690173,690397#msg-690397



Is this possible in HAPROXY 1.4

2013-04-14 Thread haproxy
Hi All,

We have been testing HAPROXY 1.4 on a Cloud environment for a forthcoming 
implementation; due to the constraints on the cloud provider's SLB we decided to 
look at using something else.

So I implemented HAPROXY, and everything seemed to be going smoothly, until we 
started doing some functional testing.
The problem lies with the vendor's application, which uses Liferay: the 
application has some of its URLs hard-coded as http instead of https, 
so when we try the test the web page just hangs instead of re-directing to the 
correct page.

In a browser trace we see that the request as:

http:///servicedesk/controller?docommand=renderradform.., when it 
should be https://

I have played around with the haproxy configuration using 'redirect location 
https:// and redirect prefix https:// but without success.

On speaking to the vendor, they are aware of this issue, and for their own 
implementations they have used a physical F5 NLB and re-directed all http 
traffic over to https.

Am I able to do this in HAPROXY 1.4?

Many thanks for your time.

Best regards Jon

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,690173,690173#msg-690173



Re: Is this possible in HAPROXY 1.4

2013-04-14 Thread haproxy
Hi Lucas,

Thanks for taking the time to respond.

It might help explain further how the environment is set-up.

The data flow goes:

User - Internet - Cloud Firewall - Cloud SLB - DMZ Web Agent -  - HAPROXY 
- Liferay Application

The SSL termination is done at the Cloud SLB end, the traffic is then sent onto 
the Web Agent and then onto HAPROXY and then out to the application.

This mostly works fine, but for some of these functional elements we get this 
problem: when we click on some of the sub-menus in the application it fails 
to load, and the analyzer shows that the user is trying to access the resource 
using http instead of https. There is no SSL termination performed by HAPROXY, 
as the traffic is being passed via our Cloud SLB.
 
This is my current configuration:

global

log 127.0.0.1 local2

chroot  /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user    haproxy
group   haproxy
daemon

stats socket /var/lib/haproxy/stats

defaults
mode    http
log global
option  httplog
option  dontlognull
option http-server-close
option forwardfor   except 127.0.0.0/8
option  redispatch
retries 3
timeout http-request    10s
timeout queue   1m
timeout connect 10s
timeout client  1m
timeout server  1m
timeout http-keep-alive 10s
timeout check   10s
maxconn 3000

frontend http-openfire
bind *:7070
default_backend openfire

backend openfire
balance roundrobin
server   :7070 check
server   :7070 check

frontend http-uapi
bind *:7080
default_backend uapi

backend uapi
balance roundrobin
server   :7080 check
server   :7080 check

frontend http-sec
bind *:8080
default_backend sec

backend sec
 balance roundrobin
 server   :8080 check
 server   :8080 check

frontend http-wall
bind *:9080
default_backend wall

backend wall
balance roundrobin
server   :9080 check
server   :9080 check

frontend http-xmpp
bind *:9090
default_backend xmpp

backend xmpp
balance roundrobin
server   :9090 check
server   :9090 check

frontend http-aim
bind *:10080
default_backend aim

backend aim
balance roundrobin
server   :10080 check
server   :10080 check

frontend http-servicedesk
bind *:8081
default_backend servicedesk

backend servicedesk
 balance roundrobin
 server   :8081 check
 server   :8081 check

listen stats :1936
mode http
stats enable
stats hide-version
stats realm Haproxy\ Statistics
stats uri /
stats auth haproxy:

The bit that I am trying to work out concerns the 'backend servicedesk' and how 
I can make HAPROXY take the http request from the application and turn it into 
an https request; does this mean I have to install something like STUNNEL and 
the certificate on the HAPROXY server in order for it to be https?

What I tried was:

frontend unsecured *:80  
redirect location https:// - this is resolvable via a hosts file entry to 
the app1 server.

frontend  secured *:443  
   mode  http   
   default_backend  httpsapp

backend httpsapp  
mode  http  
balance roundrobin  
server  app1 :8081 check  
server  app2 :8081 check

But that doesn't seem to affect the outcome of the request.

I'm probably being stupid and not understanding what I need to cater for.

Thanks again.

Jon

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,690173,690196#msg-690196
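The two posts above describe the same situation: TLS is terminated at the cloud SLB, so HAProxy only ever sees plain HTTP and a `bind *:443` frontend on the HAProxy box is never reached. The config below is an added example for HAProxy 1.4, not Jon's configuration or an answer from the thread. It assumes the SLB adds an `X-Forwarded-Proto` header telling HAProxy which scheme the browser actually used (most SSL-offloading balancers do; check yours) and that the SLB forwards port-80 traffic to HAProxy as well. The host name `servicedesk.example.com` and the server addresses are placeholders.

```haproxy
# Added example (not the poster's config): HTTP-to-HTTPS handling in
# HAProxy 1.4 when TLS is terminated upstream at an SLB.
# Assumes the SLB sets X-Forwarded-Proto and forwards both schemes here.
global
    log 127.0.0.1 local2
    daemon

defaults
    mode http
    log global
    option httplog
    option http-server-close
    option forwardfor except 127.0.0.0/8
    timeout connect 10s
    timeout client 1m
    timeout server 1m

frontend http-servicedesk
    bind *:8081

    # True when the SLB received the request over TLS. HAProxy 1.4 has no
    # notion of the original scheme on its own, so the header is the only
    # signal available behind an offloading balancer.
    acl is_https hdr(X-Forwarded-Proto) -i https

    # A request that the browser sent over plain HTTP (a hard-coded http://
    # link) is bounced to the https:// form of the same URI; "prefix" keeps
    # the path and query string, so the user lands on the page they asked for.
    redirect prefix https://servicedesk.example.com code 301 if !is_https

    default_backend servicedesk

backend servicedesk
    balance roundrobin

    # The application also emits absolute http:// URLs in its own 3xx
    # redirects. Rewriting the Location header on the way out avoids a
    # second round trip through the redirect above for those responses.
    rspirep ^Location:\ http://(.*) Location:\ https://\1

    server app1 10.0.0.11:8081 check
    server app2 10.0.0.12:8081 check
```

Two checks before blaming the config: watch the HAProxy log while clicking one of the failing sub-menu links to confirm the plain-HTTP request actually arrives at HAProxy (if the SLB only forwards 443, nothing on the HAProxy side can redirect it), and confirm the header name and value your SLB sets, since the ACL matches it literally. Links embedded in HTML bodies are not rewritten by this; the redirect catches them once the browser follows them.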



Nike Air Max and Air Utmost twenty four-heptad string

2013-03-07 Thread haproxy
Nike transformation, mainly from hip-hop on the inspiration on the nike air max 
shoes. Additionally, as a result of interest in the world wide web amid young 
adults, Nike begun to accept a different key phrase. Air flow Utmost evolved 
into accessible in the web based retailer as well as online store. Nike Air Max 
and Air Utmost twenty four-heptad string, Nike as well as Nike Airforce boasts 
a great privilege. Thus, you can even prize all of them. For everyone methods 
of Nike shoes, they need to perform with Nike, so, they could adjust to the 
attitude throughout athletics, additionally , on behalf of one's soul inside 
movement .. Air Max Penny's first signature shoe, Nike decline, Hardaway title. 
The shoes include the most successful sneakerheads. It shows a big gem of 
cyclones plus the only visible wraparound Max Air device.

nike air max uk sale  key ingredient, as they can be a serious method to obtain 
beer fermentation of sugar. New breweries use barley malt extract, syrup or 
powder-like, this fermentation is significantly faster. Usually can be a 
special single mobile body yeast, sugar also to discharge liquor and CO2, the 
two additional identification portion of beer. To find out a certain 
possibility, you only currently know the dimensions and new kitchen 
countertops, you will need to have what sort of installation, obviously, have a 
chance, you may not. If the actually is the case, you may be told to start 
shopping. Whether you appear for the kitchen countertop materials reside within 
the network maybe in the vicinity of just one on the enhanced retailer, is 
unquestionably a great possibility, you do encounter an easy collection of 
material, most of different designs and different types of .. wearing AIR MAX 
2011 shoes, your feet will delight in great comfort, As a matter of fact, these 
shoes have won most people of all ages and praise. When i these positive 
comments and drive, and also try to try and buy a couple of Air Max shoes. I am 
happy with all the low price of those shoes, but superiority.
http://www.nikeairmaxsaleukonline.co.uk/media/catalog/product/cache/1/small_image/175x/9df78eab33525d08d6e5fb8d27136e95/e/3/e30_2.jpg

nike air max uk sale online infrared ostrich. Nike Air Max 90 Premium - 
infrared is among the favorite color of the oxygen Max 90 series. Airforce 
begun to love basketball to exhibit the character on the sport, has 
additionally become a fundamental portion of the sports culture. Release, AF125 
25-year extension of the legendary performance and classic styling, only those 
Nike imaginative, designers can do this, they may not be only focused on 
maintaining AF1 soul, is associated with innovation. In 2007, Nike launched the 
brand new Air Force 1 series from the original style features refined, Nike has 
placed the Air Force within the 25th, AF1 new journey. 
http://www.nikeairmaxsaleukonline.co.uk

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,666075,666075#msg-666075



Re: HAProxy 1.5 Dev12 SSL Segfault w/ssl_sni

2012-11-02 Thread haproxy
Are you using the latest build (now 20121030)? I believe there was a known 
segfault issue in 20121021 that has since been fixed

Regards,


Andy

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,594310,594344#msg-594344



Re: SSL connection logging

2012-10-08 Thread haproxy
Hi Willy,


Hi Andy,

On Sun, Oct 07, 2012 at 02:04:56PM +0200, hapr...@serverphorums.com wrote:
 Hi All,
 
 Now running the patched (20121006) 1.5-dev12 as a test - glad to see the
 ECDHE support and it looks to be working well.

Thanks for the feedback.

 Does the new version provide any detailed logging on the SSL connections
 established e.g. ciphers/protocols negotiated particularly for inbound
 connections?

Not yet. This is the point where we know we need some more work.

 It's just useful occasionally to be able to know this information in the
 event of having to debug issues, especially where connections from the
 public are involved? Thanks

I would go further, it's essential. Haproxy has always shone in the area
of logging, we can't reasonably stay this way without any information telling
us at least whether the connection was SSL or not !

Regards,
Willy

Thanks for this. I'll take that as a statement of intent, and look forward to 
seeing it appear at some point in the future when you guys get the chance! 
Meantime I'll carry on testing :)

Best Regards,


Andy

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,577075,577573#msg-577573



SSL connection logging

2012-10-07 Thread haproxy
Hi All,

Now running the patched (20121006) 1.5-dev12 as a test - glad to see the ECDHE 
support and it looks to be working well.
Does the new version provide any detailed logging on the SSL connections 
established e.g. ciphers/protocols negotiated particularly for inbound 
connections? It's just useful occasionally to be able to know this information 
in the event of having to debug issues, especially where connections from the 
public are involved? Thanks

Best Regards,


Andy

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,577075,577075#msg-577075
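As a point of reference for the logging Andy is asking about and Willy says is not there yet in 1.5-dev12: later HAProxy 1.5 releases expose it through the custom `log-format` tags `%sslv` (negotiated protocol version) and `%sslc` (negotiated cipher). The configuration below is an added example for those later versions, not something from this thread, and assumes a PEM bundle at `/etc/haproxy/certs/site.pem` and a syslog listener on 127.0.0.1.

```haproxy
# Added example (not part of the thread): logging the negotiated TLS
# version and cipher per connection. Requires a HAProxy 1.5 release
# that supports the %sslv/%sslc log-format tags; paths are placeholders.
global
    log 127.0.0.1 local0
    daemon

defaults
    mode http
    log global
    timeout connect 10s
    timeout client 1m
    timeout server 1m

frontend https-in
    bind *:443 ssl crt /etc/haproxy/certs/site.pem
    # The standard httplog line, then the TLS version and cipher the
    # client actually negotiated. Spaces in a log-format string are
    # escaped with a backslash.
    log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r\ sslv=%sslv\ sslc=%sslc
    default_backend app

backend app
    server app1 10.0.0.11:8080 check
```

The two extra fields at the end of each line are what make it possible, after the fact, to tell which public clients were still landing on an old protocol version or a weak cipher before tightening the `ciphers` list on the bind line.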



Re: git clone hangs?

2012-09-24 Thread haproxy
I had this same problem and it turned out to be an ssh problem, my .ssh 
directory did not have the correct permissions (which are 700).

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,407517,568942#msg-568942



how to submit mail and how to relay mails from haproxy for outgoing mails

2012-09-06 Thread haproxy
I want to load balance postfix for outgoing mails. My network configuration is 
as follows.

php application --> postfix:25 (localhost) --> haproxy (localhost) --> multiple smtp 
servers for mail relaying to other domains

I have configured haproxy, but I am confused with the binding of the port.

my /etc/haproxy.cfg file looks like


global
maxconn 4096 # Total Max Connections. This is dependent on ulimit
daemon
nbproc  4 # Number of processing cores. Dual Dual-core Opteron is 4 
cores for example.
log 127.0.0.1 mail

defaults
mode    tcp
clitimeout  6
srvtimeout  3
contimeout  4000

listen  smtp_proxy
bind 127.0.0.1:?   which port i should write here.
mode tcp
option tcplog
log global
server postfix 199.83.x.x:? (  which port i should write here.) 
send-proxy

and postfix also running on same server.

But when I write port no 25 to bind haproxy, it fails to start because 
postfix is already running on port 25.

Now I want to know on which port I should listen (bind) haproxy, and what port 
no I should write for the postfix server and postscreen_upstream_proxy_protocol = 
haproxy in master.cf, so postfix can use smtp_proxy using haproxy.

 in /etc/postfix/master.cf

?( which port i should write here.) inet  n   -   n   - 
  1   postscreen
smtpd pass  -   -   n   -   -   smtpd
Help will be appreciated.

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,558062,558062#msg-558062
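The port clash in the post comes from asking HAProxy and Postfix to both own 127.0.0.1:25. For the outbound flow described (local Postfix handing mail to several relays), HAProxy only needs some other local port that Postfix is told to relay to. The configuration below is an added example, not the poster's file or an answer from the thread; the relay addresses are TEST-NET placeholders and 10025 is an arbitrary free port.

```haproxy
# Added example (not the poster's config): HAProxy spreading outbound
# mail over several SMTP relays, with the local Postfix relaying to it.
# 192.0.2.x addresses are placeholders; 10025 is just an unused local port.
global
    daemon
    maxconn 4096
    log 127.0.0.1 local0

defaults
    mode tcp
    option tcplog
    log global
    timeout connect 5s
    timeout client 1m
    timeout server 1m

# Postfix keeps port 25; HAProxy listens on a separate loopback port
# that only the local Postfix instance talks to.
listen smtp_out
    bind 127.0.0.1:10025
    balance roundrobin
    # Health check that speaks SMTP (HELO + QUIT) instead of just
    # opening and dropping a TCP connection, which relays log as errors.
    option smtpchk HELO mail.example.com
    # Plain TCP to the relays. No send-proxy here: an ordinary SMTP
    # server reads the PROXY protocol header as a protocol error.
    server relay1 192.0.2.11:25 check
    server relay2 192.0.2.12:25 check
```

On the Postfix side, `relayhost = [127.0.0.1]:10025` in main.cf sends all outbound mail into this listener (the brackets suppress the MX lookup). `send-proxy` and `postscreen_upstream_proxy_protocol = haproxy` belong together only in the opposite, inbound direction, where HAProxy owns port 25 and postscreen runs on a different port in master.cf; nothing in the outbound path above needs them.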



HAproxy as a reverse+transparent proxy help (pfsense)

2012-08-24 Thread haproxy
Good morning people, 

Since yesterday I have an existing problem that I can't solve without any help.
Topology:
pfsense (Reverse+transparent proxy (haproxy), Load Balancer (of pfsense), SSL 
termination (stunnel))
after pfsense i have 2 web servers that pfsense load balance them.
Here is the picture with the exact topology: 
http://i50.tinypic.com/6tmzcm.png
So I have a pfsense VM with haproxy installed and I want this scenario: 
when a user hits a public IP address, or later the domain of a server, over http or 
https, I want to send him to 1 of the 2 servers depending on the load balancer. 
Also I want to make this reverse proxy transparent; I think this is the easy 
step and I think that I have found it, it's on the haproxy - tab Frontends - 
checkbox Use 'forwardfor' option. But how can I set it up in this topology?

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,552462,552462#msg-552462



Re: HAproxy as a reverse+transparent proxy help (pfsense)

2012-08-24 Thread haproxy
Hi Baptiste,

It's a VM and generally I don't think that it needs compiling with transparent 
proxy enabled; in the packages of pfsense there is haproxy, and haproxy supports 
transparency.

Regards,

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,552462,552488#msg-552488



Re: HAproxy as a reverse+transparent proxy help (pfsense)

2012-08-24 Thread haproxy
Yeah, the whole thing is not this. The transparent proxy is the last thing I want 
to know.

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,552462,552500#msg-552500



Re: HAproxy as a reverse+transparent proxy help (pfsense)

2012-08-24 Thread haproxy
I said it very clearly that I have found how to make it transparent, and I 
also said the exact way to do it. I want help with the set-up of the reverse 
proxy. 



This...


Regards,

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,552462,552583#msg-552583



Re: HAproxy as a reverse+transparent proxy help (pfsense)

2012-08-24 Thread haproxy
Yes, and I am asking how to set up haproxy to work as a reverse proxy, because 
haproxy can do load balancing too.


Regards,

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,552462,552625#msg-552625



Re: iptables performance impact

2012-08-13 Thread haproxy
Hello,

The only performance data I've seen is what impact do ACLs have on a router and 
firewall targeted at SMBs with an 'Allow-only' US policy. They then compared it 
to using an IP Blocker appliance to cut the noise on the perimeter before it 
reached devices deeper in the network. 
http://www.techguard.com/support/breakingpoint-poliwall-testing/ 

The increase in latency and drop in TCP connections was substantive. The 
appliances all had less than 100 Mbit of throughput. 

Hope that helps -- Doug

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,170409,545308#msg-545308



Re: haproxy - varnish - backend server

2012-06-19 Thread haproxy
Just coming back to update you all on the solution. It was as David suggested: 
just not letting varnish manipulate X-Forwarded-For allowed the haproxy - varnish 
configuration to work for the app :D

Thanks for your help guys..

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,508289,515997#msg-515997


