HTTP and send-proxy

2013-10-11 Thread jinge
Hi all!


I want to use the HAProxy PROXY protocol for our use case, to send our clients' IP 
address to the peer HAProxy. But after I configured send-proxy and accept-proxy 
in the configuration, the web request is never successfully responded to; the 503 error 
is always there.

Here is the configuration:
ha-L0.conf
--
# frontend ##
frontend tcp-in
bind 192.168.137.41:2220 
bind 192.168.132.41:2221 
bind 192.168.133.41: 
mode tcp
log global
option tcplog

#distinguish HTTP and non-HTTP
tcp-request inspect-delay 30s
tcp-request content accept if HTTP

#ACL DEFINE 
acl squid_incompatiable-Host hdr_reg(Host) -f /usr/local/etc/acl-define.d/squid_incompatiable-Host.txt
acl direct-dstip dst -f /usr/local/etc/acl-define.d/direct_out-dst.txt
#ACL DEFINE of websocket
acl missing_host hdr_cnt(Host) eq 0
acl QQClient hdr(User-Agent) -i QQClient
acl has_range hdr_cnt(Range) gt 0

#ACTION 
use_backend Direct if !HTTP 
use_backend Direct if HTTP_1.1 missing_host
use_backend Direct if direct-dstip
use_backend Direct if METH_CONNECT 
use_backend Direct if QQClient 
default_backend HAL1


backend HAL1
mode http
log global
source 0.0.0.0
server ha2-l1-n1  localhost:3330 send-proxy

ha-L1.conf
--
# frontend ##
frontend localhostlister
bind localhost:3330 accept-proxy
mode http

#ACL DEFINE 
acl direct-dstip dst -f /usr/local/etc/acl-define.d/direct_out-dst.txt
#ACL DEFINE of websocket
acl is_websocket hdr(Upgrade) -i WebSocket
acl is_websocket hdr_beg(Host) -i ws
acl missing_host hdr_cnt(Host) eq 0
acl QQClient hdr(User-Agent) -i QQClient
acl has_range hdr_cnt(Range) gt 0

#ACTION 
use_backend NginxClusterWebsockets if is_websocket
default_backend SquidCluster

backend SquidCluster
mode http
option forwardfor header X-Client
balance uri whole
log global
acl mgmt-src src  -f /usr/local/etc/acl-define.d/mgmt-src.txt

errorfile 502 /usr/local/etc/errorfiles/504.http
acl is_internal_error status ge 500
rspideny . if  is_internal_error !mgmt-src

# strip cache-revealing response headers for non-management sources
# (rspidel matches case-insensitively; anchor on the header name only)
rspidel ^via: unless mgmt-src
rspidel ^x-cache: unless mgmt-src
rspidel ^x-cache-lookup: unless mgmt-src
rspidel ^X-Ecap: unless mgmt-src
source 0.0.0.0 
option httpchk GET http://192.168.172.4/check.txt
server sq-L1-n1a x.x.x.x:3129   weight 20 check inter 5s maxconn 1


And using the haproxy -d argument, we found that ha0 never seems to send the message to 
ha1:


0090:HAL1.clireq[0019:]: GET http://www.taobao.com/ HTTP/1.1
0090:HAL1.clihdr[0019:]: User-Agent: curl/7.26.0
0090:HAL1.clihdr[0019:]: Host: www.taobao.com
0090:HAL1.clihdr[0019:]: Accept: */*
0090:HAL1.clihdr[0019:]: Proxy-Connection: Keep-Alive
008d:HAL1.clicls[000e:001a]
008d:HAL1.closed[000e:001a]

Can anyone help with what the problem is here?



---
Regards
Jinge
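
The header exchange that send-proxy and accept-proxy perform, as an added example that is not part of the original post and not HAProxy's own code: a Python encoder and decoder for PROXY protocol v1 (the text form a send-proxy server line emits before the first payload byte), plus the trust check an accept-proxy listener must enforce. The security point is that whoever may speak the protocol to a listener can assert any client address, and that address then feeds the listener's ACLs and logs. The sample addresses are constructed (203.0.113.7 is from the documentation range; 192.168.137.41:2220 is the front bind address from the post), and the trusted-network list is an assumption standing in for the loopback-only bind used in ha-L1.conf.

```python
"""PROXY protocol v1 helpers: what send-proxy emits and what accept-proxy must verify.

Added example, not HAProxy code. Sample addresses and the trust list are constructed.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

MAX_V1_HEADER = 107      # longest legal v1 line, CRLF included (spec limit)
CRLF = b"\r\n"


class ProxyHeader(NamedTuple):
    family: str          # "TCP4" or "TCP6"
    src_ip: str          # real client address as seen by the front proxy
    dst_ip: str          # address the client connected to on the front proxy
    src_port: int
    dst_port: int


def encode_v1(hdr: ProxyHeader) -> bytes:
    """Build the line a send-proxy peer writes before any application data."""
    if hdr.family not in ("TCP4", "TCP6"):
        raise ValueError("unsupported family")
    want = 4 if hdr.family == "TCP4" else 6
    for ip in (hdr.src_ip, hdr.dst_ip):
        if ipaddress.ip_address(ip).version != want:
            raise ValueError("address does not match family")
    for port in (hdr.src_port, hdr.dst_port):
        if not 0 <= port <= 65535:
            raise ValueError("port out of range")
    line = (f"PROXY {hdr.family} {hdr.src_ip} {hdr.dst_ip} "
            f"{hdr.src_port} {hdr.dst_port}").encode("ascii") + CRLF
    if len(line) > MAX_V1_HEADER:
        raise ValueError("header exceeds 107 bytes")
    return line


def decode_v1(data: bytes) -> Tuple[Optional[ProxyHeader], bytes]:
    """Parse the v1 header at the start of a connection.

    Returns (header, payload); header is None for "PROXY UNKNOWN", where the
    sender had no address to report. Raises ValueError on anything malformed,
    which a listener must treat as a protocol error and close, never as the
    beginning of client data.
    """
    if not data.startswith(b"PROXY "):
        raise ValueError("missing PROXY signature")
    end = data.find(CRLF, 0, MAX_V1_HEADER)
    if end < 0:
        raise ValueError("no CRLF within the first 107 bytes")
    fields = data[:end].decode("ascii").split(" ")   # non-ASCII -> ValueError
    payload = data[end + len(CRLF):]
    if fields[1] == "UNKNOWN":
        return None, payload
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("bad v1 field layout")
    _, family, src, dst, sport, dport = fields
    want = 4 if family == "TCP4" else 6
    for ip in (src, dst):
        if ipaddress.ip_address(ip).version != want:
            raise ValueError("address family mismatch")
    if not (sport.isdigit() and dport.isdigit()):
        raise ValueError("non-numeric port")
    src_port, dst_port = int(sport), int(dport)
    if max(src_port, dst_port) > 65535:
        raise ValueError("port out of range")
    return ProxyHeader(family, src, dst, src_port, dst_port), payload


def accept_connection(peer_ip: str, first_bytes: bytes,
                      trusted: List[str]) -> Tuple[str, bytes]:
    """Return (client address to use for ACLs and logs, application payload).

    Only peers inside `trusted` (assumed list of CIDRs) may assert a client
    address. An untrusted peer that opens with "PROXY " is trying to spoof its
    source and is refused; a trusted peer that sends a malformed or missing
    header raises ValueError and should simply be disconnected.
    """
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in ipaddress.ip_network(net, strict=False) for net in trusted):
        hdr, payload = decode_v1(first_bytes)
        return (hdr.src_ip if hdr else peer_ip), payload
    if first_bytes.startswith(b"PROXY "):
        raise PermissionError(f"PROXY header from untrusted peer {peer_ip}")
    return peer_ip, first_bytes


def rejects(func, *args) -> bool:
    """True when the call is refused; used to exercise the error paths."""
    try:
        func(*args)
    except (ValueError, PermissionError):
        return True
    return False


# Constructed sample: the front proxy saw a client at 203.0.113.7 connect to
# its 192.168.137.41:2220 listener and relays the request to the next hop.
SAMPLE = encode_v1(ProxyHeader("TCP4", "203.0.113.7", "192.168.137.41", 40001, 2220)) \
    + b"GET http://www.taobao.com/ HTTP/1.1\r\nHost: www.taobao.com\r\n\r\n"

if __name__ == "__main__":
    client, payload = accept_connection("127.0.0.1", SAMPLE, ["127.0.0.0/8"])
    print(client, payload.split(CRLF)[0])
```

The loopback-only `bind localhost:3330 accept-proxy` in ha-L1.conf plays the role of the trust list here: a listener with accept-proxy honours the header from every peer that reaches it, so it must be reachable only from the sending proxy. HAProxy 1.5 also offers `tcp-request connection expect-proxy layer4 if { src ... }` to require the header from selected sources only, which is the in-configuration form of the same check.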






Re: ACL HTTP does not capture all the HTTP traffic?

2013-07-17 Thread jinge
Hi Lukas,


 I'm not sure I understand this configuration. Can you clarify what services
 you are offering and what it has to do with transparent proxying?
 
 Looks to me like you use option transparent to transform HAProxy into a
 forward proxy, but HAProxy really is a reverse proxy only.


Yes, we use HAProxy as a forward proxy, and everything works great, except the 
backend Go Direct. After a few experiments we found that:
 - when we use the options http-server-close and http-pretend-keepalive in the 
defaults section, HAProxy did not capture all the HTTP traffic;
 - when we use the option forceclose, our HAProxy gets all of the HTTP 
traffic correctly.


 Reproduce the problem, start HAProxy in debug mode, and post the debug output
 of a session which erroneously goes to the direct backend. I suspect it's
 not valid HTTP and therefore goes to the direct backend.
 
 Also post the output of ./haproxy -vv.
 

And our haproxy -vv
HA-Proxy version 1.5-dev19 2013/06/17
Copyright 2000-2013 Willy Tarreau w...@1wt.eu

Build options :
  TARGET  = freebsd
  CPU = generic
  CC  = cc
  CFLAGS  = -O2 -pipe -fno-strict-aliasing -DFREEBSD_PORTS
  OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 0.9.8y 5 Feb 2013
Running on OpenSSL version : OpenSSL 0.9.8y 5 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.33 2013-05-28
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_BINDANY IPV6_BINDANY

Available polling systems :
 kqueue : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use kqueue.

And I will collect my detailed debug output and show it to you there.

 
 
 Regards,
 
 Lukas   




Re: lots of connections stay in FIN_WAIT2 and CLOSE_WAIT

2013-07-17 Thread jinge
Hi Lukas.

 
 FIN_WAIT2 18532 #almost all the client to haproxy.
 
 A high FIN_WAIT2 count is normal on any internet facing server.
 Nothing bad happens because of this.
 


 
 CLOSE_WAIT 17674 # almost all the haproxy to the internet.
 [...]
 option http-pretend-keepalive
 
 Do you really have a buggy backend requiring http-pretend-keepalive?
 I'm asking because it looks like a lot of people are configuring
 workarounds for problems they *don't* have.
 
 If you really need this, try combining it with option forceclose,
 which probably decreases the number of sockets in CLOSE_WAIT.

Thanks. We use HAProxy for our forward proxy, and it works great.

I followed your idea and changed to forceclose, and after that the traffic going to 
the Internet decreased a lot.
But is there anything bad that happens when we use the directive forceclose in 
our forward proxy?

 
 Still, I'm not sure that there is an actual problem here.
 
 Are you running out of source ports or are you having any real
 operational problem because of those numbers? 
 


We have just 200Mbps of traffic on this server and the connection numbers are very 
high. We plan to increase the traffic to 1Gbps, so when the traffic 
increases, will the connections become the bottleneck?






Regards
Jinge


Haproxy core dump on FreeBSD9.1?

2013-07-17 Thread jinge
Hi everyone,

It happens on my FreeBSD 9.1-STABLE.
Here are the HAProxy details.

root@Ha-L1-n1:/usr/local/etc # haproxy -vv
HA-Proxy version 1.5-dev19 2013/06/17
Copyright 2000-2013 Willy Tarreau w...@1wt.eu

Build options :
  TARGET  = freebsd
  CPU = generic
  CC  = cc
  CFLAGS  = -O2 -pipe -fno-strict-aliasing -DFREEBSD_PORTS
  OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 0.9.8y 5 Feb 2013
Running on OpenSSL version : OpenSSL 0.9.8y 5 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.33 2013-05-28
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_BINDANY IPV6_BINDANY

Available polling systems :
 kqueue : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use kqueue.


The HAProxy configuration
###
global
pidfile /var/run/ha-l1-n1.pid
maxconn 20
maxpipes 5
daemon
stats socket /tmp/ha-l1-n1.sock
nbproc 2
spread-checks 5
tune.rcvbuf.client 16384
tune.rcvbuf.server 16384
tune.sndbuf.client 32768
tune.sndbuf.server 16384
node frontendL1
#   debug

defaults
 #TCP SECTION
maxconn 20
backlog 32768
timeout connect 5s
timeout client 60s
timeout server 60s
timeout queue 60s
timeout check 10s
timeout http-request 15s
timeout http-keep-alive 1s
timeout tunnel 3600s
option tcpka
#   option tcp-smart-accept
#option nolinger


 #HTTP SECTION
hash-type consistent
option accept-invalid-http-request
option accept-invalid-http-response
option redispatch
#option http-server-close
#option http-pretend-keepalive
#option http-no-delay
option forceclose
retries 2
option httplog
no option checkcache



 #SYSTEM SECTION
option dontlog-normal
option dontlognull
option log-separate-errors
#cookie SERVERID


# frontend ##
frontend tcp-in
bind : 
mode tcp
log global
option tcplog

#distinguish HTTP and non-HTTP
tcp-request inspect-delay 10s
tcp-request content accept if HTTP


#ACTION 
use_backend NginxCluster if HTTP
default_backend Direct


backend NginxCluster
mode http
option abortonclose
option forwardfor header X-Client
balance uri whole
log global
source 0.0.0.0
option httpchk GET /check.txt HTTP/1.1\r\nHost:\ 192.168.172.30
server Jail-L2-nx1-n1 192.168.172.26:   weight 20 check inter 5s maxconn 1
server Jail-L2-nx2-n1 192.168.172.25:   weight 20 check inter 5s maxconn 1
server XEN-L2-xn1-n2  192.168.172.15:   weight 20 check inter 5s maxconn 1
server XEN-L2-xn2-n2  192.168.172.16:   weight 20 check inter 5s maxconn 1


backend Direct
mode tcp
log global
option tcplog
no option httpclose
no option http-server-close
no option accept-invalid-http-response
no option http-pretend-keepalive
option transparent  
option abortonclose 


I use IPFW to fwd my traffic to HA.

 fwd 192.168.20.20, tcp from any to any via vlan64 in


And I have a core dump file here but it's too large to upload (about 63MB).



Regards
Jinge





Re: Haproxy core dump on FreeBSD9.1?

2013-07-17 Thread jinge
Hi Lukas, 

I have sent this to Willy. Thank you!


Regards
Jinge



On 2013-7-17, at 10:12 PM, Lukas Tribus luky...@hotmail.com wrote:

 Hi!
 
 
 And I have a core dump file here but it's too large to upload
 (about 63MB).
 
 Please upload the core dump along with the executable somewhere and send
 the link to Willy Tarreau (the core dump will contain sensitive data, so
 I suggest you don't send it to the mailing list):
 w...@1wt.eu
 
 
 
 Regards,
 
 Lukas   




HTTP traffic not going to backend transparent.

2013-07-15 Thread jinge
 5s maxconn 
1

backend Direct
mode tcp
log global
option tcplog
no option httpclose
no option http-server-close
no option accept-invalid-http-response
no option http-pretend-keepalive
source 0.0.0.0 usesrc clientip
option transparent  
option abortonclose 
option tcp-smart-connect




  Interface        Traffic          Peak            Total
  lagg0    in     9.005 MB/s      9.748 MB/s      1.855 GB
           out    9.378 MB/s      9.817 MB/s      1.879 GB

  vlan708  in     8.528 MB/s      9.236 MB/s      1.269 GB
           out  507.189 KB/s    539.656 KB/s     78.061 MB
  (All the traffic goes to the Internet through the Direct backend)

  vlan705  in     3.701 KB/s      9.934 KB/s     10.645 MB
           out    2.394 KB/s      6.652 KB/s      7.050 MB

  vlan67   in     0.579 KB/s      0.737 KB/s      1.873 MB
           out    0.788 KB/s      1.793 KB/s      1.627 MB

  vlan64   in   477.880 KB/s    532.444 KB/s    103.494 MB
           out    8.888 MB/s      9.288 MB/s      1.762 GB
  (The incoming traffic comes in through vlan64)

  vlan62   in     3.875 KB/s     10.380 KB/s    483.774 MB
           out    1.908 KB/s      5.141 KB/s     33.764 MB

  lo0      in     0.000 KB/s      0.046 KB/s      6.867 KB
           out    0.000 KB/s      0.046 KB/s      6.867 KB

  igb1     in     4.772 MB/s      4.772 MB/s    849.381 MB
           out    4.054 MB/s      5.263 MB/s    956.056 MB

  igb0     in     4.232 MB/s      5.724 MB/s      1.026 GB
           out    5.333 MB/s      5.333 MB/s    967.559 MB




Regards
Jinge






ACL HTTP does not capture all the HTTP traffic?

2013-07-14 Thread jinge
Hi all,


We have an HAProxy for our web service. We forward the TCP port 80 traffic to 
HAProxy, and if it's not HTTP traffic we send it to the Internet using 
option transparent. But we found there is a lot of HTTP traffic in the Direct 
backend, which shouldn't be there. 
Here is the configuration.


###
global
   pidfile /var/run/haproxy.pid
   maxconn 20
maxpipes 5
   daemon
   stats socket /tmp/haproxy.sock
   nbproc 4
   spread-checks 5
tune.rcvbuf.client 16384
tune.rcvbuf.server 16384
tune.sndbuf.client 32768
   tune.sndbuf.server 16384

defaults
#TCP SECTION
   maxconn 20
backlog 32768
   timeout connect 5s
   timeout client 60s
   timeout server 60s
   timeout queue 60s
   timeout check 10s
   timeout http-request 15s
   timeout http-keep-alive 1s
timeout tunnel 3600s
   option tcpka


#HTTP SECTION
   hash-type consistent
   option accept-invalid-http-request
   option accept-invalid-http-response
   option redispatch
   option http-server-close
   option http-pretend-keepalive
   retries 2
   option httplog
no option checkcache

#SYSTEM SECTION
   option dontlog-normal
   option dontlognull
   option log-separate-errors


# frontend ##
frontend tcp-in
   bind : 
   mode tcp
   log global
option tcplog

tcp-request inspect-delay 30s
tcp-request content accept if HTTP

use_backend NginxCluster if HTTP 
   default_backend Direct

backend NginxCluster
   mode http
   option abortonclose
   balance uri whole
   log global
   source 0.0.0.0
   server ngx1 192.168.10.1:80 weight 20 check inter 5s maxconn 1
   server ngx2 192.168.10.2:80 weight 20 check inter 5s maxconn 1
   server ngx3 192.168.10.3:80 weight 20 check inter 5s maxconn 1

backend Direct
mode tcp
log global
option tcplog
no option httpclose
no option http-server-close
no option accept-invalid-http-response
no option http-pretend-keepalive
option transparent  
option abortonclose 
option tcp-smart-connect

And here is the topology.

            client
              |
              |
            haproxy
              |
        ______|______
       |             |
  HTTP traffic   non-HTTP traffic
       |         (to the Internet outside)
     nginx          Internet


So can the HTTP ACL not capture all the HTTP traffic here?



Regards
Jinge
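
As an added example, not from the post and not HAProxy's own code, here is a Python model of what the frontend's `tcp-request inspect-delay`, `tcp-request content accept if HTTP` and `use_backend NginxCluster if HTTP` do with the first bytes of a connection. The classifier approximates the HTTP ACL as "a complete, well-formed request line has arrived"; HAProxy's real parser is stricter, so treat it as illustrative. What it shows is the edge case behind the question: a client that has sent nothing, or only part of a request line, by the time the inspect delay expires has the rules evaluated on the bytes buffered so far, the ACL is false, and the connection lands in the Direct backend even though it is HTTP. Timings and byte chunks are constructed.

```python
"""Model of tcp-mode content inspection: when does ACL HTTP match?

Added example, not HAProxy code; all inputs below are constructed.
"""
import re
from enum import Enum
from typing import List, Tuple

# RFC 7230 token characters, used for the request method
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
REQUEST_LINE = re.compile(rb"\A" + TOKEN + rb" [^ \r\n]+ HTTP/\d\.\d\r?\n")
# Byte-by-byte shape of the version suffix, used to judge a partial line
VERSION_SHAPE = [b"H", b"T", b"T", b"P", b"/", b"0123456789", b".",
                 b"0123456789", b"\r", b"\n"]


class Verdict(Enum):
    HTTP = "http"            # ACL HTTP is true
    NOT_HTTP = "not_http"    # bytes can never become an HTTP request line
    NEED_MORE = "wait"       # undecidable so far; inspection keeps waiting


def could_still_be_http(prefix: bytes) -> bool:
    """True if `prefix` (which holds no newline yet) is a prefix of a valid request line."""
    parts = prefix.split(b" ", 2)
    if not re.fullmatch(TOKEN, parts[0]):           # method must be a token
        return False
    if len(parts) > 1 and re.search(rb"[\r\n]", parts[1]):
        return False                                # target cannot hold CR/LF
    if len(parts) == 3:
        tail = parts[2]
        if not parts[1] or len(tail) > len(VERSION_SHAPE):
            return False
        return all(tail[i:i + 1] in VERSION_SHAPE[i] for i in range(len(tail)))
    return True


def classify(buf: bytes) -> Verdict:
    """Approximation of ACL HTTP evaluated on the bytes buffered so far."""
    if not buf:
        return Verdict.NEED_MORE
    if b"\n" not in buf:
        return Verdict.NEED_MORE if could_still_be_http(buf) else Verdict.NOT_HTTP
    return Verdict.HTTP if REQUEST_LINE.match(buf) else Verdict.NOT_HTTP


def route(events: List[Tuple[float, bytes]], inspect_delay: float) -> Tuple[str, float]:
    """Replay (seconds_after_accept, chunk) events against the frontend rules.

    Returns (backend, time_decided). A verdict reached inside the delay routes
    at once. When the delay expires undecided, use_backend evaluates the ACL
    on the partial buffer, gets false, and default_backend Direct wins.
    """
    buf = b""
    for t, chunk in sorted(events):
        if t > inspect_delay:
            break
        buf += chunk
        verdict = classify(buf)
        if verdict is Verdict.HTTP:
            return "NginxCluster", t
        if verdict is Verdict.NOT_HTTP:
            return "Direct", t
    return "Direct", inspect_delay


# Constructed scenarios against the post's "tcp-request inspect-delay 30s"
SCENARIOS = {
    "prompt GET":      [(0.1, b"GET / HTTP/1.0\r\n\r\n")],
    "TLS ClientHello": [(0.05, b"\x16\x03\x01\x00\xa5\x01")],
    "slow GET":        [(0.2, b"GET /"), (35.0, b" HTTP/1.1\r\n\r\n")],
    "idle client":     [],
}

if __name__ == "__main__":
    for name, events in SCENARIOS.items():
        print(f"{name:16s} -> {route(events, 30.0)}")
```

Two consequences follow from the model. First, "slow GET" and "idle client" both end in Direct, so HTTP that arrives after the delay is routed as non-HTTP without any parser failure being logged. Second, content inspection runs once per TCP connection, so on a connection that carries several requests only the first one is ever classified; every later request follows whichever backend the first one chose.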






lots of connections stay in FIN_WAIT2 and CLOSE_WAIT

2013-07-13 Thread jinge
Hi all,


We have an HAProxy for our web service. We forward the TCP port 80 traffic to 
HAProxy, and if it's not HTTP traffic we send it to the Internet using 
option transparent. Here is the configuration.


###
global
   pidfile /var/run/haproxy.pid
   maxconn 20
maxpipes 5
   daemon
   stats socket /tmp/haproxy.sock
   nbproc 4
   spread-checks 5
tune.rcvbuf.client 16384
tune.rcvbuf.server 16384
tune.sndbuf.client 32768
   tune.sndbuf.server 16384

defaults
#TCP SECTION
   maxconn 20
backlog 32768
   timeout connect 5s
   timeout client 60s
   timeout server 60s
   timeout queue 60s
   timeout check 10s
   timeout http-request 15s
   timeout http-keep-alive 1s
timeout tunnel 3600s
   option tcpka


#HTTP SECTION
   hash-type consistent
   option accept-invalid-http-request
   option accept-invalid-http-response
   option redispatch
   option http-server-close
   option http-pretend-keepalive
   retries 2
   option httplog
no option checkcache

#SYSTEM SECTION
   option dontlog-normal
   option dontlognull
   option log-separate-errors


# frontend ##
frontend tcp-in
   bind : 
   mode tcp
   log global
option tcplog

tcp-request inspect-delay 30s
tcp-request content accept if HTTP

use_backend NginxCluster if HTTP 
   default_backend Direct

backend NginxCluster
   mode http
   option abortonclose
   balance uri whole
   log global
   source 0.0.0.0
   server ngx1 192.168.10.1:80 weight 20 check inter 5s maxconn 1
   server ngx2 192.168.10.2:80 weight 20 check inter 5s maxconn 1
   server ngx3 192.168.10.3:80 weight 20 check inter 5s maxconn 1

backend Direct
   mode tcp
   log global
option tcplog
no option httpclose
no option http-server-close
no option accept-invalid-http-response
no option http-pretend-keepalive
option transparent

And it works as we expected. But there are lots of connections: one kind is the 
connections between the client side and HAProxy, which stay in FIN_WAIT2; the 
other is the server-side connections of the backend Direct to the Internet, which 
stay in CLOSE_WAIT. Here is the connection state I get. 
And my traffic is about 200Mbps.
OS: Ubuntu 13.04
Memory: 8G
Processor: AMD 2380 x 2 

FIN_WAIT2 18532 #almost all the client to haproxy.
CLOSING 7
LISTEN 12
SYN_RECV 21
CLOSE_WAIT 17674 # almost all the haproxy to the internet.
TIME_WAIT 6403
ESTABLISHED 51495
LAST_ACK 143
SYN_SENT 25
FIN_WAIT1 220

And here is the topology.

            client
              |
              |
            haproxy
              |
        ______|______
       |             |
  HTTP traffic   non-HTTP traffic
       |         (to the Internet outside)
     nginx          Internet


Thanks to anyone who can help.



Regards
Jinge













Re: FreeBSD with options transparent not working.

2013-07-12 Thread jinge
Hi PiBa-NL,

I just checked my config as you advised, and found that the pf.conf is not correct. 
As I use rdr 

rdr on vlan64 proto tcp from any to any -> 127.0.0.1 port 

the dst is changed. So I changed to use ipfw, and it seems to get things done.

ipfw add fwd 127.0.0.1, tcp from any to any via vlan64 in

and thank you for your advice!

And there is another question. If I use pf, can it also do this like ipfw? 
And how can I configure it?





Regards
Jinge



On 2013-7-12, at 2:47 AM, PiBa-NL piba.nl@gmail.com wrote:

 Hi Jinge,
 
 What version of FreeBSD do you run? What firewall does it use pf/ipfw ?
 What does haproxy -vv show? (version/transparent options)
 
 Can you write a little about the network topology and what isn't working 
 about it?
 For example like this:
 ClientMachine = 172.16.1.100/24
 Haproxy LAN1 = 172.16.1.1/24
 Haproxy LAN2 = 192.168.1.1/24
 Server1 = 192.168.1.101/24
 Now ClientMachine sends a tcp request to 192.168.1.101. This request is 
 routed through the haproxy machine which functions as a 'router' but also the 
 request is intercepted by machine firewall (make sure to NOT use a standard 
 portforward rule as it will change the destination-IP..) and redirected to 
 the haproxy process, which determines its not http, and then sends traffic 
 further to Server1 using the option transparent.
 The question then is does Server1 ever receive a SYN packet (check with 
 tcpdump/wireshark)?
 Does HAProxy show all backends as 'available' in the stats page?
 
 Does the clientmachine use the proper IP(so NOT the haproxy-ip) for 
 connecting to Server1 and is traffic routed through the haproxy machine?
 
 Is this what doesn't currently work?
 Or is the trouble with the nginx machines not being able to be 
 connected with the original client IP?
 
 There are 3 different HAProxy options called or referred to as 'transparent', 
 which makes it also a bit difficult to see which option you're asking about..
 A- option transparent (for sending connection to original destination)
 B- source 0.0.0.0 usesrc clientip (for sending client-IP to the backend 
 servers)
 C- bind transparent (for binding to a nonlocal (CARP?) IP address)
 
 I'm sure C is not what you're asking about, but I'm unclear if your current 
 issue is with A or B.
 
 Could you try and make a smallest possible haproxy configuration that still 
 contains the problem you currently experience?
 
 Greets PiBa-NL
 
 On 11-7-2013 14:38, Baptiste wrote:
 So the problem might be in the way you compiled HAProxy or you have
 configured your OS.
 Unfortunately, I can't help on FreeBSD :'(
 
 Baptiste
 
 On Thu, Jul 11, 2013 at 11:55 AM, jinge altman87...@gmail.com wrote:
 Hi, Baptiste!
 
 But I just tested this and found it did not help.
 
 
 
 Regards
 Jinge
 
 
 
 On 2013-7-11, at 5:35 PM, Baptiste bed...@gmail.com wrote:
 
 Hi Jinge,
 
 Could you update your source statement to:
 source 0.0.0.0 usesrc clientip
 
 And let us know if that fixed your issue.
 
 Baptiste
 
 
 On Thu, Jul 11, 2013 at 11:25 AM, jinge altman87...@gmail.com wrote:
 Hi,all!
 
 We use HAProxy for our web system. And there is a statement that if it's not HTTP 
 it will go to backend Direct, which is client-side transparent proxying. Here is the
 configuration. But we found that the Direct backend is not working. Can anyone
 tell me, is there any problem in my configuration? Or should there be any 
 tuning on my FreeBSD?
 
 global
   pidfile /var/run/haproxy.pid
   maxconn 20
 maxpipes 5
   daemon
   stats socket /tmp/haproxy.sock
   nbproc 4
   spread-checks 5
 tune.rcvbuf.client 16384
 tune.rcvbuf.server 16384
 tune.sndbuf.client 32768
   tune.sndbuf.server 16384
 
 defaults
 #TCP SECTION
   maxconn 20
 backlog 32768
   timeout connect 5s
   timeout client 60s
   timeout server 60s
   timeout queue 60s
   timeout check 10s
   timeout http-request 15s
   timeout http-keep-alive 1s
 timeout tunnel 3600s
   option tcpka
 
 
 #HTTP SECTION
   hash-type consistent
   option accept-invalid-http-request
   option accept-invalid-http-response
   option redispatch
   option http-server-close
   option http-pretend-keepalive
   retries 2
   option httplog
 no option checkcache
 
 #SYSTEM SECTION
   option dontlog-normal
   option dontlognull
   option log-separate-errors
 
 
 # frontend ##
 frontend tcp-in
   bind :
   mode tcp
   log global
 option tcplog
 
 tcp-request inspect-delay 30s
 tcp-request content accept if HTTP
 
   use_backend NginxCluster if HTTP
   default_backend Direct
 
 backend NginxCluster
   mode http
   option abortonclose
   balance uri whole
   log global
   source 0.0.0.0
   server ngx1 192.168.10.1:80 weight 20 check inter 5s maxconn 1
   server ngx2 192.168.10.2:80 weight 20 check inter 5s maxconn 1
   server ngx3 192.168.10.3:80 weight 20 check inter 5s maxconn 1

FreeBSD with options transparent not working.

2013-07-11 Thread jinge
Hi,all!

We use HAProxy for our web system. And there is a statement that if it's not HTTP it will go 
to backend Direct, which is client-side transparent proxying. Here is the 
configuration. But we found that the Direct backend is not working. Can anyone tell 
me, is there any problem in my configuration? Or should there be any tuning on my 
FreeBSD?

global
   pidfile /var/run/haproxy.pid
   maxconn 20
maxpipes 5
   daemon
   stats socket /tmp/haproxy.sock
   nbproc 4
   spread-checks 5
tune.rcvbuf.client 16384
tune.rcvbuf.server 16384
tune.sndbuf.client 32768
   tune.sndbuf.server 16384

defaults
#TCP SECTION
   maxconn 20
backlog 32768
   timeout connect 5s
   timeout client 60s
   timeout server 60s
   timeout queue 60s
   timeout check 10s
   timeout http-request 15s
   timeout http-keep-alive 1s
timeout tunnel 3600s
   option tcpka


#HTTP SECTION
   hash-type consistent
   option accept-invalid-http-request
   option accept-invalid-http-response
   option redispatch
   option http-server-close
   option http-pretend-keepalive
   retries 2
   option httplog
no option checkcache

#SYSTEM SECTION
   option dontlog-normal
   option dontlognull
   option log-separate-errors


# frontend ##
frontend tcp-in
   bind : 
   mode tcp
   log global
option tcplog

tcp-request inspect-delay 30s
tcp-request content accept if HTTP

   use_backend NginxCluster if HTTP 
   default_backend Direct

backend NginxCluster
   mode http
   option abortonclose
   balance uri whole
   log global
   source 0.0.0.0
   server ngx1 192.168.10.1:80 weight 20 check inter 5s maxconn 1
   server ngx2 192.168.10.2:80 weight 20 check inter 5s maxconn 1
   server ngx3 192.168.10.3:80 weight 20 check inter 5s maxconn 1

backend Direct
   mode tcp
   log global
option tcplog
no option httpclose
no option http-server-close
no option accept-invalid-http-response
no option http-pretend-keepalive
option transparent








Regards
Jinge





Re: FreeBSD with options transparent not working.

2013-07-11 Thread jinge
Hi, Baptiste!

But I just tested this and found it did not help.



Regards
Jinge



On 2013-7-11, at 5:35 PM, Baptiste bed...@gmail.com wrote:

 Hi Jinge,
 
 Could you update your source statement to:
 source 0.0.0.0 usesrc clientip
 
 And let us know if that fixed your issue.
 
 Baptiste
 
 
 On Thu, Jul 11, 2013 at 11:25 AM, jinge altman87...@gmail.com wrote:
 Hi,all!
 
 We use HAProxy for our web system. And there is a statement that if it's not HTTP it will
 go to backend Direct, which is client-side transparent proxying. Here is the
 configuration. But we found that the Direct backend is not working. Can anyone
 tell me, is there any problem in my configuration? Or should there be any tuning
 on my FreeBSD?
 
 global
   pidfile /var/run/haproxy.pid
   maxconn 20
 maxpipes 5
   daemon
   stats socket /tmp/haproxy.sock
   nbproc 4
   spread-checks 5
 tune.rcvbuf.client 16384
 tune.rcvbuf.server 16384
 tune.sndbuf.client 32768
   tune.sndbuf.server 16384
 
 defaults
 #TCP SECTION
   maxconn 20
 backlog 32768
   timeout connect 5s
   timeout client 60s
   timeout server 60s
   timeout queue 60s
   timeout check 10s
   timeout http-request 15s
   timeout http-keep-alive 1s
 timeout tunnel 3600s
   option tcpka
 
 
 #HTTP SECTION
   hash-type consistent
   option accept-invalid-http-request
   option accept-invalid-http-response
   option redispatch
   option http-server-close
   option http-pretend-keepalive
   retries 2
   option httplog
 no option checkcache
 
 #SYSTEM SECTION
   option dontlog-normal
   option dontlognull
   option log-separate-errors
 
 
 # frontend ##
 frontend tcp-in
   bind :
   mode tcp
   log global
 option tcplog
 
 tcp-request inspect-delay 30s
 tcp-request content accept if HTTP
 
   use_backend NginxCluster if HTTP
   default_backend Direct
 
 backend NginxCluster
   mode http
   option abortonclose
   balance uri whole
   log global
   source 0.0.0.0
   server ngx1 192.168.10.1:80 weight 20 check inter 5s maxconn 1
   server ngx2 192.168.10.2:80 weight 20 check inter 5s maxconn 1
   server ngx3 192.168.10.3:80 weight 20 check inter 5s maxconn 1
 
 backend Direct
   mode tcp
   log global
 option tcplog
 no option httpclose
 no option http-server-close
 no option accept-invalid-http-response
 no option http-pretend-keepalive
 option transparent
 
 
 
 
 
 
 
 
 Regards
 Jinge
 
 
 




Re: Does transparent not work in FreeBSD?

2013-07-11 Thread jinge
Hi PiBa-NL,

I just followed your advice and found my pf configuration is not correct:

rdr on vlan64 proto tcp from any to any -> 127.0.0.1 port 

And I changed to ipfw and fwd, and then it works correctly.

ipfw add fwd 127.0.0.1, tcp from any to any via vlan64 in 

And you told me I can use pf's divert-to, but after a test I found it doesn't 
work. Here is the configuration:

pass in quick on vlan64 inet proto tcp from any to any divert-to 127.0.0.1 port 

So can you tell me the right configuration?
Thank you.



Regards
Jinge



On 2013-7-11, at 12:07 PM, jinge altman87...@gmail.com wrote:

 Hi PiBa-NL, 
 
 
 Thanks for your reply!
 And I will follow your advice!
 
 
 
 Regards
 Jinge
 
 
 
 On 2013-7-10, at 4:25 AM, PiBa-NL piba.nl@gmail.com wrote:
 
 Hi Jinge,
 
 I'm not exactly sure how this is supposed to work.. I did manage to get 
 transparent proxy for the server side working.. (the server is presented 
 with a connection from the original client IP.) This works with haproxy 1.5dev19 
 on FreeBSD 8.3 with the help of some ipfw fwd rules..
 
 Your config also seems to be working (used some parts thereof to test..)
 
 It did require the following ipfw rule for me..:
 ipfw add 90 fwd localhost tcp from any to any  in recv em1
 Actually on pfSense it also needs -x haproxy as it is a bit customized.. 
 And because i run 'ipfw' combined with 'pf' i also needed to configure pf 
 with floating 'pass on match' rules to allow the 'strange traffic'.. That pf 
 cannot handle..
 
 If you however have FreeBSD 9 you might want to look into the divert-to 
 rules that pf can make. Might make stuff simpler if it turns out to work..
 
 Please report back your required settings (config if it changes) when you 
 manage to get it working.
 
 Greetings PiBa-NL
 
 On 9-7-2013 12:55, jinge wrote:
 Hi,all!
 
 
 We use haproxy and FreeBSD for our cache system. And we want to use the 
 transparent option 
 http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4-option%20transparent
  for some compatibility reasons.
 But we found it doesn't work. Here is the configuration, which worked on Ubuntu.
 
 
 frontend tcp-in
 bind : 
 mode tcp
 log global
 option tcplog
 
 #distinguish HTTP and non-HTTP
 tcp-request inspect-delay 30s
 tcp-request content accept if HTTP
 
 default_backend Direct   
 
 
 backend Direct
 mode tcp
 log global
 option tcplog
 no option httpclose
 no option http-server-close
 no option accept-invalid-http-response
 option transparent 
 
 
 Can anyone tell me if FreeBSD cannot support transparent here, or if my 
 configuration is not correct? And how to make transparent work right?
 
 Thanks!
 
 
 Regards
 Jinge
 
 
 
 
 



Does transparent not work in FreeBSD?

2013-07-09 Thread jinge
Hi,all!


We use haproxy and FreeBSD for our cache system. And we want to use the 
transparent option 
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4-option%20transparent
 for some compatibility reasons.
But we found it doesn't work. Here is the configuration, which worked on Ubuntu.


frontend tcp-in
bind : 
mode tcp
log global
option tcplog

#distinguish HTTP and non-HTTP
tcp-request inspect-delay 30s
tcp-request content accept if HTTP

default_backend Direct   


backend Direct
mode tcp
log global
option tcplog
no option httpclose
no option http-server-close
no option accept-invalid-http-response
option transparent 


Can anyone tell me if FreeBSD cannot support transparent here, or if my 
configuration is not correct? And how to make transparent work right?

Thanks!


Regards
Jinge





Re: Haproxy CPU 100%, after running about two weeks

2013-05-03 Thread jinge


Thanks! 
I followed your advice and upgraded my haproxy. And I will observe whether there is 
any problem. 

Regards
Jinge



On 2013-5-2, at 3:49 PM, Lukas Tribus luky...@hotmail.com wrote:

 Hi Jinge!
 
 
 I believe you are facing 2 different issues here.
 
 
 
 Today, our haproxy CPU grow to 100%. And the machine become terribly slow.
 
 Please upgrade to recent 1.4 code, you are missing a few fixes, including
 a security fix. I suggest the snapshot 20130427 which also includes a
 loop fix (causing 100% load from haproxy). Download at [1].
 
 
 
 [1297314.773541] cleanup rbuf bug: copied DBE7B6DA seq DBE7B3C8 rcvnxt 
 DBE7B6DA 
 [...]
 [1297314.773625] [81046a75] ? warn_slowpath_common+0x78/0x8c 
 
 This is a kernel issue with tcp splicing and has probably been fixed.
 Please see [2]. Not sure if Debian is backporting this fix though.
 
 You could just disable tcp splicing as a intermediate workaround.
 
 
 
 Cheers,
 Lukas
 
 [1] http://haproxy.1wt.eu/download/1.4/src/snapshot/
 [2] http://comments.gmane.org/gmane.linux.network/231555  
   




What's the difference between http-server-close in the frontend and in backends?

2012-07-22 Thread jinge
Hi list.
Sorry for my poor English.
I use haproxy nowadays, but I just don't know what the difference is between
http-server-close in the frontend and in backends. Can someone help me?



haproxy ssh transparent proxy

2012-05-02 Thread jinge

Sorry, I'm new to haproxy; here is my problem.

I want haproxy to proxy any non-HTTP traffic.
And here is my config for it:

listen tcp-in
bind 192.168.137.18:
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if HTTP
use_backend SquidClusters if HTTP
default_backend Non-http


## default: let any non-HTTP traffic go on to its original destination
backend Non-http
mode tcp
log global
timeout server 1h
server directserver 0.0.0.0


But it doesn't work.
Can anyone help me?