Re: HA Proxy

2023-10-13 Thread Aleksandar Lazic

Hi Mohammed.

Yes, HAProxy supports all of the requested capacity and features from 
below. For a nice example of what HAProxy is able to handle, you can read 
this blog post. 
https://www.haproxy.com/blog/haproxy-forwards-over-2-million-http-requests-per-second-on-a-single-aws-arm-instance


The very detailed documentation can be found on the web at 
https://docs.haproxy.org/ or in the source repository under the doc 
directory 
https://git.haproxy.org/?p=haproxy.git;a=tree;f=doc;h=9a53977a683fd7e80f23fff2a18ef192ca908636;hb=HEAD


There are very good examples and explanations for HAProxy features on 
the haproxy.com blog page https://www.haproxy.com/blog and you can also 
find some examples with your favorite search engine. Please take care 
that some search results refer to previous HAProxy versions which 
are not maintained anymore; this means that the solution found could 
work or need some rework for the current versions.


HAProxy has two versions, the open source one and the Enterprise one.

If your company wants support and is willing to pay for that, you can get 
in touch with HAProxy Sales via the contact form 
https://www.haproxy.com/contact-us for the HAProxy Enterprise version 
https://www.haproxy.com/products/haproxy-enterprise.


Hth with best regards

Alex

On 2023-10-13 (Fr.) 09:41, Mohammed Anees A wrote:


Hi Team

We have a requirement for a Software based NLB to Load Balance an 
enterprise application.


Following are the Capacity and Features of NLB required. Please 
confirm, does HA Proxy support the below capacity and features? Let 
us know the licensing model and Support structure.


Capacity :

  * Requests per Second =  5000 RPS
  * Concurrent Connections = 5000 Concurrent Sessions.
  * Throughput = 40 Mbps

Features :

 1. *Routing Profile*

Routing profile can be TCP based (layer 4) or HTTP based (layer 7).

 2. *Load Balancing Method*

All load balancing methods are supported. It is recommended to use 
Least Connections or Round Robin load balancing methods, for better 
distribution between Application servers.


 3. *Session persistence (stickiness)*

The LB must be configured with session persistence to enable a session 
connection with the same application server instance. Configure 
session persistence in all levels of load balancing (for example, if 
there is a global load balancer in front of a few local load balancers).


To achieve session persistence, configure the LB with one of the 
following persistence profiles:


  * HTTP Cookie
  * Client IP (Source address)

 4. *Health monitoring*

An important property of an LB is the ability to perform health 
monitoring checks (heartbeats) on each Application server. By using 
health monitors, the LB verifies the server response or checks for any 
network problems that can prevent a client from reaching a server. By 
doing so, the LB can place the server in or out of service and can 
make reliable load-balancing and high availability decisions.


A common and recommended health monitor is *HTTP GET Request.*

 5. *Idle (execution) timeout*

Setting the execution timeout controls termination of idle 
connections. Configure an execution timeout of at least 4 hours.


 6. *HTTPS Configuration*

The load balancer supports several HTTPS configuration methods.

These include:

  * SSL bridging
  * SSL offload
  * SSL pass-through

SSL bridging and SSL offload are supported in HTTP based routing 
(layer 7), and require deploying TLS certificate on the LB. SSL 
pass-through is supported in TCP based routing (layer 4), and does not 
require deploying a certificate on the LB.


Regards

Mohammed Anees

+91 9944170656
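
How the requirements in the quoted message map onto HAProxy directives, as an added example that is not part of the thread and not a configuration from the HAProxy project. Section names, addresses (documentation range 192.0.2.0/24), file paths and the /healthz URL are assumptions.

```haproxy
# Added example; every name, address, path and URL below is an assumption.
global
    maxconn 10000                                   # headroom above 5000 concurrent sessions
    ssl-default-bind-options ssl-min-ver TLSv1.2    # refuse legacy TLS on the listener

defaults
    timeout connect 5s
    timeout client  4h        # requirement 5: idle (execution) timeout of at least 4 hours
    timeout server  4h

# --- Layer 7 (HTTP) routing: SSL offload or SSL bridging, certificate on the LB ---
frontend fe_app_https
    mode http
    bind :443 ssl crt /etc/haproxy/certs/app.pem
    # Bound the time allowed to send request headers so the 4h timeout does not
    # cover half-sent requests (also applies between keep-alive requests unless
    # "timeout http-keep-alive" is set).
    timeout http-request 10s
    default_backend be_app_http

backend be_app_http
    mode http
    balance leastconn                     # requirement 2: Least Connections
    option httpchk GET /healthz           # requirement 4: HTTP GET health monitor
    http-check expect status 200
    # requirement 3: HTTP cookie persistence; the cookie is hidden from the
    # servers, not cached, not readable by scripts and only sent over TLS
    cookie SRVID insert indirect nocache httponly secure
    # SSL offload: TLS ends on the LB, plain HTTP to the servers
    server app1 192.0.2.11:8080 check cookie app1
    server app2 192.0.2.12:8080 check cookie app2
    # SSL bridging variant: re-encrypt to the servers and verify their certificate
    # server app1 192.0.2.11:8443 check cookie app1 ssl verify required ca-file /etc/haproxy/ca/backend-ca.pem
    # server app2 192.0.2.12:8443 check cookie app2 ssl verify required ca-file /etc/haproxy/ca/backend-ca.pem

# --- Layer 4 (TCP) routing: SSL pass-through, no certificate on the LB ---
frontend fe_app_tcp
    mode tcp
    bind :8443
    default_backend be_app_tcp

backend be_app_tcp
    mode tcp
    balance roundrobin                    # requirement 2: Round Robin
    # requirement 3: client IP persistence; cookies are not visible inside
    # the encrypted stream, so source address is the only option here
    stick-table type ip size 100k expire 4h
    stick on src
    server app1 192.0.2.11:8443 check     # TCP connect check
    server app2 192.0.2.12:8443 check
```

With a 4 hour idle timeout each idle client keeps a connection slot for that long, so `maxconn` is the setting that bounds how many such connections the proxy will hold.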


HA Proxy

2023-10-13 Thread Mohammed Anees A
Hi Team



We have a requirement for a Software based NLB to Load Balance an
enterprise application.



Following are the Capacity and Features of NLB required. Please confirm,
does HA Proxy support the below capacity and features? Let us know the
licensing model and Support structure.



Capacity :



   - Requests per Second =  5000 RPS
   - Concurrent Connections = 5000 Concurrent Sessions.
   - Throughput = 40 Mbps

Features :



   1. *Routing Profile*

Routing profile can be TCP based (layer 4) or HTTP based (layer 7).

   2. *Load Balancing Method*

All load balancing methods are supported. It is recommended to use Least
Connections or Round Robin load balancing methods, for better distribution
between Application servers.

   3. *Session persistence (stickiness)*

The LB must be configured with session persistence to enable a session
connection with the same application server instance. Configure session
persistence in all levels of load balancing (for example, if there is a
global load balancer in front of a few local load balancers).

To achieve session persistence, configure the LB with one of the following
persistence profiles:

   - HTTP Cookie
   - Client IP (Source address)

   4. *Health monitoring*

An important property of an LB is the ability to perform health monitoring
checks (heartbeats) on each Application server. By using health monitors,
the LB verifies the server response or checks for any network problems that
can prevent a client from reaching a server. By doing so, the LB can place
the server in or out of service and can make reliable load-balancing and
high availability decisions.

A common and recommended health monitor is *HTTP GET Request.*

   5. *Idle (execution) timeout*

Setting the execution timeout controls termination of idle connections.
Configure an execution timeout of at least 4 hours.

   6. *HTTPS Configuration*



The load balancer supports several HTTPS configuration methods.



These include:

   - SSL bridging
   - SSL offload
   - SSL pass-through



SSL bridging and SSL offload are supported in HTTP based routing (layer 7),
and require deploying TLS certificate on the LB. SSL pass-through is
supported in TCP based routing (layer 4), and does not require deploying a
certificate on the LB.





Regards

Mohammed Anees

+91 9944170656


RE: Interest in HA Proxy from Sonicwall

2023-04-05 Thread Kenny Lederman
Hi Team,

You can disregard as Jonathan Purcell jpurc...@haproxy.com has already 
reached out to me on this request.

Thank you.

Kenny Lederman
Enterprise Account Manager
(206) 455-6488 - Office
(847) 932-9771 - Cell
kenny.leder...@softchoice.com
Softchoice
415 1st Avenue North, Suite 300
Seattle, WA  98109


From: Илья Шипицин 
Sent: Wednesday, April 5, 2023 11:56 AM
To: Aleksandar Lazic 
Cc: Kenny Lederman ; haproxy@formilux.org
Subject: Re: Interest in HA Proxy from Sonicwall



Wed, 5 Apr 2023 at 20:18, Aleksandar Lazic <al-hapr...@none.at>:
Hi Kenny.

On 05.04.23 20:04, Kenny Lederman wrote:
> Hi team,
>
> Do you have an account rep assigned to Sonicwall that could help me with
> getting a POC set up?

This is the Open Source Mailing list, if you want to get in touch with
the Company behind HAProxy please use this.

original intention was not clear :) maybe Kenny is looking for open source 
individuals to hire them in purpose.

otherwise, yes, https://www.haproxy.com is proper way 
to contact sales/commercial/whatever.


https://www.haproxy.com/contact-us/

Of course you can set up the Open Source HAProxy with your team, the
documentation is hosted at this URL.

http://docs.haproxy.org/

> Thank you,
>
> Kenny Lederman

Best Regards
Alex

> Enterprise Account Manager
>
> (206) 455-6488 - Office
>
> (847) 932-9771 - Cell
>
> kenny.leder...@softchoice.com
>
> Softchoice
>
> 415 1st Avenue North, Suite 300
> Seattle, WA  98109
>


Re: Interest in HA Proxy from Sonicwall

2023-04-05 Thread Илья Шипицин
Wed, 5 Apr 2023 at 20:18, Aleksandar Lazic:

> Hi Kenny.
>
> On 05.04.23 20:04, Kenny Lederman wrote:
> > Hi team,
> >
> > Do you have an account rep assigned to Sonicwall that could help me with
> > getting a POC set up?
>
> This is the Open Source Mailing list, if you want to get in touch with
> the Company behind HAProxy please use this.
>

original intention was not clear :) maybe Kenny is looking for open source
individuals to hire them in purpose.

otherwise, yes, https://www.haproxy.com is proper way to contact
sales/commercial/whatever.


>
> https://www.haproxy.com/contact-us/
>
> Of course you can set up the Open Source HAProxy with your team, the
> documentation is hosted at this URL.
>
> http://docs.haproxy.org/
>
> > Thank you,
> >
> > Kenny Lederman
>
> Best Regards
> Alex
>
> > Enterprise Account Manager
> >
> > (206) 455-6488 - Office
> >
> > (847) 932-9771 - Cell
> >
> > kenny.leder...@softchoice.com 
> >
> > 
> >
> >
> >
> > Softchoice 
> >
> >
> >
> > 415 1st Avenue North, Suite 300
> > Seattle, WA  98109
> >


Re: Interest in HA Proxy from Sonicwall

2023-04-05 Thread Aleksandar Lazic

Hi Kenny.

On 05.04.23 20:04, Kenny Lederman wrote:
> Hi team,
>
> Do you have an account rep assigned to Sonicwall that could help me with
> getting a POC set up?

This is the Open Source Mailing list, if you want to get in touch with 
the Company behind HAProxy please use this.

https://www.haproxy.com/contact-us/

Of course you can set up the Open Source HAProxy with your team, the 
documentation is hosted at this URL.

http://docs.haproxy.org/

> Thank you,
>
> Kenny Lederman

Best Regards
Alex

> Enterprise Account Manager
>
> (206) 455-6488 - Office
>
> (847) 932-9771 - Cell
>
> kenny.leder...@softchoice.com
>
> Softchoice
>
> 415 1st Avenue North, Suite 300
> Seattle, WA  98109




Interest in HA Proxy from Sonicwall

2023-04-05 Thread Kenny Lederman
Hi team,

Do you have an account rep assigned to Sonicwall that could help me with 
getting a POC set up?

Thank you,

Kenny Lederman
Enterprise Account Manager
(206) 455-6488 - Office
(847) 932-9771 - Cell
kenny.leder...@softchoice.com
415 1st Avenue North, Suite 300
Seattle, WA  98109





Re: Ha proxy frontend

2022-12-28 Thread Willy Tarreau
On Thu, Dec 29, 2022 at 11:33:03AM +0500, Ghufran Shahzad wrote:
> Yes, sure, I make 2 azure vms, and install mysql server and use load
> balancer , mysql percona clusters , then i install ha proxy on both vms but
> when i access them it is not working, can you please give me a solution?

You realize that there is almost no info here ? What's your configuration,
which ip/ports are each service bound to and do they correspond to what is
in the config, what do you see in your logs, are the backend servers checked
or not, and if so are they reported up ? What does "is not working" mean in
your situation, does it mean you get a "Trying..." which would indicate that
you are connecting to the wrong address, or "Connection refused" that means
that you're probably connecting to the wrong port, or does the connection
establish and nothing happens, which could mean that the connection with the
backend server isn't in a good state ?

You will hardly get more help if you're not doing at least some minimal
homework, particularly on the elements we cannot guess for you.

Hoping this helps,
Willy

PS: please keep the list in Cc when you respond.
PPS: please avoid top-posting, it generally indicates that responses
 are not read, and makes it more annoying for others to respond.



Re: Ha proxy frontend

2022-12-28 Thread Willy Tarreau
On Thu, Dec 29, 2022 at 11:26:43AM +0500, Ghufran Shahzad wrote:
> how we can access frontend ip on ha proxy? kindly give me detailed
> solution. thanks

Could you please precise your question ?

Willy



Ha proxy frontend

2022-12-28 Thread Ghufran Shahzad
how we can access frontend ip on ha proxy? kindly give me detailed
solution. thanks


Re: HA Proxy License

2022-10-07 Thread Aleksandar Lazic
Hi John.

I suggest to get in touch with HAProxy company via this form.

https://www.haproxy.com/contact-us/

best regards
alex

07.10.2022 17:55:42 John Bowling (CE CEN) :

> Hello,
> 
> What are the costs for the license or is there a subscription for license?
> 
> *John L. Bowling (JB)*
> 
> Senior Team Leader
> 
> *IES – Network Engineering & Security (NES)*
> 
> *Network Operational Readiness (NOC)*
> 
> Whole Foods Market – Global Support (CEN)
> 
> An Amazon Company
> 
> 1011 W 5th  Street, 4th floor
> 
> Austin, Texas USA 78703
> 
> Mobile: +1-512-221-3780
> 
> Desk: +1-512.542.0797
> 
> Email: john.bowl...@wholefoods.com
> 
> www.wholefoodsmarket.com


HA Proxy License

2022-10-07 Thread John Bowling (CE CEN)
Hello,

What are the costs for the license or is there a subscription for license?

John L. Bowling (JB)
Senior Team Leader
IES - Network Engineering & Security (NES)
Network Operational Readiness (NOC)
Whole Foods Market - Global Support (CEN)
An Amazon Company
1011 W 5th  Street, 4th floor
Austin, Texas USA 78703
Mobile: +1-512-221-3780
Desk: +1-512.542.0797
Email: john.bowl...@wholefoods.com
www.wholefoodsmarket.com



Re: HA-Proxy inquiry

2021-09-22 Thread Илья Шипицин
hello,

there are several tutorials to start with, for example HAProxy version
2.4.0 - Starter Guide (cbonte.github.io)
<http://cbonte.github.io/haproxy-dconv/2.4/intro.html>

Wed, 22 Sep 2021 at 10:16, Lhendup Norbu:

> Dear Sir/Madam,
>
>
>
> I am Lhendup Norbu working in Bank of Bhutan under Data Center Division.
> We want to do POC with the HA proxy load balancer in our environment.
>
> Please guide us on the way forward in HA-Proxy Load Balancer.
>
>
>
>
>
> *Warm Regards*
>
>
>
> Lhendup Norbu
>
> IT Officer, Data Center Division
>
> IT Department
>
> *Bank of Bhutan Limited *
> Data Center, Thimphu : Kingdom of Bhutan
>
> *+975 77281157, IP -0060*
>
> *http://www.bob.bt*


HA-Proxy inquiry

2021-09-21 Thread Lhendup Norbu
Dear Sir/Madam,



I am Lhendup Norbu working in Bank of Bhutan under Data Center Division. We
want to do POC with the HA proxy load balancer in our environment.

Please guide us on the way forward in HA-Proxy Load Balancer.





Warm Regards



Lhendup Norbu

IT Officer, Data Center Division

IT Department

Bank of Bhutan Limited
Data Center, Thimphu : Kingdom of Bhutan

+975 77281157, IP -0060

http://www.bob.bt







HA-Proxy 1.7.5-2ppal~xenial

2021-05-27 Thread Sajid Kazi
Hi,



We are using HA-proxy version 1.7.5-2ppal~xenial
<http://www.haproxy.org/download/1.8/src/haproxy-1.8.30.tar.gz> 2017/05/27
and have configured below setting to secure a cookie. These configuration
does not seem to work. Please suggest what I am doing wrong.



Rspirep ^(set-cookie:.*) \1;\Secure



And also, Need Content-Security-Policy settings.



Your help is really appreciated.





Thanks

Saj
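
One way to write the two response-header settings the message above asks about on an HAProxy 1.x configuration, as an added example that is not from the thread; the section names, certificate path, server address and the policy value are assumptions.

```haproxy
# Added example; section names, paths, addresses and the CSP value are assumptions.
frontend fe_https
    mode http
    # Only add Secure on a TLS listener: a browser will not send a Secure
    # cookie back over plain HTTP, which would break sessions there.
    bind :443 ssl crt /etc/haproxy/certs/site.pem

    # Configuration keywords are lowercase, and a literal space inside an
    # unquoted argument is written as "\ ".
    # rspirep matches the whole header line, case-insensitively.
    rspirep ^(Set-Cookie:.*) \1;\ Secure

    # Same effect with the http-response rule set, which is the form to use
    # on HAProxy 2.1 and later, where rspirep no longer exists. Enable one
    # of the two rules, not both, or the attribute is appended twice.
    # http-response replace-header Set-Cookie (.*) \1;\ Secure

    # Content-Security-Policy: the policy string is a placeholder and has to
    # be written for the application; double quotes keep the spaces and the
    # single quotes intact.
    http-response set-header Content-Security-Policy "default-src 'self'"

    default_backend be_app

backend be_app
    mode http
    server app1 192.0.2.11:8080 check
```

`haproxy -c -f <file>` parses a configuration without starting the proxy, which shows whether a directive is rejected by the running version before a reload.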


Re: [PATCH] DOC: replace use of HA-Proxy with HAProxy

2021-01-20 Thread Willy Tarreau
Hi Bertrand,

On Thu, Jan 21, 2021 at 01:20:09AM +, Bertrand Jacquin wrote:
> This all definitely makes sense, I'll provide the split patchset over the
> week-end as I want to adjust vtest as well as William rightfully pointed
> out vtest itself is also messing around with naming and making my eyes
> bleed every time I see this. Again, this is all silly and pretty much
> pointless, not a reason to not split and test all this properly.

Perfect, thank you!

Willy



Re: [PATCH] DOC: replace use of HA-Proxy with HAProxy

2021-01-20 Thread Bertrand Jacquin
Hi Willy,

On Wednesday, January 20 2021 at 19:54:09 +0100, Willy Tarreau wrote:
> On Mon, Jan 18, 2021 at 08:47:43AM +0100, William Lallemand wrote:
> > Hello Bertrand,
> > 
> > On Sun, Jan 17, 2021 at 06:58:46PM +, Bertrand Jacquin wrote:
> > > This is a pretty lame commit in a attempt to use a common wording of
> > > HAProxy used 1319 times compared to HAproxy used 10 times
> > > index e36e020c5ce7..92449a04f6e2 100644
> > > 
> > > [...]
> > >
> > > --- a/src/haproxy.c
> > > +++ b/src/haproxy.c
> > > @@ -537,7 +537,7 @@ static void display_version()
> > >  {
> > >   struct utsname utsname;
> > >  
> > > - printf("HA-Proxy version %s %s - https://haproxy.org/\n;
> > > + printf("HAProxy version %s %s - https://haproxy.org/\n;
> > >  PRODUCT_STATUS "\n", haproxy_version, haproxy_date);
> > >  
> > >   if (strlen(PRODUCT_URL_BUGS) > 0) {
> > > 
> > 
> > I wanted to do this a long time ago, and at this time we decided to keep
> > it as it was to not break existing scripts. I think we'll let Willy
> > decide if that's a good idea now :-)
> 
> I'm totally fine with changing this ugly one that I usually spot right
> after the release :-)
> 
> However, this one and the other only real user-visible one affecting the
> mailers subject should be changed as a separate patch because we won't
> backport them. Ideally the doc and code comments should be in separate
> patches so that the doc ones can be backported and we keep the cleanups
> apart. But at quick glance there aren't that many comments so I think
> they'll easily be backported without causing trouble. Just something to
> keep in mind for next time.

This all definitely makes sense, I'll provide the split patchset over the
week-end as I want to adjust vtest as well as William rightfully pointed
out vtest itself is also messing around with naming and making my eyes
bleed every time I see this. Again, this is all silly and pretty much
pointless, not a reason to not split and test all this properly.

Cheers,
Bertrand

-- 
Bertrand



Re: [PATCH] DOC: replace use of HA-Proxy with HAProxy

2021-01-20 Thread Willy Tarreau
On Wed, Jan 20, 2021 at 07:26:05PM +0100, Tim Düsterhus wrote:
> Willy,
> 
> Am 18.01.21 um 08:47 schrieb William Lallemand:
> > I wanted to do this a long time ago, and at this time we decided to keep
> > it as it was to not break existing scripts. I think we'll let Willy
> > decide if that's a good idea now :-)
> > 
> 
> I assume you missed this email, so I just put you in CC here for you to
> take a look.

For once I didn't miss, I noticed them but can't catch up with all the
requests that arrive in parallel from so many channels :-(

Thanks for the reminder!
Willy



Re: [PATCH] DOC: replace use of HA-Proxy with HAProxy

2021-01-20 Thread Willy Tarreau
On Mon, Jan 18, 2021 at 08:47:43AM +0100, William Lallemand wrote:
> Hello Bertrand,
> 
> On Sun, Jan 17, 2021 at 06:58:46PM +, Bertrand Jacquin wrote:
> > This is a pretty lame commit in a attempt to use a common wording of
> > HAProxy used 1319 times compared to HAproxy used 10 times
> > index e36e020c5ce7..92449a04f6e2 100644
> > 
> > [...]
> >
> > --- a/src/haproxy.c
> > +++ b/src/haproxy.c
> > @@ -537,7 +537,7 @@ static void display_version()
> >  {
> > struct utsname utsname;
> >  
> > -   printf("HA-Proxy version %s %s - https://haproxy.org/\n;
> > +   printf("HAProxy version %s %s - https://haproxy.org/\n;
> >PRODUCT_STATUS "\n", haproxy_version, haproxy_date);
> >  
> > if (strlen(PRODUCT_URL_BUGS) > 0) {
> > 
> 
> I wanted to do this a long time ago, and at this time we decided to keep
> it as it was to not break existing scripts. I think we'll let Willy
> decide if that's a good idea now :-)

I'm totally fine with changing this ugly one that I usually spot right
after the release :-)

However, this one and the other only real user-visible one affecting the
mailers subject should be changed as a separate patch because we won't
backport them. Ideally the doc and code comments should be in separate
patches so that the doc ones can be backported and we keep the cleanups
apart. But at quick glance there aren't that many comments so I think
they'll easily be backported without causing trouble. Just something to
keep in mind for next time.

If you could provide me with updated patches that separate the two visible
changes mentioned above that would be great, given that I'm too busy to
spend time splitting patches at the moment. Don't scratch your head too
long, just place both of them (mailers and version) into a single patch,
that's OK.

Thanks!
Willy



Re: [PATCH] DOC: replace use of HA-Proxy with HAProxy

2021-01-20 Thread Tim Düsterhus
Bertrand,

Am 17.01.21 um 22:13 schrieb Bertrand Jacquin:
> Indeed, they are not well numbered since I use format.numbered = false
> in my git config. Let me know if you want me to resend them with proper
> subject/threading.
> 

I am not responsible for patch handling, so my opinion regarding that
does not matter as much and I expect that the maintainers can figure it out.

I assumed a mishandling of git send-email, because I wasn't aware of
that configuration option. My first steps with git send-email went
horribly :-)

If you don't mind, changing that setting in the repository specific git
config should "fix" it for any future patches, while not changing
anything about other projects.

Best regards
Tim Düsterhus



Re: [PATCH] DOC: replace use of HA-Proxy with HAProxy

2021-01-20 Thread Tim Düsterhus
Willy,

Am 18.01.21 um 08:47 schrieb William Lallemand:
> I wanted to do this a long time ago, and at this time we decided to keep
> it as it was to not break existing scripts. I think we'll let Willy
> decide if that's a good idea now :-)
> 

I assume you missed this email, so I just put you in CC here for you to
take a look.

Best regards
Tim Düsterhus



Re: [PATCH] DOC: replace use of HA-Proxy with HAProxy

2021-01-18 Thread William Dauchy
On Mon, Jan 18, 2021 at 6:35 AM John Traweek CCNA, Sec+
 wrote:
> How do I unsubscribe?

send an email to haproxy+unsubscr...@formilux.org
-- 
William



Re: [PATCH] DOC: replace use of HA-Proxy with HAProxy

2021-01-17 Thread William Lallemand
Hello Bertrand,

On Sun, Jan 17, 2021 at 06:58:46PM +, Bertrand Jacquin wrote:
> This is a pretty lame commit in a attempt to use a common wording of
> HAProxy used 1319 times compared to HAproxy used 10 times
> index e36e020c5ce7..92449a04f6e2 100644
> 
> [...]
>
> --- a/src/haproxy.c
> +++ b/src/haproxy.c
> @@ -537,7 +537,7 @@ static void display_version()
>  {
>   struct utsname utsname;
>  
> - printf("HA-Proxy version %s %s - https://haproxy.org/\n;
> + printf("HAProxy version %s %s - https://haproxy.org/\n;
>  PRODUCT_STATUS "\n", haproxy_version, haproxy_date);
>  
>   if (strlen(PRODUCT_URL_BUGS) > 0) {
> 

I wanted to do this a long time ago, and at this time we decided to keep
it as it was to not break existing scripts. I think we'll let Willy
decide if that's a good idea now :-)

Regards,

-- 
William Lallemand



Re: [PATCH] DOC: replace use of HA-Proxy with HAProxy

2021-01-17 Thread John Traweek CCNA, Sec+
How do I unsubscribe?

On 1/17/21, 2:00 PM, "Tim Düsterhus"  wrote:

Bertrand,

Am 17.01.21 um 20:19 schrieb Bertrand Jacquin:
> On Sunday, January 17 2021 at 20:02:47 +0100, Tim Düsterhus wrote:
>> Bertrand,
>>
>> Am 17.01.21 um 19:58 schrieb Bertrand Jacquin:
>>> This is a pretty lame commit in a attempt to use a common wording of
>>> HAProxy used 1319 times compared to HAproxy used 10 times
>>
>> I believe you have a typo in the commit message.
> 
> You are correct, I was too quick in reusing the commit message.
> Fixed in new patchset
> 

I see you use git send-email, but the patches are not properly numbered
which makes it hard to see which patches belong together. Here's what I
do for my patches, which results in proper threading.

1. Generate patch files from your commits using:

  git format-patch -v  -M master --cc=
--to=haproxy@formilux.org -o outgoing

2. Send the patches from step (1):

  git send-email outgoing/*.patch --in-reply-to=

Best regards
Tim Düsterhus




Re: [PATCH] DOC: replace use of HA-Proxy with HAProxy

2021-01-17 Thread Bertrand Jacquin
On Sunday, January 17 2021 at 20:28:40 +0100, Tim Düsterhus wrote:
> Bertrand,
> 
> Am 17.01.21 um 20:19 schrieb Bertrand Jacquin:
> > On Sunday, January 17 2021 at 20:02:47 +0100, Tim Düsterhus wrote:
> >> Bertrand,
> >>
> >> Am 17.01.21 um 19:58 schrieb Bertrand Jacquin:
> >>> This is a pretty lame commit in a attempt to use a common wording of
> >>> HAProxy used 1319 times compared to HAproxy used 10 times
> >>
> >> I believe you have a typo in the commit message.
> > 
> > You are correct, I was too quick in reusing the commit message.
> > Fixed in new patchset
> > 
> 
> I see you use git send-email, but the patches are not properly numbered
> which makes it hard to see which patches belong together. Here's what I
> do for my patches, which results in proper threading.

Indeed, they are not well numbered since I use format.numbered = false
in my git config. Let me know if you want me to resend them with proper
subject/threading.

Cheers,

-- 
Bertrand



Re: [PATCH] DOC: replace use of HA-Proxy with HAProxy

2021-01-17 Thread Tim Düsterhus
Bertrand,

Am 17.01.21 um 20:19 schrieb Bertrand Jacquin:
> On Sunday, January 17 2021 at 20:02:47 +0100, Tim Düsterhus wrote:
>> Bertrand,
>>
>> Am 17.01.21 um 19:58 schrieb Bertrand Jacquin:
>>> This is a pretty lame commit in a attempt to use a common wording of
>>> HAProxy used 1319 times compared to HAproxy used 10 times
>>
>> I believe you have a typo in the commit message.
> 
> You are correct, I was too quick in reusing the commit message.
> Fixed in new patchset
> 

I see you use git send-email, but the patches are not properly numbered
which makes it hard to see which patches belong together. Here's what I
do for my patches, which results in proper threading.

1. Generate patch files from your commits using:

  git format-patch -v  -M master --cc=
--to=haproxy@formilux.org -o outgoing

2. Send the patches from step (1):

  git send-email outgoing/*.patch --in-reply-to=

Best regards
Tim Düsterhus



[PATCH] DOC: replace use of HA-Proxy with HAProxy

2021-01-17 Thread Bertrand Jacquin
This is a pretty lame commit in a attempt to use a common wording of
HAProxy used 1319 times compared to HA-Proxy used 10 times
---
 doc/internals/filters.txt | 2 +-
 doc/intro.txt | 8 
 doc/management.txt| 2 +-
 examples/haproxy.init | 2 +-
 scripts/run-regtests.sh   | 2 +-
 src/haproxy.c | 4 ++--
 6 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/doc/internals/filters.txt b/doc/internals/filters.txt
index 5e9b58e56194..a72e908136b4 100644
--- a/doc/internals/filters.txt
+++ b/doc/internals/filters.txt
@@ -109,7 +109,7 @@ itself.
 The list of available filters is reported by 'haproxy -vv':
 
 $> haproxy -vv
-    HA-Proxy version 1.7-dev2-3a1d4a-33 2016/03/21
+HAProxy version 1.7-dev2-3a1d4a-33 2016/03/21
 Copyright 2000-2016 Willy Tarreau 
 
 [...]
diff --git a/doc/intro.txt b/doc/intro.txt
index c8021405ba7c..3e650e5faf07 100644
--- a/doc/intro.txt
+++ b/doc/intro.txt
@@ -1498,24 +1498,24 @@ branch, you need to proceed this way :
 generally sufficient to type "haproxy -v". A development version will
 appear like this, with the "dev" word after the branch number :
 
-  HA-Proxy version 1.6-dev3-385ecc-68 2015/08/18
+  HAProxy version 1.6-dev3-385ecc-68 2015/08/18
 
 A stable version will appear like this, as well as unmodified stable
 versions provided by operating system vendors :
 
-  HA-Proxy version 1.5.14 2015/07/02
+  HAProxy version 1.5.14 2015/07/02
 
 And a nightly snapshot of a stable version will appear like this with an
 hexadecimal sequence after the version, and with the date of the snapshot
 instead of the date of the release :
 
-  HA-Proxy version 1.5.14-e4766ba 2015/07/29
+  HAProxy version 1.5.14-e4766ba 2015/07/29
 
 Any other format may indicate a system-specific package with its own
 patch set. For example HAProxy Enterprise versions will appear with the
 following format (--) :
 
-  HA-Proxy version 1.5.0-994126-357 2015/07/02
+  HAProxy version 1.5.0-994126-357 2015/07/02
 
 In addition, versions 2.1 and above will include a "Status" line indicating
 whether the version is safe for production or not, and if so, till when, as
diff --git a/doc/management.txt b/doc/management.txt
index 2600478fddbc..b4a610d46f12 100644
--- a/doc/management.txt
+++ b/doc/management.txt
@@ -354,7 +354,7 @@ the versions of the libraries being used are reported 
there. It is also what
 you will systematically be asked for when posting a bug report :
 
   $ haproxy -vv
-  HA-Proxy version 1.6-dev7-a088d3-4 2015/10/08
+  HAProxy version 1.6-dev7-a088d3-4 2015/10/08
   Copyright 2000-2015 Willy Tarreau 
 
   Build options :
diff --git a/examples/haproxy.init b/examples/haproxy.init
index f08fcb0dd95c..cc120d855dae 100644
--- a/examples/haproxy.init
+++ b/examples/haproxy.init
@@ -1,7 +1,7 @@
 #!/bin/sh
 #
 # chkconfig: - 85 15
-# description: HA-Proxy is a TCP/HTTP reverse proxy which is particularly 
suited \
+# description: HAProxy is a TCP/HTTP reverse proxy which is particularly 
suited \
 #  for high availability environments.
 # processname: haproxy
 # config: /etc/haproxy/haproxy.cfg
diff --git a/scripts/run-regtests.sh b/scripts/run-regtests.sh
index 27bb13cbf75b..5e2cf0f23bf6 100755
--- a/scripts/run-regtests.sh
+++ b/scripts/run-regtests.sh
@@ -345,7 +345,7 @@ if [ $preparefailed ]; then
 fi
 
 { read HAPROXY_VERSION; read TARGET; read FEATURES; read SERVICES; } << EOF
-$($HAPROXY_PROGRAM $HAPROXY_ARGS -vv | grep 'HA-Proxy 
version\|TARGET.*=\|^Feature\|^Available services' | sed 's/.* [:=] //')
+$($HAPROXY_PROGRAM $HAPROXY_ARGS -vv | grep 'HAProxy 
version\|TARGET.*=\|^Feature\|^Available services' | sed 's/.* [:=] //')
 EOF
 
 HAPROXY_VERSION=$(echo $HAPROXY_VERSION | cut -d " " -f 3)
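Review bot: the grep pattern inside the here-document now matches only 'HAProxy version', so when HAPROXY_PROGRAM points at a binary built before this patch no version line is emitted and the four read calls shift by one line; the `cut -d " " -f 3` on the last line of the hunk then works on the wrong string without any error. Accept both spellings, for example grep 'HA-\?Proxy version\|TARGET.*=\|^Feature\|^Available services', and consider aborting early when HAPROXY_VERSION comes back empty or does not look like a version.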
diff --git a/src/haproxy.c b/src/haproxy.c
index e36e020c5ce7..92449a04f6e2 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -1,5 +1,5 @@
 /*
- * HA-Proxy : High Availability-enabled HTTP/TCP proxy
+ * HAProxy : High Availability-enabled HTTP/TCP proxy
  * Copyright 2000-2021 Willy Tarreau .
  *
  * This program is free software; you can redistribute it and/or
@@ -537,7 +537,7 @@ static void display_version()
 {
    struct utsname utsname;
 
-   printf("HA-Proxy version %s %s - https://haproxy.org/\n;
+   printf("HAProxy version %s %s - https://haproxy.org/\n;
   PRODUCT_STATUS "\n", haproxy_version, haproxy_date);
 
if (strlen(PRODUCT_URL_BUGS) > 0) {
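Review bot: the printf() in display_version() is program output, not documentation, so this hunk changes what `haproxy -v` and `haproxy -vv` print under a subject tagged "DOC:". The run-regtests.sh hunk in this same patch had to be adapted because it greps that banner, which shows that scripts depend on the string; packaging checks, monitoring probes and version-audit tooling that match "HA-Proxy version" will stop matching without any error. Move the banner change into its own commit with a tag that reflects a behaviour change, and state it in the commit message so it shows up in the changelog.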



Re: [PATCH] DOC: replace use of HA-Proxy with HAProxy

2021-01-17 Thread Bertrand Jacquin
On Sunday, January 17 2021 at 20:02:47 +0100, Tim Düsterhus wrote:
> Bertrand,
> 
> On 17.01.21 at 19:58, Bertrand Jacquin wrote:
> > This is a pretty lame commit in a attempt to use a common wording of
> > HAProxy used 1319 times compared to HAproxy used 10 times
> 
> I believe you have a typo in the commit message.

You are correct, I was too quick in reusing the commit message.
Fixed in new patchset

-- 
Bertrand



Re: Ha-proxy ignoring context after first digit

2020-07-14 Thread Jonathan Matthews
Hey there. Just to start by double-checking you know this is the public
mailing list for the open source haproxy project, and not a commercial
support contact ... :-)

From near the top of your configuration: what do you reckon these lines do?


acl path_mtc-jenkins-1 path_beg /mtc-jenkins-1
use_backend mtc-jenkins-1_1564 if path_mtc-jenkins-1


There’s probably a relevant “amendment” you could make there :-) If you
need a hand figuring it out, let us know how far you get and where you get
stuck!

HTH,
Jonathan

> --
Jonathan Matthews
https://jpluscplusm.com


RE: Ha-proxy ignoring context after first digit

2020-07-14 Thread microgenesis . r
Hello Jonathan,

Greetings for the day,

Please find the Front-end and Back-end of Ha-Proxy configuration details in 
the attachment.

Kindly let us know if there are any amendments.

Mit freundlichen Grüßen / With Best Regards,
Gokulakrishnan.R
Gsep-Crosscutting
Daimler AG
Global Software Engineering Platform (GSEP)

From: Jonathan Matthews 
Sent: Tuesday, July 14, 2020 2:26 PM
To: R, Gokulakrishnan (623-Extern-MicroGenesis) 
Cc: haproxy@formilux.org; Ramavarapu, Krishna Chaitanya 
(623-Extern-MicroGenesis) 
Subject: Re: Ha-proxy ignoring context after first digit

On Tue, 14 Jul 2020 at 08:47, microgenesi...@daimler.com wrote:
> We are using Ha-proxy 1.8. Recently we started facing issue with Ha-Proxy 
> ignoring context after first digit.

Do you perhaps mean “Host” rather than Context?

> Please check and help us on this.

Whilst I’m not ruling out a bug in haproxy causing this, it is *vastly* more 
likely that this is either inadvertently caused by your haproxy configuration 
or another layer 7/HTTP device in your traffic flow.

Please post the smallest haproxy config which exhibits this issue so folks can 
help you figure it out!

J
--
Jonathan Matthews
https://jpluscplusm.com


frontend http_gsep-int_in
    bind :80
    mode http
    http-request deny if { path -i -m beg /stash } { src 53.55.88.99 }
    http-request deny if { path -i -m beg /crowd } { src 53.55.88.99 }
    http-request deny if { path -i -m beg / } { src 53.55.88.99 }

    acl path_mtc-jenkins-1 path_beg /mtc-jenkins-1
    use_backend mtc-jenkins-1_1564 if path_mtc-jenkins-1

    acl path_mtc-jenkins-2 path_beg /mtc-jenkins-2
    use_backend mtc-jenkins-2_1565 if path_mtc-jenkins-2

    acl path_mtc-jenkins-6 path_beg /mtc-jenkins-6
    use_backend mtc_application_zone6 if path_mtc-jenkins-6

    acl path_mtc-jenkins-7 path_beg /mtc-jenkins-7
    use_backend mtc_application_zone7 if path_mtc-jenkins-7

    acl path_mtc-jenkins-8 path_beg /mtc-jenkins-8
    use_backend mtc_application_zone8 if path_mtc-jenkins-8

    acl path_mtc-jenkins-9 path_beg /mtc-jenkins-9
    use_backend mtc_application_zone9 if path_mtc-jenkins-9

    acl path_mtc-jenkins-10 path_beg /mtc-jenkins-10
    use_backend mtc_application_zone10 if path_mtc-jenkins-10

    default_backend apache_servers

backend apache_servers
    server server1 127.0.0.1:81 maxconn 32

backend mtc-jenkins-1_1564
    # http-request set-header X-Forwarded-Proto https
    # http-request set-header X-Forwarded-Port 443
    server mtc-jenkins-1 53.55.88.100:8080 check

backend mtc-jenkins-2_1565
    server mtc-jenkins-2 53.55.88.99:8080 check

backend mtc_application_zone6
    server mtc-jenkins-6 53.55.112.187:8080 check

backend mtc_application_zone7
    server mtc-jenkins-7 53.55.112.186:8080 check

backend mtc_application_zone8
    server mtc-jenkins-8 53.55.112.185:8080 check

backend mtc_application_zone9
    server mtc-jenkins-9 53.55.112.184:8080 check

backend mtc_application_zone10
    server mtc-jenkins-10 53.55.112.183:8080 check
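
Added example (not part of the thread and not HAProxy code): a Python model of first-match use_backend routing over the path_beg rules in the configuration above, together with one possible amendment that bounds each prefix at a path segment. The rule tuples, the function names and the amended rule set are assumptions made for this illustration.

```python
# Added illustration: models how HAProxy selects a backend from
# "use_backend <backend> if <acl>" rules. Rules are evaluated in declaration
# order and the first matching rule wins. Two match methods are modelled:
#   "beg" = path_beg (plain string prefix), "str" = path (exact string).

# The frontend rules as posted: (backend, [(method, pattern), ...]).
POSTED_RULES = [
    ("mtc-jenkins-1_1564",     [("beg", "/mtc-jenkins-1")]),
    ("mtc-jenkins-2_1565",     [("beg", "/mtc-jenkins-2")]),
    ("mtc_application_zone6",  [("beg", "/mtc-jenkins-6")]),
    ("mtc_application_zone7",  [("beg", "/mtc-jenkins-7")]),
    ("mtc_application_zone8",  [("beg", "/mtc-jenkins-8")]),
    ("mtc_application_zone9",  [("beg", "/mtc-jenkins-9")]),
    ("mtc_application_zone10", [("beg", "/mtc-jenkins-10")]),
]
DEFAULT_BACKEND = "apache_servers"


def bound_at_segment(rules):
    """Assumed amendment: replace each prefix P by 'exactly P' or 'P/...'.

    In configuration terms this is two lines for the same ACL name, which
    HAProxy ORs together:
        acl path_mtc-jenkins-1 path     /mtc-jenkins-1
        acl path_mtc-jenkins-1 path_beg /mtc-jenkins-1/
    """
    amended = []
    for backend, tests in rules:
        new_tests = []
        for method, pattern in tests:
            if method == "beg" and not pattern.endswith("/"):
                new_tests += [("str", pattern), ("beg", pattern + "/")]
            else:
                new_tests.append((method, pattern))
        amended.append((backend, new_tests))
    return amended


def matches(path, method, pattern):
    """Evaluate one pattern against a request path."""
    if method == "beg":
        return path.startswith(pattern)
    if method == "str":
        return path == pattern
    raise ValueError(f"unsupported match method: {method}")


def route(path, rules, default=DEFAULT_BACKEND):
    """Return the backend chosen for a request path (query string excluded)."""
    for backend, tests in rules:
        if any(matches(path, m, p) for m, p in tests):
            return backend
    return default


def covers(earlier, later):
    """True if every path accepted by test `later` is accepted by `earlier`."""
    (e_method, e_pat), (l_method, l_pat) = earlier, later
    if e_method == "beg":
        return l_pat.startswith(e_pat)
    return l_method == "str" and e_pat == l_pat


def shadowed_rules(rules):
    """List (backend, earlier_backend) for rules fully covered by one earlier
    rule, i.e. rules that can never be selected."""
    found = []
    for i, (backend, tests) in enumerate(rules):
        for earlier_backend, earlier_tests in rules[:i]:
            if all(any(covers(e, t) for e in earlier_tests) for t in tests):
                found.append((backend, earlier_backend))
                break
    return found


AMENDED_RULES = bound_at_segment(POSTED_RULES)

if __name__ == "__main__":
    for path in ("/mtc-jenkins-1/login", "/mtc-jenkins-10/login", "/other"):
        print(path, "posted ->", route(path, POSTED_RULES),
              "| amended ->", route(path, AMENDED_RULES))
    print("shadowed as posted:", shadowed_rules(POSTED_RULES))
    print("shadowed after amendment:", shadowed_rules(AMENDED_RULES))
```

The same shadowing check applies to prefix-based deny rules: a broad prefix placed first decides the outcome for every longer path that starts with it.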


Re: Ha-proxy ignoring context after first digit

2020-07-14 Thread Jonathan Matthews
On Tue, 14 Jul 2020 at 08:47,  wrote:

> We are using Ha-proxy 1.8. Recently we started facing issue with Ha-Proxy
> ignoring context after first digit.
>
Do you perhaps mean “Host” rather than Context?

> Please check and help us on this.
>
Whilst I’m not ruling out a bug in haproxy causing this, it is *vastly*
more likely that this is either inadvertently caused by your haproxy
configuration or another layer 7/HTTP device in your traffic flow.

Please post the smallest haproxy config which exhibits this issue so folks
can help you figure it out!

J
-- 
Jonathan Matthews
https://jpluscplusm.com


Ha-proxy ignoring context after first digit

2020-07-14 Thread microgenesis . r
Hello Team,

Greetings for the day,

We are using Ha-proxy 1.8. Recently we started facing issue with Ha-Proxy 
ignoring context after first digit.

Issue : Ha-proxy configuration ignoring after 1st digit

Observation: we are not able to use https://gsep.daimler.com/mtc-jenkins-10 as 
it is redirecting to https://gsep.daimler.com/mtc-jenkins-1

Workaround we found: we changed the Ha-proxy config file 
(https://gsep.daimler.com/mtc-jenkins-10 to 
https://gsep.daimler.com/mtc-jenkins-ten) and it worked.

But in future we may need more masters, where it can go up to 20 or 25. So 
please help us with a permanent solution, like Ha-proxy should not ignore the 
context after the first digit.

Please check and help us on this.

Mit freundlichen Grüßen / With Best Regards,
Gokulakrishnan.R
Gsep-Crosscutting
Daimler AG
Global Software Engineering Platform (GSEP)



Re: HA-Proxy version 1.8.13 2018/07/30.

2019-08-30 Thread GARDAIS Ionel
Hi Leonardo, 

What are you trying to achieve ? 
What is your current setup ? 

-- 
Ionel GARDAIS 
Tech'Advantage CIO - IT Team manager 


From: "BISSOLI Leonardo"
To: "haproxy"
Sent: Friday 30 August 2019 17:05:57
Subject: HA-Proxy version 1.8.13 2018/07/30.



Hi All.

My name is Leonardo Bissoli and we’re working on a project that uses HAProxy.

We can successfully deploy 2 Load Balance Servers with 2 Web Servers. The only 
issue that we’re facing is when we reboot the Load Balance Server (the page 
couldn’t be reached anymore) but there is no error in the HAProxy.

Do you have any clue where I can start to search? I’ve tried forums, manual etc. 
but we couldn’t find yet the reason that it stops working after the reboot.

If we reboot the Web Servers there is no issue, all is back to work as usual. The 
problem is only when we reboot the LB Servers.

Using curl is working as well

curl http://localhost:7025/helloworld/hi.jsp

JSP Test

Hello, World. This is from Web Server 02
Fri Aug 30 14:57:52 UTC 2019

curl http://localhost:7025/helloworld/hi.jsp

JSP Test

Hello, World. This is from Web Server 01
Fri Aug 30 14:57:57 UTC 2019

Thank you.

Best Regards,

Leonardo Bissoli
QUMAS SW Dev & Cloud

Office: +353 2 1491 5106
leonardo.biss...@3ds.com

3DS.COM/ENOVIA

Dassault Systemes Limited | Phoenix House | Monahan Rd | Cork | Ireland





--

232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON

Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301



HA-Proxy version 1.8.13 2018/07/30.

2019-08-30 Thread BISSOLI Leonardo
Hi All.

My name is Leonardo Bissoli and we’re working on a project that uses HAProxy.

We can successfully deploy 2 Load Balance Servers with 2 Web Servers. The only 
issue that we’re facing is when we reboot the Load Balance Server (the page 
couldn’t be reached anymore) but there is no error in the HAProxy.

Do you have any clue where I can start to search? I’ve tried forums, manual etc. 
but we couldn’t find yet the reason that it stops working after the reboot.

If we reboot the Web Servers there is no issue, all is back to work as usual. The 
problem is only when we reboot the LB Servers.

Using curl is working as well

curl http://localhost:7025/helloworld/hi.jsp

JSP Test

Hello, World. This is from Web Server 02
Fri Aug 30 14:57:52 UTC 2019

curl http://localhost:7025/helloworld/hi.jsp

JSP Test

Hello, World. This is from Web Server 01
Fri Aug 30 14:57:57 UTC 2019

Thank you.


Best Regards,

Leonardo Bissoli
QUMAS SW Dev & Cloud

Office: +353 2 1491 5106
leonardo.biss...@3ds.com

3DS.COM/ENOVIA

Dassault Systemes Limited | Phoenix House | Monahan Rd | Cork | Ireland


Re: HA Proxy Support for RedHat 8 Enquiries

2019-08-21 Thread Bruno Henc
The RHEL7 package for HAProxy Enterprise is fully compatible with RHEL8, 
and there's also a build against openssl 1.1.1, so for all intents and 
purposes one can start using it on RHEL8.



Direct RHEL8 support should arrive with the release of HAProxy 
Enterprise 2.0 which should arrive at the end of Q3 or at the start of 
Q4.  We can expedite the process if needed.



If you have any further questions regarding the enterprise version feel 
free to reach out at supp...@haproxy.com or sa...@haproxy.com, the 
mailing list is oriented towards questions regarding open source 
development of the community edition.


On 8/21/19 9:42 AM, Eng, Lijwee wrote:


Hi HA Proxy Team,

Would like to check is HA Proxy compatible with RHEL 8, from the 
current compatibility , based on the current documentation, 1-9r1 
supports up to RHEL 7.


Will RHEL 8 be supported as well ?

https://www.haproxy.com/documentation/hapee/1-9r1/getting-started/os-hardware/

Please advise, thank you!

Regards

LiJwee Eng

Systems Engineer

Dell Technologies | Data Protection Solutions

Mobile +65 97516931

lijwee@dell.com


--
Bruno Henc
Support Engineer
HAProxy Technologies - Powering your uptime!
375 Totten Pond Road, Suite 302 | Waltham, MA 02451, US
+1 (844) 222-4340 | www.haproxy.com <https://www.haproxy.com/>


HA Proxy Support for RedHat 8 Enquiries

2019-08-21 Thread Eng, Lijwee
Hi HA Proxy Team,

Would like to check is HA Proxy compatible with RHEL 8, from the current 
compatibility, based on the current documentation, 1-9r1 supports up to RHEL 7.
Will RHEL 8 be supported as well?
https://www.haproxy.com/documentation/hapee/1-9r1/getting-started/os-hardware/

Please advise, thank you!

Regards
LiJwee Eng
Systems Engineer
Dell Technologies | Data Protection Solutions
Mobile +65 97516931
lijwee@dell.com



Re: Chained HA proxy with proxy protocol not working

2019-05-24 Thread Lukas Tribus
Hi Tim,

On Fri, 24 May 2019 at 13:36, Tim Düsterhus  wrote:
>
> Lukas,
>
> On 24.05.19 at 11:27, Lukas Tribus wrote:
> > FYI this was double posted and has already been looked at here:
> >
> > https://discourse.haproxy.org/t/chained-haproxy-in-tcp-mode-with-proxy-protocol-enabled-not-working/3843/
> >
>
> I'm not signed up in Discourse, thus here on the list.
>
> I believe when `accept-proxy` is configured on HAProxy B there should be
> another `send-proxy` in the `server` line of HAProxy B, no?

Correct, 'accept-proxy' on haproxy B is a wrong and irrelevant
configuration, it was wrongly used for testing purposes (and confirms
that the backend server expects plain SSL instead of PROXY+SSL).

The point is that unless the source IP is needed on haproxy B, the
PROXY protocol can be passed transparently to the backend server,
without accepting and rewriting it on the backend.

Lukas
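
Added example (not from the thread and not HAProxy's source): a Python model of what the hop at location B receives when location A uses send-proxy-v2, and of what reaches the server with and without accept-proxy on B, including the accept-proxy plus send-proxy combination raised in the thread. The addresses, the sample TLS bytes and all function names are constructed for this illustration; the client payload is treated as opaque bytes and the `ssl` keyword on B's server line is not modelled.

```python
import ipaddress
import struct

# 12-byte signature that opens every PROXY protocol v2 header.
V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"

# family/protocol byte -> (struct layout of the address block, address class)
ADDRESS_LAYOUTS = {
    0x11: ("!4s4sHH", ipaddress.IPv4Address),    # TCP over IPv4, 12 bytes
    0x21: ("!16s16sHH", ipaddress.IPv6Address),  # TCP over IPv6, 36 bytes
}


def build_v2_tcp4(src, sport, dst, dport):
    """Header for a proxied TCP/IPv4 connection (version 2, command PROXY)."""
    block = struct.pack("!4s4sHH", ipaddress.IPv4Address(src).packed,
                        ipaddress.IPv4Address(dst).packed, sport, dport)
    return V2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", len(block)) + block


def classify(first_bytes):
    """Name what a listener sees at the very start of a connection."""
    if first_bytes.startswith(V2_SIGNATURE):
        return "proxy-v2"
    if first_bytes.startswith(b"PROXY "):
        return "proxy-v1"
    if len(first_bytes) >= 2 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls-handshake"
    return "other"


def parse_v2(stream):
    """Split a stream into (connection info, remaining payload)."""
    if len(stream) < 16 or not stream.startswith(V2_SIGNATURE):
        raise ValueError("stream does not start with a PROXY v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", stream[12:16])
    if ver_cmd >> 4 != 2 or ver_cmd & 0x0F not in (0, 1):
        raise ValueError("unsupported version or command")
    if len(stream) < 16 + length:
        raise ValueError("truncated header")
    block, payload = stream[16:16 + length], stream[16 + length:]
    if ver_cmd & 0x0F == 0:          # LOCAL: no client address is conveyed
        return {"command": "LOCAL"}, payload
    if fam_proto not in ADDRESS_LAYOUTS:
        raise ValueError("address family not handled in this example")
    layout, addr_type = ADDRESS_LAYOUTS[fam_proto]
    size = struct.calcsize(layout)
    if length < size:
        raise ValueError("address block shorter than its family requires")
    # Bytes after the address block are optional TLVs; they are ignored here.
    src, dst, sport, dport = struct.unpack(layout, block[:size])
    return {"command": "PROXY", "src": str(addr_type(src)), "sport": sport,
            "dst": str(addr_type(dst)), "dport": dport}, payload


def hop_b(stream, accept_proxy, send_proxy=False):
    """Model of the TCP-mode proxy at location B.

    Returns (client address known to B, bytes B forwards to the server).
    send_proxy is modelled only together with accept_proxy, and only for IPv4.
    """
    if not accept_proxy:
        return None, stream            # the header is opaque payload to B
    info, payload = parse_v2(stream)
    if info["command"] == "LOCAL":
        return None, payload
    if send_proxy:                     # B re-emits the header it consumed
        payload = build_v2_tcp4(info["src"], info["sport"],
                                info["dst"], info["dport"]) + payload
    return (info["src"], info["sport"]), payload


# Constructed sample data: documentation address ranges and a fake TLS record.
CLIENT_HELLO = b"\x16\x03\x01\x00\x05hello"
FROM_A = build_v2_tcp4("203.0.113.7", 51234, "198.51.100.10", 443) + CLIENT_HELLO

if __name__ == "__main__":
    for accept, send in ((False, False), (True, False), (True, True)):
        client, to_server = hop_b(FROM_A, accept, send)
        print(f"accept-proxy={accept} send-proxy={send}: B knows {client}, "
              f"server first sees {classify(to_server)}")
```

A listener that parses the header takes the client address from it, so such a listener should only be reachable by the upstream proxy.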



Re: Chained HA proxy with proxy protocol not working

2019-05-24 Thread Tim Düsterhus
Lukas,

On 24.05.19 at 11:27, Lukas Tribus wrote:
> FYI this was double posted and has already been looked at here:
> 
> https://discourse.haproxy.org/t/chained-haproxy-in-tcp-mode-with-proxy-protocol-enabled-not-working/3843/
> 

I'm not signed up in Discourse, thus here on the list.

I believe when `accept-proxy` is configured on HAProxy B there should be
another `send-proxy` in the `server` line of HAProxy B, no?

Best regards
Tim Düsterhus



Re: Chained HA proxy with proxy protocol not working

2019-05-24 Thread Lukas Tribus
Hello,

On Wed, 22 May 2019 at 14:03, praveen kumar  wrote:
>
> have a haproxy setup as follow:
>
> Client --> Haproxy (LOCATION A)--> HAProxy(LOCATION B)> Server

FYI this was double posted and has already been looked at here:

https://discourse.haproxy.org/t/chained-haproxy-in-tcp-mode-with-proxy-protocol-enabled-not-working/3843/


Lukas



Re: Chained HA proxy with proxy protocol not working

2019-05-22 Thread Aleksandar Lazic

You need to add `accept-proxy` keyword in receiving haproxy bind line.

https://cbonte.github.io/haproxy-dconv/1.9/configuration.html#5.1-accept-proxy

Hth
 Aleks

Wed May 22 14:03:26 GMT+02:00 2019 praveen kumar :

>
> have a haproxy setup as follow:
>
> Client --> Haproxy (LOCATION A)--> HAProxy(LOCATION B)> Server
>
> Both HA Proxy are running in TCP mode in both frontend and backend. My server 
> wants to see actual client ip connecting to it, so I have enabled  send-proxy 
>  on location A haproxy and sending it haproxy at location B. I can proxy 
> header on my server. I can see initial ssl handshake between haproxy at 
> location B and server, but no data is being sent and response not received at 
> the client end.
>
> Location A config :
>
> global
> log 127.0.0.1:514 local0 info
> log 127.0.0.1:514 local0 debug
>   #log 127.0.0.1:514 local1 notice
>   #log  loghost local0 info
> maxconn 4096
>   #chroot  /usr/share/haproxy
>   #user  haproxy
>   #group  haproxy
> daemon
> debug
>   #quiet
>   #ssl-server-verify  none
> defaults
> mode tcp
> log global
> option httplog
> option dontlognull
> option http-server-close
> option redispatch
> retries 3
> timeout http-request 10s
> timeout queue 1m
> timeout connect 10s
> timeout client 1m
> timeout server 1m
> timeout http-keep-alive 10s
> timeout check 10s
> maxconn 3000
>
> frontend https_in
> bind *:443
> mode tcp
> option tcplog
> timeout client 1m
> default_backend https
>
> backend https
> mode tcp
> option tcplog
> option log-health-checks
>   #option  redispatch
> server halocb x.x.x.x:443 check send-proxy-v2
>
> Location B config :
>
> global
> log 127.0.0.1:514 local0 info
> log 127.0.0.1:514 local0 debug
>   #log 127.0.0.1:514 local1 notice
>   #log  loghost local0 info
> maxconn 4096
>   #chroot  /usr/share/haproxy
>   #user  haproxy
>   #group  haproxy
> daemon
> debug
>   #quiet
>   #ssl-server-verify  none
> defaults
> mode tcp
> log global
> option httplog
> option dontlognull
> option http-server-close
> option redispatch
> retries 3
> timeout http-request 10s
> timeout queue 1m
> timeout connect 10s
> timeout client 1m
> timeout server 1m
> timeout http-keep-alive 10s
> timeout check 10s
> maxconn 3000
>
> frontend https_in
> bind *:443
> mode tcp
> option tcplog
> timeout client 1m
> default_backend https
>
> backend https
> mode tcp
> option tcplog
> option log-health-checks
>   #option  redispatch
> server halocb mysite.ul.com:443 check ssl verify none
>
>
> --
> V.PRAVEEN KUMAR
>



Chained HA proxy with proxy protocol not working

2019-05-22 Thread praveen kumar
have a haproxy setup as follow:

Client --> Haproxy (LOCATION A)--> HAProxy(LOCATION B)> Server

Both HA Proxy are running in TCP mode in both frontend and backend. My
server wants to see actual client ip connecting to it, so I have enabled
*send-proxy* on location A haproxy and sending it haproxy at location B. I
can proxy header on my server. I can see initial ssl handshake between
haproxy at location B and server, but no data is being sent and response
not received at the client end.

*Location A config :*

global
    log 127.0.0.1:514 local0 info
    log 127.0.0.1:514 local0 debug
    #log 127.0.0.1:514 local1 notice
    #log loghost local0 info
    maxconn 4096
    #chroot /usr/share/haproxy
    #user haproxy
    #group haproxy
    daemon
    debug
    #quiet
    #ssl-server-verify none

defaults
    mode tcp
    log global
    option httplog
    option dontlognull
    option http-server-close
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000

frontend https_in
    bind *:443
    mode tcp
    option tcplog
    timeout client 1m
    default_backend https

backend https
    mode tcp
    option tcplog
    option log-health-checks
    #option redispatch
    server halocb x.x.x.x:443 check send-proxy-v2

*Location B config :*

global
    log 127.0.0.1:514 local0 info
    log 127.0.0.1:514 local0 debug
    #log 127.0.0.1:514 local1 notice
    #log loghost local0 info
    maxconn 4096
    #chroot /usr/share/haproxy
    #user haproxy
    #group haproxy
    daemon
    debug
    #quiet
    #ssl-server-verify none

defaults
    mode tcp
    log global
    option httplog
    option dontlognull
    option http-server-close
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000

frontend https_in
    bind *:443
    mode tcp
    option tcplog
    timeout client 1m
    default_backend https

backend https
    mode tcp
    option tcplog
    option log-health-checks
    #option redispatch
    server halocb mysite.ul.com:443 check ssl verify none


-- 
V.PRAVEEN KUMAR


Re: SSL termination with HA proxy

2019-04-15 Thread Aleksandar Lazic
Hi.

On 15.04.2019 at 18:06, bhanu chandra suman wrote:
> Hi,
> 
> As per your mail i can understand again my create certificates in that server
> (.pemkey). is it right

Yes.

A TLS/SSL server requires at least a Key and a Certificate.

Do you have already a Key and a Certificate?

Maybe this post helps you to create certificates.
https://serversforhackers.com/c/using-ssl-certificates-with-haproxy

Regards
Aleks

> On Mon, Apr 15, 2019 at 9:27 PM Aleksandar Lazic <al-hapr...@none.at> wrote:
> 
> Hi.
> 
> On 15.04.2019 at 17:55, bhanu chandra suman wrote:
> >
> > root@ip-172-31-80-163:~# uname -a
> > Linux ip-172-31-80-163 4.15.0-1035-aws #37-Ubuntu SMP Mon Mar 18 16:15:14 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
> > root@ip-172-31-80-163:~# haproxy -v
> > HA-Proxy version 1.8.8-1ubuntu0.4 2019/01/24
> > Copyright 2000-2018 Willy Tarreau <wi...@haproxy.org>
> 
> Well I assume this version has TLS/SSL enabled as you haven't used `-vv`!
> 
> Please take a look into this blog post which describes how to add TLS/SSL
> termination into haproxy.
> 
> https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
> 
> Regards
> Aleks
> 
> > On Mon, Apr 15, 2019 at 8:58 PM Aleksandar Lazic <al-hapr...@none.at> wrote:
> >
> >     Hi.
> >
> >     Please keep the Mailinglist in the loop.
> >
> >     On 15.04.2019 at 17:27, bhanu chandra suman wrote:
> >     > image.png
> >
> >     It's not easy to copy text from Screenshot's so please copy text into
> >     the mail.
> >
> >     Please use 2 v.
> >
> >     haproxy -vv
> >
> >     Thanks.
> >
> >     > On Mon, Apr 15, 2019 at 8:53 PM Aleksandar Lazic <al-hapr...@none.at> wrote:
> >     >
> >     >     Hi.
> >     >
> >     >     On 15.04.2019 at 17:19, bhanu chandra suman wrote:
> >     >     > Hi Team,
> >     >     >
> >     >     > I installed haproxy in ubuntu machine. and after that i edited the
> >     >     > haproxy.cfg file.
> >     >
> >     >     Please can you tell us more about this.
> >     >
> >     >     haproxy -vv
> >     >     uname -a
> >     >
> >     >     > bind *:18083
> >     >     > mode http
> >     >     > default_backend backendnodes
> >     >     > backend backendnodes
> >     >     > balance roundrobin
> >     >     > option forwardfor
> >     >     > server node1 x.x.x.x:18083 check
> >     >     > server node2 x.x.x.x:18083 check
> >     >     > listen stats
> >     >     > bind :32700
> >     >     > stats enable
> >     >     > stats uri /
> >     >     > stats hide-version
> >     >     > stats auth user:password
> >     >     > Its working fine.but i need SSL termination with HA proxy.
> >     >     > could you please help me this issue.
> >     >
> >     >     Please take a look into this blog post which describes how TLS/SSL
> >     >     Termination works in haproxy.
> >     >
> >     >     https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
> >     >
> >     >     > --
> >     >     > S.B.C.Suman
> >     >
> >     >     Regards
> >     >     Aleks
> >     >
> >     > --
> >     > S.B.C.Suman
> >     > +91 9989894950.
> >
> > --
> > S.B.C.Suman
> > +91 9989894950.
> 
> -- 
> S.B.C.Suman
> +91 9989894950.




RE: SSL termination with HA proxy

2019-04-15 Thread Gibson, Brian (IMS)
You need to run haproxy -vv not haproxy -v.  Your output should look something 
like this:
haproxy -vv
HA-Proxy version 1.8.19 2019/02/11
Copyright 2000-2019 Willy Tarreau 

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_SYSTEMD=1 USE_PCRE2=1 USE_PCRE2_JIT=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.1.1a  20 Nov 2018
Running on OpenSSL version : OpenSSL 1.1.1b  26 Feb 2019
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE2 version : 10.31 2018-02-12
PCRE2 library supports JIT : yes
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace

From: bhanu chandra suman [mailto:bhanuchandra.su...@gmail.com]
Sent: Monday, April 15, 2019 11:56 AM
To: Aleksandar Lazic 
Cc: haproxy 
Subject: Re: SSL termination with HA proxy

root@ip-172-31-80-163:~# uname -a
Linux ip-172-31-80-163 4.15.0-1035-aws #37-Ubuntu SMP Mon Mar 18 16:15:14 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
root@ip-172-31-80-163:~# haproxy -v
HA-Proxy version 1.8.8-1ubuntu0.4 2019/01/24
Copyright 2000-2018 Willy Tarreau <wi...@haproxy.org>



On Mon, Apr 15, 2019 at 8:58 PM Aleksandar Lazic <al-hapr...@none.at> wrote:
Hi.

Please keep the Mailinglist in the loop.

On 15.04.2019 at 17:27, bhanu chandra suman wrote:
> image.png

It's not easy to copy text from Screenshot's so please copy text into the mail.

Please use 2 v.

haproxy -vv

Thanks.

> On Mon, Apr 15, 2019 at 8:53 PM Aleksandar Lazic <al-hapr...@none.at> wrote:
>
> Hi.
>
> On 15.04.2019 at 17:19, bhanu chandra suman wrote:
> > Hi Team,
> >
> > I installed haproxy in ubuntu machine. and after that i edited the
> haproxy.cfg file.
>
> Please can you tell us more about this.
>
> haproxy -vv
> uname -a
>
> > bind *:18083
> > mode http
> > default_backend backendnodes
> > backend backendnodes
> > balance roundrobin
> > option forwardfor
> > server node1 x.x.x.x:18083 check
> > server node2 x.x.x.x:18083 check
> > listen stats
> > bind :32700
> > stats enable
> > stats uri /
> > stats hide-version
> > stats auth user:password
> > Its working fine.but i need SSL termination with HA proxy.
> > could you please help me this issue.
>
> Please take a look into this blog post which describes how TLS/SSL 
> Termination
> works in haproxy.
>
> 
> https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
>
> > --
> > S.B.C.Suman
>
> Regards
> Aleks
>
>
>
> --
> S.B.C.Suman
> +91 9989894950.


--
S.B.C.Suman
+91 9989894950.





Re: SSL termination with HA proxy

2019-04-15 Thread Aleksandar Lazic
Hi.

On 15.04.2019 at 17:55, bhanu chandra suman wrote:
> 
> root@ip-172-31-80-163:~# uname -a
> Linux ip-172-31-80-163 4.15.0-1035-aws #37-Ubuntu SMP Mon Mar 18 16:15:14 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
> root@ip-172-31-80-163:~# haproxy -v
> HA-Proxy version 1.8.8-1ubuntu0.4 2019/01/24
> Copyright 2000-2018 Willy Tarreau <wi...@haproxy.org>

Well I assume this version has TLS/SSL enabled as you haven't used `-vv`!

Please take a look into this blog post which describes how to add TLS/SSL
termination into haproxy.

https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/

Regards
Aleks

> On Mon, Apr 15, 2019 at 8:58 PM Aleksandar Lazic <al-hapr...@none.at> wrote:
> 
> Hi.
> 
> Please keep the Mailinglist in the loop.
> 
> On 15.04.2019 at 17:27, bhanu chandra suman wrote:
> > image.png
> 
> It's not easy to copy text from Screenshot's so please copy text into the 
> mail.
> 
> Please use 2 v.
> 
> haproxy -vv
> 
> Thanks.
> 
> > On Mon, Apr 15, 2019 at 8:53 PM Aleksandar Lazic <al-hapr...@none.at> wrote:
> >
> >     Hi.
> >
> >     On 15.04.2019 at 17:19, bhanu chandra suman wrote:
> >     > Hi Team,
> >     >
> >     > I installed haproxy in ubuntu machine. and after that i edited the
> >     haproxy.cfg file.
> >
> >     Please can you tell us more about this.
> >
> >     haproxy -vv
> >     uname -a
> >
> >     > bind *:18083
> >     > mode http
> >     > default_backend backendnodes
> >     > backend backendnodes
> >     > balance roundrobin
> >     > option forwardfor
> >     > server node1 x.x.x.x:18083 check
> >     > server node2 x.x.x.x:18083 check
> >     > listen stats
> >     > bind :32700
> >     > stats enable
> >     > stats uri /
> >     > stats hide-version
> >     > stats auth user:password
> >     > Its working fine.but i need SSL termination with HA proxy.
> >     > could you please help me this issue.
> >
> >     Please take a look into this blog post which describes how TLS/SSL
> Termination
> >     works in haproxy.
> >
> >   
>  
> https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
> >
> >     > --
> >     > S.B.C.Suman
> >
> >     Regards
> >     Aleks
> >
> >
> >
> > --
> > S.B.C.Suman
> > +91 9989894950.
> 
> 
> 
> -- 
> S.B.C.Suman
> +91 9989894950.




Re: SSL termination with HA proxy

2019-04-15 Thread bhanu chandra suman
root@ip-172-31-80-163:~# uname -a
Linux ip-172-31-80-163 4.15.0-1035-aws #37-Ubuntu SMP Mon Mar 18 16:15:14 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
root@ip-172-31-80-163:~# haproxy -v
HA-Proxy version 1.8.8-1ubuntu0.4 2019/01/24
Copyright 2000-2018 Willy Tarreau 



On Mon, Apr 15, 2019 at 8:58 PM Aleksandar Lazic  wrote:

> Hi.
>
> Please keep the mailing list in the loop.
>
> On 15.04.2019 at 17:27, bhanu chandra suman wrote:
> > image.png
>
> It's not easy to copy text from screenshots, so please copy the text into the
> mail.
>
> Please use 2 v.
>
> haproxy -vv
>
> Thanks.
>
> > On Mon, Apr 15, 2019 at 8:53 PM Aleksandar Lazic  > <mailto:al-hapr...@none.at>> wrote:
> >
> > Hi.
> >
> > On 15.04.2019 at 17:19, bhanu chandra suman wrote:
> > > Hi Team,
> > >
> > > I installed haproxy in ubuntu machine. and after that i edited the
> > haproxy.cfg file.
> >
> > Please can you tell us more about this.
> >
> > haproxy -vv
> > uname -a
> >
> > > bind *:18083
> > > mode http
> > > default_backend backendnodes
> > > backend backendnodes
> > > balance roundrobin
> > > option forwardfor
> > > server node1 x.x.x.x:18083 check
> > > server node2 x.x.x.x:18083 check
> > > listen stats
> > > bind :32700
> > > stats enable
> > > stats uri /
> > > stats hide-version
> > > stats auth user:password
> > > Its working fine.but i need SSL termination with HA proxy.
> > > could you please help me this issue.
> >
> > Please take a look into this blog post which describes how TLS/SSL
> Termination
> > works in haproxy.
> >
> >
> https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
> >
> > > --
> > > S.B.C.Suman
> >
> > Regards
> > Aleks
> >
> >
> >
> > --
> > S.B.C.Suman
> > +91 9989894950.
>
>

-- 
S.B.C.Suman
+91 9989894950.


Re: SSL termination with HA proxy

2019-04-15 Thread Aleksandar Lazic
Hi.

Please keep the mailing list in the loop.

On 15.04.2019 at 17:27, bhanu chandra suman wrote:
> image.png

It's not easy to copy text from screenshots, so please copy the text into the mail.

Please use 2 v.

haproxy -vv

Thanks.

> On Mon, Apr 15, 2019 at 8:53 PM Aleksandar Lazic  <mailto:al-hapr...@none.at>> wrote:
> 
> Hi.
> 
> On 15.04.2019 at 17:19, bhanu chandra suman wrote:
> > Hi Team,
> >
> > I installed haproxy in ubuntu machine. and after that i edited the
> haproxy.cfg file.
> 
> Please can you tell us more about this.
> 
> haproxy -vv
> uname -a
> 
> > bind *:18083
> > mode http
> > default_backend backendnodes
> > backend backendnodes
> > balance roundrobin
> > option forwardfor
> > server node1 x.x.x.x:18083 check
> > server node2 x.x.x.x:18083 check
> > listen stats
> > bind :32700
> > stats enable
> > stats uri /
> > stats hide-version
> > stats auth user:password
> > Its working fine.but i need SSL termination with HA proxy.
> > could you please help me this issue.
> 
> Please take a look into this blog post which describes how TLS/SSL 
> Termination
> works in haproxy.
> 
> 
> https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
> 
> > --
> > S.B.C.Suman
> 
> Regards
> Aleks
> 
> 
> 
> -- 
> S.B.C.Suman
> +91 9989894950.




Re: SSL termination with HA proxy

2019-04-15 Thread Aleksandar Lazic
Hi.

On 15.04.2019 at 17:19, bhanu chandra suman wrote:
> Hi Team,
> 
> I installed haproxy in ubuntu machine. and after that i edited the 
> haproxy.cfg file.

Please can you tell us more about this.

haproxy -vv
uname -a

> bind *:18083
> mode http
> default_backend backendnodes
> backend backendnodes
> balance roundrobin
> option forwardfor
> server node1 x.x.x.x:18083 check
> server node2 x.x.x.x:18083 check
> listen stats
> bind :32700
> stats enable
> stats uri /
> stats hide-version
> stats auth user:password
> Its working fine.but i need SSL termination with HA proxy.
> could you please help me this issue.

Please take a look into this blog post which describes how TLS/SSL Termination
works in haproxy.

https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/

> -- 
> S.B.C.Suman

Regards
Aleks



SSL termination with HA proxy

2019-04-15 Thread bhanu chandra suman
Hi Team,

I installed haproxy on an Ubuntu machine, and after that I edited the
haproxy.cfg file.
bind *:18083
mode http
default_backend backendnodes
backend backendnodes
balance roundrobin
option forwardfor
server node1 x.x.x.x:18083 check
server node2 x.x.x.x:18083 check
listen stats
bind :32700
stats enable
stats uri /
stats hide-version
stats auth user:password
It's working fine, but I need SSL termination with HA proxy.
Could you please help me with this issue?


-- 
S.B.C.Suman
+91 9989894950.


Re: HA Proxy Load Balancer

2018-12-21 Thread Aleksandar Lazic
Hi Lance.

Please keep the list in the loop, as there are several other people who can
also help, thank you.

On 21.12.2018 at 14:49, Lance Melancon wrote:
> I hope this helps in what you are requesting. So this config works great but I
> need to redirect the server to a sub site as in myserver.net/site. We are
> looking for the exact syntax to add to the haproxy.cfg. I’m including my
> programmer that may understand your feedback better than myself. We did try
> several things referring to the documentation with no luck. Thanks!

A docx with embedded images is neither a very secure nor a common format on this
list; because of this, let me copy the content of the docx here, comment on it
inline and answer below.

> Haproxy.cfg:
> global
>log /dev/log local0
>log /dev/log local1 notice
>chroot /var/lib/haproxy
>stats timeout 30s
>user haproxy
>group haproxy
>daemon
>maxconn 15000
> 
> defaults
>log global
>mode http
>option httplog
>option dontlognull
>timeout connect 5000
>timeout client 5
>timeout server 5
> 
> frontend myserver.net
>bind *:443
>mode tcp

Okay, here is the problem.

As haproxy is only used for TCP proxying here, not for HTTP, you will not be able
to do what you want.

https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4-mode

>maxconn 15000
>default_backend hac_cluster
> 
> backend hac_cluster
>mode tcp
>balance leastconn
>server myserver 192.1.1.1:443 check maxconn 5000
>server myserver 192.1.1.2:443 check maxconn 5000
> 
>listen statistics
>bind *:80

I would not recommend putting statistics on port 80, but that's only my opinion.

>mode http
>stats enable
>stats hide-version
>stats refresh 30s
>stats show-node
>stats auth myserver:password   
>stats admin if TRUE
>stats uri /lbstats
> 
> 
> haproxy -vv
>> ## excerpt from image
> Version 1.7.8
> No compression libs, openssl, pcre nor lua support

On which platform is this haproxy running?
Was haproxy installed from the package management or was it built from sources?

To be able to do what you want you will need to do the following steps.

* Install haproxy with openssl support

* get the certificates from the backend server and add them to haproxy

https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
  - Pay attention that you copy the certificates into the chroot dir
>chroot /var/lib/haproxy

* create a frontend acl for the path `acl my_site path_beg -i /site`

* create a use_backend line `use_backend my_site if my_site`

* create a backend with the name `my_site` with the server line like
  `server myserver myserver.net: ...`

As I mentioned before, it's not an easy task to dig into this topic; therefore I
strongly recommend giving yourself and your programmer some time to understand how
load balancing on level 6 (TLS/SSL) + 7 (HTTP) works.

Here are some links which could help to get a better picture of HAProxy and LB
in general.
http://www.haproxy.org/download/1.7/doc/intro.txt
https://www.haproxy.com/blog/the-four-essential-sections-of-an-haproxy-configuration/
https://www.haproxy.com/blog/introduction-to-haproxy-acls/

In any case, please post logs, configs or anything else directly in the mail body
so that the people who read this list via a console are able to follow it
without opening a Word document.

We are glad to help as long as we can read the mails ;-)

Very best regards
Aleks


> -Original Message-
> From: Aleksandar Lazic 
> Sent: Thursday, December 20, 2018 4:21 PM
> To: Lance Melancon 
> Cc: haproxy@formilux.org
> Subject: Re: HA Proxy Load Balancer
> 
>  
> 
> CAUTION: This email originated from outside Cypress-Fairbanks ISD. Do not 
> click
> links or open attachments unless you recognize the sender and know the content
> is safe.
> 
> Hi Lance.
> 
> On 20-12-2018 at 21:41, Lance Melancon wrote:
>> Thanks for the info. Unfortunately I am not a programmer by a long
>> shot and syntax is a big problem for me. I tried a few things but no
>> luck and I can't find any examples of a redirect.
>> So do I need both the backend and acl statements?
>> I'm simply trying to use mysite.net to direct to mysite.net/website.
>> Any time I use a / the config fails.
> 
> I'm not sure if you have read and understood my last mail?
> Do you have time to dig into this topic, as it isn't a quick shot, mostly AFAIK.
> 
> We need some more info to be able to help you.
> 
>> haproxy -vv
>> anonymized config
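
The steps listed in the reply above, assembled into one configuration as an added example (not Lance's file and not the project's own). It also shows the `bind ... ssl crt` TLS termination asked about in the "SSL termination with HA proxy" thread earlier on this page. It assumes an HAProxy build with OpenSSL support; certificate paths, the 192.0.2.x addresses, the stats port and credentials, and the server names are placeholders.

```haproxy
# Added example. All paths, addresses, ports and credentials are placeholders.

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    maxconn 15000
    # Refuse legacy protocol versions on every "bind ... ssl" line.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

defaults
    log global
    mode http                 # layer 7 is required for path-based ACLs
    option httplog
    option dontlognull
    timeout connect 5s
    timeout client  50s
    timeout server  50s

frontend myserver.net
    # TLS is terminated here, so HAProxy can read the request path.
    # The PEM file holds the certificate, its chain and the private key.
    bind *:443 ssl crt /path/to/certs/myserver.net.pem
    maxconn 15000

    # Route on the path: requests starting with /site go to their own backend.
    acl my_site path_beg -i /site
    use_backend my_site if my_site
    default_backend hac_cluster

backend my_site
    balance leastconn
    # The servers listen on 443, so the hop to them is encrypted again and
    # their certificate is checked against a CA file and an expected name.
    server myserver1 192.0.2.11:443 ssl verify required ca-file /path/to/certs/backend-ca.pem verifyhost myserver.net check maxconn 5000
    server myserver2 192.0.2.12:443 ssl verify required ca-file /path/to/certs/backend-ca.pem verifyhost myserver.net check maxconn 5000

backend hac_cluster
    balance leastconn
    server myserver1 192.0.2.11:443 ssl verify required ca-file /path/to/certs/backend-ca.pem verifyhost myserver.net check maxconn 5000
    server myserver2 192.0.2.12:443 ssl verify required ca-file /path/to/certs/backend-ca.pem verifyhost myserver.net check maxconn 5000

listen statistics
    # Statistics are kept off port 80 and bound to loopback only.
    bind 127.0.0.1:8404
    stats enable
    stats hide-version
    stats refresh 30s
    stats show-node
    stats uri /lbstats
    stats auth admin:CHANGE_ME
    stats admin if LOCALHOST
```

`haproxy -c -f <file>` checks the file for syntax errors without starting the proxy.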

Re: HA Proxy Load Balancer

2018-12-21 Thread Veiko Kukk

On 2018-12-20 20:41, Lance Melancon wrote:

> Thanks for the info. Unfortunately I am not a programmer by a long
> shot and syntax is a big problem for me. I tried a few things but no
> luck and I can't find any examples of a redirect.
> So do I need both the backend and acl statements?
> I'm simply trying to use mysite.net to direct to mysite.net/website.
> Any time I use a / the config fails.


Maybe this will help you 
http://www.catb.org/esr/faqs/smart-questions.html


Veiko



Re: HA Proxy Load Balancer

2018-12-20 Thread Aleksandar Lazic

Hi Lance.

On 20-12-2018 at 21:41, Lance Melancon wrote:

> Thanks for the info. Unfortunately I am not a programmer by a long
> shot and syntax is a big problem for me. I tried a few things but no
> luck and I can't find any examples of a redirect.
> So do I need both the backend and acl statements?
> I'm simply trying to use mysite.net to direct to mysite.net/website.
> Any time I use a / the config fails.


I'm not sure if you have read and understood my last mail?
Do you have time to dig into this topic, as it isn't a quick shot, mostly 
AFAIK.


We need some more info to be able to help you.


haproxy -vv
anonymized config


Regards
Aleks


-Original Message-
From: Aleksandar Lazic 
Sent: Thursday, December 20, 2018 2:00 PM
To: Lance Melancon 
Cc: haproxy@formilux.org
Subject: Re: HA Proxy Load Balancer




Hi Lance.

On 20-12-2018 at 18:20, Lance Melancon wrote:


We are testing the load balancer and it's working but I can't see how
to direct the server to a specific website such as server.net/site. Is
this possible? Syntax? Thanks!


Well yes. I think it is a good starting point to read and understand
this blog article.

https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.haproxy.com%2Fblog%2Fusing-haproxy-as-an-api-gateway-part-1%2Fdata=02%7C01%7CLance.melancon%40cfisd.net%7C6aa4b53295ce4715f0b308d666b5b424%7C12ac55e201c5446abe37be3ef2056122%7C0%7C1%7C636809327941066192sdata=TCDRAt2XnDHm8IpoeJVVHnDt7Vcf7SnRo%2B6iIgAZ5kg%3Dreserved=0

What you want to do is "HTTP Routing"

For example a short snippet
###

acl my_site path_beg -i /site

...
use_backend my_site if my_site

###

It would help a lot to have some more information from you, like:

haproxy -vv
anonymized config

As we don't know how much knowledge you have about HTTP, I want to
tell you that this statement "server.net/site" has 2 parts.

Host: server.net
Path: /site

This is explained in detail in the doc.
https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fcbonte.github.io%2Fhaproxy-dconv%2F1.9%2Fconfiguration.html%231data=02%7C01%7CLance.melancon%40cfisd.net%7C6aa4b53295ce4715f0b308d666b5b424%7C12ac55e201c5446abe37be3ef2056122%7C0%7C1%7C636809327941066192sdata=SzilrSGyMgnpUAgQs%2F0U6%2BzCPH7ToIjK1R1zxESfRP4%3Dreserved=0

Hth
Aleks


CYPRESS-FAIRBANKS ISD CONFIDENTIALITY NOTICE: This email, including
any attachments, is for the sole use of the intended recipient(s) and
may contain confidential student and/or employee information.
Unauthorized use and/or disclosure is prohibited under federal and
state law. If you are not the intended recipient, you may not use,
disclose, copy or disseminate this information. Please call the sender
immediately or reply by email and destroy all copies of the original
message, including any attachments. Unless expressly stated in this
e-mail, nothing in this message should be construed as a digital or
electronic signature.





RE: HA Proxy Load Balancer

2018-12-20 Thread Lance Melancon
Thanks for the info. Unfortunately I am not a programmer by a long shot and 
syntax is a big problem for me. I tried a few things but no luck and I can't 
find any examples of a redirect.
So do I need both the backend and acl statements?
I'm simply trying to use mysite.net to direct to mysite.net/website. Any time I 
use a / the config fails.


-Original Message-
From: Aleksandar Lazic 
Sent: Thursday, December 20, 2018 2:00 PM
To: Lance Melancon 
Cc: haproxy@formilux.org
Subject: Re: HA Proxy Load Balancer




Hi Lance.

On 20-12-2018 at 18:20, Lance Melancon wrote:

> We are testing the load balancer and it's working but I can't see how
> to direct the server to a specific website such as server.net/site. Is
> this possible? Syntax? Thanks!

Well yes. I think it is a good starting point to read and understand this blog 
article.

https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.haproxy.com%2Fblog%2Fusing-haproxy-as-an-api-gateway-part-1%2Fdata=02%7C01%7CLance.melancon%40cfisd.net%7C6aa4b53295ce4715f0b308d666b5b424%7C12ac55e201c5446abe37be3ef2056122%7C0%7C1%7C636809327941066192sdata=TCDRAt2XnDHm8IpoeJVVHnDt7Vcf7SnRo%2B6iIgAZ5kg%3Dreserved=0

What you want to do is "HTTP Routing"

For example a short snippet
###

acl my_site path_beg -i /site

...
use_backend my_site if my_site

###

It would help a lot to have some more information from you, like:

haproxy -vv
anonymized config

As we don't know how much knowledge you have about HTTP, I want to tell you 
that this statement "server.net/site" has 2 parts.

Host: server.net
Path: /site

This is explained in detail in the doc.
https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fcbonte.github.io%2Fhaproxy-dconv%2F1.9%2Fconfiguration.html%231data=02%7C01%7CLance.melancon%40cfisd.net%7C6aa4b53295ce4715f0b308d666b5b424%7C12ac55e201c5446abe37be3ef2056122%7C0%7C1%7C636809327941066192sdata=SzilrSGyMgnpUAgQs%2F0U6%2BzCPH7ToIjK1R1zxESfRP4%3Dreserved=0

Hth
Aleks



Re: HA Proxy Load Balancer

2018-12-20 Thread Aleksandar Lazic

Hi Lance.

On 20-12-2018 at 18:20, Lance Melancon wrote:

> We are testing the load balancer and it's working but I can't see how 
> to direct the server to a specific website such as server.net/site. Is 
> this possible? Syntax? Thanks!


Well yes. I think it is a good starting point to read and understand 
this blog article.


https://www.haproxy.com/blog/using-haproxy-as-an-api-gateway-part-1/

What you want to do is "HTTP Routing"

For example a short snippet
###

acl my_site path_beg -i /site

...
use_backend my_site if my_site

###

It would help a lot to have some more information from you, like:

haproxy -vv
anonymized config

As we don't know how much knowledge you have about HTTP, I want to 
tell you that this statement "server.net/site" has 2 parts.


Host: server.net
Path: /site

This is explained in detail in the doc.
http://cbonte.github.io/haproxy-dconv/1.9/configuration.html#1

Hth
Aleks





HA Proxy Load Balancer

2018-12-20 Thread Lance Melancon
We are testing the load balancer and it's working but I can't see how to direct 
the server to a specific website such as server.net/site. Is this possible? 
Syntax? Thanks!


Re: HA-Proxy configuration

2018-10-10 Thread Jonathan Matthews
On Wed, 10 Oct 2018 at 07:08, anjireddy.komire...@wipro.com <
anjireddy.komire...@wipro.com> wrote:

> Hi Team,
>
>
> I am looking for HA-Proxy configuration Help in over project, can i know
> some one who can give more information on configuration using 2 different 
> HA-Proxy
> servers for high availability.
>
>
> Feel free to contact me on - 9849916124
>

Hey there,


Welcome to the public mailing list for users of the open source haproxy
tool.


You'd probably do best by posting the configuration and HA setup as far as
you've managed to get it going, and asking questions about specific
problems you encounter along the way. You're more likely to get help via
email than via telephone!


Here is the starter guide for the current stable version:

http://cbonte.github.io/haproxy-dconv/1.8/intro.html. There are links along
the top of that page to the configuration and management manuals, which
will be of interest as you evolve your HA setup.


If, instead, you feel you would like to trade time for money, and want to
take advantage of a commercial support option, some are listed here:

http://www.haproxy.org/#supp


As a backstop, my UK company is already set up as a supplier inside Wipro's
procurement system. Do get in touch if the routes I've mentioned above
don't meet your needs :-)


All the best,

Jonathan

-- 

Jonathan Matthews

London, UK

http://www.jpluscplusm.com/contact.html





Re: HA-Proxy configuration

2018-10-10 Thread Aleksandar Lazic
Hi.

Have you seen this link list? There are some good examples of HA solutions.

http://www.haproxy.org/#link

In general, keepalived and haproxy are a good combination.

On which platform do you plan to run the HA setup?

Best regards
Aleks


 Original Message 
From: "anjireddy.komire...@wipro.com" 
Sent: 10 October 2018 08:05:24 CEST
To: "haproxy@formilux.org" 
CC: "santhosh.pa...@wipro.com" 
Subject: HA-Proxy configuration

Hi Team,


I am looking for HA-Proxy configuration Help in over project, can i know some 
one who can give more information on configuration using 2 different HA-Proxy 
servers for high availability.


Feel free to contact me on - 9849916124


Regards,

Anjireddy.

The information contained in this electronic message and any attachments to 
this message are intended for the exclusive use of the addressee(s) and may 
contain proprietary, confidential or privileged information. If you are not the 
intended recipient, you should not disseminate, distribute or copy this e-mail. 
Please notify the sender immediately and destroy all copies of this message and 
any attachments. WARNING: Computer viruses can be transmitted via email. The 
recipient should check this email and any attachments for the presence of 
viruses. The company accepts no liability for any damage caused by any virus 
transmitted by this email. www.wipro.com


HA-Proxy configuration

2018-10-10 Thread anjireddy.komire...@wipro.com
Hi Team,


I am looking for HA-Proxy configuration Help in over project, can i know some 
one who can give more information on configuration using 2 different HA-Proxy 
servers for high availability.


Feel free to contact me on - 9849916124


Regards,

Anjireddy.



Re: HA Proxy Source IP Issue

2018-09-17 Thread Dave Cottlehuber
On Mon, 17 Sep 2018, at 13:04, Damen Barker wrote:
> Hi There
>
> We are running 1.6, the issue we are facing is that my backend servers
> are seeing the incoming IP address of the HAProxy server and not the
> client IP address and our application needs to see this. Please see
> below our configuration and if you can offer any advice that would be
> greatly received.

Welcome Damen.

See 
https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4-option%20forwardfor

option forwardfor

and adjust your application accordingly. Sometimes x-real-ip is used, or 
sometimes the application can support the PROXY protocol; you'll need to check 
what's possible -- https://www.haproxy.com/blog/haproxy/proxy-protocol/ was 
invented IIRC by Willy for haproxy, but it's really widespread now in other 
applications, as a generic non-HTTP-specific way of providing the inbound IP 
address to proxied applications.

A+
Dave
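
The two approaches named in the reply above, side by side, as an added example (not the poster's configuration, which is not shown in the thread). Section names, ports and the 192.0.2.x addresses are placeholders, and the use of an `X-Real-IP` header alongside `X-Forwarded-For` is an assumption about what the application reads.

```haproxy
# Added example. Names, ports and addresses are placeholders.

defaults
    timeout connect 5s
    timeout client  50s
    timeout server  50s

# --- HTTP applications: pass the client address in a request header --------
frontend fe_http
    mode http
    bind *:80
    # "option forwardfor" appends its own X-Forwarded-For header and leaves
    # any header the client sent in place. Remove client-supplied copies so
    # the application cannot be handed a forged address.
    http-request del-header X-Forwarded-For
    http-request del-header X-Real-IP
    http-request set-header X-Real-IP %[src]
    default_backend be_app_http

backend be_app_http
    mode http
    # Has no effect in "mode tcp": the header only exists at layer 7.
    option forwardfor
    server app1 192.0.2.21:8080 check

# --- Non-HTTP applications: PROXY protocol ---------------------------------
frontend fe_tcp
    mode tcp
    bind *:5432
    default_backend be_app_tcp

backend be_app_tcp
    mode tcp
    # send-proxy prepends a PROXY protocol header carrying the client address
    # to each connection. The server must be configured to expect it, and
    # should accept it only from the HAProxy address, since any peer that can
    # reach the port could otherwise claim an arbitrary source address.
    server db1 192.0.2.31:5432 send-proxy check
```

On the application side, trust these headers only on connections that arrive from the proxy's address, and log the address the proxy supplied rather than the TCP peer.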



Re: lua script, 200% cpu usage with nbthread 3 - haproxy hangs - __spin_lock - HA-Proxy version 1.9-dev1-e3faf02 2018/08/25

2018-08-29 Thread Frederic Lecaille

On 08/28/2018 11:19 AM, Frederic Lecaille wrote:

On 08/27/2018 10:46 PM, PiBa-NL wrote:

Hi Frederic, Oliver,


Hi Pieter,


Thanks for your investigations :).
I've made a little reg-test (files attached). Its probably not 
'correct' to commit as-is, but should be enough to get a 
reproduction.. I hope..


changing it to nbthread 1 makes it work every time..(that i tried)


Your script is correct. Thank you a lot for this Pieter.


The test actually seems to show a variety of issues.
## Every once in a while it takes like 7 seconds to run a test.. 
During which cpu usage is high..


Sounds like the first issue you reported. You can use the -t varnishtest 
option to set a large timeout so that you might have enough time to kill 
varnishtest (Ctrl+C) to prevent it from killing haproxy. Then you can attach 
gdb to the haproxy process.



  c0    7.6 HTTP rx timeout (fd:5 7500 ms)

## But most of the time, it just doesn't finish with a correct result 
(ive seen haproxy do core dumps also while testing..). There is of 
course the option that i did something wrong in the lua as well...


Does the test itself work for you guys? (with nbthread 1)


I have not managed to make this script fail with "nbthread 1".

I have also seen coredumps with "nbthread 3" even with only one HTTP 
request from c0 client:



     client c0 -connect ${h1_fe1_sock} {
     txreq -url "/"
     rxresp
     expect resp.status == 200
     }

If you run varnishtest with -l option, it leaves the temporary vtc.* 
directory if the test failed.


If you set your environment to produce coredumps (ulimit -c unlimited) 
you should find coredump files in /tmp/vtc.*// 
directory (/tmp/vtc.*/h1/ in our case).


According to gdb we have an issue in src/ssl_sock.c. So I have CC'd this 
mail to Emeric:


Reading symbols from haproxy...done.
[New LWP 32432]
[New LWP 32431]
[New LWP 32428]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/home/flecaille/src/haproxy/haproxy -d -f 
/tmp/vtc.32410.6f80f987/h1/cfg'.

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x7f78f98bba56 in ASN1_get_object ()
    from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
[Current thread is 1 (Thread 0x7f78f8522700 (LWP 32432))]
(gdb) bt full
#0  0x7f78f98bba56 in ASN1_get_object ()
    from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
No symbol table info available.
#1  0x7f78f98c2ff8 in ?? () from 
/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1

No symbol table info available.
#2  0x7f78f98c41b5 in ?? () from 
/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1

No symbol table info available.
#3  0x7f78f98c4ead in ASN1_item_ex_d2i ()
    from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
No symbol table info available.
#4  0x7f78f98c4f2b in ASN1_item_d2i ()
    from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
No symbol table info available.
#5  0x7f78f9cdac98 in d2i_SSL_SESSION ()
    from /usr/lib/x86_64-linux-gnu/libssl.so.1.1
No symbol table info available.
#6  0x55e2078be006 in ssl_sock_init (conn=0x7f78e8012220) at 
src/ssl_sock.c:4985
     ptr = 0xf800 address 0xf800>

     sess = 
     may_retry = 
     conn = 0x7f78e8012220
#7  0x55e20797dfc1 in conn_xprt_init (conn=0x7f78e8012220)
     at include/proto/connection.h:84
     ret = 0
#8  tcp_connect_server (conn=0x7f78e8012220, data=0, delack=out>)

     at src/proto_tcp.c:545
     fd = 18
     srv = 
     be = 0x55e207c567e0 
     src = 
#9  0x55e207981aba in si_connect (si=0x7f78e8017680)
     at include/proto/stream_interface.h:366
     ret = 0
#10 connect_server (s=s@entry=0x7f78e80173b0) at src/backend.c:1223
     cli_conn = 0x0
     srv_conn = 0x7f78e8012220
     srv_cs = 
     old_cs = 
     reuse = 
     err = 
#11 0x55e207924295 in sess_update_stream_int (s=0x7f78e80173b0) at 
src/stream.c:885

     conn_err = 
     si = 0x7f78e8017680
     req = 0x7f78e80173c0
#12 process_stream (t=, context=0x7f78e80173b0, 
state=)

     at src/stream.c:2240
     s = 0x7f78e80173b0
     sess = 
     rqf_last = 
     rpf_last = 2147483648
     rq_prod_last = 
     rq_cons_last = 
     rp_cons_last = 
     rp_prod_last = 
     req_ana_back = 
     req = 0x7f78e80173c0
     res = 0x7f78e8017420
     si_f = 0x7f78e8017638
     si_b = 0x7f78e8017680
#13 0x55e2079ab1f8 in process_runnable_tasks () at src/task.c:381
     t = 
     state = 
     ctx = 
---Type  to continue, or q  to quit---
     process = 
     t = 
     max_processed = 
#14 0x55e207959c51 in run_poll_loop () at src/haproxy.c:2386
     next = 
     exp = 
#15 run_thread_poll_loop (data=) at src/haproxy.c:2451
     ptif = 
     ptdf = 
     start_lock = 0
#16 0x7f78f9f27494 in start_thread (arg=0x7f78f8522700) at 

Re: lua script, 200% cpu usage with nbthread 3 - haproxy hangs - __spin_lock - HA-Proxy version 1.9-dev1-e3faf02 2018/08/25

2018-08-28 Thread PiBa-NL

Hi Frederic,

On 28-8-2018 at 11:27, Frederic Lecaille wrote:

On 08/27/2018 10:46 PM, PiBa-NL wrote:

Hi Frederic, Oliver,

Thanks for your investigations :).
I've made a little reg-test (files attached). Its probably not 
'correct' to commit as-is, but should be enough to get a 
reproduction.. I hope..


changing it to nbthread 1 makes it work every time..(that i tried)

The test actually seems to show a variety of issues.
## Every once in a while it takes like 7 seconds to run a test.. 
During which cpu usage is high..


do you think we can reproduce this 200% CPU usage issue after having 
disabled ssl


With ssl 'disabled' i can run the test 500 times without a single failure..

As for the cpu usage issue it does not seem to reproduce 'easily' when 
running inside varnishtest.. But that might also be because it dumps its 
core most of the time..
Using the same config that varnishtest generated, and then changing the 
ports to :80 (for frontend) and 81 (for stats) then manually running 
haproxy -f /tmp/vtc.132.456/h1/cfg after a few curl requests curl hangs 
waiting for haproxy's response which is running 100% cpu..


Below 2 backtraces one of 100% cpu usage, and one of a core dump. Does 
that help? Do you need the actual core+binary?


Regards,
PiBa-NL (Pieter)

#
Using 100% cpu:

(gdb) info thread
  Id   Target Id Frame
* 1    LWP 101573 of process 28901 0x000801e11e3a in _kevent () from 
/lib/libc.so.7
  2    LWP 100816 of process 28901 0x000801e11e3a in _kevent () 
from /lib/libc.so.7
  3    LWP 101309 of process 28901 0x00080187a71d in ?? () from 
/usr/local/lib/liblua-5.3.so

(gdb) thread 3
[Switching to thread 3 (LWP 101309 of process 28901)]
#0  0x00080187a71d in ?? () from /usr/local/lib/liblua-5.3.so
(gdb) bt full
#0  0x00080187a71d in ?? () from /usr/local/lib/liblua-5.3.so
No symbol table info available.
#1  0x00080187acd7 in ?? () from /usr/local/lib/liblua-5.3.so
No symbol table info available.
#2  0x00080187b108 in ?? () from /usr/local/lib/liblua-5.3.so
No symbol table info available.
#3  0x000801873e30 in lua_gc () from /usr/local/lib/liblua-5.3.so
No symbol table info available.
#4  0x00438e45 in hlua_ctx_resume (lua=0x8024dbf80, 
yield_allowed=1) at src/hlua.c:1186

    ret = 0
    msg = 0x5a5306  "Hiu\360"
    trace = 0x7fffdfdfcc00 ""
#5  0x0044887a in hlua_applet_http_fct (ctx=0x8024d4a80) at 
src/hlua.c:6716

    si = 0x803081840
    strm = 0x803081500
    res = 0x803081570
    rule = 0x80242d6e0
    px = 0x8024c4400
    hlua = 0x8024dbf80
    blk1 = 0x7fffdfdfcca0 ""
    len1 = 34397581057
    blk2 = 0x803081578 ""
    len2 = 34410599800
---Type  to continue, or q  to quit---
    ret = 0
#6  0x005a78a7 in task_run_applet (t=0x80242db40, 
context=0x8024d4a80, state=16385) at src/applet.c:49

    app = 0x8024d4a80
    si = 0x803081840
#7  0x005a49a6 in process_runnable_tasks () at src/task.c:384
    t = 0x80242db40
    state = 16385
    ctx = 0x8024d4a80
    process = 0x5a77f0 
    t = 0x80242db40
    max_processed = 200
#8  0x0051a6b2 in run_poll_loop () at src/haproxy.c:2386
    next = -2118609833
    exp = -2118610700
#9  0x00517672 in run_thread_poll_loop (data=0x8024843c8) at 
src/haproxy.c:2451
    start_lock = {lock = 0, info = {owner = 0, waiters = 0, 
last_location = {function = 0x0, file = 0x0, line = 0}}}

    ptif = 0x8c1980 
    ptdf = 0x800f177cc
#10 0x000800f12bc5 in ?? () from /lib/libthr.so.3
No symbol table info available.
#11 0x in ?? ()
No symbol table info available.
Backtrace stopped: Cannot access memory at address 0x7fffdfdfd000


##
Core dump:

gdb --core haproxy.core /usr/local/sbin/haproxy
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain 
conditions.

Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...
Core was generated by `haproxy -f /tmp/vtc.28884.6c5c88f3/h1/cfg'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libcrypt.so.5...done.
Loaded symbols for /lib/libcrypt.so.5
Reading symbols from /lib/libz.so.6...done.
Loaded symbols for /lib/libz.so.6
Reading symbols from /lib/libthr.so.3...done.
Loaded symbols for /lib/libthr.so.3
Reading symbols from /usr/lib/libssl.so.8...done.
Loaded symbols for /usr/lib/libssl.so.8
Reading symbols from /lib/libcrypto.so.8...done.
Loaded symbols for /lib/libcrypto.so.8
Reading symbols from /usr/local/lib/liblua-5.3.so...done.
Loaded symbols for /usr/local/lib/liblua-5.3.so
Reading symbols from /lib/libm.so.5...done.
Loaded symbols for /lib/libm.so.5
Reading symbols from 

Re: lua script, 200% cpu usage with nbthread 3 - haproxy hangs - __spin_lock - HA-Proxy version 1.9-dev1-e3faf02 2018/08/25

2018-08-28 Thread Willy Tarreau
On Tue, Aug 28, 2018 at 02:47:28PM +0200, Olivier Houchard wrote:
> Ok you're right, I have a patch for that problem, which should definitively
> be different from Pieter's problem :)
> Willy, I think it's safe to be applied, and should probably be backported
> (albeit it should be adapted, given the API differences with buffers/channels)
> to 1.8 and 1.7, I've been able to reproduce the problem on both.

Looks good, now applied, thanks!

Willy



Re: lua script, 200% cpu usage with nbthread 3 - haproxy hangs - __spin_lock - HA-Proxy version 1.9-dev1-e3faf02 2018/08/25

2018-08-28 Thread Olivier Houchard
Hi,

On Mon, Aug 27, 2018 at 03:26:50PM +0200, Frederic Lecaille wrote:
[...]
> 
> According to Pieter traces, haproxy has registered HTTP service mode lua
> applets in HTTP mode. Your patch fixes a TCP service mode issue.
> reg-test/lua/b1.vtc script runs both HTTP and TCP lua applets. But it
> is the TCP mode one which sometimes makes this script fail.
> 
> > > > It seems one thread is stuck in lua_gc() while holding the global LUA 
> > > > lock,
> > > > but I don't know enough about LUA to guess what is going on.
> > > 
> > > What I suspect is that the HTTP and TCP applet functions
> > > hlua_applet_(http|tcp)_fct() are called several times even when the applet
> > > is done, or when the streams are disconnected or closed:
> > > 
> > >   /* If the stream is disconnect or closed, ldo nothing. */
> > >  if (unlikely(si->state == SI_ST_DIS || si->state == SI_ST_CLO))
> > >  return;
> > > 
> > > this leads to call hlua_ctx_resume() several times from the same thread I
> > > guess.
> > > 
> > 
> > But if hlua_applet_(http|tcp)_fct() just returns, who calls
> > hlua_ctx_resume() ? :)
> 
> hlua_applet_(http|tcp)_fct() functions. If you run the script previously
> mentioned, when it fails this is because hlua_applet_*tcp*_fct() is
> infinitely called.
> 
> 

Ok you're right, I have a patch for that problem, which should definitively
be different from Pieter's problem :)
Willy, I think it's safe to be applied, and should probably be backported
(albeit it should be adapted, given the API differences with buffers/channels)
to 1.8 and 1.7, I've been able to reproduce the problem on both.

Regards,

Olivier
>From bf62441f9d0b305e16a74dbe3341ee7933c04761 Mon Sep 17 00:00:00 2001
From: Olivier Houchard 
Date: Tue, 28 Aug 2018 14:41:31 +0200
Subject: [PATCH] BUG/MEDIUM: hlua: Make sure we drain the output buffer when
 done.

In hlua_applet_tcp_fct(), drain the output buffer when the applet is done
running, every time we're called.
Otherwise, there's a race condition, and the output buffer could be filled
after the applet ran, and as it is never cleared, the stream interface
will never be destroyed.

This should be backported to 1.8 and 1.7.
---
 src/hlua.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/hlua.c b/src/hlua.c
index edb4f68c..7bbc854d 100644
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -6446,8 +6446,11 @@ static void hlua_applet_tcp_fct(struct appctx *ctx)
struct hlua *hlua = ctx->ctx.hlua_apptcp.hlua;
 
/* The applet execution is already done. */
-   if (ctx->ctx.hlua_apptcp.flags & APPLET_DONE)
+   if (ctx->ctx.hlua_apptcp.flags & APPLET_DONE) {
+   /* eat the whole request */
+   co_skip(si_oc(si), co_data(si_oc(si)));
return;
+   }
 
/* If the stream is disconnect or closed, ldo nothing. */
if (unlikely(si->state == SI_ST_DIS || si->state == SI_ST_CLO))
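
Review bot: the new co_skip() in the APPLET_DONE branch runs before the SI_ST_DIS/SI_ST_CLO test that follows it, so the output channel is now touched on every call, including when the stream interface is already disconnected or closed. Please confirm that draining si_oc(si) is safe in those states, or move the state test above the done check. The thread also names hlua_applet_http_fct() as being called again after completion; the commit message should say whether its done path needs the same drain or why only the TCP applet is affected. The inline comment says "eat the whole request" while the commit message says "output buffer"; using one term in both places would avoid confusion.
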
-- 
2.14.3
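
The failure mode described in the commit message above, reduced to a self-contained model. This is an added example, not HAProxy code and not part of Olivier's patch: the `toy_*` names, the rule that the scheduler keeps waking the applet while unconsumed bytes are pending, and the watchdog limit are assumptions made for the illustration; only the early return on the done flag and the drain inside it mirror the hunk.

```c
#include <stddef.h>
#include <stdio.h>

#define TOY_APPLET_DONE 0x01  /* plays the role of APPLET_DONE in the patch */
#define TOY_MAX_WAKEUPS 1000  /* watchdog so the pre-patch variant terminates here */

struct toy_channel {
    size_t pending;           /* bytes queued for the applet, not yet consumed */
};

struct toy_applet {
    unsigned flags;
    struct toy_channel *oc;   /* channel the applet is expected to consume */
    int drain_when_done;      /* 0 = behaviour before the patch, 1 = after */
    unsigned long calls;      /* how many times the handler was entered */
};

/* Analogue of co_data(): number of bytes waiting in the channel. */
static size_t toy_data(const struct toy_channel *c)
{
    return c->pending;
}

/* Analogue of co_skip(): discard n bytes, never more than what is queued. */
static void toy_skip(struct toy_channel *c, size_t n)
{
    c->pending -= (n > c->pending) ? c->pending : n;
}

/* Applet handler: once done, it returns at once, with or without draining. */
static void toy_applet_fct(struct toy_applet *a)
{
    a->calls++;
    if (a->flags & TOY_APPLET_DONE) {
        if (a->drain_when_done)
            toy_skip(a->oc, toy_data(a->oc)); /* the fix: eat late bytes */
        return;
    }
    /* Normal run: consume the request, then mark the applet as done. */
    toy_skip(a->oc, toy_data(a->oc));
    a->flags |= TOY_APPLET_DONE;
}

/* Scheduler model (assumption): wake the applet while data is pending.
 * Returns 1 when the channel is empty and the stream could be released,
 * 0 when the watchdog trips because the applet never consumes the data. */
static int toy_run(struct toy_applet *a, size_t first, size_t late)
{
    unsigned long budget = TOY_MAX_WAKEUPS;

    a->oc->pending = first;
    toy_applet_fct(a);        /* the applet runs to completion */
    a->oc->pending += late;   /* the race: bytes arrive after completion */

    while (toy_data(a->oc) > 0) {
        if (budget-- == 0)
            return 0;         /* stuck: same wake-up repeated forever */
        toy_applet_fct(a);
    }
    return 1;
}

/* Runs one scenario; reports the number of handler calls via calls_out. */
int simulate(int drain_when_done, size_t late_bytes, unsigned long *calls_out)
{
    struct toy_channel ch = { 0 };
    struct toy_applet a = { 0, &ch, drain_when_done, 0 };
    int released = toy_run(&a, 64, late_bytes);

    if (calls_out)
        *calls_out = a.calls;
    return released;
}

int main(void)
{
    unsigned long calls;
    int released;

    released = simulate(0, 16, &calls);
    printf("before patch: released=%d handler calls=%lu\n", released, calls);
    released = simulate(1, 16, &calls);
    printf("after patch:  released=%d handler calls=%lu\n", released, calls);
    return 0;
}
```

Without the drain the handler is entered until the watchdog stops it, which corresponds to the endlessly repeated hlua_applet_tcp_fct() calls reported in the thread; with the drain one extra call empties the channel.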



Re: lua script, 200% cpu usage with nbthread 3 - haproxy hangs - __spin_lock - HA-Proxy version 1.9-dev1-e3faf02 2018/08/25

2018-08-28 Thread Frederic Lecaille

On 08/27/2018 10:46 PM, PiBa-NL wrote:

Hi Frederic, Oliver,

Thanks for your investigations :).
I've made a little reg-test (files attached). It's probably not 'correct' 
to commit as-is, but should be enough to get a reproduction.. I hope..


changing it to nbthread 1 makes it work every time..(that I tried)

The test actually seems to show a variety of issues.
## Every once in a while it takes like 7 seconds to run a test.. During 
which cpu usage is high..


do you think we can reproduce this 200% CPU usage issue after having 
disabled ssl like that:


diff --git a/reg-tests/lua/b2.lua b/reg-tests/lua/b2.lua
index 1053430f..c623d229 100644
--- a/reg-tests/lua/b2.lua
+++ b/reg-tests/lua/b2.lua
@@ -164,7 +164,7 @@ end

 core.register_service("fakeserv", "http", function(applet)
core.Info("APPLET START")
-   local mc = Luacurl("127.0.0.1",8443, true)
+   local mc = Luacurl("127.0.0.1",8443, false)
local headers = {}
local body = ""
core.Info("APPLET GET")
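
Review bot: the third argument of Luacurl(...) in the "fakeserv" service is now a hard-coded false, which only works together with the bind change in b2.vtc; applied on its own, the Lua client would speak clear text to a TLS listener on 8443. If this is meant for more than a one-off diagnostic run, keep the clear-text pair as a separate test variant so the Lua flag and the bind line cannot drift apart.
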
diff --git a/reg-tests/lua/b2.vtc b/reg-tests/lua/b2.vtc
index 1d634d56..11d4d5ae 100644
--- a/reg-tests/lua/b2.vtc
+++ b/reg-tests/lua/b2.vtc
@@ -2,6 +2,11 @@ varnishtest "Lua: txn:get_priv() scope"
 feature ignore_unknown_macro

 haproxy h1 -conf {
+   defaults
+   timeout connect 1s
+   timeout client 1s
+   timeout server 1s
+
 global
 nbthread 3
 lua-load ${testdir}/b2.lua
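
Review bot: the new defaults section sets connect, client and server timeouts to 1s, which is well below the 7500 ms rx timeout reported for client c0 in this thread, so a stream that would otherwise stay stuck may now be closed by haproxy first and change what the test reproduces. Consider larger values for the diagnostic run, or note in the test why 1s is enough.
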
@@ -14,7 +19,7 @@ haproxy h1 -conf {

 frontend fe2
 mode http
-bind ":8443" ssl crt ${testdir}/common.pem
+bind ":8443" #ssl crt ${testdir}/common.pem
 stats enable
 stats uri /
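
Review bot: on the fe2 bind line the ssl crt settings are commented out rather than removed, which leaves dead text in the config and a clear-text listener on port 8443. For anything that gets committed, drop the commented part, or keep the ssl form in its own test so the connect_ssl path from the original report stays covered.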



Re: lua script, 200% cpu usage with nbthread 3 - haproxy hangs - __spin_lock - HA-Proxy version 1.9-dev1-e3faf02 2018/08/25

2018-08-28 Thread Frederic Lecaille

On 08/27/2018 10:46 PM, PiBa-NL wrote:

Hi Frederic, Oliver,


Hi Pieter,


Thanks for your investigations :).
I've made a little reg-test (files attached). It's probably not 'correct' 
to commit as-is, but should be enough to get a reproduction.. I hope..


changing it to nbthread 1 makes it work every time..(that I tried)


Your script is correct. Thank you a lot for this Pieter.


The test actually seems to show a variety of issues.
## Every once in a while it takes like 7 seconds to run a test.. During 
which cpu usage is high..


Sounds like the first issue you reported. You can use the -t varnishtest 
option to set a large timeout so that you might have enough time to kill 
varnishtest (Ctrl+C) to prevent it from killing haproxy. Then you can attach 
gdb to the haproxy process.



      c0    7.6 HTTP rx timeout (fd:5 7500 ms)

## But most of the time, it just doesn't finish with a correct result 
(I've seen haproxy do core dumps also while testing..). There is of 
course the option that I did something wrong in the lua as well...


Does the test itself work for you guys? (with nbthread 1)


I have not managed to make this script fail with "nbthread 1".

I have also seen coredumps with "nbthread 3" even with only one HTTP 
request from c0 client:



client c0 -connect ${h1_fe1_sock} {
txreq -url "/"
rxresp
expect resp.status == 200
}

If you run varnishtest with -l option, it leaves the temporary vtc.* 
directory if the test failed.


If you set your environment to produce coredumps (ulimit -c unlimited) 
you should find coredump files in /tmp/vtc.*// 
directory (/tmp/vtc.*/h1/ in our case).


According to gdb we have an issue in src/ssl_sock.c. So I have CC'd this 
mail to Emeric:


Reading symbols from haproxy...done.
[New LWP 32432]
[New LWP 32431]
[New LWP 32428]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/home/flecaille/src/haproxy/haproxy -d -f 
/tmp/vtc.32410.6f80f987/h1/cfg'.

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x7f78f98bba56 in ASN1_get_object ()
   from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
[Current thread is 1 (Thread 0x7f78f8522700 (LWP 32432))]
(gdb) bt full
#0  0x7f78f98bba56 in ASN1_get_object ()
   from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
No symbol table info available.
#1  0x7f78f98c2ff8 in ?? () from 
/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1

No symbol table info available.
#2  0x7f78f98c41b5 in ?? () from 
/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1

No symbol table info available.
#3  0x7f78f98c4ead in ASN1_item_ex_d2i ()
   from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
No symbol table info available.
#4  0x7f78f98c4f2b in ASN1_item_d2i ()
   from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
No symbol table info available.
#5  0x7f78f9cdac98 in d2i_SSL_SESSION ()
   from /usr/lib/x86_64-linux-gnu/libssl.so.1.1
No symbol table info available.
#6  0x55e2078be006 in ssl_sock_init (conn=0x7f78e8012220) at 
src/ssl_sock.c:4985
ptr = 0xf800 address 0xf800>

sess = 
may_retry = 
conn = 0x7f78e8012220
#7  0x55e20797dfc1 in conn_xprt_init (conn=0x7f78e8012220)
at include/proto/connection.h:84
ret = 0
#8  tcp_connect_server (conn=0x7f78e8012220, data=0, delack=)
at src/proto_tcp.c:545
fd = 18
srv = 
be = 0x55e207c567e0 
src = 
#9  0x55e207981aba in si_connect (si=0x7f78e8017680)
at include/proto/stream_interface.h:366
ret = 0
#10 connect_server (s=s@entry=0x7f78e80173b0) at src/backend.c:1223
cli_conn = 0x0
srv_conn = 0x7f78e8012220
srv_cs = 
old_cs = 
reuse = 
err = 
#11 0x55e207924295 in sess_update_stream_int (s=0x7f78e80173b0) at 
src/stream.c:885

conn_err = 
si = 0x7f78e8017680
req = 0x7f78e80173c0
#12 process_stream (t=, context=0x7f78e80173b0, 
state=)

at src/stream.c:2240
s = 0x7f78e80173b0
sess = 
rqf_last = 
rpf_last = 2147483648
rq_prod_last = 
rq_cons_last = 
rp_cons_last = 
rp_prod_last = 
req_ana_back = 
req = 0x7f78e80173c0
res = 0x7f78e8017420
si_f = 0x7f78e8017638
si_b = 0x7f78e8017680
#13 0x55e2079ab1f8 in process_runnable_tasks () at src/task.c:381
t = 
state = 
ctx = 
---Type  to continue, or q  to quit---
process = 
t = 
max_processed = 
#14 0x55e207959c51 in run_poll_loop () at src/haproxy.c:2386
next = 
exp = 
#15 run_thread_poll_loop (data=) at src/haproxy.c:2451
ptif = 
ptdf = 
start_lock = 0
#16 0x7f78f9f27494 in start_thread (arg=0x7f78f8522700) at 
pthread_create.c:333

__res = 
pd = 0x7f78f8522700
now = 
unwind_buf = {cancel_jmp_buf 

Re: lua script, 200% cpu usage with nbthread 3 - haproxy hangs - __spin_lock - HA-Proxy version 1.9-dev1-e3faf02 2018/08/25

2018-08-27 Thread PiBa-NL

Hi Frederic, Oliver,

Thanks for your investigations :).
I've made a little reg-test (files attached). It's probably not 'correct' 
to commit as-is, but should be enough to get a reproduction.. I hope..


changing it to nbthread 1 makes it work every time..(that I tried)

The test actually seems to show a variety of issues.
## Every once in a while it takes like 7 seconds to run a test.. During 
which cpu usage is high..


     c0    7.6 HTTP rx timeout (fd:5 7500 ms)

## But most of the time, it just doesn't finish with a correct result 
(I've seen haproxy do core dumps also while testing..). There is of 
course the option that I did something wrong in the lua as well...


Does the test itself work for you guys? (with nbthread 1)

Did I do something crazy in the lua code? I do have several loops.. 
but I don't think that's where it 'hangs'?..


Regards,

PiBa-NL (Pieter)

Luacurl = {}
Luacurl.__index = Luacurl
setmetatable(Luacurl, {
    __call = function (cls, ...)
        return cls.new(...)
    end,
})
function Luacurl.new(server, port, ssl)
    local self = setmetatable({}, Luacurl)
    self.sockconnected = false
    self.server = server
    self.port = port
    self.ssl = ssl
    self.cookies = {}
    return self
end

function Luacurl:get(method,url,headers,data)
    core.Info("MAKING SOCKET")
    if self.sockconnected == false then
        self.sock = core.tcp()
        if self.ssl then
            local r = self.sock:connect_ssl(self.server,self.port)
        else
            local r = self.sock:connect(self.server,self.port)
        end
        self.sockconnected = true
    end
    core.Info("SOCKET MADE")
    local request = method.." "..url.." HTTP/1.1"
    if data ~= nil then
        request = request .. "\r\nContent-Length: "..string.len(data)
    end
    if headers ~= nil then
        for h,v in pairs(headers) do
            request = request .. "\r\n"..h..": "..v
        end
    end
    cookstring = ""
    for cook,cookval in pairs(self.cookies) do
        cookstring = cookstring .. cook.."="..cookval.."; "
    end
    if string.len(cookstring) > 0 then
        request = request .. "\r\nCookie: "..cookstring
    end

    request = request .. "\r\n\r\n"
    if data and string.len(data) > 0 then
        request = request .. data
    end
    --print(request)
    core.Info("SENDING REQUEST")
    self.sock:send(request)

    --  core.Info("PROCESSING RESPONSE")
    return processhttpresponse(self.sock)
end

function processhttpresponse(socket)
    local res = {}
    core.Info("1")
    res.status = socket:receive("*l")
    core.Info("2")

    if res.status == nil then
        core.Info(" processhttpresponse RECEIVING status: NIL")
        return res
    end
    core.Info(" processhttpresponse RECEIVING status:"..res.status)
    res.headers = {}
    res.headerslist = {}
    repeat
        core.Info("3")
        local header = socket:receive("*l")
        if header == nil then
            return "error"
        end
        local valuestart = header:find(":")
        if valuestart ~= nil then
            local head = header:sub(1,valuestart-1)
            local value = header:sub(valuestart+2)
            table.insert(res.headerslist, {head,value})
            res.headers[head] = value
        end
    until header == ""
    local bodydone = false
    if res.headers["Connection"] ~= nil and res.headers["Connection"] == "close" then
        --  core.Info("luacurl processresponse with connection:close")
        res.body = ""
        repeat
            core.Info("4")
            local d = socket:receive("*a")
            if d ~= nil then
                res.body = res.body .. d
            end
        until d == nil or d == 0
        bodydone = true
    end
    if bodydone == false and res.headers["Content-Length"] ~= nil then
        res.contentlength = tonumber(res.headers["Content-Length"])
        if res.contentlength == nil then
            core.Warning("res.contentlength ~NIL = "..res.headers["Content-Length"])
        end
        --  core.Info("luacur, contentlength="..res.contentlength)
        res.body = ""
        repeat
            local d = socket:receive(res.contentlength)
            if d == nil then
                --  core.Info("luacurl, ERROR?: recieved NIL, expecting "..res.contentlength.." bytes only got "..string.len(res.body).." sofar")
                return
            else
                res.body = res.body..d
--

Re: lua script, 200% cpu usage with nbthread 3 - haproxy hangs - __spin_lock - HA-Proxy version 1.9-dev1-e3faf02 2018/08/25

2018-08-27 Thread Frederic Lecaille

On 08/27/2018 03:09 PM, Olivier Houchard wrote:

On Mon, Aug 27, 2018 at 02:29:42PM +0200, Frederic Lecaille wrote:

On 08/27/2018 01:33 PM, Olivier Houchard wrote:

Hi Pieter,

On Sat, Aug 25, 2018 at 10:00:04PM +0200, PiBa-NL wrote:

Hi List, Thierry, Olivier,

Using a lua-socket with connect_ssl and haproxy running with nbthread 3..
results in haproxy hanging with 3 threads for me.

This while using both 1.9-7/30 version (with the 2 extra patches from
Olivier avoiding 100% on a single thread.) and also a build of today's
snapshot: HA-Proxy version 1.9-dev1-e3faf02 2018/08/25

Below info is at the bottom of the mail:
- haproxy -vv
- gdb backtraces

This one is easy to reproduce after just a few calls to the lua function
with the lua code I'm writing on a test-box.. So if a 'simple' config that
makes a reproduction is desired I can likely come up with one.
Same lua code with nbthread 1 seems to work properly.

Is below info (the stack traces) enough to come up with a fix? If not lemme
know and I'll try and make a small reproduction of it.


root@freebsd11:~ # haproxy -vv
HA-Proxy version 1.9-dev1-e3faf02 2018/08/25
Copyright 2000-2018 Willy Tarreau 

Build options :
    TARGET  = freebsd
    CPU = generic
    CC  = cc
    CFLAGS  = -DDEBUG_THREAD -DDEBUG_MEMORY -pipe -g -fstack-protector
-fno-strict-aliasing -fno-strict-aliasing -Wdeclaration-after-statement
-fwrapv -fno-strict-overflow -Wno-address-of-packed-member
-Wno-null-dereference -Wno-unused-label -DFREEBSD_PORTS -DFREEBSD_PORTS
    OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_CPU_AFFINITY=1 USE_ACCEPT4=1
USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_STATIC_PCRE=1 USE_PCRE_JIT=1

Default settings :
    maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with network namespace support.
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"),
raw-deflate("deflate"), gzip("gzip")
Built with PCRE version : 8.40 2017-01-11
Running on PCRE version : 8.40 2017-01-11
PCRE library supports JIT : yes
Built with multi-threading support.
Encrypted password support via crypt(3): yes
Built with transparent proxy support using: IP_BINDANY IPV6_BINDANY
Built with Lua version : Lua 5.3.4
Built with OpenSSL version : OpenSSL 1.0.2k-freebsd  26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-freebsd  26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2

Available polling systems :
   kqueue : pref=300,  test result OK
     poll : pref=200,  test result OK
   select : pref=150,  test result OK
Total: 3 (3 usable), will use kqueue.

Available multiplexer protocols :
(protocols markes as  cannot be specified using 'proto' keyword)
      : mode=TCP|HTTP   side=FE|BE
    h2 : mode=HTTP   side=FE

Available filters :
      [TRACE] trace
      [COMP] compression
      [SPOE] spoe

root@freebsd11:~ # /usr/local/bin/gdb81 --pid 39649
GNU gdb (GDB) 8.1 [GDB v8.1 for FreeBSD]
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-portbld-freebsd11.1".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
Attaching to process 39649
Reading symbols from /usr/local/sbin/haproxy...done.
[New LWP 101651 of process 39649]
[New LWP 101652 of process 39649]
Reading symbols from /lib/libcrypt.so.5...(no debugging symbols
found)...done.
Reading symbols from /lib/libz.so.6...(no debugging symbols found)...done.
Reading symbols from /lib/libthr.so.3...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libssl.so.8...(no debugging symbols
found)...done.
Reading symbols from /lib/libcrypto.so.8...(no debugging symbols
found)...done.
Reading symbols from /usr/local/lib/liblua-5.3.so...(no debugging symbols
found)...done.
Reading symbols from /lib/libm.so.5...(no debugging symbols found)...done.
Reading symbols from /lib/libc.so.7...(no debugging symbols found)...done.
Reading symbols from /libexec/ld-elf.so.1...(no debugging symbols
found)...done.
[Switching to LWP 101650 of process 39649]
0x000801e11e3a in _kevent () from /lib/libc.so.7
(gdb) info thread
    Id   Target Id Frame
* 1    LWP 101650 of process 39649 0x000801

Re: lua script, 200% cpu usage with nbthread 3 - haproxy hangs - __spin_lock - HA-Proxy version 1.9-dev1-e3faf02 2018/08/25

2018-08-27 Thread Olivier Houchard
On Mon, Aug 27, 2018 at 02:29:42PM +0200, Frederic Lecaille wrote:
> On 08/27/2018 01:33 PM, Olivier Houchard wrote:
> > Hi Pieter,
> > 
> > On Sat, Aug 25, 2018 at 10:00:04PM +0200, PiBa-NL wrote:
> > > Hi List, Thierry, Olivier,
> > > 
> > > Using a lua-socket with connect_ssl and haproxy running with nbthread 3..
> > > results in haproxy hanging with 3 threads for me.
> > > 
> > > This while using both 1.9-7/30 version (with the 2 extra patches from
> > > Olivier avoiding 100% on a single thread.) and also a build of today's
> > > snapshot: HA-Proxy version 1.9-dev1-e3faf02 2018/08/25
> > > 
> > > Below info is at the bottom of the mail:
> > > - haproxy -vv
> > > - gdb backtraces
> > > 
> > > This one is easy to reproduce after just a few calls to the lua function
> > > with the lua code I'm writing on a test-box.. So if a 'simple' config that
> > > makes a reproduction is desired I can likely come up with one.
> > > Same lua code with nbthread 1 seems to work properly.
> > > 
> > > Is below info (the stack traces) enough to come up with a fix? If not lemme
> > > know and I'll try and make a small reproduction of it.
> > > 
> > > 
> > > root@freebsd11:~ # haproxy -vv
> > > HA-Proxy version 1.9-dev1-e3faf02 2018/08/25
> > > Copyright 2000-2018 Willy Tarreau 
> > > 
> > > Build options :
> > >    TARGET  = freebsd
> > >    CPU = generic
> > >    CC  = cc
> > >    CFLAGS  = -DDEBUG_THREAD -DDEBUG_MEMORY -pipe -g -fstack-protector
> > > -fno-strict-aliasing -fno-strict-aliasing -Wdeclaration-after-statement
> > > -fwrapv -fno-strict-overflow -Wno-address-of-packed-member
> > > -Wno-null-dereference -Wno-unused-label -DFREEBSD_PORTS -DFREEBSD_PORTS
> > >    OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_CPU_AFFINITY=1 USE_ACCEPT4=1
> > > USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_STATIC_PCRE=1 USE_PCRE_JIT=1
> > > 
> > > Default settings :
> > >    maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
> > > 
> > > Built with network namespace support.
> > > Built with zlib version : 1.2.11
> > > Running on zlib version : 1.2.11
> > > Compression algorithms supported : identity("identity"), 
> > > deflate("deflate"),
> > > raw-deflate("deflate"), gzip("gzip")
> > > Built with PCRE version : 8.40 2017-01-11
> > > Running on PCRE version : 8.40 2017-01-11
> > > PCRE library supports JIT : yes
> > > Built with multi-threading support.
> > > Encrypted password support via crypt(3): yes
> > > Built with transparent proxy support using: IP_BINDANY IPV6_BINDANY
> > > Built with Lua version : Lua 5.3.4
> > > Built with OpenSSL version : OpenSSL 1.0.2k-freebsd  26 Jan 2017
> > > Running on OpenSSL version : OpenSSL 1.0.2k-freebsd  26 Jan 2017
> > > OpenSSL library supports TLS extensions : yes
> > > OpenSSL library supports SNI : yes
> > > OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
> > > 
> > > Available polling systems :
> > >   kqueue : pref=300,  test result OK
> > >     poll : pref=200,  test result OK
> > >   select : pref=150,  test result OK
> > > Total: 3 (3 usable), will use kqueue.
> > > 
> > > Available multiplexer protocols :
> > > (protocols markes as  cannot be specified using 'proto' keyword)
> > >      : mode=TCP|HTTP   side=FE|BE
> > >    h2 : mode=HTTP   side=FE
> > > 
> > > Available filters :
> > >      [TRACE] trace
> > >      [COMP] compression
> > >      [SPOE] spoe
> > > 
> > > root@freebsd11:~ # /usr/local/bin/gdb81 --pid 39649
> > > GNU gdb (GDB) 8.1 [GDB v8.1 for FreeBSD]
> > > Copyright (C) 2018 Free Software Foundation, Inc.
> > > License GPLv3+: GNU GPL version 3 or later
> > > <http://gnu.org/licenses/gpl.html>
> > > This is free software: you are free to change and redistribute it.
> > > There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> > > and "show warranty" for details.
> > > This GDB was configured as "x86_64-portbld-freebsd11.1".
> > > Type "show configuration" for configuration details.
> > > For bug reporting instructions, please see:
> > > <http://www.gnu.org/software/gdb/bugs

Re: lua script, 200% cpu usage with nbthread 3 - haproxy hangs - __spin_lock - HA-Proxy version 1.9-dev1-e3faf02 2018/08/25

2018-08-27 Thread Frederic Lecaille

On 08/27/2018 01:33 PM, Olivier Houchard wrote:

Hi Pieter,

On Sat, Aug 25, 2018 at 10:00:04PM +0200, PiBa-NL wrote:

Hi List, Thierry, Olivier,

Using a lua-socket with connect_ssl and haproxy running with nbthread 3..
results in haproxy hanging with 3 threads for me.

This while using both 1.9-7/30 version (with the 2 extra patches from
Olivier avoiding 100% on a single thread.) and also a build of today's
snapshot: HA-Proxy version 1.9-dev1-e3faf02 2018/08/25

Below info is at the bottom of the mail:
- haproxy -vv
- gdb backtraces

This one is easy to reproduce after just a few calls to the lua function
with the lua code I'm writing on a test-box.. So if a 'simple' config that
makes a reproduction is desired I can likely come up with one.
Same lua code with nbthread 1 seems to work properly.

Is below info (the stack traces) enough to come up with a fix? If not lemme
know and I'll try and make a small reproduction of it.


root@freebsd11:~ # haproxy -vv
HA-Proxy version 1.9-dev1-e3faf02 2018/08/25
Copyright 2000-2018 Willy Tarreau 

Build options :
   TARGET  = freebsd
   CPU = generic
   CC  = cc
   CFLAGS  = -DDEBUG_THREAD -DDEBUG_MEMORY -pipe -g -fstack-protector
-fno-strict-aliasing -fno-strict-aliasing -Wdeclaration-after-statement
-fwrapv -fno-strict-overflow -Wno-address-of-packed-member
-Wno-null-dereference -Wno-unused-label -DFREEBSD_PORTS -DFREEBSD_PORTS
   OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_CPU_AFFINITY=1 USE_ACCEPT4=1
USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_STATIC_PCRE=1 USE_PCRE_JIT=1

Default settings :
   maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with network namespace support.
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"),
raw-deflate("deflate"), gzip("gzip")
Built with PCRE version : 8.40 2017-01-11
Running on PCRE version : 8.40 2017-01-11
PCRE library supports JIT : yes
Built with multi-threading support.
Encrypted password support via crypt(3): yes
Built with transparent proxy support using: IP_BINDANY IPV6_BINDANY
Built with Lua version : Lua 5.3.4
Built with OpenSSL version : OpenSSL 1.0.2k-freebsd  26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-freebsd  26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2

Available polling systems :
  kqueue : pref=300,  test result OK
    poll : pref=200,  test result OK
  select : pref=150,  test result OK
Total: 3 (3 usable), will use kqueue.

Available multiplexer protocols :
(protocols markes as  cannot be specified using 'proto' keyword)
     : mode=TCP|HTTP   side=FE|BE
   h2 : mode=HTTP   side=FE

Available filters :
     [TRACE] trace
     [COMP] compression
     [SPOE] spoe

root@freebsd11:~ # /usr/local/bin/gdb81 --pid 39649
GNU gdb (GDB) 8.1 [GDB v8.1 for FreeBSD]
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-portbld-freebsd11.1".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
Attaching to process 39649
Reading symbols from /usr/local/sbin/haproxy...done.
[New LWP 101651 of process 39649]
[New LWP 101652 of process 39649]
Reading symbols from /lib/libcrypt.so.5...(no debugging symbols
found)...done.
Reading symbols from /lib/libz.so.6...(no debugging symbols found)...done.
Reading symbols from /lib/libthr.so.3...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libssl.so.8...(no debugging symbols
found)...done.
Reading symbols from /lib/libcrypto.so.8...(no debugging symbols
found)...done.
Reading symbols from /usr/local/lib/liblua-5.3.so...(no debugging symbols
found)...done.
Reading symbols from /lib/libm.so.5...(no debugging symbols found)...done.
Reading symbols from /lib/libc.so.7...(no debugging symbols found)...done.
Reading symbols from /libexec/ld-elf.so.1...(no debugging symbols
found)...done.
[Switching to LWP 101650 of process 39649]
0x000801e11e3a in _kevent () from /lib/libc.so.7
(gdb) info thread
   Id   Target Id Frame
* 1    LWP 101650 of process 39649 0x000801e11e3a in _kevent () from
/lib/libc.so.7
   2    LWP 101651 of process 39649 0x00437b92 in __spin_lock
(lbl=LUA_LOCK, 

Re: lua script, 200% cpu usage with nbthread 3 - haproxy hangs - __spin_lock - HA-Proxy version 1.9-dev1-e3faf02 2018/08/25

2018-08-27 Thread Olivier Houchard
Hi Pieter,

On Sat, Aug 25, 2018 at 10:00:04PM +0200, PiBa-NL wrote:
> Hi List, Thierry, Olivier,
> 
> Using a lua-socket with connect_ssl and haproxy running with nbthread 3..
> results in haproxy hanging with 3 threads for me.
> 
> This while using both 1.9-7/30 version (with the 2 extra patches from
> Olivier avoiding 100% on a single thread.) and also a build of today's
> snapshot: HA-Proxy version 1.9-dev1-e3faf02 2018/08/25
> 
> Below info is at the bottom of the mail:
> - haproxy -vv
> - gdb backtraces
> 
> This one is easy to reproduce after just a few calls to the lua function
> with the lua code I'm writing on a test-box.. So if a 'simple' config that
> makes a reproduction is desired I can likely come up with one.
> Same lua code with nbthread 1 seems to work properly.
> 
> Is below info (the stack traces) enough to come up with a fix? If not lemme
> know and I'll try and make a small reproduction of it.
> 
> 
> root@freebsd11:~ # haproxy -vv
> HA-Proxy version 1.9-dev1-e3faf02 2018/08/25
> Copyright 2000-2018 Willy Tarreau 
> 
> Build options :
>   TARGET  = freebsd
>   CPU = generic
>   CC  = cc
>   CFLAGS  = -DDEBUG_THREAD -DDEBUG_MEMORY -pipe -g -fstack-protector
> -fno-strict-aliasing -fno-strict-aliasing -Wdeclaration-after-statement
> -fwrapv -fno-strict-overflow -Wno-address-of-packed-member
> -Wno-null-dereference -Wno-unused-label -DFREEBSD_PORTS -DFREEBSD_PORTS
>   OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_CPU_AFFINITY=1 USE_ACCEPT4=1
> USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_STATIC_PCRE=1 USE_PCRE_JIT=1
> 
> Default settings :
>   maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
> 
> Built with network namespace support.
> Built with zlib version : 1.2.11
> Running on zlib version : 1.2.11
> Compression algorithms supported : identity("identity"), deflate("deflate"),
> raw-deflate("deflate"), gzip("gzip")
> Built with PCRE version : 8.40 2017-01-11
> Running on PCRE version : 8.40 2017-01-11
> PCRE library supports JIT : yes
> Built with multi-threading support.
> Encrypted password support via crypt(3): yes
> Built with transparent proxy support using: IP_BINDANY IPV6_BINDANY
> Built with Lua version : Lua 5.3.4
> Built with OpenSSL version : OpenSSL 1.0.2k-freebsd  26 Jan 2017
> Running on OpenSSL version : OpenSSL 1.0.2k-freebsd  26 Jan 2017
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
> 
> Available polling systems :
>  kqueue : pref=300,  test result OK
>    poll : pref=200,  test result OK
>  select : pref=150,  test result OK
> Total: 3 (3 usable), will use kqueue.
> 
> Available multiplexer protocols :
> (protocols markes as  cannot be specified using 'proto' keyword)
>     : mode=TCP|HTTP   side=FE|BE
>   h2 : mode=HTTP   side=FE
> 
> Available filters :
>     [TRACE] trace
>     [COMP] compression
>     [SPOE] spoe
> 
> root@freebsd11:~ # /usr/local/bin/gdb81 --pid 39649
> GNU gdb (GDB) 8.1 [GDB v8.1 for FreeBSD]
> Copyright (C) 2018 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later
> <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-portbld-freebsd11.1".
> Type "show configuration" for configuration details.
> For bug reporting instructions, please see:
> <http://www.gnu.org/software/gdb/bugs/>.
> Find the GDB manual and other documentation resources online at:
> <http://www.gnu.org/software/gdb/documentation/>.
> For help, type "help".
> Type "apropos word" to search for commands related to "word".
> Attaching to process 39649
> Reading symbols from /usr/local/sbin/haproxy...done.
> [New LWP 101651 of process 39649]
> [New LWP 101652 of process 39649]
> Reading symbols from /lib/libcrypt.so.5...(no debugging symbols
> found)...done.
> Reading symbols from /lib/libz.so.6...(no debugging symbols found)...done.
> Reading symbols from /lib/libthr.so.3...(no debugging symbols found)...done.
> Reading symbols from /usr/lib/libssl.so.8...(no debugging symbols
> found)...done.
> Reading symbols from /lib/libcrypto.so.8...(no debugging symbols
> found)...done.
> Reading symbols from /usr/local/lib/liblua-5.3.so...(no debugging symbols
> found)...done.
> Reading symbols from /lib/libm.so.5...(no debugging symbols found)...done.
> Reading symbol

Re: lua script, 200% cpu usage with nbthread 3 - haproxy hangs - __spin_lock - HA-Proxy version 1.9-dev1-e3faf02 2018/08/25

2018-08-27 Thread Frederic Lecaille

On 08/25/2018 10:00 PM, PiBa-NL wrote:
> Hi List, Thierry, Olivier,

Hi,

> Using a lua-socket with connect_ssl and haproxy running with nbthread
> 3.. results in haproxy hanging with 3 threads for me.

If your configuration is simple do not hesitate to provide it. Perhaps 
we will be able to write a reg testing file for this bug to reproduce it.




lua script, 200% cpu usage with nbthread 3 - haproxy hangs - __spin_lock - HA-Proxy version 1.9-dev1-e3faf02 2018/08/25

2018-08-25 Thread PiBa-NL

Hi List, Thierry, Olivier,

Using a lua-socket with connect_ssl and haproxy running with nbthread 
3.. results in haproxy hanging with 3 threads for me.


This while using both 1.9-7/30 version (with the 2 extra patches from 
Olivier avoiding 100% on a single thread.) and also a build of today's 
snapshot: HA-Proxy version 1.9-dev1-e3faf02 2018/08/25


Below info is at the bottom of the mail:
- haproxy -vv
- gdb backtraces

This one is easy to reproduce after just a few calls to the lua function 
with the lua code i'm writing on a test-box.. So if a 'simple' config 
that makes a reproduction is desired i can likely come up with one.

Same lua code with nbthread 1 seems to work properly.

Is below info (the stack traces) enough to come up with a fix? If not 
lemme know and ill try and make a small reproduction of it.



root@freebsd11:~ # haproxy -vv
HA-Proxy version 1.9-dev1-e3faf02 2018/08/25
Copyright 2000-2018 Willy Tarreau 

Build options :
  TARGET  = freebsd
  CPU = generic
  CC  = cc
  CFLAGS  = -DDEBUG_THREAD -DDEBUG_MEMORY -pipe -g -fstack-protector 
-fno-strict-aliasing -fno-strict-aliasing -Wdeclaration-after-statement 
-fwrapv -fno-strict-overflow -Wno-address-of-packed-member 
-Wno-null-dereference -Wno-unused-label -DFREEBSD_PORTS -DFREEBSD_PORTS
  OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_CPU_AFFINITY=1 
USE_ACCEPT4=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_STATIC_PCRE=1 
USE_PCRE_JIT=1


Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with network namespace support.
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), 
deflate("deflate"), raw-deflate("deflate"), gzip("gzip")

Built with PCRE version : 8.40 2017-01-11
Running on PCRE version : 8.40 2017-01-11
PCRE library supports JIT : yes
Built with multi-threading support.
Encrypted password support via crypt(3): yes
Built with transparent proxy support using: IP_BINDANY IPV6_BINDANY
Built with Lua version : Lua 5.3.4
Built with OpenSSL version : OpenSSL 1.0.2k-freebsd  26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-freebsd  26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2

Available polling systems :
 kqueue : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use kqueue.

Available multiplexer protocols :
(protocols markes as  cannot be specified using 'proto' keyword)
    : mode=TCP|HTTP   side=FE|BE
  h2 : mode=HTTP   side=FE

Available filters :
    [TRACE] trace
    [COMP] compression
    [SPOE] spoe

root@freebsd11:~ # /usr/local/bin/gdb81 --pid 39649
GNU gdb (GDB) 8.1 [GDB v8.1 for FreeBSD]
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
<http://gnu.org/licenses/gpl.html>

This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-portbld-freebsd11.1".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
Attaching to process 39649
Reading symbols from /usr/local/sbin/haproxy...done.
[New LWP 101651 of process 39649]
[New LWP 101652 of process 39649]
Reading symbols from /lib/libcrypt.so.5...(no debugging symbols 
found)...done.

Reading symbols from /lib/libz.so.6...(no debugging symbols found)...done.
Reading symbols from /lib/libthr.so.3...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libssl.so.8...(no debugging symbols 
found)...done.
Reading symbols from /lib/libcrypto.so.8...(no debugging symbols 
found)...done.
Reading symbols from /usr/local/lib/liblua-5.3.so...(no debugging 
symbols found)...done.

Reading symbols from /lib/libm.so.5...(no debugging symbols found)...done.
Reading symbols from /lib/libc.so.7...(no debugging symbols found)...done.
Reading symbols from /libexec/ld-elf.so.1...(no debugging symbols 
found)...done.

[Switching to LWP 101650 of process 39649]
0x000801e11e3a in _kevent () from /lib/libc.so.7
(gdb) info thread
  Id   Target Id Frame
* 1    LWP 101650 of process 39649 0x000801e11e3a in _kevent () from 
/lib/libc.so.7
  2    LWP 101651 of process 39649 0x00437b92 in __spin_lock 
(lbl=LUA_LOCK, l=0x8cf1d8 , func=0x62a781 
"hlua_ctx_resume",
    file=0x62a328 "src/hlua.c", line=1070)

Re: WAF with HA Proxy.

2018-08-13 Thread DHAVAL JAISWAL
Thanks Willy,

It's solved.

Now, checking further on configuring Rules.

On Mon, Aug 13, 2018 at 2:32 PM, Willy Tarreau  wrote:

> On Mon, Aug 13, 2018 at 02:24:00PM +0530, DHAVAL JAISWAL wrote:
> > /usr/local/src/modsecurity-2.9.1/hapmodeconfig/INSTALL/include/
>
> Well, I'm sorry, I don't know what type of help you expect by simply
> dumping a path like this.
>
> > ./modsecurity -h
> >
> > -bash: ./modsecurity: No such file or directory
>
> So this clearly shows that something went wrong. You will hardly get
> any help if you insist on remaining cryptic and continue to refuse
> to read your error messages on your screen, I'm sorry.
>
> Willy
>



-- 
Thanks & Regards
Dhaval Jaiswal


Re: WAF with HA Proxy.

2018-08-13 Thread Willy Tarreau
On Mon, Aug 13, 2018 at 02:24:00PM +0530, DHAVAL JAISWAL wrote:
> /usr/local/src/modsecurity-2.9.1/hapmodeconfig/INSTALL/include/

Well, I'm sorry, I don't know what type of help you expect by simply
dumping a path like this.

> ./modsecurity -h
> 
> -bash: ./modsecurity: No such file or directory

So this clearly shows that something went wrong. You will hardly get
any help if you insist on remaining cryptic and continue to refuse
to read your error messages on your screen, I'm sorry.

Willy



Re: WAF with HA Proxy.

2018-08-13 Thread DHAVAL JAISWAL
/usr/local/src/modsecurity-2.9.1/hapmodeconfig/INSTALL/include/


./modsecurity -h

-bash: ./modsecurity: No such file or directory

On Mon, Aug 13, 2018 at 1:14 PM, Willy Tarreau  wrote:

> On Mon, Aug 13, 2018 at 01:09:58PM +0530, DHAVAL JAISWAL wrote:
> > Trying to configure mod security on HA Proxy server with the following
> way.
> > However,  it throws error.
> >
> > https://fossies.org/linux/haproxy/contrib/modsecurity/README
> >
> > ./modsecurity.h  -h
>
> You are sourcing a C include file. The README says "./modsecurity -h",
> not "./modsecurity.h -h". I suspect you got it by auto-completion
> because you skipped the compilation step.
>
> Willy
>



-- 
Thanks & Regards
Dhaval Jaiswal


Re: WAF with HA Proxy.

2018-08-13 Thread Willy Tarreau
On Mon, Aug 13, 2018 at 01:09:58PM +0530, DHAVAL JAISWAL wrote:
> Trying to configure mod security on HA Proxy server with the following way.
> However,  it throws error.
> 
> https://fossies.org/linux/haproxy/contrib/modsecurity/README
> 
> ./modsecurity.h  -h

You are sourcing a C include file. The README says "./modsecurity -h",
not "./modsecurity.h -h". I suspect you got it by auto-completion
because you skipped the compilation step.

Willy



Re: WAF with HA Proxy.

2018-08-13 Thread DHAVAL JAISWAL
Trying to configure mod security on HA Proxy server with the following way.
However,  it throws error.

https://fossies.org/linux/haproxy/contrib/modsecurity/README

./modsecurity.h  -h

./modsecurity.h: line 1: /bin: Is a directory

./modsecurity.h: line 2: acmp.h: command not found

./modsecurity.h: line 3: syntax error near unexpected token `('

./modsecurity.h: line 3: `* Copyright (c) 2004-2013 Trustwave Holdings,
Inc. (http://www.trustwave.com/)'

On Thu, May 10, 2018 at 2:58 AM, Mark Lakes 
wrote:

> Thank you for the feedback, although this is in fact a technical solution
> I never intended to offend anyone. I have submitted fixes to haproxy in the
> past but have not as you say responded to questions before this.
>
> thanks again for the feedback
>  -mark
>
>
>
>
>
> On Wed, May 9, 2018 at 2:03 PM, Willy Tarreau  wrote:
>
>> Mark,
>>
>> On Wed, May 09, 2018 at 10:40:38AM -0700, Mark Lakes wrote:
>> > For commercial purposes, see Signal Sciences Next Gen WAF solution:
>> > https://www.signalsciences.com/waf-web-application-firewall/
>>
>> Advertising for commercial products on an open source list is never
>> welcome
>> especially when such a response looks like it's made only to try to place
>> a
>> product and not really to propose a technical solution (and it's not as if
>> you had ever responded to a question here prior to this one).
>>
>> A large number of commercial product vendors are represented here, some of
>> whom invest a lot in R&D and support, some even competing in certain
>> areas,
>> and all of them respect this basic rule, focusing only on sharing
>> knowledge
>> and improvements to haproxy. A few times I've even rejected requests from
>> some of my coworkers who asked if it was OK to respond to someone with a
>> link to one of HapTech's commercial solutions and I'm pretty sure others
>> do the same in other companies.
>>
>> Given the complaints we used to have in the past with the spams on the
>> list,
>> I'm pretty sure that most of the list's participants would prefer that the
>> list remains free of any form of advertising so that we can continue to
>> work
>> all together without being polluted nor starting to suspect that each
>> proposal
>> or question would derive to another ad.
>>
>> Also, I'm normally not the one who'd comment on each other's signature,
>> but
>> this one occupies almost half of my 80x24 response e-mail window, full of
>> links and even trackers as if you were trying hard to make a bit of SEO,
>> and this is quite impolite to many users, so I think it would be
>> reasonable
>> to significantly trim it down :
>>
>> > *Mark Lakes*
>> > Sr Software Engineer
>> > (555) 555-
>> > <https://www.signalsciences.com/?utm_source=emailsig>
>> > Winner: InfoWorld Technology of the Year 2018
>> > <https://www.infoworld.com/article/3251828/application-devel
>> opment/infoworlds-2018-technology-of-the-year-award-winners.html#slide24>
>> > <https://www.facebook.com/SignalSciences/>
>> > <https://twitter.com/signalsciences>
>> > <https://www.linkedin.com/company/signal-sciences/>
>>
>> You will simply not find this from most of the regular participants on
>> this
>> list and many would probably like to take the opportunity as well but
>> refrain
>> from doing so to respect others. So at least being the only one to post
>> like
>> this should give you a hint how to proceed in the future.
>>
>> Thanks,
>> Willy
>>
>
>


-- 
Thanks & Regards
Dhaval Jaiswal


Re: Regarding HA proxy configuration with denodo

2018-07-26 Thread Jonathan Matthews
On Thu, 26 Jul 2018 at 07:12, aditya.ana...@wipro.com <
aditya.ana...@wipro.com> wrote:

> We have two different denodo servers installed on two machines (LINUX)
> installed on AWS and one load balancer installed on one of those machines .
> Can you please provide the steps required or the configuration that need to
> be done to connect HA proxy with the available denodo servers . HA proxy
> should be able to connect either of the denodo server available .
>

Hello.

This is the public mailing list for users of the open source haproxy tool.

You would be best served by posting the configuration as far as you've
managed to get it going, and asking questions about specific problems you
encounter along the way.

Here is the starter guide for the current stable version:
http://cbonte.github.io/haproxy-dconv/1.8/intro.html. There are links along
the top of that page to the configuration and management manuals.

If, instead, you feel you would like to trade time for money, and want to
take advantage of a commercial support option, some are listed here:
http://www.haproxy.org/#supp

As a backstop, my UK company is already set up as a supplier inside Wipro's
procurement system. Do get in touch if the routes I've mentioned above
don't meet your needs :-)

All the best,
Jonathan

> --
Jonathan Matthews
London, UK
http://www.jpluscplusm.com/contact.html


Regarding HA proxy configuration with denodo

2018-07-26 Thread aditya.ana...@wipro.com
We have two different denodo servers installed on two machines (LINUX) 
installed on AWS and one load balancer installed on one of those machines . Can 
you please provide the steps required or the configuration that need to be done 
to connect HA proxy with the available denodo servers . HA proxy should be able 
to connect either of the denodo server available .

Thanks.




Re: WAF with HA Proxy.

2018-05-09 Thread Mark Lakes
Thank you for the feedback, although this is in fact a technical solution I
never intended to offend anyone. I have submitted fixes to haproxy in the
past but have not as you say responded to questions before this.

thanks again for the feedback
 -mark





On Wed, May 9, 2018 at 2:03 PM, Willy Tarreau  wrote:

> Mark,
>
> On Wed, May 09, 2018 at 10:40:38AM -0700, Mark Lakes wrote:
> > For commercial purposes, see Signal Sciences Next Gen WAF solution:
> > https://www.signalsciences.com/waf-web-application-firewall/
>
> Advertising for commercial products on an open source list is never welcome
> especially when such a response looks like it's made only to try to place a
> product and not really to propose a technical solution (and it's not as if
> you had ever responded to a question here prior to this one).
>
> A large number of commercial product vendors are represented here, some of
> whom invest a lot in R&D and support, some even competing in certain areas,
> and all of them respect this basic rule, focusing only on sharing knowledge
> and improvements to haproxy. A few times I've even rejected requests from
> some of my coworkers who asked if it was OK to respond to someone with a
> link to one of HapTech's commercial solutions and I'm pretty sure others
> do the same in other companies.
>
> Given the complaints we used to have in the past with the spams on the
> list,
> I'm pretty sure that most of the list's participants would prefer that the
> list remains free of any form of advertising so that we can continue to
> work
> all together without being polluted nor starting to suspect that each
> proposal
> or question would derive to another ad.
>
> Also, I'm normally not the one who'd comment on each other's signature, but
> this one occupies almost half of my 80x24 response e-mail window, full of
> links and even trackers as if you were trying hard to make a bit of SEO,
> and this is quite impolite to many users, so I think it would be reasonable
> to significantly trim it down :
>
> > *Mark Lakes*
> > Sr Software Engineer
> > (555) 555-
> > 
> > Winner: InfoWorld Technology of the Year 2018
> >  development/infoworlds-2018-technology-of-the-year-award-
> winners.html#slide24>
> > 
> > 
> > 
>
> You will simply not find this from most of the regular participants on this
> list and many would probably like to take the opportunity as well but
> refrain
> from doing so to respect others. So at least being the only one to post
> like
> this should give you a hint how to proceed in the future.
>
> Thanks,
> Willy
>


Re: WAF with HA Proxy.

2018-05-09 Thread Willy Tarreau
Mark,

On Wed, May 09, 2018 at 10:40:38AM -0700, Mark Lakes wrote:
> For commercial purposes, see Signal Sciences Next Gen WAF solution:
> https://www.signalsciences.com/waf-web-application-firewall/

Advertising for commercial products on an open source list is never welcome
especially when such a response looks like it's made only to try to place a
product and not really to propose a technical solution (and it's not as if
you had ever responded to a question here prior to this one).

A large number of commercial product vendors are represented here, some of
whom invest a lot in R&D and support, some even competing in certain areas,
and all of them respect this basic rule, focusing only on sharing knowledge
and improvements to haproxy. A few times I've even rejected requests from
some of my coworkers who asked if it was OK to respond to someone with a
link to one of HapTech's commercial solutions and I'm pretty sure others
do the same in other companies.

Given the complaints we used to have in the past with the spams on the list,
I'm pretty sure that most of the list's participants would prefer that the
list remains free of any form of advertising so that we can continue to work
all together without being polluted nor starting to suspect that each proposal
or question would derive to another ad.

Also, I'm normally not the one who'd comment on each other's signature, but
this one occupies almost half of my 80x24 response e-mail window, full of
links and even trackers as if you were trying hard to make a bit of SEO,
and this is quite impolite to many users, so I think it would be reasonable
to significantly trim it down :

> *Mark Lakes*
> Sr Software Engineer
> (555) 555-
> 
> Winner: InfoWorld Technology of the Year 2018
> 
> 
> 
> 

You will simply not find this from most of the regular participants on this
list and many would probably like to take the opportunity as well but refrain
from doing so to respect others. So at least being the only one to post like
this should give you a hint how to proceed in the future.

Thanks,
Willy



Re: WAF with HA Proxy.

2018-05-09 Thread thierry . fournier
On Thu, 10 May 2018 02:07:24 +0530
DHAVAL JAISWAL <dhava...@gmail.com> wrote:

> I would prefer to keep this in front of HAProxy. So that any request comes
> first it will pass through the WAF standard rules and then it will come
> inside.


HAProxy is a very robust component. It blocks protocol attacks which don't
respect the HTTP protocol and forwards other attacks. In other way, it can block
basic attacks with a simple ACL (attacks like http://../../../etc/passwd).

With HAProxy in front component, you can process loadbalancing on your WAFs.
This is useful because WAFs use more CPU than loadbalancers.

BR,
Thierry


> Could you please help me with some more documentation, configuration about
> this. How would I achieve it.
> 
> 
> 
> On Thu, May 10, 2018 at 12:14 AM, Malcolm Turnbull <malc...@loadbalancer.org
> > wrote:
> 
> > Dhaval,
> >
> > As far as I'm concerned almost everyone on the planet uses mod_security...
> > But most use it with apache & some use it with Nginx...
> > So you can either put it on all of your web servers...
> > Or Put it in-front of HAProxy...
> > Or make an HAProxy[1] sandwich (which is what we do at Loadbalancer.org[2])
> >
> > [1] https://www.haproxy.com/blog/scalable-waf-protection-with-
> > haproxy-and-apache-with-modsecurity/
> > [2] https://www.loadbalancer.org/blog/blocking-invalid-range-
> > headers-using-modsecurity-and-haproxy-ms15-034-cve-2015-1635/
> >
> >
> > Malcolm Turnbull
> >
> > Loadbalancer.org Ltd.
> >
> > www.loadbalancer.org
> >
> >  +44 (0)330 380 1064
> > malc...@loadbalancer.org
> >
> >
> >
> >
> > On 9 May 2018 at 19:21, DHAVAL JAISWAL <dhava...@gmail.com> wrote:
> > > Looking for open source.
> > >
> > > On Wed, May 9, 2018 at 11:10 PM, Mark Lakes <mla...@signalsciences.com>
> > > wrote:
> > >>
> > >> For commercial purposes, see Signal Sciences Next Gen WAF solution:
> > >> https://www.signalsciences.com/waf-web-application-firewall/
> > >>
> > >>
> > >>
> > >> Mark Lakes
> > >> Sr Software Engineer
> > >> (555) 555-
> > >> Winner: InfoWorld Technology of the Year 2018
> > >>
> > >>
> > >> On Wed, May 9, 2018 at 2:23 AM, DHAVAL JAISWAL <dhava...@gmail.com>
> > wrote:
> > >>>
> > >>> I am looking for WAF solution with HA Proxy.
> > >>>
> > >>> One which I come to know is with HA Proxy version 1.8.8 + mode
> > security.
> > >>> However, I feel its still on early stage.
> > >>>
> > >>> Any other recommendation for WAF with HA Proxy.
> > >>>
> > >>>
> > >>> --
> > >>> Thanks & Regards
> > >>> Dhaval Jaiswal
> > >>
> > >>
> > >
> > >
> > >
> > > --
> > > Thanks & Regards
> > > Dhaval Jaiswal
> >
> 
> 
> 
> -- 
> Thanks & Regards
> Dhaval Jaiswal
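
The placement Thierry describes above, HAProxy in front refusing basic traversal requests with a simple ACL and load-balancing everything else across the WAF nodes, could look like the following. This is an added example, not configuration from the thread or from the HAProxy project; the section names, addresses, ports and health-check URL are assumptions.

```haproxy
# Added illustration: HAProxy as the front component ahead of a WAF tier.
# All names, addresses and ports below are placeholders.

global
    maxconn 2000

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_web
    bind :80

    # "../" in the path exactly as received.
    acl traversal_raw     path -m sub ../
    # The same test after one round of percent-decoding, so that
    # "%2e%2e%2f" is matched as well as the literal form.
    acl traversal_decoded path,url_dec -m sub ../
    # Requests that name the file from the thread's example directly.
    acl passwd_probe      path,url_dec -m sub /etc/passwd

    # Refuse the basic cases here. url_dec decodes only once, so
    # double-encoded sequences are left for the WAF rules to evaluate.
    http-request deny if traversal_raw or traversal_decoded or passwd_probe

    # Everything else is handed to the WAF tier for full rule evaluation.
    default_backend be_waf

backend be_waf
    # WAF nodes use more CPU than the load balancer, so spread requests
    # over several of them and stop sending to a node that fails checks.
    balance leastconn
    option httpchk GET /
    server waf1 192.0.2.11:8080 check
    server waf2 192.0.2.12:8080 check
```

The WAF nodes then forward clean traffic to the application servers, either directly or back through a second HAProxy layer as in the "sandwich" layout mentioned earlier in the thread.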



Re: WAF with HA Proxy.

2018-05-09 Thread thierry . fournier
On Wed, 9 May 2018 21:10:48 +0100
Andrew Smalley  wrote:

> Hello Thierry
> 
> Thank you for your response saying it is the SPOE engine that does
> mod_security integration and not the almost correct SPOA that I said.


No, you're right: SPOA is the Agent and the ModSec implementation is an
SPOA. SPOE is the Engine.


> Can I ask how haproxy does the SSO with the SPOE/SPOA Engine?


The SPOE/SPOA is designed for this kind of usage, but I haven't heard
about any SPOA soft which implements this kind of functionality.

I propose four ways:

 - Not easy, but reliable: copy/paste the C SPOA demo agent and modify
   it to perform SSO authentication according to your needs.

 - Easy, but with questionable reliability (because recent dev): I
   submitted a few days ago a generic SPOA daemon which executes Python
   scripts. Unfortunately, I based my dev on an old HAProxy version
   (1.6 or 1.7), and the agent is not compatible with all SPOP
   (P=Protocol) features, but it works with 1.8 and 1.9.
   https://www.mail-archive.com/haproxy@formilux.org/msg29093.html
   Once python is executed, you can do authentication with any backend.

 - Hard and not reliable (because new dev): Internal haproxy dev (based
   on the same way as SPOE and Lua socket) which communicates with
   SASL. SASL seems great for SSO authentication: it can process many
   authentication methods (HTTP Basic, HTTP Digest) and use many backends
   (PAM, files, passwd, ldap, ...)

 - Easy with some protocols and reliable. Use Lua and socket to
   establish authentication protocol with another server. But some
   limitations prevent the usage of some libraries. The libldap is
   not usable. The usable libs are libs using luasocket, but which
   can be modified to use haproxy sockets (it's the same API
   as luasocket).

BR,
Thierry


> 
> 
> Andruw Smalley
> 
> Loadbalancer.org Ltd.
> 
> www.loadbalancer.org
> +1 888 867 9504 / +44 (0)330 380 1064
> asmal...@loadbalancer.org
> 
> Leave a Review | Deployment Guides | Blog
> 
> 
> On 9 May 2018 at 21:04, Thierry Fournier  
> wrote:
> > Hi,
> >
> > I confirm: the modsecurity is done through SPOE.
> >
> > The limitations are:
> >
> > The limit of the body size analysed is the size of HAProxy buffer (default
> > 16kB, but for my own usage, I configure 1MB)
> >
> >
> > The response is not analysed.
> >
> >
> > BR,
> > Thierry
> >
> >
> > On 9 May 2018, at 21:40, Andrew Smalley  wrote:
> >
> > Hi Mark
> >
> > Actually as far as I understand the Haproxy implementation of
> > mod_security integration is not with Lua but with SPOA
> >
> > https://www.haproxy.org/download/1.7/doc/SPOE.txt
> > Andruw Smalley
> >
> > Loadbalancer.org Ltd.
> >
> > www.loadbalancer.org
> > +1 888 867 9504 / +44 (0)330 380 1064
> > asmal...@loadbalancer.org
> >
> > Leave a Review | Deployment Guides | Blog
> >
> >
> > On 9 May 2018 at 20:36, Mark Lakes  wrote:
> >
> > Right, via lua module it integrates with haproxy.
> > -mark
> >
> >
> >
> >
> > Mark Lakes
> > Sr Software Engineer
> > (555) 555-
> > Winner: InfoWorld Technology of the Year 2018
> >
> >
> > On Wed, May 9, 2018 at 11:43 AM, Jonathan Matthews 
> > wrote:
> >
> >
> > On Wed, 9 May 2018 at 18:43, Mark Lakes  wrote:
> >
> >
> > For commercial purposes, see Signal Sciences Next Gen WAF solution:
> > https://www.signalsciences.com/waf-web-application-firewall/
> >
> >
> >
> > That page says it supports "Nginx, Nginx Plus, Apache and IIS". Does it
> > integrate with HAProxy? Via what mechanism?
> >
> > J
> >
> > --
> > Jonathan Matthews
> > London, UK
> > http://www.jpluscplusm.com/contact.html
> >
> >
> >
> >
> >
> 



Re: WAF with HA Proxy.

2018-05-09 Thread DHAVAL JAISWAL
I would prefer to keep this in front of HAProxy. So that any request comes
first it will pass through the WAF standard rules and then it will come
inside.

Could you please help me with some more documentation, configuration about
this. How would I achieve it.



On Thu, May 10, 2018 at 12:14 AM, Malcolm Turnbull <malc...@loadbalancer.org
> wrote:

> Dhaval,
>
> As far as I'm concerned almost everyone on the planet uses mod_security...
> But most use it with apache & some use it with Nginx...
> So you can either put it on all of your web servers...
> Or Put it in-front of HAProxy...
> Or make an HAProxy[1] sandwich (which is what we do at Loadbalancer.org[2])
>
> [1] https://www.haproxy.com/blog/scalable-waf-protection-with-
> haproxy-and-apache-with-modsecurity/
> [2] https://www.loadbalancer.org/blog/blocking-invalid-range-
> headers-using-modsecurity-and-haproxy-ms15-034-cve-2015-1635/
>
>
> Malcolm Turnbull
>
> Loadbalancer.org Ltd.
>
> www.loadbalancer.org
>
>  +44 (0)330 380 1064
> malc...@loadbalancer.org
>
>
>
>
> On 9 May 2018 at 19:21, DHAVAL JAISWAL <dhava...@gmail.com> wrote:
> > Looking for open source.
> >
> > On Wed, May 9, 2018 at 11:10 PM, Mark Lakes <mla...@signalsciences.com>
> > wrote:
> >>
> >> For commercial purposes, see Signal Sciences Next Gen WAF solution:
> >> https://www.signalsciences.com/waf-web-application-firewall/
> >>
> >>
> >>
> >> Mark Lakes
> >> Sr Software Engineer
> >> (555) 555-
> >> Winner: InfoWorld Technology of the Year 2018
> >>
> >>
> >> On Wed, May 9, 2018 at 2:23 AM, DHAVAL JAISWAL <dhava...@gmail.com>
> wrote:
> >>>
> >>> I am looking for WAF solution with HA Proxy.
> >>>
> >>> One which I come to know is with HA Proxy version 1.8.8 + mode
> security.
> >>> However, I feel its still on early stage.
> >>>
> >>> Any other recommendation for WAF with HA Proxy.
> >>>
> >>>
> >>> --
> >>> Thanks & Regards
> >>> Dhaval Jaiswal
> >>
> >>
> >
> >
> >
> > --
> > Thanks & Regards
> > Dhaval Jaiswal
>



-- 
Thanks & Regards
Dhaval Jaiswal


Re: WAF with HA Proxy.

2018-05-09 Thread Mark Lakes
Sure, note that it doesn't integrate with mod_security. It integrates with
haproxy via a lua script and haproxy config that uses it.



*Mark Lakes*
Sr Software Engineer
(555) 555-

Winner: InfoWorld Technology of the Year 2018





On Wed, May 9, 2018 at 12:40 PM, Andrew Smalley 
wrote:

> Hi Mark
>
> Actually as far as I understand the Haproxy implementation of
> mod_security integration is not with Lua but with SPOA
>
> https://www.haproxy.org/download/1.7/doc/SPOE.txt
> Andruw Smalley
>
> Loadbalancer.org Ltd.
>
> www.loadbalancer.org
> +1 888 867 9504 / +44 (0)330 380 1064
> asmal...@loadbalancer.org
>
> Leave a Review | Deployment Guides | Blog
>
>
> On 9 May 2018 at 20:36, Mark Lakes  wrote:
> > Right, via lua module it integrates with haproxy.
> > -mark
> >
> >
> >
> >
> > Mark Lakes
> > Sr Software Engineer
> > (555) 555-
> > Winner: InfoWorld Technology of the Year 2018
> >
> >
> > On Wed, May 9, 2018 at 11:43 AM, Jonathan Matthews <
> cont...@jpluscplusm.com>
> > wrote:
> >>
> >> On Wed, 9 May 2018 at 18:43, Mark Lakes 
> wrote:
> >>>
> >>> For commercial purposes, see Signal Sciences Next Gen WAF solution:
> >>> https://www.signalsciences.com/waf-web-application-firewall/
> >>
> >>
> >> That page says it supports "Nginx, Nginx Plus, Apache and IIS". Does it
> >> integrate with HAProxy? Via what mechanism?
> >>
> >> J
> >>
> >> --
> >> Jonathan Matthews
> >> London, UK
> >> http://www.jpluscplusm.com/contact.html
> >
> >
>
>


Re: WAF with HA Proxy.

2018-05-09 Thread Andrew Smalley
Hello Thierry

Thank you for your response saying it is the SPOE engine that does
mod_security integration and not the almost correct SPOA that I said.

Can I ask how haproxy does the SSO with the SPOE/SPOA Engine?


Andruw Smalley

Loadbalancer.org Ltd.

www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
asmal...@loadbalancer.org

Leave a Review | Deployment Guides | Blog


On 9 May 2018 at 21:04, Thierry Fournier  wrote:
> Hi,
>
> I confirm: the modsecurity is done through SPOE.
>
> The limitations are:
>
> The limit of the body size analysed is the size of HAProxy buffer (default
> 16kB, but for my own usage, I configure 1MB)
>
>
> The response is not analysed.
>
>
> BR,
> Thierry
>
>
> On 9 May 2018, at 21:40, Andrew Smalley  wrote:
>
> Hi Mark
>
> Actually as far as I understand the Haproxy implementation of
> mod_security integration is not with Lua but with SPOA
>
> https://www.haproxy.org/download/1.7/doc/SPOE.txt
> Andruw Smalley
>
> Loadbalancer.org Ltd.
>
> www.loadbalancer.org
> +1 888 867 9504 / +44 (0)330 380 1064
> asmal...@loadbalancer.org
>
> Leave a Review | Deployment Guides | Blog
>
>
> On 9 May 2018 at 20:36, Mark Lakes  wrote:
>
> Right, via lua module it integrates with haproxy.
> -mark
>
>
>
>
> Mark Lakes
> Sr Software Engineer
> (555) 555-
> Winner: InfoWorld Technology of the Year 2018
>
>
> On Wed, May 9, 2018 at 11:43 AM, Jonathan Matthews 
> wrote:
>
>
> On Wed, 9 May 2018 at 18:43, Mark Lakes  wrote:
>
>
> For commercial purposes, see Signal Sciences Next Gen WAF solution:
> https://www.signalsciences.com/waf-web-application-firewall/
>
>
>
> That page says it supports "Nginx, Nginx Plus, Apache and IIS". Does it
> integrate with HAProxy? Via what mechanism?
>
> J
>
> --
> Jonathan Matthews
> London, UK
> http://www.jpluscplusm.com/contact.html
>
>
>
>
>



Re: WAF with HA Proxy.

2018-05-09 Thread Thierry Fournier
Hi,

I confirm: the modsecurity is done through SPOE.

The limitations are:

The limit of the body size analysed is the size of HAProxy buffer (default 
16kB, but for my own usage, I configure 1MB)

The response is not analysed.

BR,
Thierry

> On 9 May 2018, at 21:40, Andrew Smalley  wrote:
> 
> Hi Mark
> 
> Actually as far as I understand the Haproxy implementation of
> mod_security integration is not with Lua but with SPOA
> 
> https://www.haproxy.org/download/1.7/doc/SPOE.txt
> Andruw Smalley
> 
> Loadbalancer.org Ltd.
> 
> www.loadbalancer.org
> +1 888 867 9504 / +44 (0)330 380 1064
> asmal...@loadbalancer.org
> 
> Leave a Review | Deployment Guides | Blog
> 
> 
> On 9 May 2018 at 20:36, Mark Lakes  wrote:
>> Right, via lua module it integrates with haproxy.
>> -mark
>> 
>> 
>> 
>> 
>> Mark Lakes
>> Sr Software Engineer
>> (555) 555-
>> Winner: InfoWorld Technology of the Year 2018
>> 
>> 
>> On Wed, May 9, 2018 at 11:43 AM, Jonathan Matthews 
>> wrote:
>>> 
>>> On Wed, 9 May 2018 at 18:43, Mark Lakes  wrote:
 
>>>> For commercial purposes, see Signal Sciences Next Gen WAF solution:
>>>> https://www.signalsciences.com/waf-web-application-firewall/
>>> 
>>> 
>>> That page says it supports "Nginx, Nginx Plus, Apache and IIS". Does it
>>> integrate with HAProxy? Via what mechanism?
>>> 
>>> J
>>> 
>>> --
>>> Jonathan Matthews
>>> London, UK
>>> http://www.jpluscplusm.com/contact.html
>> 
>> 
> 



Re: WAF with HA Proxy.

2018-05-09 Thread Andrew Smalley
Hi Mark

Actually as far as I understand the Haproxy implementation of
mod_security integration is not with Lua but with SPOA

https://www.haproxy.org/download/1.7/doc/SPOE.txt
Andruw Smalley

Loadbalancer.org Ltd.

www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
asmal...@loadbalancer.org

Leave a Review | Deployment Guides | Blog


On 9 May 2018 at 20:36, Mark Lakes  wrote:
> Right, via lua module it integrates with haproxy.
> -mark
>
>
>
>
> Mark Lakes
> Sr Software Engineer
> (555) 555-
> Winner: InfoWorld Technology of the Year 2018
>
>
> On Wed, May 9, 2018 at 11:43 AM, Jonathan Matthews 
> wrote:
>>
>> On Wed, 9 May 2018 at 18:43, Mark Lakes  wrote:
>>>
>>> For commercial purposes, see Signal Sciences Next Gen WAF solution:
>>> https://www.signalsciences.com/waf-web-application-firewall/
>>
>>
>> That page says it supports "Nginx, Nginx Plus, Apache and IIS". Does it
>> integrate with HAProxy? Via what mechanism?
>>
>> J
>>
>> --
>> Jonathan Matthews
>> London, UK
>> http://www.jpluscplusm.com/contact.html
>
>



Re: WAF with HA Proxy.

2018-05-09 Thread Mark Lakes
Right, via lua module it integrates with haproxy.
-mark




*Mark Lakes*
Sr Software Engineer
(555) 555-

Winner: InfoWorld Technology of the Year 2018





On Wed, May 9, 2018 at 11:43 AM, Jonathan Matthews 
wrote:

> On Wed, 9 May 2018 at 18:43, Mark Lakes  wrote:
>
>> For commercial purposes, see Signal Sciences Next Gen WAF solution:
>> https://www.signalsciences.com/waf-web-application-firewall/
>>
>
> That page says it supports "Nginx, Nginx Plus, Apache and IIS". Does it
> integrate with HAProxy? Via what mechanism?
>
> J
>
> --
> Jonathan Matthews
> London, UK
> http://www.jpluscplusm.com/contact.html
>


Re: WAF with HA Proxy.

2018-05-09 Thread Malcolm Turnbull
Dhaval,

As far as I'm concerned almost everyone on the planet uses mod_security...
But most use it with apache & some use it with Nginx...
So you can either put it on all of your web servers...
Or Put it in-front of HAProxy...
Or make an HAProxy[1] sandwich (which is what we do at Loadbalancer.org[2])

[1] 
https://www.haproxy.com/blog/scalable-waf-protection-with-haproxy-and-apache-with-modsecurity/
[2] 
https://www.loadbalancer.org/blog/blocking-invalid-range-headers-using-modsecurity-and-haproxy-ms15-034-cve-2015-1635/


Malcolm Turnbull

Loadbalancer.org Ltd.

www.loadbalancer.org

 +44 (0)330 380 1064
malc...@loadbalancer.org




On 9 May 2018 at 19:21, DHAVAL JAISWAL <dhava...@gmail.com> wrote:
> Looking for open source.
>
> On Wed, May 9, 2018 at 11:10 PM, Mark Lakes <mla...@signalsciences.com>
> wrote:
>>
>> For commercial purposes, see Signal Sciences Next Gen WAF solution:
>> https://www.signalsciences.com/waf-web-application-firewall/
>>
>>
>>
>> Mark Lakes
>> Sr Software Engineer
>> (555) 555-
>> Winner: InfoWorld Technology of the Year 2018
>>
>>
>> On Wed, May 9, 2018 at 2:23 AM, DHAVAL JAISWAL <dhava...@gmail.com> wrote:
>>>
>>> I am looking for WAF solution with HA Proxy.
>>>
>>> One which I come to know is with HA Proxy version 1.8.8 + mode security.
>>> However, I feel its still on early stage.
>>>
>>> Any other recommendation for WAF with HA Proxy.
>>>
>>>
>>> --
>>> Thanks & Regards
>>> Dhaval Jaiswal
>>
>>
>
>
>
> --
> Thanks & Regards
> Dhaval Jaiswal



Re: WAF with HA Proxy.

2018-05-09 Thread Jonathan Matthews
On Wed, 9 May 2018 at 18:43, Mark Lakes  wrote:

> For commercial purposes, see Signal Sciences Next Gen WAF solution:
> https://www.signalsciences.com/waf-web-application-firewall/
>

That page says it supports "Nginx, Nginx Plus, Apache and IIS". Does it
integrate with HAProxy? Via what mechanism?

J

-- 
Jonathan Matthews
London, UK
http://www.jpluscplusm.com/contact.html


Re: WAF with HA Proxy.

2018-05-09 Thread DHAVAL JAISWAL
Looking for open source.

On Wed, May 9, 2018 at 11:10 PM, Mark Lakes <mla...@signalsciences.com>
wrote:

> For commercial purposes, see Signal Sciences Next Gen WAF solution:
> https://www.signalsciences.com/waf-web-application-firewall/
>
>
>
> *Mark Lakes*
> Sr Software Engineer
> (555) 555-
> Winner: InfoWorld Technology of the Year 2018
>
> On Wed, May 9, 2018 at 2:23 AM, DHAVAL JAISWAL <dhava...@gmail.com> wrote:
>
>> I am looking for WAF solution with HA Proxy.
>>
>> One which I come to know is with HA Proxy version 1.8.8 + mode security.
>> However, I feel its still on early stage.
>>
>> Any other recommendation for WAF with HA Proxy.
>>
>>
>> --
>> Thanks & Regards
>> Dhaval Jaiswal
>>
>
>


-- 
Thanks & Regards
Dhaval Jaiswal


Re: WAF with HA Proxy.

2018-05-09 Thread Mark Lakes
For commercial purposes, see Signal Sciences Next Gen WAF solution:
https://www.signalsciences.com/waf-web-application-firewall/



*Mark Lakes*
Sr Software Engineer
(555) 555-
Winner: InfoWorld Technology of the Year 2018

On Wed, May 9, 2018 at 2:23 AM, DHAVAL JAISWAL <dhava...@gmail.com> wrote:

> I am looking for WAF solution with HA Proxy.
>
> One which I come to know is with HA Proxy version 1.8.8 + mode security.
> However, I feel its still on early stage.
>
> Any other recommendation for WAF with HA Proxy.
>
>
> --
> Thanks & Regards
> Dhaval Jaiswal
>


WAF with HA Proxy.

2018-05-09 Thread DHAVAL JAISWAL
I am looking for WAF solution with HA Proxy.

One which I come to know is with HA Proxy version 1.8.8 + mode security.
However, I feel it's still on early stage.

Any other recommendation for WAF with HA Proxy.


-- 
Thanks & Regards
Dhaval Jaiswal


Re: Can HA-Proxy set an header when he "breaks" stick routing

2018-03-22 Thread Igor Cicimov
On Thu, Mar 22, 2018 at 10:42 PM, Igor Cicimov <
ig...@encompasscorporation.com> wrote:

> Hi,
>
> On Thu, Mar 22, 2018 at 6:24 PM, Gisle Grimen <gisle.gri...@evry.com>
> wrote:
>
>> Hi,
>>
>>
>>
>> Thank you for your response.
>>
>>
>>
>> To be very precise the feature I am looking for from HA-Proxy is that
>> when HA-Proxy does a re-dispatch HA-Proxy also adds a Header, which will
>> tell the server receiving the request from HA-Proxy that HA-Proxy has done
>> a re-dispatch. This is the critical feature we are looking for.
>>
>>
>>
>> This feature will be important to both type 1 systems in order to
>> minimize the load on the shared session storage and important to type 3
>> systems in order to allow them to flush local caches of potential stale
>> data. Both of which are systems we run.
>>
>
> I see it makes more sense now, I missed this info I must have deleted
> half of the thread. Maybe inserting cookies by haproxy for example SERVERID
> with the value of the server name can help. It will have value of Server1
> for the first requests that have fell over to Server2 so checking the value
> will tell you it came from different server.
>

Actually think haproxy will remove the cookie from the request before
sending the request to the backend server :-/ Maybe there is an option to
tell it not to but not sure.

>
>
>>
>> Best regards,
>>
>>
>>
>> Gisle
>>
>>
>>
>>
>>
>> *From: *Igor Cicimov <ig...@encompasscorporation.com>
>> *Date: *Thursday, 22 March 2018 at 07:48
>> *To: *Gisle Grimen <gisle.gri...@evry.com>
>> *Cc: *Willy Tarreau <w...@1wt.eu>, "haproxy@formilux.org" <
>> haproxy@formilux.org>
>> *Subject: *Re: Can HA-Proxy set an header when he "breaks" stick routing
>>
>>
>>
>> Hi,
>>
>>
>>
>> On Wed, Mar 21, 2018 at 8:57 PM, Gisle Grimen <gisle.gri...@evry.com>
>> wrote:
>>
>> Hi,
>>
>> I'll try to be more specific:
>>
>> The functionality I was looking for on HA-Proxy in connection with
>> sticky-routing is the following:
>>
>> Normal flow all servers up (this is functionality available today):
>> 1. HA-Proxy receives a request
>> 2. HA-Proxy checks the sticky table and determines that that request
>> should be sent to Server1
>> 3. HA-Proxy forwards the request to Server1
>>
>> Sticky Server is down: (this is functionality I would like HA-proxy to
>> have or figure out how to configure)
>> 1. HA-Proxy receives a request
>> 2. HA-Proxy checks the sticky table and determines that that request
>> should be sent to Server1
>> 3. HA-Proxy determines that Server1 is down and selects to send the
>> request to Server2
>> 4. HA-Proxy adds an HTTP header to the request. Example:
>> sticky-destination-updated=true
>> 5. HA-Proxy updates sticky table that further request from this source
>> from now on is sent to server to Server2
>> 6. HA-Proxy forwards the request to Server2
>>
>>
>>
>> It does have this of course, see
>> https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4.2-option%20redispatch
>>
>>  for example. If it didn't many implementations would be broken don't you
>> think?
>>
>>
>>
>> I must say though the use of that header you insist of is not really
>> clear to me except for maybe statistic purposes on the backend. You can
>> have two types of backends (in terms of sessions): 1) one where each server
>> is aware of each other sessions (shared session storage in memory or disk)
>> or 2) one where each server has its own sessions. There is third one where
>> no sessions are needed but that's not of interest here.
>>
>>
>>
>> The second case is the one for which you most probably need stickiness
>> for in which case if the Server1 one goes down and Haproxy re-distributes
>> its connections between Server2 and Serve3 lets say by definition those
>> servers will reset the sessions (since have no idea about them) and the
>> user will have to lets say log in again in the application on their side.
>>
>>  Once done they will stick to the ne

Re: Can HA-Proxy set an header when he "breaks" stick routing

2018-03-22 Thread Igor Cicimov
Hi,

On Thu, Mar 22, 2018 at 6:24 PM, Gisle Grimen <gisle.gri...@evry.com> wrote:

> Hi,
>
>
>
> Thank you for your response.
>
>
>
> To be very precise the feature I am looking for from HA-Proxy is that when
> HA-Proxy does a re-dispatch HA-Proxy also adds a Header, which will tell the
> server receiving the request from HA-Proxy that HA-Proxy has done a
> re-dispatch. This is the critical feature we are looking for.
>
>
>
> This feature will be important to both type 1 systems in order to minimize
> the load on the shared session storage and important to type 3 systems in
> order to allow them to flush local caches of potential stale data. Both of
> which are systems we run.
>

I see it makes more sense now, I missed this info I must have deleted half
of the thread. Maybe inserting cookies by haproxy for example SERVERID with
the value of the server name can help. It will have value of Server1 for
the first requests that have fell over to Server2 so checking the value
will tell you it came from different server.


>
> Best regards,
>
>
>
> Gisle
>
>
>
>
>
> *From: *Igor Cicimov <ig...@encompasscorporation.com>
> *Date: *Thursday, 22 March 2018 at 07:48
> *To: *Gisle Grimen <gisle.gri...@evry.com>
> *Cc: *Willy Tarreau <w...@1wt.eu>, "haproxy@formilux.org" <
> haproxy@formilux.org>
> *Subject: *Re: Can HA-Proxy set an header when he "breaks" stick routing
>
>
>
> Hi,
>
>
>
> On Wed, Mar 21, 2018 at 8:57 PM, Gisle Grimen <gisle.gri...@evry.com>
> wrote:
>
> Hi,
>
> I'll try to be more specific:
>
> The functionality I was looking for on HA-Proxy in connection with
> sticky-routing is the following:
>
> Normal flow all servers up (this is functionality available today):
> 1. HA-Proxy receives a request
> 2. HA-Proxy checks the sticky table and determines that that request
> should be sent to Server1
> 3. HA-Proxy forwards the request to Server1
>
> Sticky Server is down: (this is functionality I would like HA-proxy to
> have or figure out how to configure)
> 1. HA-Proxy receives a request
> 2. HA-Proxy checks the sticky table and determines that that request
> should be sent to Server1
> 3. HA-Proxy determines that Server1 is down and selects to send the
> request to Server2
> 4. HA-Proxy adds an HTTP header to the request. Example:
> sticky-destination-updated=true
> 5. HA-Proxy updates sticky table that further request from this source
> from now on is sent to server to Server2
> 6. HA-Proxy forwards the request to Server2
>
>
>
> It does have this of course, see
> https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4.2-option%20redispatch
>
>  for example. If it didn't many implementations would be broken don't you
> think?
>
>
>
> I must say though the use of that header you insist of is not really clear
> to me except for maybe statistic purposes on the backend. You can have two
> types of backends (in terms of sessions): 1) one where each server is aware
> of each other sessions (shared session storage in memory or disk) or 2) one
> where each server has its own sessions. There is third one where no
> sessions are needed but that's not of interest here.
>
>
>
> The second case is the one for which you most probably need stickiness for
> in which case if the Server1 one goes down and Haproxy re-distributes its
> connections between Server2 and Serve3 lets say by definition those servers
> will reset the sessions (since have no idea about them) and the user will
> have to lets say log in again in the application on their side.
>
>  Once done they will stick to the new server elected. Which brings me to
> the point where I don't understand usage of the mentioned header in the
> first place. Header or not what you need/want is going to happen anyway.
>
>
>
> In the first case with shared sessions, you can use stickiness as well if
> you like but it is not critical as in the one described above. In which
> case Server2 and Server3 will have knowledge of the Server1's sessions and
> it will be business as usual.
>
> ​
>
>
>
> Next request from same source would be processed as follows on HA-Proxy
> (assuming server3 is still up):
> 1. HA-Proxy receives a request
> 2. HA-Proxy checks the sticky table and determines that that request
> shou

Re: Can HA-Proxy set an header when he "breaks" stick routing

2018-03-22 Thread Gisle Grimen
Hi,

Thank you for your response.

To be very precise the feature I am looking for from HA-Proxy is that when 
HA-Proxy does a re-dispatch HA-Proxy also adds a Header, which will tell the 
server receiving the request from HA-Proxy that HA-Proxy has done a 
re-dispatch. This is the critical feature we are looking for.

This feature will be important to both type 1 systems in order to minimize the 
load on the shared session storage and important to type 3 systems in order to 
allow them to flush local caches of potential stale data. Both of which are 
systems we run.

Best regards,

Gisle


From: Igor Cicimov <ig...@encompasscorporation.com>
Date: Thursday, 22 March 2018 at 07:48
To: Gisle Grimen <gisle.gri...@evry.com>
Cc: Willy Tarreau <w...@1wt.eu>, "haproxy@formilux.org" <haproxy@formilux.org>
Subject: Re: Can HA-Proxy set an header when he "breaks" stick routing

Hi,

On Wed, Mar 21, 2018 at 8:57 PM, Gisle Grimen <gisle.gri...@evry.com> wrote:
Hi,

I'll try to be more specific:

The functionality I was looking for on HA-Proxy in connection with 
sticky-routing is the following:

Normal flow all servers up (this is functionality available today):
1. HA-Proxy receives a request
2. HA-Proxy checks the sticky table and determines that that request should be 
sent to Server1
3. HA-Proxy forwards the request to Server1

Sticky Server is down: (this is functionality I would like HA-proxy to have or 
figure out how to configure)
1. HA-Proxy receives a request
2. HA-Proxy checks the sticky table and determines that that request should be 
sent to Server1
3. HA-Proxy determines that Server1 is down and selects to send the request to 
Server2
4. HA-Proxy adds an HTTP header to the request. Example: 
sticky-destination-updated=true
5. HA-Proxy updates sticky table that further request from this source from now 
on is sent to server to Server2
6. HA-Proxy forwards the request to Server2

It does have this of course, see
https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4.2-option%20redispatch
 for example. If it didn't many implementations would be broken don't you think?

I must say though the use of that header you insist of is not really clear to 
me except for maybe statistic purposes on the backend. You can have two types 
of backends (in terms of sessions): 1) one where each server is aware of each 
other sessions (shared session storage in memory or disk) or 2) one where each 
server has its own sessions. There is third one where no sessions are needed 
but that's not of interest here.

The second case is the one for which you most probably need stickiness for in 
which case if the Server1 one goes down and Haproxy re-distributes its 
connections between Server2 and Serve3 lets say by definition those servers 
will reset the sessions (since have no idea about them) and the user will have 
to lets say log in again in the application on their side.
 Once done they will stick to the new server elected. Which brings me to the 
point where I don't understand usage of the mentioned header in the first 
place. Header or not what you need/want is going to happen anyway.

In the first case with shared sessions, you can use stickiness as well if you 
like but it is not critical as in the one described above. In which case 
Server2 and Server3 will have knowledge of the Server1's sessions and it will 
be business as usual.
​

Next request from same source would be processed as follows on HA-Proxy 
(assuming server3 is still up):
1. HA-Proxy receives a request
2. HA-Proxy checks the sticky table and determines that that request should be 
sent to Server2
3. HA-Proxy forwards the request to Server2

That is already the case with Haproxy,

The assumption here is that selecting new  sticky-ness target due to existing 
sticky-ness server is not available is something that happens rarely.

What happen on the application when header is set:
The application will then flush all relevant local caches connected to that 
user/session and so on, ensuring that the server does not work on stale data.

This allows one instance of an application to handle all request from one 
user/session, which allows the application to apply aggressively caching of 
data within the specific instance of the application. If for some reason a 
request is forwarded by HA-proxy to another application instance, the instance 
will be able to determine that instance switch has occurred and can flush its 
potential stale cache entries.

You get into issue here on the following case:
1. You are first on serve

Re: Can HA-Proxy set an header when he "breaks" stick routing

2018-03-22 Thread Igor Cicimov
Hi,

On Wed, Mar 21, 2018 at 8:57 PM, Gisle Grimen <gisle.gri...@evry.com> wrote:

> Hi,
>
> I'll try to be more specific:
>
> The functionality I was looking for on HA-Proxy in connection with
> sticky-routing is the following:
>
> Normal flow all servers up (this is functionality available today):
> 1. HA-Proxy receives a request
> 2. HA-Proxy checks the sticky table and determines that that request
> should be sent to Server1
> 3. HA-Proxy forwards the request to Server1
>
> Sticky Server is down: (this is functionality I would like HA-proxy to
> have or figure out how to configure)
> 1. HA-Proxy receives a request
> 2. HA-Proxy checks the sticky table and determines that that request
> should be sent to Server1
> 3. HA-Proxy determines that Server1 is down and selects to send the
> request to Server2
> 4. HA-Proxy adds an HTTP header to the request. Example:
> sticky-destination-updated=true
> 5. HA-Proxy updates sticky table that further request from this source
> from now on is sent to server to Server2
> 6. HA-Proxy forwards the request to Server2
>
>
It does have this of course, see
https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4.2-option%20redispatch
 for example. If it didn't many implementations would be broken don't you
think?

I must say though the use of that header you insist of is not really clear
to me except for maybe statistic purposes on the backend. You can have two
types of backends (in terms of sessions): 1) one where each server is aware
of each other sessions (shared session storage in memory or disk) or 2) one
where each server has its own sessions. There is third one where no
sessions are needed but that's not of interest here.

The second case is the one for which you most probably need stickiness for
in which case if the Server1 one goes down and Haproxy re-distributes its
connections between Server2 and Serve3 lets say by definition those servers
will reset the sessions (since have no idea about them) and the user will
have to lets say log in again in the application on their side.
 Once done they will stick to the new server elected. Which brings me to
the point where I don't understand usage of the mentioned header in the
first place. Header or not what you need/want is going to happen anyway.

In the first case with shared sessions, you can use stickiness as well if
you like but it is not critical as in the one described above. In which
case Server2 and Server3 will have knowledge of the Server1's sessions and
it will be business as usual.
​


> Next request from same source would be processed as follows on HA-Proxy
> (assuming server3 is still up):
> 1. HA-Proxy receives a request
> 2. HA-Proxy checks the sticky table and determines that that request
> should be sent to Server2
> 3. HA-Proxy forwards the request to Server2
>
>
That is already the case with Haproxy,

>
> The assumption here is that selecting new  sticky-ness target due to
> existing sticky-ness server is not available is something that happens
> rarely.
>
> What happen on the application when header is set:
> The application will then flush all relevant local caches connected to
> that user/session and so on, ensuring that the server does not work on
> stale data.
>
> This allows one instance of an application to handle all request from one
> user/session, which allows the application to apply aggressively caching of
> data within the specific instance of the application. If for some reason a
> request is forwarded by HA-proxy to another application instance, the
> instance will be able to determine that instance switch has occurred and
> can flush its potential stale cache entries.
>
> You get into issue here on the following case:
> 1. You are first on server 1
> 2. Some reason you are sent to server 2
> 3. Some reason you are sent to server 1 again, which without the described
> functionality we would risk that Server 1 operates on stale data
>
> This scenario is something that for example could happen during high load
> situations.
>
> Best regards,
>
> Gisle
>
> On 21/03/2018, 09:57, "Willy Tarreau" <w...@1wt.eu> wrote:
>
> On Wed, Mar 21, 2018 at 08:20:44AM +, Gisle Grimen wrote:
> > Hi,
> >
> > Thanks for the information. That was sad to hear. In our case the
> traffic is
> > coming from servers and not a web browser so solving this with
> cookies are
> > not an option. The communication between the servers are based on
> > international standards as such we cannot add additional
> requirements to the
> > server sending the requests. As such we have to solve it within our
> > infrastructure. With a little help from HA-proxy you could then
> create very
&

Re: Can HA-Proxy set an header when he "breaks" stick routing

2018-03-21 Thread Gisle Grimen
Hi, 

I'll try to be more specific:

The functionality I was looking for on HA-Proxy in connection with 
sticky-routing is the following:

Normal flow all servers up (this is functionality available today):
1. HA-Proxy receives a request
2. HA-Proxy checks the sticky table and determines that that request should be 
sent to Server1
3. HA-Proxy forwards the request to Server1

Sticky Server is down: (this is functionality I would like HA-proxy to have or 
figure out how to configure)
1. HA-Proxy receives a request
2. HA-Proxy checks the sticky table and determines that that request should be 
sent to Server1
3. HA-Proxy determines that Server1 is down and selects to send the request to 
Server2
4. HA-Proxy adds an HTTP header to the request. Example: 
sticky-destination-updated=true
5. HA-Proxy updates sticky table that further request from this source from now 
on is sent to server to Server2
6. HA-Proxy forwards the request to Server2

Next request from same source would be processed as follows on HA-Proxy 
(assuming server3 is still up):
1. HA-Proxy receives a request
2. HA-Proxy checks the sticky table and determines that that request should be 
sent to Server2
3. HA-Proxy forwards the request to Server2


The assumption here is that selecting new  sticky-ness target due to existing 
sticky-ness server is not available is something that happens rarely.

What happen on the application when header is set:
The application will then flush all relevant local caches connected to that 
user/session and so on, ensuring that the server does not work on stale data.

This allows one instance of an application to handle all request from one 
user/session, which allows the application to apply aggressively caching of 
data within the specific instance of the application. If for some reason a 
request is forwarded by HA-proxy to another application instance, the instance 
will be able to determine that instance switch has occurred and can flush its 
potential stale cache entries.

You get into issue here on the following case:
1. You are first on server 1
2. Some reason you are sent to server 2
3. Some reason you are sent to server 1 again, which without the described 
functionality we would risk that Server 1 operates on stale data

This scenario is something that for example could happen during high load 
situations.

Best regards,

Gisle 
 
On 21/03/2018, 09:57, "Willy Tarreau" <w...@1wt.eu> wrote:

On Wed, Mar 21, 2018 at 08:20:44AM +, Gisle Grimen wrote:
> Hi,
> 
> Thanks for the information. That was sad to hear. In our case the traffic is
> coming from servers and not a web browser so solving this with cookies are
> not an option. The communication between the servers are based on
> international standards as such we cannot add additional requirements to the
> server sending the requests. As such we have to solve it within our
> infrastructure. With a little help from HA-proxy you could then create very
> efficient local caches on each node, but without we need complicated and
> resource intensive shared caches or databases.
> 
> I hope this would be a feature that is possible to add in the future as it
> would help to develop simpler and more efficient applications behind
> HA-Proxy, which in large part can rely in local caches.

The problem I'm having is that you don't describe exactly what you're
trying to achieve nor how you want to use that information about the
broken stickiness, so it's very hard for me to try to figure a working
solution. I proposed one involving sending the initial server ID in a
header for example but I have no idea whether this can work in your case.

So could you please enlighten us on your architecture, the problem that
broken stickiness causes and how you'd like it to be addressed ?

Thanks,
Willy




Re: Can HA-Proxy set an header when he "breaks" stick routing

2018-03-21 Thread Willy Tarreau
On Wed, Mar 21, 2018 at 08:20:44AM +, Gisle Grimen wrote:
> Hi,
> 
> Thanks for the information. That was sad to hear. In our case the traffic is
> coming from servers and not a web browser so solving this with cookies is
> not an option. The communication between the servers is based on
> international standards as such we cannot add additional requirements to the
> server sending the requests. As such we have to solve it within our
> infrastructure. With a little help from HA-proxy you could then create very
> efficient local caches on each node, but without we need complicated and
> resource intensive shared caches or databases.
> 
> I hope this would be a feature that is possible to add in the future as it
> would help to develop simpler and more efficient applications behind
> HA-Proxy, which in large part can rely on local caches.

The problem I'm having is that you don't describe exactly what you're
trying to achieve nor how you want to use that information about the
broken stickiness, so it's very hard for me to try to figure a working
solution. I proposed one involving sending the initial server ID in a
header for example but I have no idea whether this can work in your case.

So could you please enlighten us on your architecture, the problem that
broken stickiness causes and how you'd like it to be addressed ?

Thanks,
Willy



Re: Can HA-Proxy set an header when he "breaks" stick routing

2018-03-21 Thread Gisle Grimen
Hi,

Thanks for the information. That was sad to hear. In our case the traffic is 
coming from servers and not a web browser so solving this with cookies is not 
an option. The communication between the servers is based on international 
standards as such we cannot add additional requirements to the server sending 
the requests. As such we have to solve it within our infrastructure. With a 
little help from HA-proxy you could then create very efficient local caches on 
each node, but without we need complicated and resource intensive shared caches 
or databases.

I hope this would be a feature that is possible to add in the future as it 
would help to develop simpler and more efficient applications behind HA-Proxy, 
which in large part can rely on local caches.

Best Regards,

Gisle

On 19/03/2018, 09:31, "Willy Tarreau" <w...@1wt.eu> wrote:

Hi,

On Fri, Mar 16, 2018 at 12:31:47PM +, Gisle Grimen wrote:
> Hi,
> 
> We are using HA-Proxy with sticky routing in front of our cluster. Is there a
> way to get HA-Proxy to add or set a header on a forwarded request when
> HA-Proxy "breaks" sticky routing i.e. when forwarding the request to another
> server than the one indicated in the sticky table?

No, there is no such thing. You have this information in the logs however.
The difficulty lies with adding some information late in the LB+connection
process, as they happen after headers are processed. There is one exception
to this, "option http-send-name-header", which is able to rewind the stream
and insert a server name after the LB is performed, and it has been causing
tons of bugs alone for more than two years because it's very tricky.

I think that it would not be very difficult to implement something adding
a header containing the ID of the initial server that the stickiness was
expecting however. This way it could allow your servers to see that the
initial name is not the one they expected and deduce the stickiness is
broken. I don't know if that could suit your needs, nor if anyone would
be willing to work on this (maybe you would ?).

Regards,
Willy




Re: Can HA-Proxy set an header when he "breaks" stick routing

2018-03-19 Thread Willy Tarreau
Hi,

On Fri, Mar 16, 2018 at 12:31:47PM +, Gisle Grimen wrote:
> Hi,
> 
> We are using HA-Proxy with sticky routing in front of our cluster. Is there a
> way to get HA-Proxy to add or set a header on a forwarded request when
> HA-Proxy "breaks" sticky routing i.e. when forwarding the request to another
> server than the one indicated in the sticky table?

No, there is no such thing. You have this information in the logs however.
The difficulty lies with adding some information late in the LB+connection
process, as they happen after headers are processed. There is one exception
to this, "option http-send-name-header", which is able to rewind the stream
and insert a server name after the LB is performed, and it has been causing
tons of bugs alone for more than two years because it's very tricky.

I think that it would not be very difficult to implement something adding
a header containing the ID of the initial server that the stickiness was
expecting however. This way it could allow your servers to see that the
initial name is not the one they expected and deduce the stickiness is
broken. I don't know if that could suit your needs, nor if anyone would
be willing to work on this (maybe you would ?).

Regards,
Willy
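
The server 1 → server 2 → server 1 case from the thread, combined with the "ID of the initial server" header suggested above, as an added Python illustration; it is not code from the thread and not an existing HAProxy feature. The header name `X-Sticky-Expected-Server`, the classes and the toy proxy are hypothetical, and the proxy is assumed to move its sticky entry to whichever server it last used.

```python
# Added illustration: header name and classes are hypothetical, not HAProxy features.
EXPECTED_HDR = "X-Sticky-Expected-Server"

BACKING_STORE = {}  # shared source of truth: session -> value


class AppInstance:
    def __init__(self, server_id, honor_header):
        self.server_id = server_id
        self.honor_header = honor_header
        self.cache = {}  # per-instance local cache: session -> value

    def handle(self, session, headers, write=None):
        expected = headers.get(EXPECTED_HDR)
        if self.honor_header and expected is not None and expected != self.server_id:
            # The proxy expected another instance: stickiness was broken,
            # so whatever this instance cached for the session may be stale.
            self.cache.pop(session, None)
        if write is not None:
            BACKING_STORE[session] = write
            self.cache[session] = write
        elif session not in self.cache:
            self.cache[session] = BACKING_STORE[session]
        return self.cache[session]


class Proxy:
    """Toy sticky proxy. Assumption: the sticky entry follows the last server used."""

    def __init__(self, servers):
        self.servers = servers
        self.sticky = {}  # session -> server id

    def forward(self, session, force=None, write=None):
        expected = self.sticky.get(session)
        target = force or expected or next(iter(self.servers))
        headers = {EXPECTED_HDR: expected} if expected else {}
        self.sticky[session] = target
        return self.servers[target].handle(session, headers, write)


def run_scenario(honor_header):
    """Replay the three steps from the thread; return what server 1 serves at step 3."""
    BACKING_STORE.clear()
    servers = {sid: AppInstance(sid, honor_header) for sid in ("s1", "s2")}
    proxy = Proxy(servers)
    proxy.forward("sess", write="v1")              # 1. first on server 1
    proxy.forward("sess", force="s2", write="v2")  # 2. sent to server 2, data changes
    return proxy.forward("sess", force="s1")       # 3. sent to server 1 again
```

With the header ignored, server 1 answers step 3 from its old cache entry; with the header honored, it flushes and reloads the current value.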


