Re: HAProxy question

2019-11-19 Thread Aleksandar Lazic


Hi.
 
Nov 19, 2019 11:05:34 AM Micael Gillet :
 
> Hello, As part of a project, I have some questions about HAProxy's abilities.
> Could you confirm if HAProxy is able to handle the following points?
> 
> * STP Protection (RSTP)
> * VLANs interfaces
 
This is too low-level for HAProxy, IMHO.
 
> * HA Cluster in Active / Passive mode
 
Yes it's possible.
 
> * SNMP for monitoring
 
Not out of the box, but possible with tools.
 
> * HealthCheck of LDAP services
> * Round robin and failover load balancing
> * Routing flows to a specific pool based on the source IP address
> * Filtering incoming flow by IP/port
 
Yes it's possible.
 
> * "OneConnect" type profile
 
Is this what you mean with that question?
 
https://support.f5.com/csp/article/K7208
 
It looks like you want to replace a F5 cluster.
I would recommend getting in touch with HAProxy Company for a proposal, as I 
assume that the commercial product will fit your requirements.
 
> Thanks for your support. Regards Micael Gillet
 
Regards, aleks
 
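Taking the items answered above with "Yes it's possible" (LDAP health checks, round robin with failover, routing flows to a pool by source IP, filtering by IP/port), here is an added HAProxy configuration showing how each one is expressed. This is example configuration written for this page, not configuration from the thread or from the HAProxy project; the addresses, backend names and file paths are assumptions. SNMP and the active/passive pair are left out because, as the reply says, they live outside HAProxy itself (the failover pair is normally done with VRRP/keepalived in front of two identical proxies, and SNMP with an external agent reading HAProxy's stats).

```haproxy
# Added example (not from the thread): one configuration covering the items
# answered "yes" above. Addresses, names and paths are assumptions.
global
    log /dev/log local0
    # Drop privileges after binding; the chroot limits what a compromised
    # process can reach.
    chroot /var/lib/haproxy
    user haproxy
    group haproxy

defaults
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Item 8, filtering incoming flows by IP/port: the bind line fixes the port,
# and tcp-request connection rules drop unwanted sources before any byte is read.
frontend ft_ldap
    mode tcp
    bind 10.0.0.10:389
    acl allowed_clients src 10.10.0.0/16 192.168.5.0/24
    acl branch_office   src 192.168.5.0/24
    tcp-request connection reject if !allowed_clients
    # Item 7, routing to a specific pool based on the source address.
    use_backend bk_ldap_branch if branch_office
    default_backend bk_ldap_main

# Items 5 and 6: LDAP-aware health checks, round robin across the active
# servers, and a "backup" server that only receives traffic once every
# non-backup server is down.
backend bk_ldap_main
    mode tcp
    balance roundrobin
    # option ldap-check sends an LDAPv3 anonymous simple bind and expects a
    # bind response; a plain TCP connect check would report a wedged LDAP
    # daemon as healthy.
    option ldap-check
    default-server inter 5s fall 3 rise 2
    server ldap1 10.0.1.11:389 check
    server ldap2 10.0.1.12:389 check
    server ldap3 10.0.1.13:389 check backup

backend bk_ldap_branch
    mode tcp
    balance roundrobin
    option ldap-check
    default-server inter 5s fall 3 rise 2
    server ldap4 192.168.5.11:389 check
    server ldap1 10.0.1.11:389 check backup
```

Validate with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. The `tcp-request connection reject` rule is evaluated at accept time, so rejected sources never occupy a session slot or reach the LDAP servers; the `src` ACLs in `use_backend` run afterwards, on the same source address.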





HAProxy question

2019-11-19 Thread Micael Gillet
Hello,
As part of a project, I have some questions about HAProxy's abilities.
Could you confirm if HAProxy is able to handle the following points?

  1.  STP Protection (RSTP)
  2.  VLANs interfaces
  3.  HA Cluster in Active / Passive mode
  4.  SNMP for monitoring
  5.  HealthCheck of LDAP services
  6.  Round robin and failover load balancing
  7.  Routing flows to a specific pool based on the source IP address
  8.  Filtering incoming flow by IP/port
  9.  "OneConnect" type profile

Thanks for your support.
Regards
Micael Gillet










Re: HaProxy question

2018-08-13 Thread Jonathan Opperman
On Mon, Aug 13, 2018 at 12:55 AM Igor Cicimov <
ig...@encompasscorporation.com> wrote:

> Hi Jonathan,
>
> I'll keep bottom posting, otherwise the thread will become a real mess and
> very hard to follow historically.
>
> On Sun, Aug 12, 2018 at 9:19 PM Jonathan Opperman 
> wrote:
>
>> Hi Igor,
>>
>> Not 100% sure what you mean here with the redirect to the proxy bind on
>> that port? What will the rest
>> of the bind look like on the front-end config in haproxy?
>>
>> Cheers
>> Jonathan
>>
>> On Tue, Aug 7, 2018 at 1:16 PM Igor Cicimov <
>> ig...@encompasscorporation.com> wrote:
>>
>>>
>>>
>>> On Tue, Aug 7, 2018 at 10:53 AM, Igor Cicimov <
>>> ig...@encompasscorporation.com> wrote:
>>>
 Hi Jonathan,

 On Tue, Aug 7, 2018 at 9:43 AM, Jonathan Opperman 
 wrote:

> Hi All,
>
> I am hoping someone can give me some tips and pointers on getting
> something working
> in haproxy that could do the following:
>
> I have installed haproxy and put a web server behind it, the proxy has
> 2 interfaces,
> eth0 (public) and eth1 (proxy internal)
>
> I've got a requirement where I want to only proxy some source ip
> addresses based on
> their source address so we can gradually add our customers to haproxy
> so that we can
> support TLS1.2 and strong ciphers
>
> I have added an iptables rule and can then bypass haproxy with:
>
> for ip in $INBOUNDEXCLUSIONS ; do
> ipset -N inboundexclusions iphash
> ipset -A inboundexclusions $ip
> done
> $IPTABLES -t nat -N HTTPSINBOUNDBYPASS
> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j
> LOG --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
>
> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -d
> 10.0.0.92 -p tcp --dport 443 -j DNAT --to $JONODEMO1:443
> $IPTABLES -t nat -A PREROUTING -m set ! --match-set
> inboundexclusions src -d 10.0.0.92 -p tcp --dport 443 -j 
> HTTPSINBOUNDBYPASS
>
> Testing was done and I was happy with the solution, I then had a
> requirement
> to have a proxy with multiple IP address on eth0 (So created eth0:1
> eth0:2) etc
> and changed my haproxy frontend config from  bind 0.0.0.0:443
> transparent
> to bind 10.0.0.92:443 transparent but now my dnat doesn't work if
> haproxy
> is running, if I stop haproxy the traffic gets dnatted fine.
>
> I am not sure if I am being very clear in here but basically wanted to
> know if there is
> a way to do selective ssl offloading on the haproxy or bypass
> ssl offloading on the
> server that sits behind the proxy? This is required so that customers
> that do not support
> TLS1.2 and strong ciphers we can still let them connect so actually
> bypassing
> the ssl offloading on the proxy.
>
> Thanks very much for your time reading this.
>
> Regards,
> Jonathan
>
>
 One option that comes to mind for achieving the same without iptables is
 using a whitelist file and two backends: one tcp backend that will just pass
 through the ssl connection to the SSL server and one in http mode that will
 do SSL offloading. Something like:

 use_backend be_offload if { src -f /etc/haproxy/whitelist.lst }
 default_backend be_passthrough

 or vice-versa depending on your implementation and which list would be
 shorter :-)


>>> Another idea:
>>>
>>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j LOG
>>> --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
>>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -j DNAT --to $JONODEMO1:443
>>> $IPTABLES -t nat -A PREROUTING -m set ! --match-set inboundexclusions
>>> src -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
>>> $IPTABLES -t nat -A PREROUTING -i eth0 -d 10.0.0.92 -p tcp --dport 443
>>> -j REDIRECT 127.0.2.1:443
>>>
>>> then in haproxy:
>>>
>>> bind 127.0.2.1:443
>>>
>>>
> Well, the last 2 rules with a slight correction for the REDIRECT action:
>
> $IPTABLES -t nat -A PREROUTING -m set ! --match-set inboundexclusions src
> -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
> $IPTABLES -t nat -A PREROUTING -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j
> REDIRECT --to-ports 4433
> 
>
> would mean that the first rule will catch all packets for connections
> coming to 10.0.0.92 from clients that are NOT on the ip list and will be
> sent to the SSL backend directly bypassing haproxy. The ones that don't
> match that rule will be sent to the primary IP, lets say it is still
> 10.0.0.92, but port 4433. This is where you set your SSL termination proxy
> to listen, so same as before just different port.
>
> The point being you can set your haproxy frontend to listen on what ever
> port you like for ssl connections, and redirect to that port via iptables.
> If you want to change the IP too you can go with 

Re: HaProxy question

2018-08-12 Thread Igor Cicimov
Hi Jonathan,

I'll keep bottom posting, otherwise the thread will become a real mess and
very hard to follow historically.

On Sun, Aug 12, 2018 at 9:19 PM Jonathan Opperman 
wrote:

> Hi Igor,
>
> Not 100% sure what you mean here with the redirect to the proxy bind on
> that port? What will the rest
> of the bind look like on the front-end config in haproxy?
>
> Cheers
> Jonathan
>
> On Tue, Aug 7, 2018 at 1:16 PM Igor Cicimov <
> ig...@encompasscorporation.com> wrote:
>
>>
>>
>> On Tue, Aug 7, 2018 at 10:53 AM, Igor Cicimov <
>> ig...@encompasscorporation.com> wrote:
>>
>>> Hi Jonathan,
>>>
>>> On Tue, Aug 7, 2018 at 9:43 AM, Jonathan Opperman 
>>> wrote:
>>>
 Hi All,

 I am hoping someone can give me some tips and pointers on getting
 something working
 in haproxy that could do the following:

 I have installed haproxy and put a web server behind it, the proxy has
 2 interfaces,
 eth0 (public) and eth1 (proxy internal)

 I've got a requirement where I want to only proxy some source ip
 addresses based on
 their source address so we can gradually add our customers to haproxy so
 that we can
 support TLS1.2 and strong ciphers

 I have added an iptables rule and can then bypass haproxy with:

 for ip in $INBOUNDEXCLUSIONS ; do
 ipset -N inboundexclusions iphash
 ipset -A inboundexclusions $ip
 done
 $IPTABLES -t nat -N HTTPSINBOUNDBYPASS
 $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j
 LOG --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"

 $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -d
 10.0.0.92 -p tcp --dport 443 -j DNAT --to $JONODEMO1:443
 $IPTABLES -t nat -A PREROUTING -m set ! --match-set
 inboundexclusions src -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS

 Testing was done and I was happy with the solution, I then had a
 requirement
 to have a proxy with multiple IP address on eth0 (So created eth0:1
 eth0:2) etc
 and changed my haproxy frontend config from  bind 0.0.0.0:443
 transparent
 to bind 10.0.0.92:443 transparent but now my dnat doesn't work if
 haproxy
 is running, if I stop haproxy the traffic gets dnatted fine.

 I am not sure if I am being very clear in here but basically wanted to
 know if there is
 a way to do selective ssl offloading on the haproxy or bypass
 ssl offloading on the
 server that sits behind the proxy? This is required so that customers
 that do not support
 TLS1.2 and strong ciphers we can still let them connect so actually
 bypassing
 the ssl offloading on the proxy.

 Thanks very much for your time reading this.

 Regards,
 Jonathan


>>> One option that comes to mind for achieving the same without iptables is
>>> using a whitelist file and two backends: one tcp backend that will just pass
>>> through the ssl connection to the SSL server and one in http mode that will
>>> do SSL offloading. Something like:
>>>
>>> use_backend be_offload if { src -f /etc/haproxy/whitelist.lst }
>>> default_backend be_passthrough
>>>
>>> or vice-versa depending on your implementation and which list would be
>>> shorter :-)
>>>
>>>
>> Another idea:
>>
>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j LOG
>> --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -j DNAT --to $JONODEMO1:443
>> $IPTABLES -t nat -A PREROUTING -m set ! --match-set inboundexclusions src
>> -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
>> $IPTABLES -t nat -A PREROUTING -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j
>> REDIRECT 127.0.2.1:443
>>
>> then in haproxy:
>>
>> bind 127.0.2.1:443
>>
>>
Well, the last 2 rules with a slight correction for the REDIRECT action:

$IPTABLES -t nat -A PREROUTING -m set ! --match-set inboundexclusions src
-i eth0 -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
$IPTABLES -t nat -A PREROUTING -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j
REDIRECT --to-ports 4433


would mean that the first rule will catch all packets for connections
coming to 10.0.0.92 from clients that are NOT on the ip list and will be
sent to the SSL backend directly bypassing haproxy. The ones that don't
match that rule will be sent to the primary IP, lets say it is still
10.0.0.92, but port 4433. This is where you set your SSL termination proxy
to listen, so same as before just different port.

The point being you can set your haproxy frontend to listen on what ever
port you like for ssl connections, and redirect to that port via iptables.
If you want to change the IP too you can go with DNAT:

$IPTABLES -t nat -A PREROUTING -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j
DNAT --to-destination 127.0.2.1:4433

Just trying to solve the problem of haproxy binding to 10.0.0.92:443 and
making the dnat rule fail. Hope it is more clear now, 

Re: HaProxy question

2018-08-12 Thread Jonathan Opperman
Hi Igor,

Not 100% sure what you mean here with the redirect to the proxy bind on
that port? What will the rest
of the bind look like on the front-end config in haproxy?

Cheers
Jonathan

On Tue, Aug 7, 2018 at 1:16 PM Igor Cicimov 
wrote:

>
>
> On Tue, Aug 7, 2018 at 10:53 AM, Igor Cicimov <
> ig...@encompasscorporation.com> wrote:
>
>> Hi Jonathan,
>>
>> On Tue, Aug 7, 2018 at 9:43 AM, Jonathan Opperman 
>> wrote:
>>
>>> Hi All,
>>>
>>> I am hoping someone can give me some tips and pointers on getting
>>> something working
>>> in haproxy that could do the following:
>>>
>>> I have installed haproxy and put a web server behind it, the proxy has 2
>>> interfaces,
>>> eth0 (public) and eth1 (proxy internal)
>>>
>>> I've got a requirement where I want to only proxy some source ip
>>> addresses based on
>>> their source address so we can gradually add our customers to haproxy so
>>> that we can
>>> support TLS1.2 and strong ciphers
>>>
>>> I have added an iptables rule and can then bypass haproxy with:
>>>
>>> for ip in $INBOUNDEXCLUSIONS ; do
>>> ipset -N inboundexclusions iphash
>>> ipset -A inboundexclusions $ip
>>> done
>>> $IPTABLES -t nat -N HTTPSINBOUNDBYPASS
>>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j
>>> LOG --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
>>>
>>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -d
>>> 10.0.0.92 -p tcp --dport 443 -j DNAT --to $JONODEMO1:443
>>> $IPTABLES -t nat -A PREROUTING -m set ! --match-set
>>> inboundexclusions src -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
>>>
>>> Testing was done and I was happy with the solution, I then had a
>>> requirement
>>> to have a proxy with multiple IP address on eth0 (So created eth0:1
>>> eth0:2) etc
>>> and changed my haproxy frontend config from  bind 0.0.0.0:443
>>> transparent
>>> to bind 10.0.0.92:443 transparent but now my dnat doesn't work if
>>> haproxy
>>> is running, if I stop haproxy the traffic gets dnatted fine.
>>>
>>> I am not sure if I am being very clear in here but basically wanted to
>>> know if there is
>>> a way to do selective ssl offloading on the haproxy or bypass
>>> ssl offloading on the
>>> server that sits behind the proxy? This is required so that customers
>>> that do not support
>>> TLS1.2 and strong ciphers we can still let them connect so actually
>>> bypassing
>>> the ssl offloading on the proxy.
>>>
>>> Thanks very much for your time reading this.
>>>
>>> Regards,
>>> Jonathan
>>>
>>>
>> One option that comes to mind for achieving the same without iptables is using
>> a whitelist file and two backends: one tcp backend that will just pass
>> through the ssl connection to the SSL server and one in http mode that will
>> do SSL offloading. Something like:
>>
>> use_backend be_offload if { src -f /etc/haproxy/whitelist.lst }
>> default_backend be_passthrough
>>
>> or vice-versa depending on your implementation and which list would be
>> shorter :-)
>>
>>
> Another idea:
>
> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j LOG
> --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -j DNAT --to $JONODEMO1:443
> $IPTABLES -t nat -A PREROUTING -m set ! --match-set inboundexclusions src
> -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
> $IPTABLES -t nat -A PREROUTING -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j
> REDIRECT 127.0.2.1:443
>
> then in haproxy:
>
> bind 127.0.2.1:443
>
>


Re: HaProxy question

2018-08-12 Thread Jonathan Opperman
Hi Igor,

Thanks for the suggestion, only saw your reply now as gmail decided to
route emails to the spam folder.

Tried this and got:

Aug 12 18:34:20 vm-proxy-01.prod-01 haproxy[8502]: [ALERT] 223/183420
(8502) : http frontend 'ft_https_demo' (/etc/haproxy/haproxy.cfg:86) tries
to use incompatible tcp backend 'bk_https_demo_passthrough'
(/etc/haproxy/haproxy.
Aug 12 18:34:20 vm-proxy-01.prod-01 haproxy[8502]: [ALERT] 223/183420
(8502) : Fatal errors found in configuration.

need a bit of fine tuning on my front-end/back-end config.

Cheers
Jonathan

On Tue, Aug 7, 2018 at 12:53 PM Igor Cicimov 
wrote:

> Hi Jonathan,
>
> On Tue, Aug 7, 2018 at 9:43 AM, Jonathan Opperman 
> wrote:
>
>> Hi All,
>>
>> I am hoping someone can give me some tips and pointers on getting
>> something working
>> in haproxy that could do the following:
>>
>> I have installed haproxy and put a web server behind it, the proxy has 2
>> interfaces,
>> eth0 (public) and eth1 (proxy internal)
>>
>> I've got a requirement where I want to only proxy some source ip
>> addresses based on
>> their source address so we can gradually add our customers to haproxy so
>> that we can
>> support TLS1.2 and strong ciphers
>>
>> I have added an iptables rule and can then bypass haproxy with:
>>
>> for ip in $INBOUNDEXCLUSIONS ; do
>> ipset -N inboundexclusions iphash
>> ipset -A inboundexclusions $ip
>> done
>> $IPTABLES -t nat -N HTTPSINBOUNDBYPASS
>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j
>> LOG --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
>>
>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -d
>> 10.0.0.92 -p tcp --dport 443 -j DNAT --to $JONODEMO1:443
>> $IPTABLES -t nat -A PREROUTING -m set ! --match-set
>> inboundexclusions src -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
>>
>> Testing was done and I was happy with the solution, I then had a
>> requirement
>> to have a proxy with multiple IP address on eth0 (So created eth0:1
>> eth0:2) etc
>> and changed my haproxy frontend config from  bind 0.0.0.0:443 transparent
>> to bind 10.0.0.92:443 transparent but now my dnat doesn't work if haproxy
>> is running, if I stop haproxy the traffic gets dnatted fine.
>>
>> I am not sure if I am being very clear in here but basically wanted to
>> know if there is
>> a way to do selective ssl offloading on the haproxy or bypass
>> ssl offloading on the
>> server that sits behind the proxy? This is required so that customers
>> that do not support
>> TLS1.2 and strong ciphers we can still let them connect so actually
>> bypassing
>> the ssl offloading on the proxy.
>>
>> Thanks very much for your time reading this.
>>
>> Regards,
>> Jonathan
>>
>>
> One option that comes to mind for achieving the same without iptables is using
> a whitelist file and two backends: one tcp backend that will just pass
> through the ssl connection to the SSL server and one in http mode that will
> do SSL offloading. Something like:
>
> use_backend be_offload if { src -f /etc/haproxy/whitelist.lst }
> default_backend be_passthrough
>
> or vice-versa depending on your implementation and which list would be
> shorter :-)
>
>
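The error quoted above ("http frontend 'ft_https_demo' ... tries to use incompatible tcp backend 'bk_https_demo_passthrough'") comes from pointing a `mode http` frontend at a `mode tcp` backend: HAProxy refuses the pairing because the frontend would already have parsed HTTP out of a stream the backend is supposed to pass through byte-for-byte. Igor's whitelist idea works once the public frontend stays in `mode tcp` and TLS termination is moved to a second, internal frontend that the "offload" backend reaches over an abstract-namespace socket. The configuration below is an added example for this page, not Jonathan's or Igor's actual config; it reuses the frontend and backend names from the log lines, and the addresses, certificate and CA paths, whitelist path and cipher list are assumptions.

```haproxy
# Added example (not from the thread): selective TLS termination by source
# address without iptables. Addresses, paths and names are assumptions.
global
    log /dev/log local0
    # TLS policy for the terminating listener below (ssl-min-ver needs HAProxy 1.8+).
    ssl-default-bind-options ssl-min-ver TLSv1.2
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Public listener on the secondary address. It is in mode tcp, so nothing is
# decrypted here and both backends below are compatible with it.
frontend ft_https_demo
    mode tcp
    bind 10.0.0.92:443
    option tcplog
    # Wait briefly for the ClientHello so the log (and any later SNI ACL) sees it.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Whitelisted sources (one IP or CIDR per line) get TLS terminated by
    # HAProxy; everyone else is passed through to the origin untouched.
    use_backend bk_https_demo_offload if { src -f /etc/haproxy/whitelist.lst }
    default_backend bk_https_demo_passthrough

# Passthrough: the origin still negotiates TLS with its own (older) settings.
backend bk_https_demo_passthrough
    mode tcp
    server demo1 10.0.1.10:443

# "Offload" does not go to a server at all: it hands the raw TLS stream to the
# internal terminating frontend, carrying the real client address in a PROXY
# protocol v2 header so logs and ACLs there still see the client, not 127.0.0.1.
backend bk_https_demo_offload
    mode tcp
    server term abns@https_demo_term send-proxy-v2

# Internal frontend: terminates TLS with the strong settings from global,
# then talks HTTP to the application backend.
frontend ft_https_demo_term
    mode http
    bind abns@https_demo_term accept-proxy ssl crt /etc/haproxy/certs/demo.pem
    option httplog
    http-request set-header X-Forwarded-Proto https
    default_backend bk_demo_app

backend bk_demo_app
    mode http
    # Re-encrypt to the origin and verify its certificate against a pinned CA;
    # "verify none" would silently accept a spoofed backend.
    server demo1 10.0.1.10:443 ssl verify required ca-file /etc/haproxy/ca.pem
```

Check it with `haproxy -c -f /etc/haproxy/haproxy.cfg`. With this variant HAProxy owns 10.0.0.92:443 for every client, so the PREROUTING DNAT/REDIRECT rules and the `transparent` bind keyword from the earlier messages are not needed. The whitelist file is read when the configuration is parsed, so reload after editing it (or add entries at runtime with `add acl` on the stats socket). Clients on the passthrough side are still negotiating TLS with the origin's old cipher set, so it is the growth of the whitelist, not HAProxy, that reduces that exposure over time.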


Re: HaProxy question

2018-08-12 Thread Jonathan Opperman
Hi Jonathan,

Thanks for the pointer, correcto mode, found the replies in my spam folder.
Appreciate it..

Cheers
Jono

On Sat, 11 Aug 2018, 17:44 Jonathan Matthews, 
wrote:

> Did you miss the two mails from Igor containing suggestions?
>
> Like this email, they went both to the list and directly to yourself.
> Maybe check your spam folder.
>
> J
>
> On Sat, 11 Aug 2018 at 02:28, Jonathan Opperman 
> wrote:
>
>> *bump*
>>
>> Anyone?
>>
>> On Tue, 7 Aug 2018, 11:43 Jonathan Opperman,  wrote:
>>
>>> Hi All,
>>>
>>> I am hoping someone can give me some tips and pointers on getting
>>> something working
>>> in haproxy that could do the following:
>>>
>>> I have installed haproxy and put a web server behind it, the proxy has 2
>>> interfaces,
>>> eth0 (public) and eth1 (proxy internal)
>>>
>>> I've got a requirement where I want to only proxy some source ip
>>> addresses based on
>>> their source address so we can gradually add our customers to haproxy so
>>> that we can
>>> support TLS1.2 and strong ciphers
>>>
>>> I have added an iptables rule and can then bypass haproxy with:
>>>
>>> for ip in $INBOUNDEXCLUSIONS ; do
>>> ipset -N inboundexclusions iphash
>>> ipset -A inboundexclusions $ip
>>> done
>>> $IPTABLES -t nat -N HTTPSINBOUNDBYPASS
>>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j
>>> LOG --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
>>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -d 10.0.0.92 -p tcp
>>> --dport 443 -j DNAT --to $JONODEMO1:443
>>> $IPTABLES -t nat -A PREROUTING -m set ! --match-set
>>> inboundexclusions src -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
>>>
>>> Testing was done and I was happy with the solution, I then had a
>>> requirement
>>> to have a proxy with multiple IP address on eth0 (So created eth0:1
>>> eth0:2) etc
>>> and changed my haproxy frontend config from  bind 0.0.0.0:443
>>> transparent
>>> to bind 10.0.0.92:443 transparent but now my dnat doesn't work if
>>> haproxy
>>> is running, if I stop haproxy the traffic gets dnatted fine.
>>>
>>> I am not sure if I am being very clear in here but basically wanted to
>>> know if there is
>>> a way to do selective ssl offloading on the haproxy or bypass
>>> ssl offloading on the
>>> server that sits behind the proxy? This is required so that customers
>>> that do not support
>>> TLS1.2 and strong ciphers we can still let them connect so actually
>>> bypassing
>>> the ssl offloading on the proxy.
>>>
>>> Thanks very much for your time reading this.
>>>
>>> Regards,
>>> Jonathan
>>>
>>> --
> Jonathan Matthews
> London, UK
> http://www.jpluscplusm.com/contact.html
>


Re: HaProxy question

2018-08-10 Thread Jonathan Opperman
*bump*

Anyone?

On Tue, 7 Aug 2018, 11:43 Jonathan Opperman,  wrote:

> Hi All,
>
> I am hoping someone can give me some tips and pointers on getting
> something working
> in haproxy that could do the following:
>
> I have installed haproxy and put a web server behind it, the proxy has 2
> interfaces,
> eth0 (public) and eth1 (proxy internal)
>
> I've got a requirement where I want to only proxy some source ip addresses
> based on
> their source address so we can gradually add our customers to haproxy so
> that we can
> support TLS1.2 and strong ciphers
>
> I have added an iptables rule and can then bypass haproxy with:
>
> for ip in $INBOUNDEXCLUSIONS ; do
> ipset -N inboundexclusions iphash
> ipset -A inboundexclusions $ip
> done
> $IPTABLES -t nat -N HTTPSINBOUNDBYPASS
> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j LOG
> --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -d 10.0.0.92 -p tcp --dport
> 443 -j DNAT --to $JONODEMO1:443
> $IPTABLES -t nat -A PREROUTING -m set ! --match-set
> inboundexclusions src -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
>
> Testing was done and I was happy with the solution, I then had a
> requirement
> to have a proxy with multiple IP address on eth0 (So created eth0:1
> eth0:2) etc
> and changed my haproxy frontend config from  bind 0.0.0.0:443 transparent
> to bind 10.0.0.92:443 transparent but now my dnat doesn't work if haproxy
> is running, if I stop haproxy the traffic gets dnatted fine.
>
> I am not sure if I am being very clear in here but basically wanted to
> know if there is
> a way to do selective ssl offloading on the haproxy or bypass
> ssl offloading on the
> server that sits behind the proxy? This is required so that customers that
> do not support
> TLS1.2 and strong ciphers we can still let them connect so actually
> bypassing
> the ssl offloading on the proxy.
>
> Thanks very much for your time reading this.
>
> Regards,
> Jonathan
>
>


Re: HaProxy question

2018-08-06 Thread Igor Cicimov
On Tue, Aug 7, 2018 at 10:53 AM, Igor Cicimov <
ig...@encompasscorporation.com> wrote:

> Hi Jonathan,
>
> On Tue, Aug 7, 2018 at 9:43 AM, Jonathan Opperman 
> wrote:
>
>> Hi All,
>>
>> I am hoping someone can give me some tips and pointers on getting
>> something working
>> in haproxy that could do the following:
>>
>> I have installed haproxy and put a web server behind it, the proxy has 2
>> interfaces,
>> eth0 (public) and eth1 (proxy internal)
>>
>> I've got a requirement where I want to only proxy some source ip
>> addresses based on
>> their source address so we can gradually add our customers to haproxy so
>> that we can
>> support TLS1.2 and strong ciphers
>>
>> I have added an iptables rule and can then bypass haproxy with:
>>
>> for ip in $INBOUNDEXCLUSIONS ; do
>> ipset -N inboundexclusions iphash
>> ipset -A inboundexclusions $ip
>> done
>> $IPTABLES -t nat -N HTTPSINBOUNDBYPASS
>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j
>> LOG --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
>>
>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -d
>> 10.0.0.92 -p tcp --dport 443 -j DNAT --to $JONODEMO1:443
>> $IPTABLES -t nat -A PREROUTING -m set ! --match-set
>> inboundexclusions src -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
>>
>> Testing was done and I was happy with the solution, I then had a
>> requirement
>> to have a proxy with multiple IP address on eth0 (So created eth0:1
>> eth0:2) etc
>> and changed my haproxy frontend config from  bind 0.0.0.0:443 transparent
>> to bind 10.0.0.92:443 transparent but now my dnat doesn't work if haproxy
>> is running, if I stop haproxy the traffic gets dnatted fine.
>>
>> I am not sure if I am being very clear in here but basically wanted to
>> know if there is
>> a way to do selective ssl offloading on the haproxy or bypass
>> ssl offloading on the
>> server that sits behind the proxy? This is required so that customers
>> that do not support
>> TLS1.2 and strong ciphers we can still let them connect so actually
>> bypassing
>> the ssl offloading on the proxy.
>>
>> Thanks very much for your time reading this.
>>
>> Regards,
>> Jonathan
>>
>>
> One option that comes to mind for achieving the same without iptables is using
> a whitelist file and two backends: one tcp backend that will just pass
> through the ssl connection to the SSL server and one in http mode that will
> do SSL offloading. Something like:
>
> use_backend be_offload if { src -f /etc/haproxy/whitelist.lst }
> default_backend be_passthrough
>
> or vice-versa depending on your implementation and which list would be
> shorter :-)
>
>
Another idea:

$IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j LOG
--log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
$IPTABLES -t nat -A HTTPSINBOUNDBYPASS -j DNAT --to $JONODEMO1:443
$IPTABLES -t nat -A PREROUTING -m set ! --match-set inboundexclusions src
-i eth0 -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
$IPTABLES -t nat -A PREROUTING -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j
REDIRECT 127.0.2.1:443

then in haproxy:

bind 127.0.2.1:443


Re: HaProxy question

2018-08-06 Thread Igor Cicimov
Hi Jonathan,

On Tue, Aug 7, 2018 at 9:43 AM, Jonathan Opperman 
wrote:

> Hi All,
>
> I am hoping someone can give me some tips and pointers on getting
> something working
> in haproxy that could do the following:
>
> I have installed haproxy and put a web server behind it, the proxy has 2
> interfaces,
> eth0 (public) and eth1 (proxy internal)
>
> I've got a requirement where I want to only proxy some source ip addresses
> based on
> their source address so we can gradually add our customers to haproxy so
> that we can
> support TLS1.2 and strong ciphers
>
> I have added an iptables rule and can then bypass haproxy with:
>
> for ip in $INBOUNDEXCLUSIONS ; do
> ipset -N inboundexclusions iphash
> ipset -A inboundexclusions $ip
> done
> $IPTABLES -t nat -N HTTPSINBOUNDBYPASS
> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j LOG
> --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
>
> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -d
> 10.0.0.92 -p tcp --dport 443 -j DNAT --to $JONODEMO1:443
> $IPTABLES -t nat -A PREROUTING -m set ! --match-set
> inboundexclusions src -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
>
> Testing was done and I was happy with the solution, I then had a
> requirement
> to have a proxy with multiple IP address on eth0 (So created eth0:1
> eth0:2) etc
> and changed my haproxy frontend config from  bind 0.0.0.0:443 transparent
> to bind 10.0.0.92:443 transparent but now my dnat doesn't work if haproxy
> is running, if I stop haproxy the traffic gets dnatted fine.
>
> I am not sure if I am being very clear in here but basically wanted to
> know if there is
> a way to do selective ssl offloading on the haproxy or bypass
> ssl offloading on the
> server that sits behind the proxy? This is required so that customers that
> do not support
> TLS1.2 and strong ciphers we can still let them connect so actually
> bypassing
> the ssl offloading on the proxy.
>
> Thanks very much for your time reading this.
>
> Regards,
> Jonathan
>
>
One option that comes to mind for achieving the same without iptables is using
a whitelist file and two backends: one tcp backend that will just pass
through the ssl connection to the SSL server and one in http mode that will
do SSL offloading. Something like:

use_backend be_offload if { src -f /etc/haproxy/whitelist.lst }
default_backend be_passthrough

or vice-versa depending on your implementation and which list would be
shorter :-)


HaProxy question

2018-08-06 Thread Jonathan Opperman
Hi All,

I am hoping someone can give me some tips and pointers on getting something
working
in haproxy that could do the following:

I have installed haproxy and put a web server behind it, the proxy has 2
interfaces,
eth0 (public) and eth1 (proxy internal)

I've got a requirement where I want to only proxy some source ip addresses
based on
their source address so we can gradually add our customers to haproxy so
that we can
support TLS1.2 and strong ciphers

I have added an iptables rule and can then bypass haproxy with:

# create the set once, then add each source that must keep going through haproxy
ipset -N inboundexclusions iphash
for ip in $INBOUNDEXCLUSIONS ; do
    ipset -A inboundexclusions $ip
done
$IPTABLES -t nat -N HTTPSINBOUNDBYPASS
$IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j LOG \
    --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
$IPTABLES -t nat -A HTTPSINBOUNDBYPASS -d 10.0.0.92 -p tcp --dport 443 \
    -j DNAT --to $JONODEMO1:443
# sources NOT in the set are DNATed straight to the demo server; listed sources reach haproxy
$IPTABLES -t nat -A PREROUTING -m set ! --match-set inboundexclusions src \
    -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS

Testing was done and I was happy with the solution. I then had a requirement
to have a proxy with multiple IP addresses on eth0 (so I created eth0:1, eth0:2,
etc.) and changed my haproxy frontend config from "bind 0.0.0.0:443 transparent"
to "bind 10.0.0.92:443 transparent", but now my DNAT doesn't work if haproxy
is running; if I stop haproxy the traffic gets DNATed fine.

I am not sure if I am being very clear here, but basically I wanted to know
if there is a way to do selective SSL offloading on haproxy, or to bypass
SSL offloading on the server that sits behind the proxy. This is required so
that customers that do not support TLS 1.2 and strong ciphers can still
connect, by actually bypassing the SSL offloading on the proxy.

Thanks very much for your time reading this.

Regards,
Jonathan


Re: HAProxy Question

2014-02-06 Thread Ben Timby
TCP mode load balancing would treat each TCP quad (source ip/source port,
dest ip/dest port), stream, or flow as a session or in other words, the
TCP stream is the basic unit of TCP load balancing.

You can enable the stats http interface and monitor that in your browser
for some useful metrics such as session count etc. There are also tools
such as hatop that will monitor the stats socket (unix domain socket) and
print a summary on the console.

See stats * directives in manual...
http://haproxy.1wt.eu/download/1.5/doc/configuration.txt
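The two monitoring paths Ben mentions, as an added example that is not part of his reply or of the original poster's setup: a configuration that enables the stats page and the runtime socket, locked down so that neither is reachable from the client side. The listener name be_https, the management network 192.168.1.0/24, the socket path and the server addresses are assumptions.

```haproxy
# Added example. Assumes a management address 192.168.1.60, a management
# network 192.168.1.0/24 and two web servers 10.0.0.11/10.0.0.12.

global
    log /dev/log local0
    # Runtime API on a unix socket: "show stat" gives per-server counters,
    # "show sess" the live sessions. level admin can disable servers, so the
    # socket stays root-only (mode 600); hatop reads this same socket.
    stats socket /var/run/haproxy.sock mode 600 level admin
    stats timeout 30s

defaults
    log global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Stats page on the management address only, never on the public VIP.
listen stats
    mode http
    bind 192.168.1.60:8088
    acl mgmt_net src 192.168.1.0/24
    stats enable
    stats uri /admin?stats
    stats refresh 5s
    stats realm HAProxy\ statistics
    stats auth stats:change-me
    # refuse anything not from the management network before asking for
    # credentials, and only hand out the enable/disable buttons there
    stats http-request deny unless mgmt_net
    stats admin if mgmt_net

# The 443 pool from the question: tcp mode, round robin, one log line per
# TCP session naming the client ip:port and the server that received it.
listen be_https
    mode tcp
    bind 0.0.0.0:443
    option tcplog
    balance roundrobin
    server web1 10.0.0.11:443 check
    server web2 10.0.0.12:443 check
```

`echo "show stat" | socat stdio /var/run/haproxy.sock` returns one CSV line per frontend, backend and server; the `scur` column is the current session count and `stot` the total accepted so far, so comparing `stot` for web1 and web2 over time shows whether round robin is spreading the clients, and `show sess` lists every live session with its source ip:port and the server it was sent to. `stats auth` keeps the password in clear text in the configuration file, so the file itself needs to be unreadable to other users.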


HAProxy Question

2014-02-05 Thread Rem Fox
Hello,

I am trying to troubleshoot a technical issue with haproxy.  We are using
a round robin algorithm for both http and tcp 443.  The thing we notice is
that the 443 connections in the logs show multiple tcp ports opening for
the same source IP, as most clients are behind some type of firewall so the
source IP is the same.  haproxy uses multiple ports as well to the real
servers to distinguish sessions.  The question I have is what is the
default behavior of the load balancer for these sessions?  Is each port
call its own session (same ip, different port) and only closed by a tcp
FIN?  Is there a way to look at active sessions in real time so we can
determine that round robin is working properly per client with and without
a sticky mode?

If there is a quick guide in the manual for troubleshooting basics that
would be great.  I could not locate that.

Thanks,
Rem


Re: haproxy question about check

2010-06-04 Thread Willy Tarreau
Hello,

first, there are too many questions for a single mail, it's hard for
list subscribers to find enough time to reply to everything, and it
is likely that you'll only get partial responses.

On Fri, May 21, 2010 at 03:15:54PM +0200, eni-urgence wrote:
> Hello all.
>
> I discovered haproxy a few weeks ago and I want to thank Willy for his
> very good product.

Thanks, but I'm not the only one :-)

> I'm planning to integrate haproxy into our DMZ.
> I want to use haproxy for load balancing heavy secure PHP/AJAX
> applications with cookie persistence: a collaborative scheduler and an
> image consultation extranet.
>
> stunnel will handle HTTPS connections and forward decrypted requests
> to haproxy on port 88. Then haproxy will forward connections to the
> web server on ports 10088, 10089 (and so on) on a mass virtual host
> configuration of Apache (see below).
> In /var/www/vhost-SSL/ on the web server there are some symbolic links
> to the PHP sources. Some domains are not linked to the same path
> because they don't provide the same application, so I don't want to
> have to delete/rename the running.ok file in every path when I want
> to shut down the web server.
> I want to use the httpchk on port 10081 and the file running.ok, but
> I want a soft stop of the service: I want haproxy to stop forwarding
> new connections if it doesn't find the running.ok file but continue
> to forward connections if the cookie is initialised, so I will
> configure a backup server with the same cookies (as said in the
> haproxy documentation).

Now you can proceed more easily : use the http-check disable-on-404
feature. It says that if the server responds 404 to a health check,
then it just doesn't want any new user but those with cookies are still
welcome. That's precisely what you're doing, and was designed exactly
for this usage.

> So now my questions :
> - is it possible to check only the header, like HEAD / HTTP/1.0, for
> the backup server?

Yes and it's even recommended. Haproxy will only care about the HTTP
status code, not the rest. So it's pointless to ask the server to
emit the data.

> - As said in Willy's article (http://1wt.eu/articles/2006_lb/), it
> is good to load balance the encryption/decryption flow too, so a
> haproxy instance in tcp mode (layer 4) seems to be a good solution.
> But our applications have to know the client IP for security reasons.
> I read that a recompiled kernel with tproxy support will forward
> connections keeping the real client IP. Is that true?

Recent linux kernels (>= 2.6.28) integrate the patch. Maybe your
distro was compiled with it enabled and you don't even need to
recompile. However, you should be aware that you have to adjust
the routing on your servers so that the response traffic passes
through haproxy. You can also use LVS for the pure layer 4 LB,
it has the advantage of supporting direct server return since
it basically only changes the destination MAC address of the
packets.

> - I want to manage a multi-site configuration keeping the session
> persistence. How can I manage to do so?

simply use a same cookie name with different values. Have all your
haproxy instances know all the servers. If there are too many servers,
then a different option is possible. Have the cookie name (or value)
indicate what site handles the session, and have all haproxy instances
know about each other and be able to forward traffic to each other.

Example :

frontend site1
    bind :80
    acl is_site1 hdr_sub(cookie) SERVERID=a
    acl is_site2 hdr_sub(cookie) SERVERID=b
    acl is_site3 hdr_sub(cookie) SERVERID=c
    use_backend site2 if is_site2
    use_backend site3 if is_site3
    default_backend local

backend local
    # handles site1's traffic as well as non-site specific traffic
    # all cookies are prefixed with a
    cookie SERVERID
    server srv1 1.0.0.1:80 cookie a1
    server srv2 1.0.0.1:80 cookie a2
    server srv3 1.0.0.1:80 cookie a3

backend site2
    # reroute traffic to site 2's load balancer
    server site2 2.2.2.2:80

backend site3
    # reroute traffic to site 3's load balancer
    server site3 3.3.3.3:80

Hoping this helps,
Willy
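The soft stop Willy describes, as an added example; this is neither eni-urgence's configuration nor Willy's. It assumes the layout from the question (application on 192.168.1.62 ports 10088 and 10089, a check vhost on port 10081 that serves /running.ok as a plain file); server names, cookie mode and timeouts are chosen here.

```haproxy
# Added example. Assumes the web server 192.168.1.62 answers the application
# on 10088/10089 and the health-check vhost on 10081, where /running.ok is
# an ordinary file that the operator renames to drain the box.

defaults
    mode http
    log global
    option httplog
    option forwardfor
    option redispatch
    option http-server-close
    timeout connect 5s
    timeout client  50s
    timeout server  50s

backend webfarm-http-app
    balance roundrobin
    # HEAD is enough: haproxy only looks at the status code of the check
    option httpchk HEAD /running.ok HTTP/1.0
    # 404 on the check = "draining": the server takes no new sessions but
    # still serves clients whose SERVERID cookie points at it (NOLB state).
    # Any other failure (connection refused, 5xx) still marks it DOWN, so
    # no backup servers with duplicated cookie values are needed.
    http-check disable-on-404
    cookie SERVERID insert indirect nocache
    server app1 192.168.1.62:10088 cookie app1 check port 10081 inter 2s rise 2 fall 5
    server app2 192.168.1.62:10089 cookie app2 check port 10081 inter 2s rise 2 fall 5
```

To drain, rename the one file the check vhost serves (`mv /var/www/check/running.ok /var/www/check/running.off`): once a check sees the 404 the stats page shows the server as NOLB, and putting the file back brings it up again after `rise` successful checks. Both servers check the same port on the same host, so one rename drains both, which is what the question asked for; draining them separately would need one check vhost per server. Port 10081 should be reachable from the proxy only, since anything else that can reach it can read the drain state.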




Re: haproxy question about check

2010-06-02 Thread eni-urgence


Hello.

Sorry for the latency of my answer.
Thank you for the trick about the check. I will test it when I have time.

About the multi-site question, I will explain because it's a bit
confusing. I have two agencies at this time: one with 2 WEB/DNS servers
(agency A) and the other with 1 WEB/DNS server (agency B). Agency A has
two WAN lines. My zones are configured with 3 NS records, 2 go to agency
A via different public addresses. My firewall NATs the public addresses to
2 different private addresses (on the DMZ), and using views I adjust the
response. Today, in order to provide service continuity, I start the DNS
server of agency B when the DNS servers of agency A are down. But it's a
waste of power and servers that I want to use now with haproxy.


Have I been clear?

> Hello,
>
> On 05/21/2010 03:15 PM, eni-urgence wrote:
>
> > Hello all.
> >
> > I discovered haproxy a few weeks ago and I want to thank Willy for his
> > very good product.
> >
> > I'm planning to integrate haproxy into our DMZ.
> > I want to use haproxy for load balancing heavy secure PHP/AJAX
> > applications with cookie persistence: a collaborative scheduler and an
> > image consultation extranet.
> >
> > stunnel will handle HTTPS connections and forward decrypted requests
> > to haproxy on port 88. Then haproxy will forward connections to the
> > web server on ports 10088, 10089 (and so on) on a mass virtual host
> > configuration of Apache (see below).
> > In /var/www/vhost-SSL/ on the web server there are some symbolic links
> > to the PHP sources. Some domains are not linked to the same path
> > because they don't provide the same application, so I don't want to
> > have to delete/rename the running.ok file in every path when I want
> > to shut down the web server.
> > I want to use the httpchk on port 10081 and the file running.ok, but
> > I want a soft stop of the service: I want haproxy to stop forwarding
> > new connections if it doesn't find the running.ok file but continue
> > to forward connections if the cookie is initialised, so I will
> > configure a backup server with the same cookies (as said in the
> > haproxy documentation).
>
> Use http-check disable-on-404 for this
>
> > So now my questions :
> >    - is it possible to check only the header, like HEAD / HTTP/1.0,
> > for the backup server?
>
> option httpchk HEAD / HTTP/1.0
>
> >    - As said in Willy's article (http://1wt.eu/articles/2006_lb/), it
> > is good to load balance the encryption/decryption flow too, so a
> > haproxy instance in tcp mode (layer 4) seems to be a good solution.
> > But our applications have to know the client IP for security reasons.
> > I read that a recompiled kernel with tproxy support will forward
> > connections keeping the real client IP. Is that true?
>
> Yes it is, tproxy has been included in mainstream >= 2.6.28 kernels.
> Usage of the X-Forwarded-For header is preferred if you use stunnel.
>
> > - I want to manage a multi-site configuration keeping the session
> > persistence. How can I manage to do so?
>
> I don't understand this question :)
>
> Regards,
>
> Hervé.








haproxy question about check

2010-05-21 Thread eni-urgence

Hello all.

I discovered haproxy a few weeks ago and I want to thank Willy for his very
good product.

I'm planning to integrate haproxy into our DMZ.
I want to use haproxy for load balancing heavy secure PHP/AJAX
applications with cookie persistence: a collaborative scheduler and an
image consultation extranet.


stunnel will handle HTTPS connections and forward decrypted requests
to haproxy on port 88. Then haproxy will forward connections to the web
server on ports 10088, 10089 (and so on) on a mass virtual host
configuration of Apache (see below).
In /var/www/vhost-SSL/ on the web server there are some symbolic links to
the PHP sources. Some domains are not linked to the same path because they
don't provide the same application, so I don't want to have to
delete/rename the running.ok file in every path when I want to shut down
the web server.
I want to use the httpchk on port 10081 and the file running.ok, but I
want a soft stop of the service: I want haproxy to stop forwarding new
connections if it doesn't find the running.ok file but continue to
forward connections if the cookie is initialised, so I will configure a
backup server with the same cookies (as said in the haproxy documentation).


So now my questions :
   - is it possible to check only the header, like HEAD / HTTP/1.0, for
the backup server?
   - As said in Willy's article (http://1wt.eu/articles/2006_lb/), it is
good to load balance the encryption/decryption flow too, so a haproxy
instance in tcp mode (layer 4) seems to be a good solution. But our
applications have to know the client IP for security reasons. I read that
a recompiled kernel with tproxy support will forward connections keeping
the real client IP. Is that true?
   - I want to manage a multi-site configuration keeping the session
persistence. How can I manage to do so?


haproxy configuration (it's a test configuration file; I think some
variables are not well valued):


defaults
    log global
    mode http
    option httplog
    retries 3
    option redispatch
    maxconn 2000
    contimeout 5000
    clitimeout 5
    srvtimeout 5
    stats enable
    option forwardfor
    balance roundrobin
    option httpchk HEAD /running.ok HTTP/1.0
    option http-server-close

listen private-admin_stats 192.168.1.60:8088
    mode http
    stats uri /admin?stats
    stats realm Global\ statistics
    stats auth stats:stats84

frontend public-http-app
    bind 192.168.1.62:88
    reqadd sce_proxy:\ lbl0101
    reqadd sceproxy_secure:\ https
    capture request header Location len 80
    capture response header Location len 80
    capture response header Server len 20
    default_backend webfarm-http-app

backend webfarm-http-app
    cookie SERVERID prefix nocache
    # health checks go to the check vhost on 10081, traffic to 10088/10089
    server lbl0101-app1 192.168.1.62:10088 check port 10081 inter 2000 rise 2 fall 5 weight 8 cookie lbl0101-app
    server lbl0101-app1-bck 192.168.1.62:10088 check inter 2000 rise 2 fall 5 cookie lbl0101-app backup
    server lbl0101-app2 192.168.1.62:10089 check port 10081 inter 2000 rise 2 fall 5 cookie lbl0101-app2
    server lbl0101-app2-bck 192.168.1.62:10089 check inter 2000 rise 2 fall 5 cookie lbl0101-app2 backup




NameVirtualHost apache configuration :

NameVirtualHost 192.168.1.62:10081
<VirtualHost 192.168.1.62:10081>
   UseCanonicalName Off
   ServerName *
   VirtualDocumentRoot /var/www/vhosts-SSL/%0
   VirtualScriptAlias /var/www/vhosts/%0/cgi-bin/
   DirectoryIndex index.html index.htm index.shtml index.php
   HostNameLookups off
   #CustomLog logs/ssl_access_log vcommon
   #CustomLog /var/log/httpd/access_log cawstats
</VirtualHost>

NameVirtualHost 192.168.1.62:10088
<VirtualHost 192.168.1.62:10088>
   UseCanonicalName Off
   ServerName *
   VirtualDocumentRoot /var/www/vhosts-SSL/%0
   VirtualScriptAlias /var/www/vhosts/%0/cgi-bin/
   DirectoryIndex index.html index.htm index.shtml index.php
   HostNameLookups off
   #CustomLog logs/ssl_access_log vcommon
   #CustomLog /var/log/httpd/access_log cawstats
</VirtualHost>

NameVirtualHost 192.168.1.62:10089
<VirtualHost 192.168.1.62:10089>
   UseCanonicalName Off
   ServerName *
   VirtualDocumentRoot /var/www/vhosts-SSL/%0
   VirtualScriptAlias /var/www/vhosts/%0/cgi-bin/
   DirectoryIndex index.html index.htm index.shtml index.php
   HostNameLookups off
   #CustomLog logs/ssl_access_log vcommon
   #CustomLog /var/log/httpd/access_log cawstats
</VirtualHost>

Some examples of the links in /var/www/vhosts-SSL :

192.168.1.62 -> /var/www/check (this is where the file running.ok will be)
secure.myfirstdomain.com -> /var/www/html/myfirstdomain.com
secure1.myfirstdomain.com -> /var/www/html/myfirstdomain.com
secure.myseconddomain.com -> /var/www/html/myfseconddomain.com
secure.myfthirddomain.com -> 

Re: haproxy question about check

2010-05-21 Thread Hervé COMMOWICK

Hello,

On 05/21/2010 03:15 PM, eni-urgence wrote:

> Hello all.
>
> I discovered haproxy a few weeks ago and I want to thank Willy for his
> very good product.
>
> I'm planning to integrate haproxy into our DMZ.
> I want to use haproxy for load balancing heavy secure PHP/AJAX
> applications with cookie persistence: a collaborative scheduler and an
> image consultation extranet.
>
> stunnel will handle HTTPS connections and forward decrypted requests
> to haproxy on port 88. Then haproxy will forward connections to the
> web server on ports 10088, 10089 (and so on) on a mass virtual host
> configuration of Apache (see below).
> In /var/www/vhost-SSL/ on the web server there are some symbolic links
> to the PHP sources. Some domains are not linked to the same path
> because they don't provide the same application, so I don't want to
> have to delete/rename the running.ok file in every path when I want
> to shut down the web server.
> I want to use the httpchk on port 10081 and the file running.ok, but
> I want a soft stop of the service: I want haproxy to stop forwarding
> new connections if it doesn't find the running.ok file but continue
> to forward connections if the cookie is initialised, so I will
> configure a backup server with the same cookies (as said in the
> haproxy documentation).

Use http-check disable-on-404 for this

> So now my questions :
>    - is it possible to check only the header, like HEAD / HTTP/1.0,
> for the backup server?

option httpchk HEAD / HTTP/1.0

>    - As said in Willy's article (http://1wt.eu/articles/2006_lb/), it
> is good to load balance the encryption/decryption flow too, so a
> haproxy instance in tcp mode (layer 4) seems to be a good solution.
> But our applications have to know the client IP for security reasons.
> I read that a recompiled kernel with tproxy support will forward
> connections keeping the real client IP. Is that true?

Yes it is, tproxy has been included in mainstream >= 2.6.28 kernels.
Usage of the X-Forwarded-For header is preferred if you use stunnel.

> - I want to manage a multi-site configuration keeping the session
> persistence. How can I manage to do so?

I don't understand this question :)

Regards,

Hervé.




Re: MySQL + Haproxy Question

2009-10-25 Thread XANi
Hi
On Sat, 24 Oct 2009 19:25:36 -0400, Joseph Hardeman
jharde...@colocube.com wrote:
> Hi Mariusz
>
> That's actually what I thought, but I wanted to ask to be sure. *S*  I
> am going to look into that solution again; the last time I tried it,
> many months ago now, I couldn't get it to work right and I would have
> to replace all of the libmysql* .so files on my web servers.
If your app doesn't have a huge number of SQL query types you might want to
just rewrite parts of it; as they said in the mysqlproxy docs, it's only an
experimental feature.

Regards
Mariusz
-- 
Mariusz Gronczewski (XANi) xani...@gmail.com
GnuPG: 0xEA8ACE64
http://devrandom.pl





MySQL + Haproxy Question

2009-10-24 Thread Joseph Hardeman

Hey Guys,

I was wondering if there was a way to have Haproxy handle mysql 
requests.  I know that I can use the TCP option instead of HTTP and it 
will work, but I was wondering if anyone has a way to make haproxy send 
all requests for Select statements to a set of servers and all Insert, 
Updates, and Deletes to a master MySQL server.


I was just thinking about it and was wondering if this was possible and 
if anyone has done it.  If you have would you be willing to share how 
your setup is.


Thanks

Joe

--
This message has been scanned for viruses by Colocube's AV Scanner




Re: MySQL + Haproxy Question

2009-10-24 Thread XANi
Hi
On Sat, 24 Oct 2009 16:01:26 -0400, Joseph Hardeman
jharde...@colocube.com wrote:
> Hey Guys,
>
> I was wondering if there was a way to have Haproxy handle mysql
> requests.  I know that I can use the TCP option instead of HTTP and
> it will work, but I was wondering if anyone has a way to make haproxy
> send all requests for Select statements to a set of servers and all
> Insert, Updates, and Deletes to a master MySQL server.
>
> I was just thinking about it and was wondering if this was possible
> and if anyone has done it.  If you have would you be willing to share
> how your setup is.
You can't do that; you either have to use something like
http://forge.mysql.com/wiki/MySQL_Proxy_RW_Splitting
or (better) rewrite your app to split write and read requests.

Regards
Mariusz
-- 
Mariusz Gronczewski (XANi) xani...@gmail.com
GnuPG: 0xEA8ACE64
http://devrandom.pl





Re: MySQL + Haproxy Question

2009-10-24 Thread Joseph Hardeman

Hi Mariusz

Thats actually what I thought, but I wanted to ask to be sure. *S*  I am 
going to look into that solution again, the last time I tried it, many 
months ago now, I couldn't get it to work right and I would have to 
replace all of the libmysql* so files on my web servers. 


Thanks for the reply.

Joe

XANi wrote:

> Hi
> On Sat, 24 Oct 2009 16:01:26 -0400, Joseph Hardeman
> jharde...@colocube.com wrote:
>
> > Hey Guys,
> >
> > I was wondering if there was a way to have Haproxy handle mysql
> > requests.  I know that I can use the TCP option instead of HTTP and
> > it will work, but I was wondering if anyone has a way to make haproxy
> > send all requests for Select statements to a set of servers and all
> > Insert, Updates, and Deletes to a master MySQL server.
> >
> > I was just thinking about it and was wondering if this was possible
> > and if anyone has done it.  If you have would you be willing to share
> > how your setup is.
>
> You can't do that; you either have to use something like
> http://forge.mysql.com/wiki/MySQL_Proxy_RW_Splitting
> or (better) rewrite your app to split write and read requests.
>
> Regards
> Mariusz





Re: MySQL + Haproxy Question

2009-10-24 Thread Krzysztof Oledzki



On Sat, 24 Oct 2009, Joseph Hardeman wrote:

> Hey Guys,

Hi,

> I was wondering if there was a way to have Haproxy handle mysql requests.  I
> know that I can use the TCP option instead of HTTP and it will work, but I
> was wondering if anyone has a way to make haproxy send all requests for
> Select statements to a set of servers and all Insert, Updates, and Deletes to
> a master MySQL server.
>
> I was just thinking about it and was wondering if this was possible and if
> anyone has done it.  If you have would you be willing to share how your setup
> is.


Currently, there is no MySQL support in HAProxy. However, you should try
MySQL_Proxy:
 http://forge.mysql.com/wiki/MySQL_Proxy

Best regards,

Krzysztof Olędzki
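Since the replies point at splitting reads from writes in the application rather than in the proxy, here is an added example (not from the thread) of what the proxy side of that split looks like: two TCP listeners, one per role, so the application picks the role by port and haproxy never has to look inside the MySQL protocol. The addresses (proxy 10.0.1.5, master 10.0.1.10, replicas 10.0.1.11 and 10.0.1.12) and the check account name are assumptions, and `option mysql-check` postdates this 2009 thread (it appeared in HAProxy 1.4).

```haproxy
# Added example. Assumed: haproxy listens on 10.0.1.5, the master is
# 10.0.1.10, the replicas 10.0.1.11 and 10.0.1.12; the application connects
# to :3306 for anything that writes and to :3307 for reads.

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    # long-lived connections from the application's connection pool
    timeout client  10m
    timeout server  10m

# Writes: a single master, deliberately without a backup server. Promoting a
# replica is a replication decision, not something to trigger from a failed
# health check.
listen mysql_write
    bind 10.0.1.5:3306
    # mysql-check completes a real handshake as this user and quits cleanly,
    # so the checks are not counted as aborted connections by the server.
    # The account must exist for the proxy's address with no password and no
    # privileges beyond USAGE, e.g.  CREATE USER 'haproxy_check'@'10.0.1.5';
    option mysql-check user haproxy_check
    server master 10.0.1.10:3306 check

# Reads: the replicas, least connections, with the master as last resort.
listen mysql_read
    bind 10.0.1.5:3307
    balance leastconn
    option mysql-check user haproxy_check
    server replica1 10.0.1.11:3306 check
    server replica2 10.0.1.12:3306 check
    server master   10.0.1.10:3306 check backup
```

A plain `check` without mysql-check only opens and closes the TCP port; MySQL counts those as failed connection attempts and, once max_connect_errors is reached, blocks the proxy's host, which is why the handshake-level check is used. The application still has to send every statement that writes, and every read that must see its own writes, to port 3306; at layer 4 the proxy cannot tell a SELECT from an UPDATE, which is the limitation Krzysztof and Mariusz describe.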