Re: Need help with HAProxy configuration mixed content http and https
Thanks Baptiste,

Let me give this a try.

On May 21, 2015, at 5:26 AM, Baptiste bed...@gmail.com wrote:

It seems your client gets connected using HTTPS on the HTTP port of haproxy. You must make your application aware that SSL offloading is being performed by a device in front of it.

Some hints: http://blog.haproxy.com/2013/02/26/ssl-offloading-impact-on-web-applications/

Baptiste

On Wed, May 20, 2015 at 9:41 AM, Tu Nguyen nguyenhongtu...@gmail.com wrote:

Hi Baptiste,

This is all my configuration. be_game5_http is be_host01_http, I changed it because of sensitive reason. I’m sorry if it made you confused!

Here is haproxy log:

    # this log generated when I visit host01.vn
    May 20 14:21:36 localhost haproxy[22380]: 123.30.173.99:41879 [20/May/2015:14:21:36.235] fe_http be_host01_http/HOST_9 0/0/0/6/7 200 12764 - - 1/1/0/1/0 0/0 GET / HTTP/1.1
    May 20 14:21:36 localhost haproxy[22380]: 123.30.173.99:41879 [20/May/2015:14:21:36.242] fe_http be_host01_http/HOST_10 290/0/0/1/291 304 348 - - 1/1/0/1/0 0/0 GET /static/css/fancybox/jquery.fancybox-1.3.4.css HTTP/1.1
    May 20 14:21:36 localhost haproxy[22380]: 123.30.173.99:41879 [20/May/2015:14:21:36.534] fe_http be_host01_http/HOST_9 39/0/0/1/40 304 349 - - 2/2/0/1/0 0/0 GET /static/js/default/jquery-1.8.3.min.js HTTP/1.1
    May 20 14:21:36 localhost haproxy[22380]: 123.30.173.99:41879 [20/May/2015:14:21:36.574] fe_http be_host01_http/HOST_10 82/0/1/0/83 304 348 - - 2/2/0/1/0 0/0 GET /static/js/fancybox/jquery.fancybox-1.3.4.min.js HTTP/1.1

    # this log generated when I visit https://host01.vn
    May 20 14:21:56 localhost haproxy[22380]: 123.30.173.99:32217 [20/May/2015:14:21:36.568] fe_http fe_http/NOSRV -1/-1/-1/-1/19768 400 0 - - CR-- 1/1/0/0/0 0/0 BADREQ

There are some images when I visit host01.vn, with tcp mode, it works: qq2015052...@2x.png

With mode http, it doesn’t work: qq2015052...@2x.png

Thanks and Best regards,
Tu Nguyen,

On May 20, 2015, at 1:56 PM, Baptiste bed...@gmail.com wrote:

On Wed, May 20, 2015 at 6:49 AM, Tu Nguyen nguyenhongtu...@gmail.com wrote:

Hello,

I’m new to HAProxy. I’m trying to set up HA to handle mixed content site (http and https). My site runs on http except login box which needs https. When I apply the configure with mode tcp, everything is fine. But I cannot modify header, which I need to identify user’s real IP. So I want to use mode http and when I do that, the content of login box does not appear (all css, static files cannot be loaded).

Could you please tell me if anyway to fix this problem or HAProxy does not support this yet?

This is my HAProxy config, below:

    ##
    # HAPROXY 1.5.12
    ##
    global
        daemon
        user haproxy
        group haproxy
        chroot /home/haproxy
        maxconn 1
        stats socket /tmp/haproxy
        pidfile /var/run/haproxy.pid
        log 127.0.0.1 local1
        tune.ssl.default-dh-param 2048

    defaults
        #mode http
        retries 3
        option redispatch
        timeout connect 5ms
        timeout client 5ms
        timeout server 5ms
        errorfile 400 /prefix/haproxy/errors/400.http
        errorfile 403 /prefix/haproxy/errors/403.http
        errorfile 408 /dev/null
        errorfile 500 /prefix/haproxy/errors/500.http
        errorfile 502 /prefix/haproxy/errors/502.http
        errorfile 503 /prefix/haproxy/errors/503.http
        errorfile 504 /prefix/haproxy/errors/504.http

    # FRONTEND
    frontend fe_https
        bind *:443 ssl crt /prefix/haproxy/ca/domain01.pem
        mode http
        option httpclose
        option forwardfor
        acl ssl_host01.vn hdr(host) -i host01.vn www.host01.vn
        use_backend be_host01_https if ssl_host01.vn

    frontend fe_http
        bind *:80
        log global
        mode http
        option httplog
        option forwardfor
        acl host01.vn hdr(host) -i host01.vn www.host01.vn
        use_backend be_host01_http if host01.vn

    # BACKEND
    backend be_host01_https
        mode http
        option httplog
        option forwardfor
        log global
        balance roundrobin
        server SSL_HOST_1 10.0.0.1:80 check
        server SSL_HOST_2 10.0.0.2:80 check

    backend be_host01_http
        mode http
        log global
        balance roundrobin
        server HOST_9 10.0.0.1:80 check
        server HOST_10 10.0.0.2:80 check
    ## END

Thanks in advance,
Tu Nguyen,

Hi Tu,

Could you share also logs generated by HAProxy when trying to access login page? Also, your HTTP frontend points to a backend whose name is be_game5_http. Could you confirm this is a
Re: Need help with HAProxy configuration mixed content http and https
On Wed, May 20, 2015 at 6:49 AM, Tu Nguyen nguyenhongtu...@gmail.com wrote:

Hello,

I’m new to HAProxy. I’m trying to set up HA to handle mixed content site (http and https). My site runs on http except login box which needs https. When I apply the configure with mode tcp, everything is fine. But I cannot modify header, which I need to identify user’s real IP. So I want to use mode http and when I do that, the content of login box does not appear (all css, static files cannot be loaded).

Could you please tell me if anyway to fix this problem or HAProxy does not support this yet?

This is my HAProxy config, below:

    ##
    # HAPROXY 1.5.12
    ##
    global
        daemon
        user haproxy
        group haproxy
        chroot /home/haproxy
        maxconn 1
        stats socket /tmp/haproxy
        pidfile /var/run/haproxy.pid
        log 127.0.0.1 local1
        tune.ssl.default-dh-param 2048

    defaults
        #mode http
        retries 3
        option redispatch
        timeout connect 5ms
        timeout client 5ms
        timeout server 5ms
        errorfile 400 /prefix/haproxy/errors/400.http
        errorfile 403 /prefix/haproxy/errors/403.http
        errorfile 408 /dev/null
        errorfile 500 /prefix/haproxy/errors/500.http
        errorfile 502 /prefix/haproxy/errors/502.http
        errorfile 503 /prefix/haproxy/errors/503.http
        errorfile 504 /prefix/haproxy/errors/504.http

    # FRONTEND
    frontend fe_https
        bind *:443 ssl crt /prefix/haproxy/ca/domain01.pem
        mode http
        option httpclose
        option forwardfor
        acl ssl_host01.vn hdr(host) -i host01.vn www.host01.vn
        use_backend be_host01_https if ssl_host01.vn

    frontend fe_http
        bind *:80
        log global
        mode http
        option httplog
        option forwardfor
        acl host01.vn hdr(host) -i host01.vn www.host01.vn
        use_backend be_game5_http if host01.vn

    # BACKEND
    backend be_host01_https
        mode http
        option httplog
        option forwardfor
        log global
        balance roundrobin
        server SSL_HOST_1 10.0.0.1:80 check
        server SSL_HOST_2 10.0.0.2:80 check

    backend be_host01_http
        mode http
        log global
        balance roundrobin
        server HOST_9 10.0.0.1:80 check
        server HOST_10 10.0.0.2:80 check
    ## END

Thanks in advance,
Tu Nguyen,

Hi Tu,

Could you share also logs generated by HAProxy when trying to access login page? Also, your HTTP frontend points to a backend whose name is be_game5_http. Could you confirm this is a typo or you did not forward all your configuration?

Baptiste
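An added example, not part of the original thread: a Python filter for HAProxy `option httplog` lines that picks out sessions like the `fe_http/NOSRV ... 400 ... CR-- ... BADREQ` entry quoted in this thread, which Baptiste attributes to a client speaking HTTPS to the plain HTTP port. The sample lines and their 203.0.113.x addresses are constructed, the function names are illustrative, and captured-header fields (`{...}`) are assumed to be absent from the log format.

```python
import re
from collections import Counter

# Fields of an "option httplog" line after the syslog prefix. NOSRV/BADREQ are
# accepted with or without <>, since mail archives tend to strip the brackets.
HTTPLOG = re.compile(
    r'haproxy\[\d+\]: (?P<client>\S+):(?P<cport>\d+) \[(?P<accepted>[^\]]+)\] '
    r'(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<timers>[-+\d]+(?:/[-+\d]+){4}) (?P<status>-?\d+) (?P<bytes>\+?\d+) '
    r'\S+ \S+ (?P<term>\S{4}) [+\d]+(?:/[+\d]+){4} \d+/\d+ '
    r'"?(?P<request>[^"]*?)"?\s*$'
)

# First two termination-state characters when the session ended while HAProxy
# was still waiting for a complete, valid request (second character "R").
REQUEST_PHASE = {
    "CR": "client aborted before sending a full HTTP request",
    "cR": "client timed out before sending a full HTTP request",
    "PR": "proxy rejected the request as invalid HTTP",
}

def parse(line):
    """Return the named fields of one httplog line, or None if it does not match."""
    match = HTTPLOG.search(line)
    return match.groupdict() if match else None

def never_routed(entry):
    """True when the session ended in the frontend without a parsable request."""
    return (entry["server"].strip("<>") == "NOSRV"
            and entry["request"].strip("<>") == "BADREQ"
            and entry["term"][:2] in REQUEST_PHASE)

def report(lines):
    """Count never-routed sessions per (frontend, reason)."""
    hits = Counter()
    for line in lines:
        entry = parse(line)
        if entry and never_routed(entry):
            hits[(entry["frontend"], REQUEST_PHASE[entry["term"][:2]])] += 1
    return hits

# Constructed sample lines (documentation addresses), not taken from the thread.
PREFIX = "May 20 14:21:36 localhost haproxy[4242]: "
SAMPLE = [
    PREFIX + '203.0.113.7:41879 [20/May/2015:14:21:36.235] fe_http be_web/HOST_9 0/0/0/6/7 200 12764 - - ---- 1/1/0/1/0 0/0 "GET / HTTP/1.1"',
    PREFIX + '203.0.113.7:32217 [20/May/2015:14:21:36.568] fe_http fe_http/<NOSRV> -1/-1/-1/-1/19768 400 0 - - CR-- 1/1/0/0/0 0/0 "<BADREQ>"',
    PREFIX + '203.0.113.9:50112 [20/May/2015:14:21:40.101] fe_http fe_http/NOSRV -1/-1/-1/-1/2 400 187 - - PR-- 1/1/0/0/0 0/0 BADREQ',
]

if __name__ == "__main__":
    for (frontend, reason), count in report(SAMPLE).items():
        print(frontend, count, reason)
```

A steady count of these on the port 80 frontend, alongside clean entries for the same clients, points at links or redirects that send `https://` traffic to the wrong listener rather than at a backend fault.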
RE: Need help with haproxy config
Hi Jeffrey,

Below is my haproxy config, I have 1 server and 1 backend for testing

This is a Wt wthttpd app, with no Apache loaded,

Problem I have is that the path to the app seems to change when running from port 80 or haproxy, meaning I lost all my style sheets and resources, not sure what the path is at this point. if I pull the site up with the port address mad-news.net:8060/ww/en/, the path is fine,

We don't know your app, we cannot possibly tell what's happening here.

You need to track and troubleshoot this down to a single HTTP request to understand the problem. If, and only if you have the exact description of what is happening on the HTTP level, then we can probably tell you what you need to fix in your configuration.

Also it crashes after running a while, I have monit loaded, so eventually (minute or two) it will restart,

What's crashing? HAProxy? Post the output of haproxy -vv then and provide a coredump or a gdb backtrace [1].

Regards,
Lukas

[1] http://www.cyberciti.biz/tips/linux-core-dumps.html
Re: Need help with HAProxy
Could this be related to the number of concurrent connections being run? maxconn 1024 under global seems quite low, and if your servers are holding connections open due to responding slowly could this be the cause?

Chris

On 13/01/2012 03:37, John Lauro wrote:

If the refused connection concerns you, and you can't avoid starting haproxy, one option is to put up a firewall rule to block syn packets while haproxy reloads, and then unblock. That way clients will retry the connection in about 3 seconds instead of being refused.
RE: Need help with HAProxy
There is a brief time between the switchover from the old process to the new where new connections can not be accepted. Better to mark the backend servers down without switching processes. (Several ways to do that).

If the refused connection concerns you, and you can't avoid starting haproxy, one option is to put up a firewall rule to block syn packets while haproxy reloads, and then unblock. That way clients will retry the connection in about 3 seconds instead of being refused.

From: Mahawar, Manisha (contractor) [mailto:manisha.maha...@twc-contractor.com]
Sent: Thursday, January 12, 2012 5:03 PM
To: haproxy@formilux.org
Subject: Need help with HAProxy

I am using HAProxy on RedHat 5.5 and have below configuration.

    global
        daemon
        maxconn 1024
        log 127.0.0.1 local1 info

    defaults
        log global
        balance roundrobin
        mode http
        retries 3
        option redispatch
        timeout connect 30ms
        timeout client 30ms
        timeout server 30ms

    listen epgs
        bind *:80
        server server1 127.0.0.1:8080 maxconn 1 check
        server server2 epg.local.com:8080 maxconn 1 check
        stats uri /stats

I started firing 5000 request to HAProxy using JMeter. While JMeter is firing the request I removed the server2 from configuration file and fired haproxy -f /etc/haproxy.cfg -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid) command. I noticed 2 connection refused errors in JMeter log.

    2012/01/11 03:31:31 ERROR - jmeter.protocol.http.sampler.HTTPJavaImpl: readResponse: java.net.ConnectException: Connection refused
    2012/01/11 03:31:31 ERROR - jmeter.protocol.http.sampler.HTTPJavaImpl: readResponse: java.net.ConnectException: Connection refused
    2012/01/11 03:31:31 ERROR - jmeter.protocol.http.sampler.HTTPJavaImpl: Cause: java.net.ConnectException: Connection refused
    2012/01/11 03:31:31 ERROR - jmeter.protocol.http.sampler.HTTPJavaImpl: Cause: java.net.ConnectException: Connection refused

Do you know which configuration I should use to make HAProxy not drop any request and am I verifying it correctly too?
Thanks for your help in advance.

Manisha
Re: Need Help on HAProxy Load Balancing
Hi,

On Sat, Oct 16, 2010 at 10:01:22AM +0530, Sivaprakash wrote:

Thanks a lot !! Could you please suggest good design for Read - Only data base load balancing using HAProxy.

The only reasonable use of a load balancer in front of a database is for fail-over purposes, so that you only use one node at a time. There is a very good article on the subject here : http://www.alexwilliams.ca/blog/2009/08/10/using-haproxy-for-mysql-failover-and-redundancy/

Concerning haproxy on Windows, some people managed to get it to work, but the performance was terribly low, with a limit on a very small number of concurrent connections (about 500). It was OK for running as a debugging tool, but not for anything close to production.

Regards,
Willy