Re: cQ session termination

2010-01-08 Thread Bryan Talbot
wrote: On Fri, Jan 08, 2010 at 12:13:37PM -0800, Bryan Talbot wrote: I'm trying to understand exactly what this termination state means. I'm seeing http connections from clients that seem to be complete and queued. These requests seem to be timing out from the queue well before the timeout

Re: Binding by Hostname

2010-04-21 Thread Bryan Talbot
On Apr 21, 2010, at Apr 21, 3:05 AM, Laurie Young wrote: Unfortunately I am still no closer to knowing if HAProxy can do this :-( I don't think you can bind frontends using name-based virtual hosts like it seems you're attempting to do. If you want to do that, you'll need to use

Re: precedence of if conditions

2010-06-30 Thread Bryan Talbot
See section 7.7: AND is implicit. 7.7. Using ACLs to form conditions -- Some actions are only performed upon a valid condition. A condition is a combination of ACLs with operators. 3 operators are supported : - AND (implicit) - OR (explicit with the or

clarification of CD termination code

2010-07-28 Thread Bryan Talbot
I'm trying to figure out what _exactly_ the CD termination code means. The docs say: CD The client unexpectedly aborted during data transfer. This can be caused by a browser crash, by an intermediate equipment between the client and haproxy which decided to actively

Re: Support for SSL

2010-11-19 Thread Bryan Talbot
Here's an interesting blog post by a Google engineer about how they rolled out SSL for many of their services with very little additional CPU and network overhead. Specifically, he claims that On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB

Re: hot reconfiguration, how to?

2010-12-08 Thread Bryan Talbot
See the architecture doc section 4.3 http://haproxy.1wt.eu/download/1.3/doc/architecture.txt -Bryan On Wed, Dec 8, 2010 at 12:51 PM, Joshua N Pritikin jos...@paloalto.com wrote: I found:

Re: HAProxy Cookie/Host Forwarding

2010-12-10 Thread Bryan Talbot
I do something similar using a config that is pretty much like what you've shown. What doesn't work about the config you've shown? -Bryan On Fri, Dec 10, 2010 at 9:05 AM, Anthony Saenz antho...@consumertrack.com wrote: Hi, Don't mean to bug but did anyone get a chance to possibly look at

Re: HAProxy Cookie/Host Forwarding

2010-12-10 Thread Bryan Talbot
example.com:80 http://example.com/ On Fri, Dec 10, 2010 at 10:18 AM, Bryan Talbot btal...@aeriagames.com wrote: I do something similar using a config that is pretty much like what you've shown. What doesn't work about the config you've shown? -Bryan On Fri, Dec 10, 2010 at 9:05 AM, Anthony Saenz

Re: SSLTunnel + HAProxy: advice about hardware minimum requirements

2010-12-21 Thread Bryan Talbot
If you're concerned about the SSL handing of your setup, the openssl command line tool includes some simple tools that can run rudimentary tests and benchmarks. One simple command to make 30 seconds of serial requests using both new and resumed (if you support it) SSL sessions would be: $

logging to unix socket

2010-12-29 Thread Bryan Talbot
I'm trying to configure haproxy to log to a unix socket but keep getting alerts to stderr when the proxy is started, restarted or reloaded. Other than these alert messages, logging to the socket seems to be working just fine. The message is repeated about 20 times. What am I doing wrong?

Re: logging to unix socket

2010-12-30 Thread Bryan Talbot
/max_dgram_qlen 1000 -Bryan On Thu, Dec 30, 2010 at 7:31 AM, Willy Tarreau w...@1wt.eu wrote: Hi Bryan, On Wed, Dec 29, 2010 at 05:09:12PM -0800, Bryan Talbot wrote: I'm trying to configure haproxy to log to a unix socket but keep getting alerts to stderr when the proxy is started, restarted

Re: logging to unix socket

2010-12-30 Thread Bryan Talbot
, Bryan Talbot btal...@aeriagames.com wrote: Yeah, I forgot to mention that I am running haproxy 1.4.10 on CentOS 5.5 with a 2.6.18-194.26.1.el5 kernel. host:~# cat /proc/sys/net/unix/max_dgram_qlen 10 The system is idle and not handling any traffic. I set max_dgram_qlen to 1000 but the problem

Re: precedence of if conditions (again)

2011-01-07 Thread Bryan Talbot
Doesn't this work? ... if A B1 or A B2 or A B3 or A B4 -Bryan On Fri, Jan 7, 2011 at 7:16 AM, Hank A. Paulson h...@spamproof.nospammail.net wrote: On 6/30/10 9:50 PM, Willy Tarreau wrote: On Wed, Jun 30, 2010 at 08:53:19PM -0700, Bryan Talbot wrote: See section 7.7: AND is implicit

Re: Acl url_sub doesn't seems to match

2011-01-12 Thread Bryan Talbot
I think the problem is that url_dom operates on the URL found in the request line but in your case, that URL is a relative URI (/) which does not contain a host name. I think if you use hdr_dom(Host) it'll do what you want. -Bryan On Wed, Jan 12, 2011 at 8:39 AM, Contact Dowhile

Re: reqrep only in case no server available?

2011-02-03 Thread Bryan Talbot
On Thu, Feb 3, 2011 at 5:44 AM, Raphael Bauduin rbli...@gmail.com wrote:  server mainappserver 10.12.13.127:80 weight 16 maxconn 16 check inter 10s  acl maintenance_mode nbsrv eq 0  reqrep ^([^\ ]*)\ /([^\ ]*)\ (.*)     \1\ /\ \3 if maintenance_mode  server static-backup 10.12.13.14:2001

does http-server-close close idle client sockets when needed?

2011-02-14 Thread Bryan Talbot
I can't find in the documentation anything about how haproxy handles client keep-alive (using http-server-close) when the maximum number of client connections has been reached. If there are idle client connections, will the proxy close them to allow new connections to be established? Or, will

balance url_param with POST

2011-02-24 Thread Bryan Talbot
I'm not sure I understand how the url_param option for balance is supposed to work. From reading the description, it sounded like it might work for both GET and POST methods when either method includes a query string section in the URI. However, that doesn't seem to be working as I expected with

Re: balance url_param with POST

2011-02-25 Thread Bryan Talbot
with proxy-caches. Why limit balance url_param to only work with GET? Why not allow it to work with any method that contains a URI? -Bryan On Thu, Feb 24, 2011 at 11:12 AM, Bryan Talbot btal...@aeriagames.com wrote: I'm not sure I understand how the url_param option for balance is supposed to work

Re: balance url_param with POST

2011-02-25 Thread Bryan Talbot
not contain a ''. I believe this should check for the existence of a '?' instead. If this is the case, then I think there is a documentation bug as well since the first line for url_param claims it only works for GET. -Bryan On Fri, Feb 25, 2011 at 12:46 PM, Bryan Talbot btal...@aeriagames.com

Re: balance url_param with POST

2011-02-28 Thread Bryan Talbot
to the end since there is no support for substitution groups. Any pointers? -Bryan On Fri, Feb 25, 2011 at 11:57 PM, Willy Tarreau w...@1wt.eu wrote: Hi Bryan, On Fri, Feb 25, 2011 at 11:40:00PM -0800, Bryan Talbot wrote: Maybe this is the problem?  Line 548 of backend.c from 1.4.11

Re: balance url_param with POST

2011-03-01 Thread Bryan Talbot
I'm not seeing how to use reqrep to alter a POST uri by appending a 'a=1' parameter to the end since there is no support for substitution groups.  Any pointers? We can't modify the contents of a POST request but we can indeed alter the URI. And yes it does support substitution groups. For

admin socket 1.4.x crash report

2011-03-03 Thread Bryan Talbot
I found a way that causes the 1.4.10 (and probably 1.4.11) releases to crash with a segfault. The message in /var/log/messages is Mar 3 12:44:34 host kernel: haproxy[16392]: segfault at rip rsp 7fff7402a9d8 error 14 host:~$ /usr/sbin/haproxy -vv HA-Proxy

Re: admin socket 1.4.x crash report

2011-03-04 Thread Bryan Talbot
Great, thanks for the quick fix Cyril and for getting it into 1.4.12 Willy. -Bryan On Thu, Mar 3, 2011 at 10:23 PM, Willy Tarreau w...@1wt.eu wrote: Hi Guys, On Thu, Mar 03, 2011 at 08:09:57PM +0100, Cyril Bonté wrote: Hi Bryan, Le jeudi 3 mars 2011 19:05:38, Bryan Talbot a écrit : I

Re: How does http_find_header() work?

2011-03-31 Thread Bryan Talbot
This would be useful, but having a format similar to what's currently used for forwardfor would be nice: option uniqueid [{if | unless} condition] [ header name ] I would also like to be sure that any incoming values for the header could be stripped (using reqidel) and still have the new one

X-Forwarded-For contortions

2011-08-12 Thread Bryan Talbot
In haproxy 1.4.x, the option forwardfor feature's lack of an ACL to control its application is causing me to have an ugly and confusing haproxy configuration. The issue has come up recently while attempting to configure the proxy to accept connections from trusted upstream proxies (a CDN) while

Re: X-Forwarded-For contortions

2011-08-15 Thread Bryan Talbot
On Mon, Aug 15, 2011 at 2:12 AM, Brane F. Gračnar brane.grac...@najdi.si wrote: On Friday 12 of August 2011 20:17:11 Bryan Talbot wrote: What are my other options? There are multiple backends so having one shared front end and duplicating the backend sections and putting the XFF handling

Re: X-Forwarded-For contortions

2011-08-24 Thread Bryan Talbot
wrote: Hi Bryan, On Tue, Aug 16, 2011 at 07:51:07AM +0200, Willy Tarreau wrote: Hi Bryan, On Mon, Aug 15, 2011 at 11:13:18AM -0700, Bryan Talbot wrote: That would work but there are several CIDR networks that contain a trusted proxy.  The CDN is global and has proxies on most continents

Re: haproxy not logging correctly or I am misunderstanding something?

2011-08-26 Thread Bryan Talbot
I think you're mixing up your client IP and server IP addresses. The 10.0.3.12:42281 is the source IP:PORT for the TCP connection making the request (the client). The request was serviced by the server named ip_10_0_2_14 which I assume has an IP address of 10.0.2.14. -Bryan On Fri, Aug 26,

Re: How to test keep-alive is working?

2011-08-26 Thread Bryan Talbot
You could use something as simple as curl to see if the connection is left intact. $ curl -I -v www.example.com If keep-alive is working, curl will include a verbose message like this: * Connection #0 to host www.example.com left intact and then close the connection since it has no pending

Re: reqrep not working

2011-12-01 Thread Bryan Talbot
You can do it but both replacements need their own statement: one for the URI and one for the Host header. -Bryan On Thu, Dec 1, 2011 at 5:24 AM, hapr...@serverphorums.com wrote: HI, looks like it cant be done change the host based on URI, and rewrite the URI at the same time thx all

Re: How to explain 503 and 504 error.

2011-12-30 Thread Bryan Talbot
The 503's you show are from clients disconnecting very shortly after they've sent the request but before haproxy can connect to a backend server. The client closed the TCP connection without waiting for a response. The client probably didn't actually receive a 503 but haproxy seems to log it

Re: Does haproxy support cronolog?

2012-01-31 Thread Bryan Talbot
Nothing says you can't run a special instance of syslog-ng that only logs for haproxy. The system configuration files don't need to be special in that case. -Bryan On Tue, Jan 31, 2012 at 2:34 AM, Graeme Donaldson gra...@donaldson.za.net wrote: On 31 January 2012 11:21, wsq003 wsq...@sina.com

Re: Match when a header is missing?

2012-09-25 Thread Bryan Talbot
On Tue, Sep 25, 2012 at 12:30 PM, Shawn Heisey hapr...@elyograg.org wrote: I have a need to cause haproxy to match an ACL when a header (User-Agent) is missing. Can that be written with the configuration language in its current state? I'm running 1.4.18 here. How about acl

Re: Slow read http attack

2012-10-03 Thread Bryan Talbot
PM, Willy Tarreau w...@1wt.eu wrote: On Tue, Oct 02, 2012 at 11:42:27PM -0700, Bryan Talbot wrote: Having one (or some small number) of slow readers isn't a problem. The problem comes up when some significant percentage of your requests are from slow readers. Those readers might be from

Re: set-cookie on redirect

2012-12-21 Thread Bryan Talbot
page, and I am currently setting it to a string literal for the main website, but i'd like to set it to the path received from client prior to redirect. Thanks, bp -- Bryan Talbot Architect / Platform team lead, Aeria Games and Entertainment Silicon Valley | Berlin | Tokyo | Sao Paulo

Re: Transparent redirects

2012-12-27 Thread Bryan Talbot
See the docs for reqrep: http://code.google.com/p/haproxy-docs/wiki/reqrep -Bryan On Thu, Dec 27, 2012 at 8:44 AM, Alexandru Florescu a...@pagepeeker.com wrote: Hi, I have an old style URL that looks like this: http://api.domain.com/some_path and a new style URL that looks like this

Re: Connection error on RabbitMQ consumer behind haproxy

2013-01-11 Thread Bryan Talbot
forwardfor is for http only of course. You have the client and server timeouts set to 60 seconds which means that if those tcp connections are idle for that time the connection will be closed. Maybe that's not what you intended? -Bryan On Thu, Jan 10, 2013 at 8:20 PM, B MK bmkg...@gmail.com

Re: Info On Haproxy

2013-01-11 Thread Bryan Talbot
If by go down you mean that the server stops unexpectedly, then haproxy will NOT retry requests that have already been sent to a backend server. If that server goes down the client will receive an error (503 or something) and will have to decide what action to take. -Bryan On Fri, Jan 11, 2013

Re: HA proxy

2013-01-22 Thread Bryan Talbot
Why mess around with a version that's more than 5 years old? Use an up to date version like 1.4.22 or even better, don't compile your own and use a binary package for your platform (assuming there is one since you didn't state what you're trying to build or run on). Then you might try reading

Re: HA proxy

2013-01-22 Thread Bryan Talbot
to evaluate this before we put into production Paulson From: Bryan Talbot [mailto:btal...@aeriagames.com] Sent: Wednesday, January 23, 2013 2:01 AM To: Jonathan Matthews Cc: haproxy@formilux.org; Saipraveen Guttula (IT Services), Bangalore; Paulson AJ Subject: Re

Re: client keep-alive when servers

2013-01-30 Thread Bryan Talbot
If you're asking for keep-alive from client to haproxy and no keep alive from haproxy to server, then that's what the http-server-close option provides. What makes you think that keep alive is not working? -Bryan On Wed, Jan 30, 2013 at 6:32 AM, Chris Burroughs chris.burrou...@gmail.com wrote:

Re: client keep-alive when servers

2013-01-30 Thread Bryan Talbot
with no Connection: close Maybe to rephrase. Can I have haproxy--client use keepalive when haproxy--backend is explicitly closing and not using keepalive (set in both haproxy and the backend's configuration). On 01/30/2013 02:36 PM, Bryan Talbot wrote: If you're asking for keep-alive

Re: client keep-alive when servers

2013-01-30 Thread Bryan Talbot
. Well, funny you should mention tomcat. The backends are tomcat and they all have keep-alive disabled. I don't particularly trust its keepalive which is why I was trying to avoid using it. On 01/30/2013 06:59 PM, Bryan Talbot wrote: Oh, your backend looks like it's tomcat? Some tomcat

Re: Max Sessions and source balancing

2013-02-21 Thread Bryan Talbot
I believe the answer to both of your questions is no. The configuration directives you've specified will be followed: if more than maxconn concurrent requests are needed for a particular server, additional requests will be queued until the maxconn of the frontend / backend is reached. Existing

Re: second backup server when first on fails

2013-02-26 Thread Bryan Talbot
On Tue, Feb 26, 2013 at 2:52 AM, Hauke Bruno Wollentin mail...@haukebruno.de wrote: Hi together, I have haproxy 1.4.22 running with 1 frontend and 1 backend. There are 2 servers in that backend: server prim [...] check port 80 server sec [...] check port 80 backup First one is a

Re: use_backend: brackets/grouping not accepted in condition

2013-03-22 Thread Bryan Talbot
On Fri, Mar 22, 2013 at 2:47 AM, Christian Ruppert c.rupp...@babiel.com wrote: Hi Baptiste, it is IMHO not really clear that brackets are for anonymous ACLs only. Wouldn't it make sense to support it for use_backend as well? Those two are not mutually exclusive: you can use them with

Re: possible crashes on linux with recent glibc

2013-04-01 Thread Bryan Talbot
On Fri, Mar 29, 2013 at 11:01 AM, Willy Tarreau w...@1wt.eu wrote: Hi, For the medium term, I'm going to prepare the following changes : - make poll() rely solely on bit fields without using FD_* macros - add a start up warning when select() is used with a maxconn leading to more

stick socket.io traffic without using cookies

2013-04-19 Thread Bryan Talbot
I'm trying to find a way to get the two-http-request handshake that socket.io uses to stick to the same server without using cookies for persistence. Most of the guides I've found online all use cookies, but in my case, at least some of the (non-browser) client apps don't support them. socket.io

Re: Balance Roundrobin vs Balance Source

2013-04-19 Thread Bryan Talbot
On Thu, Apr 18, 2013 at 1:13 PM, hapr...@serverphorums.com wrote: Hi All, We have HAPROXY 1.4.22 running in our environment, one issue that I have encountered during testing concerns source IP address affinity, we are trying to achieve a form of Sticky Session persistence. I noticed that if

1.5-dev18 segfaults with stats bind-process

2013-04-19 Thread Bryan Talbot
I'm testing out nbproc for ssl offloading for the first time and ran into an issue with stats bind-process which seems to segfault on startup. # cat x.cfg global nbproc 2 stats bind-process 1 listen stats bind :8000 mode http stats enable stats admin if TRUE stats uri / #

Re: 1.5-dev18 segfaults with stats bind-process

2013-04-20 Thread Bryan Talbot
, 2013 at 12:54 AM, Willy Tarreau w...@1wt.eu wrote: On Fri, Apr 19, 2013 at 06:13:12PM -0700, Bryan Talbot wrote: I'm testing out nbproc for ssl offloading for the first time and ran into an issue with stats bind-process which seems to segfault on startup. # cat x.cfg global nbproc 2

Re: stick socket.io traffic without using cookies

2013-04-22 Thread Bryan Talbot
On Fri, Apr 19, 2013 at 1:39 PM, Ian Scott isc...@chippath.com wrote: On 04/19/2013 10:21 AM, Bryan Talbot wrote: I'm trying to find a way to get the two-http-request handshake that socket.io uses to stick to the same server without using cookies for persistence. Most of the guides I've found

Re: do I still need nginx for static file serving?

2013-04-22 Thread Bryan Talbot
Since haproxy is not a webserver (it's a reverse proxy), you still need a webserver to actually serve content and run the application. -Bryan On Mon, Apr 22, 2013 at 2:28 PM, S Ahmed sahmed1...@gmail.com wrote: My backend servers run jetty, and currently I am using nginx that runs on port 80

Re: stick socket.io traffic without using cookies

2013-04-22 Thread Bryan Talbot
this for now though. Is there any chance in being able to extract and stick on a component of the request path? -Bryan On Mon, Apr 22, 2013 at 3:06 PM, Ian Scott isc...@chippath.com wrote: On 04/22/2013 12:40 PM, Bryan Talbot wrote: So it looks like there's no way to properly support socket.io

Re: Block url in https

2013-04-24 Thread Bryan Talbot
Since the traffic passing through your port 443 is presumably encrypted, by design, the proxy can't do anything with the contents including read it. -Bryan On Wed, Apr 24, 2013 at 7:57 AM, Matthieu Boret mbore...@gmail.com wrote: Hi, I try to block a URL(public.mydomain.com) in https but

Re: Keeping LB pools status in sync

2013-04-26 Thread Bryan Talbot
It sounds like you're asking how to use a server's health state in one backend as the health state in another. If so you can use the track option on the servers backend pool1 server server1 1.1.1.1:6060 track pool2/server1 server server2 1.1.1.2:6060 track pool2/server2 backend pool2

Re: SMTP load balancer.

2013-04-30 Thread Bryan Talbot
On Tue, Apr 30, 2013 at 6:52 PM, Eliezer Croitoru elie...@ngtech.co.il wrote: server smtp1 192.168.25.1:25 maxconn 10 server smtp2 192.168.25.1:25 maxconn 10 ##conf end when I run the connection from other machine I get all the load on one machine.. Looks like you've listed

Re: Monitor always returns HTTP 200

2013-05-02 Thread Bryan Talbot
On Thu, May 2, 2013 at 8:55 AM, James Bensley jwbens...@gmail.com wrote: acl backend_down nbsrv(http--servers) lt 2 # HAProxy can see less than 2 backend servers monitor-uri /checkuri monitor-net 172.22.0.0/24 What's the address of the computer making the requests?

build with static openssl

2013-05-10 Thread Bryan Talbot
What's required to build haproxy and statically link with openssl libs like can be done with pcre? It would be a nice option to have when running on OS with older openssl (like RHEL 5.x) but still allow haproxy to use latest openssl. -Bryan

Re: build with static openssl

2013-05-13 Thread Bryan Talbot
ok, that's basically what I did to get it working too. I'm still doing some testing but so far it's working as expected and using openssl 1.0.1e on a redhat 5.x system. I ended up configuring openssl with no-dso which seems to make it statically link to its dependencies and not need to pull -ldl

Re: disable haproxy logging to console

2013-05-24 Thread Bryan Talbot
Something like this should do it: *.emerg;local2.none * -Bryan On Fri, May 24, 2013 at 1:16 AM, Wolfgang Routschka wolfgang.routsc...@drumedar.de wrote: Hi Guys, one question about disable haproxy logging to console. System is RHEL6.x Clone Scientific Linux 6.4 64 Bit with Haproxy

Re: Multiprocess stats?

2013-06-04 Thread Bryan Talbot
Also evaluate if you really _need_ to use 8 processes or are just using that cause that's how many cores are available. -Bryan On Mon, Jun 3, 2013 at 4:13 PM, Lukas Tribus luky...@hotmail.com wrote: Hi Stephanie, We're currently using haproxy with 8 processes. Is there any way to get

Re: Set ssl ciphers in defaults section

2013-06-21 Thread Bryan Talbot
I agree that it would be nice to avoid duplicating this in many different bind sections. Having to repeat a fairly long and ugly line does make the config harder to read. bind 1.2.3.4:443 ssl crt a.b.c.cert crt /etc/haproxy/cert/ ciphers

Re: PFS

2013-08-27 Thread Bryan Talbot
On Sat, Aug 24, 2013 at 4:29 AM, Erwin Schliske erwin.schli...@sevenval.com wrote: bind 0.0.0.0:443 ssl crt /etc/ssl/private/concat cert + privkey ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:

Re: webdav

2013-10-09 Thread Bryan Talbot
I've used it in front of SVN running in apache httpd and proxy in http mode with ssl. works great. -Bryan On Wed, Oct 9, 2013 at 1:59 AM, Sander Klein roe...@roedie.nl wrote: Hey Baptiste, We want to use it in front of svn and git. We wont actually do any load balancing with it. We just

Re: HAProxy Next?

2013-12-20 Thread Bryan Talbot
websocket support extended to include knowledge of control and data frames. It would be great to report frame rate (similar to http request rate) in both directions, proper open and close vs connection closed due to timeout (no ping-pong), etc. I'm not sure if there is a good reason to rate

Re: Is there a way to mention ssl password in haproxy.cfg file

2014-01-28 Thread Bryan Talbot
On Mon, Jan 27, 2014 at 10:24:35PM +0100, Baptiste wrote: Hi, You can't do this from HAProxy's configuration file. The passphrase is requested by your OpenSSL library. If there is a passphrase on your private key, there is a good reason: keep it secret. Maybe hacking HAProxy start

Re: rewrite URI help

2014-03-06 Thread Bryan Talbot
On Thu, Mar 6, 2014 at 1:42 PM, Steve Phillips stw...@gmail.com wrote: Haven't gotten a response on this...trying again...any help appreciated. Trying to reverse proxy all requests to /slideshare slideSHARE to www.slideshare.net/api/2/get_slideshow my front-end config: acl

Re: Does http-request worked with tunnel mode?

2014-03-14 Thread Bryan Talbot
On Fri, Mar 14, 2014 at 2:11 AM, k simon chio1...@gmail.com wrote: Is it possible add X-Foward-For for each request in http-tunnel mode ? Not in tunnel mode, no.

Re: High client request times (Tq) for no apparent reason

2014-03-24 Thread Bryan Talbot
Client keep alive will make request times be reported as longer. My guess is that you didn't get keep-alive turned off for your test. I believe that for requests after the first that the request time is the sum of the keep-alive wait time plus the client request time. If that sum is greater than

Re: High client request times (Tq) for no apparent reason

2014-03-26 Thread Bryan Talbot
On Wed, Mar 26, 2014 at 8:49 AM, Pedro Mata-Mouros pedro.matamou...@gmail.com wrote: Hi Bryan, Thanks for the insight. I'm still struggling with keep alive I guess... I did check the manual and I missed the last sentence: Setting option http-server-close may display larger request times

Re: ereq steadily increasing

2014-04-07 Thread Bryan Talbot
I finally captured some 504s in the debug logging. 129 since yesterday afternoon. They all seem to look like this: Mar 30 14:46:19.000 haproxy-k49 haproxy[19450]: x.x.x.x:49638 [30/Mar/2014:14:45:19.533] frontend_https~ tapp_http/tapp-m2t 77/0/4/6/60081 504 343 - -

Re: cR, Tq, timeout http-request

2014-04-23 Thread Bryan Talbot
On Thu, Apr 17, 2014 at 11:49 AM, Chris Burroughs chris.burrou...@gmail.com wrote: We are running 1.4.24 for an application that sees almost entirely small http requests. We have the following timeouts: timeout client 7s timeout server 4s timeout connect 4s

Re: redirect question

2014-05-02 Thread Bryan Talbot
On Fri, May 2, 2014 at 2:05 AM, bjun...@gmail.com bjun...@gmail.com wrote: Hi, i'm trying a basic redirect with HAProxy: frontend http acl is_domain hdr_dom(host) -i abc.example.com acl root path_reg ^$|^/$ redirect location http://abc.example.com/?code=1234 code 301

Re: redirect question

2014-05-02 Thread Bryan Talbot
On Fri, May 2, 2014 at 9:13 AM, bjun...@gmail.com bjun...@gmail.com wrote: Hi Bryan, same problem with your acl. I think the acl isn't the problem here, i suspect the redirect line. You are redirecting requests for abc.example.com/ to abc.example.com/ which is why you have a loop.

Re: redirect question

2014-05-02 Thread Bryan Talbot
#1.2.1 -Bryan P.S.: using HAProxy 1.4.24 2014-05-02 18:27 GMT+02:00 Bryan Talbot bryan.tal...@playnext.com: On Fri, May 2, 2014 at 9:13 AM, bjun...@gmail.com bjun...@gmail.com wrote: Hi Bryan, same problem with your acl. I think the acl isn't the problem here, i suspect the redirect

Re: SSL, peered sticky tables + nbproc 1?

2014-05-02 Thread Bryan Talbot
It sounds like that Jeff ran out of CPU for SSL terminations and that could be addressed as described by Willy here https://www.mail-archive.com/haproxy@formilux.org/msg13104.html and allow him to stay with a single-process stick table for the actual load balancing. -Bryan On Fri, May 2,

unique-id-header with capture request header

2014-05-13 Thread Bryan Talbot
We have more than 1 proxy tier. The edge proxy generates a unique ID and the other tiers (and apps in between) log the value and pass it around as a per-request id. Middle tier haproxy instances capture and log the unique id using capture request header which works fine; however, for the edge

Re: [PATCH] Add a configurable support of standardized DH parameters = 1024 bits, disabled by default

2014-05-19 Thread Bryan Talbot
It seems like the warning would be emitted in cases when DH exchange is disabled. ECDH is supported by nearly all new browsers and devices (that we care about anyway) and so have DH disabled and only ECDH enabled when PFS can be used -- specifically to avoid the large DH overhead especially for

Re: Rewrite domain.com to other domain.com/dir/subdir

2014-05-28 Thread Bryan Talbot
On Wed, May 28, 2014 at 2:49 AM, Matt . yamakasi@gmail.com wrote: I'm still struggling here and also looking at Varnish if it can accomplish it. What have you tried and what part of that is not working as you expect? I think HA proxy is the way as I also use it for normal

Re: Rewrite domain.com to other domain.com/dir/subdir

2014-05-28 Thread Bryan Talbot
On Wed, May 28, 2014 at 11:57 AM, Matt . yamakasi@gmail.com wrote: The normal redirect is working but convert it to a rewrite is where I'm stuck. Should I use an ACL upfront that looks in the map and do an if on that or is the ACL not needed at all ? The example in the reqirep section

Re: reqidel/forwardfor

2014-06-03 Thread Bryan Talbot
On Tue, Jun 3, 2014 at 8:57 AM, Andy Walker a...@fbsdata.com wrote: Quick question (after writing the email, I realized that there's nothing quick about it) about the order of processing for reqidel and option forwardfor options. First and foremost, we're running HA-Proxy version

Re: bug: long bind lines causes config not to be loaded

2014-06-13 Thread Bryan Talbot
On Fri, Jun 13, 2014 at 1:08 AM, kiorky kio...@cryptelium.net wrote: just forgot to include the version: HA-Proxy version 1.5-dev25-a339395 2014/05/10 On 13/06/2014 10:04, kiorky wrote: Hi we use here a generator for haproxy configs and this one generates amongst all https frontend using

Re: bug: long bind lines causes config not to be loaded

2014-06-13 Thread Bryan Talbot
Sorry for responding in the wrong thread, somehow I'm seeing two threads for this (and another) message. Not sure if it's gmail or the list that's duplicating threads today. -Bryan On Fri, Jun 13, 2014 at 10:48 AM, Bryan Talbot bryan.tal...@playnext.com wrote: On Fri, Jun 13, 2014 at 1:08 AM

Re: [PATCH] Fix a memory leak in DHE key exchange

2014-07-15 Thread Bryan Talbot
Since the patch only concerns DH key parameters = 1024 bits, does that mean that exchanges using Elliptic Curve DH (which use much smaller key sizes than 1024 bits) are not affected by this issue? -Bryan On Tue, Jul 15, 2014 at 7:11 AM, Willy Tarreau w...@1wt.eu wrote: Hi Rémi, On Tue, Jul

Re: Source based LB

2014-08-05 Thread Bryan Talbot
On Tue, Aug 5, 2014 at 7:12 AM, Luis Silva luisfilsi...@gmail.com wrote: Hi guys, I'm trying to use HAProxy to load balance based on the source address. backend bk_ws balance source option httpchk GET / server wsc1 10.174.82.15:8001 maxconn 3 weight 10 check port 8001 inter

Re: ha proxy enquiry

2014-08-11 Thread Bryan Talbot
For some simple cases maybe but why bother when there are real forward proxies that work well? -Bryan On Mon, Aug 11, 2014 at 7:21 PM, Wei Xiong weixiong...@redtreeunwired.com wrote: Hi, I would like to know whether haproxy can be configure as a forward proxy? -- Regards, Ku Wei Xiong

timeout tarpit ignored in 1.5

2014-08-21 Thread Bryan Talbot
Starting from commit bbba2a8ecc35daf99317aaff7015c1931779c33b (1.5-dev24-8) the timeout tarpit setting is ignored and timeout connect is always used instead. MEDIUM: http: jump to dedicated labels after http-request processing Continue the cleanup of http-request post-processing to

Re: [PATCH] Re: timeout tarpit ignored in 1.5

2014-08-22 Thread Bryan Talbot
a fix. Thierry On Thu, 21 Aug 2014 18:47:28 -0700 Bryan Talbot bryan.tal...@playnext.com wrote: Starting from commit bbba2a8ecc35daf99317aaff7015c1931779c33b (1.5-dev24-8) the timeout tarpit setting is ignored and timeout connect is always used instead. MEDIUM: http: jump

Re: Can haproxy sync configuration to another instance for configuration updates?

2014-09-16 Thread Bryan Talbot
There is nothing to be anxious about because there is no support in haproxy or keepalived for synchronization of configuration files -- it's something you'll need to handle using whatever node configuration tools you wish (puppet, chef, scripts, etc). On Tue, Sep 16, 2014 at 4:24 AM, Zebra

Re: hash mapping on x-forwarded-for header?

2014-09-30 Thread Bryan Talbot
On Tue, Sep 30, 2014 at 11:44 AM, Paul McIntire p...@skout.com wrote: Hi api servers and cause them to melt. Is it possible to use hash-type consistent on the x-forwarded-for information from the request hitting the frontend nginx servers? If you're using 1.5 the balance

Re: 1.5.5 - Config with Disabled backend causes silent loss of configuration.

2014-10-09 Thread Bryan Talbot
I think I can reproduce this and a similar bug that causes a SEGFAULT (on load or config check) when 'disabled' appears in a backend using the config shown below. defaults timeout client 5s timeout server 5s frontend main : default_backend one backend one backend two disabled A

Re: 1.5.5 - Config with Disabled backend causes silent loss of configuration.

2014-10-10 Thread Bryan Talbot
The fix is working for me. Only the proxy with 'disabled' specified is actually disabled and a disabled last proxy no longer causes a segfault. Thanks for the fast fix! -Bryan On Fri, Oct 10, 2014 at 6:02 AM, Willy Tarreau w...@1wt.eu wrote: Hi guys, On Thu, Oct 09, 2014 at 11:40:40PM

no-sslv3 in default

2014-10-15 Thread Bryan Talbot
With SSLv3 being so old, and in light of new (POODLE) exploits driving additional nails into its coffin, it would be nice to disable SSLv3 in a defaults section so that it doesn't get enabled by accident when someone adds a new bind line. Docs for 1.5 say that no-sslv3 is not supported in a

Re: DNS

2014-10-22 Thread Bryan Talbot
On Wed, Oct 22, 2014 at 1:50 PM, Jon Hoffart jon.hoff...@medoraco.com wrote: Hello, I am doing some experimenting with HAproxy and balancing one of our mail servers. I was wondering if there is any way to have HAproxy do a reverse DNS as the mail log always shows the client ip as the

Re: DNS

2014-10-29 Thread Bryan Talbot
/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/ -Bryan thanks, Jon Hoffart On Oct 22, 2014, at 3:20 PM, Bryan Talbot bryan.tal...@playnext.com wrote: On Wed, Oct 22, 2014 at 1:50 PM, Jon Hoffart jon.hoff...@medoraco.com wrote: Hello

Re: hardcoded ssloptions

2014-10-29 Thread Bryan Talbot
I think he wants to globally disable SSLv3 (by removing support at compile time) so it can't be accidentally enabled in an errant bind option. There's no way to disable SSLv3 globally in the haproxy config. -Bryan On Wed, Oct 29, 2014 at 12:24 PM, Lukas Tribus luky...@hotmail.com wrote:

Re: Default monitor fail setup

2014-11-13 Thread Bryan Talbot
Can you share a config that shows the implicit monitor fail behavior and the haproxy version it happens on? I've tried the config below on a couple of 1.4 and 1.5 versions and they behave the same for me. All return 200 unless the explicit monitor fail directive is present. global defaults

Re: POST body not getting forwarded

2014-11-20 Thread Bryan Talbot
On Wed, Nov 19, 2014 at 9:17 PM, Rodney Smith rodney...@gmail.com wrote: I have a problem where a client is sending audio data via POST, and while the request line and headers reach the server, the body of the POST does not. However, if the client uses the header Transfer-Encoding: chunked

Re: Significant number of 400 errors..

2014-11-26 Thread Bryan Talbot
There are clearly a lot of junk bytes in those URI which are not allowed by the HTTP specs. If you really want to be passing unencoded binary control characters, spaces, and nulls to your backends in HTTP request and header lines, then HTTP mode is probably not going to work for you. TCP mode
