RE: Haproxy timing issues

2011-11-02 Thread Lukas Tribus
Hi, you should switch net.ipv4.tcp_tw_recycle off; you have already tcp_tw_reuse on, which serves the same purpose (and it's less dangerous with NATted clients). http://www.serverphorums.com/read.php?10,182544 Lukas From: erik.tor...@apicasystem.com To: bed...@gmail.com CC:

RE: Performance optimization on VMWare VM's

2012-04-15 Thread Lukas Tribus
Does that mean Sandy/Ivy Bridge based Intel Platforms can't be undoubtedly recommended for high performance usage with haproxy or is there a workaround? What platform would you recommend for a new setup?

RE: nginx alone performs x2 than haproxy-nginx

2012-05-03 Thread Lukas Tribus
Hi Pasi, Do you know if ubuntu 12.04 has these optimized drivers or not? I think Canonical developers are going to add the drivers later in some update to Ubuntu 12.04 packages. The drivers are not yet in 12.04. I saw some discussion from Canonical guys on xen-devel about that.

RE: Help with Chrome preconnects

2012-07-11 Thread Lukas Tribus
I would suggest terminating SSL on the haproxy box (with stud in front of it), thus switching haproxy from tcp to http mode. That way, longrunning keepalive-enabled HTTPS sessions terminate there and apache only sees real non-SSL request without blocking any threads. If you would like to avoid

RE: major performance decrease in total throughput with HAproxy 1.4.20

2012-08-16 Thread Lukas Tribus
i am trying to understand why option httpclose would be a problem? With httpclose in your configuration, you need 2 tcp session per *request* on your haproxy box. When you disable httpclose and enable only http-server-close, then you will use keepalive between the client and haproxy. With

RE: HAProxy with native SSL support !

2012-09-04 Thread Lukas Tribus
Willy, this is huge! Great, great work! A few comments/questions: - are you running latest and greatest openssl on demo.1wt.eu? I am asking because Secure Renegotiation doesn't seem to be supported [1]. Older (1.0.0?) releases seem to have a higher memory overhead as well, iirc. - I see you

RE: HAProxy with native SSL support !

2012-09-04 Thread Lukas Tribus
...@1wt.eu To: luky...@hotmail.com CC: haproxy@formilux.org Subject: Re: HAProxy with native SSL support ! Hi Lukas, On Tue, Sep 04, 2012 at 03:05:14PM +0200, Lukas Tribus wrote: Willy, this is huge! Great, great work! A few comments/questions: - are you running latest and greatest openssl

RE: HAProxy with native SSL support !

2012-09-04 Thread Lukas Tribus
Hi, In fact when I say yassl, I really mean CyaSSL. Ok, great. A few more comments about (C)yassl: -    development of new features is obviously not as fast as in OpenSSL. For     example TLS SNI is not supported yet (ETA: next release) [1]. This feature     was introduced in 2007 (0.9.8f)

RE: HAProxy with native SSL support !

2012-09-05 Thread Lukas Tribus
-(C)yassl doesn't support - by design - renegotiation. They also don't implement RFC4756 (secure renegotiation), see [3]. While this is not a security problem (from a server point of view), it will become an interoperability problem sooner or later, once browser vendors make

RE: SSL OCSP Stapling

2012-11-06 Thread Lukas Tribus
Don't know if it helps without some knowledge of the nginx source code, but here [1] you can find the patches applied to nginx to introduce ocsp support. Its doesn't seem to be trivial to implement though, because you also need to run (at regular intervals) an OCSP query towards the CA's OCSP

RE: Upgrading from 1.5dev7 - gotchas?

2013-01-03 Thread Lukas Tribus
I updated to your latest snapshot which reads HAProxy version 1.5-dev17, released 2012/12/28 (and not 12/30 as I would have expected) but the problem is still there. 1.5-dev17 is _not_ the latest snapshot. You can find the latest snapshot from the URL Willy already posted:

RE: Upgrading from 1.5dev7 - gotchas?

2013-01-03 Thread Lukas Tribus
OK, I understand that but when downloading the latest version you're writing about and compiling it, it says 20121228 I see what you mean. Those date variables are updated only when Willy releases a new -dev release; which is a manual process as you can see from git commit [1]. In fact, in

RE: SSL Handshake Errors - EmptyResponse/Connection Reset

2013-01-05 Thread Lukas Tribus
FYI: Firefox only uses TLSv1.0 (see [1]), while Chrome can use up to TLSv1.1 (see [2]). If both Firefox and Chrome trigger the issue without no-tlsv11/12 option, then the issue can be triggered with TLSv1.0 for sure. [1] https://bugzilla.mozilla.org/show_bug.cgi?id=733647 [2]

RE: Unusually high cpu usage after upgrade to 1.5dev17

2013-01-08 Thread Lukas Tribus
Jan  8 18:30:59 srv11 kernel: [ 3878.272003] [ cut here ] Jan  8 18:30:59 srv11 kernel: [ 3878.295572] WARNING: at net/ipv4/tcp.c:1330 tcp_cleanup_rbuf+0x4d/0xfc() Jan  8 18:30:59 srv11 kernel: [ 3878.319107] Hardware name: System x3690 X5 -[7148Z68]- Jan  8

RE: Unusually high cpu usage after upgrade to 1.5dev17

2013-01-09 Thread Lukas Tribus
In the mean time i´ve downgraded to the old kernel, but the performances issues persist. So this seems to be a issue in haproxy. This is very strange. In your first mail you reported that your CPU is spending 30% in userspace and 70% is system. How is your CPU usage now? You are running the

RE: Haproxy F5 usage question

2013-01-09 Thread Lukas Tribus
You should be able to deal with this by adding more ips to your haproxy box and configuring 2 backends in haproxy pointing to the same F5 VIP, but with different source-ips [1]. Remember to configure HAproxy for source persistence as well, if your application needs it. [1]

RE: [PATCH] Add OpenSSL engine support

2013-01-09 Thread Lukas Tribus
Interesting. Are these implementations still in use ? This seems more like early experimentations than definitive releases to me. I don't know if such versions were shipped in any LTS distro, so most likely they'll quickly disappear. Am I wrong ? Looks like you are correct. In openssl 1.0.1

RE: Problems with sni and big connections.

2013-01-11 Thread Lukas Tribus
There has been a POST bug (among many others) which was fixed in -dev16. Please upgrade to latest 1.5-dev17. Date: Thu, 10 Jan 2013 17:44:07 -0800 From: rlpow...@cytobank.org To: haproxy@formilux.org Subject: Problems with sni and big connections.

RE: enabling SPDY

2013-01-15 Thread Lukas Tribus
Theoretically you are able to offload SSL at haproxy, and pass raw, unencrypted SPDY to the backend. I doubt however that this has been done before, and nginx most certainly doesn't accept unencrypted SPDY traffic, so yes, tcp mode will be the only option for now. Regards, Lukas From:

RE: Issue managing multiple SSL certs

2013-01-16 Thread Lukas Tribus
I have the same issues on windows XP clients (IE8). I don't have any issues at all with Win 7/IE9 and win2012/IE10. FYI: There are 2 browser using the Windows XP SSL/TLS stack, and thus don't provide SNI on Windows XP: - Internet Explorer - Safari ( and obsolete Chrome releases prior v 6.0)

RE: Issue managing multiple SSL certs

2013-01-16 Thread Lukas Tribus
As a solution to this I'll try to get additional IPs and configure HAproxy to serve different certificates for different IPs.   Do you foresee any reasons why such an approach won't work? Don't worry, mapping the certificates to dedicated IPs will fix this problem on IE/Safari with Windows

RE: SSL termination/SNI routing

2013-01-19 Thread Lukas Tribus
As a just-maybe-potentially-useful comment: I've gotten around some SNI issues by having the client come to a non-SSL URL, at which I set a cookie (in haproxy) for which site they asked for; then we can redirect to the SSL URL and select the site in haproxy based on the cookie.

RE: CSS not displayed

2013-01-22 Thread Lukas Tribus
The site I want to display is designed with Joomla. There are no errors in Apache logs et Firebugs shows several warnings for js files. The site is well displayed when I connect directly to the Apache server. What are those Firebug warnings exactly? Also, can you show us your haproxy logs?

RE: haproxy invoked oom-killer

2013-02-02 Thread Lukas Tribus
Notice that having the HAproxy box swapping is a huge performance killer and you absolutely do not want to do that, so apart from tuning/configuring the OOM killer you should track the issue down and avoid memory depletion and swapping in first place.

RE: Problems with 1.5-dev17 and bind to interface

2013-02-11 Thread Lukas Tribus
frontend nodes maxconn 2400 bind :12340 interface eth1 default_backend nodes but portscans from another node in the internal network show that 12340 is sometimes open, but most of the it is closed. We believe this is a bug in haproxy. Probably haproxy starts when the VIP

RE: Problems with 1.5-dev17 and bind to interface

2013-02-12 Thread Lukas Tribus
Ah okay, I expected bind :*12340 interface eth1 to listen to traffic coming to the interface, not to bind to al ips which are bound to the interface at the moment of starting haproxy. If that's really the case, the documentation of bind interface could be improved. I think you misunderstood

[PATCH] DOC: simplify bind option interface explanation

2013-02-12 Thread Lukas Tribus
The current documentation of the bind option interface can be misleading (as seen on the ML recently). This patch tries to address misunderstandings by :   - avoiding the words listen or bind in the behavior description, using     restrict to interface instead   - using a different sentence

RE: [PATCH] DOC: simplify bind option interface explanation

2013-02-12 Thread Lukas Tribus
CC: haproxy@formilux.org; c...@itscope.de Subject: Re: [PATCH] DOC: simplify bind option interface explanation On Tue, Feb 12, 2013 at 10:13:19PM +0100, Lukas Tribus wrote: The current documentation of the bind option interface can be misleading (as seen on the ML recently). (...) Patch

struggling with TCP Fast Open (tfo bind option)

2013-02-12 Thread Lukas Tribus
Hi Willy, I tried to enable tfo on the bind line today, however, it failed even on recent kernels for me. At first it was failing with: [ALERT] 042/223418 (1141) : parsing [haproxy.cfg:14] : 'bind *:1234' unknown keyword 'tfo'. Registered keywords : Since this pointed to a trivial parser

RE: struggling with TCP Fast Open (tfo bind option)

2013-02-13 Thread Lukas Tribus
Huh ? It is already present a few lines above : Correct, I was just confused about it because the other keywords like defer-accept or v4v6 are also present twice and tfo was missing below the comment: /* the versions with the NULL parse function*/. lukas@ubuntuvm:~/haproxy-ss-20130125/src$

RE: struggling with TCP Fast Open (tfo bind option)

2013-02-13 Thread Lukas Tribus
Anyway I'm used not to rely on libcs found in the field because many users upgrade their kernels on supported distros. That's why there are so many defines in the makefile ! So do you think it would make sense to introduce a new build flag for TFO and define TCP_FASTOPEN? This would be

RE: struggling with TCP Fast Open (tfo bind option)

2013-02-13 Thread Lukas Tribus
If you want I can send patches, but I will have to fix the mailer first. Yes, please do ! The attached patch fixes the doc/code comments and should reach you without being mangled. Lukas 0001-DOC-tfo-bump-required-kernel-to-linux-3.7.patch

RE: Default certificate wrongly delivered.

2013-02-22 Thread Lukas Tribus
If you upgrade to a recent snapshot you can use the strict-sni feature [1]. This way, when the client doesn't provide SNI, the handshake is aborted. I think this is important even when your clients are supposed to support SNI; the client may be buggy or the SNI detection in haproxy -

RE: Lots of TIME_WAITs and slow response time

2013-03-06 Thread Lukas Tribus
Are you using keepalive on haproxy? Perhaps you are confronting nginx with keepalive enabled and haproxy with client-side keepalive disabled? Can you share the haproxy config? Thomas is right, you should probably unload conntrack for best performance. Also make sure you don't have any network

RE: Lots of TIME_WAITs and slow response time

2013-03-07 Thread Lukas Tribus
IP_SERVER1:3306 check inter 5000 rise 2 fall 3 maxconn 7000 maxqueue 5000 server NS32 IP_SERVER1:3306 check inter 5000 rise 2 fall 3 maxconn 7000 maxqueue 5000 On 03/06/2013 08:31 PM, Lukas Tribus wrote: Are you using keepalive on haproxy? Perhaps you are confronting nginx

RE: Lots of TIME_WAITs and slow response time

2013-03-07 Thread Lukas Tribus
You probably don't want net.ipv4.tcp_tw_recycle = 1 when your clients are behind NAT/CGN boxes. If you have troubles with source port exhaustion, refer to the article Baptiste  wrote: http://blog.exceliance.fr/2012/12/12/haproxy-high-mysql-request-rate-and-tcp-source-port-exhaustion/ Lukas

RE: Lots of TIME_WAITs and slow response time

2013-03-07 Thread Lukas Tribus
PM, Lukas Tribus wrote: Aren't using HTTPS in the frontend when benchmarking haproxy and plain HTTP when benchmarking the original server, are you? That could explain the performance differences. No, I only tested HTTP version :) Anyway, you do want to enable keepalive and to do

RE: Lots of TIME_WAITs and slow response time

2013-03-07 Thread Lukas Tribus
I need it for my firewall it seems so I'll leave it for now. In this case you may want to bypass conntrack for TCP port 80 traffic only. Also consider matching your backend traffic with -j NOTRACK. You can read more about bypassing conntrack and the NOTRACK target here:

RE: Lots of TIME_WAITs and slow response time

2013-03-07 Thread Lukas Tribus
When I try with tw_recycle = 0 then I start to get a lot of TIME_WAIT  connections and performance degrades quite quickly so I cannot remove it  for now This indicates you are running out of source ports and it is probably why the latency increases with the number of simultaneous connections.

RE: Lots of TIME_WAITs and slow response time

2013-03-07 Thread Lukas Tribus
When I try with tw_recycle = 0 then I start to get a lot of TIME_WAIT connections and performance degrades quite quickly so I cannot remove it Having a lot of TIME_WAIT connections shouldn't be a problem, in fact its pretty normal. With tcp_tw_reuse enabled (and tw_recycle disabled), you

RE: strange behavior with version 1.4.22

2013-03-11 Thread Lukas Tribus
Linux ip-x.x.x.x 2.6.21.7-2.fc8xen #1 SMP Fri Feb 15 12:34:28 EST 2008 x86_64 x86_64 x86_64 GNU/Linux [...] CentOS release 5.4 (Final) This seems to be a weird config, you have CentOS 5.4 (released 2009 with a 2.6.18 kernel), but you are running a xenified Fedora kernel compiled in 2008.

RE: after mild Apache Bench test, backend server shows high number of concurrent sessions

2013-03-13 Thread Lukas Tribus
You shouldn't see CLOSE_WAIT for that long on your haproxy box - they should timeout. In 1.4.22 there was a bug fixed which may relate to your problem: BUG/MINOR: checks: expire on timeout.check if smaller than timeout.connect

RE: Performance using SNI with many diffrent ssl certificates?

2013-03-14 Thread Lukas Tribus
But we are wondering if it can scale up to thousands or more say 100k ssl certificates. Has anyone tried it? I believe Willy has seen configurations with 50k certificates running fine.

RE: Performance using SNI with many diffrent ssl certificates?

2013-03-14 Thread Lukas Tribus
I would be very interested in how this was configured, seeing as I am failing to provide consistent, correct, certificates for every request for as little as 20-30 sites. Well, you had your thread Default certificate wrongly delivered about that issue and it didn't seem to be a haproxy

RE: Default certificate wrongly delivered.

2013-03-15 Thread Lukas Tribus
I suspect that some clients fail to use SNI. I've already seen this from time to time. It looks like after some errors, they refrain from using SNI or even TLS at all and fall back to SSLv3. This scared my a bit, so I've done some digging. I've found 2 related bug reports with a lot of

RE: Connection close

2013-03-16 Thread Lukas Tribus
Enable logging, then you will see the reason the connection was closed, I guess there is a connection timeout somewhere. Logging will help you find out where exactly. A few comments about your configuration: noepoll nokqueue nopoll nosepoll nosplice Exactly what are you

RE: Connection close

2013-03-17 Thread Lukas Tribus
Hi, please CC the list, so everyone is seeing your responses. Ubuntu 12.04 LTS, Kernel 3.5, Haproxy 1.4.22 from repo please provide the output from haproxy -vv nonetheless. It should have been compiled with the linux2628 target, as this will enable features like tcp splicing. No, I need

RE: Connection close

2013-03-18 Thread Lukas Tribus
In fact, its 1.4.18, not 1.4.22. The Ubuntu repo is not uptodate. Consider compiling haproxy from source, to have the latest bugfixes in it. Anyway, the build has tcp splicing enabled, so with the configuration changes I proposed, you should be able to handle the load. Remember to check your

RE: Connection close

2013-03-18 Thread Lukas Tribus
With what options would you suggest to compile Haproxy? Something like this should do it: make TARGET=linux2628 ARCH=native Read the README file for details. You were talking about CPU cores assignment how to do it in HAproxy ? Use taskset [1]. Check [2] for interrupts. Lukas [1]

RE: haproxy v1.4.20 crashes with sigabrt

2013-03-19 Thread Lukas Tribus
v1.4.20 is not in Ubuntu repositories, 1.4.18 is. Did you compile haproxy yourself? Lukas

RE: Active/active HAProxy

2013-03-19 Thread Lukas Tribus
conntrackd permit to also share TCP states between boxes that will also run iptables With conntrackd-syncing you just allow the packet to pass the iptables barrier; but the session will still be dropped by the OS because the TCP stack doesn't know the socket, and so does not the application.

RE: Active/active HAProxy

2013-03-21 Thread Lukas Tribus
It's a point in time dump and restore of the in flight packets. Can't dump the details and in flight content of a TCP session if the host is already dead. So either this will work only for manual switchovers (but not for sudden hardware/software failure; also at this point TCP connection

RE: Please help to configure Haproxy with SSL support

2013-03-21 Thread Lukas Tribus
SSL is possible in the 1.5 development branch only. You can find all the necessary informations on the website http://haproxy.1wt.eu/ If you need someone guiding you step by step trough the configuration, I would suggest you acquire commercial support:

RE: Unable to clone repo

2013-03-22 Thread Lukas Tribus
Hi Nick, in fact, its not very fast. You can try the formilux mirrors, they are kept up-to-date:    $ git clone http://master.formilux.org/git/people/willy/haproxy.git/    $ git clone http://master.formilux.org/git/people/willy/haproxy-1.4.git/ Lukas

RE: tuning maxconn and nbproc

2013-03-24 Thread Lukas Tribus
Hi Nick, For maxconn, in defaults. I read a lot of places that this value depends on the ulimit value of the system, but it's not clear in what way they are related. suppose you set maxconn [1] to 2000. This means you can have up to 2000 concurrent session on the haproxy (!) process

RE: tuning maxconn and nbproc

2013-03-24 Thread Lukas Tribus
So you are saying that by using the maxconn property in the global config block HAProxy is automatically adjusting the systems ulimit setting? Yes, HAproxy is automatically adjusting and configuring ulimit based on your configuration (based on settings like maxconn and maxpipes). So unless

RE: IPv6 vrrp and bind transparent

2013-03-27 Thread Lukas Tribus
What kernel are you running? You need at least 2.6.37 to do this with non-local IPv6 binds. Date: Wed, 27 Mar 2013 08:35:18 +0100 From: kolm...@zid.tuwien.ac.at To: haproxy@formilux.org Subject: IPv6 vrrp and bind transparent Hi, I am new to the

RE: SSL problems with HAProxy and Nginx on Ubuntu

2013-03-30 Thread Lukas Tribus
Hi Ashley, please share the relevant part of your haproxy configuration and the output of haproxy -vv and egrep BEGIN|END /etc/ssl/server.pem. That looks like configuration issue to me (those errors sounds like haproxy is configured to do plaintext HTTP on the port instead of ssl). Cheers,

RE: Rewriting request without rewriting headers

2013-03-31 Thread Lukas Tribus
A few of our clients send us GET https://host.example.com/path/to/url; style requests which some of our backends can't handle. I'm not sure its a good idea to rewrite those request; clearly those clients are misconfigured. This are requests for forwarding proxies. You should deny service

RE: struggling with TCP Fast Open (tfo bind option)

2013-04-02 Thread Lukas Tribus
So do you think it would make sense to introduce a new build flag for TFO and define TCP_FASTOPEN? This would be similar to USE_TPROXY, USE_LINUX_SPLICE or USE_ACCEPT4 I guess. That way, users have a documented way to enable TFO with current libc's? Yes, that's an idea indeed. And

RE: Problem with ss-20130402

2013-04-02 Thread Lukas Tribus
that leaves 87,88,89,93,94,95,96,99,100 and 101, right? git-bisect is your friend :) That said, I see some hangs after commit a890d072, but thats patch 104 and not in ss-20130402, so its a separate issue (I will post a new topic about this). Willy, I would rather not issue dev-18 now ;)

Bug: CPU race ACL + commit a890d072?

2013-04-02 Thread Lukas Tribus
Hi Willy, since commit a890d072, the following frontend configuration (in http mode) hangs haproxy, debug output above. acl iscluster1-2   hdr_sub(host) -i testdom2.local use_backend cluster1-2 if iscluster1-2 After process_switching_rules haproxy seems to hang (new connections

RE: [ANNOUNCE] haproxy-1.5-dev18

2013-04-03 Thread Lukas Tribus
Thank you, you did an amazing job here again! TLS ALPN was implemented similarly as NPN was made. It is supposed to replace NPN. Jesus Christ, this was fast. It was only discussed at IETF 86 mid-march (and in 2 drafts this year), and 15 days later its already in haproxy-1.5. I think HAProxy

RE: Invalid ACL with Dev-18 JIT

2013-04-04 Thread Lukas Tribus
Hi Igor, error detected while parsing ACL 'side2' : regex '\b(?:\d{1,3}\.){3}\d{1,3}\b' is invalid. The config works fine without JIT enable. Yes, I can reproduce this. In fact, it does not work _at all_ and fails even if the expression just contains a few letters, like literally

RE: Problem with ss-20130402

2013-04-05 Thread Lukas Tribus
This thread is about a bug which is already fixed in dev18. The only bug fixed after dev18 is the issue from the haproxy-dev18 http-request‏ thread. If you need a .tar.gz with all bugfixes, I suggest you use a snapshot from [1]. They are build every night if something changed in the git, so you

RE: dev18 splice-auto

2013-04-05 Thread Lukas Tribus
It is possible to do that, but only if really necessary. And I probably only want to share that with direct HAProxy developers. No problem with that; but we need to get more informations somehow and I have the feeling that this is hard to reproduce ... Can you give us the output of the failed

RE: segfault when using stick-table gpc0

2013-04-07 Thread Lukas Tribus
Hi! Since upgrading from dev17 to dev18 I'm getting a segfault: I can reproduce this. Here a few details: - a4312fa28e897ed7373785c49ddf3acbc8f9f264 is the first bad commit - does not happen when build with USE_OPENSSL=1 - gdb backtrace (without compiler optimizations): (gdb) bt #0 

RE: HAProxy crashing on start

2013-04-08 Thread Lukas Tribus
Can you recompile with the debug option and without compiler optimizations, create a coredump and backtrace it: # compile (debug + no optimizations) make DEBUG=-DDEBUG_FULL CFLAGS=-g -O0 TARGET=[...] # reise ulimit ulimit -c 75000 # enable coredumping echo 2 /proc/sys/fs/suid_dumpable #

RE: Question on feature stability in 1.5

2013-04-09 Thread Lukas Tribus
Hi Ahmed, I wanted to find out if the features I'm using can be considered complete for 1.5. [...] if these are feature complete (or stable) The latest 1.5 snapshot should be fairly usable also in production,  but since there is no feature freeze, that will very likely change with new

RE: frontend stopped responding

2013-04-10 Thread Lukas Tribus
Hi Will! stopped responding to most requests. How did you recover from that condition? Restart HAproxy? Reboot the whole VM? When in that condition, did you see any other warnings or errors (dmesg, etc)? How was the load and memory usage (top, vmstat, free, uptime, etc)? Regards, Lukas

RE: frontend stopped responding

2013-04-10 Thread Lukas Tribus
No warnings is syslog or dmesg Can you issue a show errors [1] on the control socket? To recover I switched away from the haproxy server to an older Apache-based web server. So haproxy is still in a broken condition on that server? If thats the case, you could attach strace to the process

RE: frontend stopped responding

2013-04-10 Thread Lukas Tribus
Unfortunately, I restarted haproxy, so show errors returns little of use. Alright, since we don't know what actually happened and there are no similar reports, we will probably not find the root cause this time. Next time this happens, please collect the information I asked using show errors,

RE: Invalid ACL with Dev-18 JIT

2013-04-10 Thread Lukas Tribus
Hi Hiroaki! I made a patch to fix this problem. After applying this patch, it seems work correctly now. Thank you, it does work with your patch applied, great! Now you are declaring error and erroffset outside #ifdef USE_PCRE_JIT, but actually use them only inside. This causes a compiler

RE: haproxy hit 100% CPU

2013-04-12 Thread Lukas Tribus
Hi Henry, that sounds like a very serious bug indeed. I suggest you take a traffic capture with a ring buffer and capture the exact frontend traffic. You can do this with dumpcap for example, something like should do it (if your frontend traffic is tcp port 80): dumpcap -i eth0 -p -s0 -b

RE: haproxy hit 100% CPU

2013-04-12 Thread Lukas Tribus
Hi! Hi Henry, I found the bug. It happens when hashing a parameter which is not found (typically an absent URL parameter) and then the connection to the selected server experiences connection retries, and the server goes down and up before the redispatching, and is the last server in the

RE: Can't get client side certificate to work (repost)

2013-04-12 Thread Lukas Tribus
Hi Thomas, I'm trying to follow this blog post: http://blog.exceliance.fr/2012/10/03/ssl-client-certificate-management-at-application-level/, but I can't get the client certificate to work with 1.5dev18. Could you try a few older releases, specifically dev12, 13 and 14 (which is around

RE: Haproxy and multipart/form-data

2013-04-13 Thread Lukas Tribus
Hi Hong! Here is the full config and relevant section of the log: https://gist.github.com/kiafaldorius/5379517 Could you try this exact configuration: acl multipart hdr_beg(Content-Type) -i multipart/form-data Regards, Lukas

RE: Haproxy and multipart/form-data

2013-04-13 Thread Lukas Tribus
Hi! Huh, that one seems to work! That's strange...I know I tried it with hdr_beg(Content-Type) multipart and it didn't work. Now I feel a little dumb, but at least it works =] Which should work. But probably you tested this before you switched everything to http mode and without

RE: Haproxy and multipart/form-data

2013-04-13 Thread Lukas Tribus
probably you tested this before you switched everything to http mode and without http-server-close? Should read '*with* http-server-close?' I suspect that your browser is sending something after the content-type, such as ;something or I don't know what. Exactly, this was from this debug:

RE: Haproxy 1.4

2013-04-14 Thread Lukas Tribus
Hi, Thank you. So check.txt is just an empty txt file? Yes. You can test this with curl. Your configuration expects the following request to return 200 OK: curl -I http://192.168.88.97:80/check.txt If this is not happening, either because the file doesn't exist, HEAD request are not

RE: Is this possible in HAPROXY 1.4

2013-04-14 Thread Lukas Tribus
Hi Jon! I have played around with the haproxy configuration using 'redirect location https:// and redirect prefix https:// but without success. And what exactly is the issue with that? Redirecting is a very basic task haproxy can do without problems. On speaking to the vendor, they are

RE: Is this possible in HAPROXY 1.4

2013-04-14 Thread Lukas Tribus
Hi! Cloud Firewall - Cloud SLB - DMZ Web Agent Well, do they all forward TCP port 80 to your haproxy box? There is not much haproxy can do if the http request even doesn't arrive. Configuration would probably look like this (use redirect prefix, not redirect location): frontend unsecured

RE: 'maxconn' usages

2013-04-15 Thread Lukas Tribus
Hi Merton, maxconn can be configured in multiple places: - as a per process limit in the global section [1] - as a per defaults/frontend/listen limit in the that particular section [2] - as a per server or server option, for that specific socket or server [3] All 3 maxconn configurations have a

RE: haproxy

2013-04-16 Thread Lukas Tribus
Hi, you probably need to set the transparent keyword on the bind line, if you want to bind to a possible non-existing ip address. See docs [1]. how will keepalived communicate with haproxy? It doesn't communicate with haproxy afaik. Why should it? Cheers, Lukas [1]

RE: haproxy

2013-04-16 Thread Lukas Tribus
In that case what is haproxy for? To load-balance traffic on different backends. Haproxy can't load-balance its own load, that would be a catch-22. I thought it is suppose to be a load balancer HAproxy is a reverse proxy and a load balancer, yes. keepalived is a heartbeat to detect the

RE: haproxy

2013-04-16 Thread Lukas Tribus
So do i broadcast the ip for haproxy to the web? Or the virtual ip? Which do i connect from the WAN? Configuration would usually look like this: HAproxy server 1 (active): physical IP: 192.168.0.11/24 virtual IP: 192.168.0.20/24 (active) HAproxy server 2 (standby): physical IP: 192.168.0.12/24

RE: Layer4 connection problem: Resource temporarily unavailable

2013-04-16 Thread Lukas Tribus
Hi Ben! Running haproxy 15 development snapshot from 12/30/2012 I suggest you upgrade to the latest snapshot available from [1]. It doesn't make sense to troubleshoot problems on old development snapshots if you are 155 commits back (you are missing critical bug fixes!): #:~/haproxy$ git log

RE: 'maxconn' usages

2013-04-16 Thread Lukas Tribus
Hi Merton, Please let me know if the above understanding is correct. Yes, thats the concept. if I have multiple backends (multiple server options), does the sum of 'maxconn' of their server options have to be no more than the 'maxconn' of their corresponding frontend? Yes that does make

RE: backport d16a1b2a818359e8c3ade85f789e66ed7ca9488c

2013-04-18 Thread Lukas Tribus
Hi Willy! Done, thanks Thomas! Can you also push it so that people see it in git and a nightly snapshot is created? The bug is pretty major, if it is in git and there are snapshots with this fix included at least we don't forget about it and people not following the ML are aware of it (like

RE: 'maxconn' usages

2013-04-18 Thread Lukas Tribus
These connections tend to stay open for 30-60 mins Ok. Currently, I have only one process of this backend running with HAProxy on the same machine (actually VPS). The machine has 8-core cpu and 1g memory.  How much free memory do you have left and how much does your backend software

RE: Sharing stick stable with 2 instances

2013-04-19 Thread Lukas Tribus
Hi Dan, Is there a feature in 1.4 to share a sticky table between two or more  instances of haproxy. Not in 1.4. There is a feature available in 1.5 (-dev) to do this [1]. Regards, Lukas [1] http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#3.5

RE: Sharing stick stable with 2 instances

2013-04-19 Thread Lukas Tribus
Hi Daniel, kindly CC the mailing-list, there are a lot of other people who may be able to help you better than myself. Would it be possible to use balance source? Is the algorithm deterministic? If the backend configuration with servers is exactly the same, balance source may work in that

RE: Additional colours in web interface for soft stop?

2013-04-19 Thread Lukas Tribus
Hi Geoff! I've told them to ensure the weight is '1' on all servers that should be serving content, but as we all know something like that can be missed pretty easily Agreed. I'm not sure if this is duplicating functionality that wasn't functional or not, but here are the changes I've

RE: Follow-up on thread 'SSL handshake failure' from 2/5/2013

2013-04-24 Thread Lukas Tribus
Hi! Please also note that the second SOAP call made that fails the handshake also causes the HAProxy server to crash. Could you: - use latest snapshot from [1] - provide the output of haproxy -vv - can you tell us OS, kernel and openssl version? - compile haproxy with debug and without

RE: Follow-up on thread 'SSL handshake failure' from 2/5/2013

2013-04-25 Thread Lukas Tribus
, Zack -Original Message- From: Lukas Tribus [mailto:luky...@hotmail.com] Sent: Thursday, April 25, 2013 4:19 PM To: Connelly, Zachary (CGI Federal) Subject: RE: Follow-up on thread 'SSL handshake failure' from 2/5/2013 Hi Zack, in fact

RE: Follow-up on thread 'SSL handshake failure' from 2/5/2013

2013-04-26 Thread Lukas Tribus
Hi! report the exact snapshot you used. He is at current HEAD by using 20130425 with c621d36ba applied manually on it (linux 2.6.18 without tproxy support). He also saw the crashes in -dev18, but I had him update the code. Thanks, Lukas

RE: HAProxy on FreeBSD 8.3 with transparent proxying (TProxy?)

2013-04-26 Thread Lukas Tribus
Hi, throwing in my two cents here, based on a few uneducated guesses reading the Makefile, etc. Feel free to disagree/correct/shout at me :) (actually I wrote this before Willy answered) As for renaming the CONFIG_HAP_LINUX_TPROXY to something different would require everyone that on a

RE: Haproxy CPU 100%, after running about two weeks

2013-05-02 Thread Lukas Tribus
Hi Jinge! I believe you are facing 2 different issues here. Today, our haproxy CPU grow to 100%. And the machine become terribly slow. Please upgrade to recent 1.4 code, you are missing a a few fixes, including one a security fix. I suggest the snapshot 20130427 which also includes a loop

RE: Monitor always returns HTTP 200

2013-05-02 Thread Lukas Tribus
Hi James! I always receive a HTTP 200 response to my browser How do you know that? Do you have a browser extension or are you using tcpdump/wireshark? Can you show this with a curl request, so that we understand whats going on excatly? Something like this should do the job: curl -vv

RE: Monitor always returns HTTP 200

2013-05-02 Thread Lukas Tribus
Hi James! (sorry for repost, first mail was accidentally html) I always receive a HTTP 200 response to my browser How do you know that? Do you have a browser extension or are you using tcpdump/wireshark? Can you show this with a curl request, so that we understand whats going on excatly?

  1   2   3   4   5   6   7   8   9   10   >