SNI healthcheck on backend?

2016-06-09 Thread rainer
doesn't (seem to) use github, the authors might think about installing gitlab. Best Regards Rainer

Re: Problems with haproxy 1.7.3 on FreeBSD 11.0-p8

2017-03-06 Thread rainer
Hi, it would be cool if somebody could open a PR at https://bugs.freebsd.org/ I personally don't use FreeBSD 11 for any of my HAProxy-installations (yet), so I'm not really affected (yet) - but thanks for the heads-up. Regards, Rainer

Re: Problems with haproxy 1.7.3 on FreeBSD 11.0-p8

2017-03-06 Thread rainer
On 2017-03-06 10:05, Matthias Fechner wrote: Dear Rainer, I opened a bug report here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217576 I have only one server already upgraded to FreeBSD 11. The 10.3 installations are running fine with haproxy 1.7.3. Thanks!

Problem with BOM in healthcheck-file?

2017-07-20 Thread rainer
on these files and hang - I had to kill -9 it. After replacing the file with its previous, ASCII-only copy, everything started to work again. Can anyone reproduce this? Maybe it's fixed in later versions? Regards Rainer

Re: Problem with BOM in healthcheck-file?

2017-07-20 Thread rainer
On 2017-07-20 14:18, Jarno Huuskonen wrote: Can you share how you've configured health checks in haproxy.cfg ? backend site-back balance roundrobin mode http option httpchk GET /healthcheck.htm HTTP/1.1\r\nHost:\ site.com\r\nConnection:\ close http-check expect string server_up

Re: What is a nice way to bypass the maintenance mode for certain IP's?

2018-02-20 Thread rainer
/questions/29248144/working-configuration-for-haproxy-with-the-force-persist-setting This is pretty much how I would end up doing it and I'm curious to know if there are any errors in my thinking. (haproxy 1.7.9) Regards Rainer

Re: What is a nice way to bypass the maintenance mode for certain IP's?

2018-02-20 Thread rainer
for the link, I've responded there so that the response can be found for future readers. Willy Thank you! Best Regards Rainer

Question about haproxy logs

2018-04-19 Thread rainer
Hi, I have lines like these: Apr 19 09:32:03 lb-prod haproxy[16717]: 127.0.0.1:50898 [19/Apr/2018:09:32:03.174] srv-pub-front-ssl srv-pub-back-ssl/WINSRV 0/0/0/36/290 500 284 - - --VN 3/1/0/1/0 0/0 "POST /SaveStatistics HTTP/1.1" Does that mean that the backend-server (WINSRV) replied

Re: Question about SNI

2019-06-25 Thread rainer
nd-servers. curl-ing the URLs works without problems. Because it's all encrypted, I have a hard time figuring out what haproxy is actually sending to the backend. Is there a way to enable some sort of logging on what requests are actually made to the backend? Best Regards Rainer

Re: Question about SNI

2019-06-25 Thread rainer
On 2019-06-25 14:44, Lukas Tribus wrote: Hello Rainer, On Tue, 25 Jun 2019 at 12:53, wrote: Hi, I tried to read up on this but there are many examples and not all of them seem "correct". It's simple: do not content-switch based on SNI. Use the host header instead. That's it.

Re: Question about SNI

2019-06-25 Thread rainer
On 2019-06-25 16:54, Lukas Tribus wrote: Hello Rainer, On Tue, 25 Jun 2019 at 16:18, wrote: The requests from the healthchecks *do* arrive at the right vhosts on the backend, there's a code 200 in the logs. So, I wonder what exactly is timing out for haproxy. The server on the other end

Re: Question about SNI

2019-06-25 Thread rainer
On 2019-06-25 18:26, Lukas Tribus wrote: Hello Rainer, On Tue, 25 Jun 2019 at 18:01, wrote: Ah, OK. Thanks. However, I still get L7TOUT on the healthchecks. I don't follow. Are health checks working or not? You started this thread saying: Healthchecks are OK. But running a curl gives

Question about SNI

2019-06-20 Thread rainer
t this). On of my configs, the stick-table config is a bit larger, like this: stick-table type string len 52 size 100k expire 60m stick store-response res.cook(JSESSIONID) stick on req.cook(JSESSIONID) But it should not be relevant to the error, right? Anyone got any ideas? Regards Rainer

Re: Question about SNI

2019-06-20 Thread rainer
On 2019-06-20 13:18, Lukas Tribus wrote: Hello, you only enabled SNI for health checks (check-sni). You need to enable SNI for the actual traffic with the sni keyword. sni str(intern3.local) or sni hdr(host) lukas Ah, ok. Thanks a lot! I now used ssl_fc_sni_reg -i host3.intern I

Re: Question about SNI

2019-06-26 Thread rainer
On 2019-06-25 19:44, Lukas Tribus wrote: Hello Rainer, [...] I suggest you try a HEAD request for the haproxy health check instead: option httpchk HEAD /swagger/ui/index HTTP/1.1\r\nHost:\ app-api.dom.intern\r\nUser-agent:\ LB-Check-API\r\nConnection:\ close There is no need

haproxy and CARP - binding a frontend to a specific IP on the backup-server

2021-09-17 Thread rainer
at address for sending (which it obviously can't, when it's not MASTER)? Rainer

Re: Empty IP when forwardfor enabled

2009-01-18 Thread Rainer Sabelka
rised up it from 6 to 15, but no luck. How could I fix this? You probably need option httpclose. -Rainer

haproxy dumps core

2013-07-30 Thread Rainer Duffner
GET /ip_monitor_mysql.php HTTP/1.1\r\nHost: p-stage.1st.domain\r\nConnection:\ close server app2 first.ip:80 weight 1 check server input1 second.ip:80 weight 1 check listen admin 0.0.0.0:22002 mode http stats uri / Regards, Rainer

Re: haproxy dumps core

2013-07-30 Thread Rainer Duffner
On Tue, 30 Jul 2013 21:40:34 +0200, Lukas Tribus luky...@hotmail.com wrote: Hi Rainer! I'm using haproxy on FreeBSD 9.1-amd64 inside a VMware VM. I realized that when I have a situation where all servers in a backend are down, haproxy crashes: Jul 30 08:03:52 px2-bla kernel: pid

Re: haproxy dumps core

2013-10-23 Thread Rainer Duffner
On 30.07.2013 at 21:40, Lukas Tribus luky...@hotmail.com wrote: Hi Rainer! I'm using haproxy on FreeBSD 9.1-amd64 inside a VMware VM. I realized that when I have a situation where all servers in a backend are down, haproxy crashes: Jul 30 08:03:52 px2-bla kernel: pid 58816 (haproxy

Re: Load balancing FTP with HAProxy behind a firewall

2014-07-16 Thread Rainer Duffner
hdr(host) ACL only applies to HTTP. Furthermore, I'm not sure there is a notion of Host header in FTP ;) Last time I looked (admittedly with 1.4) into FTP+HAProxy, the end-result was that it was just not possible. AFAIK, you can use LVS for that on Linux.

Can you balance-out service-checks better?

2014-08-28 Thread Rainer Duffner
Hi, we will put haproxy in front of a Zimbra infrastructure (which we have split-up, so that there is a „front end“, with pop, imap, smtp and a „back end“, where the mail sits). I have two haproxy-servers (active/standby via CARP) that are checking the front-ends. I check: - smtp - smtps

Re: Can you balance-out service-checks better?

2014-08-28 Thread Rainer Duffner
On 28.08.2014 at 22:41, Baptiste bed...@gmail.com wrote: Hi, maybe you could share your HAProxy configuration :) By default, HAProxy tests a service every 3s, which is fine. It just does a tcp connect, so nothing complicated for your server to handle. Since we switched to

Re: Can you balance-out service-checks better?

2014-08-28 Thread Rainer Duffner
On 28.08.2014 at 23:21, Baptiste bed...@gmail.com wrote: Ok, I would create a monitoring backend, such as below: Hey, thanks a lot! I will try this and report back. Best Regards, Rainer

Is it possible to query the query the status of a server and use it in an ACL?

2014-09-11 Thread Rainer Duffner
Hi, I want to take the status of a server of a given backend and use it in another backend or in the frontend. Is that possible? I thought there might be something similar to nbsrv() - but I haven't found anything. Best Regards Rainer

haproxy sending RSTs to backend-servers

2014-09-18 Thread Rainer Duffner
Hi, I’ve configured nginx+haproxy in front of a couple of IIS servers. NGINX terminates SSL. configuration is as following: global log /var/run/log local5 log /var/run/log local1 notice #log loghostlocal0 info maxconn 4096 #debug #quiet user www group www daemon

HAPROXY for IMAP, SMTP

2014-10-18 Thread Rainer Duffner
Hi, we use HAPROXY for incoming mail, outgoing mail (authenticated), POP3, IMAP. With incoming mail, I can make use of HAProxy’s send-proxy feature to make the source-IP known to the backend SMTP-servers. (Works in the lab, I just need to move a few hundred customers off port 25 for

Re: 1.5.9 crashes every 4 hours, like clockwork

2014-12-11 Thread Rainer Duffner
provisioned with chef and are pretty similar and I’ve got this issue nowhere else. I build the package myself on my own poudriere-server and the same package works elsewhere on much busier servers without problems. We’ve got an icinga event-handler that restarts it… Rainer

Re: tcp-check for IMAP SSL ?

2015-01-01 Thread Rainer Duffner
be correct, according to this: http://comments.gmane.org/gmane.comp.web.haproxy/19274 But only for SSL. Don’t know about inline-TLS. Rainer

Re: Is FTP through haproxy at all viable?

2015-05-09 Thread Rainer Duffner
I consider openssh for sftp pretty much unusable for clients/customers. I wouldn’t say that. Certainly true if they don’t actually know what they’re doing. As for the setup: yes, the first directory users can write to in a chroot-setup is a subdirectory of the home directory (because $HOME

Re: Linux or FreeBSD ?

2015-09-30 Thread Rainer Duffner
> On 30.09.2015 at 16:25, Jeff Palmer wrote: > > Arnall, > > > This advice is less of an haproxy specific response, and more of > general information. > > As someone who's tried to manage mixed infrastructure, I would push > back if possible, unless your organization has

Re: Linux or FreeBSD ?

2015-09-30 Thread Rainer Duffner
> On 01.10.2015 at 01:22, Willy Tarreau wrote: > >> > > I'd be tempted to place my judgement between yours and Jeff's. I'd say > that if the company is already using the target OS on any other place, > the cost of switching is low. If the load balancer is the opportunity > to

Re: WAF in HAProxy

2016-05-06 Thread Rainer Duffner
> On 06.05.2016 at 00:15, Thierry FOURNIER wrote: > > Hi, > > You can look here: > > http://discourse.haproxy.org/t/ironbee-in-haproxy/92 > > Thierry > > Is that project actually alive? The last (and what looks like only) commit this year was to

Re: HaProxy Hang

2017-03-03 Thread Rainer Duffner
> On 03.03.2017 at 15:07, David King wrote: > > Hi All > > Hoping someone will be able to help, we're running a bit of an interesting > setup > > we have 3 HAProxy nodes running freebsd 11.0 , each host runs 4 jails, each > running haproxy, but only one of the

Re: NFS mounts freezing via Haproxy

2018-05-21 Thread Rainer Duffner
> On 22.05.2018 at 06:46, TomK wrote: > > Trying to mount an NFS share via an Haproxy / Keepalived configuration. When I > mount the NFS share directly from the host, bypassing Haproxy / Keepalived, > it works fine. However, when I try via the Haproxy / Keepalived

Re: OT: About WebPageTest results (was Re: SSL Labs says my server isn't doing ssl session resumption)

2021-06-21 Thread Rainer Duffner
> On 21.06.2021 at 18:25, Shawn Heisey wrote: > > On 2021-06-20 06:03, Shawn Heisey wrote: >> Unrelated, and off topic because it's mostly about Apache, but strange: >> I've been doing some tests with webpagetest.org, and seeing REALLY >> long load times for some resources in their waterfall

Re: Transparent proxy issue on FreeBSD

2023-03-07 Thread Rainer Duffner
> On 07.03.2023 at 08:46, Marc West wrote: > > > > Any other thoughts to look at or data that would be helpful to collect? > I admit I only toyed with TP, so I really don’t know what I’m doing there, but: Have you tried to just use pfSense for this? The developer of the package

Re: Transparent proxy issue on FreeBSD

2023-03-07 Thread Rainer Duffner
> On 07.03.2023 at 18:26, Marc West wrote: > > On 2023-03-07 08:09:04, Rainer Duffner wrote: >> I admit I only toyed with TP, so I really don’t know what I’m doing >> there, but: >> >> Have you tried to just use pfSense for this? The developer of th