Channel: HAProxy community - Latest topics

Routing by domain

@huypv.w wrote:

Hi, my server has 2 apps running on ports 3000 and 3001. I want to use 2 domains to point to these apps. Here is my config:

```
frontend Local_Server
    bind *:80
    mode http
    acl app2_req hdr_dom(host) -i domain2.tk
    use_backend app2 if app2_req
    default_backend app1

backend app1
    server app1 localhost:3000 check

backend app2
    server app localhost:3001 check
```

But it seems not to be working @@, can anyone help me?
Thank you all very much!

Posts: 1

Participants: 1


Stick session bases on cookie

@amod wrote:

Hi,

I am using cookie-based session stickiness for our HAProxy config. We have 2 backend servers serving application requests. Since we don’t use session replication, we want requests from the same user to be served by the same backend server. In the production environment, it seems requests from the same user are sometimes served by a different server, though this happens intermittently. I am not sure whether the configuration is correct. Here is the relevant section from our haproxy.cfg:

```
backend nodes
    mode http
    balance source
    hash-type consistent
    option forwardfor
    option httpchk HEAD / HTTP/1.1\r\nHost:localhost
    cookie appserver insert indirect nocache
    server app1 x.x.x.1:8081 weight1 maxconn 512 check cookie a1
    server app2 x.x.x.2.8081 weight1 maxconn 512 check cookie a2
```

  1. Does the server name have to be the same as the cookie value? I.e., in my case, instead of
    server app1 x.x.x.1:8081 weight1 maxconn 512 check cookie a1
    should I change it to
    server app1 x.x.x.1:8081 weight1 maxconn 512 check cookie app1

  2. If this is not the problem, is there anything else that I should configure?

Thanks for all the help.

Amod

Posts: 1

Participants: 1

Delete all headers

@watcher666 wrote:

Hello

How can I delete all but specific headers?

This deletes only by name:
http-request del-header Host

This is not working:
http-request del-header ^*

Posts: 1

Participants: 1

Does HAproxy Work Internally?

@paul1 wrote:

Hi again,

I recently mentioned in another post that I set up a lab in VirtualBox with two IIS webservers and a Windows 10 machine, all on the same network (192.168.200.XXX).

If I access the website from the Win 10 machine, then when I access the monitoring page of HAProxy my sessions and the data always stay zero.

They are set up using http and layer 4. If I shut down the servers or disable IIS, HAProxy notices the servers are down, but I’m still getting no stats. I don’t have external access set up to the site, only internal.

For example, one server is 192.168.200.2 and the other .3, with bindings to the websites and AD DNS records. I’m beginning to think that perhaps this doesn’t work internally?

Any advice please, as I’m really stuck! Really appreciate your help.

Posts: 1

Participants: 1

HAProxy : Http-request deny working for http but not https urls

@abhigoel22 wrote:

I am using HAProxy as a middle server for routing my requests to different proxy servers.
So, for particular reasons, I was trying to block all PNG files with my HAProxy server. The problem is that if I access any http domain with .png at the end, it works perfectly fine and blocks it… but if I access an https domain, it doesn’t block it and lets it through. Kindly help. I cannot fathom it right now, because it is perfectly routing https requests to the out server but it is not blocking https requests with .png at the end. Here is my haproxy config below:

```
# Forward HAProxy config
global
    daemon
    maxconn 300000

defaults
    mode http
    timeout connect 10000ms
    timeout client 50000ms
    timeout server 50000ms

listen stats
    bind :9999
    stats enable
    stats hide-version
    stats uri /stats
    stats auth admin:admin123

frontend pro_in1
    bind 0.0.0.0:21001
    acl im path_end .png
    http-request deny if im
    use_backend pro_out1

backend pro_out1
    cookie SERVERID insert indirect nocache
    option httpclose
    option forwardfor header X-Client
    balance roundrobin
    mode http
    server ip-1 xxxxxxxxxxx:7777
```

Posts: 1

Participants: 1

Need more info on Termination state codes "CD" and "CC"

@laxmi wrote:

Hi,

I am using HAProxy version 1.8.8.

I’m observing status code of “503” with termination codes as “CD” and “CC” for some requests. HAProxy logs show that the backend is selected (there are several backend servers in configuration) and also the total http time is less than server timeout and also client timeout.

I understand CC and CD would happen when the client closes the connection. However, the reason for seeing 503 in the logs is not clear. Could someone please list the scenarios when this can happen?

Thanks.

Posts: 1

Participants: 1

Intermittent request failure with termination code "KH"

@belwals wrote:

Hi,

We are using HAProxy 1.7.9 with keep-alive connections, and have overridden connection-timeout to 10m and keep-alive to 10s.

Intermittently, requests are failing with termination code KH and response code 502. Please find below a sample of request timings.

```
0/0/0/-1/85072
0/0/0/-1/60879
0/0/0/-1/93077
0/0/0/-1/82248
0/0/0/-1/112680
0/0/0/-1/72457
0/0/0/-1/72262
0/0/0/-1/66217
0/0/0/-1/63302
0/0/1/-1/65023
0/0/0/-1/297599
0/0/0/-1/84934
0/0/1/-1/86788
0/0/0/-1/86192
0/0/1/-1/69071
0/0/0/-1/260637
0/0/0/-1/120751
```

So my understanding of failure is:

  • Backend is still fetching the data, but HAProxy thinks the connection is idle and is closing the connection prematurely?
  • Failover/load balancing: requests which are being served by the HAProxy leader instance, which after load balancing is no longer the leader, and the existing connection is being treated as idle

Has anyone faced a similar problem, and do you know a workaround?

I am also wondering if it is worth trying `option prefer-last-server` – to redirect calls to the same box –
or `option srvtcpka` – to get packets from the backend to HA

Thanks in advance!

Posts: 1

Participants: 1

Haproxy in front of elasticsearch rest api on multinode cluster? KeepAlive Issue?

@asp wrote:

Hi, I’ve set up a 3-node elasticsearch cluster on different VMs locally on my laptop.

I use haproxy for load balancing.
Connecting curl or kibana against the load balancer works fine, but logstash’s monitoring pipeline is giving errors. I did not test with the real pipeline yet.
It looks to me as if logstash wants to keep the connection open, but with haproxy in the chain the connection gets closed and logstash does not seem to recognize the closure correctly (or it is not forwarded to logstash correctly). So it hits an error and after a while it reconnects again.

I hope one of you is using haproxy in front of elasticsearch’s REST API and can provide your configuration. I am new to haproxy.

Mine looks like this:

```
global

    log         127.0.0.1 local2 debug
    log         127.0.0.1 local0 debug

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000

    user        haproxy
    group       haproxy
    daemon
    stats socket /var/lib/haproxy/stats
    tune.ssl.default-dh-param   2048

defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000


frontend ft_elasticsearch_http
    mode tcp
    option tcpka
    option tcplog
    bind 0.0.0.0:9201 name elasticsearch_http
    default_backend bk_elasticsearch_http


backend bk_elasticsearch_http
    mode tcp
    option httpchk HEAD / HTTP/1.1\r\nAuthorization:\ Basic\ aGVhbHRoY2hlY2s6aGVhbHRoMQ==
    http-check expect status 200
    option tcpka
    option tcplog

    default-server fall 2

    balance source
    option log-health-checks
    default-server inter 1s fall 2
    #server elastic03.internal.de_9200 elastic03.internal.de:9200  check check-ssl verify required ca-file /etc/haproxy/certs/ca/elasticsearch/elastic.pem inter 2s
    #server elastic02.internal.de_9200 elastic02.internal.de:9200  check check-ssl verify required ca-file /etc/haproxy/certs/ca/elasticsearch/elastic.pem inter 2s
    server elastic01.internal.de_9200 elastic01.internal.de:9200  check check-ssl verify required ca-file /etc/haproxy/certs/ca/elasticsearch/elastic.pem inter 2s
```

When I wireshark the connection without loadbalancer in the chain, I can see tcp keepalives, but with haproxy in between, I don’t see any.

Thanks a lot, Andreas

Posts: 1

Participants: 1


HAproxy > mapfile backendselection with directory

@makara1 wrote:

Hey guys, quite new here and also quite the beginner. I would like to match a domain and directory with my map file and I am wondering how to do this the best way.

As far as I can determine, the backend selection currently functions with

use_backend %[req.hdr(host),lower,map_dom(mapfile.txt,bk_defaultbackend)]

with a mapfile.txt containing something like this:

sub.domain.tld bk_subdomain

When navigating to sub.domain.tld, the proper backend will be selected. However, I would like to be able to forward directories, e.g.

sub.domain.tld/dir bk_otherbackend

which does not work with map_dom in the use_backend code. How would I go about this, and how would I rewrite this line?

use_backend %[req.hdr(host),lower,map_dom(mapfile.txt,bk_defaultbackend)]

Posts: 1

Participants: 1

How to disable backend check?

@genseb1 wrote:

Hi,

I have a haproxy (1.8.19) with a backend containing a single server node.

The server was not accessible for a few minutes and haproxy considered this server as unavailable.

```
Feb 13 02:53:54 ip-172-31-42-147 haproxy[27944]: Server node1 is DOWN, reason: Layer4 timeout, check duration: 2002ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Feb 13 02:53:54 ip-172-31-42-147 haproxy[27944]: Servernode1 is DOWN, reason: Layer4 timeout, check duration: 2002ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Feb 13 02:53:54 ip-172-31-42-147 haproxy[27944]: backend backend has no server available!
Feb 13 02:53:54 ip-172-31-42-147 haproxy[27944]: backend backend has no server available!
```

The server was unavailable at 02:53:54 and still at 09:32:00, until we restarted haproxy.

Is there a way to disable http check or to set a periodic recheck of the server health?

Thanks.

Posts: 1

Participants: 1

Invalid response -

@genseb1 wrote:

Hi,

We are encountering a random 502 issue.

Displaying the errors using `echo "show errors -1 response" | socat stdio /run/haproxy/admin.sock`, it seems that the response was not complete.

```
Total events captured on [14/Feb/2020:14:38:41.687] : 3

[14/Feb/2020:14:17:09.140] backend plateformefr (#4): invalid response
  frontend https-xxxxxxxxxxx-fr (#3), server node1 (#1), event #2
  src X.X.X.X:13703, session #9217, session flags 0x001004ce
  HTTP msg state MSG_???(170), msg flags 0x00000000, tx flags 0xa8003000
  HTTP chunk len 0 bytes, HTTP body len 0 bytes
  buffer flags 0x80008002, out 0 bytes, total 15360 bytes
  pending 15360 bytes, wrapping at 16384, error at position 15360:
```

When I have a look at position 15360, a part of the message seems to be missing.

15310 Set-Cookie: REFERER_PL=deleted; expires=Thu, 01-Ja (nothing after that)

N.B: for every issue, the error is always located at position 15360

I’ve set tune.http.maxhdr to 32767, thinking that the issue was due to this limitation, but it was not.

Any clues?

Thanks.

Posts: 1

Participants: 1

ETA for next release

@pnikolov wrote:

We will need the next version of the 1.8 branch but we couldn’t figure out when it will become available. Is there any way this site can provide a schedule or an ETA to help us plan better? For example, if 1.8 will not become available for a while we can try upgrading to 2.0, but if 1.8 gets released soon, we may want to wait a few days or weeks.

Does anybody know when 1.8.24 will become available?

Best,
Peter

Posts: 1

Participants: 1

HAProxy and TCP Mode not working correctly on Layer 7

@mehulmpt wrote:

For some reason, I have to use tcp mode even though I’m making all calls over HTTP (read: Docker Engine API)

I got into a very specific problem, and after hours of debugging, I found out that it seems some TCP connections are forwarded as it is by HAProxy to a backend without going through frontend block. To support this, a lot of times I don’t even see logs in TCP mode when I make new server requests. Here’s a working config which works absolutely fine:

```
defaults
    log     global
    mode    http
    option tcplog
    timeout connect 5s
    timeout client 5s
    timeout server 5s

frontend www
    bind :2376
    tcp-request inspect-delay 100ms
    acl headertest hdr(sessionid) -i test
    tcp-request content accept if headertest
    tcp-request content reject
    default_backend servers
```

This works fine if I want to block any request with sessionid header other than ‘test’. Now consider the tcp mode config file:

```
defaults
    log     global
    mode    tcp
    option tcplog
    timeout connect 5s
    timeout client 5s
    timeout server 5s

frontend www
    bind :2376
    tcp-request inspect-delay 100ms
    acl headertest hdr(sessionid) -i test
    tcp-request content accept if headertest
    tcp-request content reject
    default_backend servers
```

Reproducing this bug:

  1. Switch it to TCP.
  2. First I give it an HTTP request with sessionid ‘test1’, which would fail because of the condition.
  3. Next I give it an HTTP request with sessionid ‘test’, which passes, as expected.
  4. Finally I give it an HTTP request with ‘test1’ again, and it passes! It shows the webpage, and no log entry is generated, although I can verify that the request was received on the backend.

Check this:

ALSO: NO LOG ENTRY IS GENERATED FOR THE 3rd request, hence, I believe it never passes through the frontend block.

Why is that? I’ve spent a lot of hours reading the docs, and this should not be the behavior. Clearly, it states that it is possible to read HTTP data in TCP mode in docs (https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#tcp-request%20content) as the docs say and I quote:

It is perfectly possible to match layer 7 contents with “tcp-request content” rules, since HTTP-specific ACL matches are able to preliminarily parse the contents of a buffer before extracting the required data.

Posts: 1

Participants: 1

Re-encryption getting: 504 Gateway Time-out

@Gudjon wrote:

Hi, I hope it’s OK to post this here.
I’m having a problem configuring haproxy with re-encryption.
For some reason I need to re-encrypt all traffic to the backend servers.
I have tested the setup with no encryption to the backend and that works fine.
But when I use encryption I get the error “504 Gateway Time-out”.
I can go straight to the backend server using http or https without problems.
I have tested telnet from the proxy server to the backend on 443, and that is OK.
The URLs are similar to this one: "https://proxy.xxxxx.net/name/server/site/worker/xxxxx"
The backends are IIS servers.
Am I doing something wrong or misunderstanding?

Would be great to get input and/or guidelines if someone has.

Version: HAProxy version 1.8.23-1ppa1~bionic, released 2019/11/26 running on Ubuntu.

Here is something similar to what I have configured. Server names and paths changed.

```
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    # Default SSL material locations
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES25$
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    tune.ssl.default-dh-param 2048
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

defaults
    log global
    mode http
    option httplog
    option dontlognull

    timeout connect 25000ms
    timeout client 60000ms
    timeout server 60000ms
    timeout queue 60000ms
    timeout http-request 15000ms
    timeout http-keep-alive 15000ms
    option http-server-close

frontend http
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/haproxy_full.pem
    # If the path begins with an entry defined in the acls file, traffic is routed to prod_2
    acl cond1 path_beg -i -f /etc/haproxy/customer-redirects.acls
    use_backend prod_2 if cond1
    default_backend prod_1

backend prod_1
    mode http
    #server prod_app1 prod_1.abc.net:80 check # Works as expected if I use 80
    server prod_app1 prod_1.abc.net:443 check ssl verify none
    #server prod_app1 prod_1.abc.net:443 check ca-file /etc/haproxy/certs/ca.complete.crt # used this one without success, same error.

backend prod_2
    mode http
    server prod_app2 prod_2.abc.net:80 check
    #server prod_app2 prod_2.abc.net:443 check ssl verify none # Not working
```

Posts: 1

Participants: 1

503 after week end of inactivity

@genseb1 wrote:

Hi,

I’m encountering strange behaviour using haproxy 1.8.

I’m using the frontend and backend below:

```
frontend https-fr
    bind *:443 ssl crt /etc/haproxy/ssl/mycert.crt
    acl plateformefr hdr(host) -i www.test.com
    use_backend plateformefr if plateformefr

backend plateformefr
    http-request set-header X-Forwarded-For %[src]
    server node1 myserver:443 ssl verify none
```

Last week, as my node was unavailable for a few minutes, haproxy disabled this node.

To avoid this happening again, we’ve disabled the health check by removing “check” from “server node1 myserver:443 check ssl verify none”.

Last Friday, everything was working fine.

Today (Monday), haproxy returned a 503 error.

Below are last Friday’s last logs and today’s first logs:

```
haproxy.log.1
Feb 14 18:52:04 ip-priv-ip haproxy[4456]: public_ip:13358 [14/Feb/2020:18:52:03.983] https-fr~ plateformefr/node1 0/0/1/315/316 200 10023 - - ---- 5/3/0/1/0 0/0 "GET /index.php?page=mypage HTTP/1.1"

haproxy.log
Feb 17 08:12:25 ip-priv-ip haproxy[4456]: public_ip:11591 [17/Feb/2020:08:12:25.177] https-fr~ plateformefr/node1 0/0/13/31/45 503 755 - - ---- 2/2/1/2/0 0/0 "GET / HTTP/1.1"
```

This load balancer is only used internally, so it is normal that no traffic is generated during the weekend.

To resolve this issue, we’ve restarted haproxy.

Is this issue due to an inactivity time? Is there a way to avoid this behaviour?

Thanks

Posts: 1

Participants: 1


Ssllab still complains about tls 1.0

@justauser wrote:

Hello everyone,
I am trying to achieve a good result on ssllabs.com, but I got a complaint that my website uses TLS v1.0. I thought that I had disabled it with this line in haproxy.cfg:

bind abns@go_to_myfrontend accept-proxy ssl crt /etc/haproxy/certs/mycert.pem verify none ciphers EECDH+AESGCM:EDH+AESGCM force-tlsv12 no-tlsv10

But no. The curious thing is that when I added the line, ssllabs stopped complaining about TLS 1.1.

Does someone know what I missed?


OpenSSL 1.0.2k-fips 26 Jan 2017
HA-Proxy version 1.5.18 2016/05/10
CentOS Linux release 7.7.1908 (Core)

Thanks a lot in advance for your time.

Posts: 1

Participants: 1

Haproxy SMTP EXIM

@sideways wrote:

I am trying to setup haproxy in front of 2 CentOS 7 cPanel servers with SSL termination. I have hit the following problem with the cPanel provided Exim package.

It seems like the Exim version provided with cPanel is not built with the option enabled for “PROXY” support.

I am concerned that there may be nothing I can do to get this working. Exim does not seem to accept the authentication or commands sent by the proxy. I tried with the haproxy backend config enabled for proxy-support and no proxy-support.

Is the build option “PROXY” really required for Exim to function behind haproxy? Is there any workaround anyone can think of? I would prefer not to mess with cPanel RPMs or swap out cPanel entirely but there may be no choice.

Somebody suggested using nginx in this case but it adds a lot of complications for authentication etc and I am thinking there will still be issues if Exim is not proxy aware.

Thanks to anyone who can provide a bit of info or ideas.

Best regards,

Posts: 2

Participants: 1

Request & Response body logging

@yuriy.tigiev wrote:

Hello,

How can I log request and response bodies using Lua in HAProxy?

I have made a configuration for nginx and would like to make a similar configuration for HAProxy. Can someone help me to adapt it?

```
worker_processes 1;
error_log logs/error.log;

events {
    worker_connections 1024;
}

http {
    log_format log_req_resp '$remote_addr - $remote_user [$time_local] '
        '"$request" $status $body_bytes_sent '
        '"$http_referer" "$http_user_agent" "$proxy_add_x_forwarded_for" "$http_x_real_ip" "$http_host" $request_time req_body:"$request_body" resp_body:"$resp_body"';

    server {
        listen 8899;
        proxy_set_header X-Real-IP $http_x_real_ip;
        proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-Host $http_host;
        access_log logs/access.log log_req_resp;

        lua_need_request_body on;

        set $resp_body "";
        body_filter_by_lua '
            local resp_body = string.sub(ngx.arg[1], 1, 1000)
            ngx.ctx.buffered = (ngx.ctx.buffered or "") .. resp_body
            if ngx.arg[2] then
                ngx.var.resp_body = ngx.ctx.buffered
            end
        ';

        location / {
            proxy_pass http://172.30.128.11:3000;
        }
    }
}
```

Posts: 1

Participants: 1

Statistics and reality

@xohox wrote:

Hello.

Tell me, in the statistics 32 active compounds are indicated.
Actually there are 58.
Where is the mistake?

Posts: 1

Participants: 1

HAProxy as pure HA

@vocnagar22 wrote:

Hello HAP Community,
I am new to HAProxy and my requirement is to provide high availability for my website. Due to session management and details, we do not want to use the load balancing features available from HAProxy.

Is it possible to disable the load balancing and simply use high availability using the check functionality available from HAP? If so, please help me with the required setting.

Posts: 1

Participants: 1
