Channel: HAProxy community - Latest topics
Viewing all 4731 articles

Haproxy issue unable to start services


@johnsonn wrote:

Hi Team,

We have set up a new HAProxy in our project, and on the new haproxy VM that I have built I’m getting the error below when I try to see the haproxy service status.

● haproxy.service - HAProxy Load Balancer
Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Thu 2020-02-20 09:29:49 IST; 1h 24min ago
Process: 22275 ExecStart=/usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid $OPTIONS (code=exited, status=1/FAILURE)
Main PID: 22275 (code=exited, status=1/FAILURE)



Trouble with getting TLS 1.3 working on Ubuntu 16.04


@ninjakidd wrote:

Hi there,

I’m having an issue with my HAProxy installation. I’m trying to get TLS 1.3 working successfully. When using the SSL test site, 1.3 is not being served.

I have made the required changes in the .cfg file, but I think the problem is the version of OpenSSL HAProxy is built with, which is 1.0.2g. Here’s the output from haproxy -vv:

HA-Proxy version 1.8.24-1ppa1~xenial 2020/02/16
Copyright 2000-2020 Willy Tarreau <willy@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label
  OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_SYSTEMD=1 USE_PCRE2=1 USE_PCRE2_JIT=1 USE_NS=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.0.2g  1 Mar 2016
Running on OpenSSL version : OpenSSL 1.0.2g  1 Mar 2016
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.1
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE2 version : 10.21 2016-01-12
PCRE2 library supports JIT : yes
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
        [SPOE] spoe
        [COMP] compression
        [TRACE] trace

I can see that TLSv1.3 is not supported. Here’s the output from openssl version

OpenSSL 1.1.0h 27 Mar 2018 (Library: OpenSSL 1.1.1d 10 Sep 2019)

So OpenSSL is the required version; I just don’t know how to link HAProxy to use the newer libraries. I’m not an expert on these things. I’ve tried to remove the current version of HAProxy and reinstall, but this made no difference. I’m assuming I will have to build from source, but I’m not sure how I go about this without affecting any other services that are dependent on the OpenSSL libraries.

Sorry if this is a novice question, but I’m a Windows man, dabbling in a bit of Linux.

Any help would be very much appreciated.

Regards,

Rob


Holding page for a request


@bachkilan wrote:

Hi,

I am trying to create a holding page for when the number of requests exceeds the limit.

If my maxconn is 10, then when the 11th connection comes I want to show the user a temporary holding page saying they are in a queue, and process the request when a connection is available.

Could someone help with how to approach this design? Is this achievable using HAProxy and Lua?

The current setup has a Lua service which sends an HTML page as the response for the 11th connection; this HTML page has JavaScript to resubmit the page again after a few seconds. The JavaScript reload is failing in certain browsers, so we want to try a different approach for the holding page.

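As an added illustration, not part of the post above: HAProxy already implements the queue the post describes, so for the basic case no Lua holding service and no JavaScript reload is needed. The backend name, server address and errorfile path below are assumptions.

```haproxy
backend app
    mode http
    # With maxconn 10 on the server, the 11th concurrent request is not refused:
    # HAProxy parks it in the backend queue and releases it as soon as one of
    # the 10 slots frees, without the client ever reloading the page.
    timeout queue 30s
    server app1 10.0.0.10:8080 maxconn 10 check

    # Only when no slot frees within "timeout queue" does the client get a 503.
    # The errorfile is a complete raw HTTP response (status line, headers,
    # blank line, body), so it can carry the holding-page HTML together with
    # a Retry-After header telling the browser when to come back.
    errorfile 503 /etc/haproxy/errors/503-holding.http
```

Two sizing notes: a request waiting in the queue still occupies a client connection, so the frontend and global maxconn have to cover waiting clients as well as served ones; and the same 503 errorfile is used whenever no server is available, so its text should not assume the visitor is merely queued.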

Simplified ACL for SNI matching


@Thoufiq wrote:

Hi There,

We are doing SNI-based routing for multiple domains through our HAProxy LBs, but I need to add a few more domains to the same HAProxy clusters.

But the domains are as mentioned below.
example.haproxy.com
example1.haproxy.com
example2.haproxy.com
example3.haproxy.com
example4.haproxy.com
.
.
example10.haproxy.com

Is there any easy way to group these domains in a single line acl?

Is it possible to configure like this?

tcp-request content accept if { req_ssl_hello_type 1 }
acl application_5 req_ssl_sni -i example(1-10).haproxy.com

Please help.

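As an added example (not the poster's configuration), one way to cover the whole example1 to example10 group with a single ACL is regex matching (-m reg) on the SNI. The backend name, the server address and the inspect-delay value are assumptions.

```haproxy
frontend tls_router
    mode tcp
    bind *:443
    # req_ssl_sni can only be evaluated once the ClientHello has been
    # buffered, so an inspect-delay must precede the content rules.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    # One ACL for example1.haproxy.com .. example10.haproxy.com (the "?" also
    # admits the bare example.haproxy.com). The anchors and the escaped dots
    # keep the pattern from matching names that merely start with or contain
    # one of these hostnames.
    acl application_5 req_ssl_sni -m reg -i ^example([1-9]|10)?\.haproxy\.com$

    use_backend be_application_5 if application_5

backend be_application_5
    mode tcp
    server app5 10.0.0.5:443   # placeholder address
```

When the list grows beyond a handful of names, a map file (req_ssl_sni,lower,map_str(...)) keeps the routing table out of the frontend and avoids a regex per request.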

HAProxy 1.8 and ADFS Redirect different domain


@alpot wrote:

Hi,

I have this scenario:

client —> Ha Proxy (cert fqdn: adfs.com) --------> ADFS (cert fqdn: adfs.int)

So in the client browser they will type https://adfs.com/adfs/ls/idpinitiatedsignon.aspx and be redirected to ADFS with a cert of FQDN adfs.int.

My current configuration below does not work. I’m getting error “503 Service Unavailable” if I type in https://adfs.com. But it will work if I use https://adfs.int.

Any suggestion?

Thank you.


frontend adfsfe
bind *:443 ssl crt adfs.com.pem
mode http
default_backend adfsbe

backend adfsbe
mode http
balance roundrobin
http-check expect string Sign\ in
reqadd X-Forwarded-Proto:\ https if { ssl_fc }
server adfs1 10.0.2.27:443 ssl verify none sni ssl_fc_sni inter 3s rise 2 fall 3


Haproxy not using full server resources for ssl offload


@moses wrote:

I have a haproxy setup on a virtual machine using KVM with 8 cores and 4Gb of memory.
I’m using it as a load balancer with SSL offloading (with verify required).
The server has a load average of 1.7 and is using only about a gigabyte of memory.
The SSL offload takes about 450ms.
My question is why the server is not using the full resources to decrease the response time.
What is causing the event loop to stall?
I have enabled multi-process in my config.
Here is the configuration:

global
  nbproc 8
  cpu-map 1 0
  cpu-map 2 1
  cpu-map 3 2
  cpu-map 4 3
  cpu-map 5 4
  cpu-map 6 5
  cpu-map 7 6
  cpu-map 8 7

  log 127.0.0.1 local0
  maxconn 20000
  daemon
  uid 99
  gid 99
  tune.ssl.default-dh-param 2048
  tune.ssl.cachesize 1000000
  tune.bufsize 32768
  stats socket /var/run/haproxy1.sock mode 600 level admin process 1
  stats socket /var/run/haproxy2.sock mode 600 level admin process 2
  stats socket /var/run/haproxy3.sock mode 600 level admin process 3
  stats socket /var/run/haproxy4.sock mode 600 level admin process 4
  stats socket /var/run/haproxy5.sock mode 600 level admin process 5
  stats socket /var/run/haproxy6.sock mode 600 level admin process 6
  stats socket /var/run/haproxy7.sock mode 600 level admin process 7
  stats socket /var/run/haproxy8.sock mode 600 level admin process 8
  stats timeout 2m #Wait up to 2 minutes for input

#listen stats
#  bind :9001
#  mode http
#  stats enable
#  stats hide-version
#  stats realm Haproxy\ Stats
#  stats uri /haproxy_stats
#  stats auth  admin:sfPalang
#  stats admin if TRUE

defaults
  log     global
  mode    http
  maxconn 10000
  # option  httplog
  option  redispatch
  option  dontlognull
  retries                 3
  timeout http-request    10s
  timeout queue           1m
  timeout connect         10s
  timeout client          1m
  timeout server          1m
  timeout http-keep-alive 10s
  timeout check           10s

frontend https_frontend
  bind 0.0.0.0:443 ssl crt PEM_FILE ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA ca-file /home/arsalan/rootCA.pem verify required process 1-8
  mode http
  option httpclose
  option forwardfor
  reqadd X-Forwarded-Proto:\ https
  
  SOME BACKEND CONFIGS (http backends with roundrobin config)



Mutual TLS with client hostname/san validation


@maartend wrote:

Hi,

I have seen and tested HAProxy can successfully do client authentication based on client SSL certificates.

But what I miss in this client certificate authentication is the CN or SAN validation.
In other words, how can I ensure HAProxy validates the host (client) name against the name specified in the client certificate (SAN or CN)?

From what I have tested, this validation does not take place, which means a client certificate can still be shared and used by multiple clients. Are there any options within HAProxy to ensure such validation takes place?

Am I overlooking something here?

Thanks,

Maarten

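Added example, not from the post: with verify required HAProxy only checks that the client certificate chains to the configured CA; it does not tie the certificate to the host presenting it. The check the post asks for can be assembled from the client subject fetch (ssl_c_s_dn(CN)) and a map from source address to the CN expected from that address, compared with the strcmp converter. All file paths, the map contents and the backend name are assumptions.

```haproxy
frontend mtls_in
    mode http
    # verify required: the handshake fails unless the client presents a
    # certificate issued by clients-ca.pem (paths are placeholders).
    bind *:443 ssl crt /etc/haproxy/server.pem ca-file /etc/haproxy/clients-ca.pem verify required

    # src_to_cn.map is a constructed file of "address/network  expected-CN"
    # lines, e.g. "10.20.0.7 client-a.example.com". Unknown sources resolve
    # to the sentinel __none__ instead of matching nothing.
    http-request set-var(txn.expected_cn) src,map_ip(/etc/haproxy/src_to_cn.map,__none__)

    # No certificate is acceptable from an address that is not in the map.
    http-request deny deny_status 403 if { var(txn.expected_cn) -m str __none__ }

    # The presented CN must be the one expected from this address. A valid
    # certificate copied to another host is rejected here even though the
    # chain check above passed.
    http-request deny deny_status 403 unless { ssl_c_s_dn(CN),strcmp(txn.expected_cn) eq 0 }

    default_backend app

backend app
    mode http
    server app1 10.0.0.10:8080 check   # placeholder
```

This compares the subject CN only; HAProxy's client-certificate fetches expose the subject DN, serial and fingerprint rather than SAN entries, so where the subject is not meaningful, keying the same map on the certificate fingerprint (ssl_c_sha1,hex) is the alternative. Source-address mapping is only as strong as the network's protection against address spoofing, so it complements rather than replaces the CA check.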

Redirect request transparently and change path


@Sven_Lowry wrote:

I need to redirect a web request as follows, and can’t get it working with HAProxy.
Original URL:
http://mywebpage.com/webservices/index.asp?param1?parm2

Redirect transparently (so client doesn’t see URL change) to:
https://myazuresite.azurewebsites.net/FunctionName?code=AzureFunctionID&url=/webservices/index.asp?param1?parm2

I can get it working with:
http-request redirect prefix https://myazuresite.azurewebsites.net/FunctionName?code=AzureFunctionID&url=

But this changes the URL presented to the user to that address, which will break application code.

Does anyone know how to do this?

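Added example, not the poster's configuration: a redirect is by definition visible to the client, whereas rewriting the request in place (set-path, set-query, set-header Host) and forwarding it to the Azure host leaves the browser's URL untouched. It also keeps the function key (code=AzureFunctionID) inside HAProxy instead of handing it to every client in a Location header. The frontend and backend names, the ACL and the CA bundle path are assumptions.

```haproxy
frontend web_in
    mode http
    bind *:80

    acl to_function path_beg /webservices/

    # Keep the original path+query ("url" is the request URI) before touching it.
    http-request set-var(txn.orig_url) url if to_function

    # Rewrite the request itself; no 3xx ever reaches the client.
    http-request set-path /FunctionName if to_function
    http-request set-query code=AzureFunctionID&url=%[var(txn.orig_url)] if to_function
    http-request set-header Host myazuresite.azurewebsites.net if to_function

    use_backend be_azure_function if to_function

backend be_azure_function
    mode http
    # TLS towards the function host with certificate verification. The ca-file
    # path is the Debian/Ubuntu system bundle and is an assumption; sni sends
    # the hostname so the right certificate is served.
    server azure myazuresite.azurewebsites.net:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni str(myazuresite.azurewebsites.net) check
```

HAProxy inserts the captured URI into the query verbatim, so the second "?" in the post's example URL is passed through as-is; if the function expects the url parameter percent-encoded, apply the url_enc converter to the variable in newer releases that provide it.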


Rewrite URL without modifying underlying functionality


@jared_t wrote:

Running into a bit of a challenge with URL rewrites. I am trying to whitelabel some of our services…

Let’s say we offer a service at portal.company.com.

Now we set up tenants within that environment, and without any whitelabel they can log in with the following: portal.company.com/login/tenant1.

What I would like to do is just a rewrite from portal.company.com to portal.tenant.com while still leaving the ability for other users to access portal.company.com.

What I have so far is as follows:

frontend https_443_frontend
    mode http
    bind *:443 ssl crt certlocation
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    # capture group added: \1 in the replacement needs a (...) group to refer to
    http-request replace-uri ^portal.company1.com(.*) portal.tenant.com\1 if { hdr(host) -i portal.tenant.com }
    acl host_portal_443 hdr(host) -i portal.company1.com
    acl host_tenant_443 hdr(host) -i portal.tenant.com
    use_backend portalbackend if host_portal_443
    use_backend whitelabel if host_tenant_443

backend whitelabel
    mode http
    # option httpclose
    # option forwardfor
    balance roundrobin
    cookie SERVERID insert indirect nocache
    # "verify none" and "cookie" are the keywords; each server needs its own cookie value
    server pool1.company.com x.x.x.x:443 ssl verify none check cookie s1
    server pool2.company.com x.x.x.x:443 ssl verify none check cookie s2

The above replace-uri actually does replace the URL; however, the moment you interact with it, it reverts back… so I can imagine I am missing some session handling and more than likely how it’s handling some of the headers.

Any help would be greatly appreciated.


Ask a question about haproxy gpc0 configuration


@seobi wrote:

I am building with 2 layers as shown in the picture.
The main haproxy is responsible for SSL decoding and the main server, and the sub haproxy manages the ACLs.

The sub haproxy has the stick table information and the ACL access limit.
When you check the information with “show table”, you see:

# table: pcweb-limit-back, type: ip, size:268435456, used:2
0x1dcc20c: key=10.11.12.123 use=0 exp=26377 gpc0=0
0x1dcc67c: key=10.11.12.124 use=0 exp=25909 gpc0=1

Only the main haproxy IP (10.11.12.124) increases the gpc0 count;
the client IP (10.11.12.123) does not increase the gpc0 count.

How can I increase the gpc0 count of the client ip (10.11.12.123)?

Or if you have a setting to restrict server inflows in other ways, please advise.

Thank you in advance

Main HAproxy config

###
#
# Global Setting
#
###
global
    log 127.0.0.1   local2

    uid 99
    gid 99
    daemon

###
#
# Peers Setting
#
###
peers peerlist
    peer main-hpx 10.11.12.124:11000

###
#
# Default Setting
#
###
defaults
    log     global
    timeout connect 150s              #all client - server
    timeout client 5m                #all client - vip
    timeout server 5m               #vip server - real server
    mode http


###
#
# Frontend Proxy Setting
#
###


frontend main-haproxy
    bind 10.11.12.124:80
    bind 10.11.12.124:443 ssl crt /etc/haproxy/decode.dec
    maxconn 100000
    bind-process 1

    default_backend sub-haproxy

###
#
# Backend Proxy Setting
#
###

backend sub-haproxy
    mode http
    balance roundrobin
    fullconn 100000
    bind-process 1

    option forwardfor

    # haproxy
    server sub-hpx 10.11.12.125:80 check inter 5s fall 2 port 11001

Sub HAproxy config

global
    log 127.0.0.1   local2

    uid 99
    gid 99
    daemon

    maxconn 160000

peers peerlist
    peer sub-hpx 10.11.12.125:11025

defaults
    log     global
    timeout connect 150s
    timeout client 5m
    timeout server 5m 
    mode http


frontend pcweb-front
    mode http
    bind 10.11.12.125:80
    maxconn 100000

    log-format (%f)\ %ci:%cp\ to\ %s\ %{+Q}r\ %ST

    default_backend pcweb-back
    
    acl is_location url_beg /location/id/1234
    
    use_backend pcweb-limit-back if is_location


backend pcweb-back
    mode http
    balance roundrobin
    fullconn 100000

    option httpchk GET /monitor/l7check
    http-request set-header X-Forwarded-For %[src]

    # fixed server
    server web-server1 10.22.23.123 check inter 5s fall 2 port 80
    server web-server2 10.22.23.124 check inter 5s fall 2 port 80


backend pcweb-limit-back
    balance roundrobin
    fullconn 100000
    mode http

    option httpchk GET /monitor/l7check
    option forwardfor

    # Table definition
    stick-table type ip size 256m expire 1m store gpc0 peers peerlist
    http-request track-sc0 hdr(X-Forwarded-For) table pcweb-limit-back
    
    # Accepting connection condition
    acl under_limit table_cnt lt 10
    http-request allow if under_limit { src_inc_gpc0 ge 1 }
    redirect location http://domiain.com/error.html if !under_limit { src_get_gpc0 eq 0 }

    # fixed server
    server web-server3 10.22.23.125 check inter 5s fall 2 port 80
    server web-server4 10.22.23.126 check inter 5s fall 2 port 80

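Added example, not the poster's configuration: the post's backend tracks the X-Forwarded-For address with track-sc0 but then tests src_inc_gpc0 and src_get_gpc0, and the src_* fetches key on the TCP source address, which behind a first-layer proxy is always the main HAProxy. The sc0_* fetches and the sc-inc-gpc0 action operate on the tracked key instead. Server addresses, names and the redirect target are taken from the post; the limit logic is the added part.

```haproxy
backend pcweb-limit-back
    mode http
    balance roundrobin
    fullconn 100000
    option httpchk GET /monitor/l7check

    stick-table type ip size 256m expire 1m store gpc0 peers peerlist

    # Track the LAST X-Forwarded-For address: that is the one the trusted main
    # HAProxy appended with "option forwardfor". Earlier entries can be
    # supplied by the client and must not become the key.
    http-request track-sc0 req.hdr_ip(X-Forwarded-For,-1) table pcweb-limit-back

    # sc0_get_gpc0 reads the counter of the tracked entry (the client IP);
    # src_get_gpc0 would read the entry for 10.11.12.124 every time.
    acl over_limit sc0_get_gpc0 ge 10
    http-request redirect location http://domiain.com/error.html if over_limit
    http-request sc-inc-gpc0(0)

    server web-server3 10.22.23.125:80 check inter 5s fall 2
    server web-server4 10.22.23.126:80 check inter 5s fall 2
```

gpc0 is a plain counter that only ever increments and is reset only when the entry expires, so this blocks a client after its 10th request until it has been idle for the table's expire time. For a sliding-window limit, store http_req_rate(10s) in the table and test sc0_http_req_rate instead.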

Redirect POST data api http to https


@baonq wrote:

My server is not connected to the internet and I can’t use the Telegram API for alert notifications.
I have a HAProxy server and I want it to be an API proxy.
But I can’t redirect requests to api.telegram.org.
My HAProxy config:

frontend http_vip_6_199
    bind 192.168.6.199:80
    mode http

    capture request header Host len 128
    capture request header User-Agent len 256
    capture request header Referer len 128

    option forwardfor
    option http-server-close
    option http-keep-alive
    timeout http-keep-alive 3000
    timeout http-request  5000

    use_backend api_telegram if { hdr(host) -i api.telegram.org }
    redirect scheme https if !{ ssl_fc } { hdr(host) -i api.telegram.org }

backend api_telegram
    mode http
    server test api.telegram.org:443

and my script that sends the Telegram message:

curl -i -L \
  -H "Host: api.telegram.org" \
  -d "chat_id=${TELEGRAM_CHAT_ID}" \
  -d "text=${MESSAGE}" \
  -d "parse_mode=HTML" \
  -d "disable_web_page_preview=true" \
  http://192.168.6.199/bot${TELEGRAM_BOT_TOKEN}/sendMessage

HTTP/1.1 400 Bad Request
Server: nginx/1.16.1
Date: Thu, 27 Feb 2020 02:02:39 GMT
Content-Type: application/json
Content-Length: 80
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

{"ok":false,"error_code":400,"description":"Bad Request: message text is empty"}

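Added example, not the poster's configuration: a "redirect scheme https" answers the client with a 3xx pointing at https://api.telegram.org, which sends the offline host to Telegram directly; and when curl -L follows a 301/302 it switches the POST to a GET and drops the form body. For HAProxy to carry the request itself, the backend has to speak TLS (the post's server line has no "ssl", so it sends plaintext HTTP to port 443). The CA bundle path is an assumption; names and addresses are the post's.

```haproxy
frontend http_vip_6_199
    mode http
    bind 192.168.6.199:80

    # Only the one upstream is reachable through this VIP. Anything else gets
    # a 403, so the listener cannot be used as a general-purpose forward proxy
    # by other hosts on the network.
    acl to_telegram hdr(host) -i api.telegram.org
    http-request deny deny_status 403 unless to_telegram
    use_backend api_telegram if to_telegram

backend api_telegram
    mode http
    http-request set-header Host api.telegram.org
    # "ssl" makes HAProxy run the TLS handshake; "verify required" checks the
    # upstream certificate against the system CA bundle (path assumed);
    # "sni" sends the hostname so the right certificate is returned.
    server telegram api.telegram.org:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni str(api.telegram.org)
```

With this in place the script no longer needs -L. The bot token still travels in the URL path on the plaintext leg between the script and the VIP, so keep that leg on a trusted segment and be aware that a log-format that records the full request line (%{+Q}r) will write the token to the log.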

Haproxy rds lb in docker on centos running on hyper-v layer4 error


@loewie1984 wrote:

Quite a mouthful, but yeah, for a customer I recently did an implementation of HAProxy (free) to be used as an RDS load balancer and connection broker with stick tables based on the least amount of connections.

The technology stack was:
VMware ESXi
CentOS in Virtual Machine
Docker running in CentOS 8
HaProxy running in Docker with the following configuration:

#global
global
ssl-server-verify none

#stats page
listen stats
bind :9001
mode http
timeout client 6h
stats enable
stats hide-version
stats realm Haproxy\ Statistics
stats uri /
stats auth statsadmin:############
stats admin if TRUE

#rdp configuration
frontend ft_rdp
mode tcp
bind 0.0.0.0:3389 name rdp
timeout client 1h
log global
option tcplog
tcp-request inspect-delay 2s
tcp-request content accept if RDP_COOKIE
default_backend bk_rdp

backend bk_rdp
mode tcp
balance leastconn
persist rdp-cookie
timeout server 1h
timeout connect 4s
log global
option tcplog
option tcp-check
stick-table type string len 32 size 10k expire 12h
stick on rdp_cookie(mstshash)
tcp-check connect port 3389 ssl
default-server inter 3s rise 2 fall 3
server RDS01 192.168.1.10:3389 weight 10 check
server RDS02 192.168.1.11:3389 weight 10 check

Now I’m running the exact same configuration in Hyper-V on a client’s network, and now HAProxy is giving me errors stating the following:

[WARNING] 057/100915 (1) : parsing [/usr/local/etc/haproxy/haproxy.cfg:35] : backend 'bk_rdp' : 'option tcplog' directive is ignored in backends.,
[WARNING] 057/100915 (1) : config : log format ignored for frontend 'ft_rdp' since it has no log address.,
[NOTICE] 057/100915 (1) : New worker #1 (6) forked,
[WARNING] 057/100916 (6) : Server bk_rdp/RDS01 is DOWN, reason: Layer4 connection problem, info: "No route to host at step 1 of tcp-check (connect port 3389)", check duration: 1010ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.,
[WARNING] 057/100917 (6) : Server bk_rdp/RDS02 is DOWN, reason: Layer4 connection problem, info: "No route to host at step 1 of tcp-check (connect port 3389)", check duration: 1026ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.,
[ALERT] 057/100917 (6) : backend 'bk_rdp' has no server available!,

I’ve checked the VLAN the proxy and RDP servers are in; it’s the same. Even more strangely, from within CentOS I can perfectly resolve the machines and the domain without any further configuration.

My docker run command is: docker run --name=haproxyrds --restart=always -d -p 80:80 -p 443:443 -p 53:53 -p 3389:3389 -p 9001:9001 -v /etc/haproxy:/usr/local/etc/haproxy:ro haproxy:latest

I’ve added the ports 80, 443, and 53 to see if I could reach anything from inside the Docker container to the outside, following this article https://training.play-with-docker.com/docker-networking-hol/ which explains how to ping from inside a Docker container towards a computer outside the container; however, I’m not even able to retrieve and install the ping package inside the container due to the fact that it cannot resolve deb.debian.org and/or security.debian.org.

I’m running out of options to try (I’m suspecting Hyper-V to be the culprit). The only thing I can imagine trying is to run HAProxy natively on CentOS and not within Docker.


Problem with my backend


@Hujino wrote:

Hello,

I just bought a domain for my personal blog.

I point my domain to my firewall that hosts my haproxy.

However, my domain can’t reach my backend, it’s running in a loop.

Here is my haproxy configuration:

global
    log 127.0.0.1   local0 debug
    log /dev/log    local0 notice
    maxconn 1024
    chroot /var/haproxy
    uid 604
    gid 604
    daemon
    stats socket /var/run/haproxy.sock mode 666 level admin
    pidfile /var/run/haproxy.pid
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

    tune.ssl.default-dh-param 2048
    tune.maxrewrite 16384
    tune.bufsize 65535

defaults
    log     global
    mode    http
    option  redispatch
    option  forwardfor
    retries 3
    maxconn 2000
    timeout server 60s
    timeout connect 5s
    timeout client 10s
    log-format "%ci [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"

frontend http-s-domain

    bind *:80
    bind *:443 ssl crt /etc/haproxy/ssl/storage.domain.com.haproxy.pem crt /etc/haproxy/ssl/another.com.haproxy.pem crt-list /etc/haproxy/ssl/client_crt no-sslv3
    mode    http
    option  httplog clf
    option  forwardfor
    option  http-keep-alive

    capture request header Host len 64
    capture request header Referer len 128
    capture request header User-Agent len 128
    capture request header X-Hit-Front len 128

    acl letsencrypt-acl path_beg /.well-known/acme-challenge/

    acl storage-domain hdr(host) -i storage.domain.com

    ###################
    ### ACL CLIENTS ###
    ###################
    acl another-blog hdr(host) -i another.com

    # HTTP->HTTPS
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    http-request add-header X-Forwarded-Proto http unless { ssl_fc }
    #www to non-www
    #catch all domains that begin with 'www.'
    acl host_www      hdr_beg(host) -i www.

    #remove 'www.' part from host name
    reqirep ^Host:\ www.(.*)$ Host:\ \1 if host_www
    #now hostname does not contain 'www.' so we can
    #redirect to the same url
    redirect code 301 prefix / if host_www

    use_backend letsencrypt-backend if letsencrypt-acl

    use_backend nextcloud-storage-domain if storage-domain

    use_backend another-blog-prod if another-blog

backend nextcloud-storage-domain
    http-response set-header Referrer-Policy no-referrer-when-downgrade
    # header names are given without a trailing colon; "X-Content-Type-Options:"
    # would otherwise be sent as the header name itself
    http-response set-header X-Content-Type-Options nosniff
    http-response set-header X-XSS-Protection 1;mode=block
    http-response set-header X-Frame-Options SAMEORIGIN
    http-response set-header Strict-Transport-Security max-age=31536000;includeSubDomains;preload
    default-server inter 4s
    timeout server 2h
    http-check expect status 200
    server ncd01 X.X.X.X:8080 cookie A check port 8080 fall 5 rise 3

backend another-blog-prod
    mode http
    default-server inter 4s
    timeout server 2h
    http-check expect status 200
    server web01 X.X.X.X:443 cookie A check port 443 fall 5 rise 3

backend letsencrypt-backend
    server letsencrypt 127.0.0.1:1375 check

root@haproxy:~# curl -ILk https://X.X.X.X
HTTP/1.1 200 OK
Etag: 22164-46b9-5e58d731
Content-Type: text/html; charset=utf-8
Content-Length: 18105
Last-Modified: Fri, 28 Feb 2020 09:02:41 GMT
Cache-Control: private, max-age=0, proxy-revalidate, no-store, no-cache, must-revalidate
Server: WEBrick/1.4.2 (Ruby/2.5.5/2019-03-15) OpenSSL/1.1.1d
Date: Fri, 28 Feb 2020 09:15:37 GMT
Connection: Keep-Alive

Is it possible to get your opinion on it?


How to config SSL certificate for Jira and Confluence by HAProxy?


@rawmain wrote:

Using HAProxy version: 2.1.3

I did this setting in the /etc/haproxy/haproxy.cfg file:

frontend jira
    # bind :::8080 v4v6
    bind :::443 v4v6 ssl crt /home/user/ssl/server.pem
    http-request redirect scheme https unless { ssl_fc }

    default_backend             jira

frontend confluence
    # bind :::8090 v4v6
    bind :::443 v4v6 ssl crt /home/user/ssl/server.pem
    http-request redirect scheme https unless { ssl_fc }

    default_backend             confluence

backend jira
    balance     roundrobin
    cookie JIRASESSIONID prefix nocache
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    server jira1 [IPv6 IP]:8080 check cookie jira1
    server jira2 [IPv6 IP]:8080 check cookie jira2

backend confluence
    balance     roundrobin
    cookie CONFSESSIONID prefix nocache
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    server confluence1 [IPv6 IP]:8090 check cookie confluence1
    server confluence2 [IPv6 IP]:8090 check cookie confluence2

Before I added the 443 setting, the 8080 and 8090 binds worked well.

But in this case, when restarting haproxy, I got this error:

Job for haproxy.service failed because the control process exited with error code. See "systemctl status haproxy.service" and "journalctl -xe" for details.

When using journalctl -xe to see the details, I got:

...
Feb 28 17:44:21 server systemd[1]: haproxy.service: control process exited, code=exited status=1
Feb 28 17:44:21 server haproxy[30436]: Errors found in configuration file, check it with 'haproxy check'.
Feb 28 17:44:21 server systemd[1]: Failed to start SYSV: HA-Proxy is a TCP/HTTP reverse proxy which is particularly suited for high
-- Subject: Unit haproxy.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit haproxy.service has failed.
--
-- The result is failed.
Feb 28 17:44:21 server systemd[1]: Unit haproxy.service entered failed state.
Feb 28 17:44:21 server sudo[30429]: pam_unix(sudo:session): session closed for user root
Feb 28 17:44:21 server systemd[1]: haproxy.service failed.
Feb 28 17:44:21 server polkitd[2570]: Unregistered Authentication Agent for unix-process:30430:138824114 (system bus name :1.76278,

Why did it fail to start SYSV?

Now, using IPv6, how do I configure it correctly?


I did the Jira (8.6.1) configuration setting in <JIRA_INSTALL>/conf/server.xml:

Comment out:

<Connector port="8080" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"
                   maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
                   maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
                   acceptCount="100" disableUploadTimeout="true" bindOnInit="false"/>

Uncomment:

        <Connector port="8080" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"
                   maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
                   maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
                   acceptCount="100" disableUploadTimeout="true" bindOnInit="false" secure="true" scheme="https"
                   proxyName="<subdomain>.<domain>.com" proxyPort="443"/>

Maybe it will work if I set a real proxyName.

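Added example, not the poster's configuration: the post's two frontends both bind :::443, and two listeners on the same address and port cannot be told apart by the kernel, so the choice between Jira and Confluence has to be made on the Host header inside a single frontend. Hostnames and the IPv6 server addresses (documentation range) are placeholders; the cookie and backend settings follow the post.

```haproxy
frontend atlassian
    mode http
    bind :::80 v4v6
    bind :::443 v4v6 ssl crt /home/user/ssl/server.pem
    http-request redirect scheme https code 301 unless { ssl_fc }

    # One listener for both applications; the Host header selects the backend.
    acl is_jira       hdr(host) -i jira.example.com
    acl is_confluence hdr(host) -i confluence.example.com
    use_backend jira       if is_jira
    use_backend confluence if is_confluence
    # Deliberately no default_backend: a request for any other Host gets a 503
    # rather than landing in whichever application happens to be first.

backend jira
    balance     roundrobin
    cookie JIRASESSIONID prefix nocache
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    server jira1 [2001:db8::10]:8080 check cookie jira1
    server jira2 [2001:db8::11]:8080 check cookie jira2

backend confluence
    balance     roundrobin
    cookie CONFSESSIONID prefix nocache
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    server confluence1 [2001:db8::20]:8090 check cookie confluence1
    server confluence2 [2001:db8::21]:8090 check cookie confluence2
```

The proxyName and proxyPort values in each application's Tomcat connector have to match the hostname and port the browser uses (the public name on 443), otherwise the application builds redirects and links with the wrong origin. Before a restart, haproxy -c -f /etc/haproxy/haproxy.cfg prints the exact line the config check is complaining about, which journalctl does not show.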

Is there settings with error's templates?


@riderkz wrote:

In the old version of HAProxy (1.8) it was

HTTP/1.1 302 Found
Location: https://localhost/

In the new version (2.1) it is

HTTP/1.1 302 Found
location: https://localhost/

with “l” in lowercase

Is it possible to revert it back to Uppercase “L”?

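Added example, not from the post: HTTP header field names are case-insensitive, so a client that only recognises "Location" is non-conforming, but HAProxy 2.x has a knob for exactly that situation. The global h1-case-adjust directive maps a lowercase name to the spelling to emit, and option h1-case-adjust-bogus-client applies the mapping to responses sent to a frontend's clients. The frontend name and bind line are assumptions.

```haproxy
global
    # Emit "Location" instead of "location" in HTTP/1 responses to clients
    # that rely on a particular capitalisation. The first argument must be
    # the lowercase name; several lines (or h1-case-adjust-file) can be given.
    h1-case-adjust location Location

frontend www
    mode http
    bind *:80
    # Turn the adjustments on for responses leaving this frontend, including
    # redirects that HAProxy generates itself.
    option h1-case-adjust-bogus-client
    http-request redirect scheme https code 301 unless { ssl_fc }
```

The adjustment only affects the HTTP/1 wire form; HTTP/2 always carries header names in lowercase, so a client that depends on the case will still break once it negotiates h2.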


Hdr vs hdr_beg for lower CPU load


@hyppopotamus wrote:

Hi community. I have a hard config with more than 1000 backends and the same number of ACL rules to redirect HTTP(S) requests to these backends.

This config looks like

acl blabla1 hdr_beg(host) -i blabla1.com
acl blabla2 hdr_beg(host) -i blabla2.com

use_backend back_blabla1 if blabla1
use_backend back_blabla2 if blabla2

So, the question is: which is better to use for lower CPU load, hdr_beg or hdr (if there is no difference in the result)?

I could not find any information on which one is “harder” for the CPU.

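Added example, not the poster's configuration: with a thousand ACLs, each request walks the use_backend list until one matches, so the cost grows with the number of rules regardless of whether hdr or hdr_beg is used. A map file turns that into one indexed lookup, and an exact (map_str) match is also tighter than hdr_beg, which would accept any host merely starting with blabla1.com. The map path, its contents and the fallback backend are assumptions.

```haproxy
frontend www
    mode http
    bind *:80
    # /etc/haproxy/hosts.map (constructed) holds one "host backend" pair per line:
    #   blabla1.com back_blabla1
    #   blabla2.com back_blabla2
    # field(1,:) drops any ":port" from the Host value, lower normalises case,
    # and map_str performs a single exact-match lookup; hosts not in the map
    # resolve to be_unknown instead of falling through to a guessed backend.
    use_backend %[req.hdr(host),field(1,:),lower,map_str(/etc/haproxy/hosts.map,be_unknown)]

backend be_unknown
    mode http
    http-request deny deny_status 404

backend back_blabla1
    mode http
    server s1 10.0.0.11:80 check   # placeholder

backend back_blabla2
    mode http
    server s1 10.0.0.12:80 check   # placeholder
```

Map entries can be added and removed at runtime over the stats socket, which also removes the reload on every new customer. If subdomains must route to the parent's backend, map_dom is the matching variant, with the caveat that domain matching also accepts the pattern as an internal dot-delimited component of a longer name.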

Haproxy backend


@aarathy53 wrote:

Hi

Can we have a haproxy.cfg without backend members? We want to use the HAProxy solely for redirection.

Please let me know if more info is needed…


Multiple bind a.com:443 b.com:443 lines Yes/No?


@kitatech wrote:

I read that multiple lines with the same IP_address:port are “allowed but incorrect”, here in this question.

However I find no pointers to the documentation, so I’ll explain what I would like to do and see how this can best be configured (I have ideas that are too inelegant* to be the right way).

Topology:

Internet
|
Firewall (1 public IP address)
|
LAN switch ------- HAproxy
| … |
be_a … be_z

I already configured many subdomains a.example.com to z.example.com who share the same letsencrypt certificate, with SSL termination in the one same frontend.

I need to add a new backend be_AA responding to domain AA.example.com, but I need the ssl termination to be performed on the back-end side.

I added a new front-end AA, before the existing one a-to-z:

frontend http-in-AA
    bind AA.example.com:443
    use_backend be_AA

frontend http-in-a-to-z
    bind *:443 ssl crt /etc/haproxy/certs/ defer-accept
    acl a ....
    acl z ...

    use_backend be_a if a
    use_backend be_z if z

The syntax check says valid without warning.

Is this correct?

If not, what would be the best way to add this new server that is an exception to an already existing long list of other servers that work fine with SSL termination in HAProxy?

I suspect also that I may be confusing the FQDN in the bind address with the ACL domain filter:
acl host_a hdr(host) -i a.example.com

Thanks a ton !

(*) The inelegant idea I had is to use ssl_fc_sni like in the solution from that question:

frontend ft_test
  mode http
  bind 0.0.0.0:443 ssl crt /certs/haproxy1.pem crt /certs/haproxy2.pem 
  use_backend bk_cert1 if { ssl_fc_sni my.example.com } # content switching based on SNI
  use_backend bk_cert2 if { ssl_fc_sni my.example.org } # content switching based on SNI

The reason I find it inelegant is that I fear I may have to break my current frontend into one frontend for each of a…z.example.com, which would be a huge amount of work. I might be wrong though?


HAProxy forwarding to NGINX Seafile


@Lip90 wrote:

Hi guys,

Is there a possibility that HAProxy completely passes everything that arrives at the domain xyz.domain.de to the internal 192.168.1.30? An NGINX with a reverse proxy and Seafile is running on that IP.

I do not want to create the config from the Seafile server. But I have several 443 applications where I could use the HAProxy.

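Added example serving both the "Multiple bind a.com:443 b.com:443" question and the Seafile question above; it is not either poster's configuration. A single TCP-mode listener on 443 reads the SNI from the unencrypted ClientHello (req_ssl_sni, which unlike ssl_fc_sni needs no TLS termination), forwards the passthrough hostnames as-is to the backend that holds their certificate, and hands everything else to the unchanged terminating frontend over an internal socket. The two hostnames and 192.168.1.30 come from the posts; the AA backend address, socket name and ACL names are assumptions.

```haproxy
frontend tls_router
    mode tcp
    bind *:443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    # Passthrough hosts: the TLS session terminates on the backend, HAProxy
    # never sees plaintext and needs no certificate for them.
    use_backend be_AA_passthrough if { req_ssl_sni -i aa.example.com }
    use_backend be_seafile_passthrough if { req_ssl_sni -i xyz.domain.de }
    default_backend be_local_termination

backend be_AA_passthrough
    mode tcp
    server AA 10.0.0.50:443             # placeholder address

backend be_seafile_passthrough
    mode tcp
    server seafile 192.168.1.30:443     # NGINX + Seafile from the post

backend be_local_termination
    mode tcp
    # Abstract-namespace socket (no filesystem path); send-proxy-v2 carries
    # the real client address so logs and ACLs in the next hop see it.
    server local abns@tls-terminate send-proxy-v2

# The existing a..z frontend, now fed by the router instead of binding *:443.
frontend http-in-a-to-z
    mode http
    bind abns@tls-terminate accept-proxy ssl crt /etc/haproxy/certs/
    acl a hdr(host) -i a.example.com
    acl z hdr(host) -i z.example.com
    use_backend be_a if a
    use_backend be_z if z
```

Since the passthrough hosts are not decrypted, none of the HTTP-level rules (headers, ACLs on paths, logging of requests) apply to them; only the SNI and the raw bytes are visible to HAProxy, and the health check for those servers should be a TLS-aware tcp-check rather than an HTTP check.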

More core & frq VS more cache & frq -> max performance


@Sergei_Shablovsky wrote:

Hi HAProxy Gurus!

A little bit theoretical but mostly practical question:

in physical multi-CPU server configuration (no VM of course for this type of operations), with the same good NIC:

MORE core + MORE FRQ

VS

LESS core + MORE cache + LESS FRQ

for high load?

Thank You for suggestions!
