Channel: HAProxy community - Latest topics

Source IP in backend


@ravr wrote:

I’m using HAProxy to load balance client requests to two backend servers (TCP mode). The backend servers see incoming requests as coming from the HAProxy host (which is expected). I’m trying to configure the setup so that the backend servers receive the client IP rather than HAProxy’s IP.

Please let me know if I’ve understood correctly

  1. HAProxy can be configured to send the client’s IP using proxy protocol, but the backend server must support this protocol
  2. HAProxy can spoof the client’s IP to the backend, but the backend must have its default gateway as the HAProxy host

Given that the backend servers do not support proxy protocol, and default gateway cannot be set to the HAProxy host, is there any other way to achieve this?

Posts: 1

Participants: 1

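PROXY protocol v1, the mechanism in option 1 above, as an added example (not HAProxy's code and not from the post): the line HAProxy emits ahead of the first client byte when a server line carries send-proxy, and the strict parsing a backend that supports it should do before trusting the client address in it. The backend honours the header only from a trusted proxy address, since otherwise any peer could forge a client IP; addresses and the trusted-proxy list below are constructed assumptions.

```python
"""PROXY protocol v1 handshake: what the load balancer sends and what a
backend must check before trusting the client address in it.
Added example; not HAProxy source. All addresses below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_V1_HEADER = 107  # longest legal v1 line, CRLF included (protocol limit)


@dataclass(frozen=True)
class ProxyInfo:
    family: str            # "TCP4", "TCP6" or "UNKNOWN"
    src: Optional[str]     # original client address
    dst: Optional[str]     # address the client connected to (the proxy)
    src_port: Optional[int]
    dst_port: Optional[int]


def build_v1_header(src: str, dst: str, src_port: int, dst_port: int) -> bytes:
    """Proxy side: the line sent on a server connection configured with
    'send-proxy', before any client bytes are forwarded."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("source and destination must share an address family")
    family = "TCP4" if s.version == 4 else "TCP6"
    line = f"PROXY {family} {s} {d} {src_port} {dst_port}\r\n".encode("ascii")
    if len(line) > MAX_V1_HEADER:
        raise ValueError("header exceeds the v1 length limit")
    return line


def _port(raw: bytes) -> int:
    if not raw.isdigit() or len(raw) > 5:
        raise ValueError(f"bad port {raw!r}")
    port = int(raw)
    if port > 65535:
        raise ValueError(f"port out of range {raw!r}")
    return port


def parse_v1_header(data: bytes) -> Tuple[ProxyInfo, bytes]:
    """Backend side: strict parse of the leading line. Returns the parsed
    addresses and the payload that follows. Anything malformed raises;
    a backend should drop such a connection rather than guess."""
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end < 0:
        raise ValueError("no CRLF within the first 107 bytes")
    line, payload = data[:end], data[end + 2:]
    parts = line.split(b" ")
    if parts[0] != b"PROXY" or len(parts) < 2:
        raise ValueError("missing PROXY signature")
    if parts[1] == b"UNKNOWN":
        # the proxy could not determine the original addresses; the spec says
        # to accept the connection and ignore the rest of the line
        return ProxyInfo("UNKNOWN", None, None, None, None), payload
    if len(parts) != 6:
        raise ValueError("expected 6 space-separated fields")
    family = parts[1].decode("ascii")
    if family not in ("TCP4", "TCP6"):
        raise ValueError(f"unknown family {family}")
    src = ipaddress.ip_address(parts[2].decode("ascii"))
    dst = ipaddress.ip_address(parts[3].decode("ascii"))
    want = 4 if family == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address does not match the stated family")
    return ProxyInfo(family, str(src), str(dst), _port(parts[4]), _port(parts[5])), payload


def header_is_valid(data: bytes) -> bool:
    try:
        parse_v1_header(data)
        return True
    except ValueError:
        return False


def accept_connection(peer_ip: str, data: bytes, trusted_proxies) -> Tuple[str, bytes]:
    """Decide which address to treat as the client. The header is honoured only
    when the TCP peer is one of the trusted proxies (an assumed allow-list);
    from anyone else the bytes are ordinary payload and the peer is the client."""
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    if ipaddress.ip_address(peer_ip) not in trusted:
        return peer_ip, data
    info, payload = parse_v1_header(data)
    if info.family == "UNKNOWN":
        return peer_ip, payload
    return info.src, payload
```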


Reverse proxy HA (ssl) with forward proxy squid - SSL handshake fail


@lxt23 wrote:

Hello community,

I’m trying to set up a reverse HAProxy to connect to a forward, LDAP-auth-based Squid. Both applications run on the same machine and I have been able to make it work over http with the following config:

global
log 127.0.0.1:514 local2
daemon
maxconn 256

defaults
log global
mode http
option httplog
timeout connect 5s
timeout client 50s
timeout server 50s

frontend squid_front
bind *:3128

bind *:3128 ssl crt /etc/haproxy/cert.pem

mode http
use_backend squid1

backend squid1
mode http
balance roundrobin
option forwardfor
server squid1 127.0.0.1:3129 check port 3129 inter 2000 rise 2 fall 3

However, the second I turn on https, I get:

squid_front/1: SSL handshake failure

Using ssldump on port 3128 I see only:

1 0.0013 (0.0013) S>C TCP FIN
1 0.0021 (0.0007) C>S TCP FIN

and nothing in the squid logs.

cert.pem contains a crt and a key. I have double checked them both with openssl.

selinux is set to permissive and iptables allows all on port 3128.

It’s late, I’m tired, there must be something I’m not seeing or simply missing here.

Please give me a hand.

haproxy -vv:
HA-Proxy version 1.5.18 2016/05/10
Copyright 2000-2016 Willy Tarreau willy@haproxy.org

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
OPTIONS = USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Posts: 1

Participants: 1


Unusual 403 Forbidden Seen


@Pavan wrote:

Hi,

We are seeing an unstable issue: a few of the requests are getting passed and a few are getting a 403 error

[14471] [13/Mar/2020:22:09:38.076] [1584137377.999] 6/6/4/0/0/0/3 77/-1/-1/-1/77 PR-- 2xx.9xx.6xx.2xx:6338 10.110.1.227:443 -:- https_frontend~ request_header={#7B#22xxxxxxx#22:#22xxxxxxxxxxxx#22,#22oemId#22:#22xxxxxxxxx1#22,#22products#22:[#7B#22spProductReference#22:#22xxxxxxxxxxxxxxxxxxxxxx#22,#22productId#22:#22xxxxxxxxxxxb7f90#22#7D],#22requestContext#22:#7B#22requestId#22:#22xxxxxxxxxxxxx-8fbe3fe6429b#22,#22correlationId#22:#22xxxxxxxxxxxxx-fb8703a925bc#22,#22requesterId#22:#22xxxxxx#22#7D#7D|xxxxxx.com|||} ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 {0,xxxxxxxx,“200114165847Z”,“230113165847Z”,"/CN=xxxxxxxx"} “POST /foo/bar/foo/bar/1/0/fooo HTTP/1.1” 403 service_backend: - - req_size=772 resp_size=212

[14471] [13/Mar/2020:22:09:38.076] [1584137377.999] 6/6/4/0/0/0/3 77/-1/-1/-1/77 PR-- 2xx.9xx.6xx.2xx:6338 10.110.1.227:443 -:- https_frontend~ request_header={#7B#22xxxxxxx#22:#22xxxxxxxxxxxx#22,#22oemId#22:#22xxxxxxxxx1#22,#22products#22:[#7B#22spProductReference#22:#22xxxxxxxxxxxxxxxxxxxxxx#22,#22productId#22:#22xxxxxxxxxxxb7f90#22#7D],#22requestContext#22:#7B#22requestId#22:#22xxxxxxxxxxxxxxx-8fbe3fe6429b#22,#22correlationId#22:#22xxxxxxxxxxx-fb8703a925bc#22,#22requesterId#22:#22xxxxx#22#7D#7D|xxxxxx.com|||} ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 {0,xxxxxxxx,“200114165847Z”,“230113165847Z”,"/CN=xxxxxxxx"} “POST /foo/bar/foo/bar/1/0/fooo HTTP/1.1” 200 service_backend:service_backend - - req_size=772 resp_size=428

We have deny rules only for the HTTP method and for when no client certificate is added while the request is made

    acl                     valid_method method GET HEAD POST
    http-request            deny if !valid_method
    http-request            deny if { path_beg /foo } !{ ssl_fc_has_crt }

Can someone please help with this?

Posts: 1

Participants: 1


HA proxy for NAT64 from V6 VM to connect to V4 VM


@priya wrote:

Kindly provide documentation for HA proxy to be used for NAT64 from V6 VM to connect to V4 VM

Posts: 4

Participants: 2


Rate limit based on server ip in backend


@envyt wrote:

Basically, I want to put a rate limit based on server IP when the requested URL returns status 429.
My approach is:

  • Use sticky-table to persist flag that server ip has encountered 429

  • Call dynamic runtime API to set flag for server ip

    frontend rotatingproxies
    bind *:3128
    option httplog
    stick-table type ip size 1m expire 5m store gpc0
    http-request deny deny_status 429 if { sc0_get_gpc0 ge 1 }
    default_backend pool
    option http_proxy
    option forwardfor
    option http-use-proxy-header
    option accept-invalid-http-request

    backend pool
    mode http
    server proxy1 ip1:port1
    balance roundrobin

My problem is I don’t know how to configure this so that the stick table gets the gpc0 value of the server IP.
The line http-request deny deny_status 429 if { sc0_get_gpc0 ge 1 } makes no sense.
My questions are:

  • In the frontend section, how can I know which server IP in the backend was used?
  • Could I do something more elegant, like a check based on the status code?

Posts: 1

Participants: 1


Redirect URL in HAProxy


@MaikeCristian wrote:

Good Morning,

I need to perform, via HAProxy, a redirect where everything that comes through the URL int-tasy-hs-dev.oncoclinicas.com.br is redirected to int-tasy-hs-dev.oncoclinicas.com.br/WhebServidorIntegracao. I use HAProxy + Weblogic. In this case, there is a particularity: in my Weblogic, an Application responds in Context /. And in a note from the HA documentation there is the following statement:

“if is /, then the redirection is performed to the same URL. This can be used to insert a cookie.”

That is, in HA, if the prefix is the / context, it redirects to /. The configuration I have is as follows:

global
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 10000
user haproxy
group haproxy
daemon

# turn on stats unix socket
stats socket /var/lib/haproxy/stats

defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 30s
timeout queue 30s
timeout connect 30s
timeout client 5m
timeout server 240m
timeout http-keep-alive 30s
timeout check 30s
maxconn 10000
compression algo gzip
compression type text/html text/plain text/css text/javascript text/css

frontend Tasy_DEV
bind *:80
bind *:443 ssl crt /etc/haproxy/ssl/oncoclinicas.com.br.pem
redirect scheme https if !{ ssl_fc }
default_backend philips_tasy

backend philips_tasy
stats enable
stats uri /haproxy?stats
stats realm Strictly\ Private
balance roundrobin
option httpclose
option forwardfor
cookie SERVERID insert indirect nocache
server ms_1 10.27.10.26:7011 check cookie ms_1

frontend Lab_DEV
bind *:8080
bind *:7443 ssl crt /etc/haproxy/ssl/oncoclinicas.com.br.pem
redirect scheme https if !{ ssl_fc }
default_backend Lab_DEV

backend Lab_DEV
stats enable
stats uri /haproxy?stats
stats realm Strictly\ Private
balance roundrobin
option httpclose
option forwardfor
cookie SERVERID insert indirect nocache
server ms_1 10.27.10.26:7011 check cookie ms_1

frontend WSI_DEV
bind *:8091
bind *:8443 ssl crt /etc/haproxy/ssl/oncoclinicas.com.br.pem
acl host_client hdr(host) -i int-tasy-hs-dev.oncoclinicas.com.br
http-request redirect code 301 location int-tasy-hs-dev.oncoclinicas.com.br/WhebServidorIntegracao if host_client
default_backend WSI_DEV

backend WSI_DEV
#redirect scheme https code 301 if !{ ssl_fc }
stats enable
stats uri /haproxy?stats
stats realm Strictly\ Private
balance roundrobin
option httpclose
option forwardfor
cookie SERVERID insert indirect nocache
server ms_1 10.27.10.26:7011 check cookie ms_1

The first alternative I had tested was:

redirect prefix http://int-tasy-hs-dev.oncoclinicas.com.br code 301 if { hdr(host) -i www.int-tasy-hs-dev.oncoclinicas.com.br/WhebServidorIntegracao }
redirect prefix http://www.int-tasy-hs-dev.oncoclinicas.com.br code 301 if { hdr(host) -i www.int-tasy-hs-dev.oncoclinicas.com.br/WhebServidorIntegracao }

Can you help me try to redirect?

Posts: 1

Participants: 1


SSL Passthrough Not Working


@jasetheace wrote:

Hello. I’m rather new to HA Proxy, and I’m having issues getting SSL Passthrough working. I have narrowed my configuration to demonstrate the issue (redacted):

# frontend specific configuration
frontend http-in
    mode tcp

    #bind *:443 ssl crt /etc/haproxy/certs
    bind *:443
    no option httpclose
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    # define a default backend
    default_backend servers

# backend specific configuration
backend servers
    mode tcp
    option log-health-checks
    balance leastconn

    # define health check using HTTP OPTIONS call
    option httpchk OPTIONS / HTTP/1.1

    server svr1 1.2.3.4:18082 check ssl verify required verifyhost example1.com ca-file /etc/haproxy/backend-trust-ca/backend-trust-ca.pem
    #server svr1 1.2.3.4:18082

Testing with curl, I get an error:

$ curl -I https://example.com/
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
$

The backend check works, as I see this in the logs:

[WARNING] 077/095549 (25563) : Health check for server servers/svr1 succeeded, reason: Layer7 check passed, code: 200, info: "OK", check duration: 3ms, status: 3/3 UP.

And I can see in the status page that it shows as active up too.

I can get it to work if I change the binding on the front end to do ssl (see it commented out above). But if I understand things properly, that will decrypt the SSL, instead of simply passing the tcp connection on to the back end. And I can also get it to work if I remove the check from the back end (see it commented out above). But I really need to be able to do these checks to make sure that the backend servers are healthy. When I make one of those changes, with curl I get:

ssa-syr-taz:~$ curl -I https://example.com/
HTTP/1.1 405 Method Not Allowed
[snip]

It almost seems like either of those changes puts haproxy into http mode. In fact, it works if I configure haproxy to use http mode. But I do not want to decrypt the session in haproxy.

Running haproxy in debug mode does not seem to show a difference between a curl connection that works and one that does not.

00000003:http-in.accept(0007)=000d from [1.2.3.10:54194] ALPN=<none>
00000003:servers.srvcls[adfd:adfd]
00000003:servers.clicls[adfd:adfd]
00000003:servers.closed[adfd:adfd]

A packet capture of the failure shows haproxy resetting the connection:

11:06:32.875119 IP 1.2.3.10.54244 > 1.2.3.7.443: Flags [S], seq 2513995732, win 29200, options [mss 1460,sackOK,TS val 788408339 ecr 0,nop,wscale 7], length 0
11:06:32.875154 IP 1.2.3.7.443 > 1.2.3.10.54244: Flags [R.], seq 0, ack 2513995733, win 0, length 0

I’m running version 2.0.13.

haproxy -v
HA-Proxy version 2.0.13-1~bpo10+1 2020/02/15 - https://haproxy.org/

I suspect either I’m trying to do something that is not supported, or I have something misconfigured. Any help with things to try or ways to get additional logs / debugging would be great. Thank you!

Posts: 1

Participants: 1


Can't connect to HTTPS frontend


@jerald wrote:

I get the following error when attempting to access the https frontend url. I have not been able to pin down the configuration needed to resolve this issue:

Can’t connect securely to this page

This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website’s owner.

I have tried adding ssl force-tlsv* but still get the error. Any suggestions would be greatly appreciated.
( listen https_in :8443 ssl force-tlsv*)

root# haproxy -vv
HA-Proxy version 1.5.18 2016/05/10
Copyright 2000-2016 Willy Tarreau willy@haproxy.org

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
OPTIONS = USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

haproxy.cfg:

#---------------------------------------------------------------------
# HTTPS Site Configuration
#---------------------------------------------------------------------
listen https_in :8443
    mode tcp
    balance source  # Load Balancing algorithm
    http-request set-header X-Forwarded-Proto https
    server server1 :8443 weight 1 maxconn 512 ssl verify none check
    server server2 :8443 weight 1 maxconn 512 ssl verify none check

Posts: 1

Participants: 1



HAProxy responses SYN,ACK before RST when "tcp-request connection reject" is triggered


@Warkeeper wrote:

Greetings all.

I’m using “tcp-request connection reject if site_dead” to reject all tcp connection requests when backend has no available server.

But I found that when a client wants to establish a connection to a server (the reject event is triggered, so the backend is all down) behind HAProxy (technically, it’s the client sending a SYN packet to HAProxy), the client receives SYN,ACK first, then receives the RST after the client sends ACK.

So I wonder if there is any way to make HAProxy reject the connection request as soon as it receives the SYN? (instead of establishing the tcp connection first and then sending RST)

Here is what I captured by Wireshark

And part of my configuration as follows

backend magpie_backend_1
        mode tcp
        server magpie_server_1 X.X.X.X:39853 check

frontend magpie_frontend_1
        mode tcp
        bind 0.0.0.0:29853
        acl site_dead nbsrv(magpie_backend_1) lt 1
        tcp-request connection reject if site_dead
        default_backend magpie_backend_1

Posts: 1

Participants: 1


Error Logs in Json or Alternative Strategies?


@jeffg wrote:

I’m attempting to convert logs to json format. I’ve been able to do this for regular logs with a custom log-format and I also removed the timestamp from rsyslog. I’ve read the docs, googled, searched on here, etc. but I’m not certain if it’s possible to do this for error logs such as SSL failures. What I’ve read so far suggests it isn’t possible to modify error logs, only separate them into a different log file.

Does anyone know how to put error logs in json format, or have you developed any simple work around strategies?

Thanks for your help.

Posts: 1

Participants: 1


HAProxy marks server as down while not being down - inexplicable healthcheck timeouts


@mr.simonski wrote:

Hello,
I’m using HA-Proxy version 2.0.13-1~bpo10+1 2020/02/15 on Debian 10.

We have configured the following setup:

global 
	daemon
	chroot /var/lib/haproxy
	user haproxy
	group haproxy
	master-worker

	stats socket /run/haproxy/admin.sock user haproxy group haproxy mode 660 level admin expose-fd listeners
	stats timeout 10s

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	tune.ssl.default-dh-param 2048
	ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
	ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

	# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
	# intermediate configuration, tweak to your needs
	ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
	ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
	ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
	ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

	ssl-dh-param-file /etc/haproxy/dhparam.pem
	tune.ssl.cachesize 80000
	tune.ssl.lifetime 900

	log /dev/log len 4096 local0
	log /dev/log len 4096 local1 notice

defaults 
	mode http
	option http-server-close #Setting "option http-server-close" enables HTTP connection-close mode on the server side while keeping the ability to support HTTP keep-alive and pipelining on the client side. This provides the lowest latency on the client side (slow network) and the fastest session reuse on the server side to save server resources
	option forwardfor #Enable insertion of the X-Forwarded-For header to requests sent to servers
	timeout http-keep-alive 15s #Set the maximum allowed time to wait for a new HTTP request to appear
	option redispatch #if a server designated by a cookie is down, clients may definitely stick to it because they cannot flush the cookie, so they will not be able to access the service anymore. Specifying "option redispatch" will allow the proxy to break cookie
	option http-buffer-request # enable HTTP body logging, needed for body param extraction
	retries 3 # per default start 3 retries if server isn't reacting

	log global
	log-format '{"host":"%H","ident":"haproxy-v2","pid":%pid,"time":"%Tl","customerId":"%[capture.req.hdr(4)]","haproxy":{"conn":{"actconn":%ac,"feconn":%fc,"beconn":%bc,"srv_conn":%sc},"queue":{"backend":%bq,"srv":%sq},"time":{"Tq":%Tq,"Tw":%Tw,"Tc":%Tc,"Tr":%Tr,"Tt":%Tt,"Ta":%Ta},"termination_state":"%tsc","retries":%rc,"proxying":{"client_ip":"%ci","client_port":%cp,"frontend_ip":"%fi","frontend_port":%fp,"backend_name":"%b","frontend_name":"%ft","server_name":"%s","server_ip":"%si","server_port":"%sp"},"ssl":{"version":"%sslv","ciphers":"%sslc"},"request":{"method":"%HM","uri":"%HU","uri-query-string":"%HQ","uri-path":"%HP","protocol":"%HV"},"req-headers":{"user-agent":"%[capture.req.hdr(0)]","referrer":"%[capture.req.hdr(1)]","content-length":"%[capture.req.hdr(2)]","requested-host":"%[capture.req.hdr(3)]"},"response":{"status_code":%ST},"bytes":{"uploaded":%U,"read":%B}}}'

	no option log-separate-errors # we need the errors not separately as we have it in ELK stack
	option log-health-checks # we want the haproxy checks logged as well
	no option logasap # disabled as we want to see all time it needs to fulfill the request
	no option dontlognull # disabled as we want to see normal requests as well

	timeout connect 20s
	timeout queue 30s
	timeout client 60s
	timeout server 60s
	timeout client-fin 30s
	timeout http-request 20s
	timeout http-keep-alive 75s
	timeout tarpit 15s

	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http



### DEFINE FRONTENDS
  # this is our general frontend
frontend http-https-in 
	mode http
	bind <haproxy-server>:443 ssl crt /etc/haproxy/certs/10.2018..com.pem crt /etc/haproxy/certs/.pem crt /etc/haproxy/certs/.com.pem
	bind <haproxy-server>:80




	# CAPTURE DATA FROM REQUESTS FOR LOGGING
	capture request header User-Agent len 256 # for user agent
	capture request header Referer len 256 # for referrer
	capture request header Content-Length len 10 # for content length of POST (does this also work for PUT?)
	capture request header Host len 128 # for the host, subdomain, etc
	http-request capture req.body_param(customerId) len 4

	# HSTS (63072000 seconds)

	# tell the haproxy backends and all services beyond that this is https/http
	http-request add-header X-Forwarded-Proto https if { ssl_fc }
	http-request add-header X-Forwarded-Proto http if !{ ssl_fc }

	# redirect all non-https traffic
	http-response set-header Strict-Transport-Security max-age=63072000
	http-request redirect scheme https if !{ ssl_fc }


# DEFINE ACLS
...

# DEFINE ACL TO BACKEND
....



# DEFINE BACKENDS
backend backend01
	balance roundrobin
	option httpchk GET /healthcheck
	http-check expect rstatus (2|3)[0-9][0-9]

	server server1 <server-1-IP>:8585  check inter 10s fastinter 5s fall 2 rise 1 observe layer7 on-error mark-down error-limit 10 pool-purge-delay 30s
	server server2 <server-2-IP>:8585  check inter 10s fastinter 5s fall 2 rise 1 observe layer7 on-error mark-down error-limit 10 pool-purge-delay 30s backup

The problem we’re facing is DOWNs and UPs for the configured server1 and server2 without them really being down. I see in the haproxy logs entries like:

Mar 19 21:10:08 haproxy-server haproxy[3203]: [WARNING] 078/211008 (3204) : Health check for server backend01/server1 failed, reason: Layer7 timeout, check duration: 10000ms, status: 0/1 DOWN.
Mar 19 21:10:09 haproxy-server haproxy[3203]: [WARNING] 078/211008 (3204) : Server backend01/server1 is DOWN. 0 active and 1 backup servers left. Running on backup. 1 sessions active, 0 requeued, 0 remaining in queue.
Mar 19 21:10:27 haproxy-server haproxy[3203]: [WARNING] 078/211027 (3204) : Health check for server backend01/server1 succeeded, reason: Layer7 check passed, code: 200, info: "HTTP status check returned code <3C>200<3E>", check duration: 8009ms, status: 2/2 UP.
Mar 19 21:10:27 haproxy-server haproxy[3203]: [WARNING] 078/211027 (3204) : Server backend01/server1 is UP. 1 active and 1 backup servers online. 0 sessions requeued, 0 total in queue.
Mar 19 21:10:47 haproxy-server haproxy[3203]: [WARNING] 078/211047 (3204) : Health check for server backend01/server1 failed, reason: Layer7 timeout, check duration: 10001ms, status: 1/2 UP.
Mar 19 21:11:02 haproxy-server haproxy[3203]: [WARNING] 078/211102 (3204) : Health check for server backend01/server1 failed, reason: Layer7 timeout, check duration: 10000ms, status: 0/1 DOWN.
Mar 19 21:11:02 haproxy-server haproxy[3203]: [WARNING] 078/211102 (3204) : Server backend01/server1 is DOWN. 0 active and 1 backup servers left. Running on backup. 0 sessions active, 0 requeued, 0 remaining in queue.
Mar 19 21:12:17 haproxy-server haproxy[3203]: [WARNING] 078/211217 (3204) : Health check for server backend01/server1 succeeded, reason: Layer7 check passed, code: 200, info: "HTTP status check returned code <3C>200<3E>", check duration: 5006ms, status: 2/2 UP.
Mar 19 21:12:17 haproxy-server haproxy[3203]: [WARNING] 078/211217 (3204) : Server backend01/server1 is UP. 1 active and 1 backup servers online. 0 sessions requeued, 0 total in queue.
Mar 19 21:28:17 haproxy-server haproxy[3203]: [WARNING] 078/212817 (3204) : Health check for server backend01/server1 failed, reason: Layer7 timeout, check duration: 10001ms, status: 1/2 UP.
Mar 19 21:28:32 haproxy-server haproxy[3203]: [WARNING] 078/212832 (3204) : Health check for server backend01/server1 failed, reason: Layer7 timeout, check duration: 10001ms, status: 0/1 DOWN.
Mar 19 21:28:32 haproxy-server haproxy[3203]: [WARNING] 078/212832 (3204) : Server backend01/server1 is DOWN. 0 active and 1 backup servers left. Running on backup. 1 sessions active, 0 requeued, 0 remaining in queue.
Mar 19 21:28:47 haproxy-server haproxy[3203]: [WARNING] 078/212847 (3204) : Health check for server backend01/server1 succeeded, reason: Layer7 check passed, code: 200, info: "HTTP status check returned code <3C>200<3E>", check duration: 5006ms, status: 2/2 UP.
Mar 19 21:28:47 haproxy-server haproxy[3203]: [WARNING] 078/212847 (3204) : Server backend01/server1 is UP. 1 active and 1 backup servers online. 0 sessions requeued, 0 total in queue.
Mar 19 21:36:07 haproxy-server haproxy[3203]: [WARNING] 078/213607 (3204) : Health check for server backend01/server1 failed, reason: Layer7 timeout, check duration: 10001ms, status: 1/2 UP.
Mar 19 21:36:12 haproxy-server haproxy[3203]: [WARNING] 078/213612 (3204) : Health check for server backend01/server1 succeeded, reason: Layer7 check passed, code: 200, info: "HTTP status check returned code <3C>200<3E>", check duration: 1ms, status: 2/2 UP.
Mar 19 21:40:27 haproxy-server haproxy[3203]: [WARNING] 078/214027 (3204) : Health check for server backend01/server1 failed, reason: Layer7 timeout, check duration: 10000ms, status: 1/2 UP.
Mar 19 21:40:42 haproxy-server haproxy[3203]: [WARNING] 078/214042 (3204) : Health check for server backend01/server1 failed, reason: Layer7 timeout, check duration: 10001ms, status: 0/1 DOWN.
Mar 19 21:40:42 haproxy-server haproxy[3203]: [WARNING] 078/214042 (3204) : Server backend01/server1 is DOWN. 0 active and 1 backup servers left. Running on backup. 0 sessions active, 0 requeued, 0 remaining in queue.
Mar 19 21:43:20 haproxy-server haproxy[3203]: [WARNING] 078/214320 (3204) : Health check for server backend01/server1 succeeded, reason: Layer7 check passed, code: 200, info: "HTTP status check returned code <3C>200<3E>", check duration: 8006ms, status: 2/2 UP.
Mar 19 21:43:20 haproxy-server haproxy[3203]: [WARNING] 078/214320 (3204) : Server backend01/server1 is UP. 1 active and 1 backup servers online. 0 sessions requeued, 0 total in queue.
Mar 19 21:56:06 haproxy-server haproxy[3203]: [WARNING] 078/215606 (3204) : Health check for server backend01/server1 failed, reason: Layer7 timeout, check duration: 10001ms, status: 1/2 UP.
Mar 19 21:56:21 haproxy-server haproxy[3203]: [WARNING] 078/215621 (3204) : Health check for server backend01/server1 failed, reason: Layer7 timeout, check duration: 10001ms, status: 0/1 DOWN.
Mar 19 21:56:21 haproxy-server haproxy[3203]: [WARNING] 078/215621 (3204) : Server backend01/server1 is DOWN. 0 active and 1 backup servers left. Running on backup. 0 sessions active, 0 requeued, 0 remaining in queue.
Mar 19 21:58:11 haproxy-server haproxy[3203]: [WARNING] 078/215811 (3204) : Health check for server backend01/server1 succeeded, reason: Layer7 check passed, code: 200, info: "HTTP status check returned code <3C>200<3E>", check duration: 1ms, status: 2/2 UP.
Mar 19 21:58:11 haproxy-server haproxy[3203]: [WARNING] 078/215811 (3204) : Server backend01/server1 is UP. 1 active and 1 backup servers online. 0 sessions requeued, 0 total in queue.
Mar 19 22:10:09 haproxy-server haproxy[3203]: [WARNING] 078/221009 (3204) : Health check for server backend01/server1 failed, reason: Layer7 timeout, check duration: 10000ms, status: 1/2 UP.
Mar 19 22:10:24 haproxy-server haproxy[3203]: [WARNING] 078/221024 (3204) : Health check for server backend01/server1 failed, reason: Layer7 timeout, check duration: 10001ms, status: 0/1 DOWN.
Mar 19 22:10:24 haproxy-server haproxy[3203]: [WARNING] 078/221024 (3204) : Server backend01/server1 is DOWN. 0 active and 1 backup servers left. Running on backup. 0 sessions active, 0 requeued, 0 remaining in queue.
Mar 19 22:13:39 haproxy-server haproxy[3203]: [WARNING] 078/221339 (3204) : Health check for server backend01/server1 succeeded, reason: Layer7 check passed, code: 200, info: "HTTP status check returned code <3C>200<3E>", check duration: 5006ms, status: 2/2 UP.
Mar 19 22:13:39 haproxy-server haproxy[3203]: [WARNING] 078/221339 (3204) : Server backend01/server1 is UP. 1 active and 1 backup servers online. 0 sessions requeued, 0 total in queue.

But I also ran a separate script on the same machine hammering the server1 API with 5 requests/s for more than 2h and none of the ~31k requests got anything other than HTTP status code 200.

Did anyone experience something similar?

Posts: 2

Participants: 2

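The check lines in the post above can be reduced to per-server numbers that separate a server that is really down from a health-check endpoint that merely answers slowly. This is an added analysis script, not HAProxy's code and not the poster's; it parses the standard HAProxy check-log format, counts timeouts and DOWN transitions, and records how close the successful checks came to the timeout. The sample lines are copied from the post, the 10000 ms limit matches the logged check durations, and the classification rule is a heuristic of this example.

```python
"""Parse HAProxy health-check warnings and score each server's check history.
Added example; the SAMPLE_LOG lines are copied from the post above."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

SAMPLE_LOG: List[str] = [
    'Mar 19 21:10:08 haproxy-server haproxy[3203]: [WARNING] 078/211008 (3204) : Health check for server backend01/server1 failed, reason: Layer7 timeout, check duration: 10000ms, status: 0/1 DOWN.',
    'Mar 19 21:10:09 haproxy-server haproxy[3203]: [WARNING] 078/211008 (3204) : Server backend01/server1 is DOWN. 0 active and 1 backup servers left. Running on backup. 1 sessions active, 0 requeued, 0 remaining in queue.',
    'Mar 19 21:10:27 haproxy-server haproxy[3203]: [WARNING] 078/211027 (3204) : Health check for server backend01/server1 succeeded, reason: Layer7 check passed, code: 200, info: "HTTP status check returned code <3C>200<3E>", check duration: 8009ms, status: 2/2 UP.',
    'Mar 19 21:10:47 haproxy-server haproxy[3203]: [WARNING] 078/211047 (3204) : Health check for server backend01/server1 failed, reason: Layer7 timeout, check duration: 10001ms, status: 1/2 UP.',
    'Mar 19 21:11:02 haproxy-server haproxy[3203]: [WARNING] 078/211102 (3204) : Health check for server backend01/server1 failed, reason: Layer7 timeout, check duration: 10000ms, status: 0/1 DOWN.',
    'Mar 19 21:12:17 haproxy-server haproxy[3203]: [WARNING] 078/211217 (3204) : Health check for server backend01/server1 succeeded, reason: Layer7 check passed, code: 200, info: "HTTP status check returned code <3C>200<3E>", check duration: 5006ms, status: 2/2 UP.',
    'Mar 19 21:36:12 haproxy-server haproxy[3203]: [WARNING] 078/213612 (3204) : Health check for server backend01/server1 succeeded, reason: Layer7 check passed, code: 200, info: "HTTP status check returned code <3C>200<3E>", check duration: 1ms, status: 2/2 UP.',
]

# Only "Health check for server ..." lines carry a duration; "Server ... is DOWN"
# transition lines are deliberately not matched.
CHECK_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?Health check for server (?P<server>\S+) '
    r'(?P<result>failed|succeeded), reason: (?P<reason>[^,]+),'
    r'(?: code: (?P<code>\d+),)?(?: info: "(?P<info>[^"]*)",)?'
    r' check duration: (?P<duration>\d+)ms, status: (?P<status>\d+/\d+ (?:UP|DOWN))\.$'
)


def parse_check_line(line: str) -> Optional[dict]:
    """Return the fields of one health-check line, or None for other lines."""
    m = CHECK_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "server": d["server"],
        "ok": d["result"] == "succeeded",
        "reason": d["reason"],
        "code": int(d["code"]) if d["code"] else None,
        "duration_ms": int(d["duration"]),
        "status": d["status"],
    }


def summarize(lines: List[str], timeout_ms: int = 10000,
              slow_fraction: float = 0.5) -> Dict[str, dict]:
    """Per-server counters: failures, how many were timeouts, how many checks
    flipped the server to DOWN, and how slow the successful checks were."""
    per = defaultdict(lambda: {"checks": 0, "failures": 0, "timeouts": 0,
                               "went_down": 0, "slow_successes": 0,
                               "max_ok_ms": 0, "last_status": None})
    for line in lines:
        ev = parse_check_line(line)
        if ev is None:
            continue
        s = per[ev["server"]]
        s["checks"] += 1
        s["last_status"] = ev["status"]
        if ev["ok"]:
            s["max_ok_ms"] = max(s["max_ok_ms"], ev["duration_ms"])
            if ev["duration_ms"] >= slow_fraction * timeout_ms:
                s["slow_successes"] += 1
        else:
            s["failures"] += 1
            if ev["reason"] == "Layer7 timeout":
                s["timeouts"] += 1
            if ev["status"].endswith("DOWN"):
                s["went_down"] += 1
    return dict(per)


def classify(stats: dict, timeout_ms: int = 10000, slow_fraction: float = 0.5) -> str:
    """Heuristic (this example's, not HAProxy's): when every failure is a
    Layer7 timeout and the successful checks themselves used a large share of
    the timeout budget, the check endpoint or the check timeout is the suspect
    rather than the server; refused connections or bad status codes would show
    up as other reasons."""
    if stats["failures"] == 0:
        return "stable"
    if (stats["failures"] == stats["timeouts"]
            and stats["max_ok_ms"] >= slow_fraction * timeout_ms):
        return "slow-check-endpoint"
    return "failing"


if __name__ == "__main__":
    for server, stats in summarize(SAMPLE_LOG).items():
        print(server, classify(stats), stats)
```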

Dynamic input to lua action?


@lucid_thayne wrote:

I want an haproxy rule that does a redirect, but adds CORS headers to the response conditionally, based on the Origin header of the request. Furthermore, the location of the redirect is dynamic. I’m using 1.8, so I don’t have the http-after-response set-header option. I’ve tried several approaches, but none have worked the way I want.

register_service doesn’t allow me to give it any arguments. I can pass it data with a variable, but unfortunately, afaict there isn’t a way to set a variable using log format, or concatenate strings, so I can’t compose multiple inputs into a single variable.

register_action allows me to take arguments, but haproxy doesn’t seem to do any kind of processing before giving them to me, so something like https://%[req.hdr(Host),word(1)].new.example.com%[url] doesn’t work. I also wasn’t able to figure out a way to respond with http other than an HTTP response directly to the res channel, which won’t work if we ever switch to supporting http/2.

Is there a way to accomplish this in haproxy 1.8?

Posts: 1

Participants: 1


Aliasing the Web URLS


@atul9806 wrote:

Hi Guys,
I am looking for a HAProxy solution where we want to translate the incoming URL to a completely different URL. I have gone through the documentation and implemented it where the backend is using server IP and port.
Kindly suggest if someone has achieved this before?

Ask-
www.original.com/test --> www.wanaBeoriginal.co.in/umenhum

Posts: 1

Participants: 1


Deny request base on http request url


@mario.almeida wrote:

I want to deny a request if it is accessing only a specific URL.

eg:-
Let us say we have these URLs
/URL/A
/URL/B
/URL/C
/URL/D

I want to block an IP if it is found only accessing /URL/D. If it is found accessing other URLs, then the previous deny should be removed.

Is this possible to do?

Posts: 1

Participants: 1


How to disable regular health check log under level "info"?


@benjamin_wang wrote:

The haproxy version is 2.1.3, and it’s running in K8S environment.

I configured the log configuration below in the “default” section,

log stdout format raw daemon info

And configured the following log configuration in HTTP & TCP frontends respectively,
HTTP frontends:

option httplog
log global

TCP frontends:

option tcplog
log global

Basically the functionality is good. But I see the following log entries being output to stdout every 6 seconds. There will be more than 200K such entries each day. Is it possible to disable these log entries and keep using log level “info”?

10.244.2.1:51340 [23/Mar/2020:00:54:54.591] p9402/1: Connection closed during SSL handshake
10.244.2.1:51337 [23/Mar/2020:00:54:54.591] p9400/1: Connection closed during SSL handshake
10.244.2.1:51336 [23/Mar/2020:00:54:54.591] p9303/1: Connection closed during SSL handshake
10.244.2.1:51341 [23/Mar/2020:00:54:54.591] stats/1: Connection closed during SSL handshake
10.240.0.4:64601 [23/Mar/2020:00:54:54.704] p9400/1: Connection closed during SSL handshake
10.240.0.4:64602 [23/Mar/2020:00:54:54.704] p9303/1: Connection closed during SSL handshake
10.240.0.4:64604 [23/Mar/2020:00:54:54.704] p9402/1: Connection closed during SSL handshake
10.240.0.4:64603 [23/Mar/2020:00:54:54.704] stats/1: Connection closed during SSL handshake
10.240.0.6:55874 [23/Mar/2020:00:54:54.765] stats/1: Connection closed during SSL handshake
10.240.0.6:55870 [23/Mar/2020:00:54:54.765] p9303/1: Connection closed during SSL handshake
10.240.0.6:55872 [23/Mar/2020:00:54:54.765] p9400/1: Connection closed during SSL handshake
10.240.0.6:55871 [23/Mar/2020:00:54:54.765] p9402/1: Connection closed during SSL handshake
10.244.2.1:51339 [23/Mar/2020:00:54:54.591] p9403 server_p9403/p9403_1 1/0/9000 7 -- 26/6/5/1/0 0/0
10.244.2.1:51338 [23/Mar/2020:00:54:54.591] p9401 server_p9401/p9401_1 1/0/9000 0 -- 25/6/5/1/0 0/0
10.240.0.4:64605 [23/Mar/2020:00:54:54.704] p9401 server_p9401/p9401_2 1/0/9000 0 -- 24/5/4/1/0 0/0
10.240.0.4:64606 [23/Mar/2020:00:54:54.704] p9403 server_p9403/p9403_3 1/0/9000 7 -- 23/5/4/1/0 0/0
10.240.0.6:55875 [23/Mar/2020:00:54:54.765] p9401 server_p9401/p9401_1 1/0/9013 0 -- 22/4/3/0/0 0/0
10.240.0.6:55873 [23/Mar/2020:00:54:54.765] p9403 server_p9403/p9403_1 1/0/9013 7 -- 22/4/3/0/0 0/0

Another related question is why the above log entries were output to stdout every 6 seconds instead of the default 2 seconds, since the default health check "inter" value is 2 seconds?

Thanks!

Posts: 1

Participants: 1

Read full topic


HOST header injection


@arlinux wrote:

Hello,

I have HA-Proxy version 1.8.19 running.

curl -I -H "Host:www.bing.com" http://www.mydomain.net
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://www.bing.com/

Could someone advise on how to avoid such HOST header injection?

Thanks!
Ash

Posts: 1

Participants: 1

Read full topic
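What the curl output shows is a redirect rule (typically `redirect scheme https`) copying the client-supplied Host header straight into the Location header. The fix is to validate Host against an allowlist before any rule can use it. The following is an added example, not the poster's config; the domain names, certificate path and backend address are placeholders.

```haproxy
# Added example: stop the Host header from being echoed into redirects.
# "redirect scheme https" and "redirect prefix" without an explicit host
# copy the client's Host header into Location. Names and paths below are
# placeholders.

frontend fe_http
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/mydomain.net.pem
    mode http

    # Allowlist of hostnames this frontend serves. Compare after lower-casing
    # and after dropping an optional :port, which some clients send.
    # HTTP/2 :authority is mapped to Host by HAProxy, so this covers it too.
    acl host_ok req.hdr(host),lower,field(1,:) -m str www.mydomain.net mydomain.net

    # Anything else is refused (403) before any rule can use the Host value.
    http-request deny unless host_ok

    # Echoing Host into the redirect is now safe only because of the
    # allowlist above. Alternatively, build Location from a fixed origin so
    # nothing but the URI comes from the client:
    #   http-request redirect location https://www.mydomain.net%[capture.req.uri] code 301 unless { ssl_fc }
    http-request redirect scheme https code 301 unless { ssl_fc }

    default_backend be_app

backend be_app
    server app1 192.0.2.10:8080 check
```

Check with the same request as in the post, `curl -I -H "Host: www.bing.com" http://www.mydomain.net`: the answer should now be 403 with no Location header, while `curl -I http://www.mydomain.net` still gets the 301 to https://www.mydomain.net/.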

How to use lua StickTable Class?


@tasavi wrote:

Hi there, I’m trying to get a stick-table entry for a given key from Lua.

I’m using HAproxy version 1.9.14 Built with Lua version: Lua 5.3.5

#!/usr/bin/lua

function getStickTable(sticktable)

        local t = sticktable.lookup("/usage")
        for key,value in pairs(t)
        do
                core.log(core.debug,"stick table: "..tostring(key).."=>"..tostring(value))

        end

        return "OK"
end

core.register_fetches("getStickTable", getStickTable)

I got this error log when I try to use sample-fetch from haproxy.

Mar 24 17:04:59 localhost haproxy[18267]: Lua sample-fetch 'getStickTable': runtime error: /etc/haproxy/lua-sticktable.lua:5: attempt to call a nil value (field 'lookup') from /etc/haproxy/lua-sticktable.lua:5 C function line 3.

Is there anyone who knows how to use Lua StickTable Class?
If possible I want to get some sample Lua code for testing.

Thanks.

Posts: 1

Participants: 1

Read full topic

Reverse Proxy to internal frappe server: failing login


@Doca wrote:

Hi all,

I am using HAProxy as my reverse proxy on an OPNSense firewall. In the backend currently I have two servers: jitsi and frappe/ERPNext

I am running a dyndns with subdomains of my domain at strato and SSL via Let’s encrypt for the two domains.

Accessing the servers via the public dynDNS domains works fine with the SSL certificates. For Jitsi I also configured some port forwarding in the firewall.

Jitsi runs fine.

Frappe/ERPNext allows to access the front page and visit any non-password protected sites. However, when I try to login Frappe fails to perform the login.

The error log can be seen here:

I know that this may be a frappe specific problem. However, I hope there may be some simple option or header in HAProxy that I may set to support the login to frappe.

Any help is appreciated!

Thanks
DoCa

Posts: 1

Participants: 1

Read full topic

301 redirect over https doesn't include HSTS header (HAProxy 2.1)


@dreamgate wrote:

Hi!

I’m a new user to haproxy and I’m currently configuring it to route to my docker containers. My end goal is to reach an A+ on Qualys SSL Labs and enable my site to be included on the HSTS preload list.

According to HSTS preload, you must redirect to HTTPS and include preload header on base domain too (in the redirect).

The other question I have is: What’s the best way to add www prefix on base domain? I’d like to do this for my primary domain only.

Here’s my entire config:

global
    # daemon
    log stdout format raw daemon
    maxconn 4096
    pidfile /var/run/haproxy.pid
    tune.ssl.default-dh-param 2048

    # set minimum SSL requirements
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

defaults
    log global
    mode http
    balance roundrobin
    option httplog
    option dontlognull
    option redispatch
    maxconn 4096
    timeout connect 15s
    timeout client  30s
    timeout server  30s
    timeout queue   30s
    timeout http-request 15s
    timeout http-keep-alive 15s

frontend http-in
    bind *:80
    bind *:443 ssl crt /certs/example.net.pem alpn h2,http/1.1
    mode http

    # default headers
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

    # redirect all HTTP traffic to HTTPS
    http-request redirect scheme https code 301 unless { ssl_fc }

    # route subdomains
    acl sd-001 hdr(host) -i example.net
    acl sd-002 hdr(host) -i www.example.net

    use_backend main     if sd-001
    use_backend main-www if sd-002

backend main
    redirect prefix https://www.example.net code 301 unless { hdr_beg(host) -i www }

backend main-www
    server main 192.168.224.3:9200 check

Posts: 1

Participants: 1

Read full topic
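The reason the 301 has no HSTS header is that `http-response` rules only run on responses that came back from a server; a redirect is generated inside HAProxy and skips them. HAProxy 2.2 added `http-after-response` precisely for headers on internally generated responses (redirects, deny, stats). The following reworks the frontend from the post as an added example, not the poster's config or HAProxy project code; it assumes HAProxy 2.2 or later, and example.net and the addresses are placeholders.

```haproxy
# Added example: HSTS on HAProxy's own redirects, plus the apex -> www redirect.
# Assumes HAProxy 2.2+ for http-after-response. example.net is a placeholder.

frontend http-in
    bind *:80
    bind *:443 ssl crt /certs/example.net.pem alpn h2,http/1.1
    mode http

    # Only the hosts we serve; refuse anything else before it can reach a
    # redirect rule that echoes the Host header into Location.
    acl host_ok req.hdr(host),lower -m str example.net www.example.net
    http-request deny unless host_ok

    # Plain HTTP -> HTTPS on the same host, path kept (the preload checker
    # wants the first hop to stay on the same host).
    http-request redirect scheme https code 301 unless { ssl_fc }

    # Apex -> www, only over HTTPS. "redirect prefix" keeps path and query
    # string. Because this 301 is served over TLS it carries the HSTS header
    # set below, which is what the preload requirements ask of the base domain.
    http-request redirect prefix https://www.example.net code 301 if { ssl_fc } { req.hdr(host),lower -m str example.net }

    # Applied to every HTTPS response, including the internally generated
    # redirects above. Browsers ignore HSTS over plain HTTP, so restrict it
    # to ssl_fc to keep the intent obvious.
    http-after-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" if { ssl_fc }

    default_backend main-www

backend main-www
    server main 192.168.224.3:9200 check
```

Verify with `curl -I https://example.net/some/path`: the response should be a 301 to https://www.example.net/some/path and include the Strict-Transport-Security header. On 2.1 there is no equivalent rule type for internal responses, so the practical options are upgrading or serving the apex redirect from a backend that answers it.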

Does peers section support "server-template"?


@benjamin_wang wrote:

The HAProxy version is 2.1.3, and it’s running in K8S environment.

I deployed two HAProxy instances (the replica count is 2), and I manually defined the peers section as below,

peers mypeers
    peer tdv-haproxy-0 tdv-haproxy-0.haproxy-svc-headless.test.svc.cluster.local:15015
    peer tdv-haproxy-1 tdv-haproxy-1.haproxy-svc-headless.test.svc.cluster.local:15015

The functionality is OK, the stick table could be synced to each other successfully. But I wonder whether the peer list could be configured dynamically by DNS resolving something like below?

server-template haproxy- 10 _http._tcp.haproxy-svc-headless.test.svc.cluster.local resolvers mydns check

Thanks!

Posts: 1

Participants: 1

Read full topic
