Channel: HAProxy community - Latest topics

"Nice" login screen instead of browser user/pwd popup?


@Doca wrote:

Hi all,

Is it possible to provide a login screen to the sites managed by HAProxy as a reverse proxy?
Right now I use basic authentication as an added layer of security, but I would like to have it nicer and, for example, with an additional OTP or 2FA.

I imagine this to be similar to the Citrix portal.

Cheers
DoCa

Posts: 1

Participants: 1



Two mail servers


@unixm wrote:

I did not find how you can proxy mail to two different mail servers. Is it possible to do this?
Example: mail1@example.com
belongs to server1
and mail2@example.com belongs to server2
server1 192.168.0.10
server2 192.168.10.20
server1 postfix
server2 exchange

Posts: 1

Participants: 1


ACL based on Basic Auth User


@JamesM wrote:

Hi, I have what would appear to be a bit of an unusual requirement from HAProxy, just wondering if anyone has any ideas if / how it can be implemented.

In short, I’m migrating from one platform to another, both are authenticated by basic authentication. With the number of users I’m looking at, I won’t be able to do the migration in one hit so would like to be able to control which backend the users get to based on their basic authentication username but without HAProxy actually providing the authentication.

HAProxy can see the credentials, which I can prove by logging the Authorization header.

I was hoping I could control it with a list file of migrated users eg:
use backend migrated_backend_application if <basicauth user> -f /var/tmp/migrated_users.lst

Any pointers would be greatly appreciated!

James

Posts: 1

Participants: 1


Redirect with all headers


@namhq.1989 wrote:

I want to redirect all requests from abc.com to xyz.com, here is my config:

redirect prefix https://xyz.com code 308 if { hdr(host) -i abc.com }

But headers are missing when the request comes to xyz.com. I want to keep all headers from the client (for auth checks, versioning, …) when the request comes to the new endpoint (xyz.com). How can I do that?

Thanks!

Posts: 1

Participants: 1


Topology visualization from haproxy

Full uri Method


@mho wrote:

Hello,
I have 3 devices (Android, Apple and Microsoft clients) that send a request with my method “MYMETHOD” to https://myserver.com/myapp.

But in the haproxy debug log I see for Android and Apple:
fe_vip_443.clireq[0013:ffffffff]: MYMETHOD https://myserver.com/myapp/ HTTP/1.1

and for Windows:
fe_vip_443.clireq[0017:ffffffff]: MYMETHOD /myapp/ HTTP/1.1

and it’s working for the Android and Apple clients.

I want to rewrite the request with the full URI; I tried to capture and transform the request, but it’s not working:
acl apps path_beg /apps
http-request set-var(txn.myvar) str(https://myserver.com/myapp/) if apps
http-request set-uri %[var(txn.myvar)] if apps
I see the %[var(txn.myvar)] content in the log and it’s the correct value, but the request line stays the same.

I tried manually with curl -D - https://myserver.com/myapp/ -X MYMETHOD
and I see the same thing in the haproxy debug log.
How do I forge the request to get:
fe_vip_443.clireq[0013:ffffffff]: MYMETHOD https://myserver.com/myapp/ HTTP/1.1

Thanks

Posts: 1

Participants: 1


ERROR smtpserver: Socket to hostname (x.x.x.x) closed remotely. java.net.SocketException: Connection reset


@rannick wrote:

Haproxy smtpchk is flooding errors in smtpservers.log. The option “option smtpchk” in the (haproxy.cfg) SMTP backend is causing the below error at every check.

ERROR smtpserver: Socket to hostname (x.x.x.x) closed remotely.
java.net.SocketException: Connection reset
at java.base/java.net.SocketInputStream.read(Unknown Source)
at java.base/java.net.SocketInputStream.read(Unknown Source)
at java.base/java.io.BufferedInputStream.fill(Unknown Source)
at java.base/java.io.BufferedInputStream.read(Unknown Source)
at org.apache.james.util.CRLFTerminatedReader.read(CRLFTerminatedReader.java:153)
at org.apache.james.util.CRLFTerminatedReader.readLine(CRLFTerminatedReader.java:113)
at org.apache.james.smtpserver.SMTPHandler.readCommandLine(SMTPHandler.java:751)
at org.apache.james.smtpserver.SMTPHandler.handleConnection(SMTPHandler.java:372)
at org.apache.james.util.connection.ServerConnection$ClientConnectionRunner.run(ServerConnection.java:432)
at org.apache.excalibur.thread.impl.ExecutableRunnable.execute(ExecutableRunnable.java:55)
at org.apache.excalibur.thread.impl.WorkerThread.run(WorkerThread.java:116)

After removing the smtpchk the error disappears. Any ideas? I have even tried setting the correct domain for SMTP in option smtpchk in the haproxy.cfg file, but it’s not working.

Posts: 1

Participants: 1


Is it possible to get the TCP connection from an HTTP response and do speed limiting?


@zenmaster wrote:

Hi Community,
I have a special request and just wonder if it is doable with haproxy.
Basically I want to limit the large-object download speed for certain users. I can get the user info from the HTTP response; is there a way to get the underlying TCP connection from the HTTP response and apply a speed limit on that TCP connection? Thanks.

Posts: 1

Participants: 1



Pool of errors in smtpserver log because of option smtpchk in haproxy.cfg


@rannick wrote:

Config:

backend smtp-backend-mail
# Layer 4 based load balancing
mode tcp
option smtpchk

Error:

smtpserver.log

ERROR smtpserver: Socket to hostname closed remotely.
java.net.SocketException: Connection reset

haproxy.log

31 03:31:03 localhost haproxy[13975]: IP:60416 [31/Mar/2020:03:31:03.627] https/2: Connection closed during SSL handshake
Mar 31 03:31:03 localhost haproxy[30585]: http http/ -1/-1/-1/-1/+0 400 +187 - - CR-- 0/0/0/0/0 0/0 “”
Mar 31 03:32:03 localhost haproxy[30585]: https/2: Connection closed during SSL handshake
Mar 31 03:32:03 localhost haproxy[13975]: http http/ -1/-1/-1/-1/+0 400 +187 - - CR-- 0/0/0/0/0 0/0 “”

Posts: 1

Participants: 1


Intermittent NTLM Issues


@teejeaux wrote:

Hi, I’m brand new to HAProxy. I’m trying to set up a very simple load balancer to meet a missing AWS need. I’ve got version 1.8 on an Ubuntu Server instance, pointing at a pool of four Windows IIS servers. They are using NTLM authentication. I’m attaching the config file I’m using below. I’m not seeing any errors in the log file. What’s happening is that I’m getting intermittent NTLM 401 errors. It will run fine for a while, the persistence works, but then randomly I get “The HTTP request is unauthorized with client authentication scheme ‘Ntlm’”. Any thoughts? Help would be sincerely appreciated!

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

#---------------------------------------------------------------------
# Common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 1m
    timeout client 2h
    timeout server 1h
    maxconn 10000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend main
    bind *:80
    capture request header Host len 32
    mode http
    option http-keep-alive
    default_backend webserver

#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend webserver
    balance roundrobin
    option http-keep-alive
    cookie SERVERID insert indirect nocache
    server s1 10.16.18.61:80 check cookie s1
    server s2 10.16.18.62:80 check cookie s2
    server s3 10.16.18.63:80 check cookie s3
    server s4 10.16.18.64:80 check cookie s4

Posts: 1

Participants: 1


VIP that checks which backend server the folder is on


@liza wrote:

Hello,
I have 2 backend servers and would like to balance my VIP to the server that has the J: drive containing a folder named “check”.
The J: drive will be on one backend server at a time (it is either on server1 or server2).
Could you please help?
Thanks
Liza

Posts: 1

Participants: 1


HTTP/2 Server Push from Apache behind HAProxy


@cgl wrote:

I am wondering if it is possible to use the HTTP/2 Server Push feature behind HAProxy. I have created a simple setup to test it; as far as I can see, the Apache webserver does not push the content when it is behind HAProxy. For testing I have used the nghttp client.

I hope it is ok if I post a link to the same question at serverfault, where I have posted details of my test configuration: https://serverfault.com/questions/1010082/http-2-server-push-from-apache-behind-haproxy

Maybe it is just a fundamental misunderstanding on my part; so far I have found nothing concerning this setup.

Many thanks in advance

Posts: 1

Participants: 1


Cannot bind to socket 4443


@MorayM wrote:

I’m trying to add a new port for forwarding to HAProxy, but whenever I try to restart the service with the new configuration I get the error:

haproxy-systemd-wrapper[32276]: [ALERT] 092/112955 (32277) : Starting frontend my-service: cannot bind socket [<public IP>:4443]

I’m running haproxy through systemctl on CentOS7. Nothing else is using port 4443 (sudo netstat -apn | grep 4443 comes up blank), and I’ve got net.ipv4.ip_forward = 1 and net.ipv4.ip_nonlocal_bind = 1 set in sysctl.conf. I’ve also run sudo setsebool -P haproxy_connect_any=1.

The relevant part of my haproxy.cfg looks like this:

frontend my-service
   bind <public_url>:4443
   default_backend my-backend

I’ve also got other frontends binding to 80, 443 and 8080.

My Global settings and defaults are:

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    log         127.0.0.1 local2     #Log configuration

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy             #Haproxy running under user and group "haproxy"
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats
    tune.ssl.default-dh-param 2048
    ssl-default-bind-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11


#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    15s
    timeout queue           30s
    timeout connect         5s
    timeout client          25s
    timeout server          5m
    timeout http-keep-alive 1s
    timeout check           10s
    timeout tunnel          3600s
    timeout tarpit          60s
    backlog                 10000
    maxconn                 3000

Posts: 1

Participants: 1


Running nginx in parallel with HAProxy to proxy UDP traffic


@MorayM wrote:

I’ve been running HAProxy for about a year at the front of my application as a proxy and load balancer for HTTP/TCP traffic. I now need to proxy UDP traffic, which HAProxy doesn’t support. The simplest solution I can think of is to run up an instance of Nginx in parallel to the existing HAProxy instance to handle the UDP traffic, leaving HAProxy unchanged.

Has anyone tried this, or know of any reason why it wouldn’t work? Or does anyone know of a better solution?

Posts: 1

Participants: 1


Windows Server 2019 AD FS problems


@syfy323 wrote:

Hi!

I’m struggling with HAProxy and ADFS in SSL offloading mode.

I already followed this advice:
https://hochwald.net/microsoft-ad-fs-behind-load-balancer/

As well as:

My setup still shows all servers as down. I’m using HAProxy 2.0.13.

If I set the IP of my ADFS host in my hosts file with the SSO-Domain as host, I can view “https://sso.srvfarm.net/adfs/ls/idpinitiatedsignon.aspx” and get http 200 in Chrome (computer in same network).

My config:

global
	log /dev/log local0
	log /dev/log local1 notice
	chroot /var/lib/haproxy
	stats socket /run/haproxy/admin.sock mode 660 level admin
	stats timeout 30s
	user haproxy
	group haproxy
	daemon
	maxconn 40000
	ulimit-n 81000
	# Default ciphers to use on SSL-enabled listening sockets.
	ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM
	ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
	ssl-default-server-ciphers EECDH+AESGCM:EDH+AESGCM
	ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
	tune.ssl.default-dh-param 2048

defaults
	log global
	mode http
	option dontlognull
	option tcplog
	option redispatch
	option contstats
	option http-use-htx
	option forwardfor except 127.0.0.0/8
	maxconn 50000
	balance roundrobin
	timeout connect 10s
	timeout queue 1m
	timeout client 15m
	timeout server 15m
	timeout http-request 10s
	timeout http-keep-alive 10s
	timeout check 10s
	default-server inter 3s rise 2 fall 3
	backlog 10000

# START WebAccess
frontend WebAccess
	maxconn 50000
	bind :::80 v4v6
	bind :::443 v4v6 ssl crt /etc/haproxy/fullchain.pem curves X25519:secp521r1:secp384r1:prime256v1 ciphers EECDH+AESGCM:EDH+AESGCM no-sslv3 no-tlsv10 no-tlsv11 alpn h2
	mode http
	option httplog
	log global
	no option httpclose

	redirect scheme https code 301 if !{ ssl_fc } # redirect 80 -> 443

	http-response add-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload
	http-response add-header X-Frame-Options sameorigin
	http-response add-header X-Content-Type-Options nosniff
	
	http-request set-header X-MS-Forwarded-Client-IP %[src]

	acl acme-challenge path_beg /.well-known/acme-challenge/
	
	use_backend AcmeForward if acme-challenge

	default_backend ADFSWeb

backend AcmeForward
	mode http
	balance roundrobin
	option httpchk GET /
	option log-health-checks
	http-check expect status 200
	server app01 185.118.197.130:80 check port 80

backend ADFSWeb
	mode http
	balance roundrobin
	option httpchk GET /adfs/ls/idpinitiatedsignon.aspx
	http-check expect status 200
	option httpclose
	option forwardfor header X-Client
	reqadd X-Forwarded-Proto:\ https if { ssl_fc }
	server swde5721 192.168.127.1:443 ssl verify none check check-sni sso.srvfarm.net sni str(sso.srvfarm.net) inter 3s rise 2 fall 3
	server swde5821 192.168.128.1:443 ssl verify none check check-sni sso.srvfarm.net sni str(sso.srvfarm.net) inter 3s rise 2 fall 3

# END WebAccess

userlist UsersFor_HAProxyStatistics
	group admin users admin
	user admin insecure-password redacted
	user stats insecure-password redacted

listen stats
	bind :::7000
	stats enable
	stats uri /
	option httpclose
	acl AuthOkay_ReadOnly http_auth(UsersFor_HAProxyStatistics)
	acl AuthOkay_Admin http_auth_group(UsersFor_HAProxyStatistics) admin
	stats http-request auth realm HAProxy-Statistics unless AuthOkay_ReadOnly
	stats admin if AuthOkay_Admin
	stats show-node
	stats show-legends

I don’t understand what’s going wrong here. IMHO “check check-sni sso.srvfarm.net” should do the trick, but the servers still show “Layer7 wrong status: HTTP status check returned code <400>” (same when accessing it via IP instead).

Any ideas?

Thank you!

Posts: 1

Participants: 1



URL not redirecting


@srgpta wrote:

I am using HA-Proxy version 1.8.24-2ppa1~xenial to redirect my URL as per my cfg file. It’s not working - any help?

I have opened all ports and it’s still saying connection refused.

# Frontend
frontend www
    bind :443
    mode http
    option forwardfor

    # FetchData
    acl url_tag01 path_beg -i /A
    acl url_tag02 path_beg -i /B
    acl url_tag03 path_beg -i /C
    acl url_tag04 path_beg -i /D

    # Set Conditions
    use_backend nd if url_tag01
    use_backend nv if url_tag02
    use_backend nf if url_tag03
    use_backend ns if url_tag04

# Backend
backend nd
    server ND x.x.x.x:8031 check

backend nv
    server NV x.x.x.x:8001 check

backend nf
    server NF x.x.x.x:9201 check

backend ns
    server NS x.x.x.x:8002 check

Posts: 1

Participants: 1


Adding New Backend/Frontends without reload


@vignesh-sp wrote:

Is there a way to add new front/backend configuration without having to reload the process?

The problem we have is that we have Prometheus scraping our data, and in the graphs we see the connections drop to zero during the reload. This happens because the reload starts a new process and the stats are reset.

So is there a way to add configs without reloads?

I checked the RunTimeAPI, it has options to add servers to the backend dynamically, but no options to create a new backend as whole.

Also I tried the dataplane api, with that, it reloads the process as do with the systemd once the configuration is done, so no difference here.

I tried the load-from-state-file option, but it only saves the backend states, not the number of connections being served, bytes in/out and other stats.

Is there a way to tell the new process to read the stats from the old process which is about to die? Or is there a way to add configs without reloading the config?

Thanks.

Posts: 3

Participants: 2


GZIP compression on SSL Frontend


@hac3ru wrote:

Hello,

I have an issue enabling GZIP compression on an SSL frontend, while on plain HTTP it works perfectly.
The error I’m getting is:
Apr 5 08:19:50 HAProxy2-wbidder haproxy[7649]: [ALERT] 095/081950 (7649) : config: frontend ‘www-https’: require an explicit filter declaration to use HTTP compression

The www-https frontend config is:
frontend www-https
bind 0.0.0.0:443 ssl crt /etc/haproxy/ssl/bundle.pem
http-request add-header X-Forwarded-Proto https
default_backend pool0
mode http
maxconn 400000
compression algo gzip
compression type text/css text/html text/javascript application/javascript text/plain text/xml application/json image/svg+xml
# Mirror traffic via SPOA-mirror
filter spoe engine traffic-mirror config /etc/haproxy/mirror.cfg

What filter should I set in order to get this working? The documentation doesn’t say anything about a filter, as far as I’ve seen.

Thank you.

Posts: 1

Participants: 1


Haproxy ACL rules based on http server backend username


@dinosauriecito wrote:

Hi there,

I am looking for some help on how to implement ACL rules based on the backend server login username, so I can share the same IP and port between several backends depending on the authentication username of each backend server. I am implementing SSL termination on HAProxy. I found what seems to be almost exactly the same case (link here), but the difference is that they have a user list whereas I just want to provide the usernames in the ACL rule.

I had three failed attempts:

In the following attempts I have, as in the above figure, 2 backend servers; the login username of server 1 is “server1” and its counterpart on backend server 2 is “server2”:

1st attempt

frontend one_ip_and_port_to_two_backends
    bind :8055 tfo ssl crt /etc/ssl/certs_self process 2 curves X25519:P-256:secp384r1
    bind abns@haproxy-clt3  accept-proxy tfo ssl crt /etc/ssl/certs_self process 2 curves X25519:P-256:secp384r1
    mode tcp
    option tcp-smart-accept
    acl rule1 req.fhdr(Authorization),regsub(^Basic\s+,,i),b64dec,regsub(:.+,) eq 'server1'
    acl rule2 req.fhdr(Authorization),regsub(^Basic\s+,,i),b64dec,regsub(:.+,) eq 'server2'
    use_backend server1 if rule1
    use_backend server2 if rule2

backend server1
    mode http
    option tcp-smart-connect
    server server1 192.168.0.147:8091 check fall 5 rise 2 maxconn 50

backend server2
    mode tcp
    option tcp-smart-connect
    server server2 192.168.0.62:88 check fall 5 rise 2 maxconn 50

2nd attempt

frontend one_ip_and_port_to_two_backends
    bind :8055 tfo ssl crt /etc/ssl/certs_self process 2 curves X25519:P-256:secp384r1
    bind abns@haproxy-clt3  accept-proxy tfo ssl crt /etc/ssl/certs_self process 2 curves X25519:P-256:secp384r1
    mode tcp
    option tcp-smart-accept
    default_backend server_seleccion_backend

backend server_seleccion_backend
    mode tcp
    option tcp-smart-connect
    acl rule1 req.fhdr(Authorization),regsub(^Basic\s+,,i),b64dec,regsub(:.+,) eq 'server1'
    acl rule2 req.fhdr(Authorization),regsub(^Basic\s+,,i),b64dec,regsub(:.+,) eq 'server2'
    use_backend server1 if rule1
    use_backend server2 if rule2

backend server1
    mode http
    option tcp-smart-connect
    server server1 192.168.0.147:8091 check fall 5 rise 2 maxconn 50

backend server2
    mode tcp
    option tcp-smart-connect
    server server2 192.168.0.62:88 check fall 5 rise 2 maxconn 50

3rd attempt

userlist server-auth
    group is-server1 users server_username1
    user server1
    
    group is-server2 users server_username2
    user server2

frontend one_ip_and_port_to_two_backends
    bind :8055 tfo ssl crt /etc/ssl/certs_self process 2 curves X25519:P-256:secp384r1
    bind abns@haproxy-clt3  accept-proxy tfo ssl crt /etc/ssl/certs_self process 2 curves X25519:P-256:secp384r1
    mode tcp
    option tcp-smart-accept
    default_backend server_seleccion_backend

backend server_seleccion_backend
    mode tcp
    option tcp-smart-connect
    acl rule1 http_auth_group(server-auth) is-server2
    acl rule2 http_auth_group(server-auth) is-server1
    use_backend server1 if rule1
    use_backend server2 if rule2

backend server1
    mode http
    option tcp-smart-connect
    server server1 192.168.0.147:8091 check fall 5 rise 2 maxconn 50

backend server2
    mode tcp
    option tcp-smart-connect
    server server2 192.168.0.62:88 check fall 5 rise 2 maxconn 50

Any pointers would be greatly appreciated!
Hernán

Posts: 1

Participants: 1

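Both JamesM's post (route by Basic-auth username against a list of migrated users) and Hernán's attempts above rely on the same idea: pull the user-id out of the Authorization header and pick a backend from it. The following Python model, added here and not taken from either post, reproduces the converter chain Hernán uses, `regsub(^Basic\s+,,i),b64dec,regsub(:.+,)`, and shows how malformed or non-Basic headers fall through to the default backend; the user list and backend names are constructed for the example.

```python
import base64
import binascii
import re
from typing import Optional

# Constructed stand-in for JamesM's /var/tmp/migrated_users.lst.
MIGRATED_USERS = frozenset({"alice", "bob"})

# Constructed backend names; "migrated_backend_application" is the one JamesM used.
MIGRATED_BACKEND = "migrated_backend_application"
LEGACY_BACKEND = "legacy_backend_application"

# regsub(^Basic\s+,,i): strip the scheme, case-insensitively, plus the whitespace after it.
_BASIC_PREFIX = re.compile(r"^Basic\s+", re.IGNORECASE)


def basic_auth_user(authorization: Optional[str]) -> Optional[str]:
    """Model of req.fhdr(Authorization),regsub(^Basic\\s+,,i),b64dec,regsub(:.+,).

    Returns the user-id, or None when any step yields nothing, which is how a
    sample-fetch chain that produces no value behaves in an ACL (it does not match).
    """
    if authorization is None:
        return None  # no Authorization header at all

    stripped, replaced = _BASIC_PREFIX.subn("", authorization)
    if replaced == 0:
        # Not a Basic credential (e.g. Bearer). Treated as "no user" here so a
        # foreign scheme can never steer routing.
        return None

    try:
        # b64dec: strict decoding so a truncated or tampered token is rejected
        # instead of producing garbage that could accidentally equal a username.
        decoded = base64.b64decode(stripped, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

    # regsub(:.+,): drop everything from the first colon onward. RFC 7617 forbids a
    # colon inside the user-id, so the password may contain colons but the user-id
    # is always the part before the first one.
    user, sep, _password = decoded.partition(":")
    if not sep or not user:
        return None  # no "user:password" structure, or empty user-id
    return user


def choose_backend(authorization: Optional[str], migrated=MIGRATED_USERS) -> str:
    """Routing decision only: the credential is passed through, never verified here,
    matching JamesM's requirement that HAProxy does not perform the authentication."""
    user = basic_auth_user(authorization)
    if user is not None and user in migrated:
        return MIGRATED_BACKEND
    return LEGACY_BACKEND


if __name__ == "__main__":
    # Constructed headers: "alice:s3cret" and "carol:pa:ss" encoded in base64.
    for hdr in ("Basic YWxpY2U6czNjcmV0", "basic  Y2Fyb2w6cGE6c3M=", "Bearer abc", None):
        print(repr(hdr), "->", basic_auth_user(hdr), choose_backend(hdr))
```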

How to use frontend without binding IP


@srgpta wrote:

Hi team,

I am trying to set up a certain configuration where one frontend is sending data to a backend via HAProxy.

# Nv sending data
frontend www
    bind x.x.x.x:443 ssl crt /etc/haproxy/ssl/abc.pem crt /etc/haproxy/ssl/def.pem
    mode http
    acl if_string_nv path_beg /test_rum
    acl if_string_nv1 path_beg /nv
    use_backend nv_server if if_string_nv
    use_backend nv_server if if_string_nv1

    # NF Sending data
    acl if_string_nf path_end /_search
    acl if_string_nf1 path_beg /_bulk
    use_backend nf_server if if_string_nf
    use_backend nf_server if if_string_nf1

backend nv_server
    server server1 x.x.x.x:8090 check

backend nf_server
    server server1 x.x.x.x:9200 check

All x.x.x.x have the same internal IP address.

In the second frontend, I have to receive data over HTTPS and forward it to the backend over HTTP to x.x.x.x:9200.

Any help? What code should I write so that I receive data in HTTPS format and store it in HTTP format?

Thanks

Posts: 1

Participants: 1

