@Doca wrote:
Hi all,
is it possible to provide a login screen to the sites managed by HAproxy as reverse proxy?
Right now I use the basic authentication as added layer of security but I would like to have it nicer and for exapmle with an additional OTP or 2FA.I imagine this to be similar to the Citrix portal.
Cheers
DoCa
Posts: 1
Participants: 1
@unixm wrote:
I did not find how you can proxy mail to two different mail servers. Is it possible to do this?
Example: mail1@example.com
belongs to server1
and mail2@examle.com belongs to server2
server1 192.168.0.10
server2 192.168.10.20
server1 postfix
server2 exchange
Posts: 1
Participants: 1
@JamesM wrote:
Hi, I have what would appear to be a bit of an unusual requirement from HAProxy, just wondering if anyone has any ideas if / how it can be implemented.
In short, I’m migrating from one platform to another, both are authenticated by basic authentication. With the number of users I’m looking at, I won’t be able to do the migration in one hit so would like to be able to control which backend the users get to based on their basic authentication username but without HAProxy actually providing the authentication.
HAProxy can see the credentials, which I can prove by logging the Authorization header.
I was hoping I could control it with a list file of migrated users eg:
use backend migrated_backend_application if <basicauth user> -f /var/tmp/migrated_users.lstAny pointers would be greatly appreciated!
James
Posts: 1
Participants: 1
@namhq.1989 wrote:
I want to redirect all requests from abc.com to xyz.com, here is my config:
redirect prefix https://xyz.com code 308 if { hdr(host) -i abc.com }But headers are missing when request come to xyz.com. I want to keep all headers from client (for check auth, versioning, …) when request come to new endpoint (xyz.com), how can I do that?
Thanks!
Posts: 1
Participants: 1
@juanpabloaj wrote:
Hi, do you know some way to get the topology visualization of the network from the haproxy stats?
Posts: 1
Participants: 1
@mho wrote:
hello,
i have 3 devices android, apple and microsoft client:
send a request with my method “MYMETHOD” https://myserver.com/myapp.But in the hapoxy debug log i see for android and apple:
fe_vip_443.clireq[0013:ffffffff]: MYMETHOD https://myserver.com/myapp/ HTTP/1.1and for windows:
fe_vip_443.clireq[0017:ffffffff]: MYMETHOD /myapp/ HTTP/1.1and it’s working for android and apple client.
i want to rewrite with fulluri, i try to capture and transform request but it’s not working.
acl apps path_beg /apps
http-request set-var(txn.myvar) str(https://myserver.com/myapp/) if apps
http-request set-uri %[var(txn.myvar)] if apps
i see in log the %[var(txn.myvar)] content and it’s good value but stay the same.i try manually with curl -D - https://myserver.com/myapp/ -X MYMETHOD
i see the same thing in haproxy debug log
how to forge request to have:
fe_vip_443.clireq[0013:ffffffff]: MYMETHOD https://myserver.com/myapp/ HTTP/1.1thanks
Posts: 1
Participants: 1
@rannick wrote:
Haproxy smtpchk is flooding errors in smtpservers.log. The option “option smtpchk” in the (haproxy.cfg) SMTP backend is causing the below error at every check.
ERROR smtpserver: Socket to hostname (x.x.x.x) closed remotely. java.net.SocketException: Connection reset at java.base/java.net.SocketInputStream.read(Unknown Source) at java.base/java.net.SocketInputStream.read(Unknown Source) at java.base/java.io.BufferedInputStream.fill(Unknown Source) at java.base/java.io.BufferedInputStream.read(Unknown Source) at org.apache.james.util.CRLFTerminatedReader.read(CRLFTerminatedReader.java:153) at org.apache.james.util.CRLFTerminatedReader.readLine(CRLFTerminatedReader.java:113) at org.apache.james.smtpserver.SMTPHandler.readCommandLine(SMTPHandler.java:751) at org.apache.james.smtpserver.SMTPHandler.handleConnection(SMTPHandler.java:372) at org.apache.james.util.connection.ServerConnection$ClientConnectionRunner.run(ServerConnection.java:432) at org.apache.excalibur.thread.impl.ExecutableRunnable.execute(ExecutableRunnable.java:55) at org.apache.excalibur.thread.impl.WorkerThread.run(WorkerThread.java:116)After removing the smtpchk then the error disappears. Any ideas? I have even tried setting the correct domain for SMTP in the option smtpchk on haproxy.config file but its not working.
Posts: 1
Participants: 1
@zenmaster wrote:
Hi Community,
I have a special request and just wonder if it is doable with haproxy.
Basically I want to limit the large object download speed for certain users, I can get the user info from http response, is there a way to get the underlying TCP from http response and do speed limit on the TCP connection? thanks.
Posts: 1
Participants: 1
@rannick wrote:
Config:
backend smtp-backend-mail
# Layer 4 based load balancing
mode tcp
option smtpchkError:
smtpserver.log
ERROR smtpserver: Socket to hostname closed remotely.
java.net.SocketException: Connection resethaproxy.log
31 03:31:03 localhost haproxy[13975]: IP:60416 [31/Mar/2020:03:31:03.627] https/2: Connection closed during SSL handshake
Mar 31 03:31:03 localhost haproxy[30585]: http http/ -1/-1/-1/-1/+0 400 +187 - - CR-- 0/0/0/0/0 0/0 “”
Mar 31 03:32:03 localhost haproxy[30585]: https/2: Connection closed during SSL handshake
Mar 31 03:32:03 localhost haproxy[13975]: http http/ -1/-1/-1/-1/+0 400 +187 - - CR-- 0/0/0/0/0 0/0 “”
Posts: 1
Participants: 1
@teejeaux wrote:
Hi, I’m brand new to HAProxy. Trying to setup a very simple load balancer to meet a missing AWS need. I’ve got version 1.8 on an Ubuntu Server Instance, pointing at a pool of four Windows IIS servers. They are using NTLM authentication. I’m attaching the config file I’m using below. I’m not seeing any errors in the log file. What’s happening is that I’m getting intermittent NTLM 401 errors. It will run fine for awhile, the persistence works, but then randomly I’m getting the HTTP request is unauthorized with client authentication scheme ‘Ntlm’. Any thoughts? Help would be sincerely appreciated!
#---------------------------------------------------------------------
Global settings
#---------------------------------------------------------------------
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon#---------------------------------------------------------------------
Common defaults that all the ‘listen’ and ‘backend’ sections will
use if not designated in their block
#---------------------------------------------------------------------
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 1m
timeout client 2h
timeout server 1h
maxconn 10000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
#---------------------------------------------------------------------main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend main
bind *:80
capture request header Host len 32
mode http
option http-keep-alive
default_backend webserver#---------------------------------------------------------------------
round robin balancing between the various backends
#---------------------------------------------------------------------
backend webserver
balance roundrobin
option http-keep-alive
cookie SERVERID insert indirect nocache
server s1 10.16.18.61:80 check cookie s1
server s2 10.16.18.62:80 check cookie s2
server s3 10.16.18.63:80 check cookie s3
server s4 10.16.18.64:80 check cookie s4
Posts: 1
Participants: 1
@liza wrote:
Hello,
I have 2 Backed servers and would like to balance my vip to the server that have the drive J: that contain a folder named check
The J drive will be on 1 backend server at a time (it is either on server1 or server2).
could you please help
Thanks
Liza
Posts: 1
Participants: 1
@cgl wrote:
I’am wondering if it is possible to use the HTTP/2 Server Push feature behind HAProxy. I have created an simple setup to test it, as far as i can see, the Apache Webserver does not push the content if behind a HAProxy. For testing i have used the nghttp client.
I hope it is ok if i post a link to the same question at serverfault, there i have posted details of my test configuration: https://serverfault.com/questions/1010082/http-2-server-push-from-apache-behind-haproxy
Maybe it is just a fundamental misunderstanding on my part, so far i have found nothing concerning this setup.
Many thanks in advance
Posts: 1
Participants: 1
@MorayM wrote:
I’m trying to add a new port for forwarding to HAProxy but whenever I try to restart the service with the new configuration I get the error
haproxy-systemd-wrapper[32276]: [ALERT] 092/112955 (32277) : Starting frontend my-service: cannot bind socket [<public IP>:4443]I’m running
haproxythroughsystemctlon CentOS7. Nothing else is using port 4443 (sudo netstat -apn | grep 4443comes up blank), and I’ve gotnet.ipv4.ip_forward = 1andnet.ipv4.ip_nonlocal_bind = 1set in sysctl.conf. I’ve also runsudo setsebool -P haproxy_connect_any=1.The relevant part of my
haproxy.cfglooks like this:frontend my-service bind <public_url>:4443 default_backend my-backendI’ve also got other frontends binding to 80, 443 and 8080.
My Global settings and defaults are:
#--------------------------------------------------------------------- # Global settings #--------------------------------------------------------------------- global log 127.0.0.1 local2 #Log configuration chroot /var/lib/haproxy pidfile /var/run/haproxy.pid maxconn 4000 user haproxy #Haproxy running under user and group "haproxy" group haproxy daemon # turn on stats unix socket stats socket /var/lib/haproxy/stats tune.ssl.default-dh-param 2048 ssl-default-bind-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20 ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 #--------------------------------------------------------------------- # common defaults that all the 'listen' and 'backend' sections will # use if not designated in their block #--------------------------------------------------------------------- defaults mode http log global option httplog option dontlognull option http-server-close option forwardfor except 127.0.0.0/8 option redispatch retries 3 timeout http-request 15s timeout queue 30s timeout connect 5s timeout client 25s timeout server 5m timeout http-keep-alive 1s timeout check 10s timeout tunnel 3600s timeout tarpit 60s backlog 10000 maxconn 3000
Posts: 1
Participants: 1
@MorayM wrote:
I’ve been running HAProxy for about a year at the front of my application as a proxy and load balancer for HTTP/TCP traffic. I now need to proxy UDP traffic, which HAProxy doesn’t support. The simplest solution I can think of is to run up an instance of Nginx in parallel to existing HAProxy instance to handle the UDP traffic, leaving HAProxy unchanged.
Has anyone tried this, or know of any reason why it wouldn’t work? Or does anyone know of a better solution?
Posts: 1
Participants: 1
@syfy323 wrote:
Hi!
I’m struggling with HAProxy and ADFS in SSL offloading mode.
I already followed this advice:
https://hochwald.net/microsoft-ad-fs-behind-load-balancer/As well as:
My setup still shows all servers as down. I’m using HAProxy 2.0.13.
If I set the IP of my ADFS host in my hosts file with the SSO-Domain as host, I can view “https://sso.srvfarm.net/adfs/ls/idpinitiatedsignon.aspx” and get http 200 in Chrome (computer in same network).
My config:
global log /dev/log local0 log /dev/log local1 notice chroot /var/lib/haproxy stats socket /run/haproxy/admin.sock mode 660 level admin stats timeout 30s user haproxy group haproxy daemon maxconn 40000 ulimit-n 81000 # Default ciphers to use on SSL-enabled listening sockets. ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ssl-default-server-ciphers EECDH+AESGCM:EDH+AESGCM ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets tune.ssl.default-dh-param 2048 defaults log global mode http option dontlognull option tcplog option redispatch option contstats option http-use-htx option forwardfor except 127.0.0.0/8 maxconn 50000 balance roundrobin timeout connect 10s timeout queue 1m timeout client 15m timeout server 15m timeout http-request 10s timeout http-keep-alive 10s timeout check 10s default-server inter 3s rise 2 fall 3 backlog 10000 # START WebAccess frontend WebAccess maxconn 50000 bind :::80 v4v6 bind :::443 v4v6 ssl crt /etc/haproxy/fullchain.pem curves X25519:secp521r1:secp384r1:prime256v1 ciphers EECDH+AESGCM:EDH+AESGCM no-sslv3 no-tlsv10 no-tlsv11 alpn h2 mode http option httplog log global no option httpclose redirect scheme https code 301 if !{ ssl_fc } # redirect 80 -> 443 http-response add-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload http-response add-header X-Frame-Options sameorigin http-response add-header X-Content-Type-Options nosniff http-request set-header X-MS-Forwarded-Client-IP %[src] acl acme-challenge path_beg /.well-known/acme-challenge/ use_backend AcmeForward if acme-challenge default_backend ADFSWeb backend AcmeForward mode http balance roundrobin option httpchk GET / option log-health-checks http-check expect status 200 server app01 185.118.197.130:80 check port 80 backend ADFSWeb mode http balance roundrobin option httpchk GET /adfs/ls/idpinitiatedsignon.aspx http-check expect status 200 option httpclose option forwardfor header X-Client reqadd X-Forwarded-Proto:\ https if { ssl_fc } server swde5721 192.168.127.1:443 ssl verify none check check-sni sso.srvfarm.net sni str(sso.srvfarm.net) inter 3s rise 2 fall 3 server swde5821 192.168.128.1:443 ssl verify none check check-sni sso.srvfarm.net sni str(sso.srvfarm.net) inter 3s rise 2 fall 3 # END WebAccess userlist UsersFor_HAProxyStatistics group admin users admin user admin insecure-password redacted user stats insecure-password redacted listen stats bind :::7000 stats enable stats uri / option httpclose acl AuthOkay_ReadOnly http_auth(UsersFor_HAProxyStatistics) acl AuthOkay_Admin http_auth_group(UsersFor_HAProxyStatistics) admin stats http-request auth realm HAProxy-Statistics unless AuthOkay_ReadOnly stats admin if AuthOkay_Admin stats show-node stats show-legendsI don’t understand whats going wrong here. IMHO “check check-sni sso.srvfarm.net” should be the trick here but the servers still show “Layer7 wrong status: HTTP status check returned code <400>” (same when accessing it via IP instead).
Any ideas?
Thank you!
Posts: 1
Participants: 1
@srgpta wrote:
i am using HA-Proxy version 1.8.24-2ppa1~xenial to redirect my URL as per my cfg file. Its not working - Any help ?
I have opened all ports and still its saying connection refused.
#Frontend
frontend www
bind :443
mode http
option forwardforFetchData
acl url_tag01 path_beg -i /A
acl url_tag02 path_beg -i /B
acl url_tag03 path_beg -i /C
acl url_tag04 path_beg -i /DSet Conditions
use_backend nd if url_tag01
use_backend nv if url_tag02
use_backend nf if url_tag03
use_backend ns if url_tag04Backend
backend nd server ND x.x.x.x:8031 check
backend nv server NV x.x.x.x:8001 check
backend nf server NF x.x.x.x:9201 check
backend ns server NS x.x.x.x:8002 check
Posts: 1
Participants: 1
@vignesh-sp wrote:
Is there a way to add new front/backend configuration without having to reload the process?
The problem we have is that, we have prometheus scraping our data and in the graphs we see the connections to be zero during the reload, this happens because the reload starts a new process and the stats are reset.
So is there a way to add configs without reloads?
I checked the RunTimeAPI, it has options to add servers to the backend dynamically, but no options to create a new backend as whole.
Also I tried the dataplane api, with that, it reloads the process as do with the systemd once the configuration is done, so no difference here.
I tried the load from state file option, but it only save the backend states, not the number of connections beings served, bytes in/out and other stats.
Is there a way to tell the new process to read the stats from old process which is about to dies? Or is there a way to add configs without reloading the config?
Thanks.
Posts: 3
Participants: 2
@hac3ru wrote:
Hello,
I have an issue with enabling GZIP compression on an SSL frontend, while on plain HTTP works perfectly.
The error I’m getting is:
Apr 5 08:19:50 HAProxy2-wbidder haproxy[7649]: [ALERT] 095/081950 (7649) : config: frontend ‘www-https’: require an explicit filter declaration to use HTTP compressionThe www-https frontend config is:
frontend www-https
bind 0.0.0.0:443 ssl crt /etc/haproxy/ssl/bundle.pem
http-request add-header X-Forwarded-Proto https
default_backend pool0
mode http
maxconn 400000
compression algo gzip
compression type text/css text/html text/javascript application/javascript text/plain text/xml application/json image/svg+xml
# Mirror traffic via SPOA-mirror
filter spoe engine traffic-mirror config /etc/haproxy/mirror.cfgWhat filter should I set in order to get this working? The documentation doesn’t say anything about a filter, as far as I’ve seen.
Thank you.
Posts: 1
Participants: 1
@dinosauriecito wrote:
Hi there,
I am looking forward for some help on how to implement ACL rules based on server backend username login so I can share the same IP and port with several backends depending the authentication username of each back-end server. I am implementing SSL termination on Haproxy. I found what seems almost exactly the same case(link here) but the difference is they have a user list whereas I just want to provide the usernames in the ACL rule.
I had three failed attempts:
In the following attempts, I have as the above figure 2 backends servers with login username of server 1 is “server1” and the counterpart in backend server 2 is “server2”:
1st attempt
frontend one_ip_and_port_to_two_backends bind :8055 tfo ssl crt /etc/ssl/certs_self process 2 curves X25519:P-256:secp384r1 bind abns@haproxy-clt3 accept-proxy tfo ssl crt /etc/ssl/certs_self process 2 curves X25519:P-256:secp384r1 mode tcp option tcp-smart-accept acl rule1 req.fhdr(Authorization),regsub(^Basic\s+,,i),b64dec,regsub(:.+,) eq 'server1' acl rule2 req.fhdr(Authorization),regsub(^Basic\s+,,i),b64dec,regsub(:.+,) eq 'server2' use_backend server1 if rule1 use_backend server2 if rule2 backend server1 mode http option tcp-smart-connect server server1 192.168.0.147:8091 check fall 5 rise 2 maxconn 50 backend server2 mode tcp option tcp-smart-connect server server2 192.168.0.62:88 check fall 5 rise 2 maxconn 502nd attempt
frontend one_ip_and_port_to_two_backends bind :8055 tfo ssl crt /etc/ssl/certs_self process 2 curves X25519:P-256:secp384r1 bind abns@haproxy-clt3 accept-proxy tfo ssl crt /etc/ssl/certs_self process 2 curves X25519:P-256:secp384r1 mode tcp option tcp-smart-accept default_backend server_seleccion_backend backend server_seleccion_backend mode tcp option tcp-smart-connect acl rule1 req.fhdr(Authorization),regsub(^Basic\s+,,i),b64dec,regsub(:.+,) eq 'server1' acl rule2 req.fhdr(Authorization),regsub(^Basic\s+,,i),b64dec,regsub(:.+,) eq 'server2' use_backend server1 if rule1 use_backend server2 if rule2 backend server1 mode http option tcp-smart-connect server server1 192.168.0.147:8091 check fall 5 rise 2 maxconn 50 backend server2 mode tcp option tcp-smart-connect server server2 192.168.0.62:88 check fall 5 rise 2 maxconn 503rd attempt
userlist server-auth group is-server1 users server_username1 user server1 group is-server2 users server_username2 user server2 frontend one_ip_and_port_to_two_backends bind :8055 tfo ssl crt /etc/ssl/certs_self process 2 curves X25519:P-256:secp384r1 bind abns@haproxy-clt3 accept-proxy tfo ssl crt /etc/ssl/certs_self process 2 curves X25519:P-256:secp384r1 mode tcp option tcp-smart-accept default_backend server_seleccion_backend backend server_seleccion_backend mode tcp option tcp-smart-connect acl rule1 http_auth_group(server-auth) is-server2 acl rule2 http_auth_group(server-auth) is-server1 use_backend server1 if rule1 use_backend server2 if rule2 backend server1 mode http option tcp-smart-connect server server1 192.168.0.147:8091 check fall 5 rise 2 maxconn 50 backend server2 mode tcp option tcp-smart-connect server server2 192.168.0.62:88 check fall 5 rise 2 maxconn 50Any pointers would be greatly appreciated!
Hernán
Posts: 1
Participants: 1
@srgpta wrote:
Hi team,
I am trying to setup certain configuration. where one front-end is sending data to back-end via ha-proxy.
#Nv sending data frontend www bind x.x.x.x:443 ssl crt /etc/haproxy/ssl/abc.pem crt /etc/haproxy/ssl/def.pem mode http acl if_string_nv path_beg /test_rum acl if_string_nv1 path_beg /nv use_backend nv_server if if_string_nv use_backend nv_server if if_string_nv1 #NF Sending data acl if_string_nf path_end /_search acl if_string_nf1 path_beg /_bulk use_backend nf_server if if_string_nf use_backend nf_server if if_string_nf1 backend nv_server server server1 x.x.x.x:8090 check backend nf_server server server1 x.x.x.x:9200 checkAll x.x.x.x having same internal IP address
In second fronted, i have to receive data in https and forward to back-end in http format to x.x.x.x:9200.
Any help? What code i should write where i will receive data in https format and store it in http format.
Thanks
Posts: 1
Participants: 1
