Channel: HAProxy community - Latest topics

Is it possible to get the tcp connection from the http response and apply a speed limit?


@zenmaster wrote:

Hi Community,
I have a special request and just wonder if it is doable with haproxy.
Basically I want to limit the large object download speed for certain users. I can get the user info from the http response; is there a way to get the underlying TCP connection from the http response and apply a speed limit on that TCP connection? Thanks.

Posts: 1

Participants: 1

Read full topic


Set source in backend from Lua


@albi90 wrote:

Hi, just wondering if it's possible to set the source keyword from Lua?

I have had a look around and the documentation on the Lua implementation is very sparse.

Posts: 1

Participants: 1

Read full topic

Multiple instances of haproxy using one binary


@aarathy53 wrote:

Can we create multiple instances of haproxy using one core hap binary?

I came across
/usr/sbin/haproxy -D -f /etc/haproxy/dummy/haproxy_s.cfg -p /var/run/haproxy_s.pid

which creates an instance, but how do I stop or restart the "dum" instance?

Posts: 1

Participants: 1

Read full topic

DNS won't continue to resolve?


@sbobs wrote:

HAProxy - HA-Proxy version 2.0.14-1ppa1~bionic 2020/04/16

Setting up HAProxy for the first time. It has gone swimmingly and works well. However I would like to resolve the backends by DNS for simplicity in our environment. I have tried to set up the resolvers section and here's the weird thing. It works GREAT! For about 10 seconds. When I restart haproxy everything comes up and it all works excellently. It routes to where I need to go and everything. Then after about that first 10 seconds or so it shows as Maintenance on the stats page and the error says:

haproxy[3273]: [WARNING] 106/161936 (3274) : Server bobserver/bobs-server is going DOWN for maintenance (unspecified DNS error). 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.

My config is:
resolvers dns
    nameserver bobs-dns-server 10.0.xxx.xxx:53
    #parse-resolv-conf
    hold valid 10s
    resolve_retries 3
    timeout resolve 1s
    timeout retry 1s
    hold other 30s
    hold refused 30s
    hold nx 30s
    hold timeout 30s
    hold obsolete 30s

You can also see that I have the #parse-resolv-conf commented out because I wanted to use that, but I am getting the same result. I know the DNS works, I know it continues to work. The server IPs don't change (they're on-prem servers). I can hard code the IPs but really don't want to.

Any help would be great!

Posts: 1

Participants: 1

Read full topic

Client certificate auth blocks access for some certs


@mirco.drick wrote:

I'm trying to set up client-based authentication and got a weird problem. When using smartcard certs I get the error
SSL client certificate not trusted
even though I've set "verify optional" and "crt-ignore-err all ca-ignore-err all" in my frontend. The smartcard certificate validates fine using openssl on the client using the CA specified as CA in haproxy.conf. The strangest thing is that if I use a self-signed certificate then it works.
Any suggestion on what might be causing this?

Simplified config I am using:
global
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    crt-base /etc/haproxy/ssl
    ssl-server-verify none
frontend main
    bind :443 ssl crt website-cert.pem ca-file client-CA-with-chain.pem verify optional crt-ignore-err all ca-ignore-err all

    default_backend test
    cookie SRVID insert nocache
    server server1 127.0.0.1:8088 maxconn 1

curl using self-signed cert against haproxy with netcat running on backend:
curl --insecure --cert-type pem --cert test-cert.pem https://netcat-server
netcat server output:
ncat -l 127.0.0.1 8088
GET / HTTP/1.1
host: netcat-server
user-agent: curl/7.66.0
accept: /
x-ssl: 1
x-ssl-client-sha1: &y�5e��T�%0F%7F�}A�%14%1A�)�
x-ssl-client-verify: 21
x-ssl-client-dn: dn string
x-ssl-issuer: issuer string
connection: close

curl using smartcard cert against haproxy with netcat running on backend:
curl -v --insecure -E 'pkcs11:URL' https://netcat-server
Enter PKCS#11 token PIN for Instant EID IP9 (identification):
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, CERT verify (15):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:

* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET / HTTP/1.1
> Host: helpdesk.cardservices.no
> User-Agent: curl/7.66.0
> Accept: /
>
* TLSv1.3 (IN), TLS alert, bad certificate (554):
* OpenSSL SSL_read: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate, errno 0
* Closing connection 0
curl: (56) OpenSSL SSL_read: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate, errno 0

netcat gives no output and the haproxy log gives the error "SSL client certificate not trusted", so the connection is closed at the frontend for some reason.

Posts: 1

Participants: 1

Read full topic

HAProxy exit master process immediately after docker compose up


@baohand09 wrote:

I am new to HAProxy so any help would be appreciated.
I have an HAProxy container with a haproxy.cfg file below:
global
maxconn 256
log logs6.papertrailapp.com:47831 local0
log-send-hostname

defaults
log global
option httplog
mode http
maxconn 1000
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms

frontend http-in
log global
option httplog
bind *:80
default_backend servers

backend servers
log global
balance roundrobin
server server1 web:8000
server server2 web1:8000

Every time I run docker-compose up, the master process exits immediately. I am not sure why it is exiting immediately. docker logs haproxyload outputs the below:
[NOTICE] 107/183351 (1) : New worker #1 (6) forked

[WARNING] 107/183544 (1) : Exiting Master process…

[WARNING] 107/183544 (6) : Stopping frontend http-in in 0 ms.

[WARNING] 107/183544 (6) : Stopping backend servers in 0 ms.

[WARNING] 107/183544 (6) : Stopping frontend GLOBAL in 0 ms.

[WARNING] 107/183544 (6) : Proxy http-in stopped (FE: 0 conns, BE: 0 conns).

[WARNING] 107/183544 (6) : Proxy servers stopped (FE: 0 conns, BE: 0 conns).

[WARNING] 107/183544 (6) : Proxy GLOBAL stopped (FE: 0 conns, BE: 0 conns).

This is the container in my docker-compose.yml:
haproxyload:
  image: haproxy:latest
  container_name: haproxyload
  networks:
    - public
  links:
    - web:web
    - web1:web1
  volumes:
    - ./haproxy:/usr/local/etc/haproxy/haproxy.cfg:ro
  ports:
    - "80:80"

The cfg file is valid when I exec into the container and run the command with -c

Posts: 1

Participants: 1

Read full topic

Url decode function bug

How to setup/make Haproxy send read-write request based on REST method


@Devopsadmin wrote:

How to set up/make Haproxy send read-write requests coming on the same port 5432 from the application to the backend servers of a postgres-patroni cluster based on REST method.

I have a three node postgres-patroni cluster running as docker services/containers behind Haproxy. I want to send read/GET requests coming from my-application on port 5432 to the replicas of my cluster and send write/(Delete|Post|Update) requests coming from my-application, also on port 5432, to the master server.

I have tried to achieve it with the below config, but didn't succeed as of now.

Any idea how to make Haproxy achieve the above scenario?

Here is my Haproxy.cfg file

global
        maxconn 100

defaults
        log     global
        mode    tcp
        retries 2
        timeout client 30m
        timeout connect 4s
        timeout server 30m
        timeout check 5s
        # never fail on address resolution
        default-server init-addr none

resolvers docker_resolver
        nameserver dns 127.0.0.11:53
listen stats
    mode http
    bind *:7000
    stats enable
    stats uri /

frontend master_postgresql
        bind *:5432
        acl is_post method "POST|UPDATE|DELETE"
        use_backend backend_master if is_post
        default_backend backend_master

frontend replicas_postgresql
        bind *:5432
        acl is_get  method GET
        use_backend backend_replicas  if is_get
        default_backend backend_replicas

frontend patroni_api
        bind *:8008
        default_backend backend_api

backend backend_master
        balance source
        hash-type consistent
        option httpchk OPTIONS /master
        server postgres1 postgres1:5432 maxconn 100 check port 8008 resolvers docker_resolver resolve-prefer ipv4
        server postgres2 postgres2:5432 maxconn 100 check port 8008 resolvers docker_resolver resolve-prefer ipv4
        server postgres3 postgres3:5432 maxconn 100 check port 8008 resolvers docker_resolver resolve-prefer ipv4

backend backend_replicas
        option httpchk OPTIONS /replica
        server postgres1 postgres1:5432 maxconn 100 check port 8008 resolvers docker_resolver resolve-prefer ipv4
        server postgres2 postgres2:5432 maxconn 100 check port 8008 resolvers docker_resolver resolve-prefer ipv4
        server postgres3 postgres3:5432 maxconn 100 check port 8008 resolvers docker_resolver resolve-prefer ipv4

backend backend_api
        option httpchk OPTIONS /master
        server postgres1 postgres1:8008 maxconn 100 check port 8008 resolvers docker_resolver resolve-prefer ipv4
        server postgres2 postgres2:8008 maxconn 100 check port 8008 resolvers docker_resolver resolve-prefer ipv4
        server postgres3 postgres3:8008 maxconn 100 check port 8008 resolvers docker_resolver resolve-prefer ipv4


Posts: 1

Participants: 1

Read full topic
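Clients on port 5432 speak the PostgreSQL wire protocol, not HTTP, so in a `mode tcp` frontend the `method` ACLs above never match and HAProxy cannot tell a SELECT from an UPDATE. The pattern Patroni's own HAProxy template uses instead is one port per role, with the Patroni REST API health checks (`/master` and `/replica` on 8008, as already used in the post) deciding which node each listener may send to. This is an added example, not part of the original post; the ports 5000/5001 and the `listen` names are assumptions.

```haproxy
global
    maxconn 100

defaults
    log global
    mode tcp
    retries 2
    timeout client 30m
    timeout connect 4s
    timeout server 30m
    timeout check 5s
    # never fail on address resolution (containers may start later than haproxy)
    default-server init-addr none

resolvers docker_resolver
    nameserver dns 127.0.0.11:53

listen stats
    mode http
    bind *:7000
    stats enable
    stats uri /

# Writers connect here (assumed port 5000): only the node whose Patroni API
# answers 200 on /master is UP, so at most one server ever receives traffic.
listen primary
    bind *:5000
    option httpchk OPTIONS /master
    http-check expect status 200
    # check every 3s; on failover, kill sessions to the demoted node so clients reconnect
    default-server inter 3s fall 3 rise 2 on-marked-down shutdown-sessions
    server postgres1 postgres1:5432 maxconn 100 check port 8008 resolvers docker_resolver resolve-prefer ipv4
    server postgres2 postgres2:5432 maxconn 100 check port 8008 resolvers docker_resolver resolve-prefer ipv4
    server postgres3 postgres3:5432 maxconn 100 check port 8008 resolvers docker_resolver resolve-prefer ipv4

# Readers connect here (assumed port 5001): every node answering 200 on /replica is UP.
listen replicas
    bind *:5001
    option httpchk OPTIONS /replica
    http-check expect status 200
    balance roundrobin
    default-server inter 3s fall 3 rise 2 on-marked-down shutdown-sessions
    server postgres1 postgres1:5432 maxconn 100 check port 8008 resolvers docker_resolver resolve-prefer ipv4
    server postgres2 postgres2:5432 maxconn 100 check port 8008 resolvers docker_resolver resolve-prefer ipv4
    server postgres3 postgres3:5432 maxconn 100 check port 8008 resolvers docker_resolver resolve-prefer ipv4
```

The application (or its driver's read/write splitting) then uses two connection strings, one per port; the split happens in the client, and HAProxy only guarantees that each port reaches a node in the right role.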


Forwarding any query based on servername Except for one to a specific port


@smalldragoon wrote:

Hi,
I have to use haproxy on my host (listening on port 80).
I have an apache server (port 81), which serves several websites based on servername.
I have another application (a chatbot: botpress) which runs on port 3005.

I tried the following but I guess I'm missing something:

global
    log 127.0.0.1 local0 debug
    log 127.0.0.1 local1 notice
    maxconn 4096
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode http
    option httplog
    option dontlognull
    retries 3
    option redispatch
    timeout connect 10000
    timeout client 60000
    timeout server 60000
    maxconn 2000

frontend localnodes
    bind :80
    mode http
    default_backend nodes

backend nodes
    mode http
    balance roundrobin
    option forwardfor
    http-send-name-header Host
    server www.mydomain.com www.mydomain.com:81
    server support.mydomain.com support.mydomain.com:81
    server chatbot.mydocmain.Com 192.168.1.35:4000

Any insight on what I’m doing wrong ?

Posts: 1

Participants: 1

Read full topic

Access to webserver behind haproxy - timeout


@krischanb wrote:

Hello,
I set up haproxy in order to access my openvpn as well as my nginx webserver using the TCP protocol. Nginx is set up to enforce https.
Trying to access my domain (called by mydomain.de/page), the traffic gets redirected and in the browser address line https://mydomain.de/page:4545 appears, with port 4545 being the configured port. This connection runs into a timeout.
Removing the port number gives me access to the page I am trying to open. Openvpn runs fine all the time.
Following is my haproxy.cfg

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # An alternative list with additional directives can be obtained from
        #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend ssl
        mode tcp
        bind 0.0.0.0:443
        tcp-request inspect-delay 5s
        tcp-request content accept if HTTP
        tcp-request content accept if { req.ssl_hello_type 1 }
        # use_backend ssh if { payload(0,7) -m bin 5353482d322e30 }
        use_backend main-ssl  if { req.ssl_hello_type 1 }
        default_backend openvpn

backend main-ssl
        mode tcp
        server main-ssl 127.0.0.1:4545

backend openvpn
        mode tcp
        timeout server 2h
        server openvpn-localhost 127.0.0.1:1193

This is my nginx config:

upstream php-handler {
server unix:/run/php/php7.3-fpm.sock;
}

server {
listen 80 default_server;
listen [::]:80 default_server;
server_name mydomian.de localip;

    root /var/www;

    location ^~ /.well-known/acme-challenge {
            proxy_pass http://127.0.0.1:81;
            proxy_redirect off;
    }

    location / {
            # Enforce HTTPS
            # Use this if you always want to redirect to the DynDNS address (no local access).
            return 301 https://$server_name$request_uri;

            # Use this if you also want to access the server by local IP:
            #return 301 https://$server_addr$request_uri;
}

}

server {
listen 4545 ssl http2;
listen [::]:4545 ssl http2;
server_name mydomian.de localip;

    # Certificates used
    ssl_certificate /etc/letsencrypt/mydomian.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/mydomian.de/key.pem;

    ssl_protocols TLSv1.2 TLSv1.3;

    # Max. security, but lower compatibility
    ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384';

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;

    # Use multiple curves.
    ssl_ecdh_curve secp521r1:secp384r1;

    # Server should determine the ciphers, not the client
    ssl_prefer_server_ciphers on;

    # OCSP Stapling
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    # This should be ca.pem
    # See here: https://certbot.eff.org/docs/using.html
    ssl_trusted_certificate /etc/letsencrypt/mydomian.de/ca.pem;

    # This is the local DNS server (e.g. the IP of the Router if it is used as DNS server in the local network)
    resolver localdnsserver;

    # SSL session handling
    ssl_session_timeout 24h;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    #
    # Add headers to serve security related headers
    #
    # HSTS (ngx_http_headers_module is required)
    # In order to be recognized by SSL test, there must be an index.html in the server's root
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Robots-Tag none always;
    add_header X-Download-Options noopen always;
    add_header X-Permitted-Cross-Domain-Policies none always;
    add_header Referrer-Policy no-referrer always;
    add_header X-Frame-Options "SAMEORIGIN" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    location = / {
    # Disable access to the web root, otherwise nginx will show the default site here.
            deny all;
    }

    #
    # Nextcloud
    #
    location ^~ /nextcloud/ {
            # Set max. size of a request (important for uploads to Nextcloud)
            client_max_body_size 1G;
            # Besides the timeout values have to be raised in nginx' Nextcloud config, these values have to be raised for the proxy as well
            proxy_connect_timeout 3600;
            proxy_send_timeout 3600;
            proxy_read_timeout 3600;
            send_timeout 3600;
            proxy_buffering off;
            proxy_request_buffering off;
            proxy_max_temp_file_size 1024m;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_pass http://127.0.0.1:82;
            proxy_redirect off;
    }

    # These two location blocks are needed, otherwise you'll get warnings in the Nextcloud admin UI later on
    location = /.well-known/carddav {
            return 301 $scheme://$host/nextcloud/remote.php/dav;
    }

    location = /.well-known/caldav {
            return 301 $scheme://$host/nextcloud/remote.php/dav;
    }

    # Well-known URL for Webfinger
    # Regardless of this rule, you'll get a warning in the admin UI when the social app is not installed
    location = /.well-known/webfinger {
            return 301 $scheme://$host/nextcloud/public.php?service=webfinger;
    }

    location ~ /(ocm-provider|ocs-provider)/ {
            return 301 $scheme://$host/nextcloud/$1/;
    }

Right now, I do not have a clue where to look. Maybe someone has got a hint for me. By the way, the nginx config works, if openvpn is configured to share the port 443.

Thank you in advance.
Krischan

Posts: 1

Participants: 1

Read full topic

XMLRPC/scgi usage?


@dreamgate wrote:

Hi!

I have a unix socket created at /app.sock and it expects XMLRPC commands and haproxy has READ/WRITE access to the socket.

Normally, with something like lighttpd you can make a config point to an scgi server @ a socket file.
Or with NGINX you can do something like scgi_pass unix:/app.sock

I was testing something like this, but with no luck:

frontend in
    bind *:5000

    default_backend  rpc

backend rpc
    use-fcgi-app cgi
    server sock-file /app.sock proto fcgi

fcgi-app cgi # confused by this, why does it need docroots, etc? i just want to pass commands to xmlrpc
    log-stderr global
    option     keep-conn
    docroot    /var/www/my-app

Is there any way to do this with HAProxy?

Posts: 1

Participants: 1

Read full topic

How to give timeout for SMTP health check in backend section


@rannick wrote:

I have added option smtpchk in the backend section. It checks every second. I don't want to do that every second; I want to run a health check every 10 seconds. How can I do that?

Eg:
timeout check 10s

Is the above configuration option correct?

Posts: 1

Participants: 1

Read full topic
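`timeout check` does not set the check frequency: it only bounds how long HAProxy waits for the server's reply once a check connection is established. The interval between checks is the `inter` parameter on the server line, which can be set for a whole backend through `default-server`. Added example, not from the original post; the backend name, addresses and the EHLO domain are assumptions.

```haproxy
backend smtp-out
    mode tcp
    # Health check: open a connection, send "EHLO mail.example.com" (assumed domain)
    # and expect a 2xx reply from the MTA
    option smtpchk EHLO mail.example.com
    # inter 10s   : run a check every 10 seconds (this is what controls frequency)
    # fastinter 2s: check faster only while a server is changing state, so failover stays quick
    # fall 3      : mark DOWN after 3 consecutive failed checks
    # rise 2      : mark UP again after 2 consecutive successful checks
    default-server inter 10s fastinter 2s fall 3 rise 2
    # How long one check may wait for the SMTP banner/reply after connecting
    timeout check 5s
    server mta1 10.0.0.11:25 check
    server mta2 10.0.0.12:25 check
```

With `fall 3` at a 10 s interval an outage is detected within about 30 s; lower `inter` if that is too slow for the service, rather than relying on `timeout check`.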

Haproxy seamless reload by changing unit file


@barapapupi wrote:

Hi, I have the following haproxy systemd unit file
Just the defaults.
[Unit]
Description=HAProxy Load Balancer
After=network.target

[Service]
Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid"
ExecStartPre=@SBINDIR@/haproxy -f $CONFIG -c -q
ExecStart=@SBINDIR@/haproxy -Ws -f $CONFIG -p $PIDFILE
ExecReload=@SBINDIR@/haproxy -f $CONFIG -c -q
ExecReload=/bin/kill -USR2 $MAINPID
KillMode=mixed
Restart=always
SuccessExitStatus=143
Type=notify

[Install]
WantedBy=multi-user.target

So just the defaults from version 1.8

using systemctl reload haproxy.service works fine and reloads a new process.
However I would like to change the unit file to do
Environment="CONFIG=/etc/haproxy/haproxy_new.cfg" "PIDFILE=/run/haproxy.pid"

and then reload, after doing a daemon-reload.
However when I check the process running, it's always running with the old /etc/haproxy/haproxy.cfg and not with the new /etc/haproxy/haproxy_new.cfg

I understand that this is not conventional, but I’m required to stick to creating a new config file and recreate the unit file and then do a reload.
Can someone help me on how to achieve the above?

Posts: 1

Participants: 1

Read full topic

Backend server maxconn is ignored


@hac3ru wrote:

Hello,

I have a question: I've set the maxconn on a per backend server basis but that limit just seems to be ignored. Please see the attached picture:


The backend config is:

backend wbidders
    retry-on all-retryable-errors
    mode http
    fullconn 300000
    option http-server-close
    option httpchk
    http-request del-header X-Forwarded-For
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    # Balancing algorithm
    balance leastconn
    timeout connect 5s
    timeout check 2s
    # Backend servers
    server wbidder0 172.16.7.240:8080 tfo check weight 10 maxconn 1900
    server wbidder5 172.16.7.245:8080 tfo check weight 10 maxconn 1900
    server wbidder6 172.16.7.246:8080 tfo check weight 10 maxconn 1900
    server wbidder7 172.16.7.247:8080 tfo check weight 10 maxconn 1900
    server wbidder8 172.16.7.248:8080 tfo check weight 10 maxconn 1900
    server wbidder9 172.16.7.249:8080 tfo check weight 10 maxconn 1900

Any idea what happens?

Posts: 1

Participants: 1

Read full topic

Mixed content warning


@Thomas7467 wrote:

Hi All,

I’m facing an issue with the following new architecture.

HAProxy manages the HTTPS https://mydomain client requests to access the backend HTTP IIS application server.

Global accesses to the application work fine, but pages request insecure frames http://mydomain.

I was looking to modify the HAProxy response to switch http to https, but I don’t know if this is the best practice.

Could someone help?
Thank you,
Thomas

Posts: 4

Participants: 2

Read full topic
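HAProxy can rewrite response headers but not the HTML body, so an http://mydomain frame that the IIS application writes into its pages has to be fixed at the source: tell the application it is reached over TLS (X-Forwarded-Proto) so it generates https:// URLs, patch the one place the scheme lives in a header (absolute `Location` redirects), and let the browser upgrade anything that still slips through. Added example, not from the original post; the section names, certificate path and backend address are assumptions.

```haproxy
frontend https-in
    bind *:443 ssl crt /etc/haproxy/certs/mydomain.pem
    # Tell the IIS application how the client reached us; most frameworks use
    # these to build absolute URLs (frames, redirects, canonical links)
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Port %[dst_port]
    default_backend iis

backend iis
    mode http
    server iis1 10.0.0.20:80 check
    # Redirects the application still emits with a plain http:// scheme
    http-response replace-header Location ^http://(.*)$ https://\1
    # Browser-side safety net for remaining http:// subresources (frames included):
    # the browser upgrades them to https:// before sending the request
    http-response add-header Content-Security-Policy upgrade-insecure-requests
    # And, once seen over HTTPS, never let the browser fetch this host over plain HTTP
    http-response set-header Strict-Transport-Security "max-age=31536000" if { ssl_fc }
```

`upgrade-insecure-requests` only helps when the target hosts actually serve HTTPS, which is the case here since the frames point at mydomain itself; it is added with `add-header` so an application-supplied CSP is kept rather than overwritten.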


Configure Haproxy and two nginx web servers with Letsencrypt


@mkalyniuk wrote:

Hello everybody. I have configured Haproxy, behind it two Nginx servers, with Letsencrypt installed on one of them.
Config Haproxy:

global
log         127.0.0.1 local2

chroot      /var/lib/haproxy
pidfile     /var/run/haproxy.pid
maxconn     4000
user        haproxy
group       haproxy
daemon
tune.ssl.default-dh-param 2048
stats socket /var/lib/haproxy/stats
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
mode                    http
log                     global
option                  httplog
option                  dontlognull
option http-server-close
option forwardfor       except 127.0.0.0/8
option                  redispatch
retries                 3
timeout http-request    10s
timeout queue           1m
timeout connect         30s
timeout client          30m
timeout server          30m
timeout http-keep-alive 10s
timeout check           30s
maxconn                 3000
cookie JSESSIONID prefix nocache
option tcplog

frontend http-in
    bind *:80
    reqadd X-Forwarded-Proto:\ http
    default_backend http-servers

backend http-servers
    balance roundrobin
    server web1 10.0.5.92:80 check cookie web1
    server web2 10.0.7.127:80 check cookie web2

frontend https-in
    bind *:443
    mode tcp

    default_backend https-servers


backend https-servers
    mode tcp
    option ssl-hello-chk
    balance roundrobin

    fullconn 200

    server webssl1 10.0.5.92:443 check-ssl verify none cookie webssl1 send-proxy
    server webssl2 10.0.7.127:443 check-ssl verify none cookie webssl2 send-proxy backup

    listen stats
    bind :8080
    stats enable
    stats uri /haproxy_stats
    stats auth admin:password


In the DNS records, all domain names point to the public IP of this Haproxy.
But when I try to configure certificates through Letsencrypt, I get the error "Invalid response from"; when I change the A records to the IP address of my nginx web server on which certbot is installed, the certificates are generated correctly. What should I do to fix this problem?

Posts: 4

Participants: 2

Read full topic

Performance since haproxy 2.0


@CipherC wrote:

Hi devs,

We were planning to upgrade our existing haproxy-1.6 to the newest haproxy, but met a performance problem with those versions.

Then I tested performance on haproxy-1.6.15 / haproxy-1.7.12 / haproxy-1.8.25 / haproxy-1.9.15 / haproxy-2.0.14 / haproxy-2.1.3,
and it turned out that haproxy performance seems to have been reduced since haproxy-2.0.14.

All these tests have been on the same clients/server/nginx machines, with the same haproxy.cfg, and nginx has been tuned to support benchmark rps:9*7k, latencies:4+ms, success ratio:100%.
During those tests, nothing except the haproxy version is changed.

                    RPS     Latencies   Success ratio
haproxy-1.6.15      9*7k    3+ms        100%
haproxy-1.7.12      9*7k    3+ms        100%
haproxy-1.8.25      9*7k    4+ms        100%
haproxy-1.9.15      9*7k    4+ms        100%
haproxy-2.0.14      9*6.2k  3+ms        100%        # start to reduce.
haproxy-2.1.3       9*5.5k  4+ms        100%        # worse

Are there any special configurations (when building haproxy or in haproxy.cfg etc.) that need to be taken care of to tune 2.0/2.1 to the same performance?

More information about environment:

Test command:

# ca related options can be ignored in this case.
RATE=7000 DURATION=120 SERVER=3 TIMEOUT=30; echo "GET http://192.168.11.${SERVER}/" | ./vegeta -cpus 4 attack -duration=${DURATION}s -timeout=${TIMEOUT}s -key ca.key -cert ca.crt -rate $RATE -keepalive 1 -insecure | tee results.bin | ./vegeta report | grep -v "^Get "; date

These versions are downloaded from http://www.haproxy.org/#down, and compiled with the following command:

make TARGET=linux-glibc CPU=x86_64 USE_LINUX_SPLICE=1 USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_CPU_AFFINITY=1 LUA_LIB_NAME=lua5.3 LUA_INC=/usr/include/lua5.3/

Server is a 4C4G Ubuntu 16.04.6 LTS (Xenial Xerus), 4.4.0-142-generic KVM, and the hypernode is completely idle and stable.

haproxy.cfg

root@localhost:~# cat haproxy.cfg
global
        log 127.0.0.1   local0 info
        maxconn 100000
        tune.ssl.default-dh-param 2048
        daemon
        nbproc 4
        cpu-map 1 0
        stats socket /haproxy/haproxy.1 process 1
        cpu-map 2 1
        stats socket /haproxy/haproxy.2 process 2
        cpu-map 3 2
        stats socket /haproxy/haproxy.3 process 3
        cpu-map 4 3
        stats socket /haproxy/haproxy.4 process 4

defaults
        log     global
        option  dontlognull
        option  redispatch
        retries 3
        maxconn 100000
        timeout connect 5s
        timeout client 50s
        timeout server 50s
        timeout tunnel  1h
        option  tcpka
        # errorfile 400 /etc/haproxy/errors/400.http
        # errorfile 403 /etc/haproxy/errors/403.http
        # errorfile 408 /etc/haproxy/errors/408.http
        # errorfile 500 /etc/haproxy/errors/500.http
        # errorfile 502 /etc/haproxy/errors/502.http
        # errorfile 503 /etc/haproxy/errors/503.http
        # errorfile 504 /etc/haproxy/errors/504.http
        timeout client-fin 30s

listen  lbl-noiqom5f
        bind *:80
        mode http
        option httplog
        maxconn 400000
        timeout client 50s
        timeout tunnel 3600s

        default_backend lbl-noiqom5f_default

backend lbl-noiqom5f_default
        mode http
        option httplog
        option http-keep-alive
        balance roundrobin
        timeout server 50s
        timeout tunnel 3600s
        timeout check 5000

        server  lbb-7pq2k6mm 192.168.11.16:80 check inter 10000 fall 2 rise 5 weight 1
root@localhost:~#

Posts: 1

Participants: 1

Read full topic

Browser request URL changing


@naushad79 wrote:

Need some help with haproxy rewrite rules.

How it works

  1. https request sent to AWS application load balancer (e.g. https://abc.com)
  2. AWS alb send the request to the haproxy which listens to port 80
  3. haproxy serves the request

The issue here is that when I access the url (e.g. https://abc.com) it loads, but when I log in to the page the browser url changes to https://abc.com:8888 (port 8888 is the backend server port).

How do I make sure that haproxy doesn't add the port to the request url?

following are some configs that I tried

http-request replace-value Host (.*):8888 \1
http-request replace-value Host (.*):.* 1
acl app_port dst_port 8888
http-request redirect location https://%[req.hdr(Host)]%[capture.req.uri] if app_port

nothing worked

any help would be appreciated

Posts: 1

Participants: 1

Read full topic

Ssl termination with multiple domains


@amrbv wrote:

Hello,
We have a single haproxy installation and we need to put it in front of a cPanel server hosting many sites. The configuration worked for a single site with SSL, but when I added another one the second site is seeing only the first SSL and not its own.

global
log /dev/log	local0
log /dev/log	local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon

# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private

# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    tune.ssl.default-dh-param 2048

defaults
log global
mode http
option httplog
option http-server-close
option http-buffer-request
timeout http-request 5s
timeout connect 5s

option	dontlognull
    timeout connect 5000
    timeout client  30s
    timeout server  10s
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

frontend stats
bind *:8404
stats enable
stats uri /stats
stats refresh 10s
stats admin if LOCALHOST

frontend public
bind *:443 ssl crt /etc/haproxy/ssl/
reqadd X-Forwarded-Proto:\ https
default_backend cpanel

frontend all
bind *:80
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
http-request track-sc0 src table cpanel
http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }
use_backend letsencrypt-backend if letsencrypt-acl
default_backend cpanel

backend letsencrypt-backend
server letsencrypt 127.0.0.1:8888

backend cpanel
stick-table type ip size 1m expire 10m store http_req_rate(10s)
server cpanel 1.2.3.4:80 check

Posts: 1

Participants: 1

Read full topic

Removing trailing slash and redirect to non-slash


@furkan wrote:

This is my configuration from haproxy.cfg

acl test-service path_beg /test

use_backend test-service if test-service

backend test-service
reqrep ^(.)/$\ /test(.) \1\ /\2
balance roundrobin
server manager01 127.0.0.1:7081

I want to remove the trailing slash from my api url and also redirect all requests to the non-slash version.

Desired api url:
-> blabla.com/test/abcd

Could you help me about it?
Best regards,

Posts: 1

Participants: 1

Read full topic
