Channel: HAProxy community - Latest topics

Start up error - unable to find backends

@Uffa wrote:

Hi. I am currently trying to load some backend configurations via an external file, which are passed in on startup. This is HAProxy 1.8 on RHEL.
If I run the startup command manually (backends.cfg is the external file to load)

/opt/rh/rh-haproxy18/root/usr/sbin/haproxy -Ws -f /etc/opt/rh/rh-haproxy18/haproxy/haproxy.cfg -p /run/rh-haproxy18-haproxy.pid -f /etc/opt/rh/rh-haproxy18/haproxy/backends/backends.cfg &

it starts up fine.
When I move the option into the startup config in
/etc/sysconfig/rh-haproxy18-haproxy

# Add extra options to the haproxy daemon here. This can be useful for
# specifying multiple configuration files with multiple -f options.
# See haproxy(1) for a complete list of options.
OPTIONS="-d -f /etc/opt/rh/rh-haproxy18/haproxy/backends/backends.cfg"

I get errors of unable to find the backends

systemctl status rh-haproxy18-haproxy.service
● rh-haproxy18-haproxy.service - HAProxy Load Balancer
Loaded: loaded (/usr/lib/systemd/system/rh-haproxy18-haproxy.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Thu 2020-04-23 11:40:49 NZST; 9s ago
Process: 28465 ExecStart=/opt/rh/rh-haproxy18/root/usr/sbin/haproxy -Ws -f $CONFIG -p $PIDFILE $OPTIONS (code=exited, status=1/FAILURE)
Process: 1375 ExecStartPre=/opt/rh/rh-haproxy18/root/usr/sbin/haproxy -f $CONFIG -c -q (code=exited, status=1/FAILURE)
Main PID: 28465 (code=exited, status=1/FAILURE)

Apr 23 11:40:48 systemd[1]: Starting HAProxy Load Balancer...
Apr 23 11:40:49 haproxy[1375]: [ALERT] 113/114049 (1375) : Proxy 'MAIN': unable to find required default_backend: 'WWW'.
Apr 23 11:40:49 haproxy[1375]: [ALERT] 113/114049 (1375) : Proxy 'MAIN': unable to find required use_backend: 'SALES-API'.
Apr 23 11:40:49 haproxy[1375]: [ALERT] 113/114049 (1375) : Fatal errors found in configuration.
Apr 23 11:40:49 systemd[1]: rh-haproxy18-haproxy.service: control process exited, code=exited status=1
Apr 23 11:40:49 systemd[1]: Failed to start HAProxy Load Balancer.
Apr 23 11:40:49 systemd[1]: Unit rh-haproxy18-haproxy.service entered failed state.
Apr 23 11:40:49 systemd[1]: rh-haproxy18-haproxy.service failed.

WWW & SALES-API are the backend names
These files load and startup correctly on a manual start

Any ideas please ?
Cheers
Chris

Posts: 1

Participants: 1


What am I doing wrong?

@borbat wrote:

I’ve tried so many things and I can’t seem to set it up. Without haproxy, I can connect to inspircd1.local via 127.0.0.1, but using swarm and haproxy it doesn’t connect showing:

[ALERT] 112/230926 (1) : parsing [/usr/local/etc/haproxy/haproxy.cfg:17] : 'server inspircd1' : could not resolve address 'inspircd1.local'.
[ALERT] 112/230926 (1) : Failed to initialize server(s) addr.

My configuration of haproxy.cfg is:

global
log 127.0.0.1 local0 notice

defaults
log global
retries 2
timeout connect 3000
timeout server 5000
timeout client 5000

listen inspircd1.local
bind *:6667
mode tcp
option mysql-check user haproxy_check
balance roundrobin
server inspircd1 inspircd1.local:7000 check #inspircd1.local:7000 check

and my docker-compose is:

version: "3.7"
services:

  haproxy:
    image: haproxy:alpine
    volumes:
      - ./haproxy/:/usr/local/etc/haproxy/
    depends_on:
      - inspircd1
    ports:
      - "6667:6667"
      #- "7001:6697"
    networks:
      - backend

  inspircd1:
    image: inspircd/inspircd-docker
    volumes:
      - ./server1/conf/:/inspircd/conf/
    environment:
      INSP_NET_SUFFIX: .local
      INSP_NET_NAME: inspircd1
      INSP_SERVER_NAME: inspircd1.local

      INSP_LINK1_NAME: inspircd2
      INSP_LINK1_IPADDR: inspircd2
      INSP_LINK1_SENDPASS: password
      INSP_LINK1_RECVPASS: password
      INSP_LINK1_TLS_ON: "no"
    ports:
      - "6667" #client
    #  - "6697" #client
      - "7000" #server
    #  - "7001" #server
    networks:
      - backend
       # aliases:
       #   - inspircd1.local

Thank you for the help!

Posts: 1

Participants: 1

HTTP2/HTTP1.1 to one backend

Hello!
Help me please!
I have a backend which supports http2 and http1.1. I need to do SSL offload on the haproxy side, then send it re-encrypted to the backend. So I have a problem with the following config:

frontend test_tcp443
bind 10.220.44.3:443 ssl crt test.pem alpn h2,http/1.1
option http-use-htx
default_backend test_tcp8443

backend test_tcp8443
balance roundrobin
option tcp-check
option http-use-htx
server test 10.220.44.3:8443 check ssl verify none alpn h2,http/1.1

If I send http2 request to frontend, it works as expected.

  1. Frontend receive http2
  2. Haproxy negotiate over alpn with backend server to use http2
  3. Haproxy send http2 traffic to backend

If I send http1.1 request to frontend, there is some trouble.

  1. Frontend receive http1
  2. Haproxy negotiate over alpn with backend server to use http2
  3. Haproxy send http2 traffic to backend
    In this scenario I have broken websocket protocol.

So I have a question. How to create configuration that supports the following tasks:

  1. SSL offload, reencrypt, sends SSL to backend
  2. Sends HTTP2 request over HTTP2 to backend
  3. Sends HTTP1 request over HTTP1 to backend

1 post - 1 participant

Elastic Search and Kibana - Pass URL to Docker

Hello,

We have an elastic search deployment with kibana. The ELK stack has its own frontend proxy server based on Docker. HTTPS data is served from the Docker proxy based on the URL. Both of the URLs point to the same server and port, but one URL is for the dashboard and the other URL is for Kibana.

https://7685eebcb8a24cdf897012b51dcab3a1.ece.domain.abc:9243 - dashboard
https://6cf30b202fb74ceb96c0d2b1d2a27645.ece.domain.abc:9243 - kibana

If we use IP addresses in the configuration, then Docker does not know what site to send. I tried to add the URL (and not the IP) into configuration but it gives the following error:

Apr 23 09:18:21 ece-lb1.domain.abc haproxy-systemd-wrapper[5335]: [ALERT] 113/091821 (5336) : parsing [/etc/haproxy/haproxy.cfg:59] : 'server ece01-dashboard' : invalid address: 'https://7685eebcb8a24cdf897012b51dcab3a1.ece.domain.abc' in 'https://7685eebcb8a24cdf897012b51dcab3a1.ece.domain.abc:9243

How can I pass the URL to the docker server when making the SSL connection?

frontend ece_front
mode http
bind 10.33.1.101:9243 ssl crt /etc/haproxy/certs/ece.pem
stats uri /haproxy?stats
default_backend ece_back

backend ece_back
mode http
balance roundrobin
option ssl-hello-chk
server ece01-dashboard https://7685eebcb8a24cdf897012b51dcab3a1.ece.domain.abc:9243 ssl crt /etc/haproxy/certs/ece.pem

2 posts - 1 participant

HAproxy in reverse with public netblocks

Hello, I was wondering if anyone has used this to round robin outbound traffic through public netblocks?

We use a web balancer in reverse now for this, with a large load balancing company, and it’s very expensive (80k for two updated models in HA). We’re looking for ways to cut costs.

We have developers who get lots of data from the internet and we have many public blocks for this. Our current set up round robins through these blocks, each with a DNS record so sites can contact us if needed. Some firewalls can do multi-wan but require a physical port for each block. Our current set up has all the networks on one physical port, with a dozen VLANs as well. So we’re trying to find a way to replicate this.

Thank you,

Matt

1 post - 1 participant

Redirect HTTPS for OAuth

Hello,

I need help to solve my issue.

What I want to achieve is

http://abc.contoso.com -> https://abc.contoso.com
(Force redirection HTTP to HTTPS)

My problem is that the URI needed for Azure OAuth 2.0 authorization endpoint doesn’t match.

The accepted URI as destination when returning authentication responses (tokens) after successfully authenticating users must be: https://abc.contoso.com/signin-oidc

But HAProxy sends the HTTP form as below:

https://login.microsoftonline.com/bdeebc-dd/oauth2/authorize?client_id=fd&redirect_uri=http%3A%2F%2Fabc.contoso.com%2Fsignin-oidc&response_type=id_token&scope=openid profile&response_mode=form_post

What should I do to have the HTTPS form instead of HTTP for OAuth?

My config is

frontend public_front_end
   bind *:80
   mode http
   option forwardfor
   redirect scheme https code 301 if !{ ssl_fc }

frontend public_secured_front_end
   bind *:443 ssl crt /etc/haproxy/certs

use_backend abc-api if { hdr(host) -i abc.contoso.com }

backend abc-api
mode http
http-request add-header X-Forwarded-Proto https
server webserver01 192.168.0.1:4569 check
option forwardfor

Thanks

1 post - 1 participant

How to reload haproxy frequently without Failed requests?

Hi, we have configured haproxy rules based on a rate value map. We need to change the map files frequently, and after any modification to a map file the daemon and haproxy have to be reloaded, which may lead to connection requests. Please point me towards a way to reload the service seamlessly.
Query: We are also running other services like prometheus and alertmanager, which also have to be reloaded after any change to the config file. We are reloading these services using curl -X http://server-IP:port-no/reload or curl -X http://server-ip:portno./api/v1/alerts. Does HAProxy reload support anything of this kind?

Thanks in Advance

1 post - 1 participant

Warning at systemd restart

Hi, first off, greetings to the beautiful people at HAProxy Forums. I am in dire need of help.

I have recently installed HAProxy 2.1.4 with LUA 5.3.5 on my CentOS server on linux 3.10.0-1062.el7.x86_64.

Here are my make arguments:

make USE_NS=1 USE_TFO=1 USE_OPENSSL=1 USE_ZLIB=1 USE_LUA=1 USE_PCRE=1 USE_SYSTEMD=1 USE_LIBCRYPT=1 USE_THREAD=1 TARGET=linux-glibc LUA_INC=/opt/lua-5.3.5/include LUA_LIB=/opt/lua-5.3.5/lib

Here is output from haproxy -vv:
[root@localhost haproxy-2.1.4]# haproxy -vv
HA-Proxy version 2.1.4 2020/04/02 - https://haproxy.org/
Status: stable branch - will stop receiving fixes around Q1 2021.
Known bugs: http://www.haproxy.org/bugs/bugs-2.1.4.html
Build options :
TARGET = linux-glibc
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wtype-limits
OPTIONS = USE_PCRE=1 USE_THREAD=1 USE_LIBCRYPT=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_TFO=1 USE_NS=1 USE_SYSTEMD=1

Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER +PCRE -PCRE_JIT -PCRE2 -PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED -REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=1).
Built with OpenSSL version : OpenSSL 1.0.2k-fips  26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips  26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.5
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
              h2 : mode=HTTP       side=FE|BE     mux=H2
            fcgi : mode=HTTP       side=BE        mux=FCGI
       <default> : mode=HTTP       side=FE|BE     mux=H1
       <default> : mode=TCP        side=FE|BE     mux=PASS

Available services : none

Available filters :
        [SPOE] spoe
        [CACHE] cache
        [FCGI] fcgi-app
        [TRACE] trace
        [COMP] compression

Then what I have done is the following:
mkdir -p /etc/haproxy
mkdir -p /var/lib/haproxy
touch /var/lib/haproxy/stats
ln -s /usr/local/sbin/haproxy /usr/sbin/haproxy
cp examples/haproxy.init /etc/init.d/haproxy
chmod 755 /etc/init.d/haproxy
systemctl daemon-reload
chkconfig haproxy on
useradd -r haproxy

When I start and stop via systemctl, however, everything just works fine, except that in the logs I get this: /etc/rc.d/init.d/haproxy: line 26: [: =: unary operator expected
Here is the full output:
[root@localhost haproxy-2.1.4]# systemctl status haproxy
● haproxy.service - SYSV: HA-Proxy is a TCP/HTTP reverse proxy which is particularly suited for high availability environments.
Loaded: loaded (/etc/rc.d/init.d/haproxy; bad; vendor preset: disabled)
Active: active (running) since Fri 2020-04-24 16:32:51 IST; 9min ago
Docs: man:systemd-sysv-generator(8)
Process: 2028 ExecStop=/etc/rc.d/init.d/haproxy stop (code=exited, status=0/SUCCESS)
Process: 2048 ExecStart=/etc/rc.d/init.d/haproxy start (code=exited, status=0/SUCCESS)
Main PID: 2057 (haproxy)
CGroup: /system.slice/haproxy.service
└─2057 /usr/sbin/haproxy -D -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid

Apr 24 16:32:51 localhost.localdomain systemd[1]: Starting SYSV: HA-Proxy is a TCP/HTTP reverse proxy which is particularly suited for hi...nts....
Apr 24 16:32:51 localhost.localdomain haproxy[2048]: /etc/rc.d/init.d/haproxy: line 26: [: =: unary operator expected
Apr 24 16:32:51 localhost.localdomain haproxy[2048]: Starting haproxy: [  OK  ]
Apr 24 16:32:51 localhost.localdomain systemd[1]: Started SYSV: HA-Proxy is a TCP/HTTP reverse proxy which is particularly suited for hig...ments..

Now I can’t bang my head around as to why this line is there? Also, since it is evident that I compiled with systemd, I am aware that I have not copied the systemd service file. So when I do the following:
rm /etc/init.d/haproxy
cd contrib/systemd
cp haproxy.service.in /lib/systemd/system/
systemctl daemon-reload
systemctl enable haproxy
systemctl start haproxy
systemctl status haproxy

I land in complete soup, as now systemctl restart haproxy results in the below:
[root@localhost haproxy-2.1.4]# systemctl start haproxy
Failed to start haproxy.service: Unit not found.
[root@localhost haproxy-2.1.4]# systemctl status haproxy
Unit haproxy.service could not be found.

So it seems like there is a file name mismatch, so I manually rename the file and now the results are as follows:
[root@localhost haproxy-2.1.4]# mv -v /lib/systemd/system/haproxy.service.in /lib/systemd/system/haproxy.service
‘/lib/systemd/system/haproxy.service.in’ -> ‘/lib/systemd/system/haproxy.service’
[root@localhost haproxy-2.1.4]# systemctl daemon-reload
[root@localhost haproxy-2.1.4]# systemctl restart haproxy
Failed to restart haproxy.service: Unit is not loaded properly: Invalid argument.
See system logs and 'systemctl status haproxy.service' for details.
[root@localhost haproxy-2.1.4]# systemctl status haproxy.service
● haproxy.service - HAProxy Load Balancer
Loaded: error (Reason: Invalid argument)
Active: inactive (dead) since Fri 2020-04-24 16:48:03 IST; 3min 53s ago
Main PID: 2057 (code=killed, signal=TERM)

Apr 24 16:32:51 localhost.localdomain systemd[1]: Starting SYSV: HA-Proxy is a TCP/HTTP reverse proxy which is particularly suited for hi...nts....
Apr 24 16:32:51 localhost.localdomain haproxy[2048]: /etc/rc.d/init.d/haproxy: line 26: [: =: unary operator expected
Apr 24 16:32:51 localhost.localdomain haproxy[2048]: Starting haproxy: [ OK ]
Apr 24 16:32:51 localhost.localdomain systemd[1]: Started SYSV: HA-Proxy is a TCP/HTTP reverse proxy which is particularly suited for hig...ments..
Apr 24 16:48:03 localhost.localdomain systemd[1]: Stopping haproxy.service...
Apr 24 16:48:03 localhost.localdomain systemd[1]: Stopped haproxy.service.
Apr 24 16:51:40 localhost.localdomain systemd[1]: [/usr/lib/systemd/system/haproxy.service:9] Executable path is not absolute, ignoring: ...TRAOPTS
Apr 24 16:51:40 localhost.localdomain systemd[1]: [/usr/lib/systemd/system/haproxy.service:10] Executable path is not absolute, ignoring:...TRAOPTS
Apr 24 16:51:40 localhost.localdomain systemd[1]: [/usr/lib/systemd/system/haproxy.service:11] Executable path is not absolute, ignoring:...TRAOPTS
Apr 24 16:51:40 localhost.localdomain systemd[1]: haproxy.service lacks both ExecStart= and ExecStop= setting. Refusing.
Hint: Some lines were ellipsized, use -l to show in full.

I am looking for some urgent help here. Thanks in advance.

Regards,

1 post - 1 participant


Ssl domain_name:port/url preserver :port to backend

We have used haproxy for 6 years in production load balancing SSL https >> the backends and it works OK. Now however, our Development office wants to use an haproxy setup similar to production to switch between two (2) backend development servers.

Current non-haproxy setup is that the existing dev server handles the SSL and has sub-ports for the individual developers who create / modify code in their own port. EG:
https://cworks.dev.plsxpress.com:/712/url_togoto
https://cworks.dev.plsxpress.com:/333/url_togoto
https://cworks.dev.plsxpress.com:/603/url_togoto
and so on…

So I have set up a standalone CentOS 7 server with haproxy haproxy18-1.8.1-5.el7.x86_64
and if I leave out the :ports it connects to the backend and logs in OK, but only to the default :333 port. Logs show that the :333, :712, or :603 are never seen by the backend.

Once I have this working, I have a second backend that has newer php, apache, etc… that we’ll use an acl rule to direct traffic to the newer environment for testing and subsequent development.
The test original server listens on 10.1.1.10 with all the ports mentioned including
333,712, 603,20333, 20712, 20603

I can telnet to each port from the haproxy server (10.1.1.1) and connect to all ports so it’s not a firewall issue. The logs show that only incoming occurs to backend 10.1.1.10 >> when the address is without the :port#. If I use the :port# I always get https://cworks.dev.plsxpress.com:333/mod.php/login.php
Firefox can’t establish a connection to the server at cworks.dev.plsxpress.com:333.

And nothing shows up in the httpd access_log on the backend.

CONFIGURATION

global
# run background/daemon by default.
daemon

    # max number of simultaneous connections. Default 5000
    maxconn 5000

    # run as user
    user haproxy
    group haproxy

    # where the ssl certs are kept
    ca-base /etc/ssl
    crt-base /etc/ssl

    # enable socket admin
    stats socket ipv4@10.1.1.1:9999 level admin

    # chroot for maximum protections
    chroot /var/lib/haproxy

    # log standard clf format.
    #log 127.0.0.1:514 local2 info
    log 127.0.0.1 local2
    #log global

    # Allow long URLs
   tune.bufsize 65535

    # longer for some reason
    tune.ssl.default-dh-param 2048

ssl-default-bind-options no-sslv3 no-tls-tickets

defaults
log global

retries 3

    timeout connect 5s
    timeout client 50s
    timeout server 1800s
    timeout http-keep-alive 5s
    timeout http-request  5s
    balance roundrobin
    default-server inter 4000 weight 10

########### PORT 333 ###########
frontend SynchFrontProd333
mode tcp
option tcplog

bind 10.1.1.1:33

    bind 96.81.169.83:33
    default_backend SynchBack333

frontend SisFrontProd333
mode http
option httplog
option dontlognull
option forwardfor

    http-request set-header X-Forwarded-Port %[dst_port]
    http-request set-header X-Forwarded-Proto https

     bind 96.81.169.83:443 ssl crt star.dev.plsxpress.com.pem no-sslv3

    default_backend logic333

    acl dev_xr2 hdr(host) -i cworks.dev.plsxpress.com:200-900

use_backend logic333 if { req.hdr(Host),regsub(:[0-9]+$,) -i dev.plsxpress.com }

http-request set-dst-port hdr(x-port)

acl logic712 hdr(host) -i cworks.dev.plsxpress.com:712

use_backend logic712 if logic712

    stats uri /haproxy?stats
    stats realm StrictlyPrivate
    stats auth SPADMIN:nimdaAdmin
    errorfile 503 /etc/haproxy/errorfile.http

backend SynchBack333
mode tcp
option tcplog
server server10 10.1.1.10:33333 maxconn 128

server server11 10.1.1.11:33333 maxconn 128

backend logic333
mode http
http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
option httpchk OPTIONS * HTTP/1.1\r\nHost:\ cworks.dev.plsxpress.com
option log-health-checks
server server10 10.1.1.10:20333,20712 maxconn 256 check agent-check agent-port 9333 agent-inter 4000

server server603 10.1.1.10:20603 maxconn 256 check agent-check agent-port 9333 agent-inter 4000

server server712 10.1.1.10:20712 maxconn 256 check agent-check agent-port 9333 agent-inter 4000

server server11 10.1.1.11:20333 maxconn 256 check agent-check agent-port 9333 agent-inter 4000

backend logic712
mode http
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
option httpchk OPTIONS * HTTP/1.1\r\nHost:\ cworks.dev.plsxpress.com
server server712 10.1.1.10:712 maxconn 256 check agent-check agent-port 9333 agent-inter 4000

server server10 10.1.1.10 maxconn 256 check agent-check agent-port 9333 agent-inter 4000

server server11 10.1.1.11 maxconn 256 check agent-check agent-port 9333 agent-inter 4000

Can you help?

1 post - 1 participant

What does metric Session Current (scur) signify for backend

Hi,

Could someone please explain what scur means for a backend?

I am generating constant load with 100 connections using wrk. For frontend this metric correctly comes to be 100, but for backend, it occasionally comes to be 1 and then 0 for whole duration.
While checking at the server (using ss command), I see constant 100 connections being made from HAProxy instance to this server. My understanding was that this metric gives the current number of active connections to the server (which should have been 100). But since it is giving 0 for whole duration of load generation, I am getting confused.

Load generation:

wrk -c 100 -t5 -d1m -R1000 http://VIP

Config

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
user haproxy
group haproxy
daemon
#maxconn 65536

defaults
log global
mode http
http-reuse safe
option http-keep-alive
no log
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

frontend test
bind :80
mode http
maxconn 65536
default_backend nginx

backend nginx
mode http
balance leastconn
server 10.30.10.110 10.30.10.110:81 weight 255

I am using HAProxy 2.0.14 for the test. Also, is “connect” metric the only way to get the actual number of connections being made to the backend?

1 post - 1 participant

Haproxy -> nginx -> varnish -> apache

Hi,

We already have a working setup of haproxy that sends traffic to multiple web servers composed of nginx/varnish/apache.

But I think that our haproxy config needs some love to make it a little bit simpler. One thing that seems to be broken or not totally working is the remote IP not being sent correctly to nginx/apache.

> #---------------------------------------------------------------------
> # Global settings
> #---------------------------------------------------------------------
> global
>     log         127.0.0.1 local2     #Log configuration
> 
>     chroot      /var/lib/haproxy
>     pidfile     /var/run/haproxy.pid
>     maxconn     4000
>     user        haproxy             #Haproxy running under user and group "haproxy"
>     group       haproxy
>     daemon
> 
>     # turn on stats unix socket
>     stats socket /var/lib/haproxy/stats
> 
> #---------------------------------------------------------------------
> # common defaults that all the 'listen' and 'backend' sections will
> # use if not designated in their block
> #---------------------------------------------------------------------
> defaults
>     log                     global
>     option                  httplog
>     option                  dontlognull
>     option http-server-close
>     option forwardfor
>     option                  redispatch
>     retries                 3
>     timeout http-request    10s
>     timeout queue           1m
>     timeout connect         10s
>     timeout client          5m
>     timeout server          5m
>     timeout http-keep-alive 10s
>     timeout check           10s
>     maxconn                 10000
> 
> #---------------------------------------------------------------------
> #HAProxy Monitoring Config
> #---------------------------------------------------------------------
> listen stats
>     bind *:8080
>     mode http
>     option forwardfor
>     option httpclose
>     stats enable
>     stats show-legends
>     stats refresh 5s
>     stats uri /stats                             #URL for HAProxy monitoring
>     stats realm Haproxy\ Statistics
>     stats auth user:password
>     stats admin if TRUE
> 
> #---------------------------------------------------------------------
> # FrontEnd Configuration
> #---------------------------------------------------------------------
> listen nginx-http
>     bind *:80
>     mode http
>     balance roundrobin
>     option httpchk HEAD / HTTP/1.1\r\nHost:\ localhost
>     server vWeb01 IP1:80 check weight 1
>     server vWeb02 IP2:80 check weight 1
>     server vWeb03 IP3:80 check weight 1
>     server vWeb04 IP4:80 check weight 1
>     server vWeb05 IP5:80 check weight 1
> 
> frontend fe-nginx-https
>     bind :443
>     mode tcp
>     option tcplog
>     option forwardfor header X-Real-IP
>     http-request set-header X-Real-IP %[src]
>     tcp-request inspect-delay 5s
>     tcp-request content accept if { req.ssl_hello_type 1 }
>     default_backend be-nginx-https
> 
> backend be-nginx-https
>     mode tcp
>     balance roundrobin
>     option ssl-hello-chk
>     server vWeb01 IP2:443 send-proxy-v2 check
>     server vWeb02 IP2:443 send-proxy-v2 check
>     server vWeb03 IP3:443 send-proxy-v2 check
>     server vWeb04 IP4:443 send-proxy-v2 check
>     server vWeb05 IP5:443 send-proxy-v2 check

1 post - 1 participant

Haproxy to Istio Ingress

Hello,

Currently, I am trying to configure a load balancer from where the traffic will be sent to a Kubernetes cluster. At the edge of the cluster, Istio ingress is serving the cluster’s external request. HAProxy version 1.8

I can access the service using the below command from outside the cluster.

curl -k -HHost:httpbin.example.com --resolve httpbin.example.com:32009:192.168.50.10 https://httpbin.example.com:32009/status/418:

Below is my HAProxy configuration:

Frontend:

frontend https
    bind *:443 ssl crt /etc/ssl/certs/site.pem
    mode tcp

    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    default_backend httpbin

Backend:

  backend httpbin
    balance roundrobin
    mode tcp

    acl httpbin_app req_ssl_sni -i httpbin.example.com
    use-server master if httpbin_app

    server master 192.168.50.10:32009 check ssl verify none

     http-request set-header Host httpbin.example.com
     http-request set-header X-Forwarded-For %[src]
     http-request set-header X-Forwarded-Port %[dst_port]
     http-request add-header X-Forwarded-Proto https if { ssl_fc }

Using HAProxy I am getting 503 always. Also during startup, HAProxy is saying the below line:

haproxy[14260]: backend httpbin has no server available!

Can you please help to find out the right configuration for backend?

1 post - 1 participant

HAProxy+ActiveMQ

Does anybody know the best configuration to use a cluster of ActiveMQ servers with HAProxy?
I used a working configuration for years, but now with the latest activemq (5.15.12), the connection is established with clients but after a few seconds all the clients disconnect. I got a lot of errors in the activemq logs.

1 post - 1 participant

Multiple instances of haproxy using one binary

Can we create multiple instances of haproxy using one core hap binary?

I came across
/usr/sbin/haproxy -D -f /etc/haproxy/dummy/haproxy_s.cfg -p /var/run/haproxy_s.pid

Which creates an instance, but how to stop or restart the “dum” instance?

4 posts - 2 participants

Set request method to POST and compute content-length

Hi Everyone, I am trying to do SSL termination for a web application that was incorrectly setup not to support HTTPS, problem is that I need to change one specific request from GET to POST but the end web application is expecting a Content-Length header otherwise outputs HTTP Status 411.

I did try to set Content-Length header but if length provided is too small I get HTTP 400 if the length provided is too big the request is stuck (obviously).

Would there be any way of computing that Content-Length field and populate with set-header or add-header?

Thanks in advance.

1 post - 1 participant


The 'reqrep' directive is not supported anymore since HAProxy 2.1

We are upgrading our haproxy fleet from v1.8.14 to v2.1.4, but we can’t start haproxy:

The 'reqrep' directive is not supported anymore since HAProxy 2.1. Use 'http-request replace-path', 'http-request replace-uri' or 'http-request replace-header' instead.

So we decided to ditch reqrep, and in that process the same regex that was working with reqrep is not working with http-request replace-uri.
We got 404 not implemented from our backend server. But on the older version 1.8 it’s working as it should.
Example:

#reqrep ^([^\ ]\ /)api/rdc[/]?(.) \1api/\2
http-request replace-uri ^([^\ ]\ /)api/rdc[/]?(.) \1api/\2

What are we doing wrong?

2 posts - 2 participants
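
Added example, not part of the original posts: `reqrep` was applied to the whole request line (method, URI and version), while `http-request replace-uri` is applied to the URI only, so a pattern that starts by capturing the method and the space before the path can no longer match. The sketch below models both behaviours with Python's `re` standing in for HAProxy's regex engine; the patterns, the sample request lines and the function names are constructed for illustration and are not taken from the thread.

```python
import re

# Constructed request lines for the demonstration (not from the thread).
SAMPLE_REQUEST_LINES = [
    "GET /api/rdc/items?id=7 HTTP/1.1",
    "POST /api/rdc HTTP/1.1",
    "GET /static/app.js HTTP/1.1",
]

# Constructed pattern in the style used with the legacy reqrep directive:
# it captures "<method> /" because reqrep saw the whole request line.
REQLINE_RULE = (r"^([^ ]* /)api/rdc/?(.*)", r"\1api/\2")

# Constructed URI-only equivalent for http-request replace-uri: anchored on
# the leading "/" of the path, with the capture group renumbered.
URI_RULE = (r"^/api/rdc/?(.*)", r"/api/\1")


def apply_reqrep(request_line, rule):
    """Model of reqrep: the regex is matched against the full request line."""
    pattern, replacement = rule
    rewritten, hits = re.subn(pattern, replacement, request_line, count=1)
    return rewritten, hits == 1


def apply_replace_uri(request_line, rule):
    """Model of http-request replace-uri: only the URI reaches the regex."""
    pattern, replacement = rule
    method, uri, version = request_line.split(" ", 2)
    new_uri, hits = re.subn(pattern, replacement, uri, count=1)
    return f"{method} {new_uri} {version}", hits == 1


def dead_rules(rules, request_lines, apply):
    """Return the rules that rewrite none of the sample requests.

    A rule that never fires after a migration is the silent failure mode:
    the proxy starts cleanly and the backend receives the unrewritten path.
    """
    return [
        rule for rule in rules
        if not any(apply(line, rule)[1] for line in request_lines)
    ]


if __name__ == "__main__":
    for line in SAMPLE_REQUEST_LINES:
        print("reqrep               :", apply_reqrep(line, REQLINE_RULE))
        print("replace-uri, old rule:", apply_replace_uri(line, REQLINE_RULE))
        print("replace-uri, URI rule:", apply_replace_uri(line, URI_RULE))
    print("rules that never fire under replace-uri:",
          dead_rules([REQLINE_RULE, URI_RULE], SAMPLE_REQUEST_LINES,
                     apply_replace_uri))
```

Running rewrite rules against a handful of representative request lines before a version upgrade catches rules that parse cleanly but never fire.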

How to configure ftp with the http service?

Hello
how can I make 2 servers with ftp and http services? here for the http service has been successful for FTP services that can not

this is the config file in /etc/haproxy/haproxy.cfg:
1

this is the config file for the ftp service in /etc/haproxy/haproxy.cfg:
2

1 post - 1 participant

VIP is translating to original IP address of web servers

Hi

I am new to HAproxy so here is the scenario

I have built 2x HAProxy servers in HA with keepalived. They are working fantastic, but the problem I have is this:

VIP is xxx.xxx.xxx.10
app1 is xxx.xxx.xxx.11
app2 is xxx.xxx.xxx.12

When we open the web servers using the VIP, the VIP sends traffic to both servers and also translates to their original IP address in the web browser, and we don’t want that.

Example Web browser —> xxx.xxx.xxx.10 —> xxx.xxx.xxx.11

Here is the configuration

global
log 127.0.0.1 local0
log 127.0.0.1 local1 debug
maxconn 45000 # Total Max Connections.
daemon
nbproc 1 # Number of processing cores.
stats socket /var/run/haproxy.sock mode 600 level admin
stats timeout 1m
defaults
timeout server 86400000
timeout connect 86400000
timeout client 86400000
timeout queue 1000s

listen stats xxx.xxx.xxx.11:9000
mode http
stats enable
stats hide-version
stats realm Haproxy\ Statistics
stats uri /stats
stats auth admin:admin

[HTTP Site Configuration]

listen http_web xxx.xxx.xxx.10:80
mode http
balance roundrobin # Load Balancing algorithm
option httpchk
option forwardfor
option http-server-close
server server1 app1:80 weight 1 maxconn 512 check
server server2 app2:80 weight 1 maxconn 512 check

[HTTPS Site Configuration]

listen https_web xxx.xxx.xxx.10:443
mode tcp
balance roundrobin # Load Balancing algorithm
reqadd X-Forwarded-Proto:http
server server1 app1:443 weight 1 maxconn 512 check
server server2 app2:443 weight 1 maxconn 512 check

This is for SQL CLuster

listen sql_cluster xxx.xxx.xxx.10:3306
mode tcp
balance roundrobin # Load Balancing algorithm
#option httpchk
#option forwardfor
server server1 db1:3306 weight 1 maxconn 512 check
server server2 db2:3306 weight 1 maxconn 512 check
server server3 db3:3306 weight 1 maxconn 512 check

How to solve that

Thanks

1 post - 1 participant

ACL based on JWT resource access

Hi, how to allow requests by resource access decoded from JWT token.

This is decoded resource_access:
{ [“app1”] = { [“roles”] = { [1] = ROLE_WRITE,} ,} ,[“app2”] = { [“roles”] = { [1] = ROLE_WRITE,[2] = ROLE_READ,} ,} ,[“app3”] = { [“roles”] = { [1] = ROLE_READ,} ,} ,}

I need to allow requests to a specific endpoint when the app has read access in the JWT token.

Best Regards

1 post - 1 participant

Read full topic

Backend goes into MAINT when DNS fails and does not come back UP

HAProxy version 1.8.19-1

I have configured a backend with one server in it. When resolving of that server (nginx.default.svc.k8s.test.com) fails (according kubernetes service is deleted), the backend goes into L4-DOWN. So far so good.
But when the according kubernetes service is recreated, which means that the hostname is resolvable again, the backend goes into MAINT status and not UP.

If the backend server is resolvable again before the backend goes DOWN, it also comes back UP again, but if this takes longer, it just stays in MAINT.

I don’t understand this behavior. I want the backend server to be UP when it is resolved, regardless of how long it takes until its hostname is resolvable again. Is there a way to achieve this?

The following config parts are - in my opinion - enough for elaboration:

default-server init-addr libc,none resolvers dns

resolvers dns
  nameserver dns01 10.254.205.31:53
  nameserver dns02 10.254.205.32:53
  resolve_retries       3
  timeout retry         1s
  hold valid            5s

backend test
  mode http
  option httpchk HEAD /
  server testhost nginx.default.svc.k8s.test.com:80 check

Here are the logfiles showing the backend switching to MAINT:

Apr 30 14:19:46 load01 haproxy[26347]: Server test/testhost is DOWN, reason: Layer4 timeout, check duration: 2001ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Apr 30 14:19:46 load01 haproxy[26347]: Server test/testhost is DOWN, reason: Layer4 timeout, check duration: 2001ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Apr 30 14:19:46 load01 haproxy[26347]: backend test has no server available!
Apr 30 14:19:46 load01 haproxy[26347]: backend test has no server available!
Apr 30 14:20:04 load01 haproxy[26347]: Server test/testhost was DOWN and now enters maintenance (DNS NX status).
Apr 30 14:20:04 load01 haproxy[26347]: Server test/testhost was DOWN and now enters maintenance (DNS NX status).

edit: haproxy version added

1 post - 1 participant
