Channel: HAProxy community - Latest topics
Viewing all 4718 articles

HAProxy SSL handshake failure - unknown CA Error

@kmg wrote:

I have a haproxy setup with a tcp mode ssl configuration [to offload ssl socket traffic], but the socket is not connecting from the client.

To debug the problem I ran a sniffer; it shows the alert message "Unknown CA (48)".

Firefox browser version - 49.0 [ Ubuntu 16.04 LTS]

HAProxy config entry:

frontend wapp1
bind 10.11.12.202:8080 ssl crt /tmp/crt.pem ca-file /tmp/ca.pem verify optional crt-ignore-err all
default_backend app1

The certificates seem good; I checked them through openssl:

[root@webserver3 ~]# openssl verify -CAfile ca.pem verbose crt.pem 
crt.pem: OK
[root@webserver3 ~]#

Error:
SSL handshake failure

The problem occurs in the production environment. Could someone kindly help me with this?

Posts: 13

Participants: 2


Starting on a single Raspberry Pi with several servers

@PaulGuijt wrote:

Hi All,

Today I started with HAProxy on my Pi at home, read my share of the docs and ventured composing a config.
I feel insecure, especially because I want to keep my SSH access. Therefore I would appreciate any help, and pointers to good resources for help.

My situation:
* A DSL line with a fixed IPv4 and IPv6, and a router opening certain ports to my Pi
* A Pi with Debian Jessie up to date and secured with IPTables
* The Pi serves SSH, Apache (80 & 443), home automation 1 (ports x-z) and 2 (port w), Webmin

I have been advised to use HAProxy to ReverseProxy my home automation server.
I want https://mi_ip/bla/bli specifically go to http://localhost:y/blo/blu.

My questions beforehand:
1. Are ports I don't mention in the HAProxy config passed through untampered? E.g., will I have full SSH access if I don't mention the SSH port?
2. Does HAProxy have any other advantages on a single Pi? Can it enhance performance and security?
3. Is HAProxy acting before or after IPTables?

I made this draft config file:

listen apache
       mode http
       bind *:443 
       server web localhost

listen home_automation.1  
       mode http
       bind http://*:x/bla/bli
       server server1 http://localhost:y/blo/blu

listen home_automation.2  
       mode tcp
       bind *:z 
       server server2 localhost:p

Apologies if I understand something completely wrong, and thanks for any replies!

Regards,
Paul

Posts: 7

Participants: 2

Haproxy multi master using peers

Send X-Forwarded-For in TCP Mode

@mrafael wrote:

Hi there!

I am new to this discourse.

Can someone tell me how to set up a frontend/backend configuration in TCP mode that always sends the X-Forwarded-For header?

I want to balance 2 Cisco WSA web proxies in port 8080.

Thanks in advance

Posts: 1

Participants: 1

Can we use http2 in Haproxy as frontend protocol and use http 1.1 protocol in backend server

@kgpopensource wrote:

I have one haproxy 1.6.4 server which load balances to two backend apache 2.2.3 servers. What I want to do is use http2 in haproxy as the frontend, which browsers can talk to, and use http1.1 to the backend apache servers (conversion from http 2 to http 1.1). Is this architecture possible, or if http2 is used by the browser must the backend apache support http2 too? Please advise on this issue.

Posts: 4

Participants: 2

How haproxy httpchk request add Host headers

@alvalin3200 wrote:

Hi,
We use haproxy in our project, and now we use haproxy to do the health check. We want the haproxy health check request to have a Host header, but without specifying specific host names; that means, if we have two backend servers,
the health check request to each one carries the host header of its own IP address. I see in the documentation that the host field is fixed, like below:

backend https_relay
mode tcp
option httpchk OPTIONS * HTTP/1.1\r\nHost:\ www
server apache1 192.168.1.1:443 check port 80

How can we use the backend server IP address as the host field in the haproxy health check request rather than a fixed field, as there may be 3 or 4 backend servers? How does haproxy support this feature?

Thanks for your help.
Appreciate.

Posts: 1

Participants: 1

Sticky sessions for tomcat jvmRoute?

@kr428 wrote:

Folks,

We just introduced haproxy to replace apache2 providing reverse proxy / load balancing across a couple of tomcat servers hosting the same application, and we need persistent sessions for users. So far, however, even though everything else works way faster in regular operation, we more often see users complaining about the application reporting "lost sessions", which is caused by the request being routed to the "wrong" backend. Usually this happens as soon as we have brought down and restarted one of the instances. I am not really sure what's causing this trouble so far, but I noticed one weirdness in cookies.

Currently our backend looks similar to this:

backend app
   balance leastconn
   mode http
   cookie JSESSIONID prefix indirect nocache
   server srv16060 localhost:16060 cookie srv16060 check maxconn 1000
   server srv17070 localhost:17070 cookie srv17070 check maxconn 1000

I omitted a bunch of server lines as they all basically look the same. I see, by now, cookies like these added to the request:

"srv16060~srv160601j3jy5h4ptzerl68anyg1rn8z.srv16060"

This, however, is the session cookie already provided by the backend system itself, thanks to tomcat / jvmRoute configuration.

"srv160601j3jy5h4ptzerl68anyg1rn8z.srv16060"

The name of the instance (srv16060) in this case always is suffixed to the cookie. Unsure whether this is actually a problem, but: Ain't there a way to set up haproxy to evaluate these backend cookies and figure out which server it belongs to by information provided in the cookie itself, i.e. make sure all cookies having ".srv16060" suffix in it will go to the srv16060 server? Pardon me if this is a trivial question - looking at the "prefix" option in the cookies directive I was hoping something like this is already available out of the box but so far I failed to set it up...

TIA and all the best,
Kristian

Posts: 2

Participants: 2
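
As an added illustration (my code, not the poster's and not part of HAProxy), here is how the two cookie shapes quoted in the post relate and how a suffix-based routing decision can be made. In prefix mode HAProxy prepends the server's cookie value and a "~" delimiter to the application cookie on the way out, strips it on the way in, and sticks on that prefix only; the ".srv16060" jvmRoute suffix Tomcat appends is opaque to it. The Python below parses both forms and picks the server, preferring HAProxy's own prefix and falling back to the jvmRoute suffix; an unknown or absent route returns None so the balancer decides. The server names and cookie values come from the post; the helper names are mine.

```python
import re
from typing import Optional, Tuple

# Backend servers from the post (name -> address); only the names matter here.
SERVERS = {
    "srv16060": "localhost:16060",
    "srv17070": "localhost:17070",
}

# "cookie JSESSIONID prefix" makes HAProxy send "<server cookie>~<app value>"
# to the client; Tomcat's jvmRoute appends ".<route>" to its session id.
HAPROXY_PREFIX_RE = re.compile(r"^(?P<srv>[^~]+)~(?P<rest>.*)$")
JVMROUTE_SUFFIX_RE = re.compile(r"\.(?P<route>[A-Za-z0-9_-]+)$")


def get_cookie(cookie_header: str, name: str) -> Optional[str]:
    """Value of cookie `name` from a Cookie request header, or None if absent."""
    for part in cookie_header.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        if key.strip() == name:
            return value.strip()
    return None


def split_session_cookie(value: str) -> Tuple[Optional[str], Optional[str], str]:
    """Return (haproxy_prefix, jvmroute, bare_session_id) for a JSESSIONID value."""
    prefix = None
    m = HAPROXY_PREFIX_RE.match(value)
    if m:
        prefix, value = m.group("srv"), m.group("rest")
    route = None
    m = JVMROUTE_SUFFIX_RE.search(value)
    if m:
        route = m.group("route")
        value = value[: m.start()]
    return prefix, route, value


def choose_server(cookie_header: str, servers=SERVERS) -> Optional[str]:
    """Server the session belongs to: HAProxy's own prefix first, then the
    jvmRoute suffix; None when neither names a configured server, so the
    balancer picks. Only configured names are honoured: a cookie can be edited
    by the client, so it must never select an arbitrary destination."""
    sid = get_cookie(cookie_header, "JSESSIONID")
    if sid is None:
        return None
    prefix, route, _ = split_session_cookie(sid)
    for candidate in (prefix, route):
        if candidate in servers:
            return candidate
    return None


if __name__ == "__main__":
    # The two cookie values quoted in the post.
    for hdr in ("JSESSIONID=srv16060~srv160601j3jy5h4ptzerl68anyg1rn8z.srv16060",
                "JSESSIONID=srv160601j3jy5h4ptzerl68anyg1rn8z.srv16060"):
        print(hdr, "->", choose_server(hdr))
```

In HAProxy terms the fallback corresponds to one `use-server srvNAME if { req.cook(JSESSIONID) -m end .srvNAME }` line per server in the backend (written from memory of the 1.5+ keywords; check it against your version's documentation). Keeping the match restricted to a fixed list of servers that are up is the important part: a session cookie is client-controlled, so routing on it must not let a request pick a destination outside the backend.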

Append prefix to backend

@ppraj wrote:

The application listens on 192.168.9.67:8080/JMaster. When you hit this URL, it prompts for login; now the URL changes to
192.168.9.67:8080/JMaster/login. After login, it changes the URL back to 192.168.9.67:8080/JMaster as you are logged in.

Now, I have HAProxy configured on another server and want users to use the Jenkins app by hitting the HAProxy URL. Likewise I have other systems too that need to use a single URL but with prefix switching.
So I have frontend /JMaster configured to redirect calls to the actual server.
I use it like this: haproxyip/JMaster.

frontend http-in
 bind *:80
 option http-server-close
 option forwardfor
 acl has_jenkins path_beg /JMaster
 use_backend jenkins_server if has_jenkins
 default_backend jenkins_server

backend jenkins_server
 balance roundrobin
 reqrep ^([^\ ]*\ /)JMaster[/]?(.*) \1\2
 server ws2 192.168.9.67:8080

After hitting the login page, it changes the URL to HAPROXYip/login, which is 404 not found.

Posts: 2

Participants: 1


Strip all expressions after domain name and redirect to domain only

@chomps wrote:

Hi, I have the following currently to redirect all traffic from domain.com to newdomain.com

acl host_redir_domain_com hdr(Host) -i domain.com
redirect prefix https://www.newdomain.com code 301 if host_redir_domain_com

This does the redirect just fine but if I pass the url in my browser domain.com/anyvar then it also redirects to newdomain.com/anyvar which does not exist in the new domain. I want anything after the / to be stripped away and only redirect to the new root domain (ie: newdomain.com only)

Could anyone please help me in achieving this. Your help is much appreciated.
Regards

(HA-Proxy version 1.5.18)

Posts: 2

Participants: 1

Convert to HAPROXY configuration

@ppraj wrote:

upstream portainer {
server ADDRESS:PORT;
}

server {
listen 80;

location /portainer/ {
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_pass http://portainer/;
}
location /portainer/ws/ {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
proxy_pass http://portainer/ws/;
}
}

Please see this link, as I need to serve content under a virtual path for the application, and the example there is for nginx:

https://portainer.readthedocs.io/en/stable/faq.html#how-can-i-configure-my-reverse-proxy-to-serve-portainer

Posts: 2

Participants: 2

HAProxy rewrite URL

@ppraj wrote:

Jenkins listens on 192.168.2.57:9000. Now my HAProxy, configured on another machine, has been updated with a virtual path:

frontend http-in
    bind *:80
    option http-server-close
    option forwardfor
    acl has_jenkins path_beg /jenkins
    use_backend jenkins_server if has_jenkins

backend jenkins_server
    balance roundrobin
    option forwardfor
    server jenkins 192.168.2.57:9000

When I hit /jenkins, the page comes up with BAD REQUEST. The issue is that the actual server does not serve under /jenkins. Hence I need to strip /jenkins and send the request to the backend. So I did this:

reqrep ^([^\ ]*\ /)jenkins[/]?(.*)     \1\2

The page does not load either, but now there is no BAD REQUEST. Instead I just get a blank page, but when I press F12 I can see in the console the request headers coming up. The URL in there is now /css, which is not good, as it needs to be 192.168.2.57:9000/css to make it work.

The links in the page still point to , which is not the actual server where it is hosted, and fail subsequently.

Posts: 5

Participants: 2
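
Added example (my code, not the poster's and not HAProxy code) showing what the `reqrep` line above actually does to a request line and why the page then breaks; it serves this thread and the "Append prefix to backend" thread above, which uses the same pattern with /JMaster. `reqrep` runs its regex over the raw request line, which is why the expression starts by matching the method and the space in front of the path. The block applies the post's pattern through Python's `re` (which accepts the same backslash-escaped spaces), adds a tighter pattern of my own that only rewrites `/jenkins` when it is a whole path segment, and shows the response-side counterpart, a rewrite of relative `Location` headers equivalent to an `rsprep` rule. The `STRICT_*` and `LOCATION_*` names and patterns are my assumptions, not taken from the post.

```python
import re

# The pattern from the post, as a Python raw string. HAProxy's reqrep sees the
# raw request line ("GET /jenkins/x HTTP/1.1"), hence the leading method match.
LOOSE_PATTERN = re.compile(r"^([^\ ]*\ /)jenkins[/]?(.*)")
LOOSE_REPLACEMENT = r"\1\2"

# Tighter variant (mine, not from the post): "/jenkins" must be followed by "/"
# or by the space before the protocol, so "/jenkinsfoo" is left alone.
STRICT_PATTERN = re.compile(r"^([^\ ]*\ )/jenkins(/([^\ ]*))?(\ .*)")
STRICT_REPLACEMENT = r"\1/\3\4"

# Response-side counterpart (what an rsprep on the Location header would do):
# a relative redirect from the backend gets the virtual path put back.
LOCATION_PATTERN = re.compile(r"^(Location:\ )/(.*)")
LOCATION_REPLACEMENT = r"\1/jenkins/\2"


def strip_prefix_loose(request_line: str) -> str:
    """Apply the post's reqrep regex to one request line."""
    return LOOSE_PATTERN.sub(LOOSE_REPLACEMENT, request_line, count=1)


def strip_prefix_strict(request_line: str) -> str:
    """Same intent, but only when /jenkins is a complete path segment."""
    return STRICT_PATTERN.sub(STRICT_REPLACEMENT, request_line, count=1)


def readd_prefix_location(header_line: str) -> str:
    """Put the virtual path back on a relative Location header from the backend."""
    return LOCATION_PATTERN.sub(LOCATION_REPLACEMENT, header_line, count=1)


if __name__ == "__main__":
    for line in ("GET /jenkins/css/style.css HTTP/1.1",
                 "GET /jenkins HTTP/1.1",
                 "GET /jenkinsfoo HTTP/1.1"):
        print(f"{line!r}: loose -> {strip_prefix_loose(line)!r}, "
              f"strict -> {strip_prefix_strict(line)!r}")
    print(readd_prefix_location("Location: /login"))
```

HAProxy rewrites headers, not bodies, so the blank page after the rewrite is expected: the HTML Jenkins returns still links to `/css/...`, the browser requests that path without the `/jenkins` prefix, and the frontend never matches the `has_jenkins` ACL. Rewriting `Location` only covers redirects; for the body links the usual fix is to run Jenkins with its context path set (`--prefix=/jenkins`) so the application emits prefixed links itself. The strict pattern also leaves a bare `/jenkins?x=1` (query with no path after the prefix) untouched; extend it if you need that form.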

Resolvers inside kubernetes

@rmohr wrote:

Hi,

We are using the haproxy resolvers feature. It works awesome, but I would be grateful to get some clarification on what haproxy does if it can't reach the DNS server(s) or the DNS servers don't provide the requested DNS entry.

The main issue we seem to have is that, in some scenarios, haproxy stops asking the DNS server whether it can resolve a hostname, forever.

Our setup looks like this:

resolvers kubernetes
nameserver skydns ${DNS}:53
resolve_retries 10
timeout retry 2s
hold valid 30s

backend servers
mode http
timeout connect 10s
timeout server 1m
balance roundrobin
server host1 virt-api-service:8183 resolvers kubernetes

"$DNS" points to the kubernetes dns server, "virt-api-service" is sooner or later resolvable over this $DNS server, but when we start the application we can't guarantee that the DNS server is already reachable and if it is, we can't guarantee that it already knows about "virt-api-server".

How would you configure the resolvers to deal with such situations?

If I understand https://cbonte.github.io/haproxy-dconv/configuration-1.6.html#5.3.2 correct, it might be that it is not possible. Could that be?

Best Regards,
Roman

Posts: 7

Participants: 2

Dynamic set-cookie value on redirect

@fayizk1 wrote:

I want to set a dynamic cookie value (from the rand function) while doing a redirection. First I tried the set-cookie option like the following:

http-request redirect code 307 location %[capture.req.uri] set-cookie test=%[rand(20)]

but this gives me:

HTTP/1.1 307 Temporary Redirect
Cache-Control: no-cache
Content-length: 0
Location: /test
Set-Cookie: test=%[rand(20)]; path=/;

After reading the haproxy source code I found a workaround: adding the Set-Cookie header after the location with \r\n works perfectly.

http-request redirect code 307 location %[capture.req.uri]\r\nSet-Cookie:\ test=%[rand(20)]

output:

HTTP/1.1 307 Temporary Redirect
Cache-Control: no-cache
Content-length: 0
Location: /test
Set-Cookie: test=16

I want to know whether this is good practice.

Posts: 1

Participants: 1

Block Sub URL for all except list of few IPs

@arvindsaket wrote:

I am new to HAProxy. I want to restrict everyone from accessing a sub-URL, except for access from a few IPs. My HAProxy implementation is below, and it is blocking access for all IPs. I want "example.com/abc/qaz" accessible from 1.1.1.1 and 2.2.2.2 only.

# Listen to port 80.  Throw a 301 redirect to port 443
frontend Listen80
   bind *:80
   redirect scheme https code 301 if !{ ssl_fc }

# Listen to port 443.  Redirect to appropriate backend based on URL
frontend Listen443
   bind *:443 ssl crt /etc/ssl/certs/examplesslpem

   acl web_url        path_beg   /abc /xyz
   acl web_url        path_beg   /efg /xy
   acl batch_url      path_beg   /h /ga
   acl network_allowed  src     1.1.1.1 2.2.2.
   acl resticted_pages  path_beg   /abc/qaz/
   http-request deny if resticted_pages !network_allowed
   use_backend BATCH        if batch_url
   use_backend SVC          if svc_url
   use_backend WEB          if web_url

# Listen to port 8080.  Pass through to WEB backend
frontend Listen8080
   bind *:8080
   use_backend WEB

backend WEB
   mode http
   balance roundrobin
   option httpclose
   cookie SERVERIDWEB insert indirect nocache secure
   option forwardfor
   http-request set-header X-Forwarded-Port %[dst_port]
   http-request add-header X-Forwarded-Proto https if { ssl_fc }
   reqrep ^([^\ ]*\ /)abc[/]?(.*)     \1\2
   server app-1 example-app1.com:8080 check cookie app1web
   server app-2 example-app2.com:8080 check cookie app2web
   server app-3 example-app3.com:8080 check cookie app3web
   server app-4 example-app4.com:8080 check cookie app4web
   server app-5 example-app5.com:8080 check cookie app5web

Posts: 1

Participants: 1
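
Added example (my code, not from the post or HAProxy) that models the deny rule above so the path and source conditions can be checked against sample requests. It reproduces two properties of `path_beg` worth knowing when writing such a rule: it is a plain string-prefix test, so `/abc/qaz/` with the trailing slash, as in the ACL, does not match a request for `/abc/qaz`, while `/abc/qaz` without the slash would also match `/abc/qazzz`; and in this HAProxy version the path is compared as received, so the robust variant below first decodes percent-encoding and collapses dot segments and repeated slashes, then matches whole segments. The second allow-listed address is cut off in the post, so `2.2.2.2/32` is a placeholder; the function names are mine.

```python
import ipaddress
import posixpath
from typing import Iterable
from urllib.parse import unquote

# Constructed allow-list: the post's second address is cut off ("2.2.2."), so a
# placeholder /32 stands in for it here.
ALLOWED_SOURCES = [ipaddress.ip_network("1.1.1.1/32"), ipaddress.ip_network("2.2.2.2/32")]
# Same prefix as "acl resticted_pages path_beg /abc/qaz/" in the post.
RESTRICTED_PREFIXES = ("/abc/qaz/",)


def path_beg(path: str, prefixes: Iterable[str]) -> bool:
    """Model of HAProxy's path_beg: a plain, case-sensitive string-prefix test."""
    return any(path.startswith(p) for p in prefixes)


def path_in_dir(path: str, directory: str) -> bool:
    """Segment-aware test: the directory itself or anything below it,
    but not a sibling such as /abc/qazzz that merely shares leading characters."""
    d = directory.rstrip("/")
    return path == d or path.startswith(d + "/")


def normalize_path(path: str) -> str:
    """Decode percent-encoding, then collapse leading and repeated slashes and dot segments."""
    decoded = "/" + unquote(path).lstrip("/")
    return posixpath.normpath(decoded)


def src_allowed(src_ip: str, allowed: Iterable[ipaddress.IPv4Network] = ALLOWED_SOURCES) -> bool:
    """True when the source address lies inside one of the allow-listed networks."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in allowed)


def is_denied(path: str, src_ip: str) -> bool:
    """The post's rule as written: deny if restricted_pages and not network_allowed."""
    return path_beg(path, RESTRICTED_PREFIXES) and not src_allowed(src_ip)


def is_denied_robust(path: str, src_ip: str) -> bool:
    """Same policy, but on the normalised path and matching whole segments."""
    p = normalize_path(path)
    return any(path_in_dir(p, d) for d in RESTRICTED_PREFIXES) and not src_allowed(src_ip)


if __name__ == "__main__":
    for path, src in (("/abc/qaz/report", "9.9.9.9"), ("/abc/qaz/report", "1.1.1.1"),
                      ("/abc/qaz", "9.9.9.9"), ("/abc/%71az/report", "9.9.9.9")):
        print(f"{path} from {src}: as written={is_denied(path, src)} "
              f"robust={is_denied_robust(path, src)}")
```

`src` is the TCP peer, so this allow-lists real client addresses only when HAProxy terminates the client connection itself; behind a load balancer you need the PROXY protocol or a trusted X-Forwarded-For, as the AWS ELB question further down this page discusses. Also note that `path` excludes the query string, so these functions take the path alone. Newer HAProxy releases provide `http-request normalize-uri` for the normalisation step; with 1.x the ACL form has to be chosen with the unnormalised path in mind.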

Give priority to certain IP addresses and skip queue

@litux wrote:

A question about the possibility of skipping the queue and giving priority to certain IP addresses in the HAProxy configuration.

Is it possible to skip the queue and always pass traffic from some defined IP addresses to the backend server(s) and if yes how to define this rule into the configuration file?

Posts: 4

Participants: 2


Complex HAProxy Setup with HTTP2 and HTTP1 together

@sadlil wrote:

We have a complex haproxy setup, where one https frontend is used with multiple backends based on path, host name, subdomains, SNI, ssl termination etc. Now in one of our cases we need to use http2 with all those http backends, and most importantly it should support host name based routing to different backends. Our backends support both http2 and http1; we just need to forward traffic there after terminating ssl, based on hostname.

I couldn't find many examples related to http2 in HAProxy. All those I found used mode tcp in the frontend, like this. I am afraid using mode tcp could break my http routing.
So how could I accomplish this?

Our Haproxy version is 1.7.1
OS Ubuntu16.04

Posts: 2

Participants: 2

HTTP/2 support in 1.7

@tamal wrote:

Hi,
Does HAProxy 1.7 support http/2 in http mode (not in tcp mode)? If not, what is the plan for HTTP/2 support? I can use HTTP/2 in tcp mode but we need to access path and header matching features to properly route all traffic on 443 port.

Thanks.

Posts: 2

Participants: 2

HaProxy 2 Apache servers => modjk => 2 tomcat servers

@rejeanc wrote:

Hi,

I have the following config :

Server A and Server B

On server A and B I have Apache 2.2 Tomcat 6, 7 and 8.

I use HAPROXY to redirect to Server A and Server B :443

backend web-tcp-backend
    mode tcp
    balance roundrobin
    balance leastconn
    stick-table type ip size 1m expire 12h
    stick on src
    option ssl-hello-chk
    server serverA 192.168.2.22:443 check
    server serverB 192.168.2.33:443 check

I use mod_jk to forward request to tomcat with worker loadbalance:

Setting the First Tomcat Server web1 tomcat7 inst1

worker.web1tomcat7inst1.port=8719
worker.web1tomcat7inst1.host=serverA
worker.web1tomcat7inst1.type=ajp13
worker.web1tomcat7inst1.lbfactor=50
worker.web1tomcat7inst1.socket_keepalive=1

Setting the Second Tomcat Server web2 tomcat7 inst1

worker.web2tomcat7inst1.port=8719
worker.web2tomcat7inst1.host=serverB
worker.web2tomcat7inst1.type=ajp13
worker.web2tomcat7inst1.lbfactor=50
worker.web2tomcat7inst1.socket_keepalive=1

Setting the Load Balancer Worker

worker.loadbalancertomcat7inst1.type=lb
worker.loadbalancertomcat7inst1.balance_workers=web1tomcat7inst1, web2tomcat7inst1
worker.loadbalancertomcat7inst1.sticky_session=1

My question is:

Is my config OK or should I use HAProxy to check : serverA:8719 and serverB:8719 or let mod_jk loadbalancer do the job.

Thanks!

Posts: 1

Participants: 1

100% CPU usage with Nginx and HAProxy

@acook wrote:

I have a somewhat complicated setup with 2 instances of HAProxy running on a single server, fronted by Nginx on another server.

Even though there are two instances of haproxy running on the same server, only one of them is ever being used (via iptables rule).

       nginx
         |                    nginx server (10.0.0.1)
---------------------------------------------
         80
         |                    haproxy server (10.0.0.2)
   [ IPTABLES]
       /
      /
  HAproxy_A      HAproxy_B

This setup has worked for me for a long time without any issues. When I want to make a config change for haproxy, I will update the instance which is not being used, restart it, and update iptables, for example:

       nginx
         |                    nginx server (10.0.0.1)
---------------------------------------------
         80
         |                    haproxy server (10.0.0.2)
      [ IPTABLES]
                \
                 \
  HAproxy_A      HAproxy_B

I recently discovered that I'm able to get haproxy to hang and use 100% CPU when using the keepalive option in nginx, and the http-reuse option in haproxy. This only happens when REMOVING backend servers in haproxy and using ApacheBench to simulate load on the servers.

For example:

Nginx config routing to haproxy:

upstream myapp {
server 10.0.0.2;
keepalive 64;
}

server {
    listen 80;
    server_name mynginx;

   location / {
      proxy_pass         http://myapp$request_uri;
      proxy_http_version 1.1;
      proxy_set_header Connection "";
    }

}

Haproxy config routing to a single backend app on 10.134.8.221:

 backend backend_myapp
     balance roundrobin
     http-reuse safe
     server  10.134.8.221_31403 10.134.8.221:31403 maxconn 128  weight 100  check

  1. haproxy_a is accepting requests
  2. Add another backend server into haproxy_b (the backend app is running on the same server, just a different port), for example:

    backend backend_myapp
    balance roundrobin
    http-reuse safe
    server 10.134.8.221_31403 10.134.8.221:31403 maxconn 128 weight 100 check
    server 10.134.8.221_31404 10.134.8.221:31404 maxconn 128 weight 100 check

  3. Restart haproxy_b with
    /usr/sbin/haproxy_b -p /tmp/haproxy_b.pid -f /etc/haproxy/haproxy_b.cfg -sf <old haproxy_b pid>

  4. Update iptables to haproxy_b port
  5. Run ab test via nginx. Everything works as expected. Haproxy_b is being used and requests are getting routed to backend servers appropriately.

However, when removing a backend server, for example:

  1. haproxy_b is accepting requests
  2. Restart haproxy_a (even though the config hasn't changed and only contains the one backend server) with
    /usr/sbin/haproxy_a -p /tmp/haproxy_a.pid -f /etc/haproxy/haproxy_a.cfg -sf <old haproxy_a pid>
  3. Update iptables to point to haproxy_a port
  4. Run ab test against nginx. Haproxy_b starts using 100% CPU, even though requests should only be coming to haproxy_a. Note that the CPU doesn't spike to 100% until the requests start coming through nginx to haproxy.

This only happens when using the keepalive option in nginx AND the http-reuse option in haproxy. If I remove either one of these options, I am unable to reproduce the issue.

Is it possible that nginx is keeping the connections alive to the inactive instance of haproxy, and then the next set of requests is coming to the old (non running) instance?

Any ideas on why this would be happening? I realize it's a complicated setup, so would be happy to provide any details I may have forgotten.

Thanks for the help in advance.

Posts: 1

Participants: 1

How to configure basic DDOS protection when behind AWS ELB (X-Forwarded-For)?

@bvoros wrote:

Hello All,

I would like to configure basic DDOS protection measures on a pair of HAProxy 1.5 servers that are behind an AWS ELB.
The ELB is in tcp mode with proxy-protocol enabled.

I have read through the internet and came across several examples, but none of them seemed to have worked.

In my current config I can finally see entries in the relevant stick-table but having problems taking action based on them.
I can see the counters go up in the table when generating loads using "ab", but there are no denied sessions when looking at the HAProxy status page.

What am I doing wrong?

Any help would be appreciated.

frontend bits:
tcp-request connection reject if { src_conn_rate(Logger) ge 20 }
tcp-request connection reject if { src_conn_cur(Logger) ge 10 }
tcp-request connection reject if { src_get_gpc0(Logger) gt 0 }
tcp-request connection expect-proxy layer4
tcp-request content track-sc0 src table Logger

Application backend:
acl abuse src_http_req_rate(Logger) ge 10
acl flag_abuser src_inc_gpc0(Logger)
tcp-request content reject if abuse flag_abuser

Logger backend for the stick table:
backend Logger
stick-table type ip size 100k expire 3m store conn_rate(3s),gpc0,conn_cur,http_req_rate(10s),http_err_rate(10s)

Example entries in the table:
0x85302c: key=1xx.2xx.2xx.2xx use=0 exp=169083 gpc0=91 conn_rate(3000)=0 conn_cur=0 http_req_rate(10000)=93 http_err_rate(10000)=9
0x85302c: key=1xx.2xx.2xx.2xx use=2 exp=179997 gpc0=5483 conn_rate(3000)=456 conn_cur=2 http_req_rate(10000)=1543 http_err_rate(10000)=0

Posts: 1

Participants: 1
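
Added example (my code, not from the post or HAProxy) that parses `show table` output in the format of the two entries above and evaluates the post's thresholds against each entry, so it is clear whether the counters or the rule placement are the problem. Here the counters exceed the limits, which points at the placement: HAProxy's documentation states that the addresses from the PROXY protocol header are used everywhere except in `tcp-request connection` rules, which only see the real connection address. With the rules above, `track-sc0` at content level keys the table on the real client, while the three `tcp-request connection reject` lines look the table up with the ELB's address, which has no entry, so they never fire. The sample dump is constructed (addresses replaced with documentation-range values and a third, well-behaved client added for contrast); the helper names are mine.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed sample in the "show table <name>" format quoted in the post; the
# addresses are documentation-range placeholders and a third, well-behaved
# client has been added for contrast.
SAMPLE_DUMP = """\
0x85302c: key=203.0.113.10 use=0 exp=169083 gpc0=91 conn_rate(3000)=0 conn_cur=0 http_req_rate(10000)=93 http_err_rate(10000)=9
0x85302d: key=203.0.113.11 use=2 exp=179997 gpc0=5483 conn_rate(3000)=456 conn_cur=2 http_req_rate(10000)=1543 http_err_rate(10000)=0
0x85302e: key=198.51.100.7 use=0 exp=12000 gpc0=0 conn_rate(3000)=3 conn_cur=1 http_req_rate(10000)=4 http_err_rate(10000)=0
"""

ENTRY_RE = re.compile(r"^0x[0-9a-fA-F]+:\s+key=(?P<key>\S+)\s+(?P<rest>.*)$")
# counter name, optional "(period_ms)" for rate counters, "=", integer value
FIELD_RE = re.compile(r"(?P<name>[a-z][a-z0-9_]*)(?:\((?P<period>\d+)\))?=(?P<value>\d+)")

# Thresholds exactly as written in the post's rules.
RULES: Dict[str, Callable[[int], bool]] = {
    "conn_rate": lambda v: v >= 20,      # tcp-request connection reject
    "conn_cur": lambda v: v >= 10,       # tcp-request connection reject
    "gpc0": lambda v: v > 0,             # tcp-request connection reject
    "http_req_rate": lambda v: v >= 10,  # acl abuse in the application backend
}


@dataclass
class Entry:
    key: str
    counters: Dict[str, int] = field(default_factory=dict)
    periods: Dict[str, int] = field(default_factory=dict)  # rate windows, in ms


def parse_table(dump: str) -> List[Entry]:
    """Parse stick-table dump lines; lines that do not look like entries are skipped."""
    entries: List[Entry] = []
    for line in dump.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entry = Entry(m.group("key"))
        for f in FIELD_RE.finditer(m.group("rest")):
            entry.counters[f.group("name")] = int(f.group("value"))
            if f.group("period") is not None:
                entry.periods[f.group("name")] = int(f.group("period"))
        entries.append(entry)
    return entries


def triggered_rules(entry: Entry) -> List[str]:
    """Names of the rules whose threshold this entry's counters exceed."""
    return [name for name, exceeds in RULES.items() if exceeds(entry.counters.get(name, 0))]


def offenders(dump: str) -> Dict[str, List[str]]:
    """Map each source that trips at least one rule to the rules it trips."""
    result: Dict[str, List[str]] = {}
    for entry in parse_table(dump):
        hits = triggered_rules(entry)
        if hits:
            result[entry.key] = hits
    return result


if __name__ == "__main__":
    for key, hits in offenders(SAMPLE_DUMP).items():
        print(key, "->", ", ".join(hits))
```

Moving the three reject conditions into `tcp-request content reject` rules placed after the `track-sc0` line, or expressing them as `http-request deny`, evaluates them with the same address the table is keyed on. Run the parser over the real dump first (for example `echo "show table Logger" | socat stdio /var/run/haproxy.sock`, assuming a stats socket at that path) to see which sources the thresholds would reject before changing the rules.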
