Channel: HAProxy community - Latest topics

Haproxy service won't start when keepalived service is running


Hi All,
I am trying to configure haproxy with keepalived but if I start keepalived service first, haproxy fails to start. When keepalived service is stopped, haproxy starts without any problems. I get the error below when I attempt to start haproxy manually while keepalived is running:
Proxy 'webserver': unable to find local peer 'VIP01.domain.com' in peers section 'mypeer'.
Fatal errors found in configuration.
Control process exited, code=exited status=1
Failed with result 'exit-code'.
Failed to start HAProxy Load Balancer.

The system is CentOS 8. I found the article below and checked that the net.ipv4.ip_nonlocal_bind sysctl is set to 1, but it still doesn’t start when keepalived is running.
https://cbonte.github.io/haproxy-dconv/1.8/management.html#11

I would greatly appreciate any help.

1 post - 1 participant



HAProxy reloads results in fd count increase


We use haproxy in our environment and we recently upgraded to 2.1.0 from 2.0.

Now every time we reload, the number of FDs increases by 1. This was not the case in version 2.0.

The fd limit for the root user is set to 1024; after 1024 reloads, the haproxy process starts to fail and the reload no longer works.
New changes are not being applied.

This happens in haproxy 2.2 as well.

To give some background, we reload haproxy very frequently, so we hit the fd limit very soon and our services start to fail.

This issue does not happen if we do not read the server-state during reload.

Below is the experiment, and it shows the fd count increase.

root@haproxynode:/usr/local/src/haproxy-2.2.0# ls -l /proc/$(systemctl status haproxy |grep 'Main PID' |awk '{print $3}')/fd
total 0
lr-x------ 1 root root 64 Jul  9 09:11 0 -> /dev/null
lrwx------ 1 root root 64 Jul  9 09:11 1 -> 'socket:[254090076]'
lrwx------ 1 root root 64 Jul  9 09:11 10 -> 'socket:[254090089]'
lrwx------ 1 root root 64 Jul  9 09:11 2 -> 'socket:[254090076]'
lrwx------ 1 root root 64 Jul  9 09:11 3 -> 'socket:[254090081]'
lrwx------ 1 root root 64 Jul  9 09:11 4 -> 'anon_inode:[eventpoll]'
lr-x------ 1 root root 64 Jul  9 09:11 5 -> /path/to/haproxy/server-state
lr-x------ 1 root root 64 Jul  9 09:11 6 -> 'pipe:[254090092]'
l-wx------ 1 root root 64 Jul  9 09:11 7 -> 'pipe:[254090092]'

root@haproxynode:/usr/local/src/haproxy-2.2.0# systemctl reload haproxy

root@haproxynode:/usr/local/src/haproxy-2.2.0# ls -l /proc/$(systemctl status haproxy |grep 'Main PID' |awk '{print $3}')/fd
total 0
lr-x------ 1 root root 64 Jul  9 09:11 0 -> /dev/null
lrwx------ 1 root root 64 Jul  9 09:11 1 -> 'socket:[254090076]'
l-wx------ 1 root root 64 Jul  9 09:11 10 -> 'pipe:[254090150]'
lrwx------ 1 root root 64 Jul  9 09:11 2 -> 'socket:[254090076]'
lrwx------ 1 root root 64 Jul  9 09:11 4 -> 'socket:[254090139]'
lr-x------ 1 root root 64 Jul  9 09:11 5 -> /path/to/haproxy/server-state
lrwx------ 1 root root 64 Jul  9 09:11 6 -> 'anon_inode:[eventpoll]'
lr-x------ 1 root root 64 Jul  9 09:11 7 -> /path/to/haproxy/server-state
lr-x------ 1 root root 64 Jul  9 09:11 8 -> 'pipe:[254090150]'
lrwx------ 1 root root 64 Jul  9 09:11 9 -> 'socket:[254090148]'


root@haproxynode:/usr/local/src/haproxy-2.2.0# haproxy -v
HA-Proxy version 2.2.0 2020/07/07 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2025.
Known bugs: http://www.haproxy.org/bugs/bugs-2.2.0.html
Running on: Linux 4.15.0-42-generic #45-Ubuntu SMP Thu Nov 15 19:32:57 UTC 2018 x86_64
root@haproxynode:/usr/local/src/haproxy-2.2.0#

The number of fds reading the server-state increased to 2. Is this a known bug? Or do we have to do something different in newer versions?

1 post - 1 participant


Http redirect /foo/bar?a=b to /foo/bar/?a=b


Hello,

I’m trying to figure out what is the good way to redirect requests to add a trailing slash, while preserving the query string.

Found this in the documentation: http://cbonte.github.io/haproxy-dconv/2.1/configuration.html#4.2-redirect%20prefix

First, it seems there is an error in the following example:

acl missing_slash path_reg ^/article/[^/]*$
redirect code 301 prefix / drop-query append-slash if missing_slash

I think there is an extra / that should be removed, like this:

acl missing_slash path_reg ^/article[^/]*$
redirect code 301 prefix / drop-query append-slash if missing_slash

So that’s working (2nd version), but in my case I’d like to preserve the query, but if I remove ‘drop-query’, the append-slash is not behaving right.
I get redirected to something like /article?foo=bar/.

So in the documentation it states that we should only use append-slash in conjunction with drop-query.

But then, what’s the right way to redirect, adding a missing trailing slash on the path, preserving the query string, and with a config that works for both HTTP1.1 and HTTP2?

Thanks!

Olivier

3 posts - 2 participants


HAproxy - authentication popup


Hi
This is my first forum post. Hi everyone. And thank you all in advance.
Help and advice (in addition to the documentation :-)) are always useful.
I have HAProxy version 1.7.5-2 in production with hundreds of services, frontend and backend exposed and balanced without any problem.
Now I need to balance a website (443) that requires authentication with a popup form to log in.
It’s a third party product so I can’t change this.
When calling the url directly a popup appears.
If I expose this url through the HAproxy no popup is displayed. I have not yet understood where the problem is … I am proceeding by exclusion … but is there the possibility through HAproxy to pass authentication credentials directly to a form?
Thanks

Mich

1 post - 1 participant


Good timeout config for "modern" servers?


Hi :smile:

I’m wondering if configuring all the timeout settings is needed… I plan to run a few services that handle data streaming / data upload (so I guess I might need keep-alives?)

Currently, this is my config:

# connection timeouts
    timeout check           15s # additional check timeout
    timeout client          30s # clientside maximum inactivity time
    timeout client-fin      15s # inactivity time for half-closed connections
    timeout connect         30s # time for a connection attempt to a server to succeed
    timeout http-keep-alive 15s # maximum allowed time to wait for a new HTTP request to appear
    timeout http-request    15s # maximum allowed time to wait for a complete HTTP request
    timeout queue           15s # maximum time to wait in the queue for a connection slot to be free
    timeout server          30s # maximum inactivity time on the server side
    timeout server-fin      15s # inactivity timeout on the server side for half-closed connections
    timeout tarpit          15s # duration for which tarpitted connections will be maintained
    timeout tunnel          30m # maximum inactivity time on the client and server side for tunnels

Is this a generally bad idea? I don’t have the fastest server so I’m afraid lowering the connect/client times will cause connections to be dropped.

Can anyone recommend changes I can make here? Thanks!

1 post - 1 participant


Construct_ca_names error on haproxy

Use different TLS versions


Hi!
I have HAProxy working well, but now we noticed that an old app on one of the containers needs TLS 1.1 and I’m requiring 1.2 as minimum, and I don’t want to degrade all the other apps to support the legacy.
Since I’m using TLS termination and I can’t bind 443 again, how can I support a different TLS version to a specific backend?
Thanks a lot!

1 post - 1 participant


How do http-response track-sc and sc-inc-gpc work?


Hello.

I am trying to get the number of status codes for each domain separated by protocol.

I can get the number of request data in the domain using http-request track-sc.
However, when tested with the config below, the http-response track-sc and http-response sc-inc-gpc do not seem to work correctly.

I would like to know what is wrong in the config and how to use http-response track-sc and http-response sc-inc-gpc correctly.

I would be grateful if you could give me a guide on what is wrong and what needs to be corrected.

config

frontend HTTP

bind        *:80

http-request    set-var(txn.host)   req.hdr(host),lower,field(1,:)

http-request    track-sc0    var(txn.host)  table BK_ALL
http-request    track-sc1    var(txn.host)  table BK_HTTP


http-response   track-sc0    var(txn.host)  table BK_HTTP_23    if   { status ge 200 } { status lt 400 }
http-response   sc-inc-gpc0(0)  if { status ge 200 } { status lt 300 }
http-response   sc-inc-gpc1(0)  if { status ge 300 } { status lt 400 }

http-response   track-sc0    var(txn.host)  table BK_HTTP_45    if   { status ge 400 } { status lt 600 }
http-response   sc-inc-gpc0(0)  if { status ge 400 } { status lt 500 }
http-response   sc-inc-gpc1(0)  if { status ge 500 } { status lt 600 }

default_backend     BK_DEFAULT

frontend HTTPS

bind        *:443       ssl crt-list /etc/haproxy/ssl/cert-list.txt    tls-ticket-keys /etc/haproxy/ssl/tls-ticket.key    alpn h2,http/1.1      npn h2,http/1.1

acl http2  ssl_fc_alpn -i h2
acl http2  ssl_fc_npn  -i h2

http-request    set-var(txn.host)   req.hdr(host),lower,field(1,:)

http-request    track-sc0    var(txn.host)  table BK_ALL
http-request    track-sc1    var(txn.host)  table BK_HTTPS    if   !http2
http-request    track-sc2    var(txn.host)  table BK_HTTP2    if    http2


http-response   track-sc0    var(txn.host)  table BK_HTTPS_23   if   { status ge 200 } { status lt 400 } !http2
http-response   sc-inc-gpc0(0)                      if { status ge 200 } { status lt 300 } !http2
http-response   sc-inc-gpc1(0)                      if { status ge 300 } { status lt 400 } !http2

http-response   track-sc0    var(txn.host)  table BK_HTTPS_45   if   { status ge 400 } { status lt 600 } !http2
http-response   sc-inc-gpc0(0)                      if { status ge 400 } { status lt 500 } !http2
http-response   sc-inc-gpc1(0)                      if { status ge 500 } { status lt 600 } !http2


http-response   track-sc1    var(txn.host)  table BK_HTTP2_23   if   { status ge 200 } { status lt 400 } http2
http-response   sc-inc-gpc0(1)                      if { status ge 200 } { status lt 300 } http2
http-response   sc-inc-gpc1(1)                      if { status ge 300 } { status lt 400 } http2

http-response   track-sc1    var(txn.host)  table BK_HTTP2_45   if   { status ge 400 } { status lt 600 } http2
http-response   sc-inc-gpc0(1)                      if { status ge 400 } { status lt 500 } http2
http-response   sc-inc-gpc1(1)                      if { status ge 500 } { status lt 600 } http2

default_backend     BK_DEFAULT

backend BK_DEFAULT

server localhost 127.0.0.1:8080 check

backend BK_ALL

stick-table    type string    len 256    size 10k    expire 7d    store    conn_cnt,sess_cnt,http_req_cnt,http_err_cnt,bytes_out_cnt

backend BK_HTTP

stick-table    type string    len 256    size 10k    expire 7d    store    conn_cnt,sess_cnt,http_req_cnt,http_err_cnt,bytes_out_cnt

backend BK_HTTP_23

stick-table    type string    len 256    size 10k    expire 7d    store    conn_cnt,gpc0,gpc1

backend BK_HTTP_45

stick-table    type string    len 256    size 10k    expire 7d    store    conn_cnt,gpc0,gpc1

backend BK_HTTPS

stick-table    type string    len 256    size 10k    expire 7d    store    conn_cnt,sess_cnt,http_req_cnt,http_err_cnt,bytes_out_cnt

backend BK_HTTPS_23

stick-table    type string    len 256    size 10k    expire 7d    store    conn_cnt,gpc0,gpc1

backend BK_HTTPS_45

stick-table    type string    len 256    size 10k    expire 7d    store    conn_cnt,gpc0,gpc1

backend BK_HTTP2

stick-table    type string    len 256    size 10k    expire 7d    store    conn_cnt,sess_cnt,http_req_cnt,http_err_cnt,bytes_out_cnt

backend BK_HTTP2_23

stick-table    type string    len 256    size 10k    expire 7d    store    conn_cnt,gpc0,gpc1

backend BK_HTTP2_45

stick-table    type string    len 256    size 10k    expire 7d    store    conn_cnt,gpc0,gpc1

test

[root]# echo "show table BK_ALL" | socat /var/run/haproxy.stat1 stdio
# table: BK_ALL, type: string, size:10240, used:1
0x17e2688: key=test.com use=0 exp=604789122 conn_cnt=3 sess_cnt=0 http_req_cnt=3 http_err_cnt=0 bytes_out_cnt=636

[root]# echo "show table BK_HTTP" | socat /var/run/haproxy.stat1 stdio
# table: BK_HTTP, type: string, size:10240, used:1
0x17e2858: key=test.com use=0 exp=604784378 conn_cnt=3 sess_cnt=0 http_req_cnt=3 http_err_cnt=0 bytes_out_cnt=636

[root]# echo "show table BK_HTTP_23" | socat /var/run/haproxy.stat1 stdio
# table: BK_HTTP_23, type: string, size:10240, used:0

[root]# echo "show table BK_HTTP_45" | socat /var/run/haproxy.stat1 stdio
# table: BK_HTTP_45, type: string, size:10240, used:0

HAProxy version
haproxy -vv

HA-Proxy version 1.9.15 2020/04/02 - https://haproxy.org/
Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wtype-limits
OPTIONS = USE_DL=1 USE_OPENSSL=1 USE_LUA=1 USE_SYSTEMD=1 USE_PCRE=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.1.1g 21 Apr 2020
Running on OpenSSL version : OpenSSL 1.1.1g 21 Apr 2020
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.5
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built without compression support (neither USE_ZLIB nor USE_SLZ are set).
Compression algorithms supported : identity("identity")
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Encrypted password support via crypt(3): yes
Built with multi-threading support.

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as cannot be specified using 'proto' keyword)
h2 : mode=HTX side=FE|BE
h2 : mode=HTTP side=FE
: mode=HTX side=FE|BE
: mode=TCP|HTTP side=FE|BE

Available filters :
[SPOE] spoe
[COMP] compression
[CACHE] cache
[TRACE] trace

1 post - 1 participant



Help with SSL config with 1 root cert but mutiple subdomains listening on port 443


Hi,
I am new to HAProxy.
I have installed HAProxy version 2.1.4 stable on Ubuntu.
I have a working config with TCP mode, but my applications need HTTPS for Java API calls, which fail with a handshake error using TCP mode, i.e. it needs SSL certs.

I wanted to know if the below configuration is possible. Is there any other solution for my scenario?

frontend https_front

   bind *:443 ssl crt /etc/ssl/root.example.com.pem # it has both cert and private key
   mode http
  ### the below ACLs are not correct. Just added for explaining my scenario ###
  acl if  app1.example.com use backend be_app1
  acl if app2.example.com use backend be_app2
  acl if app3.example.com use backend be_app3

backend be_app1
balance source
mode http
server ser1 10.1.101.10:8443 ssl check verify none
server ser2 10.1.101.11:8443 ssl check verify none

backend be_app2
balance source
mode http
server ser1 10.1.101.10:8445 ssl check verify none
server ser2 10.1.101.11:8445 ssl check verify none

backend be_app3
balance source
mode http
server ser1 10.1.101.10:8447 ssl check verify none
server ser2 10.1.101.11:8447 ssl check verify none

Thanks,
Sri

1 post - 1 participant


Setting up reverse proxy to container in swarm


Hi, I am trying to proxy two MQTT brokers on the same Docker swarm through a single port by using SNI. My HAProxy config is

resolvers docker
  nameserver dns "127.0.0.11:53"
defaults
  timeout client 30s
  timeout server 30s
  timeout connect 5s
listen mqtt
  bind *:1883
  use-server mqtt_app_1 if { req_ssl_sni -i mqtt1.ns1.logicbee.dev }
  server     mqtt_app_1 mqtt_1:1883 check resolvers docker resolve-prefer ipv4
  use-server mqtt_app_2 if { req_ssl_sni -i mqtt2.ns1.logicbee.dev }
  server     mqtt_app_2 mqtt_2:1883 check resolvers docker resolve-prefer ipv4

I got the error below

mult_serv_proxy2.1.sm4o91a6ocw7@node0    | [NOTICE] 195/185652 (1) : haproxy version is 2.2.0
mult_serv_proxy2.1.sm4o91a6ocw7@node0    | [NOTICE] 195/185652 (1) : path to executable is /usr/local/sbin/haproxy
mult_serv_proxy2.1.sm4o91a6ocw7@node0    | [ALERT] 195/185652 (1) : parsing [/usr/local/etc/haproxy/haproxy.cfg:12] : 'server mqtt_app_1' : could not resolve address 'mqtt_1'.
mult_serv_proxy2.1.sm4o91a6ocw7@node0    | [ALERT] 195/185652 (1) : parsing [/usr/local/etc/haproxy/haproxy.cfg:14] : 'server mqtt_app_2' : could not resolve address 'mqtt_2'.
mult_serv_proxy2.1.sm4o91a6ocw7@node0    | [ALERT] 195/185652 (1) : Failed to initialize server(s) addr.
mult_serv_proxy2.1.42p4r0h5exw6@node0    | [NOTICE] 195/185659 (1) : New worker #1 (7) forked

my swarm setup works well for httpd proxied by nginx.
When I ping from inside the haproxy container I got the following

How to solve this?

1 post - 1 participant


Haproxy backend selection based on username


Hi,

I am currently using haproxy 1.8.25 to load-balance our Gerrit server. I have a requirement where I need to redirect the incoming requests specifically from a couple of service accounts to the main server, while the rest of the traffic goes to read-only servers.

I am able to match the service account username when basic auth is used to authenticate, using the ACL below.

    acl allow-user req.fhdr(Authorization),regsub(^Basic\s+,i),b64dec,regsub(:.+,) eq 'service-account'

    use_backend gerrit-master if allow-user

But the problem is these service accounts use digest authentication and hence the above ACL doesn’t work. Is there any other way to achieve this? Any help will be highly appreciated.

1 post - 1 participant


Stops checking health


Hi,

I am using HAProxy in Kubernetes to do active/passive balancing on a statefulset with 2 nodes. This is the config I am using:

global
  log stdout format raw local0

defaults
  default-server init-addr libc,none
  log global
  mode http
  timeout client 20s
  timeout server 5s
  timeout connect 4s

frontend port_8080
  bind *:8080
  mode http
  default_backend repository

backend repository
  option log-health-checks
  mode http
  option httpchk GET /alfresco/api/-default-/public/alfresco/versions/1/probes/-live-
  default-server inter 10s downinter 5s
  server repo0 "${active}:8080/" check fall 2 rise 4
  server repo1 "${passive}:8080/" check backup fall 5 rise 2

{active} and {passive} are environment variables pointing to the active and the passive node.

This works great so far, in that all traffic is routed to the active node, and nothing to the passive node.

When I then kill the active node on purpose, haproxy realises this very quickly and all traffic gets routed to the passive node. But it then stops checking whether the active node comes back. I don’t see any failed checks in the logs; it seems haproxy stops checking altogether.
When I then (after the active node is back) kill the passive node, haproxy states it has no backend servers available anymore and stops working altogether.

How can I configure haproxy to still do health checks and fail back to the active node after it is reachable again?

Thanks!

1 post - 1 participant


Reverse Proxy - Hide port in response


Hello everybody,

I am trying to use haproxy to redirect traffic based on the URL to different Traefik instances in Docker containers.

The goal is to overcome shortcomings of Traefik in handling multiple DNS challenge configurations within one instance.

My problem:

The goal:

Thank you very much for any help with this!

Configurations and Setup:

The setup looks like this:

                             +----------+
                             |          |
+----------------------+     | ATraefik |
|                      |     |          |
|          ADomain.com +<--->+----------+
|haproxy               |
|          BDomain.com +<--->+----------+
|                      |     |          |
+----------------------+     | BTraefik |
                             |          |
                             +----------+

frontend https_in
    bind *:443

    acl host_a hdr(host) -i ADomain.com
    acl host_b hdr(host) -i BDomain.com   

    use_backend a_websecure if host_a
    use_backend b_websecure if host_b

backend a_websecure
    server a_traeifk a_traefik:444

backend b_websecure
    server b_traeifk b_traefik:445

1 post - 1 participant


SMTP & IMAP proxy based on domain (pass-through)


Hello,

My scenario is as follows:
I have a single server with multiple domains. For each domain I’d like to have a separate docker container (won’t go into reasons why I want this, but it does make sense) as an email server (postfix + dovecot). I’ve researched this extensively for months and believe this should be possible using haproxy.
I’d like to achieve this without SSL termination - basically using pass-through, or in other words, read the TLS SNI header (domain) and decide based on that which upstream to forward the traffic to.
Something like this is even described on: https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/

I’m not sure if I’ve configured something wrong or if I am completely missing something here.
If I set a default server, this works, but proxying based on domain (sni) does not.

My configuration is as follows:

defaults
    timeout client 30s
    timeout server 30s
    timeout connect 5s

    option tcplog
    log global


frontend smtp_submission

    mode tcp
    bind *:587

    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    use_backend smtp_submission


frontend imap

    mode tcp
    bind *:993

    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    use_backend imap


backend smtp_submission

    mode tcp

    acl mail_domain1_match req_ssl_sni -i smtp.domain1.com
    acl mail_domain2_match req_ssl_sni -i smtp.domain2.com

    use-server mail_domain1_smtp_submission if mail_domain1_match
    use-server mail_domain2_smtp_submission if mail_domain2_match

    option ssl-hello-chk

    server mail_domain1_smtp_submission 172.17.0.12:587 weight 0
    server mail_domain2_smtp_submission 172.17.0.11:587 weight 0


backend imap

    mode tcp

    acl mail_domain1_match req_ssl_sni -i imap.domain1.com
    acl mail_domain2_match req_ssl_sni -i imap.domain2.com

    use-server mail_domain1_imap if mail_domain1_match
    use-server mail_domain2_imap if mail_domain2_match

    option ssl-hello-chk

    server mail_domain1_imap 172.17.0.12:993 weight 0
    server mail_domain2_imap 172.17.0.11:993 weight 0

1 post - 1 participant


Backend 80 and 433 mixed


I have some servers behind haproxy on the same network with SSL offloading working properly.
Now I’m adding a remote AWS server to this backend. This is what I’m adding, with no luck, for the backend

backend awsmix
balance leastconn
cookie PHPSESSID prefix nocache
server web1 10.0.0.1:80 cookie 0F12 check weight 20
server web2 10.0.0.2:80 cookie D274 check weight 20
server awsa mydomain.com:443 cookie 8S5Q check weight 10

As server awsa is outside my datacenter, I want it to be an SSL connection. In any case, I can’t see any request reaching the “server awsa”

Does someone have this setting working? Thanks

4 posts - 2 participants



Connect to backend based on protocol used by client in frontend


Hello,

I want to know if it’s possible to connect to the backend server based on the protocol which was used in the frontend.

So for example, when a client requests the page with http://page.com, I want to set the backend port to 80 for the backend server and use HTTP as well. When the client connects with HTTPS, the backend should also be requested with SSL on port 443.

It’s probably working with two different backends, e.g. be_http and be_https, but maybe there is a solution with only one backend and some kind of a port variable?

Thanks in advance!

1 post - 1 participant


Stats after reload


Hi everyone,
I’m aware this topic has already been discussed many times in this community, however I’ll try to bring it back, hoping for your help.
I know the expected behaviour of HAProxy is to drop the stats after reloading, but I was wondering if there is any way to implement a workaround for this issue.
Nowadays monitoring is everything! Or at least very very important :slight_smile:

Given that the server-state-file does not save the stats and thus they can’t be loaded from file during a reload, is there any way to query the older workers with socat ‘show stat’, or is there any other way to monitor them after a reload?

The Telegraf plugin supports multiple local sockets, but I don’t know how to monitor the older workers’ sockets, if there is a way to do this.

One-shot saving of the stats before the reload doesn’t solve the problem, since it does not provide awareness of the state of those sessions in time.

Seamless reloads work perfectly, but losing the stats is an issue I would really want to solve.

Version & Configs:

  • HA-Proxy version 2.0.15
  • master-worker
  • nbproc 1
  • stats socket /run/haproxy/stat.sock user haproxy group haproxy mode 660 level admin expose-fd listeners

I will appreciate any advice,

“For Great Justice”

1 post - 1 participant


HAproxy load balancing without reverse proxy


Hi, I’m new to HAProxy,

I want to load balance my servers 192.168.1.2/myweb & 192.168.1.3/myweb

My HAProxy IP is 192.168.1.1

This is my configuration

backend myweb
option forwardfor
balance roundrobin
mode http
server ubuntu1 192.168.1.2:8890
server ubuntu2 192.168.1.3:8890

If possible, I want HAProxy to forward my traffic to the real server, rather than browsing from the HAProxy server.

For example, like using: http-request redirect location http://192.168.1.2/myweb or http-request redirect prefix http:///myweb
Any suggestions?

4 posts - 2 participants


Redirecting with masking backend URL from user

Help ! with piling backup sessions at certain interval


Backend sessions are increasing and bringing the load balancer down. Any help to check which backend sessions are causing haproxy to go down?

Due to the backend session, the daemon is also going down; eventually I had to reboot the LB server to bring it up

Jul 16 21:27:44 systemd[1]: Started HAProxy Load Balancer.

Jul 16 21:27:44 haproxy-systemd-wrapper[7922]: haproxy-systemd-wrapper: executing /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds

Jul 16 21:27:44 haproxy-systemd-wrapper[7922]: [ALERT] 197/212744 (7923) : [/usr/sbin/haproxy.main()] Cannot create pidfile /run/haproxy.pid

Jul 16 21:27:44 haproxy-systemd-wrapper[7922]: haproxy-systemd-wrapper: exit, haproxy RC=1

Jul 16 21:27:44 systemd[1]: haproxy.service: main process exited, code=exited, status=1/FAILURE

Jul 16 21:27:44 systemd[1]: Unit haproxy.service entered failed state.

Jul 16 21:27:44 systemd[1]: haproxy.service failed.

2 posts - 2 participants

