Channel: HAProxy community - Latest topics

Capture tcp payload on HAProxy

HAProxy version:2.2.1
I want to capture a TCP packet and make an ACL from the captured packet, but when I try to capture the payload it doesn’t work.
My configuration:

frontend hts_frontend
    bind *:8400
    mode tcp
    maxconn 3000
    option tcplog
    log global
    timeout client  1m
    tcp-request inspect-delay 1s
    tcp-request content capture payload(0,192) len 1

I want to capture the 118th character, as in the screenshot, and make an ACL so that if the character is 1 the connection goes to the A backend server and any other character goes to the B backend server.

Please advise me how to do that…

1 post - 1 participant
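One way to route on that byte, as an added example that is not part of the post (the backend names bk_a/bk_b and the 192.0.2.x server addresses are assumed): HAProxy's req.payload(<offset>,<length>) reads from the client buffer with a zero-based offset, so the 118th character is req.payload(117,1); payload samples are binary and are compared as hex with -m bin, where 31 is ASCII '1'. The inspect delay bounds how long HAProxy waits for that byte before falling through to the default backend, so a slow or silent client cannot hold the frontend indefinitely.

```haproxy
frontend hts_frontend
    bind *:8400
    mode tcp
    option tcplog
    log global
    timeout client 1m
    # Buffer client data for at most 1s before a backend is chosen
    tcp-request inspect-delay 1s
    # Stop waiting as soon as 118 bytes are in the request buffer
    tcp-request content accept if { req.len ge 118 }
    # Byte 118 (offset 117, zero-based), compared as hex: 0x31 is ASCII '1'
    acl flag_is_one req.payload(117,1) -m bin 31
    use_backend bk_a if flag_is_one
    # Any other value, and any client that sent fewer than 118 bytes before
    # the inspect delay expired, goes to B
    default_backend bk_b

# Backend names and addresses are assumed for this example
backend bk_a
    mode tcp
    server a1 192.0.2.10:8400 check

backend bk_b
    mode tcp
    server b1 192.0.2.20:8400 check
```

Validate with haproxy -c -f before loading it; if the byte must also appear in the logs, a custom log-format with a tcp-request content capture of req.payload(117,1),hex can be added, but routing itself needs only the ACL above.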


Multiple ssl/sni frontend configs without sharing config settings between sni names

I currently have two different frontends, both of which I want to offer on SSL port 443. However, each frontend has different ACLs and http-response set-header rules. I think the default [1] for redirecting to backends is something like this.

frontend env_ssl_frontend
bind *:443
mode tcp
option tcplog
tcp-request inspect-delay 10s
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend bk_app1 if { req.ssl_sni -m end app1.domain.com }
use_backend bk_app2 if { req.ssl_sni -m end app2.domain.com }
use_backend bk_app3 if { req.ssl_sni -m end app3.domain.com }

frontend http
bind *:443 ssl crt /etc/ssl/certs/mycert.pem
mode tcp
acl backend1 ssl_fc_sni backed1.domain.com
acl backend2 ssl_fc_sni backed2.domain.com
tcp-request inspect-delay 5s
use_backend backend1 if backend1
use_backend backend2 if backend2

But I think this would mean I cannot separate ACLs for different backends, or am I mistaken here? Or is there another way to configure this? I was thinking of maybe doing a port redirection, but that does not really look nice on the client side.

So basically I would like to have a frontend configuration that is similar to e.g. webservers, where you have a separate config for a ‘domain’ identified by SNI name and certificate.

7 posts - 2 participants
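The per-site layout the post asks for, as an added example rather than code from the thread or the HAProxy project (socket paths, certificate paths, ACLs and server addresses are all assumed): a TCP frontend reads the SNI from the ClientHello without decrypting anything and hands the stream to a per-site frontend over a unix socket with the PROXY protocol, so each site terminates TLS with its own certificate and keeps its own ACLs and response headers, much like a web server's virtual hosts. send-proxy-v2/accept-proxy carry the real client address into the inner frontend, so src ACLs and logs there still see the client rather than the socket.

```haproxy
# Layer-4 router: picks the site from the SNI and forwards the raw TLS stream
frontend fe_sni_router
    bind *:443
    mode tcp
    tcp-request inspect-delay 10s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Exact, case-insensitive host match; "-m end app1.domain.com" would also
    # accept "evilapp1.domain.com"
    use_backend to_app1 if { req.ssl_sni -i app1.domain.com }
    use_backend to_app2 if { req.ssl_sni -i app2.domain.com }
    # No default_backend: connections for unknown names are closed

backend to_app1
    mode tcp
    server app1 unix@/var/run/haproxy/app1.sock send-proxy-v2

backend to_app2
    mode tcp
    server app2 unix@/var/run/haproxy/app2.sock send-proxy-v2

# Each site terminates TLS with its own certificate and has its own rules
frontend fe_app1
    bind unix@/var/run/haproxy/app1.sock accept-proxy ssl crt /etc/ssl/certs/app1.pem
    mode http
    acl is_admin path_beg /admin
    http-request deny if is_admin !{ src 10.0.0.0/8 }
    http-response set-header X-Frame-Options DENY
    default_backend bk_app1

frontend fe_app2
    bind unix@/var/run/haproxy/app2.sock accept-proxy ssl crt /etc/ssl/certs/app2.pem
    mode http
    http-response set-header Cache-Control no-store
    default_backend bk_app2

backend bk_app1
    mode http
    server app1 192.0.2.10:8080 check

backend bk_app2
    mode http
    server app2 192.0.2.20:8080 check
```

The socket directory must be writable by the HAProxy user (and, with chroot, the path is relative to the chroot). Clients that send no SNI, or an unknown one, never reach a certificate, which is the intended behaviour here.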

Multiple condition group ordering

Hi, I would like to do something like this (logically):

http-request deny unless acl1 OR acl2 OR (acl3 AND acl4)

Would this statement do that?

http-request deny unless acl1 or acl2 or acl3 acl4

Thanks!

2 posts - 2 participants
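An added illustration (not from the thread) of how HAProxy parses such a condition, with made-up ACL names and an assumed token list path: HAProxy conditions have no parentheses, ACL names separated by whitespace are ANDed, and or (or ||) joins those AND groups, so the form written in the post already expresses acl1 OR acl2 OR (acl3 AND acl4).

```haproxy
frontend fe_api
    bind *:80
    mode http
    # acl1: request originates on the internal network
    acl from_internal src 10.0.0.0/8
    # acl2: request carries a token listed in a file (path assumed)
    acl has_token req.hdr(X-Api-Token) -m str -f /etc/haproxy/api-tokens.lst
    # acl3 and acl4: read-only access to the public tree
    acl is_get method GET
    acl is_public path_beg /public/
    # No parentheses in HAProxy conditions: ACLs separated by spaces are ANDed
    # and "or" joins those groups, so this is
    #   from_internal OR has_token OR (is_get AND is_public)
    http-request deny unless from_internal or has_token or is_get is_public
    default_backend bk_api

backend bk_api
    mode http
    server api1 192.0.2.10:8080 check
```

Because AND binds tighter than or, a rule that needs (A OR B) AND C cannot be written in one condition; it is split into two rules or an intermediate ACL.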

Monitoring websockets with haproxy 2.2

Greetings - I’m working on upgrading haproxy from 1.8 to 2.2. I went through and corrected all of the warnings, but I hit a snag with how we monitor websocket backends. Right now, we do this in the websocket-specific backend:

option httpchk GET /ws?healthcheck=true HTTP/1.1\r\nHost:\ foobar.net\r\nConnection:\ Upgrade\r\nUpgrade:\ websocket\r\nSec-WebSocket-Key:\ x3JJHMbDL1EzLkh9GBhXDw==\r\nSec-WebSocket-Version:\ 13
http-check expect status 101

When I change it to the new way:

option httpchk GET /ws?healthcheck=true HTTP/1.1
http-check send hdr Host foobar.net hdr Connection Upgrade hdr Upgrade websocket hdr Sec-WebSocket-Key x3JJHMbDL1EzLkh9GBhXDw== hdr Sec-WebSocket-Version 13
http-check expect status 101

http-check send overwrites the Connection header and sets it to close (per the docs). Here are the headers my app receives when I use http-check send:

{
  host: 'foobar.net',
  upgrade: 'websocket',
  'sec-websocket-key': 'x3JJHMbDL1EzLkh9GBhXDw==',
  'sec-websocket-version': '13',
  'content-length': '0',
  connection: 'close'
}

This doesn’t work, so I’ve had to revert to the old, deprecated way of doing this.

Is there any way to monitor websockets like we were doing with option httpchk? I’ve been reading through the docs, searching here and elsewhere, and I haven’t found anything. It doesn’t look like this is possible with 2.2 yet.

1 post - 1 participant

Servers number limit for balancing algorithms

We use HAProxy to balance the load between hundreds of servers; however, there is an issue which is new and unexpected for us (works in any HAProxy version). When the number of servers in some backend exceeds 100, all weights for active servers are set to zero (marked as SOFT STOPPED) and the backend goes down. The only way to make the backend UP again is to set the server count to 100 or less. We may need to run hundreds of servers under one backend and distribute the load. How can we adjust this number?

4 posts - 2 participants

Resolvers section with non existing dns servers possible?

I have different nameserver IPs for different networks. Is it possible to just configure them all, and have haproxy figure out which ones exist and ignore the ones that can’t be reached?

With this config haproxy does not start when the nameservers are not available.

resolvers dnssvrs1
  nameserver dns1 192.168.10.xx:53
  nameserver dns2 192.168.10.yy:53
  nameserver dns3 aaa.aa.aaa.aaa:53
  nameserver dns4 bbb.bb.bbb.bbb:53

2 posts - 2 participants

SNI switching with haproxy kubernetes controller

Is it possible to use SNI switching as detailed in this article when using haproxy deployed to kubernetes with helm?

I want to expose a single loadbalancer and direct traffic to backend SSL services (that use SNI) in other namespaces based on the hostname.

e.g. *.example.com points to loadbalancer
ssl://a.example.com:8088 -> svc.a-namespace.cluster.local:8088
ssl://b.example.com:8088 -> svc.b-namespace.cluster.local:8088

I tried putting some of the configuration from the article into a configmap, but it seems the configmap is actually just for mapping a single port to a backend service.

1 post - 1 participant

Checking multiple conditions does not work

Hi,

I want to check 2 conditions on redis: it should be master, and in the other checks at least 2 of 3 sentinel nodes should report this redis instance as master.

Therefore, the number of servers found in another backend check is reused, and if the number of found servers is at least 2, it should be selected.

However, the condition with use-server and nbsrv is totally ignored. ge 2 is not working, and lt 1, for example, isn’t either.
Any ideas?
Best
Ronny

backend check_master_redis1
mode tcp
option tcp-check
tcp-check connect
tcp-check send PING\r\n
tcp-check expect string +PONG
tcp-check send SENTINEL\ master\ secucore-redis-001\r\n
tcp-check expect string 10.240.50.1
tcp-check send QUIT\r\n
tcp-check expect string +OK

server sentinel1 10.240.50.1:26379 check inter 2s
server sentinel2 10.240.50.2:26379 check inter 2s
server sentinel3 10.240.50.3:26379 check inter 2s

backend check_master_redis2
mode tcp
option tcp-check
tcp-check connect
tcp-check send PING\r\n
tcp-check expect string +PONG
tcp-check send SENTINEL\ master\ secucore-redis-001\r\n
tcp-check expect string 10.240.50.2
tcp-check send QUIT\r\n
tcp-check expect string +OK

server sentinel1 10.240.50.1:26379 check inter 2s
server sentinel2 10.240.50.2:26379 check inter 2s
server sentinel3 10.240.50.3:26379 check inter 2s

backend check_master_redis3
mode tcp
option tcp-check
tcp-check connect
tcp-check send PING\r\n
tcp-check expect string +PONG
tcp-check send SENTINEL\ master\ secucore-redis-001\r\n
tcp-check expect string 10.240.50.3
tcp-check send QUIT\r\n
tcp-check expect string +OK

server sentinel1 10.240.50.1:26379 check inter 2s
server sentinel2 10.240.50.2:26379 check inter 2s
server sentinel3 10.240.50.3:26379 check inter 2s

frontend ft_redis
bind *:6379
mode tcp
use_backend bk_redis

backend bk_redis
mode tcp

option tcp-check
tcp-check connect
tcp-check send PING\r\n
tcp-check expect string +PONG
tcp-check send info\ replication\r\n
tcp-check expect string role:master
tcp-check send QUIT\r\n
tcp-check expect string +OK

use-server redis1 if { srv_is_up(redis1) } { nbsrv(check_master_redis1) ge 2 }
use-server redis2 if { srv_is_up(redis2) } { nbsrv(check_master_redis2) ge 2 }
use-server redis3 if { srv_is_up(redis3) } { nbsrv(check_master_redis3) ge 2 }

server redis1 10.240.50.1:6379 check inter 1s
server redis2 10.240.50.2:6379 check inter 1s
server redis3 10.240.50.3:6379 check inter 1s

1 post - 1 participant


There is a problem with the DNS SRV record process

I am using haproxy with a k8s headless svc.

When a pod is destroyed, haproxy puts the server in maint.

When the pod resumes, haproxy sets the addr, but does not update the server status to ready.

“log”

2020-08-04T12:36:41+08:00 127.0.0.1 haproxy[1]: Server fms-appdownloads-live-vn/server2 is going DOWN for maintenance (entry removed from SRV record). 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.

2020-08-04T12:37:11+08:00 127.0.0.1 haproxy[1]: fms-appdownloads-live-vn/server2 changed its IP from 10.154.251.135 to 10.154.3.111 by DNS additional recrd.
2020-08-04T12:37:11+08:00 127.0.0.1 haproxy[1]: fms-appdownloads-live-vn/server2 changed its FQDN from (null) to 10-154-3-111.fms-api-live-vn.fms-live-vn.svc.kube-general-ctl-live.k8s.cluster by ‘SRV record’

“my resolution”

4 posts - 2 participants

Haproxy 2.2.x and problem with proto h2 in backend

Hello,
I upgraded haproxy 2.1.x -> 2.2.x, and everything is working, almost.

I am using haproxy as a reverse proxy for apache servers.

configuration for apache backends:

backend default
server backend:80 127.0.0.1:80 maxconn 1000 check proto h2

for H2 on apache:
Protocols h2 h2c http/1.1

% curl 127.0.0.1 --http2 -I
HTTP/1.1 101 Switching Protocols
Upgrade: h2c
Connection: Upgrade

HTTP/2 200
date: Sun, 00 Jan 1900 00:00:00 GMT
server: Apache
last-modified: Thu, 27 Feb 2020 12:06:34 GMT
etag: W/"0-59f8d8d57d36c"
accept-ranges: bytes
vary: Accept-Encoding,User-Agent
content-type: text/html; charset=UTF-8

there is an error log on the apache backend with version 2.2.x

[Wed Aug 05 14:39:50.453929 2020] [http2:debug] [pid 205856:tid 139673980614400] h2_filter.c(196): (104)Connection reset by peer: [client 127.0.0.1:59244] AH03046: h2_session(280): error reading
[Wed Aug 05 14:39:50.453970 2020] [http2:debug] [pid 205856:tid 139673980614400] h2_session.c(2168): (104)Connection reset by peer: [client 127.0.0.1:59244] AH03403: h2_session(278,IDLE,0): no data, error
[Wed Aug 05 14:39:50.453979 2020] [http2:debug] [pid 205856:tid 139673980614400] h2_session.c(1765): [client 127.0.0.1:59244] AH03401: h2_session(278,IDLE,0): conn error -> shutdown
[Wed Aug 05 14:39:50.453992 2020] [http2:debug] [pid 205856:tid 139673980614400] h2_session.c(594): [client 127.0.0.1:59244] AH03068: h2_session(278,IDLE,0): sent FRAME[GOAWAY[error=0, reason='timeout', last_stream=0]], frames=2/4 (r/s)
[Wed Aug 05 14:39:50.454021 2020] [http2:debug] [pid 205856:tid 139673980614400] h2_conn_io.c(283): (32)Broken pipe: [client 127.0.0.1:59244] AH03044: h2_conn_io(280): pass_out brigade 24 bytes
[Wed Aug 05 14:39:50.454025 2020] [http2:debug] [pid 205856:tid 139673980614400] h2_session.c(720): [client 127.0.0.1:59244] AH03069: h2_session(278,IDLE,0): sent GOAWAY, err=0, msg=timeout
[Wed Aug 05 14:39:50.454030 2020] [http2:debug] [pid 205856:tid 139673980614400] h2_session.c(1675): [client 127.0.0.1:59244] AH03078: h2_session(278,DONE,0): transit [IDLE] -- local goaway --> [DONE]
[Wed Aug 05 14:39:50.454034 2020] [http2:debug] [pid 205856:tid 139673980614400] h2_conn.c(217): (70014)End of file found: [client 127.0.0.1:59244] AH03045: h2_session(278,DONE,0): process, closing conn
[Wed Aug 05 14:39:50.454039 2020] [http2:debug] [pid 205856:tid 139673980614400] h2_session.c(1675): [client 127.0.0.1:59244] AH03078: h2_session(278,CLEANUP,0): transit [DONE] -- pre_close --> [CLEANUP]

version 2.1.x has no problems sending cleartext h2 to the apache servers

with version 2.2.x there is a problem, but everything looks the same as in 2.1.x (using the same compile options)
Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
            fcgi : mode=HTTP       side=BE        mux=FCGI
       <default> : mode=HTTP       side=FE|BE     mux=H1
              h2 : mode=HTTP       side=FE|BE     mux=H2
       <default> : mode=TCP        side=FE|BE     mux=PASS

thanks for help

Pavel

1 post - 1 participant

Haproxy 2.2.0 sends sessions to backend with state DOWN

Hello,
I am running 2 replicas of haproxy 2.2.0 in a docker swarm.
The scenario is the following:
I have a backend that includes 10 servers. 3 of them are UP and running (service 0, 1 and 2), and at some point a new service is created (service3) whose port 4902 is not listening until some loading occurs (it takes a few minutes).

The configuration is the following:

frontend frontend_service_rtsp
bind *:4902
mode tcp
option tcplog
default_backend backend_service_rtsp

backend backend_service_rtsp
  mode tcp
  balance leastconn
  option tcp-check
  server service0_rtsp service0:4902 check resolvers docker init-addr none,last,libc
  server service1_rtsp service1:4902 check resolvers docker init-addr none,last,libc
  server service2_rtsp service2:4902 check resolvers docker init-addr none,last,libc
  server service3_rtsp service3:4902 check resolvers docker init-addr none,last,libc
  server service4_rtsp service4:4902 check resolvers docker init-addr none,last,libc
  server service5_rtsp service5:4902 check resolvers docker init-addr none,last,libc
  server service6_rtsp service6:4902 check resolvers docker init-addr none,last,libc
  server service7_rtsp service7:4902 check resolvers docker init-addr none,last,libc
  server service8_rtsp service8:4902 check resolvers docker init-addr none,last,libc
  server service9_rtsp service9:4902 check resolvers docker init-addr none,last,libc

The server service3_rtsp gets the state UP since the service FQDN gets resolved; the healthcheck occurs and then the server service3_rtsp gets the state DOWN.
After that, haproxy sends sessions to that server even though it is in state DOWN.

This is the output from the haproxy service logs:

haproxy_haproxy.2.4j9r7bctyl20@worker000001    | <145>Aug  5 11:17:24 haproxy[56]: Server backend_service_rtsp/service3_rtsp is DOWN, reason: Layer4 connection problem, info: "Connection refused at initial connection step of tcp-check", check duration: 1ms. 3 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
haproxy_haproxy.2.4j9r7bctyl20@worker000001    | <150>Aug  5 11:17:25 haproxy[56]: 10.0.0.7:60896 [05/Aug/2020:11:17:22.623] frontend_service_rtsp backend_service_rtsp/service3_rtsp 1/-1/3009 0 SC 296/149/148/0/3 0/0
haproxy_haproxy.1.3o76uo98mlnc@worker000002    | <150>Aug  5 11:17:25 haproxy[56]: 10.0.0.7:60906 [05/Aug/2020:11:17:22.871] frontend_service_rtsp backend_service_rtsp/service3_rtsp 1/-1/3011 0 SC 314/148/147/0/3 0/0
haproxy_haproxy.2.4j9r7bctyl20@worker000001    | <150>Aug  5 11:17:25 haproxy[56]: 10.0.0.7:60904 [05/Aug/2020:11:17:22.862] frontend_service_rtsp backend_service_rtsp/service3_rtsp 1/-1/3015 0 SC 297/151/150/0/3 0/0
haproxy_haproxy.2.4j9r7bctyl20@worker000001    | <150>Aug  5 11:17:25 haproxy[56]: 10.0.0.7:60908 [05/Aug/2020:11:17:22.901] frontend_service_rtsp backend_service_rtsp/service3_rtsp 1/-1/3014 0 SC 296/150/149/0/3 0/0
haproxy_haproxy.2.4j9r7bctyl20@worker000001    | <150>Aug  5 11:17:26 haproxy[56]: 10.0.0.7:60912 [05/Aug/2020:11:17:23.034] frontend_service_rtsp backend_service_rtsp/service3_rtsp 1/-1/3009 0 SC 296/149/148/0/3 0/0
haproxy_haproxy.1.3o76uo98mlnc@worker000002    | <150>Aug  5 11:17:26 haproxy[56]: 10.0.0.7:60914 [05/Aug/2020:11:17:23.085] frontend_service_rtsp backend_service_rtsp/service3_rtsp 1/-1/3009 0 SC 311/146/145/0/3 0/0
haproxy_haproxy.2.4j9r7bctyl20@worker000001    | <150>Aug  5 11:17:26 haproxy[56]: 10.0.0.7:60920 [05/Aug/2020:11:17:23.260] frontend_service_rtsp backend_service_rtsp/service3_rtsp 1/-1/3012 0 SC 294/148/147/0/3 0/0
haproxy_haproxy.1.3o76uo98mlnc@worker000002    | <150>Aug  5 11:17:26 haproxy[56]: 10.0.0.7:60922 [05/Aug/2020:11:17:23.322] frontend_service_rtsp backend_service_rtsp/service3_rtsp 1/-1/3013 0 SC 309/144/143/0/3 0/0
haproxy_haproxy.1.3o76uo98mlnc@worker000002    | <150>Aug  5 11:17:26 haproxy[56]: 10.0.0.7:60926 [05/Aug/2020:11:17:23.400] frontend_service_rtsp backend_service_rtsp/service3_rtsp 1/-1/3007 0 SC 308/142/141/0/3 0/0
haproxy_haproxy.2.4j9r7bctyl20@worker000001    | <150>Aug  5 11:17:26 haproxy[56]: 10.0.0.7:60928 [05/Aug/2020:11:17:23.419] frontend_service_rtsp backend_service_rtsp/service3_rtsp 1/-1/3007 0 SC 292/147/146/0/3 0/0
haproxy_haproxy.2.4j9r7bctyl20@worker000001    | <150>Aug  5 11:17:26 haproxy[56]: 10.0.0.7:60932 [05/Aug/2020:11:17:23.500] frontend_service_rtsp backend_service_rtsp/service3_rtsp 1/-1/3013 0 SC 292/147/146/0/3 0/0
haproxy_haproxy.1.3o76uo98mlnc@worker000002    | <150>Aug  5 11:17:26 haproxy[56]: 10.0.0.7:60934 [05/Aug/2020:11:17:23.541] frontend_service_rtsp backend_service_rtsp/service3_rtsp 1/-1/3007 0 SC 308/141/140/0/3 0/0
haproxy_haproxy.1.3o76uo98mlnc@worker000002    | <150>Aug  5 11:17:26 haproxy[56]: 10.0.0.7:60938 [05/Aug/2020:11:17:23.780] frontend_service_rtsp backend_service_rtsp/service3_rtsp 1/-1/3010 0 SC 305/139/138/0/3 0/0
haproxy_haproxy.2.4j9r7bctyl20@worker000001    | <150>Aug  5 11:17:26 haproxy[56]: 10.0.0.7:60940 [05/Aug/2020:11:17:23.879] frontend_service_rtsp backend_service_rtsp/service3_rtsp 1/-1/3009 0 SC 289/145/144/0/3 0/0
haproxy_haproxy.1.3o76uo98mlnc@worker000002    | <150>Aug  5 11:17:27 haproxy[56]: 10.0.0.7:60942 [05/Aug/2020:11:17:24.010] frontend_service_rtsp backend_service_rtsp/service3_rtsp 1/-1/3016 0 SC 306/139/138/0/3 0/0
haproxy_haproxy.2.4j9r7bctyl20@worker000001    | <150>Aug  5 11:17:27 haproxy[56]: 10.0.0.7:60948 [05/Aug/2020:11:17:24.210] frontend_service_rtsp backend_service_rtsp/service3_rtsp 1/-1/3014 0 SC 290/144/143/0/3 0/0
haproxy_haproxy.2.4j9r7bctyl20@worker000001    | <150>Aug  5 11:17:27 haproxy[56]: 10.0.0.5:58078 [05/Aug/2020:11:17:24.405] frontend_service_rtsp backend_service_rtsp/service3_rtsp 1/-1/3013 0 SC 290/142/141/0/3 0/0

Is this normal behaviour?

Thank you in advance!

1 post - 1 participant

Haproxy 2.1.4 too many SSL Handshake failures

Hi, we are using haproxy 2.1.4 as an SSL terminator between our own client and server machines (high-load machines, always busy), and the requests are a mix of HTTP/1.1 and HTTP/2.0. We are facing lots of SSL handshake failures on the frontend. I have enabled proxy logs using rsyslog and get the following errors:

Aug  5 18:55:35 localhost haproxy[40308]: 127.0.0.1:55442 [05/Aug/2020:18:55:35.364] frontend/1: SSL handshake failure
Aug  5 18:56:20 localhost haproxy[40308]: 204.xx.xx.xx:45474 [05/Aug/2020:18:56:16.761] frontend/1: Connection closed during SSL handshake
Aug  5 18:56:22 localhost haproxy[40308]: 204.xx.xx.xx:52088 [05/Aug/2020:18:56:19.403] frontend/1: Connection closed during SSL handshake
Aug  5 18:56:33 localhost haproxy[40308]: 127.0.0.1:42470 [05/Aug/2020:18:56:33.933] frontend/1: SSL handshake failure
Aug  5 18:56:33 localhost haproxy[40308]: 127.0.0.1:42472 [05/Aug/2020:18:56:33.944] frontend/1: SSL handshake failure

A few of the requests have source IP 127.0.0.1, but we are doing a plaintext connection between the proxy and the backend, as the proxy is the SSL terminator here. I could not get detailed logs out of haproxy. My configuration is as follows:

global
   log         127.0.0.1 local2
   chroot /var/lib/haproxy
   maxconn 200000
   user test
   group testsending
   daemon

tune.ssl.cachesize 200000
#tune.h2.max-concurrent-streams 10
ssl-dh-param-file /etc/haproxy/dhparam.pem

#Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private

#Obtained from https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy

ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11

defaults
    log     global
    maxconn 20000
    mode    http
    option httplog
    option dontlog-normal
    option logasap
    retries 3
    retry-on all-retryable-errors
    option log-separate-errors
    timeout connect     5s
    timeout client     60s
    timeout server    450s

frontend    frontend_haproxy
     option forwardfor
     capture request header MONITORID len 64
     capture response header MONITORID len 64
     log-format "%ci:%cp\ [%t]\ %f\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ Reqid:%hr\ Resid:%hs\ %{+Q}r\ %sslv\ %sslc"
     bind    *:8088  ssl crt /etc/haproxy/haproxy.pem alpn h2,http/1.1
     default_backend backend_eumagent

 backend     backend_eumagent
     timeout server  420000
     fullconn 2000
     server tomcat localhost:9099 check

and the output of haproxy -vv is:

 HA-Proxy version 2.1.4 2020/04/02 - https://haproxy.org/
 Status: stable branch - will stop receiving fixes around Q1 2021.
 Known bugs: http://www.haproxy.org/bugs/bugs-2.1.4.html
 Build options :
   TARGET  = linux-glibc
   CPU     = generic
   CC      = gcc
   CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wtype-limits
   OPTIONS = USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 USE_SYSTEMD=1
 
 Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER +PCRE -PCRE_JIT -PCRE2 -PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED -REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL -LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS
 
 Default settings :
   bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
 
 Built with multi-threading support (MAX_THREADS=64, default=6).
 Built with OpenSSL version : OpenSSL 1.1.1c  28 May 2019
 Running on OpenSSL version : OpenSSL 1.1.1c  28 May 2019
 OpenSSL library supports TLS extensions : yes
 OpenSSL library supports SNI : yes
 OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
 Built with network namespace support.
 Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
 Built with PCRE version : 8.32 2012-11-30
 Running on PCRE version : 8.32 2012-11-30
 PCRE library supports JIT : no (USE_PCRE_JIT not set)
 Encrypted password support via crypt(3): yes
 Built with zlib version : 1.2.7
 Running on zlib version : 1.2.7
 Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
 
 Available polling systems :
       epoll : pref=300,  test result OK
        poll : pref=200,  test result OK
      select : pref=150,  test result OK
 Total: 3 (3 usable), will use epoll.
 
 Available multiplexer protocols :
 (protocols marked as <default>      cannot be specified using 'proto' keyword)
               h2 : mode=HTTP       side=FE|BE     mux=H2
             fcgi : mode=HTTP       side=BE        mux=FCGI
        <default>      : mode=HTTP       side=FE|BE     mux=H1
        <default>      : mode=TCP        side=FE|BE     mux=PASS
 
 Available services : none
 
 Available filters :
 	[SPOE] spoe
 	[CACHE] cache
 	[FCGI] fcgi-app
 	[TRACE] trace
 	[COMP] compression

We send requests to haproxy from apache (HTTP/1.1) and jetty (HTTP/2) httpclients using Java 8, and our backend is an Apache Tomcat 9.0.30+ running on Java 11. All our machines are CentOS 7.x.

Kindly help me to debug this issue. Thanks in advance.

1 post - 1 participant

How to run HAProxy with non-Root User

Hi,
We are able to run the HAProxy process via a non-root user, but the problem is that if we need to restart it, we have to do it via the “root” user only, which is not what we want. We are trying to have complete control over haproxy start/stop/debug.

We are working with the config below:

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events.  This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #   file. A line like the following can be added to
    #   /etc/sysconfig/syslog
    #
    #    local2.*                       /var/log/haproxy.log
    #
    # log         127.0.0.1 local2
 
    log         127.0.0.1  local0
    chroot      /etc/haproxy/lib/haproxy
    pidfile     /etc/haproxy/haproxy.pid
    maxconn     4000
    user        atul
    group       centos
    daemon

    # turn on stats unix socket
    stats socket /etc/haproxy/lib/haproxy/stats

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    tcp
    log                     global
    option                  tcplog
    option                  dontlognull
    option http-server-close
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

#---------------------------------------------------------------------

listen haproxy-monitoring
   bind *:1936
   mode  http
   stats enable
   stats hide-version
   #http-request set-path /projects/%[var(req.rewrite_project)]%[path] if { var(req.rewrite_project) -m found }

   stats realm Haproxy\ Statistics
   stats uri /
   stats auth atuluser:atulhaproxy
   
#---------------------------------------------------------------------

##=====================================================
##=====================================================
frontend 7962
    mode tcp
    bind *:7962
    acl p_7962 dst_port 7962
    use_backend port_config_7962 if p_7962
    
backend port_config_7962
    mode tcp
    balance roundrobin
    server vm_app 10.241.223.80:7962

After this, when we run the command as user “atuluser”, we get the error below:

$ haproxy -f /etc/haproxy/haproxy.cfg
[ALERT] 217/121314 (2112) : [haproxy.main()] Cannot chroot(/etc/haproxy/lib/haproxy).

Though this folder does exist in the system.

3 posts - 2 participants
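An added example of a configuration that the unprivileged user can start, stop and reload on its own (not from the thread; the /home/atuluser/haproxy paths are assumed): chroot(2) needs root privileges (CAP_SYS_CHROOT), which is why "Cannot chroot" is the step that fails when atuluser runs the command, so the directive is dropped here along with user/group, which only matter when HAProxy starts as root and drops privileges afterwards. Ports above 1023 and files under the user's own directory need no privileges.

```haproxy
global
    log         127.0.0.1 local0
    # No chroot: an unprivileged user cannot call chroot(2). user/group are
    # omitted too; they are for a root-started process dropping privileges.
    daemon
    # Everything HAProxy writes must live under a directory the user owns
    # (paths assumed for this example)
    pidfile     /home/atuluser/haproxy/haproxy.pid
    maxconn     4000
    stats socket /home/atuluser/haproxy/stats mode 600

defaults
    mode    tcp
    log     global
    option  tcplog
    timeout connect 10s
    timeout client  1m
    timeout server  1m

frontend 7962
    # Ports above 1023 can be bound without privileges
    bind *:7962
    default_backend port_config_7962

backend port_config_7962
    balance roundrobin
    server vm_app 10.241.223.80:7962 check
```

Validate with haproxy -c -f <cfg> as that user, start with haproxy -f <cfg>, and reload with haproxy -f <cfg> -sf $(cat /home/atuluser/haproxy/haproxy.pid). The trade-off is that giving up chroot removes a containment layer; the usual alternative is to keep chroot and user/group, start HAProxy as root from the service manager so it drops privileges itself, and give the operators control of that service rather than of the root account.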

Condition with path_reg and map_reg with regexp

Currently, I have a bunch of rules in haproxy.cfg like this:

frontend frontend-https
bind 10.30.1.120:443
redirect prefix http://customerwebapp.com/redir.jsp?customer_domain_id=123 code 301 if { hdr(host) -m sub example.com }
default_backend backend-https

but I want to integrate a map file and take all the rules sets out with something like this:

frontend frontend-https
bind 10.30.1.120:443
redirect prefix %[req.hdr(host),lower,map_reg(/etc/haproxy/redirect.map)] code 301
default_backend backend-http

and the file would contain something like this
(\w..)?.customer.com(.) https://webapp.com/redir.jsp?customer_domain_id=123

I know it’s missing the conditional “if { hdr(host) -m sub example.com }”, but I’m not sure how to integrate them.

1 post - 1 participant
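A map-driven version, as an added example that is not from the post (the certificate path, the backend server and the second map entry are assumed): the lookup is guarded with -m found so that only hosts matching a regex in the map are redirected, and the regexes are anchored so that a host that merely contains customer.com does not match.

```haproxy
frontend frontend-https
    # Certificate path assumed; hdr(host) needs HTTP mode, so TLS ends here
    bind 10.30.1.120:443 ssl crt /etc/haproxy/certs/site.pem
    mode http
    # /etc/haproxy/redirect.map holds "<regex> <target>" lines such as:
    #   ^(\w+\.)?example\.com(:\d+)?$   https://webapp.com/redir.jsp?customer_domain_id=123
    #   ^(\w+\.)?customer\.com(:\d+)?$  https://webapp.com/redir.jsp?customer_domain_id=456
    # The anchors keep "customer.com.other.example" from matching, and
    # (:\d+)? allows a port in the Host header.
    # Redirect only when the lowercased Host matches an entry; everything
    # else falls through to the backend instead of a redirect to an empty
    # Location.
    http-request redirect location %[req.hdr(host),lower,map_reg(/etc/haproxy/redirect.map)] code 301 if { req.hdr(host),lower,map_reg(/etc/haproxy/redirect.map) -m found }
    default_backend backend-https

backend backend-https
    mode http
    server web1 10.30.1.10:8443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt check
```

The map is loaded at startup, so new customer rows can be added without editing haproxy.cfg; since the redirect target comes from the file rather than from the request, the rule does not become an open redirect.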

503 Service Unavailable - Rundeck

03:27:41 # service haproxy restart
Stopping haproxy: [ OK ]
Starting haproxy: [WARNING] 218/032810 (8549) : parsing [/etc/haproxy/haproxy.cfg:22] : 'log-format' : format variable 'r' is reserved for HTTP mode.
[WARNING] 218/032810 (8549) : parsing [/etc/haproxy/haproxy.cfg:22] : 'log-format' : format variable 'Tr' is reserved for HTTP mode.
[WARNING] 218/032810 (8549) : Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.
[ OK ]
root@cernrdeckhaproxy101.cernerasp.com:~ ( cernrdeckhaproxy101.cernerasp.com )
03:28:10 #
Message from syslogd@localhost at Aug 6 03:28:10 …
haproxy[8549]: backend rundeck has no server available!

Message from syslogd@localhost at Aug 6 03:28:12 …
haproxy[8550]: backend mysql has no server available!

When I load the page I get 503 Service Unavailable. Any help will be much appreciated.

4 posts - 2 participants


Hot-update client CA certificates via Runtime API

Is it possible, given the HAProxy 2.2 update, to add new CA certificates (for client cert validation), along with SSL server certificates, via the Runtime API?

For each new customer I’d like to add one line to the crt-list file, e.g.

customer1.pem [ca-file customer1CA.crt verify required] customer1.example.com
customer2.pem [ca-file customer2CA.crt verify required] customer2.example.com

2 posts - 2 participants

Exchange 2010 and setup through haproxy

Hi, I was wondering if someone can point me in the right direction for resolving an Exchange CAS server setup. When using OWA we receive the error “The custom error module does not recognize this error”. Has anyone come across this before? We have replaced an old TMG with pfSense with HAProxy integrated. Thanks

1 post - 1 participant

[HAProxy 2.2.2] Problem with L7 fetch method `base` & `url`

I am setting up a reverse proxy that handles requests for target.com.mirror.abc.xyz:8888 and acts as the man in the middle between a client and target.com:8888. It also respects the original scheme of the request, so that HAProxy serves https://target.com.mirror.abc.xyz:8888 with backend https://target.com:8888, and serves http://target.com.mirror.abc.xyz:8888 with backend http://target.com:8888.

To do so, I plan to detect and log the original scheme in a custom header like $tell-ngx-ori-scheme, so that I can implement such a reverse proxy with the NGINX configuration proxy_pass $tell-ngx-ori-scheme$real_host$request_uri;

The way I detect the original scheme is http-request set-var(txn.l7_fetch_proto) url,regsub(\"(^[^\/:]*:\/\/)\",\"\1\",i)
It should work, like this:

(If you are having problems loading this image, please refer to: https://regex101.com/r/dN3UYR/1)

However, when I test this configuration with curl, the logged custom var l7_fetch_proto shows as an empty string "".

As I dig deeper, it appears that only requests coming from curl cause the fetched url segment to be an empty string, while the logs of browser accesses all show a proper url and base record.

Would someone please tell me how this situation could happen? Here is the full configuration I wrote:

global
    daemon
    stats socket                    /var/run/haproxy.sock mode 0640 expose-fd listeners level admin
    stats timeout                   2m
    log stdout format rfc5424       local0 info

defaults
    mode                            http
    option                          http-use-htx
    log                             global

    timeout client                  30s
    timeout client-fin              5s
    timeout server                  30s
    timeout server-fin              5s
    timeout queue                   30s
    timeout connect                 5s
    timeout http-request            5s
    timeout http-keep-alive         2s
    timeout tunnel                  2m

resolvers mydns
    nameserver                      quad91 9.9.9.11:53
    nameserver                      quad92 149.112.112.11:53

frontend fe_main
    bind                            :80
    bind                            :443 ssl crt-list /etc/haproxy/crt-list.txt
    option                          logasap
    log-format                      "%{+Q}o %{-Q}ci - - [%trg] %r %ST %B \"\" \"\" %cp %ms %ft %b %s %TR %Tw %Tc %Tr %Ta %tsc %ac %fc %bc %sc %rc %sq %bq %CC %CS %hrl %hsl \"striped_dom:\" %[var(txn.striped_dom)] \"ip_striped_dom:\" %[var(txn.ip_striped_dom)] \"l7_fetch_base:\" %[var(txn.l7_fetch_base)] \"l7_fetch_url:\" %[var(txn.l7_fetch_url)] \"l7_fetch_proto:\" %[var(txn.l7_fetch_proto)]"

    http-request set-var(txn.striped_dom) req.hdr(Host),regsub(\"(^.+)\.mirror\.abc\.xyz(:\d+)?\",\"\1\2\",i)
    http-request do-resolve(txn.ip_striped_dom,mydns) var(txn.striped_dom)

    http-request set-var(txn.l7_fetch_proto) url,regsub(\"(^[^\/:]*:\/\/)\",\"\1\",i)
    http-request set-var(txn.l7_fetch_url) url
    http-request set-var(txn.l7_fetch_base) base

    # redirect scheme https code 301  if !{ ssl_fc }
    # http-response set-header        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

    default_backend                 rp-mirror-backend

backend rp-mirror-backend
    http-request deny               if { var(txn.ip_striped_dom) -m ip 10.0.0.0/8 127.0.0.0/8 100.64.0.0/10 172.16.0.0/12 192.0.0.0/24 192.168.0.0/16 198.18.0.0/15 ::1/128 fc00::/7 }
    http-request set-header         Host %[var(txn.striped_dom)]
    http-request set-header         tell-ngx-ori-scheme %[var(txn.l7_fetch_proto)]

    server nginx                    127.0.0.1:9999 send-proxy-v2-ssl-cn proxy-v2-options crc32c
    option                          forwardfor except 127.0.0.1

    ## http-request set-dst            var(txn.ip_striped_dom)
    ## http-request set-dst-port       int(80)
    ## server rp-mirror                0.0.0.0:0

3 posts - 1 participant

Read full topic
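
One way to hand NGINX the original scheme without parsing the request-target at all, as an added example (this is neither the poster's configuration nor anything from the HAProxy project): it keys on the ssl_fc sample fetch, which is true when HAProxy terminated TLS on the front connection. The value then no longer depends on whether the client sent an origin-form request-target ("/path", which is what curl sends for HTTP/1.1, so url carries no scheme) or a full URL, which is the difference behind the curl-versus-browser logs in the post. The frontend/backend names and the bind lines are taken from the post; the variable name txn.ori_scheme is my own choice.

```haproxy
frontend fe_main
    bind                            :80
    bind                            :443 ssl crt-list /etc/haproxy/crt-list.txt

    # Derive the client-facing scheme from the state of the front connection.
    # ssl_fc is true only when this HAProxy listener terminated TLS, so the
    # result is the same for HTTP/1.1 origin-form and for absolute-form
    # requests. (txn.ori_scheme is an assumed variable name.)
    http-request set-var(txn.ori_scheme) str(https) if { ssl_fc }
    http-request set-var(txn.ori_scheme) str(http)  if !{ ssl_fc }

    default_backend                 rp-mirror-backend

backend rp-mirror-backend
    # set-header removes any client-supplied header of the same name before
    # adding ours, so a client cannot smuggle its own scheme value to NGINX.
    http-request set-header         tell-ngx-ori-scheme %[var(txn.ori_scheme)]
    # The conventional header for the same information, for software that
    # already understands it.
    http-request set-header         X-Forwarded-Proto %[var(txn.ori_scheme)]

    server nginx                    127.0.0.1:9999 send-proxy-v2-ssl-cn proxy-v2-options crc32c
```

Run haproxy -c -f /etc/haproxy/haproxy.cfg before reloading, then compare one curl request over :80 and one over :443 in the access log; the header value should follow the listener, not the client.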

How to compile HAProxy


Hi
I have tried to compile HAProxy following what I found by googling around:
make TARGET=linux-glibc CPU=native USE_STATIC_PCRE=1 USE_OPENSSL=1.1.1 USE_ZLIB=1
sudo make install

sudo touch /etc/init.d/haproxy
sudo chmod +x /etc/init.d/haproxy
sudo nano /etc/init.d/haproxy

sudo mkdir /etc/haproxy
sudo nano /etc/haproxy/haproxy.cfg

At this stage I have not seen any errors.
Then I run
sudo service haproxy start
Failed to start haproxy.service: Unit haproxy.service not found.

Any suggestions on how to fix this? And also, is there an official guide to compile HAProxy?

HAProxy -vv output does not show any problems:
administrator@HAProxy:/$ haproxy -vv
HA-Proxy version 2.2.2 2020/07/31 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2025.
Known bugs: http://www.haproxy.org/bugs/bugs-2.2.2.html
Running on: Linux 5.8.0-050800-generic #202008022230 SMP Sun Aug 2 22:33:21 UTC 2020 x86_64
Build options :
TARGET = linux-glibc
CPU = native
CC = gcc
CFLAGS = -O2 -march=native -g -Wall -Wextra -Wdeclaration-after-statement -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-stringop-overflow -Wno-cast-function-type -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
OPTIONS = USE_STATIC_PCRE=1 USE_OPENSSL=1.1.1 USE_ZLIB=1

Feature list : +EPOLL -KQUEUE +NETFILTER -PCRE -PCRE_JIT -PCRE2 -PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +BACKTRACE +STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H +GETADDRINFO +OPENSSL -LUA +FUTEX +ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL -SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS

Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=4).
Built with OpenSSL version : OpenSSL 1.1.1f 31 Mar 2020
Running on OpenSSL version : OpenSSL 1.1.1f 31 Mar 2020
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with network namespace support.
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE version : 8.39 2016-06-14
Running on PCRE version : 8.39 2016-06-14
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Encrypted password support via crypt(3): yes
Built with gcc compiler version 9.3.0

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
fcgi : mode=HTTP side=BE mux=FCGI
<default> : mode=HTTP side=FE|BE mux=H1
h2 : mode=HTTP side=FE|BE mux=H2
<default> : mode=TCP side=FE|BE mux=PASS

Available services : none

Regards
Henning

3 posts - 2 participants

Read full topic
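
A native systemd unit for a source-built HAProxy, as an added example (not from the post; modelled on the haproxy.service template that ships in the HAProxy source tree, not copied from it). It assumes the binary landed at /usr/local/sbin/haproxy, which is where the Makefile's default PREFIX puts it, and that HAProxy was built with USE_SYSTEMD=1: the post's feature list shows -SYSTEMD, and without that flag the -Ws option and Type=notify used below are not available. The config and pid paths are assumptions.

```ini
[Unit]
Description=HAProxy Load Balancer
After=network-online.target
Wants=network-online.target

[Service]
Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid"
# Validate the configuration first, so a broken edit fails the start
# instead of taking a running proxy down on reload.
ExecStartPre=/usr/local/sbin/haproxy -f $CONFIG -c -q
# -Ws: master-worker mode that reports readiness to systemd
# (requires a build with USE_SYSTEMD=1).
ExecStart=/usr/local/sbin/haproxy -Ws -f $CONFIG -p $PIDFILE
ExecReload=/usr/local/sbin/haproxy -f $CONFIG -c -q
ExecReload=/bin/kill -USR2 $MAINPID
KillMode=mixed
Restart=always
SuccessExitStatus=143
Type=notify

[Install]
WantedBy=multi-user.target
```

Rebuild with USE_SYSTEMD=1 added to the make line from the post, run sudo make install, save the unit as /etc/systemd/system/haproxy.service, then sudo systemctl daemon-reload and sudo systemctl enable --now haproxy. The daemon-reload step also explains the "Unit haproxy.service not found" error: systemd only generates a unit from a new /etc/init.d script after a reload, and a native unit avoids that indirection. Pair it with user haproxy, group haproxy and chroot in the global section of haproxy.cfg so the workers drop root after binding.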

SHNN 3/1/0/0/0 errors


I am getting these:
synapse~ synapse/synapse1 0/0/0/-1/5 502 214 - - SHNN 3/1/0/0/0 0/0 "GET / HTTP/1.1"
https _recir_synapse/loopback-for-tls 5/0/1839 2339 SD 2/1/0/0/0 0/0

I saw some posts and tried to remove "mode http" and add tune.http.maxhdr, but it does not seem to help.

1 post - 1 participant

Read full topic
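
The termination-state field is the part of these lines worth reading first: SHNN and SD both start with S, which is HAProxy's marker for a server-side abort or connection error, and the H and D positions say the session was in the response-headers or data phase when it ended. The decoder below is an added example (not from the post and not an HAProxy tool) that parses the tail of httplog and tcplog lines, so it also copes with lines whose syslog prefix was cut off as in the post; the complete sample lines are constructed for contrast.

```python
"""Decode the termination-state field (e.g. SHNN, SD) of HAProxy log lines."""
import re
from collections import Counter

# First character: which side ended the session and why (HAProxy docs, 8.5).
FIRST_EVENT = {
    "C": "client-side TCP abort",
    "S": "server-side TCP abort or connection error",
    "P": "aborted by the proxy (deny rule, invalid response, ...)",
    "L": "handled locally by the proxy (stats, redirect, ...)",
    "R": "proxy resource exhaustion",
    "I": "internal proxy error",
    "D": "session killed because the server was marked DOWN",
    "U": "session killed because a backup server came UP",
    "K": "session killed on admin request",
    "c": "client-side timeout",
    "s": "server-side timeout",
    "-": "normal completion",
}
# Second character: what the session was doing when it was closed.
SESSION_STATE = {
    "R": "waiting for the client REQUEST",
    "Q": "waiting in the backend QUEUE",
    "C": "waiting for the CONNECTION to the server",
    "H": "processing the response HEADERS from the server",
    "D": "transferring DATA",
    "L": "transmitting LAST data to the client",
    "T": "in tarpit",
    "-": "normal",
}

# httplog tail: fe be/srv TR/Tw/Tc/Tr/Ta status bytes req_cookie resp_cookie
# tsc actconn/feconn/beconn/srvconn/retries srvq/bkq "request"
HTTP_RE = re.compile(
    r'(?P<fe>\S+) (?P<be>\S+)/(?P<srv>\S+) '
    r'(?P<timers>-?\d+/-?\d+/-?\d+/-?\d+/-?\d+) (?P<status>-?\d+) '
    r'(?P<bytes>\d+) \S+ \S+ (?P<tsc>[A-Za-z-]{4}) '
    r'\d+/\d+/\d+/\d+/\d+ \d+/\d+ "(?P<request>[^"]*)"'
)
# tcplog tail: fe be/srv Tw/Tc/Tt bytes tsc conns queues
TCP_RE = re.compile(
    r'(?P<fe>\S+) (?P<be>\S+)/(?P<srv>\S+) '
    r'(?P<timers>-?\d+/-?\d+/-?\d+) (?P<bytes>\d+) '
    r'(?P<tsc>[A-Za-z-]{2}) \d+/\d+/\d+/\d+/\d+ \d+/\d+'
)

# Constructed sample: the two lines quoted in the post (no syslog prefix)
# plus three complete lines made up for contrast.
SAMPLE_LINES = [
    'synapse~ synapse/synapse1 0/0/0/-1/5 502 214 - - SHNN 3/1/0/0/0 0/0 "GET / HTTP/1.1"',
    'https _recir_synapse/loopback-for-tls 5/0/1839 2339 SD 2/1/0/0/0 0/0',
    'Aug  5 10:00:01 lb haproxy[4242]: 203.0.113.5:52100 [05/Aug/2020:10:00:01.004] '
    'synapse~ synapse/synapse1 2/0/1/12/15 200 5120 - - ---- 3/1/0/0/0 0/0 '
    '"GET /_matrix/client/versions HTTP/1.1"',
    'Aug  5 10:00:02 lb haproxy[4242]: 203.0.113.7:52188 [05/Aug/2020:10:00:02.310] '
    'synapse~ synapse/synapse1 1/0/0/-1/30001 504 194 - - sHNN 3/1/0/0/0 0/0 '
    '"POST /_matrix/client/r0/login HTTP/1.1"',
    'Aug  5 10:00:03 lb haproxy[4242]: 198.51.100.9:41002 [05/Aug/2020:10:00:03.000] '
    'synapse~ synapse/<NOSRV> 0/-1/-1/-1/0 403 187 - - PR-- 3/1/0/0/0 0/0 '
    '"GET /.env HTTP/1.1"',
]


def parse_line(line):
    """Parse one log line; returns a dict of fields, or None if it fits neither format."""
    for mode, rx in (("http", HTTP_RE), ("tcp", TCP_RE)):
        m = rx.search(line)
        if m:
            rec = m.groupdict()
            rec["mode"] = mode
            rec["timers"] = [int(t) for t in rec["timers"].split("/")]
            rec["bytes"] = int(rec["bytes"])
            rec["status"] = int(rec["status"]) if rec.get("status") is not None else None
            return rec
    return None


def describe(tsc):
    """Human-readable meaning of the first two termination-state characters."""
    return (FIRST_EVENT.get(tsc[0], "unknown"),
            SESSION_STATE.get(tsc[1], "unknown"))


def server_side_failures(lines):
    """Records ended by the server side: first character S (abort/error) or s (timeout).

    These point at the backend rather than at HAProxy's own limits such as
    tune.http.maxhdr, which only matter when the proxy itself rejects a
    message (first character P).
    """
    return [rec for rec in map(parse_line, lines) if rec and rec["tsc"][0] in "Ss"]


def summarize(lines):
    """Count the first two termination-state characters per backend/server."""
    counts = Counter()
    for rec in map(parse_line, lines):
        if rec:
            counts[(rec["be"], rec["srv"], rec["tsc"][:2])] += 1
    return counts


if __name__ == "__main__":
    for rec in server_side_failures(SAMPLE_LINES):
        what, when = describe(rec["tsc"])
        print(f"{rec['be']}/{rec['srv']} {rec['tsc']}: {what}, while {when}")
    print(summarize(SAMPLE_LINES))
```

For the post's first line the decoder reports a server-side abort while HAProxy was waiting for response headers, with Tr = -1 confirming that no complete header block ever arrived; the 502 is HAProxy's translation of that. Feed a few minutes of real log through summarize() and the (backend, server, flags) counts show whether synapse1 and loopback-for-tls are failing consistently or only under load.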
