@sudharsan23 wrote:

Hi,

Can someone tell me how to configure TCP keepalive timeout in HAProxy.

The request from HAProxy to my server hangs. So I need to timeout the TCP session. I have configured below parameters in my HAProxy. But it fails to timeout within 30s or 1 miniute. It takes very long to get timeout.

So please let me know how to configure TCP keepalivce
timeout in HAProxy.
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout tunnel 30s
timeout client 30s
timeout server 10s

Thanks.
Sudharsan.

Posts: 2

Participants: 2

Read full topic

@shpa wrote:

Hey all,

Seeing a weird issue with HAProxy in TCP Mode.

I have the following configuration:

global
  description haproxy-1
  log 127.0.0.1 local0 info
  maxconn 2000
  uid 200
  gid 200
  chroot /var/empty
  daemon

defaults
  mode tcp
  log global
  option tcplog
  option logasap
  option log-health-checks
  option redispatch
  option tcpka
  retries 3
  timeout connect 5s
  timeout client 50000
  timeout server 50000

listen TM_IN
  bind :7101
  timeout client 3h
  timeout server 3h
  option tcp-check
  balance roundrobin
  server prime_tm server1:7101 check inter 1000
  server backup_tm server2:7101 check inter 1000 backup

listen TC_OUT
  bind :7201
  timeout client 3h
  timeout server 3h
  option tcp-check
  balance roundrobin
  server prime_tc server1:7201 check inter 1000
  server backup_tc server2:7201 check inter 1000 backup

listen stats
  bind :80
  mode http
  option httplog
  option contstats
  stats enable
  stats realm Haproxy\ Statistics
  stats hide-version
  stats uri /stats
  stats auth user:pass

With both servers up and listening:
On the status page the TC_OUT prime is getting marked as 'L4CON in 0ms' with 'Connection Refused' yet data is still flowing to that server. The TC_OUT backup is marked as 'OK'

When I turn off TC_OUT prime listening on 7201 it switches the traffic to backup but the log shows that the health checks now start failing on the backup.

I am wondering why that is happening on only the TC_OUT proxy and not TM_IN. They are logically the same yet TM_IN's prime and backup are both shown as 'OK' and 'UP' when both servers are up and correctly marked as down if either goes down.

Thanks!

Posts: 3

Participants: 2

Read full topic

@Multihomed wrote:

The following acl doesn't work for me:

acl no_waf nbsrv(to_waf) lt 1
use_backend back-www if no_waf
default_backend to_waf

I keep getting error 503 (No server is available to handle this request.) instead of being sent to the backend back-www.

backend to_waf looks like this:

backend to_waf
option forwardfor header X-Forwarded-For
option httpchk HEAD / HTTP/1.0
http-check expect status 404
timeout server 25s
server 10.30.10.2:9000 10.30.10.2:9000 check

Any ideas?

Posts: 3

Participants: 2

Read full topic

@lw3234 wrote:

Hi there,

I recently setup haproxy (Version 1.7 on pfsense) in order to do some tcp routing and therefore to share port 443 with different services.

The services to be used are: Https, OpenVPN, XMPP. The config itself works fine for each of the 3 services. However I was not able to find a way to destinguish successfully between OpenVPN and XMPP.

My current config looks like this:

frontend ssl
    mode tcp
    bind 0.0.0.0:443 name frontend-ssl
    option tcplog
    tcp-request inspect-delay 5s
    tcp-request content accept  if  { req.ssl_hello_type 1 }
    use_backend main-ssl        if  { req.ssl_hello_type 1 }
    use_backend openvpn         if  !{ req.ssl_hello_type 1 } !{ req.len 0 }
    use_backend xmpp            if  { payload(0,5) 3c3f786d6c } !{ req.ssl_hello_type 1 } !{ req.len 0 }
backend main-ssl
    mode tcp
    server main-ssl 127.0.0.1:8443 send-proxy
backend openvpn
    mode tcp
    server openvpn-localhost 127.0.0.1:1194
backend xmpp
    mode tcp
    server xmpp-localhost 127.0.0.1:5222

As you can see payload(0,5) 3c3f786d6c is used to identify the xml payload of an xmpp message. This works for some XMPP clients like pidgin. However, other clients like Xabber cannot connect, their requests seem to be not recognized correctly.

So, question is: How can I destinguish between OpenVPN and XMPP ? Is there a way to identify the payload of OpenVPN ?

Thank you for your help in advance.
Regards,

Posts: 3

Participants: 2

Read full topic

@witoldg wrote:

We are using IP stats socket to manage the haproxy using scripts. Is there any way to limit the access using username and password?

Posts: 1

Participants: 1

Read full topic

@aidofitz wrote:

Hi, please see the screen-grab from the HAProxy monitoring, and note the Sessions Max column in particular. I'm trying to understand how the overall sessions max for the backend can be over 2,000, when the max values for each of 3 active servers in this backend are less than 20? I would have thought that max for the backend overall could never exceed the sum of the individual max values? We have about 10 different HAProxy instances in Production with up to hundreds of backends in each, and my understanding seems to hold true for all except this one! Can anyone help me explain this scenario? Thanks!

Adrian

blob.jpg977x154 97.8 KB

Posts: 2

Participants: 1

Read full topic

@Emalacar wrote:

Hello,

I've set up a test environment with Exchange 2013 and Haproxy loadbalancing services at layer 7. I believe I have the exchange urls setup correctly and my Outlook and ActiveSync clients connect ok. My problem is with loadbalancing SMTP connections to the server..

I am unable to connect over port 25 with putty to the exchange servers. The port is open in firewalld, iptables is off, checking what's listening the haproxy service is listening on port 25. However, when I connect with putty the connection just times out. Likewise, if I try to send an email over smtp I receive the following error...

said: 250 2.1.5 Recipient OK - then a bounce back is sent.

I don't believe that the issue is with exchange as I can connect with putty directly to the CAS servers and send emails that way. Below is my Haproxy configuration, any insight or corrections would be greatly appreciated!

global
log 127.0.0.1 local0 info
maxconn 10000
daemon quiet
tune.ssl.default-dh-param 2048

defaults
log global
mode http
option httplog
option dontlognull
timeout connect 60000ms
timeout client 30000ms
timeout server 60000ms
timeout check 60000ms
stats enable
stats hide-version
stats show-node
stats auth admin:PASSWORD
stats uri /stats

frontend unsecured 192.168.1.1:80
redirect location https://mail.domain.com/owa

frontend fe_ex2013_smtp
mode tcp
bind *:25 name smtp
log global
option tcplog
option dontlognull
option contstats
timeout client 300s
default_backend bk_exchange_2013_smtp

frontend fe_ex2013
mode http
bind *:443 ssl crt /etc/ssl/certs/exchange_certificate
acl autodiscover url_beg /Autodiscover
acl mapi url_beg /mapi
acl rpc url_beg /rpc
acl owa url_beg /owa
acl eas url_beg /microsoft-server-activesync
acl ecp url_beg /ecp
acl ews url_beg /ews
acl oab url_beg /oab
use_backend be_ex2013_autodiscover if autodiscover
use_backend be_ex2013_mapi if mapi
use_backend be_ex2013_rpc if rpc
use_backend be_ex2013_owa if owa
use_backend be_ex2013_eas if eas
use_backend be_ex2013_ecp if ecp
use_backend be_ex2013_ews if ews
use_backend be_ex2013_oab if oab
default_backend be_ex2013

backend be_ex2013_autodiscover
mode http
balance leastconn
option httpchk GET /autodiscover/healthcheck.htm
option log-health-checks
http-check expect status 200
server Server1 10.1.1.1:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server Server2 10.1.1.2:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt

backend be_ex2013_mapi
mode http
balance leastconn
option httpchk GET /mapi/healthcheck.htm
option log-health-checks
http-check expect status 200
server Server1 10.1.1.1:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server Server2 10.1.1.2:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt

backend be_ex2013_rpc
mode http
balance leastconn
option httpchk GET /rpc/healthcheck.htm
option log-health-checks
http-check expect status 200
server Server1 10.1.1.1:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server Server2 10.1.1.2:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt

backend be_ex2013_owa
mode http
balance leastconn
option httpchk GET /owa/healthcheck.htm
option log-health-checks
http-check expect status 200
server Server1 10.1.1.1:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server Server2 10.1.1.2:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt

backend be_ex2013_eas
mode http
balance leastconn
option httpchk GET /microsoft-server-activesync/healthcheck.htm
option log-health-checks
http-check expect status 200
server Server1 10.1.1.1:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server Server2 10.1.1.2:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt

backend be_ex2013_ecp
mode http
balance leastconn
option httpchk GET /ecp/healthcheck.htm
option log-health-checks
http-check expect status 200
server Server1 10.1.1.1:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server Server2 10.1.1.2:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt

backend be_ex2013_ews
mode http
balance leastconn
option httpchk GET /ews/healthcheck.htm
option log-health-checks
http-check expect status 200
server Server1 10.1.1.1:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server Server2 10.1.1.2:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt

backend be_ex2013_oab
mode http
balance leastconn
option httpchk GET /oab/healthcheck.htm
option log-health-checks
http-check expect status 200
server Server1 10.1.1.1:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server Server2 10.1.1.2:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt

backend be_ex2013
mode http
balance leastconn
server Server1 10.1.1.1:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server Server2 10.1.1.2:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt

backend bk_exchange_2013_smtp
mode tcp
balance leastconn
option tcplog
log global
option redispatch
retries 3
source 0.0.0.0 usesrc clientip
option smtpchk HELO mail.domain.com
server Server1 10.1.1.1:25 send-proxy check
server Server2 10.1.1.2:25 send-proxy check

Posts: 1

Participants: 1

Read full topic

@damo_pulsant wrote:

Hi am looking for help on build an ACL for a frontend
I have been looking through google for about a hour for examples to help me understand how to build ACL's for rejecting requests.

my requirements are that clients present and SNI and http 1.1 and host header else reject the request by the front end. as I need SNI for issuing the correct cert and http 1.1 host header for the backend servers.

is there a page where I can get a noobs guide ?

Posts: 1

Participants: 1

Read full topic

@RadForce wrote:

How to make Haproxy transmit IP customers who send mail via SMTP server CAS?

Config smtp (lab)

frontend fe_ex2013_smtp
mode tcp
bind 10.1.100.60:25
default_backend be_ex2013_smtp

backend be_ex2013_smtp
mode tcp
no option http-server-close
balance roundrobin
option log-health-checks
option smtpchk EHLO haproxy.check
server CAS-01 10.1.100.105:25 send-proxy check
server CAS-02 10.1.100.106:25 send-proxy check

backend be_ex2013
mode http
balance roundrobin
server CAS-01 10.1.100.105:443 check ssl inter 15s verify required ca-file /etc/ssl/contoso.crt
server CAS-02 10.1.100.106:443 check ssl inter 15s verify required ca-file /etc/ssl/contoso.crt

Posts: 1

Participants: 1

Read full topic

@mhouts wrote:

I am running HAProxy version 1.5.2.
Using the stats GUI when I try to put a server in to MAINT mode it immediately reverts to being in service.
Message in the haproxy log looks like this:

Jan 23 10:01:07 Server blahblah is going DOWN for maintenance. 8 active and 1 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Jan 23 10:01:07 Server blahblah is UP/READY (leaving forced maintenance).

Same procedure on HAProxy 1.6.2 works as expected. haproxy.conf looks the same on both versions so I suspect perhaps a problem with the version but I can't find any specific notice about this. Anyone else run into this?

Posts: 2

Participants: 2

Read full topic

@STRML wrote:

We have noticed our idle websocket connections closing too early in 1.7.2.

In 1.6.11, this works fine. We use a configuration very similar to the second "advanced" configuration in http://blog.haproxy.com/2012/11/07/websockets-load-balancing-with-haproxy/.

Idle WebSocket connections are always terminated after the shorter of "timeout client" or "timeout server". If a shorter "timeout server" or "timeout client" is set in the websocket backend, it is respected, but a longer one is not. Explicitly setting "timeout tunnel" or "option http-tunnel" in the websocket backend has no effect.

The same configuration in 1.6.11 has no such issue.

Posts: 2

Participants: 2

Read full topic

@icortes wrote:

Good morning,

Hi, my name is Igor and I have a problem with the logs of HaProxy. I am using HaProxy to balance the SSH connections between some servers and I need to log only the successful connections.

I am trying using the option dontlognull in the frontend section, but it logs me everything, successful and unsuccessful connections.

Is there any possibility of loging only the successful connections? Or at least, know which ones are successful and which ones not.

I also use the option logasap to log the connections before close them, and sometimes log the connection before close it and sometimes not. But well, this is not so important because at the end it log the connection.

A greeting and thank you so much,
Igor.

Posts: 2

Participants: 2

Read full topic

@Jabba wrote:

Hi everybody,

We have 1 HAproxy in front of 3 apache2 servers in different datacenters.
I deployed a new angular 1.6.x project on all apache2 server.

But when i open the app, it redirect me on https://project.name/login on "Not Found The requested URL /login was not found on this server."

if i try to use the /login.html it's works!!

i tried to install the same angular project on a simple apache2 server without haproxy and it's works.

The problem is HAproxy configuration

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon

defaults
log global
option forwardfor
option http-server-close
option httplog
option dontlognull
timeout connect 9000

frontend www-http
bind *:80
mode http
reqadd X-Forwarded-Proto:\ http
default_backend www-backend-http

backend www-backend-http
mode http
cookie SERVERID insert indirect nocache
server s1 77.xxx.xxx.xxx:80 check cookie s1 maxconn 500
server s2 77.xxx.xxx.xxx:80 check cookie s2 maxconn 500
server s3 77.xxx.xxx.xxx:80 check cookie s3 maxconn 500

frontend https-in
bind *:443
option tcplog
default_backend ssl-nodes

backend ssl-nodes
mode tcp
balance roundrobin
stick-table type ip size 10M expire 30m
stick on src
option ssl-hello-chk
server web01 77.xxx.xxx.xxx:443 check
server web02 77.xxx.xxx.xxx:443 check
server web03 77.xxx.xxx.xxx:443 check

Any idea how to solve this issue ?

Posts: 2

Participants: 2

Read full topic

@sjiveson wrote:

Hey all,

I seem to be seeing unexpected behaviour using dynamic DNS resolution - any help or advice you can offer would be much appreciated.

I keep seeing messages like this in the log:

Server backend_name/server_name is going DOWN for maintenance (DNS timeout status). 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.

Running a tcpdump on the DNS queries haproxy generates, I typically see successful DNS responses less than 3 seconds before seeing this error. Often I will see this message 3s before the one above (even with a hold valid value of 30s), I also see it when the server is apparently marked as DOWN:

backend_name/server_name changed its IP from 10.xx.xx.xx to 10.xx.xx.xx by name-dns/name-dns-01

I also often see this message even if the server hasn't been reported as down:

Server backend_name/server_name administratively READY thanks to valid DNS answer.

DNS responses typically arrive in under 30ms.

The show stat resolvers command does not show that any timeouts occurred:

  sent: 10797
  valid: 1034
  update: 493
  cname: 0
  cname_error: 0
  any_err: 869
  nx: 0
  timeout: 0
  refused: 0
  other: 0
  invalid: 0
  too_big: 0
  truncated: 0
  outdated: 260

Posts: 3

Participants: 2

Read full topic

@vineeth wrote:

We have an haproxy setup with cookie url_param cookie based backend stickiness. The main issue we are seeing is that our clients are passing the srv param as part of a JSON payload. clients are sending their srv param in the JSON payload and this is causing their request to fail due to requests are passing to different backends. Any help would be greatly appreciated. The backend setup can be find below.

HA-Proxy version 1.5.4

                    balance url_param srv
                    option  httpclose
                    option  redispatch
                    option  forwardfor
                    reqadd  X-Forwarded-Proto:\ https
                    cookie  pxy50 insert indirect nocache secure domain .example.com maxidle 10m
                    server example1 x.x.x.x:8443 check ssl verify none cookie pxy50srv001A
		server example1_8444 x.x.x.x:8444 check ssl verify none cookie pxy50srv001B
                    server example2 x.x.x.x:8443 check ssl verify none cookie pxy50srv002A
                    serverexample2_8444 x.x.x.x:8444 check ssl verify none cookie pxy50srv002B
                    server example4 x.x.x.x:8443 check ssl verify none cookie pxy50srv004A
                    server example4_8444 x.x.x.x:8444 check ssl verify none cookie pxy50srv004B

Posts: 1

Participants: 1

Read full topic

@sharlee33 wrote:

Hello,

I would like to check client certificat CN using a map file.
This map file contains for each targeted hostname, the authorized CN list.

Test steps :
a) 1st step, find the list of CN for the requested host, in the map file
b) 2nd step, check the client CN in the list retrieved at a)

An example of authorized CN lists map file :
$ cat /tmp/listCERT.checkcert
#host CNs List (separated by /)
server1.xxx.com client0.zzz/client1.zzz/
server2.xxx.com client0.zzz/client2.zzz/

An extract of haproxy configuration file :

acl validcert hdr(host),map_str(/tmp/listCERT.checkcert,nocerts) -m %[sub ssl_c_s_dn(cn)]
http-request deny if !validcert

But this acl configuration does not work

Do you have any idea ?

thanks in advance

regards,
Sharlee33.

Posts: 1

Participants: 1

Read full topic

@Jean_Luc wrote:

Hello Everyone,

I am wondering if it's possible to differentiate backend_use based on existence or absence of cookie in a sticky table.

Stickiness is implicit, from what I understand.
Can it be explicit ? Is there a fetch against sticky table, that can be used in ACL ?

What I'd like to do is allow access to other_backend server, based on cookie set by auth_backend server.

Basically stuff like this:

#########
acl authorized hdr.cookie(appcookie) if my_cookies <--- this is my imagined code

use_backend redir if other_backend !authorized
use_backend other_backend if other_backend authorized
use_backend auth_backend if auth_backend


backend redir
      redirect location https://auth_backend/login

backend auth_backend
      stick-table type string size 1m expire 1d store gpc0
      stick store-response res.cook(appcookie) table my_cookies
      server auth xxx.xxx.xxx.xxxx:80 check

backend other_backend
    server other xxx.xxx.xxx.xxxx:80 check
#########

Or maybe some other approach ? I'd be very gratefull for acknowledging that's doable or not and for some suggestion.

Thank you,
Pawel

Posts: 1

Participants: 1

Read full topic

@gedogarne wrote:

Hi all, my Exchange 2013 owa and activeSync is working quiet well but -> auto discover feature is not redirected correctly.
Ends up with not passing the autodiscover.xml to clients. Help needed

Posts: 1

Participants: 1

Read full topic

@sumeet559 wrote:

running haproxy in debug mode and following is the log

00000001:https.accept(0005)=0006 from [203.153.53.130:57862]
00000001:https.clireq[0006:ffffffff]: PRI * HTTP/2.0
00000001:nodes-http2.srvcls[0006:0007]
00000001:nodes-http2.clicls[0006:0007]
00000001:nodes-http2.closed[0006:0007]

browser saying
ERR_SPDY_PROTOCOL_ERROR

below is my cfg:
frontend https
bind *:443 ssl crt /usr/local/ssl/tlkn_haproxy_bundle.pem alpn h2,http/1.1

acl host_apiv2             hdr(host) -i dapiv2.psqltom.com
reqadd X-Forwarded-Proto:\ https

use_backend nodes-http2 if { ssl_fc_alpn -i h2 }

backend nodes-http2
balance roundrobin
server apiv2-7101 127.0.0.1:7101 check send-proxy
server apiv2-7002 127.0.0.1:7102 check send-proxy
server apiv2-7003 127.0.0.1:7103 check send-proxy
server apiv2-7004 127.0.0.1:7104 check send-proxy

Posts: 2

Participants: 1

Read full topic

@mavnezz wrote:

Hello,

i got a strange problem, but maybe i'm misunderstanding the hole situation.
as you can see in my config, there're 9 rdp backend servers, but in real there are only 5 off them switched on. the last 4 will be installed in future.

in haproxy the status for these rdp servers is "L7OK/0 in 0ms" ´; up and running, displayed in the attachment pic.
any idea whats wrong with my config?

best regards

Julian

frontend ft_rdp
mode tcp
bind 10.1.0.4:3389 name rdp
timeout client 1h
log global
option tcplog
tcp-request inspect-delay 2s
tcp-request content accept if RDP_COOKIE
#tcp-request content reject if { req_ssl_hello_type 1 }
default_backend bk_rdp

backend bk_rdp
mode tcp
balance leastconn
persist rdp-cookie
timeout server 1h
timeout connect 20s
log global
option tcplog
option tcp-check
tcp-check connect port 3389
server SRV-TS01 10.1.0.51:3389 weight 100 check agent-check agent-port 3333 inter 2000 rise 2 fall 3 minconn 0 maxconn 0 on-marked-down shutdown-sessions
server SRV-TS02 10.1.0.52:3389 weight 100 check agent-check agent-port 3333 inter 2000 rise 2 fall 3 minconn 0 maxconn 0 on-marked-down shutdown-sessions
server SRV-TS03 10.1.0.53:3389 weight 100 check agent-check agent-port 3333 inter 2000 rise 2 fall 3 minconn 0 maxconn 0 on-marked-down shutdown-sessions
server SRV-TS04 10.1.0.54:3389 weight 100 check agent-check agent-port 3333 inter 2000 rise 2 fall 3 minconn 0 maxconn 0 on-marked-down shutdown-sessions
server SRV-TS05 10.1.0.55:3389 weight 100 check agent-check agent-port 3333 inter 2000 rise 2 fall 3 minconn 0 maxconn 0 on-marked-down shutdown-sessions
server SRV-TS06 10.1.0.56:3389 weight 100 check agent-check agent-port 3333 inter 2000 rise 2 fall 3 minconn 0 maxconn 0 on-marked-down shutdown-sessions
server SRV-TS07 10.1.0.57:3389 weight 100 check agent-check agent-port 3333 inter 2000 rise 2 fall 3 minconn 0 maxconn 0 on-marked-down shutdown-sessions
server SRV-TS08 10.1.0.58:3389 weight 100 check agent-check agent-port 3333 inter 2000 rise 2 fall 3 minconn 0 maxconn 0 on-marked-down shutdown-sessions
server SRV-TS09 10.1.0.59:3389 weight 100 check agent-check agent-port 3333 inter 2000 rise 2 fall 3 minconn 0 maxconn 0 on-marked-down shutdown-sessions
option redispatch

haproxy.PNG1914x471 47.3 KB

Posts: 4

Participants: 3

Read full topic