Channel: HAProxy community - Latest topics

Haproxy-2.2 grpc config problem


I used the old configuration (version 1.9.7) with no problem.
With the old config, I see in haproxy_stats that LastChk (L4) is good.
But when I updated to 2.2, I found gRPC config problems.
With the same configuration, when I upgrade to 2.2, the configuration fails: http-grpc cannot be accessed.
With the 2.2 config, I see in haproxy_stats that LastChk (L7) is bad.
I do not know what the problem is or how to fix it.

install haproxy 1.9.7
make TARGET=linux2628 USE_ZLIB=yes PREFIX=/usr/local/haproxy
make install PREFIX=/usr/local/haproxy
------------config------------------------
frontend grpc
    mode http
    option forwardfor
    option http-use-htx
    bind :80 proto h2
    acl k8-grpc hdr_beg(host) -i test0-gogrpc.com
    use_backend k8-cc if k8-grpc
    default_backend xxx
backend k8-cc
    mode http
    option http-use-htx
    option  forwardfor
    balance roundrobin
    server cc1 10.99.1.11:80 proto h2 check
    server cc2 10.99.1.14:80 proto h2 check

1 post - 1 participant



Binding port 443 to both HTTP and TCP


We’ve recently set up HAProxy as one of our application suppliers required it. They supplied a basic configuration which has been working fine. However, we now have another supplier who needs us to accept traffic on port 443 and forward it to a server on port 6002. So that we wouldn’t have to port forward things we don’t want to, or move servers between networks, I was asked if I could add this into the existing HAProxy setup.

I initially configured another acl which would only trigger if it came from one of the IP ranges that the supplier had specified, but although we could see traffic coming in and being forwarded, they said that the packets coming in made no sense to their application. I then found out that the application is expecting a TCP connection, so I’ve tried adjusting the configuration to separate into 2 different frontends.

The traffic is still not getting through as expected, so I don’t know what else to try at the moment with my limited knowledge of HAProxy. I’ve searched around and it could be an issue where I have port 443 on both an http and tcp frontend?

Below is my current config. I’ve adjusted it to remove sensitive info. I’d appreciate any help that can be given on this issue.

global
log 127.0.0.1:514 local0 info
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 40000
user haproxy
group haproxy
daemon

tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

# turn on stats unix socket
stats socket /var/lib/haproxy/stats

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------

defaults
log global
option dontlognull
option redispatch
retries 7
timeout http-request 50s
timeout queue 2m
timeout connect 50s
timeout client 2m
timeout server 2m
timeout http-keep-alive 50s
timeout check 50s

# statistics admin level depends on the authenticated user

userlist stats-auth
group admin users admin
user admin password password
group readonly users haproxy
user haproxy password password

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------

frontend main
bind *:80
mode http
option forwardfor except 127.0.0.0/8
option httplog
stats enable
option http-no-delay

default_backend vendor1
acl h_1 path_beg /h/1/
acl server01_down nbsrv(server01) eq 0
use_backend server01 if h_1 !server01_down

frontend main_https
bind *:443 ssl crt /etc/haproxy/certs/our_cert.pem
mode http
option forwardfor except 127.0.0.0/8
option httplog
stats enable
acl AUTH http_auth(stats-auth)
acl AUTH_ADMIN http_auth_group(stats-auth) admin
stats http-request auth unless AUTH
stats admin if AUTH_ADMIN
stats uri /haproxy?stats
default_backend vendor1_ssl
acl h_1 path_beg /h/1/
acl server01_down nbsrv(server01_ssl) eq 0
use_backend server01_ssl if h_1 !server01_down

frontend vendor2_tcp
bind *:443
mode tcp
option tcplog
# Vendor2 access
acl vendor2_prod src -f /etc/haproxy/ipranges/vendor2_prod.subnets
acl vendor2_dev src -f /etc/haproxy/ipranges/vendor2_dev.subnets
use_backend vendor2_tcp if vendor2_prod || vendor2_dev

backend vendor1
mode http
balance leastconn
option httpchk GET /vendor1web/server/about
option http-no-delay
cookie h insert
server server01 server01:8080 cookie 1 check weight 100 minconn 3000 maxconn 5000

backend vendor1_ssl
mode http
balance leastconn
option httpchk GET /vendor1web/server/about
cookie h insert
server server01 server01:8443 cookie 1 ssl verify none check weight 100 minconn 3000 maxconn 5000

backend server01
mode http
reqrep ^([^\ :]*)\ /h/[^/]+/(.*) \1\ /\2
cookie h insert
server server01 server01:8080 cookie 1 check

backend server01_ssl
mode http
reqrep ^([^\ :]*)\ /h/[^/]+/(.*) \1\ /\2
cookie h insert
server server01 server01:8443 cookie 1 check ssl verify none

backend vendor2_tcp
mode tcp
balance leastconn
option tcpka
option tcp-check
server server02 server02:6002 check weight 100 minconn 3000 maxconn 5000

1 post - 1 participant
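Two frontends binding the same *:443 do both start (HAProxy binds with SO_REUSEPORT), but the kernel then spreads incoming connections across both sockets, so some vendor2 connections land in the TLS frontend and some browser connections land in the raw TCP one. The usual fix is one TCP-mode listener on 443 that selects by source address and hands everything else to the HTTPS frontend over an internal socket. The following is an added example, not the poster's configuration: it reuses the certificate path, subnet files and backend names from the post, and the abns@https socket name is an arbitrary choice (abstract namespace sockets are Linux only). Source-address filtering works here because destination NAT preserves the client IP; the vendor2 stream is passed through unmodified, so whatever that protocol carries is not inspected or terminated by HAProxy.

```haproxy
# Single owner of port 443: routes by source IP, never by content.
frontend tls_mux
    bind *:443
    mode tcp
    option tcplog
    acl vendor2_prod src -f /etc/haproxy/ipranges/vendor2_prod.subnets
    acl vendor2_dev  src -f /etc/haproxy/ipranges/vendor2_dev.subnets
    use_backend vendor2_tcp if vendor2_prod || vendor2_dev
    default_backend to_https

# Everything that is not vendor2 is handed, still encrypted, to the
# HTTPS frontend below. send-proxy-v2 carries the real client address so
# forwardfor, src-based ACLs and logs keep working after the hop.
backend to_https
    mode tcp
    server https_local abns@https send-proxy-v2

# Same content as the original main_https, but listening on the internal
# socket instead of *:443. accept-proxy reads the PROXY header from to_https.
frontend main_https
    bind abns@https accept-proxy ssl crt /etc/haproxy/certs/our_cert.pem
    mode http
    option forwardfor except 127.0.0.0/8
    option httplog
    acl h_1 path_beg /h/1/
    acl server01_down nbsrv(server01_ssl) eq 0
    use_backend server01_ssl if h_1 !server01_down
    default_backend vendor1_ssl

backend vendor2_tcp
    mode tcp
    balance leastconn
    option tcpka
    option tcp-check
    server server02 server02:6002 check weight 100 minconn 3000 maxconn 5000
```

Keep the existing `frontend main` on port 80 and the HTTP backends unchanged; only the 443 listeners are replaced. Validate with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading.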


HAProxy nested loadbalancing


Hello!

I have written following config file:

frontend http-in
    bind *:8010
    default_backend gateway

frontend http-in-1
    bind *:8011
    default_backend bucket-1

frontend http-in-2
    bind *:8012
    default_backend bucket-2

backend gateway
    balance url_param hello
    hash-type consistent
    server lb-1-1 localhost:8011
    server lb-1-2 localhost:8012

backend bucket-1
    balance roundrobin
    server server1-1 hello_web_1:4000 check
    server server1-2 hello_web_2:4000 check
    server server1-3 hello_web_3:4000 check

backend bucket-2
    balance roundrobin
    server server2-4 hello_web_4:4000 check
    server server2-5 hello_web_5:4000 check

The idea behind it is to always forward traffic to the same bucket based on a parameter in the URL and then split it across multiple workers inside the bucket.

The following configuration is equivalent to two load balancers behind a gateway. I am not happy with this solution, because it requires 4 I/O operations to process a packet.

I was wondering, could it only forward traffic from one backend to another? In this situation, from gateway directly to bucket-1 and bucket-2. This operation should be done on the CPU.

1 post - 1 participant
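HAProxy cannot pass a request from one backend into another backend inside the same process; a backend always talks to a server. The extra hop can be avoided by computing the bucket in the frontend instead: hash the URL parameter, reduce it modulo the number of buckets and use the result as a dynamic backend name, then let each bucket round-robin over its workers. The following is an added example, not the poster's configuration; it assumes HTTP mode (`balance url_param` only applies to HTTP traffic, and the post shows no `defaults` section) and reuses the bucket and server names from the post. Note that modulo hashing is stable for a fixed bucket count but, unlike `hash-type consistent`, remaps most keys when a bucket is added.

```haproxy
defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend http-in
    bind *:8010
    acl has_hello url_param(hello) -m found
    # crc32(param) mod 2 gives 0 or 1; add(1) turns that into the suffix of
    # "bucket-1" / "bucket-2", so the request goes straight to the bucket.
    use_backend bucket-%[url_param(hello),crc32,mod(2),add(1)] if has_hello
    # requests without the parameter have no affinity requirement
    default_backend bucket-1

backend bucket-1
    balance roundrobin
    server server1-1 hello_web_1:4000 check
    server server1-2 hello_web_2:4000 check
    server server1-3 hello_web_3:4000 check

backend bucket-2
    balance roundrobin
    server server2-4 hello_web_4:4000 check
    server server2-5 hello_web_5:4000 check
```

If the two-tier layout has to stay (for example because the buckets live on other hosts), replacing `localhost:8011` with a unix socket (`bind unix@/run/haproxy-bucket1.sock` and `server lb-1-1 unix@/run/haproxy-bucket1.sock`) at least keeps the second hop off the TCP stack.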


HAProxy 2.2 with Exchange 2019 - Continuous password prompt


Hello,

I’m a bit stuck setting up my HAProxy reverse proxy in combination with Exchange.

I have several webservers but only 1 public IP, so I opted for HAProxy as reverse proxy.

All my websites work except for the Exchange 2019 - Outlook connection.

When I fire up Outlook from an external connection I continuously get prompted for a password.
Internally (or when I configure my hosts file to point to the reverse proxy) everything works great.

I’m a bit at a loss what the problem could be.
I’ve stripped my config file to remove my public address etc. and I removed the other sites/acls.
Can you please take a look at my config and tell me how I f-ed up? :)

Here is my cfg file: https://pastebin.com/Gk56CmCn

Thanks in advance for any advice :)

1 post - 1 participant


Loadbalancing read/write


Hello,

I have a 3-node Galera cluster that I load balance with HAProxy. We ran into a problem with deadlocks when using a certain PHP function on our sites that use this setup. I know I can use check backup for db-02 and db-03, but I still want to load balance on all three. Is there any config I can use for this?

The message I get when using the function is: Fatal error: Uncaught Zend_Db_Statement_Mysqli_Exception: Mysqli statement execute error: Got error 35 “Resource deadlock avoided” during COMMIT.

Thanks!

1 post - 1 participant
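"Resource deadlock avoided" on COMMIT is how Galera reports a certification conflict: two transactions that touched the same rows were committed on different nodes, and the later one is rolled back (first committer wins). Round-robining writes over all three nodes makes that likely; sending every write to one node at a time removes it, while reads can still be spread across the whole cluster. HAProxy does not parse SQL, so the split has to be done by the application, which connects to one port for writes and another for reads. The following is an added example, not the poster's configuration: node addresses 10.0.0.11-13 and the percona-clustercheck HTTP listener on port 9200 are assumptions.

```haproxy
defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client 30m
    timeout server 30m

# Writers: db-01 takes all commits; db-02/db-03 only step in when it is down,
# so concurrent writes never race on the same rows from two nodes.
listen galera_write
    bind *:3306
    option httpchk GET /
    http-check expect status 200
    default-server port 9200 inter 3s fall 3 rise 2
    server db-01 10.0.0.11:3306 check
    server db-02 10.0.0.12:3306 check backup
    server db-03 10.0.0.13:3306 check backup

# Readers: SELECT-only connections are balanced across every synced node.
listen galera_read
    bind *:3307
    balance leastconn
    option httpchk GET /
    http-check expect status 200
    default-server port 9200 inter 3s fall 3 rise 2
    server db-01 10.0.0.11:3306 check
    server db-02 10.0.0.12:3306 check
    server db-03 10.0.0.13:3306 check
```

The health check asks clustercheck on port 9200 rather than just opening 3306, so a node that is up but not `Synced` is taken out of both pools. If the application cannot be taught two connection strings, a single writer node with backups (the first listener alone) is the safe fallback.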


FastCGI log-stderr format


Is there a way in which I can specify the format of the log-stderr directive in the fcgi-app section? I know I can choose “format raw” or skip the format.

Ideally I would like a way to include things like the client IP address, but also the stderr string in this log output.

1 post - 1 participant


Cannot balance https to backend

App server restarting when restarting network on haproxy server


Hi Team,

Last week I came across a strange issue:
the application servers get restarted once we restart the network services on the server configured in the HA cluster.

Kindly advise.

1 post - 1 participant



Haproxy Prefix redirect with regex match path


Hi all,

I’m trying to redirect a domain to another with the same path values. What I have tried is given below.
HA-Proxy version: 2.0.13-2 2020/04/01

In my frontend:
http-request redirect prefix http://example.test.com if { hdr(host) -i https://test.com } { path_reg /[a-z0-9_.-]{0,5} }

This is what i’m trying to achieve
When a user accesses https://test.com/7hjl3 it should redirect to http://example.test.com/7hjl3

Any help with this would be great.

2 posts - 2 participants
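Two things keep the posted rule from matching: the Host header never contains a scheme, so `hdr(host) -i https://test.com` cannot be true, and an unanchored `path_reg /[a-z0-9_.-]{0,5}` matches any path that starts with "/". The following is an added example, not the poster's configuration; the certificate path is an assumption. `redirect prefix` already carries the original path and query string over, which is the behaviour the post asks for. Redirecting from https://test.com to an http:// target downgrades the transport, so the example keeps the poster's destination but a practitioner would normally point it at https://example.test.com unless that host genuinely has no TLS.

```haproxy
frontend fe_main
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/test.com.pem
    mode http
    # Host header, case-insensitive; hdr_dom(host) would also accept a :port
    acl host_test hdr(host) -i test.com
    # anchored: only a slug of 1-5 allowed characters directly under /
    acl short_slug path_reg ^/[a-z0-9_.-]{1,5}$
    # 'prefix' keeps path and query, so https://test.com/7hjl3 becomes
    # http://example.test.com/7hjl3 (301 = permanent; use 302 while testing)
    http-request redirect prefix http://example.test.com code 301 if host_test short_slug
```

Test with `curl -sI -H 'Host: test.com' http://127.0.0.1/7hjl3` and check the `Location:` header before pointing real DNS at it.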


Haproxy keeps restarting every few minutes


My haproxy is auto-restarted every few minutes; is it by design? From syslog:

Aug 23 04:24:31 localhost haproxy[64543]: [NOTICE] 235/042431 (64543) : New worker #1 (64544) forked
Aug 23 04:24:38 api-lb systemd[1]: haproxy.service: Succeeded.
Aug 23 04:51:11 api-lb systemd[1]: haproxy.service: Main process exited, code=exited, status=137/n/a
Aug 23 04:51:11 api-lb systemd[1]: haproxy.service: Failed with result 'exit-code'.
Aug 23 04:51:11 api-lb systemd[1]: haproxy.service: Scheduled restart job, restart counter is at 1.
Aug 23 04:52:17 api-lb systemd[1]: haproxy.service: Main process exited, code=exited, status=137/n/a
Aug 23 04:52:17 api-lb systemd[1]: haproxy.service: Failed with result 'exit-code'.
Aug 23 04:52:18 api-lb systemd[1]: haproxy.service: Scheduled restart job, restart counter is at 2.
Aug 23 04:56:15 api-lb systemd[1]: haproxy.service: Main process exited, code=exited, status=137/n/a
Aug 23 04:56:15 api-lb systemd[1]: haproxy.service: Failed with result 'exit-code'.
Aug 23 04:56:16 api-lb systemd[1]: haproxy.service: Scheduled restart job, restart counter is at 3.
Aug 23 04:56:36 api-lb systemd[1]: haproxy.service: Main process exited, code=exited, status=137/n/a
Aug 23 04:56:36 api-lb systemd[1]: haproxy.service: Failed with result 'exit-code'.
Aug 23 04:56:36 api-lb systemd[1]: haproxy.service: Scheduled restart job, restart counter is at 4.
Aug 23 04:59:19 api-lb systemd[1]: haproxy.service: Main process exited, code=exited, status=137/n/a
Aug 23 04:59:19 api-lb systemd[1]: haproxy.service: Failed with result 'exit-code'.
Aug 23 04:59:19 api-lb systemd[1]: haproxy.service: Scheduled restart job, restart counter is at 5.
Aug 23 05:00:20 api-lb systemd[1]: haproxy.service: Main process exited, code=exited, status=137/n/a
Aug 23 05:00:20 api-lb systemd[1]: haproxy.service: Failed with result 'exit-code'.
Aug 23 05:00:21 api-lb systemd[1]: haproxy.service: Scheduled restart job, restart counter is at 6.
Aug 23 05:01:15 api-lb systemd[1]: haproxy.service: Main process exited, code=exited, status=137/n/a
Aug 23 05:01:15 api-lb systemd[1]: haproxy.service: Failed with result 'exit-code'.
Aug 23 05:01:15 api-lb systemd[1]: haproxy.service: Scheduled restart job, restart counter is at 7.
Aug 23 05:04:15 api-lb systemd[1]: haproxy.service: Main process exited, code=exited, status=137/n/a
Aug 23 05:04:15 api-lb systemd[1]: haproxy.service: Failed with result 'exit-code'.
Aug 23 05:04:15 api-lb systemd[1]: haproxy.service: Scheduled restart job, restart counter is at 8.
Aug 23 05:05:23 api-lb systemd[1]: haproxy.service: Main process exited, code=exited, status=137/n/a
Aug 23 05:05:23 api-lb systemd[1]: haproxy.service: Failed with result 'exit-code'.
Aug 23 05:05:24 api-lb systemd[1]: haproxy.service: Scheduled restart job, restart counter is at 9.

It’s running under Ubuntu 20.04.1 LTS with HA-Proxy version 2.0.13-2 2020/04/01 - https://haproxy.org/. The main config is:

global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    maxconn 80000
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    log global
    mode    http
    option  httplog
    option  dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
    maxconn 80000
    retries 3

systemd file: https://gist.github.com/fayland/5b74c8e75e19291b8143ad14f4fab85e

Any thoughts? We just do not want to lose the stats, because each restart will erase the stats. Thanks

1 post - 1 participant


[SOLVED] "Backend" leaks between frontend's acl in massive hosting (2.0.15)


Hello all,

First, thank you for such a nice piece of software and the documentation :)

I am using haproxy in a massive hosting environment, as one of the components of an infrastructure I am involved with (I can share some more info if you want :) ).

Anyway, my haproxy.cfg looks more or less like this:

global
  pidfile haproxy.pid
  master-worker

log rsyslogd.socket local0
defaults
  log global
  mode http
  option httplog
  timeout queue 60s
  timeout server 600s
  timeout client 600s
  timeout connect 5s
  retries 3

frontend http
  bind ipv4:<port>

  acl is_host-NNN hdr_dom(host) -i host_NNN.example.com
  use_backend host-NNN-backend if is_host-NNN

backend host-NNN-backend
  timeout server 600s
  timeout connect 5s
  retries 3
  server backend <ipv6-XXX>

Where NNN is in range <0000-9999> (currently I have more than 3000 entries).

If haproxy is run with such a configuration in the real environment, I realised that if I connect to host-123, for which the server defined in host-123-backend is down, I receive a response from another random backend in the configuration. I see that because I expect a 503 from haproxy, but I get a 401 or 200 from another backend (which varies on each request).

When I try to reproduce this problem in another environment, all works fine in that case (I get a 503), but as soon as I start connecting to other hosts (I am using curl with --resolve in a loop), then I have the problem.

If the backend is up, all responses are correct. I feel that I have a problem in my configuration; that’s why I held off on filing a bug in the haproxy issue tracker.

Do you have something to comment about?

I am using haproxy version 2.0.15

Note/SOLVED: I just tried 2.0.17 and I no longer have the problem, but reading http://www.haproxy.org/download/2.0/src/CHANGELOG gives me no clue which bugfix that is… Would it be "BUG/MEDIUM: mux-h1: Disable the splicing when nothing is received"?

1 post - 1 participant
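This is not a fix for the 2.0.15 behaviour reported above (which went away for the poster with 2.0.17), but the map-based form is how several thousand host-to-backend routes are normally expressed, and it makes the no-match case explicit: an unknown tenant name is answered by a dedicated backend that returns 503, never by some other tenant's origin. The following is an added example, not the poster's configuration; the map file path, the `be_catchall` name and the documentation-range IPv6 addresses are assumptions.

```haproxy
global
    master-worker
    log rsyslogd.socket local0

defaults
    log global
    mode http
    option httplog
    timeout queue 60s
    timeout connect 5s
    timeout client 600s
    timeout server 600s
    retries 3

frontend http
    bind *:80
    # /etc/haproxy/hosts.map holds one "<host> <backend>" pair per tenant:
    #   host-0000.example.com host-0000-backend
    #   host-0001.example.com host-0001-backend
    # Host is lower-cased and stripped of any :port, then looked up with
    # map_dom (domain-suffix match, like hdr_dom); use map_str for exact
    # hosts only. The second argument is returned when nothing matches.
    use_backend %[req.hdr(host),lower,field(1,:),map_dom(/etc/haproxy/hosts.map,be_catchall)]
    # also used when the map names a backend that does not exist
    default_backend be_catchall

backend be_catchall
    # cross-tenant isolation: never let an unmatched Host reach another
    # tenant's origin; answer here instead
    http-request deny deny_status 503

backend host-0000-backend
    server backend [2001:db8::1]:80 check

backend host-0001-backend
    server backend [2001:db8::2]:80 check
```

Map entries can be added or removed at runtime over the stats socket (`add map` / `del map`) without a reload, which matters when the tenant list changes often. The check `haproxy -c -f haproxy.cfg` reports backends referenced in the map only if they exist in the configuration, so keep the map and the backend list generated from the same source.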


ACL with multiple condition


I am running HAproxy for my Exchange 2019 Servers.
Everything is working as expected so far. This is my config:

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------

global
	log 127.0.0.1 local0 debug
	chroot /var/lib/haproxy
	stats socket /var/lib/haproxy/stats mode 660 level admin
	stats timeout 30s
	user haproxy
	group haproxy
	daemon
	
	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private
	
	# Default ciphers to use on SSL-enabled listening sockets.
	# For more information, see ciphers(1SSL). This list is from:
	# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
	# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended-configurations
	ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
	ssl-default-bind-options no-sslv3
	#ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
	#ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets no-sslv3
	tune.ssl.default-dh-param 2048

#---------------------------------------------------------------------
# Defaults section
#---------------------------------------------------------------------

# Regarding timeout client and timeout server: 
# https://discourse.haproxy.org/t/high-number-of-connection-resets-during-transfers-exchange-2013/1158/4

defaults
	log global
	mode http
	option dontlognull
	option http-keep-alive
	option prefer-last-server
	no option httpclose
	no option http-server-close
	no option forceclose
	no option http-tunnel
	balance leastconn
	default-server inter 3s rise 2 fall 3
	timeout client 600s
	timeout http-request 10s
	timeout connect 4s
	timeout server 60s 
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http


#-------------------------------------------------------
# Stats section
#-------------------------------------------------------

listen stats 
	bind *:444 ssl crt /etc/ssl/private/cert.pem
	stats enable
	stats refresh 30s
	stats show-node
	stats auth admin:network21
	stats uri /
	stats admin if TRUE	# Administration allowed
	stats show-legends


#---------------------------------------------------------------------
# Main Front-Ends that proxy to the Back-Ends
#---------------------------------------------------------------------

frontend fe_default
	bind *:80 name http
	bind *:443 name https ssl crt /etc/ssl/private/mail.siedle.de.pem
	capture request header Host len 32
	capture request header User-Agent len 64
	capture response header Content-Length len 10
	maxconn 10000
	acl ssl_connection ssl_fc
	acl letsencrypt path_beg /.well-known/acme-challenge/
	acl path_autodiscover path_beg -i /Autodiscover/Autodiscover.xml
	acl path_activesync path_beg -i /Microsoft-Server-ActiveSync
	acl path_ews path_beg -i /ews/
	acl path_owa path_beg -i /owa/
	acl path_oa path_beg -i /rpc/rpcproxy.dll
	acl path_ecp path_beg -i /ecp/
	acl path_ps path_beg -i /powershell/
	acl path_oab path_beg -i /oab/
	acl path_mapi path_beg -i /mapi/
	acl path_check path_end -i HealthCheck.htm
	http-request redirect scheme https code 302 unless ssl_connection
	http-request redirect scheme https code 301 if !{ ssl_fc }
	http-request deny if path_check
	use_backend be_letsencrypt if letsencrypt
	use_backend be_exchange_https_autodiscover if path_autodiscover
	use_backend be_exchange_https_activesync if path_activesync
	use_backend be_exchange_https_ews if path_ews
	use_backend be_exchange_https_owa if path_owa
	use_backend be_exchange_https_oa if path_oa
	use_backend be_exchange_https_ecp if path_ecp
	use_backend be_exchange_https_ps if path_ps
	use_backend be_exchange_https_oab if path_oab
	use_backend be_exchange_https_mapi if path_mapi
	default_backend be_exchange_https_default

frontend fe_smtp
	mode tcp
	bind *:25 name smtp
	maxconn 100
	default_backend be_smtp

#---------------------------------------------------------------------
# Back-Ends
#---------------------------------------------------------------------

backend be_letsencrypt
	server letsencrypt 127.0.0.1:8888
	
backend be_exchange_https_activesync
	option httpchk GET /Microsoft-Server-ActiveSync/HealthCheck.htm
	http-check expect string 200\ OK
	server ex1 10.32.0.51:443 ssl verify none maxconn 10000 weight 10 check
	server ex2 10.32.0.52:443 ssl verify none maxconn 10000 weight 10 check

backend be_exchange_https_autodiscover
	option httpchk GET /Autodiscover/HealthCheck.htm
	http-check expect string 200\ OK
	server ex1 10.32.0.51:443 ssl verify none maxconn 10000 weight 10 check
	server ex2 10.32.0.52:443 ssl verify none maxconn 10000 weight 10 check
	
backend be_exchange_https_ecp
	option httpchk GET /ECP/HealthCheck.htm
	http-check expect string 200\ OK
	server ex1 10.32.0.51:443 ssl verify none maxconn 10000 weight 10 check
	server ex2 10.32.0.52:443 ssl verify none maxconn 10000 weight 10 check
	
backend be_exchange_https_ews
	option httpchk GET /EWS/HealthCheck.htm
	http-check expect string 200\ OK
	server ex1 10.32.0.51:443 ssl verify none maxconn 10000 weight 10 check
	server ex2 10.32.0.52:443 ssl verify none maxconn 10000 weight 10 check
	
backend be_exchange_https_mapi
	option httpchk GET /mapi/HealthCheck.htm
	http-check expect string 200\ OK
	timeout server 600s
	server ex1 10.32.0.51:443 ssl verify none maxconn 10000 weight 10 check
	server ex2 10.32.0.52:443 ssl verify none maxconn 10000 weight 10 check
	
backend be_exchange_https_oab
	option httpchk GET /OAB/HealthCheck.htm
	http-check expect string 200\ OK
	server ex1 10.32.0.51:443 ssl verify none maxconn 10000 weight 10 check
	server ex2 10.32.0.52:443 ssl verify none maxconn 10000 weight 10 check
	
backend be_exchange_https_oa
	option httpchk GET /RPC/HealthCheck.htm
	http-check expect string 200\ OK
	timeout server 600s
	server ex1 10.32.0.51:443 ssl verify none maxconn 10000 weight 10 check
	server ex2 10.32.0.52:443 ssl verify none maxconn 10000 weight 10 check
	
backend be_exchange_https_owa
	option httpchk GET /owa/HealthCheck.htm
	http-check expect string 200\ OK
	server ex1 10.32.0.51:443 ssl verify none maxconn 10000 weight 10 check
	server ex2 10.32.0.52:443 ssl verify none maxconn 10000 weight 10 check
	
backend be_exchange_https_ps
	server ex1 10.32.0.51:443 ssl verify none maxconn 10000 weight 10 check
	server ex2 10.32.0.52:443 ssl verify none maxconn 10000 weight 10 check
	
backend be_exchange_https_default
	timeout server 60s
	server ex1 10.32.0.51:443 ssl verify none maxconn 10000 weight 10 check
	server ex2 10.32.0.52:443 ssl verify none maxconn 10000 weight 10 check
	
backend be_smtp
	mode tcp
	option smtpchk
	server ex1 10.32.0.51:25 maxconn 100 weight 10 check
	server ex2 10.32.0.52:25 maxconn 100 weight 10 check

Now I want to allow access to the backends be_exchange_https_ecp and be_exchange_https_ps only when the request comes from 10.0.0.0/8.
I have tried all the different methods I could find, for example
use_backend be_exchange_https_ps if path_ecp { src 10.0.0.0/8 } or
http-request deny if path_ecp { src 10.0.0.0/8 } or other non-inline variants, but none of them seems to work.

Is there something else wrong with my configuration preventing the ACL from working?
Any help is greatly appreciated! :)

EDIT:
The HAProxy is behind a NAT, if that makes any difference.

2 posts - 2 participants
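`http-request` rules are evaluated in order and `src` is the address of the TCP peer, so the deny has to be written against sources that are *not* in the internal range and placed before the `use_backend` lines. A `deny if path_ecp { src 10.0.0.0/8 }` does the opposite: it blocks the internal clients and lets everyone else through to the backend. The following is an added example, not the poster's configuration, showing only the lines that change in `fe_default`; everything else from the post stays as it is. If the NAT in front of HAProxy is a plain port forward (destination NAT) the client address is preserved and `src` works; only if the device rewrites the source (SNAT) would every request appear to come from the NAT box, and then the restriction cannot be based on `src` at all.

```haproxy
frontend fe_default
    bind *:80 name http
    bind *:443 name https ssl crt /etc/ssl/private/mail.siedle.de.pem
    acl ssl_connection ssl_fc
    acl internal_src   src 10.0.0.0/8
    acl path_ecp       path_beg -i /ecp/
    acl path_ps        path_beg -i /powershell/
    acl path_check     path_end -i HealthCheck.htm
    http-request redirect scheme https code 302 unless ssl_connection
    http-request deny if path_check
    # Exchange admin surfaces: refuse anything that did not originate inside
    # 10.0.0.0/8. These rules must come before the use_backend lines.
    http-request deny deny_status 403 if path_ecp !internal_src
    http-request deny deny_status 403 if path_ps  !internal_src
    use_backend be_exchange_https_ecp if path_ecp
    use_backend be_exchange_https_ps  if path_ps
    # ... remaining use_backend lines from the original config ...
    default_backend be_exchange_https_default
```

Verify from outside the range with `curl -k -o /dev/null -w '%{http_code}\n' https://<host>/ecp/` (expect 403) and from a 10.x address (expect the Exchange response), and watch `src` in the `httplog` lines to confirm what address HAProxy actually sees behind the NAT.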


SSL termination for docker pull


Hi, I am trying to do SSL termination on HAProxy.
When I run docker pull haproxyserver:9000/path/path:xxx I got
Error response from daemon: Get https://haproxyserver:9000/(..): http: server gave HTTP response to HTTPS client
So I created a certificate. I copied the ca.crt file to /etc/docker/certs.d/haproxyserver:9083 and the pem file onto the haproxyserver.
Now I get another error:
Error response from daemon: Get https://haproxyserver:9000/(...): no basic auth credentials

My configuration:

frontend fe_registry
        bind *:9000 ssl crt /path_to_pem_file/haproxy.pem
        default_backend port_9000

backend port_9000
        server opscluster01 opscluster01:9083 check

What am I missing? Please help.

1 post - 1 participant
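"no basic auth credentials" comes from the registry itself, so the TLS part now works; the registry simply requires a `docker login haproxyserver:9000` first. Two details worth checking on the client: Docker looks for the CA in `/etc/docker/certs.d/<host>:<port>` using the address the client dials, which is `haproxyserver:9000` here, not `:9083`. Behind a TLS-terminating proxy a registry also needs to be told the original scheme, otherwise the absolute URLs it emits (redirects, `Location` headers) point back at plain HTTP, which is the first error message in the post. The following is an added example, not the poster's configuration; the health-check path `/v2/` is the registry API root, which answers 200 or 401 depending on whether auth is configured, and the `mode http` lines are needed because the posted config has no `defaults`.

```haproxy
frontend fe_registry
    bind *:9000 ssl crt /path_to_pem_file/haproxy.pem
    mode http
    option httplog
    # tell the registry how clients actually reached it, so the URLs it
    # generates keep the https scheme and the public port
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port 9000
    default_backend port_9000

backend port_9000
    mode http
    option httpchk GET /v2/
    # a registry with auth enabled answers 401 on /v2/; both mean "alive"
    http-check expect rstatus ^(200|401)$
    server opscluster01 opscluster01:9083 check
```

After a reload, `curl -v --cacert ca.crt https://haproxyserver:9000/v2/` should show the TLS handshake succeeding and a 401 with a `Www-Authenticate` header; that is the point at which `docker login` is expected to work.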


[HAProxy 2.2.2] Percona ClusterCheck Problem


Hi, in the latest HAProxy version there is a problem checking Percona MySQL Cluster state using http-check and the clustercheck script. This problem was already described a few years ago: https://github.com/olafz/percona-clustercheck/issues/2.

I decided to add a 0.1 sec sleep after the Connection: close response:

    # Percona XtraDB Cluster node local state is 'Synced' => return HTTP 200
    # Shell return-code is 0
    echo -en "HTTP/1.1 200 OK\r\n"
    echo -en "Content-Type: text/plain\r\n"
    echo -en "Connection: close\r\n"
    sleep 0.1
    echo -en "Content-Length: 40\r\n"
    echo -en "\r\n"
    echo -en "Percona XtraDB Cluster Node is synced.\r\n"
    sleep 0.1
    exit 0

The other way, I can use tcp-check:

tcp-check connect port 9200
tcp-check send HEAD\ /\ HTTP/1.1\r\n
tcp-check send \r\n
tcp-check expect rstring HTTP/1\..\ (2..|3..)

Maybe you have a better idea?

1 post - 1 participant


Bad CASv6 302 redirect through HAP


Hi !

I’m testing HAProxy as a replacement for an old load balancer at a university. I have no problem with most sites in the migration, but one does not work through HAP: the CAS authentication service.

A “%3A80” is added by HAP to the URL, regardless of whether port 80 or 443 is used:
https://casv6.univ-example.com/cas/login?service=https%3A%2F%2Ftoto-qual.univ-example.com**%3A80**%2F

Note: the redirect from http to https is done by the backend servers.

With another webapp through the same frontend and backend, I don’t have the problem.

I have searched the HAP documentation and the web but haven’t found what to do… Do you have an idea?

frontend frontaux_qual_HTTP
bind 1.2.3.4:80
mode http
#no log
description port frontaux-qual HTTP vlan public145
option socket-stats
timeout client 5s
default_backend http_frontaux_qual_backends

frontend frontaux_qual_HTTPS
bind 1.2.3.4:443 ssl crt /etc/ssl/private/star_univ-example_com.pem alpn h2,http/1.1
mode http
description port frontaux-qual HTTPS vlan public145
#no log
option forwardfor
http-request add-header X-Forwarded-Proto https
option socket-stats
timeout client 5s
default_backend https_frontaux_qual_backends

backend http_frontaux_qual_backends
balance roundrobin
stick-table type ip size 200k expire 30m
stick on src
#no log
mode http
option httpchk
server frontal1-qual frontal1-qual.univ-example.com:80 check fall 1 rise 1 fastinter 500 downinter 5000
server frontal2-qual frontal2-qual.univ-example.com:80 check fall 1 rise 1 fastinter 500 downinter 5000
server frontal3-qual frontal3-qual.univ-example.com:80 check fall 1 rise 1 fastinter 500 downinter 5000
server frontal4-qual frontal4-qual.univ-example.com:80 check fall 1 rise 1 fastinter 500 downinter 5000

backend https_frontaux_qual_backends
balance roundrobin
stick-table type ip size 200k expire 30m
stick on src
#no log
mode http
option httpchk
server frontal1-qual frontal1-qual.univ-example.com:443 check fall 1 rise 1 fastinter 500 downinter 5000 ssl verify none
server frontal2-qual frontal2-qual.univ-example.com:443 check fall 1 rise 1 fastinter 500 downinter 5000 ssl verify none
server frontal3-qual frontal3-qual.univ-example.com:443 check fall 1 rise 1 fastinter 500 downinter 5000 ssl verify none
server frontal4-qual frontal4-qual.univ-example.com:443 check fall 1 rise 1 fastinter 500 downinter 5000 ssl verify none

HAP version: 2.0.17-1~bpo10+1

1 post - 1 participant
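An application that builds absolute URLs (the `service=` parameter here) behind a reverse proxy normally takes scheme, host and port from the `X-Forwarded-*` headers rather than from its own listening socket; whether the CAS backend honours them depends on its own configuration, so this is the standard proxy-side setup rather than a confirmed fix for the `%3A80`. The following is an added example, not the poster's configuration, covering only the HTTPS frontend and its backend. Two changes from the original are security-relevant: `add-header` appends, so a client-supplied `X-Forwarded-Proto: http` would travel alongside the proxy's value, while `del-header` followed by `set-header` guarantees the backend sees only what HAProxy sets; and `ssl verify none` is replaced by certificate verification against the system CA bundle (path assumed; use the CA that issued the frontal servers' certificates).

```haproxy
frontend frontaux_qual_HTTPS
    bind 1.2.3.4:443 ssl crt /etc/ssl/private/star_univ-example_com.pem alpn h2,http/1.1
    mode http
    description port frontaux-qual HTTPS vlan public145
    option socket-stats
    timeout client 5s
    # strip anything the client sent, then set authoritative values
    http-request del-header X-Forwarded-Proto
    http-request del-header X-Forwarded-Host
    http-request del-header X-Forwarded-Port
    http-request del-header X-Forwarded-For
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Host %[req.hdr(host)]
    http-request set-header X-Forwarded-Port %[dst_port]
    default_backend https_frontaux_qual_backends

backend https_frontaux_qual_backends
    balance roundrobin
    stick-table type ip size 200k expire 30m
    stick on src
    mode http
    option httpchk
    # verify the backend certificate instead of 'verify none', so a host on
    # the backend VLAN cannot impersonate a frontal server
    default-server check fall 1 rise 1 fastinter 500 downinter 5000 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt
    server frontal1-qual frontal1-qual.univ-example.com:443
    server frontal2-qual frontal2-qual.univ-example.com:443
    server frontal3-qual frontal3-qual.univ-example.com:443
    server frontal4-qual frontal4-qual.univ-example.com:443
```

The plain-HTTP frontend gets the same `del-header`/`set-header` block with `X-Forwarded-Proto http`. To see exactly what the backend receives, `capture request header X-Forwarded-Port len 5` in the frontend puts the value into the `httplog` line.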



HAProxy proxypass


Hello,
I need to create a config to forward traffic from one haproxy (haproxysrv1) to another haproxy (haproxysrv2) in another region in the cloud, and vice versa.
Can you please confirm the example config?
Thanks in advance
frontend http-in
bind 0.0.0.0:80
acl prefixed-with-haproxysrv1 path_beg /haproxysrv1/
acl host-is-www-example hdr(host) eq www.example.com
use_backend foo-backend if host-is-www-example prefixed-with-haproxysrv1
# other rules …
default_backend default-backend

backend foo-backend
http-request set-header Host foo.local
server node1 foo.local:80
# Map url path as ProxyPass does
reqirep ^(GET|POST|HEAD)\ /haproxysrv2/(.*) \1\ /\2
# Rewrite redirects as ProxyPassReverse does
acl response-is-redirect res.hdr(Location) -m found
rspirep ^Location:\ (http|https)://haproxysrv2/(.*) Location:\ \1://www.example.com/foo/\2 if response-is-redirect
#option forwardfor

1 post - 1 participant
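`reqirep`/`rspirep` were deprecated in HAProxy 2.0 and removed in 2.1, so the posted config only loads on 1.x. The same ProxyPass/ProxyPassReverse behaviour is written today with `http-request replace-path` (2.2 and later; `replace-uri` on 2.0) and `http-response replace-header`. The following is an added example, not the poster's configuration: the upstream name `haproxysrv2.local`, the `/haproxysrv2/` prefix and the `default-backend` are taken from or modelled on the post, and the dot in the Location regex is escaped and the pattern anchored so that only redirects really issued by the upstream are rewritten. The reverse direction is the same block on haproxysrv2 with the names swapped.

```haproxy
frontend http-in
    bind 0.0.0.0:80
    mode http
    acl host-is-www-example hdr(host) -i www.example.com
    acl prefixed-with-haproxysrv2 path_beg /haproxysrv2/
    use_backend haproxysrv2-backend if host-is-www-example prefixed-with-haproxysrv2
    default_backend default-backend

backend haproxysrv2-backend
    mode http
    # ProxyPass: drop our prefix and present the Host the upstream expects
    http-request replace-path ^/haproxysrv2/(.*) /\1
    http-request set-header Host haproxysrv2.local
    # ProxyPassReverse: map absolute redirects from the upstream back into
    # our namespace so the browser stays on www.example.com
    acl response-is-redirect res.hdr(Location) -m found
    http-response replace-header Location ^(https?)://haproxysrv2\.local/(.*) \1://www.example.com/haproxysrv2/\2 if response-is-redirect
    server node1 haproxysrv2.local:80
```

Only `Location` headers are rewritten; links inside HTML bodies are not, exactly as with Apache's ProxyPassReverse. Since the two proxies sit in different cloud regions, the `server` line would normally carry `ssl verify required ca-file ...` so the inter-region hop is not plain HTTP.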


Duplicate messages in logs


I’ve noticed that HAProxy emits the same message twice, with a prefix like [WARNING] 237/195948 (6) : and without it. I noticed this behaviour while trying to run HAProxy in Docker, but with a regular syslog setup the situation is exactly the same.

# docker run -it --rm --name haproxy -v /root/haproxy:/etc/haproxy -p 9101:9101/tcp -p 5432:5432/tcp haproxy:2.0 -f /etc/haproxy/haproxy.cfg
Proxy stats_prometheus started.
Proxy master started.
Proxy replicas started.
[NOTICE] 237/211032 (1) : New worker #1 (7) forked
[WARNING] 237/211032 (7) : Server master/dev-db-02 is DOWN, reason: Layer7 wrong status, code: 503, info: "HTTP status check returned code <3C>503<3E>", check duration: 1ms. 2 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Server master/dev-db-02 is DOWN, reason: Layer7 wrong status, code: 503, info: "HTTP status check returned code <3C>503<3E>", check duration: 1ms. 2 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
[WARNING] 237/211033 (7) : Server master/dev-db-03 is DOWN, reason: Layer7 wrong status, code: 503, info: "HTTP status check returned code <3C>503<3E>", check duration: 2ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Server master/dev-db-03 is DOWN, reason: Layer7 wrong status, code: 503, info: "HTTP status check returned code <3C>503<3E>", check duration: 2ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
[WARNING] 237/211033 (7) : Server replicas/dev-db-01 is DOWN, reason: Layer7 wrong status, code: 503, info: "HTTP status check returned code <3C>503<3E>", check duration: 5ms. 2 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Server replicas/dev-db-01 is DOWN, reason: Layer7 wrong status, code: 503, info: "HTTP status check returned code <3C>503<3E>", check duration: 5ms. 2 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Connect from 172.17.0.1:45992 to 172.17.0.2:5432 (master/TCP)
Connect from 172.17.0.1:46014 to 172.17.0.2:5432 (master/TCP)

It looks like the prefixed messages are emitted by the master process (pid 1 in the container) and the non-prefixed ones by the worker process (pid 7).

Configuration:

global
    log stdout format raw local0
    maxconn 100
    stats timeout 30s
    pidfile /run/haproxy.pid

defaults
    log global
    mode    tcp
    retries 2
    timeout client 30m
    timeout connect 4s
    timeout server 30m
    timeout check 5s
    option  dontlognull
    default-server init-addr last,libc,none

resolvers localdns
    parse-resolv-conf

listen stats_prometheus
    bind *:9101
    mode http
    option http-use-htx
    http-request use-service prometheus-exporter if { path /metrics }
    stats enable
    stats uri /stats

listen master
    bind *:5432
    option httpchk OPTIONS /master
    http-check expect status 200
    default-server inter 3s fall 3 rise 2 on-marked-down shutdown-sessions
    server dev-db-01 dev-db-01.domain.tld:5432 maxconn 120 check resolvers localdns port 8008
    server dev-db-02 dev-db-02.domain.tld:5432 maxconn 120 check resolvers localdns port 8008
    server dev-db-03 dev-db-03.domain.tld:5432 maxconn 120 check resolvers localdns port 8008

listen replicas
    bind *:5433
    option httpchk OPTIONS /replica
    http-check expect status 200
    default-server inter 3s fall 3 rise 2 on-marked-down shutdown-sessions
    server dev-db-01 dev-db-01.domain.tld:5432 maxconn 120 check resolvers localdns port 8008
    server dev-db-02 dev-db-02.domain.tld:5432 maxconn 120 check resolvers localdns port 8008
    server dev-db-03 dev-db-03.domain.tld:5432 maxconn 120 check resolvers localdns port 8008

If the log line is completely omitted from the global section, I still get logs like

# docker run -it --rm --name haproxy -v /root/haproxy:/etc/haproxy -p 9101:9101/tcp haproxy:2.0 -f /etc/haproxy/haproxy.cfg
[NOTICE] 237/204228 (1) : New worker #1 (6) forked
[WARNING] 237/204229 (6) : Server master/dev-db-02 is DOWN, reason: Layer7 wrong status, code: 503, info: "HTTP status check returned code <3C>503<3E>", check duration: 1ms. 2 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
[WARNING] 237/204229 (6) : Server master/dev-db-03 is DOWN, reason: Layer7 wrong status, code: 503, info: "HTTP status check returned code <3C>503<3E>", check duration: 2ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
[WARNING] 237/204230 (6) : Server replicas/dev-db-01 is DOWN, reason: Layer7 wrong status, code: 503, info: "HTTP status check returned code <3C>503<3E>", check duration: 5ms. 2 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
^C[WARNING] 237/205847 (1) : Exiting Master process...
[ALERT] 237/205847 (1) : Current worker #1 (6) exited with code 130 (Interrupt)
[WARNING] 237/205847 (1) : All workers exited. Exiting... (130)

But no connections like

Connect from 172.17.0.1:45992 to 172.17.0.2:5432 (master/TCP)
Connect from 172.17.0.1:46014 to 172.17.0.2:5432 (master/TCP)

are logged.

Question: is it possible to get rid of the duplicates while still preserving all other log messages? I.e. is it possible to suppress messages like

[WARNING] 237/204229 (6) : Server master/dev-db-02 is DOWN...

from master process while still preserving messages like

[NOTICE] 237/204228 (1) : New worker #1 (6) forked

and leaving worker messages

Server master/dev-db-02 is DOWN...

intact.

1 post - 1 participant

Read full topic
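Each duplicated pair above is the same message emitted twice by the worker (pid 7 in the prefix): once as a stderr warning in HAProxy's "[LEVEL] ddd/hhmmss (pid) : message" format and once through the "log stdout format raw" target. Where that cannot be changed in the configuration it can be collapsed at ingestion; the filter below is an added example, not part of the post, and runs over a shortened copy of the quoted lines.

```python
"""Collapse the duplicated state-change messages seen when HAProxy 2.0 runs
in master-worker mode with `log stdout format raw`.  Added example, not part
of the original post.  Each duplicated pair is one prefixed line in HAProxy's
stderr alert format, '[LEVEL] ddd/hhmmss (pid) : message', followed by the
same message sent unprefixed to the raw log target."""
import re

PREFIX_RE = re.compile(r"^\[(ALERT|WARNING|NOTICE)\] \d+/\d+ \((\d+)\) : (.*)$")

# Constructed from the container output in the post (messages shortened).
SAMPLE = [
    "Proxy master started.",
    "[NOTICE] 237/211032 (1) : New worker #1 (7) forked",
    "[WARNING] 237/211032 (7) : Server master/dev-db-02 is DOWN, reason: Layer7 wrong status, code: 503",
    "Server master/dev-db-02 is DOWN, reason: Layer7 wrong status, code: 503",
    "[WARNING] 237/211033 (7) : Server master/dev-db-03 is DOWN, reason: Layer7 wrong status, code: 503",
    "Server master/dev-db-03 is DOWN, reason: Layer7 wrong status, code: 503",
    "Connect from 172.17.0.1:45992 to 172.17.0.2:5432 (master/TCP)",
]

def parse(line):
    """Return (level, pid, message) for a prefixed line, or (None, None, line)
    for a raw log line, so a log shipper can tag the emitting process."""
    m = PREFIX_RE.match(line)
    if m:
        return m.group(1), int(m.group(2)), m.group(3)
    return None, None, line

def dedupe(lines):
    """Drop a prefixed line whose message is repeated verbatim by the line
    that directly follows it; everything else (NOTICE lines, Connect lines,
    messages without a raw twin) is kept in order."""
    kept = []
    for i, line in enumerate(lines):
        level, _pid, msg = parse(line)
        follower = lines[i + 1] if i + 1 < len(lines) else None
        if level is not None and follower == msg:
            continue        # the raw copy is appended on the next iteration
        kept.append(line)
    return kept

if __name__ == "__main__":
    for line in dedupe(SAMPLE):
        print(line)
```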

Haproxy will get 404 error for about 2-3 seconds if one of the backend servers is down


This is the haproxy config.
defaults
option forwardfor
log global
option httplog
log 127.0.0.1 local3
option dontlognull
retries 3
option redispatch
timeout connect 5000ms
timeout client 5000ms
timeout server 5000ms

listen stats
bind *:9000
mode http

backend testhosts
mode http
balance roundrobin
option httpchk HEAD /sabrix/scripts/menu-common.js
server host1 11.11.11.11:9080 check inter 2000 rise 1 fall 2
server host2 11.11.11.12:9080 check inter 2000 rise 1 fall 2

If the service on 11.11.11.11 is down, haproxy will get 503 and 404 errors for about 2-3 seconds (it depends on the inter value; if the inter value is very small, the number of 404 errors decreases).

2020-08-25T11:58:14 11.11.11.11:9080 200 POST /tsturl1 HTTP/1.1 2274
2020-08-25T11:58:14 11.11.11.22:9080 200 POST /tsturl1 HTTP/1.1 448
2020-08-25T11:58:14 11.11.11.11:9080 503 POST /tsturl1 HTTP/1.1 0
2020-08-25T11:58:14 11.11.11.11:9080 404 POST /tsturl1 HTTP/1.1 0
2020-08-25T11:58:14 11.11.11.11:9080 200 POST /tsturl1 HTTP/1.1 1503
2020-08-25T11:58:16 11.11.11.22:9080 200 POST /tsturl1 HTTP/1.1 617
2020-08-25T11:58:16 11.11.11.11:9080 404 POST /tsturl1 HTTP/1.1 0
2020-08-25T11:58:16 11.11.11.22:9080 200 POST /tsturl1 HTTP/1.1 618
2020-08-25T11:58:16 11.11.11.11:9080 404 POST /tsturl1 HTTP/1.1 0
2020-08-25T11:58:16 host1 is DOWN, reason: Layer7 wrong status, code: 404, info: "Not Found", check duration: 0ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
2020-08-25T11:58:16 11.11.11.22:9080 200 POST /tsturl1 HTTP/1.1 645
2020-08-25T11:58:16 11.11.11.22:9080 200 POST /tsturl1 HTTP/1.1 618

My question is: why didn't the retry parameter work? Is it possible for the user to always get a 200 code rather than a 400 error even when one of the backend servers is down? I'm using Haproxy 1.5.18.

1 post - 1 participant

Read full topic
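The "retries" setting only re-attempts a failed TCP connection (and, with "option redispatch", moves it to another server); a 503 or 404 is a complete HTTP reply from a server that is still UP, so HAProxy relays it until "fall" consecutive checks have failed. The added example below (not from the post) computes that worst-case window from "inter" and "fall" and measures the window actually visible in the quoted log lines, embedded here as a constructed subset.

```python
"""Why 404/503 leak for a few seconds before HAProxy marks a server DOWN.
Added example, not from the original post.  The sample log lines are a
constructed subset of the ones quoted in the thread."""
import re
from datetime import datetime

# Values from the post's backend: server ... check inter 2000 rise 1 fall 2
INTER_MS = 2000
FALL = 2

SAMPLE_LOG = [
    "2020-08-25T11:58:14 11.11.11.11:9080 200 POST /tsturl1 HTTP/1.1 2274",
    "2020-08-25T11:58:14 11.11.11.11:9080 503 POST /tsturl1 HTTP/1.1 0",
    "2020-08-25T11:58:14 11.11.11.11:9080 404 POST /tsturl1 HTTP/1.1 0",
    "2020-08-25T11:58:16 11.11.11.22:9080 200 POST /tsturl1 HTTP/1.1 617",
    "2020-08-25T11:58:16 11.11.11.11:9080 404 POST /tsturl1 HTTP/1.1 0",
    "2020-08-25T11:58:16 host1 is DOWN, reason: Layer7 wrong status, code: 404,"
    " info: \"Not Found\", check duration: 0ms. 1 active and 0 backup servers left.",
    "2020-08-25T11:58:16 11.11.11.22:9080 200 POST /tsturl1 HTTP/1.1 645",
]

def worst_case_down_delay_ms(inter_ms: int, fall: int) -> int:
    """A server is marked DOWN only after `fall` consecutive failed checks.
    If it breaks right after a successful check, the first failure is seen
    one interval later and the last one (fall - 1) intervals after that, so
    (with fastinter unset, as here) it keeps receiving traffic for up to
    fall * inter milliseconds."""
    return fall * inter_ms

ACCESS_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+):\d+ (\d{3}) ")

def error_window_seconds(lines) -> float:
    """Seconds between the first non-2xx answer relayed from a server and
    the 'is DOWN' line: the period `retries` cannot cover, because every
    one of those answers was a valid HTTP response, not a connect failure."""
    first_error = down = None
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and first_error is None and not m.group(3).startswith("2"):
            first_error = datetime.fromisoformat(m.group(1))
        elif " is DOWN, " in line and down is None:
            down = datetime.fromisoformat(line.split()[0])
    if first_error is None or down is None:
        raise ValueError("sample lacks an error line or a DOWN event")
    return (down - first_error).total_seconds()

if __name__ == "__main__":
    print(worst_case_down_delay_ms(INTER_MS, FALL), "ms worst case;",
          error_window_seconds(SAMPLE_LOG), "s observed in the post")
```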

Httpchk on bash script results in Socket error


I am using this health-check pass-through option for dovecot, where a bash script just returns the http response. Although curl gives me an OK connection, haproxy keeps giving me "Socket error: Connection reset by peer".

Is this because this bash script is not closing the connection properly?

[@temp]$ curl http://test2.local:5001/ -v
* About to connect() to test2.local port 5001 (#0)
*   Trying 192.168.10.22... connected
* Connected to test2.local (192.168.10.22) port 5001 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.44 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: test2.local:5001
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Length: 47
< Content-Type: text/html
<
<html><body>MySQL is running.</body></html>

* Connection #0 to host test2.local left intact
* Closing connection #0

backend config

backend imap
  mode tcp
  balance leastconn
  stick store-request src
  stick-table type ip size 200k expire 30m
  option httpchk GET / HTTP/1.0
  http-check expect status 200
  default-server resolvers dnssvrs1
  server s2 test2.local:10143 check port 5001 send-proxy-v2

dovecot conf

service health-check {
  # example health-check.
  executable = script -p /bin/health-check.sh
  inet_listener health-check {
      # not working env:PORT0
      port = 5001
  }
}

2 posts - 2 participants

Read full topic
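"Socket error" on an L7 check means the check connection failed at TCP level, and "Connection reset by peer" means the checked side sent an RST. One common cause, assumed here rather than confirmed by the post, is a responder that writes its reply and exits without reading the request HAProxy sent ("GET / HTTP/1.0"): on Linux a close with unread data produces an RST instead of a FIN. The responder below is an added example, not the poster's script, and assumes its stdin/stdout are the accepted socket, as for Dovecot's health-check executable; it drains the request before answering.

```python
"""Health-check responder that drains the request before replying.
Added example, not the poster's script.  Assumption: the script is run
with its stdin/stdout attached to the accepted socket (as Dovecot's
service health-check does for its executable)."""
import io
import sys

BODY = b"<html><body>MySQL is running.</body></html>"   # body from the post

def read_request(rfile) -> bytes:
    """Consume the request line and all headers up to the blank line, so
    no unread bytes remain on the socket when we close (a close with
    unread data makes the kernel send RST, which HAProxy reports as
    'Connection reset by peer').  Returns the request line."""
    request_line = rfile.readline().rstrip(b"\r\n")
    while True:
        header = rfile.readline()
        if header in (b"\r\n", b"\n", b""):     # end of headers, or EOF
            break
    return request_line

def build_response(body: bytes = BODY) -> bytes:
    """What `option httpchk GET / HTTP/1.0` + `http-check expect status 200`
    needs: a status line, a correct Content-Length and an explicit close."""
    return (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: text/html\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"Connection: close\r\n"
            b"\r\n" + body)

def serve_once(rfile, wfile) -> bytes:
    """Handle one check on the given streams and return the request line."""
    request_line = read_request(rfile)
    wfile.write(build_response())
    wfile.flush()
    return request_line

def simulate(raw_request: bytes):
    """Offline self-check: run one check against in-memory streams and
    return (request_line, response_bytes, unread_request_bytes)."""
    rfile, wfile = io.BytesIO(raw_request), io.BytesIO()
    line = serve_once(rfile, wfile)
    return line, wfile.getvalue(), rfile.read()

if __name__ == "__main__":           # real use: stdin/stdout are the socket
    serve_once(sys.stdin.buffer, sys.stdout.buffer)
```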

What's the source install guide for haproxy 2.2.2 and the upgrade guide from 1.* or 2.1.*?


Where can I get the official source install guide for haproxy 2.2.2?
It would be better to also include a guide on how to upgrade a source install (1.*, 2.0.* or 2.1.8).
Since the haproxy version in CentOS 7 is 1.5.*, it would be great to have a guide on how to upgrade from 1.5 (yum install).

1 post - 1 participant

Read full topic
