Channel: HAProxy community - Latest topics

Websockets transition during graceful reload


My problem is that I use websockets with stick-tables and need to periodically update the configuration using an external tool. As I understand this process, I will have several PIDs while connections are established, but this doesn't work as described. Each time I reload the configuration, the websocket connection is dropped.

Reload command:

kill -USR2 `cat /etc/haproxy/haproxy.pid`

Configuration snippet:

global
  pidfile /etc/haproxy/haproxy.pid
  master-worker
  mworker-max-reloads 20
  log stdout local0
  maxconn 500000
  stats socket /var/run/haproxy.sock mode 660 level admin
  stats timeout 30s
  nbproc 1
  nbthread 2
  cpu-map auto:1/1-2 0-1

defaults
  mode http
  log global
  timeout connect 5s
  timeout client 10s
  timeout server 60s
  timeout client-fin 1s
  timeout server-fin 1s
  timeout http-request 10s
  timeout http-keep-alive 300s

  option httplog
  option redispatch
  option dontlognull
  option forwardfor

peers local
  peer haproxy haproxy:1024

frontend stats
  bind :32600
  option http-use-htx
  option dontlog-normal
  http-request use-service prometheus-exporter if { path /metrics }
  stats enable
  stats uri /
  stats refresh 20s

frontend https-in
  bind *:8433 accept-proxy
  mode http

  # Define hosts
  acl host hdr(host) -i doman.com

  ## figure out which one to use
  use_backend servers if host

frontend http-in
  bind :8080 accept-proxy
  mode http
  redirect scheme https code 301 if !{ ssl_fc }

backend servers
  http-request set-header X-Real-IP %[src];
  http-request set-header X-Forwarded-For %[src];
  http-request set-header X-Forwarded-Proto %[src];
  http-request set-header Connection "upgrade"
  http-request set-header Host %[src]

  balance leastconn
  stick-table type string len 80 size 1m expire 8h peers local
  stick on url_param(mrid)

  timeout server  120s
  server1 adress1
  server2 adress2
  ...

Can you help me find whether there is another way of graceful termination? Or maybe any thoughts on this topic?

1 post - 1 participant


Disable-on-404 seems not to work


Can HAProxy ensure every call to a backend server is successful when one of the backend servers is down?
I tried to use the disable-on-404 parameter.

mode http
option httpchk
http-check expect status 200
http-check disable-on-404
balance roundrobin
server host1 11.11.11.11:9080 check inter 2000 rise 1 fall 2
server host2 11.11.11.12:9080 check inter 2000 rise 1 fall 2

but when 11.11.11.11 is down, we still get many 404 errors on 11.11.11.11.

2020-08-25T11:58:14 11.11.11.11:9080 200 POST /tsturl1 HTTP/1.1 2274
2020-08-25T11:58:14 11.11.11.22:9080 200 POST /tsturl1 HTTP/1.1 448
2020-08-25T11:58:14 11.11.11.11:9080 503 POST /tsturl1 HTTP/1.1 0
2020-08-25T11:58:14 11.11.11.11:9080 404 POST /tsturl1 HTTP/1.1 0
2020-08-25T11:58:14 11.11.11.11:9080 200 POST /tsturl1 HTTP/1.1 1503
2020-08-25T11:58:16 11.11.11.22:9080 200 POST /tsturl1 HTTP/1.1 617
2020-08-25T11:58:16 11.11.11.11:9080 404 POST /tsturl1 HTTP/1.1 0
2020-08-25T11:58:16 11.11.11.22:9080 200 POST /tsturl1 HTTP/1.1 618
2020-08-25T11:58:16 11.11.11.11:9080 404 POST /tsturl1 HTTP/1.1 0

2020-08-25T11:58:16 host1 is DOWN, reason: Layer7 wrong status, code: 404, info: "Not Found", check duration: 0ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
2020-08-25T11:58:16 11.11.11.22:9080 200 POST /tsturl1 HTTP/1.1 645

From the design, when a 404 is found, no more requests should be directed to this server, but the test shows that is not the case. Can anybody tell me why?

1 post - 1 participant
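An added example (editor's code, not from the post) that parses the log excerpt above and reports, per server, how many requests were still forwarded to it after its first 404 and when the health check finally marked it DOWN; it assumes the simplified line layout shown in the post (timestamp, server, status, method, path, protocol, bytes).

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: the post's log excerpt, re-typed with straight quotes.
SAMPLE_LOG = """\
2020-08-25T11:58:14 11.11.11.11:9080 200 POST /tsturl1 HTTP/1.1 2274
2020-08-25T11:58:14 11.11.11.22:9080 200 POST /tsturl1 HTTP/1.1 448
2020-08-25T11:58:14 11.11.11.11:9080 503 POST /tsturl1 HTTP/1.1 0
2020-08-25T11:58:14 11.11.11.11:9080 404 POST /tsturl1 HTTP/1.1 0
2020-08-25T11:58:14 11.11.11.11:9080 200 POST /tsturl1 HTTP/1.1 1503
2020-08-25T11:58:16 11.11.11.22:9080 200 POST /tsturl1 HTTP/1.1 617
2020-08-25T11:58:16 11.11.11.11:9080 404 POST /tsturl1 HTTP/1.1 0
2020-08-25T11:58:16 11.11.11.22:9080 200 POST /tsturl1 HTTP/1.1 618
2020-08-25T11:58:16 11.11.11.11:9080 404 POST /tsturl1 HTTP/1.1 0
2020-08-25T11:58:16 host1 is DOWN, reason: Layer7 wrong status, code: 404, info: "Not Found", check duration: 0ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
2020-08-25T11:58:16 11.11.11.22:9080 200 POST /tsturl1 HTTP/1.1 645
"""


def parse_line(line):
    """Classify one line: ('req', ts, server, status), ('down', ts, name) or None."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    if parts[2] == "is" and parts[3] == "DOWN,":      # health-check state change
        return ("down", ts, parts[1])
    if len(parts) >= 7 and parts[2].isdigit():        # access-log line
        return ("req", ts, parts[1], int(parts[2]))
    return None


def analyse(log_text):
    """Per server: status counts, time of its first 404, and how many requests
    HAProxy still forwarded to it after that first 404; plus the DOWN events."""
    stats = {}
    down_events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec[0] == "down":
            down_events.append((rec[1], rec[2]))
            continue
        _, ts, server, status = rec
        s = stats.setdefault(server, {"codes": defaultdict(int),
                                      "first_404": None, "after_404": 0})
        s["codes"][status] += 1
        if s["first_404"] is not None:
            s["after_404"] += 1            # traffic kept flowing after a 404
        elif status == 404:
            s["first_404"] = ts
    return stats, down_events


def report(log_text):
    """Human-readable summary: one line per server plus one per DOWN event."""
    stats, downs = analyse(log_text)
    out = []
    for server, s in sorted(stats.items()):
        codes = ", ".join("%d x%d" % (c, n) for c, n in sorted(s["codes"].items()))
        line = "%s: %s" % (server, codes)
        if s["first_404"] is not None:
            line += "; first 404 at %s, %d more requests after it" % (
                s["first_404"].time(), s["after_404"])
        out.append(line)
    for ts, name in downs:
        out.append("%s marked DOWN by the health check at %s" % (name, ts.time()))
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Worth keeping in mind when reading the output: disable-on-404 reacts to the response of the health check itself, not to 404s in user traffic, so between two checks (check inter 2000 here) user requests still reach the server, which is what the 404 lines between the first 404 and the DOWN event show.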

Outgoing SMTP Traffic from AntiSpam Appliance


Dear HAProxy Community,

We have the following problem: I am using an AntiSpam Mail Appliance from Barracuda (Mail Security Gateway). We use pfSense as a firewall. I am now supposed to send out over 10 IP addresses from our AntiSpam appliance. Basically, this works perfectly (outgoing NAT via round robin). My main problem currently is that the firewall correctly increments the IP address with each new connection, but the appliance also always sends out its host name antispam.domain.com. The problem: if we send out over 10 IP addresses, I can always only use antispam.domain.com as reverse DNS. As soon as I enter ip1.antispam.domain.com as reverse DNS for IP 1, the emails are rejected (of course, since the AntiSpam system always sends out via antispam.domain.com).

I hope to find a solution with HAProxy here. It would be best if I could send the AntiSpam system's mail via a smarthost, which would then also rewrite the host name to ip1.antispam.domain.com (ip2.antispam.domain.com, …) when sending via IP 1.

Is this possible with HAProxy?

If I currently only use antispam.domain.com as reverse DNS for all IP addresses, I get an INVALID RDNS error back. Therefore every connection that is established must be sent out via the correct host name.

I can install the HAProxy package on my pfSense firewall.

Thank you in advance.

1 post - 1 participant

Haproxy doesn't retry to another backend on 503 error


Hi,
Could you help me with the issue below?
I have haproxy-2.0.17-1.el7.x86_64 on RHEL7_7.
Here is the config:

defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
retries 3
timeout http-request 10s
timeout queue 10s
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 200

frontend main
bind 192.168.10.2:8185
# if SOAPAction is found, route it to APPGW SOAP endpoint
acl soap_hdr req.hdr(SOAPAction) -m found

acl whitelist1 src 192.168.0.0/14
acl whitelist2 src 192.168.1.28/31 192.168.2.213/31 192.168.2.232/31

tcp-request connection reject if !whitelist1 !whitelist2


use_backend cmpsoap if soap_hdr


# if URL is /Air, route to AIR backend
acl cmpair url /Air
use_backend cmpair if cmpair

# if URL is /pretups, route to ERS backend
#acl cmpers url /pretups
acl cmpers url /pretups/C2SReceiver?REQUEST_GATEWAY_CODE=IRIS&REQUEST_GATEWAY_TYPE=EXTGW&LOGIN=test_iris&PASSWORD=25de0ca33253864357b8dd07805c26a1&SOURCE_TYPE=EXTGW&SERVICE_PORT=190
use_backend cmpers if cmpers

default_backend             cmphttp

backend cmpsoap
balance roundrobin
option redispatch
retry-on conn-failure 503
server cmpsoap1 192.168.10.8:8086 maxconn 20 check
server cmpsoap2 192.168.10.11:8086 maxconn 20 check

As you can see, I have the retry-on option for conn-failure and 503 errors.
But HAProxy does not retry to another backend server on a 503 error while I send SOAP requests to the frontend 192.168.10.2:8185. Please see the HAProxy logs that were written during the test:

Aug 25 08:56:17 localhost haproxy[35252]: 192.168.2.213:52079 [25/Aug/2020:08:56:17.553] main cmpsoap/cmpsoap1 0/0/0/78/78 200 4347 - - ---- 1/1/0/0/0 0/0 "POST / HTTP/1.1"
Aug 25 08:56:18 localhost haproxy[35252]: 192.168.2.213:52079 [25/Aug/2020:08:56:18.249] main cmpsoap/cmpsoap2 0/0/1/97/98 200 4347 - - ---- 1/1/0/0/0 0/0 "POST / HTTP/1.1"
Aug 25 08:56:19 localhost haproxy[35252]: 192.168.2.213:52079 [25/Aug/2020:08:56:19.122] main cmpsoap/cmpsoap1 1/0/0/51/52 200 4347 - - ---- 1/1/0/0/0 0/0 "POST / HTTP/1.1"
Aug 25 08:56:20 localhost haproxy[35252]: 192.168.2.213:52079 [25/Aug/2020:08:56:20.005] main cmpsoap/cmpsoap2 0/0/0/90/90 200 4347 - - ---- 1/1/0/0/0 0/0 "POST / HTTP/1.1"

At this moment I started stopping the SOAP server application on the 192.168.10.8 host (it is server cmpsoap1 in the backend configuration),
and 503 errors appeared in the log.

Aug 25 08:56:20 localhost haproxy[35252]: 192.168.2.213:52079 [25/Aug/2020:08:56:20.862] main cmpsoap/cmpsoap1 0/0/0/0/0 503 125 - - ---- 1/1/0/0/0 0/0 "POST / HTTP/1.1"
Aug 25 08:56:21 localhost haproxy[35252]: 192.168.2.213:52079 [25/Aug/2020:08:56:21.406] main cmpsoap/cmpsoap2 0/0/0/99/99 200 4347 - - ---- 1/1/0/0/0 0/0 "POST / HTTP/1.1"
Aug 25 08:56:22 localhost haproxy[35252]: 192.168.2.213:52079 [25/Aug/2020:08:56:22.300] main cmpsoap/cmpsoap1 0/0/0/0/0 503 125 - - ---- 1/1/0/0/0 0/0 "POST / HTTP/1.1"
Aug 25 08:56:23 localhost haproxy[35252]: 192.168.2.213:52079 [25/Aug/2020:08:56:23.235] main cmpsoap/cmpsoap2 0/0/0/74/74 200 4347 - - ---- 1/1/0/0/0 0/0 "POST / HTTP/1.1"

At this moment the SOAP server was almost stopped, and you can see that HAProxy started to retry.

Aug 25 08:57:17 localhost haproxy[35252]: 192.168.2.213:52079 [25/Aug/2020:08:57:17.212] main cmpsoap/cmpsoap2 0/0/1/73/74 200 4347 - - ---- 1/1/0/0/+1 0/0 "POST / HTTP/1.1"
Aug 25 08:57:18 localhost haproxy[35252]: 192.168.2.213:52079 [25/Aug/2020:08:57:17.983] main cmpsoap/cmpsoap2 0/0/1/100/101 200 4347 - - ---- 1/1/0/0/+1 0/0 "POST / HTTP/1.1"
Aug 25 08:57:19 localhost haproxy[35252]: 192.168.2.213:52079 [25/Aug/2020:08:57:18.921] main cmpsoap/cmpsoap2 0/0/1/85/86 200 4347 - - ---- 1/1/0/0/+1 0/0 "POST / HTTP/1.1"
Aug 25 08:57:19 localhost haproxy[35252]: 192.168.2.213:52079 [25/Aug/2020:08:57:19.577] main cmpsoap/cmpsoap2 0/0/0/116/116 200 4347 - - ---- 1/1/0/0/+1 0/0 "POST / HTTP/1.1"
Aug 25 08:57:20 localhost haproxy[35252]: 192.168.2.213:52079 [25/Aug/2020:08:57:20.581] main cmpsoap/cmpsoap2 0/0/1/161/162 200 4347 - - ---- 1/1/0/0/+1 0/0 "POST / HTTP/1.1"
Aug 25 08:57:21 localhost haproxy[35252]: 192.168.2.213:52079 [25/Aug/2020:08:57:21.375] main cmpsoap/cmpsoap2 0/0/1/140/141 200 4347 - - ---- 1/1/0/0/+1 0/0 "POST / HTTP/1.1"

After several seconds the application was fully stopped, and HAProxy started to send requests to the soap2 backend server only.

Aug 25 08:57:21 localhost haproxy[35252]: Server cmphttp/cmphttp1 is DOWN, reason: Layer4 connection problem, info: "Connection refused", check duration: 0ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Aug 25 08:57:22 localhost haproxy[35252]: Server cmpsoap/cmpsoap1 is DOWN, reason: Layer4 connection problem, info: "Connection refused", check duration: 0ms. 1 active and 0 backup servers left. 2 sessions active, 0 requeued, 0 remaining in queue.
Aug 25 08:57:22 localhost haproxy[35252]: 192.168.2.213:52079 [25/Aug/2020:08:57:22.414] main cmpsoap/cmpsoap2 0/0/1/73/74 200 4347 - - ---- 1/1/0/0/0 0/0 "POST / HTTP/1.1"
Aug 25 08:57:23 localhost haproxy[35252]: 192.168.2.213:52079 [25/Aug/2020:08:57:23.478] main cmpsoap/cmpsoap2 0/0/1/60/61 200 4347 - - ---- 1/1/0/0/0 0/0 "POST / HTTP/1.1"
Aug 25 08:57:24 localhost haproxy[35252]: 192.168.2.213:52079 [25/Aug/2020:08:57:24.361] main cmpsoap/cmpsoap2 0/0/1/83/84 200 4347 - - ---- 1/1/0/0/0 0/0 "POST / HTTP/1.1"

What do you think is the reason for this behaviour? Why does HAProxy not retry on a 503 error?

1 post - 1 participant

Installing Letsencrypt SSL?


So, my network is running LXD containers. I have an Ubuntu 20.4 host running LXD 3.0.
My apps are installed in individual containers.
I have one container running HAProxy 1.8.8.
My host forwards ports 80 and 443 to the HAProxy container.
HAProxy redirects to the appropriate container based on the URL.

I need to have SSL for all application containers. It was recommended that I install the Letsencrypt SSL certs in HAProxy. I have successfully (I think) installed a cert for the sub-domain that I am working on. However, browsing to the sub-domain is still "Not Secure"! I am using Chrome.

When I look at the cert in the browser, it says it expired (08/19/2020)? But in HAProxy, certbot certificates indicates the certs expire 2020-11-27?

Ideas?

Thanks,

Ray

1 post - 1 participant

NFS load balancing


I have two NFS servers in my environment exporting the same content. I want to load balance between them using a TCP reverse proxy (HAProxy/nginx). Please advise whether this is possible, since NFS requires multiple ports (2049/111 etc.). Looking for advice.

1 post - 1 participant

HAProxy "miscalculates" total current sessions


Hello,

It seems that HAProxy doesn't calculate current sessions properly, as you can see in the screenshot below.

I'm running: HA-Proxy version 2.0.17-1~bpo10+1 2020/08/02 - https://haproxy.org/ and the configuration for this part is quite basic.
On the server, ss -ntp | grep ESTAB | grep X.X.X.X:3128 | wc -l gives me 1732, which is closer to the sum of current sessions.

I didn’t restart or reload the process yet.

Any idea why it happens?

1 post - 1 participant

Lua fetcher broken in HAproxy 2.2


Hi,

I'm upgrading my HAProxy setup from 2.1 right now and noticed that a Lua function that works fine in 2.1 is now broken. Inside a sample fetcher, I'm trying to access the common name of the TLS server certificate that was used in this connection:

local cn = txn.sf:ssl_f_s_dn("CN")

We have a setup where one out of multiple wildcard certificates is chosen based on the client’s SNI info.

The error I get is:

[ALERT] 243/121119 (14836) : Lua sample-fetch 'cncheck': runtime error: cncheck.lua:9: attempt to call a nil value (method 'ssl_f_s_dn') from tiserv.lua:9 C function line 3.

I have seen that TLS support was significantly extended in 2.2, but I have no idea why this fetcher is now broken. Does anyone have an idea?

Chris

1 post - 1 participant


Does hard-stop-after apply to old processes?


I added hard-stop-after to my configuration:

global
  hard-stop-after 200s

but 10 minutes after the reload there are still 3 old processes running.

/system.slice/haproxy.service
├─ 1731 /usr/sbin/haproxy -Ws -f /etc/haproxy/conf.d -p /run/haproxy.pid -S /run/haproxy-master.sock -sf 16182 6320 -x /run/haproxy/admin.sock
├─ 6320 /usr/sbin/haproxy -Ws -f /etc/haproxy/conf.d -p /run/haproxy.pid -S /run/haproxy-master.sock -sf 12110 23479 -x /run/haproxy/admin.sock
├─16182 /usr/sbin/haproxy -Ws -f /etc/haproxy/conf.d -p /run/haproxy.pid -S /run/haproxy-master.sock -sf 6320 -x /run/haproxy/admin.sock
└─19335 /usr/sbin/haproxy -Ws -f /etc/haproxy/conf.d -p /run/haproxy.pid -S /run/haproxy-master.sock -sf 16182 6320 -x /run/haproxy/admin.sock

I can only guess one thing: old processes don't get the new config, so this parameter doesn't apply to them. But on the other hand, it's a global-level parameter, so I expect the master process to do what's required and terminate the old processes.

1 post - 1 participant

Any way to get peers working with server-template


Has anyone found a way to get peers working with server-template?

It seems that server-template just fills in IP addresses in the order it gets them from DNS, which means that if the DNS server responds in a random order, different peers will have the same server IDs pointing to different servers. Even if DNS is in a consistent order, if the set of records changes and different HAProxy peers restart at different times, you can end up in a similar situation.

I’ve opened a feature request at https://github.com/haproxy/haproxy/issues/814 to support this use-case better. But has anyone found a good workaround for this?

The only solution I've found is to dynamically generate the HAProxy config with server lines in a well-defined order, and restart/reload HAProxy whenever the DNS changes, which is less than ideal.

1 post - 1 participant

Stick table storing url hits


Hello,
I would like to set up HAProxy to do the following:
HAProxy records visited URLs and counts hits for every visited URL.
Depending on the hit count, if the visited URL is above an arbitrary threshold of, let's say, 3 hits, it would be sent to a specific backend; if below, it would go to the default backend.

Unfortunately I don't know how to set up a stick table storing the information I need and use it in an ACL.
I would be grateful for an example of how to do that.

2 posts - 1 participant

SSL Deployments


Hi,
I am new to HAProxy and I have a scenario in our quality environment that works great without SSL.
Now I want to test with SSL. My scenario is:
OS: Alpine Linux 3.12 (Linux Kernel 5.4.43-1-lts).
HAProxy: 2.1.4

I have read the HAProxy Deployment guide - Infrastructure Layouts Involving TLS - and tested the SSL/TLS pass-through mode; it seems to work more or less well, but in the browser the certificate is flagged as not valid. If I access the web server directly, the certificate is considered valid.

Do I have to add the FQDN of the HAProxy server to the SAN attribute of the web server certificate?

The other option I have considered is the SSL/TLS bridging or re-encryption mode. If I have understood correctly, I need the web server certificate and the private key merged in the same .pem file. Although I am able to generate the certificates for our web servers, I do not have the private key (we are the CA). So I cannot use this mode, right?

thanks.

2 posts - 1 participant

Prepend to path conditionally


I am trying to conditionally prepend a subdomain to the path.

Incoming https://<subdomain>.mysite.com/<path>

This should become https://<subdomain>.mysite.com/<subdomain>/<path>

but only if the path does not already start with . For example:

https://abc.mysite.com/jungle should become https://abc.mysite.com/abc/jungle

but https://abc.mysite.com/abc/jungle should not be changed.

I have this in haproxy.cfg. It correctly isolates the subdomain in var(req.store_id), but it prepends to the path even if the store_id

    acl insti_prod         hdr_reg(host) -i [^.]*.mysite.com

    http-request set-var(req.store_id) req.hdr(host),lower,regsub(\.mysite\.com$,) if insti_prod

    # Pre-pend subdomain to the path if not already there
    http-request set-path /%[var(req.store_id)]%[path] if { var(req.store_id) -m found } !{ path_beg /var(req.store_id) }

Where am I going wrong?

Thanks!

1 post - 1 participant

CPU Affinity - nbproc>1 and nbthread>1


When running HAProxy on a machine with more than one CPU socket, it is recommended (https://www.haproxy.com/documentation/hapee/2-1r1/configuration/system-tuning/#pin-network-interrupts-to-cores) that HAProxy run with CPU affinity, hence nbproc=2 with each process pinned to its own NUMA cores:

:~# lscpu 
Architecture:        x86_64
CPU op-mode(s):      32-bit, 64-bit
CPU(s):              40
On-line CPU(s) list: 0-39
Thread(s) per core:  2
Core(s) per socket:  10
Socket(s):           2
NUMA node(s):        2
NUMA node0 CPU(s):   0,2,4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38
NUMA node1 CPU(s):   1,3,5,7,9,11,13,15,17,19,21,23,25,27,29,31,33,35,37,39

When trying to run my HAProxy with the following config:

nbproc 2
nbthread 32
cpu-map auto:1/1-16 1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31
cpu-map auto:2/17-32 0 2 4 6 8 10 12 14 16 18 20 22 24 26 28 30

I get error:

config : cannot enable multiple processes if multiple threads are configured. Please use either nbproc or nbthread but not both.

From the source code, it is not possible to use nbproc>1 and nbthread>1:

    if (global.nbproc > 1 && global.nbthread > 1) {
        ha_alert("config : cannot enable multiple processes if multiple threads are configured. Please use either nbproc or nbthread but not both.\n");
        err_code |= ERR_ALERT | ERR_FATAL;
        goto out;
    }

The HAProxy documentation for nbthread states: "This is exclusive with nbproc."

I want to optimise HAProxy running on a dual-socket server and run it in 2 processes, where each process is bound to its NUMA cores and uses the CPU's L3 cache, but it seems that this is now impossible in newer HAProxy versions.

To get better performance I'm forced to use only one CPU and not both, with:

nbproc 1
nbthread 16
cpu-map auto:1/1-16 1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31

How can I optimise HAProxy on a 2-socket CPU and bind each process to its own NUMA cores?

1 post - 1 participant

Mutual-authentication in distroless container


I’m trying to use Google Distroless to tighten the security of my HAProxy container workload.

Almost everything is working, meaning general SSL termination, redirects, ACLs and what not. The only thing that is giving me a headache is mutual authentication when using the distroless approach. N.B. mutual authentication works when not using distroless!

I enabled verbose logging and the “error”/result I get is:

SOME_WAN_IP:40472 [30/Aug/2020:20:54:11.213] mutual_auth_clientcert/1: SSL handshake failure     

This is my setup.

The Dockerfile:

FROM haproxy:2.2.2 as build

#
# Initial configuration
#
ARG HAPROXY_USER=haproxy

#
# - Permissions: run as non-root user
# - File copying: needed HAProxy files to /opt for distroless in-sourcing
#
RUN addgroup --gid 1024 ${HAPROXY_USER} && \
    adduser --ingroup ${HAPROXY_USER} --system --shell /bin/bash ${HAPROXY_USER} && \
    mkdir -p /opt/etc && \
    cp -a --parents /usr/local/etc/haproxy /opt && \
    cp -a --parents /usr/local/sbin/haproxy /opt && \
    cp -a --parents /lib/x86_64-linux-gnu/libz.so.* /opt && \
    cp -a --parents /lib/x86_64-linux-gnu/libdl.so.* /opt && \
    cp -a --parents /lib/x86_64-linux-gnu/libpthread.so.* /opt && \
    cp -a --parents /lib/x86_64-linux-gnu/libm.so.* /opt && \
    cp -a --parents /lib/x86_64-linux-gnu/libc.so.* /opt && \
    cp -a --parents /usr/lib/x86_64-linux-gnu/libcrypto.so.* /opt && \
    cp -a --parents /usr/lib/x86_64-linux-gnu/liblua5.3.so.* /opt && \
    cp -a --parents /usr/lib/x86_64-linux-gnu/libpcre2-8.so.* /opt && \
    cp -a --parents /usr/lib/x86_64-linux-gnu/libpcre2-posix.so.* /opt && \
    cp -a --parents /usr/lib/x86_64-linux-gnu/libssl.so.* /opt && \
    cp -a --parents /etc/passwd /opt && \
    cp -a --parents /etc/group /opt

#################
# GO DISTROLESS #
#################
FROM gcr.io/distroless/base-debian10
COPY --from=build /opt /

# Set the container to run as the just created user
USER ${HAPROXY_USER}

#
# Boot value. The -W and -db options are needed in order for HAProxy to work
# with the distroless image
# -W    == indicates to the HAProxy process that it should run in `master-worker mode`
# -db   == disables background mode
#
CMD ["haproxy", "-W", "-db", "-f", "/usr/local/etc/haproxy/haproxy.cfg"]

The HAProxy config:

# ---------------------- #
# CONFIG & OVERALL SETUP #
# ---------------------- #
global
        # Global log options
        log stdout format raw local0 info

        # HAProxy configuration security
        daemon
        maxconn 1024

        # Stats
        stats socket /haproxysocket/haproxy.sock mode 660 level admin
        stats timeout 2m

        # Encryption conf.
        ssl-default-bind-options force-tlsv12 prefer-client-ciphers
        ssl-default-bind-ciphers ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1
        ssl-default-server-options force-tlsv12
        ssl-default-server-ciphers ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1
        tune.ssl.default-dh-param 2048

defaults
        log global
        mode http
        option httplog
        option dontlognull
        option forwardfor
        option http-server-close
        timeout connect 5000
        timeout client 50000
        timeout server 50000
        stats realm Haproxy\ Statistics
        stats refresh 10s
        stats uri /haproxy?stats
        stats auth user:pass

# --------- #
# FRONTENDS #
# --------- #
frontend http_front
        bind *:80

        # -------------- #
        # Endpoint rules #
        # -------------- #
        #
        # Other domains letsencrypt request and renew config
        #
        acl letsEncrypt path_beg /.well-known

        # a.domain.com
        acl a-domain hdr_dom(Host) -i a.domain.com
        acl a-domain-path path_beg /test
        http-request redirect code 301 location /test if !a-domain-path a-domain !letsEncrypt 

        # ----------- #
        # Add headers #
        # ----------- #
        http-request set-header X-Forwarded-Proto http

        # ------------------------------------------------ #
        # Set the backend to use for the various endpoints #
        # ------------------------------------------------ #
        # Lighttpd, with HTTP
        use_backend lighttpd_back if a-domain !letsEncrypt

        # Default backend
        default_backend fun-and-games

frontend port443_splitter
        bind :443
        mode tcp

        # -----
        # Layer 4 inspects to split requests to different backends, 
        # for further re-circulation to dedicated TLS frontends.
        # In order to support mutual auth.
        # -----
        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }

        # ------------- #
        # ROUTING RULES #
        # ------------- #
        use_backend recir_clientcertenabled if { req_ssl_sni -i a.domain.com }
        default_backend recir_clientcertenabled

frontend mutual_auth_clientcert
        # Bind & conf. for a.domain.com 
        bind abns@mutual-auth-clientcert accept-proxy ssl crt /usr/local/etc/haproxy/pems/ ca-file /usr/local/etc/haproxy/mutualauth/ca.crt verify required crl-file /usr/local/etc/haproxy/mutualauth/ca_crl.pem alpn h2,http/1.1

        # -------------- #
        # Endpoint rules #
        # -------------- #
        # a.domain.com
        acl a-domain hdr(Host) -i a.domain.com
        acl a-domain-path path_beg /test
        http-request redirect code 301 location /test if !a-domain-path a-domain

        # ------------------------------------------------ #
        # Set the backend to use for the various endpoints #
        # ------------------------------------------------ #
        # Lighttpd backend, with HTTPS
        use_backend lighttpd_back if a-domain

frontend https_front
        # Setup HTTPS, load certificate files & advertise support for both HTTP2 & 1
        #bind *:443 ssl crt /usr/local/etc/haproxy/pems/ alpn h2,http/1.1
        bind abns@https-front accept-proxy ssl crt /usr/local/etc/haproxy/pems/ alpn h2,http/1.1

        # -------------- #
        # Endpoint rules #
        # -------------- #
        <JUST IMAGINE THAT THERE IS SOMETHING HERE>

        # ----------- #
        # Add headers #
        # ----------- #
        http-request set-header X-Forwarded-Proto https

        # ------------------------------------------------ #
        # Set the backend to use for the various endpoints #
        # ------------------------------------------------ #

        # Default backend
        default_backend fun-and-games

# -------- #
# BACKENDS #
# -------- #
backend recir_default
        # Re-direct/loopback to all frontends that is not using mutual authentication
        mode tcp
        server loopback-for-tls abns@https-front send-proxy-v2

backend recir_clientcertenabled
        # Used for a.domain.com
        mode tcp
        server loopback-for-tls abns@mutual-auth-clientcert send-proxy-v2

backend lighttpd_back
        redirect scheme https if !{ ssl_fc }
        http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains;"
        compression algo gzip
        compression type text/html text/plain text/css application/javascript
        server localhost_lighttpd lighttpd-something:80 check

backend lighttpd_letsencrypt_back
        server localhost_lighttpd 127.0.0.1:8888 check

backend fun-and-games
        redirect scheme https if !{ ssl_fc }
        server localhost_pihole 192.168.0.20:808 check

Versions

  • HAProxy: 2.2.2
  • Docker: Docker version 17.09.1-ce, build 0bbe3ac
  • The base image used, FROM haproxy:2.2.2 as build, in the Dockerfile can be glanced at here: HAProxy 2.2.2 base image Dockerfile. As can be seen from that Dockerfile, HAProxy is built with OpenSSL.

Checked and tried

  • The certificate is valid (mutual auth works when I'm not using a distroless image)
  • I ran ldd on the HAProxy binary and it looks like I'm good in regards to needed libraries
  • I tried running strace on a working container HAProxy workload, with mutual auth; I was not able to conclude anything really useful
  • There are no errors at container image build time
  • To me this is likely something I'm not including/copying into the distroless end result in the container image. I'm at a loss as to what that might be
  • I tried my luck on the HAProxy Slack channel. I got some initial help, but I think this forum fits better for my issue and troubleshooting it. My thread is just slowly disappearing over on Slack.

My hope is that someone here on this forum is able and willing to point me in the right direction: what I'm missing in the end-result distroless image, or potentially some insight into how and what components are involved when a self-signed certificate is used for mutual authentication in HAProxy.

Thank you very much in advance. Any help is highly regarded.

1 post - 1 participant


Multiple log files


Hello!

I use HAProxy to serve 5 instances of WordPress multisites with 2 web servers as backend. Each instance has its own IP.

In the HAProxy configuration, I have defined each instance in one frontend as follows:

frontend http_front
   bind IP1:80
   bind IP2:80
   bind IP3:80
   bind IP4:80
   bind IP5:80
   mode http

   http-request capture req.hdr(Host) len 100

   acl asbl_wp dst IP1
   acl eshop_wp dst IP2
   acl simple_wp dst IP3
   acl complexe_wp dst IP4
   acl wp1 dst IP5
   acl url_wpadmin path_beg /wp-admin

   acl https_enabled hdr(host) -m reg -i -f /etc/haproxy/ssl_domain.lst

   redirect scheme https if asbl_wp !{ ssl_fc }
   redirect scheme https if eshop_wp !{ ssl_fc }
   redirect scheme https if complexe_wp !{ ssl_fc }
   redirect scheme https if simple_wp !{ ssl_fc }
   redirect scheme https if https_enabled

   use_backend http_update if url_wpadmin wp1
   use_backend complexe_update if url_wpadmin complexe_wp
   use_backend simple_update if url_wpadmin simple_wp
   use_backend asbl_update if url_wpadmin asbl_wp
   use_backend eshop_update if url_wpadmin eshop_wp

   use_backend http_back if wp1
   use_backend complexe_back if complexe_wp
   use_backend simple_back if simple_wp
   use_backend asbl_back if asbl_wp
   use_backend eshop_back if eshop_wp

I was first wondering whether this is good practice, or whether it would be better to split each IP into a different frontend definition?

Second question: is it possible to log each request to a different log file (one per frontend or one per IP)? I use fail2ban to ban malicious IPs.

I am running HAProxy version 1.8.14-52e4d43 on a CentOS 7 server.

Thx!

2 posts - 2 participants

General advice for trouble shooting / logging


Hi.

I'm new to HAProxy; however, I have everything working as needed. During testing I made a stupid mistake and specified the wrong CA certificate in "server ca-file". Finding the root cause of this problem took me very long, as the only thing I got was an "SC--" code and an HTTP code of "503" in the logs; there was no hint anywhere about anything wrong related to TLS.

To be prepared for future troubleshooting, is there any advice on what to do in such situations to get a hint that the problem is TLS related (diagnostics / logs / whatever)?

Thanks for sharing your experience.

offbyone

1 post - 1 participant
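An added example (editor's code, not from either post) serving both the "doesn't retry on 503" thread above and this troubleshooting thread: it parses HAProxy 2.0 "option httplog" lines, extracts the retries counter (a "+" prefix marks a redispatch to another server) and decodes the termination-state flags, so a "503 ... SC--" line reads as "server aborted or refused the session while the proxy was waiting for the connection to establish". The sample lines are copied from the 503 post; the SC-- line is constructed to stand in for the wrong-ca-file case and assumes the default retries 3.

```python
import re
from collections import Counter

# Field order of "option httplog" in HAProxy 2.0 (Tq/Tw/Tc/Tr/Tt timers):
# client:port [accept_date] frontend backend/server Tq/Tw/Tc/Tr/Tt status bytes
# req_cookie resp_cookie termination_state actconn/feconn/beconn/srv_conn/retries
# srv_queue/backend_queue "request"   (a syslog prefix may precede it)
HTTPLOG_RE = re.compile(
    r'(?P<client>\S+):(?P<cport>\d+) \[(?P<accept>[^\]]+)\] (?P<frontend>\S+) '
    r'(?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<tq>-?\d+)/(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tr>-?\d+)/(?P<tt>\+?\d+) '
    r'(?P<status>-?\d+) (?P<bytes>\+?\d+) (?P<req_cookie>\S+) (?P<resp_cookie>\S+) '
    r'(?P<tsc>\S{4}) '
    r'(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srvconn>\d+)/(?P<retries>\+?\d+) '
    r'(?P<srv_queue>\d+)/(?P<be_queue>\d+) "(?P<request>[^"]*)"'
)

# First termination-state character: why the session ended (HAProxy docs, section 8.5).
TERM_CAUSE = {
    "-": "normal completion",
    "C": "client aborted the TCP session",
    "S": "server aborted the TCP session or explicitly refused it",
    "P": "proxy aborted it (connection limit, deny rule or blocked response)",
    "L": "handled locally by haproxy, no server involved (stats, errorfile, ...)",
    "R": "proxy resource exhausted (memory, sockets, source ports)",
    "I": "internal error detected by the proxy",
    "D": "killed because the server was detected as down",
    "U": "killed on a backup server because an active server came back up",
    "K": "killed by an admin on the proxy",
    "c": "client-side timeout expired",
    "s": "server-side timeout expired",
}
# Second character: what the session was doing when it ended.
TERM_STATE = {
    "-": "after the end of data transfer",
    "R": "waiting for a complete request from the client",
    "Q": "waiting in the queue for a connection slot",
    "C": "waiting for the connection to the server to establish",
    "H": "waiting for complete response headers from the server",
    "D": "in the data phase",
    "L": "transmitting last data to the client after the server finished",
    "T": "request was tarpitted",
}

# Sample lines: the first five are copied from the 503 post (straight quotes); the
# last one is constructed for the wrong server ca-file case of the troubleshooting post.
SAMPLE_LINES = [
    'Aug 25 08:56:20 localhost haproxy[35252]: 192.168.2.213:52079 [25/Aug/2020:08:56:20.862] main cmpsoap/cmpsoap1 0/0/0/0/0 503 125 - - ---- 1/1/0/0/0 0/0 "POST / HTTP/1.1"',
    'Aug 25 08:56:21 localhost haproxy[35252]: 192.168.2.213:52079 [25/Aug/2020:08:56:21.406] main cmpsoap/cmpsoap2 0/0/0/99/99 200 4347 - - ---- 1/1/0/0/0 0/0 "POST / HTTP/1.1"',
    'Aug 25 08:56:22 localhost haproxy[35252]: 192.168.2.213:52079 [25/Aug/2020:08:56:22.300] main cmpsoap/cmpsoap1 0/0/0/0/0 503 125 - - ---- 1/1/0/0/0 0/0 "POST / HTTP/1.1"',
    'Aug 25 08:57:17 localhost haproxy[35252]: 192.168.2.213:52079 [25/Aug/2020:08:57:17.212] main cmpsoap/cmpsoap2 0/0/1/73/74 200 4347 - - ---- 1/1/0/0/+1 0/0 "POST / HTTP/1.1"',
    'Aug 25 08:57:18 localhost haproxy[35252]: 192.168.2.213:52079 [25/Aug/2020:08:57:17.983] main cmpsoap/cmpsoap2 0/0/1/100/101 200 4347 - - ---- 1/1/0/0/+1 0/0 "POST / HTTP/1.1"',
    # constructed: connect never completed (Tc/Tr = -1), retries exhausted, SC-- and a 503
    'Sep  1 10:00:00 localhost haproxy[1234]: 10.0.0.5:51234 [01/Sep/2020:10:00:00.000] fe_web be_api/api1 0/0/-1/-1/3 503 212 - - SC-- 1/1/0/0/3 0/0 "GET /health HTTP/1.1"',
]


def parse_httplog(line):
    """Parse one httplog line into a dict; None if the line does not match."""
    m = HTTPLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("status", "bytes", "tq", "tw", "tc", "tr", "tt"):
        rec[key] = int(rec[key])
    # "+N": the request was redispatched to another server after N retries on the
    # first one, so the logged server is the one it ended up on.
    rec["redispatched"] = rec["retries"].startswith("+")
    rec["retries"] = int(rec["retries"])
    return rec


def explain_termination(tsc):
    """Decode the first two characters of the 4-char termination state."""
    cause, state = tsc[0], tsc[1]
    return (TERM_CAUSE.get(cause, "unknown cause %r" % cause),
            TERM_STATE.get(state, "unknown state %r" % state))


def summarize(lines):
    """Per backend/server: status-code counts and number of redispatched requests."""
    out = {}
    for line in lines:
        rec = parse_httplog(line)
        if rec is None:
            continue
        key = "%s/%s" % (rec["backend"], rec["server"])
        s = out.setdefault(key, {"statuses": Counter(), "redispatched": 0})
        s["statuses"][rec["status"]] += 1
        if rec["redispatched"]:
            s["redispatched"] += 1
    return out


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = parse_httplog(line)
        print(r["backend"], r["server"], r["status"], r["tsc"], r["retries"],
              "redispatched" if r["redispatched"] else "", *explain_termination(r["tsc"]))
    print(summarize(SAMPLE_LINES))
```

Adding check to a server line that carries ssl/ca-file parameters also makes a server-side handshake failure visible as a health-check state change in the server log messages (a Layer6 failure), rather than only as per-request SC-- codes.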

Not working - configuring haproxy, keepalived, to proxy incoming requests to google.com


I am new to HAProxy. I am trying to implement the below, but it's not working. I want to use 3 IPs: one for each HAProxy server and one for the VIP. Configure the /etc/hosts file so that test.com points to the VIP. I want to make 2 HAProxy servers work in master/slave HA mode using keepalived, create a self-signed cert for HAProxy, and configure the backend server of these HAProxy servers to be www.google.com. If I hit https://test.com in a local browser it should show the contents of google.com; it should be just a proxy to google.com, and the URL in the browser should remain https://test.com while showing google.com.

I have installed haproxy and keepalived on CentOS 7 master and slave servers with the below configuration.

In /etc/haproxy/haproxy.cfg file on master server,


#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend main *:80

    use_backend static if url_static

    default_backend             app

backend app
    http-request set-header Host www.google.com
    server site google.com:443 ssl verify none check


In /etc/keepalived/keepalived.conf,

vrrp_script chk_haproxy {
    script "killall -0 haproxy"    # check the haproxy process
    interval 2                     # every 2 seconds
    weight 2                       # add 2 points if OK
}

vrrp_instance VI_1 {
    interface eth1
    state MASTER
    virtual_router_id 51
    priority 101
    virtual_ipaddress {
        172.28.128.33
    }
    track_script {
        chk_haproxy
    }
}

/etc/hosts - 172.28.128.33 test.com

If I try elinks https://test.com I get: unable to retrieve https://test.com Connection refused.

Please note, I have not configured a self-signed certificate yet.

Can someone please help. Thanks

1 post - 1 participant

Clarification on ownership of .pem files


Hi,
Since HAProxy starts as root but drops its workers to the haproxy user, I was wondering who needs to own the crt, crl-file and so on. Does it need to be the haproxy user, or can the subprocesses still get the content if the owner is root?

I’ve been reading the configuration manual entries on these specific arguments but it doesn’t seem to talk about these topics at all.

We are running on RHEL 7, in master-worker mode, using user haproxy and group haproxy in the .cfg file.

Thank you for your help!

2 posts - 2 participants

Trying to use "acl authorized http_auth(AuthUsers)"


So, researching authentication, I came across: https://blog.taragana.com/guide-haproxy-http-basic-authentication-for-specific-sites-ssl-termination-15813

I am running HAProxy within an LXD container. Without authentication, it works fine with SSL. However, I need to require authentication for another LXD container that is running a Node.js app. I figured this HAProxy authentication would be very simple to implement. And it was. However, it only works one time. Subsequent access to the same site does not require authentication. Is it because I already authenticated?
I am using multiple Chrome tabs. So the first time, Chrome as well as Firefox required authentication, but not subsequently.

Here is my frontend:

frontend http_lb
  bind *:80
  bind *:443 ssl crt /etc/haproxy/certs/bcast.mydomain.us.pem
  redirect scheme https if !{ ssl_fc }

  acl website hdr(host) -i mydomain.us www.mydomain.us
  acl broadcast hdr(host) -i bcast.mydomain.us
  acl authorized http_auth(AuthUsers)
  http-request auth realm bcast1 if broadcast !authorized
  acl acl_letsencrypt path_beg /.well-known/acme-challenge/
  use_backend be_letsencrypt if acl_letsencrypt
  # acl conf hdr(host) -i conf.mydomain.us
  use_backend mainweb if website
  use_backend bcast1 if broadcast authorized

And backend bcast1:

backend bcast1
  balance leastconn
  http-request set-header X-Client-IP %[src]
  redirect scheme https if ! { ssl_fc }
  server broadcast1 broadcast.lxd:9001 check ssl verify none
  http-request del-header Authorization

So, keep in mind that all unauthenticated access works over SSL. It's when I add the above cfg that authentication works one time only, and then unauthenticated access is allowed.

Thanks and look forward to your responses.

1 post - 1 participant
