
Do we need any special steps for HAProxy (HTTPS) forwarding to backend (HTTPS) servers?


Both HTTPS endpoints are using self-signed certificates.

  1. If I use ssl verify none, I can forward the traffic to the backend server, but I can't detect the health of the backend servers with "option httpchk".
    If one server is down, users will fail to open the website even if one of the servers is working properly.

  2. If I use "check", a 503 error is reported:

503 Service Unavailable
No server is available to handle this request.

From the haproxy log, it shows each backend server is down (actually they are fine).

1 post - 1 participant



Problem installing HAProxy


Hi! Installing HAProxy v.2.3 on Ubuntu:
make TARGET = linux-glibc
sudo make install

Installation log:

'haproxy' -> '/usr/local/sbin/haproxy'
install: creating directory '/usr/local/share/man/man1'
'doc/haproxy.1' -> '/usr/local/share/man/man1/haproxy.1'
install: creating directory '/usr/local/doc'
install: creating directory '/usr/local/doc/haproxy'
'doc/configuration.txt' -> '/usr/local/doc/haproxy/configuration.txt'
'doc/management.txt' -> '/usr/local/doc/haproxy/management.txt'
'doc/proxy-protocol.txt' -> '/usr/local/doc/haproxy/proxy-protocol.txt'
'doc/seamless_reload.txt' -> '/usr/local/doc/haproxy/seamless_reload.txt'
'doc/architecture.txt' -> '/usr/local/doc/haproxy/architecture.txt'
'doc/peers-v2.0.txt' -> '/usr/local/doc/haproxy/peers-v2.0.txt'
'doc/regression-testing.txt' -> '/usr/local/doc/haproxy/regression-testing.txt'
'doc/cookie-options.txt' -> '/usr/local/doc/haproxy/cookie-options.txt'
'doc/lua.txt' -> '/usr/local/doc/haproxy/lua.txt'
'doc/WURFL-device-detection.txt' -> '/usr/local/doc/haproxy/WURFL-device-detection.txt'
'doc/linux-syn-cookies.txt' -> '/usr/local/doc/haproxy/linux-syn-cookies.txt'
'doc/SOCKS4.protocol.txt' -> '/usr/local/doc/haproxy/SOCKS4.protocol.txt'
'doc/network-namespaces.txt' -> '/usr/local/doc/haproxy/network-namespaces.txt'
'doc/DeviceAtlas-device-detection.txt' -> '/usr/local/doc/haproxy/DeviceAtlas-device-detection.txt'
'doc/51Degrees-device-detection.txt' -> '/usr/local/doc/haproxy/51Degrees-device-detection.txt'
'doc/netscaler-client-ip-insertion-protocol.txt' -> '/usr/local/doc/haproxy/netscaler-client-ip-insertion-protocol.txt'
'doc/peers.txt' -> '/usr/local/doc/haproxy/peers.txt'
'doc/close-options.txt' -> '/usr/local/doc/haproxy/close-options.txt'
'doc/SPOE.txt' -> '/usr/local/doc/haproxy/SPOE.txt'
'doc/intro.txt' -> '/usr/local/doc/haproxy/intro.txt'

Config is correct:

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
#        ca-base /etc/ssl/certs
#        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # An alternative list with additional directives can be obtained from
        #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
#        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
#        ssl-default-bind-options no-sslv3
        ## Add the line below
#        tune.ssl.default-dh-param 2048

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout client  50000
        timeout server  50000
#        errorfile 400 /etc/haproxy/errors/400.http
#        errorfile 403 /etc/haproxy/errors/403.http
#        errorfile 408 /etc/haproxy/errors/408.http
#        errorfile 500 /etc/haproxy/errors/500.http
#        errorfile 502 /etc/haproxy/errors/502.http
#        errorfile 503 /etc/haproxy/errors/503.http
#        errorfile 504 /etc/haproxy/errors/504.http
frontend http
    bind *:8000
    default_backend servers

backend servers
    server server 127.0.0.1:81

Startup error:

systemd[1]: haproxy.service: Can't open PID file /var/run/haproxy.pid (yet?) after start: No such file or directory
Dec 14 10:31:48 hapserv systemd[1]: haproxy.service: Failed with result 'protocol'.
Dec 14 10:31:48 hapserv systemd[1]: Failed to start SYSV: HA-Proxy is a TCP/HTTP reverse proxy which is particularly suited for high availability environments..

Please help with the problem

4 posts - 2 participants


HAProxy with HTTP/2 / gRPC fails with persistent connection at client and server is restarted


Issue: When a client keeps a long-lived gRPC connection through HAProxy and the backend server restarts (goes down, then comes back up again), all subsequent requests fail with 503 RESET_STREAM even after the server comes back up.

Client:

h2load http://<HAProxy-IP>:<Port>/fast -c 1 -n 10 --duration 10000

HAproxy Version: 2.0.14

HAProxy Configuration

global
    daemon
    log 127.0.0.1	local0 info
    maxconn 50000
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options ssl-min-ver TLSv1.1

defaults
    log global
    maxconn 3000
    mode http
    timeout connect 10s
    timeout client 30s
    timeout server 100s
    option httplog
    option http-use-htx
    #option logasap

frontend fe_proxy
    bind 10.33.251.152:15004 proto h2
    default_backend be_servers

backend be_servers
    balance roundrobin
    server 10.20.30.40 10.20.30.40:8081 weight 255 proto h2  

HAProxy Logs for failure cases:

   [14/Dec/2020:20:23:21.422] fe_proxy be_servers/10.20.30.40 0/0/-1/-1/40007 503 0 - - sC-- 1/1/0/0/3 0/0 "GET /fast HTTP/2.0"
   [14/Dec/2020:20:24:01.479] fe_proxy be_servers/10.20.30.40 0/0/-1/-1/40006 503 0 - - sC-- 1/1/0/0/3 0/0 "GET /fast HTTP/2.0"
   [14/Dec/2020:20:24:41.543] fe_proxy be_servers/10.20.30.40 0/0/-1/-1/40007 503 0 - - sC-- 1/1/0/0/3 0/0 "GET /fast HTTP/2.0"

When timeout server 100s is set as 30s, it seems to work fine. Is it mandatory to keep timeout server 30s for http/2 case?

Also, after server restarted successfully, it was noticed that HAProxy sends SYN to server, server sends SYN/ACK back and then HAProxy sends RST packet and throws the above log.

Please help with this issue.

1 post - 1 participant
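As an added example (not from the post, and not HAProxy's own code): a parser for the httplog lines quoted above that decodes the sC-- termination state and the TR/Tw/Tc/Tr/Ta timers, and, for lines where the connection was never established (Tc = -1), divides Ta by the attempts counted in the 1/1/0/0/3 field (retries + 1) to estimate which timeout fired. The first two sample lines are the post's; the third, a successful request, is constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The first two lines are the failures quoted in the post; the third (a successful request) is constructed.
SAMPLE_LOG = """\
[14/Dec/2020:20:23:21.422] fe_proxy be_servers/10.20.30.40 0/0/-1/-1/40007 503 0 - - sC-- 1/1/0/0/3 0/0 "GET /fast HTTP/2.0"
[14/Dec/2020:20:24:01.479] fe_proxy be_servers/10.20.30.40 0/0/-1/-1/40006 503 0 - - sC-- 1/1/0/0/3 0/0 "GET /fast HTTP/2.0"
[14/Dec/2020:20:25:00.000] fe_proxy be_servers/10.20.30.40 0/0/1/2/5 200 512 - - ---- 1/1/0/0/0 0/0 "GET /fast HTTP/2.0"
"""

# Termination state, section 8.5 of the HAProxy configuration manual: first char = cause, second = phase.
TERM_CAUSE = {
    "-": "normal termination",
    "C": "client aborted the TCP session",
    "S": "server aborted or refused the TCP session",
    "P": "proxy aborted the session (policy, error or protocol violation)",
    "L": "handled locally by the proxy (redirect, stats, errorfile)",
    "R": "proxy resource exhaustion",
    "I": "internal proxy error",
    "D": "killed because the server was marked DOWN",
    "U": "killed on a backup server because an active server came UP",
    "K": "killed by an administrator",
    "c": "client-side timeout expired",
    "s": "server-side timeout expired",
}
TERM_PHASE = {
    "-": "normal",
    "R": "waiting for a complete request from the client",
    "Q": "queued, waiting for a server slot",
    "C": "waiting for the connection to the server to establish",
    "H": "waiting for response headers from the server",
    "D": "in the data phase",
    "L": "sending the last data to the client after the server closed",
    "T": "tarpitted",
}

# Fields after the accept date in the default httplog format; any syslog/client-address prefix is skipped.
LINE_RE = re.compile(
    r'\[(?P<accept>[^\]]+)\] (?P<fe>\S+) (?P<be>[^/\s]+)/(?P<srv>\S+) '
    r'(?P<TR>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Ta>-?\d+) '
    r'(?P<status>-?\d+) (?P<bytes>\d+) \S+ \S+ (?P<term>\S{4}) '
    r'(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srvconn>\d+)/(?P<retries>\d+) '
    r'(?P<srvq>\d+)/(?P<beq>\d+) "(?P<request>[^"]*)"'
)


@dataclass
class HttpLogRecord:
    frontend: str
    backend: str
    server: str
    timers: Dict[str, int]   # TR, Tw, Tc, Tr, Ta in ms; -1 means that phase was never reached
    status: int
    term_state: str          # e.g. "sC--": cause 's', phase 'C'
    retries: int
    request: str

    @property
    def attempts(self) -> int:
        return self.retries + 1  # the initial try plus each retry

    def describe(self) -> str:
        cause = TERM_CAUSE.get(self.term_state[0], "unknown cause")
        phase = TERM_PHASE.get(self.term_state[1], "unknown phase")
        return f"{self.status} {self.term_state}: {cause}; {phase}; {self.attempts} attempt(s)"

    def connect_timeout_estimate_ms(self) -> Optional[int]:
        """For sC-- lines (every attempt timed out before connect) Ta is about attempts x 'timeout connect'."""
        if self.term_state[:2] != "sC" or self.timers["Tc"] != -1:
            return None
        return self.timers["Ta"] // self.attempts


def parse_httplog(line: str) -> Optional[HttpLogRecord]:
    m = LINE_RE.search(line)
    if m is None:
        return None
    return HttpLogRecord(
        frontend=m["fe"], backend=m["be"], server=m["srv"],
        timers={k: int(m[k]) for k in ("TR", "Tw", "Tc", "Tr", "Ta")},
        status=int(m["status"]), term_state=m["term"],
        retries=int(m["retries"]), request=m["request"],
    )


def parse_log(text: str) -> List[HttpLogRecord]:
    return [r for r in map(parse_httplog, text.splitlines()) if r is not None]


def abnormal_by_server(records: List[HttpLogRecord]) -> Dict[Tuple[str, str, str], int]:
    """Detection view: non-normal terminations per backend/server/cause+phase. A run of
    ('be_servers', '10.20.30.40', 'sC') means every attempt timed out before TCP connect completed."""
    return Counter((r.backend, r.server, r.term_state[:2]) for r in records if r.term_state[:2] != "--")
```

For the two failing lines, 40007 ms over 4 attempts gives about 10 s per attempt, which is the value of timeout connect in the configuration above.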


SSL handshake failure on Cloudfront backend server


Hello,
I have an HAProxy instance that should serve as a proxy to Here.com maps, adding the API key to all passing requests. However, the following backend configuration fails with the message 'SSL handshake failure':

backend freehere_maps_redirect
http-send-name-header Host
http-request set-uri http://%[req.hdr(Host)]%[path]?apiKey=xxxxxxxxxxxxxxxxxxxxxxxxxxxx&%[query]
server 1.base.maps.ls.hereapi.com 1.base.maps.ls.hereapi.com:443 check ssl verify none check resolvers mydns
server 2.base.maps.ls.hereapi.com 2.base.maps.ls.hereapi.com:443 check ssl verify none check resolvers mydns
server 3.base.maps.ls.hereapi.com 3.base.maps.ls.hereapi.com:443 check ssl verify none check resolvers mydns
server 4.base.maps.ls.hereapi.com 4.base.maps.ls.hereapi.com:443 check ssl verify none check resolvers mydns

I have tried adding options like sni str(1.base.maps.ls.hereapi.com), but the error persists. Here is what ssldump shows:

New TCP connection #1: localhost.localdomain(34914) <-> server-205-251-219-9.arn1.r.cloudfront.net(443)
1 1 0.1257 (0.1257) C>S Handshake
ClientHello
Version 3.3
cipher suites
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_DH_DSS_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_DH_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DH_RSA_WITH_AES_256_CBC_SHA256
TLS_DH_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DH_RSA_WITH_AES_256_CBC_SHA
TLS_DH_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_DH_DSS_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_DH_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DH_RSA_WITH_AES_128_CBC_SHA256
TLS_DH_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DH_RSA_WITH_AES_128_CBC_SHA
TLS_DH_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_SEED_CBC_SHA
TLS_DHE_DSS_WITH_SEED_CBC_SHA
TLS_DH_RSA_WITH_SEED_CBC_SHA
TLS_DH_DSS_WITH_SEED_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_SEED_CBC_SHA
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_IDEA_CBC_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDH_RSA_WITH_RC4_128_SHA
TLS_ECDH_ECDSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
compression methods
NULL
1 2 0.2422 (0.1164) S>C Alert
level fatal
value handshake_failure
1 3 0.2422 (0.0000) S>C Alert
level warning
value close_notify
1 0.2428 (0.0005) S>C TCP FIN
1 0.2599 (0.0171) C>S TCP RST

However, Curl can establish TLS connection to this server:

New TCP connection #1: localhost.localdomain(60630) <-> server-13-33-243-73.hel50.r.cloudfront.net(443)
1 1 0.2425 (0.2425) C>S Handshake
ClientHello
Version 3.3
cipher suites
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Unknown value 0xcca9
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Unknown value 0xcca8
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
Unknown value 0xccaa
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
compression methods
NULL
1 2 0.3793 (0.1367) S>C Handshake
ServerHello
Version 3.3
session_id[32]=
f8 f2 8b 5b 48 eb bb 7f d8 5c 70 e0 9c 86 30 0d
f7 3d 6c 52 2f 66 b7 33 84 09 1f bb 25 14 d9 f6
cipherSuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
compressionMethod NULL
1 3 0.3994 (0.0201) S>C Handshake
Certificate
1 4 0.3994 (0.0000) S>C Handshake
ServerKeyExchange
1 5 0.3994 (0.0000) S>C Handshake
ServerHelloDone
and so on

I tried to specify ciphers ECDHE-RSA-AES128-GCM-SHA256 in the server configuration, but the result is the same.

The following HAProxy versions were tested on CentOS7:

HA-Proxy version 1.8.4-1deb90d 2018/02/08
Copyright 2000-2018 Willy Tarreau willy@haproxy.org

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label
OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_SYSTEMD=1 USE_PCRE=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2

and

HA-Proxy version 2.2.2 2020/07/31 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2025.
Known bugs: http://www.haproxy.org/bugs/bugs-2.2.2.html
Running on: Linux 3.10.0-862.11.6.el7.x86_64 #1 SMP Tue Aug 14 21:49:04 UTC 2018 x86_64
Build options :
TARGET = linux-glibc
CPU = generic
CC = gcc
CFLAGS = -O2 -g -Wall -Wextra -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wtype-limits
OPTIONS = USE_PCRE2=1 USE_LINUX_TPROXY=1 USE_CRYPT_H=1 USE_GETADDRINFO=1 USE_OPENSSL=1 USE_ZLIB=1 USE_SYSTEMD=1

Feature list : +EPOLL -KQUEUE +NETFILTER -PCRE -PCRE_JIT +PCRE2 -PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +BACKTRACE -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H +GETADDRINFO +OPENSSL -LUA +FUTEX +ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS

Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=1).
Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2

What else can be done here?

Thanks
Dimitri

8 posts - 2 participants


HAproxy route to default backend, when req.hdr(host) is not in map file


Hello,

I have configured my HAproxy CE 1.8.19-1+deb10u3 with two backends. To decide which host (req.hdr(host)) belongs to which backend, I use maps, because I can configure them quite easily via REST with Dataplane. But before I started using haproxy, I already had a lot of vhosts (= subdomains), and if I don't have to, I don't want to write them all to the map file, just the new ones. This shouldn't be a problem, because all my already existing vhosts were configured on one server (= backend), and all new vhosts will be configured either on the same server (= then don't create a new map entry) or on the new server (= then create a new map entry).

So my HAproxy has to look if the called domain (e.g. abc.example.com) is in the map file. If it is, then the backend from the map value should be used. If the host is not in the map file, then a hardcoded backend should be used.

An important point is that when using SSL, the HAproxy should not do an SSL termination (so instead a SSL pass-through) !

Right now I have following configuration (snippet) :

frontend http_in 
  mode http
  bind *:80
  option forwardfor
  option httplog
  use_backend %[req.hdr(host),lower,map_str(/etc/haproxy/maps/my_backends.map,http-hardcoded_backend)]

# HTTPS Frontend
frontend https_in 
  mode tcp
  bind *:443
  option tcplog
  tcp-request inspect-delay 5s
  use_backend %[req.hdr(host),lower,map_str(/etc/haproxy/maps/my_backends.map,https-hardcoded_backend)]

# == BACKEND - SECTION ==
#
# hardcoded_backend = my old server
backend http-hardcoded_backend
  mode http
  option forwardfor
  server OLDSERVER 10.0.150.22:80

backend https-hardcoded_backend
  mode tcp
  option ssl-hello-chk
  server OLDSERVER 10.0.150.22:443

# http(s) backend from map value
backend http-mapvalue
  mode http
  option forwardfor
  server MAPVALUE 10.0.150.20:80

backend https-mapvalue
  mode tcp
  option ssl-hello-chk
  server MAPVALUE 10.0.150.20:443

For HTTP, this works (when I visit a host which is inside the host file, I get to the "http-mapvalue" backend; when the host is not in the host file, I get to the "http-hardcoded_backend"), but over HTTPS I get the following error message (with cURL):
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to abc.my.domain:443
on both backends.

EDIT:
By adding tcp-request content accept if { req_ssl_hello_type 1 } I at least get requests and therefore logs on my HAproxy. I guess this works now, but for some reason HAproxy doesn't detect the right backend?

[16/Dec/2020:16:09:09.461] https_in https_in/<NOSRV> -1/-1/14 0 SC 1/1/0/0/0 0/0

On HTTP everything works (still) fine, but on HTTPS, which has the same use_backend line it doesn’t.

2 posts - 2 participants
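An added example (not from either post, and not HAProxy code) serving this topic and the earlier CloudFront handshake_failure one: it extracts the server_name (SNI) from a raw TLS ClientHello, which is the only routing key a tcp-mode frontend can see (req.ssl_sni; req.hdr(host) is never parsed in tcp mode), and applies the map_str-with-default lookup from the use_backend line above. The ClientHello bytes and the map-file contents are constructed inline; a ClientHello that carries no server_name yields None, which is the first thing to check in a capture when an edge answers handshake_failure before any ServerHello.

```python
import struct
from typing import Dict, Optional

# Constructed stand-in for /etc/haproxy/maps/my_backends.map (HAProxy map format: "key value").
MAP_FILE = """\
# hosts that live on the new server
abc.example.com   https-mapvalue
new.example.com   https-mapvalue
"""
DEFAULT_BACKEND = "https-hardcoded_backend"


def load_map(text: str) -> Dict[str, str]:
    """Parse HAProxy map-file syntax; keys are lowercased to pair with the ',lower' converter."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        table[key.lower()] = value.strip()
    return table


def _parse_sni(data: bytes) -> Optional[str]:
    if data[0] != 0x16:                                   # TLS record type: handshake
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    rec = data[5:5 + rec_len]
    if len(rec) < rec_len or rec[0] != 0x01:              # truncated record, or not a ClientHello
        return None
    hs = rec[4:4 + int.from_bytes(rec[1:4], "big")]
    pos = 2 + 32                                          # client_version + random
    pos += 1 + hs[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + hs[pos]                                    # compression_methods
    if pos + 2 > len(hs):                                 # no extensions block at all
        return None
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == 0x0000:                               # server_name extension
            names = hs[pos + 2:pos + elen]                # skip the server_name_list length
            npos = 0
            while npos + 3 <= len(names):
                ntype = names[npos]
                nlen = struct.unpack("!H", names[npos + 1:npos + 3])[0]
                if ntype == 0:                            # name_type host_name
                    return names[npos + 3:npos + 3 + nlen].decode("ascii", "replace")
                npos += 3 + nlen
            return None
        pos += elen
    return None


def client_hello_sni(data: bytes) -> Optional[str]:
    """SNI host_name from a raw TLS ClientHello record, or None if absent or not a ClientHello.
    This is the information HAProxy's req_ssl_hello_type 1 / req.ssl_sni fetches rely on."""
    try:
        return _parse_sni(data)
    except (IndexError, struct.error):                    # malformed or truncated input
        return None


def pick_backend(key: Optional[str], table: Dict[str, str], default: str) -> str:
    """Emulates use_backend %[<key>,lower,map_str(<file>,<default>)]: exact match or the default."""
    if key is None:
        return default
    return table.get(key.lower(), default)


def route_tls_passthrough(first_bytes: bytes, table: Dict[str, str], default: str) -> str:
    """tcp-mode routing: inspect the buffered ClientHello and key the map on its SNI, never on Host."""
    return pick_backend(client_hello_sni(first_bytes), table, default)


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello (zero random, two suites) for offline testing."""
    body = b"\x03\x03" + bytes(32) + b"\x00"              # version, random, empty session_id
    suites = b"\xc0\x2f\xc0\x30"                          # ECDHE-RSA-AES128/256-GCM-SHA256/384
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"   # null compression only
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sn_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0x0000, len(sn_list)) + sn_list
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```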


Url_beg acl help


Hi guys,
I need to set up an ACL like this:
acl acl1 url_beg /start/xxx/end
where xxx changes but the start and end remain the same.

What can I use? I am not even sure if url_beg can be used for that. I already have a bunch of ACLs working, but they all have fixed paths like /download/now, /upload etc. I do not know how to write an expression that has a variable in the middle.

Thanks in advance,

2 posts - 2 participants


Server is DOWN, reason: Layer7 wrong status, code: 403


Hello,
I am running HAproxy version 2.3.0
My backend servers are listening on port 9020.
Connection to the haproxy(ecsproxy.mydomain) port 9020 failed.

And I’ve got the following errors in my log file:
[WARNING] 351/121109 (19213) : Server web_servers/secsdata01 is DOWN, reason: Layer7 wrong status, code: 403, info: “Forbidden”, check duration: 1ms. 6 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
[ALERT] 351/121111 (19213) : backend ‘web_servers’ has no server available!

  1. Proxy version:
    ecsproxy# haproxy -v
    HA-Proxy version 2.3.0-1c0a722 2020/11/05 - https://haproxy.org/
    Running on: Linux 3.10.0-1160.2.2.el7.x86_64 #1 SMP Sat Oct 17 05:06:47 UTC 2020 x86_64

  2. My HAproxy configuration:
    #---- Global settings
    global
    maxconn 256
    user haproxy
    group haproxy
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    daemon
    #---- Defaults settings
    defaults HTTP
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5s
    timeout client 50s
    timeout server 50s
    timeout http-request 10s
    timeout http-keep-alive 10s
    option forwardfor
    balance leastconn
    #---- Frontend Definitions for Object Access
    frontend http-in
    bind *:80
    default_backend web_servers
    # Define the hostnames
    acl host_s3 hdr(host) -i -m dom ecsproxy.mydomain

    # Route to backend
    use_backend web_servers if host_s3

    #---- Backend Definitions
    backend web_servers
    # Use the s3 Ping extension to make sure ECS services on the node are alive.
    option httpchk
    http-check connect
    http-check send meth GET uri / ver HTTP/1.1 hdr host ecsproxy.mydomain
    http-check expect status 200-399

    # List of data nodes.  S3 runs on port 9020.
    server secsdata01 192.168.143.53:9020 check
    server secsdata02 192.168.143.54:9020 check
    server secsdata03 192.168.143.55:9020 check
    server secsdata04 192.168.143.56:9020 check
    server secsdata05 192.168.143.57:9020 check
    server secsdata06 192.168.143.58:9020 check

  3. Log file:
    Using epoll() as the polling mechanism.
    [WARNING] 351/121109 (19213) : Server web_servers/secsdata01 is DOWN, reason: Layer7 wrong status, code: 403, info: "Forbidden", check duration: 1ms. 6 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
    [WARNING] 351/121109 (19213) : Server web_servers/secsdata02 is DOWN, reason: Layer7 wrong status, code: 403, info: "Forbidden", check duration: 1ms. 5 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
    [WARNING] 351/121109 (19213) : Server web_servers/secsdata03 is DOWN, reason: Layer7 wrong status, code: 403, info: "Forbidden", check duration: 1ms. 4 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
    [WARNING] 351/121109 (19213) : Server web_servers/secsdata04 is DOWN, reason: Layer7 wrong status, code: 403, info: "Forbidden", check duration: 1ms. 3 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
    [WARNING] 351/121109 (19213) : Server web_servers/secsdata05 is DOWN, reason: Layer7 wrong status, code: 403, info: "Forbidden", check duration: 1ms. 2 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
    [WARNING] 351/121109 (19213) : Server web_servers/secsdata06 is DOWN, reason: Layer7 wrong status, code: 403, info: "Forbidden", check duration: 3ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
    [NOTICE] 351/121111 (19213) : haproxy version is 2.3.0-1c0a722
    [NOTICE] 351/121111 (19213) : path to executable is /usr/local/sbin/haproxy
    [ALERT] 351/121111 (19213) : backend 'web_servers' has no server available!

  4. Check port 9020 on backend: successful
    ecsproxy# telnet secsdata01 9020
    Trying 192.168.143.53...
    Connected to secsdata01.
    Escape character is '^]'.
    ^]
    telnet>

  5. Check HAproxy port 9020: failed
    root@kaya:~# telnet ecsproxy 9020
    Trying 192.168.160.115...
    telnet: Unable to connect to remote host: Connection refused

Please, how can I configure my haproxy to set the backend servers UP?
Any help would be appreciated.

Benarson

2 posts - 2 participants


Haproxy doesn't offer cert without CN name


Hi all,

I have this haproxy config, and my certificate has no CN / SAN field. When I try to connect to the port, it fails with a handshake error.

global
maxconn 32768
#nbproc 3
nbthread 4
tune.ssl.default-dh-param 2048
log /dev/log local5
stats socket ipv4@127.0.0.1:9999 level admin
stats socket /var/run/haproxy.sock mode 666 level admin
stats timeout 2m
ssl-default-bind-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA:AES128-SHA:DHE-RSA-AES128-SHA
ssl-default-bind-options ssl-min-ver TLSv1.0

defaults
log global
mode http
option dontlognull
option redispatch
no option http-use-htx

bind-process 1

This opens port 443 and 8443, and redirects it to 84 Proxy

listen ssl

bind 0.0.0.0:443 tfo ssl crt /usr/local/platform/.security/tomcat/keys/HAProxy_tomcat.pem npn http/1.1 curves P-256:P-384:P-521 prefer-client-ciphers
server http 127.0.0.1:84 send-proxy-v2

frontend http

bind 127.0.0.1:84 tfo accept-proxy
acl is_ssl fc_rcvd_proxy
#acl is_ssl ssl_fc
option nolinger
default_backend localserver

backend localserver
server s1 127.0.0.1:6970

1 post - 1 participant



Haproxy bad performance with web servers


Hello,

I'm encountering a performance problem with Haproxy installed on pfSense.

The problem I encountered corresponds to the number of requests that “Apache” web servers under Debian can absorb.

When we do live stress tests on the servers without using pfSense/haproxy we get answers for 500 requests per second to access a white page on a single server.

Whereas when we use haproxy, we get a maximum of 100 requests per second for a "backend" pool of 3 web servers.

On the haproxy stats interface, I could see that the queries were put on hold in “current conns” which is limited by the “maxconn” variable.

The processors of each machine are not overloaded maximum 15% of use.
The available memory is at least 66% of the total memory.

If you need more information do not hesitate, I will answer quickly.

For example our php sessions are done with memcached.

Our Pfsense uses a single core for haproxy.

We have set very high limits for both frontend and backend maxconn.

To do my tests I use Apache-Jmeter on a machine with 12 “6 + 6” cores and 32GB of RAM.

I wish you a Merry Christmas.

2 posts - 1 participant


"Failed to start HAProxy Load Balancer"


I am a complete noob at this stuff. I really don't know what I am doing, but this is my config file:

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats timeout 30s
user haproxy
group haproxy
daemon

defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000

frontend http_front
bind *:80
stats uri /haproxy?stats
default_backend http_back

backend http_back
balance roundrobin
server proxy1 myproxy:port check
server proxy2 myproxy:port check

I typed in haproxy -f /etc/haproxy/haproxy.cfg -db and got this output:

[ALERT] 359/031621 (6151) : parsing [/etc/haproxy/haproxy.cfg:1]: unknown keyword ‘log’ out of section.
[ALERT] 359/031621 (6151) : parsing [/etc/haproxy/haproxy.cfg:2]: unknown keyword ‘log’ out of section.
[ALERT] 359/031621 (6151) : parsing [/etc/haproxy/haproxy.cfg:3]: unknown keyword ‘chroot’ out of section.
[ALERT] 359/031621 (6151) : parsing [/etc/haproxy/haproxy.cfg:4]: unknown keyword ‘stats’ out of section.
[ALERT] 359/031621 (6151) : parsing [/etc/haproxy/haproxy.cfg:5]: unknown keyword ‘user’ out of section.
[ALERT] 359/031621 (6151) : parsing [/etc/haproxy/haproxy.cfg:6]: unknown keyword ‘group’ out of section.
[ALERT] 359/031621 (6151) : parsing [/etc/haproxy/haproxy.cfg:7]: unknown keyword ‘daemon’ out of section.
[ALERT] 359/031621 (6151) : parsing [/etc/haproxy/haproxy.cfg:20] : unknown keyword ‘jstats’ in ‘frontend’ section
[ALERT] 359/031621 (6151) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT] 359/031621 (6151) : Fatal errors found in configuration.

HAProxy's status:

Dec 25 02:41:58 admin systemd[1]: haproxy.service: Service hold-off time over, scheduling restart.
Dec 25 02:41:58 admin systemd[1]: haproxy.service: Scheduled restart job, restart counter is at 5.
Dec 25 02:41:58 admin systemd[1]: Stopped HAProxy Load Balancer.
Dec 25 02:41:58 admin systemd[1]: haproxy.service: Start request repeated too quickly.
Dec 25 02:41:58 admin systemd[1]: haproxy.service: Failed with result ‘exit-code’.
Dec 25 02:41:58 admin systemd[1]: Failed to start HAProxy Load Balancer.

haproxy -vv

HA-Proxy version 1.8.8-1ubuntu0.11 2020/06/22
Copyright 2000-2018 Willy Tarreau willy@haproxy.org

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -g -O2 -fdebug-prefix-map=/build/haproxy-_OgGP2/haproxy-1.8.8=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2
OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_SYSTEMD=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_NS=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.1.1 11 Sep 2018
Running on OpenSSL version : OpenSSL 1.1.1 11 Sep 2018
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.39 2016-06-14
Running on PCRE version : 8.39 2016-06-14
PCRE library supports JIT : yes
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity(“identity”), deflate(“deflate”), raw-deflate(“deflate”), gzip(“gzip”)
Built with network namespace support.

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace

1 post - 1 participant


HTTP/2 backend and :scheme header


I am using HAproxy (2.2.6-1~bpo10+1 2020/12/01) as a reverse proxy for an HTTP/2 backend.
HAproxy is doing TLS termination and the connection between HAProxy and the backend is cleartext, so the backend looks like this:

backend bk_howitzer_http_reverse_proxy
  mode http
  server sv_localhost ipv6@[::1]:5000 check proto h2

Problem:
HAproxy sets the HTTP2 pseudoheader :scheme to https, and ASP.NET Core backend drops the request because it expects :http.

dbug: Microsoft.AspNetCore.Server.Kestrel[35]
      Trace id "0HM5AGGHLO7JT:00000003": HTTP/2 stream error "PROTOCOL_ERROR". A Reset is being sent to the stream.
      Microsoft.AspNetCore.Connections.ConnectionAbortedException: The request :scheme header 'https' does not match the transport scheme 'http'.

I already saw in https://github.com/haproxy/haproxy/issues/77 that :scheme now forwarded from incoming TLS request. But since HAProxy is doing TLS termination shouldn’t it send :scheme as http, and use X-Forwarded-Proto instead?

There is a similar problem for linkerd:

Also it seems that Kestrel validation won’t get dropped anyway

So is there any way to force HAproxy to send the :scheme as http?

1 post - 1 participant


TCP connections Rate Limiting using HAProxy


We are planning to use haproxy to rate-limit all TCP traffic based on the data size. If the data size is more than the configured value, then it should be rejected.

Please advise if anyone has done this kind of setup.

1 post - 1 participant


HaProxy forward client IP


Hi,

I am running haproxy (192.168.80.90) on pfSense (192.168.80.1). In the frontend I have checked the "Use 'forwardfor' option" box, but haproxy forwards the 192.168.80.1 address instead of the client's IP.

Thanks,

# Automaticaly generated, dont edit manually.
# Generated on: 2020-12-31 02:42
global
	maxconn			1000
	log			/var/run/log	local0	info
	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
	uid			80
	gid			80
	nbproc			1
	nbthread			1
	hard-stop-after		15m
	chroot				/tmp/haproxy_chroot
	daemon
	tune.ssl.default-dh-param	2048
	server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
	bind 127.0.0.1:2200 name localstats
	mode http
	stats enable
	stats admin if TRUE
	stats show-legends
	stats uri /haproxy/haproxy_stats.php?haproxystats=1
	timeout client 5000
	timeout connect 5000
	timeout server 5000

frontend FrontEndProxy
	bind			192.168.80.90:443 name 192.168.80.90:443   ssl crt-list /var/etc/haproxy/FrontEndProxy.crt_list  
	mode			http
	log			global
	option			socket-stats
	option			http-keep-alive
	option			forwardfor
	acl https ssl_fc
	http-request set-header		X-Forwarded-Proto http if !https
	http-request set-header		X-Forwarded-Proto https if https
	timeout client		30000
	acl			speed	var(txn.txnhost) -m str -i speed.manjot.net
	acl			auth	var(txn.txnhost) -m str -i auth.manjot.net
	acl			jellyfin	var(txn.txnhost) -m str -i jellyfin.manjot.net
	acl			aclcrt_FrontEndProxy	var(txn.txnhost) -m reg -i ^speed\.manjot\.net(:([0-9]){1,5})?$
	acl			aclcrt_FrontEndProxy	var(txn.txnhost) -m reg -i ^auth\.manjot\.net(:([0-9]){1,5})?$
	acl			aclcrt_FrontEndProxy	var(txn.txnhost) -m reg -i ^jellyfin\.manjot\.net(:([0-9]){1,5})?$
	http-request set-var(txn.txnhost) hdr(host)
	use_backend Speed_ipvANY  if  speed aclcrt_FrontEndProxy
	use_backend Auth_ipvANY  if  auth aclcrt_FrontEndProxy
	use_backend Jellyfin_ipvANY  if  jellyfin aclcrt_FrontEndProxy

frontend HTTP-TO-HTTPS
	bind			192.168.80.90:80 name 192.168.80.90:80   
	mode			http
	log			global
	option			http-keep-alive
	option			forwardfor
	acl https ssl_fc
	http-request set-header		X-Forwarded-Proto http if !https
	http-request set-header		X-Forwarded-Proto https if https
	timeout client		30000
	http-request redirect scheme https 

frontend GMFrontEndProxy
	bind			192.168.80.39:443 name 192.168.80.39:443   ssl crt-list /var/etc/haproxy/GMFrontEndProxy.crt_list  
	mode			http
	log			global
	option			http-keep-alive
	timeout client		30000
	acl			gm	var(txn.txnhost) -m str -i gm.manjot.net
	acl			aclcrt_GMFrontEndProxy	var(txn.txnhost) -m reg -i ^gm\.manjot\.net(:([0-9]){1,5})?$
	http-request set-var(txn.txnhost) hdr(host)
	use_backend GM_ipvANY  if  gm aclcrt_GMFrontEndProxy

frontend GM-HTTP-TO-HTTPS
	bind			192.168.80.39:80 name 192.168.80.39:80   
	mode			http
	log			global
	option			http-keep-alive
	timeout client		30000
	http-request redirect scheme https 

backend Speed_ipvANY
	mode			http
	id			100
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk OPTIONS / 
	server			speed 192.168.80.74:443 id 101 ssl check-ssl check inter 1000  verify none crt /var/etc/haproxy/server_clientcert_5f5d1c960d78a.pem 

backend Auth_ipvANY
	mode			http
	id			104
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk OPTIONS / 
	server			Auth 192.168.80.73:443 id 105 ssl check-ssl check inter 1000  verify none crt /var/etc/haproxy/server_clientcert_5f5f10b443a8f.pem 

backend Jellyfin_ipvANY
	mode			http
	id			106
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	server			jellyfin 192.168.80.18:8920 id 107 ssl check-ssl check inter 1000  verify none crt /var/etc/haproxy/server_clientcert_5f8a7e8154947.pem 

backend GM_ipvANY
	mode			http
	id			102
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk OPTIONS /si/home.do 
	server			GM 192.168.80.38:9001 id 103 check inter 1000

1 post - 1 participant

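An added example (not from the post or pfSense's generator) of the X-Forwarded-For handling a practitioner would want on a terminating frontend like FrontEndProxy above. `option forwardfor` appends the address of the TCP peer HAProxy actually talks to; it does not remove a header the client sent, so without the delete rule the first (and usually logged) entry is attacker-controlled. The backend name and the certificate path reuse the post's values; the rest is an assumption for illustration.

```haproxy
# Added example: trustworthy X-Forwarded-For / X-Forwarded-Proto on a
# TLS-terminating frontend. Backend and paths are assumptions.
frontend FrontEndProxy
    mode http
    bind 192.168.80.90:443 ssl crt-list /var/etc/haproxy/FrontEndProxy.crt_list

    # Drop whatever the client claimed; the backend will trust these headers.
    http-request del-header X-Forwarded-For
    http-request del-header X-Forwarded-Proto

    # Append the real peer address. If a NAT device sits between the client
    # and this bind, this is that device's address: HAProxy can only report
    # the source it sees on the socket.
    option forwardfor
    http-request set-header X-Forwarded-Proto https

    default_backend Speed_ipvANY

backend Speed_ipvANY
    mode http
    option httpchk OPTIONS /
    server speed 192.168.80.74:443 ssl verify none check
```

If the address in the header is that of a firewall or NAT hop rather than the client, the fix is on that hop, not in HAProxy: it has to preserve the source address (no source NAT on the forward) or pass it explicitly, for example with the PROXY protocol, which HAProxy can consume with `accept-proxy` on the bind. Because the PROXY header is unauthenticated, only enable `accept-proxy` on a bind reachable exclusively from that trusted hop.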

Get the real-ip on the backend servers with SSL pass-through


Hello,

My backend servers that I have configured on my haproxy are running fail2ban, and for that I need the real IP / malicious IP; otherwise fail2ban would block my haproxy IP, as this IP appears in my web server logs.

Over HTTP this works fine with option forwardfor and using the X-Forwarded-For header, but is something like this also possible over HTTPS, while HAproxy only passes SSL and the termination happens on the backend servers?

Here is a snippet of my HAproxy configuration:

frontend http_in
  mode http
  bind *:80
  option forwardfor
  option httplog
  use_backend http_%[req.hdr(host),lower,map_str(/etc/haproxy/maps/backends.map,servers)]

frontend https_in
  mode tcp
  tcp-request content accept if { req_ssl_hello_type 1 }
  tcp-request inspect-delay 5s
  bind *:443
  option tcplog
  # option forwardfor -> doesnt work as HAproxy cant edit the header?!
  use_backend https_%[req.ssl_sni(),lower,map(/etc/haproxy/maps/backends.map,servers)]

backend http_servers
  mode http
  option forwardfor
  server a1 10.0.13.37:80 check
  ...

backend https_servers
  mode tcp
  option ssl-hello-chk
  server a1 10.0.13.37:443 check
  server a2 ...

HA-Proxy version 1.7.5-2 2017/05/17
OS: Debian GNU/Linux 9 (stretch) / Linux 4.9.0-14-amd64 #1 SMP Debian 4.9.240-2 (2020-10-30) x86_64 GNU/Linux

2 posts - 2 participants


Haproxy can proxy to multiple separate VMs?


Hello everyone.

I cannot find an option to make the proxy work for two (or more, in the future) virtual machines.

Now we have:
A pool of VM sites that sit on IP 192.168.1.35 and are perfectly proxied by Haproxy. Each site has its own certificate.

I started another VM, 192.168.1.33 (crm, office, etc.), and I just can't get it to work: every time, the certificate handed out is one of the sites on the first VM.

Here is the config - what am I doing wrong?

frontend MY-SSL
        bind *:443
        mode tcp
#       mode http
#       option forwardfor
#       reqadd X-Forwarded-Proto:\ https
        use_backend MY-SSL

backend MY-SSL
        mode tcp
        stick-table type ip size 1m expire 1h
        stick on src
        timeout connect         10s
        timeout client          1m
        timeout server          1m
        option ssl-hello-chk
        server mysite.ru 192.168.1.35:443 send-proxy check

frontend MY-CRM
        bind *:443
        mode tcp
#       mode http
        option forwardfor
        reqadd X-Forwarded-Proto:\ https
        use_backend MY-CRM

backend MY-CRM
        mode tcp
        stick-table type ip size 1m expire 1h
        stick on src
        timeout connect         10s
        timeout client          1m
        timeout server          1m
        option ssl-hello-chk
        server crm2.mysite.ru 192.168.1.33:443 send-proxy check

root@HAPROXY:~# curl -I https://crm2.mysite.ru
curl: (51) SSL: no alternative certificate subject name matches target host name 'crm2.mysite.ru'

3 posts - 2 participants

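An added example (not from the post or the HAProxy project) of how TLS pass-through to several VMs is normally done: a single TCP frontend on port 443 that reads the Server Name Indication from the ClientHello and picks a backend from it, rather than two frontends competing for the same port. The hostnames and VM addresses are the post's; the backend names and timeouts are assumptions.

```haproxy
# Added example: SNI-based routing of TLS pass-through traffic to two VMs.
# Hostnames and addresses are from the post; other names are assumptions.
frontend tls_in
    mode tcp
    bind *:443
    timeout client 1m

    # Wait (up to 5 s) for the ClientHello so req.ssl_sni is available.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    # SNI is cleartext and chosen by the client; it is not verified here.
    # It only selects the backend, which then presents its own certificate.
    use_backend crm_ssl   if { req.ssl_sni -i crm2.mysite.ru }
    use_backend sites_ssl if { req.ssl_sni -m end -i .mysite.ru }
    # Clients that send no SNI, or an unknown name, end up here.
    default_backend sites_ssl

backend sites_ssl
    mode tcp
    timeout connect 10s
    timeout server 1m
    option ssl-hello-chk
    # send-proxy is kept as in the post's config: the VM's web server must be
    # configured to accept the PROXY protocol, otherwise the handshake fails.
    server sites 192.168.1.35:443 check send-proxy

backend crm_ssl
    mode tcp
    timeout connect 10s
    timeout server 1m
    option ssl-hello-chk
    server crm 192.168.1.33:443 check send-proxy
```

With one server per backend the post's `stick on src` table adds nothing and is omitted. Note that a client that sends no SNI (old tooling, or `curl -k https://<ip>`) cannot be routed by name and gets the default backend's certificate; the `curl` error quoted above is what that looks like from the client side.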


I need HaProxy to keep the sourceIP of the connection


HaProxy seems to delete the source IP info that I need to use to balance a socket.io service for one application. Could you please help me with how to configure Haproxy to keep that information?

Thank you in advance

1 post - 1 participant

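This added example (not from either post or the HAProxy project) serves both the SSL pass-through question above, where fail2ban needs the real client address, and the socket.io question just before this point. In TCP mode HAProxy cannot add an X-Forwarded-For header to traffic it does not decrypt; the only channel left for the client address is the PROXY protocol, sent to the server before the first TLS byte. The map file and the first server address are the pass-through post's; the second server and the backend names are assumptions.

```haproxy
# Added example: TLS pass-through with the client address delivered to the
# backend via PROXY protocol v2. a2 and the names are assumptions.
frontend https_in
    mode tcp
    bind *:443
    option tcplog
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend https_%[req.ssl_sni,lower,map(/etc/haproxy/maps/backends.map,servers)]

backend https_servers
    mode tcp
    option ssl-hello-chk
    # send-proxy-v2 prefixes each connection to the server with a binary
    # PROXY v2 header carrying the original source and destination.
    # Health checks send the same header by default when the server has
    # send-proxy-v2 and no separate check port/address is set.
    server a1 10.0.13.37:443 check send-proxy-v2
    server a2 10.0.13.38:443 check send-proxy-v2
```

The receiving side has to be told to expect the header, otherwise TLS fails on the first packet: nginx with `listen 443 ssl proxy_protocol;`, `set_real_ip_from 10.0.13.0/24;` and `real_ip_header proxy_protocol;`, or Apache with `RemoteIPProxyProtocol On`. Two security points: the PROXY header is unauthenticated, so anyone who can reach the backend's port directly can claim any source address; firewall that port so only the load balancer reaches it. And the web server now logs the address HAProxy saw, so fail2ban rules match the real client only if nothing in front of HAProxy rewrites the source. For the socket.io case the same header gives the backend the real address, and on HAProxy itself `balance source` in the backend hashes on that same address, so no extra header is needed to keep a client on one server.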

SSL Termination working, but page missing CSS


Hello,

I didn't find anything in my searches for the past hour, so here I am asking for help. Please let me know what information you want besides what is below.

So I have HAProxy running on an Ubuntu 20.04 server and it's doing SSL offload and hitting a CentOS 7 box running CentOS Web Panel with a few internal web pages running on it (2 plain HTML, 1 WordPress). These web pages are only served over HTTP, so that is how the backend is configured to reach them.

The good news is SSL offload is working and the sites load up. And this is where I hit a snag. The WordPress site is missing all CSS formatting and template backgrounds, even on the default template. I don't have this problem on my home test setup, so I am really stumped.

Any tips?

Config (anonymized)

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-C>
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend domainabc_urls
    bind 10.0.0.10:80
    bind 10.0.0.10:443 ssl crt /etc/ssl/wildcard.pem
    http-request redirect scheme https unless { ssl_fc }
    acl FIRST_URL hdr_dom(host) -i testing.domainabc.com
    acl FIRST_URL hdr_dom(host) -i intratest.domainabc.com
    acl FIRST_URL hdr_dom(host) -i intranet.domainabc.com
    use_backend webhost-1 if FIRST_URL

backend webhost-1
    mode http
    cookie iaserverused insert indirect nocache
    default-server maxconn 200
    server server1 10.0.0.134:80 cookie server1

listen stats
    bind *:8404
    stats enable
    stats uri /monitor
    stats refresh 5s
    stats auth admin:iapassword

Snip of format issue: (screenshot not included)

Any help would be greatly appreciated!

Thank you,
Matt R.

1 post - 1 participant

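An added example (not from the post or the HAProxy project) of the piece an SSL-offloading frontend usually needs for a WordPress backend that only speaks HTTP. The application sees a plain-HTTP request and builds `http://` URLs for its stylesheets; the browser then refuses to load active content over HTTP on an HTTPS page, which is exactly "page loads, CSS missing". The frontend therefore tells the backend the original scheme. Addresses, certificate path and hostnames are the post's; everything else is an assumption.

```haproxy
# Added example: pass the original scheme to an HTTP-only WordPress backend.
# Addresses and paths are from the post; the extra directives are assumptions.
frontend domainabc_urls
    bind 10.0.0.10:80
    bind 10.0.0.10:443 ssl crt /etc/ssl/wildcard.pem
    http-request redirect scheme https unless { ssl_fc }

    # The app will trust these headers, so strip any client-supplied copies
    # before setting them from what HAProxy itself knows.
    http-request del-header X-Forwarded-Proto
    http-request del-header X-Forwarded-For
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Port %[dst_port]
    option forwardfor

    acl FIRST_URL hdr_dom(host) -i intranet.domainabc.com
    use_backend webhost-1 if FIRST_URL

backend webhost-1
    mode http
    # Mark the persistence cookie so it is never sent over plain HTTP or
    # readable from script.
    cookie iaserverused insert indirect nocache secure httponly
    default-server maxconn 200
    server server1 10.0.0.134:80 cookie server1 check
```

WordPress does not act on X-Forwarded-Proto by itself. The standard wp-config.php snippet for a reverse proxy sets `$_SERVER['HTTPS'] = 'on'` when `$_SERVER['HTTP_X_FORWARDED_PROTO']` equals `https`, placed before the `wp-settings.php` include, with WP_HOME and WP_SITEURL set to the `https://` origin; that snippet is only safe because the frontend above deletes the client-supplied header first.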

Dataplane add backend 400 error after 1 success


Hi, I'm currently trying to use the haproxy dataplane api to add backend servers.
It works once, but I'm just getting error code 400 after the first attempt.

My command (only works the first time)

curl -X POST -H "Content-Type: application/json" --user {userParams} \
  -d '{ "address": "{address}", "check": "enabled", "maxconn": 1, "name": "{name}", "port": {port} }' \
  "{url}/configuration/servers?backend=my_backend&version={version}&force_reload=true"

Is there a step I'm missing?

1 post - 1 participant


HAProxy v2.2.2 Native Response Generator http-request return


Hi, I am having issues getting the http-request return to work in my current cfg file. We are running HAProxy 2.2.2. I place the following command in an http mode frontend and verify the configuration without error:

http-request return status 200 content-type text/plain file /tmp/haproxy/keys.json if { path -i /adfs/discovery/keys }

I get the following error logged:
[ALERT] 003/114218 (21250): parsing [//haproxy.cfg:68] : error detected in frontend '' while parsing 'http-request return' rule error opening file : '/tmp/haproxy/keys.json'

as a result the HAProxy service does not start as it needs to load this file into memory upon starting the haproxy service.

The account that we use to run haproxy has rwx to ‘/tmp/haproxy/keys.json’.

What am I doing wrong?

Thanks,
Steve

2 posts - 1 participant

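An added example (not from the post or the HAProxy project) of serving a static document with `http-request return`, with the file kept somewhere the parsing process can actually see it. The `file` argument is read once, at configuration parse time, by the process that starts HAProxy, so runtime permissions of the haproxy user are not what matters; what matters is that the path exists in the filesystem view of the process doing the parse. /tmp is a poor choice for that because service managers can give a service a private, initially empty /tmp (systemd's PrivateTmp). The directory, certificate path and URL below are assumptions; the `keys.json` name and path are the post's.

```haproxy
# Added example: static JSON served by HAProxy itself.
# /etc/haproxy/static and the certificate path are assumptions.
frontend adfs_in
    mode http
    bind *:443 ssl crt /etc/haproxy/certs/adfs.pem

    # Loaded at parse time; edit the file and reload HAProxy to publish a
    # new version. The ACL uses "path -i": the fetch, then the flag.
    http-request return status 200 content-type application/json file /etc/haproxy/static/keys.json hdr cache-control "max-age=300" if { path -i /adfs/discovery/keys }

    default_backend adfs_servers

backend adfs_servers
    mode http
    server adfs1 10.0.0.21:443 ssl verify required ca-file /etc/haproxy/certs/ca.pem check
```

To reproduce the failure outside the service manager, run `haproxy -c -f /etc/haproxy/haproxy.cfg` from a shell: if that passes but the service fails with the same ALERT, look at the unit's sandboxing (PrivateTmp, ProtectSystem) rather than at file permissions.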

Haproxy log limit 985 characters


I'm using log-format to produce JSON.

log-format '{"host":"%H","time":"%Tl","haproxy":{"conn":{"act":%ac,"fe":%fc,"be":%bc,"srv":%sc},"queue":{"backend":%bq,"srv":%sq},"time":{"tq":%Tq,"tw":%Tw,"tc":%Tc,"tr":%Tr,"tt":%Tt},"termination_state":"%tsc","retries":%rc,"network":{"client_ip":"%ci","client_port":%cp,"frontend_ip":"%fi","frontend_port":%fp},"ssl":{"version":"%sslv","ciphers":"%sslc"},"request":{"method":"%HM","uri":"%[capture.req.uri]","protocol":"%HV","header":{"host":"%[capture.req.hdr(0)]","xforwardfor":"%[capture.req.hdr(1)]","referer":"%[capture.req.hdr(2)]"}},"name":{"backend":"%b","frontend":"%ft","server":"%s"},"response":{"status_code":%ST,"header":{"xrequestid":"%[capture.res.hdr(0)]"}},"bytes":{"uploaded":%U,"read":%B}}}'

But when I check /var/log/haproxy/haproxy.log, the output is always limited to 985 characters.

1 post - 1 participant

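An added example (not from the post or the HAProxy project) of the setting that governs this truncation. The `log` directive has an optional `len` argument, and its default is 1024 bytes per message including the syslog header; after a header of roughly forty bytes that leaves about 985 characters of payload. A JSON format like the post's easily exceeds that and the tail of the object is cut off, which also makes the line invalid JSON for whatever parses the log. The socket path, facility and 8192-byte limit below are assumptions; the JSON keys are a shortened version of the post's format.

```haproxy
# Added example: raise the per-message log length for long JSON lines.
# Socket, facility and the 8192 limit are assumptions.
global
    log /dev/log len 8192 local0 info

defaults
    log global
    mode http
    option httplog
    # Shortened form of the post's JSON format; the capture fetches need a
    # matching "capture request header" line in the frontend.
    log-format '{"client_ip":"%ci","method":"%HM","uri":"%[capture.req.uri]","status":%ST,"bytes":%B,"termination_state":"%tsc"}'
```

Raising `len` only changes what HAProxy emits; the receiving syslog daemon has its own ceiling (rsyslog's `$MaxMessageSize`, 8 kB by default, which must appear before the input modules are loaded), so set both and check the resulting file with a JSON parser rather than by eye.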
