Channel: HAProxy community - Latest topics

Haproxy acl on ip range with ip from header instead of src


Howdy Folks,

I understand that it is possible to create an acl for IP ranges based on src like:
acl white_list src 192.168.1.0/24 192.168.10.0/24
But is it possible to do the same if the IP is based on an http header? I tried something like:
acl white_list req.hdr(X-Actual-IP) 192.168.1.0/24 192.168.10.0/24
and it doesn’t work; I’m assuming it’s doing a string match, which isn’t what I want. Is there a way to treat the value of a request header as an IP in an acl?

Cheers,
Kelvin

1 post - 1 participant



One IP address, multiple web servers for different web traffic


Meanwhile, happy new year to all friends on this forum.

I have never worked with HAProxy and now ask for advice and to be directed to a guide to help me solve my problem, which is not about having a load balancer, but about distributing the web traffic over multiple Apache servers while having only one IP address.
For example, in DNS I have domain1.tld and domain2.tld which refer to a single IP address.
However, domain1.tld is managed by the Apache-A server while domain2.tld is managed by the Apache-B server.
From what I understand I have to place HAproxy in front of the two servers, but I did not understand how to route traffic to one or the other.
I would run HAProxy as a package on the pfSense firewall.

In reality, I will not only have two domains on two Apache servers, but several domains distributed on several servers in a different way.

Moreover:

  • some domains will have sub domains
  • domains and subdomains will have their own Let’s Encrypt certificate
  • some web applications will be reachable using a port number.

To give a concrete example:

  • domain1.tld -> Apache-A
  • prj.domain1.tld -> Apache-B
  • crm.domain1.tld -> Apache-A
  • erp.domain2.tld:1000 -> Apache-B
  • tools.domain1.tld/tools1 -> Apache-A
  • tools.domain1.tld/tools2:3000 -> Apache-A
  • tools.domain1.tld/tools3 -> Apache-A

Starting from scratch, today I don’t even know if a distribution as in the example is possible, or if I should keep a domain and its subdomains on the same server.

I first read the documentation and probably misread, but I only find references to load balancing.

1 post - 1 participant


Adding a header/saving to localstorage before forwarding


Hello,
We have a DNS discovery interface which, unfortunately, to enable the usage of said DNSs with our customers, has a default guest policy that makes all services and nodes, including their health check statuses, viewable to everyone who can reach it.

We want our customers to view the website so they can check their own service and node statuses alone, and we have token-based authentication for that (for this purpose, although currently it’s not usable due to, well, the monitor being visible to everyone).

Fortunately enough, we found a way to kinda make it work. We found out that the token is saved in the browser’s localstorage, so we want to tamper with that location to create a bypass to the default policy, and create a separate UI policy - with no services or nodes visible, and let the customer log in with his token in a specified window the DNS discovery UI endpoint already has.

Currently we use HAProxy Community edition for port forwarding from 443 to its port, but my question is: is there a possibility to save to localstorage or run a JS script on the client before the forwarding itself happens? And if not, is there another way to do that job? Unfortunately we can’t tamper with the website itself, since it runs from a binary file.

1 post - 1 participant


Huge time before HTTP server responds disconnects prematurely


My application performs an HTTP request to a front-end of HAProxy. The back-end forwards this to a server that accepts my request, but then starts local processing for over 150 seconds before it starts transmitting data.
My configuration looks as follows:

global
    pidfile     /var/run/haproxy.pid
    maxconn     100
    daemon

defaults
    timeout connect 5s
    timeout client 120s
    timeout server 120s

frontend scada_104
    mode tcp
    bind *:2404
    acl ifs_1 src {{ ifs_1 }}
    use_backend 104_backend_ifs1 if ifs_1
    acl ifs_2 src {{ ifs_2 }}
    use_backend 104_backend_ifs2 if ifs_2

backend 104_backend_ifs1
    mode tcp
    server vccu-104-ifs1 192.168.56.10:2404 verify none

backend 104_backend_ifs2
    mode tcp
    server vccu-104-ifs2 192.168.56.10:2405 verify none

frontend sam_vvpn_rest
    mode http
    bind *:1443 ssl crt /etc/ssl/certs/sas2.pem
    use_backend sam_backend_vvpn

backend sam_backend_vvpn
   mode http
   server vccu-sam-rest 192.168.56.10:80 verify none

frontend sam_ccu_rest
    mode http
    bind *:443 ssl crt /etc/ssl/certs/sas2.pem
    use_backend sam_backend_ccu

backend sam_backend_ccu
   mode http
   server ccu-sam-rest 192.168.56.10:81 verify none

The front-end used is sam_ccu_rest.
Is there a certain keep-alive system that I should use or configure here?

1 post - 1 participant


Spoa example hogs CPU due to a TCP connection in CLOSE_WAIT state


I have a SPOA listening on port 12345 in a public cloud. Some bad-score IPs or port scanners are making a connection, and I’m not sure if they are abruptly closing the connection, but the connection on the SPOA is in CLOSE_WAIT state. The SPOA is in a loop reading for frames on that fd, and over a period of time it hikes the CPU utilization.

spoa.c (read_frame_cb function)

n = read(client->fd, frame->buf + frame->offset,
	 frame->len - frame->offset);
if (n <= 0) {
	if (n < 0) {
		LOG(client->worker, "Frame to read frame : %m");
		goto close;
	}
	return;
}

Ideally the fd should be closed when n is less than or equal to zero. But above it’s getting closed only when it’s less than zero. Any reason the fd is kept alive in the n == 0 case?

Appreciate your help.

Thanks,
Manickam

1 post - 1 participant
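An added example (not the spoa.c code quoted in the post): a read callback shaped like read_frame_cb that closes the descriptor on a zero-byte read, i.e. the peer's orderly shutdown, as well as on a real error, and only returns early on EAGAIN. The frame/client structs and the demo_half_close() driver are assumptions made for this illustration; the driver pushes a socketpair through partial data, no data, and peer close.

```c
/* Added example, not HAProxy's spoa.c: handle every n <= 0 outcome of read()
 * explicitly so a half-closed (CLOSE_WAIT) socket is released instead of
 * being polled forever. */
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

#define FRAME_MAX 4096

enum read_status {
    RD_AGAIN,    /* nothing to read right now (EAGAIN); keep the fd */
    RD_PARTIAL,  /* some bytes read, frame still incomplete */
    RD_COMPLETE, /* frame fully read */
    RD_EOF,      /* peer closed (read() == 0): fd closed here */
    RD_ERROR     /* read() failed or fd already closed */
};

struct frame {                  /* assumed shape, for the illustration */
    unsigned char buf[FRAME_MAX];
    size_t len;                 /* expected frame length */
    size_t offset;              /* bytes received so far */
};

struct client {                 /* assumed shape, for the illustration */
    int fd;                     /* -1 once closed */
    int closed;                 /* how many times we closed the fd */
};

/* Same shape as read_frame_cb in the post, but n == 0 is treated as EOF. */
enum read_status read_frame(struct client *client, struct frame *frame)
{
    ssize_t n;

    if (client->fd < 0)
        return RD_ERROR;        /* never read a descriptor we already closed */

    n = read(client->fd, frame->buf + frame->offset,
             frame->len - frame->offset);
    if (n > 0) {
        frame->offset += (size_t)n;
        return frame->offset == frame->len ? RD_COMPLETE : RD_PARTIAL;
    }
    if (n < 0) {
        if (errno == EAGAIN || errno == EWOULDBLOCK || errno == EINTR)
            return RD_AGAIN;    /* genuinely no data yet; wait for the poller */
        goto close_fd;          /* real error */
    }
    /* n == 0: orderly shutdown from the peer. The socket stays in CLOSE_WAIT
     * until we close it, and read() would return 0 on every wakeup, which is
     * the hot loop described in the post. Fall through and close. */
close_fd:
    close(client->fd);
    client->fd = -1;
    client->closed++;
    return n == 0 ? RD_EOF : RD_ERROR;
}

/* Driver: constructed traffic on a socketpair. Returns 1 if the callback
 * behaves as expected at every step, 0 otherwise. */
int demo_half_close(void)
{
    int sv[2];
    struct client c;
    struct frame f;
    int ok = 1;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return 0;
    fcntl(sv[0], F_SETFL, fcntl(sv[0], F_GETFL) | O_NONBLOCK);

    c.fd = sv[0];
    c.closed = 0;
    memset(&f, 0, sizeof(f));
    f.len = 6;                                  /* expecting a 6-byte frame */

    /* Only half of the frame arrives: partial read, fd stays open. */
    ok &= (write(sv[1], "abc", 3) == 3);
    ok &= (read_frame(&c, &f) == RD_PARTIAL && f.offset == 3);
    /* Then silence: EAGAIN on the non-blocking fd, still open. */
    ok &= (read_frame(&c, &f) == RD_AGAIN && c.fd == sv[0]);
    /* Then the peer closes: read() returns 0 and we must close our side. */
    close(sv[1]);
    ok &= (read_frame(&c, &f) == RD_EOF && c.fd == -1 && c.closed == 1);
    /* A further wakeup must not touch the closed descriptor. */
    ok &= (read_frame(&c, &f) == RD_ERROR && c.closed == 1);
    return ok;
}
```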


Www.example.com works but example.com doesn't on https


I’m hosting a site for a buddy of mine, and while the site works perfectly well at http://www.embr.live, http://embr.live and https://www.embr.live, we get a 503 error every time on https://embr.live. We can’t figure out if the problem is in my HAproxy setup or somewhere in his PHP config. Is there anything in this config that would result in https://embr.live not working?

Automaticaly generated, dont edit manually.

Generated on: 2021-01-06 10:44

global
maxconn 1000
log /var/run/log syslog err
stats socket /tmp/haproxy.socket level admin expose-fd listeners
uid 80
gid 80
nbproc 1
nbthread 1
hard-stop-after 15m
chroot /tmp/haproxy_chroot
daemon
tune.ssl.default-dh-param 2048
log-send-hostname HaproxyMasterNode
server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
bind 127.0.0.1:2200 name localstats
mode http
stats enable
stats admin if TRUE
stats show-legends
stats uri /haproxy/haproxy_stats.php?haproxystats=1
timeout client 5000
timeout connect 5000
timeout server 5000

frontend HTTPS
bind 135.84.222.92:443 name 135.84.222.92:443 ssl crt-list /var/etc/haproxy/HTTPS.crt_list
mode http
log global
option log-separate-errors
option httplog
option http-keep-alive
timeout client 30000
acl nextcloud var(txn.txnhost) -m str -i nextcloud.mcnair.tech
acl embr var(txn.txnhost) -m sub -i embr.live
acl aclcrt_HTTPS var(txn.txnhost) -m reg -i ^mcnair.tech(:([0-9]){1,5})?
acl aclcrt_HTTPS var(txn.txnhost) -m reg -i ^nextcloud\.mcnair\.tech(:([0-9]){1,5})?
acl aclcrt_HTTPS var(txn.txnhost) -m reg -i ^([^.]*).embr.live(:([0-9]){1,5})?$
http-request set-var(txn.txnhost) hdr(host)
use_backend nextcloud_ipvANY if nextcloud aclcrt_HTTPS
use_backend embr_ipvANY if embr aclcrt_HTTPS

frontend HTTP
bind 135.84.222.92:80 name 135.84.222.92:80
mode http
log global
option httplog
option http-keep-alive
timeout client 30000
acl embr var(txn.txnhost) -m sub -i embr.live
http-request set-var(txn.txnhost) hdr(host)
use_backend embr_ipvANY if embr

backend nextcloud_ipvANY
mode http
id 102
log global
http-response set-header Strict-Transport-Security max-age=31536000;
timeout connect 30000
timeout server 30000
retries 3
option httpchk OPTIONS /
acl caldav-endpoint var(txn.txnpath) -m beg -i /.well-known/caldav
acl carddav-endpoint var(txn.txnpath) -m beg -i /.well-known/carddav
http-request set-var(txn.txnpath) path
http-request set-path /remote.php/dav if caldav-endpoint
http-request set-path /remote.php/dav if carddav-endpoint
server nextcloud 10.0.0.26:80 id 103 check inter 1000

backend embr_ipvANY
mode http
id 104
log global
timeout connect 30000
timeout server 30000
retries 3
option httpchk OPTIONS /
server embr 10.0.0.76:80 id 105 check inter 1000

1 post - 1 participant


HAProxy unknown keyword


Hi,

I’m trying to set up an HTTPS/SSL frontend but HAProxy won’t start whenever I add in the ‘bind 443:443 tfo ssl /etc/letsencrypt/live/example.com/fullchain.pem’ line. I’m not sure if there is something wrong with my config or the installation of OpenSSL or HAProxy.

haproxy -v

    HA-Proxy version 2.3.2-d522db7 2020/11/28 - https://haproxy.org/
    Status: stable branch - will stop receiving fixes around Q1 2022.
    Known bugs: http://www.haproxy.org/bugs/bugs-2.3.2.html
    Running on: Linux 4.14.203-156.332.amzn2.x86_64 #1 SMP Fri Oct 30 19:19:33 UTC 2020 x86_64

haproxy -vv

HA-Proxy version 2.3.2-d522db7 2020/11/28 - https://haproxy.org/
Status: stable branch - will stop receiving fixes around Q1 2022.
Known bugs: http://www.haproxy.org/bugs/bugs-2.3.2.html
Running on: Linux 4.14.203-156.332.amzn2.x86_64 #1 SMP Fri Oct 30 19:19:33 UTC 2020 x86_64
Build options :
  TARGET  = linux-glibc
  CPU     = generic
  CC      = cc
  CFLAGS  = -O2 -g -Wall -Wextra -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
  OPTIONS = USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 USE_TFO=1 USE_NS=1
  DEBUG   = 

Feature list : +EPOLL -KQUEUE +NETFILTER +PCRE -PCRE_JIT -PCRE2 -PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +BACKTRACE -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H +GETADDRINFO +OPENSSL -LUA +FUTEX +ACCEPT4 -CLOSEFROM +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL -SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=1).
Built with OpenSSL version : OpenSSL 1.1.1c  28 May 2019
Running on OpenSSL version : OpenSSL 1.1.1c FIPS  28 May 2019
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with network namespace support.
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Encrypted password support via crypt(3): yes
Built with gcc compiler version 7.3.1 20180712 (Red Hat 7.3.1-12)

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
              h2 : mode=HTTP       side=FE|BE     mux=H2
            fcgi : mode=HTTP       side=BE        mux=FCGI
       <default> : mode=HTTP       side=FE|BE     mux=H1
       <default> : mode=TCP        side=FE|BE     mux=PASS

Available services : none

Available filters :
[SPOE] spoe
[CACHE] cache
[FCGI] fcgi-app
[COMP] compression
[TRACE] trace

Config

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

    tune.ssl.default-dh-param 2048

defaults
    log global

    mode tcp
    option dontlognull
    timeout connect 5s

    timeout client  300s
    timeout server  300s

frontend tls-in
    bind *:443 tfo ssl /etc/letsencrypt/live/example.com/fullchain.pem
    tcp-request inspect-delay 5s
    tcp-request content accept if HTTP
    use_backend web if HTTP
    default_backend vme

backend web
    server server1 127.0.0.1:444
  
backend vme
    server server1 127.0.0.1:40001

Log

[NOTICE] 006/174126 (2026) : haproxy version is 2.3.2-d522db7
[NOTICE] 006/174126 (2026) : path to executable is /sbin/haproxy
[ALERT] 006/174126 (2026) : parsing [/etc/haproxy/haproxy.cfg:31] : 'bind *:443' unknown keyword '/etc/letsencrypt/live/example.com/fullchain.pem'. Registered keywords :
    [ SSL] allow-0rtt
    [ SSL] alpn <arg>
    [ SSL] ca-file <arg>
    [ SSL] ca-verify-file <arg>
    [ SSL] ca-ignore-err <arg>
    [ SSL] ca-sign-file <arg>
    [ SSL] ca-sign-pass <arg>
    [ SSL] ciphers <arg>
    [ SSL] ciphersuites <arg>
    [ SSL] crl-file <arg>
    [ SSL] crt <arg>
    [ SSL] crt-ignore-err <arg>
    [ SSL] crt-list <arg>
    [ SSL] curves <arg>
    [ SSL] ecdhe <arg>
    [ SSL] force-sslv3
    [ SSL] force-tlsv10
    [ SSL] force-tlsv11
    [ SSL] force-tlsv12
    [ SSL] force-tlsv13
    [ SSL] generate-certificates
    [ SSL] no-ca-names
    [ SSL] no-sslv3
    [ SSL] no-tlsv10
    [ SSL] no-tlsv11
    [ SSL] no-tlsv12
    [ SSL] no-tlsv13
    [ SSL] no-tls-tickets
    [ SSL] ssl
    [ SSL] ssl-min-ver <arg>
    [ SSL] ssl-max-ver <arg>
    [ SSL] strict-sni
    [ SSL] tls-ticket-keys <arg>
    [ SSL] verify <arg>
    [ SSL] npn <arg>
    [ SSL] prefer-client-ciphers
    [STAT] level <arg>
    [STAT] expose-fd <arg>
    [STAT] severity-output <arg>
    [ ALL] accept-netscaler-cip <arg>
    [ ALL] accept-proxy
    [ ALL] backlog <arg>
    [ ALL] id <arg>
    [ ALL] maxconn <arg>
    [ ALL] name <arg>
    [ ALL] nice <arg>
    [ ALL] process <arg>
    [ ALL] proto <arg>
    [ TCP] defer-accept
    [ TCP] interface <arg>
    [ TCP] mss <arg>
    [ TCP] tcp-ut <arg>
    [ TCP] tfo
    [ TCP] transparent
    [ TCP] v4v6
    [ TCP] v6only
    [ TCP] namespace <arg>
    [UNIX] gid <arg>
    [UNIX] group <arg>
    [UNIX] mode <arg>
    [UNIX] uid <arg>
    [UNIX] user <arg>
[ALERT] 006/174126 (2026) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT] 006/174126 (2026) : Fatal errors found in configuration.

Many thanks for any reply!

1 post - 1 participant


Virtual IP Link In HaProxy -> Frontend Section Results In 404


When clicking on the Virtual IP link under the Frontend section I am getting a 404 error.

Frontend (screenshot)

Error (screenshot)

Versions
PfSense Version: 2.4.5-RELEASE-p1 (amd64)
HaProxy Installed version: 1.8.25

3 posts - 2 participants



HAproxy 2.4 spontaneously dying and restarting?


Jan 7 08:14:52 [xxxx] haproxy[2634]: [WARNING] 006/081452 (2634) : Exiting Master process…
Jan 7 08:14:52 [xxxx] haproxy[2634]: [NOTICE] 006/081452 (2634) : haproxy version is 2.2.5-1ppa1~bionic
Jan 7 08:14:52 [xxxx] haproxy[2634]: [NOTICE] 006/081452 (2634) : path to executable is /usr/sbin/haproxy
Jan 7 08:14:52 [xxxx] haproxy[2634]: [ALERT] 006/081452 (2634) : Current worker #1 (2639) exited with code 143 (Terminated)
Jan 7 08:14:52 [xxxx] haproxy[2634]: [WARNING] 006/081452 (2634) : All workers exited. Exiting… (0)

About every 36-48 hours I’m getting a log entry like this. Somehow it’s getting a reason to exit and automatically restarts.

Is there a log setting I need to turn on to get debug or other information on this? If I need to update my build or something, no problem.

Thanks in advance!

Fusion

# haproxy -vvv

HA-Proxy version 2.4-dev0-50c03a-40 2020/11/06 - https://haproxy.org/
Status: development branch - not safe for use in production.
Known bugs: Issues · haproxy/haproxy · GitHub
Running on: Linux 4.15.0-111-generic #112-Ubuntu SMP Thu Jul 9 20:32:34 UTC 2020 x86_64
Build options :
TARGET = linux-glibc
CPU = generic
CC = cc
CFLAGS = -O2 -g -Wall -Wextra -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
OPTIONS = USE_PCRE=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_SYSTEMD=1

Feature list : +EPOLL -KQUEUE +NETFILTER +PCRE -PCRE_JIT -PCRE2 -PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +BACKTRACE -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 -CLOSEFROM +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS

Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=6).
Built with OpenSSL version : OpenSSL 1.1.1 11 Sep 2018
Running on OpenSSL version : OpenSSL 1.1.1 11 Sep 2018
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.3
Built with network namespace support.
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE version : 8.39 2016-06-14
Running on PCRE version : 8.39 2016-06-14
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Encrypted password support via crypt(3): yes
Built with gcc compiler version 7.5.0

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
h2 : mode=HTTP side=FE|BE mux=H2
fcgi : mode=HTTP side=BE mux=FCGI
<default> : mode=HTTP side=FE|BE mux=H1
<default> : mode=TCP side=FE|BE mux=PASS

Available services : none

Available filters :
[SPOE] spoe
[CACHE] cache
[FCGI] fcgi-app
[COMP] compression
[TRACE] trace

3 posts - 2 participants


Properly/Selectively Blocking PROXY PROTOCOL connections


Hello,

I am using haproxy behind a load balancer to bridge a public and a private (k8) network. The load balancer runs the PROXY protocol. I have included the configuration I wrote below. I have confirmed that everything is speaking, and that the LB is using the proxy protocol correctly. The whitelisting of the underlying client is working fine (tested that it both blocks incorrect traffic and allows correct traffic). However, the commented-out line is not working. The intention of the commented-out line (which uses connection rather than content) is to FIRST filter out anything that does not come from a valid load balancer, since I would assume that without this, impersonation would be possible. I have confirmed that the IPs line up, but still no connection is being made when that line is in place. I can turn OFF accept-proxy and block on it, but then I cannot firewall the client traffic, which is the original intent. I am trying to block first on valid proxy, and second on valid proxied client.

frontend ingress
        bind *:9977 accept-proxy
        mode tcp
        acl is_valid_proxy src -f /usr/local/etc/haproxy/proxies.acl
        # tcp-request connection reject if !is_valid_proxy
        acl is_whitelisted src -f /usr/local/etc/haproxy/whitelist.acl
        tcp-request content reject if !is_whitelisted
        use_backend egress

1 post - 1 participant


Haproxy & keepalived (chk_haproxy) problem


Hi.
I want to set up a haproxy & keepalived system and test failover between 2 servers.
keepalived is configured with chk_haproxy, and if haproxy is down, I want failover.

vrrp_script chk_haproxy {
script "systemctl is-active haproxy"
}

Starting keepalived first.
Haproxy is not started, so failover starts…

But haproxy cannot start before keepalived is started,
because keepalived has the VIP settings, so haproxy’s bind to the VIP fails…

I want to start haproxy before keepalived starts on the MASTER server.
Thanks for any help.

2 posts - 2 participants


Fails to start HAProxy Load Balancer


I am running Ubuntu 18.04
My config files and other info are below

log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats timeout 30s
user haproxy
group haproxy
daemon

defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000

frontend http_front
bind *:80
stats uri /haproxy?stats
default_backend http_back

backend http_back
balance roundrobin
server proxy1 myproxy:port check
server proxy2 myproxy:port check

I typed in haproxy -f /etc/haproxy/haproxy.cfg -db and I got this output

[ALERT] 359/031621 (6151) : parsing [/etc/haproxy/haproxy.cfg:1]: unknown keyword 'log' out of section.
[ALERT] 359/031621 (6151) : parsing [/etc/haproxy/haproxy.cfg:2]: unknown keyword 'log' out of section.
[ALERT] 359/031621 (6151) : parsing [/etc/haproxy/haproxy.cfg:3]: unknown keyword 'chroot' out of section.
[ALERT] 359/031621 (6151) : parsing [/etc/haproxy/haproxy.cfg:4]: unknown keyword 'stats' out of section.
[ALERT] 359/031621 (6151) : parsing [/etc/haproxy/haproxy.cfg:5]: unknown keyword 'user' out of section.
[ALERT] 359/031621 (6151) : parsing [/etc/haproxy/haproxy.cfg:6]: unknown keyword 'group' out of section.
[ALERT] 359/031621 (6151) : parsing [/etc/haproxy/haproxy.cfg:7]: unknown keyword 'daemon' out of section.
[ALERT] 359/031621 (6151) : parsing [/etc/haproxy/haproxy.cfg:20] : unknown keyword 'jstats' in 'frontend' section
[ALERT] 359/031621 (6151) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT] 359/031621 (6151) : Fatal errors found in configuration.

Haproxy’s status

Dec 25 02:41:58 admin systemd[1]: haproxy.service: Service hold-off time over, scheduling restart.
Dec 25 02:41:58 admin systemd[1]: haproxy.service: Scheduled restart job, restart counter is at 5.
Dec 25 02:41:58 admin systemd[1]: Stopped HAProxy Load Balancer.
Dec 25 02:41:58 admin systemd[1]: haproxy.service: Start request repeated too quickly.
Dec 25 02:41:58 admin systemd[1]: haproxy.service: Failed with result 'exit-code'.
Dec 25 02:41:58 admin systemd[1]: Failed to start HAProxy Load Balancer.

haproxy -vv

HA-Proxy version 1.8.8-1ubuntu0.11 2020/06/22
Copyright 2000-2018 Willy Tarreau [willy@haproxy.org](mailto:willy@haproxy.org)

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -g -O2 -fdebug-prefix-map=/build/haproxy-_OgGP2/haproxy-1.8.8=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2
OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_SYSTEMD=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_NS=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.1.1 11 Sep 2018
Running on OpenSSL version : OpenSSL 1.1.1 11 Sep 2018
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.39 2016-06-14
Running on PCRE version : 8.39 2016-06-14
PCRE library supports JIT : yes
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace

1 post - 1 participant


Trouble with RDS Scanner Redirection


Hello,

I am having trouble getting Microsoft Remote Desktop Services to redirect RemoteFX devices, specifically scanners, when connecting through HAProxy. It does work, but the speed is incredibly slow: 5 min per page to scan!

It works perfectly fine if I bypass HAProxy when connecting. I am using HAProxy to balance the RDS rdweb servers.

Here is my config

global

#log 127.0.0.1 local2
log /dev/log local0
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon

#turn on stats unix socket
stats socket /var/lib/haproxy/stats

#utilize system-wide crypto-policies
ssl-default-bind-ciphers PROFILE=SYSTEM
ssl-default-server-ciphers PROFILE=SYSTEM

defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000

frontend rds_frontend
bind frontend:443
mode tcp
default_backend rds_gateway

backend rds_gateway
balance source
mode tcp
server server1 server1:443 maxconn 1000 weight 10 check
server server2 server2:443 maxconn 1000 weight 10 check

listen stats
bind backend:8080
stats enable
stats uri /stats
stats refresh 10s
stats admin if LOCALHOST

I am completely at a loss. Any help would be appreciated!

1 post - 1 participant


OPNsense HAProxy & Remote Desktop Gateway


Hello,
I’m using HAProxy v2.0.19-aceb6cb running as a plugin on OPNsense v20.7.7.1. I have a few different sites published and working well, however I can’t quite figure out the proper method for creating a publishing configuration for Windows Remote Desktop Gateway 2019. As it’s a plugin for OPNsense, many of the articles/configurations aren’t as directly applicable.

My goal is to have a URL (rdg.domain.com) publishing an internal server running RDG.

Any pointers available?

Thanks!

1 post - 1 participant


Rewrite uri for specific file


Hi all,

I’d like to redirect favicon requests for backends which don’t have one to an external link where I’ve hosted this file.

In a backend, I tried the following set-uri directive, but it does not work.

http-request set-uri https://domain.com/favicon.ico if { path -m str /favicon.ico }

Could someone please help?
regards
thomas

1 post - 1 participant



How to setup MITM?


Hello, I am trying to configure a MITM like haproxy (to add cookies for incoming requests)
and servers are actually other HTTP proxies.
This is how I am generating the .pem file -

openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout haproxy-ca-key.pem -out haproxy-ca-cert.pem -subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=websiteIamtryingtoMITM.com"
**websites like google.com etc.

Followed by -

cat haproxy-ca-cert.pem haproxy-ca-key.pem >> mysite.pem

My configuration -

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256::RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
defaults
        log     global
        mode    tcp
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http


frontend front
    mode tcp
    bind 0.0.0.0:8443
    bind 0.0.0.0:443 ssl crt /etc/haproxy/certs/mysite.pem crt-ignore-err all
    redirect scheme https if !{ ssl_fc }
    default_backend web_servers

backend web_servers
    mode tcp
    balance roundrobin

 server Node1009 proxy:1009 ssl verify none
 server Node1010 proxy:1010

output of haproxy -vv

HA-Proxy version 2.2.3-2 2020/09/09 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2025.
Known bugs: http://www.haproxy.org/bugs/bugs-2.2.3.html
Running on: Linux 5.8.0-29-generic #31-Ubuntu SMP Fri Nov 6 12:37:59 UTC 2020 x86_64
Build options :
TARGET = linux-glibc
CPU = generic
CC = gcc
CFLAGS = -O2 -g -O2 -fdebug-prefix-map=/build/haproxy-fB8IVI/haproxy-2.2.3=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wall -Wextra -Wdeclaration-after-statement -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-stringop-overflow -Wno-cast-function-type -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_SYSTEMD=1

Feature list : +EPOLL -KQUEUE +NETFILTER -PCRE -PCRE_JIT +PCRE2 +PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +BACKTRACE -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS

Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=2).
Built with OpenSSL version : OpenSSL 1.1.1f 31 Mar 2020
Running on OpenSSL version : OpenSSL 1.1.1f 31 Mar 2020
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.3
Built with network namespace support.
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE2 version : 10.34 2019-11-21
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with gcc compiler version 10.2.0
Built with the Prometheus exporter as a service

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
fcgi : mode=HTTP side=BE mux=FCGI
<default> : mode=HTTP side=FE|BE mux=H1
h2 : mode=HTTP side=FE|BE mux=H2
<default> : mode=TCP side=FE|BE mux=PASS

Available services :
prometheus-exporter

Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace
[CACHE] cache

Using haproxy as a proxy on Firefox just returns “Secure Connection Failed”, not allowing me to make an exception for the insecure certificate.
Clearly I’m doing something wrong, so if you notice something please let me know, as this is becoming so frustrating.
What do I even need to do? Should SSL/TLS Bridging or SSL/TLS Termination do the job?
Thank you in advance!


High memory usage, single site, multi-thread


(topic withdrawn by author, will be automatically deleted in 24 hours unless flagged)


How to define global maxconn parameter


Hi!

Is there any possibility to define the global maxconn parameter value for one haproxy process given known CPU/Memory/Network parameters? I mean without load tests.

All I’ve found in the documentation is section 3.5. Sizing.

Thank you in advance.


Sending udp packets


Now there is a need to receive syslog events via UDP. Will it be possible to do this through HAProxy?


Unable to receive gRPC error during a response streaming call using HAProxy in HTTP mode


I’m working on a gRPC application that will be served behind HAProxy using the http mode. If the server application immediately (i.e. before sending any responses) aborts the response streaming call with a specific error, then the client application will receive a CANCELLED error instead of the one that was sent. The error details will be “Received RST_STREAM with error code 8”. I’m working with HAProxy 2.3.2 and grpc 1.34.0.

For each of such requests, the HAProxy log entry has the SD-- flags set in the session state at disconnection field, e.g.

<134>Jan  9 18:09:39 1a8328663d74 haproxy[8]: 172.28.0.4:41698 [09/Jan/2021:18:09:39.346] grpc-server-fe grpc-server-fe/grpc-server-be 0/0/0/-1/+0 -1 +115 - - SD-- 1/1/0/0/0 0/0 "POST http://proxy:6000/service.Service/StreamStream HTTP/2.0"

In the HAProxy documentation those flags are defined as follows:

  • S: the TCP session was unexpectedly aborted by the server, or the server explicitly refused it.
  • D: the session was in the DATA phase.

Additionally:

SD The connection to the server died with an error during the data transfer. This usually means that haproxy has received an RST from the server or an ICMP message from an intermediate equipment while exchanging data with the server. This can be caused by a server crash or by a network issue on an intermediate equipment.

Knowing that, and having in mind that the HTTP connection was opened with the intention of data streaming, as a workaround I have tried sending an empty gRPC message before raising the error. The solution has helped partially: the error codes could be received by the client for most requests, but the issue still happened from time to time.

As a next step I have inspected the network traffic using Wireshark. The following is a trace of the HTTP response served by the gRPC server in the event of immediate call abortion:

HyperText Transfer Protocol 2
    Stream: SETTINGS, Stream ID: 0, Length 0
        Length: 0
        Type: SETTINGS (4)
        Flags: 0x01
        0... .... .... .... .... .... .... .... = Reserved: 0x0
        .000 0000 0000 0000 0000 0000 0000 0000 = Stream Identifier: 0
    Stream: HEADERS, Stream ID: 1, Length 88, 200 OK
        Length: 88
        Type: HEADERS (1)
        Flags: 0x05
            .... ...1 = End Stream: True
            .... .1.. = End Headers: True
            .... 0... = Padded: False
            ..0. .... = Priority: False
            00.0 ..0. = Unused: 0x00
        0... .... .... .... .... .... .... .... = Reserved: 0x0
        .000 0000 0000 0000 0000 0000 0000 0001 = Stream Identifier: 1
        [Pad Length: 0]
        Header Block Fragment: 88400c636f6e74656e742d74797065106170706c69636174...
        [Header Length: 120]
        [Header Count: 4]
        Header: :status: 200 OK
        Header: content-type: application/grpc
        Header: grpc-status: 7
        Header: grpc-message: Details sent by the server
    Stream: RST_STREAM, Stream ID: 1, Length 4
        Length: 4
        Type: RST_STREAM (3)
        Flags: 0x00
        0... .... .... .... .... .... .... .... = Reserved: 0x0
        .000 0000 0000 0000 0000 0000 0000 0001 = Stream Identifier: 1
        Error: NO_ERROR (0)

So the server sends response headers with details on the error with the End Stream and End Headers flags set, and then closes the stream with the NO_ERROR code. According to the answer provided in the Stack Overflow question “should gRPC server-side half-closing implicitly terminate the client?”, everything is ok at this stage. I have also briefly reviewed RFC 7540 and couldn’t find anything that is off in terms of the HTTP/2 protocol.

The quoted gRPC server HTTP response is followed by a TCP ACK originating from HAProxy, and next HAProxy dispatches its response to the client.

HyperText Transfer Protocol 2
    Stream: HEADERS, Stream ID: 1, Length 75, 200 OK
        Length: 75
        Type: HEADERS (1)
        Flags: 0x05
            .... ...1 = End Stream: True
            .... .1.. = End Headers: True
            .... 0... = Padded: False
            ..0. .... = Priority: False
            00.0 ..0. = Unused: 0x00
        0... .... .... .... .... .... .... .... = Reserved: 0x0
        .000 0000 0000 0000 0000 0000 0000 0001 = Stream Identifier: 1
        [Pad Length: 0]
        Header Block Fragment: 885f106170706c69636174696f6e2f67727063000b677270...
        [Header Length: 120]
        [Header Count: 4]
        Header: :status: 200 OK
        Header: content-type: application/grpc
        Header: grpc-status: 7
        Header: grpc-message: Details sent by the server
    Stream: RST_STREAM, Stream ID: 1, Length 4
        Length: 4
        Type: RST_STREAM (3)
        Flags: 0x00
            0000 0000 = Unused: 0x00
        0... .... .... .... .... .... .... .... = Reserved: 0x0
        .000 0000 0000 0000 0000 0000 0000 0001 = Stream Identifier: 1
        Error: CANCEL (8)

It can be seen that the flags and all the contents of the HEADERS frame are in place, so the error details are passed to the client, but the code of RST_STREAM has changed to CANCEL. In effect the client receives all the expected data, but after that it receives an unexpected RST_STREAM(CANCEL) that is mapped to the gRPC CANCELLED error, as specified in the gRPC documentation.

In the course of further investigation, I have referred to HAProxy source code. I have discovered that the code is set in the h2_do_shutr function of mux_h2.c (experiments with custom HAProxy builds have proven that it is indeed this place). The involved code branch has the following comment:

a final response was already provided, we don’t want this stream anymore. This may happen when the server responds before the end of an upload and closes quickly (redirect, deny, …)

So those are the details I have managed to gather on the issue. I’m not entirely sure whether the problem lies in the gRPC core (being too messy in terms of HTTP/2 stream handling) or HAProxy (being too careless while rewriting RST_STREAM codes).

The final question is, how can I tune the configuration of HAProxy and the gRPC core server to work correctly in the event of immediate call abortion? At the moment, to overcome the issue, I have prepared a custom HAProxy build that responds with RST_STREAM(NO_ERROR) in the described circumstances, but this solution feels rather like technology debt.

The minimal HAProxy configuration that reproduces the issue is as follows:

global
    log stdout local0

listen grpc-server-fe
    bind *:6000 proto h2

    mode http
    log global
    option logasap
    option httplog

    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

    server grpc-server-be server:6000 proto h2

I have prepared a repository with a minimal example containing a simple Python client and server. It also contains a docker-compose network environment including a configured HAProxy.
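An added example, not from the post above or from HAProxy or gRPC, that decodes the raw HTTP/2 frame layout and RST_STREAM error codes seen in the two captures and shows why a trailers-only response followed by RST_STREAM(NO_ERROR) differs from one followed by RST_STREAM(CANCEL). Frame layouts follow RFC 7540, the CANCEL-to-CANCELLED mapping is the one the post cites, and the sample frames (including the opaque stand-in header block bytes) are constructed.

```python
import struct

# Frame types and error codes from RFC 7540 sections 6 and 7.
FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x3: "RST_STREAM", 0x4: "SETTINGS"}
ERROR_CODES = {0x0: "NO_ERROR", 0x1: "PROTOCOL_ERROR", 0x8: "CANCEL"}
END_STREAM, END_HEADERS = 0x1, 0x4

def build_frame(ftype, flags, stream_id, payload=b""):
    """Encode one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)

def parse_frames(buf):
    """Split a raw HTTP/2 byte stream (no connection preface) into frames."""
    frames, off = [], 0
    while off < len(buf):
        if off + 9 > len(buf):
            raise ValueError("truncated frame header")
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = buf[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        frame = {"type": FRAME_TYPES.get(ftype, hex(ftype)), "flags": flags,
                 "stream_id": stream_id}
        if ftype == 0x3:  # RST_STREAM: payload is a single 32-bit error code
            code = int.from_bytes(payload[:4], "big")
            frame["error"] = ERROR_CODES.get(code, hex(code))
        frames.append(frame)
        off += 9 + length
    return frames

def grpc_outcome(frames, stream_id):
    """Status a gRPC client derives for one stream, following the post: HEADERS
    with END_STREAM is a complete trailers-only response; a later RST_STREAM
    (NO_ERROR) keeps its grpc-status, RST_STREAM(CANCEL) becomes CANCELLED."""
    finished, outcome = False, "INCOMPLETE"
    for f in (f for f in frames if f["stream_id"] == stream_id):
        if f["type"] == "HEADERS" and f["flags"] & END_STREAM:
            finished, outcome = True, "STATUS_FROM_HEADERS"
        elif f["type"] == "RST_STREAM" and (f["error"] != "NO_ERROR" or not finished):
            outcome = "CANCELLED" if f["error"] == "CANCEL" else "RST_" + f["error"]
    return outcome

# Constructed frames mirroring the two captures: the same trailers-only HEADERS
# (opaque bytes stand in for HPACK), then RST_STREAM(NO_ERROR) vs RST_STREAM(CANCEL).
HEADERS_FRAME = build_frame(0x1, END_STREAM | END_HEADERS, 1, b"\x88\x5f\x10")
SERVER_SIDE = HEADERS_FRAME + build_frame(0x3, 0, 1, struct.pack("!I", 0))
CLIENT_SIDE = HEADERS_FRAME + build_frame(0x3, 0, 1, struct.pack("!I", 8))
```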
