Channel: HAProxy community - Latest topics

Possible minor bug - configuration validation


@aidofitz wrote:

hi folks,

can anyone point me at how to log a possible bug - it's not clear to me how to do this?

For info and comment, the issue appears to be with a change made back in

2014/04/23 : 1.5-dev23
MEDIUM: config: relax use_backend check to make the condition optional

I haven't checked the source code (wouldn't know how to read it!) but from behaviour it appears that the above change is actually also hiding errors in conditions on use_backend. For example, we had an issue where someone making a change to config made a typo of the form:

use_backend x of acl_y

i.e. "of" in place of "if". In pre-1.5 versions this config is rejected at start up ('use_backend' requires either 'if' or 'unless' followed by a condition) but in 1.7.1 the system starts, reports no error and routes all traffic to backend x. Seems that the check is a bit too relaxed! I would have thought if anything is present where a condition would be, then it should be validated - i.e. only a blank rest of line should be construed as no condition.

Adrian

Posts: 2

Participants: 2

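A pre-flight check for the exact typo this post describes ("of" where "if" was meant), added here as an illustration and not part of the original thread or of HAProxy's own configuration parser. It only inspects `use_backend` lines and flags any trailing text after the backend name that does not begin with `if` or `unless`, which is the stricter behaviour the poster argues for; the sample configuration it scans is constructed for the example.

```python
"""
Pre-flight lint for the 'use_backend x of acl_y' typo described in the post
above. Added illustration, not HAProxy's own configuration parser: it only
inspects use_backend lines and flags any trailing text after the backend
name that does not start with 'if' or 'unless'.
"""
from typing import List, Tuple

# Constructed sample config (not the poster's real file); line 5 carries the typo.
SAMPLE_CFG = """\
frontend web
    bind *:80
    acl acl_y path_beg /y
    use_backend x if acl_y
    use_backend x of acl_y
    use_backend x unless !acl_y
    use_backend x
    use_backend %[req.hdr(host),lower,map_dom(/etc/haproxy/domains.map)]
    use_backend x { path_beg /z }
    default_backend x
"""

CONDITION_KEYWORDS = ("if", "unless")

Finding = Tuple[int, str, str]   # (line number, original line, reason)


def lint_use_backend(cfg_text: str) -> List[Finding]:
    """Return one finding per use_backend rule whose condition looks malformed."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(cfg_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        tokens = line.split()
        if tokens[0] != "use_backend":
            continue
        if len(tokens) < 2:
            findings.append((lineno, raw, "use_backend without a backend name"))
            continue
        rest = tokens[2:]
        if not rest:
            # Unconditional rule: legal since 1.5-dev23, nothing to check.
            continue
        if rest[0] not in CONDITION_KEYWORDS:
            findings.append((lineno, raw,
                             "expected 'if' or 'unless' after backend name, "
                             f"found {rest[0]!r}"))
        elif len(rest) == 1:
            findings.append((lineno, raw, f"'{rest[0]}' with no condition"))
    return findings


if __name__ == "__main__":
    for lineno, raw, reason in lint_use_backend(SAMPLE_CFG):
        print(f"line {lineno}: {reason}\n    {raw}")
```

Run it over a candidate haproxy.cfg before `haproxy -c`: the line with `of` and the line with a bare `{ ... }` block (no `if` in front of it) are reported, while the unconditional rule and the map-based rule pass.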


Haproxy causes "Communications link failure" with JDBC and MySQL


@andrea wrote:

I'm running a dockerized metabase instance on rancher server and I'm using haproxy to front the application. Everything runs pretty fine, except that upon first page hit I get the following error page:

HTTP ERROR: 500
Problem accessing /. Reason:
    Communications link failure
The last packet successfully received from the server was 1,758,522 milliseconds ago.  The last packet sent successfully to the server was 2 milliseconds ago.

The fun thing is that a refresh fixes the issue, which comes back after a period of inactivity.
Any suggestion please?

Posts: 1

Participants: 1


Using SSL Termination AND Passthrough AND Bridging based on URL


@skippyboy wrote:

Hello All. I am quite new to using HAProxy, and have been directed to do something that I can't find any examples of in my google searches.

We will be hosting many different sites, and would like to be able to provide SSL termination, Passthrough, and Bridging/Re-encryption based on the URL.

I have a working config that is performing SSL Termination, and I believe it is also doing Bridging/Re-encryption. Is it possible to also add Passthrough? I found a sample using a domain mapping file that is referred to for checking the request and mapping it to a backend, and this works quite well.

I guess I just need to know if it is possible to support all 3 modes on one haproxy server.

Here is my haproxy.cfg if it may be helpful. (We are in a testing mode right now - so I can make any changes needed.)

Posts: 2

Participants: 2


HAProxy Load Balancing in Exchange 2016 - New Information


@CDN224 wrote:

Teams,
Microsoft has now released Exchange 2016, we know from previous setups that 2013 can be done with great results, but 2016 introduces a new "Health Monitoring". Exchange 2016 includes a built-in monitoring solution, known as Managed Availability.

We know... Since session affinity is not used by the HAProxy load balancer, this means that the load balancer has no knowledge of the target URL or request content. All the load balancer uses is layer 4 information, the IP address and the protocol/port (TCP 443)

According to Microsoft, Managed Availability includes an offline responder. When the offline responder is invoked, the affected protocol (or server) is removed from service.

URL: https://blogs.technet.microsoft.com/exchange/2015/10/08/load-balancing-in-exchange-2016/

My Question, that this forum will get a lot of...
If the load balancer did not utilize the healthcheck.htm in 2016 health probe, then the load balancer would have no knowledge of Exchange's Managed Availability’s removal of (or adding back) a server from the applicable load balancing pool.

So, the end result is that the load balancer would have one view of the world, while Managed Availability (Exchange) would have another view of the world. In this situation, the load balancer could direct requests to a Mailbox server that Managed Availability has marked down, which would result in a negative (or broken) user experience. This is why the recommendation exists to utilize healthcheck.htm in the load balancing health probes.

Can HAProxy accommodate this in its config file?

Here's what I have so far


global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
user haproxy
group haproxy
daemon


defaults
option dontlognull # Do not log connections with no requests
option redispatch # Try another server in case of connection failure
option contstats # Enable continuous traffic statistics updates
retries 3 # Try to connect up to 3 times in case of failure
timeout connect 5s # 5 seconds max to connect or to stay in queue
timeout http-keep-alive 1s # 1 second max for the client to post next request
timeout http-request 15s # 15 seconds max for the client to send a request
timeout queue 30s # 30 seconds max queued on load balancer
timeout tarpit 1m # tarpit hold time
backlog 10000 # Size of SYN backlog queue
balance roundrobin # load balancing algorithm
mode tcp # protocol analyzer
option tcplog # log format
log global # log activation
timeout client 300s # client inactivity timeout
timeout server 300s # server inactivity timeout
default-server inter 3s rise 2 fall 3 # default check parameters


frontend Exchange_FrontEnd_HTTP
bind 192.168.201.15:80 name web
maxconn 10000
default_backend Exchange_BackEnd_HTTP

backend Exchange_BackEnd_HTTP
server SRV-EX01 192.168.201.235:80 maxconn 10000 check
server SRV-EX02 192.168.201.230:80 maxconn 10000 check backup

frontend Exchange_FrontEnd_SSL
bind 192.168.201.15:443 name ssl
maxconn 10000
default_backend Exchange_BackEnd_SSL

backend Exchange_BackEnd_SSL
server SRV-EX01 192.168.201.235:443 maxconn 10000 check
server SRV-EX02 192.168.201.230:443 maxconn 10000 check backup

frontend Exchange_FrontEnd_SMTP25
bind 192.168.201.15:25 name smtp
maxconn 10000
default_backend Exchange_BackEnd_SMTP25

backend Exchange_BackEnd_SMTP25
server SRV-EX01 192.168.201.235:25 maxconn 10000 check
server SRV-EX02 192.168.201.230:25 maxconn 10000 check backup

frontend Exchange_FrontEnd_SMTP_Secure
bind 192.168.201.15:465 name smtpssl
maxconn 10000
default_backend Exchange_BackEnd_SMTP_Secure

backend Exchange_BackEnd_SMTP_Secure
server SRV-EX01 192.168.201.235:465 maxconn 10000 check
server SRV-EX02 192.168.201.230:465 maxconn 10000 check backup

frontend Exchange_FrontEnd_IMAP
bind 192.168.201.15:143 name imap
maxconn 10000
default_backend Exchange_BackEnd_IMAP

backend Exchange_BackEnd_IMAP
server SRV-EX01 192.168.201.235:143 maxconn 10000 check
server SRV-EX02 192.168.201.230:143 maxconn 10000 check backup

frontend Exchange_FrontEnd_IMAP_Secure
bind 192.168.201.15:993 name imapssl
maxconn 10000
default_backend Exchange_BackEnd_IMAP_Secure

backend Exchange_BackEnd_IMAP_Secure
server SRV-EX01 192.168.201.235:993 maxconn 10000 check
server SRV-EX02 192.168.201.230:993 maxconn 10000 check backup

# frontend Exchange_FrontEnd_POP3
# bind 192.168.201.15:110 name pop3
# maxconn 10000
# default_backend Exchange_BackEnd_POP3

# backend Exchange_BackEnd_POP3
# server SRV-EX01 192.168.201.235:110 maxconn 10000 check
# server SRV-EX02 192.168.201.230:110 maxconn 10000 check backup

# frontend Exchange_FrontEnd_POP3_Secure
# bind 192.168.201.15:995 name pop3ssl
# maxconn 10000
# default_backend Exchange_BackEnd_POP3_Secure

# backend Exchange_BackEnd_POP3_Secure
# server SRV-EX01 192.168.201.235:995 maxconn 10000 check
# server SRV-EX02 192.168.201.230:995 maxconn 10000 check backup


#This is the virtual URL/Port to access the stats page

listen stats 192.168.201.15:4711
mode http
balance
timeout client 5000
timeout connect 4000
timeout server 30000
stats enable
stats hide-version
stats uri /

#This allows you to take down and bring up back end servers.
#This will produce an error on older versions of HAProxy.
# stats admin if TRUE

Posts: 1

Participants: 1

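To make the "two views of the world" concern in this post concrete, here is a toy simulation of the load balancer's `rise 2 fall 3` check logic from the `default-server` line above, fed with a constructed sequence of healthcheck.htm responses. This is an added example written for the thread, not HAProxy code; it assumes the server starts in the UP state, that a 200 on healthcheck.htm means "in service" and anything else means "taken out by Managed Availability" (as in the Microsoft article linked in the post), and the probe results are made up.

```python
"""
Toy rise/fall health-check state machine, added to illustrate the post above.
Not HAProxy code. Assumptions: server starts UP; a 200 from healthcheck.htm
means Exchange considers the protocol in service, any other status means
Managed Availability has taken it offline.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

Observation = Tuple[int, bool]   # (probe status, load balancer's UP/DOWN view after it)


@dataclass
class ServerState:
    name: str
    rise: int = 2          # consecutive good checks needed to go DOWN -> UP
    fall: int = 3          # consecutive bad checks needed to go UP -> DOWN
    up: bool = True        # assumed initial state for the example
    streak: int = 0        # consecutive checks disagreeing with current state
    history: List[Observation] = field(default_factory=list)

    def observe(self, status: int) -> bool:
        """Apply one probe result and return the load balancer's view afterwards."""
        healthy = status == 200
        if healthy == self.up:
            self.streak = 0            # probe agrees with current state
        else:
            self.streak += 1
            threshold = self.fall if self.up else self.rise
            if self.streak >= threshold:
                self.up = not self.up  # flip state once the threshold is reached
                self.streak = 0
        self.history.append((status, self.up))
        return self.up


def run_probes(statuses: List[int], rise: int = 2, fall: int = 3) -> List[Observation]:
    """Run a whole probe sequence against one server and return its history."""
    srv = ServerState("SRV-EX01", rise=rise, fall=fall)
    for status in statuses:
        srv.observe(status)
    return srv.history


def transitions(history: List[Observation]) -> List[Tuple[int, bool]]:
    """Probe indices at which the load balancer changed its mind, with the new state."""
    out, prev = [], True   # matches the assumed initial UP state
    for i, (_, up) in enumerate(history):
        if up != prev:
            out.append((i, up))
        prev = up
    return out


def view_mismatches(history: List[Observation]) -> int:
    """Probes during which Exchange's view and the load balancer's view disagreed."""
    return sum(1 for status, up in history if (status == 200) != up)


# Constructed scenario: Managed Availability takes the protocol offline for
# four probe intervals (503), then brings it back (200).
SCENARIO = [200, 200, 503, 503, 503, 503, 200, 200, 200]

if __name__ == "__main__":
    hist = run_probes(SCENARIO)
    for i, (status, up) in enumerate(hist):
        print(f"probe {i}: healthcheck.htm -> {status}, LB view: {'UP' if up else 'DOWN'}")
    print("transitions:", transitions(hist))
    print("probes with mismatched views:", view_mismatches(hist))
```

With `inter 3s`, each mismatched probe is three seconds during which requests can still be sent to a server Exchange already marked down (or withheld from one it already marked up); shrinking `fall` closes the first gap at the cost of more false negatives on transient errors.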

Multiple Connection from Same IP slow


@melaleuca wrote:

We host a couple thousand sites and in our office we are constantly checking sites, etc. Every once in a while sites become really slow, but only in the office. After a couple sec they speed up.

Netstat does show TIME_WAIT on the office ip.

I am wondering if I am hitting a limit for source ip. I am not limiting connection on haproxy.

Does anybody have advice on what to check?

Posts: 2

Participants: 2


Opportunistic client certificate validation


@jschlyter wrote:

Greetings,

I have an application that authenticates its peers using pre-registered self-signed certificates. When we deploy this application behind a nginx or apache reverse proxy, we use TLS client authentication with "optional_no_ca" and transfer the hash of the certificate to the application using a custom header.

Now I'd like to deploy this application behind HAproxy. Using "verify optional" in combination with "crt-ignore-err all" seems to be the right choice, but it seems HAproxy provides an empty value for %[ssl_c_sha1] upon authentication. This might make sense when you actually require certificate validation, but in this case ANY certificate is valid for the reverse proxy.

There are examples of how to do certificate validation in the application, but I've seen none that uses self-signed certificates.

Is there any way to configure HAproxy to not only accept the self-signed certificate but also make data extracted from the client certificate available? Adding an "optional_no_ca" mode with the same semantics as nginx and apache makes sense, but perhaps there are other options. Please advise.

Posts: 1

Participants: 1


Transparent HAProxy and Exchange not working


@dskriv wrote:

Hello,

I am attempting to set up a pair of HAProxy servers running CentOS 7 to load balance 2 Exchange 2016 servers transparently. We have logging requirements so the client IP address must be logged on the Exchange side. I have a non-transparent setup functioning with layer 7. I followed the instructions here: http://blog.haproxy.com/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/ however, when I have 'source 0.0.0.0 usesrc clientip' defined in the backends my pages do not load, and I also do not see errors logged in /var/log/haproxy.log.

I have verified the tproxy module is loaded:
lsmod | grep -ie tproxy
xt_TPROXY 17327 0
nf_defrag_ipv6 35104 3 xt_socket,xt_TPROXY,nf_conntrack_ipv6
nf_defrag_ipv4 12729 3 xt_socket,xt_TPROXY,nf_conntrack_ipv4

I replaced firewalld with iptables to allow me to follow the documentation.

All servers are in the same subnet: 192.168.5.0/24
keepalived VIP 192.168.5.205
HAProxy-01: 192.168.5.206
HAProxy-01: 192.168.5.207
Ex2016-01: 192.168.5.181
Ex2016-01: 192.168.5.182

I am testing from a different subnet: 192.168.6.0/24

I feel like I am missing something but do not know what.

Here is my config:
global
log 127.0.0.1 local0 info
maxconn 10000
chroot /var/lib/haproxy
daemon
quiet
tune.ssl.default-dh-param 2048

defaults
log global
mode http
option httplog
option dontlognull
timeout connect 30000ms
timeout client 30000ms
timeout server 60000ms
timeout check 60000ms

listen stats
bind 192.168.5.206:8181
mode http
log global
maxconn 10
clitimeout 100s
srvtimeout 100s
contimeout 100s
timeout queue 100s
stats enable
stats hide-version
stats refresh 30s
stats show-node
stats auth admin:
stats uri /haproxy?stats

frontend fe_ex2016
mode http
bind 192.168.5.205:80 transparent
bind 192.168.5.205:443 transparent ssl crt /etc/ssl/certs/ssl_cert.pem
redirect scheme https code 301 if !{ ssl_fc }
acl autodiscover url_beg /Autodiscover
acl mapi url_beg /mapi
acl rpc url_beg /rpc
acl owa url_beg /owa
acl eas url_beg /microsoft-server-activesync
acl ecp url_beg /ecp
acl ews url_beg /ews
acl oab url_beg /oab
use_backend be_ex2016_autodiscover if autodiscover
use_backend be_ex2016_mapi if mapi
use_backend be_ex2016_rpc if rpc
use_backend be_ex2016_owa if owa
use_backend be_ex2016_eas if eas
use_backend be_ex2016_ecp if ecp
use_backend be_ex2016_ews if ews
use_backend be_ex2016_oab if oab
default_backend be_ex2016

backend be_ex2016_autodiscover
mode http
source 0.0.0.0 usesrc clientip
balance roundrobin
option httpchk GET /autodiscover/healthcheck.htm
option log-health-checks
http-check expect status 200
server vm-ex2016-01 192.168.5.181:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server vm-ex2016-02 192.168.5.182:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt

backend be_ex2016_mapi
mode http
source 0.0.0.0 usesrc clientip
balance roundrobin
option httpchk GET /mapi/healthcheck.htm
option log-health-checks
http-check expect status 200
server vm-ex2016-01 192.168.5.181:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server vm-ex2016-02 192.168.5.182:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt

backend be_ex2016_rpc
mode http
source 0.0.0.0 usesrc clientip
balance roundrobin
option httpchk GET /rpc/healthcheck.htm
option log-health-checks
http-check expect status 200
server vm-ex2016-01 192.168.5.181:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server vm-ex2016-02 192.168.5.182:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt

backend be_ex2016_owa
mode http
source 0.0.0.0 usesrc clientip
balance roundrobin
option httpchk GET /owa/healthcheck.htm
option log-health-checks
http-check expect status 200
server vm-ex2016-01 192.168.5.181:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server vm-ex2016-02 192.168.5.182:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt

backend be_ex2016_eas
mode http
source 0.0.0.0 usesrc clientip
balance roundrobin
option httpchk GET /microsoft-server-activesync/healthcheck.htm
option log-health-checks
http-check expect status 200
server vm-ex2016-01 192.168.5.181:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server vm-ex2016-02 192.168.5.182:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt

backend be_ex2016_ecp
mode http
source 0.0.0.0 usesrc clientip
balance roundrobin
option httpchk GET /ecp/healthcheck.htm
option log-health-checks
http-check expect status 200
server vm-ex2016-01 192.168.5.181:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server vm-ex2016-02 192.168.5.182:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt

backend be_ex2016_ews
mode http
source 0.0.0.0 usesrc clientip
balance roundrobin
option httpchk GET /ews/healthcheck.htm
option log-health-checks
http-check expect status 200
server vm-ex2016-01 192.168.5.181:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server vm-ex2016-02 192.168.5.182:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt

backend be_ex2016_oab
mode http
source 0.0.0.0 usesrc clientip
balance roundrobin
option httpchk GET /oab/healthcheck.htm
option log-health-checks
http-check expect status 200
server vm-ex2016-01 192.168.5.181:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server vm-ex2016-02 192.168.5.182:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt

backend be_ex2016
mode http
source 0.0.0.0 usesrc clientip
balance roundrobin
server vm-ex2016-01 192.168.5.181:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server vm-ex2016-02 192.168.5.182:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt

listen smtp
bind 192.168.5.206:25 transparent
mode tcp
source 0.0.0.0 usesrc clientip
option tcplog
balance roundrobin
option smtpchk EHLO mail.mydomain.net
server vm-ex2016-01 192.168.5.181:25 check
server vm-ex2016-02 192.168.5.182:25 check

Posts: 1

Participants: 1


Haproxy crashes on 3 nodes at exactly the same time


@kingcdavid wrote:

Hi All

Hoping someone will be able to help, we're running a bit of an interesting setup

we have 3 HAProxy nodes running freebsd 11.0, each host runs 4 jails running haproxy, but only one of the jails is under any real load

we use CARP to balance between the hosts and jails which seems to be working fine

about once every 2/3 months, all the haproxy instances hang, the process keeps running, but doesn't accept any more connections, the monitoring socket is unresponsive. it doesn't produce any errors in logs.

these hangs all happen within a couple of seconds, over all jails on all hosts taking down our frontend network, a restart of the haproxy service fixes it.

we use chef for config management, and all the run times are splayed, all the haproxy instances will have different up times

Anyone who has a good idea of what could cause this?

Thanks!!

Posts: 1

Participants: 1



Stick Table Size


@haproxy wrote:

Hello,

I'm not finding much detail on the stick table size settings. Can someone point me in the right direction?

We're running 1.5.18. The latest change log for 1.5.19 mentions some bugs related to segfaults with stick tables. Since upgrading isn't an option for us, and I've narrowed down the problem to our stick table (see below), I think we can possibly configure our way out of daily crashes by fiddling with the 'size' value, probably making it 500k or larger?

https://www.haproxy.org/download/1.5/src/CHANGELOG

stick-table type ip size 200k expire 5m store gpc0,conn_cur,conn_cnt
acl block_on_path path_beg -i /path/to/login
tcp-request content track-sc1 src if block_on_path
http-request tarpit if { src_conn_cnt ge 15 } block_on_path

In the documentation, some examples of stick tables show the size:204800, so about the same as ours (200k). Other examples I've run across are all about the same, think the largest was 500. But, what is that number exactly?

Thanks in advance!

HAP (can't believe i scored the username 'haproxy' in this community!) :nerd:

Posts: 2

Participants: 1


NetScaler CIP analysing code seems to be incorrect


@mahnkong wrote:

Hello,

we are trying to run several instances of HAProxy (v1.7.3) behind a NetScaler VPX (Version 11.0 64.34) and want to use the NetScaler CIP feature so that the original IP of the client can be passed through HAProxy.

The haproxy.cfg listener looks like this:

listen weblistener
    bind *:80 accept-netscaler-cip 4711
    tcp-request connection expect-netscaler-cip layer4
    mode tcp
    option tcplog
    server s1 192.168.0.123:8000 check

The NetScaler sends the CIP Packet as specified here: https://support.citrix.com/article/CTX205670 and the Packet looks as expected after taking a tcpdump and viewing it with wireshark. But the analysis in HAProxy fails with 'CO_ER_CIP_BAD_PROTO' at line 784. (IP Version not v4/v6).

An exemplary CIP Header arriving in HAPRoxy looks like this:

0x00 0x00 0x12 0x67 0x00 0x00 0x00 0x34 0x00 0x01 0x00 0x28 0x45 0x00 0x00 0x28
0x5c 0xef 0x40 0x00 0x3e 0x06 0x39 0x08 0xbe 0x64 0xdc 0x99 0x0a 0x70 0x01 0x6b
0xe3 0xfc 0x00 0x50 0xba 0x67 0x50 0x9e 0x9e 0xcc 0x0e 0xcd 0x50 0x10 0x72 0x10
0xf9 0xfe 0x00 0x00

where the beginning parts are:

Magic Number:    0x00 0x00 0x12 0x67
CIP Length:      0x00 0x00 0x00 0x34
Type:                      0x00 0x01
CIP Header size:           0x00 0x28
IP Version:      0x45 0x00 0x00 0x28

Based on this header and the specification from Citrix, the code part in HAProxy which analyses the CIP seems to be incorrect in 2 places:

  1. Line 711
    The "IP Version" bytes start at index 12 as specified by Citrix. Hence the correct increment here would be 12 (instead of 8) in our eyes. We patched the code for testing purposes and with the increment of 12 the IP Version analysis works as expected and also the source ip retrieval worked fine.

  2. Line 788
    The line pointer is incremented by the length of the CIP, hence the pointer should be decremented by the amount used in item 1 (8 or 12, depending what is correct)

Does anyone have a deeper knowledge of NetScaler CIP and can review our findings in order to determine the cause of the problem? Maybe the version of our NetScaler is too new or old?

Best regards,
mahnkong

Posts: 3

Participants: 2

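A parser for the CIP preamble exactly as the post lays it out (4-byte magic, 4-byte total length, 2-byte type, 2-byte CIP header size, then the original IPv4 and TCP headers from byte offset 12), run over the 52 bytes quoted above. This is an added example for the thread, not HAProxy's parser and not Citrix code, and it makes no claim about which offset HAProxy uses; it does show what the version nibble looks like at offsets 8 and 12 of this capture, and it refuses preambles whose magic, total length or header size do not add up, which is the check you want on any header that asserts a client address on the upstream's say-so.

```python
"""
Parse a NetScaler CIP preamble following the byte layout described in the
post above. Added example, not HAProxy's or Citrix's code. Layout assumed:
  magic(4) | cip_length(4) | type(2) | cip_header_size(2) | IPv4 hdr | TCP hdr
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# The 52 bytes quoted in the post, transcribed from its hex dump.
SAMPLE_CIP = bytes.fromhex(
    "00001267 00000034 0001 0028 45000028"
    "5cef4000 3e063908 be64dc99 0a70016b"
    "e3fc0050 ba67509e 9ecc0ecd 50107210"
    "f9fe0000"
)

CIP_MAGIC = 0x00001267
PREAMBLE_LEN = 12          # magic(4) + length(4) + type(2) + header size(2)
MIN_IPV4_HDR = 20


class CipError(ValueError):
    """Raised when the buffer is not a well-formed CIP preamble."""


@dataclass(frozen=True)
class CipInfo:
    cip_length: int
    cip_type: int
    header_size: int
    ip_version: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def ip_version_at(buf: bytes, offset: int) -> int:
    """High nibble of the byte at `offset`; lets you compare candidate offsets."""
    return buf[offset] >> 4


def parse_cip(buf: bytes) -> CipInfo:
    """Validate the preamble and extract the embedded client address and ports."""
    if len(buf) < PREAMBLE_LEN + MIN_IPV4_HDR:
        raise CipError("too short for a CIP preamble plus an IPv4 header")
    magic, cip_len, cip_type, hdr_size = struct.unpack("!IIHH", buf[:PREAMBLE_LEN])
    if magic != CIP_MAGIC:
        raise CipError(f"bad magic 0x{magic:08x}")
    if cip_len != len(buf):
        raise CipError(f"CIP length {cip_len} does not match {len(buf)} bytes received")
    if PREAMBLE_LEN + hdr_size != cip_len:
        raise CipError("CIP header size is inconsistent with the total length")
    ip = buf[PREAMBLE_LEN:]                 # inner headers start at offset 12
    version = ip[0] >> 4
    if version != 4:
        raise CipError(f"unsupported IP version {version}")
    ihl = (ip[0] & 0x0F) * 4
    if ihl < MIN_IPV4_HDR or len(ip) < ihl + 4:
        raise CipError("truncated IPv4/TCP header")
    src_ip = str(IPv4Address(ip[12:16]))
    dst_ip = str(IPv4Address(ip[16:20]))
    src_port, dst_port = struct.unpack("!HH", ip[ihl:ihl + 4])
    return CipInfo(cip_len, cip_type, hdr_size, version,
                   src_ip, dst_ip, src_port, dst_port)


if __name__ == "__main__":
    print("version nibble at offset 8:", ip_version_at(SAMPLE_CIP, 8))
    print("version nibble at offset 12:", ip_version_at(SAMPLE_CIP, 12))
    print(parse_cip(SAMPLE_CIP))
```

On the quoted capture the parser yields a client of 190.100.220.153:58364 talking to 10.112.1.107:80, and the byte at offset 8 is the high byte of the type field (0x00), which is why reading the version nibble there gives 0 rather than 4.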

HTTPS to HTTP transparent proxy mode, without SSL Certificate


@thiago.daconceicao wrote:

Hi all,

I'm new here, sorry for the doubt, but is it possible to do a transparent proxy using mode tcp, forwarding the incoming HTTPS traffic and translating it to an HTTP port on my backends, all without using a certificate on the frontend?

Thanks for attention and replies,
Best regards
Thiago Conceição

Posts: 2

Participants: 2


Mount local path


@p3rtinax wrote:

Hi,

I'm using nginx as primary web server,

first question is:
is it possible to migrate fully from nginx to haproxy ? terminating nginx ?!

the problem is this configuration,

Mounting local directories with alias :
location /static {
alias /home/master/static/;
}

Searched a lot and couldn't find any solution :frowning:

please guide me

Posts: 1

Participants: 1


New connection handling when reloading


@Markvr wrote:

From reading https://cbonte.github.io/haproxy-dconv/1.8/management.html#4 , when haproxy reloads, a new process is created and binds to the same port as the old one. Then when all connections to the old one have ended, the old process dies.

My question is: during this period when both processes are alive, can new connections go to the old process? There is nothing on the page linked above that explicitly says new connections can't be handled by the old process, but it would seem odd if this was possible. However I'm seeing issues where this appears to be occurring. This causes errors for these new connections because in my situation, the old process no longer has valid backends.

I'm using haproxy inside a Docker container, if that is relevant.

haproxy: 1.6.6
kernel: 3.10.0-514.el7.x86_64
docker: 17.03.0-ce

Posts: 3

Participants: 3


Robots.txt file on HAProxy


@brianb wrote:

Hello,

Currently we host multiple sites behind our HAProxy load balancer, and I would like to prevent Robots from indexing and crawling our sites. I do not want to put a robots.txt on every site we host behind our load balancer, but I would rather have the file on the load balancer itself. Does anyone know if this is possible through use of an ACL or other kinds of config?

Thanks.

Posts: 1

Participants: 1


Single SAN SSL Cert, multiple sites


@id1974 wrote:

I am trying to implement HAProxy with a SAN cert for multiple sites hosted on the same servers (different IP bindings).
I've had some trouble getting the SAN Cert converted to a pem file, and then applying that properly.

I've been able to get standard http sites working on the same servers.

Any help would be greatly appreciated..

Posts: 1

Participants: 1



HAProxy create new sessions in Tomcat


@Djedje wrote:

Hi,

I'm using HAProxy 1.5.18 on CentOS 7.3 and Tomcat 8.

HAProxy creates a lot of sessions (more than 350) on my Tomcat server! Every 10 seconds, a new session is created. I think it is this line:

option httpchk OPTIONS /

How can I stop the creation of sessions on Tomcat? Is it a HAProxy configuration? Or a Tomcat configuration?

Thank you,

Posts: 1

Participants: 1


Cannot get "redirect scheme" to work in backend section


@vquintans wrote:

Hi, I have a haproxy cluster with two frontends for http and https and many backends which are selected using a domain2backend map.

Some of the backends must be accessed only through HTTPS.

I tried using redirect scheme https code 301 if !{ ssl_fc } in those backends but haproxy seems to be ignoring it.

Configuration excerpt:

global
   maxconn 1024
   debug
   log /sidecar/log local0 debug
   stats socket /var/run/haproxy.sock mode 600 level admin
   stats timeout 2m

defaults
    balance roundrobin
    maxconn 32
    log global
    monitor-uri /haproxy_test

frontend http-in
    bind *:80
    mode http
    option httplog
    option forwardfor
    use_backend %[req.hdr(host),lower,map_dom(/usr/local/etc/haproxy/domain2backend.map)]

frontend https-in
    bind *:443 ssl crt /usr/local/etc/haproxy/ssl
    mode http
    option httplog
    option forwardfor
    http-request add-header X-Proto https if { ssl_fc }
    use_backend %[req.hdr(host),lower,map_dom(/usr/local/etc/haproxy/domain2backend.map)]

backend redmine_www
    redirect scheme https code 301 if !{ ssl_fc }
    server 10.19.12.253:5200 10.19.12.253:5200 check
    server 10.19.11.197:5200 10.19.11.197:5200 check
    server 10.19.13.150:5200 10.19.13.150:5200 check

I am using haproxy version 1.7.3

/ # haproxy -vv
HA-Proxy version 1.7.3 2017/02/28
Copyright 2000-2017 Willy Tarreau <willy@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.0.2k  26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k  26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.39 2016-06-14
Running on PCRE version : 8.39 2016-06-14
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with Lua version : Lua 5.3.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
	[COMP] compression
	[TRACE] trace
	[SPOE] spoe

I have been looking for a solution and trying different options without any success.

I would appreciate any help.

Thanks.

P.S. Also in StackOverflow: http://stackoverflow.com/questions/42699540/haproxy-redirect-scheme-in-backend-not-working

Posts: 2

Participants: 2


SSL Offloading Vs Passthrough


@apex wrote:

What are your thoughts on which is best? Offloading or Passthrough? Would it be wise to have traffic between the load balancer and servers be unencrypted?

Posts: 1

Participants: 1


HAProxy Hardening


@apex wrote:

Are there any good recent articles on HAProxy hardening? Want to ensure a maximum security setup for the load balancer.

Posts: 1

Participants: 1


Reuse backend ssl session without frontend keep-alive?


@jhume wrote:

Is it possible to reuse ssl sessions to a backend without the frontend supporting keep-alive? What we want is effectively a pool of TLS sessions to the backend that can be reused by any frontend session. The frontend is configured with option forceclose in order to make it fast to drain connections from each haproxy box during a rolling restart and to keep some timers more accurate in logs.* We thought that http-reuse aggressive on the backend might give us the TLS session-pooling behavior we want, but it doesn't seem to.

*This is based on commit messages. I can't speak to whether option forceclose actually achieves those.

Posts: 1

Participants: 1

