Channel: HAProxy community - Latest topics

Managing backend server deployment / restarts at runtime?


@kr428 wrote:

Folks;
apologies if this is a very basic question: We use docker containers to provide HTTP services which are fronted by haproxy. Right now, we know there are four "instances" living behind ports known to haproxy, and in the course of deployment, we replace these containers one by one.

This works, but it also always causes a bit of pain for various reasons. So, I am looking for a setup such as this:

  • I want to provide haproxy with a range of ports where backend servers could be listening, given we will never have all of these services actually running.
  • I'm looking for some (straightforward, ideally shell-scriptable) way to send one or multiple backend servers into a mode where they don't accept new connections so I can bring them down as soon as the last active session on them has been terminated. Editing haproxy config file or restarting haproxy shouldn't be involved here.
  • Our monitoring environment should have a way to cause an alert if less than backend processes are available to the haproxy.

How do you handle such setups? Any best practices or reading recommendations?
TIA and all the best,
Kristian

Posts: 1

Participants: 1

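The runtime-API approach this post is asking about, as an added example that is not part of the original post: it drains one server over HAProxy's stats socket ("set server <backend>/<server> state drain", available since HAProxy 1.6), polls "show stat" until the server's active sessions reach zero, then marks it "maint" so the container behind it can be replaced without touching the config file, and counts UP servers for the monitoring alert. The socket path, the backend and server names and the sample "show stat" output are assumptions or constructed data, not from the post.

```python
import csv
import io
import socket
import time

# Assumed socket path (not from the post): needs "stats socket ... level admin".
SOCK_PATH = "/var/run/haproxy.sock"

# Constructed sample of "show stat" output, trimmed to the columns used here;
# a real reply has many more columns but the same header/row shape.
SAMPLE_SHOW_STAT = """# pxname,svname,qcur,qmax,scur,smax,slim,stot,status,
app,FRONTEND,,,3,10,2000,120,OPEN,
app,web1,0,0,2,5,,60,UP,
app,web2,0,0,0,4,,40,UP,
app,web3,0,0,0,0,,20,DOWN,
app,web4,0,0,1,3,,0,DRAIN,
app,BACKEND,0,0,3,9,200,120,UP,
"""


def runtime_cmd(command, sock_path=SOCK_PATH):
    """Send one command to the HAProxy runtime API and return the reply text."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall((command + "\n").encode())
        chunks = []
        while True:
            data = s.recv(65536)
            if not data:  # HAProxy closes the socket after a one-shot command
                break
            chunks.append(data)
    return b"".join(chunks).decode()


def parse_show_stat(text):
    """Parse 'show stat' CSV into one dict per row (frontend, server and backend rows)."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        return []
    lines[0] = lines[0].lstrip("# ")  # the header line is prefixed with "# "
    return list(csv.DictReader(io.StringIO("\n".join(lines))))


def current_sessions(rows, backend, server):
    """Active sessions (scur) on backend/server; raises KeyError if absent."""
    for row in rows:
        if row["pxname"] == backend and row["svname"] == server:
            return int(row["scur"] or 0)
    raise KeyError(f"{backend}/{server} not found in show stat")


def up_servers(rows, backend):
    """Number of real servers in a backend whose status is UP (for a monitoring alert)."""
    return sum(
        1 for row in rows
        if row["pxname"] == backend
        and row["svname"] not in ("FRONTEND", "BACKEND")
        and row["status"].startswith("UP")
    )


def drain_and_retire(backend, server, timeout=300, poll=1.0, sock_path=SOCK_PATH):
    """Stop new sessions to backend/server, wait for the existing ones to end,
    then put it in maintenance so the container behind it can be replaced.

    "drain" removes the server from load balancing but still honours
    persistence (cookies, stick tables), so sticky clients keep landing on it
    until their sessions end; "maint" additionally stops health checks.
    Returns True when the server was retired, False on timeout.
    """
    runtime_cmd(f"set server {backend}/{server} state drain", sock_path)
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        rows = parse_show_stat(runtime_cmd("show stat", sock_path))
        if current_sessions(rows, backend, server) == 0:
            runtime_cmd(f"set server {backend}/{server} state maint", sock_path)
            return True
        time.sleep(poll)
    return False
```

For the alert, run up_servers() over a fresh "show stat" from the monitoring host and compare against the minimum you require; the socket must not be exposed beyond the hosts that need it, since "level admin" allows state changes.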


Htop shows >100% for a single-threaded application


@mele wrote:

Specs:
Haproxy 1.7.2 running on CentOS7, Intel(R) Xeon(R) CPU E5-2650 v3 @ 2.30GHz.
Haproxy frontend has ~1200 sessions per second.

My question:
I have haproxy 1.7.2 running on CentOS7 with two hexacore CPUs. haproxy runs with the default setting of nbproc=1. Here is the output of htop:

How can a single-threaded application utilize more than 100% of CPU? top or atop never show >100% CPU utilization for that process.

Other than that, CPU utilization for haproxy is 0% except for some pulses which reach 100%. Here is an excerpt of the output of "while :; do top -d1 -n1 -b -p 95949 | grep haproxy ; done", where 95949 is haproxy's pid:

95949 haproxy   20   0   84836  65556    968 R   0.0  0.0  11216:48 haproxy

95949 haproxy 20 0 84836 65556 968 S 0.0 0.0 11216:48 haproxy
95949 haproxy 20 0 84836 65556 968 R 0.0 0.0 11216:48 haproxy
95949 haproxy 20 0 84836 65556 968 S 0.0 0.0 11216:48 haproxy
95949 haproxy 20 0 84836 65556 968 S 0.0 0.0 11216:48 haproxy
95949 haproxy 20 0 84836 65556 968 R 0.0 0.0 11216:48 haproxy
95949 haproxy 20 0 84836 65556 968 R 0.0 0.0 11216:48 haproxy
95949 haproxy 20 0 84836 65556 968 R 0.0 0.0 11216:48 haproxy
95949 haproxy 20 0 84836 65556 968 S 0.0 0.0 11216:48 haproxy
95949 haproxy 20 0 84836 65556 968 R 0.0 0.0 11216:48 haproxy
95949 haproxy 20 0 84836 65556 968 S 0.0 0.0 11216:48 haproxy
95949 haproxy 20 0 84836 65556 968 R 100.0 0.0 11216:59 haproxy
95949 haproxy 20 0 84836 65556 968 R 0.0 0.0 11216:59 haproxy
95949 haproxy 20 0 84836 65556 968 R 0.0 0.0 11216:59 haproxy
95949 haproxy 20 0 84836 65556 968 S 0.0 0.0 11216:59 haproxy
95949 haproxy 20 0 84836 65556 968 R 0.0 0.0 11216:59 haproxy
95949 haproxy 20 0 84836 65556 968 S 0.0 0.0 11216:59 haproxy
95949 haproxy 20 0 84836 65556 968 S 0.0 0.0 11216:59 haproxy
95949 haproxy 20 0 84836 65556 968 S 0.0 0.0 11216:59 haproxy
95949 haproxy 20 0 84836 65556 968 S 0.0 0.0 11216:59 haproxy
95949 haproxy 20 0 84836 65556 968 R 0.0 0.0 11216:59 haproxy

What can cause these peaks?

Posts: 2

Participants: 2


Why isn't HAProxy logging the connections?


@thiago.daconceicao wrote:

How do I get HAProxy to start logging messages to syslog or another file?
I would like to know the origins of the connections and how this data traffic is being handled :head_bandage:
I'm using HAProxy 1.5.4 on CentOS 6.8

My haproxy.cfg looks like this:
global
log 127.0.0.1 local2

defaults
mode http
log global
option httplog

frontend main
bind *:13095 ssl crt /etc/ssl/certs/private/192.168.242.60.pem
option httplog
log global
reqadd X-Forwarded-Proto:\ https
default_backend main

Thanks all for your reply.

Posts: 4

Participants: 2


FTP transfer in active mode


@Washu wrote:

Dear all,

I have some issues with active FTP transfers through HAProxy. You can find my configuration below.
Please note that i've no iptable or firewall behind the client the haproxy or the ftp server.
Passive ftp through haproxy is working only active is failing.
Active ftp is working directly (without haproxy)

I get the following error when I'm trying to connect:

Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode off.
ftp> get toto
local: toto remote: toto
500 Illegal PORT command.
ftp: bind: Address already in use

Can you help me please ?

Thanks !

HAPROXY Configuration :

frontend  FTP-rewrite
        bind xx.xx.xx.xx:21
        bind xx.xx.xx.xx:40001-40250
        mode    tcp
        option tcplog
        log global
        default_backend  FTP-backend

backend FTP-backend
    mode tcp
    balance source
    server  FTP_1 yy.yy.yy.yy check port 21
    server  FTP_2 zz.zz.zz.zz check port 21

FTP Configuration

# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=002
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# The target log file can be vsftpd_log_file or xferlog_file.
# This depends on setting xferlog_std_format parameter
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# The name of log file when xferlog_enable=YES and xferlog_std_format=YES
# WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
#xferlog_file=/var/log/xferlog
#
# Switches between logging into vsftpd_log_file and xferlog_file files.
# NO writes to vsftpd_log_file, YES to xferlog_file
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
ascii_upload_enable=YES
ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#port_enable=NO
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES


pasv_enable=YES
pasv_promiscuous=YES
#pasv_address=aa.aa.aa.aa
#pasv_addr_resolve=NO
pasv_max_port=40250
pasv_min_port=40001

Posts: 2

Participants: 2

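The "500 Illegal PORT command." in the transcript above is the reply vsftpd gives when its PORT security check fails: unless port_promiscuous=YES, the address named in PORT must equal the address the control connection arrived from, and the port must not be privileged. The following is an added illustration of that check written for this post, not vsftpd's code and not the poster's; the client and proxy addresses are constructed. It shows why the check passes when the client talks to vsftpd directly and fails when the control connection is relayed by a non-transparent TCP proxy such as the HAProxy frontend above.

```python
import re

PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})$")


def parse_port(cmd):
    """Parse 'PORT h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256+p2)."""
    m = PORT_RE.match(cmd.strip())
    if not m:
        raise ValueError("malformed PORT command")
    parts = [int(x) for x in m.group(1).split(",")]
    if any(p > 255 for p in parts):
        raise ValueError("value out of range")
    return ".".join(str(p) for p in parts[:4]), parts[4] * 256 + parts[5]


def port_reply(cmd, control_peer, port_promiscuous=False):
    """Reply of a vsftpd-style server to a PORT command (reply text modelled on vsftpd).

    control_peer is the source address of the control connection as the
    server sees it. With the PORT security check enabled (the default,
    port_promiscuous=NO) the data address must equal that peer and must not
    be a privileged port; otherwise the server answers 500.
    """
    try:
        ip, port = parse_port(cmd)
    except ValueError:
        return "500 Illegal PORT command."
    if not port_promiscuous and (ip != control_peer or port < 1024):
        return "500 Illegal PORT command."
    return "200 PORT command successful. Consider using PASV."


def active_mode_scenarios(client_ip="10.0.0.5", proxy_ip="192.0.2.10"):
    """Constructed scenario: the client sends PORT with its own address.

    Direct: the control connection arrives from the client, so it matches.
    Through a non-transparent TCP proxy: the control connection arrives from
    the proxy's address while PORT still names the client, so the check fails
    even though nothing is firewalled.
    """
    cmd = "PORT " + client_ip.replace(".", ",") + ",195,80"  # data port 50000
    return {
        "direct": port_reply(cmd, control_peer=client_ip),
        "via_proxy": port_reply(cmd, control_peer=proxy_ip),
        "via_proxy_promiscuous": port_reply(cmd, control_peer=proxy_ip,
                                            port_promiscuous=True),
    }
```

Disabling the check with port_promiscuous=YES makes the transfer work but lets the server open data connections to any address a client names, so it is a relay risk that should only be accepted when the FTP server is reachable solely through the proxy.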

HTTPS SNI on non-standard port not sending to correct backend


@iha wrote:

I'm new to HAProxy, and have a basic setup running on port 80 and port 443. The frontend on port 443 is looking at the host and sending the traffic to the correct backend based on that. This part is working as expected (and it's awesome!)

Today I'm trying to set up a similar configuration on port 8172. I copied my frontend config block for 443, changed the port to 8172, and restarted HAProxy. It runs as normal.

However, when I send a request to a site in the new frontend block, HAProxy always sends the request on to the default_backend. It seems like I've missed something in configuring this to send it to the proper backend. I've tried setting the mode of the 8172 frontend to http, but the result is the same.

Here's what my frontend definitions look like:

frontend https-www
    bind *:443 ssl crt /etc/haproxy/certs/

    option forwardfor
    option http-server-close

    reqadd X-Forwarded-Proto:\ https

    rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains;\ preload
    rspadd X-Frame-Options:\ DENY

    acl host_log.domain.com hdr(host) -i log.domain.com
    use_backend backend_log.domain.com if host_log.domain.com

    acl host_demo.domain.com hdr(host) -i demo.domain.com
    use_backend backend_demo.domain.com if host_demo.domain.com

    default_backend backend_demo.domain.com

frontend webdeploy
    mode http
    bind *:8172 ssl crt /etc/haproxy/certs/

    option forwardfor
    option http-server-close

    reqadd X-Forwarded-Proto:\ https

    rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains;\ preload
    rspadd X-Frame-Options:\ DENY

    acl host_log.domain.com hdr(host) -i log.domain.com
    use_backend backend_log.domain.com if host_log.domain.com

    acl host_demo.domain.com hdr(host) -i demo.domain.com
    use_backend backend_demo.domain.com if host_demo.domain.com

    default_backend backend_demo.domain.com

Any ideas? I've tried removing the 'mode http' line from the 8172 frontend, but I experience the same result: all requests sent to 8172 get sent on to the default backend.

Posts: 3

Participants: 2


Source IP address NAT vs X-Forwarded-For


@Cogumelos wrote:

Hi All,

I'm currently using an AWS LB without any option to rate-limit connections with iptables on the LB or the web servers.
In HAProxy, is it mandatory to use the X-Forwarded-For option, or can I use simple NAT?
Using HAProxy, do I have access at OSI layers 3 and 4 to the source IP address on HAProxy and the web servers?

Thanks in advance.

Posts: 1

Participants: 1


Can't build with USE_OPENSSL


@ItsIllak wrote:

Very new to HAProxy (moving over from a simple rewrite/proxy based Apache). I'm setting it up in a pretty restricted environment (e.g. I don't have package access and more). I need it to support SSL so I've been building with the following:

System is RHEL6.7

make TARGET=linux2628 USE_OPENSSL=1 USE_ZLIB=1

But I end up with the error:

gcc -g -o haproxy src/haproxy.o src/base64.o src/protocol.o src/uri_auth.o src/standard.o src/buffer.o src/log.o src/task.o src/chunk.o src/channel.o src/listener.o src/lru.o src/xxhash.o src/time.o src/fd.o src/pipe.o src/regex.o src/cfgparse.o src/server.o src/checks.o src/queue.o src/frontend.o src/proxy.o src/peers.o src/arg.o src/stick_table.o src/proto_uxst.o src/connection.o src/proto_http.o src/raw_sock.o src/backend.o src/tcp_rules.o src/lb_chash.o src/lb_fwlc.o src/lb_fwrr.o src/lb_map.o src/lb_fas.o src/stream_interface.o src/stats.o src/proto_tcp.o src/applet.o src/session.o src/stream.o src/hdr_idx.o src/ev_select.o src/signal.o src/acl.o src/sample.o src/memory.o src/freq_ctr.o src/auth.o src/proto_udp.o src/compression.o src/payload.o src/hash.o src/pattern.o src/map.o src/namespace.o src/mailers.o src/dns.o src/vars.o src/filters.o src/flt_http_comp.o src/flt_trace.o src/flt_spoe.o src/cli.o src/ev_poll.o src/ev_epoll.o src/ssl_sock.o src/shctx.o ebtree/ebtree.o ebtree/eb32tree.o ebtree/eb64tree.o ebtree/ebmbtree.o ebtree/ebsttree.o ebtree/ebimtree.o ebtree/ebistree.o -lcrypt -lz -ldl -lssl -lcrypto -ldl
src/ssl_sock.o: In function `smp_fetch_ssl_fc_alpn':
/happrd/haproxy1.7.3/src/ssl_sock.c:4925: undefined reference to `SSL_get0_alpn_selected'
src/ssl_sock.o: In function `ssl_sock_prepare_ctx':
/happrd/haproxy1.7.3/src/ssl_sock.c:2877: undefined reference to `SSL_CTX_set_alpn_select_cb'
src/ssl_sock.o: In function `ssl_sock_load_sctl':
/happrd/haproxy1.7.3/src/ssl_sock.c:1004: undefined reference to `SSL_CTX_add_server_custom_ext'
collect2: ld returned 1 exit status
make: *** [haproxy] Error 1

I'm guessing the OpenSSL Devel version? But I got the latest package available for 6.7 installed by the server maintainers...

Any clue?

Posts: 4

Participants: 2


Configure haproxy/keepalive to use name in uri


@cesarjorgemartinez wrote:

I'm a beginner with haproxy/keepalived.

I have a basic configuration with two app servers and two load balancers with haproxy and keepalived.

On the app servers I have the app as hostname:port.
On the load balancer I access it as loadbalancer:port.
But I need to identify the endpoint with a name, so I need to access it as: loadbalancer:port/myapp
And if I access it as: loadbalancer:port, then nothing, or an error, or a redirection.

How can I perform this task?

Regards

Posts: 1

Participants: 1



HAProxy and App Server on the same servers


@nando63 wrote:

Is it possible to run a pair of HAProxy instances and the app servers on the same two servers you are load balancing the application across?

Posts: 1

Participants: 1


HAProxy Statistics


@server wrote:

Hello All,

I have configured my HAProxy for two Magento servers on Apache and it is balancing perfectly.

But in the HAProxy statistics I noticed that my first backend server shows down time for 4 sec; for this I replaced my second backend server with the first one, but I still get the same issue again.

I don't know why I get down time on my backend server.

Please help me on this.

Thanks

Posts: 1

Participants: 1


HAProxy "slow query" log


@ivanilves wrote:

Dear HAProxy pros,

Do you know if it's possible to log only HTTP requests taking more than X time to complete?
I run a big HAProxy site and if I enable all HTTP request logging, I got hogged.
If I enable only error logging, I get nothing, because I need to log requests having terminated successfully, but being slower than others :slight_smile:

Thank you!

Posts: 1

Participants: 1


Acl not matching if using url_dec


@sforsyt wrote:

Hi,

Trying to make ACL rules to match common script kiddie scans, which go through a variety of similar urls.
given urls like
/phpmyadmin/setup.php
/myadmin/scripts/setup.php

This works

    acl restricted_pages path_sub -i myadmin
    http-request deny if restricted_pages

This does not

    acl restricted_pages path_sub,url_dec -i myadmin
    http-request deny if restricted_pages

Is there any way to use the two together?

Thanks

Posts: 1

Participants: 1


Rule using even/odd from uri query parameter


@tiagocruz wrote:

Hello!

I would like to set some rules about query parameter URL, based on odd/even for example:

$ curl -I 'localhost:10001/test/?id=1' #  use one backend
$ curl -I 'localhost:10001/test/?id=2' #  use another backend

I can get the ID using

acl has_id urlp(id) -m bool

But I can't use the even function, I didn't understand the docs :frowning:

Also, I'm able to compare the id with some number, like this:

acl has_id urlp(id) -m int ge 666

But can't see if is odd or even.

I also tried to use path_reg but this does not work with the uri, only with the path.

Can you please help me?

Thanks!

Posts: 2

Participants: 1


HAProxy SSL offloading/termination


@antnappi wrote:

Hello everyone,

I'm trying to set up HAProxy with SSL offloading/termination.
Basically I have HAProxy in front of a Docker container where WebLogic is running.

This is my configuration :

global
ca-base /etc/pki/tls/certs
chroot /var/lib/haproxy
crt-base /etc/pki/tls/certs
daemon
group haproxy
log localhost local0
maxconn 2000
ssl-server-verify none
tune.ssl.default-dh-param 2048
user haproxy

defaults
log global
maxconn 2000
mode http
option redispatch
option httplog
option dontlognull
option log-separate-errors
retries 3
timeout http-request 5s
timeout queue 50000
timeout connect 5000
timeout client 50000
timeout server 50000
timeout check 10s

listen stats
bind *:1936 ssl crt /etc/haproxy/full_cert_host_v2.pem
mode http
stats enable
stats hide-version
stats uri /haproxy?stats
stats realm Haproxy\ Statistics
stats refresh 10s
stats show-legends

listen weblogic
bind :10000 ssl crt /etc/haproxy/full_cert_host_v2.pem
log global
mode http
balance roundrobin
cookie JSESSIONID prefix indirect nocache
maxconn 2002
option httplog
option httpchk HEAD /console
option http-server-close
option forwardfor
timeout check 10s
timeout http-keep-alive 3000
server 172.17.0.2 172.17.0.2:8001 cookie 172.17.0.2 maxconn 256 check inter 2000 rise 2 fall 5

When I try to connect to https:// host:10000/console I have this :

[root@host haproxy]# wget https:// host:10000/console
--2017-03-31 16:29:57-- https:// host:10000/console
Resolving host (host)... host, hostIPv6
Connecting to host (host)|host|:10000... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http:// host:10000/console/ [following]
--2017-03-31 16:29:57-- http:// host:10000/console/
Connecting to host (host)|host|:10000... connected.
HTTP request sent, awaiting response... No data received.
Retrying.

Instead, if I try to access the container directly, I get something like this:

[root@host haproxy]# wget 172.17.0.2:8001/console
--2017-03-31 16:34:04-- http:// 172.17.0.2:8001/console
Connecting to 172.17.0.2:8001... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http:// 172.17.0.2:8001/console/ [following]
--2017-03-31 16:34:04-- http:// 172.17.0.2:8001/console/
Reusing existing connection to 172.17.0.2:8001.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http:// 172.17.0.2:8001/console/login/LoginForm.jsp [following]
--2017-03-31 16:34:04-- http:// 172.17.0.2:8001/console/login/LoginForm.jsp
Reusing existing connection to 172.17.0.2:8001.
HTTP request sent, awaiting response... 200 OK

Could someone help me figure out how to fix it?
Thank you a lot!

Cheers,
Antonio

Posts: 2

Participants: 2


HA Proxy and Nextcloud


@astradslme wrote:

Hi Guys,

I have three identical Nextcloud servers in operation. A haproxy takes the round robin. In principle everything works, but only almost.

When I'm browsing via the proxy, I'm reaching one of the servers. However, the login does not work. If I browse the individual servers directly, everything works flawlessly.

I have noticed that when I go to the proxy and try to log in, it takes a moment and then I am redirected to another nextcloud instance. The URL changes from:

http://SERVER/index.php/login --> http://SERVER/index.php/login?redirect_url=/index.php/apps/files/

Config:

global
    # for logging section
    log         127.0.0.1 local2 info
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid

    # process' user and group
    user        haproxy
    group       haproxy

    # makes the process fork into background
    daemon

defaults
    timeout connect 30s
    timeout client 2h
    timeout server 2h

frontend http
    bind SERVEPROXYR:80
    default_backend nextcloud_pool
    reqadd X-Forwarded-Proto:\ http

backend nextcloud_pool
    mode http
    #redirect scheme https if !{ ssl_fc }
    stats enable
    stats uri /stats
    stats realm Haproxy\ Statistics
    stats auth user:password!
    balance roundrobin
    server nxt1 SERVER:80 check
    server nxt2 SERVER:80 check
    server nxt3 SERVER:80 check

What do I have to do?

Thank you so much!

Posts: 1

Participants: 1



HTTPS to external server doesn't work


@jokstation wrote:

Hello.
I have an HAProxy instance running on a pfsense machine, and three IIS 8 servers.

Two of these IIS servers are running on the same network as the internal LAN address of the HAProxy. The third IIS server is running in another datacenter.

I have 3 backends configured for all of these servers, with one active server in each and the other servers as backup.

The difference between the three servers' configuration is that for the two servers on the same network I have the LAN address configured, and for the third external server I have the public IP (443 port NATed, of course).

The 2 servers that are on the same network work fine with the HTTPS protocol, but for the server that is in the external datacenter it doesn't work. I receive the error:

"503 Service Unavailable
No server is available to handle this request."

If I try to connect to the third server directly, bypassing the HAProxy, it works.

I was capturing the traffic with wireshark, and I see that the connection to the two servers that work on the LAN is established as TLS protocol, but the connection to the external server is established as SSL protocol. I guess that is the reason why it doesn't work.

I will appreciate your help.

Posts: 1

Participants: 1


HAproxy 1.7 stick table based on cookies


@darkelf wrote:

Hi!

Could you please show me how to make a stick table based on a cookie in version 1.7?
The Internet has a lot of examples, but mainly for version 1.5, and they are not compatible.

Posts: 1

Participants: 1


New server in Round Robin getting in requests but no connections out


@skovarik wrote:

I have a new server that I put into round robin for HTTP media requests for Wowza servers. My setup for the haproxy.conf file is listed below. Is it possible that no new requests were sent to it but to the other machines due to the stick table?

How can I check that the newly added server is getting the requests and sending output correctly?

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    option tcplog
    option dontlognull
    retries 6
    timeout http-request 10s
    timeout queue 1m
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    timeout http-keep-alive 10s
    timeout check 10s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend http-554
    bind 129.186.162.43:554
    mode tcp
    maxconn 600
    default_backend over-http

frontend http-80
    bind 129.186.162.43:80
    mode tcp
    maxconn 600
    default_backend over-http

frontend rtmp-1935
    bind 129.186.162.43:1935
    mode tcp
    maxconn 600
    default_backend over-http

backend over-http
    mode tcp
    balance roundrobin
    stick store-request src
    stick-table type ip size 200k expire 20m
    stick on src
    server mediaHTTP4 129.186.142.172:80 weight 10
    server mediaHTTP5 129.186.162.194:80 weight 10
    server mediaHTTP7 129.186.168.5:80 weight 10

backend over-rtmp
    mode tcp
    balance roundrobin
    stick store-request src
    stick-table type ip size 200k expire 20m
    stick on src
    server mediaRTMP4 129.186.142.172:1935 weight 10
    server mediaRTMP5 129.186.162.194:1935 weight 10
    server mediaRTMP7 129.186.168.5:1935 weight 10

backend over-rtsp
    mode tcp
    balance roundrobin
    stick store-request src
    stick-table type ip size 200k expire 20m
    stick on src
    server mediaRTSP4 129.186.142.172:554 weight 10
    server mediaRTSP5 129.186.162.194:554 weight 10
    server mediaRTSP7 129.186.168.5:554 weight 10

Posts: 1

Participants: 1


How to avoid HAProxy restart on node failure


@pvibhuti wrote:

Hi All,

we are running HAProxy on an Ubuntu 14.04 system with two MQTT brokers. When one of the MQTT nodes fails, HAProxy is getting restarted (the paho client is getting disconnected).

We do not need the Paho client to get disconnected when one of the MQTT broker nodes fails. We would like to know if there is any configuration change in the haproxy.cfg file or anything else.

Let us know if you need any further information to answer above question.

Thanks

Posts: 4

Participants: 2


Haproxy with keepalived - vip starts on both centos 7 servers


@bears wrote:

Hello,

I am trying to configure haproxy with keepalived.

I followed this guide https://www.certdepot.net/rhel7-configure-high-available-load-balancer/

I have haproxy running on both centos 7 vms.

The issue is that the vip ip address starts on both vms as soon as I start keepalived service.

My understanding is that when haproxy and keepalived is running on both vms, only the primary server should have the vip started. However, it starts on both as soon as I start keepalived.

Below is the config.

master:
cat keepalived.conf
vrrp_script chk_haproxy {
    script "killall -0 haproxy"
    interval 2
}

vrrp_instance VI_1 {
    interface eth0
    state MASTER
    virtual_router_id 51
    priority 101
    virtual_ipaddress {
        10.143.19.249
    }
    track_script {
        chk_haproxy
    }
}

secondary:
cat keepalived.conf
vrrp_script chk_haproxy {
    script "killall -0 haproxy"
    interval 2
}

vrrp_instance VI_1 {
    interface eth0
    state BACKUP
    virtual_router_id 51
    priority 100
    virtual_ipaddress {
        10.143.19.249
    }
    track_script {
        chk_haproxy
    }
}

Posts: 2

Participants: 2

