Channel: HAProxy community - Latest topics

Routing by string, it works for other strings


@HiTTi wrote:

Hello community,

I am a newbie with HAProxy, but until now I have been able to work with it.

I am trying to route requests for ftp. or sftp. over port 5022 to one webserver.
So I configured:
frontend sftp_frontend
    bind *:5022
    mode tcp
    default_backend httpserver

    #ftp routing
    acl sftp_in_uri path_beg sftp. ftp.
    use_backend sftp_back if sftp_in_uri

backend sftp_back
    server web01 192.168.2.50:5022 check

So I think all requests over port 5022 will be checked. If I enable that, it refuses all requests to the webserver and I can't access my websites (Error: Connection refused).

For my typo3 configuration it works:
frontend https_frontend
    bind *:443
    mode tcp
    option httpclose
    option forwardfor
    reqadd X-Forwarded-Proto:\ https
    default_backend httpserver

    layer7_for_typo3_ssl

    acl url_typo3 path_beg /typo3
    use_backend typo3_back_ssl if url_typo3

backend typo3_back_ssl
    server webserver01-ssl 192.168.122:443 check
    server webserver11-ssl 192.168.123:443 check

Does anyone have an idea why the routing stops if I enable the ftp and sftp configuration, and maybe why it doesn't work?

All requests with (http:// / https://) ftp.xxxx.com or sftp.xxxxx.com should be routed.

Cheers, HiTTi

Posts: 1

Participants: 1



SSL handshake failure


@junaid wrote:

Hello Guys,

We are running a website and have 3 servers behind HAProxy. We are getting the following log entries:
39.40.42.99:53156 [17/May/2017:12:37:21.319] main/2: SSL handshake failure

Does anyone know the actual cause of this?

Regards,
Junaid

Posts: 1

Participants: 1


Haproxy Script to monitor application port


@capricorn wrote:

Hi!

I have one Linux box running HAProxy and two Windows boxes running some application on port 8080.
I want HAProxy to consider a server down if the service on port 8080 is not responding.
I was thinking of having some script which runs on the HAProxy box and keeps checking the port, like telnet server1 8080, and if the service is not responding it will mark the server as down and not forward any requests to it.

Can anyone suggest something or point me to some material that can help me with this?

Thanks

Posts: 1

Participants: 1


TCP backend inside the namespace as non-root


@shefys wrote:

Hi,

Is there any way to run haproxy as non-root with a backend configured inside a namespace?
I tried setcap cap_sys_admin+ep /usr/sbin/haproxy but it didn't help.

If I start haproxy as user 'haproxy' then it is not able to open connections to the backend servers located within the namespace:
setns(5, CLONE_NEWNET) = -1 EPERM (Operation not permitted)
gettimeofday({1495561253, 588872}, NULL) = 0

If I run haproxy as root - everything works.

My config:

frontend netns1_fend
        log global
        mode tcp
        option tcplog
        bind 1.2.3.4:443 namespace netns1
        bind 1.2.4.4:443 namespace netns1
        default_backend netns1_bend

backend netns1_bend
        mode tcp
        option tcplog
        option tcp-check
        server h1 172.16.1.219:443 check namespace netns1
        server h22 172.16.1.90:443 check namespace netns1

Posts: 1

Participants: 1


Haproxy url rewrite and masking


@crmadhu20 wrote:

Hi All,

I have a scenario here: I want to redirect my frontend ACL path_reg /foo/* to /bar/*, but the /foo in the browser should not change.

frontend test *:80

    acl testfoo       path_reg     /test/foo/*
    use_backend       foobackend   if testfoo

I want to rewrite /test/foo to /newtest/foo and redirect to the same foobackend, but the URL in the browser should remain /test/foo.

Posts: 5

Participants: 2


SNI routing to servers - only ever sent to first server


@dashfield wrote:

Hi there.

I'm trying to get HAProxy set up to receive requests on port 443 for a range of different subdomains, then use SNI-based ACLs to direct them to the appropriate server for that domain.
The problem is that when I try going to support.domain.com.au it just sends my request to the webserver for cloud.domain.com.au.

I've followed this guide: https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/

My current (mildly sanitized) config is below, and any help would be greatly appreciated!

Thanks in advance.

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3

defaults
        log     global
        mode    tcp
        option  tcplog
        option  dontlognull
        timeout connect 15s
        timeout client  15s
        timeout server  15s
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

#Define Frontends

frontend http-in
        bind 10.1.1.1:80
        mode http
        redirect scheme https code 301 if !{ ssl_fc }

frontend https-in
        bind 10.1.1.19:443
        mode tcp

        tcp-request inspect-delay 5s
        tcp-request content accept if { req.ssl_hello_type 1 }

        default_backend ssl_default

#Define Backends

backend ssl_default
        mode tcp

        acl servercloud_acl req.ssl_sni -i cloud.domain.com.au
        acl serversupport_acl req.ssl_sni -i support.domain.com.au

        use-server servercloud_https if servercloud_acl
        use-server serversupport_https if serversupport_acl

        option ssl-hello-chk
        server servercloud_https 192.168.1.1:443 check
        server serversupport_https 192.168.1.2:443 check

Posts: 2

Participants: 2


Implement basic authentication


@zahid.k11 wrote:

Hi Team,

Let's suppose I've configured my website with the domain name "abc.zahid.com" in nginx. I also use subdomains like "static1.abc.zahid.com", "static2.abc.zahid.com", "static3.abc.zahid.com" which are configured in the same vhost as "abc.zahid.com".

Now I want simple authentication on my haproxy where anybody who visits "abc.zahid.com" should be prompted (ONLY once) for a username and password. Once the desired password is entered it should allow all subdomains as well.

I've done this on my haproxy setup; however, it is prompting for authorization on every request. Please help.

Following is my haproxy config:

userlist UsersFor_kennel
    user username insecure-password password

frontend http-mpweb
    bind 192.168.1.10:80
    reqadd X-Forwarded-Proto:\ http
    mode http
    option http-server-close

    acl host_zahid hdr(host) -i abc.zahid.com
    use_backend static-backend if host_zahid

    acl host_zahid hdr(host) -i static1.abc.zahid.com
    use_backend static-backend if host_zahid

    acl host_zahid hdr(host) -i static2.abc.zahid.com
    use_backend static-backend if host_zahid

    acl host_zahid hdr(host) -i static3.abc.zahid.com
    use_backend static-backend if host_zahid

backend static-backend

    acl AuthOkay_kennel http_auth(UsersFor_kennel)
    http-request auth realm kennel if !AuthOkay_kennel

    balance roundrobin
    option http-server-close
    option forwardfor
    cookie mpstatic insert indirect nocache
    option httpchk HEAD /LoadBalancer_HealthCheck.php HTTP/1.0
    server web 192.168.1.20:80 cookie mpstatic1 check

Kindly let me know if there is any issue with the above config.

Best Regards,
Zahid

Posts: 1

Participants: 1


Timeout server bug


@Gero wrote:

Hi!

I think there is a bug in how timeout server is treated. The documentation says "The inactivity timeout applies when the server is expected to acknowledge or send data." In http mode this response is only due AFTER the request has been sent completely, esp. after the full body (file upload!) has finished. Instead, the counter starts ticking much earlier.
This leads to various problems with uploads and more or less arbitrary timeout values to make the site work.

See e.g. here https://bugs.launchpad.net/fuel/+bug/1326082

Gero

Posts: 2

Participants: 2



Replace appsession with stick tables on cookie prefix


@kengillies.nz wrote:

The "appsession" directive enabled a cookie to be matched on a prefix rather than the complete cookie name. E.g. you could have a cookie named "MYSESSnnnn" match on the "MYSESS" part.

"appsession" has been deprecated at V1.7 and I am trying to use stick tables instead to "stick" sessions on cookies beginning with "MYSESS" but have been unable to work out how to do this.

Can someone point me in the right direction?

Thanks

Posts: 1

Participants: 1


Encrypted private key


@nmoss wrote:

Hi,

Is it possible to use a certificate with an encrypted private key with haproxy SSL listeners? We are evaluating haproxy for use and, due to client security requirements, may not have certificates with unencrypted private keys.

Regards,
Nick Moss

Posts: 1

Participants: 1


Block Vulnerability Scanners based on http_err_rate


@ops wrote:

Hey

I have a problem blocking vulnerability scanners based on http_err_rate.
With this config I can block login brute-force attacks and redirect them to a sandbox, but the vulnerability scanner block section is not working at all.

Can you guys take a look at the config and tell me where this issue comes from?

https://pastebin.com/raw/g8rDUnTP

api login bruteforce sandbox

acl api_login path_beg -i /login/
acl too_many_loging_attemp sc0_gpc0_rate() gt 3
acl mark_seen sc0_inc_gpc0 gt 0
stick-table type string size 100k store http_err_rate(10s),gpc0_rate(60s) peers main_peer
tcp-request content track-sc0 base32+src if METH_POST api_login
tcp-request connection track-sc1 src
use_backend api-login-sandbox if mark_seen too_many_loging_attemp

vuln scanners sandbox

acl abuse src_http_err_rate gt 3
use_backend scanners-sandbox if abuse

Posts: 1

Participants: 1


"SSL handshake failures" on big amount of requests


@SorokinPA wrote:

Hi guys,
I'd appreciate it if anyone can give me a couple of suggestions for the issue I have with SSL.
I know that sounds like a certificate issue, but it happens only when I have a big spike of new connections.

I am running haproxy 1.5.14 on Azure and using SSL termination.
Haproxy works perfectly well when load rises gradually, but everything goes bad if I have instant load.

In a normal situation qmax goes up to 3000 per thread, and the CPU core is loaded not higher than 75%.

So if I restart haproxy during daily load, haproxy might push CPU usage up to 100% and be unable to handle more than 700-800 requests per thread.
When it comes to that limit, I see the rate of new requests drop to 2-5.
The haproxy log becomes mostly filled with tls/1: SSL handshake failure errors.

If I add more haproxy instances into the balance, it becomes normal.

I don't have issues with entropy:

cat /proc/sys/kernel/random/entropy_avail
885

I tried to add connection rate limits:

maxsessrate 100
maxsslrate 100
maxconnrate 100
That had no effect. Everything stops at about 800 connections and then the whole log is filled with SSL handshake failures.

I tried to play around with timeouts and changed timeout connect to:
- 500
- 50000
- 30s

No effect.

Can anyone suggest anything here? I have no idea how to debug that.

Here is the config file I use:

global
        log /dev/log    local0
        log /dev/log    local1 notice
        stats socket /var/run/haproxy.p1.sock mode 660 group nagios level admin process 1
        stats socket /var/run/haproxy.p2.sock mode 600 level admin process 2
        stats socket /var/run/haproxy.p3.sock mode 600 level admin process 3
        stats socket /var/run/haproxy.p4.sock mode 600 level admin process 4
        stats timeout 2m  #Wait up to 2 minutes for input
        chroot /var/lib/haproxy
        user haproxy
        group haproxy
        daemon
        nbproc 4
        cpu-map 1 0  # first arg is process number (1-based); second arg is cpu number (0-based)
        cpu-map 2 1
        cpu-map 3 2
        cpu-map 4 3

        # SSL/TLS settings
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private
        tune.ssl.default-dh-param 2048
        tune.ssl.cachesize 10000000
        tune.ssl.lifetime 86400
        #tune.ssl.maxrecord 2859
        tune.ssl.maxrecord 1400  # TCP window size
        ssl-default-bind-options no-sslv3 no-tls-tickets
        ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

        maxconn 60000
        maxsslconn 60000
        # maxsessrate 100
        # maxsslrate 100
        # maxconnrate 100

defaults
        log     global
        option  dontlognull
        option  dontlog-normal
        timeout connect 5000
        timeout client 50000
        timeout server 50000
        bind-process all  # not needed, but worthwhile being explicit

listen stats
        bind :2100 process 1
        bind :2101 process 2
        bind :2102 process 3
        bind :2103 process 4
        mode http
        log global
        stats enable
        stats realm stats_process
        stats uri /
        stats refresh 15s
        stats show-legends
        stats show-node
        stats auth xxxxxxxxxxxxx

frontend tls
        mode tcp
        maxconn 60000
        option tcplog
        bind *:443 ssl crt-list /etc/ssl/private/certificates.txt npn http/1.1
        default_backend frontend_service

backend frontend_service
        mode tcp
        option tcplog
        option httpchk GET /status
        fullconn 60000

        # 2 second 'inter'val between health checks. 2 failures to remove a server. 2 successes to add it back
        default-server inter 8s fall 2 rise 2
        timeout check 8s

        balance leastconn

        server SRV1 SRV1:80 maxconn 2000 check port 3000
        ....
        server SRV60 SRV1:80 maxconn 2000 check port 3000

Thank you!
Pavel

Posts: 4

Participants: 2


Errorfile not working


@sbonar wrote:

I am trying to use a custom error file, and instead I get a 408 request timeout.

My current setup: my haproxy is running behind an ELB in AWS.

My config is:
global
        log 127.0.0.1 local0
        log-send-hostname
        lua-load /etc/haproxy/validate_jwt.lua
        debug
        daemon

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        option  logasap
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 403 /etc/haproxy/errorfiles/403error.http

frontend http_front
        bind *:${FE_PORT}
        monitor-uri /api/v1/health

        http-request deny if !{ cook('jwt') -m found } !{ cook('cpAccountsJwt') -m found }

        acl valid_jwt lua.validate_jwt -m bool

        http-request deny if !valid_jwt

        http-response del-header X-Frame-Options

        use_backend %[req.hdr(host),lower,map_dom(/etc/haproxy/aoobm_tunnel.map)]


backend be_1a9109498b16029e409542c8f08ef359-qa2
        server srv0 10.205.176.203:30089
backend be_2514131711c38b63e59fb4d5a7eaf3b6-qa2
        server srv1 10.205.177.110:30091
backend be_3e1adc1008eab307e752a045f0ddc299-qa2
        server srv2 10.205.177.110:30083
backend be_cd35febcca3f445a40ca7bac875d483b-qa2
        server srv3 10.205.176.203:30085
backend be_d8ffc844e247de743a7fbb83154effa5-qa2
        server srv4 10.205.177.110:30087

The 403error.http looks like:

HTTP/1.0 403 Forbidden
Cache-Control: no-cache
Connection: close
Content-Type: text/html


<html>
    <head>
        <title>Connection Permissions Error</title>
    </head>
    <body style="font-family:Trebuchet MS, Helvetica Neue, HelveticaNeue, Helvetica, Lato, Arial, Lucida Grande, sans-serif;background:#fff;padding: 10px 15px;">
        <div style="text-align:center">
            <br>
            <h2 style="font-size:16px">
                You do not have sufficient account privleges to<br/>
                preform the requested action
            </h2>
        </div>
    </body>
</html

In my logs I plainly see HAProxy detecting a 403:

haproxy[84]: 10.205.63.45:31677 [01/Jun/2017:00:53:16.377] http_front http_front/ 0/-1/-1/-1/+0 403 +633 - - PR-- 13/13/0/0/0 0/0 "GET / HTTP/1.1"

What the heck am I doing wrong??

Posts: 2

Participants: 1


HAproxy doing LB to a dhcp failover landscape


@thiago.daconceicao wrote:

I would like to know if it is possible to do IP forwarding, round-robin style, to 2 backends, but the service to be routed is dhcp, ports 67 and 68; I guess they are udp ports ...

I want to use a dhcp relay agent pointing to one ip-helper, and this VIP will perform the LB to both backend servers.

Thank you for your reply.

Posts: 1

Participants: 1


Blocking IPs that repeatedly hit the same URL


@Grimddd wrote:

A client's website is currently under attack, and I've been called in to fix it.

A huge number of IPs (easily over 5,000) are constantly hitting /login, presumably trying to brute-force their way in.

I've changed the site so the page returns a 500 error, but they're not giving up. Obviously this is no good for the real users, who now can't log in.

Load balancing is done via HAProxy, which I have very little knowledge of (although I have a lot more than I did a few hours ago). I've tried lots of sensible things that I've found online but none seem to have helped, probably because there is such a big block of IPs performing the attack.

Onto the question, then: How can I reject an IP if it hits /login more than X times in Y seconds?

And, a sub-point: how can I see a log of rejections so I know it's actually working?

Here is a sample of the haproxy.log:

    Jun  3 14:24:50 hap-server haproxy[11831]: 46.161.62.79:15290 [03/Jun/2017:14:24:49.505] www-https-test~ www-backend/www-03 751/0/202/38/991 500 220 - - ---- 428/428/120/38/0 0/0 "GET /login HTTP/1.1"
    Jun  3 14:24:50 hap-server haproxy[11831]: 46.161.63.132:47804 [03/Jun/2017:14:24:49.505] www-https-test~ www-backend/www-04 751/0/202/38/991 500 220 - - ---- 428/428/119/42/0 0/0 "GET /login HTTP/1.1"
    Jun  3 14:24:50 hap-server haproxy[11831]: 46.161.62.43:53176 [03/Jun/2017:14:24:49.505] www-https-test~ www-backend/www-02 751/0/202/38/991 500 220 - - ---- 428/428/118/38/0 0/0 "GET /login HTTP/1.1"

Posts: 1

Participants: 1

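As an added example (not from any post in this thread), the following Python script does offline what the "Blocking IPs that repeatedly hit the same URL" post above asks for and what the earlier "Block Vulnerability Scanners based on http_err_rate" post tries to do with a stick table: it parses HAProxy httplog lines, keeps a per-client-IP sliding window, and flags sources that exceed a hit limit on /login or an error-response limit, so the thresholds can be tried against real logs before they go into a stick-table rule. The log lines are constructed samples and the IP addresses, window and limits are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Fields of HAProxy's httplog format used here (same layout as the log samples above).
LOG_RE = re.compile(
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ \[(?P<ts>[^\]]+)\] \S+ \S+ [\d/+-]+ '
    r'(?P<status>\d{3}) .*?"(?P<method>[A-Z]+) (?P<path>\S+)'
)

def parse_line(line):
    """Return client IP, accept time, status and request path of one log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "status": int(m.group("status")), "path": m.group("path"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S.%f")}

def sliding_rate_offenders(events, window, limit, predicate):
    """Per-IP sliding window: flag an IP once more than `limit` matching events fall inside one `window`."""
    recent, flagged = defaultdict(deque), set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not predicate(ev):
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # forget events that left the window
            q.popleft()
        if len(q) > limit:                # same meaning as HAProxy's "gt <limit>"
            flagged.add(ev["ip"])
    return flagged

def analyse(lines, window=timedelta(seconds=10), login_limit=3, err_limit=3):
    """Flag IPs hammering /login (path_beg /login) and IPs piling up 4xx/5xx responses."""
    events = [e for e in map(parse_line, lines) if e]
    return {
        "login_flood": sliding_rate_offenders(events, window, login_limit,
                                              lambda e: e["path"].startswith("/login")),
        "error_flood": sliding_rate_offenders(events, window, err_limit,
                                              lambda e: e["status"] >= 400),
    }

def _line(ip, ts, status, path):  # builds one constructed sample line in httplog layout
    return (f"Jun  3 14:24:50 hap-server haproxy[11831]: {ip}:40000 [{ts}] www-https-test~ "
            f"www-backend/www-03 751/0/202/38/991 {status} 220 - - ---- 428/428/120/38/0 0/0 "
            f'"GET {path} HTTP/1.1"')

# Constructed sample log (documentation address ranges, assumed values, not real traffic).
SAMPLE_LOG = [
    _line("203.0.113.10", "03/Jun/2017:14:24:49.505", 500, "/login"),
    _line("203.0.113.10", "03/Jun/2017:14:24:50.105", 500, "/login"),
    _line("203.0.113.10", "03/Jun/2017:14:24:50.705", 500, "/login"),
    _line("203.0.113.10", "03/Jun/2017:14:24:51.305", 500, "/login"),  # 4th hit in 10s: flagged
    _line("198.51.100.7", "03/Jun/2017:14:24:52.000", 200, "/login"),  # one real login: not flagged
    _line("192.0.2.99", "03/Jun/2017:14:25:01.000", 404, "/backup.zip"),
    _line("192.0.2.99", "03/Jun/2017:14:25:01.400", 404, "/admin/"),
    _line("192.0.2.99", "03/Jun/2017:14:25:01.900", 404, "/config.bak"),
    _line("192.0.2.99", "03/Jun/2017:14:25:02.300", 403, "/old/"),  # 4th error in 10s: flagged
    _line("198.51.100.7", "03/Jun/2017:14:25:05.000", 404, "/favicon.ico"),  # lone 404: not flagged
]
```

Because the poster's site now answers /login with a 500, the same brute-forcing source also trips the error-rate check, which is worth knowing before combining both rules in one stick table.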


Can I forward the request to the server which is the fastest server to watch youtube?

Sticky TCP load balancing


@AnkitSinghai wrote:

I have to load balance incoming TCP connections, but the source is the same for all of them (i.e. they all come through a gateway). Please suggest alternate options that can be used.

Posts: 4

Participants: 2


Http2 support in version 1.8

Is there a way to forward request according to the target IPs?


@blackantt wrote:

For example, if the target IPs are (11.0.0.0, 12.0.0.0, 13.0.0.0, ...), then HAProxy assigns server1 to cope with them;
if the target IPs are (211.0.0.0, 212.0.0.0, 213.0.0.0, ...), then HAProxy assigns server2 to cope with them.

Posts: 1

Participants: 1


URL redirect to subdomain


@jrcmilanez wrote:

Hello friends, how are you?

Today we changed a lot of web systems and I need to keep the old URLs.

The old url is like this:

system.server.com/app

The new url is:

app.server.com/app

So, the main idea is: if I point to the app folder on the old system.server.com, just redirect to app.server.com/app.

My HAProxy is 1.5

Thanks!

Posts: 1

Participants: 1

