Channel: HAProxy community - Latest topics

HA Proxy URL Redirect hide


@majas wrote:

Hello,

We have installed and configured HAProxy as a load balancer and for redirects.

When a URL is called, the redirect

test.de ACL and REDIRECT

acl test_host hdr(host) -i www.test.de
acl cdh_url path -i /cdh
redirect location http://www.test.de:8080/test code 302 if test_host cdh_url

should remain hidden and only the requested URL should be displayed in the browser.

Does anybody here have a tip?

Thanks and greetings, Andy

Posts: 1

Participants: 1

Read full topic


Tcp mode and connection error


@drewblin wrote:

Hello!
I can't find any clear information in the documentation about HAProxy's behavior on a failed connection in TCP mode.
I have configured 2 backends, the balance roundrobin option, and a health check for both backends.
When one of the backends goes down, but the health check hasn't yet marked it as down, it is possible that HAProxy will try to send a new connection to it, and will receive a timeout on the connection attempt. What will HAProxy do in this situation?
Will it try to connect to this server again, retries times? Or will it try another one?
As I understand from the documentation, option redispatch works only for HTTP mode. So HAProxy will not try to connect to another backend? If so, why doesn't option redispatch work for TCP?

Posts: 1

Participants: 1

Read full topic

Haproxy - httpd real ip


@soume86 wrote:

Hello,

I just installed HAProxy as a reverse proxy for Apache under CentOS 7.

I configured it to do ssl from end to end (client <- ssl -> haproxy <- ssl -> srv_web).

Everything works; the only problem is that in the Apache logs it is impossible to get the IP address of the client.

My configuration:

frontend http-in
bind *:80
mode http
option httplog
redirect scheme https code 301 if !{ ssl_fc }
acl acl1 hdr(host) domain.fr
use_backend back1 if acl1

frontend https-in
bind *:443 ssl crt cert.pem no-sslv3
mode http
option httplog
acl acl1 hdr(host) domain.fr
use_backend back1 if acl1

backend back1
mode http
option httpchk
option forwardfor except 127.0.0.1
http-request add-header X-Forwarded-Proto https if { ssl_fc }
option forwardfor header X-Client
server web-server1 10.10.0.1:8443 ssl verify none

In Apache (httpd.conf):

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

Would anyone have an idea?

Thank you in advance

Posts: 1

Participants: 1

Read full topic

Configuration file grammar


@elpd wrote:

Hi,

Is there a formal grammar for the configuration file? Something like an ANTLR grammar, or anything else?

Posts: 1

Participants: 1

Read full topic

One Frontend-> more backends


@silviu wrote:

Hi everyone,
My question here would be:
I am trying to connect several backends (different domains) to a single frontend (one public IP address).
Is this possible at all?
First, I have a problem with the certificates: I receive the wrong one, the example1.com certificate, even when I try to access the test1.at website.

Second: after we accept the wrong certificate, we get: 503 Service Unavailable - No server is available to handle this request.

Any Idea?

Thanks,

Posts: 1

Participants: 1

Read full topic
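An added configuration example (not @silviu's config) of the layout the post above asks about: one HTTPS frontend serving several domains, each with its own certificate, routed to separate backends by the Host header. It assumes one PEM file (key plus chain) per domain under /etc/haproxy/certs/, and that the backend addresses are placeholders.

```haproxy
# Added example, not the poster's configuration. Assumed: certificates for
# each domain are separate PEM files under /etc/haproxy/certs/, backend
# addresses are placeholders.

frontend https-in
    mode http
    # Loading a directory makes HAProxy choose the certificate by the SNI name
    # the client sends; the first file loaded (alphabetically) is served to
    # clients that send no SNI at all, which is one way to get "the wrong cert".
    bind *:443 ssl crt /etc/haproxy/certs/ no-sslv3
    option httplog

    # Route on the Host header; "-i" makes the comparison case-insensitive
    acl host_example1 req.hdr(host) -i example1.com www.example1.com
    acl host_test1    req.hdr(host) -i test1.at www.test1.at

    # Requests for a name we do not serve get an explicit 403 instead of
    # falling through to some default backend
    http-request deny unless host_example1 || host_test1

    use_backend be_example1 if host_example1
    use_backend be_test1    if host_test1

backend be_example1
    mode http
    option httpchk GET /
    server web1 10.0.0.11:80 check

backend be_test1
    mode http
    option httpchk GET /
    server web2 10.0.0.12:80 check
```

The "503 Service Unavailable - No server is available to handle this request" text in the post is HAProxy's own message for a request that reached a backend in which no server was UP, so the stats page (or the health-check entries in the log) for the selected backend is the place to look once the routing is right.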

HAProxy SSL Offloading high CPU usage on CentOS 7


@dseira wrote:

Hi,

I'm running some tests with HAProxy doing SSL offloading on CentOS 7. I've seen that the CPU easily reaches 100% and the HAProxy idle pct is almost 0%. The test is just 1000 client connections.

I've also run the same tests on Ubuntu 16 to compare, and the results are better by far.

This is the info for each platform used in the tests:

HAProxy configuration (same for both)

global
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     20000
    user        haproxy
    group       haproxy
    daemon
    tune.ssl.default-dh-param   2048
    cpu-map                     1 0
    ssl-default-bind-options no-sslv3 no-tls-tickets
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

    ssl-default-server-options no-sslv3 no-tls-tickets
    ssl-default-server-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

defaults
    mode                    http
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         5s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 4s
    timeout check           10s

frontend http
    bind    :80
    mode    http
    maxconn 20000
    default_backend back1

frontend https
    bind    :443 ssl crt /etc/ssl/test.pem
    mode    http
    maxconn 20000
    default_backend back1

backend back1
    balance source
    mode    http
    option  forwardfor
    option  http-server-close
    timeout check 3s
    http-check expect rstatus 200
    stick-table type ip size 10k
    stick on src

    server app1 x.x.x.x:80 weight 1 check inter 10s fall 3 maxconn 1000

centos 7 - haproxy 1.7.5 - openssl-1.0.1e-fips

#haproxy -vv
HA-Proxy version 1.7.5 2017/04/03
Copyright 2000-2017 Willy Tarreau <willy@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with Lua version : Lua 5.3.4
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
        [COMP] compression
        [TRACE] trace
        [SPOE] spoe

ubuntu 16 - haproxy 1.6.3 - openssl-1.0.2g

#haproxy -vv
HA-Proxy version 1.6.3 2015/12/25
Copyright 2000-2015 Willy Tarreau <willy@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2
  OPTIONS = USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.0.2g-fips  1 Mar 2016
Running on OpenSSL version : OpenSSL 1.0.2g  1 Mar 2016
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.38 2015-11-23
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with Lua version : Lua 5.3.1
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Graphs - CPU Usage - Idle PCT - 1000 concurrent clients

CentOS 7

Ubuntu 16

The same tests repeated over plain HTTP give equal results on the same platform, so it seems to be something related to the OpenSSL library.

Digging into the syscalls, I've created some flame graphs to see what happens under the hood:

CentOS 7

Ubuntu 16

As you can see, the bn_mul_mont function stays on the CPU for a long time on CentOS 7.

Can anyone clarify why the CPU usage is so high on CentOS 7? Could it be because the OpenSSL library on CentOS 7 uses FIPS encryption? Does anyone see the same behaviour?

Thanks for your help,
David

Posts: 1

Participants: 1

Read full topic

Get the throughput

Haproxy for Squid - How keep original IP


@j.sejo1 wrote:

Hello.

I am using HAProxy on Debian 8 to load balance 2 Squid proxies (non-transparent, port 3128) with OpenLDAP authentication.

All works fine.

But the log file on Squid (access.log) only shows the IP of HAProxy, not the IP of the client.

I tried with the X-Client option but got no result.

My haproxy.cfg:

listen SQUID 0.0.0.0:3128
mode http
cookie SERVERID insert indirect nocache
balance roundrobin
option httpclose
option forwardfor header X-Client
option forwardfor
server squid1 192.168.1.116:3128 check inter 2000 rise 2 fall 5
server squid2 192.168.1.200:3128 check inter 2000 rise 2 fall 5

Thanks for your attention.

Sorry for my English.

Posts: 1

Participants: 1

Read full topic


HaProxy back-end as subnet


@Sharis wrote:

Hello,

Can I somehow add a whole subnet to a back-end?
Example:
server app 192.168.82.0/24:3000 check

If I try to do this, I get a syntax error when I restart the haproxy service.
I need this in case the cloud starts to scale out or scale in. Or do I need to reconfigure haproxy.cfg manually and restart the service?

Posts: 1

Participants: 1

Read full topic

Client IP while forwarding request to backend server


@dvelan wrote:

Hi,
I am using HAProxy 1.6.12 and my backend server is WebLogic 12c. When I check the access log from WebLogic, the source IP shows as the HAProxy IP.

My requirement is for the actual client IP address to be forwarded to the proxied backend server. Is there any setup to be done in HAProxy, either in the frontend or the backend parameters?

RHEL 7.2 (3.2)
HAProxy 1.6.12
WebLogic 12c (backend content server)

Regards,
Vel

Posts: 2

Participants: 2

Read full topic
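Three posts above (@soume86's Apache setup, @j.sejo1's Squid setup and @dvelan's WebLogic question) ask the same thing: how to get the real client address to the backend. The following is an added example, not any poster's configuration. It assumes placeholder IPs, certificate paths and backend names, and that the backend's log format reads the X-Forwarded-For header (as the Apache LogFormat in the first post does). The point it demonstrates: HAProxy accepts "option forwardfor" more than once per section, and each occurrence replaces the header name set by the previous one, so in the first post only "X-Client" is actually sent and %{X-Forwarded-For}i stays empty; in the Squid post the last line wins the other way round and X-Forwarded-For is sent.

```haproxy
# Added example, not a poster's configuration. Assumed values: addresses,
# certificate paths and backend names are placeholders.

# BEFORE (the pattern from the Apache post): "option forwardfor" declared
# twice. The second declaration replaces the header name chosen by the first,
# so the server receives X-Client and never X-Forwarded-For.
backend back1_before
    mode http
    option forwardfor except 127.0.0.1
    option forwardfor header X-Client
    server web-server1 10.10.0.1:8443 ssl verify none

# AFTER: declare forwardfor once, with the default header name, and remove any
# X-Forwarded-For the client itself sent, so the address that ends up in the
# backend log is the one HAProxy saw on the TCP connection and not a value a
# caller chose to put in the request.
frontend https-in
    bind *:443 ssl crt /etc/haproxy/certs/site.pem no-sslv3
    mode http
    option httplog
    http-request del-header X-Forwarded-For
    http-request set-header X-Forwarded-Proto https
    default_backend back1

backend back1
    mode http
    option httpchk
    option forwardfor except 127.0.0.1
    # Assumption: the backend certificate is issued by an internal CA whose
    # certificate is available to HAProxy; verify it instead of "verify none".
    server web-server1 10.10.0.1:8443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check
```

HAProxy only adds the header; the server still has to be told to log it. Apache does so through the LogFormat shown in the first post. Squid does not log the forwarded address by default and has its own directives for trusting the header from a named upstream (follow_x_forwarded_for and log_uses_indirect_client in the Squid 3 configuration; check the documentation for the version in use), and WebLogic likewise needs its own access-log field configured to read the header.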

Frontend IP and ports not logged in TCP mode, custom log format (%fi %fp)


@mattiwei wrote:

Hi there!
I am trying to have HAProxy log the frontend's IP and port for the client side. I am running haproxy 1.5.14 on RHEL 7.2.

These are the relevant configuration parts:

defaults
    mode                    tcp
    log                     global
    log-format %H\ [%t]\ %ci:%cp->%fi:%fp(%ft)\ %bi:%bp->%si:%sp(%s)\ %Tw/%Tc/%Tt\ %U/%B\ %ts\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq

listen Test
    bind 192.168.0.1:2291  # external interface
    bind 10.0.0.1:2291     # internal interface
    server test-src2 10.0.1.100:2291 source 10.0.0.2

Now, everything works like a charm, but the log looks like this:
Jun 20 14:50:16 localhost haproxy[16961]: testbox [20/Jun/2017:14:50:11.149] 102.168.0.100:61923->:0(Test) 10.0.0.2:5647->10.0.1.100:2291(test-src2) 1/0/5653 18/48 -- 0/0/0/0/0 0/0

As you can see, the log part "%fi:%fp" is expanded into ":0". I would expect the frontend destination IP and port. What am I missing?

Posts: 1

Participants: 1

Read full topic

HAPROXY and storefront


@Chek69 wrote:

Hi,

I'm trying to load balance sessions to my StoreFront servers (2 servers), and it doesn't work.

This is my current configuration:

listen StorefrontHA @IP:443
mode tcp
balance source
option httpchk GET /Citrix/Store/discovery
http-check expect status 200
server my_server_02 @IP check port 80
server my_server_01 @IP check port 80

Can you tell me where the problem is?

Thanks for your help.

Posts: 3

Participants: 2

Read full topic

Check Certificate in Backend possible


@silviu wrote:

Hi everyone,

As I already mentioned in another post, I am using just one frontend and several backends.
As a certificate check is necessary for one specific location, I would like to check it in that specific backend and for that specific site.
The Apache config for this section looks like this:

<Location /api>
Allow from all
Satisfy any
SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth 2
SSLRequire ( %{SSL_CLIENT_S_DN_O} eq "Company name" \
and %{SSL_CLIENT_S_DN_OU} eq "department" \
and %{SSL_CLIENT_S_DN_C} eq "US" \
and %{SSL_CLIENT_S_DN_CN} in { "User_1", "host01" } \
)
ProxyPass 1.1.1.1:8090/api nocanon
ProxyPassReverse 1.1.1.1:8090/api
</Location>

Any idea how I can translate this from Apache to HAProxy?

Thanks and cheers,

Posts: 1

Participants: 1

Read full topic
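An added example (not @silviu's config) of how the Apache block above maps onto HAProxy: client certificates are requested at the bind line, and the "SSLVerifyClient require" plus "SSLRequire" conditions are enforced only for /api with http-request rules. It assumes HAProxy 1.6 or later (quoted strings in the config), that site.pem holds the server key and chain, that client-ca.pem is the CA issuing the client certificates, and that 1.1.1.1:8090 is the backend from the ProxyPass line; the DN values are the ones in the Apache block.

```haproxy
# Added example, not the poster's configuration. Assumed: certificate paths,
# the "web" backend address, and HAProxy >= 1.6 for the quoted ACL values.

frontend https-in
    mode http
    # "verify optional" asks every client for a certificate but does not fail
    # the handshake when none is presented, so paths other than /api keep
    # working. A certificate that is presented but does not chain to
    # client-ca.pem still aborts the handshake.
    bind *:443 ssl crt /etc/haproxy/certs/site.pem ca-file /etc/haproxy/certs/client-ca.pem verify optional

    acl is_api    path_beg /api
    acl cert_used ssl_c_used
    acl cert_ok   ssl_c_verify 0
    acl dn_o      ssl_c_s_dn(O)  -m str "Company name"
    acl dn_ou     ssl_c_s_dn(OU) -m str "department"
    acl dn_c      ssl_c_s_dn(C)  -m str "US"
    acl dn_cn     ssl_c_s_dn(CN) -m str "User_1" "host01"

    # SSLVerifyClient require, restricted to /api: no certificate, no access
    http-request deny if is_api !cert_used
    http-request deny if is_api !cert_ok
    # SSLRequire: every DN component must match, CN from the allowed set
    http-request deny if is_api !dn_o || is_api !dn_ou || is_api !dn_c || is_api !dn_cn

    use_backend api if is_api
    default_backend web

backend api
    mode http
    # Apache's "nocanon" is the default here: the path is forwarded as received
    server api1 1.1.1.1:8090 check

backend web
    mode http
    server web1 10.0.0.10:80 check
```

The check sits in the frontend rather than the backend because the TLS handshake, and so the client certificate, belongs to the listening socket; the backend selection still happens per path as the post wants. SSLVerifyDepth has no direct bind-line equivalent in this example; the accepted chain is whatever client-ca.pem contains.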

Hide URL of backend servers from user


@stwong wrote:

Hi, we're new to HAProxy, sorry for the newbie question. We set up a new server for the path /mypath using a configuration like the following, e.g. oldweb.mysite.com/mypath -> newweb.mysite.com/mypath

frontend http-in
bind *:80
reqadd X-Forwarded-Proto:\ http
default_backend backend_servers
option forwardfor

acl  go_newweb  path_beg  /mypath
use_backend newweb_backend  if go_newweb

backend newweb_backend
server newweb newweb.mysite.com check inter 1000

However, my boss wants users to see oldweb.mysite.com instead of newweb.mysite.com in the browser address bar. Is it possible to do so?

Thanks a lot.

Posts: 2

Participants: 2

Read full topic
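Both this post and the first one on the page ("HA Proxy URL Redirect hide", @majas) want the browser to keep showing the original URL. The following added example (not either poster's configuration) shows the difference: a "redirect" rule sends the browser a 302 and so always changes the address bar, whereas proxying the request to the other server keeps the URL the client typed. It assumes HAProxy 1.6 or later (for http-request set-path and http-response replace-header) and placeholder hostnames taken from the two posts.

```haproxy
# Added example, not a poster's configuration. Assumed: HAProxy >= 1.6,
# addresses and host names are placeholders from the two posts.

frontend http-in
    mode http
    bind *:80
    option forwardfor

    # @majas's case: www.test.de/cdh is served by www.test.de:8080/test.
    # Instead of "redirect location ... code 302", select a backend.
    acl test_host hdr(host) -i www.test.de
    acl cdh_url   path -i /cdh
    use_backend test_8080 if test_host cdh_url

    # @stwong's case: /mypath is served by newweb.mysite.com
    acl go_newweb path_beg /mypath
    use_backend newweb_backend if go_newweb

    default_backend backend_servers

backend test_8080
    mode http
    # Rewrite the path here, after backend selection, so the frontend ACL on
    # "/cdh" still matched when the backend was chosen
    http-request set-path /test
    server app www.test.de:8080 check

backend newweb_backend
    mode http
    # If the application answers with redirects to its own name, rewrite the
    # Location header on the way back so the browser stays on oldweb.mysite.com
    http-response replace-header Location ^(https?://)newweb\.mysite\.com(.*)$ \1oldweb.mysite.com\2
    server newweb newweb.mysite.com:80 check inter 1000

backend backend_servers
    mode http
    server oldweb 10.0.0.10:80 check
```

What this cannot hide is absolute links written into the HTML by the backend application itself; those have to be generated with the public host name on the application side.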

HA Proxy Statistics page


@AnkitSinghai wrote:

From which version of HAProxy is "Choose the action to perform on the checked servers" available under the backend section of the stats page?

Posts: 4

Participants: 2

Read full topic


Please help understand Bytes out and in


@newbee wrote:

I have a configuration where I see that the number of sessions is evenly distributed to the backend servers; however, the number of Bytes In and Out is very different across the backends. This causes uneven load on the backend servers, and one ends up getting 4k requests while the other gets 10k.

I am using version 1.5.8 with keepalive and the http_tunnel option. Please suggest how to go about this issue.

Posts: 1

Participants: 1

Read full topic

Load balancing based on SOAP Header


@mrenkine wrote:

I need to load balance based on a SOAP header. I was able to use an HTTP header with hdr(myHeader), but I can't figure out how to read an element in the body of the request.
Say my request has an XML body containing the following:
<s:Envelope><s:Header><id>123456</id></s:Header> ...
How can I get the value of the id node to use it to create my hash for the load balancing? Something like

frontend myFrontend
    capture request body id len 15
...
backend myBackend
    balance body(id)
    hash-type consistent

Any help will be appreciated!

Posts: 1

Participants: 1

Read full topic

Multiple WebSites on servers (ports)


@caspi wrote:

Hi,

I have the following scenario in my environment:

2 web servers, each hosting 6 web applications on different ports.

Servers:
domain : 80
domain : 81
domain : 82
domain : 83
domain : 443 (ssl)
www.domain.com : 444 (ssl)

There is a plan to have the same port for all websites and change their URLs, but not now; it will be in the near future.

For balancing I would like to have one frontend config (1 IP with multiple ports).

How do I configure this?

I'm looking for a FE and BE config sample for multiple ports with health checks. Also, two of them are SSL.

Thanks a lot

Jan

Posts: 2

Participants: 1

Read full topic
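An added example (not @caspi's config) of the layout asked for above: a single frontend bound to one IP on all six ports, routing on the port the client connected to, with a health-checked backend per application. It assumes the public IP, backend addresses and certificate paths are placeholders, that one certificate covers both domain and www.domain.com, and that the two TLS applications are terminated at HAProxy and re-encrypted to the servers, whose certificates are issued by an internal CA available to HAProxy.

```haproxy
# Added example, not the poster's configuration. Assumed: 203.0.113.10 is
# the public IP, 10.0.0.11/12 are the two web servers, certificate and CA
# paths are placeholders.

frontend apps
    mode http
    # Port ranges on one address: four plain-HTTP ports and two TLS ports
    bind 203.0.113.10:80-83
    bind 203.0.113.10:443-444 ssl crt /etc/haproxy/certs/site.pem
    option httplog

    acl is_www_domain req.hdr(host) -i www.domain.com
    # Port 444 is only served under its own host name; refuse anything else
    http-request deny if { dst_port 444 } !is_www_domain

    # Route on the destination port the client connected to
    use_backend app_80  if { dst_port 80 }
    use_backend app_81  if { dst_port 81 }
    use_backend app_82  if { dst_port 82 }
    use_backend app_83  if { dst_port 83 }
    use_backend app_443 if { dst_port 443 }
    use_backend app_444 if { dst_port 444 }

backend app_80
    mode http
    option httpchk GET /
    server web1 10.0.0.11:80 check
    server web2 10.0.0.12:80 check

backend app_81
    mode http
    option httpchk GET /
    server web1 10.0.0.11:81 check
    server web2 10.0.0.12:81 check

backend app_82
    mode http
    option httpchk GET /
    server web1 10.0.0.11:82 check
    server web2 10.0.0.12:82 check

backend app_83
    mode http
    option httpchk GET /
    server web1 10.0.0.11:83 check
    server web2 10.0.0.12:83 check

backend app_443
    mode http
    option httpchk GET /
    # Re-encrypt to the application and verify its certificate against our CA
    server web1 10.0.0.11:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check
    server web2 10.0.0.12:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check

backend app_444
    mode http
    option httpchk GET /
    server web1 10.0.0.11:444 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check
    server web2 10.0.0.12:444 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check
```

When the planned move to a single port happens, only the frontend changes: the dst_port ACLs become Host-header or path ACLs and the backends stay as they are.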

Haproxy Issue Connecting to Openvpn on TCP 433


@Richie wrote:

Hi
I'm currently running HAProxy on a pfSense box (actually two boxes, for failover).
I have a separate box running an OpenVPN appliance.
I have a couple of web servers as well.
The OpenVPN box listens on UDP 1194 and TCP 443.
The web servers listen on TCP 80 and TCP 443.
I have successfully managed to get TCP 80 and TCP 443 to go to the correct places for the web servers, and using SNI I can also reach the OpenVPN box on TCP 443.
However, I can't get the OpenVPN client to connect to OpenVPN on TCP 443 externally.
I can connect internally via TCP 443. I can also connect internally and externally on UDP 1194.
So I know that OpenVPN is working correctly.
It seems that there is some sort of issue with HAProxy routing the VPN traffic back out again.
Are there any suggestions/examples for this exact situation that would help diagnose the issue?
Logs/diagrams would be helpful, but I'm currently not at home, so I'm doing this on my phone.
Thanks,
Richie

Posts: 2

Participants: 1

Read full topic

Haproxy SSL and sessions


@mandevnull wrote:

Hello,
I'm trying to configure 2 backends (Citrix StoreFront) active-active with HAProxy. The backends are HTTPS. When I log in on node1 and then disconnect that node to test node2, HAProxy does not "save" the credentials and I have to log in again. Is it possible to save sessions and pass them to node2 when node1 fails? I have tested several configurations in both TCP mode and HTTP mode.

Examples:

http mode:
[...]
bind 0.0.0.0:443 ssl crt /etc/pki/tls/private/mycert.pem
[...]
backend mybackend
mode http
cookie SRVNAME insert
server node1 192.168.1.1:443 ssl check cookie node1
server node2 192.168.1.2:443 ssl check cookie node2

tcp mode:
[...]
mode tcp
bind 0.0.0.0:443
[...]
backend mybackend
mode tcp
server node1 192.168.1.1:443
server node2 192.168.1.2:443

thank you so much

Posts: 5

Participants: 2

Read full topic
