Channel: HAProxy community - Latest topics

Server down, stop new requests


@mandevnull wrote:

Hello, I need to configure haproxy so that if a server is down, haproxy does not send more TCP requests while the server is down (automatically).

Is it possible to do this?

thank you so much

Posts: 2

Participants: 2



Stop/Start HAProxy 1.6.12 in RHEL7.2


@dvelan wrote:

Hi,
Can you please help with how to stop/start HAProxy as a service in RHEL 7.2?

I am currently using "haproxy -f /etc/haproxy/haproxy.conf" to start, but what is the exact configuration to stop and start HAProxy as a service (ex: sudo service haproxy stop & start)?

HAProxy Version is 1.6.12 on Red Hat Linux 7.2

Regards,
Vel

Posts: 2

Participants: 2


HTTP Logging in HAProxy 1.6.2 on RHEL 7.2


@dvelan wrote:

Dear,
Can you please guide me with the exact configuration to enable HTTP logging for front-end and back-end?

global
    maxconn 2000
    chroot /etc/haproxy
    log 127.0.0.1:514 local0 notice
    daemon

Above is my current configuration. When I use "strace -tt -s100 -etrace=sendmsg -p 46895", I can see the log, but could not locate any log files. Am I missing anything?

Regards,
Vel

Posts: 2

Participants: 2


Custom display message when setting MAXCONN in front-end/Listen Block


@dvelan wrote:

Team,
By default, when setting "maxconn" in a front-end/listen block, further connections (> maxconn) are queued in the Linux SYN backlog, and connections are released once the connected sessions are released.

I am checking if I can display any custom browser message while connections are staying in the queue. Is it possible for HAProxy to do this? If not, is there any other way, say from the Linux layer?

Your help would be much appreciated.

HAProxy 1.6.12
RHEL 7.2

Regards,
Vel

Posts: 2

Participants: 2


Report health of TCP mode frontends to external health-checks


@mattiwei wrote:

Dear all,
I am struggling with a planned setup (yes, it could be done more elegantly, but the solution has to fit into an existing setup):

  • haproxy in TCP mode, load-balances between two backend servers.
  • an external LB in front needs to be able to check if the frontend (= at least one backend server) is up

Now:
- When the external LB uses a TCP health check, it considers the frontend always up, because the TCP-handshake is successful (haproxy sends a RST right after the TCP handshake, but the external LB (A10) looks only at the SYN/ACK and considers the service is up).
- I can configure a separate HTTP frontend on a different port for testing purposes and have the external LB do an HTTP health check:

listen svc1
  bind 10.0.0.1:5555
  # a server line needs a name before the address; "srv1" is a placeholder
  server srv1 192.168.0.1:5555 check

frontend HEALTH-svc1
  bind 10.0.0.1:80
  mode http
  acl service_dead nbsrv(svc1)  lt 1
  monitor-uri /health
  monitor fail if service_dead

Here's the catch:
I have about 200 TCP mode proxies configured. They all should be health-checked by the external LB, one by one. With the above configuration, I would have to define 200 additional health-check frontends, each using one dedicated TCP port, because this configuration is not intended to work:

*** NOTE CONFIG BELOW DOES NOT WORK, just an example ***
frontend HEALTH-checker
      bind 10.0.0.1:80 
      mode http

      acl svc1_dead nbsrv(svc1)  lt 1
      monitor-uri /health/svc1
      monitor fail if svc1_dead

      acl svc2_dead nbsrv(svc2)  lt 1
      monitor-uri /health/svc2
      monitor fail if svc2_dead

Or have a different approach:

Let haproxy answer to specific URLs with the status of the requested frontend:
GET /health/{frontend_name} => reply with HTTP/200 if frontend is up, HTTP/503 if frontend is down, HTTP/508 if this frontend does not exist.

Is there any way to configure HAProxy to have this functionality? If not: Can I add this to the haproxy wishlist?
Any thoughts on this? Or is there any way to have a similar functionality I missed?

Mathias Weiersmueller

Posts: 1

Participants: 1


Per server rewriting


@valtjo wrote:

Here's my case:
I got 2 HTTP endpoints, example.com/hello and example1.com/prod/hello.
I'd like company.com/hello to be load balanced between example.com and example1.com, but their paths differ.

company.com/hello -> example.com/hello
company.com/hello -> example1.com/prod/hello

I came across this question on ServerFault but it's quite old by now.
How can I do this with HAProxy? Is there a way to rewrite the URI on a per server basis?

Posts: 1

Participants: 1


'info MaxSslRate' doesn't reset on 'clear counters all'


@stefws wrote:

Whenever we on admin socket of our haproxy 1.7.4 (and also on earlier versions) run a 'clear counters all' then 'show info' doesn't seem to reset the value of MaxSslRate like for other counters.

Wondering if it's a bug or intended?

Posts: 1

Participants: 1


Keep Alive Behaviour Change Since 1.7.6


@mattmonkey wrote:

Hi,

We've noticed a strange change in keep alive behaviour since version 1.7.6 - Connections are being held open until timeout client is met.

The request is served to the client in the normal time, but nothing is logged until the timeout is met. The logs then report the total session duration time as just over the timeout client value and if another request is made by the browser within the timeout the connection is reused.

We'd normally expect the request to be logged straight after completion, the timings reflect the request duration seen from the browser and for the connection only to be reusable within our timeout http-keep-alive which is set much lower than our timeout client.

This is not happening on our backends with option forceclose (we need to do that for certain user agents).

Confirmed it is timeout client driving this behaviour by setting it to an unusual value e.g. -

timeout client 43s in the config
Request is served to the browser in 615ms
Request timings in log - "Th":155,"Ti":-1,"TR":149,"tq":303,"Tw":0,"Tc":1,"Tr":34,"Ta":43339,"Tt":43339 (We JSON format them)

Has anyone else noticed similar? When we tried to go live on 1.7.6 and later 1.7.7 we saw a massive performance hit because we exhausted our connections (maxconn).

Snippets from our config -

defaults
    log global
    mode http
    balance roundrobin
    option abortonclose
    option http-server-close
    timeout connect 9s
    timeout client 60s
    timeout server 60s
    timeout check 5s
    timeout http-keep-alive 5s

backend appserver-backend
    http-check send-state
    balance roundrobin
    cookie JSESSIONID prefix
    option httpchk HEAD /monitors/check
    option persist
    option redispatch
    option http-pretend-keepalive

Posts: 1

Participants: 1



Override defaults


@isa wrote:

Hello Everyone

So I have a basic question. Can the value in defaults be overwritten in the backend or frontend?

My problem is I have a new app which needs a longer client/server timeout than the default, which in my case is 60s. I have read that to do this I need to remove timeout client from defaults and add it for each frontend, and obviously set my new app timeout to the desired time. Is this correct?

Here's my relevant config.

defaults
  log  global
  maxconn  8000
  option  httplog
  option  redispatch
  option  log-separate-errors
  retries  3
  stats  enable
  timeout  http-request 10s
  timeout  queue 1m
  timeout  connect 10s
  timeout  client 1m
  timeout  server 1m
  timeout  check 10s



frontend rabbit
  bind 10.0.0.1:5672
  mode tcp
  timeout client 3h
  timeout server 3h
  option dontlog-normal
  option dontlognull
  default_backend rabbit_backend

backend rabbit_backend
  balance roundrobin
  mode tcp
  server rabbitserver1 10.0.0.2:5672 check
  server rabbitserver2 10.0.0.3:5672 check

Posts: 6

Participants: 2


2 frontends SSL over HTTP and TCP?


@mandevnull wrote:

Hello, can I use 2 frontends configured with SSL, but one frontend in tcp mode and the other in http mode, on the same port (443)?

I tried this:

frontend http-in
    mode http
    bind 0.0.0.0:80
    bind 0.0.0.0:443 ssl crt /etc/pki/tls/private/cert.pem
    option httplog
    option dontlognull
    option contstats

    acl host_host2 hdr(host) -i host2.domain.com
    use_backend host2_cluster if host_host2

frontend https-in
    mode tcp
    option tcplog
    bind 0.0.0.0:443

    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    acl host_host1 req.ssl_sni -i host1.domain.com
    use_backend host1_cluster if host_host1

I get this error in log (not found the server https://host1.domain.com and not found https://host2.domain.com)

Jun 30 10:04:57 localhost haproxy[4570]: 172.21.6.23:36510 [30/Jun/2017:10:04:57.885] http-in~ http-in/ -1/-1/-1/-1/23 503 212 - - SC-- 6/0/0/0/0 0/0 "GET / HTTP/1.1"

thanks in advance!

Posts: 10

Participants: 2


HAProxy won't start properly


@jmyoda79 wrote:

I'm trying to test HAProxy to see if it would work well for a project ... however I can't seem to get it to start properly and I'm not entirely sure where I'm going wrong. I'm running this on an Ubuntu 16.04 system just for testing purposes on a private network. I installed it via apt and the HAProxy version that was installed was 1.6.13. I start haproxy and it says it started ... but nothing ever happens. It never binds the port (according to netstat), never throws any errors (according to the haproxy log or debug), and doesn't do anything. I run haproxy manually with the -d flag and these are the results:

# /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -d
Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.
Using epoll() as the polling mechanism.

It never goes any further ... it just sits there with no other output. I've left it running for 10 - 15 minutes with no other output while I constantly try to connect to the port I specified in the cfg file (7032). The config passes the config check and here is the config that I have setup :

# /usr/sbin/haproxy -c -f /etc/haproxy/haproxy.cfg
Configuration file is valid
# cat /etc/haproxy/haproxy.cfg
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    maxconn 392
    user haproxy
    group haproxy
    daemon
defaults
    log global
    retries 2
    timeout connect 3000
    timeout server 5000
    timeout client 5000
listen mysql-cluster
    bind *:7032
    mode tcp
    option mysql-check
    balance roundrobin
    server innodbNode1 192.168.1.111:3306 check
    server innodbNode2 192.168.1.112:3306 check
    server innodbNode3 192.168.1.113:3306 check

I'm really not sure what I'm doing wrong here ... I've got no errors, no problem indicated, yet nothing works. Could someone please point me in the direction of what I'm doing wrong?

Posts: 2

Participants: 1


HAProxy + Squid + NTLM = Not Working! Help!


@gianfcn wrote:

Hello Sharks,

I have the following scenario:

[ Client ] ----------> [ HaProxy ] ----------> [ Squid1 ] or [ Squid2 ]

Using NTLM authentication in both Squids. All working fine except for INTERNET EXPLORER.

In Chrome it is OK. In Firefox it is OK. But Internet Explorer (11) always shows the prompt for credentials.

Can anyone help me?

Below is my haproxy.cfg:

defaults
    mode http
    option httplog
    option dontlognull
    option forwardfor except 127.0.0.1/8 # Needed to log the client IP
    option redispatch
    retries 7
    timeout http-request 10s
    timeout queue 1m
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
    timeout http-keep-alive 10s
    timeout check 10s

frontend squid_frontend
    bind *:3128
    default_backend squid_backend
    option prefer-last-server
    option http-keep-alive # Needed for NTLM
    option forwardfor

backend squid_backend
    option prefer-last-server # NTLM
    option http-keep-alive # Needed for NTLM
    server squid126 172.19.0.126:3128 check
    server squid127 172.19.0.127:3128 check
    server squid128 172.19.0.128:3128 check
    balance source

Thanks!

Posts: 6

Participants: 2


Removing a Cookie value using regex


@sbonar wrote:

I am trying to remove a cookie value by using the following:

http-request replace-header Cookie (;?\ ?sessionid=[^;];?\ ?)(.|\r\n) \2

If I have read the docs correctly this will find the 'sessionid' cookie value in the Cookie header and replace it with whatever comes after it, whether it is a string or a '\r\n'.

This appears to work, for the most part, but there are times that it also removes the values before it.

1) what am I doing wrong???
2) is there another way to do this??

Scott

Posts: 1

Participants: 1


HAPROXY Stats page for monitoring unrelated Servers


@rtan wrote:

Hi,

Would it be practical to add a few back-ends with servers without using them, just for plain checking of the status of HTTP or other service availability monitoring?

Please advise.

Posts: 2

Participants: 2


SSL Configuration for HAProxy 1.6.12


@dvelan wrote:

Hi,
I need assistance configuring SSL properly in HAProxy 1.6.12. I am aiming to use HTTPS between the browser and HAProxy; from HAProxy to the backend, it will be HTTP. I loaded the public CA certificate from Entrust successfully, and I can see the application login page via HTTPS. However, when trying to log in, it says "page cannot be displayed". I am not sure if all the required configuration parameters related to SSL are made in the config file.

Appreciate your help on this. Is there any detailed procedure to configure SSL in HAProxy?

global
    maxconn 2000
    chroot /etc/haproxy
    tune.ssl.default-dh-param 2048
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    ssl-default-bind-options no-sslv3 force-tlsv12

    ssl-server-verify none

    ssl-server-verify required
    quiet

listen http_proxy
    bind :44370 # HAProxy Listen Port
    bind :44374 ssl crt /etc/haproxy/certs/sss.starhubsg.sh.pem
    reqadd X-Forwarded-Proto:\ https
    server server1 :8000

Regards,
Vel

Posts: 1

Participants: 1



Haproxy and Odoo


@damendieta wrote:

Hi, I'm using haproxy for an Odoo installation. It is based on docker and I have 3 containers: one for the database, one for odoo and one for haproxy.

I'm receiving this error:

4/7/2017 08:36:14 Traceback (most recent call last):
4/7/2017 08:36:14   File "/usr/lib/python2.7/dist-packages/openerp/service/server.py", line 721, in run
4/7/2017 08:36:14     self.process_work()
4/7/2017 08:36:14   File "/usr/lib/python2.7/dist-packages/openerp/service/server.py", line 754, in process_work
4/7/2017 08:36:14     self.process_request(client, addr)
4/7/2017 08:36:14   File "/usr/lib/python2.7/dist-packages/openerp/service/server.py", line 745, in process_request
4/7/2017 08:36:14     self.server.process_request(client, addr)
4/7/2017 08:36:14   File "/usr/lib/python2.7/SocketServer.py", line 321, in process_request
4/7/2017 08:36:14     self.finish_request(request, client_address)
4/7/2017 08:36:14   File "/usr/lib/python2.7/SocketServer.py", line 334, in finish_request
4/7/2017 08:36:14     self.RequestHandlerClass(request, client_address, self)
4/7/2017 08:36:14   File "/usr/lib/python2.7/SocketServer.py", line 657, in __init__
4/7/2017 08:36:14     self.finish()
4/7/2017 08:36:14   File "/usr/lib/python2.7/SocketServer.py", line 716, in finish
4/7/2017 08:36:14     self.wfile.close()
4/7/2017 08:36:14   File "/usr/lib/python2.7/socket.py", line 279, in close
4/7/2017 08:36:14     self.flush()
4/7/2017 08:36:14   File "/usr/lib/python2.7/socket.py", line 303, in flush
4/7/2017 08:36:14     self._sock.sendall(view[write_offset:write_offset+buffer_size])
4/7/2017 08:36:14 timeout: timed out

I traced it and it seems to be related to haproxy health checks. I saw a similar problem here:

But I don't know how to configure haproxy to do the right health checks or to disable them.

Can someone help me, please?

Daniel.

Posts: 3

Participants: 2


L6RSP health-check error on the SSL-backend


@nick.t wrote:

Hello all.
I'm using HA-Proxy version 1.7.6 and trying to setup some sites with SSL on the IIS web-server behind the HAProxy. My config is below

frontend https-frontend
  bind 192.168.30.133:443 ssl strict-sni crt /etc/haproxy/ssl/
  mode http
  ... (set/modify some headers in request and response)
  use_backend app1 if { hdr_end(host) -i app1.example.com }

backend app1
  mode http
  balance roundrobin

  option httpchk HEAD / HTTP/1.1\r\nHost:app1.example.com
  http-check expect rstatus (2|3)[0-9][0-9]
  default-server inter 5s fall 2 rise 2

  option httpclose
  http-reuse safe
  option forwardfor except 127.0.0.0/8
  http-request set-header X-Client-IP %[src]
  http-request set-header X-Forwarded-Port %[dst_port]
  http-request add-header X-Forwarded-Proto https if { ssl_fc }

  cookie SERVERID insert indirect nocache
  server srv1 1.2.3.4:443 ca-file /etc/haproxy/ssl/app1.example.com.issuer ssl verify required verifyhost app1.example.com check check-ssl

I've tried many combinations with the same result. With the health-check enabled, clients get a 503 error (as expected, since the health-check failed and no more backend servers are available). But even if I remove the "ssl" and "httpchk" directives (then the health-check seems to pass with "L4OK"), the backend doesn't work - the browser shows errors, something like "Secure connection failed" or "Empty response".
Direct connection from the client's workstation to the backend-server is working normally.

Posts: 4

Participants: 2


Error while Installing HAProxy 1.7 on Debian 8


@Matthieu_HPP wrote:

Hi,

I cannot manage to install HAProxy 1.7 on Debian 8.

I followed the instructions given by https://haproxy.debian.net for the stable version.

Here is the error message obtained on the last step:

# apt-get install haproxy -t jessie-backports
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances       
Lecture des informations d'état... Fait
haproxy est déjà la plus récente version disponible.
0 mis à jour, 0 nouvellement installés, 0 à enlever et 80 non mis à jour.
1 partiellement installés ou enlevés.
Après cette opération, 0 o d'espace disque supplémentaires seront utilisés.
Souhaitez-vous continuer ? [O/n] o
Paramétrage de haproxy (1.7.5-2~bpo8+1) ...
**insserv: Script firewall.save.1 is broken: missing end of LSB comment.**
insserv: exiting now!
update-rc.d: error: insserv rejected the script header
dpkg: erreur de traitement du paquet haproxy (--configure) :
 le sous-processus script post-installation installé a retourné une erreur de sortie d'état 1
Des erreurs ont été rencontrées pendant l'exécution :
 haproxy
E: Sub-process /usr/bin/dpkg returned an error code (1)

The file firewall.save.1 is empty. I tried to put classical headers in it but the error is still present.

I do have a firewall file for iptables, /etc/init.d/firewall, already filled.

Do you have any ideas to solve this issue?

Many thanks

Matthieu

Posts: 2

Participants: 1


Session state SDNN + http status code 200 when upgrading to 1.7


@issuu wrote:

Hi,

We are seeing some weird behaviour after upgrading to HaProxy 1.7 (we have tried 1.7.5, 1.7.6 and 1.7.7)

Our backends are using NodeJs 6 and what happens is that we get log lines like this:

2017-07-05T07:26:04.205735+00:00 haproxy haproxy[6034]: ERR 0.0.0.0:59310 [05/Jul/2017:07:26:04.141] frontend backend/server 0/0/0/63/63 200 11833 - - SDNN 271/270/23/1/0 0/0 {Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36} {} "GET /boletimseptufpr/docs/04.2017_boletim HTTP/1.0"

So when I go and look at the corresponding NodeJs log, I see the request and an http status code 200 being returned and this is also what I see in the haproxy log - http status code 200 - so how can it be an haproxy ERR and session state SD and at the same time be http status code 200 ???? I don't get it :)

Anyone here who can explain how it can be http status code 200 and at the same time an ERR?

Switching back to version 1.6.8 and the errors disappear.

Thanks

Simon Ellefsen,
Issuu

Posts: 3

Participants: 2


Error redirect http to https


@efcunha wrote:

The following errors are happening:

01-https://www.xxx.com.br/

502 Bad Gateway
The server returned an invalid or incomplete response.

Jul 4 10:48:02 localhost haproxy [1066]: 10.69.39.9:27117 [04/Jul/2017:10:48:01.966] HTTPS-in ~ app-Main/zend02 18/0/0/-1/39 502 6116--PHNN 0/0/0/0/0 0/0 "get/HTTP/1.1"

02-Https://www.xxx.com.br/auth/login

Jul 4 10:48:51 localhost haproxy [1066]: 10.69.39.9:27135 [04/Jul/2017:10:48:51.124] HTTPS-in ~ app-Main/zend02 1/0/1/32/34 200 5461----nn 0/0/0/0/0 0/0 "get/auth/login HTTP/1.1"
Jul 4 10:48:51 localhost haproxy [1066]: 10.69.39.9:27136 [04/Jul/2017:10:48:51.225] HTTPS-in ~ app-Main/zend02 1/0/0/1/2 304 153----nn 2/2/1/1/0 0/0 "get/images/logos.png HTTP/1.1"
Jul 4 10:48:51 localhost haproxy [1066]: 10.69.39.9:27137 [04/Jul/2017:10:48:51.225] HTTPS-in ~ app-Main/zend02 1/0/1/1/3 304 152----nn 1/1/0/0/0 0/0 "get/images/logo_pug.png HTTP/1.1"

Posts: 2

Participants: 2
