Channel: HAProxy community - Latest topics

Connections stopping after 2,000 connections

@laraymond wrote:

Afternoon all, I have read and tested so many things my eyes are bleeding, but basically I had a similar issue with MQTT and mosquitto and have that resolved, but when I test through my HAProxy server, it’s stopping after 2,000 connections (yet directly I can get well over 10k).

I have ulimit -n showing 64k connections for both root and haproxy. When I check the processes I have 3.
/usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
/usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds (2 identical ones)

If I check the 2 that are the same (/proc/ID/limits) I see the following:
Max open files 8000035 8000035 files
but the 1st shows:
Max open files 1024 4096 files

I don’t know if that is the issue, but my haproxy.cfg shows the following:
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    maxconn 4000000

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

listen mqtt
    bind *:1883
    mode tcp
    option tcplog
    balance leastconn
    server broker_1 192.168.1.231:1883 check

listen mqtt-swd1
    bind *:1884
    mode tcp
    option tcplog
    balance leastconn
    server broker_1 192.168.1.231:1883 check

So, that single server has a public IP which I mentioned; if I go direct with a test app I can make over 10k connections, but when I go through HAProxy, it stops at exactly 2k connections.

This is running on an Amazon AWS Linux EC2 server (I can really use any distro) but this should be a non-issue.

Any help or .02 is appreciated.

Posts: 1

Participants: 1



Cloudera Impala active/backup setup with Haproxy - facing issues

@dark_conspiracist wrote:

Hi guys,
So we have an Impala setup in one of the production clusters and in order to build HA for the same, we are using haproxy. As you might know, Impala is currently not supporting any retry mechanism for failover of coordinators, that’s why we are trying to use the below feature.


Load balancing is working as desired, by the way.

However, after putting these configs in, we are facing issues in starting the impala shell itself.
Can someone who has worked on Impala HA with haproxy help?

Posts: 1

Participants: 1


Making many HTTP health checks

@Chek69 wrote:

Hi everybody,

I’m trying to perform many health checks with option tcp-check instead of option httpchk.

Here’s the configuration that I tried:

listen XXX virtual/IP@:443
option tcp-check
tcp-check send GET /owa/healthcheck.htm
tcp-check expect string OK
tcp-check send GET /ecp/healthcheck.htm
tcp-check expect string OK
tcp-check send GET /ews/healthcheck.htm
tcp-check expect string OK
tcp-check send GET /oab/healthcheck.htm
tcp-check expect string OK
tcp-check send GET /Autodiscover/healthcheck.htm
tcp-check expect string OK
tcp-check send GET /Microsoft-Server-ActiveSync/healthcheck.htm
tcp-check expect string OK
tcp-check send GET /rpc/healthcheck.htm
tcp-check expect string OK
server server_name IP@ check port 80
server server_name IP@ check port 80

I found this in the log file:

***** failed, reason: Layer7 timeout, info: " at step 1 of tcp-check (send)", check duration: 2001ms, status: 0/2 DOWN.

Thank you very much.

Posts: 1

Participants: 1


Error while setting up hapee1.6r2-rest-api in Ubuntu

@Indian_velumani wrote:

Hello,
I have an issue installing the HAProxy rest-api on Ubuntu 14.04. I followed the instructions exactly as documented at http://www.haproxy.com/doc/hapee/1.6r2/api/webbased.html#installation but at the stage where I test the API using

wget -O - 192.168.122.185/api/2/scope/root/l7/farm

I get the following error:

root@ubuntu:/var/log/apache2# wget -O - 192.168.1.5/api/2/scope/root/l7/farm
--2017-08-11 19:11:20-- http://192.168.1.5/api/2/scope/root/l7/farm
Connecting to 192.168.1.5:80... connected.
HTTP request sent, awaiting response... 500 Internal Server Error
2017-08-11 19:11:20 ERROR 500: Internal Server Error.

Also note that in 000-default.conf I configured the module this way, because the URL mentioned in /usr/share/doc/hapee-1.6r2-rest-api/examples/apache2.conf gave an Error 400:

ProxyPassMatch ^/(api(/.*)?)$ unix:///var/run/hapee-1.6/hapee-rest-api.sock|fcgi://localhost/

Please do contact if any more information is required.

Posts: 1

Participants: 1


Send-proxy-v2-ssl option only sends ssl version

@saintobr wrote:

Hi all,

The proxy protocol v2 spec defines TLV fields carrying ssl info like ssl version, used ciphers and server certificate generation key algorithm. However when activating send-proxy-v2-ssl option the only info I get is the ssl version.

How can I get the other fields?
I know those data are “optional” in the protocol, but is there a way to force haproxy to send them?

For info I tried with haproxy 1.6.3, 1.7.8 and latest 1.8-dev2 but get the same result.

Thanks for your help.

Posts: 1

Participants: 1

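As an added example (not from the post and not HAProxy project code), a receiver-side parser for the v2 PROXY header that decodes the PP2_TYPE_SSL TLV and the five SSL sub-TLVs defined in the protocol spec (version, CN, cipher, signature algorithm, key algorithm) and reports which of the optional ones the sender left out. The sample header is constructed and mirrors the version-only case described above; only the PROXY command over TCP/IPv4 is handled.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List
# Constants from the PROXY protocol v2 specification (haproxy doc/proxy-protocol.txt).
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_TYPE_SSL = 0x20
PP2_SSL_SUBTYPES = {0x21: "ssl_version", 0x22: "ssl_cn", 0x23: "ssl_cipher",
                    0x24: "ssl_sig_alg", 0x25: "ssl_key_alg"}
PP2_CLIENT_CERT_CONN, PP2_CLIENT_CERT_SESS = 0x02, 0x04

@dataclass
class Pp2Header:
    src: str
    dst: str
    src_port: int
    dst_port: int
    consumed: int                 # bytes of the stream taken by the header
    client_cert: bool = False     # client presented a certificate (connection or session)
    verified: bool = False        # verify field == 0: the certificate chain validated
    ssl: Dict[str, str] = field(default_factory=dict)  # decoded SSL sub-TLVs by name

def _tlvs(buf: bytes):
    """Yield (type, value) pairs from a TLV run: type(1) length(2, big-endian) value."""
    pos = 0
    while pos < len(buf):
        t, ln = struct.unpack_from(">BH", buf, pos)   # struct.error if the header is cut
        pos += 3
        if pos + ln > len(buf):
            raise ValueError("TLV value runs past the end of the header")
        yield t, buf[pos:pos + ln]
        pos += ln

def parse_pp2(data: bytes) -> Pp2Header:
    """Parse a v2 PROXY header (PROXY command, TCP over IPv4) and its PP2_TYPE_SSL TLV."""
    if not data.startswith(PP2_SIGNATURE) or len(data) < 16:
        raise ValueError("not a PROXY protocol v2 header")
    ver_cmd, fam, length = struct.unpack_from(">BBH", data, 12)
    body = data[16:16 + length]
    if (ver_cmd, fam) != (0x21, 0x11) or len(body) != length:
        raise ValueError("expected a complete v2 PROXY header for TCP over IPv4")
    src, dst, sp, dp = struct.unpack_from(">4s4sHH", body)
    hdr = Pp2Header(".".join(map(str, src)), ".".join(map(str, dst)), sp, dp, 16 + length)
    for t, v in _tlvs(body[12:]):
        if t != PP2_TYPE_SSL or len(v) < 5:
            continue              # other TLV types are not decoded here
        client, verify = v[0], struct.unpack_from(">I", v, 1)[0]
        hdr.client_cert = bool(client & (PP2_CLIENT_CERT_CONN | PP2_CLIENT_CERT_SESS))
        hdr.verified = verify == 0
        for st, sv in _tlvs(v[5:]):
            if st in PP2_SSL_SUBTYPES:
                hdr.ssl[PP2_SSL_SUBTYPES[st]] = sv.decode("ascii", "replace")
    return hdr

def missing_ssl_fields(hdr: Pp2Header) -> List[str]:
    return sorted(set(PP2_SSL_SUBTYPES.values()) - set(hdr.ssl))  # optional sub-TLVs not sent

def tlv(t: int, v: bytes) -> bytes:
    return struct.pack(">BH", t, len(v)) + v

def build_sample(sub_tlvs: bytes = tlv(0x21, b"TLSv1.2")) -> bytes:
    """Constructed header; the default carries only ssl_version, as described in the post."""
    ssl_val = bytes([0x01]) + struct.pack(">I", 0) + sub_tlvs   # PP2_CLIENT_SSL, verify=0
    body = bytes([192, 0, 2, 10, 192, 0, 2, 1]) + struct.pack(">HH", 51234, 443) + tlv(PP2_TYPE_SSL, ssl_val)
    return PP2_SIGNATURE + struct.pack(">BBH", 0x21, 0x11, len(body)) + body
```

A backend that trusts the TLV should check `verified` and `client_cert` rather than the mere presence of ssl_version, since each sub-TLV is optional and may be absent.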

Disable Diffie-Hellman

@isa wrote:

Hi

I have done a scan on my website using ssllabs and I get this message: “This server supports weak Diffie-Hellman (DH) key exchange parameters.” How can I disable this? Below is my cipher suite config.

ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

Posts: 1

Participants: 1


Based on load balancer selection, modify http-request

@cjohnson wrote:

Hello,

I am attempting to execute a staged roll out of a new backend using weighted load balancing.
Sample backend configuration:

mode http
reqidel ^Host:
reqadd Host:\
server api :80 weight 99

#only execute if moa is selected
http-request set-path /mobile-orchestration%[path]
http-request set-query %[query]&apikey=somekey

server moa :443 weight 1 check ssl verify none

The above configuration obviously does not work as desired. The http-request commands will be executed regardless of the server selected.

The moa server requires the addition of a path prefix; the api server must not have this. How can I modify this configuration such that the changes described by the http-request commands are only executed when the moa server is selected by the load balancer?

Thanks

Posts: 1

Participants: 1


Adding Client Certificate Authentication to Existing https Setup

@nospam wrote:

I use haproxy in a SSL termination config, where depending on the URL the traffic is directed to different backends.

I auto generate a SSL certificate using Let’s Encrypt. Clients are just Web browsers and I currently authenticate using usernames and passwords for each backend. I can either enable or disable the authentication. I cannot modify the backends to accept client certificates.

I would like to use client certificates for authentication on the front end and therefore remove the need for username and passwords on the backend. According to this https://arcweb.co/securing-websites-nginx-and-client-side-certificate-authentication-linux/ for nginx some additional lines need to be added to enable client authentication, and once authenticated, the rest of the traffic is encrypted.

How can I achieve the same thing with haproxy?

I’m aware that in some instances certificates can be combined (eg TLS with Client Authentication) but I’m not sure if this is required for haproxy nor how to do it.

On the front end I have the following line related to ssl:

bind 199.99.99.99:443 ssl crt /etc/haproxy/certs/hostname-dh.pem

What config changes do I need to make to add client authentication?

Posts: 4

Participants: 2



Configuration example

@paul.aviles wrote:

Hello, I have a pair of HAproxy servers in front of a bunch of web and application servers with a single public IP address, and at this time they are not using https. We also have an Exchange 2016 server which is not going through HAP and instead is NATed on the Cisco ASA to another internal IP, so https is on a separate path now.

We use the web server’s name to distribute the traffic as shown in the config below. We would like to put all the web and app servers on https, put the Exchange server behind HAP as well, and also make sure that the IP addresses of the external clients are visible on the backend hosts. In the event of an attack/issue we should be able to see the real IP address being used on each backend server.

I guess this would also require that each backend server has its own SSL certificate, which is OK.

Can this be done with HAP and can anyone share a sample config if possible?

Really appreciated!

frontend http-in
    bind 192.168.0.53:80

    option httpclose

    # ACL
    acl is_server1.domain.com            hdr_end(host) -i server1.domain.com

    # USE_BACKEND
    use_backend server1.domain.com       if is_server1.domain.com

# BACKEND_SERVER
backend server1.domain.com
    server domain 192.168.0.100:80 weight 1 maxconn 50 check

Posts: 1

Participants: 1


How to set the email-alert frequency

@zhuyijian135757 wrote:

Hi,
I configured email-alert. Once a server is down, the email alerts are very frequent.
When I open the mailbox, I receive a lot of alert mail.
How do I set the interval for sending an email-alert?

Posts: 1

Participants: 1


Default server status on HAProxy restart

@francisco.biete wrote:

Hi,

I’m having some problems trying to set the initial status of the backend servers on HAProxy restart.
What I want:

  • backend servers start as DOWN on HAProxy restart (or clean start), and will be marked UP/DOWN after the checks are run the number of times configured.

What I see:

  • backend server start as UP on HAProxy restart (or clean start), and will be marked DOWN after the checks are run…

How can I force the servers to start in a DOWN status? I have tried the “disabled” option, but then I have to manually bring them out of that status, so it’s not exactly what I want.

Thanks!

Posts: 1

Participants: 1


Health check issue

@darkelf wrote:

Hi!

I have a health check of a website with a GET request, expecting some string in the answer. In 1.5.18 it works fine.
But when I move this health check to 1.7.3 or 1.7.4 it stops working. The server is offline.
Strings from the config:

option httpchk GET /solr/test/admin/ping?wt=json&distrib=true&indent=true HTTP/1.1\r\nHost:\ www.here.com
http-check expect string "zkConnected":true

Posts: 2

Participants: 2


HAProxy 1.7 server hot reconfiguration added?

@ADV-IT wrote:

Hi All,
On the web site www.haproxy.org I see this:

  • version 1.7 : added server hot reconfiguration, content processing agents, multi-type certs,

But I cannot find any info about something NEW regarding the Hot Server Reconfiguration process.
In the documentation, only the old reload process (/etc/init.d/haproxy reload) is mentioned.

What exactly was added in v1.7 for server hot reconfiguration?

Posts: 1

Participants: 1


Using parts of uri to stick the request and a cookie to stick the response

@qoelhex wrote:

Hi everyone!

Hi, I’m Fábio, a sysadmin. I hope I can learn from here and, given enough time and debugging, contribute as well!

At the moment I’m a haproxy newbie trying to balance a quite peculiar web application.

That application provides services for simultaneously editing documents in a cluster configuration. Distinct users editing the same document will have to be served by the same server for that document, since internal pointers to edit actions in the document are not replicated across the cluster.

So, I can identify the document referred to in the URI (which is distinct between users, since the URI contains distinct auth tokens), and I can trace it back based on the session cookie.

As I am truly a newbie I haven’t yet worked out how to extract the fileid from the URI with a regex.
The regex was OK; using it was not! Here is my last attempt in the haproxy.cfg backend section:

http-request set-var(req.stickvar) capture.req.uri /https\%3(.*)files\%2(\w)\w+[^%3|&]/

I wasn’t very lucky in my googling for alternative syntax or functions. Time to ask for help; the question is:

How can I use regex to fetch samples and store in a variable?

Because I want to achieve load balancing, sticking the request based on a portion of the uri.

Cheers!

Posts: 1

Participants: 1


Log SNI in TCP mode

@truechimer wrote:

Is it possible to log a request’s SNI in mode tcp? You can access the SNI for routing decisions, so ideally you could access it for logging as well.

Currently using version 1.7.8

Ideally something like the following (not working) config:

defaults
  log global
  mode tcp
  balance roundrobin

frontend https-in
  mode tcp
  tcp-request inspect-delay 3s
  tcp-request content accept if { req_ssl_hello_type 1 }
  # ideally could capture the SNI something like this
  tcp-request content capture req.ssl_sni len 10
  # log capture slot 0#
  log-format "capture0: %[capture.req.hdr(0)]"
  use_backend test_0 if req.ssl_sni -m end /test

backend test_0

A more full config containing the above settings will log an empty line: capture0: -

Posts: 1

Participants: 1



503 Service Unavailable | The plain HTTP request was sent to HTTPS port

@albanosdes wrote:

Hello there. I’m in need of a reverse proxy, using only HTTPS.

I have my VM-HaProxy on 192.168.10.5
and my VM-Git with a web interface (Gogs), with NGINX listening on 443 with a Let’s Encrypt cert which has been validated.

I’m only using HTTPS, always rewriting http to https.

The thing is, I’m getting a 400 error (The plain HTTP request was sent to HTTPS port) with the backend line:
server vm-git 192.168.10.11:443 weight 1 maxconn 8192
And a 503 Service Unavailable with the backend line:
server vm-git 192.168.10.11:443 weight 1 maxconn 8192 check ssl verify none

I went to a lot of forums searching for a solution, but found none.

My iptables rules are OK:
#HTTP, HTTPS
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT

Debian 8.9 64bits
HA-Proxy version 1.5.8 2014/10/31


haproxy.cfg:

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    # ca-base /etc/ssl/certs
    # crt-base /etc/ssl/private

    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    option forwardfor except 127.0.0.0/8
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

############################################

frontend https-in
    bind 192.168.10.5:443 ssl crt /etc/haproxy/cert/gogs.pem
    acl gogs hdr(host) gogs.imperial-legion.fr
    use_backend backendgogs if gogs
    default_backend backendgogs

############################################

backend backendgogs
    option httpchk
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    server vm-git 192.168.10.11:443 weight 1 maxconn 8192
    #server vm-git 192.168.10.11:443 weight 1 maxconn 8192 check ssl verify none

Posts: 2

Participants: 1


Rspirep / rsprep not triggering

@Hoggins wrote:

I’m trying to rewrite the contents of a response from an HTTP backend server. It’s an Icecast server so it answers on HTTP/1.0.

I would like to replace any occurrence of “http://that.server.com:8787/” with “https://that.server.com” (removing the trailing port and changing the scheme)

So my rspirep line looks like this:

rspirep http://that.server.com:8787(.*) https://that.server.com\1

… and all I get is the exact same original content:
http://that.server.com:8787/some_uri

Tried with both rsprep and rspirep in case one of them is misbehaving, no luck.

Is there something I’m missing?

Posts: 4

Participants: 2


How can I make haproxy log less information?

@risshuu wrote:

How do I get haproxy to log less information? Specifically, I don’t care to see the following messages in my logs.

 Aug 24 14:48:57 Machine haproxy[953]: Connect from <ip address>:<port> to <ip address>:<port> (proxy/<protocol>)

Logging information from haproxy.cfg:

global
    log /dev/log    local0
    log /dev/log    local1 notice

Also, does anyone know how to get rsyslog.d to not log haproxy information in the syslog log? I have found information for syslog, but not rsyslog.

Posts: 1

Participants: 1


Haproxy balance roundrobin

@veniciusgp wrote:

Dear Friends,

I have a doubt

My backend has only 2 servers (vmp103 and vmp104)

You can perform the balancing as follows:

2 requests for vmp103 and 2 requests for VMP104

With the settings the balancing is being done as follows:

1 request for vmp103 and 1 request for vmp104

Is it possible to balance 2 to 2 instead of 1 to 1?

My settings follow:

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user root
    group root
    daemon

defaults
    log global
    option dontlognull
    mode http
    option httplog
    stats uri /stats
    timeout connect 5000
    timeout client 50000
    timeout server 50000

frontend http_front
    bind *:8089
    default_backend http_back

backend http_back
    balance roundrobin
    option httpchk GET /intacesso/intstatus.do?perfil=HTTP_APROVREQ
    server vmp103 10.50.50.103:8080 check
    server vmp104 10.50.50.104:8080 check

Best Regards

Posts: 1

Participants: 1


Curl not closed when 204 No-Content and Transfer-Encoding: chunked through haproxy

@matejuh wrote:

Haproxy is terminating https connections and forwards requests to backend. When resource returns 204 No-Content and Transfer-Encoding: chunked the curl connection is not closed. When I call resource directly on backend, the connection is closed properly. Can anybody explain this behaviour?

Through haproxy:
curl -X GET https://localhost/example -v
* About to connect() to localhost port 443 (#0)
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 443 (#0)
> GET /example HTTP/1.1
> User-Agent: curl/7.29.0
> Host: localhost
> Accept: */*
>
< HTTP/1.1 204 No Content
< Cache-Control: no-cache, no-store, must-revalidate
< Date: Wed, 23 Aug 2017 13:15:16 GMT
< transfer-encoding: chunked
<
^C

Directly to the backend:

curl -X GET http://localhost:6083/example -v
* About to connect() to localhost port 6083 (#0)
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 6083 (#0)
> GET /example HTTP/1.1
> User-Agent: curl/7.29.0
> Host: localhost:6083
> Accept: */*
>
< HTTP/1.1 204 No Content
< Cache-Control: no-cache, no-store, must-revalidate
< Date: Wed, 23 Aug 2017 14:19:03 GMT
< transfer-encoding: chunked
<
* Connection #0 to host localhost left intact

Posts: 2

Participants: 2

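An added example, not part of the post: the RFC 7230 section 3.3.3 message-body rules applied to a constructed copy of the response captured above. A 204 response never carries a body, whatever Transfer-Encoding says, so a client following those rules treats it as complete at the blank line after the headers; the same function shows that a 200 with chunked encoding is only complete once the last chunk has arrived.

```python
from typing import Dict, Tuple

# Constructed sample: the response seen through haproxy in the post, as raw bytes.
# Only the header block arrives; no chunked body and no terminating "0\r\n\r\n" follow.
SAMPLE_204_CHUNKED = (
    b"HTTP/1.1 204 No Content\r\n"
    b"Cache-Control: no-cache, no-store, must-revalidate\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
)

def parse_head(raw: bytes) -> Tuple[int, Dict[str, str], int]:
    """Return (status code, lower-cased header map, offset at which a body would start)."""
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("header block is incomplete")
    lines = raw[:end].decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, end + 4

def body_framing(status: int, headers: Dict[str, str], is_head: bool = False) -> str:
    """Pick the body delimiter per RFC 7230 section 3.3.3, rules in order of precedence."""
    if is_head or 100 <= status < 200 or status in (204, 304):
        return "none"        # rule 1: never a body, whatever Transfer-Encoding/Content-Length say
    te = headers.get("transfer-encoding")
    if te:                   # rule 3: chunked must be the final coding, else length is unknown
        return "chunked" if te.split(",")[-1].strip().lower() == "chunked" else "close"
    if "content-length" in headers:
        return "content-length"
    return "close"           # rule 7: body ends when the server closes the connection

def _chunked_complete(body: bytes) -> bool:
    """True once the last-chunk ("0") and the empty line ending the trailers are present."""
    pos = 0
    while True:
        nl = body.find(b"\r\n", pos)
        if nl < 0:
            return False
        size = int(body[pos:nl].split(b";")[0], 16)   # chunk-size, ignoring extensions
        if size == 0:
            return body.find(b"\r\n\r\n", nl) >= 0
        pos = nl + 2 + size + 2                       # skip chunk-data and its CRLF
        if pos > len(body):
            return False

def response_complete(raw: bytes) -> bool:
    """Decide whether the bytes received so far form a complete response."""
    status, headers, body_start = parse_head(raw)
    framing = body_framing(status, headers)
    body = raw[body_start:]
    if framing == "none":
        return True
    if framing == "content-length":
        return len(body) >= int(headers["content-length"])
    if framing == "chunked":
        return _chunked_complete(body)
    return False             # close-delimited: only the peer closing the socket ends it
```

A client that keys its framing on the Transfer-Encoding header before checking the status code will wait for a last-chunk that a 204 never sends; checking the status first is what makes the capture above complete.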
