Channel: HAProxy community - Latest topics

HAProxy+Keepalived can't create a FTP session with Virtual IP


@johnb wrote:

Hi all,

FTP doesn’t seem to work when I connect to the Virtual IP (VIP), but when I connect to the local IP of one of the two proxies it works fine.
I see it wants to connect, but when the FTP data port comes up (PASV) it stops.
SFTP works fine without a problem, so I think it’s something with the passive FTP ports that aren’t being routed correctly?

Log Filezilla:

Status: Resolving address of lb.example.com
Status: Connecting to 192.168.1.10:21…
Status: Connection established, waiting for welcome message…
Status: Server does not support non-ASCII characters.
Status: Logged in
Status: Retrieving directory listing…
Command: PWD
Response: 257 “/” is current directory.
Command: TYPE I
Response: 200 Type set to I.
Command: PASV
Error: Disconnected from server: ECONNABORTED - Connection aborted
Error: Failed to retrieve directory listing
Status: Disconnected from server
Status: Resolving address of lb.example.com
Status: Connecting to 192.168.1.10:21…
Status: Connection established, waiting for welcome message…
Status: Server does not support non-ASCII characters.
Status: Logged in
Status: Retrieving directory listing…
Command: PWD
Response: 257 “/” is current directory.
Command: TYPE I
Response: 200 Type set to I.
Command: PASV
Error: Disconnected from server: ECONNABORTED - Connection aborted
Error: Failed to retrieve directory listing

My setup:
I have two HAProxy servers with Keepalived on them with a VIP.
Behind the two HAProxy servers are two FTP Servers.

Can anyone help me with finding and if possible solving the problem?

Posts: 2

Participants: 2


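Added example (not from the original post) of the configuration that usually makes passive FTP work through an HAProxy/Keepalived pair: the proxy listens on the control port and on the whole passive data-port range, and sticks each client to one server so that the data connection reaches the server that owns the control session. It assumes the FTP servers are configured to announce the VIP in their PASV reply and to use the same fixed port range (vsftpd: pasv_address, pasv_min_port/pasv_max_port; proftpd: MasqueradeAddress, PassivePorts). The VIP 192.168.1.10 is taken from the Filezilla log; the port range 50000-50100 and the server addresses 192.168.1.21/22 are made up.

```haproxy
# Added example: passive FTP through an HAProxy/Keepalived pair.
# Assumptions: the FTP servers advertise the VIP 192.168.1.10 in their PASV
# replies and restrict passive data ports to 50000-50100. The backend
# addresses 192.168.1.21/22 are placeholders.
listen ftp
    mode tcp
    # Control channel and the complete passive data-port range must both be
    # proxied. The data connection arrives as a new TCP connection on the VIP.
    bind 192.168.1.10:21
    bind 192.168.1.10:50000-50100
    # A server entry without a port forwards to the same port the client hit,
    # so the advertised data port maps 1:1 onto the FTP server.
    server ftp1 192.168.1.21 check port 21
    server ftp2 192.168.1.22 check port 21
    balance roundrobin
    # The data connection must land on the server that owns the control
    # session: remember client address -> server for the session lifetime.
    stick-table type ip size 10k expire 1h
    stick on src
    timeout connect 5s
    timeout client 1h
    timeout server 1h
```

On the node that does not currently hold the VIP, binding 192.168.1.10 needs net.ipv4.ip_nonlocal_bind=1 (or bind on * instead). HAProxy never reads the PASV reply, so this also works for FTPS, but it cannot help when the server announces its own address or a random port outside the proxied range.
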

Haproxy Backend Server Health Check


@anish10dec wrote:

HAProxy sends requests to a backend server having a disk I/O error, in which the OS goes into read-only mode and none of the commands work because of a hardware storage controller failure.

Since the application, i.e. Nginx, is running on the backend server and the application port is reachable and the IP is accessible, HAProxy doesn’t consider it down and still sends requests to that faulty server.
The application is running, so even the httpchk for a sample check.txt file is successful, and thus requests to that backend server start failing, as the Nginx running on it is not able to process new requests.

Is there a way to prevent sending requests to a faulty server having a disk I/O error?

Posts: 4

Participants: 2


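Added example (not from the original post) of the usual answer to this: an agent check, which lets the server itself report a state that a port or HTTP check cannot see. The agent on port 9999 is assumed to be a tiny script behind xinetd or a systemd socket unit that tries to write a scratch file and prints `up` or `down`; the addresses, the port and the check path are made up.

```haproxy
# Added example: take a server out of rotation when its disk is unwritable.
# Assumption: an agent on port 9999 of each server writes a scratch file and
# answers "up" on success or "down" on failure (one line, then closes).
backend web
    mode http
    balance roundrobin
    # Keep the HTTP check: it still catches a dead Nginx.
    option httpchk GET /check.txt HTTP/1.0
    http-check expect status 200
    default-server inter 3s fall 2 rise 3
    # agent-check: HAProxy connects to agent-port every agent-inter, reads one
    # line and applies it. "down" marks the server DOWN even though Nginx still
    # serves check.txt from the page cache; "up" restores it, and a percentage
    # (e.g. "50%") scales its weight.
    server web1 10.0.0.11:80 check agent-check agent-port 9999 agent-inter 5s
    server web2 10.0.0.12:80 check agent-check agent-port 9999 agent-inter 5s
```

A static file is served from memory, so it keeps answering 200 on a read-only filesystem. If an agent is not an option, point option httpchk at an application endpoint that actually writes to disk (or its database) before answering.
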
How can you configure the nginx `client_max_body_size` equivalent in HAProxy


@patrickleet wrote:

I’m trying to upload some files that are too large, and I can’t figure out how to configure the request size limit.

Posts: 1

Participants: 1


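Added example, not part of the original post, of the two rules that together play the role of nginx's client_max_body_size; HAProxy has no single knob for it. The 10 MiB limit, the addresses and the backend name are made up, and deny_status needs HAProxy 1.8 or later (older versions drop it and answer 403).

```haproxy
# Added example: cap request body size. 10485760 = 10 MiB, illustrative.
frontend www
    bind *:80
    mode http
    # 1) Declared bodies: Content-Length is compared as an integer before a
    #    single byte of body is forwarded. Absent header -> condition false.
    http-request deny deny_status 413 if { req.hdr_val(content-length) gt 10485760 }
    # 2) Undeclared bodies (chunked uploads) cannot be measured up front, and
    #    HAProxy would stream them to the server without ever knowing the total.
    #    Require a length for methods that carry a body so rule 1 always applies.
    http-request deny deny_status 411 if { method POST PUT } !{ req.hdr(content-length) -m found }
    default_backend app

backend app
    mode http
    server app1 10.0.0.11:8080 check
```

req.body_size is not a substitute for the second rule: it only counts what fits in the request buffer (tune.bufsize, 16 kB by default), so it cannot enforce a limit in the megabyte range.
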
Redirection with https

Intermediate client CA


@linenoise wrote:

Question regarding the configuration of client certificate authentication.
Using “ca-file” I can specify a CA that issues approved client certificates,
but what if that is an intermediate CA? How do I configure the trusted root CA?
I don’t want to allow client certificates issued directly from the root CA…
E.g., I have an intermediate CA called “Client Sub CA” that is signed by “Root CA”.
If I only specify “Client Sub CA” in the ca-file, haproxy cannot build a complete chain since it
does not know about “Root CA”, but if I concatenate “Root CA” into the ca-file it also
accepts client certificates issued directly from “Root CA”.
Is it possible to only accept client certificates issued from “Client Sub CA”?
I.e., use a separate ca-bundle for complementary CA certs (like /etc/pki, which haproxy does not seem to use)?

Posts: 1

Participants: 1


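Added example (not from the original post) of how to get this without a second trust store: verification needs the root in ca-file, and a separate rule on the verified issuer name refuses leaves that the root signed directly. The certificate paths and the DN strings are assumptions.

```haproxy
# Added example: accept client certificates issued by "Client Sub CA" only.
# client-chain.pem holds "Client Sub CA" and "Root CA" so that verification
# can build the full chain; the issuer check then rejects leaves that
# "Root CA" signed directly. Paths and names are illustrative.
frontend mtls
    bind *:443 ssl crt /etc/haproxy/server.pem ca-file /etc/haproxy/client-chain.pem verify required
    mode http
    # ssl_c_i_dn(CN) is the CN of the issuer of the client certificate. With
    # verify required the chain has already been validated, so a client cannot
    # forge this value; a root-issued leaf shows CN=Root CA here.
    acl issued_by_subca ssl_c_i_dn(CN) -m str Client\ Sub\ CA
    http-request deny unless issued_by_subca
    default_backend app

backend app
    mode http
    server app1 10.0.0.11:8080 check
```

ssl_c_i_dn without an argument returns the whole issuer DN (`/C=.../O=.../CN=Client Sub CA`), which is the safer thing to match if several CAs in the bundle could share a CN. For a tcp-mode frontend the same test goes on a `tcp-request content reject unless ...` rule.
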
Real IP address visibility issue


@dtoshev wrote:

Hello all,
I am pretty much new to HAProxy, but I need to use it in order to have true-client-ip visibility. Our DDoS provider masks the real IP of the clients. All IPs that we see in our log are a couple of IPs that we know are from the subnet of the DDoS provider. For some audit purposes we need to see the real IP address of the client; that’s why we implemented HAProxy in front of our server.
The problem here is that I am able to see the real IP address only in the first packet, which is fine, but all other sessions that are logged in the server log (like executed commands etc.) are with the source IP address of the proxy server.
I need to have the real IP address recorded in all the logs, not only the first packet?

Could you please assist.
Let me know if additional info is needed!

Thank you in advance !

Posts: 2

Participants: 2


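Added example (not from the original post) of recovering the real address behind a DDoS provider. It assumes the provider passes the original address in a True-Client-IP header (the name is taken from the post's "true-client-ip"; use whatever header the provider documents) and that its egress subnets are listed one per line in /etc/haproxy/provider-ips.lst; addresses and backend name are made up.

```haproxy
# Added example: restore the client's address behind a DDoS/CDN provider.
# Assumptions: header True-Client-IP, provider subnets in provider-ips.lst.
frontend edge
    bind *:80
    mode http
    # Trust the header only when the TCP peer really is the provider. Anyone
    # who reaches the proxy directly could otherwise forge the header and put
    # an arbitrary address into the audit log.
    acl from_provider src -f /etc/haproxy/provider-ips.lst
    http-request set-src req.hdr(True-Client-IP) if from_provider
    http-request del-header True-Client-IP unless from_provider
    # From here on %[src], the HAProxy log and X-Forwarded-For all carry the
    # address taken from the header.
    option forwardfor
    option httplog
    default_backend app

backend app
    mode http
    # Optional transparent mode: open the server connection from the client's
    # address so the server's own logs show it for every request, not only the
    # first. Needs the IP_TRANSPARENT support listed by haproxy -vv, root or
    # CAP_NET_ADMIN, and a route that sends the server's replies back through
    # this proxy.
    source 0.0.0.0 usesrc clientip
    server srv1 10.0.0.11:80 check
```

http-request set-src needs HAProxy 1.6 or later. Leave the usesrc line out if the application only needs the address from X-Forwarded-For; with it, server traffic that does not return via the proxy is simply lost.
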
One port to catch HTTP and HTTPS requests and redirect to the HTTPS version


@schworak wrote:

I have configuration that works well when HTTPS is in the URL but of course, when it is HTTP, it fails. The problem is, I must specify the port number in the URL. I am using this as a way to test individual servers. So the website name must remain unchanged to work with the SSL cert but I can assign one port (and an associated frontend and backend) in the haproxy.cfg file to route to the correct server.

The problem happens when, for whatever reason, HTTPS is not specified but the magic port number is. Some apps do a redirect (code beyond my control) and because the server is only running on port 80 without SSL and haproxy is doing all the SSL work, the app doesn’t realize it needs to redirect to https://… so it just redirects to the http:// version and that is where things break.

My config entry…

frontend port_801
    bind *:801 ssl crt /etc/ssl/private/unified-cert-file.pem
    capture request header Host len 32
    capture request header User-Agent len 90
    default_backend server_1_through_801

backend server_1_through_801
    option forwardfor
    http-request add-header X-CLIENT-IP %[src]
    server server1 192.168.10.101:80 check

Now, the question is, how do I make this work so if I specify http://mysite.com:801 that haproxy will still respond but auto redirect to https://mysite.com:801 without throwing a fit?

Any help would be greatly appreciated.

Posts: 1

Participants: 1


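Added example (not from the original post) of the usual way to get both plain HTTP and TLS on one port: a tcp-mode frontend looks at the first bytes, hands a TLS ClientHello to a terminating frontend and everything else to a frontend that only redirects. It reuses the post's port 801, certificate path and backend; the UNIX socket paths are made up.

```haproxy
# Added example: one public port, plain HTTP redirected to https on that port.
frontend port_801_mux
    bind *:801
    mode tcp
    # Wait up to 5s for the first bytes. A TLS ClientHello (hello type 1) ends
    # the inspection and goes to the TLS side; a recognisable HTTP request
    # ends it too and goes to the redirect side.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    tcp-request content accept if HTTP
    use_backend to_tls if { req.ssl_hello_type 1 }
    default_backend to_plain

backend to_tls
    mode tcp
    # Hand the raw TLS stream to the local terminating frontend. PROXY protocol
    # carries the real client address across the socket hop.
    server tls unix@/var/run/haproxy-801-tls.sock send-proxy-v2

backend to_plain
    mode tcp
    server plain unix@/var/run/haproxy-801-plain.sock send-proxy-v2

frontend port_801_tls
    bind unix@/var/run/haproxy-801-tls.sock accept-proxy ssl crt /etc/ssl/private/unified-cert-file.pem
    mode http
    capture request header Host len 32
    capture request header User-Agent len 90
    default_backend server_1_through_801

frontend port_801_plain
    bind unix@/var/run/haproxy-801-plain.sock accept-proxy
    mode http
    # The Host header still reads "mysite.com:801", so the redirect target
    # keeps the port: http://mysite.com:801/x -> https://mysite.com:801/x
    http-request redirect scheme https code 301

backend server_1_through_801
    mode http
    option forwardfor
    http-request add-header X-CLIENT-IP %[src]
    server server1 192.168.10.101:80 check
```

Without send-proxy-v2/accept-proxy the terminating frontend would see the UNIX socket as its peer and X-CLIENT-IP would be wrong for every request.
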
Strange question about hdr_dom(host) function


@yanggis wrote:

Dear all:
I’m using the function hdr_dom(host) to filter some links.
The initial ACL rule is as follows:
acl is_newsohu path_beg /vrs_flash hdr_dom(host) -i hot.vrs.sohu.com
use_backend proxy-sohuPhone if is_newsohu
It is not working correctly for the link (see next reply), which should pass the rule but is instead blocked by the rule.

Then I updated the acl rule to this:
acl is_newsohu path_beg /vrs_flash hdr_dom(host) -i hot.vrs.sohu.com:80
use_backend proxy-sohuPhone if is_newsohu

It is still not working either.

Can you guys help me check how to fix this issue?

Posts: 2

Participants: 1



Why 'set ssl tls-key' is unknown command?


@tasavi wrote:

Hi.
I used ‘set ssl tls-key’ with the unix socket command in version 1.6.x.
However, in version 1.7.x, ‘set ssl tls-key’ fails with “Unknown command”.
I have just changed the version, and I’m wondering why the command does not run in 1.7.x, as it is the command specified in the guide.


[root@SI3012-146 ~]# haproxy -vv
HA-Proxy version 1.7.9 2017/08/18
Copyright 2000-2017 Willy Tarreau willy@haproxy.org

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv
OPTIONS = USE_OPENSSL=1 USE_PCRE=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built without compression support (neither USE_ZLIB nor USE_SLZ are set)
Compression algorithms supported : identity(“identity”)
Built with OpenSSL version : OpenSSL 1.0.2k 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 7.8 2008-09-05
Running on PCRE version : 7.8 2008-09-05
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built without Lua support
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[SPOE] spoe
[TRACE] trace
[COMP] compression


[root@SI3012-146 ~]# echo "show tls-keys *" | /usr/bin/socat stdio /var/run/haproxy.stat1

id secret

0 (/etc/haproxy/ssl/tls-ticket.key)

0.0 Wvd6NYlEbXZQc2y26RoipMaXDemegdx7lkE3cWqDHVfxGMPEEMrnhSYkZ5qEL72e
0.1 U2zwaYtNmjmhID7uDOVS+Uvu/2nQcAoyAndHfTNDqT2Yw3QWiajLkIf7dlrdB1Il
0.2 9dGgFVZnSGV2rKQRtAj8lgw4EPlBjF1rnknsOiDlbXUeu0b2HoEqWl5qPqmVWM7N


[root@SI3012-146 ~]# echo "set ssl tls-key /etc/haproxy/ssl/tls-ticket.key Md204uGmRboB2gtcHPEa/2GxYnvayIBNY7Vr/YRFX9OgfyzFabQp6PccYhlJ8vzs" | /usr/bin/socat stdio /var/run/haproxy.stat1

Unknown command. Please enter one of the following commands only :
help : this message
prompt : toggle interactive mode with prompt
quit : disconnect
show tls-keys [id|*]: show tls keys references or dump tls ticket keys when id specified
set maxconn global : change the per-process maxconn setting
set rate-limit : change a rate limiting value
set timeout : change a timeout setting
show env [var] : dump environment variables known to the process
show stat resolvers [id]: dumps counters from all resolvers section and
associated name servers
add acl : add acl entry
clear acl : clear the content of this acl
del acl : delete acl entry
get acl : report the patterns matching a sample for an ACL
show acl [id] : report available acls or dump an acl’s contents
add map : add map entry
clear map : clear the content of this map
del map : delete map entry
get map : report the keys and values matching a sample for a map
set map : modify map entry
show map [id] : report available maps or dump a map’s contents
show pools : report information about the memory pools usage
show sess [id] : report the list of current sessions or dump this session
shutdown session : kill a specific session
shutdown sessions server : kill sessions on a server
clear counters : clear max statistics counters (add ‘all’ for all counters)
show info : report information about the running process
show stat : report counters for each proxy and server
show errors : report last request and response errors for each proxy
clear table : remove an entry from a table
set table [id] : update or create a table entry’s data
show table [id]: report table usage stats or dump this table’s contents
disable frontend : temporarily disable specific frontend
enable frontend : re-enable specific frontend
set maxconn frontend : change a frontend’s maxconn setting
show servers state [id]: dump volatile server information (for backend )
show backend : list backends in the current running config
shutdown frontend : stop a specific frontend
disable agent : disable agent checks (use ‘set server’ instead)
disable health : disable health checks (use ‘set server’ instead)
disable server : disable a server for maintenance (use ‘set server’ instead)
enable agent : enable agent checks (use ‘set server’ instead)
enable health : enable health checks (use ‘set server’ instead)
enable server : enable a disabled server (use ‘set server’ instead)
set maxconn server : change a server’s maxconn setting
set server : change a server’s state, weight or address
get weight : report a server’s current weight
set weight : change a server’s weight (deprecated)

=> ‘set ssl tls-key’ is not listed :frowning:

please help me

Posts: 2

Participants: 2


H2 with local proxy and then to the real backends?


@NoLifeKing wrote:

Hi!

We’re using HAProxy with SSL termination, and we’d love to go to HTTP/2, but since that’s not possible yet in a frontend…

I had a crazy idea, that I wanted to ask here if it works before I even try something.

If I put up a frontend that is mode tcp (for the sake of SSL forwarding and H2/ALPN) that connects to a loopback backend that does SSL termination, which in turn sends the request to the actual backend servers.

Would this be a possible (yet discouraged) scenario to implement HTTP/2 within HAProxy?

Posts: 4

Participants: 2


Haproxy process are spawn twice in V1.5.18


@Sandeep.rai2k17 wrote:

While starting haproxy with the command #systemctl restart/start haproxy in CentOS, haproxy-systemd-wrapper spawns haproxy twice. Why is that? Is it for multiprocessor programming?

Posts: 1

Participants: 1


Redirect with original url as encoded parameter


@PaulE wrote:

I have the following configuration setup which works fine:

frontend http-in
    bind *:80
    mode http
    option  http-server-close
    option  forwardfor
    option  httplog

    acl redirect_domain hdr(Host) -i example1.com
    acl redirect_domain hdr(Host) -i example2.com
    acl redirect_domain hdr(Host) -i example3.com
    http-request redirect location https://my-new-domain.com/ code 302 if redirect_domain

    default_backend web_default

This redirects my example[1-3].com to my-new-domain.com with a 302 redirect (Yes, I want the 302).
Now what I want to achieve is passing the original url to the “my-new-domain.com”, but the problem is that the URL won’t be encoded:

http-request redirect location https://my-new-domain.com/?referer=%[hdr(host)]%[url] code 302 if redirect_domain

This results in the URL being built like:

https://my-new-domain.com/?referer=example1.com/requested-path/?param1&param2=248

While it should look like:

https://my-new-domain.com/?referer=example1.com%2Frequested-path%2F%3Fparam1%26param2%3D248

Is there any way how I can get HAProxy to apply url encoding to my referer param?

Posts: 1

Participants: 1


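Added example (not from the original post) of the redirect with the original host and URL percent-encoded into the query string. It relies on the url_enc converter, which recent 2.x releases provide and the version current at the time of the post did not; the three hosts and the target come from the post.

```haproxy
# Added example: redirect with the original request percent-encoded into
# ?referer=. Needs a version that has the url_enc converter (2.x).
frontend http-in
    bind *:80
    mode http
    option http-server-close
    option forwardfor
    option httplog

    acl redirect_domain hdr(Host) -i example1.com example2.com example3.com
    # url_enc escapes everything that is not unreserved, so "/", "?", "&" and
    # "=" from the old request cannot inject extra parameters into the new
    # query string: example1.com/p/?a&b=1 -> example1.com%2Fp%2F%3Fa%26b%3D1
    http-request redirect location https://my-new-domain.com/?referer=%[hdr(host),url_enc]%[url,url_enc] code 302 if redirect_domain

    default_backend web_default

backend web_default
    mode http
    server web1 10.0.0.11:80 check
```

The destination host is fixed in the rule, so user input only ever lands in the parameter value; the receiving site still has to url-decode and validate `referer` before using it.
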
Route to the same instance for the same client


@ngocketit wrote:

Hi,

I’m planning to use HAProxy for TCP (not HTTP/HTTPS) traffic load balancing. Does HAProxy support routing to the same instance for the same client? For example, if client A is routed to instance B for the first time and disconnects. Next time, it tries to connect again, how to ensure that A is routed to B?

Posts: 1

Participants: 1


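Added example (not from the original post) of source-address stickiness for a tcp-mode service, with the table replicated to a second HAProxy so a failover keeps the mapping. Addresses, ports and the peer names are made up.

```haproxy
# Added example: pin each client address to the same backend for TCP traffic.
# Peer names must equal the hostnames of the two HAProxy nodes (or the name
# given with -L); addresses here are placeholders.
peers lb_pair
    peer lb1 192.168.1.11:1024
    peer lb2 192.168.1.12:1024

listen tcp_service
    bind *:5000
    mode tcp
    balance roundrobin
    # client IP -> server, kept for 30 minutes of inactivity and refreshed by
    # every new connection, so a client that disconnects and comes back lands
    # on the server it used before. Shared with the other node via peers.
    stick-table type ip size 200k expire 30m peers lb_pair
    stick on src
    server instanceA 10.0.0.21:5000 check
    server instanceB 10.0.0.22:5000 check
    timeout connect 5s
    timeout client 1h
    timeout server 1h
```

Clients behind one NAT share an entry and therefore a server; if the protocol carries a client identifier you can stick on that instead of src, but for opaque TCP the address is all HAProxy can see. The mapping is lost when the chosen server goes down; the next connection is rebalanced and the entry overwritten.
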
Ssl redirection issue


@gsalvin wrote:

Hello ,
I’m a newbie in haproxy.
I’m trying to redirect some https (port 443) traffic to another port number (7443) between the haproxy and the web server.
I expect the user to communicate on port 443 between his browser and the HA; then the HA uses port 7443 between itself and the web server. But what happens is that the URL in the user’s browser is transformed to :7443.

here is the haproxy.conf section

###---------------------------------------------------------------------
# SSL passthrough
###---------------------------------------------------------------------

frontend proxy443_in
    bind *:443
    mode tcp
    option tcplog
    no option checkcache
    no option httpclose
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    tcp-request content reject
    use_backend sx-ocd.si.fr if { req_ssl_sni -i sx-ocd.si.fr }
    use_backend sx-tst.si.fr if { req_ssl_sni -i sx-tst.si.fr }
    default_backend proxy443_out
    description Frontal TCP Reverse Proxy/Balancer port 443

backend sx-ocd.si.fr
    mode tcp
    server windhoek 172.16.211.9:443 maxconn 256 check
    description SX Production

backend sx-tst.si.fr
    mode tcp
    server windhoek 172.16.211.9:7443 maxconn 256 check
    description SX Base tst
#EOF

Posts: 1

Participants: 1


Single IP to separate internal servers SSL


@dureal99d wrote:

OK, so I have HAProxy on pfSense.

I have 2 servers that have their own certs (domain names), and when I open the firewall for those servers individually they are all OK.

However, as you know, ports 443 and 80 cannot be shared, and as a result HAProxy was suggested to me.

I have read that you can share a single IP address and have HAProxy refer to the proper server using the frontend/backend scheme, but documentation is lacking on the subject matter, or at least I have not found any tutorials on how to achieve this.

Any help would be excellent

Posts: 2

Participants: 2


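Added example that serves both the “Ssl redirection issue” topic and the “Single IP to separate internal servers SSL” topic above (it comes from neither post): terminate TLS for several hostnames on one IP, pick the certificate by SNI, route on Host, and correct the redirect that exposes the test instance's port 7443. The SNI passthrough configuration in the first of those posts cannot do the last part, because in tcp mode HAProxy never sees the HTTP response. The certificate directory, the internal CA file and the port-80 redirect are assumptions; the server address and ports come from the post.

```haproxy
# Added example: several HTTPS sites on one IP, terminated at HAProxy.
# Assumptions: /etc/haproxy/certs/ holds one PEM (key + chain) per site,
# /etc/haproxy/internal-ca.pem signs the backend's certificate.
frontend http_in
    bind *:80
    mode http
    # Port 80 only sends browsers to HTTPS; both sites share it.
    http-request redirect scheme https code 301

frontend https_in
    bind *:443 ssl crt /etc/haproxy/certs/
    mode http
    # "crt <directory>" loads every PEM in it; HAProxy picks the certificate
    # matching the SNI the browser sends, so two names share one IP and port.
    acl host_ocd hdr(host) -i sx-ocd.si.fr
    acl host_tst hdr(host) -i sx-tst.si.fr
    http-request deny unless host_ocd or host_tst
    use_backend sx_ocd if host_ocd
    use_backend sx_tst if host_tst

backend sx_ocd
    mode http
    http-request set-header X-Forwarded-Proto https
    # Re-encrypt towards the server and verify its certificate.
    server windhoek 172.16.211.9:443 ssl verify required ca-file /etc/haproxy/internal-ca.pem check

backend sx_tst
    mode http
    http-request set-header X-Forwarded-Proto https
    # The test instance listens on 7443 and writes that port into its
    # redirects. Strip it so the browser stays on https://sx-tst.si.fr/ (443).
    http-response replace-header Location ^(https?://[^/:]+):7443(.*)$ \1\2
    server windhoek 172.16.211.9:7443 ssl verify required ca-file /etc/haproxy/internal-ca.pem check
```

The Location rewrite is a workaround; the clean fix is to tell the application its public port (most servers honour X-Forwarded-Proto plus a configured canonical URL). If the sites must stay passthrough, keep the tcp-mode config and fix the redirect on the web server itself. In the pfSense package the same objects exist as frontend and backend entries in the GUI.
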

'server www' : could not resolve address 'www'


@algar wrote:

Hi all,

I was trying to find something similar, but this question does not seem to have been answered before; sorry if I didn’t find it.

I am deploying with docker machine a haproxy configuration that includes letsencrypt for two subdomains. I got these errors:

haproxy |<7>haproxy-systemd-wrapper: executing /usr/local/sbin/haproxy -p /run/haproxy.pid -f /usr/local/etc/haproxy/haproxy.cfg -Ds
haproxy | [ALERT] 302/150350 (26) : parsing [/usr/local/etc/haproxy/haproxy.cfg:31] : ‘server www’ : could not resolve address ‘www’.
haproxy | [ALERT] 302/150350 (26) : Failed to initialize server(s) addr.
haproxy | <5>haproxy-systemd-wrapper: exit, haproxy RC=1
haproxy | <7>haproxy-systemd-wrapper: executing /usr/local/sbin/haproxy -p /run/haproxy.pid -f /usr/local/etc/haproxy/haproxy.cfg -Ds
haproxy | [ALERT] 302/150352 (29) : parsing [/usr/local/etc/haproxy/haproxy.cfg:31] : ‘server www’ : could not resolve address ‘www’.
haproxy | [ALERT] 302/150352 (29) : Failed to initialize server(s) addr.
haproxy | <5>haproxy-systemd-wrapper: exit, haproxy RC=1
haproxy | <7>haproxy-systemd-wrapper: executing /usr/local/sbin/haproxy -p /run/haproxy.pid -f /usr/local/etc/haproxy/haproxy.cfg -Ds
haproxy | [ALERT] 302/150355 (32) : parsing [/usr/local/etc/haproxy/haproxy.cfg:31] : ‘server www’ : could not resolve address ‘www’.
haproxy | [ALERT] 302/150355 (32) : Failed to initialize server(s) addr.
haproxy | <5>haproxy-systemd-wrapper: exit, haproxy RC=1

This is the configuration (Sorry for the formatting):

global
    maxconn 256
    lua-load /usr/local/etc/haproxy/acme-http01-webroot.lua
    chroot /jail
    ssl-default-bind-ciphers AES256+EECDH:AES256+EDH:!aNULL
    tune.ssl.default-dh-param 4096

defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
    option forwardfor
    option http-server-close
    stats enable
    stats uri /stats
    stats realm Haproxy\ Statistics
    stats auth XXX:XXX

frontend ft_ssl_vip
    bind *:443 ssl crt /usr/local/etc/haproxy/certs/ no-sslv3 no-tls-tickets no-tlsv10 no-tlsv11

    rspadd Strict-Transport-Security:\ max-age=15768000

    # Database redirect from subdomain [alexandrie]
    acl db_match_acl      hdr_end(host) -i subdomainA.domain.com
    use_backend db_server if db_match_acl

    # Testing server redirect from subdomain [meduse]
    acl apptest_match_acl      hdr_end(host) -i subdomainB.domain.com
    use_backend apptest_server if apptest_match_acl

backend db_server
    server db_server XXX.XXX.XXX.XXX:80 check
    http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend apptest_server
    server apptest_server XXX.XXX.XXX.XXX:80 check
    http-request add-header X-Forwarded-Proto https if { ssl_fc }

What I am missing?
Thanks in advance for your support!
HAProxy is great!!!

Posts: 1

Participants: 1


HAProxy config for Radicale (= CalDAV server)


@c.monty wrote:

Hi!
I’m running HAProxy in an LXC with Debian 8. This is working without issues.
Now I want to enhance the functionality to work with Radicale, a CalDAV server in an LXC (with Alpine Linux).
Radicale shares information on configuring a reverse proxy with Nginx.

Can you give advice on translating this into a working HAProxy configuration?

THX

Posts: 1

Participants: 1


H2 frontend, http1.1 backend and crippled content


@hamann wrote:

Hey,

today I tried haproxy 1.8-rc1 with h2 and an http/1.1 backend (varnish 4.x). After first tests with various browsers, which complained about content encoding with js/css files and half-loaded images, I realized that with h2 the content is crippled.

curl --http1.1 -s -H "Accept-encoding: gzip" https://assets-staging.dieblaue24.com/js/app-a2efa168d5e20b3ddec0dfdd7bdf7754.js | gunzip - && echo ok || echo error
ok

curl --http2 -s -H "Accept-encoding: gzip" https://assets-staging.dieblaue24.com/js/app-a2efa168d5e20b3ddec0dfdd7bdf7754.js | gunzip - && echo ok || echo error
...
gzip: stdin: unexpected end of file
error

Posts: 3

Participants: 2


A server went down, but HAProxy kept it in UP state


@witoldg wrote:

A server went down, but HAProxy 1.6.3 kept it in UP state even though a check was set and LastChk was L6OK.
The only abnormal thing was that the check duration was still 0 for hours.
When I reloaded the haproxy service it started to fluctuate from 0 to 30 ms.
Has anybody seen such behaviour before?

Posts: 1

Participants: 1


[SOLVED] Reverse proxy : Multiple domain with same path


@tuxdotnet wrote:

hi all,

I have a change to make to my reverse proxy ACLs to forward to multiple domains with multiple paths.

I tried this conf (repeated X times with different fqdn/path in my conf …)

acl Coll hdr_dom(host) -m dom reverseproxy.domain.com path_reg ^\/col\/[a-z]+\/RFP[/]?
acl Mon hdr_dom(host) -m dom reverseproxy.domain.com path_reg ^\/sup/[a-z]+\/RFP[/]?
use_backend MColl if Coll
use_backend MMon if Mon

Case 1: the first fqdn/path is called and goes to the backend MColl
Case 2: the second fqdn/path is called and goes to the backend MColl

Each backend points to a different host

Thanks

Posts: 3

Participants: 1


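Added example (from neither post) for the two ACL questions on this page, “Strange question about hdr_dom(host) function” and “Reverse proxy : Multiple domain with same path”. An acl line takes exactly one fetch method; everything after its flags is a pattern. In `acl is_newsohu path_beg /vrs_flash hdr_dom(host) -i hot.vrs.sohu.com` the tokens hdr_dom(host) and hot.vrs.sohu.com therefore become extra path prefixes and the host is never tested, and in the second post both ACLs are true for every request on reverseproxy.domain.com, so the first use_backend always wins. Name one ACL per test and list both on the use_backend line, which ANDs them. The backend addresses are made up.

```haproxy
# Added example: host AND path routing with one fetch per acl line.
frontend www
    bind *:80
    mode http

    # hdr_dom splits the Host value on ".", ":", "/" and "?", so this matches
    # "hot.vrs.sohu.com" and "hot.vrs.sohu.com:80" alike; no ":80" pattern needed.
    acl host_sohu hdr_dom(host) -i hot.vrs.sohu.com
    acl path_vrs  path_beg -i /vrs_flash
    # Two names on one condition = both must be true.
    use_backend proxy-sohuPhone if host_sohu path_vrs

    acl host_rp  hdr_dom(host) -i reverseproxy.domain.com
    acl path_col path_reg -i ^/col/[a-z]+/RFP/?
    acl path_sup path_reg -i ^/sup/[a-z]+/RFP/?
    use_backend MColl if host_rp path_col
    use_backend MMon  if host_rp path_sup

    default_backend default_web

backend proxy-sohuPhone
    mode http
    server s1 10.0.0.31:80 check

backend MColl
    mode http
    server s2 10.0.0.32:80 check

backend MMon
    mode http
    server s3 10.0.0.33:80 check

backend default_web
    mode http
    server s4 10.0.0.34:80 check
```

The path regexes are the original ones without the needless escapes; they have no `$`, so they still match anything that starts with /col/x/RFP. Add `$` (or `(/|$)`) if only the exact directory should route.
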