Channel: HAProxy community - Latest topics

Renewed SSL Certificate


@Dynamitochondria wrote:

I’ve inherited a Linux (RHEL) server running HAProxy, and the SSL cert for the sites it provides SSL termination for has expired. I’ve been issued a new cert and have it in a PEM file along with the certifying chain.

After digging around the innarwebz, I determined I needed to update haproxy.cfg to bind port 443 to the new cert. Running find produced 6 hits in directories that are pretty obviously date-time references. Looking in their containing directory, there’s a ‘current’ symbolic link to the most recent of the directories. That seemed pretty obvious, so I copied the PEM file to that directory and edited the port 443 line to:

bind :443 ssl crt /opt/ags/services/agsinternaltools/tools/AGSJenkinsMasterLB/2015_05_06_21.26.37/config/new-credential.pem

…and rebooted the server.

But when I hit the site in a browser, it still reports the cert is outdated.

My first guess is that I’m not modifying the right instance of haproxy.cfg.

How do I tell which config file HAProxy is reading?

Is there another step or steps to take that I’m missing?

Posts: 2

Participants: 2



Looking for DDoS protection, found HAProxy


@embcen wrote:

I am going to purchase a VPS and install a Ruby on Rails application with Puma as web server on Ubuntu 16.04.
My hosting provider does not offer DDoS protection, so I started to look for open source, free to use solutions, and found a useful documentation which also contains HAProxy.
I started to read the HAProxy documentation and realized that it is a complex piece of software which functions primarily as a load balancer. This might come in handy; however, before proceeding, I would like to be sure that it suits me.
As I said, I was primarily focused on finding DDoS protection.
Also, I would need it on a single, stand-alone server, serving the same machine on which it is installed. I found many tutorials, at DigitalOcean and elsewhere (at server-world for instance): all of them seem to assume that the machine where HAProxy is installed should only function as a frontend for other backend servers. I wonder if HAProxy can be useful if frontend and backend are represented by a single server/machine.
Considering my needs, I would appreciate it if you could suggest a useful place to start learning configuration and management, log administration etc.
I wonder, for instance, if the deb packages come with a logrotate file, if the recommended socat, halog, tcpdump and strace packages are installed with HAProxy or should be installed separately, what configuration is suitable for a single VPS, if HAProxy works in conjunction with iptables or other firewalls, how I can make HAProxy listen on both ports 80 and 443, and if it is possible to use sendmail/mailx to send email alerts…

Posts: 1

Participants: 1


How to enable HAProxy Stats Log


@vijaya wrote:

We have configured HAProxy for load balancing WebSockets. We are facing an issue saying the websocket backend server is not available in the haproxy log, but the WebSocket server is up and running. To further debug this problem, we need to enable the stats log. Can anyone point us to the link on how to configure stats, or how to further debug this problem?

Posts: 1

Participants: 1


H2 + option httpclose => Error in the HTTP2 framing layer


@Nurza wrote:

I don’t know if it’s a bug, or a deprecation in h2:

TL;DR: When I set up an h2 frontend with an HTTP 1.1 backend (with option httpclose; it works without it), half the time the request is corrupted:

user@ubuntu$ curl --http2 -i -k -v https://haproxy
* Rebuilt URL to: https://haproxy/
*   Trying 172.17.0.2...
* TCP_NODELAY set
* Connected to haproxy (172.17.0.2) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd; CN=haproxy
*  start date: Nov  2 08:50:11 2017 GMT
*  expire date: Nov  2 08:50:11 2018 GMT
*  issuer: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd; CN=haproxy
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x563cb9439da0)
> GET / HTTP/1.1
> Host: haproxy
> User-Agent: curl/7.52.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
HTTP/2 200
< date: Tue, 07 Nov 2017 09:22:23 GMT
date: Tue, 07 Nov 2017 09:22:23 GMT
< server: Apache/2.4.18 (Ubuntu)
server: Apache/2.4.18 (Ubuntu)
< last-modified: Thu, 02 Nov 2017 08:54:37 GMT
last-modified: Thu, 02 Nov 2017 08:54:37 GMT
< etag: "2c39-55cfc234acb0a"
etag: "2c39-55cfc234acb0a"
< accept-language: bytes
accept-language: bytes
< content-length: 11321
content-length: 11321
< vary: Accept-Encoding
vary: Accept-Encoding
< content-type: text/html
content-type: text/html

<

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
...
...
...
</html>

* Curl_http_done: called premature == 1
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (16) Error in the HTTP2 framing layer

How to reproduce:

Set HAProxy h2 frontend with a http 1.1 backend. Full config:

global
        log 127.0.0.1 len 10240   local0
        chroot /var/lib/haproxy
        stats socket /tmp/haproxy mode 666 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon
        tune.ssl.default-dh-param 2048
defaults
        log     global
        mode    tcp
        option  dontlognull
        option  redispatch
        retries 3
        maxconn 5000
        timeout connect 300s
        timeout client  300s
        timeout server  300s
        timeout queue   300s
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http option redispatch
        errorfile 503 /etc/haproxy/errors/503.http option redispatch
        errorfile 504 /etc/haproxy/errors/504.http option redispatch

frontend f_myapp
    mode        http
    capture request header Host len 200
    capture request header User-Agent len 500
    bind 0.0.0.0:443 ssl crt /server.pem ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS no-sslv3 alpn h2,http/1.1
    default_backend https

backend https
    mode                http
    option              httpclose
    server              worker1 127.0.0.1:80 check inter 2s rise 5 fall 5

The backend is an Apache2 server (2.4.18-2ubuntu3.5)
haproxy -vv:

HA-Proxy version 1.8-rc2-2d34cd-18 2017/11/06
Copyright 2000-2017 Willy Tarreau <willy@haproxy.org>

Build options :
  TARGET  = custom
  CPU     = native
  CC      = gcc
  CFLAGS  = -O2 -march=native -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_POLL=default USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 40960, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.1.0d  26 Jan 2017
Running on OpenSSL version : OpenSSL 1.1.0f  25 May 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with network namespace support.
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Encrypted password support via crypt(3): yes
Built with PCRE version : 8.38 2015-11-23
Running on PCRE version : 8.38 2015-11-23
PCRE library supports JIT : no (USE_PCRE_JIT not set)

Available polling systems :
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 2 (2 usable), will use poll.

Available filters :
	[SPOE] spoe
	[COMP] compression
	[TRACE] trace

curl --version:

curl 7.52.1 (x86_64-pc-linux-gnu) libcurl/7.52.1 OpenSSL/1.0.2l zlib/1.2.8 libidn2/0.16 libpsl/0.17.0 (+libidn2/0.16) libssh2/1.7.0 nghttp2/1.18.1 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL

I don’t use this option, but it was on an old staging config with a NodeJS backend and the same bug occurred.

Posts: 4

Participants: 3


HTTPS frontend --> RDP backend


@ghibaudo2017 wrote:

I tried to configure an HTTPS frontend to an internal RDP backend.
On the log I receive the following error:
SSL handshake failure

Is it possible in HAProxy to connect to an internal RDP server through an HTTPS connection?

Posts: 1

Participants: 1


H2 + Cookie header => split header


@Nurza wrote:

Hello there! It seems that HAProxy splits Cookie headers.

Example:

Input headers:
cookie: cookie_a=content_a ; cookie_b=content_b

Output headers:
cookie: cookie_a=content_a
cookie: cookie_b=content_b

Am I right?

I saw that with tcpdump + wireshark, but I am not 100% sure that HAProxy received only one cookie header because I don’t know how to read https content with wireshark (not yet).

If HAProxy splits the cookie header, it would be great if it was optional, because some applications don’t understand multiple cookie headers.

EDIT:

My backend is a HTTP 1.1 backend and I saw this : https://http2.github.io/http2-spec/#CompressCookie
I quote : "If there are multiple Cookie header fields after decompression, these MUST be concatenated into a single octet string using the two-octet delimiter of 0x3B, 0x20 (the ASCII string "; ") before being passed into a non-HTTP/2 context, such as an HTTP/1.1 connection, or a generic HTTP server application. "

EDIT2:

Maybe it’s not HAProxy, but my browser that is splitting cookie headers (chromium & firefox).

Posts: 3

Participants: 3

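The concatenation rule quoted in the edit above, as an added example that is not from the original thread or from HAProxy's own code: a translation of decompressed HTTP/2 header fields into an HTTP/1.1 request head that joins every cookie field with "; " as RFC 7540 section 8.1.2.5 requires, plus the reverse split a sender may perform. The header list in the block is a constructed sample; function names are my own.

```python
"""HTTP/2 <-> HTTP/1.1 header translation with the RFC 7540 cookie rule."""
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# Hop-by-hop fields that HTTP/2 forbids; a gateway must reject rather than forward them.
CONNECTION_SPECIFIC = {"connection", "keep-alive", "proxy-connection",
                       "transfer-encoding", "upgrade"}


def split_cookie_for_h2(cookie_value: str) -> List[str]:
    """Direction HTTP/1.1 -> HTTP/2: a sender MAY crumble one Cookie header into
    separate 'cookie' fields (one cookie-pair each) so HPACK can index them individually."""
    return [crumb.strip() for crumb in cookie_value.split(";") if crumb.strip()]


def h2_to_h1_request(headers: List[Header]) -> bytes:
    """Direction HTTP/2 -> HTTP/1.1: rebuild the request head. Every 'cookie' field is
    collected and joined with '; ' (0x3B 0x20) into ONE Cookie header, which is what
    RFC 7540 s8.1.2.5 requires before the request reaches an HTTP/1.1 backend."""
    pseudo: Dict[str, str] = {}
    regular: List[Header] = []
    crumbs: List[str] = []
    for name, value in headers:
        if name != name.lower():
            raise ValueError(f"HTTP/2 field names must be lowercase: {name!r}")
        if name.startswith(":"):
            if regular or crumbs:
                raise ValueError("pseudo-header fields must precede regular fields")
            pseudo[name] = value
        elif name in CONNECTION_SPECIFIC or (name == "te" and value != "trailers"):
            raise ValueError(f"connection-specific field not allowed in HTTP/2: {name}")
        elif name == "cookie":
            # Leading/trailing whitespace is not part of an HTTP/2 field value.
            crumbs.append(value.strip())
        else:
            regular.append((name, value))
    for required in (":method", ":scheme", ":path"):
        if required not in pseudo:
            raise ValueError(f"missing required pseudo-header {required}")
    lines = [f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1"]
    # :authority becomes Host unless the request already carried an explicit host field.
    if ":authority" in pseudo and not any(n == "host" for n, _ in regular):
        lines.append(f"Host: {pseudo[':authority']}")
    lines.extend(f"{n}: {v}" for n, v in regular)
    if crumbs:
        lines.append("Cookie: " + "; ".join(crumbs))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


if __name__ == "__main__":
    # Constructed sample: what a browser sends after crumbling its cookie jar for HPACK.
    h2_headers = [(":method", "GET"), (":scheme", "https"), (":path", "/"),
                  (":authority", "haproxy"), ("user-agent", "curl/7.52.1"),
                  ("cookie", "cookie_a=content_a"), ("cookie", "cookie_b=content_b")]
    print(h2_to_h1_request(h2_headers).decode())
```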

HAPROXY solution with same device


@badhonsoam wrote:

Dear all,
I am configuring HAProxy, Keepalived and MySQL server on the same physical machine, but my load balancing is not working. Requests are getting to the mysql 1 server only. I am using the Keepalived IP for requesting.

Posts: 3

Participants: 2


Mixing TLS termination and SNI passthrough in one haproxy configuration


@ask wrote:

Hi,

I am trying to have one listener both do “TLS passthrough” with SNI (when requesting https://other.example.org/) and terminate TLS for everything else.

The TLS passthrough for other.example.org is working.

Also, when I connect with curl to the unix socket on /var/run/haproxy.sock I get the expected certificate from /etc/haproxy/certs/acme.

However, when I connect to port 443 with another SNI servername I get a TLS handshake error (openssl s_client says 140735681221512:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:.

Ask

global
    log /var/run/log local0 debug
    uid 65534
    gid 65534
    stats socket /var/run/haproxy.stat mode 600 level admin
    maxconn 400
    ulimit-n 81000
    daemon

    ssl-default-bind-options no-sslv3 no-tls-tickets
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    tune.ssl.default-dh-param 1024


defaults
    log global
    option tcplog
    option http-server-close
    #option httpclose
    option redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 20s
    timeout check           10s
    maxconn                 5000

frontend admin
    bind  *:5000
    mode                http
    option              httplog
    default_backend     stats_auth
    monitor-uri         /ping

backend stats_auth
    mode http
    stats enable
    stats auth  admin:verysecret
    stats admin if TRUE
    stats uri     /admin?stats
    stats refresh 30s

frontend tls
  bind *:443
  mode tcp
  tcp-request inspect-delay 5s
  tcp-request content accept if { req_ssl_hello_type 1 }

  use_backend other-tls if { req_ssl_sni -i other.example.org }
  default_backend https-back

backend https-back
    mode tcp
    server https-front unix@/var/run/haproxy.sock send-proxy-v2

frontend https-front
    bind   unix@/var/run/haproxy.sock ssl crt /etc/haproxy/certs/acme/ accept-proxy
    mode   http
    #option httplog
    option forwardfor
    reqdel X-Forwarded-Proto
    reqadd X-Forwarded-Proto:\ https if { ssl_fc }

    default_backend local

frontend http
    bind *:80
    mode   http
    option httplog
    option forwardfor

    reqdel X-Forwarded-Proto
    reqadd X-Forwarded-Proto:\ https if { ssl_fc }

    acl letsencrypt-request path_beg -i /.well-known/acme-challenge/
    redirect scheme https if !{ ssl_fc } !letsencrypt-request

    use_backend other if { hdr(host) -i other.example.org }

    use_backend acmetool if letsencrypt-request
    default_backend local


backend local
    mode   http
    server local 127.0.0.1:8000

backend other
    mode   http
    server other 10.0.0.51:80

backend other-tls
    mode tcp
    server other 10.0.0.51:443

backend acmetool
    mode   http
    server acmetool 127.0.0.1:402

Posts: 1

Participants: 1



Will haproxy reload lost stats?


@kotarusv wrote:

Hi

Does an HAProxy reload reset the stats info? In our infra, we reload HAProxy continuously due to the cloud nature of our apps onboarding. I am seeing the uptime on the haproxy stats reset to seconds, and the total sessions count doesn’t represent the sum of all sessions?

Srinivas Kotaru

Posts: 4

Participants: 2


Random 502 Bad Gateway errors


@vexed wrote:

Hi All,

I’m new to HAProxy and I’m trying to use it as load balancer for a couple of IIS 10 web servers. My setup is simple:

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon

# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private

# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3

defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

frontend www-http
bind 10.50.1.40:80

default_backend www-backend

frontend www-https
bind 10.50.1.40:443 ssl crt /etc/haproxy/sslcert.pem
reqadd X-Forwarded-Proto:\ https
#http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubdomains;\ preload
default_backend www-backend

backend www-backend
mode http
balance roundrobin

cookie SERVERID insert indirect nocache
redirect scheme https if !{ ssl_fc }
server web01 10.50.1.30:80 check inter 10s fall 3 rise 2 cookie s1
server web02 10.50.1.31:80 check inter 10s fall 3 rise 2 cookie s2

The log file is showing the below error:

Nov 9 07:09:01 localhost haproxy[74752]: 11.66.82.20:28835 [09/Nov/2017:07:08:59.423] www-https~ www-backend/web01 0/0/0/-1/1753 502 12493 - - PHVN 1/1/0/0/0 0/0 "GET /Contacts/Default.aspx HTTP/1.1"

I ran this command right after I got the error:
sudo echo "show errors" | sudo socat stdio unix-connect:/run/haproxy/admin.sock

The result is rather large: (I have pasted the first page below)

Total events captured on [09/Nov/2017:10:41:22.471] : 75

[09/Nov/2017:10:41:19.791] frontend www-http (#2): invalid request
backend (#-1), server (#-1), event #74
src 104.215.91.84:2881, session #187, session flags 0x00000080
HTTP msg state 26, msg flags 0x00000000, tx flags 0x00000000
HTTP chunk len 0 bytes, HTTP body len 0 bytes
buffer flags 0x00908002, out 0 bytes, total 186 bytes
pending 186 bytes, wrapping at 16392, error at position 0:

00000 \x16\x03\x03\x00\xB5\x01\x00\x00\xB1\x03\x03Z\x040\xCF\xD6TH\.@\xCD
00022+ \xF9;\xE6\x95\xB4h\xC1\xF5\xF4\xD6\xA1l|O-~aBGp\xE8\x00\x00"\xC0,\xC0+
00050+ \xC0$\xC0#\xC0(\xC0’\xC0\n
00060 \xC0\t\xC0\x14\xC0\x13\x00\x9D\x00\x9C\x00=\x00<\x005\x00/\x00\n
00080 \x01\x00\x00f\x00\x00\x00-\x00+\x00\x00(xxxxxx.xxxxxxxxxx.cloudapp
00123+ .azure.com\x00\n
00135 \x00\x06\x00\x04\x00\x18\x00\x17\x00\x0B\x00\x02\x01\x00\x00\r\x00\x14
00153+ \x00\x12\x06\x01\x06\x03\x04\x01\x05\x01\x02\x01\x04\x03\x05\x03\x02
00170+ \x03\x02\x02\x00#\x00\x00\x00\x17\x00\x00\xFF\x01\x00\x01\x00

[09/Nov/2017:10:39:21.824] backend www-backend (#4): invalid response
frontend www-https (#3), server webaue01 (#1), event #42
src 11.66.82.20:32140, session #150, session flags 0x002004cf
HTTP msg state 26, msg flags 0x00000000, tx flags 0xa8000060
HTTP chunk len 0 bytes, HTTP body len 0 bytes
buffer flags 0x80048002, out 0 bytes, total 15368 bytes
pending 15368 bytes, wrapping at 16392, error at position 0:

00000 \x124Vx\x9A\xBC\x00\r:\xD1H\\x08\x00E\x00\xE3\xE9\x02$@\x00\x80\x06
00024+ \x00\x00\n
00027 \xC8\x01\x1E\n
00031 \xC8\x01(\x00P\xA4\xD0\xDA\x82y\x7F\x08\xDE;\xDC\x80\x18\x04\x03\x17
00051+ \xDC\x00\x00\x01\x01\x08\n
00058 \x06’U\xF1\xDD\x8C\xF3XHTTP/1.1 200 OK\r\n
00083 Cache-Control: private\r\n
00107 Content-Type: text/html; charset=utf-8\r\n
00147 Content-Encoding: gzip\r\n
00171 Vary: Accept-Encoding\r\n
00194 Server: Microsoft-IIS/10.0\r\n
00222 X-AspNet-Version: 4.0.30319\r\n
00251 Date: Thu, 09 Nov 2017 10:39:22 GMT\r\n
00288 Content-Length: 58046\r\n
00311 \r\n

The strange thing is, the same page works 8 out of 10 times. I can reproduce the error by browsing to the page, then another, then the same page again and so on, and I will receive the 502 error.

I’m not sure what to do next with this setup.

Any guidance is much appreciated.

Posts: 2

Participants: 1

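A decoder for the "show errors" capture format pasted above, as an added example that is not from the original post or from HAProxy itself: it reassembles the escaped hex dump into the raw bytes and reports whether a capture was a TLS ClientHello arriving on the plaintext frontend (and which SNI it carried) or a backend response with non-HTTP bytes ahead of the status line. SAMPLE is a constructed dump with a fabricated ClientHello; the parser and the classification are my own, not an HAProxy API.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Event header: "[09/Nov/2017:10:41:19.791] frontend www-http (#2): invalid request"
EVENT_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<kind>frontend|backend) (?P<name>\S+) "
                      r"\(#-?\d+\): (?P<what>invalid request|invalid response)")
DUMP_RE = re.compile(r"^\s*\d{5}\+? (?P<text>.*)$")     # 5-digit offset, '+' = wrapped line
ESC_RE = re.compile(r'\\(x[0-9A-Fa-f]{2}|[rnte\\"])')    # the escapes haproxy emits
SIMPLE_ESC = {"r": 13, "n": 10, "t": 9, "e": 27, "\\": 92, '"': 34}
# Pasting through a forum turns ASCII quotes into typographic ones; map them back.
SMART_QUOTES = str.maketrans({"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'})


@dataclass
class ErrorEvent:
    timestamp: str
    proxy_kind: str      # "frontend" or "backend"
    proxy_name: str
    what: str            # "invalid request" or "invalid response"
    data: bytes = b""


def decode_dump_line(text: str) -> bytes:
    """Undo the \\xHH / \\r / \\n escaping of one dump line, giving the raw bytes."""
    out, i, text = bytearray(), 0, text.translate(SMART_QUOTES)
    while i < len(text):
        if m := ESC_RE.match(text, i):
            esc = m.group(1)
            out.append(int(esc[1:], 16) if esc[0] == "x" else SIMPLE_ESC[esc])
            i = m.end()
        else:
            out += text[i].encode("utf-8")
            i += 1
    return bytes(out)


def parse_show_errors(output: str) -> List[ErrorEvent]:
    """Split 'show errors' output into events, each with its capture reassembled."""
    events: List[ErrorEvent] = []
    cur: Optional[ErrorEvent] = None
    for line in output.splitlines():
        if m := EVENT_RE.match(line):
            cur = ErrorEvent(m["ts"], m["kind"], m["name"], m["what"])
            events.append(cur)
        elif cur is None:
            continue
        elif m := DUMP_RE.match(line):
            cur.data += decode_dump_line(m["text"])
    return events


def client_hello_sni(d: bytes) -> Optional[str]:
    """Pull server_name out of a raw ClientHello (TLS record + handshake headers)."""
    if len(d) < 9 or d[0] != 0x16 or d[5] != 0x01:
        return None
    u = lambda a, n: int.from_bytes(d[a:a + n], "big")   # big-endian field, 0 past the end
    p = 9 + 2 + 32                                       # skip version and random
    p += 1 + u(p, 1)                                     # session id
    p += 2 + u(p, 2)                                     # cipher suites
    p += 1 + u(p, 1)                                     # compression methods
    ext_end = p + 2 + u(p, 2)
    p += 2
    while p + 4 <= min(ext_end, len(d)):
        etype, elen = u(p, 2), u(p + 2, 2)
        p += 4
        if etype == 0 and elen >= 5:                     # server_name extension
            return d[p + 5:p + 5 + u(p + 3, 2)].decode("ascii", "replace")
        p += elen
    return None


def diagnose(ev: ErrorEvent) -> dict:
    """Classify the rejected bytes; that decides whether to look at the client or the server."""
    d = ev.data
    info = {"proxy": f"{ev.proxy_kind} {ev.proxy_name}", "what": ev.what, "bytes": len(d)}
    if len(d) >= 5 and d[0] == 0x16 and d[1] == 0x03 and d[2] <= 0x04:
        # TLS record on a bind line without 'ssl': a client spoke HTTPS to the plaintext port.
        info.update(verdict="tls-record", sni=client_hello_sni(d))
        return info
    idx = d.find(b"HTTP/1.")
    if idx < 0:
        info["verdict"] = "no-http"
        return info
    # A response must begin with its status line; a request start line ends in HTTP/1.x.
    leading = idx if ev.what == "invalid response" else d.rfind(b"\n", 0, idx) + 1
    info.update(leading_bytes=leading, verdict="garbage-before-http" if leading else "http-at-offset-0")
    return info


# Constructed sample: fabricated ClientHello (SNI www.example.test) on the plaintext frontend, then a reply with 6 junk bytes.
SAMPLE = r"""[09/Nov/2017:10:41:19.791] frontend www-http (#2): invalid request
  pending 79 bytes, wrapping at 16392, error at position 0:
  00000 \x16\x03\x01\x00J\x01\x00\x00F\x03\x03AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  00043+ \x00\x00\x04\xC0/\xC0+\x01\x00\x00\x19\x00\x00\x00\x15\x00\x13\x00\x00\x10www.example.test

[09/Nov/2017:10:39:21.824] backend www-backend (#4): invalid response
  pending 49 bytes, wrapping at 16392, error at position 0:
  00000 \x124Vx\x9A\xBCHTTP/1.1 200 OK\r\n
  00023 Content-Length: 5\r\n
  00042 \r\n
  00044 hello
"""
```

Run it against real output with `parse_show_errors(open("errors.txt").read())` and call `diagnose` on each event; a "tls-record" verdict on the port-80 frontend means clients are sending HTTPS to the plaintext listener, not that the backend is broken.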

What is the SSL implementation used in HAProxy?


@dharanikumarsrvn wrote:

Which SSL implementation is used in HAProxy? Did HAProxy develop its own SSL stack for protocol, Ciphers, and other stuff? I found references to OpenSSL in manual. What role does OpenSSL play in the HAProxy’s SSL stack?

Posts: 1

Participants: 1


Number of Current Sessions in Mgmt portal for Tomcat


@javajoe wrote:

How can I get the management portal to show the number of sessions on Tomcat and, if possible, the number of sessions with a specific attribute “user”? The current number is always 0 but the max seems to be set. For our system, an HttpSession with a “user” attribute means there is a logged in user. It would be good if I could see that.


Posts: 1

Participants: 1


Send connections from ip to server A and all others to server B?


@johnb wrote:

Hi all,

I have a working load balancing config with balance source and hash-type consistent for my FTP, but it isn’t sufficient.
It seems that I’m still getting too many connections from one IP address on one of my FTP servers.

If I can send all of the traffic from one customer with one IP address to one FTP server I should have fixed the issue.
How can I send all traffic to FTP server A and traffic coming from a certain external IP address to server B?

Regards,

John

Posts: 1

Participants: 1


Haproxy consuming 100% cpu


@elderone1 wrote:

My HAProxy 1.7.9 instance is using 100% of a CPU core for 10-50 min, then all goes back to normal.


Couple of mbit/s of traffic.
haproxy -vvv
HA-Proxy version 1.7.9 2017/08/18
Copyright 2000-2017 Willy Tarreau <willy@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU     = native
  CC      = gcc
  CFLAGS  = -O2 -march=native -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_STATIC_PCRE=1 USE_TFO=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.0.2g  1 Mar 2016
Running on OpenSSL version : OpenSSL 1.0.2g  1 Mar 2016
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.38 2015-11-23
Running on PCRE version : 8.38 2015-11-23
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built without Lua support
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
        [COMP] compression
        [TRACE] trace
        [SPOE] spoe

Running on Ubuntu 16.04

Trace from haproxy process consuming whole core:

No errors in debug log.

Posts: 1

Participants: 1


Front End Authentication


@networknewb wrote:

Hi Everyone,

New to HAProxy and trying to figure out how to get authentication to work on the front end, using haproxy 1.7.8.

What i am aiming to do is the following:

Client -> HAProxy(as a proxy tunnel) -> server/1/2/3/4/5

I am running squid on the back end and everything is working, but then I wanted to add authentication to HAProxy as I have whitelisted my HAProxy VM in the squid configuration, which allows access to all connections. Note the ‘#’ are there as that is the configuration that works; when I remove them I get an ‘ERR_TUNNEL_CONNECTION_FAILED’ error.

Always the squid server is also local on another VM where I am using my /64 IPv6 from my ISP. Just trying to learn all these things.

Configuration:

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats timeout 30s
user haproxy
group haproxy
daemon
#userlist Admins
#group AdminGroup users admin
#user admin insecure-password 1234

defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000

frontend http_front
#acl AuthOkay_UsersAuth http_auth(Admins)
#http-request auth realm Admins unless AuthOkay_UsersAuth
bind *:8000
stats uri /haproxy?stats
default_backend http_back

backend http_back
option http-tunnel
server squid0 x.x.x.x:20100 check
server squid1 x.x.x.x:20101 check
server squid2 x.x.x.x:20102 check
server squid3 x.x.x.x:20103 check
server squid4 x.x.x.x:20104 check
balance roundrobin

listen stats
bind *:8181
stats enable
stats uri /
stats realm Haproxy\ Statistics
stats auth test:test

Any tips would be great, Thanks!

Posts: 1

Participants: 1



Constantly changing sessions under H2


@adrianw wrote:

I am trying to deploy 1.8 to make use of h2. We have a single HAProxy install in front of several PHP web application servers. We have enjoyed HAProxy for the last several years and have upgraded from 1.5-1.7 without issue. I have been trying to get 1.8-rcX working and everything is OK except that under h2 the ajax calls on the site are breaking. We use CSRF tokens which are linked to the session; the problem is that under h2 each ajax request gets a different session ID. Removing h2 fixes the problem. If I request the URLs directly under h2 it works; it is only when they are called via AJAX.

This probably isn’t a HAProxy issue, but is there any reason that I would be seeing this behaviour under h2, and not http/1.1?

haproxy -vv
HA-Proxy version 1.8-rc3-34650d5 2017/11/11
Copyright 2000-2017 Willy Tarreau willy@haproxy.org

Build options :
TARGET = linux2628
CPU = x86_64
CC = gcc
CFLAGS = -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label
OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.4
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with network namespace support.
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Encrypted password support via crypt(3): yes
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with multi-threading support.

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace


config

global
log 127.0.0.1 local0
maxconn 20000
ssl-server-verify none
user haproxy
group haproxy

# set default parameters to the intermediate configuration
tune.ssl.default-dh-param 2048


# STATS SOCKET
stats socket /var/run/haproxy.stats level admin

# ACCEPT LARGE REQUESTS
tune.bufsize 128000

defaults
log global
mode http
retries 3

maxconn                 20000
timeout connect         15s
timeout client          15s
timeout server          90s
timeout http-request    5s
timeout http-keep-alive 15s

option forwardfor
option httplog
option http-keep-alive
option http-server-close

# Redirect all HTTP traffic to HTTPS.

frontend WEB-HTTP-IN
bind :80
option forwardfor

# Redirection Everything else to HTTPS
redirect code 301 scheme https if !{ ssl_fc }

# Main HTTPS frontend for our sites.

frontend WEB-HTTPS-IN
option forwardfor

bind 10.0.0.1:443 ssl crt /etc/haproxy/ssl/cert.pem no-sslv3 alpn h2,http/1.1

############# RATE LIMITING BRUTE FORCE #######################

# Table definition

acl login_request path_beg -i /account/login
tcp-request inspect-delay 10s
acl brute_force        sc1_inc_gpc0 gt 20
stick-table type binary len 20 size 100k expire 300s store gpc0
tcp-request content track-sc1 base32+src if METH_POST login_request
http-request deny if brute_force

############################################################

# Block bad IPs
acl bad_ip hdr_ip(X-Forwarded-For) -f /etc/haproxy/bad_ips.lst
http-request deny if bad_ip

# CAPTURE HEADERS FOR LOGGING
capture request header Host len 64
capture request header x-csrf-token len 64

# Send all other traffic that does match anything else to the WEB-FARM
default_backend WEB-FARM

backend WEB-FARM
balance static-rr

server WEB-011 192.168.70.221:80 check maxconn 12


Posts: 1

Participants: 1


Systemd service fails to launch with option http-server-close


@wuppi wrote:

Hello,
I am a complete newbie to HAProxy and want to use it to redirect WebSocket requests coming via port 80 to a different port 8181 on which a custom WebSocket server is listening. All is supposed to work on the same machine:
haproxy, Apache and the WebSocket server.

I installed haproxy in Version 1.5.8 straight from the Debian 8 repositories.

The Apache Port is reconfigured from Port 80 to 8000. This works.

A properly working Websocket-Call is ws://:8181/demo

My idea is to haproxy the websocket calls to ws:///demo to ws://:8181/demo
and to haproxy the Standard http-calls on port 80 to the Apache 8000.

While the Apache-haproxy-config part seems to be fine, the ws-configuration sucks. I am not sure why and do not know really how to debug.

I was assuming that the line
option http-server-close
from a configuration sample I found would be important but with this line the Service does not start. It Fails with

haproxy.service start request repeated too quickly, refusing to start.

Here is the complete config:
(a check via haproxy -c -f haproxy.cfg does not show errors)

HAProxy config for WebSockets

Berner Telecom-Dienste © 2018

Attention: the indentations are TABs!!

global
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
maxconn 2000
chroot /var/lib/haproxy
user haproxy
group haproxy
daemon
option http-server-close

defaults
log global
mode http
option httplog
option dontlognull
retries 3
maxconn 2000
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

frontend public
bind *:80
acl is_websocket hdr(Upgrade) -i WebSocket
acl is_websocket_server hdr_end(host) -i primus0.de/demo:8181
use_backend ws if is_websocket is_websocket_server
default_backend www

backend www
timeout server 30s
server www1 127.0.0.1:8000

backend ws
timeout server 600s
server ws1 127.0.0.1:8181

Any idea how to overcome this?

Best regards

Wuppi

Posts: 2

Participants: 2

Read full topic

Reverse Proxy url to port


@gpascal wrote:

Hi, I installed Gravitee recently and this API manager uses 3 parts to work: portal, management-api and a gateway.
Each part uses a specific port and I need help to make my haproxy acl for each one.

My origin url is http://gravitee.mydomain.com to go on the portal part
Management-API adds /management to the end of my URL and needs port 8083
Gateway adds /api to the end of my URL and needs port 8082

So I started to create some acls but nothing works well.
For information, my haproxy.conf contains lots of acls for all the company websites.

Thanks for your help

Posts: 1

Participants: 1

Read full topic
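A path-prefix routing sketch for the layout described in this post, added here as an example and not taken from the poster's config: the /management and /api prefixes and ports 8083 and 8082 are the ones the post names; the hostname gravitee.mydomain.com is from the post; the backend address 127.0.0.1, the portal port 8080 and the internal network 10.0.0.0/8 are assumptions.

```haproxy
frontend gravitee-in
    bind *:80
    # Only these rules apply to the Gravitee hostname; the company's other
    # site ACLs stay untouched in the same frontend.
    acl host_gravitee hdr(host) -i gravitee.mydomain.com
    acl path_mgmt     path_beg -i /management
    acl path_gw       path_beg -i /api

    # The management API is an admin surface: restrict it to the internal
    # network (10.0.0.0/8 is an assumed range) before any routing happens.
    http-request deny if host_gravitee path_mgmt !{ src 10.0.0.0/8 }

    # use_backend lines are evaluated in order, so the most specific
    # path rules come first and the bare hostname falls through to the portal.
    use_backend gravitee-management if host_gravitee path_mgmt
    use_backend gravitee-gateway    if host_gravitee path_gw
    use_backend gravitee-portal     if host_gravitee

backend gravitee-management
    # Management API on 8083 (from the post); the /management prefix is passed through unchanged
    server mgmt 127.0.0.1:8083 check

backend gravitee-gateway
    # Gateway on 8082 (from the post); the /api prefix is passed through unchanged
    server gw 127.0.0.1:8082 check

backend gravitee-portal
    # Portal port is not given in the post; 8080 is an assumption
    server portal 127.0.0.1:8080 check
```

Run `haproxy -c -f` on the merged file before reloading, since a typo in one of the existing company ACLs will only surface at parse time.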

Routing domains, always goes to default


@SteinerSE wrote:

I’ve been googling and looking for guides and tried piecing this together with no luck whatsoever. What I need to do is direct web traffic to different servers depending on the domain (for now)… I’m using the latest HAProxy (1.7.9) running on an Ubuntu machine (virtual) and my router directs all traffic for port 80 to it.
I’ve been following what guides I could find to the best of my understanding and I finally have the service at least start without failure, but once running it seems it completely ignores all my hostmapping and just sends everything to the default backend.
I have 3 webservers running on 3 different machines with their own static IPs (2 Apache and 1 IIS) and this is the config I’ve come up with.

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 256

# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private

# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
#  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3

defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

# My stuff
stats enable
stats uri /hapstats
stats realm "HAProxy\ Statistics"
stats auth steiner:password
stats refresh 5s

frontend http-in
bind *:80

# Define hosts
acl host_tifozi hdr(host) -i tifozi.net
acl host_tabardinn hdr(host) -i yetabardinn.net
acl host_tacticus hdr(host) -i tacticus.org
acl host_secunet hdr(host) -i secunet.se
acl host_windhund hdr(host) -i windhund.biz

# Hostmapping
use_backend Srv_1 if host_tacticus
use_backend Srv_1 if host_windhund
use_backend Srv_2 if host_tifozi
use_backend Srv_2 if host_tabardinn
use_backend Srv_3 if host_secunet
default_backend Srv_1

backend Srv_1
option forwardfor
option httpclose
server Apache_1 10.84.42.4:80 check

backend Srv_2
option forwardfor
option httpclose
server Apache_2 10.84.42.15:80 check

backend Srv_3
option forwardfor
option httpclose
server IIS_1 10.84.42.14:80 check

Please someone help me figure this out and point me in the right direction, I would be immensely grateful!

Posts: 5

Participants: 2

Read full topic
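As an added example (not the poster's config): the same host routing expressed with a map file and domain matching, so that Host values such as www.tacticus.org or tacticus.org:80 still resolve instead of falling through to the default backend; the map file path /etc/haproxy/hosts.map is an assumption, the domains and backend names are the ones in the post.

```haproxy
# /etc/haproxy/hosts.map (assumed path), one "domain backend" pair per line:
#   tacticus.org     Srv_1
#   windhund.biz     Srv_1
#   tifozi.net       Srv_2
#   yetabardinn.net  Srv_2
#   secunet.se       Srv_3

frontend http-in
    bind *:80
    # Log the Host header so a non-matching value shows up in the access log
    # rather than silently landing on the default backend.
    capture request header Host len 64

    # Drop any ":port" suffix with field(), lowercase, then look the domain up.
    # map_dom matches whole domain labels, so "www.tacticus.org" resolves to
    # Srv_1 while "nottacticus.org" does not; unmatched hosts get the fallback.
    use_backend %[req.hdr(host),lower,field(1,:),map_dom(/etc/haproxy/hosts.map,Srv_1)]

# The backends Srv_1, Srv_2 and Srv_3 from the post stay as they are.
```

With the captured header in the log, compare the `{host}` field of a misrouted request against the map keys; an exact `hdr(host) -i name` ACL fails on any www prefix or port suffix, which map_dom tolerates.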

PROPFIND - http-request deny unless METH_GET


@christoph02 wrote:

Hello,

Is there a PROPFIND filter for HAProxy?
I’d like to add this useful filter from the docs: http-request deny unless METH_GET or METH_POST or METH_OPTIONS
and add something like … or METH_PROPFIND (for OWN- or NEXTCLOUD/WEBDAV).

thank you for help

Posts: 2

Participants: 2

Read full topic
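An added example (not from the poster): HAProxy has no predefined METH_PROPFIND, but the `method` fetch accepts method names it does not know as plain strings, so the WebDAV verbs can be allowed through a named ACL and confined to the DAV endpoint; the certificate path and the /remote.php/dav prefix are assumptions.

```haproxy
frontend dav-in
    bind *:443 ssl crt /etc/haproxy/ssl/cert.pem   # certificate path is an assumption

    # WebDAV verbs from RFC 4918; PUT and DELETE are covered by the
    # predefined METH_PUT / METH_DELETE if the DAV endpoint needs uploads and deletes.
    acl METH_WEBDAV method PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK
    # Path under which the DAV server lives (assumed; adjust to the deployment)
    acl dav_path path_beg -i /remote.php/dav

    # WebDAV verbs anywhere else on the site are rejected outright
    http-request deny if METH_WEBDAV !dav_path
    # Everything that is not an explicitly allowed method is rejected
    http-request deny unless METH_GET or METH_POST or METH_OPTIONS or METH_WEBDAV
```

Named ACLs such as METH_WEBDAV cannot be referenced inside an anonymous `{ ... }` block, which is why the path restriction is a separate deny rule rather than one combined expression.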
