Channel: HAProxy community - Latest topics

HAProxy not switching between backends

@ksl28 wrote:

Hi,

I'm having an issue with HA Proxy, that it's redirecting all traffic to the default backend.
In a previous config, HA Proxy managed to redirect just fine - so the hostname is defined in the TCP package.

I've tried several different settings, but can't seem to find a solution that works.

Config:

global
#log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
stats socket /var/run/haproxy.sock mode 600 level admin
stats timeout 2m
maxconn 80000
user haproxy
group haproxy
daemon

defaults
mode http
log global
#option httplog
option dontlognull
timeout client 300s

# Statistics

listen stats
bind 192.168.62.148:8040
mode http
stats enable
stats uri /lbstats
stats realm Please\ Login
stats auth admin:admin
stats admin if TRUE

###################################################################################################

# FRONTEND - FRONTEND - FRONTEND - FRONTEND - FRONTEND - FRONTEND - FRONTEND - FRONTEND - FRONTEND

###################################################################################################

frontend FT_HTTPS_IN
mode tcp
bind 192.168.62.148:443
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend BCK_RDS_HTTPS if { req_ssl_sni -i remote .domain .dk }
use_backend BCK_RDS_GW_HTTPS if { req_ssl_sni -i rdsgw .domain .dk }
use_backend BCK_OWNCLOUD_HTTPS if { req_ssl_sni -i oc .domain .dk }
use_backend BCK_POC_WEB if { req_ssl_sni -i poc .domain .dk }
option tcp-smart-accept
default_backend BCK_Exchange_HTTPS

###################################################################################################

# BACKEND - BACKEND - BACKEND - BACKEND - BACKEND - BACKEND - BACKEND - BACKEND - BACKEND - BACKEND

###################################################################################################

backend BCK_Exchange_HTTPS
mode tcp
retries 3
timeout server 300s
timeout connect 10s
server S1EXCH01 192.168.60.82:443 check #ssl verify none

backend BCK_RDS_GW_HTTPS
mode tcp
retries 3
timeout server 300s
timeout connect 10s
balance roundrobin
server S1TSGW03 192.168.62.90:443 check #ssl verify none
server S1TSGW04 192.168.62.92:443 check #ssl verify none

backend BCK_RDS_HTTPS
mode tcp
retries 3
timeout server 300s
timeout connect 10s
server S1TSWEB01 192.168.62.93:443 check #ssl verify none

backend BCK_OWNCLOUD_HTTPS
mode tcp
retries 3
timeout server 300s
timeout connect 10s
server S1OC03 192.168.62.100:443 check #ssl verify none

backend BCK_POC_WEB
mode tcp
retries 3
timeout server 300s
timeout connect 10s
server S1POC01 192.168.62.91:443 check #ssl verify none

###################################################################################################

# HA Proxy Config

###################################################################################################

The topic is short, since I can't seem to find any misconfigured settings.
PS: the domains are separated by spaces, since new users can only post 2 links in a topic.

Posts: 5

Participants: 3

Read full topic

Different SSL Protocols for each backend server. Is it possible?


@reinaldo.gomes wrote:

I need to disable TLSv1.0 for one of my webservers, but not for the rest of them.
bind :443 ssl crt /etc/haproxy/merged.pem no-tlsv10 <- works
ssl-default-bind-options no-tlsv10 <- works
server apache 10.0.0.1 no-tlsv10 <- doesn’t work
ssl-default-server-options no-tlsv10 <- doesn’t work

Is there any way to disable a given SSL protocol for specific backend servers, other than using different IPs/frontends?

Posts: 3

Participants: 2

Read full topic

When h2 is enabled ASP.NET WebForms behaves badly


@NoLifeKing wrote:

We have installed HAProxy 1.8.1.1 on our LB-cluster.
And we enabled alpn h2,http/1.1 with great success. Requests were going in as h2, all is well.

The only problem was that in Chrome and Firefox, some requests also started to behave badly.
Now, I know ASP.NET WebForms is old and everything, but that system was started as that, and we’re slowly converting it to MVC and React.

Anyway… Sometimes, when we use “UpdatePanels” (ajax panels more or less), the requests stall, forever.
But as soon as we turn off h2, it all works perfectly again.

We’re running in http mode, since we are offloading SSL on HAProxy and have only http/1.1 backends (or else we would have to setup redundant certificates on all backend servers).

And we really don’t want to switch to tcp mode, since we want all the logs.

Has anyone else noticed that there’s trouble with ajax/postbacks (or any requests) while running in h2-mode?

HA-Proxy version 1.8.1-1 2017/12/03
Copyright 2000-2017 Willy Tarreau <willy@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -g -O2 -fdebug-prefix-map=/build/haproxy-1.8.1=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2
  OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_SYSTEMD=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_NS=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.1.0g  2 Nov 2017
Running on OpenSSL version : OpenSSL 1.1.0f  25 May 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.39 2016-06-14
Running on PCRE version : 8.39 2016-06-14
PCRE library supports JIT : yes
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
        [SPOE] spoe
        [COMP] compression
        [TRACE] trace

Posts: 5

Participants: 2

Read full topic

HAproxy as SSL termination and backend jboss application


@Mbart wrote:

Hi,
I would like to replace my current apache reverse proxy with haproxy.
I have defined 2 frontend sections: http-input for incoming http requests and https-input for incoming https requests.
At this moment I have only a java application as backend server, but in future I would like to use haproxy to proxy requests to IIS.
I have a problem redirecting http requests to https for some URLs.
This is my haproxy configuration:
global
log 127.0.0.1 local2 debug

chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
daemon
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
defaults
log global
mode http
option dontlognull
option httplog
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 60s
timeout queue 1m
timeout connect 60s
timeout client 60s
timeout server 1m
timeout http-keep-alive 60s
timeout check 60s
maxconn 3000
frontend http-input
bind *:80
mode http
option http-server-close
reqadd X-Forwarded-Proto:\ http
redirect scheme https if { hdr(host) -i mywebsite.mydomain.com } !{ ssl_fc }
frontend https-input
bind *:443 ssl crt /etc/haproxy/cert/mycert.pem
mode http
option http-server-close
reqadd X-Forwarded-Proto:\ https
redirect prefix https://mywebsite.mydomain.com if { hdr(host) -i mywebsite.mydomain.com }
acl is_cu_hdr_nodoaric hdr(host) -i collaudo-wsnodo.aric.it
acl is_hdr_mywebsite hdr(host) -i mywebsite.mydomain.com
use_backend appserver1 if is_hdr_mywebsite

backend			appserver1
mode			http
option			httpclose
option			forwardfor
balance			roundrobin
cookie JSESSIONID prefix nocache
server			appserver1 appserver1.private.intra:8080 cookie appserver1 check inter 5000

In my log file I read this error:
localhost haproxy[17683]: 31.198.67.34:50543 [15/Dec/2017:15:11:37.320] https-input~ https-input/ 70/-1/-1/-1/70 302 151 - - LR-- 0/0/0/0/0 0/0 "GET /context2RA/ HTTP/1.1"

I have googled for 2 days and do not understand where is the problem! Please help me!
Thank you

Posts: 2

Participants: 2

Read full topic

Clients from a specific WAN network can't access application layer


@davidenzomedina wrote:

Hi, I’m new to HAPROXY and I have a problem with some clients that cannot access haproxy services from a specific network on WAN.

When they try to access it from a web browser it keeps waiting for a response. The first thing I figured is routing, but ping works, and when I try to access the stats page it pops out the authentication window, but then it just keeps working and nothing is returned. If I try to directly access the service backends, bypassing the haproxy, it works.

This is my setting:

  • Servers: 2 CentOS 7 with keepalived cluster for HA.
  • HAProxy: 1.5.18 (the one that comes with this CentOS version via yum).
  • Network: 2 interfaces: ens160 (DMZ) and ens192 (LAN and WAN).
  • Routes: default gateway configured for ens160. Specific static routes added for ens192.
  • Firewall: ports 80, 443, 9000 and others are opened.
  • SELinux: enabled (I tried disabling it, but no luck).

HAProxy Configuration (I modified some sensitive info):

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    log         127.0.0.1 local2 info

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

    tune.ssl.default-dh-param 2048

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option                  http-server-close
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000
    balance                 leastconn
    default-server          inter 3s rise 2 fall 3

#---------------------------------------------------------------------
# Exchange HTTPS Frontend
#---------------------------------------------------------------------
frontend exchange_https_frontend
    bind *:443 name https ssl crt /etc/ssl/certs/mycert.pem
    mode http
    option http-keep-alive
    no option httpclose
    no option http-server-close
    no option forceclose
    option contstats
    option dontlognull
    log global
    option httplog
    option forwardfor       except 127.0.0.0/8
    timeout client 25s
    timeout http-keep-alive 1s
    timeout http-request 15s
    maxconn 10000
    acl ssl_connection ssl_fc
    acl host_mail hdr(Host) -i my.mail.com
    acl path_slash path /
    acl path_owa path_beg -i /owa/
    acl path_ecp path_beg -i /ecp/
    acl path_ews path_beg -i /ews/
    acl path_activesync path_beg -i /Microsoft-Server-ActiveSync
    acl path_oa path_beg -i /rpc/rpcproxy.dll
    acl path_autodiscover path_beg -i /Autodiscover/Autodiscover.xml
    acl path_ps path_beg -i /Powershell/
    acl path_oab path_beg -i /oab/
    ###acl path_mapi path_beg -i /mapi/
    acl path_check path_end -i HealthCheck.htm
    # HTTP deny rules
    http-request deny if path_check
    # HTTP redirect rules
    http-request redirect scheme https code 302 unless ssl_connection
    http-request redirect location /owa/ code 302 if path_slash host_mail
    # HTTP routing rules
    use_backend exchange_https_owa_backend if path_owa
    use_backend exchange_https_ecp_backend if path_ecp
    use_backend exchange_https_ews_backend if path_ews
    use_backend exchange_https_activesync_backend if path_activesync
    use_backend exchange_https_oa_backend if path_oa
    use_backend exchange_https_autodiscover_backend if path_autodiscover
    use_backend exchange_https_ps_backend if path_ps
    use_backend exchange_https_oab_backend if path_oab
    ###use_backend exchange_https_mapi if path_mapi
    # other services go here
    default_backend exchange_https_default_backend

#---------------------------------------------------------------------
# Exchange HTTPS Backends
#---------------------------------------------------------------------

# Outlook Web Access (OWA):
backend exchange_https_owa_backend
    option http-keep-alive
    option prefer-last-server
    no option httpclose
    no option http-server-close
    no option forceclose
    no option http-tunnel
    option forwardfor
    option httpchk GET /owa/HealthCheck.htm
    http-check expect string 200\ OK
    server server151 192.168.5.151:443 maxconn 10000 weight 10 ssl verify none check
    server server152 192.168.5.152:443 maxconn 10000 weight 10 ssl verify none check
    server server153 192.168.5.153:443 maxconn 10000 weight 10 ssl verify none check
    server server154 192.168.5.154:443 maxconn 10000 weight 10 ssl verify none check

# Exchange Control Panel (ECP):
backend exchange_https_ecp_backend
    option http-keep-alive
    option prefer-last-server
    no option httpclose
    no option http-server-close
    no option forceclose
    no option http-tunnel
    option forwardfor
    option httpchk GET /ECP/HealthCheck.htm
    http-check expect string 200\ OK
    server server151 192.168.5.151:443 maxconn 10000 weight 10 ssl verify none check
    server server152 192.168.5.152:443 maxconn 10000 weight 10 ssl verify none check
    server server153 192.168.5.153:443 maxconn 10000 weight 10 ssl verify none check
    server server154 192.168.5.154:443 maxconn 10000 weight 10 ssl verify none check

# Exchange Web Services (EWS):
backend exchange_https_ews_backend
    option http-keep-alive
    option prefer-last-server
    no option httpclose
    no option http-server-close
    no option forceclose
    no option http-tunnel
    option forwardfor
    option httpchk GET /EWS/HealthCheck.htm
    http-check expect string 200\ OK
    server server151 192.168.5.151:443 maxconn 10000 weight 10 ssl verify none check
    server server152 192.168.5.152:443 maxconn 10000 weight 10 ssl verify none check
    server server153 192.168.5.153:443 maxconn 10000 weight 10 ssl verify none check
    server server154 192.168.5.154:443 maxconn 10000 weight 10 ssl verify none check

# Exchange Active Sync (EAS):
backend exchange_https_activesync_backend
    option http-keep-alive
    option prefer-last-server
    no option httpclose
    no option http-server-close
    no option forceclose
    no option http-tunnel
    option forwardfor
    option httpchk GET /Microsoft-Server-ActiveSync/HealthCheck.htm
    http-check expect string 200\ OK
    server server151 192.168.5.151:443 maxconn 10000 weight 10 ssl verify none check
    server server152 192.168.5.152:443 maxconn 10000 weight 10 ssl verify none check
    server server153 192.168.5.153:443 maxconn 10000 weight 10 ssl verify none check
    server server154 192.168.5.154:443 maxconn 10000 weight 10 ssl verify none check

# Outlook Anywhere (OA):
backend exchange_https_oa_backend
    option http-keep-alive
    option prefer-last-server
    no option httpclose
    no option http-server-close
    no option forceclose
    no option http-tunnel
    option forwardfor
    option httpchk GET /RPC/HealthCheck.htm
    http-check expect string 200\ OK
    server server151 192.168.5.151:443 maxconn 10000 weight 10 ssl verify none check
    server server152 192.168.5.152:443 maxconn 10000 weight 10 ssl verify none check
    server server153 192.168.5.153:443 maxconn 10000 weight 10 ssl verify none check
    server server154 192.168.5.154:443 maxconn 10000 weight 10 ssl verify none check

# Autodiscover (AU):
backend exchange_https_autodiscover_backend
    option http-keep-alive
    option prefer-last-server
    no option httpclose
    no option http-server-close
    no option forceclose
    no option http-tunnel
    option forwardfor
    option httpchk GET /Autodiscover/HealthCheck.htm
    http-check expect string 200\ OK
    server server151 192.168.5.151:443 maxconn 10000 weight 10 ssl verify none check
    server server152 192.168.5.152:443 maxconn 10000 weight 10 ssl verify none check
    server server153 192.168.5.153:443 maxconn 10000 weight 10 ssl verify none check
    server server154 192.168.5.154:443 maxconn 10000 weight 10 ssl verify none check

# PowerShell (PS):
backend exchange_https_ps_backend
    option http-keep-alive
    option prefer-last-server
    no option httpclose
    no option http-server-close
    no option forceclose
    no option http-tunnel
    option forwardfor
    server server151 192.168.5.151:443 maxconn 10000 weight 10 ssl verify none check
    server server152 192.168.5.152:443 maxconn 10000 weight 10 ssl verify none check
    server server153 192.168.5.153:443 maxconn 10000 weight 10 ssl verify none check
    server server154 192.168.5.154:443 maxconn 10000 weight 10 ssl verify none check

# Offline Address Book (OAB):
backend exchange_https_oab_backend
    option http-keep-alive
    option prefer-last-server
    no option httpclose
    no option http-server-close
    no option forceclose
    no option http-tunnel
    option forwardfor
    option httpchk GET /OAB/HealthCheck.htm
    http-check expect string 200\ OK
    server server151 192.168.5.151:443 maxconn 10000 weight 10 ssl verify none check
    server server152 192.168.5.152:443 maxconn 10000 weight 10 ssl verify none check
    server server153 192.168.5.153:443 maxconn 10000 weight 10 ssl verify none check
    server server154 192.168.5.154:443 maxconn 10000 weight 10 ssl verify none check

# Exchange Default Backend:
backend exchange_https_default_backend
    option http-keep-alive
    option prefer-last-server
    no option httpclose
    no option http-server-close
    no option forceclose
    no option http-tunnel
    option forwardfor
    server server151 192.168.5.151:443 maxconn 10000 weight 10 ssl verify none check
    server server152 192.168.5.152:443 maxconn 10000 weight 10 ssl verify none check
    server server153 192.168.5.153:443 maxconn 10000 weight 10 ssl verify none check
    server server154 192.168.5.154:443 maxconn 10000 weight 10 ssl verify none check


#---------------------------------------------------------------------
# Exchange SMTP Settings
#---------------------------------------------------------------------
listen smtp25 *:25
    mode tcp
    option tcplog
    balance leastconn
    option tcp-check
    tcp-check expect string 220
    default-server inter 3s rise 2 fall 3
    server server151 192.168.5.151:25 check
    server server152 192.168.5.152:25 check
    server server153 192.168.5.153:25 check
    server server154 192.168.5.154:25 check

listen smtp587 *:587
    mode tcp
    option tcplog
    balance leastconn
    option tcp-check
    tcp-check expect string 220
    default-server inter 3s rise 2 fall 3
    server server151 192.168.5.151:587 check
    server server152 192.168.5.152:587 check
    server server153 192.168.5.153:587 check
    server server154 192.168.5.154:587 check

#---------------------------------------------------------------------
# HAProxy stats page:
#---------------------------------------------------------------------
listen stats :9000
    mode http
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /
    stats auth admin:mypassword

Posts: 2

Participants: 2

Read full topic

Haproxy advance health check using lua


@arash wrote:

Hi

Is it possible to create a multistep health check in Lua? If yes, can you please share a sample with me?

thanks

Posts: 1

Participants: 1

Read full topic


Freeze sockets in 1.8.1 (no http/2)


@happy wrote:

After ~1.5 weeks uptime healthchecks of local web-server start showing errors “Too many sockets on the process”

It turned out that the haproxy process uses 20000+ more file descriptors than it usually needs (compared to other similar servers with 1.7.9 and much longer uptime).

According to /proc/net/sockstat it held 10000+ “inuse” UDP sockets.
Outgoing UDP connections are used in Lua, but very rarely.

HTTP/2 is disabled, reloads are used very often.

A haproxy restart solved the problem, and it looks like the number of UDP sockets is now slowly growing again.

Posts: 1

Participants: 1

Read full topic

How set default path when it is missing


@Mbart wrote:

Hi,
I would like to add a default path if it is missing on a specific domain request, but with my HA-Proxy version 1.5.18 2016/05/10 I don’t have the set-path command!
What I need to do:
when I write in my browser https://www.mydomain.com
I must be redirected to https://www.mydomain.com/webapp1

I tried a lot about this problem but I only found rewrite rules when the path is already there.

Posts: 1

Participants: 1

Read full topic

RFC 6961 (OCSP multi stapling/status_request_v2)


@napo wrote:

Does HAProxy support RFC 6961 (OCSP multi stapling)? If not, when will HAProxy support this extension?

Posts: 2

Participants: 2

Read full topic

Problems compiling version 1.8.x


@tasavi wrote:

Hi.
When trying to compile version 1.8.x, the following error occurs.

make TARGET=linux2628

……
src/queue.o: In function `__pendconn_free':
/root/haproxy-1.8.1/src/queue.c:292: undefined reference to `__atomic_sub_fetch'
src/queue.o:/root/haproxy-1.8.1/src/queue.c:299: more undefined references to `__atomic_sub_fetch' follow
src/queue.o: In function `pendconn_add':
/root/haproxy-1.8.1/src/queue.c:196: undefined reference to `__atomic_add_fetch'
/root/haproxy-1.8.1/src/queue.c:198: undefined reference to `__atomic_compare_exchange_n'
/root/haproxy-1.8.1/src/queue.c:200: undefined reference to `__atomic_add_fetch'
/root/haproxy-1.8.1/src/queue.c:188: undefined reference to `__atomic_add_fetch'
/root/haproxy-1.8.1/src/queue.c:190: undefined reference to `__atomic_compare_exchange_n'
src/queue.o: In function `pendconn_get_next_strm':
/root/haproxy-1.8.1/src/queue.c:128: undefined reference to `__atomic_add_fetch'
/root/haproxy-1.8.1/src/queue.c:129: undefined reference to `__atomic_add_fetch'
src/applet.o: In function `__appctx_free':
/root/haproxy-1.8.1/include/proto/applet.h:97: undefined reference to `__atomic_sub_fetch'
src/memory.o: In function `pool_gc':
/root/haproxy-1.8.1/src/memory.c:188: undefined reference to `__atomic_compare_exchange_n'
/root/haproxy-1.8.1/src/memory.c:209: undefined reference to `__atomic_store_n'
src/lb_fwrr.o: In function `fwrr_queue_srv':
/root/haproxy-1.8.1/src/lb_fwrr.c:330: undefined reference to `__atomic_sub_fetch'
src/lb_fwrr.o: In function `fwrr_update_position':
/root/haproxy-1.8.1/src/lb_fwrr.c:445: undefined reference to `__atomic_add_fetch'
/root/haproxy-1.8.1/src/lb_fwrr.c:453: undefined reference to `__atomic_add_fetch'
/root/haproxy-1.8.1/src/lb_fwrr.c:454: undefined reference to `__atomic_add_fetch'
/root/haproxy-1.8.1/src/lb_fwrr.c:457: undefined reference to `__atomic_sub_fetch'
/root/haproxy-1.8.1/src/lb_fwrr.c:458: undefined reference to `__atomic_add_fetch'
/root/haproxy-1.8.1/src/lb_fwrr.c:448: undefined reference to `__atomic_sub_fetch'
/root/haproxy-1.8.1/src/lb_fwrr.c:449: undefined reference to `__atomic_add_fetch'
src/lb_fwrr.o: In function `fwrr_get_srv_next':
/root/haproxy-1.8.1/src/lb_fwrr.c:362: undefined reference to `__atomic_add_fetch'
src/hathreads.o: In function `thread_sync_barrier':
/root/haproxy-1.8.1/src/hathreads.c:108: undefined reference to `__atomic_compare_exchange_n'
/root/haproxy-1.8.1/src/hathreads.c:109: undefined reference to `__atomic_or_fetch'
src/hathreads.o: In function `thread_want_sync':
/root/haproxy-1.8.1/src/hathreads.c:75: undefined reference to `__atomic_or_fetch'
src/hathreads.o: In function `thread_exit_sync':
/root/haproxy-1.8.1/src/hathreads.c:142: undefined reference to `__atomic_and_fetch'
src/hathreads.o: In function `thread_sync_barrier':
/root/haproxy-1.8.1/src/hathreads.c:108: undefined reference to `__atomic_compare_exchange_n'
/root/haproxy-1.8.1/src/hathreads.c:109: undefined reference to `__atomic_or_fetch'
src/lb_map.o: In function `recalc_server_map':
/root/haproxy-1.8.1/src/lb_map.c:116: undefined reference to `__atomic_add_fetch'
/root/haproxy-1.8.1/src/lb_map.c:125: undefined reference to `__atomic_add_fetch'
src/time.o: In function `tv_update_date':
/root/haproxy-1.8.1/src/time.c:228: undefined reference to `__atomic_compare_exchange_n'
collect2: ld returned 1 exit status
make: *** [haproxy] Error 1

Is there anything else I need to compile the 1.8.x version?
There was no problem compiling from version 1.5.x to version 1.7.9 on this server.

Thanks.

Posts: 7

Participants: 2

Read full topic

Listen socket closed after reloading by SIGUSR2


@sagaxu wrote:

Hi guys,

I have installed haproxy 1.8.1, and here is my configuration file.

global
    daemon
    maxconn 100
    master-worker no-exit-on-failure

defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

backend gateway
    balance roundrobin
    server server1 172.16.0.42:8088

frontend gateway
    bind unix@/tmp/gateway.socket
    default_backend gateway

I can connect to /tmp/gateway.socket with netcat.
Then I reload the worker by sending a SIGUSR2 to the master process.
I can’t connect to /tmp/gateway.socket after the reloading.

The listen socket fd was the same as stdout.

lrwx------ 1 sagaxu sagaxu 64 Dec 21 18:07 0 -> anon_inode:[eventpoll]
lrwx------ 1 sagaxu sagaxu 64 Dec 21 18:07 1 -> socket:[17192229]
lr-x------ 1 sagaxu sagaxu 64 Dec 21 18:07 5 -> pipe:[17154247]
l-wx------ 1 sagaxu sagaxu 64 Dec 21 18:07 6 -> pipe:[17154247]

It was probably closed by the fclose clauses in haproxy.c
fclose(stdin); fclose(stdout); fclose(stderr);

thanks for your attention.

Posts: 1

Participants: 1

Read full topic

Reloading with expose-fd and multiple sockets?


@jsumners wrote:

I am updating https://github.com/jsumners/haproxy-rhel7 and want to provide seamless reloads in the default configuration. I am unclear about reloading with multiple stats sockets. Let’s assume we have two stats sockets /run/haproxy.sock1 and /run/haproxy.sock2. Would we do the following for a reload?

> haproxy -c -f /etc/haproxy.cfg -q -x /run/haproxy.sock1 -x /run/haproxy.sock2
> kill -USR2 $(cat /run/haproxy.pid)

Or do we only have to specify the first socket?

Additionally, the documentation suggests using -sf $(cat /run/haproxy.pid) for gracefully terminating old processes. I do not know if this is possible with systemd (without a custom startup script). Will -sf simply read a file specified without having to cat it?

Posts: 1

Participants: 1

Read full topic

Proxy Protocol V2


@tomciopp wrote:

I’m writing a parser for v1 and v2 of the proxy protocol and I’m having difficulty understanding how to parse UNIX domain sockets. The protocol documentation just states that there are 216 bytes that represent the src and dest but does not go into any detail about how they are encoded. I’ve done a bit of research but I don’t know if what I think is correct and I still have some gaps that need to be filled in.

From what I’ve read on the subject it looks like there are two different naming schemes. The value should resolve to a real path or an abstract path with the difference being that an abstract value begins with a null byte.

For real paths, I believe that each byte should directly translate to ascii and the string should terminate on the first null byte that you encounter.

For abstract paths I am unsure whether they must take up all 108 bytes or if there is some sort of delimiter or length specified in the protocol that I’m missing.

Can anyone clarify what you should do to handle these cases?

Posts: 1

Participants: 1

Read full topic
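
For the parsing question in the post above, here is an added example (not code from the post or from HAProxy) that decodes a PROXY protocol v2 header carrying AF_UNIX addresses: a 16-byte fixed header followed by two 108-byte fields. The function names and sample socket names are hypothetical, and stripping trailing NUL bytes from an abstract name is an assumption, because the fixed-width field carries no length.

```python
import struct

# 12-byte PROXY protocol v2 signature.
SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
AF_UNIX = 0x3          # high nibble of byte 14
UNIX_FIELD = 108       # size of each of the two address fields
COMMANDS = {0x0: "LOCAL", 0x1: "PROXY"}


def decode_unix_addr(field: bytes):
    """Classify one 108-byte field as unnamed, abstract or pathname.

    Names are returned as raw bytes: socket paths are not guaranteed to be
    ASCII, so decoding is left to the caller.
    """
    if len(field) != UNIX_FIELD:
        raise ValueError("UNIX address field must be exactly 108 bytes")
    if field == b"\x00" * UNIX_FIELD:
        return ("unnamed", b"")
    if field[0] == 0:
        # Abstract name: starts with NUL. The field has no length, so
        # trailing NULs cannot be told apart from padding; this example
        # treats them as padding (assumption).
        return ("abstract", field[1:].rstrip(b"\x00"))
    # Pathname: ends at the first NUL, or fills the field when there is none.
    return ("pathname", field.split(b"\x00", 1)[0])


def parse_v2_unix(data: bytes):
    """Parse a v2 header; raise ValueError on anything malformed."""
    if len(data) < 16 or data[:12] != SIGNATURE:
        raise ValueError("not a PROXY v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 0x2:
        raise ValueError("unsupported version")
    command = COMMANDS.get(ver_cmd & 0x0F)
    if command is None:
        raise ValueError("unknown command")
    if len(data) < 16 + length:
        raise ValueError("truncated header")
    payload = data[16:16 + length]
    result = {"command": command, "src": None, "dst": None,
              "tlv": b"", "consumed": 16 + length}
    if command == "LOCAL":
        # LOCAL (e.g. health checks): the address block is ignored.
        return result
    if fam_proto >> 4 != AF_UNIX:
        raise ValueError("address family is not AF_UNIX")
    if length < 2 * UNIX_FIELD:
        raise ValueError("address block shorter than 216 bytes")
    result["src"] = decode_unix_addr(payload[:UNIX_FIELD])
    result["dst"] = decode_unix_addr(payload[UNIX_FIELD:2 * UNIX_FIELD])
    result["tlv"] = payload[2 * UNIX_FIELD:]   # optional TLVs, left undecoded
    return result


def build_sample(src: bytes, dst: bytes) -> bytes:
    """Constructed test input: version 2, PROXY command, AF_UNIX + STREAM."""
    body = src.ljust(UNIX_FIELD, b"\x00") + dst.ljust(UNIX_FIELD, b"\x00")
    return SIGNATURE + struct.pack("!BBH", 0x21, 0x31, len(body)) + body


if __name__ == "__main__":
    # Constructed socket names, for illustration only.
    header = build_sample(b"/run/app.sock", b"\x00backend")
    print(parse_v2_unix(header))
```

Only accept this header from peers that are configured to send it, and reject the connection on any `ValueError` rather than falling back to the socket's own peer address.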


Brotli compression support


@fuero wrote:

Hi,

Is Brotli compression support somewhere on the roadmap? Seems to gain quite some traction.

Regards,
Robert

Posts: 2

Participants: 2

Read full topic

Communication between HAproxy 1.8 and backend in H2


@mmayen wrote:

Hello,

I would like to know how it is possible to communicate with backend in h2 mode.

My conf :

frontend https
        bind *:443 ssl crt /etc/haproxy/certs/ no-tlsv10 alpn h2,http1.1
        mode http
        use_backend my-site.org_HTTP2 if { ssl_fc_alpn -i h2 }

backend my-site.org_HTTP2
	mode http
        server nginx_http2      x.x.x.x:80 send-proxy

But when I “tcpdump” on my backend, I see the request in HTTP/1.1

Thanks for your help.

Best regards,

Posts: 1

Participants: 1

Read full topic

TCP Traffic redirect by domainname


@sysadmin wrote:

Hello, I have a game server. Multiple game instances run on the same server with different ports.

For example:
game 1 : ip:20001
game 2 : ip:20002

The game's default port is 2000. If anyone wants to connect to these servers they must write a port after the IP, because it’s not working on the default port.

Can I redirect this traffic to different ports by domain name?

For example, HAProxy listens on the game’s default port 2000.

If a client tries to connect to abc.com:2000, haproxy redirects this traffic to 127.0.0.1:2001
If they try abcd.com:2000, haproxy redirects this traffic to 127.0.0.1:2002

Is it possible? If yes, how can I do it?

Thank you.

Posts: 2

Participants: 2

Read full topic

Haproxy session rate slow than single web server


@cwhsu wrote:

I setup a haproxy(1.6.3) on ubuntu 16.04 to load balancing two web servers. From my earlier tests, the web servers can handle over 20k request/s. The web servers were tested against wrk2, and I verified number of requests in log. However, with haproxy in front of web servers, it seems that the request per second is limited to about 6k request/s. Is there anything wrong in haproxy config?

haproxy.cnf

global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    maxconn     102400
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log    global
    mode    http
    option    httplog
    option    dontlognull
    # https://serverfault.com/questions/504308/by-what-criteria-do-you-tune-timeouts-in-ha-proxy-config
    timeout connect 5000
    timeout check 5000
    timeout client  30000
    timeout server  30000
    timeout tunnel  3600s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

listen web-test
    mode http
    bind *:80
    balance roundrobin
    option forwardfor
    option http-keep-alive  # connections will no longer be closed after each request
    server test1 SERVER1:80 check maxconn 20000
    server test2 SERVER2:80 check maxconn 20000

If running wrk with 3 instances, I get approximately the same result:

./wrk -t4 -c100 -d30s -R4000 http://HAPROXY/
Running 30s test @ http://HAPROXY/
  4 threads and 100 connections
  Thread calibration: mean lat.: 1577.987ms, rate sampling interval: 7139ms
  Thread calibration: mean lat.: 1583.182ms, rate sampling interval: 7180ms
  Thread calibration: mean lat.: 1587.795ms, rate sampling interval: 7167ms
  Thread calibration: mean lat.: 1583.128ms, rate sampling interval: 7147ms
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     8.98s     2.67s   13.93s    58.43%
    Req/Sec   516.75     11.28   529.00     87.50%
  64916 requests in 30.00s, 51.69MB read
Requests/sec:   2163.75    # Requests/sec decrease slightly
Transfer/sec:      1.72MB

Stats from haproxy:

If running wrk with 1 instance against one of the web servers without haproxy:

./wrk -t4 -c100 -d30s -R4000 http://SERVER1
Running 30s test @ http://SERVER1
  4 threads and 100 connections
  Thread calibration: mean lat.: 1.282ms, rate sampling interval: 10ms
  Thread calibration: mean lat.: 1.363ms, rate sampling interval: 10ms
  Thread calibration: mean lat.: 1.380ms, rate sampling interval: 10ms
  Thread calibration: mean lat.: 1.351ms, rate sampling interval: 10ms
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     1.41ms    0.97ms  22.42ms   96.48%
    Req/Sec     1.05k   174.27     2.89k    86.01%
  119809 requests in 30.00s, 98.15MB read
Requests/sec:   3993.36     # Requests/sec is about 4k
Transfer/sec:      3.27MB

haproxy -vv
HA-Proxy version 1.6.3 2015/12/25
Copyright 2000-2015 Willy Tarreau willy@haproxy.org

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2
  OPTIONS = USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.0.2g-fips  1 Mar 2016
Running on OpenSSL version : OpenSSL 1.0.2g  1 Mar 2016
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.38 2015-11-23
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with Lua version : Lua 5.3.1
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

I know that ab is not a very precise way to test this, but I thought haproxy should give a better result than a single node. However, the results show the opposite.

ab test HAPROXY

ab -n 10000 -c 10 http://HAPROXY/
Requests per second:    4276.18 [#/sec] (mean)

ab test SERVER1

ab -n 10000 -c 10 http://SERVER1/
Requests per second:    9392.66 [#/sec] (mean)

ab test SERVER2

ab -n 10000 -c 10 http://SERVER2/
Requests per second:    8513.28 [#/sec] (mean)

The VM is single core, so there is no need to use nbproc. Plus, I monitor the CPU and memory usage: all VMs use less than 30% CPU and 20% memory. There must be something wrong with the haproxy configs or my system configs.

Haproxy 1.5.14 with OracleHTTPServer(OHS)

@AlexeySharkov wrote:

Hi,
We have a problem working with HAProxy as an HTTP balancer for OracleHTTPServers, with BI servers as application servers.
End users cannot download a huge file.

  1. First, the end user starts exporting a huge file.
  2. BI says OK, download complete, but
  3. the downloaded file is incomplete, just as if a network error had appeared.

I cannot understand where exactly the problem is. I tried without the balancer, directly to OHS: OK.
I tried going directly to the BI servers: OK.

My config is:

defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 4096

frontend main *:80:
    default_backend app

backend app
    balance roundrobin
    cookie JSESSIONID prefix nocache
    server bi11g-httpserver2-p 10.17.34.183:7777 check cookie s1
    server bi11g-httpserver1-p 10.17.34.182:7777 check cookie s2

I set haproxy in debug mode and traced my download session:
<I cannot attach log :(>

Scheme is
