Channel: HAProxy community - Latest topics

Error: failed to parse log-format : format variable 'Tq' is reserved for HTTP mode


@ralf wrote:

Hi Everyone,

I’ve got a working setup where haproxy 1.8.3 successfully balances HTTP traffic. I now want to add TLS / SSL. The result should be, that HTTP and HTTPS work in parallel.

When adding a frontend section for SSL, the configuration fails with:

Parsing [/etc/haproxy/haproxy.cfg.new:27]: failed to parse log-format : format variable 'Tq' is reserved for HTTP mode.

I do have a log-format statement in the defaults:

log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %rc\ %hr\ %hs\ %rt\ %{+Q}r\ %sslc\ %sslv\ body:%[capture.req.hdr(0)]

How can I configure HTTP and HTTPS to work in tandem and keep the log format for HTTP connections?

Posts: 4

Participants: 2



Help to convert F5 IRule to haproxy


@IanCurtis wrote:

Hey,
I am new to HAProxy, I need to convert the following F5 iRule to HAProxy config file:

when HTTP_RESPONSE {
    set newdomain ".domainxyz.com"
    #set newcookie [HTTP::cookie names]
    foreach newcookie [HTTP::cookie names] {
        HTTP::cookie domain $newcookie $newdomain
        #HTTP::cookie domain $newdomain
    }
}

Another thing: how do I configure a failover URL in case the backend servers are dead, like a maintenance web page?

thank you

Posts: 1

Participants: 1


Move from 1.7 to 1.8


@stefws wrote:

Considering moving a keepalived HA setup to 1.8.4 from 1.7.9, and are wondering if 1.8 could peer stick-table w/1.7?

In this case we would attempt to fail-over service from active haproxy 1.7 to a 1.8 for a while and if successful later update passive 1.7 also to 1.8 and on error fail back to previous active 1.7 and revert 1.8 node.

Forget about it, just patch both nodes to 1.8.4 :)

Posts: 2

Participants: 2


High number of retries


@lemkepf wrote:

Hello Everyone!

I just started logging all haproxy web requests to elasticsearch and have been running some analysis on the long running requests. I came across a high number of requests that are being retried - meaning they hit the “timeout connect 10s” limit and were retrieved successfully.

Our HAProxy box runs on a 1gb/s nic and has at most 30mb/s coming out of it. We have about 400 r/s coming into haproxy and split pretty evenly to our 4 webservers. Looking at the stats we have .8/s retry rate. That seems awfully high to me… I understand that number will never be zero but almost 1 request a second is having to retry.

I’ve been monitoring/logging tons of networking metrics on our webserver side and they seem fine. No queueing on their side, normal cpu (<30%), and around 30mb/s also on a 1gb/s nic.

I’ve set the timeout lower to “3100” and the rate stayed the same.

My main question is what are the normal causes of the high retry rate? Nic being saturated? Our servers sit right next to each other so latency shouldn’t be an issue.

The only other thing I have thought of is we use websockets with haproxy and have a high number of connections (about 6000) at this writing.

Any help or direction in digging into this would be appreciated!
Paul

Posts: 1

Participants: 1


Is there a way to do "fan-out" to all endpoint?


@amotzte wrote:

I’m wondering if there is a way to make haproxy do a “fan-out” to a call. Let’s say I want to make 1 call to haproxy and have it pass that call to all of the endpoints currently active. Is this possible?

Posts: 1

Participants: 1


Problem authentication simple weblogic backend


@obugueno wrote:

Dear good, nice to greet you and thank you in advance for your answer, I will use the google translator, excuse me for the writing mistakes. I commented that I maintain a haproxy configuration based on operating system rhel 7.4 and HA-Proxy version 1.5.18.

In relation to the configuration, I have 4 balanced sites, the incident is presented when consuming a service which performs a https redirection and invokes a simple authentication that is done within a weblogic osb “esb.vtr.cl”, I attach the complete configuration of the proxy, in addition to the configuration by weblogic, I hope to receive news soon from you thanked.

When performing tests on http and https without authentication does not present any inconvenience, please support

Haproxy configuration

global
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 10000
user haproxy
group haproxy
daemon
stats socket /var/lib/haproxy/stats
stats socket /var/run/haproxy.sock mode 600 level admin

defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 10000
stats enable
stats uri /stats
stats realm HAProxy\ Statistics
stats auth admin:admin

frontend http-ddrservice
mode http
bind 172.17.113.4:80
reqadd X-Forwarded-Proto:\ http
default_backend vtrddrservicecluster-backend

frontend http-esb
mode http
bind 172.17.113.5:80
reqadd X-Forwarded-Proto:\ http
default_backend esb-vtresbcluster-backend
#acl host_esb hdr(host) -i esb.vtr.cl
#use_backend esb-vtresbcluster-backend if host_esb
#acl host_eps hdr(host) -i eps.vtr.cl
#use_backend eps-vtrepscluster-backend if host_eps
#acl host_ddrservice.vtr.cl hdr(host) -i ddrservice.vtr.cl
#use_backend vtrddrservicecluster-backend if host_ddrservice.vtr.cl
#acl host_visordeboleta.vtr.cl hdr(host) -i visordeboleta.vtr.cl
#use_backend vtrvisorboletacluster-backend if host_visordeboleta.vtr.cl

frontend http-eps
mode http
bind 172.17.113.6:80
reqadd X-Forwarded-Proto:\ http
default_backend eps-vtrepscluster-backend

frontend http-visorboleta
mode http
bind 172.17.113.7:80
reqadd X-Forwarded-Proto:\ http
default_backend vtrvisorboletacluster-backend

frontend https-esb
mode http
bind 172.17.113.5:443 ssl crt /etc/cert/esb.vtr.cl.pem
reqadd X-Forwarded-Proto:\ https
default_backend esb-vtresbcluster-backend
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Request-Start t=%Ts%ms
http-request set-header Host esb.vtr.cl

backend esb-vtresbcluster-backend
mode http
balance leastconn
cookie SERVERID insert indirect nocache
server vtresb01_tigris tigris.vtr.cl:7011 check inter 5000 fastinter 1000 fall 1 rise 1 weight 1 maxconn 10000
server vtresb02_yukon yukon.vtr.cl:7011 check inter 5000 fastinter 1000 fall 1 rise 1 weight 1 maxconn 10000
server vtresb03_eufrates eufrates.vtr.cl:7011 check inter 5000 fastinter 1000 fall 1 rise 1 weight 1 maxconn 10000
server vtresb04_arkansas arkansas.vtr.cl:7011 check inter 5000 fastinter 1000 fall 1 rise 1 weight 1 maxconn 10000

backend eps-vtrepscluster-backend
mode http
balance leastconn
cookie JSESSIONID prefix ## session handling
#cookie SERVERID insert indirect nocache ## session handling
#redirect scheme https if !{ ssl_fc }
hash-type consistent # affinity within HAProxy
server belaya.vtr.cl belaya.vtr.cl:8280 check inter 5000 fastinter 1000 fall 1 rise 1 weight 1 maxconn 10000
server cimarron.vtr.cl cimarron.vtr.cl:8280 check inter 5000 fastinter 1000 fall 1 rise 1 weight 1 maxconn 10000

backend vtrddrservicecluster-backend
mode http
balance leastconn
cookie JSESSIONID prefix
cookie SERVERID insert indirect nocache
#redirect scheme https if !{ ssl_fc }
hash-type consistent # affinity within HAProxy
server svmovilprod01_ural ural.vtr.cl:9081 check inter 5000 fastinter 1000 fall 1 rise 1 weight 1 maxconn 10000
server svmovilprod02_angara angara.vtr.cl:9081 check inter 5000 fastinter 1000 fall 1 rise 1 weight 1 maxconn 10000

backend vtrvisorboletacluster-backend
mode http
balance leastconn
cookie JSESSIONID prefix
cookie SERVERID insert indirect nocache
#redirect scheme https if !{ ssl_fc }
hash-type consistent # affinity within HAProxy
server vboleta01_murray murray.vtr.cl:8001 check inter 5000 fastinter 1000 fall 1 rise 1 weight 1 maxconn 10000
server vbpresprod02_aldan aldan.vtr.cl:8001 check inter 5000 fastinter 1000 fall 1 rise 1 weight 1 maxconn 10000
[root@muerto ~]#

Simple authentication osb weblogic service

Client authentication "basic"
Display Policy "Empty"
Ecuest Encoding “Empty”

Error presented
[image]

Posts: 1

Participants: 1


Identify Request Domain


@Racco wrote:

Hi!
Is there a reliable way to check the client’s requested destination domain within a TLS connection?
I know I could use req_ssl_sni but the problem is that not all browsers support it. I would like to forbid clients to connect to defined sites, but I won’t like to block them on IP. My aim is to block them on the requested SNI, CN of the Server’s Cert or something like that. Do u have an idea?

Posts: 1

Participants: 1


About buffer size setting


@fsfs wrote:

Hello Everyone!
About tune.bufsize 16384 this setting.
This option can be set in each frontend?
because I need Lua to get post data big.

e.g:
frontend http-get
bind :8000
mode http
bufsize 8192

frontend http-post
bind :8001
mode http
#buffer size 10MB
bufsize 10485760
option http-buffer-request

Posts: 2

Participants: 2



Does 'ssl verify none' work for self-signed certificate in tcp mode healthcheck?


@Akihiro wrote:

I want to configure HAProxy as a tcp pass-through with ssl proxy, but some settings don’t work.

I think the ‘ssl verify none’ option at the listen directive works when the backend server uses a self-signed certificate.
But with the ‘ssl verify none’ option with mode tcp, I cannot access the backend server with the https protocol.
Is it correct behavior?

  • This config does not work as https frontend, only http access

global
  chroot /var/lib/haproxy
  user haproxy
  group haproxy
  log 127.0.0.1 local2
  pidfile /var/run/haproxy.pid
  maxconn 40000
  daemon
  stats socket /var/lib/haproxy/stats level admin

defaults
  mode tcp
  log global
  option tcplog
  option dontlognull
  option redispatch
  retries 3
  timeout http-request 10s
  timeout queue 1m
  timeout connect 10s
  timeout client 1m
  timeout server 1m
  timeout http-keep-alive 10s
  timeout check 10s
  maxconn 10000

listen https_web
  mode tcp
  bind *:8443
  balance roundrobin
  option log-health-checks
  reqadd X-Forwarded-Proto:\ http
  server sv1 sv1:8443 maxconn 512 check check-ssl inter 60s ssl verify none
  server sv2 sv2:8443 maxconn 512 backup check check-ssl inter 60s ssl verify none
  server sv3 sv3:8443 maxconn 512 backup check check-ssl inter 60s ssl verify none
  option httpchk GET /health
  http-check expect status 200

  • This config works as https frontend

global
  chroot /var/lib/haproxy
  user haproxy
  group haproxy
  log 127.0.0.1 local2
  pidfile /var/run/haproxy.pid
  maxconn 40000
  daemon
  ssl-server-verify none
  stats socket /var/lib/haproxy/stats level admin

defaults
  mode tcp
  log global
  option tcplog
  option dontlognull
  option redispatch
  retries 3
  timeout http-request 10s
  timeout queue 1m
  timeout connect 10s
  timeout client 1m
  timeout server 1m
  timeout http-keep-alive 10s
  timeout check 10s
  maxconn 10000

listen https_web
  mode tcp
  bind *:8443
  balance roundrobin
  option log-health-checks
  reqadd X-Forwarded-Proto:\ http
  server sv1 sv1:8443 maxconn 512 check check-ssl inter 60s
  server sv2 sv2:8443 maxconn 512 backup check check-ssl inter 60s
  server sv3 sv3:8443 maxconn 512 backup check check-ssl inter 60s
  option httpchk GET /health
  http-check expect status 200

My haproxy build information is below.

HA-Proxy version 1.5.18 2016/05/10
Copyright 2000-2016 Willy Tarreau willy@haproxy.org

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Posts: 2

Participants: 2


How to convert the Apache rewrite rules in haproxy


@thiagarajanb wrote:

Hello All,

I am configuring HAProxy for the first time, We are using it mainly as a reverse proxy replacing the existing OHS server to redirect to 2 Oracle E-Business Suite DMZ nodes.

We had written rewrite rules to allow and block pages on the existing OHS as below :

RewriteRule ^/OA_MEDIA/.*.(gif|jpg|jpeg|bmp|png|PNG|pdf|PDF)$ - [L]

RewriteRule ^/OA_HTML/.*.(gif|jpg|jpeg|bmp|png|PNG|pdf|PDF)$ - [L]

RewriteRule ^/OA_HTML/.*.(js|css|xss)$ - [L]

This setup was working as expected. Now, We want to replicate the same via HAProxy.

Please help with the syntax samples for writing the above Rewrite rules in HAProxy setup.

Thanks and Regards,
Thiagarajan.

Posts: 1

Participants: 1


How to get a big post data?


@fsfs wrote:

I need to save post data to file,
So setting
global
tune.bufsize 8650752
tune.maxrewrite 16384

frontend node-save-post
bind :8080
mode http
option http-buffer-request

After a few hours of running the program
I got this

runtime error: /root/lua/haproxy1.lua:203: Lua: ‘start_response’: response header block too big.

Posts: 7

Participants: 2


Check if current sessions with Socket


@isa wrote:

Hi

I am using unix socket to change the state of nodes on Haproxy for automation. I am able to put it into the following states maint, drain and ready using the below command.

echo "set server $FRONTEND/$NODE state drain" | nc -U /var/lib/haproxy/stats

How do I check if the node is fully drained from command line?

Posts: 1

Participants: 1


HAProxy for Redis Sentinel: BACKUP, not DOWN for role:slave

Haproxy retries using option redispatch


@sumansatpathy wrote:

Hi, I’m looking for some help in getting information where I want to understand the option redispatch’s reach on retries. Can I retry my requests on specific errors, e.g. including some timeout responses received from my backend server?

E.g. haproxy sends request to S1 (S1 processes the request and realizes it’s taking so much time in processing and terminates the request with specific error code in HTTP response 503, 504, even 500).

If I want to retry the request on S2 then S3 which have failed with 500, e.g. for 3 retries on round robin basis before abandoning it. Is it possible to configure?

Posts: 1

Participants: 1


Redirect to www


HAProxy 1.8.4 at 100% CPU right after startup


@fraenki wrote:

Hi,

I’m using HAProxy 1.8.4 on FreeBSD 11.1. Unfortunately it’s unusable, because it consumes 100% CPU a few seconds after startup. I was not able to track this down to a specific option in the configuration file.

Technically speaking, HAProxy is still up and running, but in this state the connections behave very strangely. For example MySQL connections may or may not work, or they abort or get stuck. Besides that I’m using this HAProxy box for mail and web traffic too. FWIW, this configuration works flawlessly with 1.7.10 (which I was forced to downgrade to).

I’ve tried nbproc 1, nbproc 8, nbthread 1, nbthread 10, no matter what I choose, it always ends up with 100% CPU usage.

The gdb output does not look very useful, or can you spot something useful?

root@host:~ # gdb --pid 58391
GNU gdb (GDB) 8.0.1 [GDB v8.0.1 for FreeBSD]
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-portbld-freebsd11.1".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
Attaching to process 58391
Reading symbols from /usr/local/sbin/haproxy...done.
Reading symbols from /lib/libcrypt.so.5...(no debugging symbols found)...done.
Reading symbols from /lib/libz.so.6...(no debugging symbols found)...done.
Reading symbols from /lib/libthr.so.3...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libssl.so.8...(no debugging symbols found)...done.
Reading symbols from /lib/libcrypto.so.8...(no debugging symbols found)...done.
Reading symbols from /usr/local/lib/liblua-5.3.so...(no debugging symbols found)...done.
Reading symbols from /lib/libm.so.5...(no debugging symbols found)...done.
Reading symbols from /lib/libc.so.7...(no debugging symbols found)...done.
Reading symbols from /libexec/ld-elf.so.1...(no debugging symbols found)...done.
[Switching to LWP 100644 of process 58391]
0x000000867b1b8fea in _kevent () from /lib/libc.so.7
(gdb) bt full
#0  0x000000867b1b8fea in _kevent () from /lib/libc.so.7
No symbol table info available.
#1  0x000000867a25fcd2 in ?? () from /lib/libthr.so.3
No symbol table info available.
#2  0x000000000041d85c in _do_poll (p=0x8ab7d0 <cur_poller>, exp=45596037) at src/ev_kqueue.c:115
        status = 2074008608
        count = 45596037
        fd = 200
        delta_ms = 5
        timeout = {tv_sec = 0, tv_nsec = 5000000}
        updt_idx = 0
        en = 0
        eo = 0
        changes = 0
#3  0x000000000050f7be in run_poll_loop () at src/haproxy.c:2424
        next = 45596037
        exp = 45596037
#4  0x000000000050cf10 in run_thread_poll_loop (data=0x867bbfe6c0) at src/haproxy.c:2460
        start_lock = 0
        ptif = 0x89e2f8 <per_thread_init_list>
        ptdf = 0x206
#5  0x0000000000509a90 in main (argc=6, argv=0x793eabda1b38) at src/haproxy.c:3049
        tids = 0x867bbfe6c0
        threads = 0x867bbfe6e0
        i = 1
        err = 0
        retry = 200
        limit = {rlim_cur = 500096, rlim_max = 500096}
        errmsg = "\000\033\332\253>y\000\000p\033\332\253>y\000\000\070\033\332\253>y\000\000\006\000\000\000\000\000\000\000\217c}\310;\"sA\240O\212\000\000\000\000\000\060\033\332\253>y\000\000p\033\332\253>y\000\000\070\033\332\253>y\000\000\006\000\000\000\000\000\000\000\320\032\332\253>y\000\000\322\005 {\206\000\000\000\001\000\000"
        pidfd = 40
(gdb) cont
Continuing.
^C
Program received signal SIGINT, Interrupt.
0x000000867b1b8fea in _kevent () from /lib/libc.so.7
(gdb) bt full
#0  0x000000867b1b8fea in _kevent () from /lib/libc.so.7
No symbol table info available.
#1  0x000000867a25fcd2 in ?? () from /lib/libthr.so.3
No symbol table info available.
#2  0x000000000041d85c in _do_poll (p=0x8ab7d0 <cur_poller>, exp=45597649) at src/ev_kqueue.c:115
        status = 2074006208
        count = 45597649
        fd = 200
        delta_ms = 134
        timeout = {tv_sec = 0, tv_nsec = 134000000}
        updt_idx = 0
        en = 0
        eo = 0
        changes = 0
#3  0x000000000050f7be in run_poll_loop () at src/haproxy.c:2424
        next = 45597649
        exp = 45597649
#4  0x000000000050cf10 in run_thread_poll_loop (data=0x867bbfe6c0) at src/haproxy.c:2460
        start_lock = 0
        ptif = 0x89e2f8 <per_thread_init_list>
        ptdf = 0x206
#5  0x0000000000509a90 in main (argc=6, argv=0x793eabda1b38) at src/haproxy.c:3049
        tids = 0x867bbfe6c0
        threads = 0x867bbfe6e0
        i = 1
        err = 0
        retry = 200
        limit = {rlim_cur = 500096, rlim_max = 500096}
        errmsg = "\000\033\332\253>y\000\000p\033\332\253>y\000\000\070\033\332\253>y\000\000\006\000\000\000\000\000\000\000\217c}\310;\"sA\240O\212\000\000\000\000\000\060\033\332\253>y\000\000p\033\332\253>y\000\000\070\033\332\253>y\000\000\006\000\000\000\000\000\000\000\320\032\332\253>y\000\000\322\005 {\206\000\000\000\001\000\000"
        pidfd = 40
(gdb) cont
Continuing.
^C
Program received signal SIGINT, Interrupt.
0x000000867b1b8fea in _kevent () from /lib/libc.so.7
(gdb) bt full
#0  0x000000867b1b8fea in _kevent () from /lib/libc.so.7
No symbol table info available.
#1  0x000000867a25fcd2 in ?? () from /lib/libthr.so.3
No symbol table info available.
#2  0x000000000041d85c in _do_poll (p=0x8ab7d0 <cur_poller>, exp=45605353) at src/ev_kqueue.c:115
        status = 2074007168
        count = 45605353
        fd = 200
        delta_ms = 32
        timeout = {tv_sec = 0, tv_nsec = 32000000}
        updt_idx = 0
        en = 0
        eo = 0
        changes = 0
#3  0x000000000050f7be in run_poll_loop () at src/haproxy.c:2424
        next = 45605353
        exp = 45605353
#4  0x000000000050cf10 in run_thread_poll_loop (data=0x867bbfe6c0) at src/haproxy.c:2460
        start_lock = 0
        ptif = 0x89e2f8 <per_thread_init_list>
        ptdf = 0x206
#5  0x0000000000509a90 in main (argc=6, argv=0x793eabda1b38) at src/haproxy.c:3049
        tids = 0x867bbfe6c0
        threads = 0x867bbfe6e0
        i = 1
        err = 0
        retry = 200
        limit = {rlim_cur = 500096, rlim_max = 500096}
        errmsg = "\000\033\332\253>y\000\000p\033\332\253>y\000\000\070\033\332\253>y\000\000\006\000\000\000\000\000\000\000\217c}\310;\"sA\240O\212\000\000\000\000\000\060\033\332\253>y\000\000p\033\332\253>y\000\000\070\033\332\253>y\000\000\006\000\000\000\000\000\000\000\320\032\332\253>y\000\000\322\005 {\206\000\000\000\001\000\000"
        pidfd = 40


root@host:~ # haproxy -vv
HA-Proxy version 1.8.4-1deb90d 2018/02/08
Copyright 2000-2018 Willy Tarreau <willy@haproxy.org>

Build options :
  TARGET  = freebsd
  CPU     = generic
  CC      = cc
  CFLAGS  = -pipe -g -fstack-protector -fno-strict-aliasing -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-address-of-packed-member -Wno-null-dereference -Wno-unused-label -DFREEBSD_PORTS
  OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_CPU_AFFINITY=1 USE_ACCEPT4=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_STATIC_PCRE=1 USE_PCRE_JIT=1

Default settings :
  maxconn = 200000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with network namespace support.
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE version : 8.40 2017-01-11
Running on PCRE version : 8.40 2017-01-11
PCRE library supports JIT : yes
Built with multi-threading support.
Encrypted password support via crypt(3): yes
Built with transparent proxy support using: IP_BINDANY IPV6_BINDANY
Built with Lua version : Lua 5.3.4
Built with OpenSSL version : OpenSSL 1.0.2k-freebsd  26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-freebsd  26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2

Available polling systems :
     kqueue : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use kqueue.

Available filters :
	[TRACE] trace
	[COMP] compression
	[SPOE] spoe

This sounds similar to this report:


But the patch did not solve it for me. Maybe it’s totally unrelated to SSL in general.

Thanks!

- Frank

Posts: 1

Participants: 1


How to log if request is HTTP2?


@lemkepf wrote:

Hello,

I’m trying to log if a request is HTTP2 or not. So far I’m not seeing that info with the default “option http-log” settings. I know “ssl_fc_alpn” does exist, but can’t figure out for the life of me how to get it into a custom log.

Thanks,
Paul

Posts: 2

Participants: 1


Can haproxy be used for converting JMS Message to http or viceversa

1.8.4-1deb90d all max counters now at high numbers


@stefws wrote:

Upgraded from 1.7.9 to 1.8.4 and now finding that stats shows max counters at unbelievable high numbers
even after a ‘clear counters all’, they climb/bump quick to similar high figures.

E.g. Frontends and Backends ‘Max Session Rate’ or ‘Max Sessions’ are in millions, which isn’t true. They normally vary in hundreds in 1.7.9.

Could this be a bug?

Posts: 1

Participants: 1


SSL_ERROR_RX_RECORD_TOO_LONG failure


@Racco wrote:

Hello guys!

I know there are a lot of users reporting that the browser returns SSL_ERROR_RX_RECORD_TOO_LONG but I did not find any solution for my problem… so I hope that u can help me.

I am using HAProxy as a forwarding proxy! I got any local server and so I am not using load balancing.
To make it easier… my simplified haproxy.conf:

frontend https_front
bind *:443 transparent
mode tcp

some ACLs…

use_backend https_back

backend https_back
mode tcp
source 0.0.0.0 usesrc client
server sv 0.0.0.0

Everything works great! UNTIL I change the server config to “server sv 0.0.0.0 ssl”. When I config in this way the Client’s Browser is showing: An error occurred during a connection to www.facebook.com. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

Why do I need the ssl option? I added a fetch method to the source code to read out the common name of the backend server’s certificate and this only works if the ssl option is present - otherwise it seems like haproxy does not verify the backend connection as a SSL/TLS connection and so I can not get the certificate (in an easy way).

May u have ideas for me… this would save me a lot of time of editing more code.

Posts: 2

Participants: 2



