Channel: HAProxy community - Latest topics

'Resource temporarily unavailable'

@fsfs wrote:

82372: 1.466959344 accept4(0x8,0x7fffffffe7a0,0x7fffffffe798,0x20000000) = 14 (0xe)
82372: 1.467039572 setsockopt(14,IPPROTO_TCP,TCP_NODELAY,0x578174,4) = 0 (0x0)
82372: 1.467097580 accept4(0x8,0x7fffffffe7a0,0x7fffffffe798,0x20000000) ERR#35 'Resource temporarily unavailable'

HA-Proxy version 1.8.4-de425f6 2018/02/26
Copyright 2000-2018 Willy Tarreau willy@haproxy.org

Build options :
TARGET = freebsd
CPU = generic
CC = cc
CFLAGS = -O2 -pipe -fstack-protector -fno-strict-aliasing -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-address-of-packed-member -Wno-null-dereference -Wno-unused-label -DFREEBSD_PORTS
OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_CPU_AFFINITY=1 USE_ACCEPT4=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_STATIC_PCRE=1 USE_PCRE_JIT=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with network namespace support.
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE version : 8.40 2017-01-11
Running on PCRE version : 8.40 2017-01-11
PCRE library supports JIT : yes
Built with multi-threading support.
Encrypted password support via crypt(3): yes
Built with transparent proxy support using: IP_BINDANY IPV6_BINDANY
Built with Lua version : Lua 5.3.4
Built with OpenSSL version : OpenSSL 1.0.2k-freebsd 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-freebsd 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2

Available polling systems :
kqueue : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use kqueue.

Available filters :
[TRACE] trace
[COMP] compression
[SPOE] spoe

HAProxy backend logging

@senattcs wrote:

Is there a way to log the HTTP headers going to a backend? I'm getting HTTP 400 Bad Request from a backend server and I need to figure out what headers we are sending towards the backend.

Haproxy, openssl 1.1 and ECDSA certs

@darix wrote:

After upgrading my haproxy machine to the beta of openSUSE Leap 15.0, SSL connections did not work anymore. A lot of debugging and testing later, I did a rebuild with openssl 1.0 and it all started working again.
RSA certificates were also just working. If you have similar issues you might also run into:

The workaround for me was to configure the same curve as used in my SSL cert.

$ openssl x509 -noout -text -in /path/to/cert.pem | grep -B1 'NIST CURVE'
                ASN1 OID: secp384r1 <-
                NIST CURVE: P-384

Then add the curves parameter to your bind line:

bind 0.0.0.0:443   tfo ssl alpn h2,http/1.1 npn h2,http/1.1 crt /path/to/certs/ curves secp384r1
bind :::443 v6only tfo ssl alpn h2,http/1.1 npn h2,http/1.1 crt /path/to/certs/ curves secp384r1

Of course this workaround only works if all your certs use the same curve. Or you will have to do different bind statements for each certificate.

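An added configuration example, not the poster's: the curves keyword accepts a colon-separated list, and OpenSSL only signs with an ECDSA certificate key whose curve is in the server's configured list, the same list that defines the ECDHE groups offered to clients. Naming every curve in use therefore lets P-256 and P-384 certificates in one crt directory share a single bind line, without one bind per certificate. The paths, the backend and the openssl check in the comments are assumptions.

```haproxy
# Added example, not the poster's configuration. Paths are assumptions.
frontend https-in
    mode http
    # One curve list for every certificate in the directory: list each curve a
    # certificate key uses (P-256, P-384) plus X25519 for key exchange. A curve
    # missing from this list is unusable both for ECDHE and for signing with an
    # ECDSA key of that curve, which is the failure the post describes for P-384.
    bind 0.0.0.0:443 ssl crt /path/to/certs/ alpn h2,http/1.1 curves X25519:P-256:P-384
    bind :::443 v6only ssl crt /path/to/certs/ alpn h2,http/1.1 curves X25519:P-256:P-384
    # Check what a listener actually negotiates for a given name (assumed host):
    #   openssl s_client -connect 127.0.0.1:443 -servername www.example.net </dev/null \
    #     | grep -E 'Server public key|Server Temp Key'
    default_backend app

backend app
    server app1 127.0.0.1:8080 check
```

Cutting the list down to the single curve of one certificate, as in the workaround above, works but also forces every client to do ECDHE on that curve; a list that contains the certificate curves plus X25519 keeps the certificates usable without narrowing key exchange.
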
Auth_request using lua script

@hpb4530 wrote:

Hi, I am trying to achieve something like ngx_http_auth_request_module.

I followed TimWolla/haproxy-auth-request. It works fine with haproxy 1.8.4, but I am getting the following error with haproxy 1.7.10:

[ALERT] 071/113202 (13139) : parsing [haproxy.conf:2] : lua runtime error: /usr/share/haproxy/auth-request.lua:56: 'register_action' needs 3 arguments

Is there any workaround to make it work in haproxy 1.7.10? Or any alternative to this Lua script?

Thanks.

When using client SSL authentication with multiple CAs how should the CRL be constructed?

@Dougs wrote:

A rather odd set of project requirements means I need to implement client SSL authentication using multiple CAs; there will be a mixture of commercial SSL providers and private CAs.

Adding all the relevant root CAs to a single file works fine, unless I add the crl-file directive; once I do that I can’t get a client certificate to work unless I put the client cert’s intermediate cert into my root CA file, which isn’t a practical approach.

How should I be setting up the certificate revocation file for this situation? All the information I can find on client auth with CRL assumes a single root CA is in use.

Is there a trick to combining all the CRLs to make this scenario work?

(currently using haproxy 1.5 on CentOS 7.4)

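An added configuration example for the multi-CA client-authentication case, not from the post: the ca-file carries every root and intermediate that can appear in a client chain, and the crl-file is one PEM file holding a CRL for each of those CAs. HAProxy verifies with OpenSSL's CRL_CHECK_ALL flag, so every issuer in a presented chain needs a CRL, including the root's CRL that covers the intermediate; an expired CRL (nextUpdate in the past) fails verification. File names, issuer names and the backend are assumptions.

```haproxy
# Added example, not the poster's configuration. File paths and names are assumptions.
#
# client-cas.pem  : every root CA and every intermediate CA that can appear in a
#                   client's chain, concatenated. Many clients send only their leaf
#                   certificate, so the intermediates must be available here.
# client-crls.pem : one current CRL for each CA in client-cas.pem, concatenated into
#                   a single PEM file. Verification runs with CRL_CHECK_ALL, so a chain
#                   whose intermediate has no CRL in this file is rejected, and so is
#                   any chain once one of its CRLs has passed nextUpdate. Refresh the
#                   file and reload HAProxy before that happens.
frontend fe-client-auth
    mode http
    bind :443 ssl crt /etc/haproxy/ssl/server.pem ca-file /etc/haproxy/ssl/client-cas.pem crl-file /etc/haproxy/ssl/client-crls.pem verify required
    # set-header replaces any same-named header the client sent, so the application
    # only ever sees the identity taken from the TLS layer.
    http-request set-header X-Client-Cert-DN %[ssl_c_s_dn]
    http-request set-header X-Client-Cert-Issuer %[ssl_c_i_dn]
    # The handshake accepts a valid chain to any CA in client-cas.pem; restrict
    # further to the issuers this application actually expects (assumed names).
    acl issuer_ok ssl_c_i_dn(O) -m str ExampleCorp ExampleCommercialCA
    http-request deny unless issuer_ok
    default_backend app

backend app
    server app1 10.0.0.10:8080 check
```
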
HAProxy does not take the behavior of roundrobin

@Paul.LKW wrote:

Dear all:
I just installed haproxy-1.8.4 and configured it as a basic roundrobin setup. However, I find that phpMyAdmin could not log in: every time I typed the login ID and password and clicked Login, it was brought forward to the next backend server and hence I got a new session ID. So I googled for dealing with cookies/sessions and found it could be solved by inserting "cookie SESSIONID insert postonly indirect" within the backend section. However, after this statement I find it will not go to the next server anymore.

Below is my configuration file. Is there anything I am doing wrong?

global
    daemon
    maxconn 256
    #user haproxy
    #group haproxy
    # "log" takes a syslog address; /var/log is a directory, /dev/log is the local syslog socket
    log /dev/log local0
    log /dev/log local1 notice
    stats socket /var/run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s

    # Default SSL material locations
    #ca-base /etc/ssl/certs
    #crt-base /etc/ssl/private

defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend http-800-in
    bind *:800 # This port routes to the default port 80 defined in the "backend servers" section below
    reqadd X-Forwarded-Proto:\ http
    default_backend servers

backend servers
    mode http
    balance roundrobin
    # Add this to get the client's actual IP address. Without this,
    # our application would instead see every incoming request as coming from the load balancer's IP address
    option forwardfor
    # Add this to let our applications know what port to use when redirecting/generating URLs
    http-request set-header X-Forwarded-Port %[dst_port]

    #http-request add-header X-Forwarded-Proto https if { ssl_fc }
    option httpchk HEAD / HTTP/1.1\r\nHost:localhost

    ### Below is for the http-auth feature (needs a "userlist auth_list" section, not shown) ###
    acl draw-auth http_auth(auth_list)
    http-request auth realm draw unless draw-auth

    # Below is our backend server list.
    # The cookie value must be unique per server: with the same value ("check") on all
    # three servers, every request carrying the cookie matches the first server, so
    # traffic never moves to the others once the cookie has been set.
    cookie SESSIONID insert postonly indirect
    server ET-POC-RH01 123.45.67.8:80 check cookie rh01
    server ET-POC-RH02 123.45.67.8:80 check cookie rh02
    server ET-POC-RH03 123.45.67.8:80 check cookie rh03

Haproxy settings priority

@AleksASB wrote:

Hello!

I have such backend section in my config:

backend app-servers
        mode tcp
        balance roundrobin
        stick-table type ip size 900k expire 30m
        stick on src
        option tcp-check
        maxconn 1300
        server app-01 172.1.2.3:443 check port 443
        server app-02 172.1.2.4:443 check port 443
        server app-03 172.1.2.5:443 check port 443
        server app-04 172.1.2.6:443 check port 443

Please help me understand such “what if” scenario:
The client's IP address is in the stick table and he wants to establish another session from the same IP address, but his "working" server (e.g. app-01) is full (number of connections = 1300). This session will:

  1. Drop
  2. Hang
  3. Be put by Haproxy on another server (e.g. app-02 or app-03) whose number of current connections is lower?

And the second question:

is this config:

backend app-servers
            mode tcp
            balance roundrobin
            stick-table type ip size 900k expire 30m
            stick on src
            option tcp-check
            maxconn 1300
            server app-01 172.1.2.3:443 check port 443
            server app-02 172.1.2.4:443 check port 443
            server app-03 172.1.2.5:443 check port 443
            server app-04 172.1.2.6:443 check port 443

equal to this?

backend app-servers
            mode tcp
            balance roundrobin
            stick-table type ip size 900k expire 30m
            stick on src
            option tcp-check
            server app-01 172.1.2.3:443 check port 443 maxconn 1300
            server app-02 172.1.2.4:443 check port 443 maxconn 1300
            server app-03 172.1.2.5:443 check port 443 maxconn 1300
            server app-04 172.1.2.6:443 check port 443 maxconn 1300

Haproxy version is 1.5.18

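An added configuration, not the poster's, annotated with what HAProxy does in the scenario asked about: a connection for a source that is stuck to a server which has reached its maxconn is queued on that server, not moved to another one, and is dropped when timeout queue expires (the log shows the sQ termination state). It also shows where maxconn has to live: at section level it is a frontend limit and is ignored with a warning in a backend, so the two configurations in the post are not equivalent.

```haproxy
# Added example, not the poster's configuration. Same backend, with the settings that
# decide what happens to a sticky client when its server is full.
backend app-servers
    mode tcp
    balance roundrobin
    stick-table type ip size 900k expire 30m
    stick on src
    option tcp-check
    # When the server a source is stuck to already has 1300 connections, a new
    # connection from that source waits in that server's queue; it is not dispatched
    # to a less loaded server. If no slot frees within "timeout queue" (which defaults
    # to "timeout connect" when unset) the connection is closed: a 503 in HTTP mode,
    # a plain close in TCP mode, logged with termination state sQ.
    timeout queue 5s
    # Redispatch only applies when the connection attempt itself fails (refused or
    # timed out, typically a server that just went down); a full server does not
    # fail the attempt, it queues.
    option redispatch
    retries 3
    # "maxconn 1300" placed directly in this backend section would be ignored with a
    # warning; the limit is per server and belongs on each server line.
    server app-01 172.1.2.3:443 check port 443 maxconn 1300
    server app-02 172.1.2.4:443 check port 443 maxconn 1300
    server app-03 172.1.2.5:443 check port 443 maxconn 1300
    server app-04 172.1.2.6:443 check port 443 maxconn 1300
```
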
Seamless reloads: don't work with nbthread

@happy wrote:

Each reload creates "Connection reset by peer" errors (the same as a plain restart).

Tested with 1.8.3, 1.8.4 and with last commit (703408)

gRPC + HAProxy and connection reset by peer

@armax wrote:

Hi folks,

I am looking for suggestions on how to understand an issue we're observing in our environment, where we have a couple of gRPC service replicas (active/backup) fronted by HAProxy (version 1.6.11). The haproxy configuration looks something like this:

listen stats
  maxconn 2000
  balance leastconn
  bind 127.0.0.1:8888
  mode http
  stats enable
  stats uri /
  stats hide-version
  stats refresh 5s

frontend myservers
  maxconn 2000
  bind 0.0.0.0:12000
  mode tcp
  default_backend myservers

backend myservers
  mode tcp
  balance roundrobin
  server server1 server1:12000 check port 12002 inter 1s
  server server2 server2:12000 check port 12002 inter 1s backup

The gRPC service is littered with traces like:

"transport: http2Server.HandleStreams failed to read frame: read tcp 10.64.37.24:12000->10.64.37.213:59012: read: connection reset by peer

I was able to pinpoint the presence of the traces to the fact that haproxy connections are not being closed with a FIN flag. Connections closed with an RST flag don't seem to trigger the trace. It also seems that some connections are closed with an RST packet, others with a FIN flag.

While I can appreciate that closing with RST is legitimate, I wonder what the source of the flapping is and whether there is a way to stop it. Has anyone else experienced something of this nature?

Thanks in advance!!
Armando

Logging headers going to a backend system

@senattcs wrote:

For some reason, my earlier post got blocked, hence I am reposting my question.

I have HAProxy running as a non-root user and one particular request is failing with an HTTP 400 Bad Request error. I have started HAProxy with "-d" and all I'm seeing is the following. Please help me troubleshoot the issue further.

0000004f:http_frontend.clireq[000b:ffffffff]: POST https://x.x.x.x:443/Event/Publish/AccountActivityEvent HTTP/1.1
0000004f:http_frontend.clihdr[000b:ffffffff]: SOAPAction: “createAccountActivityEvent”
0000004f:http_frontend.clihdr[000b:ffffffff]: Content-Type: text/xml;charset=UTF-8
0000004f:http_frontend.clihdr[000b:ffffffff]: User-Agent: Jakarta Commons-HttpClient/3.1
0000004f:http_frontend.clihdr[000b:ffffffff]: Host:x.x.x.x:443
0000004f:http_frontend.clihdr[000b:ffffffff]: Content-Length:1351
0000004f:AccountActivityEvent.createAccountActivityEvent.srvrep[000b:000d]: HTTP/1.1 400 Bad Request
0000004f:AccountActivityEvent.createAccountActivityEvent.srvhdr[000b:000d]: Content-Type: text/plain
0000004f:AccountActivityEvent.createAccountActivityEvent.srvhdr[000b:000d]: Connection: close
0000004f:AccountActivityEvent.createAccountActivityEvent.srvcls[000b:000d]
0000004f:AccountActivityEvent.createAccountActivityEvent.clicls[000b:000d]
0000004f:AccountActivityEvent.createAccountActivityEvent.closed[000b:000d]

HAProxy configuration export from the running process

@iqpkeq wrote:

How do I export the configuration file from the running HAProxy process? (System: CentOS 7)

The situation is this: I edited the file /etc/haproxy/haproxy.cfg, but it was a wrong change. I used Vim to replace several lines and then quit.

When I realized I was wrong, I reopened the file. Oops! I cannot get back to the right version. What's worse, I hadn't made a backup of this file before.

There is only one way: my HAProxy is still running. I dare not reload the process. How do I export the configuration from the running process? (Not from the file above; that doesn't work.)

Maybe dump it from memory? It's not the best way. Any ideas?

Best regards

Account temporarily on hold

@Stefanoel wrote:

Hi,
it's been 20 days since I got blocked without knowing what I did, since it was my first post!!!
I have not received an answer for 20 days; I cannot even see my post. Otherwise I would at least have turned to other forums.
I'm sorry, but my approach to HAProxy was not nice, and if it stays so, I will not go on trying it. I'm sorry, because I found it very interesting.

Best Regards

HAProxy: log all custom headers

@bsr wrote:

    log 127.0.0.1:514 local1 notice
    log 127.0.0.1:514 local2

frontend myservice
    bind *:8690
    mode http
    option httplog
    capture request header MyId len 500
    # %ID in the log-format is empty unless a unique-id-format is defined
    unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
    log-format %ci:%cp\ [id=%ID]\ [%t]\ %f\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ {%hrl}\ {%hsl}\ %{+Q}r
    log 127.0.0.1 local1
    default_backend myservice

backend myservice
    mode http
    option httplog
    balance roundrobin
    server myservice-01 127.0.0.1:18190 check weight 1
    server myservice-02 127.0.0.1:28190 check weight 10

Above are the settings of my HAProxy config. Using this, I am able to capture the custom header named MyId. However, is there any way I can capture all custom headers?

Thanks

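The two posts by @senattcs above ask how to see the headers HAProxy actually sends to a backend, and @bsr's post asks how to log every request header rather than one named header. An added configuration, not taken from any of those posts, that covers both: req.hdrs returns the whole request header block, so one capture in the frontend logs all client headers (with Authorization and Cookie values blanked before they reach the log), and a second capture placed last in the backend's http-request rules records the header block after every rewrite, into a slot declared in the frontend. Addresses and ports are the posters'; the slot sizes, the unique-id format and the log line length are assumptions.

```haproxy
global
    # "len" raises the 1024-byte default syslog line limit so the captures are not cut
    # off (HAProxy 1.7+); the syslog receiver has to accept long lines as well.
    log 127.0.0.1:514 len 8192 local1

defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend myservice
    bind *:8690
    option httplog
    log global
    unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
    unique-id-header X-Request-ID
    # Two capture slots: id 0 is filled here, id 1 is filled in the backend.
    declare capture request len 4096
    declare capture request len 4096
    # req.hdrs is the complete header block as received. Blank out credentials before
    # the text reaches the log; every header starts right after a LF, which the patterns
    # use as their anchor. The patterns deliberately contain no parentheses or commas,
    # since those terminate converter arguments.
    http-request capture req.hdrs,regsub(\nauthorization:[^\r\n]*,"\nauthorization: <redacted>",ig),regsub(\ncookie:[^\r\n]*,"\ncookie: <redacted>",ig) id 0
    # %hr prints all request capture slots, so one line shows both header blocks.
    log-format "%ci:%cp [%t] %ft %b/%s %Tq/%Tw/%Tc/%Tr/%Tt %ST %B %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %ID {%hr} %{+Q}r"
    default_backend myservice

backend myservice
    balance roundrobin
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    # Keep this as the last http-request rule: slot 1 then holds the header block after
    # every rewrite above, so a 400 from the server can be matched to the request by
    # X-Request-ID. Headers HAProxy inserts later on its own (X-Forwarded-For from
    # "option forwardfor", Connection handling) are not yet present at this point.
    http-request capture req.hdrs id 1
    server myservice-01 127.0.0.1:18190 check weight 1
    server myservice-02 127.0.0.1:28190 check weight 10
```

Captured text is logged with non-printable bytes escaped, so the CRLF between headers shows up escaped in the log line rather than as line breaks; a capture of 4096 bytes per slot is the reason the log line length has to be raised.
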
http frontend , backend

@bluex wrote:

Hi,

I need to use haproxy to listen on port 80 and forward the request if it matches the rule. For that I did the following, but I don't know how I can tell it to use the proper backend:

frontend httpfw
    bind *:80
    mode http
    # Match on the Host header, case-insensitively, against the exact names
    acl host_test1 hdr(host) -i test1.com www.test1.com
    acl host_test2 hdr(host) -i test2.com www.test2.com

    # Send the request to the backend whose ACL matched; with no default_backend,
    # requests for any other host get a 503
    use_backend httptest1 if host_test1
    use_backend httptest2 if host_test2

backend httptest1
    mode http
    balance source
    server httptest1 1.1.1.1:80

backend httptest2
    mode http
    balance source
    server httptest2 2.2.2.2:80

Thanks :slight_smile:

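An added example, not the poster's configuration, that goes a step beyond plain Host ACLs: it strips a port from the Host header before matching, matches names exactly rather than as a domain suffix (hdr_dom would also accept test1.com.attacker.example), and refuses requests for any host it does not know instead of letting them fall through. Host names and server addresses are the poster's; the variable name is an assumption.

```haproxy
frontend httpfw
    mode http
    bind *:80
    # Host may arrive as "test1.com:80" or with odd casing; normalise it once.
    # field(1,:) keeps the part before the first colon, which also breaks bracketed
    # IPv6 literal hosts; those simply end up in the deny below.
    http-request set-var(txn.host) req.hdr(host),field(1,:),lower
    # Exact names only. A missing Host header leaves the variable empty and is denied.
    acl host_test1 var(txn.host) -m str test1.com www.test1.com
    acl host_test2 var(txn.host) -m str test2.com www.test2.com
    # Refuse anything that is not one of our names rather than routing it by accident.
    http-request deny unless host_test1 or host_test2
    use_backend httptest1 if host_test1
    use_backend httptest2 if host_test2

backend httptest1
    mode http
    balance source
    server httptest1 1.1.1.1:80 check

backend httptest2
    mode http
    balance source
    server httptest2 2.2.2.2:80 check
```

http-request rules run before use_backend is evaluated, which is why the deny has to carry the "unless" condition; an unconditional deny at that position would refuse every request.
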
Restrict access to some part of the site with certificate

@Senanito wrote:

Hi, all

I have a task to restrict access to some part of the site with a certificate.
I have written something after reading posts by @AaronWest and @lukastribus;
however, I have to admit that I didn't fully understand it.

Let’s say url for all users: https://tapprod.com
Restricted part: https://tapprod.com/tier2/rest/
My backend server, let's call it tapprodsrv-02, has IP 172.20.20.20.

Here is my config:

defaults
    mode http

frontend HTTPS-IN
    # This frontend passes TLS through untouched and only inspects the ClientHello,
    # so it has to run in TCP mode; in HTTP mode HAProxy would try to parse TLS as HTTP.
    mode tcp
    bind 172.20.10.10:443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # NOTE: req_ssl_sni is the TLS server name (e.g. tapprod.com), never a URL path.
    # The path is inside the encrypted stream and only becomes visible after TLS is
    # terminated, so this rule can never match /tier2/rest/.
    use_backend TAPPROD-HTTP-OUT-CERT if { req_ssl_sni -i /tier2/rest/ }
    default_backend TAPPROD-HTTP-OUT-NOCERT

backend TAPPROD-HTTP-OUT-CERT
    mode tcp
    server loopback-for-tls abns@haproxy-clientcert send-proxy-v2

backend TAPPROD-HTTP-OUT-NOCERT
    mode tcp
    server loopback-for-tls abns@haproxy-default send-proxy-v2

frontend fe-ssl-clientcert
    mode http
    bind abns@haproxy-clientcert accept-proxy ssl crt /etc/haproxy/ssl/tapprod.pem ca-file /etc/haproxy/ssl/tap-ca.crt verify required
    default_backend APPSR01

frontend fe-ssl-default
    mode http
    bind abns@haproxy-default accept-proxy ssl crt /etc/haproxy/ssl/tapprod.pem
    default_backend APPSR01

backend APPSR01
    server tapprodsrv-02 172.20.20.20:443 check ssl verify none

Came to this point after reading and trying to understand this discussion:

As I understand it, it creates one more loop using the loopback interface to segregate two different kinds of traffic.
I guess "abns@haproxy-clientcert" and "abns@haproxy-default" mark the different traffic.
And then the load balancer listens to the traffic coming to the loopback interface to redirect it.
But the original posts never point to actual backend servers, so I modified it. Not sure if it's correct.

Please help to understand and make it work.
Thank you

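An added configuration, not the poster's, for a restriction that is keyed on a URL path: the loopback design splits traffic by SNI, which is the only thing visible before decryption, but a path is only known once TLS has been terminated. A single frontend therefore terminates TLS with verify optional, requests a client certificate from everyone, and enforces it only on /tier2/rest/. The cost is that every client, including those of the unrestricted part of the site, receives a CertificateRequest in the handshake; if that is unacceptable, the restricted part needs its own host name so the SNI-based split can be used instead. The backend CA file is an assumption.

```haproxy
# Added example, not the poster's configuration. One TLS termination point; the
# certificate requirement is enforced per path, which is only possible after decryption.
frontend HTTPS-IN
    mode http
    # "verify optional": a client certificate is requested but not required; one that
    # is presented must validate against tap-ca.crt or the handshake is refused.
    bind 172.20.10.10:443 ssl crt /etc/haproxy/ssl/tapprod.pem ca-file /etc/haproxy/ssl/tap-ca.crt verify optional
    acl restricted_path path_beg -i /tier2/rest/
    # ssl_c_used is true only when a client certificate was presented and accepted.
    acl client_cert_ok ssl_c_used
    http-request deny if restricted_path !client_cert_ok
    # Hand the verified identity to the application. set-header overwrites any header
    # of that name the client sent; del-header removes it when no cert was used, so
    # the value can never be forged from outside.
    http-request set-header X-Client-Cert-DN %[ssl_c_s_dn] if client_cert_ok
    http-request del-header X-Client-Cert-DN if !client_cert_ok
    default_backend APPSR01

backend APPSR01
    # Verify the backend's certificate as well (assumed CA file) rather than "verify none".
    server tapprodsrv-02 172.20.20.20:443 check ssl verify required ca-file /etc/haproxy/ssl/backend-ca.crt
```
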
Is HAProxy appropriate as a firewall?

@henryk wrote:

Hello,

I apologize if I've used the wrong category, or if this isn't the place. I was hoping I could get an answer on the HAProxy site itself from a couple of experts.

I've been thinking that HAProxy could possibly be used as a firewall. I looked at a number of keywords that can reject source IPs, redirect requests, reject based on destination + source, listen on ports, and prevent DDoS. This sounds like a good opportunity for a firewall in addition to its other high-availability features.

However, I don't want to shoehorn my idea and use HAProxy for a use case it's not intended for, or is limited in. I've seen cases where companies are hamstrung because they use software for an unsupported use case, and then, instead of using a proper app, are hurt because of this.

While possibly creative, I'm curious to know if it is a supported use case, or simply not a good idea. I've seen many times people asking about putting HAProxy behind a firewall, but never about using HAProxy as a standalone firewall.

Has anyone done this?
