Channel: HAProxy community - Latest topics

Airwatch AWCM Active/Active Load Balancing

@jjacques wrote:

Has anyone had any experience with load balancing Airwatch’s AWCM component? We have an on-premise installation and currently our two AWCM servers are set up in an active/failover manner. As we are migrating to a software load balancer (haproxy), we’d also like to have this switched to have both of the servers being active. According to the Airwatch documentation, persistence is based on a parameter awcmsessionid in either the URI or the http header. They even go a step further to explain how this can be accomplished, if we were using F5.

That being said, based on the information in the following article, can anyone provide details on how to begin with this, or if it’s even possible?
https://support.air-watch.com/articles/115001666028

Thanks

Posts: 1

Participants: 1



Multiple requests received on backend server : hidden retry?

@Hartorn wrote:

Hello guys !

I’m having some trouble with configuration in haproxy.
I have a form which is sending a big file in upload to the server.
It is passing through haproxy, and arriving onto the destination server.
Then, the server is making a quite long processing (several minutes).

The problem is, if I set ‘timeout server’ to something like 30sec, the destination server is receiving the whole request twice. Is there some retry setting by default that I missed ?

I would prefer to have an error, in case of timeouts.

I’m on HaProxy 1.5.18, on CentOs 7.
I’m using TCP, and choosing backend based on SNI indication.

Configuration
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
	# to have these messages end up in /var/log/haproxy.log you will
	# need to:
	#
	# 1) configure syslog to accept network log events.  This is done
	#    by adding the '-r' option to the SYSLOGD_OPTIONS in
	#    /etc/sysconfig/syslog
	#
	# 2) configure local2 events to go to the /var/log/haproxy.log
	#   file. A line like the following can be added to
	#   /etc/sysconfig/syslog
	#
	#    local2.*                       /var/log/haproxy.log
	#
	log         127.0.0.1 local2

	chroot      /var/lib/haproxy
	pidfile     /var/run/haproxy.pid
	maxconn     4000
	user        haproxy
	group       haproxy
	daemon

	# turn on stats unix socket
	stats socket /var/lib/haproxy/stats

	#SSL Tuning
	tune.ssl.default-dh-param 2048

	tune.maxrewrite 16384
	tune.bufsize 32768
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
	timeout connect         10s
	timeout client          1m
	timeout server          1m


listen stats 0.0.0.0:9000       #Listen on all IP's on port 9000
	mode http
	balance
	timeout client 5000
	timeout connect 4000
	timeout server 30000

	#This is the virtual URL to access the stats page
	stats uri /haproxy_stats        

	#Authentication realm. This can be set to anything. Escape space characters with a backslash.
	stats realm HAProxy\ Statistics 

	#The user/pass you want to use. Change this password!
	stats auth admin:password

	#This allows you to take down and bring up back end servers.
	#This will produce an error on older versions of HAProxy.
	stats admin if TRUE

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend VIP_ALL
	bind *:443
	mode tcp

	tcp-request inspect-delay 5s
	tcp-request content accept if { req_ssl_hello_type 1 }

	acl acl_host_frontal req.ssl_sni -i <hostname>

	use_backend bk_ssl_frontal if acl_host_frontal

	default_backend             default

#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend default


backend bk_ssl_frontal
  mode tcp
  balance roundrobin
  # maximum SSL session ID length is 32 bytes.
  stick-table type binary len 32 size 30k expire 30m
  acl clienthello req_ssl_hello_type 1
  acl serverhello rep_ssl_hello_type 2
  # use tcp content accepts to detects ssl client and server hello.
  tcp-request inspect-delay 5s
  tcp-request content accept if clienthello
  # no timeout on response inspect delay by default.
  tcp-response content accept if serverhello
  stick on payload_lv(43,1) if clienthello
  # Learn on response if server hello.
  stick store-response payload_lv(43,1) if serverhello
  option tcp-check
  server <ServerName> <ip>:443 check port 443

Posts: 6

Participants: 2


How to back end rate limit per session?

@AlphaP wrote:

I’m a new haproxy user, and we have our config running doing roundrobin load balancing working well.

We have several application instances that need to send http requests upon discovery of certain conditions. Sometimes these discoveries are made too close together, and we need to throttle the outbound backend requests to only one session every 30 seconds per backend server to stay within limits.

I have looked through the docs and googled a few rate limit articles, and see where I can set maxconn per server, but still feel lost about the rate limiting. Can someone provide a sample config to make this work? If such rate limiting is possible, are sessions that go over the rate limit queued or rejected?

Thank you for helping my understanding.

Posts: 1

Participants: 1


Good setup for LDAP backend

@moscardo wrote:

Hi,
I am looking for a proper configuration for a LDAP backend, so far I have:

frontend ldap_service_front
    mode                  tcp
    bind                  10.11.6.26:389
    log                   global
    description           LDAP Service
    option                socket-stats
    option                tcplog
    option                tcpka
    timeout client        5s
    default_backend       ldap_service_back

backend ldap_service_back
    server                ldap-1-test ldap1test.embl.de:389 check fall 1 rise 1 inter 2s
    server                ldap-2-test ldap2test.embl.de:389 check fall 1 rise 1 inter 2s
    mode                  tcp
    balance               roundrobin
    stick-table           type ip size 200k expire 30m
    stick                 on src
    option                tcpka
    option                ldap-check
    timeout server        2s
    timeout connect       1s

But when I browse the LDAP servers with the Apache LDAP browser, it seems that every one or two checks it closes the connection and opens a new one, so it is impossible to browse it.

I wouldn’t like to bind the source IP to a specific backend node, since I will have so many different clients that will act in different ways, some of them will just open a connection, get some attributes and close it, but some others will open a LDAP connection and will fetch several attributes and afterwards will close it.
So I am somehow looking for some persistency. Well, I am open to any suggestion.

Thanks.

Posts: 3

Participants: 2


Why maxconn value can have a negative value?

@nikhilkapoor04 wrote:

Hi,

When a negative value is given for the maxconn (-1,-2…-9, 10.) parameter in the global section of haproxy.cfg, it is observed that the haproxy service starts with a successful health check of the backend servers.
But when a larger negative value is given, haproxy fails to start and an alert message is shown.

For example, the maxconn value is set to "-1" in the global section of haproxy.cfg and the haproxy service is started.
By using the command: echo "show info" | socat unix-connect:/var/run/haproxy.stat stdio
Output:-
Name: HAProxy
Version: 1.8.1
Release_date: 2017/12/03
Nbproc: 1
Ulimit-n: 30
Maxsock: 30
Maxconn: 4294967295
Hard_maxconn: 4294967295

The above output shows that the maxconn value is "4294967295", which is taken randomly.
Is this a bug? If not, then why does haproxy behave abnormally for these values?
Can we enhance the check so that it prevents the user from having a negative value of "maxconn", as is done for others (such as "inter")?

Posts: 1

Participants: 1


Can server-template using consul identify port?

@proxyuser wrote:

Hi,

I’m doing some experimenting using HAProxy 1.8.5 and automatic service discovery against consul

I’m using the following code which works fine
resolvers consuldns
nameserver dns 127.0.0.1:8600
resolve_retries 3
hold valid 100ms

frontend web
   bind   *:8080
   mode   http
   option http-server-close
   option forceclose

   default_backend sampleservice

backend sampleservice
   server-template srv 1-2 pingpong.service.dc1.consul:8000 inter 1s resolvers consuldns resolve-prefer ipv4 check

What I’d like to know is whether it is possible to have server-template detect the port from the SRV record.
I have multiple instances running on the same host for some services, so this setup wouldn’t work for what I want to do.
If I drop the :800 of the server-template then it complains that it can’t find any valid servers.
Does anyone know if it is possible to do this or if it’s on a roadmap?

Thanks!

Posts: 1

Participants: 1


Haproxy Favicon

@Resist10k wrote:

Hello all, I have Octoprint installed on a raspberry pi and can’t seem to figure out how to allow a favicon to show up for the haproxy login. Any help would be awesome.

Posts: 1

Participants: 1


Reload with state file does not take the updated IP of the server in latest version

@Swapnil wrote:

Has anyone else faced a similar issue?

Reload with state file does not take the updated IP of the server in the latest version. The changes in ports and status ready/maint are reloaded from the state file, but the IP address is not.

Any help is appreciated

Posts: 3

Participants: 2



Maxconn for server used in multiple backends

@kaplun wrote:

Hi!

Say that I have the same server (i.e. name/hostname/port) being used for multiple backends. Is there a way to limit the total number of concurrent requests sent to that server, regardless of the specific backend? It seems to me that maxconn is enforced for a specific server in a specific backend. Is there a different option?

E.g. Say I have a server that can accept 30 requests, and is referenced in two backends. Is there a better option than to set its maxconn to 15 in each backend?

Thanks a lot,
Samuele

Posts: 2

Participants: 2


SSL Offloading and Load Balancing

@bliebold wrote:

I have never used HAProxy before and need to configure the existing deployment to do like the title mentions. I have read some “how to’s” and looks to have the certificate loaded correctly but cannot get past this error in the logs.

Server app_backend is DOWN, reason: Layer4 timeout, check duration: 0. 0 active and 0 backup servers left. Running on backup. 0 sessions active, 0 requeued, 0 remaining in queue.
0.
backend app_backend has no server available!

The two servers behind the load balancer can talk ping back and forth without any issues.

Any help would be greatly appreciated…

Thanks,
Blake

Posts: 11

Participants: 2


Nbsrv acl and seamless reload

@scegliau wrote:

Hi,

I’ve a frontend like this:

frontend my_frontend
        mode http
        option httplog
        bind 10.0.0.96:80
        bind 10.0.0.96:82

        acl downtime nbsrv(my_backend) lt 1
        use_backend downtime_backend if downtime
        default_backend my_backend

and 2 backends are:

backend downtime_backend
        mode http
        balance source
        option httpchk
        http-check expect ! rstatus ^5
        option forwardfor
        option http-server-close

        http-request replace-value Host (.*):.* \1

        server downtime 192.168.1.10:80 check inter 5000

and:

backend my_backend
        mode http
        balance roundrobin
        option httpchk GET /index.html
        option forwardfor
        option http-server-close

        option redispatch

        timeout server 300000

        server server1 10.0.0.225:80 check inter 5000
        server server2 10.0.0.226:80 check inter 5000
        server server3 10.0.0.227:80 check inter 5000

In practice we use an acl based on nbsrv to serve a page saying “The service is under maintenance, be patient…” when all servers in backend are down.
This rule works very well and let us keep statistics on requests redirected to downtime pool…but…we have a problem during reload.

We are on haproxy 1.8.5, and configuration has stats socket /tmp/haproxy_http level admin expose-fd listeners directive. Executing a reload we see in log that the old process balanced some requests to downtime pool. It looks like some connections are served by the old process when it has already stopped all backends.

Does someone have the same problem?
Can you please help me ?

Thanks
andrea

Posts: 1

Participants: 1


Unknown option 'http-buffer-request'

@barthur wrote:

Upgrading from 1.6.9 on CentOS 6 x86 to 1.8.5 on CentOS 6 x86_64 I get the following error:

$ sudo service haproxy check
[ALERT] 087/152144 (4953) : parsing [/etc/haproxy/haproxy.cfg:46] : unknown option 'http-buffer-request'.
[ALERT] 087/152144 (4953) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT] 087/152144 (4953) : Fatal errors found in configuration.

Steps:
wget http://www.haproxy.org/download/1.8/src/haproxy-1.8.5.tar.gz
make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1
sudo make install

I am using the same config as version 1.6.9 and the docs for 1.8 still refer to option ‘http-buffer-request’.

Any ideas what I’m missing? Let me know if you need more info.

Thanks!

Posts: 1

Participants: 1


HAProxy not starting with ssl configuration

@warnox wrote:

Hi,

I’m trying to set up an HTTPS/SSL frontend but HAProxy won’t start whenever I add in the ‘bind *:443 ssl crt /opt/certs/self.pem’ line. I’m not sure if there is something wrong with my config or if HAProxy doesn’t like the certificate. In saying that, I can’t see any certificate related errors in the log.

Version

HA-Proxy version 1.8.4-1deb90d 2018/02/08
Copyright 2000-2018 Willy Tarreau <willy@haproxy.org>

Config

global
   log /dev/log local0
   log /dev/log local1 notice
   chroot /var/lib/haproxy
   stats timeout 30s
   user haproxy
   group haproxy
   daemon

defaults
   log global
   mode http
   option httplog
   option dontlognull
   timeout connect 5000
   timeout client 50000
   timeout server 50000

frontend http_front
        mode http
        bind *:80
        default_backend http_back

backend http_back
        balance roundrobin
        option httpchk GET /index.html
        http-check expect string WEB
        server web1 web1.domain.com:80 check
        server web2 web2.domain.com:80 check

listen stats
        bind :1234
        mode http
        stats enable
        stats hide-version
        stats uri /

frontend ssl_front
        bind *:443 ssl crt /opt/certs/self.pem
        default_backend ssl_back

backend ssl_back
        balance roundrobin
        server web1 web1.domain.com:443 check
        server web2 web2.domain.com:443 check

Certificate

I used known working certs and then tested with creating my own self signed one, but always getting the same result. Below is how I created the PEM file.

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /opt/certs/self.key -out /opt/certs/self.crt
cat self.crt self.key > self.pem

Logs

The logs aren’t very helpful.

Mar 31 20:01:23 centos4 haproxy: [ALERT] 089/200123 (39723) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
Mar 31 20:01:23 centos4 haproxy: [ALERT] 089/200123 (39723) : Fatal errors found in configuration.
Mar 31 20:01:23 centos4 haproxy: Errors found in configuration file, check it with 'haproxy check'.
Mar 31 20:01:23 centos4 systemd: haproxy.service: control process exited, code=exited status=1

haproxy -dV -f haproxy.cfg
[ALERT] 089/200256 (39900) : Error(s) found in configuration file : haproxy.cfg
[ALERT] 089/200256 (39900) : Fatal errors found in configuration.

Thanks for any help.

Posts: 3

Participants: 2


Comma in acl list file

@cjstone wrote:

Hi,

HA-Proxy version 1.6.3

I’ve been trying several different variations of this:

acl bad_ua hdr(user-agent) -f /etc/haproxy/bad_uas.lst
http-request deny if bad_ua

/bad_uas.lst:

Mozilla/5.0 (Linux; Android) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36

My issue is that I don’t get a match for the full string; it will only match if I strip everything up to and including the comma, like:

 like Gecko) Chrome/34.0.1847.131 Safari/537.36

How do I get a match of the full string?

Thanks,

–Chris

Posts: 1

Participants: 1


HAproxy custom healthcheck

@senattcs wrote:

I have an HAProxy as a member in A10 and whenever A10 sends “/healthcheck” call- HAProxy needs to return “ACTIVE” word. I was trying-

backend xxx.healthcheck
mode http
timeout server 60s
default-server inter 5s fall 3 rise 2
http-check expect string "ACTIVE"

            errorfile 503 /var/prod/xxx-shared/scripts/HAProxy/hk.http

but definitely I’m doing something wrong- as my tests are showing

503 Service Unavailable
No server is available to handle this request.

instead of ACTIVE word in the response.

contents of hk.http:

HTTP/1.1 200 OK\r\n
Server: Apache-Coyote/1.1\r\n
Content-Type: text/html;charset=UTF-8\r\n

<?xml version="1.0" encoding="UTF-8"?> ACTIVE

Posts: 1

Participants: 1



SSL Termination fails when CRL is published

@serverhack wrote:

Hi all,

I have HAProxy 1.6.3 on Ubuntu deployed with SSL Termination with client side certificates enabled.

I have realised that every time our CA publishes a new CRL users cannot connect. They receive a handshake failure error.

I have to restart HAProxy, without changing anything more, in order for it to work again.

Is that the normal behavior?

Thanks and best regards,

Posts: 1

Participants: 1


Testing configuration and deployment with some config management tool

@moscardo wrote:

Hi,
I am planning to configure HAProxy through Puppet in order to keep configuration consistent between nodes, but my concerns are, how can I verify the syntax that I set in Puppet is right before deploying to production, and also how would I handle the service reload without knowing when the puppet recipe is going to be applied?

So, how would the workflow be ?

Thanks.

Posts: 1

Participants: 1


HAProxy performance on Cygwin

@imran wrote:

I want to know: is HAProxy 1.7.10 officially supported on Cygwin? Can HAProxy be used inside Cygwin in a Windows production environment?
Is anyone in the community using HAProxy with Cygwin in production? How is the performance of HAProxy 1.7.10 on Cygwin?

Posts: 1

Participants: 1


This channel can no longer be used to send message output session was auto-closed due to a server-initiated shutdown

@Eddiie wrote:

Hello,

I am using HAProxy to load balance a .NET / Net.TCP application.
The application works but if there is an idle of 1 minute or more, an exception is created by the caller -

This channel can no longer be used to send messages as the output session was auto-closed due to a server-initiated shutdown. Either disable auto-close by setting the DispatchRuntime.AutomaticInputSessionShutdown to false, or consider modifying the shutdown protocol with the remote server.

If we remove HAProxy from the middle, wait a minute or more between requests, this message never appears.

What is going on here? More importantly how can I stop this from happening?

It seems like the client (HAProxy in this case) is initiating the close.

frontend lt_dotnet_7078_frontend
    bind *:7078
    mode tcp
    option clitcpka
    default_backend lt_dotnet_backend

backend lt_dotnet_backend
        timeout connect 5000
        option tcp-check
        option tcplog
        option srvtcpka
        mode tcp
        balance roundrobin
        server server02_10.11.20.32_7078 10.11.20.32:7078 check port 7078 inter 200

Help is appreciated.

Posts: 1

Participants: 1


XMPP virtual hosting

@Ralf68 wrote:

I would like to proxy XMPP with haproxy. But not for load balancing, which would be easy with mode tcp and different backends. The decision for the backend should be based on the ‘to’ field in XMPP:

<?xml version='1.0'?>
  <stream:stream
      from='ralf@im.example.com'
      to='im.example.com'
      version='1.0'
      xml:lang='en'
      xmlns='jabber:client'
      xmlns:stream='http://etherx.jabber.org/streams'>

This should go to backend with internal IP 10.0.1.11
and to='im.example-2.com' should go to IP 10.0.1.12

I understand:

It is not http, so I have to use mode tcp and cannot do: use_backend server1 if { hdr(host) -i im.example-1.com }

It is not SSL with SNI, so I cannot do: use_backend server1 if { ssl_fc_sni im.example-1.com }
Wondering if that is even possible with haproxy? (perhaps ACL?!)

Posts: 1

Participants: 1
