Channel: HAProxy community - Latest topics

HaProxy configuration is good or not?

@ascige wrote:

Hi everyone.
I have used haproxy but I would like to know if my configuration is good or not.
I will try to explain my situation:
I have a load balancer (where I installed haproxy) which has two IPs: one public, for example 1.1.1.1, and one private, 172.18.2.1.
Then I have 3 web servers which have only one private IP each: 172.18.2.2, 172.18.2.3 and 172.18.2.4.
I would like haproxy to shift between web servers based on the load of the server.
I attach my configuration. Please, can someone confirm that my configuration is good?
Thanks a lot for any suggestions.

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend MT
    bind 1.1.1.1:80
    reqadd X-Forwarded-Proto:\ http
    default_backend MT

backend MT
    mode http
    stats enable
    stats hide-version
    stats uri /stats
    stats realm Haproxy\ Statistics
    stats auth haproxy:jessie # Credentials for HAProxy Statistic report page.
    balance source
    stick-table type ip size 200k expire 60m
    stick on src
    option httpchk
    option httpclose
    option forwardfor
    cookie LBN insert indirect nocache
    server vweb1 172.18.2.2:80 cookie vweb1 check # backend server #1
    server vweb2 172.18.2.3:80 cookie wweb2 check # backend server #2
    server vweb3 172.18.2.4:80 cookie vweb3 check # backend server #3

Posts: 1

Participants: 1


[ask] cluster resolver dns not running on HA-Proxy v.1.5.18

@andrian wrote:

Hi All,

I apologize in advance if this is the wrong place to discuss my issue; I’m new to haproxy.

I have an issue with my haproxy. I plan to make a cluster with haproxy for SMTP (postfix/25), Webserver (httpd/80) and Resolver DNS (Bind/53).

It is running for SMTP and web and it works, but I have a problem with the DNS resolver.

Could you help me with suggestions for solving this issue?

Below is the log from my haproxy:

smtp (works)
Apr 4 13:53:47 localhost haproxy[8979]: 50.50.50.5:51186 [04/Apr/2018:13:53:46.685] ft_smtp bk_postfix/smtp007-2 1/0/475 368 -- 0/0/0/0/0 0/0
Apr 4 13:55:51 localhost haproxy[8979]: 50.50.50.5:51191 [04/Apr/2018:13:55:50.630] ft_smtp bk_postfix/smtp007-1 1/0/398 367 -- 0/0/0/0/0 0/0

httpd (works)
Apr 4 13:51:25 localhost haproxy[8979]: 50.50.50.5:51183 [04/Apr/2018:13:51:25.899] ft_web bk_web/syslog-smtp007 1/4/44 18673 -- 0/0/0/0/0 0/0

dns (does not work)
Apr 4 13:54:50 localhost haproxy[8979]: 50.50.50.5:51189 [04/Apr/2018:13:54:20.696] ft_dns bk_bind/rdns007-1 1/0/30002 0 -- 0/0/0/0/0 0/0
Apr 4 13:55:41 localhost haproxy[8979]: 50.50.50.5:51190 [04/Apr/2018:13:55:11.142] ft_dns bk_bind/rdns007-2 1/0/30013 0 -- 0/0/0/0/0 0/0

Below is my haproxy.cfg configuration:

global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    user haproxy
    group haproxy
    maxconn 3000
    stats socket /var/lib/haproxy/stats

frontend ft_smtp
    bind 10.10.10.5:25
    mode tcp
    no option http-server-close
    timeout client 1m
    log global
    option tcplog
    maxconn 3000
    default_backend bk_postfix

backend bk_postfix
    mode tcp
    no option http-server-close
    log global
    option tcplog
    timeout server 1m
    timeout connect 30s
    balance roundrobin
    server smtp007-1 20.20.20.5:315 check
    server smtp007-2 20.20.20.6:317 check

frontend ft_web
    bind 10.10.10.5:80
    no option http-server-close
    timeout client 1m
    log global
    option tcplog
    maxconn 3000
    default_backend bk_web

backend bk_web
    no option http-server-close
    log global
    option tcplog
    timeout server 1m
    timeout connect 30s
    balance roundrobin
    server syslog-smtp007 30.30.30.4:80 check

frontend ft_dns
    bind 10.10.10.5:53
    no option http-server-close
    timeout client 1m
    log global
    option tcplog
    maxconn 3000
    default_backend bk_bind

backend bk_bind
    no option http-server-close
    log global
    option tcplog
    timeout server 1m
    timeout connect 30s
    balance roundrobin
    server rdns007-1 40.40.40.2:53 check
    server rdns007-2 40.40.40.3:53 check

Below is my test using my DNS resolvers:
haproxy007 ~]# nslookup

server 40.40.40.2
Default server: 40.40.40.2
Address: 40.40.40.2#53
google.com
Server: 40.40.40.2
Address: 40.40.40.2#53

Non-authoritative answer:
Name: google.com
Address: 74.125.68.101
Name: google.com
Address: 74.125.68.102
Name: google.com
Address: 74.125.68.113
Name: google.com
Address: 74.125.68.138
Name: google.com
Address: 74.125.68.100
Name: google.com
Address: 74.125.68.139

server 40.40.40.3
Default server: 40.40.40.3
Address: 40.40.40.3#53
google.com
Server: 40.40.40.3
Address: 40.40.40.3#53

Non-authoritative answer:
Name: google.com
Address: 74.125.24.139
Name: google.com
Address: 74.125.24.100
Name: google.com
Address: 74.125.24.113
Name: google.com
Address: 74.125.24.101
Name: google.com
Address: 74.125.24.102
Name: google.com
Address: 74.125.24.138

server 10.10.10.5
Default server: 10.10.10.5
Address: 10.10.10.5#53
google.com
;; connection timed out; trying next origin
;; connection timed out; no servers could be reached

As shown above, if I use my child DNS resolvers it works, but if I use the parent haproxy there is a problem.

Below I test telnet to the parent haproxy IP on listening port 53 (DNS); it connects:
haproxy007 ~]# telnet 10.10.10.5 53
Trying 10.10.10.5...
Connected to 10.10.10.5.
Escape character is '^]'.
quit
Connection closed by foreign host.

And the haproxy log:
Apr 5 11:33:07 localhost haproxy[31732]: 10.10.10.5:53274 [05/Apr/2018:11:32:37.234] ft_dns bk_dns/rdns007-2 1/0/30001 0 -- 0/0/0/0/0 0/0
Apr 5 11:33:40 localhost haproxy[31732]: 10.10.10.5:53442 [05/Apr/2018:11:33:10.137] ft_dns bk_dns/rdns007-1 1/0/30001 0 -- 0/0/0/0/0 0/0

haproxy007 ~]# haproxy -v
HA-Proxy version 1.5.18 2016/05/10
Copyright 2000-2016 Willy Tarreau willy@haproxy.org

Please tell me if you need any other information or logs from my haproxy.

I really appreciate your help and replies with advice on my problem.

Regards,

Andrian

Posts: 1

Participants: 1


HAPRoxy 1.7.9 hangs at getsockopt() system call

@ekta wrote:

Hi,

We recently upgraded to haproxy 1.7.9 and we are facing one issue.

A TLS tunnel is created from the frontend system to haproxy, and then haproxy creates a TCP connection with another interface after the TLS handshake with the frontend.

Here, after the TLS handshake, haproxy hangs at the getsockopt() system call.

0.000058 getsockopt(2, SOL_IP, 0x50 /* IP_??? */,

Earlier we were using 1.5.19 and it was working fine.

Posts: 1

Participants: 1

503 response code to JSON format

SSL passthrough with acl

@keevitaja wrote:

Hello!

Making my first steps with HAProxy. So please be kind to me :)

How can I choose which backend to use for an SSL connection?

frontend http-in
        bind *:80 v4v6
        bind *:443 v4v6
        mode tcp

        acl test_site_eu req.ssl_sni -i test.site.eu
        use_backend ssl_server if test_site_eu

backend ssl_server
        mode tcp
        timeout server 30s
        server ssl_server_1 127.0.0.1:4443

This is not working, but if I remove the if from the use_backend statement it kinda does.

http works fine with

acl apache_test_eu hdr(host) -i apache.test.eu

Posts: 1

Participants: 1


Steps to configure HAProxy with Varnish and CDN

@cheenu wrote:

I am planning to implement a CLIENT - HAPROXY - VARNISH - APPSERVER setup to load balance an e-commerce web site, and the web site has lots of static content. I need help configuring HAPROXY to balance load and also to divert requests based on static and dynamic content. Static should go to the Varnish cache server and dynamic to the web servers.

The second requirement is to also use a CDN. Is it possible to use Varnish and a CDN together in HAPROXY? Also, please recommend any additional settings I have to take care of for setting up an e-commerce site.

Posts: 1

Participants: 1


HAPROXY integration with Varnish and Apache

@cheenu wrote:

I have used HAProxy for application load balancing, but I have not used it with Varnish and Apache server. We are using a CLIENT - HAPROXY - VARNISH - 2 WEB SERVER setup and I need help configuring HAPROXY and VARNISH. Please suggest what needs to be configured in Apache.

It is for hosting an e-commerce web site; please suggest if I have to make any specific settings for optimal usage.

Posts: 1

Participants: 1


How can I make FTP Connection?

@Emsanator wrote:

Hello

How can I make FTP Connection?

This is the conf file:

global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    #log loghost local0 info
    maxconn 4096
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    #debug
    #quiet
    stats socket /var/lib/haproxy/stats

defaults
    log global
    mode http
    option httplog
    option dontlognull
    retries 3
    redispatch
    maxconn 2000
    contimeout 5000
    clitimeout 50000
    srvtimeout 50000

listen stats
    bind *:8080
    mode http
    option forwardfor
    option httpclose
    stats enable
    stats show-legends
    stats refresh 5s
    stats uri /stats
    stats realm Haproxy\ Statistics
    stats auth loadbalancer:loadbalancer
    stats admin if TRUE

frontend MAIN
    bind *:21
    bind *:80
    bind *:143
    bind *:443
    bind *:993
    mode http

    acl domain1_URL hdr_dom(host) -i domain1.com
    acl domain2_URL hdr_dom(host) -i domain2.com
    acl domain3_URL hdr_dom(host) -i domain3.com

    use_backend domain1 if domain1_URL
    use_backend domain2 if domain2_URL
    use_backend domain3 if domain3_URL

backend domain1
    mode http
    server web-first 192.168.1.124:80

backend domain2
    mode http
    server web-second 192.168.1.197:80

backend domain3
    mode http
    server web-third 192.168.1.197:80

Posts: 1

Participants: 1


SSL between Haproxy and Apache

@Pessoal2004 wrote:

I need help because I have my web_server in a different datacenter from the haproxy_server and I need to encrypt the connection.

I have: client => ssl/certbot => Haproxy => http => Apache
I need: client => ssl/certbot => Haproxy => ssl => Apache

If I create an openssl.privatekey.pem for the haproxy_server and an openssl.certificate.pem for the apache_server, will that solve my problem?

frontend http_front
    mode http
    bind <haproxy_IP_server>:80
    bind <haproxy_IP_server>:443 ssl crt /etc/haproxy/certs/example.com.pem

backend haproxy.cfg
    mode http
    server <apache_server> <IP_apache_server>:81 check ssl verify required ca-file /etc/ssl/certs/openssl.privatekey.pem ???

Posts: 1

Participants: 1


Encrypt connection

@Pessoal2004 wrote:

Hi,
I have haproxy_server and apache_server in different datacenters; what is the best way to have an encrypted connection between them?

Is it possible to have that encrypted connection with haproxy.cfg, or do I need software like stunnel?

Posts: 1

Participants: 1


Use load balancer as redirector

@Bobby wrote:

Hi, I am trying to serve live video channels from different cameras that I have configured on two backend servers that are configured to serve these requests in the format of the following URLs. I am trying to use haproxy as a virtual URL like http://virutalIP/livechannelA/playlist.m3u8 and to forward this to the real server http://realserverip/livechannelA/playlist.m3u8. Since the videos are bandwidth intensive, I just need simple round-robin redirects from the virtual URL to each physical server. There are close to 10 channels on each server. My main concern is that when the video starts, nothing should pass through haproxy. Is it possible to do that with haproxy? Sorry, I am new to haproxy and any help is appreciated.

Posts: 1

Participants: 1


HAProxy log current/modified values

@Exocomp wrote:

I’ve set it up to capture the request header like so:

capture request header x-custom len 10

Later on I set the header value like so:

http-request set-header X-custom 1 if acl_check

The backend reflects the correct header value but the HAProxy log shows what was passed in with the request not the value I changed it to.

What’s the correct way to log the most up to date information, updates to headers that have been done during processing?

Posts: 1

Participants: 1


HAproxy custom stick

@next40 wrote:

Dear friends, I have a web application (CRM); please help me find any ideas for realizing a stick session algorithm.
Users access the application via URL:
https://web.somesite.com/48c8155f1470878045eaa01f/1c_my_9469_1/*
https://web.somesite.com/account hash/database name/*
then enter the DB login and password.
If authentication succeeds, the application sets the cookie vrs_session with value 9c18917b-3706-44e0-967d-36e933fcbf94
sess2

I need to stick the client by /48c8155f1470878045eaa01f/1c_my_9469_1/ + vrs_session or a custom cookie. This is needed to calculate unique user sessions per account/database or, if possible, to restrict connections if the limit is reached. Is it possible via HAProxy?

Posts: 1

Participants: 1


Unable to load cache content through HAProxy

@cheenu wrote:

Hello All,

I am using HAProxy version 1.8 for an e-commerce site to LB, Static content routing and SSL termination.

Below is my setup:
CLIENT - HAPROXY - VARNISH (common for two web servers) - APACHE

I have configured the HAProxy script as per the example below;

I have two major problems:

  1. The web site is accessible but static content is not loading and I am getting “Error 503; Backend fetch data failed”.
  2. Unable to use httpcheck in any of the backend configurations.

The site is configured to use HTTP; I have removed the SSL certs for testing.

Please also suggest whether I should use dedicated Varnish cache servers for the two web servers or whether a common Varnish cache server is fine.

Posts: 1

Participants: 1


HAProxy 1.8.4 504 Gateway Time-out

@Mantikor wrote:

Hi.
I’ve tried to set up LB and HA for an internal web service.
The backend web servers are MS IIS.
But I get a 504 message when I try to open the main page.

global
   log localhost local0
   log localhost local1 notice
   chroot /var/lib/haproxy
   stats timeout 30s
   user haproxy
   group haproxy
   daemon

   tune.ssl.default-dh-param 2048
   ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:etc
   ssl-default-bind-options no-sslv3 no-tls-tickets
   ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:etc
   ssl-default-server-options no-sslv3 no-tls-tickets

defaults
   log global
   mode http
   option httplog
   option dontlognull
   retries 3
   option redispatch
   option forwardfor
   timeout connect 20s
   timeout client 1m
   timeout server 1m

frontend http
   bind *:80
   acl is_domainname hdr(Host) -i domainname
   redirect scheme https if { hdr(host) -i domainname } !{ ssl_fc }
   use_backend domainname_backend if is_domainname

frontend https
   bind *:443 ssl crt /etc/pki/tls/certs/domainname.pem
   acl is_domainname_https hdr(host) -i domainname
   use_backend domainname_backend if is_domainname_https

backend domainname_backend
   balance roundrobin
   http-request set-header X-Forwarded-Port %[dst_port]
   http-request add-header X-Forwarded-Proto https if { ssl_fc }
   cookie srvweb insert
   server srvweb1 10.10.2.150:443 cookie s1 check
   server srvweb2 10.10.2.152:443 cookie s2 check

haproxy.log

Apr 12 12:36:16 localhost haproxy[15110]: 10.1.1.154:48145 [12/Apr/2018:12:35:16.917] https~ domainname_backend/srvweb1 0/0/0/-1/60002 504 194 - - sHNN 2/2/1/0/0 0/0 "GET / HTTP/1.1"
Apr 12 12:36:16 localhost haproxy[15110]: 10.1.1.154:48145 [12/Apr/2018:12:35:16.917] https~ domainname_backend/srvweb1 0/0/0/-1/60002 504 194 - - sHNN 2/2/1/0/0 0/0 "GET / HTTP/1.1"
Apr 12 12:36:16 localhost haproxy[15110]: 10.1.1.154:48146 [12/Apr/2018:12:35:16.921] https~ domainname_backend/srvweb2 0/0/0/-1/60000 504 194 - - sHNN 1/1/0/0/0 0/0 "GET /favicon.ico HTTP/1.1"
Apr 12 12:36:16 localhost haproxy[15110]: 10.1.1.154:48146 [12/Apr/2018:12:35:16.921] https~ domainname_backend/srvweb2 0/0/0/-1/60000 504 194 - - sHNN 1/1/0/0/0 0/0 "GET /favicon.ico HTTP/1.1"

Where is my mistake?

Posts: 1

Participants: 1


TCP Mode capture packets from backend and print in proxy logs

@kulbirsaini wrote:

I have 2 docker containers running a message daemon using 0mq libraries. The 2 daemons are for HA, such that at any moment in time only one will be master. The master keeps publishing messages saying "I am master".

I want to capture the TCP packet data that is received from the backend servers and print it in the haproxy logs. How can I do that?

Posts: 1

Participants: 1


Haproxy with both Varnish and CDN

@cheenu wrote:

I am using HAProxy for routing static and dynamic content. We are using Varnish for local static caching, and since the web application is expected to be accessed globally, we are planning to implement a CDN along with Varnish.

Need help to configure HAProxy with both Varnish and CDN.

Posts: 1

Participants: 1


HAProxy 1.8.7.0 - Resolving non FQDN fails

@amir wrote:

Hi,
After “moving” from HAProxy 1.6.3.1 to 1.8.7.0 I encountered a resolving issue.

I would like to resolve the hostname “VMAS” using HAProxy 1.8.7.0.
The server line is:
server VMAS VMAS:8090 check ssl verify required ca-file /usr/cti/conf/common/ssl/truststore/viatruststore.pem crt /usr/cti/conf/common/ssl/keystore/viakeystore.pem inter 30000 resolvers mydns resolve-prefer ipv6

resolv.conf
domain domain1.com
search domain1.com domain2.com domain3.com
nameserver 127.0.0.1
options timeout:3
options retrans:1
options retry:1

HAPROXY 1.6.3.1
When using HAProxy 1.6.3.1 I noticed that HAProxy succeeds in resolving “VMAS”. It uses the search domains and tries one domain after another as configured in resolv.conf, and resolving succeeds with the 3rd search domain.
Example:
VMAS.domain1.com # failed to resolve, NX
VMAS.domain2.com # failed to resolve, NX
VMAS.domain3.com # resolved successfully

HAPROXY 1.8.7.0
When using HAProxy 1.8.7.0 I noticed that HAProxy fails to resolve “VMAS”.
It doesn’t use the “search domains” in resolv.conf.
For example:
it tries only VMAS.domain1.com

It seems that HAProxy 1.8.7.0 requires an FQDN in the server line of haproxy.cfg for resolving.
In my example it works only if I insert VMAS.domain3.com into the server line:
server VMAS vmas.domain3.com:8090 check ssl verify required ca-file /usr/cti/conf/common/ssl/truststore/viatruststore.pem crt /usr/cti/conf/common/ssl/keystore/viakeystore.pem inter 30000 resolvers mydns resolve-prefer ipv6

Is there a way to configure a hostname, and not an FQDN, in haproxy.cfg and get it resolved in 1.8.7.0, as it worked for 1.6.3.0?

Thanks
Amir

Additional information:
HAProxy compile parameters:
make TARGET=linux26 USE_GETADDRINFO=1 USE_OPENSSL=1 CPU=x86_64 ARCH=x86_64 USE_PCRE=1 USE_LIBCRYPT=1 USE_LINUX_SPLICE=1 USE_LINUX_TPROXY=1 ADDLIB=-lz

Error in the haproxy log when running 1.8.7.0 and querying the hostname only (VMAS):
Server HAProxy_MO_from_IS4/VMAS is going DOWN for maintenance (DNS NX status). 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.

Relevant part of haproxy.cfg:

global
    log 127.0.0.1 local0 info #emerg alert crit err warning notice info debug
    maxconn 90096
    tune.ssl.default-dh-param 2048
    uid 55301
    gid 55301
    nbproc 2
    ssl-default-bind-ciphers HIGH:MEDIUM:!aNULL:+SHA1:!MD5:!RC4:!SSLv2:!ADH:!EDH
    ssl-default-bind-options no-sslv3 #force-tlsv10
    stats socket /var/run/haproxy.sock mode 600 level admin

resolvers mydns
    nameserver dns1 127.0.0.1:53
    resolve_retries 3
    timeout retry 1s
    hold valid 60s

defaults
    log global
    #option tcplog
    #option dontlognull
    retries 3
    maxconn 90096
    timeout client 600000
    timeout server 60000
    timeout connect 5000

listen HAProxy_MO_from_IS4
    log global
    option tcplog
    mode http
    acl valid_method method GET POST PUT DELETE HEAD OPTIONS
    http-request deny if ! valid_method
    bind :58910 v4v6 name MO_Http
    balance roundrobin
    #http-check disable-on-404
    #option httpchk
    maxconn 90096
    timeout client 480000
    timeout server 5000
    timeout connect 5000
    server VMAS VMAS:8090 check ssl verify required ca-file /usr/cti/conf/common/ssl/truststore/viatruststore.pem crt /usr/cti/conf/common/ssl/keystore/viakeystore.pem inter 30000 resolvers mydns resolve-prefer ipv6

Posts: 1

Participants: 1


Backend not invoked

@Mahesh wrote:

I am looking at forwarding HTTP (front end) to HTTPS (backend). Backend is not being invoked.
Simplified to only HTTP to HTTP, still no luck.
HA-Proxy version 1.8.7 2018/04/07

Debug mode shows only this
haproxy -f /etc/haproxy/haproxy.cfg -d
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[TRACE] trace
[COMP] compression
[SPOE] spoe
Using epoll() as the polling mechanism.
00000000:http-in.accept(0004)=0006 from [127.0.0.1:59088] ALPN=
00000000:http-in.clicls[adfd:ffffffff]
00000000:http-in.closed[adfd:ffffffff]

Configuration

global
    log 127.0.0.1 local6
    #daemon
    maxconn 256

defaults
    log 127.0.0.1 local6
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
    option forwardfor
    option http-server-close

frontend http-in
    #log 127.0.0.1 local6
    bind *:8091
    reqadd X-Forwarded-Proto:\ https
    use_backend dcc

backend dcc
    mode http
    server localhost :9022

Posts: 3

Participants: 2


Is it possible to redirect the URL only the first time?

@serverhack wrote:

Hi,

I’m trying to redirect a URL (e.g. https://www.domain.com) to a certain directory inside that domain (https://www,domain.com/login/index.php) but only the first time the user accesses it.

The apache server makes some internal redirection but it would get https://www,domain.com/login/index.php if this is set by the web browser, avoiding the too many redirects error.

I need this to occur only the first time one user logs in, because HAProxy is offloading SSL and asking for a client certificate that I need to rewrite on the url.

Thanks!!!

Posts: 1

Participants: 1
