Channel: HAProxy community - Latest topics

Layer 7 health check across TCP Proxy emitting CD Session State at Disconnection


@Michael_A wrote:

Howdy,

First post.

I have a L7 proxy that has backend servers that are actually local (127.0.0.*) TCP proxies. The reason I did this was to encapsulate the two physical ethernet interfaces on the actual backend servers behind the TCP proxy.

When I have a L7 health check that is looking for a “status=ok” response string traversing the TCP proxies, I get a tcp log entry that shows a session state at disconnection of “CD”, which is:

C : the TCP session was unexpectedly aborted by the client.
D : the session was in the DATA phase.

This is only happening for the health check requests and not our normal expected traffic. If I remove the health checks the log entries stop.

My first thought was that the requests might be expected to be keepalive and are not. I also thought that perhaps HAProxy might be optimized so that once it receives the expected response string from the health check, it ends the connection?

Any insight into this is appreciated. I’d prefer not to have all of these non-actionable tcp log entries in our log files.

Thanks,

Michael

Posts: 1

Participants: 1
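For anyone triaging these entries, here is an added example (not from the post and not HAProxy's own code) that parses tcplog lines, expands the two-character termination state, and sets aside short, low-byte CD sessions that look like string-matching checks from genuine client aborts; the sample lines and the byte/time limits are constructed assumptions.

```python
import re
from collections import Counter

# Fields of an "option tcplog" line after the syslog prefix (HAProxy log-format docs):
#   client_ip:port [accept_date] frontend backend/server Tw/Tc/Tt bytes_read termination_state ...
TCPLOG_RE = re.compile(
    r"(?P<src>[\d.]+):\d+ \[(?P<ts>[^\]]+)\] (?P<fe>\S+) (?P<be>\S+)/(?P<srv>\S+) "
    r"(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tt>-?\d+) (?P<bytes>\d+) (?P<state>\S\S) "
)

# Termination state: first char = what ended the session, second = phase it was in
# (from the logging section of the HAProxy configuration manual).
CAUSE = {
    "-": "normal completion", "C": "aborted by the client",
    "S": "aborted or refused by the server", "P": "aborted by the proxy",
    "R": "proxy resource exhausted", "I": "internal proxy error",
    "D": "killed because the server was detected DOWN",
    "U": "killed on a backup server because an active server came UP",
    "K": "killed by an admin on the stats socket",
    "c": "client-side timeout", "s": "server-side timeout",
}
PHASE = {
    "-": "normal completion", "R": "waiting for a complete REQUEST",
    "Q": "waiting in the QUEUE", "C": "waiting for the server CONNECTION",
    "H": "waiting for response HEADERS", "D": "DATA phase",
    "L": "transmitting LAST data to the client", "T": "tarpitted",
}

# Constructed sample lines (not from the post): two short, low-byte CD sessions of the
# kind a string-matching check leaves behind, one normal session, and one CD session
# that aborted deep into a transfer, i.e. a genuine client abort worth looking at.
SAMPLE_LINES = [
    "Jun  1 10:00:01 lb haproxy[2211]: 127.0.0.1:40001 [01/Jun/2018:10:00:01.100] ft_tcp bk_tcp/tcpproxy1 0/0/12 86 CD 1/1/0/0/0 0/0",
    "Jun  1 10:00:03 lb haproxy[2211]: 127.0.0.1:40002 [01/Jun/2018:10:00:03.100] ft_tcp bk_tcp/tcpproxy2 0/0/9 86 CD 1/1/0/0/0 0/0",
    "Jun  1 10:00:05 lb haproxy[2211]: 127.0.0.1:40003 [01/Jun/2018:10:00:04.200] ft_tcp bk_tcp/tcpproxy1 0/0/845 52310 -- 3/3/2/1/0 0/0",
    "Jun  1 10:00:09 lb haproxy[2211]: 127.0.0.1:40004 [01/Jun/2018:10:00:06.900] ft_tcp bk_tcp/tcpproxy2 0/0/2950 131072 CD 2/2/1/1/0 0/0",
]


def parse_tcplog(line):
    """Return the fields of one tcplog line as a dict, or None for anything else."""
    m = TCPLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("tw", "tc", "tt", "bytes"):
        rec[key] = int(rec[key])
    return rec


def describe_state(state):
    """Expand a two-character termination state such as "CD" into prose."""
    return f"{CAUSE.get(state[0], 'unknown cause')}; {PHASE.get(state[1], 'unknown phase')}"


def is_probable_healthcheck(rec, max_bytes=512, max_ms=200):
    # Heuristic (an assumption, not an HAProxy rule): a checker that closes as soon as the
    # expected string arrives leaves a short session with few bytes; a real client abort
    # usually happens further into the transfer. Tune the limits to your own checks.
    return rec["state"] == "CD" and rec["bytes"] <= max_bytes and rec["tt"] <= max_ms


def triage(lines, **limits):
    """Count sessions per category so check-induced CD noise can be set aside."""
    counts = Counter()
    for line in lines:
        rec = parse_tcplog(line)
        if rec is None:
            counts["unparsed"] += 1
        elif is_probable_healthcheck(rec, **limits):
            counts["probable_healthcheck_abort"] += 1
        elif rec["state"] == "CD":
            counts["client_abort_in_data_phase"] += 1
        else:
            counts[rec["state"]] += 1
    return counts
```

Run `triage(SAMPLE_LINES)` to get the per-category counts, and `describe_state("CD")` for the prose expansion of any state you meet in the log.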



Documentation has a link that is 404 Not Found - Lua reference manual in HTML

Never mark backend as failed?


@rihad wrote:

Hi. We have a backend with a single server:

defaults
retries 3
timeout connect 5000
timeout client 100000
timeout server 100000

backend bk_foo
mode tcp
no option http-server-close
log global
option tcplog
timeout server 1m
timeout connect 5s
server foo smtp.example.com:587 check

The problem is that if smtp.example.com becomes unreachable due to network problems, it is marked as down/failed by haproxy and never comes back up even when the server does, until haproxy is reloaded manually. Is there any way to never mark it as down? Thanks.

Posts: 4

Participants: 2


Exchange 2010 RPC over HTTPS


@maarten wrote:

Hi,

I’m trying to get Exchange 2010 working with Outlook Anywhere, which uses RPC over HTTPS. I followed https://www.haproxy.com/documentation/haproxy/deployment-guides/exchange-2010/ssl-offload/ but the rpc part is not working. The rpc part gives http 401 errors.

When I use another config that only uses ‘mode tcp’, Outlook Anywhere works fine, but then I am not able to use ACLs, right? I need to proxy several websites to different backends based on host headers/paths.

Is there a way to combine http and tcp modes in one configuration?

Posts: 5

Participants: 2


NTLM Proxy via HA Proxy


@warnox wrote:

Hi,

I’m testing using proxy servers behind HA Proxy load balancers. The proxy servers on the back end are Symantec’s CSPs (basically Squid running on Windows). Before you ask, no, running Squid on Linux is not supported by Symantec and it does not pass the username through to the cloud service.

With NTLM authentication, most applications work properly. There are a few apps, such as Evernote and Cortana which seem to prompt for credentials endlessly. When going direct to the proxy servers, bypassing the LB, these prompts do not come up.

I’ve set keep-alives and persistence in the HA Proxy config but I’m not sure if I’m missing something else. Config below.

frontend CSP_LB
mode tcp
bind *:3128
option http-keep-alive
default_backend CSP_LB_Back

backend CSP_LB_Back
balance source
hash-type consistent
option http-keep-alive
server srv1 srv1:3128 check maxconn 3000
server srv2 srv2:3128 check maxconn 3000

Thanks for any help.

Posts: 3

Participants: 2


Zimbra - HaProxy


@brandon wrote:

My configuration on haproxy:

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
user haproxy
group haproxy
daemon

defaults
option dontlognull # Do not log connections with no requests
option redispatch # Try another server in case of connection failure
option contstats # Enable continuous traffic statistics updates
retries 3 # Try to connect up to 3 times in case of failure
timeout connect 5s # 5 seconds max to connect or to stay in queue
timeout http-keep-alive 1s # 1 second max for the client to post next request
timeout http-request 15s # 15 seconds max for the client to send a request
timeout queue 30s # 30 seconds max queued on load balancer
timeout tarpit 1m # tarpit hold time
backlog 10000 # Size of SYN backlog queue
balance roundrobin # load balancing algorithm
mode tcp # protocol analyzer
option tcplog # log format
log global # log activation
timeout client 300s # client inactivity timeout
timeout server 300s # server inactivity timeout
default-server inter 3s rise 2 fall 3 # default check parameters

frontend Exchange_FrontEnd_HTTP
bind 192.168.201.15:80 name web
maxconn 10000
default_backend Exchange_BackEnd_HTTP

backend Exchange_BackEnd_HTTP
server SRV-EX01 192.168.201.235:80 maxconn 10000 check

frontend Exchange_FrontEnd_SSL
bind 192.168.201.15:443 name ssl
maxconn 10000
default_backend Exchange_BackEnd_SSL

backend Exchange_BackEnd_SSL
server SRV-EX01 192.168.201.235:443 maxconn 10000 check

frontend Exchange_FrontEnd_SMTP25
bind 192.168.201.15:25 name smtp
maxconn 10000
default_backend Exchange_BackEnd_SMTP25

backend Exchange_BackEnd_SMTP25
server SRV-EX01 192.168.201.235:25 maxconn 10000 check

frontend Exchange_FrontEnd_SMTP_Secure
bind 192.168.201.15:465 name smtpssl
maxconn 10000
default_backend Exchange_BackEnd_SMTP_Secure

backend Exchange_BackEnd_SMTP_Secure
server SRV-EX01 192.168.201.235:465 maxconn 10000 check

frontend Exchange_FrontEnd_IMAP
bind 192.168.201.15:143 name imap
maxconn 10000
default_backend Exchange_BackEnd_IMAP

backend Exchange_BackEnd_IMAP
server SRV-EX01 192.168.201.235:143 maxconn 10000 check

frontend Exchange_FrontEnd_IMAP_Secure
bind 192.168.201.15:993 name imapssl
maxconn 10000
default_backend Exchange_BackEnd_IMAP_Secure

backend Exchange_BackEnd_IMAP_Secure
server SRV-EX01 192.168.201.235:993 maxconn 10000 check

But it does not receive mail: it sends but does not receive e-mails.
How can I improve this configuration for balancing?
Does Zimbra work with HAProxy? Is this possible? What configuration is needed in Zimbra?

Posts: 1

Participants: 1


Haproxy roundrobin strange behaviour?


@HDDimon wrote:

Hey folks!
I’ve configured haproxy like following:

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    retries 3
    option redispatch

frontend myApp
    bind 0.0.0.0:80
    use_backend abc

backend abc
    timeout queue 5000000
    timeout server 5000000
    timeout connect 5000000
    #bind 0.0.0.0:80
    mode http
    stats enable
    stats uri /haproxy?stats
    stats realm Strictly\ Private
    stats auth*
    stats auth*
    balance roundrobin
    #option httpclose
    #option forwardfor
    #option http-keep-alive
    cookie JSESSIONID prefix nocache
    server **** maxconn 1024 cookie check
    server **** maxconn 1024 cookie check

but on the stats page I see:

How to configure fair round robin?

Thanks!

Posts: 2

Participants: 2


HAProxy for Mail loadbalancing


@bela.eitelhuber wrote:

Hello everyone,

I want to use HAProxy for load balancing incoming mails to two mail servers.
My challenge now is that no mail may be discarded.
So can you help me set up HAProxy so that it checks the availability of the mail server every time it tries to forward a mail to it? That means it isn’t enough to check every second whether the mail server is available. It has to check, every time it has to send a mail, whether the mail server is reachable, and if not, try to send the mail to the other mail server.

Kind regards
Bela

Posts: 1

Participants: 1



Healthcheck on multiple backends with virtual hostnames


@senattcs wrote:

I have 2 backends which are running on two different virtual host names and need to perform healthchecks on them to load balance the traffic.

The issue is: only the last healthcheck (prd03) works, not prd02. How can I do a healthcheck against 2 virtual hostnames?

Here is my config:
backend xxxx.searchCustomer
mode http
balance roundrobin
option httpchk GET /env HTTP/1.1\r\nHost:\ customerlookup.xxx.px-prd02.cf.xxxx.com:443\r\n
option httpchk GET /env HTTP/1.1\r\nHost:\ customerlookup.xxx.px-prd03.cf.xxxx.com:443\r\n
http-check expect rstatus ^200
option httplog
timeout server 60s
default-server inter 10s fall 3 rise 2
server s_CustomerLookupService.searchCustomer2 customerlookup.xxx.px-prd02.cf.xxxx.com:443 check resolvers dns ssl verify none
server s_CustomerLookupService.searchCustomer3 customerlookup.xxx.px-prd03.cf.xxxx.com:443 check resolvers dns ssl verify none

Posts: 1

Participants: 1


Connecting String for jdbc connection load balancing


@Shankar wrote:

We have a requirement to route requests to multiple backends based on the connection string of a datasource URL.
The bottleneck is that on haproxy all these requests would be listened for on one port, say 31000, and then, based on the name of the datasource in the connection string, have to be distributed to a different backend.
We can achieve this by listening on different ports, but it is mandatory that all requests be received on the same port, and the routing has to be based on some other parameter like the datasource name in the connection URL.

Posts: 1

Participants: 1


Brute Force protection with Basic Authentication


@FlangeMonkey wrote:

Hi Guys,

I’ve read some of the posts and blog articles regarding Brute Force protection for Wordpress and Form Based Authentication. I’m looking to do something similar with Basic Authentication. Can this be done?

Thanks,

Posts: 1

Participants: 1
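As an added example (not from the post, and not HAProxy's own mechanism), the detection side of this in Python: count 401 responses per source over a sliding window of HAProxy httplog lines, which is the same signal a stick-table http_err_rate counter tracks per source; the log lines, addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Fields of an "option httplog" line after the syslog prefix (HAProxy log-format docs):
#   client_ip:port [accept_date] frontend backend/server TR/Tw/Tc/Tr/Ta status bytes ...
HTTPLOG_RE = re.compile(
    r"(?P<src>[\d.]+):\d+ \[(?P<ts>[^\]]+)\] \S+ \S+/\S+ "
    r"-?\d+/-?\d+/-?\d+/-?\d+/-?\d+ (?P<status>\d{3}) \d+ "
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S.%f"


def parse_httplog(line):
    """Return source address, accept time and status of one httplog line, or None."""
    m = HTTPLOG_RE.search(line)
    if not m:
        return None
    return {
        "src": m.group("src"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "status": int(m.group("status")),
    }


def find_basic_auth_bruteforce(lines, window_s=60, threshold=10):
    """Flag sources whose 401 responses within any `window_s` seconds reach `threshold`.

    A failed Basic Auth attempt is answered with 401, so this is the per-source error
    rate that an HAProxy stick-table counter would track. Returns {source: first hit time}.
    """
    recent = defaultdict(deque)   # source -> timestamps of its recent 401s
    flagged = {}
    for line in lines:
        rec = parse_httplog(line)
        if rec is None or rec["status"] != 401:
            continue
        q = recent[rec["src"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:  # drop entries outside the window
            q.popleft()
        if len(q) >= threshold and rec["src"] not in flagged:
            flagged[rec["src"]] = rec["ts"]
    return flagged


def _line(src, ts, status, uri):
    # Constructed httplog-format line (syslog prefix + HAProxy fields); not real traffic.
    return (f"Jun  1 10:00:00 lb haproxy[2211]: {src}:51000 [{ts}] ft_www bk_admin/web1 "
            f"0/0/1/3/4 {status} 512 - - ---- 1/1/0/0/0 0/0 \"GET {uri} HTTP/1.1\"")


# Constructed sample: one source fails six times in 25 seconds (a guessing pattern),
# another fails three times spread over four minutes and then succeeds (a forgetful user).
SAMPLE_LINES = (
    [_line("203.0.113.7", f"01/Jun/2018:10:00:{5 * i:02d}.000", 401, "/admin/") for i in range(6)]
    + [_line("198.51.100.4", f"01/Jun/2018:10:{2 * i:02d}:00.000", 401, "/admin/") for i in range(3)]
    + [_line("198.51.100.4", "01/Jun/2018:10:04:30.000", 200, "/admin/")]
)

if __name__ == "__main__":
    hits = find_basic_auth_bruteforce(SAMPLE_LINES, window_s=60, threshold=5)
    for src, when in hits.items():
        print(f"{src} reached 5 failed Basic Auth attempts within 60s at {when:%H:%M:%S}")
```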


Healthchecks broken? 1.8.8


@scratchy wrote:

Hello,

We have trouble using 1.8.8, looks like the backend checks are not working correctly.

As soon as one backend server is being shut down (in this case data-3-*), often one backend stays in the yellow mode forever. The service on all 10.0.1.2 backends is the same application, with multiple listeners on ports 80, 7081, 7082, ….

In the example haproxy is stuck, and does not take the data-3-8 backend offline.

stats:

Port ranges on the system are:

net.ipv4.ip_local_port_range = 10000    65534
net.ipv4.ip_local_reserved_ports = 1-10000

haproxy.cfg:

global
            daemon
            log-send-hostname
            log log.domain.net local0 info alert
            log log.domain.net local1 notice alert
            # SSL
            ca-base /etc/ssl/certs
            crt-base /etc/ssl/private
            ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDHE-RSA-AES256-GCM-SHA384:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
            ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
            
            ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDHE-RSA-AES256-GCM-SHA384:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
            ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11
            
            stats socket /p/admin.sock mode 777 level admin expose-fd listeners
            
            maxconn 700000
            tune.ssl.default-dh-param 2048
            tune.ssl.cachesize 400000
            tune.ssl.lifetime 1200
            tune.bufsize 32768
            ulimit-n 900000
            
            nbproc 1
            nbthread 36
            cpu-map 1/1-6 0-5
            cpu-map 1/7-12 6-11
            cpu-map 1/13-18 12-17
            cpu-map 1/19-24 24-29
            cpu-map 1/25-30 30-35
            cpu-map 1/31-36 36-41
            
            ssl-engine rdrand  # intel engine available in openssl
            ssl-mode-async
    defaults
            log global                
            fullconn 4000000
            maxconn 700000
            mode    http
            option srvtcpka
            option tcpka
            option http-keep-alive
            option prefer-last-server
            option log-separate-errors
            option dontlognull
            max-keep-alive-queue 16000
            timeout connect 5s
            timeout client  300s
            timeout server  300s
            timeout queue   5s
            timeout tunnel  1h
            default-server inter 5s fall 3 rise 2 maxconn 40000

    frontend www-web
            bind WEB_IP:80 #allow-0rtt tfo alpn h2,http/1.1
            mode http
            timeout client 300s
            
            redirect scheme https
            
    frontend wwws-web
            bind WEB_IP:443 ssl crt /etc/haproxy/server.pem allow-0rtt tfo alpn h2,http/1.1
            bind *:444 ssl crt /etc/haproxy/server.pem allow-0rtt tfo alpn h2,http/1.1
            bind *:445 ssl crt /etc/haproxy/server.pem allow-0rtt tfo alpn h2,http/1.1
            bind *:446 ssl crt /etc/haproxy/server.pem allow-0rtt tfo alpn h2,http/1.1
            bind *:447 ssl crt /etc/haproxy/server.pem allow-0rtt tfo alpn h2,http/1.1
            bind *:448 ssl crt /etc/haproxy/server.pem allow-0rtt tfo alpn h2,http/1.1
            bind *:449 ssl crt /etc/haproxy/server.pem allow-0rtt tfo alpn h2,http/1.1
            bind *:450 ssl crt /etc/haproxy/server.pem allow-0rtt tfo alpn h2,http/1.1
            bind *:451 ssl crt /etc/haproxy/server.pem allow-0rtt tfo alpn h2,http/1.1
            bind *:452 ssl crt /etc/haproxy/server.pem allow-0rtt tfo alpn h2,http/1.1
            bind *:453 ssl crt /etc/haproxy/server.pem allow-0rtt tfo alpn h2,http/1.1
            bind WEB_IP:944 ssl crt /etc/haproxy/server.pem allow-0rtt tfo alpn h2,http/1.1
            timeout client 1h
            
            acl host_api hdr(host) -i api.domain.com
            acl host_dyn hdr(host) -i dyn.domain.com
            acl host_ws hdr(host) -i ws.domain.com
            acl host_push hdr(host) -i push.domain.com
                    
            acl is_websocket_star hdr(Upgrade) -i WebSocket
            
            acl host_lbstats1 hdr(host) -i lbstats1.domain.com
            use_backend websocket-rest-push-backend if host_push
            
            #wss://*.domain.com
            use_backend websocket-rest-backend if is_websocket_star
            
            use_backend www-rest-backend if host_dyn
            use_backend www-rest-backend if host_api
            use_backend www-rest-backend if host_ws
            default_backend www-web-backend
    backend www-rest-backend
            balance roundrobin
            mode http
            option forwardfor
            option allbackups
            
            reqadd x-forwarded-proto:\ https
            option httpchk get /isOnline?type=rest
            
            server data2 10.0.1.1:80 check verify none maxconn 1000
            server data3 10.0.1.2:80 check verify none maxconn 1000
            
    backend websocket-rest-push-backend
            balance leastconn
            mode http
            option forwardfor
            option http-server-close
            option forceclose
            option allbackups
            no option httpclose
            option httpchk get /isOnline?type=ws
            fullconn 4000000
            
            server data2-1 10.0.1.1:80 check verify none
            server data2-2 10.0.1.1:7081 check verify none
            server data2-3 10.0.1.1:7082 check verify none
            server data2-4 10.0.1.1:7083 check verify none
            server data2-5 10.0.1.1:7084 check verify none
            server data2-6 10.0.1.1:7085 check verify none
            server data2-7 10.0.1.1:7086 check verify none
            server data2-8 10.0.1.1:7087 check verify none
            server data2-9 10.0.1.1:7088 check verify none
            server data2-10 10.0.1.1:7089 check verify none
            
            server data3-1 10.0.1.2:80 check verify none
            server data3-2 10.0.1.2:7081 check verify none
            server data3-3 10.0.1.2:7082 check verify none
            server data3-4 10.0.1.2:7083 check verify none
            server data3-5 10.0.1.2:7084 check verify none
            server data3-6 10.0.1.2:7085 check verify none
            server data3-7 10.0.1.2:7086 check verify none
            server data3-8 10.0.1.2:7087 check verify none
            server data3-9 10.0.1.2:7088 check verify none
            server data3-10 10.0.1.2:7089 check verify none
            
    backend websocket-rest-backend
            balance leastconn
            mode http
            option forwardfor
            option http-server-close
            option forceclose
            option allbackups
            no option httpclose
            option httpchk get /isOnline?type=ws
            server data1-1 10.0.1.6:80 check backup verify none
            
            server data2-1 10.0.1.1:80 check verify none
            server data2-2 10.0.1.1:7081 check verify none
            server data2-3 10.0.1.1:7082 check verify none
            server data2-4 10.0.1.1:7083 check verify none
            server data2-5 10.0.1.1:7084 check verify none
            server data2-6 10.0.1.1:7085 check verify none
            server data2-7 10.0.1.1:7086 check verify none
            server data2-8 10.0.1.1:7087 check verify none
            server data2-9 10.0.1.1:7088 check verify none
            server data2-10 10.0.1.1:7089 check verify none
            
            server data3-1 10.0.1.2:80 check verify none
            server data3-2 10.0.1.2:7081 check verify none
            server data3-3 10.0.1.2:7082 check verify none
            server data3-4 10.0.1.2:7083 check verify none
            server data3-5 10.0.1.2:7084 check verify none
            server data3-6 10.0.1.2:7085 check verify none
            server data3-7 10.0.1.2:7086 check verify none
            server data3-8 10.0.1.2:7087 check verify none
            server data3-9 10.0.1.2:7088 check verify none
            server data3-10 10.0.1.2:7089 check verify none
            
    listen stats1
        bind STATS_IP:8001 ssl crt /etc/haproxy/server.pem
        mode http
        stats enable
        stats refresh 7s
        stats realm Haproxy\ Statistics
        stats uri /haproxy?stats
        stats auth xxx:yyy
        default_backend www-web-backend

Posts: 1

Participants: 1


Building on AIX 7.2


@geekthymia wrote:

This is just for a quick sanity check. I’m not seeing much sign of any mention of haproxy on AIX beyond 5.3. Before I involve myself heavily in it, has anyone attempted a build of haproxy on AIX 7.2 or am I highly likely on a road to nowhere?

TIA.

Posts: 1

Participants: 1


Haproxy show info tasks


@shlompy wrote:

Unfortunately the haproxy documentation is missing some explanation about stats.
The show info command provides the following:

Tasks: 300
Run_queue: 5
Idle_pct: 87

I would be glad if someone could provide me with some more info.
Idle_pct is well documented; I just want to confirm my assumption: does the given value indicate the average idle time measured in the last second, or something else?

There is no documentation at all for Tasks and Run_queue, and I have no idea what they mean.

Posts: 1

Participants: 1


SSL Speed Problems?


@SeanFulton wrote:

I’ve verified this with Haproxy 1.5, 1.7.10 and 1.8.8. I’ve tried many different configurations, including multi-process (1.5 and 1.7) and multi-threading in 1.8.

Here’s the problem:

When using ab to bench a pair of web servers behind haproxy, I get about 9000 requests/sec. with http:, but when I switch to https: (with haproxy terminating the SSL connection), it drops to 250 - 270 requests/sec.

I have tried a number of different configurations recommended both on the Haproxy site and elsewhere, multiple sockets, different ways of assigning processes, etc., and all wind up in that range. I even tried limiting the ciphers selected to a small, “higher performing” set. No luck.

I figured out that the SSL speed is about 2.7% of the non-SSL speed. When I went back and looked at a couple of well-known how-tos I had referred to about speeding up SSL, and when I looked at the data, those guys were only able to get about 3% of the transactions in SSL that they got with non-SSL tests. Most of the docs on squeezing performance out of HaProxy are about http transactions, not SSL.

Here’s what bothers me about this: When I use a single CPU config (nbproc 1/nbthread 1), the CPU usage for the haproxy process goes up to 97% (and we see 250 to 270 requests/second). But when I use 10 threads or 10 processes, the load does get split across the additional threads, but they never go beyond 30% to 50% CPU usage, and I STILL get 250 to 270 requests/second. In fact, with haproxy 1.8.8, I saw four threads at about 35% usage, and the other threads down in the 13% to 19% usage. So even though the load is being shared, it’s not maxing out the hardware the way I would think it should.

If haproxy can max out 1 core, shouldn’t it be able to max out 10 cores and produce higher SSL throughput?

It seems like we could get better throughput if all of the cores/threads were pushing harder, but I’m not sure how to get those results.

This was all on CentOS 6.

Any thoughts or ideas from anyone on this forum about how we might be able to squeeze more SSL performance? Is there something I am missing?

sean

Posts: 1

Participants: 1



No TCP ACK on first client request

How to send https traffic to the correct destination based on the subdomain it was sent to?


@augustynr wrote:

Hi
I have https traffic coming into my network on port 443; now, based on the subdomain of the query, I need to send it to the correct server on the local network.
Any idea how to accomplish this?

Posts: 1

Participants: 1


Traffic with different acl for virtual host seems to be counted in all backends


@txalamar wrote:

Hi,

I have something like this:

frontend app1
 acl app1 hdr(host) -i app1.domain.com
 default_backend app1
 use_backend app1 if app1

frontend app2
 acl app2 hdr(host) -i app2.domain.com
 default_backend app2
 use_backend app2 if app2

backend app1
 mode http
 ...
 option httpchk GET /rest/util/setting HTTP/1.0\r\nHost:\ app1.domain.com:8080\r\n
 ...
 server talaiaclu01-app1 192.168.211.13:8080 cookie server1 maxconn 1000 check inter 5000
 server talaiaclu02-app1 192.168.211.14:8080 cookie server2 maxconn 1000 check inter 5000

backend app2
 mode http
 ...
 option httpchk GET /rest/util/setting HTTP/1.0\r\nHost:\ app2.domain.com:8080\r\n
 ...
 server talaiaclu01-app2 192.168.211.13:8080 cookie server1 maxconn 1000 check inter 5000
 server talaiaclu02-app2 192.168.211.14:8080 cookie server2 maxconn 1000 check inter 5000

This should be sending requests for app1.domain.com only to backend app1. But as per the statistics I can see that backend app2 is being hit. In fact I can see that the frontend is also being hit by the same request.

In fact the requests are well redirected to the right backend based on the url, but the statistics are perturbing me. I could understand that all frontends must be hit to determine which is the right one, but backends should not, right? And the backends never receive the requests that are not destined for them. So it seems to be only a statistics problem.

Kind regards,

Posts: 1

Participants: 1


Geoip filtering for IPv6


@JPedroT wrote:

I was able to set up geofiltering using the tool and info from here

Might be other ways of doing it, but that was what I was able to find.

But that only covers IPv4 and I need IPv6 filtering also, since now all IPv6 traffic is blocked.

Is there a similar tool to the iprange that can create lists for v6 also? Or must I write my own?

Any hints on where to look are greatly appreciated.

Btw, I’m using HAProxy 1.7 on Debian 8.10.

Posts: 1

Participants: 1


How to redirect non-www or www-without-ssl to www-ssl prefix in haproxy


@deepika wrote:

I am using haproxy 1.8.8 and trying to redirect non-www or www-without-ssl to www-ssl page.

Only the following needs to be redirected, and the domain has thousands of other subdomains that do not need to be redirected:

1. http://example.com -> https://www.example.com
2. https://example.com -> https://www.example.com
3. http://www.example.com -> https://www.example.com

I am trying with the following configuration, but it is not working properly (partial config below):

frontend www
    http-request redirect prefix https://www.%[hdr(host)] code 301 if { hdr(host) -i example.com }
    http-request redirect prefix https://%[hdr(host)] code 301 if { hdr(host) -i www.example.com } !{ ssl_fc }

With the above code, (1) and (2) work perfectly, but for (3) it gets redirected to https://www.www.example.com

Posts: 1

Participants: 1

