Channel: HAProxy community - Latest topics

Cannot bind socket 80 / 443

@blechinger wrote:

I believe I’ve worked out most of the kinks just by reading through the docs and learning how the config is supposed to work. Now I’m running into an issue getting HAProxy to bind to the frontend ports. I’m a bit confused as to why.

HAProxy config: https://pastebin.com/RSVqc9By

Journalctl -xe output: https://pastebin.com/g21Q7he9

netstat doesn’t show that I’ve got anything connected or listening on any of the ports I’m using. I also tried changing the backend ports to 8080 or 82 because I thought the frontend and backend might not want to be the same. That didn’t help though.

What have I misunderstood here? Any insight appreciated.

Thanks!

Posts: 7

Participants: 2

Read full topic


Can I implement switching depending on load on the Tomcat server processors?

@MinistrBob wrote:

Hello!

Can I implement switching depending on load on the Tomcat server processors?
I cannot find anything like this in the documentation…

There is an algorithm, leastconn, but we use the traffic to Tomcat servers. As I understand it, this algorithm does not quite fit.

We have individual requests that can load the Tomcat server for a long time. I would like other requests not to be distributed to such loaded servers until they are freed.

Posts: 3

Participants: 2

Read full topic

SSL Handshake issue

@ruzzetto wrote:

Hi all,
I have a strange issue with haproxy after performing some package upgrades on my RHEL machine. Everything was fine, but now when I try to get a resource (the second backend) I get 503 Service Unavailable.

I found error messages:

  1. haproxy[9190]: backend jboss-fe-bus has no server available!
  2. Server jboss-fe-bus/nodo1 is DOWN, reason: Layer6 invalid response, info: "SSL handshake failure", check duration: 27ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.

Here’s my haproxy.cfg:

frontend myapp *:80
    bind *:80
    bind *:443 ssl crt /etc/pki/tls/private/mycertificate.pem
    redirect scheme https if !{ ssl_fc }
    option forwardfor
    acl host_myapp1_bus hdr(host) -i app.mydomain.it
    acl is_root path -i /
    acl is_myapp1_bus path_beg /MYAPP
    acl is_myapp3 path_beg /main-web
    redirect code 302 location /MYAPP/ if is_root host_myapp1_bus
    use_backend iis if host_myapp1_bus is_myapp1_bus
    use_backend jboss-fe-bus if host_myapp1_bus is_myapp3

backend iis
    balance roundrobin
    cookie SERVERID insert indirect nocache
    server nodo1 server01.domain.lan:443 weight 1 maxconn 100 check ssl verify none check cookie s1

backend jboss-fe-bus
    balance roundrobin
    server nodo1 server02.domain.lan:9443 weight 1 maxconn 100 check ssl verify none

The server “server02.domain.lan” is the same as haproxy.

Maybe new packages change something?
Thanks a lot,
Fabio

Posts: 6

Participants: 2

Read full topic

Certificate to access backend with TLS

@tiagocruz wrote:

  • nginx:
server {
  listen      10010;
  location / {
    proxy_pass                 https://consumersoa.xxx.com:443;
    proxy_ssl_certificate      /keys/xxxx.messaging_com.crt;
    proxy_ssl_certificate_key  /keys/xxxx.messaging_com.key;
    proxy_ssl_protocols        TLSv1;
  }
}
  • haproxy
frontend fe_10010
    bind :10010

backend be_soa
    server soa consumer.xxxx:443 check crt /keys/xxxx.messaging_com force-tlsv10

This is not working… can you tell me what is wrong?

Thanks!

Posts: 3

Participants: 2

Read full topic

Do not reply with 5xx and 4xx errcodes

@ASA wrote:

Is there any way to not answer with a 5xx error even if no backend servers are available?
I understand how to change the error code received from the backend, but I couldn’t find a way to rewrite all error codes, for example with an empty answer.

Posts: 1

Participants: 1

Read full topic

Problem on URL redirection

@hadi wrote:

Hello everyone,

I want to redirect the following domains, but I am getting a security alert on the HTTPS ones.

cc.com ---->  cc.com//connections?currency=EUR                      [WORKS]
http://cc.com ----> http://cc.com//connections?currency=EUR     [WORKS]
https://cc.com ----> https://cc.com//connections?currency=EUR      [WORKS, but with security warning]
http://www.cc.com --> http://www.cc.com//connections?currency=EUR     [WORKS]
https://www.cc.com --> https://www.cc.com//connections?currency=EUR  [WORKS, but with security warning]

My config is as follows.

# CC Redirect
acl host_cc hdr(host) -i cc.com
acl host_cc hdr_beg(host) -i www.
reqirep ^Host:\ www.(.*)$ Host:\ \1 if host_ff
http-request redirect code 301 location https://www.cc.com//connections?currency=EUR if host_cc

Can you please help me with the config and tell me how I can fix these security warning alerts?
Thank you

Posts: 5

Participants: 2

Read full topic

Remove HTTP status

@ASA wrote:

@lukastribus could you help me with the following? I just want to completely remove the status description from the HTTP response. Here is what I’m trying to do:

    http-response set-status 204 reason "". if is_204

But this code leaves a dot in the response.

I’ve also tried the following:

    http-response set-status 204 reason . if is_204

But this leaves the default description.

Posts: 1

Participants: 1

Read full topic

Routing based on content in body

@isa wrote:

Hi

We need to route traffic based on a version of our application which is passed in the Body of a request. I know this can be done on version 1.6x as below

    acl redirect_v1   req.body -m reg \"version\"\:\"1\"
    acl redirect_v2   req.body -m reg \"version\"\:\"2\"

However, we are using HAProxy 1.5.18. Any idea how I can do this with 1.5?

Posts: 1

Participants: 1

Read full topic


Implement self created filter

@Racoon21 wrote:

Hello guys!
As most of you already know, HAProxy has a new filter support feature, so you can build your own filter.
So I have built my own filter for now and everything is great.
My question now is… Is there another way to build (implement) the filter than adding it in the Makefile?
I cannot find anything in the docs or elsewhere…

Posts: 1

Participants: 1

Read full topic

Backend redirects

@pathet wrote:

Hello,

We have a little configuration problem, maybe some guru can help us. :)

Haproxy 1.7.11

blog.example.com = blog
blogde.example.com = blogde

We configured some redirects in the htaccess file of the backend servers.
The redirect should forward from blogde to blog/de/de/. Blogde is a CNAME of blog.

We configured an SSL cert for “blog” in the frontend section of the HAProxy config. So now the users type in “blogde” and they get a certificate error (SSL_ERROR_BAD_CERT_DOMAIN).
If the users try to reach “blog”, everything is fine.

Is it possible to use the htaccess redirects on the backend servers?

Thanks in advance.

regards
Patrick

Posts: 1

Participants: 1

Read full topic

How to add Cookies on http request not on http response

@pankaj.ghadge wrote:

Hi,

Can we add cookies on http request instead of http response like below:

backend app-backend
    mode http
    option httpclose
    balance leastconn
    cookie SERVERID insert indirect nocache
    server app1 10.89.1.10:80 check cookie app1 http-request add-header cookies SERVERID app1
    server app2 10.89.1.20:80 check cookie app2 http-request add-header cookies SERVERID app2

Or

Can we add a URL parameter to the request if SERVERID is not present in the URL, like below

backend app-backend
     mode http
     option httpclose
     balance leastconn
     cookie SERVERID insert indirect nocache
     server app1 10.89.1.10:80 check cookie app1 http-request set-uri https://%[req.hdr(Host)]%[path]?%[query]&SERVERID=app1 if SERVERID in URL NOT FOUND
     server app2 10.89.1.20:80 check cookie app2 http-request set-uri http://%[req.hdr(Host)]%[path]?%[query]&SERVERID=app2 if SERVERID in URL NOT FOUND

Thanks

Posts: 1

Participants: 1

Read full topic

1.7.11 Compression Issue? Parsing errors on response

@Ryuzaki wrote:

Hey

We recently upgraded from 1.7.10 to 1.7.11 and we started to notice some sporadic issues in some of the responses in our application. Specifically some searches via Solr started to fail with what looks to be somewhat garbled responses.

We were at a loss at what was causing this until we took HAProxy out of the equation and issue immediately disappeared. Introducing it back in and then switching off compression also sorted the issue.

So I was just wondering if there were any changes to the compression behavior in 1.7.11? We just use gzip compression and have not changed anything on our end. Until this is sorted we’ll revert back to 1.7.10.

Cheers,
R

Posts: 3

Participants: 2

Read full topic

1.8.x Resolvers not working when multiple backend servers share the same hostname \ IP?

@Ryuzaki wrote:

Hey

I commented on a slightly different issue regarding this but haven’t got a response for a while now so thought it worth creating a new issue with my specific problem to help anyone else.

Basically it seems that the Resolvers functionality doesn’t accommodate multiple servers in the same backend having the same hostname \ fqdn \ IP but using a different port. E.g.

resolvers serverdns
    nameserver dnsmasq 127.0.0.1:53

backend servers
    mode http
    balance roundrobin
    cookie EXTERNALSERVERID insert indirect nocache
    option forwardfor
    option httpchk /health

    server server1 server1.lab.local:10280 cookie server1 check resolvers serverdns ssl ca-file /etc/haproxy/chain.crt
    server server2 server1.lab.local:10281 cookie server2 check resolvers serverdns ssl ca-file /etc/haproxy/chain.crt
    server server3 server1.lab.local:10282 cookie server3 check resolvers serverdns ssl ca-file /etc/haproxy/chain.crt

With this config I always only get one server UP and the other two are in MAINT. The logs just say there’s no IP:

haproxy[32393]: Server servers/server1 is going DOWN for maintenance (No IP for server ). 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.

This config works fine on 1.7.x so I was wondering if there was a change required in the config from 1.7 to 1.8? If not is there a way I can get this working? This is blocking us from upgrading to 1.8.

Cheers,
R.

Posts: 3

Participants: 2

Read full topic

Stats not reflecting traffic to acl backend

@sbrooks wrote:

I have a simple config with a single ACL and a matching backend. The issue I’m having is that all traffic is showing up under the default backend in the stats page. How do I make the traffic show up under the backend that the acl is pointing to? HA-Proxy version 1.8.8-1 2018/04/19

frontend http-justfoia.com_atlhap1-p-mcci
    bind *:80
    mode http
    redirect scheme https if !{ ssl_fc }

frontend https-justfoia.com_atlhap1-p-mcci
    bind *:443
    option tcplog
    mode tcp
    acl aikensc-justfoia-com hdr_dom(host) aikensc.justfoia.com
    use_backend aikensc-justfoia-com if aikensc-justfoia-com
    default_backend backend-atlwebx-p-mcci

backend aikensc-justfoia-com
    mode tcp
    balance roundrobin
    option httpchk GET /HealthCheck.txt HTTP/1.0\r\nHost:\ aikensc.justfoia.com
    http-check expect string I\ am\ Healthy
    server https-atlweb1-p-mcci 172.16.64.243:443 check ssl
    server https-atlweb2-p-mcci 172.16.64.244:443 check ssl

backend backend-atlwebx-p-mcci
    mode tcp
    balance roundrobin
    server http_atlweb1-p-mcci 172.16.64.243 check port 80
    server http_atlweb2-p-mcci 172.16.64.244 check port 80

listen stats
    bind *:8000 ssl crt /etc/ssl/private/cert.pem
    mode http
    stats enable
    stats realm Haproxy\ Statistics
    stats uri /
    stats auth user:pass

Posts: 2

Participants: 2

Read full topic

HTTP2 and HTTP1 using SNI or ACLs

@tiagocruz wrote:

Hello guys,

I’m using HA-Proxy version 1.8.8 2018/04/19 with http2

I was using the conf:

frontend fe_main_443
    bind :443 ssl crt /etc/haproxy/keys/ alpn h2,http/1.1

To activate http2, but I have a few backends running ruby thin server that became strange with this.

Note: My ‘keys’ directory has 18 different wildcard certs to be used with https (SNI, host-based)

Using ‘http/1.1,h2’ solved the broken backend, but also disabled the http2 from the others sites.

How can I enable http2 just to some sites, or otherwise, how can I disable http2 to some acl based url?

Thanks!

Posts: 2

Participants: 2

Read full topic


Haproxy 1.8.9 CPU usage increased significantly

@ASA wrote:

HA-Proxy version 1.8.9-83616ec 2018/05/18
Copyright 2000-2018 Willy Tarreau willy@haproxy.org

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -m64 -march=x86-64 -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -fno-strict-overflow -Wno-unused-label
OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.0.1k-fips 8 Jan 2015
Running on OpenSSL version : OpenSSL 1.0.1k-fips 8 Jan 2015
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.21 2011-12-12
Running on PCRE version : 8.21 2011-12-12
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace

Compared to 1.8.8, CPU usage tripled. The full config can be found at Haproxy 1.8.2; 1.8.3 DNS auto discover stop working

Posts: 2

Participants: 2

Read full topic

HAProxy Supported Format?

@lab wrote:

Hey there…

I want to confirm about one of my HAProxy log formats listed below which are currently not being parsed on Loggly. Please see the below logs-

2601:42:1:56db:2088:1808 [29/May/2018:23:26:47.940] prod-front-http prod-bke-http/prod-web4 0/0/0/313/313 200 2963 - - ---- 6/1/0/0/0 0/0 "GET /pro_appointments/dmQ3ZTF3VmNNaG5oWERLajJSK1VZeWdv HTTP/1.1"

172.31.5.1:22923 [31/May/2018:23:26:47.940] prod-front-http prod-bke-http/prod-web4 0/0/0/313/313 200 2963 - - ---- 6/1/0/0/0 0/0 "GET /pro_appointments/dmQ3ZTF3VmNNaG5oWERLajJSK1VZeWdv HTTP/1.1"

Can you please let me know if this is one of the supported log formats of HAProxy? I’ll look forward to your fastest response.

Thanks.

Posts: 1

Participants: 1

Read full topic
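
An added example, not part of the original post and not HAProxy's or Loggly's own code: a parser for the field layout of HAProxy's HTTP log format (`option httplog`), run over the two lines quoted in the post above. The names `LINE_RE`, `SAMPLE_LINES` and `parse_line` are chosen here for illustration; the parser assumes the syslog prefix is absent, as it is in the post, and flags a client address that is not a well-formed IP.

```python
import ipaddress
import re
from datetime import datetime

# Field layout of HAProxy's HTTP log format ("option httplog") without the
# syslog prefix, which the lines in the post do not carry.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<accept_date>[^\]]+)\] '
    r'(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<timers>[+-]?\d+(?:/[+-]?\d+){4}) '   # five timers, milliseconds
    r'(?P<status>-?\d+) (?P<bytes_read>\+?\d+) '
    r'(?P<req_cookie>\S+) (?P<res_cookie>\S+) '
    r'(?P<term_state>\S{4}) '
    r'(?P<conns>\d+(?:/\d+){3}/\+?\d+) '        # actconn/feconn/beconn/srv_conn/retries
    r'(?P<queues>\d+/\d+) '
    r'(?:\{[^}]*\} )*'                          # optional captured headers
    r'"(?P<request>.*)"$'
)

# The two lines quoted in the post above.
SAMPLE_LINES = [
    '2601:42:1:56db:2088:1808 [29/May/2018:23:26:47.940] prod-front-http prod-bke-http/prod-web4 0/0/0/313/313 200 2963 - - ---- 6/1/0/0/0 0/0 "GET /pro_appointments/dmQ3ZTF3VmNNaG5oWERLajJSK1VZeWdv HTTP/1.1"',
    '172.31.5.1:22923 [31/May/2018:23:26:47.940] prod-front-http prod-bke-http/prod-web4 0/0/0/313/313 200 2963 - - ---- 6/1/0/0/0 0/0 "GET /pro_appointments/dmQ3ZTF3VmNNaG5oWERLajJSK1VZeWdv HTTP/1.1"',
]


def parse_line(line):
    """Return a dict of fields, or None if the line does not match the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # Split on the last colon so IPv6 client addresses keep their own colons.
    ip, _, port = rec.pop("client").rpartition(":")
    if not ip or not port.isdigit():
        return None
    rec["client_ip"], rec["client_port"] = ip, int(port)
    try:
        ipaddress.ip_address(ip)
        rec["client_ip_valid"] = True
    except ValueError:
        # The layout matched, but the address part is not a well-formed IP.
        rec["client_ip_valid"] = False
    rec["accept_date"] = datetime.strptime(rec["accept_date"], "%d/%b/%Y:%H:%M:%S.%f")
    rec["timers"] = [int(t) for t in rec["timers"].split("/")]
    rec["status"] = int(rec["status"])
    rec["bytes_read"] = int(rec["bytes_read"])
    return rec


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        r = parse_line(sample)
        print(r["client_ip"], r["client_port"], r["client_ip_valid"], r["status"], r["timers"])
```

Both lines match the field layout; the first splits into address `2601:42:1:56db:2088` and port `1808`, and that address does not validate as IPv6, while the second validates as IPv4.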

HAProxy redispatch option

@ajays20078 wrote:

Does the HAP redispatch option redispatch a connection when connecting to a backend fails or does it redispatch a request in a connection if connecting to backend fails?

Consider a case where a client C is interacting with App A with instances I1 and I2 with HAP in between. First the request goes to I1, now before I1 sends back the response, if I1 goes down, is the same request redispatched to I2?

Posts: 3

Participants: 2

Read full topic

Haproxy configuration problem

@smangiagli wrote:

I would like to implement a configuration that allows me to redirect requests to two internal web servers. In the case where it is indicated as url http://sowinproxy the requests must be directed to the server 10.200.80.96, while if the request is http://sowinproxy/blog the requests must be redirected to the 10.200.80.97 server.

frontend http-in
    bind :80
    acl is_blog path_reg ^/blog/.

    use_backend tecadmin_blog if is_blog
    default_backend webservers

backend tecadmin_blog
    mode http
    balance roundrobin
    option httpchk
    option forwardfor
    server web2 10.200.80.97 check

backend webservers
    mode http
    balance roundrobin
    option httpchk
    option forwardfor
    server web1 10.200.80.96:80 check

The configuration is in the spoiler, but it does not work properly. Can you help me? Thank you

Posts: 2

Participants: 2

Read full topic

Service Unavailable Intermittently (HTTP Proxy)

@warnox wrote:

Hi,

I’ve configured HA Proxy as the load balancer for a couple of Symantec proxies on the back end. Generally everything is working correctly, but I’m intermittently seeing issues with some websites. One being Twitter and the other one What’s App.

Looking at Twitter, when not working, the following URL does not load, https://twitter.com/push_service_worker.js, but displays a 503 error. Whether the site loads or not, I’m seeing exactly the same request headers, see attached.

If I point the browser to any of the proxy servers on the back-end directly, this error does not occur. I’ve verified this with multiple browsers.

Just wondering what else I can do to trace what is happening here? A basic tcpdump on the haproxy server, shows the request does reach the load balancer.

Thanks for any help.

Posts: 4

Participants: 2

Read full topic
