Channel: HAProxy community - Latest topics

Everything working, but one page returns 502

@fdellwing wrote:

Hi,

we have a haproxy instance handling multiple domains and getting the requests to the correct servers.

We have an nginx server, which runs fine without haproxy and mostly runs fine with haproxy. But one single page returns a 502 error:

Sep 18 15:00:28 dktig-proxy haproxy[2367]: <IP>:41656 [18/Sep/2018:15:00:28.473] ft_https~ bk_dkv/dkv 4/0/0/-1/6 502 16189 - - PH-- 1/1/0/0/0 0/0 "GET /de/suche/comparison/compare.html HTTP/1.1"

nginx has not much to say about this:

172.16.3.252 - - [18/Sep/2018:15:00:33 +0200] "GET /de/suche/comparison/compare.html HTTP/1.1" 499 0 "https://<domain>/de/suche/search/memo/show/1/asc/name.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36"

I already tried setting “accept-invalid-http-response”, but no change.

Here are the (relevant parts of the) config and the “show errors” output.

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Decrease the size of the rewrite buffer so that
        # there is more room to handle large (>8K) headers. See the HAProxy
        # manual around tune.bufsize and tune.maxrewrite.
        tune.maxrewrite 4096

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/haproxy/cert

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3
        tune.ssl.default-dh-param 2048

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 60s
        timeout client  300s
        timeout server  300s
        timeout http-request 120s
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend ft_http
        bind :80
        mode http
        option httplog
        redirect scheme https code 301 if !{ ssl_fc }

frontend ft_https
        bind :443 ssl crt <alot of certs here> strict-sni
        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }
        mode http
        reqadd X-Forwarded-Proto:\ https
        option httplog
        acl is_gitlab hdr(host) -i <DOMAIN>
        acl is_europ hdr(host) -i <DOMAIN>
        acl is_ip hdr(host) -i <IP>
        use_backend bk_gitlab if is_gitlab
        use_backend bk_europ if is_europ
        tcp-request connection reject if is_ip
        default_backend bk_dkv

backend bk_europ
        mode http
        balance roundrobin
        server gitlab 172.16.3.50:80

backend bk_gitlab
        mode http
        balance roundrobin
        server gitlab 172.16.3.50:80

backend bk_dkv
        mode http
        balance roundrobin
        option accept-invalid-http-response
        server dkv 172.16.3.45:443 ssl verify none

Total events captured on [18/Sep/2018:14:58:38.821] : 2
 
[18/Sep/2018:14:58:36.027] backend bk_dkv (#7): invalid response
  frontend ft_https (#3), server dkv (#1), event #1
  src <IP>:41546, session #83, session flags 0x002004ce
  HTTP msg state 26, msg flags 0x00000000, tx flags 0xa8000000
  HTTP chunk len 0 bytes, HTTP body len 0 bytes
  buffer flags 0x80048002, out 0 bytes, total 15984 bytes
  pending 4088 bytes, wrapping at 16392, error at position 0:
 
HA-Proxy version 1.6.3 2015/12/25
Copyright 2000-2015 Willy Tarreau <willy@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2
  OPTIONS = USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.0.2g-fips  1 Mar 2016
Running on OpenSSL version : OpenSSL 1.0.2g  1 Mar 2016
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.38 2015-11-23
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with Lua version : Lua 5.3.1
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Does anyone see anything odd? What can I try to resolve this problem? Any help is much appreciated.

Posts: 6

Participants: 2

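As an added example (editor's code, not from the post or from HAProxy), a parser for the httplog line quoted above that decodes the termination state; the field tables follow the HAProxy 1.6 configuration manual, and the sample line is the post's own with its <IP> placeholder kept.

```python
import re

# Constructed sample: the log line quoted in the post, with its <IP> placeholder kept.
SAMPLE_LINE = (
    'Sep 18 15:00:28 dktig-proxy haproxy[2367]: <IP>:41656 '
    '[18/Sep/2018:15:00:28.473] ft_https~ bk_dkv/dkv 4/0/0/-1/6 502 16189 '
    '- - PH-- 1/1/0/0/0 0/0 "GET /de/suche/comparison/compare.html HTTP/1.1"'
)

# Field layout of "option httplog" in HAProxy 1.6 (timers are Tq/Tw/Tc/Tr/Tt there;
# 1.8+ renames the first and last to TR/Ta). -1 in a timer means that step never completed.
HTTPLOG_RE = re.compile(r'''
    haproxy\[(?P<pid>\d+)\]:\s+
    (?P<client_ip>\S+):(?P<client_port>\d+)\s+
    \[(?P<accept_date>[^\]]+)\]\s+
    (?P<frontend>\S+)\s+
    (?P<backend>[^/\s]+)/(?P<server>\S+)\s+
    (?P<Tq>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Tt>\+?\d+)\s+
    (?P<status>-?\d+)\s+(?P<bytes>\+?\d+)\s+
    (?P<req_cookie>\S+)\s+(?P<resp_cookie>\S+)\s+
    (?P<term>\S{4})\s+
    (?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srvconn>\d+)/(?P<retries>\+?\d+)\s+
    (?P<srv_queue>\d+)/(?P<backend_queue>\d+)\s+
    "(?P<request>[^"]*)"
''', re.VERBOSE)

INT_FIELDS = ('pid', 'client_port', 'Tq', 'Tw', 'Tc', 'Tr', 'Tt', 'status', 'bytes',
              'actconn', 'feconn', 'beconn', 'srvconn', 'retries', 'srv_queue', 'backend_queue')

# Termination state, first character: who or what ended the session.
TERM_CAUSE = {
    '-': 'normal completion',
    'C': 'client aborted the TCP connection',
    'S': 'server aborted, refused or closed the connection',
    'P': 'proxy aborted the session (protocol violation, security check or invalid response)',
    'L': 'handled locally by HAProxy (redirect, stats, error)',
    'R': 'resource exhaustion on the proxy',
    'I': 'internal error in HAProxy',
    'D': 'session killed because the server was marked down',
    'U': 'session on a backup server killed when an active server came back',
    'K': 'session killed by an administrator',
    'c': 'client-side timeout expired',
    's': 'server-side timeout expired',
}
# Second character: what HAProxy was doing at that moment.
TERM_PHASE = {
    '-': 'normal completion',
    'R': 'waiting for a complete, valid request from the client',
    'Q': 'waiting in a queue for a connection slot',
    'C': 'waiting for the TCP connection to the server to establish',
    'H': 'waiting for complete, valid response headers from the server',
    'D': 'transferring the request or response body',
    'L': 'transmitting the last data to the client',
    'T': 'request tarpitted',
}


def parse_httplog(line):
    """Parse one httplog line into a dict, or return None if it is not one."""
    m = HTTPLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key])   # int() accepts the '+' that marks a retried/interrupted value
    return rec


def explain_termination(term):
    """Decode the four-character termination state (chars 3-4 are the cookie flags)."""
    return {
        'cause': TERM_CAUSE.get(term[0], 'unknown cause %r' % term[0]),
        'phase': TERM_PHASE.get(term[1], 'unknown phase %r' % term[1]),
        'cookie': term[2:],
    }


def assess(rec):
    """One-line finding for a parsed record, as an alerting rule would phrase it."""
    term = rec['term']
    if term.startswith('PH'):
        # PH with Tr=-1 is the signature of "invalid response": HAProxy never saw a parsable
        # status line and headers from the server, so it answered 502 itself. The bytes it
        # rejected are kept for "show errors" on the stats socket (the post shows that output).
        return ('%s/%s: HAProxy rejected the server response as invalid HTTP (status %d, Tr=%d); '
                'inspect "show errors" for the first bytes the server sent'
                % (rec['backend'], rec['server'], rec['status'], rec['Tr']))
    if term[:2] == '--':
        return 'normal completion'
    info = explain_termination(term)
    return '%s; session was %s' % (info['cause'], info['phase'])


if __name__ == '__main__':
    print(assess(parse_httplog(SAMPLE_LINE)))
```
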
Need help to defeat an appliance

@j_bourdeau wrote:

Hi,

In my network, I have an appliance that I do not fully control. To access its web interface, I must reach it by calling its IP address and that request must be from an IP in the same network as the appliance itself. Because I do not fully control that appliance, I deployed it in a dedicated DMZ.

To defeat its control once, I just did a simple NAT on the firewall. That allowed me to connect the appliance calling it by its IP address over HTTP from anywhere in my network. The moment the client can reach that IP address, the NAT is enough to get the appliance’s web interface working.

If I create a DNS name for the appliance and call it by that name, that NAT mechanism does not work anymore. Although the NAT does change the source IP, the HTTP headers now contain that DNS name instead of an IP, so the appliance refuses to work.

My goal is to get that appliance’s web interface managed and secured by HAProxy, so that I can reach it even from outside the network. That means clients will not be able to call the appliance by IP anymore. So what I need is:
– HAProxy to listen for a dedicated hostname from the Internet, over SSL. DONE
– HAProxy to authenticate the clients using a client-side certificate. DONE
– HAProxy to change the Host header in the HTTP request. DONE
– HAProxy to forward the request to the appliance IP address and port. DONE

The problem is with the links sent as a reply by the appliance. They are pointing to the appliance’s internal IP address and port. I need to rewrite all of that to point the client back at the Internet DNS name, port and HTTPS instead of HTTP.

As of now, my backend is configured as:

backend To_Appliance_ipvANY
mode http
id 124
log global
http-response set-header Strict-Transport-Security max-age=15780000;
timeout connect 30000
timeout server 30000
retries 3
option httpchk OPTIONS /
acl AllClients src 0.0.0.0/0
http-request set-header Host 172.16.1.10:3210 if AllClients
rspirep ^Location:\ (http?://172.16.1.10(:[0-9]+)?)?(/.*) Location:\ / if AllClients
http-response set-header Host ext-name.domain.org if AllClients
server Appliance 172.16.1.10:3210 id 125 check inter 1000

That still does not work.

Any idea what I need to do to get that fixed?

How can I have HAProxy make a complete abstraction of protocol, host and port between the client and the server?

Thanks in advance and I will keep working on that one myself at the same time,

Posts: 1

Participants: 1

Haproxy Across Sites

@etenburn wrote:

So I'm new to haproxy; also, I'm no Linux admin, but I know my way around. I am working with Ubuntu 18.04.

The picture above is an example of what I'm trying to accomplish.

I have 1 haproxy server and 2 nodes at 2 separate locations, currently set up for testing purposes. Both locations are currently working within the network just fine. What I need is: if SITE 1, NODE 1 goes down, I need all traffic to be forwarded to SITE 2, NODE 1, etc.

Eventually, there will be 3 sites all together.

Do I need a haproxy server to load-balance my haproxy servers? Is that a thing?

Posts: 1

Participants: 1

Site down Alternate Routing

@porton wrote:

Hi, I have been banging my head on this for a few days and I realize I need a little help.

I am trying to set up an acl that will route traffic to a site that provides a notice when all servers on a backend are down.

I followed the advice on an article called Failover and Worst Case Management with HAProxy, but it only works when you hit the site’s root. If you hit a specific path it fails. So to ensure that once the condition is met I am setting the path on the frontend to be /.

What I am trying to achieve is similar to the functionality provided in Apache’s ProxyPass and ProxyPassReverse. I have also followed the advice on this article, but it isn’t quite working. Depending on what I tweak, it either passes the notice back to me w/o any of the css & js that provide the formatting, or the browser gets into a request loop.

Here is how things are set up.

  • Notices server (aka backend): notices.example.com/notices/index.html

  • Public Server:public.example.com/somepath

If services in public.example.com/somepath are not available, then route traffic to notices.example.com.

Outage/Maintenance ACL

acl outage_state nbsrv(public) le 1

acl url_stats path_beg -i /stats
http-request set-path / if outage_state !url_stats
use_backend notices if outage_state

Backend Configuration

backend notices
mode http

# Emulate ProxyPass Reverse from Apache
acl hdr_set_cookie_path res.hdr(Set-Cookie) -m sub Path=
rspirep ^(Set-Cookie:.*)\ Path=(.*) \1\ Path=/notices if hdr_set_cookie_path

Thanks!

Posts: 1

Participants: 1

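Both the Location rewrite in the appliance post above and the Set-Cookie rewrite in this post rely on rspirep regexes, so here is one added check (editor's code, not from either post) that runs them against constructed headers; the "fixed" rules are the editor's suggestion, ext-name.domain.org is the external name from the appliance post, and Python's re stands in for HAProxy's PCRE.

```python
import re

# Post "Need help to defeat an appliance": the Location rule as posted. rspirep applies a
# case-insensitive PCRE to the whole header line; the "\ " of haproxy.cfg is a plain space here.
POSTED_LOCATION = (re.compile(r'^Location: (http?://172.16.1.10(:[0-9]+)?)?(/.*)', re.I),
                   r'Location: /')
# Suggested form (an assumption, not from the post): "https?" instead of "http?", which only
# matches "http" or "htt"; escaped dots; and group 3 kept so the path survives, prefixed with
# the external name the client should come back to.
FIXED_LOCATION = (re.compile(r'^Location: (https?://172\.16\.1\.10(:[0-9]+)?)?(/.*)', re.I),
                  r'Location: https://ext-name.domain.org\3')

# Post "Site down Alternate Routing": the Set-Cookie rule as posted.
POSTED_COOKIE = (re.compile(r'^(Set-Cookie:.*) Path=(.*)', re.I),
                 r'\1 Path=/notices')
# Suggested form: replace only the Path value and re-attach whatever follows it, so attributes
# such as Secure and HttpOnly are not discarded by the rewrite.
FIXED_COOKIE = (re.compile(r'^(Set-Cookie:.*) Path=[^;]*(.*)', re.I),
                r'\1 Path=/notices\2')


def rewrite(rule, header):
    """Apply one (pattern, replacement) rule to a header line, as rspirep would."""
    pattern, replacement = rule
    return pattern.sub(replacement, header, count=1)


def cookie_attributes(header):
    """Attribute names (lower-cased) after the cookie value, e.g. {'path', 'secure', 'httponly'}."""
    return {part.strip().split('=', 1)[0].lower()
            for part in header.split(';')[1:] if part.strip()}


def lost_attributes(before, after):
    """Cookie attributes present before a rewrite but missing after it."""
    return cookie_attributes(before) - cookie_attributes(after)


# Constructed headers such as the appliance or the backend might send.
SAMPLE_LOCATIONS = [
    'Location: http://172.16.1.10:3210/config/index.html',   # absolute, internal address
    'Location: https://172.16.1.10/login',                   # https variant
    'Location: /login',                                      # relative
    'Location: https://sso.example.net/auth',                # third party: must stay untouched
]
SAMPLE_COOKIE = 'Set-Cookie: SESSID=abc123; Path=/; Secure; HttpOnly'


def compare(rules, headers):
    """Return [(header, posted_result, fixed_result)] for side-by-side review."""
    posted, fixed = rules
    return [(h, rewrite(posted, h), rewrite(fixed, h)) for h in headers]


if __name__ == '__main__':
    for row in compare((POSTED_LOCATION, FIXED_LOCATION), SAMPLE_LOCATIONS):
        print(*row, sep='\n    ')
    print('attributes dropped by the posted cookie rule:',
          lost_attributes(SAMPLE_COOKIE, rewrite(POSTED_COOKIE, SAMPLE_COOKIE)))
```
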
Take action based on json key's value from payload data

@fotag wrote:

We are trying to, temporarily, route traffic to different backends based on a key’s value in the request body; haproxy.conf and the Lua script follow.

The problem is that the payload could not be processed by the json package used. Error message:

Lua sample-fetch 'choose_backend': runtime error: /etc/haproxy/json.lua:185: unexpected character 'P' at line 1 col 1 from [C] global 'error', /etc/haproxy/json.lua:185 upvalue 'decode_error', /etc/haproxy/json.lua:383 upvalue 'parse', /etc/haproxy/json.lua:391 field 'decode', /etc/haproxy/test.lua:4 C function line 2.

We tried to print the payload (with both print() and trx.log()) and to find the exact structure of the value returned by txn.req:dup() in the documentation, but neither could be found anywhere. Any guidance on how to print the payload, or on whether there is any other error?

haproxy.cfg

global
  log /dev/log    local0
  log /dev/log    local1 notice debug
  chroot /var/lib/haproxy
  stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
  stats timeout 30s
  user haproxy
  group haproxy
  daemon
  lua-load /etc/haproxy/test.lua

defaults
  log     global
  mode    http
  option  httplog
  option  dontlognull
  timeout connect 5000
  timeout client  50000
  timeout server  50000

frontend http-in
  bind *:80
  option http-buffer-request
  use_backend %[lua.choose_backend]

backend proxy_1_backend
  option httpchk GET /
  server ser1 1.1.1.1:80 maxconn 45 check

backend proxy_2_backend
  option httpchk GET /
  server ser2 2.2.2.2:80 maxconn 45 check

test.lua

-- load json library from https://github.com/rxi/json.lua
json = loadfile("/etc/haproxy/json.lua")()
core.register_fetches("choose_backend", function(txn)
  -- get request's payload
  local payload = txn.req:dup()
  -- transform json to lua table
  local request_json = json.decode(payload)
  if request_json.test_key == 111 then
    return "proxy_1_backend"
  else
    return "proxy_2_backend"
  end
end)

test requests

# Request should be forwarded to proxy_2_backend
curl -vvv -XPOST -d '{"test_key": 222, "someother_key": 222}' http://localhost
# Request should be forwarded to proxy_1_backend
curl -vvv -XPOST -d '{"test_key": 111, "someother_key": 222}' http://localhost

Posts: 1

Participants: 1

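The "unexpected character 'P' at line 1 col 1" is consistent with the buffer starting at the request line: HAProxy's Lua Channel.dup() is documented as returning the entire buffer, request line and headers included. As an added illustration (editor's Python, not the poster's Lua), this splits such a buffer at the blank line before decoding; the sample requests are constructed from the post's curl commands.

```python
import json

# Constructed sample of what the request buffer holds once "option http-buffer-request" has
# collected the whole request: request line and headers come before the JSON body, which is
# why decoding the buffer as a whole fails on the 'P' of "POST" at line 1 col 1.
RAW_REQUEST_111 = (
    'POST / HTTP/1.1\r\n'
    'Host: localhost\r\n'
    'User-Agent: curl/7.58.0\r\n'
    'Content-Type: application/x-www-form-urlencoded\r\n'
    'Content-Length: 39\r\n'
    '\r\n'
    '{"test_key": 111, "someother_key": 222}'
)
RAW_REQUEST_222 = RAW_REQUEST_111.replace('"test_key": 111', '"test_key": 222')

DEFAULT_BACKEND = 'proxy_2_backend'   # what the post's fetch returns for anything but 111


def split_request(raw):
    """Return (request_line, headers, body) from a raw HTTP/1.1 request buffer."""
    head, sep, body = raw.partition('\r\n\r\n')
    if not sep:
        raise ValueError('incomplete request: end of headers not seen yet')
    lines = head.split('\r\n')
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    # Trust only as many body bytes as Content-Length declares; anything beyond that
    # (a pipelined request, trailing garbage) is not part of this message.
    length = int(headers.get('content-length', '0'))
    return lines[0], headers, body[:length]


def choose_backend(raw):
    """The Lua fetch's decision, applied to the body instead of the whole buffer.
    Any request without a parsable JSON object falls back to the default backend."""
    try:
        _, _, body = split_request(raw)
        payload = json.loads(body)
    except ValueError:            # json.JSONDecodeError is a ValueError subclass
        return DEFAULT_BACKEND
    if isinstance(payload, dict) and payload.get('test_key') == 111:
        return 'proxy_1_backend'
    return DEFAULT_BACKEND


def decode_whole_buffer_fails(raw):
    """Reproduce the post's error: decoding the unsplit buffer stops at offset 0, on 'P'."""
    try:
        json.loads(raw)
    except json.JSONDecodeError as exc:
        return exc.pos == 0 and raw[exc.pos] == 'P'
    return False


if __name__ == '__main__':
    for raw in (RAW_REQUEST_111, RAW_REQUEST_222):
        print(split_request(raw)[0], '->', choose_backend(raw))
    print('whole-buffer decode fails as in the post:', decode_whole_buffer_fails(RAW_REQUEST_111))
```

HAProxy also exposes the buffered body directly as the req.body sample fetch, reachable from Lua as txn.f:req_body(), which avoids the split altogether.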
Globally accessible ACL

@pmanno wrote:

Hi All,

Working on a solution for a maintenance page based upon:

https://gist.github.com/sts/62d8dd59221ab68661aa

This works really well, but I want to have a SINGLE acl apply to multiple listen/frontend blocks. That way, instead of doing a:

echo "add acl #0 0.0.0.0/0" | nc -U <socket>

on every acl instance, I could do it once and have every block see it. Does anyone know if this is possible?

Thanks,
Paul

Posts: 2

Participants: 1

L4CON but ports show open on nmap

@setec1 wrote:

Kinda new to haproxy, and it could well be I am trying to do something that isn’t possible.

End goal is to have RDP round robin with a fixed max connection of 1 user per server, with approx 130 servers available in the pool.

Config is:

global
debug

log         127.0.0.1 local2
log         127.0.0.1 local2 info
log         127.0.0.1 local2 notice
chroot      /var/lib/haproxy
pidfile     /var/run/haproxy.pid
maxconn     2000
user        haproxy
group       haproxy
daemon

# turn on stats unix socket
stats socket /var/run/haproxy.stat

frontend ft_rdp
bind :3389
mode tcp
timeout client 18h
log global
tcp-request inspect-delay 2s
tcp-request content accept if RDP_COOKIE
option tcplog
default_backend bk_rdp

backend bk_rdp
balance roundrobin
option log-health-checks
option tcp-check
log global
timeout server 18h
timeout connect 4s
timeout check 900ms
default-server inter 60s rise 1 fall 3
server clone2 192.168.122.2:3389 maxconn 1
server clone3 192.168.122.3:3389 maxconn 1
server clone4 192.168.122.4:3389 maxconn 1
server clone5 192.168.122.5:3389 maxconn 1
server clone6 192.168.122.6:3389 maxconn 1
server clone7 192.168.122.7:3389 maxconn 1
server clone8 192.168.122.8:3389 maxconn 1
server clone9 192.168.122.9:3389 maxconn 1
server clone10 192.168.122.10:3389 maxconn 1
server clone11 192.168.122.11:3389 maxconn 1
server clone12 192.168.122.12:3389 maxconn 1
server clone13 192.168.122.13:3389 maxconn 1
server clone14 192.168.122.14:3389 maxconn 1
server clone15 192.168.122.15:3389 maxconn 1
server clone16 192.168.122.16:3389 maxconn 1
server clone17 192.168.122.17:3389 maxconn 1

Servers are on KVM NAT.
The full list goes to 131, and I have tried to check on another port other than 3389 (22 or 80 etc.), but that causes intermittent round robin which pauses if not hitting a connection; having it on the same port does give the required effect of giving all connections until it runs out of active ones, but we never seem to get the full active list.

hatop gives 1 DOWN L4CON on affected hosts; rebooting them seems to have little effect, but nmap is showing open ports:

Nmap scan report for 192.168.122.8
Host is up (0.00077s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
3389/tcp open ms-wbt-server

Restarting haproxy/server results in the same host showing the same issue, and the health check never seems to change status to active.

Also note these servers will be recycled on exit of the RDP session, so we expect to see Connection refused when rebuilding servers, but when they are up we expect them to be put in the active queue.

Logs

Logs working as expected:
2018-09-21T08:45:34+01:00 localhost haproxy[31360]: Health check for server bk_rdp/clone21 failed, reason: Layer4 timeout, info: " at initial connection step of tcp-check", check duration: 4000ms, status: 0/1 DOWN.
2018-09-21T08:46:34+01:00 localhost haproxy[31360]: Health check for server bk_rdp/clone21 failed, reason: Layer4 connection problem, info: “Connection refused at initial connection step of tcp-check”, check duration: 0ms, status: 0/1 DOWN.
2018-09-21T08:46:34+01:00 localhost haproxy[31360]: Health check for server bk_rdp/clone21 failed, reason: Layer4 connection problem, info: “Connection refused at initial connection step of tcp-check”, check duration: 0ms, status: 0/1 DOWN.
2018-09-21T08:46:34+01:00 localhost haproxy[31360]: Health check for server bk_rdp/clone21 failed, reason: Layer4 connection problem, info: “Connection refused at initial connection step of tcp-check”, check duration: 0ms, status: 0/1 DOWN.
2018-09-21T08:47:34+01:00 localhost haproxy[31360]: Health check for server bk_rdp/clone21 succeeded, reason: Layer4 check passed, check duration: 0ms, status: 3/3 UP.
2018-09-21T08:47:34+01:00 localhost haproxy[31360]: Health check for server bk_rdp/clone21 succeeded, reason: Layer4 check passed, check duration: 0ms, status: 3/3 UP.
2018-09-21T08:47:34+01:00 localhost haproxy[31360]: Health check for server bk_rdp/clone21 succeeded, reason: Layer4 check passed, check duration: 0ms, status: 3/3 UP.
2018-09-21T08:47:34+01:00 localhost haproxy[31360]: Server bk_rdp/clone21 is UP. 23 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
2018-09-21T08:47:34+01:00 localhost haproxy[31360]: Server bk_rdp/clone21 is UP. 23 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
2018-09-21T08:47:34+01:00 localhost haproxy[31360]: Server bk_rdp/clone21 is UP. 23 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.

Fails but never reconnects on checks:
2018-09-21T08:33:20+01:00 localhost haproxy[31360]: Health check for server bk_rdp/clone22 failed, reason: Layer4 connection problem, info: “Host is unreachable at initial connection step of tcp-check”, check duration: 3027ms, status: 0/1 DOWN.

Posts: 1

Participants: 1

Using HAProxy with SSL termination to add encryption to redis

@MaJo wrote:

Hello all,

I am quite new to HAProxy, and was working on adding encryption to redis-redis communication using HAProxy with SSL termination. Redis does not support encryption. In order to implement setups where trusted parties can access a Redis instance over the internet or other untrusted networks, an additional layer of protection should be implemented, such as an SSL proxy.

My idea to do this with HAProxy is as below:

           TCP                    TCP+TLS                      TCP

Redis-cli------------------> HAProxy1----------------------------->HAProxy2------------------------>Redis2

Is this a feasible approach, using HAProxy to add encryption to redis-redis communication?

I tried using the above and am getting Error: server closed connection:

[root@serverA]# redis-cli
127.0.0.1:6379> auth pass
Error: Server closed the connection

Posts: 1

Participants: 1

HAProxy SSL Termination

@LaFerrari wrote:

I am having a problem getting my .pem certificate working in my HAProxy configuration. I have been given a .pfx GeoTrust wildcard certificate and 2 other certificates titled IntermediateCA.cer, and ssl_certificate.cer.

After converting these to .pem and restarting the haproxy service I get the error:

unable to load SSL private key from PEM file ‘./cert.pem’

I have verified that the .pem certificate is in the /etc/haproxy folder and that in the /etc/haproxy/haproxy.cfg file I have the correct file location to the certificate. The configuration looks like this bind 10.0.0.50:443 ssl crt ./cert.pem

If I open the .pem certificate with nano I can see that it starts with -----BEGIN PRIVATE KEY------ -----END PRIVATE KEY----- and then there are 3 sections that say -----BEGIN CERTIFICATE----- -----END CERTIFICATE-----

My goal for this is to finish setting up SSL Termination on the server so that I can have session load balancing for my VMware Horizon environment. The .pfx certificate works on a horizon connection server if I use haproxy mode tcp but mode http is not working.

Let me know if you need any further information.

Posts: 1

Participants: 1

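An added structural check for a crt bundle (editor's code, not from the post or from HAProxy): it validates PEM boundaries and base64 bodies, expects exactly one unencrypted key next to the certificates, and reproduces the six-dash boundary quoted above, whether that is in the file or only in the post; the sample bundles are constructed placeholders.

```python
import base64
import binascii
import re

# A PEM boundary is exactly five dashes, BEGIN or END, a label, and five dashes.
BOUNDARY_RE = re.compile(r'^-----(BEGIN|END) ([A-Z0-9 ]+)-----$')


def check_pem_bundle(text):
    """Structural check of a HAProxy 'crt' bundle (key plus certificate chain in one file).
    Returns (blocks, findings): blocks is [(label, decoded_length)], findings a list of problems.
    OpenSSL treats the first CERTIFICATE block as the server certificate; whether the key
    matches it is not checked here, since that needs a crypto library."""
    blocks, findings = [], []
    current = None          # (label, body_lines, begin_lineno) while inside a block
    encrypted = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith('-----'):
            m = BOUNDARY_RE.match(line)
            if not m:
                findings.append('line %d: malformed boundary %r (five dashes on each side expected)'
                                % (lineno, line))
                continue
            kind, label = m.groups()
            if kind == 'BEGIN':
                if current:
                    findings.append('line %d: BEGIN %s inside unclosed %s block'
                                    % (lineno, label, current[0]))
                current = (label, [], lineno)
            elif not current or current[0] != label:
                findings.append('line %d: END %s without a matching BEGIN' % (lineno, label))
                current = None
            else:
                try:
                    der = base64.b64decode(''.join(current[1]), validate=True)
                    blocks.append((label, len(der)))
                except binascii.Error:
                    findings.append('block %s at line %d: body is not valid base64'
                                    % (label, current[2]))
                current = None
        elif current:
            if ':' in line:     # PEM header inside a block, e.g. "Proc-Type: 4,ENCRYPTED"
                encrypted = encrypted or 'ENCRYPTED' in line
            else:
                current[1].append(line)
        # Text outside blocks ("Bag Attributes" from openssl pkcs12, comments) is skipped by
        # OpenSSL's PEM reader, so it is skipped here as well.
    if current:
        findings.append('BEGIN %s at line %d is never closed' % (current[0], current[2]))

    labels = [label for label, _ in blocks]
    keys = [label for label in labels if label.endswith('PRIVATE KEY')]
    if not keys:
        findings.append('no private key block: HAProxy expects the key in the same crt file')
    elif len(keys) > 1:
        findings.append('%d private key blocks; keep exactly one' % len(keys))
    if encrypted or any(label.startswith('ENCRYPTED') for label in keys):
        findings.append('private key is passphrase-protected; convert it to an unencrypted key')
    if 'CERTIFICATE' not in labels:
        findings.append('no certificate block; the server certificate must come first')
    return blocks, findings


# Constructed samples: placeholder bytes, not real key or certificate material.
FAKE_BYTES = b'constructed placeholder, not real key or certificate bytes'
FAKE_BODY = base64.encodebytes(FAKE_BYTES).decode()
GOOD_BUNDLE = (
    '-----BEGIN PRIVATE KEY-----\n' + FAKE_BODY + '-----END PRIVATE KEY-----\n'
    'Bag Attributes\n    localKeyID: 01\n'
    '-----BEGIN CERTIFICATE-----\n' + FAKE_BODY + '-----END CERTIFICATE-----\n'
)
# The post quotes a key boundary that ends in six dashes; reproduce exactly that defect.
SIX_DASH_BUNDLE = GOOD_BUNDLE.replace('-----BEGIN PRIVATE KEY-----',
                                      '-----BEGIN PRIVATE KEY------')

if __name__ == '__main__':
    for name, bundle in (('good', GOOD_BUNDLE), ('six-dash', SIX_DASH_BUNDLE)):
        print(name, *check_pem_bundle(bundle))
```
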
Lastchk showing high values

@rtan wrote:

Hi,

Facing some slow responses on one of the applications.

The Lastchk value on the status page is showing up to 2000ms at times, and in a similar setup on another haproxy the Lastchk is ‘0’ (zero).

The haproxy configuration is exactly the same (except servers and VLAN).

It may be a network issue or very high load.
How is the haproxy check performed? (The ping values from haproxy to server are fine.)

Thanks!

Posts: 2

Participants: 2

Migrating from httpd reverse proxy to haproxy

@alexseys wrote:

Hi,
Wondering if anyone has migrated from httpd reverse proxy to haproxy, and could share ways that can be done, besides retyping the config file manually.

Also, is anyone managing haproxy config via Puppet, and how do you deal with long config files?

Thank you

Posts: 1

Participants: 1

DNS Resolver: trying to understand interaction between `timeout` and `hold`

@irving wrote:

I’m trying to use the DNS SRV resolver feature with a local Consul agent and haproxy 1.8.14. I have a basic configuration working, but I’d like to get a specific behaviour when Consul is down, and I’m not sure what the right timeout and hold settings are.

The behaviour I want is:

When the local Consul agent is working (DNS SRV queries return VALID answers), re-do the SRV query and update my server-template configuration every 2 seconds.

When the local Consul agent is unavailable, leading to REFUSED or TIMEOUT (or maybe OTHER) errors:

  • continue retrying the SRV request every 2 seconds, forever (until the queries start succeeding again)
  • keep using the last valid response until queries start succeeding again, with no timeout

Here’s what I have so far, using very large retries and timeouts to simulate “forever”. I’ve done some testing and it seems to work (WEB-APP stayed available when the local consul agent was down for several minutes) but I’d love to get some feedback from someone who understands these settings better.

resolvers consul
    nameserver consul 127.0.0.1:53
    accepted_payload_size 8192
    timeout resolve 2s
    timeout retry   2s
    resolve_retries 100000
    hold other    50000s
    hold refused  50000s
    hold timeout  50000s
    hold nx       5s
    hold valid    5s
    hold obsolete 5s

listen WEB-APP
    bind 127.0.0.1:50002
    mode http
    ...
    server-template web-app 50 _web-app._tcp.service.consul resolvers consul resolve-prefer ipv4 check inter 2s

Posts: 1

Participants: 1

Bind 443 to multiple backends based on dummy paths

@dinosauriecito wrote:

Hi! I am new to the forum, and after learning and searching a lot in Google I come up here because I wasn’t able to achieve the challenge I am going to explain. Before I start: I started to use Haproxy a few months ago, and even though I read a lot about proxy pass, forward and redirect, I think I still don’t understand them enough, so I will explain with a diagram I made for the case and my words:

So the thing is I want to connect to several services at my home (cameras, nextcloud and others) through only port 443 by differentiating them through dummy paths (by dummy paths I mean non-existing paths).

The reason for this is that a lot of outside internet connections have strong firewalls and port 443 is the only port I can use to connect to my home network. I have OpenVPN but I can’t ask everyone to use my VPN to connect to a service.

So after some work, I came up with something that seems to be on the way but still lacks something:

frontend rules_443_ssl2
bind *:443 ssl crt my_cert.pem
mode tcp
tcp-request inspect-delay 3s
tcp-request content accept if { req.ssl_hello_type 1 }

use_backend cam1 if { url_beg /cam1 }
use_backend cam2 if { url_beg /cam2 }
use_backend nextcloud if { url_beg /nextcloud }
default_backend tcp_ovpn

backend cam1
mode http
option forwardfor
option http-server-close
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
http-request set-path %[path,regsub(^/cam1/?,/)] if { path /cam3 } or { path_beg /cam1/ }
server ipcam 192.168.0.147:8081 check fall 3 rise 2 maxconn 50

backend cam2
(similar to 1)

backend nextcloud
mode http
http-request set-path %[path,regsub(^/nextcloud/?,/)] if { url_beg /nextcloud } or { path_beg /nextcloud }
#reqrep ^([^\ ]\ /)nextcloud[/]?(.) \1\ \2
server nextcloud 127.0.0.1:8084 ssl verify none

backend tcp_ovpn
mode tcp
option ssl-hello-chk
server ovpn 127.0.0.1:1194 maxconn 50

So when I test it this is what happens:

  1. From my computer’s web browser I type: https://home_IP/cam1
  2. I get: https://home_IP/main.htm

When I look at the haproxy log I can see that 1) hits the correct backend (camera 1), but when the backend camera redirects me to its login page it doesn’t add the “cam1/login.htm” dummy path and instead sends me directly to “login.htm”, and thus I end up in the OpenVPN backend, which is the default.

So if I type https://home_IP/cam1/main.htm I reach the camera login, but if I log in I still get this error.

Thanks in advance!

Posts: 1

Participants: 1

VMware Horizon Internal Connection/Replication Server Failover

@LaFerrari wrote:

Hello,

I am currently working on making our internal VMware Horizon setup more redundant with the use of HAProxy, Keepalived, and 2 internal connection servers. I am currently able to connect to my Horizon VDI with the web browser and use the machine. The issue is that when I disconnect the network card from the connection server I am connected to, I am unable to immediately reconnect to my VDI. I get 2 errors: that I have been disconnected and that I am unable to reconnect. The solution is to refresh and then sign back in. Ideally I would be able to take down a server and have clients automatically connect to the backup server, not have to sign in again, and not even notice downtime. Here is the configuration of HAProxy, logs of me disconnecting the network interface of INTCONNECT2 and connecting to the backup INTCONNECT1, and what I see in the web browser. Is there a way to make the failover seamless?

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------

global
tune.ssl.default-dh-param 2048
log 10.10.200.22 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
stats socket /var/lib/haproxy/stats

#---------------------------------------------------------------------

common defaults that all the ‘listen’ and ‘backend’ sections will

use if not designated in their block

#---------------------------------------------------------------------
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
stats enable
stats uri /stats
stats realm Haproxy\ Statistics
stats auth Administrator:Pe@cekeeper

#---------------------------------------------------------------------

Redirect to secured

#---------------------------------------------------------------------
frontend unsecured
bind 10.50.0.60:80
reqadd X-Forwarded-Proto:\ http
redirect location https://horizonvdi.example.com

#---------------------------------------------------------------------

frontend secured

#---------------------------------------------------------------------
frontend secured
bind 10.50.0.60:443 ssl crt /etc/haproxy/markbrilman.pem
mode http
reqadd X-Forwarded-Proto:\ https
default_backend view

#blast
frontend inbound-blast
mode http
bind 10.50.0.60:8443 ssl crt /etc/haproxy/markbrilman.pem
reqadd X-Forwarded-Proto:\ https
default_backend view_blast

#pcoip
frontend inbound-pcoip
mode http
bind 10.50.0.60:4172 ssl crt /etc/haproxy/markbrilman.pem
reqadd X-Forwarded-Proto:\ https
default_backend view_pcoip

#---------------------------------------------------------------------

balancing between the various backends

#---------------------------------------------------------------------
backend view
mode http
balance source
stick on src
stick-table type ip size 10240k expire 30m
cookie SERVERID insert indirect nocache
server INTCONNECT1 10.50.0.63:443 cookie INTCONNECT1 id 1 weight 1 check ssl verify none check port 443 inter 2000 rise 2 fall 5
server INTCONNECT2 10.50.0.64:443 cookie INTCONNECT2 id 2 weight 1 check ssl verify none check port 443 inter 2000 rise 2 fall 5

backend view_blast
mode http
balance source
stick-table type ip size 10240k expire 30m
stick on src
cookie SERVERID insert nocache indirect
server INTCONNECT1 10.50.0.63:8443 cookie INTCONNECT1 id 1 weight 1 check ssl verify none check port 8443 inter 2000 rise 2 fall 5
server INTCONNECT2 10.50.0.64:8443 cookie INTCONNECT2 id 2 weight 1 check ssl verify none check port 8443 inter 2000 rise 2 fall 5

backend view_pcoip
mode http
balance source
stick on src
stick-table type ip size 10240k expire 30m
cookie SERVERID insert nocache indirect
server INTCONNECT1 10.50.0.63:4172 cookie INTCONNECT1 id 1 weight 1 check ssl verify none check port 4172 inter 2000 rise 2 fall 5
server INTCONNECT2 10.50.0.64:4172 cookie INTCONNECT2 id 2 weight 1 check ssl verify none check port 4172 inter 2000 rise 2 fall 5

Logs:

https://pastebin.com/FijCyzTc

Posts: 1

Participants: 1

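Added example, written for this digest and not the poster's config or anything from VMware: the same layout with the changes a reviewer would ask for. The stats page moves to its own listener instead of being enabled in defaults, where it is reachable with the clear-text credentials on every HTTP frontend that inherits them; the port-80 redirect keeps host and path; the backend verifies the connection servers' certificates instead of "verify none", persists on the cookie alone, and runs a layer-7 check. The management port, CA bundle path and check URL are assumptions. Only the 443 backend is shown; the 8443 and 4172 backends follow the same pattern.

```haproxy
listen stats
    bind 10.50.0.60:9000                       # assumed management port
    mode http
    stats enable
    stats hide-version
    stats uri /stats
    stats auth Administrator:replace-this-password

frontend unsecured
    bind 10.50.0.60:80
    mode http
    # keep the requested host and path instead of dropping everyone at the site root
    redirect scheme https code 301

frontend secured
    bind 10.50.0.60:443 ssl crt /etc/haproxy/markbrilman.pem
    mode http
    http-request set-header X-Forwarded-Proto https
    default_backend view

backend view
    mode http
    balance roundrobin
    # cookie persistence only: "stick on src" would pin every client behind one
    # NAT address to the same server and hide the second server from all of them
    cookie SERVERID insert indirect nocache
    # layer-7 check; "/" and accepting any 2xx/3xx are assumptions, use the
    # monitoring URL documented for your Horizon release
    option httpchk GET / HTTP/1.1\r\nHost:\ horizonvdi.example.com
    http-check expect rstatus ^[23][0-9][0-9]
    # verify the connection servers' certificates (assumed CA bundle path);
    # fall 3 at inter 2000 marks a dead server after roughly six seconds
    default-server ssl verify required ca-file /etc/haproxy/horizon-ca.pem inter 2000 rise 2 fall 3
    server INTCONNECT1 10.50.0.63:443 cookie INTCONNECT1 check
    server INTCONNECT2 10.50.0.64:443 cookie INTCONNECT2 check
```

Until the check fails, new connections can still be sent to the server whose NIC was pulled. HAProxy only ever redirects new connections: an established Blast or web session to INTCONNECT2 ends when that server disappears, and whether the client can re-attach to INTCONNECT1 without signing in again depends on the two connection servers sharing that session state, which no load balancer setting can provide.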


Set SNI Haproxy Passthrough


@sarath wrote:

Hi Team,

We are trying to figure out a solution for old applications and clients that connect to our endpoint. Some of these old clients do not set SNI during the initial handshake, due to which a default SSL certificate is shown back to those old clients.

I am trying to find a solution where an haproxy sitting between the client and our endpoint can add the SNI field to the requests before it forwards them to the backend (SSL passthrough, but adding SNI before sending the request to the backend; the SNI should be equal to the Host header of the request).

something like the below…

backend lb
    mode tcp
    tcp-request inspect-delay 5s
    server alb backend.example.com:443 ssl sni req.hdr(host)

frontend https
    bind *:443
    mode tcp
    tcp-request inspect-delay 5s
    use_backend lb

So the flow will be something like the below…

  1. Client’s request without SNI hits haproxy…
  2. Haproxy adds SNI header, which is equal to HOST header in the HTTP, and forwards it to backend.

SSL certificate selection based on SNI will happen on the backend. Haproxy just needs to set SNI to the Host header value and pass it to the backend. Kindly let me know.

Many Thanks
Sarath

Posts: 1

Participants: 1

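Added example, not from the post: HAProxy cannot insert SNI into a ClientHello it merely passes through, because the client has already built and encrypted nothing of that record yet but owns it; the proxy would have to rewrite the handshake the client is in the middle of. In TCP mode it also never sees the Host header, which only exists inside the TLS stream. What does work is terminating TLS at HAProxy, reading Host, and opening a new TLS session to the origin that carries Host as SNI. Certificate path, CA bundle path and the Host validation rule are assumptions.

```haproxy
frontend https
    mode http
    # terminate here; the Host header is only visible once TLS is decrypted
    bind *:443 ssl crt /etc/haproxy/site.pem      # assumed server certificate
    # refuse anything whose Host cannot be a hostname: it is about to become
    # the SNI value sent to the origin, so do not forward junk or an empty value
    http-request deny unless { req.hdr(host),field(1,:),lower -m reg ^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$ }
    default_backend lb

backend lb
    mode http
    # new TLS session to the origin; SNI = Host without any :port suffix,
    # and the origin certificate is checked against the CA bundle
    server alb backend.example.com:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni req.hdr(host),field(1,:)
```

The certificate on the bind line must cover every name the old clients use, since without SNI they are served the first (here the only) certificate. If you want the origin's name check pinned to a fixed value rather than whatever SNI was sent, look at the server's verifyhost option for your version.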

Haproxy 1.7.11 intermittently closes connection on POST requests


@entea wrote:

Hello community,
I’m seeing a very small number (0.0025%, ~20-30 req out of 800-1000K daily) of POST requests just being shut down without any response from haproxy:

  • The HTTP client has a pool of persistent connections (apache http client 4.5.5)
  • HTTP Client is able to send the whole POST request to haproxy
  • When HTTP client tries to read the response, haproxy seems just to shut down the connection (this results in an org.apache.http.NoHttpResponseException).
  • While checking the access logs of backends I can see, that the failed requests never hit the backends.

I wonder what the possible hiccup could be here. Initially I thought that configuring haproxy with a smaller timeout http-keep-alive would help to avoid a possible (imaginary) race condition, where the backend closes the connection right when haproxy starts forwarding to it, but it seems that didn't help.

Setup:

  • 2 backends running Apache Tomcat 8.0.33, (connectionTimeout = 20 sec, keepAliveTimeout = 20 sec)

The config:

backend somebackend
		description http:8080
		balance roundrobin
		option httpchk GET /status
		http-check expect status 200
		default-server inter 250 fall 3 weight 100
		timeout server 66000
		timeout http-keep-alive 15s
		server service1 {address1} check
		server service2 {address2} check

defaults
		log     global
		mode    http
		option  httplog
		option  dontlognull
		option  dontlog-normal
		timeout connect 5000
		timeout client  50000
		timeout server  50000
		timeout client-fin 600s
		timeout tunnel  1h

frontend main
		bind *:8080-8081
		option forwardfor
		maxconn 6000
		use_backend somebackend if { hdr_beg(host) -i old-name.local }
		use_backend somebackend if { hdr_beg(host) -i current-name.local }
		use_backend somebackend if { hdr_beg(host) -i a-very-old-name.local }

Posts: 1

Participants: 1

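Added example, not the poster's config: the backend above with the server side switched to close-after-response. In keep-alive mode the server connection stays open between requests, so a request can be written onto a connection Tomcat is closing at the same moment (its keepAliveTimeout is 20 s); HAProxy 1.7 only retries while connecting, never after the request bytes were sent, so the client gets no response and the backend access log never sees the request. timeout http-keep-alive does not change this, it bounds the client-side idle time between requests. Addresses are placeholders, as in the post.

```haproxy
backend somebackend
    description http:8080
    balance roundrobin
    option httpchk GET /status
    http-check expect status 200
    # close the server connection after each response: every request is then
    # sent on a freshly opened connection that Tomcat's idle timer cannot have
    # closed, while the client side keeps its keep-alive pool
    option http-server-close
    # a failed connect (not an already sent request) may be retried on the other server
    option redispatch
    retries 3
    default-server inter 250 fall 3 weight 100
    timeout server 66s
    server service1 192.0.2.11:8080 check     # placeholder addresses
    server service2 192.0.2.12:8080 check
```

This costs one TCP handshake per request. If that is unacceptable, keep keep-alive and raise Tomcat's keepAliveTimeout well above the longest gap between requests on a connection; that narrows the window but does not close it.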

Wildcard certificate and multiple Subject Alternative Name certificate together


@moscardo wrote:

Hi,
I have a wildcard cert working together with a certificate for a single hostname, but when I replace this last certificate with one that has several Subject Alternative Names I have problems when accessing the website: it only serves the wildcard but not the multi-SAN one. Is there any incompatibility with this?

line is:

bind 10.11.6.60:443 ssl crt /etc/haproxy/wildcard.pem crt /etc/haproxy/multi-haproxy.bundle.pem

Thanks.

Posts: 1

Participants: 1

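Added example, not from the post, of the rules HAProxy applies when several certificates share one bind line, written as a crt-list so each bundle's names are explicit: the first certificate is what clients that send no SNI receive, an exact SAN or CN match beats a wildcard, and a wildcard covers one label only. The list path and the names in it are assumptions; each bundle must contain the certificate, its private key and the intermediate chain, otherwise HAProxy refuses to load it.

```haproxy
frontend https
    mode http
    # first entry in the list doubles as the default for clients without SNI
    bind 10.11.6.60:443 ssl crt-list /etc/haproxy/certs.list
    default_backend web

backend web
    mode http
    server web1 10.11.6.70:80                 # assumed origin

# /etc/haproxy/certs.list (assumed path): one bundle per line, optionally followed
# by the names it may be served for; when names are given they replace the
# names embedded in the certificate for matching purposes.
#
#   /etc/haproxy/wildcard.pem              *.example.com
#   /etc/haproxy/multi-haproxy.bundle.pem  app.example.com api.example.com
#
# app.example.com is an exact entry, so the multi-SAN bundle is chosen for it
# even though *.example.com would match as well.
```

To see which certificate a name actually gets, run openssl s_client -servername app.example.com -connect 10.11.6.60:443 and read the subject and subjectAltName of the certificate returned; repeat without -servername to see the no-SNI default.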

HAProxy dual config for contingency


@etenburn wrote:

On DDC_HA_PROXY_SERVER I want to have ddcnode1 and ddcnode2 in a round robin while having ftwnode1 as a backup. ONLY if ddcnode1 and ddcnode2 are down should traffic be forwarded to ftwnode1.

On FTW_HA_PROXY_SERVER I want ftwnode1 to be the primary, with traffic forwarded to ddcnode1 and ddcnode2 (round robin) ONLY if ftwnode1 goes down.

DDC_HA_PROXY_SERVER

listen stats
    bind :9999
    stats enable
    stats hide-version
    stats uri /stats
    stats auth admin:admin

frontend webserver
    bind :80
    default_backend appserver

backend appserver
    balance uri
    hash-type consistent
    server ddcnode1 172.16.5.30:80 check observe layer7 maxconn 5000 id 1 weight 75
    server ddcnode2 172.16.5.31:80 check observe layer7 maxconn 5000 id 2 weight 75
    server ftwnode1 10.2.3.200:80 check observe layer7 maxconn 5000 id 3 weight 25

________________________________________________________________________________

FTW_HA_PROXY_SERVER

listen stats
    bind :9999
    stats enable
    stats hide-version
    stats uri /stats
    stats auth admin:admin

frontend webserver
    bind :80
    default_backend appserver

backend appserver
    balance uri
    hash-type consistent
    server ftwnode1 10.2.3.200:80 check observe layer7 maxconn 5000 id 3 weight 100
    server ddcnode1 172.16.5.30:80 check observe layer7 maxconn 5000 id 1 weight 25
    server ddcnode2 172.16.5.31:80 check observe layer7 maxconn 5000 id 2 weight 25

Posts: 1

Participants: 1

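Added example, not the poster's config: the ordering asked for is exactly what the backup server flag does, so no weight arithmetic is needed. A backup server receives traffic only while no non-backup server is up; on the FTW side option allbackups is needed so both ddc nodes share the load when ftwnode1 is down, otherwise only the first usable backup is used. The two backends belong to two separate haproxy.cfg files, as in the post; the frontend is unchanged and omitted, and the stats listener is bound to a management address that is an assumption.

```haproxy
# ---- DDC_HA_PROXY_SERVER: haproxy.cfg ----
listen stats
    bind 10.0.0.5:9999                          # assumed management address, not every interface
    mode http
    stats enable
    stats hide-version
    stats uri /stats
    stats auth admin:replace-this-password      # admin:admin is the first guess anyone will try

backend appserver
    balance uri
    hash-type consistent
    server ddcnode1 172.16.5.30:80 check observe layer7 maxconn 5000 id 1 weight 75
    server ddcnode2 172.16.5.31:80 check observe layer7 maxconn 5000 id 2 weight 75
    # idle until both ddc nodes are down; weight is irrelevant for a lone backup
    server ftwnode1 10.2.3.200:80 check observe layer7 maxconn 5000 id 3 backup

# ---- FTW_HA_PROXY_SERVER: haproxy.cfg ----
backend appserver
    balance uri
    hash-type consistent
    # spread load over all usable backups instead of only the first one
    option allbackups
    server ftwnode1 10.2.3.200:80 check observe layer7 maxconn 5000 id 3 weight 100
    server ddcnode1 172.16.5.30:80 check observe layer7 maxconn 5000 id 1 weight 25 backup
    server ddcnode2 172.16.5.31:80 check observe layer7 maxconn 5000 id 2 weight 25 backup
```

Note that balance uri hashes each request's URI to a server rather than rotating through them; if the round robin named in the post is really what is wanted, use balance roundrobin and drop hash-type.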

V1.8 TCP vs HTTP Mode / Production Area


@Harery wrote:

Hello Dears,

I would like to hear the opinions of members and experts.
I am currently studying the technical use of HAProxy for a real estate project through a website, depending on free/open source software.

The number of clients expected during the day (24 hrs.) is 50,000 customers. They will register data, navigate and browse some pictures and PDF files, subscribe to postal services and finally upload a number of files and images; the maximum size per file is 3 MB and each user can upload up to 5 attachment files.
This means each client will upload 5 files * 3 MB = 15 MB of attachment files.
*Expected: 90% of customers enter within 5 minutes to start the process of registration.
My architecture plan:
• CentOS 7 OS for the whole project
• Keepalived service to handle the high availability for 2x HAProxy
• 4x front-end nodes, each serving NGINX as web server and WildFly for the application
• Keepalived service to handle the high availability for the backend database
• MySQL high availability, OR using a Galera cluster from Percona or MariaDB

Now I have some questions and need help:
1- Is the architecture sufficient?
2- I'll use SSL; what is the best mode for HAProxy according to the above numbers, TCP or HTTP (terminating SSL)?
3- I've never used a Galera cluster before; is it better, or should I go with the classical mode of 2x MySQL nodes active/passive?

Waiting for your participation and interested in any change from your point of view

Posts: 1

Participants: 1

