Channel: HAProxy community - Latest topics
Viewing all 4759 articles

HAProxy Question


@paraffin wrote:

Hi

We are looking to load balance 3 x IIS web servers over HTTPS using HAProxy and need session persistence (sticky sessions); most users will come from a single external IP as they are office-based.

From my reading so far it seems that this is possible, but there are not many pfSense-based guides out there.

The solution I have come to in my head is as follows:

SSL offload at the pfSense/HAProxy
Route HTTP traffic internally
Use cookie-based session persistence

Does this sound anywhere near what we need to do in order to achieve our desired outcome?

Does anyone have a similar setup that they could screenshot so I can understand the setup better?

Cheers

Posts: 1

Participants: 1

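
The setup described above, written out as an added configuration example (not from the thread, and not a pfSense-generated config): TLS terminated on HAProxy, plain HTTP to the IIS pool, and persistence by an HAProxy-inserted cookie. Addresses, the certificate path and server names are assumptions. Note that "balance source" would defeat the purpose here, since every office user shares one external IP and would hash to the same server.

```haproxy
# Added example: TLS offload + cookie persistence for three IIS servers.
# Paths, addresses and names are assumptions, not the poster's values.
global
    # Process-wide TLS defaults applied to every "bind ... ssl" line.
    ssl-default-bind-options no-sslv3 no-tlsv10
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!aNULL:!eNULL:!MD5:!RC4
    tune.ssl.default-dh-param 2048

frontend fe_iis
    mode http
    bind :80
    bind :443 ssl crt /var/etc/haproxy/site.pem
    # Plain HTTP only ever receives a redirect to TLS.
    redirect scheme https code 301 if !{ ssl_fc }
    # After offload IIS sees http://; tell it the original scheme and client.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    option forwardfor
    default_backend be_iis

backend be_iis
    mode http
    # Round-robin, NOT "balance source": the whole office is one source IP.
    balance roundrobin
    option httpchk HEAD / HTTP/1.1\r\nHost:\ www.example.com
    # insert   : HAProxy adds its own cookie instead of rewriting an app one
    # indirect : the cookie is stripped before the request reaches IIS
    # nocache  : marks the Set-Cookie response as non-cacheable
    # secure   : browser only returns it over TLS
    # httponly : invisible to page scripts
    cookie SRVID insert indirect nocache secure httponly
    server iis1 192.168.10.11:80 check cookie s1
    server iis2 192.168.10.12:80 check cookie s2
    server iis3 192.168.10.13:80 check cookie s3
```

The SRVID value only names a server; it carries no authority, so it does not need to be secret, but "secure" and "httponly" stop it leaking over plain HTTP or into scripts. Persistence is not failover: if a server is drained, users pinned to it still lose any IIS session state that lives only on that box.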


Dynamic backend server port from request


@mwp wrote:

Hi folks, I'm trying to come up with a scheme by which the backend server port is selected based on some parameters of the request. For example, some requests might go to backend foo, server port M, while others might go to backend foo, server port N. Rather than have backends foo_M and foo_N, I'd like it to be dynamic.

The backend selection works fine, but when I try to define the server with the dynamic port, I get a syntax error. I've tried numerous ways of interpolating the string in the server line, most of which I'm embarrassed to even show because they are obviously not right. Here's an example of what I'm trying to do (HAProxy 1.6+):

backend foo
  server foo1 127.0.0.1:%[var(txn.service_port)]

Is there a proper way to accomplish this? Is it just not possible to have a dynamic port due to some internal operational characteristics of HAProxy?

Failing that, I'm aware that HAProxy will use the original dst_port as the server port if it is omitted. Is there some way to override the value of dst_port before calling use_backend?

I have an idea on how to make this work using a dummy bind address and HTTP redirects, but that is undesirable for obvious reasons. Thank you in advance for any insight you can offer into better options.

Posts: 1

Participants: 1

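
A way to get the effect without a variable in the server line, as an added example (not from the thread). A "server" line is parsed once at start-up, so %[var(...)] can never appear in it. From HAProxy 1.7, "http-request set-dst-port" rewrites the destination port of the request, and a server declared without a port connects to whatever the destination port is at that moment. The map file, tenant names and ports below are assumptions.

```haproxy
# Added example: per-request backend port via set-dst-port (HAProxy 1.7+).
# Map path, names and ports are assumptions.
frontend fe_api
    mode http
    bind :8080
    # /etc/haproxy/service_ports.map (constructed):
    #     billing   8081
    #     reports   8082
    # The client never supplies a port number; only names present in the
    # map yield one, so the frontend cannot be turned into a port scanner.
    http-request set-var(txn.service_port) path,field(2,/),map_str_int(/etc/haproxy/service_ports.map)
    http-request deny unless { var(txn.service_port) -m found }
    http-request set-dst-port var(txn.service_port)
    default_backend foo

backend foo
    mode http
    # No port on the server: HAProxy connects to the rewritten destination
    # port. Health checks need a fixed port, hence "port 8081".
    server foo1 127.0.0.1 check port 8081
```

On 1.6 the only option is one backend per port, which is also the safer layout when the set of ports is small and static: every reachable port is then visible in the configuration rather than in a map.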

SSL client CA chain cannot be verified (when including CRL)


@jseparovic wrote:

Hi,
We recently introduced a subordinate CA into our haproxy setup (previously we were using a self-signed CA to sign the haproxy and client certs).

For some reason we are seeing "SSL client CA chain cannot be verified" in the haproxy logs when testing with s_client.

On the client side we see:
140691807639456:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1259:SSL alert number 48
140691807639456:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:

I'm stuck on this issue as the CA chains are identical. They contain both the SubCA and the RootCA. The haproxy and client certs are both signed by the SubCA.

[root@proxy ~]# openssl s_client -host proxy -port 11443 -cert cert.pem -key key.pem -CAfile cacert.pem
CONNECTED(00000003)
depth=2 CN = AdminCA, O = ACME, C = US
verify return:1
depth=1 CN = ACMESubCA
verify return:1
depth=0 CN = proxy, O = ACME
verify return:1
140691807639456:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1259:SSL alert number 48
140691807639456:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
Certificate chain
 0 s:/CN=proxy/O=ACME
   i:/CN=ACMESubCA
 1 s:/CN=ACMESubCA
   i:/CN=AdminCA/O=ACME/C=US
 2 s:/CN=AdminCA/O=ACME/C=US
   i:/CN=AdminCA/O=ACME/C=US
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=proxy/O=ACME
issuer=/CN=ACMESubCA
---
Acceptable client certificate CA names
/CN=ACMESubCA
/CN=AdminCA/O=ACME/C=US
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 4134 bytes and written 3962 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
    Session-ID-ctx:
    Master-Key: A4F5F91B50337BCB74BB7E67AB880B84DF242C6F84FDCBEDBD58746CC40FCB5D5109152D060FC9FCC9331F999611E834
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1473180218
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---


The proxy cert verifies OK against the chain:
[root@proxy ~]# openssl verify -CAfile proxy-CA.pem proxyCert.pem
proxyCert.pem: OK

The client cert verifies OK against the chain:
[root@proxy ~]# openssl verify -CAfile proxy-CA.pem cert.pem
/root/cert.pem: OK

This is only an issue when the CRL from the SubCA is specified.

[root@proxy ~]# openssl crl -in crl.pem -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /CN=ACMESubCA
        Last Update: Sep  6 00:03:25 2016 GMT
        Next Update: Sep  6 00:03:25 2017 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:F6:23:57:B2:F0:B5:77:2A:B3:B2:EC:AA:A6:11:E5:97:C0:52:03:AA

            X509v3 CRL Number:
                19
Revoked Certificates:
    Serial Number: 308D55C0EC639B8D
        Revocation Date: Sep  2 20:19:54 2016 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Privilege Withdrawn

Any help would be much appreciated

Cheers,

Jason

Posts: 2

Participants: 1

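
What HAProxy actually checks when a crl-file is given, as an added example (not from the thread; file names are assumptions). HAProxy enables OpenSSL's CRL_CHECK_ALL flag on the client-cert store, so a CRL is required for every issuer in the chain, not just for the CA that signs client certificates. A crl-file holding only the ACMESubCA CRL leaves the AdminCA-issued SubCA certificate without one, and OpenSSL reports that as error 3, "unable to get certificate CRL", at depth 1. HAProxy logs any error above depth 0 with the generic "SSL client CA chain cannot be verified" message, which is why the leaf and the chain both look fine on their own.

```haproxy
# Added example: client-cert verification with a CRL for EVERY CA in the chain.
# File names are assumptions.
frontend fe_mtls
    mode http
    # ca-chain.pem : ACMESubCA cert + AdminCA (root) cert
    # crls.pem     : CRL issued by ACMESubCA  +  CRL issued by AdminCA,
    #                concatenated in PEM. HAProxy sets CRL_CHECK_ALL, so the
    #                root's CRL is looked up for the SubCA certificate too.
    bind :11443 ssl crt /etc/haproxy/proxy.pem ca-file /etc/haproxy/ca-chain.pem crl-file /etc/haproxy/crls.pem verify required
    # Log the numeric verify codes instead of the generic message:
    #   ca_err  = first error at depth > 0 (3 = unable to get certificate CRL)
    #   crt_err = error on the client certificate itself (depth 0)
    log-format "%ci:%cp [%t] %ft ca_err=%[ssl_c_ca_err] crt_err=%[ssl_c_err] %r"
    default_backend be_app

backend be_app
    mode http
    server app1 10.0.0.10:8080 check
```

The same check can be reproduced outside HAProxy with the chain and CRLs from the post: openssl verify -crl_check_all -CAfile cacert.pem -CRLfile crl.pem cert.pem fails with "unable to get certificate CRL" until the AdminCA CRL is appended to the CRL file. Two caveats: do not silence this with "ca-ignore-err all", which turns revocation checking off for the whole chain, and reload HAProxy whenever the CRL file is regenerated, because these releases read it only at start-up and a CRL past its Next Update also fails verification.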

IP routing with haproxy tcp for ftp


@ebourgui wrote:

Hi guys,

My configuration:

server1
HAProxy 1.5.14 - CentOS 7
public IP eth0: 1.2.3.4
public IP eth0:0: 5.6.7.8 (OVH failover IP, which can point to another HAProxy server when a failover occurs)
||
server3
vsftpd 3.0.2 - CentOS 7
public IP eth0: 9.10.11.12

Only public addresses. server1 and server3 have backups in a Pacemaker cluster (active/passive): server2 (HAProxy backup) and server4 (FTP backup).

When I connect in passive mode to server3: no problem.
When I connect in passive mode to server1 (on 5.6.7.8):

ftp *****.com
Connected to *****.com (5.6.7.8).
220 Welcome to FTP service.
Name (******.com:root): toto
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (9,10,11,12,198,124).
ftp: connect: Connection timed out

I took a look at /var/log/messages on the client and saw:
Sep 8 12:26:47 ***** kernel: [11686946.541337] Firewall: *TCP_OUT Blocked* IN= OUT=eth2 SRC=******* DST=9.10.11.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=45793 DF PROTO=TCP SPT=52258 DPT=50812 WINDOW=29200 RES=0x00 SYN URGP=0 UID=0 GID=0

The client tries to connect directly to server3 and not to server1. I think that the packets are blocked because they should be iptables RELATED to server1, not to server3, to pass the firewall.
I don't want to change the iptables output rules because they concern a lot of clients.
Is there a way to respond with server1 instead of server3 (or another way to make it work properly)?

server1: haproxy.cfg
...
listen ftplb 5.6.7.8:21, 5.6.7.8:50000-50999
mode tcp
option tcplog
server server3 9.10.11.12 check port 21
server server4 13.14.15.16 check port 21

server1 and server3: iptables
-A INPUT -p tcp -i eth0 -m multiport --dport 21,50000:50999 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

server3: vsftpd.conf

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
xferlog_std_format=YES
chroot_local_user=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
allow_writeable_chroot=YES
ftpd_banner=Welcome to FTP service.
pasv_enable=YES
pasv_promiscuous=YES
pasv_min_port=50000
pasv_max_port=50999
dual_log_enable=YES
log_ftp_protocol=YES
port_enable=YES
port_promiscuous=YES
connect_from_port_20=NO
seccomp_sandbox=NO

Any idea?

Regards,
Eric

Posts: 9

Participants: 2

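
What has to change for passive mode to work through the VIP, as an added example (not from the thread). The 227 reply is written by vsftpd, and HAProxy in TCP mode passes "9,10,11,12" through untouched, so the server must be told to advertise the load balancer's address; HAProxy must then pin each client's data connections to the server that owns its control session, otherwise the data port can land on server4. Making server4 a backup and the table size are assumptions.

```haproxy
# Added example: passive FTP through an HAProxy VIP.
# On server3/server4, vsftpd.conf (assumed additions):
#     pasv_address=5.6.7.8      # advertise the failover IP, not eth0
#     pasv_min_port=50000
#     pasv_max_port=50999
listen ftplb
    bind 5.6.7.8:21
    bind 5.6.7.8:50000-50999
    mode tcp
    option tcplog
    # Control and data connections of one client must reach the same server:
    # the PASV port was allocated by the server that holds the login.
    stick-table type ip size 10k expire 1h
    stick on src
    # No port on the server lines: a data connection arriving on VIP:50812
    # is forwarded to the same port 50812 on the chosen server.
    server server3 9.10.11.12 check port 21
    server server4 13.14.15.16 check port 21 backup
```

Because both the control and the data connection now reach vsftpd from HAProxy's address, "pasv_promiscuous=YES" and "port_promiscuous=YES" (which disable vsftpd's check that the data peer matches the control peer) may no longer be needed; re-test with them set to NO, since they are the settings that let a third party hijack a passive data port.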

NTLM with httpchk


@Chris wrote:

Is it possible to use NTLM with "option httpchk"? I know that the below works, using basic auth:

option httpchk GET /relative/urlstr/ HTTP/1.0\r\nAuthorization:\ Basic\ basic_auth_header

However, what I would ideally like to do is something like the following:

option httpchk GET /relative/urlstr/ HTTP/1.0\r\nAuthorization:\ NTLM\ ntlm_auth_header

Any ideas?

Posts: 2

Participants: 2

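
Why a static NTLM header cannot work, and what a check can observe instead, as an added example (not from the thread; the Host value and address are assumptions). NTLM is a three-message exchange bound to one TCP connection: the first request is answered 401 with a server challenge, and the token in the posted header would have to be computed from that challenge. A health check sends exactly one fixed request, so the most it can see is the challenge itself, which is still evidence that the application pool is up.

```haproxy
# Added example: health-checking an NTLM-protected IIS path.
# Host value and server address are assumptions.
backend be_intranet
    mode http
    option httpchk GET /relative/urlstr/ HTTP/1.1\r\nHost:\ intranet.example.com
    # 401 = IIS is alive and demanding NTLM; 200 covers an anonymous
    # health page if one is later exposed. Anything else (5xx, timeout,
    # 403 from a broken app pool) still marks the server DOWN.
    http-check expect rstatus ^(200|401)$
    server iis1 192.168.10.11:80 check inter 10s fall 3 rise 2
```

The working Basic variant from the post embeds a credential in haproxy.cfg and sends it on every check; if it stays, give it a dedicated account with no rights beyond that URL and keep the configuration file readable only by root.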

Backend Servers with client transparency cannot get out to internet themselves


@webber wrote:

We have two backend IIS servers which are load balanced and working perfectly for HTTP and HTTPS passthrough traffic. They are configured for client IP transparency, so their default gateway is necessarily set to the HAProxy server (v1.6.8 on CentOS 7). They each have an IP address mapped to a public IP also. When we try to connect via RDP it times out. Then we noticed that we cannot originate traffic from the backend servers to the internet (SMTP, SMTPS, HTTP) and can only ping the local private LAN.

We are using a single NIC on the HAProxy for the listening IPs (eth0, eth0:1, eth0:2...) and are using firewalld configured for the transparency to work.

Has anyone else seen this issue? If we change the default gateway back to the Juniper FW, the backend servers behave normally. It is the HAProxy server that seems to be discarding the packets destined for the internet.

Thanks.

Posts: 2

Participants: 2


Backend IP based on frontend IP


@Kal wrote:

Hi,

I use HAProxy (1.6 on Ubuntu 12.04) as an SSL termination proxy in front of a Varnish server. Varnish listens on several IPs, for virtual host purposes. So I want HAProxy to listen on all IPs, and pass each request to Varnish on the same IP.

The configuration could be:

frontend www-https1
   bind 1.1.1.1:443 ssl  strict-sni crt /var/ssl/
   default_backend www-backend1
backend www-backend1
   server www-1 1.1.1.1:80 check
frontend www-https2
   bind 2.2.2.2:443 ssl  strict-sni crt /var/ssl/
   default_backend www-backend2
backend www-backend2
   server www-1 2.2.2.2:80 check

etc.

But I would prefer a configuration like this:

frontend www-https
   bind :443 ssl  strict-sni crt /var/ssl/pem/
   default_backend www-backend
backend www-backend
   server www-1 ${frontend_ip}:80 check

I saw ${frontend_ip} in similar topics, but it doesn't seem to work... My global configuration works, because if I put an IP instead of ${frontend_ip}, it works.

Any idea?

Thanks,

Posts: 7

Participants: 2

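
The directive that does this, as an added example (not from the thread). ${frontend_ip} does not exist: ${NAME} is only expanded from the process environment while the file is parsed. A server address of 0.0.0.0 means "connect to the destination address the client connected to", which is exactly one-IP-in, same-IP-out. The health-check address and the list of bound IPs are assumptions.

```haproxy
# Added example: forward each request to the IP the client connected to.
# Bound addresses and the check address are assumptions.
frontend www-https
    mode http
    # Bind only the addresses Varnish serves, not ":443" on everything, so
    # a connection to some other local address cannot be relayed to its :80.
    bind 1.1.1.1:443,2.2.2.2:443 ssl strict-sni crt /var/ssl/pem/
    http-request set-header X-Forwarded-Proto https
    default_backend www-backend

backend www-backend
    mode http
    # 0.0.0.0 = original destination address; the explicit :80 replaces the
    # client's port 443. Checks need a concrete target, hence addr/port.
    server www-1 0.0.0.0:80 check addr 1.1.1.1 port 80
```

Since Varnish and HAProxy share the host here, the rewritten destination is always local; on a split deployment the same 0.0.0.0 trick would make HAProxy connect to whatever IP the client aimed at, so the bind list is what keeps the relay bounded.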

Is it possible to use backend server 127.0.0.1 with TProxy?


@funbsd wrote:

TProxy does not work in this case:
server local-server 127.0.0.1 source 0.0.0.0 usesrc clientip

I have to delete "usesrc clientip", but then I can not see "clientip".

Is it possible to use backend server 127.0.0.1 with TProxy?
Or any other function to make it work with backend server 127.0.0.1?

Posts: 1

Participants: 1

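
An in-band alternative for a loopback backend, as an added example (not from the thread; the port and the receiving application are assumptions). "usesrc clientip" gives the outgoing socket a foreign source address and relies on the kernel routing the application's replies back into HAProxy, which the usual TPROXY diversion rules are not set up to do for a connection that never leaves the host. The PROXY protocol carries the same client address as a text header at the start of the stream and needs no spoofing at all.

```haproxy
# Added example: client address to a 127.0.0.1 backend via PROXY protocol.
# Port and the application's configuration are assumptions.
backend be_local
    mode tcp
    # send-proxy prefixes each connection with
    #   "PROXY TCP4 <client-ip> <dst-ip> <client-port> <dst-port>\r\n".
    # The application must be set to expect it (e.g. nginx:
    #   listen 8080 proxy_protocol; set_real_ip_from 127.0.0.1;)
    # and must accept that header ONLY from loopback, because any peer that
    # can open the port could otherwise forge a client address.
    # check-send-proxy makes the health checks send the header too.
    server local-server 127.0.0.1:8080 send-proxy check check-send-proxy
```

For an HTTP backend "option forwardfor" (X-Forwarded-For) does the same job, with the same rule: the application must trust the header only from 127.0.0.1.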


High CPU usage after upgrading Haproxy


@Raidok wrote:

I had 4 identical deployments of HAProxy 1.6.5 handling a steady 10-20k concurrent websocket connections each, 24/7, with average CPU usage below 50%. A few days ago I decided to upgrade one of them to 1.6.9. The night after, the CPU spiked over 70% for a couple of short periods. The next day I thought I should upgrade another server. The next night I had two servers sending me alerts. I'm thinking about whether I should revert the upgraded ones, try the 3 versions that I have skipped, or just wait for the next stable release.
The CPU usage is similar to the older versions under the same load until 20k connections have been reached. Above 20k the CPU usage goes way higher than the older versions, while serving the same clients with the same data at the same time.

Other than that, HAProxy is awesome! Keep on going!

BR,

Raido

Posts: 1

Participants: 1


HAProxy close Moodle sesions


@hkeyland wrote:

Hi all

I'm using Moodle; the user logs into Moodle and navigates, but after 3 or 4 minutes the session is closed and they need to log in again, every 3 or 4 minutes, always.

I have tried to modify different parameters:

global
log 127.0.0.1 local2 #Log configuration

chroot      /var/lib/haproxy
pidfile     /var/run/haproxy.pid
maxconn     4000                
user        haproxy             #Haproxy running under user and group "haproxy"
group       haproxy
daemon

# turn on stats unix socket
stats socket /var/lib/haproxy/stats

defaults
mode http
log global
option httplog
option dontlognull
#option http-server-close
option http-keep-alive
##option forwardfor except 127.0.0.0/8
##option redispatch
##retries 3
##timeout http-request 10s
##timeout queue 20s
timeout connect 2s
timeout client 10m #The session closes after x of client inactivity
timeout server 20m #The server closes your connection regardless of page changes
##timeout http-keep-alive 30m #The session closes after x of inactivity
##timeout check 20m
maxconn 3000
balance source

listen haproxy3-monitoring *:8080 #Haproxy Monitoring run on port 8080
mode http
##option forwardfor
#option httpclose
##option http-server-close
stats enable
stats show-legends
stats refresh 5s
stats uri /statsx #URL for HAProxy monitoring
stats realm Haproxy\ Statistics
stats auth stats:123pormi #User and Password for login to the monitoring dashboard
stats admin if TRUE
stats auth admin:pass

frontend public
bind *:80
##default_backend app-main
###ACL
acl adistanciaBackend hdr_beg(host) -i adistancia.
acl appsBackend hdr_beg(host) -i apps.
acl wwwBackend hdr_beg(host) -i www.
####
use_backend adistancia if adistanciaBackend
##use_backend apps if appsBackend
##use_backend www if wwwBackend

backend app-main

## balance roundrobin #Balance algorithm
## option httpchk HEAD / HTTP/1.1\r\nHost:\ localhost #Check the server is up and healthy - 200 status code
###server ciclope 192.168.2.94:80 check
##server vulcano 192.168.2.96:80 check

backend adistancia
balance roundrobin
#balance source #Balance algorithm
option httpchk HEAD / HTTP/1.1\r\nHost:\ localhost #Check the server is up and healthy - 200 status code
cookie SERVERID insert indirect
##cookie SERVERID rewrite maxlife 120m
##cookie SERVERID prefix nocache maxlife 33m
server vulcano 192.168.2.96:80 check cookie vulcano

backend apps

## balance roundrobin #Balance algorithm
##option httpchk HEAD / HTTP/1.1\r\nHost:\ localhost #Check the server is up and healthy - 200 status code
##cookie SERVERID insert indirect nocache
##server vulcano 192.168.2.96:80 check cookie vulcano
###server ciclope 192.168.2.94:80 check cookie ciclope

backend www
balance roundrobin #Balance algorithm
option httpchk HEAD / HTTP/1.1\r\nHost:\ localhost #Check the server is up and healthy - 200 status code
#server ciclope 192.168.2.94:80 check
server vulcano 192.168.2.96:80 check

Posts: 1

Participants: 1

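
The stats listener from the posted config, as an added hardened version (not from the thread; the bind address, admin network and password are assumptions). "stats admin if TRUE" combined with "stats auth stats:123pormi" on *:8080 lets anyone who can reach that port and guess a short password disable or drain the backend servers. This change does not diagnose the session expiry; it removes an exposure that sits in the same file.

```haproxy
# Added example: stats page restricted to an admin network, admin actions
# gated by ACL rather than "if TRUE". Addresses and password are assumptions.
listen haproxy3-monitoring
    # Listen on the management address only, not on every interface.
    bind 192.168.2.10:8080
    mode http
    acl from_admin_net src 192.168.2.0/24
    # Anyone outside the admin network gets 403 before reaching the page.
    http-request deny unless from_admin_net
    stats enable
    stats uri /statsx
    stats realm Haproxy\ Statistics
    stats refresh 5s
    stats show-legends
    stats hide-version
    # One account; the password is the only thing between a browser and
    # "disable server", so make it long and random.
    stats auth admin:replace-with-a-long-random-secret
    # Administrative actions (disable, drain, weight) only from the admin
    # network, and only after authentication.
    stats admin if from_admin_net
```

The posted "timeout client 10m" and "timeout server 20m" only bound idle TCP connections; they do not shorten or extend the Moodle login, which is decided by PHP's session lifetime on the server, so changing them back to a few seconds of idle time for HTTP is safe.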

How to bring up a feature request?


@xczheng wrote:

In particular, the feature I want to bring up is: in HTTP mode, if a request is tarpitted, it is not configurable to log a 429 status code (not the status code sent back to the client). That hard-coded 5XX status code in the logs causes some confusion in our availability graphs because it's not really a server-side problem.

Posts: 2

Participants: 2


Exchange 2016,outlook not updating inbox but connected


@Maurotb wrote:

Hi,
I have set up an Exchange 2016 site (three Exchange MBX servers), with a Squid3 in front of the site as SSL offloading.
I tried to point Squid at MBX1 first, then MBX2 and 3; all work as expected.
Now I have made an HAProxy server to insert between Squid and my MBXs. Squid does the SSL offload and points at HAProxy,
which distributes the load on the 3 MBXs.
All works as expected, but sometimes (more often under load) Outlook says it is connected, but the inbox
does not update. I can send email, but my inbox does not update until I restart Outlook or tell Squid to point at one MBX instead of HAProxy.
Requests are made only with RPC over HTTP, no MAPI for now...
My HAProxy is 1.5.8; same problem with 1.6.
Any tips?
Thanks

global
log /dev/log local0 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
daemon

defaults
log global
mode http
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
stats enable
stats uri /stats
stats realm Haproxy\ Statistics
stats auth admin:XXXXXX
maxconn 100000
option http-keep-alive
option prefer-last-server
no option httpclose
no option http-server-close
no option forceclose
no option http-tunnel
log global
option httplog
option forwardfor
balance leastconn
default-server inter 3s rise 2 fall 3
timeout client 600s
timeout http-request 10s
timeout connect 10s
timeout server 60s
############################################# HTTP

frontend fe_ex
mode http
bind 172.30.1.201:80

acl autodiscover url_beg /Autodiscover
acl ecp url_beg /ecp
acl ews url_beg /EWS
acl mapi url_beg /mapi
acl eas url_beg /Microsoft-Server-ActiveSync
acl oab url_beg /OAB
acl owa url_beg /owa
acl rpc url_beg /rpc

use_backend be_ex_autodiscover if autodiscover
use_backend be_ex_ecp if ecp
use_backend be_ex_ews if ews
use_backend be_ex_mapi if mapi
use_backend be_ex_eas if eas
use_backend be_ex_oab if oab
use_backend be_ex_owa if owa
use_backend be_ex_rpc if rpc
default_backend be_ex

backend be_ex_autodiscover
mode http
balance roundrobin
option httpchk GET /autodiscover/healthcheck.htm
option log-health-checks
http-check expect status 200
server srv-mbx1 172.30.1.203:80 check inter 15s verify none
server srv-mbx2 172.30.1.204:80 check inter 15s verify none
server srv-mbx3 172.30.1.205:80 check inter 15s verify none

backend be_ex_ecp
mode http
balance roundrobin
option httpchk GET /ecp/healthcheck.htm
option log-health-checks
http-check expect status 200
server srv-mbx1 172.30.1.203:80 check inter 15s verify none
server srv-mbx2 172.30.1.204:80 check inter 15s verify none
server srv-mbx3 172.30.1.205:80 check inter 15s verify none

backend be_ex_ews
mode http
balance roundrobin
option httpchk GET /ews/healthcheck.htm
option log-health-checks
http-check expect status 200
server srv-mbx1 172.30.1.203:80 check inter 15s verify none
server srv-mbx2 172.30.1.204:80 check inter 15s verify none
server srv-mbx3 172.30.1.205:80 check inter 15s verify none

backend be_ex_mapi
mode http
balance roundrobin
option httpchk GET /mapi/healthcheck.htm
option log-health-checks
http-check expect status 200
server srv-mbx1 172.30.1.203:80 check inter 15s verify none
server srv-mbx2 172.30.1.204:80 check inter 15s verify none
server srv-mbx3 172.30.1.205:80 check inter 15s verify none

backend be_ex_eas
mode http
balance roundrobin
option httpchk GET /microsoft-server-activesync/healthcheck.htm
option log-health-checks
http-check expect status 200
server srv-mbx1 172.30.1.203:80 check inter 15s verify none
server srv-mbx2 172.30.1.204:80 check inter 15s verify none
server srv-mbx3 172.30.1.205:80 check inter 15s verify none

backend be_ex_oab
mode http
balance roundrobin
option httpchk GET /oab/healthcheck.htm
option log-health-checks
http-check expect status 200
server srv-mbx1 172.30.1.203:80 check inter 15s verify none
server srv-mbx2 172.30.1.204:80 check inter 15s verify none
server srv-mbx3 172.30.1.205:80 check inter 15s verify none

backend be_ex_owa
mode http
balance roundrobin
option httpchk GET /owa/healthcheck.htm
option log-health-checks
http-check expect status 200
server srv-mbx1 172.30.1.203:80 check inter 15s verify none
server srv-mbx2 172.30.1.204:80 check inter 15s verify none
server srv-mbx3 172.30.1.205:80 check inter 15s verify none

backend be_ex_rpc
mode http
balance roundrobin
option httpchk GET /rpc/healthcheck.htm
option log-health-checks
http-check expect status 200
server srv-mbx1 172.30.1.203:80 check inter 15s verify none
server srv-mbx2 172.30.1.204:80 check inter 15s verify none
server srv-mbx3 172.30.1.205:80 check inter 15s verify none

backend be_ex
mode http
balance roundrobin
server srv-mbx1 172.30.1.203:80 check inter 15s verify none
server srv-mbx2 172.30.1.204:80 check inter 15s verify none
server srv-mbx3 172.30.1.205:80 check inter 15s verify none

Posts: 1

Participants: 1


How to get common name from client cert in TLS connection instead of HTTPS


@haboy5258 wrote:

How do I get the common name from the client cert in a TLS connection instead of HTTPS? I am using TLS, not HTTPS, and want to get the common name from the client cert using HAProxy 1.6.9 (also tried 1.7-dev4) on AWS. I am using AWS ELB + HAProxy client-certificate SSL, and I know to use ssl_c_i_dn, but how do I get/compare the value? Here is my config:

global
log 127.0.0.1 local0
maxconn 100000
lua-load /home/ubuntu/a.lua

defaults
log global
mode tcp
option tcplog
option dontlognull
retries 3000
option redispatch
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 100s
timeout check 10s
maxconn 100000

frontend fort
mode tcp
log 127.0.0.1 local0 debug
bind *:4443 ssl crt /home/ubuntu/host.pem ca-file /home/ubuntu/ca.crt verify required
bind *:4443
use_backend ssl-error unless { ssl_c_verify 0 }
use_backend mos if { ssl_fc_has_crt }
default_backend %[lua.c]

backend mos
balance leastconn
mode tcp
server ip-10-252-1-100 10.252.1.131:2983 check inter 5s fall 3 rise 99999999
server ip-10-252-1-131 10.252.1.131:1983 check backup

a.lua:

function c(txn)
    local arg2 = txn.sf:ssl_c_i_dn("dn")
    local arg3 = txn.sf:ssl_f_i_dn("dn")
    core.log(core.info, arg3)
    core.log(core.info, arg2)
    return "mos"
end
core.register_fetches("c", c)

Posts: 1

Participants: 1

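
A TLS-terminating TCP frontend that authorises clients by the subject CN of their certificate, as an added example (not from the thread). The ssl_c_i_dn used in the post is the issuer DN, i.e. the CA's name, which every client shares; the client's own name is ssl_c_s_dn(CN). No Lua is needed for a compare, an ACL with a file of allowed names does it. File names, the allow-list contents and the backend address are assumptions.

```haproxy
# Added example: mutual TLS in tcp mode, authorisation by client subject CN.
# Paths, allow-list and backend are assumptions.
frontend fort
    mode tcp
    # One bind only. The posted second "bind *:4443" without ssl either fails
    # to bind or, where the kernel allows the duplicate, takes a share of
    # the connections with no TLS and no client certificate at all.
    bind *:4443 ssl crt /home/ubuntu/host.pem ca-file /home/ubuntu/ca.crt verify required
    # Bound on how long content inspection may wait for the rules below.
    tcp-request inspect-delay 5s
    # /etc/haproxy/allowed_cns.txt (constructed), one exact CN per line:
    #     mos-collector-01
    #     mos-collector-02
    acl cn_allowed ssl_c_s_dn(CN) -m str -f /etc/haproxy/allowed_cns.txt
    # Reject unless a certificate was presented, it verified against ca.crt,
    # and its CN is on the list. "verify required" already enforces the
    # first two; the explicit rules keep the policy visible and logged.
    tcp-request content reject unless { ssl_c_used }
    tcp-request content reject unless { ssl_c_verify 0 }
    tcp-request content reject unless cn_allowed
    tcp-request content accept
    log-format "%ci:%cp [%t] %ft cn=%[ssl_c_s_dn(CN)] verify=%[ssl_c_verify] -> %b/%s"
    default_backend mos

backend mos
    mode tcp
    balance leastconn
    server mos-1 10.252.1.131:2983 check inter 5s fall 3 rise 2
```

Two things about the surrounding setup: the ELB in front must be a TCP listener (pass-through), because an HTTPS listener terminates TLS on the ELB and the client certificate never reaches HAProxy; and with an allow-list by CN, a revoked client stays authorised until its CN is removed or a crl-file is added to the bind line.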

Limit concurrent connections based on part of URI


@mmcaughan wrote:

Hi,

Cannot find a good example after a fair amount of googling.

I want to limit concurrent connections based on the client part of the URI below.

api.myapp.com/client1/dothis
api.myapp.com/client2/dothis
api.myapp.com/client3/dothis
api.myapp.com/client4/dothis
api.myapp.com/clientN/dothis

I'm having a hard time figuring out how to parse /clientX/ into a variable to place in a stick table.

Want to limit any particular client to no more than X connections as a safety valve.

Can someone help?

Posts: 1

Participants: 1

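
One way to do this with a stick table keyed on the first path segment, as an added example (not from the thread). No variable is required: the key expression of "track-sc0" can carry the converter chain directly. The limit, table size and backend address are assumptions.

```haproxy
# Added example: per-tenant concurrent connection cap keyed on /<tenant>/.
# Limit, sizes and backend are assumptions.
frontend fe_api
    mode http
    bind :80
    # Key = second "/"-separated field of the path: "/client1/dothis" -> "client1".
    # conn_cur is incremented when tracking starts and decremented when the
    # stream ends, so per key it counts connections currently in flight.
    http-request track-sc0 path,field(2,/) table tenants
    # This connection is already counted by the line above, so "gt 50"
    # refuses the 51st concurrent one. 1.6 answers 403; releases with
    # "deny_status" can answer 429 instead.
    http-request deny if { sc0_conn_cur gt 50 }
    default_backend be_api

backend tenants
    # A backend used only to hold the table. "len" bounds the key so long
    # bogus tenant names cannot bloat entries; "size" bounds the table so a
    # flood of unknown names cannot exhaust memory (oldest entries expire).
    stick-table type string len 32 size 10k expire 10m store conn_cur

backend be_api
    mode http
    server api1 10.0.0.11:8080 check
```

The tenant segment is attacker-controlled text, which is why the table, not the request, decides what is stored: an unknown name simply occupies one bounded entry. For a rate rather than a concurrency cap, store http_req_rate(10s) and test sc0_http_req_rate the same way.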

Newbie - Several backends - not redirecting correctly


@ksl28 wrote:

Hello,

First of all I need to inform you that I'm fairly new to HAProxy, and am no master at it :slight_smile:

The HAProxy setup consists of 2 nodes, running HAProxy and Keepalived with a floating IP.

Node01: 192.168.62.98
Node02: 192.168.62.99
Floating: Node01: 192.168.62.100
Exchange Server: 192.168.60.86
V-Center: 192.168.61.100 (VESXI.DOMAIN.COM)

We have 1 public IP address, and want to use port 443 for several purposes (Exchange, VMware, RDS Gateway, etc...).

About a month ago we moved the Exchange HTTPS to go through the HAProxy setup, and it worked like a charm! When we tried moving the V-Center server to also go through the HAProxy, we realized that when trying to access the V-Center server on a hostname, we were redirected to the Exchange OWA.

I'm 100% sure that it's a configuration failure at our end, and I'm pretty sure it's because of the frontend setup in the haproxy.cfg.
I'm sorry to have to disturb you regarding this, but I can't figure out how to solve it.

Note - the domain have been replaced with domain.com for security reasons.

Config:

FRONTEND:

frontend Exchange_WWW_Frontend
mode tcp
bind 192.168.62.100:443
default_backend BCK_Exchange_HTTPS
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend BCK_RDS_HTTPS if { req_ssl_sni -i remote.domain.com }
use_backend BCK_OWNCLOUD_HTTPS if { req_ssl_sni -i oc.domain.com }
use_backend BCK_APP_HTTPS if { req_ssl_sni -i vmm.domain.com }
use_backend BCK_VCENTER_WEB if { req_ssl_sni -i vesxi.domain.com }
option tcp-smart-accept

BACKEND:

backend BCK_Exchange_HTTPS
mode tcp
retries 3
timeout server 300s
timeout connect 10s
server S1EXCH02 192.168.60.86:443 check #ssl verify none

backend BCK_RDS_HTTPS
mode tcp
retries 3
timeout server 300s
timeout connect 10s
server S1TSGW02 192.168.62.80:443 check #ssl verify none

backend BCK_OWNCLOUD_HTTPS
mode tcp
retries 3
timeout server 300s
timeout connect 10s
server S1OC02 192.168.60.87:443 check #ssl verify none

backend BCK_APP_HTTPS
mode tcp
retries 3
timeout server 300s
timeout connect 10s
server S1APP01 192.168.62.81:443 check #ssl verify none

backend BCK_VCENTER_WEB
mode tcp
retries 3
timeout server 300s
timeout connect 10s
server S1VC01 192.168.61.100:443 check #ssl verify none

Thanks in advance

Posts: 8

Participants: 2

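
The posted frontend with the one line it is missing, as an added example (not from the thread). Without "tcp-request inspect-delay", the use_backend rules are evaluated as soon as the connection is accepted, before the ClientHello has arrived; req_ssl_sni is then empty, nothing matches, and every connection falls through to default_backend, which is the Exchange OWA the poster sees. HAProxy prints a warning about exactly this at start-up ("rules ... will randomly find their contents").

```haproxy
# Added example: SNI routing in tcp mode. Only the inspect-delay is new;
# the backend names and addresses are the poster's.
frontend Exchange_WWW_Frontend
    mode tcp
    bind 192.168.62.100:443
    option tcp-smart-accept
    # Wait up to 5s for the ClientHello; accept as soon as it is seen.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # SNI is sent in clear and is not authenticated: it only selects a
    # backend, it proves nothing about the client. Each backend still
    # performs its own TLS handshake and authentication.
    use_backend BCK_RDS_HTTPS      if { req_ssl_sni -i remote.domain.com }
    use_backend BCK_OWNCLOUD_HTTPS if { req_ssl_sni -i oc.domain.com }
    use_backend BCK_APP_HTTPS      if { req_ssl_sni -i vmm.domain.com }
    use_backend BCK_VCENTER_WEB    if { req_ssl_sni -i vesxi.domain.com }
    # Connections with no SNI at all (older clients, scanners hitting the
    # IP) still land here; Exchange is the service best placed to refuse them.
    default_backend BCK_Exchange_HTTPS
```

Because this is pass-through, HAProxy never sees the HTTP inside and the "#ssl verify none" left in the server lines is inert; the health checks are plain TCP connects, so a backend whose TLS is broken still counts as UP.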


Uptime via stats without scraping html


@bwmetcalf wrote:

Is there any way to programmatically obtain the uptime metric from HAProxy statistics via HTTP without having to scrape the HTML version of the output? It would be nice to have this information in CSV or some other format, but it seems the only way this is exposed is via the /haproxy?stats page. For bonus points, it would be nice to see this in Unix time rather than having to convert the human-readable string.

Thanks.

Posts: 5

Participants: 3


HaProxy Validates Websocket DNS lookup backend but not ipaddress


@toriacht wrote:

Hi,

I am configuring my HAProxy instance before all my backend servers are alive. For the configuration below, if I use a not-yet-existing IP address everything starts fine; however, if I use a DNS entry, e.g. myserver.com, it attempts to resolve this and fails to start with an "invalid address" error.

  1. Can I turn off this validation?
  2. Why does it validate DNS names and not IP addresses?

Many thanks, config below.
W

...
...

# Checks the path for Websocket CLI service
acl webscktcli_app path_beg /wsktcli-websocket
acl webscktcli_app hdr(Upgrade) -i WebSocket
acl webscktcli_app hdr_beg(Host) -i ws
use_backend bk_websktcli_websocket if webscktcli_app

...
...

Failing backend config with URL (mywebskt.com):

#---------------------------------------------------------------------
# Backend for Websocket CLI
#---------------------------------------------------------------------
backend bk_websktcli_websocket
mode http
balance roundrobin
option forwardfor
timeout tunnel 60m
reqadd X-Forwarded-Proto:\ https
cookie myCookie prefix nocache
server wsktcli-1 mywebskt.com:8080 cookie S1 check

Working backend config with dummy IP address (4.4.4.4):

#---------------------------------------------------------------------
# Backend for Websocket CLI
#---------------------------------------------------------------------
backend bk_websktcli_websocket
mode http
balance roundrobin
option forwardfor
timeout tunnel 60m
reqadd X-Forwarded-Proto:\ https
cookie myCookie prefix nocache
server wsktcli-1 4.4.4.4:8080 cookie S1 check

Posts: 1

Participants: 1

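
Why the name is rejected and the IP is not, with the directives that change it, as an added example (not from the thread; the resolver address is an assumption). A literal IP needs no lookup, so HAProxy stores it and only finds out at check time that nothing answers; a hostname is resolved through libc while the file is parsed, and with no answer there is no address to store, hence the fatal error. From HAProxy 1.7 the "init-addr" server option lets that start-up resolution fail and the runtime "resolvers" section fill the address in later.

```haproxy
# Added example: a server whose name need not resolve at start-up.
# Requires HAProxy 1.7+ for init-addr; the resolver address is an assumption.
resolvers internal
    # Only a resolver you control: its answers decide where traffic goes,
    # and these releases do not validate them (no DNSSEC).
    nameserver dns1 10.0.0.53:53
    resolve_retries 3
    timeout retry   1s
    hold valid      10s

backend bk_websktcli_websocket
    mode http
    balance roundrobin
    option forwardfor
    timeout tunnel 60m
    reqadd X-Forwarded-Proto:\ https
    cookie myCookie prefix nocache
    # init-addr order: last saved state, then libc, then "none" = start with
    # no address (server DOWN) and wait for the resolvers to supply one.
    server wsktcli-1 mywebskt.com:8080 cookie S1 check resolvers internal init-addr last,libc,none
```

On 1.6 and earlier the equivalent is to deploy the configuration with the literal IP the poster already uses, or to create the DNS record before the first start; either way a server with "check" stays out of rotation until a check succeeds, so an unreachable address at start-up costs nothing but log noise.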

Intermittent 503 errors with multiple sites through proxy


@webber wrote:

I put a new CentOS 6 HAProxy (compiled) system in production with 700+ sites behind it. The load was not high on the proxy or on the two backend IIS servers. We were noticing occasional 503 errors on a handful of sites. While getting 503s at the client, the site worked directly on the IIS servers. Also I could use curl and wget successfully from the HAProxy host during the issues. After an hour the brief outages were not dissipating and we reverted to our previous load balancer.

Has anyone seen an issue like this that was caused by configuration error or that there is something I can look for?

global
log 127.0.0.1 local2
nbproc 1
# chroot /var/lib/haproxy
# user haproxy
# group haproxy
pidfile /var/run/haproxy.pid
maxconn 90000
spread-checks 2
ssl-server-verify none
ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
ssl-default-bind-options no-sslv3
daemon
stats socket /var/lib/haproxy/stats.sock mode 600 level admin
stats timeout 2m

defaults
maxconn 5000
fullconn 5000
mode http
balance roundrobin
log global
option dontlognull
# option dontlog-normal
option log-separate-errors
option http-server-close
option abortonclose
## option forwardfor except 127.0.0.0/8
option redispatch
retries 3
hash-type consistent
timeout http-request    10s
timeout queue           60s
timeout connect         10s
timeout client          30s
timeout server          30s
timeout http-keep-alive 10s
timeout check           10s

listen stats
bind 192.168.1.254:8080
mode http
stats enable
stats hide-version
stats realm HAProxy\ Statistics
stats uri /hapstats
stats auth haadmin:**********

listen example1.com
bind 192.168.4.22:80 transparent
option httplog
option forwardfor
# option httpchk OPTIONS * HTTP/1.1\r\nHost:\ example1.com
stick-table type ip size 5000 expire 20m
stick on src
source 0.0.0.0 usesrc clientip
server 192.168.2.17 192.168.2.17:80 minconn 100 maxconn 1000 check inter 5s
server 192.168.3.17 192.168.3.17:80 minconn 100 maxconn 1000 check inter 5s

listen example2.com
bind 192.168.4.22:80 transparent
option httplog
option forwardfor
# option httpchk OPTIONS * HTTP/1.1\r\nHost:\ example2.com
stick-table type ip size 5000 expire 20m
stick on src
source 0.0.0.0 usesrc clientip
server 192.168.2.17 192.168.2.17:80 minconn 100 maxconn 1000 check inter 5s
server 192.168.3.17 192.168.3.17:80 minconn 100 maxconn 1000 check inter 5s

listen fanciersite1.com
bind 192.168.254.71:443 transparent
mode tcp
option tcplog
option tcp-check
stick on src table fanciersite1.com
source 0.0.0.0 usesrc clientip
server 192.168.6.71SSL 192.168.6.71:443 minconn 100 maxconn 1000 check inter 5s
server 192.168.7.71SSL 192.168.7.71:443 minconn 100 maxconn 1000 check inter 5s

listen fanciersite1.com
bind 192.168.254.71:80 transparent
option httplog
option httpchk OPTIONS * HTTP/1.1\r\nHost:\ fanciersite1.com
stick-table type ip size 50k expire 30m
stick on src
source 0.0.0.0 usesrc clientip
server 192.168.6.71 192.168.6.71:80 minconn 100 maxconn 1000 check inter 5s
server 192.168.7.71 192.168.7.71:80 minconn 100 maxconn 1000 check inter 5s

listen fanciersite2.com
bind 192.168.254.73:443 transparent
mode tcp
option tcplog
option tcp-check
stick on src table fanciersite2.com
source 0.0.0.0 usesrc clientip
server 192.168.7.73SSL 192.168.7.73:443 minconn 100 maxconn 1000 check inter 5s
server 192.168.6.73SSL 192.168.6.73:443 minconn 100 maxconn 1000 check inter 5s

listen fanciersite2.com
bind 192.168.254.73:80 transparent
option httplog
option httpchk OPTIONS * HTTP/1.1\r\nHost:\ fanciersite2.com
stick-table type ip size 50k expire 30m
stick on src
source 0.0.0.0 usesrc clientip
server 192.168.7.73 192.168.7.73:80 minconn 100 maxconn 1000 check inter 5s
server 192.168.6.73 192.168.6.73:80 minconn 100 maxconn 1000 check inter 5s

Posts: 1

Participants: 1

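
The global section of the posted config, as an added least-privilege version (not from the thread). Nothing here diagnoses the 503s; for that the termination-state flags in the error log that "option log-separate-errors" already isolates are the place to look (sC, sQ and SC name three different causes). What does stand out: chroot, user and group are commented out, so HAProxy runs as root; "ssl-server-verify none" switches off certificate checking for every TLS backend; and RC4-SHA is still offered. The reason root was probably kept is "source 0.0.0.0 usesrc clientip": opening a socket with a foreign source address needs a capability at connect time, after privileges have been dropped, which is why the manual for these releases says HAProxy must run as root to use it. Every HTTP listen already sets "option forwardfor", so IIS receives the client address in X-Forwarded-For without transparency and the usesrc line can go. Addresses are the poster's; the cipher string is an assumption.

```haproxy
# Added example: the same global section without root and with server-side
# TLS verification on. Cipher list is an assumption.
global
    log 127.0.0.1 local2
    nbproc 1
    # Confine the process: a bug on the listener side then lands in an empty
    # directory as an unprivileged user instead of in a root shell.
    chroot /var/lib/haproxy
    user  haproxy
    group haproxy
    daemon
    pidfile /var/run/haproxy.pid
    maxconn 90000
    spread-checks 2
    # "level admin" lets the socket holder drain and disable servers;
    # mode 600 keeps it root-only, as the posted config already has it.
    stats socket /var/lib/haproxy/stats.sock mode 600 level admin
    stats timeout 2m
    # Verify backend certificates by default; relax per server with
    # "ssl verify none" only where a backend really has no usable certificate.
    ssl-server-verify required
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES:!EXP:!LOW
    ssl-default-bind-options no-sslv3 no-tlsv10
    tune.ssl.default-dh-param 2048

listen example1.com
    bind 192.168.4.22:80
    option httplog
    # Client address travels in X-Forwarded-For: no usesrc, no root needed,
    # and IIS replies to HAProxy's own address, so the IIS default gateway
    # no longer has to point at the proxy.
    option forwardfor
    stick-table type ip size 5000 expire 20m
    stick on src
    server 192.168.2.17 192.168.2.17:80 minconn 100 maxconn 1000 check inter 5s
    server 192.168.3.17 192.168.3.17:80 minconn 100 maxconn 1000 check inter 5s
```

The 443 listens are TLS pass-through and cannot carry a header, so if the client address is needed there as well the choice is between keeping root for usesrc on those sections and terminating TLS on HAProxy, where forwardfor works again.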

Traffic being sent to down hosts on HAProxy reload


@dkhap wrote:

Hey there,

We are running HAProxy v1.5.4 in TCP mode and are running into an issue where down hosts receive traffic for a short time after HAProxy is reloaded. This eventually gets sorted out and traffic stops going to these hosts (after the health check fails); however, there is a spike in failures before this happens. I was looking through the manual to see if there was an option to deal with this case. The closest thing I found was redispatch, but this seems specific to HTTP-proxied traffic to specific hosts. Has anyone run into this issue before? Any suggestions?

Thanks!

Posts: 1

Participants: 1

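
How to carry server state across a reload, as an added example (not from the thread). A freshly started process marks every checked server UP until its first check says otherwise, which is the window the poster describes. HAProxy 1.6 added a server-state file that the old process writes on request and the new one reads at start, so a server that was DOWN stays DOWN; the poster's 1.5.4 does not have it. Paths are assumptions.

```haproxy
# Added example: persist server state across reloads (HAProxy 1.6+).
# Socket and file paths are assumptions.
global
    stats socket /var/run/haproxy.sock mode 600 level admin
    # Read once at start-up; written by the reload hook shown below.
    server-state-file /var/lib/haproxy/server-state

defaults
    mode tcp
    # "global" = every backend loads its servers from the single file above.
    load-server-state-from-file global

# Reload hook, run BEFORE signalling the reload (e.g. in ExecReload):
#   echo "show servers state" | socat stdio /var/run/haproxy.sock \
#       > /var/lib/haproxy/server-state
# The file lists each server's operational state, weight and address and is
# applied verbatim at start, so keep it root-owned and mode 0600: whoever
# can write it decides which servers take traffic after the next reload.
```

Two caveats: the file only helps if the dump happens after the last check results and before the new process starts, so it belongs in the reload command itself, not in a cron job; and on 1.5 the only mitigation is a shorter "inter" with low "fall", which narrows the window but does not close it.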

When the ejabberd backend goes down


@dobry wrote:

I have a rather typical setup:

1 frontend + 1 backend, tcp mode; in the backend I have several ejabberd servers.

The ejabberd backends are stateless, and when some of them go down I'd like the client not to know about it and to be redispatched to another ejabberd backend.

Unfortunately it seems that when a backend goes down, it sends a FIN packet to HAProxy. This is great, since it allows the connection to the unavailable backend to be removed from HAProxy. But then HAProxy sends a FIN packet to the client, which makes the client reconnect.

When we use netfilter on the HAProxy host and block sending the FIN packet to the client, everything seems to be OK: the client is unaware of the situation and continues its session on another ejabberd backend, redispatched by HAProxy. Since, as I wrote above, the ejabberd cluster is stateless, from the application's point of view nothing wrong happens.

Therefore: is there any way to block, on HAProxy, that session termination between the client and HAProxy? The iptables way doesn't look like a production approach to me, and we're looking for a more proper way.

Stay cool!

Posts: 4

Participants: 2



