Channel: HAProxy community - Latest topics

Http to https site with balancing


@invoker wrote:

Hi sir, could someone help me please…
I want to configure my server to hit an https site using haproxy…
I already tried so hard to reach my goal… but still fail…

my server use http ==> haproxy ==> https://blabla.com

frontend localhost
bind *:80
bind *:443
option tcplog
mode tcp
default_backend nodes

backend nodes
mode tcp
balance roundrobin
option ssl-hello-chk
server web01 xxx.xxx.xxx.xxx:443 check

this is my config… anyone please help me… thanks

Posts: 2

Participants: 2



Troubleshooting 502 Bad Gateway


@paul wrote:

Hello, I’m new to HAProxy and have hit a snag while evaluating it against our backend. I have found a particular request that seems to generate a 502 Bad Gateway error and was hoping someone could provide some insight into what is returned from the stats port.

“show errors” returns…

[09/Nov/2018:01:44:24.028] backend http_back (#4): invalid response
frontend https_front (#3), server system1 (#1), event #0
src 10.6.7.100:52328, session #0, session flags 0x0000048e
HTTP msg state MSG_HDR_L2_LWS(24), msg flags 0x00000000, tx flags 0x28603000
HTTP chunk len 0 bytes, HTTP body len 0 bytes
buffer flags 0x80008023, out 0 bytes, total 8635 bytes
pending 8635 bytes, wrapping at 16384, error at position 8313:

…and the lines around position 8313…

08240 Access-Control-Allow-Credentials: true\r\n
08280 Access-Control-Allow-Methods: *\r\n
08313 Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type,
08383+ Accept, Pragma, Cache-Control, Cache, Expires\r\n
08430 Connection: close\r\n

As far as I can tell it all looks valid to me, and I certainly don’t have this issue when I make the same request via AWS ELB or ALB.

Any bright ideas for further troubleshooting?

Also - this is HAProxy v1.8.

Cheers,
-Paul

Posts: 1

Participants: 1


Multiple port 443 backends - TCP mode


@mysticalunicorn wrote:

Currently I'm listening on port 443 in TCP mode and my attached backend is moving the traffic to an API on port 443 on the server. No issues there.
I need the frontend that's listening on port 443 to now have 2 backends and an ACL that uses the second backend only when the request is servername/oauth.

this second backend will also forward to a server on port 443 ( a different server of course )

I have seen the ACL rules for HTTP requests but haven't found a good example for port 443.

thanks for any help

Posts: 4

Participants: 2
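In TCP mode on port 443 the request path travels inside the encrypted TLS payload, so an ACL on servername/oauth cannot be evaluated there; the only routing key HAProxy can read without terminating TLS is the SNI from the Client Hello. The configuration below is an added example, not from the original post or the HAProxy project, and shows both options: routing on SNI while staying in TCP mode, and terminating TLS in HAProxy so that a path ACL works, with re-encryption and certificate verification towards the backends. Hostnames, addresses, backend names and certificate paths are constructed placeholders; only one of the two frontends can actually bind *:443 on the same host.

```haproxy
# Option 1: stay in TCP mode and route on the TLS SNI (the URL path is not visible here)
frontend fe_tcp_443
    mode tcp
    bind *:443
    # wait (up to 5s) for the Client Hello before evaluating content rules
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # constructed hostname: the OAuth service gets its own backend
    use_backend be_oauth_tcp if { req.ssl_sni -i oauth.example.com }
    default_backend be_api_tcp

backend be_api_tcp
    mode tcp
    server api1 192.0.2.10:443 check

backend be_oauth_tcp
    mode tcp
    server oauth1 192.0.2.20:443 check

# Option 2: terminate TLS here, route on the path, re-encrypt to the backends
frontend fe_https
    mode http
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem
    option httplog
    acl is_oauth path_beg /oauth
    use_backend be_oauth_http if is_oauth
    default_backend be_api_http

backend be_api_http
    mode http
    # "verify required" + ca-file checks the backend certificate instead of trusting anything
    server api1 192.0.2.10:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt check

backend be_oauth_http
    mode http
    server oauth1 192.0.2.20:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt check
```

Option 1 keeps end-to-end TLS but can only separate traffic by hostname, so the OAuth endpoint needs its own name. Option 2 gives HAProxy the plaintext request and therefore the path, at the cost of holding the certificate and key on the proxy.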


Backend using https on different port


@gytrdun wrote:

Hello, we have backend servers that respond to something like

https://servername1.domain.com:9900/someurl
https://servername2.domain.com:9900/someurl

I’m having a hard time figuring out how to get it to work. I’d like to hit http://haproxy.domain.com/someurl, or even http://haproxy.domain.com:9900/someurl.

I’ve tried every iteration that I can find in the haproxy.conf, but nothing seems to work.

This is my current config, which I know is incorrect, but just to let you know where I’m at:

frontend localnodes
bind *:80
bind *:9900
option tcplog
mode tcp
default_backend nodes

backend nodes
mode tcp
balance roundrobin
option tcp-check
server servername1 12.12.12.12:9900 check

Posts: 6

Participants: 2
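Both this post and the earlier "Http to https site with balancing" post forward plain HTTP clients to an HTTPS backend with a TCP-mode frontend, which hands the backend an unencrypted byte stream it cannot parse. HAProxy has to speak TLS towards the server itself, which requires "mode http" and "ssl" on the server line. The configuration below is an added example, not from either post or the HAProxy project; the second server address, the CA bundle path and the health-check URL are constructed placeholders.

```haproxy
frontend fe_http
    mode http
    bind *:80
    option httplog
    default_backend be_nodes

backend be_nodes
    mode http
    balance roundrobin
    # health check is sent over TLS to the real port because the server has "ssl"
    option httpchk GET /someurl
    # "ssl" re-encrypts towards the backend; "sni" sends the backend hostname so a
    # name-based virtual host or SNI-dependent certificate works; "verify required"
    # with ca-file and verifyhost rejects a backend presenting an untrusted or
    # mismatched certificate (12.12.12.13 is a constructed second address)
    server servername1 12.12.12.12:9900 ssl sni str(servername1.domain.com) verify required verifyhost servername1.domain.com ca-file /etc/ssl/certs/ca-certificates.crt check
    server servername2 12.12.12.13:9900 ssl sni str(servername2.domain.com) verify required verifyhost servername2.domain.com ca-file /etc/ssl/certs/ca-certificates.crt check
```

A client request for http://haproxy.domain.com/someurl is forwarded as https://servernameN.domain.com:9900/someurl with the path unchanged; binding *:9900 on the frontend as well is only needed if clients are expected to use that port.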


GDPR Solution for looking up login id country code


@Zach wrote:

I have a requirement to use backend servers in remote countries if the user’s home country preference is set to that country.

Right now when a user logs in, I query a haproxy map for their login id and return the two letter country code.

Then their authentication request is directed to that remote region, or local depending on the country code.

This is working.

But I need to come up with some logic for syncing the haproxy map with a global source of truth redis table.

I know I can use socat to add / remove entries to the haproxy map.

But I would like to implement something in haproxy that queries the haproxy map, and if the login id is not found it considers it a cache miss and goes to lua to query the global source of truth redis table. If the user is found there, lua then updates the local haproxy map and also updates the proper variable with the country code to pass the user's authentication request to the proper country.

Has anyone done anything like this? I am looking for lua examples of how to first connect to Redis, and make queries, then update the local haproxy map.

Thanks
Zach

Posts: 4

Participants: 2


Bluemind and HAProxy as reverse proxy


@jpweiss wrote:

Hi everybody,

I have a problem configuring haproxy as a reverse proxy for Bluemind.
When I enter the URL on a browser, it changes to the same address followed by a lot of \ and I get the message “The page isn’t redirecting properly”

In the logs of the proxy server, I get:

Nov 13 14:45:25 rproxy haproxy[5244]: 10.5.0.176:35822 [13/Nov/2018:14:45:25.581] https-in~ bk_bluemind/bluemind 0/0/0/1/1 301 381 - - ---- 1/1/0/1/0 0/0 "GET / HTTP/1.1"
Nov 13 14:45:25 rproxy haproxy[5244]: 10.5.0.176:35822 [13/Nov/2018:14:45:25.605] https-in~ bk_bluemind/bluemind 0/0/0/1/1 301 382 - - ---- 1/1/0/1/0 0/0 "GET // HTTP/1.1"
Nov 13 14:45:25 rproxy haproxy[5244]: 10.5.0.176:35822 [13/Nov/2018:14:45:25.611] https-in~ bk_bluemind/bluemind 0/0/0/1/1 301 383 - - ---- 1/1/0/1/0 0/0 "GET /// HTTP/1.1"
Nov 13 14:45:25 rproxy haproxy[5244]: 10.5.0.176:35822 [13/Nov/2018:14:45:25.616] https-in~ bk_bluemind/bluemind 0/0/0/0/1 301 384 - - ---- 1/1/0/1/0 0/0 "GET //// HTTP/1.1"
Nov 13 14:45:25 rproxy haproxy[5244]: 10.5.0.176:35822 [13/Nov/2018:14:45:25.620] https-in~ bk_bluemind/bluemind 0/0/0/1/1 301 385 - - ---- 1/1/0/1/0 0/0 "GET ///// HTTP/1.1"
Nov 13 14:45:25 rproxy haproxy[5244]: 10.5.0.176:35822 [13/Nov/2018:14:45:25.630] https-in~ bk_bluemind/bluemind 0/0/0/0/0 301 386 - - ---- 1/1/0/1/0 0/0 "GET ////// HTTP/1.1"
Nov 13 14:45:25 rproxy haproxy[5244]: 10.5.0.176:35822 [13/Nov/2018:14:45:25.646] https-in~ bk_bluemind/bluemind 0/0/0/0/0 301 387 - - ---- 1/1/0/1/0 0/0 "GET /////// HTTP/1.1"
Nov 13 14:45:25 rproxy haproxy[5244]: 10.5.0.176:35822 [13/Nov/2018:14:45:25.656] https-in~ bk_bluemind/bluemind 0/0/0/1/1 301 388 - - ---- 1/1/0/1/0 0/0 "GET //////// HTTP/1.1"

In the logs of the bluemind server, I get:

nginx/access.log:10.5.0.43 - - [13/Nov/2018:14:45:25 +0100] "GET ////////////////// HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0" rt="0.000" uct="-" urt="-"
nginx/access.log:10.5.0.43 - - [13/Nov/2018:14:45:25 +0100] "GET /////////////////// HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0"
nginx/access.log:10.5.0.43 - - [13/Nov/2018:14:45:25 +0100] "GET /////////////////// HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0" rt="0.000" uct="-" urt="-"
nginx/access.log:10.5.0.43 - - [13/Nov/2018:14:45:25 +0100] "GET //////////////////// HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0"
nginx/access.log:10.5.0.43 - - [13/Nov/2018:14:45:25 +0100] "GET //////////////////// HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0" rt="0.000" uct="-" urt="-"
nginx/access.log:10.5.0.43 - - [13/Nov/2018:14:45:25 +0100] "GET ///////////////////// HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0"

Here is (part of) my configuration:

frontend https-in
	mode http
	bind *:80
	bind *:443 ssl crt-list /etc/haproxy/crt-list.txt
	acl acl_bluemind hdr(host) bluemind.mydomain.fr
	use_backend bk_bluemind if acl_bluemind
	default_backend bk_wanda
backend bk_bluemind
	mode http
	option httpchk
	http-request set-header X-Forwarded-Proto http if ! { ssl_fc }
	http-request set-header X-Forwarded-Proto https if { ssl_fc }
	server bluemind 10.5.0.48:80

Has anyone experienced such a problem or have a solution?
Regards,

Posts: 1

Participants: 1


Haproxy asking passkey when starting up when using SSL Certificate pem in bind option


@sumansatpathy wrote:

Is there any way to configure the HAProxy cfg file to take the key passphrase from input or from some configuration, rather than asking for it while starting up the application?

I have created the pem file with the passkey from openssl.

Posts: 1

Participants: 1


Restrict access to a backend just to the internal network


@hadi wrote:

Hi,

I have an HAProxy with more than twenty backends and I need to limit access to one specific backend, CP-API.MACKMIL.COM, to the following internal network subnets:
10.10.0.0/16
10.20.0.0/16
10.30.0.0/16
10.40.0.0/16

Currently, with the following query, this domain, CP-API.MACKMIL.COM, can be accessed from the outside world but I want to limit that.
curl -vvv -H'Host: cp-api.mackmil.com' https://api.mackmil.com/initializations

My Haproxy config is as follows,

frontend http-https
bind :80 accept-proxy
bind :443 accept-proxy ssl crt /etc/pki/tls/private/wildcard.mackmil.com.pem crt /etc/pki/tls/private/wildcard.mackmil.de.pem

acl host_cp  hdr(host) -i cp-api.mackmil.com
acl host_cp  hdr(host) -i cp-api.prod.mackmil.com


use_backend app_cp   if host_cp

backend app_cp
server swarm-worker_10.10.30.199 10.10.30.199:64042 check
server swarm-worker_10.10.40.114 10.10.40.114:64042 check
server swarm-worker_10.20.40.159 10.20.40.159:64042 check
server swarm-worker_10.20.30.190 10.20.30.190:64042 check
server swarm-worker_10.30.40.143 10.30.40.143:64042 check
server swarm-worker_10.30.40.161 10.30.40.161:64042 check
server swarm-worker_10.40.40.107 10.40.40.107:64042 check
server swarm-worker_10.40.40.107 10.40.40.107:64042 check

I am struggling to apply this restriction in HTTP/HTTPS mode for just this endpoint. How can I apply this restriction for this backend?

Thank you very much in advance for your answers.

Posts: 1

Participants: 1
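The curl command in the post shows why the restriction has to key on the client address rather than on the hostname alone: the Host header is chosen by the client, so anyone can send Host: cp-api.mackmil.com to the shared listener. The fragment below is an added example, not from the original post or the HAProxy project; it keeps the post's frontend name, hostnames, certificate path and subnets and adds a source-address ACL. It assumes, as the post's "accept-proxy" bind lines imply, that whatever sits in front of HAProxy sends the real client address in a PROXY protocol header, so that "src" is the original client and not the address of the upstream load balancer.

```haproxy
frontend http-https
    mode http
    bind :80 accept-proxy
    bind :443 accept-proxy ssl crt /etc/pki/tls/private/wildcard.mackmil.com.pem crt /etc/pki/tls/private/wildcard.mackmil.de.pem

    acl host_cp      hdr(host) -i cp-api.mackmil.com cp-api.prod.mackmil.com
    # internal subnets from the post; "src" is the PROXY-protocol client address here
    acl internal_net src 10.10.0.0/16 10.20.0.0/16 10.30.0.0/16 10.40.0.0/16

    # refuse CP-API requests from anywhere else before the routing decision is made;
    # deny_status needs HAProxy 1.8 or later
    http-request deny deny_status 403 if host_cp !internal_net
    use_backend app_cp if host_cp
```

The deny rule sits in the frontend so it is evaluated once for both the plain and the TLS listener; the same "http-request deny" line placed inside "backend app_cp" would give an equivalent result if other frontends can also select that backend. The PROXY protocol assumption is the check to make first: if "accept-proxy" is set but the upstream does not send the header, or if an untrusted host can reach these bind addresses directly, the source address seen by the ACL is not trustworthy.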



How to keep urlpath the same in the browser, while reverse proxying


@sinaowolabi wrote:

Hi!

I am pretty new to haproxy and I would love some help in figuring out how to properly use reqirep and rspirep syntax.

I have a group of backend servers, each with the same https://bak_srv:8443/backend root URL path, but each server is for a different external user group. :8443/backend is a tomcat application.

I would like each user group to be able to connect to the same haproxy service, say https://haproxy/group{1,2,3}, and redirect each group to their backend server, but without changing the haproxy URL. For instance, group one should always see https://haproxy/group1(/.*), and haproxy should proxy pages and information from https://bak_srv1:8443/backend(/.*).

Currently the rules I have in place are:

frontend group1-in

    bind *:443 ssl crt /usr/local/etc/haproxy/ssl/domain.pem
    option http-server-close
    option forwardfor
    reqadd X-Forwarded-Proto:\ https
    reqadd X-Forwarded-Port:\ 443
    rspadd  Strict-Transport-Security:\ max-age=15768000
    default_backend group1-in-backend

backend group1-in-backend
    stats enable
    stats auth admin:admin
    stats uri /haproxy?stats
    # ^GET /group1(.*) HTTP/1.0$, should be seen by group1_serv as /backend(.*)
    # \2 captures the text after "/group1/", so the slash has to be re-added before it
    reqirep ^([^\ ]*)\ /group1/([^\ ]*)\ (.*)$       \1\ /backend/\2\ \3
    # if the response contains a Location: header, reinsert the application name in its value
    rspirep ^(Location:)\ https://([^/]*)/(.*)$    \1\ https://\2/backend/\3
    # set cookies
    rspirep ^(Set-Cookie:.*\ path=)([^\ ]+)(.*)$       \1/group1\2\3
    server group1_serv bak_srv_1:8443 ssl verify none

but these rules aren't working due to my poor understanding of reqirep and rspirep.
Please can someone show me what I am doing wrong?

Posts: 1

Participants: 1
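The reqirep/rspirep rules are deprecated (removed in HAProxy 2.1) and operate on the raw request or response line, which is what makes the escaping in the post so error-prone. The configuration below is an added example, not from the original post or the HAProxy project, that implements the intent stated in the post with the http-request and http-response directives available from 1.6/1.7 on: the browser keeps seeing /group1/..., the application sees /backend/..., and redirects and cookie paths coming back from the application are mapped to the /group1 prefix. The backend CA file path is a constructed placeholder.

```haproxy
frontend group1-in
    mode http
    bind *:443 ssl crt /usr/local/etc/haproxy/ssl/domain.pem
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port 443
    http-response set-header Strict-Transport-Security max-age=15768000
    acl is_group1 path_beg /group1/
    use_backend group1-in-backend if is_group1

backend group1-in-backend
    mode http
    # request: /group1/x -> /backend/x (only the leading prefix is rewritten)
    http-request set-path %[path,regsub(^/group1/,/backend/)]
    # response: absolute and relative Location headers pointing at /backend/ go back to /group1/
    http-response replace-header Location ^(https?://[^/]+)/backend/(.*)$ \1/group1/\2
    http-response replace-header Location ^/backend/(.*)$ /group1/\1
    # response: cookies scoped to Path=/backend are rescoped to /group1, otherwise the
    # browser would never send them back on /group1/... URLs
    http-response replace-header Set-Cookie ^(.*)[Pp]ath=/backend(.*)$ \1Path=/group1\2
    # verify the Tomcat certificate instead of "verify none"
    server group1_serv bak_srv_1:8443 ssl verify required ca-file /usr/local/etc/haproxy/ssl/backend-ca.pem
```

Each additional group is a copy of the backend with /group1 and bak_srv_1 replaced; the regsub converter takes the regex and substitution as comma-separated arguments, so a pattern that itself contains a comma would have to be quoted. Links that the application embeds inside HTML bodies are not touched by any of these rules; only headers are.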


HAproxy health check problems


@nkalev wrote:

Hi,

We have recently moved from HAProxy version 1.5.16 to HAProxy version 1.8.14 and we noticed changed behaviour when a health check is configured for a server. The health check will be performed even if a server is put into maintenance mode, which leads servers to produce 503 errors when they are still not ready to serve traffic, examples:


Nov 13 11:42:19 <ip-address> haproxy[30218]: Server server_name/ID_12345 is going DOWN for maintenance. 0 active and 1 backup servers left. Running on backup. 0 sessions active, 0 requeued, 0 remaining in queue.
Nov 13 11:42:32 <ip-address> haproxy[29329]: Server server_name/ID_12345 is DOWN, reason: Layer4 connection problem, info: "Connection refused", check duration: 0ms. 0 active and 1 backup servers left. Running on backup. 0 sessions active, 0 requeued, 0 remaining in queue.
Nov 13 11:42:32 <ip-address> haproxy[29329]: <ip-address>:51667 [13/Nov/2018:11:42:32.571] server_name server_name/ID_23456 0/0/1/47/48 200 9502 - - ---- 11/1/0/1/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:42:36 <ip-address> haproxy[29329]: <ip-address>:58673 [13/Nov/2018:11:42:36.933] server_name server_name/ID_23456 0/0/1/50/51 200 15547 - - ---- 7/1/0/1/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:42:37 <ip-address> haproxy[30218]: <ip-address>:59146 [13/Nov/2018:11:42:37.238] server_name server_name/ID_23456 0/0/1/47/49 200 15980 - - ---- 11/1/0/1/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:42:41 <ip-address> haproxy[29329]: <ip-address>:37371 [13/Nov/2018:11:42:41.334] server_name server_name/ID_23456 0/0/1/38/39 200 10163 - - ---- 14/1/0/1/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:42:42 <ip-address> haproxy[30218]: <ip-address>:38616 [13/Nov/2018:11:42:42.111] server_name server_name/ID_23456 0/0/1/45/46 200 9058 - - ---- 6/1/0/1/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:42:44 <ip-address> haproxy[30218]: <ip-address>:42563 [13/Nov/2018:11:42:44.645] server_name server_name/ID_23456 0/0/1/47/48 200 14814 - - ---- 13/1/0/1/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:42:46 <ip-address> haproxy[29329]: <ip-address>:45652 [13/Nov/2018:11:42:46.557] server_name server_name/ID_23456 0/0/1/46/47 200 14466 - - ---- 11/1/0/1/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:42:48 <ip-address> haproxy[29329]: <ip-address>:48349 [13/Nov/2018:11:42:48.247] server_name server_name/ID_23456 0/0/1/47/48 200 9763 - - ---- 15/1/0/1/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:42:50 <ip-address> haproxy[29329]: Server server_name/ID_12345 is UP, reason: Layer4 check passed, check duration: 0ms. 1 active and 1 backup servers online. 0 sessions requeued, 0 total in queue.
Nov 13 11:42:51 <ip-address> haproxy[30218]: <ip-address>:53951 [13/Nov/2018:11:42:51.752] server_name server_name/ID_23456 0/0/1/42/43 200 8973 - - ---- 10/1/0/1/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:42:52 <ip-address> haproxy[30218]: <ip-address>:54762 [13/Nov/2018:11:42:52.246] server_name server_name/ID_23456 0/0/1/29/30 200 7939 - - ---- 9/1/0/1/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:42:53 <ip-address> haproxy[30218]: <ip-address>:56921 [13/Nov/2018:11:42:53.642] server_name server_name/ID_23456 0/0/1/35/36 200 10316 - - ---- 8/1/0/1/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:42:56 <ip-address> haproxy[30218]: <ip-address>:33091 [13/Nov/2018:11:42:56.365] server_name server_name/ID_23456 0/0/1/30/31 200 6769 - - ---- 6/1/0/1/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:43:00 <ip-address> haproxy[30218]: <ip-address>:39712 [13/Nov/2018:11:43:00.513] server_name server_name/ID_23456 0/0/1/31/32 200 6974 - - ---- 10/1/0/1/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:43:01 <ip-address> haproxy[30218]: <ip-address>:41322 [13/Nov/2018:11:43:01.509] server_name server_name/ID_23456 0/0/1/42/43 200 12216 - - ---- 21/1/0/1/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:43:02 <ip-address> haproxy[30218]: <ip-address>:42719 [13/Nov/2018:11:43:02.453] server_name server_name/ID_23456 0/0/0/40/40 200 9517 - - ---- 11/1/0/1/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:43:03 <ip-address> haproxy[30218]: <ip-address>:43670 [13/Nov/2018:11:43:03.028] server_name server_name/ID_23456 0/0/1/41/42 200 11020 - - ---- 11/1/0/1/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:43:09 <ip-address> haproxy[30218]: <ip-address>:53492 [13/Nov/2018:11:43:09.240] server_name server_name/ID_23456 0/0/1/40/41 200 8786 - - ---- 11/1/0/1/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:43:11 <ip-address> haproxy[30218]: <ip-address>:57460 [13/Nov/2018:11:43:11.747] server_name server_name/ID_23456 0/0/0/68/68 200 15486 - - ---- 8/1/0/1/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:43:24 <ip-address> haproxy[30218]: <ip-address>:49279 [13/Nov/2018:11:43:24.381] server_name server_name/ID_23456 0/0/1/65/67 200 27476 - - ---- 14/1/0/1/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:43:25 <ip-address> haproxy[30218]: <ip-address>:51319 [13/Nov/2018:11:43:25.749] server_name server_name/ID_23456 0/0/1/32/33 200 10350 - - ---- 9/1/0/1/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:43:32 <ip-address> haproxy[30218]: <ip-address>:34294 [13/Nov/2018:11:43:32.776] server_name server_name/ID_23456 0/0/1/48/49 200 14869 - - ---- 11/1/0/1/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:43:33 <ip-address> haproxy[30218]: <ip-address>:35563 [13/Nov/2018:11:43:33.582] server_name server_name/ID_23456 0/0/1/37/38 200 8728 - - ---- 10/1/0/1/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:43:35 <ip-address> haproxy[29329]: <ip-address>:38459 [13/Nov/2018:11:43:35.502] server_name server_name/ID_12345 0/0/0/-1/1 -1 0 - - SD-- 17/5/4/4/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:43:39 <ip-address> haproxy[29329]: <ip-address>:45486 [13/Nov/2018:11:43:39.979] server_name server_name/ID_12345 0/0/0/-1/1 -1 0 - - SD-- 11/5/4/4/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:43:40 <ip-address> haproxy[30218]: <ip-address>:45524 [13/Nov/2018:11:43:40.011] server_name server_name/ID_23456 0/0/1/34/35 200 6976 - - ---- 7/1/0/1/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:43:40 <ip-address> haproxy[29329]: <ip-address>:46572 [13/Nov/2018:11:43:40.784] server_name server_name/ID_12345 0/0/1/-1/1 -1 0 - - SD-- 13/5/4/4/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:43:54 <ip-address> haproxy[30218]: <ip-address>:39131 [13/Nov/2018:11:43:54.081] server_name server_name/ID_23456 0/0/1/36/37 200 9358 - - ---- 6/1/0/1/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:43:56 <ip-address> haproxy[29329]: <ip-address>:42944 [13/Nov/2018:11:43:56.645] server_name server_name/ID_12345 0/0/1/-1/18 -1 0 - - SD-- 12/5/4/4/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:44:00 <ip-address> haproxy[29329]: <ip-address>:49436 [13/Nov/2018:11:44:00.734] server_name server_name/ID_12345 0/0/0/-1/1 -1 0 - - SD-- 15/5/4/4/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:44:09 <ip-address> haproxy[29329]: <ip-address>:34196 [13/Nov/2018:11:44:09.123] server_name server_name/ID_12345 0/0/0/-1/1 -1 0 - - SD-- 15/5/4/4/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:44:09 <ip-address> haproxy[29329]: <ip-address>:35345 [13/Nov/2018:11:44:09.849] server_name server_name/ID_12345 0/0/0/-1/1 -1 0 - - SD-- 16/5/4/4/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:44:10 <ip-address> haproxy[29329]: <ip-address>:55591 [13/Nov/2018:11:43:10.556] server_name server_name/ID_12345 0/0/0/-1/60001 504 194 - - sH-- 8/4/3/3/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:44:14 <ip-address> haproxy[29329]: <ip-address>:33254 [13/Nov/2018:11:43:14.261] server_name server_name/ID_12345 0/0/0/-1/60002 504 194 - - sH-- 13/3/2/2/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:44:14 <ip-address> haproxy[30218]: <ip-address>:42456 [13/Nov/2018:11:44:14.366] server_name server_name/ID_23456 0/0/1/49/50 200 14224 - - ---- 4/1/0/1/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:44:18 <ip-address> haproxy[29329]: <ip-address>:49345 [13/Nov/2018:11:44:18.739] server_name server_name/ID_12345 0/0/0/-1/1 -1 0 - - SD-- 14/3/2/2/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:44:19 <ip-address> haproxy[30218]: <ip-address>:50151 [13/Nov/2018:11:44:19.255] server_name server_name/ID_23456 0/0/1/36/37 200 10878 - - ---- 10/1/0/1/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:44:20 <ip-address> haproxy[29329]: <ip-address>:52028 [13/Nov/2018:11:44:20.522] server_name server_name/ID_12345 0/0/4/-1/5 -1 0 - - SD-- 13/3/2/2/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:44:21 <ip-address> haproxy[29329]: <ip-address>:52971 [13/Nov/2018:11:44:21.050] server_name server_name/ID_12345 0/0/0/-1/1 -1 0 - - SD-- 20/3/2/2/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:44:24 <ip-address> haproxy[29329]: <ip-address>:59152 [13/Nov/2018:11:44:24.985] server_name server_name/ID_12345 0/0/0/-1/1 -1 0 - - SD-- 17/3/2/2/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:44:25 <ip-address> haproxy[29329]: <ip-address>:59594 [13/Nov/2018:11:44:25.270] server_name server_name/ID_12345 0/0/0/-1/1 -1 0 - - SD-- 12/3/2/2/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:44:26 <ip-address> haproxy[29329]: <ip-address>:33382 [13/Nov/2018:11:44:26.653] server_name server_name/ID_12345 0/0/0/-1/1 -1 0 - - SD-- 14/3/2/2/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:44:26 <ip-address> haproxy[29329]: <ip-address>:34009 [13/Nov/2018:11:44:26.935] server_name server_name/ID_12345 0/0/0/-1/1 -1 0 - - SD-- 17/3/2/2/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:44:27 <ip-address> haproxy[30218]: <ip-address>:34769 [13/Nov/2018:11:44:27.393] server_name server_name/ID_23456 0/0/1/46/48 200 8453 - - ---- 9/1/0/1/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:44:54 <ip-address> haproxy[29329]: <ip-address>:58565 [13/Nov/2018:11:42:54.619] server_name server_name/ID_12345 0/0/1/-1/120003 504 219 - - sH-- 15/2/1/1/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:44:58 <ip-address> haproxy[29329]: <ip-address>:36502 [13/Nov/2018:11:42:58.480] server_name server_name/ID_12345 0/0/1/-1/120003 504 219 - - sH-- 10/1/0/0/0 0/0 "POST /path-to/service HTTP/1.1"
Nov 13 11:45:27 <ip-address> haproxy[30218]: Server server_name/ID_12345 is UP/READY (leaving forced maintenance).

As you can see from the example above, the server with ID_12345 is forced into maintenance with the “disable server” command over the socket, but goes UP because the port TCP check is passing. We however have it written in the configuration documentation that forced maintenance stops health checks as well. Can you advise on how to fix this situation, is that a bug?
Our current configuration for the listen rule looks like this:


listen listenrulename
bind :
mode http
balance leastconn
server ID_12345 : check inter 3000 rise 2 fall 3 maxconn 50 weight 6
server ID_23456 : check inter 3000 rise 2 fall 3 maxconn 50 weight 5 backup

Regards,
Nikolay

Posts: 1

Participants: 1
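One detail in the log excerpt is worth checking before treating this as a check bug: the "going DOWN for maintenance" line is written by haproxy[30218], while the "Layer4 connection problem", "is UP, reason: Layer4 check passed" and the SD-- request lines all come from haproxy[29329]. A "disable server" command sent over a stats socket only changes the state held by the process that owns that socket; a second process, whether a second worker from nbproc or an old process still draining after a reload, keeps running its own checks and serving its own view of the server. The configuration below is an added example, not from the original post or the HAProxy project; it assumes a multi-process setup (nbproc 2), and the addresses and file paths are constructed placeholders.

```haproxy
global
    # two worker processes; each one keeps its own copy of the server states
    nbproc 2
    # one admin socket per process, so "disable server listenrulename/ID_12345"
    # has to be (and can be) sent to both
    stats socket /var/run/haproxy-1.sock mode 600 level admin process 1
    stats socket /var/run/haproxy-2.sock mode 600 level admin process 2
    # file holding the output of "show servers state", written just before a reload
    server-state-file /var/lib/haproxy/server-state

defaults
    mode http
    # reload the saved states so a server in forced maintenance stays there
    # after a reload instead of coming back as a fresh, checked server
    load-server-state-from-file global

listen listenrulename
    bind :8080
    balance leastconn
    server ID_12345 192.0.2.11:8080 check inter 3000 rise 2 fall 3 maxconn 50 weight 6
    server ID_23456 192.0.2.12:8080 check inter 3000 rise 2 fall 3 maxconn 50 weight 5 backup
```

With this layout the maintenance procedure is: issue "disable server" on every socket, confirm with "show servers state" on each that the srv_admin_state column has the forced-maintenance bit set, and dump that output into the server-state-file before any reload. A server that is disabled in only one process will keep receiving traffic from the other, exactly as the 200 and 504 lines for ID_12345 in the excerpt show.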


Gather more info about TLS Client Hello messages being received on port 80


@waynewex wrote:

Hi all,

I’m having an issue with Facebook’s crawler sending me repeated TLS Client Hello messages on port 80. I logged an issue with their developer support but they closed the ticket and stated that they need more information about what is happening. They can’t find anything in their logs that would explain what is happening and no other developer seems to be having this problem (this could suggest that the problem is on my side).

I am receiving about 600 of these requests per hour from Facebook’s crawler.

I managed to capture some of these requests using tcpdump:

10622 15.837038 31.13.127.5 MYSERVERIP TCP 66 47658 → 80 [ACK] Seq=1 Ack=1 Win=61440 Len=0 TSval=1921577847 TSecr=59275252

10701 15.848790 31.13.127.5 MYSERVERIP TCP 583 47658 → 80 [PSH, ACK] Seq=1 Ack=1 Win=61440 Len=517 TSval=1921577859 TSecr=59275252

10702 15.848846 MYSERVERIP 31.13.127.5 HTTP 253 HTTP/1.0 400 Bad request (text/html)

10914 15.927603 31.13.127.5 MYSERVERIP TCP 66 47658 → 80 [FIN, ACK] Seq=518 Ack=189 Win=63488 Len=0 TSval=1921577937 TSecr=59275274

10915 15.927611 MYSERVERIP 31.13.127.5 TCP 66 80 → 47658 [ACK] Seq=189 Ack=519 Win=30080 Len=0 TSval=59275294 TSecr=1921577937

12044 17.419319 31.13.127.5 MYSERVERIP TCP 74 53712 → 80 [SYN] Seq=0 Win=61320 Len=0 MSS=1460 SACK_PERM=1 TSval=1921579431 TSecr=0 WS=2048

12045 17.419337 MYSERVERIP 31.13.127.5 TCP 74 80 → 53712 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=59275667 TSecr=1921579431 WS=128

12125 17.493182 31.13.127.5 MYSERVERIP TCP 66 53712 → 80 [ACK] Seq=1 Ack=1 Win=61440 Len=0 TSval=1921579505 TSecr=59275667

12126 17.501269 31.13.127.5 MYSERVERIP TCP 583 53712 → 80 [PSH, ACK] Seq=1 Ack=1 Win=61440 Len=517 TSval=1921579513 TSecr=59275667

12127 17.501387 MYSERVERIP 31.13.127.5 HTTP 253 HTTP/1.0 400 Bad request (text/html)

12179 17.576974 31.13.127.5 MYSERVERIP TCP 66 53712 → 80 [FIN, ACK] Seq=518 Ack=189 Win=63488 Len=0 TSval=1921579589 TSecr=59275687

What these errors look like in my haproxy log:

Oct 1 19:46:00 LB haproxy[19022]: 69.171.251.8:57356 [01/Oct/2018:19:46:00.903] sitename sitename/ -1/-1/-1/-1/5 400 187 - - PRNN 19/19/0/0/5 0/0 “”

An example of one of the errors:

invalid request
backend mysite (#2), server (#-1), event #127
src 69.171.251.1:61042, session #9717, session flags 0x00000080
HTTP msg state 26, msg flags 0x00000000, tx flags 0x00000000
HTTP chunk len 0 bytes, HTTP body len 0 bytes
buffer flags 0x00808002, out 0 bytes, total 517 bytes
pending 517 bytes, wrapping at 32776, error at position 0:

00000 \x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03 B\x9B\xF8\xAE\xFB=\xD7dN
00021+ \x8D\xAD\xCCP\x99\x9C\xEEow#w\n
00033 \xB5\x99\x16g@\x1F{\x9A5H\x00\x00\xAA\xC00\xC0,\xC0(\xC0$\xC0\x14\xC0
00057+ \n
00058 \x00\xA5\x00\xA3\x00\xA1\x00\x9F\x00k\x00j\x00i\x00h\x009\x008\x007
00080+ \x006\xCC\xA9\xCC\xA8\xCC\x14\xCC\x13\xCC\xAA\xCC\x15\x00\x88\x00\x87
00098+ \x00\x86\x00\x85\xC02\xC0.\xC0*\xC0&\xC0\x0F\xC0\x05\x00\x9D\x00=\x005
00120+ \x00\x84\xC0/\xC0+\xC0’\xC0#\xC0\x13\xC0\t\x00\xA4\x00\xA2\x00\xA0\x00
00141+ \x9E\x00g\x00@\x00?\x00>\x003\x002\x001\x000\x00\x9A\x00\x99\x00\x98
00164+ \x00\x97\x00E\x00D\x00C\x00B\xC01\xC0-\xC0)\xC0%\xC0\x0E\xC0\x04\x00
00187+ \x9C\x00<\x00/\x00\x96\x00A\xC0\x12\xC0\x08\x00\x16\x00\x13\x00\x10
00206+ \x00\r\xC0\r\xC0\x03\x00\n
00214 \x00\xFF\x01\x00\x01)\x00\x00\x00\x14\x00\x12\x00\x00\x0Ffb.mysite.c
00242+ om\x00\x0B\x00\x04\x03\x00\x01\x02\x00\n
00254 \x00\x1C\x00\x1A\x00\x17\x00\x19\x00\x1C\x00\e\x00\x18\x00\x1A\x00\x16
00272+ \x00\x0E\x00\r\x00\x0B\x00\x0C\x00\t\x00\n
00284 \x00\r\x00 \x00\x1E\x06\x01\x06\x02\x06\x03\x05\x01\x05\x02\x05\x03
00302+ \x04\x01\x04\x02\x04\x03\x03\x01\x03\x02\x03\x03\x02\x01\x02\x02\x02
00319+ \x033t\x00\x00\x00\x10\x00\x0B\x00\t\x08http/1.1\x00\x15\x00\xAE\x00
00344+ \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
00361+ \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
00378+ \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
00395+ \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
00412+ \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
00429+ \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
00446+ \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
00463+ \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
00480+ \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
00497+ \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
00514+ \x00\x00\x00

I went to Server Fault with this issue at the start of the month. My configuration is pretty much the same as it was on one of my last topics on this forum.

Is there any way for me to debug this issue further?

Thanks,
Wayne

Posts: 3

Participants: 2
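The captured 517-byte payload starts with \x16\x03\x01, a TLS handshake record, and the SNI extension near offset 214 names fb.mysite.com, so the crawler is attempting a TLS handshake on the plaintext port and HAProxy's HTTP parser correctly answers 400. In "mode http" the connection is rejected before any rule can inspect it, which is why the haproxy log shows only PRNN and an empty request line. The configuration below is an added example, not from the original post or the HAProxy project, that accepts port 80 in TCP mode long enough to tell a Client Hello from an HTTP request, logs the requested SNI, and then closes those connections without a backend; the backend address, log format and backend names are constructed placeholders.

```haproxy
frontend fe_http_80
    mode tcp
    bind *:80
    # wait for the first bytes so content rules can see whether this is HTTP or a TLS record
    tcp-request inspect-delay 5s
    acl is_tls_hello req.ssl_hello_type 1
    # store the SNI from the Client Hello in capture slot 0 so it shows up in the log
    tcp-request content capture req.ssl_sni len 64 if is_tls_hello
    tcp-request content accept if HTTP or is_tls_hello
    # constructed log format: client, frontend, backend/server, timers, bytes, termination state, SNI
    log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts sni=%[capture.req.hdr(0)]"
    use_backend be_tls_on_80 if is_tls_hello
    default_backend be_web

backend be_tls_on_80
    mode tcp
    # nothing to forward to: close the connection after it has been logged
    tcp-request content reject

backend be_web
    mode http
    server web1 192.0.2.10:8080 check
```

The resulting log line gives the source address, the backend chosen and the hostname the client asked for in one place, which is the information the crawler team asked for; counting lines that reached be_tls_on_80 per hour also gives a direct measure of the 600 requests/hour figure. Because the frontend is in TCP mode, HTTP requests are only parsed once they reach be_web, so HTTP-level rules have to live in that backend.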


Understanding maxconn and maxconnrate and delays


@ndakotaeq wrote:

Hello, I am troubleshooting an issue most likely related with high load per second.

While investigating I am looking at a network capture and I see a delay of ~50 sec: the client's SYN is sent to haproxy, haproxy sends the ACK back to the client, but from haproxy to the server there is a delay of ~50 sec. Looking for any hint where I can look; is such behavior controlled by the kernel or by haproxy?

Another case I found is that on the haproxy stats page, in the frontend section, I can see the session rate limit set to 20, but I never set it to this value; instead I set maxconnrate 280 in the global section. Is the session rate limit for a frontend calculated based on the number of frontends? And is it a limit for both connections to the client and to the server?

haproxy.cfg

global
log /dev/log local0
log /dev/log local1 debug
maxconnrate 280
maxsessrate 280
maxconn 100000
daemon
user haproxy
group haproxy
stats socket /var/run/haproxy.sock level admin
defaults
mode tcp
log global
option tcplog
option dontlognull
timeout connect 5s
timeout client 24h
timeout server 60m
maxconn 100000

frontend service_name
bind 50.1.1.3:1234
acl p1234 dst_port 1234
use_backend service_name_1234 if p1234

backend service_name_1234
balance leastconn
option independant-streams
server server_vir1 x1:1234 on-marked-down shutdown-sessions check fall 3 rise 2 inter 10s slowstart 200s source 172.1.2.3
server server_vir2 x2:1234 on-marked-down shutdown-sessions check fall 3 rise 2 inter 10s slowstart 200s source 172.1.2.4
server server_vir3 x3:1234 on-marked-down shutdown-sessions check fall 3 rise 2 inter 10s slowstart 200s source 172.1.2.5

sysctl config

abi.vsyscall32 = 1
crypto.fips_enabled = 1
debug.exception-trace = 1
debug.kprobes-optimization = 1
debug.panic_on_rcu_stall = 0
dev.hpet.max-user-freq = 64
fs.aio-max-nr = 65536
fs.aio-nr = 0
fs.nr_open = 1048576
fs.overflowgid = 65534
fs.overflowuid = 65534
fs.pipe-max-size = 1048576
fs.pipe-user-pages-hard = 0
fs.pipe-user-pages-soft = 16384
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
fs.quota.allocated_dquots = 0
fs.quota.cache_hits = 0
fs.quota.drops = 0
fs.quota.free_dquots = 0
fs.quota.lookups = 0
fs.quota.reads = 0
fs.quota.syncs = 4
fs.quota.warnings = 1
fs.quota.writes = 0
fs.suid_dumpable = 2
kernel.random.entropy_avail = 3472
kernel.random.poolsize = 4096
kernel.random.read_wakeup_threshold = 64
kernel.random.urandom_min_reseed_secs = 60
kernel.random.write_wakeup_threshold = 896
kernel.randomize_va_space = 2
kernel.real-root-dev = 0
kernel.sched_autogroup_enabled = 0
kernel.sched_cfs_bandwidth_slice_us = 5000
kernel.sched_child_runs_first = 0
kernel.sched_domain.cpu0.domain0.busy_factor = 32
kernel.sched_domain.cpu0.domain0.busy_idx = 2
kernel.sched_domain.cpu0.domain0.cache_nice_tries = 1
kernel.sched_domain.cpu0.domain0.flags = 4143
kernel.sched_domain.cpu0.domain0.forkexec_idx = 0
kernel.sched_domain.cpu0.domain0.idle_idx = 1
kernel.sched_domain.cpu0.domain0.imbalance_pct = 125
kernel.sched_domain.cpu0.domain0.max_interval = 4
kernel.sched_domain.cpu0.domain0.max_newidle_lb_cost = 17558
kernel.sched_domain.cpu0.domain0.min_interval = 2
kernel.sched_domain.cpu0.domain0.name = DIE
kernel.sched_domain.cpu0.domain0.newidle_idx = 0
kernel.sched_domain.cpu0.domain0.wake_idx = 0
kernel.sched_domain.cpu1.domain0.busy_factor = 32
kernel.sched_domain.cpu1.domain0.busy_idx = 2
kernel.sched_domain.cpu1.domain0.cache_nice_tries = 1
kernel.sched_domain.cpu1.domain0.flags = 4143
kernel.sched_domain.cpu1.domain0.forkexec_idx = 0
kernel.sched_domain.cpu1.domain0.idle_idx = 1
kernel.sched_domain.cpu1.domain0.imbalance_pct = 125
kernel.sched_domain.cpu1.domain0.max_interval = 4
kernel.sched_domain.cpu1.domain0.max_newidle_lb_cost = 9445
kernel.sched_domain.cpu1.domain0.min_interval = 2
kernel.sched_domain.cpu1.domain0.name = DIE
kernel.sched_domain.cpu1.domain0.newidle_idx = 0
kernel.sched_domain.cpu1.domain0.wake_idx = 0
kernel.sched_latency_ns = 12000000
kernel.sched_migration_cost_ns = 500000
kernel.sched_min_granularity_ns = 1500000
kernel.sched_nr_migrate = 32
kernel.sched_rr_timeslice_ms = 100
kernel.sched_rt_period_us = 1000000
kernel.sched_rt_runtime_us = 950000
kernel.sched_schedstats = 0
kernel.sched_shares_window_ns = 10000000
kernel.sched_time_avg_ms = 1000
kernel.sched_tunable_scaling = 1
kernel.sched_wakeup_granularity_ns = 2000000
kernel.sem = 250 32000 32 128
kernel.sem_next_id = -1
kernel.shm_next_id = -1
kernel.shm_rmid_forced = 0
kernel.shmall = 18446744073692774399
kernel.shmmax = 18446744073692774399
kernel.shmmni = 4096
kernel.softlockup_all_cpu_backtrace = 0
kernel.softlockup_panic = 0
kernel.stack_tracer_enabled = 0
kernel.sysrq = 16
kernel.tainted = 0
kernel.threads-max = 62405
kernel.timer_migration = 1
kernel.traceoff_on_warning = 0
kernel.unknown_nmi_panic = 1
kernel.usermodehelper.bset = 4294967295 31
kernel.usermodehelper.inheritable = 4294967295 31
kernel.version = #1 SMP Fri Oct 13 10:46:25 EDT 2017
kernel.watchdog = 1
kernel.watchdog_cpumask = 0-1
kernel.watchdog_thresh = 10
kernel.yama.ptrace_scope = 0
net.core.bpf_jit_enable = 0
net.core.busy_poll = 0
net.core.busy_read = 0
net.core.default_qdisc = pfifo_fast
net.core.dev_weight = 64
net.core.message_burst = 10
net.core.message_cost = 5
net.core.netdev_budget = 300
net.core.netdev_max_backlog = 1000
net.core.netdev_rss_key = 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
net.core.netdev_tstamp_prequeue = 1
net.core.optmem_max = 20480
net.core.rmem_default = 212992
net.core.rmem_max = 212992
net.core.rps_sock_flow_entries = 0
net.core.somaxconn = 1024
net.core.warnings = 1
net.core.wmem_default = 212992
net.core.wmem_max = 212992
net.core.xfrm_acq_expires = 30
net.core.xfrm_aevent_etime = 10
net.core.xfrm_aevent_rseqth = 2
net.core.xfrm_larval_drop = 1
net.ipv4.cipso_cache_bucket_size = 10
net.ipv4.cipso_cache_enable = 1
net.ipv4.cipso_rbm_optfmt = 0
net.ipv4.cipso_rbm_strictvalid = 1
net.ipv4.conf.all.accept_local = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.arp_accept = 0
net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.arp_ignore = 0
net.ipv4.conf.all.arp_notify = 0
net.ipv4.conf.all.bootp_relay = 0
net.ipv4.conf.all.disable_policy = 0
net.ipv4.conf.all.disable_xfrm = 0
net.ipv4.conf.all.force_igmp_version = 2
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.medium_id = 0
net.ipv4.conf.all.promote_secondaries = 1
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.all.proxy_arp_pvlan = 0
net.ipv4.conf.all.route_localnet = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.shared_media = 1
net.ipv4.conf.all.src_valid_mark = 0
net.ipv4.conf.all.tag = 0
net.ipv4.conf.default.accept_local = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.arp_accept = 0
net.ipv4.conf.default.arp_announce = 0
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.arp_ignore = 0
net.ipv4.conf.default.arp_notify = 0
net.ipv4.conf.default.bootp_relay = 0
net.ipv4.conf.default.disable_policy = 0
net.ipv4.conf.default.disable_xfrm = 0
net.ipv4.conf.default.force_igmp_version = 2
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.medium_id = 0
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.default.proxy_arp_pvlan = 0
net.ipv4.conf.default.route_localnet = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.shared_media = 1
net.ipv4.conf.default.src_valid_mark = 0
net.ipv4.conf.default.tag = 0
net.ipv4.conf.eth0.accept_local = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.eth0.arp_accept = 0
net.ipv4.conf.eth0.arp_announce = 0
net.ipv4.conf.eth0.arp_filter = 0
net.ipv4.conf.eth0.arp_ignore = 0
net.ipv4.conf.eth0.arp_notify = 0
net.ipv4.conf.eth0.bootp_relay = 0
net.ipv4.conf.eth0.disable_policy = 0
net.ipv4.conf.eth0.disable_xfrm = 0
net.ipv4.conf.eth0.force_igmp_version = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.log_martians = 0
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.medium_id = 0
net.ipv4.conf.eth0.promote_secondaries = 1
net.ipv4.conf.eth0.proxy_arp = 0
net.ipv4.conf.eth0.proxy_arp_pvlan = 0
net.ipv4.conf.eth0.route_localnet = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth0.secure_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth0.shared_media = 1
net.ipv4.conf.eth0.src_valid_mark = 0
net.ipv4.conf.eth0.tag = 0
net.ipv4.conf.eth2.accept_local = 0
net.ipv4.conf.eth2.accept_redirects = 0
net.ipv4.conf.eth2.accept_source_route = 0
net.ipv4.conf.eth2.arp_accept = 0
net.ipv4.conf.eth2.arp_announce = 0
net.ipv4.conf.eth2.arp_filter = 0
net.ipv4.conf.eth2.arp_ignore = 0
net.ipv4.conf.eth2.arp_notify = 0
net.ipv4.conf.eth2.bootp_relay = 0
net.ipv4.conf.eth2.disable_policy = 0
net.ipv4.conf.eth2.disable_xfrm = 0
net.ipv4.conf.eth2.force_igmp_version = 0
net.ipv4.conf.eth2.forwarding = 1
net.ipv4.conf.eth2.log_martians = 0
net.ipv4.conf.eth2.mc_forwarding = 0
net.ipv4.conf.eth2.medium_id = 0
net.ipv4.conf.eth2.promote_secondaries = 1
net.ipv4.conf.eth2.proxy_arp = 0
net.ipv4.conf.eth2.proxy_arp_pvlan = 0
net.ipv4.conf.eth2.route_localnet = 0
net.ipv4.conf.eth2.rp_filter = 1
net.ipv4.conf.eth2.secure_redirects = 0
net.ipv4.conf.eth2.send_redirects = 0
net.ipv4.conf.eth2.shared_media = 1
net.ipv4.conf.eth2.src_valid_mark = 0
net.ipv4.conf.eth2.tag = 0
net.ipv4.conf.lo.accept_local = 0
net.ipv4.conf.lo.accept_redirects = 1
net.ipv4.conf.lo.accept_source_route = 1
net.ipv4.conf.lo.arp_accept = 0
net.ipv4.conf.lo.arp_announce = 0
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.arp_ignore = 0
net.ipv4.conf.lo.arp_notify = 0
net.ipv4.conf.lo.bootp_relay = 0
net.ipv4.conf.lo.disable_policy = 1
net.ipv4.conf.lo.disable_xfrm = 1
net.ipv4.conf.lo.force_igmp_version = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.log_martians = 0
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.medium_id = 0
net.ipv4.conf.lo.promote_secondaries = 0
net.ipv4.conf.lo.proxy_arp = 0
net.ipv4.conf.lo.proxy_arp_pvlan = 0
net.ipv4.conf.lo.route_localnet = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.lo.secure_redirects = 1
net.ipv4.conf.lo.send_redirects = 1
net.ipv4.conf.lo.shared_media = 1
net.ipv4.conf.lo.src_valid_mark = 0
net.ipv4.conf.lo.tag = 0
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_errors_use_inbound_ifaddr = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_msgs_burst = 50
net.ipv4.icmp_msgs_per_sec = 1000
net.ipv4.icmp_ratelimit = 1000
net.ipv4.icmp_ratemask = 6168
net.ipv4.igmp_max_memberships = 20
net.ipv4.igmp_max_msf = 10
net.ipv4.igmp_qrv = 2
net.ipv4.inet_peer_maxttl = 600
net.ipv4.inet_peer_minttl = 120
net.ipv4.inet_peer_threshold = 65664
net.ipv4.ip_default_ttl = 64
net.ipv4.ip_dynaddr = 0
net.ipv4.ip_early_demux = 1
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.ip_local_reserved_ports =
net.ipv4.ip_no_pmtu_disc = 0
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.ipfrag_high_thresh = 4194304
net.ipv4.ipfrag_low_thresh = 3145728
net.ipv4.ipfrag_max_dist = 64
net.ipv4.ipfrag_secret_interval = 600
net.ipv4.ipfrag_time = 30
net.ipv4.neigh.default.anycast_delay = 100
net.ipv4.neigh.default.app_solicit = 0
net.ipv4.neigh.default.base_reachable_time_ms = 30000
net.ipv4.neigh.default.delay_first_probe_time = 5
net.ipv4.neigh.default.gc_interval = 30
net.ipv4.neigh.default.gc_stale_time = 60
net.ipv4.neigh.default.gc_thresh1 = 128
net.ipv4.neigh.default.gc_thresh2 = 512
net.ipv4.neigh.default.gc_thresh3 = 1024
net.ipv4.neigh.default.locktime = 100
net.ipv4.neigh.default.mcast_solicit = 3
net.ipv4.neigh.default.proxy_delay = 80
net.ipv4.neigh.default.proxy_qlen = 64
net.ipv4.neigh.default.retrans_time_ms = 1000
net.ipv4.neigh.default.ucast_solicit = 3
net.ipv4.neigh.default.unres_qlen = 31
net.ipv4.neigh.default.unres_qlen_bytes = 65536
net.ipv4.neigh.eth0.anycast_delay = 100
net.ipv4.neigh.eth0.app_solicit = 0
net.ipv4.neigh.eth0.base_reachable_time_ms = 30000
net.ipv4.neigh.eth0.delay_first_probe_time = 5
net.ipv4.neigh.eth0.gc_stale_time = 60
net.ipv4.neigh.eth0.locktime = 100
net.ipv4.neigh.eth0.mcast_solicit = 3
net.ipv4.neigh.eth0.proxy_delay = 80
net.ipv4.neigh.eth0.proxy_qlen = 64
net.ipv4.neigh.eth0.retrans_time_ms = 1000
net.ipv4.neigh.eth0.ucast_solicit = 3
net.ipv4.neigh.eth0.unres_qlen = 31
net.ipv4.neigh.eth0.unres_qlen_bytes = 65536
net.ipv4.neigh.eth1.anycast_delay = 100
net.ipv4.neigh.eth1.app_solicit = 0
net.ipv4.neigh.eth1.base_reachable_time_ms = 30000
net.ipv4.neigh.eth1.delay_first_probe_time = 5
net.ipv4.neigh.eth1.gc_stale_time = 60
net.ipv4.neigh.eth1.locktime = 100
net.ipv4.neigh.eth1.mcast_solicit = 3
net.ipv4.neigh.eth1.proxy_delay = 80
net.ipv4.neigh.eth1.proxy_qlen = 64
net.ipv4.neigh.eth1.retrans_time_ms = 1000
net.ipv4.neigh.eth1.ucast_solicit = 3
net.ipv4.neigh.eth1.unres_qlen = 31
net.ipv4.neigh.eth1.unres_qlen_bytes = 65536
net.ipv4.neigh.eth2.anycast_delay = 100
net.ipv4.neigh.eth2.app_solicit = 0
net.ipv4.neigh.eth2.base_reachable_time_ms = 30000
net.ipv4.neigh.eth2.delay_first_probe_time = 5
net.ipv4.neigh.eth2.gc_stale_time = 60
net.ipv4.neigh.eth2.locktime = 100
net.ipv4.neigh.eth2.mcast_solicit = 3
net.ipv4.neigh.eth2.proxy_delay = 80
net.ipv4.neigh.eth2.proxy_qlen = 64
net.ipv4.neigh.eth2.retrans_time_ms = 1000
net.ipv4.neigh.eth2.ucast_solicit = 3
net.ipv4.neigh.eth2.unres_qlen = 31
net.ipv4.neigh.eth2.unres_qlen_bytes = 65536
net.ipv4.neigh.lo.anycast_delay = 100
net.ipv4.neigh.lo.app_solicit = 0
net.ipv4.neigh.lo.base_reachable_time_ms = 30000
net.ipv4.neigh.lo.delay_first_probe_time = 5
net.ipv4.neigh.lo.gc_stale_time = 60
net.ipv4.neigh.lo.locktime = 100
net.ipv4.neigh.lo.mcast_solicit = 3
net.ipv4.neigh.lo.proxy_delay = 80
net.ipv4.neigh.lo.proxy_qlen = 64
net.ipv4.neigh.lo.retrans_time_ms = 1000
net.ipv4.neigh.lo.ucast_solicit = 3
net.ipv4.neigh.lo.unres_qlen = 31
net.ipv4.neigh.lo.unres_qlen_bytes = 65536
net.ipv4.ping_group_range = 1 0
net.ipv4.route.error_burst = 5000
net.ipv4.route.error_cost = 1000
net.ipv4.route.gc_elasticity = 8
net.ipv4.route.gc_interval = 60
net.ipv4.route.gc_min_interval = 0
net.ipv4.route.gc_min_interval_ms = 500
net.ipv4.route.gc_thresh = -1
net.ipv4.route.gc_timeout = 300
net.ipv4.route.max_size = 2147483647
net.ipv4.route.min_adv_mss = 256
net.ipv4.route.min_pmtu = 552
net.ipv4.route.mtu_expires = 600
net.ipv4.route.redirect_load = 20
net.ipv4.route.redirect_number = 9
net.ipv4.route.redirect_silence = 20480
net.ipv4.tcp_abort_on_overflow = 0
net.ipv4.tcp_adv_win_scale = 1
net.ipv4.tcp_allowed_congestion_control = cubic reno
net.ipv4.tcp_app_win = 31
net.ipv4.tcp_autocorking = 1
net.ipv4.tcp_available_congestion_control = cubic reno
net.ipv4.tcp_base_mss = 1024
net.ipv4.tcp_challenge_ack_limit = 2147483647
net.ipv4.tcp_congestion_control = cubic
net.ipv4.tcp_dsack = 1
net.ipv4.tcp_early_retrans = 3
net.ipv4.tcp_ecn = 2
net.ipv4.tcp_fack = 1
net.ipv4.tcp_fastopen = 0
net.ipv4.tcp_fastopen_key = 00000000-00000000-00000000-00000000
net.ipv4.tcp_fin_timeout = 60
net.ipv4.tcp_frto = 2
net.ipv4.tcp_invalid_ratelimit = 500
net.ipv4.tcp_keepalive_intvl = 75
net.ipv4.tcp_keepalive_probes = 9
net.ipv4.tcp_keepalive_time = 7200
net.ipv4.tcp_limit_output_bytes = 262144
net.ipv4.tcp_low_latency = 0
net.ipv4.tcp_max_orphans = 32768
net.ipv4.tcp_max_ssthresh = 0
net.ipv4.tcp_max_syn_backlog = 1280
net.ipv4.tcp_max_tw_buckets = 32768
net.ipv4.tcp_mem = 185361 247148 370722
net.ipv4.tcp_min_tso_segs = 2
net.ipv4.tcp_moderate_rcvbuf = 1
net.ipv4.tcp_mtu_probing = 2
net.ipv4.tcp_no_metrics_save = 0
net.ipv4.tcp_notsent_lowat = -1
net.ipv4.tcp_orphan_retries = 0
net.ipv4.tcp_reordering = 3
net.ipv4.tcp_retrans_collapse = 1
net.ipv4.tcp_retries1 = 3
net.ipv4.tcp_retries2 = 15
net.ipv4.tcp_rfc1337 = 0
net.ipv4.tcp_rmem = 4096 87380 6291456
net.ipv4.tcp_sack = 1
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_stdurg = 0
net.ipv4.tcp_syn_retries = 6
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_thin_dupack = 0
net.ipv4.tcp_thin_linear_timeouts = 0
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_tso_win_divisor = 3
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_wmem = 4096 16384 4194304
net.ipv4.tcp_workaround_signed_windows = 0
net.ipv4.udp_mem = 187218 249624 374436
net.ipv4.udp_rmem_min = 4096
net.ipv4.udp_wmem_min = 4096
net.ipv4.vs.am_droprate = 10
net.ipv4.vs.amemthresh = 1024
net.ipv4.vs.backup_only = 0
net.ipv4.vs.cache_bypass = 0
net.ipv4.vs.conn_reuse_mode = 1
net.ipv4.vs.conntrack = 0
net.ipv4.vs.drop_entry = 0
net.ipv4.vs.drop_packet = 0
net.ipv4.vs.expire_nodest_conn = 0
net.ipv4.vs.expire_quiescent_template = 0
net.ipv4.vs.nat_icmp_send = 0
net.ipv4.vs.pmtu_disc = 1
net.ipv4.vs.secure_tcp = 0
net.ipv4.vs.snat_reroute = 1
net.ipv4.vs.sync_ports = 1
net.ipv4.vs.sync_qlen_max = 61800
net.ipv4.vs.sync_refresh_period = 0
net.ipv4.vs.sync_retries = 0
net.ipv4.vs.sync_sock_size = 0
net.ipv4.vs.sync_threshold = 3 50
net.ipv4.vs.sync_version = 1
net.ipv4.xfrm4_gc_thresh = 32768
net.netfilter.nf_conntrack_acct = 0
net.netfilter.nf_conntrack_buckets = 65536
net.netfilter.nf_conntrack_checksum = 1
net.netfilter.nf_conntrack_count = 7575
net.netfilter.nf_conntrack_dccp_loose = 1
net.netfilter.nf_conntrack_dccp_timeout_closereq = 64
net.netfilter.nf_conntrack_dccp_timeout_closing = 64
net.netfilter.nf_conntrack_dccp_timeout_open = 43200
net.netfilter.nf_conntrack_dccp_timeout_partopen = 480
net.netfilter.nf_conntrack_dccp_timeout_request = 240
net.netfilter.nf_conntrack_dccp_timeout_respond = 480
net.netfilter.nf_conntrack_dccp_timeout_timewait = 240
net.netfilter.nf_conntrack_events = 1
net.netfilter.nf_conntrack_events_retry_timeout = 15
net.netfilter.nf_conntrack_expect_max = 1024
net.netfilter.nf_conntrack_generic_timeout = 600
net.netfilter.nf_conntrack_helper = 1
net.netfilter.nf_conntrack_icmp_timeout = 30
net.netfilter.nf_conntrack_log_invalid = 0
net.netfilter.nf_conntrack_max = 1048576
net.netfilter.nf_conntrack_sctp_timeout_closed = 10
net.netfilter.nf_conntrack_sctp_timeout_cookie_echoed = 3
net.netfilter.nf_conntrack_sctp_timeout_cookie_wait = 3
net.netfilter.nf_conntrack_sctp_timeout_established = 432000
net.netfilter.nf_conntrack_sctp_timeout_heartbeat_acked = 210
net.netfilter.nf_conntrack_sctp_timeout_heartbeat_sent = 30
net.netfilter.nf_conntrack_sctp_timeout_shutdown_ack_sent = 3
net.netfilter.nf_conntrack_sctp_timeout_shutdown_recd = 0
net.netfilter.nf_conntrack_sctp_timeout_shutdown_sent = 0
net.netfilter.nf_conntrack_tcp_be_liberal = 0
net.netfilter.nf_conntrack_tcp_loose = 0
net.netfilter.nf_conntrack_tcp_max_retrans = 3
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 3600
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300
net.netfilter.nf_conntrack_timestamp = 0
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 180
net.netfilter.nf_log.0 = NONE
net.netfilter.nf_log.1 = NONE
net.netfilter.nf_log.2 = nfnetlink_log
net.netfilter.nf_log.3 = NONE
net.netfilter.nf_log.4 = NONE
net.netfilter.nf_log.5 = NONE
net.netfilter.nf_log.6 = NONE
net.netfilter.nf_log.7 = NONE
net.netfilter.nf_log.8 = NONE
net.netfilter.nf_log.9 = NONE
net.nf_conntrack_max = 1048576
net.unix.max_dgram_qlen = 512
sunrpc.max_resvport = 1023
sunrpc.min_resvport = 665
sunrpc.nfs_debug = 0x0000
sunrpc.nfsd_debug = 0x0000
sunrpc.nlm_debug = 0x0000
sunrpc.rpc_debug = 0x0000
sunrpc.tcp_fin_timeout = 15
sunrpc.tcp_max_slot_table_entries = 65536
sunrpc.tcp_slot_table_entries = 2
sunrpc.transports = tcp 1048576
sunrpc.transports = udp 32768
sunrpc.transports = tcp-bc 1048576
sunrpc.udp_slot_table_entries = 16
user.max_ipc_namespaces = 31202
user.max_mnt_namespaces = 31202
user.max_net_namespaces = 31202
user.max_pid_namespaces = 31202
user.max_user_namespaces = 0
user.max_uts_namespaces = 31202
vm.admin_reserve_kbytes = 8192
vm.block_dump = 0
vm.dirty_background_bytes = 0
vm.dirty_background_ratio = 10
vm.dirty_bytes = 0
vm.dirty_expire_centisecs = 3000
vm.dirty_ratio = 20
vm.dirty_writeback_centisecs = 500
vm.drop_caches = 0
vm.extfrag_threshold = 500
vm.hugepages_treat_as_movable = 0
vm.hugetlb_shm_group = 0
vm.laptop_mode = 0
vm.legacy_va_layout = 0
vm.lowmem_reserve_ratio = 256 256 32
vm.max_map_count = 65530
vm.memory_failure_early_kill = 0
vm.memory_failure_recovery = 1
vm.min_free_kbytes = 67584
vm.min_slab_ratio = 5
vm.min_unmapped_ratio = 1
vm.mmap_min_addr = 4096
vm.mmap_rnd_bits = 28
vm.mmap_rnd_compat_bits = 8
vm.nr_hugepages = 0
vm.nr_hugepages_mempolicy = 0
vm.nr_overcommit_hugepages = 0
vm.nr_pdflush_threads = 0
vm.numa_zonelist_order = default
vm.oom_dump_tasks = 1
vm.oom_kill_allocating_task = 0
vm.overcommit_kbytes = 0
vm.overcommit_memory = 0
vm.overcommit_ratio = 50
vm.page-cluster = 3
vm.panic_on_oom = 0
vm.percpu_pagelist_fraction = 0
vm.stat_interval = 1
vm.swappiness = 60
vm.user_reserve_kbytes = 131072
vm.vfs_cache_pressure = 100
vm.zone_reclaim_mode = 0

hostnamectl

Icon name: computer-vm
Chassis: vm
Virtualization: vmware
Operating System: Red Hat Enterprise Linux Server 7.5 (Maipo)
CPE OS Name: cpe:/o:redhat:enterprise_linux:7.5:GA:server
Kernel: Linux 3.10.0-862.11.6.el7.x86_64
Architecture: x86-64

Posts: 1

Participants: 1

Read full topic

Haproxy always uses the default backend for rewritten url

@sinaowolabi wrote:

Hi!

I am trying to use haproxy to direct users to different backends depending on the url in the browser.
All the backends have the same real URL (https://<backend>:8443/backurl).
But with my configuration, haproxy always uses default backend to serve the page, after rewriting.
How can I fix this, please, and make haproxy use only the designated backend instead of the default?
Also when I remove the default backend line, haproxy returns a 503 error message.

frontend incoming-in
    bind *:443 ssl crt /usr/local/etc/haproxy/ssl/domain.pem
    option http-server-close
    option forwardfor
    cookie SRVNAME insert
    reqadd X-Forwarded-Proto:\ https
    reqadd X-Forwarded-Port:\ 443
    # set HTTP Strict Transport Security (HTST) header
    rspadd  Strict-Transport-Security:\ max-age=15768000
    
    #ACLs and URL rewrites...    
    acl url_1  url_beg /back1url
    acl url_2 url_beg /back2url
    acl url_3  url_beg /back3url
    
    use_backend back_1-backurl  if url_1
    use_backend back_3-backurl if url_3
    use_backend back_2-backurl if url_2
    
    
    default_backend back_1-backurl

backend back_1-backurl
    cookie JSESSIONID prefix nocache
    reqrep ^([^\ ]*\ /)back1url[/]?(.*)     \1backurl\2
    server back_1 10.0.1.202:8443 cookie back_1 ssl verify none

backend back_2-backurl
    cookie JSESSIONID prefix nocache
    reqrep ^([^\ ]*\ /)back2url[/]?(.*)     \1backurl\2
    server back_2 10.0.1.200:8443 cookie back_2 ssl verify none

backend back_3-backurl
    cookie JSESSIONID prefix nocache
    reqrep ^([^\ ]*\ /)back3url[/]?(.*)     \1backurl\2
    server back_3 10.0.1.233:8443 cookie back_3 ssl verify none

Thanks a lot in advance!

Posts: 1

Participants: 1

Read full topic
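
A common cause of this symptom: once the request path has been rewritten to /backurl, the application's own redirects and links come back as /backurl/..., which matches none of the url_beg ACLs on the browser's next request, so those requests fall through to default_backend (and get a 503 when there is none). The configuration below is an added example, not the poster's config: it keeps the per-backend prefix visible to the browser by rewriting the path on the way in and the Location header on the way out, and replaces the silent fallback with an explicit 404 backend so routing gaps show up in the logs. Names and addresses reuse the post's; the Location regex and HAProxy 1.8 or newer (http-request set-path, regsub, deny_status) are assumptions.

```haproxy
frontend incoming-in
    bind *:443 ssl crt /usr/local/etc/haproxy/ssl/domain.pem
    mode http
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port 443
    http-response set-header Strict-Transport-Security max-age=15768000

    acl url_1 path_beg /back1url
    acl url_2 path_beg /back2url
    acl url_3 path_beg /back3url

    use_backend back_1-backurl if url_1
    use_backend back_2-backurl if url_2
    use_backend back_3-backurl if url_3
    # No silent fallback: a request matching no prefix is answered 404 here,
    # so a routing gap is visible instead of landing on back_1 by accident
    default_backend no_match

backend no_match
    mode http
    http-request deny deny_status 404

backend back_1-backurl
    mode http
    cookie JSESSIONID prefix nocache
    # Inbound: strip the public prefix, /back1url/x becomes /backurl/x
    http-request set-path %[path,regsub(^/back1url,/backurl)]
    # Outbound: redirects issued by the application point at /backurl/...;
    # map them back to /back1url/... so the browser's next request still
    # matches url_1 rather than falling through to the default backend
    # (regex is an assumption about the app's Location values)
    http-response replace-header Location ^(.*)/backurl(.*)$ \1/back1url\2
    server back_1 10.0.1.202:8443 cookie back_1 ssl verify none

backend back_2-backurl
    mode http
    cookie JSESSIONID prefix nocache
    http-request set-path %[path,regsub(^/back2url,/backurl)]
    http-response replace-header Location ^(.*)/backurl(.*)$ \1/back2url\2
    server back_2 10.0.1.200:8443 cookie back_2 ssl verify none

backend back_3-backurl
    mode http
    cookie JSESSIONID prefix nocache
    http-request set-path %[path,regsub(^/back3url,/backurl)]
    http-response replace-header Location ^(.*)/backurl(.*)$ \1/back3url\2
    server back_3 10.0.1.233:8443 cookie back_3 ssl verify none
```

The Location rewrite only covers HTTP redirects; links embedded in HTML bodies that point at /backurl/... would still need to be handled by the application itself (or by giving each application its own distinct context path), which is why the 404 backend is useful: it makes every such leak visible in the access log as a 404 on /backurl/... instead of a silently misrouted request.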

How to capture Cookies in haproxy http logs

@sandeepkumaruppala wrote:

Hello all,

I am trying to configure http logs for haproxy. I am able to capture all the required details except cookies. I am very new to haproxy and do not have much knowledge. In the haproxy official documentation I found the command below to use in the frontend:

capture cookie “name” len 32

I am confused about what to give in the “name” field. Do any predefined names exist, like for capturing headers, or do I need to explicitly define the name of the cookie in an ACL and then use it here?

Your help means a lot to me :slight_smile:

Thanks,
Sandeep Uppala

Posts: 2

Participants: 2

Read full topic
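
The “name” is simply the literal cookie name as it appears in the request's Cookie header; no ACL or predefined name is involved. The following is an added example frontend (not the poster's configuration, and the cookie name JSESSIONID, the backend and its address are assumed) showing a cookie capture next to the header captures it is logged alongside:

```haproxy
frontend http-in
    bind *:80
    mode http
    log global
    option httplog
    # <name> is the literal cookie name from the Cookie header. The trailing
    # "=" turns the prefix match into an exact one, so "JSESSIONID=" will not
    # also pick up a cookie called "JSESSIONID2". Only one cookie capture is
    # allowed per frontend; the value is truncated to 32 characters in the log.
    capture cookie JSESSIONID= len 32
    # Header captures are declared the same way; each one gets a slot in the
    # braces of the log line, in declaration order
    capture request header Host len 40
    capture request header User-Agent len 64
    default_backend app

backend app
    mode http
    server app1 10.0.0.10:8080 check
```

With option httplog, the captured cookie shows up as JSESSIONID=<value> in the captured_request_cookie field (the first of the two “-” placeholders that follow the bytes count when nothing is captured) and the matching Set-Cookie from the server in the captured_response_cookie field right after it; the header captures appear in the {...} groups that follow. Keep len small for session cookies: the log line is the one place where a session identifier would otherwise be stored in clear text, so capturing only enough characters to correlate requests is the safer choice.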

HAProxy Basic auth on website redirect

@vinivas wrote:

I am trying to configure my HAProxy to redirect to a certain webpage with Basic Auth without changing the hostname.

backend lf_was_9080
   acl auth_lf_was http_auth(lf_was_auth_list)
   http-request auth realm lf_was_auth_list if !auth_lf_was
   #mode tcp
   server lf_was_9080 10.85.200.158:9080/lf4html/login.jsp check
   redirect code 301 location http://10.85.200.158:9080/lf4html/login.jsp

frontend http-in
    bind *:80
    #Configure SSL & Forward Headers
    bind *:443 ssl crt /etc/ssl/my.platform.com
    reqadd X-Forwarded-Proto:\ https
    reqadd X-Forwarded-Port:\ 443

    acl lf_was_9080_in hdr(host) -i sys1204.my.platform.com
    use_backend lf_was_9080 if lf_was_9080_in

I do not get any HTTP authentication on the webpage. I also do not want the redirect to happen; rather, I want to stay on the same address.

Now the haproxy redirects to the page without HTTP authentication.

How can I add the server parameter to point to a page in HAProxy and enable HTTP authentication?

Posts: 1

Participants: 1

Read full topic
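
An added example (not the poster's configuration) of the two pieces this needs: a userlist that the http_auth ACL can check against, and an internal path rewrite in place of the 301, so the browser keeps the original hostname and is challenged before anything is forwarded. Names and addresses reuse the post's; the user name and the hash placeholder are constructed.

```haproxy
userlist lf_was_auth_list
    # Store hashed passwords only (generate one with e.g. "mkpasswd -m sha-512").
    # The value below is a placeholder, not a real hash.
    user operator password $6$PLACEHOLDER_HASH

frontend http-in
    bind *:80
    bind *:443 ssl crt /etc/ssl/my.platform.com
    mode http
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Port 443 if { ssl_fc }

    acl lf_was_9080_in hdr(host) -i sys1204.my.platform.com
    use_backend lf_was_9080 if lf_was_9080_in

backend lf_was_9080
    mode http
    acl auth_lf_was http_auth(lf_was_auth_list)
    # Challenge first: nothing below is reached until the client has
    # presented valid credentials
    http-request auth realm lf_was if !auth_lf_was
    # Land "/" on the login page without changing the host the browser shows:
    # rewrite the path internally instead of sending a 301 to the backend IP
    http-request set-path /lf4html/login.jsp if { path / }
    # A server address is host:port only; the page belongs in the health check
    option httpchk GET /lf4html/login.jsp
    server lf_was_9080 10.85.200.158:9080 check
```

Because the auth rule sits in the backend, it only protects traffic for that host; putting it in the frontend would protect every backend behind it. Basic Auth sends the credentials with every request, so this should only be served on the :443 listener in practice (redirect :80 to https with "http-request redirect scheme https" or "redirect scheme https" if !{ ssl_fc }).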


Sudden spike in inbound bytes

@waynewex wrote:

I was watching the real time data on Google Analytics and I noticed that page views suddenly dropped by 50% for a small period of time. The drop occurred at 6.28PM.

When I noticed this, I went into the Datadog dashboard and immediately saw the following:

frontend

That spike occurred at roughly the exact same moment. The graph above is haproxy.frontend.bytes.in_rate, which Datadog defines as “Rate of bytes in on frontend hosts.”

It jumped from 18 bytes per second to 53 bytes per second.

Does anyone know what might have caused this or how I could further debug these kinds of spikes?

Thanks,
Wayne

Posts: 1

Participants: 1

Read full topic

Nginx before HAProxy - RPAF

@danielfarkas wrote:

Hello,
I have nginx before haproxy on my Load Balancer. Requests travel in to haproxy with the “proxy_pass” directive. I set a header “X-Forwarded-For”, and now I need to log haproxy requests to logstash. But in the log I get the local IP address of HAproxy. Is it possible to set something like RPAF in haproxy?

Thank you !

Posts: 2

Participants: 2

Read full topic
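
Two ways to get the real client address into HAProxy's log when nginx sits in front, as an added example rather than the poster's configuration (listen address, backend and the nginx address 127.0.0.1 are assumptions):

```haproxy
global
    log 127.0.0.1:514 local0

frontend http-in
    # nginx proxy_passes to this local listener
    bind 127.0.0.1:8080
    mode http
    log global
    option httplog

    # Option A: just log the forwarded address next to the connecting one.
    # 64 chars leaves room for the comma-separated chain of proxies.
    capture request header X-Forwarded-For len 64

    # Option B (RPAF-like): replace the source address used for logging and
    # ACLs with the one nginx appended. Only trust the header on connections
    # that really come from the local nginx; any other client could set
    # X-Forwarded-For itself and forge what ends up in logstash.
    acl from_local_nginx src 127.0.0.1
    # req.hdr splits the header at commas; -1 picks the last entry, which is
    # the address nginx itself added ($proxy_add_x_forwarded_for). Earlier
    # entries were supplied by the client and must not be trusted.
    http-request set-src req.hdr(X-Forwarded-For,-1) if from_local_nginx
    default_backend app

backend app
    mode http
    server app1 10.0.0.10:8080 check
```

Option B changes what %ci (client IP) means for everything downstream: logs, src-based ACLs, stick tables and the X-Forwarded-For that option forwardfor would add. If nginx and HAProxy are on the same host, the PROXY protocol (proxy_protocol on in nginx, accept-proxy on the bind line) achieves the same without parsing headers at all.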

Different health checks for regular- and backup-server

@MaEh wrote:

Hello together,

I am searching for a way to do separate health checks for the “regular” backend servers and for the backup server.
Background: we actually do a health check for a special file and the resulting status code. This file isn’t available on the backup web. Not checking the backup server is our actual interim solution, but it’s better to know that the backup web is up and running in an emergency case :wink:

thanks and best regards
Markus

Posts: 1

Participants: 1

Read full topic
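
option httpchk is a per-backend setting, so one way to probe the backup server with a different request is to give it its own check-only backend and let the real backup server entry inherit that state with track. This is an added example, not the poster's configuration; server names, addresses and the two check paths are assumptions.

```haproxy
# Check-only backend: no traffic is ever routed here, it exists so the
# backup host can be probed with a request it can actually answer
backend backup_probe
    mode http
    option httpchk GET /
    http-check expect status 200
    server backup-web 10.0.0.20:80 check inter 5s

backend web
    mode http
    balance roundrobin
    # Regular servers: check the status file the web applications expose
    option httpchk GET /status.html
    http-check expect status 200
    server web1 10.0.0.11:80 check inter 5s
    server web2 10.0.0.12:80 check inter 5s
    # Backup server: no "check" here (it has no status file). Instead it
    # mirrors the UP/DOWN state of the probe above, so HAProxy still knows
    # before an emergency whether the backup is reachable at all.
    server backup-web 10.0.0.20:80 backup track backup_probe/backup-web
```

A tracking server cannot carry its own check keyword, and the tracked server must have checks enabled. The stats page will show backup-web in the web backend with the state taken from backup_probe, which is also where the check failures are logged.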

Query regarding HAProxy and OpenSSL

@alitahir wrote:

Experts looking for some authentic answer on Haproxy and OpenSSL.

• What is the most recent version of HAProxy that will work with OpenSSL 1.0.2 (or close to that version)?

• What is the oldest version of OpenSSL that works with the newest version of HAProxy?

Appreciate any quick response on that.

Thanks

ALe

Posts: 1

Participants: 1

Read full topic

Multiple network HAproxy setup

@Djuk wrote:

Hello team,

I want to configure an HAproxy setup using 3 networks. Currently I am using OpenStack and I have already configured 3 networks in the heat template.

The desired config is as per below -

  1. OAM Network so i can only ssh into the node
  2. Network 1 which refers to incoming imap traffic(front end)
  3. Network 2 aiming for my back end.

So the idea is to be fed from Network 1 and push this traffic to another existing configured network, such as Network 2, which the backend is on.

Visio:

Incoming Traffic Network (10.10.100.XXX) -> HAproxy -> Backend Network (10.10.200.XXX).

Thanks

Posts: 1

Participants: 1

Read full topic
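
With one interface per network, the split is done by binding each listener to a specific address rather than to *, and by pinning outbound connections to the backend-network address. The following is an added example, not the poster's configuration; the addresses (10.10.100.10 and 10.10.200.10 on the HAProxy node, 10.10.50.10 as its OAM address, the IMAP servers) are constructed.

```haproxy
global
    # Runtime API reachable only over the OAM network, never on a traffic
    # interface (admin level can disable servers and change weights)
    stats socket 10.10.50.10:9999 level admin

frontend imap-in
    # Listen only on the incoming-traffic address; nothing is exposed on the
    # OAM or backend interfaces, so host firewalling can stay strict
    bind 10.10.100.10:143
    mode tcp
    option tcplog
    default_backend imap-servers

backend imap-servers
    mode tcp
    balance leastconn
    # Connect out from the backend-network address so return traffic comes
    # back the same way and the IMAP servers only ever see that interface
    source 10.10.200.10
    server imap1 10.10.200.21:143 check
    server imap2 10.10.200.22:143 check
```

IMAPS on 993 gets its own frontend/backend pair in the same shape (TLS either passed through in mode tcp or terminated on the bind line with ssl crt). Because the proxy terminates the client connection and opens a new one, no IP forwarding or routing between the 10.10.100.0 and 10.10.200.0 networks is needed on the node; leaving net.ipv4.ip_forward at 0 keeps it from acting as a router between them.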
