Channel: HAProxy community - Latest topics

HAproxy postgresql balancer - binary check for slave/master generation script


@gplv2 wrote:

Hi everyone,

Here is a Python generator for an HAProxy configuration that will sense whether a PostgreSQL server is a master or a slave by running a query on it with a specific test user (pgc). The user used for that has a trust relation with the DB, hence no password authentication.

See https://github.com/gplv2/haproxy-postgresql

I found the base of this work online and tried to contact the author who had the original idea, but I haven't been able to talk to him and ask about his implementation. So I analysed this HAProxy config, improved upon it and dug into how he implemented it, so I could create some Python code that generates a custom configuration.

The idea is that when you perform a failover (promote the slave, demote the master), haproxy will notice that the master changed and use the new master server. We use repmgrd by 2ndQuadrant for this.

The only side effect I haven’t been able to figure out yet is this:

<template1-pgc-2018-12-07 10:12:11 CET>LOG: could not receive data from client: Connection reset by peer
<template1-pgc-2018-12-07 10:12:15 CET>LOG: could not receive data from client: Connection reset by peer
<template1-pgc-2018-12-07 10:12:18 CET>LOG: could not receive data from client: Connection reset by peer

It looks like haproxy terminates the connections dirtily, although the test code performs a proper exit. It has not been a real problem so far, just an annoyance.

The setup we use is a 2 node system where haproxy -> pgbouncer -> postgresql are on the same host, and tests are performed directly against postgresql (pgbouncer is bypassed for testing to ensure connection slots on the database).

For master functionality: if more than 1 master is detected, your cluster has an issue and you should not write to any of them; there is a test included to ensure this.

For an example config: https://github.com/gplv2/haproxy-postgresql/blob/master/haproxy-example.cfg

Hope this inspires others like it did me.

Posts: 1

Participants: 1

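The same master/slave sensing can be expressed with HAProxy's external-check mechanism instead of the repository's binary tcp-check, and the "never write when more than one master is visible" rule the post mentions can be enforced in the proxy itself. The following is an added example, not the generated config from the repository and not code from the post; the check script path, the node addresses and the ports are assumptions.

```haproxy
global
    external-check                    # required before any backend may fork a check script

defaults
    mode tcp
    timeout connect 5s
    timeout client  1h                # long-lived DB sessions
    timeout server  1h
    timeout check   5s

# Writers connect here; only the node that answers "not in recovery" is UP.
listen pg_primary
    bind 127.0.0.1:5432
    option external-check
    # Hypothetical script (assumed, not on the page). HAProxy passes
    # <proxy_addr> <proxy_port> <server_addr> <server_port> as $1..$4, so it can run
    #   psql -qtAX -U pgc -h "$3" -p "$4" -d template1 -c 'select pg_is_in_recovery()' | grep -qx f
    # and exit non-zero on a standby or on any connection error.
    external-check command /usr/local/bin/pg-is-primary
    # Split-brain guard: when more than one node claims to be primary, refuse
    # every write connection instead of picking one of them.
    tcp-request connection reject if { nbsrv(pg_primary) gt 1 }
    server db1 10.0.0.11:5432 check inter 3s fall 2 rise 2
    server db2 10.0.0.12:5432 check inter 3s fall 2 rise 2

# Readers connect here; the same script with the test inverted (grep -qx t)
# keeps only standbys UP.
listen pg_standby
    bind 127.0.0.1:5433
    option external-check
    external-check command /usr/local/bin/pg-is-standby
    server db1 10.0.0.11:5432 check inter 3s fall 2 rise 2
    server db2 10.0.0.12:5432 check inter 3s fall 2 rise 2
```

Two practical points: the script runs as the haproxy user and inherits its environment, so keep it root-owned and non-writable, and if `chroot` is set the script and psql must be reachable inside the jail. The `trust` entry in pg_hba.conf that the post relies on should be limited to the checking host's address, the `pgc` role and one database; `pg_is_in_recovery()` needs no privilege beyond CONNECT, so `pgc` should have nothing else. Because psql ends the session with a proper Terminate message before closing the socket, this variant may also avoid the "Connection reset by peer" lines quoted above, if those come from the checker's socket being closed before the server expects it.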


Https to http on haproxy 1.8.1


@Sysadmin1 wrote:

Hey, I am new to haproxy.
I got a working proxy from port 80 to 8080, and I want to replace port 80 with 443 and use a specific wildcard certificate that is not Let's Encrypt.

I want to have a specific HTTPS URL that does not have an Apache virtual host.
My example: https://publicname.com, which resolves itself into privatename.

My backend is then port 8080.

The error message is

    [ALERT] 340/111702 (61859) : parsing [/tmp//2018-12-07.10:17:01.cfg:41] : 'bind realpublic ip :443' : unable to load SSL private key from PEM file '/etc/ssl/certs/newfile4.crt.pem'.
    [ALERT] 340/111702 (61859) : Error(s) found in configuration file : /tmp//2018-12-07.10:17:01.cfg
    [ALERT] 340/111702 (61859) : Fatal errors found in configuration.

My configuration is

    frontend http-in
        bind real.public.ip.yes:443 ssl crt /etc/ssl/certs/newfile4.crt.pem
        reqadd X-Forwarded-Proto:\ https
        # "eq" is an integer operator; a host name needs a string match
        acl fronturl hdr(host) -i publicname.com
        use_backend test-backend if fronturl

    backend test-backend
        # privatename.publicdomain.com has an Apache virtual host and is responding perfectly
        http-request set-header Host privatename.publicdomain.com
        server node1 10.0.0.100:8080

Eventually I will add "round-robin" to the backend and add more servers once the front config is working.

Can anyone help?

Posts: 1

Participants: 1


TCP load balancing 2 licensed servers


@fugkev wrote:

I have 2 RFGen servers that use telnet to connect from a client. One server has 150 licenses, the other 100. If the server with 100 has all licenses used, you can still connect but you get an “out of license” message. This makes round-robin and least connections unusable because it still makes the connection. Any ideas?

Posts: 1

Participants: 1

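One way to keep each server under its license count is to let HAProxy do the accounting with a per-server `maxconn`, so that the 101st client queues (or times out) instead of reaching a server that will greet it with the out-of-license text. This is an added example, not configuration from the post; the addresses, the banner wording and the assumption that one telnet session consumes exactly one license are mine.

```haproxy
listen rfgen_telnet
    bind *:23
    mode tcp
    balance leastconn
    timeout connect 5s
    timeout client  8h            # interactive telnet sessions
    timeout server  8h
    timeout queue   10s           # give up with a reset if no slot frees within 10s
    # Health check: open a session and mark the server DOWN if it greets us
    # with the out-of-license text (assumed wording; adjust to the real banner).
    option tcp-check
    tcp-check expect ! string out\ of\ license
    # One session = one license (assumption). maxconn keeps the server at its
    # license count; extra clients wait in the proxy queue.
    server rfgen150 10.0.0.21:23 check inter 10s maxconn 150
    server rfgen100 10.0.0.22:23 check inter 10s maxconn 100
```

Two caveats: `maxconn` only counts connections that pass through this HAProxy, so clients that connect to the servers directly, or a second load balancer, break the count; and the check connection itself briefly occupies a license, which is why `inter` is kept low-frequency and the check fails only on the banner, not on a refused connection.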

Redirect scheme https unless ssl_fc || map -m found


@loxybjorn wrote:

Hi,

I'd like to redirect to https unless it's already https or the Host header is present in a map file, and I imagined that this would work (this is in the frontend):

    redirect scheme https code 302 unless { ssl_fc || hdr(Host),map(no_tls.map) -m found }

…but it doesn't. Can anyone tell me if it's possible and if so how to do it?

I've also tried the following, but that doesn't work either:

    redirect scheme https code 302 unless { ssl_fc || hdr_dom(Host) foo.bar.org }

I'm using v1.8.14.

Thanks in advance,
Björn

Posts: 1

Participants: 1

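The `||` operator combines ACLs; it cannot sit inside one pair of braces, where everything after the sample fetch is read as a pattern for that fetch (here: patterns for `ssl_fc`, which ignores them). Written as two anonymous ACLs joined by `||`, the rule behaves as intended. The following is an added example and not the poster's configuration; the certificate path, the map location and the backend name are assumptions.

```haproxy
frontend fe_web
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/site.pem
    # no_tls.map holds one lower-case host per line followed by any value, e.g.
    #   legacy.example.org   1
    #   intranet.example.org 1
    # field(1,:) drops an explicit ":port" from the Host header before the lookup.
    http-request redirect scheme https code 302 unless { ssl_fc } || { req.hdr(host),field(1,:),lower,map(/etc/haproxy/no_tls.map) -m found }

    # The same rule with named ACLs, which is easier to reuse elsewhere:
    acl is_tls      ssl_fc
    acl no_tls_host req.hdr(host),field(1,:),lower,map(/etc/haproxy/no_tls.map) -m found
    # http-request redirect scheme https code 302 if !is_tls !no_tls_host

    default_backend be_app

backend be_app
    server app1 10.0.0.10:8080 check
```

The exemption is keyed on the client-supplied Host header, which is fine here because the same header selects the virtual host upstream; a client that spoofs a listed name only gets plain HTTP to that listed site, not to any other.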

Missing stats when reload? (1.8, 1.9-dev10)


@steve wrote:

Hello, I'm testing HAProxy 1.8 and 1.9-dev10.

I have set stats to pull out monitoring results from the socket file (instead of CSV), and everything is OK unless I continuously soft reload haproxy (kill -USR2 1).

I set master-worker mode and expose-fd listeners like this:

    stats socket /run/haproxy/admin1.sock mode 666 level admin expose-fd listeners process 1

When I try soft reloading HAProxy, it shows great performance without dropping any packets. However, at that time I see a loss in the stats graph (I'm using a separate monitoring agent, Prometheus + Grafana).

Is there anything I have missed or should try?

I appreciate your advice.

Posts: 1

Participants: 1

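Independently of the graph gap (the statistics are in-process counters, so a freshly started worker begins at zero and a rate-based dashboard will show a reset on every reload), the socket line quoted above is worth tightening: `mode 666` on a `level admin` socket lets any local account disable servers, change weights or kill sessions. The following added example, not the poster's config, puts the admin socket and the read-only socket the exporter needs on separate paths; the user and group names are assumptions.

```haproxy
global
    master-worker
    # As posted:
    #   stats socket /run/haproxy/admin1.sock mode 666 level admin expose-fd listeners process 1
    # Admin socket: owner-only, still carries the listener FDs for the seamless reload
    stats socket /run/haproxy/admin.sock mode 660 user haproxy group haproxy level admin expose-fd listeners process 1
    # Read-only socket for the metrics exporter: "show stat" and "show info" work,
    # "disable server" and friends are refused at this level
    stats socket /run/haproxy/metrics.sock mode 660 user haproxy group monitoring level user process 1
    stats timeout 30s
```

Point the exporter at `metrics.sock` and add only its account to the `monitoring` group; nothing that scrapes metrics needs the admin level, and the reload (`-x /run/haproxy/admin.sock` on the new master) keeps using the admin socket.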

How can HAProxy report / aggregate back-ends statuses into one judging on their number (2 out of 3 lets say)


@Djuk wrote:

Hello

Is there a way to aggregate all backends into one status, judged based on their statuses?

e.g.: I have 5 backends, and if 3 out of 5 are down then I want to report a single state as down. Same if 1 is down and 4 are up, and the status shows UP for the backend.

Thank you

Posts: 1

Participants: 1

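HAProxy can publish exactly this kind of quorum as a single HTTP status: `nbsrv()` returns the number of usable servers in a backend, and `monitor fail` turns a condition on it into a 503 on a dedicated monitoring URL. The block below is an added example rather than anything from the post; the server addresses, the health path and the backend name are assumptions, and the five "backends" of the question are modelled as five servers of one backend.

```haproxy
frontend fe_health
    # Bind on a management address: monitor-uri is answered before any
    # http-request rule runs, so it cannot be protected by ACLs on this frontend.
    bind 10.0.0.254:8080
    mode http
    # /aggregate answers 200 while at least 3 of the 5 servers are up, 503 otherwise.
    # "3 out of 5 down" is the same as "fewer than 3 up".
    monitor-uri /aggregate
    monitor fail if { nbsrv(be_app) lt 3 }

backend be_app
    mode http
    balance roundrobin
    option httpchk GET /healthz HTTP/1.1\r\nHost:\ app.example.com
    http-check expect status 200
    server app1 10.0.0.1:80 check
    server app2 10.0.0.2:80 check
    server app3 10.0.0.3:80 check
    server app4 10.0.0.4:80 check
    server app5 10.0.0.5:80 check
```

If the five pools really are separate backends, the condition is a chain of anonymous ACLs, for instance `monitor fail if { nbsrv(be_a) lt 1 } || { nbsrv(be_b) lt 1 }`; note that `nbsrv` counts only servers that are usable for traffic, so a server in `MAINT` or one that has not yet passed its `rise` checks counts as down.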

Haproxy 1.8, how to get virtual path url?


@tkuliah wrote:

Hello,

I have an application using Ruby, and want to place it behind haproxy. The result is that static files like JS, CSS and images cannot load / are broken, but when accessed via localhost, all static files are loaded.

From the browser it is known that the proxy cannot load the URL:

For example, when accessing the subdomain sub.domain.com, I see in the browser that the Request URL for the static files is:

    http://sub.domain.com/assets/application-4de6c48f86c316cadff623630f535be12cf5021edde00f5ea950474dbd52e3cf.css

    http://sub.domain.com/assets/application-4dc51ee3cd720797a149ee09f6d6f6648689420db499100dec4f29a5e25b1a89.js

and the path to the static files in the folder refers to:

    /home/user/webapps/assets/css/file.css
    /home/user/webapps/assets/css/file.js

The question is how to configure haproxy for the case above?

Thank you

Posts: 2

Participants: 2


Active-passive failover


@wwardwell wrote:

Hello,

I am very new to HAProxy and have been tasked with administering a current config. I am trying to learn and understand a few things. I have two HAProxy load balancers in an active-passive config.

  • How do I manually fail over my active-passive load-balancer config?
  • Any recommendations for training material?

Thank you in advance,
Will

Posts: 1

Participants: 1



Ssl_client_certificate and ssl_verify_client to haproxy


@tiagocruz wrote:

Hello guys,

I'm having a hard time trying to convert this snippet from nginx to haproxy:

    ### SSL cert files ###
    ssl                  on;
    ssl_certificate      /keys/xxx.com.pem;
    ssl_certificate_key  /keys/xxx.com.key;
    ssl_client_certificate /keys/client_certs.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;

The goal is to require client to be authenticated through certificate listed in “client_certs.crt”.

Could you please help with the equivalent in haproxy?

Thanks!!!

Posts: 1

Participants: 1


Trying to install SSL Cert for use with HAPROXY. No luck


@caw001 wrote:

Hello,

I am trying to configure HAPROXY with an SSL cert for our load balanced web servers. However, whenever I try to restart my service, I keep getting a service failure. If I comment out the lines for the cert stuff and just do a simple HTTP setup it works fine. Below is my config. All suggestions are welcome. Thank you for the help.

    global
        log /dev/log local0
        log /dev/log local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # An alternative list with additional directives can be obtained from
        #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        option forwardfor
        option http-server-close
        timeout connect 5000
        timeout client 50000
        timeout server 50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

    frontend http_front
        bind 10.1.1.33:80
        stats uri /haproxy?stats
        default_backend http_nextcloud

    frontend www-https-public
        # THESE DO NOT WORK
        bind 192.168.1.1:443 ssl crt /etc/ssl/private/star.certhere.com.pem
        mode http    # was "mode https": only tcp, http and health exist; TLS is set on the bind line
        reqadd X-Forwarded-Proto:\ https
        default_backend http_nextcloud

    frontend www-https-private
        # THESE DO NOT WORK
        bind 10.1.1.33:443 ssl crt /etc/ssl/private/star.certhere.com.pem
        mode http    # was "mode https", see above
        reqadd X-Forwarded-Proto:\ https
        default_backend http_nextcloud

        # Define Host Header values
        acl host_nextcloud hdr(host) -i testbox.box.com

        # figure out which backend to use
        # (these lines belong to whichever frontend precedes them: www-https-private)
        use_backend http_nextcloud if host_nextcloud

    backend http_nextcloud
        balance roundrobin
        cookie JSESSIONID prefix nocache
        redirect scheme https if !{ ssl_fc }
        server webws1 10.1.1.217:80 check
        server webws2 10.1.1.224:80 check

Posts: 1

Participants: 1

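Both TLS-termination questions above (the port 443 bind that fails with "unable to load SSL private key from PEM file" and the two frontends marked "THESE DO NOT WORK") come down to the same two facts: the file given to `crt` must contain the certificate, its chain and the unencrypted private key together, and TLS is a property of the `bind` line, not a proxy mode. The following is an added example, not either poster's configuration; the certificate name, the addresses and the backend are assumptions.

```haproxy
global
    # Build the PEM once; order is certificate, intermediates, then private key:
    #   cat star.example.com.crt chain.crt star.example.com.key > /etc/haproxy/certs/star.example.com.pem
    #   chmod 600 /etc/haproxy/certs/star.example.com.pem
    # "unable to load SSL private key from PEM file" means the key is missing from it.
    crt-base /etc/haproxy/certs
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5
    tune.ssl.default-dh-param 2048

defaults
    mode http                     # there is no "mode https"
    option forwardfor
    option http-server-close
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Plain HTTP only ever redirects; nothing is served over port 80.
frontend fe_http
    bind *:80
    http-request redirect scheme https code 301

frontend fe_https
    bind *:443 ssl crt star.example.com.pem        # relative to crt-base
    http-request set-header X-Forwarded-Proto https
    http-response set-header Strict-Transport-Security max-age=31536000
    # Routing rules live inside the frontend; field(1,:) strips an explicit port.
    acl host_public req.hdr(host),field(1,:) -i publicname.com
    use_backend be_app if host_public
    default_backend be_app

backend be_app
    balance roundrobin
    # Present the name the upstream vhost expects (the first post's "privatename").
    http-request set-header Host privatename.publicdomain.com
    server node1 10.0.0.100:8080 check
```

`haproxy -c -f /etc/haproxy/haproxy.cfg` validates the file, including loading the PEM, before the service is restarted, which turns a failed restart into a readable parse error. With `chroot` in the global section, `crt-base` must point at a path that is also readable inside the jail, or the certificates must be loaded before the chroot, which HAProxy does at startup.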

Health check showing 404 error


@longnx wrote:

Hi Experts,

I am using haproxy 1.7.9 to do load balancing for my web server.
I am facing an issue with the back-end health check. It is showing a 404 error but I can access the web site directly without error.
Here is my back end config:

    backend b_http_hvmv
        mode http
        option httpclose
        balance roundrobin
        option httpchk HEAD / HTTP/1.1\r\nHost:\ mv.xx.yyy.com
        option log-health-checks
        http-check expect status 200
        http-check disable-on-404
        cookie SERVERID insert indirect nocache
        server hvlappswebp01 10.239.72.223:80 cookie hvlappswebp01 check
        server hvlappswebp02 10.239.72.192:80 cookie hvlappswebp02 check

Can someone help me?

Thanks!

Posts: 1

Participants: 1


Send-proxy not modifying some traffic with proxy ip/port details


@roobesh wrote:

We are running below version of code

haproxy -vv

HA-Proxy version 1.8.14-1ppa1~trusty 2018/09/23
Copyright 2000-2018 Willy Tarreau willy@haproxy.org

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2
OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_NS=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
Running on OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.1
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.31 2012-07-06
Running on PCRE version : 8.31 2012-07-06
PCRE library supports JIT : no (libpcre build without JIT?)
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity(“identity”), deflate(“deflate”), raw-deflate(“deflate”), gzip(“gzip”)
Built with network namespace support.

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace

  • We have send-proxy configured and it has been running fine all these days. When we started logging, we noticed that for some traffic which passed from haproxy to the backend server, send-proxy is not actually filling in the proxy ip/port, but instead repeats the same client ip/port, like below:

PROXY TCP4 192.220.26.39 192.220.26.39 45066 45066
PROXY TCP4 192.220.26.39 192.220.26.39 45075 45075

We tried to sniff the packets the moment they leave haproxy and the above is what we see. This is only happening sometimes for some traffic, and the rest of the traffic looks fine.

Could you please check whether this is a known bug in the version we are running, or some other known issue?

Thanks for your help.

-Roobesh G M

Posts: 1

Participants: 1


Monitoring best practices


@Gris13 wrote:

We've previously had some issues with the performance of our haproxy instances. We've had latency issues and the question has been asked how performant our load balancer setup is. I'm new to haproxy and was wondering what would be some of the key metrics to watch?

We are looking to try and stress test our environment and in particular haproxy to see at what point haproxy starts to struggle. So the questions that stand out to me are how do we define when it is haproxy that starts to struggle? Is it a particular metric or set of metrics? Are there certain tests that would more accurately test haproxy and not just the backend servers?

We currently use the multithreading setup on 1.8.14, but have been asked if multiprocess is better, but without being able to ascertain how to define which is better it is hard to give an educated answer to that.

Any insight would be much appreciated. If there is anything, of which I’m sure there is, that you need further clarification on I’ll do my best to get those.
Thanks

Posts: 1

Participants: 1


ApacheBench and timeout


@tiagocruz wrote:

Hello,

I'm using ApacheBench Version 2.3 to run some small tests against haproxy 1.7.9 and 1.8.8, but I'm getting timeouts after ~300 requests. Example:

Using

defaults
    mode http
    monitor-uri /health_check
    log global
    option dontlognull
    option httplog
    option nolinger
    option forwardfor
    option http-keep-alive
    timeout http-request 60s
    timeout connect 60s
    timeout client 60s
    timeout server 60s

I always get

$ ab  -n500 -c 10 https://edmonton1/health_check
This is ApacheBench, Version 2.3 <$Revision: 1807734 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking edmonton1 (be patient)
Completed 100 requests
Completed 200 requests
Completed 300 requests
apr_pollset_poll: The timeout specified has expired (70007)
Total of 344 requests completed

Note: this does not happen with varnish or nginx running on the same machine.

And 500 requests is just too fast. Running against some varnish machine, for example:

Document Path:          /varnish_health_check
Concurrency Level:      10
Time taken for tests:   1.126 seconds
Complete requests:      500
Failed requests:        0
Non-2xx responses:      500
Total transferred:      99500 bytes

So, I guess that I’m doing something wrong in haproxy configuration…

Thanks!

Posts: 1

Participants: 1


Balance uri / consistent hashing / redispatch 3, not redispatching?


@oskar_s wrote:

Hi!

We have some issues where requests don't seem to rebalance to another host if we do a graceful shutdown. We have "retries 20" and "option redispatch 3" combined with "balance uri" and "hash-type consistent djb2", and when we close the listening socket of the service, haproxy seems to spend all 20 retries on the same host and then returns a 503, even though it should retry on another host at the third reconnect attempt due to redispatch.

Wanted behaviour is: if the connection is refused, pick another server; it doesn't matter if it's random, just pick some other server which works.

There are a couple of log lines showing this behaviour after the config.

Config:

    global
        log /dev/log len 65535 local0 info alert
        log /dev/log len 65535 local1 notice alert
        user haproxy
        group haproxy
        nbproc 1
        nbthread 1
        maxconn 100000
        hard-stop-after 600s # After 10 minutes (clean soft-stop on reloads for mostly tcp connections)
        stats socket /var/run/haproxy.sock mode 660 level admin
        # server-state-file /var/lib/haproxy/server-state
        stats timeout 2m # Wait up to 2 minutes for input
        master-worker # Launches one master process and a number of additional worker processes

    defaults
        log global
        mode http
        option httplog
        timeout connect 3s
        timeout client 30s
        timeout server 30s
        timeout http-request 30s
        timeout http-keep-alive 60s
        timeout queue 120s
        timeout check 10s
        retries 20 # Max retry attempts on a single server during connect failures
        option redispatch 3 # Allow the redispatch to another server on every Xth retry
        option forwardfor # Forward request headers from the original client to the backend
        # load-server-state-from-file global
        default-server init-addr last,none fastinter 1s rise 2 downinter 1s fall 2 on-error fastinter # Skip DNS resolution on startup (lazy resolution) and aggressive health checking
        no option http-server-close # keep backend connections alive
        option tcp-smart-connect
        option tcp-smart-accept
        option splice-auto
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

    frontend http-in
        bind *:80
        log-tag haproxy.requests
        maxconn 100000
        capture request header User-Agent len 30
        capture request header X-Request-ID len 36
        capture request header Host len 32
        log-format "{\"message_type\":\"HTTP\",\"request_time\":\"%t\",\"host\":\"%H\",\"protocol\":\"http\",\"http_status\":%ST,\"user_agent\":%{+Q}[capture.req.hdr(0)],\"unique_id\":%{+Q}[capture.req.hdr(1)],\"headers\":\"%hr\",\"endpoint\":\"%HP\",\"backend\":\"%b\",\"backend_name\":%{+Q}[capture.req.hdr(2)],\"http_method\":\"%HM\",\"upstream_response_time\":%Tr,\"upstream_connect_time\":%Tc,\"bytes_read\":%B,\"sconn\":\"%sc\",\"bconn\":\"%bc\",\"fconn\":\"%fc\",\"upstream_addr\":\"%si\",\"upstream_port\":\"%sp\",\"server_name\":\"%s\",\"source_addr\":\"%bi\",\"source_port\":\"%sp\",\"retries\":\"%rc\",\"bytes_uploaded\":%U,\"session_duration\":%Tt,\"termination_state\":\"%ts\",\"http_query_params\":\"%HQ\",\"accept_time\":%Th,\"idle_time\":%Ti,\"client_time\":%TR,\"wait_time\":%Tw,\"download_time\":%Td,\"active_time\":%Ta}"

        use_backend configserver if { hdr(Host) -i configserver }

    backend configserver
        mode http
        option allbackups
        balance uri
        hash-type consistent djb2
        hash-balance-factor 150
        server configserver-eu-west-1a-1 10.14.66.188:17914 maxconn 200 check backup
        server configserver-eu-west-1a-2 10.14.66.188:17978 maxconn 200 check backup
        server configserver-eu-west-1a-3 10.14.66.188:17987 maxconn 200 check backup
        server configserver-eu-west-1a-4 10.14.75.245:17961 maxconn 200 check backup
        server configserver-eu-west-1a-5 10.14.75.245:18000 maxconn 200 check backup
        server configserver-eu-west-1b-6 10.14.80.211:16616 maxconn 200 check
        server configserver-eu-west-1b-7 10.14.80.211:16625 maxconn 200 check
        server configserver-eu-west-1b-8 10.14.92.90:16854 maxconn 200 check
        server configserver-eu-west-1b-9 10.14.92.90:16859 maxconn 200 check

Logs:

message_type:HTTP backend:configserver request_time:21/Dec/2018:03:00:52.624 host:i-04785de9a52f8c57f protocol:http http_status:503 user_agent: unique_id: headers:{||configserver} endpoint:/path1 backend_name:configserver http_method:GET upstream_response_time:-1 upstream_connect_time:-1 bytes_read:213 sconn:0 bconn:0 fconn:1 upstream_addr:10.14.80.211 upstream_port:16636 server_name:configserver-eu-west-1b-9 source_addr:10.14.80.211 source_port:16636 retries:20 bytes_uploaded:98 session_duration:26,951 termination_state:SC http_query_params: accept_time:0 idle_time:6,924 client_time:0 wait_time:18,025 download_time:-1 active_time:20,027 environment_type:prod local_ip:10.14.80.211 cluster:media system_timestamp:December 21st 2018, 04:01:19.000 tags.service:configserver tags.host:i-04785de9a52f8c57f tags.cluster:media tags.local_ip:10.14.80.211 logcount:1 @timestamp:December 21st 2018, 04:01:19.574 _id:zhq1zmcBsOLL-aj_9W0r _type:fluentd _index:haproxy-2018.12.21 _score: -

message_type:HTTP backend:configserver request_time:21/Dec/2018:03:00:50.562 host:i-02d86a4420a5ebf1f protocol:http http_status:503 user_agent: unique_id: headers:{||configserver} endpoint:/path2 backend_name:configserver http_method:GET upstream_response_time:-1 upstream_connect_time:-1 bytes_read:213 sconn:0 bconn:0 fconn:1 upstream_addr:10.14.92.90 upstream_port:16867 server_name:configserver-eu-west-1b-12 source_addr:10.14.92.90 source_port:16867 retries:20 bytes_uploaded:97 session_duration:26,027 termination_state:SC http_query_params: accept_time:0 idle_time:6,001 client_time:0 wait_time:18,023 download_time:-1 active_time:20,026 environment_type:prod local_ip:10.14.92.90 cluster:media system_timestamp:December 21st 2018, 04:01:16.000 tags.service:configserver tags.host:i-02d86a4420a5ebf1f tags.cluster:media tags.local_ip:10.14.92.90 logcount:1 @timestamp:December 21st 2018, 04:01:16.590 _id:shW1zmcBiH4YVdlV0fl7 _type:fluentd _index:haproxy-2018.12.21 _score: -

message_type:HTTP backend:configserver request_time:21/Dec/2018:02:56:55.415 host:i-02d86a4420a5ebf1f protocol:http http_status:503 user_agent: unique_id: headers:{||configserver} endpoint:/path3 backend_name:configserver http_method:GET upstream_response_time:-1 upstream_connect_time:-1 bytes_read:213 sconn:0 bconn:0 fconn:1 upstream_addr:10.14.92.90 upstream_port:16831 server_name:configserver-eu-west-1b-7 source_addr:10.14.92.90 source_port:16831 retries:20 bytes_uploaded:95 session_duration:23,147 termination_state:SC http_query_params: accept_time:0 idle_time:3,117 client_time:0 wait_time:18,026 download_time:-1 active_time:20,030 environment_type:prod local_ip:10.14.92.90 cluster:media system_timestamp:December 21st 2018, 03:57:18.000 tags.service:configserver tags.host:i-02d86a4420a5ebf1f tags.cluster:media tags.local_ip:10.14.92.90 logcount:1 @timestamp:December 21st 2018, 03:57:18.603 _id:KhmyzmcBsOLL-aj_TpV- _type:fluentd _index:haproxy-2018.12.21 _score: -

message_type:HTTP backend:configserver request_time:21/Dec/2018:02:56:58.225 host:i-02d86a4420a5ebf1f protocol:http http_status:503 user_agent: unique_id: headers:{||configserver} endpoint:/path4 backend_name:configserver http_method:GET upstream_response_time:-1 upstream_connect_time:-1 bytes_read:213 sconn:0 bconn:0 fconn:1 upstream_addr:10.14.92.90 upstream_port:16831 server_name:configserver-eu-west-1b-8 source_addr:10.14.92.90 source_port:16831 retries:20 bytes_uploaded:99 session_duration:20,041 termination_state:SC http_query_params: accept_time:0 idle_time:1 client_time:0 wait_time:18,038 download_time:-1 active_time:20,040 environment_type:prod local_ip:10.14.92.90 cluster:media system_timestamp:December 21st 2018, 03:57:18.000 tags.service:configserver tags.host:i-02d86a4420a5ebf1f tags.cluster:media tags.local_ip:10.14.92.90 logcount:1 @timestamp:December 21st 2018, 03:57:18.303 _id:2xmyzmcBsOLL-aj_TpR- _type:fluentd _index:haproxy-2018.12.21 _score: -

Posts: 1

Participants: 1



How to configure TLS client certificate authentication only for specific paths?


@marq wrote:

The following blog post describes how to configure TLS client certificate authentication with HAProxy: https://loadbalancer.org/blog/client-certificate-authentication-with-haproxy/

This question describes how to enable it based on domain name: How to set ssl verify client for specific domain name

However, I would like to enable it based on URL path.
Example:
Required for:
https://my-domain.com/path1
But disabled for:
https://my-domain.com/path2

Note: I am terminating the TLS connection at HAProxy, so the information should be accessible to HAProxy.
Before I started using HAProxy I could do this easily in Apache, by putting SSLVerifyClient inside a Location block.

Is this possible with HAProxy? If so, how can it be done?

Posts: 2

Participants: 2

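The two client-certificate questions above (the nginx `ssl_verify_client on` block to be translated, and the wish to require a certificate only under `/path1`) share one mechanism: `ca-file` names the CA bundle, `verify required` or `verify optional` decides whether the handshake may continue without a certificate, and the `ssl_c_*` fetches expose the result to HTTP rules. The block below is an added example, not code from either post; the certificate paths from the nginx snippet are reused, while the CRL file, the addresses and the backend are assumptions.

```haproxy
global
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# 1) nginx "ssl_verify_client on" equivalent: every client must present a
#    certificate that chains to a CA in client_certs.crt, or the handshake fails.
frontend fe_mtls_all
    bind *:443 ssl crt /keys/xxx.com.pem ca-file /keys/client_certs.crt verify required crl-file /keys/client_certs.crl
    # Never trust a client-supplied identity header; overwrite it with the verified subject.
    http-request set-header X-Client-DN %[ssl_c_s_dn]
    default_backend be_app

# 2) Certificate required only under /path1: the bind asks for a certificate
#    but tolerates its absence, and HTTP rules enforce it per path.
frontend fe_mtls_paths
    bind *:8443 ssl crt /keys/xxx.com.pem ca-file /keys/client_certs.crt verify optional crl-file /keys/client_certs.crl
    acl protected_path path_beg /path1
    acl cert_present   ssl_c_used          # client sent a certificate
    acl cert_verified  ssl_c_verify 0      # and it verified against ca-file / CRL
    http-request deny deny_status 403 if protected_path !cert_present
    http-request deny deny_status 403 if protected_path !cert_verified
    http-request set-header X-Client-DN %[ssl_c_s_dn] if cert_present
    http-request del-header X-Client-DN unless cert_present
    default_backend be_app

backend be_app
    server app1 10.0.0.10:8080 check
```

Differences from the Apache `Location` approach worth knowing: HAProxy does not renegotiate, so with `verify optional` every client is asked for a certificate during the initial handshake (browsers with a matching certificate will prompt even for `/path2`), and the path decision is only made afterwards. A certificate that fails verification is still rejected at the TLS layer under `verify optional` unless `ca-ignore-err`/`crt-ignore-err` are set, which is why `cert_verified` matters only when those are in use. I know of no direct `ssl_verify_depth` equivalent; the intermediates that are allowed to issue client certificates simply go into `ca-file`. `deny_status` needs 1.8 or later; on older versions drop it and accept the default 403.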

How to check the current status in the external health check?


@odonghwi wrote:

When I perform an external health check, I want to check the status of the current backend server.
However, there are no parameters.
Is there a way to get the current backend server status as a parameter in the external health check program?

The final goal is to call my system API whenever health check status changes. The use of healthcheck log is also being considered.

In this case, what do you usually use?

Posts: 2

Participants: 2


Redirect 301 without losing URI


@chaatt wrote:

Hello,

I have created a redirect from wiki.charlot.com to wiki.ca.com via the syntax below. The problem I am now looking at is that if a user accesses wiki.charlot.com/display/test they will be redirected to wiki.ca.com and not to wiki.ca.com/display/test. Thus I am losing the URI path.

For the redirection I have created an acl

acl wiki_acl_redirect hdr_reg(host) -i ^wiki.(charlot).com$

Then I have used the redirect list below
redirect code 301 location https://wiki.ca.com/ if wiki_acl_redirect

Thank you, and I appreciate your help.

Posts: 1

Participants: 1

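`redirect location` replaces the whole URL, which is why the path vanishes; `redirect prefix` keeps the request path and query string and only swaps the scheme and host in front of them. The rule below is an added example, not the poster's configuration; the certificate path and the backend are assumptions, the host names are the ones from the post.

```haproxy
frontend fe_wiki
    bind *:443 ssl crt /etc/haproxy/certs/wiki.pem
    mode http
    # Exact, case-insensitive host match. The original hdr_reg pattern
    # ^wiki.(charlot).com$ leaves the dots unescaped, so it also matches
    # names such as wikiXcharlotYcom; a plain string match is safer.
    acl wiki_old req.hdr(host),field(1,:) -i wiki.charlot.com
    # /display/test?x=1  ->  https://wiki.ca.com/display/test?x=1
    http-request redirect prefix https://wiki.ca.com code 301 if wiki_old
    default_backend be_wiki

backend be_wiki
    server wiki1 10.0.0.20:8080 check
```

Add `drop-query` after the prefix if the query string should not be carried over. Keeping the target a fixed string, as here, is also what keeps this from turning into an open redirect; never build the `Location` from a request header or parameter.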

Brotli compression in haproxy

Haproxy 1.9.0 segfault at 7f141e6e3ab8 ip 00007f141e6e3ab8 sp 00007ffea3eab4b8 error 15 in libc-2.17.so[7f141e6e3000+2000]


@safari wrote:

I have a problem with the latest haproxy 1.9.0: HTTP traffic is OK, but when running HTTPS traffic, haproxy gets segfault errors and crashes. The segfault errors are as below:

[ 6374.791610] haproxy[2741]: segfault at 7f141e6e3ab8 ip 00007f141e6e3ab8 sp 00007ffea3eab4b8 error 15 in libc-2.17.so[7f141e6e3000+2000]
[ 6376.080835] haproxy[2739]: segfault at 60 ip 0000000000000060 sp 00007ffea3eab4b8 error 14 in haproxy-1.9.0[400000+46a000]
[ 6385.632464] haproxy[2762]: segfault at b0 ip 00000000004cc0da sp 00007fff64bd3360 error 4 in haproxy-1.9.0[400000+46a000]
[ 6389.265346] haproxy[2764]: segfault at 0 ip           (null) sp 00007fff64bd3358 error 14 in haproxy-1.9.0[400000+46a000]
[ 6389.546879] traps: haproxy[2766] general protection ip:4cc0da sp:7fff64bd3360 error:0 in haproxy-1.9.0[400000+46a000]
[ 6389.571351] haproxy[2763]: segfault at ffffffffffffffb8 ip ffffffffffffffb8 sp 00007fff64bd3358 error 15
[ 6390.114721] traps: haproxy[2767] general protection ip:4cc0da sp:7fff64bd3360 error:0 in haproxy-1.9.0[400000+46a000]
[ 6391.928882] haproxy[2765]: segfault at ffffffffffffffb8 ip ffffffffffffffb8 sp 00007fff64bd3358 error 15

[ 7565.677404] haproxy[8910]: segfault at 96 ip 00000000004cc0da sp 00007ffcb2fdf250 error 4 in haproxy-1.9.0[400000+46a000]
[ 7566.251417] haproxy[8909]: segfault at ffffffffffffffb8 ip ffffffffffffffb8 sp 00007ffcb2fdf248 error 15
[ 7569.549036] haproxy[8912]: segfault at 0 ip           (null) sp 00007ffcb2fdf248 error 14 in haproxy-1.9.0[400000+46a000]
[ 7570.831296] haproxy[8913]: segfault at 0 ip           (null) sp 00007ffcb2fdf248 error 14 in haproxy-1.9.0[400000+46a000]
[ 7572.139128] traps: haproxy[8911] general protection ip:4cc0da sp:7ffcb2fdf250 error:0 in haproxy-1.9.0[400000+46a000]
[ 7576.601277] traps: haproxy[8908] general protection ip:4cc0da sp:7ffcb2fdf250 error:0 in haproxy-1.9.0[400000+46a000]

haproxy -vv

HA-Proxy version 1.9.0 2018/12/19 - https://haproxy.org/
Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wtype-limits
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_STATIC_PCRE2=1 USE_PCRE2_JIT=1 USE_TFO=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.1.1a  20 Nov 2018
Running on OpenSSL version : OpenSSL 1.1.1a  20 Nov 2018
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE2 version : 10.32 2018-09-10
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with multi-threading support.

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
              h2 : mode=HTX        side=FE|BE
              h2 : mode=HTTP       side=FE
       <default> : mode=HTX        side=FE|BE
       <default> : mode=TCP|HTTP   side=FE|BE

Available filters :
	[SPOE] spoe
	[COMP] compression
	[CACHE] cache
	[TRACE] trace

Configs related to SSL

    tune.maxaccept  -1
    tune.bufsize  32768
    tune.maxrewrite  8192
    tune.ssl.cachesize  2000000
    tune.ssl.lifetime  600
    tune.ssl.default-dh-param  1024
    tune.ssl.ssl-ctx-cache-size  4096
    ssl-default-bind-options no-sslv3
    ssl-default-server-options no-sslv3
    bind 0.0.0.0:443 ssl crt /path/to/domain.pem ciphers ECDHE+aRSA+AES256+GCM+SHA384:ECDHE+aRSA+AES128+GCM+SHA256:ECDHE+aRSA+AES256+SHA384:ECDHE+aRSA+AES128+SHA256:ECDHE+aRSA+RC4+SHA:ECDHE+aRSA+AES256+SHA:ECDHE+aRSA+AES128+SHA:AES256+GCM+SHA384:AES128+GCM+SHA256:AES128+SHA256:AES256+SHA256:DHE+aRSA+AES128+SHA:RC4+SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
    .........
    http-request del-header Proxy
    http-request set-header X-Forwarded-Proto https
    http-response set-header Strict-Transport-Security max-age=0

Posts: 1

Participants: 1

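Separately from the crash itself, the SSL fragment quoted above carries three settings that should not go back into production as they are: the cipher list still allows RC4 (`ECDHE+aRSA+RC4+SHA`, `RC4+SHA`), `tune.ssl.default-dh-param 1024` selects 1024-bit DH parameters, and `Strict-Transport-Security max-age=0` tells browsers to forget any HSTS policy rather than to enforce one. The block below is an added example, not the poster's configuration, showing the posted lines beside a hardened form for HAProxy 1.9 on the OpenSSL 1.1.1 build from the `-vv` output; the certificate path is the poster's placeholder, the backend is assumed.

```haproxy
# --- as posted (weak settings flagged) ---
#   tune.ssl.default-dh-param  1024                     # 1024-bit DH
#   bind 0.0.0.0:443 ssl crt /path/to/domain.pem ciphers ...ECDHE+aRSA+RC4+SHA...RC4+SHA...   # RC4
#   http-response set-header Strict-Transport-Security max-age=0                               # HSTS disabled

# --- hardened ---
global
    tune.ssl.default-dh-param 2048
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    # TLS 1.2: forward-secret AEAD suites only, no RC4, no CBC
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    # TLS 1.3 suites use a separate keyword and OpenSSL 1.1.1 names (1.9 keyword)
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

frontend fe_https
    mode http
    bind 0.0.0.0:443 ssl crt /path/to/domain.pem
    http-request del-header Proxy
    http-request set-header X-Forwarded-Proto https
    http-response set-header Strict-Transport-Security max-age=31536000
    default_backend be_app

backend be_app
    server app1 10.0.0.10:8080 check
```

`no-tls-tickets` trades session-resumption speed for not having a long-lived ticket key in process memory; drop it if resumption matters more. Whether the crash itself is related to the SSL settings cannot be told from the kernel lines alone; a core dump (`ulimit -c unlimited` before starting haproxy) together with the `-vv` output is what the developers will need.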


