@happy wrote:

After some days or weeks normal working Haproxy starts to ignore 30-80% new connections

• No kernel-level errors (even local connections affected)
• No problems with any counters (“clear counters” cli-command do nothing) or fd, sockets and other limits
• Nothing interesting in haproxy stats
• It is rare
• It happens randomly, but have obvious connection to significant load and low (but not overloaded) CPU.
• Appears only on multi-process configs (with extremely often reloads and huge configs)
• Tested up to 1.8.15 (Debian 8, kernel 4.17+)
• Fixed easily by restart

TCP dump for normal request:

19:26:30.457523 IP localhost.59792 > localhost.https: Flags [S], seq 765380153, win 43690, options [mss 65495,sackOK,TS val 448339641 ecr 0,nop,wscale 10], length 0
19:26:30.457549 IP localhost.https > localhost.59792: Flags [S.], seq 2803598966, ack 765380154, win 43690, options [mss 65495,sackOK,TS val 448339641 ecr 448339641,nop,wscale 10], length 0
19:26:30.457596 IP localhost.59792 > localhost.https: Flags [.], ack 1, win 43, options [nop,nop,TS val 448339641 ecr 448339641], length 0
19:26:30.457827 IP localhost.59792 > localhost.https: Flags [P.], seq 1:189, ack 1, win 43, options [nop,nop,TS val 448339641 ecr 448339641], length 188
19:26:30.458425 IP localhost.https > localhost.59792: Flags [P.], seq 1:2749, ack 189, win 44, options [nop,nop,TS val 448339642 ecr 448339641], length 2748
19:26:30.458457 IP localhost.59792 > localhost.https: Flags [.], ack 2749, win 171, options [nop,nop,TS val 448339642 ecr 448339642], length 0
19:26:30.460073 IP localhost.59792 > localhost.https: Flags [P.], seq 189:282, ack 2749, win 171, options [nop,nop,TS val 448339643 ecr 448339642], length 93
19:26:30.460602 IP localhost.https > localhost.59792: Flags [P.], seq 2749:2800, ack 282, win 44, options [nop,nop,TS val 448339644 ecr 448339643], length 51
19:26:30.460720 IP localhost.59792 > localhost.https: Flags [P.], seq 282:388, ack 2800, win 171, options [nop,nop,TS val 448339644 ecr 448339644], length 106
19:26:30.460958 IP localhost.https > localhost.59792: Flags [P.], seq 2800:3017, ack 388, win 44, options [nop,nop,TS val 448339644 ecr 448339644], length 217
19:26:30.460994 IP localhost.https > localhost.59792: Flags [P.], seq 3017:3048, ack 388, win 44, options [nop,nop,TS val 448339644 ecr 448339644], length 31
19:26:30.461016 IP localhost.https > localhost.59792: Flags [F.], seq 3048, ack 388, win 44, options [nop,nop,TS val 448339644 ecr 448339644], length 0
19:26:30.461022 IP localhost.59792 > localhost.https: Flags [.], ack 3048, win 176, options [nop,nop,TS val 448339644 ecr 448339644], length 0
19:26:30.461065 IP localhost.59792 > localhost.https: Flags [P.], seq 388:419, ack 3049, win 176, options [nop,nop,TS val 448339644 ecr 448339644], length 31
19:26:30.461137 IP localhost.59792 > localhost.https: Flags [F.], seq 419, ack 3049, win 176, options [nop,nop,TS val 448339644 ecr 448339644], length 0
19:26:30.461142 IP localhost.https > localhost.59792: Flags [R.], seq 3049, ack 419, win 44, options [nop,nop,TS val 448339644 ecr 448339644], length 0
19:26:30.461161 IP localhost.https > localhost.59792: Flags [R], seq 2803602015, win 0, length 0

TCP dump for failed request:

19:27:27.576816 IP localhost.65360 > localhost.https: Flags [S], seq 578543461, win 43690, options [mss 65495,sackOK,TS val 448396759 ecr 0,nop,wscale 10], length 0
19:27:27.576842 IP localhost.https > localhost.65360: Flags [S.], seq 3967261380, ack 578543462, win 43690, options [mss 65495,sackOK,TS val 448396759 ecr 448396759,nop,wscale 10], length 0
19:27:27.576867 IP localhost.65360 > localhost.https: Flags [.], ack 1, win 43, options [nop,nop,TS val 448396759 ecr 448396759], length 0
19:27:27.577082 IP localhost.65360 > localhost.https: Flags [P.], seq 1:189, ack 1, win 43, options [nop,nop,TS val 448396759 ecr 448396759], length 188
19:27:27.617581 IP localhost.https > localhost.65360: Flags [.], ack 189, win 44, options [nop,nop,TS val 448396799 ecr 448396759], length 0
…client-side timeout - 30 seconds…
19:27:57.606808 IP localhost.65360 > localhost.https: Flags [F.], seq 189, ack 1, win 43, options [nop,nop,TS val 448426787 ecr 448396799], length 0
19:27:57.649591 IP localhost.https > localhost.65360: Flags [.], ack 190, win 44, options [nop,nop,TS val 448426831 ecr 448426787], length 0

Posts: 1

Participants: 1

Read full topic

@simonuk1 wrote:

Is it possible to have SSL termination and also be able to do SNI detection.

I have seen this post that checks for SNI , redirect based on the requested URL and sends anyone that doesnt have SNI enabled brwosers to a default server that says upgrade your browser.

Is there such a config that can be used the SSL termination ?

Thanks

Simon

Posts: 4

Participants: 2

Read full topic

@vasanthpandian wrote:

I wanted to achieve rate limiting based on certain rules.

• I should have only one sticky table.
• For each rule there should be one entry in the table.
  
• Unique Key will be a CRC32 of (IP & URL)
• If we get requests for same URL and from same IP, only then the counter should get incremented.
  So the key will be a combination of IP & Path.

Can someone help me in writing ACLs for the same ?

Also please let me know if this can achieved using lua.
Is there an api which we can use from lua, to increment the counter based on a unique key ?

Posts: 1

Participants: 1

Read full topic

@jbsi wrote:

So here’s the deal - we have 2 HA proxy instances setup behind a google load balancer. The decryption endpoint is the HA proxy instances. Behind HA proxy there’s 6 web servers.

We have ONE client that is having issues accessing the system, they are getting an SSL handshake failure, and they are using java as a client (I’m verifying the version).

In our logs we see thousands of SSL handshake failures. We’re pretty strict, TLS 1.2 only, HSTS, but our cipher support is fairly broad.

They see this in their logs:
" %% Initialized: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]

** TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

But it just hangs and they get a handshake error.

java.io.IOException: javax.net.ssl.SSLException: SSL peer shut down incorrectly

   at sun.security.ssl.InputRecord.readV3Record(InputRecord.java:581)

   at sun.security.ssl.InputRecord.read(InputRecord.java:533)

I have no idea at this point what to do. Any help would be great.

Posts: 2

Participants: 2

Read full topic

@lee_ars wrote:

This is a minor issue, but it’s driving me crazy. I don’t know why and I apologize in advance for being dumb, but I cannot get HAProxy to use plane-jane IPv4 addresses when adding an X-Forwarded-For header. Regardless of whether I’m using option forwardfor or doing add-header X-Forwarded-For %[src], HAProxy only renders IPv4 addresses as IPv6-mapped IPv4s (so traffic from 123.456.789.123 gets an X-Forwarded-For header that reads ::ffff:123.456.789.123).

This is obviously not a huge problem, but it’s causing annoying issues with downstream applications that aren’t expecting IPv6-mapped IPv4 addresses.

My current workaround is to use a downstream proxy (Varnish, in this case) to edit the headers in flight and remove the ::ffff: if present. This is obviously non-optimal because it adds complexity and overhead, however small.

IPv6 addresses are obviously rendered correctly in the header. HAProxy is bound and listening to ports 80 and 443 for both ipv4 and ipv6 traffic (with bind :::80 v4v6 and bind :::443 v4v6. There is only one backend and traffic is passed to it via UDS.

Any suggestions would be appreciated. I feel like this is a stupid question and there’s probably something really obvious I’m overlooking, but I’ve been screwing with this all day and I’m not sure what it could be. Happy to post configs if necessary.

Happy New Year to everyone

Posts: 1

Participants: 1

Read full topic

@aringail wrote:

I am using HAProxy to provide a proxy around internal containers that are part of an HA control plane. Only one of these nodes is valid to respond to web ui queries at a time. The other one returns a redirect if you try to access it. I am using HAProxy to manage this. It all works fine until the control plane nodes are restarted or fail. They change ip addresses at that point. Because HAProxy caches the DNS entry at startup it can never resolve the new ip addresses.

After some searching I found that I needed to specify a resolver. Hoping for the best I started down that path.

My first attempt started out well, but after a few seconds the primary node dropped out with an error
“Server webui-backend/manager-0 is going DOWN for maintenance (DNS NX status)”

With some research I found that it was likely failing because the resolver can’t handle anything besides FQDN. So I made that change. Now I get a different error:
Server webui-backend/manager-0 is going DOWN for maintenance (unspecified DNS error).

I haven’t had much luck with Googling so I thought I would ask here. Help!

Config:
global
pidfile /var/run/haproxy.pid
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
maxconn 4096

resolvers dns
parse-resolv-conf
resolve_retries 3
timeout resolve 1s
timeout retry 1s
hold other 30s
hold refused 30s
hold nx 30s
hold timeout 30s
hold valid 10s
hold obsolete 30s

defaults
default-server init-addr last,libc,none
mode http
balance leastconn
retries 3
log global
option httplog
option http-server-close
option dontlognull
timeout connect 30ms
timeout check 1000ms
timeout client 30000ms
timeout server 30000ms
option httpchk GET /overview HTTP/1.0\r\nHost:\ manager.example.com
http-check expect status 200

frontend webui
bind *:8081

http-request set-header X-Forwarded-For %[src]
http-request set-header X-Forwarded-Proto https

default_backend webui-backend

backend webui-backend
server manager-0 manager-0.manager.default.svc.cluster.local:9081 check resolvers dns
server manager-1 manager-1.manager.default.svc.cluster.local:9081 check resolvers dns

haproxy -vv:

HA-Proxy version 1.9.0 2018/12/19 - https://haproxy.org/
Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.1.0j 20 Nov 2018
Running on OpenSSL version : OpenSSL 1.1.0j 20 Nov 2018
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity(“identity”), deflate(“deflate”), raw-deflate(“deflate”), gzip(“gzip”)
Built with PCRE version : 8.39 2016-06-14
Running on PCRE version : 8.39 2016-06-14
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Encrypted password support via crypt(3): yes
Built with multi-threading support.

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as cannot be specified using ‘proto’ keyword)
h2 : mode=HTX side=FE|BE
h2 : mode=HTTP side=FE
: mode=HTX side=FE|BE
: mode=TCP|HTTP side=FE|BE

Available filters :
[SPOE] spoe
[COMP] compression
[CACHE] cache
[TRACE] trace

Posts: 2

Participants: 2

Read full topic

@Gab wrote:

Hello ! I am trying to compile HAProxy 1.9.1 with USE_LIBCRYPT=1 (I have the same problem with 1.9.0) :

make -j 8 TARGET=custom \
USE_LIBCRYPT=1 \
USE_LINUX_TPROXY=1 \
USE_ZLIB=1 \
USE_POLL=default \
USE_REGPARM=1 \
USE_OPENSSL=1 \
USE_PCRE=1

But I have a compilation error :

src/auth.c:45:28: error: variable ‘crypt_data’ has initializer but incomplete type
static THREAD_LOCAL struct crypt_data crypt_data = { .initialized = 0 };
^~~~~~~~~~
src/auth.c:45:55: error: ‘struct crypt_data’ has no member named ‘initialized’
static THREAD_LOCAL struct crypt_data crypt_data = { .initialized = 0 };
^~~~~~~~~~~
src/auth.c:45:69: warning: excess elements in struct initializer
static THREAD_LOCAL struct crypt_data crypt_data = { .initialized = 0 };
^
src/auth.c:45:69: note: (near initialization for ‘crypt_data’)
src/auth.c: In function ‘check_user’:
src/auth.c:261:8: warning: implicit declaration of function ‘crypt_r’; did you mean ‘crypt’? [-Wimplicit-function-declaration]
ep = crypt_r(pass, u->pass, &crypt_data);
^~~~~~~
crypt
src/auth.c:261:6: warning: assignment makes pointer from integer without a cast [-Wint-conversion]
ep = crypt_r(pass, u->pass, &crypt_data);
^
src/auth.c: At top level:
src/auth.c:45:39: error: storage size of ‘crypt_data’ isn’t known
static THREAD_LOCAL struct crypt_data crypt_data = { .initialized = 0 };
^~~~~~~~~~
Makefile:985: recipe for target ‘src/auth.o’ failed
make: *** [src/auth.o] Error 1
make: *** Waiting for unfinished jobs…

Do you know what I am doing wrong ? Thank you and have a nice day !

Posts: 2

Participants: 2

Read full topic

@bbelden wrote:

Hello,

We currently run Haproxy 1.7.10 on Debian 9.4 Stretch. We have used Haproxy for Load Balancing for about 4 to 5 years now without much of an issue. We recently read that starting in 1.8 band Haproxy can be multi threaded when ran vs single threaded, so we want to try to take advantage of this.

Unfortunately I am running into some errors when upgrading to 1.8. I do not get any configuration errors, so I believe our haproxy.cfg file is good, but I will post the rest of the errors I am getting below. I can go through the upgrade process like we have done many times, but at the end the Haproxy service fails to start.

Blockquote
root@lab-p02:/usr/src/haproxy-1.8.15# haproxy -vv
HA-Proxy version 1.8.15 2018/12/13
Copyright 2000-2018 Willy Tarreau willy@haproxy.org
Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-null-dereference -Wno-unused-label
OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with OpenSSL version : OpenSSL 1.0.2q 20 Nov 2018
Running on OpenSSL version : OpenSSL 1.0.2q 20 Nov 2018
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.39 2016-06-14
Running on PCRE version : 8.39 2016-06-14
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity(“identity”), deflate(“deflate”), raw-deflate(“deflate”), gzip(“gzip”)
Built with network namespace support.
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace

Blockquote
root@lab-p02:/usr/src/haproxy-1.8.15# service haproxy start
root@lab-p02:/usr/src/haproxy-1.8.15# service haproxy status
● haproxy.service - HAProxy Load Balancer
Loaded: loaded (/etc/systemd/system/haproxy.service; enabled; vendor preset: enabled)
Active: failed (Result: start-limit-hit) since Wed 2019-01-09 09:35:56 EST; 3s ago
Docs: man:haproxy(1)
file:/usr/share/doc/haproxy/configuration.txt.gz
Process: 23113 ExecStart=/usr/local/sbin/haproxy-systemd-wrapper -f ${CONFIG} -p /run/haproxy/haproxy.pid EXTRAOPTS (code=exited, status=0/SUCCESS) Process: 23111 ExecStartPre=/usr/local/sbin/haproxy -f {CONFIG} -c -q (code=exited, status=0/SUCCESS)
Main PID: 23113 (code=exited, status=0/SUCCESS)
Jan 09 09:35:56 lab-p02 systemd[1]: haproxy.service: Service hold-off time over, scheduling restart.
Jan 09 09:35:56 lab-p02 systemd[1]: Stopped HAProxy Load Balancer.
Jan 09 09:35:56 lab-p02 systemd[1]: haproxy.service: Start request repeated too quickly.
Jan 09 09:35:56 lab-p02 systemd[1]: Failed to start HAProxy Load Balancer.
Jan 09 09:35:56 lab-p02 systemd[1]: haproxy.service: Unit entered failed state.
Jan 09 09:35:56 lab-p02 systemd[1]: haproxy.service: Failed with result ‘start-limit-hit’.

Blockquote
– The start-up result is done.
Jan 09 09:35:56 lab-p02 haproxy-systemd-wrapper[23113]: haproxy-systemd-wrapper: executing /usr/local/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy/haproxy.pid -Ds
Jan 09 09:35:56 lab-p02 haproxy-systemd-wrapper[23113]: haproxy-systemd-wrapper: exit, haproxy RC=0
Jan 09 09:35:56 lab-p02 systemd[1]: haproxy.service: Killing process 23116 (haproxy) with signal SIGKILL.
Jan 09 09:35:56 lab-p02 systemd[1]: haproxy.service: Service hold-off time over, scheduling restart.
Jan 09 09:35:56 lab-p02 systemd[1]: Stopped HAProxy Load Balancer.
– Subject: Unit haproxy.service has finished shutting down
– Defined-By: systemd
– Support: https://www.debian.org/support
–
– Unit haproxy.service has finished shutting down.
Jan 09 09:35:56 lab-p02 systemd[1]: haproxy.service: Start request repeated too quickly.
Jan 09 09:35:56 lab-p02 systemd[1]: Failed to start HAProxy Load Balancer.
– Subject: Unit haproxy.service has failed
– Defined-By: systemd
– Support: https://www.debian.org/support
–
– Unit haproxy.service has failed.

Posts: 2

Participants: 1

Read full topic

@projects067 wrote:

I have a small Haproxy server set up with 2 NICs. The OS is CentOS7 and I have configured both NICs on the same subnet per CentOS documentation.

— 192.168.0.1, 192.168.0.2 ---- both on 192.168.0.0/24
192.168.0.1 is used for management and the web gui, 192.168.0.2 is used for the LB traffic.

Traffic coming into the LB hits the 192.168.0.2 address, but seems to be egressing to the 192.168.0.1 address to the backend servers. I’ve tried specifying “source IP” in the config to no avail.

Version is 1.8.16.

If I do the telnet from the LB CLI inside Linux, the routing seems to work correctly, so it seems the LB application itself isn’t going out on the correct interface/IP.

Posts: 1

Participants: 1

Read full topic

@simonuk1 wrote:

Is it possible to define a backend that can be used by all other backend as its last resort.

Ie normal backends will have 2 servers defined, if both those servers are down or then uses the last resort backend.

I know there is the backup flag that can be set per server in the backend config, but that does mean defining it in every backend.

Cheers
Simon

Posts: 1

Participants: 1

Read full topic

@be_tnt wrote:

Hello!

I am using HAProxy 1.8. My haProxy receives http requests on 2 interfaces. I would need to redirect those requests to backend depending on the requested IP.

With an example:

Field A for domain1 is linked to IP1
Field A for domain2 is linked to IP2

HaProxy is listening on both IP1 & IP2 for requests (in my config file, in frontend section, I have bind *:80)

I defined 2 backends:
backend1 send requests on server1 and port 80
backend2 send requests on server1 and port 81

Is this possible using ACL to redirect requests from domain1 to server1 and requests from domain2 to server2?

I guess I can do it by creating multiple frontend sections with a bind on a specific IP but I wanted to know if it would be possible to do it with acl.

Thx in advance!

Posts: 3

Participants: 2

Read full topic

@scarey wrote:

Hoping you can help. I’m seeing an issue with 1.8.14 and also 1.8.16 DNS service discovery where HAProxy no longer picks up changes from DNS. I have a server-template with a single slot and point that at DNS. Initially things work but as randomly as server-state-file reconfigs happen and DNS gets updated with new ports, the backend gets stuck on the previous no longer existing host/port combination. We have multiple servers configured the same way and they randomly get stuck like this.

For example a DNS entry for _testapp_http._tcp.marathon.mesos would point to localhost:24379 at one point in time then that service would go away and re-recreated on localhost:13903 and DNS updated. Most of the time HAProxy picks up the change but occasionally it will stick forever on the old localhost:24379.

A tcpdump of DNS shows the correct new entry being returned:
1 9:36:37.401865 IP localhost.39124 > localhost.domain: 33907+ [1au] SRV? _testapp_http._tcp.marathon.mesos. (63)
19:36:37.402016 IP localhost.domain > localhost.39124: 33907* 1/0/2 SRV localslave.marathon.mesos.:13903 20 25344 (124)

The ‘show stat’ CLI shows the old port:
health_testapp,testapp_health1,0,0,0,0,64,0,0,0,0,0,0,0,0,DOWN,100,1,0,0,1,138,138,1,8,1,0,2,0,0,L4CON,0,0,0,0,0,0,0,0,0,-1,Connection refused,0,0,0,0,Layer4 connection problem,3,2,0,127.0.0.1:24379,http,
health_testapp,BACKEND,0,0,0,1,200,70,4760,14840,0,0,70,0,0,0,DOWN,0,0,0,1,138,138,1,8,0,0,1,1,1,0,0,0,0,70,0,70,0,0,0,0,0,0,-1,0,0,0,0,http,roundrobin,

The server-state-file shows the old port:
8 health_testapp 1 testapp_health1 127.0.0.1 0 0 100 1 201 8 2 0 6 0 0 0 localslave.marathon.mesos 24379 _testapp_http._tcp.marathon.mesos

server-template config is:
server-template testapp_health 1 _testapp_http._tcp.marathon.mesos resolvers localdns resolve-prefer ipv4 maxconn 64 rise 3 fall 2 check inter 10000

I tried using ‘resolve-opts allow-dup-ip’ but it didn’t help. It seems like that slot is permanently stuck for some reason? Some race between the server-state-file reload and DNS updates?

Any workaround or fix would be appreciated.

Thanks,
Steve

Posts: 1

Participants: 1

Read full topic

@Grooth wrote:

i mean documentation about Haproxy stats.
like what is “session” mean or max of what, limit of what on that column

Capture.PNG1269×475 68.7 KB

or someone can describe one by one please… thanks for your attention

Posts: 1

Participants: 1

Read full topic

@odonghwi wrote:

I checked logs with “option log-health-checks” .
However, I can’t find a way to customize that log format.

“Custom log format” seems to only work in tcp mode and http mode.
https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#8.2.4

Is there the method that health check log format customize?

Posts: 1

Participants: 1

Read full topic

@9312ankit wrote:

Hi Guys,
Can somebody please explain me why I see 3 linked haproxy process for a single haproxy service.
As you can see all are interlinked to each other.

[root@anchorevlan-hou02p02-1178 haproxy]# ps -ef | grep haproxy
root 17653 1 0 07:24 ? 00:00:00 /usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p /run haproxy.pid
haproxy 17654 17653 0 07:24 ? 00:00:00 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds
haproxy 17655 17654 0 07:24 ? 00:00:00 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds

Posts: 1

Participants: 1

Read full topic

@wilnzi wrote:

Hello,

In my configuration i have one apache server with galera that connect to 3 mariadb servers.

Please, with source as balance, it’s possible to use the 3 servers ?

If it yes, must i make another configuration ?

Thanks in advance.

Posts: 1

Participants: 1

Read full topic

@void_in wrote:

I am not much familiar with HAProxy internals so please forgive me if this question has been asked earlier. I have gone through all the HAProxy docs and this forum’s questions related to nbproc setups but couldn’t find anything related to our issue.

So we have a multi-processor machine where I am using nbproc 32 in order to distribute the load and make sure the maximum performance is achieved. However, the downside of using nbproc 32 is that all the processes are performing health checks on the backend server which is creating a lot of load. If we convert it to nbproc 1 and nbthreads 32, the issue seems to be resolved but I am not sure if HAProxy will be utilizing all the CPUs available to it?

Anyone providing help will really be appreciated. We are using HAProxy 1.8.

Posts: 1

Participants: 1

Read full topic

@be_tnt wrote:

Hello!

I have configured HAProxy with SSL (SSL termination solution). For the domain, it works well (exemple: http://example.com to https://example.com). But if the page contains http url, they are not redirected to https. Is this normal? Did I miss something in my config?

To redirect http to https, I have added in my section “frontend_http”:

redirect scheme https if !{ ssl_fc }

Thx!

Posts: 4

Participants: 2

Read full topic

@santory wrote:

how to enable in 2 issue in sslcomodo option in haproxy 1.8

clock(serverHello.gmt_unix_time)
clock(http"Date:"header)
thank

Posts: 1

Participants: 1

Read full topic

@santory wrote:

how to enable npn in ssl on haproxy 1.8

Posts: 1

Participants: 1

Read full topic