Channel: HAProxy community - Latest topics

Unexpected behaviour disable-on-404


@Peter wrote:

We are using HAProxy for a while now and are using a new option: http-check disable-on-404.

For a few days this seemed to be working properly, until servers were ‘switching’.
As you can see, server002 was OK, stating ‘conditionally succeeded’, returning status 404.
Until server002 was switching to UP temporarily, returning status 200. Then it failed, first with “Connection refused”. This of course should result in a failed state. But when the server recovered and returned status 404 again, it was still in the failed state. The only way to get it back to ‘conditionally succeeded’ was reloading HAProxy. I believe this is a bug.

Below the configuration:

backend backend
    mode http
    balance roundrobin
    option allbackups

    http-reuse always

    # health checks
    option httpchk GET /isActive
    http-check disable-on-404
    http-check expect status 200
    default-server slowstart 30s check inter 10s fall 3 rise 3

    server server001 10.10.0.1:8080 weight 100
    server server002 10.10.0.2:8080 weight 100

Below the log output:

Jan 29 12:57:22 loadbalancer haproxy[18143]: Health check for server backend/server001 succeeded, reason: Layer7 check passed, code: 200, info: "HTTP status check returned code <3C>200<3E>", check duration: 1ms, status: 3/3 UP.
Jan 29 12:57:22 loadbalancer haproxy[18143]: Health check for server backend/server002 conditionally succeeded, reason: Layer7 check conditionally passed, code: 404, info: "Not Found", check duration: 2ms, status: 3/3 UP.
Jan 29 12:57:22 loadbalancer haproxy[18143]: Server backend/server002 is stopping. 1 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
Jan 29 13:21:02 loadbalancer haproxy[18143]: Health check for server backend/server001 failed, reason: Layer4 connection problem, info: "Connection refused", check duration: 0ms, status: 2/3 UP.
Jan 29 13:21:02 loadbalancer haproxy[18143]: Health check for server backend/server002 succeeded, reason: Layer7 check passed, code: 200, info: "HTTP status check returned code <3C>200<3E>", check duration: 1ms, status: 3/3 UP.
Jan 29 13:21:02 loadbalancer haproxy[18143]: Server backend/server002 is UP. 2 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
Jan 29 13:21:12 loadbalancer haproxy[18143]: Health check for server backend/server001 failed, reason: Layer4 connection problem, info: "Connection refused", check duration: 0ms, status: 1/3 UP.
Jan 29 13:21:22 loadbalancer haproxy[18143]: Health check for server backend/server001 failed, reason: Layer4 connection problem, info: "Connection refused", check duration: 0ms, status: 0/3 DOWN.
Jan 29 13:21:22 loadbalancer haproxy[18143]: Server backend/server001 is DOWN. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Jan 29 13:21:32 loadbalancer haproxy[18143]: Server backend/server002 is UP. 1 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
Jan 29 13:22:59 loadbalancer haproxy[18143]: Health check for server backend/server001 failed, reason: Layer7 wrong status, code: 404, info: "HTTP status check returned code <3C>404<3E>", check duration: 4ms, status: 0/3 DOWN.
Jan 29 13:23:29 loadbalancer haproxy[18143]: Health check for server backend/server001 succeeded, reason: Layer7 check passed, code: 200, info: "HTTP status check returned code <3C>200<3E>", check duration: 2ms, status: 1/3 DOWN.
Jan 29 13:23:32 loadbalancer haproxy[18143]: Health check for server backend/server002 failed, reason: Layer4 connection problem, info: "Connection refused", check duration: 0ms, status: 2/3 UP.
Jan 29 13:23:39 loadbalancer haproxy[18143]: Health check for server backend/server001 succeeded, reason: Layer7 check passed, code: 200, info: "HTTP status check returned code <3C>200<3E>", check duration: 2ms, status: 2/3 DOWN.
Jan 29 13:23:42 loadbalancer haproxy[18143]: Health check for server backend/server002 failed, reason: Layer4 connection problem, info: "Connection refused", check duration: 0ms, status: 1/3 UP.
Jan 29 13:23:49 loadbalancer haproxy[18143]: Health check for server backend/server001 succeeded, reason: Layer7 check passed, code: 200, info: "HTTP status check returned code <3C>200<3E>", check duration: 3ms, status: 3/3 UP.
Jan 29 13:23:49 loadbalancer haproxy[18143]: Server backend/server001 is UP. 2 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
Jan 29 13:23:52 loadbalancer haproxy[18143]: Health check for server backend/server002 failed, reason: Layer4 connection problem, info: "Connection refused", check duration: 0ms, status: 0/3 DOWN.
Jan 29 13:23:52 loadbalancer haproxy[18143]: Server backend/server002 is DOWN. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Jan 29 13:24:19 loadbalancer haproxy[18143]: Server backend/server001 is UP. 1 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
Jan 29 13:25:12 loadbalancer haproxy[18143]: Health check for server backend/server002 failed, reason: Layer4 timeout, check duration: 10000ms, status: 0/3 DOWN.
Jan 29 13:25:22 loadbalancer haproxy[18143]: Health check for server backend/server002 failed, reason: Layer4 connection problem, info: "Connection refused", check duration: 0ms, status: 0/3 DOWN.
Jan 29 13:25:32 loadbalancer haproxy[18143]: Health check for server backend/server002 failed, reason: Layer7 wrong status, code: 404, info: "HTTP status check returned code <3C>404<3E>", check duration: 4ms, status: 0/3 DOWN.

Posts: 1

Participants: 1

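As an added monitoring helper (not part of the post and not HAProxy code), the script below parses the health-check lines above, follows server002 through its states and flags the situation the post describes: a server that is already DOWN answering 404 and getting a plain "Layer7 wrong status" failure logged instead of a conditional success, after which it does not return to ‘conditionally succeeded’ on its own. The sample lines are copied from the log above (only server002's lines are kept); the state labels are this script's own.

```python
import re

# Health-check lines exactly as HAProxy logged them in the post above
# (copied from the log, not constructed); only server002's lines are kept.
SAMPLE_LOG = """\
Jan 29 12:57:22 loadbalancer haproxy[18143]: Health check for server backend/server002 conditionally succeeded, reason: Layer7 check conditionally passed, code: 404, info: "Not Found", check duration: 2ms, status: 3/3 UP.
Jan 29 13:21:02 loadbalancer haproxy[18143]: Health check for server backend/server002 succeeded, reason: Layer7 check passed, code: 200, info: "HTTP status check returned code <3C>200<3E>", check duration: 1ms, status: 3/3 UP.
Jan 29 13:23:32 loadbalancer haproxy[18143]: Health check for server backend/server002 failed, reason: Layer4 connection problem, info: "Connection refused", check duration: 0ms, status: 2/3 UP.
Jan 29 13:23:42 loadbalancer haproxy[18143]: Health check for server backend/server002 failed, reason: Layer4 connection problem, info: "Connection refused", check duration: 0ms, status: 1/3 UP.
Jan 29 13:23:52 loadbalancer haproxy[18143]: Health check for server backend/server002 failed, reason: Layer4 connection problem, info: "Connection refused", check duration: 0ms, status: 0/3 DOWN.
Jan 29 13:25:32 loadbalancer haproxy[18143]: Health check for server backend/server002 failed, reason: Layer7 wrong status, code: 404, info: "HTTP status check returned code <3C>404<3E>", check duration: 4ms, status: 0/3 DOWN.
"""

# One regex for the three outcomes HAProxy logs; "code:" is only present for Layer7 results.
CHECK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ haproxy\[\d+\]: "
    r"Health check for server (?P<server>\S+) "
    r"(?P<outcome>conditionally succeeded|succeeded|failed), "
    r"reason: (?P<reason>[^,]+)"
    r"(?:, code: (?P<code>\d+))?"
    r".*status: (?P<health>\d+)/(?P<threshold>\d+) (?P<state>UP|DOWN)\.$"
)

def parse_checks(log_text):
    """Return one dict per health-check line; lines that are not checks are ignored."""
    events = []
    for line in log_text.splitlines():
        m = CHECK_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["code"] = int(ev["code"]) if ev["code"] else None
        ev["health"] = int(ev["health"])
        events.append(ev)
    return events

def track_states(events):
    """Follow each server through the log and return (timestamp, server, label)
    whenever its label changes: 'conditional' (404 accepted by disable-on-404),
    'up', 'degrading' (failing but still above the fall threshold) or 'down'."""
    last = {}
    transitions = []
    for ev in events:
        if ev["outcome"] == "conditionally succeeded":
            label = "conditional"
        elif ev["state"] == "DOWN":
            label = "down"
        elif ev["outcome"] == "failed":
            label = "degrading"
        else:
            label = "up"
        if last.get(ev["server"]) != label:
            transitions.append((ev["ts"], ev["server"], label))
            last[ev["server"]] = label
    return transitions

def stuck_down_on_404(events):
    """Flag checks where a server that is already DOWN answers 404 and the 404 is
    logged as a plain failure instead of a conditional success: it will not come
    back to 'conditionally succeeded' by itself, so an operator should look at it."""
    return [(ev["ts"], ev["server"]) for ev in events
            if ev["state"] == "DOWN" and ev["outcome"] == "failed" and ev["code"] == 404]

if __name__ == "__main__":
    evs = parse_checks(SAMPLE_LOG)
    for t in track_states(evs):
        print("%s %-18s -> %s" % t)
    for ts, srv in stuck_down_on_404(evs):
        print("%s %s answered 404 while DOWN: needs operator attention" % (ts, srv))
```

Feeding the full haproxy log to `parse_checks` works the same way; the regex simply skips the "Server backend/... is UP/DOWN" summary lines.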


Leaky bucket method with Haproxy - Rate limiting


@seb176 wrote:

Nginx uses the leaky bucket method to limit request rate. Nginx http_limit_req_module.

It means that if I set a limit to 100 req/sec, and then I get flooded by 120 req/sec, 100 requests will be served normally but 20 requests will be served by a 503 error.

How can I setup this with Haproxy?

I read a lot of the documentation about sc_http_req_rate, but since the rate is always 120 req/sec, I am always returning 503 errors.

frontend main
    bind *:80
    acl foo_limited_req sc_http_req_rate(0) ge 100
    http-request track-sc0 path table Abuse     # Set the URI as the key of the table
    use_backend bk1 if foo_limited_req
    default_backend web

backend web
    server web1 192.168.0.10

backend Abuse
    stick-table type string len 128 size 100K expire 30m store http_req_rate(1s)

backend bk1
     server listenerror 127.0.0.1:81

listen errorlistener
    bind 127.0.0.1:81
    mode http
    errorfile 503 /etc/haproxy/errors/200-tuned.http

I want to serve the flow of 100 req/sec with web backend. And the 20 req/sec surplus with bk1 backend. I am using Haproxy version 1.9.2.

Posts: 1

Participants: 1

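An added simulation (not from the post and not HAProxy code) of why the configuration above answers 503 for every request once the flood starts: an ACL on sc_http_req_rate compares a trailing-window request count with a threshold, and at a steady 120 req/s that count never drops below 100 again, whereas a leaky-bucket meter refuses only the requests that exceed its drain rate. The window model is an assumption standing in for HAProxy's real counter, and the arrival stream is constructed.

```python
from collections import deque
from fractions import Fraction

def even_arrivals(rate, seconds):
    """Constructed workload: `rate` requests per second, evenly spaced, for `seconds`.
    Exact fractions keep the simulation free of floating-point drift."""
    return [Fraction(i, rate) for i in range(rate * seconds)]

def window_counter_decisions(arrivals, limit, period=Fraction(1)):
    """Simplified model (assumption) of `acl limited sc_http_req_rate(0) ge <limit>`
    backed by a stick-table storing http_req_rate(1s): a request is refused when
    the number of requests seen in the trailing period, this one included, reaches
    `limit`. Every request is tracked whether refused or not, as track-sc0 does."""
    seen = deque()
    accepted = rejected = 0
    for t in arrivals:
        while seen and seen[0] <= t - period:
            seen.popleft()
        seen.append(t)
        if len(seen) >= limit:
            rejected += 1
        else:
            accepted += 1
    return accepted, rejected

def leaky_bucket_decisions(arrivals, rate, burst):
    """Leaky-bucket meter in its token-bucket form: the bucket refills at `rate`
    requests per second up to `burst` tokens; a request that finds no token is
    refused immediately (the nginx limit_req burst=<burst> nodelay behaviour)."""
    tokens = Fraction(burst)
    last = arrivals[0] if arrivals else Fraction(0)
    accepted = rejected = 0
    for t in arrivals:
        tokens = min(Fraction(burst), tokens + Fraction(rate) * (t - last))
        last = t
        if tokens >= 1:
            tokens -= 1
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected

if __name__ == "__main__":
    flood = even_arrivals(120, 10)   # 120 req/s for 10 s: 1200 requests
    print("window counter, limit 100:        ", window_counter_decisions(flood, 100))
    print("leaky bucket, 100 req/s + burst 20:", leaky_bucket_decisions(flood, 100, 20))
```

With the window counter, the first 99 requests pass and the remaining 1101 are refused, which is the behaviour the post observes; the leaky bucket refuses 181 of 1200, i.e. the 20 req/s surplus once the burst allowance is used up.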

How to run HAProxy in FIPS Mode?


@deepagarhaproxy wrote:

How to run HAProxy in FIPS Mode?

There are two types
a. FIPS mode
b. FIPS compliant

We need to run in FIPS mode in HAProxy.
Could HAProxy team share the steps to run HAProxy in FIPS mode?

Posts: 1

Participants: 1


HAProxy v1.9.2 crash during reload (or shortly thereafter)


@ingshtrom wrote:

Hello friends! I think I might have found a bug in HAProxy. Honestly, I’ve never thought it would happen because it’s usually rock solid, but I’m not sure what else would cause it.

We run HAProxy in master-worker mode along with also using seamless reloads inside of Docker, which is managed by Kubernetes. The docker tag we were using was haproxy:1.9.2 when this happened. We have since reverted back to haproxy:1.8.14 because that was what was working prior to this error.

The behavior we experienced was during a seamless reload, HAProxy completely crashed with an error message of *** Error in `haproxy': free(): invalid pointer: 0x000055b420684028 ***

Here is an export of the logs of one of our HAProxy containers: (see gist)

If you are paying attention, you will notice some logs that do not look native to HAProxy. Those are from our script that wraps HAProxy and helps to manage reloading HAProxy inside of a Docker container. Here is that script: (see gist)

Our configuration uses quite a lot of the features that HAProxy exposes, I think, but since the crash, the configuration has been running just fine, so I don’t believe the configuration itself to be the issue. Since we have a decent amount of information in there I would likely need to redact, I will avoid pasting it here for now. I can go through and redact it later and paste it if necessary. I guess I’m curious if the logs provide enough information to debug because I have no idea how to read them once the crash happens.

I also tried to reproduce this by continually reloading HAProxy v1.9.2 in a lower traffic environment, but could not reproduce it.

I did check the mailing list but most of the crashes seem to be due to segfaults, not invalid pointers.

Any thoughts on what could cause this and if it has been seen before?

Posts: 1

Participants: 1


Http2 not working with haproxy


@prasa880 wrote:

Hi,
I want to configure HAProxy with HTTP/2, so I have enabled the “bind :::443 v4v6 ssl crt /etc/httpd/ssl/dissin.pem alpn h2,http/1.1” parameter in HAProxy.

Next, I have configured the HTTP/2 protocol in Apache; without HAProxy it is working fine, e.g. “GET /icons/poweredby.png HTTP/2.0” 304.

  1. I want to know how to enable the HTTP/2 protocol in HAProxy.
  2. Since my SSL is available in HAProxy, the backend servers listen on port 80. Will HTTP/2 work without SSL?
    Please, someone help me configure HTTP/2 along with HAProxy.

Posts: 1

Participants: 1


How can I see server (backend) ip-address


@Rend wrote:

Hi,
I’m looking for a way to see the server IP address that HAProxy learned during the start process. I didn’t manage to find an easy method to do it. Maybe someone has faced such an issue?

Ex:
server SRV1 serv.example.loc check …

How to see SRV1 ip-addr
Thanks!

Posts: 1

Participants: 1

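An added example (not from the post): HAProxy reports the address it resolved for each server through its stats socket with the `show servers state` command, whose srv_addr and srv_port columns hold the learned IP and port and srv_fqdn the name it was configured with. The parser below reads that output by its header line rather than by fixed column positions. It assumes a `stats socket <path>` line in the global section; the socket path and the sample output are constructed.

```python
import socket

# Constructed sample of what `show servers state` returns (format version 1 on
# the first line, then a '#' header naming the columns, then one row per server).
SAMPLE_STATE = """\
1
# be_id be_name srv_id srv_name srv_addr srv_op_state srv_admin_state srv_uweight srv_iweight srv_time_since_last_change srv_check_status srv_check_result srv_check_health srv_check_state srv_agent_state bk_f_forced_id srv_f_forced_id srv_fqdn srv_port
3 web 1 SRV1 192.0.2.10 2 0 1 1 120 15 3 4 6 0 0 0 serv.example.loc 80
3 web 2 SRV2 192.0.2.11 0 0 1 1 30 7 2 0 6 0 0 0 - 80
"""

def query_stats_socket(path, command):
    """Send one command to HAProxy's unix stats socket and return the whole reply
    (HAProxy closes the connection after answering a single command)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)
        sock.sendall(command.encode() + b"\n")
        chunks = []
        while True:
            data = sock.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode()

def parse_servers_state(text):
    """Turn `show servers state` output into {"backend/server": {...}}, taking the
    column names from the '#' header so extra or reordered columns still work."""
    columns = None
    servers = {}
    for line in text.splitlines():
        if not line.strip() or line.strip().isdigit():   # blank, or the format-version line
            continue
        if line.startswith("#"):
            columns = line[1:].split()
            continue
        if columns is None:
            raise ValueError("data line before header: %r" % line)
        row = dict(zip(columns, line.split()))
        key = "%s/%s" % (row["be_name"], row["srv_name"])
        servers[key] = {
            "addr": row["srv_addr"],
            "port": int(row["srv_port"]),
            "fqdn": None if row["srv_fqdn"] == "-" else row["srv_fqdn"],   # '-' when no name was used
        }
    return servers

def resolved_addresses(text):
    """Convenience view answering the question above: {"backend/server": "ip:port"}."""
    return {k: "%s:%d" % (v["addr"], v["port"]) for k, v in parse_servers_state(text).items()}

if __name__ == "__main__":
    import sys
    # Pass the stats socket path as the first argument to query a live HAProxy;
    # without one the constructed sample is parsed.
    state = query_stats_socket(sys.argv[1], "show servers state") if len(sys.argv) > 1 else SAMPLE_STATE
    for name, addr in sorted(resolved_addresses(state).items()):
        print(name, addr)
```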

HAPROXY Logging system


@Rend wrote:

I use HAProxy for TCP load balancing. The business requires writing the start and the end of a session to the log file separately. I know option logasap allows writing to the log immediately when a session has begun. This option cannot be used because when the session is terminated, haproxy doesn’t write anything in the log.
How to solve such a case? Need help.

Posts: 1

Participants: 1


Haproxy and url rewrites to internal servers and urls


@alfl wrote:

I have a few external websites which now work with nginx. As I need to host an internal Exchange 2013 server (which the free nginx doesn’t like), I am looking into HAProxy.

I have some URLs which I now use, like mail.lex-it.com, wiki.lex-it.com and helpdesk.lex-it.com

https://mail.lex-it.com needs to be redirected to the internal Exchange 2013 servers

https://wiki.lex-it.com needs to be redirected using a URL rewrite to the internal server https://wiki.lan.local/xwiki

https://helpdesk.lex-it.com needs to be redirected to just an internal server https://helpdesk.lan.local (no further URL rewrite)

The mail I still need to figure out, but as I am new to HAProxy I just wanted to focus on the simpler websites.

The problem I face is with the wiki rewrite, which I don’t know how to do, and I hope one of you can help me with this.

I have managed to create the following config, but the wiki is bogus of course :slight_smile: :

global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    maxconn 25000
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode http
    option httplog
    option dontlognull
    option forwardfor
    option http-server-close
    stats enable
    # stats auth someuser:somepassword
    stats uri /haproxy?stats
    retries 3

frontend http-in
    bind *:443

    # Define hosts
    acl host_helpdesk hdr(host) -i helpdesk.lex-it.com
    acl host_wiki hdr(host) -i wiki.lex-it.com

    ## figure out which one to use
    use_backend helpdesk_cluster if host_helpdesk
    use_backend wiki_cluster if host_wiki

backend helpdesk_cluster
    balance leastconn
    option httpclose
    option forwardfor
    cookie JSESSIONID prefix
    server node1 helpdesk.lan.local cookie A check

backend wiki_cluster
    balance leastconn
    option httpclose
    option forwardfor
    cookie JSESSIONID prefix
    server node1 wiki.lan.local/xwiki cookie A check

Posts: 1

Participants: 1



Custom log socket bind name


@mathieuh wrote:

I’d like to log the name given to the socket with the bind “name” option.

The custom log format options %f and %ft for the frontend name don’t include the socket name, and I didn’t see any other log variable to use for it.

The log lines (not customizable) used for errors do include the bind name, if defined.

I quickly browsed the source code and couldn’t find any way to access the socket listener name from session variables.

Is this only accessible in the stats page and the error logs?

Posts: 2

Participants: 1


HAproxy redirects to localhost


@iYassin wrote:

I am running Raspbian on a Raspberry Pi at home, hosting my own Nextcloud instance using Apache2 as the webserver. In order to make it accessible from outside and look “professional” with my own URL without any port numbers attached, I am using the following setup:

  • My domain (let’s call it iyassin.de) is attached to my CentOS-based managed webspace (Uberspace, if anyone knows them)
  • Subdomain cloud.iyassin.de is created as a folder in the webroot, containing a .htaccess with the following code in order to direct all traffic to HAproxy:

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Server} ^$
RewriteRule (.*) http://localhost:12345/$1 [P]
  • Managed webspace is running an HAproxy instance listening on port 12345, pointing to nextcloud.mydyndnsservice.eu:443
  • Apache2 on Raspberry Pi answers the request using a VirtualHost configuration matching cloud.iyassin.de and serving the correct Letsencrypt SSL certificate that I have copied to the Pi from the managed webspace. It also has its own certificate when accessed directly through nextcloud.mydyndnsservice.eu:443, so that the connection to HAproxy is also encrypted.

This used to work perfectly for over a year, redirecting my browser to https://cloud.iyassin.de/index.php/login. A few days ago, it failed: when I access https://cloud.iyassin.de, it now redirects my browser to https://localhost:12345/index.php/login, which of course fails.

What could this be caused by? The Apache rewrite is still working, as I can change the port number. HAproxy is working, as killing it produces a 503 error instead of the wrong redirection. It also establishes the connection to my Raspberry Pi, as it gets the correct login path, but it just fails to correctly rewrite the URL.

Here’s my haproxy.cfg as well:

global

frontend HTTP
	bind			127.0.0.1:63847
	mode			http
	timeout client		5000
	
	acl			a_example hdr(X-Forwarded-Host) -i cloud.iyassin.de
	use_backend		b_example if a_example

	default_backend		uberspace_81

backend uberspace_81
	mode	http
	timeout connect		3000
	timeout server		3000
	server	uberspace 123.456.789.123:81

backend b_example
	mode	http
	timeout connect		5000
	timeout server		7200000
	server	server1-a nextcloud.mydyndnsservice.eu:443 ssl ca-file /etc/ssl/certs/ca-bundle.trust.crt

Posts: 1

Participants: 1

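An added example (not from the post): a small model of one mechanism that yields a redirect to localhost:12345, namely a backend that builds an absolute Location from the Host header it was handed by the Apache [P] hop (http://localhost:12345 in the RewriteRule above) instead of from X-Forwarded-Host, together with a proxy-side fix-up that maps such a Location back onto the public origin. The backend model is an assumption standing in for whatever Nextcloud does; the hop name and the public origin are the ones named in the post.

```python
from urllib.parse import urlsplit, urlunsplit

# The internal hop named in the .htaccess RewriteRule above and the origin the
# browser should end up on (both taken from the post).
INTERNAL_HOPS = {"localhost:12345"}
PUBLIC_ORIGIN = "https://cloud.iyassin.de"

def backend_redirect(request_headers, path):
    """Model (assumption, not Nextcloud's code) of a backend that builds an absolute
    redirect from the Host header it received and ignores X-Forwarded-Host.
    Given Host: localhost:12345 this yields the redirect seen in the post."""
    host = request_headers["Host"]
    scheme = request_headers.get("X-Forwarded-Proto", "https")
    return "%s://%s%s" % (scheme, host, path)

def location_for_client(location, internal_hops=INTERNAL_HOPS, public_origin=PUBLIC_ORIGIN):
    """Proxy-side fix-up of a Location header: only when it points at one of the
    internal hops is it rebuilt on the public origin, keeping path, query and
    fragment; a Location aimed at any other host is returned unchanged."""
    parts = urlsplit(location)
    if parts.netloc not in internal_hops:
        return location
    public = urlsplit(public_origin)
    return urlunsplit((public.scheme, public.netloc, parts.path, parts.query, parts.fragment))

if __name__ == "__main__":
    # Constructed request headers as they reach the backend after the Apache [P] hop.
    headers = {"Host": "localhost:12345", "X-Forwarded-Host": "cloud.iyassin.de"}
    loc = backend_redirect(headers, "/index.php/login")
    print("backend sent:", loc)
    print("client gets: ", location_for_client(loc))
```

Restricting the rewrite to the known internal hop names is deliberate: rewriting every Location host to the public origin would also clobber legitimate redirects to third-party sites.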

HAProxy fails on restart


@marcusm wrote:

If I restart our Ubuntu 18.04 server with HAProxy 1.8.8, it fails with the error:

service haproxy status

● haproxy.service - HAProxy Load Balancer
   Loaded: loaded (/lib/systemd/system/haproxy.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sun 2019-02-03 19:29:25 CET; 2min 43s ago
     Docs: man:haproxy(1)
           file:/usr/share/doc/haproxy/configuration.txt.gz
  Process: 1047 ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q $EXTRAOPTS (code=exited, status=1/FAILURE)

Feb 03 19:29:25 lb02 systemd[1]: haproxy.service: Service hold-off time over, scheduling restart.
Feb 03 19:29:25 lb02 systemd[1]: haproxy.service: Scheduled restart job, restart counter is at 5.
Feb 03 19:29:25 lb02 systemd[1]: Stopped HAProxy Load Balancer.
Feb 03 19:29:25 lb02 systemd[1]: haproxy.service: Start request repeated too quickly.
Feb 03 19:29:25 lb02 systemd[1]: haproxy.service: Failed with result 'exit-code'.
Feb 03 19:29:25 lb02 systemd[1]: Failed to start HAProxy Load Balancer.

And haproxy.log contains:

Feb  3 19:53:41 lb02 haproxy[869]: [ALERT] 033/195341 (869) : parsing [/etc/haproxy/haproxy.cfg:82] : 'mailer smtp1' : invalid address: 'subdomain.hostname.com' in 'subdomain.hostname.com:25'
Feb  3 19:53:41 lb02 haproxy[869]: [ALERT] 033/195341 (869) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
Feb  3 19:53:41 lb02 haproxy[869]: [ALERT] 033/195341 (869) : Fatal errors found in configuration.

In haproxy.conf my config looks like:

mailers mymailers01
	 mailer smtp1 subdomain.hostname.com:25

If I manually do “service haproxy restart”, it works again.

haproxy -vv
HA-Proxy version 1.8.8-1ubuntu0.3 2019/01/11
Copyright 2000-2018 Willy Tarreau <willy@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -g -O2 -fdebug-prefix-map=/build/haproxy-_XfIfg/haproxy-1.8.8=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2
  OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_SYSTEMD=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_NS=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.1.0g  2 Nov 2017
Running on OpenSSL version : OpenSSL 1.1.0g  2 Nov 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.39 2016-06-14
Running on PCRE version : 8.39 2016-06-14
PCRE library supports JIT : yes
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
	[SPOE] spoe
	[COMP] compression
	[TRACE] trace

Any idea?

Posts: 1

Participants: 1

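An added pre-start check (not from the post): the alert above is raised while parsing the mailer's address and the same configuration passes on a manual restart later, so it helps to know which names in haproxy.cfg have to be resolved before `haproxy -c` runs, and whether they resolve right now. The script lists the hosts on server and mailer lines and reports those the resolver cannot answer. The config fragment is constructed around the mailer line from the post; the other lines are made up.

```python
import ipaddress
import re
import socket

# Constructed haproxy.cfg fragment; only the mailer line comes from the post.
SAMPLE_CFG = """\
mailers mymailers01
    mailer smtp1 subdomain.hostname.com:25

backend web
    server web1 192.168.0.10:80 check
    server web2 [2001:db8::10]:80 check
    server srv1 serv.example.loc check
    server local unix@/var/run/app.sock
"""

# server/mailer lines: keyword, name, address (the address is the third token).
ADDR_LINE = re.compile(r"^[ \t]*(server|mailer)\s+(\S+)\s+(\S+)", re.M)

def split_host(addr):
    """Host part of an HAProxy address: 'host:port', 'host' or '[ipv6]:port'.
    unix@/abns@/fd@ addresses have no host and yield None; ipv4@/ipv6@ are
    just family hints and are stripped."""
    prefix, sep, rest = addr.partition("@")
    if sep:
        if prefix in ("unix", "abns", "fd"):
            return None
        addr = rest
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    host, sep, port = addr.rpartition(":")
    if sep and port.isdigit():
        return host
    return addr

def extract_hosts(cfg_text):
    """All (keyword, name, host) triples from server/mailer lines, in file order."""
    out = []
    for keyword, name, addr in ADDR_LINE.findall(cfg_text):
        host = split_host(addr)
        if host is not None:
            out.append((keyword, name, host))
    return out

def needs_dns(host):
    """True for names, False for IPv4/IPv6 literals (which never need a resolver)."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return True

def unresolvable(hosts):
    """Names the resolver cannot turn into an address right now. If this list is
    not empty at boot, `haproxy -c` will reject the file with 'invalid address'."""
    bad = []
    for host in hosts:
        try:
            socket.getaddrinfo(host, None)
        except socket.gaierror:
            bad.append(host)
    return bad

if __name__ == "__main__":
    import sys
    # Pass the path of the real haproxy.cfg to check it; without one the sample is used.
    cfg = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CFG
    names = [h for _, _, h in extract_hosts(cfg) if needs_dns(h)]
    for h in unresolvable(names):
        print("cannot resolve %s: haproxy -c will fail until DNS is reachable" % h)
```

Running this from an ExecStartPre (or simply ordering the unit after network-online.target) turns a silent boot-time failure into an explicit message naming the host that did not resolve.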

Multiple Redirect Error with Remote Web access + HAProxy


@SignalCodec wrote:

The idea is to have 2 servers behind 1 IP, both publishing SSL sites.

I can access the root domain on both with the correct SSL’s.

The issue is when I try to load our page generated by Windows Remote Web Access: I get thrown “ERR_TOO_MANY_REDIRECTS”.
Our website generated by Windows is just the root URL with “/remote” on the end.

I’m trying to get this working before I force http>https redirect, so I know this is missing from the below.

Please help!

Posts: 1

Participants: 1


Exchange 2016 + HAproxy + MacOS Outlook issues


@KenynMacCormik wrote:

Greetings,

I’m using an Exchange 2016 DAG with two servers. Recently I’ve installed pfSense with the HAproxy module to provide a web reverse proxy.

My issue is the following: MacOS Outlook clients are constantly requesting a password to connect, and RPC over HTTP is not working in my configuration. If I just forward port 443 to the Exchange DAG, RPC over HTTP works fine. If I replace HAproxy with IIS + ARR, the MacOS clients stop requesting passwords. Has anyone ever faced this issue or something similar?

P.S. Windows Outlook clients are working fine in any configuration.

The haproxy.cfg file is as follows:

# Automaticaly generated, dont edit manually.
# Generated on: 2019-01-31 16:22
global
        maxconn                 10000
        log                     syslog1.<my domain>      local0  debug
        stats socket /tmp/haproxy.socket level admin
        uid                     80
        gid                     80
        nbproc                  1
        hard-stop-after         15m
        chroot                          /tmp/haproxy_chroot
        daemon
        tune.ssl.default-dh-param       4096
        log-send-hostname               pfsense
        server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
        bind 127.0.0.1:2200 name localstats
        mode http
        stats enable
        stats refresh 10
        stats admin if TRUE
        stats show-legends
        stats uri /haproxy/haproxy_stats.php?haproxystats=1
        timeout client 5000
        timeout connect 5000
        timeout server 5000

frontend http-https-frontend
        bind                    <public ip>:443 name <public ip>:443   ssl crt-list /var/etc/haproxy/http-https-frontend.crt_list
        bind                    <public ip>:80 name <public ip>:80
        mode                    http
        log                     global
        option                  socket-stats
        option                  log-separate-errors
        option                  httplog
        option                  http-keep-alive
        option                  forwardfor
        acl https ssl_fc
        http-request set-header         X-Forwarded-Proto http if !https
        http-request set-header         X-Forwarded-Proto https if https
        maxconn                 10000
        timeout client          30000
        capture request header Host len 32
        capture request header User-Agent len 64
        capture response header Content-Length len 10
        #option httplog
        log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%sslv/%sslc/%[ssl_fc_sni]/%[ssl_fc_session_id]}\ "%[capture.req.method]\ %[capture.req.hdr(0)]%[capture.req.uri]\ HTTP/1.1"
        option  contstats               # Enable continuous traffic statistics updates
        timeout http-keep-alive 30s     # 15 second max for the client to post next request
        timeout http-request 30s        # 15 seconds max for the client to send a request
        acl                     is_ecp  var(txn.txnpath) -m sub -i /ecp/
        acl                     not_https       ssl_fc,not
        acl                     is_portal       var(txn.txnhost) -m str -i portal.<public domain>
        acl                     is_healthcheck  var(txn.txnpath) -m reg -i healthcheck.htm$
        acl                     is_autodiscover var(txn.txnhost) -m str -i autodiscover.<public domain>
        acl                     is_rpc  var(txn.txnpath) -m sub -i /rpc/
        acl                     is_owa  var(txn.txnpath) -m sub -i /OWA/
        acl                     is_ews  var(txn.txnpath) -m sub -i /EWS/
        acl                     is_oab  var(txn.txnpath) -m sub -i /OAB/
        acl                     is_eas  var(txn.txnpath) -m sub -i /EAS/
        acl                     is_mapi var(txn.txnpath) -m sub -i /mapi/
        http-request set-var(txn.txnpath) path
        http-request set-var(txn.txnhost) hdr(host)
        http-response deny  if  is_ecp
        http-response deny  if  is_healthcheck
        http-request redirect scheme https code 301  if  not_https
        use_backend portal-backend_ipvANY  if  is_portal
        use_backend ex-Autodiscover-backend_ipvANY  if  is_autodiscover
        use_backend ex-RPC-backend_ipvANY  if  is_rpc
        use_backend ex-OWA-backend_ipvANY  if  is_owa
        use_backend ex-EWS-backend_ipvANY  if  is_ews
        use_backend ex-OAB-backend_ipvANY  if  is_oab
        use_backend ex-EAS-backend_ipvANY  if  is_eas
        use_backend ex-MAPI-backend_ipvANY  if  is_mapi
        default_backend ex-OWA-backend_ipvANY

frontend smtp-frontend
        bind                    <public ip>:25 name <public ip>:25
        mode                    tcp
        log                     global
        option                  socket-stats
        option                  dontlognull
        option                  dontlog-normal
        maxconn                 10000
        timeout client          300000
        option tcplog
        option contstats
        default_backend ex-smtp-backend_ipvANY

frontend smtptls-frontend
        bind                    <public ip>:587 name <public ip>:587
        mode                    tcp
        log                     global
        option                  dontlognull
        option                  dontlog-normal
        maxconn                 10000
        timeout client          300000
        option tcplog
        option contstats
        default_backend ex-smtptls-backend_ipvANY

frontend smtpssl-frontend
        bind                    <public ip>:465 name <public ip>:465
        mode                    tcp
        log                     global
        option                  dontlognull
        option                  dontlog-normal
        maxconn                 10000
        timeout client          300000
        option tcplog
        option contstats
        default_backend ex-smtpssl-backend_ipvANY

frontend imap-frontend
        bind                    <public ip>:143 name <public ip>:143
        mode                    tcp
        log                     global
        option                  dontlognull
        option                  dontlog-normal
        maxconn                 10000
        timeout client          300000
        option tcplog
        option contstats
        default_backend ex-imap-backend_ipvANY

frontend imaps-frontend
        bind                    <public ip>:993 name <public ip>:993
        mode                    tcp
        log                     global
        option                  dontlognull
        option                  dontlog-normal
        timeout client          300000
        option contstats
        default_backend ex-imaps-backend_ipvANY

frontend pop-frontend
        bind                    <public ip>:110 name <public ip>:110
        mode                    tcp
        log                     global
        option                  dontlognull
        option                  dontlog-normal
        maxconn                 10000
        timeout client          300000
        option tcplog
        option contstats
        default_backend ex-pop-backend_ipvANY

frontend pops-frontend
        bind                    <public ip>:995 name <public ip>:995
        mode                    tcp
        log                     global
        option                  dontlognull
        option                  dontlog-normal
        maxconn                 10000
        timeout client          300000
        option tcplog
        option contstats
        default_backend ex-pops-backend_ipvANY

backend portal-backend_ipvANY
        mode                    http
        id                      103
        log                     global
        stats                   enable
        stats                   uri /haproxy?stats
        stats                   realm .
        timeout connect         30000
        timeout server          30000
        retries                 3
        server                  portal.<my domain> <my local subnet>.11:443 id 104 ssl check inter 1000  verify none

backend ex-Autodiscover-backend_ipvANY
        mode                    http
        id                      105
        log                     global
        stats                   enable
        stats                   uri /haproxy?stats
        stats                   realm .
        balance                 leastconn
        timeout connect         30000
        timeout server          30000
        retries                 3
        option                  httpchk GET /autodiscover/healthcheck.htm
        http-check expect status 200
        option  redispatch              # Try another server in case of connection failure
        server                  ex1 <my local subnet>.3:443 id 101 ssl check inter 3000  verify none
        server                  ex2 <my local subnet>.4:443 id 102 ssl check inter 3000  verify none

backend ex-RPC-backend_ipvANY
        mode                    http
        id                      106
        log                     global
        stats                   enable
        stats                   uri /haproxy?stats
        stats                   realm .
        balance                 leastconn
        timeout connect         30000
        timeout server          30000
        retries                 3
        option                  httpchk GET /RPC/HealthCheck.htm
        http-check expect status 200
        option  redispatch              # Try another server in case of connection failure
        #timeout queue 30s               # 30 seconds max queued on load balancer
        server                  ex1.<my domain> <my local subnet>.3:443 id 101 ssl check inter 1000  verify none
        server                  ex2.<my domain> <my local subnet>.4:443 id 102 ssl check inter 1000  verify none

backend ex-OWA-backend_ipvANY
        mode                    http
        id                      100
        log                     global
        stats                   enable
        stats                   uri /haproxy?stats
        stats                   realm .
        balance                 leastconn
        timeout connect         30000
        timeout server          30000
        retries                 3
        option                  httpchk GET /OWA/HealthCheck.htm
        http-check expect status 200
        option  redispatch              # Try another server in case of connection failure
        server                  ex1.<my domain> <my local subnet>.3:443 id 101 ssl check inter 1000  verify none
        server                  ex2.<my domain> <my local subnet>.4:443 id 102 ssl check inter 1000  verify none

backend ex-EWS-backend_ipvANY
        mode                    http
        id                      107
        log                     global
        stats                   enable
        stats                   uri /haproxy?stats
        stats                   realm .
        balance                 leastconn
        timeout connect         30000
        timeout server          30000
        retries                 3
        option                  httpchk GET /EWS/HealthCheck.htm
        http-check expect status 200
        option  redispatch              # Try another server in case of connection failure
        #timeout queue 30s               # 30 seconds max queued on load balancer
        server                  ex1.<my domain> <my local subnet>.3:443 id 101 ssl check inter 1000  verify none
        server                  ex2.<my domain> <my local subnet>.4:443 id 102 ssl check inter 1000  verify none

backend ex-OAB-backend_ipvANY
        mode                    http
        id                      108
        log                     global
        stats                   enable
        stats                   uri /haproxy?stats
        stats                   realm .
        balance                 leastconn
        timeout connect         30000
        timeout server          30000
        retries                 3
        option                  httpchk GET /OAB/HealthCheck.htm
        http-check expect status 200
        option  redispatch              # Try another server in case of connection failure
        #timeout queue 30s               # 30 seconds max queued on load balancer
        server                  ex1.<my domain> <my local subnet>.3:443 id 101 ssl check inter 1000  verify none
        server                  ex2.<my domain> <my local subnet>.4:443 id 102 ssl check inter 1000  verify none

backend ex-EAS-backend_ipvANY
        mode                    http
        id                      109
        log                     global
        stats                   enable
        stats                   uri /haproxy?stats
        stats                   realm .
        balance                 leastconn
        timeout connect         30000
        timeout server          30000
        retries                 3
        option                  httpchk GET /Microsoft-Server-ActiveSync/HealthCheck.htm
        http-check expect status 200
        option  redispatch              # Try another server in case of connection failure
        #timeout queue 30s               # 30 seconds max queued on load balancer
        server                  ex1.<my domain> <my local subnet>.3:443 id 101 ssl check inter 1000  verify none
        server                  ex2.<my domain> <my local subnet>.4:443 id 102 ssl check inter 1000  verify none

backend ex-MAPI-backend_ipvANY
        mode                    http
        id                      116
        log                     global
        stats                   enable
        stats                   uri /haproxy?stats
        stats                   realm .
        balance                 leastconn
        timeout connect         30000
        timeout server          30000
        retries                 3
        option                  httpchk GET /mapi/HealthCheck.htm
        http-check expect status 200
        option  redispatch              # Try another server in case of connection failure
        #timeout queue 30s               # 30 seconds max queued on load balancer
        server                  ex1.<my domain> <my local subnet>.3:443 id 101 ssl check inter 1000  verify none
        server                  ex2.<my domain> <my local subnet>.4:443 id 102 ssl check inter 1000  verify none

backend ex-smtp-backend_ipvANY
        mode                    tcp
        id                      110
        log                     global
        balance                 leastconn
        timeout connect         5000
        timeout server          30000
        retries                 3
        option redispatch
        option tcp-check
        tcp-check expect string 220
        default-server rise 2 fall 3
        server                  ex1.<my domain> <my local subnet>.3:25 id 111 check inter 3000
        server                  ex2.<my domain> <my local subnet>.4:25 id 112 check inter 3000

backend ex-smtptls-backend_ipvANY
        mode                    tcp
        id                      115
        log                     global
        balance                 leastconn
        timeout connect         5000
        timeout server          30000
        retries                 3
        default-server rise 2 fall 3
        option redispatch
        option tcp-check
        tcp-check expect string 220
        server                  ex1.<my domain> <my local subnet>.3:587 id 111 check inter 3000
        server                  ex2.<my domain> <my local subnet>.4:587 id 112 check inter 3000

backend ex-smtpssl-backend_ipvANY
        mode                    tcp
        id                      121
        log                     global
        balance                 leastconn
        timeout connect         5000
        timeout server          30000
        retries                 3
        option redispatch
        option tcp-check
        tcp-check expect string 220 ssl
        default-server rise 2 fall 3
        server                  ex1.<my domain> <my local subnet>.3:465 id 111 check inter 3000  verify none
        server                  ex2.<my domain> <my local subnet>.4:465 id 112 check inter 3000  verify none

backend ex-imap-backend_ipvANY
        mode                    tcp
        id                      114
        log                     global
        option                  log-health-checks
        balance                 leastconn
        timeout connect         30000
        timeout server          30000
        retries                 3
        option tcp-check
        tcp-check connect
        tcp-check expect string * OK
        server                  ex1.<my domain> <my local subnet>.3:143 id 111 check inter 1000
        server                  ex2.<my domain> <my local subnet>.4:143 id 112 check inter 1000

backend ex-imaps-backend_ipvANY
        mode                    tcp
        id                      117
        log                     global
        balance                 leastconn
        timeout connect         5000
        timeout server          30000
        retries                 3
        option redispatch
        option tcp-check
        tcp-check connect port 993 ssl
        tcp-check expect string * OK
        server                  ex1.<my domain> <my local subnet>.3:993 id 118 check inter 3000  verify none
        server                  ex2.<my domain> <my local subnet>.4:993 id 119 check inter 3000  verify none

backend ex-pop-backend_ipvANY
        mode                    tcp
        id                      120
        log                     global
        option                  log-health-checks
        balance                 leastconn
        timeout connect         5000
        timeout server          30000
        retries                 3
        option tcp-check
        tcp-check connect port 110
        tcp-check expect string +OK
        default-server rise 2 fall 3
        server                  ex1.<my domain> <my local subnet>.3:110 id 111 check inter 5000
        server                  ex2.<my domain> <my local subnet>.4:110 id 112 check inter 5000

backend ex-pops-backend_ipvANY
        mode                    tcp
        id                      113
        log                     global
        option                  log-health-checks
        balance                 leastconn
        timeout connect         5000
        timeout server          30000
        retries                 3
        option tcp-check
        tcp-check connect port 995 ssl
        tcp-check expect string +OK
        default-server rise 2 fall 3
        server                  ex1.<my domain> <my local subnet>.3:995 id 111 check inter 5000  verify none
        server                  ex2.<my domain> <my local subnet>.4:995 id 112 check inter 5000  verify none

When I run the “Outlook Connectivity” test from the Microsoft Test Connectivity site I get the following

Here are some more details on the RPC over HTTP error

Here is an excerpt from the haproxy logs

Jan 31 16:29:07 pfsense haproxy[65367]: 13.67.59.89:17280 [31/Jan/2019:16:29:07.405] http-https-frontend~ ex-RPC-backend_ipvANY/ex1.<local domain> 478/0/0/2/480 401 262 - - ---- 766/756/0/1/0 0/0 {mail.<public domain>|MSRPC} {0} {TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/mail.<public domain>/-} RPC_IN_DATA mail.<public domain>/rpc/rpcproxy.dll HTTP/1.1
Jan 31 16:29:08 pfsense haproxy[65367]: 13.67.59.89:17277 [31/Jan/2019:16:28:55.995] http-https-frontend~ ex-RPC-backend_ipvANY/ex2.<local domain> 12115/0/1/1/12117 401 262 - - ---- 768/758/0/1/0 0/0 {mail.<public domain>|MSRPC} {0} {TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/mail.<public domain>/-} RPC_IN_DATA mail.<public domain>/rpc/rpcproxy.dll?dd0e139f-324e-408a-8b4a-6574977303cd@<public domain>:6002 HTTP/1.1
Jan 31 16:29:08 pfsense haproxy[65367]: 13.67.59.89:17277 [31/Jan/2019:16:29:08.112] http-https-frontend~ ex-RPC-backend_ipvANY/ex2.<local domain> 227/0/0/1/228 401 262 - - ---- 767/757/0/1/0 0/0 {mail.<public domain>|MSRPC} {0} {TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/mail.<public domain>/-} RPC_IN_DATA mail.<public domain>/Rpc/RpcProxy.dll?dd0e139f-324e-408a-8b4a-6574977303cd@<public domain>:6001 HTTP/1.1
Jan 31 16:29:12 pfsense haproxy[65367]: 13.67.59.89:17281 [31/Jan/2019:16:29:11.818] http-https-frontend~ ex-RPC-backend_ipvANY/ex1.<local domain> 240/0/1/1/242 401 507 - - ---- 756/746/0/1/0 0/0 {mail.<public domain>|MSRPC} {0} {TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/mail.<public domain>/-} RPC_IN_DATA mail.<public domain>/Rpc/RpcProxy.dll?dd0e139f-324e-408a-8b4a-6574977303cd@<public domain>:6001 HTTP/1.1
Jan 31 16:29:12 pfsense haproxy[65367]: 13.67.59.89:17281 [31/Jan/2019:16:29:12.059] http-https-frontend~ ex-RPC-backend_ipvANY/ex1.<local domain> 234/0/0/20/254 200 377 - - ---- 756/746/0/1/0 0/0 {mail.<public domain>|MSRPC} {} {TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/mail.<public domain>/-} RPC_IN_DATA mail.<public domain>/Rpc/RpcProxy.dll?dd0e139f-324e-408a-8b4a-6574977303cd@<public domain>:6001 HTTP/1.1
Jan 31 16:29:12 pfsense haproxy[65367]: 13.67.59.89:17280 [31/Jan/2019:16:29:07.885] http-https-frontend~ ex-RPC-backend_ipvANY/ex1.<local domain> 4667/0/0/1/4668 401 507 - - ---- 755/745/0/1/0 0/0 {mail.<public domain>|MSRPC} {0} {TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/mail.<public domain>/-} RPC_IN_DATA mail.<public domain>/rpc/rpcproxy.dll?dd0e139f-324e-408a-8b4a-6574977303cd@<public domain>:6001 HTTP/1.1
Jan 31 16:29:12 pfsense haproxy[65367]: 13.67.59.89:17280 [31/Jan/2019:16:29:12.552] http-https-frontend~ ex-RPC-backend_ipvANY/ex1.<local domain> 239/0/0/11/250 200 377 - - ---- 754/744/0/1/0 0/0 {mail.<public domain>|MSRPC} {} {TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/mail.<public domain>/-} RPC_IN_DATA mail.<public domain>/rpc/rpcproxy.dll?dd0e139f-324e-408a-8b4a-6574977303cd@<public domain>:6001 HTTP/1.1
Jan 31 16:29:16 pfsense haproxy[65367]: 13.67.59.89:17302 [31/Jan/2019:16:29:15.616] http-https-frontend~ ex-RPC-backend_ipvANY/ex1.<local domain> 471/0/1/1/473 401 507 - - ---- 753/743/1/1/0 0/0 {mail.<public domain>|MSRPC} {0} {TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/mail.<public domain>/-} RPC_OUT_DATA mail.<public domain>/rpc/rpcproxy.dll?dd0e139f-324e-408a-8b4a-6574977303cd@<public domain>:6001 HTTP/1.1
Jan 31 16:29:46 pfsense haproxy[65367]: 13.67.59.89:17280 [31/Jan/2019:16:29:12.803] http-https-frontend~ ex-RPC-backend_ipvANY/ex2.<local domain> 2577/0/1/6/33517 401 262 - - sD-- 753/741/1/0/0 0/0 {mail.<public domain>|MSRPC} {0} {TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/mail.<public domain>/-} RPC_IN_DATA mail.<public domain>/rpc/rpcproxy.dll?dd0e139f-324e-408a-8b4a-6574977303cd@<public domain>:6001 HTTP/1.1
Jan 31 16:29:46 pfsense haproxy[65367]: 13.67.59.89:17302 [31/Jan/2019:16:29:16.089] http-https-frontend~ ex-RPC-backend_ipvANY/ex1.<local domain> 230/0/0/13/30243 200 346 - - sD-- 752/740/0/0/0 0/0 {mail.<public domain>|MSRPC} {} {TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/mail.<public domain>/-} RPC_OUT_DATA mail.<public domain>/rpc/rpcproxy.dll?dd0e139f-324e-408a-8b4a-6574977303cd@<public domain>:6001 HTTP/1.1
Jan 31 22:09:46 pfsense haproxy[65367]: 46.0.224.14:13159 [31/Jan/2019:22:09:46.265] http-https-frontend~ ex-RPC-backend_ipvANY/ex2.<local domain> 91/0/1/1/93 401 507 - - ---- 236/232/0/1/0 0/0 {mail.<public domain>|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/mail.<public domain>/#0357ٞ▒} RPC_IN_DATA mail.<public domain>/rpc/rpcproxy.dll?6627f89e-fa58-4bb4-bbc4-3afb47028417@<public domain>:6002 HTTP/1.1
Jan 31 22:09:46 pfsense haproxy[65367]: 46.0.224.14:13944 [31/Jan/2019:22:09:46.443] http-https-frontend~ ex-RPC-backend_ipvANY/ex1.<local domain> 78/0/0/1/80 401 507 - - ---- 237/233/1/1/0 0/0 {mail.<public domain>|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/mail.<public domain>/o▒rY;$▒cҘ▒P#002▒ԩP*#016o▒▒b▒▒f'▒*E▒[} RPC_OUT_DATA mail.<public domain>/rpc/rpcproxy.dll?6627f89e-fa58-4bb4-bbc4-3afb47028417@<public domain>:6002 HTTP/1.1
Jan 31 22:09:46 pfsense haproxy[65367]: 46.0.224.14:13944 [31/Jan/2019:22:09:46.523] http-https-frontend~ ex-RPC-backend_ipvANY/ex1.<local domain> 20/0/0/2/22 401 262 - - ---- 237/233/1/1/0 0/0 {mail.<public domain>|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/mail.<public domain>/o▒rY;$▒cҘ▒P#002▒ԩP*#016o▒▒b▒▒f'▒*E▒[} RPC_OUT_DATA mail.<public domain>/rpc/rpcproxy.dll?6627f89e-fa58-4bb4-bbc4-3afb47028417@<public domain>:6002 HTTP/1.1
Jan 31 22:09:46 pfsense haproxy[65367]: 46.0.224.14:13159 [31/Jan/2019:22:09:46.359] http-https-frontend~ ex-RPC-backend_ipvANY/ex2.<local domain> 64/0/0/2/205 401 262 - - CD-- 236/232/0/0/0 0/0 {mail.<public domain>|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/mail.<public domain>/#0357ٞ▒} RPC_IN_DATA mail.<public domain>/rpc/rpcproxy.dll?6627f89e-fa58-4bb4-bbc4-3afb47028417@<public domain>:6002 HTTP/1.1
Feb  1 22:09:58 pfsense haproxy[65367]: 46.0.128.3:7409 [01/Feb/2019:22:09:57.881] http-https-frontend~ ex-RPC-backend_ipvANY/ex1.<local domain> 415/0/1/2/418 401 507 - - ---- 159/153/0/1/0 0/0 {mail.<public domain>|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/mail.<public domain>/:E▒X▒▒:#024$▒▒▒,#023▒▒▒▒Q▒H▒Q}#022▒Ip▒▒Bp} RPC_IN_DATA mail.<public domain>/rpc/rpcproxy.dll?6627f89e-fa58-4bb4-bbc4-3afb47028417@<public domain>:6002 HTTP/1.1
Feb  1 22:09:58 pfsense haproxy[65367]: 46.0.128.3:7462 [01/Feb/2019:22:09:58.359] http-https-frontend~ ex-RPC-backend_ipvANY/ex2.<local domain> 89/0/1/1/91 401 507 - - ---- 160/154/1/1/0 0/0 {mail.<public domain>|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/mail.<public domain>/▒h$▒,#031p▒#025▒뉬▒#025Şl#012M_▒e▒Xe#020#0159#007̑} RPC_OUT_DATA mail.<public domain>/rpc/rpcproxy.dll?6627f89e-fa58-4bb4-bbc4-3afb47028417@<public domain>:6002 HTTP/1.1
Feb  1 22:09:58 pfsense haproxy[65367]: 46.0.128.3:7462 [01/Feb/2019:22:09:58.450] http-https-frontend~ ex-RPC-backend_ipvANY/ex2.<local domain> 19/0/0/2/21 401 262 - - ---- 160/154/1/1/0 0/0 {mail.<public domain>|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/mail.<public domain>/▒h$▒,#031p▒#025▒뉬▒#025Şl#012M_▒e▒Xe#020#0159#007̑} RPC_OUT_DATA mail.<public domain>/rpc/rpcproxy.dll?6627f89e-fa58-4bb4-bbc4-3afb47028417@<public domain>:6002 HTTP/1.1
Feb  1 22:09:58 pfsense haproxy[65367]: 46.0.128.3:7409 [01/Feb/2019:22:09:58.298] http-https-frontend~ ex-RPC-backend_ipvANY/ex1.<local domain> 31/0/0/2/194 401 262 - - CD-- 159/153/0/0/0 0/0 {mail.<public domain>|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/mail.<public domain>/:E▒X▒▒:#024$▒▒▒,#023▒▒▒▒Q▒H▒Q}#022▒Ip▒▒Bp} RPC_IN_DATA mail.<public domain>/rpc/rpcproxy.dll?6627f89e-fa58-4bb4-bbc4-3afb47028417@<public domain>:6002 HTTP/1.1

Posts: 1

Participants: 1

Read full topic
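The log excerpt above is easier to reason about once its fixed fields are pulled apart: the five slash-separated numbers are the timers (request, queue, connect, response, total), and the four-character field after the two cookie placeholders is the termination state, whose first character says who or what ended the session and whose second says in which phase. The parser below is an added example written for this page, not code from the post; its sample lines are constructed in the same layout as the excerpt, with documentation IP addresses, placeholder GUIDs and an invented `corp.example` server suffix, plus one line in the shape HAProxy logs when no backend server was selected. Run over lines shaped like the excerpt it makes the two `sD--` entries stand out: a server-side timeout while data was still being transferred, with total times of 33517 ms and 30243 ms against the 30 s `timeout server` the posted backends use, on the long-lived RPC_IN_DATA and RPC_OUT_DATA channels.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Layout of the posted lines: syslog prefix, then
# client:port [accept_date] frontend backend/server Tq/Tw/Tc/Tr/Tt status bytes
# req_cookie res_cookie termination_state conns queues {captures...} request.
LOG_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) haproxy\[(?P<pid>\d+)\]: "
    r"(?P<client>[\d.]+):(?P<cport>\d+) \[(?P<accept>[^\]]+)\] "
    r"(?P<frontend>\S+) (?P<backend>[^/ ]+)/(?P<server>\S*) "
    r"(?P<tq>-?\d+)/(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tr>-?\d+)/(?P<tt>-?\d+) "
    r"(?P<status>-?\d+) (?P<bytes>\d+) \S+ \S+ (?P<term>\S{4}) "
    r"(?P<conns>\S+) (?P<queues>\S+)(?P<rest>.*)$"
)

# First termination-state character: who or what ended the session.
CAUSE = {
    "-": "normal close", "C": "client aborted", "S": "server aborted or refused",
    "P": "proxy terminated the session", "L": "handled locally by the proxy",
    "R": "proxy resource exhausted", "I": "internal error",
    "D": "killed because the server went down", "U": "killed because the server came up",
    "K": "killed by an admin", "c": "client-side timeout", "s": "server-side timeout",
}
# Second character: the phase the session was in when it ended.
PHASE = {
    "-": "completed", "R": "waiting for the client request", "Q": "queued",
    "C": "connecting to the server", "H": "waiting for response headers",
    "D": "transferring data", "L": "sending the last data to the client",
    "T": "tarpitted",
}


@dataclass
class Entry:
    client: str
    frontend: str
    backend: str
    server: str       # "<NOSRV>" when no server was chosen
    status: int
    tt: int           # total session time in ms (last of the five timers)
    term: str         # four-character termination state, e.g. "sD--"
    request: str

    def cause(self) -> str:
        return CAUSE.get(self.term[0], "unknown")

    def phase(self) -> str:
        return PHASE.get(self.term[1], "unknown")

    def abnormal(self) -> bool:
        return self.term[0] != "-"


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HAProxy HTTP log line; return None for lines in another shape."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # The tail holds {captured header} groups followed by the request line.
    request = re.sub(r"\{[^}]*\}\s*", "", m.group("rest")).strip()
    return Entry(
        client=m.group("client"), frontend=m.group("frontend"),
        backend=m.group("backend"), server=m.group("server") or "<NOSRV>",
        status=int(m.group("status")), tt=int(m.group("tt")),
        term=m.group("term"), request=request,
    )


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def timeout_suspects(entries: List[Entry], server_timeout_ms: int) -> List[Entry]:
    """Entries closed by a server-side timeout whose total time reached the limit."""
    return [e for e in entries if e.term[0] == "s" and e.tt >= server_timeout_ms]


# Constructed sample in the layout of the posted excerpt (documentation IPs,
# placeholder GUIDs, invented host names). The last line is the shape logged
# when no backend server was selected.
SAMPLE_LOG = """\
Jan 31 16:29:12 pfsense haproxy[65367]: 192.0.2.10:17281 [31/Jan/2019:16:29:12.059] http-https-frontend~ ex-RPC-backend_ipvANY/ex1.corp.example 234/0/0/20/254 200 377 - - ---- 756/746/0/1/0 0/0 {mail.example.net|MSRPC} {} {TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/mail.example.net/-} RPC_IN_DATA mail.example.net/Rpc/RpcProxy.dll?00000000-0000-0000-0000-000000000001@example.net:6001 HTTP/1.1
Jan 31 16:29:46 pfsense haproxy[65367]: 192.0.2.10:17280 [31/Jan/2019:16:29:12.803] http-https-frontend~ ex-RPC-backend_ipvANY/ex2.corp.example 2577/0/1/6/33517 401 262 - - sD-- 753/741/1/0/0 0/0 {mail.example.net|MSRPC} {0} {TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/mail.example.net/-} RPC_IN_DATA mail.example.net/rpc/rpcproxy.dll?00000000-0000-0000-0000-000000000001@example.net:6001 HTTP/1.1
Jan 31 16:29:46 pfsense haproxy[65367]: 192.0.2.10:17302 [31/Jan/2019:16:29:16.089] http-https-frontend~ ex-RPC-backend_ipvANY/ex1.corp.example 230/0/0/13/30243 200 346 - - sD-- 752/740/0/0/0 0/0 {mail.example.net|MSRPC} {} {TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/mail.example.net/-} RPC_OUT_DATA mail.example.net/rpc/rpcproxy.dll?00000000-0000-0000-0000-000000000001@example.net:6001 HTTP/1.1
Jan 31 22:09:46 pfsense haproxy[65367]: 192.0.2.20:13159 [31/Jan/2019:22:09:46.359] http-https-frontend~ ex-RPC-backend_ipvANY/ex2.corp.example 64/0/0/2/205 401 262 - - CD-- 236/232/0/0/0 0/0 {mail.example.net|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/mail.example.net/-} RPC_IN_DATA mail.example.net/rpc/rpcproxy.dll?00000000-0000-0000-0000-000000000002@example.net:6002 HTTP/1.1
Feb  5 20:16:53 pfsense haproxy[3970]: 192.0.2.30:54436 [05/Feb/2019:20:16:53.453] MainWebsite~ MainWebsite/<NOSRV> -1/-1/-1/-1/2 400 187 - - CR-- 4/4/0/0/0 0/0 ""
"""

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        flag = "!!" if e.abnormal() else "  "
        print(f"{flag} {e.status} {e.term} {e.tt:>6} ms {e.server:<16} {e.cause()}, {e.phase()}")
```

`timeout_suspects` is the check worth keeping in a runbook: when sessions end with `s` in the first position and their total time sits at or just past the backend's `timeout server`, the proxy is cutting off a connection the client and server still considered live, which is a timeout-sizing problem rather than a fault on either end.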

Haproxy 1.9 with nbthread > 1 and SO_REUSEPORT

@crisrodrigues wrote:

Hey Lukas and haproxy experts,

We’ve been using haproxy 1.8 successfully using:

nbproc 6
.
.
.
listen ssl-offload
   mode tcp
    bind 192.168.5.1:443 ssl crt ... alpn http/1.1,http/1.0 process 1
    bind 192.168.5.1:443 ssl crt ... alpn http/1.1,http/1.0 process 2
    bind 192.168.5.1:443 ssl crt ... alpn http/1.1,http/1.0 process 3
    bind 192.168.5.1:443 ssl crt ... alpn http/1.1,http/1.0 process 4
    bind 192.168.5.1:443 ssl crt ... alpn http/1.1,http/1.0 process 5
    bind 192.168.5.1:443 ssl crt ... alpn http/1.1,http/1.0 process 6

    server clear1 abns@clear1 send-proxy-v2-ssl-cn

This is to follow the advice of best practices to let haproxy use SO_REUSEPORT and distribute the load evenly between all processes.

Now when switching to 1.9 and setting nbproc = 1 and nbthread = 6, the question is: Is the best practice to set a single bind line and will haproxy correctly distribute the load between the threads instead?

Not sure, that’s why I’m asking :slight_smile:

Or is the purpose of a dumb offloader a job for nbproc > 0 and forget about the threads?

Our conf is quite a bit more complex, and the idea of using threads is mainly to have the best accuracy for stick-tables and our shaping logic, but if the best practice is to stick with nbproc > 0 for the offloader, we could use 2 different confs, though that’d be a little ugly and a little more annoying to manage.

Thanks,

Cris

Posts: 2

Participants: 1

Read full topic

Haproxy with FIPS failing

@alitahir wrote:

Hi Experts,

Looking for some help. I’ve compiled HAProxy in FIPS mode and while running haproxy I’m getting a fingerprint mismatch error. I’ve followed the standard procedure to build a FIPS module using the OpenSSL UserGuide 2.0, but I’m not sure what part is missing.

:~$ openssl version
OpenSSL 1.0.2q-fips 20 Nov 2018

:~$ haproxy -vv
error initializing FIPS mode
0:error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match:fips.c:232:

Posts: 1

Participants: 1

Read full topic


Issue with HAProxy and Exchange 2016 with certificate based authentication

@Kir wrote:

I have an Exchange 2016 as a backend that requires client certificates for accessing OWA, and HAProxy as a reverse proxy. When I open OWA from Exchange directly everything is fine: I get a certificate prompt and can choose the one I want. But when I do the same through HAProxy I only get a certificate prompt from HAProxy, and then the browser redirects me to the Exchange authentication page without prompting for a certificate. The relevant part of my config is below.

frontend fe_exch_443
    bind    x.x.x.x:443 ssl crt /etc/ssl/certs/cert.pem ca-file /etc/ssl/certs/cert.crt verify optional crt-ignore-err all
    acl ssl_connection ssl_fc
    acl path_owa path_beg -i /owa/
    http-request deny if path_check
    http-request redirect scheme https code 301 if !{ ssl_fc }
    use_backend bk_exchange_https_owa if path_owa
    default_backend be_exch_443
backend bk_exchange_https_owa
    option httpchk GET /owa/HealthCheck.htm
    http-check expect string 200\ OK
    server  exch        x.x.x.x:443  check ssl verify none maxconn 1000 weight 10 check

Any ideas? Thank you!

Posts: 1

Participants: 1

Read full topic

HAProxy 1 IP for multiple websites on different domains

@Siwat2545 wrote:

I am trying to host 2 WordPress multisites on 2 domains with HAProxy, but I get a NOSRV error. I got it working with a subdomain but never with a different domain.

Time: Feb 5 20:16:53
IP: 192.168.0.1
Host:
Facility: local0
Priority: err
Tag: haproxy[3970]
Message: 192.168.0.100:54436 [05/Feb/2019:20:16:53.453] MainWebsite~ MainWebsite/ -1/-1/-1/-1/2 400 187 - - CR-- 4/4/0/0/0 0/0 “”
This is my configuration
global
maxconn 10000
log 192.168.0.100 local0 debug
stats socket /tmp/haproxy.socket level admin
gid 80
nbproc 1
hard-stop-after 15m
chroot /tmp/haproxy_chroot
daemon
tune.ssl.default-dh-param 4096
server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
	bind 127.0.0.1:2200 name localstats
	mode http
	stats enable
	stats admin if TRUE
	stats show-legends
	stats uri /haproxy/haproxy_stats.php?haproxystats=1
	timeout client 5000
	timeout connect 5000
	timeout server 5000

resolvers globalresolvers
	nameserver cloudflare 1.1.1.1:853
	resolve_retries 3
	timeout retry 1s
	hold valid 10s
frontend custu
	bind			0.0.0.0:44310 name 0.0.0.0:44310   ssl crt-list /var/etc/haproxy/custu.crt_list  
	mode			http
	log			global
	option			http-keep-alive
	option			forwardfor
	acl https ssl_fc
	http-request set-header		X-Forwarded-Proto http if !https
	http-request set-header		X-Forwarded-Proto https if https
	timeout client		3600000
	errorfile			503 /var/etc/haproxy/errorfile_custu_503_error503
	errorfile			504 /var/etc/haproxy/errorfile_custu_504_error504
	acl			cudstudent	var(txn.txnhost) -m end -i cudstudent.com
	acl			siwatinc	var(txn.txnhost) -m end -i siwatinc.com
	acl			aclcrt_custu	var(txn.txnhost) -m reg -i ^siwatinc\.com(:([0-9]){1,5})?$
	acl			aclcrt_custu	var(txn.txnhost) -m reg -i ^([^\.]*)\.siwatinc\.com(:([0-9]){1,5})?$
	http-request set-var(txn.txnhost) hdr(host)
	use_backend mainsite_ipvANY  if  siwatinc aclcrt_custu
	use_backend satitm-node_ipvANY  if  cudstudent aclcrt_custu
	use_backend satitm-node_ipvANY  if   aclcrt_custu
backend mainsite_ipvANY
	mode			http
	id			121
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	server			135 192.168.0.97:443 id 122 ssl check inter 1000  verify none resolvers globalresolvers 
backend satitm-node_ipvANY
	mode			http
	id			182
	log			global
	balance			roundrobin
	timeout connect		30000
	timeout server		30000
	retries			3
	server			satitm 192.168.0.97:4430 id 183 ssl check inter 1000  verify none resolvers globalresolvers

Posts: 1

Participants: 1

Read full topic
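One way to see how the posted `custu` frontend's Host rules fall through, as an added example and not code from the post: the `acl` and `use_backend` lines are transcribed into a small evaluator that applies HAProxy's semantics (several `acl` lines with the same name are OR-ed, the ACL names on one `use_backend` line are AND-ed, rules are tried in order, and a request matching no rule goes to `default_backend`, which this frontend does not set, so no server is chosen and HAProxy logs `<NOSRV>`). Two things it makes visible: the `aclcrt_custu` regexes only ever match `siwatinc.com` and its subdomains, so a Host of `cudstudent.com` satisfies no rule; and `-m end` compares the whole header value, so `siwatinc.com:44310` (the form a browser sends for the non-standard port 44310 the frontend binds) fails the suffix ACL yet passes the regex rule, landing on a different backend than plain `siwatinc.com`. The hostnames used as test input come from the posted config.

```python
import re
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Matcher = Callable[[str], bool]


def end_i(suffix: str) -> Matcher:
    # "-m end -i": case-insensitive suffix match on the whole value, port included.
    return lambda value: value.lower().endswith(suffix.lower())


def reg_i(pattern: str) -> Matcher:
    # "-m reg -i": case-insensitive regular expression match.
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda value: rx.search(value) is not None


# ACL table transcribed from the posted "frontend custu" block; the two
# aclcrt_custu lines OR together as they do in HAProxy.
ACLS: Dict[str, List[Matcher]] = {
    "cudstudent": [end_i("cudstudent.com")],
    "siwatinc": [end_i("siwatinc.com")],
    "aclcrt_custu": [
        reg_i(r"^siwatinc\.com(:([0-9]){1,5})?$"),
        reg_i(r"^([^\.]*)\.siwatinc\.com(:([0-9]){1,5})?$"),
    ],
}

# use_backend rules in the posted order; each condition ANDs its ACL names.
RULES: List[Tuple[str, List[str]]] = [
    ("mainsite_ipvANY", ["siwatinc", "aclcrt_custu"]),
    ("satitm-node_ipvANY", ["cudstudent", "aclcrt_custu"]),
    ("satitm-node_ipvANY", ["aclcrt_custu"]),
]
DEFAULT_BACKEND: Optional[str] = None   # the posted frontend has no default_backend


def acl_matches(name: str, host: str) -> bool:
    return any(match(host) for match in ACLS[name])


def select_backend(host: str) -> Optional[str]:
    """Backend the posted rules pick for this Host header value, or None."""
    for backend, names in RULES:
        if all(acl_matches(n, host) for n in names):
            return backend
    return DEFAULT_BACKEND


def route_table(hosts: Iterable[str]) -> Dict[str, str]:
    """Map each Host value to its backend, using HAProxy's <NOSRV> marker for none."""
    return {h: (select_backend(h) or "<NOSRV>") for h in hosts}


if __name__ == "__main__":
    for host, backend in route_table(
        ["siwatinc.com", "siwatinc.com:44310", "blog.siwatinc.com",
         "cudstudent.com", "www.cudstudent.com"]).items():
        print(f"{host:<24} -> {backend}")
```

The same evaluator is a cheap regression check to keep beside a config: every hostname a frontend is meant to serve should resolve to a backend here before the config is reloaded, and any that resolve to `<NOSRV>` will produce exactly the log line the post shows.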

HAproxy in front of SAML authentication and tomcat

@HenrikBentzen wrote:

Hi,
I’m very new to HAproxy !

I have this question regarding HAproxy and SAML. In my configuration I have a tomcat web application that authenticates via SAML (ADFS):

web.tomcat.com --------> auth.adfs.com

The authentication of the above setup is working fine. Now I have the challenge that I want to have a HAproxy in front, which will respond to several different hostnames/aliases:

HAproxy01.domain.com
example1.alias1.com
example2.alias2.com

The HAproxy responds fine to all aliases, but the SAML configuration is only working if the called address is web.tomcat.com - I know I can configure tomcat to use a proxy URL, but then it would work with that one only.
So the question is, can I configure the HAproxy so it "wraps" the http call, so whatever is redirected to the backend will be with the address web.tomcat.com (so the SAML will work), and the user only sees the alias address in front?

I hope that I made myself clear… :wink:

Thanks Henrik

Posts: 1

Participants: 1

Read full topic

HA Proxy being slow

@Skinnyguinea wrote:

We have HA Proxy set up on 2 servers for forwarding connections to two backend servers that are running Arcos (a tool used to regulate access management to Linux servers).

We have observed that sessions are taking time while connecting through HA proxy. Also, a few sessions don’t connect at all.

Can you let us know how we can troubleshoot this issue? Is there a ready reckoner of steps that need to be tried out in order to diagnose the issue?

Posts: 1

Participants: 1

Read full topic

Unix socket commands \ disable server

@mcont wrote:

Hi, this is my first post here.

I would kindly ask for information on using Unix Socket commands to maintain a server member of a backend group.
In the current configuration I have 2 haproxy nodes with keepalive (in master \ backup mode). When I put a server into “disable” with a Unix Socket command on the master node, the server obviously goes into maintenance, but it remains potentially active (in case of a keepalive switch) on the backup node.
My doubt is the following: is it possible to disable \ service a server on both haproxy nodes with a single Unix Socket command?
Thanks !

Posts: 1

Participants: 1

Read full topic
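Each HAProxy process answers only on its own stats socket, so a command typed on the master node changes nothing on the backup; the operator's tooling has to deliver the same command to every node's socket. The script below is an added example, not code from the post: it formats a `disable server backend/server` command (the `enable` counterpart takes the same shape), sends it over an `AF_UNIX` stream socket the way `socat` would, and fans it out to a mapping of node name to socket path, collecting one reply per node so a node that could not be reached is reported rather than silently left with the server still enabled. `FakeStatsSocket` is a stand-in that records what it receives and answers with the empty line HAProxy returns on success, so the example runs offline; the node names, backend and server names and socket paths are made up.

```python
import os
import socket
import tempfile
import threading
from typing import Dict, List, Tuple


def build_command(action: str, backend: str, server: str) -> bytes:
    """Format a stats-socket command such as b'disable server bk_web/web01\\n'."""
    if action not in ("disable", "enable"):
        raise ValueError("action must be 'disable' or 'enable'")
    for name in (backend, server):
        if not name or "/" in name or any(c.isspace() for c in name):
            raise ValueError(f"bad backend/server name: {name!r}")
    return f"{action} server {backend}/{server}\n".encode()


def send_command(path: str, command: bytes, timeout: float = 5.0) -> str:
    """Send one command to a stats socket and return the reply as text."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(path)
        s.sendall(command)
        s.shutdown(socket.SHUT_WR)          # one command, then wait for the reply
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:                    # HAProxy closes after answering
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def fan_out(action: str, backend: str, server: str,
            sockets: Dict[str, str]) -> Dict[str, str]:
    """Issue the same command on every node's socket; an unreachable node is
    reported in the result instead of aborting the run."""
    command = build_command(action, backend, server)
    replies: Dict[str, str] = {}
    for node, path in sockets.items():
        try:
            replies[node] = send_command(path, command).strip()
        except OSError as exc:
            replies[node] = f"ERROR: {exc}"
    return replies


class FakeStatsSocket:
    """Offline stand-in for a HAProxy admin socket: records each command and
    answers with the empty line HAProxy returns for a successful command."""

    def __init__(self, path: str) -> None:
        self.path = path
        self.received: List[str] = []
        self._srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self._srv.bind(path)
        self._srv.listen(5)
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while True:
            try:
                conn, _ = self._srv.accept()
            except OSError:
                return                      # listener closed
            with conn:
                data = b""
                while not data.endswith(b"\n"):
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    data += chunk
                self.received.append(data.decode())
                conn.sendall(b"\n")

    def close(self) -> None:
        try:
            self._srv.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        self._srv.close()
        os.unlink(self.path)


def demo() -> Tuple[Dict[str, str], Dict[str, List[str]]]:
    """Disable bk_web/web01 on two fake nodes; return the replies and what each
    node received. Node, backend and server names are made up."""
    tmp = tempfile.mkdtemp()
    paths = {n: os.path.join(tmp, f"{n}.sock") for n in ("lb-master", "lb-backup")}
    fakes = {n: FakeStatsSocket(p) for n, p in paths.items()}
    try:
        replies = fan_out("disable", "bk_web", "web01", paths)
        return replies, {n: list(f.received) for n, f in fakes.items()}
    finally:
        for f in fakes.values():
            f.close()
        os.rmdir(tmp)


if __name__ == "__main__":
    print(demo())
```

`disable server` is only accepted on a socket declared with `level admin`, and that level lets anyone who can write to the socket take servers out of rotation on that node, so the `stats socket` line should carry `mode`, `user` and `group` options that restrict it to the operations account that runs a script like this one.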
