Channel: HAProxy community - Latest topics

Migration from NGINX Plus to HAProxy for E-WorkBook


@moscardo wrote:

Hi,
We are trying to migrate the E-WorkBook application from NGINX Plus to HAProxy. The developers say that only NGINX Plus is supported, and I have never translated a config before and am not too familiar with it. Can anyone give me a hand? I think the tricky part is the Upgrade protocol, which I don’t really get.

Here is a link to the documentation too: https://knowledgebasecontent.s3.amazonaws.com/ProductDocumentation/EWB1040/E-WorkBook%2010.4.x%20White%20Paper%20-%20Load%20Balancer%20Configuration.pdf

upstream ewb_web {
    zone upstream_ewb_web 64k;
    sticky cookie srv_id path=/;
    server <server 1 IP>:8443;
    server <server 2 IP>:8443;
    keepalive 32;
}

upstream ewb_desktop {
    zone upstream_ewb_desktop 64k;
    server <server 1 IP>:8443;
    server <server 2 IP>:8443;
}

upstream ewb_web_ir {
    zone ewb_web_ir 64k;
    server <server 1 IP>:8443;
    server <server 2 IP>:8443;
    ip_hash;
}

# We only set the "Connection" header to upgrade if the "Upgrade:" header is present (as it will be
# for web sockets and EWB Desktop Client connections)
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      '';
}

# Set a variable for whether a response code is considered a failure (and will not be cached)
map $status $status_is_failure {
    200 0;
    301 0;
    302 0;
    default 1;
}

proxy_cache_path /tmp/nginx-ewb-cache keys_zone=ewb-cache:1m inactive=1d;
proxy_no_cache $status_is_failure;

proxy_http_version 1.1;
proxy_pass_header Server;

# Pass on http Upgrade headers (WebSockets/EWB Desktop Client) so that protocol upgrades work.
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;

# Set up X-Forwarded headers so that WildFly interprets the client's IP correctly
# Note that X-Forwarded-For is set to a specific address, rather than adding the address to a list.
# This prevents an attack whereby a bogus X-Forwarded-For could be supplied in the initial request
# (overriding the client's real IP).
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto https;

# Pass on Host header so that upstream servers see the load balancer
proxy_set_header Host $http_host;

# Default timeouts of 20 minutes
proxy_read_timeout 20m;
proxy_send_timeout 20m;
send_timeout 20m;

server {
    listen      8443 ssl default_server;
    server_name <FQDN OF E-WORKBOOK>;
    status_zone eworkbook;

    ssl_certificate      /etc/nginx/ssl/<CERTIFICATE FILE>.crt;
    ssl_certificate_key  /etc/nginx/ssl/<CERTIFICATE KEY>.key;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  10m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location = / {
        proxy_pass https://ewb_desktop;
        proxy_read_timeout 1h;
        proxy_send_timeout 1h;
        client_max_body_size 0;
    }

    location / {
        proxy_pass https://ewb_web;
        proxy_redirect https://ewb_web $scheme://$host:$server_port;
        proxy_cache ewb-cache;
        client_max_body_size 0;
    }

    location ~/instruments {
        proxy_pass https://ewb_web_ir;
        proxy_buffering off;
        proxy_ignore_client_abort off;
    }

    location /status {
        # If required, add allow/deny or password directives to restrict access to this status information
        status;
    }

    location = /status.html {
        alias /usr/share/nginx/html/status.html;
    }
}
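The two header rules the comments in that NGINX config describe (send Connection: upgrade only when the client sent an Upgrade header; set X-Forwarded-For to the socket peer address instead of appending to whatever the client supplied) modelled in Python, added here as an example that is not part of the post or of the E-WorkBook whitepaper. The header dicts, the peer address 203.0.113.5 and the host name are constructed; the point it makes checkable is why the whitepaper overwrites X-Forwarded-For rather than appending.

```python
from typing import Dict

# Constructed example (not from the E-WorkBook whitepaper or the post): models the
# header rules of the NGINX snippet so the effect of "set X-Forwarded-For to the
# peer address" versus "append to the list" can be checked without a proxy running.


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    """Case-insensitive view of an HTTP header dict."""
    return {k.lower(): v for k, v in headers.items()}


def upstream_headers(client_headers: Dict[str, str], remote_addr: str,
                     scheme: str = "https") -> Dict[str, str]:
    """Headers the proxy sends upstream, following the NGINX snippet's rules:
    - Host is passed through unchanged;
    - Upgrade/Connection are forwarded only when the client sent Upgrade
      (the $connection_upgrade map: '' when absent, 'upgrade' otherwise;
      nginx drops a header whose value is empty);
    - X-Forwarded-For is *set* to the socket peer address, never appended to;
    - X-Forwarded-Proto is forced to the listener's scheme.
    """
    h = _lower(client_headers)
    out: Dict[str, str] = {}
    if "host" in h:
        out["Host"] = h["host"]
    upgrade = h.get("upgrade", "").strip()
    if upgrade:  # WebSocket / EWB Desktop Client handshake
        out["Upgrade"] = upgrade
        out["Connection"] = "upgrade"
    out["X-Forwarded-For"] = remote_addr      # client-supplied value discarded
    out["X-Forwarded-Proto"] = scheme
    return out


def appended_xff(client_headers: Dict[str, str], remote_addr: str) -> str:
    """The contrasting 'append' policy (nginx $proxy_add_x_forwarded_for,
    HAProxy 'option forwardfor'): keeps whatever the client sent in front."""
    existing = _lower(client_headers).get("x-forwarded-for", "").strip()
    return f"{existing}, {remote_addr}" if existing else remote_addr


def naive_client_ip(xff: str) -> str:
    """What many application servers do with X-Forwarded-For: trust the first entry."""
    return xff.split(",")[0].strip()


def demo() -> Dict[str, str]:
    """Forged X-Forwarded-For arriving from peer 203.0.113.5 (constructed request)."""
    forged = {"Host": "ewb.example.test:8443", "X-Forwarded-For": "10.0.0.1",
              "Upgrade": "websocket", "Connection": "Upgrade"}
    peer = "203.0.113.5"
    overwritten = upstream_headers(forged, peer)["X-Forwarded-For"]
    appended = appended_xff(forged, peer)
    return {
        "overwrite_policy_sees": naive_client_ip(overwritten),  # real peer
        "append_policy_sees": naive_client_ip(appended),        # attacker's value
    }


if __name__ == "__main__":
    print(demo())
```

In HAProxy terms the overwrite rule is `http-request set-header X-Forwarded-For %[src]`, whereas `option forwardfor` appends the peer address to whatever the client sent (and with `if-none` leaves a client-supplied value untouched), which is exactly the case the whitepaper comment warns about. HAProxy negotiates the Upgrade/Connection handshake itself, so no equivalent of the `$connection_upgrade` map is needed; `timeout tunnel` governs how long an upgraded connection may stay idle, which is where the 20-minute and 1-hour values above belong.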



HAProxy 1.8.14 and ADFS 4.0


@BlackAdderDK wrote:

Hi

I’m trying to get ADFS to work behind HAProxy, and it works in a simple TCP setup:

defaults
log global
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms

frontend ADFSFrontend
bind 10.0.0.100:443
mode tcp
default_backend ADFSBackend

backend ADFSBackend
mode tcp
balance roundrobin
server 450adfs01 10.0.0.101:443 check
server 450adfs02 10.0.0.102:443 check

On the other hand, I can get SNI to work… but I can’t get any checks to work here - any ideas?

frontend ADFSFrontend
bind 10.0.0.100:443 ssl crt /etc/ssl/mycert.pem
mode tcp
default_backend ADFSBackend

backend ADFSBackend
mode tcp
balance roundrobin
option httpchk GET /adfs/ls/IdpInitiatedSignon.aspx HTTP/1.0\r\n
http-check expect string Sign\ in
reqadd X-Forwarded-Proto:\ https if { ssl_fc }
server 450adfs01 10.0.0.101:443 ssl verify none sni ssl_fc_sni inter 3s rise 2 fall 3
server 450adfs02 10.0.0.102:443 ssl verify none sni ssl_fc_sni inter 3s rise 2 fall 3

Any comments are welcome

Best regards
Flemming


Hide part of URL

HAproxy 1.9.4 permission alert when reload


@steve wrote:

I’m trying to change an existing HAProxy 1.8.14 to 1.9.4.

When I try to reload HAProxy 1.9.4, I see this ALERT:
‘[ALERT] 063/071856 (60) : sendmsg()/writev() failed in logger #1: Operation not permitted (errno=1)’

I used the HAProxy Alpine Docker image,
and I guess it is some kind of write-access permission problem.

Any ideas?


Frontend configuration limit

Unable to open a port using haproxy


@Gayathri wrote:


Hi All,

I am getting the below error while loading the haproxy service.

‘bind :::6971’ : unable to load SSL private key into SSL Context ‘/usr/xxx/yyy/HAProxy.pem.rsa’.

Command used for starting the haproxy service :

haproxy -D -f /usr/local/conf/haproxy.conf

The conf file contains many ports, and if I comment out this particular port the service starts.

Tested the below things:

  1. Certificate and its key match

  2. Executed the test in SELinux permissive mode

  3. Order changed for HAProxy_truststore.pem.

Bind command :

bind :::6971 ssl crt /usr/xxx/yyy/HAProxy.pem ca-file /usr/xxx/yyy/HAProxy_truststore.pem verify optional force-tlsv12 ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256 npn http/1.1 curves P-256:P-384:P-521 prefer-client-cip

Thanks,
Gayathri


HAProxy HA VIP Pacemaker Corosync PCS


@SeanHaynes wrote:

Hello all!

I can not tell you how pleased I was to discover HAProxy. What a brilliant piece of kit!

At work I have 3 IIS servers that front a db backend. Historically the company used the MS NLB which has worked to a degree but does nothing but round robin requests with no ability to report node issues, let alone shoot them in the head!

So I was looking for a solution and came across HAProxy - now understand I am not a Linux guru, my exposure has in the past been very very limited so I have had a bit of a learning curve to do.

I have to say that ‘out of the box’ getting a single instance of HAProxy to load balance across the 3 IIS servers was surprisingly easy.

But you know how it is… I decided the better solution would be to have two instances of HAProxy in an ‘Active/Passive’ configuration to provide a good level of resilience.

I have followed a tutorial from ‘Clusters from Scratch’ which was really useful and another from Digital Ocean as well as dipping into many other resources.

As it stands at the moment I have Pacemaker / Corosync / PCS and HAProxy installed on 2 Ubuntu Servers. The cluster is up and running though I am yet to configure fencing and STONITH.

I am now stuck, probably because I’m not seeing the obvious. I have a VIP setup that the cluster uses as a resource, I now need to add HAProxy as a resource in Pacemaker, before I can I need to setup the HAProxy.cfg file.

In some of the tutorials it says that I need to bind the front end to the host IP, other resources say I need to bind the front end to the virtual IP.

Can someone please clarify this for me?

Many thanks!


Newbie Support to configure multiple Apps on the same HTTPS port


@vsk123 wrote:

Hi,

We currently have HAProxy configured for a single application using HTTPS, and the SSL connections don’t terminate in HAProxy; they terminate in the application. https://xxx.yyy.com

Now we want to map one more application to the same domain using different routes/context path.

https://xxx.yyy.com/app1 ===> maps to app1 running on port 1
https://xxx.yyy.com/app2 ===> maps to app2 running on a port 2

Please advise how this should be configured.



Help with rewrite / redirect


@sinisa wrote:

Hi people.

First of all I have to say I am total newb when it comes to web servers and related things.

I am having problems with something I think should be fairly simple to do.

HA-Proxy version 1.5.18

I need to redirect people from wap.mysite.com to www.mysite.com.

Everything I try does not work.

Do I need frontend and backend config, or how do I achieve this?

Thank You


Looking for logs visualization solutions


@mindeswx wrote:

Hello, I’m looking for a log visualization solution to help me find unnatural activity. The main things I would be looking at:

How many times each domain was called
Total bandwidth to port
Filtering domains/ports used by source IP
Number of connections by port.

I have tried datadoghq so far, but still looking for better/ (self hosted?) alternatives.

Thank you!
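The four aggregations listed in this post (calls per domain, bytes per listening port, domains and ports per source IP, connections per port) computed over HAProxy log lines, added here as an example that is not from the post or from any of the products it mentions. It assumes a constructed custom `log-format` (shown in the comment) that adds the listening port via `%fp` and the captured Host header via `%hr`; the sample lines are constructed, and the last one is a process message of the kind HAProxy also writes to the same log, included to show that non-access lines are counted and skipped rather than crashing the parser.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# Assumed (constructed for this example) frontend configuration producing the lines parsed below:
#   capture request header Host len 64
#   log-format "%ci:%cp [%t] %ft %fp %b/%s %ST %B %hr %{+Q}r"
# %fp is the listening port the client hit; %hr renders captured request headers as {host}.
# A syslog prefix ("Mar  9 15:28:44 lb haproxy[13238]: ") may precede each line and is skipped.
LINE_RE = re.compile(
    r"^(?:.*?haproxy\[\d+\]: )?"
    r"(?P<src>\S+?):(?P<sport>\d+) "
    r"\[(?P<ts>[^\]]+)\] "
    r"(?P<frontend>\S+) (?P<port>\d+) "
    r"(?P<backend>\S+)/(?P<server>\S+) "
    r"(?P<status>-?\d+) (?P<bytes>\d+) "
    r"\{(?P<host>[^}]*)\} "
    r'"(?P<request>[^"]*)"$'
)

# Constructed sample log (not real traffic). The last line is not an access record.
SAMPLE_LOG = """\
Mar  9 15:28:44 lb haproxy[13238]: 203.0.113.10:51234 [09/Mar/2019:15:28:44.123] www-https 443 tomcats/webapp1 200 5120 {app.example.com} "GET /index.html HTTP/1.1"
Mar  9 15:28:45 lb haproxy[13238]: 203.0.113.10:51240 [09/Mar/2019:15:28:45.001] www-https 443 tomcats/webapp2 200 880 {app.example.com} "GET /static/app.js HTTP/1.1"
Mar  9 15:28:46 lb haproxy[13238]: 198.51.100.7:40001 [09/Mar/2019:15:28:46.410] www-http 80 tomcats/webapp1 301 0 {app.example.com} "GET / HTTP/1.1"
Mar  9 15:28:47 lb haproxy[13238]: 198.51.100.7:40002 [09/Mar/2019:15:28:47.020] www-https 8443 tomcats/webapp1 200 2048 {admin.example.com} "GET /login HTTP/1.1"
Mar  9 15:28:48 lb haproxy[13238]: 198.51.100.7:40003 [09/Mar/2019:15:28:48.500] www-https 8443 tomcats/webapp2 403 512 {chat.example.com} "GET /admin HTTP/1.1"
Mar  9 15:28:50 lb haproxy[13237]: Proxy www_http started.
"""


class Entry(NamedTuple):
    src: str
    port: int
    host: str
    status: int
    bytes_out: int
    request: str


def parse_line(line: str) -> Optional[Entry]:
    """One log line -> Entry, or None when the line is not an access record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["src"], int(m["port"]), m["host"], int(m["status"]),
                 int(m["bytes"]), m["request"])


def parse_log(lines: Iterable[str]) -> Tuple[List[Entry], int]:
    """Parse all lines; returns (entries, number of skipped non-access lines)."""
    entries: List[Entry] = []
    skipped = 0
    for line in lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            skipped += 1
        else:
            entries.append(entry)
    return entries, skipped


def summarize(entries: Iterable[Entry]) -> Dict[str, object]:
    """The four views the post asks for, keyed by domain, port or source address."""
    calls_per_domain: Counter = Counter()
    bytes_per_port: Counter = Counter()
    connections_per_port: Counter = Counter()
    by_source: Dict[str, Dict[str, set]] = defaultdict(lambda: {"domains": set(), "ports": set()})
    for e in entries:
        calls_per_domain[e.host] += 1
        bytes_per_port[e.port] += e.bytes_out       # %B: bytes sent back to the client
        connections_per_port[e.port] += 1           # one logged request per line in HTTP mode
        by_source[e.src]["domains"].add(e.host)
        by_source[e.src]["ports"].add(e.port)
    return {"calls_per_domain": calls_per_domain, "bytes_per_port": bytes_per_port,
            "connections_per_port": connections_per_port, "by_source": dict(by_source)}


def noisy_sources(summary: Dict[str, object], max_domains: int = 2) -> List[str]:
    """Sources that touched more distinct Host names than one user normally would."""
    return sorted(src for src, seen in summary["by_source"].items()
                  if len(seen["domains"]) > max_domains)


if __name__ == "__main__":
    parsed, dropped = parse_log(SAMPLE_LOG.splitlines())
    report = summarize(parsed)
    print(f"parsed {len(parsed)} records, skipped {dropped}")
    for key in ("calls_per_domain", "bytes_per_port", "connections_per_port"):
        print(key, dict(report[key]))
    print("sources touching many domains:", noisy_sources(report))
```

With `mode http` each line is one request, so `connections_per_port` counts logged requests rather than TCP connections; a frontend in `mode tcp` with `option tcplog` would need a different line layout. The threshold in `noisy_sources` is a starting point for the "unnatural activity" question, to be tuned against the site's own baseline before it drives any alerting.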


Binding on both 443 & 8443 used to work, until I implemented Let's Encrypt. Now 443 works but 8443 no longer does


@macguy.ag wrote:

I’m hoping someone can help me figure this out.

I used to have HAProxy set up such that requests on port 80 would redirect to SSL over port 443, and also explicit requests to SSL over port 8443 would also work. Then my CIO decreed that we were moving to using Let’s Encrypt for our SSL certs. I got that working on my HAProxy server, but now there’s no response when I try to go directly to port 8443.

Here’s my complete HAProxy.cfg file:

# Configuration gleaned from both the course manual for the Jamf 350 Server Admin certification course,
# from https://arstechnica.com/information-technology/2015/05/web-served-how-to-make-your-site-all-https-all-the-time-for-everyone/,
# from https://www.digitalocean.com/community/tutorials/how-to-secure-haproxy-with-let-s-encrypt-on-ubuntu-14-04,
# and from https://gist.github.com/thisismitch/7c91e9b2b63f837a0c4b

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers TLS+ECDHE+RSA+WITH+AES+256+GCM+SHA384:TLS+ECDHE+ECDSA+WITH+AES+256+GCM+SHA384:TLS+ECDH+RSA+WITH+AES+256+GCM+SHA384:TLS+ECDH+ECDSA+WITH+AES+256+GCM+SHA384:TLS+ECDHE+RSA+WITH+AES+128+GCM+SHA256:TLS+ECDHE+ECDSA+WITH+AES+128+GCM+SHA256:TLS+ECDH+RSA+WITH+AES+128+GCM+SHA256:TLS+ECDH+ECDSA+WITH+AES+128+GCM+SHA256:TLS+ECDHE+RSA+WITH+AES+256+CBC+SHA384:TLS+ECDHE+ECDSA+WITH+AES+256+CBC+SHA384:TLS+ECDHE+RSA+WITH+AES+256+CBC+SHA:TLS+ECDHE+ECDSA+WITH+AES+256+CBC+SHA:TLS+ECDH+RSA+WITH+AES+256+CBC+SHA384:TLS+ECDH+ECDSA+WITH+AES+256+CBC+SHA384:TLS+ECDH+RSA+WITH+AES+256+CBC+SHA:TLS+ECDH+ECDSA+WITH+AES+256+CBC+SHA:TLS+ECDHE+RSA+WITH+AES+128+CBC+SHA256:TLS+ECDHE+ECDSA+WITH+AES+128+CBC+SHA256:TLS+ECDHE+RSA+WITH+AES+128+CBC+SHA:TLS+ECDHE+ECDSA+WITH+AES+128+CBC+SHA:TLS+ECDH+RSA+WITH+AES+128+CBC+SHA256:TLS+ECDH+ECDSA+WITH+AES+128+CBC+SHA256:TLS+ECDH+RSA+WITH+AES+128+CBC+SHA:TLS+ECDH+ECDSA+WITH+AES+128+CBC+SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
    ssl-default-bind-options no-sslv3 no-tlsv10

    # Maximum allowed simultaneous connections
    maxconn 2048

    # Crypto key size
    tune.ssl.default-dh-param 4096

defaults
    log global
    mode http
    option httplog
    option dontlognull
    option forwardfor
    option http-server-close
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

# Frontend definitions

frontend www-http
    bind *:80
    reqadd X-Forwarded-Proto:\ http
    default_backend tomcats

frontend www-https-443
    bind *:443 ssl crt /etc/haproxy/certs/server.mycompany.com.pem
    acl secure dst_port eq 443
    http-request replace-header Host ^(.*?)(:[0-9]+)?$ \1:443
    reqadd X-Forwarded-Proto:\ https
    rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains;\ preload
    rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if secure
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl
    default_backend tomcats

frontend www-https-8443
    bind *:8443 ssl crt /etc/haproxy/certs/server.mycompany.com.pem
    acl secure dst_port eq 8443
    http-request replace-header Host ^(.*?)(:[0-9]+)?$ \1:8443
    reqadd X-Forwarded-Proto:\ https
    rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains;\ preload
    rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if secure
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl
    default_backend tomcats

# Backend definitions

backend tomcats
    http-request redirect scheme https if !{ ssl_fc }
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    balance roundrobin
    cookie JSESSIONID prefix nocache
    server webapp1 xxx.xxx.xxx.xxx:8080 check cookie webapp1
    server webapp2 yyy.yyy.yyy.yyy:8080 check cookie webapp2

backend letsencrypt-backend
    server letsencrypt 127.0.0.1:54321

Interestingly, I see no trace of any attempts at communication on port 8443 in my haproxy.log file. I’ll attach that in a reply message if needed.


HAProxy 1.8.18/19 occasional crashes with multi-threading enabled


@kiran_kumar_1991 wrote:

Hi,

We’ve configured HAProxy to operate in multi-threaded mode and we’ve seen HAProxy crashing occasionally. Please find the details below:

haproxy -vv
HA-Proxy version 1.8.18 2019/02/06
Copyright 2000-2019 Willy Tarreau willy@haproxy.org
Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O0 -g -fno-strict-aliasing
OPTIONS = USE_SLZ=1 USE_OPENSSL=1 USE_STATIC_PCRE=1 USE_PCRE_JIT=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with network namespace support.
Built with libslz for stateless compression.
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE version : 8.41 2017-07-05
Running on PCRE version : 8.41 2017-07-05
PCRE library supports JIT : yes
Built with multi-threading support.
Encrypted password support via crypt(3): yes
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available filters :
[TRACE] trace
[COMP] compression
[SPOE] spoe

$ cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)

Snippet of HAProxy config file:

global
log /var/lib/tmp/log.sock local0 info alert
stats socket /var/lib/tmp/run/haproxy.sock mode 600 level admin expose-fd listeners
stats timeout 2m
stats maxconn 2
nbproc 1
nbthread 8
maxconn 20000
daemon
pidfile /var/lib/tmp/run/haproxy.pid
ssl-dh-param-file /var/lib/keys/dhparam.pem
tune.ssl.lifetime 86400
tune.ssl.cachesize 600000
ssl-default-bind-options no-tls-tickets ssl-min-ver TLSv1.0

Core dump analysis using GDB:

gdb /opt//external/bin/haproxy core.11974
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-100.el7_4.1
Copyright © 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/
Reading symbols from /opt//external/bin/haproxy…done.
[New LWP 11982]
[New LWP 11977]
[New LWP 11976]
[New LWP 11974]
[New LWP 11978]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/opt//external/bin/haproxy -f /var/lib//runtime/config/ha'.
Program terminated with signal 6, Aborted.
#0 0x00007f559e1f3277 in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install [redacted]-0.0.0-1141.x86_64
(gdb) bt
#0 0x00007f559e1f3277 in raise () from /lib64/libc.so.6
#1 0x00007f559e1f4968 in abort () from /lib64/libc.so.6
#2 0x00007f559e235d37 in __libc_message () from /lib64/libc.so.6
#3 0x00007f559e23e499 in _int_free () from /lib64/libc.so.6
#4 0x00000000004d047d in deinit_log_buffers () at src/log.c:1387
#5 0x00000000004d0336 in deinit_log_buffers_per_thread () at src/log.c:1365
#6 0x00000000004cbd08 in run_thread_poll_loop (data=0x1f4bf2c) at src/haproxy.c:2485
#7 0x00007f559ec64e25 in start_thread () from /lib64/libpthread.so.0
#8 0x00007f559e2bbbad in clone () from /lib64/libc.so.6

Related code in log.c:

1380 /* Deinitialize log buffers used for syslog messages */
1381 void deinit_log_buffers()
1382 {
1383 free(logheader);
1384 free(logheader_rfc5424);
1385 free(logline);
1386 free(logline_rfc5424);
1387 free(startup_logs);
1388 logheader = NULL;
1389 logheader_rfc5424 = NULL;
1390 logline = NULL;
1391 logline_rfc5424 = NULL;
1392 startup_logs = NULL;
1393 }

Any idea on what could possibly be wrong?

Apologies for the bad formatting. I’m new to this forum and couldn’t figure out how to format the lines properly.

Thank you.

Regards,
Kiran


Haproxy in front of LXD containers


@rayj00 wrote:

I am working on a project that is using multiple LXD containers on Ubuntu 16.04.
The containers all have a single website. They also all have the same
application running that uses port 3000. I’ll just talk about one of the containers.

The index.html for the container has an iFrame src that is located in the same container.

I have haproxy in front of the containers. I have installed letsencrypt on the haproxy.
I can access the webpage just fine, but the iFrame is giving me problems and will
not connect.

Is there something special I need with haproxy and https to the container? How do I configure it?

I hope I can get an answer. Been dicking with this issue for months now.

Thanks,

Ray


Stuck with Server Connection Failed problem


@aminnesotaman wrote:

Hello,

I have haproxy setup as a reverse proxy to serve several web applications. I have it set to pass through ssl. I’ve added a site that is hosted in IIS 10. I have a letsencrypt certificate for it. If I configure the web server without going through the proxy, it works. However, when I add haproxy, browsers give me a Server Connection Failed or similar. I’m stuck. Below is a portion of my config. IPOLPROD is the backend in question.

frontend https
bind *:443
mode tcp
option tcplog
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }

###ACCESS CONTROL LISTS###

#acl for nextcloudprod
acl host_nextcloudprod req_ssl_sni -i nc.example.com

#acl for desktopcentral
acl host_desktopcentral req_ssl_sni -i medc.example.com

#acl for ipolprod
acl host_ipolprod req_ssl_sni -i inventory.example.com

#acl for rocketchat
acl host_rocketchat req_ssl_sni -i chat.example.com

#redirect for nextcloud
use_backend nextcloudprod-https if host_nextcloudprod

#redirect for desktopcentral
use_backend desktopcentral-https if host_desktopcentral

#redirect for ipolprod
use_backend ipolprod-https if host_ipolprod

#redirect for rocket-chat
use_backend rocketchat-https if host_rocketchat

backend nextcloudprod-https
mode tcp
option tcplog
option forwardfor
option ssl-hello-chk
server nextcloudprod 192.168.1.253:9501 check

#backend desktopcentral-https
mode tcp
option forwardfor
option ssl-hello-chk
server desktopcentral 192.168.1.112:8443 check

backend ipolprod-https
mode tcp
option tcplog
option forwardfor
server ipolprod 192.168.1.210:443 check

#backend rocketchat-https
mode tcp
option forwardfor
option ssl-hello-chk
server rocketchat 192.168.1.118:443 check


Haproxy stops responding with a new certificate


@colmsjo wrote:

I have a haproxy (1.5) configuration that’s been up and running for years without any problems. It stops responding to any connection when I install a new certificate. It starts responding again when I remove the certificate. I’ve bought the certificate at RapidSSL (where I’ve bought my previous certificates). I tried to upgrade to haproxy 1.8 but it makes no difference. Any suggestions how I can investigate this?



Haproxy in front of containers....more!


@rayj00 wrote:

So, I have progressed a little with my former issue although things still not working.

To review…I am using port forwarding for various ports to an haproxy server installed on an LXD container.
I also have a container LPC1 with nginx serving pages.

Then I have the following simple frontend:

frontend www_http
    bind *:80 #bind to port 80
    # it matches if the http host: field mentions any of the hostnames (after the '-i').
    acl host_LPC1 hdr(host) -i lpc1.streamingworld.us

    # Redirect the connection to the proper server container, depending on the match.
    use_backend cont_LPC1 if host_LPC1

backend cont_LPC1
    balance leastconn
    # We set the X-Client-IP HTTP header. This is useful if we want the web server to know the real client IP.
    http-request set-header X-Client-IP %[src]
    # This backend, named here "LPC1", directs to container "LPC1.lxd".
    server LPC1 LPC1.lxd:80 check

This appears to work as I can display the index.html. Now inside the index.html, I have an iFrame with the src= port 3000 of the same container (LPC1.lxd), so here is what I thought would work for the haproxy:

frontend play
bind *:3000
acl url_static hdr(host) -i lpc1.streamingworld.us/embed/0x35e01199f8137077346fdd476191f1967a52bdb5
use_backend static if url_static

backend static
balance leastconn
#http-request set-header X-Client-IP %[src]
server LPC1play LPC1.lxd:3000 check

I am not sure of either front or backend configurations?

When I run sudo haproxy -f /etc/haproxy/haproxy.cfg -c
Configuration file is valid

But when I restart haproxy, I get:

Mar 9 15:28:44 HAPROXY haproxy[13210]: [WARNING] 067/144947 (13210) : Exiting Master process…
Mar 9 15:28:44 HAPROXY haproxy[13210]: [ALERT] 067/144947 (13210) : Current worker 13211 exited with code 143
Mar 9 15:28:44 HAPROXY haproxy[13210]: [WARNING] 067/144947 (13210) : All workers exited. Exiting… (143)
Mar 9 15:28:44 HAPROXY haproxy[13237]: Proxy www_http started.
Mar 9 15:28:44 HAPROXY haproxy[13237]: Proxy www_http started.
Mar 9 15:28:44 HAPROXY haproxy[13237]: Proxy www_https started.
Mar 9 14:49:47 HAPROXY haproxy[13211]: backend static has no server available!
Mar 9 15:28:44 HAPROXY haproxy[13238]: Server static/LPC1play is DOWN, reason: Layer4 connection problem, info: "Connection refused", check duration: 0ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Mar 9 15:28:44 HAPROXY haproxy[13238]: Server static/LPC1play is DOWN, reason: Layer4 connection problem, info: "Connection refused", check duration: 0ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Mar 9 15:28:44 HAPROXY haproxy[13238]: backend static has no server available!
Mar 9 15:28:44 HAPROXY haproxy[13237]: Proxy www_https started.
Mar 9 15:28:44 HAPROXY haproxy[13237]: Proxy play started.
Mar 9 15:28:44 HAPROXY haproxy[13237]: Proxy play started.
Mar 9 15:28:44 HAPROXY haproxy[13237]: Proxy static started.
Mar 9 15:28:44 HAPROXY haproxy[13237]: Proxy static started.
Mar 9 15:28:44 HAPROXY haproxy[13237]: Proxy cont_LPC1 started.
Mar 9 15:28:44 HAPROXY haproxy[13237]: Proxy cont_LPC1 started.
Mar 9 15:28:44 HAPROXY haproxy[13237]: Proxy subdomain1 started.

First I’m not sure why I am seeing double outputs?
But worse, why the connection refused?

Your help is much appreciated!

Ray


Trying to redirect 302. (Don't want Man-in the Middle proxy)


@WhiteOC wrote:

Hello!

Scenario:
1.zip exists on NGINX-1 and NGINX-2 (my backends, which are both reverse proxies)

The client requests 1.zip from HAProxy, which finds the least busy server and sends that request to that server (NGINX-1 or NGINX-2) BUT without staying in the middle.
I don’t want HAProxy to act as a reverse proxy and pull the data for the client (from the backend),
and then send the data to the client from the HAProxy server.
Instead, I want it to send the user directly to the edge server (nginx).

I assume that to do so I must use a 302 redirect?!

I’m trying to make HAProxy do 2 things and I’m not sure how, or if it is possible.

  1. Make HAproxy to do redirect to the backend servers, and not stay as “Man in the middle” between the client and the server.

  2. Make HAproxy Load-balance (send to the server with the least bandwidth) between the backends while always sending to the backends with redirect.

So after stage 3 (of the picture), HA doesn’t talk anymore with the client.
Is that possible, and if so how?

I appreciate any help!


Running MYSQL and Web Server load balancing 503 Error


@michael1234 wrote:

Hi,
Hope somebody can help I have run out of idea’s :frowning:

Is it possible to run MySQL cluster load balancing and HTTPS load balancing on the same instance of haproxy?

I have the following setup, but I get a 10-minute delay on the application when one of the MySQL servers is shut down, and I receive a 503 error. If I manually restart the haproxy service the application comes back online.

Cluster Application ( 2 Nodes )
MYSQL Cluster (2 Nodes )
Keepalive Virtual IP

The application connects to the virtual IP for the database cluster and application

I think I have configured the haproxy frontend or backend incorrectly
Any help would be much appreciated

Config

frontend http_front
mode http
bind *:80
bind *:443 ssl crt /etc/ssl/certs/mycert.pem
stats uri /haproxy?stats
default_backend http_back

backend http_back
mode http
balance roundrobin
cookie JSESSIONID prefix nocache
option forwardfor
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
server FQDN 10.40.3.170:8080 cookie App1 check
server FQDN 10.40.3.171:8080 cookie App2 check
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }


SSL/TLS offloading / Let's Encrypt - tcp only


@Rodman wrote:

Hello team

I have a task to reroute socket connections via an SSL/TLS port to a non-SSL port with

I have a task to:

  1. receive incoming TCP socket connections with SSL/TLS verification (with a Let’s Encrypt certificate for the domain) on port 3433
  2. decrypt the data and resend it (without SSL/TLS) to port 3000 on the same server
  3. be sure to keep such socket connections alive for a long time

I found this description: https://www.haproxy.com/documentation/haproxy/deployment-guides/tls-infrastructure/#ssl-tls-offloading

But I can’t understand:

  1. Do I have to replace the default config with this config?
  2. How can I hook up the Let’s Encrypt certificate?
  3. How do I enable full logs?

Please help me with this config.
What should the real config look like?

Thanks


Unable to load private key


@Gayathri wrote:

Hi All,

I am getting the below error while starting HAProxy service.

root@ABC keys]# /usr/local/cm/bin/haproxy -D -f /usr/local/cm/conf/haproxy.conf

[ALERT] 026/113546 (22869) : parsing [/usr/local/cm/conf/haproxy.conf:28] : ‘bind :::6971’ : unable to load SSL private key into SSL Context ‘/usr/local/cm/.security/CallManager/keys/HAProxy.pem.rsa’.

I have compared my cert and the key corresponding to HAProxy.pem.rsa and they match. Could you please help me solve this issue?

Thanks,
Gayathri

