Channel: HAProxy community - Latest topics

Redirection with URL masking


@Khuram wrote:

Hi,
I am new to HAProxy load balancing and I am doing okay at redirecting traffic to two different URLs, but I am unable to mask the URL at the client end. All I want is to redirect traffic from test.uv.edu.pk to test1.uv.edu.pk and test2.uv.edu.pk without changing the URL at the client end, so that the client cannot see the backend URLs.

Some of my configurations are shared below:

frontend test
    bind 192.168.128.10:80
    acl is_test.uv.edu.pk hdr(host) -i test.uv.edu.pk
    use_backend test_backend_servers if is_test.uv.edu.pk
    default_backend test_backend_servers
    option forwardfor

backend test_backend_servers
    mode http
    reqrep ^([^\ ]*)\ (.*) \1\ \2
    balance roundrobin
    server test1 192.168.128.11:80 maxconn 5000 check
    server test2 192.168.128.12:80 maxconn 5000 check

====================================

Regards,
Khuram

Posts: 1

Participants: 1



Restart the haproxy service when changing the configuration


@Thoufiq wrote:

Hi, I am running HAProxy as a load balancer. The HAProxy configuration is saved in etc/haproxy/haproxy.cfg. Whenever I change the configuration file, I restart the HAProxy service to apply the configuration changes. Without restarting the service the changes are not applied. Is there any other way to apply the configuration without restarting the HAProxy service?

Posts: 1

Participants: 1


Different/wrong number of sessions on backend?


@kustodian wrote:

I have a strange problem with HTTP load balancing. The issue is that the number of sessions on the www-https frontend is drastically different from its backend. Here is a screenshot from the stats page showing how it looks:

Check the number of sessions on www-https (4934) and on events-backend-https (157). What is even stranger is that if I check the number of established connections on that HAProxy host to the backend servers (which are all listening on 8080), I get this:

[root@events-client-haproxy-01 ~]# ss -nta state established 'dport = 8080' | wc -l
1981

which is a lot more than 157 that HAProxy is reporting.

Another strange thing is that on that same frontend the session rate is 222, while on the backend the session rate is 1009?

I pasted below the whole config, but the most relevant part is that keep-alive should be used, because it’s not disabled anywhere. Also because option prefer-last-server is set, those keep-alive connections should be reused on the servers. On the servers keep-alive timeout is set to be 30s, which is the same as on HAProxy.

global
    log         /dev/log local2
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    nbthread 6
    maxconn     300000
    user        haproxy
    group       haproxy
    daemon
    stats socket /var/lib/haproxy/stats expose-fd listeners mode 0777 level admin
    server-state-file /var/lib/haproxy/server-state

defaults
    mode http
    log global
    maxconn 2000
    backlog     4000
    retries 2
    load-server-state-from-file global
    option httplog
    option dontlognull
    option dontlog-normal
    option forwardfor except 127.0.0.0/8
    option redispatch
    option prefer-last-server
    timeout http-request 5s
    timeout queue 5s
    timeout connect 5s
    timeout client 15m
    timeout server 15m
    timeout http-keep-alive 30s
    timeout check 5s

frontend tcp
    bind :7705
    mode tcp
    maxconn 200000
    default_backend events-backend-tcp

frontend www-http
    bind :80 alpn h2,http/1.1
    maxconn 1000
    acl is_trace_track method TRACE TRACK
    http-request deny if is_trace_track
    http-response set-header Strict-Transport-Security max-age=15768000
    default_backend events-backend-https

frontend www-https
    bind :443 ssl crt /etc/pki/tls/private/events.example.com.pem alpn h2,http/1.1
    maxconn 200000
    acl is_trace_track method TRACE TRACK
    http-request deny if is_trace_track
    http-response set-header Strict-Transport-Security max-age=15768000
    default_backend events-backend-https

backend events-backend-tcp
    mode tcp
    balance static-rr
    option tcp-check
    default-server inter 4s rise 2 fall 4 maxconn 50000 check agent-check agent-port 8081
    server events-client-app-01 events-client-app-01:7705
    server events-client-app-02 events-client-app-02:7705
    server events-client-app-03 events-client-app-03:7705
    server events-client-app-04 events-client-app-04:7705
    server events-client-app-05 events-client-app-05:7705

backend events-backend-https
    redirect scheme https if !{ ssl_fc }
    balance static-rr
    option httpchk GET /api/v1/health-check/simple-check
    default-server inter 4s rise 2 fall 4 maxconn 50000 check agent-check agent-port 8081
    server events-client-app-01 events-client-app-01:8080
    server events-client-app-02 events-client-app-02:8080
    server events-client-app-03 events-client-app-03:8080
    server events-client-app-04 events-client-app-04:8080
    server events-client-app-05 events-client-app-05:8080

listen stats
    bind :9000
    mode http
    stats enable
    stats hide-version
    stats uri /
    stats refresh 10s

Any ideas why this is happening?

Posts: 1

Participants: 1

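One way to measure a gap like the one described above, as an added example that is not part of the original post: the script below parses the CSV that HAProxy's stats socket returns for "show stat" and the output of "ss -nta state established", then lists, for each server in a backend, the scur value HAProxy reports next to the number of established sockets the kernel holds towards that server's address. Both inputs are constructed samples (the CSV header is abbreviated to the columns the script reads, and the addresses are made up); on a real host, feed it the two command outputs instead.

```python
import csv
import re
from collections import Counter

# Constructed sample of:  echo "show stat" | socat stdio /var/lib/haproxy/stats
# Real output has ~90 columns; only the ones read below are kept, so the header is
# abbreviated. Addresses are made up. Rows are looked up by column name, so the
# script works unchanged on the full output.
SAMPLE_SHOW_STAT = """# pxname,svname,qcur,qmax,scur,smax,slim,stot,status,addr
www-https,FRONTEND,,,4934,5200,200000,123456,OPEN,
events-backend-https,events-client-app-01,0,0,3,60,50000,4000,UP,10.0.0.11:8080
events-backend-https,events-client-app-02,0,0,4,62,50000,4100,UP,10.0.0.12:8080
events-backend-https,BACKEND,0,0,7,120,50000,8100,UP,
"""

# Constructed sample of:  ss -nta state established '( dport = 8080 )'   (on the HAProxy host)
SAMPLE_SS = """Recv-Q Send-Q Local Address:Port Peer Address:Port
0      0      10.0.0.5:41234     10.0.0.11:8080
0      0      10.0.0.5:41235     10.0.0.11:8080
0      0      10.0.0.5:41236     10.0.0.11:8080
0      0      10.0.0.5:41237     10.0.0.11:8080
0      0      10.0.0.5:41238     10.0.0.11:8080
0      0      10.0.0.5:41300     10.0.0.12:8080
0      0      10.0.0.5:41301     10.0.0.12:8080
0      0      10.0.0.5:41302     10.0.0.12:8080
0      0      10.0.0.5:41303     10.0.0.12:8080
"""

_PEER_RE = re.compile(r"^(?P<host>.+):(?P<port>\d+)$")


def parse_show_stat(text):
    """Return {(pxname, svname): row-dict} from 'show stat' CSV output."""
    lines = text.strip().splitlines()
    # HAProxy prefixes the header with '# '; strip it so DictReader sees clean names.
    lines[0] = lines[0].lstrip("# ")
    return {(row["pxname"], row["svname"]): row for row in csv.DictReader(lines)}


def parse_ss_established(text):
    """Count established sockets per peer 'ip:port' from 'ss -nta state established' output."""
    peers = Counter()
    for line in text.strip().splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if not fields:
            continue
        m = _PEER_RE.match(fields[-1])  # peer address is the last column
        if m:
            peers[f"{m['host']}:{m['port']}"] += 1
    return peers


def compare_backend(stat_text, ss_text, backend):
    """Pair HAProxy's scur with the kernel's established count for every server of `backend`."""
    stats = parse_show_stat(stat_text)
    peers = parse_ss_established(ss_text)
    result = []
    for (px, sv), row in stats.items():
        if px != backend or sv in ("FRONTEND", "BACKEND"):
            continue
        scur = int(row["scur"] or 0)
        established = peers.get(row["addr"], 0)
        result.append({
            "server": sv,
            "addr": row["addr"],
            "scur": scur,
            "established": established,
            # sockets the kernel holds to this server beyond HAProxy's active sessions
            "not_in_session": established - scur,
        })
    return result


if __name__ == "__main__":
    for entry in compare_backend(SAMPLE_SHOW_STAT, SAMPLE_SS, "events-backend-https"):
        print(entry)
```

A server address that appears in more than one backend is counted under each of them, and sockets in any state other than ESTABLISHED are ignored, so read the last column as an upper bound on connections the kernel holds to a server that HAProxy is not currently attributing to a session.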

Statistics Report Page


@Wade_Beyers wrote:

Is there any way to make my backends using SSL show as green instead of gray? I have a non-SSL backend that shows green when up, but my SSL backends don’t.
Thanks.

Posts: 1

Participants: 1


Move nginx to HAProxy config problem


@Mantikor wrote:

Hi!
I am trying to change my proxy/balancer from nginx to HAProxy, but something is wrong with my config, and the web page is blank (but the title is correct).

nginx config:

listen       443 ssl http2;
...
location / {
    proxy_pass http://10.10.2.2:9310/;
}
location /api/ {
    proxy_pass http://10.10.2.2:9301/api/2/;
}

HAProxy config:

frontend https
    bind      :443 ssl crt /certs/path alpn h2,http/1.1
    acl root           path -i   /
    use_backend root_ if root
    acl api            path_beg  /api/
    use_backend api_ if api

backend root_
    balance roundrobin
    server back1 10.10.2.2:9310 cookie r1 check
    server back2 10.10.2.3:9310 cookie r2 check

backend api_
    balance roundrobin
    http-request set-uri %[url,regsub(^/api/,/api/2/,)]
    server back1 10.10.2.2:9301 cookie a1 check
    server back2 10.10.2.3:9301 cookie a2 check

What have I done wrong?

Posts: 1

Participants: 1


Generic redirect from api.site.com/service/{domain} to other servers


@kokoriko wrote:

We have an nginx server that redirects service requests by server name, using proxy_pass to an upstream:

nginx conf:

server {
    server_name requestsproxy-rest.us.example.com;

    location / {
        proxy_pass http://Requestsproxy-Rest;
    }
}

and the upstream file:

upstream Requestsproxy-Rest {
    least_conn;
    server 10.1.1.1:29257 max_fails=4 fail_timeout=1s weight=1;
    server 10.1.1.2:21591 max_fails=4 fail_timeout=1s weight=1;
}

We want to set up HAProxy so that a service can be accessed via “test.example.com/service/{service}”, and HAProxy will forward/redirect the request to a different address, chosen by the {service}, on the nginx.

How do you think we can manage this via the HAProxy configuration?

Thanks in advance.

Posts: 1

Participants: 1


Debian Jessie (8): haproxy.debian.net will drop ALPN support soon


@lukastribus wrote:

If you are using Debian Jessie (8) with the packages from haproxy.debian.net, please be advised that ALPN support will be dropped from the packages:

HAProxy from http://haproxy.debian.net on Debian Jessie (8) was relying on OpenSSL from backports for ALPN support. These backports are unsupported since June 2018. I plan to reupload the packages without ALPN support. People relying on that should upgrade to Stretch.

Upgrade to Debian Stretch (9) to remedy this.

Posts: 2

Participants: 1


Restart HAProxy after changing the configuration


@Thoufiq wrote:

Hi,

I am running HAProxy as a load balancer and whenever I change the configuration, I need to restart HAProxy for the configuration changes to be applied. Because of this, we have to schedule a maintenance window for each and every simple configuration change. Is there any other way to change the configuration without restarting HAProxy? Please help.

Posts: 1

Participants: 1

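Added example for the two configuration-restart questions above (not from either post): a small Python wrapper that checks a configuration file with "haproxy -c -f" and only then asks systemd to reload the service. It assumes HAProxy is managed by systemd and that the unit's reload action performs HAProxy's own hot reload (as the project's unit file does) rather than a stop and start; the command runner is a parameter so the logic can be exercised without HAProxy installed.

```python
import subprocess
from dataclasses import dataclass


@dataclass
class CheckResult:
    ok: bool
    output: str


def check_config(cfg_path, haproxy_bin="haproxy", run=subprocess.run):
    """Run 'haproxy -c -f <cfg>': parses and validates the file without binding any port."""
    proc = run([haproxy_bin, "-c", "-f", cfg_path], capture_output=True, text=True)
    output = ((proc.stdout or "") + (proc.stderr or "")).strip()
    return CheckResult(proc.returncode == 0, output)


def reload_if_valid(cfg_path, haproxy_bin="haproxy", unit="haproxy", run=subprocess.run):
    """Reload the systemd unit only after the new file passes the check.

    Returns (reloaded, message). A file that fails the check never reaches the
    running process, so the configuration currently serving traffic stays live
    instead of the proxy going down for every backend at once.
    """
    check = check_config(cfg_path, haproxy_bin, run)
    if not check.ok:
        return False, "config check failed, not reloading:\n" + check.output
    proc = run(["systemctl", "reload", unit], capture_output=True, text=True)
    if proc.returncode != 0:
        return False, "reload failed:\n" + (proc.stderr or "").strip()
    return True, "reloaded"


if __name__ == "__main__":
    import sys

    cfg = sys.argv[1] if len(sys.argv) > 1 else "/etc/haproxy/haproxy.cfg"
    ok, msg = reload_if_valid(cfg)
    print(msg)
    sys.exit(0 if ok else 1)
```

The check runs as whatever user invokes the script, so it must be able to read the certificates and other files the configuration references; otherwise the check fails for a reason unrelated to the change being rolled out.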


Rewriting HTTPS header


@mindeswx wrote:

Hello! A quick question: is it possible to rewrite a response header in http mode if users are connecting to HTTPS websites (I don’t have a certificate installed)?

Thank you, and have an amazing day! :sunny:

Posts: 2

Participants: 2


HAProxy with multiple NICs, outgoing isn't using the same NIC as incoming


@BlackAdderDK wrote:

Hi

I’m trying to run ADFS and WAP in HAProxy in a simple TCP setup…

ADFS running on 10.0.1.10/24 eth0
WAP running on 10.0.2.10/24 eth1

Default route is set for both nets:

MyHaproxy: #
Destination  Gateway   Genmask  Flags Metric Ref Use Iface
default      10.0.1.1  0.0.0.0  UG    0      0   0   eth0
default      10.0.2.1  0.0.0.0  UG    1      0   0   eth1
.
.

Configuration

global
    log /dev/log local0
    log /dev/log local1 notice
    maxconn 6000
    tune.ssl.default-dh-param 2048
    daemon
    chroot /var/lib/haproxy
    uid 99
    gid 99
    ssl-default-server-options force-tlsv12 no-tls-tickets
    ssl-default-server-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options force-tlsv12 no-tls-tickets
    ssl-default-bind-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

defaults
    log global
    option tcplog
    option dontlognull
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend ADFSFrontend
    bind 10.0.1.10:443 interface eth0
    mode tcp
    default_backend ADFSBackend

frontend WAPFrontend
    bind 10.0.2.10:443 interface eth1
    mode tcp
    default_backend WAPBackend

backend ADFSBackend
    mode tcp
    balance roundrobin
    server 450adfs01 10.0.1.101:443 check
    server 450adfs02 10.0.1.102:443 check

backend WAPBackend
    mode tcp
    balance roundrobin
    server 450wap01 10.0.2.101:443 check
    server 450wap02 10.0.2.102:443 check

Everything works fine if I access ADFS from everywhere, except from the WAPBackend servers - it seems this fails as the incoming traffic is coming from eth0, but the outgoing is presumed to go out eth1…

If I run ifdown eth1, the traffic is fine.

Best regards
Flemming

Posts: 1

Participants: 1


Redirect All HTTPS Webpage To One Page

Squid and Ellipitic Curve (ECDHE)


@joeg wrote:

I have a Squid 4.1 instance and am troubleshooting a strange issue. I have a client that, when it communicates with Squid, appears as TLS 1.0 in the logs, although looking at Wireshark shows 1.2. Additionally, it appears that the client is only requesting elliptic curve ciphers (TLS_ECDHE_ECDSA_WITH_AES_128_GCN_256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECRSA_WITH_AES_128_GCN_256, & TLS_ECDHE_ECRSA_WITH_AES_256_GCN_384) between the client and the Squid server. The Squid server then offers many more to the destination server, including those presented by the client. Squid and the destination server settle on TLS_ECDHE_ECDSA_WITH_AES_128_GCN_256 but the connection fails. It appears that the Squid server returns an Alert (Handshake failure (40)) message to the client. The client gets an SSLv3 error message. I have played with various tls-dh and options settings under http_port with no success.

Here is extract of my logs:

src_ssl_negotiated_version=- dst_ssl_negotiated_version=TLS/1.2 src_tls_hello_version=TLS/1.0 dst_tls_hello_version=TLS/1.2 src_tls_max_version=TLS/1.2 dst_tls_max_version=TLS/1.2 src_tls_cipher=- dst_tls_cipher=ECDHE-ECDSA-AES128-GCM-SHA256 ssl_bump=- ssl_bump_mode=bump ssl_sni=bigtable.googleapis.com src_cert_subject="-" src_cert_issuer="-" dst_cert_subject="/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.googleapis.com" dst_cert_issuer="/C=US/O=Google Trust Services/CN=Google Internet Authority G3" cert_errors="-"

Posts: 3

Participants: 2


Custom backend according to an external script?


@dylan wrote:

I’m TPROXYing to one of three backends for a custom TCP protocol; this is not HTTP.

I’m trying to figure out if there is a way to do a network call (to, for example, have haproxy call http://10.4.2.15:8080/pass/<source IP here> and read a response), and the response will be 1, 2, or 3. If it is 1 or 2, forward tproxy to backend1. If it is a 3, forward tproxy to different backend3. Understandably this will also slow down connects, but that’s acceptable. My backends are running cloudflare’s mmproxy to read the source IP.

I’ve read there is Lua support, but I’m unsure whether it is just for scripting basic if statements or a full Lua implementation that also allows importing libraries(?) or network access.

Posts: 1

Participants: 1


Multiple domain with different SSL Certificate


@gertbus wrote:

Currently we are using the following configuration for our domain mylab.macsys.be:

defaults
    log global
    option dontlognull   # Do not log connections with no requests
    option redispatch    # Try another server in case of connection failure
    option contstats     # Enable continuous traffic statistics updates
    timeout server 30s
    timeout connect 60s
    timeout client 30s

frontend http_frontend
    bind *:80
    mode tcp
    default_backend web_server_http

backend web_server_http
    mode tcp
    balance roundrobin
    #stick-table type ip size 200k expire 30m
    #stick on src
    #source 0.0.0.0 usesrc clientip   #alctl: connect source and transparent connect
    server s1 10.2.0.67:80 check fall 3 rise 2
    server s2 10.2.0.68:80 check fall 3 rise 2
    server s3 10.2.0.69:80 check fall 3 rise 2

frontend https_frontend
    bind *:443
    mode tcp
    default_backend web_server

backend web_server
    mode tcp
    balance roundrobin
    #stick-table type ip size 200k expire 30m
    #stick on src
    #source 0.0.0.0 usesrc clientip   #alctl: connect source and transparent connect
    server s1 10.2.0.67:4431 check fall 3 rise 2
    server s2 10.2.0.68:4431 check fall 3 rise 2
    server s3 10.2.0.69:4431 check fall 3 rise 2

The problem is that we want a new domain (www.ipatient.be, with its own certificate) active on the same servers. So I guess this should be based on SNI? The mylab.macsys.be:443 domain is running smoothly, and we don’t want to disturb our users with problems.

How can we get both www.macsys.be and www.ipatient.be domain working ? Any ideas regarding configuration ?

Listening ports on our IIS Servers :
macsys.be ==> port 4431 with macsys.be certificate
ipatient.be ==> port 4432 with ipatient.be certificate

Many thanks
De Busser Gert

Posts: 1

Participants: 1


Need configuration for redirect to proxy with authentication


@Christoph wrote:

Hello,

I want to create an HTTP proxy that redirects every HTTP and HTTPS request to a set of two other HTTP proxies with round-robin.

My problem is that these two proxies both require basic authentication, and that my proxy itself should also be protected with basic authentication.

So HAProxy should only accept connections with the right basic authentication credentials, add different HTTP basic authentication to the request, and redirect the request to one of the target HTTP proxies.

How can I achieve this?

Thanks and regards.
Chris

Posts: 2

Participants: 2



Check old path using ACL after replacing it


@Mike-Code wrote:

I would like to do a URL rewrite, which looks like not such an easy deal here.

Say I want to replace url’s with mysite.com/boom/23/bam to mysite.com/bam/23/boom

Let’s have following config

acl OLD_PATH path_reg -i /boom/\d+/bam
reqrep ^([^\ :]*) /boom/(\d+)/bam \1 /bam/\2/boom
redirect code 301 prefix / drop-query if OLD_PATH

It looks fine, but the redirect won’t happen because the path has been already replaced, so I can’t use OLD_PATH acl anymore.

Yet, if I create new ACL with the new path (/bam/_/boom) then I’ll be throwing 301 at all requests, not just the ones that required replacing.

How can I have ACL run against the old request line?

Posts: 1

Participants: 1


How to log a detailed "SSL handshake failure"


@Mario wrote:

Hi all !

Is it possible to log more than “SSL handshake failure”?
For example, when a client browser uses a protocol that HAProxy does not support (for example SSL3), only these entries are logged:
SSL handshake failure
Connection closed during SSL handshake

But that’s not enough to say what the cause was.
It could be a protocol mismatch… cipher suite mismatch… incorrect certificate…

Thanks,
Mario

Posts: 1

Participants: 1


I'm a newbie, how to redirect https to https


@ervig wrote:

I’m a newbie with HAProxy and I need to redirect HTTPS to an HTTPS server; this is the configuration:

frontend https_certificat_parcdesalutmar
    bind *:443 ssl crt /etc/haproxy/certificats/test.cat.pem
    timeout client 1m

    use_backend test_backend if { req_ssl_sni -i test }
    default_backend test_backend

backend test_backend
    balance roundrobin
    server web-first 192.168.1.100:443
    server web-second 192.168.1.101:443

I would appreciate your help!!! Thanks

Posts: 1

Participants: 1


How to forward all ports from source to destination dynamically?


@FelixChen wrote:

Hello everyone, I’m Felix as a newbie.

I’d like to implement NFS over HAproxy,
I’ve redirected port 2049,111 but it’s been not working, it seems like NFS protocol is using some of radom ports based on RPC that I could not specific them.

What I think to do is that, it’s possible to dynamically map a fixed source IP to a fixed destination IP? such as 192.168.1.1:any to 192.168.2.1:any(all forwarding)

Thank in advance!!

Posts: 1

Participants: 1


Ksoftirqd - high cpu and haproxy poor performance


@imneo wrote:

Hello, while testing a new HAProxy cluster I’m now facing an issue of poor performance.
I’ll try to provide as many details as I can about the HW, kernel and HAProxy configuration.

The main issues I see are:

  1. high CPU usage (100%) of ksoftirqd
  2. haproxy is 100% utilized very fast with just

[Screenshot from 2019-04-15 09-53-16]

Haproxy version:
/ # haproxy -vv
HA-Proxy version 1.9.6 2019/03/29 - https://haproxy.org/
Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-format-truncation -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wno-implicit-fallthrough -Wno-stringop-overflow -Wno-cast-function-type -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.1.1b 26 Feb 2019
Running on OpenSSL version : OpenSSL 1.1.1b 26 Feb 2019
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.5
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE version : 8.42 2018-03-20
Running on PCRE version : 8.42 2018-03-20
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Encrypted password support via crypt(3): yes
Built with multi-threading support.

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
h2 : mode=HTX side=FE|BE
h2 : mode=HTTP side=FE
<default> : mode=HTX side=FE|BE
<default> : mode=TCP|HTTP side=FE|BE

Available filters :
[SPOE] spoe
[COMP] compression
[CACHE] cache
[TRACE] trace

OS and Kernel:
Ubuntu 18.04.2
Kernel: 4.15.0-46-generic

HW:
Manufacturer: Dell Inc.
Product Name: PowerEdge R640

CPU:
2X Version: Intel(R) Xeon(R) Gold 5115 CPU @ 2.40GHz

kernel CPU map:

cat /sys/bus/cpu/devices/cpu0/topology/core_siblings_list
0,2,4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38

cat /sys/bus/cpu/devices/cpu1/topology/core_siblings_list
1,3,5,7,9,11,13,15,17,19,21,23,25,27,29,31,33,35,37,39

Sysctl and security limits:

ulimits:
      - nofile:250000:250000

    sysctls:
      net.ipv4.conf.all.rp_filter: 1
      net.core.somaxconn: 65534
      net.core.netdev_max_backlog: 100000
      net.ipv4.ip_local_port_range: 1025 65000
      net.ipv4.conf.all.send_redirects: 1
      net.ipv4.ip_nonlocal_bind: 1
      net.ipv4.tcp_abort_on_overflow: 0
      net.ipv4.tcp_fin_timeout: 10
      net.ipv4.tcp_keepalive_time: 300
      net.ipv4.tcp_max_orphans: 262144
      net.ipv4.tcp_max_syn_backlog: 100000
      net.ipv4.tcp_max_tw_buckets: 262144
      net.ipv4.tcp_rmem: 4096 16060 64060
      net.ipv4.tcp_wmem: 4096 16384 262144
      net.ipv4.tcp_reordering: 3
      net.ipv4.tcp_synack_retries: 3
      net.ipv4.tcp_syncookies: 1
      net.ipv4.tcp_syn_retries: 5
      net.ipv4.tcp_timestamps: 0
      net.ipv4.tcp_tw_reuse: 1
      net.netfilter.nf_conntrack_max: 10485760
      net.netfilter.nf_conntrack_tcp_timeout_fin_wait: 30
      net.netfilter.nf_conntrack_tcp_timeout_time_wait: 15

Current haproxy configuration (I tried different nbproc/nbthread values and got the same behavior):

global
  nbproc 1
  nbthread 10
#  cpu-map auto:1/1-4 0-3
  cpu-map odd 1-20
  tune.http.logurilen 65535

  tune.ssl.default-dh-param  2048
  ssl-default-bind-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20
  ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
  ca-base /etc/ssl/certs
  crt-base /etc/ssl/private
  maxconn 500000

defaults
    mode                    http
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    option                  abortonclose
    retries                 3
    timeout http-request    10s
    timeout queue           2s
    timeout connect         5s
    timeout client          2m
    timeout server          2m
    timeout http-keep-alive 10s
    timeout check           5s
    maxconn                 1000

Network:

eno1np0

eno2np1

The test is done using a simple nginx as the backend and Apache Benchmark (ab) as the client, running from another node. I’ve tried different tests…
ab -k -r -c 1000 -n 1000000

I’m almost sure this issue has something to do with the network IRQs.
As described in the HAProxy docs, I would like to bind the network interfaces to the same CPU HAProxy runs on (CPU0), but to the cores which HAProxy does not use according to the map in the global configuration.

Since HAProxy only uses the “odd” cores, all “even” cores should be used by the network interfaces,
at least according to my understanding.

Nothing I tried made this work any better.
I need advice on how to optimize the kernel; I expected this HW to handle much more traffic.

Posts: 1

Participants: 1

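Added example, not from the post: a Python script that reads /proc/interrupts, sums the interrupt counts of one NIC's vectors per CPU, and reports which of those CPUs also belong to the set HAProxy is pinned to, which is the overlap the post is trying to avoid. The /proc/interrupts excerpt is constructed for a 4-CPU host; the HAProxy CPU set is passed as a CPU-list string in the same format as the core_siblings_list output above and has to be worked out from the cpu-map directive by hand.

```python
import re

# Constructed excerpt of /proc/interrupts for a 4-CPU host (the R640 above has 40 columns).
# Interface names match the post; counts and IRQ numbers are made up.
SAMPLE_INTERRUPTS = """           CPU0       CPU1       CPU2       CPU3
  24:          0          0          0          0   IR-PCI-MSI 524288-edge      eno1np0
  25:     900000     120000          0          0   IR-PCI-MSI 524289-edge      eno1np0-TxRx-0
  26:     850000     150000          0          0   IR-PCI-MSI 524290-edge      eno1np0-TxRx-1
  27:          0          0      30000          0   IR-PCI-MSI 524291-edge      eno2np1-TxRx-0
 NMI:          0          0          0          0   Non-maskable interrupts
 LOC:    1000000    1000000    1000000    1000000   Local timer interrupts
 ERR:          0
"""


def parse_cpu_list(spec):
    """Expand a kernel CPU list such as '0,2-4,7' into a set of CPU numbers."""
    cpus = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            cpus.update(range(int(lo), int(hi) + 1))
        else:
            cpus.add(int(part))
    return cpus


def parse_interrupts(text):
    """Return (CPU column names, {irq label: (per-CPU counts, description)})."""
    lines = text.strip("\n").splitlines()
    cpus = lines[0].split()
    irqs = {}
    for line in lines[1:]:
        m = re.match(r"^\s*(\S+):\s*(.*)$", line)
        if not m:
            continue
        label, rest = m.group(1), m.group(2).split()
        counts = []
        for tok in rest[:len(cpus)]:  # rows like ERR: carry fewer than one count per CPU
            if not tok.isdigit():
                break
            counts.append(int(tok))
        irqs[label] = (counts, " ".join(rest[len(counts):]))
    return cpus, irqs


def nic_load_per_cpu(text, nic_name):
    """Sum the interrupts of every vector belonging to nic_name (e.g. 'eno1np0') per CPU."""
    cpus, irqs = parse_interrupts(text)
    load = {cpu: 0 for cpu in cpus}
    # Matches the base vector and its per-queue vectors (eno1np0-TxRx-N) but not eno1np01.
    pattern = re.compile(rf"(^|\s){re.escape(nic_name)}(-|$)")
    for counts, desc in irqs.values():
        if pattern.search(desc):
            for cpu, n in zip(cpus, counts):
                load[cpu] += n
    return load


def irq_cpus_shared_with_haproxy(load, haproxy_cpus):
    """CPUs that both took interrupts for the NIC and belong to HAProxy's cpu-map set."""
    shared = [cpu for cpu, n in load.items() if n > 0 and int(cpu[3:]) in haproxy_cpus]
    return sorted(shared, key=lambda c: int(c[3:]))


if __name__ == "__main__":
    load = nic_load_per_cpu(SAMPLE_INTERRUPTS, "eno1np0")
    print("interrupts per CPU for eno1np0:", load)
    print("CPUs shared with HAProxy (pinned to 1-3):",
          irq_cpus_shared_with_haproxy(load, parse_cpu_list("1-3")))
```

On a live host, replace the constant with the contents of /proc/interrupts (and use the per-core_siblings_list output to decide which socket's cores the NIC vectors should stay on); a non-empty result from irq_cpus_shared_with_haproxy means the NIC queues and the proxy threads are competing for the same cores.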
