Channel: HAProxy community - Latest topics

Need SSL termination with HA proxy

@sbcsuman wrote:

Hi Team,
I installed HAProxy on an Ubuntu machine, and after that I edited the haproxy.cfg file.

bind *:18083
mode http
default_backend backendnodes
backend backendnodes
    balance roundrobin
    option forwardfor
    server node1 x.x.x.x:18083 check
    server node2 x.x.x.x:18083 check
listen stats
    bind :32700
    stats enable
    stats uri /
    stats hide-version
    stats auth user:password

It's working fine, but I need SSL termination with HAProxy.
Could you please help me with this issue?

Posts: 1

Participants: 1

About SRV Records

@olivia wrote:

I’m using HAProxy 1.8.4 and the SRV support it provides.
The stats page looks like the attached image after the following is set for backend xyz:

    server-template srv 1-20 _api._tcp.x.y.com resolvers dns cookie XYZ_SRVNAME check ssl verify none

A few questions I have:

  1. Why is the server showing up in maintenance mode days after its record was removed from the SRV record?
  2. Is it possible to make the server name match the subdomain of the record in the SRV record instead of showing up as srv1, srv2 etc.? If not, is there a plan for a future version to support that?
  3. I saw in a previous post (Using SRV Record - number of records in DNS not limiting server-template count) that it is expected that the rest of the slots show up red and down due to a SOCKET error. Is there a plan in a future version to make it dynamic or to handle the empty slots more gracefully?

Posts: 1

Participants: 1

SSL loop issues

@mpac wrote:

HAProxy version 1.9.3 on CentOS 7

I am new to HAProxy and I have one issue that I cannot resolve. I am trying to put an HAProxy server in front of a Microsoft IIS server that is hosting a website.

On the front end I am terminating SSL and I want to proxy everything back to the backend on port 80.

My basic configuration below essentially works, redirecting everything on 443 to the backend server on port 80. The issue I am having is that there is one part of the website that redirects to itself through HTTPS. This seems to cause an SSL loop, and I get ERR_TOO_MANY_REDIRECTS in my test machine's browser.

I have tested going to the backend on 443 and everything works perfectly, but the requirements I have do ask for 80.

frontend sandbox-WWW-frondend
    bind 10.1.99.152:80
    bind 10.1.99.152:443 ssl crt /etc/haproxy/certs/sandboxwwwkey.pem
    mode TCP
    default_backend sandbox-WWW-backend
    log global

backend sandbox-WWW-backend
    balance leastconn
    redirect scheme https if !{ ssl_fc }
    server sandbox3 10.1.99.16:80
    log global

Posts: 2

Participants: 2

Problem with logging

@gdevelek wrote:

Greetings,

My HAProxy 1.8.19 on Debian-9 is logging starts and stops but not traffic. Using the logger tool I can log anything I want to the proper files, so I can’t figure out what’s wrong.

Here is my logging config for rsyslog, saved in /etc/rsyslog.d/haproxy.conf.

Thanks for any clues!

$ModLoad imudp
$UDPServerAddress 127.0.0.1
$UDPServerRun 514
$FileOwner dialog
$FileGroup dialog
$FileCreateMode 0644

local0.* -/home/dialog/HAPROXY/logs/haproxy-traffic.log
local0.notice -/home/dialog/HAPROXY/logs/haproxy-admin.log
local0.info -/home/dialog/HAPROXY/logs/haproxy-info.log

…and here is the HAProxy config:

global
    daemon
    maxconn 256
    log 127.0.0.1:514 local0

defaults
    log global
    option tcplog
    mode tcp
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend fr_server1
    log 127.0.0.1:514 local0
    bind 0.0.0.0:8000
    default_backend bk_server1

backend bk_server1
    log 127.0.0.1:514 local0
    server srv1 10.1.1.184:2775 maxconn 2048

Posts: 1

Participants: 1

Client Authentication and WAF

@twinturbo wrote:

Does HAP support WAF (I think this is covered by modsec??)
Does HAP support client certificate authentication with CRL?

Cheers

Rob

Posts: 1

Participants: 1

ASPNET sites don't respond though LB 1 Centos 7.6.1810

@ABGweb wrote:

Hopefully this makes sense, I require some assistance concerning communication issues with the aspnet websites through HAProxy.

When I updated the OS of one node to CentOS 7.6.1810, I found that all of the aspnet sites would not resolve. If I switch to routing the ASPNET sites through a different node which is running CentOS 7.5.1804, they resolve fine.

The HAProxy config for all nodes is the same.

Any ideas?

Posts: 1

Participants: 1

Haproxy redirect multiple webserver

HAProxy on AWS Instance

@Thoufiq wrote:

I am running an instance in AWS and I have installed HAProxy, but when I start the HAProxy service I get the error below (OS: CentOS).

[ALERT] 108/173540 (10131) : Starting frontend http-in: cannot create listening socket [0.0.0.0;5988]

It's a simple configuration:

global
    daemon
    maxconn 256
defaults
    mode tcp
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
frontend http-in
    bind *:1-65535
    default_backend backend_servers
    server sv1 10.1.1.10

Please help

Posts: 1

Participants: 1

Haproxy set variable value from map

@ykiran_k wrote:

I am trying to set a variable value from map contents, based on the path.

    http-request set-var(req.prefdomain) %[path,map_beg(/etc/haproxy/haproxy_path_domain.map)]

Here is my map content:

    /abc/def/v1    domain1
    /ijk/lmn/v2    domain2

My use case: if the path (/abc/def/v1) is configured (in the map) to be served on domain1, then I want to restrict the path on domain2. I was trying to get domain1 and domain2 into a custom variable, and to use that variable to check the string match and handle routing or deny. Is there a way to get domain1 into the prefdomain variable? If so, can you suggest the fix for the above http-request line?

Posts: 1

Participants: 1

Not balancing in a round'n'robin behaving

@guelbs wrote:

Hi Folks, hope you all are doing well.

I’ve set up an HAProxy instance to balance two “identical” servers.

The setup is working, but when I execute stress tests on sup07 (the balancer), it looks like machine sup05 gets two times more requests than machine sup06.

The setup is:

[root@sup07 ~]# cat /etc/haproxy/haproxy.cfg
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000

frontend Calls_Pool_Diagnostics
    bind *:8680/RTDM/PoolDiangostics.jsp
    default_backend Balances_Pool_Diagnostics

backend Balances_Pool_Diagnostics
    balance roundrobin
    server sup05 sup05.brzsupport.sashq-d.openstack.sas.com:8680/RTDM/PoolDiagnostics.jsp check
    server sup06 sup06.brzsupport.sashq-d.openstack.sas.com:8680/RTDM/PoolDiagnostics.jsp check

frontend Calls_RTDM_Event
    bind *:8680/RTDM/Event
    default_backend Balances_RTDM_Event_requests

backend Balances_RTDM_Event_requests
    balance roundrobin
    server sup05 sup05.brzsupport.sashq-d.openstack.sas.com:8680/RTDM/Event check
    server sup06 sup06.brzsupport.sashq-d.openstack.sas.com:8680/RTDM/Event check

frontend HAProxy_page
    bind *:80
    stats uri /haproxy?stats

backend http_back

Could you help me understand why it is behaving like this?

I appreciate your help.

Posts: 1

Participants: 1

Haproxy not work h2c(proto h2) in http protocol

@criss wrote:

HAProxy does not work with HTTP/2 (h2/gRPC) over the http protocol.
My version: [HAProxy version 1.9.6, released 2019/03/29]
My service is gRPC on an intranet, so we don’t use the HTTPS protocol.
My haproxy config:

frontend grpc
    mode http
    option http-use-htx
    bind *:8080 proto h2
    default_backend http2-server
backend http2-server
    mode http
    option http-use-htx
    server k8s1 10.80.78.1:80 check proto h2

Can you fix this problem?

Posts: 2

Participants: 2

HA Proxy with Floating IP and Keepalived and Domain Alias

@xxandyxx wrote:

Hello everybody,

I would need some help in configuring an HA proxy.

HA Proxy Software: RH-HAProxy18

I would have to build the following config somehow.

                 Floating IP with Keepalived
    10.0.0.1 (test.server.com - Alias Domain on https 443)

    test1.server.com            test2.server.com
    IP 10.0.0.2                 IP 10.0.0.3
    (https 443)                 (https 443)
    keepalived                  keepalived
    haproxy                     haproxy

    webserver1                  webserver2
    https 443                   https 443
    IP 10.0.0.4                 IP 10.0.0.5

The content of webserver 1 and 2 should be delivered. I just can't get it to work; maybe someone can help me a bit.

Thanks and regards, Andy

Posts: 1

Participants: 1

Redirect subdomain to URL

@chromaker wrote:

Hello together,

I would like to redirect my subdomain to an Office 365 SharePoint path. My domain provider cannot handle it, so I would like to use my haproxy service.

So my example is:
Domain: sharepoint.company.com
Should open the URL: https://company.sharepoint.com/_layouts/15/sharepoint.aspx

I tried:

frontend http-in # unsecure
    bind *:80
    reqadd X-Forwarded-Proto:\ http # Adds http header to the end of the HTTP request
    redirect scheme https code 301 if !{ ssl_fc }

    acl lets_encrypt path_beg /.well-known/acme-challenge/
    acl site_sharepoint_company hdr_end(host) -i sharepoint.comany.com

    http-request redirect code 301 location https://company.sharepoint.com/_layouts/15/sharepoint.aspx if site_sharepoint_company

But it does not work. Do I also need a use_backend?

With best regards
chromaker

Posts: 1

Participants: 1

Manage SSL certificate for hundreds of domain

@huytq209 wrote:

Dear friends,

I have a website working after a haproxy server. My website users can use their own domain names, and they can provide certificate files via the website's user admin section. How can I manage these SSL certificates in haproxy? They are user data and I can save them into pem files.

Thanks
Steven Tr.

Posts: 1

Participants: 1

Is it possible to do string match with Host header & a custom variable?

@ykiran_k wrote:

I am trying to see if I can stamp a response header with the boolean value true if the Host header and my custom variable match:

    http-response set-header x-prefdomain-match bool(true) if { hdr(Host) -m str %[var(txn.prefdomain)] }

Can anyone suggest if I am missing anything in the above config line?

Posts: 1

Participants: 1

Haproxy to prevent access to all but selected URLs on a backend

@sinaowolabi wrote:

Hi!

I am trying to set up haproxy to block access to a backend server from a particular IP address.
I need haproxy to allow access to only three URLs on the backend server.
I came up with this, please can someone tell me if this is correct, and will work as expected?

frontend access_control
   maxconn     50000
   bind        *:8080
   mode        http
   option      httplog
   http-request deny if !{ path -i -m beg /url1/path } { src 1.1.1.1 } 
   http-request deny if !{ path -i -m beg /url2 } { src 1.1.1.1 }
   http-request deny if !{ path -i -m beg /url3 } { src 1.1.1.1 }
   default_backend access_control_backend

backend access_control_backend
   mode        http
   option      httplog
   server      server1     server1:8080

Posts: 1

Participants: 1

Use_backend with cookie / map

@bd76 wrote:

Hi,
I am routing to a backend if a certain cookie exists in the request.
The following works just fine:

acl has_cookie req.cook(lacan_xyz) -m found
use_backend canary_backend if has_cookie

Ideally I would like to use a map definition to avoid having to restart haproxy if/when the cookie name or value changes (from my understanding, making changes to map files can work without a restart). For example:

use_backend %[req.cook(lacan_xyz), map(/etc/haproxy/map_file.map, default_backend)]

In map_file.map, the key would be the cookie value and the value would be the name of a backend definition.

Attempting to do this results in a warning, and my desired functionality not working.

The warning:
Starting haproxy: [WARNING] 115/173343 (16970) : parsing [/etc/haproxy/haproxy.cfg:57] : Ignoring end of truncated ‘acl’ line after ‘req.cook(lacan_xyz),’

The haproxy version being used:
HA-Proxy version 1.6.1 2015/10/20

Any insight or suggestions would be most appreciated,
thank you.

Posts: 1

Participants: 1

Haproxy + SSL in http mode

@ilovehaproxy wrote:

Hello.
Can you please help me make the right config for haproxy in the following case:
We have 5 domains; every domain has a different backend, with 5 different IP addresses.
How can I write a correct haproxy config to make all 5 SSL certificates work for all 5 domains in http mode?
The reason is to get the real IP address via the https connection.

BTW sorry for my English, I'm not a native speaker.

Thanks for your help.

Posts: 1

Participants: 1

Performance drop switching elasticsearch backend from tcp to http?

@m-a.leclercq wrote:

Hi everyone,

I need your opinion on the following situation.

I have two frontends: one is in http mode (website) and the other is in tcp mode (elastic).

Historically the tcp frontend was only used to redirect to our Elasticsearch tcp backend.

However, because of organizational constraints, I need to specifically allow one machine to connect on the website frontend and be redirected to the elastic backend.

I did this using an acl with src <ip> but realized that haproxy would not start because I was referring to an incompatible tcp backend.

[ALERT]  : http frontend 'frontend_https' (/etc/haproxy/haproxy.cfg:0) tries to use incompatible tcp backend 'backend_elastic' (/etc/haproxy/haproxy.cfg:0) in a 'use_backend' rule (see 'mode').

I switched our elastic backend to http mode and haproxy started working again.

My question to you is:

  1. Is this the correct way of doing things?
  2. Am I going to see a performance drop in my tcp backend since I switched to http mode?

This website seems to indicate that inspecting the content of the HTTP request is slower and tcp should be preferred. However, is there a difference when using backends? Since my backend used to be tcp and I am not planning on ever using the http-specific features available for this part of my configuration, I was wondering if this would affect performance (we have heavy workloads on the elasticsearch backend).

Thank you for your help!

Posts: 1

Participants: 1

100% CPU with haproxy 1.9.7

@safari wrote:

Using haproxy 1.9.7, I got a 100% CPU hang of the haproxy process (and no response) with the following config:

  • nbproc 1
  • tune.maxaccept -1

Checking with the previous haproxy 1.9.6, it still works fine.
Increasing nbproc to a number > 1 or changing tune.maxaccept to a value > 0 still makes it work.

It’s a small issue but still weird for a new version upgrade.

Please help to check and fix.
Tks.

Posts: 1

Participants: 1
