Channel: HAProxy community - Latest topics

Haproxy throwing intermittent 503 as it can not establish a backend server connection after 4 retries

@jareepuzha wrote:

Hi, we are using haproxy 1.7 with a docker image and it is throwing intermittent 503 errors with error code sC. I could see that this is reaching client timeout of 15s and after 4 attempts to connect (3s time to connect).

We are using http-server-close to release backend connections immediately after serving one request.
Is this causing increased connection attempts? Can I use http-reuse instead?
Here is my configuration; can you please help me to tune this config?

How can I determine the root cause of the delay from tcpdump?

global
ssl-server-verify none
tune.ssl.default-dh-param 2048
tune.maxrewrite 4096
log 127.0.0.1:514 local0
stats socket /opt/haproxy.sock

listen stats #Listen on all IP’s on port 9090
bind *:9090
mode http
balance
timeout client 5000
timeout connect 4000
timeout server 30000
stats enable
stats hide-version
stats refresh 30s
stats show-node
stats uri /haproxy?stats

monitor-uri /status

defaults
log global
mode http
option httplog
option log-health-checks
option dontlognull
timeout client 15000
timeout connect 3000
timeout server 180000
retries 4
option http-server-close

#create new frontend to process 443
frontend https_frontend
bind *:443 ssl crt /opt/ert.pem force-tlsv12
mode http

default_backend backend_https

frontend http_frontend
bind *:80
mode http

default_backend nike_http

#Define backend for above frontend
backend bakend_https
mode http
option httpchk GET /healthchek HTTP/1.1\r\nHost:\ blah
http-check expect ! rstatus ^5
server server blah:443 check inter 40000 ssl verify none

#Define backend for above frontend
backend backend_http
mode http
server blah:80

Posts: 1

Participants: 1

Read full topic


Sticky sessions config uses only first server for new requests

@Firm wrote:

I use very simple config for balancing traffic between 3 backends:

defaults
mode http
option redispatch
retries 3

frontend front_site
  bind *:443 ssl no-sslv3 crt /etc/haproxy/domain.com.pem
  default_backend back_site

backend back_site
  option tcp-check
  balance round-robin
  cookie server_id insert indirect nocache
  server back01 back01:443 ssl verify none check cookie b01
  server back02 back02:443 ssl verify none check cookie b02
  server back03 back03:443 ssl verify none check cookie b03

The problem is that when back01 is down then all new requests come only to back02 (and server_id cookie is set to b02). It looks like Haproxy selects first available server from the list. If I move back03 string before back02 then all requests come to back03 and nothing to back02. Did I miss something in documentation?

Posts: 1

Participants: 1

Read full topic

Haproxy not sending files to backend server

@avnban wrote:

Hi Everyone,

I am facing an issue with Haproxy. I am trying to send cert files to HashiCorp Vault through Haproxy. It works fine if I run curl directly hitting the Vault servers. But it’s failing through Haproxy.

Command: curl -vvv --request PUT --cacert rootCAcert.pem --cert clientcrt.pem --key clientkey.pem --data '{"name": "rootca"}' https://ito028711.hosts.cloud.ford.com/v1/auth/cert/login

Error

1). {"errors":["tls connection required"]}

2). {"errors":["client certificate must be supplied"]}

Verbose output:

* Hostname was NOT found in DNS cache
* Trying …
* Connected to () port 443 (#0)
* successfully set certificate verify locations:
* CAfile: rootCAcert.pem
  CApath: /etc/ssl/certs/
* SSLv3, TLS Unknown, Unknown (22):
* SSLv3, TLS handshake, Client hello (1):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Server hello (2):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, CERT (11):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Server finished (14):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv2, Unknown (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Finished (20):
* SSLv2, Unknown (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
* subject: C=US; ST=Michigan; L=Dearborn; O=; CN=
* start date: 2019-05-07 15:35:42 GMT
* expire date: 2021-05-07 15:35:42 GMT
* subjectAltName: matched
* issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign Organization Validation CA - SHA256 - G2
* SSL certificate verify ok.
* SSLv2, Unknown (23):
> PUT /v1/auth/cert/login HTTP/1.1
> User-Agent: curl/7.37.0
> Host:
> Accept: */*
> Content-Length: 18
> Content-Type: application/x-www-form-urlencoded
* upload completely sent off: 18 out of 18 bytes
* SSLv2, Unknown (23):
< HTTP/1.1 400 Bad Request
< Cache-Control: no-store
< Content-Type: application/json
< Date: Mon, 13 May 2019 19:31:32 GMT
< Content-Length: 51
<
{"errors":["client certificate must be supplied"]}
* Connection #0 to host left intact

I see value for Content-Length above is 550 if I hit vault server directly

Posts: 1

Participants: 1

Read full topic

Remapping URLs based on map file, with precedence

@gosko wrote:

Hi, I am trying to remap a number of directories on my site based on a map file, preserving any trailing components in the path. So if I have the following map file:

/dir1/ /newdir/

and get a request for https://example.org/dir1/foo.txt I would like the request to be served from http://example.org/newdir/foo.txt (not redirected, just silently rewritten)

One difficulty is that the map file may have overlapping entries, where /dir1/ is mapped one place but /dir1/path2/ is mapped elsewhere, in which case I would like /dir1/path2/ to have precedence and the entry for /dir1/ to be ignored. (i.e. the match with the most path components should have highest precedence)

I have been trying to figure out how to implement this and it’s proving to be quite difficult, possibly because I have limited experience with haproxy.

Does anyone have an idea how I might implement something like this? I could share some config snippets if that would help but I really have nothing even close to working.

Part of the issue is that regsub doesn’t allow backreferences so maybe I would need to use reqrep which does, but it seems to be deprecated. Maybe map_regm would be useful, but I don’t know how to get my desired longest-path-has-precedence.

My map file is generated using a separate process and I could consider splitting it into multiple maps if that helps with the precedence issue, but I am hoping that won’t be necessary since the map file is updated during runtime using commands over the socket and I would rather not make that process more complicated.

Posts: 1

Participants: 1

Read full topic

Problem when using dynamic service discovery via DNS and SRV Records

@mustafa.yildirim wrote:

I’m using Consul for dynamic service discovery.

If application port is bigger than 32767, srv_port is not correct.

Configuration:

server-template srv 4 _testsrv._tcp.service.consul inter 1s resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip check

“show servers state” Result:

# be_id be_name srv_id srv_name srv_addr srv_op_state srv_admin_state srv_uweight srv_iweight srv_time_since_last_change srv_check_status srv_check_result srv_check_health srv_check_state srv_agent_state bk_f_forced_id srv_f_forced_id srv_fqdn srv_port srvrecord

4 testsrv.configuration.abc.com 1 srv1 10.90.21.103 0 96 1 1 20373 15 3 0 14 0 0 0 - 4294934534 _testsrv._tcp.service.consul
4 testsrv.configuration.abc.com 2 srv2 10.90.21.107 0 96 1 1 20365 15 3 0 14 0 0 0 - 4294934530 _testsrv._tcp.service.consul
4 testsrv.configuration.abc.com 3 srv3 10.90.21.103 0 96 1 1 20409 15 3 0 14 0 0 0 - 4294934533 _testsrv._tcp.service.consul
4 testsrv.configuration.abc.com 4 srv4 10.90.21.103 2 0 1 1 20554 15 3 4 6 0 0 0 consul-node-10-90-21-103.node.ayt.consul 4294934535 _testsrv._tcp.service.consul

HAProxy Stat UI gives: 10.90.21.103:-32761 (Negative I think it minus 65536)

The IP address is OK but the port is wrong; it should be 32775.

I read the code. I think It’s related with this http://git.haproxy.org/?p=haproxy-1.9.git;a=blob;f=src/server.c;h=20f03cefe3deaed01472a24f28374de9f8a4f9b9;hb=HEAD#l2978

Posts: 1

Participants: 1

Read full topic
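
The srv_port values in the state dump above are numerically what results when a 16-bit port above 32767 is sign-extended and then printed as an unsigned 32-bit number. The following C program is an added example, not HAProxy code and not part of the original post; the function names, the sample line and the assumed conversion path are illustrative assumptions. It models that conversion and checks a "show servers state" line for an affected srv_port, recovering the real port.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* srv_port is column 19 in the "show servers state" header quoted in the post. */
#define SRV_PORT_COLUMN 19

/* Constructed sample line (placeholder names and address); only the srv_port
 * value 4294934535 is taken from the post. */
static const char SAMPLE_LINE[] =
    "4 be_example 4 srv4 192.0.2.10 2 0 1 1 20554 15 3 4 6 0 0 0 "
    "node.example 4294934535 _testsrv._tcp.service.consul";

/* Assumed conversion path (a model, not HAProxy's code): the 16-bit port is
 * read as a signed 16-bit value, widened to int, then printed as unsigned. */
static uint32_t port_as_printed(uint16_t wire_port)
{
    int widened = wire_port >= 0x8000 ? (int)wire_port - 0x10000
                                      : (int)wire_port;
    return (uint32_t)widened;   /* e.g. -32761 becomes 4294934535 */
}

/* Classify a printed srv_port value.
 * Returns 0 for a plain valid port, 1 when the value is a sign-extended
 * 16-bit port (real port stored in *port), -1 when it is neither. */
static int recover_port(uint32_t printed, uint16_t *port)
{
    if (printed <= 0xFFFFu) {
        *port = (uint16_t)printed;
        return 0;
    }
    /* Sign extension sets the upper 16 bits and implies bit 15 is set. */
    if ((printed & 0xFFFF8000u) == 0xFFFF8000u) {
        *port = (uint16_t)(printed & 0xFFFFu);
        return 1;
    }
    return -1;
}

/* Extract the srv_port column from one state line. Returns 0 on success,
 * -1 for header/comment lines, short lines or non-numeric fields. */
static int port_from_state_line(const char *line, uint32_t *printed)
{
    const char *p = line;
    int col = 0;

    if (*p == '#')
        return -1;
    while (*p) {
        p += strspn(p, " \t\n");
        if (!*p)
            break;
        size_t len = strcspn(p, " \t\n");
        if (++col == SRV_PORT_COLUMN) {
            char field[16];
            char *end;
            unsigned long v;

            if (len >= sizeof field || p[0] < '0' || p[0] > '9')
                return -1;
            memcpy(field, p, len);
            field[len] = '\0';
            errno = 0;
            v = strtoul(field, &end, 10);
            if (errno != 0 || *end != '\0' || v > 0xFFFFFFFFul)
                return -1;
            *printed = (uint32_t)v;
            return 0;
        }
        p += len;
    }
    return -1;
}

int main(void)
{
    uint32_t printed;
    uint16_t port;

    if (port_from_state_line(SAMPLE_LINE, &printed) != 0)
        return 1;
    switch (recover_port(printed, &port)) {
    case 0:
        printf("srv_port %lu is a valid port\n", (unsigned long)printed);
        break;
    case 1:
        printf("srv_port %lu is sign-extended; real port is %u\n",
               (unsigned long)printed, (unsigned)port);
        break;
    default:
        printf("srv_port %lu is not a recognisable port\n",
               (unsigned long)printed);
        return 1;
    }
    printf("model: port 32775 prints as %lu\n",
           (unsigned long)port_as_printed(32775));
    return 0;
}
```

A monitoring script can apply the same range test to every state line: any srv_port above 65535 means the dump should not be trusted for that server.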

Can I balance the traffic of my firewall with HAproxy?

@asir wrote:

Hi,

I’m trying to make a firewall cluster with load balancing. I read that haproxy can help me with the load balancing. But… I don’t know how to configure it correctly.

I have 3 nodes: a frontend and two backends. The backends have the same iptables configuration. I just want to balance all the network traffic to these “nodes”.

Is that possible? Or is haproxy not the tool that I need?

Thanks!

Posts: 1

Participants: 1

Read full topic

Cert SSL + tomcat 7 not HA 1.5

@adrsys wrote:

Guys good night,

I’ve updated my Tomcat 7 application with Java 8, and when I enable balancing with HAProxy, which owns the SSL certificate up front, some things do not load on the page. Before I did everything I just updated the apps that are behind the HA. In browser research this appears:

The “https: /xxxxxxxxxx/xxx/style/xxxne.css” feature has been blocked due to MIME type (“text / html”) does not match (X-Content-Type-Options: nosniff). [Learn More] TXXx .tp

The “https: //xxxxxxxxx/xxxx/script/xxxine.js” feature has been blocked because MIME type (“text / html”) does not match (X-Content-Type-Options: nosniff).

frontend Local_Server_https
bind *:443 ssl crt /etc/haproxy/certs/xxxxxxxxxx.xxxx.xx.pem
reqadd X-Forwarded-Proto:\ https
default_backend Serv

backend Serv
mode http
balance source
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD / HTTP/1.1rnHost:localhost
server 50 xxxxxxxx:8080 cookie check
server 51 xxxxxxx:8080 cookie check
server 52 xxxxxxx:8080 cookie check

OBS - I had to remove HTTPS to run the application. Haproxy 1.5

haproxy -vv
HA-Proxy version 1.5.19 2016/12/25
Copyright 2000-2016 Willy Tarreau willy@haproxy.org

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2
OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
Running on OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.31 2012-07-06
Running on PCRE version : 8.31 2012-07-06
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Posts: 1

Participants: 1

Read full topic

HAProxy to retain client IP

@Thoufiq wrote:

We have haproxy clusters as load balancers. It is working, but the HAProxy IP becomes the source IP in our real server logs, and we want the client IPs to be retained until they reach the real server. What should I configure to maintain the client IP? Please help.

Posts: 1

Participants: 1

Read full topic


Windows Mobile and haproxy - Unable to read data from the transport connection

@chrisotherwise wrote:

We have installed an haproxy server in front of our web service and API. It decrypts the requests (TLS), parses the headers, then forwards to either our internal servers or our AWS cloud service depending on request parameters (both also TLS).

The service handles about 30 million requests a day. Almost all work fine, but we have a problem with a small number of requests from (ancient) Windows Mobile handhelds. The users of the devices frequently experience problems connecting to our API together with this device-level error message: “Unable to read data from the transport connection”.

HaProxy doesn’t log any errors when this problem happens. Due to the handhelds being in client premises we’re also unable to determine whether the bad requests are logged by haproxy as successful as they are surrounded by many genuinely successful requests.

There are no network-level errors reported by the network interface.

Removing haproxy from the equation stops the problem. Putting it back starts the problem again. But I’m at a complete loss as to what might be happening. If anybody has seen anything like this then I’d be very glad to hear from you.

Other information

We compiled this haproxy ourselves as we needed to support SSLv3 (yes I know about the security issues, but we have no choice but to support clients who won’t countenance changing their 500 in-factory devices just because we tell them that they should).

Output from haproxy -vv

HA-Proxy version 1.8.19 2019/02/11
Copyright 2000-2019 Willy Tarreau <willy@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-format-truncation -Wno-null-dereference -Wno-unused-label
  OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_SYSTEMD=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_NS=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.0.2r  26 Feb 2019
Running on OpenSSL version : OpenSSL 1.0.2r  26 Feb 2019
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.39 2016-06-14
Running on PCRE version : 8.39 2016-06-14
PCRE library supports JIT : yes
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
        [SPOE] spoe
        [COMP] compression
        [TRACE] trace

Our haproxy.conf (redacted)

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        maxconn 4000
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
        ssl-default-bind-options ssl-min-ver SSLv3 

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        option http-buffer-request              # Needed to inspect the POST request parameters (CA/WMS)
        timeout connect 5000
        timeout client  50000
        timeout server  600000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

resolvers mydns
  nameserver dns1 8.8.8.8:53
  nameserver dns2 10.200.0.101:53
  nameserver dns3 10.101.1.11:53
  resolve_retries       3
  timeout resolve       1s
  timeout retry         1s
  hold other           30s
  hold refused         30s
  hold nx              30s
  hold timeout         30s
  hold valid           10s
  hold obsolete        30s

listen  stats
        bind 0.0.0.0:8000
        mode            http
        log             global

        maxconn 10

        clitimeout      100s
        srvtimeout      100s
        contimeout      100s
        timeout queue   100s

        stats enable
        stats hide-version
        stats refresh 30s
        stats show-node
        stats auth xxx:xxx
        stats uri  /haproxy?stats


#
# We listen on a single front-end that is bound to both ports 80 and 443. The 443 bind applies the secure certificate.
#
# When a request is received, these parts of the request are scanned:
# - The URL path
# - The REFERER header (needed for some anonymous assets that are loaded at login time)
# - The request body (for POST requests)
#
# If any one of these contains any of the client id strings present in the file "/etc/haproxy/aws_clients"
# then a match is found and the AWS back-end will be used. 
# Otherwise the in-house back-end will be used - either secure or insecure depending on the request.
#

frontend wms

  maxconn 4000
# Looks for the client id in the parameters
  acl aws_path urlp_sub -i -f /etc/haproxy/aws_clients

# Looks for the client id in the URL path
  acl aws_path path_sub -i -f /etc/haproxy/aws_clients

# Looks for the client id in the Referer header
  acl aws_referer req.hdr(Referer) -i -m sub -f /etc/haproxy/aws_clients

# Looks for the client id in the Cookie header
  acl aws_cookie req.hdr(Cookie) -i -m sub -f /etc/haproxy/aws_clients

# Looks for the client id in the POST body. 
  acl aws_param req.body -i -m sub -f /etc/haproxy/aws_clients

# Determines whether this is a secure or insecure request
  acl is_ssl dst_port eq 443

  bind *:80
  bind *:443 ssl crt /etc/ssl/haproxy_pvx.pem
  mode http

# wms_cloud back-end is used if any one of the match criteria is met
  use_backend wms_cloud if aws_path or aws_referer or aws_cookie or aws_param

# Otherwise use ovh either secure or insecure
  use_backend wms_ovh_ssl if is_ssl
  default_backend wms_ovh


# Back-end definitions - cloud, ovh insecure, ovh secure

backend wms_cloud
  mode http
  option httpchk
  server wmscloud1 cloud.ourservice.net:443 check resolvers mydns ssl verify none 

backend wms_ovh
  mode http
  server wms1 10.200.0.110:80

backend wms_ovh_ssl
  fullconn 4000
  mode http
  server wms1 10.200.0.110:443 ssl verify none maxconn 4000

Posts: 1

Participants: 1

Read full topic

HAProxy response based redirection to backend

@kiranmarla01 wrote:

Hello,
I have two Vault clusters in two halls which can communicate with each other: a Vault primary cluster in hall 1 and its performance replica in hall 2. I have one HAProxy instance that routes the traffic to the primary cluster only. Now, due to the weirdest reasons possible, what I need to do is route the traffic to the performance replica backend servers if the http-response status code is 403 (permission denied) when the requests fail to authenticate with the primary cluster.

To try something more simple I’ve tried to add this in the backend

http-response redirect location https://hostname.com code 302 if { status 403 }

But when I look at the stats page I see that there’s no traffic being routed to that server.
My questions are these:

  1. Is there a way I can redirect to a backend based on an http-response code?
  2. Is there a way I can redirect from a backend to another backend based on status code?
  3. If the answers to the above are no, then how can I possibly solve this problem? (Problem being routing based on http-response code.)

Kudos if you can also provide me example-syntax for solutions.

Thanks,
Kiran

Posts: 1

Participants: 1

Read full topic

Custom LB algorithm for HTTPS requests

@Sarnava wrote:

I am using HAProxy for load balancing my HTTPS requests. I would like to know if there is any way to customize the selection of backend server based on the request uri returned by each server.

To be precise, I want something like the "uri " algorithm for HTTPS requests.

Posts: 1

Participants: 1

Read full topic

Weird Status code and Termination State in log file

@Tim wrote:

Hi everybody

I see some weird lines in the log file, as below. According to the document, a tc of -1 indicates that the connection between HA and the backend was never established. However, the termination state is ----, which indicates there is no error?

The status code is -1 and I wonder if that will be sent back to the client? If so it is really weird.

This problem only happens for a very small number of requests, and both the HA and backend servers are not busy.

We only see this problem after upgrading from 1.8 to 1.9.2.

I would really appreciate it if someone could help me clear this up. Is it a bug in HA, or if not, what happens with these requests (with status -1)?

14.162.149.32:51304 [21/May/2019:17:29:11.483] sale_https~ xxx_sale/api6-8000 0/0/-1/-1/13 -1 439 - - ---- 1245/563/35/5/0 0/0 {sale.xxx.com|} “OPTIONS /api/addressBooks/sync/fetch?BranchId=44299&IncludeRemoved=true&ModifiedDate=%222019-04-18T10:50:12.4764397%2B07:00%22 HTTP/1.1”
171.232.103.112:55108 [21/May/2019:17:29:14.333] sale_https~ xxx_sale/api6 0/0/-1/-1/31 -1 439 - - ---- 1204/522/30/3/0 0/0 {sale.xxx.com|} “OPTIONS /api/addressBooks/sync/fetch?BranchId=37361&IncludeRemoved=true&ModifiedDate=%222019-04-18T12:20:16.6459621%2B07:00%22 HTTP/1.1”
1.55.42.40:8865 [21/May/2019:17:29:17.306] sale_https~ xxx_sale/api6 0/0/-1/-1/35 -1 439 - - ---- 1259/680/45/7/0 0/0 {sale.xxx.com|} “OPTIONS /api/printTemplates/type/3?BranchId=121034 HTTP/1.1”
14.248.85.235:61942 [21/May/2019:17:29:20.753] guarantee~ guarantee/svc4-8000 0/0/-1/-1/8 -1 221 - - ---- 352/13/0/0/0 0/0 “OPTIONS /api/warranty?BranchId=172800&IsSyncData=true&ModifiedDate=%222019-05-15T10:09:29.8300000%2B07:00%22 HTTP/1.1”

Posts: 3

Participants: 2

Read full topic

Mariadb master master replication supported by HAPROXY for automatic failover

@gagan wrote:

We have implemented a master-master setup in maria-db. Master A is being used for read\write and Master B is used for backups and MIS operations. We have built this setup so that we do not need to promote a slave in case of failure.

Now we want to implement HA PROXY for automatic failover. In case Master A goes down, the application should switch automatically to Master B.

Now my question is: if Master A goes down and applications start being served from Master B, then when Master A comes back online and is not in sync with Master B, what will HA PROXY do? Will applications get connected to Master A instantly, or will HA Proxy check the sync status and let Master A sync up with Master B and then allow applications to connect to Master A?

What parameters need to be added in order to achieve this?

HA Proxy configuration:

image

Posts: 1

Participants: 1

Read full topic

Multiple use_backend with different map

@moscardo wrote:

Hi,
I am trying to have multiple map files used in the same frontend like:

  use_backend %[req.hdr(host),lower,map(/etc/haproxy/web-dom2back.map)]
  use_backend %[req.hdr(host),lower,map(/etc/haproxy/web-dom1back.map)]

But what happens is that when I try to access a website that is defined in web-dom1back.map it doesn’t work because it is not found in the first map and then defaults to something else.

What options do I have here? I would just like to have this setup so that the maps are better organized, with shorter files.

Thanks.

Posts: 1

Participants: 1

Read full topic

Server-template and SRV with multiple local servers with different ports

@kaspergrubbe wrote:

Hi,

Setup

I am having two servers running locally, and I have Consul running DNS on 127.0.0.1:8600:

$ dig +short @127.0.0.1 -p 8600 -t srv _whoami-whoami-whoami._tcp.service.consul
1 1 25654 Kaspers-MBP.lan.node.dc1.consul.
1 1 21387 Kaspers-MBP.lan.node.dc1.consul.

This means that the service is running on port 21387 and 25654, if I visit them I see the following:

$ curl http://localhost:21387/
I’m 8235fc9759d6 running on linux/amd64

and:

$ curl http://localhost:25654/
I’m 0d3dc4abb184 running on linux/amd6

I then setup Haproxy to switch between them like this:

global
  maxconn 5000
  pidfile /usr/lib/haproxy/haproxy.pid
  stats socket /home/kasper/haproxy.sock

defaults
  timeout connect 5000
  timeout client  50000
  timeout server  50000
  log     global

listen stats
  bind 0.0.0.0:8999
  mode http
  stats enable
  stats uri /dashboard  # Stats URI
  stats admin if { src 127.0.0.1 }

resolvers consuldns
  nameserver consul 127.0.0.1:8600
  accepted_payload_size 8192

listen whoami
  bind *:8022
  mode http
  option httpchk GET / HTTP/1.0
  balance roundrobin
  server-template srv 2 _whoami-whoami-whoami._tcp.service.consul resolvers consuldns check resolve-opts allow-dup-ip

And when I boot Haproxy it writes the following:

[WARNING] 140/150710 (38827) : Server whoami/srv1 is DOWN, reason: Socket error, check duration: 0ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
[WARNING] 140/150711 (38827) : Server whoami/srv2 is DOWN, reason: Socket error, check duration: 0ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
[ALERT] 140/150711 (38827) : proxy ‘whoami’ has no server available!
[WARNING] 140/150711 (38827) : whoami/srv1 changed its IP from to 127.0.0.1 by consuldns/consul.
[WARNING] 140/150711 (38827) : whoami/srv2 changed its IP from to 127.0.0.1 by DNS cache.
[WARNING] 140/150714 (38827) : Server whoami/srv1 is UP, reason: Layer7 check passed, code: 200, info: “OK”, check duration: 2ms. 1 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
[WARNING] 140/150715 (38827) : Server whoami/srv2 is UP, reason: Layer7 check passed, code: 200, info: “OK”, check duration: 3ms. 2 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.

When I use show servers state the server show up correctly, with the correct ports:

# be_id be_name srv_id srv_name srv_addr srv_op_state srv_admin_state srv_uweight srv_iweight srv_time_since_last_change srv_check_status srv_check_result srv_check_health srv_check_state srv_agent_state bk_f_forced_id srv_f_forced_id srv_fqdn srv_port srvrecord
3 whoami 1 srv1 127.0.0.1 2 0 1 1 153 15 3 4 6 0 0 0 Kaspers-MBP.lan.node.dc1.consul 25654 _whoami-whoami-whoami._tcp.service.consul
3 whoami 2 srv2 127.0.0.1 2 0 1 1 152 15 3 4 6 0 0 0 Kaspers-MBP.lan.node.dc1.consul 21387 _whoami-whoami-whoami._tcp.service.consul

Issue

However, when I visit the service that I set up with Haproxy by going to http://localhost:8022, it doesn’t seem to load-balance between the different servers because only one of the names shows up:

Am I missing something?

Posts: 2

Participants: 2

Read full topic


Chained HAProxy in tcp mode with proxy protocol enabled not working

@praveenkumar.2608 wrote:

Hi,

I have a haproxy setup as follows:

Client --> Haproxy (LOCATION A)------> HAProxy(LOCATION B)----> Server

Both HA Proxy instances are running in TCP mode in both frontend and backend. My server wants to see the actual client IP connecting to it, so I have enabled send-proxy on the location A haproxy and am sending it to the haproxy at location B. I can see the proxy header on my server. I can see the initial SSL handshake between the haproxy at location B and the server, but no data is being sent and no response is received at the client end.

Location A config :

global
log 127.0.0.1:514 local0 info
log 127.0.0.1:514 local0 debug
#log 127.0.0.1:514 local1 notice
#log loghost local0 info
maxconn 4096
#chroot /usr/share/haproxy
#user haproxy
#group haproxy
daemon
debug
#quiet
#ssl-server-verify none
defaults
mode tcp
log global
option httplog
option dontlognull
option http-server-close
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000

frontend https_in
bind *:443
mode tcp
option tcplog
timeout client 1m
default_backend https

backend https
mode tcp
option tcplog
option log-health-checks
#option redispatch
server halocb x.x.x.x:443 check send-proxy-v2

Location B config :

global
log 127.0.0.1:514 local0 info
log 127.0.0.1:514 local0 debug
#log 127.0.0.1:514 local1 notice
#log loghost local0 info
maxconn 4096
#chroot /usr/share/haproxy
#user haproxy
#group haproxy
daemon
debug
#quiet
#ssl-server-verify none
defaults
mode tcp
log global
option httplog
option dontlognull
option http-server-close
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000

frontend https_in
bind *:443
mode tcp
option tcplog
timeout client 1m
default_backend https

backend https
mode tcp
option tcplog
option log-health-checks
#option redispatch
server halocb mysite.ul.com:443 check ssl verify none

Posts: 2

Participants: 2

Read full topic

Logging http-request redirect

@barracksbuilder wrote:

I’m not seeing log entries when a redirect happens. I have the following code:

http-request redirect location %[capture.req.uri,lower,map(/etc/haproxy/additional.map)] code 302

Is there a way to get haproxy to generate log entries when this matches? Logging is working; I have:

global
   log 127.0.0.1    local0
defaults
   log     global
   option httplog

Everything else is going nicely into our splunk server.

Posts: 1

Participants: 1

Read full topic

Problems with HAProxy settings

@PEscobarA wrote:

Dear,
I need help … I have a kubernetes cluster with two workers which expose a docker image of my application.
I made the haproxy configuration, which I leave here:

The problem I have is that in the HAProxy monitor these two servers appear connected and disconnected; that is to say, they do not always remain green, but alternate between green and red.

What could be causing this problem?
I ask for your help.
Thank you.

Posts: 2

Participants: 2

Read full topic

Segmentation Fault on raspberry pi

@jszjsmith wrote:

Hello,

I have been running HA-Proxy version 1.7.5-2 2017/05/27 from the raspbian repo for several months without issue.

I’d like to now run a more up-to-date version on CentOS for ARM, so I’ve compiled both 1.9.0 and 2.0-dev4 on a fresh raspberry pi with CentOS 7 installed. However, for both versions I get an immediate segmentation fault.

I don’t really know what I’m doing with gdb, but I tried running it with gdb and this is the output below; can anyone give me any insights as to what may be happening here?

TIA.
John.

# gdb /usr/local/sbin/haproxy
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-114.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "armv7hl-redhat-linux-gnueabi".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/sbin/haproxy...done.
(gdb) set pagination 0
(gdb) run -f /etc/haproxy/haproxy.cfg -d
Starting program: /usr/local/sbin/haproxy -f /etc/haproxy/haproxy.cfg -d
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/libthread_db.so.1".
warning: Probes-based dynamic linker interface failed.
Reverting to original interface.

Cannot access memory at address 0xc2400000
Missing separate debuginfos, use: debuginfo-install bzip2-libs-1.0.6-13.el7.armv7hl elfutils-libelf-0.172-2.el7.armv7hl elfutils-libs-0.172-2.el7.armv7hl glibc-2.17-260.el7_6.5.armv7hl keyutils-libs-1.5.8-3.el7.armv7hl krb5-libs-1.15.1-37.el7_6.armv7hl libattr-2.4.46-13.el7.armv7hl libcap-2.22-9.el7.armv7hl libcom_err-1.42.9-13.el7.armv7hl libgcc-4.8.5-36.el7_6.2.armv7hl libgcrypt-1.5.3-14.el7.armv7hl libgpg-error-1.12-3.el7.armv7hl libselinux-2.5-14.1.el7.armv7hl lz4-1.7.5-2.el7.armv7hl nss-softokn-freebl-3.36.0-5.el7_5.armv7hl openssl-libs-1.0.2k-16.el7_6.1.armv7hl pcre-8.32-17.el7.armv7hl systemd-libs-219-62.el7_6.6.armv7hl xz-libs-5.2.2-1.el7.armv7hl zlib-1.2.7-18.el7.armv7hl
(gdb) bt
#0  0x76fe46f4 in dl_open_worker () from /lib/ld-linux-armhf.so.3
#1  0x76fdf970 in _dl_catch_error () from /lib/ld-linux-armhf.so.3
#2  0x76fe3c68 in _dl_open () from /lib/ld-linux-armhf.so.3
#3  0x76b6c9c8 in do_dlopen () from /lib/libc.so.6
#4  0x76fdf970 in _dl_catch_error () from /lib/ld-linux-armhf.so.3
#5  0x76b6cad4 in __libc_dlopen_mode () from /lib/libc.so.6
#6  0x76b401a4 in nss_load_library () from /lib/libc.so.6
#7  0x76b40d38 in __nss_lookup_function () from /lib/libc.so.6
#8  0x76b40e90 in __nss_lookup () from /lib/libc.so.6
#9  0x76aee4dc in getpwnam_r@@GLIBC_2.4 () from /lib/libc.so.6
#10 0x76aedc14 in getpwnam () from /lib/libc.so.6
#11 0x00146d78 in cfg_parse_global (file=0x2c7178 "/etc/haproxy/haproxy.cfg", linenum=7, args=0x7efff02c, kwm=<optimized out>) at src/cfgparse-global.c:475
#12 0x000dd7f4 in readcfgfile (file=0x2a9528 "/etc/haproxy/haproxy.cfg") at src/cfgparse.c:2147
#13 0x000d6e64 in init (argc=<optimized out>, argc@entry=4, argv=<optimized out>, argv@entry=0x76a556b0) at src/haproxy.c:1649
#14 0x0002bc90 in main (argc=4, argv=0x76a556b0) at src/haproxy.c:2683

Posts: 1

Participants: 1

Read full topic

Haproxy redirection based on semaphore detection

@sean.r wrote:

I would like to redirect requests to a “sorry page” during maintenance downtimes. Is it possible to base redirection on whether, or not, a semaphore file is present on my haproxy host?

That is:

If file is present, redirect to sorry page.

Thank you

sean.r

Posts: 1

Participants: 1

Read full topic
