Channel: HAProxy community - Latest topics

Key-value mapping: Route by IP


@Cyberfusion wrote:

I am using a key-value mapping in HAProxy like this:

use_backend %[req.hdr(host),lower,map_dom(/etc/haproxy/clusters.map)] if !letsencrypt-acl

/etc/haproxy/clusters.map is filled with domain and backend mappings. This works well.

Now, I also need to be able to route by IP. In other words, I want to be able to add an IP to the map file (/etc/haproxy/clusters.map) with a corresponding backend. In order to do this, I changed my config to:

use_backend %[req.hdr(host),lower,map_dom(/etc/haproxy/clusters.map)] if !letsencrypt-acl
use_backend %[req.hdr(ip),lower,map_dom(/etc/haproxy/clusters.map)]
use_backend bk_letsencrypt if letsencrypt-acl

This actually seems to work well, but is this the recommended way to go about this?

Posts: 1

Participants: 1



Customize error page by haproxy


@machihkfyg wrote:

Hello,

I am having a problem with how to set up a customized error page handled by HAProxy, which needs to check the status from the backend HTTP server. If the backend HTTP server returns a 4XX or 5XX error code, HAProxy should serve its customized error page.

Thanks All!

Posts: 2

Participants: 2


Backend down shows maintenance


@newtreme wrote:

I use HAProxy with pfSense. If a backend is down, I get a maintenance site. But if only one URL of the backend is offline, the next client will simply be shown the backend. How can I create an offline site instead?

Posts: 4

Participants: 2


Maxconn handling

TCP Health check failure during high traffic


@go_go_proxy wrote:

During high-traffic tests we are seeing members being marked as DOWN in the haproxy logs.
We are trying to debug the issue by collecting tcpdumps during the high-traffic case.
Is there a way to isolate the health check messages in the tcpdump? This is a TCP health check.

Posts: 1

Participants: 1


Struggling to redirect one non-www domain to www over ssl


@rajatady wrote:

I am trying to redirect one domain behind my HAProxy load balancer from non-www to www prefix in Rancher over SSL. All the other redirections are working fine. example.com is being redirected to https://www.example. But https://example.com is not being redirected to https://www.example.com.

Here is my config in Rancher:

frontend 80
acl lepath path_beg -i /.well-known/acme-challenge
redirect scheme https code 301 if !{ hdr(host) -i example.com } !lepath !{ ssl_fc }
redirect prefix https://www.example.com code 301 if  { hdr(host) -i example.com } !lepath
redirect prefix https://www.example.com code 301 if  { hdr(host) -i www.example.com } !lepath !{ ssl_fc }

I am fairly new to HAProxy. I have gone through a lot of documentation but none of the configs are working here. Can someone help me out with it?

example.com -> https://www.example.com
www.example.com -> https://www.example.com
http://example.com -> https://www.example.com
http://www.example.com -> https://www.example.com
https://example.com -> https://www.example.com (Not working)

Posts: 4

Participants: 2


Trying to run haproxy as non-root: not working


@bmf7777 wrote:

I'm trying to modify my haproxy (HA-Proxy version 1.8.8-1ubuntu0.4 2019/01/24) cfg file to run as user haproxy. My config is running fine, but if I uncomment the three directives below in my global settings, the proxy no longer works. Any ideas what I'm doing wrong? Thanks in advance.

This is my passwd entry for user haproxy:
haproxy:x:126:130::/var/lib/haproxy:/sbin/nologin

global
maxconn 100
daemon
tune.ssl.default-dh-param 2048
log /dev/log local0
log /dev/log local1 notice
log 127.0.0.1 syslog debug
# chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
# user haproxy
# group haproxy

Posts: 5

Participants: 2


Unable to set a cookie on 301 redirect


@Drew wrote:

Good Afternoon,

I am attempting to do a 301 redirect from my old domain to my new domain, but to have a cookie in the redirect so I can have a popup greeting on my new domain for those who have been redirected. I have tried the following:
frontend https-external
log /dev/log local0 debug
option httplog
mode http
http-request set-header X-This-redirect This-redirect
maxconn 2048
bind vip-web:443 ssl crt /etc/haproxy/certs

And in the redirect itself I have:
acl redirect-friends path_beg /friends
redirect location https://newsite.co.uk/ code 301 set-cookie REDIRECTED if redirect-friends
acl redirect-faq path_beg /faq
redirect location https://newsite.co.uk/frequently-asked-questions code 301 set-cookie REDIRECTED if redirect-faq

The redirects work and I get to where I want to go; I just don't see any of the cookies or headers I have set.

What am I doing wrong?

I am running HA-Proxy version 1.6.3 2015/12/25 on Ubuntu 16.04.

Thanks in advance.
Drew

Posts: 4

Participants: 2



Config File Size Limit?


@uliromahn wrote:

Is there a size limit for the haproxy.cfg file? If yes, what would that limit be?

Also, what is the time it should take to parse a really large cfg file until HAProxy is ready to accept connections?

Background: we have backends with a LOT of servers! In one example, we have a cfg file with almost 3000 lines. Two backends have a little over 1200 servers each. It appears that sometimes HAProxy takes more than 30 seconds to parse it and accept connections. This causes our health check to time out, resulting in a restart of pods (our services run in Kubernetes).

Posts: 3

Participants: 2


Remote REST call


@jbrahy wrote:

I have to write to and check with a remote API for each request coming into my haproxy server. Is there a way to send a request with parameters to an API endpoint and, based on the response of the endpoint, select a backend?

Posts: 1

Participants: 1


Lua reference manual returns 404

Appending path and redirecting URL


@bmf7777 wrote:

I'm using haproxy 1.8, working well with termination and pass-through. I'm trying, to no avail, to add location servers with a path name appended; e.g. below is a front-end and back-end that is working. However, I'm using redir, which is fine inside the firewall, but I want to go through haproxy and be able to access this server from outside the firewall (aka unifi-backend). foobar-unifi.ddns.net is accessible via nslookup using no-ip.com.

Question: how do I change
server unifi 192.168.1.16:8443 redir https://192.168.1.16:8443/manage/site/kab9w4dv/dashboard check
to allow access to the server through haproxy by accessing https://foobar-unifi.ddns.net? Thanks in advance.

frontend https-front
        bind unix@/var/run/haproxy.sock ssl crt /etc/letsencrypt/live/foobar.ddns.net/haproxy.pem accept-proxy
        mode http

        use_backend home-assistant-backend if { ssl_fc_sni -i foobar-ha.ddns.net }
        use_backend nextcloud-backend if { ssl_fc_sni -i farbar-nc.ddns.net }
        use_backend blueiris-backend if { ssl_fc_sni -i foobar-bi.ddns.net }
        use_backend pihole-backend if { ssl_fc_sni -i foobar-dns.ddns.net }
        use_backend unifi-backend if { ssl_fc_sni -i foobar-unifi.ddns.net }
        use_backend unms-backend if { ssl_fc_sni -i foobar-unms.ddns.net }
        use_backend haproxy-backend if { ssl_fc_sni -i foobar-haproxy.ddns.net }
        default_backend blueiris-backend

backend unifi-backend
        mode http
        server unifi 192.168.1.16:8443 redir https://192.168.1.16:8443/manage/site/kab9w4dv/dashboard check
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request add-header X-Forwarded-Proto https if { ssl_fc }

Posts: 3

Participants: 2


Chrome SPDY connection error


@zeff wrote:

Hi all,

I'm experiencing an issue with HAProxy 1.8.14 with TLS 1.1, TLS 1.2 and TLS 1.3 and alpn h2 enabled in the configuration. Sometimes endpoint Chrome browsers throw a 'net::ERR_SPDY_PROTOCOL_ERROR' exception while sending a POST to our web backends via HTTPS. If alpn and h2 are disabled, the error disappears.

HAProxy error logs show termination code 'CD', meaning that the client closed the connection. But Chrome shows the exact opposite:
HTTP2_STREAM_ERROR
–> description = “Server reset stream.”
–> net_error = “ERR_SPDY_PROTOCOL_ERROR”

Network sniffer logs on the client side show that the client sent a POST request to haproxy but didn't get a response.

Any idea what can cause those errors, and how can I debug them on haproxy side?

Thanks

Posts: 1

Participants: 1


HAProxy serves content from default backend


@Gianfranco wrote:

Hi,
my proxy always serves content from default backend.
This is my cfg:

frontend oracle_front

    bind *:1521
    option tcplog
    mode tcp

    #ACL
    acl host1 hdr(host) -i oracle1.mysite.it

    #Backend
    use_backend host1_1521 if host1

    default_backend dboracle_back

backend host1_1521
    mode tcp
    balance source
    server oracle1 192.168.1.115:1521 check

backend dboracle_back
    mode tcp
    balance source
    server oracle1 192.168.1.113:1521 check

Posts: 2

Participants: 2


Load balancing UDP traffic in HAProxy


@majid021 wrote:

Hi Everyone,

I have a simple load balancing scenario.

In my setup, I have HAProxy in HA (haproxy1, haproxy2) with a virtual IP (10.0.0.1) and keepalived on both haproxy1 and haproxy2.

I am sending the syslogs from an ESX host to the virtual IP (10.0.0.1). I am able to get the logs on haproxy1 and haproxy2 (checked via tcpdump), but from haproxy1/haproxy2 the traffic is not getting forwarded to the backend servers (logstash1, logstash2); all the UDP and TCP ports are open.

I see in a few posts or blogs about haproxy that UDP is not supported in it, but to have it supported, LVS has to be configured at the kernel level to load balance TCP or UDP traffic.

I tried multiple methods to configure LVS in keepalived to have the traffic forwarded to the backend servers, but could not.

If anybody has encountered an issue similar to this, can you please shed some light on it or share some configs?

The following are the haproxy config and the keepalived config.

haproxy config:

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon

# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private

# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
#  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3

# Fine-tuned configuration:
nbproc 4 # equal to number of cores
# default maxconn is 2000 (approx)
maxconn 100000
cpu-map 1 0
cpu-map 2 1
cpu-map 3 2
cpu-map 4 3

defaults
log global
mode http
#option httplog
mode tcp

option tcplog

#option syslog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
timeout http-keep-alive 10s
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

frontend vip
bind 10.10.10.11:5601
stats enable
default_backend kibana_ui

backend kibana_ui
balance roundrobin
server prod-efk1.abc.com 10.10.10.1:5601 check
server prod-efk2.abc.com 10.10.10.2:5601 check backup

backend elasticsearch
balance roundrobin
server prod-es01.abc.com 10.10.10.3:9200 check
server prod-es02.abc.com 10.10.10.4:9200 check backup
server prod-es03.abc.com 10.10.10.5:9200 check backup

backend logstash
balance roundrobin
# mode tcp
server prod-fag01.abc.com 10.10.10.6:514 check
server prod-fag02.abc.com 10.10.10.7:514 check backup

listen stats
bind 10.10.10.152:1936
mode http
log global
stats enable
stats hide-version
stats realm LoadBalanced\ ELK\ Components
stats uri /haproxy?stats
stats auth haproxy:haproxy

    maxconn 10

    clitimeout      100s
    srvtimeout      100s
    contimeout      100s
    timeout queue   100s

    stats enable
    stats hide-version
    stats refresh 30s
    stats show-node
    stats uri  /

Keepalived config:

vrrp_script chk_haproxy {
#script "killall -0 haproxy"
#script "/usr/sbin/service haproxy status"
script "/usr/bin/pgrep haproxy"
interval 2
#weight 2
}

global_defs {
#router_id prod-haproxy01
#lvs_sync_daemon_interface eth0 VI_1
}

vrrp_instance VI_1 {
interface eth0
state MASTER
virtual_router_id 51
priority 110

unicast_src_ip 10.10.10.8
unicast_peer {
10.10.10.9
}

virtual_ipaddress {
10.10.10.152 # virtual ip address
}
track_script {
chk_haproxy
}
}

Posts: 1

Participants: 1



Block original client IP instead of Cloudflare source IP


@fcwan wrote:

We have a haproxy behind Cloudflare; below is our haproxy's access log:

Jun 14 18:09:29 localhost haproxy[69672]: 172.68.253.118:35540 10.50.0.105:80 565 1442 200 GET /json/alert/alert_message.json?_=1560417328974 HTTP/1.1 app main 10.50.0.101 uat123-technology.com Mozilla/5.0 (Windows NT 10.0; WOW64; rv:67.0) Gecko/20100101 Firefox/67.0 21.25.23.35 https://uat123.technology.com/user/login nginx -\

We would like to block the original client IP, which is 21.25.23.35, by ACL instead of the Cloudflare source IP 172.68.253.118. How do we achieve it? Thank you very much!

Following is our haproxy configuration. It works when the haproxy is the first tier, but behind Cloudflare it doesn't work.
acl imip src -f /etc/haproxy/im.zone
acl isip src -f /etc/haproxy/is.zone
acl itip src -f /etc/haproxy/it.zone
acl noip src -f /etc/haproxy/no.zone
acl ptip src -f /etc/haproxy/pt.zone
acl seip src -f /etc/haproxy/se.zone
acl twip src -f /etc/haproxy/tw.zone
acl usip src -f /etc/haproxy/us.zone
acl whitelist src -f /etc/haproxy/white_ip_list
acl blacklist src -f /etc/haproxy/black_ip_list
acl all src 0.0.0.0/0
use_backend app if whitelist
use_backend region if blacklist OR deip OR esip OR frip OR gbip OR hkip OR ieip OR imip OR isip OR itip OR noip OR ptip OR seip OR twip OR usip
use_backend app if all

Posts: 2

Participants: 2

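The situation in this post, where `src` only ever sees the CDN's address, is the classic trusted-proxy problem: the real client address arrives in a request header (Cloudflare sends CF-Connecting-IP, and the usual X-Forwarded-For chain), and that header is only trustworthy when the TCP peer is one of the CDN's own egress ranges; otherwise any client can write a fake header to dodge a deny-list or impersonate an allow-listed address. The Python below is an added example, not code from the post or from HAProxy, that makes the decision logic explicit: resolve the client address only behind a trusted proxy, then evaluate the deny-list against that address. The proxy ranges and deny-list entries are constructed sample values (not the real Cloudflare list); the addresses 172.68.253.118 and 21.25.23.35 are the ones from the log line in the post.

```python
"""Trusted-proxy client IP resolution: evaluate deny/allow lists against the
original client address behind a CDN, never against the CDN's own source IP,
and only believe forwarded headers when the TCP peer is a known proxy."""
import ipaddress

# Constructed sample ranges standing in for the CDN's published egress ranges.
# They are NOT the real Cloudflare list; load the published list for production.
TRUSTED_PROXY_RANGES = [ipaddress.ip_network(n) for n in ("172.68.0.0/16", "198.51.100.0/24")]

# Constructed deny-list, the equivalent of /etc/haproxy/black_ip_list in the post.
DENY_LIST = [ipaddress.ip_network(n) for n in ("21.25.23.0/24", "203.0.113.7/32")]


def in_ranges(ip, ranges):
    """True if ip falls inside any network in ranges."""
    return any(ip in net for net in ranges)


def real_client_ip(src, headers):
    """Return the address that ACLs should evaluate.

    src     -- TCP peer address, i.e. what HAProxy's `src` fetch sees.
    headers -- request headers as a dict (names are matched case-insensitively).

    The forwarded address is believed only when src is a known proxy; otherwise
    the header is attacker-controlled and is ignored.
    """
    peer = ipaddress.ip_address(src)
    if not in_ranges(peer, TRUSTED_PROXY_RANGES):
        return peer
    hdrs = {k.lower(): v for k, v in headers.items()}
    # CF-Connecting-IP carries a single address; X-Forwarded-For may be a chain,
    # of which the first hop is the client as seen by the first trusted proxy.
    forwarded = hdrs.get("cf-connecting-ip") or hdrs.get("x-forwarded-for", "").split(",")[0]
    try:
        return ipaddress.ip_address(forwarded.strip())
    except ValueError:
        # Missing or malformed header from a trusted proxy: evaluate the peer
        # itself. A trusted proxy should always supply the header, so log this.
        return peer


def should_block(src, headers):
    """Deny-list decision on the resolved client address."""
    return in_ranges(real_client_ip(src, headers), DENY_LIST)


if __name__ == "__main__":
    # Proxy and client addresses from the log line in the post.
    print(real_client_ip("172.68.253.118", {"CF-Connecting-IP": "21.25.23.35"}))  # 21.25.23.35
    print(should_block("172.68.253.118", {"CF-Connecting-IP": "21.25.23.35"}))   # True
    # Same header sent directly by an untrusted peer: the header is ignored.
    print(should_block("203.0.113.50", {"X-Forwarded-For": "21.25.23.35"}))      # False
```

In HAProxy itself the same two steps map onto existing directives: `http-request set-src req.hdr(CF-Connecting-IP) if { src -f /etc/haproxy/cloudflare_ips.lst }` (the list file path is a placeholder) rewrites the connection's source address to the forwarded one only for connections arriving from the CDN ranges, and because `set-src` is applied before the `use_backend` conditions are evaluated, the existing `src -f ...` ACLs in the post then match the original client rather than the CDN node. The condition on the CDN ranges is what keeps a direct client from spoofing the header.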

LDAP as backend for BasicAuth (Userlist)


@snoopy wrote:

Hi everybody,

I'm currently moving various former Apache reverse-proxied sites to HAProxy.
In Apache I used Basic Auth with LDAP as the backend (authz_ldap).
In HAProxy one can do Basic Auth too, but it needs userlists. Now I'm wondering if it is possible to use LDAP as the auth backend for Basic Auth instead of userlists in HAProxy, so one can have one centralized user management for different services.

Thx in advance for any hint!
Snoopy

Posts: 1

Participants: 1


Server-template + server drain


@twisen wrote:

Hi everyone. I'm using HAProxy 1.9 with SRV server discovery.
I have a problem with the servers' weight.
First, I'm configuring it in the SRV record as "10", but in the HA stats it always appears as "1".
The other problem is that when I change the server weight to 0 (drain), this change doesn't work.
The HAProxy documentation about SRV discovery doesn't talk about it.
I leave an example of my SRV record value: "10 10 8080 10.30.7.254"

Thanks and regards!

Posts: 1

Participants: 1


HAProxy performance issue when proxying to gRPC


@danforth wrote:

Hi!

I have two gRPC servers and one fat gRPC client. I wrote my own client load balancer that simply uses a random server to perform each request. It works perfectly, but it has a few disadvantages:

  • no health checks
  • no server weights (one server is more powerful than another)

I decided to put HAProxy in front of them, so that HAProxy would solve the disadvantages of the previous scheme and give me the possibility to scale more easily.

When I finished my HAProxy setup it turned out that performance through HAProxy was reduced, and I got a lot of timeout errors (grpc context deadline from my golang client). Now when I connect directly to the slowest node it is faster in rps (and there are no errors) than when I connect through HAProxy with two servers in the backend.

The client, HAProxy and the two upstream servers are located in the same data center with ping less than 0.5 ms.

I tried to apply a few Linux kernel configs, but mostly they had no impact on performance.

I also tried to install the 5.1 Linux kernel, and it seems it is now a little bit faster, but it is still slower than a direct connection to the slowest node.

I tried to use the proto h2 directive to connect directly without TLS, but performance is still poor.

Can somebody explain to me how to figure out where the problem is and how to fix it?

Thanks in advance!

Configuration of proxy server machine:

Intel(R) Xeon(R) CPU E3-1246 v3 @ 3.50GHz
32GB RAM

HAProxy version:

 haproxy -v
 HA-Proxy version 1.9.8-1ppa2~bionic 2019/06/13 - https://haproxy.org/

This is my config file:

global
        log stdout local0
        maxconn 50000
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
        ssl-default-bind-options ssl-min-ver TLSv1.1
        tune.ssl.default-dh-param 2048

defaults
        log global
        mode http
        timeout connect 5s
        timeout client 30s
        timeout server 30s
        option httplog
        option logasap
        option http-use-htx


frontend grpc-proxy
        bind :9000  ssl crt /etc/ssl/private/grpc-balancer.pem alpn h2
        default_backend grpc-feeds

backend grpc-feeds
        balance random

        server grpc-feeds-01    1.2.3.4:9000    ssl verify none alpn h2 check
        server grpc-feeds-02    5.6.7.8:9000    ssl verify none alpn h2 check

Posts: 1

Participants: 1


HAProxy 2.0.0 headers


@scegliau wrote:

This morning I upgraded to version 2.0 (from 1.9.8) and a lot of headers arrive lowercase at the backend.
It's strange: not all headers, but let's say 99% (the only one with a capital letter is "Connection: close").

I think this is not correct... am I wrong?

Posts: 1

Participants: 1
