
Help me please , I have failed to start HAproxy

@PEACE wrote:

I'm just a newbie; I want to build HAProxy on my computer, on localhost using VMware. I have 3 servers and I'm done with my configuration, but something happens when I want to start my HAProxy configuration: the configuration FAILED. Can you please tell me where the error is in my configuration?
Here is my configuration:

global
log /dev/log local0
log 127.0.0.1 local1 notice
maxconn 4096
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon

# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private

# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
#  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3

defaults
log global
mode http
option httplog
option dontlognull
retries 3
option redispatch
maxconn 2000
conntimeout 5000
clitimeout 50000
srvtimeout 50000

listen loadbalance 0.0.0.0:1936
mode http
stats enable
stats uri /haproxy?stats
option httpclose
option forwardfor
balance roundrobin
server webserver1 10.20.20.10:80 check
server webserver2 10.20.20.20:80 check

And the error said:

(error screenshot not reproduced)

I will appreciate it and will get much knowledge from you, master. Thanks for your attention and your time. :blush:

Posts: 3

Participants: 2

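A quick way to catch a typo like this before restarting the daemon is `haproxy -c -f <file>`, which only validates the file. The linter below is an added example (not the poster's code and not part of HAProxy): it flags the legacy `contimeout`/`clitimeout`/`srvtimeout` keywords and any keyword that looks like a misspelling of them, run over a constructed excerpt of the config above.

```python
"""Lint an HAProxy config for legacy timeout keywords and likely typos.

Added example, not code from the original post or from HAProxy: the config
embedded below is a constructed excerpt modelled on the one posted above.
"""
import difflib
import re

# Old keywords HAProxy documents as deprecated, with the modern 'timeout' form.
LEGACY_TIMEOUTS = {
    "contimeout": "timeout connect",
    "clitimeout": "timeout client",
    "srvtimeout": "timeout server",
}

SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen|resolvers)\b")


def _closest_legacy(keyword):
    """Best legacy keyword that is a near-miss of `keyword`, or None."""
    hits = difflib.get_close_matches(keyword, LEGACY_TIMEOUTS, n=1, cutoff=0.8)
    return hits[0] if hits else None


def lint_config(text):
    """Return (line_no, severity, message) tuples for one config file.

    warning: a legacy timeout keyword (deprecated in favour of 'timeout <type>').
    error:   a keyword that looks like a misspelt legacy keyword; HAProxy
             rejects unknown keywords and refuses to start.
    Comment stripping is naive: a '#' inside a quoted value is not handled.
    """
    findings = []
    section = None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            section = match.group(1)
            continue
        keyword = line.split()[0]
        if keyword in LEGACY_TIMEOUTS:
            findings.append((line_no, "warning",
                             f"'{keyword}' is deprecated; use '{LEGACY_TIMEOUTS[keyword]}'"))
        elif keyword.endswith("timeout") and keyword != "timeout":
            guess = _closest_legacy(keyword)
            hint = (f"did you mean '{guess}' (modern form '{LEGACY_TIMEOUTS[guess]}')?"
                    if guess else "no such keyword")
            findings.append((line_no, "error",
                             f"unknown keyword '{keyword}' in '{section}' section; {hint}"))
    return findings


def has_blocking_errors(findings):
    """True if any finding would stop HAProxy from starting."""
    return any(severity == "error" for _, severity, _ in findings)


# Constructed excerpt of the posted config (defaults + listen sections only).
SAMPLE_CFG = """\
defaults
    log global
    mode http
    option httplog
    retries 3
    maxconn 2000
    conntimeout 5000
    clitimeout 50000
    srvtimeout 50000

listen loadbalance 0.0.0.0:1936
    mode http
    balance roundrobin
    server webserver1 10.20.20.10:80 check
"""

if __name__ == "__main__":
    for line_no, severity, message in lint_config(SAMPLE_CFG):
        print(f"line {line_no}: {severity}: {message}")
```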


Will using proxy-protocol on a backend change behaviour on header manipulation in a frontend?

@jvwag wrote:

I have configured a frontend with some header manipulation, mostly for security:

frontend ft_web
  bind :::443 v4v6 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1 curves secp384r1
  reqidel ^x-forwarded.*
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains;"
  use_backend bk_group1

backend bk_group1
  server localhost1 localhost:8000 send-proxy check

In this case, the headers are not modified. But when I remove send-proxy from the backend server and reconfigure my backend to not use the proxy protocol, the header manipulations work. I added my bind to indicate I also use http/2.0.

Does the send-proxy directive manipulate the connection mode to tunnel mode?

Posts: 1

Participants: 1


Possible bug with the prometheus exporter in HAProxy 2.0.1

@davidolrik wrote:

I have recently installed HAProxy 2.0.1, but have been experiencing a strange problem where the CPU is maxed out after a little while.

I have tracked the problem down to the built-in prometheus exporter that doesn't close the connection properly, leaving it in CLOSE_WAIT after each hit to /metrics.
After a while it runs out of connections, stops serving requests and maxes out the CPU.

Here is my “stats” config:

frontend stats
    bind *:8404
    option http-use-htx
    http-request use-service prometheus-exporter if { path /metrics }
    stats enable
    stats uri /stats
    stats refresh 10s

haproxy -vv:

HA-Proxy version 2.0.1-1ppa1~bionic 2019/06/27 - https://haproxy.org/
Build options :
TARGET  = linux-glibc
CPU     = generic
CC      = gcc
CFLAGS  = -O2 -g -O2 -fdebug-prefix-map=/build/haproxy-O7_wB6/haproxy-2.0.1=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-format-truncation -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wno-implicit-fallthrough -Wno-stringop-overflow -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_SYSTEMD=1

Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER -PCRE -PCRE_JIT +PCRE2 +PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS

Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=2).
Built with OpenSSL version : OpenSSL 1.1.1  11 Sep 2018
Running on OpenSSL version : OpenSSL 1.1.1  11 Sep 2018
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.3
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE2 version : 10.31 2018-02-12
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with the Prometheus exporter as a service

Available polling systems :
    epoll : pref=300,  test result OK
    poll : pref=200,  test result OK
    select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
            h2 : mode=HTX        side=FE|BE     mux=H2
            h2 : mode=HTTP       side=FE        mux=H2
    <default> : mode=HTX        side=FE|BE     mux=H1
    <default> : mode=TCP|HTTP   side=FE|BE     mux=PASS

Available services :
        prometheus-exporter

Available filters :
        [SPOE] spoe
        [COMP] compression
        [CACHE] cache
        [TRACE] trace

Posts: 1

Participants: 1


What if I want to send /* to the backend except /portal

@amirkhalili wrote:

Dear All,

I need to forward my.domain.com/* to the star_backend and my.domain.com/portal to portal_backend.

I tested multiple different configurations in the ACL part but was unsuccessful!
Can anyone help with that?
This is my HAproxy version: HA-Proxy version 1.8.4-1deb90d 2018/02/08

Sincerely
Amir

Posts: 1

Participants: 1


Cannot pass data when using load test tool

@machihkfyg wrote:

Hello,

I am experiencing a problem when using some load test tools such as JMeter or Paessler Stress Tool.

The requests are not able to pass through haproxy, but they succeed when accessing manually using a typical browser. Please advise: is something special needed in haproxy or in the load test tools?

haproxy code

global
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
user haproxy
group haproxy
daemon
maxconn 120
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
defaults
mode http
log global
option dontlognull
option http-server-close
option redispatch
retries 3
timeout http-request 10s
timeout queue 30s
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 110
errorfile 503 /etc/haproxy/errors/503.http
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
frontend main
bind *:80
bind *:443
maxconn 105
mode http
option tcplog
default_backend app
backend app
fullconn 100
balance roundrobin
mode http
option ssl-hello-chk
option httpclose
server web1 10.0.0.6:443 check
listen stats
bind *:1936
mode http
stats enable
stats hide-version
stats realm Haproxy\ Statistics
stats uri /
stats auth xxxx:yyyy
stats refresh 10s

And the log from haproxy is:

Jul 9 17:02:10 localhost haproxy[6949]: 220.241.111.222:64279 [09/Jul/2019:17:02:09.958] main app/web1 1/0/69 7 -- 0/0/0/0/0 0/0
Jul 9 17:02:10 localhost haproxy[3857]: 220.241.111.222:15595 [09/Jul/2019:17:02:10.073] main app/web1 1/0/61 7 -- 0/0/0/0/0 0/0
Jul 9 17:02:10 localhost haproxy[3910]: 220.241.111.222:1335 [09/Jul/2019:17:02:10.364] main app/web1 1/0/68 7 -- 0/0/0/0/0 0/0
Jul 9 17:02:10 localhost haproxy[7163]: 220.241.111.222:3574 [09/Jul/2019:17:02:10.707] main main/ -1/-1/0 319 PR 1/0/0/0/0 0/0
Jul 9 17:02:10 localhost haproxy[3910]: 220.241.111.222:52196 [09/Jul/2019:17:02:10.686] main app/web1 1/1/58 7 -- 0/0/0/0/0 0/0
Jul 9 17:02:10 localhost haproxy[2025]: 220.241.111.222:50675 [09/Jul/2019:17:02:10.755] main app/web1 1/1/51 7 -- 0/0/0/0/0 0/0

Thanks!

Posts: 1

Participants: 1


DNS SRV - Long Delay Between Resolving Record and Backend Marked UP/READY

@fhda-mrapczynski wrote:

Attempting my first use of the DNS SRV features in a non-production environment in AWS.

In general, my configuration works. What I am trying to diagnose now is a long delay of ~5 minutes when I re-deploy a service. HAProxy picks up the DNS change quickly, but seems to take several minutes before that change is completely applied to the backend, and health checks resume. This delay defeats the purpose of dynamic service discovery.

The log events below show what HAProxy reports after the service has been redeployed.

  1. Initially health checks fail because the container has restarted or moved to another host
  2. At 07:51 the updated SRV record is identified
  3. At 07:56 HAProxy finally marks the backend up

The key issue to diagnose is what causes the 5 minute waiting time.

Also, the DNS records currently have a TTL of 0.

Log Entries:

Jul 09 07:50:59 haproxy-internal-20190703-1136AM-579 haproxy[21084]: Health check for server bcm_test/bcm1 failed, reason: Layer4 connection problem, info: "Connection refused", check duration: 0ms, status: 2/3 UP.
Jul 09 07:51:04 haproxy-internal-20190703-1136AM-579 haproxy[21084]: Health check for server bcm_test/bcm1 succeeded, reason: Layer4 check passed, check duration: 0ms, status: 3/3 UP.

Broadcast message from systemd-journald@haproxy-internal-20190703-1136AM-579 (Tue 2019-07-09 07:51:19 PDT):

haproxy[21084]: backend bcm_test has no server available!

Jul 09 07:51:19 haproxy-internal-20190703-1136AM-579 haproxy[21084]: Server bcm_test/bcm1 is going DOWN for maintenance (DNS NX status). 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Jul 09 07:51:19 haproxy-internal-20190703-1136AM-579 haproxy[21084]: backend bcm_test has no server available!
Jul 09 07:51:19 haproxy-internal-20190703-1136AM-579 haproxy[21084]: bcm_test/bcm1 changed its FQDN from (null) to 18571aeca1584999960dff1a17acf787._bcmmb-test._tcp.docker by 'SRV record'
Jul 09 07:56:21 haproxy-internal-20190703-1136AM-579 haproxy[21084]: Server bcm_test/bcm1 ('18571aeca1584999960dff1a17acf787._bcmmb-test._tcp.docker') is UP/READY (resolves again).
Jul 09 07:56:21 haproxy-internal-20190703-1136AM-579 haproxy[21084]: Server bcm_test/bcm1 administratively READY thanks to valid DNS answer.
Jul 09 07:56:24 haproxy-internal-20190703-1136AM-579 haproxy[21084]: Health check for server bcm_test/bcm1 succeeded, reason: Layer4 check passed, check duration: 0ms, status: 3/3 UP.

HAProxy Configuration:

resolvers aws
    nameserver vpc 169.254.169.253:53
    resolve_retries 256
    timeout retry 5s
    timeout resolve 2s
    hold nx 15s
    hold other 15s
    hold refused 15s
    hold timeout 15s
    hold valid 15s
    hold obsolete 15s

frontend bcm_test
    bind *:32001
    timeout client 30m
    timeout client-fin 30s
    default_backend bcm_test

backend bcm_test
    default-server check inter 5s rise 6
    timeout connect 10s
    timeout server 30m
    server-template bcm 1 _bcmmb-test._tcp.docker check resolvers aws resolve-opts allow-dup-ip

Posts: 1

Participants: 1


HAProxy With Load Balancer

@rt516 wrote:

My HAProxy works fine with normal traffic, but when I try to use a traffic generator, captures show packets with the right source / destination / port (80) making it to the front end, but traffic is never sent out of the back end (it is with real / normal traffic). I am using T-Rex Traffic Generator.

I have tried to disable all checks, as I'm sure the traffic generator would not pass them, but I can't seem to figure out what haproxy doesn't like about the generated traffic. Can anyone help?

I have also tried to change mode from http to tcp but this did not make any difference.

ubuntu@ubuntu16:~$ cat /etc/haproxy/haproxy.cfg
global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # An alternative list with additional directives can be obtained from
        #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend localnodes
     bind 172.16.200.1:80
     mode http
     default_backend nodes


backend nodes
     mode http
     balance roundrobin
     option forwardfor
     http-request set-header X-Forwarded-Port %[dst_port]
     http-request add-header X-Forwarded-Proto https if { ssl_fc }
     #option httpchk HEAD / HTTP/1.1\r\nHost:localhost
     server trex 172.16.100.100:80 
     #server web01 172.16.100.101:80

listen stats 
     bind *:1936
     stats enable
     stats uri /
     stats hide-version
     stats auth ubuntu:antsle

Posts: 3

Participants: 2



ACLs not recognizing TCP traffic

@kmoschkau wrote:

Hello, hopefully I am making a simple error, but I cannot get ACLs to work with the Frontend in TCP mode. I receive a 502 error when I add the ACL and no traffic gets redirected to the Backend.

I am working off the documentation here: https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#7.3.5-req.ssl_sni

OS is RedHat Hardened AMI in AWS. The server is behind a public load-balancer. HAProxy version 1.8.15.

I have set the default_backend of the frontend to several different servers and gotten it to resolve, so I believe my backend configuration is correct. Here is my config:

global
    log 127.0.0.1 local0
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon
    stats socket /var/lib/haproxy/stats

defaults
    mode                    tcp
    log                     global
    option                  tcplog
    option                  dontlognull
    option http-server-close
    retries                 100
    timeout http-request    30s
    timeout queue           1m
    timeout connect         30s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 1000s
    timeout check           30s

frontend test
    bind *:80
    bind *:443
    mode tcp
    #default_backend test2.domain2
	
    tcp-request inspect-delay 10s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend test1.domain1 if { req.ssl_sni -m end domain1 }

backend test1.domain1
  mode tcp
  option ssl-hello-chk
  server test1.domain1 123.123.123.123:443
  
backend test2.domain2
  mode tcp
  option ssl-hello-chk
  server test2.domain2 hostname.domain.com:443

Log results

Jul  9 17:44:42 localhost haproxy[14846]: 192.168.13.130:32222 [09/Jul/2019:17:44:42.610] test test/<NOSRV> -1/-1/0 0 SC 2/2/0/0/0 0/0
Jul  9 17:44:42 localhost haproxy[14846]: 192.168.13.130:32224 [09/Jul/2019:17:44:42.610] test test/<NOSRV> -1/-1/0 0 SC 1/1/0/0/0 0/0
Jul  9 17:44:48 localhost haproxy[14846]: 192.168.49.111:49208 [09/Jul/2019:17:44:48.618] test test/<NOSRV> -1/-1/0 0 SC 2/2/0/0/0 0/0
Jul  9 17:44:48 localhost haproxy[14846]: 192.168.49.111:49210 [09/Jul/2019:17:44:48.618] test test/<NOSRV> -1/-1/0 0 SC 1/1/0/0/0 0/0
...

Posts: 1

Participants: 1

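The log above and the one in the load-test post earlier are both in HAProxy's tcplog format, and the two-letter termination state (PR there, SC with `<NOSRV>` here) is what tells a defender whether the proxy rejected the request, the client gave up, or no server was ever selected. The decoder below is an added example, not code from either post or from HAProxy; its sample lines are constructed after those two logs and the state descriptions follow the session-state table of the HAProxy configuration manual.

```python
"""Decode HAProxy tcplog lines and their two-letter termination state.
Added example; sample lines are constructed after the two posts' logs and
use '--' for the normal state, as HAProxy writes it."""
import re
from collections import Counter

# First letter: what ended the session (HAProxy manual, session state table).
TS_CAUSE = {
    "-": "normal session completion",
    "C": "TCP session unexpectedly aborted by the client",
    "S": "TCP session aborted or explicitly refused by the server",
    "P": "session prematurely aborted by the proxy (connect failure, deny rule, invalid request)",
    "L": "session locally processed by haproxy (stats, redirect, error page)",
    "R": "a proxy resource was exhausted",
    "I": "internal error detected by the proxy",
    "D": "session killed because the server was detected as down",
    "U": "session killed to switch to a backup server",
    "K": "session actively killed by an admin",
    "c": "client-side timeout expired",
    "s": "server-side timeout expired",
}
# Second letter: the phase the session was in when it ended.
TS_STATE = {
    "-": "normal completion after end of data transfer",
    "R": "waiting for a complete, valid request from the client",
    "Q": "waiting in the queue for a server connection slot",
    "C": "waiting for the connection to the server to establish",
    "H": "waiting for complete response headers from the server",
    "D": "in the data phase",
    "L": "transmitting the last data to the client",
    "T": "request was tarpitted",
}
# 'option tcplog' fields after the syslog prefix:
# client:port [accept_date] fe be/srv Tw/Tc/Tt bytes TS act/fe/be/srv/retr srvq/beq
TCPLOG_RE = re.compile(
    r"haproxy\[(?P<pid>\d+)\]: (?P<client>\S+) \[(?P<accept>[^\]]+)\] "
    r"(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S*) "
    r"(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tt>-?\d+) (?P<bytes>\d+) (?P<ts>\S\S) "
    r"(?P<conns>[\d/]+) (?P<queues>\d+/\d+)"
)

def parse_tcplog(line):
    """Return the tcplog fields as a dict, or None if the line is not one."""
    m = TCPLOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("pid", "tw", "tc", "tt", "bytes"):
        entry[key] = int(entry[key])
    return entry

def explain_termination(ts):
    """Readable meaning of a state such as 'PR' (proxy rejected the request)."""
    cause = TS_CAUSE.get(ts[0], f"unknown cause {ts[0]!r}")
    state = TS_STATE.get(ts[1], f"unknown state {ts[1]!r}")
    return f"{cause}; {state}"

def no_server_entries(entries):
    """Sessions that never reached a server (empty or <NOSRV>): with any state
    other than '--' they are the first lines to read when clients 'cannot pass'."""
    return [e for e in entries if e["server"] in ("", "<NOSRV>")]

def analyse(log_text):
    """Parse every line; return (entries, Counter of termination states)."""
    entries = [e for e in map(parse_tcplog, log_text.splitlines()) if e]
    return entries, Counter(e["ts"] for e in entries)

# Constructed sample modelled on the two posts (PR from the load test, SC from the ACL frontend).
SAMPLE_LOG = """\
Jul  9 17:02:10 localhost haproxy[6949]: 220.241.111.222:64279 [09/Jul/2019:17:02:09.958] main app/web1 1/0/69 7 -- 0/0/0/0/0 0/0
Jul  9 17:02:10 localhost haproxy[7163]: 220.241.111.222:3574 [09/Jul/2019:17:02:10.707] main main/ -1/-1/0 319 PR 1/0/0/0/0 0/0
Jul  9 17:02:10 localhost haproxy[3910]: 220.241.111.222:52196 [09/Jul/2019:17:02:10.686] main app/web1 1/1/58 7 -- 0/0/0/0/0 0/0
Jul  9 17:44:42 localhost haproxy[14846]: 192.168.13.130:32222 [09/Jul/2019:17:44:42.610] test test/<NOSRV> -1/-1/0 0 SC 2/2/0/0/0 0/0
Jul  9 17:44:42 localhost haproxy[14846]: 192.168.13.130:32224 [09/Jul/2019:17:44:42.610] test test/<NOSRV> -1/-1/0 0 SC 1/1/0/0/0 0/0
"""

if __name__ == "__main__":
    entries, counts = analyse(SAMPLE_LOG)
    for ts, n in counts.most_common():
        print(f"{ts} x{n}: {explain_termination(ts)}")
    for e in no_server_entries(entries):
        print(f"no server: {e['client']} via {e['frontend']} -> {e['ts']}, {e['bytes']} bytes")
```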

Inspect ACL value

@GrzegorzWiktorowski wrote:

Is it possible to directly inspect the value of an ACL clause at runtime? For example, having

acl srv1 path_dir /site1
acl srv2 path_dir /site2

I can only conclude from the HAProxy log what the result of the ACLs is.

Posts: 1

Participants: 1


Docker + HAProxy + WebSockets

@umityayla wrote:

Hello,

We have a node.js websockets service. Due to node.js being single-threaded, we are going to create many containers on a server just for sockets. So we decided to turn it into a service, but we can't configure sticky connections. Is there any example of how we could do that? (Just to be clear, haproxy will redirect connections to different containers, not to different servers. Also, we are going to have more than one host.)
Our current docker-compose.yaml is below, but it doesn't really succeed at the sticky connection.

version: '3'

services:

  proxy:
    image: dockercloud/haproxy
    # Won't start until at least one of our app services is up and running.
    depends_on:
      - socket
    environment:
      # The type of load balancing strategy that will be used.
      # - leastconn sends request to the service with the least active requests.
      # - roundrobin rotates the requests around the services.
      - COOKIE = rewrite nocache 
      # Used to identify services.
      - ADDITIONAL_SERVICES=project_dir:socket
    volumes:
      # Since our app services are running on the same port,
      # the HAProxy will use the docker.sock to find the
      # services that it should load balance.
      - /var/run/docker.sock:/var/run/docker.sock
    ports:
      # The internal used by the HAProxy is 80,
      # but we can expose any port that we would like externally.
      # For example, if you are running something else on 80,
      # you probably don't want to expose the HAProxy on 80 as well.
      - 12001:80
    networks:
      - web
    deploy:
      # The HAProxy is assigned as the manager.
      placement:
        constraints: [node.role == manager]

  socket:
    environment:
        - SERVICE_PORTS=9800
    ports:
        - 9800:3000
    image: 'umityayla/socket:latest'
    networks:
        - web

networks:
  web:
    driver: overlay

Posts: 1

Participants: 1


Listing/obtaining domains from directory of certificates / SNI

@kmattimore wrote:

I am setting up a reverse proxy that reads a collection of certificates from a directory like:

frontend https-in
bind *:443 ssl crt /etc/haproxy/ssl/

The directory contains single domain certificates as well as SAN certificates. This is all working well, and haproxy is reading all the certificates and serving the proper one through SNI.

I would like to obtain a list of domains available through SNI as HAProxy sees it, for the sake of auditing/sanity/change control. I would also be OK with a list of valid certificates - previously we used crt-list and manually managed that file. However, I am looking for a way to automatically monitor it and detect changes, rather than update the crt-list file every time.

Is this possible? Ideally, HAProxy could do this, either through the command line or the stats page ( rather than using a script+OpenSSL, etc). It seems like it already does it in order to determine all the SNI options, I just can’t find a way to get my hands on that data.

Thanks!

Posts: 2

Participants: 2


503 service unavail for ES ingest backend

@stefws wrote:

Trying to put HAp 1.8.19 in between elastic clients and elastic 6.8.1 ingest/coordinate nodes, but even though HAp has a healthy backend, it claims no service is available when hitting the frontend. Hints appreciated, TIA.

tcpdumped reply to clients on HAp

E…@.@…J>.)…R.#…9d…`…P…F…HTTP/1.0 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html

503 Service Unavailable

No server is available to handle this request.

tcpdumped HAp health check reply on backend:

E..f..@.@..L>.)E>.)L#.....n.g...P.......HTTP/1.0 200 OK
content-type: application/json; charset=UTF-8
content-length: 487
{
  "name" : "es-i1",
  "cluster_name" : "mxes2data",
  "cluster_uuid" : "SmpMKhEwQs2r0G4eNOBJTA",
  "version" : {
    "number" : "6.8.1",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "1fad4e1",
    "build_date" : "2019-06-18T13:16:52.517138Z",
    "build_snapshot" : false,
    "lucene_version" : "7.7.0",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}

HAproxy config snippet:

defaults
   maxconn 1024
   email-alert mailers sysadminmailer
   email-alert from "${INSTANCE}@${DOMAIN}"
   email-alert to "${ALERTEE}"
   mode http
   rate-limit sessions 20
   #log global
   #option  httplog
   option  dontlognull             # Do not log connections with no requests
   option  dontlog-normal          # Do not log successful connections, i.e. log on servers
   option  contstats               # Enable continuous traffic statistics updates
   retries 2                       # Try to connect up to 2 times in case of failure
   timeout connect 30s             # max to connect or to stay in queue
   timeout client 30s
   timeout server 30s
   timeout http-keep-alive 1s      # max for the client to post next request
   timeout http-request 15s        # max for the client to send a request
   timeout queue 30s               # max queued on load balancer
   timeout check 60s               # timeout health check read
   backlog 1000                    # Size of SYN backlog queue
   source 0.0.0.0 usesrc clientip  # transparent proxy mode
   balance leastconn

frontend fe-esi
   bind-process 6
   bind ipv4@*:9200 transparent mss 1460
   default_backend be-esi

backend be-esi
   bind-process 6
   option httpchk GET /
   default-server inter 30s downinter 60s rise 2
   server i1 ipv4@es-i1:9200 check

Posts: 2

Participants: 2


How to perform connection authorization handshake?

@Skye wrote:

Hi everyone,

In HAProxy it’s easy to keep a TCP connection pool open (using max-conn), but what I’d like to do is to authenticate every new connection to the backend coming from HAProxy.

The authentication follows a custom binary protocol that performs a three-way handshake (three requests).

Health checks are able to describe such binary protocol request / response sequences using tcp-send and tcp-check but I couldn’t find a way to do this for regular connection openings.

Can anybody enlighten me?

Posts: 1

Participants: 1


Hitless operation with chroot

@bmf7777 wrote:

I have haproxy configured with chroot operation and all is well (HA-Proxy version 2.0.1-1ppa1~bionic 2019/06/27 - https://haproxy.org/) … I'm interested in adding hitless operation …

I've added the following to my cfg file (stats socket /var/run/haproxy.sock mode 600 expose-fd listeners level user) …

Do I need to specify or place (/var/run/haproxy.sock) in my chroot directory (/var/empty), or is my current configuration correct?

thanks in advance

global
	maxconn 100
	daemon
	tune.ssl.default-dh-param 2048
	chroot /var/empty
	user haproxy
	group haproxy
	stats socket /var/run/haproxy.sock mode 600 expose-fd listeners level user

Posts: 1

Participants: 1



HAproxy as reverse-proxy with 2 interfaces

@jeff wrote:

Hello,

I use HAProxy 1.8.8 as a reverse proxy in a product with Linux 4.14 from scratch.
HAProxy brings the SSL dimension, providing HTTPS, FTPS (implicit) and SMTPS (implicit) on top of HTTP, FTP and SMTP.
On this product there are 2 IP interfaces:

  • LAN eth0 IP: 192.68.1.150, GW: 192.68.1.21
  • WAN ppp0 (3G/4G modem) IP: 10.160.241.16, GW: 192.200.1.21

The system integrates a web server, and the ability to send mails.

As a server, everything works perfectly, on the LAN and the WAN.
As a client, everything works perfectly on the LAN.
The problem occurs in client mode via the WAN, for example for SMTP.

Here are my routing rules:

iproute list table modem3G

default via 192.200.1.21 dev ppp0
10.160.241.16 dev ppp0 src 10.160.241.16

iproute list table main

default via 192.68.1.20 dev eth0
192.68.1.0/24 dev eth0 src 192.68.1.150
192.200.1.21 dev ppp0 src 10.160.241.16

Here is the configuration passed to HAProxy:
frontend frt3078899856
mode tcp
bind 127.0.0.1:2525
default_backend bck3078899856

backend bck3078899856
mode tcp
server srv3078899856 smtp.orange.fr:465 ssl verify none

The SMTP connection uses the address 127.0.0.1:2525 (HAProxy) as the recipient.
Without HAProxy, the connection works.

After many hours of research and testing, here is my question:
- How can HAProxy know to use the WAN gateway?

Last point: if I add the following command, it works:
#route add default ppp0
But I don't think that is the solution, because it will hide the LAN gateway.

Thank you for your help

Posts: 1

Participants: 1


Configuration and conditionals

@LynxNot wrote:

Hi everyone,

I have a simple question about conditionals in config file.

In the following snippet, is there a way to write the “http-request set-header” logic in a single statement, I mean without using two different frontends?

frontend web-front
bind 10.102.4.253:80
bind 10.102.4.253:443 ssl crt cert.pem alpn h2,http/1.1

http-request set-header X-Forwarded-Proto http  if !{ ssl_fc }
http-request set-header X-Forwarded-Proto https if  { ssl_fc }

default_backend web-back

Thanks,
BR

Posts: 1

Participants: 1


Haproxy keeps dropping connections

@mysticalunicorn wrote:

I'm using haproxy 1.9 in a docker container in AWS. For some reason it runs for a bit, then drops connections. One weird thing I noticed is that when I run a netstat command I see it listening on the right ports, 443 and 8080, because I'm binding to them in my config file.
In the past I ran it not in docker and it has always worked fine.

When I run netstat it's like this:

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::8080 :::* LISTEN -
tcp6 0 0 :::443 :::* LISTEN -
tcp6 0 0 :::5666 :::* LISTEN -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
udp 0 0 127.0.0.1:323 0.0.0.0:* -
udp6 0 0 ::1:323 :::* -

I don't know why it's :::443 and :::8080; it has always been 0.0.0.0:443 and 0.0.0.0:8080.
Maybe it's only binding to tcp6 and not tcp4.

I'm binding the same way I have done in the past and it's always been fine.

frontend blablabla
bind *:443

The only change has been docker.

Any ideas?

Posts: 1

Participants: 1


X-Frame-Options in haproxy

@Giant wrote:

Hi
We use haproxy version 1.8.16 for our sites. One week ago we saw that one site is using our site by means of an iframe tag in its site; I think this is a kind of clickjacking. We could stop them with the below command in our front end:
rspadd X-Frame-Options:\ SAMEORIGIN
This worked very well and stopped them,
but we need to exempt some sites from this. I have found nothing about this issue on the internet for haproxy.
Thanks for your help

Posts: 1

Participants: 1

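An exception list cannot be expressed with X-Frame-Options, whose only portable values are DENY and SAMEORIGIN (ALLOW-FROM took a single origin and is no longer honoured by current browsers); the CSP frame-ancestors directive is the standard way to allow a named set of framing sites. The helper below is an added example, not code from the post or from HAProxy: it builds that header pair and checks a response's headers against a would-be framing origin, using constructed placeholder origins.

```python
"""Frame-embedding policy helper (added example, not from the original post).

frame-ancestors takes precedence over X-Frame-Options in browsers that
implement CSP Level 2, so X-Frame-Options SAMEORIGIN can stay as a fallback
while the exception list lives in the CSP header. All origins are constructed
placeholders.
"""
import fnmatch
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Normalise an absolute URL or origin to 'scheme://host[:port]'."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute origin: {url!r}")
    scheme, host = parts.scheme.lower(), parts.hostname.lower()
    port = parts.port
    suffix = "" if port in (None, DEFAULT_PORTS.get(scheme)) else f":{port}"
    return f"{scheme}://{host}{suffix}"


def build_frame_headers(allowed_origins=()):
    """Headers for 'same origin plus these partner origins may frame us'."""
    sources = ["'self'"] + [origin_of(o) for o in allowed_origins]
    return {
        "Content-Security-Policy": "frame-ancestors " + " ".join(sources),
        "X-Frame-Options": "SAMEORIGIN",   # fallback for browsers without CSP
    }


def _source_matches(source, site, ancestor):
    """Does one frame-ancestors source expression match the ancestor origin?"""
    if source == "'none'":
        return False
    if source == "'self'":
        return ancestor == site
    scheme, host = ancestor.split("://", 1)
    if "://" in source:                       # scheme-qualified host-source
        src_scheme, _, src_host = source.partition("://")
        if src_scheme.lower() != scheme:
            return False
    else:                                     # bare host (simplification: any scheme)
        src_host = source
    # CSP's leading '*.' matches any subdomain depth; fnmatch has the same shape.
    return fnmatch.fnmatchcase(host, src_host.lower())


def framing_allowed(headers, site_origin, ancestor_origin):
    """May a page of site_origin served with these headers be framed by
    ancestor_origin? frame-ancestors wins when present, then X-Frame-Options;
    with neither header any site may frame the page."""
    site, ancestor = origin_of(site_origin), origin_of(ancestor_origin)
    lowered = {k.lower(): v for k, v in headers.items()}
    for directive in lowered.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            # An empty source list is equivalent to 'none'.
            return any(_source_matches(s, site, ancestor) for s in value.split())
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return ancestor == site
    return True


if __name__ == "__main__":
    hdrs = build_frame_headers(["https://partner.example"])
    for k, v in hdrs.items():
        print(f"{k}: {v}")
    for who in ("https://www.example", "https://partner.example", "https://evil.example"):
        print(who, "->", framing_allowed(hdrs, "https://www.example", who))
```

In HAProxy 1.8 the two headers map to `http-response set-header Content-Security-Policy "..."` and `http-response set-header X-Frame-Options SAMEORIGIN`, which replace the `rspadd` form shown in the post.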
