Channel: HAProxy community - Latest topics

HAProxy on PFSense - 503 Service Unavailable / No server is available to handle this request


@Noperson25 wrote:

I just can’t figure it out!

I want to listen on port 443 (frontend), use SSL offloading, and use a backend server that is outside of our LAN (on the Internet), connecting to it on port 443 with an SSL connection as well.

But whatever I try I am getting “503 Service Unavailable”.
Btw, I test by accessing the IP, not the hostname.

This is my haproxy.cfg

# Automaticaly generated, dont edit manually.
# Generated on: 2019-07-17 15:30

global
maxconn 10000
stats socket /tmp/haproxy.socket level admin
uid 80
gid 80
nbproc 1
hard-stop-after 15m
chroot /tmp/haproxy_chroot
daemon
tune.ssl.default-dh-param 2048
server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
bind 127.0.0.1:2200 name localstats
mode http
stats enable
stats admin if TRUE
stats show-legends
stats uri /haproxy/haproxy_stats.php?haproxystats=1
timeout client 5000
timeout connect 5000
timeout server 5000

resolvers globalresolvers
nameserver Google 8.8.8.8:53
resolve_retries 3
timeout retry 1s
hold valid 10s

frontend WAN_HTTPS
bind 94.100.100.135:443 name 94.100.100.135:443 ssl crt-list /var/etc/haproxy/WAN_HTTPS.crt_list
mode http
log global
option http-keep-alive
timeout client 30000
acl aclcrt_WAN_HTTPS var(txn.txnhost) -m reg -i ^seznam.cz.cz(:([0-9]){1,5})?
acl aclcrt_WAN_HTTPS var(txn.txnhost) -m reg -i ^www\.seznam\.cz(:([0-9]){1,5})?
http-request set-var(txn.txnhost) hdr(host)
use_backend Proxy-old_ipvANY if aclcrt_WAN_HTTPS

backend Proxy-old_ipvANY
mode http
id 103
log global
timeout connect 30000
timeout server 30000
retries 3
option httpchk OPTIONS /
server SERVER1 77.75.74.172:443 id 105 ssl check inter 1000 weight 1 verify none resolvers globalresolvers

Posts: 1

Participants: 1

Read full topic
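Added example, not from the original post or from pfSense’s generated configuration: a "503 Service Unavailable / No server is available" from HAProxy means every server in the selected backend is marked down by its health check, so the check definition is the first thing to inspect. The backend below sends a check the origin can actually answer (with a Host header, accepting any 2xx/3xx rather than requiring `OPTIONS /` to return 200) and, because the HAProxy-to-origin leg crosses the Internet, verifies the origin certificate instead of using `verify none`. The hostname `www.example.com`, the CA bundle path and the server name are assumptions.

```haproxy
backend Proxy-old_ipvANY
    mode http
    timeout connect 30000
    timeout server 30000
    retries 3
    # Health check with a Host header; accept any 2xx/3xx instead of
    # requiring OPTIONS / to return 200 (many origins answer 4xx to that).
    option httpchk GET / HTTP/1.1\r\nHost:\ www.example.com
    http-check expect rstatus ^[23][0-9][0-9]
    # verify required + ca-file: validate the origin certificate against the
    # system CA bundle (assumed path); verifyhost: require the name to match.
    # sni req.hdr(host): send the client's Host as SNI on normal traffic;
    # check-sni: send a fixed SNI on health checks so the origin can pick
    # the right certificate for the check as well.
    server SERVER1 www.example.com:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt verifyhost www.example.com sni req.hdr(host) check check-sni www.example.com inter 1000 resolvers globalresolvers
```

Run `haproxy -c -f <config>` after editing, then watch the stats page: a server that flips to UP confirms the check was the problem, while a server that stays DOWN with an SSL handshake error usually means the CA bundle does not contain the origin’s issuer.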


Styling fails when proxying with path


@john wrote:

I’m trying to document the correct way to proxy to netdata with haproxy, on 127.0.0.1:19999. The problem I’m having is that the styling fails, but only when running with a path. I assume I have to do something to rewrite the path; I’m not sure how to translate the known working configuration from nginx to haproxy.

The accepted nginx configuration is:

upstream netdata {
    # the Netdata server
    server 127.0.0.1:19999;
    keepalive 64;
}

server {
    listen 81;
    # the virtual host name of this subfolder should be exposed
    server_name netdata.domain.tld;

    location = /netdata {
        return 301 /netdata/;
    }

    location ~ /netdata/(?<ndpath>.*) {
        proxy_redirect off;
        proxy_set_header Host $host;

        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass_request_headers on;
        proxy_http_version 1.1;
        proxy_set_header Connection "keep-alive";
        proxy_store off;
        proxy_pass http://netdata/$ndpath$is_args$args;
    }
}

The configuration I’ve tried using is:

frontend http_frontend
    ## HTTP ipv4 and ipv6 on all ips ##
    bind :::80 v4v6
    # URL begins with /netdata
    acl is_netdata url_beg  /netdata
    ## Backends ##
    use_backend     netdata_backend       if is_netdata
    # Other requests go here (optional)
    default_backend www_backend

backend netdata_backend
    option forwardfor
    server      netdata_local     127.0.0.1:19999
    http-request set-header Host %[src]
    http-request set-header X-Forwarded-For %[src]
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request set-header Connection "keep-alive"

I tried using a rewrite to remove the sub path but wasn’t able to get it to work. Is there an equivalent configuration I should be using to the nginx configuration to get the styling working?

Posts: 1

Participants: 1

Read full topic
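Added example, not the original poster’s configuration and not netdata’s own: the HAProxy equivalent of the nginx `location` blocks above. What makes the nginx version work is `proxy_pass http://netdata/$ndpath`, which strips the `/netdata/` prefix before forwarding, so the dashboard’s relative asset paths resolve on the backend; `regsub` does the same here. Note also that the posted backend’s `http-request set-header Host %[src]` replaces the Host header with the client’s IP address, so this version leaves Host alone and forwards the original host in `X-Forwarded-Host` instead. The `www_backend` name is assumed to exist elsewhere in the file.

```haproxy
frontend http_frontend
    bind :::80 v4v6
    acl is_netdata path_beg /netdata
    # nginx: location = /netdata { return 301 /netdata/; }
    http-request redirect location /netdata/ code 301 if { path -m str /netdata }
    use_backend netdata_backend if is_netdata
    default_backend www_backend

backend netdata_backend
    option forwardfor
    # nginx: proxy_pass http://netdata/$ndpath$is_args$args
    # Strip the mount prefix so the backend sees /dashboard.css rather than
    # /netdata/dashboard.css; set-path leaves the query string untouched.
    http-request set-path %[path,regsub(^/netdata/,/)]
    # Pass the original host and port for the backend's own link generation;
    # option forwardfor already adds X-Forwarded-For.
    http-request set-header X-Forwarded-Host %[req.hdr(host)]
    http-request set-header X-Forwarded-Port %[dst_port]
    server netdata_local 127.0.0.1:19999
```

If the dashboard still emits absolute links without the `/netdata` prefix after this, the remaining fix is on the netdata side (its own base-path setting), not in the proxy.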

Hi, I’m sunidhi, there is a “Starting proxy firstbalance: cannot bind socket [0.0.0.0:80]” error showing


@sunidhi941 wrote:

Hi, my haproxy cannot bind.

The following is the message displayed:
Starting proxy firstbalance: cannot bind socket [global 0.0.0.0:80]
Please see my configuration file; this is how it looks:

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

Posts: 1

Participants: 1

Read full topic

How to re-write www.domain1.com to www.domain2.com


@seema wrote:

Hi,

We have a requirement to rewrite the domain name from www.domain1.com to www.domain2.com at the haproxy level.

I have tried various options that I found on the internet, but nothing seems to work.

Requesting input from anybody who has done this.

Best Regards,
Seema

Posts: 1

Participants: 1

Read full topic
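Added example, not from the original post: the two ways the request can be read, a visible redirect that moves clients to the new name, or a transparent rewrite of the Host header so only the application sees `www.domain2.com`. They are alternatives, not a pair: with both in one configuration the redirect fires first. The frontend, backend and server addresses are assumptions.

```haproxy
frontend fe_web
    bind :80
    acl old_name req.hdr(host),lower -m str www.domain1.com

    # Approach 1: permanent redirect to the new name. "prefix" keeps the
    # original path and query string, so /a/b?x=1 becomes
    # https://www.domain2.com/a/b?x=1.
    http-request redirect prefix https://www.domain2.com code 301 if old_name

    default_backend app

backend app
    # Approach 2 (instead of the redirect): rewrite only the Host header on
    # the way to the server. The client keeps www.domain1.com in its address
    # bar; the application sees www.domain2.com. ACLs declared in a frontend
    # are not visible in a backend, hence the anonymous ACL here.
    http-request set-header Host www.domain2.com if { req.hdr(host),lower -m str www.domain1.com }
    server app1 192.0.2.10:80 check
```

Approach 2 is the one that usually "does not work": the application then builds absolute links, redirects and cookies for `www.domain2.com`, which the browser (still on `www.domain1.com`) treats as a different origin. Unless those responses are rewritten back, the redirect approach is the safer choice.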

2.0.1 cpu Usage at near 100% after upgrade from 1.5


@rbrooker wrote:

I’m on a 2 core machine with 4 gigs of memory.
I have 11 different configs, each on its own systemd process to isolate services.
CPU never went above 30% on 1.5 (default available in the CentOS7 repo).
I built a 2.0.1 rpm and updated the systemd files with no changes to the configs; now on start the CPU spikes and stays there.

Should I be configuring things differently for 2.0.1? Or is this just a bug, and do I need to install another version/patch?

uname -a
Linux proxy0 3.10.0-957.1.3.el7.x86_64 #1 SMP Thu Nov 29 14:49:43 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

HA-Proxy version 2.0.1 2019/06/26 - https://haproxy.org/
Build options :
TARGET = linux-glibc
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wtype-limits
OPTIONS = USE_PCRE=1 USE_PCRE_JIT=1 USE_THREAD=1 USE_REGPARM=1 USE_LINUX_TPROXY=1 USE_OPENSSL=1 USE_ZLIB=1 USE_TFO=1 USE_NS=1 USE_SYSTEMD=1

Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER +PCRE +PCRE_JIT -PCRE2 -PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL -LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS

Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=2).
Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : yes
Encrypted password support via crypt(3): yes

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
h2 : mode=HTX side=FE|BE mux=H2
h2 : mode=HTTP side=FE mux=H2
<default> : mode=HTX side=FE|BE mux=H1
<default> : mode=TCP|HTTP side=FE|BE mux=PASS

Available services : none

Available filters :
[SPOE] spoe
[COMP] compression
[CACHE] cache
[TRACE] trace

Posts: 1

Participants: 1

Read full topic

Increased latency when migrating from 1.8 to 1.9 or 2.0


@uliromahn wrote:

Hello HAProxy Team!

We already reported this right after the release of 1.9, and my former colleague Ashwin N. had a longer communication with Willy about that.
We observed significantly increased latency introduced by HAProxy 1.9 once the requests-per-second (RPS) increases beyond 40-50RPS. After the release of 2.0 we were hoping that the issue may have been resolved, but unfortunately, it is still there. :cry:

Here is our observation:

  • we upgraded from 1.8.17 to 2.0.2
  • we did not change the config file
  • we started 2.0.2 using master/worker mode (-Ws and -S command line parameter)
  • we have typically between 8 and 10 backends but some backends can have 1000+ servers
  • we use HAProxy both as ingress as well as egress for our services, i.e. requests to the service will hit HAProxy on an HTTPS endpoint which will then connect to our service via localhost:8080. Requests to downstream services will be made to service.localhost:80 which HAProxy will then resolve via a host acl to the corresponding backend. Connections to backend servers are using HTTPS.
  • we are using roundrobin load balancing scheme

In our environment, we started observing significantly increased p99 latency with 1.9 and 2.0.2. Our service “normally” reports a p99 response time to a downstream service with 600ms. After the upgrade to HAProxy, this p99 latency went up to 1200ms (yes, 1.2 seconds!!). So, it appears that HAProxy 2.0.2 introduces extra latency of up to 600ms! The “average” processing time is measured as 55ms and with HAProxy 2.0.2 it went up to 68ms. So the average latency increase was 13ms!

Also, important to mention: we run about 80 instances of our service in parallel. To test HAProxy 2.0.2, we have deployed the new version to two instances and ran 2.0.2 and 1.8.17 in parallel so we could directly compare the metrics coming from both versions.

This latency increase cannot be seen in low RPS environments below about 40-50RPS and 1.8 and 1.9/2.0 seem to behave exactly the same.

This is a HUGE blocker for us to move from our current HAProxy 1.8.x to the latest since we need to take advantage of the newly introduced connection pooling to backend servers.

Again, Willy should already have enough details from our previous interaction. He mentioned he wanted to look into that and hopefully find a fix but we never heard back…

Any help would be greatly appreciated!

Thank you

P.S. I will be out of the country for one week starting tomorrow without internet connection. So, I will be unable to respond to questions before that.

Posts: 1

Participants: 1

Read full topic

SSL offloading not working for website that is reverting to HTTP


@tomwaller wrote:

Hi all.

I am using HAProxy to facilitate connections to various web management tools for various aspects of my network. I have a frontend listening on 443 which is doing SSL offloading and pushing connections through to various backends on 80/HTTP. I use certs on the frontend to present a secure connection.

This works well for every site, bar one (Zyxel NWA1123-AC access point). I can get to the logon page on HTTPS, which is presented with the valid cert from HAProxy, but as soon as I log in I get a 404 Not Found error from NGINX (from pfSense hosting the HAProxy package). The URL seems to be changing to HTTP, so it’s no wonder I’m getting this error, as I have no listener on that port. It looks like the Zyxel is actually trimming HTTPS from the URL, as it probably thinks the connection is plain HTTP because that is what is coming from HAProxy.

Does anyone have any suggestions as to what I can do to provide the access? I’ve got my config below. It’s the ap backend that is giving me grief!

Any help would be much appreciated!

global
	maxconn			10000
	stats socket /tmp/haproxy.socket level admin 
	uid			80
	gid			80
	nbproc			1
	hard-stop-after		15m
	chroot				/tmp/haproxy_chroot
	daemon
	tune.ssl.default-dh-param	2048
	server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
	bind 127.0.0.1:2200 name localstats
	mode http
	stats enable
	stats admin if TRUE
	stats show-legends
	stats uri /haproxy/haproxy_stats.php?haproxystats=1
	timeout client 5000
	timeout connect 5000
	timeout server 5000

frontend fe_mgt_443
	bind			10.1.0.1:443 name 10.1.0.1:443   ssl crt-list /var/etc/haproxy/fe_mgt_443.crt_list  
	mode			http
	log			global
	option			http-server-close
	timeout client		30000
	acl			ap	var(txn.txnhost) -m str -i ap.domain.com
	acl			switch	var(txn.txnhost) -m str -i switch.domain.com
	acl			sense	var(txn.txnhost) -m str -i sense.domain.com
	http-request set-var(txn.txnhost) hdr(host)
	use_backend ap_ipvANY  if  ap 
	use_backend switch_ipvANY  if  switch 
	use_backend sense_ipvANY  if  sense 

backend ap_ipvANY
	mode			http
	id			100
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk GET / 
	server			ap.domain.com 10.1.0.3:80 id 101 check inter 10000  

backend switch_ipvANY
	mode			http
	id			102
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	server			switch.domain.com 10.1.0.2:80 id 103 check inter 1000  

backend sense_ipvANY
	mode			http
	id			104
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk GET / 
	server			sense.domain.com 10.1.0.1:80 id 101 check inter 10000

Posts: 1

Participants: 1

Read full topic
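Added example, not from the original post: the device behind the `ap` backend sees a plain-HTTP connection and therefore answers the login with an `http://` redirect. Two things in the backend help. `X-Forwarded-Proto` tells an application that honours it which scheme the client used; the `Location` rewrite is the safety net for devices that ignore it, fixing the redirect before it reaches the browser. Only the two added lines are new; the rest is the poster’s backend.

```haproxy
backend ap_ipvANY
    mode http
    # Tell the device which scheme the client used. ssl_fc refers to the
    # frontend connection and is usable in backend rules.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    # Safety net for devices that ignore X-Forwarded-Proto: rewrite absolute
    # http:// Location headers in their redirects back to https://.
    http-response replace-header Location ^http://(.*)$ https://\1
    option httpchk GET /
    server ap.domain.com 10.1.0.3:80 id 101 check inter 10000
```

This only repairs redirects. If the device’s pages embed absolute `http://` links in HTML or JavaScript, those are not headers and HAProxy will not rewrite them; that has to be fixed in the device’s own "management URL"/"external address" setting, if it has one.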

How to capture req and response in MLB HAProxy


@sagar_haproxy wrote:

Hi,

Basically I’m trying to get a new log format, to achieve this I need to capture some values from front end http request and response.

  • For the log format I have added the HAPROXY_HEAD template to the Marathon config and it’s working fine
  • I’m not really sure how to add the below captures to the front end which is for port 80.

declare capture request len 24
http-request capture req.hdr(X-Request-Id) id 0

# Capture the user id from header for logging

declare capture request len 36
http-request capture req.hdr(VDSID) id 1

# Capture the ReqAppId from header for logging

declare capture request len 36
http-request capture req.hdr(ReqAppId) id 2

Note : HAPROXY is running in a container and new services always append to the Front end automatically.

When I tried to add the HAPROXY_HTTP_FRONTEND_HEAD and HAPROXY_FRONTEND_HEAD templates, it created another front end for port 80 and services were failing sometimes.

So I want a solution that will append the captures to the existing frontend marathon_http_in?

Thanks for your help.

Posts: 2

Participants: 2

Read full topic


Filter request based on client domain name


@reymonlu wrote:

Hi,
I want to know if it is possible to filter a request based on the client’s domain name.
For example, I have a web server behind my HAProxy and I want only people who are in the domain .domain.com (i.e. their machine names are registered like xxx.domain.com) to access it, and deny all other incoming requests.
I looked all over the internet only to find that you can filter by src IP but not by something like .domain.com…

Thanks for your help !

Posts: 1

Participants: 1

Read full topic
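Added example, not from the original post: HAProxy has no fetch that resolves the client’s address back to a name, and a reverse-DNS name would not be a trustworthy access signal anyway, because the PTR record is controlled by whoever owns the IP range. The two things it can do are shown below: an allow-list of source networks kept in a file, and, where "people in our domain" means "people we have issued certificates to", client-certificate authentication on the bind line. File paths, addresses and the backend are assumptions; the list contents are a constructed sample.

```haproxy
frontend fe_web
    bind :443 ssl crt /etc/haproxy/certs/site.pem

    # Match on the source address. One address or CIDR per line in the file,
    # so it can be updated without editing the configuration:
    #   /etc/haproxy/allowed_networks.lst (constructed sample contents)
    #   192.0.2.0/24
    #   198.51.100.17
    acl trusted_src src -f /etc/haproxy/allowed_networks.lst
    http-request deny deny_status 403 unless trusted_src
    default_backend web

# Stronger alternative: identify the person, not the network. Only clients
# presenting a certificate signed by the corporate CA (assumed path) can
# complete the TLS handshake at all.
frontend fe_web_mtls
    bind :8443 ssl crt /etc/haproxy/certs/site.pem ca-file /etc/haproxy/corp-ca.pem verify required
    default_backend web

backend web
    server web1 192.0.2.50:8080 check
```

The `src` ACL sees the address HAProxy accepted the connection from; behind another proxy or NAT that is the proxy’s address, not the user’s, so the list has to be built from the addresses the users actually arrive with.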

EXCLUDE from HSTS


@jottschi wrote:

Hi Readers,
I’m trying to provide a CRL with haproxy. CRLs are distributed via HTTP.

So my approach:

frontend my-http
  acl is_CRL-h path_beg -i /pki
  use_backend server_CR if is_CRL-h
  # all others via https:
  http-request redirect scheme https if ! is_CRL-h

backend server_CR
  mode http
  server myCA 10.123.4.56:80 nocheck

… But it does not work; the “redirect if not CRL” seems to be ignored… :frowning:

Posts: 1

Participants: 1

Read full topic

HAProxy, K8S and server_template, unstable/fluctuating server list?


@ngrigoriev wrote:

Hi,

I am trying to implement some cookie-based session stickiness with HAProxy inside of K8S cluster. I am using 2.0.2-alpine image.

backend dummy-api
  mode http
  option log-health-checks
  option httpchk GET /isalive
  dynamic-cookie-key XXXXX
  cookie SESSION_COOKIE rewrite nocache dynamic
  balance roundrobin
  option httpclose
  server-template srv-ns 8 _http-api-port._tcp.dummy-api-service.default.svc.cluster.local resolvers k8s check check inter 10s downinter 20s fastinter 5s resolve-opts allow-dup-ip

I am observing really odd behavior from HAProxy - it constantly reevaluates the state of this backend and brings the servers up and down every couple of seconds. No server stays around for more than 1-2 minutes. Not to mention that I have 8 pods (all alive and well) and HAProxy sees only 5 or 6 out of them. I see the following pattern in the debug logs:

srv-ns3 changed its FQDN from (null) to api-4.dummy-api-service.default.svc.cluster.local by 'SRV record'
srv-ns4 changed its FQDN from (null) to api-4.dummy-api-service.default.svc.cluster.local by 'SRV record'
srv-ns3 is going DOWN for maintenance (No IP for server ). 5 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
....
srv-ns3 changed its IP from 10.1.1.108 to 10.1.1.109 by DNS cache.
Server dummy-api-service-nosession/srv-ns3 ('api-4.dummy-api-service.default.svc.cluster.local') is UP/READY (resolves again).
Server dummy-api-service-nosession/srv-ns3 administratively READY thanks to valid DNS answer.
dummy-api-service-nosession/srv-ns3 changed its IP from 10.1.1.108 to 10.1.1.109 by DNS cache.
...

I can assure you that the pods themselves are alive and well. In fact, I have attempted an alternative configuration using just 8 “server” lines - all 8 are green 100% and never go down.

There is something odd about it. I have noticed that the order of the SRV records constantly changes in K8S - but this is expected, the order is not guaranteed in DNS anyway.

P.S. I attempted the same configuration with version 1.9 - same result. When using server-template, the list of available servers constantly changes; they go up and down and some of them never get to the UP state.

Posts: 1

Participants: 1

Read full topic

HAProxy connection pooling & timeouts


@Exocomp wrote:

After looking through the documentation and testing, I’m confused about how HAProxy is supposed to work and need some help. I will describe the issue as simply as possible:

haproxy -v
HA-Proxy version 2.0.2 2019/07/16 - https://haproxy.org/

This article https://www.haproxy.com/blog/haproxy-1-9-has-arrived/#connection-management states the following:

In addition, HAProxy now provides connection pooling. Idle connections between HAProxy and the server are no longer closed immediately if the frontend connection vanishes.

In testing (using http-reuse always) and HTTP/1.1 I find that HAProxy keeps “IDLE” connections in the connection pool only for the timeout configured for “timeout client”. After the “timeout client” HAProxy waits 5 more seconds and then closes the connection with the backend server.

Questions

  • Is the above analysis correct and that is how HAProxy connection pooling works using “http-reuse always” and HTTP/1.1?
  • Is it possible to specify a timeout other than “timeout client” that controls how long “IDLE” connections are kept in the connection pool?

I specifically called out “timeout client” because using the following configuration only it kept the connection to the backend server alive for the specified duration.

global
        user haproxy
        group haproxy
        daemon
        nbproc 1
defaults
        mode http
        timeout connect 5s
        timeout client 20s
        timeout server 35s
        timeout http-request 50s
        timeout http-keep-alive 300s

frontend myfrontend
        bind 192.168.1.20:80
        default_backend mybackend

backend mybackend
        http-reuse always
        server Server1 192.168.1.30:5003

Using the above configuration, use a client that makes an HTTP/1.1 call and keeps the connection “IDLE”, and you will find that HAProxy closes the connection after “25 seconds”.

Posts: 1

Participants: 1

Read full topic

HAProxy Server-Sent-Events timeout configuration


@bliminse wrote:

Can someone please clarify which timeouts have to be configured for Server-Sent-Events to work?

There is no explicit reference to SSE in the documentation, and after implementing multiple recommendations, e.g., “How can I configure HAProxy to work with server sent events?”, it appears that the settings timeout tunnel, server-fin and client-fin that people suggest have no impact whatsoever.

Timeout client and timeout server let SSE work when their value, e.g., 60 seconds, is higher than the heartbeat frequency, e.g., 45 seconds, at which the backend server produces a CommentEvent in case that no data exists to be sent to the client.

However, Server-Sent-Events won’t work if, e.g., I send ping events every 60 seconds, but the timeout client and timeout server are 45 seconds (regardless of the values of timeout tunnel, timeout server-fin, timeout client-fin).
I was expecting the timeout tunnel (or something similar) to work for SSE and bypass client and server timeout like it’s supposed to do for Websockets, but it looks like timeout client and timeout server are the only settings that work…

Is this the intended behaviour? What’s the recommended configuration if I want to have high event update intervals for Server-Sent-Events, e.g., send a ping event only every 5 minutes if no data is available, ideally whilst maintaining lower timeouts for everything else?

I’ve pasted configuration below. The behaviour is exactly the same whether I use haproxy 1.9.8 or 2.0.2, HTTP/2 or not, etc.

Thanks in advance!

global
    daemon
    log stdout local0

    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
    ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    
    ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
    ssl-default-server-ciphersuites TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

    ssl-dh-param-file /etc/haproxy/dhparam.pem

defaults
    log global
    mode http

    option httplog
    option http-server-close
    option http-use-htx

    timeout connect 3s
    # Only when I increase these 2 from 5s to n minutes it works (but it affects other requests than SSE as the sse backend also handles POST/PUT/DELETE requests that have nothing to do with Server-Sent-Events and for which I'd like to maintain the lower 5 secs timeouts)
    timeout client 5s
    timeout server 5s
    # These below don't do anything for SSEs?
    timeout client-fin 10m
    timeout server-fin 10m
    timeout tunnel 10m


frontend https-in
    bind :443 ssl crt /somedir/server.pem alpn h2,http/1.1
    
    bind :80
    redirect scheme https if !{ ssl_fc }
    
    acl sse_url path /sse
    use_backend sse if sse_url

    default_backend otherstuff


backend otherstuff
    server other1 some-ip:3000 check ssl verify none

backend sse
    server sse1 some-ip:3001 check ssl verify none

Posts: 1

Participants: 1

Read full topic

Rules processing order


@KenynMacCormik wrote:

Greetings,

I’m using the following configuration of HAProxy:

[root@haproxy1 ~]# haproxy -v
HA-Proxy version 1.8.20 2019/04/25
Copyright 2000-2019 Willy Tarreau <willy@haproxy.org>

defaults
        log     global
        mode    http

        option  httplog
        option  redispatch
        option  http-keep-alive
        option  forwardfor      except 127.0.0.0/8
        option  log-health-checks
        #option dontlognull
        #option dontlog-normal

        no option httpclose

        retries 3
        backlog 10000
        balance leastconn

        timeout connect         30s
        timeout http-keep-alive 15s
        timeout http-request    15s
        timeout queue           30s
        timeout tarpit          1m

        timeout client          30s
        timeout server          30s

        default-server inter 5s rise 2 fall 3

        stats   enable
        stats   refresh 30s
        stats   show-node
        stats   auth    %commented%
        stats   uri     %commented%
frontend web_frt
        bind 192.168.60.7:443 ssl crt-list /etc/haproxy/cer.list
        bind 192.168.60.7:80

        acl     not_https       ssl_fc,not
        acl     is_ca_web       hdr(host)       -m str -i ca.crpt.ru
        acl     is_portal       hdr(host)       -m str -i portal.crpt.ru
        acl     is_autodiscover hdr(host)       -m str -i autodiscover.crpt.ru
        acl     is_rpc          path_beg        -m beg -i /rpc/
        acl     is_owa          path_beg        -m beg -i /owa/
        acl     is_ews          path_beg        -m beg -i /ews/
        acl     is_oab          path_beg        -m beg -i /oab/
        acl     is_eas          path_beg        -m beg -i /eas/
        acl     is_mapi         path_beg        -m beg -i /mapi/
        acl     is_ecp          path_beg        -m beg -i /ecp/
        acl     is_healthcheck  path_beg        -m end -i healthcheck.htm

        use_backend     ca_web                          if is_ca_web

        http-request    deny                            if is_ecp
        http-request    deny                            if is_healthcheck
        #http-request   redirect scheme https code 301  if not_https

        use_backend     autodiscover_bck                if is_autodiscover
        use_backend     rpc_bck                         if is_rpc
        use_backend     owa_bck                         if is_owa
        use_backend     ews_bck                         if is_ews
        use_backend     oab_bck                         if is_oab
        use_backend     eas_bck                         if is_eas
        use_backend     mapi_bck                        if is_mapi
        use_backend     portal_bck                      if is_portal

        default_backend owa_bck

With this configuration I get my ca_web backend working on http. My real goal is to force all backends, except for ca_web, to work with https. If I uncomment the http-request redirect scheme rule, I get https redirection for the ca_web backend too, which is not acceptable. Is there any way to exclude the ca_web backend from https redirection?

Posts: 2

Participants: 1

Read full topic
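Added example, not from either original post, serving both this question and the earlier "EXCLUDE from HSTS" one (the CRL under `/pki`): in HAProxy, several ACL names on one condition are ANDed, so the exemption is simply extra negated terms on the redirect rule. It also shows why the CRL post’s ordering did not help: `http-request` rules are always evaluated before `use_backend`, whatever their order in the file, so routing a request to a backend first does not exempt it from a later redirect. Only the redirect line and the `is_crl` ACL are new; the rest is trimmed from the poster’s frontend, with the other `use_backend` lines omitted for brevity.

```haproxy
frontend web_frt
    bind 192.168.60.7:443 ssl crt-list /etc/haproxy/cer.list
    bind 192.168.60.7:80

    acl not_https  ssl_fc,not
    acl is_ca_web  hdr(host)  -m str -i ca.crpt.ru
    acl is_crl     path_beg   -m beg -i /pki

    # Terms on one condition are ANDed: fire only when the request is plain
    # HTTP AND is not for the CA host AND is not for the CRL path.
    http-request redirect scheme https code 301 if not_https !is_ca_web !is_crl

    use_backend ca_web if is_ca_web
    default_backend owa_bck
```

One caveat for the CRL case: HSTS is a per-host policy. A browser that has once received `Strict-Transport-Security` for a host will upgrade every URL on that host to HTTPS before the request leaves the browser, so no path can be excluded from it on the proxy side; a CRL meant to be fetched over plain HTTP belongs on a hostname that never sends that header.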

Haproxy stats cur session always high


@arlinux wrote:

Hello,
Attached my stats page screenshot

My setup is like webrequest lands on haproxy and it forwards to Apache webserver.

Here are my question / clarifications needed:

Under “session rate” - Cur - 13 - Does it mean 13 web requests are being processed?
If you see under “sessions” - Cur - 250 Max 250 Limit 250 - What does it mean?
I observed that most of the time the “sessions” - Cur value stays above 200.

“sessions” - Cur - 250 Max 250 Limit 250 - Does it mean there is no more room left to process requests? What options do I need to look into to make some room here?

Can someone please guide?
Thank You

Posts: 1

Participants: 1

Read full topic
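Added example, not from the original post: the "Limit" column on the stats page is the `maxconn` that applies to that row, and "Cur" equal to "Limit" means that ceiling is being hit. Where the ceiling sits matters for what happens to the excess: at a frontend, new connections are left in the kernel backlog until a slot frees; at a server, requests queue inside HAProxy (visible in the Queue columns) instead of piling onto the web server. The configuration below sets all three levels explicitly; every value and address is an assumption to be sized for the real environment.

```haproxy
global
    # Process-wide ceiling on concurrent connections. HAProxy derives the
    # file-descriptor limit it needs from this value.
    maxconn 4000

defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend www
    bind :80
    # Per-frontend ceiling (the "Limit" on the frontend row). When Cur reaches
    # it, HAProxy stops accepting; clients wait in the kernel backlog.
    maxconn 3000
    default_backend apache

backend apache
    # Per-server ceiling. Beyond it, requests queue in HAProxy (Queue/Cur)
    # rather than exhausting Apache's worker pool; "Limit" on the server row.
    server web1 192.0.2.11:80 maxconn 150 check
    server web2 192.0.2.12:80 maxconn 150 check
```

Raising a limit is only the right answer when the resources behind it have headroom. A "sessions Cur" that sits at the limit while "session rate Cur" is low usually means connections are being held open (keep-alive idle time, or slow backend responses) rather than that requests are arriving faster than they can be served, and the timeouts are then the knob to look at first.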


Haproxy Scan Response Body


@ared wrote:

Hi ,
I am trying to scan the response body which we get from the server and match it with a regex before forwarding it to the client.
Is there any way we could grab the response body with res.payload()?
I’m having a hard time forming an acl to match the response body with a regex.

The idea is to match the response body with a regex; if a match occurs, I need to set the response status code and send an error message.

Any ideas and thoughts on this ?
Thank you.

Posts: 1

Participants: 1

Read full topic
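Added example, not from the original post: response-body inspection needs the body to be buffered first, otherwise `res.body` only contains whatever has arrived when the rule runs. The `http-response wait-for-body` action that does this buffering exists from HAProxy 2.2 on, so this example assumes 2.2 or later (the poster’s version is not stated). The use case shown is the defensive one this question usually comes from: stopping a backend from leaking stack traces or database error strings to clients. The patterns, status and server are constructed.

```haproxy
backend app
    mode http
    # Hold the response for at most 500 ms, or until 16 kB of body is
    # buffered, so res.body has something to inspect (HAProxy 2.2+).
    http-response wait-for-body time 500ms at-least 16k

    # Constructed detector: Python tracebacks, Oracle error codes and PHP PDO
    # SQLSTATE messages. Spaces and parentheses are escaped for the config
    # parser; -i makes the regex case-insensitive.
    acl leaks_internal res.body -m reg -i (Traceback\ \(most\ recent\ call\ last\)|ORA-[0-9]{5}|SQLSTATE\[)

    # Replace the leaking response with a generic 500 for the client.
    http-response deny deny_status 500 if leaks_internal

    server app1 192.0.2.31:8080 check
```

Two limits to keep in mind: only the buffered prefix is inspected, so a string beyond the `at-least` size is not seen, and buffering adds latency to every response on that backend, which is why the check belongs on the specific backend that needs it rather than in `defaults`. A denied response is also worth logging (`option httplog` records the final status), so the leak can be fixed at the source.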

LDAP option ldap-check with Microsoft Active Directory


@KillerDAN wrote:

Hello,

I’ve been trying to use option ldap-check against the Microsoft Active Directory LDAP service without success.

Microsoft LDAP is v2 and v3; v3 should be the requirement for this option.

Is there a limitation by design and/or in configuration on the Microsoft side? How do I properly set it up?

Thanks in advance,

Daniel

Posts: 1

Participants: 1

Read full topic

Accessing Client IP in Backend Server in SSLPassthrough mode


@sisir.ghosh wrote:

Dear Team,

We have a HAProxy server acting as a loadbalancer for our website.
The loadbalancer sends the client request to 3 backend servers which are running Apache 2.2. SSL is configured in all the 3 Apache servers. HAProxy acts as a loadbalancer in SSLPassthrough mode.

Now we want to capture the Client IP in the backend apache servers.
Is it possible in passthrough mode, if so how?

Thanks & regards,
Sisir

Posts: 1

Participants: 1

Read full topic
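Added example, not from the original post: in passthrough mode HAProxy never opens the TLS stream, so it cannot insert an `X-Forwarded-For` header. The standard way to carry the client address anyway is the PROXY protocol, a small plaintext header HAProxy prepends to each server connection before the TLS bytes. The server must be configured to expect it, otherwise every connection breaks at the handshake. Apache reads it with `mod_remoteip` (`RemoteIPProxyProtocol On`) from 2.4.31 onward; Apache 2.2 cannot consume it, which leaves transparent proxying (`source 0.0.0.0 usesrc clientip`, requiring a TPROXY-capable kernel and routing that sends the servers’ return traffic back through HAProxy) as the only option for that version. Frontend and backend names and server addresses are assumptions.

```haproxy
frontend fe_tls_passthrough
    mode tcp
    bind :443
    # Wait (up to 5 s) for the TLS ClientHello before routing, so SNI is
    # available to ACLs if per-site routing is ever needed.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    default_backend be_apache_tls

backend be_apache_tls
    mode tcp
    balance roundrobin
    # send-proxy: prepend a PROXY protocol v1 line ("PROXY TCP4 <client-ip>
    # <dest-ip> <client-port> <dest-port>") to every server connection.
    # Health checks send it too when the server has send-proxy set.
    server web1 192.0.2.21:443 check send-proxy
    server web2 192.0.2.22:443 check send-proxy
    server web3 192.0.2.23:443 check send-proxy
```

Because the PROXY header is trusted by the receiving server as the truth about the client, the servers should accept it only from HAProxy’s address (Apache: `RemoteIPProxyProtocolExceptions` and network filtering); a server that accepts PROXY headers from anyone lets any connecting host claim any source address in its logs and access rules.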

Building ACLs using others ACLs


@GrzegorzWiktorowski wrote:

Is it possible to create a new ACL using other ACLs? For example:

acl is_site1 path_dir /site1
acl is_site2 path_dir /site2

The third ACL would take the value in pseudocode like NOT (is_site1 OR is_site2).

My attempts finished with “unknown fetch method” error.

I’ve never come across any example in HAProxy Configuration Manual how to fetch the value of ACLs.

Posts: 1

Participants: 1

Read full topic
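Added example, not from the original post: an ACL cannot reference another ACL as a fetch (hence the "unknown fetch method" error), but the combination the question describes is expressed where ACLs are used, in the condition, or by giving several `acl` lines the same name. The three `use_backend` lines below are equivalent and are shown together only for comparison; backend names are assumptions.

```haproxy
frontend www
    bind :80
    acl is_site1 path_dir /site1
    acl is_site2 path_dir /site2

    # Declaring the same name twice ORs the expressions: is_site is true
    # when either path matches.
    acl is_site path_dir /site1
    acl is_site path_dir /site2

    # NOT (is_site1 OR is_site2), three equivalent ways:
    #   - space-separated terms are ANDed, "!" negates one term
    #   - "unless" negates the whole condition, "||" is OR inside it
    #   - the combined ACL name
    use_backend other_bck if !is_site1 !is_site2
    use_backend other_bck unless is_site1 || is_site2
    use_backend other_bck if !is_site

    default_backend sites_bck
```

The same applies to `http-request deny`, `redirect` and every other rule taking a condition; anonymous ACLs (`if !{ path_dir /site1 } !{ path_dir /site2 }`) are a further option when the expression is used only once.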

About metrics resolution


@theonlydoo wrote:

Heyo,

based on https://www.haproxy.com/fr/blog/haproxy-exposes-a-prometheus-metrics-endpoint/

I added a stats frontend. It appeared to me that there was no documentation about this endpoint in here.

So, my question is: since the “old” metrics endpoints expose time metrics in milliseconds, why does this endpoint have “seconds” as its highest resolution?

e.g.

haproxy_backend_check_last_change_seconds
haproxy_backend_downtime_seconds_total
haproxy_backend_http_connect_time_average_seconds
haproxy_backend_http_queue_time_average_seconds
haproxy_backend_http_response_time_average_seconds
haproxy_backend_http_total_time_average_seconds
haproxy_backend_last_session_seconds
haproxy_process_start_time_seconds 
haproxy_server_check_last_change_seconds
haproxy_server_downtime_seconds_total
haproxy_server_http_connect_time_average_seconds
haproxy_server_http_queue_time_average_seconds
haproxy_server_http_response_time_average_seconds
haproxy_server_http_total_time_average_seconds
haproxy_server_last_session_seconds

Posts: 1

Participants: 1

Read full topic
