
1 Public IP 2 webservers ports 80/443 how to?


@dayfly wrote:

I am trying to set up haproxy with Ubuntu 18 but can't figure out how to set everything up.

I want to use 2 internal servers with 1 public IP; both servers use ports 80 and 443 and have their own subdomain.

Situation
1 Exchange 2016 server exchange.domain.com internal IP 192.168.1.10
1 Ubuntu nextcloud server nextcloud.domain.com internal IP 192.168.1.5
1 ubuntu server with HAProxy installed IP 192.168.1.2
1 Router IP 192.168.1.1

Both servers (Exchange and Nextcloud) have SSL certs that auto-renew from Let's Encrypt, and both servers need ports 80 and 443 open.

How can I set up HAProxy so that traffic for the Exchange server and the Nextcloud server is delivered to the correct Exchange and Nextcloud server?

Posts: 1

Participants: 1
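An added configuration sketch for the layout described in this post (editor's example, not the poster's config): hostnames and internal addresses come from the post (reading "exchage" as "exchange"); backend and ACL names, and the choice to pass TLS through untouched so each server keeps its own Let's Encrypt certificate, are assumptions.

```haproxy
# Port 80: plain HTTP, routed on the Host header. Let's Encrypt HTTP-01 renewals for
# both servers arrive here and are forwarded to whichever server owns the hostname.
frontend http_in
    bind *:80
    mode http
    acl host_exchange  req.hdr(host) -i exchange.domain.com
    acl host_nextcloud req.hdr(host) -i nextcloud.domain.com
    use_backend exchange_http  if host_exchange
    use_backend nextcloud_http if host_nextcloud
    # No default_backend: an unknown Host gets a 503 from HAProxy instead of a server.

backend exchange_http
    mode http
    server exchange 192.168.1.10:80 check

backend nextcloud_http
    mode http
    server nextcloud 192.168.1.5:80 check

# Port 443: TLS passthrough. HAProxy does not terminate TLS here, so the only routable
# information is the SNI name in the ClientHello. Hold the connection until the hello
# has arrived (at most 5s) before choosing a backend.
frontend https_in
    bind *:443
    mode tcp
    option tcplog
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl sni_exchange  req.ssl_sni -i exchange.domain.com
    acl sni_nextcloud req.ssl_sni -i nextcloud.domain.com
    use_backend exchange_https  if sni_exchange
    use_backend nextcloud_https if sni_nextcloud
    # No SNI match: the connection is dropped rather than guessed onto a server.

backend exchange_https
    mode tcp
    server exchange 192.168.1.10:443 check

backend nextcloud_https
    mode tcp
    server nextcloud 192.168.1.5:443 check
```

Because TLS is not terminated on 443, both servers see 192.168.1.2 as the client address and HAProxy cannot add X-Forwarded-For there; the router must forward ports 80 and 443 to 192.168.1.2.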



Using backup but I want disable persistence on failback


@rbrooker wrote:

Hello

I’m looking to use Haproxy backup on a series of RabbitMQ clusters, I have it working, all except for when the primary cluster returns… On failback the connections still on the backup cluster persist (causing a split brain).

Is there a way to force connections to close (on the backup) if there is a failback (to primary)?

Or even if there is a way to stop a failback (auto back to primary on recovery) occurring unless the service is restarted?

I've been through lots of docs, but all I can find is stuff saying, 'yes it will persist'. If I can't get this functionality the solution is a no go.

Thank you

Posts: 1

Participants: 1


AMQP Connections 1.8


@rbrooker wrote:


I'm starting a new thread, because I didn't want to hijack another where only a single part was relevant.
That one is here: 2.0.1 cpu Usage at near 100% after upgrade from 1.5

I ran into another issue with my amqp connections, such that <3k connections was/is causing a blockage, so bad that not even the stats page for that service configuration would load. I attached my config (I upped the maxconn and even added it to the backend server definitions).

I downgraded from 2.0.1 to 1.8 (based on https://www.softwarecollections.org/en/scls/rhscl/rh-haproxy18/)

Is there a known issue with AMQP and Haproxy?


global
    daemon
    user haproxy
    group haproxy

defaults
    mode http
    maxconn 15000
    timeout connect 5s
    timeout client  120s
    timeout server  120s

listen stats
    bind 10.9.52.16:1978
    stats enable
    stats realm Haproxy\ Statistics\ RabbitMQ
    stats uri /
    stats refresh 5s

# RabbitMQ

listen rabbit
    bind 10.9.52.16:5672 v4v6
    balance roundrobin
    mode tcp
    option tcp-check
    server rabbit-0  10.9.52.31:5672    check inter 2000 rise 2 fall 3 maxconn 5000
    server rabbit-1  10.9.52.32:5672    check inter 2000 rise 2 fall 3 maxconn 5000
    server rabbit-2  10.9.52.33:5672    check inter 2000 rise 2 fall 3 maxconn 5000

Posts: 1

Participants: 1


Backend connect latency spikes on backend queue


@mburisa wrote:

Hi, we’ve observed an increase in backend connect time on all backends under the same frontend as soon as one starts to queue.

Just wondering if this is an expected behaviour or our configuration would benefit from some meaningful tuning?
For this example, bck1 starts to queue up to 10k+ requests on traffic spikes, which is not an issue here, but we can see at the time that other backends like bck2 (no queue, same load as before) start to have larger backend connect times, which then has the repercussion of processing less traffic (waiting for requests). Latency can spike from a nominal 10ms up to 3s…

Some examples of the current configuration:
We are using [HAProxy version 1.8.12-8a200c7, released 2018/06/27]. Running on 1 process and thread.

pid = 14332 (process #1, nbproc = 1, nbthread = 1)
system limits: memmax = unlimited; ulimit-n = 200039
maxsock = 200039; maxconn = 100000; maxpipes = 0

The total number of connections established is way under the set limits (25k req at max) and the queue gets to 10-15k.

defaults
mode http
timeout client 10s
timeout server 1800s
timeout connect 10s
timeout queue 60s
timeout check 1s
load-server-state-from-file global
option forwardfor
no option forceclose
no option tcp-smart-accept
option http-no-delay
log global
log 127.0.0.1 len 5120 local0
option dontlognull
balance leastconn

frontend api
bind :80
bind :443 ssl crt ./
maxconn 100000
option http-buffer-request

backend bck1
fullconn 30000
option httpchk HEAD /rmi/status
http-check disable-on-404
server : check slowstart 20s maxconn 20

backend bck2
fullconn 30000
option httpchk HEAD /rmi/status
http-check disable-on-404
server : check slowstart 20s maxconn 500
server : check slowstart 20s maxconn 500
server : check slowstart 20s maxconn 500

Example of metrics from stress tests (no such huge spike as on production traffic but notable)


(Images: latency_50k_pause_150k, queue_50k_pause_150k)

CPU busy is 100% on queue load on the haproxy servers itself and memory load jumps by ~400MB but there is still room to spare on the instances.

Here are the metrics from the production traffic where you can clearly see in red when the queuing occurs, backend connect latency spikes on all backends. So is this an expected behavior or we can further tune the configuration to try and mitigate this? All of this traffic is http/https, haproxies are behind keepalived instances running least connection algorithm. Haven’t seen any difference using round-robin algo.
(Image: prod_traffic)

Thanks and any help appreciated!

Posts: 1

Participants: 1


X2go Balancing Config


@midas1989 wrote:

Hello, I have a question.
I have several terminal servers with x2go and one HAProxy to proxy the connection per FQDN to the right server, but I have problems with the config.

Can anyone help me with this (config example)?

Thank you and best regards

Posts: 1

Participants: 1


Haproxy logging - fetch ALL request headers (names and values)


@xychix wrote:

Hi all,

We've been using haproxy for a few years now and have developed a custom log format that works mostly for us. The biggest frustration at the moment is that we can't seem to get all request headers logged.

Often customers come to us through corporate proxy servers, from weird clients etc. All of these steps (might) set custom headers. We'd like to get them all in our logs.

Now we've got the following in our frontend:
http-request capture req.hdr(User-Agent) len 512
http-request capture req.hdr(X-Forwarded-For) len 512

and write the values to the log like: useragent:%[capture.req.hdr(1)]\ body:%[capture.req.hdr(0)]\ xforwardfor:%[capture.req.hdr(2)]\

But as said, I'd love to do something like:
http-request capture req.hdr_val(*) len 4192

and log %[capture.req.hdr_val*]

and receive: User-Agent:python-requests|Proxy-Server:bluecoat|X-Host:aap.localhost|origin-language:German

or whatever headers are there; the pipe symbol was the example separator. Any separator would work for me.

Is logging of ALL request headers + their values possible?

Posts: 1

Participants: 1
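An added frontend (editor's example, not the poster's config) showing how the whole request header block can be captured with the req.hdrs fetch and logged as one line; it assumes a release that has req.hdrs (present in 1.8), a local syslog on 127.0.0.1, and a constructed backend.

```haproxy
frontend fe_web
    bind *:80
    mode http
    # Slot 0: the complete request header block (every name and value, ending with the
    # empty line), stored up to 4096 bytes. Longer blocks are truncated, not dropped.
    # Note this also captures Cookie and Authorization values, so the log files need
    # the same access restrictions as the traffic itself.
    http-request capture req.hdrs len 4096
    # The default syslog line limit is 1024 bytes and anything beyond it is cut off,
    # so raise the limit to leave room for the capture.
    log 127.0.0.1 len 8192 local0
    # %hr prints every capture slot as {slot0|slot1|...} with non-printable bytes
    # hex-escaped, so the CR/LF between headers cannot break the log line apart.
    log-format "%ci:%cp [%t] %ft %b/%s %Tq/%Tw/%Tc/%Tr/%Tt %ST %B %tsc hdrs:%hr"
    default_backend app

backend app
    mode http
    server app1 127.0.0.1:8080 check   # constructed placeholder
```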


Usage of default-server


@GerMalaz wrote:

Hello!

This works:

server server1:3306 maxconn 65536 check inter 5000 rise 3 fall 3 weight 1 agent-send backend1\ server1\n agent-check agent-addr 127.0.0.1 agent-port 9200  agent-inter 15000

This does not:

default-server agent-check agent-addr 127.0.0.1 agent-port 9200 agent-inter 15000

server server1 server1:3306 maxconn 65536 check inter 5000 rise 3 fall 3 weight 1 agent-send server1\ server1\n

gerardo@lb1:~$ sudo haproxy -vv
HA-Proxy version 1.8.19-1 2019/02/12
Copyright 2000-2019 Willy Tarreau willy@haproxy.org

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -O2 -fdebug-prefix-map=/build/haproxy-1.8.19=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-format-truncation -Wno-null-dereference -Wno-unused-label
OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_SYSTEMD=1 USE_PCRE2=1 USE_PCRE2_JIT=1 USE_NS=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.1.1a 20 Nov 2018
Running on OpenSSL version : OpenSSL 1.1.1c 28 May 2019
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE2 version : 10.32 2018-09-10
PCRE2 library supports JIT : yes
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace

Help is appreciated.
Thanks,
Gerardo

Posts: 1

Participants: 1


302 redirect with keep-alive


@ajohnson1200 wrote:

hey everyone!

Trying to do something that I think should be simple but for whatever reason won’t work… End result I want: an HTTP request for:

http://example.com/foo/bar.jpg

should result in a 302 to

http://acme.com/foo/bar.jpg

but I want the original HTTP request to maintain its connection to example.com. My problem is that I see this:

HTTP/1.1 302 Found
Cache-Control: no-cache
Content-length: 0
Location: http://acme.com/foo/bar.jpg
Connection: close

when I want to see this:

HTTP/1.1 302 Found
Location: http://acme.com/foo/bar.jpg
Connection: keep-alive

I’ve tried every combination of adding “option http-keep-alive” to the defaults, frontend and backend sections. The syntax I’m using, inside of a backend config, looks like this:

http-request redirect location http://acme.com/foo/bar.jpg

Is there any way to configure haproxy to not close the original connection to example.com after doing a redirect to acme.com?

Posts: 2

Participants: 2



Acme Certificate Fails To Renew


@matellit wrote:

I have been unable to renew my acme letsencrypt certificates!

I am currently trying to renew the certificate for my four subdomains: organizr.mydomain.com, ombi.mydomain.com, tautulli.mydomain.com, & nextcloud.mydomain.com.


This is the error message that I receive when I “Issue/Renew” :

ACME-MYDOMAIN-COM-PROD
Renewing certificate 
account: ACME-MYDOMAIN-COM-PROD 
server: letsencrypt-production-2 


/usr/local/pkg/acme/acme.sh --issue -d 'organizr.mydomain.com' --standalone --listen-v4 --httpport '4001' -d 'nextcloud.mydomain.com' --standalone --listen-v4 --httpport '4001' -d 'tautulli.mydomain.com' --standalone --listen-v4 --httpport '4001' -d 'ombi.mydomain.com' --standalone --listen-v4 --httpport '4001' --home '/tmp/acme/ACME-MYDOMAIN-COM-PROD/' --accountconf '/tmp/acme/ACME-MYDOMAIN-COM-PROD/accountconf.conf' --force --reloadCmd '/tmp/acme/ACME-MYDOMAIN-COM-PROD/reloadcmd.sh' --log-level 3 --log '/tmp/acme/ACME-MYDOMAIN-COM-PROD/acme_issuecert.log'

Array
(
[path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[port] => 4001
[ipv6] => 
)
[Tue Aug 27 16:40:10 PDT 2019] Standalone mode.
[Tue Aug 27 16:40:10 PDT 2019] Standalone mode.
[Tue Aug 27 16:40:10 PDT 2019] Standalone mode.
[Tue Aug 27 16:40:10 PDT 2019] Standalone mode.
[Tue Aug 27 16:40:10 PDT 2019] Multi domain='DNS:organizr.mydomain.com,DNS:nextcloud.mydomain.com,DNS:tautulli.mydomain.com,DNS:ombi.mydomain.com'
[Tue Aug 27 16:40:10 PDT 2019] Getting domain auth token for each domain
[Tue Aug 27 16:40:12 PDT 2019] Getting webroot for domain='organizr.mydomain.com'
[Tue Aug 27 16:40:12 PDT 2019] Getting webroot for domain='nextcloud.mydomain.com'
[Tue Aug 27 16:40:12 PDT 2019] Getting webroot for domain='tautulli.mydomain.com'
[Tue Aug 27 16:40:12 PDT 2019] Getting webroot for domain='ombi.mydomain.com'
[Tue Aug 27 16:40:12 PDT 2019] Verifying: organizr.mydomain.com
[Tue Aug 27 16:40:12 PDT 2019] Standalone mode server
[Tue Aug 27 16:40:16 PDT 2019] organizr.mydomain.com:Verify error:Invalid response from https://organizr.mydomain.com/.well-known/acme-challenge/jU-F0nzq3xNYEOwmAYXUO8tLA5zNraKPLCQYXdeegfU [xxx.xxx.xxx.myip]: 
[Tue Aug 27 16:40:16 PDT 2019] Please check log file for more details: /tmp/acme/ACME-MYDOMAIN-COM-PROD/acme_issuecert.log

Here are the additional details from acme_issuecert.log:

Any help would be very much appreciated!

Edit: attempt at network diagram

Posts: 2

Participants: 2
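The log above shows the HTTP-01 check being answered from an https:// URL, which is what happens when port-80 traffic is redirected to HTTPS before the challenge path is routed to the acme.sh listener. An added raw-config equivalent (editor's example, not the pfSense package's generated config), assuming acme.sh --standalone on port 4001 runs on the same host as HAProxy and a constructed application backend:

```haproxy
frontend http_in
    bind *:80
    mode http
    # HTTP-01 validation fetches http://<name>/.well-known/acme-challenge/<token>.
    acl is_acme_challenge path_beg /.well-known/acme-challenge/
    # http-request rules are evaluated before use_backend, so an unconditional
    # redirect-to-HTTPS would bounce the challenge too. Exclude it explicitly.
    http-request redirect scheme https code 301 if !is_acme_challenge
    use_backend acme_standalone if is_acme_challenge
    default_backend apps_http

backend acme_standalone
    mode http
    # acme.sh --standalone --httpport 4001 only listens while an issue/renew runs,
    # so no health check: a permanently DOWN server would make the ACL useless.
    server acme_sh 127.0.0.1:4001

backend apps_http
    mode http
    server app 192.168.0.10:80 check   # constructed placeholder
```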


Difference between ssl_c_verify and ssl_c_used


@swim2birds wrote:

I have a very generic simple configuration like this:

use_backend static unless { ssl_c_verify 0 }  
use_backend dotwebha-http-10600 if { ssl_c_used }
# fall-through to holding page
default_backend static

The ssl_c_verify doesn’t seem to do anything. If I comment it out it has no effect whether or not you supply a cert.

vru-ws-webtest-b2buat:/# /usr/rbin/haproxy -vv
HA-Proxy version 1.5.18 2016/05/10
Copyright 2000-2016 Willy Tarreau <willy@haproxy.org>

Build options :
  TARGET  = solaris
  CPU     = generic
  CC      = gcc
  CFLAGS  = -m32 -O2 -g -fno-strict-aliasing -fomit-frame-pointer -DFD_SETSIZE=65536 -D_REENTRANT
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.3
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.2j  26 Sep 2016
Running on OpenSSL version : OpenSSL 1.0.2j  26 Sep 2016
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built without PCRE support (using libc's regex instead)

Available polling systems :
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 2 (2 usable), will use poll.

vru-ws-webtest-b2buat:/# uname -a
SunOS vru-ws-webtest-b2buat 5.10 Generic_Virtual sun4v sparc sun4v
vru-ws-webtest-b2buat:/#

Posts: 4

Participants: 2


Migrating from nginx to haproxy 2.0.5 SSL issues


@nbolivar wrote:

Hi,

We are trying to migrate nginx proxy servers to HAProxy but we are experiencing some issues. We get the following error:

4431185516:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1498:SSL alert number 40
4431185516:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:

global
  daemon
  log stdout format raw local0 debug
  tune.ssl.default-dh-param 2048
  ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:AES256+EECDH:AES256+EDH:DHE-RSA-AES256-SHA

  ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
  ssl-default-bind-options no-tlsv10 no-tlsv11 no-tls-tickets
#  ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
  ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
#  ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
  ssl-default-server-options no-tlsv10 no-tlsv11 no-tls-tickets
  ssl-default-server-ciphers EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:AES256+EECDH:AES256+EDH:DHE-RSA-AES256-SHA

defaults
  log     global
  timeout connect  4s
  timeout client  60s
  timeout server  60s
  option  httplog
  option  httpchk
  option  dontlognull
  default-server init-addr none

resolvers dnsserver1
  nameserver opendns ${DNS_ADDR}:53
  hold valid 1s

frontend http
  mode http
  bind *:443 ssl crt /etc/ssl/haproxy.pem ca-file /etc/ssl/cacert.pem verify required accept-proxy alpn http/1.0,h2,http/1.1
  option  forwardfor
  timeout client 1m
  log     global
  log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%[ssl_c_s_dn],%[ssl_c_i_dn]}\ %{+Q}r,\ %{+Q}[ssl_c_der,base64]

  http-request set-header X-Haproxy-Current-Date %T
  http-request set-header X-SSL                  %[ssl_fc]
  http-request set-header X-SSL-Session_ID       %[ssl_fc_session_id,hex]
  http-request set-header X-SSL-Client-Verify    %[ssl_c_verify]
  http-request set-header X-SSL-Client-DN        %{+Q}[ssl_c_s_dn]
  http-request set-header X-SSL-Client-CN        %{+Q}[ssl_c_s_dn(cn)]
  http-request set-header X-SSL-Issuer           %{+Q}[ssl_c_i_dn]
  http-request set-header X-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
  http-request set-header X-SSL-Client-NotAfter  %{+Q}[ssl_c_notafter]
  http-request set-header X-SSL-Subject-DN       %{+Q}[ssl_c_s_dn]
  http-request set-header X-SSL-Issuer-DN        %{+Q}[ssl_c_i_dn]
  http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn]
  http-request set-header X-SSL-Client-Issuer-DN %{+Q}[ssl_c_i_dn]

  http-request set-header X-SSL-Cipher %[ssl_fc_cipher]
  http-request set-header X-SSL-Protocol %[ssl_fc_protocol]
  http-request set-header X-SSL-Session_ID %[ssl_fc_session_id,hex]
  http-request set-header X-Forwarded-Proto \ https

  default_backend srvs_api

backend srvs_api
  mode    http
  log     global
  option  httpchk HEAD /
  http-check expect status 503
  balance roundrobin
  server api.0 api.core."$DNS_DOMAIN":443 resolvers dnsserver1 check inter 2000 rise 2 fall 5 ssl crt /etc/ssl/haproxy_client.pem ca-file /etc/ssl/service-server-cacert.pem
  server api.1 api.core."$DNS_DOMAIN":443 resolvers dnsserver1 check inter 2000 rise 2 fall 5 ssl crt /etc/ssl/haproxy_client.pem ca-file /etc/ssl/service-server-cacert.pem
  server api.2 api.core."$DNS_DOMAIN":443 resolvers dnsserver1 check inter 2000 rise 2 fall 5 ssl crt /etc/ssl/haproxy_client.pem ca-file /etc/ssl/service-server-cacert.pem
  timeout connect         10s
  timeout server          1m
  http-request set-header X-Forwarded-Port %[dst_port]
  http-request add-header X-Forwarded-Proto https if { ssl_fc }

  http-request set-header X-Forwarded-By %[var(proc.xforwardedby)]
  http-request set-header X-Forwarded-For "${DOCKERIP}:%[dst_port]"
  http-request set-header X-Client-IP %[var(proc.xclientip)]

This is the output of the server startup

HA-Proxy version 2.0.5 2019/08/16 - https://haproxy.org/
Build options :
TARGET = linux-glibc
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-format-truncation -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wno-implicit-fallthrough -Wno-stringop-overflow -Wno-cast-function-type -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_GETADDRINFO=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1

Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER -PCRE -PCRE_JIT +PCRE2 +PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED -REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL -SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS

Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=1).
Built with OpenSSL version : OpenSSL 1.1.1c 28 May 2019
Running on OpenSSL version : OpenSSL 1.1.1c 28 May 2019
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.5
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE2 version : 10.33 2019-04-16
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with the Prometheus exporter as a service

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
h2 : mode=HTX side=FE|BE mux=H2
h2 : mode=HTTP side=FE mux=H2
<default> : mode=HTX side=FE|BE mux=H1
<default> : mode=TCP|HTTP side=FE|BE mux=PASS

Available services :
prometheus-exporter

Available filters :
[SPOE] spoe
[COMP] compression
[CACHE] cache
[TRACE] trace

Proxy http started.
Proxy srvs_api started.
[NOTICE] 252/055404 (1) : New worker #1 (33) forked
[WARNING] 252/055404 (33) : srvs_api/api.0 changed its IP from to 172.28.4.75 by dnsserver1/opendns.
[WARNING] 252/055404 (33) : Server srvs_api/api.0 ('api.core.qa.au.littlepay.com') is UP/READY (resolves again).
[WARNING] 252/055404 (33) : Server srvs_api/api.0 administratively READY thanks to valid DNS answer.
[WARNING] 252/055404 (33) : srvs_api/api.1 changed its IP from to 172.28.5.93 by DNS cache.
[WARNING] 252/055404 (33) : Server srvs_api/api.1 ('api.core.qa.au.littlepay.com') is UP/READY (resolves again).
[WARNING] 252/055404 (33) : Server srvs_api/api.1 administratively READY thanks to valid DNS answer.
[WARNING] 252/055404 (33) : srvs_api/api.2 changed its IP from to 172.28.6.224 by DNS cache.
[WARNING] 252/055404 (33) : Server srvs_api/api.2 ('api.core.qa.au.littlepay.com') is UP/READY (resolves again).
[WARNING] 252/055404 (33) : Server srvs_api/api.2 administratively READY thanks to valid DNS answer.
srvs_api/api.0 changed its IP from to 172.28.4.75 by dnsserver1/opendns.
Server srvs_api/api.0 ('api.core.qa.au.littlepay.com') is UP/READY (resolves again).
Server srvs_api/api.0 administratively READY thanks to valid DNS answer.
srvs_api/api.1 changed its IP from to 172.28.5.93 by DNS cache.
Server srvs_api/api.1 ('api.core.qa.au.littlepay.com') is UP/READY (resolves again).
Server srvs_api/api.1 administratively READY thanks to valid DNS answer.
srvs_api/api.2 changed its IP from to 172.28.6.224 by DNS cache.
Server srvs_api/api.2 ('api.core.qa.au.littlepay.com') is UP/READY (resolves again).
Server srvs_api/api.2 administratively READY thanks to valid DNS answer.

Any help would be really appreciated :slight_smile:
Nestor

Posts: 1

Participants: 1
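An added client-certificate frontend (editor's example, not from either post) covering the ssl_c_verify/ssl_c_used question in the swim2birds post and the verify setting on the bind line in this one; ssl_c_verify is the library's verify result and is 0 both after a successful verification and when no certificate was presented at all, which is why it must be combined with ssl_c_used. Certificate paths, backend names and addresses are assumptions.

```haproxy
frontend fe_mtls
    mode http
    # verify optional : the handshake completes even when the client sends no certificate.
    # crt-ignore-err all : a certificate that fails verification no longer aborts the
    #   handshake, so the error code reaches ssl_c_verify and can be routed/logged on.
    # With 'verify required' (the bind line in this post) a client that presents no
    #   certificate is refused inside the handshake; the client side reports that as
    #   an "alert handshake failure" (alert 40) rather than as an HTTP error.
    bind *:443 ssl crt /etc/haproxy/site.pem ca-file /etc/haproxy/client-ca.pem verify optional crt-ignore-err all

    # ssl_c_used   : true when the client presented a certificate on this connection.
    # ssl_c_verify : 0 means no verification error, and it is ALSO 0 when no
    #                certificate was presented, so "unless { ssl_c_verify 0 }" alone
    #                never sends anyone to the holding page.
    acl cert_presented ssl_c_used
    acl cert_verified  ssl_c_verify 0

    # Both must hold: a certificate was offered AND it chained to client-ca.pem.
    use_backend dotwebha-http-10600 if cert_presented cert_verified
    # Pass the verify code along for failed presentations so the holding page or the
    # access log can show why the client was not admitted.
    http-request set-header X-SSL-Client-Verify %[ssl_c_verify] if cert_presented
    default_backend static

backend dotwebha-http-10600
    mode http
    server app 127.0.0.1:10600 check   # constructed placeholder

backend static
    mode http
    server holding 127.0.0.1:8080 check   # constructed placeholder
```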


Haproxy 2.0.5 httpchk http/2 backend


@czechsys wrote:

Hello,

I am testing using HTTP/2 on the backend side. So on the SSL backend:

option httpchk HEAD / HTTP/1.1\r\nHost:\ serverA.domain.fqdn\r\n\User-Agent:\ serverA
server serverA ipA:443 check ssl verify none maxconn 1000 alpn h2,http/1.1

This works if nginx has only http/1.1 enabled.
When I change to

option httpchk HEAD / HTTP/2.0\r\nHost:\ serverA.domain.fqdn\r\n\User-Agent:\ serverA

it still works.

But when I enable "alpn http2" on the nginx side, haproxy fails the checks with L7RSP. What's the correct way to check via HTTP/2, or is there a better way (I am checking working PHP/source code availability too)? Tested with all headers lowercase and it failed too.

Thanks

Posts: 1

Participants: 1


Disable TLS 1.3 for specific SNI


@kotarusv wrote:

Hi

We use a single-backend, large-scale HAProxy based proxy server. SSL offload happens at this layer. Is it possible to disable TLS 1.3 for a specific domain/hostname? We have thousands of apps and each app has its own hostname. We use SNI and http mode.

We don't want to introduce too much complexity to solve this problem for one or two apps that are not compatible with TLS 1.3, like new front-ends or additional backends, or disabling TLS 1.3 globally at the front-end level.

It would be highly appreciated if anyone has a good approach.

Srinivas Kotaru

Posts: 2

Participants: 2
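An added crt-list example (editor's example, not the poster's config) that caps the TLS version per certificate entry, so only the SNI name of the incompatible app loses TLS 1.3 while the rest of the frontend keeps it. It assumes HAProxy 1.8 or later, where crt-list entries accept ssl-min-ver/ssl-max-ver, that the legacy app has its own certificate file, and constructed file names and hostnames.

```haproxy
# /etc/haproxy/certs.list
# crt-list format: <certificate file> [<bind-style ssl options>] [<SNI filters>]
# The first entry is the default certificate for hellos that match no SNI filter.
/etc/haproxy/certs/default.pem
# Capped at TLS 1.2 for this hostname only. Keep the filter exact (no wildcard) so
# the downgrade cannot leak to other apps sharing a parent domain.
/etc/haproxy/certs/legacyapp.pem [ssl-max-ver TLSv1.2] legacyapp.example.com

# haproxy.cfg
frontend fe_https
    mode http
    # Frontend-wide minimum; TLS 1.3 stays enabled for every entry without ssl-max-ver.
    bind *:443 ssl crt-list /etc/haproxy/certs.list ssl-min-ver TLSv1.2
    default_backend apps

backend apps
    mode http
    server app1 127.0.0.1:8080 check   # constructed placeholder
```

Check the result per name rather than per port: a TLS 1.3-only connection with SNI legacyapp.example.com should be refused while the same connection against any other name succeeds.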


Reserve backend server


@neok wrote:

I have this configuration that balances three squid proxies:

backend squid_pool
balance source
mode tcp
server px1 x.x.x.1:3128 check port 8181 send-proxy inter 2000 rise 2 fall 3
server px2 x.x.x.2:3128 check port 8181 send-proxy inter 2000 rise 2 fall 3
server px3 x.x.x.3:3128 check port 8181 send-proxy inter 2000 rise 2 fall 3

Now I want to change it so that the px3 server remains as a reserve in case of failure of px1 or px2, and then, when the fallen server (px1 or px2) becomes available again, the connections return to the server that came back online and the reserve server goes back to being a reserve.
How should I achieve this configuration?
Thank you very much for your help.

Gabriel

Posts: 1

Participants: 1
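An added backend (editor's example, not from either post) serving both this post and the rbrooker "backup but disable persistence on failback" post above: it marks px3 as a backup and uses the on-marked-up/on-marked-down server options to cut sessions over when a primary changes state. Note that HAProxy only sends new connections to a backup server while no non-backup server is up, so px3 takes over when px1 and px2 are both down, not when one of them fails; the RabbitMQ variant is the same shape with the cluster addresses.

```haproxy
backend squid_pool
    mode tcp
    balance source
    # px1 and px2 take traffic. px3 carries 'backup': it receives new connections only
    # while NO non-backup server is up. With one primary down, 'balance source' simply
    # hashes that primary's clients onto the remaining primary.
    #
    # on-marked-down shutdown-sessions : when a primary is marked DOWN, its existing
    #   sessions are killed so clients reconnect now instead of hanging on a dead peer.
    # on-marked-up shutdown-backup-sessions : when a primary comes back UP, sessions
    #   still parked on the backup are killed. Without it they persist on the backup
    #   until the client closes them, which is the failback behaviour both posts hit.
    server px1 x.x.x.1:3128 check port 8181 send-proxy inter 2000 rise 2 fall 3 on-marked-down shutdown-sessions on-marked-up shutdown-backup-sessions
    server px2 x.x.x.2:3128 check port 8181 send-proxy inter 2000 rise 2 fall 3 on-marked-down shutdown-sessions on-marked-up shutdown-backup-sessions
    server px3 x.x.x.3:3128 check port 8181 send-proxy inter 2000 rise 2 fall 3 backup
```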


HA Proxy Installation in AIX 6.1 and above


@vivekjaiswal wrote:

Hi Guys,

We at our company want to install the latest stable HAProxy 2.0.
We are using the AIX 6.1 (in dev) and above (AIX 7.2 in prod) operating systems.

We are facing issues, and there are no documents on installing HAProxy on AIX.
Can someone help us with the installation procedure and, if possible, the configuration procedure as well?

Thanks
Vivek

Posts: 1

Participants: 1



Haproxy 1.8.6 crashed

Haproxy send FIN/RST to backends unexpectedly


@CipherC wrote:

Hi,

We are using haproxy to provide public services, and found unexpected FIN/RST sent by haproxy, which caused the connection to be disconnected.

client: 47.93.x.x
server public ip(as haproxy): 139.198.y.y
server private ip (as backend) : 172.19.12.82

Please check attachment for more details:

Haproxy has enabled transparent proxy, so we’ve seen two TCP streams:

  • stream 597: client -> haproxy
  • stream 598: haproxy -> backend

After a normal TLS handshake interaction between client->haproxy->backend, haproxy sent FIN (#21872) and RST (#21874) to the backend directly.

These cause the connection to be interrupted, the request fails, and the client reported:

Exception org.apache.http.NoHttpResponseException ERROR 调用customerHttpClient.execute(request)方法失败,Signals that an I/O exception of some sort has occurred. This class is the general class of exceptions produced by failed or interrupted I/O operations. org.apache.http.NoHttpResponseException: https://xxx:443 failed to respond

And since we don't see any related packets received from the client (src client -> dst haproxy), can we say that haproxy sent the FIN/RST to the backend all by itself? Does anybody have any clue why this happened?

haproxy version used:
HA-Proxy version 1.6.13 2017/06/18
Copyright 2000-2017 Willy Tarreau willy@haproxy.org

BTW, this behavior happens rarely and cannot be reproduced manually.

Posts: 2

Participants: 1


Tcp-check leaves lots of TIME_WAITs


@Firm wrote:

Typical tcp-check in backend section:

backend backend_redis_write
  mode tcp
  option tcp-check
  tcp-check connect
  tcp-check send AUTH\ password\r\n
  tcp-check expect string +OK
  tcp-check send info\ replication\r\n
  tcp-check expect string role:master
  tcp-check send QUIT\r\n
  tcp-check expect string +OK
  server server1 server1:6379 check inter 1s on-marked-down shutdown-sessions on-marked-up shutdown-backup-sessions
  server server2 server2:6379 check inter 1s on-marked-down shutdown-sessions on-marked-up shutdown-backup-sessions
  server server3 server3:6379 check inter 1s on-marked-down shutdown-sessions on-marked-up shutdown-backup-sessions

With the config above the Haproxy host has lots of sockets in TIME_WAIT state. I wonder if it's possible to use persistent connections for this and not open a new connection on the next tcp-check sequence run?

Regards,

Posts: 1

Participants: 1


Backend server nginx down HAProxy


@wesleylc1 wrote:

Hi guys!
We set up a new nginx web server to run the "NextCloud" application, on subnet 192.168.40.xxx/22. "http and https" traffic redirection is done by a pfSense 2.4.4 firewall on subnet 192.168.43.xxx/22, where I run the HAProxy service version 1.8.17 to direct external access. There are currently two frontend configurations, one for port 80 and one for port 443, which work for other systems already deployed.

Below are the settings of this new backend.

Default backend, access control lists and actions


Statistics Report

I have already performed the tests below,

root@server:/usr/share/ca-certificates# nc -zv 192.168.40.xx 80

Connection to 192.168.40.xx 80 port [tcp/http] succeeded!

root@server:/usr/share/ca-certificates# netstat -npa |grep 80

tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1314/nginx: master
tcp6 0 0 :::80 :::* LISTEN 1314/nginx: master
unix 3 STREAM CONNECTED 20809 1/init /run/systemd/journal/stdout
unix 3 STREAM CONNECTED 18026 1/init /run/systemd/journal/stdout
unix 3 STREAM CONNECTED 18680 712/systemd-timesyn
unix 3 STREAM CONNECTED 20801 1/init /run/systemd/journal/stdout
unix 3 STREAM CONNECTED 19805 1/init
unix 3 STREAM CONNECTED 20805 1/init /run/systemd/journal/stdout

root@server:/usr/share/ca-certificates# nmap localhost

Starting Nmap 7.60 ( https://nmap.org ) at 2019-09-11 21:24 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000013s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql

Nmap done: 1 IP address (1 host up) scanned in 1.71 seconds

best regards,
Wesley Santos

Posts: 1

Participants: 1


Dynamic server name and header


@jbrahy wrote:

I’m looking for the equivalent of this code block below for requests to www.example.com and example.com. Can I do string concatenation like this?

http-response set-header X-Target  example.com
server web-servers  site.example.com:80 check

This is what I want to try. I just want to know if I’m crazy.

http-response set-header X-Target  %[req.hdr(Host)]
server web-servers  site.%[req.hdr(Host),regsub(^www.,,)]:80 check

HA-Proxy version 1.8.12-8a200c7 2018/06/27

I’m getting this error when I try haproxy -c -f haproxy.test

[root@pm-prod-haproxy05 haproxy]# haproxy -c -f haproxy.test
[ALERT] 259/180932 (16116) : parsing [haproxy.test:40]: ‘http-response set-header’: sample fetch <req.hdr(Host)> may not be reliably used here because it needs ‘HTTP request headers’ which is not available here.
[ALERT] 259/180932 (16116) : Error(s) found in configuration file : haproxy.test
[root@pm-prod-haproxy05 haproxy]#

Posts: 1

Participants: 1
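An added configuration (editor's example, not the poster's file) for the two lines above: the request Host is stashed in a transaction variable so the response rule can read it, which avoids the "needs HTTP request headers" error, and the Host header is rewritten toward a fixed server because a server address cannot embed a sample expression (it is static or resolved through DNS). The regsub is the one from the post; frontend/backend names and the upstream address are assumptions.

```haproxy
frontend fe_web
    bind *:80
    mode http
    # Request headers are not guaranteed to still be in the buffer when response
    # rules run (the error in the post), so copy the value while it is available.
    # txn.* variables live for the whole transaction, request and response.
    http-request set-var(txn.orig_host) req.hdr(Host)
    default_backend web

backend web
    mode http
    # Read the stored value in the response phase instead of req.hdr(Host).
    http-response set-header X-Target %[var(txn.orig_host)]
    # The 'server' address is static: build the upstream name in the Host header
    # instead, dropping a leading "www." so www.example.com and example.com both
    # reach site.example.com.
    http-request set-header Host site.%[var(txn.orig_host),regsub(^www.,,)]
    server web-servers site.example.com:80 check
```

Because every request lands on the same server line, the rewritten Host only changes what the upstream sees; if distinct hostnames must reach distinct addresses, each needs its own backend selected with use_backend.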

