Channel: HAProxy community - Latest topics

Proxy S3 and API gateway


@Samuurai wrote:

Hi,

I’m fairly new to HAProxy so please assume there are multiple errors in my config :)

I’m trying to proxy two parts of my app.

gcd.abc.com/ => Amazon S3
and
gcd.abc.com/api => API Gateway

My frontends look like this:

frontend http-in
        bind *:80 accept-proxy
        capture request header Host len 64
        
        # Permanent redirect HTTP to HTTPS
        redirect scheme https code 301 if !{ ssl_fc }

frontend https-in
        bind *:443 accept-proxy ssl crt /etc/ssl/xyz.co.pem
        capture request header Host len 64
        
        # HTTP header Security
        http-response del-header (Server|X-AspNet-Version|X-Powered-By)

        acl gcd hdr_beg(host) -i gcd.
        acl gcd_api hdr_beg(host) -i gcd. path_beg /api # I'm fairly sure this is wrong??

        use_backend gcd-static if host_gcd
        use_backend gcd-api if gcd_api

        use_backend fia if { path_beg /service/ifm } #other stuff that works
        use_backend calendar if { path_beg /service/calendar } #more other stuff which works

And my relevant backends look like this:

backend gcd-static
        http-request set-header Host xbc.abc.co.s3-website-eu-west-1.amazonaws.com
        server gcd-static s3.eu-west-1.amazonaws.com:80 check

backend gcd-api
        http-request set-header Host foobar.execute-api.eu-west-1.amazonaws.com
        http-request set-path /gcd/%[path]
        mode http
        option forwardfor
        server gcd-api foobar.execute-api.eu-west-1.amazonaws.com:443 ssl verify none sni str(foobar.execute-api.eu-west-1.amazonaws.com)

I have to admit some of this was copy-paste and I don’t know what some of the things are, like sni, and I’m not sure how to chain conditions together.

The problem I’m getting is that I don’t get any data back when I curl like this:

curl -H "Host: gcd.xyz.com" http://my_haproxy_ip

The log looks like this:

Sep 26 10:45:16 ip-10-100-10-74 haproxy[10871]: 93.109.6.37:54329 [26/Sep/2019:10:45:16.866] http-in http-in/<NOSRV> 0/-1/-1/-1/0 301 105 - - LR-- 1/1/0/0/0 0/0 {gcd.xyz.com} "GET / HTTP/1.1" - - 1-5D8C96BC-5D6D0625D4390A6401CF0050

Posts: 1

Participants: 1

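The log line above shows the request was answered by http-in itself with a 301 (no server, LR flags), so a plain curl without -L prints no body; for the chaining question, this is an added example (not the poster's config) of the https-in frontend with one fact per ACL and the conditions ANDed on the use_backend line. Host name, paths and backend names are taken from the post; the ca-file path is an assumption.

```haproxy
frontend https-in
        bind *:443 accept-proxy ssl crt /etc/ssl/xyz.co.pem
        capture request header Host len 64

        # One fact per named ACL. A use_backend line ANDs every ACL listed
        # after "if", and anonymous { ... } ACLs may be mixed in as well.
        acl gcd     hdr_beg(host) -i gcd.
        acl gcd_api path_beg -i /api

        # Most specific rule first: /api on the gcd host, then the catch-all.
        use_backend gcd-api    if gcd gcd_api
        use_backend gcd-static if gcd

        use_backend fia      if { path_beg /service/ifm }
        use_backend calendar if { path_beg /service/calendar }

backend gcd-static
        http-request set-header Host xbc.abc.co.s3-website-eu-west-1.amazonaws.com
        server gcd-static s3.eu-west-1.amazonaws.com:80 check

backend gcd-api
        mode http
        option forwardfor
        http-request set-header Host foobar.execute-api.eu-west-1.amazonaws.com
        http-request set-path /gcd/%[path]
        # Re-encrypt towards API Gateway. "sni" is the server name HAProxy
        # puts in its TLS handshake so the gateway serves the right
        # certificate; "verify required" plus a CA bundle (path assumed)
        # then checks that certificate instead of accepting anything, which
        # is what the post's "verify none" does.
        server gcd-api foobar.execute-api.eu-west-1.amazonaws.com:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni str(foobar.execute-api.eu-west-1.amazonaws.com)
```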


Can I match path_beg patterns from a map?


@eyepulp wrote:

TLDR
Is there a way to read a string value from a map and have path_beg treat it like a proper pattern to match against?

The longer version
We manage thousands of domains through a single haproxy config, and we have a limited number of backends (around 6) servicing various portions of each domain’s needs.

Based on customer options, different domains need a different combination of backends for particular routes (the same route might have several backends capable of answering, but it’s specific to each particular domain). This is where it gets messy to hardcode the logic in haproxy, and I’m trying to use maps to keep things very configurable (and we can use the Unix sockets to update the maps).

Currently I’m trying to use a map of domain names as keys with path_beg style patterns as values to choose between several backends. However it doesn’t appear path_beg can accept a string pulled from a map for matching – can anyone confirm, or is there another way to accomplish a similar result?

Using the examples below and curl to test I can set some response headers to verify that haproxy is looking up and receiving the correct values from the map. However, it never matches via path_beg to the strings it pulls from the map. If I hardcode the same strings (routes) path_beg works as expected.

Thanks for taking a look!

haproxy.cfg

#---------------------------------------------------------------------
frontend http-in
    bind *:80
    http-request set-var(txn.domain) req.hdr(Host),field(1,:),lower
    use_backend be-aa if { path_beg -i var(txn.domain),map(/usr/src/app/be-aa.routes.map.txt) }
    use_backend be-bb if { path_beg -i var(txn.domain),map(/usr/src/app/be-bb.routes.map.txt) }

be-aa.routes.map.txt

localhost  /contact

be-bb.routes.map.txt

localhost /api

Posts: 1

Participants: 1

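ACL patterns are literal strings, so `path_beg var(txn.domain),map(...)` compares the path against that text rather than against the map's value; this is an added example (not the poster's config) of the usual workaround, which keys a single map by host plus path and lets `map_beg` do the prefix match. The map file name, the `be-default` fallback and the availability of the `concat` converter are assumptions.

```haproxy
frontend http-in
    bind *:80
    # Host without port, lower-cased, with the request path appended:
    # "localhost/contact/form" for "Host: localhost:8080" and path "/contact/form".
    http-request set-var(txn.domain) req.hdr(Host),field(1,:),lower
    http-request set-var(txn.path)   path
    http-request set-var(txn.key)    var(txn.domain),concat(,txn.path)

    # map_beg looks the key up with the "beg" (prefix) match method, so the
    # routes move into the map keys and the backend name becomes the value.
    # A key with no matching prefix falls back to be-default (assumed name).
    use_backend %[var(txn.key),map_beg(/usr/src/app/routes.map.txt,be-default)]

# /usr/src/app/routes.map.txt, same "key value" layout as the post's maps and
# still updatable at runtime over the stats socket:
#
#   localhost/contact   be-aa
#   localhost/api       be-bb
```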

Haproxy tarpit requests with different status code

Http/3 support?


@mkaatman wrote:

Hey Guys, I know it’s early, but would be interested if anyone has started looking at http/3. Would be neat to be one of the first implementations.

Posts: 1

Participants: 1


HAProxy rate limit questions


@sunnysigara wrote:

Hi, we want to achieve key-based rate limiting. For example, let’s say that if queries per minute are > 300 for 2m, 5 times, then use http tarpit. Note we do not want to block the offender the first time, but only if he repeats the same more than 5 times.

API keys come in the HTTP header api-key.

Here is the portion of the conf file for what I want to achieve:

frontend http_front
    bind *:80
    #Server 01
    acl server01 hdr_dom(api-key) -i kbcf6c5b2d56d51d89b85

    # ACL Functions for rate_limit
    acl tx_is_api hdr_dom(host) -i -m sub \-api
    acl tx_is_api path_reg -i ^(/v4-)?/api/.*$
    acl has_auth_header req.fhdr(api-key) -m found

    # API specific counters
    acl mark_as_api_abuser   sc0_inc_gpc0(be_429_table_api) gt 0
    acl req_rate_api_abuse   sc0_http_req_rate(be_429_table_api) gt 300


    # API table fetches (track-sc0 needs the key to track: the api-key header)
    http-request track-sc0 req.hdr(api-key) table be_429_table_api if has_auth_header tx_is_api

    # set API call var
    http-request set-var(txn.req_api) bool(true) if tx_is_api

    use_backend be_429_slow_down if tx_is_api mark_as_api_abuser req_rate_api_abuse

backend be_429_table_api
    stick-table type string size 200k expire 2m store gpc0,http_req_rate(60s)

backend be_429_slow_down
    timeout tarpit 5s
    http-request tarpit

What I don’t understand is how to achieve that 5 times window. Should it be acl mark_as_api_abuser sc0_inc_gpc0(be_429_table_api) gt 5? Or should I use another counter separately, like this?

acl mark_as_api_abuser   sc0_inc_gpc0(be_429_table_api) gt 0
acl abuse_cnt src_get_gpc0(Abuse) gt 5

How will the counter reset in this scenario?

Also, what happens when the stick-table entry expires? Let’s say the user is blocked at 1m 59s, will he remain blocked for the next 2 min? What value should I choose as expire in this scenario?

Please help

Posts: 1

Participants: 1

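One way to express "over the limit in five separate minutes, then tarpit" with the post's own table and backends, as an added example rather than the poster's config: gpc0 counts over-limit minutes, gpc0_rate(1m) keeps one minute from being counted twice, and the api-key header is the tracking key as the post describes.

```haproxy
backend be_429_table_api
    # Keyed by the api-key value. http_req_rate(1m) is the per-key rate,
    # gpc0 the number of minutes in which that rate exceeded the limit,
    # gpc0_rate(1m) the number of gpc0 increments in the last minute.
    # An entry (and with it gpc0) is dropped only after 10 minutes without a
    # request for that key, so a key that keeps sending never resets itself.
    stick-table type string len 64 size 200k expire 10m store gpc0,gpc0_rate(1m),http_req_rate(1m)

frontend http_front
    bind *:80
    acl tx_is_api       path_reg -i ^(/v4-)?/api/.*$
    acl has_auth_header req.fhdr(api-key) -m found
    http-request track-sc0 req.hdr(api-key) table be_429_table_api if has_auth_header tx_is_api

    acl over_limit      sc0_http_req_rate(be_429_table_api) gt 300
    acl counted_already sc0_gpc0_rate(be_429_table_api) gt 0
    acl repeat_offender sc0_get_gpc0(be_429_table_api) ge 5

    # Increment gpc0 roughly once per minute in which the key is over the
    # limit; the first four such minutes only count, from the fifth on every
    # API request of that key goes to the tarpit until the entry expires.
    http-request sc-inc-gpc0(0) if tx_is_api over_limit !counted_already
    use_backend be_429_slow_down if tx_is_api repeat_offender

backend be_429_slow_down
    timeout tarpit 5s
    http-request tarpit
```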

Simple proxy on lan


@macmattias wrote:

On one of my servers I have services that need to be accessed from the LAN.
All of them are containers, with a local DNS pointing towards the server, but the services are all on different ports. I guess HAProxy can handle this?

services.donmail.io -> 192.168.1.80 // 8080, 8181 and so on.

Possible?

Posts: 1

Participants: 1


Using haproxy to send client certs


@simonuk1 wrote:

I have internal users that want to access an external API.

The API requires a client certificate to be presented and seems to be using SNI. We don’t want to give the users the client certificate, so we want to have a central location the users can get to that will send the request on to the API with the client certificate.

I am thinking of having port 80 for the users to connect to and then SSL outbound from haproxy; that way we don’t have to match cert names internally.

Does anyone know if this is even possible?

Appreciate any help with this.

Si

Posts: 1

Participants: 1

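What the post describes, as an added example (not the poster's config): plain HTTP from users on the LAN, TLS with a client certificate from HAProxy to the API. The API host name and all file paths are placeholders.

```haproxy
# Users connect over plain HTTP; HAProxy opens the TLS connection to the
# API and presents the client certificate itself, so the certificate and
# its private key exist only on this host.
frontend api-users
    mode http
    bind *:80
    default_backend external-api

backend external-api
    mode http
    # The API sees HAProxy as the client; give it the Host it expects.
    http-request set-header Host api.example.invalid
    # crt:             PEM holding the client certificate and its private key
    #                  (readable by the haproxy user only)
    # sni:             server name sent in the TLS handshake, since the API
    #                  selects its certificate by SNI
    # verify required: check the API's certificate against the CA bundle
    #                  instead of accepting any certificate on the wire
    server api api.example.invalid:443 ssl crt /etc/haproxy/client.pem sni str(api.example.invalid) verify required ca-file /etc/ssl/certs/ca-certificates.crt
```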

Pass src ip with HAProxy and MS ADFS


@BlackAdderDK wrote:

Hi

For the time being we are running MS ADFS with the configuration shown below, and that works like a charm… unfortunately there’s now a need for the src IP to be shown to the ADFS servers, preferably as “X-MS-Forwarded-Client-IP”.

I guess that would be possible if running in http mode, but has anyone done this with ADFS?

global
    log /dev/log local0
    log /dev/log local1 notice
    maxconn 6000
    tune.ssl.default-dh-param 2048
    daemon
    chroot /var/lib/haproxy
    uid 0
    gid 0
    ssl-default-server-options force-tlsv12 no-tls-tickets
    ssl-default-server-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options force-tlsv12 no-tls-tickets
    ssl-default-bind-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

defaults
    log global
    option tcplog
    option dontlognull
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend ADFSFrontend
    bind 10.0.1.100:443 interface eth0
    mode tcp
    default_backend ADFSBackend

backend ADFSBackend
    mode tcp
    balance roundrobin
    server adfs01 10.0.1.101:443 check
    server adfs02 10.0.1.102:443 check

backend Stats
listen stats
    bind :9000
    mode http
    stats enable
    stats hide-version
    stats refresh 10s
    stats show-desc ADFS
    stats show-legends
    stats realm HAProxyADFS\ Statistics
    stats auth stats:stats
    stats uri /Stats

Best regards
'Adder

Posts: 1

Participants: 1

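The http-mode variant the post wonders about, as an added example (not the poster's config): HAProxy terminates TLS, adds X-MS-Forwarded-Client-IP and re-encrypts to the farm, whereas in the tcp-mode config above the TLS stream passes through untouched and no header can be inserted. Certificate and CA file paths are assumptions; the global and defaults sections stay as in the post.

```haproxy
frontend ADFSFrontend
    mode http
    # TLS now terminates on HAProxy, so the certificate the clients expect
    # for the ADFS service name must be installed here (path assumed).
    bind 10.0.1.100:443 interface eth0 ssl crt /etc/haproxy/adfs.pem
    option httplog
    default_backend ADFSBackend

backend ADFSBackend
    mode http
    balance roundrobin
    # The client address as seen by HAProxy, in the header ADFS reads.
    http-request set-header X-MS-Forwarded-Client-IP %[src]
    # Re-encrypt to the farm and verify the farm certificates against the
    # CA that issued them (path assumed) rather than accepting anything;
    # ssl-default-server-options from the post's global section still apply.
    server adfs01 10.0.1.101:443 ssl verify required ca-file /etc/haproxy/adfs-ca.pem check
    server adfs02 10.0.1.102:443 ssl verify required ca-file /etc/haproxy/adfs-ca.pem check
```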


Haproxy Balancing. How to find the minimum value in a haproxy checker?


@Norbertino wrote:

I am trying to configure HAProxy to balance between Postgres replicas. The main task: the request should be redirected to the node with the most current data. The data-relevance check runs on master_node:

select client_addr AS client, (pg_wal_lsn_diff(pg_current_wal_lsn(), replay_lsn))::int / 1024 as total_lag from pg_stat_replication;

With this command I get a list of hosts and their replication lag. For example:

111.111.111.111 | 152
222.222.222.222 | 9
333.333.333.333 | 4700

I need the host with the minimum value. I do not understand three things:

  1. How do I pass a replica name to a custom haproxy checker?
  2. How do I compare the values obtained?
  3. How do I tell HAProxy, based on the given values, which of the replicas to switch requests to?

Posts: 1

Participants: 1


Seamless reload question / issue


@FrancisL wrote:

Using haproxy 1.9.11

Could the fact that the servers don’t keep the same ordering when I regenerate the haproxy file cause me to send 503s to the end users for a short while, or would it be because of something else?

 active and 1 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
[WARNING] 273/061724 (9419) : backend ID mismatch: from server state file: '247', from running config '251'
[WARNING] 273/061724 (9419) : Server xxxxxxx/yyyyyyy is DOWN, changed from server-state after a reload. 2 active and 1 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.

In my backend I also use this:

default-server init-addr last,libc,none resolvers dns resolve-opts allow-dup-ip resolve-prefer ipv4

Posts: 1

Participants: 1


Error when trying to read txn.res channel


@andreastoom wrote:

Hi,

I am trying to implement a simple action in Lua that is going to save the HTTP response body to a file on disk. Unfortunately I get "unknown runtime error from [C] method 'dup'" every time I try to read from the txn:res channel/buffer via dup(), get() or getline(). I get the error when running the latest version of HAProxy via Docker and also when trying with a pre-packaged version of HAProxy 1.9 on Ubuntu 14.04.

I have pasted my play code below; I would really appreciate any pointers that can help me move forward.

haproxy.cfg

global
  maxconn 10000
  daemon
  lua-load /usr/local/etc/haproxy/hello.lua

defaults
  mode http
  log stdout format raw local0 info

frontend fe-http
  bind :80
  http-response lua.save_response_action
  default_backend be-default

hello.lua

local function save_response(txn)
  core.Debug("save_response start!")
  if txn.res:get_in_len() > 0 then
    core.Debug(txn.res:get_in_len())
    core.Debug(txn.res:dup())
  end
  core.Debug("save_response complete!")
end

core.register_action("save_response_action", { 'http-res' }, save_response, 0)

log output

$ docker run --rm --name haproxy-lua -p 9090:80 -v /tmp/haproxy-docker/conf:/usr/local/etc/haproxy:ro haproxy -d -- /usr/local/etc/haproxy/haproxy.cfg
[WARNING] 273/101818 (1) : config : missing timeouts for frontend 'fe-http'.
| While not properly invalid, you will certainly encounter various problems
| with such a configuration. To fix this, please ensure that all following
| timeouts are set to a non-zero value: 'client', 'connect', 'server'.
[WARNING] 273/101818 (1) : config : missing timeouts for backend 'be-default'.
| While not properly invalid, you will certainly encounter various problems
| with such a configuration. To fix this, please ensure that all following
| timeouts are set to a non-zero value: 'client', 'connect', 'server'.
Available polling systems :
    epoll : pref=300,  test result OK
    poll : pref=200,  test result OK
    select : pref=150,  test result FAILED
Total: 3 (2 usable), will use epoll.

Available filters :
        [SPOE] spoe
        [COMP] compression
        [CACHE] cache
        [TRACE] trace
Using epoll() as the polling mechanism.
[NOTICE] 273/101818 (1) : New worker #1 (6) forked
Proxy fe-http started.
Proxy be-default started.
Connect from 192.168.50.1:60192 to 172.17.0.2:80 (fe-http/HTTP)
00000000:fe-http.accept(0006)=000c from [192.168.50.1:60192] ALPN=<none>
00000000:fe-http.clireq[000c:ffffffff]: GET /index.html HTTP/1.1
00000000:fe-http.clihdr[000c:ffffffff]: host: docker-slave:9090
00000000:fe-http.clihdr[000c:ffffffff]: user-agent: curl/7.58.0
00000000:fe-http.clihdr[000c:ffffffff]: accept: */*
00000000:be-default.srvrep[000c:000d]: HTTP/1.1 200 OK
00000000:be-default.srvhdr[000c:000d]: date: Tue, 01 Oct 2019 10:18:22 GMT
00000000:be-default.srvhdr[000c:000d]: server: Apache
00000000:be-default.srvhdr[000c:000d]: vary: X-B3-TraceId,X-B3-SpanId,X-B3-Sampled
00000000:be-default.srvhdr[000c:000d]: last-modified: Mon, 09 Sep 2019 06:35:39 GMT
00000000:be-default.srvhdr[000c:000d]: etag: "1005-59218ff06e2a7"
00000000:be-default.srvhdr[000c:000d]: accept-ranges: bytes
00000000:be-default.srvhdr[000c:000d]: content-length: 4101
Lua function 'save_response_action': unknown runtime error from [C] method 'dup', /usr/local/etc/haproxy/hello.lua:5 C function line 1.
[debug] 273/101822 (6) : save_response start!
[debug] 273/101822 (6) : 4328
[ALERT] 273/101822 (6) : Lua function 'save_response_action': unknown runtime error from [C] method 'dup', /usr/local/etc/haproxy/hello.lua:5 C function line 1.
00000000:be-default.srvcls[000c:000d]
00000000:be-default.clicls[000c:000d]
00000000:be-default.closed[000c:000d]
Connect from 192.168.50.1:60192 to 172.17.0.2:80 (fe-http/HTTP)
00000001:fe-http.accept(0006)=000c from [192.168.50.1:60192] ALPN=<none>
00000001:fe-http.clicls[000c:ffffffff]
00000001:fe-http.closed[000c:ffffffff]
^C[WARNING] 273/101825 (1) : Exiting Master process...
[ALERT] 273/101825 (1) : Current worker #1 (6) exited with code 130 (Interrupt)
[WARNING] 273/101825 (1) : All workers exited. Exiting... (130)

/Andreas

Posts: 1

Participants: 1


Unable to use custom message for 404 error


@tmallikarjuna wrote:

Hi,

I am able to set custom error files for all errors except 404 using errorfile and errorloc to redirect to an error page.

Can someone help me set a custom error page for 404 errors?
Best regards,
Tejesh

Posts: 1

Participants: 1


How to convert boolean to string


@trococ wrote:

I would like to log whether the response is compressed by haproxy or not.

This is an example config:

 http-response set-var(txn.comp) yes if { res.comp }    
 http-response set-var(txn.comp) no unless { res.comp }    

log-format compress\ %[txn.comp] 

Of course it’s not working.

How can I do that?

Posts: 1

Participants: 1


High Recv-Q on multithread mode, but all OK in multiprocess mode


@ilyas wrote:

Hello,

We are using HAProxy 1.8.20 on CentOS 7 with 4 cores. We have a very high-load site (traffic around 250 Mbit/s, 300 Mbit/s at peaks).

We are using ACL rules in the config, etc. But the problem is:

  1. We had very high CPU utilization for the haproxy process, so we decided to activate multithread mode (nbthread 4), and this helped to improve the situation.
  2. But sometimes under high load haproxy did not have time to process network packets and we saw a high receive queue in netstat (see screenshot: https://i.imgur.com/iy9JpjE.jpg).
  3. We activated multiprocess mode (nbproc=2 and nbthread=2) and our queue reset to zero, and now all is OK…

My question is: what is the difference between multiprocess and multithread mode from a performance point of view? Why in our case is multiprocess better than multithread?

Thank you.

Posts: 1

Participants: 1


How to have a primary and a backup server and switch them?


@jlecour wrote:

Hi,

I am in a situation where I have a backend with a main server A and a backup server B.
The intention is to have 100% of requests served by server A, and fallback to the server B if A is failing.

But I’d like to be able to switch the roles of the servers. Server B should then serve all the requests and server A should become the backup in case of B failing.

I don’t want to disable server A in HAProxy for it to use server B, because I still want the fallback to be possible.

I’ve found a weird option: having my 2 different configurations and a symlink to one of them to tell which one HAProxy should use. But it forces me to reload the configuration each time I want to switch, and to maintain 2 different files.

I’ve searched in the API and I’ve found settings I can change (weight…) but nothing about the “backup” attribute of a server.
Also I didn’t find an algorithm which would do this automatically.

Does anyone have an idea to solve this use case?

Posts: 1

Participants: 1



HAProxy 2.0.7 Network Issue in Centos 7 Server


@nidheesh wrote:

After upgrading to HAProxy 2.0.7, packets were broadcast and the network lagged. It affects servers in the same subnet. Because of this I have reverted to the older version 1.5.18. Please give me a suggestion as to which is the reliable version of HAProxy.

Posts: 1

Participants: 1


After HAproxy is implemented, application time got increased


@sgreddy wrote:

Hi,
We have recently implemented HAProxy with two backend servers, and now we are seeing some performance issues: application time has increased. Can you please help me with how I can eliminate this slow performance?

Posts: 2

Participants: 1


Vary: Accept-Encoding remove


@manperez wrote:

Hi,

I’m testing this to load balance a web application; however, the developers are telling me that I cannot have Vary: Accept-Encoding in the headers. If I use the web application directly on its web server I indeed don’t have that header, but passing through HAProxy I get it.

How do I disable it?

Posts: 1

Participants: 1


HTTPS redirection not working


@abarber wrote:

We are currently running HA-Proxy version 1.5-dev18 2013/04/03 as a reverse proxy for some websites and a VMware View environment.
The issue we are experiencing is that all our sites in the backend are HTTPS, and even though we have an HTTP and an HTTPS front end configured, with http-request redirect scheme https code 301 if !{ ssl_fc } in the HTTP front end, when a user goes to http://site1.com they are not redirected to https://site1.com.

I believe it to be something to do with our HTTPS front end looking for the SNI, but I am more than likely wrong.

I have included the config to see if anyone can see anything obvious.

global
    maxconn 4096
    pidfile /var/run/haproxy.pid
    daemon
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    stats socket /var/run/haproxy.stat mode 600
    user haproxy
    group haproxy

defaults
    # log 127.0.0.1:514 local0 debug
    # log 127.0.0.1:514 local1
    mode tcp
    retries 3
    option redispatch
    maxconn 2000
    contimeout 5000
    clitimeout 50000
    srvtimeout 50000
    #stats enable
    #stats auth admin:admin

userlist UsersFor_HAProxyStatistics
    group admin users haproxy
    user haproxy insecure-password
    user stats insecure-password

listen stats *:1936
    mode http
    stats enable
    #stats scope http
    #stats scope www
    #stats scope static
    #stats scope static_httpclose
    #stats realm Haproxy\ Statistics
    stats uri /haproxy?stats
    #stats auth haproxy:
    stats refresh 20s
    stats show-node
    stats show-legends
    acl AuthOkay_ReadOnly http_auth(UsersFor_HAProxyStatistics)
    acl AuthOkay_Admin http_auth_group(UsersFor_HAProxyStatistics) admin
    stats http-request auth realm HAProxy-Statistics unless AuthOkay_ReadOnly
    stats admin if AuthOkay_Admin

frontend inbound-http *:80
    mode http
    http-request redirect scheme https code 301 if !{ ssl_fc }

frontend test :443
    mode tcp
    #log global

    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend 1_BE if { req_ssl_sni -i yourdomain.com }
    use_backend 1_BE if { req_ssl_sni -i yourdomain1.com }
    use_backend 2_BE if { req_ssl_sni -i yourdomain2.com }
    use_backend 3_BE if { req_ssl_sni -i yourdomain3.com }
    use_backend 4_BE if { req_ssl_sni -i yourdomain4.com }
    use_backend 5_BE if { req_ssl_sni -i yourdomain5.com }
    use_backend 6_BE if { req_ssl_sni -i yourdomain6.com }
    use_backend 7_BE if { req_ssl_sni -i yourdomain7.com }
    use_backend 7_BE if { req_ssl_sni -i yourdomain8.com }
    use_backend 7_BE if { req_ssl_sni -i yourdomain9.com }
    use_backend 7_BE if { req_ssl_sni -i yourdomain10.com }
    use_backend 7_BE if { req_ssl_sni -i yourdomain11.com }
    use_backend 7_BE if { req_ssl_sni -i yourdomain12.com }
    use_backend 7_BE if { req_ssl_sni -i yourdomain13.com }
    use_backend 7_BE if { req_ssl_sni -i yourdomain14.com }
    use_backend 7_BE if { req_ssl_sni -i yourdomain15.com }
    use_backend 7_BE if { req_ssl_sni -i yourdomain16.com }
    use_backend 8_BE if { req_ssl_sni -i yourdomain17.com }
    use_backend 9_BE if { req_ssl_sni -i yourdomain18.com }
    use_backend 10_EX_BE if { req_ssl_sni -i yourdomain19.com }
    default_backend 1_BE

backend 1_BE
    mode tcp
    option tcplog
    option ssl-hello-chk #make sure we can talk SSL, not just TCP
    balance source
    server [serverName1] [serverip]:443 check id 1 inter 10s rise 5 fall 2
    server [serverName2] [serverip]:443 check id 2 inter 10s rise 5 fall 2

backend 2_BE
    #log global
    server [serverName3] [serverip]:443

backend 9_BE
    #log global
    server [serverName4] [serverip]:443

backend 3_BE
    #log global
    server [serverName5] [serverip]:443

backend 4_BE
    #log global
    server [serverName6] [serverip]:443

backend 5_BE
    #log global
    server [serverName7] [serverip]:443

backend 6_BE
    #Log global
    server [serverName8] [serverip]:443

backend 7_BE
    #Log global
    server [serverName9] [serverip]:443

backend 8_BE
    #log global
    server [serverName10] [serverip]:443

backend 10_EX_BE
    #log global
    server [serverName11] [serverip]:443

Posts: 1

Participants: 1


Multiple Instances - HAproxy


@fgonzalez wrote:

Hi community,

I leave this initial post because I have HA-Proxy version 1.7.5-2 in production and I will move it to a new machine (I had thought of putting v2.0.7 on it) and, taking advantage of the change, configure it as several instances (with several configuration files). I searched the internet quite a bit and I only found one reference on how to do this ( https://elhombrequereventodeinformacion.wordpress.com/2016/12/09/split-haproxy-configuration-in-multiple-files-working-with-systemd/ ) but nothing in the official documentation …

Could you tell me where to look? Thanks, greetings!

Posts: 1

Participants: 1

