Channel: HAProxy community - Latest topics

Going into the maintenance in multi-process mode does not work?


@yosnoop wrote:

Hi, community.

We are using haproxy-1.6.6 with ssl option on CentOS 7.2 and the multi-process mode is on (nbproc 20). When we put a server into maintenance mode by disabling it through CLI, we found the server kept getting requests while it properly works in non-multi-process mode.

We tried to disable the server through all the sockets, to no avail. There is no persist option, either. Is this supposed to work in the multi-process mode in the first place? Upgrading to haproxy-1.6.9 didn't fix our problem.

Here goes the gist of configuration:
global
log 127.0.0.1 local0 debug
maxconn 8000
maxsslconn 4096
chroot /usr/share/haproxy
uid 99
gid 99
daemon
debug
tune.ssl.default-dh-param 2048
stats socket /tmp/haproxy level admin process 1
stats socket /tmp/haproxy-monitor mode 777 level user process 1
stats socket /tmp/haproxy2 level admin process 2
stats socket /tmp/haproxy3 level admin process 3
stats socket /tmp/haproxy4 level admin process 4
stats socket /tmp/haproxy5 level admin process 5
stats socket /tmp/haproxy6 level admin process 6
stats socket /tmp/haproxy7 level admin process 7
stats socket /tmp/haproxy8 level admin process 8
stats socket /tmp/haproxy9 level admin process 9
stats socket /tmp/haproxy10 level admin process 10
stats socket /tmp/haproxy11 level admin process 11
stats socket /tmp/haproxy12 level admin process 12
stats socket /tmp/haproxy13 level admin process 13
stats socket /tmp/haproxy14 level admin process 14
stats socket /tmp/haproxy15 level admin process 15
stats socket /tmp/haproxy16 level admin process 16
stats socket /tmp/haproxy17 level admin process 17
stats socket /tmp/haproxy18 level admin process 18
stats socket /tmp/haproxy19 level admin process 19
stats socket /tmp/haproxy20 level admin process 20
ssl-default-bind-options no-sslv3
nbproc 20
stats bind-process 20

defaults
log global
mode http
balance leastconn
retries 3
option httplog
option dontlognull
option forwardfor
option redispatch
timeout connect 5s
timeout client 310s
timeout server 310s

frontend www-front
bind 10.24.244.132:443,10.24.244.133:443,10.34.243.132:443,10.34.243.133:443 ssl crt /etc/haproxy/certs/www.pem
default_backend www-end

backend www-end
no log
option httpchk GET /hc/healthcheck.html
http-check expect string CHECK_HEALTH_CHECK_HTML
compression algo gzip
compression type text/html text/plain text/css text/javascript
cookie line0 insert nocache indirect
server 001-101 p1-genesis-front001e:8001 check inter 10s rise 3 fall 3 cookie p1-fr001-101
server 001-102 p1-genesis-front001e:8002 check inter 10s rise 3 fall 3 cookie p1-fr001-102
server 001-201 p1-genesis-front001e:8011 check inter 10s rise 3 fall 3 cookie p1-fr001-201
server 001-202 p1-genesis-front001e:8012 check inter 10s rise 3 fall 3 cookie p1-fr001-202
server 002-101 p1-genesis-front002e:8001 check inter 10s rise 3 fall 3 cookie p1-fr002-101
server 002-102 p1-genesis-front002e:8002 check inter 10s rise 3 fall 3 cookie p1-fr002-102
server 002-201 p1-genesis-front002e:8011 check inter 10s rise 3 fall 3 cookie p1-fr002-201
server 002-202 p1-genesis-front002e:8012 check inter 10s rise 3 fall 3 cookie p1-fr002-202
server 003-101 p1-genesis-front003e:8001 check inter 10s rise 3 fall 3 cookie p1-fr003-101
server 003-102 p1-genesis-front003e:8002 check inter 10s rise 3 fall 3 cookie p1-fr003-102
server 003-201 p1-genesis-front003e:8011 check inter 10s rise 3 fall 3 cookie p1-fr003-201
server 003-202 p1-genesis-front003e:8012 check inter 10s rise 3 fall 3 cookie p1-fr003-202
server 004-101 p1-genesis-front004e:8001 check inter 10s rise 3 fall 3 cookie p1-fr004-101
server 004-102 p1-genesis-front004e:8002 check inter 10s rise 3 fall 3 cookie p1-fr004-102
server 004-201 p1-genesis-front004e:8011 check inter 10s rise 3 fall 3 cookie p1-fr004-201
server 004-202 p1-genesis-front004e:8012 check inter 10s rise 3 fall 3 cookie p1-fr004-202
server 005-101 p1-genesis-front005e:8001 check inter 10s rise 3 fall 3 cookie p1-fr005-101
server 005-102 p1-genesis-front005e:8002 check inter 10s rise 3 fall 3 cookie p1-fr005-102
server 005-201 p1-genesis-front005e:8011 check inter 10s rise 3 fall 3 cookie p1-fr005-201
server 005-202 p1-genesis-front005e:8012 check inter 10s rise 3 fall 3 cookie p1-fr005-202
server 006-101 p1-genesis-front006e:8001 check inter 10s rise 3 fall 3 cookie p1-fr006-101
server 006-102 p1-genesis-front006e:8002 check inter 10s rise 3 fall 3 cookie p1-fr006-102
server 006-201 p1-genesis-front006e:8011 check inter 10s rise 3 fall 3 cookie p1-fr006-201
server 006-202 p1-genesis-front006e:8012 check inter 10s rise 3 fall 3 cookie p1-fr006-202
server 007-101 p1-genesis-front007e:8001 check inter 10s rise 3 fall 3 cookie p1-fr007-101
server 007-102 p1-genesis-front007e:8002 check inter 10s rise 3 fall 3 cookie p1-fr007-102
server 007-201 p1-genesis-front007e:8011 check inter 10s rise 3 fall 3 cookie p1-fr007-201
server 007-202 p1-genesis-front007e:8012 check inter 10s rise 3 fall 3 cookie p1-fr007-202
server 008-101 p1-genesis-front008e:8001 check inter 10s rise 3 fall 3 cookie p1-fr008-101
server 008-102 p1-genesis-front008e:8002 check inter 10s rise 3 fall 3 cookie p1-fr008-102
server 008-201 p1-genesis-front008e:8011 check inter 10s rise 3 fall 3 cookie p1-fr008-201
server 008-202 p1-genesis-front008e:8012 check inter 10s rise 3 fall 3 cookie p1-fr008-202

Thanks.

Posts: 1

Participants: 1



HealthCheck passing dynamic attributes


@punitgoel wrote:

I have a requirement where I need to do a health check, and the exposed health check API requires a uniqueId header. How can I set this header to a different unique value in the haproxy.cfg file? My configuration is as below:

backend server_1
mode http
balance roundrobin
option httpchk GET /health HTTP/1.0\r\nuniqueId:\
http-check expect status 200
server app1 127.0.0.1:8083 check

Posts: 1

Participants: 1


Understanding huge RAM utilisation diff between 1.5.18 and 1.6.9


@jagbir wrote:

I'd like to understand and probably calculate/verify approx. how much memory haproxy should consume for serving a certain no. of tcp connections (25% SSL). This interests me because when I upgraded haproxy from 1.5.18 to 1.6.9 I am seeing a huge drop in memory utilisation (1.5.18 almost consuming 4x more RAM). I would like to understand whether it's due to certain improvements/bug fixes (I've glanced through the change log but didn't notice anything significant in this context) or due to something which might be deteriorating my users' experience here and I need to dig deeper?

Putting stats here from two servers (both are same r3.xlarge instance type in AWS serving same purpose):

Server 1 (haproxy 1.5.18):

root@ip-10-0-7-129:~# haproxy -v
HA-Proxy version 1.5.18 2016/05/10

root@ip-10-0-7-129:~# echo "show info" | socat stdio /var/run/haproxy.socket | egrep "CurrConns|CurrSslConns"
CurrConns: 171873
CurrSslConns: 26128

root@ip-10-0-7-129:~# free -g
total used free shared buffers cached
Mem: 29 12 17 0 0 0
-/+ buffers/cache: 11 18
Swap: 0 0 0

root@ip-10-0-7-129:~# ps -ef | grep [h]aproxy
haproxy 20869 1 45 Nov02 ? 21:07:14 /usr/local/sbin/haproxy -f /etc/haproxy/haproxy.cfg -D -p /var/run/haproxy.pid
root@ip-10-0-7-129:~#

Server 2 (haproxy 1.6.9):

root@ip-10-0-7-205:~# haproxy -v
HA-Proxy version 1.6.9 2016/08/30

root@ip-10-0-7-205:~# echo "show info" | socat stdio /var/run/haproxy.socket | egrep "CurrConns|CurrSslConns"
CurrConns: 172815
CurrSslConns: 26321

root@ip-10-0-7-205:~# free -g
total used free shared buffers cached
Mem: 29 3 26 0 0 0
-/+ buffers/cache: 3 26
Swap: 0 0 0

root@ip-10-0-7-205:~# ps -ef | grep [h]aproxy
haproxy 21785 1 50 Nov03 ? 13:55:30 /usr/local/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid -D -sf 28197
root@ip-10-0-7-205:~#

Instances are exactly same in terms of configurations/OS/kernel:

$ uname -a
Linux ip-10-0-7-205 3.19.0-69-generic #77~14.04.1-Ubuntu SMP Tue Aug 30 01:29:21 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

Following haproxy compilation command is used for both versions:

make TARGET=linux2628 CPU=native USE_STATIC_PCRE=1 ADDLIB=-lz USE_OPENSSL=1 DLMALLOC_SRC=/home/ubuntu/malloc.c

Any insights will be highly appreciated. Thanks

Posts: 2

Participants: 2


HAProxy in front of SSO Apache Tomcat


@Lion wrote:

Hello,

I would like to ask for help with correct HAProxy setup.

I have Apache tomcat servers configured with sso_krb.
I need advice if haproxy can act as load balancer in front of SSO server or if I can redirect the incoming request directly against the backend server.
Any help is highly appreciated.

If I login via Haproxy in tcp mode it sends its own IP address to backend server and SSO fails:

2016-11-04 11:13:13,621 INFO http-bio-8777-exec-8 [IGatePluginServlet] Request IP-address: 10.249.2.237
2016-11-04 11:13:13,621 INFO http-bio-8777-exec-8 [IGatePluginServlet] Profiling: Startup
2016-11-04 11:13:13,622 INFO http-bio-8777-exec-8 [SSOKerberosServletPlugin] No 'Authorization' in header!
2016-11-04 11:13:13,622 INFO http-bio-8777-exec-8 [IGateProfiling] ?#TOTAL|162|10.249.2.237;plugin/ssokrb;Y;1||
2016-11-04 11:13:14,079 INFO http-bio-8777-exec-8 [IGatePluginServlet] Request IP-address: 10.249.2.237
2016-11-04 11:13:14,079 INFO http-bio-8777-exec-8 [IGatePluginServlet] Profiling: Startup
2016-11-04 11:13:14,080 INFO http-bio-8777-exec-8 [SSOKerberosServletPlugin] Authorization token length: 66
2016-11-04 11:13:14,080 INFO http-bio-8777-exec-8 [SSOKerberosServletPlugin] Kerberos token: TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
2016-11-04 11:13:14,080 INFO http-bio-8777-exec-8 [SSOKerberosServletPlugin] It is probably a NTLM token and not a Kerberos one because it starts with TlRM
2016-11-04 11:13:14,299 ERROR http-bio-8777-exec-8 [SSOKerberosServletPlugin] Token: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
java.lang.RuntimeException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

When I connect directly to tomcat server from my computer it works:

2016-11-04 14:16:32,068 INFO http-bio-8777-exec-20 [SupportedBrowsersVerification] Verify browser
2016-11-04 14:16:39,303 INFO http-bio-8777-exec-11 [IGatePluginServlet] Request IP-address: 10.242.80.116
2016-11-04 14:16:39,303 INFO http-bio-8777-exec-11 [IGatePluginServlet] Profiling: Startup
2016-11-04 14:16:39,303 INFO http-bio-8777-exec-11 [SSOKerberosServletPlugin] No 'Authorization' in header!
2016-11-04 14:16:39,304 INFO http-bio-8777-exec-11 [IGateProfiling] ?#TOTAL|166|10.242.80.116;plugin/ssokrb;Y;1||
2016-11-04 14:16:40,751 INFO http-bio-8777-exec-11 [IGatePluginServlet] Request IP-address: 10.242.80.116
2016-11-04 14:16:40,752 INFO http-bio-8777-exec-11 [IGatePluginServlet] Profiling: Startup
2016-11-04 14:16:40,752 INFO http-bio-8777-exec-11 [SSOKerberosServletPlugin] Authorization token length: 4310
2016-11-04 14:16:40,752 INFO http-bio-8777-exec-11 [SSOKerberosServletPlugin] Kerberos token: YIIMkwYGKwYBBQUCoIIMhzCCDIOgMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCDE0EggxJYIIMRQYJKoZIhvcSAQICAQBuggw0MIIMMKADAgEFoQMCAQ6iBwMFACAAAACjggq5Y...
...
2016-11-04 14:16:40,978 INFO http-bio-8777-exec-11 [SSOKerberosServletPlugin] Security context successfully initialised!
2016-11-04 14:16:40,979 INFO http-bio-8777-exec-11 [giop] ClientConnectionManager: found ClientGIOPConnection to 127.0.0.1:10023 (1cae2b6c)
2016-11-04 14:16:40,980 INFO http-bio-8777-exec-11 [iiop] Connected to 127.0.0.1:10023 from local port 55719
2016-11-04 14:16:41,119 INFO http-bio-8777-exec-11 [SSOKerberosServletPlugin] Use redirect for login page
2016-11-04 14:16:41,119 INFO http-bio-8777-exec-11 [IGateProfiling] ?#TOTAL|167|10.242.80.116;plugin/ssokrb/spise/velocity/session/session_init.vm;Y;367||
2016-11-04 14:16:42,115 INFO http-bio-8777-exec-11 [SupportedBrowsersVerification] Verify browser

Posts: 1

Participants: 1


How to balance w/ consistent-hash based on only the filename?


@sottolski wrote:

Hi,

it's probably dead simple, but I can't figure it out. I have request URLs in a form of

http://hostname.tld/some/subdir/filename.suffix
http://hostname.tld/other/subdir/filename.suffix

The "/some/subdir/" and "/other/subdir/" are more or less random; only the "filename.suffix" is consistent.

Consequently, I can't use the beginning of the path for balancing with "hash-type consistent", but need to balance based only on the filename portion of the URL. Is there something like a negative value for the "depth" parameter (depth -1)? Otherwise, I could probably extract the filename.suffix portion by a regex, add the result as a header, and use that header for the balancing.

frontend
http-request set-header "X-Filename"

backend
hash-type consistent
balance hdr("X-Filename")

In addition, I only want the filename.suffix taken into account for the consistent hashing, nothing else, especially NOT the Host header.

So basically the question is, how do I add the header with the filename?

Thanks in advance

Sascha

Posts: 1

Participants: 1


AWS Haproxy NAT Instance (Outbound)


@itcanvas wrote:

Currently working on using my current Haproxy server as a single outbound IP address. Currently it is only used as an inbound load balancer. I am set up in AWS, three subnets (different AZs), and those same servers it is listening to balance to, I would like to route traffic back out of the HA server so only a single static IP address would need to be whitelisted.

I have been reading on TPROXY, but would this resolve the NAT needs for outbound traffic? Thanks for any assistance!

Below is my config and I am running HA 1.5.12 -

==============
global
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
#log loghost local0 info
maxconn 4096
daemon

defaults
log global
option dontlognull
retries 3
option redispatch
maxconn 40096
timeout connect 5000
timeout client 240000
timeout server 240000
option http-server-close
option log-health-checks

listen httpproxy 0.0.0.0:80
mode http
option forwardfor
option httplog

# STATS

stats enable
stats hide-version
stats scope .
stats uri /haproxyadmin?stats
stats realm Proxy\ Statistics
stats auth admin:haproxy!canvas

# HEALTH CHECKS

option httpchk GET /someindex.html HTTP/1.1\r\nHost:\ site.site.com
http-check expect ! rstatus ^5 # Accept all 2XX and 3XX errors considering 5XX errors to fail health.
default-server inter 3s fall 3 rise 2

server hostname.com 10.0.1.2:80 check
server hostname.com 10.0.2.2:80 check
server hostname.com 10.0.3.2:80 check
tcp-request content reject if { src -f  /etc/haproxy/blocked.lst }

listen httpsproxy 0.0.0.0:443
mode tcp
option ssl-hello-chk
option tcplog
balance leastconn

# HEALTH CHECKS

option httpchk GET /someindex.html HTTP/1.1\r\nHost:\ site.site.com
http-check expect ! rstatus ^5 # Accept all 2XX and 3XX errors considering 5XX errors to fail health.
default-server inter 3s fall 3 rise 2

server hostname.com 10.0.1.2:443 send-proxy check
server hostname.com 10.0.2.2:443 send-proxy check
server hostname.com 10.0.3.2:443 send-proxy check
tcp-request content reject if { src -f  /etc/haproxy/blocked.lst }

==============

Posts: 1

Participants: 1


TLS ServerName extension during ssl-hello-chk


@jnitecki wrote:

Hello,

My backend server requires servername extension to be included during ClientHello message. I'm using transparent load balancing via HAProxy and it works, but health checks can run only in tcp mode. Enabling ssl-hello-check fails as no server name extension is provided and server closes connection without responding with ServerHello.

Following OpenSSL commands can be used to illustrate what I need:
openssl s_client -servername x.y.z -connect a.b.c.d:443 WORKS
openssl s_client -connect a.b.c.d:443 FAILS HANDSHAKE identically to HAProxy ssl-hello-check

What option shall I use in HAProxy to make it work? I'm using version 1.5.14

Jan

Posts: 1

Participants: 1


Http to https jumps to another server using https passthrough


@joet2509 wrote:

Hi,

I have an issue with our haproxy setup: cookie persistence works for http, but when the site switches to https the user hits another server. We are using https passthrough as we have certificates installed on the servers and don't want encrypted traffic on our network.
Config is below:

frontend http-in
mode http
bind 192.168.1.159:80
reqadd X-Forwarded-Proto:\ http
default_backend http

frontend https-in
mode tcp
option tcplog
bind 192.168.1.159:443
capture cookie ASP.NET_SessionId len 32
default_backend https

#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
backend static
balance roundrobin
server static 127.0.0.1:4331 check

#---------------------------------------------------------------------
# Least connections balancing between the various backends
#--------------------------------------------------------------------

backend http
balance leastconn
option forwardfor
stick-table type ip size 20k expire 30m
cookie SITEID insert indirect nocache
server server1 x.x.x.x:80 weight 25 cookie server1 check
server server2 x.x.x.x:80 weight 25 cookie server2 check

backend https
mode tcp
option tcplog
stick-table type ip size 200k expire 30m
stick on src
server server1 x.x.x.x:443 check
server server2 x.x.x.x:443 check

Posts: 1

Participants: 1



Two WebServer with different Files?


@OpenProxy wrote:

Hello Guys

I have a little question. Now I have 2 webservers: web01 with around 100GB disk space (full) and web02 with 50GB.
The problem is, if I add web02 to haproxy, customers sometimes get an error because they don't find file xx on web02 or they don't find file yy on web01. How can I tell haproxy to look for file xx on web02? Or look for file yy on web01?
Thanks for help

Posts: 1

Participants: 1


Haproxy redis communication problem


@g1001p wrote:

Hi dear forum,
I am checking a Redis high availability solution via configuration of master and slave Redis Kubernetes pods and sentinel on top of it. For failover of external client connections, I installed a haproxy pod. I encountered an issue when I started testing the configuration:

Redis is closing forwarding connections from HAPROXY - client reporting error

Error: Server closed the connection.

BTW: if Redis is configured with an empty password, the connection is passing OK.

I appreciate any idea and advice.
My HA proxy cfg file has the following entries:

global
daemon
maxconn 500

defaults
mode http
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms

frontend rotatingproxies
bind *:3000
default_backend rotateproxy
option http_proxy
option http-use-proxy-header

backend rotateproxy
option http_proxy
server proxyserver user:pass@domain.com:9999
server proxyserver user:pass@domain.com:9999
balance roundrobin

Posts: 1

Participants: 1


1.6.9 - Not starting on System startup


@WScott66 wrote:

I have HAProxy version 1.6.9 installed on 2 VMs which are using keepalived to provide fault tolerance/redundancy.
Everything functions correctly except I cannot bounce a node without having to manually start HAProxy.

I have read in multiple places that there is a file /etc/default/haproxy, but this file does not exist on my install using CentOS 7 (EPEL).

Can anyone assist with how I can get the service to start automatically?

Thank you!
Bill S.

Posts: 1

Participants: 1


Digit right after regex reference? \1123


@Marc wrote:

Hi,

I want to replace a domain by a specific IP address inside the response from backend.

How can I set a digit right after the \1 reference?

rspirep ^Location:\ (https?://)?www.domain.de(.*) Location:\ \1123.45.67.89\2

My suggestions \01123.45 and \g{1}123.45 seem not to work...

Thank You,
Marc

Posts: 1

Participants: 1


SSL handshake failure with rdp clients


@Elia wrote:

Hello

I have problems to configure haproxy correctly to use it as "rdp broker".

Use case:
We have several Windows 7 virtual machines. No terminal services are installed, so that only one rdp connection at the same time per virtual machine is allowed. The virtual machines are divided in several pools/groups. A user should be able to connect to a pool via windows remote desktop client. A free virtual machine in this pool should be automatically chosen for the user. Stickiness is not required.

To achieve this, I tried the following:

DNS-Records like "pool1.foo.bar.com", "pool2.foo.bar.com", etc. pointing to a haproxy server.
A haproxy frontend is listening on port 3389. Newer versions of Microsoft's remote desktop client should use SSL to protect the rdp session. The frontend should use the ssl sni to choose a backend. I wrote the following config:

frontend rdpbroker
    mode tcp
    option tcplog
    option clitcpka
    log global
    timeout client 1h
    bind :3389 ssl crt /etc/ssl/foo.bar.com.pem #Same result, when enable this: crt-ignore-err all verify none    
    tcp-request content accept if { req_ssl_hello_type 1 }

    #Same result when enable or disable this:
    #tcp-request inspect-delay 5s
    #tcp-request content accept if RDP_COOKIE

    acl pool1_sni req_ssl_sni -i pool1.foo.bar.com
    acl pool2_sni req_ssl_sni -i pool2.foo.bar.com

    use_backend pool1_bkd if pool1_sni
    use_backend pool2_bkd if pool2_sni
    #default_backend pool1_bkd

backend pool1_bkd
    mode tcp
    option tcplog
    option tcp-check
    log global
    timeout server 1h
    timeout connect 4s
    balance leastconn
    server vm1 vm1.foo.bar.com:3389 maxconn 1
    server vm2 vm1.foo.bar.com:3389 maxconn 1

[...]

My problem is, that the windows rdp client and xfreerdp can't connect to any pool{n}.foo.bar.com-Pool. The ssl negotiation fails:
* xfreerdp: ERRCONNECT_SECURITY_NEGO_CONNECT_FAILED [0x2000C]
* windows rdp client: Can not connect to the remote computer
* haproxy log: rdpbroker/1: SSL handshake failure

When I use "openssl s_client" or curl to connect to pool{n}.foo.bar.com:3389, the ssl connection can be established. So openssl and the cert are not generally broken.

I captured the tcp traffic on the haproxy server when a rdp client tries to connect:

client ------ SYN ------> proxy
client <---- SYN ACK ---- proxy
client ------ ACK ------> proxy
client -- TPKT v3, COTP-Package with RDP cookie --> proxy
client <---- FIN ACK ---- proxy
client ---- FIN ACK ----> proxy
client <------ FIN ------ proxy

The haproxy tears down the tcp connection after the first TPKT package arrived. I don't know why this happens. Is something wrong in my considerations or the configuration?

Update:
I'm using HA-Proxy version 1.5.14 2015/07/02 and HA-Proxy version 1.6.3 2015/12/25

p.s. The following config works, but I can not determine a pool this way:

    frontend rdpbroker
        mode tcp
        option tcplog
        option clitcpka
        log global
        timeout client 1h
        bind :3389
        tcp-request inspect-delay 5s
        tcp-request content accept if RDP_COOKIE
        default_backend pool1_bkd
    backend pool1_bkd
    [...]

Thank you for your help,
Elia

Posts: 1

Participants: 1


From which version is ssl client certificate information in http headers available?


@lists.dg wrote:

Hi everyone,

I am using haproxy 1.5.4 and haproxy 1.5.14 and I would like to know from which version the capability of inserting client certificate information in HTTP headers and forwarding them to the backend is available.

Do my versions permit forwarding the following certificate information?:

http-request set-header X-SSL %[ssl_fc]
http-request set-header X-SSL-Session_ID %[ssl_fc_session_id,hex]
http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]
http-request set-header X-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
http-request set-header X-SSL-Client-NotAfter %{+Q}[ssl_c_notafter]

Thanks in advance,
Daniel

Posts: 1

Participants: 1


Websocket and map-based hash-type


@dtorgo wrote:

We have a service which has hashing built into it. This adds a lot of complexity to the service code and we would like to simplify the design. One thought that we had is to move the hash map to haproxy and then the service can simply handle requests that come to it. The complication is that the client communicates with this service via websockets.

What I want to do is use a map-based hash-type to distribute the load across the servers that are "UP". This is fairly easy to do. The question that I have is that when a server status changes we want to re-distribute the existing websockets. Is there a way to terminate existing websockets when a hash-map changes so that clients re-establish the websocket to the new correct hash map?

EDIT:
I should add that one thing that we are considering is having an external shell script using the stats socket to check to see if the server config changes (add/remove server to backend OR server status changes UP/DOWN). If it detects a change then we could terminate all connections to all of the servers to force all clients to reconnect by issuing a:
shutdown sessions server /

What we are hoping is that we can have haproxy do this internally rather than us doing it. :)

Posts: 1

Participants: 1



Dynamic persistence cookie


@witoldg wrote:

Anyone knows how to send persistence cookie with httponly attribute to everyone but admins? By now I'm using 2 backends, one with httponly, the second without it. But is there another way, such as using variables?

Posts: 1

Participants: 1


Configuring HAProxy to route traffic based on url_param


@Maxsteel wrote:

I am very new to HAProxy. I spent a few hours trying to figure out how to do it but could not get any leads. My requirement is this:

If end point of request is "/special" then I need to check URL_PARAM.

For example: localhost/special?id=10 Based on ID, I need to route it to one of the 3 servers. If id <=3 server1, if id > 3 and id <=6 server2 else server3.

If end point is not /special round robin between all 3 servers.

How do I achieve this? Is it even possible?

Posts: 1

Participants: 1


64 bit number comparison with urlp_val


@Maxsteel wrote:

I want to check url value in a range like this: "456304162255302657" to "456316501914435584" and so on. The numbers are within the range of 64 bit integer, yet the urlp_val comparison doesn't work here. Why is that?

Posts: 1

Participants: 1


Checking files for Health Check on multiple servers


@philipcowgill wrote:

Currently I'm using HAProxy to route traffic through four different servers that offer the same service but are located on different physical boxes. I'm wanting to set up a healthcheck that goes against each individual server with the goal of stopping traffic getting routed when it fails to find a file. Everything that I have read online only shows that you can check against one server though, for example:

option httpchk GET http://service.com/healthcheck

server server1.service.com 192.168.0.101:80
server server2.service.com 192.168.0.102:80

Is there a way to have the httpchk to do this?

option httpchk GET http://server1.com/healthcheck

server server1.service.com 192.168.0.101:80

option httpchk GET http://server2.com/healthcheck

server server2.service.com 192.168.0.101:80

Posts: 2

Participants: 2


Do I Really Need haproxy If I Already Have keepalived?


@forbin wrote:

Folks, please forgive the ignorant question. We currently run ldirectord with 1800 virtual services: roughly 1200 tomcats, 500 MySQLs, 26 terminal servers, and some other miscellaneous stuff. We are considering switching to a new load balancer technology. Lots of people like keepalived, and many people say their load balancers are using both keepalived and haproxy. However, I don't understand why haproxy is necessary, since keepalived seems to have everything we need. What is the benefit of running haproxy with keepalived?

Posts: 1

Participants: 1

