Channel: HAProxy community - Latest topics

Restart HAProxy with Puppet managed installation


@moscardo wrote:

Hi,
I am managing my HAProxy configuration through a Puppet module, and it seems that when there is a modification it sends a Notify[Service], which turns into “systemctl restart haproxy”. I am not sure why they don’t do a reload instead… However, I need to dump the status of the servers before restarting it; let’s say I have 1 node in drain: after the restart, without saving the state, this node will come back online.
Any suggestions? Is it safe to do a restart when changing a configuration?

Here is the systemd file in case someone can help:

[Unit]
Description=HAProxy Load Balancer
After=network.target

[Service]
Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid"
EnvironmentFile=-/etc/sysconfig/haproxy
ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q
ExecStart=/usr/sbin/haproxy -Ws -f $CONFIG -p $PIDFILE $OPTIONS
ExecReload=/usr/sbin/haproxy -f $CONFIG -c -q
ExecReload=/etc/haproxy/server-state/update-servers-status.sh
ExecReload=/bin/kill -USR2 $MAINPID
KillMode=mixed
Type=notify

[Install]
WantedBy=multi-user.target

Posts: 1

Participants: 1



Calling an url if the active server is down


@sali wrote:

Hello,

Are there any options to call a URL (http) from the ha-proxy config once it detects that the active server is down and before it starts serving the backup servers? For example, I’m playing with the following config. The frontend is at 8085. LS1/GS1 are the active servers, and once they are down it will start serving LS2/GS2. What I need is to call a URL once haproxy detects that LS1 is down.

defaults
    log     global
    mode    tcp
    option  tcplog
    option  dontlognull
    timeout connect 20s 
    timeout client  20s
    timeout server  20s
    
listen stats
    bind 127.0.0.1:8084
    mode http
    log global
    stats enable
    stats realm Haproxy\ Statistics
    stats uri /

listen LS
    bind 127.0.0.1:8085
    balance roundrobin
    option clitcpka
    option  tcplog
    option  dontlognull
    server LS1 127.0.0.1:20001 check inter 2s fall 2 rise 99999999
    server LS2 127.0.0.1:20011 check inter 2s backup

listen GS
    bind 127.0.0.1:8086
    balance roundrobin
    option clitcpka
    option  tcplog
    option  dontlognull
    server GS1 127.0.0.1:20006 check inter 2s fall 2 rise 99999999
    server GS2 127.0.0.1:20016 check inter 2s backup

Posts: 1

Participants: 1


Strip port in host header


@jazzl0ver wrote:

Hi. What is the correct way to strip the port number from the host header? I have an acl:
acl srv_all hdr_end(host) -i mydomain.com

It obviously fails when the host header contains a port number. Thanks in advance!

Posts: 11

Participants: 3


Random TCP Connection Failures


@HaUser17 wrote:

Problem: I have two HA Proxy servers. One of them works fine with TCP pass-through traffic but the other will randomly fail ~1% of connections. The configuration is identical on both servers.

I would like to know if there is some setting I am missing that is causing the problem. Could it be the different CentOS versions?

The failure causes a .NET application to throw the following exception: “System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. —> System.ComponentModel.Win32Exception: The message or signature supplied for verification has been altered”

HA Proxy is set up to pass through the TCP requests to a series of appliances. The requests use TLS. The back-end round-robins between them; however, even with just a single appliance it has the failures.

Working version:
CentOS Linux release 7.6.1810 (Core)
rh-haproxy18-haproxy-1.8.17-1.el7.x86_64

Error version:
CentOS Linux release 7.7.1908 (Core)
rh-haproxy18-haproxy-1.8.17-1.el7.x86_64

Thanks.

Posts: 1

Participants: 1


Is Haproxy 2.0 default maxconn still enforced?


@m-a.leclercq wrote:

Hi everyone!

Quick question:
The facts:
We are running haproxy 1.8 for the moment and are thinking of upgrading to Haproxy 2.0.7, but something is bugging me regarding the default maxconn.

haproxy -vv for 1.8 does display defaults : maxconn = 2000;
however, for haproxy 2.0.7 there is no default for maxconn.

We are migrating from 1.8 with nbproc 3, a global maxconn of 1024 and no other explicit maxconn setting in haproxy.cfg, to 2.0.7 with no nbproc setting and a maxconn of 4000 to compensate for the loss of 2 processes.

My question is the following: assuming I don’t want to limit any of my frontend/backend maxconn, is setting maxconn globally to 4000 enough for frontends and backends to inherit this setting, or is the default maxconn = 2000 still present even though it is no longer reported by haproxy -vv?

If this is still the case, that means I need to explicitly set maxconn to 4000 for every backend/frontend, and it would make my configuration file quite redundant.

Willy’s comment at the bottom of this official blog post is a little bit confusing to me with the release of Haproxy 2.0.

Thank you for your help !

Posts: 1

Participants: 1


Stick table not working


@mario.almeida wrote:

In the frontend:

stick-table type ip size 2m expire 10m store http_req_rate(10m)
http-request track-sc0 src

and when I view the table it is empty.

echo "show table https-g9" | socat UNIX:/var/lib/haproxy/stats -
# table: https-g9, type: ip, size:102400, used:0

What am I doing wrong?

Posts: 1

Participants: 1


Incorrect logging


@KenynMacCormik wrote:

Greetings,

I’m using a custom log format:

log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"

But for some reason it is not logging disconnection codes in the log:

Oct 25 11:58:19 localhost haproxy[15881]: <private ip>.60.251:38356 [25/Oct/2019:11:52:59.780] web_https_frt~ owa_bck/ex1 0/0/0/12/319945 200 2315 - - ---- 1758/1710/66/34/0 0/0 {<private domain>|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KH|||} {|Microsoft-IIS/10.0} "GET /owa/ev.owa2?ns=PendingRequest&ev=PendingNotificationRequest&UA=0&cid=ee488c90-933b-4b5b-9236-a3acc10282c7&brwnm=chrome&X-OWA-CANARY=B7XX2fz6T0-f1FFx7VhB7ODgzLwoWdcI4607ybEBsDJNQfQCDyYxGSG7fQ6ceiRi_qe6llRe6JI.&n=f1 HTTP/1.1"
Oct 25 11:59:58 localhost haproxy[16881]: <private ip>.60.251:50943 [25/Oct/2019:11:59:47.818] web_https_frt~ owa_bck/ex1 0/0/1/12/10698 200 1626 - - ---- 1491/1463/66/34/0 0/0 {<private domain>|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KH|||} {|Microsoft-IIS/10.0} "GET /owa/ev.owa2?ns=PendingRequest&ev=PendingNotificationRequest&UA=0&cid=2b754478-27b7-4008-a61b-d202d618d5f7&brwnm=chrome&X-OWA-CANARY=nbzWx4xi4Uq0nUtHm8_PJsDzB7ApWdcIbeOx8S1t43EHea-YJ6zqIcmeVZrkWBZcgeg47SP4E60.&n=mz HTTP/1.1"
Oct 25 12:04:59 localhost haproxy[16881]: <private ip>.60.251:55525 [25/Oct/2019:11:59:48.654] web_https_frt~ owa_bck/ex2 0/0/0/7/310385 200 2432 - - ---- 1763/1723/64/33/0 0/0 {<private domain>|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KH|||} {|Microsoft-IIS/10.0} "GET /owa/ev.owa2?ns=PendingRequest&ev=PendingNotificationRequest&UA=0&cid=6215e237-c13f-455f-9a23-e1a88e837b36&brwnm=chrome&X-OWA-CANARY=NRwD0uFJqE2lKGsD_MaZ_QCigrApWdcIhHZfDv1MXzQW4els1Cbg2rtltRgkRtE5Mg2Gd1TTIGw.&n=3s HTTP/1.1"

Any ideas?

Posts: 1

Participants: 1


HAProxy 2.07 problems with Exchange Server 2016 and Outlook


@nlindq wrote:

I’ve been working on setting up HAProxy as a Layer 7 NLB for our Microsoft Exchange 2016 cluster to replace a DNS round-robin (for internal) + firewall random DNAT (external) configuration.

Using CentOS 7, I opted to install the latest available RPM version from the IUS yum repository, which turned out to be HAProxy version 2.07.

Relying on a number of different HOWTO and blog articles, I created a configuration which seemed to be well supported (though based on pre-2.0 versions of HAProxy), using http mode and frontend acls to route traffic to individual backends for each Exchange service with backend health checks for each.

Using local hosts file overrides, I was able to test some clients and determined that everything was working well (OWA, ECP, ActiveSync, etc.) with the exception of Outlook clients, which couldn’t seem to authenticate and kept prompting for credentials or claiming the server was unavailable.

I set up a Layer 4 tcp mode configuration as a test, and everything worked perfectly including Outlook, so I figured the issue was related to something I’d missed with the http configuration.

After perusing Discourse for a bit, I added:

option accept-invalid-http-request to the frontend configuration, and
no option http-use-htx to the default configuration.

That seemed to work; the test Outlook clients were now able to authenticate and no more errors or server disconnects were evident.

I updated the internal DNS to point to the HAProxy NLB rather than the Exchange servers directly, and at first everything seemed to be working perfectly.

However, after an hour or so, as more and more clients switched over to the NLB (DNS propagation delays), all Outlook clients started receiving “diconnected from server” warnings. Restarting Outlook on any given workstation would result in a successful connection and an immediate burst of receiving/sending queued mail to/from the server, after which the server would show as disconnected once again.

I was unable to see any error messages in the haproxy.log, but figured there might be issues with connection limits, so I bumped up maxconn quite a bit but it didn’t help.

I switched back to my tcp mode configuration, and despite much lower maxconn settings everything is working flawlessly with no client issues reported.

How can I diagnose my http mode configuration for 2.07? Any help would be appreciated.

I have not messed with my system ulimit, as haproxy -vv indicates epoll is supported. I’ve checked SELinux and it’s not currently running in enforcing mode. Firewall logging shows nothing unexpectedly blocked.

I’ve considered trying a 1.8.x install as a diagnostic step, but wanted to check in here first as I expect I’m still missing something.

Posts: 1

Participants: 1



Haproxy acl to block ips and host header


@aka wrote:

Hi guys,
I can’t get the following acls to work as intended.

acl src1 src xx.xx.xx.xx/xx
acl src1 src yy.yy.yy.yy/yy
acl admin hdr_beg(host) -i admin
acl adminservice hdr_beg(host) -i adminservice

http-request deny if !src1 !adminservice admin

What I am trying to do is to block access to admin.domainname.com from IPs other than the src1 IPs.
But the result I am getting is that I have access to admin.domainname.com after refreshing the page a few times. First it gives a 403 error, but if I keep hitting refresh I am able to access the URL.

Is the order of the conditions in the action wrong? Could you please tell me what the result will be based on the above configuration?

Thanks,
aka

Posts: 1

Participants: 1


Proxy is disabled


@mario.almeida wrote:

If I try to execute any change related command such as enable/disable/set I get message saying “Proxy is disabled.”

Do I have to enable any parameter for this?

Posts: 1

Participants: 1


Sticky sessions from IP:Port?


@quade wrote:

Hi, we use haproxy with round robin on a few servers, which works amazingly well.
However, now we need to use it for TCP sessions from different ports.

Basically, GPS IoT devices create connections to our server via TCP.
When I run a netstat, I see lots of devices sending data from the same IP address but different ports;
here is a snapshot:
TCP myServerIp:9001 141.86.25.16:60046 ESTABLISHED
TCP myServerIp:9001 141.86.25.16:62084 ESTABLISHED
These are not the same device; they are using a mobile/cell network with the same IP but different ports.

So I would need a configuration for HA proxy to route to different servers based on IP and PORT.
All the examples I’ve seen so far just use IP, which would not work well for me as it would batch a bunch of devices to the same server.
I guess it would work, but it may overload one server and underload another (if that makes sense).

Something else I’m not sure about: some devices also send data using UDP, and these would also need to be routed to the same server; not sure if this would work or if I would just have to route all UDP devices to 1 server.

Any feedback, pointers and help appreciated
Thanks
Mark

Posts: 1

Participants: 1


Load balancing video streams


@dragec wrote:

Hi.

I want to set up haproxy which would load balance video streams. For example, backend endpoints are:

http://someserver/video/stream1.ts
http://otherserver/stream/stream1.ts

The questions are:
Is this even possible? Since I have no classic http response, how will I know when the backend server is down?

This works (backend section):

server someserver someserver:80 redir http://someserver/video/stream1.ts check
server otherserver otherserver:80 redir http://otherserver/stream/stream1.ts check

Frontend:

acl is_iptv path_end .ts
use_backend iptv if is_iptv

But:
How will haproxy know that one of the servers is down, since there is no http response, but a video stream?

Also, I guess because I use “redir”, haproxy just redirects the client to the first backend server and doesn’t know what is happening. It will always send all clients to the first server?

Anyway, is there any example of how to deal with load balancing such backends (video streaming servers)? Should I even use http, or tcp?

In an ideal scenario, I would like the client who is connecting to the frontend .ts to not even notice a break in the video stream when one of the backend .ts servers goes down.

Best regards,
Dragan

Posts: 1

Participants: 1


Server timeout past 60 seconds?


@lowmips wrote:

I have a backend with long-running PHP scripts. Anything above 60s results in a 504 error.

HAProxy v1.8.15
defaults
mode http
log global
option httplog
option dontlognull
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 15m
timeout queue 1m
timeout connect 10s
timeout client 65s
timeout server 65s
timeout tunnel 65s
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000

I’ve tried tweaking the client/server/tunnel timeouts, starting at 30 seconds and slowly incrementing up to 60 seconds. That works great. Anything above 60 seconds seems to be ignored, and I see a 504 error on the client.

Oct 28 01:48:33 localhost haproxy[34486]: [IP REDACTED]:17279 [28/Oct/2019:01:48:03.929] main~ hc/hc 0/0/2/-1/30005 504 194 - - sH-- 1/1/0/0/0 0/0 “GET /tools/z_scripts/timeout_test.php HTTP/1.1”
Oct 28 01:50:13 localhost haproxy[34610]: [IP REDACTED]:7454 [28/Oct/2019:01:49:28.560] main~ hc/hc 0/0/3/-1/45004 504 194 - - sH-- 3/3/0/0/0 0/0 “GET /tools/z_scripts/timeout_test.php HTTP/1.1”
Oct 28 01:52:22 localhost haproxy[34717]: [IP REDACTED]:3619 [28/Oct/2019:01:51:27.248] main~ hc/hc 0/0/2/-1/55004 504 194 - - sH-- 1/1/0/0/0 0/0 “GET /tools/z_scripts/timeout_test.php HTTP/1.1”
Oct 28 01:54:10 localhost haproxy[34805]: [IP REDACTED]:12123 [28/Oct/2019:01:53:10.755] main~ hc/hc 0/0/3/60059/60062 504 428 - - ---- 1/1/0/1/0 0/0 “GET /tools/z_scripts/timeout_test.php HTTP/1.1”

The first three are from sub-60-second timeout settings; the last one is using 65 seconds.
I’m pulling my hair out here… any ideas?

Posts: 1

Participants: 1

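The log lines in the “Incorrect logging” post above and in this “Server timeout” post share the httplog field layout, and the %tsc termination-state field is what tells a HAProxy-generated timeout (sH, with Tr = -1) apart from a status the backend itself returned (----). What follows is an added example, not code from either post or from HAProxy: a parser and classifier for that line format, run over constructed sample lines modelled on the posts (TEST-NET client addresses, shortened requests); the field names TR/Tw/Tc/Tr/Ta follow the log-format variables of the same names.

```python
import re
from collections import Counter

# Layout of an "option httplog" line (HAProxy docs section 8.2.3); the custom
# log-format in the "Incorrect logging" post follows the same field order.
HTTPLOG_RE = re.compile(r'''
    ^(?:\S+\s+\d+\s+[\d:]+\s+\S+\s+haproxy\[(?P<pid>\d+)\]:\s+)?   # optional syslog prefix
    (?P<client>\S+):(?P<cport>\d+)\s+
    \[(?P<accept>[^\]]+)\]\s+
    (?P<frontend>\S+)\s+(?P<backend>[^/\s]+)/(?P<server>\S+)\s+
    (?P<TR>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Ta>-?\d+)\s+   # timers, ms
    (?P<status>-?\d+)\s+(?P<bytes>\d+)\s+
    \S+\s+\S+\s+(?P<tsc>\S{4})\s+               # request/response cookies, then %tsc
    (?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srvconn>\d+)/(?P<retries>\d+)\s+
    (?P<srvq>\d+)/(?P<beq>\d+)\s+(?:\{[^}]*\}\s+)*   # queues, optional {captured headers}
    "(?P<request>[^"]*)"\s*$''', re.VERBOSE)

INT_FIELDS = {"pid", "cport", "TR", "Tw", "Tc", "Tr", "Ta", "status", "bytes", "actconn", "feconn", "beconn", "srvconn", "retries", "srvq", "beq"}

# %tsc, first char: why the session ended; second char: what it was doing at that moment.
TERM_CAUSE = {
    "-": "normal completion", "C": "client aborted", "S": "server aborted/refused",
    "P": "proxy aborted (policy)", "R": "proxy resource exhausted", "I": "internal error",
    "D": "killed, server marked DOWN", "K": "killed by admin",
    "c": "client-side timeout", "s": "server-side timeout",
}
TERM_STATE = {
    "-": "end of session", "R": "waiting for the client request",
    "Q": "waiting in the backend queue", "C": "waiting for the server connection",
    "H": "waiting for response headers from the server", "D": "transferring data",
    "L": "sending last data to the client", "T": "request tarpitted",
}

def parse_httplog(line: str) -> dict:
    """Split one log line into named fields; timers and counters become ints."""
    m = HTTPLOG_RE.match(line)
    if not m:
        raise ValueError("not an HAProxy httplog line: " + line[:60])
    return {k: int(v) if k in INT_FIELDS and v is not None else v for k, v in m.groupdict().items()}

def classify(entry: dict) -> str:
    """Tell whether the logged status was produced by HAProxy or passed through from the server."""
    cause, state = entry["tsc"][0], entry["tsc"][1]
    if cause == "-":
        return "normal"          # HAProxy did not intervene: the status came from the server
    if cause == "s":             # HAProxy gave up on the server side and emitted the status itself
        return {"H": "haproxy_server_timeout", "C": "haproxy_connect_timeout",
                "Q": "haproxy_queue_timeout"}.get(state, "haproxy_timeout")
    if cause == "c":
        return "haproxy_client_timeout"
    return {"C": "client_abort", "S": "server_abort", "P": "proxy_deny"}.get(cause, "other")

def explain(entry: dict) -> str:
    """Human-readable reading of %tsc plus the timer that matters for it."""
    cause, state = entry["tsc"][0], entry["tsc"][1]
    text = f"{TERM_CAUSE.get(cause, 'unknown cause')}, {TERM_STATE.get(state, 'unknown state')}"
    if entry["Tr"] == -1:        # Tr=-1: no response headers were ever received
        text += f"; no response headers arrived, session lasted {entry['Ta']} ms"
    return f"{entry['status']} {entry['tsc']}: {text}"

def summarize(lines) -> dict:
    """Count classifications over many lines to spot a run of HAProxy-generated timeouts."""
    return dict(Counter(classify(parse_httplog(line)) for line in lines))

# Constructed sample lines (TEST-NET client addresses, shortened query strings)
# modelled on the two posts; they are not the posters' own log lines.
SAMPLE_LINES = [
    # timeout server 30s: HAProxy itself gave up waiting for headers (Tr=-1) and emitted the 504
    'Oct 28 01:48:33 localhost haproxy[34486]: 192.0.2.10:17279 [28/Oct/2019:01:48:03.929] main~ '
    'hc/hc 0/0/2/-1/30005 504 194 - - sH-- 1/1/0/0/0 0/0 "GET /tools/z_scripts/timeout_test.php HTTP/1.1"',
    # timeout server 65s: termination is normal (----), so this 504 was sent by the backend after ~60 s
    'Oct 28 01:54:10 localhost haproxy[34805]: 192.0.2.10:12123 [28/Oct/2019:01:53:10.755] main~ '
    'hc/hc 0/0/3/60059/60062 504 428 - - ---- 1/1/0/1/0 0/0 "GET /tools/z_scripts/timeout_test.php HTTP/1.1"',
    # "Incorrect logging" layout with captured headers; ---- means there was no abnormal disconnection to report
    'Oct 25 11:58:19 localhost haproxy[15881]: 192.0.2.20:38356 [25/Oct/2019:11:52:59.780] web_https_frt~ '
    'owa_bck/ex1 0/0/0/12/319945 200 2315 - - ---- 1758/1710/66/34/0 0/0 {owa.example.test|Mozilla/5.0 '
    '(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KH|||} {|Microsoft-IIS/10.0} "GET /owa/ev.owa2?ns=PendingRequest HTTP/1.1"',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(explain(parse_httplog(line)))
    print(summarize(SAMPLE_LINES))
```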

Behind haproxy cannot logon to e-mail


@bpd wrote:

Hello,

I’d appreciate some help because I’m stuck.
I have a public IP, where behind haproxy I have two servers (VMs):
server1.mydomain.com
nc.mydomain.com

The problem is that I cannot log in to the e-mail on the VMs, nor log in to phpMyAdmin, if I go with the DNS name.
With “192.168.97.50/SoGo/” I can connect to SoGo (and also to phpMyAdmin).
It is as if x does not send data to the VM.

Here is my haproxy.conf:

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL).
    ssl-default-bind-ciphers EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5$
    #ssl-default-bind-options no-sslv3 no-tls-tickets #disable SSLv3
    tune.ssl.default-dh-param 2048 #tune DH to 2048

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

    # I put this in; it was in before as well, but it did not work above
    log 127.0.0.1:514  local0  info
    tune.ssl.default-dh-param 2048

frontend public

    # Listen on port 80
    bind *:80

    # Listen on port 443
    bind *:443 ssl crt /etc/ssl/certs/mydomain.com.pem

    mode http
   # Define ACLs for each domain
    acl server1 hdr(host) -i server1.mydomain.com
    acl nc hdr(host) -i nc.mydomain.com

    # Figure out which backend (= VM) to use
    use_backend server1_server if server1
    use_backend nc_server if nc

backend server1_server

    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    rspadd Strict-Transport-Security:\ max-age=15768000;\ includeSubDomains #enable HSTS header for this backend
    rspadd X-XSS-Protection:\ 1;\ mode=block #enable XSS protection for this backend

    balance leastconn
    option httpclose
    option forwardfor
    cookie JSESSIONID prefix

    # Redirect to server1 VM on port 80
    server server1_server 192.168.97.50:80 cookie A check
    # own: Redirect to server1 VM on port 443 with SSL
    server server1_server 192.168.97.50:443 weight 1 maxconn 100 check ssl verify none
    http-request del-header Authorization

backend nc_server

    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    rspadd Strict-Transport-Security:\ max-age=15768000;\ includeSubDomains #enable HSTS header for this backend
    rspadd X-XSS-Protection:\ 1;\ mode=block #enable XSS protection for this backend

    balance leastconn
    option httpclose
    option forwardfor
    cookie JSESSIONID prefix

    # Redirect to nc (nextcloud) VM on port 443 with SSL
    server srv01 192.168.97.60:80 cookie A check

    # deleted from the end:
    weight 1 maxconn 100 check ssl verify none

My sogo.log:
Oct 28 14:09:46 sogod [3211]: SOGoRootPage Login from ‘192.168.97.1, 192.168.97.10’ for user ‘(null)’ might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
Oct 28 14:09:46 sogod [3211]: 192.168.97.1, 192.168.97.10 “GET /SOGo/connect HTTP/1.1” 403 34/0 0.002 - - 0

Thank you,

Posts: 1

Participants: 1


OpenVPN and multiple HTTPS sites?


@daggr wrote:

(topic withdrawn by author, will be automatically deleted in 24 hours unless flagged)

Posts: 1

Participants: 1



Multiple bind lines, how to check which one?


@GerMalaz wrote:

frontend https

bind *:443 ssl …
server local 127.0.0.1:8080 send-proxy-v2

frontend http
bind *:80
bind 127.0.0.1:8080 accept-proxy

In http, how do I check how the client connected?
Using nginx behind it, setting X-Forwarded-Proto (and Forwarded when available).

frontend https sets them.
I want to kill them if the client is connecting via http but is setting the header(s).

Thanks in advance,
Gerardo

Posts: 1

Participants: 1


Nginx Web Server/Proxy Reverse under HAProxy for load balancer


@Juan wrote:

Hi, our team is facing a new challenge: to use Nginx Web Server/reverse proxy under HA Proxy for load balancing. The Nginx reverse proxy will be for multiple endpoints. (…remember this last statement :confused: )

For now, we’ve done http/https clients with the Nginx web server/reverse proxy. Everything runs OK! But the project required distributing 3 instances. So, at this point our friend HA Proxy appears. The first thing we did was to check all the official info and also the Infrastructure Layouts Involving TLS with HAP:
SSL/TLS pass-through
SSL/TLS bridging or re-encryption
SSL/TLS offloading
SSL/TLS encryption
Source: https://www.haproxy.com/documentation/haproxy/deployment-guides/tls-infrastructure/
By the way, we used to set up services in the classic way: Nginx Proxy -> multiple endpoints

One point of view for the setup is to use “proxy to proxy” (exactly as the customer is requiring :confused: ). It sounds weird. Is this kind of case used in the “real world”? I’m not a guru, but it doesn’t make any sense to me. But I could be wrong.
The second point of view is to let HAPROXY “kick in” for http/https requests from outside to the multiple endpoints and avoid using the nginx proxy. So nginx will be used as a web server for static content.
So, can someone please help me with these 2 points of view? Which could be right or wrong? Beyond the point of view, which layout involving TLS could be recommended in this scenario? For me it makes sense to mix layouts depending on what each endpoint requires.

Thanks!
JM

Posts: 1

Participants: 1


Implementing Openvpn + haproxy or stunnel?


@Actionhenk wrote:

Hi, I’m a bit confused regarding the use of haproxy with openvpn and/or stunnel and openvpn. I was reading up on using stunnel with openvpn. Then I found a few articles about haproxy doing the same thing as stunnel?

My goal is to tunnel openvpn through an SSL tunnel so traffic looks as close to https as possible. Is haproxy able to do the same as stunnel? If so, how would that work regarding certificates? I am already using haproxy to connect openvpn (I don’t have SSL offloading enabled on this frontend, so no cert)… Does the frontend need SSL offloading enabled to build a tunnel like stunnel?

Thanks!

Posts: 2

Participants: 2


frontEnd definition


@chmod1986 wrote:

Hi,

I have the following haproxy front and back end defined in production; haproxy is currently serving the traffic without any issues.

DNS for the application “lgshipsvc.market.net” is pointed to the IP address of the load balancer.

HAPROXY config:
frontend lgshipsvc
bind *:8083
bind *:8084 ssl crt /etc/haproxy/certs/*marketing.pem ciphers AES+EECDH:AES8+EDH force-tlsv12 no-sslv3
mode http
use_backend lgshipsvc

frontend lgshipsvcnettcp
bind *:808
use_backend lgshipsvcnettcp

backend lgshipsvc
balance roundrobin
option http-server-close
option httpchk GET /service.svc HTTP/1.0\r\nHost:\ lgshipsvc.marketing.net
server prod-market6 XX.XXX.XX.XX:8083 check inter 30s
server prod-market7 XX.XXX.XX.XX:8083 check inter 30s

Question:
How is haproxy serving traffic when the frontend for this application doesn’t have an ACL defined?
(The application is listening on ports 8083/8084/808.)

Posts: 2

Participants: 1

