
Subdirectory frontend to root backend

@thetimetolearn wrote:

Hello

I’m looking for some help with figuring out the best way to handle routing URLs with subdirectories to applications hosted on the root of a webserver.

Say I have URL domainx.com/path1, I want users to be sent to an application on server web2 that is running an application in the root of tomcat.

If I use the below config it will send users to that tomcat server, but it will direct users to 192.168.0.51:8080/path1, not 192.168.0.51:8080. If I move the application to 192.168.0.51:8080/path1 this will work. But what if the application can't be renamed or relocated? What is the best way to accomplish this?

Thanks for any help in advance!

acl url_domainx.com hdr(host) -i domainx.com
acl url_domainx.com-path1 path_beg -i /path1

# the /path1 rule must come first and point at the path1 backend, otherwise it is shadowed by the host-only rule
use_backend domainx.com-path1 if url_domainx.com-path1 url_domainx.com
use_backend domainx.com if url_domainx.com

backend domainx.com
    server web1 192.168.0.50:8080 check

backend domainx.com-path1
    server web2 192.168.0.51:8080 check

Posts: 1

Participants: 1

Read full topic


Ha proxy as reverse proxy as WA for tlsv1.2->tlsv1

@yuriy.tigiev wrote:

Hello,

I'm looking for a haproxy configuration which will allow me to implement the scheme below.

client --(https tlsv1.2)--> haproxy --(https tlsv1)--> legacy server

The current configuration doesn’t work. I hope someone will help me update it for my requirements.

global
log 127.0.0.1 local2
tune.ssl.default-dh-param 2048

defaults
log global
option httplog

timeout connect 10s
timeout client 30s
timeout server 30s
maxconn 1000

frontend https-frontend
mode http
option forwardfor
bind *:8899 ssl crt /root/cert/rootcert.pem
default_backend https-backend

backend https-backend
balance source
mode http
option forwardfor header X-Client
server endpoint 172.30.129.207:8443 check ssl verify none

Posts: 2

Participants: 2

Read full topic

HAProxy SNAT example

@senattcs wrote:

Do we need any special setup to support SNAT in HAProxy and can someone share sample example or link to documentation on this please?

Posts: 2

Participants: 2

Read full topic

New to HAProxy, could anyone help please :(

@deanlongstaff wrote:

Hi,

I will explain my setup, I have a few things on my backend:

  • Apache Server with multiple virtual hosts on it (wordpress sites)
  • Wiki Server (bookstack)
  • Ticketing system
  • Mail server webui
  • UniFi controller (although not sure if this likes reverse proxys)

I need HAProxy to direct traffic to the right server based on the URL. I got this working using ACLs and two test sites that I set up. But as soon as I tried HTTPS it all went wrong. It would just keep throwing 503 errors etc.

Is there a way just for it to forward traffic to the server and get the SSL from the server if there is one? Or does it all have to be done by reverse proxy?

I will be forever grateful if someone can help me as this is really slowing me down.

Posts: 1

Participants: 1

Read full topic

Clarification on HAProxy Connection Pooling

@tcprbs wrote:

Hi,

I was doing some experiments with HAProxy 2.0 with pool-max-conn and pool-purge-delay options for connection pooling.

Usage:

I have an application making external calls to some backend. I am evaluating using HAProxy between the application and the vendor so that HAProxy would manage connection pool with the backend.

The setup would be: HAProxy would perform SSL connection verification on the backend as part of connection establishment and maintain a connection pool with the backend. The backend does not have TLS SNI extension enabled.

Config:


# Removed log related config for brevity and actual backend addresses. 

global

  stats socket /var/run/haproxy.sock
  ca-base /etc/ssl/certs

defaults
  mode  http
  timeout connect 5s
  timeout client  10s
  timeout server 10s
  timeout http-keep-alive 100s
  option redispatch
  option prefer-last-server
  option http-keep-alive
  retries 3
  compression algo gzip
  timeout http-request 10s

frontend http_internal
  bind *:80 name http_internal

  # stats
  stats enable
  stats uri  /stats
  stats refresh 5s

  acl haproxy_stats url_beg /stats
  use_backend bk_haproxy_stats if haproxy_stats

  acl host_example hdr(host) -i example.com
  use_backend bk_test if host_example

  default_backend bk_test


backend bk_test
  mode http
  http-reuse aggressive # tried different values {safe, aggressive, always}
  server server-1 example.com:443 ssl verify required ca-file ca-certificates.crt pool-max-conn -1 pool-purge-delay 200s 

Observations:

As described in https://www.haproxy.com/blog/haproxy-1-9-has-arrived/#connection-management, if connection between application and HAProxy closes, it should not affect connection between HAProxy and backend server.

I tested by giving a series of requests (20,30,40 etc) via curl to the HAProxy with a gap between each request. I noticed that it does not always reuse the backend connection and creates a new connection again. Each request is from a new curl process.

One such run’s output (total of 40 requests):


Got this data by running packet capture and Lua script:

The "Connection" below is each unique connection between HAProxy and Backend server (identified by the 4-tuple of {IP, port}) and number of times it got used for requests. 

First 2 connections got used 7 times (**not for consecutive requests** though)

Connection -> Number of times used.

Connection 1 -> 7  # used 7 times. 
Connection 2 -> 7
Connection 3 -> 1  # used 1 time and closed. 
Connection 4 -> 1
Connection 5 -> 1
Connection 6 -> 1
Connection 7 -> 1
Connection 8 -> 1
Connection 9 -> 1
Connection 10 -> 1
Connection 11 -> 1
Connection 12 -> 1
Connection 13 -> 1
Connection 14 -> 1
Connection 15 -> 1
Connection 16 -> 1
Connection 17 -> 1
Connection 18 -> 1
Connection 19 -> 1
Connection 20 -> 1
Connection 21 -> 1
Connection 22 -> 1
Connection 23 -> 1
Connection 24 -> 1
Connection 25 -> 1
Connection 26 -> 1
Connection 27 -> 1
Connection 28 -> 1

My understanding is that it should not create a new connection for every new request to HAProxy and should use the connections in the pool. The backend server's response has "Connection: Keep-alive" too.

After the tests, when I ran ss command, it showed only the first 2 connections in ESTABLISHED mode. Also in packet capture, I notice that HAProxy is sending RST to the backend after the response for the other connections except the initial 2 connections.

Is this expected or am I missing anything?

Thanks.

Posts: 1

Participants: 1

Read full topic

Status code 200 in HAProxy error log

@Tim wrote:

Hello there,
I’m a bit confused with Haproxy logging. I found below line at the haproxy-status.log (error log). I wonder why status code is 200 and termination code is CD–?

I don’t know if client get the request sucessful with status code 200 or it terminate the connection before completely get the response (CD–).

I’m stuck with this for a while, appriciated help to clarify this

Jan 15 11:45:29 localhost haproxy[32117]: 113.23.43.43:23094 [15/Jan/2020:11:45:15.544] api_xxx api_xxx/api2-8900 0/0/0/13689/13689 200 5720 - - CD– 598/44/43/14/0 0/0 {xxx} “GET /cashflows?xxx HTTP/1.1” 71172B2B:5A36_C0A86434:1F91_5E1E98DB_CBBFDB:7D7

Posts: 3

Participants: 2

Read full topic
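To make the log line above readable, here is an added Python example (not code from the post or from HAProxy) that parses an `option httplog` line into its named fields and decodes the 4-character termination state; the field layout and the state tables follow the HAProxy configuration manual's log-format and "session state at disconnection" sections, and the sample line is the one quoted in the post.

```python
"""Parse an HAProxy 'option httplog' line and decode its termination state.

Added example, not code from the post or from HAProxy.  The timers are
TR/Tw/Tc/Tr/Ta as emitted by 'option httplog'; the termination-state tables
paraphrase the manual's description of the first two characters.
"""
import re

# search() skips any syslog prefix; the match begins at the client address.
HTTPLOG_RE = re.compile(
    r'(?P<client_ip>[0-9a-fA-F.:]+):(?P<client_port>\d+) '
    r'\[(?P<accept_date>[^\]]+)\] '
    r'(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<TR>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Ta>-?\d+) '
    r'(?P<status>-?\d+) (?P<bytes_read>\d+) '
    r'(?P<req_cookie>\S+) (?P<res_cookie>\S+) '
    r'(?P<term_state>\S{4}) '
    r'(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srv_conn>\d+)/(?P<retries>\d+) '
    r'(?P<srv_queue>\d+)/(?P<backend_queue>\d+) '
    r'(?P<captures>(?:\{[^}]*\} )*)'
    r'"(?P<request>[^"]*)"'
    r'(?: (?P<trailer>.*))?$'
)

# First character: what caused the session to end.
TERM_CAUSE = {
    '-': 'normal session completion',
    'C': 'TCP session unexpectedly aborted by the client',
    'S': 'TCP session aborted or refused by the server',
    'P': 'session prematurely aborted by the proxy (limit, invalid message, rule)',
    'L': 'request handled locally by the proxy (redirect, stats, errorfile)',
    'R': 'a resource on the proxy was exhausted',
    'I': 'internal error in the proxy',
    'D': 'session killed because the server was detected as DOWN',
    'U': 'session killed because a backup server came back UP',
    'K': 'session actively killed by an administrator',
    'c': 'client-side timeout expired',
    's': 'server-side timeout expired',
}

# Second character: what the session was doing when it ended.
TERM_STATE = {
    '-': 'normal end of session',
    'R': 'waiting for a complete, valid REQUEST from the client',
    'Q': 'in a QUEUE waiting for a server connection slot',
    'C': 'waiting for the CONNECTION to the server to establish',
    'H': 'waiting for or processing the response HEADERS from the server',
    'D': 'transferring DATA from the server to the client',
    'L': 'transmitting the LAST data to the client after the server closed',
    'T': 'request was tarpitted',
}

INT_FIELDS = ('client_port', 'TR', 'Tw', 'Tc', 'Tr', 'Ta', 'status',
              'bytes_read', 'actconn', 'feconn', 'beconn', 'srv_conn',
              'retries', 'srv_queue', 'backend_queue')


def parse_httplog(line):
    """Return the log fields as a dict, or raise ValueError for other lines."""
    m = HTTPLOG_RE.search(line.rstrip('\n'))
    if m is None:
        raise ValueError('not an httplog line: %r' % line)
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    # Captured header blocks arrive as '{a} {b} '; keep only their contents.
    rec['captures'] = re.findall(r'\{([^}]*)\}', rec['captures'])
    return rec


def explain_termination(rec):
    """Decode the 4-character termination state of a parsed record."""
    ts = rec['term_state']
    cause = TERM_CAUSE.get(ts[0], 'unknown cause %r' % ts[0])
    state = TERM_STATE.get(ts[1], 'unknown state %r' % ts[1])
    # HAProxy logs the status as soon as it has seen the response headers, so
    # a 200 together with state 'D' means the headers reached the client and
    # the body transfer was cut short; the log does not say how much was lost.
    headers_delivered = ts[1] in ('D', 'L', '-')
    return {'cause': cause, 'state': state,
            'response_headers_delivered': headers_delivered}


# The line quoted in the post (termination state CD--).
SAMPLE = ('Jan 15 11:45:29 localhost haproxy[32117]: 113.23.43.43:23094 '
          '[15/Jan/2020:11:45:15.544] api_xxx api_xxx/api2-8900 '
          '0/0/0/13689/13689 200 5720 - - CD-- 598/44/43/14/0 0/0 {xxx} '
          '"GET /cashflows?xxx HTTP/1.1" '
          '71172B2B:5A36_C0A86434:1F91_5E1E98DB_CBBFDB:7D7')

if __name__ == '__main__':
    record = parse_httplog(SAMPLE)
    verdict = explain_termination(record)
    print('status=%d bytes=%d Ta=%dms term=%s' % (
        record['status'], record['bytes_read'], record['Ta'],
        record['term_state']))
    print('cause :', verdict['cause'])
    print('state :', verdict['state'])
```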


HAProxy behind Hikvision

@samotelf wrote:

Hello.
I’m trying to configure a Hikvision CCTV through HAProxy 2.1.1 version.
I can reach the Hikvision CCTV appliance webserver through HAProxy, and I can browse the webpage and the options fine, however I don’t get Live Video.
Here’s my config:

global
log 127.0.0.1:514 local0
chroot /var/lib/haproxy
stats timeout 30s
user haproxy
group haproxy
daemon

defaults
log global
option httplog
mode http
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000

listen stats
bind *:8080
stats enable # Enable stats page
stats hide-version # Hide HAProxy version
stats uri / # Stats URI
stats realm Haproxy\ Statistics # Title Text for popup window
stats auth contoso:contoso # Authentication Credentials

#####################################################

frontend CCTV_frontend
bind *:120
acl sap01-cctv hdr(host) -i sap01-cctv.contoso.com:120
use_backend CCTV_clu01_backend if sap01-cctv

backend CCTV_clu01_backend
mode http
option forwardfor
server server1 10.107.124.3:120 check

#####################################################

frontend RTSP_frontend
bind *:8554
acl sap01-cctv-rtsp hdr(host) -i sap01-cctv.contoso.com:8554
use_backend RTSP_backend if sap01-cctv-rtsp

backend RTSP_backend
mode http
option forwardfor
server server1 10.107.124.3:8554 check

Can anyone please help me and explain to me why this happens?

Thank you kindly.
Best regards

Posts: 1

Participants: 1

Read full topic

HAProxy with OpenVPN over tcp/443 on pfSense

@daggr wrote:

Hi,

Recently replaced my HAProxy VM with the pfSense HAProxy package instead, and that works fine.
I had OpenVPN on a server before, but now I want to run it in pfSense as well.
The problem is that I want to run OpenVPN over tcp/443 through HAProxy, but I can't get it to work.

Today I've set up a frontend which listens on the WAN address port 80 (type http/https (offloading)) and redirects to HTTPS.
Then a frontend listening on the WAN address port 443 (type http/https (offloading)) with ACLs for different domain names and backends.

I've set OpenVPN to listen on TCP/1194 and a backend accordingly.
I've tried making a shared frontend, but it seems that you can only share the same type (http, tcp and so on).

How should I proceed to configure HAProxy for using tcp/443 to my OpenVPN (on the pfSense machine)?

Thanks!

Posts: 1

Participants: 1

Read full topic

Listen to all the ports

@himala76 wrote:

Hello Everybody

Newbie here. Is there a way to set up haproxy with an IP address without any port list?
I need it like this:
listening for any traffic to 192.168.1.2 and forwarding it to 192.168.1.5 and 192.168.1.10

Thanks in advance

Himala

Posts: 1

Participants: 1

Read full topic

Haproxy http code

@watcher666 wrote:

Hello

My config haproxy.cfg

frontend sait
bind *:7030

acl hdr_sait            hdr_beg(host)   -i sait.ru
acl status_404 status 404
http-response set-header Location https://sait.ru/ErrorPages/404_ru.html if status_404
http-response set-status 302 if status_404

acl status_5xx status 500 502 503 504
http-response set-header Location https://sait.ru/ErrorPages/503.html if status_5xx
http-response set-status 302 if status_5xx

acl path_4 path_beg /ErrorPages/
use_backend bknd_nginx if hdr_sait path_4
use_backend bknd_tomcat if hdr_sait

How can I make sure that the correct HTTP codes 404, 503, 500 are given to the higher-standing server, and not 302?

I've tried it like this so that only nginx does this, but the config test shows a warning:

frontend sait
bind *:7030

acl hdr_sait            hdr_beg(host)   -i sait.ru
acl status_404 status 404
acl status_5xx status 500 502 503 504

use_backend bknd_nginx if hdr_sait status_404
use_backend bknd_nginx if hdr_sait status_5xx
use_backend bknd_tomcat if hdr_sait

acl 'status_404' will never match because it only involves keywords that are incompatible with 'frontend use-backend rule'

Posts: 1

Participants: 1

Read full topic

Sticky sessions based on SOAP contents

@Hein wrote:

Our application has a SOAP API to set up sessions (usually done by an integrating application) that are then consumed by a client. The session is maintained on the server, and the integrating application transfers the session ID to the web browser client, ensuring that a particular client connects to the specific session that was set up for them.
We want to load-balance this with HAProxy. Of course we need sticky sessions, and I have it working with a cookie – so far, so good. But that puts a requirement to the integrating application: it has to transfer that cookie (gotten from the response) to the browser of the client. And since we have a plethora of integrating applications that we do not have control over, we’d rather avoid this.
And we already have the/a session ID: it’s returned by the server, and it’s sent with (almost) every subsequent call from the clients to the server. But that session ID is in the contents of the call, and not in a header or cookie.
I’ve found this article that explains how to parse the request with a Lua script, but that is now outdated because txn.req:dup() doesn’t work anymore. And the HTX class that came in as its replacement does not contain methods to get to the body of the HTTP request.

Is this particular use case now impossible with HAProxy 2.0 and up? Or am I missing something?

Posts: 1

Participants: 1

Read full topic

Performance problem with nbthread

@Vlad wrote:

Hi all,

I need some advice regarding multithreading configuration.

We are using haproxy 2.0.12 on a CentOS8 virtual machine (VMware) with 16 GB of RAM, 4 vCPUs (1 core each) and 1GBPs NIC. This setup has only one frontend (http mode, SSL only) and two backends (http). Currently, the traffic is quite small: we saw maximum up to 400 concurrent connections, with maximal request rate of 42 connections/sec and maximal consumed network bandwidth of 10 MBit/s. But in future we need to handle up to ~5000 concurrent connections, maybe 10000.

And here begins the problem: with the current setup, haproxy consumes up to 35% of CPU power when nbproc 1 and nbthread 4 are set. As soon as I comment out nbthread line and switch to nbproc 4, the CPU load disappears completely: maximum 2% of all 4 CPU’s power is used by haproxy.

I would leave it “as is” with nbproc, but it causes some problems with “independent” stick tables, dedicated stats page for each process etc… So I definitely need to use multithreading.

Here is our config:

global
    maxconn         10000
    stats socket    /var/run/haproxy.stat mode 600 level admin
    log             127.0.0.1:514 local2
    chroot          /var/empty
    pidfile         /var/run/haproxy.pid
    user            haproxy
    group           haproxy
    ssl-default-bind-options no-tlsv13
    ssl-default-bind-ciphers 'HIGH:!aNULL:!MD5'
    tune.ssl.default-dh-param 4096
    tune.ssl.cachesize 1000000
    tune.ssl.lifetime 600
    tune.ssl.maxrecord 1460
    nbproc 1
    nbthread 4
    daemon

defaults
    option contstats
    retries 3 

frontend WEB
    bind            192.168.0.25:80
    bind            192.168.0.25:443 ssl crt /Certs/domain1.pem crt /Certs/domain2.pem
    mode            http
    timeout         http-request 5s 
    timeout         client 30s
    log             global
    option          httplog
    option          dontlognull
    option          forwardfor
    monitor-uri     /healthcheck
    maxconn         8000
    timeout client  30s
    http-request capture req.hdr(Host) len 20

    %%%Some ACLs are defined here%%%

    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
    http-response set-header X-Frame-Options "SAMEORIGIN"
    http-response set-header X-XSS-Protection "1; mode=block"
    http-response set-header X-Content-Type-Options "nosniff"
    http-response set-header X-Permitted-Cross-Domain-Policies "none"
    http-response set-header X-Robots-Tag "all"
    http-response set-header X-Download-Options "noopen"

    # Do not allow more than 10 concurrent tcp connections per IP, or 15 connections in 3 seconds
    tcp-request content reject if { src_conn_rate(Abuse) ge 15 }
    tcp-request content reject if { src_conn_cur(Abuse) ge 10 }
    tcp-request connection track-sc1 src table Abuse

    # Redirect HTTP to HTTPS
    redirect        scheme https code 301 if !{ ssl_fc } 
    default_backend Web-Pool


backend Web-Pool
    mode            http
    balance         roundrobin
    retries         2
    option redispatch
    timeout connect 5s
    timeout server  30s
    timeout queue   30s
    option forwardfor
    option httpchk  HEAD /
    http-check      expect status 200
    cookie          DYNSRV insert indirect nocache
    fullconn        4000 
    http-request set-header X-Client-IP %[src]
    server          httpd01 192.168.0.30:80 check weight 1 inter 2000 rise 2 fall 2 minconn 0 maxconn 0 on-marked-down shutdown-sessions
    server          httpd02 192.168.0.31:80 check weight 2 inter 2000 rise 2 fall 2 minconn 0 maxconn 0 on-marked-down shutdown-sessions

backend Abuse
    stick-table type ip size 1m expire 30m store conn_rate(3s),conn_cur,gpc0,http_req_rate(10s),http_err_rate(20s)

With multi-process config, I use the following settings:
nbproc 4
cpu-map 1 0
cpu-map 2 1
cpu-map 3 2
cpu-map 4 3

I believe something is just wrong in my configuration… Could anybody help me to find the cause of this problem?

Thank you.

Posts: 1

Participants: 1

Read full topic


New to HAProxy - 503 Service unavailable No server is available to handle this request

@Stuart wrote:

Hi,

I’m new to HAProxy and need a little bit of help. I’m running a few things using docker and thus have decided to use HAProxy to forward some internal DNS records that I have created.

However I am getting 503 Service Unavailable No server is available to handle this request when trying to reach any of these addresses, they are all up and working when I connect using the IP address and port. Below is my haproxy.cfg if someone could point me in the right direction.

Thanks!

global
log 127.0.0.1 local2
maxconn 40000
user haproxy
group haproxy
daemon

defaults
mode tcp
log global
option http-server-close
option redispatch
retries 3
timeout connect 5000
timeout client 5000
timeout server 5000

frontend FRONT_END_DEFAULT
bind *:80
mode http
maxconn 10000

acl ACL_HUBLOCAL hdr_dom(host) -i hub.local
acl ACL_HOMEASSISTANT hdr_dom(host) -i homeassistant.local
acl ACL_PIHOLE hdr_dom(host) -i pihole.local

use_backend BACKEND_HUBLOCAL if ACL_HUBLOCAL
use_backend BACKEND_HOMEASSISTANT if ACL_HOMEASSISTANT
use_backend BACKEND_PIHOLE if ACL_PIHOLE

backend BACKEND_HUBLOCAL
balance roundrobin
mode http
server HUBLOCAL 192.168.0.250:81 observe layer7 check fall 3 rise 5 inter 2000 weight 10

backend BACKEND_HOMEASSISTANT
balance roundrobin
mode http
server HOMEASSISTANT 192.168.0.250:8123 observe layer7 check fall 3 rise 5 inter 2000 weight 10

backend BACKEND_PIHOLE
balance roundrobin
mode http
server PIHOLE 192.168.0.250:82 observe layer7 check fall 3 rise 5 inter 2000 weight 10

Posts: 1

Participants: 1

Read full topic

Getting pfsense/HAproxy to work behind Cloudflare

@kevdog wrote:

Hi - I'm really new to using HAProxy, as I've been using either Apache or Nginx as reverse proxies.

I'm using HAProxy through the pfSense configuration.

My setup is basically

client --> Cloudflare --> pfSense/HAProxy --> Web Server

I'm only interested in using HAProxy as a reverse proxy at this time. I have working Let's Encrypt SSL certs installed on pfSense.

I'll post my configuration, but in a nutshell I'm getting a Cloudflare 522 error saying there is a connection timeout to the server.

Here is my config with some of the details redacted:

# Automaticaly generated, dont edit manually.
# Generated on: 2020-01-20 18:00
global
	maxconn			1000
	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
	uid			80
	gid			80
	nbproc			1
	nbthread			1
	hard-stop-after		15m
	chroot				/tmp/haproxy_chroot
	daemon
	tune.ssl.default-dh-param	2048
	log-send-hostname		HA
	server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
	bind 127.0.0.1:2200 name localstats
	mode http
	stats enable
	stats admin if TRUE
	stats show-legends
	stats uri /haproxy/haproxy_stats.php?haproxystats=1
	timeout client 5000
	timeout connect 5000
	timeout server 5000

frontend front
	bind			<WANIP>:443 name <WANIP>:443   ssl crt-list /var/etc/haproxy/gohilton.com.crt_list  
	mode			http
	log			global
	option			http-keep-alive
	timeout client		30000
	acl			ACL1	var(txn.txnhost) -m str -i <URL>
	http-request set-var(txn.txnhost) hdr(host)
	use_backend back_ipvANY  if  ACL1 

frontend http-to-https-WAN
	bind			<WANIP>:80 name <WANIP>:80   
	mode			http
	log			global
	option			http-keep-alive
	timeout client		30000

backend back_ipvANY
	mode			http
	id			102
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk OPTIONS / 
	server			back 10.0.1.158:80 id 103 check inter 1000

My only concern is that the WAN IP is different than the proxied Cloudflare IP I have listed.
Thanks for any help

Posts: 1

Participants: 1

Read full topic

Unknown keyword 'ssl'. registered keywords haproxy

@MayankRSG wrote:

Below is my haproxy details. I am getting unknown keyword ‘ssl’. registered keywords issue. I am trying to implement ssl termination in haproxy

HA Proxy configuration file

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats timeout 30s
user haproxy
group haproxy
daemon
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000

#frontend
#---------------------------------
frontend http_front
bind *:80
bind *:443 ssl crt /etc/ssl/xip.io/xip.io.pem
mode http
stats uri /haproxy?stats
default_backend http_back

#round robin balancing backend http
#-----------------------------------
backend http_back
balance roundrobin
#balance leastconn
mode http
#server webserver1 10.10.31.179:8000 check # ip_address_of_1st_centos_webserver (RLV4WB01)
#server webserver2 10.10.31.171:8080 check # ip_address_of_2nd_centos_webserver (RLV4WB03)
#server webserver3 10.10.32.51:8000 check # ip_address_of_2nd_centos_webserver (RLV4WB02)
#server webserver4 10.10.31.171:8080 check # ip_address_of_2nd_centos_webserver (RLV4WB03)
server webserver1 10.10.31.188:80 check # (RLV4WB07)
server webserver2 10.10.22.88:80 check backup # (FJFBG32)

[root@rlv4wb02 rightslogic]# haproxy -vv
HA-Proxy version 2.1.2 2019/12/21 - https://haproxy.org/
Status: stable branch - will stop receiving fixes around Q1 2021.
Known bugs: http://www.haproxy.org/bugs/bugs-2.1.2.html
Build options :
TARGET = linux-glibc
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wtype-limits
OPTIONS =

Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER -PCRE -PCRE_JIT -PCRE2 -PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED -REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO -OPENSSL -LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 -ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL -SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS

Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=8).
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built without PCRE or PCRE2 support (using libc’s regex instead)
Encrypted password support via crypt(3): yes
Built without compression support (neither USE_ZLIB nor USE_SLZ are set).
Compression algorithms supported : identity(“identity”)

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as cannot be specified using ‘proto’ keyword)
h2 : mode=HTTP side=FE|BE mux=H2
fcgi : mode=HTTP side=BE mux=FCGI
: mode=HTTP side=FE|BE mux=H1
: mode=TCP side=FE|BE mux=PASS

Available services : none

Available filters :
[SPOE] spoe
[CACHE] cache
[FCGI] fcgi-app
[TRACE] trace
[COMP] compression

[root@rlv4wb02 rightslogic]# haproxy -db -f /etc/haproxy/haproxy.cfg
[ALERT] 020/182014 (5791) : parsing [/etc/haproxy/haproxy.cfg:22] : 'bind *:443' unknown keyword 'ssl'. Registered keywords :
[STAT] level
[STAT] expose-fd
[STAT] severity-output
[ TCP] defer-accept
[ TCP] interface
[ TCP] mss
[ TCP] tcp-ut
[ TCP] tfo
[ TCP] transparent
[ TCP] v4v6
[ TCP] v6only
[ TCP] namespace
[ ALL] accept-netscaler-cip
[ ALL] accept-proxy
[ ALL] backlog
[ ALL] id
[ ALL] maxconn
[ ALL] name
[ ALL] nice
[ ALL] process
[ ALL] proto
[UNIX] gid
[UNIX] group
[UNIX] mode
[UNIX] uid
[UNIX] user
[ALERT] 020/182014 (5791) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT] 020/182014 (5791) : Fatal errors found in configuration.

[root@rlv4wb02 rightslogic]# journalctl -xe

– The start-up result is done.
Jan 21 18:30:01 rlv4wb02.rsgsys.com CROND[6124]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Jan 21 18:30:01 rlv4wb02.rsgsys.com CROND[6125]: (pcp) CMD ( /usr/libexec/pcp/bin/pmlogger_daily -p)
Jan 21 18:30:01 rlv4wb02.rsgsys.com systemd[1]: Removed slice User Slice of root.
– Subject: Unit user-0.slice has finished shutting down
– Defined-By: systemd
– Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

– Unit user-0.slice has finished shutting down.
Jan 21 18:30:01 rlv4wb02.rsgsys.com systemd[1]: Removed slice User Slice of pcp.
– Subject: Unit user-985.slice has finished shutting down
– Defined-By: systemd
– Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

– Unit user-985.slice has finished shutting down.
Jan 21 18:33:49 rlv4wb02.rsgsys.com sudo[6242]: rightslogic : TTY=pts/0 ; PWD=/home/rightslogic ; USER=root ; COMMAND=/bin/ln -s /usr/local/sbin/haproxy /usr/sbin/haproxy
Jan 21 18:33:49 rlv4wb02.rsgsys.com sudo[6242]: pam_unix(sudo:session): session opened for user root by rightslogic(uid=0)
Jan 21 18:33:49 rlv4wb02.rsgsys.com sudo[6242]: pam_unix(sudo:session): session closed for user root
Jan 21 18:34:13 rlv4wb02.rsgsys.com polkitd[5429]: Registered Authentication Agent for unix-process:6246:217650364 (system bus name :1.23480 [/usr/bin/pkttyagent --notify-fd 5 --fa
Jan 21 18:34:13 rlv4wb02.rsgsys.com systemd[1]: Starting SYSV: HA-Proxy is a TCP/HTTP reverse proxy which is particularly suited for high availability environments…
– Subject: Unit haproxy.service has begun start-up
– Defined-By: systemd
– Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

– Unit haproxy.service has begun starting up.
Jan 21 18:34:13 rlv4wb02.rsgsys.com haproxy[6253]: /etc/rc.d/init.d/haproxy: line 26: [: =: unary operator expected
Jan 21 18:34:13 rlv4wb02.rsgsys.com haproxy[6253]: [ALERT] 020/183413 (6258) : parsing [/etc/haproxy/haproxy.cfg:22] : 'bind *:443' unknown keyword 'ssl'. Registered keywords :
Jan 21 18:34:13 rlv4wb02.rsgsys.com haproxy[6253]: [STAT] level
Jan 21 18:34:13 rlv4wb02.rsgsys.com haproxy[6253]: [STAT] expose-fd
Jan 21 18:34:13 rlv4wb02.rsgsys.com haproxy[6253]: [STAT] severity-output
Jan 21 18:34:13 rlv4wb02.rsgsys.com haproxy[6253]: [ TCP] defer-accept
Jan 21 18:34:13 rlv4wb02.rsgsys.com haproxy[6253]: [ TCP] interface
Jan 21 18:34:13 rlv4wb02.rsgsys.com haproxy[6253]: [ TCP] mss
Jan 21 18:34:13 rlv4wb02.rsgsys.com haproxy[6253]: [ TCP] tcp-ut
Jan 21 18:34:13 rlv4wb02.rsgsys.com haproxy[6253]: [ TCP] tfo
Jan 21 18:34:13 rlv4wb02.rsgsys.com haproxy[6253]: [ TCP] transparent
Jan 21 18:34:13 rlv4wb02.rsgsys.com haproxy[6253]: [ TCP] v4v6
Jan 21 18:34:13 rlv4wb02.rsgsys.com haproxy[6253]: [ TCP] v6only
Jan 21 18:34:13 rlv4wb02.rsgsys.com haproxy[6253]: [ TCP] namespace
Jan 21 18:34:13 rlv4wb02.rsgsys.com haproxy[6253]: [ ALL] accept-netscaler-cip
Jan 21 18:34:13 rlv4wb02.rsgsys.com haproxy[6253]: [ ALL] accept-proxy
Jan 21 18:34:13 rlv4wb02.rsgsys.com haproxy[6253]: [ ALL] backlog
Jan 21 18:34:13 rlv4wb02.rsgsys.com haproxy[6253]: [ ALL] id
Jan 21 18:34:13 rlv4wb02.rsgsys.com haproxy[6253]: [ ALL] maxconn
Jan 21 18:34:13 rlv4wb02.rsgsys.com haproxy[6253]: [ ALL] name
Jan 21 18:34:13 rlv4wb02.rsgsys.com haproxy[6253]: [ ALL] nice
Jan 21 18:34:13 rlv4wb02.rsgsys.com haproxy[6253]: [ ALL] process
Jan 21 18:34:13 rlv4wb02.rsgsys.com haproxy[6253]: [ ALL] proto
Jan 21 18:34:13 rlv4wb02.rsgsys.com haproxy[6253]: [UNIX] gid
Jan 21 18:34:13 rlv4wb02.rsgsys.com haproxy[6253]: [UNIX] group
Jan 21 18:34:13 rlv4wb02.rsgsys.com haproxy[6253]: [UNIX] mode
Jan 21 18:34:13 rlv4wb02.rsgsys.com haproxy[6253]: [UNIX] uid
Jan 21 18:34:13 rlv4wb02.rsgsys.com haproxy[6253]: [UNIX] user
Jan 21 18:34:13 rlv4wb02.rsgsys.com haproxy[6253]: [ALERT] 020/183413 (6258) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
Jan 21 18:34:13 rlv4wb02.rsgsys.com haproxy[6253]: [ALERT] 020/183413 (6258) : Fatal errors found in configuration.
Jan 21 18:34:13 rlv4wb02.rsgsys.com haproxy[6253]: Errors found in configuration file, check it with ‘haproxy check’.
Jan 21 18:34:13 rlv4wb02.rsgsys.com systemd[1]: haproxy.service: control process exited, code=exited status=1
Jan 21 18:34:13 rlv4wb02.rsgsys.com systemd[1]: Failed to start SYSV: HA-Proxy is a TCP/HTTP reverse proxy which is particularly suited for high availability environments…
– Subject: Unit haproxy.service has failed
– Defined-By: systemd
– Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

– Unit haproxy.service has failed.

– The result is failed.
Jan 21 18:34:13 rlv4wb02.rsgsys.com systemd[1]: Unit haproxy.service entered failed state.

Posts: 2

Participants: 2

Read full topic

Http-request redirect with map file and query

@sysadmin0505 wrote:

Hello everyone.

I am trying to redirect our legacy sites to a secondary site. I have tried various configurations and I cannot get it to work with a map file. I am able to hard code the entries, and it works. But as the entries are adding up it is becoming increasingly difficult (as you can imagine).

My legacy.map file contains single entries. Basically part of the query string.

cst=8484-29384-1123-48483
cst=4987-63254-987-1547-87
cst=159-98778-6364-15987

You get the idea.

My haproxy.cfg contains a ton of settings I’ve experimented with (commented out over time). Here is the one I am hoping to get the complete result from.

This is on the (only) frontend.

http-request redirect location https://mypage.com/alternate-site.html code 301 if { query map(/etc/haproxy/legacy.map) -m found }

If I do

http-request redirect location https://mypage.com/alternate-site.html code 301 if { query cst=1256-9874-4848-7898 -m found }

it works. But, as we increase these over time, that is going to become a burden to maintain.

Any thoughts or experience with this type of work. I have gone from HAProxy 1.5 to 2.0, but I am still encountering issues with this.

Posts: 1

Participants: 1

Read full topic
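Two facts from the HAProxy manual decide whether such a map lookup can work: the `map` converter is an exact match on the whole sample string, so a map keyed on `cst=...` entries is only hit when the query string consists of exactly that text, and a converter must be chained to its fetch with a comma (`query,map(...)`), since with `-m found` any pattern after the fetch is ignored. The added Python example below (not code from the post or from HAProxy) models those semantics with constructed map entries and query strings, contrasting a whole-query lookup with one on the extracted `cst` value as `urlp(cst)` would produce.

```python
"""Model of HAProxy's 'map' lookup on a query string versus on one parameter.

Added example, not HAProxy code: map_lookup() and urlp() reproduce the
documented behaviour of the 'map' converter (exact whole-string match) and of
urlp(<name>) (value of one query parameter); the map file text and the query
strings are constructed for the demonstration.
"""
from urllib.parse import parse_qs

# Constructed legacy.map in map-file syntax: '<key> <value>' per line, '#'
# starts a comment.  The keys mirror the post's 'cst=...' style entries.
LEGACY_MAP_TEXT = """\
# customer ids to send to the alternate site
cst=8484-29384-1123-48483   legacy
cst=4987-63254-987-1547-87  legacy
cst=159-98778-6364-15987    legacy
"""


def load_map(text):
    """Parse map-file text into {key: value}; a key without a value maps to ''."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        table[parts[0]] = parts[1].strip() if len(parts) > 1 else ''
    return table


def value_map(table, param):
    """Derive a map keyed on the bare parameter value: 'cst=123' -> '123'."""
    prefix = param + '='
    return {k[len(prefix):]: v for k, v in table.items() if k.startswith(prefix)}


def map_lookup(sample, table):
    """Model of the 'map' converter: exact match on the whole sample, else None."""
    if sample is None:
        return None
    return table.get(sample)


def urlp(query, name):
    """Model of urlp(<name>): first value of that query parameter, or None."""
    values = parse_qs(query, keep_blank_values=True).get(name)
    return values[0] if values else None


def redirect_on_whole_query(query, table):
    """Models 'if { query,map(legacy.map) -m found }'."""
    return map_lookup(query, table) is not None


def redirect_on_param(query, name, table):
    """Models 'if { urlp(cst),map(values.map) -m found }'."""
    return map_lookup(urlp(query, name), table) is not None


if __name__ == '__main__':
    legacy = load_map(LEGACY_MAP_TEXT)
    values = value_map(legacy, 'cst')
    for q in ('cst=8484-29384-1123-48483',
              'cst=8484-29384-1123-48483&lang=en',
              'lang=en&cst=159-98778-6364-15987',
              'cst=0000-0000&lang=en'):
        # Only the bare query hits the whole-string map; the parameter lookup
        # is unaffected by extra parameters or their order.
        print('%-40s whole-query=%-5s param=%s' % (
            q, redirect_on_whole_query(q, legacy),
            redirect_on_param(q, 'cst', values)))
```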

Ssl_error_rx_record_too_long

@kevdog wrote:

Really new to setting up HAproxy and definitely going through some growing pains here.

I’m accessing my website directly. I’m using pfsense 2.4.4 with haproxy (version 1.8.23) plugin.
I have valid Let’s Encrypt Certificates installed with pfsense for my domain.

I’m trying to use HAProxy simply as a reverse proxy with SSL termination for backend apache web server (only running on port 80).

I'm receiving errors when trying to access the site directly via my IP address:
Firefox: An error occurred during a connection to 69.xxx.xxx.xxx. SSL received a record that exceeded the maximum permissible length.

Error code: SSL_ERROR_RX_RECORD_TOO_LONG
Chrome: ERR_SSL_PROTOCOL_ERROR

Here is my HAproxy config file:

# Automaticaly generated, dont edit manually.
# Generated on: 2020-01-21 10:32
global
	maxconn			1000
	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
	gid			80
	nbproc			1
	nbthread			1
	hard-stop-after		15m
	chroot				/tmp/haproxy_chroot
	daemon
	tune.ssl.default-dh-param	2048
	log-send-hostname		url.com-HA
	server-state-file /tmp/haproxy_server_state
	ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
	ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

	ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
	ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

listen HAProxyLocalStats
	bind 127.0.0.1:2200 name localstats
	mode http
	stats enable
	stats admin if TRUE
	stats show-legends
	stats uri /haproxy/haproxy_stats.php?haproxystats=1
	timeout client 5000
	timeout connect 5000
	timeout server 5000

frontend shared-frontend-WAN-and-LAN-merged
	bind			69.xxx.xxx.xxx:443 name 69.xxx.xxx.xxx:443   ssl crt-list /var/etc/haproxy/shared-frontend-WAN-and-LAN.crt_list
	bind			10.0.1.1:443 name 10.0.1.1:443   ssl crt-list /var/etc/haproxy/shared-frontend-WAN-and-LAN.crt_list
	mode			http
	log			global
	option			http-keep-alive
	option			forwardfor
	acl https ssl_fc
	http-request set-header		X-Forwarded-Proto http if !https
	http-request set-header		X-Forwarded-Proto https if https
	timeout client		30000
	acl			ACL1	var(txn.txnhost) -m str -i url.com
	acl			ACL2	var(txn.txnhost) -m str -i www.url.com
	http-request set-var(txn.txnhost) hdr(host)
	use_backend url.com_ipv4  if  ACL1
	use_backend url.com_ipv4  if  ACL2

frontend http-to-https
	bind			69.xxx.xxx.xxx:80 name 69.xxx.xxx.xxx:80
	mode			http
	log			global
	option			http-keep-alive
	timeout client		30000
	redirect scheme https code 301 if !{ ssl_fc }

backend url.com_ipv4
	mode			http
	id			10102
	log			global
	option			log-health-checks
	timeout connect		30000
	timeout server		30000
	retries			3
	source ipv4@ usesrc clientip
	option			httpchk OPTIONS /
	server			url.com 10.0.1.158:80 id 10103 check inter 100

I generated the ssl-default-bind-ciphers/options, ssl-default-server-ciphers/options using the Mozilla SSL generator: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.1&config=intermediate

Thanks for any advice.

Posts: 1

Participants: 1

Read full topic
