It's very cool to have DNS finally! I wonder, is it possible to do something like this?

use_backend us_upstream if { hdr(Host),dnsname_to_ip_and_map(geo_us.lst) -m str us }

Convert hostname to IP, find IP's geo info, use matched backend.

Thank you.

Bests,
-Igor

On Thu, Jun 18, 2015 at 4:06 PM, Baptiste <bed...@gmail.com> wrote:
> On Wed, Jun 17, 2015 at 5:08 PM, Willy Tarreau <wi...@haproxy.com> wrote:
>> Hi all,
>>
>> the impatient readers among you will have noticed that it's been almost 3
>> weeks since I sent the e-mail announcing the imminent release of 1.6-dev2.
>> That end of merge window has been a nightmare and is not finished, but I
>> thought it would be wise to issue dev2 anyway so that people can test the
>> stuff that has been merged anyway. Lesson learned, for 1.7 we'll have a
>> much shorter merge window so that people don't have enough time to push
>> that much stuff at the last minute :-)
>>
>> To be honest, I'm far from being satisfied with this version. It's as huge
>> as dev1 (344 commits) despite some things still being pending. Also noticed
>> quite a number of areas that need to be fixed / cleaned up etc. So at least
>> the feature freeze is a good thing.
>>
>> Reading the changelog since 1.6-dev1, in no particular order, I've found :
>>
>> - DNS-based server name resolution : haproxy is now able to periodically
>>   ask a set of resolvers for the IP address of some servers and to update
>>   them without restarting. This will make life much easier for people
>>   running in AWS where IP address change randomly. Some more stuff was
>>   planned for this such as marking the server as unresolvable if resolving
>>   fails, but we found that people would probably like to have a
>>   configurable behaviour. Feedback on this is desired and will drive the
>>   next steps.
>>
>> - peers protocol v2 : haproxy 1.6 and 1.5 will not be able to synchronize
>>   their stick tables but on the other hand the new protocol is much better
>>   and more extensible. First it uses a single connection regardless of the
>>   number of tables to synchronize.
>>   Second it will support synchronizing much more than just stick tables.
>>   For now it replicates all stick-tables contents (including gpc, etc...).
>>   This allows reloads to keep entries, rates, etc... as well as to pass
>>   them to a backup node in case of a switchover. It's very likely that
>>   during 1.7 development we'll further extend the amount of information
>>   that can be exchanged.
>>
>> - peers support nbproc > 1 as long as they're referenced by a single
>>   process, and peers sections can be disabled (useful for debugging).
>>
>> - config : removed a few deprecated keywords (eg: "reqsetbe"). I wanted to
>>   remove "block" as well, and appsession. On the first one I'm not sure,
>>   on the second one only Aleks (the author of the feature) provided some
>>   feedback and agreed it was probably time for it to go. Expect that we'd
>>   get rid of them soon if nobody objects.
>>
>> - pattern cache : a small lru cache applies to pattern matching when it
>>   runs from a list (eg: case insensitive string match, regex, etc). This
>>   can significantly speed up host header matching or regex matching
>>   against a huge list.
>>
>> - support for stateless zip compression with libslz : this doesn't waste
>>   memory anymore and compresses about 3 times faster than zlib, at a lower
>>   compression ratio.
>>
>> - support for session/transaction/request/response variables : using the
>>   "set-var" action in {tcp,http}-{request-response} rulesets, it's possible
>>   to assign the result of a sample expression to a variable allocated on
>>   the fly and which lasts for all the session, the transaction or just the
>>   ephemeral processing being done on the request or response. This makes
>>   it possible to keep copies of certain request information and reuse them
>>   in the response for example. Some work is still pending on this part,
>>   in particular the ability to use variables with in all arithmetic
>>   converters which currently only take a constant.
>>
>> - support for declared captures : sometimes it's desired to capture in
>>   the backend or response path but that was not possible since only the
>>   frontend can assign a capture slot. The solution consists in making
>>   it possible to declare a capture slot in the frontend for later use.
>>
>> - servers: in addition to DNS, it's possible to change a server's IP
>>   address from the CLI.
>>
>> - ssl: it's now possible to forge SSL certs on the fly. That's convenient
>>   when haproxy has to be deployed in front of proxies which already work
>>   like this.
>>
>> - device identification : two companies, 51Degrees and DeviceAtlas,
>>   provided patches to add support for their respective libs. We're
>>   starting to see some demand for such features due to the abundance
>>   of smartphones, tablets and I don't-know-what, and both libs come
>>   with a free device database, so it seems to be the right timing.
>>   The README was updated for both, there you'll find how to build with
>>   either solution (or both, I checked and they don't break each other).
>>   It would be interesting to get feedback on these features, especially
>>   from people who already have access to the full databases and who see
>>   a benefit in moving this processing to haproxy instead of having one
>>   different implementation per application server. More information is
>>   available below for each of them respectively :
>>
>>     https://deviceatlas.com/deviceatlas-haproxy-module
>>     https://github.com/51Degreesmobi/51Degrees-C
>>
>> - ssl: default DH param groups were replaced with custom ones in order
>>   to limit the exposure in case of a targeted attack.
>>
>> - config: support for quotes (no more backslashes needed before spaces),
>>   and stricter control of argument counts so that people who write invalid
>>   configs where words were silently ignored don't get trapped anymore.
>>   The long-deprecated syntax consisting in putting the ip:port on the
>>   "listen" line has now been removed as well since it didn't support any
>>   bind option and used to regularly confuse users.
>>
>> - config: environment variables can be used everywhere inside
>>   double-quotes, not just in listening addresses.
>>
>> - stats: the CSV dump now knows how to properly quote strings containing
>>   commas or quotes. This will make it possible to start adding many
>>   counters there (those who are only present in the HTML dump for now).
>>
>> - http-response now supports "redirect" rules. That's sometimes useful to
>>   replace a 500 server error with a nice page.
>>
>> - config: duplicated backend names or server names are now completely
>>   detected and better reported so that it's easy to know what needs to be
>>   fixed.
>>
>> - multiple redispatches are now possible on configurable retry intervals
>>   when connection fails to a server.
>>
>> - url_param() and body_param() can check for multiple (or any) parameter.
>>   That can be used as a preliminary cleanup for certain invalid requests.
>>
>> - TLS key loading from file and update on the CLI : this will save some
>>   reloads for some users and provide better security to SSL users.
>>
>> - "option http-buffer-request" allows request processing to be deferred
>>   until the request body is received, thus it's possible to look up a
>>   routing key in a POST body (eg: user id).
>>
>> - "option http-ignore-probes" to silence 400/408 on preconnect, and to
>>   avoid counting errors in this case.
>>
>> - support for HTTP/0.9 is now disabled by default. It's totally useless
>>   and can lead to some security issues by making it easier to forge
>>   requests from foreign protocols. In addition, some extra cleanups to
>>   comply with RFC7230 were applied. "RTSP" is now allowed as a protocol
>>   name for those who want to load-balance RTSP farms (parses like HTTP
>>   for basic needs).
>>
>> - lua: implemented a simple memory allocator which makes it possible to
>>   limit memory usage.
>>
>> - lots of internal changes (applets now run independently from streams,
>>   sample fetch API changed, etc...).
>>
>> I couldn't complete the response processing changes that I had to interrupt
>> 3 weeks ago to review patches. So most likely this will be postponed to 1.7.
>> We still have a huge amount of work to do to clean what we have. For example
>> session variables are still attached to the stream while they need to move
>> to the session (and the internal variables API must already change for this).
>> The stick-tables still use old types and we could simplify their code by
>> moving that to the common sample types (and remove a conversion stage).
>>
>> We still have pending the patch to retrieve/restore server states across
>> reloads. It needs more work to improve lookups to better resist config
>> changes (otherwise why would people restart?). We realized that the notion
>> of "state" differs depending on the use case. Some will want to keep only
>> the up/down status. Others might want to keep the dynamic weights and
>> anything that was updated on the CLI, while others would probably prefer
>> to ensure the CLI is dropped upon reloads since the CLI is here to adjust
>> what can be done without restarting, etc. I hope to be able to merge that
>> soon so that we can get some feedback about it. It definitely is useful
>> but we don't know clearly where we want to go with this.
>>
>> As indicated 3 weeks ago, future changes should have a limited impact
>> on code stability (unless they fix bugs of course), and on configuration
>> so that early adopters can quickly update when they face a bug that is
>> fixed. If you're developing something great and intrusive, please keep
>> it for when 1.7 opens.
>>
>> I was told that current version could fail to build on OpenBSD, but there's
>> a patch floating around for this so hopefully this will be resolved soon.
>>
>> Last point, very recently I got a request from someone who desired a bit
>> more signatures in the release process. I don't want to make the whole
>> workflow a pain, but at least now I've switched to signed tags, which is
>> easy to do and happens only once in a while.
>>
>> I'm not appending the changelog, it's too large and boring, really.
>>
>> Usual URLs below :
>>    Site index       : http://www.haproxy.org/
>>    Sources          : http://www.haproxy.org/download/1.6/src/devel/
>>    Git repository   : http://git.haproxy.org/git/haproxy.git/
>>    Git Web browsing : http://git.haproxy.org/?p=haproxy.git
>>    Changelog        : http://www.haproxy.org/download/1.6/src/CHANGELOG
>>    Cyril's HTML doc : http://cbonte.github.com/haproxy-dconv/configuration-1.6.html
>>
>> Regards,
>> Willy
>>
>>
>
> It's a great release!!!!
> Looking forward to playing with it!
>
> Note that in my lab, 1.6-dev performs slightly better than 1.5.
>
> Baptiste
>