>> Hi Willy, any news on the strange cookie behavior?
>>
>> Also I ask you about a haproxy configuration problem; I could not find a
>> solution searching hard on the Internet...



>To be honest I can't believe this.
>Have you tried to read the documentation carefully and more than one
>time?



>http://lmgtfy.com/?q=haproxy+use+backend+acl+based



>http://www.haproxy.org/#docs

>https://cbonte.github.io/haproxy-dconv/configuration-1.6.html#7

>https://cbonte.github.io/haproxy-dconv/configuration-1.6.html#7.2



I do not need links for ACLs... We already use working ACLs; we ask whether you
know of a best practice, i.e. to avoid cycles and have more performance and
flexibility in request management if we need redirection to SSL, and whether it
is best to have separate frontends for http and https and different backends.
But ok. We'll test different configurations.







>> 1. We want to redirect all non-HTTPS requests to HTTPS except some
>> requests (ex: path_beg based), but we want to have exceptions like this:
>>          If Request = http://<dom1>/(A)       -> backend1 (http)
>>          If Request = https://<dom1>/(A)      -> SSL Termination -> backend1 (http)
>>          If Request = http://<dom1>/(NOT A)   -> Redirect SSL -> SSL Termination -> backend1 (http)
>>          If Request = https://<dom1>/(NOT A)  -> SSL Termination -> backend1 (http)



>http://serverfault.com/questions/589494/haproxy-use-acl-in-backend-shrink-my-config



> Maybe you get the idea of a possible solution that way.



We do not need to redirect to a single server; as stated, we just use ACLs to
redirect to different backends.



>> Are there best practices for the configuration to avoid redundancy in the
>> configuration file but have the best performance: 2 front-ends + 2
>> back-ends, 2 front-ends + 1 back-end, 1 front-end + 1 back-end?
>>
>> 2. In a configuration like that in point 1 (with SSL termination with
>> exceptions), is it a good solution to mix backend :80 with :443 servers
>> without a risk of a redirection loop? Is there a flow chart of the
>> haproxy request-response flow to evaluate these configurations?



>Maybe you could find some answers in the design-thoughts directory, like:



>http://git.haproxy.org/?p=haproxy.git;a=blob;f=doc/design-thoughts/how-it-works.txt;h=2d1cb89a059e477469b2f980e970c22f4af6da66;hb=HEAD



>http://git.haproxy.org/?p=haproxy.git;a=tree;f=doc/design-thoughts;h=42c124145020b7c538d6011a7508c45e4e0780e1;hb=HEAD



No useful info in these documents…



>As far as I know there is not yet a flow chart like



>http://redmine.lighttpd.net/projects/lighttpd/repository/entry/trunk/doc/state.dot



>You can see the picture when you paste the text into this website.



>http://sandbox.kidstrythisathome.com/erdos/



I mean a general flow of request-response management by haproxy, including
precedence (i.e. when ACLs are evaluated and in which order) and the sequence of
steps, so one can evaluate in advance whether a possible configuration can be
good. An architectural view of haproxy behavior.



>> 3. In haproxy.log I see only the client request; is there a configuration
>> to see also the backend server response, or is the only solution to use
>> debugging to see all traffic? Also, I use haproxy -d on the command line
>> to debug; is there a method so we do not need to stop the haproxy daemon
>> to use the command line for debugging, so we can debug changes on
>> production haproxy?



>https://cbonte.github.io/haproxy-dconv/configuration-1.6.html#3.3

>https://cbonte.github.io/haproxy-dconv/configuration-1.6.html#log





No info there. I just used the -d option on the command line. I could not find
info on whether such an option can be used so that such info is written to
haproxy.log instead of stopping the daemon and running haproxy on the command
line with the -d switch. Also, in the -d output not all the header information
is present, so for some problems we have to divide the analysis across different
tool outputs (haproxy -d, tcpdump, etc.); spreading info across different tools
makes analysis harder… But ok!



>> 4. What standard syntax does haproxy use for regular expressions (Perl,
>> POSIX)?

>http://git.haproxy.org/?p=haproxy.git;a=blob;f=Makefile;h=a1383a38c539fe4f0101a986746d8290ad3eebfa;hb=HEAD#l16

>#   USE_PCRE             : enable use of libpcre for regex. Recommended.



Ok. Thank you.



>> 5. What about client certificates? I think haproxy can, with SSL termination,
>> also do client certificate verification, is that so? What about client
>> certificates if the backend server has to authenticate the client using their
>> certificate; can haproxy manage this situation by passing client
>> certificates to the backend server?



>http://lmgtfy.com/?q=haproxy+client+certificate

>https://raymii.org/s/tutorials/haproxy_client_side_ssl_certificates.html



Ok. On this I could probably look better :D



Thank you.



Roberto
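As an added example (not configuration from this thread or from the HAProxy project), one way to express the four cases of point 1 in HAProxy 1.6 syntax with a single frontend and a single plain-HTTP backend. Assumed names: frontend fe_app, backend be_app, the path prefix /api/ standing for the exception "A", a placeholder certificate path and placeholder server addresses.

```haproxy
# Added example, not from the thread. Placeholders: /etc/haproxy/certs/dom1.pem,
# 10.0.0.11 and 10.0.0.12. The exception "A" is taken as paths beginning /api/.
global
    log /dev/log local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_app
    bind :80
    bind :443 ssl crt /etc/haproxy/certs/dom1.pem
    # ssl_fc is true only when the client-side connection was TLS. Deciding the
    # redirect on it, never on a backend port, is what rules out a redirect loop:
    # a request arriving on :443 can never match the redirect rule again.
    acl is_tls  ssl_fc
    acl path_a  path_beg /api/
    # Case http://<dom1>/(NOT A): send the client to https, same host and path
    redirect scheme https code 301 if !is_tls !path_a
    # Cases http://<dom1>/(A), https://<dom1>/(A), https://<dom1>/(NOT A):
    # fall through to the backend (TLS already terminated here)
    http-request set-header X-Forwarded-Proto https if is_tls
    http-request set-header X-Forwarded-Proto http  if !is_tls
    # Point 3: the response status, byte count and termination state are already
    # in the httplog line; chosen response headers can be captured into it too
    capture response header Location len 64
    default_backend be_app

backend be_app
    balance roundrobin
    # Plain-HTTP servers only. Mixing in a :443 server would need "ssl" on its
    # server line and still would not change the redirect decision above,
    # because that decision is taken in the frontend from ssl_fc.
    server app1 10.0.0.11:80 check
    server app2 10.0.0.12:80 check
```

Validate the file with haproxy -c -f before reloading; the redirect rule is safe only as long as it stays conditioned on ssl_fc.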





-----Original Message-----
From: Aleksandar Lazic [mailto:al-hapr...@none.at]
Sent: Sunday 26 July 2015 23.43
To: mlist
Cc: 'Willy Tarreau'; 'Baptiste'; haproxy@formilux.org
Subject: RE: cookie prefix strange behavior



Hi Roberto.



On 25-07-2015 09:05, mlist wrote:

> Hi Willy, any news on the strange cookie behavior?
>
> Also I ask you about a haproxy configuration problem; I could not find a
> solution searching hard on the Internet...



To be honest I can't believe this.
Have you tried to read the documentation carefully and more than one
time?



http://lmgtfy.com/?q=haproxy+use+backend+acl+based



http://www.haproxy.org/#docs

https://cbonte.github.io/haproxy-dconv/configuration-1.6.html#7

https://cbonte.github.io/haproxy-dconv/configuration-1.6.html#7.2



> 1. We want to redirect all non-HTTPS requests to HTTPS except some
> requests (ex: path_beg based), but we want to have exceptions like this:
>             If Request = http://<dom1>/(A)       -> backend1 (http)
>             If Request = https://<dom1>/(A)      -> SSL Termination -> backend1 (http)
>             If Request = http://<dom1>/(NOT A)   -> Redirect SSL -> SSL Termination -> backend1 (http)
>             If Request = https://<dom1>/(NOT A)  -> SSL Termination -> backend1 (http)



http://serverfault.com/questions/589494/haproxy-use-acl-in-backend-shrink-my-config



Maybe you get the idea of a possible solution that way.



> Are there best practices for the configuration to avoid redundancy in the
> configuration file but have the best performance: 2 front-ends + 2
> back-ends, 2 front-ends + 1 back-end, 1 front-end + 1 back-end?
>
> 2. In a configuration like that in point 1 (with SSL termination with
> exceptions), is it a good solution to mix backend :80 with :443 servers
> without a risk of a redirection loop? Is there a flow chart of the
> haproxy request-response flow to evaluate these configurations?



Maybe you could find some answers in the design-thoughts directory, like:



http://git.haproxy.org/?p=haproxy.git;a=blob;f=doc/design-thoughts/how-it-works.txt;h=2d1cb89a059e477469b2f980e970c22f4af6da66;hb=HEAD



http://git.haproxy.org/?p=haproxy.git;a=tree;f=doc/design-thoughts;h=42c124145020b7c538d6011a7508c45e4e0780e1;hb=HEAD



As far as I know there is not yet a flow chart like



http://redmine.lighttpd.net/projects/lighttpd/repository/entry/trunk/doc/state.dot



You can see the picture when you paste the text into this website.



http://sandbox.kidstrythisathome.com/erdos/



> 3. In haproxy.log I see only the client request; is there a configuration
> to see also the backend server response, or is the only solution to use
> debugging to see all traffic? Also, I use haproxy -d on the command line
> to debug; is there a method so we do not need to stop the haproxy daemon
> to use the command line for debugging, so we can debug changes on
> production haproxy?



https://cbonte.github.io/haproxy-dconv/configuration-1.6.html#3.3

https://cbonte.github.io/haproxy-dconv/configuration-1.6.html#log



> 4. What standard syntax does haproxy use for regular expressions (Perl,
> POSIX)?



http://git.haproxy.org/?p=haproxy.git;a=blob;f=Makefile;h=a1383a38c539fe4f0101a986746d8290ad3eebfa;hb=HEAD#l16

#   USE_PCRE             : enable use of libpcre for regex. Recommended.



> 5. What about client certificates? I think haproxy can, with SSL termination,
> also do client certificate verification, is that so? What about client
> certificates if the backend server has to authenticate the client using their
> certificate; can haproxy manage this situation by passing client
> certificates to the backend server?



http://lmgtfy.com/?q=haproxy+client+certificate

https://raymii.org/s/tutorials/haproxy_client_side_ssl_certificates.html



> Thank you in advance.



Hth



> Best Regards

Cheers



> Roberto



Aleks



> -----Original Message-----

> From: Willy Tarreau [mailto:w...@1wt.eu]

> Sent: Monday 20 July 2015 12.15

> To: mlist

> Cc: 'Baptiste'; haproxy@formilux.org

> Subject: Re: cookie prefix strange behavior

>

> On Mon, Jul 20, 2015 at 09:51:28AM +0000, mlist wrote:

>> Hi Willy

>>

>> >> Hi Baptiste, as you can see using prefix or sticky table we found this
>> >> invalid cookie problem.
>> >>
>> >> - Why, without haproxy in the middle, do we not have this problem? Why does
>> >> a browser send an INVALID cookie?

>>

>> >Because it learned it another way, maybe before you installed haproxy,

>> >maybe on a direct connection or anything.

>>

>> I'm sure enough this is not the case. After we got this behavior, we cleaned
>> all cookies. After some testing passing only through haproxy for these
>> domains, we got the problem again, with Chrome and with IE.

>

> OK, interesting.

>

>> >> - How can we match the absence of the prefix? Can it be done directly by haproxy?

>>

>> > I think haproxy should fix it, yes, otherwise it can continue this way

>> > forever. That said, it *will* break existing sessions, but if haproxy

>> > applies load balancing, such session will be broken as well.

>>

>> > What version is this, 1.6-dev or 1.5 ?

>>

>> What do you mean with: "it *will* break existing sessions"? If we load
>> balance a web application with haproxy, sessions coming in must have a
>> cookie inserted/prefixed by haproxy, am I wrong? If so, any request with an
>> invalid cookie is INVALID :D so no session will be broken...

>

> What I mean is that if the cookie is invalid, haproxy cannot use the cookie
> to decide what server to send the request to, so it will pick one server in
> the farm which is not necessarily the right one (in fact it has a (N-1)/N
> chance of picking a wrong one in a farm of N servers). That's why I think
> that haproxy should fix this when this happens. Most likely the problem is
> that once a wrong cookie flows from the client to the server, the server
> will not emit this cookie anymore so no prefixing will occur. For this
> reason I think that we should remove the invalid cookies from the requests
> when running in prefix mode.
>
> In order to know exactly how the situation happened, you'll need to look
> through all the logs affecting the client which exhibited the problem. The
> cookie flags will indicate when the cookie was inserted/prefixed, present
> or valid/invalid etc... And maybe we'll find what produces this situation.
>
> It is also possible that the cookie is built by the application using
> javascript.
>
>> We compiled from source "HA-Proxy version 1.6-dev2-25f4e3e 2015/07/10"
>
> OK thanks. Do you know if 1.5 also produces the same problem ? It could
> be a regression, though I don't remember that we ever touched that area
> recently.

> Willy
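Following Willy's advice to read the cookie flags in the logs of the affected client, here is an added example (not from the thread and not an HAProxy tool): a small parser over constructed httplog lines that extracts the two persistence-cookie flags of the termination state and lists clients that presented an invalid cookie. The cookie name SESS, the frontend/backend/server names and the addresses are assumed.

```python
import re
from collections import Counter

# Constructed sample lines (not real traffic) in HAProxy "option httplog" format as
# produced with "cookie SESS prefix" plus "capture cookie SESS= len 32". The field
# after the two captured cookies is the 4-character termination state: its 3rd
# character reports the persistence cookie in the request, the 4th what was done
# to the cookie in the response (HAProxy doc, "Session state at disconnection").
SAMPLE_LOG = """\
Jul 20 09:51:28 lb haproxy[1234]: 192.0.2.10:51000 [20/Jul/2015:09:51:28.001] fe_app be_app/app1 1/0/2/40/43 200 512 - SESS=abc --NR 3/3/2/1/0 0/0 "GET /login HTTP/1.1"
Jul 20 09:51:30 lb haproxy[1234]: 192.0.2.10:51001 [20/Jul/2015:09:51:30.002] fe_app be_app/app1 1/0/1/12/14 200 220 SESS=app1~abc - --VN 3/3/2/1/0 0/0 "GET /home HTTP/1.1"
Jul 20 09:52:02 lb haproxy[1234]: 192.0.2.10:51002 [20/Jul/2015:09:52:02.003] fe_app be_app/app2 1/0/1/15/17 200 220 SESS=abc - --IN 3/3/2/1/0 0/0 "GET /home HTTP/1.1"
Jul 20 09:52:05 lb haproxy[1234]: 198.51.100.7:40010 [20/Jul/2015:09:52:05.004] fe_app be_app/app2 1/0/1/15/17 200 220 - - --NN 3/3/2/1/0 0/0 "GET /static/a.css HTTP/1.1"
"""
# Request-side (3rd char) and response-side (4th char) cookie flags.
REQ_COOKIE_FLAG = {"N": "no cookie", "I": "INVALID cookie, no known server",
                   "D": "cookie for a DOWN server", "V": "valid cookie",
                   "E": "expired cookie", "O": "too old cookie", "-": "n/a"}
RESP_COOKIE_FLAG = {"N": "no cookie from server, none inserted", "I": "inserted",
                    "U": "date updated", "P": "passed as-is from server",
                    "R": "rewritten/prefixed", "D": "deleted", "-": "n/a"}
LOG_RE = re.compile(
    r"(?P<client>\d+\.\d+\.\d+\.\d+):\d+ \[[^\]]+\] (?P<fe>\S+) (?P<be>\S+)/(?P<srv>\S+) "
    r"\S+ (?P<status>\d+) \d+ (?P<req_cookie>\S+) (?P<resp_cookie>\S+) (?P<term>\S{4}) ")

def parse_line(line):
    """Fields of one httplog line as a dict (client, srv, req_cookie, term, ...), or None."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def describe(rec):
    """Human-readable meaning of the two cookie flags of a parsed line."""
    return "request: %s; response: %s" % (REQ_COOKIE_FLAG.get(rec["term"][2], "?"),
                                          RESP_COOKIE_FLAG.get(rec["term"][3], "?"))

def cookie_timeline(log_text):
    """Per client IP, the ordered list of (server, request cookie, req flag, resp flag)."""
    timeline = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            timeline.setdefault(rec["client"], []).append(
                (rec["srv"], rec["req_cookie"], rec["term"][2], rec["term"][3]))
    return timeline

def invalid_cookie_clients(log_text):
    """Clients that presented an INVALID persistence cookie (flag I), with the count."""
    counts = Counter()
    for client, events in cookie_timeline(log_text).items():
        counts[client] = sum(1 for _, _, req_flag, _ in events if req_flag == "I")
    return {client: n for client, n in counts.items() if n}
```

In the constructed timeline the third line shows the situation Willy describes: the client sends the cookie without the server prefix, haproxy reports it as invalid (flag I), routes to another server, and no re-prefixing happens because the server did not emit the cookie again.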


