Re: Limit frontend bandwidth rate?
Hi Igor,

On Thu, May 02, 2013 at 02:40:05AM +0800, Igor wrote:
> Limit frontend bandwidth speed would be handy for some product environment,
> is this still planned in 1.5 dev?

no, it's marked for 1.6, not 1.5.

Willy

Re: Will splice disable l7 content switch?
On Thu, May 02, 2013 at 02:11:58PM +0800, Delta Yeh wrote:
> Hi,
> If splice is enabled, data won't be copied to user-space.
> Does it mean l7 and SNI related acl won't work as expected?

No, because splicing applies to the body, not to headers, so all L7 still works.

Willy

Re: SMTP load balancer.
Hi,

My answers inline.

> ##start
> listen tcp 0.0.0.0:225
>     mode tcp
>     option tcplog
>     balance leastconn
>     maxconn 1
>     server smtp1 192.168.25.1:25 maxconn 10
>     server smtp2 192.168.25.2:25 maxconn 10
> ##end
>
> So when I have more than 10 connections haproxy will try the second server.

No
It means no server will deal with more than 10 connections at a time.
If one of them reaches 10 connections, then all the new incoming connections will be sent to the other server until it reaches 10 connections. Then connections are queued, waiting for a server to finish processing some requests.

The leastconn algorithm just means that HAProxy will deliver the next request to the server with the fewest active connections at the moment it has to choose the server to open the new connection.

> Eliezer

Baptiste

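The behaviour Baptiste describes (leastconn choice, a per-server maxconn cap, then queueing) modelled as a small Python simulation. This is an added example, not code from the thread or from HAProxy; the class names, the connection ids and the tie-break rule (the first declared server wins a tie) are assumptions made for illustration.

```python
from collections import deque


class Server:
    def __init__(self, name, maxconn):
        self.name, self.maxconn, self.active = name, maxconn, 0


class LeastConnBackend:
    """Toy model of 'balance leastconn' with per-server maxconn and one queue."""

    def __init__(self, servers):
        self.servers = servers
        self.queue = deque()   # connections waiting for a free slot
        self.placed = {}       # connection id -> Server

    def connect(self, conn_id):
        # Only servers below their own maxconn are eligible.
        free = [s for s in self.servers if s.active < s.maxconn]
        if not free:
            self.queue.append(conn_id)
            return "queued"
        # Fewest active connections wins; ties go to the first declared
        # server (an assumption of this model).
        target = min(free, key=lambda s: s.active)
        target.active += 1
        self.placed[conn_id] = target
        return target.name

    def close(self, conn_id):
        # A freed slot is handed to the oldest queued connection, if any.
        srv = self.placed.pop(conn_id)
        srv.active -= 1
        if self.queue:
            waiting = self.queue.popleft()
            srv.active += 1
            self.placed[waiting] = srv
            return waiting, srv.name
        return None

    def load(self):
        return {s.name: s.active for s in self.servers}


def simulate():
    # Mirrors the two 'server ... maxconn 10' lines of the quoted config.
    be = LeastConnBackend([Server("smtp1", 10), Server("smtp2", 10)])
    for i in range(10):
        be.connect(i)
    after_10 = be.load()          # load is spread, smtp1 is not filled first
    for i in range(10, 25):
        be.connect(i)
    after_25 = be.load()          # both servers capped at 10
    queued = len(be.queue)        # the remaining connections wait
    handoff = be.close(0)         # connection 0 was placed on smtp1
    return after_10, after_25, queued, handoff, len(be.queue)


if __name__ == "__main__":
    after_10, after_25, queued, handoff, left = simulate()
    print("after 10 connections:", after_10)
    print("after 25 connections:", after_25, "queued:", queued)
    print("slot freed, handed to:", handoff, "still queued:", left)
```

The first ten connections end up split between the two servers rather than filling smtp1 and then spilling to smtp2, which is the difference between what the configuration does and what the question assumed.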
Will splice disable l7 content switch?
Hi,
If splice is enabled, data won't be copied to user-space.
Does it mean l7 and SNI related acl won't work as expected?

BR,
DeltaY

Re: SMTP load balancer.
On 5/2/2013 6:14 AM, Godbach wrote:

Hi, Eliezer

It seems that smtp1 and smtp2 have the same IP:Port
> server smtp1 192.168.25.1:25 maxconn 10
> server smtp2 192.168.25.1:25 maxconn 10

Indeed.
I noticed that but forgot to fix it while quoting from the new mail

##start
listen tcp 0.0.0.0:225
    mode tcp
    option tcplog
    balance leastconn
    maxconn 1
    server smtp1 192.168.25.1:25 maxconn 10
    server smtp2 192.168.25.2:25 maxconn 10
##end

So when I have more than 10 connections haproxy will try the second server.

Eliezer

Re: SMTP load balancer.
On 5/2/2013 5:46 AM, Godbach wrote:

On 5/1/2013 8:39 AM, Bryan Talbot wrote:

Looks like you've listed the same IP address twice.

-Bryan

Typo, Thanks. How have I missed that??

Eliezer

Hi, Eliezer

You can use roundrobin instead of leastconn as below:

listen tcp 0.0.0.0:225
    mode tcp
    option tcplog
    balance roundrobin
    ...

Then have a try. :-)

Godbach

Thanks, I have used the roundrobin.
There is another factor in the picture:

##start
listen tcp 0.0.0.0:225
    mode tcp
    option tcplog
    balance leastconn
    maxconn 1
    server smtp1 192.168.25.1:25 maxconn 10
    server smtp2 192.168.25.1:25 maxconn 10
##end

the maxconn is causing the first to be with high load and the other one to be with lower load which is what we want to achieve.

Eliezer

Hi, Eliezer

It seems that smtp1 and smtp2 have the same IP:Port
> server smtp1 192.168.25.1:25 maxconn 10
> server smtp2 192.168.25.1:25 maxconn 10

Transparent TCP LoadBalancing on FreeBSD
Dear Users,

sorry if I open a new thread, but I really want to solve this problem..

I managed to compile haproxy via port using TPROXY:

haproxy -vv
HA-Proxy version 1.5-dev18 2013/04/03
Copyright 2000-2013 Willy Tarreau

Build options :
  TARGET = freebsd
  CPU = generic
  CC = cc
  CFLAGS = -O2 -pipe -fno-strict-aliasing -DFREEBSD_PORTS
  OPTIONS = USE_TPROXY=1 USE_GETADDRINFO=1 USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 0.9.8y 5 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes

but when I started the service with the "source 0.0.0.0 usesrc clientip" option, haproxy won't start, with this message:

parsing [/usr/local/etc/haproxy.conf:28] : 'usesrc' not allowed here because support for TPROXY was not compiled in.

What should I do to make haproxy compile with the transparent option?

Rgds
ZeN

Re: SMTP load balancer.
On 5/2/2013 5:46 AM, Godbach wrote:

On 5/1/2013 8:39 AM, Bryan Talbot wrote:

Looks like you've listed the same IP address twice.

-Bryan

Typo, Thanks. How have I missed that??

Eliezer

Hi, Eliezer

You can use roundrobin instead of leastconn as below:

listen tcp 0.0.0.0:225
    mode tcp
    option tcplog
    balance roundrobin
    ...

Then have a try. :-)

Godbach

Thanks, I have used the roundrobin.
There is another factor in the picture:

##start
listen tcp 0.0.0.0:225
    mode tcp
    option tcplog
    balance leastconn
    maxconn 1
    server smtp1 192.168.25.1:25 maxconn 10
    server smtp2 192.168.25.1:25 maxconn 10
##end

the maxconn is causing the first to be with high load and the other one to be with lower load which is what we want to achieve.

Eliezer

Re: SMTP load balancer.
On 5/1/2013 8:39 AM, Bryan Talbot wrote:

Looks like you've listed the same IP address twice.

-Bryan

Typo, Thanks. How have I missed that??

Eliezer

Hi, Eliezer

You can use roundrobin instead of leastconn as below:

listen tcp 0.0.0.0:225
    mode tcp
    option tcplog
    balance roundrobin
    ...

Then have a try. :-)

Godbach

Limit frontend bandwidth rate?
Limit frontend bandwidth speed would be handy for some product environment, is this still planned in 1.5 dev?

Bests,
-Igor

Re: Create ACL from a string comparison to a file content
In fact we are reloading haproxy very often since we manage dynamic backend instances based on an AWS EC2 cluster which shrinks and grows according to load.

We manage the config file in puppet, that's why we need some form of external data source which won't be bound to puppet, otherwise the agent will revert any changes we do to it.

Once we change this value we will reload haproxy, and we need this value to stay even in case there are other reloads while we put the "maintenanceMode" switch to on, maybe there are better and easier solutions for this.

2013/5/1 Willy Tarreau

> Hi Maxime,
>
> On Wed, May 01, 2013 at 11:27:52AM -0400, Maxime Ducharme wrote:
> > Hello
> >
> > I am trying to create an ACL on 1.4 version where the criterion would be a
> > simple string but not sure it is possible.
> >
> > something similar to this :
> > acl maintenanceMode -f /etc/haproxy/maintenance.mode on
> > acl maintenanceMode on -f /etc/haproxy/maintenance.mode
> >
> > I'd like to compare the string "on" from the content of a file without luck
> > yet, someone has an idea ?
>
> It does not do what you wrote unfortunately. Haproxy can load patterns from
> a file upon startup and append them to the other patterns declared on the
> same line. So basically "-f /etc/haproxy/maintenance.mode on" will match
> all patterns from maintenance.mode and "on" against whatever you use the
> ACL with.
>
> At the moment there is no way to fetch constant data to compare to patterns,
> though that can easily be done on 1.5. I think I can add some fetches to do
> that as well as for using environment variables.
>
> However you need to keep in mind that matching against patterns from files
> only happens once when you reload the config, so I'm not certain this is
> what you need.
>
> Willy

Re: Create ACL from a string comparison to a file content
Hi Maxime,

On Wed, May 01, 2013 at 11:27:52AM -0400, Maxime Ducharme wrote:
> Hello
>
> I am trying to create an ACL on 1.4 version where the criterion would be a
> simple string but not sure it is possible.
>
> something similar to this :
> acl maintenanceMode -f /etc/haproxy/maintenance.mode on
> acl maintenanceMode on -f /etc/haproxy/maintenance.mode
>
> I'd like to compare the string "on" from the content of a file without luck
> yet, someone has an idea ?

It does not do what you wrote unfortunately. Haproxy can load patterns from a file upon startup and append them to the other patterns declared on the same line. So basically "-f /etc/haproxy/maintenance.mode on" will match all patterns from maintenance.mode and "on" against whatever you use the ACL with.

At the moment there is no way to fetch constant data to compare to patterns, though that can easily be done on 1.5. I think I can add some fetches to do that as well as for using environment variables.

However you need to keep in mind that matching against patterns from files only happens once when you reload the config, so I'm not certain this is what you need.

Willy

Create ACL from a string comparison to a file content
Hello

I am trying to create an ACL on 1.4 version where the criterion would be a simple string but not sure it is possible.

something similar to this :
acl maintenanceMode -f /etc/haproxy/maintenance.mode on
acl maintenanceMode on -f /etc/haproxy/maintenance.mode

I'd like to compare the string "on" from the content of a file without luck yet, someone has an idea ?

Thanks

Re: HA Proxy FTP Load Balancing Timeout
Thanks Ben! I would certainly explore more on these lines and let you know.

Thanks again.

Regards,
Alok

From: Ben Timby
To: Alok Kumar
Cc: "haproxy@formilux.org"
Sent: Wednesday, May 1, 2013 11:08 AM
Subject: Re: HA Proxy FTP Load Balancing Timeout

Alok,

Sorry have been out of the office for a while.

You could try increasing the clitimeout and srctimeout values in your defaults section. These values are ninety and one hundred and twenty seconds respectively. My guess is that tcpka has no effect on "activity" from haproxy's point of view as this tcp traffic would be generated by haproxy itself.

Also, after seeing your config, I realize why I was confused. I load balance FTP as well, but I ONLY load balance the command channel via haproxy. The data channels are handled directly by NAT rules. I wrote up my method here:

http://ben.timby.com/?page_id=210

The nice thing about this method is that haproxy is still able to distribute load pretty evenly by "user session" not by individual connection. Also, the heavy lifting of transferring large files is then handled in the kernel by netfilter rather than by haproxy. Additionally this means that time outs enforced by haproxy only apply to the command channel, and do not affect the data channels.

Re: HA Proxy FTP Load Balancing Timeout
Alok,

Sorry have been out of the office for a while.

You could try increasing the clitimeout and srctimeout values in your defaults section. These values are ninety and one hundred and twenty seconds respectively. My guess is that tcpka has no effect on "activity" from haproxy's point of view as this tcp traffic would be generated by haproxy itself.

Also, after seeing your config, I realize why I was confused. I load balance FTP as well, but I ONLY load balance the command channel via haproxy. The data channels are handled directly by NAT rules. I wrote up my method here:

http://ben.timby.com/?page_id=210

The nice thing about this method is that haproxy is still able to distribute load pretty evenly by "user session" not by individual connection. Also, the heavy lifting of transferring large files is then handled in the kernel by netfilter rather than by haproxy. Additionally this means that time outs enforced by haproxy only apply to the command channel, and do not affect the data channels.

Re: trouble building on solaris
Hi Keith,

On Wed, May 01, 2013 at 12:49:38PM +0100, Anderson Keith wrote:
> I've taken the snapshot haproxy-ss-20130429 and removed the include entries
> from the files above. gcc spat out a couple of warnings (below) but it
> compiles and doesn't core dump when executed. Initial testing with our
> configurations would show that it works as expected.

Great!

> Many thanks for your help
>
> Keith
>
> Vis:
> $ cd haproxy-ss-20130429
> $ gmake TARGET=solaris CPU=ultrasparc USE_STATIC_PCRE=1 USE_OPENSSL=1
> USE_ZLIB=yes
>
> gcc -Iinclude -Iebtree -Wall -O6 -mcpu=v9 -mtune=ultrasparc -g
> -fno-strict-aliasing -fomit-frame-pointer -DFD_SETSIZE=65536 -D_REENTRANT
> -DTPROXY -DCONFIG_HAP_CRYPT -DNEED_CRYPT_H -DUSE_GETADDRINFO -DUSE_ZLIB
> -DENABLE_POLL -DUSE_OPENSSL -DUSE_PCRE -I/usr/local/include
> -DCONFIG_HAPROXY_VERSION=\"1.5-dev18\" -DCONFIG_HAPROXY_DATE=\"2013/04/03\"
> -c -o src/ssl_sock.o src/ssl_sock.c
> src/ssl_sock.c: In function `ssl_sock_infocbk':
> src/ssl_sock.c:92: warning: passing arg 1 of `SSL_get_ex_data' discards
> qualifiers from pointer target type
> src/ssl_sock.c: In function `__ssl_sock_init':
> src/ssl_sock.c:3203: warning: implicit declaration of function
> `SSL_COMP_get_compression_methods'
> src/ssl_sock.c:3203: warning: assignment makes pointer from integer without a
> cast
> gcc -Iinclude -Iebtree -Wall -O6 -mcpu=v9 -mtune=ultrasparc -g
> -fno-strict-aliasing -fomit-frame-pointer -DFD_SETSIZE=65536 -D_REENTRANT
> -DTPROXY -DCONFIG_HAP_CRYPT -DNEED_CRYPT_H -DUSE_GETADDRINFO -DUSE_ZLIB
> -DENABLE_POLL -DUSE_OPENSSL -DUSE_PCRE -I/usr/local/include
> -DCONFIG_HAPROXY_VERSION=\"1.5-dev18\" -DCONFIG_HAPROXY_DATE=\"2013/04/03\"
> -c -o src/shctx.o src/shctx.c
> src/shctx.c: In function `shctx_get_cb':
> src/shctx.c:460: warning: passing arg 2 of `d2i_SSL_SESSION' from
> incompatible pointer type

I think you're on an old openssl version, I'm used to have the exact same warnings when building with openssl-0.9.6.

Willy

RE: trouble building on solaris
Hi Willy,

> > Blindly removing the #include from checks.c and
> > haproxy-systemd-wrapper.c does get a binary compilation but also an
> > (unsurprisingly) eventual core dump.
>
> It should not cause any error, the stdbool you pointed were not used at
> all, so you're facing a different error.
>
> Would you please download the latest snapshot, we fixed a number of
> bugs that may or may not be responsible for this. If you still get the
> core, please run it through gdb and issue a "bt full" so that we can
> get an idea of what is causing it. At least it works on my old Ultra5
> under solaris 8.
>
> Thanks,
> Willy

I've taken the snapshot haproxy-ss-20130429 and removed the include entries from the files above. gcc spat out a couple of warnings (below) but it compiles and doesn't core dump when executed. Initial testing with our configurations would show that it works as expected.

Many thanks for your help

Keith

Vis:
$ cd haproxy-ss-20130429
$ gmake TARGET=solaris CPU=ultrasparc USE_STATIC_PCRE=1 USE_OPENSSL=1 USE_ZLIB=yes
gcc -Iinclude -Iebtree -Wall -O6 -mcpu=v9 -mtune=ultrasparc -g -fno-strict-aliasing -fomit-frame-pointer -DFD_SETSIZE=65536 -D_REENTRANT -DTPROXY -DCONFIG_HAP_CRYPT -DNEED_CRYPT_H -DUSE_GETADDRINFO -DUSE_ZLIB -DENABLE_POLL -DUSE_OPENSSL -DUSE_PCRE -I/usr/local/include -DCONFIG_HAPROXY_VERSION=\"1.5-dev18\" -DCONFIG_HAPROXY_DATE=\"2013/04/03\" -c -o src/ssl_sock.o src/ssl_sock.c
src/ssl_sock.c: In function `ssl_sock_infocbk':
src/ssl_sock.c:92: warning: passing arg 1 of `SSL_get_ex_data' discards qualifiers from pointer target type
src/ssl_sock.c: In function `__ssl_sock_init':
src/ssl_sock.c:3203: warning: implicit declaration of function `SSL_COMP_get_compression_methods'
src/ssl_sock.c:3203: warning: assignment makes pointer from integer without a cast
gcc -Iinclude -Iebtree -Wall -O6 -mcpu=v9 -mtune=ultrasparc -g -fno-strict-aliasing -fomit-frame-pointer -DFD_SETSIZE=65536 -D_REENTRANT -DTPROXY -DCONFIG_HAP_CRYPT -DNEED_CRYPT_H -DUSE_GETADDRINFO 
-DUSE_ZLIB -DENABLE_POLL -DUSE_OPENSSL -DUSE_PCRE -I/usr/local/include -DCONFIG_HAPROXY_VERSION=\"1.5-dev18\" -DCONFIG_HAPROXY_DATE=\"2013/04/03\" -c -o src/shctx.o src/shctx.c
src/shctx.c: In function `shctx_get_cb':
src/shctx.c:460: warning: passing arg 2 of `d2i_SSL_SESSION' from incompatible pointer type

Re: trouble building on solaris
On Wed, May 01, 2013 at 05:49:20PM +0900, Simon Horman wrote:
> On Wed, May 01, 2013 at 10:15:00AM +0200, Willy Tarreau wrote:
> > Hi Keith,
> >
> > On Tue, Apr 30, 2013 at 09:39:12AM +, keith anderson wrote:
> > > Benjamin Polidore writes:
> > >
> > > > sorry, this is 1.5 dev 14.
> > > >
> > > > thanks.On Wed, Dec 5, 2012 at 9:17 AM, Benjamin Polidore
> > > wrote:
> > > > src/proxy.c:46: error: initializer element is not constant
> > >
> > > Hi Willy,
> > >
> > > It seems that this issue has crept into the latest haproxy-1.5-dev18
> > > release.
> >
> > indeed :-(
> >
> > I'm CCing Simon and Marc-Antoine who last included stdbool. We fixed this
> > already in the past, so I have now added a notice about this in the readme.
>
> Sorry about that.

You don't have to be sorry Simon, we discover lots of surprises when porting to other OSes, such as Solaris' implementation of isalnum() etc... as macros that don't work as expected on chars, or AIX using unsigned chars by default leading to funny behaviour where that was not expected. This is annoying at first but in the end it teaches us how to write more portable code.

> Is the implication that bool, true and false shouldn't be used in haproxy?

Yes that's exactly this. I've added a few lines on this in the readme because it's not the first time people get trapped and we can't expect them to be aware of it if it's not documented anywhere.

Thanks!
Willy

Re: trouble building on solaris
On Wed, May 01, 2013 at 10:15:00AM +0200, Willy Tarreau wrote:
> Hi Keith,
>
> On Tue, Apr 30, 2013 at 09:39:12AM +, keith anderson wrote:
> > Benjamin Polidore writes:
> >
> > > sorry, this is 1.5 dev 14.
> > >
> > > thanks.On Wed, Dec 5, 2012 at 9:17 AM, Benjamin Polidore
> > wrote:
> > > src/proxy.c:46: error: initializer element is not constant
> >
> > Hi Willy,
> >
> > It seems that this issue has crept into the latest haproxy-1.5-dev18
> > release.
>
> indeed :-(
>
> I'm CCing Simon and Marc-Antoine who last included stdbool. We fixed this
> already in the past, so I have now added a notice about this in the readme.

Sorry about that.

Is the implication that bool, true and false shouldn't be used in haproxy?

> Stdbool is not portable, it does not properly work on some OS/gcc
> combinations, we need to be careful about it.
>
> > gcc -Iinclude -Iebtree -Wall -O2 -g -fno-strict-aliasing
> > -fomit-frame-pointer -DFD_SETSIZE=65536 -D_REENTRANT -DTPROXY
> > -DCONFIG_HAP_CRYPT -DNEED_CRYPT_H -DUSE_GETADDRINFO -DENABLE_POLL
> > -DCONFIG_HAPROXY_VERSION=\"1.5-dev18\" -DCONFIG_HAPROXY_DATE=\"2013/04/03\"
> > -c -o src/checks.o src/checks.c
> > In file included from src/checks.c:28:
> > /usr/include/stdbool.h:42:2: #error "Use of is valid only in a
> > c99 compilation environment."
> > gmake: *** [src/checks.o] Error 1
> >
> > Blindly removing the #include from checks.c and
> > haproxy-systemd-wrapper.c does get a binary compilation but also an
> > (unsurprisingly) eventual core dump.
>
> It should not cause any error, the stdbool you pointed were not used at
> all, so you're facing a different error.
>
> Would you please download the latest snapshot, we fixed a number of bugs
> that may or may not be responsible for this. If you still get the core,
> please run it through gdb and issue a "bt full" so that we can get an
> idea of what is causing it. At least it works on my old Ultra5 under
> solaris 8.
>
> Thanks,
> Willy

Re: trouble building on solaris
Hi Keith,

On Tue, Apr 30, 2013 at 09:39:12AM +, keith anderson wrote:
> Benjamin Polidore writes:
>
> > sorry, this is 1.5 dev 14.
> >
> > thanks.On Wed, Dec 5, 2012 at 9:17 AM, Benjamin Polidore
> wrote:
> > src/proxy.c:46: error: initializer element is not constant
>
> Hi Willy,
>
> It seems that this issue has crept into the latest haproxy-1.5-dev18 release.

indeed :-(

I'm CCing Simon and Marc-Antoine who last included stdbool. We fixed this already in the past, so I have now added a notice about this in the readme.

Stdbool is not portable, it does not properly work on some OS/gcc combinations, we need to be careful about it.

> gcc -Iinclude -Iebtree -Wall -O2 -g -fno-strict-aliasing
> -fomit-frame-pointer -DFD_SETSIZE=65536 -D_REENTRANT -DTPROXY
> -DCONFIG_HAP_CRYPT -DNEED_CRYPT_H -DUSE_GETADDRINFO -DENABLE_POLL
> -DCONFIG_HAPROXY_VERSION=\"1.5-dev18\" -DCONFIG_HAPROXY_DATE=\"2013/04/03\"
> -c -o src/checks.o src/checks.c
> In file included from src/checks.c:28:
> /usr/include/stdbool.h:42:2: #error "Use of is valid only in a
> c99 compilation environment."
> gmake: *** [src/checks.o] Error 1
>
> Blindly removing the #include from checks.c and
> haproxy-systemd-wrapper.c does get a binary compilation but also an
> (unsurprisingly) eventual core dump.

It should not cause any error, the stdbool you pointed were not used at all, so you're facing a different error.

Would you please download the latest snapshot, we fixed a number of bugs that may or may not be responsible for this. If you still get the core, please run it through gdb and issue a "bt full" so that we can get an idea of what is causing it. At least it works on my old Ultra5 under solaris 8.

Thanks,
Willy