Re: Problems with long connect times

2009-10-12 Thread Hank A. Paulson 

A couple of guesses you might look at -
I have found the stats page to show deceptively low numbers at times.
You might want to check the http log stats that show the 
global/frontend/backend queue numbers around the time those requests. My guess 
is that the cases where you are seeing 3 second times it is that the backends 
are slow to connect or they have reached maxconn. Also, you might want to 
double check that the clients are sending the requests in a timely fashion.


netstat -ant | wc -l

do you have conntrack running as in the recent situation here on the ml?
Any other messages in /var/log/messages?
netstat -s have any growing stats?

I assume you have lots backends if they are all at only maxconn 20


On 10/12/09 5:15 PM, Jonah Horowitz wrote:

I’m having a problem where occasionally under load, the time to complete
the tcp handshake is taking much longer than it should:

Picture (Device Independent Bitmap)

My suspicion is that the number of connections available to the haproxy
server are some how constrained and it can’t answer connections for a
moment. I’m not sure how to debug this. Has anyone else seen something
like this?

According to the haproxy stats page, I’ve never come close to my
connection limit. I’m using about 1000 concurrent connections and my
request rate maxes out at 4400 requests per second. I’m not seeing any
messages in dmesg or my /var/log/messages.

I’m running 1.4-dev3 on Linux 2.6.30.5. My config is below:

TIA,

Jonah

--- compile options ---

make USE_REGPARM=1 USE_STATIC_PCRE=1 USE_LINUX_SPLICE=1 TARGET=linux26
CPU_CFLAGS='-O2 -march=x86-64 -m64'

--- config ---

global

maxconn 2000

pidfile /usr/pkg/haproxy/run/haproxy.pid

stats socket /usr/pkg/haproxy/run/stats

log /usr/pkg/haproxy/jail/log daemon

user daemon

group daemon

defaults

timeout queue 3000

timeout server 3000

timeout client 3000

timeout connect 3000

option splice-auto

frontend stats

bind :8080

mode http

use_backend stats if TRUE

backend stats

mode http

stats enable

stats uri /stats

stats refresh 5s

frontend query

log global

option dontlog-normal

option httplog

bind :80

mode http

use_backend query if TRUE

backend query

mode http

balance roundrobin

option httpchk GET /r?q=LOOKSMARTKEYWORDLISTINGMONITOR&isp=DROPus

option forwardfor

option httpclose

server foo1 foo1:8080 weight 150 maxconn 20 check inter 1000 rise 2 fall 1

server foo2 foo2:8080 weight 150 maxconn 20 check inter 1000 rise 2 fall 1

server foo2 foo3:8080 weight 150 maxconn 20 check inter 1000 rise 2 fall 1

…

Re: multiple applications using HAproxy LB

2009-10-12 Thread Aleksandar Lazic 

On Mon 12.10.2009 14:42, Ryan Schlesinger wrote:


It sounds like what you really want is to put apache (or some other
web server) in front of haproxy to do name based virtual hosting.
Requests for your two domains would work like this:

client -> apache:80 (domain1 virtual host) -> haproxy:8080
client -> apache:80 (domain2 virtual host) -> haproxy:8081

I'm using mod_rewrite in different virtual hosts to proxy requests to
haproxy in exactly this way.  Also, in this setup, a request to
http://ec2XX.compute-1.amazonaws.com
/xhaproxy214591
 would be
caught by your first (default) virtual host and proxied correctly to
haproxy.


How about to use

http://haproxy.1wt.eu/download/1.3/doc/configuration.txt
7.5.3. Matching at Layer 7

###
frontend public
 bind :80
.
.
.
acl dom1 path_dom domain1
acl dom2 path_dom domain2
acl domN path_dom domainN

use_backend bd1 if dom1
use_backend bd2 if dom2
use_backend bdN if domN
use_backend default

backend bd1
.
.

backend bd2
.
.

backend bdN
.
.

backend default
.
.
###

In the src you can find an example in examples/acl-content-sw.cfg


I hope I understood your question correctly.


M2.

Hth

Aleks


On 10/12/2009 02:30 PM, Xia Jiang wrote:


Hello,

I have a question regarding configuration for multiple applications using 
Haproxy.


What I want: use Haproxy to handle LB among multiple instances, which each 
instance can have more than one servers.


What I have:

~~~

# Configuration for one application:

listen domain1 :8080

mode http

balance roundrobin

option httpclose

option forwardfor

stats uri /xhaproxy214591

option httpchk GET /healthcheck214591.php

# Example server line (with optional cookie and check included)

server i-41319a29 10.251.75.47:80 check inter 3000 rise 2 fall 3 
maxconn 650


server i-41319a29 10.251.75.48:80 check inter 3000 rise 2 fall 3 
maxconn 650


listen domain2 :8081

mode http

balance roundrobin

option httpclose

option forwardfor

stats uri /xhaproxy214591

option httpchk GET /healthcheck214591.php

# Example server line (with optional cookie and check included)

server i-71319a19 10.208.217.220:80 check inter 3000 rise 2 fall 3 
maxconn 650


server i-71319a19 10.208.218.220:80 check inter 3000 rise 2 fall 3 
maxconn 650


Question:

1. Do I have to set the one of the application port numbers to be 80? 
Otherwise it won't show me the status page.


2. By setting one of the port number to be "80", I can't access the other 
application.


i.e, by setting domain1 port number to be 80, by hitting 
http://ec2XX.compute-1.amazonaws.com, I can see the index page of 
"10.251.75.47" or "10.251.75.48" but I can't view "10.208.217.220" or 
"10.208.218.220" by hitting 
http://ec2XX.compute-1.amazonaws.com:8081


Thanks!

Your answer will be greatly appreciated.

Xia

Re: multiple applications using HAproxy LB

2009-10-12 Thread Ryan Schlesinger 
It sounds like what you really want is to put apache (or some other web 
server) in front of haproxy to do name based virtual hosting.  Requests 
for your two domains would work like this:


client -> apache:80 (domain1 virtual host) -> haproxy:8080
client -> apache:80 (domain2 virtual host) -> haproxy:8081

I'm using mod_rewrite in different virtual hosts to proxy requests to 
haproxy in exactly this way.  Also, in this setup, a request to 
http://ec2XX.compute-1.amazonaws.com 
/xhaproxy214591 
 would be 
caught by your first (default) virtual host and proxied correctly to 
haproxy.


I hope I understood your question correctly.

Ryan

On 10/12/2009 02:30 PM, Xia Jiang wrote:


Hello,

I have a question regarding configuration for multiple applications 
using Haproxy.


What I want: use Haproxy to handle LB among multiple instances, which 
each instance can have more than one servers.


What I have:

~~~

# Configuration for one application:

listen domain1 :8080

mode http

balance roundrobin

option httpclose

option forwardfor

stats uri /xhaproxy214591

option httpchk GET /healthcheck214591.php

# Example server line (with optional cookie and check included)

server i-41319a29 10.251.75.47:80 check inter 3000 rise 2 fall 
3 maxconn 650


server i-41319a29 10.251.75.48:80 check inter 3000 rise 2 fall 
3 maxconn 650


listen domain2 :8081

mode http

balance roundrobin

option httpclose

option forwardfor

stats uri /xhaproxy214591

option httpchk GET /healthcheck214591.php

# Example server line (with optional cookie and check included)

server i-71319a19 10.208.217.220:80 check inter 3000 rise 2 
fall 3 maxconn 650


server i-71319a19 10.208.218.220:80 check inter 3000 rise 2 
fall 3 maxconn 650


Question:

1. Do I have to set the one of the application port numbers to be 80? 
Otherwise it won't show me the status page.


2. By setting one of the port number to be "80", I can't access the 
other application.


i.e, by setting domain1 port number to be 80, by hitting 
http://ec2XX.compute-1.amazonaws.com, I can see the index page 
of "10.251.75.47" or "10.251.75.48" but I can't view "10.208.217.220" 
or "10.208.218.220" by hitting 
http://ec2XX.compute-1.amazonaws.com:8081


Thanks!

Your answer will be greatly appreciated.

Xia

[PATCH] [MINOR] CSS & HTML fun

2009-10-12 Thread Krzysztof Piotr Oledzki 
>From 6fc49b084ad0f4513c36418dfac1cf1046af66da Mon Sep 17 00:00:00 2001
From: Krzysztof Piotr Oledzki 
Date: Mon, 12 Oct 2009 23:09:08 +0200
Subject: [MINOR] CSS & HTML fun

This patch makes stats page about 30% smaller and
"CSS 2.1" + "HTML 4.01 Transitional" compliant.

There should be no visible differences.

Changes:
 - add DOCTYPE for HTML 4.01 Transitional
 - add missing 
 - remove cols=, AFAIK no modern browser support this property and
   it prevents validation to pass.
 - remove "align: center": there is no such property in css. There is
   however "text-align: center" but it is definitely not what we would
   like to see here.
 - by default align .titre to center
 - by default align .td to right
 - remove all align=right, no longer necessary
 - add class=ac (align center): shorter than "align=center" and use it when
   necessary
 - remove nowrap from td, instead use "white-space: nowrap" in css

Now stats page passes W3C validators for HTML & CSS. We may consider adding
"validated" icons from www.w3.org. ;)
---
 src/dumpstats.c |  128 --
 1 files changed, 66 insertions(+), 62 deletions(-)

diff --git a/src/dumpstats.c b/src/dumpstats.c
index 510d0d2..849e2da 100644
--- a/src/dumpstats.c
+++ b/src/dumpstats.c
@@ -907,6 +907,8 @@ int stats_dump_http(struct session *s, struct buffer *rep, 
struct uri_auth *uri)
if (!(s->data_ctx.stats.flags & STAT_FMT_CSV)) {
/* WARNING! This must fit in the first buffer !!! */

chunk_printf(&msg,
+"http://www.w3.org/TR/html4/loose.dtd\";>\n"
 "Statistics Report for " 
PRODUCT_NAME "%s%s\n"
 "\n"
 "

Re: Small patch for the "appsession" feature

2009-10-12 Thread Aleksandar Lazic 

Hi Cyril,

good catch.

On Mon 12.10.2009 23:03, Cyril Bonté wrote:

Hello,
as discussed previously with Willy Tarreau, I'd like to propose a patch
for the appsession code.
This patch has 2 goals :


[snipp]


diff -Naur haproxy-1.4-dev4/src/proto_http.c 
haproxy-1.4-dev4-appsession/src/proto_http.c
+++ haproxy-1.4-dev4-appsession/src/proto_http.c2009-10-12 
21:56:38.0 +0200
@@ -3557,6 +3557,71 @@


/*
+ * Try to retrieve the server associated to the appsession.
+ * If the server is found, it's assigned to the session.
+ */
+void manage_client_side_appsession(struct session *t, char *buf) {


[snipp]


+}
+
+/*
-#if defined(DEBUG_HASH)
-   Alert("manage_client_side_cookies\n");
-   
appsession_hash_dump(&(t->be->htbl_proxy));
-#endif


After a quick look I think it would be nice to dump  the sessions also
in the client.

BR

Aleks

Small patch for the "appsession" feature

2009-10-12 Thread Cyril Bonté 
Hello,
as discussed previously with Willy Tarreau, I'd like to propose a patch for the 
appsession code.
This patch has 2 goals :

1. I wanted to test the appsession feature with a small PHP code, using 
PHPSESSID.
The problem is that when PHP gets an unknown session id, it creates a new one 
with this ID.
So, when sending an unknown session to PHP, persistance is broken : haproxy 
won't see any new cookie in the response and will never attach this session to 
a specific server.
This also apen when you restart haproxy : the internal hash becomes empty and 
all sessions loose their persistance (load balancing the requests on all 
backend servers, creating a new session on each one).
For a user, it's like the service is unusable.

The patch modifies the code to make haproxy also learn the persistance from the 
client :
if no session is sent from the server, then the session id found in the client 
part (using the URI or the client cookie) is used to associated the server that 
gave the response.

As it's probably not a feature usable in all cases, I added an option to enable 
it (by default it's disabled).
The syntax of appsession becomes :
appsession  len  timeout  [request-learn]

This helps haproxy repair the persistance (with the risk of losing its session 
at the next request, as the user will probably not be load balanced to the same 
server the first time).

2. This patch also tries to reduce the memory usage.
Here is a little example to explain the current behaviour :
- Take a Tomcat server where /session.jsp is valid.
- Send a request using a cookie with an unknown value AND a path parameter with 
another unknown value :
curl -b "JSESSIONID=12345678901234567890123456789012" 
http:///session.jsp;jsessionid=0001
(I know, it's unexpected to have a request like that on a live service)
Here, haproxy finds the URI session ID and stores it in its internal hash (with 
no server associated)
But it also finds the cookie session ID and stores it again.
- As a result, session.jsp sends a new session ID also stored in the internal 
hash, with a server associated.

=> For 1 request, haproxy has stored 3 entries, with only 1 which will be usable

The patch modifies the behaviour to store only 1 entry (maximum).

In attachment, a patch file for haproxy-1.4-dev4.

I hope this helps.

--
Cyril Bonté
diff -Naur haproxy-1.4-dev4/include/proto/proto_http.h haproxy-1.4-dev4-appsession/include/proto/proto_http.h
--- haproxy-1.4-dev4/include/proto/proto_http.h	2009-10-12 06:40:53.0 +0200
+++ haproxy-1.4-dev4-appsession/include/proto/proto_http.h	2009-10-12 21:23:38.0 +0200
@@ -74,6 +74,7 @@
 int apply_filter_to_req_line(struct session *t, struct buffer *req, struct hdr_exp *exp);
 int apply_filters_to_request(struct session *t, struct buffer *req, struct hdr_exp *exp);
 int apply_filters_to_response(struct session *t, struct buffer *rtr, struct hdr_exp *exp);
+void manage_client_side_appsession(struct session *t, char *buf);
 void manage_client_side_cookies(struct session *t, struct buffer *req);
 void manage_server_side_cookies(struct session *t, struct buffer *rtr);
 void check_response_for_cacheability(struct session *t, struct buffer *rtr);
diff -Naur haproxy-1.4-dev4/include/types/proxy.h haproxy-1.4-dev4-appsession/include/types/proxy.h
--- haproxy-1.4-dev4/include/types/proxy.h	2009-10-12 06:40:53.0 +0200
+++ haproxy-1.4-dev4-appsession/include/types/proxy.h	2009-10-12 21:24:42.0 +0200
@@ -124,6 +124,9 @@
 #define PR_O2_INDEPSTR	0x1000	/* independant streams, don't update rex on write */
 #define PR_O2_SOCKSTAT	0x2000	/* collect & provide separate statistics for sockets */
 
+/* bits for proxy->appsession_options */
+#define PR_O_AS_REQL	0x0001  /* learn the session id from the request */
+
 struct error_snapshot {
 	struct timeval when;		/* date of this event, (tv_sec == 0) means "never" */
 	unsigned int len;		/* original length of the last invalid request/response */
@@ -177,6 +180,7 @@
 	char *appsession_name;			/* name of the cookie to look for */
 	int  appsession_name_len;		/* strlen(appsession_name), computed only once */
 	int  appsession_len;			/* length of the appsession cookie value to be used */
+	int  appsession_options;		/* options for appsession */
 	struct appsession_hash htbl_proxy;	/* Per Proxy hashtable */
 	char *capture_name;			/* beginning of the name of the cookie to capture */
 	int  capture_namelen;			/* length of the cookie name to match */
diff -Naur haproxy-1.4-dev4/include/types/session.h haproxy-1.4-dev4-appsession/include/types/session.h
--- haproxy-1.4-dev4/include/types/session.h	2009-10-12 06:40:53.0 +0200
+++ haproxy-1.4-dev4-appsession/include/types/session.h	2009-10-12 21:25:15.0 +0200
@@ -162,6 +162,7 @@
 	int conn_retries;			/* number of connect retries left */
 	int flags;/* some flags describing the session */
 	unsigned term_trace;			/* term trace: 4*8 bits indicating which part

RE: Error responses in statistics

2009-10-12 Thread Stefan Johansson 

Willy,

 

I noticed that we had the dontlognull option already set, but we obviously 
still get these messages.

 

Regards,

Stefan
 
> Date: Mon, 5 Oct 2009 09:41:57 +0200
> From: w...@1wt.eu
> To: phu...@hotmail.com
> CC: haproxy@formilux.org
> Subject: Re: Error responses in statistics
> 
> On Mon, Oct 05, 2009 at 09:20:59AM +0200, Stefan Johansson wrote:
> > 
> > Thank you Willy for the extensive reply.
> > 
> > I have gone through the logs and I have found A LOT of the following:
> > 
> > Oct 1 14:55:33 localhost haproxy[31514]: 131.116.254.198:64398 
> > [01/Oct/2009:14:55:30.550] adt-fusion-public_http 
> > adt-fusion-public_http/adt-fusion-web05 -1/37/-1/-1/36 503 212 - - CRNN 
> > 132/129/81/11/0 0/0 ""
> > 
> > Now, CR indicates that the client disconnected prematurealy right? I am 
> > having issues understanding this together with the timers here, if it was 
> > the backend web server not responding, but 36ms for the whole session would 
> > really indicate otherwise? That can't be a timeout or non response from the 
> > back-end can it?
> 
> The first -1 indicates that the request was not even received.
> Other ones indicate that it did not go further. In my opinion,
> it's just a port scan. The 36 ms alone then account for the
> time between the connect() and close() from the client. You
> can remove them from your logs using "option dontlognull".
> 
> Regards,
> Willy
> 
> 
  
_
Windows Live: Make it easier for your friends to see what you’re up to on 
Facebook.
http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-action/social-network-basics.aspx?ocid=PID23461::T:WLMTAGL:ON:WL:en-xm:SI_SB_2:092009