1.5 Regression

2011-04-10 Thread William Lewis

Hi,


I'm new to HAProxy, but I think I might have found a regression in 1.5.

I'm declaring these two servers in a backend section and using different
ports from the data port to check the aliveness of the backend nodes, so
that I can use firewall rules to soft-remove a node from the cluster.

    server coors coors-priv:8090 cookie coors check port 8091 inter 5000
    server bud   bud-priv:8090   cookie bud   check port 8092 inter 5000


In 1.4.15, if I firewall port 8091 or 8092, the corresponding node gets
marked as down in the stats screen and stops accepting traffic. In the
1.5-dev6 build it doesn't do anything when the ports are firewalled.


Please get back to me if I can be of any more help diagnosing this.


Regards

Will Lewis
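The soft-remove procedure described above (block only the check port, keep the data port open, and let the health check fail) is easy to verify by script rather than by watching the stats page, and a scripted check is also what catches the regression: a server whose check port is unreachable but which never leaves UP. The script below is an added example, not code from the thread or from HAProxy. It assumes a stats socket is enabled in the global section ("stats socket /var/run/haproxy.sock"), that socat is installed, that the backend is named "app", and that the firewall rule is applied on the HAProxy host's OUTPUT chain; the "show stat" dump at the bottom is constructed so the parser can be exercised without a running HAProxy.

```shell
#!/bin/sh
# Added example, not from the thread: take a server out of rotation by
# blocking its dedicated check port, then confirm from the stats socket
# that HAProxy really marked it DOWN. Assumed: "stats socket
# /var/run/haproxy.sock" in the global section, socat installed, backend
# named "app", firewall rule on the HAProxy host's OUTPUT chain.

STATS_SOCK="${STATS_SOCK:-/var/run/haproxy.sock}"

# Dump the "show stat" CSV from the stats socket.
fetch_stat() {
    echo "show stat" | socat stdio "UNIX-CONNECT:${STATS_SOCK}"
}

# server_status CSV BACKEND SERVER -> prints "<status> <check_status>", e.g.
# "UP L4OK" or "DOWN L4CON"; exits 1 if the server is not in the dump.
# In the show stat CSV, status is column 18 and check_status is column 37.
server_status() {
    printf '%s\n' "$1" | awk -F, -v px="$2" -v sv="$3" '
        $1 == px && $2 == sv { print $18, $37; found = 1 }
        END { if (!found) exit 1 }'
}

# Block only the check port, so established data connections keep flowing.
# REJECT fails the check on its next attempt; DROP would make every attempt
# wait for "timeout check" first, so the server takes much longer to go DOWN.
block_check_port() {   # block_check_port HOST PORT
    iptables -I OUTPUT -p tcp -d "$1" --dport "$2" -j REJECT --reject-with tcp-reset
}

unblock_check_port() { # unblock_check_port HOST PORT
    iptables -D OUTPUT -p tcp -d "$1" --dport "$2" -j REJECT --reject-with tcp-reset
}

# wait_for_status BACKEND SERVER WANTED SECONDS -> 0 once the server reports
# WANTED, 1 if it never does within SECONDS (the regression symptom).
wait_for_status() {
    n=0
    while [ "$n" -lt "$4" ]; do
        st=$(server_status "$(fetch_stat)" "$1" "$2" | cut -d' ' -f1)
        [ "$st" = "$3" ] && return 0
        n=$((n + 1))
        sleep 1
    done
    return 1
}

# Drain "coors" (check port 8091 in the config above) and give HAProxy
# fall * inter = 3 * 5 s plus some slack to notice:
#   block_check_port coors-priv 8091
#   wait_for_status app coors DOWN 30 || echo "coors still UP: check port block ignored" >&2
#   unblock_check_port coors-priv 8091

# Constructed sample of a "show stat" dump (columns beyond 39 omitted), used
# to exercise server_status without a running HAProxy.
SAMPLE_STAT='# pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,wretr,wredis,status,weight,act,bck,chkfail,chkdown,lastchg,downtime,qlimit,pid,iid,sid,throttle,lbtot,tracked,type,rate,rate_lim,rate_max,check_status,check_code,check_duration,
app,coors,0,0,0,0,,0,0,0,,0,,0,0,0,0,UP,1,1,0,0,0,100,0,,1,2,1,,0,,2,0,,0,L4OK,,0,
app,bud,0,0,0,0,,0,0,0,,0,,0,0,0,0,DOWN,1,1,0,3,1,12,12,,1,2,2,,0,,2,0,,0,L4CON,,0,'
```

With REJECT the check fails on its next attempt, so with inter 5000 and HAProxy's default fall of 3 the server should report DOWN within roughly 15 s. With DROP each attempt first waits for the check timeout, so allow for that before concluding that the blocked check port is being ignored.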








Re: using haproxy for https

2011-04-10 Thread Brian Carpio
Of course you can export the cert and private keys from IIS and use them in 
stunnel. You will need to use OpenSSL to convert the certificate but it will 
work.

Sent from my iPhone

On Apr 10, 2011, at 11:59 AM, "Joseph Hardeman" wrote:

Hi Guys

The problem is that this is for a customer who is running IIS and already has
all their certs built for IIS; I don't know if the IIS cert would work with
stunnel.

I tried the following configuration, which I had found and they said was
working for them, but I am getting "SSL too long" errors:

#listen cust1_443
#    maxconn 32000
#    bind 0.0.0.0:443
#    mode http
#    cookie SERVERID insert indirect nocache
##   cookie SERVERID rewrite nocache
#    timeout client 70s
#    timeout server 70s
#    timeout connect 30s
#    balance source
#    reqadd X-Forwarded-Proto:\ https
#    reqadd SSL-TERMINATION:\ ON
#    server IIS1-443 192.168.0.206:443 cookie iis1ssl check inter 5000 fall 3 rise 1 maxconn 30
##   server IIS2-443 192.168.0.207:443 cookie iis2ssl check inter 5000 fall 3 rise 1 maxconn 30
#    option abortonclose
#    option httpclose
#    option forwardfor
#    retries 3
#    option redispatch
#    log global
#    option httplog
#    option ssl-hello-chk
#    option dontlognull


With the second IIS server commented out, they are able to serve one of their
largest customers with their SSL site, but I want to be able to load balance the
requests and at least pin each visitor to the IIS server they are sent to.

listen cust1_443
    mode tcp
    bind 0.0.0.0:443
    option ssl-hello-chk
    balance roundrobin
    server IIS1-443 192.168.0.206:443 check inter 5000 fall 3 rise 1 maxconn 300
#   server IIS2-443 192.168.0.207:443 check inter 5000 fall 3 rise 1 maxconn 300
    timeout client 70s
    timeout server 70s
    timeout connect 30s

Any ideas or thoughts on this?

Thanks

Joe


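Brian's answer is right: IIS exports the certificate and its private key together as a PFX (PKCS#12) file, and OpenSSL can unpack that into the single PEM file that stunnel's "cert =" option reads. The shell functions below are an added example, not code from the thread or from stunnel; they assume openssl is on PATH, and the file names and the "secret" passphrase are placeholders. make_demo_pfx builds a throwaway self-signed PFX so the conversion can be exercised without a real IIS export. Two checks matter in practice: the key must be written unencrypted (stunnel cannot prompt for a passphrase), so the output file must be mode 600, and the key and certificate in the result must actually belong together.

```shell
#!/bin/sh
# Added example, not from the thread: convert an IIS PFX/PKCS#12 export into
# the single PEM file stunnel reads via "cert =", and verify it before use.
# Assumed: openssl on PATH. File names and the "secret" passphrase are
# placeholders.

# pfx_to_stunnel_pem IN.pfx OUT.pem PASSPHRASE
# Writes: private key (unencrypted), server certificate, then any CA chain.
# Returns 1 and leaves no partial output if the PFX cannot be opened
# (wrong passphrase, corrupt file).
pfx_to_stunnel_pem() {
    in_pfx=$1; out_pem=$2; pass=$3
    tmp=$(mktemp) || return 1          # mktemp creates the file mode 600
    # -nodes (OpenSSL 3: -noenc) leaves the key unencrypted; stunnel cannot
    # prompt for a passphrase. Add -legacy on OpenSSL 3 if the PFX uses the
    # RC2/3DES ciphers that older IIS versions export with.
    {
        openssl pkcs12 -in "$in_pfx" -passin "pass:$pass" -nocerts -nodes &&
        openssl pkcs12 -in "$in_pfx" -passin "pass:$pass" -nokeys -clcerts &&
        openssl pkcs12 -in "$in_pfx" -passin "pass:$pass" -nokeys -cacerts
    } >"$tmp" 2>/dev/null || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp" && mv "$tmp" "$out_pem"
}

# first_block PEM PATTERN -> prints the first "-----BEGIN ...PATTERN-----"
# block of PEM, skipping the "Bag Attributes" text pkcs12 writes around it.
first_block() {
    awk -v re="-----BEGIN .*$2-----" \
        '$0 ~ re { p = 1 } p { print } p && /-----END / { exit }' "$1"
}

# key_matches_cert PEM -> 0 if the private key and the first certificate in
# PEM carry the same public key (works for RSA and EC keys alike).
key_matches_cert() {
    key_pub=$(first_block "$1" "PRIVATE KEY" | openssl pkey -pubout 2>/dev/null) || return 1
    cert_pub=$(first_block "$1" "CERTIFICATE" | openssl x509 -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# pem_mode PEM -> prints the permission string, e.g. "-rw-------"
pem_mode() {
    ls -l "$1" | cut -c1-10
}

# make_demo_pfx DIR -> DIR/site.pfx, a self-signed stand-in for an IIS export
# (constructed test input, protected with passphrase "secret").
make_demo_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=iis.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -passout pass:secret -out "$1/site.pfx"
}

# Typical run against a real export:
#   pfx_to_stunnel_pem site.pfx /etc/stunnel.pem 'export-password' &&
#   key_matches_cert /etc/stunnel.pem && echo "ok: point stunnel cert= at it"
```

Because the output holds an unencrypted private key, keep it out of world-readable locations and let stunnel drop privileges after loading it (the setuid/setgid lines in the config quoted further down do that); the chain order written here, server certificate before CA certificates, is the order stunnel expects.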

Re: using haproxy for https

2011-04-10 Thread vivek . malik
Haproxy can't do SSL. SSL is encrypted from client to server, so haproxy
can't analyze the requests, add headers, or look at headers.

You should be able to run haproxy in tcp mode and balance based on source, but
you can't load balance based on cookie or header info unless SSL decryption
happens before the traffic reaches haproxy.

Vivek

Re: using haproxy for https

2011-04-10 Thread Joseph Hardeman
Hi Guys

The problem is that this is for a customer who is running IIS and already
has all their certs built for IIS; I don't know if the IIS cert would work
with stunnel.

I tried the following configuration, which I had found and they said was
working for them, but I am getting "SSL too long" errors:

#listen cust1_443
#    maxconn 32000
#    bind 0.0.0.0:443
#    mode http
#    cookie SERVERID insert indirect nocache
##   cookie SERVERID rewrite nocache
#    timeout client 70s
#    timeout server 70s
#    timeout connect 30s
#    balance source
#    reqadd X-Forwarded-Proto:\ https
#    reqadd SSL-TERMINATION:\ ON
#    server IIS1-443 192.168.0.206:443 cookie iis1ssl check inter 5000 fall 3 rise 1 maxconn 30
##   server IIS2-443 192.168.0.207:443 cookie iis2ssl check inter 5000 fall 3 rise 1 maxconn 30
#    option abortonclose
#    option httpclose
#    option forwardfor
#    retries 3
#    option redispatch
#    log global
#    option httplog
#    option ssl-hello-chk
#    option dontlognull


With the second IIS server commented out, they are able to serve one of their
largest customers with their SSL site, but I want to be able to load balance
the requests and at least pin each visitor to the IIS server they are sent to.

listen cust1_443
    mode tcp
    bind 0.0.0.0:443
    option ssl-hello-chk
    balance roundrobin
    server IIS1-443 192.168.0.206:443 check inter 5000 fall 3 rise 1 maxconn 300
#   server IIS2-443 192.168.0.207:443 check inter 5000 fall 3 rise 1 maxconn 300
    timeout client 70s
    timeout server 70s
    timeout connect 30s

Any ideas or thoughts on this?

Thanks

Joe


On Sun, Apr 10, 2011 at 10:26 AM, Brian Carpio wrote:

> You probably need to ask that question on the stunnel mailing list.
>
>
> Sent from my iPhone
>
> On Apr 10, 2011, at 8:20 AM, "German Gutierrez" wrote:
>
> > BTW, will this patch ever go upstream? Why does stunnel not have this
> > already?
> >
> > On Sat, Apr 9, 2011 at 11:43 PM, Vivek Malik wrote:
> >> Joe,
> >> You need to run as many stunnel instances as the number of SSL
> >> certificates. If the sites share an SSL certificate, then one stunnel
> >> instance will do.
> >> I run stunnel 4.32 with the patch from
> >> http://haproxy.1wt.eu/download/patches/
> >> on port 443 and forward it to port 81 on the same machine, which is bound
> >> to haproxy.
> >> My stunnel config looks like
> >> cert = /etc/stunnel.pem
> >> sslVersion = all
> >> chroot = /var/lib/stunnel/
> >> setuid = stunnel
> >> setgid = stunnel
> >> pid = /stunnel.pid
> >> socket = l:TCP_NODELAY=1
> >> socket = r:TCP_NODELAY=1
> >> [https]
> >> accept  = 443
> >> connect = 127.0.0.1:81
> >> TIMEOUTclose = 0
> >> xforwardedfor = yes
> >> Note that the xforwardedfor option only works after the patch is installed.
> >> My haproxy config looks like
> >> frontend http
> >>         bind 0.0.0.0:80
> >>         reqidel ^X-Forwarded-Proto:.*
> >>         reqadd X-Forwarded-Proto:\ HTTP
> >>         option forwardfor
> >> frontend https
> >>         bind 127.0.0.1:81
> >>         reqidel ^X-Forwarded-Proto:.*
> >>         reqadd X-Forwarded-Proto:\ HTTPS
> >> Note that I am passing an X-Forwarded-Proto header to the underlying
> >> application so that it can apply logic specific to https calls.
> >> Vivek
> >> On Sat, Apr 9, 2011 at 4:00 PM, Ben Timby wrote:
> >>>
> >>> On Sat, Apr 9, 2011 at 2:07 PM, Joseph Hardeman wrote:
> >>>> Hi Guys,
> >>>>
> >>>> I was wondering if someone has a good example I could use for proxying
> >>>> https traffic. We are trying to proxy multiple sites that use https and
> >>>> I was hoping for a way to see how to proxy that traffic between multiple
> >>>> IIS servers without having to set up many different backend sections.
> >>>> The way the sites are set up, they use a couple of cookies but mostly
> >>>> session variables to track the user as they do their thing. Either I
> >>>> need to be able to pin the user to a single server using the mode tcp
> >>>> function when they come in, or be able to use some form of mode http
> >>>> that doesn't break the SSL function.
> >>>>
> >>>> This morning around 5am, I got one site running with only 1 backend
> >>>> using tcp, but I really need to be able to load balance it between
> >>>> multiple servers.
> >>>
> >>> Joe, haproxy itself does not do SSL. That said, you can set up an SSL
> >>> server in front of it. Myself, I use stunnel. Stunnel strips the SSL
> >>> and forwards the traffic to haproxy. I have many instances of stunnel
> >>> (one per cert/ip) which all feed a single haproxy http listener.
> >>>
> >>> http://www.stunnel.org/
> >>>
> >>> You could also use another server like nginx, apache etc. to strip the
> >>> SSL. However, I find stunnel well suited as all it does is SSL and it
> >>> is fast and efficient at it (similar to how haproxy does proxying
> >>> very well).
> >>>
> >>
>

Re: using haproxy for https

2011-04-10 Thread Brian Carpio
You probably need to ask that question on the stunnel mailing list.


Sent from my iPhone



Re: using haproxy for https

2011-04-10 Thread German Gutierrez
BTW, will this patch ever go upstream? Why does stunnel not have this already?




-- 
Germán Gutiérrez

OLX Operation Center
OLX Inc.
Buenos Aires - Argentina
Phone: 54.11.4775.6696
Mobile: 54.911.5669.6175
Skype: errare_est
Email: germ...@olx.com

Delivering common sense since 1969 .

The Nature is not amiable; It treats impartially to all the things.
The wise person is not amiable; He treats all people impartially.

No afecta el sitio, no necesita QA.



Re: Transparent front end

2011-04-10 Thread James Bardin
Hi Sara,

What you've described is basically what haproxy (or any reverse proxy
for that matter) does. Have you tried using it? Did you have any
problems?

-jim


2011/4/10 sara fahmy:
>
>
> Hi everyone,
> I want to know: is it possible to create a transparent front end, so that
> when the client wants to request the server it calls the back-end server
> directly, without knowing that its request is passed first to the front end
> and then redirected to the back end? If yes, how?
> Thanks!
>