hdr_end(host) not matching?
I have haproxy running in a small cluster:

    HA-Proxy version 1.4.16 2011/08/04
    Copyright 2000-2010 Willy Tarreau w...@1wt.eu

With the following configuration:

    frontend gde_mtl *:80
        acl host_static hdr_end(host) mvdd.net
        use_backend static if host_static
        default_backend dynamic

Is it possible for hdr_end(host) to fail for some reason? We have odd cases (1%) where that rule isn't matched. Could it be that a proxy rewrites the host header?

Could someone explain the difference between 'hdr_end' and 'shdr_end'?

Thanks
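Some ways a plain suffix test on the Host value can miss, as an added example that is not part of the original post; the thread does not establish which, if any, applied here. It assumes hdr_end compares the header value as a case-sensitive string unless the ACL carries -i; the helper names and sample Host values are constructed.

```python
# Added example: models a case-sensitive suffix test on the Host header value
# next to a comparison done after normalizing the value.

def raw_suffix_match(host_value, suffix, ignore_case=False):
    """Plain string suffix test on the header value exactly as received."""
    if ignore_case:
        host_value, suffix = host_value.lower(), suffix.lower()
    return host_value.endswith(suffix)


def normalize_host(host_value):
    """Reduce a Host value to a lowercase name without port or root dot."""
    host = host_value.strip().lower()
    if host.startswith("["):                 # IPv6 literal, e.g. [::1]:80
        return host[: host.find("]") + 1]
    if ":" in host:                          # drop ":port"
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def domain_match(host_value, domain):
    """Match the domain itself or a subdomain, on a label boundary."""
    host = normalize_host(host_value)
    return host == domain or host.endswith("." + domain)


SAMPLES = [                                  # constructed Host header values
    "static.mvdd.net",
    "static.mvdd.net:80",                    # port appended by client or proxy
    "STATIC.MVDD.NET",                       # uppercase
    "static.mvdd.net.",                      # fully qualified, trailing dot
    "",                                      # request without a Host header
    "examplemvdd.net",                       # different domain, same suffix
]


def audit(samples, domain="mvdd.net"):
    """Return (value, raw suffix result, normalized result) per sample."""
    return [(s, raw_suffix_match(s, domain), domain_match(s, domain))
            for s in samples]


if __name__ == "__main__":
    for value, raw, norm in audit(SAMPLES):
        print(f"{value!r:24} raw={raw!s:5} normalized={norm}")
```

Logging the Host value of requests that fall through to the default backend shows which of these forms is actually arriving.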
Re: Issue with client connections hanging to haproxy
I appear to have resolved this by using only http-server-close and httpclose in my config. Can anyone chime in and confirm that it would resolve this type of issue? I don't quite understand from the docs.

On 2/2/2012 1:32 PM, Baptiste wrote:

Hi,

You should setup net.ipv4.ip_local_port_range as well to increase allowed opened ports to servers. Your maxconns seems too high, but I doubt this is the source of your issue.

cheers

On Thu, Feb 2, 2012 at 10:16 PM, Ivan Ator ivanat...@gmail.com wrote:

Hello. I'm having an issue with connections to haproxy hanging upon the connect stage. My setup is 2 nginx/php-fpm backends with haproxy load balancing them (3 servers total). When connecting directly to the app servers everything is great, but through haproxy my browser hangs at connecting for 1-30 seconds sometimes.. or just never connects requiring a hard refresh.

Sysctl and haproxy settings on the load balancer are:

    net.ipv4.tcp_tw_recycle = 1
    net.ipv4.tcp_tw_reuse = 1
    net.ipv4.tcp_max_tw_buckets = 36
    net.ipv4.tcp_fin_timeout = 20
    net.ipv4.ip_local_port_range = 200064000
    net.ipv4.tcp_syncookies = 0
    net.ipv4.tcp_max_orphans = 262144
    net.ipv4.tcp_max_syn_backlog = 262144
    net.ipv4.tcp_synack_retries = 2
    net.ipv4.tcp_syn_retries = 2
    kernel.shmmax = 4294967296
    fs.file-max = 1048576
    net.core.netdev_max_backlog = 10
    net.core.somaxconn = 10
    net.core.rmem_max = 8388608
    net.ipv4.tcp_rmem = 4096 1048576 8388608
    net.core.wmem_max = 8388608
    net.ipv4.tcp_wmem = 4096 1048576 8388608
    net.ipv4.tcp_mem = 8388608 8388608 8388608
    net.core.optmem_max = 40960

    global
        log 127.0.0.1 local0
        user haproxy
        group haproxy
        daemon
        maxconn 10
        #stats socket /opt/haproxy/etc/sock.haproxy uid 0 gid 0 mode 700 level admin

    defaults
        log global
        option dontlognull
        balance leastconn
        retries 3
        option redispatch
        timeout connect 2ms
        timeout server 3ms
        timeout client 2ms

    listen stats hidden:47880
        mode http
        stats enable
        stats uri /stats
        stats realm HAProxy\ Statistics
        stats auth hidden

    listen www A.B.C.D:80
        mode http
        option httpclose
        option nolinger
        timeout client 2ms
        option httpchk HEAD / HTTP/1.0
        option forwardfor
        cookie SERVERID insert
        balance leastconn
        maxconn 5
        server app1 10.240.0.2:80 cookie a1 maxconn 25000 check
        server app2 10.240.0.3:80 cookie a2 maxconn 25000 check
        #server app3 10.240.0.4:80 cookie a3 maxconn 15000 check backup

tcpdump output when this happens: http://pastebin.com/cXE8kWew (note the 8 second hang)

    20:46:11.923871 IP MY-CLIENT.55494 > MY-SERVER.www: Flags [P.], seq 706215489:706216213, ack 3030317681, win 4280, length 724
    20:46:12.118792 IP MY-CLIENT.55494 > MY-SERVER.www: Flags [.], ack 2635, win 4280, length 0
    20:46:12.303468 IP MY-CLIENT.55494 > MY-SERVER.www: Flags [.], ack 5269, win 4280, length 0
    20:46:12.303483 IP MY-CLIENT.55494 > MY-SERVER.www: Flags [.], ack 7659, win 4280, length 0
    20:46:12.303492 IP MY-CLIENT.55494 > MY-SERVER.www: Flags [F.], seq 724, ack 7659, win 4280, length 0
    20:46:20.111011 IP MY-CLIENT.55493 > MY-SERVER.www: Flags [P.], seq 3064322029:3064322755, ack 1531281668, win 4280, length 726
    20:46:20.140771 IP MY-CLIENT.55495 > MY-SERVER.www: Flags [P.], seq 2914190645:2914191371, ack 2823463340, win 4280, length 726
    20:46:20.305019 IP MY-CLIENT.55493 > MY-SERVER.www: Flags [.], ack 320, win 4200, length 0
    20:46:20.305032 IP MY-CLIENT.55493 > MY-SERVER.www: Flags [F.], seq 726, ack 320, win 4200, length 0
    20:46:20.324906 IP MY-CLIENT.55495 > MY-SERVER.www: Flags [.], ack 709, win 4103, length 0
    20:46:20.334540 IP MY-CLIENT.55495 > MY-SERVER.www: Flags [F.], seq 726, ack 709, win 4103, length 0
    20:46:22.087034 IP MY-CLIENT.55496 > MY-SERVER.www: Flags [F.], seq 2675337998, ack 678907057, win 4280, length 0
    20:46:22.277682 IP MY-CLIENT.55496 > MY-SERVER.www: Flags [R.], seq 1, ack 188, win 0, length 0

Also of interest is the fact that there is about 3k SYN_RECV, 20k TIME_WAIT and 200 ESTABLISHED connections in netstat. Under the errors - resp column of the haproxy stats page for the backend, if I hover over the numbers for backend it says connection resets during transfer: 300k+ client, 0 server.

Any help is greatly appreciated, I am stumped.

Ivan
Re: Create Backed by Unix Socket
Going from the documentation, there doesn't appear to be functionality for creating/destroying backends. Personally, I have accomplished your task by creating a series of scripts for maintaining the configuration file and reloading it while live.

On 2/6/2012 3:21 PM, Dziuba, Ted wrote:

Hi,

I am wondering if it is possible to create an haproxy backend programmatically, using the unix socket facility. I see that you can enable and disable existing back-ends, but I want to add a new one. This is my use case:

  - HTTP server starts on a host, binding to port 0
  - HTTP server announces itself to a load balancer, asking to be put into the pool
  - Load balancer acknowledges HTTP server and starts sending it traffic

Thanks,
Ted

---
Ted Dziuba
Co-Founder, Milo.com
t...@milo.com
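The approach described in this reply (scripts that maintain the configuration file and reload it live), as an added example that is not from the thread or from HAProxy. It assumes announced servers arrive as (name, IPv4 address, port) tuples from untrusted hosts, so each field is validated before it reaches a config line; the function names, the backend name and the paths passed in are hypothetical, while `-c`, `-f`, `-p` and `-sf` are haproxy's own options.

```python
import ipaddress
import os
import re
import subprocess
import tempfile

NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")     # characters safe in a server name


def server_line(name, addr, port):
    """Validate one announced server and return its 'server' config line."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"bad server name: {name!r}")
    ip = ipaddress.IPv4Address(addr)              # rejects hostnames, spaces, newlines
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"bad port: {port}")
    return f"    server {name} {ip}:{port} check"


def render(base_cfg, backend, servers):
    """Append a generated backend section to the hand-maintained base config."""
    lines = [base_cfg.rstrip("\n"), "", f"backend {backend}"]
    lines += [server_line(*s) for s in sorted(servers)]
    return "\n".join(lines) + "\n"


def check_and_reload(cfg_text, cfg_path, pid_path):
    """Check the candidate with 'haproxy -c', swap it in, then soft-reload."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(cfg_path) or ".")
    with os.fdopen(fd, "w") as f:
        f.write(cfg_text)
    try:
        subprocess.run(["haproxy", "-c", "-f", tmp], check=True)
    except Exception:
        os.unlink(tmp)                            # keep the running config untouched
        raise
    os.replace(tmp, cfg_path)                     # atomic swap on the same filesystem
    with open(pid_path) as f:
        old_pids = f.read().split()
    # -sf: new process takes over, old ones finish their connections and exit
    subprocess.run(["haproxy", "-f", cfg_path, "-p", pid_path, "-sf", *old_pids],
                   check=True)
```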
Re: Create Backed by Unix Socket
John,

Where's the documentation for your patch? I'm up for playing with this neat idea even if we don't use it in Prod. Might hook in some stuff to haproxyctl if you can output a version number/patch/something so the ctl script can recognize when someone is using this version...

On Mon, Feb 6, 2012 at 4:39 PM, Jeff Buchbinder jbuchbin...@ravemobilesafety.com wrote:

The api patch I have been working on at https://github.com/jbuchbinder/haproxy has that functionality, but needs more testing. Willy has said that he has no plans to include this patch, primarily due to the potential for configuration issues in dynamically configured frontends, backends, etc.

Thanks,
Jeff

Ivan Ator ivanat...@gmail.com wrote:

Going from the documentation, there doesn't appear to be functionality for creating/destroying backends. Personally, I have accomplished your task by creating a series of scripts for maintaining the configuration file and reloading it while live.

On 2/6/2012 3:21 PM, Dziuba, Ted wrote:

Hi,

I am wondering if it is possible to create an haproxy backend programmatically, using the unix socket facility. I see that you can enable and disable existing back-ends, but I want to add a new one. This is my use case:

  - HTTP server starts on a host, binding to port 0
  - HTTP server announces itself to a load balancer, asking to be put into the pool
  - Load balancer acknowledges HTTP server and starts sending it traffic

Thanks,
Ted

---
Ted Dziuba
Co-Founder, Milo.com
t...@milo.com
Re: Create Backed by Unix Socket
There is an API text file in the root of the git repo with some more information. I try to keep it sync'd with Willy's upstream copy.

carlo flores ca...@petalphile.com wrote:

John,

Where's the documentation for your patch? I'm up for playing with this neat idea even if we don't use it in Prod. Might hook in some stuff to haproxyctl if you can output a version number/patch/something so the ctl script can recognize when someone is using this version...

On Mon, Feb 6, 2012 at 4:39 PM, Jeff Buchbinder jbuchbin...@ravemobilesafety.com wrote:

The api patch I have been working on at https://github.com/jbuchbinder/haproxy has that functionality, but needs more testing. Willy has said that he has no plans to include this patch, primarily due to the potential for configuration issues in dynamically configured frontends, backends, etc.

Thanks,
Jeff

Ivan Ator ivanat...@gmail.com wrote:

Going from the documentation, there doesn't appear to be functionality for creating/destroying backends. Personally, I have accomplished your task by creating a series of scripts for maintaining the configuration file and reloading it while live.

On 2/6/2012 3:21 PM, Dziuba, Ted wrote:

Hi,

I am wondering if it is possible to create an haproxy backend programmatically, using the unix socket facility. I see that you can enable and disable existing back-ends, but I want to add a new one. This is my use case:

  - HTTP server starts on a host, binding to port 0
  - HTTP server announces itself to a load balancer, asking to be put into the pool
  - Load balancer acknowledges HTTP server and starts sending it traffic

Thanks,
Ted

---
Ted Dziuba
Co-Founder, Milo.com
t...@milo.com
HAProxy in Amazon EC2 in peer mode
Hi,

I am thinking of the following scenario to implement in AWS: two HAProxies with SSL stickiness, TCP pass through and in peer mode, using Amazon ELB to do round robin load balancing between the two servers. Basically the idea is to create automatic failover for HA proxy servers.

Theoretically it should work since both of the servers have the same session information. Am I wrong on this assumption?

Thanks
Mir
Re: Create Backed by Unix Socket
Oh missed that; cool. Sorry for my mistake with your name while multitasking as well :)

On Mon, Feb 6, 2012 at 4:52 PM, Jeff Buchbinder jbuchbin...@ravemobilesafety.com wrote:

There is an API text file in the root of the git repo with some more information. I try to keep it sync'd with Willy's upstream copy.

carlo flores ca...@petalphile.com wrote:

John,

Where's the documentation for your patch? I'm up for playing with this neat idea even if we don't use it in Prod. Might hook in some stuff to haproxyctl if you can output a version number/patch/something so the ctl script can recognize when someone is using this version...

On Mon, Feb 6, 2012 at 4:39 PM, Jeff Buchbinder jbuchbin...@ravemobilesafety.com wrote:

The api patch I have been working on at https://github.com/jbuchbinder/haproxy has that functionality, but needs more testing. Willy has said that he has no plans to include this patch, primarily due to the potential for configuration issues in dynamically configured frontends, backends, etc.

Thanks,
Jeff

Ivan Ator ivanat...@gmail.com wrote:

Going from the documentation, there doesn't appear to be functionality for creating/destroying backends. Personally, I have accomplished your task by creating a series of scripts for maintaining the configuration file and reloading it while live.

On 2/6/2012 3:21 PM, Dziuba, Ted wrote:

Hi,

I am wondering if it is possible to create an haproxy backend programmatically, using the unix socket facility. I see that you can enable and disable existing back-ends, but I want to add a new one. This is my use case:

  - HTTP server starts on a host, binding to port 0
  - HTTP server announces itself to a load balancer, asking to be put into the pool
  - Load balancer acknowledges HTTP server and starts sending it traffic

Thanks,
Ted

---
Ted Dziuba
Co-Founder, Milo.com
t...@milo.com
Re: Rate limiting based on arbitrary pattern
Hi Baptiste,

Thanks for the confirmation. Since I want to rate limit based on a SessionId, is this something that I should implement?

Thanks,
Harshad

On 4 February 2012 11:25, Baptiste bed...@gmail.com wrote:

Hi Harshad,

For now, this could work only in HAProxy 1.5, but not in current dev7 version. Up to haproxy 1.5-dev7, you can only apply this kind of tracking on IPs based tables, not on string tables.

Willy, EmerivBR told me you would release soon tracking based on string tables. Can you confirm . or not :) ??

cheers

On Fri, Feb 3, 2012 at 4:15 PM, Harshad R hrr.222...@gmail.com wrote:

Hi,

Is it possible to maintain gpc0/connection rate based on an arbitrary pattern fetch? My stick table is based on a header X-Session which is a string pattern. I would like to rate limit based on UID it contains.

Backend config:

    backend app
        balance roundrobin
        server app1 127.0.0.1:80 check cookie app1
        stick-table type string size 200k store gpc0
        stick on uid

We have implemented uid as a custom pattern fetch in code with

    static int
    pattern_fetch_uid(struct proxy *px, struct session *l4, void *l7, int dir,
                      const struct pattern_arg *arg_p, int arg_i, union pattern_data *data)
    {
        struct hdr_ctx ctx;
        struct http_txn *txn = l7;
        struct http_msg *msg = &txn->req;
        const char *hdr;
        int hdr_len;
        uauth_t uauth;

        /* look up the X-Session request header */
        ctx.idx = 0;
        if (http_find_header2("X-Session", sizeof("X-Session")-1, msg->sol, &txn->hdr_idx, &ctx)) {
            return 1;
        }
        /* header absent: nothing to fetch */
        return 0;
    }

    static struct pattern_fetch_kw_list pattern_fetch_keywords = {{ },{
        { "uid", pattern_fetch_uid, NULL, PATTERN_TYPE_STRING, PATTERN_FETCH_REQ },
        { NULL, NULL, NULL, 0, 0 },
    }};

From the stats output, it is observed that gpc0 is not getting incremented.

    show table app
    # table: app, type: string, size:204800, used:8
    0xa510398: key=001 use=0 exp=0 server_id=1 gpc0=0
    0xa518f18: key=11859 use=0 exp=0 server_id=1 gpc0=0
    0xa519188: key=12375 use=0 exp=0 server_id=1 gpc0=0
    0xa518d78: key=12603 use=0 exp=0 server_id=1 gpc0=0
    0xa5190b8: key=17522 use=0 exp=0 server_id=1 gpc0=0
    0xa518fe8: key=31653 use=0 exp=0 server_id=1 gpc0=0
    0xa510468: key=31943 use=0 exp=0 server_id=1 gpc0=0
    0xa518e48: key=3325 use=0 exp=0 server_id=1 gpc0=0

Is there a generic configuration operation to increment/get gpc0? e.g.

    stick increment gpc0
    acl abuse stick_get_gpc0 gt 10

Also, we would like to use frequency counter for this. e.g.

    acl abuse stick_get_gpfc0 gt 10

Thanks,
Harshad