Re: Please help to configure Haproxy with SSL support

2013-03-22 Thread Baptiste
On Fri, Mar 22, 2013 at 6:43 AM, Eswaramoorthy R ram.eas...@gmail.com wrote:

 so can we recypher  the traffic to tomcat servers using haproxy..?

 any of the following solutions is ok..

 1)Haproxy with HTTPS and other two servers with normal HTTP
 2)Haproxy with HTTPS and other two servers also with HTTPS.

 But which of the above solution works ..?


Both will work.


 I don't have any previous experience with Haproxy..Am new to this...Please
 pardon me if this is a silly question..


this is not an HAProxy problem or lack of experience, this is related to
architecture...

Just decide what you *really* need, then choose the right product. HAProxy
or another one.
Don't do the opposite: choose the product then try to arrange your needs to
fit the product you chose...



 ~Eswar


 On Fri, Mar 22, 2013 at 10:40 AM, Baptiste bed...@gmail.com wrote:

 no, as per our explanation and your request, there is a single cert in
 HAProxy.
 Unless you want to recypher traffic to your tomcat servers.

 Baptiste


 On Fri, Mar 22, 2013 at 5:51 AM, Eswaramoorthy R ram.eas...@gmail.com wrote:

 Thanks all so much for your help and also for updating the article:-)

 I have a doubt...As per your explanation there are totally 3
 certificates placed..They are

1)haproxy.pem
2)cert1
3)cert2

 Can you please say to which server each certificate belongs to..? Below
 is my sample architecture for your reference...

 [image: Inline image 1]
 ~
 Eswar


 On Fri, Mar 22, 2013 at 12:54 AM, Robin Lee Powell 
 rlpow...@cytobank.org wrote:

 On Thu, Mar 21, 2013 at 08:02:03PM +0100, Baptiste wrote:
   I actually started with
  
 http://blog.exceliance.fr/2012/09/10/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
   , but that's out of date; the sni options have changed.
 
 
  Hi Robin
 
  I fixed the article today.

 :D  Thanks so much!

 -Robin
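
The two layouts asked about in this thread, side by side, as an added example that is not part of any poster's message. Addresses, ports, file paths and the frontend, backend and server names are assumptions; only `haproxy.pem` is a name taken from the thread.

```haproxy
# Added example. All addresses, ports, paths and section names are
# assumptions chosen for illustration.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Client-facing listener: this is the only certificate browsers see.
frontend fe_https
    bind :443 ssl crt /etc/haproxy/haproxy.pem
    # Point this at be_tomcat_tls to use option 2 instead.
    default_backend be_tomcat_clear

# Option 1: TLS ends at HAProxy, plain HTTP to the Tomcat servers.
# One certificate in total; traffic between HAProxy and Tomcat is
# readable by anything on that network segment.
backend be_tomcat_clear
    balance roundrobin
    server tomcat1 192.0.2.11:8080 check
    server tomcat2 192.0.2.12:8080 check

# Option 2: HAProxy decrypts, then opens a new TLS session to Tomcat.
# Each Tomcat needs its own certificate; backend-ca.pem holds the CA
# that signed them. "verify required" makes HAProxy reject a backend
# whose certificate does not chain to that CA; "verify none" would
# encrypt the hop without authenticating the server.
backend be_tomcat_tls
    balance roundrobin
    server tomcat1 192.0.2.11:8443 ssl verify required ca-file /etc/haproxy/backend-ca.pem check
    server tomcat2 192.0.2.12:8443 ssl verify required ca-file /etc/haproxy/backend-ca.pem check
```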






Re: use_backend: brackets/grouping not accepted in condition

2013-03-22 Thread Christian Ruppert
Hi Baptiste,

it is IMHO not really clear that brackets are for anonymous ACLs only.
Wouldn't it make sense to support it for use_backend as well?
It just makes things easier in my opinion.

Kind regards,
Christian Ruppert



Christian Ruppert
System administrator

Babiel GmbH
Erkrather Str. 224 a
D-40233 Düsseldorf

Tel: 0211-179349 0
Fax: 0211-179349 29
E-Mail: c.rupp...@babiel.com
Internet: http://www.babiel.com

Managing directors: Georg Babiel, Dr. Rainer Babiel, Harald Babiel
District court: Amtsgericht Düsseldorf, HRB 38633

~~ DISCLAIMER ~~~

The information transmitted in this electronic mail message may contain 
confidential and or privileged materials. Any review, retransmission, 
dissemination or other use of or taking of any action in reliance upon, this 
information by persons or entities other than the intended recipient is 
prohibited. If you receive such e-mails in error, please contact the sender and 
delete the material from any computer.


 -Original Message-
 From: Baptiste [mailto:bed...@gmail.com]
 Sent: Thursday, 21 March 2013 20:00
 To: Christian Ruppert
 Cc: haproxy@formilux.org
 Subject: Re: use_backend: brackets/grouping not accepted in condition
 
 Hi Christian,
 
 Brackets are for anonymous ACLs only.
 You seem to use named ACLs with brackets so it can't work.
 
 Either you do as you said:
  use_backend backend_test if request_domain1 allowed_ip_foo or request_domain1 allowed_ip_bar
 
 Or with 2 use_backend:
  use_backend backend_test if request_domain1 allowed_ip_foo
  use_backend backend_test if request_domain1 allowed_ip_bar
 
 Baptiste
 
 
 
 On Thu, Mar 21, 2013 at 6:25 PM, Christian Ruppert c.rupp...@babiel.com
 wrote:
  Hi Guys,
 
  I just tried to simplify some rules and I noticed that brackets {} don't
  work with use_backend while they work fine with default_backend.
 
  That doesn't work:
  use_backend backend_test if request_domain1 { allowed_ip_foo or allowed_ip_bar }
 
  That works:
  use_backend backend_test if request_domain1 allowed_ip_foo or request_domain1 allowed_ip_bar
 
  That works as well:
  default_backend backend_main if request_domain2 { allowed_ip_foo or allowed_ip_bar }
 
  I could also use multiple use_backend's but using brackets would make it a
  lot easier and better readable IMHO.
 
  https://code.google.com/p/haproxy-docs/wiki/UsingACLs
  That also sounds like the brackets should work almost everywhere.
 
  Some actions are only performed upon a valid condition. A condition is a
  combination of ACLs with operators. 3 operators are supported :
 
- AND (implicit)
- OR  (explicit with the or keyword or the || operator)
- Negation with the exclamation mark (!)
 
  A condition is formed as a disjunctive form:
 
 [!]acl1 [!]acl2 ... [!]acln  { or [!]acl1 [!]acl2 ... [!]acln } ...
 
  Such conditions are generally used after an if or unless statement,
  indicating when the condition will trigger the action.
 
  I would really like to see that fixed. Or is that on purpose?
 
  Kind regards,
  Christian Ruppert
 
  
 


RE: Unable to clone repo

2013-03-22 Thread Lukas Tribus

Hi Nick,

in fact, it's not very fast.


You can try the formilux mirrors, they are kept up-to-date:

    $ git clone http://master.formilux.org/git/people/willy/haproxy.git/
    $ git clone http://master.formilux.org/git/people/willy/haproxy-1.4.git/



Lukas




 From: tubaguy50...@gmail.com 
 Date: Fri, 22 Mar 2013 09:47:07 -0500 
 Subject: Unable to clone repo 
 To: haproxy@formilux.org 
 
 Is there an issue with the Git repo today? I've tried to clone from 
 Texas (USA) and London, both fail fetching objects. Is there a GitHub 
 mirror? 
 Nick 
  


Re: use_backend: brackets/grouping not accepted in condition

2013-03-22 Thread Bryan Talbot
On Fri, Mar 22, 2013 at 2:47 AM, Christian Ruppert c.rupp...@babiel.com wrote:

 Hi Baptiste,

 it is IMHO not really clear that brackets are for anonymous ACLs only.
 Wouldn't it make sense to support it for use_backend as well?


Those two are not mutually exclusive: you can use them with use_backend and
they are for anonymous acls.

for example:
  use_backend www if METH_POST or { path_beg /static /images /img /css }

-Bryan
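
The grouping discussed in this thread, written three equivalent ways, as an added example that is not part of any poster's message. The ACL and backend names follow the thread; the hostname, addresses, server lines and the merged ACL name `allowed_ip` are assumptions.

```haproxy
# Added example. ACL and backend names follow the thread; the hostname,
# addresses and the merged ACL name "allowed_ip" are assumptions.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_http
    bind :80

    acl request_domain1 hdr(host) -i domain1.example.com
    acl allowed_ip_foo  src 192.0.2.0/24
    acl allowed_ip_bar  src 198.51.100.10

    # Several "acl" lines sharing one name are ORed together, so this
    # named ACL means "foo OR bar".
    acl allowed_ip src 192.0.2.0/24
    acl allowed_ip src 198.51.100.10

    # Any one of the three rules below expresses domain1 AND (foo OR bar).

    # 1. Disjunctive form: the common ACL is repeated in each OR term.
    use_backend backend_test if request_domain1 allowed_ip_foo or request_domain1 allowed_ip_bar

    # 2. Merged named ACL: one rule, no braces needed.
    use_backend backend_test if request_domain1 allowed_ip

    # 3. Anonymous ACL: the braces are separate, space-delimited words
    #    and enclose a criterion with its patterns, not other ACL names.
    use_backend backend_test if request_domain1 { src 192.0.2.0/24 198.51.100.10 }

    # default_backend takes a backend name only; requests matching no
    # use_backend rule end up here, whatever their source address.
    default_backend backend_main

backend backend_test
    server test1 192.0.2.21:8080

backend backend_main
    server main1 192.0.2.31:8080
```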


Re: use_backend: brackets/grouping not accepted in condition

2013-03-22 Thread Christian Ruppert
Hi Bryan,

I am somewhat confused now..

So it sounds like the behavior of the brackets in combination with
default_backend is wrong since it seems to work fine there even with IP ACLs.

And what I meant is, wouldn’t it make sense to support e.g. IP ACLs with either
{} or () or whatever else to allow one to group the rules instead of writing
multiple use_backend lines?

For small stuff, like in my example, it would make it slightly “easier”.

use_backend if somecondition (foo or bar)

vs.

use_backend if somecondition foo
use_backend if somecondition bar

Kind regards,
Christian Ruppert

 



 


haproxy queue behavior

2013-03-22 Thread Blake Irvin
We are trying to understand the queueing behavior in haproxy better,
especially with regard to global queues, queue depth, and weighting
upstream servers when using round-robin distribution.

A few questions:

- How can we balance across upstream servers by using different weight
assignments, based on *performance*?

- For each listen socket, is there a shared queue before individual maxconn
queues are filled? Does maxconn per listen socket set the size of this
queue? If global maxconn is 1000, listen socket maxconn is 100 and
individual server maxconn are set to 10, and we have 2 app servers, what's
the total number of requests that will be queued if the app servers are not
able to catch up to the traffic?


Blake