Re: Please help to configure Haproxy with SSL support
On Fri, Mar 22, 2013 at 6:43 AM, Eswaramoorthy R ram.eas...@gmail.comwrote: so can we recypher the traffic to tomcat servers using haproxy..? any of the following solutions is ok.. 1)Haproxy with HTTPS and other two servers with normal HTTP 2)Haproxy with HTTPS and other two servers also with HTTPS. But which of the above solution works ..? both will works. I don have any previous experience with Haproxy..Am new to this...Please pardon me if this is a silly question.. this is not an HAProxy problem or lack of experience, this is related to architecture... Just decide what you *really* need, then choose the right product. HAProxy or an other one. Don't do the opposite: choose the product then try to arrange your needs to fit the product you chose... ~Eswar On Fri, Mar 22, 2013 at 10:40 AM, Baptiste bed...@gmail.com wrote: no, as per our explanation and your request, there is a single cert in HAProxy. Unless you want to recypher traffic to your tomcat servers. Baptiste On Fri, Mar 22, 2013 at 5:51 AM, Eswaramoorthy R ram.eas...@gmail.comwrote: Thanks all so much for your help and also for updating the article:-) I have a doubt...As per your explanation there are totally 3 certificates placed..They are 1)haproxy.pem 2)cert1 3)cert2 Can you please say to which server each certificate belongs to..? Below is my sample architecture for your reference... [image: Inline image 1] ~ Eswar On Fri, Mar 22, 2013 at 12:54 AM, Robin Lee Powell rlpow...@cytobank.org wrote: On Thu, Mar 21, 2013 at 08:02:03PM +0100, Baptiste wrote: I actually started with http://blog.exceliance.fr/2012/09/10/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/ , but that's out of date; the sni options have changed. Hi Robin I fixed the article today. :D Thanks so much! -Robin image.png
AW: use_backend: brackets/grouping not accepted in condition
Hi Baptiste, it is IMHO not really clear that brackets are for anonymous ACLs only. Wouldn't it make sense to support it for use_backend as well? It just makes things easier in my opinion. Mit freundlichen Grüßen, Christian Ruppert Christian Ruppert Systemadministrator Babiel GmbH Erkrather Str. 224 a D-40233 Düsseldorf Tel: 0211-179349 0 Fax: 0211-179349 29 E-Mail: c.rupp...@babiel.com Internet: http://www.babiel.com Geschäftsführer: Georg Babiel, Dr. Rainer Babiel, Harald Babiel Amtsgericht Düsseldorf HRB 38633 ~~ DISCLAIMER ~~~ The information transmitted in this electronic mail message may contain confidential and or privileged materials. Any review, retransmission, dissemination or other use of or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you receive such e-mails in error, please contact the sender and delete the material from any computer. -Ursprüngliche Nachricht- Von: Baptiste [mailto:bed...@gmail.com] Gesendet: Donnerstag, 21. März 2013 20:00 An: Christian Ruppert Cc: haproxy@formilux.org Betreff: Re: use_backend: brackets/grouping not accepted in condition Hi Christian, Brackets are for anonymous ACLs only. You seem to use named ACLs with brackets so it can't work. Either you do as you said: use_backend backend_test if request_domain1 allowed_ip_foo or request_domain1 allowed_ip_bar Or with 2 use_backend: use_backend backend_test if request_domain1 allowed_ip_foo use_backend backend_test if request_domain1 allowed_ip_bar Baptiste On Thu, Mar 21, 2013 at 6:25 PM, Christian Ruppert c.rupp...@babiel.com wrote: Hi Guys, I just tried to simplify some rules and I noticed that brackets {} doesn't work with use_backend while it works fine with default_backend. That doesn't work: use_backend backend_test if request_domain1 { allowed_ip_foo or allowed_ip_bar } That works: use_backend backend_test if request_domain1 allowed_ip_foo or request_domain1 allowed_ip_bar That works as well: default_backend backend_main if request_domain2 { allowed_ip_foo or allowed_ip_bar } I could also use multiple use_backend's but using brackets would make it a lot easier and better readable IMHO. https://code.google.com/p/haproxy-docs/wiki/UsingACLs That also sounds like the brackets should work almost everywhere. Some actions are only performed upon a valid condition. A condition is a combination of ACLs with operators. 3 operators are supported : - AND (implicit) - OR (explicit with the or keyword or the || operator) - Negation with the exclamation mark (!) A condition is formed as a disjunctive form: [!]acl1 [!]acl2 ... [!]acln { or [!]acl1 [!]acl2 ... [!]acln } ... Such conditions are generally used after an if or unless statement, indicating when the condition will trigger the action. I would really like to see that fixed. Or is that on purpose? Mit freundlichen Grüßen, Christian Ruppert Christian Ruppert Systemadministrator Babiel GmbH Erkrather Str. 224 a D-40233 Düsseldorf Tel: 0211-179349 0 Fax: 0211-179349 29 E-Mail: c.rupp...@babiel.com Internet: http://www.babiel.com Geschäftsführer: Georg Babiel, Dr. Rainer Babiel, Harald Babiel Amtsgericht Düsseldorf HRB 38633 ~~ DISCLAIMER ~~~ The information transmitted in this electronic mail message may contain confidential and or privileged materials. Any review, retransmission, dissemination or other use of or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you receive such e-mails in error, please contact the sender and delete the material from any computer.
RE: Unable to clone repo
Hi Nick, in fact, its not very fast. You can try the formilux mirrors, they are kept up-to-date: $ git clone http://master.formilux.org/git/people/willy/haproxy.git/ $ git clone http://master.formilux.org/git/people/willy/haproxy-1.4.git/ Lukas From: tubaguy50...@gmail.com Date: Fri, 22 Mar 2013 09:47:07 -0500 Subject: Unable to clone repo To: haproxy@formilux.org Is there an issue with the Git repo today? I've tried to clone from Texas (USA) and London, both fail fetching objects. Is there a GitHub mirror? Nick
Re: use_backend: brackets/grouping not accepted in condition
On Fri, Mar 22, 2013 at 2:47 AM, Christian Ruppert c.rupp...@babiel.comwrote: Hi Baptiste, it is IMHO not really clear that brackets are for anonymous ACLs only. Wouldn't it make sense to support it for use_backend as well? Those two are not mutually exclusive: you can use them with use_backend and they are for anonymous acls. for example: use_backend www if METH_POST or {path_beg /static /images /img /css} -Bryan
AW: use_backend: brackets/grouping not accepted in condition
Hi Bryan, I am somewhat confused now.. So it sounds like the behavior of the brackets in combination with default_backend is wrong since it seems to work fine there even with IP ACLs. And what I meant is, wouldn’t it make sense to support e.g. IP ACLs with either {} or () or whatever else to allow one to group the rules instead of writing multiple use_backend lines? For small stuff, like in my example, it would make it slightly “easier”. use_backend if somecondition (foo or bar) vs. use_backend if someconditoon foo use_backend if someconditoon bar Mit freundlichen Grüßen, Christian Ruppert Christian Ruppert Systemadministrator Babiel GmbH Erkrather Str. 224 a D-40233 Düsseldorf Tel: 0211-179349 0 Fax: 0211-179349 29 E-Mail: c.rupp...@babiel.com Internet: http://www.babiel.com http://www.babiel.com/ Geschäftsführer: Georg Babiel, Dr. Rainer Babiel, Harald Babiel Amtsgericht Düsseldorf HRB 38633 ~~ DISCLAIMER ~~~ The information transmitted in this electronic mail message may contain confidential and or privileged materials. Any review, retransmission, dissemination or other use of or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you receive such e-mails in error, please contact the sender and delete the material from any computer. Von: Bryan Talbot [mailto:btal...@aeriagames.com] Gesendet: Freitag, 22. März 2013 16:35 An: Christian Ruppert Cc: Baptiste; HAproxy Mailing Lists Betreff: Re: use_backend: brackets/grouping not accepted in condition On Fri, Mar 22, 2013 at 2:47 AM, Christian Ruppert c.rupp...@babiel.com wrote: Hi Baptiste, it is IMHO not really clear that brackets are for anonymous ACLs only. Wouldn't it make sense to support it for use_backend as well? Those two are not mutually exclusive: you can use them with use_backend and they are for anonymous acls. for example: use_backend www if METH_POST or {path_beg /static /images /img /css} -Bryan
haproxy queue behavior
We are trying to understand the queueing behavior in haproxy better, especially with regard to global queues, queue depth, and weighting upstream servers when using round-robin distribution. A few questions: - How can we balance across upstream servers by using different weight assignments, based on *performance* - For each listen socket, is there a shared queue before individual maxconn queues are filled? Does maxconn per listen socket set the size of this queue? If global maxconn is 1000, listen socket maxconn is 100 and individual server maxconn are set to 10, and we have 2 app servers, what's the total number of requests that will be queued if the app servers are not able to catch up to the traffic? Blake