Re: haproxy configuration to use forwardfor with websockets
3. is there a way for haproxy to detect this scenario? Or how would I create special block of options/rules for such clients in haproxy config? If yes, can you provide some example? I am digging into this mainly because IE is not sending all headers when sending cross-origin request (not sure if this issue is still present in the latest version of IE, I think I last tested it with IE8) On Sun, May 12, 2013 at 11:34 PM, Baptiste wrote: > Hi, > > My answers inline. > > On Sun, May 12, 2013 at 11:25 PM, Peter Saitz > wrote: > > 1. For http, I should set this to balanace roundrobin and haproxy is > attaching A or B to the cookie, if this A or B is present in cookie for any > following incoming request, then user is directed > > to the same server as his initial request, correct? (cookie is a session > cookie, so once user closes browser it is erased and next time user "gets > the server" on random again. > > That's it. > More details about load-balancing and persistence: > > http://blog.exceliance.fr/2012/03/29/load-balancing-affinity-persistence-sticky-sessions-what-you-need-to-know/ > > > 2. What about websockets? > > the same, since the persistence will occur during the negotiation phase. > > > 3. If cookie is not accepted by client's browser, how can I ensure that > all > > those clients are redirected to a single server? > > then you have to fail over to source IP load-balancing or persistence, > which is not exactly the same. > More details here: > > http://blog.exceliance.fr/2013/04/22/client-ip-persistence-or-source-ip-hash-load-balancing/ > > Baptiste >
Re: haproxy configuration to use forwardfor with websockets
Hi, My answers inline. On Sun, May 12, 2013 at 11:25 PM, Peter Saitz wrote: > 1. For http, I should set this to balanace roundrobin and haproxy is > attaching A or B to the cookie, if this A or B is present in cookie for any > following incoming request, then user is directed > to the same server as his initial request, correct? (cookie is a session > cookie, so once user closes browser it is erased and next time user "gets the > server" on random again. That's it. More details about load-balancing and persistence: http://blog.exceliance.fr/2012/03/29/load-balancing-affinity-persistence-sticky-sessions-what-you-need-to-know/ > 2. What about websockets? the same, since the persistence will occur during the negotiation phase. > 3. If cookie is not accepted by client's browser, how can I ensure that all > those clients are redirected to a single server? then you have to fail over to source IP load-balancing or persistence, which is not exactly the same. More details here: http://blog.exceliance.fr/2013/04/22/client-ip-persistence-or-source-ip-hash-load-balancing/ Baptiste
Re: haproxy configuration to use forwardfor with websockets
3. If cookie is not accepted by client's browser, how can I ensure that all those clients are redirected to a single server? On Sun, May 12, 2013 at 2:21 PM, Peter Saitz wrote: > I see, hmm, reason why I went this way originally was to ensure stickiness > of single browser session. I think I slightly misunderstood the haproxy > documentation first time I red it. > > Is this how it works? > 1. For http, I should set this to balanace roundrobin and haproxy is > attaching A or B to the cookie, if this A or B is present in cookie for any > following incoming request, then user is directed to the same server as his > initial request, correct? (cookie is a session cookie, so once user closes > browser it is erased and next time user "gets the server" on random again. > > 2. What about websockets? > > > On Sun, May 12, 2013 at 5:59 AM, Baptiste wrote: > >> On Sat, May 11, 2013 at 10:47 PM, Peter Saitz >> wrote: >> > A side question: all traffic is directed to B server (second server in >> > configuration), the BAYEUX_BROWSER cookie is attached but it is always >> the >> > "B" one. I have no clue what is wrong, do you see any problem why http >> > traffic should go to single server only? (I tested it by deleting >> manually >> > the BAYEUX_BROWSER cookie in the browser and reload page over and over, >> > always B). Also tcpdump shows that no redirection is against A (first) >> > server. >> >> That's because of your load-balancing algorithm. >> Please move from source to roundrobin and it will work. >> Currently, since your soure IP doesn't change, the source algorithm >> redirect you to the same server. It is a predictive algorithm. >> roundrobin is unpredictive so you may redirected to the next server >> pointed by the algo at the moment the request is processed by HAProxy. >> >> Baptiste >> > >
Re: haproxy configuration to use forwardfor with websockets
I see, hmm, reason why I went this way originally was to ensure stickiness of single browser session. I think I slightly misunderstood the haproxy documentation first time I red it. Is this how it works? 1. For http, I should set this to balanace roundrobin and haproxy is attaching A or B to the cookie, if this A or B is present in cookie for any following incoming request, then user is directed to the same server as his initial request, correct? (cookie is a session cookie, so once user closes browser it is erased and next time user "gets the server" on random again. 2. What about websockets? On Sun, May 12, 2013 at 5:59 AM, Baptiste wrote: > On Sat, May 11, 2013 at 10:47 PM, Peter Saitz > wrote: > > A side question: all traffic is directed to B server (second server in > > configuration), the BAYEUX_BROWSER cookie is attached but it is always > the > > "B" one. I have no clue what is wrong, do you see any problem why http > > traffic should go to single server only? (I tested it by deleting > manually > > the BAYEUX_BROWSER cookie in the browser and reload page over and over, > > always B). Also tcpdump shows that no redirection is against A (first) > > server. > > That's because of your load-balancing algorithm. > Please move from source to roundrobin and it will work. > Currently, since your soure IP doesn't change, the source algorithm > redirect you to the same server. It is a predictive algorithm. > roundrobin is unpredictive so you may redirected to the next server > pointed by the algo at the moment the request is processed by HAProxy. > > Baptiste >
Re: Websockets and RTMP
On 12 May 2013 10:03, pablo platt wrote: > Can you please explain how to use ssl_fc? > I couldn't find it in the configuration docs. > > Please see below the global and defaults sections which I get when > installing the haproxy-1.4.18 deb package on ubuntu 12.04 ssl_fc is only in HAProxy 1.5. Jonathan -- Jonathan Matthews // Oxford, London, UK http://www.jpluscplusm.com/contact.html
Re: haproxy configuration to use forwardfor with websockets
On Sat, May 11, 2013 at 10:47 PM, Peter Saitz wrote: > A side question: all traffic is directed to B server (second server in > configuration), the BAYEUX_BROWSER cookie is attached but it is always the > "B" one. I have no clue what is wrong, do you see any problem why http > traffic should go to single server only? (I tested it by deleting manually > the BAYEUX_BROWSER cookie in the browser and reload page over and over, > always B). Also tcpdump shows that no redirection is against A (first) > server. That's because of your load-balancing algorithm. Please move from source to roundrobin and it will work. Currently, since your soure IP doesn't change, the source algorithm redirect you to the same server. It is a predictive algorithm. roundrobin is unpredictive so you may redirected to the next server pointed by the algo at the moment the request is processed by HAProxy. Baptiste
Re: Websockets and RTMP
Can you please explain how to use ssl_fc? I couldn't find it in the configuration docs. Please see below the global and defaults sections which I get when installing the haproxy-1.4.18 deb package on ubuntu 12.04 The frontend and backend parts are what I thought of using after reading the answer here http://www.mentby.com/Group/haproxy/route-http-connections-to-tcp-backend-instead-of-dropping-in-http-mode.html Do I need to add or remove any of the settings? Thanks global log 127.0.0.1local0 log 127.0.0.1local1 notice #log loghostlocal0 info maxconn 4096 #chroot /usr/share/haproxy user haproxy group haproxy daemon #debug #quiet defaults logglobal modehttp optionhttplog optiondontlognull retries3 option redispatch maxconn2000 contimeout5000 clitimeout5 srvtimeout5 frontend port443 bind :443 mode tcp tcp-request inspect-delay 5s acl traffic_is_ssl req_ssl_ver -gt 0 tcp-request content accept use_backend media_backend if traffic_is_ssl default_backend websocket_backend backend media_backend server media_server 127.0.0.1:1935 backend websocket_backend server websocket-server 127.0.0.1:4443 On Sat, May 11, 2013 at 10:41 PM, Baptiste wrote: > Hi Pablo, > > My answers inline. > > On Sat, May 11, 2013 at 6:20 PM, pablo platt > wrote: > > Hi, > > > > I need to proxy secure websockets and RTMP (normal tcp) on the same port. > > In the future I'll need normal HTTP requests and static files. > > haproxy will pass ssl requests to backend1 and RTMP requests to backend2. > > Processes will be open for a long time (minutes - hours). > > The backends are on the same machine and will be responsible for timeouts > > and pings. > > > > Do I need to change anythinging in the default configuration like > > contimeout, clitimeout and srvtimeout? I'm using the ubuntu 12.04 > package. > > Please paste your configuration. We don't know the default > configuration from each packager and OS ;) > > > > > Is this the correct way to check for ssl requests? > > acl traffic_is_ssl req_ssl_ver -gt 0 > > I would better use ssl_fc. > Using content inspection (tcp-request inspect) rules, you can do the > content switching based on ssl_fc and so split SSL and RTMP traffic to > 2 different farms. > (I guess this is the purpose you're trying to achieve). > > > When nginx will get ssl requests from haproxy it'll see haproxy's IP. > > Can I terminate ssl requests in nginx even when the client IP was > changed? > > IP change has no impact on SSL. > > > Thanks > > > > Baptiste >