RES: RES: Help with kQueue
Hello,

Yes, surely! Seems with kqueue the CPU usage reduces by 50%, which is great.

I am using haproxy as a regular TCP proxy for TCP applications (not for websites).

Do you know if they plan to add FTP protocol support? I know how to configure it to work with passive mode, which isn't hard, but it would be cool to have native support for active mode!

Sincerely,
Fred

-Original message-
From: Lukas Tribus [mailto:luky...@hotmail.com]
Sent: Thursday, May 30, 2013 20:09
To: Fred Pedrisa; haproxy@formilux.org
Subject: RE: RES: Help with kQueue

Hi Fred,

> Here is what happens with the latest version, looks like it will use
> kqueue !! but select fail ? :D

I guess you have a maxsock > FD_SETSIZE condition, which in recent releases disables select(). See [1] and [2].

I'm not sure what bug/change you run into, but I guess it's enough to know that the latest release works with both kqueue and poll.

Regards,
Lukas

[1] http://www.mail-archive.com/haproxy@formilux.org/msg09362.html
[2] http://haproxy.1wt.eu/git?p=haproxy-1.4.git;a=commit;h=f4096052b9397e29c3638651e7487c047081c00c
RE: RES: Help with kQueue
Hi Fred,

> Here is what happens with the latest version, looks like it will use kqueue
> !! but select fail ? :D

I guess you have a maxsock > FD_SETSIZE condition, which in recent releases disables select(). See [1] and [2].

I'm not sure what bug/change you run into, but I guess it's enough to know that the latest release works with both kqueue and poll.

Regards,
Lukas

[1] http://www.mail-archive.com/haproxy@formilux.org/msg09362.html
[2] http://haproxy.1wt.eu/git?p=haproxy-1.4.git;a=commit;h=f4096052b9397e29c3638651e7487c047081c00c
Re: Haproxy issues with rspirep
Hi,

Others who have found similar problems with the openam application have solved it by making changes in tomcat (that solution hasn't worked for us unfortunately), hence the need to solve it at the ssl offloader software.

http://lists.forgerock.org/pipermail/openam/2011-June/001870.html

Hope someone from the community at least acknowledges if it's a code bug or a configuration problem, am losing precious time in the run up to production go live.

Regards
Syed

From: "s...@siezeconsulting.com"
Sent: Thu, 30 May 2013 01:58:12
To: "Cyril Bonté"
Cc: "haproxy@formilux.org"
Subject: Re: Haproxy issues with rspirep

Hi Cyril,

Sorry for the brevity.

Haproxy IP = 172.17.25.100 (fiction IP for clarity)
Application server hostname = openamHost
Application server IP = 172.17.25.101
Url for ssl offload access https://192.168.0.1/sso/Login

Configured haproxy to ssl offload a tomcat based application running on port 8080 (OpenAm specifically). SSL offload happens, traffic is sent to port 8080 but the application sends a redirect URL in return as the following

Problematic URL: http://172.17.25.99:80/sso/Login

I used the following directive in the frontend of the haproxy configuration

    rspirep ^Location:\ http://(.*):80(.*) Location:\ http://172.17.25.100:8080\2 if { ssl_fc }

Generic problem: Haproxy would capture, I assumed, the problematic URL and replace it with whatever happens to be "my custom URL"?

Specific requirement: The application is wrongly sending the redirect URL, I would ideally want to capture any HTTP url and convert into HTTPS so that haproxy can again re-route it to port 8080 after decryption each time.

Finally my simple requirement is to be able to control rewriting URLs at haproxy.

haproxy.cfg

    frontend secured *:443
        mode tcp
        SSL CERT BLAH BLAH
        rspirep ^Location:\ http://(.*):80(.*) Location:\ http://172.17.25.100:8080\2 if { ssl_fc }
        default_backend app

    #-
    # round robin balancing between the various backends
    #-
    backend app
        mode tcp
        balance roundrobin
        server app1 172.17.25.101:8080 check

Hope I haven't complicated the problem this time :-)

Regards
Syed

From: Cyril Bonté
Sent: Thu, 30 May 2013 01:15:45
To: "s...@siezeconsulting.com"
Cc: "haproxy@formilux.org"
Subject: Re: Haproxy issues with rspirep

Hi Syed,

On 29/05/2013 21:12, s...@siezeconsulting.com wrote:
> Hello,
>
> rspirep ^Location:\ http://(.*):80(.*) Location:\ https://\1:443\2 if { ssl_fc }
>
> The above works but the following doesn't (Location URL is unchanged ) why ?
>
> rspirep ^Location:\ http://(.*):80(.*) Location:\ http://172.17.25.100:8080\2 if { ssl_fc }

There's a lack of details. One configuration line is not enough to understand what you want to achieve. It will be hard to help you.

Can you explain your needs and provide your whole configuration (please remove any sensitive data, such as passwords, IPs, ...) ?

Are you sure you really want the "ssl_fc" condition here ?

>
>
> Reference :
> http://blog.exceliance.fr/2013/02/26/ssl-offloading-impact-on-web-applications/
>
>
> Regards
> Syed

--
Cyril Bonté
Re: Meaning of hrsp_2xx in show stat
IIRC, the meanings are:

> # 33. rate: number of sessions per second over last elapsed second

== Number of sessions initiated at the TCP level over the last second, irrespective of the HTTP response.

> # 39. hrsp_1xx: http responses with 1xx code
> # 40. hrsp_2xx: http responses with 2xx code
> # 41. hrsp_3xx: http responses with 3xx code
> # 42. hrsp_4xx: http responses with 4xx code
> # 43. hrsp_5xx: http responses with 5xx code

== Continually incrementing count of [12345]xx response codes (i.e. not a per-period rate).

Does this match what you're seeing?

Remember that #33 is useful if you're looking at it at a single point in time, but if you're trying to graph it, you might find it more useful to collect "stot" directly and calculate rates from that instead.

Jonathan
--
Jonathan Matthews // Oxford, London, UK
http://www.jpluscplusm.com/contact.html
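The approach suggested in the reply above (collect the cumulative counters and derive rates from them), as an added example that is not part of the thread. The two samples are constructed and carry only a few of the real `show stat` columns; the 10-second interval is an assumption.

```python
import csv

# Constructed samples in the shape of `show stat` output (reduced column set).
SAMPLE_T0 = """# pxname,svname,stot,rate,hrsp_2xx,hrsp_5xx,
www,FRONTEND,1000,12,900,10,
www,app1,1000,12,900,10,
"""
# Taken 10 seconds later.
SAMPLE_T1 = """# pxname,svname,stot,rate,hrsp_2xx,hrsp_5xx,
www,FRONTEND,1250,31,1130,12,
www,app1,1250,31,1130,12,
"""


def parse_show_stat(text):
    """Map (pxname, svname) -> {column: value} from `show stat` CSV text."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("# "):
        raise ValueError("missing '# pxname,...' header line")
    header = lines[0][2:].split(",")
    rows = {}
    for record in csv.reader(lines[1:]):
        if not record:
            continue
        # Every line ends with a comma, which yields one empty column name.
        row = {name: value for name, value in zip(header, record) if name}
        rows[(row["pxname"], row["svname"])] = row
    return rows


def counter_rates(before, after, seconds, fields=("stot", "hrsp_2xx")):
    """Per-second rates from the difference of two cumulative samples.

    A counter that went backwards (HAProxy restarted, counters cleared)
    gives None instead of a negative rate.
    """
    rates = {}
    for key, new in after.items():
        old = before.get(key)
        if old is None:
            continue  # proxy or server appeared between the two samples
        per_field = {}
        for field in fields:
            if not old.get(field) or not new.get(field):
                continue  # column is empty for this kind of row
            delta = int(new[field]) - int(old[field])
            per_field[field] = None if delta < 0 else delta / seconds
        rates[key] = per_field
    return rates
```

The `rate` column itself is ignored here: it only describes the last elapsed second, so a collector polling every 10 seconds would miss most of what happened in between.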
Re: Block clients based on header in real time?
I continue trying configurations, looking in the list and some blogs, but I can't ban IPs from a stick table or I don't know how.

The last that I tried:

    backend host:80
        stick-table type ip size 1m store gpc0
        http-request deny if hdr_sub(True-Client-IP) # How do I check here if the True-Client-IP is inside the stick-table?

In the table, I put the IPs by hand, it looks like this:

    show table host
    # table: back-idealista.es-http, type: ip, size:1048576, used:2
    0xcae6c4: key=192.168.1.5 use=0 exp=0 gpc0=1
    0xcdac34: key=192.168.1.6 use=0 exp=0 gpc0=1

The most similar is this message in the list: http://comments.gmane.org/gmane.comp.web.haproxy/9938 but the problem is that there the IP of the client is inside a header.

Thanks,

- Original message -
From: Ricardo Fraile
To: "haproxy@formilux.org"
CC:
Sent: Thursday, May 30, 2013 12:50
Subject: Re: Block clients based on header in real time?

Hello,

Ok, I updated the server to the 1.5 version but I have some troubles between the stick-table and the acl.

Before, I had:

    listen host1 *:80
        ...
        mode http
        acl block_invalid_client hdr_sub(True-Client-IP) -f true-client-ip.lst
        block if block_invalid_client
        ...

Now, I try to change the file to a stick table:

    backend host1
        ...
        stick-table type ip size 1m store gpc0
        acl block_invalid_client hdr_ip(True-Client-IP) -- { stick match(host1) }
        http-request deny if block_invalid_client
        ...

But it does not work:

    error detected while parsing ACL 'block_invalid_client' : '{' is not a valid IPv4 or IPv6 address.
    error detected while parsing an 'http-request deny' condition : no such ACL : 'block_invalid_client'.

Is it possible to match an http header inside an acl to a stick table?

Thanks,

- Original message -
From: Baptiste
To: Ricardo Fraile
CC: "haproxy@formilux.org"
Sent: Wednesday, May 29, 2013 14:51
Subject: Re: Block clients based on header in real time?

Hi,

With latest HAProxy version, you could use a stick table and insert IPs in the stick table through HAProxy socket.
Then you can ban all IPs from the stick table.

Baptiste

On Wed, May 29, 2013 at 1:05 PM, Ricardo Fraile wrote:
> Hello,
>
>
> I'm looking for a solution for blocking users based on a header,
> x-forwarded-for. I have yet an acl for this but is it possible to update the
> list of ips without restart haproxy?
>
>
> Thanks,
>
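The socket side of the suggestion quoted above (inserting IPs into the stick table through the HAProxy socket), as an added example that is not part of the thread. The socket path is an assumption, the helper names are hypothetical, and the rule that consults the table is not covered here.

```python
import ipaddress
import re
import socket

ADMIN_SOCKET = "/var/run/haproxy.stat"  # assumed path; use your "stats socket" value

# "show table" output as posted in the message above.
SHOW_TABLE_SAMPLE = """\
# table: back-idealista.es-http, type: ip, size:1048576, used:2
0xcae6c4: key=192.168.1.5 use=0 exp=0 gpc0=1
0xcdac34: key=192.168.1.6 use=0 exp=0 gpc0=1
"""

TABLE_NAME = re.compile(r"[A-Za-z0-9_.:-]+")
ENTRY = re.compile(r"0x[0-9a-fA-F]+: key=(\S+)((?: \S+=\S+)*)")


def _checked(table, ip):
    """Reject anything that could smuggle a second command onto the socket.

    The stats socket splits its input on ';' and newlines, so a header value
    copied in unchecked could append commands of its own.
    """
    if not TABLE_NAME.fullmatch(table):
        raise ValueError("bad table name: %r" % table)
    return table, str(ipaddress.ip_address(ip.strip()))


def ban_command(table, ip):
    """Command that creates or updates the entry with gpc0 set to 1."""
    table, ip = _checked(table, ip)
    return "set table %s key %s data.gpc0 1\n" % (table, ip)


def unban_command(table, ip):
    """Command that removes the entry from the table."""
    table, ip = _checked(table, ip)
    return "clear table %s key %s\n" % (table, ip)


def banned_ips(show_table_output):
    """Return the keys whose gpc0 counter is non-zero."""
    banned = []
    for line in show_table_output.splitlines():
        match = ENTRY.fullmatch(line.strip())
        if not match:
            continue  # "# table: ..." header or blank line
        fields = dict(f.split("=", 1) for f in match.group(2).split())
        if int(fields.get("gpc0", 0)) > 0:
            banned.append(match.group(1))
    return banned


def run_command(command, path=ADMIN_SOCKET):
    """Send one command to the admin socket and return the reply text."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)
        sock.sendall(command.encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", "replace")
```

Writing to a table needs a socket declared with `level admin`, so keep its file mode restrictive: whoever can write to it can also change or clear the ban list.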
RES: Help with kQueue
    # ./haproxy -d -f /proxy/l2cr.cfg -n 8192
    Available polling systems :
      kqueue : pref=300, test result OK
      poll : pref=200, test result OK
      select : pref=150, test result FAILED
    Total: 3 (2 usable), will use kqueue.
    Using kqueue() as the polling mechanism.

Here is what happens with the latest version, looks like it will use kqueue !! but select fail ? :D

-Original message-
From: Lukas Tribus [mailto:luky...@hotmail.com]
Sent: Thursday, May 30, 2013 12:46
To: Fred Pedrisa; haproxy@formilux.org
Subject: RE: Help with kQueue

> # /proxy/haproxy -vv -c -f l2cr.cfg
> Available polling systems :
> kqueue : pref=300, test result OK

> #proxy/haproxy -V -d -f /proxy/lr.cfg -n 8192
> Available polling systems :
> select : pref=150, test result OK

You are comparing two different configurations, are you sure none of them disables poll and kqueue?

Can you run:

    egrep -i "queue|poll" l2cr.cfg
    egrep -i "queue|poll" /proxy/lr.cfg
    diff -u l2cr.cfg /proxy/lr.cfg

> 1.4.20

Can you grab the latest tarball at http://haproxy.1wt.eu/, this release is outdated.

Lukas
RES: Help with kQueue
Hello,

Lr.cfg and l2cr.cfg are both the same files :)

-Original message-
From: Lukas Tribus [mailto:luky...@hotmail.com]
Sent: Thursday, May 30, 2013 12:46
To: Fred Pedrisa; haproxy@formilux.org
Subject: RE: Help with kQueue

> # /proxy/haproxy -vv -c -f l2cr.cfg
> Available polling systems :
> kqueue : pref=300, test result OK

> #proxy/haproxy -V -d -f /proxy/lr.cfg -n 8192
> Available polling systems :
> select : pref=150, test result OK

You are comparing two different configurations, are you sure none of them disables poll and kqueue?

Can you run:

    egrep -i "queue|poll" l2cr.cfg
    egrep -i "queue|poll" /proxy/lr.cfg
    diff -u l2cr.cfg /proxy/lr.cfg

> 1.4.20

Can you grab the latest tarball at http://haproxy.1wt.eu/, this release is outdated.

Lukas
RE: Help with kQueue
> # /proxy/haproxy -vv -c -f l2cr.cfg
> Available polling systems :
> kqueue : pref=300, test result OK

> #proxy/haproxy -V -d -f /proxy/lr.cfg -n 8192
> Available polling systems :
> select : pref=150, test result OK

You are comparing two different configurations, are you sure none of them disables poll and kqueue?

Can you run:

    egrep -i "queue|poll" l2cr.cfg
    egrep -i "queue|poll" /proxy/lr.cfg
    diff -u l2cr.cfg /proxy/lr.cfg

> 1.4.20

Can you grab the latest tarball at http://haproxy.1wt.eu/, this release is outdated.

Lukas
Re: upgraded from 1.5dev18-30 to 1.5dev18-50 and it broke my SSL VPN :-(
On Thu, May 30, 2013 at 3:11 PM, Lukas Tribus wrote:
> Hi Arne,
>
> can you start haproxy with the debug options enabled (-d) and catch the
> output while a request fails?
>
>
> Thanks,
>
> Lukas

I ran "sudo haproxy -d -f /etc/haproxy/haproxy.cfg >> haproxy-d.log 2>&1" to capture the log output, I can't see anything obvious...

I'd rather send the log to you/Willy than send it to the list.

Cheers
Arne.
RE: upgraded from 1.5dev18-30 to 1.5dev18-50 and it broke my SSL VPN :-(
Hi Arne, can you start haproxy with the debug options enabled (-d) and catch the output while a request fails? Thanks, Lukas
Re: upgraded from 1.5dev18-30 to 1.5dev18-50 and it broke my SSL VPN :-(
On Thu, May 30, 2013 at 2:53 PM, shouldbe q931 wrote:
> 18-38 is fine, 18-39 it is broken.
>
> 18-39 would be the commit
>
>
> http://git.1wt.eu/web?p=haproxy.git;a=commit;h=7c41a1b59b005a75914121a604ede449374b8de7
>

working version

    haproxy -vv
    HA-Proxy version 1.5-dev18-38 2013/05/07
    Copyright 2000-2013 Willy Tarreau

    Build options :
      TARGET = linux2628
      CPU = native
      CC = gcc
      CFLAGS = -O2 -march=native -g -fno-strict-aliasing
      OPTIONS = USE_LINUX_SPLICE=1 USE_LINUX_TPROXY=1 USE_LIBCRYPT=1 USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1

    Default settings :
      maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

    Encrypted password support via crypt(3): yes
    Built with zlib version : 1.2.3.4
    Compression algorithms supported : identity, deflate, gzip
    Built with OpenSSL version : OpenSSL 1.0.1 14 Mar 2012
    Running on OpenSSL version : OpenSSL 1.0.1 14 Mar 2012
    OpenSSL library supports TLS extensions : yes
    OpenSSL library supports SNI : yes
    OpenSSL library supports prefer-server-ciphers : yes
    Built with PCRE version : 8.12 2011-01-15
    PCRE library supports JIT : no (USE_PCRE_JIT not set)

    Available polling systems :
      epoll : pref=300, test result OK
      poll : pref=200, test result OK
      select : pref=150, test result OK
    Total: 3 (3 usable), will use epoll.

the build options etc on 18-39 are identical

the OS is Ubuntu 12.04.2

Cheers
Arne
Re: upgraded from 1.5dev18-30 to 1.5dev18-50 and it broke my SSL VPN :-(
18-38 is fine, 18-39 it is broken.

18-39 would be the commit

http://git.1wt.eu/web?p=haproxy.git;a=commit;h=7c41a1b59b005a75914121a604ede449374b8de7

I've removed the other parts of the config, but the relevant sections of the haproxy.cfg look like

    local@haproxy-2:~$ cat /etc/haproxy/haproxy.cfg
    global
        log 127.0.0.1 local0
        log 127.0.0.1 local1 notice
        #log loghost local0 info
        maxconn 4096
        stats socket /var/run/haproxy.stat mode 600 level admin
        chroot /usr/share/haproxy
        daemon
        #debug
        #quiet

    defaults
        mode http
        contimeout 5000
        clitimeout 36
        srvtimeout 36

    frontend sslexplorerHTTP
        mode http
        bind 10.201.253.207:80
        option tcpka
        default_backend BsslexplorerHTTP

    frontend sslexplorerHTTPS
        mode http
        bind 10.201.253.207:443 ssl crt /etc/haproxy/ssl.primarydomain.com.crt ciphers RC4:HIGH:!aNULL:!MD5;
        option tcpka
        default_backend BsslexplorerHTTPS

    backend BsslexplorerHTTP
        mode http
        option ssl-hello-chk
        option tcpka
        option persist
        option redispatch
        stick-table type ip size 1024k expire 30m
        stick on src
        server sslexplorer 10.201.253.56 weight 200 check port 443 inter 5000ms rise 3 fall 2

    backend BsslexplorerHTTPS
        mode http
        option ssl-hello-chk
        option tcpka
        option persist
        option redispatch
        stick-table type ip size 1024k expire 30m
        stick on src
        server sslexplorer 10.201.253.56 ssl weight 200 check port 443 inter 5000ms rise 3 fall 2

    listen stats :7000
        stats enable
        stats uri /
        option httpclose
        stats auth haproxy:haproxy
        stats admin if TRUE

I don't get much in the way of an error in the SSL Explorer agent beyond a popup saying "The SSL-Explorer Agent failed connect" and the web page displays "failed to sync"

Cheers
Arne
Re: upgraded from 1.5dev18-30 to 1.5dev18-50 and it broke my SSL VPN :-(
On Thu, May 30, 2013 at 1:28 PM, Lukas Tribus wrote:
> Hi Arne!
>
>
>> I'd be very happy to step through individual 1.5dev18 releases after
>> 30 until I find the one that "breaks" SSL Explorer, but I have a
>> slight problem in that I haven't got a clue on how to "check out" each
>> individual release from git.
>
>
> You can use "git bisect" to do this:
> http://webchick.net/node/99
>
>
> Lukas

Hi Lukas,

So to go back to 18-30, should I

    make clean
    git checkout 9f04853
    make TARGET=(etc)

then

    make install (etc)

Cheers
Arne
RE: upgraded from 1.5dev18-30 to 1.5dev18-50 and it broke my SSL VPN :-(
Hi Arne!

> I'd be very happy to step through individual 1.5dev18 releases after
> 30 until I find the one that "breaks" SSL Explorer, but I have a
> slight problem in that I haven't got a clue on how to "check out" each
> individual release from git.

You can use "git bisect" to do this:
http://webchick.net/node/99

Lukas
according to the ciphersuite, ECC-based and RSA-based Certificate use
Hi,

According to the ciphersuites, I hope to use an ECC-based certificate and an RSA-based certificate. Is this possible?

Thanks,
seri
upgraded from 1.5dev18-30 to 1.5dev18-50 and it broke my SSL VPN :-(
I run SSL Explorer to provide a secure(ish) method of accessing internal resources. I have HAProxy in front of SSL Explorer doing SSL termination (and limiting the cipher choice to ameliorate BEAST etc).

I upgraded from 1.5dev18-30 to 1.5dev18-50 and the SSL Explorer agent now fails to connect :-(

I tested bypassing HAProxy and SSL Explorer still works.

I'd be very happy to step through individual 1.5dev18 releases after 30 until I find the one that "breaks" SSL Explorer, but I have a slight problem in that I haven't got a clue on how to "check out" each individual release from git.

I appreciate that this is more of a "how to use git" rather than a HAProxy issue.

Cheers
Arne
RES: Help with kQueue
    HA-Proxy version 1.4.20 2012/03/10
    Copyright 2000-2012 Willy Tarreau

    Build options :
      TARGET = freebsd
      CPU = generic
      CC = gcc

    Default settings :
      maxconn = 1024, bufsize = 8030, maxrewrite = 1030, maxpollevents = 200

    Encrypted password support via crypt(3): no

    Available polling systems :
      kqueue : pref=300, test result OK
      poll : pref=200, test result OK
      select : pref=150, test result OK
    Total: 3 (3 usable), will use kqueue.

Without -d, it doesn't use kQueue either. I used -d just to find out what was happening.

-Original message-
From: Lukas Tribus [mailto:luky...@hotmail.com]
Sent: Thursday, May 30, 2013 05:22
To: Fred Pedrisa; haproxy@formilux.org
Subject: RE: Help with kQueue

Hi Fred,

> #proxy/haproxy -V -d -f /proxy/lr.cfg -n 8192
> Available polling systems :
> select : pref=150, test result OK
> kqueue : disabled, test result OK
> poll : disabled, test result OK
> Total: 3 (1 usable), will use select.
> Using select() as the polling mechanism.

Does it work if you omit "-d"?

Can you post the full output of haproxy -vv?

What HAproxy version are you using and how did you compile it (what USE_FLAGs)?

Lukas
Re: Block clients based on header in real time?
Hello,

Ok, I updated the server to the 1.5 version but I have some troubles between the stick-table and the acl.

Before, I had:

    listen host1 *:80
        ...
        mode http
        acl block_invalid_client hdr_sub(True-Client-IP) -f true-client-ip.lst
        block if block_invalid_client
        ...

Now, I try to change the file to a stick table:

    backend host1
        ...
        stick-table type ip size 1m store gpc0
        acl block_invalid_client hdr_ip(True-Client-IP) -- { stick match(host1) }
        http-request deny if block_invalid_client
        ...

But it does not work:

    error detected while parsing ACL 'block_invalid_client' : '{' is not a valid IPv4 or IPv6 address.
    error detected while parsing an 'http-request deny' condition : no such ACL : 'block_invalid_client'.

Is it possible to match an http header inside an acl to a stick table?

Thanks,

- Original message -
From: Baptiste
To: Ricardo Fraile
CC: "haproxy@formilux.org"
Sent: Wednesday, May 29, 2013 14:51
Subject: Re: Block clients based on header in real time?

Hi,

With latest HAProxy version, you could use a stick table and insert IPs in the stick table through HAProxy socket.
Then you can ban all IPs from the stick table.

Baptiste

On Wed, May 29, 2013 at 1:05 PM, Ricardo Fraile wrote:
> Hello,
>
>
> I'm looking for a solution for blocking users based on a header,
> x-forwarded-for. I have yet an acl for this but is it possible to update the
> list of ips without restart haproxy?
>
>
> Thanks,
>
Meaning of hrsp_2xx in show stat
Hi All,

I'm trying to collect some statistics of the haproxy server. Here is what I'm not able to understand. If possible, can anybody help me out with this?

This is the command which is running and giving stats to collectd, and the graphs are generated on graphite.

    echo 'show stat' | socat - UNIX-CLIENT:$sock

The problem is that the "rate" is showing something different and the hrsp_2xx is showing something different.

Does anyone have any idea how the hrsp_2xx stats are collected from haproxy? I mean whether it is per seconds/hits all through the logs or anything.

This is what it is there in http://haproxy.1wt.eu/download/1.4/doc/configuration.txt

    # 33. rate: number of sessions per second over last elapsed second
    # 39. hrsp_1xx: http responses with 1xx code
    # 40. hrsp_2xx: http responses with 2xx code
    # 41. hrsp_3xx: http responses with 3xx code
    # 42. hrsp_4xx: http responses with 4xx code
    # 43. hrsp_5xx: http responses with 5xx code

I can share the script if anybody wants to have a look.

--
- Ashish
RE: Help with kQueue
Hi Fred,

> #proxy/haproxy -V -d -f /proxy/lr.cfg -n 8192
> Available polling systems :
> select : pref=150, test result OK
> kqueue : disabled, test result OK
> poll : disabled, test result OK
> Total: 3 (1 usable), will use select.
> Using select() as the polling mechanism.

Does it work if you omit "-d"?

Can you post the full output of haproxy -vv?

What HAproxy version are you using and how did you compile it (what USE_FLAGs)?

Lukas