RES: RES: Help with kQueue

2013-05-30 Thread Fred Pedrisa
Hello,

Yes, surely !

It seems that with kqueue the CPU usage is reduced by 50%, which is great.

I am using haproxy as a regular TCP proxy for TCP applications (not for
websites).

Do you know if they plan to add FTP protocol support? I know how to
configure it to work with passive mode, which isn't hard, but it would be cool
to have native support for active mode!

Sincerely,

Fred

-----Original Message-----
From: Lukas Tribus [mailto:luky...@hotmail.com] 
Sent: Thursday, May 30, 2013 20:09
To: Fred Pedrisa; haproxy@formilux.org
Subject: RE: RES: Help with kQueue

Hi Fred,


> Here is what happens with the latest version, looks like it will use 
> kqueue !! but select fail ? :D

I guess you have a maxsock > FD_SETSIZE condition, which in recent releases
disables select(). See [1] and [2].

I'm not sure what bug/change you run into, but I guess it's enough to know
that the latest release works with both kqueue and poll.

Regards,
Lukas

[1] http://www.mail-archive.com/haproxy@formilux.org/msg09362.html
[2] http://haproxy.1wt.eu/git?p=haproxy-1.4.git;a=commit;h=f4096052b9397e29c3638651e7487c047081c00c




RE: RES: Help with kQueue

2013-05-30 Thread Lukas Tribus
Hi Fred,


> Here is what happens with the latest version, looks like it will use kqueue
> !! but select fail ? :D

I guess you have a maxsock > FD_SETSIZE condition, which in recent releases
disables select(). See [1] and [2].

I'm not sure what bug/change you run into, but I guess it's enough to know that
the latest release works with both kqueue and poll.

Regards,
Lukas

[1] http://www.mail-archive.com/haproxy@formilux.org/msg09362.html
[2] http://haproxy.1wt.eu/git?p=haproxy-1.4.git;a=commit;h=f4096052b9397e29c3638651e7487c047081c00c
   


Re: Haproxy issues with rspirep

2013-05-30 Thread s...@siezeconsulting.com
Hi,

Others who have found similar problems with the openam application have solved it 
by making changes in tomcat (that solution hasn't worked for us, unfortunately), 
hence the need to solve it at the ssl offloader software.

http://lists.forgerock.org/pipermail/openam/2011-June/001870.html

Hope someone from the community at least acknowledges if it's a code bug or a 
configuration problem. I am losing precious time in the run-up to production 
go-live.


Regards
Syed








From: "s...@siezeconsulting.com"
Sent: Thu, 30 May 2013 01:58:12 
To: "Cyril Bonté"
Cc: "haproxy@formilux.org"
Subject: Re: Haproxy issues with rspirep
Hi Cyril,

Sorry for the brevity.

Haproxy IP = 172.17.25.100 (fictional IP for clarity)
Application server hostname = openamHost
Application server IP = 172.17.25.101
Url for ssl offload access https://192.168.0.1/sso/Login

Configured haproxy to ssl offload a tomcat based application running on port 
8080 (OpenAm specifically).

SSL offload happens, traffic is sent to port 8080, but the application sends a 
redirect URL in return as the following:

Problematic URL: http://172.17.25.99:80/sso/Login

I used the following directive in the frontend of the haproxy configuration:

rspirep ^Location:\ http://(.*):80(.*)  Location:\ http://172.17.25.100:8080\2 if { ssl_fc }

Generic problem: I assumed haproxy would capture the problematic URL and 
replace it with whatever happens to be "my custom URL"?

Specific requirement: The application is wrongly sending the redirect URL. 
I would ideally want to capture any HTTP URL and convert it into 
HTTPS so that haproxy can again re-route it to port 8080 after decryption each 
time.

Finally, my simple requirement is to be able to control rewriting URLs at 
haproxy.

haproxy.cfg

frontend  secured *:443
   mode  tcp
   SSL CERT BLAH BLAH

   rspirep ^Location:\ http://(.*):80(.*)  Location:\ http://172.17.25.100:8080\2 if { ssl_fc }

   default_backend  app

#-
# round robin balancing between the various backends
#-
backend app
    mode  tcp
    balance roundrobin
    server  app1 172.17.25.101:8080 check

Hope I haven't complicated the problem this time :-)


Regards
Syed 






From: Cyril Bonté 
Sent: Thu, 30 May 2013 01:15:45 
To: "s...@siezeconsulting.com" 
Cc: "haproxy@formilux.org" 
Subject: Re: Haproxy issues with rspirep
Hi Syed,

On 29/05/2013 21:12, s...@siezeconsulting.com wrote:
> Hello,
>
> rspirep ^Location:\ http://(.*):80(.*) Location:\ https://\1:443\2 if { ssl_fc }
>
> The above works but the following doesn't (Location URL is unchanged ) why ?
>
> rspirep ^Location:\ http://(.*):80(.*)  Location:\ http://172.17.25.100:8080\2 if { ssl_fc }

There's a lack of details. One configuration line is not enough to
understand what you want to achieve. It will be hard to help you.

Can you explain your needs and provide your whole configuration (please
remove any sensitive data, such as passwords, IPs, ...) ?

Are you sure you really want the "ssl_fc" condition here ?

>
>
> Reference :
> http://blog.exceliance.fr/2013/02/26/ssl-offloading-impact-on-web-applications/
>
>
> Regards
> Syed

-- 
Cyril Bonté



Re: Meaning of hrsp_2xx in show stat

2013-05-30 Thread Jonathan Matthews
IIRC, the meanings are:

> # 33. rate: number of sessions per second over last elapsed second

== Number of sessions initiated at the TCP level over the last second,
irrespective of the HTTP response.

> # 39. hrsp_1xx: http responses with 1xx code
> # 40. hrsp_2xx: http responses with 2xx code
> # 41. hrsp_3xx: http responses with 3xx code
> # 42. hrsp_4xx: http responses with 4xx code
> # 43. hrsp_5xx: http responses with 5xx code

== Continually incrementing count of [12345]xx response codes (i.e.
not a per-period rate).

Does this match what you're seeing? Remember that #33 is useful if
you're looking at it at a single point in time, but if you're trying
to graph it, you might find it more useful to collect "stot" directly
and calculate rates from that instead.

Jonathan
--
Jonathan Matthews // Oxford, London, UK
http://www.jpluscplusm.com/contact.html
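
The suggestion in the reply above, collecting the cumulative counters and deriving rates from them, as an added example that is not part of the original thread. The two `show stat` samples are constructed and trimmed to a few columns, the function names are hypothetical, and treating a decreasing counter as a reset is an assumption about how a collector would handle a restart.

```python
import csv
import io

# Constructed 'show stat' samples, trimmed to a few of the real CSV columns.
# Fields are looked up by header name, so column order does not matter.
SAMPLE_T0 = """\
# pxname,svname,stot,rate,hrsp_2xx,hrsp_5xx,
web,FRONTEND,1000,12,2400,10,
tcp_in,FRONTEND,300,3,,,
api,BACKEND,500,7,480,2,
"""

# Same proxies 10 seconds later; the 'api' counters restarted from zero.
SAMPLE_T1 = """\
# pxname,svname,stot,rate,hrsp_2xx,hrsp_5xx,
web,FRONTEND,1050,2,2900,10,
tcp_in,FRONTEND,340,5,,,
api,BACKEND,20,4,18,0,
"""

# Cumulative counters only. 'rate' is a gauge for the last second and is
# deliberately not differenced.
COUNTERS = ("stot", "hrsp_2xx", "hrsp_5xx")


def parse_show_stat(text, fields=COUNTERS):
    """Return {(pxname, svname): {field: int or None}} from 'show stat' CSV."""
    reader = csv.DictReader(io.StringIO(text.lstrip("# ")))
    stats = {}
    for row in reader:
        values = {}
        for name in fields:
            raw = (row.get(name) or "").strip()
            # Empty field: the counter is not reported (e.g. hrsp_* in TCP mode).
            values[name] = int(raw) if raw else None
        stats[(row["pxname"], row["svname"])] = values
    return stats


def counter_rates(prev, curr, interval_s, fields=COUNTERS):
    """Per-second rates between two samples; None where no rate can be derived."""
    rates = {}
    for key, now in curr.items():
        before = prev.get(key)
        if before is None:
            continue  # proxy or server appeared between the two samples
        rates[key] = {}
        for name in fields:
            a, b = before[name], now[name]
            if a is None or b is None or b < a:
                rates[key][name] = None  # not reported, or counter was reset
            else:
                rates[key][name] = (b - a) / interval_s
    return rates


if __name__ == "__main__":
    result = counter_rates(parse_show_stat(SAMPLE_T0),
                           parse_show_stat(SAMPLE_T1), interval_s=10)
    for key, values in sorted(result.items()):
        print(key, values)
```

In the constructed data the 2xx response rate is ten times the session rate for `web`, which is what keep-alive sessions carrying several requests each would produce.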



Re: Block clients based on header in real time?

2013-05-30 Thread Ricardo Fraile
I continue trying configurations, looking in the list and some blogs, but I 
can't ban IPs from a stick table or I don't know how. The last one that I tried:

backend host:80
        stick-table type ip size 1m  store gpc0
        http-request deny if hdr_sub(True-Client-IP) #How i check here if the True-Client-IP is inside the stick-table?


In the table, I put the IPs by hand; it looks like this:

show table host
# table: back-idealista.es-http, type: ip, size:1048576, used:2
0xcae6c4: key=192.168.1.5 use=0 exp=0 gpc0=1
0xcdac34: key=192.168.1.6 use=0 exp=0 gpc0=1


The most similar is this message in the list: 
http://comments.gmane.org/gmane.comp.web.haproxy/9938 but the problem is that 
there the IP of the client is inside a header.


Thanks,



----- Original Message -----
From: Ricardo Fraile 
To: "haproxy@formilux.org" 
CC: 
Sent: Thursday, May 30, 2013 12:50
Subject: Re: Block clients based on header in real time?

Hello,

   OK, I updated the server to version 1.5, but I have some trouble between 
the stick-table and the acl.

   Before, i had:

listen host1 *:80
    ...
    mode http
    acl block_invalid_client hdr_sub(True-Client-IP) -f true-client-ip.lst
    block if block_invalid_client
    ... 

   Now, i try to change the file to a stick table:

backend host1
    ...

    stick-table type ip size 1m store gpc0
    acl block_invalid_client hdr_ip(True-Client-IP) -- { stick match(host1) }
    http-request deny if block_invalid_client
    ...

    But it does not work:

    error detected while parsing ACL 'block_invalid_client' : '{' is not a valid IPv4 or IPv6 address.
    error detected while parsing an 'http-request deny' condition : no such ACL : 'block_invalid_client'.


    Is it possible to match an http header inside an acl to a stick table?

Thanks, 




----- Original Message -----
From: Baptiste 
To: Ricardo Fraile 
CC: "haproxy@formilux.org" 
Sent: Wednesday, May 29, 2013 14:51
Subject: Re: Block clients based on header in real time?

Hi,

With latest HAProxy version, you could use a stick table and insert
IPs in the stick table through HAProxy socket.
Then you can ban all IPs from the stick table.

Baptiste


On Wed, May 29, 2013 at 1:05 PM, Ricardo Fraile  wrote:
> Hello,
>
>
>    I'm looking for a solution for blocking users based on a header, 
>x-forwarded-for. I have yet an acl for this but is it possible to update the 
>list of ips without restart haproxy?
>
>
> Thanks,
>




RES: Help with kQueue

2013-05-30 Thread Fred Pedrisa
# ./haproxy -d -f /proxy/l2cr.cfg -n 8192
Available polling systems :
 kqueue : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result FAILED
Total: 3 (2 usable), will use kqueue.
Using kqueue() as the polling mechanism.

Here is what happens with the latest version, looks like it will use kqueue
!! but select fail ? :D

-----Original Message-----
From: Lukas Tribus [mailto:luky...@hotmail.com] 
Sent: Thursday, May 30, 2013 12:46
To: Fred Pedrisa; haproxy@formilux.org
Subject: RE: Help with kQueue

> # /proxy/haproxy -vv -c -f l2cr.cfg
> Available polling systems :
> kqueue : pref=300,  test result OK

> #proxy/haproxy -V -d -f /proxy/lr.cfg -n 8192
> Available polling systems :
> select : pref=150,  test result OK


You are comparing two different configurations, are you sure none of them
disables poll and kqueue? Can you run:

egrep -i "queue|poll" l2cr.cfg
egrep -i "queue|poll" /proxy/lr.cfg
diff -u l2cr.cfg /proxy/lr.cfg


> 1.4.20

Can you grab the latest tarball at http://haproxy.1wt.eu/, this release is
outdated.



Lukas 




RES: Help with kQueue

2013-05-30 Thread Fred Pedrisa
Hello,

Lr.cfg and l2cr.cfg are both the same files :)

-----Original Message-----
From: Lukas Tribus [mailto:luky...@hotmail.com] 
Sent: Thursday, May 30, 2013 12:46
To: Fred Pedrisa; haproxy@formilux.org
Subject: RE: Help with kQueue

> # /proxy/haproxy -vv -c -f l2cr.cfg
> Available polling systems :
> kqueue : pref=300,  test result OK

> #proxy/haproxy -V -d -f /proxy/lr.cfg -n 8192
> Available polling systems :
> select : pref=150,  test result OK


You are comparing two different configurations, are you sure none of them
disables poll and kqueue? Can you run:

egrep -i "queue|poll" l2cr.cfg
egrep -i "queue|poll" /proxy/lr.cfg
diff -u l2cr.cfg /proxy/lr.cfg


> 1.4.20

Can you grab the latest tarball at http://haproxy.1wt.eu/, this release is
outdated.



Lukas 




RE: Help with kQueue

2013-05-30 Thread Lukas Tribus
> # /proxy/haproxy -vv -c -f l2cr.cfg
> Available polling systems :
> kqueue : pref=300,  test result OK 

> #proxy/haproxy -V -d -f /proxy/lr.cfg -n 8192
> Available polling systems :
> select : pref=150,  test result OK


You are comparing two different configurations, are you sure none of them
disables poll and kqueue? Can you run:

egrep -i "queue|poll" l2cr.cfg
egrep -i "queue|poll" /proxy/lr.cfg
diff -u l2cr.cfg /proxy/lr.cfg


> 1.4.20

Can you grab the latest tarball at http://haproxy.1wt.eu/, this release
is outdated.



Lukas 


Re: upgraded from 1.5dev18-30 to 1.5dev18-50 and it broke my SSL VPN :-(

2013-05-30 Thread shouldbe q931
On Thu, May 30, 2013 at 3:11 PM, Lukas Tribus  wrote:
> Hi Arne,
>
> can you start haproxy with the debug options enabled (-d) and catch the
> output while a request fails?
>
>
> Thanks,
>
> Lukas


I ran "sudo haproxy -d -f /etc/haproxy/haproxy.cfg >> haproxy-d.log
2>&1" to capture the log output, I can't see anything obvious...

I'd rather send the log to you/Willy than send it to the list

Cheers

Arne.



RE: upgraded from 1.5dev18-30 to 1.5dev18-50 and it broke my SSL VPN :-(

2013-05-30 Thread Lukas Tribus
Hi Arne,

can you start haproxy with the debug options enabled (-d) and catch the
output while a request fails?


Thanks,

Lukas 


Re: upgraded from 1.5dev18-30 to 1.5dev18-50 and it broke my SSL VPN :-(

2013-05-30 Thread shouldbe q931
On Thu, May 30, 2013 at 2:53 PM, shouldbe q931  wrote:
> 18-38 is fine, 18-39 it is broken.
>
> 18-39 would be the commit
>
>  
> http://git.1wt.eu/web?p=haproxy.git;a=commit;h=7c41a1b59b005a75914121a604ede449374b8de7
>

working version haproxy -vv

HA-Proxy version 1.5-dev18-38 2013/05/07
Copyright 2000-2013 Willy Tarreau 

Build options :
  TARGET  = linux2628
  CPU = native
  CC  = gcc
  CFLAGS  = -O2 -march=native -g -fno-strict-aliasing
  OPTIONS = USE_LINUX_SPLICE=1 USE_LINUX_TPROXY=1 USE_LIBCRYPT=1
USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.3.4
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1 14 Mar 2012
Running on OpenSSL version : OpenSSL 1.0.1 14 Mar 2012
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.12 2011-01-15
PCRE library supports JIT : no (USE_PCRE_JIT not set)

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

the build options etc on 18-39 are identical

the OS is Ubuntu 12.04.2

Cheers

Arne



Re: upgraded from 1.5dev18-30 to 1.5dev18-50 and it broke my SSL VPN :-(

2013-05-30 Thread shouldbe q931
18-38 is fine, 18-39 it is broken.

18-39 would be the commit

 
http://git.1wt.eu/web?p=haproxy.git;a=commit;h=7c41a1b59b005a75914121a604ede449374b8de7

I've removed the other parts of the config, but the relevant sections
of the haproxy.cfg look like

local@haproxy-2:~$ cat /etc/haproxy/haproxy.cfg

global
        log 127.0.0.1   local0
        log 127.0.0.1   local1 notice
        #log loghost    local0 info
        maxconn 4096
        stats socket /var/run/haproxy.stat mode 600 level admin
        chroot /usr/share/haproxy
        daemon
        #debug
        #quiet

defaults
        mode    http
        contimeout  5000
        clitimeout  36
        srvtimeout  36

frontend sslexplorerHTTP
        mode http
        bind 10.201.253.207:80
        option tcpka
        default_backend BsslexplorerHTTP

frontend sslexplorerHTTPS
        mode http
        bind 10.201.253.207:443 ssl crt /etc/haproxy/ssl.primarydomain.com.crt ciphers RC4:HIGH:!aNULL:!MD5;
        option tcpka
        default_backend BsslexplorerHTTPS

backend BsslexplorerHTTP
        mode http
        option ssl-hello-chk
        option tcpka
        option  persist
        option redispatch
        stick-table type ip size 1024k expire 30m
        stick on src
        server sslexplorer 10.201.253.56 weight 200 check port 443 inter 5000ms rise 3 fall 2

backend BsslexplorerHTTPS
        mode http
        option ssl-hello-chk
        option tcpka
        option  persist
        option redispatch
        stick-table type ip size 1024k expire 30m
        stick on src
        server sslexplorer 10.201.253.56 ssl weight 200 check port 443 inter 5000ms rise 3 fall 2

listen  stats :7000
        stats   enable
        stats   uri /
        option  httpclose
        stats   auth haproxy:haproxy
        stats   admin if TRUE

I don't get much in the way of an error in the SSL Explorer agent
beyond a popup saying "The SSL-Explorer Agent failed connect" and the
web page displays "failed to sync"

Cheers

Arne



Re: upgraded from 1.5dev18-30 to 1.5dev18-50 and it broke my SSL VPN :-(

2013-05-30 Thread shouldbe q931
On Thu, May 30, 2013 at 1:28 PM, Lukas Tribus  wrote:
> Hi Arne!
>
>
>> I'd be very happy to step through individual 1.5dev18 releases after
>> 30 until I find the one that "breaks" SSL Explorer, but I have a
>> slight problem in that I haven't got a clue on how to "check out" each
>> individual release from git.
>
>
> You can use "git bisect" to do this:
> http://webchick.net/node/99
>
>
> Lukas

Hi Lukas,

So to go back to 18-30, should I

make clean
git checkout 9f04853
make TARGET=(etc)
then make install (etc)

Cheers

Arne



RE: upgraded from 1.5dev18-30 to 1.5dev18-50 and it broke my SSL VPN :-(

2013-05-30 Thread Lukas Tribus
Hi Arne!


> I'd be very happy to step through individual 1.5dev18 releases after
> 30 until I find the one that "breaks" SSL Explorer, but I have a
> slight problem in that I haven't got a clue on how to "check out" each
> individual release from git.


You can use "git bisect" to do this:
http://webchick.net/node/99


Lukas 


according to the ciphersuite, ECC-based and RSA-based Certificate use

2013-05-30 Thread Seri
 
Hi,

According to the ciphersuites, I hope to use ECC-based certificate and 
RSA-based  certificate.

This is possible?

Thanks,
seri

upgraded from 1.5dev18-30 to 1.5dev18-50 and it broke my SSL VPN :-(

2013-05-30 Thread shouldbe q931
I run SSL Explorer to provide a secure(ish) method of accessing
internal resources.

I have HAProxy in front of SSL Explorer doing SSL termination (and
limiting the cipher choice to ameliorate BEAST etc).

I upgraded from 1.5dev18-30 to 1.5dev18-50 and the SSL Explorer agent
now fails to connect :-(

I tested bypassing HAProxy and SSL Explorer still works.

I'd be very happy to step through individual 1.5dev18 releases after
30 until I find the one that "breaks" SSL Explorer, but I have a
slight problem in that I haven't got a clue on how to "check out" each
individual release from git.

I appreciate that this is more of a "how to use git" rather than a
HAProxy issue.

Cheers

Arne



RES: Help with kQueue

2013-05-30 Thread Fred Pedrisa
HA-Proxy version 1.4.20 2012/03/10
Copyright 2000-2012 Willy Tarreau 

Build options :
  TARGET  = freebsd
  CPU = generic
  CC  = gcc

Default settings :
  maxconn = 1024, bufsize = 8030, maxrewrite = 1030, maxpollevents = 200

Encrypted password support via crypt(3): no

Available polling systems :
 kqueue : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use kqueue.

Without -d, it doesn't use kQueue either. I used -d just to find out what
was happening.

-----Original Message-----
From: Lukas Tribus [mailto:luky...@hotmail.com] 
Sent: Thursday, May 30, 2013 05:22
To: Fred Pedrisa; haproxy@formilux.org
Subject: RE: Help with kQueue

Hi Fred,


> #proxy/haproxy -V -d -f /proxy/lr.cfg -n 8192
> Available polling systems :
> select : pref=150, test result OK
> kqueue : disabled, test result OK
> poll : disabled, test result OK
> Total: 3 (1 usable), will use select.
> Using select() as the polling mechanism.


Does it work if you omit "-d"?

Can you post the full output of haproxy -vv?
What HAproxy version are you using and how did you compile
it (what USE_FLAGs)?


Lukas 




Re: Block clients based on header in real time?

2013-05-30 Thread Ricardo Fraile
Hello,

   OK, I updated the server to version 1.5, but I have some trouble between 
the stick-table and the acl.

   Before, i had:

listen host1 *:80
    ...
    mode http
    acl block_invalid_client hdr_sub(True-Client-IP) -f true-client-ip.lst
    block if block_invalid_client
    ... 

   Now, i try to change the file to a stick table:

backend host1
    ...

    stick-table type ip size 1m store gpc0
    acl block_invalid_client hdr_ip(True-Client-IP) -- { stick match(host1) }
    http-request deny if block_invalid_client
    ...

    But it does not work:

    error detected while parsing ACL 'block_invalid_client' : '{' is not a valid IPv4 or IPv6 address.
    error detected while parsing an 'http-request deny' condition : no such ACL : 'block_invalid_client'.


    Is it possible to match an http header inside an acl to a stick table?

Thanks, 




----- Original Message -----
From: Baptiste 
To: Ricardo Fraile 
CC: "haproxy@formilux.org" 
Sent: Wednesday, May 29, 2013 14:51
Subject: Re: Block clients based on header in real time?

Hi,

With latest HAProxy version, you could use a stick table and insert
IPs in the stick table through HAProxy socket.
Then you can ban all IPs from the stick table.

Baptiste


On Wed, May 29, 2013 at 1:05 PM, Ricardo Fraile  wrote:
> Hello,
>
>
>    I'm looking for a solution for blocking users based on a header, 
>x-forwarded-for. I have yet an acl for this but is it possible to update the 
>list of ips without restart haproxy?
>
>
> Thanks,
>



Meaning of hrsp_2xx in show stat

2013-05-30 Thread Ashish Jaiswal

Hi All,

I'm trying to collect some statistics of haproxy server. Here is what 
I'm not able to understand.

If possible, can anybody help me out with this?

This is the command which is running and giving stats to collectd, and 
the graphs are generated on graphite.

   " echo 'show stat' | socat - UNIX-CLIENT:$sock "


The problem is that the "rate" is showing something different and the 
hrsp_2xx is showing something different.
Does anyone have any idea how the hrsp_2xx stats are collected from 
haproxy? I mean whether it is per second, hits all through the logs, or 
anything.


This is what it is there in 
http://haproxy.1wt.eu/download/1.4/doc/configuration.txt


# 33. rate: number of sessions per second over last elapsed second
# 39. hrsp_1xx: http responses with 1xx code
# 40. hrsp_2xx: http responses with 2xx code
# 41. hrsp_3xx: http responses with 3xx code
# 42. hrsp_4xx: http responses with 4xx code
# 43. hrsp_5xx: http responses with 5xx code

I can share the script if anybody wants to have a look.







--
- Ashish




RE: Help with kQueue

2013-05-30 Thread Lukas Tribus
Hi Fred,


> #proxy/haproxy -V -d -f /proxy/lr.cfg -n 8192
> Available polling systems :
> select : pref=150, test result OK
> kqueue : disabled, test result OK
> poll : disabled, test result OK 
> Total: 3 (1 usable), will use select. 
> Using select() as the polling mechanism. 


Does it work if you omit "-d"?

Can you post the full output of haproxy -vv?
What HAproxy version are you using and how did you compile
it (what USE_FLAGs)?


Lukas