Re: [PATCH] DOC: fix typo in comments

2013-10-01 Thread Willy Tarreau
Hi Godbach,

On Mon, Sep 30, 2013 at 11:23:10AM +0800, Godbach wrote:
> Hi Willy,
> 
> There is a patch to fix typo in comments, please check the attachment
> for your information.
> 
> The commit log is as below:
> 
> commit 9824d1b3740ac2746894f1aa611c795366c84210
> Author: Godbach 
> Date:   Mon Sep 30 11:05:42 2013 +0800
> 
> DOC: fix typo in comments
> 
>   0x2000 -> 0x4000
>   vuf -> buf
>   ethod -> Method
> 
> Signed-off-by: Godbach 

Patch applied, thanks!

Willy




Re: about stats socket per process

2013-10-01 Thread Willy Tarreau
On Mon, Sep 30, 2013 at 04:07:00PM +0400, Avatar wrote:
> I would like to ask you about any prospect of implementing a statistics
> socket for each process in nbproc. Do you have any plans to
> work on it?

It was started a few months ago but ended in a maelstrom where many other
things had to be changed (including the peers to stick table relations).
So for now the work was paused, in the hope of starting again after we finish
the ongoing things.

Willy




Haproxy SSL certificate exception with root

2013-10-01 Thread Matthieu Boret
Hi,

I've set up Haproxy 1.5 dev 19 to handle my http and https traffic.

All works fine except when I request the root URL in https:
https://mydomain.com

My certificate is a wildcard *.mydomain.com

What is the solution to remove this error? A URL rewrite and add www?


My Haproxy configuration:

frontend https-requests
mode http
bind :80
bind :443 ssl crt ./mydomain.pem force-sslv3

acl is_webfront path_reg ^www||^/$(.*)
acl is_api hdr(host) -i api.mydomain.com

use_backend bk_webfront if is_webfront
use_backend bk_api if is_api

default_backend bk_webfront

Thanks


Matthieu


Re: Haproxy SSL certificate exception with root

2013-10-01 Thread David Coulson

You can't just add mydomain.com to the *.mydomain.com certificate?

Not much you can do with HAProxy here. Since the cert is invalid for
https://mydomain.com/, users are going to get an SSL error when they connect.


On 10/1/13 6:51 AM, Matthieu Boret wrote:
> Hi,
>
> I've set up Haproxy 1.5 dev 19 to handle my http and https traffic.
>
> All works fine except when I request the root URL in https:
> https://mydomain.com
>
> My certificate is a wildcard *.mydomain.com
>
> What is the solution to remove this error? A URL rewrite and add www?
>
> My Haproxy configuration:
>
> frontend https-requests
> mode http
> bind :80
> bind :443 ssl crt ./mydomain.pem force-sslv3
>
> acl is_webfront path_reg ^www||^/$(.*)
> acl is_api hdr(host) -i api.mydomain.com
>
> use_backend bk_webfront if is_webfront
> use_backend bk_api if is_api
>
> default_backend bk_webfront
>
> Thanks
>
> Matthieu





Re: Haproxy SSL certificate exception with root

2013-10-01 Thread Jonathan Matthews
On 1 October 2013 11:51, Matthieu Boret  wrote:
> Hi,
>
> I've set up Haproxy 1.5 dev 19 to handle my http and https traffic.
>
> All works fine except when I request the root URL in https:
> https://mydomain.com
>
> My certificate is a wildcard *.mydomain.com

This happens because your wildcard does *not* match your
root/naked/apex/etc domain.

In other words, even though it looks like it might, strictly speaking
a request for "foo.com" is not matched by *.foo.com, so the browser
rejects the cert.

This is a problem commonly experienced when people purchase wildcard
certs from a vendor who hasn't added the root domain to the cert in
the SAN field.

> What is the solution to remove this error?

The solution is to use a correctly set up cert. You need to talk to
your cert provider. They may charge you extra for this.

> A URL rewrite and add www?

As David said, there is nothing that HAProxy can do to help here.

Regards,
Jonathan
-- 
Jonathan Matthews
Oxford, London, UK
http://www.jpluscplusm.com/contact.html
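
The single-label rule Jonathan describes, written out as an added example (not code from the thread or from HAProxy): a hostname matcher applying the browser rule for wildcard certificate names to a constructed SAN list, so the apex-domain failure can be reproduced before a certificate is deployed. The SAN lists are constructed and `name_matches`, `covered` and `report` are this example's own names.

```python
"""Which hostnames does a certificate's name list cover? (added example)"""
import re

# Constructed SAN lists: a wildcard-only certificate, and the fix the
# reply suggests, with the apex domain added as a second name.
WILDCARD_ONLY = ["*.mydomain.com"]
WITH_APEX = ["*.mydomain.com", "mydomain.com"]

_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def _valid_hostname(host: str) -> bool:
    return all(_LABEL.match(lbl) for lbl in host.split("."))


def name_matches(pattern: str, host: str) -> bool:
    """Does one certificate name (dNSName SAN) match the requested host?"""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not _valid_hostname(host):
        return False
    if "*" not in pattern:
        return pattern == host  # plain name: exact, case-insensitive
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Browsers accept a wildcard only as the whole left-most label and
    # only when at least two labels follow it ("*.com" is rejected).
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    # The wildcard stands for exactly one label, never zero and never
    # several: "*.mydomain.com" covers "www.mydomain.com" but neither
    # "mydomain.com" (the case in the thread) nor "a.b.mydomain.com".
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def covered(san_names, host: str) -> bool:
    """True if any name on the certificate matches the requested host."""
    return any(name_matches(n, host) for n in san_names)


def report(san_names, hosts):
    """Map each host to whether the certificate would be accepted for it."""
    return {h: covered(san_names, h) for h in hosts}


if __name__ == "__main__":
    hosts = ["mydomain.com", "www.mydomain.com", "api.mydomain.com",
             "a.b.mydomain.com", "notmydomain.com"]
    for label, sans in (("wildcard only", WILDCARD_ONLY), ("with apex", WITH_APEX)):
        print(label, report(sans, hosts))
```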



server timeouts

2013-10-01 Thread Tom Huybrechts
Hi all,

I'm using haproxy 1.4.23 on Windows Server 2008 to proxy tcp connections to
a single backend server. Usually this is going well, but occasionally a
client has issues: connections get dropped and they are unable to make new
ones.

Investigation of the logs shows server-side timeouts:

[01/Oct/2013:12:06:10.653] binary binary/ 5015/-1/5015 0 sQ 40/33/33/0/0 0/1
[01/Oct/2013:12:06:10.653] binary binary/ 5015/-1/5015 0 sQ 39/32/32/0/0 0/2
[01/Oct/2013:12:06:15.934] binary binary/ 5000/-1/5000 0 sQ 42/36/36/0/0 0/1
[01/Oct/2013:12:06:17.231] binary binary/ 5062/-1/5062 0 sQ 42/36/36/0/0 0/2
[01/Oct/2013:12:06:17.247] binary binary/ 5046/-1/5046 0 sQ 41/35/35/0/0 0/3
[01/Oct/2013:12:06:19.856] binary binary/ 5015/-1/5015 0 sQ 40/34/34/0/0 0/4
[01/Oct/2013:12:06:19.856] binary binary/ 5015/-1/5015 0 sQ 39/33/33/0/0 0/5
[01/Oct/2013:12:06:21.012] binary binary/ 5031/-1/5031 0 sQ 38/32/32/0/0 0/5

I have no idea why: the server is not under heavy load.

I have a wireshark dump of one such occasion. I expected to at least see
SYN packets going from haproxy to server in this timeframe, but there were
none. In the meantime other connections from haproxy to the same server
continued without problems.

Any hints to what's wrong, or what I can do to investigate further?

Tom


Re: server timeouts

2013-10-01 Thread Baptiste
Hi Tom,

Can you share your configuration with us?
HAProxy seems to be queueing the connection (maxconn set to 1??) and
the timeout queue (set to 5s in your case??) has expired so the
connection is not forwarded to the server.

Of course, I want you to send us some comments with your
configuration, we need to understand why you configured your
settings :)

Baptiste



On Tue, Oct 1, 2013 at 2:18 PM, Tom Huybrechts  wrote:
> Hi all,
>
> I'm using haproxy 1.4.23 on Windows Server 2008 to proxy tcp connections to
> a single backend server. Usually this is going well, but occasionally a
> client has issues: connections get dropped and they are unable to make new
> ones.
>
> Investigation of the logs shows server-side timeouts:
>
> [01/Oct/2013:12:06:10.653] binary binary/ 5015/-1/5015 0 sQ 40/33/33/0/0 0/1
> [01/Oct/2013:12:06:10.653] binary binary/ 5015/-1/5015 0 sQ 39/32/32/0/0 0/2
> [01/Oct/2013:12:06:15.934] binary binary/ 5000/-1/5000 0 sQ 42/36/36/0/0 0/1
> [01/Oct/2013:12:06:17.231] binary binary/ 5062/-1/5062 0 sQ 42/36/36/0/0 0/2
> [01/Oct/2013:12:06:17.247] binary binary/ 5046/-1/5046 0 sQ 41/35/35/0/0 0/3
> [01/Oct/2013:12:06:19.856] binary binary/ 5015/-1/5015 0 sQ 40/34/34/0/0 0/4
> [01/Oct/2013:12:06:19.856] binary binary/ 5015/-1/5015 0 sQ 39/33/33/0/0 0/5
> [01/Oct/2013:12:06:21.012] binary binary/ 5031/-1/5031 0 sQ 38/32/32/0/0 0/5
>
> I have no idea why: the server is not under heavy load.
>
> I have a wireshark dump of one such occasion. I expected to at least see SYN
> packets going from haproxy to server in this timeframe, but there were
> none. In the meantime other connections from haproxy to the same server
> continued without problems.
>
> Any hints to what's wrong, or what I can do to investigate further?
>
> Tom
>



Re: server timeouts

2013-10-01 Thread Tom Huybrechts
I have maxconn 256 and timeout 5s.

Full configuration below. I don't think there's anything special about it...

Tom





global
daemon
maxconn 256
log localhost local0

defaults
balance source
log global
option log-separate-errors
option tcplog
mode tcp
timeout connect 5000ms
timeout client 36ms
timeout server 180ms

listen stats :9876
mode http
stats enable
stats uri /

listen dicom_104
bind 10.233.20.140:104
balance roundrobin
server 10.233.20.130 10.233.20.130 maxconn 32 check port 104 inter 2000
server 10.233.23.123 10.233.23.123 maxconn 32 check port 104 inter 2000
listen dicom_105
bind 10.233.20.140:105
balance roundrobin
server 10.233.20.130 10.233.20.130 maxconn 32 check port 105 inter 2000
server 10.233.23.123 10.233.23.123 maxconn 32 check port 105 inter 2000
listen dicom_106
bind 10.233.20.140:106
balance roundrobin
server 10.233.20.130 10.233.20.130 maxconn 32 check port 106 inter 2000
server 10.233.23.123 10.233.23.123 maxconn 32 check port 106 inter 2000
listen dicom_107
bind 10.233.20.140:107
balance roundrobin
server 10.233.20.130 10.233.20.130 maxconn 32 check port 107 inter 2000
server 10.233.23.123 10.233.23.123 maxconn 32 check port 107 inter 2000
listen dicom_108
bind 10.233.20.140:108
balance roundrobin
server 10.233.20.130 10.233.20.130 maxconn 32 check port 108 inter 2000
server 10.233.23.123 10.233.23.123 maxconn 32 check port 108 inter 2000
listen dicom_109
bind 10.233.20.140:109
balance roundrobin
server 10.233.20.130 10.233.20.130 maxconn 32 check port 109 inter 2000
server 10.233.23.123 10.233.23.123 maxconn 32 check port 109 inter 2000

listen hl7_2310
bind 10.233.20.140:2310
balance roundrobin
server 10.233.20.130 10.233.20.130 maxconn 32 check port 2310 inter 2000
server 10.233.23.123 10.233.23.123 maxconn 32 check port 2310 inter 2000
listen hl7_2311
bind 10.233.20.140:2311
balance roundrobin
server 10.233.20.130 10.233.20.130 maxconn 32 check port 2311 inter 2000
server 10.233.23.123 10.233.23.123 maxconn 32 check port 2311 inter 2000
listen hl7_2350
bind 10.233.20.140:2350
balance roundrobin
server 10.233.20.130 10.233.20.130 maxconn 32 check port 2350 inter 2000
server 10.233.23.123 10.233.23.123 maxconn 32 check port 2350 inter 2000
listen hl7_2351
bind 10.233.20.140:2351
balance roundrobin
server 10.233.20.130 10.233.20.130 maxconn 32 check port 2351 inter 2000
server 10.233.23.123 10.233.23.123 maxconn 32 check port 2351 inter 2000
listen hl7_2352
bind 10.233.20.140:2352
balance roundrobin
server 10.233.20.130 10.233.20.130 maxconn 32 check port 2352 inter 2000
server 10.233.23.123 10.233.23.123 maxconn 32 check port 2352 inter 2000
listen hl7_2353
bind 10.233.20.140:2353
balance roundrobin
server 10.233.20.130 10.233.20.130 maxconn 32 check port 2353 inter 2000
server 10.233.23.123 10.233.23.123 maxconn 32 check port 2353 inter 2000
listen hl7_2354
bind 10.233.20.140:2354
balance roundrobin
server 10.233.20.130 10.233.20.130 maxconn 32 check port 2354 inter 2000
server 10.233.23.123 10.233.23.123 maxconn 32 check port 2354 inter 2000
listen hl7_2355
bind 10.233.20.140:2355
balance roundrobin
server 10.233.20.130 10.233.20.130 maxconn 32 check port 2355 inter 2000
server 10.233.23.123 10.233.23.123 maxconn 32 check port 2355 inter 2000
listen hl7_2356
bind 10.233.20.140:2356
balance roundrobin
server 10.233.20.130 10.233.20.130 maxconn 32 check port 2356 inter 2000
server 10.233.23.123 10.233.23.123 maxconn 32 check port 2356 inter 2000
listen hl7_2357
bind 10.233.20.140:2357
balance roundrobin
server 10.233.20.130 10.233.20.130 maxconn 32 check port 2357 inter 2000
server 10.233.23.123 10.233.23.123 maxconn 32 check port 2357 inter 2000
listen hl7_2358
bind 10.233.20.140:2358
balance roundrobin
server 10.233.20.130 10.233.20.130 maxconn 32 check port 2358 inter 2000
server 10.233.23.123 10.233.23.123 maxconn 32 check port 2358 inter 2000
listen hl7_2359
bind 10.233.20.140:2359
balance roundrobin
server 10.233.20.130 10.233.20.130 maxconn 32 check port 2359 inter 2000
server 10.233.23.123 10.233.23.123 maxconn 32 check port 2359 inter 2000
listen hl7_2360
bind 10.233.20.140:2360
balance roundrobin
server 10.233.20.130 10.233.20.130 maxconn 32 check port 2360 inter 2000
server 10.233.23.123 10.233.23.123 maxconn 32 check port 2360 inter 2000
listen hl7_2361
bind 10.233.20.140:2361
balance roundrobin
server 10.233.20.130 10.233.20.130 maxconn 32 check port 2361 inter 2000
server 10.233.23.123 10.233.23.123 maxconn 32 check port 2361 inter 2000

listen collaborator_7070
bind 10.233.20.140:7070
balance roundrobin
server 10.233.20.130 10.233.20.130 maxconn 32 check port 7070 inter 2000
server 

Re: Haproxy SSL certificate exception with root

2013-10-01 Thread Matthieu Boret
Hi David and Jonathan,

Thanks a lot for your help.

Regards,

Matthieu


2013/10/1 Jonathan Matthews 

> On 1 October 2013 11:51, Matthieu Boret  wrote:
> > Hi,
> >
> > I've set up Haproxy 1.5 dev 19 to handle my http and https traffic.
> >
> > All works fine except when I request the root URL in https:
> > https://mydomain.com
> >
> > My certificate is a wildcard *.mydomain.com
>
> This happens because your wildcard does *not* match your
> root/naked/apex/etc domain.
>
> In other words, even though it looks like it might, strictly speaking
> a request for "foo.com" is not matched by *.foo.com, so the browser
> rejects the cert.
>
> This is a problem commonly experienced when people purchase wildcard
> certs from a vendor who hasn't added the root domain to the cert in
> the SaN field.
>
> > What is the solution to remove this error?
>
> The solution is to use a correctly set up cert. You need to talk to
> your cert provider. They may charge you extra for this.
>
> > A URL rewrite and add www?
>
> As David said, there is nothing that HAProxy can do to help here.
>
> Regards,
> Jonathan
> --
> Jonathan Matthews
> Oxford, London, UK
> http://www.jpluscplusm.com/contact.html
>
>


Re: [PATCH] DOC: fix typo in comments

2013-10-01 Thread Godbach

On 2013-10-1 15:49, Willy Tarreau wrote:
> Hi Godbach,
>
> On Mon, Sep 30, 2013 at 11:23:10AM +0800, Godbach wrote:
> > Hi Willy,
> >
> > There is a patch to fix typo in comments, please check the attachment
> > for your information.
> >
> > The commit log is as below:
> >
> > commit 9824d1b3740ac2746894f1aa611c795366c84210
> > Author: Godbach
> > Date:   Mon Sep 30 11:05:42 2013 +0800
> >
> > DOC: fix typo in comments
> >
> >   0x2000 -> 0x4000
> >   vuf -> buf
> >   ethod -> Method
> >
> > Signed-off-by: Godbach
>
> Patch applied, thanks!
>
> Willy




Hi Willy,

It seems that you submitted the whole text of the mail as the commit log to
the git repository.


--
Best Regards,
Godbach




Re: [PATCH] DOC: fix typo in comments

2013-10-01 Thread Willy Tarreau
On Wed, Oct 02, 2013 at 01:08:50AM +0800, Godbach wrote:
> It seems that you submitted the whole text of the mail as the commit log to
> the git repository.

Ah yes, you're right :-)

At the moment I applied it, I was fooled by the subject into thinking
it was just the patch itself. I'll be more careful next time. That's
no big deal anyway, just looks ugly :-)

Cheers,
Willy




Re: [PATCH] DOC: fix typo in comments

2013-10-01 Thread Godbach

On 2013-10-2 1:12, Willy Tarreau wrote:
> On Wed, Oct 02, 2013 at 01:08:50AM +0800, Godbach wrote:
> > It seems that you submitted the whole text of the mail as the commit log to
> > the git repository.
>
> Ah yes, you're right :-)
>
> At the moment I applied it, I was fooled by the subject into thinking
> it was just the patch itself. I'll be more careful next time. That's
> no big deal anyway, just looks ugly :-)
>
> Cheers,
> Willy



I got it. It does not matter. :-)

--
Best Regards,
Godbach




Re: server timeouts

2013-10-01 Thread Baptiste
Hi Tom,

Your global maxconn parameter is not responsible for your issue.
That said, it looks very low, so I recommend increasing it (1000
sounds good to start, depending on your traffic level).

Your server maxconn will queue connections only when a server reaches 32
connections.
Is there any reason why you're using such a low value here as well?
It means the 33rd connection (and the next ones as well) would be
queued on the server for 5s max (timeout queue).
Increasing the timeout queue won't fix the issue, it will only
increase the latency on the client side.
I would recommend increasing the server's maxconn unless you have good
reasons to have such low values. If so, then you'll have to add more
servers in your backend to increase backend capacity.

I also recommend reading HAProxy's documentation related to maxconn.

Baptiste


On Tue, Oct 1, 2013 at 3:28 PM, Tom Huybrechts  wrote:
>
> I have maxconn 256 and timeout 5s.
>
> Full configuration below. I don't think there's anything special about it...
>
> Tom
>
>
>
>
>
> global
> daemon
> maxconn 256
> log localhost local0
>
> defaults
> balance source
> log global
> option log-separate-errors
> option tcplog
> mode tcp
> timeout connect 5000ms
> timeout client 36ms
> timeout server 180ms
>
> listen stats :9876
> mode http
> stats enable
> stats uri /
>
> listen dicom_104
> bind 10.233.20.140:104
> balance roundrobin
> server 10.233.20.130 10.233.20.130 maxconn 32 check port 104 inter 2000
> server 10.233.23.123 10.233.23.123 maxconn 32 check port 104 inter 2000
> listen dicom_105
> bind 10.233.20.140:105
> balance roundrobin
> server 10.233.20.130 10.233.20.130 maxconn 32 check port 105 inter 2000
> server 10.233.23.123 10.233.23.123 maxconn 32 check port 105 inter 2000
> listen dicom_106
> bind 10.233.20.140:106
> balance roundrobin
> server 10.233.20.130 10.233.20.130 maxconn 32 check port 106 inter 2000
> server 10.233.23.123 10.233.23.123 maxconn 32 check port 106 inter 2000
> listen dicom_107
> bind 10.233.20.140:107
> balance roundrobin
> server 10.233.20.130 10.233.20.130 maxconn 32 check port 107 inter 2000
> server 10.233.23.123 10.233.23.123 maxconn 32 check port 107 inter 2000
> listen dicom_108
> bind 10.233.20.140:108
> balance roundrobin
> server 10.233.20.130 10.233.20.130 maxconn 32 check port 108 inter 2000
> server 10.233.23.123 10.233.23.123 maxconn 32 check port 108 inter 2000
> listen dicom_109
> bind 10.233.20.140:109
> balance roundrobin
> server 10.233.20.130 10.233.20.130 maxconn 32 check port 109 inter 2000
> server 10.233.23.123 10.233.23.123 maxconn 32 check port 109 inter 2000
>
> listen hl7_2310
> bind 10.233.20.140:2310
> balance roundrobin
> server 10.233.20.130 10.233.20.130 maxconn 32 check port 2310 inter 2000
> server 10.233.23.123 10.233.23.123 maxconn 32 check port 2310 inter 2000
> listen hl7_2311
> bind 10.233.20.140:2311
> balance roundrobin
> server 10.233.20.130 10.233.20.130 maxconn 32 check port 2311 inter 2000
> server 10.233.23.123 10.233.23.123 maxconn 32 check port 2311 inter 2000
> listen hl7_2350
> bind 10.233.20.140:2350
> balance roundrobin
> server 10.233.20.130 10.233.20.130 maxconn 32 check port 2350 inter 2000
> server 10.233.23.123 10.233.23.123 maxconn 32 check port 2350 inter 2000
> listen hl7_2351
> bind 10.233.20.140:2351
> balance roundrobin
> server 10.233.20.130 10.233.20.130 maxconn 32 check port 2351 inter 2000
> server 10.233.23.123 10.233.23.123 maxconn 32 check port 2351 inter 2000
> listen hl7_2352
> bind 10.233.20.140:2352
> balance roundrobin
> server 10.233.20.130 10.233.20.130 maxconn 32 check port 2352 inter 2000
> server 10.233.23.123 10.233.23.123 maxconn 32 check port 2352 inter 2000
> listen hl7_2353
> bind 10.233.20.140:2353
> balance roundrobin
> server 10.233.20.130 10.233.20.130 maxconn 32 check port 2353 inter 2000
> server 10.233.23.123 10.233.23.123 maxconn 32 check port 2353 inter 2000
> listen hl7_2354
> bind 10.233.20.140:2354
> balance roundrobin
> server 10.233.20.130 10.233.20.130 maxconn 32 check port 2354 inter 2000
> server 10.233.23.123 10.233.23.123 maxconn 32 check port 2354 inter 2000
> listen hl7_2355
> bind 10.233.20.140:2355
> balance roundrobin
> server 10.233.20.130 10.233.20.130 maxconn 32 check port 2355 inter 2000
> server 10.233.23.123 10.233.23.123 maxconn 32 check port 2355 inter 2000
> listen hl7_2356
> bind 10.233.20.140:2356
> balance roundrobin
> server 10.233.20.130 10.233.20.130 maxconn 32 check port 2356 inter 2000
> server 10.233.23.123 10.233.23.123 maxconn 32 check port 2356 inter 2000
> listen hl7_2357
> bind 10.233.20.140:2357
> balance roundrobin
> server 10.233.20.130 10.233.20.130 maxconn 32 check port 2357 inter 2000
> server 10.233.23.123
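
Baptiste's reading of Tom's log lines, as an added example (not code from the thread or from HAProxy): a parser for the HAProxy 1.4 tcplog fields that flags sessions whose termination state is sQ with Tc = -1, i.e. sessions that expired in the queue without a connection attempt ever being made. The 5000 ms threshold follows Tom's `timeout connect`, which HAProxy uses as the queue timeout when no `timeout queue` is set; the third sample line is constructed, and `parse_tcplog`, `is_queue_timeout` and `summarize` are this example's own names.

```python
"""Spot queue timeouts in HAProxy tcplog lines (added example)."""
import re
from dataclasses import dataclass

# tcplog fields: [accept_date] frontend backend/server Tw/Tc/Tt bytes state
#   actconn/feconn/beconn/srv_conn/retries srv_queue/backend_queue
# Tom's excerpt carries no syslog prefix and an empty server field, so the
# pattern is searched rather than anchored and accepts an empty server name.
_LINE = re.compile(
    r"\[(?P<ts>[^\]]+)\] (?P<fe>\S+) (?P<be>[^/ ]+)/(?P<srv>\S*) "
    r"(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tt>-?\d+) (?P<bytes>\d+) (?P<state>\S\S) "
    r"\d+/\d+/(?P<beconn>\d+)/\d+/\d+ \d+/(?P<beq>\d+)\s*$"
)


@dataclass
class TcpLogEntry:
    ts: str
    backend: str
    server: str         # "" here; HAProxy writes "<NOSRV>" when none was chosen
    tw: int             # ms spent waiting in queues
    tc: int             # ms to connect to the server, -1 if never attempted
    tt: int             # total session time in ms
    state: str          # two-character termination state, "--" for a clean close
    beconn: int         # concurrent backend connections when logged
    backend_queue: int  # sessions queued on the backend ahead of this one


def parse_tcplog(line: str):
    """Return a TcpLogEntry, or None when the line is not a tcplog record."""
    m = _LINE.search(line)
    if not m:
        return None
    return TcpLogEntry(m["ts"], m["be"], m["srv"], int(m["tw"]), int(m["tc"]),
                       int(m["tt"]), m["state"], int(m["beconn"]), int(m["beq"]))


def is_queue_timeout(e: TcpLogEntry, timeout_queue_ms: int) -> bool:
    """'s' = server-side timeout, 'Q' = session was sitting in a queue;
    Tc == -1 confirms no connection to the server was ever attempted."""
    return e.state == "sQ" and e.tc == -1 and e.tw >= timeout_queue_ms


def summarize(lines, timeout_queue_ms: int = 5000) -> dict:
    """Per backend: queue timeouts, peak backend queue depth and peak beconn."""
    out = {}
    for e in filter(None, map(parse_tcplog, lines)):
        s = out.setdefault(e.backend, {"queue_timeouts": 0, "max_backend_queue": 0, "max_beconn": 0})
        s["queue_timeouts"] += int(is_queue_timeout(e, timeout_queue_ms))
        s["max_backend_queue"] = max(s["max_backend_queue"], e.backend_queue)
        s["max_beconn"] = max(s["max_beconn"], e.beconn)
    return out


# Two lines from Tom's excerpt plus one constructed healthy line for contrast.
SAMPLE = [
    "[01/Oct/2013:12:06:10.653] binary binary/ 5015/-1/5015 0 sQ 40/33/33/0/0 0/1",
    "[01/Oct/2013:12:06:21.012] binary binary/ 5031/-1/5031 0 sQ 38/32/32/0/0 0/5",
    "[01/Oct/2013:12:06:22.100] binary binary/srv1 0/1/812 2048 -- 30/25/25/12/0 0/0",
]
```

Running `summarize(SAMPLE)` reports two queue timeouts on backend `binary` with a peak backend queue of 5, the pattern Baptiste points at; a `beconn` of 33 against a per-server `maxconn` of 32 is what puts the 33rd connection into that queue.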

Re: Can haproxy ACL on cookie -contents-?

2013-10-01 Thread Baptiste
Hi Dave,

Well, you have more efficient ACLs in the latest HAProxy version:
acl shard5 cook(userState) ND

Baptiste

On Fri, Sep 27, 2013 at 8:34 PM, Dave Shevett  wrote:
> Oops, answering my own question here... we figured it out.  The
> expression looks like this:
>
> acl shard5 hdr_reg(Cookie) userState=ND
>
> That'll use a back end called 'shard5' if there's a userState cookie
> with the value ND
>
> On 9/27/13 1:31 PM, Dave Shevett wrote:
>> I've seen a couple posts (here and on stackoverflow) on checking to see
>> if a cookie exists, and setting an ACL based on that, but not what value
>> it has.
>>
>> Am I going to need to use a regexp to parse a header cookie line?  (I
>> want to say 'if a cookie has value x, use backend x, if it has value y,
>> use backend y).
>>
>> Thanks!
>>
>> -d
>
>
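
The difference between the two ACLs in this thread, as an added example (not code from the thread or from HAProxy): a small Cookie-header parser that compares a substring regex over the raw header, as `hdr_reg(Cookie) userState=ND` does, with an exact comparison of the named cookie, as `cook(userState) ND` does. The headers in `SAMPLES` are constructed and all function names are this example's own.

```python
"""Exact cookie match versus a regex over the raw Cookie header (added example)."""
import re


def parse_cookie_header(header: str) -> dict:
    """Split a Cookie header into name -> list of values; a name sent twice
    keeps both values so a check can look at every occurrence."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies.setdefault(name, []).append(value)
    return cookies


def acl_hdr_reg(header: str, pattern: str = r"userState=ND") -> bool:
    """Mirrors hdr_reg(Cookie): an unanchored, case-sensitive regex over the
    whole header string, so any substring that happens to fit is enough."""
    return re.search(pattern, header) is not None


def acl_cook(header: str, name: str = "userState", value: str = "ND") -> bool:
    """Mirrors cook(<name>) with its default exact string match: only the
    cookie with exactly this name, compared as a whole value. Accepting a
    match on any same-named occurrence is this example's own choice."""
    return value in parse_cookie_header(header).get(name, [])


# Constructed Cookie headers: the intended case, then look-alikes that a
# substring regex routes to shard5 but an exact cookie match does not.
SAMPLES = {
    "session=abc; userState=ND": (True, True),   # the case Dave meant
    "userState=NDX": (True, False),               # value only starts with ND
    "otheruserState=ND": (True, False),           # different cookie name
    "userState=XND": (False, False),              # neither matches
    "lastUserState=ND": (False, False),           # regex is case-sensitive
}


def compare(header: str) -> tuple:
    """(hdr_reg result, cook result) for one Cookie header."""
    return acl_hdr_reg(header), acl_cook(header)


def all_samples_behave_as_annotated() -> bool:
    return all(compare(h) == expected for h, expected in SAMPLES.items())


if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{h!r:32} hdr_reg={compare(h)[0]!s:5} cook={compare(h)[1]!s:5}")
```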