Goodbye from our Newsletter

2014-02-28 Thread Tu Informe
  
  Goodbye from our Newsletter, sorry to see you go.

  You have been unsubscribed from our newsletters.

  This is the last email you will receive from us. Our newsletter system,
phpList,
  will refuse to send you any further messages, without manual intervention
by our administrator.

  If there is an error in this information, you can re-subscribe:
  please go to http://tuinforme.com.ar/lists/?p=subscribe and follow the
steps.

  Thank you
  
  




Bytes In Per Second

2014-02-28 Thread Fred Pedrisa
Hello, Guys !

 

I would like to know if there is a possibility to add a counter for the
number of packets/requests/streams per second like we do with bytes per
second for in/out to haproxy !

 

If so it would be very cool !

 

Fred



Everything You Need to Know about the NIIF Conversion Process

2014-02-28 Thread Katherine gonzalez

Everything You Need to Know about the NIIF Conversion Process
Medellín 18 - Bogotá 20 March 2014

  NIIF are high-quality standards required globally for the preparation of
  accounting records, and their adoption in Colombia is mandatory for every
  legal or natural person required to keep and present accounting records.
  For this reason, we present this course, which will prepare you for the
  recognition, measurement and presentation of the information to be
  disclosed under these standards, information that is highly necessary for
  the finance areas and other functional areas of the company.

  To learn more and obtain the early-registration benefits, fill in the
  following details without obligation:
  -Name: -Company: -City: -Telephone: -E-mail: haproxy@formilux.org

  "Your information will never be shared or sold. We guarantee total
  confidentiality and privacy of your data."

  Call centre: 01 8000 51 30 51, PBX (4) 444 09 18

  Important: In compliance with Law 1581 of 2012, we would like to inform
  you that if you do not wish to receive updated information on the most
  innovative topics in our schedule of training events, you can unsubscribe
  from these invitations by replying to this email with the subject Quit.
  Unsubscription may take up to 48 hours. This email cannot be considered
  intrusive, as it complies with international and local anti-spam policies.
  This email was sent to: haproxy@formilux.org








invite me to your site

2014-02-28 Thread Edgar

Hello
I am Edgar, the Virtual Salesman.
I am a tireless worker and I have your interests at heart.
I am waiting for you on the site www.formilux.org.
Join me now and I will explain what I can do for you!
See you right away.

To stop receiving this email, follow this link



















AW: AW: Keeping statistics after a reload

2014-02-28 Thread Andreas Mock
Thank you both for answering.

Have a nice weekend
Andreas Mock


From: Patrick Hemmer [mailto:hapr...@stormcloud9.net]
Sent: Friday, 28 February 2014 17:24
To: haproxy@formilux.org
Subject: Re: AW: Keeping statistics after a reload

I have seen feature requests in the past that when haproxy reloads, to pull the 
health status of the servers so that haproxy knows their state without having 
to health check them. Willy has said he liked the idea 
(http://marc.info/?l=haproxy&m=139064677914723). If this gets implemented, it 
would probably be a minor detail to not only dump the up/down state, but all 
stats.

-Patrick



From: PiBa-NL 
Sent: 2014-02-28 11:15:19 E
To: Andreas Mock , 
haproxy@formilux.org 

Subject: Re: AW: Keeping statistics after a reload

Hi Andreas,

It's not like your question was wrong, but probably there is no good/satisfying 
short answer to this, and it was overrun by other mails...

As far as I know it is not possible to keep this kind of information persisted in 
haproxy itself when a config restart is needed.

The -sf only makes sure old connections will nicely be closed when they are 
'done'.

I have 'heard' of statistics gathering tools that use the haproxy unix stats 
socket to query the stats and store the information in a separate database that 
way you could get continued statistics after the config is changed.. I don't 
have any examples on how to do this or have a name of such a tool in mind 
though.. Though googling for "haproxy monitoring" quickly shows some commercial 
tools that have haproxy plugins and probably would provide answers to the 
questions you have.

Maybe others on the list do use programs/scripts/tools to also keep 
historical/cumulative data for haproxy and can share their experience with it?

Greets PiBa-NL

Andreas Mock wrote on 28-2-2014 16:33:

Hi all,

the list is normally really responsive. In this case nobody
gave an answer. So, I don't know whether my question was such a
stupid one that nobody wanted to answer.

So, I bring it up again in the hope someone is answering:
Is there a way to reload the configuration without losing
current statistics? Or is this conceptually not possible?

Best regards
Andreas Mock

-Original Message-
From: Andreas Mock [mailto:andreas.m...@drumedar.de]
Sent: Monday, 24 February 2014 16:36
To: haproxy@formilux.org
Subject: Keeping statistics after a reload

Hi all,

is there a way to reload a haproxy config without resetting the
statistics shown on the stats page?

I used

haproxy -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid)

to make such a reload. But after that all statistics are reset.

Best regards
Andreas Mock






Re: AW: Keeping statistics after a reload

2014-02-28 Thread Patrick Hemmer
I have seen feature requests in the past that when haproxy reloads, to
pull the health status of the servers so that haproxy knows their state
without having to health check them. Willy has said he liked the idea
(http://marc.info/?l=haproxy&m=139064677914723). If this gets
implemented, it would probably be a minor detail to not only dump the
up/down state, but all stats.

-Patrick




*From: *PiBa-NL 
*Sent: * 2014-02-28 11:15:19 E
*To: *Andreas Mock , haproxy@formilux.org

*Subject: *Re: AW: Keeping statistics after a reload

> Hi Andreas,
>
> It's not like your question was wrong, but probably there is no
> good/satisfying short answer to this, and it was overrun by other
> mails...
>
> As far as I know it is not possible to keep this kind of information
> persisted in haproxy itself when a config restart is needed.
>
> The -sf only makes sure old connections will nicely be closed when
> they are 'done'.
>
> I have 'heard' of statistics gathering tools that use the haproxy unix
> stats socket to query the stats and store the information in a
> separate database that way you could get continued statistics after
> the config is changed.. I don't have any examples on how to do this or
> have a name of such a tool in mind though.. Though googling for
> "haproxy monitoring" quickly shows some commercial tools that have
> haproxy plugins and probably would provide answers to the questions
> you have.
>
> Maybe others on the list do use programs/scripts/tools to also keep
> historical/cumulative data for haproxy and can share their experience
> with it?
>
> Greets PiBa-NL
>
> Andreas Mock wrote on 28-2-2014 16:33:
>> Hi all,
>>
>> the list is normally really responsive. In this case nobody
>> gave an answer. So, I don't know whether my question was such a
>> stupid one that nobody wanted to answer.
>>
>> So, I bring it up again in the hope someone is answering:
>> Is there a way to reload the configuration without losing
>> current statistics? Or is this conceptually not possible?
>>
>> Best regards
>> Andreas Mock
>>
>> -Original Message-
>> From: Andreas Mock [mailto:andreas.m...@drumedar.de]
>> Sent: Monday, 24 February 2014 16:36
>> To: haproxy@formilux.org
>> Subject: Keeping statistics after a reload
>>
>> Hi all,
>>
>> is there a way to reload a haproxy config without resetting the
>> statistics shown on the stats page?
>>
>> I used
>>
>> haproxy -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid)
>>
>> to make such a reload. But after that all statistics are reset.
>>
>> Best regards
>> Andreas Mock
>>
>>
>>
>
>



Re: FW: SSL OCSP Stapling

2014-02-28 Thread Julien Vehent
Firefox will most likely move to OCSP stapling only in the next 3 to 6 
months. Classic OCSP is too slow, and too error prone.


We've been working with Riverbed to deploy OCSP Stapling on Stingray 
(formerly Zeus) load balancer. They have a solid implementation that can 
be used as a reference. I'd love to see OCSP Stapling in HAProxy, 
because that's a big performance win, but I don't know how hard it would 
be to implement. However, I know a few people in the Firefox security 
team who would be happy to help with design & QA (myself included).


Here's a sample OCSP response from one of our sites:

$ openssl s_client -connect monitor.mozillalabs.com:443 -status

CONNECTED(0003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = GeoTrust SSL CA
verify return:1
depth=0 serialNumber = 8DZwltU1cw7OP-08XVgEwK/bh8Icw4zX, C = US, ST = 
California, L = Mountain View, O = Mozilla Corporation, OU = Mozilla 
Labs, CN = *.mozillalabs.com

verify return:1
OCSP response:
==
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = "GeoTrust, Inc.", CN = GeoTrust SSL 
OCSP-TGV Responder

Produced At: Feb 22 10:39:04 2014 GMT
Responses:
Certificate ID:
  Hash Algorithm: sha1
  Issuer Name Hash: 3F9B7E858F6044D7D54161744EEB6CEB808629D2
  Issuer Key Hash: 4279541B61CD552B3E63D53C4857F59FFB45CE4A
  Serial Number: 02567C
Cert Status: good
This Update: Feb 22 10:39:04 2014 GMT
Next Update: Mar  1 10:39:04 2014 GMT

Signature Algorithm: sha1WithRSAEncryption
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 148819 (0x24553)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA
Validity
Not Before: May 28 17:35:51 2013 GMT
Not After : May 27 17:35:51 2014 GMT
Subject: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL OCSP-TGV 
Responder

Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:

keyid:42:79:54:1B:61:CD:55:2B:3E:63:D5:3C:48:57:F5:9F:FB:45:CE:4A


OCSP No Check:

X509v3 Extended Key Usage:
OCSP Signing
X509v3 Key Usage: critical
Digital Signature
X509v3 Subject Alternative Name:
DirName:/CN=2048-TGV-333
Signature Algorithm: sha1WithRSAEncryption
 30:0c:30:4e:a2:e8:8d:68:88:f9:93:41:6c:3e:4b:19:ef:42:
 23:72:fe:64:81:21:ad:5c:1a:51:62:f7:9a:2c:f8:ad:85:b5:
 49:c3:ad:0f:b8:70:41:fd:1d:db:18:68:9c:8f:64:4e:f1:18:
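
A freshness check for a stapled response like the sample above, as an added example that is not part of the original post: it parses the text `openssl s_client -status` prints and reports whether a staple is present, good and inside its This Update / Next Update window. The function names, the clock-skew allowance and the abbreviated sample text (built from the fields shown in the post) are assumptions of this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the fields from the output quoted in the post,
# abbreviated to the lines this check reads.
SAMPLE_STAPLED = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Produced At: Feb 22 10:39:04 2014 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Serial Number: 02567C
    Cert Status: good
    This Update: Feb 22 10:39:04 2014 GMT
    Next Update: Mar  1 10:39:04 2014 GMT
"""

# What s_client prints when the server staples nothing.
SAMPLE_NO_STAPLE = "OCSP response: no response sent\n"


def _field(output, name):
    """Return the value of the first 'name: value' line, or None."""
    pattern = r"^[ \t]*" + re.escape(name) + r":[ \t]*(.*?)[ \t]*$"
    m = re.search(pattern, output, re.M)
    return m.group(1) if m else None


def _when(value):
    """Parse OpenSSL's 'Mar  1 10:39:04 2014 GMT' timestamps as UTC."""
    value = " ".join(value.split())  # the day of month may be space-padded
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)


def check_staple(output, now, skew=timedelta(minutes=5)):
    """Classify the stapled OCSP response found in s_client output."""
    status = _field(output, "OCSP Response Status")
    if status is None:
        return "no-staple"              # server sent no OCSP response
    if not status.startswith("successful"):
        return "responder-error"        # e.g. tryLater, unauthorized
    if _field(output, "Cert Status") != "good":
        return "not-good"               # revoked or unknown
    this_update = _field(output, "This Update")
    next_update = _field(output, "Next Update")
    if this_update is None or next_update is None:
        return "no-validity-window"
    if _when(this_update) - skew > now:
        return "not-yet-valid"
    if now >= _when(next_update) + skew:
        return "stale"                  # staple was not refreshed in time
    return "ok"


if __name__ == "__main__":
    at = datetime(2014, 2, 28, 12, 0, tzinfo=timezone.utc)
    print(check_staple(SAMPLE_STAPLED, at))
    print(check_staple(SAMPLE_NO_STAPLE, at))
```

A load balancer that staples has to refresh the response before Next Update; run against live `s_client` output on a schedule, a "stale" or "no-staple" result is the signal that the refresh has stopped working.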

Re: AW: Keeping statistics after a reload

2014-02-28 Thread PiBa-NL

Hi Andreas,

It's not like your question was wrong, but probably there is no 
good/satisfying short answer to this, and it was overrun by other mails...


As far as I know it is not possible to keep this kind of information 
persisted in haproxy itself when a config restart is needed.


The -sf only makes sure old connections will nicely be closed when they 
are 'done'.


I have 'heard' of statistics gathering tools that use the haproxy unix 
stats socket to query the stats and store the information in a separate 
database that way you could get continued statistics after the config is 
changed.. I don't have any examples on how to do this or have a name of 
such a tool in mind though.. Though googling for "haproxy monitoring" 
quickly shows some commercial tools that have haproxy plugins and 
probably would provide answers to the questions you have.


Maybe others on the list do use programs/scripts/tools to also keep 
historical/cumulative data for haproxy and can share their experience 
with it?


Greets PiBa-NL

Andreas Mock wrote on 28-2-2014 16:33:

Hi all,

the list is normally really responsive. In this case nobody
gave an answer. So, I don't know whether my question was such a
stupid one that nobody wanted to answer.

So, I bring it up again in the hope someone is answering:
Is there a way to reload the configuration without losing
current statistics? Or is this conceptually not possible?

Best regards
Andreas Mock

-Original Message-
From: Andreas Mock [mailto:andreas.m...@drumedar.de]
Sent: Monday, 24 February 2014 16:36
To: haproxy@formilux.org
Subject: Keeping statistics after a reload

Hi all,

is there a way to reload a haproxy config without resetting the
statistics shown on the stats page?

I used

haproxy -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid)

to make such a reload. But after that all statistics are reset.

Best regards
Andreas Mock
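
One way to build the kind of collector described above, as an added example (not from the original post or from the HAProxy project): it reads `show stat` from the stats socket and keeps running totals that survive a reload by treating a counter that goes backwards as a restart. The socket path, the class and function names and the abbreviated CSV samples are assumptions of this example.

```python
import csv
import io
import socket

# Cumulative counters from the "show stat" CSV worth carrying across reloads.
COUNTERS = ("stot", "bin", "bout", "eresp")

# Constructed samples: real output has many more columns per row.
HEADER = "# pxname,svname,scur,stot,bin,bout,eresp,\n"
BEFORE_RELOAD = HEADER + ("web,app1,3,1000,50000,900000,141,\n"
                          "web,app2,1,800,40000,700000,138,\n")
AFTER_RELOAD = HEADER + ("web,app1,1,20,900,15000,2,\n"
                         "web,app2,0,15,700,12000,0,\n")
LATER = HEADER + ("web,app1,2,50,2000,40000,5,\n"
                  "web,app2,1,40,1800,30000,1,\n")


def query_show_stat(path="/var/run/haproxy.stat"):
    """Send "show stat" to the stats socket and return the CSV text.

    The path is an assumption: it must match the "stats socket" line
    in the global section of haproxy.cfg.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)
        sock.sendall(b"show stat\n")
        chunks = []
        while True:
            data = sock.recv(65536)
            if not data:            # haproxy closes after one command
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", "replace")


def parse_show_stat(text):
    """Return {(pxname, svname): {counter: int}} from "show stat" output."""
    if text.startswith("# "):       # the header line is prefixed with "# "
        text = text[2:]
    sample = {}
    for row in csv.DictReader(io.StringIO(text)):
        values = {}
        for name in COUNTERS:
            raw = row.get(name)
            if raw:                 # some fields are empty for some row types
                values[name] = int(raw)
        sample[(row["pxname"], row["svname"])] = values
    return sample


class CumulativeStats:
    """Running totals that keep growing when haproxy's counters restart."""

    def __init__(self):
        self.last = {}      # last raw value per (proxy, server, counter)
        self.totals = {}    # accumulated value per (proxy, server, counter)

    def update(self, sample):
        for key, values in sample.items():
            for name, value in values.items():
                k = key + (name,)
                prev = self.last.get(k)
                if prev is None or value < prev:
                    # First sighting, or the counter went backwards: the new
                    # process started from zero, so all of `value` is new.
                    # Traffic between the last poll and the reload is lost,
                    # and a reset goes unnoticed if the new counter overtakes
                    # the old value before the next poll, so poll often.
                    delta = value
                else:
                    delta = value - prev
                self.totals[k] = self.totals.get(k, 0) + delta
                self.last[k] = value
        return self.totals


def demo():
    """Feed the three constructed polls through the accumulator."""
    stats = CumulativeStats()
    for text in (BEFORE_RELOAD, AFTER_RELOAD, LATER):
        stats.update(parse_show_stat(text))
    return stats.totals


if __name__ == "__main__":
    for key, total in sorted(demo().items()):
        print(key, total)
```

In a real collector, `update(parse_show_stat(query_show_stat()))` would run on a timer and `totals` would be written to the external database mentioned in the post.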








AW: Keeping statistics after a reload

2014-02-28 Thread Andreas Mock
Hi all,

the list is normally really responsive. In this case nobody
gave an answer. So, I don't know whether my question was such a
stupid one that nobody wanted to answer.

So, I bring it up again in the hope someone is answering:
Is there a way to reload the configuration without losing
current statistics? Or is this conceptually not possible?

Best regards
Andreas Mock

-Original Message-
From: Andreas Mock [mailto:andreas.m...@drumedar.de]
Sent: Monday, 24 February 2014 16:36
To: haproxy@formilux.org
Subject: Keeping statistics after a reload

Hi all,

is there a way to reload a haproxy config without resetting the
statistics shown on the stats page?

I used

haproxy -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid)

to make such a reload. But after that all statistics are reset.

Best regards
Andreas Mock





Re: Haproxy 1.4 url redirection issue

2014-02-28 Thread Amol
well the application behind haproxy in this case is wordpress on apache2.2, any 
settings there?





On Friday, February 28, 2014 4:57 AM, Baptiste  wrote:
 
It may not fix the issue.
But at least the configuration will do what you expect from it...

That said, the issue may be in the application too :)
It is commonly seen that applications don't behave properly when SSL
offloading is enabled in front of them.

Baptiste



On Thu, Feb 27, 2014 at 4:16 PM, Amol  wrote:
> Thanks Baptiste, let me give that a try
>
>
>
> On Thursday, February 27, 2014 9:37 AM, Baptiste  wrote:
> Hi Amol,
>
> There are a few improvements you can do.
> First update your frontend acl to:
>   acl host_xx hdr(host) -i xx.com
>
> then in your backend, this ACL should never match: "acl login_page
> url_beg  /xyz"
> replace url_beg by path_beg.
>
> Your problem is not there as well.
> I think your application server is sending hardcoded data or Location
> headers.
> analyzing the body of the pages and HAProxy logs may help here.
>
> Baptiste
>
>
>
> On Tue, Feb 25, 2014 at 4:56 PM, Amol  wrote:
>> Hi i am using HA-Proxy version 1.4.12 and i have an issue trying to
>> redirect
>> my website to "http"
>> requirement : when a user types in http://.com he should not
>> be redirected to https://.com
>> currently it does that and some of the video links on our main page do not
>> work (basically vimeo has http links while our page is https so it throws
>> a
>> security exception)
>>
>> at the same time we need users with http://.com/xyz to be
>> redirected to https://.com/xyz (this helps users login to
>> secure application)
>>
>> so under my current configurations i cannot get the first part to work,
>> basically (www..com works and stays http but when i type
>> http://.com it does a redirection to https)
>>
>> frontend http-in
>>        bind xx.xx.xx.xx:80 name http
>>        bind 10.xx.xx.xx:8000 name https # forwarded by stunnel
>>
>>        acl host_xx hdr_beg(host) -i xx.com
>>        use_backend xx-http if host_xx
>>        default_backend xx-https
>>
>> backend xx-http
>>        balance roundrobin
>>        cookie BALANCEID insert indirect nocache
>>        option http-server-close
>>        option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
>>        server xx-app1 xx.xx.xx.xx:80 cookie A check
>>        server xx-app6 xx.xx.xx.xx:80 cookie B check backup
>>        acl secure dst_port eq 8000
>>        acl login_page url_beg  /xyz
>>        redirect prefix https://xx.com if login_page !secure
>>
>> backend xx-https
>>        mode http
>>        balance roundrobin
>>        cookie BALANCEID insert indirect nocache
>>        option http-server-close
>>        # option forwardfor except 127.0.0.1
>>        option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
>>        server xx-app1 xx.xx.xx.xx:80 cookie s1 weight 1 maxconn 5000 check
>>        server xx-app6 xx.xx.xx.xx:80 cookie s2 weight 1 maxconn 5000 check
>> backup
>>
>> any suggestions?
>>
>
>
>

Re: Haproxy 1.4 url redirection issue

2014-02-28 Thread Amol
could it also be due to the apache settings on the application server where i 
have "setenv HTTPS on" ?



here is a snippet from my apache2 default.conf file


    ServerAdmin webmaster@localhost

    DocumentRoot /var/www
    
        Options FollowSymLinks
        AllowOverride All
    
    
        setenv HTTPS on
        Options FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    




On Friday, February 28, 2014 4:55 AM, Baptiste  wrote:
 
It may not fix the issue.
But at least the configuration will do what you expect from it...

That said, the issue may be in the application too :)
It is commonly seen that applications don't behave properly when SSL
offloading is enabled in front of them.

Baptiste



On Thu, Feb 27, 2014 at 4:16 PM, Amol  wrote:
> Thanks Baptiste, let me give that a try
>
>
>
> On Thursday, February 27, 2014 9:37 AM, Baptiste  wrote:
> Hi Amol,
>
> There are a few improvements you can do.
> First update your frontend acl to:
>   acl host_xx hdr(host) -i xx.com
>
> then in your backend, this ACL should never match: "acl login_page
> url_beg  /xyz"
> replace url_beg by path_beg.
>
> Your problem is not there as well.
> I think your application server is sending hardcoded data or Location
> headers.
> analyzing the body of the pages and HAProxy logs may help here.
>
> Baptiste
>
>
>
> On Tue, Feb 25, 2014 at 4:56 PM, Amol  wrote:
>> Hi i am using HA-Proxy version 1.4.12 and i have an issue trying to
>> redirect
>> my website to "http"
>> requirement : when a user types in http://.com he should not
>> be redirected to https://.com
>> currently it does that and some of the video links on our main page do not
>> work (basically vimeo has http links while our page is https so it throws
>> a
>> security exception)
>>
>> at the same time we need users with http://.com/xyz to be
>> redirected to https://.com/xyz (this helps users login to
>> secure application)
>>
>> so under my current configurations i cannot get the first part to work,
>> basically (www..com works and stays http but when i type
>> http://.com it does a redirection to https)
>>
>> frontend http-in
>>        bind xx.xx.xx.xx:80 name http
>>        bind 10.xx.xx.xx:8000 name https # forwarded by stunnel
>>
>>        acl host_xx hdr_beg(host) -i xx.com
>>        use_backend xx-http if host_xx
>>        default_backend xx-https
>>
>> backend xx-http
>>        balance roundrobin
>>        cookie BALANCEID insert indirect nocache
>>        option http-server-close
>>        option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
>>        server xx-app1 xx.xx.xx.xx:80 cookie A check
>>        server xx-app6 xx.xx.xx.xx:80 cookie B check backup
>>        acl secure dst_port eq 8000
>>        acl login_page url_beg  /xyz
>>        redirect prefix https://xx.com if login_page !secure
>>
>> backend xx-https
>>        mode http
>>        balance roundrobin
>>        cookie BALANCEID insert indirect nocache
>>        option http-server-close
>>        # option forwardfor except 127.0.0.1
>>        option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
>>        server xx-app1 xx.xx.xx.xx:80 cookie s1 weight 1 maxconn 5000 check
>>        server xx-app6 xx.xx.xx.xx:80 cookie s2 weight 1 maxconn 5000 check
>> backup
>>
>> any suggestions?
>>
>
>
>

[no subject]

2014-02-28 Thread DeMarco, Alex
unsubscribe


Re: reqrep with a match/backref into Host: header?

2014-02-28 Thread Baptiste
Hi Philipp,

You can't do this in current HAProxy.
That said, it may happen soon, since you can already use some
header values in the http-request rules:
IE:
http-request redirect code 301 location www.%[hdr(host)]%[req.uri]
unless { hdr_beg(host) -i www }

Note: I tried to use this syntax with reqirep and it does not work ;)

Baptiste

On Fri, Feb 28, 2014 at 12:35 PM, Philipp
 wrote:
> Hi,
>
> current functional setup:
> frontend f
> acl ssfc_dev hdr(host) -m str dev.example.com
> acl ssfc_img hdr(host) -m str img.example.com
> [..]
> reqrep ^GET[\ \t]*/(.*) GET\ /dev.example.com/\1 if ssfc_dev
> reqrep ^GET[\ \t]*/(.*) GET\ /img.example.com/\1 if ssfc_img
>
> the backend webserver treats that accordingly.
> So far so good.. but given that this list will grow over time, it'll be a
> bit of a pain to manage this.
>
> Is there any way to make that happen by dynamic matches instead of a 1:1
> acl/reqrep pairing?
> Generating such a config isn't that much of a problem, but it lacks elegancy
> in my eyes ;-)
>
> TIA
>



Re: 1.5-dev22 crash with kernel messages, 1.4.18 is fine

2014-02-28 Thread Thomas Heil

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi,

On 28.02.2014 01:33, Federico Iezzi wrote:
> Guys we fix these problems using a kernel >= 3.8
> With Ubuntu 12.04.4 we are using Kernel 3.8 and 3.11 from Canonical
official repository with out any issue. With 3.5 and stock 3.2 we had a
lot trouble.
I can confirm that 3.4.80+ is running fine even with grsec.
>
> Regards,
> Federico
> On 27 Feb 2014, at 13:01, Sander Klein
wrote:
>
>> Hi,
>>
>> I can confirm that using grsec kernel with haproxy can sometimes be a
bit tricky.
>>
>> For instance, 3.2.54 with grsec crashes with me after ~8 hours while
3.2.55 and 3.2.52 with grsec do not. Kernels with grsec just need more
testing because their stability can vary.
>>
>> Greets,
>>
>> Sander
>>
>>
>> On 27.02.2014 11:29, Cedric Maion wrote:
>>> I agree that it does indeed look like a kernel issue (in the intel eth
>>> driver?), however 1.5 is doing something new that triggers this.
>>> Any idea of a significant 1.4 -> 1.5 change that can affect what is
>>> happening in the kernel?
>>> This kernel is indeed not the stock Ubuntu kernel, but the default one
>>> provided by the hosting company (OVH in that case)... I would really
>>> like not having to recompile the kernel and play too much with the
>>> production environment (sadly this issue never popped in my dev & lab
>>> environments).
>>> So any haproxy related idea would be very welcome...!
>>> On Thu, Feb 27, 2014 at 11:06:38AM +0100, Lukas Tribus wrote:
 Hi,
> Just upgraded a production node from 1.4.18 to 1.5-dev22.
> Ran fine for a couple of minutes then crashed with the following
kernel
> messages:
>
> WARNING: at mm/page_alloc.c:2107 __alloc_pages_nodemask+0x1fd/0x790()
> Hardware name: X9SRE/X9SRE-3F/X9SRi/X9SRi-3F
> Pid: 23190, comm: haproxy Not tainted 3.2.13-grsec--grs-ipv6-64 #1
> Call Trace:
> [] ? __alloc_pages_nodemask+0x1fd/0x790
> [] warn_slowpath_common+0x7b/0xc0
> [] warn_slowpath_null+0x15/0x20
> [] __alloc_pages_nodemask+0x1fd/0x790
 That's definitely a kernel issue.
 Are you building your own kernel? That doesn't look like the default
 Ubuntu kernel.
 I would suggest to upgrade your kernel to 3.2.55 (of course use an
 updated grsec patch as well). If that doesn't fix the issue, try
 vanilla 3.2.55 (no grsec).
 If the issue persists, report it upstream (either to lkml/netdev or
 grsec, depending whether the vanilla 3.2.55 has the issue or not).
 Regards,
 Lukas
>>
>
>
>






reqrep with a match/backref into Host: header?

2014-02-28 Thread Philipp

Hi,

current functional setup:
frontend f
acl ssfc_dev hdr(host) -m str dev.example.com
acl ssfc_img hdr(host) -m str img.example.com
[..]
reqrep ^GET[\ \t]*/(.*) GET\ /dev.example.com/\1 if ssfc_dev
reqrep ^GET[\ \t]*/(.*) GET\ /img.example.com/\1 if ssfc_img

the backend webserver treats that accordingly.
So far so good.. but given that this list will grow over time, it'll be 
a bit of a pain to manage this.


Is there any way to make that happen by dynamic matches instead of a 
1:1 acl/reqrep pairing?
Generating such a config isn't that much of a problem, but it lacks 
elegancy in my eyes ;-)


TIA



Re: inspecting incoming tcp content

2014-02-28 Thread Baptiste
Hi,

and where is your problem exactly?

Baptiste

On Tue, Feb 25, 2014 at 7:39 AM, anup katariya  wrote:
> Hi,
>
> I wanted to inspect incoming tcp request. I wanted to something like below
>
> payload(0, 100) match with string like 49=ABC.
>
> Thanks,
> Anup
>
>
>



Re: HAproxy native SSL production release plans

2014-02-28 Thread Baptiste
Hi Phil,

Let's say soon :)
Sooner than ever!
We've never been so close to 1.5
It is a question of a very few weeks.

At haproxy Tech (haproxy.com) we use it in our appliances for a long
time, it is stable enough.

Baptiste


On Wed, Feb 26, 2014 at 5:58 AM, Phil Ayres  wrote:
> I'm looking to release a new set of servers in the next month or so, and I'm 
> wondering if there are plans to release HAproxy with SSL support in a 
> production supported version any time soon?
>
> I see there have been several updates to the current dev line since SSL was 
> released, so I'm keeping my fingers crossed.
>
> I understand you can't commit to anything, but a quick idea of a release 
> timeframe would be great.
>
> Many thanks,
> Phil



Re: Haproxy 1.4 url redirection issue

2014-02-28 Thread Baptiste
It may not fix the issue.
But at least the configuration will do what you expect from it...

That said, the issue may be in the application too :)
It is commonly seen that applications don't behave properly when SSL
offloading is enabled in front of them.

Baptiste


On Thu, Feb 27, 2014 at 4:16 PM, Amol  wrote:
> Thanks Baptiste, let me give that a try
>
>
>
> On Thursday, February 27, 2014 9:37 AM, Baptiste  wrote:
> Hi Amol,
>
> There are a few improvements you can do.
> First update your frontend acl to:
>   acl host_xx hdr(host) -i xx.com
>
> then in your backend, this ACL should never match: "acl login_page
> url_beg  /xyz"
> replace url_beg by path_beg.
>
> Your problem is not there as well.
> I think your application server is sending hardcoded data or Location
> headers.
> analyzing the body of the pages and HAProxy logs may help here.
>
> Baptiste
>
>
>
> On Tue, Feb 25, 2014 at 4:56 PM, Amol  wrote:
>> Hi i am using HA-Proxy version 1.4.12 and i have an issue trying to
>> redirect
>> my website to "http"
>> requirement : when a user types in http://.com he should not
>> be redirected to https://.com
>> currently it does that and some of the video links on our main page do not
>> work (basically vimeo has http links while our page is https so it throws
>> a
>> security exception)
>>
>> at the same time we need users with http://.com/xyz to be
>> redirected to https://.com/xyz (this helps users login to
>> secure application)
>>
>> so under my current configurations i cannot get the first part to work,
>> basically (www..com works and stays http but when i type
>> http://.com it does a redirection to https)
>>
>> frontend http-in
>>        bind xx.xx.xx.xx:80 name http
>>        bind 10.xx.xx.xx:8000 name https # forwarded by stunnel
>>
>>        acl host_xx hdr_beg(host) -i xx.com
>>        use_backend xx-http if host_xx
>>        default_backend xx-https
>>
>> backend xx-http
>>        balance roundrobin
>>        cookie BALANCEID insert indirect nocache
>>        option http-server-close
>>        option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
>>        server xx-app1 xx.xx.xx.xx:80 cookie A check
>>        server xx-app6 xx.xx.xx.xx:80 cookie B check backup
>>        acl secure dst_port eq 8000
>>        acl login_page url_beg  /xyz
>>        redirect prefix https://xx.com if login_page !secure
>>
>> backend xx-https
>>        mode http
>>        balance roundrobin
>>        cookie BALANCEID insert indirect nocache
>>        option http-server-close
>>        # option forwardfor except 127.0.0.1
>>        option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
>>        server xx-app1 xx.xx.xx.xx:80 cookie s1 weight 1 maxconn 5000 check
>>        server xx-app6 xx.xx.xx.xx:80 cookie s2 weight 1 maxconn 5000 check
>> backup
>>
>> any suggestions?
>>
>
>
>



Re: Haproxy

2014-02-28 Thread Baptiste
Hi,

You can also move the mouse on the number itself.
A tooltip will be printed with some details.

Baptiste


On Thu, Feb 27, 2014 at 8:26 PM, Lukas Tribus  wrote:
> Hi.
>
>
>> Hello, I have installed haproxy 1.4.23 on CentOS 6.3. And I can see
>> the haproxy stats through WEB, but I don't know the meaning of 'Resp' (in the
>> following picture). What does it mean?
>
> It's the "eresp" column in the csv output and means "response errors" on
> the server side. It also includes "srv_abrt" (number of data transfers
> aborted by the server).
>
> If you look at the csv output, you can check if the errors are coming
> from srv_abrt or not.
>
>
>
>> 141,138,209,1971 is the meaning
>> of there are 141,138,209,1971 response errors on each server? Or it
>> means there are 141,138,209,1971 response errors on each server since
>> the haproxy service started? In simple, the value means how many
>> response errors per second, or it's an aggregate value?
>
> It's the amount of errors per server since haproxy was started.
>
>
>
> Regards,
>
> Lukas



Re: weights

2014-02-28 Thread Baptiste
Hi,

this may be due to your load-balancing algorithm and the speed of your servers.
leastconn applies to currently established connections, not to number
of connections established per second.

could you enable haproxy stats page and share with us (or with me directly) a
screenshot of it?

You could give a try to 'balance roundrobin' and see what happens.

Baptiste


On Fri, Feb 28, 2014 at 9:41 AM, vijeesh vijayan
 wrote:
> we are using haproxy (1.4) to distribute traffic to 30 of our db nodes.
> we are facing an issue with weights.
>
> sample configs
>
> =
> defaults
> mode   tcp
> retries 2
> option redispatch
> maxconn 256000
> timeout connect 10s
> timeout client 10s
> timeout server 10s
>
>
> log global
>
> option dontlognull
>
>
>
> listen newone :4000
> mode tcp
>
> balance leastconn
> option mysql-check user abcd
>
>
> serverx.x.x.3:3306   weight 125   check inter 3s  rise 2  fall 2
>
> server y.com   x.x.x.4:3306   weight 12   check inter 3s  rise 2 fall 2
> server y.com   x.x.x.4:3306   weight 12   check inter 3s  rise 2 fall 2
> =
>
>
>  issue is we are getting only 150qps on server x.com even with weight 125.
>
> but on y.com we are getting 500qps with a weight of 12 , but mentioned
> twice.
>
>
> can you explain why it is so?
>
>
>
> --
> =
> Vijeesh K
> "The temptation to quit will be greatest just before you are about to
> succeed"



weights

2014-02-28 Thread vijeesh vijayan
we are using haproxy (1.4) to distribute traffic to 30 of our db nodes.
we are facing an issue with weights.

sample configs

=
defaults
mode   tcp
retries 2
option redispatch
maxconn 256000
timeout connect 10s
timeout client 10s
timeout server 10s


log global

option dontlognull



listen newone :4000
mode tcp

balance leastconn
option mysql-check user abcd


serverx.x.x.3:3306   weight 125   check inter 3s  rise 2  fall 2

server y.com   x.x.x.4:3306   weight 12   check inter 3s  rise 2 fall 2
server y.com   x.x.x.4:3306   weight 12   check inter 3s  rise 2 fall 2
=


 issue is we are getting only 150qps on server x.com even with weight 125.

but on y.com we are getting 500qps with a weight of 12 , but mentioned
twice.


can you explain why it is so?


-- 
=
Vijeesh K
"The temptation to quit will be greatest just before you are about to
succeed"