Re: Haproxy 1.4 url redirection issue

2014-03-03 Thread Neil - HAProxy List
Hello Amol

Here is an example of the sort of thing I use

The 3 important things are
  ServerName https://servicename.domain.com:443
  SetEnv HTTPS on
  UseCanonicalName On


<VirtualHost *:8080>
  ServerName https://servicename.domain.com:443

  ## Vhost docroot
  DocumentRoot /var/www/

  ## Directories, there should at least be a declaration for /var/www

  <Directory /var/www>
    Options Indexes ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
  </Directory>

  ## Logging
  LogLevel warn
  ServerSignature Off


  ## Custom fragment
  # This tricks PHP into believing the script was accessed over SSL
  SetEnv HTTPS on

  DirectoryIndex index.php
  UseCanonicalName On

  ErrorLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_error.log /var/log/apache2/%Y/servicename_error-%Y%m%d.log"

  LogFormat "%h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\"" direct
  LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxied
  # make it always set (Apache takes no trailing comments, so keep this on its own line)
  SetEnvIf Remote_Addr ^ direct
  SetEnvIf X-Forwarded-For ^.*\..*\..*\..* !direct
  SetEnvIf X-Forwarded-For ^.*\..*\..*\..* proxied
  SetEnvIf Request_URI ^/healthcheck$ !direct

  # keep these
  #SetEnvIf Request_URI ^/healthcheck$ !proxied
  CustomLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_directaccess /var/log/apache2/%Y/servicename_directaccess-%Y%m%d.log" direct env=direct
  CustomLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_access /var/log/apache2/%Y/servicename_access-%Y%m%d.log" proxied env=proxied

</VirtualHost>

I like to log traffic from the loadbal separately from traffic from the
public, and I ignore /healthcheck from the loadbal but not from others.
You'll need to tell haproxy to use option forwardfor. I'm also using cronolog.

Neil


On 1 March 2014 15:27, Baptiste bed...@gmail.com wrote:

 Hi

 More chance of getting an answer from Apache 2.2 and WordPress people...

 Baptiste

 On Fri, Feb 28, 2014 at 4:12 PM, Amol mandm_z...@yahoo.com wrote:
  Well, the application behind haproxy in this case is WordPress on
  Apache 2.2; any settings there?
 
 
 
 
  On Friday, February 28, 2014 4:57 AM, Baptiste bed...@gmail.com wrote:
  It may not fix the issue.
  But at least the configuration will do what you expect from it...
 
  That said, the issue may be in the application too :)
  It is commonly seen that applications don't behave properly when SSL
  offloading is enabled in front of them.
 
  Baptiste
 
 
  On Thu, Feb 27, 2014 at 4:16 PM, Amol mandm_z...@yahoo.com wrote:
  Thanks Baptiste, let me give that a try
 
 
 
  On Thursday, February 27, 2014 9:37 AM, Baptiste bed...@gmail.com
 wrote:
  Hi Amol,
 
  There are a few improvements you can do.
  First update your frontend acl to:
   acl host_xx hdr(host) -i xx.com

  then in your backend, this ACL should never match:
   acl login_page url_beg /xyz
  replace url_beg by path_beg.

  Your problem is not there either.
  I think your application server is sending hardcoded data or Location
  headers.
  Analyzing the body of the pages and HAProxy logs may help here.
 
  Baptiste
 
 
 
  On Tue, Feb 25, 2014 at 4:56 PM, Amol mandm_z...@yahoo.com wrote:
  Hi, I am using HA-Proxy version 1.4.12 and I have an issue trying to
  redirect my website to http.

  Requirement: when a user types in http://website_name.com he should
  not be redirected to https://website_name.com. Currently it does that,
  and some of the video links on our main page do not work (basically
  vimeo has http links while our page is https, so it throws a security
  exception).

  At the same time we need users with http://website_name.com/xyz to be
  redirected to https://website_name.com/xyz (this helps users log in to
  the secure application).

  So under my current configuration I cannot get the first part to work;
  basically www.website_name.com works and stays http, but when I type
  http://website_name.com it does a redirection to https.

  frontend http-in
     bind xx.xx.xx.xx:80 name http
     bind 10.xx.xx.xx:8000 name https # forwarded by stunnel

     acl host_xx hdr_beg(host) -i xx.com
     use_backend xx-http if host_xx
     default_backend xx-https

  backend xx-http
     balance roundrobin
     cookie BALANCEID insert indirect nocache
     option http-server-close
     option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
     server xx-app1 xx.xx.xx.xx:80 cookie A check
     server xx-app6 xx.xx.xx.xx:80 cookie B check backup
     acl secure dst_port eq 8000
     acl login_page url_beg  /xyz
     redirect prefix https://xx.com if login_page !secure

  backend xx-https
     mode http
     balance roundrobin
     cookie BALANCEID insert indirect nocache
     option http-server-close
     # option forwardfor except 127.0.0.1
     option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
     server xx-app1 xx.xx.xx.xx:80 cookie s1 weight 1 maxconn 5000 check
   
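The direct/proxied split in Neil's vhost keys on the shape of the X-Forwarded-For header rather than on who sent the request. The following is an added example, not part of Neil's post and not Apache or HAProxy code: it replays that SetEnvIf logic in Python over constructed request records, beside a variant that trusts the header only when the TCP peer is the load balancer. The balancer network 10.0.0.0/24, the client addresses and the request records are assumptions; the header value is taken as HAProxy's option forwardfor would append it.

```python
"""Added example, not from the post: replay the posted SetEnvIf rules that
split Apache logs into 'direct' and 'proxied', beside a variant that only
trusts X-Forwarded-For when the TCP peer is the load balancer.

Assumptions: HAProxy sits in 10.0.0.0/24 and appends the client address with
option forwardfor; all request records below are constructed."""
import re
from ipaddress import ip_address, ip_network

# Same regex as the posted config: "contains at least three dots".
XFF_LOOKS_LIKE_IP = re.compile(r"^.*\..*\..*\..*")

# Assumption: only these networks may legitimately set X-Forwarded-For.
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]


def classify_posted(remote_addr, headers, request_uri):
    """Mirror the SetEnvIf chain from the vhost: the header's shape decides."""
    direct = True                                   # SetEnvIf Remote_Addr ^ direct
    proxied = False
    xff = headers.get("X-Forwarded-For", "")
    if XFF_LOOKS_LIKE_IP.match(xff):
        direct = False                              # ... X-Forwarded-For ... !direct
        proxied = True                              # ... X-Forwarded-For ... proxied
    if request_uri == "/healthcheck":
        direct = False                              # ... Request_URI ^/healthcheck$ !direct
    if proxied:
        return "proxied"
    return "direct" if direct else "none"


def classify_hardened(remote_addr, headers, request_uri):
    """Decide by who the TCP peer is, not by what the header looks like."""
    peer = ip_address(remote_addr)
    from_proxy = any(peer in net for net in TRUSTED_PROXIES)
    if from_proxy and request_uri == "/healthcheck":
        return "none"                               # drop the balancer's own probes
    return "proxied" if from_proxy else "direct"


def client_ip(remote_addr, headers):
    """Address worth logging: the peer, unless a trusted proxy vouches for XFF."""
    if classify_hardened(remote_addr, headers, "/") == "proxied":
        # option forwardfor appends the real client, so take the last entry
        last = headers.get("X-Forwarded-For", "").split(",")[-1].strip()
        try:
            return str(ip_address(last))
        except ValueError:
            pass                                    # malformed header: fall back
    return remote_addr


# Constructed requests: (remote_addr as Apache sees it, headers, URI).
SAMPLES = [
    ("10.0.0.5", {"X-Forwarded-For": "203.0.113.7"}, "/index.php"),    # via HAProxy
    ("10.0.0.5", {"X-Forwarded-For": "203.0.113.7"}, "/healthcheck"),  # balancer probe
    ("198.51.100.9", {}, "/index.php"),                                # direct hit on :8080
    ("198.51.100.9", {"X-Forwarded-For": "127.0.0.1"}, "/index.php"),  # direct, forged XFF
]


def run(samples=SAMPLES):
    """Return (peer, uri, posted verdict, hardened verdict, logged address) per request."""
    return [(peer, uri,
             classify_posted(peer, hdrs, uri),
             classify_hardened(peer, hdrs, uri),
             client_ip(peer, hdrs)) for peer, hdrs, uri in samples]


if __name__ == "__main__":
    for row in run():
        print("%-13s %-12s posted=%-8s hardened=%-8s logged_as=%s" % row)
```

The last row is the one to look at: a client that reached port 8080 directly and sent its own X-Forwarded-For lands in the proxied log under an address it chose, and its real address is never written anywhere. The header-shape rule is only safe when the vhost is reachable from the load balancer alone; the hardened variant logs the peer address unless the peer is a known proxy, and drops /healthcheck only when it comes from the load balancer, which is what the post describes wanting.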

Bonobo: buy 1 pair of jeans, get 10 euros off the 2nd item

2014-03-03 Thread Bonobo par Charles
Title: Untitled document
Click here to read this e-mail in your browser.

Hello $firstname$,

From 25/02 to 09/03 inclusive, take advantage of your jeans offer: buy 1 pair of jeans, get 10 euros off the 2nd item*

WOMEN | MEN | LOOKBOOK | BLOG

FREE DELIVERY AND RETURNS IN STORE | DELIVERY WITHIN 3 DAYS | SECURE PAYMENT | 300 stores in France, find a store | Follow us on:

*The offer "buy 1 pair of jeans, get 10 euros off the 2nd item" is valid from 25/02 to 09/03/2014 inclusive on the Bonobo website and in Bonobo stores (including multi-brand stores). The 10 euro reduction on the 2nd item is conditional on the purchase of a pair of jeans (excluding BNB Limited and Les Limited); the reduction applies to the 2nd item purchased (excluding accessories, Happy Prices, BNB Limited and Les Limited). The offer cannot be combined with any other current promotion, except Blue Card and Opération Recyclage.

In accordance with the French "Informatique et Libertés" law of 6 January 1978, you have the right to access, modify, rectify and delete the data concerning you. To exercise it, write to Bonobo La Moinerie / 10 impasse du Grand Jardin 35400 SAINT-MALO or e-mail serviceclientbnb-inter...@bonoboplanet.fr.

Please add bon...@newsletter.bonoboplanet.com to your address book so that our e-mailings reach your inbox (and not your junk folder).

If you no longer wish to receive offers from us, unsubscribe here.



Bye, bye

2014-03-03 Thread
We are sorry that you decided to opt-out.
We confirm that this email account haproxy@formilux.org has un-subscribed.


Support IP_FREEBIND

2014-03-03 Thread Sander Klein

Hi,

would it be possible to support IP_FREEBIND with HAProxy-1.5 on linux?

I'm asking because nonlocal_bind only works for IPv4 and it seems linux 
upstream does not want to support nonlocal_bind for IPv6.


A thread about this can be found here: 
http://comments.gmane.org/gmane.comp.web.haproxy/7317


Currently I'm binding IP's to a dummy interface so HAProxy can start, 
but this is starting to become a nightmare.


Greets,

Sander



Re: Support IP_FREEBIND

2014-03-03 Thread Sander Klein

On 03.03.2014 14:45, Sander Klein wrote:

Hi,

would it be possible to support IP_FREEBIND with HAProxy-1.5 on linux?

I'm asking because nonlocal_bind only works for IPv4 and it seems
linux upstream does not want to support nonlocal_bind for IPv6.

A thread about this can be found here:
http://comments.gmane.org/gmane.comp.web.haproxy/7317

Currently I'm binding IP's to a dummy interface so HAProxy can start,
but this is starting to become a nightmare.


Replying to myself... I'm probably looking for the 'transparent' option. 
Looking at the docs it seems to do what I want...


Greets,

Sander



RE: Support IP_FREEBIND

2014-03-03 Thread Lukas Tribus
Hi,


 On 03.03.2014 14:45, Sander Klein wrote:
 Hi,

 would it be possible to support IP_FREEBIND with HAProxy-1.5 on linux?

 I'm asking because nonlocal_bind only works for IPv4 and it seems
 linux upstream does not want to support nonlocal_bind for IPv6.

 A thread about this can be found here:
 http://comments.gmane.org/gmane.comp.web.haproxy/7317

 Currently I'm binding IP's to a dummy interface so HAProxy can start,
 but this is starting to become a nightmare.

 Replying to myself... I'm probably looking for the 'transparent' option.
 Looking at the docs it seems to do what I want...

Yes, the transparent option sets IPV6_TRANSPARENT on IPv6 sockets, which
should achieve this.

Please let us know if this works for you; we do IP_FREEBIND only on IPv4,
not on IPv6.

Also, be advised that this is not supported on ancient kernels, support
for those things appeared in 2.6.37. You may want to use a 3.x kernel for
this.



Regards,

Lukas 


[PATCH] MINOR: set IP_FREEBIND on IPv6 sockets in transparent mode

2014-03-03 Thread Lukas Tribus
Let's set IP_FREEBIND on IPv6 sockets as well, this works since Linux 3.3
and doesn't require CAP_NET_ADMIN privileges (IPV6_TRANSPARENT does).

This allows unprivileged users to bind to non-local IPv6 addresses, which
can be useful when setting up the listening sockets or when connecting
to backend servers with a specific, non-local source IPv6 address (at that
point we usually dropped root privileges already).

---

Before this patch an unprivileged bind fails:
setsockopt(5, SOL_IPV6, 0x4b /* IPV6_TRANSPARENT */, [1], 4) = -1 EPERM 
(Operation not permitted)
bind(5, {sa_family=AF_INET6, sin6_port=htons(1080), inet_pton(AF_INET6, 
2005::1, sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 
EADDRNOTAVAIL (Cannot assign requested address)

After the patch:
setsockopt(5, SOL_IPV6, 0x4b /* IPV6_TRANSPARENT */, [1], 4) = -1 EPERM 
(Operation not permitted)
setsockopt(5, SOL_IP, IP_FREEBIND, [1], 4) = 0
bind(5, {sa_family=AF_INET6, sin6_port=htons(1080), inet_pton(AF_INET6, 
2005::1, sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0

---
 src/proto_tcp.c |6 ++
 1 file changed, 6 insertions(+)

diff --git a/src/proto_tcp.c b/src/proto_tcp.c
index 11f6331..2b12ef8 100644
--- a/src/proto_tcp.c
+++ b/src/proto_tcp.c
@@ -160,6 +160,9 @@ int tcp_bind_socket(int fd, int flags, struct 
sockaddr_storage *local, struct so
 #if defined(IPV6_TRANSPARENT)
|| (setsockopt(fd, SOL_IPV6, IPV6_TRANSPARENT, 
one, sizeof(one)) == 0)
 #endif
+#if defined(IP_FREEBIND)
+   || (setsockopt(fd, SOL_IP, IP_FREEBIND, one, 
sizeof(one)) == 0)
+#endif
 #if defined(IPV6_BINDANY)
|| (setsockopt(fd, IPPROTO_IPV6, IPV6_BINDANY, 
one, sizeof(one)) == 0)
 #endif
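Review bot: a successful setsockopt() ends this `||` chain, but for SOL_IP/IP_FREEBIND on an AF_INET6 socket that success only shows the option was accepted, not that bind() will honour it for IPv6, which the commit message itself dates to Linux 3.3; on an older kernel the call can return 0 here while the connect-side bind still fails with EADDRNOTAVAIL as in the "before" strace. Suggest a one-line comment above `#if defined(IP_FREEBIND)` saying the IPv4-level option is deliberately set on the IPv6 socket and needs 3.3 or later, so a later reader does not "correct" it to an IPV6_* option. The `&` missing from `one, sizeof(one)` is also absent from the unchanged context lines, so it is an archiving artefact rather than a patch defect.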
@@ -787,6 +790,9 @@ int tcp_bind_listener(struct listener *listener, char 
*errmsg, int errlen)
 #if defined(IPV6_TRANSPARENT)
 (setsockopt(fd, SOL_IPV6, IPV6_TRANSPARENT, 
one, sizeof(one)) == -1)
 #endif
+#if defined(IP_FREEBIND)
+(setsockopt(fd, SOL_IP, IP_FREEBIND, one, 
sizeof(one)) == -1)
+#endif
 #if defined(IPV6_BINDANY)
 (setsockopt(fd, IPPROTO_IPV6, IPV6_BINDANY, 
one, sizeof(one)) == -1)
 #endif
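Review bot: if, as the per-line `== -1` tests suggest, the listener side AND-s these into one failure condition, then after this hunk the transparent-bind error path is no longer reached on Linux whenever IP_FREEBIND can be set, including on a kernel that accepts the option but ignores it for IPv6 binds (before 3.3 per the commit message); such a user now gets the generic bind() failure instead of the earlier, clearer listener error. Suggest documenting the 3.3 requirement next to the `transparent` bind keyword in doc/configuration.txt as part of this patch, and stating in the commit message that the option is set at SOL_IP level on purpose.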
-- 
1.7.9.5
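To check whether a given host honours the behaviour this patch relies on, here is an added probe, not HAProxy code and not part of Lukas's patch, that repeats the sequence in the strace above from Python as an unprivileged user: a plain bind() to a non-local IPv6 address, then IPV6_TRANSPARENT, then IP_FREEBIND at SOL_IP, then bind() again. The address 2001:db8::1 (RFC 3849 documentation prefix) is assumed not to be configured locally; the option numbers fall back to the Linux values 15 and 75 (0x4b, as in the strace) when the socket module does not export the names.

```python
"""Added probe, not HAProxy code: can an unprivileged process bind a
non-local IPv6 address on this host, and via which socket option?

Assumptions: 2001:db8::1 (RFC 3849 documentation prefix) is not configured
locally; option numbers default to the Linux values when the socket module
does not export the names."""
import errno
import socket

SOL_IP = getattr(socket, "SOL_IP", 0)
SOL_IPV6 = getattr(socket, "IPPROTO_IPV6", 41)
IP_FREEBIND = getattr(socket, "IP_FREEBIND", 15)            # unprivileged
IPV6_TRANSPARENT = getattr(socket, "IPV6_TRANSPARENT", 75)  # needs CAP_NET_ADMIN


def _try(call):
    """Run one socket call; return 0 on success or the errno it failed with."""
    try:
        call()
        return 0
    except OSError as exc:
        return exc.errno


def probe_nonlocal_bind(addr="2001:db8::1", port=0):
    """Replay the sequence from the strace: bind, IPV6_TRANSPARENT,
    IP_FREEBIND at SOL_IP (the level the patch uses), then bind again."""
    try:
        sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError as exc:
        return {"socket": exc.errno}          # no IPv6 sockets at all
    result = {}
    with sock:
        result["bind_plain"] = _try(lambda: sock.bind((addr, port)))
        result["ipv6_transparent"] = _try(
            lambda: sock.setsockopt(SOL_IPV6, IPV6_TRANSPARENT, 1))
        result["ip_freebind"] = _try(
            lambda: sock.setsockopt(SOL_IP, IP_FREEBIND, 1))
        result["bind_after"] = _try(lambda: sock.bind((addr, port)))
    return result


def explain(result):
    """Summarise a probe result as one of a few fixed verdicts."""
    if "socket" in result:
        return "no-ipv6"
    if result["bind_plain"] == 0:
        return "address-is-local"              # probe address is configured here
    if result["bind_after"] != 0:
        return "unsupported"                   # neither option made bind() work
    if result["ipv6_transparent"] == 0:
        return "transparent-ok"                # privileged path succeeded
    return "freebind-ok"                       # unprivileged path succeeded


if __name__ == "__main__":
    res = probe_nonlocal_bind()
    for key, val in res.items():
        print("%-18s %s" % (key, "ok" if val == 0 else errno.errorcode.get(val, val)))
    print("verdict:", explain(res))
```

On Linux 3.3 or later the expected unprivileged result is ipv6_transparent = EPERM, ip_freebind = 0 and bind_after = 0 (verdict freebind-ok). An older kernel can report ip_freebind = 0 but bind_after = EADDRNOTAVAIL, which is why a successful setsockopt() on its own is not a reliable test and the second bind() is the part that matters.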




Re: inspecting incoming tcp content

2014-03-03 Thread PiBa-NL

Hi,

I'm not sure if this is the exact issue that Anup was having, and maybe
I'm hijacking his thread; if so I'm sorry for that, but when trying to
check how it works I'm also having difficulties getting it to work as I
expected it to.


I'm using HAProxy v1.5dev21 on FreeBSD 8.3.

I've written in a frontend the following, which checks for a GET web
request to determine which backend to use; this works:

mode tcp
tcp-request inspect-delay 5s
acl PAYLOADcheck req.payload(0,3) -m bin 474554
use_backend web_80_tcp if PAYLOADcheck
tcp-request content accept if PAYLOADcheck

However when changing the match line to the following it fails:
acl PAYLOADcheck req.payload(0,3) -m str GET
or
acl PAYLOADcheck req.payload(0,3) -m sub GET
or
acl PAYLOADcheck req.payload(0,3) -m reg -i GET

The req.payload returns a piece of 'binary' data, but the 'compatibility 
matrix' seems to say that converting for use with sub/reg/others should 
not be an issue.


Then the next step is of course to not match only the first 3 characters 
but some content further in the 'middle' of the data stream..


Am I missing something? Or might there be an issue with the implementation?

This is currently only for finding if and how that req.payload check can 
be used. Of course using 'mode http' would be much better for this 
purpose when running http traffic, but that isn't the purpose of this 
question..


I've spoken on IRC with mculp, who was trying something similar but
couldn't get it to work either, and seen a previous question
http://comments.gmane.org/gmane.comp.web.haproxy/11942 which seems to
have gone without a final solution as well.


So the question is, is this possible or might there be some issues in 
'converting' the checks?

Thanks for your time.

Greets PiBa-NL

Baptiste wrote on 28-2-2014 10:57:

Hi,

and where is your problem exactly?

Baptiste

On Tue, Feb 25, 2014 at 7:39 AM, anup katariya anup.katar...@gmail.com wrote:

Hi,

I wanted to inspect incoming tcp requests. I wanted to do something like below:

payload(0, 100) match with string like 49=ABC.

Thanks,
Anup








Re: [PATCH] MINOR: set IP_FREEBIND on IPv6 sockets in transparent mode

2014-03-03 Thread Willy Tarreau
On Mon, Mar 03, 2014 at 09:10:51PM +0100, Lukas Tribus wrote:
 Let's set IP_FREEBIND on IPv6 sockets as well, this works since Linux 3.3
 and doesn't require CAP_NET_ADMIN privileges (IPV6_TRANSPARENT does).
 
 This allows unprivileged users to bind to non-local IPv6 addresses, which
 can be useful when setting up the listening sockets or when connecting
 to backend servers with a specific, non-local source IPv6 address (at that
 point we usually dropped root privileges already).

Patch applied, thank you Lukas!

Willy




ENOTCONN from recv() on illumos

2014-03-03 Thread Joshua M. Clulow
Hi folks,

I was testing haproxy-1.5-dev22 on SmartOS (an illumos-based system)
and ran into a problem.  There's a small window after non-blocking
connect() is called, but before the TCP connection is established,
where recv() may return ENOTCONN.  On Linux, the behaviour here seems
to be always to return EAGAIN.  The fix is relatively trivial, and
appears to make haproxy work reliably on current SmartOS (see patch
below).  It's possible that other UNIX platforms exhibit this
behaviour as well.

Does this fix appear to be acceptable?


--- haproxy-1.5-dev22/src/raw_sock.c2014-02-02 23:41:29.0 +
+++ haproxy-1.5-dev22-PATCHED/src/raw_sock.c2014-03-03
21:38:45.23282 +
@@ -309,7 +309,7 @@
else if (ret == 0) {
goto read0;
}
-   else if (errno == EAGAIN) {
+   else if (errno == EAGAIN || errno == ENOTCONN) {
fd_cant_recv(conn-t.sock.fd);
break;
}
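Review bot: the changed condition `else if (errno == EAGAIN || errno == ENOTCONN)` defers every ENOTCONN through fd_cant_recv(), not only the pre-connect window the mail describes, so a recv() that fails with ENOTCONN for any other reason is now treated as "try again later" and relies on the poller reporting the connection error separately; that is consistent with the send()-side change Lukas cites (commit 0ea0cf606e1d), but a one-line comment at the changed line naming the non-blocking connect() window on illumos would keep the two sites self-explanatory. The hunk header `@@ -309,7 +309,7 @@` carries no function name and `conn-t.sock.fd` in the context line has lost its `->` in archiving; harmless for review, but the patch as archived here will not apply verbatim.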


Cheers.

-- 
Joshua M. Clulow
UNIX Admin/Developer
http://blog.sysmgr.org



The management update that will give you - GREAT RESULTS

2014-03-03 Thread Katherine Gonzalez




High-Impact Management Skills
Bogotá, 11, 12 and 13 March 2014

Any company, however extraordinary, can fall. No law of nature guarantees that the most powerful will inevitably stay at the top... but HOW DO THE MIGHTY FALL?

We present an extraordinary seminar to be held in Colombia. Don't miss one of the most interesting events in today's management world!

For more information and early-registration benefits, fill in the following details, without obligation:
- Name:
- Company:
- City:
- Telephone:
- E-mail: haproxy@formilux.org

"Your information will never be shared or sold. We guarantee total confidentiality and privacy of your data."

Call centre: 01 8000 51 30 51, PBX (4) 444 09 18

Important: In compliance with Law 1581 of 2012, we inform you that if you do not wish to receive updated information on the most innovative topics of our training events agenda, you can unsubscribe from these invitations by replying to this e-mail with the subject BAJA. This e-mail cannot be considered intrusive since it complies with international and local anti-spam policies. This e-mail has been sent to: haproxy@formilux.org








RE: ENOTCONN from recv() on illumos

2014-03-03 Thread Lukas Tribus
Hi Joshua,


 Hi folks,

 I was testing haproxy-1.5-dev22 on SmartOS (an illumos-based system)
 and ran into a problem. There's a small window after non-blocking
 connect() is called, but before the TCP connection is established,
 where recv() may return ENOTCONN. On Linux, the behaviour here seems
 to be always to return EAGAIN. The fix is relatively trivial, and
 appears to make haproxy work reliably on current SmartOS (see patch
 below). It's possible that other UNIX platforms exhibit this
 behaviour as well.

 Does this fix appear to be acceptable?

The same thing was already done for send() in commit 0ea0cf606e1d (BUG:
raw_sock: also consider ENOTCONN in addition to EAGAIN) [1].

CC'ing Willy.


Regards,

Lukas


[1] 
http://haproxy.1wt.eu/git?p=haproxy.git;a=commitdiff;h=0ea0cf606e1da866b1c1e1b25dbe3472ccaaa6d8
   


Re: ENOTCONN from recv() on illumos

2014-03-03 Thread Willy Tarreau
Hi guys,

On Tue, Mar 04, 2014 at 12:30:18AM +0100, Lukas Tribus wrote:
 Hi Joshua,
 
 
  Hi folks,
 
  I was testing haproxy-1.5-dev22 on SmartOS (an illumos-based system)
  and ran into a problem. There's a small window after non-blocking
  connect() is called, but before the TCP connection is established,
  where recv() may return ENOTCONN. On Linux, the behaviour here seems
  to be always to return EAGAIN. The fix is relatively trivial, and
  appears to make haproxy work reliably on current SmartOS (see patch
  below). It's possible that other UNIX platforms exhibit this
  behaviour as well.
 
  Does this fix appear to be acceptable?
 
 The same thing was already done for send() in commit 0ea0cf606e1d (BUG:
 raw_sock: also consider ENOTCONN in addition to EAGAIN) [1].
 
 CC'ing Willy.

Good point. I've amended the commit message, applied it and tagged it
for backport to 1.4 as well.

Thanks!
willy




Re: Support IP_FREEBIND

2014-03-03 Thread Willy Tarreau
Hi Sander,

On Mon, Mar 03, 2014 at 04:01:12PM +0100, Lukas Tribus wrote:
 Hi,
 
 
  On 03.03.2014 14:45, Sander Klein wrote:
  Hi,
 
  would it be possible to support IP_FREEBIND with HAProxy-1.5 on linux?
 
  I'm asking because nonlocal_bind only works for IPv4 and it seems
  linux upstream does not want to support nonlocal_bind for IPv6.
 
  A thread about this can be found here:
  http://comments.gmane.org/gmane.comp.web.haproxy/7317
 
  Currently I'm binding IP's to a dummy interface so HAProxy can start,
  but this is starting to become a nightmare.
 
  Replying to myself... I'm probably looking for the 'transparent' option.
  Looking at the docs it seems to do what I want...
 
 Yes, the transparent option sets IPV6_TRANSPARENT on IPv6 sockets, which
 should achieve this.
 
 Please let us know if this works for you; we do IP_FREEBIND only on IPv4,
 not on IPv6.
 
 Also, be advised that this is not supported on ancient kernels, support
 for those things appeared in 2.6.37. You may want to use a 3.x kernel for
 this.

Please test the snapshot from this morning, it contains Lukas' patch.

Willy




Re: inspecting incoming tcp content

2014-03-03 Thread Willy Tarreau
Hi,

On Mon, Mar 03, 2014 at 09:12:27PM +0100, PiBa-NL wrote:
 Hi,
 
 I'm not sure if this is the exact issue that Anup was having, and maybe
 I'm hijacking his thread; if so I'm sorry for that, but when trying to
 check how it works I'm also having difficulties getting it to work as I
 expected it to.
 
 I'm using HAProxy v1.5dev21 on FreeBSD 8.3.
 
 I've written in a frontend the following, which checks for a GET web
 request to determine which backend to use; this works:
 mode tcp
 tcp-request inspect-delay 5s
 acl PAYLOADcheck req.payload(0,3) -m bin 474554
 use_backend web_80_tcp if PAYLOADcheck
 tcp-request content accept if PAYLOADcheck
 
 However when changing the match line to the following it fails:
 acl PAYLOADcheck req.payload(0,3) -m str GET
 or
 acl PAYLOADcheck req.payload(0,3) -m sub GET
 or
 acl PAYLOADcheck req.payload(0,3) -m reg -i GET
 
 The req.payload returns a piece of 'binary' data, but the 'compatibility 
 matrix' seems to say that converting for use with sub/reg/others should 
 not be an issue.
 
 Then the next step is of course to not match only the first 3 characters 
 but some content further in the 'middle' of the data stream..
 
 Am I missing something? Or might there be an issue with the implementation?

What you've done is absolutely correct. It is possible that there's a
bug somewhere in the cast. I'm CCing Thierry who has a pending patch
set of about 50 patches to rework ACLs (merge ACL+map and allow to update
them on-the-fly) to ensure he checks this case.

Thanks,
Willy




Re: weights

2014-03-03 Thread Willy Tarreau
On Sat, Mar 01, 2014 at 11:06:32PM +0530, vijeesh vijayan wrote:
 Thanks. Will share a screenshot shortly. Is roundrobin recommended for MySQL
 also?

What Baptiste is explaining is that leastconn focuses on balancing
the number of established connections and not the cumulated number
of connections. If one server responds slowly and the other responds
fast, the slow one will always have a certain number of open
connections while the fast one will have very few. Thus it is normal
that haproxy will pick the fast one more often than the slow one. And
this is precisely the purpose of leastconn.

Some people use leastconn to avoid servers which are suffering from
some local system perturbations (eg: backups). And in general, what
you're observing means exactly that one server is working much better
than another one.

So round robin will equally distribute the number of requests to your
servers, but will degrade the quality of service since the slow one
will get more requests than right now, and the fast one will remain
mostly idle waiting for the slow one to get its share.

Willy
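As an added illustration of the explanation above (not code from the thread or from HAProxy), this simulation feeds a constructed arrival stream to one fast and one slow server under both algorithms, counting established connections the way leastconn does. The latencies (10 ms and 100 ms), the 5 ms inter-arrival time and the assumption that each server handles its connections concurrently without internal queueing are all assumptions made for the example.

```python
"""Added simulation, not from the thread or from HAProxy: one fast and one
slow server under roundrobin and leastconn.

Assumptions: the fast server answers in 10 ms and the slow one in 100 ms,
requests arrive every 5 ms, and each server handles its connections
concurrently at that fixed latency (no queueing inside the server)."""
import heapq
from collections import Counter

SERVICE_MS = {"fast": 10, "slow": 100}   # assumed per-request latency


def simulate(algo, n_requests=2000, interarrival_ms=5):
    """Return ({server: requests served}, mean response time in ms)."""
    order = sorted(SERVICE_MS)                   # fixed server order, as in a config
    active = {name: 0 for name in order}         # currently established connections
    served = Counter()
    completions = []                             # min-heap of (finish_time, server)
    rr_next = 0
    total_response = 0

    for i in range(n_requests):
        now = i * interarrival_ms
        # connections that finished before this arrival are closed
        while completions and completions[0][0] <= now:
            _, name = heapq.heappop(completions)
            active[name] -= 1

        if algo == "roundrobin":                 # alternate regardless of load
            name = order[rr_next % len(order)]
            rr_next += 1
        elif algo == "leastconn":                # fewest *established* connections
            name = min(order, key=lambda n: active[n])
        else:
            raise ValueError("unknown algorithm: %s" % algo)

        active[name] += 1
        served[name] += 1
        heapq.heappush(completions, (now + SERVICE_MS[name], name))
        total_response += SERVICE_MS[name]

    return dict(served), total_response / n_requests


if __name__ == "__main__":
    for algo in ("roundrobin", "leastconn"):
        served, mean = simulate(algo)
        print("%-10s served=%s mean_response=%.1f ms" % (algo, served, mean))
```

Under roundrobin each server receives 1000 of the 2000 requests and the mean response time is 55 ms. Under leastconn the slow server keeps one connection open almost permanently and is chosen only when it drops back to zero, once per 100 ms, so it serves 100 requests and the mean falls to 14.5 ms; that uneven split is the algorithm working as described, not a weighting error.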