Re: Haproxy 1.4 url redirection issue
Hello Amol

Here is an example of the sort of thing I use. The 3 important things are:

ServerName https://servicename.domain.com:443
SetEnv HTTPS on
UseCanonicalName On

<VirtualHost *:8080>
  ServerName https://servicename.domain.com:443

  ## Vhost docroot
  DocumentRoot /var/www/

  ## Directories, there should at least be a declaration for /var/www
  <Directory /var/www>
    Options Indexes ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
  </Directory>

  ## Logging
  LogLevel warn
  ServerSignature Off

  ## Custom fragment
  # This tricks PHP into believing the script was accessed over SSL
  SetEnv HTTPS on
  DirectoryIndex index.php
  UseCanonicalName On

  ErrorLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_error.log /var/log/apache2/%Y/servicename_error-%Y%m%d.log"

  LogFormat "%h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\"" direct
  LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxied

  # make it always set
  SetEnvIf Remote_Addr ^ direct
  SetEnvIf X-Forwarded-For ^.*\..*\..*\..* !direct
  SetEnvIf X-Forwarded-For ^.*\..*\..*\..* proxied
  # keep these
  SetEnvIf Request_URI ^/healthcheck$ !direct
  SetEnvIf Request_URI ^/healthcheck$ !proxied

  CustomLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_directaccess /var/log/apache2/%Y/servicename_directaccess-%Y%m%d.log" direct env=direct
  CustomLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_access /var/log/apache2/%Y/servicename_access-%Y%m%d.log" proxied env=proxied
</VirtualHost>

I like to log traffic from the loadbal separately to traffic from the public, and I ignore /healthcheck from the loadbal but not from others.

You'll need to tell haproxy to option forwardfor.

Also using cronolog.

Neil

On 1 March 2014 15:27, Baptiste bed...@gmail.com wrote:

Hi

More chance to get an answer from Apache 2.2 and wordpress people...

Baptiste

On Fri, Feb 28, 2014 at 4:12 PM, Amol mandm_z...@yahoo.com wrote:

well the application behind haproxy in this case is wordpress on apache2.2, any settings there?
On Friday, February 28, 2014 4:57 AM, Baptiste bed...@gmail.com wrote:

It may not fix the issue. But at least the configuration will do what you expect from it... That said, the issue may be in the application too :)
It is commonly seen that applications don't behave properly when SSL offloading is enabled in front of them.

Baptiste

On Thu, Feb 27, 2014 at 4:16 PM, Amol mandm_z...@yahoo.com wrote:

Thanks Baptiste, let me give that a try

On Thursday, February 27, 2014 9:37 AM, Baptiste bed...@gmail.com wrote:

Hi Amol,

There are a few improvements you can do.
First update your frontend acl to:
    acl host_xx hdr(host) -i xx.com
then in your backend, this ACL should never match:
    acl login_page url_beg /xyz
replace url_beg by path_beg.

Your problem is not there as well. I think your application server is sending hardcoded data or Location headers. Analyzing the body of the pages and HAProxy logs may help here.

Baptiste

On Tue, Feb 25, 2014 at 4:56 PM, Amol mandm_z...@yahoo.com wrote:

Hi, I am using HA-Proxy version 1.4.12 and I have an issue trying to redirect my website to http.

Requirement: when a user types in http://website_name.com he should not be redirected to https://website_name.com. Currently it does that, and some of the video links on our main page do not work (basically vimeo has http links while our page is https, so it throws a security exception). At the same time we need users with http://website_name.com/xyz to be redirected to https://website_name.com/xyz (this helps users login to the secure application).

So under my current configuration I cannot get the first part to work; basically www.website_name.com works and stays http, but when I type http://website_name.com it does a redirection to https.

frontend http-in
    bind xx.xx.xx.xx:80 name http
    bind 10.xx.xx.xx:8000 name https # forwarded by stunnel
    acl host_xx hdr_beg(host) -i xx.com
    use_backend xx-http if host_xx
    default_backend xx-https

backend xx-http
    balance roundrobin
    cookie BALANCEID insert indirect nocache
    option http-server-close
    option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
    server xx-app1 xx.xx.xx.xx:80 cookie A check
    server xx-app6 xx.xx.xx.xx:80 cookie B check backup
    acl secure dst_port eq 8000
    acl login_page url_beg /xyz
    redirect prefix https://xx.com if login_page !secure

backend xx-https
    mode http
    balance roundrobin
    cookie BALANCEID insert indirect nocache
    option http-server-close
    # option forwardfor except 127.0.0.1
    option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
    server xx-app1 xx.xx.xx.xx:80 cookie s1 weight 1 maxconn 5000 check
Support IP_FREEBIND
Hi,

would it be possible to support IP_FREEBIND with HAProxy-1.5 on linux? I'm asking because nonlocal_bind only works for IPv4 and it seems linux upstream does not want to support nonlocal_bind for IPv6. A thread about this can be found here: http://comments.gmane.org/gmane.comp.web.haproxy/7317

Currently I'm binding IP's to a dummy interface so HAProxy can start, but this is starting to become a nightmare.

Greets,
Sander
Re: Support IP_FREEBIND
On 03.03.2014 14:45, Sander Klein wrote:

Hi,

would it be possible to support IP_FREEBIND with HAProxy-1.5 on linux? I'm asking because nonlocal_bind only works for IPv4 and it seems linux upstream does not want to support nonlocal_bind for IPv6. A thread about this can be found here: http://comments.gmane.org/gmane.comp.web.haproxy/7317

Currently I'm binding IP's to a dummy interface so HAProxy can start, but this is starting to become a nightmare.

Replying to myself... I'm probably looking for the 'transparent' option. Looking at the docs it seems to do what I want...

Greets,
Sander
RE: Support IP_FREEBIND
Hi,

On 03.03.2014 14:45, Sander Klein wrote:

Hi,

would it be possible to support IP_FREEBIND with HAProxy-1.5 on linux? I'm asking because nonlocal_bind only works for IPv4 and it seems linux upstream does not want to support nonlocal_bind for IPv6. A thread about this can be found here: http://comments.gmane.org/gmane.comp.web.haproxy/7317

Currently I'm binding IP's to a dummy interface so HAProxy can start, but this is starting to become a nightmare.

Replying to myself... I'm probably looking for the 'transparent' option. Looking at the docs it seems to do what I want...

Yes, the transparent option sets IPV6_TRANSPARENT on IPv6 sockets, which should achieve this. Please let us know if this works for you; we do IP_FREEBIND only on IPv4, not on IPv6.

Also, be advised that this is not supported on ancient kernels; support for those things appeared in 2.6.37. You may want to use a 3.x kernel for this.

Regards,
Lukas
[PATCH] MINOR: set IP_FREEBIND on IPv6 sockets in transparent mode
Lets set IP_FREEBIND on IPv6 sockets as well, this works since Linux 3.3 and doesn't require CAP_NET_ADMIN privileges (IPV6_TRANSPARENT does). This allows unprivileged users to bind to non-local IPv6 addresses, which can be useful when setting up the listening sockets or when connecting to backend servers with a specific, non-local source IPv6 address (at that point we usually dropped root privileges already). --- Before this patch an unprivileged bind fails: setsockopt(5, SOL_IPV6, 0x4b /* IPV6_TRANSPARENT */, [1], 4) = -1 EPERM (Operation not permitted) bind(5, {sa_family=AF_INET6, sin6_port=htons(1080), inet_pton(AF_INET6, 2005::1, sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EADDRNOTAVAIL (Cannot assign requested address) After the patch: setsockopt(5, SOL_IPV6, 0x4b /* IPV6_TRANSPARENT */, [1], 4) = -1 EPERM (Operation not permitted) setsockopt(5, SOL_IP, IP_FREEBIND, [1], 4) = 0 bind(5, {sa_family=AF_INET6, sin6_port=htons(1080), inet_pton(AF_INET6, 2005::1, sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0 --- src/proto_tcp.c |6 ++ 1 file changed, 6 insertions(+) diff --git a/src/proto_tcp.c b/src/proto_tcp.c index 11f6331..2b12ef8 100644 --- a/src/proto_tcp.c +++ b/src/proto_tcp.c @@ -160,6 +160,9 @@ int tcp_bind_socket(int fd, int flags, struct sockaddr_storage *local, struct so #if defined(IPV6_TRANSPARENT) || (setsockopt(fd, SOL_IPV6, IPV6_TRANSPARENT, one, sizeof(one)) == 0) #endif +#if defined(IP_FREEBIND) + || (setsockopt(fd, SOL_IP, IP_FREEBIND, one, sizeof(one)) == 0) +#endif #if defined(IPV6_BINDANY) || (setsockopt(fd, IPPROTO_IPV6, IPV6_BINDANY, one, sizeof(one)) == 0) #endif 
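Review bot: the new `|| (setsockopt(fd, SOL_IP, IP_FREEBIND, one, sizeof(one)) == 0)` in the tcp_bind_socket hunk deserves a one-line comment above its `#if defined(IP_FREEBIND)` block saying that SOL_IP/IP_FREEBIND is intentionally applied to an AF_INET6 socket (supported since Linux 3.3, no CAP_NET_ADMIN needed), otherwise a later reader will take it for a copy-paste of the IPv4 branch. The placement itself is right: it is only reached when IPV6_TRANSPARENT failed, so a privileged process behaves as before, and on a pre-3.3 kernel the call fails on an IPv6 socket and the `||` chain falls through to IPV6_BINDANY exactly as it did without the patch.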
@@ -787,6 +790,9 @@ int tcp_bind_listener(struct listener *listener, char *errmsg, int errlen) #if defined(IPV6_TRANSPARENT) (setsockopt(fd, SOL_IPV6, IPV6_TRANSPARENT, one, sizeof(one)) == -1) #endif +#if defined(IP_FREEBIND) +(setsockopt(fd, SOL_IP, IP_FREEBIND, one, sizeof(one)) == -1) +#endif #if defined(IPV6_BINDANY) (setsockopt(fd, IPPROTO_IPV6, IPV6_BINDANY, one, sizeof(one)) == -1) #endif -- 1.7.9.5
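Review bot: the tcp_bind_listener hunk changes what the `transparent` bind option does for IPv6 listeners on Linux 3.3 and later (a non-local bind now succeeds for an unprivileged process, as the strace in the commit message shows), but the patch touches only src/proto_tcp.c; the `transparent` keyword description in the configuration documentation should get a sentence stating the IPv6 behaviour and the 3.3 kernel requirement so users do not rely on it on older kernels. The condition is otherwise consistent with the first hunk: IP_FREEBIND is tried only after IPV6_TRANSPARENT returned -1, and IPV6_BINDANY remains the last resort.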
Re: inspecting incoming tcp content
Hi,

I'm not sure if this is the exact issue that Anup was having, and maybe I'm hijacking his thread; if so I'm sorry for that, but when trying to check how it works I am also having difficulties getting it to work as I expected it to.

I'm using HAProxy v1.5dev21 on FreeBSD 8.3.

I've written in a frontend the following, which checks for a GET web request to determine which backend to use; this works:

mode tcp
tcp-request inspect-delay 5s
acl PAYLOADcheck req.payload(0,3) -m bin 474554
use_backend web_80_tcp if PAYLOADcheck
tcp-request content accept if PAYLOADcheck

However when changing the match line to the following it fails:

acl PAYLOADcheck req.payload(0,3) -m str GET
or
acl PAYLOADcheck req.payload(0,3) -m sub GET
or
acl PAYLOADcheck req.payload(0,3) -m reg -i GET

The req.payload returns a piece of 'binary' data, but the 'compatibility matrix' seems to say that converting for use with sub/reg/others should not be an issue.

Then the next step is of course to not match only the first 3 characters but some content further in the 'middle' of the data stream..

Am I missing something? Or might there be an issue with the implementation?

This is currently only for finding if and how that req.payload check can be used. Of course using 'mode http' would be much better for this purpose when running http traffic, but that isn't the purpose of this question..

I've spoken on irc with mculp who was trying something similar but couldn't get it to work either, and seen a previous question http://comments.gmane.org/gmane.comp.web.haproxy/11942 which seems to have gone without a final solution as well.

So the question is, is this possible or might there be some issues in 'converting' the checks?

Thanks for your time.

Greets
PiBa-NL

Baptiste schreef op 28-2-2014 10:57:

Hi,

and where is your problem exactly?

Baptiste

On Tue, Feb 25, 2014 at 7:39 AM, anup katariya anup.katar...@gmail.com wrote:

Hi,

I wanted to inspect incoming tcp request.

I wanted to do something like below: payload(0, 100) match with a string like 49=ABC.

Thanks,
Anup
Re: [PATCH] MINOR: set IP_FREEBIND on IPv6 sockets in transparent mode
On Mon, Mar 03, 2014 at 09:10:51PM +0100, Lukas Tribus wrote:

Lets set IP_FREEBIND on IPv6 sockets as well, this works since Linux 3.3 and doesn't require CAP_NET_ADMIN privileges (IPV6_TRANSPARENT does).

This allows unprivileged users to bind to non-local IPv6 addresses, which can be useful when setting up the listening sockets or when connecting to backend servers with a specific, non-local source IPv6 address (at that point we usually dropped root privileges already).

Patch applied, thank you Lukas!

Willy
ENOTCONN from recv() on illumos
Hi folks, I was testing haproxy-1.5-dev22 on SmartOS (an illumos-based system) and ran into a problem. There's a small window after non-blocking connect() is called, but before the TCP connection is established, where recv() may return ENOTCONN. On Linux, the behaviour here seems to be always to return EAGAIN. The fix is relatively trivial, and appears to make haproxy work reliably on current SmartOS (see patch below). It's possible that other UNIX platforms exhibit this behaviour as well. Does this fix appear to be acceptable? --- haproxy-1.5-dev22/src/raw_sock.c2014-02-02 23:41:29.0 + +++ haproxy-1.5-dev22-PATCHED/src/raw_sock.c2014-03-03 21:38:45.23282 + @@ -309,7 +309,7 @@ else if (ret == 0) { goto read0; } - else if (errno == EAGAIN) { + else if (errno == EAGAIN || errno == ENOTCONN) { fd_cant_recv(conn-t.sock.fd); break; } Cheers. -- Joshua M. Clulow UNIX Admin/Developer http://blog.sysmgr.org
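Review bot: the changed line `else if (errno == EAGAIN || errno == ENOTCONN) {` has no comment explaining why a "not connected" error is treated like "try again"; a reader who does not know about the illumos window between a non-blocking connect() and establishment could take it for masking a real failure. Suggest a short comment on that line stating that some platforms (illumos/SmartOS) return ENOTCONN from recv() while connect() is still in progress, and a commit message with the usual BUG/MINOR prefix that mentions this mirrors the existing ENOTCONN handling on the send() side of raw_sock.c, so the backport to 1.4 carries its rationale with it.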
RE: ENOTCONN from recv() on illumos
Hi Joshua,

Hi folks,

I was testing haproxy-1.5-dev22 on SmartOS (an illumos-based system) and ran into a problem. There's a small window after non-blocking connect() is called, but before the TCP connection is established, where recv() may return ENOTCONN. On Linux, the behaviour here seems to be always to return EAGAIN.

The fix is relatively trivial, and appears to make haproxy work reliably on current SmartOS (see patch below). It's possible that other UNIX platforms exhibit this behaviour as well.

Does this fix appear to be acceptable?

The same thing was already done for send() in commit 0ea0cf606e1d (BUG: raw_sock: also consider ENOTCONN in addition to EAGAIN) [1].

CC'ing Willy.

Regards,
Lukas

[1] http://haproxy.1wt.eu/git?p=haproxy.git;a=commitdiff;h=0ea0cf606e1da866b1c1e1b25dbe3472ccaaa6d8
Re: ENOTCONN from recv() on illumos
Hi guys,

On Tue, Mar 04, 2014 at 12:30:18AM +0100, Lukas Tribus wrote:

Hi Joshua,

Hi folks,

I was testing haproxy-1.5-dev22 on SmartOS (an illumos-based system) and ran into a problem. There's a small window after non-blocking connect() is called, but before the TCP connection is established, where recv() may return ENOTCONN. On Linux, the behaviour here seems to be always to return EAGAIN.

The fix is relatively trivial, and appears to make haproxy work reliably on current SmartOS (see patch below). It's possible that other UNIX platforms exhibit this behaviour as well.

Does this fix appear to be acceptable?

The same thing was already done for send() in commit 0ea0cf606e1d (BUG: raw_sock: also consider ENOTCONN in addition to EAGAIN) [1].

CC'ing Willy.

Good point. I've amended the commit message, applied it and tagged it for backport to 1.4 as well.

Thanks!
willy
Re: Support IP_FREEBIND
Hi Sander,

On Mon, Mar 03, 2014 at 04:01:12PM +0100, Lukas Tribus wrote:

Hi,

On 03.03.2014 14:45, Sander Klein wrote:

Hi,

would it be possible to support IP_FREEBIND with HAProxy-1.5 on linux? I'm asking because nonlocal_bind only works for IPv4 and it seems linux upstream does not want to support nonlocal_bind for IPv6. A thread about this can be found here: http://comments.gmane.org/gmane.comp.web.haproxy/7317

Currently I'm binding IP's to a dummy interface so HAProxy can start, but this is starting to become a nightmare.

Replying to myself... I'm probably looking for the 'transparent' option. Looking at the docs it seems to do what I want...

Yes, the transparent option sets IPV6_TRANSPARENT on IPv6 sockets, which should achieve this. Please let us know if this works for you; we do IP_FREEBIND only on IPv4, not on IPv6.

Also, be advised that this is not supported on ancient kernels; support for those things appeared in 2.6.37. You may want to use a 3.x kernel for this.

Please test the snapshot from this morning, it contains Lukas' patch.

Willy
Re: inspecting incoming tcp content
Hi,

On Mon, Mar 03, 2014 at 09:12:27PM +0100, PiBa-NL wrote:

Hi,

I'm not sure if this is the exact issue that Anup was having, and maybe I'm hijacking his thread; if so I'm sorry for that, but when trying to check how it works I am also having difficulties getting it to work as I expected it to.

I'm using HAProxy v1.5dev21 on FreeBSD 8.3.

I've written in a frontend the following, which checks for a GET web request to determine which backend to use; this works:

mode tcp
tcp-request inspect-delay 5s
acl PAYLOADcheck req.payload(0,3) -m bin 474554
use_backend web_80_tcp if PAYLOADcheck
tcp-request content accept if PAYLOADcheck

However when changing the match line to the following it fails:

acl PAYLOADcheck req.payload(0,3) -m str GET
or
acl PAYLOADcheck req.payload(0,3) -m sub GET
or
acl PAYLOADcheck req.payload(0,3) -m reg -i GET

The req.payload returns a piece of 'binary' data, but the 'compatibility matrix' seems to say that converting for use with sub/reg/others should not be an issue.

Then the next step is of course to not match only the first 3 characters but some content further in the 'middle' of the data stream..

Am I missing something? Or might there be an issue with the implementation?

What you've done is absolutely correct. It is possible that there's a bug somewhere in the cast. I'm CCing Thierry who has a pending patch set of about 50 patches to rework ACLs (merge ACL+map and allow to update them on-the-fly) to ensure he checks this case.

Thanks,
Willy
Re: weights
On Sat, Mar 01, 2014 at 11:06:32PM +0530, vijeesh vijayan wrote:

Thanks. Will share screenshot shortly. Is roundrobin recommended for mysql also?

What Baptiste is explaining is that leastconn focuses on balancing the number of established connections and not the cumulated number of connections. If one server responds slowly and the other responds fast, the slow one will always have a certain number of open connections while the fast one will have very few. Thus it is normal that haproxy will pick the fast one more often than the slow one. And this is precisely the purpose of leastconn. Some people use leastconn to avoid servers which are suffering from some local system perturbations (eg: backups).

And in general, what you're observing means exactly that one server is working much better than another one. So round robin will equally distribute the number of requests to your servers, but will degrade the quality of service since the slow one will get more requests than right now, and the fast one will remain mostly idle waiting for the slow one to get its share.

Willy
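To make Willy's point measurable, here is an added simulation that is not code from the thread: one request arrives per tick, a fast server holds each connection for 2 ticks and a slow one for 8, and dispatch either alternates (roundrobin) or picks the server with the fewest established connections (leastconn, ties going to the first server). The server names, service times and tie-break rule are assumptions made for this example.

```python
"""Discrete-time simulation of HAProxy-style leastconn versus roundrobin.

Added example, not code from the thread.  Each server keeps a connection
open for its own service time; a policy chooses a server per request.
Server names, service times and the tie-break are constructed values.
"""
import heapq
from dataclasses import dataclass


@dataclass
class Server:
    name: str
    service_time: int        # ticks a connection stays established
    inflight: int = 0        # established connections right now
    served: int = 0          # cumulated number of requests
    peak_inflight: int = 0


def pick(policy: str, servers: list, tick: int) -> Server:
    """Choose a server the way the named balancing policy would."""
    if policy == "roundrobin":
        return servers[tick % len(servers)]      # equal share, no feedback
    if policy == "leastconn":
        # min() keeps the first server on ties (lowest-index tie-break)
        return min(servers, key=lambda s: s.inflight)
    raise ValueError(policy)


def simulate(policy: str, n_requests: int, service_times: dict) -> dict:
    """Return per-server request counts, peak in-flight and mean latency."""
    servers = [Server(name, t) for name, t in service_times.items()]
    pending = []             # heap of (completion_tick, server index)
    total_latency = 0
    for tick in range(n_requests):
        # release connections that completed before this request arrives
        while pending and pending[0][0] <= tick:
            _, idx = heapq.heappop(pending)
            servers[idx].inflight -= 1
        srv = pick(policy, servers, tick)
        srv.inflight += 1
        srv.served += 1
        srv.peak_inflight = max(srv.peak_inflight, srv.inflight)
        total_latency += srv.service_time    # no queueing: latency = service
        heapq.heappush(pending, (tick + srv.service_time, servers.index(srv)))
    return {
        "served": {s.name: s.served for s in servers},
        "peak_inflight": {s.name: s.peak_inflight for s in servers},
        "mean_latency": total_latency / n_requests,
    }


if __name__ == "__main__":
    for policy in ("leastconn", "roundrobin"):
        print(policy, simulate(policy, 80, {"fast": 2, "slow": 8}))
```

With these numbers leastconn sends 70 of 80 requests to the fast server and the slow one never holds more than one connection, while roundrobin splits 40/40, keeps four connections parked on the slow server and doubles the mean latency.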