Re: [PATCH] append-header feature
Hi Sasha, On Fri, May 23, 2014 at 06:50:05PM -0600, Sasha Pachev wrote: > I have made some progress here, and was just > about to call exp_replace() when I realized it does not have a way to > protect against the destination buffer overrun. Would it be OK if I > added the protection? Hmm that's really interesting and is directly related to the growing feature set. Initially, config file lines were very limited and since we used to reserve half of a buffer for rewrites, it was technically not possible to overflow the buffer. Now we have many more possibilities, we can copy certs in headers, support long lines, we reserve less, etc... Thus in practice, it is theorically possible to write some heavy rewrite rules that can overflow the request or response buffer. So yes, please see what you can do to avoid this, and propose that fix as a separate patch tagged "BUG". Thanks! Willy
Re: haproxy hash that honors already connected connections
On Sat, May 24, 2014 at 08:23:04AM +0530, Jai Gupta wrote: > > > What hash should we use in this case or is there any other configuration > > > that we should be using? > > > > It's totally irrelevant to the hash here, because the hash is determinist > > so it ensures that a given input always leads to the same choice of server > > among a similar farm. The problem is that you're dealing with long > > connections and that you want to kill them when server A goes back up. > > > > Haproxy can kill existing connections to backup servers when a server goes > > up, but it does not kill connections to active servers. > > > > We could be having hundreds of active servers. It would not be efficient to > have few spare backup servers for each and every active server, we may also > not be able to load balance in that approach. OK. > > What protocol are you using ? Does it transparently support connections > > being killed every time a server goes up ? I'm asking because that's a > > bit of a mess for the users, you'll reduce reliability by adding more > > servers... And if the protocol supports having connections killed, then > > you'd rather simply reduce the timeout so that they disappear sooner. > > > > Protocol used is websocket and it is supposed to be connected for hours. > Our challenge is to keep all clients with given group attached to one > server, we can't let them spread between multiple servers. > > We aim for both HA and load balancing. Do we have a way out haproxy could > provide? OK so you don't need to switch back and forth between servers within the same group then ? Wouldn't it be better to stick users to the "current" server instead ? That is, incoming connections start to go to a server, whatever it is, and if it fails, then everyone switches to the other one, and remain on it until it dies ? This is easy to do using a stick table, just stick on anything (typically a constant) and the last server will be reminded. Example : backend blah mode http balance roundrobin stick-table type int size 1 expire 1d stick on always_true # just a constant default-server on-marked-down shutdown-sessions server srv1 1.1.1.1:80 check server srv2 1.1.1.2:80 check etc... Willy
Re: haproxy hash that honors already connected connections
Thank for reply Willy. On Fri, May 23, 2014 at 10:42 PM, Willy Tarreau wrote: > On Fri, May 23, 2014 at 09:54:18PM +0530, Jai Gupta wrote: > > We have configured haproxy 1.5 and are using map-based hash (default). > > > > For e.g. we have two backend servers. Server A and Server B. > > Clients 1,2,3,4,5 will go to same backend. > > > > For example > > Client 1,2,3 are connected to Server A as per hash. > > Server A is crashed. > > haproxy shifts clients to Server B. > > Server A recovers. > > Client 4,5 are connected to Server A > > > > Problem is that 1,2,3 remain connected with Server B but as per updated > > hash, they should be connected with Server A. > > > > We want all clients 1,2,3,4,5 to be connected to same Server. > > > > Connection remain connected for very long time so either they need to be > > forcefully disconnected if hash changes or hash should be such that it > > honors already connected connections. > > > > What hash should we use in this case or is there any other configuration > > that we should be using? > > It's totally irrelevant to the hash here, because the hash is determinist > so it ensures that a given input always leads to the same choice of server > among a similar farm. The problem is that you're dealing with long > connections and that you want to kill them when server A goes back up. > > Haproxy can kill existing connections to backup servers when a server goes > up, but it does not kill connections to active servers. > We could be having hundreds of active servers. It would not be efficient to have few spare backup servers for each and every active server, we may also not be able to load balance in that approach. > What protocol are you using ? Does it transparently support connections > being killed every time a server goes up ? I'm asking because that's a > bit of a mess for the users, you'll reduce reliability by adding more > servers... And if the protocol supports having connections killed, then > you'd rather simply reduce the timeout so that they disappear sooner. > Protocol used is websocket and it is supposed to be connected for hours. Our challenge is to keep all clients with given group attached to one server, we can't let them spread between multiple servers. We aim for both HA and load balancing. Do we have a way out haproxy could provide? > Regards > Willy >
Re: [PATCH] append-header feature
>> Good plan. Will do it this way. If I use buffer_replace2() on the >> header repeatedly from under http_res_get_intercept_rule() or >> http_req_get_intercept_rule() it does not appear that it would cause >> any problems - It is already being used from under >> http_remove_header2() which is called from under those functions, but >> maybe I missed something. Did I? >> >> And, is buffer_replace2() the best tool for the job, or would you >> suggest a different call? > > Yes I think it's the appropriate one. Look how the Connection header > is processed for example. You might also be interested in looking at > how reqrep/rsprep are processed in apply_*_filter* with action > ACT_REPLACE. I think it's the closest to what you want to do. Willy: Thanks for the tips. I have made some progress here, and was just about to call exp_replace() when I realized it does not have a way to protect against the destination buffer overrun. Would it be OK if I added the protection? And, a natural question arises as to whether there currently exists a buffer overrun in one or more of the three places where it is currently called. -- Sasha Pachev Fast Running Blog. http://fastrunningblog.com Run. Blog. Improve. Repeat.
Re: Add Domain redirects using API or ?
Hi,
I'm getting a strange error, which is various when I change it in the
frontend.
Is there maybe a typo in yours ?
2014-05-23 16:34 GMT+02:00 Baptiste :
> You can set a map entry, it will erase then create the entry.
> And HAProxy will take it into account on the fly, without doing anything.
> You could even forward traffic to your webservers and let haproxy
> learn the redirect on the fly.
>
> Remember, HAProxy is art:
> https://twitter.com/malditogeek/status/243020846875152384#
>
> Baptiste
>
> On Fri, May 23, 2014 at 4:00 PM, Matt . wrote:
> > So when you remove a line and there is no line like it... just nothing
> > happens as it should ?
> >
> > But what if you add one that is already there ? Will it be added twice ?
> If
> > so and you do a remove will both be removed ?
> >
> >
> > 2014-05-23 15:22 GMT+02:00 Baptiste :
> >>
> >> There is no reply, it is silently performed.
> >>
> >>
> >> Baptiste
> >>
> >> On Fri, May 23, 2014 at 3:07 PM, Matt . wrote:
> >> > Hi,
> >> >
> >> > OK, that is a very good explanation!
> >> >
> >> > It's also very flexible in my opinion.
> >> >
> >> > Does hsproxy give a reply/callback after adding/removing ? I'm not
> sure
> >> > but
> >> > I thought it did.
> >> >
> >> > I also did a reply-all this time, sorry for last time!
> >> >
> >> > Cheers,
> >> >
> >> > Matt
> >> >
> >> >
> >> > 2014-05-23 14:07 GMT+02:00 Baptiste :
> >> >
> >> >> Hi Matt,
> >> >>
> >> >> I'm Ccing the ML since the answer can interest everybody here.
> >> >>
> >> >> > Thanks for you explanation... I found something indeed on the devel
> >> >> > version
> >> >> > yesterday, you can also remove this way I saw ?
> >> >>
> >> >> yes, you can delete content from a map thanks to the socket or
> through
> >> >> information found in HTTP headers.
> >> >>
> >> >> > What do you mean by filecontents on reload ?
> >> >>
> >> >> I mean that the content of the map is read from a flat file.
> >> >> If you modify running map, HAProxy only updates its memory, not the
> >> >> flat
> >> >> file.
> >> >> So after a reload, if the flat file does not contain same content as
> >> >> HAProxy's memory, then updates are lost.
> >> >>
> >> >> > What I add this was is added to memory and not to the file ?
> >> >>
> >> >> exactly
> >> >>
> >> >> > So, I need to sync the file with the memory in some way ?
> >> >>
> >> >> yes.
> >> >> This can be done easily with a tool since you can dump a map content
> >> >> from HAProxy's socket.
> >> >>
> >> >> Baptiste
> >> >>
> >> >>
> >> >> >
> >> >> >
> >> >> > 2014-05-23 10:17 GMT+02:00 Baptiste :
> >> >> >
> >> >> >> Hi Matt,
> >> >> >>
> >> >> >> You have to use HAProxy 1.5.
> >> >> >> You can load redirects from a map file.
> >> >> >> Map file content, 2 columns, with on the left the reference (what
> >> >> >> you're looking from in the client request) and on the right the
> >> >> >> response to send back.
> >> >> >> domain2.com subdomain.domain1.com
> >> >> >>
> >> >> >> Then, in your frontend, simply add:
> >> >> >> http-request redirect code 302 prefix
> >> >> >> http://%[req.hdr(host),map_str(map_redirects.lst)] if {
> >> >> >> req.hdr(Host),map_str(map_redirects.lst) -m found }
> >> >> >>
> >> >> >> Content of map_redirects.lst:
> >> >> >> domain2.com subdomain.domain1.com
> >> >> >>
> >> >> >> If the domain is not listed, then HAProxy will return a 503.
> >> >> >>
> >> >> >> Here are some results:
> >> >> >> GET http://127.0.0.1:8080/ -H "Host: domain2.com"
> >> >> >>
> >> >> >> HTTP/1.1 302 Found
> >> >> >> Cache-Control: no-cache
> >> >> >> Content-length: 0
> >> >> >> Location: http://subdomain.domain1.com/
> >> >> >> Connection: close
> >> >> >>
> >> >> >>
> >> >> >> GET http://127.0.0.1:8080/blah -H "Host: domain2.com"
> >> >> >>
> >> >> >> HTTP/1.1 302 Found
> >> >> >> Cache-Control: no-cache
> >> >> >> Content-length: 0
> >> >> >> Location: http://subdomain.domain1.com/blah
> >> >> >> Connection: close
> >> >> >>
> >> >> >>
> >> >> >>
> >> >> >> GET http://127.0.0.1:8080/ -H "Host: domain1.com"
> >> >> >>
> >> >> >> HTTP/1.0 503 Service Unavailable
> >> >> >> Cache-Control: no-cache
> >> >> >> Connection: close
> >> >> >> Content-Type: text/html
> >> >> >>
> >> >> >>
> >> >> >>
> >> >> >>
> >> >> >> The content of the map can be updated through the HAProxy socket
> or
> >> >> >> though HTTP headers.
> >> >> >> Read the manual to know how.
> >> >> >>
> >> >> >> Bear in mind HAProxy will reset its memory with the content of the
> >> >> >> file when reloading. So it's up to you to sync the memory of
> HAProxy
> >> >> >> and the content of the file.
> >> >> >>
> >> >> >> Baptiste
> >> >> >>
> >> >> >>
> >> >> >> On Thu, May 22, 2014 at 11:08 PM, Matt .
> >> >> >> wrote:
> >> >> >> > Babtiste,
> >> >> >> >
> >> >> >> > I'm not able to find any solution to add such rewrites, am I
> >> >> >> > looking
> >> >> >> > wrong ?
> >> >> >> >
> >> >> >> > Cheers,
> >> >> >> >
> >> >> >> > Matt
> >> >> >> >
> >> >> >> >
> >> >> >> > 2014-05-22 16:37 GMT+02:00 Matt . :
> >>
A health insurance that covers you wherever you go
If you're having trouble viewing this email, please click here. With our comprehensive health insurance to back you up, you can nurture your individual strengths and achieve what matters most in your life. Get unique benefits from Cigna TTK ProHealth Plus and insure your health for a successful future. No cap on room rent Policy Deductible Health Benefits upto Rs 2000 Worldwide Emergency Cover No cap on room rent Policy Deductible Health Benefits upto Rs 2000 Worldwide Emergency Cover No cap on room rent Policy Deductible Health Benefits upto Rs 2000 Worldwide Emergency Cover Insurance is the subject matter of solicitation For more details on terms & conditions please read the sales brochure carefully before concluding the sale CignaTTK Health Insurance Company Limited –IRDA registration no. 151 CignaTTK ProHealth Insurance Policy, UIN Number: IRDA/NL-HLT/CTTK/P-H/V-I/390/13-14 Compliance number - ADVEM/0011/FEB/13-14 Date of release : March 2014 You have received this mailer from us because you indicated that you would like to receive special offers.To unsubscribe from this offer, please click here to unsubscribe.
Re: debian repository http://haproxy.debian.net/
❦ 23 mai 2014 20:22 +0300, pablo platt : > Something like this for haproxy will bring confident and prevent > confusion and questions. > http://nginx.org/en/linux_packages.html haproxy.debian.net is just a static page. We could host it on haproxy.net if it helps (and apply the same CSS as the remaining of the site). It is also easy to add RPM to this page. -- Identify bad input; recover if possible. - The Elements of Programming Style (Kernighan & Plauger) signature.asc Description: PGP signature
Re: debian repository http://haproxy.debian.net/
On Fri, May 23, 2014 at 08:39:01PM +0300, pablo platt wrote: > If you already have a repository for the commercial version, it'll be great > to have the free version hosted there too, > unless you want this service to be one of the distinguishing factors which > is understandable. > Personally, I think it creates unnecessary confusion and trust issues. It's not a matter of wanting it to be different but that these are not the same maintainers at all, and each one wants his flexibility with his own release tools, cycles and procedures. We won't inflict burden to volunteers who do the job for free on their spare time. Willy
Convierta el Departamento de Co mpras en un Centro de Ga nancias
Cómo Convertir el Departamento de Com pras en un Centro de Ga nanciasBogotá 11 de junio, 2014 Si tiene la presión de reducir costos pero los proveedores lo tienen contra la pared, necesita evaluar los inventarios y flujo de materiales que afectan las ganancias de la empresa... Si realmente quiere convertir su departamento de COMP RAS en un centro estratégico de GA NANCIAS... Asista a este interactivo seminario que utilizan los grandes negociadores para lograr mejores acuerdos con sus proveedores, aprendiendo los pasos clave que debe tomar para maximizar su influencia sobre ellos.No deje pasar la oportunidad de experimentar diferentes situaciones de la "vida real" que lo ayudarán a mejorar sis técnicas de negociación.Para ampliar información y recibir los beneficios de inscripción temprana responda este correo con los siguientes datos: Nombre: Empresa: Ciudad: Teléfono: Email: "Garantizamos total confidencialidad y privacidad de sus datos" Linea Gratuita Nacional: 018000 51 30 51¿Desea dejar de recibir estos emails? Responda con el asunto dejar
Re: debian repository http://haproxy.debian.net/
If you already have a repository for the commercial version, it'll be great to have the free version hosted there too, unless you want this service to be one of the distinguishing factors which is understandable. Personally, I think it creates unnecessary confusion and trust issues. On Fri, May 23, 2014 at 8:29 PM, Willy Tarreau wrote: > On Fri, May 23, 2014 at 08:22:11PM +0300, pablo platt wrote: > > Something like this for haproxy will bring confident and prevent > confusion > > and questions. > > http://nginx.org/en/linux_packages.html > > We're currently preparing something more or less like this for HAPEE > packages (the commercial, supported version). For the free edition, I > think it's better that packages built and maintained by the community > are placed on the respective distros servers. However we could have > cross-links between the two for completeness. > > Willy > >
Re: debian repository http://haproxy.debian.net/
On Fri, May 23, 2014 at 08:22:11PM +0300, pablo platt wrote: > Something like this for haproxy will bring confident and prevent confusion > and questions. > http://nginx.org/en/linux_packages.html We're currently preparing something more or less like this for HAPEE packages (the commercial, supported version). For the free edition, I think it's better that packages built and maintained by the community are placed on the respective distros servers. However we could have cross-links between the two for completeness. Willy
Re: debian repository http://haproxy.debian.net/
Something like this for haproxy will bring confident and prevent confusion and questions. http://nginx.org/en/linux_packages.html On Fri, May 23, 2014 at 8:08 PM, Willy Tarreau wrote: > On Fri, May 23, 2014 at 05:10:49PM +0200, Ghislain wrote: > > Le 23/05/2014 15:23, Baptiste a écrit : > > >It is not provided by us (HAProxy.com) if this is what you mean. > > > > > >Baptiste > > > > > > > > > > yes that's what i meant. Thanks for both answer and thanks for the > > product, and the packages ! > > > > In any case from my high throne in the sky looking under at other petty > > humans i will consider worthy of my trust the debian team, amen ;p > > BTW, I tend to consider part of the haproxy team all people who are deeply > involved in the project. The long-time distro maintainers certainly qualify > as part of the team, so you needn't worry. > > Willy > > >
Re: haproxy hash that honors already connected connections
On Fri, May 23, 2014 at 09:54:18PM +0530, Jai Gupta wrote: > We have configured haproxy 1.5 and are using map-based hash (default). > > For e.g. we have two backend servers. Server A and Server B. > Clients 1,2,3,4,5 will go to same backend. > > For example > Client 1,2,3 are connected to Server A as per hash. > Server A is crashed. > haproxy shifts clients to Server B. > Server A recovers. > Client 4,5 are connected to Server A > > Problem is that 1,2,3 remain connected with Server B but as per updated > hash, they should be connected with Server A. > > We want all clients 1,2,3,4,5 to be connected to same Server. > > Connection remain connected for very long time so either they need to be > forcefully disconnected if hash changes or hash should be such that it > honors already connected connections. > > What hash should we use in this case or is there any other configuration > that we should be using? It's totally irrelevant to the hash here, because the hash is determinist so it ensures that a given input always leads to the same choice of server among a similar farm. The problem is that you're dealing with long connections and that you want to kill them when server A goes back up. Haproxy can kill existing connections to backup servers when a server goes up, but it does not kill connections to active servers. What protocol are you using ? Does it transparently support connections being killed every time a server goes up ? I'm asking because that's a bit of a mess for the users, you'll reduce reliability by adding more servers... And if the protocol supports having connections killed, then you'd rather simply reduce the timeout so that they disappear sooner. Regards Willy
Re: debian repository http://haproxy.debian.net/
On Fri, May 23, 2014 at 05:10:49PM +0200, Ghislain wrote: > Le 23/05/2014 15:23, Baptiste a écrit : > >It is not provided by us (HAProxy.com) if this is what you mean. > > > >Baptiste > > > > > > yes that's what i meant. Thanks for both answer and thanks for the > product, and the packages ! > > In any case from my high throne in the sky looking under at other petty > humans i will consider worthy of my trust the debian team, amen ;p BTW, I tend to consider part of the haproxy team all people who are deeply involved in the project. The long-time distro maintainers certainly qualify as part of the team, so you needn't worry. Willy
haproxy hash that honors already connected connections
We have configured haproxy 1.5 and are using map-based hash (default). For e.g. we have two backend servers. Server A and Server B. Clients 1,2,3,4,5 will go to same backend. For example Client 1,2,3 are connected to Server A as per hash. Server A is crashed. haproxy shifts clients to Server B. Server A recovers. Client 4,5 are connected to Server A Problem is that 1,2,3 remain connected with Server B but as per updated hash, they should be connected with Server A. We want all clients 1,2,3,4,5 to be connected to same Server. Connection remain connected for very long time so either they need to be forcefully disconnected if hash changes or hash should be such that it honors already connected connections. What hash should we use in this case or is there any other configuration that we should be using? Jai
Re: debian repository http://haproxy.debian.net/
❦ 23 mai 2014 17:10 +0200, Ghislain : > /etc/apt/preferences.d/haproxy > > Package: haproxy > Pin: origin haproxy.debian.net, version 1.5* > Pin-Priority: 995 > > Package: * > Pin: origin haproxy.debian.net > Pin-Priority: -10 For me, pinning on both origin and version doesn't work. I suppose you can do this instead: Package: haproxy Pin: origin haproxy.debian.net Pin-Priority: 995 Package: * Pin: origin haproxy.debian.net Pin-Priority: -10 Then, check that it works as expected: apt-cache policy haproxy apt-cache policy haproxy-dbg -- Each module should do one thing well. - The Elements of Programming Style (Kernighan & Plauger) signature.asc Description: PGP signature
Re: debian repository http://haproxy.debian.net/
On 17:10 Fri 23 May , Ghislain wrote: > Le 23/05/2014 15:23, Baptiste a écrit : > >It is not provided by us (HAProxy.com) if this is what you mean. > > > >Baptiste > > > > > > yes that's what i meant. Thanks for both answer and thanks for the product, > and the packages ! > > In any case from my high throne in the sky looking under at other petty > humans i will consider worthy of my trust the debian team, amen ;p Thanks :) > Now that we have cleared this, that raise another question as i may been a > little paranoid as most sysadmin should be so , do you think this: > > /etc/apt/preferences.d/haproxy > > Package: haproxy > Pin: origin haproxy.debian.net, version 1.5* > Pin-Priority: 995 > > Package: * > Pin: origin haproxy.debian.net > Pin-Priority: -10 > > will make sure this repository can never ever touch anything else than the > 'haproxy' package ? I think the Pin: line of the first entry is not valid, the following should work: Package: haproxy Pin: version 1.5* Pin: origin haproxy.debian.net Pin-Priority: 777 Package: * Pin: origin haproxy.debian.net Pin-Priority: -10 You can always check the result using `apt-cache policy haproxy'. You should also allow haproxy-dbg. > > i start to have a repository per process those days if i do not limit > those > a little they will one day come to bite me ! Another option would be to setup your own local repository using e.g. reprepro and import only the packages generated from the "haproxy" source. This is what I've been using at work to control a lot of upstream repositories and stage packages when/if we want to. Note that this repository is only a temporary solution, until 1.5-final is out. Then we will upload it to unstable and wheezy-backports proper. Regards, Apollon
Good news !
Hi all! I've just finished re-arranging the agent-check to support up/down separately from the weight and from the administrative state (ready/drain/maint). It required significant changes to the rest of the check system, but in the end it was really worth it because now servers have their own state and checks only change these states. Also we now have the ability to change these states from the Web stats interface, which becomes really convenient. Those of you following the mailing list know what this means. It was the last show-stopper before the release :-) For sure there are still many things that we can improve, but normally no important feature missing. It is possible that I missed some patches despite having been careful, so if anyone has sent anything that was not yet merged, or if you were waiting for something which we promised long ago and which was not done, please report that now. Depending on what this is, we can still merge it or we'll decide to postpone for 1.6. I'd like to have any pending code merged before dev26 so that most people can test it without having to track snapshots, and after one or two weeks of positive reports (because reports will be positive of course), we can release 1.5 and expect not to break already deployed setups after that. Have a nice week-end, Willy
Re: debian repository http://haproxy.debian.net/
Le 23/05/2014 15:23, Baptiste a écrit : It is not provided by us (HAProxy.com) if this is what you mean. Baptiste yes that's what i meant. Thanks for both answer and thanks for the product, and the packages ! In any case from my high throne in the sky looking under at other petty humans i will consider worthy of my trust the debian team, amen ;p Now that we have cleared this, that raise another question as i may been a little paranoid as most sysadmin should be so , do you think this: /etc/apt/preferences.d/haproxy Package: haproxy Pin: origin haproxy.debian.net, version 1.5* Pin-Priority: 995 Package: * Pin: origin haproxy.debian.net Pin-Priority: -10 will make sure this repository can never ever touch anything else than the 'haproxy' package ? not that i think it will ever have a openssh-server v12 in this repository to replace my system's one but a little "firewall like" policy seems a good health to me , anyone use something similar ? i start to have a repository per process those days if i do not limit those a little they will one day come to bite me ! regards, Ghislain.
Re: [PATCH] Filter input lines by date and time through timestamp
Hello Olivier, On Thu, May 22, 2014 at 04:44:59PM +0200, Olivier Burgard wrote: > Hello, > > I wanted to make a graph with average answer time in nagios that takes only > the last 5 mn of the log. Filtering the log before using halog was too > slow, so I added that filter to halog. > > The patch attached to this mail is a proposal to add a new option : -time > [min][:max] > > The values are min timestamp and/or max timestamp of the lines to be used > for stats. The date and time of the log lines between '[' and ']' are > converted to timestamp and compared to these values. > > Here is an exemple of usage : > cat /var/log/haproxy.log | ./halog -srv -H -q -time $(date --date '-5 min' > +%s) Wow that's excellent! I've long wanted to do it but felt lazy. So of course I've applied it! After looking at it a bit, I found that you called time(), localtime() and mktime() for each line, which is a real waste. So I performed a small change by having a cache of last converted date and by only initializing the timeinfo struct once. Result: 8 times faster here on my machine :-) Thus I merged this change as well. Thanks! Willy
Re: Add Domain redirects using API or ?
I like art! Thanks!!
2014-05-23 16:34 GMT+02:00 Baptiste :
> You can set a map entry, it will erase then create the entry.
> And HAProxy will take it into account on the fly, without doing anything.
> You could even forward traffic to your webservers and let haproxy
> learn the redirect on the fly.
>
> Remember, HAProxy is art:
> https://twitter.com/malditogeek/status/243020846875152384#
>
> Baptiste
>
> On Fri, May 23, 2014 at 4:00 PM, Matt . wrote:
> > So when you remove a line and there is no line like it... just nothing
> > happens as it should ?
> >
> > But what if you add one that is already there ? Will it be added twice ?
> If
> > so and you do a remove will both be removed ?
> >
> >
> > 2014-05-23 15:22 GMT+02:00 Baptiste :
> >>
> >> There is no reply, it is silently performed.
> >>
> >>
> >> Baptiste
> >>
> >> On Fri, May 23, 2014 at 3:07 PM, Matt . wrote:
> >> > Hi,
> >> >
> >> > OK, that is a very good explanation!
> >> >
> >> > It's also very flexible in my opinion.
> >> >
> >> > Does hsproxy give a reply/callback after adding/removing ? I'm not
> sure
> >> > but
> >> > I thought it did.
> >> >
> >> > I also did a reply-all this time, sorry for last time!
> >> >
> >> > Cheers,
> >> >
> >> > Matt
> >> >
> >> >
> >> > 2014-05-23 14:07 GMT+02:00 Baptiste :
> >> >
> >> >> Hi Matt,
> >> >>
> >> >> I'm Ccing the ML since the answer can interest everybody here.
> >> >>
> >> >> > Thanks for you explanation... I found something indeed on the devel
> >> >> > version
> >> >> > yesterday, you can also remove this way I saw ?
> >> >>
> >> >> yes, you can delete content from a map thanks to the socket or
> through
> >> >> information found in HTTP headers.
> >> >>
> >> >> > What do you mean by filecontents on reload ?
> >> >>
> >> >> I mean that the content of the map is read from a flat file.
> >> >> If you modify running map, HAProxy only updates its memory, not the
> >> >> flat
> >> >> file.
> >> >> So after a reload, if the flat file does not contain same content as
> >> >> HAProxy's memory, then updates are lost.
> >> >>
> >> >> > What I add this was is added to memory and not to the file ?
> >> >>
> >> >> exactly
> >> >>
> >> >> > So, I need to sync the file with the memory in some way ?
> >> >>
> >> >> yes.
> >> >> This can be done easily with a tool since you can dump a map content
> >> >> from HAProxy's socket.
> >> >>
> >> >> Baptiste
> >> >>
> >> >>
> >> >> >
> >> >> >
> >> >> > 2014-05-23 10:17 GMT+02:00 Baptiste :
> >> >> >
> >> >> >> Hi Matt,
> >> >> >>
> >> >> >> You have to use HAProxy 1.5.
> >> >> >> You can load redirects from a map file.
> >> >> >> Map file content, 2 columns, with on the left the reference (what
> >> >> >> you're looking from in the client request) and on the right the
> >> >> >> response to send back.
> >> >> >> domain2.com subdomain.domain1.com
> >> >> >>
> >> >> >> Then, in your frontend, simply add:
> >> >> >> http-request redirect code 302 prefix
> >> >> >> http://%[req.hdr(host),map_str(map_redirects.lst)] if {
> >> >> >> req.hdr(Host),map_str(map_redirects.lst) -m found }
> >> >> >>
> >> >> >> Content of map_redirects.lst:
> >> >> >> domain2.com subdomain.domain1.com
> >> >> >>
> >> >> >> If the domain is not listed, then HAProxy will return a 503.
> >> >> >>
> >> >> >> Here are some results:
> >> >> >> GET http://127.0.0.1:8080/ -H "Host: domain2.com"
> >> >> >>
> >> >> >> HTTP/1.1 302 Found
> >> >> >> Cache-Control: no-cache
> >> >> >> Content-length: 0
> >> >> >> Location: http://subdomain.domain1.com/
> >> >> >> Connection: close
> >> >> >>
> >> >> >>
> >> >> >> GET http://127.0.0.1:8080/blah -H "Host: domain2.com"
> >> >> >>
> >> >> >> HTTP/1.1 302 Found
> >> >> >> Cache-Control: no-cache
> >> >> >> Content-length: 0
> >> >> >> Location: http://subdomain.domain1.com/blah
> >> >> >> Connection: close
> >> >> >>
> >> >> >>
> >> >> >>
> >> >> >> GET http://127.0.0.1:8080/ -H "Host: domain1.com"
> >> >> >>
> >> >> >> HTTP/1.0 503 Service Unavailable
> >> >> >> Cache-Control: no-cache
> >> >> >> Connection: close
> >> >> >> Content-Type: text/html
> >> >> >>
> >> >> >>
> >> >> >>
> >> >> >>
> >> >> >> The content of the map can be updated through the HAProxy socket
> or
> >> >> >> though HTTP headers.
> >> >> >> Read the manual to know how.
> >> >> >>
> >> >> >> Bear in mind HAProxy will reset its memory with the content of the
> >> >> >> file when reloading. So it's up to you to sync the memory of
> HAProxy
> >> >> >> and the content of the file.
> >> >> >>
> >> >> >> Baptiste
> >> >> >>
> >> >> >>
> >> >> >> On Thu, May 22, 2014 at 11:08 PM, Matt .
> >> >> >> wrote:
> >> >> >> > Babtiste,
> >> >> >> >
> >> >> >> > I'm not able to find any solution to add such rewrites, am I
> >> >> >> > looking
> >> >> >> > wrong ?
> >> >> >> >
> >> >> >> > Cheers,
> >> >> >> >
> >> >> >> > Matt
> >> >> >> >
> >> >> >> >
> >> >> >> > 2014-05-22 16:37 GMT+02:00 Matt . :
> >> >> >> >
> >> >> >> >> Hi,
> >> >> >> >>
> >> >> >> >> That is nice, is that in the development versi
Re: Add Domain redirects using API or ?
You can set a map entry, it will erase then create the entry.
And HAProxy will take it into account on the fly, without doing anything.
You could even forward traffic to your webservers and let haproxy
learn the redirect on the fly.
Remember, HAProxy is art:
https://twitter.com/malditogeek/status/243020846875152384#
Baptiste
On Fri, May 23, 2014 at 4:00 PM, Matt . wrote:
> So when you remove a line and there is no line like it... just nothing
> happens as it should ?
>
> But what if you add one that is already there ? Will it be added twice ? If
> so and you do a remove will both be removed ?
>
>
> 2014-05-23 15:22 GMT+02:00 Baptiste :
>>
>> There is no reply, it is silently performed.
>>
>>
>> Baptiste
>>
>> On Fri, May 23, 2014 at 3:07 PM, Matt . wrote:
>> > Hi,
>> >
>> > OK, that is a very good explanation!
>> >
>> > It's also very flexible in my opinion.
>> >
>> > Does hsproxy give a reply/callback after adding/removing ? I'm not sure
>> > but
>> > I thought it did.
>> >
>> > I also did a reply-all this time, sorry for last time!
>> >
>> > Cheers,
>> >
>> > Matt
>> >
>> >
>> > 2014-05-23 14:07 GMT+02:00 Baptiste :
>> >
>> >> Hi Matt,
>> >>
>> >> I'm Ccing the ML since the answer can interest everybody here.
>> >>
>> >> > Thanks for you explanation... I found something indeed on the devel
>> >> > version
>> >> > yesterday, you can also remove this way I saw ?
>> >>
>> >> yes, you can delete content from a map thanks to the socket or through
>> >> information found in HTTP headers.
>> >>
>> >> > What do you mean by filecontents on reload ?
>> >>
>> >> I mean that the content of the map is read from a flat file.
>> >> If you modify running map, HAProxy only updates its memory, not the
>> >> flat
>> >> file.
>> >> So after a reload, if the flat file does not contain same content as
>> >> HAProxy's memory, then updates are lost.
>> >>
>> >> > What I add this was is added to memory and not to the file ?
>> >>
>> >> exactly
>> >>
>> >> > So, I need to sync the file with the memory in some way ?
>> >>
>> >> yes.
>> >> This can be done easily with a tool since you can dump a map content
>> >> from HAProxy's socket.
>> >>
>> >> Baptiste
>> >>
>> >>
>> >> >
>> >> >
>> >> > 2014-05-23 10:17 GMT+02:00 Baptiste :
>> >> >
>> >> >> Hi Matt,
>> >> >>
>> >> >> You have to use HAProxy 1.5.
>> >> >> You can load redirects from a map file.
>> >> >> Map file content, 2 columns, with on the left the reference (what
>> >> >> you're looking from in the client request) and on the right the
>> >> >> response to send back.
>> >> >> domain2.com subdomain.domain1.com
>> >> >>
>> >> >> Then, in your frontend, simply add:
>> >> >> http-request redirect code 302 prefix
>> >> >> http://%[req.hdr(host),map_str(map_redirects.lst)] if {
>> >> >> req.hdr(Host),map_str(map_redirects.lst) -m found }
>> >> >>
>> >> >> Content of map_redirects.lst:
>> >> >> domain2.com subdomain.domain1.com
>> >> >>
>> >> >> If the domain is not listed, then HAProxy will return a 503.
>> >> >>
>> >> >> Here are some results:
>> >> >> GET http://127.0.0.1:8080/ -H "Host: domain2.com"
>> >> >>
>> >> >> HTTP/1.1 302 Found
>> >> >> Cache-Control: no-cache
>> >> >> Content-length: 0
>> >> >> Location: http://subdomain.domain1.com/
>> >> >> Connection: close
>> >> >>
>> >> >>
>> >> >> GET http://127.0.0.1:8080/blah -H "Host: domain2.com"
>> >> >>
>> >> >> HTTP/1.1 302 Found
>> >> >> Cache-Control: no-cache
>> >> >> Content-length: 0
>> >> >> Location: http://subdomain.domain1.com/blah
>> >> >> Connection: close
>> >> >>
>> >> >>
>> >> >>
>> >> >> GET http://127.0.0.1:8080/ -H "Host: domain1.com"
>> >> >>
>> >> >> HTTP/1.0 503 Service Unavailable
>> >> >> Cache-Control: no-cache
>> >> >> Connection: close
>> >> >> Content-Type: text/html
>> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >> >> The content of the map can be updated through the HAProxy socket or
>> >> >> though HTTP headers.
>> >> >> Read the manual to know how.
>> >> >>
>> >> >> Bear in mind HAProxy will reset its memory with the content of the
>> >> >> file when reloading. So it's up to you to sync the memory of HAProxy
>> >> >> and the content of the file.
>> >> >>
>> >> >> Baptiste
>> >> >>
>> >> >>
>> >> >> On Thu, May 22, 2014 at 11:08 PM, Matt .
>> >> >> wrote:
>> >> >> > Babtiste,
>> >> >> >
>> >> >> > I'm not able to find any solution to add such rewrites, am I
>> >> >> > looking
>> >> >> > wrong ?
>> >> >> >
>> >> >> > Cheers,
>> >> >> >
>> >> >> > Matt
>> >> >> >
>> >> >> >
>> >> >> > 2014-05-22 16:37 GMT+02:00 Matt . :
>> >> >> >
>> >> >> >> Hi,
>> >> >> >>
>> >> >> >> That is nice, is that in the development version ? I didn't see
>> >> >> >> it
>> >> >> >> in
>> >> >> >> 1.4
>> >> >> >> as I'm right.
>> >> >> >>
>> >> >> >> I need to forward domain2.com to subdomain.domain1.com
>> >> >> >>
>> >> >> >> and subdomain.domain1.com may be a various of webservers that
>> >> >> >> serve
>> >> >> >> that
>> >> >> >> content.
>> >> >> >>
>> >> >> >> Thanks!
>> >> >> >>
>> >> >> >> Matt
>> >> >> >
>> >>
[PATCH] Filter input lines by date and time through timestamp
Hello, I wanted to make a graph with average answer time in nagios that takes only the last 5 mn of the log. Filtering the log before using halog was too slow, so I added that filter to halog. The patch attached to this mail is a proposal to add a new option : -time [min][:max] The values are min timestamp and/or max timestamp of the lines to be used for stats. The date and time of the log lines between '[' and ']' are converted to timestamp and compared to these values. Here is an exemple of usage : cat /var/log/haproxy.log | ./halog -srv -H -q -time $(date --date '-5 min' +%s) Regards, Olivier halog-timestamp.patch Description: Binary data
Re: Error 408 with Chrome
Hi Kevin, [guys, please could you stop top-posting, it's a total mess to try to respond to this thread, I cannot easily take out the useless parts, thanks]. On Fri, May 23, 2014 at 02:35:21PM +0200, Kevin Maziere wrote: > 2014-05-23 14:34 GMT+02:00 Baptiste : > > > Kevin, > > > > Do you (still) see 408 errors printed in the browser??? > > > > Baptiste > > > > On Fri, May 23, 2014 at 2:17 PM, Kevin Maziere > > wrote: > > > Hi > > > > > > I've just applied the first patch, here are the debug log : > > > > > > In the logs : > > > 2014-05-23T12:03:20+00:00 images-access haproxy[13409]: 127.0.0.1:56596 > > > [23/May/2014:12:03:17.972] ipv4-yyy-443~ ipv4-yyy-443/ > > > -1/-1/-1/-1/2041 408 212 - - cR-- 9/3/0/0/0 0/0 "" Well, here I'm seeing a standard 408 after 2 seconds which should match a timeout http-request of 2 seconds. Can you check if you don't have one ? Also, this observation from the logs doesn't seem consistent with your first claim that the 408 is immediate, here it's only after 2 seconds. Or again we are facing this bogus preconnect feature of Chrome. People complain all the time that not only it connects before you want to go to the site, but above all it displays the error that it receives without checking that it got an error prior to using the connection :-( > > > In the debug log, correspond lines: > > > 2014-05-23T12:03:20+00:00 servername haproxy[13409]: Timeout detected: > > > fe=ipv4-yyy-443 s->flags=0080 txn->flags= req->flags=00c88000 > > > msg->flags= now_ms=687261517 req->analyse_exp=687261515 (-2) At least that's good, it's the first request of the connection and nothing except the regular request timeout occurred. There was an interesting thread here about the nasty behaviour of chrome : https://code.google.com/p/chromium/issues/detail?id=85229#c33 Some people suggest closing without ever emitting the 408. You can do that this way : errorfile 408 /dev/null Note that this fantastic browser breaks HTTP by preventing any server from using the well-defined HTTP status code indicating a timeout occurred. Kévin, I think the reason why you have the issue only on one OS is not related to the OS but to your browsing history on that system. The browser doesn't pre-connect there and you don't have the trouble. Regards, Willy
Re: Add Domain redirects using API or ?
So when you remove a line and there is no line like it... just nothing
happens as it should ?
But what if you add one that is already there ? Will it be added twice ? If
so and you do a remove will both be removed ?
2014-05-23 15:22 GMT+02:00 Baptiste :
> There is no reply, it is silently performed.
>
> Baptiste
>
> On Fri, May 23, 2014 at 3:07 PM, Matt . wrote:
> > Hi,
> >
> > OK, that is a very good explanation!
> >
> > It's also very flexible in my opinion.
> >
> > Does hsproxy give a reply/callback after adding/removing ? I'm not sure
> but
> > I thought it did.
> >
> > I also did a reply-all this time, sorry for last time!
> >
> > Cheers,
> >
> > Matt
> >
> >
> > 2014-05-23 14:07 GMT+02:00 Baptiste :
> >
> >> Hi Matt,
> >>
> >> I'm Ccing the ML since the answer can interest everybody here.
> >>
> >> > Thanks for you explanation... I found something indeed on the devel
> >> > version
> >> > yesterday, you can also remove this way I saw ?
> >>
> >> yes, you can delete content from a map thanks to the socket or through
> >> information found in HTTP headers.
> >>
> >> > What do you mean by filecontents on reload ?
> >>
> >> I mean that the content of the map is read from a flat file.
> >> If you modify running map, HAProxy only updates its memory, not the flat
> >> file.
> >> So after a reload, if the flat file does not contain same content as
> >> HAProxy's memory, then updates are lost.
> >>
> >> > What I add this was is added to memory and not to the file ?
> >>
> >> exactly
> >>
> >> > So, I need to sync the file with the memory in some way ?
> >>
> >> yes.
> >> This can be done easily with a tool since you can dump a map content
> >> from HAProxy's socket.
> >>
> >> Baptiste
> >>
> >>
> >> >
> >> >
> >> > 2014-05-23 10:17 GMT+02:00 Baptiste :
> >> >
> >> >> Hi Matt,
> >> >>
> >> >> You have to use HAProxy 1.5.
> >> >> You can load redirects from a map file.
> >> >> Map file content, 2 columns, with on the left the reference (what
> >> >> you're looking from in the client request) and on the right the
> >> >> response to send back.
> >> >> domain2.com subdomain.domain1.com
> >> >>
> >> >> Then, in your frontend, simply add:
> >> >> http-request redirect code 302 prefix
> >> >> http://%[req.hdr(host),map_str(map_redirects.lst)] if {
> >> >> req.hdr(Host),map_str(map_redirects.lst) -m found }
> >> >>
> >> >> Content of map_redirects.lst:
> >> >> domain2.com subdomain.domain1.com
> >> >>
> >> >> If the domain is not listed, then HAProxy will return a 503.
> >> >>
> >> >> Here are some results:
> >> >> GET http://127.0.0.1:8080/ -H "Host: domain2.com"
> >> >>
> >> >> HTTP/1.1 302 Found
> >> >> Cache-Control: no-cache
> >> >> Content-length: 0
> >> >> Location: http://subdomain.domain1.com/
> >> >> Connection: close
> >> >>
> >> >>
> >> >> GET http://127.0.0.1:8080/blah -H "Host: domain2.com"
> >> >>
> >> >> HTTP/1.1 302 Found
> >> >> Cache-Control: no-cache
> >> >> Content-length: 0
> >> >> Location: http://subdomain.domain1.com/blah
> >> >> Connection: close
> >> >>
> >> >>
> >> >>
> >> >> GET http://127.0.0.1:8080/ -H "Host: domain1.com"
> >> >>
> >> >> HTTP/1.0 503 Service Unavailable
> >> >> Cache-Control: no-cache
> >> >> Connection: close
> >> >> Content-Type: text/html
> >> >>
> >> >>
> >> >>
> >> >>
> >> >> The content of the map can be updated through the HAProxy socket or
> >> >> though HTTP headers.
> >> >> Read the manual to know how.
> >> >>
> >> >> Bear in mind HAProxy will reset its memory with the content of the
> >> >> file when reloading. So it's up to you to sync the memory of HAProxy
> >> >> and the content of the file.
> >> >>
> >> >> Baptiste
> >> >>
> >> >>
> >> >> On Thu, May 22, 2014 at 11:08 PM, Matt .
> >> >> wrote:
> >> >> > Babtiste,
> >> >> >
> >> >> > I'm not able to find any solution to add such rewrites, am I
> looking
> >> >> > wrong ?
> >> >> >
> >> >> > Cheers,
> >> >> >
> >> >> > Matt
> >> >> >
> >> >> >
> >> >> > 2014-05-22 16:37 GMT+02:00 Matt . :
> >> >> >
> >> >> >> Hi,
> >> >> >>
> >> >> >> That is nice, is that in the development version ? I didn't see it
> >> >> >> in
> >> >> >> 1.4
> >> >> >> as I'm right.
> >> >> >>
> >> >> >> I need to forward domain2.com to subdomain.domain1.com
> >> >> >>
> >> >> >> and subdomain.domain1.com may be a various of webservers that
> serve
> >> >> >> that
> >> >> >> content.
> >> >> >>
> >> >> >> Thanks!
> >> >> >>
> >> >> >> Matt
> >> >> >
> >> >> >
> >> >
> >> >
> >
> >
>
Re: Error 408 with Chrome
BTW it seems that Chrone on Ubuntu is not affected, but on mac/windows it is. 2014-05-23 15:02 GMT+02:00 Kevin Maziere : > Hi > > So the patch on the dev25 is just adding > s->req->flags &= ~CF_READ_TIMEOUT; > line previous and before aren't exactly the same than on the patch file, I > do imagine it's because it was for dev22. > > So now both patch are applied. > > 2014-05-23T12:56:32+00:00 servername haproxy[23245]: > xx:xx:xx:xx:xx:xx:xx:xx:60462 [23/May/2014:12:56:30.914] ipv6-xxx-443~ > ipv6-xxx-443/ -1/-1/-1/-1/2016 408 212 - - cR-- 1/1/0/0/0 0/0 > "" > 2014-05-23T12:56:35+00:00 servername haproxy[23245]: > xx:xx:xx:xx:xx:xx:xx:xx:60467 [23/May/2014:12:56:33.718] ipv6-xxx-443~ > ipv6-xxx-443/ -1/-1/-1/-1/2008 408 212 - - cR-- 1/1/0/0/0 0/0 > "" > > And debug line : > > 2014-05-23T12:56:32+00:00 servername haproxy[23245]: Timeout detected: > fe=ipv6-xxx-443 s->flags=0080 txn->flags= req->flags=00c88000 > msg->flags= now_ms=690454434 req->analyse_exp=690454433 (-1) > root@servername:/home/kevin# cat /var/log/debug|grep "2014-05-23T12:56:35" > 2014-05-23T12:56:35+00:00 servername haproxy[23245]: Timeout detected: > fe=ipv6-xxx-443 s->flags=0080 txn->flags= req->flags=00c88000 > msg->flags= now_ms=690457231 req->analyse_exp=690457229 (-2) > > I still see 408 in chrome. > > Kévin > > > 2014-05-23 14:35 GMT+02:00 Kevin Maziere : > > Yes >> >> Each error is reported in the browser. >> >> Kévin >> >> >> 2014-05-23 14:34 GMT+02:00 Baptiste : >> >> Kevin, >>> >>> Do you (still) see 408 errors printed in the browser??? >>> >>> Baptiste >>> >>> On Fri, May 23, 2014 at 2:17 PM, Kevin Maziere >>> wrote: >>> > Hi >>> > >>> > I've just applied the first patch, here are the debug log : >>> > >>> > In the logs : >>> > 2014-05-23T12:03:20+00:00 images-access haproxy[13409]: >>> 127.0.0.1:56596 >>> > [23/May/2014:12:03:17.972] ipv4-yyy-443~ ipv4-yyy-443/ >>> > -1/-1/-1/-1/2041 408 212 - - cR-- 9/3/0/0/0 0/0 "" >>> > 2014-05-23T12:03:20+00:00 images-access haproxy[13409]: >>> 127.0.0.1:56593 >>> > [23/May/2014:12:03:17.977] ipv4-yyy-443~ ipv4-yyy-443/ >>> > -1/-1/-1/-1/2036 408 212 - - cR-- 8/2/0/0/0 0/0 "" >>> > 2014-05-23T12:03:20+00:00 images-access haproxy[13409]: >>> 127.0.0.1:56594 >>> > [23/May/2014:12:03:17.972] ipv4-yyy-443~ ipv4-yyy-443/ >>> > -1/-1/-1/-1/2041 408 212 - - cR-- 7/1/0/0/0 0/0 "" >>> > 2014-05-23T12:03:20+00:00 images-access haproxy[13409]: >>> 127.0.0.1:56595 >>> > [23/May/2014:12:03:17.972] ipv4-yyy-443~ ipv4-yyy-443/ >>> > -1/-1/-1/-1/2043 408 212 - - cR-- 7/1/0/0/0 0/0 "" >>> > >>> > In the debug log, correspond lines: >>> > 2014-05-23T12:03:20+00:00 servername haproxy[13409]: Timeout detected: >>> > fe=ipv4-yyy-443 s->flags=0080 txn->flags= >>> req->flags=00c88000 >>> > msg->flags= now_ms=687261517 req->analyse_exp=687261515 (-2) >>> > 2014-05-23T12:03:20+00:00 servername haproxy[13409]: Timeout detected: >>> > fe=ipv4-yyy-443 s->flags=0080 txn->flags= >>> req->flags=00c88000 >>> > msg->flags= now_ms=687261517 req->analyse_exp=687261515 (-2) >>> > 2014-05-23T12:03:20+00:00 servername haproxy[13409]: Timeout detected: >>> > fe=ipv4-yyy-443 s->flags=0080 txn->flags= >>> req->flags=00c88000 >>> > msg->flags= now_ms=687261517 req->analyse_exp=687261516 (-1) >>> > 2014-05-23T12:03:20+00:00 servername haproxy[13409]: Timeout detected: >>> > fe=ipv4-yyy-443 s->flags=0080 txn->flags= >>> req->flags=00c88000 >>> > msg->flags= now_ms=687261519 req->analyse_exp=687261519 (0) >>> > >>> > I will test the second patch asap >>> > >>> > >>> > 2014-05-23 11:50 GMT+02:00 Baptiste : >>> > >>> >> Well, your log lines says that the response was generated because the >>> >> timeout client has expired... >>> >> Last suggestion for now would to apply the patch porposed by Willy and >>> >> reported by Lukas. >>> >> >>> >> Bapitste >>> >> >>> >> On Fri, May 23, 2014 at 9:47 AM, Kevin Maziere < >>> ke...@kbrwadventure.com> >>> >> wrote: >>> >> > Hi >>> >> > >>> >> > Thanks for your reply. >>> >> > After reading the doc of the option this option is usefull but I'm >>> not >>> >> > sur >>> >> > for my case. >>> >> > I fact the 408 are received immediatly, with no delay or timeout >>> when >>> >> > browsing the website. >>> >> > I indeed with the option still 408 errors >>> >> > >>> >> > Maybe any other ideas ? >>> >> > >>> >> > >>> >> > 2014-05-22 19:29 GMT+02:00 Baptiste : >>> >> > >>> >> >> On Thu, May 22, 2014 at 6:06 PM, Kevin Maziere >>> >> >> >>> >> >> wrote: >>> >> >> > Hi >>> >> >> > >>> >> >> > I've haproxy that send a lots of "HTTP/1.1 408" error code when >>> >> >> > Chrome >>> >> >> > is >>> >> >> > used >>> >> >> > None with firefox. >>> >> >> > >>> >> >> > After few search on google and the mailing list I found some post >>> >> >> > regarding >>> >> >> > haproxy and preconnect, but I don't find any solution. >>> >> >> > >>> >> >> > I'm using latest 1.5-dev haproxy release from the ppa:
Re: debian repository http://haproxy.debian.net/
It is not provided by us (HAProxy.com) if this is what you mean. Baptiste On Fri, May 23, 2014 at 2:06 PM, Apollon Oikonomopoulos wrote: > Hi Ghislain, > > On 14:01 Fri 23 May , Ghislain wrote: >> hello there, >> >> Could you tell me if those packages comes from the haproxy team ? from the >> packages: > > It depends on what you mean by the "haproxy team". They come from the > team that maintains the package in Debian itself, that means Debian > developers and maintainers and not HAProxy developers. > > Regards, > Apollon >
Re: Add Domain redirects using API or ?
There is no reply, it is silently performed.
Baptiste
On Fri, May 23, 2014 at 3:07 PM, Matt . wrote:
> Hi,
>
> OK, that is a very good explanation!
>
> It's also very flexible in my opinion.
>
> Does hsproxy give a reply/callback after adding/removing ? I'm not sure but
> I thought it did.
>
> I also did a reply-all this time, sorry for last time!
>
> Cheers,
>
> Matt
>
>
> 2014-05-23 14:07 GMT+02:00 Baptiste :
>
>> Hi Matt,
>>
>> I'm Ccing the ML since the answer can interest everybody here.
>>
>> > Thanks for you explanation... I found something indeed on the devel
>> > version
>> > yesterday, you can also remove this way I saw ?
>>
>> yes, you can delete content from a map thanks to the socket or through
>> information found in HTTP headers.
>>
>> > What do you mean by filecontents on reload ?
>>
>> I mean that the content of the map is read from a flat file.
>> If you modify running map, HAProxy only updates its memory, not the flat
>> file.
>> So after a reload, if the flat file does not contain same content as
>> HAProxy's memory, then updates are lost.
>>
>> > What I add this was is added to memory and not to the file ?
>>
>> exactly
>>
>> > So, I need to sync the file with the memory in some way ?
>>
>> yes.
>> This can be done easily with a tool since you can dump a map content
>> from HAProxy's socket.
>>
>> Baptiste
>>
>>
>> >
>> >
>> > 2014-05-23 10:17 GMT+02:00 Baptiste :
>> >
>> >> Hi Matt,
>> >>
>> >> You have to use HAProxy 1.5.
>> >> You can load redirects from a map file.
>> >> Map file content, 2 columns, with on the left the reference (what
>> >> you're looking from in the client request) and on the right the
>> >> response to send back.
>> >> domain2.com subdomain.domain1.com
>> >>
>> >> Then, in your frontend, simply add:
>> >> http-request redirect code 302 prefix
>> >> http://%[req.hdr(host),map_str(map_redirects.lst)] if {
>> >> req.hdr(Host),map_str(map_redirects.lst) -m found }
>> >>
>> >> Content of map_redirects.lst:
>> >> domain2.com subdomain.domain1.com
>> >>
>> >> If the domain is not listed, then HAProxy will return a 503.
>> >>
>> >> Here are some results:
>> >> GET http://127.0.0.1:8080/ -H "Host: domain2.com"
>> >>
>> >> HTTP/1.1 302 Found
>> >> Cache-Control: no-cache
>> >> Content-length: 0
>> >> Location: http://subdomain.domain1.com/
>> >> Connection: close
>> >>
>> >>
>> >> GET http://127.0.0.1:8080/blah -H "Host: domain2.com"
>> >>
>> >> HTTP/1.1 302 Found
>> >> Cache-Control: no-cache
>> >> Content-length: 0
>> >> Location: http://subdomain.domain1.com/blah
>> >> Connection: close
>> >>
>> >>
>> >>
>> >> GET http://127.0.0.1:8080/ -H "Host: domain1.com"
>> >>
>> >> HTTP/1.0 503 Service Unavailable
>> >> Cache-Control: no-cache
>> >> Connection: close
>> >> Content-Type: text/html
>> >>
>> >>
>> >>
>> >>
>> >> The content of the map can be updated through the HAProxy socket or
>> >> though HTTP headers.
>> >> Read the manual to know how.
>> >>
>> >> Bear in mind HAProxy will reset its memory with the content of the
>> >> file when reloading. So it's up to you to sync the memory of HAProxy
>> >> and the content of the file.
>> >>
>> >> Baptiste
>> >>
>> >>
>> >> On Thu, May 22, 2014 at 11:08 PM, Matt .
>> >> wrote:
>> >> > Babtiste,
>> >> >
>> >> > I'm not able to find any solution to add such rewrites, am I looking
>> >> > wrong ?
>> >> >
>> >> > Cheers,
>> >> >
>> >> > Matt
>> >> >
>> >> >
>> >> > 2014-05-22 16:37 GMT+02:00 Matt . :
>> >> >
>> >> >> Hi,
>> >> >>
>> >> >> That is nice, is that in the development version ? I didn't see it
>> >> >> in
>> >> >> 1.4
>> >> >> as I'm right.
>> >> >>
>> >> >> I need to forward domain2.com to subdomain.domain1.com
>> >> >>
>> >> >> and subdomain.domain1.com may be a various of webservers that serve
>> >> >> that
>> >> >> content.
>> >> >>
>> >> >> Thanks!
>> >> >>
>> >> >> Matt
>> >> >
>> >> >
>> >
>> >
>
>
Re: Add Domain redirects using API or ?
Hi,
OK, that is a very good explanation!
It's also very flexible in my opinion.
Does hsproxy give a reply/callback after adding/removing ? I'm not sure but
I thought it did.
I also did a reply-all this time, sorry for last time!
Cheers,
Matt
2014-05-23 14:07 GMT+02:00 Baptiste :
> Hi Matt,
>
> I'm Ccing the ML since the answer can interest everybody here.
>
> > Thanks for you explanation... I found something indeed on the devel
> version
> > yesterday, you can also remove this way I saw ?
>
> yes, you can delete content from a map thanks to the socket or through
> information found in HTTP headers.
>
> > What do you mean by filecontents on reload ?
>
> I mean that the content of the map is read from a flat file.
> If you modify running map, HAProxy only updates its memory, not the flat
> file.
> So after a reload, if the flat file does not contain same content as
> HAProxy's memory, then updates are lost.
>
> > What I add this was is added to memory and not to the file ?
>
> exactly
>
> > So, I need to sync the file with the memory in some way ?
>
> yes.
> This can be done easily with a tool since you can dump a map content
> from HAProxy's socket.
>
> Baptiste
>
>
> >
> >
> > 2014-05-23 10:17 GMT+02:00 Baptiste :
> >
> >> Hi Matt,
> >>
> >> You have to use HAProxy 1.5.
> >> You can load redirects from a map file.
> >> Map file content, 2 columns, with on the left the reference (what
> >> you're looking from in the client request) and on the right the
> >> response to send back.
> >> domain2.com subdomain.domain1.com
> >>
> >> Then, in your frontend, simply add:
> >> http-request redirect code 302 prefix
> >> http://%[req.hdr(host),map_str(map_redirects.lst)] if {
> >> req.hdr(Host),map_str(map_redirects.lst) -m found }
> >>
> >> Content of map_redirects.lst:
> >> domain2.com subdomain.domain1.com
> >>
> >> If the domain is not listed, then HAProxy will return a 503.
> >>
> >> Here are some results:
> >> GET http://127.0.0.1:8080/ -H "Host: domain2.com"
> >>
> >> HTTP/1.1 302 Found
> >> Cache-Control: no-cache
> >> Content-length: 0
> >> Location: http://subdomain.domain1.com/
> >> Connection: close
> >>
> >>
> >> GET http://127.0.0.1:8080/blah -H "Host: domain2.com"
> >>
> >> HTTP/1.1 302 Found
> >> Cache-Control: no-cache
> >> Content-length: 0
> >> Location: http://subdomain.domain1.com/blah
> >> Connection: close
> >>
> >>
> >>
> >> GET http://127.0.0.1:8080/ -H "Host: domain1.com"
> >>
> >> HTTP/1.0 503 Service Unavailable
> >> Cache-Control: no-cache
> >> Connection: close
> >> Content-Type: text/html
> >>
> >>
> >>
> >>
> >> The content of the map can be updated through the HAProxy socket or
> >> though HTTP headers.
> >> Read the manual to know how.
> >>
> >> Bear in mind HAProxy will reset its memory with the content of the
> >> file when reloading. So it's up to you to sync the memory of HAProxy
> >> and the content of the file.
> >>
> >> Baptiste
> >>
> >>
> >> On Thu, May 22, 2014 at 11:08 PM, Matt .
> wrote:
> >> > Babtiste,
> >> >
> >> > I'm not able to find any solution to add such rewrites, am I looking
> >> > wrong ?
> >> >
> >> > Cheers,
> >> >
> >> > Matt
> >> >
> >> >
> >> > 2014-05-22 16:37 GMT+02:00 Matt . :
> >> >
> >> >> Hi,
> >> >>
> >> >> That is nice, is that in the development version ? I didn't see it in
> >> >> 1.4
> >> >> as I'm right.
> >> >>
> >> >> I need to forward domain2.com to subdomain.domain1.com
> >> >>
> >> >> and subdomain.domain1.com may be a various of webservers that serve
> >> >> that
> >> >> content.
> >> >>
> >> >> Thanks!
> >> >>
> >> >> Matt
> >> >
> >> >
> >
> >
>
Re: Error 408 with Chrome
Hi So the patch on the dev25 is just adding s->req->flags &= ~CF_READ_TIMEOUT; line previous and before aren't exactly the same than on the patch file, I do imagine it's because it was for dev22. So now both patch are applied. 2014-05-23T12:56:32+00:00 servername haproxy[23245]: xx:xx:xx:xx:xx:xx:xx:xx:60462 [23/May/2014:12:56:30.914] ipv6-xxx-443~ ipv6-xxx-443/ -1/-1/-1/-1/2016 408 212 - - cR-- 1/1/0/0/0 0/0 "" 2014-05-23T12:56:35+00:00 servername haproxy[23245]: xx:xx:xx:xx:xx:xx:xx:xx:60467 [23/May/2014:12:56:33.718] ipv6-xxx-443~ ipv6-xxx-443/ -1/-1/-1/-1/2008 408 212 - - cR-- 1/1/0/0/0 0/0 "" And debug line : 2014-05-23T12:56:32+00:00 servername haproxy[23245]: Timeout detected: fe=ipv6-xxx-443 s->flags=0080 txn->flags= req->flags=00c88000 msg->flags= now_ms=690454434 req->analyse_exp=690454433 (-1) root@servername:/home/kevin# cat /var/log/debug|grep "2014-05-23T12:56:35" 2014-05-23T12:56:35+00:00 servername haproxy[23245]: Timeout detected: fe=ipv6-xxx-443 s->flags=0080 txn->flags= req->flags=00c88000 msg->flags= now_ms=690457231 req->analyse_exp=690457229 (-2) I still see 408 in chrome. Kévin 2014-05-23 14:35 GMT+02:00 Kevin Maziere : > Yes > > Each error is reported in the browser. > > Kévin > > > 2014-05-23 14:34 GMT+02:00 Baptiste : > > Kevin, >> >> Do you (still) see 408 errors printed in the browser??? >> >> Baptiste >> >> On Fri, May 23, 2014 at 2:17 PM, Kevin Maziere >> wrote: >> > Hi >> > >> > I've just applied the first patch, here are the debug log : >> > >> > In the logs : >> > 2014-05-23T12:03:20+00:00 images-access haproxy[13409]: 127.0.0.1:56596 >> > [23/May/2014:12:03:17.972] ipv4-yyy-443~ ipv4-yyy-443/ >> > -1/-1/-1/-1/2041 408 212 - - cR-- 9/3/0/0/0 0/0 "" >> > 2014-05-23T12:03:20+00:00 images-access haproxy[13409]: 127.0.0.1:56593 >> > [23/May/2014:12:03:17.977] ipv4-yyy-443~ ipv4-yyy-443/ >> > -1/-1/-1/-1/2036 408 212 - - cR-- 8/2/0/0/0 0/0 "" >> > 2014-05-23T12:03:20+00:00 images-access haproxy[13409]: 127.0.0.1:56594 >> > [23/May/2014:12:03:17.972] ipv4-yyy-443~ ipv4-yyy-443/ >> > -1/-1/-1/-1/2041 408 212 - - cR-- 7/1/0/0/0 0/0 "" >> > 2014-05-23T12:03:20+00:00 images-access haproxy[13409]: 127.0.0.1:56595 >> > [23/May/2014:12:03:17.972] ipv4-yyy-443~ ipv4-yyy-443/ >> > -1/-1/-1/-1/2043 408 212 - - cR-- 7/1/0/0/0 0/0 "" >> > >> > In the debug log, correspond lines: >> > 2014-05-23T12:03:20+00:00 servername haproxy[13409]: Timeout detected: >> > fe=ipv4-yyy-443 s->flags=0080 txn->flags= >> req->flags=00c88000 >> > msg->flags= now_ms=687261517 req->analyse_exp=687261515 (-2) >> > 2014-05-23T12:03:20+00:00 servername haproxy[13409]: Timeout detected: >> > fe=ipv4-yyy-443 s->flags=0080 txn->flags= >> req->flags=00c88000 >> > msg->flags= now_ms=687261517 req->analyse_exp=687261515 (-2) >> > 2014-05-23T12:03:20+00:00 servername haproxy[13409]: Timeout detected: >> > fe=ipv4-yyy-443 s->flags=0080 txn->flags= >> req->flags=00c88000 >> > msg->flags= now_ms=687261517 req->analyse_exp=687261516 (-1) >> > 2014-05-23T12:03:20+00:00 servername haproxy[13409]: Timeout detected: >> > fe=ipv4-yyy-443 s->flags=0080 txn->flags= >> req->flags=00c88000 >> > msg->flags= now_ms=687261519 req->analyse_exp=687261519 (0) >> > >> > I will test the second patch asap >> > >> > >> > 2014-05-23 11:50 GMT+02:00 Baptiste : >> > >> >> Well, your log lines says that the response was generated because the >> >> timeout client has expired... >> >> Last suggestion for now would to apply the patch porposed by Willy and >> >> reported by Lukas. >> >> >> >> Bapitste >> >> >> >> On Fri, May 23, 2014 at 9:47 AM, Kevin Maziere < >> ke...@kbrwadventure.com> >> >> wrote: >> >> > Hi >> >> > >> >> > Thanks for your reply. >> >> > After reading the doc of the option this option is usefull but I'm >> not >> >> > sur >> >> > for my case. >> >> > I fact the 408 are received immediatly, with no delay or timeout when >> >> > browsing the website. >> >> > I indeed with the option still 408 errors >> >> > >> >> > Maybe any other ideas ? >> >> > >> >> > >> >> > 2014-05-22 19:29 GMT+02:00 Baptiste : >> >> > >> >> >> On Thu, May 22, 2014 at 6:06 PM, Kevin Maziere >> >> >> >> >> >> wrote: >> >> >> > Hi >> >> >> > >> >> >> > I've haproxy that send a lots of "HTTP/1.1 408" error code when >> >> >> > Chrome >> >> >> > is >> >> >> > used >> >> >> > None with firefox. >> >> >> > >> >> >> > After few search on google and the mailing list I found some post >> >> >> > regarding >> >> >> > haproxy and preconnect, but I don't find any solution. >> >> >> > >> >> >> > I'm using latest 1.5-dev haproxy release from the ppa: HA-Proxy >> >> >> > version >> >> >> > 1.5-dev25-a339395 2014/05/10 >> >> >> > >> >> >> > I've tested to add option accept-invalid-http-request but still >> 408, >> >> >> > and >> >> >> > I've quickly removed this option. >> >> >> > >> >> >> > Here is a part of my conf, I maybe have something wrong. >
Re: Error 408 with Chrome
Yes Each error is reported in the browser. Kévin 2014-05-23 14:34 GMT+02:00 Baptiste : > Kevin, > > Do you (still) see 408 errors printed in the browser??? > > Baptiste > > On Fri, May 23, 2014 at 2:17 PM, Kevin Maziere > wrote: > > Hi > > > > I've just applied the first patch, here are the debug log : > > > > In the logs : > > 2014-05-23T12:03:20+00:00 images-access haproxy[13409]: 127.0.0.1:56596 > > [23/May/2014:12:03:17.972] ipv4-yyy-443~ ipv4-yyy-443/ > > -1/-1/-1/-1/2041 408 212 - - cR-- 9/3/0/0/0 0/0 "" > > 2014-05-23T12:03:20+00:00 images-access haproxy[13409]: 127.0.0.1:56593 > > [23/May/2014:12:03:17.977] ipv4-yyy-443~ ipv4-yyy-443/ > > -1/-1/-1/-1/2036 408 212 - - cR-- 8/2/0/0/0 0/0 "" > > 2014-05-23T12:03:20+00:00 images-access haproxy[13409]: 127.0.0.1:56594 > > [23/May/2014:12:03:17.972] ipv4-yyy-443~ ipv4-yyy-443/ > > -1/-1/-1/-1/2041 408 212 - - cR-- 7/1/0/0/0 0/0 "" > > 2014-05-23T12:03:20+00:00 images-access haproxy[13409]: 127.0.0.1:56595 > > [23/May/2014:12:03:17.972] ipv4-yyy-443~ ipv4-yyy-443/ > > -1/-1/-1/-1/2043 408 212 - - cR-- 7/1/0/0/0 0/0 "" > > > > In the debug log, correspond lines: > > 2014-05-23T12:03:20+00:00 servername haproxy[13409]: Timeout detected: > > fe=ipv4-yyy-443 s->flags=0080 txn->flags= req->flags=00c88000 > > msg->flags= now_ms=687261517 req->analyse_exp=687261515 (-2) > > 2014-05-23T12:03:20+00:00 servername haproxy[13409]: Timeout detected: > > fe=ipv4-yyy-443 s->flags=0080 txn->flags= req->flags=00c88000 > > msg->flags= now_ms=687261517 req->analyse_exp=687261515 (-2) > > 2014-05-23T12:03:20+00:00 servername haproxy[13409]: Timeout detected: > > fe=ipv4-yyy-443 s->flags=0080 txn->flags= req->flags=00c88000 > > msg->flags= now_ms=687261517 req->analyse_exp=687261516 (-1) > > 2014-05-23T12:03:20+00:00 servername haproxy[13409]: Timeout detected: > > fe=ipv4-yyy-443 s->flags=0080 txn->flags= req->flags=00c88000 > > msg->flags= now_ms=687261519 req->analyse_exp=687261519 (0) > > > > I will test the second patch asap > > > > > > 2014-05-23 11:50 GMT+02:00 Baptiste : > > > >> Well, your log lines says that the response was generated because the > >> timeout client has expired... > >> Last suggestion for now would to apply the patch porposed by Willy and > >> reported by Lukas. > >> > >> Bapitste > >> > >> On Fri, May 23, 2014 at 9:47 AM, Kevin Maziere > > >> wrote: > >> > Hi > >> > > >> > Thanks for your reply. > >> > After reading the doc of the option this option is usefull but I'm not > >> > sur > >> > for my case. > >> > I fact the 408 are received immediatly, with no delay or timeout when > >> > browsing the website. > >> > I indeed with the option still 408 errors > >> > > >> > Maybe any other ideas ? > >> > > >> > > >> > 2014-05-22 19:29 GMT+02:00 Baptiste : > >> > > >> >> On Thu, May 22, 2014 at 6:06 PM, Kevin Maziere > >> >> > >> >> wrote: > >> >> > Hi > >> >> > > >> >> > I've haproxy that send a lots of "HTTP/1.1 408" error code when > >> >> > Chrome > >> >> > is > >> >> > used > >> >> > None with firefox. > >> >> > > >> >> > After few search on google and the mailing list I found some post > >> >> > regarding > >> >> > haproxy and preconnect, but I don't find any solution. > >> >> > > >> >> > I'm using latest 1.5-dev haproxy release from the ppa: HA-Proxy > >> >> > version > >> >> > 1.5-dev25-a339395 2014/05/10 > >> >> > > >> >> > I've tested to add option accept-invalid-http-request but still > 408, > >> >> > and > >> >> > I've quickly removed this option. > >> >> > > >> >> > Here is a part of my conf, I maybe have something wrong. > >> >> > > >> >> > # Configuration pour haproxy1.5 > >> >> > global > >> >> > log 127.0.0.1 local0 > >> >> > log 127.0.0.1 local1 notice > >> >> > maxconn 4096 > >> >> > #debug > >> >> > #quiet > >> >> > user haproxy > >> >> > group haproxy > >> >> > > >> >> > defaults > >> >> > log global > >> >> > modehttp > >> >> > option httplog > >> >> > retries 3 > >> >> > option redispatch > >> >> > maxconn 2000 > >> >> > timeout server 2h > >> >> > timeout connect 15000 > >> >> > timeout client 15000 > >> >> > option http-keep-alive > >> >> > > >> >> > # Application Frontend > >> >> > > >> >> > frontend ipv4-ip1-80 > >> >> > bind [ipv4]:80 > >> >> > reqadd X-Forwarded-Proto:\ https > >> >> > option http-server-close > >> >> > timeout http-keep-alive 5000 > >> >> > use_backend ipv4-80 > >> >> > frontend ipv4-ip1-443 > >> >> > bind [ipv4]:443 ssl crt /etc/haproxy/certs/wildcard.pem ciphers > >> >> > > >> >> > > >> >> > > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:RC4-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!E
Re: Error 408 with Chrome
Kevin, Do you (still) see 408 errors printed in the browser??? Baptiste On Fri, May 23, 2014 at 2:17 PM, Kevin Maziere wrote: > Hi > > I've just applied the first patch, here are the debug log : > > In the logs : > 2014-05-23T12:03:20+00:00 images-access haproxy[13409]: 127.0.0.1:56596 > [23/May/2014:12:03:17.972] ipv4-yyy-443~ ipv4-yyy-443/ > -1/-1/-1/-1/2041 408 212 - - cR-- 9/3/0/0/0 0/0 "" > 2014-05-23T12:03:20+00:00 images-access haproxy[13409]: 127.0.0.1:56593 > [23/May/2014:12:03:17.977] ipv4-yyy-443~ ipv4-yyy-443/ > -1/-1/-1/-1/2036 408 212 - - cR-- 8/2/0/0/0 0/0 "" > 2014-05-23T12:03:20+00:00 images-access haproxy[13409]: 127.0.0.1:56594 > [23/May/2014:12:03:17.972] ipv4-yyy-443~ ipv4-yyy-443/ > -1/-1/-1/-1/2041 408 212 - - cR-- 7/1/0/0/0 0/0 "" > 2014-05-23T12:03:20+00:00 images-access haproxy[13409]: 127.0.0.1:56595 > [23/May/2014:12:03:17.972] ipv4-yyy-443~ ipv4-yyy-443/ > -1/-1/-1/-1/2043 408 212 - - cR-- 7/1/0/0/0 0/0 "" > > In the debug log, correspond lines: > 2014-05-23T12:03:20+00:00 servername haproxy[13409]: Timeout detected: > fe=ipv4-yyy-443 s->flags=0080 txn->flags= req->flags=00c88000 > msg->flags= now_ms=687261517 req->analyse_exp=687261515 (-2) > 2014-05-23T12:03:20+00:00 servername haproxy[13409]: Timeout detected: > fe=ipv4-yyy-443 s->flags=0080 txn->flags= req->flags=00c88000 > msg->flags= now_ms=687261517 req->analyse_exp=687261515 (-2) > 2014-05-23T12:03:20+00:00 servername haproxy[13409]: Timeout detected: > fe=ipv4-yyy-443 s->flags=0080 txn->flags= req->flags=00c88000 > msg->flags= now_ms=687261517 req->analyse_exp=687261516 (-1) > 2014-05-23T12:03:20+00:00 servername haproxy[13409]: Timeout detected: > fe=ipv4-yyy-443 s->flags=0080 txn->flags= req->flags=00c88000 > msg->flags= now_ms=687261519 req->analyse_exp=687261519 (0) > > I will test the second patch asap > > > 2014-05-23 11:50 GMT+02:00 Baptiste : > >> Well, your log lines says that the response was generated because the >> timeout client has expired... >> Last suggestion for now would to apply the patch porposed by Willy and >> reported by Lukas. >> >> Bapitste >> >> On Fri, May 23, 2014 at 9:47 AM, Kevin Maziere >> wrote: >> > Hi >> > >> > Thanks for your reply. >> > After reading the doc of the option this option is usefull but I'm not >> > sur >> > for my case. >> > I fact the 408 are received immediatly, with no delay or timeout when >> > browsing the website. >> > I indeed with the option still 408 errors >> > >> > Maybe any other ideas ? >> > >> > >> > 2014-05-22 19:29 GMT+02:00 Baptiste : >> > >> >> On Thu, May 22, 2014 at 6:06 PM, Kevin Maziere >> >> >> >> wrote: >> >> > Hi >> >> > >> >> > I've haproxy that send a lots of "HTTP/1.1 408" error code when >> >> > Chrome >> >> > is >> >> > used >> >> > None with firefox. >> >> > >> >> > After few search on google and the mailing list I found some post >> >> > regarding >> >> > haproxy and preconnect, but I don't find any solution. >> >> > >> >> > I'm using latest 1.5-dev haproxy release from the ppa: HA-Proxy >> >> > version >> >> > 1.5-dev25-a339395 2014/05/10 >> >> > >> >> > I've tested to add option accept-invalid-http-request but still 408, >> >> > and >> >> > I've quickly removed this option. >> >> > >> >> > Here is a part of my conf, I maybe have something wrong. >> >> > >> >> > # Configuration pour haproxy1.5 >> >> > global >> >> > log 127.0.0.1 local0 >> >> > log 127.0.0.1 local1 notice >> >> > maxconn 4096 >> >> > #debug >> >> > #quiet >> >> > user haproxy >> >> > group haproxy >> >> > >> >> > defaults >> >> > log global >> >> > modehttp >> >> > option httplog >> >> > retries 3 >> >> > option redispatch >> >> > maxconn 2000 >> >> > timeout server 2h >> >> > timeout connect 15000 >> >> > timeout client 15000 >> >> > option http-keep-alive >> >> > >> >> > # Application Frontend >> >> > >> >> > frontend ipv4-ip1-80 >> >> > bind [ipv4]:80 >> >> > reqadd X-Forwarded-Proto:\ https >> >> > option http-server-close >> >> > timeout http-keep-alive 5000 >> >> > use_backend ipv4-80 >> >> > frontend ipv4-ip1-443 >> >> > bind [ipv4]:443 ssl crt /etc/haproxy/certs/wildcard.pem ciphers >> >> > >> >> > >> >> > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:RC4-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!EDH >> >> > reqadd X-Forwarded-Proto:\ https >> >> > option http-server-close >> >> > timeout http-keep-alive 5000 >> >> > use_backend ipv4-80 >> >> > >> >> > frontend ipv6-ip1-80 >> >> > bind ip1:80 >> >> > reqadd X-Forwarded-Proto:\ https >> >> > option http-server-close >> >> > timeout http-keep-alive 5000 >> >> >
Re: Error 408 with Chrome
Hi I've just applied the first patch, here are the debug log : In the logs : 2014-05-23T12:03:20+00:00 images-access haproxy[13409]: 127.0.0.1:56596[23/May/2014:12:03:17.972] ipv4-yyy-443~ ipv4-yyy-443/ -1/-1/-1/-1/2041 408 212 - - cR-- 9/3/0/0/0 0/0 "" 2014-05-23T12:03:20+00:00 images-access haproxy[13409]: 127.0.0.1:56593[23/May/2014:12:03:17.977] ipv4-yyy-443~ ipv4-yyy-443/ -1/-1/-1/-1/2036 408 212 - - cR-- 8/2/0/0/0 0/0 "" 2014-05-23T12:03:20+00:00 images-access haproxy[13409]: 127.0.0.1:56594[23/May/2014:12:03:17.972] ipv4-yyy-443~ ipv4-yyy-443/ -1/-1/-1/-1/2041 408 212 - - cR-- 7/1/0/0/0 0/0 "" 2014-05-23T12:03:20+00:00 images-access haproxy[13409]: 127.0.0.1:56595[23/May/2014:12:03:17.972] ipv4-yyy-443~ ipv4-yyy-443/ -1/-1/-1/-1/2043 408 212 - - cR-- 7/1/0/0/0 0/0 "" In the debug log, correspond lines: 2014-05-23T12:03:20+00:00 servername haproxy[13409]: Timeout detected: fe=ipv4-yyy-443 s->flags=0080 txn->flags= req->flags=00c88000 msg->flags= now_ms=687261517 req->analyse_exp=687261515 (-2) 2014-05-23T12:03:20+00:00 servername haproxy[13409]: Timeout detected: fe=ipv4-yyy-443 s->flags=0080 txn->flags= req->flags=00c88000 msg->flags= now_ms=687261517 req->analyse_exp=687261515 (-2) 2014-05-23T12:03:20+00:00 servername haproxy[13409]: Timeout detected: fe=ipv4-yyy-443 s->flags=0080 txn->flags= req->flags=00c88000 msg->flags= now_ms=687261517 req->analyse_exp=687261516 (-1) 2014-05-23T12:03:20+00:00 servername haproxy[13409]: Timeout detected: fe=ipv4-yyy-443 s->flags=0080 txn->flags= req->flags=00c88000 msg->flags= now_ms=687261519 req->analyse_exp=687261519 (0) I will test the second patch asap 2014-05-23 11:50 GMT+02:00 Baptiste : > Well, your log lines says that the response was generated because the > timeout client has expired... > Last suggestion for now would to apply the patch porposed by Willy and > reported by Lukas. > > Bapitste > > On Fri, May 23, 2014 at 9:47 AM, Kevin Maziere > wrote: > > Hi > > > > Thanks for your reply. > > After reading the doc of the option this option is usefull but I'm not > sur > > for my case. > > I fact the 408 are received immediatly, with no delay or timeout when > > browsing the website. > > I indeed with the option still 408 errors > > > > Maybe any other ideas ? > > > > > > 2014-05-22 19:29 GMT+02:00 Baptiste : > > > >> On Thu, May 22, 2014 at 6:06 PM, Kevin Maziere > > >> wrote: > >> > Hi > >> > > >> > I've haproxy that send a lots of "HTTP/1.1 408" error code when Chrome > >> > is > >> > used > >> > None with firefox. > >> > > >> > After few search on google and the mailing list I found some post > >> > regarding > >> > haproxy and preconnect, but I don't find any solution. > >> > > >> > I'm using latest 1.5-dev haproxy release from the ppa: HA-Proxy > version > >> > 1.5-dev25-a339395 2014/05/10 > >> > > >> > I've tested to add option accept-invalid-http-request but still 408, > and > >> > I've quickly removed this option. > >> > > >> > Here is a part of my conf, I maybe have something wrong. > >> > > >> > # Configuration pour haproxy1.5 > >> > global > >> > log 127.0.0.1 local0 > >> > log 127.0.0.1 local1 notice > >> > maxconn 4096 > >> > #debug > >> > #quiet > >> > user haproxy > >> > group haproxy > >> > > >> > defaults > >> > log global > >> > modehttp > >> > option httplog > >> > retries 3 > >> > option redispatch > >> > maxconn 2000 > >> > timeout server 2h > >> > timeout connect 15000 > >> > timeout client 15000 > >> > option http-keep-alive > >> > > >> > # Application Frontend > >> > > >> > frontend ipv4-ip1-80 > >> > bind [ipv4]:80 > >> > reqadd X-Forwarded-Proto:\ https > >> > option http-server-close > >> > timeout http-keep-alive 5000 > >> > use_backend ipv4-80 > >> > frontend ipv4-ip1-443 > >> > bind [ipv4]:443 ssl crt /etc/haproxy/certs/wildcard.pem ciphers > >> > > >> > > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:RC4-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!EDH > >> > reqadd X-Forwarded-Proto:\ https > >> > option http-server-close > >> > timeout http-keep-alive 5000 > >> > use_backend ipv4-80 > >> > > >> > frontend ipv6-ip1-80 > >> > bind ip1:80 > >> > reqadd X-Forwarded-Proto:\ https > >> > option http-server-close > >> > timeout http-keep-alive 5000 > >> > use_backend ipv6-80 > >> > frontend ipv6i-p1-443 > >> > bind ip1:443 ssl crt /etc/haproxy/certs/wildcard.pem ciphers > >> > > >> > > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES
Re: High 408 Timeouts
Ghislain, 408 in logs is not a big deal and can be avoided by the option dontlognull. The problem is when the 408 is printed into the browser. Baptiste On Fri, May 23, 2014 at 1:43 PM, Ghislain wrote: > Le 22/05/2014 21:45, Mepstein a écrit : >> >> Hi >> >> HA-Proxy version 1.5-dev25-a339395 2014/05/10 >> > > we experience also high 408 rate but we use an old version 1.5.19 so i do > not know for sure if it is us, the haproxy or a simple high rate of bad > clients coming at us. But the recent 2 suject opened about 408 make us > wonder if this is more wide spread due to an external cause. Normal customer > of us experience it but no way to reliably recreate the error we have, so it > could be completly different than yours. > > regards, > Ghislain. >
Re: Add Domain redirects using API or ?
Hi Matt,
I'm Ccing the ML since the answer can interest everybody here.
> Thanks for you explanation... I found something indeed on the devel version
> yesterday, you can also remove this way I saw ?
yes, you can delete content from a map thanks to the socket or through
information found in HTTP headers.
> What do you mean by filecontents on reload ?
I mean that the content of the map is read from a flat file.
If you modify running map, HAProxy only updates its memory, not the flat file.
So after a reload, if the flat file does not contain same content as
HAProxy's memory, then updates are lost.
> What I add this was is added to memory and not to the file ?
exactly
> So, I need to sync the file with the memory in some way ?
yes.
This can be done easily with a tool since you can dump a map content
from HAProxy's socket.
Baptiste
>
>
> 2014-05-23 10:17 GMT+02:00 Baptiste :
>
>> Hi Matt,
>>
>> You have to use HAProxy 1.5.
>> You can load redirects from a map file.
>> Map file content, 2 columns, with on the left the reference (what
>> you're looking from in the client request) and on the right the
>> response to send back.
>> domain2.com subdomain.domain1.com
>>
>> Then, in your frontend, simply add:
>> http-request redirect code 302 prefix
>> http://%[req.hdr(host),map_str(map_redirects.lst)] if {
>> req.hdr(Host),map_str(map_redirects.lst) -m found }
>>
>> Content of map_redirects.lst:
>> domain2.com subdomain.domain1.com
>>
>> If the domain is not listed, then HAProxy will return a 503.
>>
>> Here are some results:
>> GET http://127.0.0.1:8080/ -H "Host: domain2.com"
>>
>> HTTP/1.1 302 Found
>> Cache-Control: no-cache
>> Content-length: 0
>> Location: http://subdomain.domain1.com/
>> Connection: close
>>
>>
>> GET http://127.0.0.1:8080/blah -H "Host: domain2.com"
>>
>> HTTP/1.1 302 Found
>> Cache-Control: no-cache
>> Content-length: 0
>> Location: http://subdomain.domain1.com/blah
>> Connection: close
>>
>>
>>
>> GET http://127.0.0.1:8080/ -H "Host: domain1.com"
>>
>> HTTP/1.0 503 Service Unavailable
>> Cache-Control: no-cache
>> Connection: close
>> Content-Type: text/html
>>
>>
>>
>>
>> The content of the map can be updated through the HAProxy socket or
>> though HTTP headers.
>> Read the manual to know how.
>>
>> Bear in mind HAProxy will reset its memory with the content of the
>> file when reloading. So it's up to you to sync the memory of HAProxy
>> and the content of the file.
>>
>> Baptiste
>>
>>
>> On Thu, May 22, 2014 at 11:08 PM, Matt . wrote:
>> > Babtiste,
>> >
>> > I'm not able to find any solution to add such rewrites, am I looking
>> > wrong ?
>> >
>> > Cheers,
>> >
>> > Matt
>> >
>> >
>> > 2014-05-22 16:37 GMT+02:00 Matt . :
>> >
>> >> Hi,
>> >>
>> >> That is nice, is that in the development version ? I didn't see it in
>> >> 1.4
>> >> as I'm right.
>> >>
>> >> I need to forward domain2.com to subdomain.domain1.com
>> >>
>> >> and subdomain.domain1.com may be a various of webservers that serve
>> >> that
>> >> content.
>> >>
>> >> Thanks!
>> >>
>> >> Matt
>> >
>> >
>
>
Re: debian repository http://haproxy.debian.net/
Hi Ghislain, On 14:01 Fri 23 May , Ghislain wrote: > hello there, > > Could you tell me if those packages comes from the haproxy team ? from the > packages: It depends on what you mean by the "haproxy team". They come from the team that maintains the package in Debian itself, that means Debian developers and maintainers and not HAProxy developers. Regards, Apollon
debian repository http://haproxy.debian.net/
hello there, Could you tell me if those packages comes from the haproxy team ? from the packages: Maintainer: Debian HAProxy Maintainers it seems so, just wanted to be sure :) Regards, Ghislain.
Re: High 408 Timeouts
Le 22/05/2014 21:45, Mepstein a écrit : Hi HA-Proxy version 1.5-dev25-a339395 2014/05/10 we experience also high 408 rate but we use an old version 1.5.19 so i do not know for sure if it is us, the haproxy or a simple high rate of bad clients coming at us. But the recent 2 suject opened about 408 make us wonder if this is more wide spread due to an external cause. Normal customer of us experience it but no way to reliably recreate the error we have, so it could be completly different than yours. regards, Ghislain.
Re: Error 408 with Chrome
Well, your log lines says that the response was generated because the timeout client has expired... Last suggestion for now would to apply the patch porposed by Willy and reported by Lukas. Bapitste On Fri, May 23, 2014 at 9:47 AM, Kevin Maziere wrote: > Hi > > Thanks for your reply. > After reading the doc of the option this option is usefull but I'm not sur > for my case. > I fact the 408 are received immediatly, with no delay or timeout when > browsing the website. > I indeed with the option still 408 errors > > Maybe any other ideas ? > > > 2014-05-22 19:29 GMT+02:00 Baptiste : > >> On Thu, May 22, 2014 at 6:06 PM, Kevin Maziere >> wrote: >> > Hi >> > >> > I've haproxy that send a lots of "HTTP/1.1 408" error code when Chrome >> > is >> > used >> > None with firefox. >> > >> > After few search on google and the mailing list I found some post >> > regarding >> > haproxy and preconnect, but I don't find any solution. >> > >> > I'm using latest 1.5-dev haproxy release from the ppa: HA-Proxy version >> > 1.5-dev25-a339395 2014/05/10 >> > >> > I've tested to add option accept-invalid-http-request but still 408, and >> > I've quickly removed this option. >> > >> > Here is a part of my conf, I maybe have something wrong. >> > >> > # Configuration pour haproxy1.5 >> > global >> > log 127.0.0.1 local0 >> > log 127.0.0.1 local1 notice >> > maxconn 4096 >> > #debug >> > #quiet >> > user haproxy >> > group haproxy >> > >> > defaults >> > log global >> > modehttp >> > option httplog >> > retries 3 >> > option redispatch >> > maxconn 2000 >> > timeout server 2h >> > timeout connect 15000 >> > timeout client 15000 >> > option http-keep-alive >> > >> > # Application Frontend >> > >> > frontend ipv4-ip1-80 >> > bind [ipv4]:80 >> > reqadd X-Forwarded-Proto:\ https >> > option http-server-close >> > timeout http-keep-alive 5000 >> > use_backend ipv4-80 >> > frontend ipv4-ip1-443 >> > bind [ipv4]:443 ssl crt /etc/haproxy/certs/wildcard.pem ciphers >> > >> > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:RC4-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!EDH >> > reqadd X-Forwarded-Proto:\ https >> > option http-server-close >> > timeout http-keep-alive 5000 >> > use_backend ipv4-80 >> > >> > frontend ipv6-ip1-80 >> > bind ip1:80 >> > reqadd X-Forwarded-Proto:\ https >> > option http-server-close >> > timeout http-keep-alive 5000 >> > use_backend ipv6-80 >> > frontend ipv6i-p1-443 >> > bind ip1:443 ssl crt /etc/haproxy/certs/wildcard.pem ciphers >> > >> > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:RC4-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!EDH >> > reqadd X-Forwarded-Proto:\ https >> > option http-server-close >> > timeout http-keep-alive 5000 >> > use_backend ipv6-80 >> > >> > >> > >> > # Application Backend >> > backend ipv4-80 >> > balance roundrobin >> > server images-access ip2:80 weight 1 check inter 5000 rise 2 fall >> > 5 >> > >> > backend ipv6-80 >> > balance roundrobin >> > server images-access ip2:80 weight 1 check inter 5000 rise 2 fall >> > 5 >> > >> > >> > And here a some logs : >> > >> > 2014-05-22T15:38:44+00:00 access haproxy[7762]: clientipv6:59374 >> > [22/May/2014:15:38:29.146] ipv6-ip1-443~ ipv6-ip1-443/ >> > -1/-1/-1/-1/15014 408 212 - - cR-- 0/0/0/0/0 0/0 "" >> > 2014-05-22T15:47:53+00:00 access haproxy[7762]: clientipv4:49611 >> > [22/May/2014:15:47:38.768] ipv4-ip1-80 ipv4-ip1-80/ >> > -1/-1/-1/-1/15001 >> > 408 212 - - cR-- 2/2/0/0/0 0/0 "" >> > >> > Thansk for your help >> > >> > Kévin >> >> >> Hi Kevin, >> >> Maybe you could try setup a "timeout http-request" with a lower value >> than your timeout client. >> >> Baptiste > >
RE: Error 408 with Chrome
Hi, > Hi > > Thanks for your reply. > After reading the doc of the option this option is usefull but I'm not > sur for my case. > I fact the 408 are received immediatly, with no delay or timeout when > browsing the website. > I indeed with the option still 408 errors > > Maybe any other ideas ? Could it be related to what Klavs Klavsen reported back in February in the thread "http responses randomly getting RSTs": http://marc.info/?t=13927306625&r=2&w=2 There is a debug patch from Willy to apply on 1.5: http://marc.info/?l=haproxy&m=139292555930452&w=2 Unfortunately, due to lack of feedback, the issue was never fixed. Regards, Lukas
Re: Add Domain redirects using API or ?
Hi Matt,
You have to use HAProxy 1.5.
You can load redirects from a map file.
Map file content, 2 columns, with on the left the reference (what
you're looking from in the client request) and on the right the
response to send back.
domain2.com subdomain.domain1.com
Then, in your frontend, simply add:
http-request redirect code 302 prefix
http://%[req.hdr(host),map_str(map_redirects.lst)] if {
req.hdr(Host),map_str(map_redirects.lst) -m found }
Content of map_redirects.lst:
domain2.com subdomain.domain1.com
If the domain is not listed, then HAProxy will return a 503.
Here are some results:
GET http://127.0.0.1:8080/ -H "Host: domain2.com"
HTTP/1.1 302 Found
Cache-Control: no-cache
Content-length: 0
Location: http://subdomain.domain1.com/
Connection: close
GET http://127.0.0.1:8080/blah -H "Host: domain2.com"
HTTP/1.1 302 Found
Cache-Control: no-cache
Content-length: 0
Location: http://subdomain.domain1.com/blah
Connection: close
GET http://127.0.0.1:8080/ -H "Host: domain1.com"
HTTP/1.0 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html
The content of the map can be updated through the HAProxy socket or
though HTTP headers.
Read the manual to know how.
Bear in mind HAProxy will reset its memory with the content of the
file when reloading. So it's up to you to sync the memory of HAProxy
and the content of the file.
Baptiste
On Thu, May 22, 2014 at 11:08 PM, Matt . wrote:
> Babtiste,
>
> I'm not able to find any solution to add such rewrites, am I looking wrong ?
>
> Cheers,
>
> Matt
>
>
> 2014-05-22 16:37 GMT+02:00 Matt . :
>
>> Hi,
>>
>> That is nice, is that in the development version ? I didn't see it in 1.4
>> as I'm right.
>>
>> I need to forward domain2.com to subdomain.domain1.com
>>
>> and subdomain.domain1.com may be a various of webservers that serve that
>> content.
>>
>> Thanks!
>>
>> Matt
>
>
Re: Error 408 with Chrome
Hi Thanks for your reply. After reading the doc of the option this option is usefull but I'm not sur for my case. I fact the 408 are received immediatly, with no delay or timeout when browsing the website. I indeed with the option still 408 errors Maybe any other ideas ? 2014-05-22 19:29 GMT+02:00 Baptiste : > On Thu, May 22, 2014 at 6:06 PM, Kevin Maziere > wrote: > > Hi > > > > I've haproxy that send a lots of "HTTP/1.1 408" error code when Chrome is > > used > > None with firefox. > > > > After few search on google and the mailing list I found some post > regarding > > haproxy and preconnect, but I don't find any solution. > > > > I'm using latest 1.5-dev haproxy release from the ppa: HA-Proxy version > > 1.5-dev25-a339395 2014/05/10 > > > > I've tested to add option accept-invalid-http-request but still 408, and > > I've quickly removed this option. > > > > Here is a part of my conf, I maybe have something wrong. > > > > # Configuration pour haproxy1.5 > > global > > log 127.0.0.1 local0 > > log 127.0.0.1 local1 notice > > maxconn 4096 > > #debug > > #quiet > > user haproxy > > group haproxy > > > > defaults > > log global > > modehttp > > option httplog > > retries 3 > > option redispatch > > maxconn 2000 > > timeout server 2h > > timeout connect 15000 > > timeout client 15000 > > option http-keep-alive > > > > # Application Frontend > > > > frontend ipv4-ip1-80 > > bind [ipv4]:80 > > reqadd X-Forwarded-Proto:\ https > > option http-server-close > > timeout http-keep-alive 5000 > > use_backend ipv4-80 > > frontend ipv4-ip1-443 > > bind [ipv4]:443 ssl crt /etc/haproxy/certs/wildcard.pem ciphers > > > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:RC4-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!EDH > > reqadd X-Forwarded-Proto:\ https > > option http-server-close > > timeout http-keep-alive 5000 > > use_backend ipv4-80 > > > > frontend ipv6-ip1-80 > > bind ip1:80 > > reqadd X-Forwarded-Proto:\ https > > option http-server-close > > timeout http-keep-alive 5000 > > use_backend ipv6-80 > > frontend ipv6i-p1-443 > > bind ip1:443 ssl crt /etc/haproxy/certs/wildcard.pem ciphers > > > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:RC4-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!EDH > > reqadd X-Forwarded-Proto:\ https > > option http-server-close > > timeout http-keep-alive 5000 > > use_backend ipv6-80 > > > > > > > > # Application Backend > > backend ipv4-80 > > balance roundrobin > > server images-access ip2:80 weight 1 check inter 5000 rise 2 fall 5 > > > > backend ipv6-80 > > balance roundrobin > > server images-access ip2:80 weight 1 check inter 5000 rise 2 fall 5 > > > > > > And here a some logs : > > > > 2014-05-22T15:38:44+00:00 access haproxy[7762]: clientipv6:59374 > > [22/May/2014:15:38:29.146] ipv6-ip1-443~ ipv6-ip1-443/ > > -1/-1/-1/-1/15014 408 212 - - cR-- 0/0/0/0/0 0/0 "" > > 2014-05-22T15:47:53+00:00 access haproxy[7762]: clientipv4:49611 > > [22/May/2014:15:47:38.768] ipv4-ip1-80 ipv4-ip1-80/ > -1/-1/-1/-1/15001 > > 408 212 - - cR-- 2/2/0/0/0 0/0 "" > > > > Thansk for your help > > > > Kévin > > > Hi Kevin, > > Maybe you could try setup a "timeout http-request" with a lower value > than your timeout client. > > Baptiste >
