RE: balancing edifact files

2014-06-29 Thread Andrey Zakabluk
Hi! I want to balance the sending and receiving of EDIFACT files. I have servers that send 
EDIFACT files and receive requests from the system that got my files. I am trying to tune 
haproxy 1.5.1 in tcp mode. Can you give advice: can I use haproxy for this?
Thanks.


Re: HAProxy - Load Balancing + GeoIP

2014-06-29 Thread Eliezer Croitoru

Hey There,

There are a couple of options to load balance:
DNS or APPLICATION level.

The DNS level is using GeoIP based dns load-balancing that will decide 
based on the srcIP what dns results to send.
The APPLICATION level is to use a default site address that will have a 
302 Redirection based on GeoIP to the nearest site to the client.
You can see one of the examples that is being used on FedoraProject 
download mirrors.

When you try to access the download url at the base domain:
http://download.fedoraproject.org/pub/fedora/linux/releases/20/Live/x86_64/Fedora-Live-Desktop-x86_64-20-1.iso

It will redirect you to the nearest domain based on some admin logic.
The "issue" with it is that you will need to use a couple of domain names 
such as:

us..domain.com
eu..domain.com
as..domain.com

Or any naming convention that will fit you.

I do remember that many PC manufacturers use the application level 
convention for their websites and they use a cookie based redirection.
For example, if you choose Japan on the main webpage, the next time you 
access the website you will be automatically redirected to the 
Japan (Asia) mirror based on the choice, which was recorded using a cookie.


Eliezer

On 06/29/2014 05:46 PM, Marius Jankunas wrote:

Hello,

First of all, congratulations on the HAProxy 1.5.0 release, glad you finally 
finished. :)


If you have some free time, maybe you could advise or give any hints which could 
help me?
I'm interested in HAProxy, and would like to know whether it is possible to do load 
balancing to servers which are nearest to clients. And if yes, could 
this reduce latency, and improve e.g. website loading speed? I tried to draw a 
diagram (see attachment) which shows how I would like to do load balancing.

About the diagram:

For example, there are 6 users: 2 from Asia, 2 from Europe, 2 from the United States.
All 6 users connect to the main haproxy server first, which stands in the EU.

For Asia users, ping to the main haproxy server is ~175ms
For Europe users, ping to the main haproxy server is ~22ms
For United States users, ping to the main haproxy is ~76ms

Asia users to Haproxy (Asia) have a ping of 15ms
Europe users to Haproxy (EU) have a ping of ~17ms
United States users to Haproxy (US) have a ping of ~12ms

All 3 Haproxy (Asia), (EU), (US) servers have a ping of +/-35ms to the Application 
Server.

I don't know, but I feel this would only create additional latency for 
users. If yes, how can we make users connect directly to the (Asia), (EU), (US) Haproxy 
server by their geo location? Thank you for any reply.


Marius,








Re: HAProxy - Load Balancing + GeoIP

2014-06-29 Thread Łukasz Jagiełło
Hi,

Have you maybe thought about a CDN? You can always pass traffic without
caching and load-balance like you want, pointing at your "main HAProxy". Check
https://www.fastly.com/.


On Sun, Jun 29, 2014 at 7:46 AM, Marius Jankunas wrote:

> Hello,
>
> First of all, congratulations on the HAProxy 1.5.0 release, glad you finally
> finished. :)
>
>
> If you have some free time, maybe you could advise or give any hints which
> could help me?
> I'm interested in HAProxy, and would like to know whether it is possible to do
> load balancing to servers which are nearest to clients. And if yes,
> could this reduce latency, and improve e.g. website loading speed? I tried
> to draw a diagram (see attachment) which shows how I would like to do load
> balancing.
>
> About the diagram:
>
> For example, there are 6 users: 2 from Asia, 2 from Europe, 2 from the United
> States.
> All 6 users connect to the main haproxy server first, which stands in the EU.
>
> For Asia users, ping to the main haproxy server is ~175ms
> For Europe users, ping to the main haproxy server is ~22ms
> For United States users, ping to the main haproxy is ~76ms
>
> Asia users to Haproxy (Asia) have a ping of 15ms
> Europe users to Haproxy (EU) have a ping of ~17ms
> United States users to Haproxy (US) have a ping of ~12ms
>
> All 3 Haproxy (Asia), (EU), (US) servers have a ping of +/-35ms to the
> Application Server.
>
> I don't know, but I feel this would only create additional latency
> for users. If yes, how can we make users connect directly to the (Asia), (EU),
> (US) Haproxy server by their geo location? Thank you for any reply.
>
>
> Marius,



-- 
Łukasz Jagiełło
lukaszjagielloorg


Re: OCSP and Startssl

2014-06-29 Thread Lukas Tribus
Hi Igor,


> Hi, list
> 
> I enabled OCSP with an empty .ocsp file, but it does not seem to work;
> https://www.ssllabs.com/ssltest/ reports "OCSP No".
> 
> If I run "openssl ocsp -issuer s.pem.issuer -cert s.pem -url
> http://ocsp.startssl.com/sub/class2/server/ca -header "HOST"
> "ocsp.startssl.com" -respout s.pem.ocsp", it works, and ssllabs reports
> "OCSP Yes".
> 
> Maybe it is like this issue: http://trac.nginx.org/nginx/ticket/465 ?

Expected behavior. HAProxy has no DNS resolver and does not
automatically download OCSP information.

*YOU* need to provide the OCSP data externally, and haproxy will
forward it.


The nginx implementation does everything on its own, the haproxy
implementation does absolutely not do that.



Regards,

Lukas
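
One way to supply the OCSP data externally, as described above (an added example, not code from the thread or from HAProxy): the function runs the same `openssl ocsp` query quoted in the question and replaces `<cert>.ocsp` only when the responder reports the certificate as good and the saved response is non-empty. The function name, temp-file name and return codes are assumptions.

```shell
#!/bin/sh
# refresh_ocsp CERT OCSP_URL OCSP_HOST
# Expects CERT.issuer next to CERT (as in the thread) and writes CERT.ocsp.
# Returns 0 on success, 1 if the query failed, 2 if the status is not
# "good", 3 if the responder returned an empty response.
refresh_ocsp() {
    cert=$1 url=$2 host=$3
    tmp="$cert.ocsp.tmp.$$"

    # Same query as in the thread; -respout saves the raw response.
    # OpenSSL 1.1.0 and later take the header as: -header "Host=$host"
    out=$(openssl ocsp -issuer "$cert.issuer" -cert "$cert" \
            -url "$url" -header "HOST" "$host" \
            -respout "$tmp" 2>&1) || { rm -f "$tmp"; return 1; }

    # openssl prints "<cert>: good", "<cert>: revoked" or "<cert>: unknown".
    # Only a "good" response is worth stapling.
    case $out in
        *"$cert: good"*) ;;
        *) rm -f "$tmp"; return 2 ;;
    esac

    # An empty .ocsp file is what the thread started with: never install one.
    [ -s "$tmp" ] || { rm -f "$tmp"; return 3; }

    # rename() within one directory is atomic, so a reader never sees a
    # half-written response.
    mv -f "$tmp" "$cert.ocsp"
}

# Example call with the values from the thread:
# refresh_ocsp s.pem http://ocsp.startssl.com/sub/class2/server/ca ocsp.startssl.com
```

Run it periodically, since OCSP responses expire.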

  


OCSP and Startssl

2014-06-29 Thread Igor
Hi, list

I enabled OCSP with an empty .ocsp file, but it does not seem to work;
https://www.ssllabs.com/ssltest/ reports "OCSP No".

If I run "openssl ocsp -issuer s.pem.issuer -cert s.pem -url
http://ocsp.startssl.com/sub/class2/server/ca -header "HOST"
"ocsp.startssl.com" -respout s.pem.ocsp", it works, and ssllabs reports
"OCSP Yes".

Maybe it is like this issue: http://trac.nginx.org/nginx/ticket/465 ?

Bests,
-Igor



Re: backend server ca-file load from directory not working

2014-06-29 Thread Diana Hsu (ditsai)
Hi Lukas,

I did a strace on the WORKING platform and noticed HAProxy v1.5.dev21 ignores 
"ca-file /opt/etc/ca.d/" in the backend server line if "verify required" is not 
enabled.  I think that is the reason why there is no error during startup.  
When I enabled "verify required ca-file /opt/etc/ca.d/" in the backend server 
line, it throws the same error as on the HAProxy v1.5.0 platform:

[ALERT] 179/122107 (31559) : Proxy 'SFARM-SSL-PROXY', server 'REMOTE' [haproxy.cfg:34] unable to load CA file '/opt/etc/ca.d/'.

On the HAProxy v1.5.0 platform, it throws the above error regardless of whether 
"verify required" is enabled or not.

Thanks for the advice.  I will enable "verify required ca-file ..." in both 
platforms and load ca-file from a file instead of a directory.

Regards,
Diana


From: Lukas Tribus <luky...@hotmail.com>
Date: Sunday, June 29, 2014 3:06 AM
To: Microsoft Office User <dit...@cisco.com>
Cc: "haproxy@formilux.org" <haproxy@formilux.org>
Subject: RE: backend server ca-file load from directory not working

Hi,


Below is the snapshot of strace output, 1st block showing error if
loading ca-file from directory and 2nd block showing no error if
loading ca-file from a file:

I think ca-file doesn't support directories, only the crt option
supports directories.

If you need to specify a CA (to authenticate SSL clients) you need
to point directly to the file.

If on the other hand you just need the CA file to send towards
the client as an intermediate certificate, so that the client can
authenticate the final certificate, just point to the directory
with the crt keyword.


Also read:
ca-file doc:
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#ca-file%20%28Bind%20options%29

crt doc:
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-crt


Since you didn't configure any verify keywords on the bind line,
I suspect you don't want to do any client SSL authentication at all
and replacing "ca-file" with "crt" on the bind line will achieve
what you need.




Regards,

Lukas
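
The two problems this thread ends on, a `ca-file` that points at a directory and a `ca-file` given without `verify required`, can be checked before HAProxy is started. This is an added example, not code from the thread or from HAProxy; the function name and message wording are assumptions, and only `server` lines are inspected.

```shell
#!/bin/sh
# lint_ca_file CFG
# Prints one finding per line as "CFG:LINE: message".
# Returns 0 if the file is clean, 1 if anything was reported.
lint_ca_file() {
    cfg=$1 n=0 findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -f; set -- $line; set +f      # split into words, no globbing
        [ $# -gt 0 ] || continue
        [ "$1" = server ] || continue     # backend server lines only

        ca= verify=
        while [ $# -gt 0 ]; do
            case $1 in
                ca-file) ca=${2-} ;;
                verify)  verify=${2-} ;;
            esac
            shift
        done
        [ -n "$ca" ] || continue

        # ca-file takes a single PEM file; a directory fails with
        # "unable to load CA file" as shown in the thread.
        case $ca in */) isdir=1 ;; *) isdir=0 ;; esac
        [ -d "$ca" ] && isdir=1
        if [ "$isdir" -eq 1 ]; then
            echo "$cfg:$n: ca-file '$ca' is a directory, point it at a PEM file"
            findings=$((findings + 1))
        fi

        # Per the thread, 1.5.dev21 skipped ca-file when "verify required"
        # was not spelled out, so require it explicitly.
        if [ "$verify" != required ]; then
            echo "$cfg:$n: ca-file set without 'verify required'"
            findings=$((findings + 1))
        fi
    done < "$cfg"
    [ "$findings" -eq 0 ]
}
```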




Re: HAProxy - Load Balancing + GeoIP

2014-06-29 Thread Malcolm Turnbull
Marius,

Yes, that would be a nice potential feature but...
Surely you are a lot better off using an external GSLB capable resilient
DNS i.e.
In ascending price order:

Amazon Route 53
DYN
Neustar
Akamai etc.?

http://blog.loadbalancer.org/gslb-why-do-global-server-load-balancers-suck/






On 29 June 2014 15:46, Marius Jankunas wrote:

> Hello,
>
> First of all, congratulations on the HAProxy 1.5.0 release, glad you finally
> finished. :)
>
>
> If you have some free time, maybe you could advise or give any hints which
> could help me?
> I'm interested in HAProxy, and would like to know whether it is possible to do
> load balancing to servers which are nearest to clients. And if yes,
> could this reduce latency, and improve e.g. website loading speed? I tried
> to draw a diagram (see attachment) which shows how I would like to do load
> balancing.
>
> About the diagram:
>
> For example, there are 6 users: 2 from Asia, 2 from Europe, 2 from the United
> States.
> All 6 users connect to the main haproxy server first, which stands in the EU.
>
> For Asia users, ping to the main haproxy server is ~175ms
> For Europe users, ping to the main haproxy server is ~22ms
> For United States users, ping to the main haproxy is ~76ms
>
> Asia users to Haproxy (Asia) have a ping of 15ms
> Europe users to Haproxy (EU) have a ping of ~17ms
> United States users to Haproxy (US) have a ping of ~12ms
>
> All 3 Haproxy (Asia), (EU), (US) servers have a ping of +/-35ms to the
> Application Server.
>
> I don't know, but I feel this would only create additional latency
> for users. If yes, how can we make users connect directly to the (Asia), (EU),
> (US) Haproxy server by their geo location? Thank you for any reply.
>
>
> Marius,



-- 
Regards,

Malcolm Turnbull.

Loadbalancer.org Ltd.
Phone: +44 (0)330 1604540
http://www.loadbalancer.org/


HAProxy - Load Balancing + GeoIP

2014-06-29 Thread Marius Jankunas
Hello,

First of all, congratulations on the HAProxy 1.5.0 release, glad you finally 
finished. :)


If you have some free time, maybe you could advise or give any hints which could 
help me?
I'm interested in HAProxy, and would like to know whether it is possible to do load 
balancing to servers which are nearest to clients. And if yes, could 
this reduce latency, and improve e.g. website loading speed? I tried to draw a 
diagram (see attachment) which shows how I would like to do load balancing.

About the diagram:

For example, there are 6 users: 2 from Asia, 2 from Europe, 2 from the United States.
All 6 users connect to the main haproxy server first, which stands in the EU.

For Asia users, ping to the main haproxy server is ~175ms
For Europe users, ping to the main haproxy server is ~22ms
For United States users, ping to the main haproxy is ~76ms

Asia users to Haproxy (Asia) have a ping of 15ms
Europe users to Haproxy (EU) have a ping of ~17ms
United States users to Haproxy (US) have a ping of ~12ms

All 3 Haproxy (Asia), (EU), (US) servers have a ping of +/-35ms to the Application 
Server.

I don't know, but I feel this would only create additional latency for 
users. If yes, how can we make users connect directly to the (Asia), (EU), (US) Haproxy 
server by their geo location? Thank you for any reply.


Marius,




RE: backend server ca-file load from directory not working

2014-06-29 Thread Lukas Tribus
Hi,


> Below is the snapshot of strace output, 1st block showing error if
> loading ca-file from directory and 2nd block showing no error if
> loading ca-file from a file:

I think ca-file doesn't support directories, only the crt option
supports directories.

If you need to specify a CA (to authenticate SSL clients) you need
to point directly to the file.

If on the other hand you just need the CA file to send towards
the client as an intermediate certificate, so that the client can
authenticate the final certificate, just point to the directory
with the crt keyword.


Also read:
ca-file doc:
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#ca-file%20%28Bind%20options%29

crt doc:
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-crt


Since you didn't configure any verify keywords on the bind line,
I suspect you don't want to do any client SSL authentication at all
and replacing "ca-file" with "crt" on the bind line will achieve
what you need.




Regards,

Lukas

  


Re: backend server ca-file load from directory not working

2014-06-29 Thread Lukas Tribus
Hi Diana,


> open("/opt/etc/ca.d/", O_RDONLY) = 3

This (the non working instance) tries to open the
directory, while ...


> open("/opt/etc/ca.d/ca.crt", O_RDONLY) = 3

here (the working instance) we appear to directly
open the crt file.

Can you double check that the configuration is exactly
the same between both instances? Please post the exact
bind [...] line from both working and non working conditions.


Don't you see a:
open("/opt/etc/ca.d/", O_RDONLY) = 3

in the working instances at all? If you do see it, please
include that output as well.




Regards,

Lukas