Re: [PATCH] Memory corruption building Proxy Protocol V2 header

2014-07-16 Thread Dave McCowan
Hi Willy,

  Yes, I changed my variable names after testing to clean up and
failed.
Is my obvious corrected patch the correct fix?
Or should we clamp down on the use of global chunks being passed downstream?

--Dave


On Wed, Jul 16, 2014 at 4:16 PM, Willy Tarreau  wrote:

> Hi Dave,
>
> On Wed, Jul 16, 2014 at 02:16:52PM -0400, Dave McCowan wrote:
> > Hi Willy, Emeric--
> > A commit on 6/24 changed the way ssl_sock_get_remote_common_name()
> > works.
> > I agree with this refactoring, unfortunately both
> make_proxy_line_v2()
> > and the caller of make_proxy_line_v2() are using the global trash chunk
> as
> > a workspace resulting in a memory overwrite.
>
> Argh! yes you're right, make_proxy_line() is called with trash which is
> not that fun. trash is supposed to be overwritable by any function call
> which is exactly what happens here since the function became deeper.
>
> > I've attached a patch to fix this.
> >
> > Commit comment: Use temporary trash chunk, instead of global trash chunk
> in
> > make_proxy_line_v2() to avoid memory corruption.
>
> Are you sure there is not a bug here :
>
> >   if (srv->pp_opts & SRV_PP_V2_SSL_CN) {
> > + cn_trash = get_trash_chunk();
> >   if
> (ssl_sock_get_remote_common_name(remote, &trash) > 0) {
> > - tlv_len =
> make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len),
> PP2_TYPE_SSL_CN, trash.len, trash.str);
> > + tlv_len =
> make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len),
> PP2_TYPE_SSL_CN, cn_trash->len, cn_trash->str);
>
>
> I'm seeing ssl_sock_get_remote_common_name() write into trash
> and make_tlv() retrieve from cn_trash which is still empty, so
> I don't know how this could have worked in your tests, so maybe
> you checked then cleaned up a bit too much before sending the
> patch ?
>
> Thanks,
> Willy
>
>


Re: Operations this evening

2014-07-16 Thread Willy Tarreau
Operations are completed, everything is back to normal. For those who
would be doing some filtering, the mail/web server's IP address changed
from 88.191.124.161 to 195.154.117.161, but I'm sure nobody cares :-)

For IPv6 we'll check later, it's been down for some time already.

Willy




Re: Fwd: Error Logs in Haproxy

2014-07-16 Thread Cyril Bonté

Hi Peter,

On 16/07/2014 17:28, Peter M Souter wrote:

Yeah, I looked in the logs before and I couldn't find the errors. But
either I didn't look hard enough or someone's changed the settings since
I last looked:

cat /var/log/capd/haproxy.log | grep 'has no server available!' | wc -l
46

But at least I can confirm I got the correct setup! :)


To complete Baptiste's answer, this is probably because your rsyslog 
configuration contains something like :

*.emerg:omusrmsg:*

haproxy also has an option to reduce the range of log levels :
log  [len ]  [max level [min level]]

I tend to use "err" as the value for "min level", in order to never 
reach the "emerg" level : any log with a level lower than err (crit, 
alert, emerg) will be logged as an err level, which prevents such messages 
for logged users when the rsyslog configuration is not guaranteed.


See [1] for more details.

As a side note, please don't top post when you reply (and really reply, 
not forward) ;-)


[1] http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#3.1-log

--
Cyril Bonté



Re: Adding Serial Number to POST Requests

2014-07-16 Thread Baptiste
On Wed, Jul 16, 2014 at 7:04 PM, Jonathan Matthews
 wrote:
> On 16 Jul 2014 16:56, "Zuoning Yin"  wrote:
>>
>> We later also got the help from Willy.  He provided us a configuration
>> which solved our problem. To benefit other people,  I just posted it here.
>
> I had meant to chime in on this thread earlier.
>
> What happens when your HAProxy layer loses state - be it reboot, service
> restart or  data centre power cut? Are you risking resetting the counter and
> overwriting existing data on the backend? Are you in fact treating HAP as a
> single point of truth?
>
> J

That's why I propose to use the unique-id format as well.
You can combine a timestamp with your unique id.
So going back to 0 is not a problem anymore.

Baptiste



Re: Load balancing FTP with HAProxy behind a firewall

2014-07-16 Thread Baptiste
On Wed, Jul 16, 2014 at 6:34 PM, Dennis Jacobfeuerborn
 wrote:
> On 16.07.2014 15:31, Nicolas Zedde wrote:
>>> -Original Message-
>>> From: Dennis Jacobfeuerborn [mailto:denni...@conversis.de]
>>> Sent: Wednesday, July 16, 2014 1:22 PM
>>> To: haproxy@formilux.org
>>> Subject: Re: Load balancing FTP with HAProxy behind a firewall
>>>
>>> Have you considered using SFTP instead? It's more secure and doesn't suffer
>>> from the data channel issue so it's easier to handle and most if not all FTP
>>> GUI clients out there (Filezilla, WinSCP, etc.) on the various platforms also
>>> support SFTP out of the box.
>>> If you are using ProFTPd on the server it's fairly trivial to set up
>>> including key support in addition to passwords and chroot.
>>>
>>> FTP still seems to be the default these days even though as a protocol
>>> it's... problematic. In 99% of cases when someone asks for FTP access I
>>> recommend SFTP instead and this works fine for people. FTP really should be
>>> retired.
>>>
>>> Regards,
>>>   Dennis
>>
>> Hi,
>>
>> SFTP looks like a smart idea to discard the FTP problems. I'll give it a try.
>> Now I still have to find a way to redirect my ftp users to the correct 
>> server using a single public ip / port.
>> Thank you for your help anyway.
>
> Since neither FTP nor SFTP support the concept of virtual hosts the only
> way I see which could work is using SFTP with client certificates. If
> you provide every user with a client certificate you could match the
> certificate's common name using "ssl_f_s_dn(CN)" in haproxy and then
> select a backend based on the value.
>
> Regards,
>   Dennis
>

Nice solution :)

Otherwise, one TCP port per "virtual host" :)

Baptiste



Re: ACL ordering/processing

2014-07-16 Thread Pavlos Parissis
On 16/07/2014 08:31 AM, Baptiste wrote:
> On Tue, Jul 15, 2014 at 7:14 PM, Pavlos Parissis
>  wrote:
>> On 15/07/2014 05:49 PM, Baptiste wrote:
>>> On Tue, Jul 15, 2014 at 12:40 AM, bjun...@gmail.com  
>>> wrote:
 Hi folks,


 I've a question regarding the ordering/processing of ACL's.



 Example (HAProxy 1.4.24):


 

 frontend http_in
 .
 .


 acl  is_example.com  hdr_beg(host) -i example.com

 acl  check_id  url_reg   code=(1001|1002|)

 acl  check_id  url_reg   code=(3000|4001|)

 use_backend  node01 if  is_example.com  check_id



 acl  is_example.de  hdr_beg(host) -i example.de

 acl  check_id  url_reg   code=(6573|7890)

 use_backend  node02 if  is_example.de  check_id


 



 I assumed that the "check_id" - ACL from the second block wouldn't be
 combined/OR'ed with the 2 "check_id" - ACL's from the first block
 (because of the other configuration statements in between).



 But they are combined/OR'ed, is this behavior intended ?



 Thanks,
 ---

 Bjoern

>>>
>>> Hi Bjoern,
>>>
>>> ACLs are processed only if they are called by a directive.
>>> When many ACLs are called by a directive, an implicit logical AND is 
>>> applied.
>>> An explicit logical OR can be declared as well.
>>> When an AND is applied between many ACLs, HAProxy stops processing them
>>> as soon as one is wrong.
>>> When an OR is applied between many ACLs, HAProxy stops processing them
>>> as soon as one is true.
>>>
>>> Some ACLs are cheaper to run than others, make your choice :)
>>>
>>> Side note, to avoid any mistake in your conf:
>>>   acl  is_example.de  hdr_beg(host) -i example.de
>>> => this will match http://example.de/path/path/blah.php
>>>  or  http://example.de.google.com/path/path/blah.php
>>>
>>> you might want to match this:
>>>   acl  is_example.de  hdr_end(host) -i example.de
>>>
>>
>>
>> Is URI part of Host header?
>>
>> Cheers,
>> Pavlos
>>
>>
>>
> 
> Hi Pavlos,
> 
> not at all, sorry for the confusion.

I wasn't confused, just checking that there isn't any specific 'thing'
in HAProxy which will add the URI to the specific header; I never thought
there would be such a thing.


> Your browser should split your URL in 2 parts:
> - Host header containing the hostname of the service
> - url path
> 
> http://my.domain.tld/path will be sent as
> 
> GET /path HTTP/1.1
> Host: my.domain.tld
> 
> 
> Baptiste
> 
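Bjoern's merged check_id ACL and Baptiste's hdr_beg warning, as an added example that is not HAProxy's ACL engine: a small C model that keeps the frontend's ACL lines in declaration order, treats every line carrying a name as one more OR'ed pattern of that ACL, AND's the names on each use_backend line, and evaluates hdr_beg/hdr_end on the Host header and url_reg on the URL with POSIX regex. The acls_fixed table swaps in hdr_end as suggested; the request hosts and URLs are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <regex.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Added model of how HAProxy merges same-named ACLs; not HAProxy's engine. */
enum fetch { HDR_BEG, HDR_END, URL_REG };

struct acl_line {
    const char *name;
    enum fetch  fetch;
    const char *pattern;    /* host patterns are compared as with -i */
};

struct rule {
    const char *backend;
    const char *cond[2];    /* ACL names on one use_backend line: AND'ed */
};

#define NACLS 5
/* The frontend from the thread, in declaration order. The last check_id
 * line sits in the "example.de block" but still extends the same ACL. */
static const struct acl_line acls_as_posted[NACLS] = {
    { "is_example.com", HDR_BEG, "example.com" },
    { "check_id",       URL_REG, "code=(1001|1002|)" },
    { "check_id",       URL_REG, "code=(3000|4001|)" },
    { "is_example.de",  HDR_BEG, "example.de" },
    { "check_id",       URL_REG, "code=(6573|7890)" },
};

/* Same config with Baptiste's suggestion: anchor the host match at the end. */
static const struct acl_line acls_fixed[NACLS] = {
    { "is_example.com", HDR_END, "example.com" },
    { "check_id",       URL_REG, "code=(1001|1002|)" },
    { "check_id",       URL_REG, "code=(3000|4001|)" },
    { "is_example.de",  HDR_END, "example.de" },
    { "check_id",       URL_REG, "code=(6573|7890)" },
};

static const struct rule rules[] = {
    { "node01", { "is_example.com", "check_id" } },
    { "node02", { "is_example.de",  "check_id" } },
};

static int fetch_matches(const struct acl_line *l, const char *host, const char *url)
{
    size_t hl = strlen(host), pl = strlen(l->pattern);
    regex_t re;
    int rc;

    switch (l->fetch) {
    case HDR_BEG:   /* hdr_beg(host) -i: prefix, so example.de.google.com passes */
        return strncasecmp(host, l->pattern, pl) == 0;
    case HDR_END:   /* hdr_end(host) -i: suffix */
        return hl >= pl && strcasecmp(host + hl - pl, l->pattern) == 0;
    case URL_REG:   /* url_reg: unanchored regex search over the URL */
        if (regcomp(&re, l->pattern, REG_EXTENDED | REG_NOSUB) != 0)
            return 0;
        rc = regexec(&re, url, 0, NULL, 0);
        regfree(&re);
        return rc == 0;
    }
    return 0;
}

/* An ACL is true if ANY line carrying its name matches, wherever that line
 * appears in the section: same-named lines form one OR'ed ACL. */
static int acl_true(const struct acl_line *acls, const char *name,
                    const char *host, const char *url)
{
    for (int i = 0; i < NACLS; i++)
        if (strcmp(acls[i].name, name) == 0 && fetch_matches(&acls[i], host, url))
            return 1;
    return 0;
}

/* use_backend rules are tried in order; the names on one line are AND'ed.
 * Returns the chosen backend, or NULL when no rule matches. */
const char *route(const struct acl_line *acls, const char *host, const char *url)
{
    for (size_t i = 0; i < sizeof(rules) / sizeof(rules[0]); i++)
        if (acl_true(acls, rules[i].cond[0], host, url) &&
            acl_true(acls, rules[i].cond[1], host, url))
            return rules[i].backend;
    return NULL;
}

int main(void)
{
    const char *b;
    b = route(acls_as_posted, "example.de", "/a?code=1001");  /* merged check_id */
    printf("example.de code=1001  -> %s\n", b ? b : "(none)");
    b = route(acls_as_posted, "example.de.google.com", "/a?code=6573");
    printf("hdr_beg, foreign host -> %s\n", b ? b : "(none)");
    b = route(acls_fixed, "example.de.google.com", "/a?code=6573");
    printf("hdr_end, foreign host -> %s\n", b ? b : "(none)");
    return 0;
}
```

The trailing empty alternative in code=(1001|1002|) and code=(3000|4001|) also matches any URL that merely contains code=, so check_id is looser than its name suggests.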






Re: [PATCH] Memory corruption building Proxy Protocol V2 header

2014-07-16 Thread Willy Tarreau
Hi Dave,

On Wed, Jul 16, 2014 at 02:16:52PM -0400, Dave McCowan wrote:
> Hi Willy, Emeric--
> A commit on 6/24 changed the way ssl_sock_get_remote_common_name()
> works.
> I agree with this refactoring, unfortunately both make_proxy_line_v2()
> and the caller of make_proxy_line_v2() are using the global trash chunk as
> a workspace resulting in a memory overwrite.

Argh! yes you're right, make_proxy_line() is called with trash which is
not that fun. trash is supposed to be overwritable by any function call
which is exactly what happens here since the function became deeper.

> I've attached a patch to fix this.
> 
> Commit comment: Use temporary trash chunk, instead of global trash chunk in
> make_proxy_line_v2() to avoid memory corruption.

Are you sure there is not a bug here :

>   if (srv->pp_opts & SRV_PP_V2_SSL_CN) {
> + cn_trash = get_trash_chunk();
>   if (ssl_sock_get_remote_common_name(remote, 
> &trash) > 0) {
> - tlv_len = 
> make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), 
> PP2_TYPE_SSL_CN, trash.len, trash.str);
> + tlv_len = 
> make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), 
> PP2_TYPE_SSL_CN, cn_trash->len, cn_trash->str);


I'm seeing ssl_sock_get_remote_common_name() write into trash
and make_tlv() retrieve from cn_trash which is still empty, so
I don't know how this could have worked in your tests, so maybe
you checked then cleaned up a bit too much before sending the
patch ?

Thanks,
Willy
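The aliasing Willy describes, as an added example that is not HAProxy's code: a reduced C model of the chunk API in which the caller builds the PROXY v2 line directly into the global trash buffer and the callee then fetches the client CN into either that same buffer (the bug) or a private chunk from get_trash_chunk() (the fix). The chunk layout, the rotating get_trash_chunk(), make_tlv() and the CN getter are stand-ins; only the PROXY v2 signature and the PP2_TYPE_SSL_CN value come from the protocol specification, and the CN is a constructed sample.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model of the aliasing bug in this thread; not HAProxy's code. Names
 * mirror HAProxy's chunk API but every function below is a stand-in. */
#define TRASH_SIZE      256
#define PP2_HEADER_LEN  16
#define PP2_SIG_LEN     12
#define PP2_TYPE_SSL_CN 0x22        /* TLV type from the PROXY protocol spec */
static const char pp2_sig[PP2_SIG_LEN + 1] = "\r\n\r\n\0\r\nQUIT\n";
struct chunk { char *str; int len; int size; };
static char trash_buf[TRASH_SIZE];
struct chunk trash = { trash_buf, 0, TRASH_SIZE };   /* the global "trash" */

/* get_trash_chunk(): one of two rotating scratch chunks, distinct from trash. */
static char rot_buf[2][TRASH_SIZE];
static struct chunk rot_chunk[2];
static int rot_idx;

struct chunk *get_trash_chunk(void)
{
    struct chunk *c = &rot_chunk[rot_idx];
    c->str = rot_buf[rot_idx];
    c->size = TRASH_SIZE;
    c->len = 0;
    rot_idx ^= 1;
    return c;
}

/* Stand-in for ssl_sock_get_remote_common_name(): writes a constructed CN
 * into whatever chunk the caller hands it. */
static const char SAMPLE_CN[] = "client.example.test";
static int get_remote_common_name(struct chunk *out)
{
    int n = (int)strlen(SAMPLE_CN);
    if (n > out->size)
        return -1;
    memcpy(out->str, SAMPLE_CN, n);
    out->len = n;
    return n;
}

/* make_tlv(): type byte, 16-bit big-endian length, then the value. */
static int make_tlv(char *dest, int dest_len, uint8_t type, uint16_t len, const char *value)
{
    if (len + 3 > dest_len)
        return 0;
    dest[0] = (char)type;
    dest[1] = (char)(len >> 8);
    dest[2] = (char)(len & 0xff);
    memcpy(dest + 3, value, len);
    return len + 3;
}

/* Builds signature + minimal header + CN TLV into buf (address block omitted).
 * fixed == 0 fetches the CN into the global trash (the bug); fixed != 0 into
 * a private chunk from get_trash_chunk() (the fix). */
int make_proxy_line_v2(char *buf, int buf_len, int fixed)
{
    struct chunk *cn_trash;
    int ret, tlv_len;
    if (buf_len < PP2_HEADER_LEN)
        return 0;
    memcpy(buf, pp2_sig, PP2_SIG_LEN);
    buf[12] = 0x21;                     /* version 2, PROXY command */
    buf[13] = 0x11;                     /* TCP over IPv4 */
    ret = PP2_HEADER_LEN;
    cn_trash = fixed ? get_trash_chunk() : &trash;
    if (get_remote_common_name(cn_trash) > 0) {
        tlv_len = make_tlv(&buf[ret], buf_len - ret, PP2_TYPE_SSL_CN,
                           (uint16_t)cn_trash->len, cn_trash->str);
        ret += tlv_len;
    }
    buf[14] = (char)((ret - PP2_HEADER_LEN) >> 8);    /* payload length */
    buf[15] = (char)((ret - PP2_HEADER_LEN) & 0xff);
    return ret;
}

/* The caller pattern from the thread: the line is built straight into trash.str.
 * Returns 1 when the signature survived and the CN TLV sits where a consumer
 * would look for it, 0 when the CN scratch write clobbered the header. */
int header_intact(int fixed)
{
    int cn_len = (int)strlen(SAMPLE_CN);
    int len = make_proxy_line_v2(trash.str, trash.size, fixed);
    if (len != PP2_HEADER_LEN + 3 + cn_len)
        return 0;
    if (memcmp(trash.str, pp2_sig, PP2_SIG_LEN) != 0)
        return 0;
    return (uint8_t)trash.str[PP2_HEADER_LEN] == PP2_TYPE_SSL_CN &&
           memcmp(trash.str + PP2_HEADER_LEN + 3, SAMPLE_CN, cn_len) == 0;
}

int main(void)
{
    printf("CN fetched into global trash:  header intact = %d\n", header_intact(0));
    printf("CN fetched into private chunk: header intact = %d\n", header_intact(1));
    return 0;
}
```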




Re: Conditionally disable TCP_NODELAY

2014-07-16 Thread Lukas Tribus
Hi Patrick,



> It would be nice to be able to control the usage of TCP_NODELAY. Right
> now it looks like haproxy immediately turns the flag on upon any
> frontend or server connection. When doing bulk data transfers, this can
> have a negative impact on performance.

HAProxy uses MSG_MORE to control whether or not the system merges segments,
so your large bulk transfer will still perform optimally. HAProxy is highly
optimized to do the right thing by default, I don't think there is any
benefit to gain here.

Do you have any reason to doubt haproxy's MSG_MORE handling?



> However I do not think this should be a global option. I would think
> this is an option best turned on and off by ACL rules. You may only
> have certain URLs which return bulk data, or maybe you want to turn it
> off when entering the data phase, or perhaps only when Content-Length
> is greater than a certain amount.
>
> I think there are numerous uses for this feature, but the only other
> request I saw was a mailing list entry from a few months ago
> (http://marc.info/?l=haproxy&m=139176184632622) to which the response
> was to use the http-no-delay option. When I looked into it, this is not
> controlling TCP_NODELAY, and thus not relevant.

Well, it may not directly control TCP_NODELAY, but it controls directly or
indirectly MSG_MORE, so it's still relevant as it does affect Nagle and
possibly other things.

Also see:
http://marc.info/?l=haproxy&m=132173719731861&w=2



> Thoughts?

I think there is nothing to gain here.



Regards,

Lukas


  


Re: Binaries for HAProxy.

2014-07-16 Thread Kuldip Madnani
Thanks Ryan/Peter.

I installed the required devel packages and the compilation went fine but I
could see a message at the bottom (skipping incompatible
/usr/lib/libcrypt.so when searching for -lcrypt). Is it severe or can it be
ignored?

gcc  -g -o haproxy src/haproxy.o src/sessionhash.o src/base64.o
src/protocol.o src/uri_auth.o src/standard.o src/buffer.o src/log.o
src/task.o src/chunk.o src/channel.o src/listener.o src/time.o src/fd.o
src/pipe.o src/regex.o src/cfgparse.o src/server.o src/checks.o src/queue.o
src/frontend.o src/proxy.o src/peers.o src/arg.o src/stick_table.o
src/proto_uxst.o src/connection.o src/proto_http.o src/raw_sock.o
src/appsession.o src/backend.o src/lb_chash.o src/lb_fwlc.o src/lb_fwrr.o
src/lb_map.o src/lb_fas.o src/stream_interface.o src/dumpstats.o
src/proto_tcp.o src/session.o src/hdr_idx.o src/ev_select.o src/signal.o
src/acl.o src/sample.o src/memory.o src/freq_ctr.o src/auth.o
src/compression.o src/payload.o src/hash.o src/pattern.o src/map.o
src/ev_poll.o src/ev_epoll.o src/ssl_sock.o src/shctx.o ebtree/ebtree.o
ebtree/eb32tree.o ebtree/eb64tree.o ebtree/ebmbtree.o ebtree/ebsttree.o
ebtree/ebimtree.o ebtree/ebistree.o   -lcrypt  -lz  -lssl -lcrypto
-L/usr/lib -lpcreposix -lpcre
/usr/bin/ld: skipping incompatible /usr/lib/libcrypt.so when searching for
-lcrypt
/usr/bin/ld: skipping incompatible /usr/lib/libc.so when searching for -lc
gcc -Iinclude -Iebtree -Wall  -O2 -g -fno-strict-aliasing
-DCONFIG_HAP_LINUX_SPLICE -DTPROXY -DCONFIG_HAP_LINUX_TPROXY
-DCONFIG_HAP_CRYPT -DUSE_ZLIB  -DENABLE_POLL -DENABLE_EPOLL
-DUSE_CPU_AFFINITY -DASSUME_SPLICE_WORKS -DUSE_ACCEPT4 -DNETFILTER
-DUSE_GETSOCKNAME -DUSE_OPENSSL  -DUSE_SYSCALL_FUTEX -DUSE_PCRE
-I/usr/include  -DCONFIG_HAPROXY_VERSION=\"1.5.2\"
-DCONFIG_HAPROXY_DATE=\"2014/07/12\" \
  -DSBINDIR='"/usr/local/sbin"' \
   -c -o src/haproxy-systemd-wrapper.o
src/haproxy-systemd-wrapper.c
gcc  -g -o haproxy-systemd-wrapper src/haproxy-systemd-wrapper.o   -lcrypt
 -lz  -lssl -lcrypto -L/usr/lib -lpcreposix -lpcre
/usr/bin/ld: skipping incompatible /usr/lib/libcrypt.so when searching for
-lcrypt
/usr/bin/ld: skipping incompatible /usr/lib/libc.so when searching for -lc



On Wed, Jul 16, 2014 at 9:27 AM, Peter M Souter  wrote:

> > I was trying to compile HAProxy 1.5.2 with SSL support on my box but was
> facing below error. Am I missing some prerequisites? Could anybody help:
>
> Pre-reqs are:
>
> sudo yum -y install pcre-devel gcc make openssl-devel
>
>
> Taken from https://github.com/nmilford/rpm-haproxy
>
> On Wed, Jul 16, 2014 at 3:22 PM, Kuldip Madnani 
> wrote:
>
>> Thanks Ryan/Mathew.
>>
>>
>> Step 1 : tar xzvf haproxy-1.5.2.tar.gz
>>
>> Step 2 : cd haproxy-1.5.2
>>
>> Step 3 : make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1
>>
>> gcc -Iinclude -Iebtree -Wall  -O2 -g -fno-strict-aliasing
>> -DCONFIG_HAP_LINUX_SPLICE -DTPROXY -DCONFIG_HAP_LINUX_TPROXY
>> -DCONFIG_HAP_CRYPT -DUSE_ZLIB  -DENABLE_POLL -DENABLE_EPOLL
>> -DUSE_CPU_AFFINITY -DASSUME_SPLICE_WORKS -DUSE_ACCEPT4 -DNETFILTER
>> -DUSE_GETSOCKNAME -DUSE_OPENSSL  -DUSE_SYSCALL_FUTEX -DUSE_PCRE
>> -I/usr/local/include  -DCONFIG_HAPROXY_VERSION=\"1.5.2\"
>> -DCONFIG_HAPROXY_DATE=\"2014/07/12\" \
>>   -DBUILD_TARGET='"linux2628"' \
>>   -DBUILD_ARCH='""' \
>>   -DBUILD_CPU='"generic"' \
>>   -DBUILD_CC='"gcc"' \
>>   -DBUILD_CFLAGS='"-O2 -g -fno-strict-aliasing"' \
>>   -DBUILD_OPTIONS='"USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1"' \
>>-c -o src/haproxy.o src/haproxy.c
>> In file included from include/types/proxy.h:34,
>>  from include/proto/log.h:32,
>>  from include/common/cfgparse.h:29,
>>  from src/haproxy.c:61:
>> include/common/regex.h:30:18: error: pcre.h: No such file or directory
>> include/common/regex.h:31:23: error: pcreposix.h: No such file or
>> directory
>> In file included from include/types/proxy.h:34,
>>  from include/proto/log.h:32,
>>  from include/common/cfgparse.h:29,
>>  from src/haproxy.c:61:
>> include/common/regex.h:38: error: expected specifier-qualifier-list
>> before 'pcre'
>> include/common/regex.h:67: error: expected '=', ',', ';', 'asm' or
>> '__attribute__' before 'pmatch'
>> include/common/regex.h:80: warning: type defaults to 'int' in declaration
>> of 'regmatch_t'
>> include/common/regex.h:80: error: expected ';', ',' or ')' before '*'
>> token
>> include/common/regex.h: In function 'regex_exec':
>> include/common/regex.h:89: warning: implicit declaration of function
>> 'pcre_exec'
>> include/common/regex.h:89: error: 'const struct my_regex' has no member
>> named 'reg'
>> include/common/regex.h:89: error: 'const struct my_regex' has no member
>> named 'extra'
>> include/common/regex.h: In function 'regex_exec2':
>> include/common/regex.h:109: error: 'const struct my_regex' has no member
>> named 'reg'
>> include/common/regex.h:109: error:

Operations this evening

2014-07-16 Thread Willy Tarreau
Hi all,

a quick mail to tell you that due to an IP address change on the
main server, the mailing list might be inoperative for a few minutes
this evening (European time) and that the web site will be cut for
the same time.

So don't panic even if things don't go as we expect. I'll send
another mail when everything is supposed to be back.

Thanks,
Willy




RE: Using a WhiteList in HAProxy 1.5

2014-07-16 Thread JDzialo John
Thanks Baptiste and Neil.

I do have multiple subnets I just posted one for the case.  I agree if you have 
only one it’s easier to handle in an acl.

Using deny unless worked perfectly!



From: n...@iamafreeman.com [mailto:n...@iamafreeman.com] On Behalf Of Neil - 
HAProxy List
Sent: Wednesday, July 16, 2014 12:29 PM
To: Baptiste
Cc: JDzialo John; HAProxy
Subject: Re: Using a WhiteList in HAProxy 1.5


Hi

If you only have one range and it does not change often then an acl file should 
be avoided.

http-request deny unless src 123.123.123.123/123

If you have more than one range an acl should be used

Only if you have many or they change often would a file suit.
It's clearer imho

Neil
On 16 Jul 2014 17:10, "Baptiste" mailto:bed...@gmail.com>> 
wrote:
On Wed, Jul 16, 2014 at 5:45 PM, JDzialo John 
mailto:jdzi...@edrnet.com>> wrote:
>
> Hi Guys,
>
>
>
> I want to only allow certain internal company IP addresses to have access to 
> one of my web farms.  I am using haproxy 1.5 on Debian 7.
>
>
>
> I am using a whitelist.lst file with the following contents...
>
>
>
> 10.0.0.0/8
>
>
>
> Here is my frontend configuration...
>
>
>
> frontend https-in
>
> bind *:443 ssl crt /etc/ssl/xxx.cert.chain.pem
>
> http-request allow if { src -f 
> /etc/haproxy/whitelist.lst }
>
> reqadd X-Forwarded-Proto:https
>
> reqadd X-Forwarded-Port:443
>
> timeout client 60
>
>
>
> default-backend web
>
>
>
> However any IP is still allowed through this frontend.  It does not appear to 
> be restricting access to any other IP.  Am I missing something in my 
> configuration?
>
>
>
> Thanks
>
>
>
>
>
> John Dzialo | Linux System Administrator
>
> Direct 203.783.8163 | Main 800.352.0050
>
>
>
> Environmental Data Resources, Inc.
>
> 440 Wheelers Farms Road, Milford, CT 06461
>
> www.edrnet.com | 
> commonground.edrnet.com
>
>
>
>



Hi John,

Please avoid HTML mails...

Give a try to the following configuration:
  http-request deny unless { src -f /etc/haproxy/whitelist.lst }


Baptiste


[PATCH] Memory corruption building Proxy Protocol V2 header

2014-07-16 Thread Dave McCowan
Hi Willy, Emeric--
A commit on 6/24 changed the way ssl_sock_get_remote_common_name()
works.
I agree with this refactoring, unfortunately both make_proxy_line_v2()
and the caller of make_proxy_line_v2() are using the global trash chunk as
a workspace resulting in a memory overwrite.
I've attached a patch to fix this.

Commit comment: Use temporary trash chunk, instead of global trash chunk in
make_proxy_line_v2() to avoid memory corruption.

Thanks,
--Dave
diff --git a/src/connection.c b/src/connection.c
index 20a911b..e625589 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -622,6 +622,7 @@ int make_proxy_line_v2(char *buf, int buf_len, struct 
server *srv, struct connec
char *value = NULL;
struct tlv_ssl *tlv;
int ssl_tlv_len = 0;
+   struct chunk *cn_trash;
 #endif
 
if (buf_len < PP2_HEADER_LEN)
@@ -682,8 +683,9 @@ int make_proxy_line_v2(char *buf, int buf_len, struct 
server *srv, struct connec
tlv->verify = 
htonl(ssl_sock_get_verify_result(remote));
}
if (srv->pp_opts & SRV_PP_V2_SSL_CN) {
+   cn_trash = get_trash_chunk();
if (ssl_sock_get_remote_common_name(remote, 
&trash) > 0) {
-   tlv_len = 
make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, 
trash.len, trash.str);
+   tlv_len = 
make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, 
cn_trash->len, cn_trash->str);
ssl_tlv_len += tlv_len;
}
}
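Review bot: the CN is still fetched into the global chunk while the TLV is built from the private one. In the `if (srv->pp_opts & SRV_PP_V2_SSL_CN)` block, `ssl_sock_get_remote_common_name(remote, &trash)` keeps filling `trash`, but the new `make_tlv(...)` call reads `cn_trash->len` and `cn_trash->str`, which nothing has written since `get_trash_chunk()` returned the chunk, so the TLV carries whatever that chunk last held and the overwrite of `trash` (and of `buf` whenever the caller passed `trash.str`) is not removed. Pass the private chunk to the getter instead: `if (ssl_sock_get_remote_common_name(remote, cn_trash) > 0) {`.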


Conditionally disable TCP_NODELAY

2014-07-16 Thread Patrick Hemmer
It would be nice to be able to control the usage of TCP_NODELAY. Right
now it looks like haproxy immediately turns the flag on upon any
frontend or server connection. When doing bulk data transfers, this can
have a negative impact on performance.
However I do not think this should be a global option. I would think
this is an option best turned on and off by ACL rules. You may only have
certain URLs which return bulk data, or maybe you want to turn it off
when entering the data phase, or perhaps only when Content-Length is
greater than a certain amount.

I think there are numerous uses for this feature, but the only other
request I saw was a mailing list entry from a few months ago
(http://marc.info/?l=haproxy&m=139176184632622) to which the response
was to use the http-no-delay option. When I looked into it, this is not
controlling TCP_NODELAY, and thus not relevant.

Thoughts?

-Patrick


Re: Binaries for HAProxy.

2014-07-16 Thread Neil - HAProxy List
And let's not do too much to dampen any pressure to get haproxy 1.5 into
rhel7 and ubuntu1404

Neil
On 16 Jul 2014 16:12, "Ghislain"  wrote:

>
>
>> Just put http://nd-build-01.linux-appliance.net/repos/centos/
>> haproxy/haproy-centos-6x.repo under /etc/yum.repos.d/
>> and issue yum install haproxy.
>>
>
> of course you do trust the security of your entire server on this repo ?
> before doing that just be sure of what this implies :)
>
> there is no issue on trusting someone but remember that you trust this
> someone to install software as root on your server and update the package
> when new version comes.
>
> Do a minimum homework before authorizing repos. I do trust the debian
> team for backported 1.5 haproxy package but nevertheless I asked here if
> they were legit, verified what I could and limited the package I accept
> from the repo to a minimum just in case. I think the same goes on for
> CentOS/Redhat repos, do check the source and if not sure build yourself if
> there is no official sources.
>
>
> regards,
> Ghislain.
>
>


Re: Adding Serial Number to POST Requests

2014-07-16 Thread Jonathan Matthews
On 16 Jul 2014 16:56, "Zuoning Yin"  wrote:
>
> We later also got the help from Willy.  He provided us a configuration
which solved our problem. To benefit other people,  I just posted it here.

I had meant to chime in on this thread earlier.

What happens when your HAProxy layer loses state - be it reboot, service
restart or  data centre power cut? Are you risking resetting the counter
and overwriting existing data on the backend? Are you in fact treating HAP
as a single point of truth?

J


Re: Load balancing FTP with HAProxy behind a firewall

2014-07-16 Thread Dennis Jacobfeuerborn
On 16.07.2014 15:31, Nicolas Zedde wrote:
>> -Original Message-
>> From: Dennis Jacobfeuerborn [mailto:denni...@conversis.de]
>> Sent: Wednesday, July 16, 2014 1:22 PM
>> To: haproxy@formilux.org
>> Subject: Re: Load balancing FTP with HAProxy behind a firewall
>>
>> Have you considered using SFTP instead? It's more secure and doesn't suffer
>> from the data channel issue so it's easier to handle and most if not all FTP
>> GUI clients out there (Filezilla, WinSCP, etc.) on the various platforms also
>> support SFTP out of the box.
>> If you are using ProFTPd on the server it's fairly trivial to set up
>> including key support in addition to passwords and chroot.
>>
>> FTP still seems to be the default these days even though as a protocol
>> it's... problematic. In 99% of cases when someone asks for FTP access I
>> recommend SFTP instead and this works fine for people. FTP really should be
>> retired.
>>
>> Regards,
>>   Dennis
> 
> Hi,
> 
> SFTP looks like a smart idea to discard the FTP problems. I'll give it a try.
> Now I still have to find a way to redirect my ftp users to the correct server 
> using a single public ip / port.
> Thank you for your help anyway.

Since neither FTP nor SFTP support the concept of virtual hosts the only
way I see which could work is using SFTP with client certificates. If
you provide every user with a client certificate you could match the
certificate's common name using "ssl_f_s_dn(CN)" in haproxy and then
select a backend based on the value.

Regards,
  Dennis



Re: Using a WhiteList in HAProxy 1.5

2014-07-16 Thread Neil - HAProxy List
Hi

If you only have one range and it does not change often then an acl file
should be avoided.

http-request deny unless src 123.123.123.123/123

If you have more than one range an acl should be used

Only if you have many or they change often would a file suit.
It's clearer imho

Neil
On 16 Jul 2014 17:10, "Baptiste"  wrote:

> On Wed, Jul 16, 2014 at 5:45 PM, JDzialo John  wrote:
> >
> > Hi Guys,
> >
> >
> >
> > I want to only allow certain internal company IP addresses to have
> access to one of my web farms.  I am using haproxy 1.5 on Debian 7.
> >
> >
> >
> > I am using a whitelist.lst file with the following contents...
> >
> >
> >
> > 10.0.0.0/8
> >
> >
> >
> > Here is my frontend configuration...
> >
> >
> >
> > frontend https-in
> >
> > bind *:443 ssl crt
> /etc/ssl/xxx.cert.chain.pem
> >
> > http-request allow if { src -f
> /etc/haproxy/whitelist.lst }
> >
> > reqadd X-Forwarded-Proto:https
> >
> > reqadd X-Forwarded-Port:443
> >
> > timeout client 60
> >
> >
> >
> > default-backend web
> >
> >
> >
> > However any IP is still allowed through this frontend.  It does not
> appear to be restricting access to any other IP.  Am I missing something in
> my configuration?
> >
> >
> >
> > Thanks
> >
> >
> >
> >
> >
> > John Dzialo | Linux System Administrator
> >
> > Direct 203.783.8163 | Main 800.352.0050
> >
> >
> >
> > Environmental Data Resources, Inc.
> >
> > 440 Wheelers Farms Road, Milford, CT 06461
> >
> > www.edrnet.com | commonground.edrnet.com
> >
> >
> >
> >
>
>
>
> Hi John,
>
> Please avoid HTML mails...
>
> Give a try to the following configuration:
>   http-request deny unless { src -f /etc/haproxy/whitelist.lst }
>
>
> Baptiste
>
>


Re: Using HAProxy to Control Client Cache

2014-07-16 Thread Baptiste
On Wed, Jul 16, 2014 at 6:11 PM, Baptiste  wrote:
> On Wed, Jul 16, 2014 at 5:56 PM, JDzialo John  wrote:
>>
>> Hi Everyone,
>>
>>
>>
>> I am implementing a cache control policy on all our web servers and was 
>> curious if anyone ever uses haproxy to handle cache control.
>>
>>
>>
>> On IIS we are using Etags, Last-Modified and Cache Control maxage to force 
>> client browsers to check the etag hash.  If the etag value has changed, get 
>> the file as normal; if it has not changed, give a 304 response to the browser 
>> to inform it to use its cached file since it has not changed.
>>
>>
>>
>> Now to haproxy...
>>
>>
>>
>> 1.   Is there a documented way to read headers and manage the cache on 
>> the proxy side to give a 304 response to client browsers and avoid 
>> unnecessary calls to our backend web servers?
>>
>>
>>
>> I'm looking for some very general guidance as to what haproxy offers to help 
>> manage our file cache.
>>
>>
>>
>> Thanks
>>
>>
>>
>>
>>
>> John Dzialo | Linux System Administrator
>>
>> Direct 203.783.8163 | Main 800.352.0050
>>
>>
>>
>> Environmental Data Resources, Inc.
>>
>> 440 Wheelers Farms Road, Milford, CT 06461
>>
>> www.edrnet.com | commonground.edrnet.com
>>
>>
>>
>>
>
>
> Hi John,
>
> There is no way to achieve what you're describing.
> You could use Varnish as a reverse proxy cache for this purpose.
>
> Baptiste


I forgot a link:
http://blog.haproxy.com/2012/08/25/haproxy-varnish-and-the-single-hostname-website/

Baptiste



Re: Using HAProxy to Control Client Cache

2014-07-16 Thread Baptiste
On Wed, Jul 16, 2014 at 5:56 PM, JDzialo John  wrote:
>
> Hi Everyone,
>
>
>
> I am implementing a cache control policy on all our web servers and was 
> curious if anyone ever uses haproxy to handle cache control.
>
>
>
> On IIS we are using Etags, Last-Modified and Cache Control maxage to force 
> client browsers to check the etag hash.  If the etag value has changed, get 
> the file as normal; if it has not changed, give a 304 response to the browser 
> to inform it to use its cached file since it has not changed.
>
>
>
> Now to haproxy...
>
>
>
> 1.   Is there a documented way to read headers and manage the cache on 
> the proxy side to give a 304 response to client browsers and avoid 
> unnecessary calls to our backend web servers?
>
>
>
> I'm looking for some very general guidance as to what haproxy offers to help 
> manage our file cache.
>
>
>
> Thanks
>
>
>
>
>
> John Dzialo | Linux System Administrator
>
> Direct 203.783.8163 | Main 800.352.0050
>
>
>
> Environmental Data Resources, Inc.
>
> 440 Wheelers Farms Road, Milford, CT 06461
>
> www.edrnet.com | commonground.edrnet.com
>
>
>
>


Hi John,

There is no way to achieve what you're describing.
You could use Varnish as a reverse proxy cache for this purpose.

Baptiste



Re: Using a WhiteList in HAProxy 1.5

2014-07-16 Thread Baptiste
On Wed, Jul 16, 2014 at 5:45 PM, JDzialo John  wrote:
>
> Hi Guys,
>
>
>
> I want to only allow certain internal company IP addresses to have access to 
> one of my web farms.  I am using haproxy 1.5 on Debian 7.
>
>
>
> I am using a whitelist.lst file with the following contents...
>
>
>
> 10.0.0.0/8
>
>
>
> Here is my frontend configuration...
>
>
>
> frontend https-in
>
> bind *:443 ssl crt /etc/ssl/xxx.cert.chain.pem
>
> http-request allow if { src -f 
> /etc/haproxy/whitelist.lst }
>
> reqadd X-Forwarded-Proto:https
>
> reqadd X-Forwarded-Port:443
>
> timeout client 60
>
>
>
> default-backend web
>
>
>
> However any IP is still allowed through this frontend.  It does not appear to 
> be restricting access to any other IP.  Am I missing something in my 
> configuration?
>
>
>
> Thanks
>
>
>
>
>
> John Dzialo | Linux System Administrator
>
> Direct 203.783.8163 | Main 800.352.0050
>
>
>
> Environmental Data Resources, Inc.
>
> 440 Wheelers Farms Road, Milford, CT 06461
>
> www.edrnet.com | commonground.edrnet.com
>
>
>
>



Hi John,

Please avoid HTML mails...

Give a try to the following configuration:
  http-request deny unless { src -f /etc/haproxy/whitelist.lst }


Baptiste



Using HAProxy to Control Client Cache

2014-07-16 Thread JDzialo John
Hi Everyone,

I am implementing a cache control policy on all our web servers and was curious 
if anyone ever uses haproxy to handle cache control.

On IIS we are using Etags, Last-Modified and Cache Control maxage to force 
client browsers to check the etag hash.  If the etag value has changed, get the 
file as normal; if it has not changed, give a 304 response to the browser to 
inform it to use its cached file since it has not changed.

Now to haproxy...


1.   Is there a documented way to read headers and manage the cache on the 
proxy side to give a 304 response to client browsers and avoid unnecessary 
calls to our backend web servers?

I'm looking for some very general guidance as to what haproxy offers to help 
manage our file cache.

Thanks


John Dzialo | Linux System Administrator
Direct 203.783.8163 | Main 800.352.0050

Environmental Data Resources, Inc.
440 Wheelers Farms Road, Milford, CT 06461
www.edrnet.com | 
commonground.edrnet.com




Re: Adding Serial Number to POST Requests

2014-07-16 Thread Zuoning Yin
We later also got the help from Willy.  He provided us a configuration
which solved our problem. To benefit other people,  I just posted it here.

### Willy's response ###


> I
> actually asked this question in gmane and Baptiste also suggested that we
> could do this in header.
>
> However, we failed to find an example config about this issue after quite
a
> lot of googling. If possible, would you please provide a config snippet
> which can do our job?
>
> What we need is that:
>
> 1)  Have a counter to count the POST requests
> 2)  When forwarding http requests (both POST and GET), add the value of
> this counter as a header

OK so it's not exactly a request ID since multiple requests will have the
same ID, it's a POST counter.

> Baptiste suggested that we should use some stick table along with some
> counters, but we can't figure out how to do it exactly (Sorry, we are
still
> new to Haproxy).

I understand why he suggested a stick-table: stick-tables allow you to
store a few metrics among which a general purpose counter that you can
increment when you want (gpc0).

> Another question, I found the counter gpc0 is just 32 bit. Is there any
> chance we can have a 64 bit counter?

No, but in a more ugly fashion, what could be done would be to track two
gpc0 (one per stick table) and send them both.

Let's try something like this:

# this is ugly, but we need only one key for the lower 32-bit,
# and one for the higher 32-bit. So we track two constants, one
# which is a boolean false, cast to integer 0, and one which is
# boolean true, cast to integer 1.
tcp-request connection track-sc0 always_false table counter
tcp-request connection track-sc1 always_true table counter

# increment sc0_gpc0 on POST, increment sc1_gpc0 when sc0_gpc0 overflows,
# and send both values as a header in hex form.
http-request set-header X-post-counter %[sc1_get_gpc0]:%[sc0_get_gpc0] if METH_POST { sc0_inc_gpc0 gt 0 } || METH_POST { sc1_inc_gpc0 gt 0 }

backend counter
stick-table type integer size 2 store gpc0

It will produce an output looking like this:

   GET / HTTP/1.1
   Host: foo
   X-post-counter: 0:521

Here the counter should be interpreted as (0 << 32) + 521. The right word
(521) will wrap after 2^32-1 and the left one will be incremented by one
upon every wrapping.

Regards,
Willy

##


Thanks both Willy and Baptiste!

--Zuoning


On Thu, Jul 10, 2014 at 8:21 PM, Zuoning Yin  wrote:

> Hi Baptiste,
>  Thanks so much for the reply. It is good to know stick table can help
> with my case. I had tried some further googling, but can't find a similar
> example that I can follow. Sorry, I am still new to HAProxy.
>  It will be highly appreciated if you could provide some sample config
> snippet about this particular issue.
>  Before that, please allow me to reiterate the goal that we want to
> achieve (I omitted some details in my previous post).
>  We want a global counter for POST requests (I guess we can use gpc0
> here). For every POST request, we need to increase the counter by 1. We
> will also have GET requests, but we don't do anything with the counter for
> GET.  Then when we forward requests to backends, we want to append this
> global counter to the request URL.
>  For example, assume the value of current global counter is 1001, we
> need:
>
>  curl -X POST -H 'Content-Type: application/json' -d
>  '{"key1":"value1"}'  http://localhost:9000/update
>  ==>
>  curl -X POST -H 'Content-Type: application/json' -d
>  '{"key1":"value1"}'  http://localhost:9000/update/1001
>
>  curl -X GET  http://localhost:9000/query
>  ==>
>  curl -X GET  http://localhost:9000/query/1001
>
>  I guess I need to define a counter in a stick table. Then define some
> acl to increase the counter. Then some rewrite rules to use this counter.
> However, I just don't know how to write the config for these tasks.
>
> Thanks,
> --Zuoning
>
> On Thu, Jul 10, 2014 at 6:16 PM, Baptiste  wrote:
>
>> On Thu, Jul 10, 2014 at 11:27 PM, Zuoning Yin 
>> wrote:
>> > Hi All,
>> >  We recently used haproxy as the load balancer in our system and
>> > it really worked great. However,  we still need one extra feature here.
>> >  For every POST request, we want to be able to append an id (or
>> > serial number) to it. Essentially, we are trying to serialize the POST
>> > requests.
>> >  For example,  for the following POST requests,
>> >
>> >  a.1) curl -X POST -H 'Content-Type: application/json' -d
>> > '{"key1":"value1"}'
>> > http://localhost:9000/update
>> >  a.2) curl -X POST -H 'Content-Type: application/json' -d
>> > '{"key2":"value2"}'
>> > http://localhost:9000/update
>> >  a.3) curl -X POST -H 'Content-Type: application/json' -d
>> > '{"key3":"value3"}'
>> > http://localhost:9000/update
>> >
>> > What

Using a WhiteList in HAProxy 1.5

2014-07-16 Thread JDzialo John
Hi Guys,

I want to only allow certain internal company IP addresses to have access to 
one of my web farms.  I am using haproxy 1.5 on Debian 7.

I am using a whitelist.lst file with the following contents...

10.0.0.0/8

Here is my frontend configuration...

frontend https-in
bind *:443 ssl crt /etc/ssl/xxx.cert.chain.pem
http-request allow if { src -f /etc/haproxy/whitelist.lst }
reqadd X-Forwarded-Proto:https
reqadd X-Forwarded-Port:443
timeout client 60

default-backend web

However any IP is still allowed through this frontend.  It does not appear to 
be restricting access to any other IP.  Am I missing something in my 
configuration?

Thanks





Fwd: Error Logs in Haproxy

2014-07-16 Thread Peter M Souter
Yeah, I looked in the logs before and I couldn't find the errors. But
either I didn't look hard enough or someone's changed the settings since I
last looked:

cat /var/log/capd/haproxy.log | grep 'has no server available!' | wc -l
46

But at least I can confirm I got the correct setup! :)


On Wed, Jul 16, 2014 at 4:08 PM, Baptiste  wrote:

> On Wed, Jul 16, 2014 at 4:22 PM, Peter M Souter 
> wrote:
> > Hello All!
> >
> > I'm fairly new to Haproxy and I'm configuring it with puppet as a
> reverse
> > proxy for several web apps.
> >
> > An issue I'm running into right now is that we're not getting error logs
> in
> > a file, they're just sent to stdout like so:
> >
> > Message from syslogd@localhost at Jul 16 11:17:06 ...
> > HAPROXY[8271]: backend foo has no server available!
> >
> > Right now the haproxy.cfg looks something like this:
> >
> > global
> > maxconn 4096
> > user haproxy
> > group haproxy
> > daemon
> > log 127.0.0.1 local0 debug
> > log-tag HAPROXY
> >
> > And my rsyslog config looks like this:
> >
> > $ModLoad imudp
> > $UDPServerRun 514
> >
> > local0.* -/var/log/capd/haproxy.log
> >
> > I read through the documentation and saw the log-separate-errors flag,
> if I
> > turn this on will those errors that normally go to stdout go to the
> file? Or
> > will it go to a separate file that I need to configure in Rsyslog? Thanks
> > Regards
> >
>
> Hi Peter,
>
> Have you looked into /var/log/capd/haproxy.log and look for the errors
> here?
> They should be there ;)
> This is your syslog server which is printing this error on your
> console, not HAProxy.
>
> Second, this is not a parsing error, but an error related to
> load-balancing: HAProxy tells you that there are no servers available
> in your farm;
> none of them were able to positively answer the health checks.
>
> Baptiste
>


Re: Binaries for HAProxy.

2014-07-16 Thread Ghislain




Just put 
http://nd-build-01.linux-appliance.net/repos/centos/haproxy/haproy-centos-6x.repo 
under /etc/yum.repos.d/

and issue yum install haproxy.


Of course you do trust the security of your entire server to this repo?
Before doing that, just be sure of what this implies :)


There is no issue in trusting someone, but remember that you trust this
someone to install software as root on your server and to update the
package when a new version comes.


Do a minimum of homework before authorizing repos. I do trust the Debian
team for the backported 1.5 haproxy package, but nevertheless I asked here if
they were legit, verified what I could and limited the packages I
accept from the repo to a minimum, just in case. I think the same goes
for CentOS/Redhat repos: do check the source, and if not sure build it
yourself if there are no official sources.



regards,
Ghislain.



Re: Error Logs in Haproxy

2014-07-16 Thread Baptiste
On Wed, Jul 16, 2014 at 4:22 PM, Peter M Souter  wrote:
> Hello All!
>
> I'm fairly new to Haproxy and I'm configuring it with puppet as a reverse
> proxy for several web apps.
>
> An issue I'm running into right now is that we're not getting error logs in
> a file, they're just sent to stdout like so:
>
> Message from syslogd@localhost at Jul 16 11:17:06 ...
> HAPROXY[8271]: backend foo has no server available!
>
> Right now the haproxy.cfg looks something like this:
>
> global
> maxconn 4096
> user haproxy
> group haproxy
> daemon
> log 127.0.0.1 local0 debug
> log-tag HAPROXY
>
> And my rsyslog config looks like this:
>
> $ModLoad imudp
> $UDPServerRun 514
>
> local0.* -/var/log/capd/haproxy.log
>
> I read through the documentation and saw the log-separate-errors flag, if I
> turn this on will those errors that normally go to stdout go to the file? Or
> will it go to a separate file that I need to configure in Rsyslog? Thanks
> Regards
>

Hi Peter,

Have you looked into /var/log/capd/haproxy.log and look for the errors here?
They should be there ;)
This is your syslog server which is printing this error on your
console, not HAProxy.

Second, this is not a parsing error, but an error related to
load-balancing: HAProxy tells you that there are no servers available
in your farm;
none of them were able to positively answer the health checks.

Baptiste



Re: Binaries for HAProxy.

2014-07-16 Thread Kobus Bensch
I just downloaded the standard source off the haproxy website.


Kobus Bensch

*Address:* 22 & 24 | Frederick Sanger Road | Guildford | Surrey | GU2 7YD
*Phone:* 0207 871 3890
*Email:* kobus.ben...@trustpayglobal.com




On 16 July 2014 15:18, Thomas Heil  wrote:

>  Hi,
>
> On 16.07.2014 16:14, Kobus Bensch wrote:
>
>  Hi
>
>  I have built my own RPM with a spec file and it works great. I can share
> the rpm if anybody is interested
>
> I would be interested. Can you share your source RPM?
>
>
>
>
>
>
>
> On 16 July 2014 15:07, Kuldip Madnani  wrote:
>
>> My Linux Distribution is :
>>
>>  Red Hat Enterprise Linux Server release 6.3 (Santiago)
>>
>>
>> On Wed, Jul 16, 2014 at 9:03 AM, Mathew Levett 
>> wrote:
>>
>>>   Hi Kuldip,
>>>
>>> I think you may need to provide a little more information; it may be
>>> that your Linux distribution already has haproxy in its repository.
>>> However, the information supplied does not really show what you're running.
>>> Do you know the distribution name?
>>>
>>> If it's Debian then something like 'apt-get install haproxy' may be all
>>> you need; RedHat-based distros may use yum, so 'yum install haproxy'.
>>> However, it's also not that hard to compile the latest version from source,
>>> and it is well documented in the download file.
>>>
>>>  Usually on a list like this you need to supply as much information as
>>> possible so the people here can help.
>>>
>>>  Kind Regards,
>>>
>>> Mathew
>>>
>>>
>>>  On 16 July 2014 14:50, Kuldip Madnani  wrote:
>>>
>>>> Hi,
>>>>
>>>> Where can I find the compiled binaries for haproxy? My system
>>>> configuration is this:
>>>>
>>>> $ uname -a
>>>> Linux  2.6.32-279.22.1.el6.x86_64 #1 SMP Sun Jan 13 09:21:40 EST 2013
>>>> x86_64 x86_64 x86_64 GNU/Linux
>>>>
>>>> Thanks & Regards,
>>>> Kuldip
>>>>

>>>
>>
>
> Trustpay Global Limited is an authorised Electronic Money Institution
> regulated by the Financial Conduct Authority registration number 900043.
> Company No 07427913 Registered in England and Wales with registered address
> 130 Wood Street, London, EC2V 6DL, United Kingdom.
>
> For further details please visit our website at www.trustpayglobal.com.
>
> The information in this email and any attachments are confidential and
> remain the property of Trustpay Global Ltd unless agreed by contract. It is
> intended solely for the person to whom or the entity to which it is
> addressed. If you are not the intended recipient you may not use, disclose,
> copy, distribute, print or rely on the content of this email or its
> attachments. If this email has been received by you in error please advise
> the sender and delete the email from your system. Trustpay Global Ltd does
> not accept any liability for any personal view expressed in this message.
>
>
> cheers,
> thomas
>

-- 




Re: Binaries for HAProxy.

2014-07-16 Thread Peter M Souter
> I was trying to compile HAProxy 1.5.2 with SSL support on my box but was
> facing the below error. Am I missing some prerequisites? Could anybody help:

Pre-reqs are:

sudo yum -y install pcre-devel gcc make openssl-devel


Taken from https://github.com/nmilford/rpm-haproxy

On Wed, Jul 16, 2014 at 3:22 PM, Kuldip Madnani 
wrote:

> Thanks Ryan/Mathew.
>
>
> Step 1 : tar xzvf haproxy-1.5.2.tar.gz
>
> Step 2 : cd haproxy-1.5.2
>
> Step 3 : make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1
>
> gcc -Iinclude -Iebtree -Wall  -O2 -g -fno-strict-aliasing
> -DCONFIG_HAP_LINUX_SPLICE -DTPROXY -DCONFIG_HAP_LINUX_TPROXY
> -DCONFIG_HAP_CRYPT -DUSE_ZLIB  -DENABLE_POLL -DENABLE_EPOLL
> -DUSE_CPU_AFFINITY -DASSUME_SPLICE_WORKS -DUSE_ACCEPT4 -DNETFILTER
> -DUSE_GETSOCKNAME -DUSE_OPENSSL  -DUSE_SYSCALL_FUTEX -DUSE_PCRE
> -I/usr/local/include  -DCONFIG_HAPROXY_VERSION=\"1.5.2\"
> -DCONFIG_HAPROXY_DATE=\"2014/07/12\" \
>   -DBUILD_TARGET='"linux2628"' \
>   -DBUILD_ARCH='""' \
>   -DBUILD_CPU='"generic"' \
>   -DBUILD_CC='"gcc"' \
>   -DBUILD_CFLAGS='"-O2 -g -fno-strict-aliasing"' \
>   -DBUILD_OPTIONS='"USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1"' \
>-c -o src/haproxy.o src/haproxy.c
> In file included from include/types/proxy.h:34,
>  from include/proto/log.h:32,
>  from include/common/cfgparse.h:29,
>  from src/haproxy.c:61:
> include/common/regex.h:30:18: error: pcre.h: No such file or directory
> include/common/regex.h:31:23: error: pcreposix.h: No such file or directory
> In file included from include/types/proxy.h:34,
>  from include/proto/log.h:32,
>  from include/common/cfgparse.h:29,
>  from src/haproxy.c:61:
> include/common/regex.h:38: error: expected specifier-qualifier-list before
> ‘pcre’
> include/common/regex.h:67: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or
> ‘__attribute__’ before ‘pmatch’
> include/common/regex.h:80: warning: type defaults to ‘int’ in declaration
> of ‘regmatch_t’
> include/common/regex.h:80: error: expected ‘;’, ‘,’ or ‘)’ before ‘*’ token
> include/common/regex.h: In function ‘regex_exec’:
> include/common/regex.h:89: warning: implicit declaration of function
> ‘pcre_exec’
> include/common/regex.h:89: error: ‘const struct my_regex’ has no member
> named ‘reg’
> include/common/regex.h:89: error: ‘const struct my_regex’ has no member
> named ‘extra’
> include/common/regex.h: In function ‘regex_exec2’:
> include/common/regex.h:109: error: ‘const struct my_regex’ has no member
> named ‘reg’
> include/common/regex.h:109: error: ‘const struct my_regex’ has no member
> named ‘extra’
> include/common/regex.h: At top level:
> include/common/regex.h:125: error: expected declaration specifiers or
> ‘...’ before ‘regmatch_t’
> include/common/regex.h:127: error: expected declaration specifiers or
> ‘...’ before ‘regmatch_t’
> include/common/regex.h: In function ‘regex_free’:
> include/common/regex.h:131: warning: implicit declaration of function
> ‘pcre_free’
> include/common/regex.h:131: error: ‘struct my_regex’ has no member named
> ‘reg’
> In file included from include/types/acl.h:33,
>  from include/types/proxy.h:40,
>  from include/proto/log.h:32,
>  from include/common/cfgparse.h:29,
>  from src/haproxy.c:61:
> include/types/server.h:29:25: error: openssl/ssl.h: No such file or
> directory
> In file included from include/types/connection.h:30,
>  from include/types/server.h:36,
>  from include/types/acl.h:33,
>  from include/types/proxy.h:40,
>  from include/proto/log.h:32,
>  from include/common/cfgparse.h:29,
>  from src/haproxy.c:61:
> include/types/listener.h: At top level:
> include/types/listener.h:127: error: expected specifier-qualifier-list
> before ‘SSL_CTX’
> In file included from include/types/session.h:35,
>  from include/types/queue.h:29,
>  from include/types/server.h:41,
>  from include/types/acl.h:33,
>  from include/types/proxy.h:40,
>  from include/proto/log.h:32,
>  from include/common/cfgparse.h:29,
>  from src/haproxy.c:61:
> include/types/compression.h:28:18: error: zlib.h: No such file or directory
> In file included from include/types/session.h:35,
>  from include/types/queue.h:29,
>  from include/types/server.h:41,
>  from include/types/acl.h:33,
>  from include/types/proxy.h:40,
>  from include/proto/log.h:32,
>  from include/common/cfgparse.h:29,
>  from src/haproxy.c:61:
> include/types/compression.h:40: error: expected specifier-qualifier-list
> before ‘z_stream’
> In file included from include/types/acl.h:33,
>  

Re: Binaries for HAProxy.

2014-07-16 Thread Ryan O'Hara
On Wed, Jul 16, 2014 at 09:22:46AM -0500, Kuldip Madnani wrote:
> Thanks Ryan/Mathew.
> 
> I was trying to compile HAProxy 1.5.2 with SSL support on my box but was
> facing the below error. Am I missing some prerequisites? Could anybody help:
> Step 1 : tar xzvf haproxy-1.5.2.tar.gz
> 
> Step 2 : cd haproxy-1.5.2
> 
> Step 3 : make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1

You need devel packages if you are building from source. Install
openssl-devel, zlib-devel and pcre-devel.

Ryan


> gcc -Iinclude -Iebtree -Wall  -O2 -g -fno-strict-aliasing
> -DCONFIG_HAP_LINUX_SPLICE -DTPROXY -DCONFIG_HAP_LINUX_TPROXY
> -DCONFIG_HAP_CRYPT -DUSE_ZLIB  -DENABLE_POLL -DENABLE_EPOLL
> -DUSE_CPU_AFFINITY -DASSUME_SPLICE_WORKS -DUSE_ACCEPT4 -DNETFILTER
> -DUSE_GETSOCKNAME -DUSE_OPENSSL  -DUSE_SYSCALL_FUTEX -DUSE_PCRE
> -I/usr/local/include  -DCONFIG_HAPROXY_VERSION=\"1.5.2\"
> -DCONFIG_HAPROXY_DATE=\"2014/07/12\" \
>   -DBUILD_TARGET='"linux2628"' \
>   -DBUILD_ARCH='""' \
>   -DBUILD_CPU='"generic"' \
>   -DBUILD_CC='"gcc"' \
>   -DBUILD_CFLAGS='"-O2 -g -fno-strict-aliasing"' \
>   -DBUILD_OPTIONS='"USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1"' \
>-c -o src/haproxy.o src/haproxy.c
> In file included from include/types/proxy.h:34,
>  from include/proto/log.h:32,
>  from include/common/cfgparse.h:29,
>  from src/haproxy.c:61:
> include/common/regex.h:30:18: error: pcre.h: No such file or directory
> include/common/regex.h:31:23: error: pcreposix.h: No such file or directory
> In file included from include/types/proxy.h:34,
>  from include/proto/log.h:32,
>  from include/common/cfgparse.h:29,
>  from src/haproxy.c:61:
> include/common/regex.h:38: error: expected specifier-qualifier-list before
> ‘pcre’
> include/common/regex.h:67: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or
> ‘__attribute__’ before ‘pmatch’
> include/common/regex.h:80: warning: type defaults to ‘int’ in declaration
> of ‘regmatch_t’
> include/common/regex.h:80: error: expected ‘;’, ‘,’ or ‘)’ before ‘*’ token
> include/common/regex.h: In function ‘regex_exec’:
> include/common/regex.h:89: warning: implicit declaration of function
> ‘pcre_exec’
> include/common/regex.h:89: error: ‘const struct my_regex’ has no member
> named ‘reg’
> include/common/regex.h:89: error: ‘const struct my_regex’ has no member
> named ‘extra’
> include/common/regex.h: In function ‘regex_exec2’:
> include/common/regex.h:109: error: ‘const struct my_regex’ has no member
> named ‘reg’
> include/common/regex.h:109: error: ‘const struct my_regex’ has no member
> named ‘extra’
> include/common/regex.h: At top level:
> include/common/regex.h:125: error: expected declaration specifiers or ‘...’
> before ‘regmatch_t’
> include/common/regex.h:127: error: expected declaration specifiers or ‘...’
> before ‘regmatch_t’
> include/common/regex.h: In function ‘regex_free’:
> include/common/regex.h:131: warning: implicit declaration of function
> ‘pcre_free’
> include/common/regex.h:131: error: ‘struct my_regex’ has no member named
> ‘reg’
> In file included from include/types/acl.h:33,
>  from include/types/proxy.h:40,
>  from include/proto/log.h:32,
>  from include/common/cfgparse.h:29,
>  from src/haproxy.c:61:
> include/types/server.h:29:25: error: openssl/ssl.h: No such file or
> directory
> In file included from include/types/connection.h:30,
>  from include/types/server.h:36,
>  from include/types/acl.h:33,
>  from include/types/proxy.h:40,
>  from include/proto/log.h:32,
>  from include/common/cfgparse.h:29,
>  from src/haproxy.c:61:
> include/types/listener.h: At top level:
> include/types/listener.h:127: error: expected specifier-qualifier-list
> before ‘SSL_CTX’
> In file included from include/types/session.h:35,
>  from include/types/queue.h:29,
>  from include/types/server.h:41,
>  from include/types/acl.h:33,
>  from include/types/proxy.h:40,
>  from include/proto/log.h:32,
>  from include/common/cfgparse.h:29,
>  from src/haproxy.c:61:
> include/types/compression.h:28:18: error: zlib.h: No such file or directory
> In file included from include/types/session.h:35,
>  from include/types/queue.h:29,
>  from include/types/server.h:41,
>  from include/types/acl.h:33,
>  from include/types/proxy.h:40,
>  from include/proto/log.h:32,
>  from include/common/cfgparse.h:29,
>  from src/haproxy.c:61:
> include/types/compression.h:40: error: expected specifier-qualifier-list
> before ‘z_stream’
> In file included from include/types/acl.h:33,
>  

Re: Binaries for HAProxy.

2014-07-16 Thread Peter M Souter
I've made a custom RPM I've been using for version 1.5.1 and I've hosted it
here:

https://bitbucket.org/PeteMS/haproxy-rpm-vagrant/downloads

I adapted the spec from https://github.com/nmilford/rpm-haproxy


On Wed, Jul 16, 2014 at 3:18 PM, Ryan O'Hara  wrote:

> On Wed, Jul 16, 2014 at 09:07:48AM -0500, Kuldip Madnani wrote:
> > My Linux Distribution is :
> >
> > Red Hat Enterprise Linux Server release 6.3 (Santiago)
>
> HAProxy is not included in RHEL 6.3. You will need RHEL 6.4 with Load
> Balancer AddOn or RHEL7.
>
> Ryan
>
> > On Wed, Jul 16, 2014 at 9:03 AM, Mathew Levett 
> > wrote:
> >
> > > Hi Kuldip,
> > >
> > > I think you may need to provide a little more information; it may be
> > > that your Linux distribution already has haproxy in its repository.
> > > However, the information supplied does not really show what you're
> > > running. Do you know the distribution name?
> > >
> > > If it's Debian then something like 'apt-get install haproxy' may be all
> > > you need; RedHat-based distros may use yum, so 'yum install haproxy'.
> > > However, it's also not that hard to compile the latest version from
> > > source and is well documented in the download file.
> > >
> > > Usually on a list like this you need to supply as much information as
> > > possible so the people here can help.
> > >
> > > Kind Regards,
> > >
> > > Mathew
> > >
> > >
> > > On 16 July 2014 14:50, Kuldip Madnani  wrote:
> > >
> > >> Hi,
> > >>
> > >> Where can I find the compiled binaries for haproxy? My system
> > >> configuration is this:
> > >>
> > >> $ uname -a
> > >> Linux  2.6.32-279.22.1.el6.x86_64 #1 SMP Sun Jan 13 09:21:40 EST 2013
> > >> x86_64 x86_64 x86_64 GNU/Linux
> > >>
> > >> Thanks & Regards,
> > >> Kuldip
> > >>
> > >>
> > >
>
>


Re: Binaries for HAProxy.

2014-07-16 Thread Kuldip Madnani
Thanks Ryan/Mathew.

I was trying to compile HAProxy 1.5.2 with SSL support on my box but was
facing the below error. Am I missing some prerequisites? Could anybody help:
Step 1 : tar xzvf haproxy-1.5.2.tar.gz

Step 2 : cd haproxy-1.5.2

Step 3 : make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1

gcc -Iinclude -Iebtree -Wall  -O2 -g -fno-strict-aliasing
-DCONFIG_HAP_LINUX_SPLICE -DTPROXY -DCONFIG_HAP_LINUX_TPROXY
-DCONFIG_HAP_CRYPT -DUSE_ZLIB  -DENABLE_POLL -DENABLE_EPOLL
-DUSE_CPU_AFFINITY -DASSUME_SPLICE_WORKS -DUSE_ACCEPT4 -DNETFILTER
-DUSE_GETSOCKNAME -DUSE_OPENSSL  -DUSE_SYSCALL_FUTEX -DUSE_PCRE
-I/usr/local/include  -DCONFIG_HAPROXY_VERSION=\"1.5.2\"
-DCONFIG_HAPROXY_DATE=\"2014/07/12\" \
  -DBUILD_TARGET='"linux2628"' \
  -DBUILD_ARCH='""' \
  -DBUILD_CPU='"generic"' \
  -DBUILD_CC='"gcc"' \
  -DBUILD_CFLAGS='"-O2 -g -fno-strict-aliasing"' \
  -DBUILD_OPTIONS='"USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1"' \
   -c -o src/haproxy.o src/haproxy.c
In file included from include/types/proxy.h:34,
 from include/proto/log.h:32,
 from include/common/cfgparse.h:29,
 from src/haproxy.c:61:
include/common/regex.h:30:18: error: pcre.h: No such file or directory
include/common/regex.h:31:23: error: pcreposix.h: No such file or directory
In file included from include/types/proxy.h:34,
 from include/proto/log.h:32,
 from include/common/cfgparse.h:29,
 from src/haproxy.c:61:
include/common/regex.h:38: error: expected specifier-qualifier-list before
‘pcre’
include/common/regex.h:67: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or
‘__attribute__’ before ‘pmatch’
include/common/regex.h:80: warning: type defaults to ‘int’ in declaration
of ‘regmatch_t’
include/common/regex.h:80: error: expected ‘;’, ‘,’ or ‘)’ before ‘*’ token
include/common/regex.h: In function ‘regex_exec’:
include/common/regex.h:89: warning: implicit declaration of function
‘pcre_exec’
include/common/regex.h:89: error: ‘const struct my_regex’ has no member
named ‘reg’
include/common/regex.h:89: error: ‘const struct my_regex’ has no member
named ‘extra’
include/common/regex.h: In function ‘regex_exec2’:
include/common/regex.h:109: error: ‘const struct my_regex’ has no member
named ‘reg’
include/common/regex.h:109: error: ‘const struct my_regex’ has no member
named ‘extra’
include/common/regex.h: At top level:
include/common/regex.h:125: error: expected declaration specifiers or ‘...’
before ‘regmatch_t’
include/common/regex.h:127: error: expected declaration specifiers or ‘...’
before ‘regmatch_t’
include/common/regex.h: In function ‘regex_free’:
include/common/regex.h:131: warning: implicit declaration of function
‘pcre_free’
include/common/regex.h:131: error: ‘struct my_regex’ has no member named
‘reg’
In file included from include/types/acl.h:33,
 from include/types/proxy.h:40,
 from include/proto/log.h:32,
 from include/common/cfgparse.h:29,
 from src/haproxy.c:61:
include/types/server.h:29:25: error: openssl/ssl.h: No such file or
directory
In file included from include/types/connection.h:30,
 from include/types/server.h:36,
 from include/types/acl.h:33,
 from include/types/proxy.h:40,
 from include/proto/log.h:32,
 from include/common/cfgparse.h:29,
 from src/haproxy.c:61:
include/types/listener.h: At top level:
include/types/listener.h:127: error: expected specifier-qualifier-list
before ‘SSL_CTX’
In file included from include/types/session.h:35,
 from include/types/queue.h:29,
 from include/types/server.h:41,
 from include/types/acl.h:33,
 from include/types/proxy.h:40,
 from include/proto/log.h:32,
 from include/common/cfgparse.h:29,
 from src/haproxy.c:61:
include/types/compression.h:28:18: error: zlib.h: No such file or directory
In file included from include/types/session.h:35,
 from include/types/queue.h:29,
 from include/types/server.h:41,
 from include/types/acl.h:33,
 from include/types/proxy.h:40,
 from include/proto/log.h:32,
 from include/common/cfgparse.h:29,
 from src/haproxy.c:61:
include/types/compression.h:40: error: expected specifier-qualifier-list
before ‘z_stream’
In file included from include/types/acl.h:33,
 from include/types/proxy.h:40,
 from include/proto/log.h:32,
 from include/common/cfgparse.h:29,
 from src/haproxy.c:61:
include/types/server.h:207: error: expected specifier-qualifier-list before
‘SSL_CTX’
In file included from src/haproxy.c:90:
include/proto/listener.h: In function ‘bind_conf_alloc’:
include/pro

Error Logs in Haproxy

2014-07-16 Thread Peter M Souter
Hello All!

I'm fairly new to Haproxy and I'm configuring it with puppet as a reverse
proxy for several web apps.

An issue I'm running into right now is that we're not getting error logs in
a file, they're just sent to stdout like so:

Message from syslogd@localhost at Jul 16 11:17:06 ...
HAPROXY[8271]: backend foo has no server available!

Right now the haproxy.cfg looks something like this:

global
maxconn 4096
user haproxy
group haproxy
daemon
log 127.0.0.1 local0 debug
log-tag HAPROXY

And my rsyslog config looks like this:

$ModLoad imudp
$UDPServerRun 514

local0.* -/var/log/capd/haproxy.log

I read through the documentation and saw the log-separate-errors flag, if I
turn this on will those errors that normally go to stdout go to the file?
Or will it go to a separate file that I need to configure in Rsyslog?
Thanks Regards


Re: Binaries for HAProxy.

2014-07-16 Thread Mathew Levett
Hello Kuldip,

Ok in that case you can probably use the following command to install the
binary.

yum install haproxy

However, this may be an older 1.4 version; if you want to build the latest
version you can use the guide here and simply skip over the
Transparent/T_Proxy part.

http://blog.loadbalancer.org/setting-up-haproxy-with-transparent-mode-on-centos-6-x/




On 16 July 2014 15:14, Kobus Bensch  wrote:

> Hi
>
> I have built my own RPM with a spec file and it works great. I can share
> the rpm if anybody is interested
>
>
>
>
>
>
>
> On 16 July 2014 15:07, Kuldip Madnani  wrote:
>
>> My Linux Distribution is :
>>
>> Red Hat Enterprise Linux Server release 6.3 (Santiago)
>>
>>
>> On Wed, Jul 16, 2014 at 9:03 AM, Mathew Levett 
>> wrote:
>>
>>> Hi Kuldip,
>>>
>>> I think you may need to provide a little more information; it may be
>>> that your Linux distribution already has haproxy in its repository.
>>> However, the information supplied does not really show what you're running.
>>> Do you know the distribution name?
>>>
>>> If it's Debian then something like 'apt-get install haproxy' may be all
>>> you need; RedHat-based distros may use yum, so 'yum install haproxy'.
>>> However, it's also not that hard to compile the latest version from source,
>>> and it is well documented in the download file.
>>>
>>> Usually on a list like this you need to supply as much information as
>>> possible so the people here can help.
>>>
>>> Kind Regards,
>>>
>>> Mathew
>>>
>>>
>>> On 16 July 2014 14:50, Kuldip Madnani  wrote:
>>>
>>>> Hi,
>>>>
>>>> Where can I find the compiled binaries for haproxy? My system
>>>> configuration is this:
>>>>
>>>> $ uname -a
>>>> Linux  2.6.32-279.22.1.el6.x86_64 #1 SMP Sun Jan 13 09:21:40 EST 2013
>>>> x86_64 x86_64 x86_64 GNU/Linux
>>>>
>>>> Thanks & Regards,
>>>> Kuldip


>>>
>>
>
>



-- 
With Kind Regards.

Mathew Levett
Loadbalancer.org
http://www.loadbalancer.org
Tel (UK) - +44 (0) 3303801064 (24x7)
Tel (US) - +1 888.867.9504 (Toll Free)(24x7)


Re: Binaries for HAProxy.

2014-07-16 Thread Ryan O'Hara
On Wed, Jul 16, 2014 at 09:07:48AM -0500, Kuldip Madnani wrote:
> My Linux Distribution is :
> 
> Red Hat Enterprise Linux Server release 6.3 (Santiago)

HAProxy is not included in RHEL 6.3. You will need RHEL 6.4 with Load
Balancer AddOn or RHEL7.

Ryan

> On Wed, Jul 16, 2014 at 9:03 AM, Mathew Levett 
> wrote:
> 
> > Hi Kuldip,
> >
> > I think you may need to provide a little more information; it may be that
> > your Linux distribution already has haproxy in its repository.
> > However, the information supplied does not really show what you're running.
> > Do you know the distribution name?
> >
> > If it's Debian then something like 'apt-get install haproxy' may be all you
> > need; RedHat based distros may use yum, so 'yum install haproxy'.  However,
> > it's also not that hard to compile the latest version from source and it is
> > well documented in the download file.
> >
> > Usually on a list like this you need to supply as much information as
> > possible so the people here can help.
> >
> > Kind Regards,
> >
> > Mathew
> >
> >
> > On 16 July 2014 14:50, Kuldip Madnani  wrote:
> >
> >> Hi,
> >>
> >> Where can I find the compiled binaries for haproxy. My system
> >> configuration is this:
> >>
> >> $ uname -a
> >> Linux  2.6.32-279.22.1.el6.x86_64 #1 SMP Sun Jan 13 09:21:40 EST 2013
> >> x86_64 x86_64 x86_64 GNU/Linux
> >>
> >> Thanks & Regards,
> >> Kuldip
> >>
> >>
> >



Re: Binaries for HAProxy.

2014-07-16 Thread Thomas Heil
Hi,

On 16.07.2014 16:14, Kobus Bensch wrote:
> Hi
>
> I have built my own RPM with a spec file and it works great. I can
> share the rpm if anybody is interested
>
I would be interested. Can you share your source RPM?
>
>
> Kobus Bensch
>
> *Address:* 22 & 24 | Frederick Sanger Road | Guildford | Surrey | GU2 7YD
> *Phone:* 0207 871 3890
> *Email:* kobus.ben...@trustpayglobal.com
>
>
>
>
>
> On 16 July 2014 15:07, Kuldip Madnani wrote:
>
> My Linux Distribution is : 
>
> Red Hat Enterprise Linux Server release 6.3 (Santiago)
>
>
> On Wed, Jul 16, 2014 at 9:03 AM, Mathew Levett wrote:
>
> Hi Kuldip,
>
> I think you may need to provide a little more information; it
> may be that your Linux distribution already has haproxy
> in its repository. However, the information supplied does not
> really show what you're running.  Do you know the distribution
> name?
>
> If it's Debian then something like 'apt-get install haproxy'
> may be all you need; RedHat based distros may use yum, so 'yum
> install haproxy'.  However, it's also not that hard to compile
> the latest version from source, and it is well documented in the
> download file.
>
> Usually on a list like this you need to supply as much
> information as possible so the people here can help.
>
> Kind Regards,
>
> Mathew
>
>
> On 16 July 2014 14:50, Kuldip Madnani wrote:
>
> Hi,
>
> Where can I find the compiled binaries for haproxy. My
> system configuration is this:
>
> $ uname -a
> Linux  2.6.32-279.22.1.el6.x86_64 #1 SMP Sun Jan 13
> 09:21:40 EST 2013 x86_64 x86_64 x86_64 GNU/Linux
>
> Thanks & Regards,
> Kuldip
>
>
>
>
>
>

cheers,
thomas


Re: Binaries for HAProxy.

2014-07-16 Thread Thomas Heil
Hi,


On 16.07.2014 16:07, Kuldip Madnani wrote:
> My Linux Distribution is : 
>
> Red Hat Enterprise Linux Server release 6.3 (Santiago)
>
As far as I know RedHat or CentOS 6.x has only haproxy 1.4 packages in
its repo. You might want to use
my repo at http://nd-build-01.linux-appliance.net/repos/centos/haproxy/

Just put
http://nd-build-01.linux-appliance.net/repos/centos/haproxy/haproy-centos-6x.repo
under /etc/yum.repos.d/
and issue yum install haproxy.

After that you should have 1.5.2 on your box.

> On Wed, Jul 16, 2014 at 9:03 AM, Mathew Levett wrote:
>
> Hi Kuldip,
>
> I think you may need to provide a little more information; it may
> be that your Linux distribution already has haproxy in its
> repository. However, the information supplied does not really show
> what you're running.  Do you know the distribution name?
>
> If it's Debian then something like 'apt-get install haproxy' may be
> all you need; RedHat based distros may use yum, so 'yum install
> haproxy'.  However, it's also not that hard to compile the latest
> version from source, and it is well documented in the download file.
>
> Usually on a list like this you need to supply as much information
> as possible so the people here can help.
>
> Kind Regards,
>
> Mathew
>
>
> On 16 July 2014 14:50, Kuldip Madnani wrote:
>
> Hi,
>
> Where can I find the compiled binaries for haproxy. My system
> configuration is this:
>
> $ uname -a
> Linux  2.6.32-279.22.1.el6.x86_64 #1 SMP Sun Jan 13 09:21:40
> EST 2013 x86_64 x86_64 x86_64 GNU/Linux
>
> Thanks & Regards,
> Kuldip
>
>
>
cheers,
thomas


Re: Binaries for HAProxy.

2014-07-16 Thread Kobus Bensch
Hi

I have built my own RPM with a spec file and it works great. I can share
the RPM if anybody is interested.



Kobus Bensch

*Address:* 22 & 24 | Frederick Sanger Road | Guildford | Surrey | GU2 7YD
*Phone:* 0207 871 3890
*Email:* kobus.ben...@trustpayglobal.com




On 16 July 2014 15:07, Kuldip Madnani  wrote:

> My Linux Distribution is :
>
> Red Hat Enterprise Linux Server release 6.3 (Santiago)
>
>
> On Wed, Jul 16, 2014 at 9:03 AM, Mathew Levett wrote:
>
>> Hi Kuldip,
>>
>> I think you may need to provide a little more information; it may be that
>> your Linux distribution already has haproxy in its repository.
>> However, the information supplied does not really show what you're running.
>> Do you know the distribution name?
>>
>> If it's Debian then something like 'apt-get install haproxy' may be all
>> you need; RedHat based distros may use yum, so 'yum install haproxy'.
>> However, it's also not that hard to compile the latest version from source,
>> and it is well documented in the download file.
>>
>> Usually on a list like this you need to supply as much information as
>> possible so the people here can help.
>>
>> Kind Regards,
>>
>> Mathew
>>
>>
>> On 16 July 2014 14:50, Kuldip Madnani  wrote:
>>
>>> Hi,
>>>
>>> Where can I find the compiled binaries for haproxy. My system
>>> configuration is this:
>>>
>>> $ uname -a
>>> Linux  2.6.32-279.22.1.el6.x86_64 #1 SMP Sun Jan 13 09:21:40 EST 2013
>>> x86_64 x86_64 x86_64 GNU/Linux
>>>
>>> Thanks & Regards,
>>> Kuldip
>>>
>>>
>>
>

-- 




Re: Binaries for HAProxy.

2014-07-16 Thread Kuldip Madnani
My Linux Distribution is :

Red Hat Enterprise Linux Server release 6.3 (Santiago)


On Wed, Jul 16, 2014 at 9:03 AM, Mathew Levett wrote:

> Hi Kuldip,
>
> I think you may need to provide a little more information; it may be that
> your Linux distribution already has haproxy in its repository.
> However, the information supplied does not really show what you're running.
> Do you know the distribution name?
>
> If it's Debian then something like 'apt-get install haproxy' may be all you
> need; RedHat based distros may use yum, so 'yum install haproxy'.  However,
> it's also not that hard to compile the latest version from source and it is
> well documented in the download file.
>
> Usually on a list like this you need to supply as much information as
> possible so the people here can help.
>
> Kind Regards,
>
> Mathew
>
>
> On 16 July 2014 14:50, Kuldip Madnani  wrote:
>
>> Hi,
>>
>> Where can I find the compiled binaries for haproxy. My system
>> configuration is this:
>>
>> $ uname -a
>> Linux  2.6.32-279.22.1.el6.x86_64 #1 SMP Sun Jan 13 09:21:40 EST 2013
>> x86_64 x86_64 x86_64 GNU/Linux
>>
>> Thanks & Regards,
>> Kuldip
>>
>>
>


Re: Binaries for HAProxy.

2014-07-16 Thread Mathew Levett
Hi Kuldip,

I think you may need to provide a little more information; it may be that
your Linux distribution already has haproxy in its repository.
However, the information supplied does not really show what you're running.
Do you know the distribution name?

If it's Debian then something like 'apt-get install haproxy' may be all you
need; RedHat based distros may use yum, so 'yum install haproxy'.  However,
it's also not that hard to compile the latest version from source and it is
well documented in the download file.

Usually on a list like this you need to supply as much information as
possible so the people here can help.

Kind Regards,

Mathew


On 16 July 2014 14:50, Kuldip Madnani  wrote:

> Hi,
>
> Where can I find the compiled binaries for haproxy. My system configuration
> is this:
>
> $ uname -a
> Linux  2.6.32-279.22.1.el6.x86_64 #1 SMP Sun Jan 13 09:21:40 EST 2013
> x86_64 x86_64 x86_64 GNU/Linux
>
> Thanks & Regards,
> Kuldip
>
>


Binaries for HAProxy.

2014-07-16 Thread Kuldip Madnani
Hi,

Where can I find the compiled binaries for haproxy. My system configuration
is this:

$ uname -a
Linux  2.6.32-279.22.1.el6.x86_64 #1 SMP Sun Jan 13 09:21:40 EST 2013
x86_64 x86_64 x86_64 GNU/Linux

Thanks & Regards,
Kuldip


RE: Load balancing FTP with HAProxy behind a firewall

2014-07-16 Thread Nicolas Zedde
> -Original Message-
> From: Dennis Jacobfeuerborn [mailto:denni...@conversis.de]
> Sent: Wednesday, July 16, 2014 1:22 PM
> To: haproxy@formilux.org
> Subject: Re: Load balancing FTP with HAProxy behind a firewall
> 
> Have you considered using SFTP instead? It's more secure and doesn't suffer
> from the data channel issue so it's easier to handle, and most if not all FTP
> GUI clients out there (Filezilla, WinSCP, etc.) on the various platforms also
> support SFTP out of the box.
> If you are using ProFTPd on the server it's fairly trivial to set up, including
> key support in addition to passwords and chroot.
> 
> FTP still seems to be the default these days even though as a protocol
> it's... problematic. In 99% of cases when someone asks for FTP access I
> recommend SFTP instead and this works fine for people. FTP really should be
> retired.
> 
> Regards,
>   Dennis

Hi,

SFTP looks like a smart idea to discard the FTP problems. I'll give it a try.
Now I still have to find a way to redirect my ftp users to the correct server 
using a single public ip / port.
Thank you for your help anyway.

Regards,

Nicolas ZEDDE



Re: Load balancing FTP with HAProxy behind a firewall

2014-07-16 Thread Dennis Jacobfeuerborn
On 16.07.2014 10:39, Nicolas Zedde wrote:
> Hi everyone,
> 
> I have been using HAProxy to publish my websites for months now and it works
> like a charm. Thank you for that.
> Today, I have to set up FTP access through HAProxy and I face the hideous
> protocol caveats with the data channel.
> I want all FTP traffic to be NATed to HAProxy through my firewall, then
> distributed to the different FTP servers through hdr(host) ACLs.
> 
> From what I read, my HAProxy config seems fine but I need to add NAT rules to
> the HAProxy server in order to forward data channel packets, and set HAProxy
> as the default gateway on the FTP servers.
> I can't figure out how to configure these rules in iptables.
> Could someone show an example iptables configuration for that?
> 
> HAProxy config :
> frontend ftp
>   bind *:21 transparent
>   mode tcp
>   option tcplog
>   acl host_ftp1 hdr(host) -i ftp1.domain.tld
>   acl host_ftp2 hdr(host) -i ftp2.domain.tld
>   use_backend ftp1 if host_ftp1
>   use_backend ftp2 if host_ftp2
> 
> backend ftp1
>   server node1 10.10.10.2:21 check
> backend ftp2
>   server node1 10.10.10.3:21 check
> 
> Thank you for your help,
> 
> Nicolas ZEDDE
> 

Have you considered using SFTP instead? It's more secure and doesn't
suffer from the data channel issue so it's easier to handle, and most if
not all FTP GUI clients out there (Filezilla, WinSCP, etc.) on the
various platforms also support SFTP out of the box.
If you are using ProFTPd on the server it's fairly trivial to set up,
including key support in addition to passwords and chroot.

FTP still seems to be the default these days even though as a protocol
it's... problematic. In 99% of cases when someone asks for FTP access I
recommend SFTP instead and this works fine for people. FTP really should
be retired.

Regards,
  Dennis



Re: Load balancing FTP with HAProxy behind a firewall

2014-07-16 Thread Baptiste
On Wed, Jul 16, 2014 at 11:47 AM, Rainer Duffner  wrote:
>
>> hdr(host) ACL only applies to HTTP.
>> Furthermore, I'm not sure there is a notion of Host header in FTP ;)
>
>
> Last time I looked (admittedly with 1.4) into FTP+HAProxy, the
> end-result was that it was just not possible.
>
> AFAIK, you can use LVS for that on Linux.
>
>

You can in passive mode if you configure a port range on your server
and open the same port range in your HAProxy:
http://serverfault.com/questions/441721/ftp-through-haproxy

In active mode, you're right, it is not possible directly, you have to
use ipfilter: http://ben.timby.com/?page_id=210

Baptiste
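
A configuration that follows Baptiste's passive-mode advice, added here as an example and not taken from any post in the thread: since hdr(host) cannot pick a backend for FTP, each FTP host gets its own public address, and HAProxy binds the server's passive data range next to port 21. The 203.0.113.x addresses and the 50000-50100 range are assumptions for illustration (HAProxy 1.5 syntax).

```haproxy
# Passive-mode FTP through HAProxy, one public address per FTP host.
# hdr(host) is an HTTP-only fetch and cannot route FTP, so the only way
# to reach two servers is two listeners. Addresses assumed for the example.
listen ftp1
    bind 203.0.113.10:21
    bind 203.0.113.10:50000-50100   # same passive range the FTP server uses
    mode tcp
    option tcplog
    timeout client 1h               # control connection idles during transfers
    timeout server 1h
    # No port on the server line: HAProxy connects to the same port the
    # client hit, so 21 -> 21 and 50042 -> 50042 without one line per port.
    # Health checks still go to the control port only.
    server node1 10.10.10.2 check port 21

listen ftp2
    bind 203.0.113.11:21
    bind 203.0.113.11:50000-50100
    mode tcp
    option tcplog
    timeout client 1h
    timeout server 1h
    server node1 10.10.10.3 check port 21
```

The FTP server itself must be restricted to the same passive range and told to advertise the public address in its PASV replies, otherwise clients will be sent to the 10.10.10.x address and the data connection never reaches HAProxy. Active mode is still not covered by this, as Baptiste notes.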



Re: Load balancing FTP with HAProxy behind a firewall

2014-07-16 Thread Rainer Duffner

> hdr(host) ACL only applies to HTTP.
> Furthermore, I'm not sure there is a notion of Host header in FTP ;)


Last time I looked (admittedly with 1.4) into FTP+HAProxy, the
end-result was that it was just not possible.

AFAIK, you can use LVS for that on Linux.




Re: Load balancing FTP with HAProxy behind a firewall

2014-07-16 Thread Baptiste
On Wed, Jul 16, 2014 at 10:39 AM, Nicolas Zedde
 wrote:
> Hi everyone,
>
> I have been using HAProxy to publish my websites for months now and it works
> like a charm. Thank you for that.
> Today, I have to set up FTP access through HAProxy and I face the hideous
> protocol caveats with the data channel.
> I want all FTP traffic to be NATed to HAProxy through my firewall, then
> distributed to the different FTP servers through hdr(host) ACLs.
>
> From what I read, my HAProxy config seems fine but I need to add NAT rules to
> the HAProxy server in order to forward data channel packets, and set HAProxy
> as the default gateway on the FTP servers.
> I can't figure out how to configure these rules in iptables.
> Could someone show an example iptables configuration for that?
>
> HAProxy config :
> frontend ftp
>   bind *:21 transparent
>   mode tcp
>   option tcplog
>   acl host_ftp1 hdr(host) -i ftp1.domain.tld
>   acl host_ftp2 hdr(host) -i ftp2.domain.tld
>   use_backend ftp1 if host_ftp1
>   use_backend ftp2 if host_ftp2
>
> backend ftp1
>   server node1 10.10.10.2:21 check
> backend ftp2
>   server node1 10.10.10.3:21 check
>
> Thank you for your help,
>
> Nicolas ZEDDE
>

Hi Nicolas,

hdr(host) ACL only applies to HTTP.
Furthermore, I'm not sure there is a notion of Host header in FTP ;)

Baptiste



Load balancing FTP with HAProxy behind a firewall

2014-07-16 Thread Nicolas Zedde
Hi everyone,

I have been using HAProxy to publish my websites for months now and it works
like a charm. Thank you for that.
Today, I have to set up FTP access through HAProxy and I face the hideous
protocol caveats with the data channel.
I want all FTP traffic to be NATed to HAProxy through my firewall, then
distributed to the different FTP servers through hdr(host) ACLs.

From what I read, my HAProxy config seems fine but I need to add NAT rules to
the HAProxy server in order to forward data channel packets, and set HAProxy
as the default gateway on the FTP servers.
I can't figure out how to configure these rules in iptables.
Could someone show an example iptables configuration for that?

HAProxy config :
frontend ftp
  bind *:21 transparent
  mode tcp
  option tcplog
  acl host_ftp1 hdr(host) -i ftp1.domain.tld
  acl host_ftp2 hdr(host) -i ftp2.domain.tld
  use_backend ftp1 if host_ftp1
  use_backend ftp2 if host_ftp2

backend ftp1
  server node1 10.10.10.2:21 check
backend ftp2
  server node1 10.10.10.3:21 check

Thank you for your help,

Nicolas ZEDDE



RE: SSL on plain TCP mode

2014-07-16 Thread Lukas Tribus
Hi Steven,


>> The idea is that haproxy takes the SSL connect, then forwards plain TCP
>> to the mail server on port 25 - thereby providing an SMTP over SSL
>> connection.

Please keep in mind that implicit SSL on a dedicated TCP port (SMTPS, port
465) will work, but STARTSSL on port 25 will not work, as that would require
SMTP and STARTSSL support in haproxy.



Regards,

Lukas
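
Lukas's distinction in configuration form, added here as an example and not taken from the thread: implicit TLS on 465 is terminated by HAProxy and relayed as plain TCP to port 25, while port 25 itself is relayed untouched because HAProxy cannot speak SMTP, so STARTTLS there is negotiated end-to-end with the mail server. The certificate path and mail server address are assumptions.

```haproxy
# SMTPS (implicit TLS, port 465) terminated here and passed to the
# mail server in clear on 25. Cert path and addresses are assumed.
frontend smtps
    bind *:465 ssl crt /etc/haproxy/certs/mail.pem no-sslv3
    mode tcp
    option tcplog
    timeout client 5m
    default_backend mail

# Plain 25 is only relayed byte-for-byte: HAProxy does not understand
# the SMTP dialogue, so any STARTTLS upgrade happens between the client
# and the mail server, not at the proxy.
frontend smtp_plain
    bind *:25
    mode tcp
    option tcplog
    timeout client 5m
    default_backend mail

backend mail
    mode tcp
    timeout server 5m
    server mail1 10.0.0.25:25 check
```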