RE: Question on Using HAProxy in a Load-balanced config

2014-07-21 Thread jeff saremi
Would anyone from the haproxy team be kind enough to shed some light on this 
architecture-related question please? Thanks.

From: jeffsar...@hotmail.com
To: haproxy@formilux.org
Subject: Question on Using HAProxy in a Load-balanced config
Date: Mon, 21 Jul 2014 08:09:56 -0400




I have this question on using the HAProxy in a load-balanced manner in some 
configurations.
This arrangement is what is described in the following sections in the 
architecture document:

2. HTTP load-balancing with cookie prefixing and high availability
2.1 Variations involving external layer 4 load-balancers
 
The question is how does each proxy keep accurate track of the load on each web 
server? If I assign a maxconn value to my servers in the config files, how does 
one proxy know whether the max connections are going to be reached or not? 
Each proxy knows about the connections it is establishing itself and does not know 
about the other proxy?
What I can think of would be to halve the maxconn and put that halved value in 
each config file. The problem with this approach is if one of the proxies goes 
down, the remaining proxy will only load the server(s) up to half of their 
capacity (unless I update their config again).
I'm pretty sure this situation has been thought of otherwise the architecture 
document would not recommend a network arrangement like that.
I'd love to hear the how!

Thanks
Jeff
 

  

RE: Using a Whitlist to Redirect Users not on the Whitelist

2014-07-21 Thread JDzialo John
Hi Guys,

I’m new to haproxy configurations and this may be a very sophomoric question 
but am hoping someone can give me some guidance.  I have read through the 
documentation for haproxy 1.5.2 and haven’t seen a lot of info on using 
whitelist text files to allow traffic from specific originating CIDR subnets.

I have a whitelist of subnets in a text file and want to redirect all traffic 
to a maintenance page other than the CIDR subnets in the whitelist.lst file.

My whitelist.lst file is as follows…

#Allowed Internal Subnets
10.0.0.0/22
172.31.0.0/16
10.1.4.1/22
10.24.8.0/24
10.24.32.0/23
10.24.48.0/24
10.24.56.0/24
172.20.208.0/24
172.24.132.0/22
172.24.152.0/22
172.24.160.0/22
172.24.248.0/24
172.24.64.0/22
172.27.128.0/24
192.168.169.0/24

I am using the following http-request statement

http-request redirect location http://www.foo.com/maintenence unless { src -f /etc/haproxy/whitelist.lst }

With this statement all traffic is being redirected whether the client IP is in 
the whitelisted text file of subnets or not.

Is my format for the whitelist.lst file correct?  Is there any special 
formatting I need for haproxy to read it?

Is my http-request statement correct?  Any thoughts on how I can get this to 
work the way I intend?





From: JDzialo John [mailto:jdzi...@edrnet.com]
Sent: Thursday, July 17, 2014 1:38 PM
To: Jonathan Matthews; haproxy
Subject: RE: Using a Whitlist to Redirect Users not on the Whitelist

It was a method I found online without really understanding what 
X-Forwarded-For header does.

Traffic does not pass through a reverse proxy before hitting HAProxy.  It 
should be a direct hit from the client.  Is there a header I can compare to our 
whitelist to reliably get all incoming traffic’s originating IP?

REMOTE_ADDR, CLIENT_IP, etc?

Thanks

From: jonat...@jpluscplusm.com 
[mailto:jonat...@jpluscplusm.com] On Behalf Of Jonathan Matthews
Sent: Thursday, July 17, 2014 1:29 PM
To: haproxy
Subject: Re: Using a Whitlist to Redirect Users not on the Whitelist


On 17 Jul 2014 18:15, "JDzialo John" <jdzi...@edrnet.com> wrote:
> I am creating a whitelist of subnets allowed to access HAPROXY during 
> maintenance.  Basically I want to redirect everyone to our maintenance page 
> other than users in the whitelisted file.
>
> This is not working and is forwarding everyone to the maintenance page 
> despite being a member of a whitelisted subnet. 
> (10.0.0.0/8)
>
> Is using the hdr_ip(X-Forwarded-For) in the acl the way to go?

Unless your traffic is passing through another reverse proxy which inserts this 
header before it hits HAProxy, no. Why are you choosing to use that header?

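The `src -f whitelist.lst` ACL in this thread is the right shape, so the useful checks are on the file itself and on what the ACL compares. The following is an added example, not code from the thread or from HAProxy: it reads a whitelist file with the same conventions (one network or address per line, `#` comments), reports entries with host bits set such as `10.1.4.1/22` from the posted file, and emulates the `redirect ... unless { src -f ... }` decision. Normalizing `10.1.4.1/22` to `10.1.4.0/22` is this example's assumption and should be confirmed against the HAProxy version in use. The `trust_xff` switch models the earlier `hdr_ip(X-Forwarded-For)` variant discussed below, which is only sound when a trusted reverse proxy in front of HAProxy sets the header.

```python
"""Offline validator for an HAProxy `src -f <file>` whitelist (added example)."""
import ipaddress
from typing import List, Optional, Tuple

# Constructed excerpt of the whitelist.lst posted in the thread.
WHITELIST_TEXT = """\
#Allowed Internal Subnets
10.0.0.0/22
172.31.0.0/16
10.1.4.1/22
10.24.8.0/24
192.168.169.0/24
"""


def parse_whitelist(text: str) -> Tuple[List[ipaddress.IPv4Network], List[str]]:
    """Return (networks, warnings). '#' starts a comment, blank lines are skipped,
    one pattern per line, as HAProxy reads an ACL pattern file."""
    nets, warnings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry)       # strict: host bits must be zero
        except ValueError:
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                warnings.append(f"line {lineno}: {entry!r} is not an address or CIDR")
                continue
            # Assumption of this example: the entry is treated as its containing network.
            warnings.append(f"line {lineno}: {entry!r} has host bits set; using {net}")
        nets.append(net)
    return nets, warnings


def src_matches(client_ip: str, nets: List[ipaddress.IPv4Network]) -> bool:
    """Equivalent of the ACL `src -f whitelist.lst` for one connection source address."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def decide(src_ip: str, xff: Optional[str], nets: List[ipaddress.IPv4Network],
           trust_xff: bool = False) -> str:
    """Emulate `http-request redirect location ... unless { src -f whitelist.lst }`.

    trust_xff=False (the correct setting for clients that hit HAProxy directly)
    checks only the TCP source address, which the client cannot choose.
    trust_xff=True models matching on X-Forwarded-For instead; a value supplied
    by a direct client is then taken at face value."""
    checked = xff if (trust_xff and xff) else src_ip
    return "pass" if src_matches(checked, nets) else "redirect"


if __name__ == "__main__":
    networks, problems = parse_whitelist(WHITELIST_TEXT)
    for p in problems:
        print("warning:", p)
    for client in ("10.0.1.7", "10.0.4.1", "8.8.8.8"):
        print(client, "->", decide(client, None, networks))
```

Run it against the real file to catch malformed lines before reloading HAProxy; a single entry that fails to parse is easier to spot here than from a blanket redirect in production.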

Question on Using HAProxy in a Load-balanced config

2014-07-21 Thread jeff saremi
I have this question on using the HAProxy in a load-balanced manner in some 
configurations.
This arrangement is what is described in the following sections in the 
architecture document:

2. HTTP load-balancing with cookie prefixing and high availability
2.1 Variations involving external layer 4 load-balancers
 
The question is how does each proxy keep accurate track of the load on each web 
server? If I assign a maxconn value to my servers in the config files, how does 
one proxy know whether the max connections are going to be reached or not? 
Each proxy knows about the connections it is establishing itself and does not know 
about the other proxy?
What I can think of would be to halve the maxconn and put that halved value in 
each config file. The problem with this approach is if one of the proxies goes 
down, the remaining proxy will only load the server(s) up to half of their 
capacity (unless I update their config again).
I'm pretty sure this situation has been thought of otherwise the architecture 
document would not recommend a network arrangement like that.
I'd love to hear the how!

Thanks
Jeff
 
  

SPDY fails

2014-07-21 Thread Reinis Rozitis

Hello,
I'm trying to implement the haproxy nginx spdy / ssl offloading setup, but 
somehow it is not working for me.


For simplicity I used https://gist.github.com/igrigorik/8960971 haproxy 
config, but while testing with Chrome and FF the spdy is never enabled nor 
the spdy backend is chosen.



After adding:

log-format [%t]\ %ft\ %b/%s\ %Tw/%Tc/%Tt\ %B\ %tsc\ %ac/%fc/%bc/%sc/%rc\ 
%sq/%bq\ {%sslv/%sslc/%[ssl_fc_sni]/%[ssl_fc_npn]}



The haproxy logs show:

Jul 21 11:55:49 proc238 haproxy[13485]: [21/Jul/2014:11:55:49.326] secure~ 
http_cluster/srv01 0/0/335 240  1/1/0/1/0 0/0 
{TLSv1.2/ECDHE-RSA-AES256-SHA/mydomain.com/http/1.1}
Jul 21 11:55:49 proc238 haproxy[13485]: [21/Jul/2014:11:55:49.661] secure~ 
http_cluster/srv01 0/0/272 240  1/1/0/1/0 0/0 
{TLSv1.2/ECDHE-RSA-AES256-SHA/mydomain.com/http/1.1}



So I imagine the "if { ssl_fc_npn -i spdy/3.1 }" won't match since 
ssl_fc_npn contains only "http/1.1".


I thought "so whatever I can just force the spdy_cluster as default backend" 
but it breaks down completely eg Chrome complains "Error code: 
ERR_EMPTY_RESPONSE"


The odd thing is that while testing for example with http://spdycheck.org it 
shows all green and that everything is correct - SSL/TLS Detected/Success! 
SPDY is Enabled! ( spdy/3.1 / http/1.1) just not on the actual browsers.


So I'm confused where to look further (eg is the problem on haproxy or nginx 
(though it serves spdy (over ssl) on its own just fine) or on the 
client/browser side)?





---
My versions:

./haproxy -vv
HA-Proxy version 1.6-dev0-09448f7 2014/07/16
Copyright 2000-2014 Willy Tarreau 

Build options :
 TARGET  = linux2628
 CPU = native
 CC  = gcc
 CFLAGS  = -O2 -march=native -g -fno-strict-aliasing
 OPTIONS = USE_OPENSSL=1 USE_PCRE=1

Default settings :
 maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built without zlib support (USE_ZLIB not set)
Compression algorithms supported : identity
Built with OpenSSL version : OpenSSL 1.0.1h 5 Jun 2014
Running on OpenSSL version : OpenSSL 1.0.1h 5 Jun 2014
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.33 2013-05-28
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT 
IP_FREEBIND




./nginx -V
nginx version: nginx/1.7.3
built by gcc 4.7.1 20120723 [gcc-4_7-branch revision 189773] (SUSE Linux)
TLS SNI support enabled
configure 
arguments: --prefix=/data/nginx --with-http_stub_status_module --without-http-cache 
--with-http_ssl_module --with-http_realip_module --with-http_spdy_module 




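The custom log-format above already captures the facts needed to tell where SPDY negotiation is going wrong: the TLS version, cipher, SNI and the protocol the client actually negotiated via NPN. The following is an added example, not code from the thread, the gist or HAProxy. It parses lines in exactly that format (the `%tsc` termination-state field is made optional because it is absent from the lines as archived), reports the NPN values seen, and flags any request whose backend does not match the routing rule `use_backend spdy_cluster if { ssl_fc_npn -i spdy/3.1 }` with `http_cluster` as the default, which is this example's reading of the setup described above.

```python
"""Audit HAProxy log lines carrying {%sslv/%sslc/%[ssl_fc_sni]/%[ssl_fc_npn]} (added example)."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Matches: [%t] %ft %b/%s %Tw/%Tc/%Tt %B %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq {sslv/sslc/sni/npn}
LINE_RE = re.compile(
    r"\[(?P<t>[^\]]+)\]\s+"
    r"(?P<ft>\S+)\s+"
    r"(?P<b>[^/\s]+)/(?P<s>\S+)\s+"
    r"(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tt>-?\d+)\s+"
    r"(?P<B>\d+)\s+"
    r"(?:(?P<tsc>[A-Za-z-]{4})\s+)?"          # termination state, e.g. ----, may be missing
    r"(?P<ac>\d+)/(?P<fc>\d+)/(?P<bc>\d+)/(?P<sc>\d+)/(?P<rc>\d+)\s+"
    r"(?P<sq>\d+)/(?P<bq>\d+)\s+"
    r"\{(?P<sslv>[^/}]*)/(?P<sslc>[^/}]*)/(?P<sni>[^/}]*)/(?P<npn>[^}]*)\}"
)

# The two lines from the thread, re-joined after mail wrapping.
SAMPLE_LINES = [
    "Jul 21 11:55:49 proc238 haproxy[13485]: [21/Jul/2014:11:55:49.326] secure~ "
    "http_cluster/srv01 0/0/335 240  1/1/0/1/0 0/0 "
    "{TLSv1.2/ECDHE-RSA-AES256-SHA/mydomain.com/http/1.1}",
    "Jul 21 11:55:49 proc238 haproxy[13485]: [21/Jul/2014:11:55:49.661] secure~ "
    "http_cluster/srv01 0/0/272 240  1/1/0/1/0 0/0 "
    "{TLSv1.2/ECDHE-RSA-AES256-SHA/mydomain.com/http/1.1}",
]


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Extract the fields of one log line, or None if it is not in this format."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "frontend": d["ft"].rstrip("~"),
        "ssl": d["ft"].endswith("~"),     # HAProxy suffixes the frontend name with '~' for TLS connections
        "backend": d["b"],
        "server": d["s"],
        "total_ms": int(d["Tt"]),
        "bytes": int(d["B"]),
        "tls_version": d["sslv"],
        "cipher": d["sslc"],
        "sni": d["sni"],
        "npn": d["npn"] or None,          # empty when the client negotiated nothing
    }


def expected_backend(npn: Optional[str]) -> str:
    """Routing rule assumed from the thread: spdy_cluster for spdy/3.1, else http_cluster."""
    return "spdy_cluster" if npn and npn.lower() == "spdy/3.1" else "http_cluster"


def audit(lines: List[str]):
    """Return (records, npn_counts, mismatches) for the given log lines."""
    records = [r for r in map(parse_line, lines) if r]
    npn_counts = Counter(r["npn"] or "(none)" for r in records)
    mismatches = [r for r in records if r["backend"] != expected_backend(r["npn"])]
    return records, npn_counts, mismatches


if __name__ == "__main__":
    recs, counts, bad = audit(SAMPLE_LINES)
    print("NPN protocols negotiated:", dict(counts))
    print("backend/NPN mismatches:", len(bad))
```

For the two lines from the thread the audit reports only `http/1.1`, so the backend choice is consistent with what the client negotiated: the routing rule is not the problem, the negotiation is. That narrows the search to the TLS handshake between the browser and this HAProxy build rather than to nginx.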

Re: Strange health check behavior

2014-07-21 Thread Pavlos Parissis
On 21 July 2014 11:03, Szelcsányi Gábor wrote:

> Thank you for looking into this. I cannot reproduce it with 1.5-dev24. If
> I set the bind-process option at the backend section too (same values with
> frontend) the problem does not occur with 1.5.2. This could be a solution
> for me.
>
>
In my case I didn't have to pin backends to a process.



> Regards,
> Gabor
>
>
> On Sun, Jul 20, 2014 at 7:34 PM, Pavlos Parissis <
> pavlos.paris...@gmail.com> wrote:
>
>> On 18/07/2014 08:33 μμ, Szelcsányi Gábor wrote:
>> > Hi,
>> >
>> > I've been reading the documentation and searching the mail list, but one
>> > thing is not clear for me. I have nbproc 2, 2 frontends pinned to a
>> > separate cpu core and 1-1 backend. The bind-process options of these
>> > backends are inherited from their parent frontend.  Thus, are both
>> > processes supposed to do healthcheck for backend servers or just the
>> > desired process should do that?
>> >
>> > example:
>> >
>> > nbproc 2
>> > cpu-map 1 0
>> > cpu-map 2 1
>> > ...
>> >
>> > frontend frn1
>> > bind 10.0.0.10:80  process 1 name frn1
>> > bind-process 1
>> > ...
>> > default_backend bck1
>> >
>> > frontend frn2
>> > bind 10.0.0.10:81  process 2 name frn2
>> > bind-process 2
>> > ...
>> > default_backend bck2
>> >
>> > backend bck1
>> > option httpchk HEAD /healthcheck HTTP/1.1\r\n
>> > ...
>> > server  srv1 10.0.0.1:80  maxconn 5000
>> > weight 50 check inter 5s fall 2 rise 1 slowstart 15s
>> > server  srv2 10.0.0.2:80  maxconn 5000
>> > weight 50 check inter 5s fall 2 rise 1 slowstart 15s
>> >
>> > backend bck2
>> > option httpchk HEAD /healthcheck HTTP/1.1\r\n
>> > ...
>> > server  srv3 10.0.0.3:80  maxconn 5000
>> > weight 50 check inter 5s fall 2 rise 1 slowstart 15s
>> > server  srv4 10.0.0.4:80  maxconn 5000
>> > weight 50 check inter 5s fall 2 rise 1 slowstart 15s
>> >
>> > So the question is should both haproxy processes send health check
>> > queries to srv1 and srv2 or only the first process is designated to do
>> this?
>> > In my setup I see traffic from both processes. If I set 6 or more pinned
>> > frontends with different backends then the health checks can saturate
>> > the backend servers. I thought only the right process should check for
>> > status. The rest could never send traffic to the servers anyway. Am I
>> > wrong or am I just missing something?
>> >
>> > I'm using 1.5.2 stable. (released 2014/07/12)
>> > HA-Proxy version 1.5.2 2014/07/12
>> > Copyright 2000-2014 Willy Tarreau <w...@1wt.eu>
>> >
>> > Build options :
>> >   TARGET  = linux26
>> >   CPU = generic
>> >   CC  = gcc
>> >   CFLAGS  = -O2 -g -fno-strict-aliasing
>> >   OPTIONS = USE_LINUX_SPLICE=1 USE_LINUX_TPROXY=1 USE_LIBCRYPT=1
>> > USE_GETADDRINFO=1 USE_ZLIB=1 USE_EPOLL=1 USE_CPU_AFFINITY=1
>> > USE_OPENSSL=1 USE_STATIC_PCRE=1 USE_TFO=1
>> >
>> >
>> > Regards,
>> > Gabor
>>
>>
>> I can't reproduce the behavior you describe. Below is the test conf I
>> used where I set different User-Agent for the healthcheck on backends in
>> order to make it easier for me to see if process 2 sends checks on
>> foo-server1.
>>
>> nbproc 2
>> cpu-map 1 0
>> cpu-map 2 1
>>
>> frontend  main
>> bind *:80
>> bind-process 1
>> default_backend foo
>>
>> backend foo
>> default-server inter 10s
>> option httpchk GET / HTTP/1.1\r\nHost:\
>> foo.example.com\r\nUser-Agent:\ HAProxy
>> server foo-server1 21.229.28.251:80 check
>>
>>
>> frontend  main2
>> bind *:81
>> bind-process 2
>> default_backend foo2
>>
>> backend foo2
>> default-server inter 10s
>> option httpchk GET / HTTP/1.1\r\nHost:\
>> foo.example.com\r\nUser-Agent:\ HAProxy2
>> server foo-server2 20.229.28.252:80 check
>>
>>
>> # haproxy -vv
>> HA-Proxy version 1.5.2 2014/07/12
>> Copyright 2000-2014 Willy Tarreau 
>>
>> Build options :
>>   TARGET  = linux2628
>>   CPU = generic
>>   CC  = gcc
>>   CFLAGS  =
>>   OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1
>> USE_PCRE=1
>>
>> Default settings :
>>   maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
>>
>> Encrypted password support via crypt(3): yes
>> Built with zlib version : 1.2.3
>> Compression algorithms supported : identity, deflate, gzip
>> Built with OpenSSL version : OpenSSL 1.0.0-fips 29 Mar 2010
>> Running on OpenSSL version : OpenSSL 1.0.0-fips 29 Mar 2010
>> OpenSSL library supports TLS extensions : yes
>> OpenSSL library supports SNI : yes
>> OpenSSL library supports prefer-server-ciphers : yes
>> Built with PCRE version : 7.8 2008-09-05
>> PCRE library supports JIT : no (USE_PCRE_JIT not set)
>> Built with transparent proxy support using: IP_TRANSPARENT
>> IPV6_TRANSPARENT IP_FREEBIND
>>
>> Available polling systems :
>>   epoll : pref=300,  test result OK
>>poll : pref=200,  test resu

Re: Strange health check behavior

2014-07-21 Thread Szelcsányi Gábor
Thank you for looking into this. I cannot reproduce it with 1.5-dev24. If I
set the bind-process option at the backend section too (same values with
frontend) the problem does not occur with 1.5.2. This could be a solution
for me.

Regards,
Gabor


On Sun, Jul 20, 2014 at 7:34 PM, Pavlos Parissis wrote:

> On 18/07/2014 08:33 μμ, Szelcsányi Gábor wrote:
> > Hi,
> >
> > I've been reading the documentation and searching the mail list, but one
> > thing is not clear for me. I have nbproc 2, 2 frontends pinned to a
> > separate cpu core and 1-1 backend. The bind-process options of these
> > backends are inherited from their parent frontend.  Thus, are both
> > processes supposed to do healthcheck for backend servers or just the
> > desired process should do that?
> >
> > example:
> >
> > nbproc 2
> > cpu-map 1 0
> > cpu-map 2 1
> > ...
> >
> > frontend frn1
> > bind 10.0.0.10:80  process 1 name frn1
> > bind-process 1
> > ...
> > default_backend bck1
> >
> > frontend frn2
> > bind 10.0.0.10:81  process 2 name frn2
> > bind-process 2
> > ...
> > default_backend bck2
> >
> > backend bck1
> > option httpchk HEAD /healthcheck HTTP/1.1\r\n
> > ...
> > server  srv1 10.0.0.1:80  maxconn 5000
> > weight 50 check inter 5s fall 2 rise 1 slowstart 15s
> > server  srv2 10.0.0.2:80  maxconn 5000
> > weight 50 check inter 5s fall 2 rise 1 slowstart 15s
> >
> > backend bck2
> > option httpchk HEAD /healthcheck HTTP/1.1\r\n
> > ...
> > server  srv3 10.0.0.3:80  maxconn 5000
> > weight 50 check inter 5s fall 2 rise 1 slowstart 15s
> > server  srv4 10.0.0.4:80  maxconn 5000
> > weight 50 check inter 5s fall 2 rise 1 slowstart 15s
> >
> > So the question is should both haproxy processes send health check
> > queries to srv1 and srv2 or only the first process is designated to do
> this?
> > In my setup I see traffic from both processes. If I set 6 or more pinned
> > frontends with different backends then the health checks can saturate
> > the backend servers. I thought only the right process should check for
> > status. The rest could never send traffic to the servers anyway. Am I
> > wrong or am I just missing something?
> >
> > I'm using 1.5.2 stable. (released 2014/07/12)
> > HA-Proxy version 1.5.2 2014/07/12
> > Copyright 2000-2014 Willy Tarreau <w...@1wt.eu>
> >
> > Build options :
> >   TARGET  = linux26
> >   CPU = generic
> >   CC  = gcc
> >   CFLAGS  = -O2 -g -fno-strict-aliasing
> >   OPTIONS = USE_LINUX_SPLICE=1 USE_LINUX_TPROXY=1 USE_LIBCRYPT=1
> > USE_GETADDRINFO=1 USE_ZLIB=1 USE_EPOLL=1 USE_CPU_AFFINITY=1
> > USE_OPENSSL=1 USE_STATIC_PCRE=1 USE_TFO=1
> >
> >
> > Regards,
> > Gabor
>
>
> I can't reproduce the behavior you describe. Below is the test conf I
> used where I set different User-Agent for the healthcheck on backends in
> order to make it easier for me to see if process 2 sends checks on
> foo-server1.
>
> nbproc 2
> cpu-map 1 0
> cpu-map 2 1
>
> frontend  main
> bind *:80
> bind-process 1
> default_backend foo
>
> backend foo
> default-server inter 10s
> option httpchk GET / HTTP/1.1\r\nHost:\
> foo.example.com\r\nUser-Agent:\ HAProxy
> server foo-server1 21.229.28.251:80 check
>
>
> frontend  main2
> bind *:81
> bind-process 2
> default_backend foo2
>
> backend foo2
> default-server inter 10s
> option httpchk GET / HTTP/1.1\r\nHost:\
> foo.example.com\r\nUser-Agent:\ HAProxy2
> server foo-server2 20.229.28.252:80 check
>
>
> # haproxy -vv
> HA-Proxy version 1.5.2 2014/07/12
> Copyright 2000-2014 Willy Tarreau 
>
> Build options :
>   TARGET  = linux2628
>   CPU = generic
>   CC  = gcc
>   CFLAGS  =
>   OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1
> USE_PCRE=1
>
> Default settings :
>   maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
>
> Encrypted password support via crypt(3): yes
> Built with zlib version : 1.2.3
> Compression algorithms supported : identity, deflate, gzip
> Built with OpenSSL version : OpenSSL 1.0.0-fips 29 Mar 2010
> Running on OpenSSL version : OpenSSL 1.0.0-fips 29 Mar 2010
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports prefer-server-ciphers : yes
> Built with PCRE version : 7.8 2008-09-05
> PCRE library supports JIT : no (USE_PCRE_JIT not set)
> Built with transparent proxy support using: IP_TRANSPARENT
> IPV6_TRANSPARENT IP_FREEBIND
>
> Available polling systems :
>   epoll : pref=300,  test result OK
>poll : pref=200,  test result OK
>  select : pref=150,  test result OK
> Total: 3 (3 usable), will use epoll.
>
>
> Cheers,
> Pavlos
>
>
>
>

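Both messages in this thread turn on the same observable: with `nbproc 2` and `inter 10s`, a server checked by one process sees one probe every 10 s, while a server probed by every process sees them at roughly `inter / nbproc`. Pavlos's trick of giving each backend's `option httpchk` its own User-Agent makes the probes easy to separate from real traffic in the server's access log. The following is an added example, not code from the thread or from HAProxy: it reads constructed common-log-format lines from a backend server, isolates the check requests by User-Agent, and estimates how many processes are sending checks from the median gap between probes. The log lines, the source address `10.0.0.10` and the second User-Agent `HAProxy2` are constructed to mirror the test config above.

```python
"""Estimate how many HAProxy processes health-check a server, from its access log (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, List, Tuple

# Constructed backend-server access log, not from the thread. Checks for backend
# "foo" (User-Agent "HAProxy", inter 10s) arrive every 5 s: two processes checking.
# Checks for backend "foo2" (User-Agent "HAProxy2", inter 10s) arrive every 10 s: one process.
SAMPLE_LOG = "\n".join(
    [f'10.0.0.10 - - [21/Jul/2014:11:00:{sec:02d} +0200] "GET / HTTP/1.1" 200 0 "-" "HAProxy"'
     for sec in range(0, 60, 5)]
    + [f'10.0.0.10 - - [21/Jul/2014:11:00:{sec:02d} +0200] "GET / HTTP/1.1" 200 0 "-" "HAProxy2"'
       for sec in range(0, 60, 10)]
    + ['203.0.113.7 - - [21/Jul/2014:11:00:03 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"']
)

# Common log format with referer and user-agent appended.
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
CHECK_UAS = ("HAProxy", "HAProxy2")   # User-Agents set in the two `option httpchk` lines


def check_timestamps(log: str) -> Dict[str, List[datetime]]:
    """Collect the timestamps of health-check requests, keyed by User-Agent."""
    per_ua: Dict[str, List[datetime]] = defaultdict(list)
    for line in log.splitlines():
        m = CLF_RE.match(line)
        if not m or m.group("ua") not in CHECK_UAS:
            continue                      # real traffic or unparseable line
        per_ua[m.group("ua")].append(
            datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"))
    return per_ua


def estimate_checkers(log: str, inter_s: float) -> Dict[str, Tuple[float, int]]:
    """Return {user_agent: (median_gap_seconds, estimated_checking_processes)}.

    The estimate is round(inter / observed gap). A value above 1 means the
    server is being probed by more processes than intended, which is the
    saturation symptom described in the thread."""
    result = {}
    for ua, stamps in check_timestamps(log).items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if not gaps:
            continue                      # a single probe gives no interval
        gap = median(gaps)
        result[ua] = (gap, max(1, round(inter_s / gap)))
    return result


if __name__ == "__main__":
    for ua, (gap, n) in estimate_checkers(SAMPLE_LOG, 10).items():
        print(f"{ua}: median gap {gap:.1f}s -> about {n} process(es) checking")
```

Run over a real access log with the configured `inter` value, this gives a quick way to confirm that adding `bind-process` to the backend section, as Gabor did, actually brought each server back to one checking process.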

(ECOWAS) CONTRACT SUPPLY

2014-07-21 Thread ECOWAS
Global  CO, LTD
17 RUE DU PARIS
LOME-TOGO
WEST-AFRICA

Email: thaiwibrahim2...@hotmail.com

Dear Company,

Your good name and address have been recommended to us as an
authorized manufacturer/exporter of various items from your country.
To introduce ourselves to you, we are agents/consultants, wholesale
distributors, manufacturers' representatives and general importers.
Presently we are actively engaged in sourcing the under-listed
items for an urgent contract supply to the Economic Community of
West African States (ECOWAS), and we have been in this line of business
for many successful years, satisfying our numerous customers and
government with all their needs. Our recent expansion and desire to
promote trade and industry in your country has afforded us the
opportunity to contact your esteemed company for an urgent contract
supply of the under-listed items to ECOWAS.

LED based lighting solutions, Renew Medical Equipment, Mineral Water, Bottled 
Water, Furniture, Tires, Vehicles, Trucks, Building Materials, Sanitary
Disposal Units, Canned Food, Pharmaceutical Products, T-Shirts /
Polo, Garments for Ladies, Men and Children, Electronics, Cameras,
Fax Machines, Cosmetics, Soap, Detergent, Industrial Machines, Sanitary
Wares, Rice, Cement, yellow maize, Assorted types of Oil products, fresh 
carrots, Beverages and so on, and
general goods from your country.

Please, if you can supply us with any of the above listed items, do not
hesitate to inform us by mail so that we can stop further negotiations
with other foreign companies for an urgent supply of any of the
captioned items.
Looking forward to hearing from you.

BEST REGARDS,
Thaiw Ibrahim(CEO)
Global CO, LTD
17 RUE DU PARIS
LOME-TOGO
WEST-AFRICA
Email: thaiwibrahim2...@hotmail.com