DDoS Mitigation

2014-08-28 Thread Viet Nguyen Chan
Hi all,

I'm trying to use HAProxy 1.5.3 with the technique in article
http://blog.haproxy.com/2012/07/03/http-request-flood-mitigation/ for
mitigating HTTP flood, this is (a part of) my config :

frontend ft_waf
...
stick-table type ip size 1m expire 10s store gpc0,http_req_rate(10s)
tcp-request connection track-sc1 src
tcp-request content reject if { src_get_gpc0 gt 0 }
http-request deny if { src_get_gpc0 gt 0 }

default_backend bk_waf


backend bk_waf
...
acl abuse src_http_req_rate(ft_waf) ge 10
acl flag_abuser src_inc_gpc0(ft_waf)
http-request deny if abuse flag_abuser


But when I restart HAProxy, I got this error :

[root@myserver ~]# /etc/init.d/haproxy restart
Shutting down haproxy: [  OK  ]
Starting haproxy: [WARNING] 239/231955 (25210) : parsing acl keyword
'src_inc_gpc0(ft_waf)' :
  no pattern to match against were provided, so this ACL will never match.
  If this is what you intended, please add '--' to get rid of this warning.
  If you intended to match only for existence, please use '-m found'.
  If you wanted to force an int to match as a bool, please use '-m bool'.

   [  OK  ]

Hope anyone can help me with this issue. Thank you so much.

Best Regards,



Re: DDoS Mitigation

2014-08-28 Thread Baptiste
On Thu, Aug 28, 2014 at 11:23 AM, Viet Nguyen Chan viet...@gmail.com wrote:
 Hi all,

 I'm trying to use HAProxy 1.5.3 with the technique in article
 http://blog.haproxy.com/2012/07/03/http-request-flood-mitigation/ for
 mitigating HTTP flood, this is (a part of) my config :

 frontend ft_waf
 ...
 stick-table type ip size 1m expire 10s store gpc0,http_req_rate(10s)
 tcp-request connection track-sc1 src
 tcp-request content reject if { src_get_gpc0 gt 0 }
 http-request deny if { src_get_gpc0 gt 0 }

 default_backend bk_waf


 backend bk_waf
 ...
 acl abuse src_http_req_rate(ft_waf) ge 10
 acl flag_abuser src_inc_gpc0(ft_waf)
 http-request deny if abuse flag_abuser


 But when I restart HAProxy, I got this error :

 [root@myserver ~]# /etc/init.d/haproxy restart
 Shutting down haproxy: [  OK  ]
 Starting haproxy: [WARNING] 239/231955 (25210) : parsing acl keyword
 'src_inc_gpc0(ft_waf)' :
   no pattern to match against were provided, so this ACL will never match.
   If this is what you intended, please add '--' to get rid of this warning.
   If you intended to match only for existence, please use '-m found'.
   If you wanted to force an int to match as a bool, please use '-m bool'.

[  OK  ]

 Hope anyone can help me with this issue. Thank you so much.

 Best Regards,


Hi,

There's a typo in the article, I've fixed it.
Replace the line by
  acl flag_abuser src_inc_gpc0(ft_waf) ge 0

and let us know the result.

Baptiste
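
The corrected ACL only makes sense once you see what the stick table is doing per source address, so here is an added example (a model written for this page, not HAProxy's code and not from the blog article) that replays the thread's rules in Python. It assumes one HTTP request per TCP connection, keeps only the pieces the config uses (expire, gpc0, http_req_rate), and approximates HAProxy's frequency counter as the current 10s period plus the previous one weighted by the time left in the current period. The client addresses and traffic pattern are constructed.

```python
from dataclasses import dataclass

PERIOD = 10.0    # http_req_rate(10s)
EXPIRE = 10.0    # stick-table ... expire 10s
THRESHOLD = 10   # acl abuse src_http_req_rate(ft_waf) ge 10


@dataclass
class Row:
    """One stick-table entry keyed by source IP."""
    gpc0: int = 0            # general-purpose counter, used here as the "abuser" flag
    curr_start: float = 0.0  # start of the current counting period
    curr: int = 0            # requests seen in the current period
    prev: int = 0            # requests seen in the previous period
    last_seen: float = 0.0   # drives the expire timer


class StickTable:
    """Only what the thread's config uses: expire, gpc0 and http_req_rate (simplified model)."""

    def __init__(self):
        self.rows = {}

    def _row(self, ip, now):
        row = self.rows.get(ip)
        if row is None or now - row.last_seen >= EXPIRE:
            row = Row(curr_start=now)    # expired entries restart from zero, flag included
            self.rows[ip] = row
        row.last_seen = now              # every tracked connection refreshes the timer
        return row

    @staticmethod
    def _rotate(row, now):
        age = now - row.curr_start
        if age >= 2 * PERIOD:
            row.prev, row.curr, row.curr_start = 0, 0, now
        elif age >= PERIOD:
            row.prev, row.curr, row.curr_start = row.curr, 0, row.curr_start + PERIOD

    def count_http_request(self, ip, now):
        row = self._row(ip, now)
        self._rotate(row, now)
        row.curr += 1

    def http_req_rate(self, ip, now):
        # Frequency counter: current period plus the previous one, weighted by
        # how much of the current period is still left.
        row = self._row(ip, now)
        self._rotate(row, now)
        remaining = PERIOD - (now - row.curr_start)
        return int(row.curr + row.prev * remaining / PERIOD)

    def get_gpc0(self, ip, now):
        return self._row(ip, now).gpc0

    def inc_gpc0(self, ip, now):
        row = self._row(ip, now)
        row.gpc0 += 1
        return row.gpc0                  # the new value, so it is always >= 1


def handle_connection(table, ip, now):
    """One connection carrying one request (assumed), run through the thread's rules.

    Returns 'tcp-reject', 'http-deny' or 'forward'.
    """
    # frontend: tcp-request connection track-sc1 src
    # frontend: tcp-request content reject if { src_get_gpc0 gt 0 }
    if table.get_gpc0(ip, now) > 0:
        return "tcp-reject"
    table.count_http_request(ip, now)    # the parsed request is counted into http_req_rate
    # backend: acl abuse src_http_req_rate(ft_waf) ge 10
    abuse = table.http_req_rate(ip, now) >= THRESHOLD
    # backend: acl flag_abuser src_inc_gpc0(ft_waf) ge 0
    # Terms of one condition are evaluated left to right and stop at the first
    # false one, so gpc0 is only incremented once 'abuse' already holds; and
    # because src_inc_gpc0 returns the incremented value, 'ge 0' always matches.
    flag_abuser = abuse and table.inc_gpc0(ip, now) >= 0
    return "http-deny" if abuse and flag_abuser else "forward"


def simulate():
    """Constructed traffic: a quiet client (5 requests in 10s) and a flooding one (15 in under 1s)."""
    table = StickTable()
    normal = [handle_connection(table, "198.51.100.7", now=i * 2.0) for i in range(5)]
    flood = [handle_connection(table, "203.0.113.9", now=i * 0.05) for i in range(15)]
    return normal, flood


def flag_lifetime():
    """Hits refresh the expire timer; silence for the full window clears the flag."""
    table = StickTable()
    ip = "203.0.113.9"
    for i in range(10):
        handle_connection(table, ip, now=i * 0.05)      # flagged on the tenth request
    while_hammering = [handle_connection(table, ip, now=t) for t in (5.0, 10.0, 15.0, 20.0)]
    after_quiet = handle_connection(table, ip, now=20.0 + EXPIRE + 0.5)
    return while_hammering, after_quiet


if __name__ == "__main__":
    print(simulate())
    print(flag_lifetime())
```

Two things the model makes visible that the config does not: the flag lives in the same entry as the counters, so an attacker who keeps connecting keeps refreshing `expire 10s` and stays blocked until it goes quiet for the full window; and because the key is the source IP, everyone behind the same NAT address shares both the rate and the flag, so the threshold and window need to be chosen with that in mind.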



Re: Busy Poll Support

2014-08-28 Thread Willy Tarreau
Hi Ben,

On Wed, Aug 27, 2014 at 06:03:54PM -0700, Ben Burkert wrote:
 Hello,
 
 The 3.11 release of the Linux kernel added a new feature for low
 latency network polling. Using the SO_BUSY_POLL socket option, an
 application can enable busy polling. This instructs the kernel to poll
 the network device driver directly for a period of time when the
 application does a read or poll on the socket before new packets have
 been received. For HAproxy deployments sensitive to latency or jitter,
 supporting busy polling could provide a mechanism to trade higher CPU
 load for reduced latency and jitter.
 
 I'm intersted in adding a feature to HAproxy for setting SO_BUSY_POLL
 on a listener socket. I was thinking the socket option could be
 enabled by setting a busy_poll keyword in the listen section. Is
 there any interest in accepting patches for such a feature?

Better do it on the bind line since each bind line can have its own
settings. Look for example at tfo, defer-accept or mss.

Also, please see how TFO is enabled in the makefile so that we don't
depend on having an up-to-date libc. Basically when we set USE_TFO,
the required defines are set if not there yet. You should definitely
do the same to ease the transition.

Please prefer busy-poll to busy_poll since we're trying to avoid
adding more underscores and prefer the more widespread - that's more
readable especially at the bottom of a screen.

And please post your results :-)

Thanks,
Willy
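
Willy's two points (a per-bind keyword, and a fallback definition when the libc headers lack the constant) and the kernel-side behaviour can be tried from user space without touching HAProxy. The following is an added example in Python, not Ben's patch and not HAProxy code; the `busy-poll <usec>` keyword mentioned in a comment is only the spelling Willy asks for and is assumed. It sets SO_BUSY_POLL on a listening socket, reads the value back, and shows the two failure modes an operator will hit: EPERM when raising the value without CAP_NET_ADMIN (which is why it has to happen before privileges are dropped) and ENOPROTOOPT on a kernel built without busy-poll support.

```python
import errno
import socket

# Python's socket module does not export SO_BUSY_POLL. On Linux it is 46 for the
# usual architectures (Ben's strace shows it as 0x2e, which is 46), so fall back
# to that number the same way a C build would #define it when the libc headers
# predate kernel 3.11.
SO_BUSY_POLL = getattr(socket, "SO_BUSY_POLL", 46)


def set_busy_poll(sock, usec):
    """Ask the kernel to busy-poll the NIC for `usec` microseconds on `sock`.

    Returns the value the kernel kept (read back with getsockopt). Raises
    PermissionError when the value would be *raised* without CAP_NET_ADMIN:
    the kernel lets an unprivileged process only lower it below the current
    value (whose default comes from sysctl net.core.busy_read, normally 0).
    Raises OSError(ENOPROTOOPT) on kernels built without busy-poll support.
    """
    sock.setsockopt(socket.SOL_SOCKET, SO_BUSY_POLL, usec)
    return sock.getsockopt(socket.SOL_SOCKET, SO_BUSY_POLL)


def probe_busy_poll(usec):
    """Try `usec` on a throwaway TCP socket; returns (status, kept_value)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            return "ok", set_busy_poll(sock, usec)
        except PermissionError:
            # raising above the current value without CAP_NET_ADMIN
            return "eperm", sock.getsockopt(socket.SOL_SOCKET, SO_BUSY_POLL)
        except OSError as exc:
            if exc.errno in (errno.ENOPROTOOPT, errno.EINVAL):
                return "unsupported", None
            raise


def make_listener(host, port, usec, backlog=128):
    """Listener whose accepted connections inherit the busy-poll setting.

    Set the option while still privileged (HAProxy binds its listeners before
    dropping to 'user'/'group'); afterwards anything above the sysctl default
    fails with EPERM. This is what a hypothetical 'busy-poll <usec>' bind
    keyword would do for each bind line.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    kept = set_busy_poll(sock, usec)
    sock.bind((host, port))
    sock.listen(backlog)
    return sock, kept


if __name__ == "__main__":
    for usec in (0, 50):
        print(usec, probe_busy_poll(usec))
```

Note that the option being accepted says nothing about whether it does anything: the NIC driver has to support busy polling, otherwise the value is stored and silently ignored, which is the situation Ben describes for benchmarking.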




Re: DDoS Mitigation

2014-08-28 Thread Viet Nguyen Chan
Great, It works like a charm. Thank you so much :D

Best Regards,

2014-08-28 16:41 GMT+07:00 Baptiste bed...@gmail.com:
 On Thu, Aug 28, 2014 at 11:23 AM, Viet Nguyen Chan viet...@gmail.com wrote:
 Hi all,

 I'm trying to use HAProxy 1.5.3 with the technique in article
 http://blog.haproxy.com/2012/07/03/http-request-flood-mitigation/ for
 mitigating HTTP flood, this is (a part of) my config :

 frontend ft_waf
 ...
 stick-table type ip size 1m expire 10s store gpc0,http_req_rate(10s)
 tcp-request connection track-sc1 src
 tcp-request content reject if { src_get_gpc0 gt 0 }
 http-request deny if { src_get_gpc0 gt 0 }

 default_backend bk_waf


 backend bk_waf
 ...
 acl abuse src_http_req_rate(ft_waf) ge 10
 acl flag_abuser src_inc_gpc0(ft_waf)
 http-request deny if abuse flag_abuser


 But when I restart HAProxy, I got this error :

 [root@myserver ~]# /etc/init.d/haproxy restart
 Shutting down haproxy: [  OK  ]
 Starting haproxy: [WARNING] 239/231955 (25210) : parsing acl keyword
 'src_inc_gpc0(ft_waf)' :
   no pattern to match against were provided, so this ACL will never match.
   If this is what you intended, please add '--' to get rid of this warning.
   If you intended to match only for existence, please use '-m found'.
   If you wanted to force an int to match as a bool, please use '-m bool'.

[  OK  ]

 Hope anyone can help me with this issue. Thank you so much.

 Best Regards,


 Hi,

 There's a typo in the article, I've fixed it.
 Replace the line by
   acl flag_abuser src_inc_gpc0(ft_waf) ge 0

 and let us know the result.

 Baptiste



RE: Application Persistence with WebSockets

2014-08-28 Thread Ryan Brock
I can do it. I should learn the process for submitting changes anyway. I'll
base it on 1.6.

Thanks for the help. Really appreciate it.

- Ryan
On Aug 28, 2014 7:18 AM, Lukas Tribus luky...@hotmail.com wrote:

 Hi Willy,



  I think that experimenting with (txn->status < 200 && txn->status != 101)
  everywhere we currently have a test for < 200 should be a good start. I'd
  rather do this in 1.6-dev first and observe for some time before
 backporting
  to 1.5, and why not, 1.4.

 Understood.


 Ryan, would you like me to send a patch to adjust those two conditions or
 do you want to handle it? Either way is fine for me.



 Thanks,

 Lukas




Re: Application Persistence with WebSockets

2014-08-28 Thread Willy Tarreau
On Thu, Aug 28, 2014 at 07:25:07AM -0500, Ryan Brock wrote:
 I can do it. I should learn the process for submitting changes anyway. I'll
 base it on 1.6.
 
 Thanks for the help. Really appreciate it.

Thanks Ryan. There's nothing fundamental in the way to submit changes. If
you want to ensure they're not lost, do not hesitate to Cc someone interested
in them (typically, Lukas, Cyril or me in general and you're sure they won't
be lost).

Regards,
Willy




Get upto 18.8% discount on Health Insurance!

2014-08-28 Thread CignaTTK Health







With our comprehensive health insurance to back you up, you can nurture your individual strengths and achieve what matters most in your life.

Get unique benefits from Cigna TTK ProHealth Plus and insure your health for a successful future.

 - No cap on room rent
 - Policy deductible
 - Health benefits upto Rs 2000
 - Worldwide emergency cover
 - Pre hospitalisation
 - Post hospitalisation
 - Day care expenses
 - Restoration of sum insured
 - Cumulative bonus for no claims
 - Healthy rewards
 - Emergency ambulance expenses
 - Annual health check-up

Insurance is the subject matter of solicitation.
For more details on terms & conditions please read the sales brochure carefully before concluding the sale.
CignaTTK Health Insurance Company Limited - IRDA registration no. 151
CignaTTK ProHealth Insurance Policy, UIN Number: IRDA/NL-HLT/CTTK/P-H/V-I/390/13-14
Compliance number - ADVEM/0011/FEB/13-14
Date of release : March 2014
Ricoh Business Zone Building 5A, 7th Floor, Cyber City, DLF Phase-2, Gurgaon - 122002 Haryana







Re: ssl nbproc > 1 and chrome

2014-08-28 Thread Lukas Tribus
Hi Jarno,


 I'm testing ssl offloading with nbproc > 1, and I'm having
 (random?) problems with chrome. (This could be related to
 chrome 408 errors
 (http://blog.haproxy.com/2014/05/26/haproxy-and-http-errors-408-in-chrome/)).


Note that the 408 bug should be fixed in Chrome 37, which was released
a few days ago.



 At first I thought maybe this is related to nbproc > 1, but the same
 problem happens with nbproc 1.

 (I've also tested with nbproc 1 and moved listening sockets from
 HTTPS_idp to FE_idp (basically removed the
 abns@idpproc1 server/bind) and at that time didn't see errors with chrome.
 (I only tested this way for two days (usually I get the error with
 chrome maybe once / twice a day))).

Looks like this could be related to abstract namespaces.



 Randomly chrome shows error(empty page) and I get something like this
 in logs:
 Aug 28 10:03:24 127.0.0.1 haproxy[22814]: client.ip:33098 
 [28/Aug/2014:10:03:24.726] FE_idp BE_idp_tomcat/shib1 1/0/2/31/34 302 1284 
 JSESSIONID=shib1~381restremoved - --VN 2/1/0/1/0 0/0 GET 
 /idp/Authn/UserPassword HTTP/1.1
 Aug 28 10:03:24 127.0.0.1 haproxy[22814]: client.ip:33098 
 [28/Aug/2014:10:03:24.760] FE_idp BE_idp_tomcat/shib1 8/0/3/10/31 401 1178 
 JSESSIONID=shib1~381restremoved - --VN 2/1/0/1/0 0/0 GET 
 /idp/Authn/Kerberos/Login HTTP/1.1
 Aug 28 10:03:24 127.0.0.1 haproxy[22814]: client.ip:33098 
 [28/Aug/2014:10:03:24.720] HTTPS_idp~ HTTPS_idp/idp_in 4/3/81 2552 -- 
 0/0/0/0/0 0/0
 Aug 28 10:03:24 127.0.0.1 haproxy[22814]: client.ip:33099 
 [28/Aug/2014:10:03:24.808] FE_idp FE_idp/NOSRV -1/-1/-1/-1/12 400 187 - - 
 CR-- 1/0/0/0/0 0/0 BADREQ
 Aug 28 10:03:24 127.0.0.1 haproxy[22814]: client.ip:33099 
 [28/Aug/2014:10:03:24.803] HTTPS_idp~ HTTPS_idp/idp_in 3/3/18 187 -- 
 0/0/0/0/0 0/0

the line ending with BADREQ indicates an incomplete request.
That's probably when things start to fail.



 Can anyone spot some stupid timeout? mistakes in my haproxy.cfg ?
 Or some other config options I should try (maybe try unix-domain socket
 or 127.0.0.1 socket instead of abns socket) ?

Yes, I think it's a good idea to try with unix or ip-sockets.


Other than that, the strace -tt could indeed be useful.


Also, please indicate what exact haproxy and kernel release you are using.




Regards,

Lukas
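
The BADREQ / CR-- line Lukas points at can be picked out mechanically. The following is an added example (not code from the thread or from HAProxy): a small parser for HAProxy's HTTP and TCP log formats, run over the five log lines quoted above as a constructed sample (syslog prefix dropped, wrapped lines re-joined, the client address left as `client.ip` as in the post, and the request field unquoted because the archive stripped the quotes). It decodes the termination-state flags and groups records by client source port so the TLS-offload hop (HTTPS_idp, TCP format) can be lined up with the FE_idp record for the same connection.

```python
import re
from collections import defaultdict

# Constructed sample built from the log lines quoted in the thread.
SAMPLE_LOG = """\
client.ip:33098 [28/Aug/2014:10:03:24.726] FE_idp BE_idp_tomcat/shib1 1/0/2/31/34 302 1284 JSESSIONID=shib1~381restremoved - --VN 2/1/0/1/0 0/0 GET /idp/Authn/UserPassword HTTP/1.1
client.ip:33098 [28/Aug/2014:10:03:24.760] FE_idp BE_idp_tomcat/shib1 8/0/3/10/31 401 1178 JSESSIONID=shib1~381restremoved - --VN 2/1/0/1/0 0/0 GET /idp/Authn/Kerberos/Login HTTP/1.1
client.ip:33098 [28/Aug/2014:10:03:24.720] HTTPS_idp~ HTTPS_idp/idp_in 4/3/81 2552 -- 0/0/0/0/0 0/0
client.ip:33099 [28/Aug/2014:10:03:24.808] FE_idp FE_idp/NOSRV -1/-1/-1/-1/12 400 187 - - CR-- 1/0/0/0/0 0/0 BADREQ
client.ip:33099 [28/Aug/2014:10:03:24.803] HTTPS_idp~ HTTPS_idp/idp_in 3/3/18 187 -- 0/0/0/0/0 0/0
"""

# Common prefix of both formats: client:port [accept_date] frontend backend/server timers ...
HEAD = re.compile(r"^(?P<client>\S+):(?P<port>\d+) \[(?P<ts>[^\]]+)\] (?P<fe>\S+) "
                  r"(?P<be>\S+)/(?P<srv>\S+) (?P<timers>[-\d/]+) (?P<rest>.*)$")
# HTTP format tail: status bytes req_cookie resp_cookie tsc conns queues request
HTTP_TAIL = re.compile(r"^(?P<status>-?\d+) (?P<bytes>\d+) (?P<req_cookie>\S+) (?P<resp_cookie>\S+) "
                       r"(?P<tsc>\S{4}) (?P<conns>\S+) (?P<queues>\S+) (?P<request>.*)$")
# TCP format tail: bytes tsc conns queues
TCP_TAIL = re.compile(r"^(?P<bytes>\d+) (?P<tsc>\S{2}) (?P<conns>\S+) (?P<queues>\S+)$")

# Termination state: first char is what ended the session, second is the phase it was in.
CAUSE = {"C": "client aborted", "S": "server aborted or refused", "P": "proxy blocked",
         "R": "proxy resource exhausted", "I": "internal error", "c": "client-side timeout",
         "s": "server-side timeout", "-": "normal close"}
PHASE = {"R": "while waiting for a complete request", "Q": "while queued",
         "C": "while connecting to the server", "H": "while waiting for response headers",
         "D": "during data transfer", "L": "while sending last data", "T": "while tarpitted",
         "-": ""}


def parse_line(line):
    """Parse one HAProxy log line (HTTP or TCP format); None if it does not match."""
    head = HEAD.match(line.strip())
    if not head:
        return None
    rec = head.groupdict()
    timers = rec.pop("timers").split("/")
    rest = rec.pop("rest")
    if len(timers) == 5:                 # Tq/Tw/Tc/Tr/Tt: HTTP log format
        tail, rec["format"] = HTTP_TAIL.match(rest), "http"
    elif len(timers) == 3:               # Tw/Tc/Tt: TCP log format (the TLS-offload hop here)
        tail, rec["format"] = TCP_TAIL.match(rest), "tcp"
    else:
        return None
    if not tail:
        return None
    rec.update(tail.groupdict())
    rec["port"] = int(rec["port"])
    rec["bytes"] = int(rec["bytes"])
    rec["total_ms"] = int(timers[-1])
    if "status" in rec:
        rec["status"] = int(rec["status"])
    return rec


def explain_tsc(tsc):
    """Human-readable reading of the first two termination-state characters."""
    return (CAUSE.get(tsc[0], "unknown cause") + " " + PHASE.get(tsc[1], "")).strip()


def find_incomplete_requests(log_text):
    """HTTP-format records where the client closed before a full request arrived (CR--)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["format"] == "http" and rec["tsc"].startswith("CR"):
            hits.append(rec)
    return hits


def sessions_by_client_port(log_text):
    """Group records by (client, source port) so both hops of one connection sit together."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            groups[(rec["client"], rec["port"])].append(rec)
    return {key: sorted(recs, key=lambda r: r["ts"]) for key, recs in groups.items()}


if __name__ == "__main__":
    for rec in find_incomplete_requests(SAMPLE_LOG):
        print(rec["port"], rec["status"], rec["request"], "-", explain_tsc(rec["tsc"]))
    for key, recs in sessions_by_client_port(SAMPLE_LOG).items():
        print(key, [(r["fe"], r.get("status"), r["tsc"]) for r in recs])
```

On the sample this isolates port 33099: a 400 with `CR--` and no request line on FE_idp, and a 187-byte TCP-mode session on HTTPS_idp ending 5 ms after it was accepted, which is the pattern of a browser opening a connection and closing it before sending anything.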

  


Re: ssl nbproc > 1 and chrome

2014-08-28 Thread Jarno Huuskonen
Hi,

On Thu, Aug 28, Lukas Tribus wrote:
 Hi Jarno,
 
 
  I'm testing ssl offloading with nbproc > 1, and I'm having
  (random?) problems with chrome. (This could be related to
  chrome 408 errors
  (http://blog.haproxy.com/2014/05/26/haproxy-and-http-errors-408-in-chrome/)).
 
 
 Note that the 408 bug should be fixed in Chrome 37, which was released
 a few days ago.

Good to hear, what I could also test is disable chrome's prefetch
(I think it's Predict network actions to improve page load
performance).
 
 
 
  At first I thought maybe this is related to nbproc > 1, but the same
  problem happens with nbproc 1.
 
  (I've also tested with nbproc 1 and moved listening sockets from
  HTTPS_idp to FE_idp (basically removed the
  abns@idpproc1 server/bind) and at that time didn't see errors with chrome.
  (I only tested this way for two days (usually I get the error with
  chrome maybe once / twice a day))).
 
 Looks like this could be related to abstract namespaces.
 
 
 
  Randomly chrome shows error(empty page) and I get something like this
  in logs:
  Aug 28 10:03:24 127.0.0.1 haproxy[22814]: client.ip:33098 
  [28/Aug/2014:10:03:24.726] FE_idp BE_idp_tomcat/shib1 1/0/2/31/34 302 1284 
  JSESSIONID=shib1~381restremoved - --VN 2/1/0/1/0 0/0 GET 
  /idp/Authn/UserPassword HTTP/1.1
  Aug 28 10:03:24 127.0.0.1 haproxy[22814]: client.ip:33098 
  [28/Aug/2014:10:03:24.760] FE_idp BE_idp_tomcat/shib1 8/0/3/10/31 401 1178 
  JSESSIONID=shib1~381restremoved - --VN 2/1/0/1/0 0/0 GET 
  /idp/Authn/Kerberos/Login HTTP/1.1
  Aug 28 10:03:24 127.0.0.1 haproxy[22814]: client.ip:33098 
  [28/Aug/2014:10:03:24.720] HTTPS_idp~ HTTPS_idp/idp_in 4/3/81 2552 -- 
  0/0/0/0/0 0/0
  Aug 28 10:03:24 127.0.0.1 haproxy[22814]: client.ip:33099 
  [28/Aug/2014:10:03:24.808] FE_idp FE_idp/NOSRV -1/-1/-1/-1/12 400 187 - - 
  CR-- 1/0/0/0/0 0/0 BADREQ
  Aug 28 10:03:24 127.0.0.1 haproxy[22814]: client.ip:33099 
  [28/Aug/2014:10:03:24.803] HTTPS_idp~ HTTPS_idp/idp_in 3/3/18 187 -- 
  0/0/0/0/0 0/0
 
 the line ending with BADREQ indicates an incomplete request.
 That's probably when things start to fail.

Yes, I think GET /idp/Authn/Kerberos/Login response goes to browser
(tomcat sends WWW-Authenticate: Negotiate response), but next request
from browser (Authorization: Negotiate ...) is MIA.

I think I can find the corresponding place in the strace(w/out
timestamps) output (strace shows the above log messages), if that is useful
I could provide the strace (off list).
 
 
 
  Can anyone spot some stupid timeout? mistakes in my haproxy.cfg ?
  Or some other config options I should try (maybe try unix-domain socket
  or 127.0.0.1 socket instead of abns socket) ?
 
 Yes, I think it's a good idea to try with unix or ip-sockets.
 
 
 Other than that, the strace -tt could indeed be useful.

I'll run with abns socket and try to get strace -tt file and then
try with unix or ip-sockets. 
 
 
 Also, please indicate what exact haproxy and kernel release you are using.

Sorry, forgot to include that:
Redhat 7 (kernel: 3.10.0-123.6.3.el7.x86_64) and
haproxy -vv (it's 1.5.3 with snapshot 20140731 patches applied):

HA-Proxy version 1.5.3 2014/07/25
Copyright 2000-2014 Willy Tarreau w...@1wt.eu

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing
  OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1
USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents =
200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT
IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Thanks,
-Jarno

-- 
Jarno Huuskonen



Re: Busy Poll Support

2014-08-28 Thread Ben Burkert
OK, thanks for the pointers Willy.

On Thu, Aug 28, 2014 at 3:13 AM, Willy Tarreau w...@1wt.eu wrote:
 Hi Ben,

 On Wed, Aug 27, 2014 at 06:03:54PM -0700, Ben Burkert wrote:
 Hello,

 The 3.11 release of the Linux kernel added a new feature for low
 latency network polling. Using the SO_BUSY_POLL socket option, an
 application can enable busy polling. This instructs the kernel to poll
 the network device driver directly for a period of time when the
 application does a read or poll on the socket before new packets have
 been received. For HAproxy deployments sensitive to latency or jitter,
 supporting busy polling could provide a mechanism to trade higher CPU
 load for reduced latency and jitter.

 I'm intersted in adding a feature to HAproxy for setting SO_BUSY_POLL
 on a listener socket. I was thinking the socket option could be
 enabled by setting a busy_poll keyword in the listen section. Is
 there any interest in accepting patches for such a feature?

 Better do it on the bind line since each bind line can have its own
 settings. Look for example at tfo, defer-accept or mss.

 Also, please see how TFO is enabled in the makefile so that we don't
 depend on having an up-to-date libc. Basically when we set USE_TFO,
 the required defines are set if not there yet. You should definitely
 do the same to ease the transition.

 Please prefer busy-poll to busy_poll since we're trying to avoid
 adding more underscores and prefer the more widespread - that's more
 readable especially at the bottom of a screen.

 And please post your results :-)

 Thanks,
 Willy




Can you balance-out service-checks better?

2014-08-28 Thread Rainer Duffner
Hi,


we will put haproxy in front of a Zimbra infrastructure (which we have 
split-up, so that there is a „front end“, with pop, imap, smtp and a „back 
end“, where the mail sits).

I have two haproxy-servers (active/standby via CARP) that are checking the 
front-ends.
I check:
 - smtp
 - smtps
 - submit
 - pop + pops
 - imap + imaps

from both haproxy-servers simultaneously.

If I use the default check frequency, it just bombards the servers with 
requests that often can’t even finish in the time it takes to launch the next 
check.
If I increase the check-frequency too much, it will take longer to take a 
server out of the pool in case of failure - and checks still don’t 
„balance-out“ (or do they?).
But they are all more or less connected: if one of them fails, it’s highly 
likely that all the others will fail, too.

So, ideally, I’d like to have something like this:
 - check service A (maybe POP3)
 - wait maybe 30s
 - then check the next service (e.g. POP3S).
 - if one fails, remove that backend-server from the pool for all services
 - alternatively, instead of doing the above, re-schedule the checks so the 
next check happens immediately 


Does that sound insane?
;-)






Re: Can you balance-out service-checks better?

2014-08-28 Thread Baptiste
On Thu, Aug 28, 2014 at 10:31 PM, Rainer Duffner rai...@ultra-secure.de wrote:
 Hi,


 we will put haproxy in front of a Zimbra infrastructure (which we have 
 split-up, so that there is a front end, with pop, imap, smtp and a back 
 end, where the mail sits).

 I have two haproxy-servers (active/standby via CARP) that are checking the 
 front-ends.
 I check:
  - smtp
  - smtps
  - submit
  - pop + pops
  - imap + imaps

 from both haproxy-servers simultaneously.

 If I use the default check frequency, it just bombards the servers with 
 requests that often can't even finish in the time it takes to launch the next 
 check.
 If I increase the check-frequency too much, it will take longer to take a 
 server out of the pool in case of failure - and checks still don't 
 balance-out (or do they?).
 But they are all more or less connected: if one of them fails, it's highly 
 likely that all the others will fail, too.

 So, ideally, I'd like to have something like this:
  - check service A (maybe POP3)
  - wait maybe 30s
  - then check the next service (e.g. POP3S).
  - if one fails, remove that backend-server from the pool for all services
  - alternatively, instead of doing the above, re-schedule the checks so the 
 next check happens immediately


 Does that sound insane?
 ;-)


Hi,

maybe you could share your HAProxy configuration :)
By default, HAProxy tests a service every 3s, which is fine. It just
does a tcp connect, so nothing complicated for your server to handle.

Can you confirm that if POP fails on a server, it means that IMAP and
SMTP will fail too?
(this is what I'm understanding from your mail above).

Baptiste



Re: Can you balance-out service-checks better?

2014-08-28 Thread Rainer Duffner

Am 28.08.2014 um 22:41 schrieb Baptiste bed...@gmail.com:
 
 
 Hi,
 
 maybe you could share your HAProxy configuration :)
 By default, HAProxy tests a service every 3s, which is fine. It just
 does a tcp connect, so nothing complicated for your server to handle.
 


Since we switched to haproxy-1.5, I changed the checks to do a more or less 
full layer7-check (except for the SSL-services).
Couldn’t get a match for the IMAP string it sends, so skipped that, too.



 Can you confirm that if POP fails on a server, it means that IMAP and
 SMTP will fail too?
 (this is what I'm understanding from your mail above).
 

It’s very likely.
All use the same backend-service in the end.
There’s an additional pair of SMTP-servers here (ep01+ep02) - they are 
independent of the other two servers (pm01+pm02).
But I’d also like to limit checking there, as of course all the checks for 
smtp, smtps+submit all go to the same postfix in the end….


Here’s the config.


global
  log 127.0.0.1   local0
  log 127.0.0.1   local1 notice
  #log loghost local0 info
  maxconn 4096
  #debug
  #quiet
  user www
  group www
  daemon

defaults
  log global
  mode http
  retries 2
  timeout client 50s
  timeout connect 5s
  timeout server 50s
  option dontlognull
  option forwardfor
  option httplog
  option redispatch
  balance  roundrobin
  default-server minconn 50 maxconn 100 

# Set up application listeners here.

frontend pop3-pm
  mode tcp
  bind 192.168.185.254:110
  maxconn 2000
  default_backend pop3-pm-backend

frontend imap4-pm
  mode tcp
  bind 192.168.185.254:143
  maxconn 2000
  default_backend imap4-pm-backend

frontend pop3s-pm
  mode tcp
  bind 192.168.185.254:995
  maxconn 2000
  default_backend pop3s-pm-backend

frontend imap4s-pm
  mode tcp
  bind 192.168.185.254:993
  maxconn 2000
  default_backend imap4s-pm-backend

frontend smtp-ep
  mode tcp
  bind 192.168.185.254:25
  maxconn 2000
  default_backend smtp-ep-backend

frontend smtps-ep
  mode tcp
  bind 192.168.185.254:465
  maxconn 2000
  default_backend smtps-ep-backend

frontend submit-ep
  mode tcp
  bind 192.168.185.254:587
  maxconn 2000
  default_backend submit-ep-backend

frontend smtp-zimbra
  mode tcp
  bind 192.168.185.253:25
  maxconn 2000
  default_backend smtp-zimbra-backend

frontend http-webmail
  bind 192.168.185.254:5000
  maxconn 6000
  default_backend http-webmail-backend
#
#
#

backend pop3-pm-backend
  balance roundrobin
  mode tcp
  option tcp-check
  tcp-check expect string +OK\ POP3\ ready
  tcp-check send quit\r\n
  tcp-check expect string +OK
  server pm01  192.168.185.233:110 check inter 30s fastinter 2s downinter 2s
  server pm02  192.168.185.234:110 check inter 30s fastinter 2s downinter 2s

backend pop3s-pm-backend
  balance roundrobin
  mode tcp
#  this is ssl, so it does not work here
#  option tcp-check
#  tcp-check expect string +OK\ POP3\ ready
  server pm01  192.168.185.233:995 check inter 30s fastinter 2s downinter 2s
  server pm02  192.168.185.234:995 check inter 30s fastinter 2s downinter 2s

backend imap4-pm-backend
  balance roundrobin
  mode tcp
  option tcp-check
  tcp-check expect rstring OK\ IMAP4\ ready
  tcp-check send 001 logout\r\n
  #tcp-check expect string *\ BYE\ Zimbra\ IMAP\ server\ terminating\ 
connection\r\n001\ OK\ completed
  server pm01  192.168.185.233:143 check inter 30s fastinter 2s downinter 2s
  server pm02  192.168.185.234:143 check inter 30s fastinter 2s downinter 2s

backend imap4s-pm-backend
  balance roundrobin
  mode tcp
  server pm01  192.168.185.233:993 check inter 30s fastinter 2s downinter 2s
  server pm02  192.168.185.234:993 check inter 30s fastinter 2s downinter 2s

backend smtp-ep-backend
  balance roundrobin
  mode tcp
  option smtpchk HELO mail.this.here
  server ep01 192.168.185.198:25 check inter 45s fastinter 2s downinter 2s 
  server ep02 192.168.185.199:25 check inter 45s fastinter 2s downinter 2s

backend smtps-ep-backend
  balance roundrobin
  mode tcp
  #option smtpchk HELO mail.this.here
  server ep01 192.168.185.198:465 check inter 45s fastinter 2s downinter 2s
  server ep02 192.168.185.199:465 check inter 45s fastinter 2s downinter 2s

backend submit-ep-backend
  balance roundrobin
  mode tcp
  option smtpchk HELO mail.scalera.ch
  server ep01 192.168.185.198:587 check inter 45s fastinter 2s downinter 2s
  server ep02 192.168.185.199:587 check inter 45s fastinter 2s downinter 2s

backend smtp-zimbra-backend
  balance roundrobin
  mode tcp
  option smtpchk HELO mail.this.here
  server pm01 192.168.185.233:25 check inter 45s fastinter 2s downinter 2s
  server pm02 192.168.185.234:25 check inter 45s fastinter 2s downinter 2s

backend http-webmail-backend
  balance leastconn
  mode http
  option httpchk GET /
  #http-check expect string Webmail Login Page
  http-check expect string Web Client Login Page
  http-check disable-on-404
  cookie SERVERID insert indirect nocache
  server pm1 192.168.185.233:80 check  maxconn 3000 cookie s1 inter 10s 
fastinter 2s downinter 

Re: Can you balance-out service-checks better?

2014-08-28 Thread Baptiste
On Thu, Aug 28, 2014 at 10:51 PM, Rainer Duffner rai...@ultra-secure.de wrote:

 Am 28.08.2014 um 22:41 schrieb Baptiste bed...@gmail.com:


 Hi,

 maybe you could share your HAProxy configuration :)
 By default, HAProxy tests a service every 3s, which is fine. It just
 does a tcp connect, so nothing complicated for your server to handle.



 Since we switched to haproxy-1.5, I changed the checks to do a more or less 
 full layer7-check (except for the SSL-services).
 Couldn't get a match for the IMAP string it sends, so skipped that, too.



 Can you confirm that if POP fails on a server, it means that IMAP and
 SMTP will fail too?
 (this is what I'm understanding from your mail above).


 It's very likely.
 All use the same backend-service in the end.
 There's an additional pair of SMTP-servers here (ep01+ep02) - they are 
 independent of the other two servers (pm01+pm02).
 But I'd also like to limit checking there, as of course all the checks for 
 smtp, smtps+submit all go to the same postfix in the end


 Here's the config.


 global
   log 127.0.0.1   local0
   log 127.0.0.1   local1 notice
   #log loghost local0 info
   maxconn 4096
   #debug
   #quiet
   user www
   group www
   daemon

 defaults
   log global
   mode http
   retries 2
   timeout client 50s
   timeout connect 5s
   timeout server 50s
   option dontlognull
   option forwardfor
   option httplog
   option redispatch
   balance  roundrobin
   default-server minconn 50 maxconn 100

 # Set up application listeners here.

 frontend pop3-pm
   mode tcp
   bind 192.168.185.254:110
   maxconn 2000
   default_backend pop3-pm-backend

 frontend imap4-pm
   mode tcp
   bind 192.168.185.254:143
   maxconn 2000
   default_backend imap4-pm-backend

 frontend pop3s-pm
   mode tcp
   bind 192.168.185.254:995
   maxconn 2000
   default_backend pop3s-pm-backend

 frontend imap4s-pm
   mode tcp
   bind 192.168.185.254:993
   maxconn 2000
   default_backend imap4s-pm-backend

 frontend smtp-ep
   mode tcp
   bind 192.168.185.254:25
   maxconn 2000
   default_backend smtp-ep-backend

 frontend smtps-ep
   mode tcp
   bind 192.168.185.254:465
   maxconn 2000
   default_backend smtps-ep-backend

 frontend submit-ep
   mode tcp
   bind 192.168.185.254:587
   maxconn 2000
   default_backend submit-ep-backend

 frontend smtp-zimbra
   mode tcp
   bind 192.168.185.253:25
   maxconn 2000
   default_backend smtp-zimbra-backend

 frontend http-webmail
   bind 192.168.185.254:5000
   maxconn 6000
   default_backend http-webmail-backend
 #
 #
 #

 backend pop3-pm-backend
   balance roundrobin
   mode tcp
   option tcp-check
   tcp-check expect string +OK\ POP3\ ready
   tcp-check send quit\r\n
   tcp-check expect string +OK
   server pm01  192.168.185.233:110 check inter 30s fastinter 2s downinter 2s
   server pm02  192.168.185.234:110 check inter 30s fastinter 2s downinter 2s

 backend pop3s-pm-backend
   balance roundrobin
   mode tcp
 #  this is ssl, so it does not work here
 #  option tcp-check
 #  tcp-check expect string +OK\ POP3\ ready
   server pm01  192.168.185.233:995 check inter 30s fastinter 2s downinter 2s
   server pm02  192.168.185.234:995 check inter 30s fastinter 2s downinter 2s

 backend imap4-pm-backend
   balance roundrobin
   mode tcp
   option tcp-check
   tcp-check expect rstring OK\ IMAP4\ ready
   tcp-check send 001 logout\r\n
   #tcp-check expect string *\ BYE\ Zimbra\ IMAP\ server\ terminating\ 
 connection\r\n001\ OK\ completed
   server pm01  192.168.185.233:143 check inter 30s fastinter 2s downinter 2s
   server pm02  192.168.185.234:143 check inter 30s fastinter 2s downinter 2s

 backend imap4s-pm-backend
   balance roundrobin
   mode tcp
   server pm01  192.168.185.233:993 check inter 30s fastinter 2s downinter 2s
   server pm02  192.168.185.234:993 check inter 30s fastinter 2s downinter 2s

 backend smtp-ep-backend
   balance roundrobin
   mode tcp
   option smtpchk HELO mail.this.here
   server ep01 192.168.185.198:25 check inter 45s fastinter 2s downinter 2s
   server ep02 192.168.185.199:25 check inter 45s fastinter 2s downinter 2s

 backend smtps-ep-backend
   balance roundrobin
   mode tcp
   #option smtpchk HELO mail.this.here
   server ep01 192.168.185.198:465 check inter 45s fastinter 2s downinter 2s
   server ep02 192.168.185.199:465 check inter 45s fastinter 2s downinter 2s

 backend submit-ep-backend
   balance roundrobin
   mode tcp
   option smtpchk HELO mail.scalera.ch
   server ep01 192.168.185.198:587 check inter 45s fastinter 2s downinter 2s
   server ep02 192.168.185.199:587 check inter 45s fastinter 2s downinter 2s

 backend smtp-zimbra-backend
   balance roundrobin
   mode tcp
   option smtpchk HELO mail.this.here
   server pm01 192.168.185.233:25 check inter 45s fastinter 2s downinter 2s
   server pm02 192.168.185.234:25 check inter 45s fastinter 2s downinter 2s

 backend http-webmail-backend
   balance leastconn
   mode http
   option httpchk GET /
   #http-check expect string Webmail Login Page

Re: Can you balance-out service-checks better?

2014-08-28 Thread Rainer Duffner

Am 28.08.2014 um 23:21 schrieb Baptiste bed...@gmail.com:

 Ok,
 I would create a monitoring backend, such as below:


Hey, thanks a lot!

I will try this and report back.



Best Regards,
Rainer

Re: error when start haproxy with init script

2014-08-28 Thread Viet Nguyen Chan
Hi Daniel ,

Yup, I have used the init.haproxy but it doesn't include
$ROOT/sbin/init.d/default. Anyway, I switched to haproxy.init and it's
ok now. Thank you so much.

Best Regards,

2014-08-28 22:34 GMT+07:00 Daniel Dubovik ddubo...@godaddy.com:
 Hey there!

 There are three different init scripts in the examples directory.

 init.haproxy seems to be the one that you used, which has the include for
 $ROOT/sbin/init.d/default.

 haproxy.init is the one that is for a CentOS system.

 Thanks!
 Dan Dubovik
 Senior Linux Systems Engineer
 480-505-8800 x4257





 On 8/27/14, 10:00 PM, Viet Nguyen Chan viet...@gmail.com wrote:

Hi all,

I'm trying to build HAProxy 1.5.3 on CentOS 6.5 (64-bit). The compilation
and build is OK but when I copy init script from folder examples to
/etc/init.d and start haproxy, I got the error :

[root@myserver examples]# /etc/init.d/haproxy start
/etc/init.d/haproxy: line 14: /sbin/init.d/default: No such file or
directory

It seems that the error was caused because it cannot find the file
$ROOT/sbin/init.d/default. So what is this file? And where can I
find it?

Hope to receive your answer.

Thanks.

Best Regards,
VietNC





[PATCH] MEDIUM: enable low latency polling on systems which support it

2014-08-28 Thread Ben Burkert
Hi all,

I've started a patch to enable busy poll support for listener sockets.
It can be enabled by adding busy-poll in the bind line. For systems
that don't define SO_BUSY_POLL, building with the USE flag USE_BPS is
required.

I built & tested this on an Ubuntu trusty machine (3.13.0 kernel) and
verified with strace that the SO_BUSY_POLL socket is set (it shows up
as 0x2e /* SO_??? */, but I think that's fine).

Unfortunately, I don't have access to hardware with a network device
that supports busy polling, so i'm not able to provide any benchmarks
at this time. :-/

I look forward to everyone's feedback on these changes.

Cheers,
-Ben


0001-MEDIUM-enable-low-latency-polling-on-systems-which-s.patch
Description: Binary data