Unsubscription

2014-10-12 Thread Ivan Kurnosov
Guys, I know it's 142% offtopic here - but what do I do to unsubscribe?

Sending anything to haproxy+unsubscr...@formilux.org does not help - there is
no response sent back and it starts annoying

Thanks :-0

-- 
With best regards, Ivan Kurnosov


Strange memory usage

2014-10-12 Thread Dmitry Sivachenko
Hello!

I am using haproxy-1.5.4 on FreeBSD-10.

Upon startup, it looks like this:
  PID USERNAME  THR PRI NICE   SIZE    RES STATE   C   TIME   WCPU COMMAND
 8459 www         1  37    0 86376K 28824K CPU16  16   0:16 26.56% haproxy

(about 80MB RES)

After a few days of running, it looks like this:

  PID USERNAME  THR PRI NICE   SIZE    RES STATE   C   TIME   WCPU COMMAND
82720 www         1  36    0   244M   108M CPU29  29  29.2H 26.95% haproxy

(244MB RES).  

When I do a reload, I see that the old process is in swread state for some time,
and swap usage decreases by about 150MB when the old process finishes.

Does it mean there is a memory leak somewhere?  Is there any additional
information I could provide that would be useful?

Thanks!


Re: SNI in logs

2014-10-12 Thread Eugene Istomin
Thanks!

I missed this part of doc: "If a variable is named between square brackets 
('[' .. ']') then it is used as a sample expression rule "
---
Best regards,
Eugene Istomin

On Sunday, October 12, 2014 05:24:36 PM Baptiste wrote:
> On Fri, Oct 10, 2014 at 5:54 AM, Eugene Istomin  wrote:
> > Hello,
> > 
> > 
> > 
> > can we log SNI headers (req_ssl_sni) or generally, SNI availability
> > (ssl_fc_has_sni) the same way we log SSL version (%sslv)?
> > 
> > ---
> > 
> > Best regards,
> > 
> > Eugene Istomin
> 
> Hi Eugene,
> 
> You can log sni information using the following sample fetch on a
> log-format directive: %[ssl_fc_sni]
> 
> Baptiste




active/passive stick-table not sticky

2014-10-12 Thread Benjamin Vetter

Hi,

I'm using the example from
http://blog.haproxy.com/2014/01/17/emulating-activepassing-application-clustering-with-haproxy/
with haproxy 1.5.4 for a 3 node mysql+galera setup to implement 
active/passive'ness.


global
  log 127.0.0.1 local0
  log 127.0.0.1 local1 notice
  maxconn 8192
  uid 99
  gid 99
  debug
  stats socket /tmp/haproxy

defaults
  log global
  mode http
  option tcplog
  option dontlognull
  retries 3
  maxconn 8192
  timeout connect 5000
  timeout client 30
  timeout server 30

listen mysql-active-passive 0.0.0.0:3309
  stick-table type ip size 1
  stick on dst
  mode tcp
  balance roundrobin
  option httpchk
  server db01 192.168.0.11:3306 check port 9200 inter 12000 rise 3 fall 3 on-marked-down shutdown-sessions
  server db02 192.168.0.12:3306 check port 9200 inter 12000 rise 3 fall 3 on-marked-down shutdown-sessions backup
  server db03 192.168.0.13:3306 check port 9200 inter 12000 rise 3 fall 3 on-marked-down shutdown-sessions backup


I tested the stickiness via this tiny ruby script, which simply connects
and asks the node for its stored ip address:


require "mysql2"

loop do
  begin
    # Connect through the HAProxy listener and print which node answered
    mysql2 = Mysql2::Client.new(:port => 3309, :host => "192.168.0.10",
                                :username => "username")

    puts mysql2.query("show variables like '%wsrep_sst_rec%'").to_a
    mysql2.close
  rescue
    # Nothing
  end
end

First, everything's fine. On first run, stick-table gets updated:

# table: mysql-active-passive, type: ip, size:1, used:1
0x1c90224: key=192.168.0.10 use=0 exp=0 server_id=1

Then I shut down 192.168.0.11. Again, everything's fine, as the stick
table gets updated to:


# table: mysql-active-passive, type: ip, size:1, used:1
0x1c90224: key=192.168.0.10 use=0 exp=0 server_id=2

and all connections now go to db02.

Then I restart/repair 192.168.0.11, the stick table stays as is (fine),
such that all connections should still go to db02.

However, the output of my script now starts to say:

...
{"Variable_name"=>"wsrep_sst_receive_address", "Value"=>"192.168.0.11"}
{"Variable_name"=>"wsrep_sst_receive_address", "Value"=>"192.168.0.11"}
{"Variable_name"=>"wsrep_sst_receive_address", "Value"=>"192.168.0.11"}
{"Variable_name"=>"wsrep_sst_receive_address", "Value"=>"192.168.0.11"}
{"Variable_name"=>"wsrep_sst_receive_address", "Value"=>"192.168.0.11"}
{"Variable_name"=>"wsrep_sst_receive_address", "Value"=>"192.168.0.11"}
{"Variable_name"=>"wsrep_sst_receive_address", "Value"=>"192.168.0.11"}
{"Variable_name"=>"wsrep_sst_receive_address", "Value"=>"192.168.0.12"}
{"Variable_name"=>"wsrep_sst_receive_address", "Value"=>"192.168.0.11"}
{"Variable_name"=>"wsrep_sst_receive_address", "Value"=>"192.168.0.11"}
{"Variable_name"=>"wsrep_sst_receive_address", "Value"=>"192.168.0.11"}
{"Variable_name"=>"wsrep_sst_receive_address", "Value"=>"192.168.0.11"}
{"Variable_name"=>"wsrep_sst_receive_address", "Value"=>"192.168.0.11"}
{"Variable_name"=>"wsrep_sst_receive_address", "Value"=>"192.168.0.12"}
{"Variable_name"=>"wsrep_sst_receive_address", "Value"=>"192.168.0.11"}
{"Variable_name"=>"wsrep_sst_receive_address", "Value"=>"192.168.0.11"}
{"Variable_name"=>"wsrep_sst_receive_address", "Value"=>"192.168.0.11"}
{"Variable_name"=>"wsrep_sst_receive_address", "Value"=>"192.168.0.12"}
...

such that sometimes the connection goes to db01 and sometimes to db02.
Do you know what the problem is?

Thanks
  Benjamin




Re: HAProxy in TCP mode, but with L7 checks

2014-10-12 Thread Baptiste
On Sun, Oct 12, 2014 at 1:34 PM, Hoggins!  wrote:
> Hello list,
>
> This must be a stupid question, but I'm still wondering, because this
> would help me : I would like to perform some load-balancing between two
> HTTP / HTTPS backends. The HTTP operations do not pose a problem, and
> it's actually working absolutely fine, based on L7 checks (specific web
> page that returns OK when all the applicative checks are performed).
>
> Because the underneath application often switches from HTTP to HTTPS, I
> couldn't find a better way to balance it than to use TCP load-balancing
> to achieve this : the HTTP / HTTPS switch is handled by the application
> itself.
>
> Also, I use some websockets that I would like to load-balance.
>
> Anyway, here is the question : for my TCP mode sections, I would like to
> know if it's possible for HAProxy to take decisions based on L7 tests. I
> hope my question is clear, I'm fairly new to this and it might be a very
> fuzzy setup for an expert point of view.
>
> Thanks for your help.
>


Hi Hoggins,

Just perform your 'option httpchk' on your TCP backend.
Then you have 2 options:
- tell HAProxy that the check should be ciphered. See 'check-ssl'
- tell HAProxy to run the check on an unciphered port. See 'port'

Baptiste
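
The two options from the reply above, written out as an added example (not part of the original message). Server addresses, ports, the /health URI, the expected "OK" body and the CA file path are placeholders.

```haproxy
defaults
    mode tcp
    timeout connect 5s
    timeout client  1m
    timeout server  1m

# Option 1: traffic is relayed as plain TCP; the HTTP health check is sent
# to a separate clear-text port on each server ('port').
listen app_check_on_clear_port
    bind :443
    option httpchk GET /health
    http-check expect string OK
    server app1 192.0.2.11:443 check port 80 inter 5s rise 2 fall 3
    server app2 192.0.2.12:443 check port 80 inter 5s rise 2 fall 3

# Option 2: same TCP relay, but the health check itself is sent over TLS to
# the traffic port ('check-ssl'). 'verify required' with 'ca-file' makes the
# check validate the certificate chain presented by the server.
listen app_check_over_tls
    bind :8443
    option httpchk GET /health
    http-check expect string OK
    server app1 192.0.2.11:443 check check-ssl verify required ca-file /etc/haproxy/backend-ca.pem
    server app2 192.0.2.12:443 check check-ssl verify required ca-file /etc/haproxy/backend-ca.pem
```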



Re: SNI in logs

2014-10-12 Thread Baptiste
On Fri, Oct 10, 2014 at 5:54 AM, Eugene Istomin  wrote:
> Hello,
>
>
>
> can we log SNI headers (req_ssl_sni) or generally, SNI availability
> (ssl_fc_has_sni) the same way we log SSL version (%sslv)?
>
> ---
>
> Best regards,
>
> Eugene Istomin
>
>

Hi Eugene,

You can log sni information using the following sample fetch on a
log-format directive: %[ssl_fc_sni]

Baptiste



Re: 2 services (frontend+backend), both with cookies, failure

2014-10-12 Thread Jarno Huuskonen
Hi,

On Sat, Oct 11, Kari Mattsson wrote:
> this got repeated for 50+ times when refreshing on Chrome browser. Then to 
> Firefox..
> Oct 11 20:25:17 localhost haproxy[5179]: 10.6.159.238:4248 
> [11/Oct/2014:20:25:14.300] service_1_outside_80 service_1_inside/App_101 
> 3264/0/0/1/+3265 200 +275 - - --NI 1/1/1/1/0 0/0 {service1.example.com} {7|} 
> "GET / HTTP/1.1"
> Oct 11 20:25:22 localhost haproxy[5179]: 10.6.159.238:4252 
> [11/Oct/2014:20:25:22.854] service_2_outside_80 service_2_inside/App_142 
> 0/0/0/1/+1 200 +275 - - --NI 1/1/1/1/0 0/0 {service1.example.com} {5|} "GET / 
> HTTP/1.1"

--NI = client provided no cookie, proxy inserted one

> Oct 11 20:25:27 localhost haproxy[5179]: 10.6.159.238:4254 
> [11/Oct/2014:20:25:27.914] service_2_outside_80 service_2_inside/App_142 
> 0/0/0/1/+1 304 +120 SERVICE_2=app142 - --VN 1/1/1/1/0 0/0 
> {service1.example.com} {|} "GET / HTTP/1.1"
> Oct 11 20:27:31 localhost haproxy[5179]: 10.6.159.238:4283 
> [11/Oct/2014:20:27:31.947] service_1_outside_80 service_1_inside/App_101 
> 0/0/0/1/+1 200 +237 SERVICE_1=app101 - --VN 1/1/1/1/0 0/0 
> {service1.example.com} {7|} "GET / HTTP/1.1"
> 
> Looks like browser will not receive a cookie for the first 2 page loads.
> On third it received... but a wrong cookie.

--VN = client provided valid cookie, proxy didn't set cookie
On the third log line what was supposed to happen ?
Looks like haproxy received SERVICE_2=app142 cookie and the connection
was sent to service_2_inside/App_142

> After 2 minutes fourth reload, and it will receive the right cookie.
> Reloading page from this on, keeps it on the browser right frontend/backend.
> Weird.

What are those {service1.example.com} {7|} in logs ? I'm assuming that
SERVICE_1=/SERVICE_2=... is capture cookie SERVICE_1
or capture cookie SERVICE_2 ? 

> Now back to Chrome again for one more page reload:
> Oct 11 20:29:28 localhost haproxy[5179]: 10.6.159.238:4311 
> [11/Oct/2014:20:29:28.561] service_2_outside_80 service_2_inside/App_141 
> 0/0/1/0/+1 200 +237 SERVICE_2=app141 - --VN 1/1/1/1/0 0/0 
> {service1.example.com} {5|} "GET / HTTP/1.1"
> 
> Damn. Chrome falls to wrong frontend/backend.

Where the connection from chrome should have gone ? 

> One more. Firefox, 2 page re-loads for service1.example.com:
> Oct 11 20:31:52 localhost haproxy[5179]: 10.6.159.238:4350 
> [11/Oct/2014:20:31:52.023] service_2_outside_80 service_2_inside/App_142 
> 0/0/0/1/+1 200 +237 SERVICE_2=app142 - --VN 1/1/1/1/0 0/0 
> {service1.example.com} {5|} "GET / HTTP/1.1"
> Oct 11 20:31:55 localhost haproxy[5179]: 10.6.159.238:4352 
> [11/Oct/2014:20:31:55.419] service_1_outside_80 service_1_inside/App_101 
> 0/0/0/1/+1 200 +237 SERVICE_1=app101 - --VN 1/1/1/1/0 0/0 
> {service1.example.com} {7|} "GET / HTTP/1.1"
> 
> ...first wrong, then right. So, it is flip-flopping.

Is the {service1.example.com} captured host header ? The connection goes
to two different frontends (first goes to service_2_outside_80 and
second goes to service_1_outside_80). Should it have gone to the same
frontend ?

Do you have multiple ip addresses for service1.example.com in
/etc/hosts or dns ? (one address for service_1_outside_80 and one for
service_2_outside_80 ?) 
 
> > - you could also use tcpdump to see what cookies firefox <-> haproxy
> >   send/receive ?

Sorry, what I had in mind was to use tcpdump/wireshark to see what
cookies the client(browser) receives/sends to haproxy (for example follow
tcp stream in wireshark).
You can probably use chrome developer tools (ctrl+shift+i) (network)
to see the request/response headers. (Or firebug with firefox).

> Changing from cookie stickiness to source ip...
>   stick-table type ip
>   stick on src
> ...also makes no difference. Same erroneous behaviour.

Do you see any entries in the stick table ? Something like
echo "show table service_2_inside" | nc -U /path/to/stats.socket
(or with socat instead of nc -U).

-Jarno

-- 
Jarno Huuskonen
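
To make the cookie flags and the frontend flip-flop discussed above easier to see, this added example (not part of the original thread) parses three of the quoted log lines, decodes the third and fourth characters of the termination state, and reports any client/host pair that reached more than one frontend. It assumes the first captured request header is the Host header, which the thread asks about but does not confirm.

```python
import re
from collections import defaultdict

LINE = re.compile(
    r'haproxy\[\d+\]: (?P<client>[\d.]+):\d+ \[(?P<ts>[^\]]+)\] (?P<frontend>\S+) '
    r'(?P<backend>[^/\s]+)/(?P<server>\S+) \S+ (?P<status>\d{3}) \S+ '
    r'(?P<req_cookie>\S+) (?P<res_cookie>\S+) (?P<term>\S{4}) \S+ \S+ \{(?P<hdrs>[^}]*)\}')

# 3rd/4th characters of the termination state: cookie seen from client, action by proxy.
CLIENT_COOKIE = {"N": "no cookie", "I": "invalid cookie", "D": "cookie for a down server",
                 "V": "valid cookie", "E": "expired cookie", "O": "old cookie",
                 "U": "cookie present but unused", "-": "n/a"}
PROXY_ACTION = {"N": "none", "I": "inserted", "U": "updated", "P": "passed server cookie",
                "R": "rewrote server cookie", "D": "deleted server cookie", "-": "n/a"}

SAMPLE = [  # three log lines quoted in the thread, mail line-wrapping removed
    'Oct 11 20:25:22 localhost haproxy[5179]: 10.6.159.238:4252 [11/Oct/2014:20:25:22.854] '
    'service_2_outside_80 service_2_inside/App_142 0/0/0/1/+1 200 +275 - - --NI 1/1/1/1/0 0/0 '
    '{service1.example.com} {5|} "GET / HTTP/1.1"',
    'Oct 11 20:25:27 localhost haproxy[5179]: 10.6.159.238:4254 [11/Oct/2014:20:25:27.914] '
    'service_2_outside_80 service_2_inside/App_142 0/0/0/1/+1 304 +120 SERVICE_2=app142 - --VN '
    '1/1/1/1/0 0/0 {service1.example.com} {|} "GET / HTTP/1.1"',
    'Oct 11 20:27:31 localhost haproxy[5179]: 10.6.159.238:4283 [11/Oct/2014:20:27:31.947] '
    'service_1_outside_80 service_1_inside/App_101 0/0/0/1/+1 200 +237 SERVICE_1=app101 - --VN '
    '1/1/1/1/0 0/0 {service1.example.com} {7|} "GET / HTTP/1.1"',
]

def parse(line):
    """Return one log line's fields plus decoded cookie flags, or None if it does not match."""
    m = LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["client_cookie"] = CLIENT_COOKIE.get(rec["term"][2], "unknown")
    rec["proxy_action"] = PROXY_ACTION.get(rec["term"][3], "unknown")
    rec["host"] = rec["hdrs"].split("|")[0]  # assumption: first captured header is Host
    return rec

def split_hosts(lines):
    """Return {(client, host): [frontends...]} for pairs that reached more than one frontend."""
    seen = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        seen[(rec["client"], rec["host"])].append(rec["frontend"])
    return {k: v for k, v in seen.items() if len(set(v)) > 1}

if __name__ == "__main__":
    for r in filter(None, map(parse, SAMPLE)):
        print(r["ts"], r["frontend"], r["req_cookie"], r["client_cookie"], r["proxy_action"])
    print("more than one frontend:", split_hosts(SAMPLE))
```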



HAProxy in TCP mode, but with L7 checks

2014-10-12 Thread Hoggins!
Hello list,

This must be a stupid question, but I'm still wondering, because this
would help me : I would like to perform some load-balancing between two
HTTP / HTTPS backends. The HTTP operations do not pose a problem, and
it's actually working absolutely fine, based on L7 checks (specific web
page that returns OK when all the applicative checks are performed).

Because the underneath application often switches from HTTP to HTTPS, I
couldn't find a better way to balance it than to use TCP load-balancing
to achieve this : the HTTP / HTTPS switch is handled by the application
itself.

Also, I use some websockets that I would like to load-balance.

Anyway, here is the question : for my TCP mode sections, I would like to
know if it's possible for HAProxy to take decisions based on L7 tests. I
hope my question is clear, I'm fairly new to this and it might be a very
fuzzy setup for an expert point of view.

Thanks for your help.


