Check cookie with backend1 before forwarding to backend2

2014-10-28 Thread Julian Pawlowski
Hi folks,

I was wondering if there is a way to have HAproxy check for an existing Cookie 
the client sends and have it verify with a specific backend (say backend1). 
Based on that backend's HTTP error code (e.g. 200 or 403), HAproxy should allow 
forwarding to backend2. Of course this would need to be checked for every 
request but as this is not a high traffic site that wouldn’t be an issue.

Some more insights:

I’m currently having a backend whose backend server does not support any user 
authentication. As of today this backend is protected via HTTP Basic Auth.
Another backend in fact does strong user authentication and sets a session 
cookie for identification. This cookie is also sent to the backend I’m 
currently protecting with basic auth but the backend is unable to verify this 
cookie in any way. The other backend could of course, e.g. using a simple PHP 
script just sending back 200 or 403.

Can I somehow write an ACL in HAproxy to achieve this kind of behavior? I was 
studying the docs very carefully but fear I wasn’t able to extract any way out 
of it.

Thanks for helping me out once more.


Regards,
Julian


I have a question about haproxy.

2014-10-28 Thread Masato Yamaji
Nice to meet you.

I have a question about haproxy.

Question: Is it the address here?

Best regards

masato.y


Re: email alerts

2014-10-28 Thread Ben Cabot
Hello Andrey,

As Maik has previously mentioned that patch will only work on the older
version. We have someone working on an updated patch but cannot supply an
ETA at the moment as there are a couple of other things in the queue before
it.



On 24 October 2014 12:59, Andrey Zakabluk a.zakab...@velcom.by wrote:

 Hi!
 I use HA-Proxy version 1.5.6 2014/10/18/ . Red hat 6.

 I want to use alerts via mail. I found information about this:
 ---
 Patch HAProxy
 So this brings us on to option 3 patch HAProxy to send the alerts, after
 all how hard can it be?
 As I don’t really want to write my own SMTP client or use any other
 libraries, let’s go with the easy option of using mailx from the mailutils
 package as we know it works. The following was written for HAProxy dev18.
 Now I’m no developer so take the code more of a proof of concept instead of
 something to add to your production environment.

 Most of the work is already done for us, as HAProxy has functions for
 setting a server up or down and also has an array containing the server
 name, server’s status etc. So all we need to do is add our own function to
 send the email and parse the email address from the configuration file.

 This is done in the following patch files:
 cfgparse.c
 checks.c
 log.c
 global.h

 So in the configuration file I have added the option “email_alert” to the
 global section with to and from address.

 http://blog.loadbalancer.org/3-ways-to-send-haproxy-health-check-email-alerts/
 -

 I tried to add the text from the patch file at the end of the original file and
 make the haproxy file.
 /opt/haproxy/global.h.diff  /opt/haproxy/include/types/global.h

 cat /opt/haproxy/cfgparse.diff /opt/haproxy/haproxy-1.5.6/src/cfgparse.c

 cat /opt/haproxy/log.diff /opt/haproxy/haproxy-1.5.6/src/log.c

 cat /opt/haproxy/checks.diff /opt/haproxy/haproxy-1.5.6/src/checks.c


 And while compiling I get an error:

 [webadmin@srv-lb-qa haproxy-1.5.6_with_diff]$ make TARGET=linux2628
 CPU=generic
 gcc -Iinclude -Iebtree -Wall  -O2 -g -fno-strict-aliasing
  -DCONFIG_HAP_LINUX_SPLICE -DTPROXY -DCONFIG_HAP_LINUX_TPROXY
 -DCONFIG_HAP_CRYPT -DENABLE_POLL -DENABLE_EPOLL -DUSE_CPU_AFFINITY
 -DASSUME_SPLICE_WORKS -DUSE_ACCEPT4 -DNETFILTER -DUSE_GETSOCKNAME
 -DCONFIG_HAPROXY_VERSION=\1.5.6\ -DCONFIG_HAPROXY_DATE=\2014/10/18\ \
   -DBUILD_TARGET='linux2628' \
   -DBUILD_ARCH='' \
   -DBUILD_CPU='generic' \
   -DBUILD_CC='gcc' \
   -DBUILD_CFLAGS='-O2 -g -fno-strict-aliasing' \
   -DBUILD_OPTIONS='' \
-c -o src/haproxy.o src/haproxy.c
 In file included from include/proto/proxy.h:28,
  from include/common/cfgparse.h:30,
  from src/haproxy.c:61:
 include/types/global.h:207: error: expected identifier or ‘(’ before ‘--’
 token
 include/types/global.h:209: error: stray ‘@’ in program
 include/types/global.h:209: error: stray ‘@’ in program
 include/types/global.h:209: error: stray ‘@’ in program
 include/types/global.h:209: error: stray ‘@’ in program
 include/types/global.h:213: error: expected identifier or ‘(’ before ‘+’
 token
 include/types/global.h:215: error: expected identifier or ‘(’ before ‘+’
 token
 include/types/global.h:216: error: expected identifier or ‘(’ before ‘+’
 token
 In file included from src/haproxy.c:76:
 include/types/global.h:207: error: expected identifier or ‘(’ before ‘--’
 token
 include/types/global.h:209: error: stray ‘@’ in program
 include/types/global.h:209: error: stray ‘@’ in program
 include/types/global.h:209: error: stray ‘@’ in program
 include/types/global.h:209: error: stray ‘@’ in program
 include/types/global.h:213: error: expected identifier or ‘(’ before ‘+’
 token
 include/types/global.h:215: error: expected identifier or ‘(’ before ‘+’
 token
 include/types/global.h:216: error: expected identifier or ‘(’ before ‘+’
 token
 In file included from include/proto/channel.h:35,
  from src/haproxy.c:85:
 include/types/global.h:207: error: expected identifier or ‘(’ before ‘--’
 token
 include/types/global.h:209: error: stray ‘@’ in program
 include/types/global.h:209: error: stray ‘@’ in program
 include/types/global.h:209: error: stray ‘@’ in program
 include/types/global.h:209: error: stray ‘@’ in program
 include/types/global.h:213: error: expected identifier or ‘(’ before ‘+’
 token
 include/types/global.h:215: error: expected identifier or ‘(’ before ‘+’
 token
 include/types/global.h:216: error: expected identifier or ‘(’ before ‘+’
 token
 make: *** [src/haproxy.o] Error 1



 Please help me! I don't know how to use patch(




-- 
LOADBALANCER.ORG LTD.
www.loadbalancer.org
supp...@loadbalancer.org


Re: Check cookie with backend1 before forwarding to backend2

2014-10-28 Thread Julian Pawlowski
On 28.10.2014, at 10:13, Julian Pawlowski jul...@pawlowski.me wrote:
 I was wondering if there is a way to have HAproxy check for an existing 
 Cookie the client sends and have it verify with a specific backend (say 
 backend1). Based on that backend's HTTP error code (e.g. 200 or 403), HAproxy 
 should allow forwarding to backend2. Of course this would need to be checked 
 for every request but as this is not a high traffic site that wouldn’t be an 
 issue.

Okay I guess I made some progress. Maybe that helps for somebody else to give 
me a helping hand in completing this.

My primary backend application now once sends a customized header like these 
after the user was successfully authorized:

X-APPNAME-AllowUser: APPSESSION=lkjhgsadkfjhsadjfhg
X-APPNAME-Validity: UNIXTIMESTAMP-until-session-ends
Location: /backend2

I think I can now add some ACLs in the HAproxy configuration of my primary 
backend:

acl allowAPPNAMEUser res.hdr(X-APPNAME-AllowUser) -m found
acl disallowAPPNAMEUser res.hdr(X-APPNAME-DisallowUser) -m found
http-response set-map(/var/lib/haproxy/appname_user_sessions.lst) %[res.hdr(X-APPNAME-AllowUser)] %[res.hdr(X-APPNAME-Validity)] if allowAPPNAMEUser
http-response del-map(/var/lib/haproxy/appname_user_sessions.lst) %[res.hdr(X-APPNAME-DisallowUser)] if disallowAPPNAMEUser

I tried these but don’t know if they are actually working cause I wasn’t able 
to get anything about it from the logfiles.
Also the map files are not written, even though I created empty files and 
ensured r/w access for the HAproxy daemon user.

For /backend2, I think I might just need to add an ACL to my frontend similar 
to this but I’m not sure:
use_backend bk_backend2 if { hdr_sub(cookie),map_str(/var/lib/haproxy/appname_user_sessions.lst) -m found }

About session expiration: I think I cannot have HAproxy make any cleanups on 
its own besides using the info should a user explicitly use the logout function 
via the primary backend (X-APPNAME-DisallowUser ...). The plan is to have a 
cronjob running cleaning the appname_user_sessions.lst based on the second 
column I added from X-APPNAME-Validity header.

However, I’m still stuck into this somehow.
Any help would be very much appreciated (it’s for an OpenSource project if that 
counts).


Many thanks in advance.

Julian
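
Added example, not part of Julian's post or of HAProxy: Python code for the decision the frontend rule is meant to make (known session, exact cookie match, not yet expired) and for the cleanup the planned cron job would do. It assumes the session list holds `key expiry` lines with the key in the `APPSESSION=value` form of the header above; the optional leading reference column, the sample data and all function names are assumptions. `set-map` and `del-map` change only the map held in memory and never write the file, so the purge is expressed as `del map` commands for the stats socket.

```python
import time

MAP = "/var/lib/haproxy/appname_user_sessions.lst"  # path used in the post
COOKIE = "APPSESSION"                               # cookie name from the post

def load_sessions(text):
    """Parse 'key expiry' lines (map-file layout). A leading '<ref>' column,
    assumed here for stats-socket dumps, is ignored."""
    sessions = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, expiry = parts[-2], parts[-1]
        try:
            sessions[key] = int(expiry)
        except ValueError:
            sessions[key] = 0  # unparsable expiry: treat as already expired
    return sessions

def cookie_value(header, name=COOKIE):
    """Exact cookie-name match; a substring test on the header would also
    accept 'XAPPSESSION=...' or a longer value sharing a prefix."""
    for pair in header.split(";"):
        k, sep, v = pair.strip().partition("=")
        if sep and k == name:
            return v
    return None

def allowed(header, sessions, now=None):
    """True only for a known, unexpired session (fail closed otherwise)."""
    now = int(time.time()) if now is None else now
    value = cookie_value(header)
    if value is None:
        return False
    return sessions.get(f"{COOKIE}={value}", 0) > now

def purge_commands(sessions, now=None):
    """Stats-socket 'del map' lines for every expired key."""
    now = int(time.time()) if now is None else now
    return [f"del map {MAP} {k}" for k, exp in sorted(sessions.items()) if exp <= now]

# Constructed sample data (not from the post).
SAMPLE = """\
APPSESSION=lkjhgsadkfjhsadjfhg 1414500000
APPSESSION=oldoldold 1414400000
"""
```

Because a `-m found` lookup ignores the stored expiry, an expired entry keeps granting access until it is deleted; `allowed` checks the timestamp on every request instead.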


multiple installations on the same machine

2014-10-28 Thread jeff saremi
could i install multiple instances of HAProxy on one machine? How? thanks
  

Re: Running multiple haproxy instances to use multiple cores efficiently

2014-10-28 Thread Conrad Hoffmann
Hey Chris,

we've been running haproxy with nbproc 12 for quite a while now and it
works great for us. We haven't even gotten around to tying interrupts to
certain cores, works pretty well without. No need for multiple config
files either.

Cheers,
Conrad

On 10/27/2014 07:41 PM, Chris Allen wrote:
 We're running haproxy on a 2x4 core Intel E5-2609 box. At present
 haproxy is running on
 a single core and saturating that core at about 15,000 requests per second.
 
 Our application has four distinct front-ends (listening on four separate
 ports) so it would be
 very easy for us to run four haproxy instances, each handling one of the
 four front-ends.
 
 This should then allow us to use four of our eight cores. However we
 won't be able to tie hardware
 interrupts to any particular core.
 
 Is this arrangement likely to give us a significant performance boost?
 Or are we heading for trouble because
 we can't tie interrupts to any particular core?
 
 Any advice would be much appreciated. Many thanks,
 
 Chris.
 
 



Re: the order of evaluation of acl's

2014-10-28 Thread Conrad Hoffmann
Hi,

On 10/24/2014 02:12 PM, jeff saremi wrote:
 What is the order of evaluation of 'and's and 'or's in a use_backend clause?
 
 This is what the docs say:
  [!]acl1 [!]acl2 ... [!]acln  { or [!]acl1 [!]acl2 ... [!]acln } ...
 
 and apparently i cannot use parentheses to group them. However i need to 
 write something like the following:
 use_backend some_backend if ( ( acl1 acl2) or (acl3 acl4) ) or acl5

Why not just break it down into several lines:

use_backend some_backend if acl1 acl2
use_backend some_backend if acl3 acl4
use_backend some_backend if acl5

Especially if you care about the order of execution, this concern is
much more explicitly expressed this way.

Regards,
Conrad
-- 
Conrad Hoffmann
Traffic Engineer

SoundCloud Ltd. | Rheinsberger Str. 76/77, 10115 Berlin, Germany

Managing Director: Alexander Ljung | Incorporated in England & Wales
with Company No. 6343600 | Local Branch Office | AG Charlottenburg |
HRB 110657B



Connection pooling and the Connection header

2014-10-28 Thread Conrad Hoffmann
Hey all,

can someone give me a very brief summary of how haproxy handles its
connection pooling when the backend server sends Connection: close
and/or HTTP/1.0?

Or, to be more specific, we have (for certain traffic) an haproxy
instance as backend for another haproxy. We are seeing huge increases in
sessions_cur when one of the all-the-way-back-ends fail. I noticed
that haproxy itself responds with HTTP/1.0 and Connection: close when
a backend is unavailable. Would that mess with the connection pooling of
the front-most haproxy? And, if so, would there be any way to change this
behaviour?

We cannot rule out that this is an issue caused by how clients react to
the errors, but I would nevertheless love to gain some insight into this
scenario. Any hints would be greatly appreciated!

Thanks,
Conrad
-- 
Conrad Hoffmann
Traffic Engineer

SoundCloud Ltd. | Rheinsberger Str. 76/77, 10115 Berlin, Germany

Managing Director: Alexander Ljung | Incorporated in England & Wales
with Company No. 6343600 | Local Branch Office | AG Charlottenburg |
HRB 110657B



RE: Connection pooling and the Connection header

2014-10-28 Thread Lukas Tribus
Hi Conrad,


 Hey all,

 can someone give me a very brief summary of how haproxy handles its
 connection pooling when the backend server sends Connection: close
 and/or HTTP/1.0?

Simple: there is no connection pooling at all (yet). When a backend emits
Connection: close:

- the Connection: close is propagated to the client
- all connections belonging to that session (both front and backend) are
closed.



 Or, to be more specific, we have (for certain traffic) an haproxy
 instance as backend for another haproxy. We are seeing huge increases in
 sessions_cur when one of the all-the-way-back-ends fail. I noticed
 that haproxy itself responds with HTTP/1.0 and Connection: close when
 a backend is unavailable. Would that mess with the connection pooling of
 the front-most haproxy? And, if so, would there be any way to change this
 behaviour?

 We cannot rule out that this is an issue caused by how clients react to
 the errors, but I would nevertheless love to gain some insight into this
 scenario. Any hints would be greatly appreciated!

Well, since the connection is closed, the client will probably retry and if
there is no backup backend that can serve the connection, the client may
continuously retry, some more aggressively than others, depending on browser
and application I suspect.


I'm not sure what you expect to happen? Do you have a backup backend
that can take the load when the primary fails? Then there should be no
problem because the client (when retrying) will be switched to the secondary
backend, and everything will work fine. Otherwise, if there is no secondary
backend, the application will not work anyway.

If maxconn is properly configured, an increase in sessions_cur should not
lead to any problems.




Regards,

Lukas




  


RE: multiple installations on the same machine

2014-10-28 Thread Lukas Tribus
Hi Jeff,


 could i install multiple instances of HAProxy on one machine?

Why would you do that exactly? Please explain, because I feel
like you are doing it for the wrong reasons. Maybe what you
are trying to achieve can be done more efficiently.



 How?

Would you like to *install* multiple instances, or would you
just like to *start* multiple instances with different configurations?



Lukas

  


RE: multiple installations on the same machine

2014-10-28 Thread jeff saremi
One reason for that would be to separate the flow and configuration of 
different systems.
If i use the same installation for multiple systems (propelled by different 
teams and agendas) then each time the config file is touched, all systems are 
likely to be affected and hence the changes would need to be tested against all 
their requirements. However if i use the same server but different instances, my 
changes to the configuration would be impacting only the corresponding system.

 From: luky...@hotmail.com
 To: jeffsar...@hotmail.com; haproxy@formilux.org
 Subject: RE: multiple installations on the same machine
 Date: Tue, 28 Oct 2014 19:17:52 +0100
 
 Hi Jeff,
 
 
  could i install multiple instances of HAProxy on one machine?
 
 Why would you do that exactly? Please explain, because I feel
 like you are doing it for the wrong reasons. Maybe what you
 are trying to achieve can be done more efficiently.
 
 
 
  How?
 
 Would you like to *install* multiple instances, or would you
 just like to *start* multiple instances with different configurations?
 
 
 
 Lukas
 
 
  

RE: multiple installations on the same machine

2014-10-28 Thread Lukas Tribus
 One reason for that would be to separate the flow and configuration of  
 different systems. 
 If i use the same installation for multiple systems (propelled by  
 different teams and agendas) 
 then each time the config file is touched, all systems are likely to be  
 affected and hence the changes would need to be tested against all  
 their requirements. 
 However if i use the same server but different instances, my changes to  
 the configuration would be impacting only the corresponding system. 

If that's the issue then I would suggest to install it to different boxes or VMs.

Otherwise, HAproxy can be started or installed multiple times without
any problem, but you will have to adjust configurations, init-scripts, etc, for
example to use unique PID files.

You probably also want different chroot paths.


Lukas

  

