Config reload to take out backend server still getting traffic

2014-12-10 Thread Kasim
Hi,

I am running haproxy on Ubuntu 14.04. After I added the following config:
stick-table type ip size 2m expire 5m
stick on src

Taking out a server and reloading haproxy still sends traffic to that
server even after the stick table expires. For example, I have
server s1 
server s2 

After commenting s1 out and reloading config, s1 still gets traffic. This
does not happen without the stick-table and stick on config.

Any pointer or explanation? Could not find it in the doc or online.


Thanks,


-Kasim

==

Experience is more about knowing what should be avoided

than what should be done. -- Kasim



Re: rand(x) output limited to x/2

2014-12-10 Thread Willy Tarreau
On Wed, Dec 10, 2014 at 10:33:59AM +0100, Vincent Bernat wrote:
> ❦ 10 December 2014 06:00 +0100, Willy Tarreau:
> 
> >> > Assuming that RAND_MAX is always a power of two - 1, 32 could be
> >> > replaced by a precomputed value of ffs(RAND_MAX+1)-1.
> >> 
> >> ebtree defines a fls64() function which seems best suited (RAND_MAX+1
> >> could overflow). Here is a proposed patch for this:
> >
> > Good catch, but I'd rather simply divide by ((u64)RAND_MAX + 1) and
> > let gcc notice it's a power of two and implement a hard-coded constant
> > shift. There are a lot of things gcc doesn't figure well, but divides
> > and multiplies are generally performed optimally :-)
> 
> So, here is an updated patch:

Thank you Vincent, I've now applied it to both 1.5 and 1.6.

Cheers,
Willy
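
The reduction discussed in this thread, as an added example that is not HAProxy's code: it compares the fixed 32-bit shift with the division by ((u64)RAND_MAX + 1) for a 31-bit RAND_MAX (GNU libc) and for the POSIX minimum of 32767. The function names and the sweep used in place of random() are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GLIBC_RAND_MAX     0x7fffffffU  /* 2^31 - 1, the GNU libc value */
#define POSIX_MIN_RAND_MAX 32767U       /* smallest RAND_MAX POSIX allows */

/* Behaviour before the fix: multiply, then always shift by 32 bits.
 * This is only correct if the raw value spans a full 32 bits. */
static uint32_t reduce_shift32(uint32_t r, uint32_t range)
{
    return (uint32_t)(((uint64_t)r * range) >> 32);
}

/* Behaviour after the fix: divide by RAND_MAX + 1. The cast comes first
 * so that the +1 is done in 64 bits and cannot overflow. */
static uint32_t reduce_div(uint32_t r, uint32_t range, uint32_t rand_max)
{
    return (uint32_t)(((uint64_t)r * range) / ((uint64_t)rand_max + 1));
}

/* Hypothetical helper: pick one of the two reductions. */
static uint32_t reduce(int use_div, uint32_t r, uint32_t range,
                       uint32_t rand_max)
{
    return use_div ? reduce_div(r, range, rand_max)
                   : reduce_shift32(r, range);
}

/* Sweep raw values evenly over [0, rand_max] (a deterministic stand-in
 * for calling random() many times) and count how many distinct results
 * in [0, range) the chosen reduction can produce. range must be <= 256. */
static unsigned distinct_outputs(int use_div, uint32_t range,
                                 uint32_t rand_max)
{
    unsigned char seen[256];
    unsigned count = 0;
    uint64_t step = ((uint64_t)rand_max + 1) / 4096;
    uint64_t r;
    uint32_t i, v;

    if (range == 0 || range > sizeof(seen) || step == 0)
        return 0;
    memset(seen, 0, sizeof(seen));

    for (r = 0; r <= rand_max; r += step) {
        v = reduce(use_div, (uint32_t)r, range, rand_max);
        if (v < range)
            seen[v] = 1;
    }
    /* Always include the largest raw value. */
    v = reduce(use_div, rand_max, range, rand_max);
    if (v < range)
        seen[v] = 1;

    for (i = 0; i < range; i++)
        count += seen[i];
    return count;
}

int main(void)
{
    const uint32_t range = 100;  /* constructed sample: rand(100) */

    printf("RAND_MAX=2^31-1 shift32: max=%u distinct=%u\n",
           reduce_shift32(GLIBC_RAND_MAX, range),
           distinct_outputs(0, range, GLIBC_RAND_MAX));
    printf("RAND_MAX=2^31-1 divide : max=%u distinct=%u\n",
           reduce_div(GLIBC_RAND_MAX, range, GLIBC_RAND_MAX),
           distinct_outputs(1, range, GLIBC_RAND_MAX));
    printf("RAND_MAX=32767  shift32: distinct=%u\n",
           distinct_outputs(0, range, POSIX_MIN_RAND_MAX));
    printf("RAND_MAX=32767  divide : distinct=%u\n",
           distinct_outputs(1, range, POSIX_MIN_RAND_MAX));
    return 0;
}
```

With a 31-bit RAND_MAX the shift only ever reaches the lower half of the requested range, which is the symptom in the thread subject; with a 15-bit RAND_MAX it collapses to a single value.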




Re: [PATCH] MINOR: session: add option to force response on connection/keepalive session errors

2014-12-10 Thread Tait Clarridge
On Wed, Dec 10, 2014 at 10:27 AM, Mathias Bogaert
 wrote:
> Would this keep the session open when using errorfile?
>
We have errorfiles that we explicitly set Connection: close for the
client to re-establish a new connection. From my limited understanding
(still trying to figure all this wonderful code out),
stream_int_retnclose should take care of tearing down the
channels/session. Is that not the case?

I have been running this in "production" for about a month and it is
not leaking memory/fds/sockets.
It seems to adequately cover a case we were seeing where the
connection would be closed without a response and there was a status
code of -1 in the logs when:
- connection failures with retries set to or equaled 0
- session error in the server data phase (sometimes)



Re: [PATCH] MINOR: session: add option to force response on connection/keepalive session errors

2014-12-10 Thread Mathias Bogaert
Would this keep the session open when using errorfile?

On Wed, Dec 10, 2014 at 3:10 PM, Tait Clarridge  wrote:

> Sometimes it is necessary to respond to all requests that HAProxy
> receives from clients and
> to not have to wait for the client to retry.
>
> This adds an option called http-respond-on-error, where if there is an
> error in connecting to
> a server or during the session, the proxy will respond with a 504 to
> the client instead of closing the
> session without a response. This is mostly useful for server-to-server
> integrations where the client
> always expects a valid HTTP response for each of their requests and
> will never retry.
>
> This option, when enabled, will also return 504s during keepalive
> sessions if an abort is signalled.
> ---
>  doc/configuration.txt | 17 ++
>  include/types/proxy.h |  3 ++-
>  src/cfgparse.c|  1 +
>  src/proto_http.c  | 10 +++--
>  src/session.c | 61
> +--
>  5 files changed, 72 insertions(+), 20 deletions(-)
>
> diff --git a/doc/configuration.txt b/doc/configuration.txt
> index aa6baab..40c2caf 100644
> --- a/doc/configuration.txt
> +++ b/doc/configuration.txt
> @@ -1353,6 +1353,7 @@ option http-pretend-keepalive(*)  X
> X X X
>  option http-server-close (*)  X  X X X
>  option http-tunnel   (*)  X  X X X
>  option http-use-proxy-header (*)  X  X X -
> +option http-respond-on-error (*)  X  X X X
>  option httpchkX  - X X
>  option httpclose (*)  X  X X X
>  option httplogX  X X X
> @@ -4360,6 +4361,22 @@ no option http-use-proxy-header
>   http-server-close".
>
>
> +option http-respond-on-error
> +no option http-respond-on-error
> +  Force valid HTTP response on connection or server response error
> +  May be used in sections :   defaults | frontend | listen | backend
> + yes   |yes   |   yes  |   yes
> +  Arguments : none
> +
> +  Sometimes it is necessary to always serve a valid HTTP response and
> not rely on the
> +  client to issue a retry. This is most useful in a server-to-server
> integration where
> +  the client expects a valid response for every request that is made.
> +
> +  When this option is set, any aborted connection or response will
> trigger a valid HTTP
> +  response, and it is best used on backends or proxies where retries
> are disabled.
> +
> +  See also : "retries".
> +
>  option httpchk
>  option httpchk 
>  option httpchk  
> diff --git a/include/types/proxy.h b/include/types/proxy.h
> index 748f4aa..3481046 100644
> --- a/include/types/proxy.h
> +++ b/include/types/proxy.h
> @@ -143,7 +143,8 @@ enum pr_mode {
>  #define PR_O2_SRC_ADDR 0x0010  /* get the source ip and port
> for logs */
>
>  #define PR_O2_FAKE_KA   0x0020  /* pretend we do keep-alive
> with server eventhough we close */
> -/* unused: 0x0040 */
> +#define PR_O2_RESP_ERR  0x0040 /* Always send back response
> on aborted connection or error */
> +
>  #define PR_O2_EXP_NONE  0x  /* http-check : no expect rule */
>  #define PR_O2_EXP_STS   0x0080  /* http-check expect status */
>  #define PR_O2_EXP_RSTS  0x0100  /* http-check expect rstatus */
> diff --git a/src/cfgparse.c b/src/cfgparse.c
> index c8b1546..146377b 100644
> --- a/src/cfgparse.c
> +++ b/src/cfgparse.c
> @@ -189,6 +189,7 @@ static const struct cfg_opt cfg_opts2[] =
> { "tcp-smart-connect",PR_O2_SMARTCON,  PR_CAP_BE, 0, 0
> },
> { "independant-streams",  PR_O2_INDEPSTR,
> PR_CAP_FE|PR_CAP_BE, 0, 0 },
> { "independent-streams",  PR_O2_INDEPSTR,
> PR_CAP_FE|PR_CAP_BE, 0, 0 },
> +   { "http-respond-on-error",PR_O2_RESP_ERR,
> PR_CAP_FE|PR_CAP_BE, 0, PR_MODE_HTTP},
> { "http-use-proxy-header",PR_O2_USE_PXHDR, PR_CAP_FE,
> 0, PR_MODE_HTTP },
> { "http-pretend-keepalive",   PR_O2_FAKE_KA,
> PR_CAP_FE|PR_CAP_BE, 0, PR_MODE_HTTP },
> { "http-no-delay",PR_O2_NODELAY,
> PR_CAP_FE|PR_CAP_BE, 0, PR_MODE_HTTP },
> diff --git a/src/proto_http.c b/src/proto_http.c
> index f19a69b..e84fd11 100644
> --- a/src/proto_http.c
> +++ b/src/proto_http.c
> @@ -6182,7 +6182,7 @@ skip_content_length:
>  * The client is required to retry. We need to close without
> returning
>  * any other information so that the client retries.
>  */
> -   txn->status = 0;
> +
> rep->analysers = 0;
> s->req->analysers = 0;
> channel_auto_close(rep);
> @@ -6190,7 +6190,13 @@ skip_content_length:
> s->logs.level = 0;
> s->rep->flags &= ~CF_EXPECT_MORE; /* speed up sending a

[PATCH] MINOR: session: add option to force response on connection/keepalive session errors

2014-12-10 Thread Tait Clarridge
Sometimes it is necessary to respond to all requests that HAProxy
receives from clients and
to not have to wait for the client to retry.

This adds an option called http-respond-on-error, where if there is an
error in connecting to
a server or during the session, the proxy will respond with a 504 to
the client instead of closing the
session without a response. This is mostly useful for server-to-server
integrations where the client
always expects a valid HTTP response for each of their requests and
will never retry.

This option, when enabled, will also return 504s during keepalive
sessions if an abort is signalled.
---
 doc/configuration.txt | 17 ++
 include/types/proxy.h |  3 ++-
 src/cfgparse.c|  1 +
 src/proto_http.c  | 10 +++--
 src/session.c | 61 +--
 5 files changed, 72 insertions(+), 20 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index aa6baab..40c2caf 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -1353,6 +1353,7 @@ option http-pretend-keepalive(*)  X
X X X
 option http-server-close (*)  X  X X X
 option http-tunnel   (*)  X  X X X
 option http-use-proxy-header (*)  X  X X -
+option http-respond-on-error (*)  X  X X X
 option httpchkX  - X X
 option httpclose (*)  X  X X X
 option httplogX  X X X
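Review bot: the new "option http-respond-on-error" row is added after "option http-use-proxy-header", which breaks the alphabetical order the surrounding rows follow (http-pretend-keepalive, http-server-close, http-tunnel, http-use-proxy-header, httpchk). Move it between "option http-pretend-keepalive" and "option http-server-close" so the keyword matrix stays sorted.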
@@ -4360,6 +4361,22 @@ no option http-use-proxy-header
  http-server-close".


+option http-respond-on-error
+no option http-respond-on-error
+  Force valid HTTP response on connection or server response error
+  May be used in sections :   defaults | frontend | listen | backend
+ yes   |yes   |   yes  |   yes
+  Arguments : none
+
+  Sometimes it is necessary to always serve a valid HTTP response and
not rely on the
+  client to issue a retry. This is most useful in a server-to-server
integration where
+  the client expects a valid response for every request that is made.
+
+  When this option is set, any aborted connection or response will
trigger a valid HTTP
+  response, and it is best used on backends or proxies where retries
are disabled.
+
+  See also : "retries".
+
 option httpchk
 option httpchk 
 option httpchk  
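Review bot: the description added for "option http-respond-on-error" only says a "valid HTTP response" is sent and never names the status; the commit message and the proto_http.c change both use 504, so the text should say that a 504 is returned. It should also cover the keepalive abort case that the commit message mentions, and the section is placed after http-use-proxy-header rather than in its alphabetical position.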
diff --git a/include/types/proxy.h b/include/types/proxy.h
index 748f4aa..3481046 100644
--- a/include/types/proxy.h
+++ b/include/types/proxy.h
@@ -143,7 +143,8 @@ enum pr_mode {
 #define PR_O2_SRC_ADDR 0x0010  /* get the source ip and port
for logs */

 #define PR_O2_FAKE_KA   0x0020  /* pretend we do keep-alive
with server eventhough we close */
-/* unused: 0x0040 */
+#define PR_O2_RESP_ERR  0x0040 /* Always send back response
on aborted connection or error */
+
 #define PR_O2_EXP_NONE  0x  /* http-check : no expect rule */
 #define PR_O2_EXP_STS   0x0080  /* http-check expect status */
 #define PR_O2_EXP_RSTS  0x0100  /* http-check expect rstatus */
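Review bot: the lines of this hunk are wrapped as they appear here (for example "on aborted connection or error */" sits on its own line after "+#define PR_O2_RESP_ERR", and the context comment for PR_O2_SRC_ADDR is split the same way), so the patch will not apply in this form; please resend it unwrapped or as an attachment. The hunk also adds an empty "+" line after the new define, which can be dropped if it is not meant to separate the option flags from the http-check values.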
diff --git a/src/cfgparse.c b/src/cfgparse.c
index c8b1546..146377b 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -189,6 +189,7 @@ static const struct cfg_opt cfg_opts2[] =
{ "tcp-smart-connect",PR_O2_SMARTCON,  PR_CAP_BE, 0, 0 },
{ "independant-streams",  PR_O2_INDEPSTR,
PR_CAP_FE|PR_CAP_BE, 0, 0 },
{ "independent-streams",  PR_O2_INDEPSTR,
PR_CAP_FE|PR_CAP_BE, 0, 0 },
+   { "http-respond-on-error",PR_O2_RESP_ERR,
PR_CAP_FE|PR_CAP_BE, 0, PR_MODE_HTTP},
{ "http-use-proxy-header",PR_O2_USE_PXHDR, PR_CAP_FE,
0, PR_MODE_HTTP },
{ "http-pretend-keepalive",   PR_O2_FAKE_KA,
PR_CAP_FE|PR_CAP_BE, 0, PR_MODE_HTTP },
{ "http-no-delay",PR_O2_NODELAY,
PR_CAP_FE|PR_CAP_BE, 0, PR_MODE_HTTP },
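Review bot: in the added cfg_opts2 entry, "PR_MODE_HTTP}," lacks the space before the closing brace that the neighbouring entries use ("PR_MODE_HTTP },"). The entry sets PR_CAP_FE|PR_CAP_BE, which is consistent with the frontend and backend test in proto_http.c, so only the spacing needs fixing.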
diff --git a/src/proto_http.c b/src/proto_http.c
index f19a69b..e84fd11 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -6182,7 +6182,7 @@ skip_content_length:
 * The client is required to retry. We need to close without returning
 * any other information so that the client retries.
 */
-   txn->status = 0;
+
rep->analysers = 0;
s->req->analysers = 0;
channel_auto_close(rep);
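Review bot: the comment kept above the removed "txn->status = 0;" still says the proxy must "close without returning any other information so that the client retries", which is no longer true when the option is set; update the comment to describe both behaviours. The removal also leaves an empty "+" line in its place, which should be dropped.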
@@ -6190,7 +6190,13 @@ skip_content_length:
s->logs.level = 0;
s->rep->flags &= ~CF_EXPECT_MORE; /* speed up sending a
previous response */
bi_erase(rep);
-   stream_int_retnclose(rep->cons, NULL);
+   if (s->fe->options2 & PR_O2_RESP_ERR || s->be->options2 &
PR_O2_RESP_ERR) {
+   txn->status = 504;
+   stream_int_retnclose(rep->cons, http_error_message(s,
HTTP_ERR_504));
+   } else {
+   txn->status
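Review bot: the condition "s->fe->options2 & PR_O2_RESP_ERR || s->be->options2 & PR_O2_RESP_ERR" relies on & binding tighter than ||; write it as "(s->fe->options2 | s->be->options2) & PR_O2_RESP_ERR" or parenthesise each test so the intent is explicit. The surrounding comment describes a case where the client is expected to retry rather than a timeout, so the commit message or the documentation should also say why 504 was chosen for this path.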

Re: using HAProxy in front of SSO

2014-12-10 Thread Baptiste
On Wed, Dec 10, 2014 at 5:35 AM, Vivek Malik  wrote:
> Hi,
>
> AFAIK, Haproxy doesn't have a subrequest feature.
>
> However, there are other design solutions possible to make Haproxy as
> SSO filter. I am using Haproxy in a similar fashion. I have coded my
> SSO to notify Haproxy whenever a new SSO authentication session is
> added. Haproxy adds that session id to the map. When a request comes
> to Haproxy, it checks the map for the session id. If session id is not
> present, haproxy is set to respond with 302 to the login page.
>
> You can do the same with a stick_table too instead of a map. However,
> you will need in_table() function which is only present in
> 1.6-devel as of now.
>
> Regards,
> Vivek

A safer alternative would be to use HAProxy Enterprise.
It embeds all necessary features in a stable (and supported) HAProxy:
  http://haproxy.com/doc/hapee/1.5/introduction.html#backported-features

Baptiste











>
> On Tue, Dec 9, 2014 at 6:54 PM, Patrick Kaeding
>  wrote:
>> Hello
>>
>> I'm interested in using HAProxy as my external-facing proxy, in front
>> of my applications. I want to implement an SSO application to handle
>> authentication (similar to what is described here:
>> http://dejanglozic.com/2014/10/07/sharing-micro-service-authentication-using-nginx-passport-and-redis/).
>>
>> Nginx has the ngx_http_auth_request_module
>> (http://nginx.org/en/docs/http/ngx_http_auth_request_module.html),
>> which looks like it would work well, but I am wondering if I can do
>> this with HAProxy, and not need Nginx as a second layer in front of my
>> applications.
>>
>> Can HAProxy make subrequests to determine how to handle the incoming
>> request? Are there any resources I should check out to help with this?
>>
>> Thanks!
>> --
>> Patrick Kaeding
>> pkaed...@launchdarkly.com
>>
>



Re: Modify http response code

2014-12-10 Thread Baptiste
On Wed, Dec 10, 2014 at 3:06 PM, Philipp
 wrote:
> On 10.12.2014 14:55, Dennis Jacobfeuerborn wrote:
>
>> Hi,
>> is there a way to modify the http code of a response? Right now I use a
>> backup server to deliver a static maintenance page but I want it to be
>> delivered with a 503 code instead of 200. Is there a way to modify the
>> response code like this?
>
>
> I did this approach, e.g. using a dedicated backend instead of 'backup'.
> Shortened snippet, but you'd get the idea.
>
> frontend man
>  default_backend man-maint
>  acl www1nb nbsrv(man-www1) gt 0
>  use_backend man-www1 if www1 www1nb
>
> backend man-maint
>  rsprep ^HTTP/1.1\ 200\ OK HTTP/1.0\ 503\ Service\ Unavailable
>  server local_maint localhost:8001
>

I would rather use:
  rspirep ^HTTP/1\..\ 200\ OK HTTP/1.0\ 503\ Service\ Unavailable\r\nConnection:\ Close

Baptiste



Re: Modify http response code

2014-12-10 Thread Philipp

On 10.12.2014 14:55, Dennis Jacobfeuerborn wrote:

Hi,
is there a way to modify the http code of a response? Right now I use a
backup server to deliver a static maintenance page but I want it to be
delivered with a 503 code instead of 200. Is there a way to modify the
response code like this?


I did this approach, e.g. using a dedicated backend instead of 'backup'.
Shortened snippet, but you'd get the idea.

frontend man
 default_backend man-maint
 acl www1nb nbsrv(man-www1) gt 0
 use_backend man-www1 if www1 www1nb

backend man-maint
 rsprep ^HTTP/1.1\ 200\ OK HTTP/1.0\ 503\ Service\ Unavailable
 server local_maint localhost:8001



Re: Modify http response code

2014-12-10 Thread Baptiste
On Wed, Dec 10, 2014 at 2:55 PM, Dennis Jacobfeuerborn
 wrote:
> Hi,
> is there a way to modify the http code of a response? Right now I use a
> backup server to deliver a static maintenance page but I want it to be
> delivered with a 503 code instead of 200. Is there a way to modify the
> response code like this?
>
> Regards,
>   Dennis
>


Hi Dennis,

Yes you can using rspirep.

Baptiste



Re: HAProxy and LDAP authentication

2014-12-10 Thread Baptiste
On Wed, Dec 10, 2014 at 2:44 PM, LAGARDE ANTOINE
 wrote:
> Hi,
>
> I've been browsing the mailing list and the documentation but I didn't find
> a way to authenticate users using LDAP (and not userlist in configuration)
>
> I used to have an apache reverse proxying my zimbra mail server that doesn't
> work anymore with 8.5.1GA. I used to have in my httpd.conf :
>
>   AuthType Basic
>   AuthName "Blablabla"
>   AuthBasicProvider ldap
>   AuthLDAPBindDN "CN=xx,CN=Users,DC=xx,DC=local"
>   AuthLDAPBindPassword "neverguess"
>   AuthLDAPURL "ldap://someip:port/dc=xx,dc=local?sAMAccountName?sub?(objectClass=*)" NONE
>   Require ldap-group CN=g_somegroup,OU=SomeOU,DC=xx,DC=local
>
> Is there a way to get a similar behavior in HAProxy ?
>
> Regards,
> --
> Antoine LAGARDE
> Technicien Supérieur Informatique
> Référent équipe système - CIL
> Centre Hospitalier Pierre Oudot
> 30 Avenue du Médipole
> 38300 BOURGOIN-JALLIEU
> Tél : 04.69.15.70.39
> Fax : 04.69.15.71.00
> a.laga...@ch-bourgoin.fr



Hi Antoine,

HAProxy can't do this, unfortunately.

Baptiste



Modify http response code

2014-12-10 Thread Dennis Jacobfeuerborn
Hi,
is there a way to modify the http code of a response? Right now I use a
backup server to deliver a static maintenance page but I want it to be
delivered with a 503 code instead of 200. Is there a way to modify the
response code like this?

Regards,
  Dennis



HAProxy and LDAP authentication

2014-12-10 Thread LAGARDE ANTOINE
Hi, 

I've been browsing the mailing list and the documentation but I didn't find a 
way to authenticate users using LDAP (and not userlist in configuration) 

I used to have an apache reverse proxying my zimbra mail server that doesn't
work anymore with 8.5.1GA. I used to have in my httpd.conf :

AuthType Basic
AuthName "Blablabla"
AuthBasicProvider ldap
AuthLDAPBindDN "CN=xx,CN=Users,DC=xx,DC=local"
AuthLDAPBindPassword "neverguess"
AuthLDAPURL "ldap://someip:port/dc=xx,dc=local?sAMAccountName?sub?(objectClass=*)" NONE
Require ldap-group CN=g_somegroup,OU=SomeOU,DC=xx,DC=local

Is there a way to get a similar behavior in HAProxy ?

Regards,
-- 
Antoine LAGARDE 
Technicien Supérieur Informatique 
Référent équipe système - CIL 
Centre Hospitalier Pierre Oudot 
30 Avenue du Médipole 
38300 BOURGOIN-JALLIEU 
Tél : 04.69.15.70.39 
Fax : 04.69.15.71.00 
a.laga...@ch-bourgoin.fr 


Re: Override maintainance setting for special source IP

2014-12-10 Thread Baptiste
On Wed, Dec 10, 2014 at 1:39 PM, Philipp Kolmann
 wrote:
> Hi Baptiste,
>
> On 10.12.14 at 12:37, Baptiste wrote:
>>
>> Which version of HAProxy are you running? In 1.5, you can do: use-server
>> htc1 if { src 10.0.0.1 } add as many IPs as needed.
>
>
> Yes I am on 1.5 already. This use-Server directive is specified in the
> config file? or can I push this change via admin-socket?

You must set it by configuration file, but you can update its content
by the stats socket or an HTTP request:
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#add%20acl
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#http-request
(http-request add-acl)

Cheers



Re: Override maintainance setting for special source IP

2014-12-10 Thread Philipp Kolmann

Hi Baptiste,

On 10.12.14 at 12:37, Baptiste wrote:
> Which version of HAProxy are you running? In 1.5, you can do:
> use-server htc1 if { src 10.0.0.1 } add as many IPs as needed.


Yes I am on 1.5 already. This use-Server directive is specified in the
config file? or can I push this change via admin-socket?


thanks
Philipp



--
---
DI Mag. Philipp Kolmann  mail: kolm...@zid.tuwien.ac.at
Technische Universitaet Wien  web: www.zid.tuwien.ac.at
Zentraler Informatikdienst (ZID) tel: +43(1)58801-42011
Wiedner Hauptstr. 8-10, A-1040 WienDVR: 0005886
---




Re: Override maintainance setting for special source IP

2014-12-10 Thread Baptiste
On Wed, Dec 10, 2014 at 12:34 PM, Philipp Kolmann
 wrote:
> Hi,
>
> we use HAproxy in front of an Exchange 2010 System to balance the load. It
> works very well.
>
> Now we have an issue with one HubTransport Server in the Exchange Farm. I
> have set this Server to maintenance via admin socket:
>
> echo "disable server mail-intern/htc1" | socat stdio /var/run/haproxy-admin.sock
>
>
> Config:
>
> listen mail-intern
> bind 128.130.30.55:25 transparent name smtp
> bind 128.130.30.55:80 transparent name http
> bind 128.130.30.55:135 transparent name loc-srv
> bind 128.130.30.55:143 transparent name imap
> bind 128.130.30.55:443 transparent name https
> bind 128.130.30.55:587 transparent name submission
> bind 128.130.30.55:993 transparent name imaps
> bind 128.130.30.55:60001 transparent name RPC_60001
> bind 128.130.30.55:60002 transparent name RPC_60002
> mode tcp
> maxconn 1
> log-format %ci:%cp\ [%t]\ %ft\ %s\ %si:%sp\ %Tw/%Tc/%Tt\ %B\ %ts\
> %ac/%fc/%bc/%sc/%rc\ %sq/%bq
> balance leastconn
> stick-table type ip size 10240k expire 60m peers ha-cluster
> stick on src
>
>server  htc1 128.130.30.51: maxconn 1 check
> server  htc2 128.130.30.52: maxconn 1 check
>
>
>
> All clients are now redirected to htc2 and don't see the troublesome htc1.
>
> We now would like to debug this issue and specify special source ip
> addresses that get routed to the htc1 in maintenance mode. Is this
> possible?
>
> thanks
> Philipp
>
> --
> ---
> DI Mag. Philipp Kolmann  mail: kolm...@zid.tuwien.ac.at
> Technische Universitaet Wien  web: www.zid.tuwien.ac.at
> Zentraler Informatikdienst (ZID) tel: +43(1)58801-42011
> Wiedner Hauptstr. 8-10, A-1040 WienDVR: 0005886
> ---
>


Hi Philip,

Which version of HAProxy are you running?

In 1.5, you can do:
use-server htc1 if { src 10.0.0.1 }

add as many IPs as needed.

Baptiste



Re: connection pooling

2014-12-10 Thread Baptiste
On Wed, Dec 10, 2014 at 10:10 AM, Aleksandar Lazic  wrote:
> Hi.
>
> On 09-12-2014 22:04, Pavlos Parissis wrote:
>
>> Hi,
>>
>> It has been mentioned that 1.5 version doesn't support connection
>> pooling, meaning that 1 TCP session to a backend server can serve
>> multiple HTTP requests originated from more than 1 client.
>>
>> Do you guys have plans to introduce this functionality in 1.6 release?
>
>
> There is something like a Roadmap for 1.6 from 2014-07-25
>
> http://marc.info/?t=14063093641&r=1&w=2
>
>> Cheers,
>> Pavlos
>
>
> C A
>

Well, given the experience of 'http-keep-alive', Willy doesn't want to
promise any feature for any version any more :)
So it may happen in 1.6, or later.

Baptiste



Override maintainance setting for special source IP

2014-12-10 Thread Philipp Kolmann

Hi,

we use HAproxy in front of an Exchange 2010 System to balance the load. It
works very well.

Now we have an issue with one HubTransport Server in the Exchange Farm.
I have set this Server to maintenance via admin socket:

echo "disable server mail-intern/htc1" | socat stdio /var/run/haproxy-admin.sock

Config:

listen mail-intern
    bind 128.130.30.55:25 transparent name smtp
    bind 128.130.30.55:80 transparent name http
    bind 128.130.30.55:135 transparent name loc-srv
    bind 128.130.30.55:143 transparent name imap
    bind 128.130.30.55:443 transparent name https
    bind 128.130.30.55:587 transparent name submission
    bind 128.130.30.55:993 transparent name imaps
    bind 128.130.30.55:60001 transparent name RPC_60001
    bind 128.130.30.55:60002 transparent name RPC_60002
    mode tcp
    maxconn 1
    log-format %ci:%cp\ [%t]\ %ft\ %s\ %si:%sp\ %Tw/%Tc/%Tt\ %B\ %ts\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq

    balance leastconn
    stick-table type ip size 10240k expire 60m peers ha-cluster
    stick on src

    server  htc1 128.130.30.51: maxconn 1 check
    server  htc2 128.130.30.52: maxconn 1 check

All clients are now redirected to htc2 and don't see the troublesome htc1.

We now would like to debug this issue and specify special source ip
addresses that get routed to the htc1 in maintenance mode. Is this
possible?


thanks
Philipp

--
---
DI Mag. Philipp Kolmann  mail: kolm...@zid.tuwien.ac.at
Technische Universitaet Wien  web: www.zid.tuwien.ac.at
Zentraler Informatikdienst (ZID) tel: +43(1)58801-42011
Wiedner Hauptstr. 8-10, A-1040 WienDVR: 0005886
---




Re: eliminate per-server queuing?

2014-12-10 Thread Baptiste
On Fri, Dec 5, 2014 at 7:20 PM, Daniel Lieberman
 wrote:
> On Dec 5, 2014, at 5:21 AM, Baptiste  wrote:
>>
>> On Thu, Dec 4, 2014 at 11:50 PM, Daniel Lieberman
>>  wrote:
>>> We have a situation where our app servers sometimes get into a bad state, 
>>> and hitting a working server is more important than enforcing persistence.  
>>> Generally the number of connections to a bad server grows rapidly, so we've 
>>> set a maxconn value on the server line which effectively takes a server out 
>>> of the pool when the bad state occurs.
>>>
>>> If we fill up the connection slots, the server is almost definitely bad, so 
>>> we'd rather not queue at all.  Since maxqueue 0 means unlimited, it looks 
>>> like the minimum queue size is 1.  Is that right?  Is there any way to 
>>> enforce a redispatch whenever we're at maxconn, without any connections 
>>> getting queued?
>>>
>>> Thanks,
>>> -Daniel
>>
>>
>> hi Daniel,
>>
>> We can do this :)
>> I just need to know how you do persistence currently.
>> Please send us your simplest frontend and backend configuration.
>>
>> Baptiste
>
> We do cookie-based persistence, but also use balance source to use consistent 
> backends on browsers which don't support cookies (relevant for a significant 
> fraction of the mobile users of this app).  (In our case, switching app 
> servers results an annoying UI quirk, but doesn't break the session.)
>
> Here's one of the relevant fe/be configs (lightly sanitized):
>
> frontend service1
>   bind 1.2.3.4:80
>   bind 1.2.3.4:81 accept-proxy
>   bind-process 1
>   default_backend service1
>
> backend service1
>   bind-process 1
>   balance source
>   hash-type consistent wt6 avalanche
>   option forwardfor
>   option http-server-close
>   option http-pretend-keepalive
>   option httplog
>   option httpchk GET /healthCheck.htm HTTP/1.1\r\nHost:\ example.com
>
>   cookie SERVERID insert indirect
>
>   server app1  app1:8080 cookie app1 maxconn 25 maxqueue 5 weight 100 check
>   server app2  app2:8080 cookie app2 maxconn 25 maxqueue 5 weight 100 check
> [and many more app servers]
>
>
> Thanks,
> -Daniel



Hi Daniel,

Here is my proposition:

In your frontend, you monitor the cookie and the number of established
connections to the server.
You switch to another farm with another algorithm when the server is full.
This farm will choose another server and a new cookie will be
generated, compatible with the service one.
That said, there may be collisions (the round robin algorithm could
redirect you to the server already chosen by the source IP hash).
Second issue, if the client doesn't send any cookie, then it will
bypass the rules :/

An alternative to the way below would be to use a use-server rule in the
service1 backend, but it would have the limitation as above + a
snowball effect since all the traffic from a server would be forced to
go to a single alternative one.

frontend service1
  bind 1.2.3.4:80
  bind 1.2.3.4:81 accept-proxy
  bind-process 1

  use_backend bk_roundrobin if { req.cook(SERVERID) app1 } { srv_conn(service1/app1) ge 25 }
  use_backend bk_roundrobin if { req.cook(SERVERID) app2 } { srv_conn(service1/app2) ge 25 }

  default_backend service1


backend service1
  bind-process 1
  balance source
  hash-type consistent wt6 avalanche
  option forwardfor
  option http-server-close
  option http-pretend-keepalive
  option httplog
  option httpchk GET /healthCheck.htm HTTP/1.1\r\nHost:\ example.com

  cookie SERVERID insert indirect

  server app1  app1:8080 cookie app1 maxconn 25 maxqueue 5 weight 100 check
  server app2  app2:8080 cookie app2 maxconn 25 maxqueue 5 weight 100 check

backend bk_roundrobin
  bind-process 1
  balance roundrobin
  option forwardfor
  option http-server-close
  option http-pretend-keepalive
  option httplog
  option httpchk GET /healthCheck.htm HTTP/1.1\r\nHost:\ example.com

  cookie SERVERID insert indirect

  server app1  app1:8080 cookie app1 maxconn 25 maxqueue 5 weight 100 check
  server app2  app2:8080 cookie app2 maxconn 25 maxqueue 5 weight 100 check



Re: rand(x) output limited to x/2

2014-12-10 Thread Vincent Bernat
 ❦ 10 December 2014 06:00 +0100, Willy Tarreau:

>> > Assuming that RAND_MAX is always a power of two - 1, 32 could be
>> > replaced by a precomputed value of ffs(RAND_MAX+1)-1.
>> 
>> ebtree defines a fls64() function which seems best suited (RAND_MAX+1
>> could overflow). Here is a proposed patch for this:
>
> Good catch, but I'd rather simply divide by ((u64)RAND_MAX + 1) and
> let gcc notice it's a power of two and implement a hard-coded constant
> shift. There are a lot of things gcc doesn't figure well, but divides
> and multiplies are generally performed optimally :-)

So, here is an updated patch:

From ec4e0abebcb2258cba550820b316d30137310a52 Mon Sep 17 00:00:00 2001
From: Vincent Bernat 
Date: Wed, 10 Dec 2014 10:31:37 +0100
Subject: [PATCH] BUG/MEDIUM: sample: fix random number upper-bound

random() will generate a number between 0 and RAND_MAX. POSIX mandates
RAND_MAX to be at least 32767. GNU libc uses (1<<31 - 1) as
RAND_MAX.

In smp_fetch_rand(), a reduction is done with a multiply and shift to
avoid skewing the results. However, the shift was always 32 and hence
the numbers were not distributed uniformly in the specified range. We
fix that by dividing by RAND_MAX+1. gcc is smart enough to turn that
into a shift:

    0x0046ecc8 <+40>:    shr    $0x1f,%rax
---
 src/sample.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/sample.c b/src/sample.c
index 0ffc76daf3a9..00345a8940eb 100644
--- a/src/sample.c
+++ b/src/sample.c
@@ -1824,7 +1824,7 @@ smp_fetch_rand(struct proxy *px, struct session *s, void *l7, unsigned int opt,
 
 	/* reduce if needed. Don't do a modulo, use all bits! */
 	if (args && args[0].type == ARGT_UINT)
-		smp->data.uint = ((uint64_t)smp->data.uint * args[0].data.uint) >> 32;
+		smp->data.uint = ((uint64_t)smp->data.uint * args[0].data.uint) / ((u64)RAND_MAX+1);
 
 	smp->type = SMP_T_UINT;
 	smp->flags |= SMP_F_VOL_TEST | SMP_F_MAY_CHANGE;
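Review bot: the added line in smp_fetch_rand() casts the divisor with (u64) while the multiplication in the same expression uses (uint64_t); use one spelling for both, preferably uint64_t since that is what the surrounding code already uses. The comment above the statement ("reduce if needed. Don't do a modulo, use all bits!") should also say that the result stays below args[0].data.uint only while smp->data.uint is at most RAND_MAX, since the division now depends on that bound and nothing in the hunk checks it.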
-- 
2.1.3

-- 
10.0 times 0.1 is hardly ever 1.0.
- The Elements of Programming Style (Kernighan & Plauger)
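
The effect this thread is about, as an added example that is not part of the original message or of HAProxy's code: with a generator whose top value is 2^31 - 1, the ">> 32" reduction only ever reaches the lower half of the requested range, while dividing by RAND_MAX+1 reaches all of it. SIM_RAND_MAX, reduce_shift32(), reduce_div() and buckets_hit() are names made up for this sketch.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for glibc's RAND_MAX (2^31 - 1), so the result
 * does not depend on the RAND_MAX of the platform compiling this. */
#define SIM_RAND_MAX 2147483647u

/* Reduction before the fix: treats the input as spanning a full 32 bits. */
static uint32_t reduce_shift32(uint32_t r, uint32_t n)
{
	return (uint32_t)(((uint64_t)r * n) >> 32);
}

/* Reduction after the fix: scales by the real size of the input range. */
static uint32_t reduce_div(uint32_t r, uint32_t n)
{
	return (uint32_t)(((uint64_t)r * n) / ((uint64_t)SIM_RAND_MAX + 1));
}

/* Sweep the input range with a fixed stride and count how many of the n
 * output values (n <= 64) are ever produced. */
static unsigned buckets_hit(uint32_t (*reduce)(uint32_t, uint32_t), uint32_t n)
{
	unsigned char seen[64] = {0};
	unsigned hit = 0;
	uint64_t r;
	uint32_t i;

	if (n > 64)
		return 0;
	for (r = 0; r <= SIM_RAND_MAX; r += 65521) /* stride keeps the sweep fast */
		seen[reduce((uint32_t)r, n)] = 1;
	seen[reduce(SIM_RAND_MAX, n)] = 1; /* always include the top input */
	for (i = 0; i < n; i++)
		hit += seen[i];
	return hit;
}

int main(void)
{
	printf("rand(10) values reached:  >>32: %u  /(RAND_MAX+1): %u\n",
	       buckets_hit(reduce_shift32, 10), buckets_hit(reduce_div, 10));
	printf("largest rand(100) output: >>32: %u  /(RAND_MAX+1): %u\n",
	       reduce_shift32(SIM_RAND_MAX, 100), reduce_div(SIM_RAND_MAX, 100));
	return 0;
}
```

Any rule that compares rand(100) against a percentage threshold is affected in the same way: with the old reduction, values of 50 and above never occur.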


Re: connection pooling

2014-12-10 Thread Aleksandar Lazic

Hi.

On 09-12-2014 22:04, Pavlos Parissis wrote:

> Hi,
>
> It has been mentioned that 1.5 version doesn't support connection
> pooling, meaning that 1 TCP session to a backend server can serve
> multiple HTTP requests originated from more than 1 client.
>
> Do you guys have plans to introduce this functionality in 1.6 release?


There is something like a Roadmap for 1.6 from 2014-07-25

http://marc.info/?t=14063093641&r=1&w=2


> Cheers,
> Pavlos


C A



Re: connection pooling

2014-12-10 Thread Pavlos Parissis
On 9 December 2014 at 23:55, Baptiste  wrote:

> On Tue, Dec 9, 2014 at 10:04 PM, Pavlos Parissis
>  wrote:
> > Hi,
> >
> > It has been mentioned that 1.5 version doesn't support connection
> > pooling, meaning that 1 TCP session to a backend server can serve
> > multiple HTTP requests originated from more than 1 client.
> >
> > Do you guys have plans to introduce this functionality in 1.6 release?
> >
> > Cheers,
> > Pavlos
> >
>
> Hi Pavlos,
>
> I'm speaking on behalf of Willy, so he may complete my answer.
> I don't know if this will be available in 1.6, but in order to support
> HTTP/2.0, HAProxy will have to support connection pooling.
>
>
OK, kill two birds with one stone, great :-)
Pavlos