Re: Lua patchset merged
On Tue, Mar 10, 2015 at 12:40:03AM +0100, Thierry FOURNIER wrote:
> On Mon, 09 Mar 2015 22:11:56 +0100 Cyril Bonté cyril.bo...@free.fr wrote:
>> I've also seen this commit:
>> MEDIUM: lua: use the Lua-5.3 version of the library [1]
>> This one may be annoying in the short term for some users, because Lua 5.3 is not available in all distributions (for example Debian, Ubuntu, ...). Currently for such distributions, it requires recompiling Lua 5.3 with a small patch to generate the .so dynamic library. For those who want to make some tests, you can have a look at [2] and [3] and the patches they both provide.
>
> Arg, you're right :(. Lua 5.3 is required for the session timeout. In the same way, it is necessary for the forced yield. This system forces a yield and permits haproxy to get the hand back for processing other things than Lua. With version 5.2, this is not possible without frequent Lua errors.
>
> Maybe I can do cohabitation for the 5.2 and 5.3 versions. The forced yield will be deactivated with a 5.2 compilation. The execution timeout remains active. But I'm not sure that is a good idea.

Given that there's no way to break an infinite loop before 5.2 and that Lua will be used by people who experiment with scripts, I'd rather stick to 5.3 unless someone finds an acceptable workaround working with 5.2. I'd rather avoid seeing people report unresponsive haproxy just because of bugs in their Lua scripts :-/

Willy
Re: Lua patchset merged
On Tue, Mar 10, 2015 at 02:08:40AM +0100, Thierry FOURNIER wrote:
> On Tue, 10 Mar 2015 01:05:50 +0100 Cyril Bonté cyril.bo...@free.fr wrote:
>> Hi again,
>> On 10/03/2015 00:40, Thierry FOURNIER wrote:
>>> On Mon, 09 Mar 2015 22:11:56 +0100 Cyril Bonté cyril.bo...@free.fr wrote:
>>>> I've seen new commits that have been merged on the git repository. The bad news is that the previous test that I reported (sending a response larger than the buffer) doesn't work anymore :-/ Resulting in:
>>>> [ALERT] 067/220744 (27176) : Lua function 'hello_world': execution timeout.
>>>
>>> Hi Cyril,
>>> This is due to the implementation of the Lua execution timeout. This is a system used to prevent loops in scripts. The timeout is set by default to 4s. You can see tune.lua.session-timeout, tune.lua.task-timeout and tune.lua.forced-yield:
>>> http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#tune.lua.session-timeout
>>
>> Of course, but it shouldn't take 4 seconds, the answer is immediate in my test case. Actually, I could find that it was reproducible beginning with a response greater than or equal to 16392 bytes (I've not read the code yet).
>
> Thank you Cyril, the bug is partially reproduced and fixed (the buffer is not sent, but the error timeout is after 4 seconds as expected). I attach the patch. I think that Willy must check this patch, because it is possible that the comparison which I modified did make sense.

Cool, will merge all this, thanks guys.

Willy
frequent NOSRV/SC log hits behind AWS ELB
Hello,

I am running haproxy version 1.5.11 on EC2 instances behind an AWS load balancer. Lately I am noticing a lot of 503 forbidden logs with SC as termination state due to a NOSRV error. My backend servers (which are behind an ELB of their own) are all healthy and responsive. Moreover, I set a loop that checks port 80 between haproxy and backend servers, and it never failed; it was checking the connection every 10 ms.

This is a log sample:

Mar 10 10:33:50 api haproxy[1056]: 172.16.100.169:15235 [10/Mar/2015:10:33:50.905] API API/NOSRV 8/-1/-1/-1/8 503 213 - - SC-- 79/79/0/0/0 0/0 {177.103.215.19|Dalvik/1.6.0 (Linux; U; Android 4.4.4; XT1032 Build/KXB21.14-L1.} POST /api/v2.3/androidevent?buildnumber=1.10 HTTP/1.1

And this is my current config:

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    maxconn 65000
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL).
    ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 1
    timeout client 5
    timeout server 5
    # users which we are redirecting nowhere, for example rejected, will die in 50 ms
    timeout tarpit 50
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
    balance roundrobin
    # keeps keep-alive between client and proxy but disables it between proxy and backend
    option http-server-close
    option forwardfor
    option redispatch
    retries 99

frontend API
    bind *:80
    maxconn 6
    # Blacklist: Deny access to some IPs before anything else is checked
    tcp-request content reject if { src -f /etc/haproxy/blacklist.lst }
    http-request set-header X-custom-http-scheme %[hdr(X-Forwarded-Proto)]
    stick-table type ip size 500k expire 30s store conn_cur,conn_rate(10s),http_req_rate(10s),http_err_rate(10s)
    option http-server-close
    # elb logs public ips
    capture request header X-Forwarded-For len 50
    capture request header User-Agent len 64
    acl network_allowed src x.x.x.x
    acl restricted_page path_beg /restricted
    http-request deny if restricted_page !network_allowed
    # direct uris to proper elb
    acl uri_api path_beg /api
    acl uri_wdev path_beg /wdev
    acl uri_staging path_beg /staging
    use_backend api if uri_api
    use_backend wdev if uri_wdev
    use_backend staging if uri_staging
    default_backend API

backend API
    server API ELB_CNAME:80 check

backend wdev
    server wdev ELB_CNAME:80 check

backend staging
    server staging ELB_CNAME:80 check
Re: frequent NOSRV/SC log hits behind AWS ELB
On Tue, Mar 10, 2015 at 11:48 AM, Roland RoLaNd r_o_l_a_...@hotmail.com wrote:
> Hello, I am running haproxy version 1.5.11 on EC2 instances behind an AWS load balancer. Lately I am noticing a lot of 503 forbidden logs with SC as termination state due to a NOSRV error. [...]

Hi Roland,

This is by ELB design... It can change its IP address based on the load... When this arrives, the only workaround is to reload HAProxy.

Soon, HAProxy will perform DNS resolution to keep updated on the fly with server IP address changes.

Baptiste
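As an added illustration, not from the thread: a Python parser for the 1.5 httplog format that picks out the NOSRV/SC entries Roland reports, so they can be counted or alerted on instead of being discovered from client-side 503s; the second sample line is constructed, and the filter's reading of the termination flags and timers is mine.

```python
import re
from typing import Dict, List, Optional

# HAProxy 1.5 "option httplog" layout after the syslog prefix.  Real logs write the
# server as "<NOSRV>" and quote the request; mail archives strip both, so both forms match.
HTTPLOG_RE = re.compile(
    r"(?P<client_ip>[\d.]+):(?P<client_port>\d+) \[(?P<accept_date>[^\]]+)\] "
    r"(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) "
    r"(?P<tq>-?\d+)/(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tr>-?\d+)/(?P<tt>-?\d+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+) (?P<req_cookie>\S+) (?P<resp_cookie>\S+) "
    r"(?P<term_state>\S{4}) "
    r"(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srv_conn>\d+)/(?P<retries>\d+) "
    r"(?P<srv_queue>\d+)/(?P<backend_queue>\d+) "
    r"(?:\{(?P<captured_headers>[^}]*)\} )?"
    r'"?(?P<request>.+?)"?$')
INT_FIELDS = ("tq", "tw", "tc", "tr", "tt", "status", "bytes", "actconn", "feconn",
              "beconn", "srv_conn", "retries", "srv_queue", "backend_queue")

# Constructed sample: line 1 is the one quoted in the thread, line 2 a made-up healthy request.
SAMPLE_LINES = [
    "Mar 10 10:33:50 api haproxy[1056]: 172.16.100.169:15235 [10/Mar/2015:10:33:50.905] "
    "API API/NOSRV 8/-1/-1/-1/8 503 213 - - SC-- 79/79/0/0/0 0/0 "
    "{177.103.215.19|Dalvik/1.6.0 (Linux; U; Android 4.4.4; XT1032 Build/KXB21.14-L1.} "
    "POST /api/v2.3/androidevent?buildnumber=1.10 HTTP/1.1",
    "Mar 10 10:34:01 api haproxy[1056]: 172.16.100.170:15240 [10/Mar/2015:10:34:01.100] "
    "API api/api 3/0/12/45/60 200 512 - - ---- 80/80/1/1/0 0/0 "
    "{177.103.215.19|curl/7.38.0} GET /api/v2.3/status HTTP/1.1",
]

def parse_httplog(line: str) -> Optional[Dict]:
    """Parse one httplog line into a dict of named fields, or None if it is not one."""
    m = HTTPLOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["server"] = entry["server"].strip("<>")
    for key in INT_FIELDS:
        entry[key] = int(entry[key])
    return entry

def no_server_events(lines: List[str]) -> List[Dict]:
    """Entries where the request never reached a backend: server NOSRV, session ended
    on the server side ('S' first termination flag) and Tc == -1 (no server connection
    established), the trace left when a backend's only server, here an ELB, moved away."""
    out = []
    for line in lines:
        e = parse_httplog(line)
        if e and e["server"] == "NOSRV" and e["term_state"][0] == "S" and e["tc"] == -1:
            out.append(e)
    return out
```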
[SPAM] Haproxy, postfix and content-filter
Hi haproxy users,

I encounter problems with haproxy 1.5 and postfix 2.11. I use the option smtpd_upstream_proxy_protocol = haproxy in postfix main.cf to retrieve the source IP of the user instead of the proxy IP. Everything works perfectly if I stop there.

The problem is that I would like to add clamsmtpd for mail filtering. This is where things get complicated. I get the following message in the log:

Mar 10 14:39:58 smtp-postfix210 postfix/smtpd[4828]: warning: haproxy read: timeout error
Mar 10 14:39:58 smtp-postfix210 postfix/smtpd[4828]: connect from unknown[unknown]
Mar 10 14:39:58 smtp-postfix210 postfix/smtpd[4828]: disconnect from unknown[unknown]
Mar 10 14:39:58 smtp-postfix210 postfix/smtp[4824]: 2CC5D22C52: to=t...@domain.com, relay=127.0.0.1[127.0.0.1]:10025, delay=342, delays=337/0.02/5/0, dsn=4.4.2, status=deferred (lost connection with 127.0.0.1[127.0.0.1] while receiving the initial server greeting)

- master.cf

scan      unix  -       -       -       -       20      smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
127.0.0.1:10026 inet n  -       -       -       -       smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_relay_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_address_mappings,no_header_body_checks,no_unknown_recipient_checks

- main.cf (a classic one, with in addition)

content_filter = scan:[127.0.0.1]:10025
smtpd_upstream_proxy_protocol = haproxy

- clamsmtpd.conf

# --
# SAMPLE CLAMSMTPD CONFIG FILE
# --
#
# - Comments are a line that starts with a #
# - All the options are found below with their defaults commented out

# The address to send scanned mail to.
# This option is required unless TransparentProxy is enabled
OutAddress: 10026

# The maximum number of connection allowed at once.
# Be sure that clamd can also handle this many connections
#MaxConnections: 64

# Amount of time (in seconds) to wait on network IO
#TimeOut: 180

# Address to listen on (defaults to all local addresses on port 10025)
Listen: 127.0.0.1:10025

# The address clamd is listening on
ClamAddress: /var/run/clamav/clamd.ctl

# A header to add to all scanned email
#Header: X-AV-Checked: ClamAV using ClamSMTP

# Directory for temporary files
TempDirectory: /var/spool/clamsmtp

# PidFile: location of PID file
PidFile: /var/run/clamsmtp/clamsmtpd.pid

# Whether or not to bounce email (default is to silently drop)
#Bounce: off

# Whether or not to keep virus files
#Quarantine: off

# Enable transparent proxy support
#TransparentProxy: off

# User to run as
User: clamsmtp

# Virus actions: There's an option to run a script every time a
# virus is found. Read the man page for clamsmtpd.conf for details.

Thank you for your help, I'm interested if you have any idea.

- Nicolas

- Mailoo.org
mail : nico...@mailoo.org
web : https://www.mailoo.org [1]
- To help us: www.mailoo.org/dons [2]

Links:
[1] https://www.mailoo.org
[2] http://www.mailoo.org/dons
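An added check that is not part of Nicolas's message: with smtpd_upstream_proxy_protocol set in main.cf, every smtpd instance, including the 127.0.0.1:10026 re-injection listener that clamsmtpd feeds in plain SMTP, waits for a PROXY header, which is the usual cause of "haproxy read: timeout error" on that port (the 5 s in the log's delays field matches that wait). This Python script parses a constructed, reduced master.cf and flags re-injection listeners that lack the empty "-o smtpd_upstream_proxy_protocol=" override; the heuristic for recognising a re-injection service is my assumption, not Postfix's.

```python
import re
from typing import Dict, List

# Constructed excerpt of the master.cf from the message above, reduced to the
# services that matter, plus the two main.cf settings involved.
MAIN_CF = {
    "smtpd_upstream_proxy_protocol": "haproxy",
    "content_filter": "scan:[127.0.0.1]:10025",
}
MASTER_CF = """\
smtp      inet  n       -       -       -       -       smtpd
scan      unix  -       -       -       -       20      smtp
  -o smtp_send_xforward_command=yes
127.0.0.1:10026 inet n  -       -       -       -       smtpd
  -o content_filter=
  -o smtpd_client_restrictions=permit_mynetworks,reject
"""

def parse_master_cf(text: str) -> List[Dict]:
    """Split master.cf into services; indented '-o name=value' lines attach to the last one."""
    services: List[Dict] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            m = re.match(r"\s*-o\s+([^=\s]+)=(.*)", raw)
            if m and services:
                services[-1]["overrides"][m.group(1)] = m.group(2).strip()
            continue
        f = raw.split()  # name type private unpriv chroot wakeup maxproc command
        services.append({"name": f[0], "type": f[1], "command": f[7], "overrides": {}})
    return services

def effective(param: str, svc: Dict, main_cf: Dict) -> str:
    """Value an smtpd instance really uses: its own -o override, else main.cf."""
    return svc["overrides"].get(param, main_cf.get(param, ""))

def proxy_protocol_misconfigs(master_cf: str, main_cf: Dict) -> List[str]:
    """Names of inet smtpd listeners that look like content-filter re-injection points
    (loopback name or an explicit content_filter= override; heuristic, my assumption)
    yet still expect a PROXY header.  Each needs '-o smtpd_upstream_proxy_protocol='."""
    bad = []
    for svc in parse_master_cf(master_cf):
        if svc["command"] != "smtpd" or svc["type"] != "inet":
            continue
        reinjection = (svc["name"].startswith(("127.", "localhost:", "[::1]:"))
                       or "content_filter" in svc["overrides"])
        if reinjection and effective("smtpd_upstream_proxy_protocol", svc, main_cf):
            bad.append(svc["name"])
    return bad

# The corrected master.cf: the re-injection listener disables the proxy protocol.
FIXED_MASTER_CF = MASTER_CF.replace(
    "  -o content_filter=\n", "  -o content_filter=\n  -o smtpd_upstream_proxy_protocol=\n")
```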
[SPAM] print wine label
Hi, We are Candidus Printing specialized in wine labels and catalogs printing, good qua1ity and ha1f c0st. For a quick inquiry please reply with size, color, stock, quantity, will send quotation at first time.:) Sorry for the disturbance. Best regards! :-) -- HE Yong (Leo) cost-effective considerate printing service, all at: SHENZHEN CANDIDUS PRINTING www.candidusprint.com TEL: +86-755-33073344 Cell: +86-13510244214 Skype: rainbowprinting QQ:446504458
Free astrological services - www.astralia.ro
Greetings! We invite you to visit http://www.astralia.ro - a site that offers various astrological services for FREE: - interpreted natal chart - forecasts by area of interest - synastry (relationship analysis) - composite chart - personalized horoscope and much other interesting information from this fascinating field! We look forward to seeing you! May you have harmony and light! Astralia
Re:
Willy Tarreau w at 1wt.eu writes:
> That's intentional, and I'll reject any patch to document it. It's a debugging feature whose format changes between versions or for any reason we see fit when facing a new problem. This can only be used with the code at hand.

Would it even be possible to give at least a guideline? After diagnosing many idle timeout and tunnel timeout issues, it was very useful to watch specific sessions and watch the counters. I wouldn't want them documented to be consistent throughout versions, but maybe at least a heads-up on what the values correlate to for connection diagnostics. Is there a feature request process? Thanks!
Re: Lua patchset merged
All patches merged, thanks Thierry. Willy