Re: Lua patchset merged

2015-03-10 Thread Willy Tarreau
On Tue, Mar 10, 2015 at 12:40:03AM +0100, Thierry FOURNIER wrote:
 On Mon, 09 Mar 2015 22:11:56 +0100
 Cyril Bonté cyril.bo...@free.fr wrote:
  I've also seen this commit : MEDIUM: lua: use the Lua-5.3 version of 
  the library [1]
  This one may be annoying in the short term for some users, because Lua 
  5.3 is not available in all distributions (for example debian, ubuntu, ...).
  Currently for such distributions, it requires to recompile Lua 5.3 with 
  a small patch to generate the .so dynamic library. For those who want 
  to make some tests, you can have a look at [2] and [3] and the patches 
  they both provide.
 
 
 Arg, you're right :(. Lua 5.3 is required for the session timeout.
 In the same way, it is necessary for the forced yield. This system
 forces a yield and lets haproxy regain control to process things
 other than Lua.
 
 With version 5.2, this is not possible without frequent Lua errors.
 
 Maybe I can make the 5.2 and 5.3 versions coexist. The forced yield
 would be deactivated when compiling with 5.2; the execution timeout
 remains active. But I'm not sure that is a good idea.

Given that there's no way to break an infinite loop before 5.2 and that
Lua will be used by people who experiment with scripts, I'd rather stick
to 5.3 unless someone finds an acceptable workaround working with 5.2.
I'd rather avoid seeing people report unresponsive haproxy just because
of bugs in their Lua scripts :-/

Willy




Re: Lua patchset merged

2015-03-10 Thread Willy Tarreau
On Tue, Mar 10, 2015 at 02:08:40AM +0100, Thierry FOURNIER wrote:
 On Tue, 10 Mar 2015 01:05:50 +0100
 Cyril Bonté cyril.bo...@free.fr wrote:
 
  Hi again,
  
  Le 10/03/2015 00:40, Thierry FOURNIER a écrit :
   On Mon, 09 Mar 2015 22:11:56 +0100
   Cyril Bonté cyril.bo...@free.fr wrote:
   I've seen new commits that have been merged on the git repository.
   The bad news are that the previous test that I reported (sending a
   response larger than the buffer) doesn't work anymore :-/
   Resulting in :
  
   [ALERT] 067/220744 (27176) : Lua function 'hello_world': execution 
   timeout.
  
  
   Hi Cyril,
  
   This is due to the implementation of the Lua execution timeout. This is
   a system used to prevent loops in scripts. The timeout is set by
   default to 4s. You can see tune.lua.session-timeout,
   tune.lua.task-timeout and tune.lua.forced-yield:
  
   
   http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#tune.lua.session-timeout
  
  Of course, but it shouldn't take 4 seconds, the answer is immediate in 
  my test case.
  Actually, I could find that it was reproducible beginning with a 
  response greater or equal to 16392 bytes (I've not read the code yet).
 
 
 Thank you Cyril, the bug is partially reproduced and fixed (the buffer
 is not sent, but the error timeout occurs after 4 seconds as expected). I
 attach the patch. I think that Willy must check this patch, because
 it is possible that the comparison which I modified did make sense.

Cool, will merge all this, thanks guys.

Willy




frequent NOSRV/SC log hits behind AWS ELB

2015-03-10 Thread Roland RoLaNd
Hello,
I am running haproxy version 1.5.11 on EC2 instances behind an AWS load
balancer.
Lately I am noticing a lot of 503 forbidden logs with SC as termination state
due to a NOSRV error.
My backend servers (which are behind an ELB of their own) are all healthy and
responsive.
Moreover I set up a loop that checks port 80 between haproxy and the backend
servers; it never failed; it was checking the connection every 10 ms.
This is a log sample:
 Mar 10 10:33:50  api haproxy[1056]: 172.16.100.169:15235 [10/Mar/2015:10:33:50.905] API API/NOSRV 8/-1/-1/-1/8 503 213 - - SC-- 79/79/0/0/0 0/0 {177.103.215.19|Dalvik/1.6.0 (Linux; U; Android 4.4.4; XT1032 Build/KXB21.14-L1.} POST /api/v2.3/androidevent?buildnumber=1.10 HTTP/1.1

and this is my current config:
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    maxconn 65000
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL).
    ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 1
    timeout client 5
    timeout server 5
    # users which we are redirecting nowhere, example rejected will die in 50 ms
    timeout tarpit 50
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
    balance roundrobin
    # keeps keep alive between client and proxy but disable it between proxy and backend
    option http-server-close
    option forwardfor
    option redispatch
    retries 99

frontend API
    bind *:80
    maxconn 6
    # Blacklist: Deny access to some IPs before anything else is checked
    tcp-request content reject if { src -f /etc/haproxy/blacklist.lst }
    http-request set-header X-custom-http-scheme %[hdr(X-Forwarded-Proto)]
    stick-table type ip size 500k expire 30s store conn_cur,conn_rate(10s),http_req_rate(10s),http_err_rate(10s)
    option http-server-close
    # elb logs public ips
    capture request header X-Forwarded-For len 50
    capture request header User-Agent len 64
    acl network_allowed src x.x.x.x
    acl restricted_page path_beg /restricted
    http-request deny if restricted_page !network_allowed
    # direct uris to proper elb
    acl uri_api path_beg /api
    acl uri_wdev path_beg /wdev
    acl uri_staging path_beg /staging
    use_backend api if uri_api
    use_backend wdev if uri_wdev
    use_backend staging if uri_staging
    default_backend API

backend API
    server API ELB_CNAME:80 check
backend wdev
    server wdev ELB_CNAME:80 check
backend staging
    server staging ELB_CNAME:80 check
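The log line above is in haproxy's `option httplog` format, and the two fields that explain the 503 are the server name (`NOSRV`, meaning haproxy had no server to connect to, so it answered the 503 itself and the connect timer Tc stays at -1) and the termination state `SC--`. Added example (not code from the thread or from haproxy): a parser for that format that decodes the termination letters and counts backend/server/state triples, so a burst of `API/NOSRV SC--` stands out when run over a log file. The regular expression, the field names and every sample line except the first (which is the one from the post) are my own constructions.

```python
"""Parse HAProxy 1.5 'option httplog' lines and flag NOSRV/SC entries. Added
example; field names are mine, the field order is haproxy's documented one."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# httplog field order: client:port [accept_date] frontend backend/server Tq/Tw/Tc/Tr/Tt
# status bytes req_cookie resp_cookie term_state actconn/feconn/beconn/srv_conn/retries
# srv_queue/backend_queue {req headers} {resp headers} "request" (quotes optional here,
# because the copy pasted in the thread lost them).
HTTPLOG_RE = re.compile(
    r"haproxy\[(?P<pid>\d+)\]: "
    r"(?P<client_ip>[0-9a-fA-F.:]+):(?P<client_port>\d+) "
    r"\[(?P<accept_date>[^\]]+)\] "
    r"(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) "
    r"-?\d+/-?\d+/(?P<tc>-?\d+)/(?P<tr>-?\d+)/\+?\d+ "
    r"(?P<status>-?\d+) \+?\d+ \S+ \S+ "
    r"(?P<term>\S{4}) "
    r"\d+/\d+/\d+/\d+/\+?\d+ \d+/\d+ "
    r"(?:\{(?P<req_headers>[^}]*)\} )?(?:\{[^}]*\} )?"
    r"\"?(?P<request>[^\"]*?)\"?$"
)

# First two termination letters (haproxy manual, section 8.5): cause, then session state at close.
TERM_CAUSE = {"C": "client-side abort", "S": "server-side abort or refused connection",
              "P": "aborted by the proxy", "L": "handled locally by the proxy",
              "R": "proxy resource exhaustion", "I": "internal error", "D": "server detected DOWN",
              "K": "killed by the administrator", "c": "client-side timeout", "s": "server-side timeout", "-": "normal"}
TERM_STATE = {"R": "waiting for a complete request from the client",
              "Q": "waiting in the queue for a connection slot",
              "C": "waiting for the connection to the server to establish",
              "H": "waiting for response headers from the server", "D": "transferring data",
              "L": "sending last data to the client", "T": "tarpitted", "-": "normal"}


@dataclass
class HttpLogEntry:
    client_ip: str
    backend: str
    server: str                 # "NOSRV" when haproxy had no server to connect to
    tc: int                     # connect time, -1 when no connection was attempted
    tr: int                     # response time, -1 when no response was received
    status: int
    term: str                   # four-letter termination state, e.g. "SC--"
    req_headers: Optional[str]  # captured request headers, "|"-separated
    request: str


def parse_httplog(line: str) -> Optional[HttpLogEntry]:
    """Return the parsed entry, or None for lines that are not request records."""
    m = HTTPLOG_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return HttpLogEntry(client_ip=g["client_ip"], backend=g["backend"],
                        server=g["server"].strip("<>"),  # haproxy writes <NOSRV>; the post lost the brackets
                        tc=int(g["tc"]), tr=int(g["tr"]), status=int(g["status"]),
                        term=g["term"], req_headers=g["req_headers"], request=g["request"])


def is_nosrv(entry: HttpLogEntry) -> bool:
    """True when no server was available, so haproxy answered the 503 itself."""
    return entry.server == "NOSRV"


def explain_termination(term: str) -> dict:
    """Decode cause and session state from a termination string such as 'SC--'."""
    return {"cause": TERM_CAUSE.get(term[0], "unknown"), "state": TERM_STATE.get(term[1], "unknown")}


def summarize(lines: List[str]) -> Counter:
    """Count (backend, server, term) triples; a burst of ('API', 'NOSRV', 'SC--') is the thread's symptom."""
    counts: Counter = Counter()
    for line in lines:
        entry = parse_httplog(line)
        if entry is not None:
            counts[(entry.backend, entry.server, entry.term)] += 1
    return counts


# Line 1 is the one posted in the thread; the others are constructed (documentation IP ranges)
# to add a second NOSRV hit, a normal 200, a server timeout and a non-request line to skip.
SAMPLE_LINES = [
    "Mar 10 10:33:50 api haproxy[1056]: 172.16.100.169:15235 [10/Mar/2015:10:33:50.905] API API/NOSRV "
    "8/-1/-1/-1/8 503 213 - - SC-- 79/79/0/0/0 0/0 {177.103.215.19|Dalvik/1.6.0 (Linux; U; Android 4.4.4; "
    "XT1032 Build/KXB21.14-L1.} POST /api/v2.3/androidevent?buildnumber=1.10 HTTP/1.1",
    "Mar 10 10:33:51 api haproxy[1056]: 172.16.100.170:40112 [10/Mar/2015:10:33:51.120] API API/<NOSRV> "
    '6/-1/-1/-1/6 503 213 - - SC-- 80/80/0/0/0 0/0 {203.0.113.7|curl/7.38.0} "GET /api/v2.3/status HTTP/1.1"',
    "Mar 10 10:33:52 api haproxy[1056]: 172.16.100.171:40113 [10/Mar/2015:10:33:52.001] API API/API "
    '3/0/12/45/60 200 1342 - - ---- 81/81/1/1/0 0/0 {203.0.113.8|curl/7.38.0} "GET /api/v2.3/status HTTP/1.1"',
    "Mar 10 10:33:57 api haproxy[1056]: 172.16.100.172:40114 [10/Mar/2015:10:33:52.410] API API/API "
    '2/0/10/-1/5012 504 194 - - sH-- 82/82/1/1/0 0/0 {203.0.113.9|curl/7.38.0} "GET /api/v2.3/slow HTTP/1.1"',
    "Mar 10 10:33:58 api haproxy[1056]: Proxy API started.",
]

if __name__ == "__main__":
    for (backend, server, term), n in summarize(SAMPLE_LINES).most_common():
        why = explain_termination(term)
        print(f"{n:3d}  {backend}/{server:<6} {term}  {why['cause']}; {why['state']}")
```

Feed it the output of `grep haproxy /var/log/syslog` and the `most_common()` ordering puts the dominant failure mode first; the captured `X-Forwarded-For` value in `req_headers` is what tells the ELB's address apart from the real client when you need to correlate with the ELB's own logs.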


 
  

Re: frequent NOSRV/SC log hits behind AWS ELB

2015-03-10 Thread Baptiste
On Tue, Mar 10, 2015 at 11:48 AM, Roland RoLaNd r_o_l_a_...@hotmail.com wrote:
 Hello,

 i am running haproxy version: 1.5.11 on EC2 instances behind an AWS load
 balancer

 lately i am noticing a lot of 503 forbidden logs with SC as termination
 state due to nosrv error

 my backend servers(which are behind an ELB of their own) are all healthy and
 responsive

 moreover i set a loop that checks port 80 between haproxy and backend
 servers; and it never failed; it was checking the connection every 10 ms

 this is a log sample:

  Mar 10 10:33:50  api haproxy[1056]: 172.16.100.169:15235
 [10/Mar/2015:10:33:50.905] API API/NOSRV 8/-1/-1/-1/8 503 213 - - SC--
 79/79/0/0/0 0/0 {177.103.215.19|Dalvik/1.6.0 (Linux; U; Android 4.4.4;
 XT1032 Build/KXB21.14-L1.} POST /api/v2.3/androidevent?buildnumber=1.10
 HTTP/1.1


 and this is my current config:

 global
 log /dev/log local0
 log /dev/log local1 notice
 chroot /var/lib/haproxy
 stats socket /run/haproxy/admin.sock mode 660 level admin
 stats timeout 30s
 user haproxy
 group haproxy
 maxconn 65000
 daemon

 # Default SSL material locations
 ca-base /etc/ssl/certs
 crt-base /etc/ssl/private

 # Default ciphers to use on SSL-enabled listening sockets.
 # For more information, see ciphers(1SSL).
 ssl-default-bind-ciphers
 kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
 ssl-default-bind-options no-sslv3

 defaults
 log global
 mode http
 option  httplog
 option  dontlognull
 timeout connect 1
 timeout client  5
 timeout server  5
 # users which we are redirecting nowhere, example rejected will die in 50 ms
 timeout tarpit  50
 errorfile 400 /etc/haproxy/errors/400.http
 errorfile 403 /etc/haproxy/errors/403.http
 errorfile 408 /etc/haproxy/errors/408.http
 errorfile 500 /etc/haproxy/errors/500.http
 errorfile 502 /etc/haproxy/errors/502.http
 errorfile 503 /etc/haproxy/errors/503.http
 errorfile 504 /etc/haproxy/errors/504.http
 balance roundrobin
 # keeps keep alive between client and proxy but disable it between
 proxy and backend
 option http-server-close
 option forwardfor
 option redispatch
 retries 99

 frontend API
 bind *:80


 maxconn 6
 # Blacklist: Deny access to some IPs before anything else is checked
 tcp-request content reject if { src -f /etc/haproxy/blacklist.lst }
 http-request set-header X-custom-http-scheme %[hdr(X-Forwarded-Proto)]


 stick-table type ip size 500k expire 30s store
 conn_cur,conn_rate(10s),http_req_rate(10s),http_err_rate(10s)


 option http-server-close
 # elb logs public ips
 capture request header X-Forwarded-For len 50
 capture request header User-Agent len 64
 acl network_allowed src x.x.x.x
 acl restricted_page path_beg /restricted
 http-request deny if restricted_page !network_allowed
 # direct uris to proper elb
 acl uri_api path_beg /api
 acl uri_wdev path_beg /wdev
 acl uri_staging path_beg /staging

 use_backend api if uri_api
 use_backend wdev if uri_wdev
 use_backend staging if uri_staging



 default_backend API

 backend API
 server API  ELB_CNAME:80 check
 backend wdev
 server wdev  ELB_CNAME:80 check
 backend staging
 server staging  ELB_CNAME:80 check






Hi Roland,

This is by ELB design... It can change its IP address based on the load...
When this happens, the only workaround is to reload HAProxy.

Soon, HAProxy will perform DNS resolution to keep itself updated on the fly
about server IP address changes.

Baptiste



[SPAM] Haproxy, postfix and content-filter

2015-03-10 Thread Nicolas - Mailoo.org
 

Hi haproxy users,

I encounter problems with haproxy 1.5 and postfix 2.11.

I use the option smtpd_upstream_proxy_protocol = haproxy in postfix
main.cf to retrieve the source IP of the user instead of the proxy IP.

Everything works perfectly if I stop there.

The problem is that I would like to add clamsmtpd for mail filtering.
This is where things get complicated.

I get the following message in the log:

Mar 10 14:39:58 smtp-postfix210 postfix/smtpd[4828]: warning: haproxy
read: timeout error
Mar 10 14:39:58 smtp-postfix210 postfix/smtpd[4828]: connect from
unknown[unknown]
Mar 10 14:39:58 smtp-postfix210 postfix/smtpd[4828]: disconnect from
unknown[unknown]
Mar 10 14:39:58 smtp-postfix210 postfix/smtp[4824]: 2CC5D22C52:
to=t...@domain.com, relay=127.0.0.1[127.0.0.1]:10025, delay=342,
delays=337/0.02/5/0, dsn=4.4.2, status=deferred (lost connection with
127.0.0.1[127.0.0.1] while receiving the initial server greeting) 

- master.cf 

scan unix - - - - 20 smtp
 -o smtp_data_done_timeout=1200
 -o smtp_send_xforward_command=yes
 -o disable_dns_lookups=yes
 -o max_use=20 

127.0.0.1:10026 inet n - - - - smtpd
 -o content_filter=
 -o local_recipient_maps=
 -o relay_recipient_maps=
 -o smtpd_restriction_classes=
 -o smtpd_client_restrictions=permit_mynetworks,reject
 -o smtpd_helo_restrictions=
 -o smtpd_sender_restrictions=
 -o smtpd_relay_restrictions=permit_mynetworks,reject
 -o smtpd_data_restrictions=reject_unauth_pipelining
 -o smtpd_end_of_data_restrictions=
 -o mynetworks=127.0.0.0/8
 -o strict_rfc821_envelopes=yes
 -o smtpd_error_sleep_time=0
 -o smtpd_soft_error_limit=1001
 -o smtpd_hard_error_limit=1000
 -o smtpd_client_connection_count_limit=0
 -o smtpd_client_connection_rate_limit=0
 -o receive_override_options=no_address_mappings,no_header_body_checks,no_unknown_recipient_checks


- main.cf (a classic one with in addition) 

content_filter = scan:[127.0.0.1]:10025 

smtpd_upstream_proxy_protocol = haproxy 

- clamsmtpd.conf 

# --------------------------------------------------------------------------
# SAMPLE CLAMSMTPD CONFIG FILE
# --------------------------------------------------------------------------
# 
# - Comments are a line that starts with a #
# - All the options are found below with their defaults commented out 

# The address to send scanned mail to. 
# This option is required unless TransparentProxy is enabled
OutAddress: 10026 

# The maximum number of connection allowed at once.
# Be sure that clamd can also handle this many connections
#MaxConnections: 64 

# Amount of time (in seconds) to wait on network IO
#TimeOut: 180 

# Address to listen on (defaults to all local addresses on port 10025)
Listen: 127.0.0.1:10025 

# The address clamd is listening on
ClamAddress: /var/run/clamav/clamd.ctl 

# A header to add to all scanned email
#Header: X-AV-Checked: ClamAV using ClamSMTP 

# Directory for temporary files
TempDirectory: /var/spool/clamsmtp 

# PidFile: location of PID file
PidFile: /var/run/clamsmtp/clamsmtpd.pid 

# Whether or not to bounce email (default is to silently drop)
#Bounce: off 

# Whether or not to keep virus files 
#Quarantine: off 

# Enable transparent proxy support 
#TransparentProxy: off 

# User to run as
User: clamsmtp 

# Virus actions: There's an option to run a script every time a 
# virus is found. Read the man page for clamsmtpd.conf for details. 

Thank you for your help, I'm interested if you have any ideas.

-
 Nicolas - Mailoo.org
 mail : nico...@mailoo.org
 web : https://www.mailoo.org [1]
 -
 To help us: www.mailoo.org/dons [2] 

 

Links:
--
[1] https://www.mailoo.org
[2] http://www.mailoo.org/dons
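The `smtpd_upstream_proxy_protocol = haproxy` setting in main.cf makes Postfix's smtpd expect a PROXY protocol header at the very start of every accepted connection, before any SMTP command; on the haproxy side that header is what the `send-proxy` server option emits. Added example (not code from the thread, from Postfix or from haproxy): a small parser and builder for the version 1 header, showing what a valid line looks like, how the real client address is recovered from it, and that a stream whose first bytes are a plain SMTP command is rejected rather than parsed. The sample streams use documentation address ranges and are constructed.

```python
"""PROXY protocol v1 header parser and builder. Added example, not code from
the thread, Postfix or haproxy. A listener that expects this header (Postfix
with smtpd_upstream_proxy_protocol = haproxy) reads it before the SMTP dialogue;
a sender that does not emit it (any plain SMTP client) fails this parse."""
import ipaddress
from typing import NamedTuple, Optional, Tuple

MAX_V1_LINE = 107  # spec limit for a v1 line including the CRLF


class ProxyHeader(NamedTuple):
    family: str                # "TCP4", "TCP6" or "UNKNOWN"
    src_ip: Optional[str]      # original client address as seen by the proxy
    dst_ip: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]


def _port(text: str) -> int:
    """Ports are decimal, 0-65535, without leading zeros."""
    if not text.isdigit() or (len(text) > 1 and text[0] == "0") or int(text) > 65535:
        raise ValueError(f"invalid port field {text!r}")
    return int(text)


def parse_proxy_v1(data: bytes) -> Tuple[ProxyHeader, bytes]:
    """Split data into (header, payload after the CRLF); ValueError on anything else."""
    if not data.startswith(b"PROXY "):
        raise ValueError("stream does not start with a PROXY line")
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if end == -1:
        raise ValueError("no CRLF within the first 107 bytes")
    fields = data[:end].decode("ascii").split(" ")  # UnicodeDecodeError is a ValueError
    payload = data[end + 2:]
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        # The proxy could not determine the original connection; no addresses follow.
        return ProxyHeader("UNKNOWN", None, None, None, None), payload
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError(f"malformed PROXY line: {fields!r}")
    _, family, src, dst, sport, dport = fields
    want = 4 if family == "TCP4" else 6
    for addr in (src, dst):
        if ipaddress.ip_address(addr).version != want:  # also raises on garbage
            raise ValueError(f"{addr} is not an IPv{want} address")
    return ProxyHeader(family, src, dst, _port(sport), _port(dport)), payload


def starts_with_proxy_v1(data: bytes) -> bool:
    """Boolean form of the check above."""
    try:
        parse_proxy_v1(data)
        return True
    except ValueError:
        return False


def build_proxy_v1(src: str, dst: str, sport: int, dport: int) -> bytes:
    """The line a proxy puts in front of the TCP payload for one accepted connection."""
    family = "TCP4" if ipaddress.ip_address(src).version == 4 else "TCP6"
    return f"PROXY {family} {src} {dst} {sport} {dport}\r\n".encode("ascii")


# Constructed sample streams: what a proxy-fronted smtpd sees, and a plain SMTP client.
FROM_HAPROXY = b"PROXY TCP4 203.0.113.5 198.51.100.10 51234 25\r\nEHLO mail.example.net\r\n"
PLAIN_SMTP = b"EHLO localhost\r\n"

if __name__ == "__main__":
    hdr, rest = parse_proxy_v1(FROM_HAPROXY)
    print(f"client {hdr.src_ip}:{hdr.src_port} -> {hdr.dst_ip}:{hdr.dst_port}; payload {rest!r}")
    print("plain SMTP carries a PROXY header:", starts_with_proxy_v1(PLAIN_SMTP))
```

The asymmetry is the point to keep in mind when chaining services: the header must be present on exactly the hops whose listener is configured to expect it, and absent on every other hop, because a listener that expects it has no way to fall back to a plain dialogue.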


[SPAM] print wine label

2015-03-10 Thread hey...@candidusprint.com
Hi,

We are Candidus Printing specialized in wine labels and catalogs printing, good 
qua1ity and ha1f c0st. 

For a quick inquiry please reply with size, color, stock and quantity; we will send 
a quotation right away. :) Sorry for the disturbance.

Best regards! :-)
--
HE Yong (Leo)

cost-effective  considerate printing service, all at:
SHENZHEN CANDIDUS PRINTING
www.candidusprint.com 
TEL: +86-755-33073344  Cell: +86-13510244214
Skype: rainbowprinting
QQ:446504458

Free astrological services - www.astralia.ro

2015-03-10 Thread Astralia
Greetings!

We invite you to visit http://www.astralia.ro - a site that offers various 
astrological services FREE of charge:
- interpreted natal chart
- forecasts by area of interest
- synastry (relationship analysis)
- composite chart
- personalised horoscope and much more interesting information from this 
fascinating field!

We look forward to your visit!

May you have harmony and light!

Astralia



Re:

2015-03-10 Thread Nick Huanca
Willy Tarreau w at 1wt.eu writes:

 That's intentional, and I'll reject any patch to document it. It's a
 debugging feature whose format changes between versions or for any
 reason we see fit when facing a new problem. This can only be used
 with the code at hand.
 

Would it even be possible to give at least a guideline? After diagnosing 
many idle timeout and tunnel timeout issues, it was very useful to watch
specific sessions and watch the counters. I wouldn't want them documented 
to be consistent throughout versions, but maybe at least a heads up on what
the values correlate to for connection diagnostics.

Is there a feature request process?

Thanks!




Re: Lua patchset merged

2015-03-10 Thread Willy Tarreau
All patches merged, thanks Thierry.

Willy