Re: Rate-limiting specific path

2015-07-09 Thread joris dedieu
2015-07-08 15:28 GMT+02:00 Bastien Chong :
> Hi,
>
> I'd like to rate-limit a specific path, by rate-limit I mean continue to
> accept X req/s, and buffer or drop subsequent requests over the limit. That
> is what "rate-limit sessions" does, but it is frontend-wise.

It's not optimal but you can use a "pipe"

frontend myfront
   ...
   use_backend pipe_in if { condition }

backend pipe_in
   server pipe_out 127.0.0.1:8080

listen pipe_out
   bind 127.0.0.1:8080
   rate-limit sessions 10
   server ...

> I'm not interested in dropping all requests when the limit is reached,
> objective is to be gentle on the backend, not protect against abuser.

So why not use maxconn (and maybe maxqueue) on your backend ?

Joris

>
> Is there any way to achieve that ?
>
> Thanks,
> Bastien




Re: simple acl combination query

2015-07-09 Thread Cyril Bonté

Hi,

On 06/07/2015 16:22, Lee Musgrave wrote:

> hi,
> simple question about acl's
>
> i know i can combine them in monitors
>
> eg:
>
> acl acl1 nbsrv(mysql) eq 0
> acl acl2 nbsrv(mssql) eq 0
>
> monitor-uri /dbs
>
> for and:
> monitor fail if acl1 acl2
>
> for or:
> monitor fail if acl1 || acl2
>
>
> what i'm not sure about, is for more complicated logical combinations,
> can multiple and's and or's be combined, eg:
>
> monitor fail unless (acl1 acl2 acl3) || (acl4 (acl5 || acl6)) || (acl1
> || acl5)


You'll have to rewrite your expression in its disjunctive normal form (DNF).


--
Cyril Bonté
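
The DNF rewrite suggested above, worked through on the expression from the question, as an added example that is not part of either message. HAProxy conditions have no parentheses (ACLs written side by side are ANDed, `||` or `or` separates alternatives), so the sketch distributes AND over OR and optionally drops absorbed terms. The function names are hypothetical and negation is handled on single ACL names only.

```python
import re
from itertools import product

TOKEN = re.compile(r"\|\||[()!]|[\w.:-]+")
NAME = re.compile(r"!?[\w.:-]+")
PAGE_EXPR = "(acl1 acl2 acl3) || (acl4 (acl5 || acl6)) || (acl1 || acl5)"

def dnf_terms(expr, simplify=True):
    """Return expr as a list of AND-terms; the terms are ORed together."""
    tokens = ["||" if t == "or" else t for t in TOKEN.findall(expr)]
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression")
        pos += 1
        return tokens[pos - 1]

    def or_expr():   # and_expr ('||' and_expr)*
        terms = and_expr()
        while peek() == "||":
            take()
            terms = terms | and_expr()
        return terms

    def and_expr():  # atoms side by side are ANDed; AND distributes over OR
        terms = atom()
        while peek() not in (None, "||", ")"):
            terms = {a | b for a, b in product(terms, atom())}
        return terms

    def atom():
        tok = take()
        if tok == "(":
            inner = or_expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return inner
        if tok == "!":   # negation is only handled on a single ACL name
            tok = "!" + take()
        if not NAME.fullmatch(tok):
            raise ValueError(f"unexpected {tok!r}")
        return {frozenset([tok])}

    terms = or_expr()
    if peek() is not None:
        raise ValueError(f"unexpected {peek()!r}")
    # Drop terms that contain both x and !x: they can never match.
    terms = {t for t in terms if not any("!" + lit in t for lit in t)}
    if simplify:  # absorption: "a || a b" is just "a"
        terms = {t for t in terms if not any(o < t for o in terms)}
    return sorted((sorted(t) for t in terms), key=lambda t: (len(t), t))

def haproxy_condition(expr, simplify=True):
    """Flat condition string: no parentheses, spaces mean AND, || means OR."""
    return " || ".join(" ".join(t) for t in dnf_terms(expr, simplify))

if __name__ == "__main__":
    print("monitor fail unless", haproxy_condition(PAGE_EXPR))
```

For the expression in the question this gives `acl1 || acl5 || acl4 acl6`; with `simplify=False` the two absorbed terms `acl4 acl5` and `acl1 acl2 acl3` are kept as well.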



Re: reqrep to lower case

2015-07-09 Thread Laurent Mirguet
Thank you very much Cyril.

I guess we need to wait for 1.6 to be released then.

Regards
Laurent

On Thursday, 9 July 2015, Cyril Bonté wrote:

> Hi Laurent,
>
> On 07/07/2015 19:21, Laurent Mirguet wrote:
>
>> Dear all,
>>
>> We would like to rewrite all urls for a certain backend to their lower
>> case form.
>>
>> We thought on something like
>> reqrep ^([^\ ]*\ )(.*) %[\1,lower]
>>
>> Is it possible to do so with HAProxy ?
>>
>
> I don't see any simple (and maintainable) example except by using the 1.6
> development branch which allows :
>   http-request set-path %[path,lower]
>
> With this rule,
> /Foo will be seen as /foo by the backend
> /Foo?BAR will be seen as /foo?BAR
>
> Wanting to also lowercase the query string ?
>   http-request set-uri %[url,lower]
>
> Using 1.5 stable branch, you may introduce a redirect which is probably
> not what you want :
>   http-request redirect location %[path,lower]
> or
>   http-request redirect location %[url,lower]
>
> Note : the first one will lose the query string, the second one will
> lowercase the query string
>
> --
> Cyril Bonté
>


Re: reqrep to lower case

2015-07-09 Thread Cyril Bonté

Hi Laurent,

On 07/07/2015 19:21, Laurent Mirguet wrote:

> Dear all,
>
> We would like to rewrite all urls for a certain backend to their lower
> case form.
>
> We thought on something like
> reqrep ^([^\ ]*\ )(.*) %[\1,lower]
>
> Is it possible to do so with HAProxy ?


I don't see any simple (and maintainable) example except by using the 
1.6 development branch which allows :

  http-request set-path %[path,lower]

With this rule,
/Foo will be seen as /foo by the backend
/Foo?BAR will be seen as /foo?BAR

Wanting to also lowercase the query string ?
  http-request set-uri %[url,lower]

Using 1.5 stable branch, you may introduce a redirect which is probably
not what you want :

  http-request redirect location %[path,lower]
or
  http-request redirect location %[url,lower]

Note : the first one will lose the query string, the second one will
lowercase the query string


--
Cyril Bonté



RE: Load Balancing the Load Balancer

2015-07-09 Thread mlist
Hi,
we see there is a new feature of HAProxy, peers and shared tables (sticky-table).
Can this peer feature be used to keep the stick cookie in sync, so that if one
haproxy goes down the other can take over connections ?
Is there some HAProxy native feature to keep the HAProxy nodes' configuration in
sync automatically, or do we have to rely on external tools like rsync run
manually or, as we do on LVS, a cron job executing a script to sync the
configuration ?

What is your choice ?

For the connection limitation, do you mean frontend and per backend server
minconn / maxconn ? Isn't it right to divide by n (n = number of HAProxy) the
established total and per server connections ? Even if this is not perfect, we'll
always have at most (n * maxconn).

Also... I know that a major pro of L7 load balancing is to manage centrally
all phases of the communication (sticky, balancing, etc.), but in Hybrid Cloud
thinking... isn't it right to be able to control the connection up to a certain
point and then use some mechanism such as an L4 load balancer (like LVS) to put
clients and final servers in direct communication ? At least for communications
that do not rely on sticky (persistent) sessions, one can alleviate periodic
extraordinarily high connection rates by redirecting connections for some
services (L7 acl) to a Public Cloud without weighing down our Private Cloud
infrastructure ? Probably there is some other way... We do not see it at the
moment...



-Original Message-
From: Thierry FOURNIER [mailto:thierry.fourn...@arpalert.org] 
Sent: Thursday, 9 July 2015 14.51
To: mlist
Cc: 'haproxy@formilux.org'
Subject: Re: Load Balancing the Load Balancer

On Thu, 9 Jul 2015 11:08:58 +
mlist  wrote:

> We have a question about Load Balancing the load balancer... We currently have
> 2 LVS load balancers in active / passive configuration with keepalived.
> We want to introduce an L7 load balancer (HAProxy) in active / active
> configuration, so we have not only an HA configuration but also a load-balanced
> configuration of the load balancer. We think we can do that using the two
> active / passive LVS machines to load balance requests across 2 HAProxy
> machines, correctly using persistence (LVS) and stickiness (HAProxy) so that
> applications / sessions behave as expected. We did not find such a solution on
> the Internet, do you think this is a bad design ?


Hi,

this is the classic design, but make sure that both haproxy
configurations are the same (mainly with the stick cookie name and
values).

You must know that it's not really possible to limit the amount of
connexions to your servers because the first haproxy doesn't know the
current connexions of the second haproxy.

Thierry





Re: Load Balancing the Load Balancer

2015-07-09 Thread Thierry FOURNIER
On Thu, 9 Jul 2015 11:08:58 +
mlist  wrote:

> We have a question about Load Balancing the load balancer... We currently have
> 2 LVS load balancers in active / passive configuration with keepalived.
> We want to introduce an L7 load balancer (HAProxy) in active / active
> configuration, so we have not only an HA configuration but also a load-balanced
> configuration of the load balancer. We think we can do that using the two
> active / passive LVS machines to load balance requests across 2 HAProxy
> machines, correctly using persistence (LVS) and stickiness (HAProxy) so that
> applications / sessions behave as expected. We did not find such a solution on
> the Internet, do you think this is a bad design ?


Hi,

this is the classic design, but make sure that both haproxy
configurations are the same (mainly with the stick cookie name and
values).

You must know that it's not really possible to limit the amount of
connexions to your servers because the first haproxy doesn't know the
current connexions of the second haproxy.

Thierry



Load Balancing the Load Balancer

2015-07-09 Thread mlist
We have a question about Load Balancing the load balancer... We currently have
2 LVS load balancers in active / passive configuration with keepalived.
We want to introduce an L7 load balancer (HAProxy) in active / active
configuration, so we have not only an HA configuration but also a load-balanced
configuration of the load balancer. We think we can do that using the two
active / passive LVS machines to load balance requests across 2 HAProxy
machines, correctly using persistence (LVS) and stickiness (HAProxy) so that
applications / sessions behave as expected. We did not find such a solution on
the Internet, do you think this is a bad design ?

Roberto




ocsp

2015-07-09 Thread Marc-Antoine
Hi all,

I have some problem making ocsp stapling work. Here is what I did :

I have 8150.pem with chain, cert and key in it.

I have 8150.pem.ocsp that seems ok :

# openssl ocsp -respin 8150.pem.ocsp -text -CAfile alphassl256.chain 
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: 9F10D9EDA5260B71A677124526751E17DC85A62F
Produced At: Jul  9 09:47:04 2015 GMT
Responses:
Certificate ID:
  Hash Algorithm: sha1
  Issuer Name Hash: 84D56BF8098BD307B766D8E1EBAD6596AA6B6761
  Issuer Key Hash: F5CDD53C0850F96A4F3AB797DA5683E669D268F7
  Serial Number: 11216784E7CA1813F3AD922B60EAF6428EE0
Cert Status: good
This Update: Jul  9 09:47:04 2015 GMT
Next Update: Jul  9 21:47:04 2015 GMT

No error/warn at haproxy launching but not sure haproxy is loading .ocsp file 
because no notice in log.

But nothing in tlsextdebug :

echo Q | openssl s_client -connect www.beluc.fr:443 -servername www.beluc.fr  
-tlsextdebug  -status -CApath /etc/ssl/certs
[...]
OCSP response: no response sent
[...]

Do you see smth wrong ? What can i do in order to debug ?

Regards,

-- 
Marc-Antoine
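
Checks that can be run on the `openssl ocsp ... -text` output shown in the message above, as an added example that is not part of the original post: it parses the status and validity fields and reports whether the response is usable at a given time. `SAMPLE` is constructed from fields quoted in the post; the function names and the one-hour refresh margin are assumptions, and the check says nothing about why the server sent no staple.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed input: a subset of the fields quoted in the post.
SAMPLE = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Produced At: Jul  9 09:47:04 2015 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Serial Number: 11216784E7CA1813F3AD922B60EAF6428EE0
    Cert Status: good
    This Update: Jul  9 09:47:04 2015 GMT
    Next Update: Jul  9 21:47:04 2015 GMT
"""

def parse_ocsp_text(text):
    """Extract the fields that decide whether a stapled response is usable."""
    def field(label):
        m = re.search(rf"^\s*{re.escape(label)}:\s*(.*?)\s*$", text, re.M)
        return m.group(1) if m else None

    def when(label):
        raw = field(label)
        if not raw:
            return None
        raw = " ".join(raw.split())  # "Jul  9" -> "Jul 9"
        parsed = datetime.strptime(raw, "%b %d %H:%M:%S %Y GMT")
        return parsed.replace(tzinfo=timezone.utc)

    return {
        "response_status": field("OCSP Response Status"),
        "cert_status": field("Cert Status"),
        "serial": field("Serial Number"),
        "this_update": when("This Update"),
        "next_update": when("Next Update"),
    }

def staple_problems(info, now, min_remaining=timedelta(hours=1)):
    """Return a list of reasons the response should not be stapled at `now`."""
    problems = []
    if not (info["response_status"] or "").startswith("successful"):
        problems.append("response status is not successful")
    if info["cert_status"] != "good":
        problems.append(f"cert status is {info['cert_status']}")
    this_u, next_u = info["this_update"], info["next_update"]
    if this_u is None or next_u is None:
        problems.append("missing This Update / Next Update")
    elif now < this_u:
        problems.append("not yet valid")
    elif now >= next_u:
        problems.append("expired")
    elif next_u - now < min_remaining:
        problems.append("expires soon, refresh the .ocsp file")
    return problems

if __name__ == "__main__":
    print(staple_problems(parse_ocsp_text(SAMPLE), datetime.now(timezone.utc)))
```

The response in the post is valid for twelve hours only, so a `.ocsp` file fetched once goes stale the same day.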



Re: Job Opprtunity

2015-07-09 Thread Richa Gupta

Hi,
   Could you please let me know if you have any update on below mail.

Regards
Richa


From: Richa Gupta
Sent: 07 July 2015 14:08
To: mail-archive.com/haproxy@formilux.org; haproxy@formilux.org
Subject: Job Opprtunity

Hi,
I am reaching out to you as I am currently recruiting for Senior Software 
Engineer in Dublin Ireland for one of the major company and from looking at 
your profile I feel you have an ideal background for this position.

If you are actively looking at the job market I would be keen to organise at a 
time that suits you.

If the timing is not right please let me know if you have anyone in mind that 
may be interested.

You can contact me directly on 016729000 or mail me ri...@kaizenrecruitment.com

Regards,

Richa


RE: [SPAM] HAProxy soft server turnoff issues

2015-07-09 Thread Lukas Tribus
Hi Alexander,


> Hello! 
> 
> My name is Alexander and I am writing on behalf of OWOX company, that 
> supports the most visited Ecommerce website in Ukraine 
> (rozetka.com.ua). 
> 
> We are using haproxy as a well-performance server to balance load 
> between our database servers. We are using several DB-servers, and 
> sometimes we need to softly turn off one of them for maintenance. In 
> case, when technical problems occur (like extreme CPU usage or 
> something) while high load hour, we need to prevent application errors 
> and turn off our server from HAProxy softly. It means, we want to 
> complete previously sent requests over haproxy to this server and get 
> response from it, but we don't want to send new requests. 
> 
> I could not find this case in documentation you provide, and did not 
> find a way to do that through the configuration. 

You can set the server mode to "DRAIN" from the admin socket, that
should achieve exactly what you want:

set server <backend>/<server> state [ ready | drain | maint ]
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#9.2-set%20server



Regards,

Lukas

  


Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

2015-07-09 Thread Emeric Brun
Hi Dave,

Could you re-indent your code? You've created a lot of unnecessary diffs in
your patch and there is too much interference for a clean review.


i.e.

On 07/07/2015 09:21 PM, Dave Zhu (yanbzhu) wrote:
> - if (bind_conf->default_ctx) {
> - memprintf(err, "%sthis version of openssl cannot load multiple 
> SSL
> certificates.\n",
> -   err && *err ? *err : "");
> - return 1;
> - }
> +if (bind_conf->default_ctx) {
> +memprintf(err, "%sthis version of openssl cannot load
> multiple SSL certificates.\n",
> +err && *err ? *err : "");
> +goto end;
> +}
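
Review bot: The one behavioural change in the quoted lines is `return 1;` becoming `goto end;`, but all five lines show as changed because the indentation and the wrapping of the string literal differ. Restore the original indentation so the hunk shrinks to that single line, and confirm that the `end` label, which is not visible here, still makes the function return the error value that `return 1` produced.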

R,
Emeric



[SPAM] HAProxy soft server turnoff issues

2015-07-09 Thread Александр Безпятов
Hello!

My name is Alexander and I am writing on behalf of OWOX company, that
supports the most visited Ecommerce website in Ukraine (rozetka.com.ua).

We are using haproxy as a well-performance server to balance load between
our database servers. We are using several DB-servers, and sometimes we
need to softly turn off one of them for maintenance. In case, when
technical problems occur (like extreme CPU usage or something) while high
load hour, we need to prevent application errors and turn off our server
from HAProxy softly. It means, we want to complete previously sent requests
over haproxy to this server and get response from it, but we don't want to
send new requests.

I could not find this case in documentation you provide, and did not find a
way to do that through the configuration.

So, the question is: is it possible, or planned to realise, or it's magic,
that never gonna be realised? :)

-
Thanks a lot and best regards,
Alexander Bezpyatov,
Team Leader, OWOX.com


Re: [PATCH] MINOR: Add sample fetch to detect Supported Elliptic Curves Extension

2015-07-09 Thread Nenad Merdanovic
Hello Lukas,

On 7/9/2015 9:53 AM, Lukas Tribus wrote:
> I like this, I'm glad we have this possibility now. It isn't however an
> alternative to Dave Zhu's work, it's rather an additional possibility.
> 
> We still ought to work with Dave to get his proposals merged, imho.
> 

Absolutely, it is by no means an alternative and wasn't envisioned as
such. Due to very simple logic, it is just a faster way to support
ECC+RSA, which I require currently to satisfy my client's needs (that
was also the motivation to create this).

I think Dave's work is the real thing here and will be used eventually
much more widely. The only advantage this approach has is that it can be used
where OpenSSL 1.0.2 is not available (For example, Debian stable ships
1.0.1).

> 
> 
> Thanks!
> 
> Lukas

Regards,
Nenad



Re: [PATCH] MINOR: Add sample fetch to detect Supported Elliptic Curves Extension

2015-07-09 Thread Willy Tarreau
On Thu, Jul 09, 2015 at 09:53:06AM +0200, Lukas Tribus wrote:
> >  >> The deprecated req_ssl_* keywords were for compatibility with historic 
> > versions
> >>> and should not be introduced right now, so I'd rather not add it now to 
> >>> remove
> >>> it in next version. If you're OK with me removing it by hand I can fix it
> >>> myself, but if you prefer to resubmit that's fine as well. Just let me 
> >>> know!
> >>>
> >>
> >> Sure, you can remove it by hand, no problems there.
> >
> > Perfect, patch merged then!
> 
> I like this, I'm glad we have this possibility now. It isn't however an
> alternative to Dave Zhu's work, it's rather an additional possibility.

That's exactly the point and I'm glad Nenad mentioned Dave's work
in his commit message.

> We still ought to work with Dave to get his proposals merged, imho.

Absolutely. I need some of Emeric's availability to review this work. My
limited knowledge of the SSL stack in haproxy tells me Dave's work looks
right but I tend to be wrong when I give my opinion in this area :-)

Willy




RE: [PATCH] MINOR: Add sample fetch to detect Supported Elliptic Curves Extension

2015-07-09 Thread Lukas Tribus
>  >> The deprecated req_ssl_* keywords were for compatibility with historic 
> versions
>>> and should not be introduced right now, so I'd rather not add it now to 
>>> remove
>>> it in next version. If you're OK with me removing it by hand I can fix it
>>> myself, but if you prefer to resubmit that's fine as well. Just let me know!
>>>
>>
>> Sure, you can remove it by hand, no problems there.
>
> Perfect, patch merged then!

I like this, I'm glad we have this possibility now. It isn't however an
alternative to Dave Zhu's work, it's rather an additional possibility.

We still ought to work with Dave to get his proposals merged, imho.



Thanks!

Lukas

  


Re: Support Options

2015-07-09 Thread Willy Tarreau
Hello Michael,

On Wed, Jul 08, 2015 at 05:35:51PM -0400, Michael Holmes wrote:
> Hello,
> 
> Our business has a critical performance issue with our implementation of 
> HAProxy which is affecting our customers daily. I believe the issue is 
> rooted in incomplete or wrongly configured performance tuning.
> 
> I found this information: http://www.haproxy.org/#supp
> 
> I've been trying to get in touch with someone at www.haproxy.com for 
> weeks in order to figure out support options, but contact attempts via 
> web form and phone calls aren't being returned. I would post my 
> situation to this newsgroup as a last resort because it will take a lot 
> of time to write up the case.

I'm quite surprised, as there's always someone here (except during a
few hours at night between the ones leaving late and the ones arriving
early).

Would you prefer to be recontacted directly ? If so, please drop me an
e-mail off-list, as we all try to keep this list as free as possible of
any business activity.

Thanks,
Willy




Re: [PATCH] MINOR: Add sample fetch to detect Supported Elliptic Curves Extension

2015-07-09 Thread Willy Tarreau
On Thu, Jul 09, 2015 at 09:18:50AM +0200, Nenad Merdanovic wrote:
> >> +req.ssl_ec_ext : boolean
> >> +req_ssl_ec_ext : boolean (deprecated)
> > 
> > The deprecated req_ssl_* keywords were for compatibility with historic 
> > versions
> > and should not be introduced right now, so I'd rather not add it now to 
> > remove
> > it in next version. If you're OK with me removing it by hand I can fix it
> > myself, but if you prefer to resubmit that's fine as well. Just let me know!
> > 
> 
> Sure, you can remove it by hand, no problems there.

Perfect, patch merged then!

Thanks,
Willy




Re: [PATCH] MINOR: Add sample fetch to detect Supported Elliptic Curves Extension

2015-07-09 Thread Nenad Merdanovic
Hello Willy,

On 7/8/2015 10:44 PM, Willy Tarreau wrote:
[...]

>> +req.ssl_ec_ext : boolean
>> +req_ssl_ec_ext : boolean (deprecated)
> 
> The deprecated req_ssl_* keywords were for compatibility with historic 
> versions
> and should not be introduced right now, so I'd rather not add it now to remove
> it in next version. If you're OK with me removing it by hand I can fix it
> myself, but if you prefer to resubmit that's fine as well. Just let me know!
> 

Sure, you can remove it by hand, no problems there.

Cheers,
Nenad