RE: Load Balancing the Load Balancer
Hi,

we see there is a new feature of HAProxy, peer and share table (sticky-table). Can this peer feature be used to keep the stick cookie in sync, so that if one haproxy goes down the other can take over connections?

Is there some HAProxy native feature to keep the HAProxy nodes' configuration in sync automatically, or do we have to rely on external tools like rsync manually or, as we do on LVS, a cron job executing a script to sync the configuration? What is your choice?

For the connection limitation, are you speaking of frontend and per backend server minconn / maxconn? Isn't it right to divide by n (n = number of HAProxy) the established total and per server connections? Also, if this is not perfect, we'll always have at most (n * maxconn).

Also... I know that a major pro of L7 load balancing is to manage centrally all phases of the communication (sticky, balancing, etc.), but in Hybrid Cloud thinking... isn't it right to be able to control the connection up to a certain point and so use some mechanism such as an L4 load balancer (like LVS) to put clients and final servers in direct communication? At least for communications that do not rely on sticky (persistent) sessions, one can alleviate a periodic extraordinarily high connection rate by redirecting connections for some services (L7 acl) in a Public Cloud without weighing down our Private Cloud infrastructure? Probably there is some other way... We do not see it at the moment...

-----Original Message-----
From: Thierry FOURNIER [mailto:thierry.fourn...@arpalert.org]
Sent: Thursday 9 July 2015 14.51
To: mlist
Cc: 'haproxy@formilux.org'
Subject: Re: Load Balancing the Load Balancer

On Thu, 9 Jul 2015 11:08:58 + mlist ml...@apsystems.it wrote:

> We have a question about Load Balancing the load balancer... We have as of now 2 LVS load balancers in active / passive configuration with keepalived. We want to introduce an L7 load balancer (HAProxy) in active / active configuration, so we have not only HA configuration but also load balanced configuration of the load balancer.
>
> We think we can do that using the two active / passive LVS machines to load balance requests on 2 HAProxy machines, using correctly persistence (LVS) and stickiness (HAProxy) so application / session behave as expected. We did not find such a solution on the Internet, do you think this is a bad design?

Hi,

this is the classic design, but make sure that both haproxy configurations are the same (mainly with the stick cookie name and values).

You must know that it's not really possible to limit the amount of connections to your servers because the first haproxy doesn't know the current connections of the second haproxy.

Thierry
Re: Job Opportunity
Hi,

Could you please let me know if you have any update on the mail below.

Regards
Richa

From: Richa Gupta
Sent: 07 July 2015 14:08
To: mail-archive.com/haproxy@formilux.org; haproxy@formilux.org
Subject: Job Opportunity

Hi,

I am reaching out to you as I am currently recruiting for a Senior Software Engineer in Dublin, Ireland for one of the major companies, and from looking at your profile I feel you have an ideal background for this position. If you are actively looking at the job market I would be keen to organise at a time that suits you. If the timing is not right please let me know if you have anyone in mind that may be interested. You can contact me directly on 016729000 or mail me ri...@kaizenrecruitment.com

Regards,
Richa
ocsp
Hi all,

I have a problem getting OCSP stapling to work. Here is what I did:

I have 8150.pem with chain, cert and key in it.
I have 8150.pem.ocsp that seems OK:

    # openssl ocsp -respin 8150.pem.ocsp -text -CAfile alphassl256.chain
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: 9F10D9EDA5260B71A677124526751E17DC85A62F
        Produced At: Jul 9 09:47:04 2015 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 84D56BF8098BD307B766D8E1EBAD6596AA6B6761
          Issuer Key Hash: F5CDD53C0850F96A4F3AB797DA5683E669D268F7
          Serial Number: 11216784E7CA1813F3AD922B60EAF6428EE0
        Cert Status: good
        This Update: Jul 9 09:47:04 2015 GMT
        Next Update: Jul 9 21:47:04 2015 GMT

No error/warning at haproxy launch, but I am not sure haproxy is loading the .ocsp file because there is no notice in the log.

But nothing in tlsextdebug:

    echo Q | openssl s_client -connect www.beluc.fr:443 -servername www.beluc.fr -tlsextdebug -status -CApath /etc/ssl/certs
    [...]
    OCSP response: no response sent
    [...]

Do you see smth wrong? What can I do in order to debug?

Regards,
--
Marc-Antoine
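One check that can be automated on the output quoted in the message above, as an added example that is not part of the original post: parse the `openssl ocsp -text` output and confirm the response is successful, reports `good`, and is inside its This Update / Next Update window at a given time. The function names are hypothetical, and the sample is the message's own output with line breaks restored and trimmed to the fields used.

```python
import re
from datetime import datetime, timezone

# Text output from the message above (line breaks restored, trimmed), as
# printed by `openssl ocsp -respin 8150.pem.ocsp -text`.
SAMPLE = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responses:
    Certificate ID:
      Serial Number: 11216784E7CA1813F3AD922B60EAF6428EE0
    Cert Status: good
    This Update: Jul 9 09:47:04 2015 GMT
    Next Update: Jul 9 21:47:04 2015 GMT
"""

FIELDS = ("OCSP Response Status", "Cert Status", "This Update", "Next Update")

def parse_ocsp_text(text):
    """Extract the fields that decide whether the response is usable."""
    found = {}
    for name in FIELDS:
        match = re.search(rf"^\s*{re.escape(name)}:\s*(.+?)\s*$", text, re.M)
        if match:
            found[name] = match.group(1)
    return found

def _utc(value):
    # openssl pads single-digit days ("Jul  9 ..."); collapse the spaces first.
    stamp = " ".join(value.split())
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def validity_window(text):
    """Return (This Update, Next Update) as timezone-aware datetimes."""
    fields = parse_ocsp_text(text)
    return _utc(fields["This Update"]), _utc(fields["Next Update"])

def staple_problems(text, now):
    """Return a list of reasons this response should not be stapled at `now`."""
    fields = parse_ocsp_text(text)
    problems = []
    if not fields.get("OCSP Response Status", "").startswith("successful"):
        problems.append("responder status is not successful")
    if fields.get("Cert Status") != "good":
        problems.append(f"cert status is {fields.get('Cert Status')!r}")
    if "This Update" not in fields or "Next Update" not in fields:
        return problems + ["missing This Update / Next Update"]
    start, end = validity_window(text)
    if now < start:
        problems.append("This Update is in the future (clock skew?)")
    if now >= end:
        problems.append(f"expired at {end:%Y-%m-%d %H:%M} UTC")
    return problems
```

For the response shown, the window is 12 hours, so a `.ocsp` file that is not regenerated at least that often falls outside its validity period.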
Load Balancing the Load Balancer
We have a question about Load Balancing the load balancer... We have as of now 2 LVS load balancers in active / passive configuration with keepalived. We want to introduce an L7 load balancer (HAProxy) in active / active configuration, so we have not only HA configuration but also load balanced configuration of the load balancer.

We think we can do that using the two active / passive LVS machines to load balance requests on 2 HAProxy machines, using correctly persistence (LVS) and stickiness (HAProxy) so application / session behave as expected. We did not find such a solution on the Internet, do you think this is a bad design?

Roberto
Re: [PATCH] MINOR: Add sample fetch to detect Supported Elliptic Curves Extension
On Thu, Jul 09, 2015 at 09:18:50AM +0200, Nenad Merdanovic wrote: +req.ssl_ec_ext : boolean +req_ssl_ec_ext : boolean (deprecated) The deprecated req_ssl_* keywords were for compatibility with historic versions and should not be introduced right now, so I'd rather not add it now to remove it in next version. If you're OK with me removing it by hand I can fix it myself, but if you prefer to resubmit that's fine as well. Just let me know! Sure, you can remove it by hand, no problems there. Perfect, patch merged then! Thanks, Willy
Re: Support Options
Hello Michael,

On Wed, Jul 08, 2015 at 05:35:51PM -0400, Michael Holmes wrote:
> Hello,
>
> Our business has a critical performance issue with our implementation of HAProxy which is affecting our customers daily. I believe the issue is rooted in incomplete or wrongly configured performance tuning.
>
> I found this information: http://www.haproxy.org/#supp
>
> I've been trying to get in touch with someone at www.haproxy.com for weeks in order to figure out support options, but contact attempts via web form and phone calls aren't being returned.
>
> I would post my situation to this newsgroup as a last resort because it will take a lot of time to write up the case.

I'm quite surprised, as there's always someone here (except during a few hours at night between the ones leaving late and the ones arriving early). Would you prefer to be recontacted directly? If so, please drop me an e-mail off-list, as we all try to keep this list as free as possible of any business activity.

Thanks,
Willy
Re: [PATCH] MINOR: Add sample fetch to detect Supported Elliptic Curves Extension
On Thu, Jul 09, 2015 at 09:53:06AM +0200, Lukas Tribus wrote:
>>>> The deprecated req_ssl_* keywords were for compatibility with historic versions and should not be introduced right now, so I'd rather not add it now to remove it in next version. If you're OK with me removing it by hand I can fix it myself, but if you prefer to resubmit that's fine as well. Just let me know!
>>>
>>> Sure, you can remove it by hand, no problems there.
>>
>> Perfect, patch merged then!
>
> I like this, I'm glad we have this possibility now. It isn't however an alternative to Dave Zhu's work, it's rather an additional possibility.

That's exactly the point and I'm glad Nenad mentioned Dave's work in his commit message.

> We still ought to work with Dave to get his proposals merged, imho.

Absolutely. I need some of Emeric's availability to review this work. My limited knowledge of the SSL stack in haproxy tells me Dave's work looks right but I tend to be wrong when I give my opinion in this area :-)

Willy
Re: [PATCH] MINOR: Add sample fetch to detect Supported Elliptic Curves Extension
Hello Willy, On 7/8/2015 10:44 PM, Willy Tarreau wrote: [...] +req.ssl_ec_ext : boolean +req_ssl_ec_ext : boolean (deprecated) The deprecated req_ssl_* keywords were for compatibility with historic versions and should not be introduced right now, so I'd rather not add it now to remove it in next version. If you're OK with me removing it by hand I can fix it myself, but if you prefer to resubmit that's fine as well. Just let me know! Sure, you can remove it by hand, no problems there. Cheers, Nenad
RE: [PATCH] MINOR: Add sample fetch to detect Supported Elliptic Curves Extension
>>> The deprecated req_ssl_* keywords were for compatibility with historic versions and should not be introduced right now, so I'd rather not add it now to remove it in next version. If you're OK with me removing it by hand I can fix it myself, but if you prefer to resubmit that's fine as well. Just let me know!
>>
>> Sure, you can remove it by hand, no problems there.
>
> Perfect, patch merged then!

I like this, I'm glad we have this possibility now. It isn't however an alternative to Dave Zhu's work, it's rather an additional possibility.

We still ought to work with Dave to get his proposals merged, imho.

Thanks!

Lukas
Re: [PATCH] MINOR: Add sample fetch to detect Supported Elliptic Curves Extension
Hello Lukas,

On 7/9/2015 9:53 AM, Lukas Tribus wrote:
> I like this, I'm glad we have this possibility now. It isn't however an alternative to Dave Zhu's work, it's rather an additional possibility.
>
> We still ought to work with Dave to get his proposals merged, imho.

Absolutely, it is by no means an alternative and wasn't envisioned as such. Due to very simple logic, it is just a faster way to support ECC+RSA, which I require currently to satisfy my client's needs (that was also the motivation to create this).

I think Dave's work is the real thing here and will be used eventually much more widely. The only advantage this approach has is that it can be used where OpenSSL 1.0.2 is not available (for example, Debian stable ships 1.0.1).

> Thanks!
>
> Lukas

Regards,
Nenad
[SPAM] HAProxy soft server turnoff issues
Hello! My name is Alexander and I am writing on behalf of OWOX company, that supports the most visited Ecommerce website in Ukraine (rozetka.com.ua). We are using haproxy as a well-performance server to balance load between our database servers. We are using several DB-servers, and sometimes we need to softly turn off one of them for maintenance. In case, when technical problems occur (like extreme CPU usage or something) while high load hour, we need to prevent application errors and turn off our server from HAProxy softly. It means, we want to complete previously sent requests over haproxy to this server and get response from it, but we don't want to send new requests. I could not find this case in documentation you provide, and did not find a way to do that through the configuration. So, the question is: is it possible, or planned to realise, or it's magic, that never gonna be realised? :) - Thanks a lot and best regards, Alexander Bezpyatov, Team Leader, OWOX.com
Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching
Hi Dave, Could you re-indent your code. You've created a lot of unnecessary diffs in your patch and there is too much interferences for a clean review. i.e. On 07/07/2015 09:21 PM, Dave Zhu (yanbzhu) wrote: - if (bind_conf-default_ctx) { - memprintf(err, %sthis version of openssl cannot load multiple SSL certificates.\n, - err *err ? *err : ); - return 1; - } +if (bind_conf-default_ctx) { +memprintf(err, %sthis version of openssl cannot load multiple SSL certificates.\n, +err *err ? *err : ); +goto end; +} R, Emeric
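Review bot: in the `default_ctx` branch, `return 1;` becomes `goto end;` but the visible lines only call memprintf() and jump, with no assignment to a return variable, so unless the code at `end:` returns non-zero unconditionally this error path would now report success and a bind line with multiple certificates would be accepted on an OpenSSL build that cannot load them. Set the error code explicitly before `goto end;`, or keep `return 1;` if nothing needs cleaning up at this point. Separately, the `+` lines change only the indentation of the `if` and `memprintf` lines, which is what makes otherwise unchanged lines appear modified; keep the original indentation so the diff carries only the functional change.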
RE: [SPAM] HAProxy soft server turnoff issues
Hi Alexander,

> Hello! My name is Alexander and I am writing on behalf of OWOX company, that supports the most visited Ecommerce website in Ukraine (rozetka.com.ua).
>
> We are using haproxy as a well-performance server to balance load between our database servers. We are using several DB-servers, and sometimes we need to softly turn off one of them for maintenance. In case, when technical problems occur (like extreme CPU usage or something) while high load hour, we need to prevent application errors and turn off our server from HAProxy softly. It means, we want to complete previously sent requests over haproxy to this server and get response from it, but we don't want to send new requests.
>
> I could not find this case in documentation you provide, and did not find a way to do that through the configuration.

You can set the server mode to DRAIN from the admin socket, that should achieve exactly what you want:

    set server <backend>/<server> state [ ready | drain | maint ]

http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#9.2-set%20server

Regards,

Lukas
Re: Load Balancing the Load Balancer
On Thu, 9 Jul 2015 11:08:58 + mlist ml...@apsystems.it wrote:

> We have a question about Load Balancing the load balancer... We have as of now 2 LVS load balancers in active / passive configuration with keepalived. We want to introduce an L7 load balancer (HAProxy) in active / active configuration, so we have not only HA configuration but also load balanced configuration of the load balancer.
>
> We think we can do that using the two active / passive LVS machines to load balance requests on 2 HAProxy machines, using correctly persistence (LVS) and stickiness (HAProxy) so application / session behave as expected. We did not find such a solution on the Internet, do you think this is a bad design?

Hi,

this is the classic design, but make sure that both haproxy configurations are the same (mainly with the stick cookie name and values).

You must know that it's not really possible to limit the amount of connections to your servers because the first haproxy doesn't know the current connections of the second haproxy.

Thierry
Re: reqrep to lower case
Hi Laurent,

On 07/07/2015 19:21, Laurent Mirguet wrote:
> Dear all,
>
> We would like to rewrite all urls for a certain backend to their lower case form.
> We thought on something like
>
>     reqrep ^([^\ ]*\ )(.*) %[\1,lower]
>
> Is it possible to do so with HAProxy ?

I don't see any simple (and maintainable) example except by using the 1.6 development branch, which allows:

    http-request set-path %[path,lower]

With this rule,
/Foo will be seen as /foo by the backend
/Foo?BAR will be seen as /foo?BAR

Wanting to also lowercase the query string?

    http-request set-uri %[url,lower]

Using the 1.5 stable branch, you may introduce a redirect, which is probably not what you want:

    http-request redirect location %[path,lower]
or
    http-request redirect location %[url,lower]

Note: the first one will lose the query string, the second one will lowercase the query string.

--
Cyril Bonté
Re: reqrep to lower case
Thank you very much Cyril.
I guess we need to wait for 1.6 to be released then.

Regards
Laurent

On Thursday 9 July 2015, Cyril Bonté cyril.bo...@free.fr wrote:
> Hi Laurent,
>
> On 07/07/2015 19:21, Laurent Mirguet wrote:
>> Dear all,
>>
>> We would like to rewrite all urls for a certain backend to their lower case form.
>> We thought on something like
>>
>>     reqrep ^([^\ ]*\ )(.*) %[\1,lower]
>>
>> Is it possible to do so with HAProxy ?
>
> I don't see any simple (and maintainable) example except by using the 1.6 development branch, which allows:
>
>     http-request set-path %[path,lower]
>
> With this rule,
> /Foo will be seen as /foo by the backend
> /Foo?BAR will be seen as /foo?BAR
>
> Wanting to also lowercase the query string?
>
>     http-request set-uri %[url,lower]
>
> Using the 1.5 stable branch, you may introduce a redirect, which is probably not what you want:
>
>     http-request redirect location %[path,lower]
> or
>     http-request redirect location %[url,lower]
>
> Note: the first one will lose the query string, the second one will lowercase the query string.
>
> --
> Cyril Bonté
Re: simple acl combination query
Hi,

On 06/07/2015 16:22, Lee Musgrave wrote:
> hi,
>
> simple question about acl's
>
> i know i can combine them in monitors eg:
>
>     acl acl1 nbsrv(mysql) eq 0
>     acl acl2 nbsrv(mssql) eq 0
>     monitor-uri /dbs
>
> for and:
>     monitor fail if acl1 acl2
> for or:
>     monitor fail if acl1 || acl2
>
> what i'm not sure about, is for more complicated logical combinations, can multiple and's and or's be combined, eg:
>
>     monitor fail unless (acl1 acl2 acl3) || (acl4 (acl5 || acl6)) || (acl1 || acl5)

You'll have to rewrite your expression in its disjunctive normal form (DNF).

--
Cyril Bonté
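The rewrite Cyril describes, as an added example that is not part of the original thread: a small parser that expands a parenthesised condition into disjunctive normal form (terms of implicitly ANDed ACLs joined by `||`) and optionally drops terms absorbed by shorter ones. The function names are hypothetical, and it goes slightly beyond the expression in the question by also accepting `!acl` negation.

```python
import re
from itertools import product

# ACL names (optionally negated with "!"), "||" and parentheses.
TOKEN = re.compile(r"\|\||[()]|!?[A-Za-z_][\w.-]*")

def _parse_or(toks):
    """expr := term ('||' term)* ; returns a set of frozenset conjunctions."""
    terms = _parse_and(toks)
    while toks and toks[0] == "||":
        toks.pop(0)
        terms |= _parse_and(toks)
    return terms

def _parse_and(toks):
    """term := factor+ ; AND is implicit, as in the conditions quoted above."""
    terms, seen = {frozenset()}, False
    while toks and toks[0] not in ("||", ")"):
        tok = toks.pop(0)
        if tok == "(":
            sub = _parse_or(toks)
            if not toks or toks.pop(0) != ")":
                raise ValueError("missing ')'")
        else:
            sub = {frozenset([tok])}
        # Distribute AND over OR: (a || b) c  ->  a c || b c
        terms = {left | right for left, right in product(terms, sub)}
        seen = True
    if not seen:
        raise ValueError("empty term")
    return terms

def to_dnf(condition, simplify=True):
    """Return the condition as 'a b || c d', without parentheses."""
    toks = TOKEN.findall(condition)
    if "".join(toks) != "".join(condition.split()):
        raise ValueError("unsupported characters in condition")
    terms = _parse_or(toks)
    if toks:
        raise ValueError("unbalanced ')'")
    if simplify:
        # Absorption: drop any term that strictly contains another term.
        terms = {t for t in terms if not any(o < t for o in terms)}
    ordered = sorted(terms, key=lambda t: (len(t), sorted(t)))
    return " || ".join(" ".join(sorted(t)) for t in ordered)

if __name__ == "__main__":
    expr = "(acl1 acl2 acl3) || (acl4 (acl5 || acl6)) || (acl1 || acl5)"
    print("monitor fail unless", to_dnf(expr, simplify=False))
    print("monitor fail unless", to_dnf(expr))
```

For the expression in the question this yields `acl1 || acl5 || acl4 acl5 || acl4 acl6 || acl1 acl2 acl3`, which absorption reduces to `acl1 || acl5 || acl4 acl6`.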