Re: Can HAProxy loadbalance multiple requests send through single TCP connection

2015-09-04 Thread Prabu rajan
Hi Team,

Thanks for the prompt reply; understood that it is not possible with out-of-the-box
HAProxy configurations. I am interested to know whether there are any
options/plugins available in HAProxy, or any other tools, to load balance
those messages. To explain my query clearly: we use Host to Host (H2H)
protocol messages and we would like to load balance those messages. The H2H
protocol is used to communicate between GDSs (Airline reservation systems).

Regards,
Prabu

On Wed, Sep 2, 2015 at 11:47 PM, Bryan Talbot  wrote:

> TCP really has no notion of "messages", it's all just bytes. So no, this
> would not be possible with plain TCP.
>
> -Bryan
>
>
> On Wed, Sep 2, 2015 at 12:05 PM, Prabu rajan 
> wrote:
>
>> Hi Team,
>>
>> Our client to HAProxy establishes single TCP connection and continues to
>> send messages. We would like to know, is there a way to load balance those
>> messages across the services sitting behind HAProxy. Please advise.
>>
>> Regards,
>> Prabu
>>
>
>


Re: Can HAProxy loadbalance multiple requests send through single TCP connection

2015-09-04 Thread Pavlos Parissis
On 04/09/2015 09:34 AM, Prabu rajan wrote:
> Hi Team,
> 
> Thanks for the prompt reply; understood that it is not possible with
> out-of-the-box HAProxy configurations. I am interested to know whether
> there are any options/plugins available in HAProxy, or any other tools,
> to load balance those messages. To explain my query clearly: we use Host
> to Host (H2H) protocol messages and we would like to load balance those
> messages. The H2H protocol is used to communicate between GDSs (Airline
> reservation systems). 
> 

You need a device which understands that protocol in order to do a
proper balancing of those messages. I don't believe HAProxy understands
that protocol, therefore can't balance traffic as you want.

Cheers,
Pavlos



signature.asc
Description: OpenPGP digital signature
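Bryan's and Pavlos's point, illustrated with an added Python example that is not part of the thread: the bytes arriving on one TCP connection carry no message boundaries, so a balancer can only dispatch per message after it has reassembled them according to the application protocol. The H2H wire format is not described in the thread, so the framing used here (a 2-byte big-endian length prefix, implemented by `frame()` and `MessageFramer`) is an assumption, as are the backend names, the sample messages and the chunk sizes.

```python
"""Added example (not from the mailing-list thread): why per-message load
balancing over a single TCP connection needs protocol awareness.

ASSUMPTION: messages are framed as a 2-byte big-endian length prefix
followed by the payload. The real H2H format is not on the page."""
import struct
from itertools import cycle


def frame(payload: bytes) -> bytes:
    """Encode one message with the assumed 2-byte length prefix."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too large for a 16-bit length prefix")
    return struct.pack(">H", len(payload)) + payload


class MessageFramer:
    """Reassembles complete messages from an arbitrarily chunked byte stream."""

    def __init__(self):
        self._buf = bytearray()

    def feed(self, chunk: bytes):
        """Append one TCP read and return every message that is now complete."""
        self._buf.extend(chunk)
        messages = []
        while len(self._buf) >= 2:
            (length,) = struct.unpack(">H", self._buf[:2])
            if len(self._buf) < 2 + length:
                break  # partial message: wait for more bytes
            messages.append(bytes(self._buf[2:2 + length]))
            del self._buf[:2 + length]
        return messages


def dispatch_by_chunk(chunks, backends):
    """Naive approach: treat each TCP read as a 'message'.
    Returns (backend, bytes) pairs; message boundaries are not respected."""
    rr = cycle(backends)
    return [(next(rr), chunk) for chunk in chunks]


def dispatch_by_message(chunks, backends):
    """Protocol-aware approach: reassemble, then round-robin whole messages."""
    framer = MessageFramer()
    rr = cycle(backends)
    out = []
    for chunk in chunks:
        for msg in framer.feed(chunk):
            out.append((next(rr), msg))
    return out


def split_stream(data: bytes, sizes):
    """Cut a byte string into chunks of the given sizes (constructed, to
    imitate how the kernel may hand the stream to a reader)."""
    chunks, pos = [], 0
    for n in sizes:
        chunks.append(data[pos:pos + n])
        pos += n
    chunks.append(data[pos:])
    return [c for c in chunks if c]


# Constructed sample: three messages sent back to back on one connection.
MESSAGES = [b"BOOK PNR=ABC123", b"PRICE SEG=1", b"CANCEL PNR=ABC123"]
STREAM = b"".join(frame(m) for m in MESSAGES)
# Chunk boundaries deliberately fall in the middle of messages.
CHUNKS = split_stream(STREAM, [5, 9, 11, 3])
BACKENDS = ["srv1", "srv2"]

if __name__ == "__main__":
    print("naive :", dispatch_by_chunk(CHUNKS, BACKENDS))
    print("framed:", dispatch_by_message(CHUNKS, BACKENDS))
```

`dispatch_by_chunk` shows what a protocol-agnostic proxy would do if it tried anyway: each TCP read is treated as a unit, so the backends receive fragments that start or end mid-message. `dispatch_by_message` needs exactly the protocol knowledge Pavlos refers to, and a real implementation would additionally have to route each reply back to the right client and decide what happens to a half-received message when a backend disappears.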


Re: Can HAProxy loadbalance multiple requests send through single TCP connection

2015-09-04 Thread Prabu rajan
Hi Pavlos,

Thanks for your response!

Cheers,
Prabu

On Fri, Sep 4, 2015 at 12:04 PM, Pavlos Parissis 
wrote:

> On 04/09/2015 09:34 AM, Prabu rajan wrote:
> > Hi Team,
> >
> > Thanks for the prompt reply; understood that it is not possible with
> > out-of-the-box HAProxy configurations. I am interested to know whether
> > there are any options/plugins available in HAProxy, or any other tools,
> > to load balance those messages. To explain my query clearly: we use Host
> > to Host (H2H) protocol messages and we would like to load balance those
> > messages. The H2H protocol is used to communicate between GDSs (Airline
> > reservation systems).
> >
>
> You need a device which understands that protocol in order to do a
> proper balancing of those messages. I don't believe HAProxy understands
> that protocol, therefore can't balance traffic as you want.
>
> Cheers,
> Pavlos
>
>


Re: Haproxy and postfix SMTPS - can't get haproxy and postfix talking to each other

2015-09-04 Thread Lukas Erlacher

Hi,

using your configuration gives me this warning:

[WARNING] 246/103726 (16071) : [/usr/sbin/haproxy.main()] FD limit 
(85535) too low for maxconn=65000/maxsock=130032. Please raise 
'ulimit-n' to 130032 or more to avoid any trouble.


Other than that it makes no difference.

I think I'm going to just emulate SMTPS by terminating SSL in haproxy 
and forwarding it to port 25...


Best,
Luke



Well I created a very simple config.

/etc/haproxy.cfg
global
 maxconn 65000
 ulimit-n 85535
 uid 0
 gid 0
 daemon
 stats socket /var/run/haproxy.stat level admin

 nbproc 1

 cpu-map all 1 2
 ssl-server-verify none

 tune.ssl.default-dh-param 2048

defaults
 mode tcp
 no option http-server-close
 timeout connect 5000
 timeout client  5
 timeout server  5

listen app1
 bind :8080
 mode http
 stats enable
 stats uri /
 maxconn 200


frontend ft_smtps
 bind :465
 timeout client 1m
 default_backend bk_postfix_smtps

backend bk_postfix_smtps
 option tcp-check
 timeout server 1m
 timeout connect 5s
 server mail-1 172.1.1.21:10464 send-proxy check

/etc/postfix/master.cf on 172.1.1.21
10464 inet  n   -   n   -   -   smtpd
   -o smtpd_tls_wrappermode=yes
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
   -o smtpd_upstream_proxy_protocol=haproxy


Would you mind trying ?

10464 inet n - n - - smtpd

instead of

10464 inet n - - - - smtpd

For haproxy...

The only difference is that you use chroot and the haproxy user. Could you
please try with the defaults and global sections from the minimal example?


cheers
thomas




--

Mit freundlichen Gruessen,
Lukas Erlacher

--
Rechnerbetriebsgruppe der Fakultäten Mathematik und Informatik
Raum 00.05.042
Tel. 089-289-18258
erlac...@in.tum.de
Technische Universität München - Boltzmannstr. 3 - 85748 Garching



smime.p7s
Description: S/MIME Cryptographic Signature


Re: Haproxy and postfix SMTPS - can't get haproxy and postfix talking to each other

2015-09-04 Thread Thomas Heil
Hi,


On 04.09.2015 11:01, Lukas Erlacher wrote:
> Hi,
> 
> using your configuration gives me this warning:
> 
> [WARNING] 246/103726 (16071) : [/usr/sbin/haproxy.main()] FD limit
> (85535) too low for maxconn=65000/maxsock=130032. Please raise
> 'ulimit-n' to 130032 or more to avoid any trouble.


Just adapt
--
maxconn 65000
ulimit-n 85535
--

to your favorite values and you're fine.

> 
> Other than that it makes no difference.
> 

I think the problem is the entry in /etc/postfix/master.cf


> I think I'm going to just emulate SMTPS by terminating SSL in haproxy
> and forwarding it to port 25...

but then I think you need tproxy to preserve the client IP

> 
> Best,
> Luke
> 
>>
>> Well I created a very simple config.
>>
>> /etc/haproxy.cfg
>> global
>>  maxconn 65000
>>  ulimit-n 85535
>>  uid 0
>>  gid 0
>>  daemon
>>  stats socket /var/run/haproxy.stat level admin
>>
>>  nbproc 1
>>
>>  cpu-map all 1 2
>>  ssl-server-verify none
>>
>>  tune.ssl.default-dh-param 2048
>>
>> defaults
>>  mode tcp
>>  no option http-server-close
>>  timeout connect 5000
>>  timeout client  5
>>  timeout server  5
>>
>> listen app1
>>  bind :8080
>>  mode http
>>  stats enable
>>  stats uri /
>>  maxconn 200
>>
>>
>> frontend ft_smtps
>>  bind :465
>>  timeout client 1m
>>  default_backend bk_postfix_smtps
>>
>> backend bk_postfix_smtps
>>  option tcp-check
>>  timeout server 1m
>>  timeout connect 5s
>>  server mail-1 172.1.1.21:10464 send-proxy check
>>
>> /etc/postfix/master.cf on 172.1.1.21
>> 10464 inet  n   -   n   -   -   smtpd
>>-o smtpd_tls_wrappermode=yes
>>-o smtpd_sasl_auth_enable=yes
>>-o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>-o smtpd_upstream_proxy_protocol=haproxy
>>
>>
>> Would you mind trying ?
>>
>> 10464 inet n - n - - smtpd
>>
>> instead of
>>
>> 10464 inet n - - - - smtpd
>>
>> For haproxy...
>>
>> The only difference is that you use chroot and the haproxy user. Could you
>> please try with the defaults and global sections from the minimal example?
>>
>>
>> cheers
>> thomas
>>
>>
> 
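An added example (Python; not code from the thread, from HAProxy or from Postfix) of the one thing the two configurations above have to agree on: with `send-proxy`, HAProxy prepends a PROXY protocol v1 line to the connection, and with `smtpd_upstream_proxy_protocol=haproxy` Postfix reads that line before the TLS handshake begins. The addresses and ports are constructed sample values, and `classify_first_bytes` is an assumed helper for telling the two possible mismatches apart from the first bytes a listener receives.

```python
"""Added example: build and validate PROXY protocol v1 headers, the line
HAProxy's `send-proxy` puts in front of the SMTPS connection.
Sample addresses/ports are constructed."""
import ipaddress

MAX_V1_HEADER = 107          # longest legal v1 line (TCP6, full addresses) incl. CRLF
TLS_HANDSHAKE_RECORD = 0x16  # first byte of a TLS handshake record (ClientHello)


def build_proxy_v1(src_ip, dst_ip, src_port, dst_port):
    """Produce the header HAProxy sends for one proxied TCP connection."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination address families differ")
    family = "TCP4" if src.version == 4 else "TCP6"
    return f"PROXY {family} {src} {dst} {src_port} {dst_port}\r\n".encode("ascii")


def parse_proxy_v1(data):
    """Parse a v1 header from the start of a stream.

    Returns (fields, remaining_bytes). Raises ValueError on anything that is
    not a well-formed header; a receiver must close the connection in that
    case rather than fall through and treat the bytes as application data."""
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("no CRLF within the first 107 bytes")
    try:
        line = data[:end].decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("non-ASCII byte in header") from exc
    parts = line.split(" ")
    if parts[0] != "PROXY":
        raise ValueError("missing PROXY signature")
    if parts[1] == "UNKNOWN":           # allowed: proxy could not determine addresses
        return {"family": "UNKNOWN"}, data[end + 2:]
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("unexpected family or field count")
    _, family, src, dst, sport, dport = parts
    want = 4 if family == "TCP4" else 6
    src_a, dst_a = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_a.version != want or dst_a.version != want:
        raise ValueError("address does not match declared family")
    if not (sport.isdigit() and dport.isdigit()):
        raise ValueError("port is not a decimal number")
    ports = (int(sport), int(dport))
    if not all(p <= 65535 for p in ports):
        raise ValueError("port out of range")
    fields = {"family": family, "src": str(src_a), "dst": str(dst_a),
              "src_port": ports[0], "dst_port": ports[1]}
    return fields, data[end + 2:]


def is_valid_proxy_v1(data):
    """Boolean wrapper around parse_proxy_v1 for quick checks."""
    try:
        parse_proxy_v1(data)
        return True
    except ValueError:
        return False


def classify_first_bytes(data):
    """Assumed helper: what the first bytes on a listener say about the setup."""
    if data.startswith(b"PROXY "):
        return "proxy-v1"    # peer sends PROXY; this listener must expect it
    if data and data[0] == TLS_HANDSHAKE_RECORD:
        return "tls-record"  # raw TLS ClientHello: no PROXY line in front of it
    return "other"


if __name__ == "__main__":
    hdr = build_proxy_v1("203.0.113.7", "198.51.100.10", 51234, 465)
    print(hdr)
    print(parse_proxy_v1(hdr + b"\x16\x03\x01"))
```

If one side is configured and the other is not, the connection dies at the first bytes: a listener expecting a PROXY line sees a TLS record (first byte 0x16) instead, and a TLS listener that is not expecting PROXY receives the ASCII text `PROXY TCP4 ...` as an invalid record. That is the symptom to look for in the Postfix log before changing anything else in the setup.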





External-check command problem

2015-09-04 Thread Ben Cabot
We have been seeing the following error when trying to use the
external-check command option.

[ALERT] 246/120705 (25012) : parsing [/etc/haproxy/haproxy.cfg:31] :
'external-check' cannot handle unexpected argument
'/var/lib/loadbalancer.org/check/http_ntlm_proxy_check.sh'.
[ALERT] 246/120705 (25012) : Error(s) found in configuration file :
/etc/haproxy/haproxy.cfg
[ALERT] 246/120705 (25012) : Proxy 'VIP_Name' : 'option
external-check' unable to find required 'external-check command'.
[ALERT] 246/120705 (25012) : Fatal errors found in configuration.

Also the same "cannot handle unexpected argument" error occurs for
"external-check path".

I have tried with the latest build haproxy-ss-20150904 and can
reproduce the problem. I believe it is because it is checking for an
invalid number of arguments, but I may be completely wrong.

Here is my suggested fix.

--- src/cfgparse.org 2015-09-04 13:26:36.070579303 +0100
+++ src/cfgparse.c 2015-09-04 13:36:31.194587549 +0100
@@ -3349,9 +3349,9 @@
 }

  if (!strcmp(args[1], "command")) {
- if (alertif_too_many_args(1, file, linenum, args, &err_code))
+ if (alertif_too_many_args(2, file, linenum, args, &err_code))
  goto out;
- if (*(args[1]) == 0) {
+ if (*(args[2]) == 0) {
  Alert("parsing [%s:%d] : missing argument after '%s'.\n",
   file, linenum, args[1]);
  err_code |= ERR_ALERT | ERR_FATAL;
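Review bot: the index fix is right and matches the context line `curproxy->check_command = strdup(args[2]);` in the next hunk: with args[0] = 'external-check' and args[1] = 'command', the old `*(args[1]) == 0` test could never be true (args[1] is the literal keyword), so a missing command was never detected, while `alertif_too_many_args(1, ...)` rejected the command itself, which is the 'cannot handle unexpected argument' alert in the report above. Worth recording in the description: a script path that contains whitespace is still split into several args and hits the too-many-args check, so exactly one value after `command` is a deliberate constraint.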
@@ -3361,9 +3361,9 @@
  curproxy->check_command = strdup(args[2]);
  }
  else if (!strcmp(args[1], "path")) {
- if (alertif_too_many_args(1, file, linenum, args, &err_code))
+ if (alertif_too_many_args(2, file, linenum, args, &err_code))
  goto out;
- if (*(args[1]) == 0) {
+ if (*(args[2]) == 0) {
  Alert("parsing [%s:%d] : missing argument after '%s'.\n",
   file, linenum, args[1]);
  err_code |= ERR_ALERT | ERR_FATAL;
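Review bot: this mirrors the `command` branch, but the assignment that stores the path lies outside the visible context; confirm that it also reads args[2], otherwise the check and the use would disagree again. The patch also arrives as a bare diff against `src/cfgparse.org` with no subject line: give it a `BUG/MINOR: cfgparse:` subject (or MEDIUM, since the keyword is unusable without the fix) and a short description quoting the alert, so that it can be applied and backported.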



Test config:
global
daemon
stats socket /var/run/haproxy.stat mode 600 level admin
pidfile /var/run/haproxy.pid
log /dev/log local4
maxconn 4
tune.bufsize 16384
tune.maxrewrite 1024
external-check

defaults
mode http
balance roundrobin
timeout connect 4000
timeout client 42000
timeout server 43000
log global

peers loadbalancer_replication
peer lbmaster localhost:7778
peer lbslave localhost:7778

listen VIP_Name
bind 192.168.63.122:80 transparent
mode http
balance leastconn
cookie SERVERID insert nocache indirect
server backup 127.0.0.1:9081 backup  non-stick
option external-check
external-check command /var/lib/loadbalancer.org/check/http_ntlm_proxy_check.sh
option accept-invalid-http-request
option http-keep-alive
option forwardfor
option redispatch
option abortonclose
maxconn 4
option httplog
server RIP_Name 192.168.63.100  weight 100  cookie RIP_Name  check  inter 4000  rise 2  fall 2  minconn 0  maxconn 0  on-marked-down shutdown-sessions

thanks,

Ben

-- 
LOADBALANCER.ORG LTD.
www.loadbalancer.org
supp...@loadbalancer.org



Plastic ProductS

2015-09-04 Thread Sergey Tyshchenko
Manufacture of  printed products from ABS plastic, acrylic, PET method of 
vacuum forming. Series production of Letters, signs, light boxes (lightbox), 
POS material for retail chains.Examples of our work: 
http://identika.pro/counter_link/presentation_en.pdf​

Sergey Tyshchenko
CEO | IDENTIKA.PRO
Viber: +380505566965 | WhatsApp: +380505566965
Skype: t.sergey.ms.tyshche...@identika.pro | identika.pro
03040 | Golosiivskyi Ave. 70 | office 502 | Kiev 

RFI's weekly news - New York's Africans confront the violence...

2015-09-04 Thread RFI L'HEBDO
RFI's weekly news -  04/09/2015

View this email in your browser 

http://rfi.nlfrancemm.com/HM?b=cMftFJcfIjBXfxTLY6I64OXGSKoEz3ibsv5jHPHSe5i6x0q3jEmDV2VKEPCr8eD8&c=_t8sH92t1vXbst8Z-RXNiA
 


New York's Africans confront the violence against young Black people
How are New York's African immigrants reacting to the wave of indignation 
sparked by police violence against young Black people? The answers are 
mixed, and solidarity between communities is far from obvious.
http://rfi.nlfrancemm.com/HP?b=DM02gsKWUxOjo2-r16qx2XeERW-O3e84e5eOSoACw46k7AI3IMvsk6_esGszkbcf&c=rw1j5yhPFz07U2OqnQ7wwg
Oil in Bolivia: the lost tranquillity of the Guaraní Indians
Between oil and protected indigenous territories, the Bolivian government 
has made its choice: priority goes to exploring new hydrocarbon reserves. 
In the threatened indigenous regions, resistance is being organised.
http://rfi.nlfrancemm.com/HP?b=7AzqTPIhQB1b3-2aNoW_d_BiyGSS9cIr3BpB036G14qbb8yAgm4nn_-9FcQWhNux&c=DbBm28sdTr6udPr4zCBTng
Jean Hatzfeld: "I am a humble sounder of souls"
Journalist and writer Jean Hatzfeld publishes his fifth work on the Rwandan 
genocide, this time centred on the children of the massacred and of the 
killers. On the hills of Nyamata, a new generation bears witness to its 
distress, a prisoner, like its ancestors, of rancour and resentment. 
Interview.
http://rfi.nlfrancemm.com/HP?b=7bfl0Az9mX4gKnIlOA6uAHy5TJ9GuxNNm1Oxq2zu1EEscZrOLyyomx2RykinzkOB&c=kK6IJvKShP7389RpcmD4cQ
In France, the pro-gun lobby remains a tiny minority
Terrorist attacks, crime stories... so many tragedies that give a very 
small minority of French people the occasion to campaign for the right to 
bear arms, claiming that such a reform would benefit collective security 
in France.
http://rfi.nlfrancemm.com/HP?b=Bcqx1NKuMqVdLZnE4q19JlyGhXoo729whtNeZYN9BE_DmeZFLF83wUkvIhtYiRB9&c=-bCcyghRcstLtui2GSV47A
Copper price collapse: a hard blow for mining groups
Appels sur l'actualité looks at the price of copper, which has hit its 
lowest level in six years. The cause is weak demand from China, the 
world's largest consumer. The price of the red metal has plunged by more 
than 22% in a year, sharpening fears of an even more pronounced slowdown 
in the Chinese market. The economies of Chile and Peru, among the world's 
largest producers and exporters of copper, are also affected by this 
threat, as are, in Africa, those of Zambia and DR Congo.
http://rfi.nlfrancemm.com/HP?b=GqYcxTpCeZF_F7v-SXAHXPTZm6q6c0CBUTBvIIQfFQaXLBv84lsC7U1ZZuWnyyIb&c=HEb-Waj1Tzj-utlp7sQdOg
Laughter now compulsory in hospitals in Argentina
It is the first time Argentina has legislated in this area. In early 
August it made the presence of clowns compulsory in the hospitals of 
Buenos Aires province. Hospitals will have to hire performers for their 
paediatric wards. An initiative scrutinised by French associations 
specialising in the subject.
http://rfi.nlfrancemm.com/HP?b=szjsw-72qcHa-BTf5mwS2LHdvUG9dOtoYU9WwcuAQ8YETXBte-MX_Zl4trDbWyLP&c=y-AFctV1-XF90L5A-OzthQ


The Guaimaro, a tree to save the climate?
A tree that would save the climate? Scientists are indeed taking an 
interest in the Guaimaro, a tree that sequesters CO2 in the soil. The 
Guaimaro grows in dry tropical ecosystems, for example in the Sierra 
Nevada de Santa Marta in Colombia, a region of exceptional biodiversity. 
But marijuana and then coca cultivation destroyed a large part of the 
virgin forest. The Guaimaro too fell by the wayside; very few specimens 
remain. But for some years this tree, with its nutrient-rich fruit, has 
enjoyed real enthusiasm. To replant it, alliances are forming. Thus a 
scientist who came to conserve biodiversity had to acknowledge that 
science alone is not enough and that one must draw on the ancestral 
knowledge of the region's indigenous people, the Kogi and Arhuaco 
Indians. So it is with them that he sows the prodigious tree.  
http://rfi.nlfrancemm.com/HP?b=ABgq7Hz_NquZcUoHaycb4ixT3bLVvJ0TuxWB3QaYGfF6kPNFiJcqfLZr6feJaD0w&c=vLvhTKf6SBLS3I0p_OE4HA
Hungary: anti-migrant barbed wire on the Serbian border
It was due to be finished on 31 August: two days ahead of schedule, 
Hungary has completed the barbed-wire fence intended to stop the 
thousands of migrants crowding its border with Serbia, the Hungarian 
defence ministry announced on Saturday. Despite this, between 2,000 and 
3,000 refugees continue to pour into Hungary every day. They manage to 
get around the fence.
http://rfi.nlfrancemm.com/HP?b=Wnuj1sHsQ5mEUy7vktEO_dRv6cNjgqAtGuCm-sNG_AwTLVpYhRV5vJ8uSncWS5N5&c=BPSk2IJq3wCTMV0iUZPkww
China: 70 years since Japan's surrender
Drapeaux, banderoles commémoratives et dé

Re: Lua outbound Sockets in 1.6-dev4

2015-09-04 Thread Thierry FOURNIER
Hi, now I can reproduce the bug, and I fixed it :)
Can you test the attached patch ?

Thank you,
Thierry


On Thu, 3 Sep 2015 11:55:05 +0200
Thierry FOURNIER  wrote:

> On Wed, 2 Sep 2015 10:55:21 -0400
> Michael Ezzell  wrote:
> 
> > You are NOT able to reproduce?  I misunderstood your previous comment.
> 
> 
> Yes, I could not reproduce it.
> 
> 
> > Further testing suggests (to me) that this is a timing issue, where HAProxy
> > does not discover that the connection is established, if connection
> > establishment doesn't happen within a very, very short window after the
> > connection is attempted.
> > 
> > Previously, I only tested "client talks first" (http) using a different
> > machine as the server.
> > 
> > Consider the following new results:
> > 
> > server talks first (ssh) - connection to local machine - *works*
> > server talks first (ssh) - connection to a different machine on same LAN -
> > *works*
> > server talks first (ssh) - connection to a different machine across
> > Internet - *works*
> > client talks first (http) - connection to local machine - *works*
> > client talks first (http) - connection to a different machine on same
> > LAN - *does
> > not work*
> > client talks first (http) - connection to a different machine across
> > Internet - *does not work*
> > 
> > The difference here seems to be the timing of the connection establishment,
> > and the presence or absence of additional events.  (Note that when I say
> > "local machine" I do not mean 127.0.0.1; I am still using the local
> > machine's Ethernet IP when talking to services on the local machine.)
> > 
> > When you are testing, are you using a remote machine, so that there is a
> > brief delay in connection establishment?  If not, this may explain why you
> > do not see the same behavior, since local connections do not appear to have
> > the same problem.
> 
> 
> Thank you for your investigation. It makes sense. I always use my own
> dev computer for the functional tests. I will try to add some latency
> in the network, and I hope to reproduce your problem.
> 
>  
> > Most interesting, based on my "timing" theory, I found a workaround, which
> > seems very wrong in principle; so wrong, in fact, that I can't believe I
> > tried it; however, using the following tactic, I am able to make an
> > outgoing socket connection to a different machine, when client talks first.
> > 
> > local sock = core.tcp();
> > sock:settimeout(3);
> > local written = sock:send("GET /latest/meta-data/placement/availability-zone HTTP/1.0\r\nHost: 169.254.169.254\r\n\r\n");
> > local connected, con_err = sock:connect("169.254.169.254",80);
> > ...
> > 
> > This strange code works.  I hope you will agree that writing to the socket
> > before connecting seems very wrong, and I was surprised to find that this
> > code works successfully when connecting to a different machine --
> >  presumably because I'm pre-loading the outbound buffer, so the server's
> > response to my request actually triggers an event that does not occur in a
> > condition where the client talks first and when there is a delay in
> > connection establishment, even a very brief delay.
> 
> 
> I agree, it's ugly :) but I understand why it works. When the
> connection is established, the send buffer is filled, so HAProxy
> automatically sends its data. In this case it is useless to wake up the
> Lua process when the connection is established. When the response data
> are received, the process runs perfectly.
> 
> The patch that you talked about (BUG/MEDIUM: lua: outgoing
> connection was broken since 1.6-dev2) doesn't fix the bug correctly :)
> 
> I'm looking into this.
> 
> Thierry
> 
>From d649453ddef55c2f36e72b76f95d46cacea39d9d Mon Sep 17 00:00:00 2001
From: Thierry FOURNIER 
Date: Fri, 4 Sep 2015 18:25:53 +0200
Subject: [PATCH] BUG/MEDIUM: lua: outgoing connection was broken since
 1.6-dev2 (bis)

See commit id bdc97a8795c52af94683db25a4984578e26f4857

Michael Ezzell reported that the following Lua code fails in
dev4 when the TCP is not established immediately (due to a little
bit of latency):

   function tricky_socket()
local sock = core.tcp();
sock:settimeout(3);
core.log(core.alert,"calling connect()\n");
local connected, con_err = sock:connect("x.x.x.x",80);
core.log(core.alert,"returned from connect()\n");
if con_err ~= nil then
  core.log(core.alert,"connect() failed with error: '" .. con_err .. "'\n");
end

The problem is that the flags that ask for the applet to be woken up are
reset before each applet call, so the applet must set the flags again if
the connection is not established.
---
 src/hlua.c | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/hlua.c b/src/hlua.c
index 61e28d0..1e4d47c 100644
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -1461,8 +1461,14 @@ static void hlua_socket_handler(struct appctx *appctx)
 		return;
 	}
 
-	if (!(c->flags & CO_FL_CONNECTED)
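Review bot: the hunk is cut off after its first removed line (`-	if (!(c->flags & CO_FL_CONNECTED)`), so the replacement logic cannot be reviewed from this message; the diffstat says 7 insertions and 1 deletion, and the commit message says the applet must re-arm its wake-up flags on every call while the connection is not yet established, so the re-sent patch should include the `+` lines that do that together with the remaining context of `hlua_socket_handler`.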

Question about the status of the connection pool

2015-09-04 Thread Aleksandar Lazic

Dear Developers ;-).

Please can you tell me/us what's the status of the backend connection 
pooling?


Are the specs defined?
will the connection pooling be ready for 1.6?
Is it planned or thought to build it in lua?

I'm just a little bit curious about this feature due to the fact that I 
will need such a feature in an OpenShift Enterprise 3 environment to 
proxy some external connections like jdbc/odbc/... connections and other 
TCP-based protocols.


This is the official document for their router, in case it is not known 
here.


https://docs.openshift.com/enterprise/3.0/architecture/core_concepts/routes.html

There is an official docker repository for haproxy

https://hub.docker.com/_/haproxy/

Is anyone from the haproxy community involved in this repo?

Best Regards
Aleks



certificate generation

2015-09-04 Thread Michael Rennecke

Hallo,

is it possible with HAProxy to generate a certificate for each
incoming hostname on the fly? I will use a sub-CA for HAProxy. I think
generating the certificates on the fly is cooler than a certificate for
each hostname.

I found possibilities to generate the certificate, but this doesn't
work :-(

bind unix@/var/run/haproxy_ssl_ecc.sock accept-proxy ssl crt
/etc/haproxy/ecc_star.rennecke.dyndns.dk.pem ca-sign-file
/etc/haproxy/ecc_subca.pem ecdhe secp521r1 user nobody
generate-certificates

ecc_subca.pem includes the sub-CA and the key. The key has no pass
phrase. I will balance some other (fun) TLDs with haproxy - my small
home automation project.

Cheers,
Michael


- -- 
Mein aktuelles Projekt:
https://0rph3us.github.io/



Re: Migration from nginx

2015-09-04 Thread thierry . fournier
On Wed, 2 Sep 2015 09:26:25 +0300
Vladimir Mihailenco  wrote:

> Hi,
> 
> I am trying to migrate existing app written in Go from nginx to HA-Proxy
> version 1.5.14 2015/07/02 on Ubuntu 12.04. nginx/haproxy runs behind F5
> load balancer. My config:
> https://gist.github.com/vmihailenco/9b41016b05cdea821687 . App mainly
> serves POST requests with body size 10-64kb.
> 
> First thing that I noticed after stopping nginx and starting haproxy is
> that app spends more time processing requests (same server, same amount of
> requests). E.g. with nginx Go responds within 1-2ms, but with haproxy
> response time is in range of 100-400ms. I guess the reason is that nginx
> buffers incoming request until it is fully read, but haproxy does not. What
> can I do to enable request buffering in haproxy?
> 
> From the logs I also see that sometimes Go does not send response headers,
> e.g.
> 
> haproxy[6607]: 149.210.205.54:54598 [01/Sep/2015:17:15:01.931] http-in goab/s1 0/0/0/-1/1 -1 381 - - SD-- 128/128/6/6/0 0/0 {myhost} "POST /url HTTP/1.1"
> haproxy[6607]: 192.243.237.46:34628 [01/Sep/2015:17:15:12.851] http-in~ goab/s1 224/0/0/1/674 413 381 - - SD-- 128/128/15/15/0 0/0 {myhost} "POST /url HTTP/1.1"

Hi,

You can look at the documentation about logs here: 

   https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#8.2.3

The termination flags are SD--, so the documentation says:

   S : the TCP session was unexpectedly aborted by the server, or
   the server explicitly refused it.

   D : the session was in the DATA phase.

I suppose that you have some keepalive errors. Try to activate
keepalive between the browser and haproxy, and deactivate it between
haproxy and your Go server.

Look for the directive "option httpclose".


> So these are 2 identical requests with same response body, but 2nd request
> has status code = -1. I don't understand how that is possible, because if
> app does not set status code Go uses 200 OK status code. And app does not
> crash.
> 
> Thanks in advance for any help/advices.



Re: Question about the status of the connection pool

2015-09-04 Thread thierry . fournier
On Fri, 04 Sep 2015 22:30:08 +0200
Aleksandar Lazic  wrote:

> Dear Developers ;-).
> 
> Please can you tell me/us what's the status of the backend connection 
> pooling?
> 
> Are the specs defined?
> will the connection pooling be ready for 1.6?


Hi,

In the current 1.6dev version, HAProxy can reuse an open keepalive
connection between HAProxy and the server for requests from many
clients. Look at the documentation about the option "http-reuse".

   
https://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#http-reuse

The option http-reuse with a server maxconn has the behaviour of a
pool.


> Is it planned or thought to build it in lua?


Lua is not really used for establishing connections from HAProxy to the
server. So, there are two cases:

You want to use the Socket class for establishing the TCP connection. In
this case, you must write the pool management system yourself (and
implement the HTTP protocol). 

You use the HAProxy proxy functionalities for forwarding requests to
the server. In this case, Lua benefits from all the HAProxy features. It
automatically uses the connection pool.


> I'm just a little bit curious about this feature due to the fact that I 
> will need such a feature in an OpenShift Enterprise 3 environment to 
> proxy some external connections like jdbc/odbc/... connections and other 
> TCP-based protocols.
> 
> This is the official document for their router, in case it is not known 
> here.
> 
> https://docs.openshift.com/enterprise/3.0/architecture/core_concepts/routes.html
> 
> There is an official docker repository for haproxy
> 
> https://hub.docker.com/_/haproxy/
> 
> Is anyone from the haproxy community involved in this repo?


I worked a little bit on Docker in order to create an HAProxy
Dockerfile, and my biggest problem was to provide an HAProxy package
built with some specific compilation options, but without installing the
compiler in the image/container, for obvious security reasons. 

I didn't find a solution :) The only way that I found is to provide
packages in an independent repo.

Thierry



Re: certificate generation

2015-09-04 Thread Jeff Palmer
Can you explain what the overall goal is?  I suspect that even if you could
dynamically generate new certificates on the fly, the overhead to do so
would be prohibitively expensive.

If you are attempting to do this for security, it's probably worth pointing
out that it is insanely easy to configure HAProxy to use only strong
ciphers that support perfect forward secrecy. Put simply, it negotiates a
new and unique 'session key' (called an ephemeral key) between the client
and server on each new session.

If you are attempting to do this for another reason, maybe you could
describe the end goal. Almost certainly there is a more scalable option
than dynamically generating new certificates as described.
On Sep 4, 2015 5:34 PM, "Michael Rennecke" 
wrote:

>
> Hallo,
>
> is it possible with HAProxy to generate a certificate for each
> incoming hostname on the fly? I will use a sub-CA for HAProxy. I think
> generating the certificates on the fly is cooler than a certificate for
> each hostname.
>
> I found possibilities to generate the certificate, but this doesn't
> work :-(
>
> bind unix@/var/run/haproxy_ssl_ecc.sock accept-proxy ssl crt
> /etc/haproxy/ecc_star.rennecke.dyndns.dk.pem ca-sign-file
> /etc/haproxy/ecc_subca.pem ecdhe secp521r1 user nobody
> generate-certificates
>
> ecc_subca.pem includes the sub-CA and the key. The key has no pass
> phrase. I will balance some other (fun) TLDs with haproxy - my small
> home automation project.
>
> Cheers,
> Michael
>
>
> - --
> Mein aktuelles Projekt:
> https://0rph3us.github.io/
>
>