[PATCH] MEDIUM: init: allow directory as argument of -f

2016-05-12 Thread Maxime de Roucy
If -f argument is a directory add all the files (and only files) it
contains to the config files list.
These files are added in lexical order (man alphasort).
Only files with ".cfg" extension are added.
Only non hidden files (not prefixed with ".") are added.
Symlinks are followed.
The -f order is still respected:

$ tree -a rootdir
rootdir
├── dir1
│   ├── 1.cfg
│   ├── 2
│   ├── 3.cfg
│   ├── 4.cfg -> 1.cfg
│   ├── 5 -> 1.cfg
│   ├── .6.cfg
│   ├── 7.cfg -> .
│   └── dir4
│       └── 8.cfg
├── dir2
│   ├── 10.cfg
│   └── 9.cfg
├── dir3
│   └── 11.cfg
├── link -> dir3/
├── root1
├── root2
└── root3

$ ./haproxy -C rootdir -f root2 -f dir2 -f root3 -f dir1 \
   -f link -f root1
root2
dir2/10.cfg
dir2/9.cfg
root3
dir1/1.cfg
dir1/3.cfg
dir1/4.cfg
link/11.cfg
root1

This can be useful on systemd where you can't change the haproxy
command line options on service reload.
---
 doc/haproxy.1 |   8 +--
 doc/management.txt|  44 
 include/common/standard.h |   8 +++
 src/haproxy.c | 128 +-
 src/standard.c|  32 
 5 files changed, 183 insertions(+), 37 deletions(-)

diff --git a/doc/haproxy.1 b/doc/haproxy.1
index a836d5d..08ea9df 100644
--- a/doc/haproxy.1
+++ b/doc/haproxy.1
@@ -6,7 +6,7 @@ HAProxy \- fast and reliable http reverse proxy and load 
balancer
 
 .SH SYNOPSIS
 
-haproxy \-f  [\-L\ ] [\-n\ maxconn] [\-N\ maxconn] 
[\-C\ ] [\-v|\-vv] [\-d] [\-D] [\-q] [\-V] [\-c] [\-p\ ] [\-dk] 
[\-ds] [\-de] [\-dp] [\-db] [\-dM[]] [\-m\ ] [{\-sf|\-st}\ 
pidlist...]
+haproxy \-f  [\-L\ ] [\-n\ maxconn] [\-N\ 
maxconn] [\-C\ ] [\-v|\-vv] [\-d] [\-D] [\-q] [\-V] [\-c] [\-p\ ] 
[\-dk] [\-ds] [\-de] [\-dp] [\-db] [\-dM[]] [\-m\ ] [{\-sf|\-st}\ 
pidlist...]
 
 .SH DESCRIPTION
 
@@ -33,8 +33,10 @@ instances without risking the system's stability.
 .SH OPTIONS
 
 .TP
-\fB\-f \fP
-Specify configuration file path.
+\fB\-f \fP
+Specify configuration file or directory path. If the argument is a directory
+the files (and only files) it containes are added in lexical order (man
+alphasort) ; only non hidden files with ".cfg" extension are added.
 
 .TP
 \fB\-L \fP
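Review bot: In the new \-f description, "containes" should be "contains" and the space before the semicolon in "alphasort) ; only" should go. The text also leaves out two behaviours the commit message states, that symlinks are followed and that subdirectories are not descended into; both belong here, since they decide which files an administrator has to control in that directory.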
diff --git a/doc/management.txt b/doc/management.txt
index e0469aa..69b3c18 100644
--- a/doc/management.txt
+++ b/doc/management.txt
@@ -124,26 +124,30 @@ enforce some settings without touching the configuration 
files. The current
 list of options is :
 
   -- * : all the arguments following "--" are paths to configuration
-file to be loaded and processed in the declaration order. It is mostly
-useful when relying on the shell to load many files that are numerically
-ordered. See also "-f". The difference between "--" and "-f" is that one
-"-f" must be placed before each file name, while a single "--" is needed
-before all file names. Both options can be used together, the command line
-ordering still applies. When more than one file is specified, each file
-must start on a section boundary, so the first keyword of each file must be
-one of "global", "defaults", "peers", "listen", "frontend", "backend", and
-so on. A file cannot contain just a server list for example.
-
-  -f  : adds  to the list of configuration files to be
-loaded. Configuration files are loaded and processed in their declaration
-order. This option may be specified multiple times to load multiple files.
-See also "--". The difference between "--" and "-f" is that one "-f" must
-be placed before each file name, while a single "--" is needed before all
-file names. Both options can be used together, the command line ordering
-still applies. When more than one file is specified, each file must start
-on a section boundary, so the first keyword of each file must be one of
-"global", "defaults", "peers", "listen", "frontend", "backend", and so
-on. A file cannot contain just a server list for example.
+file/directory to be loaded and processed in the declaration order. It is
+mostly useful when relying on the shell to load many files that are
+numerically ordered. See also "-f". The difference between "--" and "-f" is
+that one "-f" must be placed before each file name, while a single "--" is
+needed before all file names. Both options can be used together, the
+command line ordering still applies. When more than one file is specified,
+each file must start on a section boundary, so the first keyword of each
+file must be one of "global", "defaults", "peers", "listen", "frontend",
+"backend", and so on. A file cannot contain just a server list for example.
+
+  -f 
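Review bot: The "--" entry now reads "paths to configuration file/directory", which is singular after "paths" and is the only place the paragraph mentions directories; the sentences after it still speak of "each file name" and "more than one file". Suggest "paths to configuration files or directories", plus one sentence saying that the section-boundary rule applies to every ".cfg" file loaded from a directory as well.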

Re: Regarding http basic authentication in haproxy

2016-05-12 Thread Igor Cicimov
On 13 May 2016 4:19 am, "bln prasad" wrote:
>
> Hi,
>   I've setup basic http authentication in the frontend. I'm finding that
> it's asking for authentication for first time only when I access from the
> browser. Once it succeeds it always bypasses authentication even if I
> access it from other tabs or re-access from the same tab.
>
> Is it expected?

Yes it is expected

> If yes then can you please let me know how do I force authentication on
> every new tab or from same tab.
>

Only way is to close the browser. Nothing specific to haproxy, that's how the
basic auth works.

> Thanks,
> BLN



Re: Adding backend server name as request header

2016-05-12 Thread Dennis Jacobfeuerborn
Hi,
remember that this directive adds a request header and not a response
header i.e. you will not see this header in the response in the browser
but only in the request on the backend server that will serve the
request. There you can copy that information into a response header if
you want.

Regards,
  Dennis

On 12.05.2016 21:15, Guillaume Bourque wrote:
> Hello 
> 
> I looked into the doc and saw that we can put the directive in the backend 
> this is what I added to my config
> 
> http-send-name-header   X-CustomHeader
> 
> But from my user browser I never get this header is there something that I 
> need to enable on the global section in order for this to be working ?
> 
> HA-Proxy version 1.5.4 2014/09/02
> Copyright 2000-2014 Willy Tarreau 
> 
> Build options :
>   TARGET  = linux2628
>   CPU = generic
>   CC  = gcc
>   CFLAGS  = -O2 -g -fno-strict-aliasing
>   OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 
> USE_PCRE=1
> 
> TIA
> 
> Guillaume
> 
> ---
> On 2016-05-12 at 14:29, Dennis Jacobfeuerborn wrote:
> 
>> This is exactly what I'm looking for, thanks!
>> I was looking at the variables in Section 7.3 as I didn't think there
>> would be a dedicated directive for this. Apparently I was wrong :)
>>
>> Regards,
>>  Dennis
>>
>> On 12.05.2016 18:48, Mehdi Ahmadi wrote:
>>> It may be that you're after:
>>> ```
>>> http-send-name-header X-CustomHeader
>>> ```
>>> Which would set the ID of the selected server into the header
>>> `X-CustomHeader`.
>>> See the documentation for further details.
>>> http://cbonte.github.io/haproxy-dconv/configuration-1.5.html
>>>
>>>
>>>
>>> On Thu, May 12, 2016 at 6:29 PM, Dennis Jacobfeuerborn <
>>> denni...@conversis.de> wrote:
>>>
>>>> Hi,
>>>> I'm wondering if there is a way to add the name of the server chosen for
>>>> the request as a request header i.e. if the following server is chosen
>>>> for the request:
>>>>
>>>> server back1 10.1.0.10:8080 check inter 2
>>>>
>>>> then I'd like to receive this header on the 10.1.0.10 system:
>>>>
>>>> X-CustomHeader: back1
>>>>
>>>> Is this possible?
>>>>
>>>> Regards,
>>>>  Dennis
>>>>
>>>>
>>>
>>
>>
> 
> 




Re: dynamically choosing back-end port

2016-05-12 Thread Derek Brown
Hi-

I'm wondering if you need any additional information, or if I can provide
any clarification, to get a response to my query.

Thanks, in advance
Derek

On Tue, May 10, 2016 at 3:08 PM, Derek Brown  wrote:

> Sure.
>
> I have a setup where we're using HAProxy to front hundreds of different
> services, each service running on a different port.
>
> I can figure out from the request (for example, the SNI information), which
> service we want to use.  However, for maintenance of the haproxy config
> file,
> it's very desirable to not have several hundred back-ends.
>
> A frontend, with a server configuration with a dynamically chosen port
> seems
> ideal.  It would be the logical equivalent of
>
> server svc1 host:1001 if svc_1
> server svc2 host:1002 if svc_2
>
> etc.
>
> Thanks,
>
> On Tue, May 10, 2016 at 2:53 PM, Baptiste  wrote:
>
>> On Tue, May 10, 2016 at 8:13 PM, Derek Brown 
>> wrote:
>> > Hello-
>> >
>> > I am trying to write a configuration which will allow me to choose the
>> > back-end port dynamically.
>> >
>> > Specifically, I'd like to listen on port 443, and then choose the
>> backend
>> > port based on an http header
>> > in the request.  Something like
>> >
>> > frontend myserver
>> > bind 443
>> > mode http
>> >
>> > server real-server 192.168.1.1:req.hdr(X-My-Header)
>> >
>> > --OR--
>> >server realserver 192.168.1.1:%[req.ssl_sni,lower,map(mapfile)]
>> >
>> >
>> > where mapfile contains
>> > hosta.domain.com 1001
>> > hostb.domain.com 1002
>> >
>> > or similar.
>> >
>> > Is there any facility which would allow this, including the new(er) Lua
>> > capabilities?
>> >
>> > Thanks, in advance
>>
>>
>> Hi Derek,
>>
>> Could you please explain us your use case?
>>
>> Baptiste
>>
>
>


Re: Adding backend server name as request header

2016-05-12 Thread Guillaume Bourque
Hello 

I looked into the doc and saw that we can put the directive in the backend this 
is what I added to my config

http-send-name-header   X-CustomHeader

But from my user browser I never get this header is there something that I need 
to enable on the global section in order for this to be working ?

HA-Proxy version 1.5.4 2014/09/02
Copyright 2000-2014 Willy Tarreau 

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

TIA

Guillaume

---
On 2016-05-12 at 14:29, Dennis Jacobfeuerborn wrote:

> This is exactly what I'm looking for, thanks!
> I was looking at the variables in Section 7.3 as I didn't think there
> would be a dedicated directive for this. Apparently I was wrong :)
> 
> Regards,
>  Dennis
> 
> On 12.05.2016 18:48, Mehdi Ahmadi wrote:
>> It may be that you're after:
>> ```
>> http-send-name-header X-CustomHeader
>> ```
>> Which would set the ID of the selected server into the header
>> `X-CustomHeader`.
>> See the documentation for further details.
>> http://cbonte.github.io/haproxy-dconv/configuration-1.5.html
>> 
>> 
>> 
>> On Thu, May 12, 2016 at 6:29 PM, Dennis Jacobfeuerborn <
>> denni...@conversis.de> wrote:
>> 
>>> Hi,
>>> I'm wondering if there is a way to add the name of the server chosen for
>>> the request as a request header i.e. if the following server is chosen
>>> for the request:
>>> 
>>> server back1 10.1.0.10:8080 check inter 2
>>> 
>>> then I'd like to receive this header on the 10.1.0.10 system:
>>> 
>>> X-CustomHeader: back1
>>> 
>>> Is this possible?
>>> 
>>> Regards,
>>>  Dennis
>>> 
>>> 
>> 
> 
> 



Empty DNS does not mark server as down

2016-05-12 Thread James Stroehmann
I am using haproxy version 1.6.3 and my server is defined using dns.
It is an ELB in amazon web services so it changes IP addresses frequently and 
that functionality seems to work fine. 

However, if I delete the DNS entry, the server is not marked down. It then 
keeps sending traffic to the IP address that existed before the DNS entry was 
deleted.

resolvers dns
nameserver AmazonDNS 169.254.169.253:53
hold valid 1s

frontend search
bind :80
default_backend blue

backend blue
server blue elbname.amazon.net:80 resolvers dns check inter 1000





Re: Adding backend server name as request header

2016-05-12 Thread Dennis Jacobfeuerborn
This is exactly what I'm looking for, thanks!
I was looking at the variables in Section 7.3 as I didn't think there
would be a dedicated directive for this. Apparently I was wrong :)

Regards,
  Dennis

On 12.05.2016 18:48, Mehdi Ahmadi wrote:
> It may be that you're after:
> ```
> http-send-name-header X-CustomHeader
> ```
> Which would set the ID of the selected server into the header
> `X-CustomHeader`.
> See the documentation for further details.
> http://cbonte.github.io/haproxy-dconv/configuration-1.5.html
> 
> 
> 
> On Thu, May 12, 2016 at 6:29 PM, Dennis Jacobfeuerborn <
> denni...@conversis.de> wrote:
> 
>> Hi,
>> I'm wondering if there is a way to add the name of the server chosen for
>> the request as a request header i.e. if the following server is chosen
>> for the request:
>>
>> server back1 10.1.0.10:8080 check inter 2
>>
>> then I'd like to receive this header on the 10.1.0.10 system:
>>
>> X-CustomHeader: back1
>>
>> Is this possible?
>>
>> Regards,
>>   Dennis
>>
>>
> 




Regarding http basic authentication in haproxy

2016-05-12 Thread bln prasad
Hi,
  I've setup basic http authentication in the frontend. I'm finding that
it's asking for authentication for first time only when I access from the
browser. Once it succeeds it always bypasses authentication even if I
access it from other tabs or re-access from the same tab.

Is it expected? If yes then can you please let me know how do I force
authentication on every new tab or from same tab.

Thanks,
BLN


Re: Adding backend server name as request header

2016-05-12 Thread Mehdi Ahmadi
It may be that you're after:
```
http-send-name-header X-CustomHeader
```
Which would set the ID of the selected server into the header
`X-CustomHeader`.
See the documentation for further details.
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html



On Thu, May 12, 2016 at 6:29 PM, Dennis Jacobfeuerborn <
denni...@conversis.de> wrote:

> Hi,
> I'm wondering if there is a way to add the name of the server chosen for
> the request as a request header i.e. if the following server is chosen
> for the request:
>
> server back1 10.1.0.10:8080 check inter 2
>
> then I'd like to receive this header on the 10.1.0.10 system:
>
> X-CustomHeader: back1
>
> Is this possible?
>
> Regards,
>   Dennis
>
>


Adding backend server name as request header

2016-05-12 Thread Dennis Jacobfeuerborn
Hi,
I'm wondering if there is a way to add the name of the server chosen for
the request as a request header i.e. if the following server is chosen
for the request:

server back1 10.1.0.10:8080 check inter 2

then I'd like to receive this header on the 10.1.0.10 system:

X-CustomHeader: back1

Is this possible?

Regards,
  Dennis



Re: Haproxy running on 100% CPU and slow downloads

2016-05-12 Thread Lukas Tribus

Hi,


On 12.05.2016 at 14:37, Sachin Shetty wrote:

> Hi Willy,
>
> We are seeing a strange problem  on the patched server. We have several
> haproxy servers running but only one with the latest patch, and this
> haproxy has frozen twice in last two days, basically it hits max open
> connections 2000 on frontend and then stalls. From the logs it has 1999
> connections on one of the backends which is nginx, but nginx_status shows
> me only a few active connections. It only happens on the patched haproxy
> server and does not happen anywhere else. Interesting thing is this
> haproxy is not the one doing SSL, we have two haproxies on the same box
> with the latest binary, the SSL one seems ok but the non SSL one keeps on
> accumulating connections.
>
> Right now, I see connections building on one backend hitting 150 in the
> last few hours, but the backend nginx only shows about 20 active
> connections.


Can you collect "show sess all" output from the admin socket?

Lukas




Re: Haproxy running on 100% CPU and slow downloads

2016-05-12 Thread Sachin Shetty
Hi Willy,

We are seeing a strange problem  on the patched server. We have several
haproxy servers running but only one with the latest patch, and this
haproxy has frozen twice in last two days, basically it hits max open
connections 2000 on frontend and then stalls. From the logs it has 1999
connections on one of the backends which is nginx, but nginx_status shows
me only a few active connections. It only happens on the patched haproxy
server and does not happen anywhere else. Interesting thing is this
haproxy is not the one doing SSL, we have two haproxies on the same box
with the latest binary, the SSL one seems ok but the non SSL one keeps on
accumulating connections.

Right now, I see connections building on one backend hitting 150 in the
last few hours, but the backend nginx only shows about 20 active
connections. 


On 5/10/16, 5:47 PM, "Willy Tarreau"  wrote:

>On Tue, May 10, 2016 at 11:10:14AM +0530, Sachin Shetty wrote:
>> We deployed the latest and we saw throughput still dropped around peak
>> hours a bit, then we switched to nbproc 4 which is holding up ok.
>
>So probably you were reaching the processing limits for a single process,
>that can easily happen with SSL if a lot of rekeying has to be done.
>
>> Note that
>> 4 Cpus was not sufficient earlier, so I believe the latest version is
>> scaling better. 
>
>Good, that confirms that you're not facing these bugs anymore. I'm
>currently
>starting a new release, that will make it easier for you to deploy.
>
>Thanks for the report,
>Willy
>





[PATCH] [RFC]/MINOR: connection: Add server name to proxy protocol v2 header.

2016-05-12 Thread Erik Seres
If the client provides the server name it intends to connect to, per RFC3546, 
Section 3.1. Server Name Indication, this patch will pass the server name onto 
the backend server as part of the proxy protocol v2 header.

The patch defines the new SSL subtype PP2_TYPE_SSL_SNI and the corresponding 
flag PP2_CLIENT_SNI to accomplish this in an additional TLV.

Please review.

Thank you,
Erik Seres



0001-RFC-MINOR-connection-Add-server-name-to-proxy-protoc.patch
Description: Binary data
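
How a backend could read such a TLV while bounds-checking every length and treating the client-supplied name as untrusted, as an added example that is not Erik's patch or HAProxy code. `pp2_get_sni`, `tlv_find` and the subtype value `0xE0` are assumptions (the page does not show the patch's value for PP2_TYPE_SSL_SNI) and the sample header is constructed; the header layout and `PP2_TYPE_SSL` follow the PROXY protocol v2 specification.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PP2_TYPE_SSL       0x20 /* SSL TLV type in the PROXY protocol v2 spec */
#define EX_SUBTYPE_SSL_SNI 0xE0 /* placeholder: the patch's real value is not on this page */
static const uint8_t sample[] = { /* constructed: TCP/IPv4, SSL TLV with an SNI sub-TLV */
    0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A, /* 12-byte signature */
    0x21, 0x11, 0x00, 0x22,       /* version 2 + PROXY, TCP/IPv4, 34 bytes follow */
    192,0,2,10, 198,51,100,5, 0xC3,0x50, 0x01,0xBB, /* 192.0.2.10:50000 -> 198.51.100.5:443 */
    0x20, 0x00, 0x13, 0x01, 0,0,0,0, /* PP2_TYPE_SSL, 19 bytes: client=0x01, verify=0 */
    0xE0, 0x00, 0x0B, 'e','x','a','m','p','l','e','.','c','o','m'
};

/* Find TLV `type` in p[0..len). Returns 0 if found, 1 if absent, -1 if malformed. */
static int tlv_find(const uint8_t *p, size_t len, uint8_t type,
                    const uint8_t **val, size_t *vlen)
{
    while (len > 0) {
        size_t l;
        if (len < 3 || (l = ((size_t)p[1] << 8 | p[2])) > len - 3)
            return -1; /* truncated header, or value overruns the enclosing block */
        if (p[0] == type) { *val = p + 3; *vlen = l; return 0; }
        p += 3 + l;
        len -= 3 + l;
    }
    return 1;
}

/* Copy the SNI into out as a C string. 0 = ok, 1 = none present, -1 = reject header. */
int pp2_get_sni(const uint8_t *buf, size_t n, char *out, size_t outsz)
{
    static const size_t addr_len[4] = { 0, 12, 36, 216 }; /* UNSPEC, INET, INET6, UNIX */
    const uint8_t *v;
    size_t len, fam, vl;
    int rc;
    if (n < 16 || memcmp(buf, sample, 12) != 0 ||  /* sample[0..11] is the signature */
        (buf[12] >> 4) != 2 || (buf[12] & 0x0F) > 1)
        return -1;
    len = (size_t)buf[14] << 8 | buf[15];
    fam = buf[13] >> 4;
    if (len > n - 16 || fam > 3 || addr_len[fam] > len)
        return -1;
    if ((buf[12] & 0x0F) == 0 || fam == 0)
        return 1; /* LOCAL command or AF_UNSPEC: no connection data to use */
    buf += 16 + addr_len[fam]; /* skip fixed header and address block */
    if ((rc = tlv_find(buf, len - addr_len[fam], PP2_TYPE_SSL, &v, &vl)) != 0)
        return rc;
    if (vl < 5)
        return -1; /* value starts with client (1 byte) + verify (4 bytes) */
    if ((rc = tlv_find(v + 5, vl - 5, EX_SUBTYPE_SSL_SNI, &v, &vl)) != 0)
        return rc;
    if (vl == 0 || vl >= outsz)
        return -1;
    for (size_t i = 0; i < vl; i++) /* client-controlled: hostname characters only */
        if (!isalnum(v[i]) && v[i] != '-' && v[i] != '.')
            return -1;
    memcpy(out, v, vl);
    out[vl] = '\0';
    return 0;
}

int main(void)
{
    char host[256];
    int rc = pp2_get_sni(sample, sizeof sample, host, sizeof host);
    return printf("rc=%d sni=%s\n", rc, rc ? "-" : host) < 0;
}
```

The name arrives from the TLS client unchanged, so a backend that logs it or routes on it should keep a character and length check like the one above.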




Server-sent event and Haproxy

2016-05-12 Thread Kevin Maziere
Hi

I'm trying to configure Haproxy to work with server_send events (
https://developer.mozilla.org/fr/docs/Server-sent_events/Using_server-sent_events
) and can't find any working configuration yet.


I've tried to set long timeout server and client, to 'option httpclose' on
backend, http tunnel-mode 

Can someone help me ?

Kévin



Re: 100% cpu , epoll_wait()

2016-05-12 Thread Sebastian Heid
Hi Lukas,

starting from around 200mbit/s in, haproxy processes (nbproc 6) are hitting 
100% cpu regularly (noticed up to 3 processes at the same time with 100%), but 
recover again on its own after some time. 

stracing such a process yesterday showed the following:
epoll_wait(0, {}, 200, 0)   = 0
epoll_wait(0, {}, 200, 0)   = 0
epoll_wait(0, {}, 200, 0)   = 0
epoll_wait(0, {}, 200, 0)   = 0
epoll_wait(0, {}, 200, 0)   = 0
 
Unfortunately I can't do any more debugging in this setup. HAproxy 1.5.14 is 
never near to 10% cpu usage with way higher bandwidth.

Bye,
Sebastian
 
-----Original Message-----
> From: Lukas Tribus
> Sent: Wed 11 May 2016 22:55
> To: Sebastian Heid; HAProxy
> Subject: Re: 100% cpu , epoll_wait()
> 
> Hi Sebastian,
> 
> 
> On 11.05.2016 at 16:07, Sebastian Heid wrote:
> > Hi,
> >
> > I updated from 1.5.17 to 1.5.18 today, but sadly this issue still exists in 
> > the latest version in our environment. However downgrading to 1.5.14 
> > "fixed" the issue for us.
> 
> Seems like a different issue then. Can you elaborate what you are 
> seeing? Sporadic 100% cpu load? Do you have to kill it or does it 
> recover on its own? Can you strace it?
> 
> 
> 
> Thanks,
> 
> Lukas
> 
> 
> 



'src_http_req_rate' is neither a number nor a supported operator

2016-05-12 Thread Madhav Khakhar
Hi,

I am using src_http_req_rate with a map in an ACL. The configuration is as
follows:

stick-table type ip size 1m expire 60s store http_req_rate(60s)
acl abuse src,map_ip_int(/etc/haproxy/ips.map) -m int lt src_http_req_rate
tcp-request connection reject if abuse !whitelist
tcp-request connection track-sc1 src

/etc/haproxy/ips.map

#ip count
172.17.0.1  5

I checked official documentation which states that the src_http_req_rate is
an integer indeed.

Also, if I replace src_http_req_rate with a static value (for eg:5), it
works.

What am I missing? Please help me out.

Thanks in advance.

- Madhav


Re: Crash with kernel error

2016-05-12 Thread Lukas Tribus

Hi,


ok, thanks.

This probably has to do with the changes regarding buffers.


If this is a lab setup, my suggestion would be you don't use the init 
scripts to start haproxy, but start it manually from the haproxy 
directory (ulimit -c unlimited; ./haproxy -f configfile), when haproxy 
crashes it should generate a file named "core" in the haproxy directory.


Just make sure you start haproxy as root, it doesn't matter if it 
downgrades privileges to "haproxy" after the start.




Thanks,

Lukas


On 12.05.2016 at 02:23, Sasha Litvak wrote:

> Lukas,
>
> 1.6.3 didn't have any crashes.  These crashes are sporadic and are not
> happening under the load, there is very little traffic as we are not
> running production yet.  The proxy starts fine and can run for hours
> with the crash.
> Where would the core be generated?  I set it up running as user
> haproxy would I have to adjust limits for that user?
>
>
> Thank you for all your help,
>
>
> On Wed, May 11, 2016 at 4:02 PM, Lukas Tribus wrote:
>
>> Hi Sasha,
>>
>>
>> so the crash happens sporadically after hours of production
>> traffic? Or does it crash right away after you start it?
>>
>>
>> You are saying this started with 1.6.4, what was the version you
>> used before and that worked fine? 1.6.3?
>>
>>
>> Before starting haproxy, enable core dumping like this:
>>
>> ulimit -c unlimited
>>
>>
>> Confirm it's unlimited (right before starting haproxy from this shell):
>>
>> ulimit -c
>>
>>
>> Disabling compiler optimizations will make sure the generated
>> coredump is as meaningful as possible, you can do it like this:
>>
>> make clean; make CFLAGS="-O0 -g -fno-strict-aliasing
>> -Wdeclaration-after-statement" TARGET=linux2628 USE_ZLIB=1
>> USE_OPENSSL=1 USE_PCRE=1
>>
>>
>> But be advised that there will be performance/cpu impact, so you
>> better monitor it.
>>
>>
>> When you have a coredump, you can provide a backtrace with gdb
>> like this:
>>
>> gdb
>>
>> and issuing a "bt full"
>>
>>
>> Regards,
>>
>> Lukas