Re: What can and cannot be done using Lua

2016-06-02 Thread Thierry FOURNIER
On Mon, 30 May 2016 16:35:20 -0400
Louis Munro  wrote:

> Hello,
> 
> I have been playing a little bit with Lua and HAProxy lately and I would like 
> to know what can be achieved, and what is never going to work before I go too 
> far down the rabbit hole.
> 
> Specifically, I am attempting to dynamically select a backend based on the 
> details of the connection and some configuration stored in Redis.
> E.g. I would like to be able to send clients to a different backend depending 
> on whether their IP is part of a set, or perhaps even tarpitting such a 
> connection.
> That’s only an example, as my plans are to add dynamicism to HAProxy so that 
> changing configuration can be done without restarting, as much as possible.
> Are these things possible?


Hi, you can do what you describe. First, you can read the general
introduction:

   http://www.arpalert.org/haproxy-lua.html

For using redis, you can deal with cosocket, the API documentation
provides an example with one redis library:

   http://www.arpalert.org/src/haproxy-lua-api/1.6/index.html#external-lua-libraries


> I have been able to do things like returning a different URL in a redirect 
> from a fetch (as explained in the documentation) or do more complex request 
> handling in an applet, but I am not sure the configuration syntax currently 
> allow what I want considering that fetches cannot yield, and applets are 
> probably not the way to go to achieve something like: 
> 
> use_backend dynamic if lua.is_dynamic
> 
> or 
> 
> use_backend lua.dispatcher
> 
> Any hints or pointer to the one true way from anyone? 


You can use an action (which can yield), store the result in a variable,
and use this variable for decisions.

   http://www.arpalert.org/src/haproxy-lua-api/1.6/index.html#TXN.set_var
   http://cbonte.github.io/haproxy-dconv/configuration-1.6.html#7.3.2-var
   
   core.register_action("select", { "http-req" }, function(txn)
      -- deal with redis
      -- ...
      -- store the result:
      txn:set_var("req.action", "backend1")
   end)

In the haproxy configuration:

   frontend name
      http-request lua.select
      use_backend backend1 if { var(req.action) -m str backend1 }

or:

   frontend name
      http-request lua.select
      use_backend %[var(req.action)]

Note that I wrote these examples from scratch and without tests, some
syntax errors can appear.

Don't hesitate to share your work (if it is possible). I try to list
articles about haproxy and lua.

   http://www.arpalert.org/haproxy-lua-articles.html

Thierry

> Regards,
> --
> Louis Munro
> lmu...@inverse.ca  ::  www.inverse.ca 
> +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
> (www.packetfence.org)
> 


-- 
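
Added example, not part of the original message and not code from the HAProxy project: one way to fill in the "deal with redis" step of the action above, using the cosocket approach from the linked API documentation. The redis-lua library, the Redis address, the hash name backend_by_ip and the backend names bk_default and bk_quarantine are assumptions made for illustration.

```lua
-- Added example, not code from the thread. Assumed names: redis-lua library,
-- Redis at 127.0.0.1:6379, hash "backend_by_ip" (client IP -> backend name),
-- backends "bk_default" and "bk_quarantine" defined in haproxy.cfg.
local redis = require("redis")

-- The variable ends up in "use_backend %[var(req.action)]", so only names
-- on this list are ever stored, whatever Redis returns.
local ALLOWED = { bk_default = true, bk_quarantine = true }
local FALLBACK = "bk_default"

-- Returns the backend name stored for ip, nil if none, or nil plus an error.
local function lookup_backend(ip)
    local tcp = core.tcp()      -- cosocket; may yield, so use it in an action
    tcp:settimeout(1)
    if not tcp:connect("127.0.0.1", 6379) then
        return nil, "redis connect failed"
    end
    -- redis-lua raises Lua errors on network or protocol failure
    local ok, res = pcall(function()
        local client = redis.connect({ socket = tcp })
        return client:hget("backend_by_ip", ip)
    end)
    tcp:close()
    if not ok then
        return nil, tostring(res)
    end
    return res
end

core.register_action("select", { "http-req" }, function(txn)
    local ip = txn.sf:src()     -- client source address
    local backend, err = lookup_backend(ip)
    if err then
        txn:Warning("lua.select: " .. err .. ", using " .. FALLBACK)
    end
    if not backend or not ALLOWED[backend] then
        backend = FALLBACK
    end
    txn:set_var("req.action", backend)
end)
```

The fallback here fails open to the default backend when Redis is unreachable; if the lookup enforces a security decision, point FALLBACK at the restrictive backend instead.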




Re: What can and cannot be done using Lua

2016-06-02 Thread Louis Munro
Hi Thierry,

> On Jun 2, 2016, at 7:17, Thierry FOURNIER wrote:
> 
> Hi, you can do what you describe. First, you can read the general
> introduction:
> 
>   http://www.arpalert.org/haproxy-lua.html
> 
> For using redis, you can deal with cosocket, the API documentation
> provides an example with one redis library:
> 
>   http://www.arpalert.org/src/haproxy-lua-api/1.6/index.html#external-lua-libraries
> 


I have actually already done that (although I may have missed some of the finer 
points of the documentation).

I’ve got HAProxy/ Lua / Redis working at the moment and returning a redirect 
based on a key in Redis.

> 
> You can use an action (which can yield), store the result in a variable,
> and use this variable for decisions.
> 
>   http://www.arpalert.org/src/haproxy-lua-api/1.6/index.html#TXN.set_var
>   http://cbonte.github.io/haproxy-dconv/configuration-1.6.html#7.3.2-var
> 
>   core.register_action("select", { "http-req" }, function(txn)
>      -- deal with redis
>      -- ...
>      -- store the result:
>      txn:set_var("req.action", "backend1")
>   end)
> 
> In the haproxy configuration:
> 
> 
> Don't hesitate to share your work (if it is possible). I try to list
> articles about haproxy and lua.


Thank you very much.
I will definitely write it up if I get it to do what I want.

The ultimate goal is to integrate this into PacketFence, an open source NAC 
solution to which I contribute (https://github.com/inverse-inc/packetfence).
So the code would end up on github for anyone to reuse.

I think you just gave me what I needed, which is the reassurance that I am not 
wasting my time trying to do the impossible.

Best regards,
--
Louis Munro
lmu...@inverse.ca  ::  www.inverse.ca 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



problem with current 1.7 build

2016-06-02 Thread Derek Brown
I've downloaded & compiled, and so far so good.  I'm having a bit of
trouble with the configuration, though it's surely my error.

My configuration is this

client  >  haproxy -->  http proxy P1 ---> server A
                   |--> http proxy P2 ---> server B

The client is attempting to create a connection to server A or B *via*
an http proxy running on port P1 or P2.

The client adds a header indicating which proxy it wants to use.

So, the client will send

CONNECT  serverA:port
X-my-header:  10001

I've tried a variety of configs, similar to:

listen test_dataplane
    bind :443
    mode http
    option httplog
    option tcplog
    log global
    server  squidserver 10.1.1.201:1



In each case, I get the same result (verified with TCPDUMP) which is
client connects to haproxy
haproxy (correctly) reads X-my-header
haproxy (correctly) establishes a TCP connection to the http proxy running
on (for example) port 10001
haproxy (correctly) replays the CONNECT request
proxy replies with 200 Established
haproxy sends 200 Established to client
client sends SSL client hello
-->error is here<--- haproxy never sends client hello on to the proxy
eventually, the connection times out.

I went back to 1.6.5, and it behaves as expected.


tcpdump and Haproxy SSL Offloading

2016-06-02 Thread mlist
Often I need to take tcpdump to analyze haproxy communication to clients and to 
backend servers.
As we use haproxy as SSL termination point (haproxy SSL offloading), at low 
levels (so tcpdump level) we see communication with client encrypted. Is there 
a simple solution so I can do a tcpdump having unencrypted communication? Does 
haproxy have some mechanism?

I have 3 haproxy LBs with 2 L4 LBs balancing on haproxy LBs so I want to avoid 
if possible to make more complex infrastructure introducing some other 
intermediate proxy to do that, so I make the communication path as simple and 
equal to normal request path as possible.

Roberto




Re: tcpdump and Haproxy SSL Offloading

2016-06-02 Thread Igor Cicimov
On Fri, Jun 3, 2016 at 3:14 AM, mlist  wrote:

> Often I need to take tcpdump to analyze haproxy communication to clients
> and to backend servers.
>
> As we use haproxy as SSL termination point (haproxy SSL offloading), at low
> levels (so tcpdump level) we see communication with client encrypted.
>

If you are not using DHE ciphers (but you should) then you can try ssldump.
In the case of Diffie-Hellman, though, a new encryption key is generated for
each SSL session, so you are out of luck here.


> Is there a simple solution so I can do a tcpdump having unencrypted
> communication? Does haproxy have some mechanism?
>

Not that I'm aware of, but you can try chaining a local proxy where you can
see the traffic in clear text before you send the traffic to the backend.


> I have 3 haproxy LBs with 2 L4 LBs balancing on haproxy LBs so I want to
> avoid if possible to make more complex infrastructure introducing some other
> intermediate proxy to do that, so I make the communication path as simple and
> equal to normal request path as possible.
>
> Roberto

