Re: Use regex for backend selection

2016-06-22 Thread Igor Cicimov
use_backend %[req.hdr(host),lower]

On Thu, Jun 23, 2016 at 6:21 AM, Mildis  wrote:

> Hi,
>
> I’m in the process of setting HAProxy as an HTTPS frontend switch to
> different backends.
> As I have 10+ different backends, I’d like to replace
>
> acl to-server1 hdr_beg(host) -i server1.domain.tld
> acl to-server2 hdr_beg(host) -i server2.domain.tld
> …
> acl to-serverN hdr_beg(host) -i serverN.domain.tld
>
> use_backend bck-server1 if to-server1
> use_backend bck-server2 if to-server2
> …
> use_backend bck-serverN if to-serverN
>
>
> by something more generic like
>
> use_backend bck-\1 if hdr_reg(host) -i (.*).domain.tld
>
>
> but I can’t find a way to make it work.
>
> Am I on the right path ?
>
> Thanks,
> Mildis
>



-- 
Igor Cicimov | DevOps


p. +61 (0) 433 078 728
e. ig...@encompasscorporation.com 
w. www.encompasscorporation.com
a. Level 4, 65 York Street, Sydney 2000


Re: "errorfile 503" doesn't appear to be working

2016-06-22 Thread Michael Ezzell
My previous post included a couple of spurious spaces after a couple of the
header values.  Corrected here:

HTTP/1.0 503 Service Unavailable[0d][0a]Content-Type: text/html[0d][0a]Cache-Control: no-cache[0d][0a]Connection: close[0d][0a][0d][0a]...

Side note: be sure your body is at least 512 bytes, padding it with  or equivalent wording consistent with local policy :) to
disable the ridiculous friendly messages in at least some versions of IE:
http://stackoverflow.com/a/11544049/1695906


On Jun 22, 2016 9:41 PM, "Michael Ezzell"  wrote:
>
>
> On Jun 22, 2016 7:06 PM, "Shawn Heisey"  wrote:
> >
> > I have verified that there is nothing on the line after the headers.  On
> > the recommendation I saw elsewhere, the file is in DOS text format, so
> > each line ends in CRLF, not just LF.  Could the line endings be the
> > problem?
>
> Most definitely.
>
> Review the file's content with a hex editor or hexdump.
>
> Each line of headers *must* end with \r\n which is 0x0d 0x0a (CR, LF).
> This file is used as a raw HTTP response, and the Chrome error suggests
> strongly that this is your problem, or this:
>
> After the last header, you *must* have two sets of those, e.g.:
>
> HTTP/1.0 503 Service Unavailable [0d][0a]Content-Type: text/html[0d][0a]Cache-Control: no-cache [0d][0a]Connection: close[0d][0a][0d][0a]...
>
> After that point, you're in the body, so pretty much anything goes, just
> keep the whole thing under 16K.
>
> Definitely don't count on an indicator of "file format" to prove that
> this is correct.
>
> Copy one of the other files and edit with vim.  You'll see the ^M in the
> headers, which of course is the same as \r.  The \n doesn't show in vim
> since that's the normal newline.
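An added check for the format described above (example code, not from the thread): a small POSIX shell function that verifies an errorfile is a raw HTTP response with CRLF after every header line, an empty CRLF line closing the headers, a total size under 16K and a body of at least 512 bytes. The two sample files it writes are constructed here.

```shell
#!/bin/sh
# Added example, not from the thread. check_errorfile FILE returns 0 when the
# file is usable as a HAProxy errorfile, 1 otherwise (reason printed).
check_errorfile() {
    f="$1"
    cr=$(printf '\001'); lf=$(printf '\002')   # stand-ins for CR and LF
    # map CR->\001 and LF->\002 so plain string operations can see line endings
    flat=$(tr '\r\n' '\001\002' < "$f")
    size=$(( $(wc -c < "$f") ))
    [ "$size" -lt 16384 ] || { echo "$f: $size bytes, must stay under 16K"; return 1; }
    case "$flat" in
        *"$cr$lf$cr$lf"*) ;;
        *) echo "$f: no empty CRLF line ending the headers"; return 1 ;;
    esac
    headers=${flat%%"$cr$lf$cr$lf"*}
    body=${flat#*"$cr$lf$cr$lf"}
    case "$headers" in
        HTTP/1.[01]" "[1-5][0-9][0-9]" "*) ;;
        *) echo "$f: first line is not an HTTP/1.x status line"; return 1 ;;
    esac
    # after deleting every CRLF pair, any CR or LF left is a bare line ending
    stripped=$(printf '%s' "$headers" | sed "s/$cr$lf//g")
    case "$stripped" in
        *"$cr"*|*"$lf"*) echo "$f: bare CR or LF in the headers (need CRLF)"; return 1 ;;
    esac
    blen=$(( $(printf '%s' "$body" | wc -c) ))
    [ "$blen" -ge 512 ] || { echo "$f: body is $blen bytes, pad to >= 512 for IE"; return 1; }
    return 0
}

# Constructed samples: a correct file, and the same page saved with bare LF endings.
body=$(printf '<html><body><h1>Service unavailable</h1><!-- pad %0520d --></body></html>' 0)
printf 'HTTP/1.0 503 Service Unavailable\r\nContent-Type: text/html\r\nCache-Control: no-cache\r\nConnection: close\r\n\r\n%s' "$body" > 503.good.http
printf 'HTTP/1.0 503 Service Unavailable\nContent-Type: text/html\n\n%s' "$body" > 503.lf.http
check_errorfile 503.good.http && echo "503.good.http: OK"
check_errorfile 503.lf.http || echo "503.lf.http: rejected as expected"
```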


Re: "errorfile 503" doesn't appear to be working

2016-06-22 Thread Michael Ezzell
On Jun 22, 2016 7:06 PM, "Shawn Heisey"  wrote:
>
> I have verified that there is nothing on the line after the headers.  On
> the recommendation I saw elsewhere, the file is in DOS text format, so
> each line ends in CRLF, not just LF.  Could the line endings be the
> problem?

Most definitely.

Review the file's content with a hex editor or hexdump.

Each line of headers *must* end with \r\n which is 0x0d 0x0a (CR, LF).
This file is used as a raw HTTP response, and the Chrome error suggests
strongly that this is your problem, or this:

After the last header, you *must* have two sets of those, e.g.:

HTTP/1.0 503 Service Unavailable [0d][0a]Content-Type: text/html[0d][0a]Cache-Control: no-cache [0d][0a]Connection: close[0d][0a][0d][0a]...

After that point, you're in the body, so pretty much anything goes, just
keep the whole thing under 16K.

Definitely don't count on an indicator of "file format" to prove that this
is correct.

Copy one of the other files and edit with vim.  You'll see the ^M in the
headers, which of course is the same as \r.  The \n doesn't show in vim
since that's the normal newline.


Re: "errorfile 503" doesn't appear to be working

2016-06-22 Thread Shawn Heisey
On 6/22/2016 12:45 AM, Jarno Huuskonen wrote:
> On Tue, Jun 21, Shawn Heisey wrote:
>> When I take down the back end server and make a request, I get the
>> browser's standard unavailable page, I do not see the custom page I
>> defined.  Have I done something wrong?
> 
> With "browser's standard unavail. page" do you mean IE with its
> "helpful" error messages?

I used chrome.  Didn't try other browsers.

> Does your logs(w/out the "no log" option) show that "be-stg-spark-443"
> returns 503 (and I guess you can compare the custom page filesize with
> log entry) ?

The size of the response in the logs indicates that the file IS being sent.

I changed the first line of the file so it gave a 404 response instead
of 503.  This did NOT work in any browser I tried: Chrome, IE, and Firefox.

When I changed the response code to 200, it started working in IE, but
not Chrome or Firefox.  Because virtually all of the clients out there
are most likely using IE, this is probably good enough ... but I was
really hoping that I could retain a response code indicating an error
response.

Do I need to do something special so that a custom page shows up in all
browsers *without* returning a 200 code?

This is the result in IE with the code set to 200:

https://www.dropbox.com/s/qzvq1dveujtipp5/spark-unavailable-IE-200.png?dl=0

Chrome has always thought the headers were truncated and shows this:

https://www.dropbox.com/s/m02bthxtnk5oiba/spark-unavailable-chrome-200.png?dl=0

When I check firebug in firefox, it shows the 200 response, but no body.

Do I need additional headers in the errorfile?  This is the first part
of that file's contents:

=
HTTP/1.0 200 OK
Cache-Control: no-cache
Connection: close
Content-Type: text/html


=

I have verified that there is nothing on the line after the headers.  On
the recommendation I saw elsewhere, the file is in DOS text format, so
each line ends in CRLF, not just LF.  Could the line endings be the problem?

Thanks,
Shawn




Use regex for backend selection

2016-06-22 Thread Mildis
Hi,

I’m in the process of setting HAProxy as an HTTPS frontend switch to different 
backends.
As I have 10+ different backends, I’d like to replace

acl to-server1 hdr_beg(host) -i server1.domain.tld
acl to-server2 hdr_beg(host) -i server2.domain.tld
…
acl to-serverN hdr_beg(host) -i serverN.domain.tld

use_backend bck-server1 if to-server1
use_backend bck-server2 if to-server2
…
use_backend bck-serverN if to-serverN

by something more generic like

use_backend bck-\1 if hdr_reg(host) -i (.*).domain.tld

but I can’t find a way to make it work.

Am I on the right path ?

Thanks,
Mildis

MINOR: ssl: close ssl key file on error

2016-06-22 Thread Mildis
Hi,

Please find attached a patch which corrects ssl_sock.c.

It closes explicitly the FILE opened to read the ssl key file when parsing 
fails to find a valid key.
Previous behavior: returned from the function after having set the error flags
but not closed the file.

Regards,
Mildis


0001-MINOR-ssl-close-ssl-key-file-on-error.patch


Re: Refuse connection if no certificate match

2016-06-22 Thread Holger Just
Hi Olivier,

Olivier Doucet wrote:
> Is there a way to not present the first loaded certificate and refuse
> connection instead ?

You can use the strict-sni argument on the bind line to force the client
to speak SNI and refuse the TLS handshake otherwise.

See the documentation for details at

http://cbonte.github.io/haproxy-dconv/configuration-1.6.html#5.1-strict-sni

--Holger



Refuse connection if no certificate match

2016-06-22 Thread Olivier Doucet
Hello,

I'm actually using HTTPS/SNI on HAProxy 1.6

Documentation states the following:

"If no SNI is provided by the client or if the SSL library does not support
TLS extensions, or if the client provides an SNI hostname which does not
match any certificate, then the first loaded certificate will be presented."

Is there a way to not present the first loaded certificate and refuse
connection instead?
I understand that it will also block non-compatible SNI client, but this is
the behaviour one customer is asking ...

Olivier
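An added configuration covering both the "Use regex for backend selection" thread (the dynamic use_backend form Igor suggested, with a map instead of a regex) and the strict-sni answer above. This is example code, not from any poster: the map file, backend names, certificate path and addresses are constructed placeholders. The shell function lints the map, because haproxy -c does not check that map targets are real backends.

```shell
#!/bin/sh
# Added example, not from the thread. Route on the Host header with one
# use_backend line and an explicit map, so a client cannot steer a request to
# an arbitrary backend by inventing a Host value.

# Constructed map: "<host> <backend>" per line.
cat > hosts.map.example <<'EOF'
server1.domain.tld bck-server1
server2.domain.tld bck-server2
EOF

cat > haproxy.cfg.example <<'EOF'
frontend https-in
    mode http
    # strict-sni: refuse the handshake instead of serving the first certificate
    # when the client sends no SNI or an SNI that matches no loaded certificate
    bind :443 ssl crt /etc/haproxy/certs/ strict-sni
    # lower-case Host, drop any ":port", exact-match it in the map;
    # hosts missing from the map go to bck-default, never to a guessed name
    use_backend %[req.hdr(host),lower,field(1,:),map_str(/etc/haproxy/hosts.map,bck-default)]

backend bck-server1
    server s1 10.0.0.1:8080
backend bck-server2
    server s2 10.0.0.2:8080
backend bck-default
    http-request deny
EOF

# check_map_backends MAP CFG: print every map target that has no
# "backend <name>" section in CFG; returns 0 when all targets exist.
check_map_backends() {
    rc=0
    while read -r host be; do
        [ -n "$be" ] || continue                      # skip blank lines
        if ! grep -q "^backend[[:space:]][[:space:]]*${be}[[:space:]]*\$" "$2"; then
            echo "$host -> $be: backend not declared in $2"
            rc=1
        fi
    done < "$1"
    return "$rc"
}

check_map_backends hosts.map.example haproxy.cfg.example && echo "map targets OK"
```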


How to validate source trustworthiness

2016-06-22 Thread Danny Fullerton
Hello,

I'm trying to validate haproxy sources but the git tags don't seem to be
signed using PGP and the HTTPS certificate is self-signed.

Providing a signed commit/tags or, at the very least, using a valid TLS
certificate would do the job (it's now free with letsencrypt.org).

regards,

-- 
Danny Fullerton
Mantor Organization





Re: external-check stdout ends up in load-balanced traffic, destroying tcp sessions

2016-06-22 Thread Lukas Erlacher
Yes I noticed there were more issues with the FDs. Thanks for all of your
work, I will test 1.6.6 as soon as it hits vbernat's PPA.

Best,
Luke





RE: Why session rate is bigger than session current?

2016-06-22 Thread Stefan Johansson
1)  Yes, session rate is connections per second. Sessions are active (open) 
connections in the moment you display the stats page.

2)  My numbers are more or less equal usually, but it could perhaps be that 
you have a lot of HTTP requests that HAProxy rejects (e.g. empty or invalid) 
and hence does not forward to the backend. I would await another opinion on that 
one.

Regards

From: 12navi...@gmail.com [mailto:12navi...@gmail.com]
Sent: den 22 juni 2016 10:31
To: haproxy@formilux.org
Subject: Why session rate is bigger than session current?


Hi

I have two questions
1. Why is the session rate bigger than the session count?  Is this normal?

2. Why is the sum of the session rates in the backends bigger than the frontend's?  (1367 > 
157) It seems the frontend forwards all packets to all backends?  How can I correct 
this?

Best regards


Re: Saving server state in 1.6.5

2016-06-22 Thread Willy Tarreau
On Wed, Jun 22, 2016 at 11:00:48AM +0200, Eric Webster wrote:
> Willy,
> 
> I tested the patch on top of the 1.6.5 source as well as a fresh git
> pull for the 1.6 line. In both cases server state was not loaded on
> restart. Anything else I can do to help out or information I can give
> to assist?

Yes, you can save us some time by giving the exact config and commands
you use so that we can quickly reproduce.

Thanks!
Willy



Re: Saving server state in 1.6.5

2016-06-22 Thread Eric Webster
Willy,

I tested the patch on top of the 1.6.5 source as well as a fresh git
pull for the 1.6 line. In both cases server state was not loaded on
restart. Anything else I can do to help out or information I can give
to assist?

Best,
Eric

On Tue, Jun 21, 2016 at 6:57 PM, Willy Tarreau  wrote:
> On Tue, Jun 21, 2016 at 10:15:06AM +0200, Eric Webster wrote:
>> Since upgrading from 1.6.4 to 1.6.5, server state is not loaded on
>> start. I do not get any errors or warnings, it just doesn't seem to
>> fire. Is this a bug perhaps?
>>
>> What I'm talking about is this kind of setup:
>> http://fossies.org/linux/haproxy/examples/seamless_reload.txt
>>
>> Where I have in my config:
>>   server-state-base  /var/lib/haproxy
>>   load-server-state-from-file  local
>>
>> and the socat loop to dump the state in init. State is dumped, but on
>> reload it just doesn't load any of them.
>
> A fix introduced a regression on server state in 1.6.5 (wrong ID sometimes
> dumped), which could possibly be responsible for what you're observing.
> Since then the attached patch was merged. If you could check with latest
> snapshot or by applying the attached patch on top of 1.6.5 and confirm
> that the issue is gone, that would be great. I'd like to issue 1.6.6 this
> week with all pending fixes. Better ensure we don't leave such a pending
> bug open!
>
> Thanks,
> Willy
>



http-response capture without id

2016-06-22 Thread Kay Fuchs
Hi,

the following configuration leads to "...while parsing 'http-response
capture' rule : expects 'id', found 'len'":

listen www
    bind :8080
    mode http
    http-request capture req.hdr(X) len 1
    http-response capture res.hdr(Y) len 1
    server dummy 127.0.0.1:80

The function analogous to "http_action_req_capture" in "proto_http.c"
seems to be missing. If you omit the argument "len 1" the parser
displays "'http-response capture' rule : expects  [ 'len'
 | id  ]" and seems to be prepared for an implicit slot
creation. But maybe the error message is misleading. :-)

Kay Fuchs