Re: undefined symbol: lua_getmetatable in using luasocket

2016-07-18 Thread Cyril Bonté

Hi Sachin,

On 18/07/2016 at 16:16, Sachin Shetty wrote:
> (...)
> However when starting haproxy, I get this error:
>
> [ALERT] 199/063903 (7106) : parsing
> [/home/egnyte/haproxy/conf/haproxy.conf:9] : lua runtime error: error
> loading module 'socket.core' from file
> '/usr/local/lib/lua/5.1/socket/core.so':
>
> /usr/local/lib/lua/5.1/socket/core.so: undefined symbol: lua_getmetatable

From this previous line, it's not a haproxy issue. It looks like you
are using a lua library for the wrong lua version.

Try to use the library for lua 5.3.

> Standalone lua scripts are fine with the require "socket" line and I do
> see the output, but it fails to load within haproxy.
>
> Thanks
>
> Sachin

--
Cyril Bonté



Re: Haproxy with SNI and http2 separation

2016-07-18 Thread Cyril Bonté

Hi Matthias,

On 18/07/2016 at 10:07, Matthias Fechner wrote:
> Dear all,
>
> I use haproxy 1.6.7 on a FreeBSD host.
>
> I just try to do the following:
> Check if hostname is domain1 or domain2 or bladomain3 or ... , mark it
> to send the request to nginx
> all other requests should go to apache backend.
>
> Check if client supports http2, if yes and nginx acl matches, send it to
> nginx with a special port.
>
> All the rest should go to apache backend.
>
> I tried to do this using two acls and 3 backends (apache, nginx,
> nginx-http2).
>
> But I could not get it working and I'm not sure what I'm doing wrong.
> Here is my frontend and backend definition:
>
> frontend www-https
>     mode tcp
>
>     bind 192.168.0.251:8443 ssl crt /usr/local/etc/haproxy/certs/ alpn h2,http/1.1
>     bind 192.168.200.6:8443 ssl crt /usr/local/etc/haproxy/certs/ alpn h2,http/1.1
>     bind localhost:443 ssl crt /usr/local/etc/haproxy/certs/ alpn h2,http/1.1
>     bind 127.0.0.1:443 ssl crt /usr/local/etc/haproxy/certs/ alpn h2,http/1.1
>
>     acl use_nginx hdr(host) -i domain1 domain2 bladomain3

You probably have an issue here: hdr(host) won't work with mode tcp.
If you want to check the domain provided by SNI, you should use
req.ssl_sni instead.

Have a look at the example provided in the documentation:
http://cbonte.github.io/haproxy-dconv/1.6/configuration.html#req.ssl_sni

>     acl http2 ssl_fc_alpn -i h2
>
>     use_backend nginx-http2-backend if use_nginx http2
>     use_backend nginx-http-backend if use_nginx
>
>     default_backend apache-backend
>
> backend apache-backend
>     server www-1 127.0.0.1:8081 check
>
> backend nginx-http-backend
>     server www-1 127.0.0.1:8082 check
>
> backend nginx-http2-backend
>     mode tcp
>     http-request add-header X-Forwarded-Proto https
>     server www-1 127.0.0.1:8083 check send-proxy
>
> Can someone please point me to the mistake I made?
> Thanks a lot!
>
> Regards
> Matthias

--
Cyril Bonté



Re: Max connections in HAProxy

2016-07-18 Thread Cyril Bonté

Hi Zhi Chang,

On 18/07/2016 at 13:30, zhi wrote:
> hi all.
>
> I have some questions about "max_conn" in HAProxy.
>
> First of all, a question about performance in HAProxy. How many
> connections can HAProxy take, in other words, what is the max
> connections in HAProxy?

It depends on so many variables: system tuning, available memory, what
you are doing with those connections (compression, ssl offloading,
regexes, ...).

> Second question, I have a haproxy configuration file like this:
> global
>    maxconn 2000
>
> listen  http_proxy  localhost:81
>    server  server1 myip:80 maxconn 3000 check inter 1
>    server  server2 myip:80 maxconn 4000 check inter 1
>
> Max connections (3000 + 4000) > 2000, what will happen? I think that
> the above connections (3000 + 4000 - 2000 = 5000) will be queued by the Linux
> kernel and wait for another connection to complete being accepted.

To be complete, there are more maxconn variables:

- a "global" maxconn: this is the max number of connections for all the
  proxies (listen and frontend sections).
  http://cbonte.github.io/haproxy-dconv/1.6/configuration.html#maxconn%20(Performance%20tuning)

- a "proxy" maxconn: the max number of connections for this specific
  listen/frontend section (can be inherited from a "defaults" section)
  http://cbonte.github.io/haproxy-dconv/1.6/configuration.html#maxconn%20(Alphabetically%20sorted%20keywords%20reference)

- a "bind" maxconn: in case you provide several bind keywords for a
  proxy but you want to limit them.
  http://cbonte.github.io/haproxy-dconv/1.6/configuration.html#maxconn%20(Bind%20options)

- a "server" maxconn: which effectively limits the number of concurrent
  connections to the specified server.
  http://cbonte.github.io/haproxy-dconv/1.6/configuration.html#maxconn%20(Server%20and%20default-server%20options)

Once a "proxy" maxconn limit is reached, haproxy will stop accepting new
connections for that proxy, which will remain in the system backlog.
In the same manner, if the "global" maxconn limit is reached, haproxy
will stop accepting new connections for everyone.

It is a good practice to have a larger "global" maxconn if you have
several proxies, so that one proxy won't permit a denial of service on the
others.

If you expect to have 3000 + 4000 connections on the servers, you surely
want a "proxy" maxconn greater than 7000 (will queue them in the
frontend), and a "global" maxconn greater than 7000 too.

> My thought is this: the "maxconn" param in the global should be less than
> the total of every member in every listener.
>
> Is my thought right?

Greater, except if you want to artificially provide some contention
(there are valid use cases).

For example, you may want something like:
global
   maxconn 1

listen  http_proxy  localhost:81
   maxconn 8000
   server  server1 myip:80 maxconn 3000 check inter 1
   server  server2 myip:80 maxconn 4000 check inter 1

Btw, consider using the new syntax to declare the listening address/port
(the older syntax is deprecated and won't work if you upgrade from 1.5
to 1.6):

listen  http_proxy
   bind localhost:81

--
Cyril Bonté
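
The sizing rule from the reply above, turned into a configuration check. This is an added example, not part of the original thread and not HAProxy code: `parse_maxconn` and `audit` are hypothetical names, the sample configuration and its addresses are constructed, and the parser assumes plain one-directive-per-line syntax.

```python
# Constructed sample modelled on the question's configuration (placeholder addresses).
SAMPLE = """\
global
    maxconn 2000
listen http_proxy
    bind localhost:81
    server server1 192.0.2.10:80 maxconn 3000 check
    server server2 192.0.2.11:80 maxconn 4000 check
"""

def parse_maxconn(text):
    """Return (global maxconn, {proxy: {"type", "maxconn" or None, "servers"}})."""
    global_max, defaults_max, proxies, kind, name = None, None, {}, None, None
    for raw in text.splitlines():
        w = raw.split("#", 1)[0].split()
        if not w:
            continue
        if w[0] in ("global", "defaults"):
            kind = w[0]
        elif w[0] in ("frontend", "backend", "listen") and len(w) > 1:
            kind, name = "proxy", w[1]
            # A proxy starts from the maxconn of the preceding "defaults" section.
            proxies[name] = {"type": w[0], "maxconn": defaults_max, "servers": {}}
        elif w[0] == "maxconn" and len(w) > 1:
            if kind == "global":
                global_max = int(w[1])
            elif kind == "defaults":
                defaults_max = int(w[1])
            elif kind == "proxy":
                proxies[name]["maxconn"] = int(w[1])
        elif w[0] == "server" and kind == "proxy" and "maxconn" in w[3:-1]:
            proxies[name]["servers"][w[1]] = int(w[w.index("maxconn", 3) + 1])
    return global_max, proxies

def audit(text):
    """List the places where a limit is not above the load it has to admit."""
    global_max, proxies = parse_maxconn(text)
    findings = []
    for name, p in proxies.items():
        total = sum(p["servers"].values())
        # Only "listen" holds both the accepting side and the servers.
        if total and p["type"] == "listen" and (p["maxconn"] or 0) <= total:
            findings.append(f"{name}: proxy maxconn {p['maxconn']} is not above server total {total}")
        if total and (global_max or 0) <= total:
            findings.append(f"{name}: global maxconn {global_max} is not above server total {total}")
    limits = [p["maxconn"] for p in proxies.values() if p["maxconn"] is not None]
    if len(proxies) > 1 and limits and global_max is not None and global_max <= max(limits):
        findings.append(f"global maxconn {global_max} can be used up by one proxy")
    return findings
```

Running `audit(SAMPLE)` reports both the missing "proxy" maxconn and the undersized "global" maxconn; the last check covers the multi-proxy case, where one proxy reaching its own limit would otherwise exhaust the global one.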



Re: Host name resolution in IPv6 only entry in /etc/hosts

2016-07-18 Thread Nenad Merdanovic
Dropped ML by mistake

On 07/18/2016 11:47 PM, Nenad Merdanovic wrote:
> Hello,
> 
> On 07/18/2016 02:41 PM, Albert Casademont wrote:
>> Hi!
>>
>> I was trying to configure an IPv6 only backend using the hostname in
>> /etc/hosts and the HAProxy kept failing to initialize. As soon as I put
>> an IPV4 address for that hostname in /etc/hosts it worked. I have
>> resorted to manually putting the IPV6 address in the HAProxy config file,
>> but ideally an IPV6 only hostname should work.
>>
>> Sample config:
>>
>> server test1 test1.domain:80
>>
>> In /etc/hosts
>>
>> ::1 test1.domain
>>
>> It will fail to initialize
>>
> 
> Can you check 'haproxy -vv' to see if HAproxy is compiled with
> USE_GETADDRINFO, if not, compile it with that option "make TARGET=...
> USE_GETADDRINFO=1"
> 
> It should work then, if gai.conf is OK.
> 
> Regards,
> Nenad
> 



Re: Segmentation fault in 1.6.6

2016-07-18 Thread Pavlos Parissis
On 18/07/2016 04:59 PM, Michał Łowicki wrote:
> Will do but SSL is terminated before reaching HAProxy. Still possible it could
> affect us?
> 

I don't think so, but you should use 1.6.7 anyway in order to avoid surprises
when you enable SSL.

Cheers,
Pavlos





Re: Segmentation fault in 1.6.6

2016-07-18 Thread Pavlos Parissis
On 18/07/2016 04:17 PM, Michał Łowicki wrote:
> Hi,
> 
> I'm using:
> 
> HA-Proxy version 1.6.6 2016/06/26
> Copyright 2000-2016 Willy Tarreau
> 
> 
> on:
> 
> cat /proc/version
> Linux version 4.5.0-0.bpo.1-amd64 (debian-ker...@lists.debian.org
> ) (gcc version 4.9.2 (Debian
> 4.9.2-10) ) #1 SMP Debian 4.5.1-1~bpo8+1 (2016-04-20) 
> 
> and found core dump (using HAProxy through Marathon-lb):
> 
> [New LWP 20445]
> Core was generated by `/bin/bash ./run'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0  0x004b8f97 in action_lookup (keywords= Cannot access memory at address 0xffe8>, 
> kw= 0xffe0>) at include/proto/action.h:38
> 38include/proto/action.h: No such file or directory.
> 
> Is this a known issue or any clue how to debug it further?
> 



Please try 1.6.7 version as it addresses a regression in 1.6.6 which causes some
segfaults related to SSL config.

Cheers,
Pavlos





Segmentation fault in 1.6.6

2016-07-18 Thread Michał Łowicki
Hi,

I'm using:

> HA-Proxy version 1.6.6 2016/06/26
> Copyright 2000-2016 Willy Tarreau 


on:

> cat /proc/version
> Linux version 4.5.0-0.bpo.1-amd64 (debian-ker...@lists.debian.org) (gcc
> version 4.9.2 (Debian 4.9.2-10) ) #1 SMP Debian 4.5.1-1~bpo8+1 (2016-04-20)

and found core dump (using HAProxy through Marathon-lb):

> [New LWP 20445]
> Core was generated by `/bin/bash ./run'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0  0x004b8f97 in action_lookup (keywords= Cannot access memory at address 0xffe8>,
> kw= 0xffe0>) at include/proto/action.h:38
> 38 include/proto/action.h: No such file or directory.

Is this a known issue or any clue how to debug it further?

-- 
BR,
Michał Łowicki


undefined symbol: lua_getmetatable in using luasocket

2016-07-18 Thread Sachin Shetty
Hi,

I am trying to load a luasocket script which would make a rest call to an
upstream service to determine the backend.

The script is as follows:

"""

http = require "socket.http"

function choose_backend(txn, arg1)
    core.log(core.info, "Getting Info:" .. arg1)
    result, statuscode, content =
        http.request("http://localhost:6280/eos/rest/private/gds/l1/1.0/domain/" .. arg1)
    return result
end

core.register_fetches("choose_backend", choose_backend)

"""

However when starting haproxy, I get this error:

[ALERT] 199/063903 (7106) : parsing
[/home/egnyte/haproxy/conf/haproxy.conf:9] : lua runtime error: error
loading module 'socket.core' from file
'/usr/local/lib/lua/5.1/socket/core.so':

/usr/local/lib/lua/5.1/socket/core.so: undefined symbol: lua_getmetatable



Standalone lua scripts are fine with the require "socket" line and I do see
the output, but it fails to load within haproxy.



Thanks

Sachin 










Re: gcc 5.4 haproxy lua

2016-07-18 Thread Thomas Heil
Hi,

On 15.07.2016 13:23, Thomas Heil wrote:
> Hi
> 
> With gcc 5.4 and haproxy 1.6.7 I get the following errors.
> 
> --
> src/hlua.o: In function `hlua_yield':
> hlua.c:(.text+0xdd): undefined reference to `lua_yieldk'
> src/hlua.o: In function `hlua_hook':
> hlua.c:(.text+0x14f): undefined reference to `lua_isyieldable'
> hlua.c:(.text+0x1b9): undefined reference to `lua_yieldk'
> src/hlua.o: In function `hlua_sleep_yield':
> hlua.c:(.text+0x925): undefined reference to `lua_tointegerx'
> hlua.c:(.text+0x945): undefined reference to `lua_yieldk'
> src/hlua.o: In function `hlua_load':
> hlua.c:(.text+0x170b): undefined reference to `luaL_loadfilex'
> hlua.c:(.text+0x172e): undefined reference to `lua_pcallk'
> src/hlua.o: In function `hlua_lua2arg':
> hlua.c:(.text+0x18b8): undefined reference to `lua_tointegerx'
> src/hlua.o: In function `hlua_lua2smp':
> --
> 
> Can somebody advise me which library is missing here or do we need
> another include?


There was a problem that an older lua version was already in the
include path. So except some warnings gcc 5.4 is fine with haproxy 1.5
and 1.6.

sorry for the noise.


> 
> cheers
> 






Host name resolution in IPv6 only entry in /etc/hosts

2016-07-18 Thread Albert Casademont
Hi!

I was trying to configure an IPv6 only backend using the hostname in
/etc/hosts and the HAProxy kept failing to initialize. As soon as I put an
IPV4 address for that hostname in /etc/hosts it worked. I have resorted to
manually putting the IPV6 address in the HAProxy config file, but ideally an
IPV6 only hostname should work.

Sample config:

server test1 test1.domain:80

In /etc/hosts

::1 test1.domain

It will fail to initialize

Thank you!


Max connections in HAProxy

2016-07-18 Thread zhi
hi all.

I have some questions about "max_conn" in HAProxy.

First of all, a question about performance in HAProxy. How many
connections can HAProxy take, in other words, what is the max connections
in HAProxy?

Second question, I have a haproxy configuration file like this:

global

maxconn 2000

listen  http_proxy  localhost:81
   server  server1 myip:80 maxconn 3000 check inter 1
   server  server2 myip:80 maxconn 4000 check inter 1

Max connections (3000 + 4000) > 2000, what will happen? I think that
the above connections (3000 + 4000 - 2000 = 5000) will be queued by the Linux
kernel and wait for another connection to complete being accepted.

My thought is this: the "maxconn" param in the global should be less than the
total of every member in every listener.

Is my thought right?



Hope for your reply.

Zhi Chang


rate limiting question

2016-07-18 Thread haproxy
Hello,

I have a sticky table for ip checks against high connection rate (for testing 
purposes it's set now to 3 connections in 10 seconds):

frontend lb-useast
...
  tcp-request content track-sc0 src
  stick-table type ip size 500k expire 30s store conn_cur,conn_rate(10s),http_req_rate(10s),http_err_rate(10s)
  http-request add-header X-Haproxy-ACL %[req.fhdr(X-Haproxy-ACL,-1)]over-3-connections-in-10-seconds, if { src_conn_rate gt 3 }
...
  default_backend logger

backend logger
  server localhost localhost:5 send-proxy

frontend logger
...
  acl whitelisted req.fhdr(X-Haproxy-ACL) -m beg whitelisted,
  acl fail-validation req.fhdr(X-Haproxy-ACL) -m found
  http-request deny if !whitelisted fail-validation
...

When I run 3 curl requests in a row, the table shows there were 5 connections 
with 1 failed:
# echo "show table lb-useast" | socat - unix:/var/lib/haproxy/stats
# table: lb-useast, type: ip, size:512000, used:1
0x24b3628: key=x.y.222.4 use=0 exp=26100 conn_rate(1)=5 conn_cur=0 
http_req_rate(1)=3 http_err_rate(1)=1

The curl command is pretty straightforward:
for ((i=1;i<=3;i++)); do curl -s http://uat.my.com/privacy.html > /dev/null; 
echo $i; done

How does haproxy count connections, so it gets 5 instead of 3?

PS haproxy version is 1.5.4

-- 
Best regards,
Alex




Haproxy with SNI and http2 separation

2016-07-18 Thread Matthias Fechner
Dear all,

I use haproxy 1.6.7 on a FreeBSD host.

I just try to do the following:
Check if hostname is domain1 or domain2 or bladomain3 or ... , mark it
to send the request to nginx
all other requests should go to apache backend.

Check if client supports http2, if yes and nginx acl matches, send it to
nginx with a special port.

All the rest should go to apache backend.

I tried to do this using two acls and 3 backends (apache, nginx,
nginx-http2).

But I could not get it working and I'm not sure what I'm doing wrong.
Here is my frontend and backend definition:

frontend www-https
    mode tcp

    bind 192.168.0.251:8443 ssl crt /usr/local/etc/haproxy/certs/ alpn h2,http/1.1
    bind 192.168.200.6:8443 ssl crt /usr/local/etc/haproxy/certs/ alpn h2,http/1.1
    bind localhost:443 ssl crt /usr/local/etc/haproxy/certs/ alpn h2,http/1.1
    bind 127.0.0.1:443 ssl crt /usr/local/etc/haproxy/certs/ alpn h2,http/1.1

    acl use_nginx hdr(host) -i domain1 domain2 bladomain3
    acl http2 ssl_fc_alpn -i h2

    use_backend nginx-http2-backend if use_nginx http2
    use_backend nginx-http-backend if use_nginx

    default_backend apache-backend

backend apache-backend
    server www-1 127.0.0.1:8081 check

backend nginx-http-backend
    server www-1 127.0.0.1:8082 check

backend nginx-http2-backend
    mode tcp
    http-request add-header X-Forwarded-Proto https
    server www-1 127.0.0.1:8083 check send-proxy

Can someone please point me to the mistake I made?
Thanks a lot!

Regards
Matthias

-- 

"Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the universe trying to
produce bigger and better idiots. So far, the universe is winning." --
Rich Cook