Re: Log Backend call
I have created an issue for this.

https://github.com/haproxy/haproxy/issues/589

On 19.04.20 00:15, Aleksandar Lazic wrote:
> Hi.
>
> I haven't seen any option to log the request after the `http-request set-...` phase.
>
> Is this covered in %HP or is this the request from the client?
>
> That's the code and it looks to me that this isn't set after the rewrite
> phase.
>
> http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/log.c;hb=dfad6a41ad9f012671b703788dd679cf24eb8c5a#l2693
>
> The use case is that I need to know how the http request looks to the backend
> after the backend.
>
> A tcpdump isn't possible because the backend is a TLS one.
>
> It would be nice to have also a similar output in the debug mode as for the
> client request.
>
> ```
>
> 0002:https-in.accept(0009)=002b from [:::Client-IP:34452] ALPN=h2
> 0002:https-in.clireq[002b:]: GET
> https://DOMAIN.com/img/logo-entrypages.png HTTP/2.0
> 0002:https-in.clihdr[002b:]: user-agent: curl/7.65.3
> 0002:https-in.clihdr[002b:]: accept: */*
> 0002:https-in.clihdr[002b:]: host: DOMAIN.com
>
> Suggested output after rewrite
>
> 0002:https-out.connect(0010)=002b from [:::DEST-IP:DEST-PORT] ALPN=h1
> 0002:https-out.srvreq[002b:]: GET
> https://REWRITTEN.com/NEW_PATH/img/logo-entrypages.png HTTP/2.0
> 0002:https-out.srvhdr[002b:]: user-agent: curl/7.65.3
> 0002:https-out.srvhdr[002b:]: accept: */*
> 0002:https-out.srvhdr[002b:]: host: REWRITTEN.com
>
> 0002:be_static.srvrep[002b:002c]: HTTP/1.1 401 Unauthorized
> 0002:be_static.srvhdr[002b:002c]: content-length: 131
> 0002:be_static.srvhdr[002b:002c]: content-type: text/html; charset=UTF-8
> 0002:be_static.srvhdr[002b:002c]: www-authenticate: Swift realm="Client"
> 0002:be_static.srvhdr[002b:002c]: www-authenticate: Keystone
> uri="https://auth.cloud.ovh.net/;
> 0002:be_static.srvhdr[002b:002c]: x-trans-id: tx011f76ce9d9f43a09dcea-...
> 0002:be_static.srvhdr[002b:002c]: x-openstack-request-id:
> tx011f76ce9d9f43a09dcea-...
> 0002:be_static.srvhdr[002b:002c]: date: Sat, 18 Apr 2020 21:59:48 GMT
> 0002:be_static.srvhdr[002b:002c]: x-iplb-instance: ...
> 0002:be_static.srvcls[002b:002c]
> 0002:be_static.clicls[002b:002c]
> 0002:be_static.closed[002b:002c]
>
> ```
>
> Opinions?
>
> Regards
>
> Aleks
Log Backend call
Hi.

I haven't seen any option to log the request after the `http-request set-...` phase.

Is this covered in %HP or is this the request from the client?

That's the code and it looks to me that this isn't set after the rewrite phase.

http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/log.c;hb=dfad6a41ad9f012671b703788dd679cf24eb8c5a#l2693

The use case is that I need to know how the http request looks to the backend after the backend.

A tcpdump isn't possible because the backend is a TLS one.

It would be nice to have also a similar output in the debug mode as for the client request.

```
0002:https-in.accept(0009)=002b from [:::Client-IP:34452] ALPN=h2
0002:https-in.clireq[002b:]: GET https://DOMAIN.com/img/logo-entrypages.png HTTP/2.0
0002:https-in.clihdr[002b:]: user-agent: curl/7.65.3
0002:https-in.clihdr[002b:]: accept: */*
0002:https-in.clihdr[002b:]: host: DOMAIN.com

Suggested output after rewrite

0002:https-out.connect(0010)=002b from [:::DEST-IP:DEST-PORT] ALPN=h1
0002:https-out.srvreq[002b:]: GET https://REWRITTEN.com/NEW_PATH/img/logo-entrypages.png HTTP/2.0
0002:https-out.srvhdr[002b:]: user-agent: curl/7.65.3
0002:https-out.srvhdr[002b:]: accept: */*
0002:https-out.srvhdr[002b:]: host: REWRITTEN.com

0002:be_static.srvrep[002b:002c]: HTTP/1.1 401 Unauthorized
0002:be_static.srvhdr[002b:002c]: content-length: 131
0002:be_static.srvhdr[002b:002c]: content-type: text/html; charset=UTF-8
0002:be_static.srvhdr[002b:002c]: www-authenticate: Swift realm="Client"
0002:be_static.srvhdr[002b:002c]: www-authenticate: Keystone uri="https://auth.cloud.ovh.net/;
0002:be_static.srvhdr[002b:002c]: x-trans-id: tx011f76ce9d9f43a09dcea-...
0002:be_static.srvhdr[002b:002c]: x-openstack-request-id: tx011f76ce9d9f43a09dcea-...
0002:be_static.srvhdr[002b:002c]: date: Sat, 18 Apr 2020 21:59:48 GMT
0002:be_static.srvhdr[002b:002c]: x-iplb-instance: ...
0002:be_static.srvcls[002b:002c]
0002:be_static.clicls[002b:002c]
0002:be_static.closed[002b:002c]
```

Opinions?

Regards

Aleks
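The debug layout quoted in the message, read back by a small parser (an added example, not part of the original post or of HAProxy): it groups lines by their leading hex id and diffs the client request against the backend request. The `srvreq` lines exist only in the poster's proposal; `parse_debug`, `rewrite_changes` and the sample lines are constructed for illustration.

```python
import re

# sid:proxy.event[client_fd:server_fd]: data   (accept/connect lines do not match)
LINE = re.compile(r"^(?P<sid>[0-9a-f]+):(?P<proxy>.+?)\.(?P<event>[a-z]+)"
                  r"\[[0-9a-f]*:[0-9a-f]*\](?::\s*(?P<data>.*))?$")

# Constructed sample; the srvreq lines follow the poster's proposal, not known HAProxy output.
SAMPLE = """\
0002:https-in.accept(0009)=002b from [:::Client-IP:34452] ALPN=h2
0002:https-in.clireq[002b:]: GET https://DOMAIN.com/img/logo.png HTTP/2.0
0002:https-in.clihdr[002b:]: user-agent: curl/7.65.3
0002:https-in.clihdr[002b:]: host: DOMAIN.com
0002:https-out.srvreq[002b:]: GET https://REWRITTEN.com/NEW_PATH/img/logo.png HTTP/2.0
0002:https-out.srvhdr[002b:]: user-agent: curl/7.65.3
0002:https-out.srvhdr[002b:]: host: REWRITTEN.com
0002:be_static.srvrep[002b:002c]: HTTP/1.1 401 Unauthorized
0002:be_static.srvhdr[002b:002c]: www-authenticate: Swift realm="Client"
0002:be_static.srvhdr[002b:002c]: www-authenticate: Keystone uri="https://auth.example/"
"""

def parse_debug(text):
    """Group lines per id; a srvhdr line belongs to whichever start line came last."""
    streams = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        st = streams.setdefault(m["sid"], {"_cur": None})
        event, data = m["event"], m["data"] or ""
        if event in ("clireq", "srvreq", "srvrep"):
            st[event] = {"line": data, "headers": {}}
            st["_cur"] = st[event]
        elif event in ("clihdr", "srvhdr") and st["_cur"] is not None:
            name, _, value = data.partition(":")
            st["_cur"]["headers"].setdefault(name.strip().lower(), []).append(value.strip())
    return streams

def rewrite_changes(stream):
    """Diff the client request against the request sent to the backend."""
    cli, srv = stream.get("clireq"), stream.get("srvreq")
    if not cli or not srv:
        return None  # backend request was not logged, nothing to compare
    changes = {}
    if cli["line"] != srv["line"]:
        changes["request-line"] = (cli["line"], srv["line"])
    for name in sorted(set(cli["headers"]) | set(srv["headers"])):
        if cli["headers"].get(name) != srv["headers"].get(name):
            changes[name] = (cli["headers"].get(name), srv["headers"].get(name))
    return changes
```
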
New color on www.haproxy.org
Hi.

I like the new table on https://www.haproxy.org/ .

The color now shows much more easily which version is in which state ;-)

Regards

Aleks
Re: [PATCH] MINOR: version: Show uname output in display_version()
Hi Tim,

On Sat, Apr 18, 2020 at 04:02:47PM +0200, Tim Duesterhus wrote:
> Willy,
>
> because we ask for the `uname -a` output on the bug tracker, users sometimes
> forget to give all the requested information and I'm tired of always having
> to redact my machine names I thought I'd combine the `haproxy -vv + uname -a`
> into just `uname -a` by adding the results of uname(2) to the version
> information within `haproxy -vv`. My understanding is that the uname(2)
> behavior is defined in POSIX, thus I expect this to be portable.

I think it's an excellent idea, I've just merged it.

Thanks!
Willy
[PATCH] MINOR: version: Show uname output in display_version()
Willy,

because we ask for the `uname -a` output on the bug tracker, users sometimes forget to give all the requested information and I'm tired of always having to redact my machine names I thought I'd combine the `haproxy -vv + uname -a` into just `uname -a` by adding the results of uname(2) to the version information within `haproxy -vv`.

My understanding is that the uname(2) behavior is defined in POSIX, thus I expect this to be portable.

Best regards
Tim Düsterhus

Apply with `git am --scissors` to automatically cut the commit message.

-- >8 --
This patch adds the sysname, release, version and machine fields from the uname results to the version output. It intentionally leaves out the machine name, because it is usually not useful and users might not want to expose their machine names for privacy reasons.

May be backported if it is considered useful for debugging.
--- src/haproxy.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/src/haproxy.c b/src/haproxy.c index d01ddfdab..60db73502 100644 --- a/src/haproxy.c +++ b/src/haproxy.c @@ -46,6 +46,7 @@ #include #include #include +#include #include #include #include @@ -541,6 +542,8 @@ void hap_register_per_thread_free(int (*fct)()) static void display_version() { + struct utsname utsname; + printf("HA-Proxy version %s %s - https://haproxy.org/\n; PRODUCT_STATUS "\n", haproxy_version, haproxy_date); @@ -563,6 +566,10 @@ static void display_version() else printf("Known bugs: " PRODUCT_URL_BUGS "\n", base_version); } + + if (uname() == 0) { + printf("Running on: %s %s %s %s\n", utsname.sysname, utsname.release, utsname.version, utsname.machine); + } } static void display_build_opts() -- 2.26.1
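Review bot: In the last hunk (@@ -563,6 +566,10 @@), `if (uname() == 0)` treats only a return value of exactly 0 as success, while POSIX specifies a non-negative value on success and -1 on failure, so on a platform that returns a positive value the "Running on:" line would be silently dropped; testing for `!= -1` (or `>= 0`) fits the portability goal stated in the cover letter. As shown, the call also carries no argument although the fields of the local `utsname` are read right after it; uname(2) fills a caller-supplied struct, so the call needs `&utsname`. A short comment above the printf saying that `nodename` is left out on purpose would keep a later cleanup from adding it back, and would also make clear that the printed `machine` field is the hardware type rather than the host name the commit message refers to.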
Re: Problem with crl certificate
Hi!

On 17/04/20 18:43, Davide Guarneri wrote:
> crt /etc/haproxy/ssl/cert.pem ca-file /etc/haproxy/ssl/ca-chain.cert.pem verify required crl-file /etc/haproxy/ssl/intermediate.crl.pem

I would verify how the certificates and the keys are placed in the files.

/etc/haproxy/ssl/cert.pem must contain "both the required certificates and any associated private keys. [...] If your CA requires an intermediate certificate, this can also be concatenated into this file." (from HAProxy documentation)

The client certificate is checked against the signature of the CAs defined in /etc/haproxy/ssl/ca-chain.cert.pem

Moreover it is checked if the client certificate is listed in the certificate revocation list in /etc/haproxy/ssl/intermediate.crl.pem

Hope this helps

Ciao!
.marcoc
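One way to check the file layout described in the reply, as an added example that is not part of the original post or of HAProxy: it reads the PEM blocks of each file and reports what is missing, misplaced or truncated for the `crt`, `ca-file` and `crl-file` options. The rule table, the function names and the dummy PEM bodies are assumptions made for the example.

```python
import base64
import re

BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Assumed expectations per bind option, derived from the reply above.
RULES = {
    "crt":      {"need": {"CERTIFICATE", "PRIVATE KEY"}, "forbid": {"X509 CRL"}},
    "ca-file":  {"need": {"CERTIFICATE"}, "forbid": {"PRIVATE KEY", "X509 CRL"}},
    "crl-file": {"need": {"X509 CRL"}, "forbid": {"PRIVATE KEY", "CERTIFICATE"}},
}

def pem_blocks(text):
    """Yield (label, der_bytes) for every complete PEM block in text."""
    for label, body in BLOCK.findall(text):
        if label.endswith("PRIVATE KEY"):       # fold RSA/EC/ENCRYPTED variants
            label = "PRIVATE KEY"
        yield label, base64.b64decode("".join(body.split()), validate=True)

def check_layout(option, text):
    """Return a list of problems for one file used with the given option."""
    begins = len(re.findall(r"-----BEGIN ", text))
    try:
        blocks = list(pem_blocks(text))
    except ValueError:                          # binascii.Error is a ValueError
        return [f"{option}: a block body is not valid base64"]
    problems = []
    if begins != len(blocks):
        problems.append(f"{option}: {begins - len(blocks)} truncated block(s)")
    found = {label for label, _ in blocks}
    problems += [f"{option}: missing {t}" for t in sorted(RULES[option]["need"] - found)]
    problems += [f"{option}: unexpected {t}" for t in sorted(RULES[option]["forbid"] & found)]
    # Certificates, keys and CRLs are all ASN.1 SEQUENCEs, so DER starts with 0x30.
    problems += [f"{option}: {lbl} body is not DER" for lbl, der in blocks if der[:1] != b"\x30"]
    return problems

def fake_pem(label, der=b"\x30\x03\x02\x01\x00"):
    """Build a constructed PEM block; the body is a dummy SEQUENCE, not a real object."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"
```

A private key reported as unexpected in the `ca-file` or `crl-file` is worth treating as a key-handling problem, not just a configuration error.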
Re: HAProxy concurrent HTTP query limit based on header
Hi,

On Fri, 2020-04-17 at 20:22 +0200, Olivier D wrote:
> Hello everyone,
> I would like to implement a "max concurrent connection" in HAProxy.
> This is easy to do at TCP level :
>
> stick-table type ipv6 size 100k expire 30s store conn_cur
> http-request track-sc0 src
> http-request deny deny_status 429 if { src_conn_cur ge 20 }
>
> But now, I want to do the same for concurrent HTTP queries, based on
> header 'X-Forwarded-For'. For example, I want to send a 429 error
> code if someone is sending an HTTP query when he already has 20
> ongoing.
>
> My first tries are based on something like this :
> stick-table type ipv6 size 100k expire 30s store
> http_req_rate(10s)
> http-request track-sc0 req.hdr( X-Forwarded-For )

Does it work if you use:
http-request track-sc0 req.hdr_ip(X-Forwarded-For)
( https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#7.3.6-req.hdr_ip )

Do you get any entries in the stick-table (show table ... command to stats socket).

-Jarno

> http-request deny deny_status 429 if { sc0_conn_cur ge 20 }
>
> but it doesn't seem to work the way I want ...

--
Jarno Huuskonen