Re: send-proxy on FreeBSD

2013-09-03 Thread David BERARD
Hi Willy, Lukas,

Thank you for your quick replies.

2013/9/3 Willy Tarreau 
>
> It would be nice if you could add a "perror("send_proxy")" just before
> goto out_error. I suspect you're getting ENOTCONN that is correctly
> handled in raw_sock.c but not here.
>

 ./haproxy -f /usr/local/etc/haproxy.conf -d
Available polling systems :
 kqueue : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result FAILED
Total: 3 (2 usable), will use kqueue.
Using kqueue() as the polling mechanism.
0001:ddos.accept(0004)=0006 from [127.0.0.1:12187]
0001:ddos.clireq[0006:]: GET / HTTP/1.1
0001:ddos.clihdr[0006:]: User-Agent: curl/7.31.0
0001:ddos.clihdr[0006:]: Host: 127.0.0.1
0001:ddos.clihdr[0006:]: Accept: */*
send_proxy: Socket is not connected
0001:ddos.clicls[0006:0007]
0001:ddos.closed[0006:0007]


> Alternately, could you try the following change :
>
>471 -  if (errno == EAGAIN)
>471 +  if (errno == EAGAIN || errno == ENOTCONN)
>
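Review bot: the new `errno == ENOTCONN` test at line 471 needs a comment saying why it is there; read bare, an extra errno on the "wait" path looks like an error being silently masked. The reason given earlier in this thread (FreeBSD reports ENOTCONN where Linux reports EAGAIN when send() is called while the non-blocking connect() is still pending) belongs next to the condition. Since raw_sock.c is said to already handle the same case correctly, consider sharing that errno classification rather than maintaining two copies of the list in stream_interface.c and raw_sock.c.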

With this change send-proxy works well :)

Thanks.

-- 

David BERARD

contact(at)davidberard.fr

GPG|PGP KeyId 0xC8533354

GPG|PGP Key http://davidberard.fr/C8533354.gpgkey

* No electrons were harmed in the transmission of this email *


send-proxy on FreeBSD

2013-09-02 Thread David BERARD
Hi,

I have an issue with send-proxy on HAProxy-1.5-dev19 running on FreeBSD.

Since dev13 I can't get send-proxy to work on FreeBSD: connections to
the backend server (another haproxy with the accept-proxy bind option) are
immediately closed.

Version dev12 works correctly on FreeBSD, and dev19 on Linux works too.

The connection seems to be closed in stream_interface.c (out_error):

 470 if (ret < 0) {
 471 if (errno == EAGAIN)
 472 goto out_wait;
 473 goto out_error;   <<<<<<
 474 }


# cat /usr/local/etc/haproxy.conf 
global
log /var/run/log local0 debug
maxconn 4096
uid 99
gid 99
daemon

defaults 
log global
contimeout  5000
clitimeout  5
srvtimeout  5
retries 0
option  redispatch
maxconn 2000

listen ddos 127.0.0.1:80
mode    http
server  myserver X.X.X.X:80 send-proxy


# ./haproxy -v
HA-Proxy version 1.5-dev19 2013/06/17
Copyright 2000-2013 Willy Tarreau 


# ./haproxy -f /usr/local/etc/haproxy.conf -d
Available polling systems :
 kqueue : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result FAILED
Total: 3 (2 usable), will use kqueue.
Using kqueue() as the polling mechanism.
0001:ddos.accept(0004)=0006 from [127.0.0.1:18493]
0001:ddos.clireq[0006:]: GET / HTTP/1.1
0001:ddos.clihdr[0006:]: User-Agent: curl/7.31.0
0001:ddos.clihdr[0006:]: Host: 127.0.0.1
0001:ddos.clihdr[0006:]: Accept: */*
0001:ddos.srvcls[0006:0007]
0001:ddos.clicls[0006:0007]
0001:ddos.closed[0006:0007]


# tcpdump
23:12:17.405476 IP HAPROXY_IP.32958 > SERVER_IP.80: Flags [S], seq 3939228300, 
win 65535, options [mss 1460,nop,wscale 8,sackOK,TS val 21313989 ecr 0], length 0
23:12:17.405537 IP SERVER_IP.80 > HAPROXY_IP.32958: Flags [S.], seq 763473061, 
ack 3939228301, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 7], 
length 0
23:12:17.405979 IP HAPROXY_IP.32958 > SERVER_IP.80: Flags [R], seq 3939228301, 
win 0, length 0

Best Regards,
________
David BERARD

contact(at)davidberard.fr

*   No electrons were harmed in the transmission of this email *



smime.p7s
Description: S/MIME cryptographic signature
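A worked example added here (not HAProxy's code) of the two things this thread turns on: the PROXY protocol v1 line that send-proxy writes and accept-proxy has to validate, and what to do with the errno a non-blocking send() returns while connect() is still in progress, where Linux reports EAGAIN and FreeBSD reports ENOTCONN. The function names, the constructed addresses and ports are this example's own; the 107-byte limit is the v1 maximum from the PROXY protocol specification.

```c
/* Added example, not HAProxy code. Function names and sample addresses are
 * this example's own; only the TCP4 form of the v1 line is handled. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define PP1_MAX_LEN 107   /* longest valid v1 line, CRLF included (spec limit) */

enum send_action { SEND_RETRY_LATER, SEND_FAIL };

/* Decide what to do after send() returned -1 on a non-blocking socket whose
 * connect() may still be pending. Linux reports EAGAIN, FreeBSD reports
 * ENOTCONN; both mean "not writable yet, poll and retry". Anything else
 * (ECONNREFUSED, EPIPE, ...) is a real failure. */
enum send_action classify_send_errno(int err)
{
    if (err == EAGAIN || err == EWOULDBLOCK || err == ENOTCONN || err == EINTR)
        return SEND_RETRY_LATER;
    return SEND_FAIL;
}

/* Format "PROXY TCP4 <src> <dst> <sport> <dport>\r\n" into buf. Returns the
 * line length (NUL not counted), or -1 if it does not fit or a port is bad. */
int build_proxy_v1(char *buf, size_t size, const char *src, const char *dst,
                   unsigned sport, unsigned dport)
{
    int n;
    if (sport > 65535 || dport > 65535)
        return -1;
    n = snprintf(buf, size, "PROXY TCP4 %s %s %u %u\r\n", src, dst, sport, dport);
    if (n < 0 || (size_t)n >= size || n > PP1_MAX_LEN)
        return -1;
    return n;
}

/* Validate a v1 line received on an accept-proxy listener and extract the
 * original client address and port. Returns 1 on success, 0 if the line is
 * malformed: wrong prefix, missing CRLF, over-long, or an invalid port.
 * A line that fails here must not be trusted as a client address. */
int parse_proxy_v1(const char *line, size_t len, char *src, size_t srclen, unsigned *sport)
{
    char copy[PP1_MAX_LEN + 1], proto[8], s[64], d[64];
    unsigned sp, dp;

    if (len < 8 || len > PP1_MAX_LEN || memcmp(line, "PROXY ", 6) != 0)
        return 0;
    if (line[len - 2] != '\r' || line[len - 1] != '\n')
        return 0;
    memcpy(copy, line, len);          /* bounded copy so sscanf sees a NUL */
    copy[len] = '\0';
    if (sscanf(copy, "PROXY %7s %63s %63s %u %u", proto, s, d, &sp, &dp) != 5)
        return 0;
    if (strcmp(proto, "TCP4") != 0 || sp > 65535 || dp > 65535)
        return 0;
    if (strlen(s) + 1 > srclen)
        return 0;
    strcpy(src, s);
    *sport = sp;
    return 1;
}

int main(void)
{
    char line[128], src[64];
    unsigned sport = 0;
    int n = build_proxy_v1(line, sizeof line, "127.0.0.1", "10.0.0.1", 12187, 80);
    if (n > 0 && parse_proxy_v1(line, (size_t)n, src, sizeof src, &sport))
        printf("client %s:%u seen through the proxy line\n", src, sport);
    printf("ENOTCONN -> %s\n",
           classify_send_errno(ENOTCONN) == SEND_RETRY_LATER ? "retry later" : "fail");
    return 0;
}
```

In a real sender the SEND_RETRY_LATER branch is where the out_wait path of the thread goes: register for write readiness and emit the same line again once the socket is connected, instead of treating the first send() as fatal.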


Re: add-header and set-header bad header with nginx

2012-12-27 Thread David BERARD
Hi Willy,

2012/12/28 Willy Tarreau :
> Hi David,
>
> On Fri, Dec 28, 2012 at 01:46:32AM +0100, David BERARD wrote:
>> Hi,
>>
>> I started to evaluate the new add-header/set-header option and encountered
>> some issues.
>> I use nginx as web server behind HAProxy, and nginx reply 400 bad
>> request at every request.
>>
>> The header set with add-header/set-header is malformed: I have a null
>> character before the end of the line, for example:
>>
>> http-request set-header X-SSL-TOTO %[ssl_fc]
>>
>> set the following header : X-SSL-TOTO: 1\000\r\n
>>
>> The length of the header value seems too big; the following workaround fixes
>> this issue (not optimal, I know):
>
> OK I see what's happening. I'd rather fix the root cause of this issue,
> it's build_logline() which returns an ambiguous length.
>
> Could you please try the attached patch instead ? It works for me right
> here.

Works for me too. Thanks :)

-- 
David BERARD
contact(at)davidberard.fr
* No electrons were harmed in the transmission of this email *



add-header and set-header bad header with nginx

2012-12-27 Thread David BERARD
Hi,

I started to evaluate the new add-header/set-header option and encountered some
issues. I use nginx as the web server behind HAProxy, and nginx replies 400 Bad
Request to every request.

The header set with add-header/set-header is malformed: I have a null
character before the end of the line, for example:

http-request set-header X-SSL-TOTO %[ssl_fc]

set the following header : X-SSL-TOTO: 1\000\r\n

The length of the header value seems too big; the following workaround fixes
this issue (not optimal, I know):

diff --git a/src/proto_http.c b/src/proto_http.c
index 535c159..eb10213 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -3112,7 +3112,7 @@ http_check_access_rule(struct proxy *px, struct
list *rules, struct session *s,
trash.str[trash.len++] = ':';
trash.str[trash.len++] = ' ';
trash.len += build_logline(s, trash.str + 
trash.len, trash.size -
trash.len, &rule->arg.hdr_add.fmt);
-   http_header_add_tail2(&txn->req, &txn->hdr_idx, 
trash.str, trash.len);
+   http_header_add_tail2(&txn->req, &txn->hdr_idx, 
trash.str, trash.len-1);
break;
    }
}
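Review bot: the `trash.len-1` passed to http_header_add_tail2() treats the symptom, not the cause. It hard-codes the assumption that build_logline() always over-counts by exactly one byte (the terminating NUL); if build_logline() is later fixed to return the payload length, or returns 0 for an empty value, this line silently drops a real byte of the header. The length should be corrected where it is produced, in build_logline(), or derived from the bytes actually written into trash.str. Separately, the hunk lines are wrapped by the mail client (the build_logline() call and both http_header_add_tail2() lines are split across lines), so the patch as mailed will not apply cleanly; send it as an attachment or via git send-email.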

-- 
David BERARD
contact(at)davidberard.fr
* No electrons were harmed in the transmission of this email *
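A worked example added here (not HAProxy's code) of the failure this thread reports: a formatter whose return value counts the terminating NUL makes the caller emit "X-SSL-TOTO: 1\0\r\n", which a strict server rejects with 400, against the same builder using a formatter that counts only payload bytes, plus a check that catches a control byte in a header before it leaves the proxy. The formatter and builder names are this example's own stand-ins for build_logline() and the header code in the hunk above.

```c
/* Added example, not HAProxy code. fmt_value_with_nul() is a hypothetical
 * stand-in for the length ambiguity the thread attributes to build_logline(). */
#include <stdio.h>
#include <string.h>

typedef size_t (*value_fmt)(char *dst, size_t size, int ssl_fc);

/* Buggy contract: the count returned INCLUDES the NUL that snprintf writes,
 * so a caller that appends CRLF at that offset keeps the NUL in the header. */
size_t fmt_value_with_nul(char *dst, size_t size, int ssl_fc)
{
    int n = snprintf(dst, size, "%d", ssl_fc);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Fixed contract: only payload bytes are counted. */
size_t fmt_value(char *dst, size_t size, int ssl_fc)
{
    int n = snprintf(dst, size, "%d", ssl_fc);
    return n < 0 ? 0 : (size_t)n;
}

/* Build "<name>: <value>\r\n" the way the patched code does: prefix, formatted
 * value, then CRLF placed right after the length the formatter reported.
 * Returns the header length handed to the next stage, 0 on overflow. */
size_t build_header(char *buf, size_t size, const char *name, value_fmt fmt, int ssl_fc)
{
    size_t len = (size_t)snprintf(buf, size, "%s: ", name);
    if (len >= size)
        return 0;
    len += fmt(buf + len, size - len, ssl_fc);
    if (len + 2 >= size)
        return 0;
    memcpy(buf + len, "\r\n", 2);
    return len + 2;
}

/* Return 1 if a full "name: value\r\n" line of hdr_len bytes carries a byte a
 * strict HTTP parser rejects: NUL, a stray CR or LF, or any other control
 * character except HTAB. Run this before forwarding a generated header. */
int header_has_ctl(const char *hdr, size_t hdr_len)
{
    size_t i;
    if (hdr_len < 2)
        return 1;
    for (i = 0; i < hdr_len - 2; i++) {      /* skip the terminating CRLF */
        unsigned char c = (unsigned char)hdr[i];
        if ((c < 0x20 && c != '\t') || c == 0x7f)
            return 1;
    }
    return 0;
}

int main(void)
{
    char buf[64];
    size_t len = build_header(buf, sizeof buf, "X-SSL-TOTO", fmt_value_with_nul, 1);
    printf("buggy formatter: len=%zu, control byte present=%d\n", len, header_has_ctl(buf, len));
    len = build_header(buf, sizeof buf, "X-SSL-TOTO", fmt_value, 1);
    printf("fixed formatter: len=%zu, control byte present=%d\n", len, header_has_ctl(buf, len));
    return 0;
}
```

The builder is identical in both runs; only the formatter's idea of "length" differs, which is why fixing the return value at its source is the durable repair, and why a header-level check is worth keeping as a safety net regardless.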



[PATCH] Change is_ssl acl to ssl_fc acl in example

2012-11-02 Thread David BERARD
---
 doc/configuration.txt |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 949a383..225acb7 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -4349,7 +4349,7 @@ redirect scheme[code ]  [{if | 
unless} ]
 redirect code 301 prefix / drop-query append-slash if missing_slash
 
   Example: redirect all HTTP traffic to HTTPS when SSL is handled by haproxy.
-redirect scheme https if !{ is_ssl }
+redirect scheme https if !{ ssl_fc }
 
   See section 7 about ACL usage.
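Review bot: the commit message carries only the subject line; a sentence on why `is_ssl` no longer applies and `ssl_fc` is the fetch to use would help anyone reading the history. Also, since the diffstat shows one changed line, it is worth checking doc/configuration.txt for other `is_ssl` mentions so the documentation is updated in one go rather than only in the redirect example at line 4349.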
 
-- 
1.7.2.5




SSL OCSP Stapling

2012-10-30 Thread David BERARD
Hi HAProxy list members,

Is anybody working on an OCSP Stapling implementation for HAProxy ?
If nobody is working on it, I'm interested.

Do you think this is an interesting feature for HAProxy ?

Regards,
David


-- 

David BERARD

contact(at)davidberard.fr

GPG|PGP KeyId 0xC8533354

GPG|PGP Key http://davidberard.fr/C8533354.gpgkey

* No electrons were harmed in the transmission of this email *


Re: disable server vs 0% weight on server for rolling deploys?

2012-09-22 Thread David BERARD
Hi,

On 22 Sept. 2012 at 10:49, Baptiste wrote:
> Disable means that the server won't be used anymore by the
> load-balance algorithm, hence it won't receive any new connections.
> Sticky connections are still routed to this server, for a graceful shutdown.
> Setting the weight to 0 would have the same effect.


If cookies are used to keep users on the same server, there is a difference 
between a 0-weight server and a disabled server.
On a disabled server, users will be redirected to another server, even if the 
cookie is set.
On a 0-weight server, users with the cookie still use this server.

Regards,
________
David BERARD

contact(at)davidberard.fr

*   No electrons were harmed in the transmission of this email *



smime.p7s
Description: S/MIME cryptographic signature


Re: HAProxy with native SSL support !

2012-09-04 Thread David BERARD
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

On 04/Sep - 01:37, Willy Tarreau  wrote:
>| Have a lot of fun and please report your success/failures,
>| Willy

Thanks a lot for this useful feature. It works well on a dual PPC64 Linux 
server.

I wrote a small patch to add the SSL_OP_CIPHER_SERVER_PREFERENCE OpenSSL option
to the frontend when the 'prefer-server-ciphers' keyword is set.


https://0x1.fr/files/patchs/haproxy-ss-20120904_prefer_server_ciphers.patch

Example :

bind 10.11.12.13 ssl /etc/haproxy/ssl/cert.pem ciphers 
RC4:HIGH:!aNULL:!MD5 prefer-server-ciphers

This option mitigates the effect of the BEAST attack (as I understand it), and it
is equivalent to:
- the Apache HTTPd SSLHonorCipherOrder option.
- the Nginx ssl_prefer_server_ciphers option.

Maybe it would be useful to add OpenSSL options directly in the haproxy
configuration, like the 'options' keyword in stunnel.

Best regards.
- -- 
________
David BERARD

contact(at)davidberard.fr
GPG|PGP KeyId 0xC8533354
GPG|PGP Key http://davidberard.fr/C8533354.gpgkey

*   No electrons were harmed in the transmission of this email *
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAlBF/uAACgkQOL7fhchTM1Q0PQCgqbxmjbxKokJ2dFX28dbfjml4
KOcAnja+g7reSbHJVub8P4HYrcz1Q/TG
=PD86
-----END PGP SIGNATURE-----



Re: ha proxy Nagios plugin

2012-05-31 Thread David BERARD
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

>| >> >Also, it seems to rely only on the HTTP socket. Do you think
>| >> >it can easily be adapted to also support the unix socket, which
>| >> >is global and does not require opening a TCP port ?
>| >>
>| >> The plugin works with Nagios which is not installed on the same host. So a
>| >> remote access in a way or other is mandatory.
>| >
>| > hey, that obviously makes sense !

If the nagios NRPE plugin is used, the check script can be on the same host.
The use of unix socket is simpler in this case.

I've made a patch to support unix socket :
https://github.com/polymorf/check_haproxy

Regards,

- -- 
________
David BERARD

contact(at)davidberard.fr
GPG|PGP KeyId 0xC8533354
GPG|PGP Key http://davidberard.fr/C8533354.gpgkey

*   No electrons were harmed in the transmission of this email *
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAk/HX2EACgkQOL7fhchTM1RetQCZAUpURrnQcXjPlqqhE2N9drgw
yz8An1dilDEavCSbX/OE0I5KQ0GK1dmA
=pAgu
-----END PGP SIGNATURE-----



Re: ha proxy Nagios plugin

2012-05-31 Thread David BERARD
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

>| >> >Also, it seems to rely only on the HTTP socket. Do you think
>| >> >it can easily be adapted to also support the unix socket, which
>| >> >is global and does not require opening a TCP port ?
>| >>
>| >> The plugin works with Nagios which is not installed on the same host. So a
>| >> remote access in a way or other is mandatory.
>| >
>| > hey, that obviously makes sense !

If the nagios NRPE plugin is used, the check script can be on the same host.
The use of the unix socket is simpler in this case.

I've made a patch to support unix socket :
https://github.com/polymorf/check_haproxy

Regards,
- -- 
________
David BERARD

contact(at)davidberard.fr
GPG|PGP KeyId 0xC8533354
GPG|PGP Key http://davidberard.fr/C8533354.gpgkey

*   No electrons were harmed in the transmission of this email *
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAk/HPmcACgkQOL7fhchTM1S7GgCfYjZqPvugnKv3g79TH9cj6IYj
YWcAoKh+QFcndetSBta1Dwbp5APiFuFw
=ZpSc
-----END PGP SIGNATURE-----
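A worked example added here, covering both copies of this message above, of what a check run locally through NRPE can do with the unix stats socket: send "show stat", parse the CSV by column name, and map server states to a Nagios exit code. It is not the check_haproxy plugin's code. The socket path is hypothetical (HAProxy needs a "stats socket <path>" line in its global section), the sample CSV is constructed, and the evaluation is separated from the socket I/O so it runs on that sample without a live HAProxy.

```c
/* Added example, not the check_haproxy plugin's code. Column positions are
 * looked up from the header row rather than hard-coded, so the check keeps
 * working when HAProxy adds columns to "show stat". */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

enum { NAGIOS_OK = 0, NAGIOS_WARNING = 1, NAGIOS_CRITICAL = 2, NAGIOS_UNKNOWN = 3 };

/* Constructed sample in the shape of "show stat" output (header, then one
 * row per frontend, server and backend, trailing comma included). */
const char SAMPLE_STATS[] =
    "# pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,wretr,wredis,status,weight,\n"
    "ddos,FRONTEND,0,0,0,1,2000,4,360,920,0,0,0,,,,,OPEN,,\n"
    "ddos,myserver,0,0,0,1,,4,360,920,,0,,0,0,0,0,UP,1,\n"
    "ddos,backup1,0,0,0,0,,0,0,0,,0,,0,0,0,0,DOWN,1,\n"
    "ddos,BACKEND,0,0,0,1,2000,4,360,920,0,0,,0,0,0,0,UP,1,\n";

/* 0-based index of a column name in the "# pxname,svname,..." header, -1 if absent. */
static int column_index(const char *header, const char *name)
{
    const char *p = header + (strncmp(header, "# ", 2) == 0 ? 2 : 0);
    size_t want = strlen(name);
    int idx;
    for (idx = 0; ; idx++, p++) {
        const char *end = strchr(p, ',');
        size_t n = end ? (size_t)(end - p) : strlen(p);
        if (n == want && strncmp(p, name, n) == 0)
            return idx;
        if (!end)
            return -1;
        p = end;
    }
}

/* Pointer to and length of field idx of one NUL-terminated CSV line, NULL if missing. */
static const char *field(const char *line, int idx, size_t *len)
{
    const char *end;
    for (; idx > 0; idx--) {
        if (!(line = strchr(line, ',')))
            return NULL;
        line++;
    }
    for (end = line; *end && *end != ','; end++)
        ;
    *len = (size_t)(end - line);
    return line;
}

/* CRITICAL if any server is DOWN, WARNING if one is in MAINT or NOLB, OK
 * otherwise; UNKNOWN when no header row was seen, so nothing can be judged. */
int evaluate_stats(const char *csv)
{
    char line[4096];
    int status_col = -1, svname_col = -1, worst = NAGIOS_OK;
    while (*csv) {
        const char *nl = strchr(csv, '\n'), *sv, *st;
        size_t n = nl ? (size_t)(nl - csv) : strlen(csv), sl, stl;
        if (n >= sizeof line)
            n = sizeof line - 1;
        memcpy(line, csv, n);
        line[n] = '\0';
        csv = nl ? nl + 1 : csv + n;
        if (line[0] == '#') {                  /* header row: locate columns by name */
            status_col = column_index(line, "status");
            svname_col = column_index(line, "svname");
            continue;
        }
        if (line[0] == '\0' || status_col < 0 || svname_col < 0)
            continue;
        sv = field(line, svname_col, &sl);
        st = field(line, status_col, &stl);
        if (!sv || !st || (sl == 8 && !memcmp(sv, "FRONTEND", 8)) || (sl == 7 && !memcmp(sv, "BACKEND", 7)))
            continue;                          /* only real servers count */
        if (stl >= 4 && !memcmp(st, "DOWN", 4))
            worst = NAGIOS_CRITICAL;           /* covers transitional "DOWN 1/2" too */
        else if ((stl >= 5 && !memcmp(st, "MAINT", 5)) || (stl >= 4 && !memcmp(st, "NOLB", 4)))
            worst = worst > NAGIOS_WARNING ? worst : NAGIOS_WARNING;
    }
    return status_col < 0 ? NAGIOS_UNKNOWN : worst;
}

/* Send "show stat" to the unix stats socket at path (hypothetical, e.g. the one
 * named by "stats socket" in haproxy.conf). Returns bytes read, reply
 * NUL-terminated in out, or -1 on any socket error. */
ssize_t fetch_stats(const char *path, char *out, size_t outsize)
{
    struct sockaddr_un sa;
    size_t got = 0;
    ssize_t r;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strncpy(sa.sun_path, path, sizeof sa.sun_path - 1);
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || write(fd, "show stat\n", 10) != 10) {
        close(fd);
        return -1;
    }
    while (got + 1 < outsize && (r = read(fd, out + got, outsize - got - 1)) > 0)
        got += (size_t)r;
    close(fd);
    out[got] = '\0';
    return (ssize_t)got;
}
```

As an NRPE check the program would call fetch_stats() with the socket path, pass the reply to evaluate_stats(), print a one-line summary and exit with the returned code; a failed fetch maps to NAGIOS_UNKNOWN rather than OK so a missing socket is never reported as healthy. Running evaluate_stats(SAMPLE_STATS) returns NAGIOS_CRITICAL because of the DOWN row, while the BACKEND and FRONTEND rows are ignored on purpose.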