Re: send-proxy on FreeBSD
Hi Willy, Lukas,

Thank you for your quick replies.

2013/9/3 Willy Tarreau:
> It would be nice if you could add a "perror("send_proxy")" just before
> goto out_error. I suspect you're getting ENOTCONN that is correctly
> handled in raw_sock.c but not here.

  ./haproxy -f /usr/local/etc/haproxy.conf -d
  Available polling systems :
       kqueue : pref=300,  test result OK
         poll : pref=200,  test result OK
       select : pref=150,  test result FAILED
  Total: 3 (2 usable), will use kqueue.
  Using kqueue() as the polling mechanism.
  0001:ddos.accept(0004)=0006 from [127.0.0.1:12187]
  0001:ddos.clireq[0006:]: GET / HTTP/1.1
  0001:ddos.clihdr[0006:]: User-Agent: curl/7.31.0
  0001:ddos.clihdr[0006:]: Host: 127.0.0.1
  0001:ddos.clihdr[0006:]: Accept: */*
  send_proxy: Socket is not connected
  0001:ddos.clicls[0006:0007]
  0001:ddos.closed[0006:0007]

> Alternately, could you try the following change :
>
> 471 -    if (errno == EAGAIN)
> 471 +    if (errno == EAGAIN || errno == ENOTCONN)

With this change send-proxy works well :)

Thanks.

--
David BERARD
contact(at)davidberard.fr
GPG|PGP KeyId 0xC8533354
GPG|PGP Key http://davidberard.fr/C8533354.gpgkey
* No electrons were harmed in the transmission of this email *
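Review bot: the new condition on line 471 routes ENOTCONN to out_wait together with EAGAIN, which matches the "send_proxy: Socket is not connected" output above and the handling Willy says already exists in raw_sock.c; a one-line comment next to it, stating that FreeBSD reports ENOTCONN (where Linux reports EAGAIN) when send() runs before a non-blocking connect() has completed, would keep the two sites consistent and stop a later cleanup from treating the extra check as dead code.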
send-proxy on FreeBSD
Hi,

I've an issue with send-proxy on HAProxy-1.5-dev19 running on FreeBSD.
Since dev13 I can't get send-proxy to work on FreeBSD: connections to the
backend server (another haproxy with the accept-proxy bind option) are
immediately closed. Version dev12 works correctly on FreeBSD, and dev19 on
Linux works too.

The connection seems to be closed in stream_interface.c (out_error):

  470     if (ret < 0) {
  471         if (errno == EAGAIN)
  472             goto out_wait;
  473         goto out_error;    <<<<<<
  474     }

  # cat /usr/local/etc/haproxy.conf
  global
      log /var/run/log local0 debug
      maxconn 4096
      uid 99
      gid 99
      daemon

  defaults
      log global
      contimeout 5000
      clitimeout 5
      srvtimeout 5
      retries 0
      option redispatch
      maxconn 2000

  listen ddos 127.0.0.1:80
      mode http
      server myserver X.X.X.X:80 send-proxy

  # ./haproxy -v
  HA-Proxy version 1.5-dev19 2013/06/17
  Copyright 2000-2013 Willy Tarreau

  # ./haproxy -f /usr/local/etc/haproxy.conf -d
  Available polling systems :
       kqueue : pref=300,  test result OK
         poll : pref=200,  test result OK
       select : pref=150,  test result FAILED
  Total: 3 (2 usable), will use kqueue.
  Using kqueue() as the polling mechanism.
  0001:ddos.accept(0004)=0006 from [127.0.0.1:18493]
  0001:ddos.clireq[0006:]: GET / HTTP/1.1
  0001:ddos.clihdr[0006:]: User-Agent: curl/7.31.0
  0001:ddos.clihdr[0006:]: Host: 127.0.0.1
  0001:ddos.clihdr[0006:]: Accept: */*
  0001:ddos.srvcls[0006:0007]
  0001:ddos.clicls[0006:0007]
  0001:ddos.closed[0006:0007]

  # tcpdump
  23:12:17.405476 IP HAPROXY_IP.32958 > SERVER_IP.80: Flags [S], seq 3939228300, win 65535, options [mss 1460,nop,wscale 8,sackOK,TS val 21313989 ecr 0], length 0
  23:12:17.405537 IP SERVER_IP.80 > HAPROXY_IP.32958: Flags [S.], seq 763473061, ack 3939228301, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
  23:12:17.405979 IP HAPROXY_IP.32958 > SERVER_IP.80: Flags [R], seq 3939228301, win 0, length 0

Best Regards,

________
David BERARD
contact(at)davidberard.fr
* No electrons were harmed in the transmission of this email *
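The send-proxy / accept-proxy pair in the configuration above exchanges a PROXY protocol v1 line before any application data, and the receiving side should validate it before trusting the client address it claims. The following is an added example, not HAProxy's code and not from this thread: a builder for the sending side and a validating parser for the receiving side; all function and type names are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/* Constructed example (not HAProxy's code): the PROXY protocol v1 line that
 * "send-proxy" writes before any data and that "accept-proxy" must validate. */
struct proxy_v1 {
    int af;                 /* AF_INET or AF_INET6 */
    char src[46], dst[46];  /* textual addresses as carried on the wire */
    unsigned sport, dport;
};

/* Sender side: format the line. Returns its length, or -1 if out is too small. */
int proxy_v1_build(char *out, size_t size, int af, const char *src, unsigned sport,
                   const char *dst, unsigned dport)
{
    int n = snprintf(out, size, "PROXY %s %s %s %u %u\r\n",
                     af == AF_INET6 ? "TCP6" : "TCP4", src, dst, sport, dport);
    return (n < 0 || (size_t)n >= size) ? -1 : n;
}

/* Receiver side: check every field before trusting the claimed client address.
 * Returns bytes consumed, 0 if the line is not complete yet, -1 if invalid. */
int proxy_v1_parse(const char *buf, size_t len, struct proxy_v1 *p)
{
    char fam[8], line[108];
    unsigned char addr[16];
    int used = 0;
    const char *end = memchr(buf, '\n', len < 107 ? len : 107);

    if (!end)
        return len >= 107 ? -1 : 0;         /* a v1 line never exceeds 107 bytes */
    if (end == buf || end[-1] != '\r')
        return -1;                          /* must end in CRLF */
    memcpy(line, buf, end - buf - 1);
    line[end - buf - 1] = '\0';
    if (sscanf(line, "PROXY %7s %45s %45s %5u %5u%n",
               fam, p->src, p->dst, &p->sport, &p->dport, &used) != 5 || line[used])
        return -1;                          /* wrong field count or trailing junk */
    if (!strcmp(fam, "TCP4"))      p->af = AF_INET;
    else if (!strcmp(fam, "TCP6")) p->af = AF_INET6;
    else                           return -1;  /* "UNKNOWN" is not accepted here */
    if (inet_pton(p->af, p->src, addr) != 1 || inet_pton(p->af, p->dst, addr) != 1)
        return -1;                          /* addresses must parse for that family */
    if (p->sport > 65535 || p->dport > 65535)
        return -1;
    return (int)(end - buf) + 1;
}
```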
Re: add-header and set-header bad header with nginx
Hi Willy,

2012/12/28 Willy Tarreau :
> Hi David,
>
> On Fri, Dec 28, 2012 at 01:46:32AM +0100, David BERARD wrote:
>> Hi,
>>
>> I started to evaluate the new add-header/set-header option and encountered
>> issues.
>> I use nginx as web server behind HAProxy, and nginx replies 400 bad
>> request at every request.
>>
>> The header set with add-header/set-header is malformed, I have a null
>> character before the end of the line, for example :
>>
>> http-request set-header X-SSL-TOTO %[ssl_fc]
>>
>> sets the following header : X-SSL-TOTO: 1\000\r\n
>>
>> The length of the header value seems too big, the following workaround fixes
>> this issue (not optimal I know):
>
> OK I see what's happening. I'd rather fix the root cause of this issue,
> it's build_logline() which returns an ambiguous length.
>
> Could you please try the attached patch instead ? It works for me right
> here.

Works for me too. Thanks :)

--
David BERARD
contact(at)davidberard.fr
* No electrons were harmed in the transmission of this email *
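The bug in this thread is a length off by one: the expander NUL-terminates its output and the returned length counts that terminator, so the stray byte ends up inside the header before CRLF and a strict parser such as nginx rejects the request. The following is an added example, not HAProxy's code and not the patch from the thread: a constructed expander that can model either return convention, the header assembly, and the check an upstream server applies; expand_value, build_header, header_is_clean and demo_ssl_header are all constructed names.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a log-format expander such as build_logline(): writes
 * the value, NUL-terminates, and returns a length that either counts the
 * terminator (count_nul != 0, the ambiguous case from the thread) or does not. */
static size_t expand_value(char *dst, size_t size, const char *value, int count_nul)
{
    size_t len = strlen(value);
    if (len >= size)
        len = size - 1;                   /* truncate, keep room for the NUL */
    memcpy(dst, value, len);
    dst[len] = '\0';
    return count_nul ? len + 1 : len;
}

/* Assemble "<name>: <value>\r\n" as an add-header rule does; returns the byte
 * count that would be forwarded to the server, or -1 when buf is too small. */
int build_header(char *buf, size_t size, const char *name, const char *value, int count_nul)
{
    size_t len = strlen(name);
    if (len + strlen(value) + 5 > size)   /* ": " + value + NUL + CRLF */
        return -1;
    memcpy(buf, name, len);
    buf[len++] = ':'; buf[len++] = ' ';
    len += expand_value(buf + len, size - len, value, count_nul);
    buf[len++] = '\r'; buf[len++] = '\n';
    return (int)len;
}

/* What a strict upstream parser (nginx in the thread) enforces: CRLF-terminated
 * and no NUL or other control byte before it. 1 = clean, 0 = rejected. */
int header_is_clean(const char *buf, int len)
{
    if (len < 2 || buf[len - 2] != '\r' || buf[len - 1] != '\n')
        return 0;
    for (int i = 0; i < len - 2; i++)
        if ((unsigned char)buf[i] < 0x20 || buf[i] == 0x7f)
            return 0;
    return 1;
}

/* The thread's example header: returns its wire length, negated when the strict
 * check would reject it (16 bytes with the stray NUL -> -16; fixed -> 15). */
int demo_ssl_header(int count_nul)
{
    char buf[64];
    int n = build_header(buf, sizeof buf, "X-SSL-TOTO", "1", count_nul);
    return n < 0 ? n : header_is_clean(buf, n) ? n : -n;
}
```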
add-header and set-header bad header with nginx
Hi,

I started to evaluate the new add-header/set-header option and encountered
issues.
I use nginx as web server behind HAProxy, and nginx replies 400 bad
request at every request.

The header set with add-header/set-header is malformed, I have a null
character before the end of the line, for example :

  http-request set-header X-SSL-TOTO %[ssl_fc]

sets the following header : X-SSL-TOTO: 1\000\r\n

The length of the header value seems too big, the following workaround fixes
this issue (not optimal I know):

diff --git a/src/proto_http.c b/src/proto_http.c
index 535c159..eb10213 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -3112,7 +3112,7 @@ http_check_access_rule(struct proxy *px, struct list *rules, struct session *s,
 			trash.str[trash.len++] = ':';
 			trash.str[trash.len++] = ' ';
 			trash.len += build_logline(s, trash.str + trash.len, trash.size - trash.len, &rule->arg.hdr_add.fmt);
-			http_header_add_tail2(&txn->req, &txn->hdr_idx, trash.str, trash.len);
+			http_header_add_tail2(&txn->req, &txn->hdr_idx, trash.str, trash.len-1);
 			break;
 		}
 	}

--
David BERARD
contact(at)davidberard.fr
* No electrons were harmed in the transmission of this email *
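Review bot: the `trash.len-1` passed to http_header_add_tail2() compensates in a single caller for build_logline() counting its terminating NUL in the length it returns (the `1\000\r\n` shown above); that hides the root cause and would silently drop the last real byte of the value as soon as build_logline() is corrected, so the length returned by build_logline() should be fixed instead, which is what the reply in this thread does.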
[PATCH] Change is_ssl acl to ssl_fc acl in example
---
 doc/configuration.txt |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 949a383..225acb7 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -4349,7 +4349,7 @@ redirect scheme[code ] [{if | unless} ]
         redirect code 301 prefix / drop-query append-slash if missing_slash
 
   Example: redirect all HTTP traffic to HTTPS when SSL is handled by haproxy.
-        redirect scheme https if !{ is_ssl }
+        redirect scheme https if !{ ssl_fc }
 
   See section 7 about ACL usage.
-- 
1.7.2.5
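Review bot: the patch carries only its subject line and no body; since it renames an ACL in user-facing documentation, a one-line body saying that `is_ssl` is replaced by `ssl_fc` (the fetch name used elsewhere in this archive, e.g. `%[ssl_fc]` in the add-header thread) would help anyone reading the history, and the same commit should cover any other remaining `is_ssl` occurrences in doc/configuration.txt so the documentation is consistent in one step.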
SSL OCSP Stapling
Hi HAProxy list members,

Is anybody working on an OCSP Stapling implementation for HAProxy ?
If nobody is working on it, I'm interested.

Do you think this is an interesting feature for HAProxy ?

Regards,
David

--
David BERARD
contact(at)davidberard.fr
GPG|PGP KeyId 0xC8533354
GPG|PGP Key http://davidberard.fr/C8533354.gpgkey
* No electrons were harmed in the transmission of this email *
Re: disable server vs 0% weight on server for rolling deploys?
Hi,

On 22 Sept 2012 at 10:49, Baptiste wrote:
> Disable means that the server won't be used anymore by the
> load-balance algorithm, hence it won't receive any new connections.
> Sticky connections are still routed to this server, for a graceful shutdown.
> Setting the weight to 0 would have the same effect.

If cookies are used to keep users on the same server, there is a difference
between a 0-weight server and a disabled server. On a disabled server users
will be redirected to another server, even if the cookie is set. On a 0-weight
server, users with the cookie still use this server.

Regards,

________
David BERARD
contact(at)davidberard.fr
* No electrons were harmed in the transmission of this email *
Re: HAProxy with native SSL support !
Hi,

On 04/Sep - 01:37, Willy Tarreau wrote:
> Have a lot of fun and please report your success/failures,
> Willy

Thanks a lot for this useful feature. It works well on a dual PPC64 Linux server.

I wrote a small patch to add the SSL_OP_CIPHER_SERVER_PREFERENCE OpenSSL option
to the frontend if the 'prefer-server-ciphers' keyword is set.

https://0x1.fr/files/patchs/haproxy-ss-20120904_prefer_server_ciphers.patch

Example :

  bind 10.11.12.13 ssl /etc/haproxy/ssl/cert.pem ciphers RC4:HIGH:!aNULL:!MD5 prefer-server-ciphers

This option mitigates the effect of the BEAST attack (as I understand it), and
it is equivalent to :
- the Apache HTTPd SSLHonorCipherOrder option.
- the Nginx ssl_prefer_server_ciphers option.

Maybe it can be useful to add OpenSSL options directly in the haproxy
configuration, as with the 'options' keyword in stunnel.

Best regards.

--
________
David BERARD
contact(at)davidberard.fr
GPG|PGP KeyId 0xC8533354
GPG|PGP Key http://davidberard.fr/C8533354.gpgkey
* No electrons were harmed in the transmission of this email *
Re: ha proxy Nagios plugin
Hi,

>>> Also, it seems to rely only on the HTTP socket. Do you think
>>> it can easily be adapted to also support the unix socket, which
>>> is global and does not require opening a TCP port ?
>>
>> The plugin works with Nagios which is not installed on the same host. So a
>> remote access in a way or other is mandatory.
>
> hey, that obviously makes sense !

If the nagios NRPE plugin is used, the check script can be on the same host.
The use of the unix socket is simpler in this case.

I've made a patch to support the unix socket :
https://github.com/polymorf/check_haproxy

Regards,

--
________
David BERARD
contact(at)davidberard.fr
GPG|PGP KeyId 0xC8533354
GPG|PGP Key http://davidberard.fr/C8533354.gpgkey
* No electrons were harmed in the transmission of this email *
Re: ha proxy Nagios plugin
Hi,

>>> Also, it seems to rely only on the HTTP socket. Do you think
>>> it can easily be adapted to also support the unix socket, which
>>> is global and does not require opening a TCP port ?
>>
>> The plugin works with Nagios which is not installed on the same host. So a
>> remote access in a way or other is mandatory.
>
> hey, that obviously makes sense !

If the nagios NRPE plugin is used, the check script can be on the same host.
The use of the unix socket is simpler in this case.

I've made a patch to support the unix socket :
https://github.com/polymorf/check_haproxy

Regards,

--
________
David BERARD
contact(at)davidberard.fr
GPG|PGP KeyId 0xC8533354
GPG|PGP Key http://davidberard.fr/C8533354.gpgkey
* No electrons were harmed in the transmission of this email *