Re: SSL certs loading performance regression
I didn't know about the curves parameter, and I don't see the performance regression with it. I don't really understand why this kind of parameter can influence cert loading time.

Hervé.

On 23/05/2018 at 15:08, Emmanuel Hocdet wrote:
> Hi Hervé,
>
>> On 22 May 2018 at 10:31, Hervé Commowick <herve.commow...@corp.ovh.com> wrote:
>>
>> Hello HAProxy ML,
>>
>> I tracked down a performance regression about loading a bunch of
>> certificates, at least 3x to 5x more time for loading 10 certs since
>> this commit
>> http://git.haproxy.org/?p=haproxy-1.8.git;a=commitdiff;h=f6b37c67be277b5f0ae60438d796ff29ef19be40
>>
>> This regression is 1.8 specific (no issue in 1.6 or 1.7 branch).
>>
>> My bind line:
>> bind 127.0.0.1:1443 ssl crt ssl10k ecdhe secp384r1
>>
>> After some tests with William, it looks like it is also related to the
>> "ecdhe secp384r1" parameter. I don't really understand why, but without
>> this I don't see any regression (and it looks like secp384r1 was
>> effectively working in the old version).
>
> Can you try with the « curves » parameter and not the old « ecdhe »?
>
>> Let me know if I can test something; from 1min30s to 5min has some
>> impacts as you can understand :-)
>
> Manu.
SSL certs loading performance regression
Hello HAProxy ML,

I tracked down a performance regression about loading a bunch of certificates, at least 3x to 5x more time for loading 10 certs since this commit:
http://git.haproxy.org/?p=haproxy-1.8.git;a=commitdiff;h=f6b37c67be277b5f0ae60438d796ff29ef19be40

This regression is 1.8 specific (no issue in 1.6 or 1.7 branch).

My bind line:
bind 127.0.0.1:1443 ssl crt ssl10k ecdhe secp384r1

After some tests with William, it looks like it is also related to the "ecdhe secp384r1" parameter. I don't really understand why, but without this I don't see any regression (and it looks like secp384r1 was effectively working in the old version).

Let me know if I can test something; from 1min30s to 5min has some impacts as you can understand :-)

Hervé.
Re: SSL custom dhparam problem
diff --git a/src/ssl_sock.c b/src/ssl_sock.c index d0f4d01..c5bd2f9 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -1076,10 +1076,6 @@ int ssl_sock_load_dh_params(SSL_CTX *ctx, const char *file) if (dh) { ret = 1; SSL_CTX_set_tmp_dh(ctx, dh); - /* Setting ssl default dh param to the size of the static DH params found in the file. This way we know that there is no use complaining later about ssl-default-dh-param not being set. */ - global.tune.ssl_default_dh_param = DH_size(dh) * 8; } else { /* Clear openssl global errors stack */

On Fri, May 22, 2015 at 10:50 AM, Hervé Commowick her...@gmail.com wrote:
> Hey Willy,
>
> I confirm his patch works as expected, it just needs to be modified a bit to apply on 1.5, but not a big deal.
>
> Hervé.
>
> On Fri, May 22, 2015 at 10:28 AM, Willy Tarreau w...@1wt.eu wrote:
>> Hi Hervé,
>>
>> On Fri, May 22, 2015 at 09:10:36AM +0200, Hervé Commowick wrote:
>>> As a temporary solution, I have decided to use a custom DH param for each bind, but anyway, this clearly needs a fix :)
>>
>> Did you test Rémi's patch to confirm the origin of the issue? I think it should probably be fixed before we issue 1.5.13, so we need to decide quickly what has to be done.
>>
>> Willy
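Review bot: the deleted line `global.tune.ssl_default_dh_param = DH_size(dh) * 8;` in ssl_sock_load_dh_params made loading one certificate file with embedded static DH parameters rewrite a global tuning value, so the size of the last such file loaded became the default for every other bind line that had no static group of its own; that is the cross-bind downgrade to 1024 bits described in this thread, and dropping the side effect is the right fix. The removed comment states that the assignment existed so that a later "ssl-default-dh-param not being set" complaint would not fire; with it gone, check that the code path issuing that complaint still treats a bind whose PEM carries its own DH parameters as configured, otherwise users who deliberately ship static groups will start seeing a spurious warning.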
Re: SSL custom dhparam problem
Hey Willy,

I confirm his patch works as expected, it just needs to be modified a bit to apply on 1.5, but not a big deal.

Hervé.

On Fri, May 22, 2015 at 10:28 AM, Willy Tarreau w...@1wt.eu wrote:
> Hi Hervé,
>
> On Fri, May 22, 2015 at 09:10:36AM +0200, Hervé Commowick wrote:
>> As a temporary solution, I have decided to use a custom DH param for each bind, but anyway, this clearly needs a fix :)
>
> Did you test Rémi's patch to confirm the origin of the issue? I think it should probably be fixed before we issue 1.5.13, so we need to decide quickly what has to be done.
>
> Willy
SSL custom dhparam problem
Hello,

I encounter a problem with dhparam configuration. If I have 2 bind lines, a tune.ssl.default-dh-param 2048, and a custom group dhparam in one of the pem files, ALL bind lines will use 1024: the one with the custom group will work as expected, and the one without will use the default Oakley group 2 instead of the 2048-bit MODP group 14 (thx Remi for the wording, I'm not sure to well understand all of that :)).

Here is a test config which will fail for 1.1.1.2:443:

global
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    ssl-default-bind-options no-sslv3
    tune.ssl.default-dh-param 2048
    tune.ssl.maxrecord 1419
    tune.ssl.cachesize 5
    tune.ssl.lifetime 600

frontend foo
    bind 1.1.1.1:443 ssl crt certs_with_static_1024_dhparam.pem
    bind 1.1.1.2:443 ssl crt cert_without_static_dhparam.pem

This is clearly a bug IMHO, thx anyone who can help (Remi ? :) )

Hervé C.
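To find out which certificate bundles carry static DH parameters, and how big they are, before they are handed to bind lines, here is an added Python checker. It is not HAProxy code and not from this thread. It locates the PKCS#3 `DH PARAMETERS` block in a PEM file and decodes the DER by hand (a SEQUENCE of two INTEGERs, p then g), so it needs no OpenSSL binding; `effective_dh_bits` models the per-bind behaviour the thread asks for (a static group applies only to the bind whose file contains it, every other bind keeps tune.ssl.default-dh-param). The bind addresses, the placeholder certificate and the 1024-bit integer used as a group are all constructed for the demonstration; that integer is not a real DH group and is only there to exercise the size reporting.

```python
"""Audit HAProxy certificate bundles for embedded static DH parameters.

Added example for this thread, not HAProxy code. Parses the PKCS#3
"DH PARAMETERS" PEM block (DER: SEQUENCE { INTEGER p, INTEGER g })
without any third-party library and reports the group size per bind.
"""
import base64
import re

PEM_DH_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----\s*(.*?)\s*-----END DH PARAMETERS-----", re.S)


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def dh_param_bits(pem_text):
    """Bit length of the DH prime embedded in pem_text, or None when the bundle has none."""
    m = PEM_DH_RE.search(pem_text)
    if not m:
        return None
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DH PARAMETERS is not a DER SEQUENCE")
    tag, p_bytes, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("first element of DH PARAMETERS is not an INTEGER")
    # DER integers are two's complement; a real p carries a leading 0x00 when its top bit is set.
    return int.from_bytes(p_bytes, "big", signed=True).bit_length()


def effective_dh_bits(pem_text, default_dh_param):
    """Group size a bind ends up with when static params only affect their own bind."""
    embedded = dh_param_bits(pem_text)
    return embedded if embedded is not None else default_dh_param


def audit_binds(binds, default_dh_param):
    """binds: {bind_address: pem_text} -> {bind_address: (embedded_bits, effective_bits)}."""
    return {addr: (dh_param_bits(pem), effective_dh_bits(pem, default_dh_param))
            for addr, pem in binds.items()}


# --- constructed sample input (helpers only build the demo bundles) ----------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_int(value):
    """DER INTEGER for a non-negative value; the extra byte keeps the sign bit clear."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def build_dh_pem(p, g=2):
    """Wrap (p, g) as a PKCS#3 DH PARAMETERS PEM block (sample-building helper)."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{lines}\n-----END DH PARAMETERS-----\n"


# Constructed 1024-bit odd integer standing in for a real group: only its size
# matters here. It is NOT a safe prime and must never be used for actual DH.
SAMPLE_P_1024 = (1 << 1023) | 0x12345 | 1
CERT_PLACEHOLDER = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"

SAMPLE_BINDS = {
    "1.1.1.1:443": CERT_PLACEHOLDER + build_dh_pem(SAMPLE_P_1024),  # static 1024-bit group
    "1.1.1.2:443": CERT_PLACEHOLDER,                                 # no static params
}

if __name__ == "__main__":
    for addr, (embedded, effective) in audit_binds(SAMPLE_BINDS, 2048).items():
        print(f"{addr}: embedded={embedded} effective={effective}")
```

Run against real bundles by reading each `crt` file into the `binds` dict; a bind that reports a smaller effective size than tune.ssl.default-dh-param is one whose PEM carries its own static group. The parser handles the PKCS#3 block that `openssl dhparam` writes; X9.42 parameter blocks use a different structure and are not recognised.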
Syslog message size
Hello list,

After some discussion in the #haproxy channel about MAX_SYSLOG_LEN, I think we should raise this default value from 1024 to 2048. Multiple arguments for that:

RFC5426 (http://tools.ietf.org/html/rfc5426#section-3.2) encourages all receivers to support up to 2048 and recommends that syslog senders restrict message sizes such that IP datagrams do not exceed the smallest MTU of the network in use. In our case, the network almost all of us use is loopback, as we usually chain on the loopback, then forward logs into the wild if we need. Loopback MTU is 16346, so no limitation here.

Syslog daemons used by default in GNU/Linux distributions are rsyslog and syslog-ng; RHEL and Debian use rsyslog, SLES uses syslog-ng. All daemons support up to 2048, by default 8192 especially for syslog-ng.
http://www.rsyslog.com/doc/rsyslog_conf_global.html
http://www.balabit.com/sites/default/files/documents/syslog-ng-pe-4.0-guides/en/syslog-ng-pe-v4.0-guide-admin-en/html-single/index.html#idp8428192

Rsyslog guys say that "testing showed that 4k seems to be the typical maximum for UDP based syslog. This is an IP stack restriction. Not always ... but very often."

*BSD (FreeBSD/OpenBSD) support is not so nice, base syslogd supports up to 1024, so maybe we should stick to 1024 only for us.

BTW, I think the best should also be to support a configurable value in configuration, like a tune.syslog.maxlength or something like that.

Hervé.

--
Hervé COMMOWICK
Systems and network engineer.
http://www.rezulteo.com by Lizeo Online Media Group
http://www.lizeo-online-media-group.com/
42 quai Rambaud - 69002 Lyon (France) ⎮ ☎ +33 (0)4 26 99 03 77
Re: Debian/Ubuntu packages for HAProxy
Hello,

To begin, thanks Vincent and the Debian HAProxy team for doing this, it will definitely help reduce rolling questions about haproxy 1.4.8.

Something I do in my personal package is to include the halog tool, which is in the contrib directory; it would be great if you can include that too.

Thx!

Hervé.

On 06/19/2013 11:36 PM, Vincent Bernat wrote:
> ❦ 8 June 2013 00:49 CEST, hapr...@serverphorums.com:
>
>> While it's great to have more Ubuntu packages, especially for the dev version, I took a look at the Ubuntu ecosystem and basically all the packages are missing the USE_ZLIB to enable gzip compression.
>
> Gzip compression has been added to the latest uploads.

--
Hervé COMMOWICK
Systems and network engineer.
http://www.rezulteo.com by Lizeo Online Media Group
http://www.lizeo-online-media-group.com/
42 quai Rambaud - 69002 Lyon (France) ⎮ ☎ +33 (0)4 26 99 03 77
Re: haproxy mysql-check
On 06/18/2013 09:29 AM, Jayadevan M wrote:
> [...]
>
> CREATE USER monitor@haproxy_ip IDENTIFIED WITH 'mysql_native_password';
>
> Verify it is working by doing:
>
> select plugin from mysql.user where user='monitor' \G
> *** 1. row ***
> plugin: mysql_native_password
> 1 row in set (0.00 sec)
>
> I moved to the latest version of HAProxy and now it is working. Need to do some more testing. Thanks for all the input/directions.
>
> Regards,
> Jayadevan

Did you change the authentication plugin to make it work? If this is due to the auth plugin, we definitely need to update the documentation.

Regards,
Hervé.

--
Hervé COMMOWICK
Systems and network engineer.
http://www.rezulteo.com by Lizeo Online Media Group
http://www.lizeo-online-media-group.com/
42 quai Rambaud - 69002 Lyon (France) ⎮ ☎ +33 (0)4 26 99 03 77
Re: haproxy mysql-check
Ok so it looks like the changes I made a while ago to support mysql >= 5.5 must be ok since haproxy 1.4.16:
http://git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=212f778d6

Regards,
Hervé.

On 06/18/2013 12:01 PM, Jayadevan M wrote:
>> Did you change the authentication plugin to make it work? If this is due to the auth plugin, we definitely need to update the documentation.
>
> I did. But that did not help. So I used the latest version of HAProxy. That worked. This is the status now -
>
> mysql> select distinct user,HOST,plugin from mysql.user ;
> +---------+-----------+--------+
> | user    | HOST      | plugin |
> +---------+-----------+--------+
> | root    | localhost |        |
> | root    | 127.0.0.1 |        |
> | root    | ::1       |        |
> |         | localhost |        |
> | root    | %         |        |
> | galaxy  | %         |        |
> | haproxy | %         |        |
> +---------+-----------+--------+
>
> Regards,
> Jayadevan

--
Hervé COMMOWICK
Systems and network engineer.
http://www.rezulteo.com by Lizeo Online Media Group
http://www.lizeo-online-media-group.com/
42 quai Rambaud - 69002 Lyon (France) ⎮ ☎ +33 (0)4 26 99 03 77
Re: SSL OCSP Stapling
OCSP is obviously enabled, but not OCSP stapling.

On 11/07/2012 05:18 PM, joris dedieu wrote:
> 2012/11/7 Hervé COMMOWICK herve.commow...@lizeo-group.com:
>> As of now, on the client side, it is only working on IE9 (not before, not after) and Opera, not so common...
>
> It's been enabled in Firefox for a long time (Edit / Preference / Advanced / Encryption / Validation, or search ocsp in about:config). See: https://bugzilla.mozilla.org/show_bug.cgi?id=110161
>
>> Look at this: http://www.imperialviolet.org/2012/02/05/crlsets.html for Google's thoughts. Short: "On this basis, we're currently planning on disabling online revocation checks in a future version of Chrome. (There is a class of higher-security certificate, called an EV certificate, where we haven't made a decision about what to do yet.)"
>>
>> And this: https://bugzilla.mozilla.org/show_bug.cgi?id=360420#c10 for Mozilla's thoughts. Short: "it's busted by design. It can only carry a single response and hardly any sites have only one OCSP certificate in their chain these days. So it doesn't eliminate the OCSP lookup delay, which is its primary attraction."
>>
>> Hervé C.
>>
>> On 11/06/2012 11:02 PM, Willy Tarreau wrote:
>>> Hi Lukas,
>>>
>>> On Tue, Nov 06, 2012 at 04:57:59PM +0100, Lukas Tribus wrote:
>>>> Don't know if it helps without some knowledge of the nginx source code, but here [1] you can find the patches applied to nginx to introduce ocsp support.
>>>
>>> Thanks for the pointer. Anyway as you suspect, source code alone doesn't tell much about the real benefits to expect from this feature, nor how it's supposed to be used (especially by clients).
>>>
>>>> It doesn't seem to be trivial to implement though, because you also need to run (at regular intervals) an OCSP query towards the CA's OCSP server...
>>>
>>> Amusingly, running a task at regular intervals is the easiest part to do, it's just like health checks. We could decide to dedicate such a task per stapling-enabled bind line and it would not be much of an issue. The overhead would not even be measurable if we were working at insane refresh rates.
>>>
>>> What's unclear to me is how many clients do support this nowadays, how many servers do, whether or not users are willing to allow outgoing connections to fetch such cert statuses, whether or not non-stapling aware clients would be impacted by the feature (eg: increased handshake size due to advertised extension and data to everyone) etc...
>>>
>>> I think we need to take more time to study this in details, but until someone comes with a detailed description of what this will bring to his site, I'm not sure anyone will spend more time on this :-/
>>>
>>> Regards,
>>> Willy

--
Hervé COMMOWICK
Systems and network engineer.
http://www.rezulteo.com by Lizeo Online Media Group
http://www.lizeo-online-media-group.com/
42 quai Rambaud - 69002 Lyon (France) ⎮ ☎ +33 (0)4 63 05 95 30
Re: Haproxy ssl-hello-chk and check
Hello Kevin,

You didn't set the check port, and as you specify the server address without a port number on the server line, it can't work. Add "check port 3389" on each server line, but I think you can't use persist rdp-cookie if you want to use TLS as in http://support.microsoft.com/kb/895433, because Haproxy will not be able to see the RDP Cookies...

Hervé.

On 10/22/2012 03:34 PM, Kevin COUSIN wrote:
> Hi,
>
> I just set up an HAProxy for a RDS platform. I must set the ssl-hello-chk option to get it to work, but I can't set server check options with ssl-hello-chk, haproxy said:
> haproxy[5059]: backend FARM has no server available.
> Is it normal? Here is my conf:
>
> global
>     log 127.0.0.1 local4
>     maxconn 65535
>     ulimit-n 131085
>
> defaults
>     log global
>     clitimeout 1h
>     srvtimeout 1h
>
> frontend Frontal-RDS
>     bind :3389,:135,:139
>     default_backend FARM
>     # Options
>     tcp-request inspect-delay 5s
>     tcp-request content accept if RDP_COOKIE
>     timeout client 1h
>     monitor-net 10.20.20.248/29
>
> backend FARM
>     mode tcp
>     persist rdp-cookie
>     balance rdp-cookie
>     #balance leastconn
>     timeout connect 4s
>     log 127.0.0.1 local4
>     option redispatch
>     option tcpka
>     option tcplog
>     # For secured RDP connections?
>     option ssl-hello-chk
>     timeout server 1h
>     # sticky persistence
>     #stick-table type string len 32 size 10k expire 1d
>     #stick on rdp-cookie
>     server SRV1 SRV1.local weight 1
>     server SRV2 SRV2.local weight 1
>
> listen stats :1936
>     mode http
>     stats enable
>     stats hide-version
>     stats realm Haproxy\ Statistics
>     stats uri /
>     stats auth user:secret
>
> Kevin C.

--
Hervé COMMOWICK
Systems and network engineer.
http://www.rezulteo.com by Lizeo Online Media Group
http://www.lizeo-online-media-group.com/
42 quai Rambaud - 69002 Lyon (France) ⎮ ☎ +33 (0)4 63 05 95 30
Re: HAProxy with native SSL support !
What great news! Let's go testing on internal applications. Congrats to the Exceliance team!

Hervé.

On 09/04/2012 08:12 AM, Willy Tarreau wrote:
> Just for the few who have already downloaded it, I have re-uploaded the snapshot with a fix (I failed my attempt at automatically renaming it so it ended up with the same name). There was a bug affecting the combination of accept-proxy + ssl which I just fixed.
>
> Regards,
> Willy

--
Hervé COMMOWICK
Systems and network engineer.
http://www.rezulteo.com by Lizeo Online Media Group
http://www.lizeo-online-media-group.com/
42 quai Rambaud - 69002 Lyon (France) ⎮ ☎ +33 (0)4 63 05 95 30
Re: SSL farm
Or you may use the PROXY protocol and set send-proxy in your haproxy configuration, and ask stud to merge this: https://github.com/bumptech/stud/pull/81

Hervé.

On 05/22/2012 05:48 PM, Allan Wind wrote:
> I read through the last 6 months of archive and the usual answer for SSL support is put nginx/stunnel/stud in front. This, as far as I can tell, means a single server handling SSL, and this is what http://haproxy.1wt.eu/#desi suggests is a non-scalable solution.
>
> You can obviously configure haproxy to route ssl connections to a farm via the tcp mode, but you then lose the client IP. The transparent keyword is promising but apparently requires the haproxy box to be the gateway. Not sure that is possible with our cloud environment.
>
> I understand from: http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html#setting-a-session-cache-with-apache-nginx that session reuse (i.e. mod_gnutls in our case) would need to be configured on the backend to permit ssl resume.
>
> But how do you go about distributing traffic to a ssl farm without losing the client IP?
>
> /Allan

--
Hervé COMMOWICK
Systems and network engineer.
http://www.rezulteo.com by Lizeo Online Media Group
http://www.lizeo-online-media-group.com/
42 quai Rambaud - 69002 Lyon (France) ⎮ ☎ +33 (0)4 63 05 95 30
Re: SSL farm
No, you may have multiple stud.

On 05/23/2012 04:12 PM, Allan Wind wrote:
> On 2012-05-23 11:42:24, Hervé COMMOWICK wrote:
>> Or you may use the PROXY protocol and set send-proxy in your haproxy configuration and ask stud to merge this: https://github.com/bumptech/stud/pull/81
>
> This is the single ssl server configuration that I explicitly wanted to avoid. Right?
>
> /Allan

--
Hervé COMMOWICK
Systems and network engineer.
http://www.rezulteo.com by Lizeo Online Media Group
http://www.lizeo-online-media-group.com/
42 quai Rambaud - 69002 Lyon (France) ⎮ ☎ +33 (0)4 63 05 95 30
Re: Sync of sessions..
Hello Joakim,

What is synced is the persistence (stick) table, not the TCP sessions; haproxy doesn't do this, as it is the kernel's job to maintain sessions. However, I know some guys who use keepalived with the syncd feature to do that, but I never made a test myself...
http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.server_state_sync_demon.html

Btw, HTTP traffic is really small requests and is not really affected by TCP connection breakage, so there is really little need for this kind of trick unless you have mainly long HTTP requests or RDP connections, or something that really needs never-disconnected TCP connections.

Regards,
Hervé.

On 05/04/2012 09:11 AM, Joakim Ohlsson wrote:
> Hi,
>
> I have a question about replication of sessions. I have two haproxy servers (haproxy1 and haproxy2) and try to replicate the sessions with the new feature Peers in version 1.5. It seems to work fine and I can see the entries in the stick tables on both my servers. My hope on this is not to lose my session/connection even if one of the haproxy servers is going down. For example, I have established a session via haproxy1 and this server is going down. I have a virtual ip and this is now moved to haproxy2. Is it possible to not lose the established session between the client and the backend in this case? I have tried this but the session is disconnected, unfortunately.
>
> Thanks in advance
>
> Br
> Joakim

--
Hervé COMMOWICK
Systems and network engineer.
http://www.rezulteo.com by Lizeo Online Media Group
http://www.lizeo-online-media-group.com/
42 quai Rambaud - 69002 Lyon (France) ⎮ ☎ +33 (0)4 63 05 95 30
Re: Problem: host header keeps the IP of the HAProxy server
reqrep yoursearch yourstring if { srv_id idofyourserver }

The server's id can be forced with the id keyword if needed.

Regards,
Hervé.

On Thu, 11 Aug 2011 13:22:36 +0300 Ran S r...@sheinberg.net wrote:
> Well, I have no idea if this mailing list is active, as I have gotten no response, but I'll give it another try.
>
> I managed to change the Host header using ReqRep successfully. However, now I am in a state where one of the backends needs this change, and the other one doesn't. How would I go about configuring this? If I put the two backends under one backend node, they both get the ReqRep parameter, and then one of the servers can't work with the replaced host header. If I put them in two backend nodes, how can I get the frontend node to balance between the two? This appears to be the correct way but I can't find the right command.
>
> Thanks
>
> On Wed, Aug 10, 2011 at 5:00 PM, Ran S r...@sheinberg.net wrote:
>> Hello all,
>>
>> I am trying to use HAProxy for the following configuration:
>> Two Linux servers (node1, node2) running apache (on port 85) and squid and acting as Proxy servers to the Internet.
>> I installed HAProxy on node1, and configured it to listen to port 80, and have the backends in their respective apache port 85.
>>
>> While node1 is the only active server in the backend servers list, I can make a request to node1:80 and it will be successfully redirected to the apache port and returned to me. However while node2 is the only active backend server, this flow will fail and I will simply get a blank page with HTTP 200.
>>
>> I think I know why that is. When sniffing on node1, I can see the following request flow:
>> 1. My browser making the web request to node1:80
>> 2. Node1 making the request to node2. But, this is where the problem comes in. The source IP is node1, the destination IP is node2, however the Host in this request is the node1 IP address.
>>
>> So, since the node2 backend server is actually a proxy server, it will take the IP address from the Host header it received and make a request to node1 (since it has it in the request's Host header) and the failure will come in.
>>
>> So I guess what I'm asking is what would be the correct option to use in HAproxy in order to have this set up the right way.
>>
>> I copied the configuration file from one of the examples and trimmed it down to the very basic so I can eliminate anything that's causing the problems, so here it is:
>>
>> global
>>     daemon
>>     maxconn 256
>>
>> defaults
>>     mode http
>>     timeout connect 5000ms
>>     timeout client 5ms
>>     timeout server 5ms
>>     balance roundrobin
>>     option forwardfor
>>
>> frontend http-in
>>     bind *:80
>>     default_backend servers
>>
>> backend servers
>>     server node1name node1ip:85
>>
>> Many thanks in advance for any help! Please let me know if you need any more information.
>>
>> Thanks,
>> Ran

--
Hervé COMMOWICK, EXOSEC (http://www.exosec.fr/)
ZAC des Metz - 3 Rue du petit robinson - 78350 JOUY EN JOSAS
Tel: +33 1 30 67 60 65 - Fax: +33 1 75 43 40 70
mailto:hcommow...@exosec.fr
Re: HAProxy Response time performance
As I said, it is not yet released, get the snapshot or wait a week.

Hervé.

On Thu, 9 Jun 2011 17:43:51 +0800 Igor j...@owind.com wrote:
> Can't find 1.4.16 at http://haproxy.1wt.eu/download/1.4/src/ ?
>
> Bests,
> -Igor
>
> 2011/6/9 Hervé COMMOWICK hcommow...@exosec.fr:
>> Hello Matt,
>>
>> You need to activate logging to see what occurs to your requests; you can use the halog tool (in the contrib folder) to filter out fast requests.
>>
>> Other things you can enable to reduce latency are:
>> option tcp-smart-accept
>> option tcp-smart-connect
>>
>> and finally you can test:
>> option splice-response
>>
>> But this one will be dependent on your kind of traffic.
>>
>> The next release 1.4.16 has some improvements in latency (http://www.mail-archive.com/haproxy@formilux.org/msg05080.html), I think you can give it a try; take the daily snapshot for this.
>>
>> Regards,
>> Hervé.
>>
>> On Wed, 8 Jun 2011 23:57:38 -0700 Matt Christiansen ad...@nikore.net wrote:
>>> Hello,
>>>
>>> I am wanting to move to HAProxy for my load balancing solution. Overall I have been greatly impressed with it. It has way more throughput and can handle way more connections than our current LB solution (nginx). I have been noticing one issue in all of our tests though: it seems like the TP99.9 (and greater) of response times is much MUCH higher than nginx and we have a lot of outliers.
>>>
>>> Our test makes a call to the VIP and times the time it takes to receive the data back, then pauses for a sec or two and makes the next response. In both of the sample results below I did 2000 requests.
>>>
>>> HAProxy
>>> Average: 39.71128451818
>>> Median: 29.4217891182
>>> tp90: 67.48199012481
>>> tp99: 313.29083442688
>>> tp99.9: 562.318801879883
>>> Over 500ms: 10
>>> Over 2000ms: 0
>>>
>>> nginx
>>> Average: 69.6072148084641
>>> Median: 59.2541694641113
>>> tp90: 87.6350402832031
>>> tp99: 112.42142221222
>>> tp99.9: 180.88918274272
>>> Over 500ms: 0
>>> Over 2000ms: 0
>>>
>>> So as you can see a big difference in the TP99.9 and a big difference in the outlier count, but the average and median response time are really low.
>>>
>>> We are running a pretty stock centos 5.6 server install with HAProxy 1.4.15. HAProxy isn't using more than like 4% of the CPU and the System CPU is closer to 12%.
>>>
>>> I was wondering if you guys had any obvious response time related performance tweaks I can try. If you need more info let me know too.
>>>
>>> Thanks,
>>> Matt C.

--
Hervé COMMOWICK, EXOSEC (http://www.exosec.fr/)
ZAC des Metz - 3 Rue du petit robinson - 78350 JOUY EN JOSAS
Tel: +33 1 30 67 60 65 - Fax: +33 1 75 43 40 70
mailto:hcommow...@exosec.fr
Re: country/ip database website, needs donations to keep going
Hello Hank,

It is not so difficult to generate acls from the MaxMind CSV database:
http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip

# Column 5 of GeoIPCountryWhois.csv is the country code; columns 1,2 are the start/end addresses.
for COUNTRY in $(cut -d, -f5 GeoIPCountryWhois.csv | tr -d '"' | sort -u); do
    fgrep ",\"$COUNTRY\"," GeoIPCountryWhois.csv | tr -d '"' | cut -d, --output-delimiter=- -f 1,2 \
        | aggregate -i range -o prefix > "${COUNTRY}_ips.txt"
done

where aggregate is Simon Horman's tool available here: http://horms.net/projects/aggregate/

Furthermore, it is fast to generate:

real    0m4.446s
user    0m2.390s
sys     0m1.377s

Regards,
Hervé.

On Mon, 06 Jun 2011 01:18:09 -0700 Hank A. Paulson h...@spamproof.nospammail.net wrote:
> I recently found this resource:
> http://www.countryipblocks.net/
> on the day they say they are closing due to lack of donations. :(
>
> I thought other hap users might be interested in this use case and will hopefully think about donating, too.
>
> For one site targeting users in several countries au, nz, etc. to be able to do per-country stats, I am adding a header based on the ip:
>
> acl ipcc_au src -f /etc/haproxy/au_ips.txt
> acl ipcc_nz src -f /etc/haproxy/nz_ips.txt
> reqadd X-Country:\ au if ipcc_au
> reqadd X-Country:\ nz if ipcc_nz
>
> With haproxy and these lists, it is fast and easy to add the country info to requests.
>
> Is anyone else doing something similar? Or other sources for this or other similar types of info?

--
Hervé COMMOWICK, EXOSEC (http://www.exosec.fr/)
ZAC des Metz - 3 Rue du petit robinson - 78350 JOUY EN JOSAS
Tel: +33 1 30 67 60 65 - Fax: +33 1 75 43 40 70
mailto:hcommow...@exosec.fr
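The same per-country ACL files can be produced without the external aggregate tool: this added Python example (not from the thread, not HAProxy's code) uses the standard library's ipaddress module to turn each start/end range into the minimal set of CIDR prefixes and collapse adjacent ones, then writes one list per country in the form `acl ipcc_xx src -f` expects. The CSV layout assumed is the legacy GeoIPCountryWhois.csv one (start_ip, end_ip, start_int, end_int, country_code, country_name); the rows below are constructed from documentation address blocks, not MaxMind data.

```python
"""Generate per-country HAProxy ACL files from a GeoIP country CSV.

Added example, not from the thread. Range-to-CIDR aggregation is done
by ipaddress.summarize_address_range / collapse_addresses, so no
external tool is needed. Assumed CSV columns: start_ip, end_ip,
start_int, end_int, country_code, country_name (legacy MaxMind layout).
"""
import csv
import io
import ipaddress
from collections import defaultdict


def ranges_by_country(csv_text):
    """Map ISO country code -> list of (start_ip, end_ip) address objects."""
    result = defaultdict(list)
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 5 or not row[0].strip():
            continue                    # skip blank or truncated rows
        start, end, code = row[0].strip(), row[1].strip(), row[4].strip()
        result[code].append((ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return result


def ranges_to_prefixes(ranges):
    """Collapse inclusive IP ranges into the minimal, sorted list of CIDR strings.

    All ranges must be the same address family; collapse_addresses raises
    TypeError on a mix of IPv4 and IPv6, which the legacy CSV never contains.
    """
    nets = []
    for start, end in ranges:
        nets.extend(ipaddress.summarize_address_range(start, end))
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def prefixes_for_range(start, end):
    """Convenience wrapper taking address strings, e.g. for a single CSV row."""
    return ranges_to_prefixes([(ipaddress.ip_address(start), ipaddress.ip_address(end))])


def build_acl_files(csv_text):
    """Return {"XX_ips.txt": "prefix\\nprefix\\n..."} ready for `acl ipcc_xx src -f`."""
    return {f"{code}_ips.txt": "\n".join(ranges_to_prefixes(ranges)) + "\n"
            for code, ranges in sorted(ranges_by_country(csv_text).items())}


# Constructed sample rows using RFC 5737 documentation blocks; not real GeoIP data.
SAMPLE_CSV = '''\
"192.0.2.0","192.0.2.127","3221225984","3221226111","AU","Australia"
"192.0.2.128","192.0.2.255","3221226112","3221226239","AU","Australia"
"198.51.100.0","198.51.100.63","3325256704","3325256767","NZ","New Zealand"
"198.51.100.64","198.51.100.95","3325256768","3325256799","AU","Australia"
"203.0.113.0","203.0.113.200","3405803776","3405803976","NZ","New Zealand"
'''

if __name__ == "__main__":
    # In real use: write each body to /etc/haproxy/<name> and reload haproxy.
    for name, body in build_acl_files(SAMPLE_CSV).items():
        print(f"== {name}")
        print(body, end="")
```

The two adjacent AU half-blocks collapse into a single 192.0.2.0/24 entry, and the NZ range 203.0.113.0-200 becomes the four prefixes needed to cover it exactly, which is what keeps the resulting `src -f` files small.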
Re: Apache Compatible HAProxy Log Formatting?
On Wed, 09 Mar 2011 00:40:12 -0800 Joel Krauska jkrau...@gmail.com wrote:
> Has anyone worked out a way to get HAProxy to output logging in an Apache Combined Log Format?
>
> Most log analysis tools out there already speak Apache log format and I was hoping to avoid writing a parser for what is essentially mostly the same information.
>
> Anyone got a work around for this situation?
>
> Best,
> Joel

Hi Joel,

you can try "option httplog clf" instead of "option httplog".

Regards,
Hervé.

--
Your Network supports your *BUSINESS!*
Activity-control and network-optimisation appliances
EXCELIANCE - Rule your Network! - www.exceliance.fr
ZAC des Metz - 3 Rue du petit robinson 78350 Jouy en Josas
Tel: +33 1 30 67 60 74 - Fax: +33 1 75 43 40 70
Re: [RFC] Thinking about RDP-cookie
If I understood carefully, this is what stick-tables are able to handle:

balance roundrobin
stick-table type ip size 200k expire 30m
stick on src

Regards,
Hervé.

On Wed, 15 Dec 2010 17:21:31 +0100 L. Alberto Giménez agimenez-hapr...@sysvalve.homelinux.net wrote:
> On 15/12/2010 15:57, Malcolm Turnbull wrote:
>> On 15 December 2010 14:33, L. Alberto Giménez agimenez-hapr...@sysvalve.homelinux.net wrote:
>>
>> RDP and HTTP have cookies in the application protocol, therefore you can insert or modify a marker/cookie to keep track... How would you insert the marker in standard TCP traffic? The only method I'm aware of is source IP for TCP persistence.
>
> Sorry if I didn't explain clearly, but the very-high-level algorithm would be:
>
> --8<--
> empty tcp-persistence hash table (at initialization time)
> accept a connection
> if (remote IP has persistence entry in the hash table)
>     get persistent backend (already assigned)
> else
>     choose a new backend via roundrobin (care about load?)
>     register IP -> backend as a persistent connection
> end if
> redirect connection to the chosen backend
> --8<--
>
> Everything would be done at tcp/ip level, so no application knowledge would be needed.
>
> I hope that things are clearer now :)
>
> Regards,
> L. Alberto Giménez

--
Hervé COMMOWICK, EXOSEC (http://www.exosec.fr/)
ZAC des Metz - 3 Rue du petit robinson - 78350 JOUY EN JOSAS
Tel: +33 1 30 67 60 65 - Fax: +33 1 75 43 40 70
mailto:hcommow...@exosec.fr
Re: Quick question where the answer is probably no :-).
No you can't, as Haproxy doesn't know the SMTP protocol, but it can be great to add if someone is inspired by this :)

Hervé.

On Wed, 8 Dec 2010 09:58:40 + Malcolm Turnbull malc...@loadbalancer.org wrote:
> The new stunnel proxy functionality got me thinking (which is normally a bad thing):
> With HAProxy is it possible to insert an x-forwarded (or similar) in SMTP?
>
> F5 suggest:
> You could insert the IP in the optional comments field, assuming exchange can access it there.
> Comments: [IP::client_addr]
>
> Or from the postfix documentation:
>
> XFORWARD Example
> In the following example, information sent by the client is shown in bold font.
>
> 220 server.example.com ESMTP Postfix
> EHLO client.example.com
> 250-server.example.com
> 250-PIPELINING
> 250-SIZE 1024
> 250-VRFY
> 250-ETRN
> 250-XFORWARD NAME ADDR PROTO HELO
> 250 8BITMIME
> XFORWARD NAME=spike.porcupine.org ADDR=168.100.189.2 PROTO=ESMTP
> 250 Ok
> XFORWARD HELO=spike.porcupine.org
> 250 Ok
> MAIL FROM:wie...@porcupine.org
> 250 Ok
> RCPT TO:u...@example.com
> 250 Ok
> DATA
> 354 End data with <CR><LF>.<CR><LF>
> . . .message content. . .
> .
> 250 Ok: queued as 3CF6B2AAE8
> QUIT
> 221 Bye

--
Hervé COMMOWICK, EXOSEC (http://www.exosec.fr/)
ZAC des Metz - 3 Rue du petit robinson - 78350 JOUY EN JOSAS
Tel: +33 1 30 67 60 65 - Fax: +33 1 75 43 40 70
mailto:hcommow...@exosec.fr
Re: Log parts of POST data ?
Maybe we need something like "capture request body" with similar arguments as "http-check expect".

Hervé.

On Fri, 26 Nov 2010 17:59:43 +0100 Damien Hardy damienhardy@gmail.com wrote:
> Hi there,
>
> Is there any chance that I could log a part of the data in a POST request? I want to do some asynchronous stats (with mongodb) against Http log files. Getting GET parameters from the uri is easy. But it's quite hard to get POST parameters (even the N first chars for example). Haproxy is able to search for stickiness (balance uri) in the POST data so maybe it is possible to log it?
>
> Thank you for your answer.
>
> Regards,

--
Hervé COMMOWICK, EXOSEC (http://www.exosec.fr/)
ZAC des Metz - 3 Rue du petit robinson - 78350 JOUY EN JOSAS
Tel: +33 1 30 67 60 65 - Fax: +33 1 75 43 40 70
mailto:hcommow...@exosec.fr
Re: Haproxy support for HTTPS (SSL) backend servers
Hello,

You can use stunnel to decrypt/recrypt the ssl stuff:
stunnel's config: http://vr.pastebin.com/Ay4e9wFk
haproxy's config: http://vr.pastebin.com/1uDMeavk

Regards,
Hervé.

On Sat, 16 Oct 2010 13:34:04 +0300 Pasi Kärkkäinen pa...@iki.fi wrote:
> Hello,
>
> I'd like to use haproxy to loadbalance a service that uses (only) https in the backend.. The service in question cannot be changed to provide http, it's https only. (I know, it's stupid, but I cannot change that unfortunately..)
>
> I know I could use the haproxy 'raw' mode, but I need some of the ACL features of haproxy, so I need to use the http mode instead.
>
> Does someone have a patch that allows using https on the backend? If there's no such patch, how big changes would it require? I might work on it if there's nothing ready yet..
>
> Thanks!
>
> -- Pasi

--
Hervé COMMOWICK, EXOSEC (http://www.exosec.fr/)
ZAC des Metz - 3 Rue du petit robinson - 78350 JOUY EN JOSAS
Tel: +33 1 30 67 60 65 - Fax: +33 1 75 43 40 70
mailto:hcommow...@exosec.fr
Re: AWStats and HAProxy Logs
Hi Kyle,

option httplog clf

Hervé.

On Wed, 15 Sep 2010 11:08:43 -0400 Kyle Brandt k...@stackoverflow.com wrote:
> Hi All,
>
> I am trying to come up with a way that I might combine AWStats (or a similar system) with HAProxy logging. Looking at the AWStats custom log options it doesn't seem like HAProxy httplog will fit and I don't see any custom options for HAProxy logging (Perhaps I am missing that?). Has anyone ever plugged HAProxy logs into any analysis software before that they might recommend?
>
> Thank you,
> Kyle Brandt

--
Hervé COMMOWICK, EXOSEC (http://www.exosec.fr/)
ZAC des Metz - 3 Rue du petit robinson - 78350 JOUY EN JOSAS
Tel: +33 1 30 67 60 65 - Fax: +33 1 75 43 40 70
mailto:hcommow...@exosec.fr
Re: haproxy balance uri problem
Hello,

Can you see failed checks in your stats page? Because if one of your servers goes down, then comes back, haproxy will probably send the request to another server. See the map-type parameter in http://haproxy.1wt.eu/download/1.4/doc/configuration.txt; the consistent one will be good for you.

Hervé.

On Wed, 25 Aug 2010 18:00:01 +0200 Markus Fröhlich markus.froehl...@xidras.com wrote:
> hi!
> I'm using HA-Proxy version 1.4.8 2010/06/16 on SLES11 SP1 x64. My backend servers are three squid proxy servers to cache images.
> What I want: I'd like to cache each picture ONLY on one proxy server for the following reasons:
> * it makes no sense to waste cache capacity and keep the same picture in cache on all three proxy backends
> * no different versions of the same picture, when the picture got updated and the caching times of the proxies are different - so it is possible that one proxy shows the old picture and the others the new one
> So I use the balance uri option, therefore a hash of the URI will be generated and haproxy will send the same URI / hash always to the same backend proxy, assuming the backend server doesn't go down or squid isn't available.
> When I watch the squid access logs of the backend proxies, it works sometimes, and sometimes I get the same picture (same URI) from another proxy. Why isn't it persistent?!
> The tested URIs look like this:
> http://images5.domain.TLD/image_data/02/29/73/69.crop-100.80-80-80-80.orig.jpg?chk=340293d69ffc5d944a449891869f1a74
> http://images5.domain.TLD/image_data/02/53/56/97.crop-100.120-120-120-120.orig.jpg?chk=7914ffc6a00d4702bdc3cdbd83bdbca9
> http://images5.domain.TLD/image_data/dynimage/3b267cf984acb80a117454f0f6ae42df/1238e767062f89acba5faa86d994a789.gif?chk=793ecb49681273cbd9667578acbe4951
>
> my haproxy.cfg:
>
>     global
>         node vvx-haproxy-03
>         user haproxy
>         group haproxy
>         daemon
>         maxconn 256
>
>     defaults
>         mode http
>         option clitcpka
>         timeout connect 5000ms
>         timeout client 5ms
>         timeout server 5ms
>         option httpchk
>         http-check send-state
>
>     frontend http-in
>         log /dev/log local0 debug
>         option httplog
>         option logasap
>         option socket-stats
>         bind x.x.x.x:80
>         acl invalid_src src 0.0.0.0/7 224.0.0.0/3
>         acl local_dst hdr(host) -i localhost
>         block if invalid_src || local_dst
>         default_backend proxy1
>
>     backend proxy1
>         log /dev/log local1 debug
>         option httplog
>         option tcplog
>         stats enable
>         stats hide-version
>         stats scope .
>         stats uri /xadmin?stats
>         stats realm HAproxy\ Statistics
>         stats auth xadmin:pwd
>         stats show-legends
>         fullconn 1
>         balance uri len 128 depth 8
>         option srvtcpka
>         server p-01 10.x.x.x:80 maxconn 32 check inter 1
>         server p-02 10.x.x.x:80 maxconn 32 check inter 1
>         server p-03 10.x.x.x:80 maxconn 32 check inter 1
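Why the default map-based hash loses stickiness when one proxy flaps while a consistent hash keeps the other servers' URIs where they were, as an added example in C that is not HAProxy's code (HAProxy's real hash differs; FNV-1a stands in for it here). The server names follow the config above, the URIs are constructed for the demo.

```c
/* Added example, not HAProxy's code: models the two ways "balance uri" can
 * map a URI hash to a server. Map-based: hash modulo the number of live
 * servers, so one server failing reshuffles most URIs. Consistent: each
 * server owns points on a ring and a URI goes to the next live point, so
 * only URIs of the failed server move. FNV-1a stands in for HAProxy's
 * hash (assumption); server names and URIs are constructed for the demo. */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

#define NSRV   3     /* p-01, p-02, p-03 as in the config above */
#define VNODES 64    /* virtual nodes per server on the ring */

static uint32_t fnv1a(const char *s) {
    uint32_t h = 2166136261u;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 16777619u; }
    return h;
}

/* Map-based: hash modulo the count of *available* servers. */
int map_pick(const char *uri, const int *up) {
    int alive[NSRV], n = 0;
    for (int i = 0; i < NSRV; i++) if (up[i]) alive[n++] = i;
    return n ? alive[fnv1a(uri) % n] : -1;
}

/* Consistent: nearest clockwise virtual node on a 32-bit ring. */
int ring_pick(const char *uri, const int *up) {
    uint32_t h = fnv1a(uri), best_d = 0;
    int best = -1;
    for (int i = 0; i < NSRV; i++) {
        if (!up[i]) continue;
        for (int v = 0; v < VNODES; v++) {
            char key[32];
            snprintf(key, sizeof key, "p-%02d#%d", i + 1, v);
            uint32_t d = fnv1a(key) - h;      /* clockwise distance, wraps */
            if (best < 0 || d < best_d) { best_d = d; best = i; }
        }
    }
    return best;
}

/* Constructed URI number k, shaped like the image paths in the thread. */
static void demo_uri(char *out, size_t sz, int k) {
    snprintf(out, sz, "/image_data/%02d/%02d/%d.orig.jpg", k % 97, k % 53, k);
}

/* How many of n URIs sit on server srv while everything is up. */
int assigned_to(int (*pick)(const char *, const int *), int srv, int n) {
    int all_up[NSRV] = {1, 1, 1}, cnt = 0;
    for (int k = 0; k < n; k++) {
        char uri[64];
        demo_uri(uri, sizeof uri, k);
        if (pick(uri, all_up) == srv) cnt++;
    }
    return cnt;
}

/* How many of n URIs change server when server `down` fails. */
int moved_uris(int (*pick)(const char *, const int *), int down, int n) {
    int all_up[NSRV] = {1, 1, 1}, one_down[NSRV] = {1, 1, 1}, moved = 0;
    one_down[down] = 0;
    for (int k = 0; k < n; k++) {
        char uri[64];
        demo_uri(uri, sizeof uri, k);
        if (pick(uri, all_up) != pick(uri, one_down)) moved++;
    }
    return moved;
}

int main(void) {
    const int n = 3000, down = 1;   /* p-02 goes down */
    printf("URIs on p-02 while all up: map %d, consistent %d\n",
           assigned_to(map_pick, down, n), assigned_to(ring_pick, down, n));
    printf("URIs that change server  : map %d, consistent %d (of %d)\n",
           moved_uris(map_pick, down, n), moved_uris(ring_pick, down, n), n);
    return 0;
}
```

With the ring, the number of URIs that move equals exactly the number that were on the failed server; with the modulo mapping roughly two thirds of all URIs move, which is the behaviour Markus observed in his squid logs.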
Re: use_backend complex rules
Hi,

"and" is implicit, so you can write (x t) or (d f).

Hervé.

On Tue, 3 Aug 2010 05:47:20 -0500 Gerardo Corro rob_gar_...@hotmail.com wrote:
> Hi,
> Thanks for your email, however "and" conditions don't work. Is there a workaround? Is there a way to group conditions like if (x and t) or (d or f)?
> Best regards
Re: Cookie Size
What do you mean by increase cookie size?

On 07/07/2010 03:13 PM, Falco Schmutz wrote:
> Hello,
> Do you know if it's possible to increase cookie size in a Listen configuration? We use the 1.4.8 HAProxy release.
> Many thanks
> --
> Falco SCHMUTZ
> E-mail: fschm...@premaccess.com
> Mobile: +33 (0)6 80 22 00 29
> Fixe Suisse: +41 (0)44 586 77 74
> Fax Suisse: +41 (0)26 347 28 90
> Fax France: +33 (0)9 72 12 19 25
> premaccess sàrl, Route des Arsenaux 41 - CP 132, CH-1705 Fribourg, Suisse
> http://www.premaccess.com
Re: Buffer Size
Oh right, you mean adjusting the buffer size (to permit large cookies to pass) per listen section. As far as I know, it is not possible at the moment. Maybe Willy can talk a bit about that? :)

As a workaround (dirty?), you can have a dedicated HAProxy process with its own specific configuration.

Hervé.

On 07/07/2010 04:52 PM, Falco Schmutz wrote:
> I mean, there is no way to increase it without the global config (tune.bufsize)? I just want to increase it for one customer.
>
> On 7 July 2010 16:48, Hervé COMMOWICK hcommow...@exceliance.fr wrote:
>> What do you mean by increase cookie size?
>>
>> On 07/07/2010 03:13 PM, Falco Schmutz wrote:
>>> Hello,
>>> Do you know if it's possible to increase cookie size in a Listen configuration? We use the 1.4.8 HAProxy release.
>>> Many thanks
Re: Can't get stick match src to work, what am I doing wrong?
Hello Ben,

As discussed on the IRC channel, you spotted a regression on stick-table introduced in 1.4.7; Willy sent me the patch that fixes that. When you come back from sleeping, can you tell me if it works for you? (btw it works for me :))

Hervé.

On 06/16/2010 09:17 AM, Ben Congleton wrote:
> Hi guys,
> I am using haproxy 1.4.7 and I cannot get stick on src to work. It appears to be ignoring my sticky src. I am using a vanilla haproxy. When I use curl to visit my configured proxy I am always cycled to a new server, each time I hit the page. If src stickiness was working I would expect to always connect to the same backend server. I've attached my configuration below, any help would be super appreciated.
> Thanks again,
> Ben

-- 
Your Network supports your *BUSINESS!*
Network *activity monitoring* and *optimisation* appliances
EXCELIANCE - Rule your Network! - www.exceliance.fr
ZAC des Metz - 3 Rue du petit robinson 78350 Jouy en Josas
Tél: +33 1 30 67 60 74 - Fax: +33 1 75 43 40 70

From 0d91af355b9a9b83f9e31b54e9f734efb5c81cb3 Mon Sep 17 00:00:00 2001
From: Willy Tarreau w...@1wt.eu
Date: Wed, 16 Jun 2010 16:01:24 +0200
Subject: [BUG] stick_table: the fix for the memory leak caused a regression

Commit d6e9e3b5e320b957e6c491bd92d91afad30ba638 caused recently created entries to be removed as soon as they were created, breaking stickiness. It is not clear whether a use-after-free was possible or not in this case.
---
 src/session.c |7 ---
 1 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/session.c b/src/session.c
index dc2babe..5d089b2 100644
--- a/src/session.c
+++ b/src/session.c
@@ -802,11 +802,12 @@ int process_store_rules(struct session *s, struct buffer *rep, int an_bit) /* process store request and store response */ for (i = 0; i s-store_count; i++) { - if (stktable_store(s-store[i].table, s-store[i].ts, s-srv-puid) 0) { + if (stktable_store(s-store[i].table, s-store[i].ts, s-srv-puid) 0) stksess_free(s-store[i].table, s-store[i].ts); - s-store[i].ts = NULL; - } + /* always remove pointer to session to ensure we won't free it again */ + s-store[i].ts = NULL; } + s-store_count = 0; /* everything is stored */ rep-analysers = ~an_bit; rep-analyse_exp = TICK_ETERNITY; -- 1.6.0.4
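Review bot: the NULL assignment of the store entry pointer now runs on both branches, so the comment should say why that is right on the success path as well: after a successful stktable_store() the table owns the entry and the session must drop its reference rather than free it, whereas the current comment ("always remove pointer to session to ensure we won't free it again") only covers the failure case. The new `s->store_count = 0;` after the loop also deserves a word in that comment, since it is what prevents the store rules from being replayed on a later pass through process_store_rules(); with those two notes the hunk matches the commit message.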
Re: haproxy 1.4.7 segfaults under load around 1k connections
Hello mgades,

Willy sent me the patch which fixes this bug. It is good for me, can you test it on your configuration?

On 06/16/2010 03:16 PM, Morten Gade Sørensen wrote:
> Hi again
> Just an update on this issue. I had it crash instantly by telnetting to the CAS_smtp listener port from the host defined in the monitor-net option. It connects and then instantly disconnects without being load-balanced (which is the expected behaviour for the monitor-net host). The problem is that haproxy segfaults right after - or maybe after 4-5 tries. If I remove the monitor-net option in the listener section it stops crashing.
> vr was very helpful in #hapr...@irc.gnu.org and he was able to replicate the error. - Thanks vr!!

You're welcome. :)

Hervé.

From 7ec37ed4e0b24535cd20e12ac2b3774b128f6875 Mon Sep 17 00:00:00 2001
From: Willy Tarreau w...@1wt.eu
Date: Wed, 16 Jun 2010 17:17:39 +0200
Subject: [BUG] client: don't add a new session to the list too early

Adding a new session to the sessions list too early can cause it to indefinitely remain in the list if a request from a monitor-net comes in TCP mode, because the session will then not be removed from the list. This issue causes crashes very soon after when this happens. It should be backported to 1.3 too.
---
 src/client.c |3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/src/client.c b/src/client.c
index be0c902..476ad9f 100644
--- a/src/client.c
+++ b/src/client.c
@@ -126,7 +126,6 @@ int event_accept(int fd) { goto out_close; } - LIST_ADDQ(sessions, s-list); LIST_INIT(s-back_refs); s-flags = 0;
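Review bot: with the LIST_ADDQ of the session removed at this point, every error exit between here and the place where the session is linked again needs checking: any path in that window that runs the normal session teardown, which unlinks s->list, would now operate on a node that was never added. The LIST_INIT of back_refs right below is unaffected, but a one-line comment noting that s->list is not yet linked in this region would spare the next reader the same audit.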
@@ -146,6 +145,8 @@ int event_accept(int fd) { s-flags |= SN_MONITOR; } + LIST_ADDQ(sessions, s-list); + if ((t = task_new()) == NULL) { /* disable this proxy for a while */ Alert(out of memory in event_accept().\n); EV_FD_CLR(fd, DIR_RD); -- 1.6.0.4
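Review bot: linking the session into the list only after the monitor-net branch has set SN_MONITOR matches the commit message (a monitor-net request in TCP mode previously left a session in the list that was never removed), but one consequence should be checked: the out-of-memory path right below ("out of memory in event_accept()") now runs with the session already in the list, so either its cleanup must unlink it, or the LIST_ADDQ should move after task_new() has succeeded.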
Re: Haproxy + Ajax
This is an old interview; HAProxy (>= 1.4) now supports keepalive on the client side. Don't use http-pretend-keepalive unless your backend server needs it (apache doesn't need this).
To enable keepalive, you just need to have "option http-server-close" instead of "option httpclose".

Regards,
Hervé.

On 05/21/2010 06:11 PM, eni-urgence wrote:
> Hello (again).
> In this interview http://linuxfr.org/2008/09/15/24484.html (in French), Willy Tarreau said that there is some problem with PHP applications which use Ajax technology, because haproxy ignores keep-alive. Is there a big impact on performance? My web servers are configured with "KeepAlive Off / MaxKeepAliveRequests 100 / KeepAliveTimeout 15" and I don't think PHP redefines this variable. I read that an option http-pretend-keepalive has been added to version 1.4.4. Have I any interest to use this option? Is there any kind of thing about not using Ajax and haproxy together? Like haproxy cutting the URL, which can be very long with Ajax calls. Has someone experienced problems? And what kind?
> Thank you
> NICOLE Emerik
> Newbie French user of haproxy
> eni-urge...@scan-eco.com www.scan-eco.com www.quickmed.fr
Re: haproxy question about check
Hello,

On 05/21/2010 03:15 PM, eni-urgence wrote:
> Hello all.
> I discovered haproxy a few weeks ago and I want to thank Willy for his very good product. I'm planning to integrate haproxy into our DMZ. I want to use haproxy for load balancing heavy secure PHP/Ajax applications with cookie persistence: a collaborative scheduler and an image consultation extranet. The stunnel service will handle https connections and forward decrypted requests to haproxy on port 88. Then haproxy will forward connections to the web server on ports 10088, 100089 (and so on...) on a mass virtual host configuration of apache (see below). In /var/www/vhost-SSL/ on the web server, there are some symbolic links to the PHP sources. Some domains are not linked to the same path because they don't provide the same application. So I don't want to have to delete/rename the running.ok file on every path when I want to shut down the webserver. I want to use the httpcheck on port 10081 and the file running.ok. But I want a soft stop of service. I want haproxy to stop forwarding new connections if it doesn't find the running.ok file but continue to forward connections if the cookie is initialised. So I will configure a backup server with the same cookies (as said in the HAProxy documentation).

Use http-check disable-on-404 for this.

> So now my questions:
> - Is it possible to check only the header like this "HEAD / HTTP/1.0" for the backup server?

option httpchk HEAD / HTTP/1.0

> - As said in Willy's article (http://1wt.eu/articles/2006_lb/), it is good to load balance the encryption/decryption flow too. So a haproxy instance in tcp mode (layer 4) seems to be a good solution. But our applications have to know the client IP for security reasons. I read that a recompiled kernel with tproxy support will forward connections keeping the real client IP. Is that true?

Yes it is, tproxy has been included in the mainstream >= 2.6.28 kernel. Usage of the X-Forwarded-For header is preferred if you use stunnel.

> - I want to manage a multi-site configuration keeping the session persistence. How can I manage to do so?

I don't understand this question :)

Regards,
Hervé.
Re: Loadbalancing TCP connections
Hi Chris,

You are using an old configuration template, let's get it updated:

On 05/19/2010 12:10 PM, Chris Sarginson wrote:
> [...]
> defaults
>     log global
>     mode http

You want to use tcp load balancing, so set "mode tcp" instead.

>     option httplog

Same reason, set "option tcplog" instead.

>     option forwardfor

Same reason, delete this line as it is http mode specific.

>     option allbackups
>     option dontlognull
>     retries 3
>     option redispatch
>     maxconn 5000
>     contimeout 5000

To clarify your configuration and to use the new and better keyword, set "timeout connect 5s" instead.

>     clitimeout 5

Same reason, set "timeout client 50s" instead.

>     srvtimeout 5

Same reason, set "timeout server 50s" instead.

>     option httpchk

You are about to check tcp servers, so delete this line, because tcp check is the default.

>     option httpclose

This is http mode specific, delete this line.

You don't create a frontend, so you don't listen for connections. To be able to load balance something, create something like this:

    frontend sphinx
        bind :3312
        default_backend 5220_sphinx

> backend 5220_sphinx
>     balance leastconn
>     mode tcp
>     contimeout 5

You don't have to specify it again as you already do this in the defaults section, delete this line.

>     srvtimeout 5

Same reason, to clarify, delete this line.

>     server sphinx1 172.31.252.170:3312 check inter 3000 rise 2 fall 2 weight 1
>     server sphinx2 172.31.252.171:3312 check inter 3000 rise 2 fall 2 weight 1
>
> Running a tcpdump on the server I can see that this is attempting to send HTTP requests to check if the backend is up - is this because of the defaults settings?

Yes it is.

Cheers,
Hervé.
Re: Redirect 1 time per day
Hello,

On 05/18/2010 05:01 PM, Damien Hardy wrote:
> ii haproxy 1.3.15.2-2+lenny2 fast and reliable load balancing reverse proxy
> What's wrong?

Your HAProxy version doesn't include this feature, please update to *at least* the lenny-backports version.

Regards,
Hervé.
Re: Latency parameters
http://haproxy.1wt.eu/download/1.4/doc/configuration.txt

Search for the keyword "latency" inside ;-)

On 03/24/2010 07:25 AM, Paras Fadte wrote:
> Hi,
> Are there specific parameters in the HAProxy config which play an important role in reducing latency?
> Thank you.
> -plf
Re: status page question - hanafail
Hi,

If I understand the code well, it is the number of failed health analyses.

Hervé.

On 02/17/2010 02:46 PM, duncan hall wrote:
> Hi,
> I've been writing a standalone perl script to parse the csv status page to extract some statistics and build pretty RRD graphs based on current sessions, status and queues. All is working, but I was wondering if anyone could enlighten me on the meaning of the hanafail field in 1.4?
> Thanks in advance,
> Duncan
Re: config file simplification?
Hello,

Look at the default-server parameter in section 5: http://haproxy.1wt.eu/download/1.4/doc/configuration.txt

Regards,
Hervé.

On 01/29/2010 08:43 AM, duncan hall wrote:
> Quick question (request) I hope. I have a backend group of servers containing 20 servers, e.g.:
>     server VM330230a 172.16.10.2:80 cookie A330230a check inter 15s rise 3 fall 1 slowstart 60s minconn 25 maxconn 50 weight 10
>     server VM330231a 172.16.10.3:80 cookie A330231a check inter 15s rise 3 fall 1 slowstart 60s minconn 25 maxconn 50 weight 10
>     ...
> Would it be possible in future versions to move some of the repeated part of the configs into a single line in the backend? In my case it would be great to be able to just specify once for the backend the following:
>     check inter 15s rise 3 fall 1 slowstart 60s
> Thanks
> Duncan
[PATCH] mysql-check
Hello all,

I have updated the mysql-check with ideas and code from Cyril. I send() the authentication packet the same way as the ssl hello packet, I think it is cleaner than send() in the event_srv_chk_r(). I now handle a correct banner but with an error after sending the authentication packet.
Cyril, your sizeof oops showed me that there is the same bug on ssl-hello-chk, so I made a patch for that.
Like Cyril says, it could be enhanced with a configurable username, or other things.
Documentation is updated. It was tested on 4.0.x, 4.1.x, and 5.x.
Feel free to test and report bugs.

Regards,
Hervé.

On 01/14/2010 11:00 PM, Cyril Bonté wrote:
> On Thursday 14 January 2010 22:20:20, Cyril Bonté wrote:
>> Please find the patch in attachment if you're interested.
> Oops, 2 bugs were left in that version:
> 1. the 8 bytes for scramble buff are not needed when there's no password
> 2. sizeof(MYSQL40_HANDSHAKE_ACK) gives one more byte than required.
> Sorry for the previous patch.

--- haproxy/src/cfgparse.c 2010-01-14 09:37:09.0 +0100
+++ haproxy.dev/src/cfgparse.c 2010-01-15 16:32:51.958747436 +0100
@@ -4728,9 +4728,9 @@ } if (curproxy-options PR_O_SSL3_CHK) { - curproxy-check_len = sizeof(sslv3_client_hello_pkt); - curproxy-check_req = (char *)malloc(sizeof(sslv3_client_hello_pkt)); - memcpy(curproxy-check_req, sslv3_client_hello_pkt, sizeof(sslv3_client_hello_pkt)); + curproxy-check_len = sizeof(sslv3_client_hello_pkt)-1; + curproxy-check_req = (char *)malloc(sizeof(sslv3_client_hello_pkt)-1); + memcpy(curproxy-check_req, sslv3_client_hello_pkt, sizeof(sslv3_client_hello_pkt)-1); } /* The small pools required for the capture lists */
--- haproxy/src/checks.c 2010-01-15 12:31:49.0 +0100
+++ haproxy.dev/src/checks.c 2010-01-15 12:42:16.165353336 +0100
@@ -748,8 +748,9 @@ /* * This function is used only for server health-checks. It handles the server's - * reply to an HTTP request or SSL HELLO. It calls set_server_check_status() to - * update s-check_status, s-check_duration and s-result. + * reply to an HTTP request, SSL HELLO or MySQL client Auth. It calls + * set_server_check_status() to update s-check_status, s-check_duration + * and s-result. * The set_server_check_status function is called with HCHK_STATUS_L7OKD if * an HTTP server replies HTTP 2xx or 3xx (valid responses), if an SMTP server 
@@ -865,26 +874,55 @@ set_server_check_status(s, HCHK_STATUS_L7STS, desc); } else if (s-proxy-options2 PR_O2_MYSQL_CHK) { - /* MySQL Error packet always begin with field_count = 0xff - * contrary to OK Packet who always begin whith 0x00 */ + unsigned int first_packet_len; + first_packet_len = ((unsigned int) trash[0]) + (((unsigned int) trash[1]) 8) + (((unsigned int) trash[2]) 16); + + /* MySQL Error packet always begin with field_count = 0xff */ if (trash[4] != '\xff') { - /* We set the MySQL Version in description for information purpose - * FIXME : it can be cool to use MySQL Version for other purpose, - * like mark as down old MySQL server. - */ - if (len 51) { + /* Check if we have only one MySQL packet in buffer */ + if (len == first_packet_len + 4) { +/* We have only one MySQL paquet + * and it seems to be a Handshake Initialization packet + * It is not normal because we must normally have 2 packet + * but it can be good on *real* low latency network + */ + +/* We set the MySQL Version in description for information purpose */ desc = ltrim(trash[5], ' '); set_server_check_status(s, HCHK_STATUS_L7OKD, desc); } + else if (len first_packet_len + 4) { +unsigned int second_packet_len; +second_packet_len = ((unsigned int) trash[first_packet_len+4]) + (((unsigned int) trash[first_packet_len+5]) 8) + (((unsigned int) trash[first_packet_len+6]) 16); +if (len == first_packet_len + 4 + second_packet_len + 4 ) { + /* We have 2 packet and that's good */ + /* Check if the second packet is not a MySQL Error packet */ + if (trash[first_packet_len+8] != '\xff') { + /* No error packet */ + /* We set the MySQL Version in description for information purpose */ + desc = ltrim(trash[5], ' '); + set_server_check_status(s, HCHK_STATUS_L7OKD, desc); + } + else { + /* An error message is attached in the Error packet + * so we can display it ! 
:) + */ + desc = ltrim(trash[first_packet_len+11], ' '); + set_server_check_status(s, HCHK_STATUS_L7STS, desc); + } +} + } else { -/* it seems we have a OK packet but without a valid length, +/* it seems we have a Handshake Initialization packet but without a valid length, * it must be a protocol error */ -set_server_check_status(s
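Review bot: in the cfgparse.c hunk the `sizeof(sslv3_client_hello_pkt)-1` change is right because the array is initialised from a string literal and therefore carries a trailing NUL that was being sent on the wire as part of the ClientHello, but the same expression is now repeated three times (check_len, malloc, memcpy); define the length once next to the packet and use that constant in all three places so the next edit cannot desynchronise them.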
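Review bot: in the checks.c MySQL hunk, first_packet_len is assembled by casting trash[] elements to unsigned int, but trash is a char buffer (the code compares trash[4] against '\xff'), so where char is signed a length byte of 0x80 or more sign-extends and the comparisons of len against first_packet_len + 4 go wrong; cast each byte through (unsigned char) first, and do the same for second_packet_len. Two smaller points in the same hunk: the single-packet branch marks the server L7OKD before it has answered the authentication packet, which the comment itself calls "not normal", so consider reporting it as incomplete rather than OK; and `ltrim(trash[5], ' ')` on the version string relies on a NUL being present inside the received bytes, which a truncated packet does not guarantee.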
Re: mysql-check and distant servers
Hi Cyril,

I'm happy, because I knew there are better developers than me on this list. This is why I decided to send my code to Willy (even if it is not perfect), because I knew this would wake you guys up ;)
I will try your start of reflection on old mysql servers, stay up.

Hervé.

On 01/14/2010 12:28 AM, Cyril Bonté wrote:
> Hi again Hervé,
> On Wednesday 13 January 2010 12:56:30, Hervé COMMOWICK wrote:
>> Hi Cyril,
>> I know the check is not perfect, because it doesn't handle a correct disconnection. MySQL expects the client to talk, and I think it's weird... In the future, I think it will be better to do a *real* mysql ping, but at the moment, the checks API doesn't let me handle this in a cleaner way.
> This is not a patch but a start of reflection: in the function event_srv_chk_r(int fd), after this condition:
>
>     if (trash[4] != -1) {
>
> I added this quick and dirty reply:
>
>     char handshake[] =
>         "\x22\x00\x00"          /* packet length */
>         "\x01"                  /* packet number */
>         "\x00\x00"              /* client capabilities */
>         "\x00\x00"              /* extended client capabilities */
>         "\x00\x00\x00\x01"      /* max packet */
>         "\x08"                  /* charset */
>         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" /* reserved (23 bytes) */
>         "\x00"                  /* username (null terminated string) */
>         "\x00";                 /* empty password */
>     /* sizeof(handshake) - 1: the string literal's trailing NUL is not part of the packet */
>     send(fd, handshake, sizeof(handshake) - 1, MSG_DONTWAIT | MSG_NOSIGNAL);
>
> After several tests, this finishes the handshake correctly. Note that this packet is only valid for mysql >= 4.1 (haproxy would have to check the version to decide which reply to send). At the moment, I have no mysql 4.0 to validate the other reply type. For more information: http://forge.mysql.com/wiki/MySQL_Internals_ClientServer_Protocol#Client_Authentication_Packet
> I hope this will be helpful.
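The server side of the exchange that Cyril's reply and the mysql-check patch above deal with, as an added example in C that is neither HAProxy's nor Cyril's code: it decodes the Handshake Initialization packet plus the server's answer to the Authentication packet, reads the 3-byte lengths through unsigned char, and (my choice, unlike the patch) treats a lone handshake as incomplete rather than OK. All packet bytes are constructed.

```c
/* Added example, not HAProxy's or Cyril's code: decode what a MySQL server
 * sends back during the health check discussed in this thread. Once the
 * client has sent its Authentication packet the buffer should hold two
 * packets: the Handshake Initialization packet (protocol byte, then the
 * NUL-terminated server version, then thread id and scramble) followed by
 * an OK packet, or an Error packet (first payload byte 0xff, 2-byte errno,
 * optional "#sqlstate", message). Every packet starts with a 3-byte
 * little-endian payload length and a 1-byte sequence number. All sample
 * bytes below are constructed, not captured from a server. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

enum chk { CHK_OK, CHK_ERROR, CHK_INCOMPLETE, CHK_MALFORMED };

/* Read the length through unsigned char: casting a signed char that holds
 * a byte >= 0x80 straight to unsigned int would sign-extend it. */
size_t pkt_len(const unsigned char *p) {
    return (size_t)p[0] | ((size_t)p[1] << 8) | ((size_t)p[2] << 16);
}

/* Copy the text of an Error packet payload into desc. */
static enum chk err_desc(const unsigned char *pl, size_t n, char *desc, size_t dsz) {
    if (n < 3) return CHK_MALFORMED;
    const unsigned char *msg = pl + 3;                 /* skip 0xff and errno */
    size_t mlen = n - 3;
    if (mlen >= 6 && msg[0] == '#') { msg += 6; mlen -= 6; }   /* 4.1+ SQL state */
    snprintf(desc, dsz, "%.*s", (int)mlen, (const char *)msg);
    return CHK_ERROR;
}

/* Decode the buffered reply; desc receives the server version on success or
 * the server's error text on failure. Only whole packets are trusted. */
enum chk mysql_check(const unsigned char *buf, size_t len, char *desc, size_t dsz) {
    desc[0] = '\0';
    if (len < 4) return CHK_INCOMPLETE;
    size_t l1 = pkt_len(buf);
    if (len < 4 + l1) return CHK_INCOMPLETE;
    if (l1 < 2) return CHK_MALFORMED;
    if (buf[4] == 0xff) return err_desc(buf + 4, l1, desc, dsz);   /* refused before auth */
    const unsigned char *ver = buf + 5;                      /* after the protocol byte */
    const unsigned char *nul = memchr(ver, 0, l1 - 1);
    if (!nul) return CHK_MALFORMED;                          /* version not terminated */
    /* The thread's patch reports a lone handshake as OK; here (my choice) the
     * server must first have answered the Authentication packet. */
    if (len == 4 + l1) return CHK_INCOMPLETE;
    const unsigned char *p2 = buf + 4 + l1;
    size_t rem = len - 4 - l1;
    if (rem < 4) return CHK_INCOMPLETE;
    size_t l2 = pkt_len(p2);
    if (rem < 4 + l2) return CHK_INCOMPLETE;
    if (rem > 4 + l2 || l2 < 1) return CHK_MALFORMED;        /* trailing bytes or empty packet */
    if (p2[4] == 0xff) return err_desc(p2 + 4, l2, desc, dsz);
    snprintf(desc, dsz, "%.*s", (int)(nul - ver), (const char *)ver);
    return CHK_OK;
}

/* Write one packet (header + payload) at dst; returns bytes written. */
static size_t put_pkt(unsigned char *dst, unsigned char seq, const void *pl, size_t n) {
    dst[0] = n & 0xff; dst[1] = (n >> 8) & 0xff; dst[2] = (n >> 16) & 0xff; dst[3] = seq;
    memcpy(dst + 4, pl, n);
    return 4 + n;
}

/* Constructed handshake: protocol 10, version "5.1.41", then 8 filler bytes
 * standing in for the thread id and scramble (a real packet carries more). */
static const unsigned char HS[]   = { 0x0a, '5', '.', '1', '.', '4', '1', 0, 1, 0, 0, 0, 'a', 'b', 'c', 'd' };
static const unsigned char OKP[]  = { 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00 };    /* OK, status 0x0002 */
static const unsigned char ERRP[] = "\xff\x69\x04" "Host 'client' is blocked";       /* errno 1129 */

size_t sample_ok(unsigned char *dst) {
    size_t n = put_pkt(dst, 0, HS, sizeof HS);
    return n + put_pkt(dst + n, 2, OKP, sizeof OKP);
}
size_t sample_blocked(unsigned char *dst) {
    size_t n = put_pkt(dst, 0, HS, sizeof HS);
    return n + put_pkt(dst + n, 2, ERRP, sizeof ERRP - 1);   /* -1: drop the literal's NUL */
}

/* Run a sample with `trim` bytes cut off the end, as a partial read would. */
static char last_desc[64];
enum chk run_sample(size_t (*sample)(unsigned char *), size_t trim) {
    unsigned char buf[128];
    size_t n = sample(buf);
    return mysql_check(buf, n - trim, last_desc, sizeof last_desc);
}
const char *last_description(void) { return last_desc; }

int main(void) {
    enum chk r = run_sample(sample_ok, 0);
    printf("ok exchange      -> %d (%s)\n", r, last_description());
    r = run_sample(sample_blocked, 0);
    printf("blocked exchange -> %d (%s)\n", r, last_description());
    printf("truncated by 3   -> %d\n", run_sample(sample_blocked, 3));
    return 0;
}
```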
Re: mysql-check and distant servers
Hi Cyril,

I know the check is not perfect, because it doesn't handle a correct disconnection. MySQL expects the client to talk, and I think it's weird... In the future, I think it will be better to do a *real* mysql ping, but at the moment, the checks API doesn't let me handle this in a cleaner way.
As a workaround, you can disable the mysql connection_errors checking by adding max_connect_errors=9 in your my.cnf.

Regards,
Hervé.

On 01/13/2010 11:48 AM, cyril.bo...@free.fr wrote:
> Hi Willy,
> Be careful with the new mysql-check option introduced in the development branch: http://haproxy.1wt.eu/git?p=haproxy.git;a=commit;h=698ae00fc272bf5f4e159922546347066bd66378
> It won't work with distant backends: mysql has a mechanism to block hosts that open connections without closing them correctly (depending on the max_connect_errors value on the mysql server). Using the configuration file provided in the commit and a distant server, this quickly results in:
>
>     [WARNING] 012/111726 (7318) : Server mysql_1/srv1 is DOWN, reason: Layer7 wrong status, code: 0, info: Host 'distant.mysql.server' is blocked because of many connection errors; unblock with 'mysqladmin flush-hosts', check duration: 0ms.
>     [ALERT] 012/111726 (7318) : proxy 'mysql_1' has no server available!