maxconn default from 1.7 to 2.0

2020-03-05 Thread James Stroehmann
Maxconn default seems to be set to 2000 in the version 1.7 servers we are 
running, but in the 2.0 server it looks like the default is 114:


The 2.0 management guide 
(https://cbonte.github.io/haproxy-dconv/2.0/management.html) shows output from 
version 1.6, I'm wondering why such a low number for default?



looking for help with redirect + acl

2018-07-23 Thread James Stroehmann

I need help with a current ACL and redirect that looks like this:

acl has_statistical_uri path_beg -i /statistical
http-request redirect code 301 prefix https://statistical.example.com/statisticalinsight if has_statistical_uri

When a request like this comes in:
https://statistical.example.com/statistical/example?key=value
it gets redirected to this:
https://statistical.example.com/statisticalinsight/statistical/example?key=value

They would like it to be redirected to:
https://statistical.example.com/statisticalinsight/example?key=value




RE: backend has no server available!

2017-11-13 Thread James Stroehmann
I had a similar problem, and I believe reducing my ‘hold valid’ setting to 1s 
fixed it.


From: DHAVAL JAISWAL [mailto:dhava...@gmail.com]
Sent: Monday, November 13, 2017 2:31 AM
To: HAproxy Mailing Lists 
Subject: backend has no server available!

I had the following config where we are using AWS ELB for load balancing. 
However, now we keep getting backend test_cluster has no server available!

Two servers are attached under this ELB. Both instances are in a healthy state. 
We are checking the healthy state on port 80, and the Tomcat response is sent 
on port 8080.

internal-testtomcatautoscale-1314784611.ap-southeast-1.elb.amazonaws.com


resolvers testresolver
  nameserver dns1 169.254.169.253:53
  resolve_retries   3
  timeout retry 1s
  hold valid   10s

backend test_cluster
mode http
option forwardfor
fullconn 1
option httpchk /test-testalive
http-check expect string OK
option http-server-close
option abortonclose
balance roundrobin
server server1 internal-testtomcatautoscale-1314784611.ap-southeast-1.elb.amazonaws.com:8080 check resolvers testresolver


What could be the cause of this issue? How can I fix it?



RE: OneConnect feature in HAProxy

2017-06-09 Thread James Stroehmann
Thanks for that, I had not heard of IUS before. This could solve a couple of my 
problems.


From: Gibson, Brian (IMS) [mailto:gibs...@imsweb.com]
Sent: Thursday, June 8, 2017 10:30 AM
To: Stroehmann, James; Brendan Kearney; haproxy@formilux.org
Subject: RE: OneConnect feature in HAProxy

The IUS repos will have 1.7 I believe.

https://ius.io/GettingStarted/

From: James Stroehmann [mailto:james.stroehm...@proquest.com]
Sent: Thursday, June 08, 2017 10:27 AM
To: Brendan Kearney <bpk...@gmail.com>; haproxy@formilux.org
Subject: RE: OneConnect feature in HAProxy

Thanks for the info - I will look into it but it looks like I'll have to 
upgrade to 1.6 first ... currently I'm using 1.5 out of the standard 
repositories for centos 7.

Any pointers to a yum repo for 1.6 or 1.7?



From: Brendan Kearney [mailto:bpk...@gmail.com]
Sent: Thursday, May 25, 2017 8:36 AM
To: haproxy@formilux.org
Subject: Re: OneConnect feature in HAProxy

On 05/25/2017 08:26 AM, James Stroehmann wrote:
Is there a feature in HAProxy similar to OneConnect that the F5 LTM has? 
https://www.f5.com/pdf/deployment-guides/oneconnect-tuning-dg.pdf

I am trying to migrate some frontends from an LTM to an HAProxy load balancer, 
and a few of the existing frontends have the OneConnect feature turned on. I 
spoke to the app owner and he believes that it allows us to have less 
connections (and therefore less backend servers) and it enables more seamless 
rolling bounces on the stateless backends.

http-reuse is the directive you are looking for.





RE: OneConnect feature in HAProxy

2017-06-08 Thread James Stroehmann
Thanks for the info - I will look into it but it looks like I'll have to 
upgrade to 1.6 first ... currently I'm using 1.5 out of the standard 
repositories for centos 7.

Any pointers to a yum repo for 1.6 or 1.7?



From: Brendan Kearney [mailto:bpk...@gmail.com]
Sent: Thursday, May 25, 2017 8:36 AM
To: haproxy@formilux.org
Subject: Re: OneConnect feature in HAProxy

On 05/25/2017 08:26 AM, James Stroehmann wrote:
Is there a feature in HAProxy similar to OneConnect that the F5 LTM has? 
https://www.f5.com/pdf/deployment-guides/oneconnect-tuning-dg.pdf

I am trying to migrate some frontends from an LTM to an HAProxy load balancer, 
and a few of the existing frontends have the OneConnect feature turned on. I 
spoke to the app owner and he believes that it allows us to have less 
connections (and therefore less backend servers) and it enables more seamless 
rolling bounces on the stateless backends.

http-reuse is the directive you are looking for.


OneConnect feature in HAProxy

2017-05-25 Thread James Stroehmann
Is there a feature in HAProxy similar to OneConnect that the F5 LTM has? 
https://www.f5.com/pdf/deployment-guides/oneconnect-tuning-dg.pdf

I am trying to migrate some frontends from an LTM to an HAProxy load balancer, 
and a few of the existing frontends have the OneConnect feature turned on. I 
spoke to the app owner and he believes that it allows us to have less 
connections (and therefore less backend servers) and it enables more seamless 
rolling bounces on the stateless backends.


RE: Issue with windows IE 11 and Edge

2017-04-07 Thread James Stroehmann
To close the loop on this, it turns out that one of our cookies did not have a 
'Path' specified, causing many duplicate cookies to be created. When we hit the 
50 cookie IE limit, IE would delete the oldest cookie - which was our 
JSESSIONID cookie, causing the user to get logged out.

The reason this did not happen in other browsers was due to much higher cookie 
limits. Thanks to Willy for the help troubleshooting this. I learned more about 
browser cookies than I ever wanted to know :)


From: Stroehmann, James
Sent: Friday, October 7, 2016 2:44 PM
To: haproxy@formilux.org
Subject: Issue with windows IE 11 and Edge

We have a website that is setup like this:

CDN -> HAPROXY -> ELB -> APACHE -> TOMCAT

We are seeing with IE11 and Edge clients they will randomly lose their session 
and get kicked out to a login screen. Firefox, Chrome and older IE clients 
appear unaffected. Testing at all the different layers, we can reproduce 
against the HAProxy and CDN layers, but not the ELB/Apache/Tomcat layers, which 
leads us to believe the problem lies at the HAProxy layer. We are using HA-Proxy 
version 1.6.3 2015/12/25, compiled from source. I'm not seeing any errors in 
the haproxy logs, any ideas as to where to start troubleshooting?
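
The root cause reported at the top of this message, modelled as an added example (not code from the thread or from HAProxy): a cookie sent without Path gets the request's directory as its path, so every directory creates a separate cookie until the 50-cookie limit evicts the oldest one. The host, the page URLs, the `lastview` cookie name and the higher limit of 180 are constructed assumptions.

```python
from collections import OrderedDict
from urllib.parse import urlsplit

IE_LIMIT = 50        # per-domain limit named in the post
ROOMY_LIMIT = 180    # constructed stand-in for a browser with a higher limit


def default_path(request_url):
    """RFC 6265 section 5.1.4: path used when Set-Cookie carries no Path."""
    path = urlsplit(request_url).path
    if not path.startswith("/") or path.count("/") == 1:
        return "/"
    return path[: path.rfind("/")]


class CookieJar:
    """Minimal jar: cookies are keyed by (domain, name, path), oldest first."""

    def __init__(self, limit):
        self.limit = limit
        self.cookies = OrderedDict()
        self.evicted = []

    def set_cookie(self, request_url, name, value, path=None):
        domain = urlsplit(request_url).hostname
        key = (domain, name, path or default_path(request_url))
        self.cookies[key] = value  # same key: updated in place, keeps its age
        same_domain = [k for k in self.cookies if k[0] == domain]
        while len(same_domain) > self.limit:
            oldest = same_domain.pop(0)  # evict the oldest, as the post describes
            del self.cookies[oldest]
            self.evicted.append(oldest)

    def names(self):
        return {name for _, name, _ in self.cookies}


# Constructed browsing session: 60 pages, each in its own directory.
PAGES = [f"https://app.example.com/docview/{i}/fulltext" for i in range(60)]


def browse(limit, cookie_path):
    """Log in, then receive a hypothetical 'lastview' cookie on every page."""
    jar = CookieJar(limit)
    jar.set_cookie("https://app.example.com/login", "JSESSIONID", "s1", path="/")
    for url in PAGES:
        jar.set_cookie(url, "lastview", "1", path=cookie_path)
    return jar


if __name__ == "__main__":
    for label, limit, path in [("no Path, limit 50", IE_LIMIT, None),
                               ("no Path, higher limit", ROOMY_LIMIT, None),
                               ("Path=/, limit 50", IE_LIMIT, "/")]:
        jar = browse(limit, path)
        print(f"{label}: {len(jar.cookies)} cookies stored, "
              f"session cookie kept: {'JSESSIONID' in jar.names()}")
```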



https://www.haproxy.org SEC_ERROR_REVOKED_CERTIFICATE

2017-02-23 Thread James Stroehmann
I am getting errors when using https://www.haproxy.org. It appears this is 
because you are using a startcom certificate:

 Issuer   "StartCom Class 1 DV Server CA" ("StartCom Ltd." from "IL")

The major browsers have stopped trusting startcom and wosign certificates. Here 
is some more information:
https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html
https://support.apple.com/en-us/HT202858


[https://letsencrypt.org/ appears to be a free, trusted alternative that 
supports haproxy https://certbot.eff.org/#centosrhel7-haproxy. Disclaimer: I 
have not used them]





RE: Issue with windows IE 11 and Edge

2017-02-14 Thread James Stroehmann
Understood - thanks for the reply. I will set a reminder for myself to send 
something next week. 


-----Original Message-----
From: Willy Tarreau [mailto:w...@1wt.eu] 
Sent: Tuesday, February 14, 2017 4:54 PM
To: Stroehmann, James 
Cc: 'haproxy@formilux.org' 
Subject: Re: Issue with windows IE 11 and Edge


Hi James,

On Tue, Feb 14, 2017 at 09:10:00PM +0000, James Stroehmann wrote:
> Is there other information I can provide to help troubleshoot this?

The only thing which will work will be a network capture to understand what the 
requests *really* look like. You don't need to send it to the list, a private 
e-mail is fine. However not this week, we're busy finishing a release so it's 
the best way for your e-mail to get lost and forgotten.

Willy



RE: Issue with windows IE 11 and Edge

2017-02-14 Thread James Stroehmann
: X.X.X.X:56814 
[16/Jan/2017:22:15:08.047] search_ssl blue/blue 3/0/1/1/5 304 85 - -  
4/4/0/1/0 0/0 "GET 
/assets/r20171.1.0.530.1253/ctx/uxframework/images/pq-logo.png HTTP/1.1"
Jan 16 22:15:08 localhost haproxy[25984]: X.X.X.X:56814 
[16/Jan/2017:22:15:08.052] search_ssl blue/blue 306/0/0/1/307 304 189 - -  
4/4/0/1/0 0/0 "GET /extras/webtrends/modifyHit.js HTTP/1.1"


-----Original Message-----
From: Willy Tarreau [mailto:w...@1wt.eu]
Sent: Tuesday, October 25, 2016 8:55 AM
To: Stroehmann, James 
Cc: 'haproxy@formilux.org' 
Subject: Re: Issue with windows IE 11 and Edge


On Mon, Oct 24, 2016 at 03:14:59PM +, James Stroehmann wrote:
> We have updated our test instance of HAProxy to 1.6.9 but are still 
> able to reproduce the issue.
>
>
> From: Stroehmann, James
> Sent: Friday, October 07, 2016 2:44 PM
> To: haproxy@formilux.org
> Subject: Issue with windows IE 11 and Edge
>
> We have a website that is setup like this:
>
> CDN -> HAPROXY -> ELB -> APACHE -> TOMCAT
>
> We are seeing with IE11 and Edge clients they will randomly lose their 
> session and get kicked out to a login screen. Firefox, Chrome and 
> older IE clients appear unaffected. Testing at all the different 
> layers, we can reproduce against the HAProxy and CDN layers, but not 
> the ELB/Apache/Tomcat layers, which leads us to believe the problem 
> lies at the HAProxy layer. We are using HA-Proxy version 1.6.3 
> 2015/12/25, compiled from source. I'm not seeing any errors in the 
> haproxy logs, any ideas as to where to start troubleshooting?

Well technically speaking what can be said is that adding CDN+haproxy triggers 
the problem. Without your config it's very hard to have any idea about this. It 
will be important to see how you perform your stickiness, how health checks are 
performed (because if your apache servers are regularly seen up and down from 
haproxy, for sure the users will be redistributed to another location). Also 
have you looked at your haproxy stats to see if your servers are seen down from 
time to time ?
And what do you see in haproxy logs for users affected with the problem ?
The termination flags should almost always be "--". If you often see something 
different, it might indicate an issue somewhere in the chain.
Most often with cookie insertion, you'll see "--NI" for new users getting a new 
cookie, and "--VN" for existing visitors posting a valid cookie.
Anything else should be studied.

Regards,
Willy
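
The termination-flag check described in the reply above, as an added example (not part of the original message or of HAProxy itself): it parses HAProxy HTTP log lines, reports entries whose flags are not "----", "--NI" or "--VN", and, going one step beyond the reply, reports clients that already presented a valid cookie and later arrive with none. The sample log lines and addresses are constructed.

```python
import re

# Fields of HAProxy's HTTP log format, from the client address onwards.
LOG_RE = re.compile(
    r'haproxy\[\d+\]: (?P<client>\S+):(?P<port>\d+) \[(?P<date>[^\]]+)\] '
    r'(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<timers>[\d/+-]+) (?P<status>-?\d+) (?P<bytes>\+?\d+) '
    r'(?P<req_cookie>\S+) (?P<res_cookie>\S+) (?P<flags>\S{4}) '
    r'(?P<conns>[\d/+]+) (?P<queues>[\d/]+) "(?P<request>[^"]*)"'
)

# Flag values the reply treats as normal; anything else should be studied.
EXPECTED = {
    "----": "normal end, no persistence cookie processing",
    "--NI": "no cookie presented, a new one was inserted",
    "--VN": "valid cookie presented, nothing to do",
}

# Constructed sample lines (documentation addresses, invented requests).
SAMPLE = """
Jan 16 22:15:01 localhost haproxy[25984]: 192.0.2.10:50001 [16/Jan/2017:22:15:01.010] search_ssl blue/blue 3/0/1/12/16 200 5120 - - --NI 2/2/0/1/0 0/0 "GET /login HTTP/1.1"
Jan 16 22:15:02 localhost haproxy[25984]: 192.0.2.10:50001 [16/Jan/2017:22:15:02.100] search_ssl blue/blue 5/0/0/9/14 200 910 - - --VN 2/2/0/1/0 0/0 "GET /search HTTP/1.1"
Jan 16 22:15:03 localhost haproxy[25984]: 192.0.2.10:50002 [16/Jan/2017:22:15:03.200] search_ssl blue/blue 4/0/1/7/12 200 2048 - - --VN 3/3/0/1/0 0/0 "GET /results HTTP/1.1"
Jan 16 22:15:04 localhost haproxy[25984]: 198.51.100.7:41000 [16/Jan/2017:22:15:04.000] search_ssl blue/blue 2/0/0/1/3 304 85 - - ---- 3/3/0/1/0 0/0 "GET /favicon.ico HTTP/1.1"
Jan 16 22:15:35 localhost haproxy[25984]: 198.51.100.7:41001 [16/Jan/2017:22:15:05.000] search_ssl blue/blue 0/0/1/-1/30002 504 194 - - sH-- 3/3/0/0/0 0/0 "GET /export HTTP/1.1"
Jan 16 22:15:40 localhost haproxy[25984]: 192.0.2.10:50003 [16/Jan/2017:22:15:40.300] search_ssl blue/blue 6/0/0/8/14 200 2048 - - --NI 2/2/0/1/0 0/0 "GET /results?page=2 HTTP/1.1"
"""


def parse(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def triage(lines):
    """Return (to_study, lost_cookie) for an iterable of log lines."""
    to_study, lost_cookie = [], []
    seen_valid = set()  # client addresses that have presented a valid cookie
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        client, flags = rec["client"], rec["flags"]
        if flags not in EXPECTED:
            to_study.append((client, flags, rec["status"], rec["request"]))
        if flags == "--VN":
            seen_valid.add(client)
        elif flags == "--NI" and client in seen_valid:
            lost_cookie.append((client, rec["request"]))
    return to_study, lost_cookie


if __name__ == "__main__":
    study, lost = triage(SAMPLE.strip().splitlines())
    for entry in study:
        print("study:", entry)
    for entry in lost:
        print("cookie no longer sent:", entry)
```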



RE: Haproxy loabalance with cookie

2017-02-08 Thread James Stroehmann
Try this:

backend app
balance roundrobin
cookie SERVERID insert indirect nocache
server hdp01.example.local 192.168.1.100:7070 check cookie hdp01
server hdp02.example.local 192.168.1.101:7070 check cookie hdp02


From: Hoang Le Trung [mailto:hoangletr...@orenj.com]
Sent: Tuesday, February 7, 2017 9:11 PM
To: Aaron West 
Cc: haproxy@formilux.org
Subject: RE: Haproxy loabalance with cookie

Hi Aaron,

Here is my haproxy configuration

frontend kylin-web
bind 192.168.1.120:7077
acl url_static   path_beg   -i /kylin
stats enable
stats uri /haproxy?stats
stats realm Strictly\ Private
default_backend app
#-
backend app
balance roundrobin
server  hdp01.example.local 192.168.1.100:7070   check
server  hdp02.example.local 192.168.1.101:7070   check

HAproxy:

When I log in to the LB at 192.168.1.120:7077/kylin and run a query, I can see 
requests load-balanced across all backend servers (no re-authentication needed). 
The first request goes to HDP01, the second to HDP02, the third to HDP01, and so on.

But when I use the RESTful API following these docs 
http://kylin.apache.org/docs16/howto/howto_use_restapi.html
I use a cookie to save the authentication, which means the client does not need 
to re-authenticate for each request sent. The problem happens here:
For example, when the client logs in to the LB, it creates a JSESSIONID and saves 
it to a cookie. The JSESSIONID points only to the HDP01 server, so all subsequent 
requests go to this server. When the client authenticates again, the JSESSIONID 
points only to the HDP02 server and all subsequent requests go to this server.

So what I want here:
The client logs in to the LB, the requests sent are balanced across the HDP01 and 
HDP02 servers, and the client does not need to re-authenticate.


Thanks!

From: Aaron West [mailto:aa...@loadbalancer.org]
Sent: Tuesday, February 07, 2017 5:14 PM
To: Hoang Le Trung
Cc: haproxy@formilux.org
Subject: Re: Haproxy loabalance with cookie

Hi Hoang,

Could we get your HAproxy config please, an example of both scenarios would be 
best.

It may help to better understand your situation.

Aaron West

Loadbalancer.org Limited
+44 (0)330 380 1064
www.loadbalancer.org

On 7 February 2017 at 01:55, Hoang Le Trung <hoangletr...@orenj.com> wrote:
Hi

I use HAproxy to load balance my backend servers.
But I have a problem when I use a cookie.
When a cookie is present, the same backend server is used until it dies. So it 
overloads this server while the other servers are free.
If I do not use a cookie, each client needs to pass authentication to request data 
from the backend servers. It works OK but takes a long time to finish many requests 
from the client.
Is there any solution for my case? I want to use HAProxy to load balance sessions 
between the client and the backend servers. When the client sends a request, it 
should be balanced across the backend servers (not only one server, as when using 
a cookie). And the client should not need to re-authenticate when sending 
subsequent requests.


Thanks!
Best  Regards,





RE: Issue with windows IE 11 and Edge

2017-01-16 Thread James Stroehmann
0.530.1253/core/default.css HTTP/1.1"
Jan 16 22:15:07 localhost haproxy[25984]: X.X.X.X:56845 
[16/Jan/2017:22:15:07.053] search_ssl blue/blue 28/0/0/2/30 304 85 - -  
2/2/0/1/0 0/0 "GET /assets/r20171.1.0.530.1253/core/tapestry-console.css 
HTTP/1.1"
Jan 16 22:15:07 localhost haproxy[25984]: X.X.X.X:56845 
[16/Jan/2017:22:15:07.083] search_ssl blue/blue 12/0/1/1/14 304 85 - -  
2/2/0/1/0 0/0 "GET /assets/r20171.1.0.530.1253/core/t5-alerts.css HTTP/1.1"
Jan 16 22:15:07 localhost haproxy[25984]: X.X.X.X:56845 
[16/Jan/2017:22:15:07.098] search_ssl blue/blue 5/0/0/2/7 304 85 - -  
2/2/0/1/0 0/0 "GET /assets/r20171.1.0.530.1253/core/tree.css HTTP/1.1"
Jan 16 22:15:07 localhost haproxy[25984]: X.X.X.X:56845 
[16/Jan/2017:22:15:07.105] search_ssl blue/blue 35/0/0/2/37 304 85 - -  
2/2/0/1/0 0/0 "GET 
/assets/r20171.1.0.530.1253/pqc/javascript/prototip/css/prototip.css HTTP/1.1"
Jan 16 22:15:07 localhost haproxy[25984]: X.X.X.X:56845 
[16/Jan/2017:22:15:07.142] search_ssl blue/blue 215/0/0/2/217 304 85 - -  
2/2/0/1/0 0/0 "GET /assets/r20171.1.0.530.1253/ctx/styles/PageLayout.css 
HTTP/1.1"
Jan 16 22:15:07 localhost haproxy[25984]: X.X.X.X:56845 
[16/Jan/2017:22:15:07.360] search_ssl blue/blue 24/0/0/2/26 304 85 - -  
2/2/0/1/0 0/0 "GET /assets/r20171.1.0.530.1253/ctx/styles/ContentLayout.css 
HTTP/1.1"
Jan 16 22:15:07 localhost haproxy[25984]: X.X.X.X:56845 
[16/Jan/2017:22:15:07.386] search_ssl blue/blue 100/0/0/2/102 304 85 - -  
2/2/0/1/0 0/0 "GET 
/assets/r20171.1.0.530.1253/ctx/uxframework/css/uxf-1.0.0-teal.min.css HTTP/1.1"
Jan 16 22:15:07 localhost haproxy[25984]: X.X.X.X:56845 
[16/Jan/2017:22:15:07.489] search_ssl blue/blue 107/0/1/6/114 304 85 - -  
2/2/0/1/0 0/0 "GET /assets/r20171.1.0.530.1253/ctx/styles/overRide.css HTTP/1.1"
Jan 16 22:15:07 localhost haproxy[25984]: X.X.X.X:56845 
[16/Jan/2017:22:15:07.603] search_ssl blue/blue 43/0/0/2/45 304 85 - -  
2/2/0/1/0 0/0 "GET /assets/r20171.1.0.530.1253/ctx/styles/IE_icons.css HTTP/1.1"
Jan 16 22:15:07 localhost haproxy[25984]: X.X.X.X:56845 
[16/Jan/2017:22:15:07.649] search_ssl blue/blue 48/0/1/1/50 304 85 - -  
2/2/0/1/0 0/0 "GET 
/assets/r20171.1.0.530.1253/ctx/extras/analytics/GTMContainer.js HTTP/1.1"
Jan 16 22:15:07 localhost haproxy[25984]: X.X.X.X:56845 
[16/Jan/2017:22:15:07.699] search_ssl blue/blue 9/0/0/2/11 304 85 - -  
2/2/0/1/0 0/0 "GET /assets/r20171.1.0.530.1253/ctx/extras/pdo/html5shiv.min.js 
HTTP/1.1"
Jan 16 22:15:07 localhost haproxy[25984]: X.X.X.X:56845 
[16/Jan/2017:22:15:07.710] search_ssl blue/blue 50/0/0/8/58 304 85 - -  
2/2/0/1/0 0/0 "GET /assets/r20171.1.0.530.1253/ctx/extras/pdo/respond.min.js 
HTTP/1.1"
Jan 16 22:15:07 localhost haproxy[25984]: X.X.X.X:56845 
[16/Jan/2017:22:15:07.769] search_ssl blue/blue 125/0/1/1/127 304 85 - -  
2/2/0/1/0 0/0 "GET /assets/r20171.1.0.530.1253/core/spacer.gif HTTP/1.1"
Jan 16 22:15:07 localhost haproxy[25984]: X.X.X.X:56845 
[16/Jan/2017:22:15:07.896] search_ssl blue/blue 72/0/1/1/74 304 190 - -  
4/4/3/4/0 0/0 "GET /extras/webtrends/webtrends10.3.7.js HTTP/1.1"
Jan 16 22:15:07 localhost haproxy[25984]: X.X.X.X:56814 
[16/Jan/2017:22:15:05.253] search_ssl blue/blue 2716/0/0/2/2718 304 85 - -  
4/4/2/3/0 0/0 "GET 
/assets/r20171.1.0.530.1253/ctx/uxframework/fonts/Roboto-Regular-webfont.eot? 
HTTP/1.1"
Jan 16 22:15:07 localhost haproxy[25984]: X.X.X.X:56846 
[16/Jan/2017:22:15:07.962] search_ssl blue/blue 7/0/1/2/10 304 85 - -  
4/4/1/2/0 0/0 "GET 
/assets/r20171.1.0.530.1253/ctx/uxframework/fonts/aleo-regular-webfont.eot? 
HTTP/1.1"
Jan 16 22:15:07 localhost haproxy[25984]: X.X.X.X:56847 
[16/Jan/2017:22:15:07.962] search_ssl blue/blue 7/0/0/3/10 304 85 - -  
4/4/0/1/0 0/0 "GET 
/assets/r20171.1.0.530.1253/ctx/uxframework/fonts/RobotoSlab-Regular-webfont.eot?
 HTTP/1.1"
Jan 16 22:15:08 localhost haproxy[25984]: X.X.X.X:56847 
[16/Jan/2017:22:15:07.973] search_ssl blue/blue 41/0/0/2/43 304 85 - -  
4/4/1/2/0 0/0 "GET /assets/r20171.1.0.530.1253/core/field-error-marker.gif 
HTTP/1.1"
Jan 16 22:15:08 localhost haproxy[25984]: X.X.X.X:56814 
[16/Jan/2017:22:15:07.972] search_ssl blue/blue 42/0/0/2/44 304 85 - -  
4/4/0/1/0 0/0 "GET 
/assets/r20171.1.0.530.1253/ctx/uxframework/images/pq-logo-footer.png HTTP/1.1"
Jan 16 22:15:08 localhost haproxy[25984]: X.X.X.X:56814 
[16/Jan/2017:22:15:08.015] search_ssl blue/blue 29/0/0/2/31 304 85 - -  
4/4/0/1/0 0/0 "GET /assets/r20171.1.0.530.1253/core/ajax-loader.gif HTTP/1.1"
Jan 16 22:15:08 localhost haproxy[25984]: X.X.X.X:56814 
[16/Jan/2017:22:15:08.047] search_ssl blue/blue 3/0/1/1/5 304 85 - -  
4/4/0/1/0 0/0 "GET 
/assets/r20171.1.0.530.1253/ctx/uxframework/images/pq-logo.png HTTP/1.1"
Jan 16 22:15:08 localhost haproxy[25984]: X.X.X.X:56814 
[16/Jan/20

RE: Issue with windows IE 11 and Edge

2016-10-24 Thread James Stroehmann
We have updated our test instance of HAProxy to 1.6.9 but are still able to 
reproduce the issue.


From: Stroehmann, James
Sent: Friday, October 07, 2016 2:44 PM
To: haproxy@formilux.org
Subject: Issue with windows IE 11 and Edge

We have a website that is setup like this:

CDN -> HAPROXY -> ELB -> APACHE -> TOMCAT

We are seeing with IE11 and Edge clients they will randomly lose their session 
and get kicked out to a login screen. Firefox, Chrome and older IE clients 
appear unaffected. Testing at all the different layers, we can reproduce 
against the HAProxy and CDN layers, but not the ELB/Apache/Tomcat layers, which 
leads us to believe the problem lies at the HAProxy layer. We are using HA-Proxy 
version 1.6.3 2015/12/25, compiled from source. I'm not seeing any errors in 
the haproxy logs, any ideas as to where to start troubleshooting?



Issue with windows IE 11 and Edge

2016-10-07 Thread James Stroehmann
We have a website that is setup like this:

CDN -> HAPROXY -> ELB -> APACHE -> TOMCAT

We are seeing with IE11 and Edge clients they will randomly lose their session 
and get kicked out to a login screen. Firefox, Chrome and older IE clients 
appear unaffected. Testing at all the different layers, we can reproduce 
against the HAProxy and CDN layers, but not the ELB/Apache/Tomcat layers, which 
leads us to believe the problem lies at the HAProxy layer. We are using HA-Proxy 
version 1.6.3 2015/12/25, compiled from source. I'm not seeing any errors in 
the haproxy logs, any ideas as to where to start troubleshooting?



Empty DNS does not mark server as down

2016-05-12 Thread James Stroehmann
I am using haproxy version 1.6.3 and my server is defined using dns.
It is an ELB in amazon web services so it changes IP addresses frequently and 
that functionality seems to work fine. 

However, if I delete the DNS entry, the server is not marked down. It then 
keeps sending traffic to the IP address that existed before the DNS entry was 
deleted.

resolvers dns
nameserver AmazonDNS 169.254.169.253:53
hold valid 1s

frontend search
bind :80
default_backend blue

backend blue
server blue elbname.amazon.net:80 resolvers dns check inter 1000