MIB
Hi, I want to know if a MIB for HAProxy is available ? Regards, Mathieu
Re: option source
And how it's possible to able the haproxy user to have the CAP_NET_ADMIN capability ? 2015-02-19 9:55 GMT+01:00 Lukas Tribus luky...@hotmail.com: Hi, I'm trying to use he option source of HAProxy in order to have the client's address from my web server. So i add this option in defaults : source 0.0.0.0 usesrc clientip. When I restart HAProxy, i receive back this message : Some configuration options require full privileges, so global.uid cannot be changed. I found that is possible to use this option being root, with comment out following lines in conf : user haproxy group haproxy But for security reason, i need to use this option without being root, i would know if it's possible with changing a configuration? The haproxy user needs to have the CAP_NET_ADMIN capability. That way, you can drop privileges to non-root, but still use the usesrc keyword. Lukas
Re: option source
With this methid we can change the group. But how change the user ? Because i put my new group and user in my conf haproxy, and i receive back cannot find user id Regards, Mathieu 2015-02-19 10:25 GMT+01:00 Jarno Huuskonen jarno.huusko...@uef.fi: Hi, On Thu, Feb 19, Mathieu Sergent wrote: And how it's possible to able the haproxy user to have the CAP_NET_ADMIN capability ? I think you could set(setcap) CAP_NET_ADMIN to haproxy binary: (https://wiki.archlinux.org/index.php/Capabilities http://packetlife.net/blog/2010/mar/19/sniffing-wireshark-non-root-user/) so: setcap cap_net_admin=eip /usr/sbin/haproxy (I didn't test this). 2015-02-19 9:55 GMT+01:00 Lukas Tribus luky...@hotmail.com: Hi, I'm trying to use he option source of HAProxy in order to have the client's address from my web server. So i add this option in defaults : source 0.0.0.0 usesrc clientip. When I restart HAProxy, i receive back this message : Some configuration options require full privileges, so global.uid cannot be changed. I found that is possible to use this option being root, with comment out following lines in conf : user haproxy group haproxy But for security reason, i need to use this option without being root, i would know if it's possible with changing a configuration? The haproxy user needs to have the CAP_NET_ADMIN capability. That way, you can drop privileges to non-root, but still use the usesrc keyword. -- Jarno Huuskonen
option source
Hi, I'm trying to use he option source of HAProxy in order to have the client's address from my web server. So i add this option in defaults : source 0.0.0.0 usesrc clientip. When I restart HAProxy, i receive back this message : Some configuration options require full privileges, so global.uid cannot be changed. I found that is possible to use this option being root, with comment out following lines in conf : #user haproxy #group haproxy But for security reason, i need to use this option without being root, i would know if it's possible with changing a configuration ? Regards, Mathieu
Re: Active/Active
Thanks for your reply. I really want to have two active/active, keepalived can't deal with it. Furthermore, i try to not use a load balancing with dns. Regards, Mathieu 2015-02-16 11:31 GMT+01:00 Jarno Huuskonen jarno.huusko...@uef.fi: Hi, On Mon, Feb 16, Mathieu Sergent wrote: Now i use two HAProxy active/passive with keepalived, which make the load balancing on web servers. I would know if it's possible to use two HAProxy in active/active mode ? I know keepalived can't managed it, because it uses the protocol VRRP. I made researches and it seems to be impossible. You could use(try) multiple ip-addresses with keepalived/haproxy: http://comments.gmane.org/gmane.comp.web.haproxy/15908 and dns round robin between these ip-addresses. (And if you need sticky sessions make sure that both servers use configuration that allows clients to switch between servers). -Jarno -- Jarno Huuskonen
Re: Active/Active
In each proposition, there is a single master (DNS, LVS...), which load-balance on two HAProxy. Me, I try to choose a solution with two master, which will be my two HAProxy. Maybe it's impossible and i dream ^^, but this is what I need. Regards, Mathieu 2015-02-16 12:00 GMT+01:00 Baptiste bed...@gmail.com: On Mon, Feb 16, 2015 at 11:58 AM, Mathieu Sergent mathieu.sergent...@gmail.com wrote: Thanks for your reply. I really want to have two active/active, keepalived can't deal with it. Furthermore, i try to not use a load balancing with dns. Regards, Mathieu With keepalived, you can have 2 nodes, both active/passive in 2 distincts VRRP instances. That said, you would have to load-balance each master node using DNS... If you want to avoid DNS, then use LVS to load-balance your L7 load-balancers. Baptiste
Active/Active
Hi, Now i use two HAProxy active/passive with keepalived, which make the load balancing on web servers. I would know if it's possible to use two HAProxy in active/active mode ? I know keepalived can't managed it, because it uses the protocol VRRP. I made researches and it seems to be impossible. Regards, Mathieu.
Re: Help haproxy
Yes, i have just the option that's make gone right. It's just the option as you know. Regards, Mathieu 2015-02-05 10:03 GMT+01:00 Yuan Long yuan.l...@chinanetcloud.com: Do you have the words option forward for in your config. http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#option%20forwardfor Can you copy/paste your config (without sensitive info if needed). Regards, Long Wu Yuan 龙 武 缘 Sr. Linux Engineer 高级工程师 ChinaNetCloud 云络网络科技(上海)有限公司 | www.ChinaNetCloud.com1238 Xietu Lu, X2 Space 1-601, Shanghai, China | 中国上海市徐汇区斜土路1238号X2空 间1-601室 24x7 Support Hotline: +86-400-618-0024 | Office Tel: +86-(21)-6422-1946 We are hiring! http://careers.chinanetcloud.com | Customer Portal - https://customer-portal.service.chinanetcloud.com/ On Mon, Feb 2, 2015 at 11:45 PM, Sander Klein roe...@roedie.nl wrote: On 02.02.2015 16:33, Mathieu Sergent wrote: Hi Sander, Yes i reloaded the haproxy and my web server too. But no change. And i'm not using proxy protocol. To give you more precisions, on my web server i used tcpdump functions which give me back the header of the requete http. And in this i found my client's address. But this is really strange that i can do it without the forwardfor. The only other thing that I can think of is that your client is behind a proxy server which adds the X-Forward-For header for you... Or you got something strange in your config... Sander
Re: Help haproxy
2015-02-02 16:45 GMT+01:00 Sander Klein roe...@roedie.nl: The only other thing that I can think of is that your client is behind a proxy server which adds the X-Forward-For header for you... Or you got something strange in your config... Sander You're totally right. My client have a proxy server. I feel very sorry for this stupid mistake. Thanks for your time and your help. Regards, Mathieu
Help haproxy
Hi, I try to set up a load balancing with HAProxy and 3 web servers. I want to receive on my web servers the address' client. I read that it is possible with the option source ip usesrc but you need to be root. If you want to not be root, you have to used HAProxy with Tproxy. But Tproxy demand too much system configuration. There is an other solution ? I hope that you have understood my problem. Yours sincerely. Mathieu Sergent PS : Sorry for my English.
Re: Help haproxy
Hi Sander, Yes i reloaded the haproxy and my web server too. But no change. And i'm not using proxy protocol. To give you more precisions, on my web server i used tcpdump functions which give me back the header of the requete http. And in this i found my client's address. But this is really strange that i can do it without the forwardfor. Regards, Mathieu 2015-02-02 16:15 GMT+01:00 Sander Klein roe...@roedie.nl: Hi Mathieu, Pleas keep the list in the CC. On 02.02.2015 15:26, Mathieu Sergent wrote: Thanks for your reply. I just used the option forwardfor in the haproxy configuration. And i can find client's address from my web server (with tcpdump). But if i don't use the option forwardfor, the web server still find the client's address. That's make any sense ? To be honest, that doesn't make any sense to me. Are you sure you have reloaded the haproxy process after you removed the forwardfor? Or, could it be you are using the proxy protocol (send-proxy)? Greets, Sander
