Re: Issue with checks after 2.0.6

2019-09-16 Thread Michael Rennecke
Hello,

I had the same problem after upgrading from 2.0.5 to 2.0.6. I ignored
the mistake and rolled back. I thought the mistake was mine. I use the
self-compiled versions only privately.

The logs, config and build script are in the attachment. HAProxy runs on
a Debian 9 VM.

cheers
Michael


On 14.09.19 at 13:08, GARDAIS Ionel wrote:
> Hi,
> 
> I've just upgraded to 2.0.6 and all server checks went erratic.
> I had to disable checks for the servers to be reachable.
> 
> The observed behavior was a flip-flap (but mostly down) of server
> availability with L4TOUT when the server was considered unresponsive.
> 
> Ionel
> 
> 
> 


build-haproxy.sh
Description: application/shellscript
Sep 16 21:06:13 mail haproxy[21253]: Proxy http started.
Sep 16 21:06:13 mail haproxy[21253]: Proxy bk_apache started.
Sep 16 21:06:13 mail haproxy[21253]: [NOTICE] 258/210613 (21253) : New worker #1 (21255) forked
Sep 16 21:06:13 mail haproxy[21253]: Proxy bk_gogs started.
Sep 16 21:06:13 mail haproxy[21253]: Proxy bk_prosody started.
Sep 16 21:06:13 mail haproxy[21253]: Proxy bk_smokeping started.
Sep 16 21:06:13 mail haproxy[21253]: Proxy bk_odroid started.
Sep 16 21:06:13 mail haproxy[21253]: Proxy bk_stats started.
Sep 16 21:00:33 mail haproxy[19453]: [WARNING] 258/210033 (19453) : Exiting Master process...
Sep 16 21:00:33 mail haproxy[19453]: [ALERT] 258/210033 (19453) : Current worker #1 (19454) exited with code 143 (Terminated)
Sep 16 21:00:33 mail haproxy[19453]: [WARNING] 258/210033 (19453) : All workers exited. Exiting... (0)
Sep 16 21:00:33 mail haproxy[20273]: Proxy http started.
Sep 16 21:00:33 mail haproxy[20273]: Proxy bk_apache started.
Sep 16 21:00:33 mail haproxy[20273]: [NOTICE] 258/210033 (20273) : New worker #1 (20274) forked
Sep 16 21:00:33 mail haproxy[20273]: Proxy bk_gogs started.
Sep 16 21:00:33 mail haproxy[20273]: Proxy bk_prosody started.
Sep 16 21:00:33 mail haproxy[20273]: Proxy bk_smokeping started.
Sep 16 21:00:33 mail haproxy[20273]: Proxy bk_odroid started.
Sep 16 21:00:33 mail haproxy[20273]: Proxy bk_stats started.
Sep 16 21:00:34 mail ansible-systemd: Invoked with no_block=False force=None name=haproxy daemon_reexec=False enabled=None daemon_reload=False state=reloaded masked=None scope=None user=None
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20273) : Reexecuting Master process
Sep 16 21:00:34 mail haproxy[20273]: Proxy http started.
Sep 16 21:00:34 mail haproxy[20273]: Proxy bk_apache started.
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20274) : Stopping frontend GLOBAL in 0 ms.
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20274) : Stopping frontend http in 0 ms.
Sep 16 21:00:34 mail haproxy[20273]: Proxy bk_gogs started.
Sep 16 21:00:34 mail haproxy[20273]: [NOTICE] 258/210034 (20273) : New worker #1 (20303) forked
Sep 16 21:00:34 mail haproxy[20273]: Proxy bk_prosody started.
Sep 16 21:00:34 mail haproxy[20273]: [ALERT] 258/210034 (20274) : sendmsg()/writev() failed in logger #1: No such file or directory (errno=2)
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20274) : Stopping backend bk_apache in 0 ms.
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20274) : Stopping backend bk_gogs in 0 ms.
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20274) : Stopping backend bk_prosody in 0 ms.
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20274) : Stopping backend bk_smokeping in 0 ms.
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20274) : Stopping backend bk_odroid in 0 ms.
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20274) : Stopping backend bk_stats in 0 ms.
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20274) : Proxy GLOBAL stopped (FE: 1 conns, BE: 1 conns).
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20274) : Proxy http stopped (FE: 0 conns, BE: 0 conns).
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20274) : Proxy bk_apache stopped (FE: 0 conns, BE: 0 conns).
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20274) : Proxy bk_gogs stopped (FE: 0 conns, BE: 0 conns).
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20274) : Proxy bk_prosody stopped (FE: 0 conns, BE: 0 conns).
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20274) : Proxy bk_smokeping stopped (FE: 0 conns, BE: 0 conns).
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20274) : Proxy bk_odroid stopped (FE: 0 conns, BE: 0 conns).
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20274) : Proxy bk_stats stopped (FE: 0 conns, BE: 0 conns).
Sep 16 21:00:34 mail haproxy[20273]: Proxy bk_smokeping started.
Sep 16 21:00:34 mail haproxy[20273]: Proxy bk_odroid started.
Sep 16 21:00:34 mail haproxy[20273]: Proxy bk_stats started.
Sep 16 21:00:34 mail haproxy[20273]: libgcc_s.so.1 must be installed for pthread_cancel to work
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20273) : Former worker #1 (20274) exited 

Re: Odd H2 in Chrome...

2019-06-20 Thread Michael Rennecke
Hello,

I also have problems with h2 and HTTP 1.1 backends (Apache/2.4.25, gogs)
since the update to haproxy 2.0, see my build script. I would say all
domains with cookies are broken. Disabling h2 or disabling htx works for me.

My config:

defaults
    log global
    mode http

    option  httplog
    option  dontlognull

    option  tcp-smart-connect
    option  tcp-smart-accept

    # use kernel splice system call to lower latency
    option  splice-auto

    option  forwardfor
    option  socket-stats
    no option http-use-htx

    timeout http-request 20s
    timeout connect   5s
    timeout client   50s
    timeout server   50s

    timeout check 800

frontend http
    bind *:80  name http
    bind *:443 name https ssl crt /etc/haproxy/certs/foo.pem crt /etc/haproxy/certs/ ecdhe secp384r1 alpn h2,http/1.1
    # bind *:443 name https ssl crt /etc/haproxy/certs/foo.pem crt /etc/haproxy/certs/ ecdhe secp384r1 alpn http/1.1

    compression algo gzip
    compression type text/html text/plain text/javascript application/javascript application/xml text/css

    # force https for known domains
    acl hostname_has_backend hdr(Host),lower,map(/etc/haproxy/hostname2backend.map) -m found
    http-request redirect scheme https code 301 if !{ ssl_fc } hostname_has_backend

    # stats backend
    acl stats-acl  path_beg /haproxy
    use_backend bk_stats if stats-acl

    # routing for known domains
    use_backend bk_%[hdr(Host),lower,map(/etc/haproxy/hostname2backend.map)] if hostname_has_backend


backend bk_apache
    server apache 127.0.0.1:8080 check



Michael


On 20.06.19 at 17:13, Lukas Tribus wrote:
> On Thu, 20 Jun 2019 at 09:24, Igor Pav  wrote:
>>
>> Hi Lukas,
>>
>> Found when using h2, the request URI to squid is / without
>> http://example.com/, so squid return 400 error...
> 
> Can you disable htx and check again:
> no option http-use-htx
> 
> in the default section.
> 
> 
> Lukas
> 


build-haproxy.sh
Description: application/shellscript




Coding style for config files

2016-04-15 Thread Michael Rennecke
Hello,

I know this question is stupid. Is there a coding style for config
files, like this: http://www.haproxy.org/coding-style.html ?

Cheers,
Michael






Re: Question about build HAProxy for Solaris 11

2016-03-02 Thread Michael Rennecke
Hi,

I don't have a SPARC box with Solaris for testing. You can try to build
HAProxy by yourself. I use this script to build HAProxy for ARM. This
should run on Solaris with some changes.

TARGET=solaris
NB_PROC=


#!/bin/bash

# names of latest versions of each package
export HAPROXY_VERSION=1.6.3
export VERSION_PCRE=pcre-8.38
export VERSION_LIBRESSL=libressl-2.3.2
export VERSION_HAPROXY=haproxy-$HAPROXY_VERSION

# URLs to the source directories
export SOURCE_LIBRESSL=ftp://ftp.openbsd.org/pub/OpenBSD/LibreSSL/
export SOURCE_PCRE=ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/
export SOURCE_HAPROXY=http://www.haproxy.org/download


# clean out any files from previous runs of this script
rm -rf build
mkdir build

# proc for building faster
NB_PROC=$(grep -c ^processor /proc/cpuinfo)

# ensure that we have the required software
#sudo apt-get -y install curl wget build-essential libgd-dev libgeoip-dev checkinstall git

# grab the source files
echo "Download sources"
wget -P ./build "${SOURCE_PCRE}${VERSION_PCRE}.tar.gz"
wget -P ./build "${SOURCE_LIBRESSL}${VERSION_LIBRESSL}.tar.gz"
wget -P ./build "${SOURCE_HAPROXY}/$(echo $HAPROXY_VERSION | cut -d. -f 1-2)/src/$VERSION_HAPROXY.tar.gz"

# expand the source files
echo "Extract Packages"
cd build || exit 1

tar xfz "${VERSION_HAPROXY}.tar.gz"
tar xfz "${VERSION_LIBRESSL}.tar.gz"
tar xfz "${VERSION_PCRE}.tar.gz"
cd ../ || exit 1

export BPATH="${PWD}/build"
export STATICLIBSSL="${BPATH}/${VERSION_LIBRESSL}"

# build static LibreSSL
echo "Configure & Build LibreSSL"
cd "${STATICLIBSSL}" || exit 1
./configure --prefix="${STATICLIBSSL}/_openssl/" --enable-shared=no &&
make install-strip -j "${NB_PROC}"

# build pcre
export STATICLIPCRE="${BPATH}/${VERSION_PCRE}"
cd "${STATICLIPCRE}" || exit 1
./configure --prefix="${STATICLIPCRE}/_pcre" --enable-shared=no --enable-utf8 --enable-jit
make -j "${NB_PROC}"
make install


echo "Build HAProxy"
cd "${BPATH}/${VERSION_HAPROXY}" || exit 1

make \
-j "${NB_PROC}" \
TARGET=linux2628 \
USE_STATIC_PCRE=1 \
USE_PCRE_JIT=1 \
PCRE_LIB="${STATICLIPCRE}/_pcre/lib" \
PCRE_INC="${STATICLIPCRE}/_pcre/include" \
USE_OPENSSL=1 \
SSL_INC="${STATICLIBSSL}/_openssl/include" \
SSL_LIB="${STATICLIBSSL}/_openssl/lib" \
USE_ZLIB=1 \
DEFINE="-fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2"


echo "All done."
echo "become root and type: "
echo " cp build/haproxy-${HAPROXY_VERSION}/haproxy /usr/local/sbin"




On 02.03.2016 02:51, Samuel Crowell wrote:
> I noticed that ya’ll have the binaries for HAProxy 1.4, is there any plan to 
> build the executables for newer versions (1.6, etc.)?
> 
> It’s hard for me to build from source at work due to missing required 
> libraries.  It would be nice if I still had the option to grab a version 
> already compiled for Solaris.
> 
> Thanks for the help and your product is great.
> 
> Sam Crowell
> 
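
Added example (not part of the original message or of the script above): the script fetches its three tarballs over plain FTP/HTTP and builds them without any integrity check. A fail-closed digest check that could run right after the wget lines; the function name `verify_pinned` and the pin file `SHA256SUMS`, obtained out of band, are assumptions.

```shell
#!/bin/bash
# Added example: fail-closed digest check for downloaded source tarballs.
# Pin file format (assumption): "<sha256-hex>  <filename>" per line,
# i.e. what `sha256sum FILE` prints.

# verify_pinned DIR PINS FILE...
# Returns 0 only if every FILE has a pin in PINS and its digest matches.
verify_pinned() {
    local dir="$1" pins="$2"
    shift 2
    local f want got rc=0
    for f in "$@"; do
        # Exact filename match on column 2; strip sha256sum's
        # binary-mode "*" prefix and normalise the hex to lowercase.
        want=$(awk -v n="$f" \
            '{ name = $2; sub(/^\*/, "", name) }
             name == n { print tolower($1); exit }' "$pins" 2>/dev/null)
        if [ -z "$want" ]; then
            echo "NO PIN   $f" >&2; rc=1; continue
        fi
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING  $f" >&2; rc=1; continue
        fi
        got=$(sha256sum "$dir/$f" | cut -d' ' -f1)
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $f" >&2; rc=1
        fi
    done
    return "$rc"
}

# Intended call site in the build script, before any tar/configure/make:
#   verify_pinned ./build ./SHA256SUMS \
#       "${VERSION_PCRE}.tar.gz" \
#       "${VERSION_LIBRESSL}.tar.gz" \
#       "${VERSION_HAPROXY}.tar.gz" || exit 1
```

A tarball with no pin is treated the same as a mismatch, so adding a fourth download without pinning it stops the build.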






clone traffic with haproxy

2016-01-27 Thread Michael Rennecke
Hello,

is it possible to send traffic to 2 backends with HAProxy? One backend
handle the live traffic and the second is the staging version. If all
looks fine, I will switch the backends. I use HAProxy 1.6.3

Cheers,
Michael



Re: Stats in frontend

2016-01-12 Thread Michael Rennecke
Hi,

Thanks, exactly this.

Cheers,
Michael

On 12.01.2016 20:04, PiBa-NL wrote:
> Hi,
> I think you're looking for this?: option socket-stats
> Regards,
> PiBa-NL
> On 12-1-2016 at 19:35, Michael Rennecke wrote:
>> Hello,
>>
>> is it possible to show separate stats for every bind line in a frontend? I
>> use haproxy 1.6.3.
>>
>>
>> global
>>  maxconn 4000
>>
>>  tune.ssl.default-dh-param 4096
>>  ssl-default-bind-ciphers CHACHA20+EECDH:AES256+EECDH
>>  ssl-default-bind-options force-tlsv12
>>
>>  ssl-dh-param-file /etc/haproxy/dh4096.pem
>>
>>
>>  user haproxy
>>  group nobody
>>  daemon
>>  chroot /var/lib/haproxy
>>
>>  stats socket /var/run/haproxy.sock mode 660 level admin
>>
>> defaults
>>  mode http
>>  timeout connect 5s
>>  timeout client 5s
>>  timeout server 5s
>>
>>  timeout http-keep-alive 70s
>>
>>  stats scope .
>>
>>  option forwardfor
>>
>>
>> frontend http-in
>>  bind :443 tfo ssl crt /etc/haproxy/certs/foo.example.pem crt /etc/haproxy/certs/ ecdhe secp384r1 name ssl-traffic
>>  bind :80 tfo name http-traffic
>>  bind :2000 tfo name intern-traffic
>>
>>
>>  http-response set-header X-Frame-Options DENY
>>  http-response set-header X-Content-Type-Options nosniff
>>  http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubdomains;\ preload
>>
>>
>>  http-request redirect scheme https code 301 if !{ ssl_fc }
>>
>>  http-request set-header X-Forwarded-Proto https
>>
>>  use_backend stats   if { path_beg /haproxy/stats }
>>  use_backend nginx   if { hdr(Host) -m beg nginx }
>>  use_backend apache  if { hdr(Host) -m beg apache }
>>
>>  default_backend nginx
>>
>>
>>
>> backend nginx
>>  server nginx1 10.0.0.2:81 check
>>  server nginx2 10.0.0.3:81 check backup
>>
>>
>> backend apache
>>  server apache1 10.0.0.5:82 check
>>  server apache2 10.0.0.6:82 check backup
>>
>>
>> backend stats
>>  stats enable
>>  stats show-legends
>>  stats realm Haproxy\ Statistics
>>  stats uri /haproxy/stats
>>  stats refresh 30s
>>
> 

-- 
My current project:
https://0rph3us.github.io/



Stats in frontend

2016-01-12 Thread Michael Rennecke
Hello,

is it possible to show separate stats for every bind line in a frontend? I
use haproxy 1.6.3.


global
    maxconn 4000

    tune.ssl.default-dh-param 4096
    ssl-default-bind-ciphers CHACHA20+EECDH:AES256+EECDH
    ssl-default-bind-options force-tlsv12

    ssl-dh-param-file /etc/haproxy/dh4096.pem


    user haproxy
    group nobody
    daemon
    chroot /var/lib/haproxy

    stats socket /var/run/haproxy.sock mode 660 level admin

defaults
    mode http
    timeout connect 5s
    timeout client 5s
    timeout server 5s

    timeout http-keep-alive 70s

    stats scope .

    option forwardfor


frontend http-in
    bind :443 tfo ssl crt /etc/haproxy/certs/foo.example.pem crt /etc/haproxy/certs/ ecdhe secp384r1 name ssl-traffic
    bind :80 tfo name http-traffic
    bind :2000 tfo name intern-traffic


    http-response set-header X-Frame-Options DENY
    http-response set-header X-Content-Type-Options nosniff
    http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubdomains;\ preload


    http-request redirect scheme https code 301 if !{ ssl_fc }

    http-request set-header X-Forwarded-Proto https

    use_backend stats   if { path_beg /haproxy/stats }
    use_backend nginx   if { hdr(Host) -m beg nginx }
    use_backend apache  if { hdr(Host) -m beg apache }

    default_backend nginx



backend nginx
    server nginx1 10.0.0.2:81 check
    server nginx2 10.0.0.3:81 check backup


backend apache
    server apache1 10.0.0.5:82 check
    server apache2 10.0.0.6:82 check backup


backend stats
    stats enable
    stats show-legends
    stats realm Haproxy\ Statistics
    stats uri /haproxy/stats
    stats refresh 30s



Add a X-Server-Name response header

2016-01-07 Thread Michael Rennecke
Hello,

can I add the name (or IP address) of the backend server in an
X-Server-Name response header, like this? (This was a special wish of a
developer - don't touch my old software...)


backend www
    http-response set-header X-Server-Name %[backendserver]

    server www01 10.0.1.10:80 check
    server www02 10.0.1.11:80 check
    server www03 10.0.0.12:80 check
    server www04 10.0.0.13:80 check
    server www05 10.0.0.14:80 check
server www05 10.0.0.14:80 check



Cheers,
Michael



Re: certificate generation

2015-09-07 Thread Michael Rennecke

I will build a home automation project (seafile, temperature sensor,
OpenVPN, print server, ...). All SSL connections are terminated on an
HAProxy. If you use multiple domains. For example a dyndns domain for
the internal stuff, a domain for the blog, a domain inside the house.
OpenVPN comes with a cool tool, Easy-RSA. It is easy to build a CA with
a SubCA and generate certificates. It is possible to generate the
certificates for all domains.

Currently, I use SNI and a pre-generated certificate. A buddy mentioned
(he works on the same project) that a SubCA and the certificate
generation is cooler.

We will use elliptic curves for the CA. All our clients can handle
elliptic curve certificates.

best,
Michael



On 05.09.2015 04:16, Jeff Palmer wrote:
> Can you explain what the overall goal is?  I suspect that even if
> you could dynamically generate new certificates on the fly, the
> overhead to do so would be prohibitively expensive.
> 
> If you are attempting to do this for security, it's probably worth 
> pointing out that it is insanely easy to configure HAProxy to use
> only strong ciphers that support perfect forward secrecy. Put
> simply, it negotiates a new and unique 'session key' (called an
> ephemeral key) between the client and server on each new session.
> 
> If you are attempting to do this for another reason, maybe you
> could describe the end goal. Almost certainly there is a more
> scalable option than dynamically generating new certificates as
> described.
> 
> On Sep 4, 2015 5:34 PM, "Michael Rennecke"
> <michael.renne...@gmail.com <mailto:michael.renne...@gmail.com>>
> wrote:
> 
> Hello,
> 
> is it possible with HAProxy to generate a certificate for each
> incoming hostname on the fly? I will use subca for HAProxy. I think
> to generate the certificates on the fly is cooler than a
> certificate for each hostname.
> 
> I found possibilities to generate the certificate, but this
> doesn't work :-(
> 
> bind unix@/var/run/haproxy_ssl_ecc.sock accept-proxy ssl crt /etc/haproxy/ecc_star.rennecke.dyndns.dk.pem ca-sign-file /etc/haproxy/ecc_subca.pem ecdhe secp521r1 user nobody generate-certificates
> 
> ecc_subca.pem included the subca and the key. The key has no
> pass phrase. I will balance some other (fun) TLDs with haproxy - my
> small home automation project
> 
> Cheers, Michael
> 
> 
> 

-- 
My current project:
https://0rph3us.github.io/



certificate generation

2015-09-04 Thread Michael Rennecke

Hello,

is it possible with HAProxy to generate a certificate for each
incoming hostname on the fly? I will use subca for HAProxy. I think to
generate the certificates on the fly is cooler than a certificate for
each hostname.

I found possibilities to generate the certificate, but this doesn't
work :-(

bind unix@/var/run/haproxy_ssl_ecc.sock accept-proxy ssl crt /etc/haproxy/ecc_star.rennecke.dyndns.dk.pem ca-sign-file /etc/haproxy/ecc_subca.pem ecdhe secp521r1 user nobody generate-certificates

ecc_subca.pem included the subca and the key. The key has no pass
phrase. I will balance some other (fun) TLDs with haproxy - my small
home automation project

Cheers,
Michael


-- 
My current project:
https://0rph3us.github.io/