Re: Issue with checks after 2.0.6
Hello,

I had the same problem after upgrading from 2.0.5 to 2.0.6. I ignored the mistake and rolled back. I thought the mistake was mine. I use the self-compiled versions only privately.

The logs, config and build script are in the attachment. HAProxy runs on a Debian 9 VM.

Cheers,
Michael

On 14.09.19 at 13:08, GARDAIS Ionel wrote:
> Hi,
>
> I've just upgraded to 2.0.6 and all server checks went erratic.
> I had to disable checks for the servers to be reachable.
>
> The observed behavior was a flip-flap (but mostly down) of server
> availability with L4TOUT when the server was considered unresponsive.
>
> Ionel

build-haproxy.sh Description: application/shellscript

Sep 16 21:06:13 mail haproxy[21253]: Proxy http started.
Sep 16 21:06:13 mail haproxy[21253]: Proxy bk_apache started.
Sep 16 21:06:13 mail haproxy[21253]: [NOTICE] 258/210613 (21253) : New worker #1 (21255) forked
Sep 16 21:06:13 mail haproxy[21253]: Proxy bk_gogs started.
Sep 16 21:06:13 mail haproxy[21253]: Proxy bk_prosody started.
Sep 16 21:06:13 mail haproxy[21253]: Proxy bk_smokeping started.
Sep 16 21:06:13 mail haproxy[21253]: Proxy bk_odroid started.
Sep 16 21:06:13 mail haproxy[21253]: Proxy bk_stats started.
Sep 16 21:00:33 mail haproxy[19453]: [WARNING] 258/210033 (19453) : Exiting Master process...
Sep 16 21:00:33 mail haproxy[19453]: [ALERT] 258/210033 (19453) : Current worker #1 (19454) exited with code 143 (Terminated)
Sep 16 21:00:33 mail haproxy[19453]: [WARNING] 258/210033 (19453) : All workers exited. Exiting... (0)
Sep 16 21:00:33 mail haproxy[20273]: Proxy http started.
Sep 16 21:00:33 mail haproxy[20273]: Proxy bk_apache started.
Sep 16 21:00:33 mail haproxy[20273]: [NOTICE] 258/210033 (20273) : New worker #1 (20274) forked
Sep 16 21:00:33 mail haproxy[20273]: Proxy bk_gogs started.
Sep 16 21:00:33 mail haproxy[20273]: Proxy bk_prosody started.
Sep 16 21:00:33 mail haproxy[20273]: Proxy bk_smokeping started.
Sep 16 21:00:33 mail haproxy[20273]: Proxy bk_odroid started.
Sep 16 21:00:33 mail haproxy[20273]: Proxy bk_stats started.
Sep 16 21:00:34 mail ansible-systemd: Invoked with no_block=False force=None name=haproxy daemon_reexec=False enabled=None daemon_reload=False state=reloaded masked=None scope=None user=None
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20273) : Reexecuting Master process
Sep 16 21:00:34 mail haproxy[20273]: Proxy http started.
Sep 16 21:00:34 mail haproxy[20273]: Proxy bk_apache started.
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20274) : Stopping frontend GLOBAL in 0 ms.
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20274) : Stopping frontend http in 0 ms.
Sep 16 21:00:34 mail haproxy[20273]: Proxy bk_gogs started.
Sep 16 21:00:34 mail haproxy[20273]: [NOTICE] 258/210034 (20273) : New worker #1 (20303) forked
Sep 16 21:00:34 mail haproxy[20273]: Proxy bk_prosody started.
Sep 16 21:00:34 mail haproxy[20273]: [ALERT] 258/210034 (20274) : sendmsg()/writev() failed in logger #1: No such file or directory (errno=2)
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20274) : Stopping backend bk_apache in 0 ms.
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20274) : Stopping backend bk_gogs in 0 ms.
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20274) : Stopping backend bk_prosody in 0 ms.
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20274) : Stopping backend bk_smokeping in 0 ms.
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20274) : Stopping backend bk_odroid in 0 ms.
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20274) : Stopping backend bk_stats in 0 ms.
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20274) : Proxy GLOBAL stopped (FE: 1 conns, BE: 1 conns).
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20274) : Proxy http stopped (FE: 0 conns, BE: 0 conns).
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20274) : Proxy bk_apache stopped (FE: 0 conns, BE: 0 conns).
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20274) : Proxy bk_gogs stopped (FE: 0 conns, BE: 0 conns).
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20274) : Proxy bk_prosody stopped (FE: 0 conns, BE: 0 conns).
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20274) : Proxy bk_smokeping stopped (FE: 0 conns, BE: 0 conns).
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20274) : Proxy bk_odroid stopped (FE: 0 conns, BE: 0 conns).
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20274) : Proxy bk_stats stopped (FE: 0 conns, BE: 0 conns).
Sep 16 21:00:34 mail haproxy[20273]: Proxy bk_smokeping started.
Sep 16 21:00:34 mail haproxy[20273]: Proxy bk_odroid started.
Sep 16 21:00:34 mail haproxy[20273]: Proxy bk_stats started.
Sep 16 21:00:34 mail haproxy[20273]: libgcc_s.so.1 must be installed for pthread_cancel to work
Sep 16 21:00:34 mail haproxy[20273]: [WARNING] 258/210034 (20273) : Former worker #1 (20274) exited
Re: Odd H2 in Chrome...
Hello,

I also have problems with h2 and HTTP 1.1 backends (Apache/2.4.25, gogs) since the update to haproxy 2.0, see my build script. I would say all domains with cookies are broken. Disabling h2 or disabling htx works for me.

My config:

defaults
    log global
    mode http
    option httplog
    option dontlognull
    option tcp-smart-connect
    option tcp-smart-accept
    # use kernel splice system call to lower latency
    option splice-auto
    option forwardfor
    option socket-stats
    no option http-use-htx

    timeout http-request 20s
    timeout connect 5s
    timeout client 50s
    timeout server 50s
    timeout check 800

frontend http
    bind *:80 name http
    bind *:443 name https ssl crt /etc/haproxy/certs/foo.pem crt /etc/haproxy/certs/ ecdhe secp384r1 alpn h2,http/1.1
    # bind *:443 name https ssl crt /etc/haproxy/certs/foo.pem crt /etc/haproxy/certs/ ecdhe secp384r1 alpn http/1.1

    compression algo gzip
    compression type text/html text/plain text/javascript application/javascript application/xml text/css

    # force https for known domains
    acl hostname_has_backend hdr(Host),lower,map(/etc/haproxy/hostname2backend.map) -m found
    http-request redirect scheme https code 301 if !{ ssl_fc } hostname_has_backend

    # stats backend
    acl stats-acl path_beg /haproxy
    use_backend bk_stats if stats-acl

    # routing for known domains
    use_backend bk_%[hdr(Host),lower,map(/etc/haproxy/hostname2backend.map)] if hostname_has_backend

backend bk_apache
    server apache 127.0.0.1:8080 check

Michael

On 20.06.19 at 17:13, Lukas Tribus wrote:
> On Thu, 20 Jun 2019 at 09:24, Igor Pav wrote:
>>
>> Hi Lukas,
>>
>> Found when using h2, the request URI to squid is / without
>> http://example.com/, so squid return 400 error...
>
> Can you disable htx and check again:
> no option http-use-htx
>
> in the default section.
>
>
> Lukas

build-haproxy.sh Description: application/shellscript
Coding style for config files
Hello,

I know this question is stupid. Is there a coding style for config files, like this: http://www.haproxy.org/coding-style.html ?

Cheers,
Michael
Re: Question about build HAProxy for Solaris 11
Hi,

I don't have a SPARC box with Solaris for testing. You can try to build HAProxy yourself. I use this script to build HAProxy for ARM. It should run on Solaris with some changes.

TARGET=solaris
NB_PROC=

#!/bin/bash

# names of latest versions of each package
export HAPROXY_VERSION=1.6.3
export VERSION_PCRE=pcre-8.38
export VERSION_LIBRESSL=libressl-2.3.2
export VERSION_HAPROXY=haproxy-$HAPROXY_VERSION

# URLs to the source directories
export SOURCE_LIBRESSL=ftp://ftp.openbsd.org/pub/OpenBSD/LibreSSL/
export SOURCE_PCRE=ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/
export SOURCE_HAPROXY=http://www.haproxy.org/download

# clean out any files from previous runs of this script
rm -rf build
mkdir build

# proc for building faster
NB_PROC=$(grep -c ^processor /proc/cpuinfo)

# ensure that we have the required software
#sudo apt-get -y install curl wget build-essential libgd-dev libgeoip-dev checkinstall git

# grab the source files
echo "Download sources"
wget -P ./build "${SOURCE_PCRE}${VERSION_PCRE}.tar.gz"
wget -P ./build "${SOURCE_LIBRESSL}${VERSION_LIBRESSL}.tar.gz"
wget -P ./build "${SOURCE_HAPROXY}/$(echo $HAPROXY_VERSION | cut -d. -f 1-2)/src/$VERSION_HAPROXY.tar.gz"

# expand the source files
echo "Extract Packages"
cd build || exit 1
tar xfz "${VERSION_HAPROXY}.tar.gz"
tar xfz "${VERSION_LIBRESSL}.tar.gz"
tar xfz "${VERSION_PCRE}.tar.gz"
cd ../ || exit 1

export BPATH="${PWD}/build"
export STATICLIBSSL="${BPATH}/${VERSION_LIBRESSL}"

# build static LibreSSL
echo "Configure & Build LibreSSL"
cd "${STATICLIBSSL}" || exit 1
./configure --prefix="${STATICLIBSSL}/_openssl/" --enable-shared=no && make install-strip -j "${NB_PROC}"

# build pcre
export STATICLIPCRE="${BPATH}/${VERSION_PCRE}"
cd "${STATICLIPCRE}" || exit 1
./configure --prefix="${STATICLIPCRE}/_pcre" --enable-shared=no --enable-utf8 --enable-jit
make -j "${NB_PROC}"
make install

echo "Build HAProxy"
cd "${BPATH}/${VERSION_HAPROXY}" || exit 1
make \
    -j "${NB_PROC}" \
    TARGET=linux2628 \
    USE_STATIC_PCRE=1 \
    USE_PCRE_JIT=1 \
    PCRE_LIB="${STATICLIPCRE}/_pcre/lib" \
    PCRE_INC="${STATICLIPCRE}/_pcre/include" \
    USE_OPENSSL=1 \
    SSL_INC="${STATICLIBSSL}/_openssl/include" \
    SSL_LIB="${STATICLIBSSL}/_openssl/lib" \
    USE_ZLIB=1 \
    DEFINE="-fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2"

echo "All done."
echo "become root and type: "
echo " cp build/haproxy-${HAPROXY_VERSION}/haproxy /usr/local/sbin"

On 02.03.2016 02:51, Samuel Crowell wrote:
> I noticed that ya’ll have the binaries for HAProxy 1.4, is there any plan to
> build the executables for newer versions (1.6, etc.)?
>
> It’s hard for me to build from source at work due to missing required
> libraries. It would be nice if I still had the option to grab a version
> already compiled for Solaris.
>
> Thanks for the help and your product is great.
>
> Sam Crowell
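The build script in the message above fetches its tarballs over plain FTP and HTTP and unpacks them without any integrity check. The following is an added example, not part of the original post: a helper that extracts a tarball only if it matches a SHA-256 digest pinned in a manifest. The function names and the sha256sum-style manifest format are assumptions, and the pinned digests are assumed to come from a source you trust independently of the download.

```shell
#!/bin/sh
# Added example (not from the original mail): verify before extract.

# sha256_of FILE: print the lowercase hex SHA-256 of FILE, using
# whichever of the common tools is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# pinned_digest MANIFEST NAME: print the digest pinned for NAME.
# Manifest lines look like "<64 hex chars>  <file name>" (sha256sum
# output; a leading "*" binary marker on the name is tolerated).
# Fails unless exactly one well-formed entry exists, so a missing or
# duplicated pin is never treated as a match. Names with spaces are
# not supported.
pinned_digest() {
    awk -v name="$2" '
        { f = $2; sub(/^\*/, "", f) }
        f == name && length($1) == 64 { d = $1; n++ }
        END { if (n != 1) exit 1; print d }
    ' "$1"
}

# verify_and_extract MANIFEST TARBALL DESTDIR
# Returns 0 on success, 2 if no usable pin exists, 3 on digest
# mismatch, 4 if extraction fails. DESTDIR is only created after the
# digest has matched.
verify_and_extract() {
    manifest=$1 tarball=$2 dest=$3
    want=$(pinned_digest "$manifest" "$(basename "$tarball")") || return 2
    got=$(sha256_of "$tarball") || return 3
    if [ "$got" != "$want" ]; then
        echo "digest mismatch for $tarball" >&2
        return 3
    fi
    mkdir -p "$dest" && tar xzf "$tarball" -C "$dest" || return 4
}
```

In the build script this would take the place of the bare `tar xfz` calls, with one manifest line per downloaded tarball.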
clone traffic with haproxy
Hello,

is it possible to send traffic to 2 backends with HAProxy? One backend handles the live traffic and the second is the staging version. If all looks fine, I will switch the backends.

I use HAProxy 1.6.3.

Cheers,
Michael
Re: Stats in frontend
Hi,

thanks, exactly this.

Cheers,
Michael

On 12.01.2016 20:04, PiBa-NL wrote:
> Hi,
> I think you're looking for this?: option socket-stats
> Regards,
> PiBa-NL
> On 12-1-2016 at 19:35, Michael Rennecke wrote:
>> Hello,
>>
>> is it possible to show separate stats for every bind line in a frontend? I
>> use haproxy 1.6.3.
>>
>>
>> global
>>     maxconn 4000
>>
>>     tune.ssl.default-dh-param 4096
>>     ssl-default-bind-ciphers CHACHA20+EECDH:AES256+EECDH
>>     ssl-default-bind-options force-tlsv12
>>
>>     ssl-dh-param-file /etc/haproxy/dh4096.pem
>>
>>
>>     user haproxy
>>     group nobody
>>     daemon
>>     chroot /var/lib/haproxy
>>
>>     stats socket /var/run/haproxy.sock mode 660 level admin
>>
>> defaults
>>     mode http
>>     timeout connect 5s
>>     timeout client 5s
>>     timeout server 5s
>>
>>     timeout http-keep-alive 70s
>>
>>     stats scope .
>>
>>     option forwardfor
>>
>>
>> frontend http-in
>>     bind :443 tfo ssl crt /etc/haproxy/certs/foo.example.pem crt /etc/haproxy/certs/ ecdhe secp384r1 name ssl-traffic
>>     bind :80 tfo name http-traffic
>>     bind :2000 tfo name intern-traffic
>>
>>
>>     http-response set-header X-Frame-Options DENY
>>     http-response set-header X-Content-Type-Options nosniff
>>     http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubdomains;\ preload
>>
>>
>>     http-request redirect scheme https code 301 if !{ ssl_fc }
>>
>>     http-request set-header X-Forwarded-Proto https
>>
>>     use_backend stats if { path_beg /haproxy/stats }
>>     use_backend nginx if { hdr(Host) -m beg nginx }
>>     use_backend apache if { hdr(Host) -m beg apache }
>>
>>     default_backend nginx
>>
>>
>>
>> backend nginx
>>     server nginx1 10.0.0.2:81 check
>>     server nginx2 10.0.0.3:81 check backup
>>
>>
>> backend apache
>>     server apache1 10.0.0.5:82 check
>>     server apache2 10.0.0.6:82 check backup
>>
>>
>> backend stats
>>     stats enable
>>     stats show-legends
>>     stats realm Haproxy\ Statistics
>>     stats uri /haproxy/stats
>>     stats refresh 30s
>>
>

--
My current project: https://0rph3us.github.io/
Stats in frontend
Hello,

is it possible to show separate stats for every bind line in a frontend? I use haproxy 1.6.3.

global
    maxconn 4000

    tune.ssl.default-dh-param 4096
    ssl-default-bind-ciphers CHACHA20+EECDH:AES256+EECDH
    ssl-default-bind-options force-tlsv12

    ssl-dh-param-file /etc/haproxy/dh4096.pem

    user haproxy
    group nobody
    daemon
    chroot /var/lib/haproxy

    stats socket /var/run/haproxy.sock mode 660 level admin

defaults
    mode http
    timeout connect 5s
    timeout client 5s
    timeout server 5s

    timeout http-keep-alive 70s

    stats scope .

    option forwardfor

frontend http-in
    bind :443 tfo ssl crt /etc/haproxy/certs/foo.example.pem crt /etc/haproxy/certs/ ecdhe secp384r1 name ssl-traffic
    bind :80 tfo name http-traffic
    bind :2000 tfo name intern-traffic

    http-response set-header X-Frame-Options DENY
    http-response set-header X-Content-Type-Options nosniff
    http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubdomains;\ preload

    http-request redirect scheme https code 301 if !{ ssl_fc }

    http-request set-header X-Forwarded-Proto https

    use_backend stats if { path_beg /haproxy/stats }
    use_backend nginx if { hdr(Host) -m beg nginx }
    use_backend apache if { hdr(Host) -m beg apache }

    default_backend nginx

backend nginx
    server nginx1 10.0.0.2:81 check
    server nginx2 10.0.0.3:81 check backup

backend apache
    server apache1 10.0.0.5:82 check
    server apache2 10.0.0.6:82 check backup

backend stats
    stats enable
    stats show-legends
    stats realm Haproxy\ Statistics
    stats uri /haproxy/stats
    stats refresh 30s
Add a X-Server-Name response header
Hello,

can I add the name (or IP address) of the backend server in an X-Server-Name response header, like this? (This was a special wish of a developer - don't touch my old software...)

backend www
    http-response set-header X-Server-Name %[backendserver]

    server www01 10.0.1.10:80 check
    server www02 10.0.1.11:80 check
    server www03 10.0.0.12:80 check
    server www04 10.0.0.13:80 check
    server www05 10.0.0.14:80 check

Cheers,
Michael
Re: certificate generation
I will build a home automation project (seafile, temperature sensor, open vpn, print server, ...). All SSL connections are terminated on a HAProxy. If you use multiple domains. For example a dyndns domain for the intern stuff, a domain for the blog, a domain inside the house.

OpenVPN comes with a cool tool, easy RSA. It is easy to build a CA with SubCA and generate certificates. It is possible to generate the certificates for all domains.

Currently, I use SNI and a pre-generated certificate. A buddy mentioned (he works on the same project) that a SubCA and the certificate generation is cooler. We will use elliptic curves for the CA. All our clients can handle elliptic curve certificates.

best,
Michael

On 05.09.2015 04:16, Jeff Palmer wrote:
> Can you explain what the overall goal is? I suspect that even if
> you could dynamically generate new certificates on the fly, the
> overhead to do so would be prohibitively expensive.
>
> If you are attempting to do this for security, it's probably worth
> pointing out that it is insanely easy to configure HAProxy to use
> only strong ciphers that support perfect forward secrecy. Put
> simply, it negotiates a new and unique 'session key' (called an
> ephemeral key) between the client and server on each new session.
>
> If you are attempting to do this for another reason, maybe you
> could describe the end goal. Almost certainly there is a more
> scalable option than dynamically generating new certificates as
> described.
>
> On Sep 4, 2015 5:34 PM, "Michael Rennecke"
> <michael.renne...@gmail.com> wrote:
>
> Hello,
>
> is it possible with HAProxy to generate a certificate for each
> incoming hostname on the fly? I will use subca for HAProxy. I think
> to generate the certificates on the fly is cooler than a
> certificate for each hostname.
>
> I found possibilities to generate the certificate, but this
> doesn't work :-(
>
> bind unix@/var/run/haproxy_ssl_ecc.sock accept-proxy ssl crt /etc/haproxy/ecc_star.rennecke.dyndns.dk.pem ca-sign-file /etc/haproxy/ecc_subca.pem ecdhe secp521r1 user nobody generate-certificates
>
> ecc_subca.pem included the subca and the key. The key has no
> pass phrase. I will balance some other (fun) TLDs with haproxy - my
> small home automation project
>
> Cheers, Michael
>

--
My current project: https://0rph3us.github.io/
certificate generation
Hello,

is it possible with HAProxy to generate a certificate for each incoming hostname on the fly? I will use subca for HAProxy. I think to generate the certificates on the fly is cooler than a certificate for each hostname.

I found possibilities to generate the certificate, but this doesn't work :-(

bind unix@/var/run/haproxy_ssl_ecc.sock accept-proxy ssl crt /etc/haproxy/ecc_star.rennecke.dyndns.dk.pem ca-sign-file /etc/haproxy/ecc_subca.pem ecdhe secp521r1 user nobody generate-certificates

ecc_subca.pem included the subca and the key. The key has no pass phrase. I will balance some other (fun) TLDs with haproxy - my small home automation project

Cheers,
Michael

--
My current project: https://0rph3us.github.io/