RE: Separated config file support
Maybe it is possible to add an include conf.d in the main config, and after that part all other config files will be automaticly included. Something like apache can do ? Met een vriendelijke groet, Mike Hoffs Mijn-Sleutel Peperstraat 33 6678 AL Oosterhout Tel: +31 (0)24 8200208 tijdens kantoor uren (09:00 - 17:00) Mail: m.ho...@mijn-sleutel.com Website: http://www.mijn-sleutel.com -Oorspronkelijk bericht- Van: Willy Tarreau [mailto:w...@1wt.eu] Verzonden: woensdag 15 juni 2011 22:08 Aan: Harvey Yau CC: haproxy@formilux.org Onderwerp: Re: Separated config file support On Wed, Jun 15, 2011 at 04:02:09PM -0400, Harvey Yau wrote: > On 6/15/11 3:59 PM, Igor wrote: > >Got a very long haproxy.conf, is there any way to separate config file > >by using any directive like include *.conf? > > > >Bests, > >-Igor > > > A config directory would be nice as well. Would make it nice and easy > to rsync config files around as well - pretty nice. You can already specify "-f" multiple times and all files will be merged in memory. Willy
RE: MySQL LB / Backup Config
Use it in combo with drbd and u dont have to make a complex mysql cluster to synchronise your data. Set good commit flush time and data loss of hardware failure is very minimum. Met een vriendelijke groet, Mike Hoffs Van: Ben Timby [mailto:bti...@gmail.com] Verzonden: zaterdag 7 mei 2011 19:22 Aan: Brian Carpio CC: haproxy@formilux.org Onderwerp: Re: MySQL LB / Backup Config On Fri, May 6, 2011 at 5:41 PM, Brian Carpio wrote: Hi, I have a very simple setup for doing load balancing for MySQL DBs. listen mysql_proxy vip01:3306 mode tcp option tcpka balance roundrobin server mysql01 mysql01:3306 weight 1 check inter 10s rise 1 fall 1 server mysql02 mysql02:3306 weight 1 check inter 10s rise 1 fall 1 backup I am using the backup option so that mysql02 ONLY begins to receive traffic if mysql01 is down. The problem with this however is that once mysql01 is back online it begins to receive traffic gain. I would like mysql02 to stay as the primary until mysql02 fails, so basically if mysql01 goes down mysql01 becomes backup. I didnt see much in the docs on how to do this, however i could have missed it Brian, while HAProxy can load balance any protocol, my suggestion to you would be to look into Heartbeat to perform this task for you. It does not load balance like HAProxy, but allows a shared IP address to be migrated between your two nodes. Once you are using Heartbeat, you can adjust the "stickyness" of the MySQL resource to keep it from immediately failing back to the original primary node. For me, Heartbeat has worked very well with both MySQL and PostgreSQL. Not only can it migrate the IP address, but you can also put other scripts or services under it's control so that failing over can also toggle replication settings or anything else you need done. I think in this case Heartbeat is the tool better suited for the job than HAProxy. I personally use Heartbeat with the Pacemaker cluster resource manager. There are a ton of how-to articles for MySQL+Heartbeat out there.
RE: Featurerequest: Scheduled Loadbalancing
Hi, If it is for http traffic, u can also use: option httpchk GET /check.php HTTP/1.0 http-check expect rstring all_is_ok When u don’t want load balancing, make sure the output is other than "all_is_ok" . Then the second server is removed from the pool. Met een vriendelijke groet, Mike Hoffs > did you consider using the control socket for this? > > http://haproxy.1wt.eu/download/1.4/doc/configuration.txt [Section 9.2] > > Some simple cron jobs with socat or a custom script will do the job. If > you generate your configs with some templating system, you can generate > matching crontabs on the fly too. > > Regards, > John
RE: Using haproxy to armour a web server
Haha, i think for the most idiots is next, next, next understandable ;-) What I mean with vmware, is that u can make a vmware image, burn in on dvd with vmware player. I think with some scripting u can also make a nice installer for it to. Long time ago I did some senior admin work at a college, dont trust those &*&(*$#% ever J Met een vriendelijke groet, ---- Mike Hoffs
RE: Using haproxy to armour a web server
I dont know how the community edition Works, but the licensed one is shipped with a nice installer for microsoft and Linux products. It is not browser plugin, but a little program u can start when u need it, it will connect to your vpn server. And setup the routing as you set it up. Met een vriendelijke groet, Mike Hoffs
RE: Using haproxy to armour a web server
I was also thinking about openVPN, we use is for some customers, it is awesome. U can put all the students in one group with only access to that tomcat server. And also it is not that expensive, dont buy a license for the number of students, but the number that u think how many will use It concurrent at a given time. Keep it in mind if u dont find a good solution. Met een vriendelijke groet, Mike Hoffs
RE: Using haproxy to armour a web server
What is the reason that this internal application has to be moved to external ? Outside workers that have to reach the application ? Met een vriendelijke groet, Mike Hoffs
RE: Startup delay problem
> Wait a minute, I did not notice you were running heartbeat. It changes > a lot of things. It's taking the IP over and depending on whether it's > announcing gratuitous ARPs on fail-over and if other equipemnts accept > them, it is possible that you have to wait for a cache to expire somwhere. > Tcpdump will show that a lot better (please get the full captures, not just > screen dumps, as we'll have to dig into the MAC addresses and correlate > them with ARP traffic). Depending on the network topology, u could ping after the heartbeat taken over the ip to the routers from that ip. That solve for us a problem for long term arp caches sometimes.
RE: VM benchmarks
Hi Ariel, If u want i can do some tests on Intel modular server with empty vtrak storage on vmware virtualization platform. Met een vriendelijke groet, Mike Hoffs
RE: i meet a hard problem for your help!
As far as i know acl doesnt work in tcp mode. Met een vriendelijke groet, Mike Hoffs Mijn-Sleutel Peperstraat 33 6678 AL Oosterhout Tel: +31 (0)24 8200208 tijdens kantoor uren (09:00 - 17:00) Mail: m.ho...@mijn-sleutel.com Website: http://www.mijn-sleutel.com <http://www.mijn-sleutel.com/> Van: shengtao [mailto:sheng...@uit.com.cn] Verzonden: vrijdag 22 oktober 2010 8:25 Aan: haproxy Onderwerp: i meet a hard problem for your help! now i have search many articles in order to solve the problem ,but~~ the server haproxy ip:192.168.0.12 /space is a context for a java web project In my proxy.cfg: frontend https_proxy bind :443 mode tcp acl is_ssl req_ssl_ver 2:3.1 tcp-request content accept if is_ssl timeout client 5m option forwardfor default_backend NginxDefine acl req_pubsub_path req_path /space use_backend USpaceDefine2 if req_pubsub_path now when i enter https://192.168.0.12 <https://192.168.0.12> ,it can turn into the NginxDefine,but when i input https://192.168.0.12/space <https://192.168.0.12/space> it can not enter! i have a try to replace the criterion "req_path" with path or url_path and so on,but i doest not matter!why ??? At last,i remember that dealing with the http request is not meet this problem: frontend https=_proxy bind :80 mode tcp timeout client 5m option forwardfor default_backend NginxDefine acl req_pubsub_path req_path /space use_backend USpaceDefine2 if req_pubsub_path i beg your ans: thanks!! 2010-10-22 shengtao
RE: HAProxy Stunnel end-to-end SSL
Have u tried mode tcp ? Met een vriendelijke groet, Mike Hoffs
RE: delivery failed
PLZ delete attachment in this thread, contains virus.
Re: ipv6 implementation forwardfor except
Beantwoorden Allen beantwoorden Doorsturen Van: Mike Hoffs Aan: Willy Tarreau Datum: 10/17/2010 09:40 PM Onderwerp: Re: ipv6 implementation forwardfor except > > > Hi Mike, > > > > > > > Is it possible to implement at forwardfor except ipv6 ? > > > > > > It should not be hard to do. However, as noted in the source, it's a bit > > > useless, because while IPv6 is used over the net, it's particularly rare > > > on the local network, and the "except" keyword is only used to reference > > > your local SSL proxies. Most often, it will only contain 127.0.0.0/8 or > > > your local LAN address. > > > > I know but then we need two entry's for haproxy for one single ipv6 > address that we tunnel to ipv4. > > > > > > > > > Now it is only possible to except a ipv4 address. If that is possible > we > > > can also make the legacy stuff with ssl ipv6 reachable. > > > > > > In my opinion, this is independant. You can very well have your SSL > reverse > > > proxy receive IPv6 traffic and forward it to haproxy on 127.0.0.1 > (IPv4). > > > > > > Do you have a concrete example where it's really needed ? > > > > Yes; > > > > Haproxy is configured to listen on ipv6 at port 80, both should be > reachable (80 & 443). With stunnel we capture 443 traffic, and tunnel it to > the single entry in haproxy. Haproxy is configured with forwardfor, stunnel > also. Now we have 2 ipv6 in the headers, and it would be nice to except the > local ipv6. With the solution to handle it on the local ipv4 should do the > trick but with many ssl hosts its a bit messy. With single entry we keep te > haproxy config clean. > > OK I see. I agree with you that if your setup is IPv6-only, then it makes > sense. It's not a common setup though. I'll try to figure out the required > changes to support that. I think more hosters in the same situation who want to adopt ipv6 also for the legacy stuff will run in this situation. It will be a great addition for us and hopefully for others. We run version 1.4.8 if u want i can test the changes. > > Regards, > Willy > Thanks in advance, Regards, Mike
Re: ipv6 implementation forwardfor except
> Hi Mike, > > > Is it possible to implement at forwardfor except ipv6 ? > > It should not be hard to do. However, as noted in the source, it's a bit > useless, because while IPv6 is used over the net, it's particularly rare > on the local network, and the "except" keyword is only used to reference > your local SSL proxies. Most often, it will only contain 127.0.0.0/8 or > your local LAN address. I know but then we need two entry's for haproxy for one single ipv6 address that we tunnel to ipv4. > > > Now it is only possible to except a ipv4 address. If that is possible we > can also make the legacy stuff with ssl ipv6 reachable. > > In my opinion, this is independant. You can very well have your SSL reverse > proxy receive IPv6 traffic and forward it to haproxy on 127.0.0.1 (IPv4). > > Do you have a concrete example where it's really needed ? Yes; Haproxy is configured to listen on ipv6 at port 80, both should be reachable (80 & 443). With stunnel we capture 443 traffic, and tunnel it to the single entry in haproxy. Haproxy is configured with forwardfor, stunnel also. Now we have 2 ipv6 in the headers, and it would be nice to except the local ipv6. With the solution to handle it on the local ipv4 should do the trick but with many ssl hosts its a bit messy. With single entry we keep te haproxy config clean. > Regards, > Willy regards, Mike
ipv6 implementation forwardfor except
Is it possible to implement at forwardfor except ipv6 ? Now it is only possible to except a ipv4 address. If that is possible we can also make the legacy stuff with ssl ipv6 reachable. Thanks in advance. Met een vriendelijke groet, Mike Hoffs
ipv6 implementation forwardfor except
Is it possible to implement at forwardfor except ipv6 ? Now it is only possible to except a ipv4 address. If that is possible we can also make the legacy stuff with ssl ipv6 reachable. Thanks in advance. Met een vriendelijke groet, Mike Hoffs