Re: HAProxy clustering

2016-12-16 Thread Neil - HAProxy List
So because one loadbal can reach the service, the others can?

Log spam needs getting rid of anyway. Filter it out whether it's the
in-service or one of the out-of-service loadbals.

If you have a complex health check that creates load, make it a little
smarter and cache its result for a while.

On Fri, 16 Dec 2016 at 19:56, Jeff Palmer  wrote:

> backend health should be in on the sticktables that are shared between
> all instances,  right?
>
> With that in mind,  the inactive servers would know the backend states
> if a failover were to occur.  no sense in having the log spam, network
> traffic, and load from healthchecks that are essentially useless
> (IMO, of course)
>
> On Fri, Dec 16, 2016 at 2:50 PM, Neil - HAProxy List
>  wrote:
> > Stephan,
> >
> > I'm curious...
> >
> > Why would you want the inactive loadbal not to check the services?
> >
> > If you really really did want that you could do something horrid like tell
> > keepalived to block access to the backends with iptables when it does not own
> > the service ip
> >
> > but why? your healthchecks should be fairly lightweight?
> >
> > Neil
> >
> > On 16 Dec 2016 15:44, "Marco Corte"  wrote:
> >>
> >> Hi!
> >>
> >> I use keepalived for IP management.
> >>
> >> I use Ansible on another host to deploy the configuration on the haproxy
> >> nodes.
> >> This setup gives me better control on the configuration: it is split in
> >> several files on the Ansible host, but assembled to a single config file on
> >> the nodes.
> >> This also gives the opportunity to deploy the configuration on one node
> >> only.
> >> On the Ansible host, the configuration changes are tracked with git.
> >>
> >> I also considered an automatic replication of the config between the
> >> nodes but... I did not like the idea.
> >>
> >> .marcoc
> >
> --
> Jeff Palmer
> https://PalmerIT.net


Re: HAProxy clustering

2016-12-16 Thread Neil - HAProxy List
Stephan,

I'm curious...

Why would you want the inactive loadbal not to check the services?

If you really really did want that you could do something horrid like tell
keepalived to block access to the backends with iptables when it does not
own the service ip

but why? Your healthchecks should be fairly lightweight?

Neil


On 16 Dec 2016 15:44, "Marco Corte"  wrote:

> Hi!
>
> I use keepalived for IP management.
>
> I use Ansible on another host to deploy the configuration on the haproxy
> nodes.
> This setup gives me better control on the configuration: it is split in
> several files on the Ansible host, but assembled to a single config file on
> the nodes.
> This also gives the opportunity to deploy the configuration on one node
> only.
> On the Ansible host, the configuration changes are tracked with git.
>
> I also considered an automatic replication of the config between the
> nodes but... I did not like the idea.
>
>
> .marcoc
>
>


Re: rspadd X-Frame-Options:\ ALLOW-FROM

2016-10-15 Thread Neil - HAProxy List
Hello

The warning explains it. You are attempting to change a response based on
a request header.

Responses don't have access to request headers.

There are ways round that; this has come up on the list before, so the
archives will have an answer or two.

Neil

On 15 Oct 2016 16:28, "Amol"  wrote:

> Hi Igor,
> Thanks so much for the reply, here is the error/warning I get when I add
> your config line
>
> sudo /etc/init.d/haproxy restart
>  * Restarting haproxy haproxy [WARNING] 288/112410 (18154) : parsing
> [/etc/haproxy/haproxy.cfg:84] : anonymous acl will never match because it
> uses keyword 'req.hdr' which is incompatible with 'frontend http-response
> header rule'
> [WARNING] 288/112410 (18157) : parsing [/etc/haproxy/haproxy.cfg:84] :
> anonymous acl will never match because it uses keyword 'req.hdr' which is
> incompatible with 'frontend http-response header rule'
>
>[ OK ]
> Am I also missing something else? Like an acl rule for req.hdr?
>
> --
> *From:* Igor Cicimov 
> *To:* Amol 
> *Cc:* HAproxy Mailing Lists 
> *Sent:* Friday, October 14, 2016 6:27 PM
> *Subject:* Re: rspadd X-Frame-Options:\ ALLOW-FROM
>
> Amol,
>
> On Sat, Oct 15, 2016 at 7:21 AM, Amol  wrote:
>
> Hi,
> I am trying to configure my LB such that it can allow one of my websites
> to render the pages behind this LB.
> I am using Ubuntu 12.04 LTS
> and
> haproxy -v
> HA-Proxy version 1.5.14 2015/07/02
>
> config file entry 
> rspadd X-Frame-Options:\ ALLOW-FROM if https://load.example.com
>
>
> You are missing a condition here, try:
>
> rspadd X-Frame-Options:\ ALLOW-FROM if { req.hdr(Host) -i load.example.com }
>
>
>
>
> but i get this error
>
> [ALERT] 287/161307 (22941) : parsing [/etc/haproxy/haproxy.cfg:83] : error
> detected while parsing a 'rspadd' condition : no such ACL : '
> https://load.example.com/'.
> [ALERT] 287/161307 (22941) : Error(s) found in configuration file :
> /etc/haproxy/haproxy.cfg
> [ALERT] 287/161307 (22941) : Fatal errors found in configuration.
> 
>
>
>
> my prior setting was
> config file entry 
> rspadd X-Frame-Options:\ SAMEORIGIN
>
> and that blocked any site from rendering the pages behind this LB. But now
> I want it to allow this one link to open the pages.
>
> Please let me know if anyone has tackled this before.
>
>
>
>
> --
> Igor Cicimov | DevOps
>
>
> p. +61 (0) 433 078 728
> e. ig...@encompasscorporation.com 
> w*.* www.encompasscorporation.com
>
> a.
> Level 4, 65 York Street, Sydney 2000
>
>
>


Re: Inform backend about https for http2 connections

2016-08-06 Thread Neil - HAProxy List
Hello

If you can have the app not specify the scheme for the CSS etc., just use

//site.com/path
or
/path if it is on the same site

On 6 Aug 2016 04:33, "Igor Cicimov"  wrote:

> On 6 Aug 2016 1:31 am, "Matthias Fechner"  wrote:
> >
> > Dear all,
> >
> >
> > I use haproxy in tcp mode to have http2 working.
> > Now I have the problem that the backend has to know if the connection
> > was encrypted or not (some websites using this information to add the
> > schema to css and javascript URIs).
> >
>
> Afaik, since http2 is by default TLS encrypted, just specifying h2 as the
> protocol to the backend should be enough, I guess.
>
> > Normally I think a
> > reqadd X-Forwarded-Proto:\ https
> >
> > should do the trick.
> >
> > Will this work if working in tcp mode or are there other tricks to do
> this?
> >
> >
> > Thanks
> > Matthias
> >
> > --
> >
> > "Programming today is a race between software engineers striving to
> > build bigger and better idiot-proof programs, and the universe trying to
> > produce bigger and better idiots. So far, the universe is winning." --
> > Rich Cook
> >
> >
>


Re: Only using map file when an entry exists

2016-03-12 Thread Neil - HAProxy List
Thanks Nenad,

That works perfectly, thank you.

On 11 March 2016 at 22:37, Nenad Merdanovic  wrote:

> Hello Neil,
>
> You seem to have missed my answer, so I am gonna top post this time :)
>
> http-request redirect location %[hdr(host),map(/etc/haproxy/redirect_host.map)] code 301 if { hdr(host),map(/etc/haproxy/redirect_host.map) -m found }
>
> Regards,
> Nenad
>
> On 03/11/2016 11:32 PM, Neil - HAProxy List wrote:
> > Hello
> >
> > I've left a little time and no one has said anything more so time for me
> > to act and submit a patch.
> >
> > I want to make functions that can be used in acls and take a map and
> > provide has_key and, for completeness, has_value
> >
> > Are those names uncontroversial/suitable and, I really hope, is this
> > unnecessary as it already exists?
> >
> > I'm more than a little surprised to find myself the first to want this
> >
> > Cheers
> >
> > Neil
> >
> > On 11 Mar 2016 22:16, "Neil" <n...@iamafreeman.com> wrote:
> >
> > Hello
> >
> > I've left a little time and no one has said anything more so time
> > for me to act and submit a patch.
> >
> > I want to make functions that can be used in acls and take a map and
> > provide has_key and, for completeness, has_value
> >
> > Are those names uncontroversial/suitable and, I really hope, is
> > this unnecessary as it already exists?
> >
> > I'm more than a little surprised to find myself the first to want
> > this
> >
> > Cheers
> >
> > Neil
> >
> > On 3 Mar 2016 18:08, "Neil - HAProxy List"
> > <maillist-hapr...@iamafreeman.com> wrote:
> >
> > Thanks Conrad,
> >
> > That sort of thing looks better than what I had, and I'll give
> > it a go.
> >
> > I still think this is a bit long-winded syntax for something
> > that is probably quite a common thing to want to do?  A
> > map_contains type boolean function still seems like a good thing to
> > have?
> >
> > Thanks
> >
> > Neil
> >
> > On 3 March 2016 at 13:05, Conrad Hoffmann <con...@soundcloud.com> wrote:
> >
> > If you are using haproxy >=1.6, you might be able to do
> > something like this:
> >
> > acl no_redir var(req.redir) -m str NO_REDIR
> > http-request set-var(req.redir) hdr(host),map(/etc/haproxy/redirect_host.map,NO_REDIR)
> > http-request redirect location %[var(req.redir)] code 301 if !no_redir
> >
> > This is completely made up and untested, but I hope you get
> > the idea.
> > Avoids a second map lookup altogether, but also map lookups
> > are quite fast, so unless your map is huge you don't really need
> > to worry about this. Also, double negation, but this is just to
> > give you some idea
> >
> > Cheers,
> > Conrad
> > --
> > Conrad Hoffmann
> > Traffic Engineer
> >
> > SoundCloud Ltd. | Rheinsberger Str. 76/77, 10115 Berlin, Germany
> >
> > Managing Director: Alexander Ljung | Incorporated in England & Wales
> > with Company No. 6343600 | Local Branch Office | AG Charlottenburg |
> > HRB 110657B
> >
> >
>


Re: Only using map file when an entry exists

2016-03-11 Thread Neil - HAProxy List
Hello

I've left a little time and no one has said anything more, so time for me to
act and submit a patch.

I want to make functions that can be used in acls and take a map and
provide has_key and, for completeness, has_value.

Are those names uncontroversial/suitable and, I really hope, is this
unnecessary as it already exists?

I'm more than a little surprised to find myself the first to want this.

Cheers

Neil
On 11 Mar 2016 22:16, "Neil"  wrote:

> Hello
>
> I've left a little time and no one has said anything more, so time for me
> to act and submit a patch.
>
> I want to make functions that can be used in acls and take a map and
> provide has_key and, for completeness, has_value.
>
> Are those names uncontroversial/suitable and, I really hope, is this
> unnecessary as it already exists?
>
> I'm more than a little surprised to find myself the first to want this.
>
> Cheers
>
> Neil
> On 3 Mar 2016 18:08, "Neil - HAProxy List" <maillist-hapr...@iamafreeman.com> wrote:
>
>> Thanks Conrad,
>>
>> That sort of thing looks better than what I had, and I'll give it a go.
>>
>> I still think this is a bit long-winded syntax for something that is
>> probably quite a common thing to want to do?  A map_contains type boolean
>> function still seems like a good thing to have?
>>
>> Thanks
>>
>> Neil
>>
>> On 3 March 2016 at 13:05, Conrad Hoffmann  wrote:
>>
>>> If you are using haproxy >=1.6, you might be able to do something like
>>> this:
>>>
>>> acl no_redir var(req.redir) -m str NO_REDIR
>>> http-request set-var(req.redir) hdr(host),map(/etc/haproxy/redirect_host.map,NO_REDIR)
>>> http-request redirect location %[var(req.redir)] code 301 if !no_redir
>>>
>>> This is completely made up and untested, but I hope you get the idea.
>>> Avoids a second map lookup altogether, but also map lookups are quite
>>> fast, so unless your map is huge you don't really need to worry about this.
>>> Also, double negation, but this is just to give you some idea
>>>
>>> Cheers,
>>> Conrad
>>> --
>>> Conrad Hoffmann
>>> Traffic Engineer
>>>
>>> SoundCloud Ltd. | Rheinsberger Str. 76/77, 10115 Berlin, Germany
>>>
>>> Managing Director: Alexander Ljung | Incorporated in England & Wales
>>> with Company No. 6343600 | Local Branch Office | AG Charlottenburg |
>>> HRB 110657B
>>>
>>
>>


Re: Only using map file when an entry exists

2016-03-11 Thread Neil - HAProxy List
I'm amazed by the number of typos in one message. ;)
On 3 Mar 2016 18:08, "Neil - HAProxy List" 
wrote:

> Thanks Conrad,
>
> That sort of thing looks better than what I had, and I'll give it a go.
>
> I still think this is a bit long-winded syntax for something that is probably
> quite a common thing to want to do?  A map_contains type boolean function
> still seems like a good thing to have?
>
> Thanks
>
> Neil
>
> On 3 March 2016 at 13:05, Conrad Hoffmann  wrote:
>
>> If you are using haproxy >=1.6, you might be able to do something like
>> this:
>>
>> acl no_redir var(req.redir) -m str NO_REDIR
>> http-request set-var(req.redir) hdr(host),map(/etc/haproxy/redirect_host.map,NO_REDIR)
>> http-request redirect location %[var(req.redir)] code 301 if !no_redir
>>
>> This is completely made up and untested, but I hope you get the idea.
>> Avoids a second map lookup altogether, but also map lookups are quite
>> fast, so unless your map is huge you don't really need to worry about this.
>> Also, double negation, but this is just to give you some idea
>>
>> Cheers,
>> Conrad
>> --
>> Conrad Hoffmann
>> Traffic Engineer
>>
>> SoundCloud Ltd. | Rheinsberger Str. 76/77, 10115 Berlin, Germany
>>
>> Managing Director: Alexander Ljung | Incorporated in England & Wales
>> with Company No. 6343600 | Local Branch Office | AG Charlottenburg |
>> HRB 110657B
>>
>
>


Re: Only using map file when an entry exists

2016-03-03 Thread Neil - HAProxy List
Thanks Conrad,

That sort of thing looks better than what I had, and I'll give it a go.

I still think this is a bit long-winded syntax for something that is probably
quite a common thing to want to do?  A map_contains type boolean function
still seems like a good thing to have?

Thanks

Neil

On 3 March 2016 at 13:05, Conrad Hoffmann  wrote:

> If you are using haproxy >=1.6, you might be able to do something like
> this:
>
> acl no_redir var(req.redir) -m str NO_REDIR
> http-request set-var(req.redir) hdr(host),map(/etc/haproxy/redirect_host.map,NO_REDIR)
> http-request redirect location %[var(req.redir)] code 301 if !no_redir
>
> This is completely made up and untested, but I hope you get the idea.
> Avoids a second map lookup altogether, but also map lookups are quite fast,
> so unless your map is huge you don't really need to worry about this. Also,
> double negation, but this is just to give you some idea
>
> Cheers,
> Conrad
> --
> Conrad Hoffmann
> Traffic Engineer
>
> SoundCloud Ltd. | Rheinsberger Str. 76/77, 10115 Berlin, Germany
>
> Managing Director: Alexander Ljung | Incorporated in England & Wales
> with Company No. 6343600 | Local Branch Office | AG Charlottenburg |
> HRB 110657B
>


Only using map file when an entry exists

2016-03-03 Thread Neil - HAProxy List
Hello

HA-Proxy version 1.5.15 2015/11/01

I've got a service with some redirects for old virtual hosts to new
locations on the main website that I want to store in a map file,
/etc/haproxy/redirect_host.map, with lines like
www.oldname.com http://www.shiny.net/collections/oldname

My issue is I don't want a redirect to occur when there is no entry in the
map.

I started with

  http-request redirect location %[hdr(host),map(/etc/haproxy/redirect_host.map)] code 301

This would take out the whole site, as a request to http://www.shiny.net
gets a redirect with a blank location (and so does
http://www.shiny.net/collections/oldname); this is because they are all in
the same frontend.

So as a hack around it I've taken the first column to another file and gone
with

  acl isRedirectHost hdr(host) -i -f /etc/haproxy/acl_isRedirectHost.txt
  http-request redirect location %[hdr(host),map(/etc/haproxy/redirect_host.map)] code 301 if isRedirectHost

This works but is yuck (I'd have to automate generating the acl file from
the map: not hard but not clean). Ideally I'd like a way to only redirect
when a value is in the map. What would be fine is if there were a
contained_in_map function that I could use, something like

  http-request redirect location %[hdr(host),map(/etc/haproxy/redirect_host.map)] code 301 if %[hdr(host),contained_in_map(/etc/haproxy/redirect_host.map)]

All other suggestions very welcome too.

Thank you,

Neil


conntrack recommendations

2015-05-07 Thread Neil - HAProxy List
Hello

I'm after a 'definitivish' reference for setting up conntrack.

I've been hit by having too small a table on some new VMs, as Ubuntu, by
default, sizes the table by memory size.

Before that I was completely ignorant of the role of conntrack.

Having forced the size got rid of that, but it leaves me thinking I need to
understand this better, and whether I want to track incoming http connections
at all.  Do I just want to conntrack http connections to backends?

Googling has provided some answers but mainly more questions, and it's hard to
tell what to follow.

Anyone got a good link?  Something for the haproxy site/manuals to mention?

Thanks,

Neil


Re: Access control for stats page

2015-04-22 Thread Neil - HAProxy List
Actually

http-request deny if url_hastats !location_trusted !magic_cookie_trusted

You could have another backend with a go-away message and use_backend to that
rather than deny.
On 22 Apr 2015 03:54, "CJ Ess"  wrote:

> Very cool, thank you for the snippets!
>
> On Tue, Apr 21, 2015 at 6:55 PM, Neil - HAProxy List <
> maillist-hapr...@iamafreeman.com> wrote:
>
>> Here are some relevant snips.
>> I run this with the same address as the service.
>>
>> frontend SSL
>> ...
>> acl url_hastats url_beg /hastats
>> acl location_trusted src 123.123.123.0/24
>> acl magic_cookie_trusted hdr_sub(cookie) magicforthissiteonly=foobar_SHA1value_etc
>> use_backend hastats if url_hastats location_trusted
>> use_backend hastats if url_hastats magic_cookie_trusted
>> deny if url_hastats
>> ...
>>
>> backend hastats
>> mode http
>> stats uri /hastats
>> stats realm Service\ Loadbalancer
>> stats show-desc url.domain: Service Loadbalancer running on hostname config version
>> stats show-legends
>> stats auth admin:password
>> stats admin if TRUE
>>
>>
>> On 21 April 2015 at 21:04, Neil - HAProxy List <
>> maillist-hapr...@iamafreeman.com> wrote:
>>
>>> Hello
>>>
>>> Yep there is
>>>
>>> Have a frontend
>>>
>>> Send say /hastats to a hastats backend
>>>
>>> have the backend have its stats URL be /hastats too
>>>
>>> Set the acls in the frontend
>>>
>>> I'll post a config example in a bit.
>>>
>>> Neil
>>> On 21 Apr 2015 20:09, "CJ Ess"  wrote:
>>>
>>>> Is there a way to set up an ACL for the haproxy stats page? We do have
>>>> authentication set up for the URL, but we would feel better if we could
>>>> limit access to a whitelist of local networks. Is there a way to do that?
>>>>
>>>>
>>
>


Re: Access control for stats page

2015-04-21 Thread Neil - HAProxy List
Here are some relevant snips.
I run this with the same address as the service.

frontend SSL
...
acl url_hastats url_beg /hastats
acl location_trusted src 123.123.123.0/24
acl magic_cookie_trusted hdr_sub(cookie) magicforthissiteonly=foobar_SHA1value_etc
use_backend hastats if url_hastats location_trusted
use_backend hastats if url_hastats magic_cookie_trusted
deny if url_hastats
...

backend hastats
mode http
stats uri /hastats
stats realm Service\ Loadbalancer
stats show-desc url.domain: Service Loadbalancer running on hostname config version
stats show-legends
stats auth admin:password
stats admin if TRUE


On 21 April 2015 at 21:04, Neil - HAProxy List <
maillist-hapr...@iamafreeman.com> wrote:

> Hello
>
> Yep there is
>
> Have a frontend
>
> Send say /hastats to a hastats backend
>
> have the backend have its stats URL be /hastats too
>
> Set the acls in the frontend
>
> I'll post a config example in a bit.
>
> Neil
> On 21 Apr 2015 20:09, "CJ Ess"  wrote:
>
>> Is there a way to set up an ACL for the haproxy stats page? We do have
>> authentication set up for the URL, but we would feel better if we could
>> limit access to a whitelist of local networks. Is there a way to do that?
>>
>>


Re: Access control for stats page

2015-04-21 Thread Neil - HAProxy List
Hello

Yep there is

Have a frontend

Send say /hastats to a hastats backend

have the backend have its stats URL be /hastats too

Set the acls in the frontend

I'll post a config example in a bit.

Neil
On 21 Apr 2015 20:09, "CJ Ess"  wrote:

> Is there a way to set up an ACL for the haproxy stats page? We do have
> authentication set up for the URL, but we would feel better if we could
> limit access to a whitelist of local networks. Is there a way to do that?
>
>


Re: ldap-check with Active Directory

2015-03-31 Thread Neil - HAProxy List
Hello

I was thinking of updating the ldap-check but I think I've a better idea:
macros (well, ish).

  send-binary 300c0201 # LDAP bind request "" simple
  send-binary 01 # message ID
  send-binary 6007 # protocol Op
  send-binary 0201 # bind request
  send-binary 03 # LDAP v3
  send-binary 04008000 # name, simple authentication
  expect binary 0a0100 # bind response + result code: success
  send-binary 30050201034200 # unbind request

could be in a file named macros/ldap-simple-bind

then the option
 tcp-check-macro ldap-simple-bind

would use it. I know this is close to includes.

similarly macros/smtp-helo-quit
 connect port 25
 expect rstring ^220
 send QUIT\r\n
 expect rstring ^221


or from
http://blog.haproxy.com/2014/06/06/binary-health-check-with-haproxy-1-5-php-fpmfastcgi-probe-example/
# FCGI_BEGIN_REQUEST
 send-binary   01 # version
 send-binary   01 # FCGI_BEGIN_REQUEST
 send-binary 0001 # request id
 send-binary 0008 # content length
 send-binary   00 # padding length
 send-binary   00 #
 send-binary 0001 # FCGI responder
 send-binary 0000 # flags
 send-binary 0000 #
 send-binary 0000 #
 # FCGI_PARAMS
 send-binary   01 # version
 send-binary   04 # FCGI_PARAMS
 send-binary 0001 # request id
 send-binary 0045 # content length
 send-binary   03 # padding length: padding for content % 8 = 0
 send-binary   00 #
 send-binary 0e03524551554553545f4d4554484f44474554 # REQUEST_METHOD = GET
 send-binary 0b055343524950545f4e414d452f70696e67   # SCRIPT_NAME = /ping
 send-binary 0f055343524950545f46494c454e414d452f70696e67 # SCRIPT_FILENAME = /ping
 send-binary 040455534552524F4F54 # USER = ROOT
 send-binary 000000 # padding
 # FCGI_PARAMS
 send-binary   01 # version
 send-binary   04 # FCGI_PARAMS
 send-binary 0001 # request id
 send-binary 0000 # content length
 send-binary   00 # padding length: padding for content % 8 = 0
 send-binary   00 #

 expect binary 706f6e67 # pong

(though for items like
send-binary 0e03524551554553545f4d4554484f44474554 # REQUEST_METHOD = GET
I'd prefer a
send-as-binary "REQUEST_METHOD = GET"
)

These and many others could be shipped with haproxy.

This seems to make sense to me as they are small, contained, logical items.

Neil

On 30 March 2015 at 23:02, Baptiste  wrote:
>
> you should believe it :)
>
> On Mon, Mar 30, 2015 at 11:34 PM, Neil - HAProxy List
>  wrote:
> > Hello
> >
> > Thanks so much. That worked well, I now get
> > L7OK/0 in 0ms
> > not sure I believe the 0ms but maybe I should
> >
> > Thanks again,
> >
> > Neil
> >
> > On 30 March 2015 at 22:14, Baptiste  wrote:
> >>
> >> On Mon, Mar 30, 2015 at 10:33 PM, Neil - HAProxy List
> >>  wrote:
> >> > Hello
> >> >
> >> > I'm trying to use ldap-check with active directory and the response
> >> > active directory gives is not one ldap-check is happy to accept
> >> >
> >> > when I give a 389 directory backend ldap server all is well, when I use
> >> > AD I get 'Not LDAPv3 protocol'
> >> >
> >> > I've done a little poking about and found that
> >> > if ((msglen > 2) ||
> >> >     (memcmp(check->bi->data + 2 + msglen,
> >> >             "\x02\x01\x01\x61", 4) != 0)) {
> >> >         set_server_check_status(check,
> >> >                 HCHK_STATUS_L7RSP, "Not LDAPv3 protocol");
> >> > is where I'm getting stopped as msglen is 4
> >> >
> >> > Here is tcpdump of 389 directory response (the one that works), 2 packets
> >> > 21:29:34.195699 IP 389.ldap > HAPROXY.57109: Flags [.], ack 15, win 905,
> >> > options [nop,nop,TS val 856711882 ecr 20393440], length 0
> >> > 0x0000:  0050 5688 7042 0064 403b 2700 0800 4500  .PV.pB.d@;'...E.
> >> > 0x0010:  0034 9d07 4000 3f06 3523 ac1b e955 ac18  .4..@.?.5#...U..
> >> > 0x0020:  2810 0185 df15 5cab ffcd 63ba 77d3 8010  (.....\...c.w...
> >> > 0x0030:  0389 2c07 0000 0101 080a 3310 62ca 0137  ..,.......3.b..7
> >> > 0x0040:  2de0                                     -.
> >> > 21:29:34.195958 IP 389.ldap > HAPROXY.57109: Flags [P.], seq 1:15, ack 15,
> >> > win 905, options [nop,nop,TS val 856711882 ecr 20393440], length 14
> >> > 0x0000:  0050 5688 7042 0064 403b 2700 0800 4500  .PV.pB.d@;'...E.
> >> > 0x0010:  0042 9d08 4000 3f06 3514 ac1b e955 ac18  .B..@.?.5....U..
> >> > 0x0020:  2810 0185 df15 5cab ffcd 63ba 77d3 8018  (.....\...c.w...
> >> > 0x0030:

Re: ldap-check with Active Directory

2015-03-30 Thread Neil - HAProxy List
Hello

Thanks so much. That worked well, I now get

L7OK/0 in 0ms

not sure I believe the 0ms but maybe I should

Thanks again,

Neil

On 30 March 2015 at 22:14, Baptiste  wrote:

> On Mon, Mar 30, 2015 at 10:33 PM, Neil - HAProxy List
>  wrote:
> > Hello
> >
> > I'm trying to use ldap-check with active directory and the response
> > active directory gives is not one ldap-check is happy to accept
> >
> > when I give a 389 directory backend ldap server all is well, when I use
> > AD I get 'Not LDAPv3 protocol'
> >
> > I've done a little poking about and found that
> > if ((msglen > 2) ||
> >     (memcmp(check->bi->data + 2 + msglen,
> >             "\x02\x01\x01\x61", 4) != 0)) {
> >         set_server_check_status(check,
> >                 HCHK_STATUS_L7RSP, "Not LDAPv3 protocol");
> > is where I'm getting stopped as msglen is 4
> >
> > Here is tcpdump of 389 directory response (the one that works), 2 packets
> > 21:29:34.195699 IP 389.ldap > HAPROXY.57109: Flags [.], ack 15, win 905,
> > options [nop,nop,TS val 856711882 ecr 20393440], length 0
> > 0x0000:  0050 5688 7042 0064 403b 2700 0800 4500  .PV.pB.d@;'...E.
> > 0x0010:  0034 9d07 4000 3f06 3523 ac1b e955 ac18  .4..@.?.5#...U..
> > 0x0020:  2810 0185 df15 5cab ffcd 63ba 77d3 8010  (.....\...c.w...
> > 0x0030:  0389 2c07 0000 0101 080a 3310 62ca 0137  ..,.......3.b..7
> > 0x0040:  2de0                                     -.
> > 21:29:34.195958 IP 389.ldap > HAPROXY.57109: Flags [P.], seq 1:15, ack 15,
> > win 905, options [nop,nop,TS val 856711882 ecr 20393440], length 14
> > 0x0000:  0050 5688 7042 0064 403b 2700 0800 4500  .PV.pB.d@;'...E.
> > 0x0010:  0042 9d08 4000 3f06 3514 ac1b e955 ac18  .B..@.?.5....U..
> > 0x0020:  2810 0185 df15 5cab ffcd 63ba 77d3 8018  (.....\...c.w...
> > 0x0030:  0389 e878 0000 0101 080a 3310 62ca 0137  ...x......3.b..7
> > 0x0040:  2de0 300c 0201 0161 070a 0100 0400 0400  -.0....a........
> >
> > Here is tcpdump of active directory (broken), 1 packet
> >
> > 21:25:24.519883 IP ADSERVER.ldap > HAPROXY.57789: Flags [P.], seq 1:23, ack
> > 15, win 260, options [nop,nop,TS val 1870785 ecr 20331021], length 22
> > 0x0000:  0050 5688 7042 0050 5688 7780 0800 4500  .PV.pB.PV.w...E.
> > 0x0010:  004a 1d7d 4000 8006 34e3 ac18 280d ac18  .J.}@...4...(...
> > 0x0020:  2810 0185 e1bd 5a3f 2ae7 3ced 7b5b 8018  (.....Z?*.<.{[..
> > 0x0030:  0104 1d7a 0000 0101 080a 001c 8bc1 0136  ...z...........6
> > 0x0040:  3a0d 3084 0000 0010 0201 0161 8400 0000  :.0........a....
> > 0x0050:  070a 0100 0400 0400                      ........
> >
> > this was discussed but not finished before see
> > http://www.serverphorums.com/read.php?10,394453
> >
> > I can see the string \02\01\01\61 is there but not in the correct place
> >
> > Anyone have any ideas about fixing this so that both (and possibly other)
> > ldap implementations work?
> >
> > Thanks,
> >
> > Neil
>
>
> Hi Neil
>
> Yes you can switch to the tcp-check checking method.
> It works with binary protocols as well.
> Here is what I use for the AD in my lab:
>
>  option tcp-check
>  tcp-check connect port 389
>  tcp-check send-binary 300c0201 # LDAP bind request "" simple
>  tcp-check send-binary 01 # message ID
>  tcp-check send-binary 6007 # protocol Op
>  tcp-check send-binary 0201 # bind request
>  tcp-check send-binary 03 # LDAP v3
>  tcp-check send-binary 04008000 # name, simple authentication
>  tcp-check expect binary 0a0100 # bind response + result code: success
>  tcp-check send-binary 30050201034200 # unbind request
>
>
> You could add the same sequence for LDAPs on port 636:
>  tcp-check connect port 636 ssl
>  tcp-check send-binary 300c0201 # LDAP bind request "" simple
>  tcp-check send-binary 01 # message ID
>  tcp-check send-binary 6007 # protocol Op
>  tcp-check send-binary 0201 # bind request
>  tcp-check send-binary 03 # LDAP v3
>  tcp-check send-binary 04008000 # name, simple authentication
>  tcp-check expect binary 0a0100 # bind response + result code: success
>  tcp-check send-binary 30050201034200 # unbind request
>
>
> Note for myself: put this tip on the blog..
>
> Baptiste
>


ldap-check with Active Directory

2015-03-30 Thread Neil - HAProxy List
Hello

I'm trying to use ldap-check with active directory and the response active
directory gives is not one ldap-check is happy to accept.

When I give a 389 directory backend ldap server all is well; when I use AD
I get 'Not LDAPv3 protocol'.

I've done a little poking about and found that

if ((msglen > 2) ||
    (memcmp(check->bi->data + 2 + msglen,
            "\x02\x01\x01\x61", 4) != 0)) {
        set_server_check_status(check,
                HCHK_STATUS_L7RSP, "Not LDAPv3 protocol");

is where I'm getting stopped, as msglen is 4.

Here is tcpdump of the 389 directory response (the one that works), 2 packets:
21:29:34.195699 IP 389.ldap > HAPROXY.57109: Flags [.], ack 15, win 905,
options [nop,nop,TS val 856711882 ecr 20393440], length 0
0x0000:  0050 5688 7042 0064 403b 2700 0800 4500  .PV.pB.d@;'...E.
0x0010:  0034 9d07 4000 3f06 3523 ac1b e955 ac18  .4..@.?.5#...U..
0x0020:  2810 0185 df15 5cab ffcd 63ba 77d3 8010  (.....\...c.w...
0x0030:  0389 2c07 0000 0101 080a 3310 62ca 0137  ..,.......3.b..7
0x0040:  2de0                                     -.
21:29:34.195958 IP 389.ldap > HAPROXY.57109: Flags [P.], seq 1:15, ack 15,
win 905, options [nop,nop,TS val 856711882 ecr 20393440], length 14
0x0000:  0050 5688 7042 0064 403b 2700 0800 4500  .PV.pB.d@;'...E.
0x0010:  0042 9d08 4000 3f06 3514 ac1b e955 ac18  .B..@.?.5....U..
0x0020:  2810 0185 df15 5cab ffcd 63ba 77d3 8018  (.....\...c.w...
0x0030:  0389 e878 0000 0101 080a 3310 62ca 0137  ...x......3.b..7
0x0040:  2de0 300c 0201 0161 070a 0100 0400 0400  -.0....a........

Here is tcpdump of active directory (broken), 1 packet:

21:25:24.519883 IP ADSERVER.ldap > HAPROXY.57789: Flags [P.], seq 1:23, ack
15, win 260, options [nop,nop,TS val 1870785 ecr 20331021], length 22
0x0000:  0050 5688 7042 0050 5688 7780 0800 4500  .PV.pB.PV.w...E.
0x0010:  004a 1d7d 4000 8006 34e3 ac18 280d ac18  .J.}@...4...(...
0x0020:  2810 0185 e1bd 5a3f 2ae7 3ced 7b5b 8018  (.....Z?*.<.{[..
0x0030:  0104 1d7a 0000 0101 080a 001c 8bc1 0136  ...z...........6
0x0040:  3a0d 3084 0000 0010 0201 0161 8400 0000  :.0........a....
0x0050:  070a 0100 0400 0400                      ........

This was discussed but not finished before, see
http://www.serverphorums.com/read.php?10,394453

I can see the string \02\01\01\61 is there but not in the correct place.

Anyone have any ideas about fixing this so that both (and possibly other)
ldap implementations work?

Thanks,

Neil
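The two dumps above show why the fixed 4-byte memcmp fails: 389 Directory Server encodes the SEQUENCE and BindResponse lengths in BER short form (one byte, `30 0c` / `61 07`), while Active Directory uses the long form (`30 84 00 00 00 10` / `61 84 00 00 00 07`), which is equally valid BER and pushes the `02 01 01 61` bytes to a different offset. The check below is an added example, not HAProxy's check code and not Baptiste's tcp-check workaround: it walks the BER structure, accepts either length form, bounds every read against the buffer, and returns the LDAP resultCode so a health check can insist on 0 (success) rather than on a byte pattern. The function names are mine; the sample buffers are constructed from the LDAP bytes shown in the two tcpdumps plus one with resultCode 49 (invalidCredentials) to show a non-success reply being reported rather than misparsed.

```c
/* Added example (not HAProxy code): BER-aware parse of an LDAP BindResponse
 * that accepts short-form (389 DS) and long-form (Active Directory) lengths. */
#include <stddef.h>
#include <stdio.h>

/* Decode one BER length at buf[*pos] and advance *pos.
 * Returns the content length, or -1 for truncated input, indefinite form,
 * or a length field wider than 4 bytes. */
static long ber_length(const unsigned char *buf, size_t len, size_t *pos)
{
    if (*pos >= len)
        return -1;
    unsigned char first = buf[(*pos)++];
    if (first < 0x80)                      /* short form: length in one byte */
        return first;
    size_t nbytes = first & 0x7f;          /* long form: number of length bytes */
    if (nbytes == 0 || nbytes > 4 || *pos + nbytes > len)
        return -1;
    unsigned long value = 0;
    for (size_t i = 0; i < nbytes; i++)
        value = (value << 8) | buf[(*pos)++];
    return value > 0x7fffffffUL ? -1 : (long)value;
}

/* Parse LDAPMessage { messageID INTEGER, [APPLICATION 1] BindResponse {
 * resultCode ENUMERATED, ... } }.  Returns resultCode (0 = success) or -1 if
 * the buffer is not a well-formed, complete BindResponse.  messageID is
 * written to *msgid when msgid is non-NULL. */
int ldap_bind_result(const unsigned char *buf, size_t len, int *msgid)
{
    size_t pos = 0;
    long l;

    if (len < 2 || buf[pos++] != 0x30)                       /* SEQUENCE */
        return -1;
    if ((l = ber_length(buf, len, &pos)) < 0 || pos + (size_t)l > len)
        return -1;
    size_t end = pos + (size_t)l;

    if (pos + 2 > end || buf[pos++] != 0x02)                 /* INTEGER messageID */
        return -1;
    if ((l = ber_length(buf, end, &pos)) < 1 || l > 4 || pos + (size_t)l > end)
        return -1;
    int id = 0;
    for (long i = 0; i < l; i++)
        id = (id << 8) | buf[pos++];
    if (msgid)
        *msgid = id;

    if (pos >= end || buf[pos++] != 0x61)                    /* BindResponse tag */
        return -1;
    if ((l = ber_length(buf, end, &pos)) < 0 || pos + (size_t)l > end)
        return -1;
    size_t op_end = pos + (size_t)l;

    if (pos >= op_end || buf[pos++] != 0x0a)                 /* ENUMERATED resultCode */
        return -1;
    if ((l = ber_length(buf, op_end, &pos)) < 1 || l > 4 || pos + (size_t)l > op_end)
        return -1;
    int rc = 0;
    for (long i = 0; i < l; i++)
        rc = (rc << 8) | buf[pos++];
    return rc;
}

/* Constructed from the hex in the two tcpdumps above (LDAP payload only). */
static const unsigned char RESP_389DS[] = {
    0x30, 0x0c, 0x02, 0x01, 0x01, 0x61, 0x07,
    0x0a, 0x01, 0x00, 0x04, 0x00, 0x04, 0x00 };
static const unsigned char RESP_AD[] = {
    0x30, 0x84, 0x00, 0x00, 0x00, 0x10, 0x02, 0x01, 0x01,
    0x61, 0x84, 0x00, 0x00, 0x00, 0x07,
    0x0a, 0x01, 0x00, 0x04, 0x00, 0x04, 0x00 };
/* Constructed: AD-style framing with resultCode 49 (invalidCredentials). */
static const unsigned char RESP_BAD_CREDS[] = {
    0x30, 0x84, 0x00, 0x00, 0x00, 0x10, 0x02, 0x01, 0x01,
    0x61, 0x84, 0x00, 0x00, 0x00, 0x07,
    0x0a, 0x01, 0x31, 0x04, 0x00, 0x04, 0x00 };

int check_389ds(void) { return ldap_bind_result(RESP_389DS, sizeof RESP_389DS, NULL); }
int check_ad(void)    { return ldap_bind_result(RESP_AD, sizeof RESP_AD, NULL); }
int check_bad(void)   { return ldap_bind_result(RESP_BAD_CREDS, sizeof RESP_BAD_CREDS, NULL); }
int check_trunc(void) { return ldap_bind_result(RESP_AD, 10, NULL); } /* cut short */

int main(void)
{
    printf("389ds=%d ad=%d bad-creds=%d truncated=%d\n",
           check_389ds(), check_ad(), check_bad(), check_trunc());
    return 0;
}
```

Both real replies parse to resultCode 0 with messageID 1; the truncated buffer is rejected instead of being read past its end, which is the property a health check parser needs before it is pointed at arbitrary servers.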


Re: no-sslv3 in default

2014-10-16 Thread Neil - HAProxy List
Hello

I'd go further. SSLv3 is an obsolete protocol; does anyone disagree with
that?
For a start make no-sslv3 the default and have an enable-obsolete-sslv3
option.
Or better, make enabling it a compile-time option.

Or maybe just get rid of it altogether?

The examples on the web and in this mailing list's archive should be usable
by beginners without opening themselves up to SSLv3 issues. And
it'll save us all having to remember to type 8 chars to disable support for
something our clients do not use.
Cheers
Neil
On 15 Oct 2014 20:11, "Bryan Talbot"  wrote:

> With SSLv3 being so old, and in light of new (POODLE) exploits driving
> additional nails into its coffin, it would be nice to disable SSLv3 in a
> defaults section so that it doesn't get enabled by accident when someone
> adds a new "bind" line.
>
> Docs for 1.5 say that no-sslv3 is not supported in a defaults section.
> Can that option be added and made available in 1.5?
>
> -Bryan
>
>
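What Bryan asks for exists in 1.5, just not in a defaults section: the global `ssl-default-bind-options` directive is applied to every `bind ... ssl` line, so a new listener cannot re-enable SSLv3 by omission. The fragment below is an added example, not a configuration from this thread; the certificate path is a placeholder.

```haproxy
global
    # inherited by every "bind ... ssl" and "server ... ssl" line, so a
    # listener added later cannot re-enable SSLv3 by leaving the option out
    ssl-default-bind-options no-sslv3
    ssl-default-server-options no-sslv3

frontend https-in
    # no per-line "no-sslv3" needed any more; certificate path is a placeholder
    bind *:443 ssl crt /etc/haproxy/site.pem
    default_backend web
```

To confirm it took effect, `openssl s_client -connect lb.example.com:443 -ssl3` (with an OpenSSL build that still has an SSLv3 client, as the ones of this period do) must fail with a handshake failure, while the same command without `-ssl3` connects.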


Re: Adding Serial Number to POST Requests

2014-07-18 Thread Neil - HAProxy List
Hi

Using peers should prevent the reset when restarting?

Neil
On 16 Jul 2014 21:47, "Baptiste"  wrote:

> On Wed, Jul 16, 2014 at 7:04 PM, Jonathan Matthews
>  wrote:
> > On 16 Jul 2014 16:56, "Zuoning Yin"  wrote:
> >>
> >> We later also got the help from Willy.  He provided us a configuration
> >> which solved our problem. To benefit other people,  I just posted it
> here.
> >
> > I had meant to chime in on this thread earlier.
> >
> > What happens when your HAProxy layer loses state - be it reboot, service
> > restart or  data centre power cut? Are you risking resetting the counter
> and
> > overwriting existing data on the backend? Are you in fact treating HAP
> as a
> > single point of truth?
> >
> > J
>
> That's why I propose to use the unique-id format as well.
> You can combine a timestamp with your unique id.
> So going back to 0 is not a problem anymore.
>
> Baptiste
>
>
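The two suggestions in this thread side by side, as an added example rather than Willy's configuration (which is not on this page): Baptiste's timestamped unique id, and the peers section Neil asks about so that a stick-table counter survives a soft reload. Peer names, addresses and the server line are placeholders.

```haproxy
peers lb
    # each peer name must equal the hostname (or the -L argument) of the
    # process it designates; addresses are placeholders
    peer lb1 10.0.0.1:1024
    peer lb2 10.0.0.2:1024

frontend www
    bind *:80
    # hex-encoded client and frontend addresses, the request timestamp (%Ts),
    # a request counter that restarts at 0 with the process (%rt) and the
    # process id (%pid): the timestamp and pid keep the id unique across a
    # restart even though the counter does not
    unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
    unique-id-header X-Unique-ID
    default_backend app

backend app
    # gpc0 survives "haproxy -sf": the old process pushes the table to the
    # new one through the local peer. It does not survive a reboot or a
    # power cut, which is Jonathan's point: HAProxy must not be the single
    # source of truth for a serial number
    stick-table type ip size 100k expire 30m peers lb store gpc0
    server app1 10.0.1.10:8080 check
```

After a reload, `echo "show table app" | socat stdio /var/run/haproxy.sock` should still list the entries the old process had; after a cold start it will be empty, which is what the unique-id format has to tolerate.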


Re: Binaries for HAProxy.

2014-07-16 Thread Neil - HAProxy List
And lets not do too much to dampen any pressure to get haproxy 1.5 into
rhel7 and ubuntu1404

Neil
On 16 Jul 2014 16:12, "Ghislain"  wrote:

>
>
>> Just put http://nd-build-01.linux-appliance.net/repos/centos/
>> haproxy/haproy-centos-6x.repo under /etc/yum.repos.d/
>> and issue yum install haproxy.
>>
>
> of course you do trust the security of your entire server on  this repo ?
> before doing that just be sure of what this implies :)
>
> there is no issue on trusting someone but remember that you trust this
> someone to install software as root on your server and update the package
> when new version comes.
>
>  Do a minimum homework before authorizing repos. I do trust the debian
> team for backported 1.5 haproxy package but nevertheless i asked here if
> they were legit , verified what i could and limited the  package i accept
> from the repo to a minimum just in case. I think the same goes on for
> centOS/Redhat repos, do chack the source and if not sure build yourself  if
> there is no official sources.
>
>
> regards,
> Ghislain.
>
>
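Ghislain's advice in practice, as an added example and not a file from the repo mentioned above: a yum repository definition that refuses unsigned packages, pins the signing key you verified out of band, and lets the repository supply only haproxy, which mirrors the package pinning he describes for the Debian backport. The repository id, baseurl and key path are placeholders.

```ini
[haproxy-thirdparty]
name=Third-party HAProxy 1.5 builds
# placeholder: the thread only gives the URL of the .repo file, not a baseurl
baseurl=http://example.invalid/repos/centos/haproxy/6/$basearch/
enabled=1
# refuse packages that are not signed with the key below; fetch and verify
# that key yourself, do not let the repo hand it to you over plain http
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-haproxy-thirdparty
# only haproxy may come from this repository; a compromised or sloppy repo
# then cannot replace openssl, glibc or the kernel on your host
includepkgs=haproxy
```

`yum --disablerepo='*' --enablerepo=haproxy-thirdparty list available` shows exactly what the repository is allowed to offer, and `rpm -qi haproxy` after the install must show a Signature line naming the pinned key.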


Re: Using a WhiteList in HAProxy 1.5

2014-07-16 Thread Neil - HAProxy List
Hi

If you only have one range and it does not change often then an acl file
should be avoided.

http-request deny unless { src 123.123.123.123/24 }

If you have more than one range an acl should be used.

Only if you have many or they change often would a file suit.
It's clearer imho.

Neil
On 16 Jul 2014 17:10, "Baptiste"  wrote:

> On Wed, Jul 16, 2014 at 5:45 PM, JDzialo John  wrote:
> >
> > Hi Guys,
> >
> >
> >
> > I want to only allow certain internal company IP addresses to have
> access to one of my web farms.  I am using haproxy 1.5 on Debian 7.
> >
> >
> >
> > I am using a whitelist.lst file with the following contents...
> >
> >
> >
> > 10.0.0.0/8
> >
> >
> >
> > Here is my frontend configuration...
> >
> >
> >
> > frontend https-in
> >
> > bind *:443 ssl crt
> /etc/ssl/xxx.cert.chain.pem
> >
> > http-request allow if { src -f
> /etc/haproxy/whitelist.lst }
> >
> > reqadd X-Forwarded-Proto:https
> >
> > reqadd X-Forwarded-Port:443
> >
> > timeout client 60
> >
> >
> >
> > default-backend web
> >
> >
> >
> > However any IP is still allowed through this frontend.  It does not
> appear to be restricting access to any other IP.  Am I missing something in
> my configuration?
> >
> >
> >
> > Thanks
> >
> >
> >
> >
> >
> > John Dzialo | Linux System Administrator
> >
> > Direct 203.783.8163 | Main 800.352.0050
> >
> >
> >
> > Environmental Data Resources, Inc.
> >
> > 440 Wheelers Farms Road, Milford, CT 06461
> >
> > www.edrnet.com | commonground.edrnet.com
> >
> >
> >
> >
>
>
>
> Hi John,
>
> Please avoid HTML mails...
>
> Give a try to the following configuration:
>   http-request deny unless { src -f /etc/haproxy/whitelist.lst }
>
>
> Baptiste
>
>
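The three variants Neil describes and Baptiste's fix, assembled on John's frontend as an added example (not a configuration posted in the thread). Use exactly one of the three deny rules; the second range and the file name are placeholders. The original `http-request allow if { src -f ... }` let everyone through because allow is already the default action: it only stops rule evaluation, it never blocks anyone, so the deny has to be spelled out.

```haproxy
frontend https-in
    bind *:443 ssl crt /etc/ssl/xxx.cert.chain.pem

    # 1) a single range that rarely changes: inline, no file
    http-request deny unless { src 10.0.0.0/8 }

    # 2) a handful of ranges: one named acl (second range is a placeholder)
    acl office src 10.0.0.0/8 192.168.10.0/24
    http-request deny unless office

    # 3) many ranges or frequent changes: a file, one address or CIDR per
    #    line, reloaded with haproxy (or edited live via the stats socket)
    acl allowed src -f /etc/haproxy/whitelist.lst
    http-request deny unless allowed

    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port 443
    # a bare "60" is 60 milliseconds; the original almost certainly meant 60s
    timeout client 60s
    default_backend web
```

Check it from an address outside the range: `curl -sk -o /dev/null -w '%{http_code}\n' https://lb/` must print 403 there and 200 from inside. Note that `src` is the TCP peer address; if another proxy sits in front of this one, every client appears to come from it and the whitelist is meaningless unless you accept its `X-Forwarded-For` deliberately.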


Re: 1.5 latest segfault trying to negate acl

2014-04-10 Thread Neil - HAProxy List
Hi

Thank you, I can confirm this fixes the issue for me

Thanks,

Neil


On 9 April 2014 12:35, Willy Tarreau  wrote:

> Hi guys,
>
> sorry it took that long to take a look at it.
>
> I've just pushed the patch, it's available here :
>
>
> http://git.1wt.eu/web?p=haproxy.git;a=commitdiff_plain;h=6a0b6bd648592e73f42fb8e7341bf984d26ba8dc
>
> The bug happens when the sc0_get_gpc0() statement is applied to an
> explicit table while sc0 is not yet tracked. The implicit table
> already contained the check for the existence of the tracker, but
> not the code doing the lookup in an alternate table.
>
> Thanks for reporting this!
>
> Willy
>
>


1.5 latest segfault trying to negate acl

2014-04-07 Thread Neil - HAProxy List
Hello

my logs have an uncomforting line

kernel: [7302179.685736] haproxy[1766]: segfault at 7c ip 7f6629410a9f sp 7fffdaf98868 error 4 in libc-2.15.so[7f66292ae000+1b5000]

We caused this trying to use this config which tries to track the source of
a connection unless it matches an acl, following along the lines of
http://blog.serverfault.com/2010/08/26/1016491873/

global
    maxconn 4096
    user haproxy
    group haproxy

defaults
    mode    http
    retries 3
    option redispatch
    maxconn 2000
    timeout connect 5s
    timeout client 20s
    timeout server 60s

frontend http 0.0.0.0:80
    maxconn 25000
    default_backend be_default
    stick-table type ip size 200 expire 10s store gpc0
    acl on_naughtystep sc0_get_gpc0(http) gt 0
    use_backend be_badman if on_naughtystep
    # Both these directives will make haproxy segfault
    tcp-request connection track-sc0 src if !on_naughtystep
    # tcp-request connection track-sc0 src unless on_naughtystep
    # This one doesn't
    # tcp-request connection track-sc0 src

backend be_default
    balance roundrobin
    fullconn 1000
    server server server:80 maxconn 50 check inter 2000 rise 2 fall 2

backend be_badman
    block if TRUE
haproxy running is compiled from head

haproxy -vv
HA-Proxy version 1.5-dev22 2014/02/03
Copyright 2000-2014 Willy Tarreau

Build options :
  TARGET  = linux26
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing
  OPTIONS = USE_LINUX_SPLICE=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built without zlib support (USE_ZLIB not set)
Compression algorithms supported : identity
Built with OpenSSL version : OpenSSL 1.0.1 14 Mar 2012
Running on OpenSSL version : OpenSSL 1.0.1 14 Mar 2012
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.12 2011-01-15
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Any ideas what to do next?

Thanks

Neil


Re: Haproxy 1.4 url redirection issue

2014-03-03 Thread Neil - HAProxy List
Hello Amol

Here is an example of the sort of thing I use

The 3 important things here are
  ServerName https://servicename.domain.com:443
  SetEnv HTTPS on
  UseCanonicalName On

# the container tags were lost in the archive; the "*:80" listener is assumed
<VirtualHost *:80>
  ServerName https://servicename.domain.com:443

  ## Vhost docroot
  DocumentRoot /var/www/

  ## Directories, there should at least be a declaration for /var/www

  <Directory /var/www/>
    Options Indexes ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
  </Directory>

  ## Logging
  LogLevel warn
  ServerSignature Off


  ## Custom fragment
  # This tricks PHP into believing the script was accessed over SSL
  SetEnv HTTPS on

  DirectoryIndex index.php
  UseCanonicalName On

  ErrorLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_error.log /var/log/apache2/%Y/servicename_error-%Y%m%d.log"

  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" direct
  LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxied
  # make "direct" always set (Apache does not accept a comment after a directive,
  # so it lives on its own line)
  SetEnvIf Remote_Addr "^" direct
  SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" !direct
  SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" proxied
  SetEnvIf Request_URI "^/healthcheck$" !direct

  # keep these SetEnvIf Request_URI "^/healthcheck$" !proxied
  CustomLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_directaccess /var/log/apache2/%Y/servicename_directaccess-%Y%m%d.log" direct env=direct
  CustomLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_access /var/log/apache2/%Y/servicename_access-%Y%m%d.log" proxied env=proxied

</VirtualHost>

I like to log traffic from the loadbal separately to traffic from the
public and I ignore /healthcheck from the loadbal but not from others.
You'll need to tell haproxy to "option forwardfor". Also using cronolog.

Neil


On 1 March 2014 15:27, Baptiste  wrote:

> Hi
>
> More chance to get an answer from Apache 2.2 and wordpress people...
>
> Baptiste
>
> On Fri, Feb 28, 2014 at 4:12 PM, Amol  wrote:
> > well the application behind haproxy in this case is wordpress on
> apache2.2,
> > any settings there?
> >
> >
> >
> >
> > On Friday, February 28, 2014 4:57 AM, Baptiste  wrote:
> > It may not fix the issue.
> > But at least the configuration will do what you expect from it...
> >
> > That said, the issue may be in the application too :)
> > It is commonly seen that applications don't behave properly when SSL
> > offloading is enabled in front of them.
> >
> > Baptiste
> >
> >
> > On Thu, Feb 27, 2014 at 4:16 PM, Amol  wrote:
> >> Thanks Baptiste, let me give that a try
> >>
> >>
> >>
> >> On Thursday, February 27, 2014 9:37 AM, Baptiste 
> wrote:
> >> Hi Amol,
> >>
> >> There are a few improvement you can do.
> >> First update your frontend acl to:
> >>  acl host_xx hdr(host) -i xx.com
> >>
> >> then in your backend, this ACL should never match: "acl login_page
> >> url_beg  /xyz"
> >> replace url_beg by path_beg.
> >>
> >> Your problem is not there as well.
> >> I think your application server is sending hardcoded data or Location
> >> headers.
> >> analyzing the body of the pages and HAProxy logs may help here.
> >>
> >> Baptiste
> >>
> >>
> >>
> >> On Tue, Feb 25, 2014 at 4:56 PM, Amol  wrote:
> >>> Hi i am using HA-Proxy version 1.4.12 and i have an issue trying to
> >>> redirect
> >>> my website to "http"
> >>> requirement : when a user types in http://.com he should
> >>> not
> >>> be redirected to https://.com
> >>> currently it does that and some of the video links on our main page do
> >>> not
> >>> work (basically vimeo has http links while our page is https so it
> throws
> >>> a
> >>> security exception)
> >>>
> >>> at the same time we need users with http://.com/xyz to
> be
> >>> redirected to https://.com/xyz (this helps users login
> to
> >>> secure application)
> >>>
> >>> so under my current configurations i cannot get the first part to work,
> >>> basically (www..com works and stays http but when i type
> >>> http://.com it does a redirection to https)
> >>>
> >>> frontend http-in
> >>>bind xx.xx.xx.xx:80 name http
> >>>bind 10.xx.xx.xx:8000 name https # forwared by stunnel
> >>>
> >>>acl host_xx hdr_beg(host) -i xx.com
> >>>use_backend xx-http if host_xx
> >>>default_backend xx-https
> >>>
> >>> backend xx-http
> >>>balance roundrobin
> >>>cookie BALANCEID insert indirect nocache
> >>>option http-server-close
> >>>option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
> >>>server xx-app1 xx.xx.xx.xx:80 cookie A check
> >>>server xx-app6 xx.xx.xx.xx:80 cookie B check backup
> >>>acl secure dst_port eq 8000
> >>>acl login_page url_beg  /xyz
> >>>redirect prefix https://xx.com if login_page !secure
> >>>
> >>> backend xx-https
> >>>mode http
> >>>balance roundrobin
> >>>cookie BALANCEID insert indirect nocache
> >>>option http-server-close
> >>># option forwardfor except 127.0.0.1
> >>>option httpchk OPTIONS /check.

Re: HAProxy Next?

2013-12-17 Thread Neil - HAProxy List
Hi

I'd like the option of a web-based API
to replace the functionality of the web admin pages with a service which
can be used remotely to monitor and control multiple haproxy instances and
provide any fancy authentication and auditing outside of the haproxy service
using whichever tech seems appropriate.

Exposing the socket via xinetd doesn't really do it, for me at least.

Neil
On 17 Dec 2013 08:16, "Annika Wickert"  wrote:

>  Hi all,
>
>  we did some thinking about how to improve haproxy and which features
> we’d like to see in next versions.
>
>  We came up with the following list and would like to discuss if they can
> be done/should be done or not.
> - One global statssocket which can be switched through to see stats of
> every bind process. And also an overall overview summed up from all
> backends and frontends.
> - One global control socket to control every backend server and set them
> inactive or active on the fly.
> - In general better nbproc > 1 support
> - Include possibility in configfile to maintain one configfile for each
> backend / frontend pair
> - CPU pinning in haproxy without manually using taskset/cpuset
> - sflow output
> - latency metrics at stats interface (frontend and backend, avg, 95%, 90%,
> max, min)
> - accesslist for statssocket or ldap authentication for stats socket
>
>  Are there any others things which would be cool? I hope we can have a
> nice discussion about a “fancy” feature set which could be provided by
> lovely haproxy.
>
>  Best regards,
> Annika
>
>   ---
> Systemadministration
>
>  Travian Games GmbH
> Wilhelm-Wagenfeld-Str. 22
> 80807 München
> Germany
>
>  a.wick...@traviangames.com
> www.traviangames.de
>
>  Sitz der Gesellschaft München
> AG München HRB: 173511
> Geschäftsführer: Siegfried Müller
> USt-IdNr.: DE246258085
>
>  Diese Email einschließlich ihrer Anlagen ist vertraulich und nur für den
> Adressaten bestimmt. Wenn Sie nicht der vorgesehene Empfänger sind,
> bitten wir Sie, diese Email mit Anlagen unverzüglich und vollständig zu
> löschen und uns umgehend zu benachrichtigen.
>
>  This email and its attachments are strictly confidential and are
> intended solely for the attention of the person to whom it is addressed.
> If you are not the intended recipient of this email, please delete it
> including its attachments immediately and inform us accordingly.
>
>


Re: Haproxy rate limit per matching request

2013-11-04 Thread Neil - HAProxy List
Hello

Chris and I followed this example but found that it limits by url but for
all users. That might be what you want in a slashdotting, but it's not what
we want for individual users falling asleep with their nose on the F5 (reload) key.

We looked at base32+src rather than url, but that excludes the url parameters.

I've started a separate thread with a new url32+src function.

Neil


On 1 November 2013 18:39, Cyril Bonté  wrote:

> Hi Przemyslaw,
>
> Le 31/10/2013 12:05, Przemysław Hejman a écrit :> Hello guys, it's me one
> again.
>
> >
> > I just wanted to share my experiences after several very simple
> > acceptance tests. First of all, I've found that the whitelist did not
> > work - I had to change my configuration to something like this:
> >
> > global
> > stats socket /tmp/haproxy.sock
> > defaults
> > mode http
> > timeout connect 5000ms
> > timeout client 5ms
> > timeout server 5ms
> > frontend app
> > bind *:8080
> > option http-server-close
> > stick-table type integer size 200k expire 30m store
> http_req_cnt
> > acl white_list src 127.0.0.1 192.168.1.205 192.168.0.133
> > tcp-request content accept if white_list
> > tcp-request content track-sc0 urlp(SID,?)
> > tcp-request content reject if { sc0_http_req_cnt gt 2 }
> > tcp-request inspect-delay 10s
> > default_backend web_servers
> > backend web_servers
> > balance roundrobin
> > server web01 127.0.0.1:80 check inter 1000
> >
> > Therefore, I've decided to do a little test. I've put request sent by
> > curl in a for loop  like this
> > for i in `seq 1 400`; do curl
> > "192.168.0.132:8080/index.html?SID=33?asdf"; done
> >
> > Eveything to seem fine HOWEVER I have noticed that several (about 20)
> > requests randomly PASSED.
>
> Sorry, I didn't have time to reply to the configuration you provided last
> time. But it is normal if it didn't work 100% of the times : this is
> because your forgot to add a line that waits for a layer7 information, as
> Willy said.
>
> The important thing was to add :
> tcp-request content reject if !HTTP
>
>
>
> > Pushing the stick-table and tracking/rejecting operations back to
> > backend definition solved my problem.
>
> Indeed, this is another way to wait for HTTP data to be complete, as a
> HTTP frontend will use the backend only once the headers are received.
>
> Thanks for sharing.
>
> --
> Cyril Bonté
>
>


url32+src - like base32+src but whole url including parameters

2013-11-04 Thread Neil - HAProxy List
Hello

I have a need to limit traffic to each url from each source address, much
like base32+src but with the whole url including parameters (this came from
looking at the recent 'Haproxy rate limit per matching request' thread).

Attached is a patch that seems to do the job; it's a copy-and-paste job of the
base32 functions.

The url32 function seems to work too: using 2 machines to request the
same url locks me out of both if I abuse it from either with the url32 key
function, and only the one if I use url32_src.

Neil


url32+src
Description: Binary data
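For both this thread and the 'Haproxy rate limit per matching request' one it answers, here is an added configuration (not Neil's patch and not Przemysław's config) that keys the counter on the full URL plus the client address and applies Cyril's fix, making the tracking rule wait for a parsed HTTP request. It assumes a build that has the url32+src fetch (it is listed in the 1.5 configuration manual) and keeps the whitelist addresses from the earlier thread; the rate threshold and backend are placeholders.

```haproxy
frontend app
    bind *:8080
    mode http
    option http-server-close
    # one entry per (full URL including query string, client address):
    # url32+src is a 4-byte hash followed by a 4- or 16-byte address, so the
    # key is binary and 20 bytes is enough for both address families
    stick-table type binary len 20 size 200k expire 30m store http_req_rate(10s)
    acl white_list src 127.0.0.1 192.168.1.205 192.168.0.133
    tcp-request inspect-delay 10s
    # "if HTTP" is what makes the rule wait: req_proto_http is undetermined
    # until the request line and headers are parsed, and a rule whose
    # condition is undetermined is retried as data arrives. Without it the
    # rule runs on the first bytes of the connection, finds no URL, and the
    # request goes through untracked, which is the "about 20 passed" effect
    tcp-request content track-sc0 url32+src if HTTP !white_list
    tcp-request content accept if HTTP
    # inspect-delay elapsed without a parsable request: drop it
    tcp-request content reject
    # threshold is a placeholder: more than 10 hits on the same URL from the
    # same address within 10 seconds
    http-request deny if { sc0_http_req_rate gt 10 }
    default_backend web_servers

backend web_servers
    balance roundrobin
    server web01 127.0.0.1:80 check inter 1000
```

Rerunning Przemysław's loop, `for i in $(seq 1 400); do curl -s -o /dev/null -w '%{http_code}\n' "http://192.168.0.132:8080/index.html?SID=33"; done`, should now print 200 for the first ten requests and 403 for the rest, and a second machine hammering the same URL must not change the first machine's verdict, which is the difference between url32 and url32+src that Neil measured.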