Mode TCP and acl to choose backend

2019-10-28 Thread Philipp Kolmann

Hi,

I load-balance TCP Port 25 on a haproxy. This works perfectly.

Now I need to check if the connection is coming for a special host; 
then a different backend SMTP server should be used. I thought I could 
use acl and use_backend, but this seems to work only for HTTP connections.


Does anyone have a tip on how to achieve this with mode tcp?

Thanks
Philipp

--
---
DI Mag. Philipp Kolmann  mail: philipp.kolm...@tuwien.ac.at
Technische Universitaet Wien   web: www.it.tuwien.ac.at
IT Solutions - Applications  tel: +43(1)58801-42011
Operngasse 11, A-1040 Wien DVR: 0005886
---
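As an added example that is not part of the thread (and not HAProxy project code), here is how `use_backend` selects a backend in `mode tcp`. The addresses, backend names and the partner network are placeholders. The point the question turns on: `use_backend` does work in TCP mode, but the ACL must use samples that exist at the moment the rule is evaluated. Layer-4 samples such as `dst`, `dst_port` and `src` are known when the connection is accepted; anything read from the payload (for example `req.ssl_sni`) needs `tcp-request inspect-delay` first, and a plain port-25 SMTP session carries nothing usable before STARTTLS anyway.

```haproxy
# Added example, not from the thread. Addresses are placeholders.
# HAProxy answers on two public IPs; mail arriving on the second one
# must go to a dedicated SMTP backend.
frontend smtp-in
    mode tcp
    bind 192.0.2.10:25
    bind 192.0.2.11:25
    option tcplog

    # Layer-4 samples (dst, dst_port, src) are known as soon as the
    # connection is accepted, so use_backend works in mode tcp without
    # any inspect-delay.
    acl to_special_host  dst 192.0.2.11
    acl from_partner_net src 198.51.100.0/24

    use_backend smtp-special if to_special_host
    use_backend smtp-partner if from_partner_net
    default_backend smtp-default

    # Payload-based samples are a different matter. To branch on the TLS
    # SNI of an implicit-TLS port (465, 993) HAProxy must first buffer the
    # ClientHello:
    #   tcp-request inspect-delay 5s
    #   tcp-request content accept if { req.ssl_hello_type 1 }
    #   use_backend smtp-special if { req.ssl_sni -i special.example.org }
    # Port 25 uses STARTTLS, so there is no SNI to inspect at connect time.

backend smtp-default
    mode tcp
    balance leastconn
    server mx1 10.0.0.11:25 check
    server mx2 10.0.0.12:25 check

backend smtp-special
    mode tcp
    server mx-special 10.0.0.21:25 check

backend smtp-partner
    mode tcp
    server mx-partner 10.0.0.31:25 check
```

Check the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; a `use_backend` that names a backend that does not exist is rejected at that stage. If the frontend binds a wildcard address, `dst` still reports the local address the client actually connected to, so the rule keeps working, but then only the intended addresses should be routable to the proxy.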




Re: HAproxy transparent proxy and IPv6

2019-10-16 Thread Philipp Kolmann

Hi,

I did some more testing and found the reason why it didn't work:


I have added the required ip cmds:

    post-up ip rule add fwmark 1 lookup 100
    post-up ip route add local 0.0.0.0/0 dev lo table 100
    post-up ip route add local ::/0 dev lo table 100 



ip rule add fwmark 1 lookup 100 only adds the fwmark rule to the IPv4 rule table...

ip -6 rule add fwmark 1 lookup 100 did the trick.

Maybe that helps somebody else in the future.

The whole ip-up/down looks like this now:

    post-up ip rule add fwmark 1 lookup 100
    post-up ip -6 rule add fwmark 1 lookup 100
    post-up ip route add local 0.0.0.0/0 dev lo table 100
    post-up ip -6 route add local ::/0 dev lo table 100
    pre-down ip -6 route del local ::/0 dev lo table 100
    pre-down ip route del local 0.0.0.0/0 dev lo table 100
    pre-down ip -6 route del from all fwmark 1 lookup 100
    pre-down ip route del from all fwmark 1 lookup 100


Thanks
Philipp




HAproxy transparent proxy and IPv6

2019-10-14 Thread Philipp Kolmann

Hi,

I have set up my test HAproxy env according to

https://www.haproxy.com/blog/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/

I have set up the firewall rules for IPv4 and v6.

TEST testha1:~/svnconfig/etc/iptables# iptables -t mangle -vL
Chain PREROUTING (policy ACCEPT 163K packets, 291M bytes)
 pkts bytes target prot opt in  out source   destination
 374K   68M DIVERT tcp  --  any any anywhere anywhere     socket

Chain DIVERT (1 references)
 pkts bytes target prot opt in  out source   destination
 374K   68M MARK   all  --  any any anywhere anywhere     MARK set 0x1
 374K   68M ACCEPT all  --  any any anywhere anywhere


TEST testha1:~/svnconfig/etc/iptables# ip6tables -t mangle -vL
Chain PREROUTING (policy ACCEPT 409K packets, 788M bytes)
 pkts bytes target prot in  out source   destination
 373K   75M DIVERT tcp  any any anywhere anywhere     socket

Chain DIVERT (1 references)
 pkts bytes target prot in  out source   destination
 373K   75M MARK   all  any any anywhere anywhere     MARK set 0x1
 373K   75M ACCEPT all  any any anywhere anywhere


I have added the required ip cmds:

    post-up ip rule add fwmark 1 lookup 100
    post-up ip route add local 0.0.0.0/0 dev lo table 100
    post-up ip route add local ::/0 dev lo table 100

listen mail-test-submission
    bind 128.130.xx.yy:587 transparent name submission
    mode tcp
    source 0.0.0.0 usesrc clientip
    log-format %ci:%cp\ [%t]\ %ft\ %s\ %si:%sp\ %Tw/%Tc/%Tt\ %B\ %ts\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq

    balance leastconn


That works like a charm.

For IPv6 I set it up accordingly:

listen mail-test-v6-submission
    bind 2001:629:xx:yy::zz:587 transparent name submission
    mode tcp
    source [::] usesrc clientip
    log-format %ci:%cp\ [%t]\ %ft\ %s\ %si:%sp\ %Tw/%Tc/%Tt\ %B\ %ts\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq

    balance leastconn


There, with the source line, it fails to connect.

I see on the outside interface a Syn, Syn->Ack, Ack TCP flow, but on the 
inside (HAproxy to application Server) I see only Syn, Syn-Ack, Syn, 
Syn-Ack traffic.


HAproxy (1.8.19-1, Debian Buster) is running as root.

Does anyone have such a setup running and may be able to help? I haven't 
found any hints on this problem...


Thanks
Philipp



server - Add Port to with range

2019-09-13 Thread Philipp Kolmann

Hi,

I need to reverse proxy a range of TCP ports via HAproxy. It works just 
fine, but now I have a list of open ports in the web interface with no 
idea which port is which:


listen xx
    bind 0.1.2.3:8100-8150 transparent name repos
    mode tcp
    timeout client 12h
    log-format %ci:%cp\ [%t]\ %ft\ %s\ %si:%sp\ %Tw/%Tc/%Tt\ %B\ %ts\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq

    option tcp-check
    tcp-check connect port 8100
    server name 172.1.2.3 maxconn 1 check

I see 51 lines with 'name' in the statistics report.

I searched the docs but couldn't find a possibility to add the port to 
the name. My idea would be to be able to specify


    server name-%p 172.1.2.3 maxconn 1 check

and in the statistics it would read

name-8100
name-8101
etc...

Is this already possible?

Thanks
Philipp



Re: Adding Configuration parts via File

2019-03-11 Thread Philipp Kolmann

Hi Jarno,

On 3/8/19 4:57 PM, Jarno Huuskonen wrote:

Yes(probably:), something like this might work for you:

acl is_redirect_match path,map_beg(redir.map) -m found
http-request redirect code 302 location %[path,map_beg(redir.map)] if is_redirect_match


Thanks a lot for your help. That works fantastic!

Philipp

--
---
DI Mag. Philipp Kolmann  mail: philipp.kolm...@tuwien.ac.at
Technische Universitaet Wien   web: www.it.tuwien.ac.at
IT Solutions - Applications  tel: +43(1)58801-42011
Operngasse 11, A-1040 Wien DVR: 0005886
---
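The map-based redirect Jarno describes, as an added example that is not from the thread or from the HAProxy project, applied to the short-cut list Philipp posts further down. File paths and target URLs are placeholders. Two details the one-liner hides: `map_beg` is case-sensitive (so the `path_beg -i` of the hand-written ACLs needs a `lower` converter and lower-case keys), and it returns the first key in file order that is a prefix of the path, so a short key listed early shadows the longer ones after it.

```haproxy
# Added example, not from the thread. Paths and target URLs are placeholders.
#
# /etc/haproxy/redir.map (generated from the database; '#' starts a comment,
# one "key value" pair per line). Keys are lower-case because the lookup
# below lower-cases the request path, and longer keys come before shorter
# prefixes of themselves so that /comp does not swallow /compname:
#
#   /it/service1      /long/URL/84
#   /it/serviceone    /long/URL/84
#   /it/service-1     /long/URL/84
#   /it/service-one   /long/URL/84
#   /comp1            /long/URL/1
#   /compname         /long/URL/1
#   /comp             /long/URL/1

frontend www
    mode http
    bind 10.1.0.10:80

    # "path,lower,map_beg(...)" is the case-insensitive equivalent of the
    # hand-written "path_beg -i" ACLs; "-m found" only asks whether the map
    # produced a value, it does not look at the value itself.
    acl is_redirect_match path,lower,map_beg(/etc/haproxy/redir.map) -m found

    # The Location comes from the map file, never from the request, so a
    # client cannot turn this rule into an open redirect.
    http-request redirect code 302 location %[path,lower,map_beg(/etc/haproxy/redir.map)] if is_redirect_match

    default_backend app

backend app
    mode http
    server app1 10.1.0.100:8080 check
```

Because the map is a file loaded at startup, a fresh database export can be applied without a reload through the stats socket: `show map /etc/haproxy/redir.map` lists the entries currently in memory, and `add map`, `del map` and `set map` change them. Those changes live in memory only, so the file on disk has to be rewritten as well or the next reload starts from the old state.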






Re: Adding Configuration parts via File

2019-03-08 Thread Philipp Kolmann

On 3/8/19 2:50 PM, Patrick Hemmer wrote:


You can use external files in two cases. See the following blog articles:

https://www.haproxy.com/blog/introduction-to-haproxy-acls/ (search for 
"acl file")


https://www.haproxy.com/blog/introduction-to-haproxy-maps/



Hi,

thanks for the hint with the maps. This looks quite promising for 
another issue I am facing:


    acl mandant_IT_email path_beg -i /it/Service-One
    http-request redirect code 302 location "/long/URL/84" if mandant_IT_email


Is there any possibility to achieve such a redirect if path_beg via maps?

    http-request redirect code 302 location <value> if path_beg <key>

Thanks
Philipp





Re: Adding Configuration parts via File

2019-03-08 Thread Philipp Kolmann

Hi Bruno,

On 3/8/19 2:26 PM, Bruno Henc wrote:
I don't think there is a capability to include a list of ACLs. 
However, you can load the ip addresses once via the -f parameter:


acl is_admin src -f /etc/haproxy/admin_ip_list.txt


Thanks, that sounds like a solution for my IP list issue...


I do have to admit that including ACLs is a neat idea. Alternatively, 
global ACLs would be nice.


Well I have another use case where including a file would be very handy:

We have some short-cuts that we want to generate from our application 
and redirect to the long-urls via HAproxy:



    acl mandant_IT_email path_beg -i /it/service1
    acl mandant_IT_email path_beg -i /it/serviceOne
    acl mandant_IT_email path_beg -i /it/Service-1
    acl mandant_IT_email path_beg -i /it/Service-One
    http-request redirect code 302 location "/long/URL/84" if mandant_IT_email

    acl mandant_IT path_beg -i /comp1
    acl mandant_IT path_beg -i /comp
    acl mandant_IT path_beg -i /compName
    http-request redirect code 302 location "/long/URL/1" if mandant_IT


We would love to generate these ACLs from our database into a file which 
gets used by an HAproxy include statement.



Does this workaround solve your use case?


Regarding the IP addresses, it works as expected. The include statement 
(or whatever) would still be very welcome for things other than IP lists.


Thanks for the hint,
Philipp





Adding Configuration parts via File

2019-03-08 Thread Philipp Kolmann

Hi,

I have ACLs for Source-IPs for Admins for several services. These ACLs 
are identical for multiple listener-sections.


Would it be possible to have a file with several acl snippets and 
source that at the proper section of the config file multiple times?

I haven't found anything in the docs that would make this possible.

My wished-for setup:

admin_acl.conf:

acl is_admin src 10.0.0.1
acl is_admin src 10.0.0.2
acl is_admin src 10.0.0.3
acl is_admin src 10.0.0.4


haproxy.cfg:

listen service1
    bind 10.1.0.10:80
    include admin_acl.conf

     more parameters ...


listen service2
    bind 10.1.0.20:80
    include admin_acl.conf

     more parameters ...


listen service3
    bind 10.1.0.30:80
    include admin_acl.conf

     more parameters ...


The admin_acl needs to be maintained only once and can be used multiple 
times.


Is this already possible? Could such an include option be made for the 
config files?


thanks
Philipp



RESEND [PATCH] Testing/ Minor: Add a testcase for my multi-port + multi-server listener

2018-03-13 Thread Philipp Kolmann

Hi,

I had a patch for my issue with multi-port + multi-server listener that 
got fixed in 1.7.10, which seems to have been forgotten. I am adding this 
patch again.


Thanks for considering adding it to the test cases.

thanks
Philipp

--
---
DI Mag. Philipp Kolmann  mail: philipp.kolm...@tuwien.ac.at
Technische Universitaet Wien   web: www.it.tuwien.ac.at
IT Solutions - Applications  tel: +43(1)58801-42011
Wiedner Hauptstr. 8-10, A-1040 WienDVR: 0005886
---


From 944610de46bb3b23d514a12699690fd2acffc2a2 Mon Sep 17 00:00:00 2001
From: Philipp Kolmann <phil...@kolmann.at>
Date: Tue, 24 Oct 2017 11:32:22 +0200
Subject: [PATCH] Add a testcase for my multi-port + multi-server listener
 issue

---
 tests/tcp-check.cfg | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/tests/tcp-check.cfg b/tests/tcp-check.cfg
index 16d2836e..56aba53c 100644
--- a/tests/tcp-check.cfg
+++ b/tests/tcp-check.cfg
@@ -13,6 +13,17 @@ listen stats
 	bind :
 	stats uri /
 
+listen multi-tcp-check
+bind :80
+mode tcp
+option tcp-check
+tcp-check connect port 9001
+tcp-check connect port 9002
+
+server server1 127.0.0.1: check
+server server2 127.0.0.2: check
+server server3 127.0.0.3: check
+
 backend tcp9000
 	option tcp-check
 	server srv 127.0.0.1:9000 check inter 1s
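Review bot: the added lines are not indented, while the surrounding entries of tests/tcp-check.cfg use a leading tab (`\tbind :`, `\tstats uri /`, `\toption tcp-check`); indent the new `listen multi-tcp-check` block the same way. The three `server` lines also end in a bare colon (`server server1 127.0.0.1: check`): if the intent is to let the `tcp-check connect port 9001` / `port 9002` rules supply the ports, drop the colon, otherwise the lines read as truncated.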
-- 
2.11.0






[PATCH] Add a testcase for my multi-port + multi-server listener

2018-02-19 Thread Philipp Kolmann

Hi,

I had a patch for my issue with multi-port + multi-server listener that 
got fixed in 1.7.10, which seems to have been forgotten. I am adding this 
patch again.


Thanks for considering adding it to the test cases.

thanks
Philipp


From 944610de46bb3b23d514a12699690fd2acffc2a2 Mon Sep 17 00:00:00 2001
From: Philipp Kolmann <phil...@kolmann.at>
Date: Tue, 24 Oct 2017 11:32:22 +0200
Subject: [PATCH] Add a testcase for my multi-port + multi-server listener
 issue

---
 tests/tcp-check.cfg | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/tests/tcp-check.cfg b/tests/tcp-check.cfg
index 16d2836e..56aba53c 100644
--- a/tests/tcp-check.cfg
+++ b/tests/tcp-check.cfg
@@ -13,6 +13,17 @@ listen stats
 	bind :
 	stats uri /
 
+listen multi-tcp-check
+bind :80
+mode tcp
+option tcp-check
+tcp-check connect port 9001
+tcp-check connect port 9002
+
+server server1 127.0.0.1: check
+server server2 127.0.0.2: check
+server server3 127.0.0.3: check
+
 backend tcp9000
 	option tcp-check
 	server srv 127.0.0.1:9000 check inter 1s
-- 
2.11.0





Re: Debian upgrade to haproxy 1.7.5: tcp-check fails with Socket error, info: "No port available for the TCP connection"

2017-10-24 Thread Philipp Kolmann

On 10/04/17 11:38, kolm...@zid.tuwien.ac.at wrote:

I also tested 1.7.9 Debian backported and it still fails.

Is my configuration so out of this world? I would prefer not to have a 
separate listener for every port I route through haproxy.


Hi,

I tested the latest 1.8.dev3 today and my error with multiple ports being 
in tcp-check is not there anymore.


I bisected the code and found the commit, that fixed my problem:

f411cce456dabbe3cf6637f2bb11435af0499ae7 is the first fixed commit
commit f411cce456dabbe3cf6637f2bb11435af0499ae7
Author: Willy Tarreau <w...@1wt.eu>
Date:   Wed Oct 4 16:21:19 2017 +0200

    MINOR: checks: don't create then kill a dummy connection before tcp-checks

    When tcp-checks are in use, a connection starts to be created, then it's
    destroyed so that tcp-check can recreate its own. Now we directly move
    to tcpcheck_main() when it's detected that tcp-check is in use.

:04 04 a4695d29907baeac642ae68e1f7d8776d8b93aea 
66a28a0fb9257f20e8513d5c28ca99cb0bd66b72 M  src





@Willy: thanks for taking a look at this issue.

Is it possible to backport the changes to tcp-check to 1.7?


Additionally I added a multi-port, multi-host listener to the tcp-check 
test config. See attached patch file.



thanks
Philipp

--
---
DI Mag. Philipp Kolmann  mail: philipp.kolm...@tuwien.ac.at
Technische Universitaet Wien  web: www.zid.tuwien.ac.at
Zentraler Informatikdienst (ZID) tel: +43(1)58801-42011
Wiedner Hauptstr. 8-10, A-1040 WienDVR: 0005886
---

From 944610de46bb3b23d514a12699690fd2acffc2a2 Mon Sep 17 00:00:00 2001
From: Philipp Kolmann <phil...@kolmann.at>
Date: Tue, 24 Oct 2017 11:32:22 +0200
Subject: [PATCH] Add a testcase for my multi-port + multi-server listener
 issue

---
 tests/tcp-check.cfg | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/tests/tcp-check.cfg b/tests/tcp-check.cfg
index 16d2836e..56aba53c 100644
--- a/tests/tcp-check.cfg
+++ b/tests/tcp-check.cfg
@@ -13,6 +13,17 @@ listen stats
 	bind :
 	stats uri /
 
+listen multi-tcp-check
+bind :80
+mode tcp
+option tcp-check
+tcp-check connect port 9001
+tcp-check connect port 9002
+
+server server1 127.0.0.1: check
+server server2 127.0.0.2: check
+server server3 127.0.0.3: check
+
 backend tcp9000
 	option tcp-check
 	server srv 127.0.0.1:9000 check inter 1s
-- 
2.11.0



Re: Debian upgrade to haproxy 1.7.5: tcp-check fails with Socket error, info: "No port available for the TCP connection"

2017-06-29 Thread Philipp Kolmann

Hi Lukas,

On 06/19/17 21:23, Lukas Tribus wrote:

Am 19.06.2017 um 11:27 schrieb Philipp Kolmann:

This config works in 1.5.8 but fails to tcp-check in 1.7.5.

The errors in the logfile look like this:

Jun 19 10:52:57 testha2 haproxy[5042]: Server mail-exchtest-smtp/mbx13a is DOWN, reason: Socket error, info: "No port available for the TCP connection", check duration: 0ms. 3 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.


Bug introduced  in 95db2bcfee ("MAJOR: check: find out which port to use
for health check at run time"), the AF check in line 1521 does not trigger
in this case ("tcp-check connect port" configuration).

Partially reverting the check to the old one appears to work, but that's
probably not the correct fix.


diff --git a/src/checks.c b/src/checks.c
index 1af862e..5a34609 100644
--- a/src/checks.c
+++ b/src/checks.c
@@ -1518,7 +1518,7 @@ static int connect_conn_chk(struct task *t)
  conn->addr.to = s->addr;
  }
  
-   if ((conn->addr.to.ss_family == AF_INET) || (conn->addr.to.ss_family == AF_INET6)) {

+   if (check->port) {
  int i = 0;
  
  i = srv_check_healthcheck_port(check);
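Review bot: guarding the block with `if (check->port)` instead of the address-family test changes more than the tcp-check case. `srv_check_healthcheck_port(check)` is now only called when an explicit check port is already configured, so whatever that helper resolves when none is set (the path that produced the "No port available for the TCP connection" error in this thread) is never reached, and a server declared without a port keeps whatever `conn->addr.to = s->addr;` carried, port included. A narrower change would keep the `AF_INET`/`AF_INET6` test and only skip the port lookup when tcp-check rules are in use, since those connect to the ports given by `tcp-check connect port`.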
Thanks for the patch. I added the changed line and rebuilt the Debian 
package. Now the ports come up again.



A quick config workaround, that reduces the check to a single port consist
in adding "port 25" to each server configuration (after the check keyword).


Adding the port works for the SMTP setup. For IMAP, where the port is 
SSL enabled, it still fails:



listen mail-exchtest-imap
    bind 128.130.xx.yy:143 transparent name imap
    bind 128.130.xx.yy:993 transparent name imaps
    mode tcp
    log-format %ci:%cp\ [%t]\ %ft\ %s\ %si:%sp\ %Tw/%Tc/%Tt\ %B\ %ts\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq

    #balance roundrobin
    #stick-table type ip size 20k peers testha-cluster
    #stick on src
    maxconn 8765
    option tcp-check
    default-server inter 3s rise 2 fall 3
    tcp-check connect port 143
    tcp-check expect string *\ OK
    tcp-check connect port 993 ssl
    tcp-check expect string *\ OK

    server mbx13a 128.130.xx.yy1: maxconn 5000 check ca-file /etc/ssl/certs/ca-certificates.crt port 993
    server mbx13b 128.130.xx.yy2: maxconn 5000 check ca-file /etc/ssl/certs/ca-certificates.crt port 993
    server mbx13c 128.130.xx.yy3: maxconn 5000 check ca-file /etc/ssl/certs/ca-certificates.crt port 993
    server mbx13d 128.130.xx.yy4: maxconn 5000 check ca-file /etc/ssl/certs/ca-certificates.crt port 993



Jun 29 16:11:26 testha2 haproxy[11469]: Server mail-exchtest-imap/mbx13d is DOWN, reason: Socket error, info: "TCPCHK error establishing connection at step 3", check duration: 4ms. 3 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Jun 29 16:11:26 testha2 haproxy[11469]: Server mail-exchtest-imap/mbx13b is DOWN, reason: Socket error, info: "TCPCHK error establishing connection at step 3", check duration: 4ms. 2 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Jun 29 16:11:26 testha2 haproxy[11469]: Server mail-exchtest-imap/mbx13a is DOWN, reason: Socket error, info: "TCPCHK error establishing connection at step 3", check duration: 4ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Jun 29 16:11:26 testha2 haproxy[11469]: Server mail-exchtest-imap/mbx13c is DOWN, reason: Socket error, info: "TCPCHK error establishing connection at step 3", check duration: 4ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Jun 29 16:11:26 testha2 haproxy[11469]: proxy mail-exchtest-imap has no server available!



Thanks
Philipp



--
---
DI Mag. Philipp Kolmann  mail: kolm...@zid.tuwien.ac.at
Technische Universitaet Wien  web: www.zid.tuwien.ac.at
Zentraler Informatikdienst (ZID) tel: +43(1)58801-42011
Wiedner Hauptstr. 8-10, A-1040 WienDVR: 0005886
---




Debian upgrade to haproxy 1.7.5: tcp-check fails with Socket error, info: "No port available for the TCP connection"

2017-06-19 Thread Philipp Kolmann

Hi,

I have tested the Debian upgrade from jessie to stretch on a test box and 
now my config doesn't work anymore with haproxy 1.7.5.


I also tested it on a jessie box with backported haproxy 1.7.5. I see 
the same error there.


My config looks like this:

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    stats socket /var/run/haproxy-admin.sock user root group root mode 0600 level admin
    stats socket /var/run/haproxy.sock user root group nagios mode 0660
    stats bind-process 1
    maxconn 4

    tune.bufsize 24576
    tune.chksize 24576

    ssl-default-bind-ciphers ECDHE+aRSA+AES256+GCM+SHA384:ECDHE+aRSA+AES128+GCM+SHA256:ECDHE+aRSA+AES256+SHA384:ECDHE+aRSA+AES128+SHA256:ECDHE+aRSA+AES256+SHA:ECDHE+aRSA+AES128+SHA:AES256+GCM+SHA384:AES128+GCM+SHA256:AES128+SHA256:AES256+SHA256:DHE+aRSA+AES128+SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
    ssl-default-bind-options no-sslv3 no-tls-tickets
    tune.ssl.default-dh-param 2048


defaults
    log global
    mode http
    option httplog
    option dontlognull
    option socket-stats
    option redispatch   # Try another server in case of connection failure
    option contstats    # Enable continuous traffic statistics updates
    option abortonclose

    timeout client 7200s  #alctl: client inactivity
    timeout server 7200s  #alctl: server inactivity timeout
    timeout connect 5s    # 5 seconds max to connect or to stay in queue
    timeout queue 30s     # 30 seconds max queued on load balancer


peers testha-cluster
peer testha1 128.130.xx.yy1:1024
peer testha2 128.130.xx.yy2:1024

listen mail-exchtest-smtp
    bind 128.130.xx.yy6:25 transparent name smtp
    bind 128.130.xx.yy6:587 transparent name submission
    mode tcp
    log-format %ci:%cp\ [%t]\ %ft\ %s\ %si:%sp\ %Tw/%Tc/%Tt\ %B\ %ts\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq

    balance roundrobin
    stick-table type ip size 20k peers testha-cluster
    stick on src
    maxconn 8765
    option tcp-check
    tcp-check connect port 25
    tcp-check expect string 220
    tcp-check connect port 587
    tcp-check expect string 220

    server mbx13a 128.130.xx.zz1: maxconn 5000 check
    server mbx13b 128.130.xx.zz2: maxconn 5000 check
    server mbx13c 128.130.xx.zz3: maxconn 5000 check
    server mbx13d 128.130.xx.zz4: maxconn 5000 check


This config works in 1.5.8 but fails to tcp-check in 1.7.5.

The errors in the logfile look like this:

Jun 19 10:52:57 testha2 haproxy[5042]: Server mail-exchtest-smtp/mbx13a is DOWN, reason: Socket error, info: "No port available for the TCP connection", check duration: 0ms. 3 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Jun 19 10:52:57 testha2 haproxy[5042]: Server mail-exchtest-smtp/mbx13b is DOWN, reason: Socket error, info: "No port available for the TCP connection", check duration: 0ms. 2 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Jun 19 10:52:57 testha2 haproxy[5042]: Server mail-exchtest-smtp/mbx13c is DOWN, reason: Socket error, info: "No port available for the TCP connection", check duration: 0ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Jun 19 10:52:57 testha2 haproxy[5042]: Server mail-exchtest-smtp/mbx13d is DOWN, reason: Socket error, info: "No port available for the TCP connection", check duration: 0ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Jun 19 10:52:57 testha2 haproxy[5042]: proxy mail-exchtest-smtp has no server available!



I haven't found any messages about this bug and how to fix it.

Thanks
Philipp






Re: [PATCH] Support statistics in multi-process mode

2015-09-14 Thread Philipp Kolmann

Hi Willy,

On 09/14/15 12:17, Willy Tarreau wrote:

OK I now found a moment to spare some time on your patch. During my
first lecture I didn't understand that it relied on SIGUSR2 to
aggregate counters. I'm seeing several issues with that approach :


I never intended to look like I did the patch. The original mail 
is from Hiep Nguyen, hie...@vccloud.vn (CCed).


I just wanted to re-raise the topic again, since the mail from Hiep 
seemed to have drowned and I am interested in this feature.


@Hiep: Please look at Willy's suggestions.

Thanks
Philipp





Re: [PATCH] Support statistics in multi-process mode

2015-09-02 Thread Philipp Kolmann

Hi Willy,

I once saw a message that you had forgotten about this patch, but never 
saw any comment on it again:


On 04/24/15 12:34, root wrote:

From: HiepNV <hie...@vccloud.vn>

Signed-off-by: root <hie...@vccloud.vn>
---
  Makefile  |   4 +-
  include/proto/shm_proxy.h |  28 +++
  src/dumpstats.c   |  59 ++-
  src/haproxy.c |  48 -
  src/shm_proxy.c   | 439 ++
  5 files changed, 571 insertions(+), 7 deletions(-)
  create mode 100644 include/proto/shm_proxy.h
  create mode 100644 src/shm_proxy.c




http://comments.gmane.org/gmane.comp.web.haproxy/21470


Could you please recheck, if that would be a possible feature?

thanks
Philipp






Override maintenance setting for special source IP

2014-12-10 Thread Philipp Kolmann

Hi,

we use HAproxy in front of an Exchange 2010 system to balance the load. It 
works very well.


Now we have an issue with one HubTransport server in the Exchange farm. 
I have set this server to maintenance via the admin socket:


echo disable server mail-intern/htc1 | socat stdio /var/run/haproxy-admin.sock



Config:

listen mail-intern
    bind 128.130.30.55:25 transparent name smtp
    bind 128.130.30.55:80 transparent name http
    bind 128.130.30.55:135 transparent name loc-srv
    bind 128.130.30.55:143 transparent name imap
    bind 128.130.30.55:443 transparent name https
    bind 128.130.30.55:587 transparent name submission
    bind 128.130.30.55:993 transparent name imaps
    bind 128.130.30.55:60001 transparent name RPC_60001
    bind 128.130.30.55:60002 transparent name RPC_60002
    mode tcp
    maxconn 1
    log-format %ci:%cp\ [%t]\ %ft\ %s\ %si:%sp\ %Tw/%Tc/%Tt\ %B\ %ts\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq

    balance leastconn
    stick-table type ip size 10240k expire 60m peers ha-cluster
    stick on src

    server htc1 128.130.30.51: maxconn 1 check
    server htc2 128.130.30.52: maxconn 1 check



All clients are now redirected to htc2 and don't see the troublesome htc1.

We now would like to debug this issue and specify special source IP 
addresses that get routed to htc1 in maintenance mode. Is this 
possible?


thanks
Philipp





Re: Override maintenance setting for special source IP

2014-12-10 Thread Philipp Kolmann

Hi Baptiste,

On 10.12.14 at 12:37, Baptiste wrote:
Which version of HAProxy are you running? In 1.5, you can do:

    use-server htc1 if { src 10.0.0.1 }

Add as many IPs as needed.


Yes, I am on 1.5 already. Is this use-server directive specified in the 
config file, or can I push this change via the admin socket?


thanks
Philipp



--
---
DI Mag. Philipp Kolmann  mail: kolm...@zid.tuwien.ac.at
Technische Universitaet Wien  web: www.zid.tuwien.ac.at
Zentraler Informatikdienst (ZID) tel: +43(1)58801-42011
Wiedner Hauptstr. 8-10, A-1040 WienDVR: 0005886
---
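The `use-server` rule Baptiste suggests, combined with the `src -f <file>` ACL from the "Adding Configuration parts via File" thread further up, as an added example that is not from either thread nor from the HAProxy project. Addresses, file names and the socket path are placeholders modelled on the config in the question. One caveat matters here: a `use-server` rule only selects a server that is running, so a server put into maintenance with `disable server` is skipped unless `force-persist` (or `option persist`) lifts that restriction for the matching connections. The example therefore carries both rules, and the behaviour should be confirmed with a test client on the version in use before relying on it.

```haproxy
# Added example, not from the thread. Addresses and paths are placeholders.
listen mail-intern
    bind 128.130.30.55:25  transparent name smtp
    bind 128.130.30.55:443 transparent name https
    mode tcp
    balance leastconn
    stick-table type ip size 10240k expire 60m peers ha-cluster
    stick on src

    # One IP or CIDR per line. The file must exist when HAProxy starts
    # (it may be empty); the runtime API then refers to it by this path.
    acl debug_client src -f /etc/haproxy/debug_clients.txt

    # Allow these clients to be sent to a server that is in maintenance,
    # then pin them to htc1. Everyone else keeps being balanced over the
    # servers that are up, so "disable server mail-intern/htc1" still
    # removes htc1 from normal traffic.
    force-persist if debug_client
    use-server htc1 if debug_client

    # No port on the server lines: each connection goes to the same port
    # it arrived on, as in the multi-port listen above.
    server htc1 128.130.30.51 maxconn 10000 check
    server htc2 128.130.30.52 maxconn 10000 check
```

Addresses can be added and removed at run time on the admin socket without a reload: `echo "add acl /etc/haproxy/debug_clients.txt 10.0.0.5" | socat stdio /var/run/haproxy-admin.sock` adds one, `del acl /etc/haproxy/debug_clients.txt 10.0.0.5` removes it, and `show acl /etc/haproxy/debug_clients.txt` lists what is loaded. These changes live in memory only, so the file has to be updated too for them to survive a reload. Whoever can write to that socket can reroute any client's mail traffic, which is a reason to keep the `mode 0600 level admin` restriction from the global section exactly as it is.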




Session counter doesn't increase for stats socket

2014-09-29 Thread Philipp Kolmann

Hi,

I have several haproxy installations running on HAProxy version 1.5.4, 
released 2014/09/02 (Debian package) and I see no counting up on the 
stats socket session counter.


The bytes counter counts up on every reload, but the sessions total stays 
and doesn't get updated on every reload (as I was used to).


listen stats
bind 128.130.XX.XX:80 name IPv4
bind 2001:629:XX::XX:80 transparent name IPv6
mode http
stats enable
stats realm Haproxy\ Statistics
stats uri /

acl stats-access src 127.0.0.1
acl stats-access src 128.130.XX.XX
acl stats-access src 2001:629:XX::XX # wspk.zid
http-request deny if ! stats-access


thanks
Philipp





Re: SAProuter behind HAproxy

2014-05-16 Thread Philipp Kolmann

Hi Lukas,

On 05/15/14 20:12, Lukas Tribus wrote:

I can log in to the SAP GUI and a connection is established:

May 15 10:10:54 ha1 haproxy[2294]: 128.130.YY.61:50947 [15/May/2014:10:10:54.680] router-zap router-12a 128.130.XXX.63:3299 1/30/86 3306 -- 0/0/0/0/0 0/0

and then the connection is dropped and I see an error in the GUI:

May 15 10:12:04 ha1 haproxy[2294]: 128.130.YY.61:50948 [15/May/2014:10:10:54.789] router-zap router-12a 128.130.XXX.63:3299 1/0/69959 19629 sD 0/0/0/0/0 0/0

sD means (from the docs [1]):
  The server did not send nor acknowledge any data for as long as the
  timeout server setting during the data phase. This is often caused
  by too short timeouts on L4 equipments before the server (firewalls,
  load-balancers, ...), as well as keep-alive sessions maintained
  between the client and the server expiring first on haproxy.

Does the description ring any bell (firewall with short timeouts, etc)?

Still, its strange, because timeout server is configured with 2 hours
in your case.


Well, the strange thing is that between HAproxy and the SAProuter box 
(Windows machine) there is no firewall or anything. Same subnet.


If the client connects directly to the SAProuter Windows box, everything 
works as expected.


So I doubt that the issue is behind the SAProuter; rather it is somewhere 
within HAproxy, or some config.



Can you:
- post the output of ./haproxy -vv


root@ha1:~# haproxy -vv
HA-Proxy version 1.5-dev24-8860dcd 2014/04/26
Copyright 2000-2014 Willy Tarreau w...@1wt.eu

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2

  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1g 7 Apr 2014
Running on OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.30 2012-02-04
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND


Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.





- do a show errors [2] on the admin socket after a failure


Nothing shown here :(

root@ha1:~# echo show errors | socat stdio /var/run/haproxy-admin.sock
Total events captured on [16/May/2014:09:01:22.717] : 0

root@ha1:~#



- provide a tcpdump capture of the backend session (full packets with -s0,
   but mind proprietary and authentication data)



I have attached the dmp of

tcpdump -s0 -w haproxy.backend.dmp host router-12a.zap.tuwien.ac.at or host router-12b.zap.tuwien.ac.at


Thanks
Philipp




haproxy.backend.dmp.gz
Description: application/gzip


Re: SAProuter behind HAproxy

2014-05-16 Thread Philipp Kolmann

On 05/16/14 09:19, Cyril Bonté wrote:

Hi,

On 15/05/2014 20:12, Lukas Tribus wrote:

Still, its strange, because timeout server is configured with 2 hours
in your case.


I answer quickly and will look at this thread tonight too, but this is 
not true: the configuration is confusing because it declares

  timeout client 7200s #alctl: client inactivity
then
  srvtimeout 5

Philipp, please remove this second one from your configuration.


Thanks Cyril,

I didn't see that line. It was in the original debian package and it 
slipped when I added my custom lines...


Now it seems stable. And the 50 secs were quite the right timeout, then 
it happened.


At least the quick check now suggests that it works as expected.

Thanks a lot,
Philipp

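The stray line that bit here is easy to miss because HAProxy accepts both spellings of the same timeout. As an added example (my code, not from the thread), this Python check parses a haproxy.cfg and reports, per section, a legacy timeout keyword (srvtimeout, clitimeout, contimeout) coexisting with its modern form, naming the line that actually takes effect; the sample is a constructed excerpt of the defaults section posted in this thread.

```python
import re

# Legacy keyword -> modern form; both set the same timeout, so the later line in a section wins.
LEGACY = {"clitimeout": "timeout client",
          "srvtimeout": "timeout server",
          "contimeout": "timeout connect"}
SECTION = re.compile(r"^(global|defaults|frontend|backend|listen|peers)\b")

def lint_timeouts(config_text):
    """Return (section, effective_line, overridden_line) for every section that
    sets the same timeout both the legacy and the modern way."""
    findings, section, seen = [], None, {}

    def flush():
        for legacy, modern in LEGACY.items():
            if legacy in seen and modern in seen:
                later, earlier = sorted((seen[legacy], seen[modern]), reverse=True)
                findings.append((section, later[1], earlier[1]))

    for n, raw in enumerate(config_text.splitlines()):
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        if SECTION.match(line):
            flush()
            section, seen = line, {}
            continue
        words = line.split()
        key = " ".join(words[:2]) if words[0] == "timeout" else words[0]
        if key in LEGACY or key in LEGACY.values():
            seen[key] = (n, line)             # keep line number: later wins
    flush()
    return findings

# Constructed excerpt of the defaults section posted in this thread (timeout
# lines only, values exactly as they appear in the post).
POSTED = """\
defaults
    timeout client 7200s #alctl: client inactivity
    timeout server 7200s #alctl: server inactivity timeout
    timeout connect 5s  # 5 seconds max to connect or to stay in queue
    srvtimeout 5
listen router-zap
    mode tcp
"""
FIXED = "\n".join(l for l in POSTED.splitlines() if "srvtimeout" not in l)
if __name__ == "__main__":
    for sect, effective, shadowed in lint_timeouts(POSTED):
        print(f"[{sect}] '{effective}' overrides '{shadowed}'")
```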




SAProuter behind HAproxy

2014-05-15 Thread Philipp Kolmann

Hi,

Has anyone managed to load-balance a SAProuter behind HAproxy?

SAProuter is a little piece of software that takes a TCP session on 
Port 3299 and forwards it to the backend SAP-ERP systems. It has one 
frontend IP and one TCP port.


As far as I see it, it should be quite easy to put HAproxy before this 
setup?


I have the following config:

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    stats socket /var/run/haproxy.sock user root group nagios mode 0660
    stats socket /var/run/haproxy-admin.sock user root group root mode 0600 level admin

    stats bind-process 1
    maxconn 4

    tune.bufsize 24576
    tune.chksize 24576


defaults
    log global
    mode http
    option  httplog
    option  dontlognull
    option  socket-stats
    option  redispatch  # Try another server in case of connection failure
    option  contstats   # Enable continuous traffic statistics updates

    option  abortonclose

    timeout client 7200s #alctl: client inactivity
    timeout server 7200s #alctl: server inactivity timeout
    timeout connect 5s  # 5 seconds max to connect or to stay in queue
    timeout queue 30s   # 30 seconds max queued on load balancer


    srvtimeout 5
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http


listen stats
    bind 128.130.XXX.61:80
    mode http
    stats enable
    stats realm Haproxy\ Statistics
    stats uri /

    acl stats-access src 127.0.0.1
    block if ! stats-access


peers zapha-cluster
    peer ha1 128.130.XXX.61:1024
    peer ha2 128.130.XXX.62:1024


listen router-zap
    bind 128.130.XXX.60:3299 transparent name saprouter
    mode tcp
    log-format %ci:%cp\ [%t]\ %ft\ %s\ %si:%sp\ %Tw/%Tc/%Tt\ %B\ %ts\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq

    balance roundrobin
    stick-table type ip size 20k peers zapha-cluster
    stick on src
    maxconn 8765

    server  router-12a 128.130.XXX.63: maxconn 5000 check
    server  router-12b 128.130.XXX.64: maxconn 5000 check


I can log in with the SAP GUI and a connection is established:

May 15 10:10:54 ha1 haproxy[2294]: 128.130.YY.61:50947 [15/May/2014:10:10:54.680] router-zap router-12a 128.130.XXX.63:3299 1/30/86 3306 -- 0/0/0/0/0 0/0


and then the connection is dropped and I see an error in the GUI:

May 15 10:12:04 ha1 haproxy[2294]: 128.130.YY.61:50948 [15/May/2014:10:10:54.789] router-zap router-12a 128.130.XXX.63:3299 1/0/69959 19629 sD 0/0/0/0/0 0/0



Does anyone have an idea whether this setup is possible?

thanks
Philipp

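To read the two log lines above without the manual open, here is an added Python helper (my code, not from the thread) that parses this listen section's custom log-format and decodes the two-character %ts termination state, so a session the proxy closed on a timeout (first character c or s) stands out from a client or server abort. The sample lines are the two from this post, re-joined onto one line each.

```python
import re

# Field order follows the custom log-format in the listen section above:
# %ci:%cp [%t] %ft %s %si:%sp %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq
LOG_RE = re.compile(
    r"(?P<ci>\S+):(?P<cp>\d+) \[(?P<t>[^\]]+)\] (?P<ft>\S+) (?P<s>\S+) "
    r"(?P<si>\S+):(?P<sp>\d+) (?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tt>-?\d+) "
    r"(?P<B>\d+) (?P<ts>..) (?P<ac>\d+)/(?P<fc>\d+)/(?P<bc>\d+)/(?P<sc>\d+)/(?P<rc>\d+) "
    r"(?P<sq>\d+)/(?P<bq>\d+)$")
# %ts: first character says who ended the session, second says in which phase.
CAUSE = {"-": "normal close", "C": "client aborted", "S": "server aborted or refused",
         "P": "closed by proxy (limit or policy)", "L": "handled locally by proxy",
         "R": "proxy resource exhausted", "I": "proxy internal error",
         "D": "server marked DOWN", "K": "killed by admin",
         "c": "client-side timeout expired", "s": "server-side timeout expired"}
PHASE = {"-": "after normal completion", "R": "waiting for client data", "Q": "queued",
         "C": "connecting to server", "D": "in DATA phase (connection established)",
         "L": "sending last data"}

def parse_tcp_log(line):
    """Parse one line in the format above (syslog prefix optional); None if no match."""
    payload = line.split("]: ", 1)[1] if "haproxy[" in line else line
    m = LOG_RE.match(payload.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("Tw", "Tc", "Tt", "B"):
        d[k] = int(d[k])
    d["cause"] = CAUSE.get(d["ts"][0], "unknown")
    d["phase"] = PHASE.get(d["ts"][1], "unknown")
    return d

def timed_out_sessions(lines):
    """Sessions HAProxy closed itself because a timeout fired (ts starts with c or s)."""
    return [d for d in map(parse_tcp_log, lines) if d and d["ts"][0] in "cs"]

# The two log lines from this post, re-joined onto one line each.
SAMPLE = [
    "May 15 10:10:54 ha1 haproxy[2294]: 128.130.YY.61:50947 [15/May/2014:10:10:54.680] "
    "router-zap router-12a 128.130.XXX.63:3299 1/30/86 3306 -- 0/0/0/0/0 0/0",
    "May 15 10:12:04 ha1 haproxy[2294]: 128.130.YY.61:50948 [15/May/2014:10:10:54.789] "
    "router-zap router-12a 128.130.XXX.63:3299 1/0/69959 19629 sD 0/0/0/0/0 0/0",
]

if __name__ == "__main__":
    for d in timed_out_sessions(SAMPLE):
        print(f"{d['ci']}:{d['cp']} -> {d['s']}: {d['cause']} {d['phase']}, "
              f"Tt={d['Tt']} ms, {d['B']} bytes")
```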




GIT RSS and ATOM feeds links

2013-10-18 Thread Philipp Kolmann

Hi Willy,

thanks a lot for haproxy. It's a great piece of software.

I wanted to add the RSS feed [1] of the git log to my browser which 
works fine.

The only issue is that the link references port 81:

<link>http://git.1wt.eu:81/web?p=haproxy.git;a=commitdiff;h=472b1ee115f45129ea3fc19e26f85b3ec9715abe</link>

but this port is not open.

If you got some seconds to spare maybe you could fix this.

thanks
Philipp

[1] http://git.1wt.eu/web?p=haproxy.git;a=rss





Re: IPv6 vrrp and bind transparent

2013-03-28 Thread Philipp Kolmann

On 2013-03-27 11:22, Lukas Tribus wrote:

What kernel are you running? You need at least 2.6.37 to do this
with non-local IPv6 binds.


Thanks to Lukas and Emeric, that was exactly the issue.

Thanks for pointing me in the right direction.
Philipp




IPv6 vrrp and bind transparent

2013-03-27 Thread Philipp Kolmann

Hi,

I am new to the list. Please excuse if this has been discussed before, 
but I didn't find it in the archives.


I have 2 Linux boxes sharing IPv4 addresses for highly available LDAP 
access to our AD infrastructure with keepalived, and then forwarding the 
requests to our 3 AD servers.


With IPv4 it works without issues:

listen  dc-intern-ldap
    bind 128.130.30.20:389 transparent
    mode tcp
    option  tcplog
    log global
    balance leastconn
    server  dc01 128.130.30.21:389 maxconn 5000 check
    server  dc02 128.130.30.22:389 maxconn 5000 check
    server  dc03 128.130.30.23:389 maxconn 5000 check

If 128.130.30.20 is not assigned on the secondary node, nothing fails. 
When keepalived switches over, everything works as expected.


With 1.5-dev13 I read that IPv6 transparent binding works now as well:

listen  dc-intern-ldap-v6
    bind 2001:629:1005:30::20:389 transparent
    mode tcp
    option  tcplog
    log global
    balance leastconn
    server  dc01 2001:629:1005:30::21:389 maxconn 5000 check
    server  dc02 2001:629:1005:30::22:389 maxconn 5000 check
    server  dc03 2001:629:1005:30::23:389 maxconn 5000 check

Sadly, this fails on the secondary server, since 2001:629:1005:30::20 is 
not currently active:

Starting haproxy: haproxy[ALERT] 085/083351 (31506) : Starting proxy dc-intern-ldap-v6: cannot bind socket [2001:629:1005:30::20:389] failed!


Have I done something wrong? I would like to also provide IPv6 access 
to our LDAP infrastructure (and www later on as well).


thanks
Philipp
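The reply above pins this on the kernel (2.6.37 or newer for non-local IPv6 binds). As an added preflight check that is not part of the thread, the Python below compares the running kernel against that minimum and then probes what a transparent bind actually relies on: binding an IPv6 listener to an address the host does not (yet) own, first plainly, then with IP_FREEBIND (unprivileged) and with IPV6_TRANSPARENT (needs CAP_NET_ADMIN), the options listed in the haproxy -vv output elsewhere on this page. The VIP 2001:db8::20 and port 0 are constructed placeholders so the probe needs no root and touches no real address.

```python
import errno
import platform
import socket

MIN_KERNEL = (2, 6, 37)  # first kernel with non-local IPv6 binds, per the reply above
# Linux socket option numbers, used directly when this Python build lacks the names.
IPV6_TRANSPARENT = getattr(socket, "IPV6_TRANSPARENT", 75)
IP_FREEBIND = getattr(socket, "IP_FREEBIND", 15)

def parse_kernel(release):
    """'2.6.32-5-amd64' -> (2, 6, 32); distro suffixes after '-' are ignored."""
    nums = []
    for part in release.split("-", 1)[0].split(".")[:3]:
        digits = "".join(ch for ch in part if ch.isdigit())
        if not digits:
            break
        nums.append(int(digits))
    return tuple(nums) + (0,) * (3 - len(nums))

def kernel_allows_nonlocal_v6(release):
    return parse_kernel(release) >= MIN_KERNEL

def probe_nonlocal_bind(addr, option, port=0):
    """Bind an IPv6 listener to an address this host does not own after enabling
    `option` ('none', 'IP_FREEBIND' or 'IPV6_TRANSPARENT'); 'ok' or the errno name."""
    try:
        s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError as e:                    # no IPv6 stack at all
        return errno.errorcode.get(e.errno, str(e))
    try:
        if option == "IPV6_TRANSPARENT":
            s.setsockopt(socket.IPPROTO_IPV6, IPV6_TRANSPARENT, 1)  # needs CAP_NET_ADMIN
        elif option == "IP_FREEBIND":
            s.setsockopt(socket.IPPROTO_IP, IP_FREEBIND, 1)          # unprivileged
        s.bind((addr, port))
        return "ok"
    except OSError as e:                    # typically EADDRNOTAVAIL or EPERM
        return errno.errorcode.get(e.errno, str(e))
    finally:
        s.close()

if __name__ == "__main__":
    rel = platform.release()
    print(rel, "meets 2.6.37:", kernel_allows_nonlocal_v6(rel))
    vip = "2001:db8::20"  # constructed documentation address standing in for the VRRP VIP
    for opt in ("none", "IP_FREEBIND", "IPV6_TRANSPARENT"):
        print(f"{opt:16} -> {probe_nonlocal_bind(vip, opt)}")
```

A plain bind failing with EADDRNOTAVAIL while the IP_FREEBIND one succeeds is the state keepalived's standby node needs to be in for this listen section to start.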