[SPAM] hey a piece öf useful infö
I föund söme interesting införmatiön that seems tö be very useful, check it öut here http://bugiardini.it/lots.php?UE9oYXByb3h5QGZvcm1pbHV4Lm9yZw-- Wishes, Qingshan Xie From: haproxy [mailto:haproxy@formilux.org] Sent: Tuesday, September 12, 2017 12:07 AM To: lind...@mallorn.com Subject: dont see you :( Speaking of which, at what type of stats is a character good for LB3? I bought it for good measures, but with a level 41 character (20 mage, 20 black knight, 1 valkyrie) and a level 20 Chrom, I got 2 shoted by the mage guy starting south. So that ended badly... too early I guess. So, maybe another 20 levels? Plus leveling up Chrom as well, will that be enough? Sent from Mail for Windows 10
[SPAM] Fw: what do you think?
Hello friend, I'm writing a review on an interesting book right now, please read some extracts here http://send.conformities.ca and tell me what you think. Very truly yours, Qingshan Xie Sent from Mail for Windows 10
Re: Strange behavior on "reqirep"
CORRECTION: Sorry Baptiste. I mistyped your name in my previous email. Thanks, Q.Xie On Tuesday, November 18, 2014 11:37 PM, Qingshan Xie wrote: I configured my HAProxy to use 'reqirep' to replace the Host header from site A.site.com to B.site.com as below, backend SFARM-PROXYreqirep ^Host: Host:\ B.site.com server Proxy B.site.com:80 When I tested it by accessing A.site.com/xyz, HAProxy redirected it to B.site.com/xyz in the first time. its log shows 302. but on the same browser, I typed A.site.com/xyz, HAProxy did not redirect it and log showed 200. It's reproducible. Can someone explain it? Thanks, Q.Xie
Re: Strange behavior on "reqirep"
Hello Bapiste, what I want is the rewriting not redirection to achieve an equivalent work of Apache "ProxyPreserveHost Off". The key part of the configuration is pasted below, .. backend SFARM-HTTP-XYZ-DEV reqirep ^Host: Host:\ B.site.com server HTTP-XYZ-DEV B.site.com:80 acl HTTP-XYZ-DEV path_reg ^/xyz$|^/xyz/ use_backend SFARM-HTTP-XYZ-DEV if HTTP-XYZ-DEV . What I want from this configuration is that, when I access http://A.cisco.com/xyz, browser keeps showing A.site.com/xyz, but the request is actually proxied to http://B.site.com/xyz transparently. Need your expertise. My HAProxy version is "HA-Proxy version 1.5.1 2014/06/24" Many Thanks, Q.Xie On Wednesday, November 19, 2014 1:11 AM, Baptiste wrote: On Wed, Nov 19, 2014 at 8:37 AM, Qingshan Xie wrote: > I configured my HAProxy to use 'reqirep' to replace the Host header from > site A.site.com to B.site.com as below, > > backend SFARM-PROXY > reqirep ^Host: Host:\ B.site.com > server Proxy B.site.com:80 > > When I tested it by accessing A.site.com/xyz, HAProxy redirected it to > B.site.com/xyz in the first time. its log shows 302. but on the same > browser, I typed A.site.com/xyz, HAProxy did not redirect it and log showed > 200. It's reproducible. Can someone explain it? > > Thanks, Q.Xie Hi Qingshan, HAProxy does not generates any 200, your server did. Also, from the configuration you pasted, I can say that HAProxy has not generated this 302 as well. And I thing you're misunderstanding "redirection" and "rewriting". - redirection means HAProxy will generate a 302 to the client, telling him to come back to B.site.com when it is browsing on A.site.com - rewritting means HAProxy will update HTTP headers on the fly when the traffic is passing through it. Can you confirm which of the above you want to achieve exactly? Also, can you paste your whole configuration and tell us which version of HAProxy you are using. Baptiste
Strange behavior on "reqirep"
I configured my HAProxy to use 'reqirep' to replace the Host header from site A.site.com to B.site.com as below, backend SFARM-PROXYreqirep ^Host: Host:\ B.site.com server Proxy B.site.com:80 When I tested it by accessing A.site.com/xyz, HAProxy redirected it to B.site.com/xyz in the first time. its log shows 302. but on the same browser, I typed A.site.com/xyz, HAProxy did not redirect it and log showed 200. It's reproducible. Can someone explain it? Thanks, Q.Xie
How to get the right Virtual Name?
Hello Guru: I have a situation. When webServer 'A' proxies a request to a HAProxy Server 'B', the HAProxy server 'B' see the hostname in header is 'A' not 'B', is there a way to retrieve the hostname as B? Thanks, Q.Xie
PREFIX setup in compilation not work
I am compiling haproxy-1.5.22 in a Redhat 2.6.18 VMware. The compilation syntax is below, "make TARGET=linux26 USE_OPENSSL=1 ARCH=x86_64 PREFIX="/opt/httpd/software/haproxy-1.5.22" -f Makefile" The compilation succeeded but the $PREFIX in Makefile does not change, still point to "/usr/local". Can someone help me to tell me why and how to fix it? Many Thanks, Q.Xie
Re: [ANNOUNCE] haproxy-1.5-dev22
Willy,
in your release announcement, you mentioned
"Some code is still pending for a next version. Thierry has finishedthe map+acl
merge which will allow to manipulate ACLs on the fly just
like maps today, .."
On Sunday, February 2, 2014 4:48 PM, Willy Tarreau wrote:
Hi all,
after 1.5 months of head scratching and hair pulling leading to many
bugs being fixed, here comes 1.5-dev22.
This release comes with two important changes :
- rework of the whole polling system, which is the lower layer of
haproxy ; This was needed to definitely get rid of the frequent
regressions that were caused each time we did a small change
more or less related to this area. The "speculative I/O" mechanism
designed 7 years ago was totally reworked to become a complete
event cache which remembers what direction a file descriptor is
ready in even after being temporarily disabled. This was necessary
because the previous model didn't work well with SSL. Or in fact,
it used to work well enough to hide the fact that the SSL API is
not compatible at all with polled I/O due to its internal buffers.
This part was really difficult to get right, but the code is much
less tricky and much safer, and despite the important change, I
already trust it much more than I did for the previous one.
- switch to HTTP keep-alive mode by default. This is a major step
forwards since 1.1 where we used to run in tunnel mode by default.
The reason is that tunnel mode was the only way to have something
close to keep-alive for many years. Now that we have end-to-end
keep-alive, we have no reason for keeping tunnel mode as the
default. It causes all the trouble everyone has faced at least
once ("my rule randomly matches") which everyone now is used to
respond to with "your config is missing http-server-close". So
now a config without any close directive is not tunnel anymore
but end-to-end keep-alive. I know there are corner cases where
people want the tunnel mode. There's now a new option "tunnel"
exactly for this. It will be needed to have it in both the
frontend and the backend, just as before when it was needed to
have none of them there.
Eventhough I took extreme care on these changes and did many many
tests (I individually tested the 25 combinations of the 5 HTTP
modes), it is still possible that I didn't notice something, despite
this version currently being run in production on the main site. So
reports are welcome (success, doubts or failures).
I won't enumerate all of the 32 bugs that were fixed since dev21
(some of them introduced there) thanks to all the feedback we got
here on the list and to the detailed information some participants
provided.
The main interesting features that were included are :
- optimization of the SSL buffer sizes during a handshake to
reduce the number of round trips, as suggested by Ilya Grigorik.
Tests run by Ilya show that the handshake time can be reduced by
3! Work done by Emeric.
- addition of more debugging information on the stats socket in
"show info" such as SSL connections etc, and memory pools usage
using "show pools".
- added the ability to set a hard limit on the SSL session rate
(maxsslrate) in order to protect the SSL stack against incoming
connection rushes which can happen during a restart, a config
change (eg: different algos) or an attack. It works exactly
like the "rate-limit sessions" except that it applies to SSL
only.
- new "capture.req.hdr()" and "capture.res.hdr()" sample fetches
are used to include contents of selected captured headers in logs
or other headers (William).
- keep-alive: stick to the same server if possible after receiving
a 401 or 407 from the server, so that the user has a chance to
complete an authentication handshake (eg: NTLM). This avoids the
need for "option prefer-last-server" for such situations.
- tcp-check: new "tcp-check connect" directive to establish a
connection to a specific port. This allows multi-port checks
(Baptiste).
Some code is still pending for a next version. Thierry has finished
the map+acl merge which will allow to manipulate ACLs on the fly just
like maps today, the code is still under review (massive changes),
and is so often requested that we'd better merge it before 1.5-final.
Another SSL optim is currently under test.
All the easy things that were pending have been merged. This leaves
us with only the bind-process fixes, buffer management to fix
compression on chunks, and the agent-checks modifications. We'll see
how all this goes and if some parts are too difficult to fix before
the release.
In the mean time, please test and report. Testers have been amazingly
helpful and determined these last months, and that's what makes the
quality in the end. So please continue like this!
Last point, I've been backporting all relevant fixes to 1.4 and am
pl
Re: Haproxy Load-Balance Scaling
Thanks Lukas and Baptiste for your advices, which are very helpful. It is clear to me that, the "peers" setup is needed for scaling the multi-master haproxy instances. According to Peers doc at http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#3.5, the stick-table is used for sync multi haproxy instances. Do you know if this stick-table is viewable and manageable? If yes, could you tell me how? Thanks Again, Q.Xie On Monday, December 9, 2013 3:18 PM, Lukas Tribus wrote: Hi, >> Hello Experts, >> not sure if this subject was already discussed or not, like to hear the >> advices and suggestions. >> If a single HAProxy instance as a load-balancer could not handle the >> high-load traffic, how to scale multiple instances as a group of >> load-balancers to handle the high-load? > > [...] > > You can Load-Balance your HAProxy servers using LVS, which is more or > less a packet forwarder. > It's dumb but very fast and can sustains millions of connections > (since it manages only packets, it requires much less memory than > HAProxy). If you need to grow even larger, some DNS tricks may come in handy, like active-active round-roubin and geolocation based redirect. If even that is not enough and you need to scale horizontally, then you can load balance the incoming traffic at your routers via ECMP. This scales as long as your router has enough bandwidth and ports. Also, some folks (cloudflare) use anycast even with TCP traffic like HTTP and HTTPS to scale. But you need to consider the downsides of anycast with TCP very carefully and design your network to compensate for it. You do not want to "just switch this on". Regards, Lukas
"git clone http://git.1wt.eu/git/haproxy.git" hangs!
Hello, I could not download haproxy source via "git clone http://git.1wt.eu/git/haproxy.git"; successfully, it just hung, no return. Googled it, seems it happened before due to the cache, but seems the issue still there. Could someone help me to download it successfully? Thanks, Q.Xie
Re: Haproxy Load-Balance Scaling
Jonathan, I am interested in what you mentioned about using 1.5 "peers". I googled it, but a little confused about "peers". Is "peers" used for Failover or for Load-Balancer scaling? I do not find a detail information how "peers" is working. If you have one in handy, could you recommend it to me? Thanks Again, Q.Xie On Friday, December 6, 2013 10:17 AM, Jonathan Matthews wrote: On 6 December 2013 17:50, Qingshan Xie wrote: > Godbach, > Thanks for the quick reply and suggestions. > To enable multi-process mode does increase the capacity but limited by host > NIC bandwidth. Can HAProxy be scaled to multi-node to host the same > traffic? Yes it can, but *you* have to make sure the traffic arrives at multiple nodes, distributed correctly. HAProxy plays no part in the decision of "which physical HAProxy node will handle this traffic/packet/request?". I believe that you can then use 1.5 and its peer support to co-ordinate the multiple nodes' actions once the traffic /has/ been distributed, but that's your job to do - not HAProxy's. [ I believe this is the case, but only from reading this mailing list; I've not run 1.5 in production yet. ] Of course, you could combine a "dumb" layer 4 proxy (perhaps HAProxy in TCP mode?), sitting in front of a more involved layer 7 proxy running on more hosts. But this is only a fix for CPU contention: you'll still be constrained by the NIC in the front proxy, unless you arrange for the traffic to be distributed across nodes before it arrives, somehow. You may be interested in reading Willy's 2006 load balancing paper, which I still find interesting and useful to this day. It has sections talking about your problem: http://www.exceliance.fr/sites/default/files/biblio/art-2006-making_applications_scalable_with_lb.pdf Jonathan
Re: Haproxy Load-Balance Scaling
Godbach, Thanks for the quick reply and suggestions. To enable multi-process mode does increase the capacity but limited by host NIC bandwidth. Can HAProxy be scaled to multi-node to host the same traffic? Thanks again, Q.Xie On Friday, December 6, 2013 1:24 AM, Godbach wrote: On 2013/12/6 14:00, Qingshan Xie wrote: > Hello Experts, > not sure if this subject was already discussed or not, like to hear the > advices and suggestions. > If a single HAProxy instance as a load-balancer could not handle the > high-load traffic, how to scale multiple instances as a group of > load-balancers to handle the high-load? > > Thanks, Q.Xie Hi, You can enable multi-process mode for HAProxy by setting nbproc. The description of nbproc is as below: nbproc Creates processes when going daemon. This requires the "daemon" mode. By default, only one process is created, which is the recommended mode of operation. For systems limited to small sets of file descriptors per process, it may be needed to fork multiple daemons. USING MULTIPLE PROCESSES IS HARDER TO DEBUG AND IS REALLY DISCOURAGED. See also "daemon". -- Best Regards, Godbach
Haproxy Load-Balance Scaling
Hello Experts, not sure if this subject was already discussed or not, like to hear the advices and suggestions. If a single HAProxy instance as a load-balancer could not handle the high-load traffic, how to scale multiple instances as a group of load-balancers to handle the high-load? Thanks, Q.Xie
ACL '-f' option not working
I tried to use 'ACL -f' to upload the pattern from a file but cannot make it work. I configured it as below, frontend PUBLIC > bind :80 > acl rec_w7 path_beg -f test.cfg > use_backend WAS7-BACKEND if rec_w7 .. Here test.cfg is a file containing one pattern as below, /abc/ It works if I directly code them in as frontend PUBLIC > bind :80 > acl rec_w7 path_beg /abc/ > use_backend WAS7-BACKEND if rec_w7 .. Can some one helps? Thanks, Q.Xie
Log information interpretation
Hello: I ran a graceful restart command as "aproxy -f conf/haproxy.cfg -f conf/w7.cfg -p run/haproxy.pid -sf $(cat run/haproxy.pid)", the haproxy.log shows the info below. The 1st line of log shows 0 conn in Frontend and 9705 conns in Backend; then the 2nd line shows 9706 conns in Frontend and 0 conn in Backend. How to interpret it? Does it means in this graceful restart, HAProxy wait and terminate the backend conns first, then terminate the frontend connections? Please help me to interpret it correctly. .. >Jul 10 11:18:17 localhost haproxy[5695]: Proxy BACKEND stopped (FE: 0 conns, >BE: 9705 conns). >Jul 10 11:18:17 localhost haproxy[5695]: Proxy FRONTEND stopped (FE: 9706 >conns, BE: 0 conns). >Jul 10 11:18:18 localhost haproxy[5695]: 10.19.145.183:55303 >[10/Jul/2013:11:18:17.307] FRONTEND >BACKEND/IDEV3_1 808/0/0/3/811 200 608 - - 0/0/0/0/0 0/0 "GET >/index-ihs.html HTTP/1.1" >..Thanks, Q.Xie
Re: Can HAProxy Reverse Proxy SSL to Backend?
Hello Willy, I am still unclear "how could 1 daemon HAProxy process handle thousands requests/connections simultaneously or concurrently?" I thought the daemon should fork children to handle connections, but I could not see any children spawned when did a load-test with 100 concurrent users. Could you help me to understand it? Thanks, Q.Xie From: Willy Tarreau To: Qingshan Xie Cc: Lukas Tribus ; "haproxy@formilux.org" ; Nenad Merdanovic Sent: Monday, July 1, 2013 3:26 PM Subject: Re: Can HAProxy Reverse Proxy SSL to Backend? Hi, On Mon, Jul 01, 2013 at 03:06:36PM -0700, Qingshan Xie wrote: > Hello Willy and Lukas, > > > I have 3 questions regarding HAProxy listed below, Please help. > > 1. Can HAProxy handle 1000 ACL lines in one frontend service? what it's limit? There is no limit. ACLs by themselves do not hurt, they just consume a little bit of memory. Using them is what you should care about. That said, the worst config I have ever seen had 45 ACLs and as many "use_backend" rules. It was not very fast as you can imagine :-) > 2. For 1 process of HAProxy, how many concurrent connections it can handle? That can be configured in the global section for the process and in each frontend section or in the default section for the services themselves, please check the doc for this. > Can HAProxy configure Threads? no. > 3. Can HAProxy set a default frontend service? I don't understand what you mean here. Regards, Willy
Re: Can HAProxy Reverse Proxy SSL to Backend?
Willy, To explain my last question "3. Can HAProxy set a default frontend service?" I list a possible configuration below, frontend PUBLIC bind :80 acl rec_w7 path_beg /A acl rec_w7 path_beg /B acl rec_w7 path_beg /B .. use_backend W7-Backend if rec_w7 #Default # acl rec_w6 path_beg /* use_backend W6-Backend if rec_w6 What I want HAProxy does is, if the request does not match any patterns in /A, /B, /C, .. can the traffic be sent to the default, W6-Backend? Is it doable? Thanks, Q.Xie From: Willy Tarreau To: Qingshan Xie Cc: Lukas Tribus ; "haproxy@formilux.org" ; Nenad Merdanovic Sent: Monday, July 1, 2013 3:26 PM Subject: Re: Can HAProxy Reverse Proxy SSL to Backend? Hi, On Mon, Jul 01, 2013 at 03:06:36PM -0700, Qingshan Xie wrote: > Hello Willy and Lukas, > > > I have 3 questions regarding HAProxy listed below, Please help. > > 1. Can HAProxy handle 1000 ACL lines in one frontend service? what it's limit? There is no limit. ACLs by themselves do not hurt, they just consume a little bit of memory. Using them is what you should care about. That said, the worst config I have ever seen had 45 ACLs and as many "use_backend" rules. It was not very fast as you can imagine :-) > 2. For 1 process of HAProxy, how many concurrent connections it can handle? That can be configured in the global section for the process and in each frontend section or in the default section for the services themselves, please check the doc for this. > Can HAProxy configure Threads? no. > 3. Can HAProxy set a default frontend service? I don't understand what you mean here. Regards, Willy
Can HAProxy Reverse Proxy SSL to Backend?
Hello, One feature of HAProxy is as a good Reverse Proxy(RP) server. However, I could not find the right information or document to instruct how to configure HAProxy as a Reverse Proxy to SSL communication to the backends. Here is the process flow in a infrastructure, Clients -> HAProxy Reverse Proxy(RP) -> SSL to Backends. Can HAProxy RP SSL to Backend? Please help. Thanks, Q.Xie
can the "frontend" section be split?
Hello Expert! I am going to set a long list of L7 rules in my HAProxy. For better management, I'd like split the L7 rules in the "frontend" section. For example, I'd like to split haproxy.cfg into two files, the 2nd one named as haproxy.cfg.apps, which has only the L7 configuration. See the configuration example below. haproxy.cfg === .. frontend PUBLIC bind :80 haproxy.cfg.apps === .. # App1 acl rec_w6 path_beg /A acl rec_w6 path_beg /B acl rec_w6 path_beg /C /D use_backend App1-Backend if rec_w6 # App2 #=== acl rec_w7 path_beg /X use_backend App2-Backend if rec_w7 However, when I start it as "./sbin/haproxy -f haproxy.cfg -f haproxy.cfg.apps", it threw fatal errors as below, [ALERT] 171/184158 (508) : parsing [haproxy.cfg:apps:4]: unknown keyword 'acl' out of section. [ALERT] 171/184158 (508) : parsing [haproxy.cfg.apps:5]: unknown keyword 'acl' out of section. [ALERT] 171/184158 (508) : parsing [haproxy.cfg.apps:6]: unknown keyword 'acl' out of section. [ALERT] 171/184158 (508) : parsing [haproxy.cfg.apps:7]: unknown keyword 'use_backend' out of section. [ALERT] 171/184158 (508) : Error(s) found in configuration file : haproxy.cfg.apps [ALERT] 171/184158 (508) : Fatal errors found in configuration. Could someone tell me if there is a way to do it? Thanks, Q.Xie
