Re: SOLVED! (Was: 400 error on cookie string)

2017-01-05 Thread ge...@riseup.net
Hi Willy, all,

On 17-01-05 20:17:56, Willy Tarreau wrote:
> "cas", if you want to be credited as a reporter of the issue, you
> need to raise your hand very quickly now, because once the patch is
> merged it will be too late.

His name is Aleksey Gordeev, see 9060941483541...@web3g.yandex.ru,
written on 2017/01/04.

Cheers,
Georg


signature.asc
Description: Digital signature


Re: Update of SSL certificate on haproxy.org

2016-12-28 Thread ge...@riseup.net
On 16-12-28 09:32:07, Baptiste wrote:
> I planned to release this script on gitlab at some point, and this
> could be the right moment :)

Yes!



Re: HAProxy clustering

2016-12-19 Thread ge...@riseup.net
On 16-12-19 16:01:08, Stephan Müller wrote:
> Different services on the same host, so it has also different health checks,
> balance policies and so on..

Alright -- please show this in your code, next time.

TIA and all the best,
Georg



Re: HAProxy clustering

2016-12-19 Thread ge...@riseup.net
On 16-12-19 08:39:17, Stephan Müller wrote:
> Another point I encounter frequently, I use the same server (IPs) in
> multiple backends, this duplicates configuration.
> 
> SRV1_IP=192.168.0.1
> CHECK_INTER=1
> 
> backend foo
>   server service1 $SRV1_IP check inter $CHECK_INTER
> 
> backend bar
>   server service2 $SRV1_IP check inter $CHECK_INTER

Why not use the same backend then?

backend foo_bar
  server service1_2 $SRV1_IP check inter $CHECK_INTER



Re: HAProxy clustering

2016-12-16 Thread ge...@riseup.net
On 16-12-16 16:19:09, Michel blanc wrote:
> Here I use pacemaker+corosync and 2 VIPs (+ round robin DNS) so all
> haproxy instances are active. In case of failure, failed VIP is
> "moved" to the remaining instance (which then holds the 2 VIPs).

Doing this as well. Also, pacemaker/corosync enables the use of STONITH
/ fencing, which is critical if doing HA.

Cheers,
Georg



http/1.1, h2, HSTS, nginx, proxy_protocol: Seeking some advice and help

2016-11-18 Thread ge...@riseup.net
Hi all,

I'm currently implementing a new environment, as per the subject,
nothing fancy, but seeking for some advice and help:

I'm using HAProxy and nginx out of Debian j-bp:

HA-Proxy version 1.6.9-2~bpo8+1 2016/10/06
Copyright 2000-2016 Willy Tarreau 

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2
  OPTIONS = USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1 USE_NS=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.0.2j  26 Sep 2016
Running on OpenSSL version : OpenSSL 1.0.2j  26 Sep 2016
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.35 2014-04-04
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with Lua version : Lua 5.3.1
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with network namespace support

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

nginx version: nginx/1.9.10
built with OpenSSL 1.0.2j  26 Sep 2016
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong 
-Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-fPIE -pie 
-Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx 
--conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log 
--error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock 
--pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body 
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi 
--http-proxy-temp-path=/var/lib/nginx/proxy 
--http-scgi-temp-path=/var/lib/nginx/scgi 
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit 
--with-ipv6 --with-http_ssl_module --with-http_stub_status_module 
--with-http_realip_module --with-http_auth_request_module 
--with-http_addition_module --with-http_dav_module --with-http_geoip_module 
--with-http_gunzip_module --with-http_gzip_static_module 
--with-http_image_filter_module --with-http_v2_module --with-http_sub_module 
--with-http_xslt_module --with-stream --with-stream_ssl_module --with-mail 
--with-mail_ssl_module --with-threads 
--add-module=/build/nginx-1.9.10/debian/modules/nginx-auth-pam 
--add-module=/build/nginx-1.9.10/debian/modules/nginx-dav-ext-module 
--add-module=/build/nginx-1.9.10/debian/modules/nginx-echo 
--add-module=/build/nginx-1.9.10/debian/modules/nginx-upstream-fair 
--add-module=/build/nginx-1.9.10/debian/modules/ngx_http_substitutions_filter_module

The relevant sections of my current configs look like:

frontend ft_https_in
  bind XXX.XXX.XXX.XXX:443 ssl crt /etc/haproxy/certs/domain.com.pem alpn h2,http/1.1
  mode tcp
  option tcplog
  option tcpka
  tcp-request inspect-delay 5s
  tcp-request content accept if { req_ssl_hello_type 1 }
  http-response set-header Strict-Transport-Security "max-age=1600; includeSubDomains;"
  acl http2 ssl_fc_alpn -i h2
  use_backend %[ssl_fc_sni,lower,map(/etc/haproxy/domain2backend_h2.map,bk_local)] if http2
  use_backend %[ssl_fc_sni,lower,map(/etc/haproxy/domain2backend_h1.map,bk_local)] if !http2

backend bk_jira_h1
  server bk_jira_h1 10.10.40.11:80 check fastinter 1000

backend bk_jira_h2
  mode tcp
  server bk_jira_h2 10.10.40.11:81 check fastinter 1000 send-proxy

server {
  listen 10.10.40.11:80;
  listen 10.10.40.11:81 http2 proxy_protocol;

  [...]
}

This works as expected, with one caveat I'm not totally sure about: the
HSTS header. While securityheaders.io and the Qualys SSL Labs test
report "HSTS enabled", and 'curl -I domain.com' shows the correct
header, the insight provided by Google Chrome, which I used for testing,
is different: when accessing the domain, the response headers of the
requests are missing HSTS, and the HSTS set for the domain in
question is empty as well when queried via chrome://net-internals#hsts .
So I wonder: does this really work? I'm using tcp mode for the frontend,
so I guess 'http-response set-header ...' doesn't work, right? The docs
state this applies to layer 7 processing, so it can't and won't work
with mode tcp, if I read this correctly.

If this is true, is there any "easy" way around? Of course I could set
the header at the nginx level, but I would prefer doing this kind of
stuff at one, and only one, point.

I've tried to chain multiple frontends and backends, like so:

frontend ft_https_in
  bind XXX.XXX.XXX.XXX:443 ssl crt /etc/haproxy/certs/domain.com.pem alpn 
h2,http/1.1
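As an added example (not from the original post and not HAProxy or nginx code), a small Python checker that parses the Strict-Transport-Security header out of a raw response header block and reports what a browser would actually enforce on each path. The two sample responses are constructed, modelled on the HTTP/1.1 and h2 paths above, and the one-year minimum for max-age is an assumed policy value.

```python
# Constructed sample responses (not captured from the original poster's hosts):
# the HTTP/1.1 path carries the header value from the config above, the h2 path
# reaches the client with the header never added.
H1_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.9.10\r\n"
    "Strict-Transport-Security: max-age=1600; includeSubDomains;\r\n"
    "Content-Type: text/html\r\n\r\n"
)
H2_RESPONSE = "HTTP/2 200\r\nserver: nginx/1.9.10\r\ncontent-type: text/html\r\n\r\n"

# Assumed policy minimum for max-age: one year, which preload lists require
# and hardening guides commonly expect; max-age=1600 is under 27 minutes.
MIN_MAX_AGE = 31536000


def parse_hsts(raw_headers):
    """Directives of the first Strict-Transport-Security header as a dict,
    or None when the response has none. Header names are case-insensitive
    and, per RFC 6797, only the first occurrence of the header counts."""
    for line in raw_headers.split("\r\n")[1:]:  # [0] is the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "strict-transport-security":
            continue
        hsts = {"max_age": None, "include_subdomains": False, "preload": False}
        for directive in value.split(";"):
            key, _, val = directive.strip().partition("=")
            key = key.strip().lower()
            if key == "max-age" and val.strip().isdigit():
                hsts["max_age"] = int(val.strip())
            elif key == "includesubdomains":
                hsts["include_subdomains"] = True
            elif key == "preload":
                hsts["preload"] = True
        return hsts
    return None


def check_hsts(raw_headers):
    """Findings a defender would raise for one path; an empty list is fine."""
    hsts = parse_hsts(raw_headers)
    if hsts is None:
        return ["no Strict-Transport-Security header on this path"]
    findings = []
    if hsts["max_age"] is None:
        findings.append("max-age missing or not numeric, browsers ignore the header")
    elif hsts["max_age"] < MIN_MAX_AGE:
        findings.append(f"max-age={hsts['max_age']} is below {MIN_MAX_AGE}")
    if not hsts["include_subdomains"]:
        findings.append("includeSubDomains not set")
    return findings
```

Feed it the header block from 'curl -I' for the HTTP/1.1 path and the headers shown by the browser's developer tools for the h2 path; a header that only appears on one of the two is the symptom described above.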
  

Re: Getting JSON encoded data from the stats socket.

2016-11-10 Thread ge...@riseup.net
Hi,

On 16-11-10 16:56:33, Willy Tarreau wrote:
> I removed you from the To in this response, but just as a hint we
> generally recommend to keep people CCed since most of us subscribed
> to lists have filters to automatically place them in the right box,
> and some people may participate without being subscribed. 

Yeah, I'm using filtering as well, but this doesn't deal with getting
the same mail(s) multiple times.

> On most lists, when people don't want to be automatically CCed on
> replies, they simply set their Reply-To header to the list's address.

Thanks, wasn't aware of this. I did so now.

> OK but just so that there's no misunderstanding, next release will be
> in approx one year. However if the patch is merged early, it will very
> likely apply well to the stable release meaning you can easily add it
> to your own packages.

Ah, I see, wasn't aware of this. Well then...this is fine as well.. :)

Cheers,
Georg



Re: Getting JSON encoded data from the stats socket.

2016-11-10 Thread ge...@riseup.net
(Please don't Cc: me, I'm subscribed to the list.)

On 16-11-10 16:12:31, Willy Tarreau wrote:
> That's cool!
> 
> The only thing is that I don't want to delay the release only for this,
> and at the same time I'm pretty sure it's possible to do something which
> will not impact existing code within a reasonable time frame. I just
> don't know how long it takes to make everyone agree on the schema. My
> intent is to release 1.7 by the end of next week *if we don't discover
> new scary bugs*. So if you think it's doable by then, that's fine. Or
> if you want to buy more time, you need to discover a big bug which will
> keep me busy and cause the release to be delayed ;-) Otherwise I think
> it will have to be in 1.8.
> 
> Note, to be clear, if many people insist on having this, we don't have an
> emergency to release by the end of next week, but it's just a policy we
> cannot pursue forever, at least by respect for those who were pressured
> to send their stuff in time. So I think that we can negotiate one extra
> week if we're sure to have something completed, but only if people here
> insist on having it in 1.7.
> 
> Thus the first one who has a word to say is obviously Simon : if you
> think that even two weeks are not achievable, let's calmly postpone
> and avoid any stress.

Even if I'm not Simon, I'll say a word, hope that's okay, because I've
dug out this old thread: It's fine for me if it will go into 1.7 or
1.8. I don't need this within the next two weeks, but I'm looking forward
to using it. If it takes another four, six or eight weeks, this is
completely fine with me.

All the best,
Georg



Re: Getting JSON encoded data from the stats socket.

2016-11-10 Thread ge...@riseup.net
Hi all,

On 16-07-05 10:05:13, Mark Brookes wrote:
> I wondered if we could start a discussion about the possibility of
> having the stats socket return stats data in JSON format.

After the discussion we had in July, I'm wondering what's the current
status regarding this topic?

Thanks and all the best,
Georg



Re: haproxy: authorization based on subrequest

2016-09-15 Thread ge...@riseup.net
Hi Gopal, all,

On 16-09-11 04:37:00, Raghavan, Gopal wrote:
> 
> Is there a way to apply client authorization based on the result of a
> subrequest. If the subrequest returns a 2xx response code, the access
> is allowed. If it returns 401 or 403, the access is denied with the
> corresponding error code.
> 
> This is similar to:
> http://nginx.org/en/docs/http/ngx_http_auth_request_module.html
> 
> Is there an existing module or can this be scripted with lua?
> 
> Any suggestions?
> 
> Appreciate if you can share some links and sample code.

I'm interested in this as well. Did you receive any input on this?

Thanks,
Georg



Re: Backend: Multiple A records

2016-09-01 Thread ge...@riseup.net
On 16-09-01 14:14:54, Tim Düsterhus wrote:
> On 31.08.2016 23:05, Baptiste wrote:
> > If I want to setup a lab on my computer, what would be the fastest way to
> > build it?
> > I mean, running docker on my laptop does not seem to be sufficient and I
> > don't really understand what would be the bare minimum setup.
> > If you could help me on this point, I'll appreciate it a lot!
> 
> You mean for testing the DNS responses? Personally I'm running Knot
> inside a Docker container, it is very easy to manage its zones
> programmatically and it's probably the simplest solution for you.

I'm not using / running Docker, but instead good old virtual (KVM)
machines, but +1 for knot. It's great, and I would recommend it as well.
It also supports dynamic DNS updates: [1].

All the best,
Georg


[1] https://www.knot-dns.cz/docs/2.x/html/man_knsupdate.html



Re: Configure Log in Haproxy ( Need help )

2016-08-22 Thread ge...@riseup.net
Hi Qing,

On 16-08-23 00:02:17, Qing Wang wrote:
> And the haproxy.conf in /etc/rsyslog.d/ is:
> # Create an additional socket in haproxy's chroot in order to allow
> logging via
> # /dev/log to chroot'ed HAProxy processes
> #$AddUnixListenSocket /var/lib/haproxy/dev/log

Uncomment this ^^^ line...

> $AddUnixListenSocket /dev/log

...comment that ^^^ one, restart rsyslog and HAProxy, and see if
this helps.

> I already create the log file inside the path /var/lib/haproxy/dev/log

If you're using rsyslog, you don't have to create the files manually. 

All the best,
Georg



Re: Getting JSON encoded data from the stats socket.

2016-07-26 Thread ge...@riseup.net
Hi,

On 16-07-26 21:47:55, Willy Tarreau wrote:
> I'd like to wait for other people to have the time to participate to
> this discussion, I know that some people are very careful about the
> relevance and accuracy of the stats, some people may want to report
> other suggestions.

I can't add that much, and have no specific suggestions, so just this:

(I'm a long time user of HAProxy, my setups aren't that big, mostly
around 50 backends, but I absolutely love the software. Thanks for this
great work!)

Regarding the topic: I absolutely support the proposal to dump the stats
into JSON. In my opinion, this is a much more easily parseable (and
modern) format than CSV. I think that grouping by process makes
sense, but "overall stats" should be included as well. Additionally, I
support your view, Willy, about the amount of data to dump: I would speak
in favor of "dumping as much as possible", because, not sure if I got this
right, it's already possible to do so, it just needs support to dump to
JSON. Better safe than sorry, let's include all the data which _might_
be of interest, instead of only the data which _is now_ of interest. If
some "useless" (for now) data would be dumped...so what?

Thanks for the proposal Pavlos!

Cheers,
Georg



Re: HTML documentation : work in progress

2016-07-05 Thread ge...@riseup.net
Hi Cyril,

On 16-07-05 19:17:30, Willy Tarreau wrote:
> Thanks for doing this!

Don't have that much to add, but: I second that!

All the best,
Georg



Re: haproxy wrapper scripts when real servers change state ?

2016-07-05 Thread ge...@riseup.net
Hi Guillaume,

On 16-07-01 17:25:05, Guillaume Demillecamps wrote:
> I'm asking this because I know of some Cisco product that can provide
> that service (very expensively). But I would love to see this
> achievable with haproxy instead.

Not really sure if this is a task of / for HAProxy, but what about a
script which just does the monitoring and the creating / deleting of DNS
records, and is called via cron, for example? Since you're using a
database backend for your DNS server, this doesn't sound like a
complicated task.

All the best,
Georg
