Re: FW: Question regarding backend connection rates

2021-11-22 Thread Willy Tarreau
Hi Dominik,

On Mon, Nov 22, 2021 at 10:31:15AM +, Froehlich, Dominik wrote:
> For ongoing connections (not total), the stats page shows a tooltip stating
> 
> 
>   *   Current Active Connections
>   *   Current Used Connections
>   *   Current Idle Connections (broken down into safe and unsafe idle 
> connections)
> 
> What is the difference between active and used connections? Which number
> combined with idle connections reflects the current number of open
> connections on the OS level? (i.e. using resources like fds, buffers, ports)

You had me look at the code to figure the exact detail :-/

They're not computed the same way but I think that this results in them
being equivalent nowadays:
  - active is server->cur_sess, which is incremented whenever we need to
establish a connection to a server, possibly after leaving the queue;

  - used is the number of server connections used, that is maintained at
the idle pool layer for statistics.

Functionally speaking, even though they are not computed at the same place
and for the same reasons, I think they're the same. And except in rare
cases in my tests (slight timing differences), I think they're the same
now. Previously when idle connections couldn't be shared between threads
it would have been more complicated as one would be a sum of stuff that
could not necessarily be usable though. That's probably something we need
to consider cleaning for future versions.

> My ultimate goal is to answer the question "how loaded is this machine?" vs.
> a limit of open connections.

Got it. Then use either (or focus on active which is the historical one).
It's incremented only when under use. And use "used+idle" to know the number
of established connections at the OS level.

> What's the difference between safe and unsafe idle connections? Is it related
> to the http-reuse directive, e.g. private vs. non-private reusable
> connections?

Yes that's in part it. A safe connection is one which has proven that it was
reusable (it got reused at least once) and on which we're OK with sending the
first request of a connection because it's reasonably safe. An unsafe
connection is one that has processed 0 or 1 request only. When you use
"http-reuse always", this makes no difference, both are always used.

Willy
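
The accounting described in the reply above (used+idle as the number of established connections at the OS level), as an added example that is not part of the original message or of HAProxy's own code. It assumes an HAProxy version whose "show stat" CSV exports the scur, used_conn_cur, idle_conn_cur and safe_conn_cur columns; the sample rows, the max_open limit and the "unsafe = idle - safe" breakdown are assumptions made for the illustration.

```python
import csv

# Constructed sample: a handful of "show stat" CSV columns (real output has many more).
SAMPLE_SHOW_STAT = """\
# pxname,svname,scur,used_conn_cur,idle_conn_cur,safe_conn_cur,
fe_main,FRONTEND,15,,,,
bk_app,srv1,12,12,30,25,
bk_app,srv2,3,3,190,190,
bk_app,srv3,0,0,0,0,
bk_app,BACKEND,15,,,,
"""

NEEDED = ("scur", "used_conn_cur", "idle_conn_cur", "safe_conn_cur")


def parse_show_stat(text):
    """Return one dict per CSV row, keyed by the column names in the '# ' header."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("# "):
        raise ValueError("expected a '# pxname,svname,...' header line")
    header = lines[0][2:].rstrip(",").split(",")
    missing = [c for c in NEEDED if c not in header]
    if missing:
        # Older versions do not export the idle-pool counters at all.
        raise ValueError("stats output lacks columns: " + ", ".join(missing))
    return list(csv.DictReader(lines[1:], fieldnames=header))


def _num(value):
    # Empty cells (counters that do not apply to a row) count as 0.
    return int(value) if value else 0


def server_connections(rows):
    """Per-server view: active, used, idle (safe/unsafe) and established."""
    out = []
    for row in rows:
        if row["svname"] in ("FRONTEND", "BACKEND"):
            continue  # only server lines hold server-side connections
        used = _num(row["used_conn_cur"])
        idle = _num(row["idle_conn_cur"])
        safe = _num(row["safe_conn_cur"])
        out.append({
            "server": row["pxname"] + "/" + row["svname"],
            "active": _num(row["scur"]),
            "used": used,
            "idle_safe": safe,
            # Assumption: idle_conn_cur is the total, so unsafe = idle - safe.
            "idle_unsafe": max(idle - safe, 0),
            # used + idle = connections established at the OS level.
            "established": used + idle,
        })
    return out


def machine_load(rows, max_open):
    """Compare the sum of established server connections with a chosen limit."""
    if max_open <= 0:
        raise ValueError("max_open must be positive")
    servers = server_connections(rows)
    total = sum(s["established"] for s in servers)
    return {
        "established": total,
        "max_open": max_open,
        "utilisation": total / max_open,
        "over_limit": total > max_open,
        "servers": servers,
    }


if __name__ == "__main__":
    report = machine_load(parse_show_stat(SAMPLE_SHOW_STAT), max_open=300)
    for s in report["servers"]:
        print(s)
    print("established:", report["established"], "over limit:", report["over_limit"])
```

In the sample, srv2 has only 3 connections in use but 193 established, which is why "active" alone understates the file descriptors and ports the machine is holding.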



Re: FW: Question regarding backend connection rates

2021-11-22 Thread Froehlich, Dominik
Hi Willy,

Thanks for the response, yes I think that clarifies the rates for me.

I have another question you probably could help me with:

For ongoing connections (not total), the stats page shows a tooltip stating


  *   Current Active Connections
  *   Current Used Connections
  *   Current Idle Connections (broken down into safe and unsafe idle 
connections)

What is the difference between active and used connections? Which number 
combined with idle connections reflects the current number of open connections 
on the OS level? (i.e. using resources like fds, buffers, ports)
My ultimate goal is to answer the question “how loaded is this machine?” vs. a 
limit of open connections.

What’s the difference between safe and unsafe idle connections? Is it related 
to the http-reuse directive, e.g. private vs. non-private reusable connections?

Thank you so much,
D

From: Willy Tarreau 
Date: Saturday, 20. November 2021 at 10:01
To: Froehlich, Dominik 
Cc: haproxy@formilux.org 
Subject: Re: FW: Question regarding backend connection rates
Hi Dominik,

On Fri, Nov 19, 2021 at 08:42:40AM +, Froehlich, Dominik wrote:
> However, the number of "current sessions" at the backend is almost 0 all the
> time (between 0 and 5, the number of servers). When I look at the "total
> sessions" at the backend after the test, it tells me that 99% of connections
> have been reused. So in my book, when a connection is reused no new
> connection needs to be opened, that's why I am so stumped about the backend
> session rate. If 99% of sessions are reused, why is the rate of new sessions
> not 0?

This is because the "sessions" counter indicates the number of sessions
that used this backend. Sessions are idle in the frontend waiting for a
new request, and once the request is analysed by the frontend rules, it's
routed to a backend, at which point the counter is incremented. As such,
in a backend you'll essentially see as many sessions as requests.

The "new connections" counter, that was added after keep-alive support
was introduced many years ago will, however, indicate the real number of
new connections that had to be established to servers. And this is the
same for each "server" line by the way.

I've sometimes been wondering whether it could make sense to change the
"sessions/total" column in the stats page to show the number of new
connections instead, but it seems to me that it would not bring much
value and will only result in causing confusion to existing users. Given
that in both cases one will have to hover on the field to get the details,
it would not help I guess.

Hoping this helps,
Willy


Fw: [PATCH v2 1/4] MINOR: cli/proxy: add `srv_use_ssl` to `show servers state`

2020-10-05 Thread Wokash Wolsku
I want to control the rate of submission to a SVN server, via https and hope 
someone can assist.  The main problem is to slow down some clients which have 
to upload a large amount of data so as not to deny service to others.  The 
clients are not rogue, they have to upload large image and video files, but, 
when they do this all the resource gets denied to other clients with small 
uploads.  I am trying to see how to do this with haproxy as an intermediary.  
As the uploads are one file, the number of https requests does not seem the 
right way to go and this is via webdav anyway so I am not sure if these get 
counted as separate http requests.  Is there a way to limit bandwidth raw for a 
given IP address (which can be used in this situation to identify individual 
clients).

best

Wocash


Re: FW: HAProxy: Information request

2020-02-27 Thread Sander Klein

Hi,

please be aware you are posting to a public mailinglist. You might want
to check where you sent your emails.

Regards,

Sander Klein



On 2020-02-27 22:14, EMEA Request wrote:

Hi Team,

Apologies for delayed response.

Can you please help with the details provided below and provide a
quote.

Thanks and Regards,

 [3]

 Anandita Sharma | Procurement Specialist –GSDC| SoftwareONE

 anandita.sha...@softwareone.com [4]  | www.softwareone.com [3]
 Phone no : +91 8950320646

 Check out: Why SoftwareONE? [8] | PyraCloud [9] | Customer
Transformation [10]

From: Parsons, Branden 
Sent: Thursday, February 27, 2020 8:14 PM
To: Sharma, Anandita 
Subject: RE: HAProxy: Information request

Hi Anandita

Please see below

On AWS,  but not sure on the number of connections, can they get a
quote without knowing that? We will set up a call once we have an idea
of price?

With kind regards,

Branden Parsons

Internal Sales Executive

SoftwareONE UK Ltd

Direct. +44 203 3729 481

From: Sharma, Anandita 
Sent: 24 February 2020 14:16
To: Parsons, Branden 
Subject: FW: HAProxy: Information request

Hi Branden,

FYI

 [3]

 Anandita Sharma | Procurement Specialist –GSDC| SoftwareONE

 anandita.sha...@softwareone.com [4]  | www.softwareone.com [3]
 Phone no : +91 8950320646

 Check out: Why SoftwareONE? [8] | PyraCloud [9] | Customer
Transformation [10]

From: Anamarija Murgic 
Sent: Friday, January 17, 2020 7:23 PM
To: EMEA Request 
Cc: Sean Meroth 
Subject: Re: HAProxy: Information request

Hi Anandita,

Thanks for letting me know.

Have a great weekend!

Best,
Anamarija

On 17/01/2020 1:34 PM, EMEA Request wrote:


Hi Anamarija ,

Apologies for delay in reply.

Our team is in contact with customer for some clarifications.

Will get back to you after clarifying.

Thanks and Regards,

[3]

Anandita Sharma | Procurement Specialist –GSDC| SoftwareONE

anandita.sha...@softwareone.com [4]  | www.softwareone.com [3]
Phone no : +91 8950320646

Check out: Why SoftwareONE? [5] | PyraCloud [6] | Customer
Transformation [7]

From: Anamarija Murgic 
Sent: Tuesday, January 14, 2020 4:20 PM
To: Sharma, Anandita 
Cc: Sean Meroth 
Subject: Re: HAProxy: Information request

Hello Anandita,

I am following up on my previous email as I haven't heard back from
you. Please let me know when is a good time to talk?

Looking forward to hearing from you soon.

Thanks,
Anamarija

On 07/01/2020 6:08 PM, Anamarija Murgic wrote:


Hi Anandita,

My colleagues forwarded me your email request sent to our Open
source email asking for the product information.

We have both, ALOHA LB, virtual or hardware and we have our
software only HAProxy Enterprise Edition (HAPEE) that you would
install on your their own infrastructure.  HAProxy Enterprise
Edition (HAPEE) comes as an annual subscription per server while
ALOHA appliances prices are based on the application performance
you need to sustain.

It would be very helpful to know:

- Are they using current appliance on Azure or AWS
- The number of new connections (HTTP or HTTPS) per second
- The number of concurrent connections per second.

Also, if possible at all, if you can share with us their current
ADC configuration.

In general, we've found that it's best to get some more context in
a quick conference call that will help us understand the use case
of TheTrainline.com. Then we can make the best recommendation for
you and the project and go over pricing.

Please let me know your availability this week, tomorrow or Friday
afternoon?

Thanks,
Anamarija

--

Anamarija Murgic

Sr. Account Executive

HAProxy Technologies - Powering your uptime!

15 Avenue Raymond Aron | 92160 Antony, France

+385 99 44 11 521 | www.haproxy.com [1] | Unsubscribe [2]



Links:
--
[1]
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.haproxy.com_d=DwMDaQc=-5LgSL_TkF3nGRQI95ci6eeFVMQ5VESHPf5koMIAxOAr=t_QP427c6yP1s5t47wSRYPnCW5oQW71pV6vHdqbRap8m=SdHBecwJYxDvk1OEHAJB19YxCUoN___V5z6l1bRc8Dws=VjsyrZ9hejKpS-zBGVukDcHhAXXYjJsF8nVP92Ocg6Ue>
 [2]
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.haproxy.com_manage-2Demail-2Dpreferences_d=DwMDaQc=-5LgSL_TkF3nGRQI95ci6eeFVMQ5VESHPf5koMIAxOAr=t_QP427c6yP1s5t47wSRYPnCW5oQW71pV6vHdqbRap8m=SdHBecwJYxDvk1OEHAJB19YxCUoN___V5z6l1bRc8DwsgFR5QK4GXUhO2mbkb-MDVmXX-OZjVZlHwRZsF3UOBUe>
 [3] http://www.softwareone.com/
[4] http://@softwareone.com
[5]
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.youtube.com_watch-3Fv-3DeGTUj4NtJP0d=DwMDaQc=-5LgSL_TkF3nGRQI95ci6eeFVMQ5VESHPf5koMIAxOAr=SfBJQfW0uf0NVY4ThIcrA41fo_36SpqIxi1clzEeEm4m=xWyRYnbDHfxkJ1P67Cs1weTnSNlfmzS78tzHZs

FW: HAProxy: Information request

2020-02-27 Thread EMEA Request

Hi Team,

Apologies for delayed response.


Can you please help with the details provided below and provide a quote.



Thanks and Regards,

 Anandita Sharma | Procurement Specialist –GSDC| SoftwareONE
 anandita.sha...@softwareone.com<http://@softwareone.com>  | 
www.softwareone.com<http://www.softwareone.com/>
 Phone no : +91 8950320646
 Check out: Why SoftwareONE?<https://www.youtube.com/watch?v=eGTUj4NtJP0> | 
PyraCloud<https://www.youtube.com/watch?v=cr1hcu7Hs5Q> | Customer 
Transformation <https://youtu.be/16iCTnSZ5Bg>


From: Parsons, Branden 
Sent: Thursday, February 27, 2020 8:14 PM
To: Sharma, Anandita 
Subject: RE: HAProxy: Information request

Hi Anandita

Please see below

On AWS,  but not sure on the number of connections, can they get a quote 
without knowing that? We will set up a call once we have an idea of price?


With kind regards,

Branden Parsons
Internal Sales Executive
SoftwareONE UK Ltd
Direct. +44 203 3729 481



From: Sharma, Anandita 
mailto:anandita.sha...@softwareone.com>>
Sent: 24 February 2020 14:16
To: Parsons, Branden 
mailto:branden.pars...@softwareone.com>>
Subject: FW: HAProxy: Information request

Hi Branden,

FYI


 Anandita Sharma | Procurement Specialist –GSDC| SoftwareONE
 anandita.sha...@softwareone.com<http://@softwareone.com>  | 
www.softwareone.com<http://www.softwareone.com/>
 Phone no : +91 8950320646
 Check out: Why SoftwareONE?<https://www.youtube.com/watch?v=eGTUj4NtJP0> | 
PyraCloud<https://www.youtube.com/watch?v=cr1hcu7Hs5Q> | Customer 
Transformation <https://youtu.be/16iCTnSZ5Bg>


From: Anamarija Murgic mailto:amur...@haproxy.com>>
Sent: Friday, January 17, 2020 7:23 PM
To: EMEA Request 
mailto:request.e...@softwareone.com>>
Cc: Sean Meroth mailto:smer...@haproxy.com>>
Subject: Re: HAProxy: Information request


Hi Anandita,

Thanks for letting me know.

Have a great weekend!

Best,
Anamarija
On 17/01/2020 1:34 PM, EMEA Request wrote:
Hi Anamarija ,


Apologies for delay in reply.

Our team is in contact with customer for some clarifications.

Will get back to you after clarifying.


Thanks and Regards,


 Anandita Sharma | Procurement Specialist –GSDC| SoftwareONE
 anandita.sha...@softwareone.com<http://@softwareone.com>  | 
www.softwareone.com<http://www.softwareone.com/>
 Phone no : +91 8950320646
 Check out: Why SoftwareONE? | PyraCloud | Customer Transformation


From: Anamarija Murgic <mailto:amur...@haproxy.com>
Sent: Tuesday, January 14, 2020 4:20 PM
To: Sharma, Anandita 
<mailto:anandita.sha...@softwareone.com>
Cc: Sean Meroth <mailto:smer...@haproxy.com>
Subject: Re: HAProxy: Information request


Hello Anandita,

I am following up on my previous email as I haven't heard back from you. Please 
let me know when is a good time to talk?

Looking forward to hearing from you soon.

Thanks,
Anamarija
On 07/01/2020 6:08 PM, Anamarija Murgic wrote:

Hi Anandita,

My colleagues forwarded me your email request sent to our Open source email 
asking for the product information.

We have both, ALOHA LB, virtual or hardware and we have our software only 
HAProxy Enterprise Edition (HAPEE) that you would install on your their own 
infrastructure.  HAProxy Enterprise Edition (HAPEE) comes as an annual 
subscription per server while ALOHA appliances prices are based on the 
application performance you need to sustain.

It would be very helpful to know:

- Are they using current appliance on Azure or AWS
- The number of new connections (HTTP or HTTPS) per second
- The number of concurrent connections per second.

Also, if possible at all, if you can share with us their current ADC 
configuration.

In general, we've found that it's best to get some more context in a quick 
conference call that will help us understand the use case of TheTrainline.com. 
Then we 

Re: FW: HAProxy??

2019-07-11 Thread Bruno Henc
Hello Austin, for any sales inquiries regarding HAProxy Enterprise 
Edition please contact sales @ haproxy . com or use the webform at
https://www.haproxy.com/contact-us/ .

The mailing list is for the discussion of HAProxy Community Edition.

I have forwarded your email to the sales team which will reach out to you 
with further information.


Regards,

On 7/11/19 3:15 PM, Austin Getz wrote:


Hello Team,

Can you please provide two quotes for the below for ETS?




--
Bruno Henc
Support Engineer
HAProxy Technologies - Powering your uptime!
375 Totten Pond Road, Suite 302 | Waltham, MA 02451, US
+1 (844) 222-4340 | www.haproxy.com 


Re: FW: HAProxy??

2019-07-11 Thread Aleksandar Lazic
Dear Austin Getz.

Am 11.07.2019 um 15:15 schrieb Austin Getz:
> Hello Team,
> 
> Can you please provide two quotes for the below for ETS?
> 
> ETS Needs to purchase the Enterprise Edition of HA Proxy
> (https://www.haproxy.com/products/haproxy-enterprise-edition/) so that we have
> support from the vendor and can maintain high availability in AWS. We will
> require two licenses: one for PROD and one for non-PROD – quantities subject 
> to
> change.

I strongly suggest to contact cont...@haproxy.com for the enterprise edition.

Fyi: this is the public mailing list for the OSS project.

Current Archive: https://www.mail-archive.com/haproxy@formilux.org/

> Thank you.

Best regards
Aleks

> *Austin Getz *| SHI International Corp |Inside Account Manager |
> austin_g...@shi.com | _www.shi.com_
> 
> Office:732-868-8910 | Fax: 732-868-8911
> 
> 
> 
> */Innovative Solutions. World Class Support./**/ /* 
> 
> 
> 
>  
> 
>  
> 
>   
> 
> This message has originated from an *External Source*. Please use proper
> judgment and caution when opening attachments, clicking links, or responding 
> to
> this email.
> 
>  
> 
> 
> 
> Tom,
> 
>  
> 
> ETS Needs to purchase the Enterprise Edition of HA Proxy
> (https://www.haproxy.com/products/haproxy-enterprise-edition/) so that we have
> support from the vendor and can maintain high availability in AWS. We will
> require two licenses: one for PROD and one for non-PROD – quantities subject 
> to
> change.
> 
>  
> 
> Do you work with HAProxy?
> 
>  
> 
> Regards,
> 
>  
> 
> Glenn
> 
>  
> 
>  
> 
> 
> 
> This e-mail and any files transmitted with it may contain privileged or
> confidential information. It is solely for use by the individual for whom it 
> is
> intended, even if addressed incorrectly. If you received this e-mail in error,
> please notify the sender; do not disclose, copy, distribute, or take any 
> action
> in reliance on the contents of this information; and delete it from your 
> system.
> Any other use of this e-mail is prohibited.
> 
>  
> 
> Thank you for your compliance.
> 
> 




FW: HAProxy??

2019-07-11 Thread Austin Getz
Hello Team,

Can you please provide two quotes for the below for ETS?

ETS Needs to purchase the Enterprise Edition of HA Proxy 
(https://www.haproxy.com/products/haproxy-enterprise-edition/) so that we have 
support from the vendor and can maintain high availability in AWS. We will 
require two licenses: one for PROD and one for non-PROD – quantities subject to 
change.

Thank you.

Austin Getz | SHI International Corp |Inside Account Manager | 
austin_g...@shi.com | www.shi.com
Office:732-868-8910 | Fax: 732-868-8911
Innovative Solutions. World Class Support.



This message has originated from an External Source. Please use proper judgment 
and caution when opening attachments, clicking links, or responding to this 
email.



Tom,

ETS Needs to purchase the Enterprise Edition of HA Proxy 
(https://www.haproxy.com/products/haproxy-enterprise-edition/) so that we have 
support from the vendor and can maintain high availability in AWS. We will 
require two licenses: one for PROD and one for non-PROD – quantities subject to 
change.

Do you work with HAProxy?

Regards,

Glenn




This e-mail and any files transmitted with it may contain privileged or 
confidential information. It is solely for use by the individual for whom it is 
intended, even if addressed incorrectly. If you received this e-mail in error, 
please notify the sender; do not disclose, copy, distribute, or take any action 
in reliance on the contents of this information; and delete it from your 
system. Any other use of this e-mail is prohibited.


Thank you for your compliance.




Re: FW: LUA and doing things

2018-09-24 Thread Arnall

Hello,

Le 24/09/2018 à 12:29, Franks Andy (IT Technical Architecture Manager) a 
écrit :


Sorry to be a nag, but anyone any ideas with this. Or is it just 
indicated to regularly parse log files (seems a bit of a hacky solution).


Thanks!

*From:*Franks Andy (IT Technical Architecture Manager) 
[mailto:andy.fra...@sath.nhs.uk]

*Sent:* 21 September 2018 13:20
*To:* haproxy@formilux.org
*Subject:* LUA and doing things

Hi all,

  Just hopefully a really quick question.. I would like to use LUA to, 
on connection use of a specific backend service, do something (like 
write an entry to a log file for example). I realise the example here 
is possibly locking etc but I’m not too worried at this point about that.


LUA seems, with my basic knowledge, to expect to do something to the 
traffic – for example I have this :


frontend test_84
  bind 0.0.0.0:84
  mode http
  default_backend bk_test_84

backend bk_test_84
  mode http
  stick on src table connections_test_84
  server localhost 127.0.0.1:80

I have a working lua script to do something like core.Alert(“hello 
world”).


The thing I would like to do is run this script without any effect on 
traffic – if I try and use ‘http-request’ or ‘stick on’ or similar 
keywords which can use lua scripts, they want me to program in some 
action that decides what criteria to stick on or what to do with that 
http-request. I just want something to “fire” and do nothing but run 
the lua script and carry on. Can I do it?


Please forgive my noobiness.

Thanks

Andy

I think you can find useful documentation here : 
https://www.arpalert.org/haproxy-lua.html


concepts, API documentation ...

For your purpose why don't you just use :

backend bk_test_84
  mode http
  stick on src table connections_test_84
  http-request lua.myfunction
  server localhost 127.0.0.1:80

and in your lua file :

function myfunction(txn)
  -- do what you want
end

core.register_action("myfunction", { "http-req" }, myfunction)

You have an example here : 
https://www.arpalert.org/src/haproxy-lua-api/1.7/index.html


core.register_action("hello-world", { "tcp-req", "http-req" }, function(txn)
   txn:Info("Hello world")
end)

with

frontend http_frt
  mode http
  http-request lua.hello-world



FW: LUA and doing things

2018-09-24 Thread Franks Andy (IT Technical Architecture Manager)
Sorry to be a nag, but anyone any ideas with this. Or is it just indicated to 
regularly parse log files (seems a bit of a hacky solution).
Thanks!


From: Franks Andy (IT Technical Architecture Manager) 
[mailto:andy.fra...@sath.nhs.uk]
Sent: 21 September 2018 13:20
To: haproxy@formilux.org
Subject: LUA and doing things

Hi all,
  Just hopefully a really quick question.. I would like to use LUA to, on 
connection use of a specific backend service, do something (like write an entry 
to a log file for example). I realise the example here is possibly locking etc 
but I'm not too worried at this point about that.
LUA seems, with my basic knowledge, to expect to do something to the traffic - 
for example I have this :

frontend test_84
  bind 0.0.0.0:84
  mode http
  default_backend bk_test_84

backend bk_test_84
  mode http
  stick on src table connections_test_84
  server localhost 127.0.0.1:80

I have a working lua script to do something like core.Alert("hello world").
The thing I would like to do is run this script without any effect on traffic - 
if I try and use 'http-request' or 'stick on' or similar keywords which can use 
lua scripts, they want me to program in some action that decides what criteria 
to stick on or what to do with that http-request. I just want something to 
"fire" and do nothing but run the lua script and carry on. Can I do it?
Please forgive my noobiness.

Thanks
Andy


FW: Bug report: custom errorfile configuration does not work (BUT IT ACTUALLY DOES, SORRY)

2018-08-19 Thread Master Yeti
You may consider my previous e-mail as not sent.

A local `curl` request on the VPS did actually return the custom error message.
Problem is still not resolved, but it must have to do with some other proxy 
that caches the data, which probably has nothing to do with haproxy in this 
case.

Have a good one.


Van: Master Yeti 
Verzonden: zondag 19 augustus 2018 18:38
Aan: haproxy@formilux.org
Onderwerp: Bug report: custom errorfile configuration does not work

Configuration file at /etc/haproxy/haproxy.cfg:
global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon
    stats socket /var/lib/haproxy/stats

defaults
    errorfile 503 /usr/share/haproxy/503.http
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000

frontend nonsecure_entry *:80
    redirect scheme https

frontend secure_entry *:443
    default_backend myapp

backend myapp
    errorfile 503 /usr/share/haproxy/503.http
    balance roundrobin
    server myapp1 127.0.0.1:8080 check

The configuration file is pretty much left to default, as you can see. The 
important lines are the ones defining the errorfile 503.

I have edited the /usr/share/haproxy/503.http to a custom HTML page:
HTTP/1.0 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html



503 Error
This custom error-page is not displayed :(


Please note that I did use CRLF instead of just LF to comply with the HTTP 
protocol.

However, the result is that this custom 503 errorfile is never used by HAProxy. 
Neither is there an error displayed that something went wrong.

I know it is not an issue in my setup, because I disabled the HAProxy service, 
and then there was no error-page at all (browser timeout).
And I also verified that the given configuration file was actually used.
I also made sure that the 503.http is readable and owned by haproxy:haproxy 
(verified with su haproxy -s /bin/bash followed by cat 
/usr/share/haproxy/503.http which displayed the file).

The version I am using:
haproxy -v
HA-Proxy version 1.5.18 2016/05/10
Copyright 2000-2016 Willy Tarreau 

What is very peculiar, is that there is no warning/error message in the server 
output. As you can see, I just restarted it again, and everything seems normal:
 haproxy.service - HAProxy Load Balancer
   Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; vendor 
preset: disabled)
   Active: active (running) since Sun 2018-08-19 18:32:00 CEST; 2s ago
 Main PID: 7136 (haproxy-systemd)
   CGroup: /system.slice/haproxy.service
   7136 /usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg 
-p /run/haproxy.pid
   7137 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p 
/run/haproxy.pid -Ds
   7138 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p 
/run/haproxy.pid -Ds

Aug 19 18:32:00 MASKED systemd[1]: Started HAProxy Load Balancer.
Aug 19 18:32:00 MASKED systemd[1]: Starting HAProxy Load Balancer...
Aug 19 18:32:00 MASKED haproxy-systemd-wrapper[7136]: haproxy-systemd-wrapper: 
executing /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds

I've looked into the source code on your github page, and I see that the 503 I 
am getting is precisely the output from the source code in proto_http.c, which 
is:
[HTTP_ERR_503] =
"HTTP/1.0 503 Service Unavailable\r\n"
"Cache-Control: no-cache\r\n"
"Connection: close\r\n"
"Content-Type: text/html\r\n"
"\r\n"
"503 Service Unavailable\nNo server is available to handle 
this request.\n\n",

Additionally I verified that there was no caching going on, this was an actual 
response from haproxy. Therefore, the resulting observation is that haproxy is 
effectively ignoring the errorfile definition in the configuration file - 
without warning or error.


Best regards, Yeti;


FW: Need Help!

2018-06-26 Thread Ray Jender



-Original Message-
From: Ray Jender [mailto:rayjen...@gmail.com] 
Sent: Tuesday, June 26, 2018 9:34 AM
To: 'Jonathan Matthews' 
Subject: RE: Need Help!

Thanks for the response Jonathan,

Could you explain how I can set up the 4 front-ends?  I am confused on how the 
routing would look?
How HAproxy would evaluate the incoming rtmp?

Thanks,

Ray

-Original Message-
From: jonat...@jpluscplusm.com [mailto:jonat...@jpluscplusm.com] On Behalf Of 
Jonathan Matthews
Sent: Tuesday, June 26, 2018 5:56 AM
To: haproxy 
Cc: rayjen...@gmail.com
Subject: Re: Need Help!

You may not have had many replies as your email was marked as spam.
You might want to address this by, amongst other things, using plain text and 
not HTML.

On 24 June 2018 at 18:32, Ray Jender  wrote:
> I am sending rtmp from OBS with the streaming set to  rtmp://”HAproxy 
> server
> IP”:1935/LPC1

> frontend rtmp-in
> mode tcp
> acl url_LPCX path_beg -i /LPC1/
> use_backend LPC1-backend if url_LPCX

> And here is the log after restarting HAproxy with mode=http:
> And here is the log after restarting HAproxy with mode=tcp:

You can't usefully use HTTP mode, as the traffic isn't HTTP.

Haproxy doesn't speak RTMP so, in TCP mode, haproxy doesn't know how to extract 
path information (or anything protocol-specific) from the traffic.

It can't evaluate the ACL "url_LPCX", so you can't select a backend based on it.

Your best option is to have 4 frontends (or listeners) on 4 different ports, 
and route using that information.

Jonathan




Re: FW: https status codes

2017-07-26 Thread Aleksandar Lazic
Hi Andy.

Franks Andy (IT Technical Architecture Manager) wrote on 26.07.2017:


> -Original Message-
> From: Franks Andy (IT Technical Architecture Manager) 
> Sent: 26 July 2017 13:52
> To: 'Aleksandar Lazic'
> Subject: RE: https status codes

> Thanks Alexander.
> I'd imagine that
>
> option httpchk GET /Login/Heartbeat HTTP/1.1\r\nHost:\ rsh-cp-iis1
>
> presents the same rsh-cp-iis1 to both the iis1 and iis2 server? It
> seems to work like this with the way I got it working, i.e. option
> httpchk GET https://rsh-cp-iis1/Login/Heartbeat, but I would need
> rsh-cp-iis1 "name" to be presented to that server, and iis2 to the
> iis2 server and so on, could be an eventual list of quite a few backends.

If I understand you right, you want to do something like this.

pseudo code:

for host in iis1 iis2 ... iisN do
  check GET /Login/Heartbeat HTTP/1.1\r\nHost:\ $host

I don't know if this is possible with Lua; with 'normal' haproxy I don't 
think this is possible.

But should the vhost not be the same on all servers?

> I'll have a look at the resolver you suggested though..
> Thanks again
> Andy

> -Original Message-
> From: Aleksandar Lazic [mailto:al-hapr...@none.at] 
> Sent: 26 July 2017 12:00
> To: Franks Andy (IT Technical Architecture Manager)
> Cc: haproxy@formilux.org
> Subject: Re: https status codes

> Hi Andy,

> Franks Andy (IT Technical Architecture Manager) wrote on 26.07.2017:

>> Hi all,
>>
>> HAProxy 1.7.6
>>  
>>   I have a hopefully easy question to answer - I'm trying to do server 
>> checks against 2x IIS nodes which require sending of the destination 
>> host name (virtual hosts) before delivering content. I'm trying to 
>> work out how to send the backend  server name with the check request. 
>> At the moment the IIS server
>>
>> isn't seeing the name, rather an IP address as far as I can tell, and 
>> responding with a 404.
>>  
>> This is the config
>>  
>>backend bk_web_ssl
>>   mode http
>>   option httplog
>>   option httpchk GET https://rsh-cp-iis1/Login/Heartbeat

> As described in the doc you just need to add the host header.

> http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4-option%20httpchk

> option httpchk GET /Login/Heartbeat HTTP/1.1\r\nHost:\ rsh-cp-iis1


>>   http-check expect rstatus 200
>>   balance roundrobin
>>   stick on src table connections
>>   cookie SERVERID insert nocache indirect
>>   server RSH-CP-IIS1 192.168.176.175:443 cookie 1 check ssl
>>   server RSH-CP-IIS2 192.168.176.176:443 cookie 2 check ssl
>>  
>>  
>> I can sort of get it to work on one of the two by including that 
>> servers name in the option httpchk line as seen:
>>  
>>   option httpchk GET https://rsh-cp-iis1/Login/Heartbeat
>>  
>> .. but would rather just do option httpchk GET /Login/Heartbeat
>>  
>> ..And something like 
>>   server RSH-CP-IIS1 RSH-CP-IIS1:443 cookie 1 check ssl
>>   server RSH-CP-IIS2 RSH-CP-IIS2:443 cookie 2 check ssl

> When you want to use names you will need to add a resolver in 1.7.

> http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.3
>   
>> Is there some keyword I'm missing somewhere or a better way of doing this?
>>  
>> Thanks
>> Andy

-- 
Best Regards
Aleks




FW: https status codes

2017-07-26 Thread Franks Andy (IT Technical Architecture Manager)


-Original Message-
From: Franks Andy (IT Technical Architecture Manager) 
Sent: 26 July 2017 13:52
To: 'Aleksandar Lazic'
Subject: RE: https status codes

Thanks Alexander.
I'd imagine that 
option httpchk GET /Login/Heartbeat HTTP/1.1\r\nHost:\ rsh-cp-iis1
presents the same rsh-cp-iis1 to both the iis1 and iis2 server? It seems to 
work like this with the way I got it working, i.e. option httpchk GET 
https://rsh-cp-iis1/Login/Heartbeat, but I would need rsh-cp-iis1 "name" to be 
presented to that server, and iis2 to the iis2 server and so on, could be an 
eventual list of quite a few backends.

I'll have a look at the resolver you suggested though..
Thanks again
Andy

-Original Message-
From: Aleksandar Lazic [mailto:al-hapr...@none.at] 
Sent: 26 July 2017 12:00
To: Franks Andy (IT Technical Architecture Manager)
Cc: haproxy@formilux.org
Subject: Re: https status codes

Hi Andy,

Franks Andy (IT Technical Architecture Manager) wrote on 26.07.2017:

> Hi all,
>
> HAProxy 1.7.6
>  
>   I have a hopefully easy question to answer - I'm trying to do server 
> checks against 2x IIS nodes which require sending of the destination 
> host name (virtual hosts) before delivering content. I'm trying to 
> work out how to send the backend  server name with the check request. 
> At the moment the IIS server
>
> isn't seeing the name, rather an IP address as far as I can tell, and 
> responding with a 404.
>  
> This is the config
>  
>backend bk_web_ssl
>   mode http
>   option httplog
>   option httpchk GET https://rsh-cp-iis1/Login/Heartbeat

As described in the doc you just need to add the host header.

http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4-option%20httpchk

option httpchk GET /Login/Heartbeat HTTP/1.1\r\nHost:\ rsh-cp-iis1


>   http-check expect rstatus 200
>   balance roundrobin
>   stick on src table connections
>   cookie SERVERID insert nocache indirect
>   server RSH-CP-IIS1 192.168.176.175:443 cookie 1 check ssl
>   server RSH-CP-IIS2 192.168.176.176:443 cookie 2 check ssl
>  
>  
> I can sort of get it to work on one of the two by including that 
> servers name in the option httpchk line as seen:
>  
>   option httpchk GET https://rsh-cp-iis1/Login/Heartbeat
>  
> .. but would rather just do option httpchk GET /Login/Heartbeat
>  
> ..And something like 
>   server RSH-CP-IIS1 RSH-CP-IIS1:443 cookie 1 check ssl
>   server RSH-CP-IIS2 RSH-CP-IIS2:443 cookie 2 check ssl

When you want to use names you will need to add a resolver in 1.7.

http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.3
  
> Is there some keyword I'm missing somewhere or a better way of doing this?
>  
> Thanks
> Andy

--
Best Regards
Aleks




FW: haproxy log

2015-12-14 Thread Cohen Galit
Hello!

Can you examine the logger below?
I'm afraid I have a configuration problem in haproxy config, maybe in one of 
the timeout limits.
These lines are printed only after load tests are starting to fail over tcp 
against 5 imap servers round robin.

We are load testing more than 1M create sockets.

Here is the configuration:

global
    log 127.0.0.1  local0 debug  #emerg  alert  crit   err    warning notice info  debug
    maxconn 90096
    tune.ssl.default-dh-param 2048
    uid 55301
    gid 55301

defaults
    log     global
    mode    tcp
    option tcplog
    option dontlognull
    retries 3
    maxconn 90096
    timeout client 60
    timeout server 6
    timeout connect 5000

listen HAProxy_VVM
    log global
    option tcplog
    mode tcp
    bind :50143 name VVM_PLAIN
    bind :50443 name VVM_SSL
    #bind :50993 name VVM_TLS
    balance roundrobin
    #option tcp-check
    #tcp-check connect port 50443 ssl  # USED FOR MIST VVM HEALTH CHECK. DO NOT COMMENT OR CHANGE THIS LINE.
    #tcp-check expect string *\ OK
    maxconn 90096
    timeout client 60
    timeout server 12
    timeout connect 5000
    #server mips 10.45.92.35 check verify none inter 3
    server cas-au53 10.106.75.53 check verify none inter 3
    server cas-au61 10.106.75.61 check verify none inter 3
    server cas-au62 10.106.75.62 check verify none inter 3
    server cas-au63 10.106.75.63 check verify none inter 3
    server cas-au132 10.106.138.132 check verify none inter 3



Thanks,
Galit

From: Kuterman Itzik
Sent: Sunday, December 13, 2015 12:09 PM
To: Cohen Galit
Subject: haproxy log?


Dec 13 10:55:15 localhost.localdomain haproxy[11803]: 10.106.161.146:34747 
[13/Dec/2015:10:55:05.698] HAProxy_VVM HAProxy_VVM/cas-au53 1/0/ 966 -- 
447/447/447/88/0 0/0
Dec 13 10:55:15 localhost.localdomain haproxy[11803]: 10.106.161.163:63043 
[13/Dec/2015:10:55:05.751] HAProxy_VVM HAProxy_VVM/cas-au63 1/0/ 966 -- 
445/445/445/89/0 0/0
Dec 13 10:55:15 localhost.localdomain haproxy[11803]: 10.106.161.163:63043 
[13/Dec/2015:10:55:05.751] HAProxy_VVM HAProxy_VVM/cas-au63 1/0/ 966 -- 
445/445/445/89/0 0/0
Dec 13 10:55:15 localhost.localdomain haproxy[11803]: 10.106.161.166:49649 
[13/Dec/2015:10:55:05.807] HAProxy_VVM HAProxy_VVM/cas-au53 1/0/10004 966 -- 
443/443/443/88/0 0/0
Dec 13 10:55:15 localhost.localdomain haproxy[11803]: 10.106.161.166:49649 
[13/Dec/2015:10:55:05.807] HAProxy_VVM HAProxy_VVM/cas-au53 1/0/10004 966 -- 
443/443/443/88/0 0/0
Dec 13 10:55:15 localhost.localdomain haproxy[11803]: 10.106.161.162:14719 
[13/Dec/2015:10:55:05.923] HAProxy_VVM HAProxy_VVM/cas-au61 1/0/9998 1239 -- 
442/442/442/88/0 0/0
Dec 13 10:55:15 localhost.localdomain haproxy[11803]: 10.106.161.162:14719 
[13/Dec/2015:10:55:05.923] HAProxy_VVM HAProxy_VVM/cas-au61 1/0/9998 1239 -- 
442/442/442/88/0 0/0
Dec 13 10:55:16 localhost.localdomain haproxy[11803]: 10.106.161.164:17564 
[13/Dec/2015:10:55:06.025] HAProxy_VVM HAProxy_VVM/cas-au63 1/0/ 1238 -- 
443/443/443/89/0 0/0
Dec 13 10:55:16 localhost.localdomain haproxy[11803]: 10.106.161.164:17564 
[13/Dec/2015:10:55:06.025] HAProxy_VVM HAProxy_VVM/cas-au63 1/0/ 1238 -- 
443/443/443/89/0 0/0
Dec 13 10:55:16 localhost.localdomain haproxy[11803]: 10.106.161.164:17565 
[13/Dec/2015:10:55:06.032] HAProxy_VVM HAProxy_VVM/cas-au132 1/0/ 1239 -- 
443/443/443/89/0 0/0


"This e-mail message may contain confidential, commercial or privileged 
information that constitutes proprietary information of Xura, Inc. or its 
subsidiaries. If you are not the intended recipient of this message, you are 
hereby notified that any review, use or distribution of this information is 
absolutely prohibited and we request that you delete all copies and contact us 
by e-mailing to: secur...@xura.com. Thank You."


Re: RE : FW: HAProxy

2015-10-11 Thread Willy Tarreau
On Mon, Oct 12, 2015 at 04:48:41AM +, Cédric Petter wrote:
> Thanks Willy and thanks Thierry Fournier too (He answers some days before and
> didn't get the time to test before)
> 
> It work like a charm now :-)

Great!

> It's weird but no blogs speaks about this. All blogs I found do redirect to
> 80 on backend. Or they use 443 but there is nothing in the config explained
> :-(

Well maybe that leaves an opportunity for you to post a blog article
somewhere. Also, please keep in mind that the documentation is supposed
to be used before blogs, although I admit it's a bit large now and I
understand why some people prefer to look for a blog post before reading
all the doc!

Regards,
Willy




RE : FW: HAProxy

2015-10-11 Thread Cédric Petter
Thanks Willy and thanks Thierry Fournier too (He answers some days before and 
didn't get the time to test before)

It work like a charm now :-)
It's weird but no blogs speaks about this. All blogs I found do redirect to 80 
on backend. Or they use 443 but there is nothing in the config explained :-(

So I really appreciate your help. 
It saves me some sleep hours :-)

Kind Regards

Cédric Petter
VP of Support & IT

BPA Solutions
Headquarters – Switzerland

Build Closer Relationships with SharePoint

p. +41 24 524 25 50
e. cedric.pet...@bpa-solutions.net


From: Willy Tarreau [w...@1wt.eu]
Sent: Saturday, 10 October 2015 08:12
To: Cédric Petter
Cc: haproxy@formilux.org
Subject: Re: FW: HAProxy

Hello Cédric,

On Tue, Oct 06, 2015 at 01:56:41PM +, Cédric Petter wrote:
> Hello
>
> First of all, if I need to explain in English, please tell me.

Yes the list is in english, but I understood your problem so I'll
put out a quick summary and will respond :-)

> I am stuck with HAProxy on a VM.
> I have a Debian 8.2 server with HAProxy 1.5.14.
> And "behind" it, I have 2 Windows servers with IIS 8.5 & SharePoint 2013.
>
> It works fine over HTTP, but not over HTTPS.
> With HTTPS I get 503 & 504 errors alternately.
> If anyone has an idea, that would be great.

In short Cedric faces an issue where he gets errors 503/504 on haproxy
when passing HTTPS requests to IIS but that's OK with HTTP.

Cedric, the problem is that you are connecting to port 443 in clear
because you didn't specify "ssl" on the server lines :

   backend www-backend-https
 server www-1 192.168.1.2:443 check
 server www-2 192.168.1.3:443 check

Just add "ssl" at the end of the line and it will work better. You'll
get a warning upon startup that you need to add "ssl-verify-none" or
to put a CA file. If haproxy and the servers are on the same local
network and you consider this network to be safe, you can easily add
that option.

Additionally, maybe you don't even need to pass again via port 443
and you can pass everything to port 80 ? That can make a simpler
config and avoid to re-encrypt+decrypt.

Last, since you're on haproxy 1.5, if you're observing important
CPU usage when using SSL, you can enable HTTP keep-alive to the
servers by removing this line :

   option http-server-close

It will use more memory by maintaining more connections though.

Regards,
Willy




Re: FW: HAProxy

2015-10-10 Thread Willy Tarreau
Hello Cédric,

On Tue, Oct 06, 2015 at 01:56:41PM +, Cédric Petter wrote:
> Hello
> 
> First of all, if I need to explain in English, please tell me.

Yes the list is in english, but I understood your problem so I'll
put out a quick summary and will respond :-)

> I am stuck with HAProxy on a VM.
> I have a Debian 8.2 server with HAProxy 1.5.14.
> And "behind" it, I have 2 Windows servers with IIS 8.5 & SharePoint 2013.
> 
> It works fine over HTTP, but not over HTTPS.
> With HTTPS I get 503 & 504 errors alternately.
> If anyone has an idea, that would be great.

In short Cedric faces an issue where he gets errors 503/504 on haproxy
when passing HTTPS requests to IIS but that's OK with HTTP.

Cedric, the problem is that you are connecting to port 443 in clear
because you didn't specify "ssl" on the server lines :

   backend www-backend-https
 server www-1 192.168.1.2:443 check
 server www-2 192.168.1.3:443 check

Just add "ssl" at the end of the line and it will work better. You'll
get a warning upon startup that you need to add "ssl-verify-none" or
to put a CA file. If haproxy and the servers are on the same local
network and you consider this network to be safe, you can easily add
that option.

Additionally, maybe you don't even need to pass again via port 443
and you can pass everything to port 80 ? That can make a simpler
config and avoid to re-encrypt+decrypt.

Last, since you're on haproxy 1.5, if you're observing important
CPU usage when using SSL, you can enable HTTP keep-alive to the
servers by removing this line :

   option http-server-close

It will use more memory by maintaining more connections though.

Regards,
Willy
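
The backend fix described above, with the unauthenticated and authenticated variants side by side, as an added example that is not part of the original thread. On a server line the setting is written `verify none`; the CA file path and the `verifyhost` name are assumptions.

```haproxy
# Added example, not from the thread.
backend www-backend-https
    # As posted: haproxy speaks cleartext HTTP to the servers' TLS port,
    # the cause identified in the reply for the 503/504 errors.
    #server www-1 192.168.1.2:443 check
    #server www-2 192.168.1.3:443 check

    # Weak variant: the hop is encrypted, but the server certificate is not
    # checked, so whatever answers on that address is accepted as the
    # backend. Only reasonable on a network you fully trust.
    #server www-1 192.168.1.2:443 check ssl verify none
    #server www-2 192.168.1.3:443 check ssl verify none

    # Hardened variant: the certificate chain must validate against the CA
    # that issued the IIS certificates, and, because the servers are
    # addressed by IP, verifyhost pins the name expected in the certificate.
    # Both the CA path and the host name are assumed values.
    server www-1 192.168.1.2:443 check ssl verify required ca-file /etc/haproxy/backend-ca.pem verifyhost sharepoint.example.internal
    server www-2 192.168.1.3:443 check ssl verify required ca-file /etc/haproxy/backend-ca.pem verifyhost sharepoint.example.internal
```

With `check` and `ssl` on the same server line the health checks also run over TLS, so a certificate that fails validation marks the server down instead of failing silently on live traffic.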




FW: HAProxy

2015-10-06 Thread Cédric Petter
Hello

First of all, if I need to explain in English, please tell me.

I am stuck with HAProxy on a VM.
I have a Debian 8.2 server with HAProxy 1.5.14.
And "behind" it, I have 2 Windows servers with IIS 8.5 & SharePoint 2013.

It works fine over HTTP, but not over HTTPS.
With HTTPS I get 503 & 504 errors alternately.
If anyone has an idea, that would be great.
Here is my config

global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    maxconn 2048
    tune.ssl.default-dh-param 2048
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode    http
    option forwardfor
    option http-server-close
    option  httplog
    option  dontlognull
    timeout connect 5000
    timeout client  5
    timeout server  5

frontend www-http
    bind *:80
    default_backend www-backend

frontend www-https
    bind *:443 ssl crt ./monfichier.pem
    default_backend www-backend-https

backend www-backend
    server www-1 192.168.1.2:80 check
    server www-2 192.168.1.3:80 check

backend www-backend-https
    server www-1 192.168.1.2:443 check
    server www-2 192.168.1.3:443 check

Cédric Petter
cedric.pet...@bpa-solutions.net 




Re: FW: SSL offloading in HAProxy

2015-07-17 Thread Baptiste
Hi,

SSL offloading in front of IMAPs (port 993) is supported.
If you try to do STARTTLS over IMAP, it is not supported.

Baptiste



On Wed, Jul 15, 2015 at 10:38 AM, Cohen Galit galit.co...@comverse.com wrote:
 Hello HAProxy team,



 I see that the SSL offloading for http protocol is already supported (
 http://blog.haproxy.com/2012/09/10/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
 )

 I would like to know if there is an option of SSL offloading for IMAP
 protocol.



 Thanks,

 Galit



 From: Avrahami David
 Sent: Wednesday, July 01, 2015 3:50 PM
 To: Cohen Galit
 Cc: Sabban Gili; Meltser Tiran
 Subject: SSL offloading in HAProxy



 Hi Galit,



 Can you please post the below question to HAProxy forum?



 I see that the SSL offloading for http protocol is already supported (
 http://blog.haproxy.com/2012/09/10/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
 )

 I would like to know if there is an option of SSL offloading for IMAP
 protocol.





 Best Regards,

 David Avrahami

 Security SE

 Tel: +972-3-6452374

 Mobile: +972-544382374

 Email: david.avrah...@comverse.com



 
 “This e-mail message may contain confidential, commercial or privileged
 information that constitutes proprietary information of Comverse Inc. or its
 subsidiaries. If you are not the intended recipient of this message, you are
 hereby notified that any review, use or distribution of this information is
 absolutely prohibited and we request that you delete all copies and contact
 us by e-mailing to: secur...@comverse.com. Thank You.”



FW: SSL offloading in HAProxy

2015-07-15 Thread Cohen Galit
Hello HAProxy team,

I see that the SSL offloading for http protocol is already supported ( 
http://blog.haproxy.com/2012/09/10/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
 )
I would like to know if there is an option of SSL offloading for IMAP protocol.

Thanks,
Galit

From: Avrahami David
Sent: Wednesday, July 01, 2015 3:50 PM
To: Cohen Galit
Cc: Sabban Gili; Meltser Tiran
Subject: SSL offloading in HAProxy

Hi Galit,

Can you please post the below question to HAProxy forum?

I see that the SSL offloading for http protocol is already supported ( 
http://blog.haproxy.com/2012/09/10/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
 )
I would like to know if there is an option of SSL offloading for IMAP protocol.


Best Regards,
David Avrahami
Security SE
Tel: +972-3-6452374
Mobile: +972-544382374
Email: david.avrah...@comverse.com


This e-mail message may contain confidential, commercial or privileged 
information that constitutes proprietary information of Comverse Inc. or its 
subsidiaries. If you are not the intended recipient of this message, you are 
hereby notified that any review, use or distribution of this information is 
absolutely prohibited and we request that you delete all copies and contact us 
by e-mailing to: secur...@comverse.com. Thank You.


FW: Choosing servers based on IP address

2015-06-02 Thread Franks Andy (IT Technical Architecture Manager)
I guess not then! I did see something about the newer version having
some lua based choice of server, but it may have nothing to do with what
I'm after.

Not to worry.

Thanks

Andy

 

From: Franks Andy (IT Technical Architecture Manager)
[mailto:andy.fra...@sath.nhs.uk] 
Sent: 02 June 2015 09:12
To: haproxy@formilux.org
Subject: Choosing servers based on IP address

 

Hi all,

  Quick question - can anyone think of a way to change a server's weight
based on some criteria, for example source IP address? It would be so
useful when dealing with a common service that has two distinct sites,
and rules in place that stop access to resources from the wrong site,
like Exchange (where you can't access your mailbox from the wrong
site-based CAS server).

I found a patch that does dynamic server weighting at a preset time for
all clients, but not a per-client weighting scheme.

If I can't do this, could I do it with LVS does anybody know?

Thanks

Andy



Re: FW: SSL OCSP Stapling

2014-02-28 Thread Julien Vehent
Firefox will most likely move to OCSP stapling only in the next 3 to 6 
months. Classic OCSP is too slow, and too error prone.


We've been working with Riverbed to deploy OCSP Stapling on Stingray 
(formerly Zeus) load balancer. They have a solid implementation that can 
be used as a reference. I'd love to see OCSP Stapling in HAProxy, 
because that's a big performance win, but I don't know how hard it would 
be to implement. However, I know a few people in the Firefox security 
team who would be happy to help with design  QA (myself included).


Here's a sample OCSP response from one of our sites:

$ openssl s_client -connect monitor.mozillalabs.com:443 -status

CONNECTED(0003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust, Inc., CN = GeoTrust SSL CA
verify return:1
depth=0 serialNumber = 8DZwltU1cw7OP-08XVgEwK/bh8Icw4zX, C = US, ST = 
California, L = Mountain View, O = Mozilla Corporation, OU = Mozilla 
Labs, CN = *.mozillalabs.com

verify return:1
OCSP response:
==
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = GeoTrust, Inc., CN = GeoTrust SSL 
OCSP-TGV Responder

Produced At: Feb 22 10:39:04 2014 GMT
Responses:
Certificate ID:
  Hash Algorithm: sha1
  Issuer Name Hash: 3F9B7E858F6044D7D54161744EEB6CEB808629D2
  Issuer Key Hash: 4279541B61CD552B3E63D53C4857F59FFB45CE4A
  Serial Number: 02567C
Cert Status: good
This Update: Feb 22 10:39:04 2014 GMT
Next Update: Mar  1 10:39:04 2014 GMT

Signature Algorithm: sha1WithRSAEncryption
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 148819 (0x24553)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA
Validity
Not Before: May 28 17:35:51 2013 GMT
Not After : May 27 17:35:51 2014 GMT
Subject: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL OCSP-TGV 
Responder

Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:

keyid:42:79:54:1B:61:CD:55:2B:3E:63:D5:3C:48:57:F5:9F:FB:45:CE:4A


OCSP No Check:

X509v3 Extended Key Usage:
OCSP Signing
X509v3 Key Usage: critical
Digital Signature
X509v3 Subject Alternative Name:
DirName:/CN=2048-TGV-333
Signature Algorithm: sha1WithRSAEncryption

Re: FW: HA PROXY _ Product

2013-03-08 Thread shouldbe q931
On Fri, Mar 8, 2013 at 7:19 AM, Shabbir shab...@amdtechserve.com wrote:

> Team HA PROXY,
>
> Kindly share the product & Support price of HA PROXY.
>
> Requesting for an early reply..
>
> Thanks & Best Regards
>
> Shabbir
> 9980552272
>
> A.M.D TECHNOLOGY SERVICES
> #3/1, S6, S.R COMPLEX
> KMARAJ ROAD
> BANGALORE 560042
> INDIA

a few seconds of using Google would lead you to http://haproxy.1wt.eu/#supp



FW: HA PROXY _ Product

2013-03-07 Thread Shabbir
 

Team HA PROXY,

Kindly share the product & Support price of HA PROXY.

Requesting for an early reply..

Thanks & Best Regards

Shabbir
9980552272

A.M.D TECHNOLOGY SERVICES
#3/1, S6, S.R COMPLEX
KMARAJ ROAD
BANGALORE 560042
INDIA



Fw: dfgdfh

2012-11-27 Thread fghdfhhf


2012-11-27



fghdfhhf



From: fghdfhhf
Sent: 2012-11-27 23:30
Subject: dfgdfh
To: fghdfhhffghdf...@yeah.net
Cc:



2012-11-27



fghdfhhffghdf...@yeah.netinline: sddfg(1).jpg

Re: FW: SSL OCSP Stapling

2012-11-07 Thread Alexandre Biancalana
On Tue, Nov 6, 2012 at 8:08 PM, Willy Tarreau w...@1wt.eu wrote:

> > I believe the official word at one point was that OCSP stapling of chains
> > should be accomplished by including the entire chain in the OCSP request,
> > delivering that compound OCSP response via the TLS Certificate Status Request
> > extension.
>
> And do you know how large this could be for average web sites ? Maybe
> there is a cross-over point where doing so has a more negative impact
> than letting the client check by itself ?

CloudFlare's announcement about OCSP (and a partnership with
GlobalSign) makes their https client sites 30% faster.

http://techcrunch.com/2012/11/01/cloudflare-globalsign-make-ssl-faster/



Re: FW: SSL OCSP Stapling

2012-11-07 Thread Karel Sedláček
On Tue, Nov 6, 2012 at 11:08 PM, Willy Tarreau w...@1wt.eu wrote:

> > I would say the periodic-request aspect of it is pretty trivial; you add a
> > timer to the event loop that expires in some configurable amount of time,
> > e.g. a bit before the last OCSP response expires, and you cache the result
> > until it expires or a more recent result overwrites it. Given that the
> > overhead of making a single OCSP request for the cert inside HAProxy is very
> > low, you can easily do this every few minutes with no perceivable overhead.
> > Obviously some logic re: failing requests and retrying has to be implemented,
> > which amounts to nothing more than a formulation for how much time to wait
> > until retrying again.
>
> I confirm that this part is clearly nothing.
>
> > The user should also be able to configure whether to
> > deliver an expired OCSP response or none at all in the case that an upstream
> > OCSP response cannot be received by the time the currently cached response
> > expires.
>
> That's one of the points of attention, I agree.
>
> > A single timer and single cache slot are used for each certificate chain. The
> > timer is reset with a new value when:
> > - a request fails; in this case we need
> >   to use our retry/backoff algorithm to decide how long to wait before
> >   retrying;
> > - a request succeeds; in this case we need to use our expires algorithm,
> >   which can be parameterized over the expiration time of the OCSP response, to
> >   decide how long to wait before trying to get a fresh response.
>
> Hmmm OK it's per certificate... Obviously in fact. So that probably means
> some funny mechanisms to connect to various places depending on the cert
> chain (eg: for those connecting via proxies, etc...).
>
> > One thing to keep in mind is that OCSP stapling in many libraries has (or
> > had, at one point) buggy or nonexistent support for OCSP payloads containing
> > multiple certificates,
>
> That's a very useful and interesting piece of information.
>
> > and a bit of research should be done prior to
> > implementation to discover the current state of the world in this regard.
>
> I agree!
>
> > I believe the official word at one point was that OCSP stapling of chains
> > should be accomplished by including the entire chain in the OCSP request,
> > delivering that compound OCSP response via the TLS Certificate Status Request
> > extension.
>
> And do you know how large this could be for average web sites ? Maybe
> there is a cross-over point where doing so has a more negative impact
> than letting the client check by itself ?

There might be such a point, but arguably one could let the user
decide when it is reached simply by enabling/disabling OCSP stapling.
Note also that it's pretty easy to imagine that each certificate could
have its own OCSP stapling options, which override whatever the
specified global defaults are. Running OCSP against a 3-cert chain, I
get a DER-encoded response that is 1866 bytes. In a typical
configuration this represents a negligible amount of caching and
bandwidth overhead.

> Thanks for your comments and suggestions!
> Willy
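
The refresh logic discussed in this thread (one cache slot and one timer per certificate chain, backoff after a failed fetch, an expiry-driven timer after a successful one, and the choice between serving an expired response or none) is modelled below in Python. This is an added example, not HAProxy code or code from the thread. The class and parameter names, the half-lifetime refresh point and the 60 s to 3600 s backoff are assumptions, and the timestamps are the This Update / Next Update values from the sample OCSP response quoted earlier on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class OcspResponse:
    der: bytes              # raw response bytes as they would be stapled
    this_update: datetime   # "This Update" field
    next_update: datetime   # "Next Update" field, i.e. the expiry


class StapleSlot:
    """One cache slot and one timer for one certificate chain (hypothetical names)."""

    def __init__(self, refresh_fraction=0.5, min_retry=60, max_retry=3600,
                 serve_expired=False):
        self.refresh_fraction = refresh_fraction      # refresh after this share of the lifetime
        self.min_retry = timedelta(seconds=min_retry)
        self.max_retry = timedelta(seconds=max_retry)
        self.serve_expired = serve_expired            # operator's choice once the cache expires
        self.cached: Optional[OcspResponse] = None
        self.failures = 0
        self.next_fetch: Optional[datetime] = None    # when the timer fires next

    def on_success(self, resp, now):
        """Responder answered: cache the response and arm the timer from its validity."""
        if not resp.this_update <= now < resp.next_update:
            return self.on_failure(now)               # stale or future-dated: unusable
        if self.cached is None or resp.this_update >= self.cached.this_update:
            self.cached = resp                        # a more recent result overwrites
        self.failures = 0
        lifetime = self.cached.next_update - self.cached.this_update
        due = self.cached.this_update + lifetime * self.refresh_fraction
        self.next_fetch = max(due, now + self.min_retry)
        return self.next_fetch

    def on_failure(self, now):
        """Fetch failed: exponential backoff, capped at max_retry."""
        self.failures += 1
        factor = 2 ** min(self.failures - 1, 16)      # bounded so the delay cannot overflow
        self.next_fetch = now + min(self.max_retry, self.min_retry * factor)
        return self.next_fetch

    def staple(self, now):
        """Bytes for the TLS Certificate Status extension, or None to send nothing."""
        if self.cached is None:
            return None
        if now < self.cached.next_update or self.serve_expired:
            return self.cached.der
        return None


def demo():
    utc = timezone.utc
    this_update = datetime(2014, 2, 22, 10, 39, 4, tzinfo=utc)   # from the sample response
    next_update = datetime(2014, 3, 1, 10, 39, 4, tzinfo=utc)
    slot = StapleSlot()
    resp = OcspResponse(b"constructed-der-bytes", this_update, next_update)
    refresh_at = slot.on_success(resp, this_update)
    retry1 = slot.on_failure(refresh_at)
    retry2 = slot.on_failure(retry1)
    return refresh_at, retry1 - refresh_at, retry2 - retry1, slot.staple(next_update)
```
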




FW: problem with haproxy reload

2012-06-06 Thread Senthil
 

Hi,

We faced with haproxy, we have a script which deletes the
frontend and backend entries of haproxy based on name and does a reload of
haproxy after haproxy file check is done.

In one such scenario after deleting the frontend and backend and reloading
we found that haproxy was in stop state

Below are the logs which shows the backend was started again during reload
but the frontends were not started and the same are shown in logs after
we manually restarted haproxy

Any feedback regarding this will be very useful.

Regards
Senthil


May 18 19:36:10 indya-lb haproxy[7375]: Stopping frontend ssl_frontend_1 in 0 ms.
May 18 19:36:10 indya-lb haproxy[7375]: Stopping backend ssl_frontend_1BACK in 0 ms.
May 18 19:36:10 indya-lb haproxy[7375]: Stopping frontend ssl_frontend_2 in 0 ms.
May 18 19:36:10 indya-lb haproxy[7375]: Stopping backend ssl_frontend_2BACK in 0 ms.
May 18 19:36:10 indya-lb haproxy[7375]: Stopping frontend Star in 0 ms.
May 18 19:36:10 indya-lb haproxy[7375]: Stopping backend StarBACK in 0 ms.
May 18 19:36:10 indya-lb haproxy[7375]: Stopping frontend Staging in 0 ms.
May 18 19:36:10 indya-lb haproxy[7375]: Stopping backend StagingBACK in 0 ms.
May 18 19:36:10 indya-lb haproxy[13147]: Proxy ssl_frontend_2BACK started.
May 18 19:36:10 indya-lb haproxy[13147]: Proxy StarBACK started.
May 18 19:36:10 indya-lb haproxy[13147]: Proxy StagingBACK started.
May 18 19:36:10 indya-lb haproxy[7375]: Proxy ssl_frontend_1 stopped (FE: 3886 conns, BE: 0 conns).
May 18 19:36:10 indya-lb haproxy[7375]: Proxy ssl_frontend_1BACK stopped (FE: 0 conns, BE: 3583 conns).
May 18 19:36:10 indya-lb haproxy[7375]: Proxy ssl_frontend_2 stopped (FE: 0 conns, BE: 0 conns).
May 18 19:36:10 indya-lb haproxy[7375]: Proxy ssl_frontend_2BACK stopped (FE: 0 conns, BE: 0 conns).
May 18 19:36:10 indya-lb haproxy[7375]: Proxy Star stopped (FE: 60927284 conns, BE: 0 conns).
May 18 19:36:10 indya-lb haproxy[7375]: Proxy StarBACK stopped (FE: 0 conns, BE: 59690087 conns).
May 18 19:36:10 indya-lb haproxy[7375]: Proxy Staging stopped (FE: 0 conns, BE: 0 conns).
May 18 19:36:10 indya-lb haproxy[7375]: Proxy StagingBACK stopped (FE: 0 conns, BE: 0 conns).
May 18 20:09:32 indya-lb haproxy[13204]: Proxy ssl_frontend_2 started.
May 18 20:09:32 indya-lb haproxy[13204]: Proxy ssl_frontend_2BACK started.
May 18 20:09:32 indya-lb haproxy[13204]: Proxy Star started.
May 18 20:09:32 indya-lb haproxy[13204]: Proxy StarBACK started.
May 18 20:09:32 indya-lb haproxy[13204]: Proxy Staging started.
May 18 20:09:32 indya-lb haproxy[13204]: Proxy StagingBACK started.

 

 

We are using the init script to reload haproxy (service haproxy reload)
in centos and the script is as follows

#!/bin/sh
#
# chkconfig: - 85 15
# description: HA-Proxy is a TCP/HTTP reverse proxy which is particularly suited \
#              for high availability environments.
# processname: haproxy
# config: /etc/haproxy.cfg
# pidfile: /var/run/haproxy.pid

# Source function library.
if [ -f /etc/init.d/functions ]; then
  . /etc/init.d/functions
elif [ -f /etc/rc.d/init.d/functions ] ; then
  . /etc/rc.d/init.d/functions
else
  exit 0
fi

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

[ -f /etc/haproxy.cfg ] || exit 1

RETVAL=0

start() {
  # Validate the configuration before starting.
  /usr/sbin/haproxy -c -q -f /etc/haproxy.cfg
  if [ $? -ne 0 ]; then
    echo "Errors found in configuration file."
    return 1
  fi

  echo -n "Starting HAproxy: "
  daemon /usr/sbin/haproxy -D -f /etc/haproxy.cfg -p /var/run/haproxy.pid
  RETVAL=$?
  echo
  [ $RETVAL -eq 0 ] && touch /var/lock/subsys/haproxy
  return $RETVAL
}

stop() {
  echo -n "Shutting down HAproxy: "
  killproc haproxy -USR1
  RETVAL=$?
  echo
  [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/haproxy
  [ $RETVAL -eq 0 ] && rm -f /var/run/haproxy.pid
  return $RETVAL
}

restart() {
  # Refuse to stop the running process if the new configuration is invalid.
  /usr/sbin/haproxy -c -q -f /etc/haproxy.cfg
  if [ $? -ne 0 ]; then
    echo "Errors found in configuration file, check it with 'haproxy check'."
    return 1
  fi
  stop
  start
}

check() {
  /usr/sbin/haproxy -c -q -V -f /etc/haproxy.cfg
}

rhstatus() {
  status haproxy
}

condrestart() {
  [ -e /var/lock/subsys/haproxy ] && restart || :
}


Re: FW: problem with haproxy reload

2012-06-06 Thread Carlo Flores
It's totally dirty, but we have our wrapper check for such exceptions, then
force a listener if an haproxy listener doesn't exist after a
reload/restart to the existing (now dead) haproxy process. I've grown to
not fret about such dirty when running haproxy dev branch, but ymmv.

https://github.com/flores/haproxyctl

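
A post-reload check in the spirit of the wrapper described in this reply can also be run over the syslog output: group the "started" lines by process ID and flag any new process that brought up backends but no frontend. This is an added Python example, not code from haproxyctl or from the thread. The function name is hypothetical, the log lines are taken from the report above with wrapped lines rejoined, and the proxy type is learned from the "Stopping frontend/backend" lines because the "Proxy X started." lines do not carry it.

```python
import re

# Log lines from the report above (wrapped lines rejoined, "stopped" lines omitted).
SAMPLE_LOG = """\
May 18 19:36:10 indya-lb haproxy[7375]: Stopping frontend ssl_frontend_1 in 0 ms.
May 18 19:36:10 indya-lb haproxy[7375]: Stopping backend ssl_frontend_1BACK in 0 ms.
May 18 19:36:10 indya-lb haproxy[7375]: Stopping frontend ssl_frontend_2 in 0 ms.
May 18 19:36:10 indya-lb haproxy[7375]: Stopping backend ssl_frontend_2BACK in 0 ms.
May 18 19:36:10 indya-lb haproxy[7375]: Stopping frontend Star in 0 ms.
May 18 19:36:10 indya-lb haproxy[7375]: Stopping backend StarBACK in 0 ms.
May 18 19:36:10 indya-lb haproxy[7375]: Stopping frontend Staging in 0 ms.
May 18 19:36:10 indya-lb haproxy[7375]: Stopping backend StagingBACK in 0 ms.
May 18 19:36:10 indya-lb haproxy[13147]: Proxy ssl_frontend_2BACK started.
May 18 19:36:10 indya-lb haproxy[13147]: Proxy StarBACK started.
May 18 19:36:10 indya-lb haproxy[13147]: Proxy StagingBACK started.
May 18 20:09:32 indya-lb haproxy[13204]: Proxy ssl_frontend_2 started.
May 18 20:09:32 indya-lb haproxy[13204]: Proxy ssl_frontend_2BACK started.
May 18 20:09:32 indya-lb haproxy[13204]: Proxy Star started.
May 18 20:09:32 indya-lb haproxy[13204]: Proxy StarBACK started.
May 18 20:09:32 indya-lb haproxy[13204]: Proxy Staging started.
May 18 20:09:32 indya-lb haproxy[13204]: Proxy StagingBACK started.
"""

STOPPING = re.compile(r"haproxy\[(\d+)\]: Stopping (frontend|backend) (\S+) in")
STARTED = re.compile(r"haproxy\[(\d+)\]: Proxy (\S+) started\.")


def audit_reloads(log_text):
    """Return one record per haproxy process that logged 'started' lines."""
    kinds = {}     # proxy name -> "frontend" or "backend", from Stopping lines
    started = {}   # pid -> proxy names it started, in log order
    for line in log_text.splitlines():
        m = STOPPING.search(line)
        if m:
            kinds[m.group(3)] = m.group(2)
            continue
        m = STARTED.search(line)
        if m:
            started.setdefault(int(m.group(1)), []).append(m.group(2))

    known_frontends = {name for name, kind in kinds.items() if kind == "frontend"}
    report = []
    for pid, names in started.items():
        frontends = [n for n in names if n in known_frontends]
        report.append({
            "pid": pid,
            "frontends": frontends,
            "backends": [n for n in names if kinds.get(n) == "backend"],
            # Includes proxies removed from the config on purpose, so this list
            # alone is not an alarm; an empty "frontends" list is.
            "missing_frontends": sorted(known_frontends - set(names)),
            "no_listener": not frontends,
        })
    return report
```

On the sample, process 13147 is flagged with `no_listener` set while 13204, the manual restart, lists `ssl_frontend_1` as the only missing frontend, which matches the entry the script had deleted.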

FW: haproxy conditional healthchecks/failover

2012-05-29 Thread Zulu Chas

am I wildly off course or is this config salvageable?

> > Hi!
> >
> > I'm trying to use HAproxy to support the concepts of offline, in
> > maintenance mode, and not working servers.
>
> Any good reason to do that???
> (I'm a bit curious)

Sure.  I want to be able to mark a machine offline by creating a file (as
opposed to marking it online by creating a file), which is why I can't use
disable-on-404 below.  This covers situations where I need to take a machine
out of public-facing operation for some reason, but perhaps I still want it to
be able to render pages etc -- maybe I'm testing a code deployment once it's
already deployed in order to verify the system is ready to be marked online.

I also want to be able to mark a machine down for maintenance by creating a
file, maintenance.html, which apache will nicely rewrite URLs to etc. during
critical deployment phases or when performing other maintenance.  In this case,
I don't want it to render pages (usually to replace otherwise nasty-looking 500
error pages with a nice html facade).

For normal operations, I want the machine to be up.  But if it's not
intentionally placed offline or in maintenance and the machines fail
heartbeat checks, then the machine is not working and should not be served
requests.

Does this make sense?

> > I have separate health checks
> > for each condition and I have been trying to use ACLs to be able to switch
> > between backends.  In addition to the fact that this doesn't seem to work,
> > I'm also not loving having to repeat the server lists (which are the same)
> > for each backend.
>
> Nothing weird here, this is how HAProxy configuration works.

Cool, but variables would be nice to save time and avoid potential
inconsistencies between sections.

> > -- I think it's more like if any of
> > these succeed, mark this server online -- and that's what's making this
> > scenario complex.
>
> euh I might be misunderstanding something.
> There is nothing more simple than if the health check is successful,
> then the server is considered healthy...

Since it's not strictly binary, as described above, it's a bit more complex.

> > frontend staging 0.0.0.0:8080
> >   # if the number of servers *not marked offline* is *less than the total
> >   # number of app servers* (in this case, 2), then it is considered degraded
> >   acl degraded nbsrv(only_online) lt 2
>
> This will match 0 and 1
>
> >   # if the number of servers *not marked offline* is *less than one*, the
> >   # site is considered down
> >   acl down nbsrv(only_online) lt 1
>
> This will match 0, so you're both down and degraded ACL covers the
> same value (0).
> Which may lead to an issue later
>
> >   # if the number of servers without the maintenance page is *less than the
> >   # total number of app servers* (in this case, 2), then it is
> >   # considered maintenance mode
> >   acl mx_mode nbsrv(maintenance) lt 2
> >
> >   # if the number of servers without the maintenance page is less than 1,
> >   # we're down because everything is in maintenance mode
> >   acl down_mx nbsrv(maintenance) lt 1
>
> Same remark as above.
>
> >   # if not running at full potential, use the backend that identified the
> >   # degraded state
> >   use_backend only_online if degraded
> >   use_backend maintenance if mx_mode
> >
> >   # if we are down for any reason, use the backend that identified that fact
> >   use_backend backup_only if down
> >   use_backend backup_only if down_mx
>
> Here is the problem (see above).
> The 2 use_backend above will NEVER match, because the degraded and
> mx_mode ACL overlaps their values!

Why would they never match?  Aren't you saying they *both* should match and
wouldn't it then take action on the final match and switch the backend to
maintenance mode?  That's what I want.  Maintenance mode overrides offline mode
as a failsafe (since it's more restrictive) to prevent page rendering.

> Do you know the disable-on-404 option?
> it may help you make your configuration in the right way (not
> considering a 404 as a healthy response).

Yes, but what I actually would need is enable-on-404 :)

Thanks for your feedback!  I'm definitely open to other options, but I'm hoping
to not have to lose the flexibility described above!

-chaz
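
The rule-ordering question in this exchange can be checked by enumeration. HAProxy applies the first `use_backend` rule whose condition is true and ignores the later ones, so the model below walks every combination of `nbsrv()` values for the posted ACLs and records which backend is chosen. This is an added Python example, not code from the thread. The evaluator, the `default` placeholder and the reordered rule list are assumptions made for illustration, and the reordering is only one possible arrangement, not the poster's.

```python
from itertools import product

APP_SERVERS = 2  # total number of app servers, as stated in the posted config

# ACLs from the posted frontend, as predicates over the nbsrv() counts.
ACLS = {
    "degraded": lambda n: n["only_online"] < 2,
    "down":     lambda n: n["only_online"] < 1,
    "mx_mode":  lambda n: n["maintenance"] < 2,
    "down_mx":  lambda n: n["maintenance"] < 1,
}

# (backend, acl) pairs in the order they appear in the post.
POSTED_RULES = [
    ("only_online", "degraded"),
    ("maintenance", "mx_mode"),
    ("backup_only", "down"),
    ("backup_only", "down_mx"),
]

# Hypothetical reordering: the narrower "down" conditions are tested first.
REORDERED_RULES = [
    ("backup_only", "down"),
    ("backup_only", "down_mx"),
    ("only_online", "degraded"),
    ("maintenance", "mx_mode"),
]


def pick_backend(rules, nbsrv, default="default"):
    """First matching use_backend rule wins; later rules are not consulted."""
    for backend, acl in rules:
        if ACLS[acl](nbsrv):
            return backend
    return default  # placeholder for the frontend's default_backend


def selection_table(rules):
    """Map (nbsrv(only_online), nbsrv(maintenance)) to the chosen backend."""
    table = {}
    for online, mx in product(range(APP_SERVERS + 1), repeat=2):
        counts = {"only_online": online, "maintenance": mx}
        table[(online, mx)] = pick_backend(rules, counts)
    return table


def unreachable_backends(rules):
    """Backends named in the rules that no combination of counts ever selects."""
    chosen = set(selection_table(rules).values())
    return sorted({backend for backend, _ in rules} - chosen)
```

With the posted order, `unreachable_backends(POSTED_RULES)` returns `['backup_only']`: when `nbsrv(only_online)` is 0 the `degraded` rule has already sent the request to `only_online`, a backend with no usable servers.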

  

Re: FW: haproxy conditional healthchecks/failover

2012-05-29 Thread Willy Tarreau
On Tue, May 29, 2012 at 08:32:29PM +, Zulu Chas wrote:

> am I wildly off course or is this config salvageable?

To be honest, your mail with overly long lines (half a kilobyte) is painful
to read, and once I made the effort of reading it, I didn't understand why
you're trying to cross-dress something which already exists and works.

The disable-on-404 is made to permit enabling/disabling a server by a simple
touch or rm. It appears that you want to exactly swap these two commands,
it really makes no sense to me to modify haproxy to support such a swap in a
script.

Another reason for disabling on 404 is that it will not accidentally enable a
server which was started from an unmounted docroot file system. With your
method, it would still start it.

Also, the suggested way of dealing with very specific health checks is to
write a CGI or servlet to handle the various situations. Most people are
already doing this, and if you absolutely want to use rm to start the
server and touch to stop it, then 5 lines of shell in a CGI will do it.

Regards,
Willy
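
The kind of health-check CGI suggested above is shown here in Python (the reply mentions shell; Python is used only to match the other added examples on this page). It is an added example, not code from the thread. The `offline` marker and `index.html` sentinel names and the `/var/www/html` fallback are assumptions, while `maintenance.html` is the file named in the original question. Touching the marker stops the server and removing it starts it, and a docroot that is not mounted fails the check instead of enabling the server.

```python
import os
import sys

OFFLINE_MARKER = "offline"             # hypothetical name: touch to drain, rm to re-enable
MAINTENANCE_PAGE = "maintenance.html"  # file named in the original question
SENTINEL = "index.html"                # hypothetical: present only when the docroot is mounted

REASONS = {200: "OK", 404: "Not Found", 503: "Service Unavailable"}


def health_status(docroot):
    """Return (http_status, state) for the load balancer's check URL."""
    # Fail closed: an unmounted docroot has no marker files either, so the
    # absence of markers alone must never be read as "healthy".
    if not os.path.isfile(os.path.join(docroot, SENTINEL)):
        return 503, "docroot not mounted"
    # Maintenance is the more restrictive state and is tested before offline.
    if os.path.exists(os.path.join(docroot, MAINTENANCE_PAGE)):
        return 503, "maintenance"
    # With "http-check disable-on-404" a 404 takes the server out of load
    # balancing without counting it as failed; without that option it is a
    # plain check failure. Either way no new traffic is balanced to it.
    if os.path.exists(os.path.join(docroot, OFFLINE_MARKER)):
        return 404, "offline"
    return 200, "online"


def cgi_response(docroot):
    """Build the complete CGI response (headers and body) for the check."""
    code, state = health_status(docroot)
    return (
        f"Status: {code} {REASONS[code]}\r\n"
        "Content-Type: text/plain\r\n"
        "Cache-Control: no-store\r\n"
        "\r\n"
        f"{state}\n"
    )


if __name__ == "__main__":
    # When run as a CGI the web server exports DOCUMENT_ROOT.
    sys.stdout.write(cgi_response(os.environ.get("DOCUMENT_ROOT", "/var/www/html")))
```
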




FW: T-shirt and baseball caps manufacture

2012-02-28 Thread Danie
Dear customer

We are QingDao Good Garment Co.,Ltd.

we mainly produce t-shirts and polo shirts,all kinds of baseball caps
and fitted caps, and etc.

We can provide the special service according to your requirements and
your logo design due to the professional designers,
manufacture teams and advanced equipments in our company.

Please visit our website: http://www.good-garment.com

Looking forward to our friendly cooperation.

Email: sa...@good-garment.com



FW: Tech Site Seeks Parkers - Traffic Doubles Every Quarter

2011-06-08 Thread Alexander Boggs
Title: TTC

Leading Technology Site Seeks New Partners

The Techno Club Boasts...
$2,300+ in revenue over the past 12 months
100%+ revenue growth over the past 12 months
130%+ traffic growth over the past 3 months (verified by Alexa)
Average Visitor Annual Income - $42, 186

The above numbers speak for themselves. Revenue doubling annually and
traffic doubling quarterly, you will not find a site growing faster than that.

The Techno Club offers access to the most sought after demographic:
technology professionals and early adopters. The costs to maintain the
business is only in supplying content and the current owner is willing to
stay on to ensure continuity. He is looking for new owners so that he can
focus on writing. Reply if you would like to take The Techno Club to the
next level.

Best Regards,
Alexander Boggs
VP Technology
Eli Boggs Media

2885 Sanford Avenue, South West #15918 Grandville, Michigan 49418 if you
would like to never hear from us again head to obsidianpunch. com/unsub









Fw: Notification of Protection for Google Search Right About formilux

2010-03-18 Thread Martin
Dear , 


I got your email address from my colleague, saying that you are the person in 
charge. We are a professional internet service provider organization in Asia, 
having the business around the world. Recently we have received an application 
from one of our customer Loquen LTD, who have been claiming to register 
formilux as their company's Google's Trademark Keyword which can be used in 
google searching service. The successful registration will directly affect the 
search result on Google. And we know that your company is the owner of this 
keyword, so we need to contact you to see if you have any relationship with 
them or you consigned them to use this keyword. If it is true, we will then 
complete their registration within 3 workdays, if you do not have any 
relationship with them, please let us know ASAP in order to protect your 
interests.


Best Regards,


Martin
Auditing Department Director
HongKong Net 


Tel: 00852-3060 6608 
Fax: 00852 - 3072 3949 
Email mar...@hknetos.com  
Web: http://www.hknet.com 

PLEASE CONSIDER THE ENVIRONMENT BEFORE YOU PRINT THIS E-MAIL

This email (and 
attachments) contains information from HongKong Net Center Limited, which may 
be CONFIDENTIAL or PRIVILEGED. If you are not the intended recipient, you must 
not disclose, copy, distribute or use the contents of this information. If you 
have received this email in error, please notify sender immediately and delete 
all copies. This email may also be subject to COPYRIGHT. No part of it may be 
reproduced, adapted or transmitted without the written consent of the copyright 
owner.
QQ截图未命名.jpg