subject:"Need help\?"

RFC: receive side scaling, need help with approach to port ranges

2019-07-16 Thread Richard Russo

Here are my current patches for comments.

-- 
  Richard Russo
  to...@enslaves.us

On Fri, Jul 5, 2019, at 12:23 PM, Richard Russo wrote:
> Hi,
> 
> I've been experimenting with Recieve Side Scaling (RSS) for a tcp proxy 
> application. The basic idea with RSS is by configuring the NICs, 
> kernel, and application to use the same CPU for a given socket, cross 
> CPU locking and communication is eliminated or at least significantly 
> reduced. On my system, configuring RSS allowed me to handle about three 
> times as many sessions before reaching CPU saturation, with the 
> remaining bottleneck seeming to be kernel processing around socket 
> creation and closing which requires cross cpu coordination. 
> 
> Aligning the incoming sockets is very simple, setting a socket option 
> (IP_RSS_LISTEN_BUCKET) on the listen socket restricts the accepted 
> socket to that bucket, and that's straight forward to add to the tcp 
> listener code, and configuration.
> 
> Aligning outgoing sockets is trickier -- there's no kernel help with a 
> socket option or otherwise, an application has to run the hash 
> (toeplitz) on the 4-tuple of {local ip, local port, remote ip, remote 
> port } and only use an outgoing port if the hash matches.  I've had 
> trouble finding a good approach to handle this.
> 
> The simplest thing would be to run the hash when a port is assigned by 
> port_range and return the port if it hashes to the wrong bucket; but if 
> you've already used all the acceptable ports for that port range, you 
> spend a lot of time hashing the ports that are still in the range, 
> without making any progress.
> 
> If you have a port range per rss bucket, you could hash on port 
> assignment, and not return the ports in case they hash to a wrong 
> bucket; but in the case that the remote ip changes because you've 
> configured it to use DNS or if you change the IP via "set server addr", 
> the previously computed hashes are no longer valid -- you would really 
> want to try all the ports again.
> 
> What I ended up with was a lock on port ranges (instead of atomics as 
> used in 07425de71777b688e77a9c70a7088c13e66e41e9 BUG/MEDIUM: 
> port_range: Make the ring buffer lock-free), adding a revision counter 
> to the port range, and resetting the port range whenever the server IP 
> changed. To avoid running the hash during steady state, and because 
> checking all the ports when the range needs to be filled, I also made 
> port range filing incremental. 
> 
> This approach works, but it feels complicated, and it made my config 
> much more verbose --- I had to duplicate my frontend sections, one for 
> each RSS bucket, which sends to corresponding duplicated backends for 
> each bucket; the backends had additional configuration to indicate the 
> RSS bucket (and the number of buckets). Incidentally, because each RSS 
> bucket has a distinct set of ports, and because my use case doesn't use 
> any features which benefit from coordination within HAProxy (such as 
> stick tables etc), this makes it possible to run in process mode rather 
> than threaded mode without running into a lot of port already in use 
> warnings/errors that would happen otherwise when sharing a port range.
> 
> If it's helpful for the discussion, I can share my patches as-is, but 
> if there are better ideas on how to structure this, I'd rather try to 
> get the changes done in a nice way before sharing.
> 
> Thanks!
> 
> -- 
>   Richard Russo
>   to...@enslaves.us
> 
>

0001-Allow-for-binding-listen-sockets-to-a-provided-RSS-b.patch
Description: Binary data


0002-Revert-BUG-MEDIUM-port_range-Make-the-ring-buffer-lo.patch
Description: Binary data


0003-add-port_range-locking-to-protect-against-concurrent.patch
Description: Binary data


0004-refill-port-ranges-when-addresses-change.patch
Description: Binary data


0005-Allow-for-RSS-aligned-port-selection-for-outgoing-co.patch
Description: Binary data

receive side scaling, need help with approach to port ranges

2019-07-05 Thread Richard Russo

Hi,

I've been experimenting with Recieve Side Scaling (RSS) for a tcp proxy 
application. The basic idea with RSS is by configuring the NICs, kernel, and 
application to use the same CPU for a given socket, cross CPU locking and 
communication is eliminated or at least significantly reduced. On my system, 
configuring RSS allowed me to handle about three times as many sessions before 
reaching CPU saturation, with the remaining bottleneck seeming to be kernel 
processing around socket creation and closing which requires cross cpu 
coordination. 

Aligning the incoming sockets is very simple, setting a socket option 
(IP_RSS_LISTEN_BUCKET) on the listen socket restricts the accepted socket to 
that bucket, and that's straight forward to add to the tcp listener code, and 
configuration.

Aligning outgoing sockets is trickier -- there's no kernel help with a socket 
option or otherwise, an application has to run the hash (toeplitz) on the 
4-tuple of {local ip, local port, remote ip, remote port } and only use an 
outgoing port if the hash matches.  I've had trouble finding a good approach to 
handle this.

The simplest thing would be to run the hash when a port is assigned by 
port_range and return the port if it hashes to the wrong bucket; but if you've 
already used all the acceptable ports for that port range, you spend a lot of 
time hashing the ports that are still in the range, without making any progress.

If you have a port range per rss bucket, you could hash on port assignment, and 
not return the ports in case they hash to a wrong bucket; but in the case that 
the remote ip changes because you've configured it to use DNS or if you change 
the IP via "set server addr", the previously computed hashes are no longer 
valid -- you would really want to try all the ports again.

What I ended up with was a lock on port ranges (instead of atomics as used in 
07425de71777b688e77a9c70a7088c13e66e41e9 BUG/MEDIUM: port_range: Make the ring 
buffer lock-free), adding a revision counter to the port range, and resetting 
the port range whenever the server IP changed. To avoid running the hash during 
steady state, and because checking all the ports when the range needs to be 
filled, I also made port range filing incremental. 

This approach works, but it feels complicated, and it made my config much more 
verbose --- I had to duplicate my frontend sections, one for each RSS bucket, 
which sends to corresponding duplicated backends for each bucket; the backends 
had additional configuration to indicate the RSS bucket (and the number of 
buckets). Incidentally, because each RSS bucket has a distinct set of ports, 
and because my use case doesn't use any features which benefit from 
coordination within HAProxy (such as stick tables etc), this makes it possible 
to run in process mode rather than threaded mode without running into a lot of 
port already in use warnings/errors that would happen otherwise when sharing a 
port range.

If it's helpful for the discussion, I can share my patches as-is, but if there 
are better ideas on how to structure this, I'd rather try to get the changes 
done in a nice way before sharing.

Thanks!

-- 
  Richard Russo
  to...@enslaves.us

Re: Need help on CVE-2019-11323

2019-05-16 Thread Willy Tarreau

Hi,

On Fri, May 17, 2019 at 02:54:05AM +, ??? wrote:
> Recently I found an issue CVE-2019-11323, it already fixed in 1.9.7
> 
> But it looks like all other haproxy branches affected by this issue according 
> to the following link.
> 
> 
> https://www.cvedetails.com/cve/CVE-2019-11323/
> 
> CVE-2019-11323 : HAProxy before 1.9.7 mishandles a reload with rotated keys, 
> which triggers use of uninitialized, and very predictable, 
> H
> www.cvedetails.com
> CVE-2019-11323 : HAProxy before 1.9.7 mishandles a reload with rotated keys, 
> which triggers use of uninitialized, and very predictable, HMAC keys. This is 
> related to an include/types/ssl_sock.h error.
> 
> 
> Unfortunately I'm using haproxy 1.7.11, I don't want to upgrade 1.9 right now.
(...)

I've just checked right now and only 1.9.2 and above have the affected feature,
the version details in the CVE are thus incorrect. It was developed in 2.0-dev
and was backported to 1.9 earlier this year to adapt to newer OpenSSL versions.
So on 1.8 and earlier you're not affected.

Hoping this helps,
Willy

Need help on CVE-2019-11323

2019-05-16 Thread 白晨红

Hi guys,



I need your help.


Recently I found an issue CVE-2019-11323, it already fixed in 1.9.7

But it looks like all other haproxy branches affected by this issue according 
to the following link.


https://www.cvedetails.com/cve/CVE-2019-11323/

CVE-2019-11323 : HAProxy before 1.9.7 mishandles a reload with rotated keys, 
which triggers use of uninitialized, and very predictable, 
H
www.cvedetails.com
CVE-2019-11323 : HAProxy before 1.9.7 mishandles a reload with rotated keys, 
which triggers use of uninitialized, and very predictable, HMAC keys. This is 
related to an include/types/ssl_sock.h error.


Unfortunately I'm using haproxy 1.7.11, I don't want to upgrade 1.9 right now.


So I checked haproxy 1.7 release, no new version, just 1.7.11.


And then I checked the code fix in 1.9 branch and compared with 1.7 branch.

https://git.haproxy.org/?p=haproxy.git;a=commitdiff;h=8ef706502aa2000531d36e4ac56dbdc7c30f718d;hp=646b7741bc683d6c6b43342369afcbba33d7b6ec

I couldn't find the same code in 1.7 branch, it looks like this issue just 
existed in 1.9 branch.

I don't understand why this issue affected all branches in cvedetails site.

Can somebody help confirm this,  CVE-2019-11323 didn't affect 1.7 branch, is it 
right?

Thanks,

John







Thanks

Re: need help with sftp and http config on a single config file

2018-10-19 Thread Imam Toufique

Aah.., I see , it’s been awhile I have this, I seem to vaguely remember
about this now.

Yes I have sshd running on port 22, let me try a higher port for the
proxy.  But I can keep the 22 port number for my backend sftp servers,
correct?

Thanks Jarno, I appreciate your help very much!

—imam

On Fri, Oct 19, 2018 at 12:02 AM Jarno Huuskonen 
wrote:

> Hi,
>
> On Thu, Oct 18, Imam Toufique wrote:
> > *[root@crsplabnet2 examples]# haproxy -c -V -f /etc/haproxy/haproxy.cfg*
> > *Configuration file is valid*
> >
> > *when trying to start HA proxy, i see the following:*
> >
> > *[root@crsplabnet2 examples]# haproxy -D -f /etc/haproxy/haproxy.cfg -p
> > /var/run/haproxy.pid*
> > *[ALERT] 290/234618 (5889) : Starting frontend www-ssh-proxy: cannot bind
> > socket [0.0.0.0:22 ]*
>
> Do you have sshd already running on the haproxy server ?
> (Use netstat -tunapl / ss (something like ss -tlnp '( dport = :ssh or
> sport = :ssh )')
> to see if sshd is already listening on port 22).
>
> If you've sshd running on port 22 then you have to use different port or
> ipaddress for sshd / haproxy(www-ssh-proxy)
>
> -Jarno
>
> --
> Jarno Huuskonen
>
-- 
Regards,
*Imam Toufique*
*213-700-5485*

Re: need help with sftp and http config on a single config file

2018-10-19 Thread Jarno Huuskonen

Hi,

On Thu, Oct 18, Imam Toufique wrote:
> *[root@crsplabnet2 examples]# haproxy -c -V -f /etc/haproxy/haproxy.cfg*
> *Configuration file is valid*
> 
> *when trying to start HA proxy, i see the following:*
> 
> *[root@crsplabnet2 examples]# haproxy -D -f /etc/haproxy/haproxy.cfg -p
> /var/run/haproxy.pid*
> *[ALERT] 290/234618 (5889) : Starting frontend www-ssh-proxy: cannot bind
> socket [0.0.0.0:22 ]*

Do you have sshd already running on the haproxy server ?
(Use netstat -tunapl / ss (something like ss -tlnp '( dport = :ssh or sport = 
:ssh )')
to see if sshd is already listening on port 22).

If you've sshd running on port 22 then you have to use different port or
ipaddress for sshd / haproxy(www-ssh-proxy)

-Jarno

-- 
Jarno Huuskonen

need help with sftp and http config on a single config file

2018-10-19 Thread Imam Toufique

Hi,

I am working on a setup where I can host sftp and http from the same HA
proxy frontend, as I am having trouble with it.

here is my config file:
-

global
   log /dev/log local0
   log /dev/log local1 notice
   chroot /var/lib/haproxy
   stats timeout 30s
   user haproxy
   group haproxy
   daemon

defaults
   log global
   mode http
   option tcplog
   option dontlognull
   timeout connect 5000
   timeout client 5
   timeout server 5

frontend http_front
   bind *:80
   stats uri /haproxy?stats
   default_backend http_back
   mode http
   option forwardfor   # forward IP
   http-request set-header X-Forwarded-Port %[dst_port]
   http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend http_back
   balance roundrobin # roundrobin is rotate customers into backend server
   server  web1 10.1.100.156:80 check inter 2000 cookie w1
   server  web2 10.1.100.160:80 check inter 2000 cookie w1
   timeout connect 90
   timeout server 90

frontend www-ssh-proxy
  bind *:22
  mode tcp
  default_backend www-ssh-proxy-backend

backend www-ssh-proxy-backend
   mode tcp
   balance roundrobin
   stick-table type ip size 200k expire 30m
   stick on src
   default-server inter 1s
   server web1 10.1.100.156:22 check id 1
   server web2 10.1.100.160:22 check id 2

I would like SFTP and HTTP to live happily in the same HA proxy config.
When I run the configuration check, everything seems to be fine.

*[root@crsplabnet2 examples]# haproxy -c -V -f /etc/haproxy/haproxy.cfg*
*Configuration file is valid*

*when trying to start HA proxy, i see the following:*

*[root@crsplabnet2 examples]# haproxy -D -f /etc/haproxy/haproxy.cfg -p
/var/run/haproxy.pid*
*[ALERT] 290/234618 (5889) : Starting frontend www-ssh-proxy: cannot bind
socket [0.0.0.0:22 ]*

*I am not sure what I am doing wrong here.  I have not setup sftp and
http in one system before.*

*Can you please give me a hand with this? *

*thanks a lot!*



-- 
Regards,
*Imam Toufique*
*213-700-5485*

FW: Need Help!

2018-06-26 Thread Ray Jender

-Original Message-
From: Ray Jender [mailto:rayjen...@gmail.com] 
Sent: Tuesday, June 26, 2018 9:34 AM
To: 'Jonathan Matthews' 
Subject: RE: Need Help!

Thanks for the response Jonathan,

Could you explain how I can set up the 4 front-ends?  I am confused on how the 
routing would look?
How HAproxy would evaluate the incoming rtmp?

Thanks,

Ray

-Original Message-
From: jonat...@jpluscplusm.com [mailto:jonat...@jpluscplusm.com] On Behalf Of 
Jonathan Matthews
Sent: Tuesday, June 26, 2018 5:56 AM
To: haproxy 
Cc: rayjen...@gmail.com
Subject: Re: Need Help!

You may not have had many replies as your email was marked as spam.
You might want to address this by, amongst other things, using plain text and 
not HTML.

On 24 June 2018 at 18:32, Ray Jender  wrote:
> I am sending rtmp from OBS with the streaming set to  rtmp://”HAproxy 
> server
> IP”:1935/LPC1

> frontend rtmp-in
> mode tcp
> acl url_LPCX path_beg -i /LPC1/
> use_backend LPC1-backend if url_LPCX

> And here is the log after restarting HAproxy with mode=http:
> And here is the log after restarting HAproxy with mode=tcp:

You can't usefully use HTTP mode, as the traffic isn't HTTP.

Haproxy doesn't speak RTMP so, in TCP mode, haproxy doesn't know how to extract 
path information (or anything protocol-specific) from the traffic.

It can't evaluate the ACL "url_LPCX", so you can't select a backend based on it.

Your best option is to have 4 frontends (or listeners) on 4 different ports, 
and route using that information.

Jonathan

Re: Need Help!

2018-06-26 Thread Jonathan Matthews

You may not have had many replies as your email was marked as spam.
You might want to address this by, amongst other things, using plain
text and not HTML.

On 24 June 2018 at 18:32, Ray Jender  wrote:
> I am sending rtmp from OBS with the streaming set to  rtmp://”HAproxy server
> IP”:1935/LPC1

> frontend rtmp-in
> mode tcp
> acl url_LPCX path_beg -i /LPC1/
> use_backend LPC1-backend if url_LPCX

> And here is the log after restarting HAproxy with mode=http:
> And here is the log after restarting HAproxy with mode=tcp:

You can't usefully use HTTP mode, as the traffic isn't HTTP.

Haproxy doesn't speak RTMP so, in TCP mode, haproxy doesn't know how
to extract path information (or anything protocol-specific) from the
traffic.

It can't evaluate the ACL "url_LPCX", so you can't select a backend based on it.

Your best option is to have 4 frontends (or listeners) on 4 different
ports, and route using that information.

Jonathan

Need Help!

2018-06-24 Thread Ray Jender

So, I am trying to forward incoming rtmp to a HAproxy server to a container
that has the media server on the same server.

I am sending rtmp from OBS with the streaming set to  rtmp://"HAproxy server
IP":1935/LPC1

 

And here is my haproxy.cfg:

 

ray@LPC-HAproxy:/etc/haproxy$ cat haproxy.cfg

 

global

log /dev/loglocal0

log /dev/loglocal1 notice

chroot /var/lib/haproxy

stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd
listeners

stats timeout 30s

user haproxy

group haproxy

daemon

 

# Default SSL material locations

ca-base /etc/ssl/certs

crt-base /etc/ssl/private

 

# Default ciphers to use on SSL-enabled listening sockets.

# For more information, see ciphers(1SSL). This list is from:

#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

# An alternative list with additional directives can be obtained
from

#
https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=hapro
xy

ssl-default-bind-ciphers
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RS
A+AES:!aNULL:!MD5:!DSS

ssl-default-bind-options no-sslv3

 

defaults

log global

modehttp

option  httplog

option  dontlognull

timeout connect 5000

timeout client  5

timeout server  5

errorfile 400 /etc/haproxy/errors/400.http

errorfile 403 /etc/haproxy/errors/403.http

errorfile 408 /etc/haproxy/errors/408.http

errorfile 500 /etc/haproxy/errors/500.http

errorfile 502 /etc/haproxy/errors/502.http

errorfile 503 /etc/haproxy/errors/503.http

errorfile 504 /etc/haproxy/errors/504.http

 

frontend rtmp-in

mode tcp

bind *:1935

acl url_LPCX path_beg -i /LPC1/

use_backend LPC1-backend if url_LPCX

#acl url_LPCX path_beg -i /LPC2/

#use_backend LPC2-backend if url_LPCX

#use_backend LPC2-backend if url_LPC2

#use_backend LPC3-backend if url_LPC3

#use_backend LPC4-backend if url_LPC4

default_backend LPC1-backend

 

backend LPC1-backend

server 10.28.172.115:1935 check

#backend LPC2-backend

#server 10.28.172.116:1935 check

#backend LPC2-backend

#backend LPC3-backend

#backend LPC4-backend

 

And here is the log after restarting HAproxy with mode=http:

 

Jun 24 13:25:12 LPC-HAproxy haproxy[3498]: [WARNING] 174/132002 (3498) :
Exiting Master process...

Jun 24 13:25:12 LPC-HAproxy haproxy[3498]: [ALERT] 174/132002 (3498) :
Current worker 3500 exited with code 143

Jun 24 13:25:12 LPC-HAproxy haproxy[3498]: [WARNING] 174/132002 (3498) : All
workers exited. Exiting... (143)

Jun 24 13:25:13 LPC-HAproxy haproxy[3530]: Proxy rtmp-in started.

Jun 24 13:25:13 LPC-HAproxy haproxy[3530]: Proxy rtmp-in started.

Jun 24 13:25:13 LPC-HAproxy haproxy[3530]: Proxy LPC1-backend started.

Jun 24 13:25:13 LPC-HAproxy haproxy[3530]: Proxy LPC1-backend started.

 

And here is the log after restarting HAproxy with mode=tcp:

 

Jun 24 13:14:29 LPC-HAproxy haproxy[3348]: [WARNING] 174/130935 (3348) :
Exiting Master process...

Jun 24 13:14:29 LPC-HAproxy haproxy[3348]: [ALERT] 174/130935 (3348) :
Current worker 3352 exited with code 143

Jun 24 13:14:29 LPC-HAproxy haproxy[3348]: [WARNING] 174/130935 (3348) : All
workers exited. Exiting... (143)

Jun 24 13:14:29 LPC-HAproxy haproxy[3384]: [WARNING] 174/131429 (3384) :
parsing [/etc/haproxy/haproxy.cfg:26] : 'option httplog' not usable with
frontend 'rtmp-in' (needs 'mode http'). Falling back to 'option tcplog'.

Jun 24 13:14:29 LPC-HAproxy haproxy[3384]: Proxy rtmp-in started.

Jun 24 13:14:29 LPC-HAproxy haproxy[3384]: Proxy rtmp-in started.

Jun 24 13:14:29 LPC-HAproxy haproxy[3384]: Proxy LPC1-backend started.

Jun 24 13:14:29 LPC-HAproxy haproxy[3384]: Proxy LPC1-backend started.

 

And here is the error when I start the stream:

 

When mode = http:

 

Jun 24 13:20:28 LPC-HAproxy haproxy[3500]: 192.168.0.5:58373
[24/Jun/2018:13:20:28.665] rtmp-in rtmp-in/ -1/-1/-1/-1/0 400 188 - -
PR-- 1/1/0/0/0 0/0 ""

 

When mode = tcp:

 

Jun 24 13:15:54 LPC-HAproxy haproxy[3386]: 192.168.0.5:58356
[24/Jun/2018:13:15:54.814] rtmp-in LPC1-backend/ -1/-1/0 188 PR
1/1/0/0/3 0/0

 

One thing that confuses me is that all of the tutorials/examples are for
doing load balancing.  In my case I only want to do forwarding

based on the incoming rtmp.  Note LPC can be LPC1-4.  And subsequently
should forwarded to container 1-4, which are named LPC1-4

in lxc.

 

Can anyone help?   


Thanks,

 

Ray

Re: Need help?

2018-03-19 Thread Willy Tarreau

Hi Nikhil,

On Sat, Mar 17, 2018 at 05:39:29PM +, Nikhil Kapoor wrote:
> Actually, I just wanted to deeply understand the code of haproxy. So just
> wanted to know which tool should i use in order to understand the code. Is it
> only gdb that you all use or any other?

Well, gdb is not suited to read code. You'd rather need an editor or
an IDE to help you follow the code. Gdb can serve to place break points
at certain locations however.

What I could suggest you is to take a look at these places particularly :
  - run_poll_loop() : this one is the main loop, iterating between polling,
processing I/O and processing tasks ;

  - listener_accept() : it's where an incoming connection is accepted

  - session_new() : it's called some time after listener_accept(), and
creates a new session ;

  - stream_new() : it creates a fresh new stream on a session ;

  - process_stream() : it calls all analysers subscribed to a stream, and
deals with timeouts, events etc... It's where the main tcp/http stuff
happens ; 

  - cfg_parse_listen() : it's where most of the config keywords are still
parsed (many of them have moved to other locations now). This will
help you figure how config elements are allocated and initialized,
how certain callbacks or analysers are enabled and why/when ;

  - check_config_validity() : some validity checks are run on the config
there late in the boot process, some config elements are resolved,
and some default values are assigned. I think it's also where we
assign an ID to the backends and servers if they don't have one yet.
It will definitely help you understand the relations between various
elements.

Before this, take a look inside doc/internals, and particularly the file
"entities.pdf" which shows how a stream is attached to objects surrounding
it.

Hoping this helps,
Willy

Need help?

2018-03-17 Thread Nikhil Kapoor

Hi,

I hope u all are doing well. It feels great to be a part of haproxy community. 

Actually, I just wanted to deeply understand the code of haproxy. So just 
wanted to know which tool should i use in order to understand the code. Is it 
only gdb that you all use or any other?

Please help me as i am willing to contribute to haproxy. 

Regards
Nikhil Kapoor

Re: cannot bind socket - Need help with config file

2018-01-11 Thread Lukas Tribus

Hello,


On 11 January 2018 at 16:36, Jonathan Matthews  wrote:
> On 11 January 2018 at 00:03, Imam Toufique  wrote:
>> So, I have everything in the listen section commented out:
>>
>> frontend main
>>bind :2200
>>default_backend sftp
>>timeout client 5d
>>
>>
>> #listen stats
>> #   bind *:2200
>> #   mode tcp
>> #   maxconn 2000
>> #   option redis-check
>> #   retries 3
>> #   option redispatch
>> #   balance roundrobin
>>
>> #use_backend sftp_server
>> backend sftp
>> balance roundrobin
>> server web 10.0.15.21:2200 check weight 2
>> server nagios 10.0.15.15:2200 check weight 2
>>
>> Is that what I need, right?
>
> I suspect you won't need to have your *backend*'s ports changed to
> 2200. Your SSH server on those machines is *probably* also your SFTP
> server

That's exactly right, your backend destination port should probably
22, there is no need to bump that one to 2200.



> As an aside, it's not clear why you're trying to do this. You've
> already hit the host-key-changing problem, and unless you have a
> *very* specific use case, your users will hit the "50% of the time I
> connect, my files have gone away" problem soon. So you've probably got
> to solve the shared-storage problem on your backends ... which turns
> them in to stateless SFTP-to-FS servers.
>
> In my opinion adding haproxy as a TCP proxy in your architecture adds
> very little, if anything. If I were you, I'd strongly consider just
> sync'ing the same host key to each server, putting their IPs in a
> low-TTL DNS record, and leaving haproxy out of the setup.

With DNS round-robin instead of haproxy you have the same exact
requirements regarding SSH keys and filesystem synchronization, with
all the disadvantages (no health checks, no direct control of the
actual load-balancing, no stats, no logs, etc).

I'm really not sure why you'd recommend DNS RR instead of haproxy
here. Load-balancing a single-port TCP protocol between 2 backends is
a bread and butter use-case for haproxy.



Regards,
Lukas

Re: cannot bind socket - Need help with config file

2018-01-11 Thread Jonathan Matthews

On 11 January 2018 at 00:03, Imam Toufique  wrote:
> So, I have everything in the listen section commented out:
>
> frontend main
>bind :2200
>default_backend sftp
>timeout client 5d
>
>
> #listen stats
> #   bind *:2200
> #   mode tcp
> #   maxconn 2000
> #   option redis-check
> #   retries 3
> #   option redispatch
> #   balance roundrobin
>
> #use_backend sftp_server
> backend sftp
> balance roundrobin
> server web 10.0.15.21:2200 check weight 2
> server nagios 10.0.15.15:2200 check weight 2
>
> Is that what I need, right?

I suspect you won't need to have your *backend*'s ports changed to
2200. Your SSH server on those machines is *probably* also your SFTP
server. I don't recall if you can serve a different/sync'd host key
per port in sshd, but this might be a reason to run a different daemon
on a higher port as you're doing.

As an aside, it's not clear why you're trying to do this. You've
already hit the host-key-changing problem, and unless you have a
*very* specific use case, your users will hit the "50% of the time I
connect, my files have gone away" problem soon. So you've probably got
to solve the shared-storage problem on your backends ... which turns
them in to stateless SFTP-to-FS servers.

In my opinion adding haproxy as a TCP proxy in your architecture adds
very little, if anything. If I were you, I'd strongly consider just
sync'ing the same host key to each server, putting their IPs in a
low-TTL DNS record, and leaving haproxy out of the setup.

J

Re: cannot bind socket - Need help with config file

2018-01-10 Thread Imam Toufique

Thanks, Lukas!  Sorry, I think I have been just replying to you by
accidentally hitting the 'reply' button.

So, I have everything in the listen section commented out:

frontend main
   bind :2200
   default_backend sftp
   timeout client 5d


#listen stats
#   bind *:2200
#   mode tcp
#   maxconn 2000
#   option redis-check
#   retries 3
#   option redispatch
#   balance roundrobin

#use_backend sftp_server
backend sftp
balance roundrobin
server web 10.0.15.21:2200 check weight 2
server nagios 10.0.15.15:2200 check weight 2

Is that what I need, right?

thanks.

On Wed, Jan 10, 2018 at 4:00 PM, Lukas Tribus  wrote:

> Hello Imam,
>
>
> On Wed, Jan 10, 2018 at 11:49 PM, Imam Toufique 
> wrote:
> > Lukas,
> >
> > Sorry to keep on dragging this, I am confused here.  I will admit that I
> > have not had the time to read the documentation on this.  From what I was
> > able to read, I slapped togather this config to get me started.
> >
> > I am not sure exactly what the 'listen' part do.  From what I can
> gather, I
> > found this in the user documentation:
>
> Again please "Reply-All" so the mailing list remains CC'ed.
>
>
> The frontend and listen functionality overlap, they can do the same
> thing, with a slightly different syntax. You either use a frontend OR
> a listen section. You don't use both for the same exact purpose.
>
> The frontend is fine, just delete everything related to the listen
> section and that's it.
>
>
>
>
> Regards,
> Lukas
>



-- 
Regards,
*Imam Toufique*
*213-700-5485*

Re: cannot bind socket - Need help with config file

2018-01-10 Thread Lukas Tribus

Hello Imam,

On Wed, Jan 10, 2018 at 11:49 PM, Imam Toufique  wrote:
> Lukas,
>
> Sorry to keep on dragging this, I am confused here.  I will admit that I
> have not had the time to read the documentation on this.  From what I was
> able to read, I slapped togather this config to get me started.
>
> I am not sure exactly what the 'listen' part do.  From what I can gather, I
> found this in the user documentation:

Again please "Reply-All" so the mailing list remains CC'ed.

The frontend and listen functionality overlap, they can do the same
thing, with a slightly different syntax. You either use a frontend OR
a listen section. You don't use both for the same exact purpose.

The frontend is fine, just delete everything related to the listen
section and that's it.

Regards,
Lukas

Re: cannot bind socket - Need help with config file

2018-01-10 Thread Lukas Tribus

Hi Imam,

On Tue, Jan 9, 2018 at 6:54 PM, Imam Toufique  wrote:
> Hi Lukus,
>
> thanks again for your continued help and support!  Here is my config file
> with updates now:
>
> frontend main
>bind :2200
>default_backend sftp
>timeout client 5d
>
>
> listen stats
>bind *:2200
>mode tcp
>maxconn 2000
>option redis-check
>retries 3
>option redispatch
>balance roundrobin
>
>
> Please correct me if you see something that is not right.

That's wrong. You are again configuring 2 services on a single port.
In this case, the kernel will load-balance between the two causing
chaos.

What is the "listen stats" section supposed to do anyway in your
configuration? Why do you need a main frontend and this listen
section?

> You asked about my SSH/SFTP use-case.  Basically, here is my use-case.  I
> have several SFTP servers that I would like to load-balance.  I was thinking
> about using HAProxy to load-balance SFTP connections between my SFTP
> servers.  As I was testing my setup yesterday, I was sending sftp file
> transfers to the HAproxy node, I noticed that HAProxy node CPU usage was
> pretty high.  I am beginning to wonder if it is the right setup for my
> environment.
> Is HAProxy is the right solution for SFTP server load-balancing?

Load-balancing SSH/SFTP generally should be very easy to do, as SSH
only uses a single port and doesn't have any layering violations (as
opposed to FTP).
The only thing to be aware of is the public key issue with different
servers, as you are load-balancing between them. Use the same private
key on all the backend server to avoid this problem.

As for the high CPU usage, I'd recommend fixing the configuration
first, before troubleshooting the CPU load. You may see strange
effects due to unintended load-balancing.

The rule is is simple: you are specifying the same listening port more
than once in the configuration, then something is and will go wrong.
You must have one single reference to port 2200 only.

Lukas

Re: cannot bind socket - Need help with config file

2018-01-09 Thread Imam Toufique

Hi Lukus,

thanks again for your continued help and support!  Here is my config file
with updates now:

frontend main
   bind :2200
   default_backend sftp
   timeout client 5d


listen stats
   bind *:2200
   mode tcp
   maxconn 2000
   option redis-check
   retries 3
   option redispatch
   balance roundrobin


Please correct me if you see something that is not right.

You asked about my SSH/SFTP use-case.  Basically, here is my use-case.  I
have several SFTP servers that I would like to load-balance.  I was
thinking about using HAProxy to load-balance SFTP connections between my
SFTP servers.  As I was testing my setup yesterday, I was sending sftp file
transfers to the HAproxy node, I noticed that HAProxy node CPU usage was
pretty high.  I am beginning to wonder if it is the right setup for my
environment.
Is HAProxy is the right solution for SFTP server load-balancing?

thanks

On Tue, Jan 9, 2018 at 2:12 AM, Lukas Tribus  wrote:

> Hello Imam,
>
>
> On Tue, Jan 9, 2018 at 2:30 AM, Imam Toufique  wrote:
> >
> > Hi Jonathan, and Lucas,
> >
> > Thanks for your replies.  With your help, I was able to get it work
> > partially.
>
> Please always CC the mailing list though.
>
>
>
> > frontend main *:2200
> >#bind *:22
> >default_backend sftp
> >timeout client 1h
>
> While this works, it's causing a lot of confusion. Please do follow my
> advice and DON'T specify the port in the frontend/listen line. Use the
> bind directive instead.
> So in this case:
>
> > frontend main
> >bind :2200
> >default_backend sftp
> >timeout client 1h
>
> It's much more readable like this.
>
>
>
> > listen stats
> > #bind *:22
>
> You disbled your stats section with this configuration. Either decide
> for a port, or remove it if you don't need it.
>
>
>
> > But haproxy starts and I was able to get ssh to one of the servers.  Now
> I
> > have a different problem where I get a ssh ket fingerprint error warning
> and
> > my connection drops.
> >
> > I get the error below:
> >
> > [vagrant@db ~]$ ssh file -p 2200
> > @@@
> > @WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> > @@@
> > IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> > Someone could be eavesdropping on you right now (man-in-the-middle
> attack)!
> > It is also possible that a host key has just been changed.
> > The fingerprint for the RSA key sent by the remote host is
> > SHA256:MHkXThp4cSltDn0/mRsq7Se+qcDz6cz1dD+kCiyE9e0.
> > Please contact your system administrator.
> > Add correct host key in /home/vagrant/.ssh/known_hosts to get rid of this
> > message.
> > Offending ECDSA key in /home/vagrant/.ssh/known_hosts:4
> > RSA host key for [file]:2200 has changed and you have requested strict
> > checking.
> > Host key verification failed
> >
> > It looks like host keys are changing, and the host key becomes unknown to
> > both servers that are behind HAProxy.  what do you recommend doing in a
> case
> > like this?
>
> That's what happens when you load-balance between 2 different SSH
> servers with a different private key. What is it that you want to
> achieve in the first place?
>
>
>
> cheers,
> lukas
>



-- 
Regards,
*Imam Toufique*
*213-700-5485*

Re: cannot bind socket - Need help with config file

2018-01-09 Thread Lukas Tribus

Hello Imam,


On Tue, Jan 9, 2018 at 2:30 AM, Imam Toufique  wrote:
>
> Hi Jonathan, and Lucas,
>
> Thanks for your replies.  With your help, I was able to get it work
> partially.

Please always CC the mailing list though.



> frontend main *:2200
>#bind *:22
>default_backend sftp
>timeout client 1h

While this works, it's causing a lot of confusion. Please do follow my
advice and DON'T specify the port in the frontend/listen line. Use the
bind directive instead.
So in this case:

> frontend main
>bind :2200
>default_backend sftp
>timeout client 1h

It's much more readable like this.



> listen stats
> #bind *:22

You disbled your stats section with this configuration. Either decide
for a port, or remove it if you don't need it.



> But haproxy starts and I was able to get ssh to one of the servers.  Now I
> have a different problem where I get a ssh ket fingerprint error warning and
> my connection drops.
>
> I get the error below:
>
> [vagrant@db ~]$ ssh file -p 2200
> @@@
> @WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> @@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that a host key has just been changed.
> The fingerprint for the RSA key sent by the remote host is
> SHA256:MHkXThp4cSltDn0/mRsq7Se+qcDz6cz1dD+kCiyE9e0.
> Please contact your system administrator.
> Add correct host key in /home/vagrant/.ssh/known_hosts to get rid of this
> message.
> Offending ECDSA key in /home/vagrant/.ssh/known_hosts:4
> RSA host key for [file]:2200 has changed and you have requested strict
> checking.
> Host key verification failed
>
> It looks like host keys are changing, and the host key becomes unknown to
> both servers that are behind HAProxy.  what do you recommend doing in a case
> like this?

That's what happens when you load-balance between 2 different SSH
servers with a different private key. What is it that you want to
achieve in the first place?



cheers,
lukas

Re: cannot bind socket - Need help with config file

2018-01-08 Thread Lukas Tribus

Hello Imam,


On Mon, Jan 8, 2018 at 11:24 AM, Jonathan Matthews
 wrote:
> On Mon, 8 Jan 2018 at 08:29, Imam Toufique  wrote:
>>
>> [ALERT] 007/081940 (1416) : Starting frontend sftp-server: cannot bind
>> socket [0.0.0.0:22]
>> [ALERT] 007/081940 (1416) : Starting proxy stats: cannot bind socket
>> [10.0.15.23:22]
>> [ALERT] 007/081940 (1416) : Starting proxy stats: cannot bind socket
>> [0.0.0.0:22]
>
>
> I would strongly suspect that the server already has something bound to port
> 22. It's probably your SSH daemon.
>
> You'll need to fix that, by dedicating either a different port or interface
> to the SFTP listener.

Correct.

Also:
- you can't bind the stats socket to the same port as your actual frontend
- you are binding twice for the stats socket already (you must not
have "bind :ABC" AND listen stats 1.2.3.4:ABC as that will cause 2
different sockets to be created - don't specify IP and port in the
"listen" line to avoid that kind of confusing)


Lukas

Re: cannot bind socket - Need help with config file

2018-01-08 Thread Jonathan Matthews

On Mon, 8 Jan 2018 at 08:29, Imam Toufique  wrote:

> [ALERT] 007/081940 (1416) : Starting frontend sftp-server: cannot bind
> socket [0.0.0.0:22]
> [ALERT] 007/081940 (1416) : Starting proxy stats: cannot bind socket [
> 10.0.15.23:22]
> [ALERT] 007/081940 (1416) : Starting proxy stats: cannot bind socket [
> 0.0.0.0:22]
>

I would strongly suspect that the server already has something bound to
port 22. It's probably your SSH daemon.

You'll need to fix that, by dedicating either a different port or interface
to the SFTP listener.

J

> --
Jonathan Matthews
London, UK
http://www.jpluscplusm.com/contact.html

cannot bind socket - Need help with config file

2018-01-08 Thread Imam Toufique

Hi,

I need some help figuring out why my config below is failing to start the
haproxy daemon.  I am totally new to this.

Below is my confg:


global
#   local2.* /var/log/haproxy.log
#
   log 127.0.0.1 local2
   #local2.* /var/log/haproxy.log
   chroot /var/log/haproxy
   #stats timeout 30s
   user haproxy
   group haproxy
   daemon

defaults
   log global
   mode tcp
   option tcplog
   option dontlognull
   timeout connect 5000
   timeout client 5
   timeout server 5


frontend sftp-server
   bind *:22
   default_backend sftp_server
   timeout client 1h


listen stats 10.0.15.23:22
bind :22
mode tcp
maxconn 2000
option redis-check
retries 3
option redispatch
balance roundrobin

use_backend sftp_server
backend sftp_server
balance roundrobin
server web 10.0.15.21:22 check weight 2
server nagios 10.0.15.15:22 check weight 2

When I run a config check, i get this:

[root@file haproxy]# haproxy -f ./haproxy.cfg -c
Configuration file is valid

when I try to start haproxy, I get the following error:

[root@file haproxy]# haproxy -f ./haproxy.cfg -d
Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result FAILED
Total: 3 (2 usable), will use epoll.
Using epoll() as the polling mechanism.
[ALERT] 007/081940 (1416) : Starting frontend sftp-server: cannot bind
socket [0.0.0.0:22]
[ALERT] 007/081940 (1416) : Starting proxy stats: cannot bind socket [
10.0.15.23:22]
[ALERT] 007/081940 (1416) : Starting proxy stats: cannot bind socket [
0.0.0.0:22]

In the config above, I am trying to setup 2 SFTP servers load-balanced with
haproxy.  I would like to use port 22 , for sftp.

Please help, I need to get this going.

thanks.

Re: Need help to reolsve haproxy issue

2017-01-23 Thread Praveen Koppula

 Sorry for the late reply, I was on unplanned leave.

What I observed in my investigation, when I commented below line it's
working as expected. Means even after reboot the machine the haproxy
service get started automatically.
#stats socket /etc/haproxy/haproxysock level admin
I'm not sure what is the significance of this line.
Can we proceed with this in our configuration or will it cause any
issues further?

NOTE : I couldn't find haproxy-wrapper under below location
/usr/sbin> ls -ltr *haproxy*
-rwxr-xr-x 1 root root  35152 Sep  3  2014 haproxy-halog
-rwxr-xr-x 1 root root 788672 Sep  3  2014 haproxy
lrwxrwxrwx 1 root root 19 Jan  9 01:47 rchaproxy -> /etc/init.d/haproxy

Thanks in advance.

On Mon, Jan 16, 2017 at 11:43 AM, Aaron West  wrote:
> I've not personally had any issues with systemd which I know doesn't mean
> there isn't any... However, on closer inspection, it gets started through a
> wrapper "haproxy-systemd-wrapper" for me :
>
> [Unit]
> Description=HAProxy Load Balancer
> After=network.target
>
> [Service]
> ExecStartPre=/usr/local/sbin/haproxy -f /etc/haproxy/haproxy.cfg -c -q
> ExecStart=/usr/local/sbin/haproxy-systemd-wrapper -f
> /etc/haproxy/haproxy.cfg -$
> ExecReload=/bin/kill -USR2 $MAINPID
> KillMode=mixed
> Restart=always
>
> [Install]
> WantedBy=multi-user.target
>
> So definitely check if you are using that wrapper or not if systemd is being
> used.
>
> Otherwise, my feeling is that for whatever reason you cannot access the
> socket previously created due to permissions... I mean I can get the same
> error trying to start HAproxy as an unprivileged user who cannot write to
> the file/directory.
>
> Aaron West
>
> Loadbalancer.org Limited
> +44 (0)330 380 1064
> www.loadbalancer.org
>
> On 16 January 2017 at 16:21, Baptiste  wrote:
>>
>> Might be a systemd dependency issue, where the socket is not created
>> before the process is started.
>>
>> Baptiste
>>
>> On Mon, Jan 16, 2017 at 4:46 PM, Aaron West 
>> wrote:
>>>
>>> Hi Praveen,
>>>
>>> Am I right in assuming it's a socket for the stats page? Also what user
>>> is starting HAproxy because maybe it doesn't have permissions to create the
>>> socket?
>>>
>>> We might need your whole config or at least the GLOBAL section...
>>>
>>> Aaron West
>>>
>>> Loadbalancer.org Limited
>>> +44 (0)330 380 1064
>>> www.loadbalancer.org
>>>
>>> On 16 January 2017 at 15:38, Praveen Koppula
>>>  wrote:

 Some content was missing. Adding again.

 When we reboot our machine (Where haproxy installed) teh haproxy going
 to be down and it's not starting after machine boot.
 When we force to start haproxy service getting below error.
 Error: Starting haproxy [ALERT] 047/083514 : Starting frontend GLOBAL:
 error when trying to preserve previous UNIX socket
 [/etc/haproxy/haproxysock] startproc: exit status of parent of
 /usr/sbin/haproxy: 1 Failed

 On Mon, Jan 16, 2017 at 10:32 AM, Praveen Koppula
  wrote:
>
> Can you please help me on this.
>
> Haproxy version is : 1.5.4-2.1
>
> Thanks in advance


>>>
>>
>

Re: Need help to reolsve haproxy issue

2017-01-16 Thread Aaron West

I've not personally had any issues with systemd which I know doesn't mean
there isn't any... However, on closer inspection, it gets started through a
wrapper "haproxy-systemd-wrapper" for me :

[Unit]
Description=HAProxy Load Balancer
After=network.target

[Service]
ExecStartPre=/usr/local/sbin/haproxy -f /etc/haproxy/haproxy.cfg -c -q
ExecStart=/usr/local/sbin/haproxy-systemd-wrapper -f
/etc/haproxy/haproxy.cfg -$
ExecReload=/bin/kill -USR2 $MAINPID
KillMode=mixed
Restart=always

[Install]
WantedBy=multi-user.target

So definitely check if you are using that wrapper or not if systemd is
being used.

Otherwise, my feeling is that for whatever reason you cannot access the
socket previously created due to permissions... I mean I can get the same
error trying to start HAproxy as an unprivileged user who cannot write to
the file/directory.

Aaron West

Loadbalancer.org Limited
+44 (0)330 380 1064
www.loadbalancer.org

On 16 January 2017 at 16:21, Baptiste  wrote:

> Might be a systemd dependency issue, where the socket is not created
> before the process is started.
>
> Baptiste
>
> On Mon, Jan 16, 2017 at 4:46 PM, Aaron West 
> wrote:
>
>> Hi Praveen,
>>
>> Am I right in assuming it's a socket for the stats page? Also what user
>> is starting HAproxy because maybe it doesn't have permissions to create the
>> socket?
>>
>> We might need your whole config or at least the GLOBAL section...
>>
>> Aaron West
>>
>> Loadbalancer.org Limited
>> +44 (0)330 380 1064
>> www.loadbalancer.org
>>
>> On 16 January 2017 at 15:38, Praveen Koppula <
>> praveenkumarkopp...@gmail.com> wrote:
>>
>>> Some content was missing. Adding again.
>>>
>>> When we reboot our machine (Where haproxy installed) teh haproxy going
>>> to be down and it's not starting after machine boot.
>>> When we force to start haproxy service getting below error.
>>> Error: Starting haproxy [ALERT] 047/083514 : Starting frontend GLOBAL:
>>> error when trying to preserve previous UNIX socket
>>> [/etc/haproxy/haproxysock] startproc: exit status of parent of
>>> /usr/sbin/haproxy: 1 Failed
>>>
>>> On Mon, Jan 16, 2017 at 10:32 AM, Praveen Koppula <
>>> praveenkumarkopp...@gmail.com> wrote:
>>>
 Can you please help me on this.

 Haproxy version is : 1.5.4-2.1

 Thanks in advance

>>>
>>>
>>
>

Re: Need help to reolsve haproxy issue

2017-01-16 Thread Baptiste

Might be a systemd dependency issue, where the socket is not created before
the process is started.

Baptiste

On Mon, Jan 16, 2017 at 4:46 PM, Aaron West  wrote:

> Hi Praveen,
>
> Am I right in assuming it's a socket for the stats page? Also what user is
> starting HAproxy because maybe it doesn't have permissions to create the
> socket?
>
> We might need your whole config or at least the GLOBAL section...
>
> Aaron West
>
> Loadbalancer.org Limited
> +44 (0)330 380 1064
> www.loadbalancer.org
>
> On 16 January 2017 at 15:38, Praveen Koppula <
> praveenkumarkopp...@gmail.com> wrote:
>
>> Some content was missing. Adding again.
>>
>> When we reboot our machine (Where haproxy installed) teh haproxy going to
>> be down and it's not starting after machine boot.
>> When we force to start haproxy service getting below error.
>> Error: Starting haproxy [ALERT] 047/083514 : Starting frontend GLOBAL:
>> error when trying to preserve previous UNIX socket
>> [/etc/haproxy/haproxysock] startproc: exit status of parent of
>> /usr/sbin/haproxy: 1 Failed
>>
>> On Mon, Jan 16, 2017 at 10:32 AM, Praveen Koppula <
>> praveenkumarkopp...@gmail.com> wrote:
>>
>>> Can you please help me on this.
>>>
>>> Haproxy version is : 1.5.4-2.1
>>>
>>> Thanks in advance
>>>
>>
>>
>

Re: Need help to reolsve haproxy issue

2017-01-16 Thread Aaron West

Hi Praveen,

Am I right in assuming it's a socket for the stats page? Also what user is
starting HAproxy because maybe it doesn't have permissions to create the
socket?

We might need your whole config or at least the GLOBAL section...

Aaron West

Loadbalancer.org Limited
+44 (0)330 380 1064
www.loadbalancer.org

On 16 January 2017 at 15:38, Praveen Koppula 
wrote:

> Some content was missing. Adding again.
>
> When we reboot our machine (Where haproxy installed) teh haproxy going to
> be down and it's not starting after machine boot.
> When we force to start haproxy service getting below error.
> Error: Starting haproxy [ALERT] 047/083514 : Starting frontend GLOBAL:
> error when trying to preserve previous UNIX socket
> [/etc/haproxy/haproxysock] startproc: exit status of parent of
> /usr/sbin/haproxy: 1 Failed
>
> On Mon, Jan 16, 2017 at 10:32 AM, Praveen Koppula <
> praveenkumarkopp...@gmail.com> wrote:
>
>> Can you please help me on this.
>>
>> Haproxy version is : 1.5.4-2.1
>>
>> Thanks in advance
>>
>
>

Re: Need help to reolsve haproxy issue

2017-01-16 Thread Aaron West

There are some very knowledgeable people on this list so I'm sure someone
can help, however, what might the problem actually be?

Aaron West

Loadbalancer.org Limited
+44 (0)330 380 1064
www.loadbalancer.org

On 16 January 2017 at 15:32, Praveen Koppula 
wrote:

> Can you please help me on this.
>
> Haproxy version is : 1.5.4-2.1
>
> Thanks in advance
>

Re: Need help to reolsve haproxy issue

2017-01-16 Thread Praveen Koppula

Some content was missing. Adding again.

When we reboot our machine (Where haproxy installed) teh haproxy going to
be down and it's not starting after machine boot.
When we force to start haproxy service getting below error.
Error: Starting haproxy [ALERT] 047/083514 : Starting frontend GLOBAL:
error when trying to preserve previous UNIX socket
[/etc/haproxy/haproxysock] startproc: exit status of parent of
/usr/sbin/haproxy: 1 Failed

On Mon, Jan 16, 2017 at 10:32 AM, Praveen Koppula <
praveenkumarkopp...@gmail.com> wrote:

> Can you please help me on this.
>
> Haproxy version is : 1.5.4-2.1
>
> Thanks in advance
>

Need help to reolsve haproxy issue

2017-01-16 Thread Praveen Koppula

Can you please help me on this.

Haproxy version is : 1.5.4-2.1

Thanks in advance

You need help?

2016-11-05 Thread Victoria Xusa

Need Help ?

Look no further.

Your answer is just a click away.

There’s a new method on the block
that people are finding works for them.

And I figured out how to gain access.

Explore this tried and tested new method here.

Have a good day

Talk soon,
Victoria

Moral story of the day:
Once upon a time there lived a cat that loved to read. At night, when
everybody was asleep, she would put on the spectacles and read the BIG BOOK
FOR CATS.

One day, she read in the book: If you want a mouse for dinner, repeat the
following rhyme: In this house there is a mouse, where is the mouse, where
is the mouse? The cat looked up from the book and found that there was a
mouse on the top of the table. The cat repeated the rhyme and soon found
the same mouse on the bed. Then she jumped upon the bed to catch the mouse
and the mouse was gone!

The mouse was very clever. Suddenly he squeaked, “Oh, dear cat, run, run
fast! There is dog after you!” The cat left the mouse and was ready to
jump out of the window. The mouse sat near his hole and said, “Ha-ha-ha!
Dear cat that was the trick I learnt from the BIO BOOK FOR MICE!” And the
mouse ran into his hole!

MORAL :An intelligent person should not think that others are illiterate.

Subscription info:

If you no longer want to receive updates, use the unsubscribe link that is
at the very bottom of this email.
Stay subscribed you will receive carefully picked recommendations, no cost
gifts and marketing downloads and we can get a commission, if you click and
buy on links in this email.
If you feel that the content is inappropriate reply to this email.

Unsubscribe me from this list

To stop receiving these
emails:http://victorinoxusa.com/unsubscribe.php?M=246361=7acfbfdbd56352a99dfce9243371b5d7=2=14

Need help with configuration its not working on a new Archlinux VPS

2016-09-28 Thread Jeffrey Scott Flesher Gmail

This is the haproxy.cfg file I have been running for years on an Ubuntu
12 VPS, I just installed this on an Archlinux VPS and its not working.

Note:
    acl has_path path /
reqirep ^([^\ :]*)\ /(.*) \1\ /ww/\2 if has_path
This is because its a Wt app and needs a url that starts off with a ww
in this case:
http://wittywizard.org/ww/en/blue/

and I do not want the www
    redirect prefix http://wittywizard.org code 301 if { hdr(host)
-i www.wittywizard.org }

wittywizard.org is on the new Archlinux VPS, the other sites are under the 
Ubuntu VPS

I am running monit.

If you see anything that needs to be changed or delete let me know, I am not 
very good at this, I just need it to work and need help.

Thanks for any help.

# nano -c /etc/haproxy/haproxy.cfg
global
log 127.0.0.1 local0 
log 127.0.0.1 local1 notice
maxconn 4096
user haproxy
group haproxy
daemon
defaults
log global
modehttp
option  httplog
option  dontlognull
retries 3
option  redispatch
maxconn 1000
timeout connect 5000
timeout client 5
timeout server 5
option http-server-close
timeout http-keep-alive 3000
option forwardfor
frontend wt
bind 216.117.149:80
    option http-server-close
timeout http-keep-alive 3000
reqidel ^Client-IP:.*
reqidel ^X-Forwarded-For:.*
option forwardfor
# Set inside Witty Wizard main.cpp
acl has_path path /
reqirep ^([^\ :]*)\ /(.*) \1\ /ww/\2 if has_path
    redirect prefix http://wittywizard.org code 301         if {
hdr(host) -i www.wittywizard.org }
redirect prefix http://lightwizzard.com code 301       if {
hdr(host) -i www.lightwizzard.com }
redirect prefix http://thedarkwizzard.com code 301  if { hdr(host)
-i www.thedarkwizzard.com }
redirect prefix http://greywizzard.com code 301       if {
hdr(host) -i www.greywizzard.com }
redirect prefix http://rodremelin.com code 301        if {
hdr(host) -i www.rodremelin.com }
# Note: see wthttpd.sh session-id-prefix
acl srv1 url_sub wtd=wt-8060
acl srv1_up nbsrv(bck1) gt 0
use_backend bck1 if srv1_up srv1
#
# Second Thread
# Note: see wthttpd.sh session-id-prefix
# acl srv2  url_sub wtd=wt-8061
# acl srv2_up nbsrv(bck2) gt 0
# use_backend bck2 if srv2_up srv2 has_ww_uri
#
default_backend bck_lb
backend bck_lb
balance roundrobin
server srv1 216.117.149.91:8060 track bck1/srv1
# server srv2 108.59.251.28:8060 track bck1/srv1
backend bck1
balance roundrobin
server srv1 216.117.149.91:8060 check
# server srv2 108.59.251.28:8060 check
backend bck2
balance roundrobin
server srv2 216.117.149.91:8061 check
# server srv2 108.59.251.28:8060 check
# EOF #

Re: Need help to configure ha proxy

2016-09-07 Thread Harish Chander

Hi,


Will you please help me in configuration on HAPROXY.


Example - api.example.com

server api01 10.0.0.10:80 check

server api02 10.0.0.11:80 check


Requirement -

10 Backend server and every backend with host name and 2 server under backend 
with roundrobin. Now issue is if we deploy on Prod, with jenkins, once deploy 
tomcat/apache will restart and use another server. During restart request fails 
those send on server 01 because this server goes under restart.


How to handel that.


AWS we do with ELB, before deployment server take out from elb then deploy then 
attach and make the inservice.


Regard's
Harish Chander
8529142143

  *




From: Jeff Palmer <j...@palmerit.net>
Sent: Tuesday, August 30, 2016 7:05 PM
To: Harish Chander
Cc: haproxy@formilux.org
Subject: Re: Need help to configure ha proxy

This config appears to be a decent start.  and looks to meet your
requirements for http.

Now you just need another frontend configured for 443,  it would match
the :80 frontend, aside from port, using SSL, and a path to the
certificates.



On Tue, Aug 30, 2016 at 8:47 AM, Harish Chander
<harish.chan...@hotmail.com> wrote:
> Hi,
>
>
> I shall be really thankful you if you help in configure haproxy or its
> possible or not.
>
>
> External ELB - In external AWS ELB i have 2 Ha proxy server
>
>
> HA Proxy
>
> connect
>
> haproxy > beta.example.com
>
> beta.example.com > api-example.com
>
>
> beta.example.com server work's on 80 and 443 both, If i add A Name in DNS of
> direct server IP then work everything.
>
>
> Requirement - beta.example.com should work on both 443 and 80. now its
> working for 80 only. Please help me out. you can call me +918529142143 any
> time.
>
>
> Current haproxy conf under below
>
>
>
> haproxy.conf
>
>
> global
>
> log /dev/log local0
>
> log /dev/log local1 notice
>
> chroot /var/lib/haproxy
>
> stats socket /run/haproxy/admin.sock mode 660 level admin
>
> stats timeout 30s
>
> user haproxy
>
> group haproxy
>
> daemon
>
>
> # Default SSL material locations
>
> ca-base /etc/ssl/certs
>
> crt-base /etc/ssl/private
>
>
> # Default ciphers to use on SSL-enabled listening sockets.
>
> # For more information, see ciphers(1SSL). This list is from:
>
> #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
>
> ssl-default-bind-ciphers
> ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
>
> ssl-default-bind-options no-sslv3
>
>
> defaults
>
> log global
>
> mode http
>
> option httplog
>
> option dontlognull
>
> timeout connect 5000
>
> timeout client  5
>
> timeout server  5
>
>
> frontend haproxy
>
>bind *:80
>
>stats uri /stats
>
>stats realm Strictly\ Private
>
>stats auth pass:word
>
>
> # Define hosts
>
> #urls
>
> acl beta.example hdr(host) -i beta.example.com
>
>
>
> acl api.example hdr(host) -i api-example.com
>
>
>
> #cluster
>
> use_backend b.example if beta.example
>
>
> use_backend z.api if api.example
>
>
> #Frontend Server
>
>
> backend b.example
>
> mode http
>
> balance roundrobin
>
> option forwardfor
>
>server server01 10.0.0.1:80 check
>
>
> ##API
>
> backend z.api
>
> mode http
>
> balance roundrobin
>
> option forwardfor
>
> server api01 192.168.1.1:80 check
>
>
>
> Regard's
> Harish Chander
> 8529142143
>
>



--
Jeff Palmer
https://PalmerIT.net

Re: Need help to configure ha proxy

2016-09-02 Thread Harish Chander

For same i need your help will you please help me, and today i have new 
requirement. back to example.com backend will run on 80 and 8080


example.com will run on 80 and 443 will you share the conf file ?? i shall be 
really thankfull to you


Regard's
Harish Chander
8529142143

  *




From: Jeff Palmer <j...@palmerit.net>
Sent: Tuesday, August 30, 2016 7:05 PM
To: Harish Chander
Cc: haproxy@formilux.org
Subject: Re: Need help to configure ha proxy

This config appears to be a decent start.  and looks to meet your
requirements for http.

Now you just need another frontend configured for 443,  it would match
the :80 frontend, aside from port, using SSL, and a path to the
certificates.



On Tue, Aug 30, 2016 at 8:47 AM, Harish Chander
<harish.chan...@hotmail.com> wrote:
> Hi,
>
>
> I shall be really thankful you if you help in configure haproxy or its
> possible or not.
>
>
> External ELB - In external AWS ELB i have 2 Ha proxy server
>
>
> HA Proxy
>
> connect
>
> haproxy > beta.example.com
>
> beta.example.com > api-example.com
>
>
> beta.example.com server work's on 80 and 443 both, If i add A Name in DNS of
> direct server IP then work everything.
>
>
> Requirement - beta.example.com should work on both 443 and 80. now its
> working for 80 only. Please help me out. you can call me +918529142143 any
> time.
>
>
> Current haproxy conf under below
>
>
>
> haproxy.conf
>
>
> global
>
> log /dev/log local0
>
> log /dev/log local1 notice
>
> chroot /var/lib/haproxy
>
> stats socket /run/haproxy/admin.sock mode 660 level admin
>
> stats timeout 30s
>
> user haproxy
>
> group haproxy
>
> daemon
>
>
> # Default SSL material locations
>
> ca-base /etc/ssl/certs
>
> crt-base /etc/ssl/private
>
>
> # Default ciphers to use on SSL-enabled listening sockets.
>
> # For more information, see ciphers(1SSL). This list is from:
>
> #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
Hardening Your Web Server's SSL Ciphers · Homepage of 
...<https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/>
hynek.me
There are many wordy articles on configuring your web server's TLS ciphers. 
This is not one of them. Instead I will share a configuration which is both 
compatible ...



>
> ssl-default-bind-ciphers
> ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
>
> ssl-default-bind-options no-sslv3
>
>
> defaults
>
> log global
>
> mode http
>
> option httplog
>
> option dontlognull
>
> timeout connect 5000
>
> timeout client  5
>
> timeout server  5
>
>
> frontend haproxy
>
>bind *:80
>
>stats uri /stats
>
>stats realm Strictly\ Private
>
>stats auth pass:word
>
>
> # Define hosts
>
> #urls
>
> acl beta.example hdr(host) -i beta.example.com
>
>
>
> acl api.example hdr(host) -i api-example.com
>
>
>
> #cluster
>
> use_backend b.example if beta.example
>
>
> use_backend z.api if api.example
>
>
> #Frontend Server
>
>
> backend b.example
>
> mode http
>
> balance roundrobin
>
> option forwardfor
>
>server server01 10.0.0.1:80 check
>
>
> ##API
>
> backend z.api
>
> mode http
>
> balance roundrobin
>
> option forwardfor
>
> server api01 192.168.1.1:80 check
>
>
>
> Regard's
> Harish Chander
> 8529142143
>
>



--
Jeff Palmer
https://PalmerIT.net

Re: Need help to configure ha proxy

2016-08-30 Thread Jeff Palmer

This config appears to be a decent start.  and looks to meet your
requirements for http.

Now you just need another frontend configured for 443,  it would match
the :80 frontend, aside from port, using SSL, and a path to the
certificates.



On Tue, Aug 30, 2016 at 8:47 AM, Harish Chander
 wrote:
> Hi,
>
>
> I shall be really thankful you if you help in configure haproxy or its
> possible or not.
>
>
> External ELB - In external AWS ELB i have 2 Ha proxy server
>
>
> HA Proxy
>
> connect
>
> haproxy > beta.example.com
>
> beta.example.com > api-example.com
>
>
> beta.example.com server work's on 80 and 443 both, If i add A Name in DNS of
> direct server IP then work everything.
>
>
> Requirement - beta.example.com should work on both 443 and 80. now its
> working for 80 only. Please help me out. you can call me +918529142143 any
> time.
>
>
> Current haproxy conf under below
>
>
>
> haproxy.conf
>
>
> global
>
> log /dev/log local0
>
> log /dev/log local1 notice
>
> chroot /var/lib/haproxy
>
> stats socket /run/haproxy/admin.sock mode 660 level admin
>
> stats timeout 30s
>
> user haproxy
>
> group haproxy
>
> daemon
>
>
> # Default SSL material locations
>
> ca-base /etc/ssl/certs
>
> crt-base /etc/ssl/private
>
>
> # Default ciphers to use on SSL-enabled listening sockets.
>
> # For more information, see ciphers(1SSL). This list is from:
>
> #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
>
> ssl-default-bind-ciphers
> ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
>
> ssl-default-bind-options no-sslv3
>
>
> defaults
>
> log global
>
> mode http
>
> option httplog
>
> option dontlognull
>
> timeout connect 5000
>
> timeout client  5
>
> timeout server  5
>
>
> frontend haproxy
>
>bind *:80
>
>stats uri /stats
>
>stats realm Strictly\ Private
>
>stats auth pass:word
>
>
> # Define hosts
>
> #urls
>
> acl beta.example hdr(host) -i beta.example.com
>
>
>
> acl api.example hdr(host) -i api-example.com
>
>
>
> #cluster
>
> use_backend b.example if beta.example
>
>
> use_backend z.api if api.example
>
>
> #Frontend Server
>
>
> backend b.example
>
> mode http
>
> balance roundrobin
>
> option forwardfor
>
>server server01 10.0.0.1:80 check
>
>
> ##API
>
> backend z.api
>
> mode http
>
> balance roundrobin
>
> option forwardfor
>
> server api01 192.168.1.1:80 check
>
>
>
> Regard's
> Harish Chander
> 8529142143
>
>



-- 
Jeff Palmer
https://PalmerIT.net

Re: Configure Log in Haproxy ( Need help )

2016-08-23 Thread ge...@riseup.net

Hi Qing,

On 16-08-23 00:02:17, Qing Wang wrote:
> And the haproxy.conf in /etc/rsyslog.d/ is:
> # Create an additional socket in haproxy's chroot in order to allow
> logging via
> # /dev/log to chroot'ed HAProxy processes
> #$AddUnixListenSocket /var/lib/haproxy/dev/log

Uncomment this ^^^ line...

> $AddUnixListenSocket /dev/log

...comment that ^^^ one, restart rsyslog and HAProxy, and see if
this helps.

> I already create the log file inside the path /var/lib/haproxy/dev/log

If you're using rsyslog, you don't have to create the files manually. 

All the best,
Georg


signature.asc
Description: Digital signature

Need Help : Haproxy as server with CA signed cert to fetch self-signed client certificate

2016-08-09 Thread Deepak Agarwal

Hi Baptiste,
As discussed, Please help with inputs on the following.
http://discourse.haproxy.org/t/haproxy-as-server-with-ca-signed-cert-to-fetch-self-signed-client-certificate/551
http://discourse.haproxy.org/t/how-to-fetch-ssl-subjectaltname-san-extension-data-in-haproxy/539
 
Thanks,
Deepak

New projects need help

2016-07-28 Thread jerrychen

Hi,=20AreyoudealingwithLEDlights?ThisisJerryfromShenzhenGuohuiLightingEquipmentCo.,Ltd.ALED=originalmanufactuer.LEDfloodlight,highbay,cornlightareourbest-sellers.Plslinkourwebsite:www.guohui-light.com;ifyouwanttoknowmorea=boutourproduct.Thanksinadvance!JerryChenSalesManager=20GuohuiLightingEquipmentCo.,Ltd.www.guohui-light.com=20Ph:860755-89728339=20Mob:008618684678473Skype:jerry_chenbin=2051800071#XiangYinRd,NanLianCommunity,LongGangDistrict,ShenZhen,GuangDong,China

1 2 >

1 - 100 of 110 matches

Mail list logo