Re: help for configuration between http and tcp mode

2017-07-09 Thread M
Hi,

> 
> Because your Host header is certainly "influxdb-drp.example.net:8086", not 
> "influxdb-drp.example.net". You can verify this with this acl instead :
>  acl host_influxdb-drp.example.net hdr(host) -i influxdb-drp.example.net:8086
> 
> Or you can even capture the header in your logs, it's quite useful to debug 
> acls ;-)
> 

You are right. The port was missing from acl :(

Using "capture request header Host len 150"  was effectively showing it in log:

Jul  9 18:54:59 kalinga haproxy[46185]: 192.168.246.17:59204 [09/Jul/2017:18:54:59.275] https_influxdb~ influxdb-drp.example.net/https_8086 0/0/1/0/1 200 332 - -  1/1/0/0/0 0/0 {influxdb-drp.example.net:8086} "GET /query?q=SHOW%20DATABASES HTTP/1.1"

Thank you.

Regards,
M.


Re: help for configuration between http and tcp mode

2017-07-09 Thread Cyril Bonté

Hi,

On 09/07/2017 at 17:58, M wrote:

> Hi,
>
> It seems the error is related to acl and I don’t yet understand why
> [...]
> frontend https_influxdb
>    bind 192.168.246.17:8086 ssl crt /data/ssl_certs no-sslv3 ciphers 
> ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:!NULL:!aNULL:!RC4:!RC2:!MEDIUM:!LOW:!EXPORT:!DES:!MD5:!PSK:!3DES
>    mode http
> [...]
>    acl host_influxdb-drp.example.net hdr(host) -i influxdb-drp.example.net
>    use_backend influxdb-drp.example.net if host_influxdb-drp.example.net
> [...]
> #curl -G https://influxdb-drp.example.net:8086/query -u admin:'xxx' --data-urlencode 
> "q=SHOW DATABASES"
> 503 Service Unavailable
> No server is available to handle this request.
>
> Jul  9 15:46:16 kalinga haproxy[50375]: 192.168.246.17:57242 
> [09/Jul/2017:15:46:16.665] https_influxdb~ https_influxdb/ -1/-1/135 212 
> SC 4/0/0/0/0 0/0
>
> The acl is not matching under this frontend :-(
> [...]
> Why acl is matching only on frontend https and not on frontend https_influxdb?


Because your Host header is certainly "influxdb-drp.example.net:8086", 
not "influxdb-drp.example.net". You can verify this with this acl instead:
  acl host_influxdb-drp.example.net hdr(host) -i influxdb-drp.example.net:8086


Or you can even capture the header in your logs, it's quite useful to 
debug acls ;-)



--
Cyril Bonté
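
Added example, not part of the thread or written by its participants: the header capture suggested above, together with one way to make the ACL independent of the port the client used. It reuses the frontend and backend names from the thread and assumes HAProxy 1.6 or later for the `field` converter; the bind line is left as posted.

```haproxy
# Added example; names reused from the thread.
frontend https_influxdb
  # keep the "bind 192.168.246.17:8086 ssl crt /data/ssl_certs ..." line as posted
  mode http
  option httplog                        # assumption: needed because defaults set "option tcplog"
  capture request header Host len 150   # logged between {} so the exact value is visible

  # Before: exact match on the bare name. A client calling
  # https://influxdb-drp.example.net:8086/ sends
  # "Host: influxdb-drp.example.net:8086", so this never matches and the
  # request ends with 503 / NOSRV because no backend was selected.
  #acl host_influxdb-drp.example.net hdr(host) -i influxdb-drp.example.net

  # After: lower-case the header, keep only the part before the first ":",
  # then compare it exactly. Matches with or without a port.
  acl host_influxdb-drp.example.net req.hdr(host),lower,field(1,:) -m str influxdb-drp.example.net
  use_backend influxdb-drp.example.net if host_influxdb-drp.example.net
```

A prefix match such as `hdr_beg(host)` would also accept the port, but it matches any Host value that merely starts with the name, so the exact comparison after stripping the port is the tighter routing rule.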



Re: help for configuration between http and tcp mode

2017-07-09 Thread M
Hi,

It seems the error is related to acl and I don’t yet understand why.

I have done additional tests with configuration: 

———

frontend https
  bind 0.0.0.0:443 ssl crt /data/ssl_certs no-sslv3 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:!NULL:!aNULL:!RC4:!RC2:!MEDIUM:!LOW:!EXPORT:!DES:!MD5:!PSK:!3DES
  mode http
  option dontlognull

  reqadd X-Forwarded-Proto:\ https

  option http-server-close
  option forwardfor

  acl host_piwigo.example.org hdr(host) -i piwigo.example.org
  use_backend piwigo.example.org if host_piwigo.example.org

  acl host_wordpress.example.com hdr(host) -i wordpress.example.com
  use_backend wordpress.example.com if host_wordpress.example.com

  # adding redirection on https tcp/443 frontend:
  acl host_influxdb-drp.example.net hdr(host) -i influxdb-drp.example.net
  use_backend influxdb-drp.example.net if host_influxdb-drp.example.net


frontend https_influxdb
  bind 192.168.246.17:8086 ssl crt /data/ssl_certs no-sslv3 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:!NULL:!aNULL:!RC4:!RC2:!MEDIUM:!LOW:!EXPORT:!DES:!MD5:!PSK:!3DES
  mode http
  option dontlognull

  reqadd X-Forwarded-Proto:\ https

  option http-server-close
  option forwardfor

  #default_backend influxdb-drp.example.net # to test later with a default backend as acl seems not working

  acl host_influxdb-drp.example.net hdr(host) -i influxdb-drp.example.net
  use_backend influxdb-drp.example.net if host_influxdb-drp.example.net

backend influxdb-drp.example.net
  mode http
  server https_8086 127.0.0.1:8086 check ssl verify none

———

Backend is answering on https on tcp/8086. 

Testing against frontend https on tcp/443, it is working:

#curl -G https://influxdb-drp.example.net:443/query -u admin:'xxx' --data-urlencode "q=SHOW DATABASES"
{"results":[{"statement_id":0,"series":[{"name":"databases","columns":["name"],"values":[["_internal"]]}]}]}

Jul  9 15:46:32 kalinga haproxy[50375]: 192.168.246.17:59154 [09/Jul/2017:15:46:31.900] https~ influxdb-drp.example.net/https_8086 0/1/132 332 -- 5/5/0/0/0 0/0

The acl has matched to forward to the expected backend.

Testing against frontend https_influxdb on tcp/8086, it is failing:

#curl -G https://influxdb-drp.example.net:8086/query -u admin:'xxx' --data-urlencode "q=SHOW DATABASES"
503 Service Unavailable
No server is available to handle this request.

Jul  9 15:46:16 kalinga haproxy[50375]: 192.168.246.17:57242 [09/Jul/2017:15:46:16.665] https_influxdb~ https_influxdb/ -1/-1/135 212 SC 4/0/0/0/0 0/0

The acl is not matching under this frontend :-(

When testing by uncommenting following line:
  #default_backend influxdb-drp.example.net
in order to add a default backend, it is working:

#curl -G https://influxdb-drp.example.net:8086/query -u admin:'xxx' --data-urlencode "q=SHOW DATABASES"
{"results":[{"statement_id":0,"series":[{"name":"databases","columns":["name"],"values":[["_internal"]]}]}]}

Jul  9 15:46:32 kalinga haproxy[50375]: 192.168.246.17:59154 [09/Jul/2017:15:46:31.900] https~ influxdb-drp.example.net/https_8086 0/1/132 332 -- 5/5/0/0/0 0/0

Why is the acl matching only on frontend https and not on frontend https_influxdb?

Haproxy version is the latest stable 1.7.8.


Regards,
M.

> On 8 Jul 2017 at 22:19, M wrote:
> 
> Hi,
> 
> I don't understand why http mode is not able to provide a backend server whereas
> at the same time tcp mode is able to do it.
>
> I am trying to setup Haproxy in front of an Influxdb database running on
> HTTPS.
>
> When frontend is configured on http mode, requests are failing with NOSRV
> error.
> When frontend is configured on tcp mode, requests are working.
> 
> Example below with http mode on tcp/8086 port and tcp mode on tcp/8087 with 
> same backend:
> 
> #curl -G https://influxdb-drp.example.net:8086/query -u admin:'' 
> --data-urlencode "q=SHOW DATABASES"
> 503 Service Unavailable
> No server is available to handle this request.
> 
> 
> Haproxy log showing NOSRV and SC:
> Jul  8 19:59:44 kalinga haproxy[26228]: 192.168.246.17:52946 
> [08/Jul/2017:19:59:44.661] https_influxdb~ https_influxdb/ -1/-1/136 
> 212 SC 0/0/0/0/0 0/0
> 
> 
> #curl -G https://influxdb-drp.example.net:8087/query -u admin:'' 
> --data-urlencode "q=SHOW DATABASES"
> {"results":[{"statement_id":0,"series":[{"name":"databases","columns":["name"],"values":[["_internal"]]}]}]}
> 
> Haproxy log:
> Jul  8 20:00:16 kalinga haproxy[26228]: 192.168.246.17:37142 
> [08/Jul/2017:20:00:16.672] https_influxdb_tcp~ 
> influxdb-drp.example.net/https_8086 0/2/123 332 -- 1/1/0/0/0 0/0
> 
> Haproxy configuration file:
> 
> ---

Re: help for configuration between http and tcp mode

2017-07-08 Thread Andrew Smalley
Hello M

Looking at your configuration you are trying to use HTTPS/TCP/SSL
Connection for HTTP

frontend https_influxdb
  bind 192.168.246.17:8086 ssl crt /data/ssl_certs no-sslv3 ciphers
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:
ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-
RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:
DHE-RSA-AES128-SHA:DES-CBC3-SHA:!NULL:!aNULL:!RC4:!RC2:!
MEDIUM:!LOW:!EXPORT:!DES:!MD5:!PSK:!3DES
  mode http
  option dontlognull

I would make this assuming port 8086 is a HTTP Connection

frontend https_influxdb
  bind 192.168.246.17:8086
  mode http
  option dontlognull


TCP Mode will work with any connection however HTTP will only work with
unencrypted HTTP Type traffic as it is application aware.

Also TCP Mode is really Layer4 and non application aware.

Andrew Smalley

Loadbalancer.org Ltd.
www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
asmal...@loadbalancer.org

On 8 July 2017 at 21:19, M  wrote:

> Hi,
>
> I don't understand why http mode is not able to provide a backend server
> whereas at the same time tcp mode is able to do it.
>
> I am trying to setup Haproxy in front of an Influxdb database running on
> HTTPS.
>
> When frontend is configured on http mode, requests are failing with NOSRV
> error.
> When frontend is configured on tcp mode, requests are working.
>
> Example below with http mode on tcp/8086 port and tcp mode on tcp/8087
> with same backend:
>
> #curl -G https://influxdb-drp.example.net:8086/query -u admin:''
> --data-urlencode "q=SHOW DATABASES"
> 503 Service Unavailable
> No server is available to handle this request.
> 
>
> Haproxy log showing NOSRV and SC:
> Jul  8 19:59:44 kalinga haproxy[26228]: 192.168.246.17:52946
> [08/Jul/2017:19:59:44.661] https_influxdb~ https_influxdb/ -1/-1/136
> 212 SC 0/0/0/0/0 0/0
>
>
> #curl -G https://influxdb-drp.example.net:8087/query -u admin:''
> --data-urlencode "q=SHOW DATABASES"
> {"results":[{"statement_id":0,"series":[{"name":"databases",
> "columns":["name"],"values":[["_internal"]]}]}]}
>
> Haproxy log:
> Jul  8 20:00:16 kalinga haproxy[26228]: 192.168.246.17:37142
> [08/Jul/2017:20:00:16.672] https_influxdb_tcp~ influxdb-drp.example.net/
> https_8086 0/2/123 332 -- 1/1/0/0/0 0/0
>
> Haproxy configuration file:
>
> 
> ---
>
> global
> log /dev/log local1 debug
> maxconn 4096
> debug
> tune.ssl.default-dh-param 4096
>
> defaults
> log global
> mode tcp
> option  tcplog
> retries 3
> option redispatch
> maxconn 4000
> timeout connect 5000ms
> timeout client 5ms
> timeout server 5ms
>
> frontend https_influxdb
>   bind 192.168.246.17:8086 ssl crt /data/ssl_certs no-sslv3 ciphers
> ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:
> ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-
> RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:
> DHE-RSA-AES128-SHA:DES-CBC3-SHA:!NULL:!aNULL:!RC4:!RC2:!
> MEDIUM:!LOW:!EXPORT:!DES:!MD5:!PSK:!3DES
>   mode http
>   option dontlognull
>
>   reqadd X-Forwarded-Proto:\ https
>
>   option http-server-close
>   option forwardfor
>
>   acl host_influxdb-drp.example.net hdr(host) -i influxdb-drp.example.net
>   use_backend influxdb-drp.example.net if host_influxdb-drp.example.net
>
> frontend https_influxdb_tcp
>   bind 192.168.246.17:8087 ssl crt /data/ssl_certs no-sslv3 ciphers
> ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:
> ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-
> RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:
> DHE-RSA-AES128-SHA:DES-CBC3-SHA:!NULL:!aNULL:!RC4:!RC2:!
> MEDIUM:!LOW:!EXPORT:!DES:!MD5:!PSK:!3DES
>   mode tcp
>   option dontlognull
>   option http-server-close
>   option tcplog
>
>   default_backend influxdb-drp.example.net
>
> backend influxdb-drp.example.net
>   mode http
>   server https_8086 127.0.0.1:8086 check ssl verify none
>
> 
> ---
>
> How can I configure Haproxy to work on http mode?
>
> M.
>


help for configuration between http and tcp mode

2017-07-08 Thread M
Hi,

I don't understand why http mode is not able to provide a backend server whereas at
the same time tcp mode is able to do it.

I am trying to setup Haproxy in front of an Influxdb database running on HTTPS.

When frontend is configured on http mode, requests are failing with NOSRV error.
When frontend is configured on tcp mode, requests are working.

Example below with http mode on tcp/8086 port and tcp mode on tcp/8087 with 
same backend:

#curl -G https://influxdb-drp.example.net:8086/query -u admin:'' --data-urlencode "q=SHOW DATABASES"
503 Service Unavailable
No server is available to handle this request.

Haproxy log showing NOSRV and SC:
Jul  8 19:59:44 kalinga haproxy[26228]: 192.168.246.17:52946 [08/Jul/2017:19:59:44.661] https_influxdb~ https_influxdb/ -1/-1/136 212 SC 0/0/0/0/0 0/0


#curl -G https://influxdb-drp.example.net:8087/query -u admin:'' --data-urlencode "q=SHOW DATABASES"
{"results":[{"statement_id":0,"series":[{"name":"databases","columns":["name"],"values":[["_internal"]]}]}]}

Haproxy log:
Jul  8 20:00:16 kalinga haproxy[26228]: 192.168.246.17:37142 [08/Jul/2017:20:00:16.672] https_influxdb_tcp~ influxdb-drp.example.net/https_8086 0/2/123 332 -- 1/1/0/0/0 0/0

Haproxy configuration file:

---

global
log /dev/log local1 debug
maxconn 4096
debug
tune.ssl.default-dh-param 4096

defaults
log global
mode tcp
option  tcplog
retries 3
option redispatch
maxconn 4000
timeout connect 5000ms
timeout client 5ms
timeout server 5ms

frontend https_influxdb
  bind 192.168.246.17:8086 ssl crt /data/ssl_certs no-sslv3 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:!NULL:!aNULL:!RC4:!RC2:!MEDIUM:!LOW:!EXPORT:!DES:!MD5:!PSK:!3DES
  mode http
  option dontlognull

  reqadd X-Forwarded-Proto:\ https

  option http-server-close
  option forwardfor

  acl host_influxdb-drp.example.net hdr(host) -i influxdb-drp.example.net
  use_backend influxdb-drp.example.net if host_influxdb-drp.example.net

frontend https_influxdb_tcp
  bind 192.168.246.17:8087 ssl crt /data/ssl_certs no-sslv3 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:!NULL:!aNULL:!RC4:!RC2:!MEDIUM:!LOW:!EXPORT:!DES:!MD5:!PSK:!3DES
  mode tcp
  option dontlognull
  option http-server-close
  option tcplog

  default_backend influxdb-drp.example.net

backend influxdb-drp.example.net
  mode http
  server https_8086 127.0.0.1:8086 check ssl verify none

---

How can I configure Haproxy to work on http mode?

M.