Re: use env variables in bind for bind options

2016-05-20 Thread Aleksandar Lazic

Hi Holger

On 20-05-2016 17:02, Holger Just wrote:

> Hi Aleks,
>
> Aleksandar Lazic wrote:
>> My conclusion is that with or without " the ${...} is not substituted,
>> at least in the bind line.
>
> From your output, it looks like you are using an older version of
> HAProxy.


yep.


[root@4a9889bfd2ac conf]# haproxy -vv
HA-Proxy version 1.5.14 2015/07/02
Copyright 2000-2015 Willy Tarreau 

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1


Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200


Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND


Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.



> The behavior of quoted strings in the config changed in HAProxy
> 1.6. It appears you are using an older version (e.g. 1.5) which does
> indeed not support this syntax.
>
> That said, even on HAProxy 1.5.14, I have been able to validate your
> syntax (there without the quotes).
>
> Please ensure you are using a reasonably up-to-date version of HAProxy
> (which you can verify with `haproxy -vv`) and that you actually set all
> used environment variables with their respective values when starting
> HAProxy.


Okay I have now used more or less recent versions ;-).

curl -vO http://www.haproxy.org/download/1.7/src/snapshot/haproxy-ss-20160520.tar.gz

curl -vO http://www.haproxy.org/download/1.6/src/haproxy-1.6.5.tar.gz
curl -vO http://www.haproxy.org/download/1.5/src/haproxy-1.5.18.tar.gz


> The last one is crucial as HAProxy does not replace environment
> variables in the config file if the environment variable is not actually
> defined. From your original output, it appears you are not defining the
> ${ROUTER_SERVICE_HTTPS_PORT_BIND_OPTONS} variable in the environment
> which thus results in the parse error.


Looks like you are right.

test_env_haproxy.conf 
https://gist.github.com/anonymous/4c9af7b622d072c7a58d85d5794e0fa7


20.05.2016 22:30 export PORT=8081
20.05.2016 22:30 export PORT_OPTS="accept-proxy"

OK
haproxy-1.6.5/haproxy -f test_env_haproxy.conf -d
haproxy-ss-20160520/haproxy -f test_env_haproxy.conf -d

NOK
haproxy-1.5.18/haproxy -f test_env_haproxy.conf -d

Thanks.

Best regards
Aleks



Re: use env variables in bind for bind options

2016-05-20 Thread Holger Just
Hi Aleks,

Aleksandar Lazic wrote:
> My conclusion is that with or without " the ${...} is not substituted,
> at least in the bind line.

From your output, it looks like you are using an older version of
HAProxy. The behavior of quoted strings in the config changed in HAProxy
1.6. It appears you are using an older version (e.g. 1.5) which does
indeed not support this syntax.

That said, even on HAProxy 1.5.14, I have been able to validate your
syntax (there without the quotes).

Please ensure you are using a reasonably up-to-date version of HAProxy
(which you can verify with `haproxy -vv`) and that you actually set all
used environment variables with their respective values when starting
HAProxy.

The last one is crucial as HAProxy does not replace environment
variables in the config file if the environment variable is not actually
defined. From your original output, it appears you are not defining the
${ROUTER_SERVICE_HTTPS_PORT_BIND_OPTONS} variable in the environment
which thus results in the parse error.

Regards,
Holger
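
An added example, not part of the original thread: a pre-flight check for the failure described in the reply above, where a `${...}` reference stays unexpanded because the variable is not defined when HAProxy starts. The function name `undefined_cfg_vars` and the sample config are constructed for illustration, and only the braced `${NAME}` form is scanned.

```shell
#!/bin/sh
# Added example, not code from the thread. Reports every ${NAME} reference in
# an HAProxy config whose variable is missing from the environment.

# Prints "file:line: ${NAME} is not set ..." per missing variable.
# Returns 0 if all are set, 1 if any is missing, 2 if the file is unreadable.
undefined_cfg_vars() {
    cfg=$1
    status=0
    # Skip comment-only lines, then emit "line:NAME" for each ${NAME} found.
    refs=$(awk '!/^[ \t]*#/ {
        rest = $0
        while (match(rest, /[$][{][A-Za-z_][A-Za-z0-9_]*[}]/)) {
            print NR ":" substr(rest, RSTART + 2, RLENGTH - 3)
            rest = substr(rest, RSTART + RLENGTH)
        }
    }' "$cfg") || return 2
    for ref in $refs; do
        name=${ref#*:}
        # printenv only sees exported variables, which is what a child
        # haproxy process would inherit; set-but-empty counts as defined.
        if ! printenv "$name" >/dev/null; then
            echo "$cfg:${ref%%:*}: \${$name} is not set in the environment"
            status=1
        fi
    done
    return $status
}

# Constructed sample config modelled on the test in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# bind :${OLD_PORT}
frontend public
    bind :${PORT} ${PORT_OPTS}
EOF
export PORT=8081
unset PORT_OPTS
undefined_cfg_vars "$sample" || echo "not starting haproxy: fix the above"
rm -f "$sample"
```

Run from a container entrypoint before starting HAProxy, a non-zero return points at the config line and variable name rather than leaving the cause to be inferred from the 'unknown keyword' alert.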



Re: use env variables in bind for bind options

2016-05-20 Thread Aleksandar Lazic

Hi Holger.

On 20-05-2016 15:49, Holger Just wrote:

> Hi Aleks,
>
> Aleksandar Lazic wrote:
>> ### bind :${ROUTER_SERVICE_HTTP_PORT}
>> ${ROUTER_SERVICE_HTTP_PORT_BIND_OPTONS} ###
>>
>> It looks to me that this is not possible.
>
> To quote from Section 2.3 of configuration.txt:
>
>> Those variables are interpreted only within double quotes. Variables
>> are expanded during the configuration parsing. Variable names must be
>> preceded by a dollar ("$") and optionally enclosed with braces ("{}")
>> similarly to what is done in Bourne shell.
>
> Thus, it should work once you enclose your bind values into double
> quotes (without the potential linebreak added by my mail client):
>
> bind ":${ROUTER_SERVICE_HTTP_PORT}"
> "${ROUTER_SERVICE_HTTP_PORT_BIND_OPTONS}"
>
> This will however prevent you from setting multiple (space-separated)
> bind options as they will only be recognized as a single value due to
> the quotes.


Thanks for the answer.

Here are the tests which I have done.

#
bind ":${ROUTER_SERVICE_HTTP_PORT}" "${ROUTER_SERVICE_HTTP_PORT_BIND_OPTONS}"


+ /usr/sbin/haproxy -f /var/lib/haproxy/conf/haproxy.config -p /var/lib/haproxy/run/haproxy.pid
[ALERT] 140/141739 (19) : parsing [/var/lib/haproxy/conf/haproxy.config:55] : 'bind' : invalid address: '"' in '":${ROUTER_SERVICE_HTTP_PORT}"'
[ALERT] 140/141739 (19) : Error(s) found in configuration file : /var/lib/haproxy/conf/haproxy.config

[ALERT] 140/141739 (19) : Fatal errors found in configuration.
#

#
bind :"${ROUTER_SERVICE_HTTP_PORT}" "${ROUTER_SERVICE_HTTP_PORT_BIND_OPTONS}"


+ /usr/sbin/haproxy -f /var/lib/haproxy/conf/haproxy.config -p /var/lib/haproxy/run/haproxy.pid
[ALERT] 140/142049 (18) : parsing [/var/lib/haproxy/conf/haproxy.config:55] : 'bind' : invalid character '"' in port number '"9080"' in ':"${ROUTER_SERVICE_HTTP_PORT}"'
[ALERT] 140/142049 (18) : Error(s) found in configuration file : /var/lib/haproxy/conf/haproxy.config

[ALERT] 140/142049 (18) : Fatal errors found in configuration.
#

#
bind :${ROUTER_SERVICE_HTTP_PORT} "${ROUTER_SERVICE_HTTP_PORT_BIND_OPTONS}"


+ /usr/sbin/haproxy -f /var/lib/haproxy/conf/haproxy.config -p /var/lib/haproxy/run/haproxy.pid
[ALERT] 140/142259 (19) : parsing [/var/lib/haproxy/conf/haproxy.config:55] : 'bind :${ROUTER_SERVICE_HTTP_PORT}' unknown keyword '"${ROUTER_SERVICE_HTTP_PORT_BIND_OPTONS}"'. Registered keywords :

[ ALL] accept-proxy
[ ALL] backlog 
[ ALL] id 
[ ALL] maxconn 
[ ALL] name 
[ ALL] nice 
[ ALL] process 
[UNIX] gid 
[UNIX] group 
[UNIX] mode 
[UNIX] uid 
[UNIX] user 
[STAT] level 
[ TCP] defer-accept
[ TCP] interface 
[ TCP] mss 
[ TCP] tcp-ut 
[ TCP] tfo
[ TCP] transparent
[ TCP] v4v6
[ TCP] v6only
[ SSL] alpn 
[ SSL] ca-file 
[ SSL] ca-ignore-err 
[ SSL] ciphers 
[ SSL] crl-file 
[ SSL] crt 
[ SSL] crt-ignore-err 
[ SSL] crt-list 
[ SSL] ecdhe 
[ SSL] force-sslv3
[ SSL] force-tlsv10
[ SSL] force-tlsv11
[ SSL] force-tlsv12
[ SSL] no-sslv3
[ SSL] no-tlsv10
[ SSL] no-tlsv11
[ SSL] no-tlsv12
[ SSL] no-tls-tickets
[ SSL] ssl
[ SSL] strict-sni
[ SSL] verify 
[ SSL] npn 
[ALERT] 140/142259 (19) : Error(s) found in configuration file : /var/lib/haproxy/conf/haproxy.config

[ALERT] 140/142259 (19) : Fatal errors found in configuration.
#

My conclusion is that with or without " the ${...} is not substituted, 
at least in the bind line.


Best regards
aleks



Re: use env variables in bind for bind options

2016-05-20 Thread Holger Just
Hi Aleks,

Aleksandar Lazic wrote:
> ### bind :${ROUTER_SERVICE_HTTP_PORT} 
> ${ROUTER_SERVICE_HTTP_PORT_BIND_OPTONS} ###
> 
> It looks to me that this is not possible.

To quote from Section 2.3 of configuration.txt:

> Those variables are interpreted only within double quotes. Variables 
> are expanded during the configuration parsing. Variable names must be
> preceded by a dollar ("$") and optionally enclosed with braces ("{}")
> similarly to what is done in Bourne shell.

Thus, it should work once you enclose your bind values into double
quotes (without the potential linebreak added by my mail client):

bind ":${ROUTER_SERVICE_HTTP_PORT}"
"${ROUTER_SERVICE_HTTP_PORT_BIND_OPTONS}"

This will however prevent you from setting multiple (space-separated)
bind options as they will only be recognized as a single value due to
the quotes.

Regards,
Holger



use env variables in bind for bind options

2016-05-20 Thread Aleksandar Lazic

Hi.

Today I tried some fancy stuff ;-).

https://github.com/git001/openshift_custom_haproxy_ext/commit/d30fdb4fae0988b9a35ee43fef5cf247ae822f6f#diff-f81691f60803593ee683f75fb91cdd03

###
bind :${ROUTER_SERVICE_HTTP_PORT} ${ROUTER_SERVICE_HTTP_PORT_BIND_OPTONS}

###

It looks to me that this is not possible.


/usr/sbin/haproxy -f /var/lib/haproxy/conf/haproxy.config -p /var/lib/haproxy/run/haproxy.pid
[ALERT] 140/092135 (19) : parsing [/var/lib/haproxy/conf/haproxy.config:55] : 'bind :${ROUTER_SERVICE_HTTP_PORT}' unknown keyword '${ROUTER_SERVICE_HTTP_PORT_BIND_OPTONS}'. Registered keywords :

[ ALL] accept-proxy
[ ALL] backlog 
[ ALL] id 
[ ALL] maxconn 
[ ALL] name 
[ ALL] nice 
[ ALL] process 
[UNIX] gid 
[UNIX] group 
[UNIX] mode 
[UNIX] uid 
[UNIX] user 
[STAT] level 
[ TCP] defer-accept
[ TCP] interface 
[ TCP] mss 
[ TCP] tcp-ut 
[ TCP] tfo
[ TCP] transparent
[ TCP] v4v6
[ TCP] v6only
[ SSL] alpn 
[ SSL] ca-file 
[ SSL] ca-ignore-err 
[ SSL] ciphers 
[ SSL] crl-file 
[ SSL] crt 
[ SSL] crt-ignore-err 
[ SSL] crt-list 
[ SSL] ecdhe 
[ SSL] force-sslv3
[ SSL] force-tlsv10
[ SSL] force-tlsv11
[ SSL] force-tlsv12
[ SSL] no-sslv3
[ SSL] no-tlsv10
[ SSL] no-tlsv11
[ SSL] no-tlsv12
[ SSL] no-tls-tickets
[ SSL] ssl
[ SSL] strict-sni
[ SSL] verify 
[ SSL] npn 
[ALERT] 140/092135 (19) : parsing [/var/lib/haproxy/conf/haproxy.config:81] : 'bind :${ROUTER_SERVICE_HTTPS_PORT}' unknown keyword '${ROUTER_SERVICE_HTTPS_PORT_BIND_OPTONS}'.
[ALERT] 140/092135 (19) : Error(s) found in configuration file : /var/lib/haproxy/conf/haproxy.config

[ALERT] 140/092135 (19) : Fatal errors found in configuration.


It looks like bind_find_kw() is not able to do the ENV evaluation in
${...} syntax.


http://git.haproxy.org/?p=haproxy-1.5.git;a=blob;f=src/cfgparse.c#l2319
http://git.haproxy.org/?p=haproxy-1.5.git;a=blob;f=src/listener.c#l538

That's the reason why I get the error message.

http://git.haproxy.org/?p=haproxy-1.5.git;a=blob;f=src/cfgparse.c#l2361

What do you think, does it make sense to add the possibility for
bind_find_kw() to first parse the ${...} content and then go further in
the process?


If you ask 'Why does he want to do this':

I want to be able to add some options to the bind line, currently
accept-proxy, dynamically in a docker/openshift image, to avoid building
the image just to add a bind option.


I need to do this because we run openshift router in front of AWS ELB 
and want to be able to do this


http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-proxy-protocol.html

I want to be able to just make a

oc env dc/router ROUTER_SERVICE_HTTP_PORT_BIND_OPTONS="accept-proxy"

if the ELB is configured with the proxy protocol option.

For OpenShift I will add a PR to add something similar to
ROUTER_SERVICE_HTTP_PORT


https://github.com/openshift/origin/blob/master/images/router/haproxy/conf/haproxy-config.template#L67

but for plain haproxy it would be nice to have this feature also ;-)

Opinions?

Best regards
Aleks