Hello,
On 15 April 2018 at 21:53, Shawn Heisey wrote:
> I'm working on making my application capable of handling service restarts on
> the back end with zero loss or interruption. It runs on two servers behind
> haproxy.
>
> At application shutdown, I'm setting a flag that makes the healthcheck
Hello Willy,
On 6 April 2018 at 14:14, Willy Tarreau wrote:
>> The confusion often arises because haproxy accepts a resolver
>> configuration where no resolvers are configured. Maybe we should
>> reject the configuration when a resolver is referred to in the servers
>> lines, but no actual resol
Hi Willy,
On 6 April 2018 at 11:14, Willy Tarreau wrote:
>> I don't think we need a new config know.
>
> Just thinking, is the goal *not to have to* configure "resolve" on
> server lines in this case, or to avoid having to pre-configure the
> resolvers themselves when they're the same as the sy
Hello Baptiste,
> - (for Lukas) what do you think is better, a configuration option to trigger
> parsing of resolv.conf or as proposed, if no nameserver are found, we use
> resolv.conf as a failback?
I don't think we need a config knob for this; currently we don't do
anything when no nameserver
Hello Emeric,
On 12 January 2018 at 15:57, Emeric Brun wrote:
> Hi All,
>
> FYI: upgrading to next openssl-1.1.1 could break your prod if you're using a
> forced cipher list because
> handshake will fail regardless the tls protocol version if you don't specify
> a cipher valid for TLSv1.3
> in
Hello,
On 22 March 2018 at 11:49, matei marius wrote:
> When I try to access the service from the same IP class with haproxy I see
> the packets having incorrect checksum.
This is most likely due to offloading techniques such as TX
checksumming, where tcpdump will not see the final packet (so a
Hello,
On 8 March 2018 at 06:36, Moomjian, Chad wrote:
> Thanks for the information, Lukas. I'm confused why this is not a default
> option though. Can you think of a time when you would ever want the exact
> same binding in multiple places in the config?
noreuseport is not something that rea
Hello Chad,
On 7 March 2018 at 03:34, Moomjian, Chad wrote:
> Haproxy Developers,
>
>
>
> I recently modified a configuration file for haproxy, and after setting it
> up, I noticed that about half of my requests came back with a 503 error, and
> the other half came back with the correct elements
Hello,
On 6 March 2018 at 11:38, Adrian Veith wrote:
> I had this hang in haproxy after trying out kernel 4.16.0-041600rc1
> after starting haproxy for some minutes. Now I am back on kernel
> 4.15.0-10-generic and everything seems ok so far.
Yeah, this is a kernel bug, you need the fix:
netfilt
Hello Richard,
On 2 March 2018 at 19:37, Richard Lee wrote:
>
> We recently updated our linux kernel from 4.14.19 to 4.14.22, and now haproxy
> hangs forever in a system call:
>
> $ ps -lfC haproxy
> F S UIDPID PPID C PRI NI ADDR SZ WCHAN STIME TTY TIME CMD
> 1 D root
Hello Dave,
On 2 March 2018 at 01:09, Dave Cottlehuber wrote:
> I have 2 TLS cert bundles that I'd like to serve off haproxy, using a single
> IP. Both certs have multiple SANs in them.
>
> - our main production site: api,beta,www.example.com using EV cert
> - a lets-encrypt cert bundle for old
Hello Baptiste,
On 26 February 2018 at 16:04, Baptiste wrote:
> Your use case is right and I perfectly understand it and it makes sense to
> me.
> that said, in my use case, I was using (and meaning) SRV records and using
> consul / kubernetes as backend servers.
> What I saw is that when the re
Responded on discourse:
https://discourse.haproxy.org/t/haproxy-installation-for-an-solaris/2167
Hello Baptiste,
On 21 February 2018 at 19:59, Lukas Tribus wrote:
> Baptiste, I don't think you'd find the symptoms I have in mind
> acceptable on a load-balancer, so there has to be a misunderstanding
> here. I would like to do some tests, maybe I can come up with a sim
Hello Baptiste,
I'm sorry if my comments are blunt, but I think this discussion is
important and I do not want my messages to be ambiguous. I do
appreciate all the work you are doing in the DNS subsystem.
On 21 February 2018 at 18:05, Baptiste wrote:
>> However in Haproxy the administrator *
Hello Sander,
make sure you use "option http-keep-alive" as http mode, specifically
httpclose will cause issue with H2.
If that's not it, please share the configuration; also you may want to
try enabling proxy_ignore_client_abort in the nginx backend [1].
cheers,
lukas
[1]
http://nginx.org/
Hello Baptiste,
On 21 February 2018 at 08:45, Baptiste wrote:
>> Is this downgrade at good thing in the first place? Doesn't it hide
>> configuration and network issues, make troubleshooting more complex
>> and the haproxy behavior less predictable?
>
>
> It is an rfc recommendation (rfc number
Hello Baptiste,
On 19 February 2018 at 18:59, Baptiste wrote:
> Hi guys,
>
> While working with consul, I discovered a "false positive" corner case which
> triggers a downgrade of the accepted_payload_size.
Is this downgrade at good thing in the first place? Doesn't it hide
configuration and ne
Hello,
On 18 February 2018 at 09:58, Dmitry Sivachenko wrote:
>
>> On 15 Feb 2018, at 17:58, Bernard Spil wrote:
>> Hi Lukas,
>>
>> Agree. Updated patch attached.
>>
>> Bernard.
>
>
> Is this patch good, Lukas?
> Any plans to integrate it?
Just two notes: I would patch src/cfgparse.c and
inclu
Hello,
On 15 February 2018 at 13:42, Bernard Spil wrote:
> Hello HAProxy maintainers,
>
> https://github.com/Sp1l/haproxy/tree/20180215-fix-no-NPN
>
> Fix build with OpenSSL without NPN capability
>
> OpenSSL can be built without NEXTPROTONEG support by passing
> -no-npn to the configure script.
Hi Pieter,
On 7 February 2018 at 11:15, Pieter Vogelaar wrote:
> I have a http frontend “default-http” and “default-https”. In the access log
> is the ~ (tilde) character appended to the default-https frontend name, like
> “default-https~”.
>
>
> Why is that?
As per:
http://cbonte.github.io/hap
On 2 February 2018 at 17:44, wrote:
> I`m having problems with running haproxy 1.8 on CentOS 7.4 and originally I
> planned to post my setup, logs and more. But while thinking about this I
> started to doubt that what I am trying is correct.
> Let me explain what I'm doing, perhaps there is a b
Remove the old suggestion to use http-server-close mode, from the
beginnings of keep-alive mode in commit 16bfb021 "MINOR: config: add
option http-keep-alive").
We made http-keep-alive default in commit 70dffdaa "MAJOR: http:
switch to keep-alive mode by default".
---
doc/configuration.txt | 3 --
Hello Martin,
On 1 February 2018 at 17:18, Martin Goldstone wrote:
> Hi,
>
> We've been using haproxy in docker for quite some time to provide reverse
> proxy facilities for many and varied application servers. Typically, we've
> always used option http-server-close in the config, except for ra
Hello,
On 1 February 2018 at 04:43, wrote:
> Thanks for reply, any plan to support this requirement?
>
> If a backend server get killed when processing request, that haproxy
> re-forwarad the request to another backend server?
No, this is problematic for a number of reasons. First of all this
Hello,
On 1 February 2018 at 03:13, Mariam Abboush wrote:
> Hello dear HAproxy stuff
>
>
> How can I configure HAproxy to a specific implementation of TLS, I mean for
> example " Mbed TLS" which is a security library dedicated to the embedded
> systems.
You can't.
Haproxy supports OpenSSL, and
Hello,
On 31 January 2018 at 03:00, wrote:
> Hello,
>
> What exactly does option redispatch do?
As per the documentation:
http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4-option%20redispatch
"In HTTP mode, if a server designated by a cookie is down, clients may
definitely stick
Hello Igor,
On 25 January 2018 at 15:22, Igor Cicimov
wrote:
>> Upgrade to the *current* LTS release, which is Ubuntu Xenial. It ships
>> OpenSSL 1.0.2.
>
>
> For sure I don't have to update the whole distro to get the newest openssl
> :-)
You mean you expect to replace a system library from on
Hello,
On 25 January 2018 at 14:53, Igor Cicimov
wrote:
>
> Hi,
>
> The info below, that openssl version fort he build is little bit oldish isn't
> it?
>
> # haproxy -vv
> [...]
> Built with OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
> Running on OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
> [
Hello,
On 25 January 2018 at 13:26, Igor Cicimov
wrote:
> Hi,
>
> I was testing haproxy 1.8 from the ppa repository and noticed it is not
> build with alpn support so just wonder why?
Which OS exactly?
Lukas
Hello Christopher,
On 16 January 2018 at 15:01, Bart Geesink wrote:
> Hi,
>
> We have an issue in haproxy > 1.8 on CentOS when using SSL in the server
> configuration. Haproxy sometimes logs a http status code "-1" followed
> by the termination_state SDxx. This happens every few requests. When
>
Hey guys,
On 15 January 2018 at 20:49, Willy Tarreau wrote:
> Samuel,
>
> While running a few tests with Christopher's patch in order to integrate
> it, I managed to find a case where I'm still seeing quite a number of
> calls to epoll_wait(0)=0. Studying the patch, I found that there's a
> corne
Hello,
On 13 January 2018 at 20:57, Pavlos Parissis wrote:
> On 13/01/2018 04:22 μμ, Lukas Tribus wrote:
>> Hello,
>>
>>
>> On 13 January 2018 at 15:17, Pavlos Parissis
>> wrote:
>>>> Not exactly, the moment you force a cipher list that does no
Hello,
On 13 January 2018 at 15:17, Pavlos Parissis wrote:
>> Not exactly, the moment you force a cipher list that does not include a
>> TLSv1.3 cipher in the server side (which has TLSv1.3 enabled) the TLS
>> handshake will break regardless of what is in the Client hello.
>>
>
> But, can we hav
Hello,
On 11 January 2018 at 16:36, Jonathan Matthews wrote:
> On 11 January 2018 at 00:03, Imam Toufique wrote:
>> So, I have everything in the listen section commented out:
>>
>> frontend main
>>bind :2200
>>default_backend sftp
>>timeout client 5d
>>
>>
>> #listen stats
>> # bi
Hello Imam,
On Wed, Jan 10, 2018 at 11:49 PM, Imam Toufique wrote:
> Lukas,
>
> Sorry to keep on dragging this, I am confused here. I will admit that I
> have not had the time to read the documentation on this. From what I was
> able to read, I slapped togather this config to get me started.
>
Hi Imam,
On Tue, Jan 9, 2018 at 6:54 PM, Imam Toufique wrote:
> Hi Lukus,
>
> thanks again for your continued help and support! Here is my config file
> with updates now:
>
> frontend main
>bind :2200
>default_backend sftp
>timeout client 5d
>
>
> listen stats
>bind *:2200
>
Hello Imam,
On Tue, Jan 9, 2018 at 2:30 AM, Imam Toufique wrote:
>
> Hi Jonathan, and Lucas,
>
> Thanks for your replies. With your help, I was able to get it work
> partially.
Please always CC the mailing list though.
> frontend main *:2200
>#bind *:22
>default_backend sftp
>ti
Hello Imam,
On Mon, Jan 8, 2018 at 11:24 AM, Jonathan Matthews
wrote:
> On Mon, 8 Jan 2018 at 08:29, Imam Toufique wrote:
>>
>> [ALERT] 007/081940 (1416) : Starting frontend sftp-server: cannot bind
>> socket [0.0.0.0:22]
>> [ALERT] 007/081940 (1416) : Starting proxy stats: cannot bind socket
>
Hello,
On Fri, Jan 5, 2018 at 4:44 PM, William Lallemand
wrote:
> I'm able to reproduce, looks like it happens with the nbthread parameter only,
> I'll try to find the problem in the code.
FYI there is a report on discourse mentioning this problem, and the
poster appears to be able to reproduce
Hello Pierre,
On Fri, Jan 5, 2018 at 11:48 AM, Pierre Cheynier wrote:
> Hi list,
>
> We've recently tried to upgrade from 1.8.0 to 1.8.1, then 1.8.2, 1.8.3
> on a preprod environment and noticed that the reload is not so seamless
> since 1.8.1 (easily getting TCP RSTs while reloading).
>
> Havin
Hi Angelo,
On Thu, Jan 4, 2018 at 11:11 PM, Angelo Hongens wrote:
> On 03-01-2018 17:39, Lukas Tribus wrote:
>>
>> To compile Haproxy 1.8 with threads, at least GCC 4.7 is needed.
>> CentOs 6 only ships GCC 4.4.7, therefor compilation fails.
>> You can disabl
Hi Willy,
On Wed, Jan 3, 2018 at 10:04 PM, Willy Tarreau wrote:
>> To compile Haproxy 1.8 with threads, at least GCC 4.7 is needed.
>> CentOs 6 only ships GCC 4.4.7, therefor compilation fails.
>
> If these are the only failures, maybe we can try and see if we find
> equivalent builtins for olde
Hello,
On Wed, Jan 3, 2018 at 9:51 PM, Willy Tarreau wrote:
> On Wed, Jan 03, 2018 at 09:31:47PM +0100, Willy Tarreau wrote:
>> Oh I think you've just put your finger on it. I remember taking care
>> of handling 0-sized frames, and facing certain difficulties with them
>> (eg: sometimes returnin
Hello,
On Wed, Jan 3, 2018 at 5:56 PM, Willy Tarreau wrote:
>> When moving the affected HREM code above the "return 0" branch, Edge
>> works fine again.
>>
>> The attached patch fixes the issue for me, please give it a try.
>
> The problem with doing this is that when we have to stop transferrin
Hello Devendra,
On Wed, Jan 3, 2018 at 5:29 PM, Devendra Joshi
wrote:
> Hi,
>
> I am using Haproxy 1.7-stable version and its working fine.
> now i am upgrading to 1.8-stable, but i am getting error.
>
> do i need to update some package for this or can work with existing config.
>
> OS : CentOS
Hello Peter,
On Wed, Jan 3, 2018 at 2:59 PM, Lukas Tribus wrote:
> I will come back later and take a deeper look at both strace and the capture.
So, this is broken since c4134ba8b0 ("BUG/MEDIUM: h2: don't switch the
state to HREM before end of DATA frame").
And indeed Edge
Hello Peter,
On Wed, Jan 3, 2018 at 12:00 PM, Peter Lindegaard Hansen
wrote:
>
> Hi List,
>
> We updated one of our haproxy boxes to the newly released 1.8.3 - thanks!
>
> Then we got reports of IE being slow, when we looked into the claims we found
> that it seems to related to POSTs that resp
Hello,
On Wed, Jan 3, 2018 at 9:02 AM, Pavlos Parissis
wrote:
> On 03/01/2018 08:50 πμ, Maximilian Böhm wrote:
>> Debian (Jessie) distributes Haproxy 1.5.8.3
>>
>
> Well, Debian users can also use https://haproxy.debian.net/ to get any
> version they want.
> For more details, please read
> http
Hello Willy,
regarding soft-stop H2 behavior, we may have room for improvement.
We often have "timeout client" (H2) in the 30 - 60 seconds range,
while "timeout http-keep-alive" (H1) may only be a few seconds (or
less). When we soft-stop a process we add "Connection: close" to all
H1 responses
Hi Jim,
On Fri, Dec 29, 2017 at 10:14 PM, Jim Freeman wrote:
> Looks like libresolv 's res_ninit() parses out /etc/resolv.conf 's
> nameservers [resolv.h], so haproxy won't have to parse it either ...
>
> Will keep poking.
Do give it some time to discuss the implementation here first though,
be
Hello,
On Fri, Dec 29, 2017 at 7:00 PM, Jim Freeman wrote:
> I'm a bit befuddled by the different nameserver config 'twixt these 2 modes?
> [ Methinks I grok the need for an internal non-libc/libresolv resolver ]
>
> Why isn't the the /etc/resolv.conf start-time config used (or at least
> availa
Hello Mariusz,
On Fri, Dec 29, 2017 at 4:17 PM, Mariusz Kalota wrote:
> Ok. I fixed it.
> My currently working config:
>
> listen https-test-5
> bind *:5
> mode tcp
> balance roundrobin
> option httpchk GET /somefile.asmx HTTP/1.1\r\nHost test.site.local:5
> server server1 192.168.0
Hi Willy,
On Fri, Dec 29, 2017 at 3:58 PM, Willy Tarreau wrote:
> On Fri, Dec 29, 2017 at 03:42:30PM +0100, Willy Tarreau wrote:
>> OK I managed to reproduce it with nghttp using --expect-continue to
>> force it to leave a pause before sending the data. And indeed there
>> the data are immediate
Hello,
On Fri, Dec 29, 2017 at 3:24 PM, Mariusz Kalota wrote:
> Hello, thanks for reply.
>
> I would like to forward the encrypted HTTPS transparently to the
> backend. I would like to check health my backend servers, but not only
> on layer 4, but on layer 7. So I have to get /somefile.asmx, an
Hello,
On Fri, Dec 29, 2017 at 3:05 PM, Willy Tarreau wrote:
>> Haproxy calls shutdown() after the HTTP payload was transmitted, nginx
>> in the default configuration or nc for that matter closes the
>> connection (we see recvfrom = 0) and then we close():
>
> I can't reproduce this one for now.
Hello,
On Fri, Dec 29, 2017 at 3:06 PM, Mariusz Kalota wrote:
> I have two serwers. Servers need client certificate to give answer. My
> configuration is like this:
>
> listen https-test-5
> bind *:5
> mode tcp
> balance roundrobin
> option httpchk GET /somefile.asmx
> server server1 19
Hello,
On Fri, Dec 29, 2017 at 2:45 PM, Mariusz Kalota wrote:
> Hello,
> I would like to ask about new feature in haproxy 1.8:
> check-sni
>
> Please give me some example how I can use this.
It's as simple as:
check-sni
So a backend would look like this for example:
backend secure_wwwfarm
s
Hello,
On Fri, Dec 29, 2017 at 2:31 PM, Willy Tarreau wrote:
> On Fri, Dec 29, 2017 at 11:45:55AM +0100, Lukas Tribus wrote:
>> The FIN behavior comes from a48c141f4 ("BUG/MAJOR: connection: refine
>> the situations where we don't send shutw()"), which also hit
Hello,
On Fri, Dec 29, 2017 at 11:22 AM, Lukas Tribus wrote:
> It's that:
> - when sending the POST request to the backend server, haproxy sends a
> FIN before the server responds
> - nginx doesn't like that and closes the request (you will see nginx
> error code
Hello,
On Fri, Dec 29, 2017 at 8:13 AM, Willy Tarreau wrote:
> Yep. For what it's worth, it's been enabled for about one month on haproxy.org
> and till now we didn't get any bad report, which is pretty encouraging.
It appears to run 1.7.5 though:
http://demo.haproxy.org/
>> For now, I'll p
Hello,
On Thu, Dec 28, 2017 at 10:26 PM, Lucas Rolff wrote:
>> the output of the http2 golang test and can you please both clarify which OS
>> you reproduce this on?
>
> If I visit http2 golang test, I also don’t see it, and I saw it in developer
> tools (Because dev tools shouldn’t put header
Hello,
On Thu, Dec 28, 2017 at 12:29 PM, Lukas Tribus wrote:
> Hello,
>
>
>> But in this example, you're using HTTP/1.1, The "Connection" header is
>> perfectly valid for 1.1. It's HTTP/2 which forbids it. There is no
>> inconsistency here.
>
Hello,
On Thu, Dec 28, 2017 at 4:18 PM, Andrew Smalley
wrote:
>
> Hi Lukas
>
> Thank you for the correction. I didn't even think about using CAP_SYS_ADMIN
> to give a standard user more privs.
>
> Out of interest would CAP_NET_BIND_SERVICE not be a better choice than
> giving haproxy full adm
Hello,
On 28 December 2017 at 11:24, Senthil Naidu
wrote:
>
> Hi,
>
> Is there any way to run haproxy as non-root with backend configured inside
> the
> namespace as seen below but the same shows “general socket error” , if we run
> the same by removing the user and group from haproxy and run
Hello,
> But in this example, you're using HTTP/1.1, The "Connection" header is
> perfectly valid for 1.1. It's HTTP/2 which forbids it. There is no
> inconsistency here.
For me a request like this:
$ curl -kv --http2 https://localhost/111 -H "Connection: keep-alive"
-d "bla=bla"
Fired multiple
Hello,
> I'm sorry but I don't understand what you call "this" above nor what you
> mean by "updating the config".
>
> If the server is running in http2 mode, and servicing connections, updating
> the config as shown below is no longer instantaneous. Takes over 5 minutes.
So what you are saying
Hello Lucas,
On Wed, Dec 27, 2017 at 9:24 PM, Lucas Rolff wrote:
> Can't even compose an email correctly..
>
> So:
>
> I experience the same issue however with nginx as a backend.
>
> I tried enabling “option httplog” within my frontend, it's rather easy for
> me to replicate, it affects a few
Hello Pieter,
On Tue, Dec 26, 2017 at 1:08 AM, PiBa-NL wrote:
> Hi Lucas, William,
>
> I've made a patch which 'i think' fixes the issue with fclose called 'to
> often?'.
> Can you guys verify?
I can confirm the patch fixes the issue reported; whether it does it
"the correct way" - I don't know
Hello,
as per the report from sagaxu on discourse:
https://discourse.haproxy.org/t/listen-socket-closed-after-reloading-by-sigusr2/1925
It appears master-worker reload (USR2 to the master process) is
currently broken.
When sending USR2 to the master process, all sockets are closed and
while a w
Hell Chris,
2017-12-11 20:04 GMT+01:00 Christian Bönning :
> Hi,
>
> I recently switched from nginx to haproxy 1.8 for SSL termination and load
> balancing in front of my application but saw an odd behaviour with "alpn
> h2,http/1.1" enabled on my frontend.
>
> I'm running a single haproxy inst
Hello Willy,
2017-12-07 19:55 GMT+01:00 Willy Tarreau :
> Guys,
>
> just to warn you, there's currently an issue affecting HTTP/2 with POST
> payloads to "slow" servers.
Ok, the POST issue is obviously more important, but just to provide a
complete picture we also have those 2 minor issues left
Hello,
as reported by Martin Brauer:
https://discourse.haproxy.org/t/config-frontend-global-has-no-bind-directive/1858
If we configure "stats timeout", but no corresponding socket, haproxy
emits a bogus warning at startup about the "frontend GLOBAL" not
having a bind directive:
global
#stats s
Hello Christopher,
2017-12-01 20:59 GMT+01:00 Christopher Lane :
>
> gist with backtrace, -vv output, and config file. Also strace.
>
> https://gist.github.com/jayalane/c6dbe7918aa9635b62c874d20f57dfec
>
> It does all the listens and then right after the first epoll is done it has
> this segv.
continuing ...
2017-12-04 9:21 GMT+01:00 Lukas Tribus :
> More specifically this requires SSL renegotiation, which has been
> removed in TLSv1.3 to further simplify things, so even Apache won't be
> able to do this once you upgrade to TLSv1.3.
>
> So really thi
Hello,
2017-12-02 12:32 GMT+01:00 Vincent Bernat :
> If verify mode is set to optional, on browsers, this will still trigger
> the dialog box to get a certificate from the user. AFAIK, there is no
> way to achieve what Apache is doing using HAProxy: there is no code to
> change SSL parameters aft
Clarifies that in HTTP2 we don't consider "timeout http-keep-alive", but
"timeout client" instead.
---
Willy, feel free to change the wording or drop the note in the "timeout
client" section, I think the important information is in http-keep-alive
section.
Thanks,
Lukas
---
doc/configuration.txt
Hi,
2017-11-24 15:52 GMT+01:00 Willy Tarreau :
>> - "timeout http-keep-alive" is not used
>
> I thought about trying to use it instead of timeout.client but felt
> uncertain about this. Maybe it would make more sense. What's your
> opinion ?
See below.
>> Should http-keep-alive be limited to
Hi Willy,
2017-11-24 10:43 GMT+01:00 Willy Tarreau :
> So in the end here's what I've done :
>
> - implemented a new "reject" HTTP action. I initially started with
> "close" and while documenting it I noticed it does exactly the same
> as the tcp-request "reject" action, and we already
Hello,
2017-11-23 11:57 GMT+01:00 张伟 <18618373...@163.com>:
>
>
> Hi Lukas. Thank you for your reply.
> I use haproxy as tcp load balancer. There are many client logs saying
> responses reach client more than 10 seconds after sending request. Is this
> just caused by network? I add some more i
Hello 18618373702,
2017-11-23 10:51 GMT+01:00 张伟 <18618373...@163.com>:
>
> Hi. I encounter a problem when using haproxy. Can you give me some advice?
>
> Here is the problem:
> There are many connections with high send-q state. 457/(8701/2) is almost
> 10%. This only happens between haproxy and
The 1.7 release did not update the first paragraph in README, but 1.7
is now stable. Update README as to not confuse users.
This is for 1.7 only.
---
README | 11 ++-
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/README b/README
index 8f674d3..8be7fa1 100644
--- a/README
+
Hello Guy,
2017-11-23 8:59 GMT+01:00 guy shilo :
> Hello
>
> I need to install HAproxy so I visited the project web site and downloaded
> the latest stable version (1.7 according to the table in the site).
>
> When I extracted the file and looked at the readme file I was surprised to
> see a warn
Hello Willy,
2017-11-22 6:50 GMT+01:00 Willy Tarreau :
> Hi Lukas,
>
> On Wed, Nov 22, 2017 at 01:43:32AM +0100, Lukas Tribus wrote:
>> In fact this confuses Chrome and leads to a hung connection that clears
>> only by "timeout client" or "timeout server&qu
Since af1e4f5167 ("MEDIUM: h2: perform a graceful shutdown on "Connection:
close"") we send GOAWAY with last stream identifier set to 2^31-1, as per
the RFC suggestion [1]. However that is only part of what the RFC suggests
if we want to close the connection gracefully; after at least 1 RTT we
woul
Hello,
2017-11-21 13:54 GMT+01:00 Daniel Schneller :
> However, I still wonder if there is a good way to discern these from
> “actual"bad requests in the stats, so that we can rely on the error counters
> to show “real” problems.
>
> Some kind of “haproxy-to-haproxy” health checking that does not
Hallo Daniel,
2017-11-21 10:08 GMT+01:00 Daniel Schneller :
> However, I see lots of 4xx errors counted on the central LBs. I have tracked
> those down to being caused by the health checks of all the sidecars,
> checking in every few seconds to see if their backends are healthy.
>
> The log shows
Since we switched to notify mode in the systemd unit file in commit
d6942c8, haproxy won't start if the daemon keyword is present in the
configuration.
This change makes sure that haproxy remains in foreground when using
systemd mode and adds a note in the documentation.
---
doc/configuration.txt
Since we switched to notify mode in the systemd unit file in commit
d6942c8, haproxy won't start if the daemon keyword is present in the
configuration.
Update the unit file with -db to disable background mode in all
circumstances and add a note in the documentation.
---
contrib/systemd/haproxy.se
Hello,
2017-11-21 11:18 GMT+01:00 Willy Tarreau :
>> That's not it, the hold-off timer is only a consequence of this
>> problem.
>
> OK but if it's really 100ms, it can be a problem for people loading GeoIP
> maps of millions of entries, or large configs (the largest I saw had 30
> backends a
Hello,
2017-11-21 8:39 GMT+01:00 William Lallemand :
> On Tue, Nov 21, 2017 at 07:16:19AM +0100, Willy Tarreau wrote:
>>
>> I really don't like this. My fears with becoming more systemd-friendly
>> was that we'd make users helpless when something decides not to work
>> just to annoy them, and th
Hello Tim,
2017-11-20 15:58 GMT+01:00 Tim Düsterhus :
> From: Tim Duesterhus
>
> This patch adds support for `Type=notify` to the systemd unit.
>
> Supporting `Type=notify` improves both starting as well as reloading
> of the unit, because systemd will be let known when the action completed.
I
Hello,
2017-11-19 11:09 GMT+01:00 Haim Ari :
>
> Hello,
>
>
> Our haproxy sends logs through rsyslog (UDP) many messages are "chopped"
> after ~ 1300 characters
>
> After some testing i think the limit is MTU
>
>
> What would be the right way to handle this so that all messages (~3K) will
> arr
2017-11-16 16:24 GMT+01:00 omer kirkagaclioglu :
> Hi Lukas,
>
> Thanks for the quick answer. I am using haproxy on another service which
> consists of GET requests with very small query parameters. It load balances
> to a backend with 4 servers with 3K-20K requests per second. This time I
> see 3
Hello Dan,
2017-11-15 17:01 GMT+01:00 Moore, Dan :
> Hello all,
>
>
>
> I just want to confirm something regarding timeouts. I have them set
> globally but have one application group which is requesting longer timeouts.
> Does setting them in a frontend override the global timeouts?
You mean th
Hello,
2017-11-10 23:43 GMT+01:00 PiBa-NL :
> Okay have been running with haproxy-ss-20171017 for a day now. Sofar it
> sticks to <1% cpu usage.
FYI a similar report is on discourse, on linux without splicing
involved. Upgrading from 1.7.9 to haproxy-ss-20171017 appears to have
solved the proble
Hello,
2017-11-07 17:55 GMT+01:00 Krishna Kumar (Engineering)
:
> Hi Lukas,
>
> On Tue, Nov 7, 2017 at 6:46 PM, Lukas Tribus wrote:
>
>> I'd suggest to use maxconn. This limits the amount of connections opened
>> to a single server, and is therefor equivalent to
Hello,
>> If you don't require specific source IP's per server, than just remove
>> the "source ip:port-range" keyword altogether, the kernel will take
>> care of everything. Just make sure that your sysctls permit a similar
>> source port range.
>
> thanks. That helps.
>
>
>> If you need specifi
Hello,
2017-11-07 10:46 GMT+01:00 Krishna Kumar (Engineering)
:
> Hi all,
>
> I am trying to implement request rate limiting to protect our servers from
> too
> many requests. While we were able to get this working correctly in the
> frontend section, it is required to implement the same in the
Hallo Michael,
2017-11-06 22:47 GMT+01:00 Michael Schwartzkopff :
> Am 06.11.2017 um 22:39 schrieb Baptiste:
>> On Mon, Nov 6, 2017 at 10:14 PM, Michael Schwartzkopff wrote:
>>
>>> Hi,
>>>
>>> I have a problem setting up a haproxy 1.6.13 that starts several
>>> processes. In the config I have n
401 - 500 of 1690 matches
Mail list logo