I've looked at this previous question HAProxy health check and see that the HAProxy directives have changed significantly in this area. The "monitor" directive seems to be the modern way to do this.
I want to have a proxy running in tcp mode, that's capable of reporting its availability to clients.
I can have a separate listener in http mode, that gives a 200OK response:
frontend main
# See "bind" documentation at https://docs.haproxy.org/2.6/configuration.html#4.2-bind
# The proxy will listen on all interfaces for connections to the specified port.
# Connections MUST use the Proxy Protocol (v1 or v2).
# The proxy can ialso Listen on ipv4 and ipv6.
bind :::5000 accept-proxy
bind *:5000 accept-proxy
mode tcp
# Detailed connection logging
log global
option tcplog
# Only certain hosts (sending MTAs) can use this proxy, enforced via ACL
acl valid_client_mta_hosts src 127.0.0.1 172.31.25.101
tcp-request connection reject if !valid_client_mta_hosts
use_backend out
frontend health_check
mode http
bind :::5001
bind *:5001
monitor-uri /haproxy_test
log global # comment this out to omit healthchecks from the logs
however that seems to admit the possibility that 5001 might be up, but there's a problem with 5000.
Is there a way to enable monitoring directly of the mode tcp frontend with recent directives?
Here's a possible workaround:
Use a client that can add the proxy header, to ping the tcp front-end.
Make a request toward the proxy health service.
The source and dest of the request can be the "loopback" address.
./happie 35.90.110.253:5000 127.0.0.1:0 127.0.0.1:5001
Sending header version 2
00000000 0d 0a 0d 0a 00 0d 0a 51 55 49 54 0a 21 11 00 0c |.......QUIT.!...|
00000010 7f 00 00 01 7f 00 00 01 00 00 13 89 |............|
HTTP/1.1 200 OK
content-length: 58
cache-control: no-cache
content-type: text/html
<html><body><h1>200 OK</h1>
Service ready.
</body></html>
You can use track for health checks on different ports.
Example code
backend be_static
# more config options
server static_stor host:5000 track be_static_check_stor/static_check more_server_params
# check backend
backend be_static_check_stor
# more config options
server static_check host:5001 check more_server_params
Related
i just want to save log for backend request and the restarting of haproxy service in haproxy,
this is the configuration of my haproxy.
[appadmin#sltxh5gvt4c rsyslog.d]$ cat /etc/rsyslog.conf
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Save haproxy log
local3.* /var/log/haproxylog/haproxy.log
# Save keepalived log
local2.* /var/log/keepalived/keepalived.log
++++++++++ this is haproxy.cfg
defaults
option forwardfor
log global
option httplog
log 127.0.0.1 local3
frontend case3
bind :80
mode http
log global
option httpclose
timeout client 5000
acl sabrix path_beg -i /sabrix
acl geolink path_beg -i /axis2
use_backend sabrix_servers if sabrix
use_backend us_geolink if geolink
capture request header Host len 64
capture request header User-Agent len 128
capture request header X-Forwarded-For len 100
capture request header Referer len 200
capture response header Server len 40
capture response header Server-ID len 40
log-format %ci:%cp\ %si:%sp\ %ST\ %r\ %b\ %f\ %bi\
+++++++++++++++++++++++++ haproxy.log
2020-06-14T23:33:36+08:00 localhost haproxy[27891]: 10.12.12.12:42164 -:- 400 <BADREQ> case3 case3 -
2020-06-14T23:33:42+08:00 localhost haproxy[27891]: 10.12.12.12:42204 -:- 400 <BADREQ> case3 case3 -
2020-06-14T23:33:48+08:00 localhost haproxy[27891]: 10.12.12.12:42244 -:- 400 <BADREQ> case3 case3 -
i don't want to save such logs in my haproxy.log, how to change my configuration files ?
thanks
You can't do this in haproxy, the best way to discard this log lines is with rsyslog.
:msg, contains, "BADREQ" ~
There are more information about discarding unwanted messages in this document.
https://www.rsyslog.com/discarding-unwanted-messages/
This looks similar to this question.
rsyslog filtering and forwarding
i tried to edit /etc/rsyslog.conf
# ignore BADREQ in haproxy.log
:msg, contains, "BADREQ" /var/log/haproxylog/haproxy.log
or
# ignore BADREQ in haproxy.log
:msg, contains, "BADREQ" stop
both don't work.
i check haproxy.cfg, i got the answer, we just need add
option dontlognull
to haproxy.cfg
If I want to alert the traffic with the snort rule alert:
Ethernet II, Src: Xircom_c5:7c:38 (00:10:a4:c5:7c:38), Dst: 3comCorp_a8:61:24 (00:60:08:a8:61:24)
Try to use:
alert tcp any any -> any any (content:"|00 60 08 a8 61 24|"; content:"|00 10 a4 c5 7c 38|"; nocase; msg:"Alert")
It looks not working.....
Snort does not work at MAC address level, it works with TCP, UDP, ICMP and IP protocols.
Your rule is a tcp rule and therefore will have a minimum 20 byte header, possibly up to 60 bytes depending on options.
Since snort content rules only match in the payload, this means that each of your content terms content:"|00 60 08 a8 61 24|" and content:"|00 10 a4 c5 7c 38|" will only match after the initial header (20 - 60 bytes).
I'm implementing data deciphering into my Java application using javax.smartcardio APIs. I'm using Yubikey NEO smart card element. I managed to:
Select OpenPGP applet CW=9000.
Present the right PIN to the applet CW=9000.
Encrypt data using matching certificate using Bouncy Castle
The encrypted message is OK (or at lest usable). I successfully deciphered ASCII armored version of it it using gpg tool and the Yubikey.
I'm not able to replicate the same thing with Java.
My encrypted data length is 313 bytes
I'm sending two APDUs (Yubikey does not seem to support extended ones)
The result is CW=6f00
The key is 2048 bit long - I tried truncating the data to 256 bytes as mentioned in GPG source code but without any success.
The APDUs I'm using:
10 2a 80 86 ca 00 85 ..data.. d1 99 00 (208 bytes) cw=9000
00 2a 80 86 70 0f e9 ..data.. 71 85 00 (118 bytes) cw=6700
I'm fairly new to HAProxy so just looking for a little direction here. Here's a log of the problem and the config for that as well. I'm trying to force specific destination ports to use a specific backend and it's not working.
Dec 18 18:49:34 localhost HAPLB[8405]: x.x.x.x:64725 [18/Dec/2014:18:49:27.157] 890_imappop_25 890_imappop_25-smtp/<NOSRV> -1/-1/7084 187 PR 225/35/35/0/3 0/0
backend 890_imappop_25-smtp
balance roundrobin
option redispatch
stick-table type ip size 60k peers mypeers
server filter1-mail 192.168.115.38:25 check
server filter2-mail 192.168.115.39:25 check
listen 890_imappop_25
bind 192.168.115.100:25
mode tcp
balance roundrobin
option redispatch
option tcplog
log 127.0.0.1 local0 debug
stick-table type ip size 60k peers mypeers
acl smtp_25 dst_port 25
acl smtp_225 dst_port 225
acl smtp_587 dst_port 587
use_backend 890_imappop_25-smtp if smtp_25
use_backend 890_imappop_225-smtp if smtp_225
use_backend 890_imappop_587-smtp if smtp_587
server imappop1-mail 192.168.115.42:25 check
server imappop2-mail 192.168.115.43:25 check
The fix was to add mode tcp to the backend section, so in this case it was defaulting to HTTP which obviously SMTP doesn't know how to talk to. Can't believe I forgot that.
backend 890_imappop_25-smtp
balance roundrobin
mode tcp
option redispatch
stick-table type ip size 60k peers mypeers
server filter1-mail 192.168.115.38:25 check
server filter2-mail 192.168.115.39:25 check
I have an HAProxy HTTP Frontend in my HAProxy config like so:
frontend myaddress.net :10098
bind :80,:8080
mode http
log global
option http-server-close
timeout client 14400000
timeout connect 60000
timeout tunnel 14400000
timeout http-request 14400000
capture request header User-Agent len 64
capture request header Accept-language len 64
capture request header x-forward len 15
capture request header host len 64
capture request header X-Orig-Base len 64
capture request header X-Orig-Host len 64
capture request header X-Orig-Proto len 64
reqadd X-Original-host:\ myaddress.net
acl is-ssl hdr(X-Orig-Proto) https
acl is-http hdr(X-Orig-Proto) http
redirect code 301 prefix https://myaddress.net if is-http
default_backend BACKEND_myaddress.net:catchall
It points to a backend defined like so:
backend BACKEND_myaddress.net:catchall
timeout server 4h
balance leastconn
server myserver myserver:8080 check inter 5s rise 3 fall 1
I've got it working to listen on port 80, then forward to 8080 on the backend server, but now I'm trying to make it also listen on port 8080 on the frontend (don't ask me why, it's a lame requirement).
As you can see, I've got a line that says bind :80,:8080. I thought that would make the frontend also listen on port 8080, but it's not appearing to listen on port 8080.
Is there something I'm missing in this configuration? How can I make a frontend listen on port 8080 and 80, which then forwards to the backend server on port 8080?
Try this in your frontend section:
bind :80
bind :8080
bind 0.0.0.0:80
bind 0.0.0.0:8080
Works for me !