haproxy traffic logs into /var/log/haproxy.log - haproxy

I am using the HAProxy configuration below. In /var/log/haproxy.log I only see the service start/stop messages; there are no log lines for the requests that pass through HAProxy.
#---------------------------------------------------------------------
# Example configuration for a possible web application. See the
# full configuration options online.
#
# http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
#---------------------------------------------------------------------
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
# Process-wide settings. Note the 'chroot' below: the HAProxy docs require a
# UNIX log socket path to be "accessible inside the chroot", i.e. the path on
# the 'log' line is resolved relative to /var/lib/haproxy once chrooted.
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
#
#log 127.0.0.1 local2
# With the chroot in effect this socket is /var/lib/haproxy/dev/log from
# HAProxy's point of view; rsyslog must create a listener there (imuxsock
# AddUnixListenSocket, as in the linked tutorial) or nothing is delivered.
# NOTE(review): the start/stop lines that do show up most likely arrive via
# stderr/journald rather than this socket -- confirm on the host.
# 'debug' is the minimum severity to send; request lines are logged at
# 'info', so 'debug' only adds noise.
log /dev/log local0 debug
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
# turn on stats unix socket
# No 'mode'/'level' given: the socket gets the default (operator) level,
# which can change server state. Restrict it ('mode 600', or 'level user')
# when other local accounts exist on the box.
stats socket /var/lib/haproxy/stats
# Only SSLv3 is disabled; TLS 1.0/1.1 are still offered. Add
# 'no-tlsv10 no-tlsv11' (or 'ssl-min-ver TLSv1.2' on 1.8+) unless legacy
# clients genuinely require them.
ssl-default-bind-options no-sslv3
# Size of the DH parameters used for DHE key exchange.
tune.ssl.default-dh-param 2048
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
# Inherited by every frontend/backend below unless the section overrides it.
mode http
# Use the 'log' targets declared in the global section.
log global
# HTTP log format (method, URL, status, timers). A section that later sets
# 'option tcplog' replaces this with the bare TCP format.
option httplog
# Do not log connections that carried no data. Convenient, but it also hides
# port scans and connect-only probes from the log.
option dontlognull
option http-server-close
# Adds an X-Forwarded-For header for clients outside 127.0.0.0/8. It adds
# the header even when the client already sent one, so a client can pre-seed
# it; backends must only trust the value this proxy added, or delete the
# incoming header first ('http-request del-header X-Forwarded-For').
option forwardfor except 127.0.0.0/8
# Allow a retry on another server when the assigned one is unreachable.
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend main *:5000
# Listens on port 5000 on all interfaces.
# Two ACLs with the same name are OR-ed: prefix match OR extension match.
acl url_static path_beg -i /static /images /javascript /stylesheets
acl url_static path_end -i .jpg .gif .png .css .js
# A section-level 'log' replaces the targets inherited from 'defaults'; the
# chroot caveat from the global section applies here too (the path must be
# reachable as /var/lib/haproxy/dev/log).
log /dev/log local0 debug
# Overrides 'option httplog' from defaults: once logging works this frontend
# will log in TCP format with no method/URL/status. Remove this line for an
# HTTP frontend.
option tcplog
use_backend static if url_static
default_backend app
#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
backend static
# Single local server for static assets. 'check' is a plain TCP connect
# health check (no 'option httpchk'), so it only detects a closed port.
balance roundrobin
server static 127.0.0.1:4331 check
#---------------------------------------------------------------------
#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend app
# Four local application instances, rotated round-robin. Health checks are
# TCP connect only (no 'option httpchk').
balance roundrobin
server app1 127.0.0.1:5001 check
server app2 127.0.0.1:5002 check
server app3 127.0.0.1:5003 check
server app4 127.0.0.1:5004 check
The server runs RHEL 7 with SELinux enforcing. I followed every step in the link below to set up rsyslog for HAProxy under SELinux, but the only entries written are the HAProxy service start/stop messages; no traffic is logged.
https://www.digitalocean.com/community/tutorials/how-to-configure-haproxy-logging-with-rsyslog-on-centos-8-quickstart

I recently set up several HAProxy instances, on CentOS 6 and 5 as far as I recall.
Config haproxy.cfg contains:
global
# Send logs over UDP to the local syslog on 127.0.0.1 (default port 514),
# facility local2, minimum severity 'info' (request lines are logged at
# 'info'; this drops debug-level noise). A UDP target is unaffected by a
# chroot, unlike a '/dev/log' socket path.
log 127.0.0.1 local2 info
I also created a new file, /etc/rsyslog.d/haproxy.conf, which is what actually does the job:
# Collect log with UDP
# Legacy rsyslog directive syntax (appropriate for the CentOS 5/6 versions
# mentioned above; current rsyslog prefers module(load="imudp") plus
# input(type="imudp" ...)).
$ModLoad imudp
# Bind only to loopback so remote hosts cannot inject forged log lines; this
# directive must precede $UDPServerRun to take effect. Syslog over UDP is
# unauthenticated, so any local process can still write to this port.
$UDPServerAddress 127.0.0.1
$UDPServerRun 514
# Creating separate log files based on the severity
# (Actually selected by facility, not severity: everything sent with
# facility local2, by HAProxy or any other local2 sender, goes to this file.)
local2.* /var/log/haproxy.log
After restarting the rsyslog daemon, HAProxy started writing to the log.
P.S. After testing I added the following to `defaults` to drop the unneeded log lines (note that it suppresses the log lines for successful requests and keeps only errors/timeouts):
# Only requests that ended in an error, timeout or retry are logged;
# successful requests are no longer logged at all. This keeps the file
# small but removes the access trail that security monitoring relies on.
option dontlog-normal


haproxy redirect to new domain

Can you help me with this issue?
I have two old domains (www.rvsite.com, rvsite.com) and want HAProxy to redirect them to the new domain www.rv-site.com.
haproxy.cfg
# Global settings
#---------------------------------------------------------------------
global
# Local syslog socket, facility local0, severity 'info' and above.
log /dev/log local0 info
# With chroot the socket path must exist as /var/lib/haproxy/dev/log (the
# docs require the log socket to be accessible inside the chroot).
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
# Disables TLS certificate verification for *every* backend connection, so
# the link to 10.3.3.236:8443 can be intercepted silently. Prefer
# 'ssl-server-verify required' and a 'ca-file' holding the CA (or the
# self-signed certificate) that issued the backend's certificate.
ssl-server-verify none
user haproxy
group haproxy
daemon
#---------------------------------------------------------------------
defaults
log global
# Ten minutes of idle time on each side is generous for a web site; idle
# clients hold a connection (and a maxconn slot) that long.
timeout client 10m
timeout connect 10m
timeout server 10m
mode http
# TCP log format in an HTTP proxy: Host, method, URL and status are not
# logged. 'option httplog' is the usual choice with 'mode http'.
option tcplog
option http-keep-alive
# Only meaningful on HAProxy 1.9/2.0; ignored since 2.1 (HTX is always on)
# and may produce a warning on newer releases.
option http-use-htx
#---------------------------------------------------------------------
frontend rvsite-front
mode http
log global
# Adds X-Forwarded-For (a client-supplied header is kept, not replaced, so
# backends must only trust the value this proxy added).
option forwardfor
# ALPN is a TLS extension; on this plaintext bind it has no effect (recent
# versions warn about it).
bind *:80 alpn h2,http/1.1
# Two certificates; the one presented is chosen by the client's SNI.
bind *:443 ssl crt /etc/ssl/rv-ssl/rv.pem crt /etc/ssl/rv-ssl/rvsite.pem
# NOTE(review): despite its name this ACL does not redirect anything; it only
# selects the backend, and the same backend is the default, so it is a no-op.
# It also lists www.rendezvous.com, which is not one of the domains named in
# the question (rvsite.com and www.rvsite.com).
acl rvredirect hdr(host) -i rvsite.com www.rendezvous.com
# Plain-HTTP requests are first sent to HTTPS (301).
http-request redirect scheme https code 301 unless { ssl_fc }
# The old-domain -> www.rv-site.com redirect the question asks for is not in
# this config. It would go here, after the scheme redirect, e.g.:
#   http-request redirect prefix https://www.rv-site.com code 301 if { hdr(host) -i rvsite.com www.rvsite.com }
# (the certificate served on :443 must still cover the old names, otherwise
# HTTPS clients never reach the redirect).
use_backend rvsite-back if rvredirect
default_backend rvsite-back
backend rvsite-back
mode http
log global
# Re-encrypts to the backend, but 'verify none' skips certificate checking
# (as does the global 'ssl-server-verify none'). Use 'verify required
# ca-file <ca.pem>' so that a host impersonating 10.3.3.236 is rejected.
server backend 10.3.3.236:8443 check ssl verify none

haproxy Infinite page refresh loop

On two different hosts there are two identical sites on IIS web servers, reachable on ports 443 and 9000. If both hosts are enabled in HAProxy, opening a page of the site results in an endless page-refresh loop. It works if one of the servers is disabled, or if the weights are set to `srv1 weight 100 srv2 weight 0`. How can I fix this?
My haproxy config:
global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
#
# UDP syslog to the local host (port 514), facility local2.
log 127.0.0.1 local2
# log /dev/log local0
# log /dev/log local1 notice
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 10000
user haproxy
group haproxy
daemon
# turn on stats unix socket
# 'mode 666' makes the socket usable by every local user. 'level user'
# limits them to non-sensitive read commands, but still exposes the stats
# and server list; prefer 'mode 600' or a dedicated group.
stats socket /var/lib/haproxy/stats mode 666 level user
# SSLv3 off, but TLS 1.0/1.1 remain enabled; add 'ssl-min-ver TLSv1.2' (or
# 'no-tlsv10 no-tlsv11') unless old clients are required.
ssl-default-bind-options no-sslv3
# Cipher list: ECDHE first, AES-256 moved to the end, 3DES removed, then
# 'RSA+3DES' re-adds 3DES (64-bit block cipher) and static-RSA key exchange
# offers no forward secrecy. Drop 'RSA+3DES' unless a legacy client needs it.
ssl-default-bind-ciphers EECDH:+AES256:-3DES:RSA+AES:RSA+3DES:!NULL:!RC4
# ssl-server-verify none
defaults
mode http
log global
option httplog
option dontlognull
#option http-server-close
#option forwardfor except 127.0.0.0/8
# Without 'option redispatch' retries stay on the server a session was
# assigned to (relevant once cookie persistence is in place).
#option redispatch
# Up to 10 connection attempts before giving up on a request.
retries 10
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 150s
timeout http-keep-alive 65s
timeout check 10s
maxconn 10000
# Custom log line; replaces the standard httplog format. The Russian labels
# mean: t_простоя = idle time before the request (%Ti), t_отклика = server
# response time (%Tr), t_сеанса = total session time (%Tt). %{+Q} quotes
# every field; %r is the full request line, so anything passed in a query
# string (tokens, passwords) ends up in the log.
log-format "%{+Q}o\ client = %ci:%cp, server = %si:%sp path = %HU, status = %ST, %b, t_простоя = %Ti, t_отклика = %Tr, t_сеанса = %Tt, request = %r, byte = %B"
frontend stats
# Listens on every interface: the stats page and the Prometheus metrics are
# reachable from anywhere that can reach port 8404, over plain HTTP. Bind to
# a management address or add 'http-request deny unless { src <admin-net> }'.
bind *:8404
# /metrics is not under 'stats uri', so 'stats auth' does not cover it: all
# frontend/backend/server names and counters are served unauthenticated.
http-request use-service prometheus-exporter if { path /metrics }
# Disables logging for this frontend, so access to the stats and metrics
# leaves no trace. Keep logging on while this endpoint is exposed.
no log
stats enable
stats uri /stats
stats refresh 10s
# Hard-coded, trivially guessable credentials, sent as HTTP basic auth in
# clear text (no 'ssl' on the bind). Use a strong secret, and serve the
# page over TLS and/or restrict it by source address.
stats auth adm:123
frontend http
# Plain-HTTP listener whose only job is to send clients to HTTPS.
bind *:80
mode http
# 'redirect scheme' issues a 302 by default; add 'code 301' for a permanent
# redirect.
redirect scheme https if !{ ssl_fc }
frontend https
# Same certificate on both TLS ports; the Host rules below pick the backend.
bind *:443 ssl crt /etc/haproxy/tls/haproxy.pem alpn h2,http/1.1
bind *:9000 ssl crt /etc/haproxy/tls/haproxy.pem alpn h2,http/1.1
# Adds X-Forwarded-For (a client-supplied header is kept, not replaced).
option forwardfor
option http-keep-alive
# 'add-header' appends: a client can send its own X-Forwarded-Proto and the
# backend then sees two values. 'set-header' replaces it.
http-request add-header X-Forwarded-Proto https
http-request set-header X-Client-IP %[src]
# Redirects HAProxy-generated errors to an external page; per the docs these
# do not apply to error responses returned by the servers themselves.
errorloc 404 https://xxxx.com/500
errorloc 500 https://xxxx.com/500
errorloc 503 https://xxxx.com/500
errorloc 504 https://xxxx.com/500
# Routing is by exact Host header (clients on port 9000 send "xxxx.com:9000").
# There is no default_backend, so any other Host value, including a bare IP,
# gets a 503 from HAProxy.
use_backend https if { hdr(host) -i xxxx.com }
use_backend 9000 if { hdr(host) -i xxxx.com:9000 }
backend https
balance roundrobin
# 'cookie srv1'/'cookie srv2' give the value HAProxy would put in a
# persistence cookie, but there is no 'cookie <name> insert ...' line
# defining the cookie itself, so nothing is ever set and successive requests
# alternate between the two IIS hosts (the cause of the loop, per the answer).
# 'verify none': the backends' certificates are not checked.
server srv1 192.168.1.11:443 check cookie srv1 weight 80 ssl verify none
server srv2 192.168.1.111:443 check cookie srv2 weight 20 ssl verify none
backend 9000
balance roundrobin
# Same two hosts on port 9000, with the same gap: per-server cookie values
# but no 'cookie <name> insert ...' directive, so no persistence happens and
# requests alternate between the servers. Certificates are not verified.
server srv1 192.168.1.11:9000 check cookie srv1 weight 80 ssl verify none
server srv2 192.168.1.111:9000 check cookie srv2 weight 20 ssl verify none
You are using cookie-based persistence on the servers (`cookie srv1` / `cookie srv2`), but nothing tells HAProxy which cookie to set or read, so those values are never sent to the client:
# (Quoted from the question.) Round-robin with per-server cookie values but
# no 'cookie' directive naming the cookie, so persistence never takes effect.
balance roundrobin
server srv1 192.168.1.11:443 check cookie srv1 weight 80 ssl verify none
server srv2 192.168.1.111:443 check cookie srv2 weight 20 ssl verify none
As a result the client's requests alternate between both servers, which does not work well with IIS (and/or the session handling behind it).
Simply tell HAProxy which cookie to set and use, for example a cookie named SERVERID:
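balance roundrobin
# Insert a SERVERID cookie into responses that do not already carry one
# ('insert'), strip it before the request reaches the server ('indirect')
# and mark the response as not cacheable when the cookie is added
# ('nocache'). The frontend is TLS-only (port 80 only redirects), so the
# cookie can also be flagged 'secure' (never sent over plain HTTP) and
# 'httponly' (not readable by page scripts). The 'verify none' on the
# servers is left as in the question; fixing it is a separate change.
cookie SERVERID insert indirect nocache secure httponly
server srv1 192.168.1.11:443 check cookie srv1 weight 80 ssl verify none
server srv2 192.168.1.111:443 check cookie srv2 weight 20 ssl verify none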
If the client already has a SERVERID cookie, HAProxy sends the request to the server whose `cookie` value matches.
If the client does not have a SERVERID cookie, HAProxy picks a server and instructs the client to store it, e.g. `Set-Cookie: SERVERID=srv1` (the value is the `cookie` value of that server line).
Source : https://www.haproxy.com/blog/load-balancing-affinity-persistence-sticky-sessions-what-you-need-to-know/

Creating an API proxy using HAProxy and getting responses

I have an API vendor that requires a static IP to connect to it, and I cannot give the calling systems a static IP, so I am looking at using HAProxy as my gateway/proxy to the API.
It was very easy to configure HAProxy in a basic form and have it proxy my requests, but I'm finding that some requests return no response while others do.
The API requests will use PUT, POST and GET methods. My config is very similar to default. I'm using HAProxy 1.8.
Two questions;
Is HAProxy the right tool for this? Will anything else work? I'm even happy to pay for a commercial tool that does the job.
If it is the right tool, is there any reason why some GET requests return responses and some don't? The response code is still 200, but I have no access to logs on the vendor side to troubleshoot.
#---------------------------------------------------------------------
# Example configuration for a possible web application. See the
# full configuration options online.
#
# http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
#---------------------------------------------------------------------
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
#
#log 127.0.0.1 local2
# UDP syslog to the local host on port 514, facility local0 (a UDP target
# is unaffected by the chroot below).
log 127.0.0.1:514 local0
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
# turn on stats unix socket
# Default permissions and level (operator); restrict with 'mode'/'level'
# if other local accounts exist.
stats socket /var/lib/haproxy/stats
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
# The only backend here is a third-party API: this sends the original client
# address (and any X-Forwarded-For the client supplied) to the vendor on
# every request. Remove it unless the vendor actually needs it.
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
# Standard HTTP log line spelled out explicitly (%CC/%CS are captured
# cookies, %hr/%hs captured request/response headers, %{+Q}r the quoted
# request line). It is identical in content to 'option httplog'.
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
#frontend main *:5000
# acl url_static path_beg -i /static /images /javascript /stylesheets
# acl url_static path_end -i .jpg .gif .png .css .js
#
# use_backend static if url_static
# default_backend app
frontend api_proxy
# Plain HTTP on every interface with no source restriction and no
# authentication: anyone who can reach port 6109 can call the vendor API
# from this host's allow-listed static IP. Limit it with a security group
# and/or 'http-request deny unless { src <trusted-net> }'.
bind *:6109
mode http
# capture response header
default_backend remote_api_server
backend remote_api_server
#replace 10.10.10.10 with the actual Ip address
mode http
# The Host header is rewritten for the vendor, but the TLS handshake carries
# no server name (no 'sni' on the server line). A vendor behind SNI-based
# virtual hosting or a CDN may then serve a default site or drop the
# connection -- a plausible explanation for the missing responses, though
# not confirmed from here. 'sni str(myhost.com.au)' is supported on 1.8.
http-request set-header Host myhost.com.au
# 'verify none' accepts any certificate, so the connection to the vendor can
# be intercepted; use 'verify required ca-file <system CA bundle>'.
# The hostname is resolved once at startup (no 'resolvers' section), so a
# vendor IP change goes unnoticed until a reload; there is no 'check' either.
server server1 myhost.com.au:443 ssl verify none
#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
#backend static
# balance roundrobin
# server static 127.0.0.1:4331 check
#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
#backend app
# balance roundrobin
# server app1 127.0.0.1:5001 check
# server app2 127.0.0.1:5002 check
# server app3 127.0.0.1:5003 check
# server app4 127.0.0.1:5004 check
HAProxy kept behaving differently from what I expected, so I tried doing the same thing in nginx, and it was straightforward.
Ultimately, this block does exactly what I need:
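server {
    # Plain-HTTP entry point on every interface. Nothing here restricts who
    # may use it, and every caller inherits this host's allow-listed IP at
    # the vendor: keep the port closed to everything but the front load
    # balancer (security group and/or allow/deny rules).
    listen 6109;

    location / {
        proxy_redirect off;
        # Pass the upstream's Server header through to the caller unchanged.
        proxy_pass_header Server;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header Host myhost.com.au;
        proxy_set_header X-NginX-Proxy true;
        proxy_connect_timeout 5;
        proxy_read_timeout 240;
        proxy_intercept_errors on;
        # Send the upstream hostname as TLS SNI (nginx omits it by default);
        # proxy_ssl_name defaults to the proxy_pass host, myhost.com.au.
        proxy_ssl_server_name on;
        # nginx does not verify upstream certificates unless told to. Enable
        # it with the distro's CA bundle so the vendor cannot be spoofed:
        #   proxy_ssl_verify on;
        #   proxy_ssl_trusted_certificate /path/to/ca-bundle.crt;
        proxy_pass https://myhost.com.au:443;
    }
}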
This is on an EC2 instance so I have a load balancer in front of it handling SSL.

Adding CORS in HAPROXY 1.6.9 with rspadd headers

I have set up HAProxy in front of Apache and it works fine, but I cannot make API calls from another domain. It is a CORS issue, so I added
rspadd Access-Control-Allow-Origin:\ *
but the response headers are still not added to the API response.
Please let me know: is there another way to achieve this?
Here is my whole haproxy.cfg file
global
# UDP syslog to the local host, facility local2.
log 127.0.0.1 local2
#log 127.0.0.1 local1 notice
#log loghost local0 info
#log /dev/log local0 info
log-tag haproxy
maxconn 4096
# The chroot directory should be empty and not writable by the uid below.
chroot /usr/share/haproxy
# Numeric uid/gid (99 is 'nobody' on many distributions); a dedicated
# 'haproxy' account is preferable.
uid 99
gid 99
daemon
# Per the docs, 'debug' dumps every exchange to stdout and disables daemon
# mode (it overrides the 'daemon' line above). It is a troubleshooting
# switch and must not remain in a production configuration.
debug
#quiet
defaults
log global
mode http
option httplog
option dontlognull
retries 3
# Deprecated spelling of 'option redispatch'.
redispatch
maxconn 2000
# Deprecated aliases (in milliseconds) for 'timeout connect/client/server'.
# 5 s client/server timeouts will cut off slow API calls and uploads.
contimeout 5000
clitimeout 5000
srvtimeout 5000
frontend https
#bind *:80
bind *:443 ssl crt /etc/ssl/certs/server.bundle.pem
# Buffers the request body before processing so it can be captured below;
# the amount buffered is bounded by tune.bufsize (16 KB by default).
option http-buffer-request
# 400 KB capture slot; what is actually captured is limited by the buffer.
declare capture request len 400000
http-request capture req.body id 0
# Every request body (credentials, tokens, personal data posted to the API)
# is written to syslog by this log line, and UDP syslog truncates long
# messages. Remove this outside of a debugging session. Note also that a
# 'log-format' replaces the standard HTTP log line entirely.
log-format {"%[capture.req.hdr(0)]"}
# /opt/causeway/etc/libwebsockets-cpa.pem
# Case-sensitive prefix match on /API (no '-i'), while the HTTP frontend
# below matches /api. An HTTPS call to /api/... therefore goes to
# default_apache, where no CORS headers are added -- a possible cause of
# the symptom described in the question.
acl httpsapi path_beg /API
use_backend serv_https_api if httpsapi
default_backend default_apache
frontend http
# Plain-HTTP listener: /api (lower-case, case-sensitive) goes to serv_api,
# everything else to Apache. There is no redirect to HTTPS.
bind *:80
#bind *:443 ssl crt /etc/ssl/certs/server.bundle.pem
acl api path_beg /api
use_backend serv_api if api
default_backend default_apache
backend default_apache
# Apache on the local port 81; no health check configured.
server apache 127.0.0.1:81
backend serv_api
server server1 127.0.0.1:7687
# Response headers added on the way back ('rspadd' was removed in HAProxy
# 2.1; 'http-response add-header' is the replacement). The '*' origin lets
# any web page call this API, which is acceptable for a public, cookie-less
# API but must never be paired with credentials. rspadd only decorates what
# the server returns, so the backend still has to answer the browser's
# OPTIONS preflight itself. Max-Age asks for a one-year preflight cache;
# browsers cap it at a few hours to a day.
rspadd Access-Control-Allow-Origin:\ *
rspadd Access-Control-Max-Age:\ 31536000
backend serv_https_api
# Same local API server as serv_api, reached via the HTTPS frontend.
server server2 127.0.0.1:7687
# Same CORS headers as serv_api: wildcard origin (no credentials allowed
# with it) and a one-year preflight cache. Only applied to responses that
# actually pass through this backend, i.e. requests matching the
# case-sensitive /API prefix in the HTTPS frontend.
rspadd Access-Control-Allow-Origin:\ *
rspadd Access-Control-Max-Age:\ 31536000
# mode tcp
# log global
# tcp-request inspect-delay 5s
# tcp-request content accept if { req.ssl_hello_type 1 }
Any help is highly appreciated.

haproxy: share port between HTTPS and XMPP

I have followed myriad tutorials and still no luck. I don't need HAProxy to handle SSL: HTTPS is passed straight through to nginx's SSL port, and XMPP has its own encryption.
Here is what I have (MY.DOMAIN is the name on the nginx SSL cert). Everything always falls through to XMPP. I'm also open to reversing the approach — does anyone have a reliable way to detect XMPP (with SSL)?
global
# There is no 'log' line in this section, so the 'log global' in the
# sections below has nothing to inherit and no traffic is logged at all.
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
# turn on stats unix socket
# Default permissions and level (operator); restrict with 'mode'/'level'
# if other local accounts exist.
stats socket /var/lib/haproxy/stats
defaults
# HTTP-mode defaults; the frontend and backends below switch to 'mode tcp',
# where httplog, forwardfor and the http-* timeouts do not apply.
mode http
log global
option httplog
option dontlognull
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 120s
timeout queue 1m
timeout connect 10s
# 24 h idle timeouts keep long-lived XMPP sessions open, but each idle
# connection holds a maxconn slot for a day.
timeout client 1440m # Modified
timeout server 1440m # Modified
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
frontend main
mode tcp
bind :443
# Gives the content rules up to 5 s to see the TLS ClientHello. Without a
# 'tcp-request content accept' rule that waits for the hello, the backend
# choice may be made before the SNI is available (see the update at the end
# of the post).
tcp-request inspect-delay 5s
#Neither of these work:
#use_backend www-ssl if { req.ssl_hello_type 1 }
# Routes by SNI only. Clients that send no SNI, or any other name, fall
# through to the XMPP backend, so a TLS client for a different hostname ends
# up talking to the XMPP server.
use_backend www-ssl if { req.ssl_sni -i MY.DOMAIN }
default_backend xmpp
option tcplog
log global
backend xmpp
# Raw TCP to the local XMPP server; no health check.
mode tcp
option tcplog
server app1 127.0.0.1:5222
backend www-ssl
# TLS passthrough to nginx on port 1443; nginx terminates TLS, so HAProxy
# sees only the ClientHello. No health check.
mode tcp
server www-ssl 127.0.0.1:1443
The above configuration does actually work; a redirect on the backend had confused me.
I'm not 100% sure it works all the time (for example, curl ends up at XMPP, and I'm not sure what is different about curl's TLS handshake), but at least for Chrome the HTTPS detection works.
UPDATE: adding this to the frontend makes it work for curl and browsers:
# Ends the inspection delay as soon as any byte has arrived. That works when
# the ClientHello arrives in one segment, but a hello split across segments
# could be accepted before the SNI is parsable. NOTE(review): the
# conventional form is 'tcp-request content accept if { req.ssl_hello_type 1 }',
# which waits for a complete ClientHello -- the same fetch that did not work
# above as a use_backend condition, where nothing was waiting for the hello.
acl content_present req_len gt 0
tcp-request content accept if content_present