I try to send firewall logs to syslog using UDP. Between the syslog and the firewall I have an HAProxy cluster.
I saw that the flow arrives to the HAProxy but when I activate debug mode there is no communication between the HAProxy and the syslog.
I use port 2000 with UDP protocol.
My HAproxy version is :
HAProxy version 2.5.5-1~bpo11+1 2022/03/14 - https://haproxy.org/
Status: stable branch - will stop receiving fixes around Q1 2023.
Known bugs: http://www.haproxy.org/bugs/bugs-2.5.5.html
Running on: Linux 5.10.0-12-amd64 #1 SMP Debian 5.10.103-1 (2022-03-07) x86_64
The configuration of HA proxy :
global
log stderr format iso local7
# log /dev/log local0
# log /dev/log local1 notice
# chroot /var/lib/haproxy
# stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
# stats timeout 30s
# user root
# group root
# daemon
# Default SSL material locations
#ca-base /etc/ssl/certs
#crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
#ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY13>
#ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
#ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
log-forward sylog-loadb
# VIP of HA proxy
dgram-bind 10.10.10.1:2000
bind 10.10.10.1:2000
# IP of my syslog server
log 10.10.10.2:2000 sample 1:2 local0
log 10.10.10.3:2000 sample 2:2 local0
Please have you any idea about where the problem could be ?
Thank you.
Best regards.
Related
I am trying to load balance two server using HAProxy v1.8 but in my case the backends are domain names instead of IP addresses.
My HAProxy config looks like this:
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
pidfile /var/run/rh-haproxy18-haproxy.pid
user haproxy
group haproxy
daemon
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
spread-checks 21
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 10000
balance roundrobin
frontend https-443
bind *:443
mode http
option httplog
acl ACL_global.domain.com hdr(host) -i global.domain.com
use_backend www-443-app if ACL_global.domain.com
backend www-443-app
balance roundrobin
mode http
option httpchk GET /health
option forwardfor
http-check expect status 200
server backendnode1 app1.domain.com:443 check
server backendnode2 app2.domain.com:443 check
frontend health-443
bind *:8443
acl backend_dead nbsrv(www-443-app) lt 1
monitor-uri /haproxy_status
monitor fail if backend_dead
listen stats # Define a listen section called "stats"
bind :9000 # Listen on localhost:9000
mode http
stats enable # Enable stats page
stats hide-version # Hide HAProxy version
stats realm Haproxy\ Statistics # Title text for popup window
stats uri /haproxy_stats # Stats URI
stats auth haproxy:passwd # Authentication credentials
However, the health check is not passing. When I checked the stat page it says: Layer7 invalid response.
I checked if I can connect to the backend domains from my HAProxy server and I am successfully able to do so.
curl -X GET -I https://app1.domain.com/health
HTTP/2 200
cache-control: no-cache, private, max-age=0
content-type: application/json
expires: Thu, 01 Jan 1970 00:00:00 UTC
pragma: no-cache
x-accel-expires: 0
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
date: Wed, 28 Jul 2021 12:05:09 GMT
content-length: 18
x-envoy-upstream-service-time: 0
endpoint: health
version: 1.0.0
server: istio-envoy
Is there something that I am missing in my configuration or something that I need to change to make this work?
You're missing ssl keyword for server lines. You may also want to set sni
backend foo
default-server ssl check verify none
server backendnode1 app1.domain.com:443 sni str('app1.domain.com')
server backendnode2 app2.domain.com:443 sni str('app2.domain.com')
You should also decide if you want to verify SSL certificates of your backend servers. Can you trust the connection? Is it your network? Haproxy encourages you to verify, but requires supplying CA certificate for them to verify. You can also add verifyhost and check-sni settings if you verify certificate:
backend foo
default-server ssl check verify required
server backendnode1 app1.domain.com:443 sni str('app1.domain.com') check-sni 'app1.domain.com' verifyhost 'app1.domain.com' ca-file /path/to/CA1.pem
server backendnode2 app2.domain.com:443 sni str('app2.domain.com') check-sni 'app2.domain.com' verifyhost 'app2.domain.com' ca-file /path/to/CA2.pem
We are facing an issue to start the haproxy we installed.
We are using ubuntu 16.04 and the version installed is:
HA-Proxy version 1.6.3 2015/12/25
Copyright 2000-2015 Willy Tarreau
The folder /run/haproxy is created
Everything is dowloaded correctly.
Its uninstalled, and then installed with the same errors, so we desperatly seek help.
This is the folder /etc/default/haproxy
# Defaults file for HAProxy
#
# This is sourced by both, the initscript and the systemd unit file, so do not
# treat it as a shell script fragment.
# Change the config file location if needed
#CONFIG="/etc/haproxy/haproxy.cfg"
ENABLED=1
# Add extra flags here, see haproxy(1) for a few options
#EXTRAOPTS="-de -m 16"
Here is /etc/haproxy/haproxy.cfg
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DE$
ssl-default-bind-options no-sslv3
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend myfrontend
bind *:80
mode http
default_backend mybackend
backend mybackend
mode http
balance roundrobin
option httpchkHEAD / HTTP/1.1\r\nHost:\localhost
server web1 10.10.2.110:80 check weight 10
server web2 10.10.2.111:80 check weight 20
server web3 10.10.2.112:80 check weight 30
Here is the error message:
● haproxy.service - HAProxy Load Balancer
Loaded: loaded (/lib/systemd/system/haproxy.service; enabled; vendor preset: enabled)
Active: inactive (dead) (Result: exit-code) since Thu 2018-04-19 14:35:21 UTC; 5s ago
Docs: man:haproxy(1)
file:/usr/share/doc/haproxy/configuration.txt.gz
Process: 29395 ExecStartPre=/usr/sbin/haproxy -f ${CONFIG} -c -q (code=exited, status=1/FAILURE)
Main PID: 28467 (code=exited, status=0/SUCCESS)
Apr 19 14:35:20 dats42-lb systemd[1]: Failed to start HAProxy Load Balancer.
Apr 19 14:35:20 dats42-lb systemd[1]: haproxy.service: Unit entered failed state.
Apr 19 14:35:20 dats42-lb systemd[1]: haproxy.service: Failed with result 'exit-code'.
Apr 19 14:35:21 dats42-lb systemd[1]: haproxy.service: Service hold-off time over, scheduling restart.
Apr 19 14:35:21 dats42-lb systemd[1]: Stopped HAProxy Load Balancer.
Apr 19 14:35:21 dats42-lb systemd[1]: haproxy.service: Start request repeated too quickly.
Apr 19 14:35:21 dats42-lb systemd[1]: Failed to start HAProxy Load Balancer.
Anyone who can help? :)
in your /etc/haproxy/haproxy.cfg file under the global section, there is this entry - stats socket /run/haproxy/admin.sock mode 660 level admin
check if admin.sock file is getting created. also check if there is the directory path existing for that file to be created.
I installed a HAPROXY for balance between two servers. Unfortunately the HAPROXY return random ERR_EMPTY_RESPONSE. I installed the stats also but the stats does not appear frequently because sometimes the stats is shown. I double check with some friends my configuration and I did not found problems.
defaults
timeout connect 3000ms
timeout server 10000ms
timeout client 10000ms
global
log 127.0.0.1 local0 notice
maxconn 2000
user haproxy
group haproxy
frontend stats
bind *:1936
mode http
stats enable
stats hide-version
stats realm Haproxy\ Statistics
stats uri /
stats auth user:password
frontend http_in
bind *:80
acl is_audio hdr_end(host) -i subdomain.myserver.com
acl is_proxystats hdr_end(host) -i stats.myserver.com
use_backend srv_audio if is_audio
use_backend srv_stats if is_proxystats
# acl url_blog path_beg /blog
# use_backend blog_back if url_blog
default_backend srv_audio
backend srv_audio
balance roundrobin
server audio1 10.10.10.1:80 check
server audio2 10.10.10.2:80 check
backend srv_stats
server Local 127.0.0.1:1936
My configuration:
HA Proxy version 1.6.3 (package 1.6.3-1ubuntu0.1 amd64)
Ubuntu 16.04.2 LTS
Cloud Machine on AWS LightSail 512KB RAM
System with all packages updated.
I already read the answer of similar question at HAProxy random HTTP 503 errors and the answer is not the same. As suggested there the command netstat -tulpn | grep 80 does not show two HAPROXY running:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
But ps ax | grep haproxy returns:
22890 ? Ss 0:00 /usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
22891 ? S 0:00 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds
22894 ? Ss 0:31 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds
Well, I dig more into HAProxy and read a lot of tutorials and I believe I found the solution.
I did two changes:
Changed hdr_end(host) to hdr_dom(host)
Added mode httpto: frontend http_in, backend srv_audio and backend srv_stats
Now, HAPROXY is very stable without bizarre behavior
This is all new to me. Please bear with me. Sorry if I don't phrase my problem correctly. I'd like to set ip floating to use HAproxy and Keepalived.
I have the following ips:
LB1: 192.168.1.27 #first load balancer
LB2: 192.168.1.32 #second load balancer
www1: 192.168.1.28 #first web server
www2: 192.168.1.29 #second web server
floating ip: 192.168.1.200
When I turn off load balancer 1 (LB1), traffic is not getting redirected to floating ip. I don't know what to check so I can make this whole setup run successfully. I suspect that LB2 is the problem (apart from me:)) as the floating ip doesn't do its job when LB1 is down.
I also followed the checking process section on the link below '8. Verify proper failover' but to no avail:
How to create Floating IP and use it to configure HAProxy.
Individually, the 5 ips work fine only when HAproxy is on. That's all I can say.
Could you please help me? Thanks.
EDIT
My config:
HAPROXY INSTALL on lb1
global
log 127.0.0.1 local2
daemon
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
defaults
log global
mode http
option httplog
timeout connect 5000
timeout client 50000
timeout server 50000
retries 3
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
listen stats
bind :1936
stats enable
stats hide-version
stats realm Loadbalanced\ Servers
stats uri /haproxy?stats
stats auth haproxy:haproxy
frontend http-in
bind *:80
default_backend webservers
backend webservers
balance roundrobin
option httpchk GET /haproxy_check
stick-table type ip size 20k peers mypeer
server www1 192.168.1.28:80 cookie LSW_WWW1 check inter 500 fall 3 rise 2
server www2 192.168.1.29:80 cookie LSW_WWW2 check inter 500 fall 3 rise 2
peers mypeer
peer lb1hostname 192.168.1.27:1024
peer lb2hostname 192.168.1.32:1024 backup
HAPROXY install on lb2:
global
log 127.0.0.1 local2
daemon
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
defaults
log global
mode http
option httplog
timeout connect 5000
timeout client 50000
timeout server 50000
retries 3
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
listen stats
bind :1936
stats enable
stats hide-version
stats realm Loadbalanced\ Servers
stats uri /haproxy?stats
stats auth haproxy:haproxy
frontend http-in
bind *:80
default_backend webservers
backend webservers
balance roundrobin
option httpchk GET /haproxy_check
server www1 192.168.1.28:80 cookie LSW_WWW1 check inter 500 fall 3 rise 2
server www2 192.168.1.29:80 cookie LSW_WWW2 check inter 500 fall 3 rise 2
KEEPALIVED ON LB1
vrrp_script chk_haproxy {
script "pidof haproxy"
interval 2}
vrrp_instance VI_1 {
interface eth0
state MASTER
virtual_router_id 51
priority 200
virtual_ipaddress {
192.168.1.200
}
track_script {
chk_haproxy
}}
KEEPALIVED ON LB2
vrrp_script chk_haproxy {
script "pidof haproxy"
interval 2}
vrrp_instance VI_1 {
interface eth0
state BACKUP
virtual_router_id 51
priority 100
virtual_ipaddress {
192.168.1.200
}
track_script {
chk_haproxy
}}
On LB1 and LB2, in Keepalived:
nano /etc/sysctl.conf
added net.ipv4.ip_nonlocal_bind=1
sysctl -p
on lb1:
sudo service keepalived alived stop
then checked if lb2 is working. It is!!! But when Haproxy on LB1 is down, traffic still doesn't get redirected to LB2.
It could indicate problem with arp update when failover ip, check arp table on your devices if floating ip points to lb2 mac addr
I'm trying to start haproxy (version 1.5.8 2014/10/31) with an "empty" config file and I get:
user#server:~$ sudo service haproxy start
[....] Starting haproxy: haproxy[ALERT] 126/120540 (7363) : Starting frontend GLOBAL: cannot bind UNIX socket [/run/haproxy/admin.sock]
altough it's enabled:
user#server:~$ cat /etc/default/haproxy
# Set ENABLED to 1 if you want the init script to start haproxy.
ENABLED=1
Configuration file:
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL).
ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
ssl-default-bind-options no-sslv3
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
Does anyone have an idea why it can't start?
Haproxy needs to write to /run/haproxy/admin.sock but it wont create the directory for you. Create the directory /run/haproxy/ first or set stats socket to a different path.
I ran into this problem and had to remove the /run/haproxy/admin.sock file for HAProxy to restart successfully. I can only think it became corrupted after I aborted a yum update command. Oops! 😅
After updating pfSense from 2.4.5 to 2.5.2 I was facing this issue.
As #datacarl said, using command mkdir -p /run/haproxy/ from pfSense CLI works great.
Couple things with this. Know not the newest convo.
Anything i create in the /run folder disappears after reboot.
If I move to /var/lib/haproxy rather than /run/haproxy it starts fine manually as root.
If I reboot it fails. Not sure if it's because it's trying to use haproxy on reboot? if I su haproxy it says the account isn't available but think that's because it's set to nologin.