I am trying to pass dynamic value based on user_id in haproxy for my java Rest Services.
localhost:/AAA/BBB/{userid}
Following Statement are example
localhost:/AAA/BBB/1
localhost:/AAA/BBB/2
localhost:/AAA/BBB/3
I want to pass it through haproxy . I have following configuration..
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL).
ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4- SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend http
bind *:80
acl msg-listing-read path_end -i /AAA/BBB/{user_id}
use_backend ppl-be-msg-listing-read-dev if msg-listing-read
backend ppl-be-msg-listing-read-dev
balance roundrobin
server ppl-msg-listing-read-dev localhost:8080 maxconn 32 check
listen stats
bind 0.0.0.0:81
stats enable
stats uri /
Any idea will be appreciated and Thanks in Advance.
Related
I'm trying to configure a frontend bound to port X, but I want to pass the traffic to my backend on port Y.
For example, let's say X=1337 and Y=8000, I want to basically have something like :
frontend myfrontend
bind *:1337
# some directive to pass traffic on port 8000
default_backend mybackend
backend mybackend
server myserver SERVER_IP
Keep in mind that my actual current config looks like this (minus irrelevant sections) :
defaults
mode tcp
default_backend mybackend
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend myfrontend1
# for example here I want to bind to 3000 and forward to 30000, instead of binding to 30000 directly
bind *:30000
frontend myfrontend2
# for example here I want to bind to 4000 and forward to 30100, instead of binding to 30100 directly
bind *:30100
# and many other frontends...
backend mybackend
mode tcp
balance roundrobin
server server1 PRIVATE_IP1_HERE
server server2 PRIVATE_IP2_HERE
It's basically a Kubernetes cluster, server1 and server2 are nodes I'm load balancing. And because I'm using NodePorts for my services, I'm restricted to ports 30000-32767 only.
You can set the backend port, listing your servers:
frontend myfrontend1
bind *:1337
mode tcp
use_backend mybackend
backend mybackend1
mode tcp
option tcp-check
balance roundrobin
server server1 PRIVATE_IP1_HERE:8080 check
server server2 PRIVATE_IP2_HERE:8080 check
Although if you have multiple frontends, that should connect different ports on the same set of servers: you would need to define separate backends:
frontend myfrontendN
bind *:1337
mode tcp
use_backend mybackendN
backend mybackendN
mode tcp
option tcp-check
balance roundrobin
server server1 PRIVATE_IP1_HERE:N check
server server2 PRIVATE_IP2_HERE:N check
I have a Haproxy to redirect from https://sede.example.com.br to https://sede.example.pub. The problem the Haproxy configuration is not following the redirection.
If I test with the curl command passing -L argument (follow redirects), it works fine
curl -L https://sede.example.com.br
But I need to work without the -L option, because and have an API system that make some Post and Get operation and doesn't follow redirection. So I need do that in the Haproxy.
The configuration:
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend http-in
option httplog
bind *:80
bind *:443 ssl crt /usr/local/etc/haproxy/haproxy.cfg/certs/
timeout http-request 60s
timeout http-keep-alive 4s
acl https ssl_fc
http-request set-header X-Forwarded-Proto http if !https
http-request set-header X-Forwarded-Proto https if https
stats uri /haproxy?examplehaproxystats74581257445
log-format %{+Q}o\ %{-Q}ci\ -\ -\ [%T]\ %r\ %ST\ %B\ \"\"\ \"\"\ %cp\ %ms\ %ft\ %b\ %s\ \%Tq\ $
acl sede_acl req.hdr(host) -i -m str sede.example.com.br
redirect code 301 prefix https://sede.example.pub if sede_acl
Any ideia in my configuration?
Well you can try the following snipplet, it's untested but I hope you get the idea
frontend http-in
option httplog
bind *:80
bind *:443 ssl crt /usr/local/etc/haproxy/haproxy.cfg/certs/
timeout http-request 60s
timeout http-keep-alive 4s
acl https ssl_fc
http-request set-header X-Forwarded-Proto http if !https
http-request set-header X-Forwarded-Proto https if https
stats uri /haproxy?examplehaproxystats74581257445
log-format %{+Q}o\ %{-Q}ci\ -\ -\ [%T]\ %r\ %ST\ %B\ \"\"\ \"\"\ %cp\ %ms\ %ft\ %b\ %s\ \%Tq\ $
acl sede_acl req.hdr(host) -i -m str sede.example.com.br
# redirect code 301 prefix https://sede.example.pub if sede_acl
use_backend sede_acl if sede_acl
backend sede_acl
http-request set-header Host sede.example.pub
server sede-server sede.example.pub:443 sni sede.example.pub ssl
I have an angular client that calls a rest service deployed on an application server. Between the two stands a haproxy that forwards the requests coming from the client to the REST service. When using Internet explorer and the response time is greater than 1 minute, when the REST service returns, the response is not sent to the client. The client still waits for the response.
This seems to be a haproxy issue since when bypassing haproxy, the request returns as expected after ~3-4 minutes.
I have tried all the different timeouts (client, server, http-request) but nothing seems to solve this.
My haproxy configuration can be found below:
global
log /dev/log local0
#log /dev/log local1 notice
#chroot /var/lib/haproxy
#stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
maxconn 2000
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
tune.maxrewrite 1024
tune.bufsize 32768
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
log global
mode http
option httplog
option dontlognull
option log-separate-errors
option redispatch
retries 3
timeout connect 5000
timeout client 1200s
timeout server 1200s
errorfile 400 /var/log/haproxy/errors/400.http
errorfile 403 /var/log/haproxy/errors/403.http
errorfile 408 /var/log/haproxy/errors/408.http
errorfile 500 /var/log/haproxy/errors/500.http
errorfile 502 /var/log/haproxy/errors/502.http
errorfile 503 /var/log/haproxy/errors/503.http
errorfile 504 /var/log/haproxy/errors/504.http
listen haproxy-monitoring
bind *:1900
mode http
stats enable # Enable satistics
stats uri /haproxy?stats # Dashboard URL
stats realm Strictly\ Private
stats auth haproxyanalytics:haproxyanalytics # Username / Password
stats hide-version # Hide the version of HAProxy used
# APACHE web servers
#frontend haproxy-apache
# bind *:8001 transparent
# mode http
# default_backend apache-nodes
frontend http-in
bind *:80 transparent
acl has_special_uri path_beg /cxf
use_backend rest-service if has_special_uri
default_backend apache-web
backend apache-web
mode http
balance roundrobin
option forwardfor # ensures the forwarded request includes the actual client IP address
option httpclose
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
#option httpchk HEAD / HTTP/1.1\r\nHost:localhost # defines the check HAProxy uses to test if a web server is still valid for forwarding requests
server "apache-1" ${CURRENT_NODE_IP}:${APACHE_PORT} check
backend rest-service
mode http
balance roundrobin
option forwardfor # ensures the forwarded request includes the actual client IP address
option httpclose
option accept-invalid-http-request
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
#option httpchk HEAD / HTTP/1.1\r\nHost:localhost # defines the check HAProxy uses to test if a web server is still valid for forwarding requests
server "karaf-1" ${CURRENT_NODE_IP}:${KARAF_REST_PORT} check
I have setup haproxy -X with two backend server Y and Z
My problem is when I call X (haproxy) it redirects correctly to Y or Z but URL is also changed (Containing Y or Z IP), So now I am talking directly to WebServer instead of haProxy Server.
is there a way to retain haProxy IP in requests ?
haproxy.cfg
global
log 127.0.0.1 local0
maxconn 2000
user haproxy
group haproxy
defaults
log global
mode http
option httplog
option dontlognull
contimeout 5000
clitimeout 50000
srvtimeout 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend LB
bind *:80
reqadd X-Forwarded-Proto:\ http
option httplog
default_backend LB
backend LB
mode http
stats enable
stats hide-version
stats uri /stats
stats realm Haproxy\ Statistics
stats auth haproxy:redhat # Credentials for HAProxy Statistic report page.
balance roundrobin # Load balancing will work in round-robin process.
option httpchk
option httpclose
option forwardfor
option httplog
cookie LB insert
server web1-srv 10.164.29.225:80 cookie web1-srv check # backend server.
server web2-srv 10.164.27.31:80 cookie web2-srv check # backend server.
(Ubuntu 16.04, 6 cores, 24GB Ram, Haproxy 1.8.0)
I've read so much about how easy haproxy is, so we set it up, did some basic testing / load testing and things looked good. Put it into production last night, things look good, until we start getting production traffic. I have to restart haproxy every few minutes b/c sites just stop responding. The stats website isnt showing me any stats that look alarming, and the machine is hardly using any resources.
Basically here is what we see - We restart haproxy, everything works great, then a few minutes later we have to restart it again (under production load).
Looking at the stats page I see the backend gets to around 50k sessions and then stuff just stops working.
Here is my config, can you check it out and help me understand how I should tune it?
global
log 127.0.0.1:22514 local2 debug
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
tune.ssl.default-dh-param 2048
defaults
log global
mode http
option httplog
option dontlognull
option http-server-close
timeout connect 50000000
timeout client 50000000
timeout server 50000000
maxconn 80000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend loadbalanced_main
log global
bind *:80
mode http
redirect scheme https if !{ ssl_fc }
acl web1 hdr(host) -i -m sub 1.a.com
acl web2 hdr(host) -i -m sub 2.a.com
acl web3 hdr(host) -i -m sub 3.a.com
use_backend ordweb1 if web1
use_backend ordweb2 if web2
use_backend ordweb3 if web3
default_backend loadbalanced_nodes
frontend loadbalanced_main_ssl
log global
bind *:443 ssl crt /etc/ssl/private/a.com.pem crt /etc/ssl/private/b.com.pem
reqadd X-Forwarded-Proto:\ https
acl web1 hdr(host) -i -m sub 1.a.com
acl web1 hdr(host) -i -m sub 1.b.com
acl web2 hdr(host) -i -m sub 2.a.com
acl web2 hdr(host) -i -m sub 2.b.com
acl web3 hdr(host) -i -m sub 3.a.com
acl web3 hdr(host) -i -m sub 3.b.com
use_backend ordweb1 if web1
use_backend ordweb2 if web2
use_backend ordweb3 if web3
default_backend loadbalanced_nodes
backend ordweb1
mode http
redirect scheme https if !{ ssl_fc }
balance roundrobin
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
server ordweb1 10.154.18.100:80 cookie check
backend ordweb2
mode http
redirect scheme https if !{ ssl_fc }
balance roundrobin
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
server ordweb2 10.154.18.8:80 cookie check
backend ordweb3
mode http
redirect scheme https if !{ ssl_fc }
balance roundrobin
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
server ordweb3 10.154.18.9:80 cookie check
backend loadbalanced_nodes
mode http
redirect scheme https if !{ ssl_fc }
balance roundrobin
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
cookie SRV insert indirect nocache
server ordweb1 10.154.18.100:80 check cookie ordweb1
server ordweb2 10.154.18.8:80 check cookie ordweb2
server ordweb3 10.154.18.9:80 check cookie ordweb3
listen stats
bind *:1936
stats enable
stats uri /
stats hide-version
stats auth nope:blah