We have a haproxy that load balances two servers say app1 and app2 . We have set weights for each of these for instance app1 has weights 255 and the other has app2 0. If any case app1 goes down how to transfer the session and connection seamless to app. Is there we can achieve it through haproxy. We will attach our haproxy config below kindly guide us
global
log 127.0.0.1 local0
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
stats socket /etc/haproxy/haproxysock level admin
daemon defaults
mode http
log global
option dontlognull
option http-server-close
option httplog
option redispatch
timeout connect 10000
timeout client 300000
timeout server 300000
maxconn 60000
retries 3
stats uri /haproxy_stats
stats realm HAProxy\ Statistics
stats auth hadmin:unMetric_2012
frontend main *:5000
acl is_app path_beg -i /static /images /javascript /stylesheets /js
acl is_app path_end -i .jpg .gif .png .css .js
acl is_app path_end -i /app/
use_backend app if is_app
default_backend app backend static
balance roundrobin
server static 127.0.0.1:4331 check backend app option httpchk GET /app
balance roundrobin
reqrep ^([^\ :]*)/app((/?.*)*) \1/app\2
cookie uid preserve indirect
stick-table type string len 40 size 5M expire 60m
stick store-response set-cookie(sid) table app stick on cookie(sid) table app
stick on url_param(sid) table app server app1 demo1.unmetric.com:8080 cookie s1 weight 255 check
server app2 demo2.unmetric.com:8080 cookie s2 weight 0 check
haproxy does not handle your backend app session replication.
It uses cookie or request parameter for stickiness but your backend app should handle its session replication by itself.
Related
I use HAproxy for the first time. This is my HAproxy conf. file and everything works right without FTP connection.
Also, Installed pure-ftp on other guest servers, do I have to make a change in guest machines?
I can not access the servers via FTP.
global
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
#log loghost local0 info
maxconn 4096
chroot /var/lib/haproxy
user haproxy
group haproxy
daemon
#debug
#quiet
stats socket /var/lib/haproxy/stats
defaults
log global
mode http
option httplog
option dontlognull
retries 3
redispatch
maxconn 2000
contimeout 5000
clitimeout 50000
srvtimeout 50000
listen stats
bind *:8080
mode http
option forwardfor
option httpclose
stats enable
stats show-legends
stats refresh 5s
stats uri /stats
stats realm Haproxy\ Statistics
stats auth hello:world
stats admin if TRUE
frontend MAIN
bind *:21
bind *:80
bind *:143
bind *:443
bind *:993
mode http
acl server1_URL hdr_dom(host) -i domain1.com
acl server2_URL hdr_dom(host) -i domain2.com
use_backend server1 if server1_URL
use_backend server2 if server2_URL
backend server1
mode http
server web-first 192.168.1.2:80
backend server2
mode http
server web-first 192.168.1.3:80
I tried this: it did not work
listen FTP :21,:10000-10250
mode tcp
server ftp01 192.168.1.2 check port 21
server ftp01 192.168.1.3 check port 21
What should I do for it?
Thank you.
You'll need to set the ForcePassiveIP setting in the pure-ftpd configuration file. It should be set to the ip of the frontend proxy. Also, make sure the PassivePortRange setting matches what you have in your HAproxy configuration.
The FTP protocol is not straightforward to proxy as it makes multiple connections, though doing it at the tcp layer ought to be okay.
i want to make one website(lets say blocked.com) that is not accessible from my country to be accessible for my clients throue the custom url like notblocked.com using haproxy.
i have my haproxy box configured on the vps outside of the country. the main problem is,that website sending url redirection on the response body using javascript function and my clients getting redirected to the original web address.
how can i intersept the response body and change the domain name in the java scrip to my domain (notblocked.com) .
haproxy configuration
global
log 127.0.0.1 local0
maxconn 4000
maxsslconn 256
tune.ssl.default-dh-param 2048
daemon
uid 99
gid 99
defaults
log global
mode http
option httplog
option dontlognull
timeout server 5s
timeout connect 5s
timeout client 5s
stats enable
stats refresh 10s
stats uri /stats
frontend https_frontend
bind *:443 ssl crt /etc/ssl/certs/kstore.pem
no option http-server-close
mode http
default_backend web_server
http-request set-header Host blocked.com
backend web_server
mode http
balance roundrobin
server srv01 1.2.3.4:443 weight 1 maxconn 100 check ssl verify none
thanks
The Haproxy documentation (http://cbonte.github.io/haproxy-dconv/1.7/intro.html#3.3.2) lists as a basic feature:
authentication with the backend server lets the backend server it's really the expected haproxy node that is connecting to it
I have been attempting to do just that and have been unable to. So here's the question:
How do I send a request off to a backend with self signed certificates for authentication. The front-end request that uses this backend, is just http.
Here's my haproxy.cfg file:
global
maxconn 4096
daemon
log 127.0.0.1 local0
defaults
log global
option dontlognull
retries 3
option redispatch
maxconn 2000
timeout connect 5s
timeout client 15min
timeout server 15min
frontend public
bind *:8213
use_backend api if { path_beg /api/ }
default_backend web
backend web
mode http
server blogweb1 127.0.0.1:4000
backend api
mode tcp
acl clienthello req.ssl_hello_type 1
tcp-request inspect-delay 5s
tcp-request content accept if clienthello
server blogapi 127.0.0.1:8780
I eventually got this to start working. I believe what was throwing me off was the fact that after doing a haproxy -f <configFile> -st it didn't actually close the process like I thought it would. So, none of my changes/updates took. I kill -9 the tens of haproxy service and reran the command (haproxy -f ) and now it's working.
Now, this is a hypothesis, albeit one I am very confident in. I will still present my final configuration just in case someone will glean something from here. I used https://www.haproxy.com/doc/aloha/7.0/deployment_guides/tls_layouts.html. That link answers the question I had of "how do you authenticate to the backend using ssl" like the docs say you can.
global
maxconn 4096
daemon
log 127.0.0.1 local0
defaults
log global
option dontlognull
retries 3
option redispatch
maxconn 2000
timeout connect 5s
timeout client 15min
timeout server 15min
frontend public
bind *:443
mode http
use_backend api if { path_beg /api/ }
backend api
mode http
option httplog
server blogapi 127.0.0.1:4430 ssl ca-file <caFile.Pem> crt <clientCert.pem> verify required
I have an application that is deployed on tomee server. For load balancing the requests we have configure HAProxy with 'roundrobin' algorithm. But I am not able to login to my application with this algorithm . In the login page, after entering the application login credentials it is redirected to the same login page. There are no errors in the log. Where as if I change the algorithm to 'source' , we are able to login to the application. Below is the HAProxy configuration:
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
user haproxy
group haproxy
daemon
nbproc 1
stats socket /var/lib/haproxy/stats
defaults
mode http
log global
option httplog
option dontlognull
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
frontend abc-virtual
bind 1.2.3.4:1111
default_backend abc-servers
backend abc-servers
balance roundrobin
mode http
stats enable
stats uri /haproxy?status
server abc-qa-server1 1.2.3.4:8080 check weight 40
server abc-qa-server2 1.2.3.5:8080 check weight 40
yes, you can only use "source" rather than roundrobin .
I'm running HAProxy 1.4.24 behind LB. SSL terminates on LB. I want to redirect http requests to https. I have following config:
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
frontend httpIn *:7258
maxconn 100000
option forwardfor header x-forwarded-for
acl is_http hdr(X-Forwarded-Proto) http
redirect scheme https code 301 if is_http
default_backend app
backend app
balance roundrobin
cookie LBSTICKY insert indirect nocache httponly secure maxlife 8h
server app1 10.10.10.10:8080 cookie app1
server app2 10.10.10.11:8080 cookie app2
My problem is the line
redirect scheme https code 301 if is_http
which generates the following error when running haproxy -f /etc/haproxy/haproxy.cfg -c :
[ALERT] 026/210541 (8482) : parsing [/etc/haproxy/haproxy.cfg:67] : 'redirect' expects 'code', 'prefix', 'location', 'set-cookie', 'clear-cookie', 'drop-query' or 'append-slash' (was 'scheme').`
I rechecked documentation which says I'm using correct syntax for redirect. Any ideas?
redirect scheme is indeed not available in HAProxy 1.4.24. Right now, it is available in HAProxy 1.5-dev13 and newer as well as in HAProxy 1.4.25 and newer, including the haproxy-1.4 master.
The documentation you had a look at was probably the one by Cyril Bonté which currently is generated from the 1.4 master, not the 1.4.24 release.
As such, you could either upgrade to one of the named versions or work around the limitation. A common workaround is to use redirect prefix like this
redirect prefix https://domain.com if is_http { hdr(host) -i domain.com }
This rule has to be enumerated for each hostname where you want the redirect to happen.
This option is available on HAProxy 1.5...
You have to use redirect location in 1.4 branch for this purpose.
Baptiste