Quantcast
Channel: Serverphorums.com - HAProxy
Viewing all 11674 articles
Browse latest View live

Re: Segfault / 1.8.5 / 9a083d1428b

March 27, 2018, 5:30 am
$
0
0
Hi Thierry,

On Tue, Mar 27, 2018 at 12:23:24AM +0200, Thierry Fournier wrote:
> (gdb) print h2s->cs->data_cb
> $3 = (const struct data_cb *) 0x0

Still this one ? :-(

> Tell me if you want the binary and the core, I will sent you.

Yes please, contact me off-list for this. I'm on several apparently
different ones, but I'm keeping my fingers crossed hoping they're all
different side effects from the same one!

Willy
Search

Re: email alert not working with 1.8.5

March 27, 2018, 7:10 am
$
0
0
Le 26/03/2018 à 16:58, Johan Hendriks a écrit :
> I just updated haproxy to 1.8.5 on my FreeBSD 11-Stable server.
>
> I just noticed we do not receive any email notifications anymore when a
> server goes down.
> We did not change the config.
>
> This is what i have in my config (relevant part)
>
> default
> # Mailer config
>     mailers alert-mailers
>     timeout mail 20s
>     mailer smtp1 localhost:25
>
> backend
>
> backend be_www0001
>     mode http
>     option http-server-close
>     option httpchk get /
>     http-check expect string www0001
>     default-server inter 3s fall 3 rise 2
>     email-alert mailers alert-mailers
>     email-alert from lb01@mydomain.nl
>     email-alert to push@haproxy.mydomain.nl
>
> In the maillog nothing comes in. I can send mail normally from the system.
> Also can connect and send with telnet from localhost on port 25.
>

Hi Johan,

You're right. Email alerts stopped working since the commit 2f3a56b4f
("BUG/MINOR: tcp-check: use the server's service port as a fallback").

The server's port is used instead of the mailer's one. I will send a
patch to fix this issue.

Thanks
--
Christopher Faulet

[PATCH] BUG/MINOR: email-alert: Set the mailer port during alert initialization

March 27, 2018, 7:10 am
$
0
0
Hi,

This patch fixes an issue about email alerts reported by Johan. It must
be backported in 1.8.

Johan, could you confirm it fixes the bug ?

Thanks
--
Christopher Faulet

IP rate limiting on EC2 and 100% CPU usage

March 27, 2018, 7:30 am
$
0
0
Hi,

I am using latest haproxy with EC2 elastic load balancer configured to
proxy TCP:443 <-> TCP:443 to support HTTP2. PROXY protocol is enabled to
get original IP address.

IP rate limiting is done using following config:

frontend fe_http
bind *:443 accept-proxy ssl crt ... no-sslv3 alpn h2,http/1.1

stick-table type ip size 256k expire 10s store http_req_rate(10s)
tcp-request inspect-delay 5s
# Must use "content" because of PROXY protocol.
tcp-request content track-sc0 src

acl check_http_req_rate sc0_http_req_rate ge 256
tcp-request content reject if check_http_req_rate
use_backend be_429_slow_down if check_http_req_rate

backend be_429_slow_down
errorfile 503 /etc/haproxy/errors/429.http

It works and is helpful until some point when haproxy consumes 100% CPU on
1 of 4 available cores and requests start failing. It can be that I need
better/more hardware, but I wonder if there is anything I can improve in my
config to lower CPU usage? Thanks in advance.

Logging actual fetched URL after request is re-written

March 27, 2018, 10:00 am
$
0
0
Hi all,
Logging with HTTP as standard, the %{+Q}r log variable records the requested URL in the logs. I'd like to also record the URL that's actually fetch after an http-request set-path directive is given (for debugging purposes). It's linked to an application that provides next to no debugging, and tcpdump isn't much help either - having it in haproxy logs would be really useful.
Can I do this or am I thinking too much outside the box? I tried setting a dynamic variable and then setting that in the frontend log-format, but it didn't seem to record anything even despite populating the variable.
Thanks

Re: Logging actual fetched URL after request is re-written

March 27, 2018, 10:10 am
$
0
0
Greetings,


On 03/27/2018 12:49 PM, Franks Andy (IT Technical Architecture Manager)
wrote:
>
> Hi all,
>
>   Logging with HTTP as standard, the %{+Q}r log variable records the
> requested URL in the logs. I’d like to also record the URL that’s
> actually fetch after an http-request set-path directive is given (for
> debugging purposes). It’s linked to an application that provides next
> to no debugging, and tcpdump isn’t much help either – having it in
> haproxy logs would be really useful.
>
> Can I do this or am I thinking too much outside the box? I tried
> setting a dynamic variable and then setting that in the frontend
> log-format, but it didn’t seem to record anything even despite
> populating the variable.
>

You should be able to add "http-request capture path len 32" at the end
of a frontend to capture the path after all the modifications.
Variables should work too, though without knowing exactly what your
variable rules looked like I can't guess as to why it didn't capture
anything.

- Chad
>
> Thanks
>

Re: Logging actual fetched URL after request is re-written

March 27, 2018, 10:10 am
$
0
0
Greetings,

Sorry, pressed wrong button so didn't include on CC.


On 03/27/2018 01:03 PM, Chad Lavoie wrote:
>
> Greetings,
>
>
> On 03/27/2018 12:49 PM, Franks Andy (IT Technical Architecture
> Manager) wrote:
>>
>> Hi all,
>>
>>   Logging with HTTP as standard, the %{+Q}r log variable records the
>> requested URL in the logs. I’d like to also record the URL that’s
>> actually fetch after an http-request set-path directive is given (for
>> debugging purposes). It’s linked to an application that provides next
>> to no debugging, and tcpdump isn’t much help either – having it in
>> haproxy logs would be really useful.
>>
>> Can I do this or am I thinking too much outside the box? I tried
>> setting a dynamic variable and then setting that in the frontend
>> log-format, but it didn’t seem to record anything even despite
>> populating the variable.
>>
>
> You should be able to add "http-request capture path len 32" at the
> end of a frontend to capture the path after all the modifications.
> Variables should work too, though without knowing exactly what your
> variable rules looked like I can't guess as to why it didn't capture
> anything.
>
> - Chad
>>
>> Thanks
>>
>

Re: Logging actual fetched URL after request is re-written

March 27, 2018, 10:20 am
$
0
0
Hi,

Le 27/03/2018 à 18:49, Franks Andy (IT Technical Architecture Manager) a
écrit :
> Hi all,
>
>   Logging with HTTP as standard, the %{+Q}r log variable records the
> requested URL in the logs. I’d like to also record the URL that’s
> actually fetch after an http-request set-path directive is given (for
> debugging purposes). It’s linked to an application that provides next to
> no debugging, and tcpdump isn’t much help either – having it in haproxy
> logs would be really useful.
>
> Can I do this or am I thinking too much outside the box? I tried setting
> a dynamic variable and then setting that in the frontend log-format, but
> it didn’t seem to record anything even despite populating the variable.

You should share your configuration to help diagnose what was wrong in it.
Something like this should work :
http-request set-path /rewritten
http-request set-var(txn.path_rewrite) path

log-format %{+Q}r\ %{+Q}[var(txn.path_rewrite)]


--
Cyril Bonté
Search

haproxy=1.8.5 stuck in thread syncing

March 28, 2018, 12:50 am
$
0
0
Hi!

Yesterday one of our haproxies (1.8.5) with nbthread=8 set in its config
stuck with 800% CPU usage. Some responses were served successfully but many
of them just timed out. perf top showed this:
59.19% [.] thread_enter_sync
32.68% [.] fwrr_get_next_server

We made a core and here is a full bt:
Core was generated by `/usr/sbin/haproxy'.
#0 0x000055a9807b984b in fwrr_get_next_server (p=p@entry=0x55a982e91c40,
srvtoavoid=srvtoavoid@entry=0x55a982eb7940) at src/lb_fwrr.c:473
473 HA_SPIN_LOCK(LBPRM_LOCK, &p->lbprm.lock);
(gdb) bt
#0 0x000055a9807b984b in fwrr_get_next_server (p=p@entry=0x55a982e91c40,
srvtoavoid=srvtoavoid@entry=0x55a982eb7940) at src/lb_fwrr.c:473
#1 0x000055a98078ab5d in assign_server (s=0x7f4bbc0906a0) at
src/backend.c:604
#2 0x000055a98078be6d in assign_server_and_queue (s=s@entry=0x7f4bbc0906a0)
at src/backend.c:872
#3 0x000055a98078d333 in srv_redispatch_connect (s=s@entry=0x7f4bbc0906a0)
at src/backend.c:1284
#4 0x000055a9807369d8 in sess_prepare_conn_req (s=0x7f4bbc0906a0) at
src/stream.c:1094
#5 process_stream (t=<optimized out>) at src/stream.c:2219
#6 0x000055a9807b1e68 in process_runnable_tasks () at src/task.c:311
#7 0x000055a980766ff4 in run_poll_loop () at src/haproxy.c:2399
#8 run_thread_poll_loop (data=<optimized out>) at src/haproxy.c:2461
#9 0x00007f4bcd00d184 in start_thread () from
/lib/x86_64-linux-gnu/libpthread.so.0
#10 0x00007f4bcc28b03d in clone () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) thread apply all bt

Thread 8 (Thread 0x7f4bcd888980 (LWP 133188)):
#0 fwrr_update_position (grp=0x55a982e92858, grp=0x55a982e92858,
s=0x55a982e9a2f0) at src/lb_fwrr.c:454
#1 fwrr_get_next_server (p=p@entry=0x55a982e91c40,
srvtoavoid=srvtoavoid@entry=0x55a982e9a2f0) at src/lb_fwrr.c:521
#2 0x000055a98078ab5d in assign_server (s=0x7f4bc05ed8c0) at
src/backend.c:604
#3 0x000055a98078be6d in assign_server_and_queue (s=s@entry=0x7f4bc05ed8c0)
at src/backend.c:872
#4 0x000055a98078d333 in srv_redispatch_connect (s=s@entry=0x7f4bc05ed8c0)
at src/backend.c:1284
#5 0x000055a9807369d8 in sess_prepare_conn_req (s=0x7f4bc05ed8c0) at
src/stream.c:1094
#6 process_stream (t=<optimized out>) at src/stream.c:2219
#7 0x000055a9807b1e68 in process_runnable_tasks () at src/task.c:311
#8 0x000055a980766ff4 in run_poll_loop () at src/haproxy.c:2399
#9 run_thread_poll_loop (data=<optimized out>) at src/haproxy.c:2461
#10 0x000055a9806d1a57 in main (argc=<optimized out>, argv=<optimized out>)
at src/haproxy.c:3050

Thread 7 (Thread 0x7f4bb3fff700 (LWP 133195)):
#0 0x000055a9807bbad6 in thread_sync_barrier (barrier=0x55a980a2f4e0
<barrier>) at src/hathreads.c:110
#1 thread_enter_sync () at src/hathreads.c:123
#2 0x000055a98076705e in sync_poll_loop () at src/haproxy.c:2376
#3 run_poll_loop () at src/haproxy.c:2431
#4 run_thread_poll_loop (data=<optimized out>) at src/haproxy.c:2461
#5 0x00007f4bcd00d184 in start_thread () from
/lib/x86_64-linux-gnu/libpthread.so.0
#6 0x00007f4bcc28b03d in clone () from /lib/x86_64-linux-gnu/libc.so.6

Thread 6 (Thread 0x7f4bc89d8700 (LWP 133194)):
#0 0x000055a9807bbad6 in thread_sync_barrier (barrier=0x55a980a2f4e0
<barrier>) at src/hathreads.c:110
#1 thread_enter_sync () at src/hathreads.c:123
#2 0x000055a98076705e in sync_poll_loop () at src/haproxy.c:2376
#3 run_poll_loop () at src/haproxy.c:2431
#4 run_thread_poll_loop (data=<optimized out>) at src/haproxy.c:2461
#5 0x00007f4bcd00d184 in start_thread () from
/lib/x86_64-linux-gnu/libpthread.so.0
#6 0x00007f4bcc28b03d in clone () from /lib/x86_64-linux-gnu/libc.so.6

Thread 5 (Thread 0x7f4bc91d9700 (LWP 133193)):
#0 0x000055a9807b984b in fwrr_get_next_server (p=p@entry=0x55a982e91c40,
srvtoavoid=srvtoavoid@entry=0x55a982eb28a0) at src/lb_fwrr.c:473
#1 0x000055a98078ab5d in assign_server (s=0x7f4bc0aa4690) at
src/backend.c:604
#2 0x000055a98078be6d in assign_server_and_queue (s=s@entry=0x7f4bc0aa4690)
at src/backend.c:872
#3 0x000055a98078d333 in srv_redispatch_connect (s=s@entry=0x7f4bc0aa4690)
at src/backend.c:1284
#4 0x000055a9807369d8 in sess_prepare_conn_req (s=0x7f4bc0aa4690) at
src/stream.c:1094
#5 process_stream (t=<optimized out>) at src/stream.c:2219
#6 0x000055a9807b1e68 in process_runnable_tasks () at src/task.c:311
#7 0x000055a980766ff4 in run_poll_loop () at src/haproxy.c:2399
#8 run_thread_poll_loop (data=<optimized out>) at src/haproxy.c:2461
#9 0x00007f4bcd00d184 in start_thread () from
/lib/x86_64-linux-gnu/libpthread.so.0
#10 0x00007f4bcc28b03d in clone () from /lib/x86_64-linux-gnu/libc.so.6

Thread 4 (Thread 0x7f4bc99da700 (LWP 133192)):
---Type <return> to continue, or q <return> to quit---
#0 0x000055a9807bbad6 in thread_sync_barrier (barrier=0x55a980a2f4e0
<barrier>) at src/hathreads.c:110
#1 thread_enter_sync () at src/hathreads.c:123
#2 0x000055a98076705e in sync_poll_loop () at src/haproxy.c:2376
#3 run_poll_loop () at src/haproxy.c:2431
#4 run_thread_poll_loop (data=<optimized out>) at src/haproxy.c:2461
#5 0x00007f4bcd00d184 in start_thread () from
/lib/x86_64-linux-gnu/libpthread.so.0
#6 0x00007f4bcc28b03d in clone () from /lib/x86_64-linux-gnu/libc.so.6

Thread 3 (Thread 0x7f4bca1db700 (LWP 133191)):
#0 0x000055a9807bbad6 in thread_sync_barrier (barrier=0x55a980a2f4e0
<barrier>) at src/hathreads.c:110
#1 thread_enter_sync () at src/hathreads.c:123
#2 0x000055a98076705e in sync_poll_loop () at src/haproxy.c:2376
#3 run_poll_loop () at src/haproxy.c:2431
#4 run_thread_poll_loop (data=<optimized out>) at src/haproxy.c:2461
#5 0x00007f4bcd00d184 in start_thread () from
/lib/x86_64-linux-gnu/libpthread.so.0
#6 0x00007f4bcc28b03d in clone () from /lib/x86_64-linux-gnu/libc.so.6

Thread 2 (Thread 0x7f4bca9dc700 (LWP 133190)):
#0 thread_sync_barrier (barrier=0x55a980a2f4e0 <barrier>) at
src/hathreads.c:110
#1 thread_enter_sync () at src/hathreads.c:123
#2 0x000055a98076705e in sync_poll_loop () at src/haproxy.c:2376
#3 run_poll_loop () at src/haproxy.c:2431
#4 run_thread_poll_loop (data=<optimized out>) at src/haproxy.c:2461
#5 0x00007f4bcd00d184 in start_thread () from
/lib/x86_64-linux-gnu/libpthread.so.0
#6 0x00007f4bcc28b03d in clone () from /lib/x86_64-linux-gnu/libc.so.6

Thread 1 (Thread 0x7f4bcb1dd700 (LWP 133189)):
#0 0x000055a9807b984b in fwrr_get_next_server (p=p@entry=0x55a982e91c40,
srvtoavoid=srvtoavoid@entry=0x55a982eb7940) at src/lb_fwrr.c:473
#1 0x000055a98078ab5d in assign_server (s=0x7f4bbc0906a0) at
src/backend.c:604
#2 0x000055a98078be6d in assign_server_and_queue (s=s@entry=0x7f4bbc0906a0)
at src/backend.c:872
#3 0x000055a98078d333 in srv_redispatch_connect (s=s@entry=0x7f4bbc0906a0)
at src/backend.c:1284
#4 0x000055a9807369d8 in sess_prepare_conn_req (s=0x7f4bbc0906a0) at
src/stream.c:1094
#5 process_stream (t=<optimized out>) at src/stream.c:2219
#6 0x000055a9807b1e68 in process_runnable_tasks () at src/task.c:311
#7 0x000055a980766ff4 in run_poll_loop () at src/haproxy.c:2399
#8 run_thread_poll_loop (data=<optimized out>) at src/haproxy.c:2461
#9 0x00007f4bcd00d184 in start_thread () from
/lib/x86_64-linux-gnu/libpthread.so.0
#10 0x00007f4bcc28b03d in clone () from /lib/x86_64-linux-gnu/libc.so.6

Version info:
# haproxy -vv
HA-Proxy version 1.8.5-1 2018/03/26
Copyright 2000-2018 Willy Tarreau <willy@haproxy.org>

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4
-Wformat -Werror=format-security -D_FORTIFY_SOURCE=2
OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_THREAD=1
USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_TFO=1 USE_NS=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
Running on OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.1
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT
IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.31 2012-07-06
Running on PCRE version : 8.31 2012-07-06
PCRE library supports JIT : no (libpcre build without JIT?)
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"),
deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace

Please take a look.

--
Best regards,
Maksim Kupriianov

Re: haproxy=1.8.5 stuck in thread syncing

March 28, 2018, 1:30 am
$
0
0
Le 28/03/2018 à 09:36, Максим Куприянов a écrit :
> Hi!
>
> Yesterday one of our haproxies (1.8.5) with nbthread=8 set in its config
> stuck with 800% CPU usage. Some responses were served successfully but
> many of them just timed out. perf top showed this:
>  59.19%  [.] thread_enter_sync
>  32.68%  [.] fwrr_get_next_server
>

Hi,

Could you share your configuration please ? It will help to diagnose the
problem. In your logs, what is the values of srv_queue and backend_queue
fields ?

Thanks,
--
Christopher Faulet

RE: Logging actual fetched URL after request is re-written

March 28, 2018, 5:10 am
$
0
0
Thanks Chad,
I found that setting the path in the frontend (instead of the backend) removed the selection of backend based on the path via acl, presumably because the rewrite is set before the acl is processed ; bit of a catch 22.
It's possible I misunderstand an implied concept of ordering the config but the acl was before we altered the path, which is where I'd imagine it should be to do the acl bit first. HA seems to like any backend selection stuff to be later in the frontend config I think too, so no go there - I couldn't select the backend before rewriting the path.
I also couldn't get the http-request capture path len 32 bit to work without using the log display of capture.req.hdr(idx) instead of just %[path] or path in there, said it needed access to the http headers which it didn't have, or something similar.

I found that I can record the rewritten URL though - just for reference I ended up realising from Cyril's example that I was using the wrong scope - setting a variable in the backend against the "req" scope didn't work, but the "txn" did record the necessary in the logs.


frontend ft_web_ssl
...
acl audioserve path_beg -i /audioserve
log-format %ci:%cp\ [id=%ID]\ [%t]\ %f\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ {%hrl}\ {%hsl}\ %{+Q}r\ %{+Q}[var(txn.filteredurl)]
use_backend bk_audioserve_3000 if audioserve
...

backend bk_audioserve_3000
mode http
option httplog
# issue with double slashes on certain URLs - need to raise with audioserve coder - https://github.com/izderadicka/audioserve
# also remove the /audioserve/ virtual directory as this app works from the root as a node.js webapp.
http-request set-var(txn.filteredurl) capture.req.uri,regsub(/audioserve[/]?,/,g),regsub(//,/,g)
http-request set-path %[var(txn.filteredurl)]
server www.andyjfranks.uk 127.0.0.1:3000

Thanks chaps!
Andy


From: Chad Lavoie [mailto:clavoie@haproxy.com]
Sent: 27 March 2018 18:04
To: haproxy@formilux.org
Cc: Franks Andy (IT Technical Architecture Manager)
Subject: Re: Logging actual fetched URL after request is re-written


Greetings,

Sorry, pressed wrong button so didn't include on CC.


On 03/27/2018 01:03 PM, Chad Lavoie wrote:

Greetings,

On 03/27/2018 12:49 PM, Franks Andy (IT Technical Architecture Manager) wrote:
Hi all,
Logging with HTTP as standard, the %{+Q}r log variable records the requested URL in the logs. I'd like to also record the URL that's actually fetch after an http-request set-path directive is given (for debugging purposes). It's linked to an application that provides next to no debugging, and tcpdump isn't much help either - having it in haproxy logs would be really useful.
Can I do this or am I thinking too much outside the box? I tried setting a dynamic variable and then setting that in the frontend log-format, but it didn't seem to record anything even despite populating the variable.

You should be able to add "http-request capture path len 32" at the end of a frontend to capture the path after all the modifications.
Variables should work too, though without knowing exactly what your variable rules looked like I can't guess as to why it didn't capture anything.

- Chad

Thanks

Cookies, load balancing, stick tables.

March 28, 2018, 5:20 am
$
0
0
Hi all,
Hopefully an easy one, but I can't really find the solution.
We've come up with a control system for haproxy, where we manually can clear stick table entries from a GUI. We're also using a cookie to set the server in a backend as we're expecting to deal with clients behind a nat device..

It's the customers (just internal IT in another dept) request that they should be able to close down a stick table entry and have the client not be able to go to that stick-table selected server AT ALL, even when presenting a cookie.
It seems to me that HA is designed to allow these cookie selected server connections irrespective of the stick table entries, so there are two ways to continue to me:


1) Have the application remove the separate cookie we insert when the application gets logged off or times out (timeout happens at 15 minutes of app idle time).

2) We get HAProxy to control the expiry time of the cookie we send over, and refresh that expiry each time a transaction happens.

3) Live with the imbalance of clients from NATted source ip addresses and ditch the cookie insertion.

We would all prefer #2, since the devs don't want to spend time redeveloping, and HAProxy can seemingly do just about anything! #3 would work, but removing entries from the stick table during testing or certain maintenance may well remove more than just the intended target.

Any ideas?
Thanks
Andy

Re: haproxy=1.8.5 stuck in thread syncing

March 28, 2018, 5:20 am
$
0
0
Hi!

I'm sorry but configuration it's too huge too share (over 100 different
proxy sections). This is also the reason I can't exactly determine the
failing section. Is there a way to get this data from core-file?

2018-03-28 11:18 GMT+03:00 Christopher Faulet <cfaulet@haproxy.com>:

> Le 28/03/2018 à 09:36, Максим Куприянов a écrit :
>
>> Hi!
>>
>> Yesterday one of our haproxies (1.8.5) with nbthread=8 set in its config
>> stuck with 800% CPU usage. Some responses were served successfully but many
>> of them just timed out. perf top showed this:
>> 59.19% [.] thread_enter_sync
>> 32.68% [.] fwrr_get_next_server
>>
>>
> Hi,
>
> Could you share your configuration please ? It will help to diagnose the
> problem. In your logs, what is the values of srv_queue and backend_queue
> fields ?
>
> Thanks,
> --
> Christopher Faulet
>

OCSP response missing in v1.8

March 28, 2018, 6:00 am
$
0
0
Hello,

We were using HAProxy 1.7 for a while in combination with a cron job
that fetches OCSP Staple data, stores it with the certificates as
..ocsp files per the [documentation][] and then uses 'set ssl
ocsp-response' on the administration [socket][] to update the running
server instance. We recently decided to finally upgrade to 1.8 and
everything seemed to be working well until we noticed that the OCSP
response is no longer being sent from the server.

Running a quick Git Bisect reveals
f6b37c67be277b5f0ae60438d796ff29ef19be40 introduced this regression in
the haproxy-1.8 tree. My uneducated initial guess is that it seems as
the default context has information about the certificate but not
about the OCSP Staple, however I am not familiar with how the contexts
are handled there. Is there someone who minds looking into this or at
least giving pointers so that I can try and propose a PATCH?

Cheers,
Valter J.

[documentation]:
https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5.1-crt
[socket]: https://cbonte.github.io/haproxy-dconv/1.8/management.html#9.3

Re: email alert not working with 1.8.5

March 28, 2018, 6:50 am
$
0
0
Op 27/03/2018 om 16:01 schreef Christopher Faulet:
> Le 26/03/2018 à 16:58, Johan Hendriks a écrit :
>> I just updated haproxy to 1.8.5 on my FreeBSD 11-Stable server.
>>
>> I just noticed we do not receive any email notifications anymore when a
>> server goes down.
>> We did not change the config.
>>
>> This is what i have in my config (relevant part)
>>
>> default
>> # Mailer config
>>      mailers alert-mailers
>>      timeout mail 20s
>>      mailer smtp1 localhost:25
>>
>> backend
>>
>> backend be_www0001
>>      mode http
>>      option http-server-close
>>      option httpchk get /
>>      http-check expect string www0001
>>      default-server inter 3s fall 3 rise 2
>>      email-alert mailers alert-mailers
>>      email-alert from lb01@mydomain.nl
>>      email-alert to push@haproxy.mydomain.nl
>>
>> In the maillog nothing comes in. I can send mail normally from the
>> system.
>> Also can connect and send with telnet from localhost on port 25.
>>
>
> Hi Johan,
>
> You're right. Email alerts stopped working since the commit 2f3a56b4f
> ("BUG/MINOR: tcp-check: use the server's service port as a fallback").
>
> The server's port is used instead of the mailer's one. I will send a
> patch to fix this issue.
>
> Thanks
Thank you Christopher.
I rechecked with 1.8.4 and then my e-mail alerts are working again.

Thanks for your time.

regards
Johan Hendriks
Search

Re: Warning: upgrading to openssl master+ enable_tls1_3 (coming v1.1.1) could break handshakes for all protocol versions .

March 28, 2018, 7:50 am
$
0
0
Hello Emeric,


On 12 January 2018 at 15:57, Emeric Brun <ebrun@haproxy.com> wrote:
> Hi All,
>
> FYI: upgrading to next openssl-1.1.1 could break your prod if you're using a forced cipher list because
> handshake will fail regardless the tls protocol version if you don't specify a cipher valid for TLSv1.3
> in your cipher list.
>
> https://github.com/openssl/openssl/issues/5057
>
> https://github.com/openssl/openssl/issues/5065
>
> Openssl's team doesn't seem to consider this as an issue and I'm just bored to discuss with them.


FYI OpenSSL did a 180 on this, they are implemented a new API call to
set TLSv1.3 ciphers and enable them by default:

https://github.com/mattcaswell/openssl/commit/d93e832a82087a5f9bcf7d93ed7ae21bc6c1fed0

https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html



cheers,
lukas

Re: Warning: upgrading to openssl master+ enable_tls1_3 (coming v1.1.1) could break handshakes for all protocol versions .

March 28, 2018, 8:40 am

Re: Segfault on haproxy 1.7.10 with state file and slowstart

March 28, 2018, 1:40 pm
$
0
0
Hi Willy, Baptiste

It looks like this was the intended behaviour as per the documentation. But
it looks to be simple to enable the init-addr behaviour for IP addresses as
well. Can you please review the attached patch, this is against devel.

Re: haproxy=1.8.5 stuck in thread syncing

March 29, 2018, 2:30 am
$
0
0
Le 28/03/2018 à 14:16, Максим Куприянов a écrit :
> Hi!
>
> I'm sorry but configuration it's too huge too share (over 100 different
> proxy sections). This is also the reason I can't exactly determine the
> failing section. Is there a way to get this data from core-file?
>
> 2018-03-28 11:18 GMT+03:00 Christopher Faulet <cfaulet@haproxy.com
> <mailto:cfaulet@haproxy.com>>:
>
> Le 28/03/2018 à 09:36, Максим Куприянов a écrit :
>
> Hi!
>
> Yesterday one of our haproxies (1.8.5) with nbthread=8 set in
> its config stuck with 800% CPU usage. Some responses were served
> successfully but many of them just timed out. perf top showed this:
>   59.19%  [.] thread_enter_sync
>   32.68%  [.] fwrr_get_next_server
>
>
> Hi,
>
> Could you share your configuration please ? It will help to diagnose
> the problem. In your logs, what is the values of srv_queue and
> backend_queue fields ?
>

Hi,

Ok, I partly reproduce your problem using a backend, with an hundred
servers and a maxconn to 2 for each one. In this case, I observe same
CPUs consumption. I have no timeouts (it probably depends on your
values) but performances are quite low.

I think you're hitting a limitation of the current design. We have no
mechanism to migrate entities between threads. So to force threads
wakeup, we use the sync point. It was not designed to be called very
often. In your case, it eats all the CPU.

I attached 3 patches. They add a mechanism to wakeup threads selectively
without any lock or loop. They must be applied on HAProxy 1.8 (it will
not work on the upstream). So you can check if it fixes your problem or
not. It will be useful to validate it is a design limitation and not a bug.

This is just an experimentation. I hope it works well but I didn't do a
lot of testing. If yes, I'll then discuss with Willy if it is pertinent
or not to do the threads wakeup this way. But, in all cases, it will
probably not be backported in HAProxy 1.8.

--
Christopher Faulet

patch (cleanup unused labels)

March 29, 2018, 3:20 am
$
0
0
please review the patch attached

cheers,
Ilya Shipitsin
Viewing all 11674 articles
Browse latest View live
Search