How does the HAProxy Data Plane API guarantee consistency between instances?

The HAProxy Data Plane API is an executable (details on GitHub here) which runs alongside HAProxy and provides a REST API that can be used to configure HAProxy while it is running, thus providing a control plane for HAProxy.

If multiple instances of HAProxy are running, how do you ensure configuration consistency across all instances? For example, if the configuration of an instance is changed via a REST call to the API, how can this change be communicated to all instances?

debian – HAProxy + Dovecot + Gluster

I am looking to install 2 Dovecot servers behind HAProxy using Gluster for a high availability solution. From the reading I did, it seems that Dovecot strongly suggests using the dovecot manager when both Dovecot servers have access to the same file system.

However – in this case where the traffic is first routed via HAProxy, would it even work in this configuration?

Currently I plan to use balance source in haproxy to gain affinity. I have also set mmap_disable = yes.

Are there any recommendations on how best to manage this configuration?

Thank you!

What kind of server should I get for HAProxy for approximately 9,000 simultaneous online users?

Hello

I would like to have your recommendations on the specifications of a HAProxy server that I would like to put online for about 9000 simultaneous users …

I prefer to have a dedicated server …

I would also like your opinion on how to set up a MariaDB database of around 80 GB with 80% reads and 20% writes …

Should I use MaxScale or ProxySQL? Keep all servers synchronized at the same time, or keep one server for writes and the rest for reads? How do I scale the records as well?

I find sharding a bit complex for now …

Thank you

Too many NIC interrupts caused a performance problem on the haproxy server

I have an Ubuntu 18.04.1 server with an 8-core processor and 8 GB of memory; it's a cloud server based on KVM virtualization. I use haproxy 1.8.8 to spread the load across my servers. The problem is that when I run a load test against my server with the ab tool or wrk, I can see that only one of the CPUs is 100% busy (core7), and most of that is soft interrupts, so I checked /proc/interrupts:

      CPU0       CPU1       CPU2       CPU3       CPU4       CPU5       CPU6       CPU7
  0:         30          0          0          0          0          0          0          0   IO-APIC   2-edge      timer
  1:          0          9          0          0          0          0          0          0   IO-APIC   1-edge      i8042
  6:          0          0          0          3          0          0          0          0   IO-APIC   6-edge      floppy
  8:          0          0          1          0          0          0          0          0   IO-APIC   8-edge      rtc0
  9:          0          0          0          0          0          0          0          0   IO-APIC   9-fasteoi   acpi
 10:          0          0        102          0          0          0          0   24228261   IO-APIC  10-fasteoi   virtio0, eth1, eth0
 11:          0          0          0          0          0          0          0         32   IO-APIC  11-fasteoi   uhci_hcd:usb1
 12:         15          0          0          0          0          0          0          0   IO-APIC  12-edge      i8042
 14:          0          0          0          0          0          0          0          0   IO-APIC  14-edge      ata_piix
 15:          0          0          0          0          0          0    1453248          0   IO-APIC  15-edge      ata_piix
 24:          0          0          0          0          0          0          0          0   PCI-MSI 131072-edge      virtio1-config
 25:          0          0          0          0         15          0          0          0   PCI-MSI 131073-edge      virtio1-virtqueues
 26:          0          0          0          0       5791    2805745          0          0   PCI-MSI 114688-edge      ahci(0000:00:07.0)
NMI:          0          0          0          0          0          0          0          0   Non-maskable interrupts
LOC:   14654751    6657243    5811366    5270649   14966993    4797078    5687129    8545399   Local timer interrupts
SPU:          0          0          0          0          0          0          0          0   Spurious interrupts
PMI:          0          0          0          0          0          0          0          0   Performance monitoring interrupts
IWI:          0          0          0          0          0          0          0          1   IRQ work interrupts
RTR:          0          0          0          0          0          0          0          0   APIC ICR read retries
RES:    2572806    2980772    2435576    2151656    1887449    2366833    2404309    1967901   Rescheduling interrupts
CAL:     638862     508650     531191     579853     596146     636037     652622     655700   Function call interrupts
TLB:      62859      43397      20200       6237       4423      11681      18652       4408   TLB shootdowns
TRM:          0          0          0          0          0          0          0          0   Thermal event interrupts
THR:          0          0          0          0          0          0          0          0   Threshold APIC interrupts
DFR:          0          0          0          0          0          0          0          0   Deferred Error APIC interrupts
MCE:          0          0          0          0          0          0          0          0   Machine check exceptions
MCP:       4706       4706       4706       4706       4706       4706       4706       4706   Machine check polls
HYP:          0          0          0          0          0          0          0          0   Hypervisor callback interrupts
ERR:          0
MIS:          0
PIN:          0          0          0          0          0          0          0          0   Posted-interrupt notification event
NPI:          0          0          0          0          0          0          0          0   Nested posted-interrupt event

which shows me that there are many interrupts sent by the network card.

Options that I tried that had no effect:

  1. disabling irqbalance,
  2. using smp_affinity to spread IRQ 10 across multiple cores (this does not
     even work: IRQ 10 stays stuck on the same core no matter how I change
     smp_affinity, and I've read articles saying that in this situation it
     will not improve performance anyway),
  3. increasing the MTU up to 9,000,
  4. increasing the size of the RX ring buffer up to 2048,
  5. and a lot of sysctl settings!

I've also noticed that I have a lot of RX errors on my eth0:

eth0: flags=4163  mtu 1500
    inet 185.8.174.227  netmask 255.255.255.0  broadcast 185.8.174.255
    inet6 fe80::84f9:91ff:fe5e:c862  prefixlen 64  scopeid 0x20
    ether 86:f9:91:5e:c8:62  txqueuelen 1000  (Ethernet)
    RX packets 19862876  bytes 8071862301 (8.0 GB)
    RX errors 1746656  dropped 0  overruns 0  frame 1746656
    TX packets 22127410  bytes 13038619281 (13.0 GB)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Here is the global section of my haproxy.cfg:

global
    nbproc 2

    #log /dev/log   local0
    #log /dev/log   local1 notice
    chroot /var/lib/haproxy
    #stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    #stats timeout 30s
    user haproxy
    group haproxy
    daemon
    maxconn 10000
    # tune.ssl.default-dh-param 2048

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    #ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    #ssl-default-bind-options no-sslv3

So what's wrong with my server? Any help would be appreciated.
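In the /proc/interrupts output above, IRQ 10 (virtio0, eth0/eth1) is serviced entirely by CPU7, while the two nbproc worker processes are free to be scheduled on that same core. One HAProxy-side mitigation is to pin the workers to the other cores with cpu-map (available in HAProxy 1.8) so that CPU7 is left to the NIC's softirq work; this is an added example, not the poster's configuration, and it assumes the poster's CPU numbering. It does not change the fact that a single-queue virtio NIC delivers all its interrupts to one core.

```haproxy
global
    nbproc 2
    # Keep both worker processes off CPU7, which services IRQ 10 (virtio0,
    # eth0/eth1) according to /proc/interrupts, so softirq packet processing
    # on that core does not compete with HAProxy for CPU time.
    cpu-map 1 0-2
    cpu-map 2 3-6
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    maxconn 10000
```

Check the effect with the same load test and /proc/interrupts (and top per-CPU view) before and after: the NIC's interrupt count on CPU7 stays, but HAProxy user time should now appear on CPU0-CPU6 only.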

HAProxy as a TCP load balancer (SSL link) does not work?

I have some difficulties configuring HAProxy as a TCP Load Balancer (Layer 4) and would like to have your opinion on it.

I have followed many guides on the Web and have arrived at this configuration (it shows no errors in the logs and starts fine):

Note: real domain names are hidden.

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
 daemon
 user                haproxy
 group               haproxy
 log                 /dev/log local6 debug
 maxconn             50000
 chroot              /var/lib/haproxy
 pidfile             /var/run/haproxy.pid

#---------------------------------------------------------------------
# common defaults 
#---------------------------------------------------------------------
defaults
 mode                 tcp
 log                  global
 option               dontlognull
 timeout connect      5000
 timeout client       50000
 timeout server       50000

#---------------------------------------------------------------------
# dedicated stats page
#---------------------------------------------------------------------
listen stats
 mode http
 bind :22222
 stats enable
 stats uri            /haproxy?stats
 stats realm          Haproxy Statistics
 stats auth           xxxxxx:xxxxxxxx
 stats refresh        30s

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend main_https_listen
 bind *:443
 mode                tcp
 option              tcplog

 # -------------------------------
 # ACLs - SIT
 # -------------------------------
 acl acl_SIT_CI5      req.ssl_sni -i url1.domain.net
 acl acl_SIT_HR8      req.ssl_sni -i url2.domain.net

 # -------------------------------
 # Conditions - SIT
 # -------------------------------
 use_backend backend_SIT_CI5 if acl_SIT_CI5
 use_backend backend_SIT_HR8 if acl_SIT_HR8

#---------------------------------------------------------------------
# Backends
#---------------------------------------------------------------------

backend backend_SIT_CI5
 mode tcp
 balance source
 option ssl-hello-chk
 server server_SIT_CI5_1 host1.domain.net:443 check
 server server_SIT_CI5_2 host2.domain.net:443 check

backend backend_SIT_HR8
 mode tcp
 balance source
 option ssl-hello-chk
 server server_SIT_HR8_1 host1.domain.net:443 check
 server server_SIT_HR8_2 host2.domain.net:443 check

I pointed host1.domain.net to my haIPx (it has a keepalived configuration with a virtual IP address).

Now, when accessing https://host1.domain.net, I get the error "This page cannot be displayed. Enable TLS 1.0, TLS 1.1, and TLS 1.2 in the advanced settings and try logging in to https://host1.domain.net again."

Do you have any idea what I did wrong?
Also, do I need to configure certificates when listening on 443?
(Even though I do not want these certificates to be decrypted or anything; I only want HAProxy to act as a proxy.)

haproxy -vv gives:

HA-Proxy version 1.5.18 2016/05/10
Copyright 2000-2016 Willy Tarreau 

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
  OPTIONS = USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1     USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.2k-fips  26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips  26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT     IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.
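Routing on req.ssl_sni in TCP mode only works if HAProxy waits for the ClientHello before evaluating the use_backend rules; without a tcp-request inspect-delay the SNI is still empty when the rules run, no backend matches, and the connection is closed, which the browser reports as a TLS error. Below is a corrected frontend (an added example, not the poster's configuration); the backends stay as posted, and no certificate is needed on the bind line because TLS is passed through unterminated.

```haproxy
frontend main_https_listen
 bind *:443
 mode   tcp
 option tcplog

 # Give the client up to 5 seconds to send its ClientHello so that
 # req.ssl_sni is populated before the use_backend rules are evaluated.
 tcp-request inspect-delay 5s
 # req.ssl_hello_type 1 is a ClientHello: stop waiting as soon as it arrives.
 tcp-request content accept if { req.ssl_hello_type 1 }

 acl acl_SIT_CI5 req.ssl_sni -i url1.domain.net
 acl acl_SIT_HR8 req.ssl_sni -i url2.domain.net

 use_backend backend_SIT_CI5 if acl_SIT_CI5
 use_backend backend_SIT_HR8 if acl_SIT_HR8
 # A connection whose SNI matches neither ACL has no backend and is dropped;
 # add a default_backend here if a fallback is wanted instead.
```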

load balancing – Nginx equivalent of HAproxy cookie prefix

We are migrating from HAProxy to nginx. With HAProxy, we use something like this:

cookie SESSIONID prefix
server websvr1 192.168.1.71:80 weight 1 maxconn 512 cookie 1 check
server websvr2 192.168.1.72:80 weight 1 maxconn 512 cookie 2 check

This allows the client to send the cookie as 1~SESSIONID and HAProxy will remove the prefix.

Can Nginx achieve the same goal?

single sign-on – SSO with HAProxy error ALOHA 11

I have configured single sign-on using the unique signature of the template (V1.2.3).
When I try to connect, I get this error:
"Application prohibited by the administrative rules"

And this one in the system log: "user.err HAProxy-sso: (03) The domain variable is not set. Deny"

I really do not know where this domain variable should be set.

Thanks for the help!

Cannot get HTTP redirection to HTTPS when using multiple backends in haproxy?

So, basically, I have 2 different applications running on ports 5000 and 30000 on a single Ubuntu server. Both of these applications must be mapped through haproxy using their respective port numbers.

What I have tried until now:

frontend http-in
    mode    http

    bind *:80
    bind *:443 ssl crt /etc/ssl/private/mydomain.pem
    http-request redirect scheme https code 301 if !{ ssl_fc }
    acl path-employeeListnew              path_beg -i /
    use_backend backend1               if path-employeeListnew

    acl path-employeeList              path_beg -i /ProcessDesigner
    use_backend backend1               if path-employeeList

    acl path-employeeListfinal            path_beg -i /ProcessCore
    use_backend backend2               if path-employeeListfinal

backend backend1
    mode    http

    option  httplog
    option  forwardfor
    reqrep  ^([^\ :]*)\ /ProcessDesigner/?(.*)$  \1\ /\2

    server  backend1  206.189.22.155:30000

backend backend2
    mode    http

    option  httplog
    option  forwardfor
    reqrep  ^([^\ :]*)\ /ProcessCore/?(.*)$  \1\ /\2

    server  backend2 206.189.22.155:5000

Using this configuration, I can access only the first application at https://206.189.22.155/ProcessDesigner, but when I try to access the second application at https://206.189.22.155/ProcessCore, I get 404 Not Found (nginx/1.17.4). I'm starting to think that I have to use multiple frontends for this. What exactly is the problem here?
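use_backend rules are evaluated in order and the first match wins, so an ACL of path_beg -i / placed first captures every request, including /ProcessCore, and backend2 is never selected; the 404 then comes from the application on port 30000. The frontend below (an added example, not the poster's configuration; backends unchanged) tests the specific prefixes first and uses default_backend for everything else.

```haproxy
frontend http-in
    mode    http
    bind *:80
    bind *:443 ssl crt /etc/ssl/private/mydomain.pem
    # Redirect plain HTTP to HTTPS before any routing decision.
    http-request redirect scheme https code 301 if !{ ssl_fc }

    # Most specific prefixes first: use_backend rules are evaluated in order
    # and the first matching rule wins, so a catch-all must never come first.
    acl path-processcore      path_beg -i /ProcessCore
    acl path-processdesigner  path_beg -i /ProcessDesigner
    use_backend backend2 if path-processcore
    use_backend backend1 if path-processdesigner

    # Everything else (including "/") goes to backend1; this replaces the
    # "path_beg -i /" ACL that previously matched every request.
    default_backend backend1
```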

HAProxy – Dynamic update of SSL certificates without reloading

We currently use HAProxy to handle TLS termination for thousands of domains, all of which have regular Let's Encrypt rotation.

The relevant configuration looks like this:

frontend https-in

    bind *:443 ssl strict-sni no-sslv3 crt /usr/src/data/certs/

and /usr/src/data/certs/ is filled with a bunch of .pem files.

SSL certificates change all the time because they must be renewed individually, or new domains are added to / removed from our system. At the moment, we solve this by writing all the certificates to /usr/src/data/certs/ and performing a zero-downtime haproxy reload. This is tedious because we get a very large memory spike when reloading, since the new instance reads in the full set of certificates while the old instance continues to run.

We are currently looking at some of the capabilities of the HAProxy Unix socket commands and see the many things we can make dynamic (ACLs, maps, etc.). I wonder if we can take a similar approach to synchronize certificates and avoid the constant reload behavior.

We use HAProxy 1.9 to experiment, but we are not married to a particular version for that. Thank you for any help or suggestions!

HAProxy: how to wait a little before trying again

I have a HAProxy load balancer (v2.0) in front of many web servers.

When I restart the web servers, the TCP socket remains closed for a few seconds (about 10 seconds). For this reason, I would like to retry unsuccessful connection attempts after a few seconds.

I'm already using option redispatch. However, it seems that this does not solve my problem. The problem is that the request is retried immediately (after 1s), thus causing all attempts to fail. From the HAProxy documentation:

In order to avoid immediate reconnections on a server being restarted,
a min delay ("timeout connect", one second) is applied before
a new attempt occurs.

Is there an option to wait a little longer (e.g. 10 seconds) before retrying? Or do you have another solution?