I am configuring the haproxy.cfg file for haproxy. i need to add cipher suite in this file. for that i am using bind command. My bind command is as below.
bind 0.0.0.0:443 ssl crt /etc/ssl/certs/private1.pem nosslv3
prefer-server-ciphers ciphers
TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:#STRENGTH
With bind command bind *:443 it is working fine. once i add the other arguments its throwing error.
After including this command in haproxy.cfg file and restarting the haproxy service. i am getting the error.
**
[ALERT] 164/074924 (31084) : parsing [/etc/haproxy/haproxy.cfg:80] : 'bind' only supports the 'transparent', 'defer-accept', 'name', 'id', 'mss' and 'interface' options.
[ALERT] 164/074924 (31084) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT] 164/074924 (31084) : Fatal errors found in configuration.
Errors in configuration file, check with haproxy check.
**
For resolving this issue i tried to install "libssl-dev" package. but i am not able to install that package also.
**Please guide me to do this. and i need to know is it neccesary to give the pem file entry in bind, or i can directly include cipher itself like this.
bind *:8443 ciphers TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:#STRENGTH**
Appending my haproxy.cfg file below.
**#---------------------------------------------------------------------
# Example configuration for a possible web application. See the
# full configuration options online.
#
# http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
#---------------------------------------------------------------------
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
#
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
#---------------------------------------------------------------------
# main frontend which proxys to the backends
frontend inbound
mode http
bind 0.0.0.0:443 ssl crt /etc/ssl/certs/private1.pem nosslv3 prefer-server-ciphers ciphers TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:#STRENGTH
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
backend postgresqlcluster1
mode http
balance roundrobin
server postgres1 192.44.9.101:8080 check**
You need to be using 1.5-dev19+ (current is 15.-dev26) to utilize any of the ssl functionality; based on the error and the config excerpt, it looks like you are running 1.4.
Related
I have the following setup in HAProxy
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
defaults
log global
retries 2
option dontlognull
timeout connect 10000
timeout server 600000
timeout client 600000
frontend https
bind 5.x.x.x:443
default_backend https
backend https
mode tcp
balance roundrobin
option tcp-check
server traefik 192.168.128.5:9443 check fall 3 rise 2
And it works as expected, the backend server "traefik" is doing the SSL termination of the requests.
The thing is the client source IP I get in the backend server is the HAProxy's IP and I would like to pass the source IP to the backend server.
Is it possible at all? because I tried all the options I saw in internet.
Thanks.
At the end the solution was to use https://www.haproxy.com/blog/haproxy/proxy-protocol/ as it is supported by HAProxy and traefik.
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
defaults
log global
retries 2
option dontlognull
timeout connect 10000
timeout server 600000
timeout client 600000
frontend https
bind 5.x.x.x:443
default_backend https
backend https
mode tcp
balance roundrobin
option tcp-check
server traefik 192.168.128.5:9443 check fall 3 rise 2 send-proxy
And enabling traefik's entrypoint Proxy Protocol as described here: https://docs.traefik.io/configuration/entrypoints/#proxyprotocol
what is the equivalent of Nginx pass_proxy this in HAProxy
location /{
proxy_pass https://WebApplication.azurewebsites.net;
}
I tried to test this configuration but I receive 404 when I point to any backend server with the below configuration without using ACLs on root for example with self signed certificate
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
log /dev/log local0
log /dev/log local1 notice
user haproxy
group haproxy
maxconn 16000
stats socket /var/lib/haproxy/stats level admin
tune.bufsize 32768
tune.maxrewrite 1024
tune.ssl.default-dh-param 2048
daemon
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
#---------------------------------------------------------------------
#HAProxy Monitoring Config
#---------------------------------------------------------------------
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
#---------------------------------------------------------------------
# FrontEnd Configuration
#---------------------------------------------------------------------
frontend fe_http_sne_in
bind *:443 ssl crt /etc/ssl/private/mydomain.pem
option forwardfor
default_backend be_default
backend be_default
mode http
option forwardfor
http-request add-header X-Forwarded-For %[src]
server srv02 www.google.com:443 ssl verify none
I receive 404 when pointing to any backend server tested with bing, google as urls ...
I suggest to use the following config
frontend fe_http_sne_in
bind *:443 ssl crt /etc/ssl/private/mydomain.pem
option forwardfor
use_backend be_sne_insecure if { path_beg /test}
default_backend be_default
backend be_default
...
backend be_sne_insecure
mode http
option forwardfor
http-request replace-header Host .* WebApplication.azurewebsites.net
server srv01 WebApplication.azurewebsites.net:443 ssl verify none
In the Blog post Introduction to HAProxy ACLs is the acl explained
I'm trying to serve SonarQube using Caddy. I'm able to view the site, but it returns 502 Bad Gateway. The service appears to be up and running. Also curling locally is rejected.
curl
curl -I 0.0.0.0:9000
curl: (7) Failed to connect to 0.0.0.0 port 9000: Connection refused
sonar.properties
#--------------------------------------------------------------------------------------------------
# WEB SERVER
# Web server is executed in a dedicated Java process. By default heap size is 512Mb.
# Use the following property to customize JVM options.
# Recommendations:
#
# The HotSpot Server VM is recommended. The property -server should be added if server mode
# is not enabled by default on your environment:
# http://docs.oracle.com/javase/8/docs/technotes/guides/vm/server-class.html
#
# Startup can be long if entropy source is short of entropy. Adding
# -Djava.security.egd=file:/dev/./urandom is an option to resolve the problem.
# See https://wiki.apache.org/tomcat/HowTo/FasterStartUp#Entropy_Source
#
#sonar.web.javaOpts=-Xmx512m -Xms128m -XX:+HeapDumpOnOutOfMemoryError
# Same as previous property, but allows to not repeat all other settings like -Xmx
#sonar.web.javaAdditionalOpts=
# Binding IP address. For servers with more than one IP address, this property specifies which
# address will be used for listening on the specified ports.
# By default, ports will be used on all IP addresses associated with the server.
#sonar.web.host=0.0.0.0
# Web context. When set, it must start with forward slash (for example /sonarqube).
# The default value is root context (empty value).
#sonar.web.context=
# TCP port for incoming HTTP connections. Default value is 9000.
#sonar.web.port=9000
sonar.web.https.port=8999
Caddyfile
https://....com {
tls self_signed
gzip
proxy / 0.0.0.0:9000
}
http://....com {
tls off
gzip
proxy / 127.0.0.1:9000
}
0.0.0.0 is not a routable address. It is used by servers as a "meta-address" to specify that it should listen on all available addresses as opposed to just one. So a server can listen on 0.0.0.0, but a client cannot make requests to 0.0.0.0. Your Caddyfile should look like this:
https://....com {
tls self_signed
gzip
proxy / 127.0.0.1:9000
}
http://....com {
tls off
gzip
proxy / 127.0.0.1:9000
}
And local cURL requests should look like this: curl 127.0.0.1:9000
I want to make Lighttpd works with websocket (Socket.IO) and it appears the only way to do so is to install an additionnal module: mod_websocket. I followed these steps but I think I don't get the right /path/to/lighttpd_top_srcdir. I used /usr/lib/lighttpd as I saw all the modules in here when I ls-ed it.
Apparently, I need to reinstall Lighttpd, am I right?
So far, I got
copy mod_websocket files into /usr/lib/lighttpd
cp src/mod_websocket*.{h,c} /usr/lib/lighttpd/src
cp: target « /usr/lib/lighttpd/src » is not a directory
I need to do this because the error I get when trying to make websockets work is the following: WebSocket connection to 'ws://<myURL>/socket.io/1/websocket/agXkznae1gmlDTutzJyk' failed: Unrecognized frame opcode: 5 (I use Google Chrome v33.0.1750.154).
Is there another way to make websockets work with Lighttpd or do I need to change webserver?
Many thanks!
I resolved my problem!
I used HAProxy instead of Lighttpd mod_proxy as specified in this question
Here is my conf file (amend <...> per your configuration):
# this config needs haproxy-1.1.28 or haproxy-1.2.1
global
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
maxconn 4096
uid 99
gid 99
daemon
defaults
log global
mode http
option httplog
option dontlognull
retries 3
option http-use-proxy-header
option redispatch
option http-server-close
maxconn 2000
contimeout 5000
clitimeout 50000
srvtimeout 50000
frontend public
bind *:80
acl is_example hdr_end(host) -i <URL.toyourwebsite.com>
acl is_websocket hdr(Upgrade) -i WebSocket
acl is_websocket path_beg -i /websockets
use_backend ws if is_websocket is_example
default_backend www
backend ws
balance roundrobin
option forwardfor # This sets X-Forwarded-For
timeout queue 5000
timeout server 86400000
timeout connect 86400000
server apiserver localhost:<PORT> weight 1 maxconn 1024 check
And I made Lighttpd listened to the 8080 port (otherwise HAProxy wouldn't start).
I have Ubuntu 12.04LTS running. My webserver is Tomcat 7.0.42 and I use HAProxy as proxy server. My application is a servlet application which uses websockets.
Sometime when I request my page I get "502 Bad Gateway" error on some resources not on all, but on some. I think that this has something to do with my HAProxy configuration, which is the following:
global
maxconn 4096 # Total Max Connections. This is dependent on ulimit
nbproc 1
defaults
mode http
option http-server-close
option httpclose
# option redispatch
no option checkcache # test against 502 error
frontend all 0.0.0.0:80
timeout client 86400000
default_backend www_backend
acl is_websocket hdr(Upgrade) -i WebSocket
acl is_websocket hdr_beg(Host) -i ws
use_backend socket_backend if is_websocket
backend www_backend
balance roundrobin
option forwardfor # This sets X-Forwarded-For
timeout server 30000
timeout connect 4000
server apiserver localhost:8080 weight 1 maxconn 1024 check
backend socket_backend
balance roundrobin
option forwardfor # This sets X-Forwarded-For
timeout queue 5000
timeout server 86400000
timeout connect 86400000
server apiserver localhost:8080 weight 1 maxconn 1024 check
What do I have to change to prevent the 502 error?
First, enable haproxy logging. It will simply tell you why it is giving the 502's. My guess is that the backend "localhost:8080" is simply not able to keep up or is not able to get a connection within 4000ms "timeout connect 4000".
You may have exceeded some of the default limits in HAProxy. Try adding the following to global section:
tune.maxrewrite 4096
tune.http.maxhdr 202
Your should replace your defaults with these ones :
# Set balance mode
balance random
# Set http mode
mode http
# Set http keep alive mode (https://cbonte.github.io/haproxy-dconv/2.3/configuration.html#4)
option http-keep-alive
# Set http log format
option httplog
# Dont log empty line
option dontlognull
# Dissociate client from dead server
option redispatch
# Insert X-Forwarded-For header
option forwardfor
Don't use http-server-close, it is likely the cause of your problems.
Keep-alive will have a connection with client and server at both side.
It is working fine with websockets as well.
And if you enable the check on the server you need to as well configure it with something like this :
# Enable http check
option httpchk
# Use server configuration
http-check connect default
# Use HEAD on / with HTTP/1.1 protocol for Host example.com
http-check send meth HEAD uri / ver HTTP/1.1 hdr Host example.com
# Expect status 200 to 399
http-check expect status 200-399