Multiple Config Files Use Leads to Lockout

Posted by [email protected] 
Dear HAProxy Community,



We are seeking your guidance with regard to the following issue we are
facing with our HAProxy use.



------

ISSUE

-------

When we use a single monolithic config file (haproxy.cfg), HAProxy launches
fine and we are able to access our products that use HTTP/TCP (WebSockets)
and RTMP.



When we launch HAProxy using multiple config files in a directory, HAProxy
launches fine. However, our products do not allow administrator to login
(i.e., locks out). We have to reset the password to login. Once the admin
logs out, again it locks out the administrator and the password has to be
reset to login.



How is using multiple HAProxy config files in a directory connected to
logging in to our WebSocket product?



----

DETAILS

----

We are running HAProxy as a daemon service. We are using HAProxy init
script from HAProxy's Github source. /etc/init.d/haproxy has the following
lines:



Option 1: When using SINGLE Config FILE

CFG=haproxy-1.7.5/conf/$BASENAME.cfg



Option 2: When using a config DIRECTORY (conf.modular) with multiple files
in alphanumerical order, namely global, defaults, frontend, backend, dns
resolver and statistics:

CFG=haproxy-1.7.5/conf.modular



Environment:

HAProxy version: 1.7.5

CentOS 7.2

Lua 5.3

Zlib compression

PCRE 8.3x

OpenSSL 1.0.2k





Thank you.



Sincerely,



Hemant K. Sabat



Coscend Communications Solutions

Web site: www.Coscend.com

------------------------------------------------------------------

Real-time, Interactive Video Collaboration, Tele-healthcare, Tele-education,
Telepresence Services, on the fly.

------------------------------------------------------------------

CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail
Messages from Coscend Communications Solutions' posted at:
http://www.Coscend.com/Terms_and_Conditions.html
Pavlos Parissis
Re: Multiple Config Files Use Leads to Lockout
April 07, 2017 10:20PM
On 07/04/2017 06:00 μμ, [email protected] wrote:
> Dear HAProxy Community,
>
>
>
> We are seeking your guidance with regard to the following issue we are facing
> with our HAProxy use.
>
>
>
> ------
>
> ISSUE
>
> -------
>
> When we use a single monolithic config file (haproxy.cfg), HAProxy launches fine
> and we are able to access our products that use HTTP/TCP (WebSockets) and RTMP.
>
>
>
> When we launch HAProxy using multiple config files in a directory, HAProxy
> launches fine. However, our products do not allow administrator to login (i.e.,
> locks out). We have to reset the password to login. Once the admin logs out,
> again it locks out the administrator and the password has to be reset to login.
>
>
>
> How is using multiple HAProxy config files in a directory connected to logging
> in to our WebSocket product?
>
>
>
> ----
>
> DETAILS
>
> ----
>
> We are running HAProxy as a daemon service. We are using HAProxy init script
> from HAProxy’s Github source. /etc/init.d/haproxy has the following lines:
>

May I ask why you are using the SysVinit and not systemd to start haproxy? You
are using CentOS 7.2, which uses systemd, thus my question.

>
>
> Option 1: When using SINGLE Config FILE
>
> CFG=haproxy-1.7.5/conf/$BASENAME.cfg
>
>
>
> Option 2: When using a config DIRECTORY (conf.modular) with multiple files in
> alphanumerical order, namely global, defaults, frontend, backend, dns resolver
> and statistics:
>
> CFG=haproxy-1.7.5/conf.modular
>
>

Without seeing the actual configuration, it would be quite difficult to get a
useful response. Can you share a sanitized version of your configuration?

Cheers,
Pavlos
Hello Pavlos,

Below we have provided both the information you requested. Your guidance would be appreciated.
(1) Sanitized version of HAProxy configuration is below. Please help us identify why using multiple HAProxy config files in a directory forces us to reset our password to our WebSocket product for us to login? Single haproxy.cfg file works perfectly with the same configuration.

(2) >> May I ask why you are using the SysVinit and not systemd to start haproxy? You are using CentOS 7.2, which uses systemd,
Thank you for guiding us to use systemd. Today, we created a haproxy.service executable file in /usr/lib/systemd/system/haproxy.service, but failed to start HAProxy. The haproxy.service file is below. What did we do wrong?


----
HAProxy configuration file (sanitized)
----
global
log 127.0.0.1 local2
log-tag haproxy
pidfile /var/run/haproxy.pid
user haproxy
group haproxy
nbproc 1
maxconn 5000
spread-checks 5
debug
chroot "/usr/local/haproxy-1.7.5/lib"
stats socket "/usr/local/haproxy-1.7.5/lib/haproxy.sock"

maxsslconn 256
tune.ssl.default-dh-param 4096
ca-base /etc/pki/CA/ssl.cert

crt-base /etc/pki/CA/ssl.key
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-server-options no-sslv3 no-tls-tickets

maxcomprate 1
maxcompcpuusage 50
tune.comp.maxlevel 5

defaults
mode http
log global
option httplog
option http-server-close
option redispatch
retries 3
backlog 10000
timeout client 50000ms
timeout connect 5000ms
timeout server 50000ms
timeout http-keep-alive 10s
timeout http-request 15s
timeout queue 30s
timeout check 10s
timeout tarpit 60s
default-server inter 3s rise 2 fall 3
option forwardfor
option abortonclose
maxconn 50000
compression algo gzip
compression offload
compression type text/html "text/html; charset=utf-8" text/html;charset=utf-8 text/plain text/css text/javascript application/x-javascript application/javascript application/ecmascript application/rss+xml application/atomsvc+xml application/atom+xml application/atom+xml;type=entry application/atom+xml;type=feed application/cmisquery+xml application/cmisallowableactions+xml application/cmisatom+xml application/cmistree+xml application/cmisacl+xml application/msword application/vnd.ms-excel application/vnd.ms-powerpoint image/svg+xml
errorfile 400 /usr/local/haproxy-1.7.5/errors/400.http
....

frontend webapps-frontend
bind *:443 name https ssl crt /etc/pki/CA/pem.ecc
log global
option forwardfor
option httplog clf
http-request set-header X-Forwarded-Port %[dst_port]
acl host_coscend_http req.hdr(Host) coscend.com
acl host_coscend_https req.hdr(Host) coscend.com
acl path_subdomain_cc_classic path_beg -i "/CoscendCC"
use_backend subdomain_cc_classic-backend if host_coscend_https path_subdomain_cc_classic
default_backend webapps-backend

backend webapps-backend
log global
balance roundrobin
option http-server-close
http-request set-header X-Forwarded-Port %[dst_port]
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
server Demo <IP>:Port cookie pad-p check

backend subdomain_cc_classic-backend
timeout tunnel 3600s
rspirep ^(Location:)\ http://(.*)$ Location:\ https://\2
server Production <IP>:<Port> cookie cc-p check

-----
Using systemd to start HAProxy with following haproxy.service FAILED
------
[Unit]
Description=HAProxy Load Balancer
After=network.target

[Service]
Environment="CONFIG=/usr/local/haproxy-1.7.5/conf/haproxy.cfg" "PIDFILE=/var/run/haproxy.pid" "LOCKFILE=/var/lock/subsys/haproxy"
ExecStartPre=/usr/local/sbin/haproxy -f $CONFIG -c -q
ExecStart=/usr/local/sbin/haproxy-systemd-wrapper -D -V -f $CONFIG -p $PIDFILE
ExecReload=/usr/local/sbin/haproxy -f $CONFIG -c -q
KillMode=mixed
Restart=always

[Install]
WantedBy=multi-user.target


Thank you.

Sincerely,

Hemant K. Sabat

Coscend Communications Solutions
Web site: www.Coscend.com
------------------------------------------------------------------
Real-time, Interactive Video Collaboration, Tele-healthcare, Tele-education, Telepresence Services, on the fly…
------------------------------------------------------------------
CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail Messages from Coscend Communications Solutions' posted at: http://www.Coscend.com/Terms_and_Conditions.html




Hello Pavlos,

An update: Following your guidance, we have successfully transitioned from using 'system V init' to 'systemd' in order to start/stop/reload HAProxy. Thank you for helping us advance with the times.

We would appreciate your guidance on why using multiple HAProxy config files in a directory forces us to reset our password to our WebSocket product for us to login? HAProxy configuration is in the previously posted message.
Sincerely,
Hemant K. Sabat

Pavlos Parissis
Re: Multiple Config Files Use Leads to Lockout
April 17, 2017 08:40PM
On 08/04/2017 08:26 μμ, [email protected] wrote:
> Hello Pavlos,
>
> An update: Following your guidance, we have successfully transitioned from
> using 'system V init' to 'systemd' in order to start/stop/reload HAProxy. Thank
> you for helping us advance with times.
>
> We would appreciate your guidance on why using multiple HAProxy config files
> in a directory forces us to reset our password to our WebSocket product for us
> to login?

I don't believe the way configuration files are loaded has anything to do with the
behavior you observe. It sounds like the application demands user affinity, as only
a single application server can serve the traffic from a single user.

Have you tried to use 'balance source' to stick requests from a single user to
a particular server?

This
https://blog.haproxy.com/2012/03/29/load-balancing-affinity-persistence-sticky-sessions-what-you-need-to-know/
could be a useful article to read.

Cheers,
Pavlos
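
A quick way to test whether the directory load really yields the same configuration as the single file (an added example, not part of the thread or of HAProxy's own tooling). It assumes the `-f <dir>` rule documented for HAProxy 1.7, namely that only regular, non-hidden files ending in `.cfg` are read, in C-locale lexical order; the file names and contents in `demo()` are constructed.

```python
import difflib
import os
import tempfile

def files_loaded_from_dir(cfg_dir):
    """Names HAProxy is assumed to read for `-f <dir>`: regular, non-hidden *.cfg files."""
    names = [n for n in os.listdir(cfg_dir)
             if n.endswith(".cfg") and not n.startswith(".")
             and os.path.isfile(os.path.join(cfg_dir, n))]
    return sorted(names, key=os.fsencode)  # byte-wise order, i.e. C-locale collation

def skipped_entries(cfg_dir):
    """Directory entries that would be silently left out of the running config."""
    loaded = set(files_loaded_from_dir(cfg_dir))
    return sorted(n for n in os.listdir(cfg_dir) if n not in loaded)

def directives(text):
    """Strip indentation, blank lines and full-line comments; keep directive order."""
    stripped = (line.strip() for line in text.splitlines())
    return [line for line in stripped if line and not line.startswith("#")]

def read(path):
    with open(path, encoding="utf-8") as fh:
        return fh.read()

def compare(single_cfg, cfg_dir):
    """Unified diff of the single file against the directory's effective config."""
    modular = []
    for name in files_loaded_from_dir(cfg_dir):
        modular += directives(read(os.path.join(cfg_dir, name)))
    return list(difflib.unified_diff(directives(read(single_cfg)), modular,
                                     "single", "directory", lineterm="", n=0))

def demo():
    """Constructed sample: the backend fragment was saved without the .cfg suffix."""
    parts = {
        "00-global.cfg": "global\n    maxconn 5000\n",
        "10-defaults.cfg": "defaults\n    mode http\n",
        "20-frontend.cfg": "frontend webapps-frontend\n    default_backend webapps-backend\n",
        "30-backend": "backend webapps-backend\n    balance roundrobin\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        cfg_dir = os.path.join(tmp, "conf.modular")
        os.mkdir(cfg_dir)
        for name, body in parts.items():
            with open(os.path.join(cfg_dir, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        single = os.path.join(tmp, "haproxy.cfg")
        with open(single, "w", encoding="utf-8") as fh:
            fh.write("# monolithic file\n" + "".join(parts.values()))
        return skipped_entries(cfg_dir), compare(single, cfg_dir)

if __name__ == "__main__":
    skipped, diff = demo()
    print("not loaded from directory:", skipped)
    print("\n".join(diff))
```

An empty diff together with an empty skipped list means the two layouts are equivalent at the directive level, which leaves the application's session handling as the place to look.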