Revision as of 11:52, 4 June 2019
HAProxy
- http://www.haproxy.org/
- Desc. : a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications
- License:
- Written in:
- Sources:
References
- HAProxy official documentation
- HAProxy 1.8
Proxy ----------- Gateway
|
+----- Forward Proxy
|
+----- Reverse Proxy ----------- SSL Acceleration Proxy
|
+----- SSL Termination Proxy
|
+----- Load Balancer
- SSL Forward Proxy Overview
- SSL Forward Proxy
- TLS termination proxy
- SSL pass-through proxy
- What HAProxy is and isn't
- It will not see IP packets nor UDP datagrams, will not perform NAT or even less DSR (direct server return, without passing through the LB again)
- Everything curl > Proxies
- HAProxy Configuration
config = global + defaults* + frontend* + backend* + listen*
global = process management and security parameters
+ performance tuning parameters
+ debugging parameters
+ user lists
+ peers
+ mailers
Global Parameters
Process management and security parameters
Parameter | Description | Remarks |
---|---|---|
cpu-map | Specifies CPU sets for process or thread sets | Linux 2.6+ |
log | Adds a global syslog server | |
nbproc <number> | Creates <number> processes when going daemon | default: 1 |
nbthread <number> | Creates <number> threads for each created process | |
ulimit-n | Sets the maximum number of per-process file-descriptors | Recommended not to use this option |
ssl-default-bind-options | Sets default ssl-options to force on all "bind" lines. | |
Performance tuning parameters
Parameter | Description | Remarks |
---|---|---|
tune.ssl.cachesize <number> | Sets the size of the global SSL session cache, in a number of blocks. | default: 20,000 |
tune.ssl.lifetime <timeout> | Sets how long a cached SSL session may remain valid in seconds. | default: 300s (5 min) |
Access control parameters
Parameter | Description | Remarks |
---|---|---|
user <username> [password|insecure-password <password>] [groups <group>,<group>,(...)] | Adds user <username> to the current userlist. | |
Proxy Keywords
Keywords | Description | DF/FE/LI/BE | Remarks |
---|---|---|---|
mode { tcp|http|health } | Set the running mode or protocol of the instance | ||
bind [<address>]:<port_range> [, ...] [param*] | Define one or several listening addresses and/or ports in a frontend | X/O/O/X | |
tcp-request inspect-delay <timeout> | Set the maximum allowed time to wait for data during content inspection | ||
tcp-response content <action> [{if | unless} <condition>] | Perform an action on a session response depending on a layer 4-7 condition | ||
option http_proxy | Enable or disable plain HTTP proxy mode | Forward Proxy | |
option http-keep-alive | Enable or disable HTTP keep-alive from client to server | ||
option httpclose | Enable or disable passive HTTP connection closing | | "Connection: close" header; deprecated |
option forwardfor | Enable insertion of the X-Forwarded-For header to requests sent to servers | | "X-Forwarded-For" header |
option socket-stats | Enable or disable collecting & providing separate statistics for each socket. | ||
capture request header <name> len <length> | Capture and log the last occurrence of the specified request header. | X/O/O/X | Not for Back-end |
source <addr>[:<port>] [usesrc ...] | Set the source address for outgoing connections | ||
server <name> <address>[:[port]] [param*] | Declare a server in a backend | ||
default-server [param*] | Change default options for a server in a backend | O/X/O/O | default-server inter 4s rise 2 fall 3 |
- http-request
- defines a set of rules which apply to layer 7 processing.
Action | Description | Remarks |
---|---|---|
http-request allow | Stops the evaluation of the rules and lets the request pass the check. | |
http-request deny | Stops the evaluation of the rules and immediately rejects the request. | |
http-request auth | Stops the evaluation of the rules and immediately responds with an HTTP 401 or 407 error code to invite the user to present a valid user name and password | |
Timeout
Keywords | Description | Remarks |
---|---|---|
timeout connect <timeout> | Set the maximum time to wait for a connection attempt to a server to succeed | |
timeout server <timeout> | Set the maximum inactivity time on the server side | |
timeout client <timeout> | Set the maximum inactivity time on the client side | |
timeout tunnel <timeout> | Set the maximum inactivity time on the client and server side for tunnels | |
timeout server-fin <timeout> | Set the inactivity timeout on the server side for half-closed connections | |
timeout client-fin <timeout> | Set the inactivity timeout on the client side for half-closed connections | |
timeout http-request <timeout> | Set the maximum allowed time to wait for a complete HTTP request | |
timeout http-keep-alive <timeout> | Set the maximum allowed time to wait for a new HTTP request to appear | |
Logging
Keywords | Description | DF/FE/LI/BE | Remarks |
---|---|---|---|
option httplog | Enable logging of HTTP request, session state and timers | O/O/O/X | Not for Back-end |
option dontlognull | Enable or disable logging of null connections | O/O/O/X | |
option dontlog-normal | Enable or disable logging of normal, successful connections | O/O/O/X | |
option log-health-checks | Enable or disable logging of health checks status updates | O/X/O/O | |
log-format | Specifies the log format string to use for traffic logs | O/O/O/X | |
Health Check
Keywords | Description | Remarks |
---|---|---|
option httpchk <method> <uri> <version> | Enable HTTP protocol to check on the servers health | |
Statistics
Keywords | Description | DF/FE/LI/BE | Remarks |
---|---|---|---|
stats enable | Enable statistics reporting with default settings | O/O/O/O | |
stats admin { if | unless } <cond> | Enable statistics admin level if/unless a condition is matched | X/O/O/O | |
stats auth <user>:<passwd> | Enable statistics with authentication and grant access to an account | O/O/O/O | |
Bind Options
Options | Description | Remarks |
---|---|---|
ca-ignore-err | Sets a comma separated list of errorIDs to ignore during verify at depth > 0 | |
crt-ignore-err | Sets a comma separated list of errorIDs to ignore during verify at depth == 0 | |
no-sslv3 | Disables support for SSLv3 on any sockets instantiated from the listener when SSL is supported | |
ssl-min-ver <version> | Enforces use of <version> or upper on SSL connections instantiated from this listener | TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3 |
alpn | Enables the TLS ALPN extension and advertises the specified protocol list as supported on top of ALPN. | ALPN (on Wikipedia) |
npn | Enables the NPN TLS extension and advertises the specified protocol list as supported on top of NPN. | |
Server Options
Options | Description | Remarks |
---|---|---|
maxconn | specifies the maximal number of concurrent connections that will be sent to this server. | |
check | Enables health checks on the server. | |
inter <delay> | Sets the interval between two consecutive health checks to <delay> milliseconds. | default: 2000ms |
check-ssl | Forces encryption of all health checks over SSL, regardless of whether the server uses SSL or not for the normal traffic. | |
ssl | Enables SSL ciphering on outgoing connections to the server. | |
verify [none|required] | Sets whether the server's certificate is verified against ca-file: none skips verification, required rejects the connection when verification fails. | default: required, unless the global ssl-server-verify says otherwise |
ACL
acl <aclname> <criterion> [flags] [operator] [<value>] ...
acl <aclname> <sample fetch method> [flags] [operator] [<value>] ...
Element | Description | Remarks |
---|---|---|
ACL Name (aclname) | [-_.:A-Za-z0-9]* | |
Flags (flags) | -i, -f, -m, -n, -M, -u, -- | |
ACL Flags
Flag | Description | Remarks |
---|---|---|
-i | ignore case during matching of all subsequent patterns. | |
-m found | only check if the requested sample could be found in the stream, but do not compare it against any pattern. | |
-m bool | check the value as a boolean. | |
-m int | match the value as an integer. | |
-m len | match the sample's length as an integer. | |
-m str | exact match | |
-m sub | substring match | |
-m reg | regex match | |
-m beg | prefix match | |
-m end | suffix match | |
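To make the matching methods in the flags table concrete, here is an added Python emulation (not HAProxy's own code and not from this page) of how a fetched sample is compared against patterns under each -m method and the -i flag. It then reuses the four WebSocket ACLs from the `frontend ws` sample further down this page to show how `hdr()` splitting on commas and `hdr_cnt()` counting occurrences combine under `http-request deny unless a b c d`. The header samples and the names `acl_match`, `hdr_values` and `websocket_handshake_ok` are constructed for this example.

```python
import re
from typing import Dict, List, Optional, Sequence

# Integer operators accepted in HAProxy integer patterns ("eq 1", "ge 100", ...).
_INT_OPS = {
    "eq": lambda v, n: v == n, "ne": lambda v, n: v != n,
    "lt": lambda v, n: v < n,  "gt": lambda v, n: v > n,
    "le": lambda v, n: v <= n, "ge": lambda v, n: v >= n,
}


def _int_pattern_matches(value: int, pattern: str) -> bool:
    """One integer pattern: 'op N', a 'min:max' range (either bound may be
    empty), or a bare number meaning equality."""
    parts = pattern.split()
    if len(parts) == 2 and parts[0] in _INT_OPS:
        return _INT_OPS[parts[0]](value, int(parts[1]))
    if ":" in pattern:
        lo, hi = pattern.split(":", 1)
        return (not lo or int(lo) <= value) and (not hi or value <= int(hi))
    return value == int(pattern)


def hdr_values(raw: Optional[str]) -> List[str]:
    """hdr() exposes a list header value by value: each comma-separated
    element is a separate sample that the ACL is tested against in turn."""
    if raw is None:
        return []
    return [v.strip() for v in raw.split(",")]


def acl_match(sample: Optional[str], patterns: Sequence[str],
              method: str = "str", ignore_case: bool = False) -> bool:
    """Emulate one ACL evaluation. `sample` is what the fetch returned (None
    when nothing was found), `method` is the -m value, `ignore_case` is -i."""
    if method == "found":              # only asks whether the sample exists
        return sample is not None
    if sample is None:
        return False
    if method == "bool":               # zero/false does not match, anything else does
        return sample.strip().lower() not in ("", "0", "false")
    if method in ("int", "len"):
        value = len(sample) if method == "len" else int(sample)
        return any(_int_pattern_matches(value, p) for p in patterns)
    if method == "reg":
        flags = re.IGNORECASE if ignore_case else 0
        return any(re.search(p, sample, flags) for p in patterns)
    s = sample.lower() if ignore_case else sample
    for p in patterns:
        q = p.lower() if ignore_case else p
        if ((method == "str" and s == q) or (method == "sub" and q in s)
                or (method == "beg" and s.startswith(q))
                or (method == "end" and s.endswith(q))):
            return True
    return False


def websocket_handshake_ok(headers: Dict[str, List[str]]) -> bool:
    """The four ACLs of this page's `frontend ws` sample ANDed together, as
    `http-request deny unless ...` does. `headers` maps a lowercase header
    name to its raw values, one entry per occurrence of the header."""
    def vals(name: str) -> List[str]:
        return [v for raw in headers.get(name, []) for v in hdr_values(raw)]

    def cnt(name: str) -> str:          # hdr_cnt() -> number of occurrences
        return str(len(headers.get(name, [])))

    return (any(acl_match(v, ["upgrade"], ignore_case=True) for v in vals("connection"))
            and any(acl_match(v, ["websocket"], ignore_case=True) for v in vals("upgrade"))
            and acl_match(cnt("sec-websocket-key"), ["eq 1"], "int")
            and acl_match(cnt("sec-websocket-version"), ["eq 1"], "int"))


# Constructed request headers for the three cases worth distinguishing.
GOOD_WS_HEADERS = {"connection": ["keep-alive, Upgrade"], "upgrade": ["websocket"],
                   "sec-websocket-key": ["dGhlIHNhbXBsZSBub25jZQ=="],
                   "sec-websocket-version": ["13"]}
DUPLICATE_KEY_HEADERS = dict(GOOD_WS_HEADERS, **{"sec-websocket-key": ["a", "b"]})
PLAIN_HTTP_HEADERS = {"connection": ["keep-alive"]}
```

The -i flag lowercases both sides before a string comparison, which is why `hdr(Connection) -i upgrade` still matches a browser that sends `keep-alive, Upgrade`; the count ACLs reject a request carrying the key or version header twice, which a plain presence check would wave through.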
Sample Fetch Methods
- Fetching samples at Layer 4 : TCP/IP
Method | Type | Description | Remarks |
---|---|---|---|
src | ip | This is the source IPv4 address of the client of the session | |
req.payload_lv | binary | Extracts a binary block whose size is specified at <offset1> for <length> bytes | |
res.payload_lv | binary | Extracts a binary block whose size is specified at <offset1> for <length> bytes, and which starts at <offset2> if specified or just after the length in the response buffer. | |
req.ssl_hello_type | integer | Returns an integer value containing the type of the SSL hello message found in the request buffer if the buffer contains data that parses as a complete SSL (v3 or superior) client hello message. | |
res.ssl_hello_type | integer | Returns an integer value containing the type of the SSL hello message found in the response buffer if the buffer contains data that parses as a complete SSL (v3 or superior) hello message | |
- Fetching samples at Layer 7 : HTTP
Method | Type | Description | Remarks |
---|---|---|---|
req.hdr([<name>[,<occ>]]) | string | Extracts the last occurrence of header <name> in an HTTP request | When used from an ACL, all occurrences are iterated over until a match is found |
res.hdr([<name>[,<occ>]]) | string | Extracts the last occurrence of header <name> in an HTTP response. | |
hdr([<name>[,<occ>]]) | string | Equivalent to req.hdr() when used on requests, and to res.hdr() when used on responses | |
http_auth(<userlist>) | boolean | Returns a boolean indicating whether the authentication data received from the client match a username & password stored in the specified userlist. | |
http_auth_group(<userlist>) | string | Returns a string corresponding to the user name found in the authentication data received from the client if both the user name and password are valid according to the specified userlist. | ACL derivatives |
Logging
Log Fields
Field | Name | Type | Description | Remarks |
---|---|---|---|---|
%ci | client_ip | IP | ||
%ft | frontend_name_transport | string | '~' suffix for SSL | |
%b | backend_name | string | ||
%si | server_IP | IP | target address | |
%Tq | Th + Ti + TR | numeric | total time to get the client request from the accept date or since the emission of the last byte of the previous response | HTTP mode only |
%Tw | Tw | numeric | total time spent in the queues waiting for a connection slot. | |
%Tc | Tc | numeric | total time to establish the TCP connection to the server. | |
%Tr | response time | numeric | server response time | HTTP mode only |
%Tt | Tt | numeric | total session duration time | |
%ST | status_code | numeric | ||
%B | bytes_read | numeric | from server to client | |
%ts | termination_state | string | ||
%sq | srv_queue | numeric | ||
%bq | backend_queue | numeric | ||
%hr | captured_request_headers | string | default style | |
%r | http_request | string | | HTTP mode only |
Timings Events
first request 2nd request
|<-------------------------------->|<-------------- ...
t tr t tr ...
---|----|----|----|----|----|----|----|----|--
: Th Ti TR Tw Tc Tr Td : Ti ...
:<---- Tq ---->: :
:<-------------- Tt -------------->:
:<--------- Ta --------->:
Event | Name | Description | Remarks |
---|---|---|---|
Th | handshakes | total time to accept tcp connection and execute handshakes for low level protocols. | |
Ti | idle | the idle time before the HTTP request. | |
TR | Request | total time to get the client request. | |
Tq | | total time to get the client request from the accept date or since the emission of the last byte of the previous response. | Th + Ti + TR |
Tw | waiting | total time spent in the queues waiting for a connection slot. | |
Tc | connection | total time to establish the TCP connection to the server. | |
Tr | response | server response time | |
Td | data | the data transmission time | Tt - (Th + Ti + TR + Tw + Tc + Tr) |
Ta | active | total active time for the HTTP request | |
Tt | total | total session duration time | |
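The log fields and timing events above only become useful once something reads them back, so here is an added Python parser (not part of this page's samples or of HAProxy) for lines produced by the `log-format` used in the reverse-proxy sample further down, `%ci [%t] %ft %b %Tq/%Tw/%Tc/%Tr/%Tt %ST %B %ts %sq/%bq %{+Q}r`. It derives Td from the page's formula, using Tq = Th + Ti + TR since that format carries Tq rather than the three parts, and flags the conditions an operator wants surfaced: -1 timers (a phase that never completed), queueing, 5xx status and the `~` suffix marking a TLS frontend. The log lines are constructed, and `parse_http_log`, `HttpLogRecord` and `findings` are names chosen for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One regex for this page's sample log-format:
#   %ci\ [%t]\ %ft\ %b\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %ts\ %sq/%bq\ %{+Q}r
LOG_RE = re.compile(
    r"^(?P<ci>\S+) \[(?P<t>[^\]]+)\] (?P<ft>\S+) (?P<b>\S+) "
    r"(?P<Tq>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Tt>-?\d+) "
    r"(?P<ST>-?\d+) (?P<B>\d+) (?P<ts>\S+) (?P<sq>\d+)/(?P<bq>\d+) \"(?P<r>.*)\"$"
)


@dataclass
class HttpLogRecord:
    client_ip: str
    accept_date: str
    frontend: str
    backend: str
    Tq: int
    Tw: int
    Tc: int
    Tr: int
    Tt: int
    status: int
    bytes_read: int
    termination_state: str
    srv_queue: int
    backend_queue: int
    request: str

    @property
    def over_tls(self) -> bool:
        # %ft carries a '~' suffix when the session was accepted over SSL/TLS
        return self.frontend.endswith("~")

    def data_time(self) -> Optional[int]:
        """Td = Tt - (Th + Ti + TR + Tw + Tc + Tr). With Tq = Th + Ti + TR this
        is Td = Tt - (Tq + Tw + Tc + Tr). A -1 timer means that phase never
        completed (timeout or abort), so Td is undefined."""
        if min(self.Tq, self.Tw, self.Tc, self.Tr) < 0:
            return None
        return self.Tt - (self.Tq + self.Tw + self.Tc + self.Tr)


def parse_http_log(line: str) -> Optional[HttpLogRecord]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return HttpLogRecord(
        g["ci"], g["t"], g["ft"], g["b"],
        int(g["Tq"]), int(g["Tw"]), int(g["Tc"]), int(g["Tr"]), int(g["Tt"]),
        int(g["ST"]), int(g["B"]), g["ts"], int(g["sq"]), int(g["bq"]), g["r"],
    )


def findings(rec: HttpLogRecord) -> List[str]:
    """Conditions worth alerting on, derived from the timers and counters."""
    out: List[str] = []
    if rec.Tq < 0:
        out.append("client-request-timeout")   # request never fully received
    elif rec.Tc < 0:
        out.append("server-connect-failed")    # no TCP connection to a server
    elif rec.Tr < 0:
        out.append("server-response-timeout")  # connected, but no reply in time
    if rec.Tw > 0 or rec.srv_queue > 0 or rec.backend_queue > 0:
        out.append("queued")                   # waited for a connection slot
    if 500 <= rec.status < 600:
        out.append("status-5xx")
    return out


def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """(client_ip, findings) for every line that parses; others are skipped."""
    recs = [parse_http_log(l) for l in lines]
    return [(r.client_ip, findings(r)) for r in recs if r is not None]


# Constructed sample lines in the page's log-format (not real traffic).
SAMPLE_LINES = [
    '192.168.1.31 [04/Jun/2019:11:52:03.123] http http-rear 12/0/1/45/58 200 1532 ---- 0/0 "GET /index.html HTTP/1.1"',
    # TLS frontend (note the ~); the server never answered within timeout server 10s
    '192.168.1.31 [04/Jun/2019:11:52:04.200] https~ http-rear 20/0/1/-1/10021 504 194 sH-- 0/0 "POST /api/login HTTP/1.1"',
    # waited 250 ms in the backend queue before a server slot was free
    '10.0.0.7 [04/Jun/2019:11:52:05.010] http http-rear 3/250/2/30/400 200 820 ---- 1/2 "GET /report HTTP/1.1"',
    # the client never completed its request (timeout http-request 5s)
    '10.0.0.9 [04/Jun/2019:11:52:06.500] http http -1/-1/-1/-1/5001 408 212 cR-- 0/0 "<BADREQ>"',
]
```

The termination state (`sH--`, `cR--`) tells the same story as the -1 timers from the other direction: the first letter is the side that caused the session to end, the second the state it was in. Keeping both in the record lets a detection rule cross-check them.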
Monitoring
Metric | Types | Description | Remarks |
---|---|---|---|
pxname | LFBS | proxy name | |
svname | LFBS | service name | FRONTEND, BACKEND, ... |
qcur | ..BS | current queued requests | |
qmax | ..BS | max value of qcur | |
scur | LFBS | current sessions | |
smax | LFBS | max sessions | |
slim | LFBS | configured session limit | |
stot | LFBS | cumulative number of sessions | |
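These metrics are what the stats socket's `show stat` command (and the stats page's CSV export) emit, one row per frontend, backend and server. As an added example, not from this page or from HAProxy, the Python below parses that CSV by header name and turns the columns listed above into two alerts: entries with requests queued (qcur) and entries whose current sessions (scur) approach the configured limit (slim). The sample output is constructed and truncated to the columns in the table; real `show stat` output carries many more columns, which the header-driven parsing ignores. `parse_show_stat` and `session_pressure` are names chosen for the example.

```python
import csv
import io
from typing import Dict, List, Tuple

# Constructed `show stat` CSV, truncated to the columns covered in the table.
# The real header starts with '# ' and every line ends with a trailing comma.
SAMPLE_SHOW_STAT = """\
# pxname,svname,qcur,qmax,scur,smax,slim,stot,
http,FRONTEND,,,12,40,2048,9123,
http-rear,s1,0,3,12,40,100,9120,
http-rear,BACKEND,0,3,12,40,205,9120,
ws-rear,s1,7,9,100,100,100,3310,
ws-rear,BACKEND,7,9,100,100,205,3310,
"""

_INT_COLS = ("qcur", "qmax", "scur", "smax", "slim", "stot")


def parse_show_stat(text: str) -> List[Dict[str, object]]:
    """Rows of `show stat` as dicts. Columns that do not apply to an entry
    type (qcur on a frontend: it is ..BS) are empty in the CSV -> None."""
    text = text.lstrip()
    if text.startswith("# "):          # strip the comment marker off the header
        text = text[2:]
    rows: List[Dict[str, object]] = []
    for row in csv.DictReader(io.StringIO(text)):
        rec: Dict[str, object] = {"pxname": row["pxname"], "svname": row["svname"]}
        for col in _INT_COLS:
            v = row.get(col)
            rec[col] = int(v) if v not in (None, "") else None
        rows.append(rec)
    return rows


def session_pressure(rows: List[Dict[str, object]],
                     warn_ratio: float = 0.8) -> List[Tuple[str, str, str]]:
    """(pxname, svname, reason) for entries that are queueing requests or
    whose current sessions reach warn_ratio of the configured limit."""
    alerts: List[Tuple[str, str, str]] = []
    for r in rows:
        qcur, scur, slim = r["qcur"], r["scur"], r["slim"]
        if qcur:                         # None on frontends, 0 when nothing waits
            alerts.append((r["pxname"], r["svname"], "queueing %d" % qcur))
        if slim and scur is not None and scur >= warn_ratio * slim:
            alerts.append((r["pxname"], r["svname"], "sessions %d/%d" % (scur, slim)))
    return alerts


def qmax_ever_hit(rows: List[Dict[str, object]]) -> List[str]:
    """Entries that have queued at some point since start (qmax > 0), which
    points at a server maxconn that is too low for the observed load."""
    return ["%s/%s" % (r["pxname"], r["svname"]) for r in rows if r["qmax"]]
```

In the sample, `ws-rear/s1` sits at its `maxconn` of 100 with seven requests waiting, so the backend row reports the same queue while its own session count is far below the backend limit: the bottleneck is the single server, not the backend.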
Readings
- What’s New in HAProxy 1.8 (Nov 1, 2017)
- Install and Configure HAProxy Load Balancer on Ubuntu 16.04 (Feb 06, 2017)
- How to install HAProxy 1.8 on Ubuntu 16 (DECEMBER 30, 2017)
ppa:vbernat/haproxy-1.8
- An Introduction to HAProxy and Load Balancing Concepts (May 13, 2014)
- Running HAProxy
haproxy -f /etc/haproxy.cfg
- Rewriting HTTP Requests, Methods, or Headers
- Getting the most out of HAProxy (2013/10/16)
- Use HAProxy to load balance 300k concurrent tcp socket connections: Port Exhaustion, Keep-alive and others
- HAProxy error: Some configuration options require full privileges, so global.uid cannot be changed (Aug 19 '14)
ACL
- Introduction to HAProxy ACLs (Sep 13, 2018)
- Writing Conditions
Proxying
SSL
- SSL offloading impact on web applications (Feb 26, 2013)
- SSL offloading == SSL acceleration
- How To Implement SSL Termination With HAProxy on Ubuntu 14.04 (July 10, 2014)
- SSL Client certificate management at application level (Oct 3, 2012)
- Handling SSL/TLS
- Client Certificate Authentication with HAProxy (August 15, 2017)
- SSL Client certificate information in HTTP headers and logs (Jun 13, 2013)
- Pass-through SSL with HAProxy (Feb 8, 2015)
- HPKP: HTTP Public Key Pinning with HAProxy (2015-01-27)
- HAProxy and HTTP Strict Transport Security (HSTS) header in HTTP redirects (Jun 9, 2015)
- HAProxy SNI (NOV 30TH, 2016)
- HAProxy - Speeding up SSL (Apr 27, 2017)
- TLS termination: stunnel, nginx & stud (August 23, 2011)
- Scaling out SSL (Nov 7, 2011)
WebSockets
- Websockets load-balancing with HAProxy (Nov 7, 2012)
HTTP/2
- Configuring HAProxy with HTTP2 support (Jan 8, 2018)
- No HTTP/2 is supported for now on the backend
- HTTP/2 support is still considered EXPERIMENTAL
Load Balancing
- AWS : LOAD BALANCING WITH HAPROXY (HIGH AVAILABILITY PROXY)
- Load Balancing with HAProxy (JULY 15, 2014)
- Using HAPROXY as an SSL gateway (January 28th, 2014)
- Enhanced SSL load-balancing with Server Name Indication (SNI) TLS extension (Apr 13, 2012)
Logging and Statistics
- HAProxy Logging in Ubuntu Lucid (2010/08/11)
- HAProxy Load Balancer setup including logging on Debian (June 7, 2013)
- Logging haproxy check results / problems (Aug 9 '10)
- option log-health-checks
- Introduction to HAProxy Logging (Feb 8, 2019)
- How to collect HAProxy metrics (March 9, 2018)
- How to restart rsyslog daemon on ubuntu (Sep 1 '10)
Health Check
- haproxy heartbeat with backend based on http post (Aug 3 '15)
- option httpchk POST ${ENDPOINT} HTTP/1.0\r\nContent-Type:\ application/json\r\nContent-Length:\ 16\r\n\r\n{\"body\":\"json\"}
Throttling
- Use a Load Balancer as a First Row of Defense Against DDOS (Feb 27, 2012)
Samples
Typical Sample for Reverse Proxy
    # References
    # http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#3
    # http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4
    # https://kvz.io/blog/2010/08/11/haproxy-logging/
    global
        daemon
        log /var/lib/haproxy/dev/log local0 info
        log /var/lib/haproxy/dev/log local1 notice
        ca-base /etc/haproxy/ssl/trusted
        crt-base /etc/haproxy/ssl
        maxconn 2048
        tune.ssl.default-dh-param 2048
        # https://disablessl3.com/
        ssl-default-bind-options no-sslv3

    defaults
        mode http
        log global
        option forwardfor
        timeout connect 5s
        timeout client 10s
        timeout server 10s
        timeout tunnel 600s
        timeout server-fin 10s
        timeout client-fin 10s
        timeout http-request 5s
        timeout http-keep-alive 2s
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

    listen stats
        bind 192.168.1.11:8070
        stats enable
        stats hide-version
        stats realm HAProxy\ Statistics
        stats uri /stats
        # no 'stats auth' here: anyone who can reach 8070 can read the stats page

    frontend http
        bind 192.168.1.11:8080
        option httplog
        option dontlognull
        log-format %ci\ [%t]\ %ft\ %b\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %ts\ %sq/%bq\ %{+Q}r
        http-request set-header X-Haproxy-Current-Date %T
        http-request set-header X-Forwarded-Proto http
        default_backend http-rear

    frontend https
        bind 192.168.1.11:8443 ssl crt server-tls.pem ca-file ca.crt
        # For mutual auth. Ignoring all verify errors lets the handshake complete with
        # any client certificate, so the ssl_c_verify deny rule below becomes the only
        # place the certificate is actually enforced.
        # bind 192.168.1.11:8443 ssl crt server-tls.pem ca-file ca.crt verify optional crt-ignore-err all ca-ignore-err all
        option httplog
        option dontlognull
        log-format %ci\ %ft\ %b\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %ts\ %sq/%bq\ %{+Q}r
        #http-request deny deny_status 400 unless { ssl_fc }
        #http-request deny deny_status 400 unless { ssl_c_used }
        #http-request deny deny_status 400 unless { ssl_c_verify 0 }
        # setup request header for logging or backend usage
        # https://www.haproxy.com/blog/ssl-client-certificate-information-in-http-headers-and-logs/
        # https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-http-request
        http-request set-header X-Haproxy-Current-Date %T
        http-request set-header X-SSL %[ssl_fc]
        http-request set-header X-SSL-Session_ID %[ssl_fc_session_id,hex]
        http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
        http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
        http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
        http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]
        http-request set-header X-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
        http-request set-header X-SSL-Client-NotAfter %{+Q}[ssl_c_notafter]
        http-request set-header X-Forwarded-Proto https
        default_backend http-rear

    frontend ws
        bind 192.168.1.11:8090
        # only a well-formed WebSocket handshake is let through to ws-rear
        acl is_connection_upgrade hdr(Connection) -i upgrade
        acl is_upgrade_websocket hdr(Upgrade) -i websocket
        acl has_websocket_key hdr_cnt(Sec-WebSocket-Key) eq 1
        acl has_websocket_ver hdr_cnt(Sec-WebSocket-Version) eq 1
        http-request deny unless is_connection_upgrade is_upgrade_websocket has_websocket_key has_websocket_ver
        default_backend ws-rear

    frontend wss
        bind 192.168.1.11:8453 ssl crt server-tls.pem ca-file ca.crt
        # bind 192.168.1.11:8453 ssl crt server-tls.pem ca-file ca.crt verify optional crt-ignore-err all ca-ignore-err all # For mutual auth
        #http-request deny deny_status 400 unless { ssl_fc }
        #http-request deny deny_status 400 unless { ssl_c_used }
        #http-request deny deny_status 400 unless { ssl_c_verify 0 }
        acl is_connection_upgrade hdr(Connection) -i upgrade
        acl is_upgrade_websocket hdr(Upgrade) -i websocket
        acl has_websocket_key hdr_cnt(Sec-WebSocket-Key) eq 1
        acl has_websocket_ver hdr_cnt(Sec-WebSocket-Version) eq 1
        http-request deny unless is_connection_upgrade is_upgrade_websocket has_websocket_key has_websocket_ver
        default_backend ws-rear

    backend http-rear
        server s1 127.0.0.1:80 check

    backend ws-rear
        server s1 127.0.0.1:90 check
Typical Sample for Forward Proxy
    # Sample HAProxy configuration for dedicated forward proxy
    # References
    # https://stackoverflow.com/questions/49433417/setup-https-forward-proxy-with-haproxy
    # https://serverfault.com/questions/477642/using-haproxy-for-transparent-forwarding-and-selective-redirection
    global
        daemon
        log /var/lib/haproxy/dev/log local0 info
        log /var/lib/haproxy/dev/log local1 notice
        ca-base /etc/haproxy/ssl/trusted
        crt-base /etc/haproxy/ssl
        maxconn 2048
        tune.ssl.default-dh-param 2048
        ssl-default-bind-options no-sslv3

    userlist users
        group regular-users
        user tom password ... groups regular-users

    defaults
        mode http
        log global
        timeout connect 5s
        timeout client 10s
        timeout server 10s
        timeout tunnel 600s
        timeout server-fin 10s
        timeout client-fin 10s
        timeout http-request 5s
        timeout http-keep-alive 2s
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

    listen stats
        bind 192.168.1.11:8070
        stats enable
        stats hide-version
        stats realm HAProxy\ Statistics
        stats uri /stats
        stats auth proxyadmin:p8dp8d

    resolvers dns
        nameserver dns1 8.8.8.8
        nameserver dns2 8.8.4.4
        hold valid 10s

    frontend http
        bind 192.168.1.11:8080
        option http-use-proxy-header
        option httplog
        option dontlognull
        log-format %ci\ [%t]\ %ft\ %b\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %ts\ %sq/%bq\ %{+Q}r
        # http_auth_group(<userlist>) <group>: matches when the credentials sent by
        # the client are valid for a user who belongs to <group>
        acl is-allowed-users http_auth_group(users) regular-users
        http-request auth unless is-allowed-users # 407 for unauthorized access
        default_backend outside

    backend outside
        option httpclose
        option http_proxy
Wireshark
- http://www.wireshark.org/
- Desc. : lets you capture and interactively browse the traffic running on a computer network.
References
Operator | Symbol | Description | Remarks |
---|---|---|---|
eq | == | Equal | |
ne | != | Not Equal | |
gt | > | Greater Than | |
lt | < | Less Than | |
ge | >= | Greater than or Equal to | |
le | <= | Less than or Equal to | |
contains | | Does the protocol, field or slice contain a value | |
matches | ~ | Does the protocol or text string match the given case-insensitive Perl-compatible regex | |
[i:j] | | Slices with i = start_offset, j = length | |
[i-j] | | Slices with i = start_offset, j = end_offset, inclusive | |
[i] | | Slices with i = start_offset, length = 1 | |
[:j] | | Slices with start_offset = 0, length = j | |
[i:] | | Slices with start_offset = i, end_offset = end_of_field | |
and | && | Logical AND | |
or | \|\| | Logical OR | |
not | ! | Logical NOT | |
Protocol | Typical Fields | Description | Remarks |
---|---|---|---|
tcp | port | Transmission Control Protocol | |
ip | addr, dst, src | Internet Protocol Version 4 | |
http | | Hypertext Transfer Protocol | |
ssl | | Secure Sockets Layer | |
websocket | | WebSocket | |
Readings
- How To Set Up a Capture
- Loopback capture setup
- Wireshark basics 101: A simple concise tutorial for beginners (August 17, 2013)
- How to Use Wireshark to Capture, Filter and Inspect Packets
- Wireshark: A Guide to Color My Packets (1st July 2014)
- Getting Started with Wireshark (11, 07, 2014)
- Let me tell you about Wireshark 2.0 (November 6, 2015)
- Wireshark Wiki / SSL
- Why wireshark cannot display TLS/SSL (23 Jun '14)
Edit -> Preferences -> Protocols -> HTTP -> SSL/TLS Ports
- Wireshark Wiki / WebSocket: websocket filter
Tips and Tricks
Typical display filters
ip.src == 192.168.1.31 and ip.addr == 203.252.150.28 and http
tcpdump
- http://www.tcpdump.org/
- Desc. : a powerful command-line packet analyzer
- License :
- Sources :
tcpdump [ -AbdDefhHIJKlLnNOpqStuUvxX# ] [ -B buffer_size ]
[ -c count ] [ -C file_size ]
[ -E spi@ipaddr algo:secret,... ]
[ -F file ] [ -G rotate_seconds ] [ -i interface ]
[ --immediate-mode ] [ -j tstamp_type ] [ -m module ]
[ -M secret ] [ --number ] [ --print ] [ -Q in|out|inout ]
[ -r file ] [ -s snaplen ] [ -T type ] [ --version ]
[ -V file ] [ -w file ] [ -W filecount ] [ -y datalinktype ]
[ -z postrotate-command ] [ -Z user ]
[ --time-stamp-precision=tstamp_precision ]
[ expression ]
Options
Option | Description | Remarks |
---|---|---|
-n | Don't convert addresses | |
-i interface | Listen on interface | |
-A | Print each packet (minus its link level header) in ASCII | Handy for capturing web pages |
-s n | Snarf n bytes of data from each packet rather than the default of 262144 bytes | Setting n to 0 sets it to the default of 262144 |
-x | When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex | |
- 12 Tcpdump Commands – A Network Sniffer Tool (September 13, 2012)
- Capture Packets with Tcpdump (2013-04-25)
- Using tcpdump to see HTTP requests and responses (17 April, 2010)
tcpdump -n -i eth0 -A tcp port 80
- How to filter tcpdump output based on packet length (Mar 26 '12)
tcpdump -n -i eth0 -A -x tcp port 443 and greater 100
Filter Expression
pcap-filter
man page: explains filter expressions
Primitive | Description | Remarks |
---|---|---|
host host | True if either the IPv4/v6 source or destination of the packet is host | |
dst host host | True if the IPv4/v6 destination field of the packet is host | |
src host host | True if the IPv4/v6 source field of the packet is host | |
port port | True if either the source or destination port of the packet is port. | |
dst port port | True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a destination port value of port. | |
src port port | True if the packet has a source port value of port. | |
ip proto protocol | True if the packet is an IPv4 packet of protocol type protocol. | |
tcp | = ip proto tcp |