HAProxy 1.8.0 (opens in new tab)

(mail-archive.com)

147 pointsrjgray8y ago23 comments

23 comments

I really am amazed at the stability and quality of the HAProxy project and that since it's inception many , many years ago.

We use it on many of our projects and it has always been a very reliable piece of software, even at high traffic.

Kudos Willy and team, congratulations on the release!

-b

navinsylvester8y ago

Totally agree. Want to show the appreciation in beers. I wish there are options other than paypal.

fermuch8y ago

> haproxy can now be built with native systemd support using USE_SYSTEMD=1 and starting it with -Ws (systemd-aware master-worker mode).

What features/integrations make sense for a proxy with systemd? I'd assume it's only a unit that comes with the package, but that "-Ws" makes me wonder if there're deeper integrations.

TimWolla8y ago

I was the person creating the patch. For now all it does is compiling in support for `Type=notify` (using sd_notify [1]) in the unit file: haproxy is able to notify systemd when it completed the `start` or the `reload`.

In the future this could be extended to support systemd's socket passing and status messages. The latter allowing you to show a short string in `systemctl status haproxy`. See this example for php-fpm:

    [root@example~]systemctl status php7.0-fpm.service 
    ● php7.0-fpm.service - The PHP 7.0 FastCGI Process Manager
       Loaded: loaded (/lib/systemd/system/php7.0-fpm.service; enabled)
       Active: active (running) since Sat 2017-11-25 13:28:22 CET; 1 day 8h ago
         Docs: man:php-fpm7.0(8)
     Main PID: 4624 (php-fpm7.0)
       Status: "Processes active: 3, idle: 29, Requests: 1203613, slow: 545, Traffic: 10.1req/sec"
    *snip*

See the mailing list thread for the full discussion of the feature: https://www.mail-archive.com/haproxy@formilux.org/msg27874.h...

[1] https://www.freedesktop.org/software/systemd/man/sd_notify.h...

KamiNuvini8y ago

I actually had/have an issue with the systemd-wrapper haproxy uses in 1.7 where systemd gets confused when doing a reload + a restart before all sessions are closed. This caused haproxy to completely stop accepting connections until the systemd timeout kicked in and sent a kill -9

I reported it and was told it might not affect 1.8 since the systemd-wrapper is removed there, so gonna give this a try soon. See this thread: https://www.mail-archive.com/haproxy@formilux.org/msg27404.h...

(And I switched to only doing a reload notify in Ansible together with the hard-stop-after option in haproxy which is OK for me as well in 1.7)

ThinkingGuy8y ago

If anyone is wondering, as I was, what haproxy is, it's a "reliable, high performance TCP/HTTP load balancer."

http://www.haproxy.org/

JeanMarcS8y ago

Great ! I'm using it since 1.4 on projects that are reliable because of it. It's a great software.

Now I know what my week R&D time will be : HTTP2 in HAProxy !

zaarn8y ago

I do hope that HAProxy might support ACME at some point, I'm currently stuck on Traefik which has been breaking some traffic but I rely heavily on dynamically issued LE certs.

Otherwise, outside of SSL, HAProxy has been very pleasant in my experience.

ajcornett8y ago

We are using https://github.com/janeczku/haproxy-acme-validation-plugin to provide ACME support directly in HAProxy without an extra backend. Example:

    frontend example.com
        bind 192.168.1.100:80
    
        # Redirect ACME domain validations
        acl url_acme_http01 path_beg /.well-known/acme-challenge/
        http-request use-service lua.acme-http01 if METH_GET url_acme_http01
    
        # Redirect all plain HTTP traffic to HTTPS
        redirect scheme https code 301 if !{ ssl_fc }

mschuster918y ago

Where's your problem? Spin up a certbot docker container and use this here in haproxy:

    frontend http_in
      bind *:80
      bind *:443 ssl crt /path/to/letsencrypt/data/mydomain.pem
      acl path_letsencrypt path_beg /.well-known/acme-challenge
      use_backend letsencrypt if path_letsencrypt
    backend letsencrypt
      mode http
      server server-letsencrypt MYLOCALIP:8080

For the letsencrypt docker image, I use mesosphere/letsencrypt-dcos with a patched run.sh that triggers a docker kill -s HUP on the haproxy container.

zaarn8y ago

My problem is usually that I rely heavily on traefik being able to very easily issue certificates simply by having a backend with a hostname present.

If I, for example, configure my PHP VM to be reachable over "test.example.org" in Traefik, then Traefik will automatically try to issue a certificate for this domain once it detects the config change.

On HAProxy this is not as easy as I need to tell both LE and HAP about the new backend.

If it was integrated, I would only have to tell HAP.

1 more reply

tuyguntn8y ago

Can you share your experience with Traefik? We also wanted to integrate it into our stack. What problems do you have? How it scales?

zaarn8y ago

My major problem with Traefik is that if you aren't using the defined stacks and opt for file configuration it can be a bit exhausting to configure, TOML is a rather repetitive format.

It also lacks support for HTTP streaming for non-standard HTTP (I wish there was an option to just enable streaming on a host) which sucks for some enterprise software, and streaming for entire hosts so my nextcloud instance always has to wait for the traefik host to buffer the response before being able to download the file to the browser.

However, in terms of scaling and being able to get a SSL-terminating or SSL-handover reverse proxy going it's a breeze and it handles decent load very well.

foobarbazetc8y ago

Amazing work. Thanks haproxy team!

ssijak8y ago

Do people really announce new releases just over email and things like mail-archive or? Those mail archives always looked strange to me for some unknown reason.

geraldcombs8y ago

For going on 20 years, yes. I even add hashes for each package (i.e. the tarball & platform installers) to the end of the message and sign it. I find it odd and inconvenient when projects don't announce releases via email.

stmw8y ago

Agree

fermuch8y ago

If there is a mailing list for the software, why not send releases information over there? It makes a lot of sense to me. I'm also subscribed to several, and some software also announce patches or security related stuff on mail lists. I see mail as a low barrier of entry (every developer has an email address).

What else would you use to notify interested people and be able to receive feedback at the same time?

sams998y ago

Sure I think it makes sense to have this on the forum as well as a shadow post or something, I posted this https://discourse.haproxy.org/t/haproxy-1-8-officially-relea... will see if willy would like to keep this and perhaps create an announcemet category. Ultimately his call, but there has been a lot of 1.8 discussion on the forum lately.

AdamJacobMuller8y ago

Not only do people do it, but not too long ago it was the ONLY way people did it.

ci5er8y ago

How else would they do it?

j / k navigate · click thread line to collapse

23 comments

bbeausej8y ago

I really am amazed at the stability and quality of the HAProxy project and that since it's inception many , many years ago.

We use it on many of our projects and it has always been a very reliable piece of software, even at high traffic.

Kudos Willy and team, congratulations on the release!

-b

navinsylvester8y ago

Totally agree. Want to show the appreciation in beers. I wish there are options other than paypal.

fermuch8y ago

> haproxy can now be built with native systemd support using USE_SYSTEMD=1 and starting it with -Ws (systemd-aware master-worker mode).

What features/integrations make sense for a proxy with systemd? I'd assume it's only a unit that comes with the package, but that "-Ws" makes me wonder if there're deeper integrations.

TimWolla8y ago

    [root@example~]systemctl status php7.0-fpm.service 
    ● php7.0-fpm.service - The PHP 7.0 FastCGI Process Manager
       Loaded: loaded (/lib/systemd/system/php7.0-fpm.service; enabled)
       Active: active (running) since Sat 2017-11-25 13:28:22 CET; 1 day 8h ago
         Docs: man:php-fpm7.0(8)
     Main PID: 4624 (php-fpm7.0)
       Status: "Processes active: 3, idle: 29, Requests: 1203613, slow: 545, Traffic: 10.1req/sec"
    *snip*

See the mailing list thread for the full discussion of the feature: https://www.mail-archive.com/haproxy@formilux.org/msg27874.h...

[1] https://www.freedesktop.org/software/systemd/man/sd_notify.h...

KamiNuvini8y ago

(And I switched to only doing a reload notify in Ansible together with the hard-stop-after option in haproxy which is OK for me as well in 1.7)

ThinkingGuy8y ago

If anyone is wondering, as I was, what haproxy is, it's a "reliable, high performance TCP/HTTP load balancer."

http://www.haproxy.org/

JeanMarcS8y ago

Great ! I'm using it since 1.4 on projects that are reliable because of it. It's a great software.

Now I know what my week R&D time will be : HTTP2 in HAProxy !

zaarn8y ago

I do hope that HAProxy might support ACME at some point, I'm currently stuck on Traefik which has been breaking some traffic but I rely heavily on dynamically issued LE certs.

Otherwise, outside of SSL, HAProxy has been very pleasant in my experience.

ajcornett8y ago

We are using https://github.com/janeczku/haproxy-acme-validation-plugin to provide ACME support directly in HAProxy without an extra backend. Example:

    frontend example.com
        bind 192.168.1.100:80
    
        # Redirect ACME domain validations
        acl url_acme_http01 path_beg /.well-known/acme-challenge/
        http-request use-service lua.acme-http01 if METH_GET url_acme_http01
    
        # Redirect all plain HTTP traffic to HTTPS
        redirect scheme https code 301 if !{ ssl_fc }

mschuster918y ago

Where's your problem? Spin up a certbot docker container and use this here in haproxy:

    frontend http_in
      bind *:80
      bind *:443 ssl crt /path/to/letsencrypt/data/mydomain.pem
      acl path_letsencrypt path_beg /.well-known/acme-challenge
      use_backend letsencrypt if path_letsencrypt
    backend letsencrypt
      mode http
      server server-letsencrypt MYLOCALIP:8080

For the letsencrypt docker image, I use mesosphere/letsencrypt-dcos with a patched run.sh that triggers a docker kill -s HUP on the haproxy container.

zaarn8y ago

My problem is usually that I rely heavily on traefik being able to very easily issue certificates simply by having a backend with a hostname present.

On HAProxy this is not as easy as I need to tell both LE and HAP about the new backend.

If it was integrated, I would only have to tell HAP.

1 more reply

tuyguntn8y ago

Can you share your experience with Traefik? We also wanted to integrate it into our stack. What problems do you have? How it scales?

zaarn8y ago

My major problem with Traefik is that if you aren't using the defined stacks and opt for file configuration it can be a bit exhausting to configure, TOML is a rather repetitive format.

However, in terms of scaling and being able to get a SSL-terminating or SSL-handover reverse proxy going it's a breeze and it handles decent load very well.

foobarbazetc8y ago

Amazing work. Thanks haproxy team!

ssijak8y ago

Do people really announce new releases just over email and things like mail-archive or? Those mail archives always looked strange to me for some unknown reason.

geraldcombs8y ago

stmw8y ago

Agree

fermuch8y ago

What else would you use to notify interested people and be able to receive feedback at the same time?

sams998y ago

AdamJacobMuller8y ago

Not only do people do it, but not too long ago it was the ONLY way people did it.

ci5er8y ago

How else would they do it?

j / k navigate · click thread line to collapse