Ubuntu 20.04 (Focal Fossa) disables all TLS versions below TLSv1.2 by default in OpenSSL (its /etc/ssl/openssl.cnf sets MinProtocol = TLSv1.2 and CipherString = DEFAULT:@SECLEVEL=2). If you still need TLS 1.0 (e.g. because of legacy clients), you can re-enable it in HAProxy (tested with HAProxy 2.0.14): bind *:443 ssl crt /etc/haproxy/certs/ ssl-min-ver TLSv1.0 ciphers ALL:@SECLEVEL=1. Both parts are needed: ssl-min-ver overrides OpenSSL's minimum protocol, and @SECLEVEL=1 lowers the security level, because the distribution's OpenSSL build refuses TLS 1.0/1.1 at level 2. Be aware that ALL re-enables every cipher the library offers at that level, including 3DES and non-forward-secret RSA key exchange, and that TLS 1.0 and 1.1 are deprecated (RFC 8996); treat this as a temporary exception and keep the cipher list as narrow as the legacy clients allow.
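As an added example (not from the original post), here is a configuration that keeps the Ubuntu default (TLS 1.2 or newer) on the main listener and isolates the TLS 1.0 exception on its own port with a restricted cipher list instead of ALL; the frontend/backend names, ports, certificate directory and backend address are assumptions:

```haproxy
# Added example, not taken from the original post. Listener names, ports,
# certificate directory and backend address are assumptions.
# HAProxy 2.0.x on Ubuntu 20.04 with two frontends:
#   fe_https  - distribution default, TLS 1.2 or newer only
#   fe_legacy - exception for clients that cannot speak TLS 1.2
global
    # Applies to every "bind ... ssl" unless the bind line overrides it.
    ssl-default-bind-options ssl-min-ver TLSv1.2
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend fe_https
    bind *:443 ssl crt /etc/haproxy/certs/
    default_backend be_app

# Legacy listener, opened only while the old clients exist.
# ssl-min-ver overrides OpenSSL's MinProtocol; @SECLEVEL=1 lowers the
# security level the Ubuntu build otherwise uses to refuse TLS < 1.2.
# TLS 1.0/1.1 only offer CBC+SHA1 suites, so the list is limited to the
# forward-secret ECDHE ones; ALL:@SECLEVEL=1 would also admit 3DES and
# static RSA key exchange.
frontend fe_legacy
    bind *:8443 ssl crt /etc/haproxy/certs/ ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.2 ciphers ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:@SECLEVEL=1
    # Record the negotiated protocol version in the access log so the
    # remaining TLS 1.0 clients can be identified and the exception
    # removed once they are gone.
    http-request capture ssl_fc_protocol len 8
    default_backend be_app

backend be_app
    server app1 127.0.0.1:8080
```

To verify that only the legacy port accepts the old protocol, run openssl s_client -connect <host>:8443 -tls1 and the same against port 443 (which must fail) from a host whose OpenSSL configuration still permits TLS 1.0; on Ubuntu 20.04 itself the client side also needs its security level lowered, e.g. with -cipher 'DEFAULT:@SECLEVEL=1'.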
Prefiltering log events with rsyslog to greatly reduce fail2ban CPU load
Assume you have a service (web, mail, load balancer etc.) and you want to watch its logs with fail2ban and take action if specific log patterns occur. If your service is busy and has a high log volume, fail2ban can quickly eat up a lot of CPU while trying to match regular expressions […]
HAProxy High Availability using RHI, Quagga and OSPF
Usually, you use VRRP + keepalived to make HAProxy redundant and provide good service availability. In day-to-day operations there are many cases where you have to take down a whole HAProxy host: for example server reboots (because of kernel/OS updates), hardware maintenance, a new version of the OS distribution, or installing/upgrading HAProxy versions. For […]
Testing new HAProxy versions with some sort of A/B Testing
Recently I have been thinking about better methods to bring new HAProxy versions into production without taking too much risk. We're using HAProxy 1.5 in production and want to do a smooth migration to 1.6. As you know, every update can be critical, even more so on a critical component like a load balancer, or if […]
Adding random delay for specific HTTP Requests with HAProxy + Lua
Lately I wanted to delay specific HTTP requests, with a random delay for each of these requests (for example in the range 1000ms to 2000ms). One possible use case is to absorb and slow down traffic bursts coming from bots/crawlers/spiders or abusers (badly behaving clients in general). I've classified […]
HAProxy – Tracking multiple sample fetches in stick-table
Recently I searched for a way to do rate limiting in HAProxy based on multiple client identifiers. The standard example you find in the docs or in many tutorials is to track on "src" (source IP). Tracking on "src" is fine in most cases, but can be a problem if users are behind NAT/mobile gateways where […]