Unexpected HAPROXY acl behaviour tcp payload routing - tcp

I am setting up simple tcp connection routing using HAProxy acl's. The idea is to route connections depending on request content having two flavors: read and write requests.
For testing I made a simple tcp client/server setup using perl. Strangely enough about 10-40% of the ACL's fail and are sent to the default backend.
The ACL's should find the substring 'read' or 'write' and route accordingly, but this is not allways the case.
Sending a read/write request using nc (netcat) has the same effect.
I tested this configuration with mode=http and everything works as expected.
I also tested with reg, sub and bin, to no avail.
The example server setup is as follows:
HAProxy instance, listens on port 8000
Client (creates tcp connection to proxy and sends user input (read/write string) to server through port 8000, after which it closes the connection)
Server1 (write server), listens on port 8001
Server2 (read server), listens on port 8002
Server3 (default server), listens on port 8003
My HAProxy configuration file looks is:
global
log /dev/log local0 debug
#daemon
maxconn 32
defaults
log global
balance roundrobin
mode tcp
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
frontend tcp-in
bind *:8000
tcp-request inspect-delay 3s
acl read req.payload(0,4) -m sub read
acl write req.payload(0,5) -m sub write
use_backend read_servers if read
use_backend write_server if write
default_backend testFault
backend write_server
server server1 127.0.0.1:8001 maxconn 32
backend read_servers
server server2 127.0.0.1:8002 maxconn 32
backend testFault
server server3 127.0.0.1:8003 maxconn 32
The client code (in perl):
use IO::Socket::INET;
# auto-flush on socket
#$| = 1;
print "connecting to the server\n";
while(<STDIN>){
# create a connecting socket
my $socket = new IO::Socket::INET (
PeerHost => 'localhost',
PeerPort => '8000',
Proto => 'tcp',
);
die "cannot connect to the server $!\n" unless $socket;
# data to send to a server
$req = $_;
chomp $req;
$size = $socket->send($req);
print "sent data of length $size\n";
# notify server that request has been sent
shutdown($socket, 1);
# receive a response of up to 1024 characters from server
$response = "";
$socket->recv($response, 1024);
print "received response: $response\n";
$socket->close();
}
The server (perl code):
use IO::Socket::INET;
if(!$ARGV[0]){
die("Usage; specify a port..");
}
# auto-flush on socket
$| = 1;
# creating a listening socket
my $socket = new IO::Socket::INET (
LocalHost => '0.0.0.0',
LocalPort => $ARGV[0],
Proto => 'tcp',
Listen => 5,
Reuse => 0
);
die "cannot create socket $!\n" unless $socket;
print "server waiting for client connection on port $ARGV[0]\n";
while(1){
# waiting for a new client connection
my $client_socket = $socket->accept();
# get information about a newly connected client
my $client_address = $client_socket->peerhost();
my $client_port = $client_socket->peerport();
print "connection from $client_address:$client_port\n";
# read up to 1024 characters from the connected client
my $data = "";
$client_socket->recv($data, 1024);
print "received data: $data\n";
# write response data to the connected client
$data = "ok";
$client_socket->send($data);
# notify client that response has been sent
shutdown($client_socket, 1);
$client_socket->close();
print "Connection closed..\n\n";
}
$socket->close();


Binary data in haproxy is tricky. Probably some bug, but the following worked for me on haproxy 1.7.9.
I am trying to build a thrift proxy server which can route to appropriate backend based on the user_id in the payload.
frontend thriftrouter
bind *:10090
mode tcp
option tcplog
log global
log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq captured_user:%[capture.req.hdr(0)] req.len:%[capture.req.hdr(1)]"
tcp-request inspect-delay 100ms
tcp-request content capture req.payload(52,10) len 10
tcp-request content capture req.len len 10
tcp-request content accept if WAIT_END
acl acl_thrift_call req.payload(2,2) -m bin 0001 # Thrift CALL method
acl acl_magic_field_id req.payload(30,2) -m bin 270f # Magic field number 9999
# Define access control list for each user
acl acl_user_u1 req.payload(52,10) -m sub |user1|
acl acl_user_u2 req.payload(52,10) -m sub |user2|
# Route based on the user. No default backend so that one always has to set it
use_backend backend_1 if acl_user_u1 acl_magic_field_id acl_thrift_call
use_backend backend_2 if acl_user_u2 acl_magic_field_id acl_thrift_call
When matching binary data in acl, make sure you're looking at the right number of bytes, for substring to work properly. Or use the hex conversion method and match on hex bytes.


Dont I feel silly. Re-reading the HAProxy documentation I found the following directive (fetch method) that fixes the issue:
tcp-request content accept if WAIT_END
That solved the unexpected behaviour.

Related

How to resolve Coturn Configuration Issues: Unable to Bind fd 29 to 127.0.0.1:3478

I am trying to build a TURN server using Coturn configured on an AWS instance. I have set the following incoming security groups:
-0b2ed368e187eb2b1 22 TCP 0.0.0.0/0 SSH – –
sgr-003d18fd1b201dd42 3478 - 3479 TCP 0.0.0.0/0 TLS/TCP – –
sgr-0cc11343f95a2b395 32355 - 65535 TCP 0.0.0.0/0 TLS/TCP – –
sgr-0ce03cb3e6b05fb57 32355 - 65535 UDP 0.0.0.0/0 TLS/TCP – –
sgr-04d3824d3597c819b 3478 - 3479 UDP 0.0.0.0/0 TLS/TCP
And my configuration file looks like:
#
# Listener interface device (optional, Linux only).
# NOT RECOMMENDED.
#
#listening-device=eth0
listening-port=3478
tls-listening-port=5349
#alt-tls-listening-port=0
# Some network setups will require using a TCP reverse proxy in front
# of the STUN server. If the proxy port option is set a single listener
# is started on the given port that accepts connections using the
# haproxy proxy protocol v2.
# (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
#
#tcp-proxy-port=5555
# Listener IP address of relay server. Multiple listeners can be specified.
# If no IP(s) specified in the config file or in the command line options,
# then all IPv4 and IPv6 system IPs will be used for listening.
#
listening-ip=XXX.XX.XX.XXX
#aux-server=172.17.19.110:33478
# If no relay IP(s) specified, then the turnserver will apply the default
# policy: it will decide itself which relay addresses to be used, and it
# will always be using the client socket IP address as the relay IP address
# of the TURN session (if the requested relay address family is the same
# as the family of the client socket).
relay-ip=XXX.XX.XX.XXX
#relay-ip=2607:f0d0:1002:51::5
# By default, this value is empty, and no address mapping is used.
# (Uses EC2 instance public/private ips)
external-ip=X.XX.XX.XXX/XXX.XX.XX.XXX
#
#relay-threads=0
# Lower and upper bounds of the UDP relay endpoints:
# (default values are 49152 and 65535)
#
min-port=3478
max-port=65535
# Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
# By default the verbose mode is off.
verbose
# Uncomment to use fingerprints in the TURN messages.
# By default the fingerprints are off.
#
fingerprint
# Uncomment to use long-term credential mechanism.
# By default no credentials mechanism is used (any user allowed).
#
lt-cred-mech
# This option is the opposite of lt-cred-mech.
# (TURN Server with no-auth option allows anonymous access).
# If neither option is defined, and no users are defined,
# then no-auth is default. If at least one user is defined,
# in this file, in command line or in usersdb file, then
# lt-cred-mech is default.
#
#no-auth
# Enable prometheus exporter
# If enabled the turnserver will expose an endpoint with stats on a prometheus format
# this endpoint is listening on a different port to not conflict with other configurations.
#
# You can simply run the turnserver and access the port 9641 and path /metrics
#
# For mor info on the prometheus exporter and metrics
# https://prometheus.io/docs/introduction/overview/
# https://prometheus.io/docs/concepts/data_model/
#
#prometheus
# TURN REST API flag.
# (Time Limited Long Term Credential)
# Flag that sets a special authorization option that is based upon authentication secret.
#
# This feature's purpose is to support "TURN Server REST API", see
# "TURN REST API" link in the project's page
# https://github.com/coturn/coturn/
#
# This option is used with timestamp:
# usercombo -> "timestamp:userid"
# turn user -> usercombo
# turn password -> base64(hmac(secret key, usercombo))
#
# This allows TURN credentials to be accounted for a specific user id.
# If you don't have a suitable id, then the timestamp alone can be used.
# This option is enabled by turning on secret-based authentication.
# The actual value of the secret is defined either by the option static-auth-secret,
# or can be found in the turn_secret table in the database (see below).
#
# Read more about it:
# - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
# - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
#
# Be aware that use-auth-secret overrides some parts of lt-cred-mech.
# The use-auth-secret feature depends internally on lt-cred-mech, so if you set
# this option then it automatically enables lt-cred-mech internally
# as if you had enabled both.
#
#
# Note that you can use only one auth mechanism at the same time! This is because,
# both mechanisms conduct username and password validation in different ways.
#
# Use either lt-cred-mech or use-auth-secret in the conf
# to avoid any confusion.
#
#use-auth-secret
# 'Static' authentication secret value (a string) for TURN REST API only.
# If not set, then the turn server
# will try to use the 'dynamic' value in the turn_secret table
# in the user database (if present). The database-stored value can be changed on-the-fly
# by a separate program, so this is why that mode is considered 'dynamic'.
#
#static-auth-secret=XXXXXXXXXXXX
# Server name used for
# the oAuth authentication purposes.
# The default value is the realm name.
#server-name=blackdow.carleon.gov
# Flag that allows oAuth authentication.
#
#oauth
# 'Static' user accounts for the long term credentials mechanism, only.
# This option cannot be used with TURN REST API.
# 'Static' user accounts are NOT dynamically checked by the turnserver process,
# so they can NOT be changed while the turnserver is running.
#
user=XXXXXX:XXXXXX
#user=username2:key2
# OR:
#user=username1:password1
#user=username2:password2
#
# Keys must be generated by turnadmin utility. The key value depends
# on user name, realm, and password:
# Example:
# $ turnadmin -k -u ninefingers -r north.gov -p youhavetoberealistic
# Output: 0xbc807ee29df3c9ffa736523fb2c4e8ee
# ('0x' in the beginning of the key is what differentiates the key from
# password. If it has 0x then it is a key, otherwise it is a password).
#
# The corresponding user account entry in the config file will be:
#
#user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
# Or, equivalently, with open clear password (less secure):
#user=ninefingers:youhavetoberealistic
#
# SQLite database file name.
#
# The default file name is /var/db/turndb or /usr/local/var/db/turndb or
# /var/lib/turn/turndb.
#
#userdb=/var/db/turndb
# PostgreSQL database connection string in the case that you are using PostgreSQL
# as the user database.
# This database can be used for the long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN REST API.
# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
# versions connection string format, see
# http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
# for 9.x and newer connection string formats.
#
#psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
# MySQL database connection string in the case that you are using MySQL
# as the user database.
# This database can be used for the long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN REST API.
#
# Optional connection string parameters for the secure communications (SSL):
# ca, capath, cert, key, cipher
# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
# command options description).
# Use the string format below (space separated parameters, all optional):
#
#mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds> red_timeout=<seconds>"
# If you want to use an encrypted password in the MySQL connection string,
# then set the MySQL password encryption secret key file with this option.
#
# Warning: If this option is set, then the mysql password must be set in "mysql-userdb" in an encrypted format!
# If you want to use a cleartext password then do not set this option!
#
# This is the file path for the aes encrypted secret key used for password encryption.
#
#secret-key-file=/path/
#redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
# Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
#redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
realm=XXXX.amazonaws.com
#check-origin-consistency
#total-quota=0
#max-bps=0
#
# Uncomment if no TCP client listener is desired.
# By default TCP client listener is always started.
#
#no-tcp
# Uncomment if no TLS client listener is desired.
# By default TLS client listener is always started.
#
#no-tls
# Uncomment if no DTLS client listener is desired.
# By default DTLS client listener is always started.
#
#no-dtls
# Uncomment if no UDP relay endpoints are allowed.
#no-tcp-relay
#stale-nonce=600
#channel-lifetime=600
#permission-lifetime=300
# Certificate file.
# Use an absolute path or path relative to the
# configuration file.
# Use PEM file format.
#
#cert=/usr/local/etc/turn_server_cert.pem
# Private key file.
# Use an absolute path or path relative to the
#pkey-pwd=...
# Allowed OpenSSL cipher list for TLS/DTLS connections.
# Default value is "DEFAULT".
#
#cipher-list="DEFAULT"
# CA file in OpenSSL format.
# Forces TURN server to verify the client SSL certificates.
# By default this is not set: there is no default value and the client
# certificate is not checked.
#
#ec-curve-name=prime256v1
# Use 566 bits predefined DH TLS key. Default size of the key is 2066.
#
#dh566
# Use 1066 bits predefined DH TLS key. Default size of the key is 2066.
#
#dh1066
# Use custom DH TLS key, stored in PEM format in the file.
# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
#
#dh-file=<DH-PEM-file-name>
# Flag to prevent stdout log messages.
# By default, all log messages go to both stdout and to
# the configured log file. With this option everything will
# go to the configured log only (unless the log file itself is stdout).
#
#no-stdout-log
# In the runtime, the logfile can be reset with the SIGHUP signal
# to the turnserver process.
#
log-file=/var/log/coturn/coturn.log
#secure-stun
# Mobility with ICE (MICE) specs support.
#
#mobility
#no-cli
#Local system IP address to be used for CLI server endpoint. Default value
# is 127.0.0.1.
#
#cli-ip=127.0.0.1
# CLI server port. Default is 5766.
#cli-port=5766
The output is as follows:
ERROR: Cannot open log file for writing: /var/log/coturn/coturn_2022-10-22.log
0: : log file opened: /var/log/turn_47167_2022-10-22.log
0: : Relay address to use: 172.xx.xx.xxx
0: : Whitelisting external-ip private part: 172.xx.xx.xxx
0: : Config file found: /etc/turnserver.conf
0: :
RFC 3489/5389/5766/5780/6062/6156 STUN/TURN Server
Version Coturn-4.5.2 'dan Eider'
0: :
Max number of open files/sockets allowed for this process: 1048576
0: :
Due to the open files/sockets limitation,
max supported number of TURN Sessions possible is: 524000 (approximately)
0: :
==== Show him the instruments, Practical Frost: ====
0: : TLS supported
0: : DTLS supported
0: : DTLS 1.2 supported
0: : TURN/STUN ALPN supported
0: : Third-party authorization (oAuth) supported
0: : GCM (AEAD) supported
0: : OpenSSL compile-time version: OpenSSL 3.0.2 15 Mar 2022 (0x30000020)
0: :
0: : SQLite supported, default database location is /var/lib/turn/turndb
0: : Redis supported
0: : PostgreSQL supported
0: : MySQL supported
0: : MongoDB is not supported
0: :
0: : Default Net Engine version: 3 (UDP thread per CPU core)
=====================================================
0: : Domain name:
0: : Default realm:
0: : ERROR:
CONFIG ERROR: Empty cli-password, and so telnet cli interface is disabled! Please set a non empty cli-password!
0: : WARNING: cannot find certificate file: turn_server_cert.pem (1)
0: : WARNING: cannot start TLS and DTLS listeners because certificate file is not set properly
0: : WARNING: cannot find private key file: turn_server_pkey.pem (1)
0: : WARNING: cannot start TLS and DTLS listeners because private key file is not set properly
0: : NO EXPLICIT LISTENER ADDRESS(ES) ARE CONFIGURED
0: : ===========Discovering listener addresses: =========
0: : Listener address to use: 127.0.0.1
0: : Listener address to use: 172.xx.xx.xxx
0: : Listener address to use: ::1
0: : =====================================================
0: : Total: 1 'real' addresses discovered
0: : =====================================================
0: : pid file created: /var/run/turnserver.pid
0: : IO method (main listener thread): epoll (with changelist)
0: : Wait for relay ports initialization...
0: : relay 172.xx.xx.xxx initialization...
0: : relay 172.xx.xx.xxx initialization done
0: : Relay ports initialization done
0: : IO method (general relay thread): epoll (with changelist)
0: : turn server id=1 created
bind: Address already in use
0: : Trying to bind fd 12 to <127.0.0.1:3478>: errno=98
Cannot bind local socket to addr: Address already in use
0: : Cannot bind TLS/TCP listener socket to addr 127.0.0.1:3478
0: : Trying to bind TLS/TCP listener socket to addr 127.0.0.1:3478, again...
0: : IO method (general relay thread): epoll (with changelist)
0: : turn server id=0 created
0: : IPv4. UDP listener opened on: 127.0.0.1:3478
0: : IPv4. UDP listener opened on: 127.0.0.1:3479
0: : IPv4. UDP listener opened on: 172.xx.xx.xxx:3478
0: : IPv4. UDP listener opened on: 172.xx.xx.xxx:3479
0: : IPv6. UDP listener opened on: ::1:3478
0: : IPv6. UDP listener opened on: ::1:3479
0: : Total General servers: 2
bind: Address already in use
0: : Trying to bind fd 29 to <127.0.0.1:3478>: errno=98
Cannot bind local socket to addr: Address already in use
0: : Cannot bind TLS/TCP listener socket to addr 127.0.0.1:3478
0: : Trying to bind TLS/TCP listener socket to addr 127.0.0.1:3478, again...
0: : IO method (admin thread): epoll (with changelist)
0: : IO method (auth thread): epoll (with changelist)
0: : IO method (auth thread): epoll (with changelist)
0: : SQLite DB connection success: /var/lib/turn/turndb
bind: Address already in use
0: : Trying to bind fd 12 to <127.0.0.1:3478>: errno=98
Cannot bind local socket to addr: Address already in use
0: : Cannot bind TLS/TCP listener socket to addr 127.0.0.1:3478
0: : Trying to bind TLS/TCP listener socket to addr 127.0.0.1:3478, again...
bind: Address already in use
0: : Trying to bind fd 29 to <127.0.0.1:3478>: errno=98
Cannot bind local socket to addr: Address already in use
0: : Cannot bind TLS/TCP listener socket to addr 127.0.0.1:3478
0: : Trying to bind TLS/TCP listener socket to addr 127.0.0.1:3478, again...
bind: Address already in use
0: : Trying to bind fd 12 to <127.0.0.1:3478>: errno=98
Cannot bind local socket to addr: Address already in use
0: : Cannot bind TLS/TCP listener socket to addr 127.0.0.1:3478
0: : Trying to bind TLS/TCP listener socket to addr 127.0.0.1:3478, again...
bind: Address already in use
0: : Trying to bind fd 29 to <127.0.0.1:3478>: errno=98
Cannot bind local socket to addr: Address already in use
0: : Cannot bind TLS/TCP listener socket to addr 127.0.0.1:3478
0: : Trying to bind TLS/TCP listener socket to addr 127.0.0.1:3478, again...
bind: Address already in use
0: : Trying to bind fd 12 to <127.0.0.1:3478>: errno=98
Cannot bind local socket to addr: Address already in use
0: : Cannot bind TLS/TCP listener socket to addr 127.0.0.1:3478
0: : Trying to bind TLS/TCP listener socket to addr 127.0.0.1:3478, again...
bind: Address already in use
0: : Trying to bind fd 29 to <127.0.0.1:3478>: errno=98
Cannot bind local socket to addr: Address already in use
0: : Cannot bind TLS/TCP listener socket to addr 127.0.0.1:3478
0: : Trying to bind TLS/TCP listener socket to addr 127.0.0.1:3478, again...
bind: Address already in use
0: : Trying to bind fd 12 to <127.0.0.1:3478>: errno=98
Cannot bind local socket to addr: Address already in use
0: : Cannot bind TLS/TCP listener socket to addr 127.0.0.1:3478
0: : Trying to bind TLS/TCP listener socket to addr 127.0.0.1:3478, again...
bind: Address already in use
0: : Trying to bind fd 29 to <127.0.0.1:3478>: errno=98
Cannot bind local socket to addr: Address already in use
0: : Cannot bind TLS/TCP listener socket to addr 127.0.0.1:3478
0: : Trying to bind TLS/TCP listener socket to addr 127.0.0.1:3478, again...
bind: Address already in use
0: : Trying to bind fd 12 to <127.0.0.1:3478>: errno=98
Cannot bind local socket to addr: Address already in use
0: : Cannot bind TLS/TCP listener socket to addr 127.0.0.1:3478
0: : Trying to bind TLS/TCP listener socket to addr 127.0.0.1:3478, again...
ETA netstat results:
tcp 0 0 172.31.XX.XXX:3478 0.0.0.0:* LISTEN 51761/turnserver
tcp 0 0 172.31.XX.XXX:3478 0.0.0.0:* LISTEN 51761/turnserver
udp 0 0 172.31.XX.XXX:3478 0.0.0.0:* 51761/turnserver
udp 0 0 172.31.XX.XXX:3478 0.0.0.0:* 51761/turnserver
I'm trying to figure out why UDP cannot have the port. It also will not allow me to gather candidates using Trickle ICE, which is problematic (and I am guessing means our components would not be able to use it for communication).
I have never used Coturn or configured a server from scratch and this is part of a sponsored agile project, so I do not have time to keep being stuck on it. Unfortunately, no one else on my team knows anything about Turn servers either. Any help is greatly appreciated!

Update in case anyone else runs into this issue:
It was a permissions issue. Ensure you use sudo systemctl kill coturn (To kill any existing instance/service)
Then call sudo turnserver -c /etc/turnserver.conf which will properly load the config file and not deny allocation of listening ports.

HAProxy - Reject connection if flodding server

i want to reject the connection if the user spams the server with requests. My current config looks like this:
frontend http_front
bind *:80
log global
stick-table type ip size 1m expire 1m store gpc0,http_req_rate(10s)
# Increase gpc0 if requests in last 10s where greater than 10
acl conn_rate_abuse src_http_req_rate gt 10
acl mark_as_abuser src_inc_gpc0 gt 0
tcp-request connection track-sc1 src
# Reject if gpc0 greater than 1
tcp-request connection reject if conn_rate_abuse mark_as_abuser
default_backend http_back
The Socket- Output looks like this
0x1e455c0: key=10.23.27.55 use=0 exp=51149 gpc0=0 http_req_rate(10000)=422
What am i doing wrong?!
Edit://
With this code it works, but shouldnt it work with only the code above?
backend http_back
balance roundrobin
acl abuse src_http_req_rate(http_front) ge 10
tcp-request content reject if abuse
server test1 ip1:80 check
server test2 ip2:80 check
HA-Proxy version 1.6.4 2016/03/13

How to send syslog over TCP in syslog server

I am sending syslog on UDP to remotehost its working fine but while i am sending log on tcp then logs are not routing to remote host.
I am using syslog server on FreeBSD8.3
can anybody tell me how to send logs to remote host on TCP using syslog server.
Thanks in advance.

One issue I just ran into while trying to send log messages to an rsyslog server listening on tcp port 10514 was that it requires a last byte of 0A or line feed. I discovered this tcpdumping net cat as that was working but a socket connection was not. For ex the following will not work (the 155 is for local3 + err level) :
import socket
syslogSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
syslogSocket.connect(('127.0.0.1', 10514))
syslogSocket.send('<155>TEST FROM PYTOHON\000')
syslogSocket.close()
But this will work:
import socket
syslogSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
syslogSocket.connect(('127.0.0.1', 10514))
syslogSocket.send('<155>TEST FROM PYTOHON\n')
syslogSocket.close()
To get the 155 check out a page like:
http://linux.byexamples.com/archives/412/syslog-sending-log-from-remote-servers-to-syslog-daemon/
Since PRI = (facility << 3) + severity
And local3 facility == 19
And severity err = 3
PRI = (19<<3) + 3
152 + 3
155

haproxy with miltiple backend

We are trying to configure two back end with https in haproxy load balancing scenario.
We tried ssl termination, hrd_beg , … but could not come to expected result
As in every configuration we tried requests are being transferred to default back end only and not to other back end.
Below is my configuration file.
global
log 127.0.0.1 local0 notice
log 127.0.0.1 local1 debug
maxconn 5000 # Total Max Connections. This is dependent on ulimit
daemon
quiet
nbproc 1 # Number of processing cores. Dual Dual-core Opteron is 4 cores for example.
chroot /usr/share/haproxy
user haproxy
group haproxy
#stats socket /var/run/haproxy.stat mode 600
defaults
log global
# Setting options
option dontlognull #Disable logging of null connections as these can pollute the logs
option redispatch # Enable session redistribution in case of connection failure, which is important in a HA environment
option tcp-smart-accept # Performance tweak, saving one ACK packet during the accept sequence
option tcp-smart-connect # Performance tweak, saving of one ACK packet during the connect sequence
# Setting timeouts
timeout connect 5s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 5s
retries 3
# Slowloris protection
timeout http-request 10s # Slowloris protection
timeout tarpit 1m # tarpit hold time
timeout queue 1m
backlog 10000
frontend ap_ft_https
bind *:443 ssl crt /home/mykey.pem
mode tcp
acl dcall url_sub dc
use_backend dc_bk_https if dcall
use_backend ap_bk_https if { hdr_beg(host) -i ap }
use_backend dc_bk_https if { hdr_beg(host) -i dc }
default_backend ap_bk_https
# Configuration for AP Portals
backend ap_bk_https
mode tcp
balance roundrobin # Load Balancing algorithm
reqadd X-Forwarded-Proto:\ https
#option tcplog
default-server inter 5s rise 2 fall 5
server server1 x.x.x.x:443 weight 1 maxconn 512 check
# server server2 x.x.x.x:443 weight 1 maxconn 512 check
#Configuration for DC Portals
backend dc_bk_https
mode tcp
balance roundrobin # Load Balancing algorithm
reqadd X-Forwarded-Proto:\ https
#option tcplog
default-server inter 5s rise 2 fall 5
server server1 x.x.x.x:443 weight 1 maxconn 512 check
server server2 x.x.x.x:443 weight 1 maxconn 512 check
#HAProxy Stats configuration
listen stats
mode http
bind 0.0.0.0:8880
clitimeout 100s
srvtimeout 100s
contimeout 100s
timeout queue 100s
stats enable
stats hide-version
stats refresh 30s
stats show-node
stats uri /haproxy?stats
stats realm Admin\ Portal\ HAProxy\ Statistics
stats auth admin:xxxx
My Web addresses starts like apxxx.domain.com and dcxxx.domain.com.
I want to configure haproxy such a way that if request is for apxxx.domain.com then it should go to haproxy backend ap_bk_https and the same way if it is for dcxxx.domain.com it should go to haproxy backend dc_bk_https.
Your help will be appreciated!

/****************************************************/
ROUTING BY SUB-Domain
frontend http-in
bind *:80
acl app_ap hdr_end(host) -i apxxx.domain.com
acl app_dc hdr_end(host) -i dcxxx.domain.com
use_backend ap_bk_https if app_ap
use_backend dc_bk_https if app_dc
Now all request from apxxx.domain.com and dcxxx.domain.com will be redirected to your respected backends.
/**********************************/
/*************** OLD ANSWER ************************///
Basically what you want is to route by domain name.
Here's an example which does exactly what you want. Have a look at it. Its simple .
http://seanmcgary.com/posts/haproxy---route-by-domain-name
/** OLD ANSWER ENDS ************/
I hope this will solve your problem.

xinetd cannot nmap echo server remotely

I've configured xinetd and I want to access echo service remotely. The point is, when y do:
nmap localhost
it appears
PORT STATE SERVICE
7/tcp open echo
But when i make
nmap [remote IP]
it doesn't appears
> PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http
and I don't know why
Here is the /etc/xinetd.d/echo
> service echo
{
disable = no
type = INTERNAL
id = echo-stream
socket_type = stream
protocol = tcp
user = root
wait = no
}
And here is the /etc/xinetd.conf
# Simple configuration file for xinetd
#
# Some defaults, and include /etc/xinetd.d/
defaults {
# Please note that you need a log_type line to be able to use log_on_success
# and log_on_failure. The default is the following :
# log_type = SYSLOG daemon info
}
includedir /etc/xinetd.d
Thanks by the way! Cheers!

I found the error: It was that I've been using the wrong IP.
Thank anyone

Resources