@haproxytechblog
Last active January 8, 2022 17:20
Announcing HAProxy 2.5
$ socat stdio tcp4-connect:127.0.0.1:9999
prompt
>
> experimental-mode on
> add server be_app/dynserv 10.0.1.5:80 check
New server registered.
> enable server be_app/dynserv
> enable health be_app/dynserv
> set server be_app/dynserv state maint
> del server be_app/dynserv
Server deleted.

frontend fe_main
    http-request set-var-fmt(txn.from) "addr=%[src]:%[src_port]"

frontend fe_main
    http-request set-var(txn.from_addr) src
    http-request set-var(txn.from_port) src_port
    http-request set-var(txn.from) str("addr"),concat('=',txn.from_addr),concat(':',txn.from_port)

defaults frontend-defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout client 10m
    http-request redirect scheme https unless { ssl_fc }

frontend mysite from frontend-defaults
    mode http
    bind :80
    bind :443 ssl crt /etc/haproxy/ssl/cert.pem
    default_backend webservers

# View the summary
$ echo "show acl" | sudo socat stdio /run/haproxy/api.sock
# id (file) description
0 (/etc/haproxy/acls/denylist.acl) pattern loaded from file '/etc/haproxy/acls/denylist.acl' used by acl at file '/etc/haproxy/haproxy.cfg' line 34. curr_ver=0 next_ver=0 entry_cnt=3
# Display all records in the acl file
$ echo "show acl /etc/haproxy/acls/denylist.acl" | sudo socat stdio /run/haproxy/api.sock
0x55e1de7e2260 10.0.40.1
0x55e1de7e22b0 10.0.40.2
0x55e1de7e2300 10.0.40.3

global
    nbthread 40

frontend fe_main
    bind 192.168.50.10:80 thread 1-20 name website
    bind 192.168.50.11:80 thread 21-40 name api

global
    nbthread 40

frontend fe_main
    bind 192.168.50.10:80 thread 1-10 name website-1
    bind 192.168.50.10:80 thread 11-20 name website-2
    bind 192.168.50.11:80 thread 21-30 name api-1
    bind 192.168.50.11:80 thread 31-40 name api-2

frontend fe_main
    bind 192.168.50.10:80 name website-1
    bind 192.168.50.10:80 name website-2

frontend fe_main
    bind 192.168.50.10:80 shards 2 name website

$ haproxy -cc 'feature(PROMEX)'
# Check the exit status
$ echo $?

$ echo -e "set ssl crl-file crlfile.pem <<\n$(cat rootCRL.pem)\n" | \
    socat /var/run/haproxy.stat -
$ echo "commit ssl crl-file crlfile.pem" | socat /var/run/haproxy.stat -
$ echo "show ssl crl-file" | socat /var/run/haproxy.master -
# transaction
*crlfile.pem
# filename
crlfile.pem
$ echo "show ssl crl-file crlfile.pem" | socat /var/run/haproxy.master -
Filename: /home/jdoe/work/haproxy/reg-tests/ssl/crlfile.pem
Status: Used
Certificate Revocation List #1:
Version 1
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=FR/O=HAProxy Technologies/CN=Intermediate CA2
Last Update: Apr 23 14:45:39 2021 GMT
Next Update: Sep 8 14:45:39 2048 GMT
Revoked Certificates:
Serial Number: 1008
Revocation Date: Apr 23 14:45:36 2021 GMT
Certificate Revocation List #2:
Version 1
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=FR/O=HAProxy Technologies/CN=Root CA
Last Update: Apr 23 14:30:44 2021 GMT
Next Update: Sep 8 14:30:44 2048 GMT
No Revoked Certificates.

$ echo -e "set ssl ca-file cafile.pem <<\n$(cat rootCA.crt)\n" | \
    socat /var/run/haproxy.stat -
$ echo "commit ssl ca-file cafile.pem" | socat /var/run/haproxy.stat -
$ echo "show ssl ca-file" | socat /var/run/haproxy.master -
# transaction
*cafile.crt - 2 certificate(s)
# filename
cafile.crt - 1 certificate(s)
$ echo "show ssl ca-file cafile.crt" | socat /var/run/haproxy.master -
Filename: /home/jdoe/work/haproxy/reg-tests/ssl/set_cafile_ca2.crt
Status: Used
Certificate #1:
Serial: 11A4D2200DC84376E7D233CAFF39DF44BF8D1211
notBefore: Apr 1 07:40:53 2021 GMT
notAfter: Aug 17 07:40:53 2048 GMT
Subject Alternative Name:
Algorithm: RSA4096
SHA1 FingerPrint: A111EF0FEFCDE11D47FE3F33ADCA8435EBEA4864
Subject: /C=FR/ST=Some-State/O=HAProxy Technologies/CN=HAProxy Technologies CA
Issuer: /C=FR/ST=Some-State/O=HAProxy Technologies/CN=HAProxy Technologies CA
$ echo "show ssl ca-file *cafile.crt:2" | socat /var/run/haproxy.master -
Filename: */home/jdoe/work/haproxy/reg-tests/ssl/set_cafile_ca2.crt
Status: Unused
Certificate #2:
Serial: 587A1CE5ED855040A0C82BF255FF300ADB7C8136
[...]

local httpclient = core.httpclient()
-- get() takes a request table; keep the response in res, which the log line below reads
local res = httpclient:get{url="http://127.0.0.1:9000/?s=9999"}
core.Debug("Status: " .. res.status .. ", Reason : " .. res.reason ..
    ", Len:" .. string.len(res.body) .. "\n")

frontend fe_main
    http-request redirect code 301 location %[base,map(old-uris.map)] ignore-empty