haproxytechblog/blog20200619-01.sh

## blog20200619-01.sh
# Add new empty certificate
$ echo "new ssl cert /etc/haproxy/certs/wildcard.demo.haproxy.net.pem" |socat tcp-connect:127.0.0.1:9999 -
New empty certificate store '/etc/haproxy/certs/wildcard.demo.haproxy.net.pem'!

# Create transaction with certificate data
$ echo -e -n "set ssl cert /etc/haproxy/certs/wildcard.demo.haproxy.net.pem <<\n$(cat /tmp/wildcard.demo.haproxy.net.pem)\n\n" |socat tcp-connect:127.0.0.1:9999 -
Transaction created for certificate /etc/haproxy/certs/wildcard.demo.haproxy.net.pem!

# Commit certificate into memory for use
$ echo "commit ssl cert /etc/haproxy/certs/wildcard.demo.haproxy.net.pem" |socat tcp-connect:127.0.0.1:9999 -
Committing /etc/haproxy/certs/wildcard.demo.haproxy.net.pem
Success!

## blog20200619-02.sh
$ echo "add ssl crt-list /etc/haproxy/crt.lst /etc/haproxy/certs/wildcard.demo.haproxy.net.pem" |socat tcp-connect:127.0.0.1:9999 -
Inserting certificate '/etc/haproxy/certs/wildcard.demo.haproxy.net.pem' in crt-list '/etc/haproxy/crt.lst'.
Success!

## blog20200619-03.sh
$ echo "show ssl cert" |socat tcp-connect:127.0.0.1:9999  -
# filename
certs/test.local.pem.ecdsa
certs/test.local.pem.rsa

## blog20200619-04.sh
$ echo "show ssl cert certs/test.local.pem.ecdsa" |socat tcp-connect:127.0.0.1:9999  -
Filename: certs/test.local.pem.ecdsa
Status: Used
Serial: 0474204BCBAEFD4271A9E77AACC35BA92D42
notBefore: Apr 28 11:07:59 2020 GMT
notAfter: Jul 27 11:07:59 2020 GMT
Subject Alternative Name: DNS:test.local, DNS:test.local
Algorithm: EC256
SHA1 FingerPrint: B3B9F41ECD74422EE0DD7A8C7F35CFA3C398CA82
Subject: /CN=test.local
Issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Chain Subject: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Chain Issuer: /O=Digital Signature Trust Co./CN=DST Root CA X3

## blog20200619-05.sh
$ echo "show ssl crt-list" |socat tcp-connect:127.0.0.1:9999 -
/etc/haproxy/crt.lst

$ echo "show ssl crt-list /etc/haproxy/crt.lst" |socat tcp-connect:127.0.0.1:9999 -
# /etc/haproxy/crt.lst
/etc/haproxy/certs/test.local.pem.ecdsa [alpn h2,http/1.1]
/etc/haproxy/certs/wildcard.demo.haproxy.net.pem

## blog20200619-06.cfg
ssl-default-bind-curves X25519:P-256

## blog20200619-07.cfg
http-request return content-type image/x-icon file /etc/haproxy/favicon.ico if { path /favicon.ico }

## blog20200619-08.cfg
http-request return status 200 content-type "text/plain; charset=utf-8" lf-string "Hey there! \xF0\x9F\x90\x98 \nYou're accessing: %[req.hdr(host)]:%[dst_port]%[var(txn.lock_emoji)]\nFrom: %[src].\nYou've made a total of %[sc_http_req_cnt(0)] requests.\n" if { path /hello }

## blog20200619-09.sh
$ curl -k https://demo.haproxy.local/hello
Hey there! 🐘
You're accessing: demo.haproxy.local:443🔒
From: 192.168.1.25
You've made a total of 7 requests.

## blog20200619-10.cfg
http-errors test.local
    errorfile 400 /etc/haproxy/errorfiles/test.local/400.http
    errorfile 403 /etc/haproxy/errorfiles/test.local/403.http

http-errors demo.haproxy.net
    errorfile 400 /etc/haproxy/errorfiles/demo.haproxy.net/400.http
    errorfile 403 /etc/haproxy/errorfiles/demo.haproxy.net/403.http

## blog20200619-11.cfg
http-request deny errorfiles test.local if { req.hdr(host) test.local } { src 127.0.0.1 }

## blog20200619-12.cfg
backend be_main
    errorfiles test.local

## blog20200619-13.cfg
backend servers
    option httpchk HEAD /health HTTP/1.1\r\nHost:\ test.local
    server srv1 192.168.1.5:80 check

## blog20200619-14.cfg
backend servers
    option httpchk
    http-check send meth HEAD uri /health ver HTTP/1.1 hdr Host test.local
    server srv1 192.168.1.5:80 check

## blog20200619-15.cfg
backend servers
    option httpchk
    http-check send meth POST uri /health hdr Content-Type "application/json;charset=UTF-8" hdr Host www.mwebsite.com body "{\"id\": 1, \"field\": \"value\"}"
    server srv1 192.168.1.5:80 check

## blog20200619-16.cfg
backend servers
    option httpchk
    http-check connect ssl alpn h2
    http-check send meth HEAD uri /health ver HTTP/2 hdr Host www.test.local
    server srv1 192.168.1.5:443 check

## blog20200619-17.cfg
backend servers
    option httpchk

    http-check connect port 8080
    http-check send meth HEAD uri /health

    http-check connect port 8081
    http-check send meth HEAD uri /up

    server server1 127.0.0.1:80 check

## blog20200619-18.cfg
ring requests0
    description "request logs"
    format rfc3164
    maxlen 1200
    size 32764
    timeout connect 5s
    timeout server 10s
    server request-log 127.0.0.1:6514

## blog20200619-19.cfg
log ring@requests0 local7

## blog20200619-20.sh
$ echo "show events requests0" |socat tcp-connect:127.0.0.1:9999 -
<189>Jun 14 15:58:33 haproxy[22071]: Proxy fe_main started.
<190>Jun 14 15:58:40 haproxy[22072]: ::ffff:127.0.0.1:55344 [14/Jun/2020:15:58:40.071] fe_main be_main/server1 0/0/0/1/1 200 799 - - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1"

## blog20200619-21.sh
call trace(20):
      |       0x53e2dc [eb 16 48 63 c3 48 c1 e0]: wdt_handler+0x10c
      |    0x800e02cfe [e8 5d 83 00 00 8b 18 8b]: libthr:pthread_sigmask+0x53e
      |    0x800e022bf [48 83 c4 38 5b 41 5c 41]: libthr:pthread_getspecific+0xdef
      | 0x7ffffffff003 [48 8d 7c 24 10 6a 00 48]: main+0x7fffffb416f3
      |    0x801373809 [85 c0 0f 84 6f ff ff ff]: libc:__sys_gettimeofday+0x199
      |    0x801373709 [89 c3 85 c0 75 a6 48 8b]: libc:__sys_gettimeofday+0x99
      |    0x801371c62 [83 f8 4e 75 0f 48 89 df]: libc:gettimeofday+0x12
      |       0x51fa0a [48 89 df 4c 89 f6 e8 6b]: ha_thread_dump_all_to_trash+0x49a
      |       0x4b723b [85 c0 75 09 49 8b 04 24]: mworker_cli_sockpair_new+0xd9b
      |       0x4b6c68 [85 c0 75 08 4c 89 ef e8]: mworker_cli_sockpair_new+0x7c8
      |       0x532f81 [4c 89 e7 48 83 ef 80 41]: task_run_applet+0xe1

## blog20200619-22.cfg
tcp-request connection track-sc0 src,debug(track-sc)

## blog20200619-23.sh
$ echo "show events buf0"|socat /var/run/haproxy.sock -
<0>2020-06-10T20:54:59.960865 [debug] track-sc: type=ipv4 <192.168.1.17>

## blog20200619-24.sh
[NOTICE] 165/231825 (7274) : haproxy version is 2.2.0
[NOTICE] 165/231825 (7274) : path to executable is ./haproxy

## blog20200619-25.cfg
http-after-response set-header Via "%[res.ver] haproxy"

## blog20200619-26.cfg
# strip /foo, e.g. turn /foo/bar?q=1 into /bar?q=1
http-request replace-path /foo/(.*) /\1 if { url_beg /foo/ }

## blog20200619-27.cfg
lua-prepend-path /usr/share/haproxy-lua/?/init.lua
lua-prepend-path /usr/share/haproxy-lua/?.lua

## blog20200619-28.lua
local reply = txn:reply()
reply:set_status(400, "Bad request")
reply:add_header("content-length", "text/html")
reply:add_header("cache-control", "no-cache")
reply:add_header("cache-control", "no-store")
reply:set_body("<html><body><h1>invalid request<h1></body></html>")
txn:done(reply)

## blog20200619-29.cfg
http-request redirect location '%[url,regsub("(foo|bar)([0-9]+)?","\2\1",i)]'

## blog20200619-30.sh
$ echo "show table fe_main  data.http_req_cnt gt 1 data.http_req_rate gt 3" |socat tcp-connect:127.0.0.1:9999 -
# table: fe_main, type: ip, size:1048576, used:1
0x55e7888c2100: key=192.168.1.17 use=0 exp=7973 http_req_cnt=7 http_req_rate(10000)=7

## blog20200619-31.cfg
use-server %[hdr(srv)] if { hdr(srv) -m found }
server app1 172.31.31.151:10000 check
server app2 172.31.31.174:10000 check

## blog20200619-32.sh
$ curl -H 'srv: app2' https://localhost/

## blog20200619-33.sh
$ echo "expert-mode on; debug dev memstats;" |socat /var/run/haproxy.sock -

ev_epoll.c:260            CALLOC  size:         9600  calls:         4  size/call:   2400
ssl_sock.c:4555           CALLOC  size:           64  calls:         1  size/call:     64
ssl_sock.c:2735           MALLOC  size:          342  calls:         3  size/call:    114
ssl_ckch.c:913            CALLOC  size:           88  calls:         1  size/call:     88
ssl_ckch.c:773            CALLOC  size:           56  calls:         1  size/call:     56
ssl_ckch.c:759            CALLOC  size:          122  calls:         1  size/call:    122
cfgparse-ssl.c:1041       STRDUP  size:           12  calls:         1  size/call:     12
cfgparse-ssl.c:1038       STRDUP  size:          668  calls:         1  size/call:    668
cfgparse-ssl.c:253        STRDUP  size:           12  calls:         1  size/call:     12
cfgparse-ssl.c:202        STRDUP  size:         1336  calls:         2  size/call:    668
hlua.c:8007              REALLOC  size:        15328  calls:         7  size/call:   2189
hlua.c:7997               MALLOC  size:       137509  calls:      1612  size/call:     85
cfgparse.c:4098           CALLOC  size:          256  calls:         8  size/call:     32
cfgparse.c:4075           CALLOC  size:          600  calls:        15  size/call:     40
	# Add new empty certificate
	$ echo "new ssl cert /etc/haproxy/certs/wildcard.demo.haproxy.net.pem" \|socat tcp-connect:127.0.0.1:9999 -
	New empty certificate store '/etc/haproxy/certs/wildcard.demo.haproxy.net.pem'!

	# Create transaction with certificate data
	$ echo -e -n "set ssl cert /etc/haproxy/certs/wildcard.demo.haproxy.net.pem <<\n$(cat /tmp/wildcard.demo.haproxy.net.pem)\n\n" \|socat tcp-connect:127.0.0.1:9999 -
	Transaction created for certificate /etc/haproxy/certs/wildcard.demo.haproxy.net.pem!

	# Commit certificate into memory for use
	$ echo "commit ssl cert /etc/haproxy/certs/wildcard.demo.haproxy.net.pem" \|socat tcp-connect:127.0.0.1:9999 -
	Committing /etc/haproxy/certs/wildcard.demo.haproxy.net.pem
	Success!
	$ echo "add ssl crt-list /etc/haproxy/crt.lst /etc/haproxy/certs/wildcard.demo.haproxy.net.pem" \|socat tcp-connect:127.0.0.1:9999 -
	Inserting certificate '/etc/haproxy/certs/wildcard.demo.haproxy.net.pem' in crt-list '/etc/haproxy/crt.lst'.
	Success!
	$ echo "show ssl cert" \|socat tcp-connect:127.0.0.1:9999 -
	# filename
	certs/test.local.pem.ecdsa
	certs/test.local.pem.rsa
	$ echo "show ssl cert certs/test.local.pem.ecdsa" \|socat tcp-connect:127.0.0.1:9999 -
	Filename: certs/test.local.pem.ecdsa
	Status: Used
	Serial: 0474204BCBAEFD4271A9E77AACC35BA92D42
	notBefore: Apr 28 11:07:59 2020 GMT
	notAfter: Jul 27 11:07:59 2020 GMT
	Subject Alternative Name: DNS:test.local, DNS:test.local
	Algorithm: EC256
	SHA1 FingerPrint: B3B9F41ECD74422EE0DD7A8C7F35CFA3C398CA82
	Subject: /CN=test.local
	Issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
	Chain Subject: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
	Chain Issuer: /O=Digital Signature Trust Co./CN=DST Root CA X3
	$ echo "show ssl crt-list" \|socat tcp-connect:127.0.0.1:9999 -
	/etc/haproxy/crt.lst

	$ echo "show ssl crt-list /etc/haproxy/crt.lst" \|socat tcp-connect:127.0.0.1:9999 -
	# /etc/haproxy/crt.lst
	/etc/haproxy/certs/test.local.pem.ecdsa [alpn h2,http/1.1]
	/etc/haproxy/certs/wildcard.demo.haproxy.net.pem
	$ curl -k https://demo.haproxy.local/hello
	Hey there! 🐘
	You're accessing: demo.haproxy.local:443🔒
	From: 192.168.1.25
	You've made a total of 7 requests.
	http-errors test.local
	errorfile 400 /etc/haproxy/errorfiles/test.local/400.http
	errorfile 403 /etc/haproxy/errorfiles/test.local/403.http

	http-errors demo.haproxy.net
	errorfile 400 /etc/haproxy/errorfiles/demo.haproxy.net/400.http
	errorfile 403 /etc/haproxy/errorfiles/demo.haproxy.net/403.http
	backend servers
	option httpchk HEAD /health HTTP/1.1\r\nHost:\ test.local
	server srv1 192.168.1.5:80 check
	backend servers
	option httpchk
	http-check send meth HEAD uri /health ver HTTP/1.1 hdr Host test.local
	server srv1 192.168.1.5:80 check
	backend servers
	option httpchk
	http-check send meth POST uri /health hdr Content-Type "application/json;charset=UTF-8" hdr Host www.mwebsite.com body "{\"id\": 1, \"field\": \"value\"}"
	server srv1 192.168.1.5:80 check