HAProxy 1.9 Has Landed
# Enables HTX, the native HTTP representation introduced with HAProxy 1.9, for this proxy section.
option http-use-htx
# alpn requires that the server is using openssl 1.0.2 or above
# NOTE(review): "verify none" disables validation of the server certificate, so the
# connection to 192.168.1.16 is encrypted but the peer is not authenticated. Outside a
# lab, prefer "verify required" with "ca-file <path-to-ca-bundle>" (placeholder path).
server server1 192.168.1.16:443 ssl verify none alpn h2
# Front end that accepts HTTP on port 80 and TLS on port 443 and hands every request to be_main.
frontend fe_main
mode http
# Enable HTX, the new native http representation
option http-use-htx
# Cleartext listener on all addresses; nothing in this snippet redirects it to HTTPS.
bind *:80
# TLS listener. ALPN offers h2 first, then http/1.1. The file given to "crt" normally
# also carries the private key, so keep its permissions tight.
bind *:443 ssl crt /etc/hapee-1.8/certs/www.example.com.pem alpn h2,http/1.1
default_backend be_main
# Back end that speaks HTTP/2 over TLS to a single server, negotiated through ALPN.
backend be_main
mode http
option http-use-htx
# NOTE(review): "verify none" means the server certificate is never checked, so this
# hop is encrypted but unauthenticated. For anything beyond a demo, use
# "verify required" with "ca-file <path-to-ca-bundle>" (placeholder path).
server server1 192.168.1.13:443 ssl verify none alpn h2
# "proto h2" forces HTTP/2 on this server connection without TLS or ALPN negotiation;
# traffic to 192.168.1.13:80 is cleartext, so use it only on a trusted network segment.
server server1 192.168.1.13:80 proto h2
# Each rule adds a Link header to an early-hints (103) interim response, letting the
# client start fetching the stylesheet and script before the final response arrives.
http-request early-hint Link "</style.css>; rel=preload; as=style"
http-request early-hint Link "</script.js>; rel=preload; as=script"
$ haproxy -W -S /var/run/haproxy-master-socket -f /etc/haproxy/haproxy.cfg
$ socat /tmp/master-socket readline
master> help
help : this message
prompt : toggle interactive mode with prompt
quit : disconnect
@<relative pid> : send a command to the <relative pid> process
@!<pid> : send a command to the <pid> process
@master : send a command to the master process
show cli sockets : dump list of cli sockets
show proc : show processes status
reload : reload haproxy
master> show proc
#<PID> <type> <relative PID> <reloads> <uptime>
910 master 0 0 0d 00h04m49s
# workers
911 worker 1 0 0d 00h04m49s
master> @1 show info
Name: HAProxy
Version: 1.9-dev9
Release_date: 2018/12/02
Nbthread: 1
Nbproc: 1
Process_num: 1
Pid: 911
...
$ echo "show map" | socat /var/run/haproxy.sock stdio
# id (file) description
-1 (/etc/haproxy/maps/hosts.map) pattern loaded from file '/etc/haproxy/maps/hosts.map' used by map at file '/etc/hapee-1.8/hapee-lb.cfg' line 94
$ echo -e "add map #-1 <<\ntest1 be_one\ntest2 be_two\n" | socat /var/run/haproxy.sock stdio
$ echo "show map #-1" | socat /var/run/haproxy.sock stdio
0x217aa80 test1 be_one
0x2190010 test2 be_two
$ echo -e "add map #-1 <<\n$(cat data.map)\n" | socat /var/run/haproxy.sock stdio
$ echo -e "set ssl ocsp-response <<\n$(base64 /etc/haproxy/certs/haproxy.com.pem.ocsp)\n" |socat /var/run/haproxy.sock stdio
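#!/bin/bash
#
# Fetch a fresh OCSP response for one certificate, store it next to the
# certificate as <cert>.ocsp, and push it to a running HAProxy through the
# Runtime API so the stapled response is updated without a reload.
#
# Requires: openssl, wget, awk, base64, socat; write access to DIR and to the
# Runtime API socket.
#
# Trust caveats (behaviour kept from the original script, flagged for review):
#   * The issuer certificate is downloaded from the "CA Issuers" URL embedded
#     in the certificate. This script does not authenticate that download.
#   * "openssl ocsp -noverify" skips signature and chain checks on the response.
#   * "-no_nonce" sends no nonce, so the reply is not bound to this request;
#     freshness rests on the validity window carried inside the response.
#   Where a forged or stale response matters, install the issuer chain from a
#   trusted source and replace -noverify with verification against it, e.g.
#   "-CAfile <trusted-chain.pem>" (placeholder path).

# Stop on the first failure so a broken download is never pushed to HAProxy.
set -euo pipefail

# Certificates path and names
DIR="/etc/haproxy/certs"
CERT="haproxy.com.pem"
RUNTIME_API=/var/run/haproxy.sock

cert_file="${DIR}/${CERT}"

# Build new files in a private scratch directory; the live files are only
# replaced after every step that produces them has succeeded.
workdir=$(mktemp -d)
trap 'rm -rf -- "$workdir"' EXIT

# Get the issuer URI, download its certificate and convert it into PEM format.
# awk keeps everything after the first ':' of the first "CA Issuers" line, so a
# URL that contains a port number is not truncated.
ISSUER_URI=$(openssl x509 -in "$cert_file" -text -noout \
  | awk '/CA Issuers/ && !seen { sub(/^[^:]*:/, ""); print; seen = 1 }')

# The URL comes from certificate content; accept only the schemes we expect.
case "$ISSUER_URI" in
  http://* | https://*) ;;
  *)
    printf 'error: no usable CA Issuers URL in %s\n' "$cert_file" >&2
    exit 1
    ;;
esac

# File name of the issuer certificate: last path component minus its extension.
issuer_basename=${ISSUER_URI##*/}
ISSUER_NAME=${issuer_basename%.*}
if [[ -z "$ISSUER_NAME" ]]; then
  printf 'error: cannot derive an issuer file name from %s\n' "$ISSUER_URI" >&2
  exit 1
fi
issuer_file="${DIR}/${ISSUER_NAME}.pem"

wget -q -O- -- "$ISSUER_URI" \
  | openssl x509 -inform DER -outform PEM -out "$workdir/issuer.pem"
cp -f -- "$workdir/issuer.pem" "$issuer_file"

# Get the OCSP URL from the certificate (first one if several are listed)
ocsp_url=$(openssl x509 -noout -ocsp_uri -in "$cert_file")
ocsp_url=${ocsp_url%%$'\n'*}
if [[ -z "$ocsp_url" ]]; then
  printf 'error: %s carries no OCSP responder URL\n' "$cert_file" >&2
  exit 1
fi

# Extract the hostname from the OCSP URL
host_and_path=${ocsp_url#*//}
ocsp_host=${host_and_path%%/*}

# Create/update the ocsp response file and update HAProxy.
# NOTE(review): "-header Host <value>" is the older two-argument form; newer
# OpenSSL releases expect "-header Host=<value>". Adjust if openssl rejects it.
openssl ocsp -noverify -no_nonce \
  -issuer "$issuer_file" -cert "$cert_file" \
  -url "$ocsp_url" -header Host "$ocsp_host" \
  -respout "$workdir/response.der"

if [[ ! -s "$workdir/response.der" ]]; then
  printf 'error: OCSP responder at %s returned no data\n' "$ocsp_url" >&2
  exit 1
fi
cp -f -- "$workdir/response.der" "${cert_file}.ocsp"

# The payload is terminated by the empty line that follows the base64 text.
# socat's exit status only reflects the socket exchange; read HAProxy's reply
# on stdout to confirm the response was accepted.
printf 'set ssl ocsp-response <<\n%s\n\n' "$(base64 "${cert_file}.ocsp")" \
  | socat "$RUNTIME_API" stdio

# No unconditional "exit 0": the script's status now reflects the last step,
# so cron or monitoring can see a failed refresh.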
$ echo "show activity" |socat /var/run/haproxy.sock stdio
thread_id: 0
date_now: 1544214246.727292
loops: 3174
wake_cache: 1660
wake_tasks: 89
wake_signal: 0
poll_exp: 1749
poll_drop: 168
poll_dead: 0
poll_skip: 0
fd_skip: 0
fd_lock: 0
fd_del: 0
conn_dead: 0
stream: 695
empty_rq: 1901
long_rq: 0
cpust_ms_tot: 0
cpust_ms_1s: 0
cpust_ms_15s: 0
avg_loop_us: 145
global
# Turns per-task CPU profiling on from startup; the same switch can be flipped at
# runtime with "set profiling tasks on" on the Runtime API.
profiling.tasks on
$ echo "set profiling tasks on" |socat /var/run/haproxy.sock -
$ echo "show profiling" |socat /var/run/haproxy.sock -
Per-task CPU profiling : on # set profiling tasks {on|off}
# Two log formats that append the profiling sample fetches cpu_calls, cpu_ns_tot,
# cpu_ns_avg, lat_ns_tot and lat_ns_avg to each log line.
# NOTE(review): the first format includes %hr, %hs and %{+Q}r, i.e. captured headers and
# the full request line; query strings that carry tokens will end up in the logs.
# Presumably the first line is meant for HTTP proxies and the second for TCP — confirm.
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r cpu_calls:%[cpu_calls] cpu_ns_tot:%[cpu_ns_tot] cpu_ns_avg:%[cpu_ns_avg] lat_ns_tot:%[lat_ns_tot] lat_ns_avg:%[lat_ns_avg]"
log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq cpu_calls:%[cpu_calls] cpu_ns_tot:%[cpu_ns_tot] cpu_ns_avg:%[cpu_ns_avg] lat_ns_tot:%[lat_ns_tot] lat_ns_avg:%[lat_ns_avg]"
# Classify requests by the suffix of the URL path.
acl is_jscss path_end .js .css
acl is_image path_end .png .jpg .jpeg
# Queue priority: lower class values are dequeued first, so scripts and stylesheets (1)
# go ahead of images (10), and everything else (100) goes last.
# NOTE(review): the class is derived from the request path, which the client controls;
# a client can pick the favoured class by choosing a path that ends in .js or .css.
http-request set-priority-class int(1) if is_jscss
http-request set-priority-class int(10) if is_image
http-request set-priority-class int(100) if !is_jscss !is_image
# Sends log lines to stdout in "raw" format with facility local0.
log stdout format raw local0
# Shipped with the commit fixing the bug.
# Regression test: starts HAProxy with a stick table that nothing tracks into, sends one
# request, and expects a 200 answer as evidence that HAProxy processed it.
varnishtest "Stick Table: Crash when accessing unknown key."
feature ignore_unknown_macro
server s0 {
rxreq
txresp
} -start
haproxy h0 -conf {
defaults
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
frontend test
mode http
bind "fd@${fe1}"
stick-table type ip size 1m expire 1h store gpc0
# Both lookups use the client source address, which has no entry in table "test":
# the "unknown key" case named in the test title.
http-request deny if { src,table_trackers(test) eq 1 }
http-request deny if { src,in_table(test) }
# Reached when neither rule above matched; HAProxy answers with status 200 itself.
http-request deny deny_status 200
} -start
client c0 -connect ${h0_fe1_sock} {
txreq -url "/"
rxresp
# Passes only if HAProxy was still running to send the final deny response.
expect resp.status == 200
} -run
export HAPROXY_PROGRAM=$PWD/haproxy
varnishtest /home/user/haproxy/reg-tests/stick-table/b00000.vtc
# top TEST /home/user/haproxy/reg-tests/stick-table/b00000.vtc passed (0.112)