Haproxy multi sockets support #9

Open
yafitshm opened this issue Nov 15, 2017 · 11 comments

In an environment where nbproc > 1, when updating by 'socat' it updates a random proc and will not update all the haproxy processes that are currently running.
To resolve that and provide better visibility to haproxy, it is recommended to set up multi sockets and attach each socket to a unique process.

When updating haproxy with a new OCSP response, it is required to update all sockets.
Can this be fixed to support multi admin sockets?

pierky added a commit that referenced this issue Nov 15, 2017
Owner

pierky commented Nov 15, 2017

Hello @yafitshm, thanks for pointing that out.

You can find the current implementation of what I think may solve this issue in the "issue9" branch.
The trick is to run hapos-upd with --socket "path_to_socket1 path_to_socket2 path_to_socketN" argument.
Socket files can also be passed using a wildcard: --socket "/var/run/haproxy/*.sock".

Could you give it a try and let me know if it works for you?

Thanks.

Owner

pierky commented Nov 21, 2017

Hello @yafitshm, did you have a chance to test the new release? Did it work as you expected?
Thanks

Author

yafitshm commented Dec 3, 2017

Hi,

It does not work with the wildcard option, but found that this change solves the problem:

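# Send the OCSP response to each admin socket in turn; the shell expands the pattern in $HAPROXY_ADMIN_SOCKET.
for file in $HAPROXY_ADMIN_SOCKET; do echo "set ssl ocsp-response $(base64 -w 0 $TMP/ocsp.der)" | $SOCAT_BIN stdio $file &>>$TMP/log; done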

What do you think?
Thanks.

Owner

pierky commented Dec 5, 2017

Hello @yafitshm, could you provide me more details about the error you receive when using wildcard?
I ran some tests and couldn't reproduce any issue.
Thanks

Author

yafitshm commented Dec 6, 2017

Hi,

I got an error that it cannot open the second socket. For some reason, I cannot replicate it now.
I have set the wildcard on one of the haproxies to monitor the ocsp status and make sure it is updated on all sockets using the wildcards.
Thanks.

Owner

pierky commented Dec 7, 2017

Hi @yafitshm, can you confirm it is working? If so I'll merge it into master.
Thanks

Author

yafitshm commented Dec 7, 2017

Hi,
When running:
hapos-upd -c /path/to/ssl/cert.pem -s "/var/run/haproxy_stats."
I get the following error:
can't update haproxy ssl ocsp-response using /var/run/haproxy_stats.
socket

I have double checked it now, and when adding the for loop, it resolves that problem and all processes are getting the ocsp update.

Were you able to verify it also?
Thanks.

Owner

pierky commented Dec 7, 2017

Can't understand why you are not using the * in haproxy_stats.
Does it work if you put it in?

Author

yafitshm commented Dec 7, 2017 via email

Owner

pierky commented Dec 8, 2017

I understand now! In your first message (then edited) you were saying it worked. Then in the second one the * was not shown (as you can see on the GitHub web page) and this confused me.
I'll double check it and get back to you.


j0sh3rs commented Apr 4, 2018

HAProxy released version 1.8, which includes multithreading and global-master support (for actual multithreading), and this is the preferred method of implementing HAProxy now. Doing so only requires an nbproc 1 setting (or omitting the line), which allows for a single stats socket, bypassing this problem.
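
The per-socket update discussed in this thread, as an added example that is not part of the conversation and not hapos-upd's own code: it sends the same OCSP response to every admin socket and reports any socket that did not confirm, so a stale response in one process is not missed. The function names and the `SOCAT_BIN` default are assumptions made for the example, and it relies on HAProxy answering "OCSP Response updated!" on success.

```shell
#!/bin/sh
# Added example (not hapos-upd code). Function names are assumptions.
SOCAT_BIN="${SOCAT_BIN:-socat}"

# True if the path is a UNIX socket. An unmatched glob stays literal
# and fails this check instead of being handed to socat.
is_admin_socket() { [ -S "$1" ]; }

# Send one CLI command to one admin socket and print HAProxy's reply.
send_to_socket() {
    printf '%s\n' "$2" | "$SOCAT_BIN" stdio "unix-connect:$1"
}

# update_all_sockets OCSP_DER SOCKET_SPEC
# SOCKET_SPEC: space-separated paths and/or globs, e.g. "/var/run/haproxy/*.sock".
# Prints "OK <path>" or "FAIL <path>" per socket; returns 0 only if every
# socket confirmed the update and at least one socket was found.
update_all_sockets() {
    local der spec sock cmd reply ok failed
    der="$1"; spec="$2"; ok=0; failed=0
    [ -r "$der" ] || { echo "cannot read $der" >&2; return 2; }
    # Same payload as "base64 -w 0": the DER response on a single line.
    cmd="set ssl ocsp-response $(base64 < "$der" | tr -d '\n')"

    # Unquoted on purpose: word splitting and pathname expansion turn
    # the spec into one path per socket.
    for sock in $spec; do
        if ! is_admin_socket "$sock"; then
            echo "FAIL $sock"; failed=$((failed + 1)); continue
        fi
        # Each socket gets its own copy of the command on stdin.
        reply="$(send_to_socket "$sock" "$cmd" 2>&1)"
        case "$reply" in
            *"OCSP Response updated!"*) echo "OK $sock"; ok=$((ok + 1)) ;;
            *) echo "FAIL $sock"; failed=$((failed + 1)) ;;
        esac
    done
    [ "$failed" -eq 0 ] && [ "$ok" -gt 0 ]
}
```

A non-zero return from `update_all_sockets` is the signal to alert on, since it means at least one HAProxy process may still be serving the previous OCSP response.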
