HAProxy 1.8.0 (mail-archive.com)
147 points by rjgray on Nov 26, 2017 | hide | past | web | favorite | 23 comments

I really am amazed at the stability and quality of the HAProxy project, and have been since its inception many, many years ago.

We use it on many of our projects and it has always been a very reliable piece of software, even at high traffic.

Kudos Willy and team, congratulations on the release!


Totally agree. Want to show my appreciation in beers. I wish there were options other than PayPal.

> haproxy can now be built with native systemd support using USE_SYSTEMD=1 and starting it with -Ws (systemd-aware master-worker mode).

What features/integrations make sense for a proxy with systemd? I'd assume it's only a unit file that comes with the package, but that "-Ws" makes me wonder if there are deeper integrations.

I was the person who created the patch. For now all it does is compile in support for `Type=notify` (using sd_notify [1]) in the unit file: haproxy is able to notify systemd when it has completed the `start` or the `reload`.

In the future this could be extended to support systemd's socket passing and status messages, the latter allowing you to show a short string in `systemctl status haproxy`. See this example for php-fpm:

    [root@example ~]# systemctl status php7.0-fpm.service
    ● php7.0-fpm.service - The PHP 7.0 FastCGI Process Manager
       Loaded: loaded (/lib/systemd/system/php7.0-fpm.service; enabled)
       Active: active (running) since Sat 2017-11-25 13:28:22 CET; 1 day 8h ago
         Docs: man:php-fpm7.0(8)
     Main PID: 4624 (php-fpm7.0)
       Status: "Processes active: 3, idle: 29, Requests: 1203613, slow: 545, Traffic: 10.1req/sec"

See the mailing list thread for the full discussion of the feature: https://www.mail-archive.com/haproxy@formilux.org/msg27874.h...

[1] https://www.freedesktop.org/software/systemd/man/sd_notify.h...
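To make the `Type=notify` exchange described above concrete, here is an added example (not haproxy's own code, nor part of the original thread) that plays both sides of the sd_notify(3) protocol in plain Python: a stand-in for systemd's notify socket, and a master process announcing `start` and `reload`. The protocol facts are from sd_notify(3): systemd hands the socket path to the service in `$NOTIFY_SOCKET`, the service sends newline-separated `KEY=VALUE` lines as a single datagram, `READY=1` completes startup, and `RELOADING=1` followed by a fresh `READY=1` brackets a reload. The `STATUS=` strings are constructed for this example and are not the text haproxy itself sends.

```python
import os
import socket
import tempfile
from typing import Dict, List, Optional


def sd_notify(state: str, notify_socket: Optional[str] = None) -> bool:
    """Send one notification datagram the way sd_notify(3) does.

    systemd passes the socket path in $NOTIFY_SOCKET when the unit is
    Type=notify; a leading '@' denotes an abstract-namespace socket.
    Returns False (a harmless no-op) when not running under such a unit.
    """
    path = notify_socket if notify_socket is not None else os.environ.get("NOTIFY_SOCKET")
    if not path:
        return False
    if path.startswith("@"):
        path = "\0" + path[1:]
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
        sock.connect(path)
        sock.send(state.encode())  # one datagram of newline-separated KEY=VALUE lines
    return True


def parse_notify_message(datagram: bytes) -> Dict[str, str]:
    """Parse a notification datagram into KEY=VALUE pairs (last value wins)."""
    fields: Dict[str, str] = {}
    for line in datagram.decode("utf-8", errors="replace").split("\n"):
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key] = value
    return fields


def simulate_start_and_reload() -> List[Dict[str, str]]:
    """Play both sides: a stand-in for systemd's notify socket and a
    master process announcing start and reload as a Type=notify unit must.

    The STATUS strings below are constructed for this example.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "notify")
        with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as manager:
            manager.bind(path)
            manager.settimeout(5)
            # start: systemd keeps the unit "activating" until READY=1 arrives
            sd_notify("READY=1\nSTATUS=Ready.\n", path)
            # reload: RELOADING=1 puts the unit into "reloading" ...
            sd_notify("RELOADING=1\nSTATUS=Reloading configuration.\n", path)
            # ... and a fresh READY=1 completes it
            sd_notify("READY=1\nSTATUS=Ready.\n", path)
            return [parse_notify_message(manager.recv(4096)) for _ in range(3)]


if __name__ == "__main__":
    for message in simulate_start_and_reload():
        print(message)
```

Under a real unit, systemd by default only honours messages from the unit's main PID (`NotifyAccess=main`), which is why the master-worker mode matters: the master that `-Ws` starts is the main PID, so it is the process that can report a completed start or reload on the workers' behalf.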

I actually had/have an issue with the systemd-wrapper haproxy uses in 1.7 where systemd gets confused when doing a reload + a restart before all sessions are closed. This caused haproxy to completely stop accepting connections until the systemd timeout kicked in and sent a kill -9.

I reported it and was told it might not affect 1.8 since the systemd-wrapper is removed there, so I'm gonna give this a try soon. See this thread: https://www.mail-archive.com/haproxy@formilux.org/msg27404.h...

(And I switched to only doing a reload notify in Ansible together with the hard-stop-after option in haproxy which is OK for me as well in 1.7)

If anyone is wondering, as I was, what haproxy is, it's a "reliable, high performance TCP/HTTP load balancer."


Great! I've been using it since 1.4 on projects that are reliable because of it. It's great software.

Now I know what my week's R&D time will be: HTTP/2 in HAProxy!

I do hope that HAProxy might support ACME at some point. I'm currently stuck on Traefik, which has been breaking some traffic, but I rely heavily on dynamically issued LE certs.

Otherwise, outside of SSL, HAProxy has been very pleasant in my experience.

We are using https://github.com/janeczku/haproxy-acme-validation-plugin to provide ACME support directly in HAProxy without an extra backend. Example:

    frontend example.com
        # The Lua service below is registered by the plugin's script, which
        # must be loaded with lua-load in the global section
        # Serve ACME HTTP-01 domain validations from the Lua service
        acl url_acme_http01 path_beg /.well-known/acme-challenge/
        http-request use-service lua.acme-http01 if METH_GET url_acme_http01
        # Redirect all other plain HTTP traffic to HTTPS
        redirect scheme https code 301 if !{ ssl_fc }

Where's your problem? Spin up a certbot docker container and use this in haproxy:

    frontend http_in
      mode http          # needed for path_beg unless 'defaults' already sets it
      bind *:80
      bind *:443 ssl crt /path/to/letsencrypt/data/mydomain.pem
      # Matched before any host ACLs, so challenges for every domain reach certbot
      acl path_letsencrypt path_beg /.well-known/acme-challenge
      use_backend letsencrypt if path_letsencrypt
    backend letsencrypt
      mode http
      server server-letsencrypt MYLOCALIP:8080   # the certbot container's HTTP-01 listener

For the letsencrypt docker image, I use mesosphere/letsencrypt-dcos with a patched run.sh that triggers a docker kill -s HUP on the haproxy container.

My problem is usually that I rely heavily on Traefik being able to very easily issue certificates simply by having a backend with a hostname present.

If I, for example, configure my PHP VM to be reachable over "test.example.org" in Traefik, then Traefik will automatically try to issue a certificate for this domain once it detects the config change.

On HAProxy this is not as easy as I need to tell both LE and HAP about the new backend.

If it was integrated, I would only have to tell HAP.

> On HAProxy this is not as easy as I need to tell both LE and HAP about the new backend.

You only need to tell the certbot container the new domain. The frontend config I gave you actually hits before any host ACLs, which means it will pass all acme-challenge requests on all domains to the certbot container, and certbot will reload haproxy when it's done.

No I need to tell both.

HAP still needs to know where to route the traffic to and LE needs to know which domains are available.

Can you share your experience with Traefik? We also wanted to integrate it into our stack. What problems do you have? How does it scale?

My major problem with Traefik is that if you aren't using the defined stacks and opt for file configuration, it can be a bit exhausting to configure; TOML is a rather repetitive format.

It also lacks support for HTTP streaming for non-standard HTTP (I wish there were an option to just enable streaming on a host), which sucks for some enterprise software, and streaming for entire hosts, so my Nextcloud instance always has to wait for the Traefik host to buffer the response before being able to download the file to the browser.

However, in terms of scaling and being able to get an SSL-terminating or SSL-handover reverse proxy going, it's a breeze and it handles decent load very well.

Amazing work. Thanks haproxy team!

Do people really announce new releases just over email and things like mail-archive? Those mail archives always looked strange to me for some unknown reason.

For going on 20 years, yes. I even add hashes for each package (i.e. the tarball & platform installers) to the end of the message and sign it. I find it odd and inconvenient when projects don't announce releases via email.


If there is a mailing list for the software, why not send release information over there? It makes a lot of sense to me. I'm also subscribed to several, and some software also announces patches or security-related stuff on mailing lists. I see mail as a low barrier to entry (every developer has an email address).

What else would you use to notify interested people and be able to receive feedback at the same time?

Sure, I think it makes sense to have this on the forum as well as a shadow post or something. I posted this https://discourse.haproxy.org/t/haproxy-1-8-officially-relea... and will see if Willy would like to keep this and perhaps create an announcement category. Ultimately his call, but there has been a lot of 1.8 discussion on the forum lately.

Not only do people do it, but not too long ago it was the ONLY way people did it.

How else would they do it?
