Making changes to haproxy package; how do I make them available to everyone?
-
I've changed ports info to compile 1.4.18
amd64
http://e-sac.siteseguro.ws/pfsense/8/amd64/All/haproxy-1.4.18.tbz
i386
http://e-sac.siteseguro.ws/pfsense/8/All/haproxy-1.4.18.tbz
-
I was going to say, I had no problem compiling 1.4.18, but you've already completed it. That's great. Is there anything else I need to do?
-
Install package 0.3 on a pfSense other than your production server and test it.
I'll check here too.
When all tests are done, I'll change version to 1.0 release.
-
We did try 1.4.16 but there was something about it that didn't work correctly with RPC/MAPI (we're load balancing Exchange 2010). Whatever it was, it worked when we used 1.4.18 without any changes to the config.
The RPC/MAPI you use with 1.4.18 is for OWA or all Exchange services? Can I replace Micro$oft NLB with haproxy?
It could be very useful to me. Exchange NLB freaks out my network every time I enable it.
-
All exchange services. We are using this for that on RPC/MAPI, OWA/EWS (both the HTTPS access and the HTTP listener which redirects to HTTPS), IMAP, POP3, SMTP (both internal and external).
I and a few co-workers have been eating our own dog food by running our own Outlook clients through our pfSense HAProxy setup for the better part of a month now and it's working great.
About 50% of our desktops are Mac and are running Outlook 2011, which uses EWS for all of its mail access, and in my limited testing so far it seems to work well that way too.
NLB is pretty crappy, so yeah we're definitely looking forward to replacing it. Once this package goes live, we're going to be doing some strict penetration testing since our pfSense cluster straddles our internal and DMZ (so that it can deal with external SMTP), and then we're going to get the rest of our group and department on it before rolling it out for the whole organization.
Once I get it all set I'll write up a post about it.
I'm doing some limited testing here at home of 0.3 version. Tomorrow when I get into work I will load it on there and try it out (it's not production yet, just the few people including myself who are using it live for ourselves) and I'll report back.
-
All exchange services. We are using this for that on RPC/MAPI, OWA/EWS
Great, I'll test too. Any specific balance option to do this?
Once this package goes live, we're going to be doing some strict penetration testing since our pfSense cluster straddles our internal and DMZ (so that it can deal with external SMTP)
Try the postfix forwarder package, it works really nicely together with Exchange. It keeps out more than 80% of misconfigured/fake spam servers and protects your Exchange servers from the internet.
-
The balance option depends on the service. For OWA, use source because you need to keep the same client on the same CAS server and since it's HTTPS you can't insert a tracking cookie. For SMTP/POP3/IMAP use round robin. RPC is a bit complex because by default Exchange uses three different services over RPC (the endpoint mapper, the address book, and MAPI) and a giant range of ports for RPC. You have to make changes so that the address book and MAPI use a single port. Then you need to create a separate frontend for each of those and add advanced options to keep the client connections on the same CAS servers (technically you don't need to create separate frontends to do this in HAProxy, but with the way it's implemented in pfSense you do). For the MAPI stuff I'm using the newly added leastconn balance option, but I was using round robin before that. I think that the advanced options end up overriding it anyway so I'm not sure it makes a difference.
It'll be clearer once I have time to put together a real write-up.
As for spam protection, we have that covered for now with a single appliance. Once this is in place, we plan on making use of multiple spam gateways which we will also load balance with this setup.
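The layout described in the post above, sketched as a raw HAProxy 1.4 configuration. This is an added example, not the poster's configuration or the pfSense package's generated output. The 192.0.2.x addresses, section and server names, timeouts, the static RPC ports 59532/59533 and the stick-table "advanced options" are all assumptions.

```haproxy
# Added illustration. All addresses, names, timeouts and the two static
# RPC ports are placeholders; substitute the values configured on your CAS servers.
defaults
    mode tcp
    timeout connect 5s
    timeout client  30m
    timeout server  30m

# OWA/EWS: HTTPS is passed through in TCP mode, so no cookie can be
# inserted; "balance source" keeps a client on the same CAS server.
listen exchange_owa
    bind 192.0.2.10:443
    balance source
    server cas1 192.0.2.21:443 check
    server cas2 192.0.2.22:443 check

# SMTP (POP3 and IMAP follow the same pattern on their own ports).
listen exchange_smtp
    bind 192.0.2.10:25
    balance roundrobin
    server cas1 192.0.2.21:25 check
    server cas2 192.0.2.22:25 check

# RPC endpoint mapper. It owns the stick table that the other two RPC
# sections share, so one client IP maps to one CAS for all three services.
listen exchange_rpc_epm
    bind 192.0.2.10:135
    balance leastconn
    stick-table type ip size 10k expire 30m
    stick on src
    server cas1 192.0.2.21:135 check
    server cas2 192.0.2.22:135 check

# MAPI (RPC Client Access) pinned to one static port on the CAS servers.
listen exchange_rpc_mapi
    bind 192.0.2.10:59532
    balance leastconn
    stick on src table exchange_rpc_epm
    server cas1 192.0.2.21:59532 check
    server cas2 192.0.2.22:59532 check

# Address book service pinned to its own static port.
listen exchange_rpc_addressbook
    bind 192.0.2.10:59533
    balance leastconn
    stick on src table exchange_rpc_epm
    server cas1 192.0.2.21:59533 check
    server cas2 192.0.2.22:59533 check
```

Servers must be listed in the same order in the three RPC sections, because the shared table stores server IDs, which are assigned by position. When a stick-table entry matches, it takes precedence over the balance algorithm.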
-
Also one quick question before I go to sleep, how big is your exchange environment?
-
There are 14 exchange servers distributed in some locations, but my problem is with 02 exchange servers in the main site.
Total mailboxes are 60k.
-
Everything is looking good to me.
I noticed that you made the required version 2.0. Are we only updating this for 2.0? As far as I know it's only the binary for 7 that is needed to make this work on 1.2.3.
That's a large exchange environment you have! We've got around 1,100 mailboxes. Are you on Exchange 2010 as well?
-
Everything is looking good to me.
Good news. :) Did you test all features?
I noticed that you made the required version 2.0. Are we only updating this for 2.0? As far as I know it's only the binary for 7 that is needed to make this work on 1.2.3.
I'll compile it to 1.2.3 too. The required version you see is just on 2.0 xml.
Are you on Exchange 2010 as well?
Not yet.
-
Yes, as far as I can tell all features are working. I am still running my own Outlook instance through it. All options in the package are there and appear to be working fine. The XMLRPC sync is good.
Any chance I can get access to this wiki page to update it once this goes totally live:
http://doc.pfsense.org/index.php/Haproxy_package
Are you on 2007 or 2003?
-
Are you on 2007 or 2003?
Both, some locations are not migrated yet.
Any chance I can get access to this wiki page to update it once this goes totally live:
Ask the core developers to create an account at docs.pfsense.org for you.
-
Hey marcello, are we ready to finalize the package? Is there anything else you need from me?
What's the best way to contact a core developer for wiki access without annoying them? I know PMing is generally frowned upon..
-
Just changed package version to 1.4.18 pkg v 1.0
Once I finish 1.2.3 compiling and testing, I'll change it there too.
To create an account at docs.pfsense.com, just send an email to wikiadmin@pfsense.org asking for it.
-
Sounds good, though I do not see the version updated.
-
I've republished package version change.
-
Marcello, just want to say that everything is working great. Thanks so much for your help. I have wiki access and as soon as I have some time, this week or early next week, I'll update the docs to reflect the changes.
I updated my cluster members today and noticed that the package still pulls files from your servers rather than the pfSense servers. Is that normal? Will it stay that way?
-
Package version 1.4.18 was not on ports when I published this update and also files.pfsense.org was not building haproxy everyday.
Since FreeBSD ports updated haproxy to 1.4.18 and this package is available on files.pfsense, I will update the package download link.
-
Thanks again for everything; I may make more changes in the future but I think I'm done for a little while. I've updated the docs, and I referred to you by your forums name in case you didn't want your real name in there. Feel free to change that or let me know and I'll make the change.
http://doc.pfsense.org/index.php/Haproxy_package