Re: Question about system architecture with different sets of webservers

From: Willy Tarreau <>
Date: Wed, 30 Jul 2008 22:44:41 +0200

Hi Samuel,

I've just quickly read your mail, to be honest.

On Wed, Jul 30, 2008 at 10:57:58AM +0200, Samuel Vogel wrote:
> 2008/7/29 <>
> > Look at haproxy configuration example, it looks like your requirement,
> > at least, selecting backends based on regex
> This is what I looked up in your documentation. My question just is, if this
> really is a feasible solution?
> To start with there would be 5 servers, everyone serving up about a 100
> different websites. So the regexp for every server would be pretty long. If
> every domain has 10 characters, that would be more than a 1000 character
> regexp. I don't know how haproxy would deal and also scale with that.

Don't do that. Large regexes are unmaintainable and a major source of typos and long downtimes on all sites which heavily rely on them.

If you want to have a list of sites, you'd better use a multi-match ACL. One solution is the following (preferred) :

     acl site_on_back1 hdr(host) -i
     acl site_on_back1 hdr(host) -i
     acl site_on_back1 hdr(host) -i
     acl site_on_back1 hdr(host) -i
     acl site_on_back1 hdr(host) -i
     use_backend back1 if site_on_back1

It *will* be faster than an awful regex, and fully maintainable. Later it will be possible to load ACLs from a file. The "-f" flag is already supported, but ignored right now. It will then be perfectly suited for such a usage.

The second solution is adapted to small lists, it consists in building as many ACLs as you have sites :

     acl site1 hdr(host) -i
     acl site2 hdr(host) -i
     acl site3 hdr(host) -i
     acl site4 hdr(host) -i
     acl site5 hdr(host) -i
     use_backend back1 if site1 or site2 or site3 or site4 or site5

But there's a limit on the number of words per line (256 I believe) and it will be slightly slower and harder to maintain.

> Also: Can you manipulate the ACLs at runtime without having to take haproxy
> down?

Not right now either, you have to reload the configuration. One thing which still needs thinking before properly implementing file-based ACLs is a way to reliably reload them in all processes (for people running multiple processes). Also, there's still a problem with chroots that needs to be fixed. Perhaps immediately going for an unchrooted side process responsible for such file access would make sense.

Willy

Received on 2008/07/30 22:44

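Added example, not part of the original mail or of haproxy itself: a small Python generator for the preferred multi-match form above (one "acl <name> hdr(host) -i <host>" line per site), which validates every hostname and refuses a host assigned to two backends, so a typo fails at generation time instead of at reload. The function names, backend names and the .example hostnames are assumptions made for illustration.

```python
import re

# One DNS label: letters, digits, hyphen; no leading/trailing hyphen.
# Anything else (spaces, '|', '*', regex metacharacters) is rejected.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")
_NAME = re.compile(r"[A-Za-z0-9_.:-]+")  # conservative backend-name check (assumption)


def normalize_host(host):
    """Lowercase, drop a trailing dot, and validate each label."""
    h = host.strip().lower().rstrip(".")
    if not h or len(h) > 253 or not all(_LABEL.fullmatch(p) for p in h.split(".")):
        raise ValueError(f"invalid hostname: {host!r}")
    return h


def render_acls(backends):
    """Return config lines for a dict of backend name -> iterable of hostnames.

    Emits one 'acl' line per host (same ACL name repeated, as in the mail)
    followed by one 'use_backend' line per backend.
    """
    owner = {}   # host -> backend that already claimed it
    lines = []
    for backend in sorted(backends):
        if not _NAME.fullmatch(backend):
            raise ValueError(f"invalid backend name: {backend!r}")
        hosts = sorted({normalize_host(h) for h in backends[backend]})
        if not hosts:
            raise ValueError(f"backend {backend} has no sites")
        acl = f"site_on_{backend}"
        for host in hosts:
            if host in owner:
                raise ValueError(f"{host} listed for both {owner[host]} and {backend}")
            owner[host] = backend
            lines.append(f"acl {acl} hdr(host) -i {host}")
        lines.append(f"use_backend {backend} if {acl}")
    return lines


# Constructed sample input (hostnames under the reserved .example TLD).
SAMPLE = {
    "back1": ["www.shop.example", "Blog.Shop.Example", "static.shop.example"],
    "back2": ["wiki.docs.example", "api.docs.example."],
}

if __name__ == "__main__":
    print("\n".join(render_acls(SAMPLE)))
```
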