Channel: HAProxy community - Latest topics

Haproxy ssl termination and upstream forward proxy


@ja8zyjits wrote:

Problem:

I am trying to build a forward proxy with SSL termination; further, it upstreams to my proxy servers, e.g. TOR. My upstream proxy services are non-HTTPS.

Client -> Network-Haproxy -> Upstream-Proxy -> Internet

I could easily succeed in tcp mode of HAproxy without ssl termination, but when I terminate ssl and forward, things don’t work.

Steps Followed:

I followed the below steps to generate self-certified ssl certificates.

$ openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout haproxy-ca-key.pem -out haproxy-ca-cert.pem -subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=example.com"

Combined them to create the final .pem file:

$ cat haproxy-ca-cert.pem haproxy-ca-key.pem >> mysite.pem

The above file is used in my haproxy.cfg for ssl termination.

global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256::RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

    stats enable
    stats uri /stats
    stats realm Haproxy\ Statistics
    stats auth user:password

frontend www.mysite.com
    mode http
    bind 0.0.0.0:8443
    bind 0.0.0.0:443 ssl crt /home/ubuntu/haproxy/mysite.pem crt-ignore-err all
    redirect scheme https if !{ ssl_fc }
    default_backend web_servers

backend web_servers
    mode http
    balance roundrobin
    server server1 xx.xx.xx.xx:xxxx   # my upstream server, which is not SSL protected

When I try to curl from my client machine using the above proxy, I get the following error.

$ curl -k --proxy https://my-haproxy-server:443 --cacert haproxy-ca-cert.pem  https://httpbin.org/ip -vvv
*   Trying my-haproxy-server...
* TCP_NODELAY set
* Connected to my-haproxy-server (my-haproxy-server) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

If you have read the cfg file, you can see I have redirected :8443 to :443, so I can send requests to the non-HTTPS proxy, but that doesn't work either:

$ curl -k --proxy http://my-haproxy-server:8443 --cacert haproxy-ca-cert.pem  https://httpbin.org/ip -vvv
*   Trying my-haproxy-server...
* TCP_NODELAY set
* Connected to my-haproxy-server (my-haproxy-server) port 8443 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to httpbin.org:443
> CONNECT httpbin.org:443 HTTP/1.1
> Host: httpbin.org:443
> User-Agent: curl/7.58.0
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 302 Found
< content-length: 0
< location: https://httpbin.org:443/
< cache-control: no-cache
< connection: close
< 
* Received HTTP code 302 from proxy after CONNECT
* CONNECT phase completed!
* Closing connection 0
curl: (56) Received HTTP code 302 from proxy after CONNECT

Any lead would be appreciated.

Extra Info:

Posts: 1

Participants: 1



SSL handshake failure after heartbeat HAProxy 2.0


@djmdev wrote:

I am working on a setup where there are two HAProxies behind an AWS Network load balancer. Behind the HAProxy are apache web servers. I am passing ssl traffic from the NLB to HAProxy and then SSL offloading is taking place on HAProxy. Requests are working as expected. However the log files are getting flooded with the following messages.

Another weird part is that it's not happening all the time. But when it's happening, the log is getting flooded.
Reload/Restart seems to solve it temporarily.

Following is the output of haproxy -vv

HA-Proxy version 2.0.2-1~bpo10+1 2019/07/17 - https://haproxy.org/
Build options :
  TARGET  = linux-glibc
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -O2 -fdebug-prefix-map=/build/haproxy-2.0.2=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-format-truncation -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wno-implicit-fallthrough -Wno-stringop-overflow -Wno-cast-function-type -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
  OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_SYSTEMD=1

Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER -PCRE -PCRE_JIT +PCRE2 +PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=8).
Built with OpenSSL version : OpenSSL 1.1.1c  28 May 2019
Running on OpenSSL version : OpenSSL 1.1.1b  26 Feb 2019
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.3
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE2 version : 10.32 2018-09-10
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with the Prometheus exporter as a service

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
              h2 : mode=HTX        side=FE|BE     mux=H2
              h2 : mode=HTTP       side=FE        mux=H2
       <default> : mode=HTX        side=FE|BE     mux=H1
       <default> : mode=TCP|HTTP   side=FE|BE     mux=PASS

Available services :
	prometheus-exporter

Available filters :
	[SPOE] spoe
	[COMP] compression
	[CACHE] cache
	[TRACE] trace

Also, is there any chance that this can impact SSL offload time?

Posts: 1

Participants: 1


Moving from IPtables to HAProxy for NAT-ing


@jeunii wrote:


I currently have a solution that works well for doing NAT.

Front end IP:Port (10.238.232.20:443)--------+-------- Back end IP:Port (172.22.0.42:443)
                                             |
                                             | eth0
                                        +---------+
                                        |         |
                                        |   NAT   |
                                        |         |
                                        +---------+

This is what my setup looks like. My NAT box has only one interface eth0 with IP 10.238.232.20 and my objective is to do both IP Masquerading and IP forwarding.

In the above scenario, I'm accomplishing it using iptables:

echo 1 >  /proc/sys/net/ipv4/ip_forward

iptables -t nat -F
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -t nat -A PREROUTING -p tcp -d 10.238.232.20 --dport 443 -j DNAT --to-destination 172.22.0.42:443
iptables -t nat -A POSTROUTING -p tcp -d 172.22.0.42 --dport 443 -j SNAT --to-source 10.238.232.20

Now I want to switch from iptables to HAProxy while preserving the above behaviour.

Here is the snippet of what I have till now

frontend k8s_https_frontend
  bind *:443
  mode tcp
  default_backend k8s_https_backend

backend k8s_https_backend
  mode tcp 
  balance roundrobin
  server https_ingress 172.22.0.42:443 check port 443

Now from my browser, when I curl 10.238.232.20:443, I definitely do get a 200 response from my backend. I am just not sure if that is enough to meet both criteria, IP masquerading and IP forwarding.

Is there something else I need to do in my HAProxy config?

Posts: 1

Participants: 1


HAProxy in `mode tcp` accepts HTTP with HTTPS backend


@pludikovsky wrote:

I’m seeing a pretty strange behavior with one HAProxy setup using mode tcp trying to do pass-through to 2 HTTPS enabled servers.

Relevant configuration:

frontend front-ssl
  default_backend back-ssl
  bind 1.1.1.1:443
  mode tcp

backend back-ssl
  server back-ssl-001 1.1.1.2:8443 weight 100 check check-ssl maxconn 128 ssl verify none
  server back-ssl-002 1.1.1.3:8443 weight 100 check check-ssl maxconn 128 ssl verify none
  log global
  balance leastconn
  mode tcp
  option httpchk GET /check
  http-check expect status 200

As far as I can tell from the configuration & documentation this should work by just passing through the TCP packets. However, what I see is that the bind address accepts plain text HTTP requests which it encapsulates in HTTPS requests to the backend:

telnet 1.1.1.1 443
Trying 1.1.1.1...
Connected to 1.1.1.1.
Escape character is '^]'.
GET / HTTP/1.1
Connection: close
Accept: */*
Host: myservice.mydomain

HTTP/1.1 404 Not Found
Date: Tue, 03 Mar 2020 14:28:06 GMT
Connection: close

HAProxy is 1.7.12-1ppa1~xenial

Posts: 1

Participants: 1


HAProxy vs Apache modproxy


@surebalu wrote:

Hi Folks,

In my current organization we are using Apache mod_proxy for load balancing activities. One of our vendors suggested using HAProxy for load balancing. I tried searching for what advantages HAProxy has over Apache mod_proxy, but didn't find it anywhere. Can someone please help me to understand the differences and advantages of HAProxy over mod_proxy?

Thanks
Surendra

Posts: 1

Participants: 1


Calling a backup server as soon as a main server goes down, what's the ACL rule for this scenario?


@shen wrote:

(topic withdrawn by author, will be automatically deleted in 24 hours unless flagged)

Posts: 1

Participants: 1


Ssllab still complains about tls 1.0


@justauser wrote:

Hello together,
I am trying to achieve a good result on ssllabs.com, but I got a complaint that my website uses TLS v1.0. I thought that I had disabled it with this row in haproxy.cfg:

bind abns@go_to_myfrontend accept-proxy ssl crt /etc/haproxy/certs/mycert.pem verify none ciphers EECDH+AESGCM:EDH+AESGCM force-tlsv12 no-tlsv10

But no. Curiously, when I added the row, ssllabs stopped complaining about TLS 1.1.

Does someone know what I missed?


OpenSSL 1.0.2k-fips 26 Jan 2017
HA-Proxy version 1.5.18 2016/05/10
CentOS Linux release 7.7.1908 (Core)

Thanks a lot in advance for your time.

Posts: 2

Participants: 2


Does the runtime api support adding new ssl certs?


@eyepulp wrote:

Howdy - We’ve been anxiously awaiting the set ssl cert and commit ssl cert features under newer haproxy releases. During initial testing today we were getting an error:

self.runtime_api.command(f"set ssl cert {domain_name}.pem <<\n{pem}")
[('1', ["Can't replace a certificate which is not referenced by the configuration!", "Can't update example_com.pem!"])]

I feel pretty dumb if I mis-read the intent of the ssl cert features, but can we only update pre-existing certs and not add new ones without a full reload/restart?

Posts: 1

Participants: 1



Haproxy rewrite without a backend

Debugging "CD" state at disconnection flag


@zeff wrote:

Hello,

We see errors ending with "CD--" flags, with some requests ending with HTTP 200. According to the documentation, CD means that the client ended the connection unexpectedly at the data phase layer. We collected a packet dump from failed requests and we see that the client sends RST on the TCP session. This is usually the flow in the session stream:
TLS Client Hello -> Server Hello, Change Cipher Spec -> Things go on TLS traffic (which are encrypted) -> Client sends few ACKS -> Client Change Cipher Spec -> Few packets on TLS -> ACK from server/client -> Client sends RST, ACK

Questions:

  1. We wonder what the best practices are for debugging such errors, if TLS decryption is not possible.
  2. Is it normal to see many “CD” errors with TLS or at all?

Thanks.

Posts: 1

Participants: 1


Are sticky sessions preserved on reloads?


@lzkill wrote:

I’ve been using haproxy sticky sessions in front of a stateful application for some time now. Are these header based routing rules preserved if we restart/reload the service? How could we achieve this?

Thanks in advance!

Posts: 1

Participants: 1


Help with HAProxy-Lua-ACME


@spn wrote:

Hello everyone.
I need help with using the lua-acme to generate certificates.
I followed this guide -> https://www.haproxy.com/de/blog/lets-encrypt-acme2-for-haproxy/
But it is not really well explained. From where do I get the letsencrypt-x3-ca-chain.pem?
I think this is the problem why it is not working for me.

relevant log entries

Mar 10 17:49:08 anx-testlb0501 haproxy[29550]: 00000000:acme.accept(0009)=001d from [127.0.0.1:40610] ALPN=
Mar 10 17:49:08 anx-testlb0501 haproxy[29550]: 00000000:acme.clireq[001d:ffffffff]: POST /acme/order HTTP/1.1
Mar 10 17:49:08 anx-testlb0501 haproxy[29550]: 00000000:acme.clihdr[001d:ffffffff]: host: 127.0.0.1:9011
Mar 10 17:49:08 anx-testlb0501 haproxy[29550]: 00000000:acme.clihdr[001d:ffffffff]: authorization: Basic YWNtZTphY21l
Mar 10 17:49:08 anx-testlb0501 haproxy[29550]: 00000000:acme.clihdr[001d:ffffffff]: user-agent: curl/7.52.1
Mar 10 17:49:08 anx-testlb0501 haproxy[29550]: 00000000:acme.clihdr[001d:ffffffff]: accept: */*
Mar 10 17:49:08 anx-testlb0501 haproxy[29550]: 00000000:acme.clihdr[001d:ffffffff]: content-length: 5491
Mar 10 17:49:08 anx-testlb0501 haproxy[29550]: 00000000:acme.clihdr[001d:ffffffff]: expect: 100-continue
Mar 10 17:49:08 anx-testlb0501 haproxy[29550]: 00000000:acme.clihdr[001d:ffffffff]: content-type: multipart/form-data; boundary=------------------------adb21e245d3e4676
Mar 10 17:49:08 anx-testlb0501 haproxy[29550]: 00000002:acme-ca.accept(000a)=001e from [127.0.0.1:41240] ALPN=
Mar 10 17:49:08 anx-testlb0501 haproxy[29550]: 00000002:acme-ca.clireq[001e:ffffffff]: GET /directory HTTP/1.1
Mar 10 17:49:08 anx-testlb0501 haproxy[29550]: 00000002:acme-ca.clihdr[001e:ffffffff]: host: 127.0.0.1:9012
Mar 10 17:49:08 anx-testlb0501 haproxy[29550]: 00000002:acme-ca.clihdr[001e:ffffffff]: accept: */*
Mar 10 17:49:08 anx-testlb0501 haproxy[29550]: 00000002:acme-ca.clihdr[001e:ffffffff]: user-agent: haproxy-lua-http/1.0
Mar 10 17:49:08 anx-testlb0501 haproxy[29550]: fd[001f] OpenSSL error[0x1416f086] tls_process_server_certificate: certificate verify failed
Mar 10 17:49:10 anx-testlb0501 haproxy[29550]: fd[001f] OpenSSL error[0x1416f086] tls_process_server_certificate: certificate verify failed
Mar 10 17:49:11 anx-testlb0501 haproxy[29550]: fd[001f] OpenSSL error[0x1416f086] tls_process_server_certificate: certificate verify failed
Mar 10 17:49:12 anx-testlb0501 haproxy[29550]: fd[001f] OpenSSL error[0x1416f086] tls_process_server_certificate: certificate verify failed
Mar 10 17:49:12 anx-testlb0501 haproxy[29553]: 127.0.0.1:41240 [10/Mar/2020:17:49:08.114] acme-ca acme-ca/ca 0/0/-1/-1/4881 503 221 - - SC-- 2/1/0/0/3 0/0 "GET /directory HTTP/1.1"
Mar 10 17:49:12 anx-testlb0501 haproxy[29553]: 127.0.0.1:41240 [10/Mar/2020:17:49:08.114] acme-ca acme-ca/ca 0/0/-1/-1/4881 503 221 - - SC-- 2/1/0/0/3 0/0 "GET /directory HTTP/1.1"
Mar 10 17:49:12 anx-testlb0501 haproxy[29550]: 00000002:acme-ca.clicls[001e:adfd]
Mar 10 17:49:12 anx-testlb0501 haproxy[29550]: 00000002:acme-ca.closed[001e:adfd]
Mar 10 17:49:12 anx-testlb0501 haproxy[29550]: 00000001:LUA-SOCKET.srvcls[ffffffff:adfd]
Mar 10 17:49:12 anx-testlb0501 haproxy[29550]: 00000001:LUA-SOCKET.clicls[ffffffff:adfd]
Mar 10 17:49:12 anx-testlb0501 haproxy[29550]: 00000001:LUA-SOCKET.closed[ffffffff:adfd]

Thank you!!

Posts: 1

Participants: 1

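As an added example (not taken from either post), a Python parser for HAProxy httplog lines that decodes the termination-state flags the two threads above ask about: @zeff's "CD--" (client RST during the data phase, with a 200 already logged) and the "SC--" 503 in @spn's log, which records a server connection that never established, consistent with the certificate verify errors logged just before it. The sample list is constructed, apart from the one real line taken from @spn's post.

```python
import re
from collections import Counter

# HAProxy "option httplog" line; 2.x prints TR/Tw/Tc/Tr/Ta, 1.x Tq/Tw/Tc/Tr/Tt (-1 = never reached):
# client [accept_date] frontend backend/server timers status bytes creq cres term_state
# actconn/feconn/beconn/srv_conn/retries srv_queue/backend_queue "request"
HTTPLOG_RE = re.compile(
    r'(?P<client>\S+) \[(?P<accept>[^\]]+)\] (?P<frontend>\S+) '
    r'(?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<tq>-?\d+)/(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tr>-?\d+)/(?P<tt>-?\d+) '
    r'(?P<status>-?\d+) (?P<bytes>\d+) (?P<creq>\S+) (?P<cres>\S+) '
    r'(?P<term>\S{4}) (?P<conns>\S+) (?P<queues>\S+) "(?P<request>[^"]*)"'
)

# Termination state: first char = what ended the session, second = the phase it was in.
ENDED_BY = {
    "C": "client aborted the TCP session (e.g. RST)",
    "S": "server aborted or refused the connection",
    "P": "proxy aborted it (policy, limit or invalid response)",
    "L": "handled locally by haproxy",
    "R": "proxy resource exhausted",
    "I": "internal haproxy error",
    "D": "killed because the server went down",
    "U": "killed on a backup server because an active server came up",
    "K": "killed by an administrator",
    "c": "client-side timeout expired",
    "s": "server-side timeout expired",
    "-": "normal completion",
}
PHASE = {
    "R": "waiting for a complete client REQUEST",
    "Q": "QUEUED for a server slot",
    "C": "waiting for the server CONNECTION",
    "H": "waiting for response HEADERS",
    "D": "in the DATA phase",
    "L": "sending a LOCAL response",
    "T": "TARPITted",
    "-": "normal",
}

def parse_httplog(line):
    """Fields of one httplog line as a dict (timers, status, bytes as int), or None if not one."""
    m = HTTPLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("tq", "tw", "tc", "tr", "tt", "status", "bytes"):
        rec[key] = int(rec[key])
    return rec

def explain(term_state):
    """Readable form of the 4-char termination state, e.g. 'SC--' or 'CD--'."""
    return f"{term_state}: {ENDED_BY.get(term_state[0], '?')}, {PHASE.get(term_state[1], '?')}"

def summarise(lines):
    """Count (first two termination chars, status) pairs so abnormal endings stand out."""
    counts = Counter()
    for line in lines:
        rec = parse_httplog(line)
        if rec:
            counts[(rec["term"][:2], rec["status"])] += 1
    return counts

# Sample input: the real 503 line from the lua-acme post, then two constructed lines, a 'CD--'
# with HTTP 200 (client RST during data, as described above) and a normal request.
SAMPLE = [
    'Mar 10 17:49:12 anx-testlb0501 haproxy[29553]: 127.0.0.1:41240 [10/Mar/2020:17:49:08.114] acme-ca acme-ca/ca 0/0/-1/-1/4881 503 221 - - SC-- 2/1/0/0/3 0/0 "GET /directory HTTP/1.1"',
    'Mar 10 18:00:01 lb01 haproxy[1]: 203.0.113.7:51234 [10/Mar/2020:18:00:00.950] fe_https~ be_app/web1 12/0/1/38/420 200 8192 - - CD-- 40/40/12/4/0 0/0 "GET /api/list HTTP/1.1"',
    'Mar 10 18:00:02 lb01 haproxy[1]: 203.0.113.8:40001 [10/Mar/2020:18:00:02.001] fe_https~ be_app/web2 5/0/1/20/27 200 512 - - ---- 39/39/11/3/0 0/0 "GET / HTTP/1.1"',
]
```

Tc of -1 together with an "SC" state tells you the failure happened before any HTTP exchange with the server, which is what a failed TLS handshake to the backend looks like from the log alone.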

Compile Pcre2 or pcre?

Haproxy path_reg compare number?


@khurshid-alam wrote:

The paths are like this:

https://example.com/10001/5235723gdh.jpg

https://example.com/10007/836789370md.jpg

We want to extract the number and compare.

I tried with

    acl image1 path_reg \/[0-9]*\/.* le 10005
    acl image2 path_reg \/[0-9]*\/.* ge 10006

    use_backend image1 if image1
    use_backend image2 if image2

But it is not working. How can I make this work?

Thanks.

Posts: 1

Participants: 1


Haproxy not switching backends by using path_reg


@egozkan wrote:

Hello all,

I want to use different backends by using a regex but it is not working as expected. My configuration is as shown below.

acl cons path_reg ^/(test)/([a-z-0-9]+/){0,1}$
use_backend consistent if cons

For example, this config should work like this:

https://domain.com/test --> should switch to consistent backend
https://domain.com/test/?a=1 --> should not switch to consistent backend but to default

How can I achieve this?

Thanks

Posts: 1

Participants: 1

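An added Python model (not from either post) of how HAProxy evaluates the two path_reg ACLs above: the path sample never contains the query string, a regex match yields only yes/no so the numeric comparison in @khurshid-alam's post has to extract the number first, and the regex in @egozkan's post requires a slash after /test. In HAProxy itself the numeric case would, as I read the ACL syntax and untested here, look like `acl image1 path,field(2,/) -m int le 10005`.

```python
import re
from urllib.parse import urlsplit

def haproxy_path(url):
    """Model of HAProxy's `path` sample: the request path only, no host and no query string."""
    return urlsplit(url).path or "/"

# First post: a regex match is true/false, it cannot do 'le 10005'. Extract the number, then compare.
FIRST_SEGMENT_RE = re.compile(r"^/(\d+)/")

def route_by_number(path, boundary=10005):
    """'image1' for a leading numeric segment <= boundary, 'image2' above it, else the default."""
    m = FIRST_SEGMENT_RE.match(path)
    if m is None:
        return "default"   # no numeric first segment: never pick a backend from a partial match
    return "image1" if int(m.group(1)) <= boundary else "image2"

# Second post: the ACL exactly as written. path_reg is a search, but this pattern anchors itself,
# so '/test' (no trailing slash) never matches while '/test/' does.
CONS_RE = re.compile(r"^/(test)/([a-z-0-9]+/){0,1}$")

def route_cons_as_posted(url):
    return "consistent" if CONS_RE.search(haproxy_path(url)) else "default"

# What the post asks for: /test with or without a trailing slash goes to 'consistent', but a URL
# carrying a query string stays on the default backend. Since `path` drops the query string, the
# decision needs a second look at the query part (HAProxy's `query` sample, a string match on path alone cannot do it).
CONS_FIXED_RE = re.compile(r"^/test(/[a-z0-9-]+)?/?$")

def route_cons_intended(url):
    parts = urlsplit(url)
    if parts.query:
        return "default"
    return "consistent" if CONS_FIXED_RE.match(parts.path) else "default"
```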


Haproxy Logs are being written in two files with rsyslog config


@Vels456 wrote:

I have a haproxy and rsyslog setup. I'm facing an issue where haproxy logs are being written to 2 files, /var/log/messages and /var/log/haproxy.log (I need them to be written only to the latter file).

Haproxy:
version - 2.0
haproxy config -> Has log global in all frontends

rsyslog:
version - 5.8.10

Part of the content of /etc/rsyslog.conf is below:

*.info;mail.none;authpriv.none;cron.none        /var/log/messages

/etc/rsyslog.d/49-haproxy.conf content is:

$UDPServerAddress 127.0.0.1
$UDPServerRun 514
local1.* -/var/log/haproxy.log
& ~

Posts: 1

Participants: 1


Missing timeouts for backend warning message


@jmcclure wrote:

HAProxy 2.1.3
Alpine 3.11.3

I’ve installed HAProxy and it works as expected. My question is, why can't I get rid of this warning message, and is my timeout configuration in the defaults section not being picked up by the backend?

[WARNING] 071/135712 (11) : config : missing timeouts for backend 'ignite'.
       | While not properly invalid, you will certainly encounter various problems
       | with such a configuration. To fix this, please ensure that all following
       | timeouts are set to a non-zero value: 'client', 'connect', 'server'.

Have about a dozen backends defined, and I am getting the above message for each. I have common timeout configuration in a defaults section (simplified below) of my configuration file:

defaults
    timeout connect 5s
    timeout client 1m
    timeout server 1m

backend ignite
    mode http
    balance roundrobin
    option forwardfor except 127.0.0.0/8
    server serverx serverx:7080 check inter 10s fall 3 rise 2

I assumed each backend would ‘default’ to those timeouts unless I override them in the backend block if needed. I see a lot of posted log examples with that message in them, but, nothing about this being an issue, nor how to address it.

Any ideas why my configuration produces this warning? Are the timeouts defined in the default section being applied to each backend with my configuration setup?

Thanks,
James

Posts: 1

Participants: 1

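A small config audit in Python, added here and not part of any post, run over a constructed haproxy.cfg excerpt that combines the settings discussed in the threads above: @ja8zyjits's crt-ignore-err all, stats auth user:password and redirect scheme https beside a plain-text bind (the 302 the curl output shows), @pludikovsky's server ... verify none, default bind options that leave TLS 1.0 on (@justauser's question), and @jmcclure's missing-timeouts warning, reproduced here by a second defaults section. The parser understands only the keyword lines it needs; it is not a full haproxy.cfg grammar.

```python
# Constructed haproxy.cfg excerpt (no poster's full config) combining the settings discussed
# above. The second 'defaults' deliberately carries no timeouts: each new 'defaults' section
# starts from scratch, so 'backend ignite' below it ends up with none, hence the warning.
SAMPLE_CFG = """\
global
    ssl-default-bind-options no-sslv3
defaults
    timeout connect 5s
    timeout client 1m
    timeout server 1m
    stats auth user:password
frontend www.mysite.com
    bind 0.0.0.0:8443
    bind 0.0.0.0:443 ssl crt /home/ubuntu/haproxy/mysite.pem crt-ignore-err all
    redirect scheme https if !{ ssl_fc }
backend back-ssl
    server back-ssl-001 1.1.1.2:8443 check check-ssl ssl verify none
defaults    # fresh section: the timeouts above do not carry over
backend ignite
    server serverx serverx:7080 check inter 10s fall 3 rise 2
"""

SECTION_KEYWORDS = {"global", "defaults", "frontend", "backend", "listen"}

def parse_sections(text):
    """[(section header, [tokenised line, ...]), ...] with comments and blank lines dropped."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.split()[0] in SECTION_KEYWORDS:
            sections.append((line, []))
        elif sections:
            sections[-1][1].append(line.split())
    return sections

def value_after(words, key):
    """Token following `key` on a tokenised config line, or None if absent or last."""
    return words[words.index(key) + 1] if key in words[:-1] else None

def audit(text):
    findings, inherited = [], {}
    for header, lines in parse_sections(text):
        kind = header.split()[0]
        timeouts = {} if kind == "defaults" else dict(inherited)   # proxies inherit from defaults
        plain_bind = any(w[0] == "bind" and "ssl" not in w for w in lines)
        for w in lines:
            if w[0] == "timeout" and len(w) > 2:
                timeouts[w[1]] = w[2]
            elif w[0] == "bind" and value_after(w, "crt-ignore-err") == "all":
                findings.append((header, "crt-ignore-err all: every client-certificate verify error is ignored"))
            elif w[0] == "server" and value_after(w, "verify") == "none":
                findings.append((header, f"server {w[1]}: backend certificate is not verified"))
            elif w[:3] == ["stats", "auth", "user:password"]:
                findings.append((header, "stats auth still uses placeholder credentials"))
            elif w[0] == "ssl-default-bind-options" and not {"no-tlsv10", "force-tlsv12", "ssl-min-ver"} & set(w):
                findings.append((header, "TLS 1.0 stays enabled: add no-tlsv10 (and no-tlsv11) or ssl-min-ver"))
            elif w[:3] == ["redirect", "scheme", "https"] and plain_bind:
                findings.append((header, "every clear-text request, including a proxy CONNECT, gets a 302"))
        if kind == "defaults":
            inherited = timeouts
        elif kind != "global":
            missing = [t for t in ("client", "connect", "server") if t not in timeouts]
            if missing:
                findings.append((header, "missing timeouts: " + ", ".join(missing)))
    return findings
```

Note that crt-ignore-err only affects client-certificate checks on a bind that also carries a `verify` keyword; on the posted frontend it has no effect on the curl failure, which is curl declining the proxy's self-signed server certificate.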

Concurrent Connections over sessionid


@midas1989 wrote:

Hello all

I have an HTTP frontend which goes via URL to a certain backend.

Now I want to achieve that the backend only takes a certain number of clients and otherwise redirects to the next one or displays an error status page.

So far I only found how to forward the new requests to the next server with a certain number of connections.

But it can be that several clients arrive over the same source IP. Therefore you would have to split the requests based on a header or cookie.

Can I get some help here?

Best regards

Posts: 1

Participants: 1


Client get connection timeout with HAProxy 1.5


@thanhnb wrote:

I use HAProxy as an LB for 3 backend web servers (Apache, same code).
Sometimes a client in a browser gets a connection timeout ERROR when connecting to HAProxy.
I have written a custom curl script from my laptop to my web site and run it (1 request per second, for 8 hours).
If my curl script executes GET requests to the HAProxy node as LB, sometimes my script logs a Timeout request error (1-2 ERRORs per 20-30 minutes). When the Timeout request ERROR happens, I see in the log that haproxy processed the request and returned status 200 to the client, response time ~0.5s, but the client doesn't get the haproxy response.

If my curl script executes GET requests directly to the Apache web server, it works like a charm.

This is my haproxy config: https://paste.cloud365.vn/?77901e48f1c63e75#SeXKZfbDYUpQxM/B38wZQqkULfHXXW+pKHMz4mSuFNs=

Posts: 3

Participants: 1


Port mirror to two HA proxy server


@Howard wrote:

My scenario is that through iptables TEE I mirror packets to two HA proxies, and the second proxy is for backup. However, I don't want the second proxy to reply with an ACK but still to collect packets, so I drop the ACK packets from the second proxy. However, because the backup proxy's sequence number isn't the same as the primary proxy's, the connection won't establish on the backup proxy. Is there a way to make the two HA proxies establish the connection synchronously? The second connection is fake; it's only there to collect packets, and if the primary fails over, the backup proxy could take over.

Posts: 1

Participants: 1

