Channel: HAProxy community - Latest topics

Server-template still keeps out-of-date server not in SRV any more

Hi,

server-template is a great feature for Kubernetes haproxy users, but we are suffering from a problem with haproxy 2.0.14 (the only version we've ever tried) when using server-template for backend server discovery on Kubernetes.

The background is that we use haproxy as a load balancer to accept incoming requests from clients and load balance them to our backend app servers running in different pods in the same Kube namespace. Meanwhile, we have several such deployments in other Kube namespaces too.

We found that server-template still keeps the out-of-date backend server pod's IP when the server is marked down; this happens when we scale down, reducing the number of app pods in the backend with the kubectl scale command.

The problem with this behavior is that the already deleted pod's IP will be reclaimed and recycled by Kubernetes, and that IP will be used when some other new pod is created after some time. In some not-rare cases, the new pod can be a similar app pod running in another Kubernetes namespace. That violates the rule of how we expect server-template to work: only care about what the SRV record says about the endpoints (pod IPs) of the backend app service in the current namespace.

Here is what we are seeing from show servers state:

$ echo "show servers state" | socat stdio ./admin-1.sock
# be_id be_name srv_id srv_name srv_addr srv_op_state srv_admin_state srv_uweight srv_iweight srv_time_since_last_change srv_check_status srv_check_result srv_check_health srv_check_state srv_agent_state bk_f_forced_id srv_f_forced_id srv_fqdn srv_port srvrecord
8 app-perf-us-south-01 1 server-1 172.30.254.86 2 64 1 1 83648 15 3 4 6 0 0 0 172-30-254-86.app.app-perf.svc.cluster.local 5983 _https._tcp.app.app-perf.svc.cluster.local
8 app-perf-us-south-01 2 server-2 172.30.233.39 2 64 1 1 83643 15 3 4 6 0 0 0 172-30-233-39.app.app-perf.svc.cluster.local 5983 _https._tcp.app.app-perf.svc.cluster.local
8 app-perf-us-south-01 3 server-3 172.30.47.190 0 64 1 1 34795 7 2 0 6 0 0 0 - 5983 _https._tcp.app.app-perf.svc.cluster.local

So we can see that server-3 with IP 172.30.47.190 is still here with an empty srv_fqdn, and its srv_op_state is 0.

while a dig of the SRV record at the same time shows that no entry resolves to this IP:
$ dig -t SRV _https._tcp.app.app-perf.svc.cluster.local +short
0 4 5983 172-30-130-236.app.app-perf.svc.cluster.local.
0 4 5983 172-30-139-184.app.app-perf.svc.cluster.local.

Only 2 entries are here.

So once 172.30.47.190 is later used by another pod, haproxy thinks it's back and starts distributing traffic to it regardless of where the new pod lives (another namespace, or maybe even another kind of pod).

So this is a problem that blocks us from using server-template in Kubernetes. I am wondering if I can get any help on this case to identify whether I missed any configuration to make server-template work as I expect: always keep the server list up to date with what the SRV record resolves.

It would be great if I could get help here. Thank you very much.

1 post - 1 participant


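A reconciliation check for the situation described in this post, added here as an example and not part of the post or of HAProxy itself: it parses a "show servers state" dump and a "dig +short" SRV answer and lists the SRV-managed servers that the record no longer backs, which are exactly the slots that would revive if Kubernetes hands the address to an unrelated pod. The sample dump and SRV answer are constructed to mirror the post's output. It assumes the Kubernetes convention visible in that output, where a pod record encodes the pod IP as dashed labels (172-30-254-86.app...); the "set server ... state maint" commands it emits are the Runtime API way to take such a slot out of rotation until the next SRV refresh.

```python
"""Reconcile HAProxy 'show servers state' with the SRV record that populated the
backend (added example; sample data constructed to mirror the post)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed 'show servers state' dump, same columns as the post.
SERVERS_STATE = """\
# be_id be_name srv_id srv_name srv_addr srv_op_state srv_admin_state srv_uweight srv_iweight srv_time_since_last_change srv_check_status srv_check_result srv_check_health srv_check_state srv_agent_state bk_f_forced_id srv_f_forced_id srv_fqdn srv_port srvrecord
8 app-perf-us-south-01 1 server-1 172.30.254.86 2 64 1 1 83648 15 3 4 6 0 0 0 172-30-254-86.app.app-perf.svc.cluster.local 5983 _https._tcp.app.app-perf.svc.cluster.local
8 app-perf-us-south-01 2 server-2 172.30.233.39 2 64 1 1 83643 15 3 4 6 0 0 0 172-30-233-39.app.app-perf.svc.cluster.local 5983 _https._tcp.app.app-perf.svc.cluster.local
8 app-perf-us-south-01 3 server-3 172.30.47.190 0 64 1 1 34795 7 2 0 6 0 0 0 - 5983 _https._tcp.app.app-perf.svc.cluster.local
"""

# Constructed 'dig +short' SRV answer: priority weight port target.
SRV_ANSWER = """\
0 4 5983 172-30-254-86.app.app-perf.svc.cluster.local.
0 4 5983 172-30-233-39.app.app-perf.svc.cluster.local.
"""


@dataclass
class ServerState:
    backend: str
    name: str
    addr: str
    op_state: int
    fqdn: str
    port: int
    srvrecord: str


def parse_servers_state(text):
    """Parse the dump; the column order is taken from the '#' header line
    (a real dump starts with a version line, which is skipped here)."""
    header, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            header = line.lstrip("# ").split()
        elif header:
            fields = line.split()
            if len(fields) == len(header):
                f = dict(zip(header, fields))
                rows.append(ServerState(f["be_name"], f["srv_name"], f["srv_addr"],
                                        int(f["srv_op_state"]), f["srv_fqdn"],
                                        int(f["srv_port"]), f["srvrecord"]))
    return rows


def parse_srv_answer(text):
    """Parse 'dig +short' SRV output into {target: port} (trailing dot dropped)."""
    targets = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            targets[parts[3].rstrip(".")] = int(parts[2])
    return targets


_DASHED_IP = re.compile(r"^(\d{1,3}(?:-\d{1,3}){3})\.")


def target_ip(target):
    """Recover the pod IP from a Kubernetes pod record such as
    172-30-254-86.app.app-perf.svc.cluster.local (assumed naming convention)."""
    m = _DASHED_IP.match(target)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group(1).replace("-", ".")))
    except ValueError:
        return None


def stale_servers(servers, srv_targets):
    """SRV-managed servers whose fqdn and address are both absent from the SRV
    answer. These are the slots that would revive if the address is reused by
    an unrelated pod, so they are the ones to force into maintenance."""
    live_ips = {target_ip(t) for t in srv_targets} - {None}
    stale = []
    for s in servers:
        if s.srvrecord == "-":
            continue                        # static server, not SRV-managed
        if s.fqdn in srv_targets or s.addr in live_ips:
            continue
        stale.append(s)
    return stale


def maint_commands(servers, srv_targets):
    """Runtime API commands that take the stale slots out of rotation."""
    return [f"set server {s.backend}/{s.name} state maint"
            for s in stale_servers(servers, srv_targets)]


if __name__ == "__main__":
    for cmd in maint_commands(parse_servers_state(SERVERS_STATE),
                              parse_srv_answer(SRV_ANSWER)):
        print(cmd)            # feed to: socat stdio ./admin-1.sock
```

Run against the real socket by piping "show servers state" through socat into parse_servers_state and the dig output into parse_srv_answer; the commands it prints can be piped back into the same socket.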

Haproxy log file with pfsense

Hello,

I am trying to read the /var/log/haproxy.log file with the command clog -f haproxy.log, but nothing happens. No window opens. How do I see my error log? I'm on pfSense.

Thank you so much!

1 post - 1 participant


ERR_SSL_PROTOCOL_ERROR after switching to SSL passthrough

Hello community!

I'm posting here as I came across an issue that I'm not able to resolve, and I've been searching around for a while now. I had a working config using SSL termination with a single frontend for 80 and 443 and 2 backends for 2 different websites. After enabling SSL passthrough, the second website (site2) stopped working with the given error, and I am not sure if it's due to the tcp mode with an httpchk in it at the backend level.

HAproxy version: haproxy/bionic-updates,bionic-security,now 1.8.8-1ubuntu0.10

HAproxy config

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 2000
ca-base /etc/ssl/certs
crt-base /etc/ssl/private

defaults
log global
mode http
option httplog
option dontlognull
#option forwardfor
option redispatch
option http-server-close
timeout connect 5000
timeout client 50000
timeout server 50000
timeout tunnel 3600s
timeout http-keep-alive 1s
timeout http-request 15s
timeout queue 30s
timeout tarpit 60s
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

frontend http_in
mode http
option httplog
bind *:80
option forwardfor
redirect scheme https if !{ ssl_fc }

frontend https_in
mode tcp
option tcplog
bind *:443
acl tls req.ssl_hello_type 1
tcp-request inspect-delay 5s
tcp-request content accept if tls
stats uri /haproxy?stats

acl is_websocket path_beg -i /api
acl host_calabrio req.ssl_sni -i site1.domain.com
acl host_ece req.ssl_sni -i site2.domain.com

use_backend api_back_calabrio if is_websocket
use_backend https_back_calabrio if host_calabrio
use_backend https_back_ece if host_ece

#Calabrio backend https
backend https_back_calabrio
mode tcp
option ssl-hello-chk
cookie JSESSIONID prefix nocache
default-server inter 3000 fall 2
server CLBPC1-LAB2-1 172.20.104.52:443 check cookie s1
server CLBPC2-LAB2-1 172.21.104.52:443 check backup cookie s2

#Calabrio backend API
backend api_back_calabrio
default-server inter 3000 fall 2
server CLBPC1-LAB2-1 172.20.104.52:8888 check
server CLBPC2-LAB2-1 172.21.104.52:8888 check backup

#Cisco ECE backend https
backend https_back_ece
mode tcp
option ssl-hello-chk
option httpchk HEAD /default
http-check expect ! rstatus ^5
cookie JSESSIONID prefix nocache
default-server inter 3000 fall 2
server ECE1-LAB2-1 172.20.206.45:443 check ssl verify none cookie s1
server ECE2-LAB2-1 172.21.206.45:443 check ssl backup verify none cookie s2

The backend that is not working is "backend https_back_ece", and the log entry with the issue is the following:

Apr 30 12:50:29 CLB1-LAB2-1 haproxy[1477]: 192.168.151.36:55267 [30/Apr/2020:12:50:28.995] https_in https_back_ece/ECE1-LAB2-1 1/0/47 505 -- 11/11/0/0/0 0/0

The first backend is working without issues.

Any clue as to why it's giving back the SSL protocol error?

Thank you!
Tofaz

1 post - 1 participant


SNI and SSL offloading/termination with multiple domains

Hi,

I'm failing to set up haproxy for SNI and SSL offloading/termination with multiple domains. I tried this:

frontend Frontend
    mode    http
    option  httplog
    option  dontlognull
    option  http-keep-alive
    option  forwardfor

    bind 192.168.151.10:443 ssl alpn h2,http/1.1 crt-list /etc/haproxy/cert.list

    use_backend BE1 if { ssl_fc_sni domain1.com }
    use_backend BE2 if { ssl_fc_sni domain2.com }

backend BE1
    balance source
    stick-table type ip size 50k expire 30m
    stick on src
    http-reuse safe
    server SERVER1 192.168.170.10:443 ssl verify none alpn h2,http/1.1

backend BE2
    balance source
    stick-table type ip size 50k expire 30m
    stick on src
    http-reuse safe
    server SERVER2 192.168.180.10:443 ssl verify none alpn h2,http/1.1

This fails with "SSL handshake failure". When I only use one domain and only one certificate with "crt" instead of "crt-list" and one backend, it works.

How to get this working?

TIA

HA-Proxy version 2.0.14-1~bpo10+1 2020/04/16 - https://haproxy.org/
Build options :
  TARGET  = linux-glibc
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -O2 -fdebug-prefix-map=/build/haproxy-kKmitW/haproxy-2.0.14=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wno-implicit-fallthrough -Wno-stringop-overflow -Wno-cast-function-type -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
  OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_SYSTEMD=1

Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER -PCRE -PCRE_JIT +PCRE2 +PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=1).
Built with OpenSSL version : OpenSSL 1.1.1d  10 Sep 2019
Running on OpenSSL version : OpenSSL 1.1.1g  21 Apr 2020
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.3
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE2 version : 10.32 2018-09-10
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with the Prometheus exporter as a service

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
              h2 : mode=HTX        side=FE|BE     mux=H2
              h2 : mode=HTTP       side=FE        mux=H2
       <default> : mode=HTX        side=FE|BE     mux=H1
       <default> : mode=TCP|HTTP   side=FE|BE     mux=PASS

Available services :
     prometheus-exporter

Available filters :
	[SPOE] spoe
	[COMP] compression
	[CACHE] cache
	[TRACE] trace

1 post - 1 participant


Domain.com/uri gives 500 error while ip:port/uri gives 200

Hi, I have configured an lb rule on HAProxy, and while curl -kv http://domain.co/some/uri gives a 500 response code, curl -kv http://ip:port/some/uri gives 200. Could someone please suggest where the problem might reside or guide me through some steps to troubleshoot this. Thanks in advance.

1 post - 1 participant


Wordpress site behind HAProxy

Hello,
I've been using HAProxy for basic redirections for many months now, with one domain name.

What I want to achieve now is to set up another redirection for a second domain name toward my WordPress site.
Here's a high-level schema of what I want:
[image: Capture]
I've been looking all over the web for weeks now, but I found nothing relevant so far.
And specifically for the WordPress site, I think I need extra "rules", a bit like for the guacamole already in place.

My current Haproxy.cfg

I'm available to discuss this, even with a shared screen if needed.

1 post - 1 participant


How to delete account

Hello,

I wish to delete my account on discourse.haproxy.org, but it does not seem possible through the interface.

As far as I know, since the GDPR has been in force, this is illegal.

Please kindly provide a way to remove an account on this forum. Thanks.

1 post - 1 participant


HAProxy as a failover only without load balancing - is not redirecting traffic to backup

I'm trying to use HAProxy as a failover TCP solution in case our primary server goes down.
However, it simply does not seem to work.

haproxy.cfg

frontend haproxy_sync
    bind *:8090
    mode tcp
    option tcplog
    default_backend sync

backend sync
    mode tcp
    option tcplog
    balance roundrobin
    server server1 sync1:8090 check on-marked-down shutdown-sessions on-marked-up shutdown-backup-sessions
    server server2 sync2:8090 check backup

HAProxy is able to see both servers and connect to the open port:

root@scw-haproxy:~# nc -vz sync1 8090
sync1 [hidden] 8090 (?) open

root@scw-haproxy:~# nc -vz sync2 8090
sync2 [hidden] 8090 (?) open

When I test the configuration by shutting down sync1, the haproxy log shows:

May  2 13:22:54 scw-haproxy haproxy[8985]: Server sync/server1 is DOWN, reason: Layer4 connection problem, info: "Connection refused", check duration: 81ms. 0 active and 1 backup servers left. Running on backup. 0 sessions active, 0 requeued, 0 remaining in queue.
May  2 13:22:54 scw-haproxy haproxy[8985]: Server sync/server1 is DOWN, reason: Layer4 connection problem, info: "Connection refused", check duration: 81ms. 0 active and 1 backup servers left. Running on backup. 0 sessions active, 0 requeued, 0 remaining in queue.

But no traffic ends up going through to server2/sync2 (the backup server).

Any idea what I have configured incorrectly here?
I am using HA-Proxy version 1.6.3

1 post - 1 participant



DDoS attack & infrastructure disclosure through unencoded cookie

Hi HAproxy gurus!

Some time ago I read about the possibility of obtaining backend server IPs, disclosing the infrastructure (and enabling attacks like DDoS), by using a simple operation to decode session cookies.

In short, this method is about the HTTP cookie insert type commonly used in the cookie persistence method for HTTP traffic.
This is a commonly used setup (and not only on F5 balancers) because of its easiness: all cookies are generated on the balancer, and none of the backend servers need to be set up to answer with a server-specific cookie.

After the attacker obtains a backend server IP, a ton of traffic is sent to it -> the balancer excludes the backend server from the pool -> the attacker obtains the NEXT backend server IP and a ton of traffic is sent to it -> the balancer excludes that backend server from the pool -> and again and again.

Of course, after some time the balancer adds the previously excluded backend back to the server pool, but before that the service quality degrades, and in some cases this costs the company a lot of money…

How is HAProxy guarded against this type of infrastructure disclosure?

1 post - 1 participant


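To make the disclosure described in this post concrete, here is an added example (not from the post, and not an HAProxy or F5 component) that decodes the classic BIG-IP persistence cookie format, in which the value is the pool member's IPv4 address and port written as little-endian decimal numbers, and contrasts it with an opaque value derived from a secret key. The HAProxy configurations elsewhere on this page use cookie <name> insert/prefix with a per-server label (cookie s1), so what the client sees there is that label rather than an address; the keyed HMAC below is an illustration of the opaque approach, not HAProxy's own dynamic-cookie computation. The value 1677787402.36895.0000 is the widely used documentation example and decodes to 10.1.1.100:8080; the key and server labels are constructed.

```python
"""Decode an F5 BIG-IP-style persistence cookie and contrast it with an opaque,
keyed cookie value (added example; the cookie values below are constructed)."""
import hashlib
import hmac
import re
import struct

_F5_IPV4 = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")


def decode_f5_cookie(value):
    """BIGipServer<pool>=<ip>.<port>.0000 where <ip> is the IPv4 address and
    <port> the port, each read as a little-endian integer. Returns (ip, port)
    or None if the value is not in that form."""
    m = _F5_IPV4.match(value.strip())
    if not m:
        return None
    ip_int, port_int = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    ip = ".".join(str(b) for b in struct.pack("<I", ip_int))
    port = int.from_bytes(struct.pack("<H", port_int), "big")
    return ip, port


def encode_f5_cookie(ip, port):
    """Inverse of decode_f5_cookie, to show how little the encoding hides."""
    ip_int = struct.unpack("<I", bytes(int(o) for o in ip.split(".")))[0]
    port_int = struct.unpack("<H", struct.pack(">H", port))[0]
    return f"{ip_int}.{port_int}.0000"


def opaque_cookie(server_name, key):
    """Value derived from a secret key: the balancer can map it back, the
    client learns neither the server label nor its address. (Illustrative
    HMAC, not HAProxy's dynamic-cookie algorithm.)"""
    return hmac.new(key, server_name.encode(), hashlib.sha256).hexdigest()[:16]


def resolve_opaque(value, server_names, key):
    """Balancer side: find the server whose cookie value matches, comparing in
    constant time so the lookup itself leaks nothing."""
    for name in server_names:
        if hmac.compare_digest(opaque_cookie(name, key), value):
            return name
    return None


if __name__ == "__main__":
    # Documentation-style F5 value; decodes to the pool member behind the balancer.
    print(decode_f5_cookie("1677787402.36895.0000"))   # ('10.1.1.100', 8080)
    key = b"constructed-demo-key"
    value = opaque_cookie("s2", key)
    print(value, resolve_opaque(value, ["s1", "s2"], key))
```

The attack chain in the post needs the first half of this block to work; with the second half (or with a label that is not the address) the client only ever holds a token that the balancer alone can map to a server.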
PHP application slow when using haproxy

Greetings for the day!
In my PHP application, when I use a direct MySQL connection it works perfectly. But when I use the haproxy IP for HA, it takes too long to retrieve results.
The HAProxy configuration is as follows:

global
    maxconn         5000
    nbproc          5

defaults
retries 3
option redispatch
timeout client 120s
timeout connect 10s
timeout server 120s

Galera Cluster Frontend configuration

frontend galera_cluster_frontend
bind 0.0.0.0:3307
mode tcp

log global
option  dontlognull

option tcplog
default_backend galera_cluster_backend

Galera Cluster Backend configuration

backend galera_cluster_backend
    mode tcp
    option tcpka
    option tcplog
    option log-health-checks
    retries 3

    # 'bind' is not valid in a backend section (the listener belongs to the frontend),
    # and only the last 'balance' directive takes effect; leastconn suits long-lived
    # database connections better than roundrobin.
    balance leastconn
    server db-server-01 e2e-34-201:3306 check weight 1
    server db-server-02 e2e-34-202:3306 check weight 3
    server db-server-03 e2e-34-203:3306 check weight 2

Please share a solution asap.

1 post - 1 participant


How to create bind policy for requests with or without proxy-protocol header

I have an HAProxy which listens on port 443. There are 2 types of requests coming to port 443: 1) normal API requests which contain a proxy-protocol v2 header (so I need "accept-proxy" for such packets); 2) health-check requests which don't have a proxy-protocol header.

How can I configure the 'bind *:443 …' rule so that I can handle the 2 types of packets correctly? i.e. HAProxy applies 'accept-proxy' for requests with a proxy-protocol header, and does not use accept-proxy for requests which don't have a proxy-protocol header.

1 post - 1 participant


Lua tcp-request content action timeout on core.sleep()

Hi,

I'm trying to read the first bytes (below 500 bytes) of a custom protocol to extract and log session-identifying information. Since the client might be extremely slow to send the initial bytes, I wanted to try to implement a while loop to read the first incoming message, and tried with a very simple sleep to get started.

However, this ends up with the message "aborting Lua processing on expired timeout".

Is this type of thing generally not possible within a tcp-request content action?

test.lua

local function my_tcp_action(txn)
    txn:Info(">>> TCP ACTION")
    txn:Info(">>> request buffer not complete, waiting ten seconds")
    core.sleep(10)
    txn:Info(">>> done sleeping")
    -- bytes currently buffered on the request channel, and a copy of them
    local request_buffer_content_len = txn.req:get_in_len()
    core.Debug(tostring(request_buffer_content_len))
    local request_buffer_content = txn.req:dup()
    core.Debug(tostring(request_buffer_content))
end

-- registered as lua.my_tcp_action for use in tcp-request content rules
core.register_action('my_tcp_action', {'tcp-req'}, my_tcp_action, 0)

haproxy.cfg

global
  log stdout format raw local0
  tune.ssl.default-dh-param 2048
  ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:!aNULL:!MD5:!DSS
  ssl-default-bind-options ssl-min-ver TLSv1.2
  ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:!aNULL:!MD5:!DSS
  ssl-default-server-options ssl-min-ver TLSv1.2
  server-state-file global

  # lua settings
  tune.lua.session-timeout 30s
  lua-load /srv/lua/test.lua

defaults
  log               global
  retries                   3
  backlog               10000
  maxconn               10000
  timeout connect         30s
  timeout client          30s
  timeout server          30s
  timeout tunnel        3600s
  timeout http-keep-alive  1s
  timeout http-request    15s
  timeout queue           30s
  timeout tarpit          60s

frontend minimal_frontend
  bind *:55777 ssl crt /srv/crt/some_crt.pem tfo tls-ticket-keys /srv/crt/tls-ticket-keys
  mode tcp
  timeout client 10m
  option clitcpka
  tcp-request inspect-delay 30s
  tcp-request content accept if { req_ssl_hello_type 1 }
  use_backend minimal_backend

backend minimal_backend
  balance roundrobin
  mode tcp
  timeout server 10m
  tcp-request inspect-delay 30s
  tcp-request content lua.my_tcp_action
  server nc 127.0.0.1:6667 id 6667 weight 0

1 post - 1 participant


Logging "everything"

How do I configure logging so that everything that gets displayed when haproxy runs in the foreground gets logged?

1 post - 1 participant


Traffic getting to server but Haproxy is not responding to requests

Hello All and thank you for your assistance in advance.

I have an office that connects to the HAProxy server via an IPsec tunnel. I have several clients that connect into the office via an OpenVPN server. The traffic coming through the OpenVPN server never has an issue. The office traffic works extremely intermittently. When I say "works", I see HAProxy responding in the log. Using tcpdump I can see that traffic from the office machines is reaching the HAProxy server; however, I am not seeing ANY response in the HAProxy log when it is failing. Where my confusion comes in is that the OpenVPN traffic comes from X.X.X.172 and the office machine I am looking at comes from X.X.X.244, where all the Xs match.

Is there a configuration setting I should look at?

Not sure what to look at next.

1 post - 1 participant


Bad request returned for unencoded characters

I recently moved a domain to HAProxy. Most of the HTTP requests go through fine, but some requests that have unencoded characters in their URL are rejected with 400 Bad Request.
An example of such a URL is
http://www.domain.com/push.asp?Message=א
Note that the Message parameter has a Hebrew letter as its value, but it is not encoded. If I change the Hebrew letter to any English letter, the request is passed to the backend without any issue, but this request is rejected as Bad Request.
Since I know my web server (IIS in this case) can handle the request, is there a way to tell HAProxy to skip validation of the HTTP request?
My frontend in this case is working in HTTP mode.

I should also note that testing this "bad" URL from a web browser works, as the browser encodes the URL. Only when the URL contains 1 byte on the wire for this letter (0xE0 in this case) is the request rejected.

Thanks

Update: I found the "option accept-invalid-http-request" option and was wondering if there is some way to combine that with an ACL?

1 post - 1 participant


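The rejection in this post comes from the request-target carrying a raw byte outside the character set a strict HTTP parser accepts. What follows is an added example (not from the post, and not HAProxy's parser) that scans a request-target for such bytes and percent-encodes only the offending octets, so the backend still receives the same byte (0xE0 is א in the single-byte Windows-1255 and ISO-8859-8 encodings, which matches the 1-byte-on-the-wire observation in the post), alongside the UTF-8 form a browser would send (%D7%90). Already percent-encoded sequences are left alone; a bare "%" without two hex digits is also flagged, since that is the other common cause of a 400 on an otherwise ASCII URL. The request-targets used are constructed.

```python
"""Scan an HTTP request-target for bytes a strict parser rejects, and
percent-encode only those bytes (added example; inputs constructed)."""

# RFC 3986 path/query characters: unreserved, sub-delims, ":" "@" "/" "?".
_ALLOWED = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
               b"-._~!$&'()*+,;=:@/?")
_HEX = set(b"0123456789abcdefABCDEF")


def invalid_offsets(target):
    """Offsets of bytes that make the request-target invalid on the wire:
    anything outside the allowed set, or a '%' not followed by two hex digits."""
    bad, i = [], 0
    while i < len(target):
        b = target[i]
        if b == 0x25:                                   # '%'
            if i + 2 < len(target) and target[i + 1] in _HEX and target[i + 2] in _HEX:
                i += 3                                  # well-formed %XX, skip it
                continue
            bad.append(i)
        elif b not in _ALLOWED:
            bad.append(i)
        i += 1
    return bad


def request_target_is_valid(target):
    """True when a strict parser would accept every byte of the target."""
    return not invalid_offsets(target)


def encode_request_target(target):
    """Percent-encode only the offending octets, so the backend decodes exactly
    the bytes the client sent and already-encoded sequences are untouched."""
    bad = set(invalid_offsets(target))
    return b"".join(b"%%%02X" % b if i in bad else bytes([b])
                    for i, b in enumerate(target))


if __name__ == "__main__":
    # 0xE0 is the Hebrew letter alef as one byte in Windows-1255 / ISO-8859-8.
    raw = b"/push.asp?Message=\xe0"
    print(invalid_offsets(raw), encode_request_target(raw))   # [18] b'/push.asp?Message=%E0'
    # What a browser sends for the same letter: UTF-8, percent-encoded.
    print(request_target_is_valid("/push.asp?Message=א".encode("utf-8")),   # False
          request_target_is_valid(b"/push.asp?Message=%D7%90"))              # True
```

Whether the backend then interprets %E0 as Windows-1255 or expects %D7%90 is a property of the application, not of the proxy; the encoder above deliberately does not transcode.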

Small help for the n00b - Dynamic rule

I want to have a dynamic rule that takes the subdomain and uses that value to form a backend name; example:

123.foo.bar = use backend 123_backend
234.foo.bar = use backend 234_backend

An even more interesting alternative would be if it could use dynamic LAN domain naming…
123.foo.bar = use backend 123.foo.lan

else (no backend responding to that name) use the default backend.

I want to avoid using any map file (to avoid restarting HAProxy) and minimize manual administration; the general idea is to have 2-3 rules dynamically covering hundreds of frontends/backends.

I hope the question is not too stupid to be asked :slight_smile:

1 post - 1 participant


Deny access for URI

I want to deny access to a few URIs, e.g. /info/some. Below is the config I am using, but I still get 200 when doing curl.

acl bl_info path,url_dec -m beg -i /info/some
acl bl_para path,url_dec -m beg -i /param/some

http-request deny if bl_para
http-request deny if bl_info

Please suggest what is wrong here and what I should do. Thanks in advance.

1 post - 1 participant


Use set ssl cert with cert directory

I struggled quite a bit trying to figure out how to use the new directive to dynamically update certificates with HAProxy 2.1 when loading certificates from a directory. I think I've got it right now; hope it is helpful to someone (and happy for feedback). The key point I missed for quite a while was that the certificate name for "set ssl cert" is the full path to the file and not just the filename.

haproxy.cfg excerpt:

global
    stats socket /var/run/haproxy mode 600 level admin
frontend https-in
    bind *:443 ssl crt /etc/ssl/private/

Script to update certificates from the Let's Encrypt certbot:

#!/bin/bash

set -euo pipefail

LE_DIR=/etc/letsencrypt/live
HA_DIR=/etc/ssl/private
HA_SOCK=/var/run/haproxy

# The combined PEM contains the private key: create it unreadable to others,
# and write it with a redirect rather than tee so the key never hits stdout/logs.
umask 077

# update certs for HAProxy
for DIR in "${LE_DIR}"/*/; do
  DOMAIN=$(basename "${DIR}")
  PEM="${HA_DIR}/${DOMAIN}.pem"
  # also update the file in the filesystem for when haproxy restarts
  cat "${LE_DIR}/${DOMAIN}/fullchain.pem" "${LE_DIR}/${DOMAIN}/privkey.pem" > "${PEM}"
  # HAProxy knows the certificate by the full path it was loaded from;
  # the "<<" payload is terminated by an empty line
  printf 'set ssl cert %s <<\n%s\n\n' "${PEM}" "$(cat "${PEM}")" | socat stdio "unix-connect:${HA_SOCK}"
  printf 'commit ssl cert %s\n' "${PEM}" | socat stdio "unix-connect:${HA_SOCK}"
done

Note: This script does not work when you dynamically add new domains, as those new domains will not be known to HAProxy. From HAProxy 2.2 on, there seem to be additional commands to cover that use case, but afaik you would need to know which domain is new vs. which already exists, to run the correct command.

1 post - 1 participant


Haproxy 1.8 ERR_HTTP2_FRAME_SIZE_ERROR when changing tune.bufsize with http2

Hello,

I'm facing an error with haproxy and HTTP/2.
Our application uses big cookies, so we need to raise tune.bufsize above 16k (currently tune.bufsize 32768).

With HTTP/1.1 it works perfectly, but with HTTP/2 enabled we get a browser error "ERR_HTTP2_FRAME_SIZE_ERROR" (Chrome).
If we roll back tune.bufsize to the default, everything works.

The haproxy socket shows no error:
echo "show errors" | socat unix-connect:/var/lib/haproxy/stats stdio
Total events captured on [06/May/2020:15:44:36.053] : 0

It may be related to the frame size, but I don't know how to extend it:
https://http2.github.io/http2-spec/#FrameSize

Do you know how to deal with that?

Thanks for your help.

Regards,

1 post - 1 participant


Output haproxy backend's TCP client port in the logs

Context: I have an HAProxy configured to proxy TCP traffic for websockets. So a TCP redirecting session looks like this:

client app --> [(frontend) haproxy (backend)] --> server app

From the server's perspective, the TCP client that establishes the TCP connection is HAProxy's backend. When this new connection is established, it's possible for me to know the TCP client's port (in other words, the port of the HAProxy backend's TCP client connection).

Question: Is there a way to display this client's port in the logs? Not the client app's port, but really the backend's TCP client port. Basically, I would like a way to correlate the socket I have on the server with a session on haproxy.

What I tried: I looked in the doc to customize the TCP log format and tried to find a field that would give me the info I need, but nothing seems to fit.

1 post - 1 participant

