Channel: HAProxy community - Latest topics

Request config for haproxy with unicorn


@hapijs wrote:

My haproxy is on one machine (AWS instance), and my Rails app server with unicorn is on a different machine (AWS instance). It would be great if I could get some help from the community.

Posts: 1

Participants: 1



Multiple ssl certificates per ip using proxy protocol


@frekx wrote:

I am trying to set up a multi-layer haproxy setup. The first layer is a haproxy instance doing simple tcp level load balancing, using proxy protocol to the second layer, also running haproxy. The first layer has multiple public ips attached, which need to be handled differently on the second layer, especially in regards to certificates.
Unfortunately it seems to me that haproxy on the second layer can only be configured to bind to ip addresses of the server's network interfaces, but not to the receiving ip of the first layer. SNI is not an option here.

Posts: 2

Participants: 2


Haproxy + IIS passthrough cookies


@nem0nxt wrote:

We have an application that uses .Net and has authentication (token) cookies passed to the user when he authenticates, in order to track him (login - logout). I tried to pass those cookies on haproxy but with no success. Does anyone have a working example of how to redirect those cookies to the user? I have haproxy 1.5.14. I tried it with SSL passthrough (mode tcp) and also with (mode http) some http settings (tweaking) that I found scattered on the web. The cookies never pass to the IIS server. Just to clarify, I am using haproxy as a reverse proxy.

Thank you!

Posts: 1

Participants: 1


Duplicating all request to dummy server for A/B testing


@norcis wrote:

Hi,

I would like to duplicate the http request which comes to the frontend and send it to two backend servers. The first server's response should be delivered to the client; the second server is a dummy, whose replies are not returned to the client (only logged for performance measurement).

Is it possible with Haproxy?

Posts: 1

Participants: 1


Trouble with health checking


@coreoperations wrote:

I am using haproxy to load balance in front of some Oracle application servers. It is working fine; however, we have built some new app servers and cannot get them to work with haproxy.

The config is a copy/paste of a config that is working for existing servers, just with new IP addresses and port numbers for the new backend servers.

When I test using lynx or curl from the haproxy server I can retrieve the test page, but haproxy is reporting a L7TOUT on the stats page and giving a 503 service unavailable error in the browser.

The config is as follows:

  listen Load-Balancer-balancernew
    bind *:5051
    mode http
    balance roundrobin

    stats enable
    stats hide-version
    stats auth statuser:statpassword
    stats uri /stats
    stats refresh 20s
    stats show-node
    stats admin if TRUE

    cookie SERVERIDbalancernew insert indirect         #inserts cookie for session persistence

    option httpclose
    option forwardfor

    option httpchk GET /forms/frmservlet?config=balancernew      #checks html file

    http-check expect status 200            #expects status 200 if anything else reports server as down
    http-check disable-on-404

    server sh1app1_5051 192.168.1.60:5051 cookie sh1app1_5051 check
    server sh1app2_5051 192.168.1.70:5051 cookie sh1app2_5051 check
    option redispatch                       #dispatches request to other server if one server down

And when I retrieve the url http://192.168.1.60:5051/forms/frmservlet?config=balancernew or http://192.168.1.70:5051/forms/frmservlet?config=balancernew in curl or lynx the page is displayed.

Any suggestions as to how I might troubleshoot would be greatly appreciated, I’ve reached the limits of my haproxy skills.

Posts: 1

Participants: 1
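One way to reproduce the probe HAProxy actually sends (by default a bare `GET <uri> HTTP/1.0` with no Host header, unlike curl or lynx) and to tell a timeout (L7TOUT) from a wrong status (L7STS), added here as an example; it is not code from the post, and the fake backend and its delay are constructed:

```python
"""Reproduce the layer-7 check that `option httpchk GET <uri>` sends
and classify the outcome with the codes the stats page uses."""
import socket
import threading
import time
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import Optional

CHECK_URI = "/forms/frmservlet?config=balancernew"   # from the post's config


@dataclass
class CheckResult:
    code: str              # L7OK, L7STS, L7TOUT, L7RSP or L4CON
    status: Optional[int]  # HTTP status if a status line was received
    elapsed_ms: int
    detail: str


def _ms(start: float) -> int:
    return int((time.monotonic() - start) * 1000)


def probe(host: str, port: int, uri: str = CHECK_URI, timeout: float = 2.0,
          expect_status: int = 200) -> CheckResult:
    """Send the request HAProxy 1.5 sends by default (HTTP/1.0, no Host,
    no User-Agent) and wait `timeout` seconds (HAProxy: `timeout check`,
    which defaults to `inter`) for the status line."""
    start = time.monotonic()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return CheckResult("L4CON", None, _ms(start), f"connect failed: {exc}")
    with sock:
        sock.settimeout(timeout)
        sock.sendall(f"GET {uri} HTTP/1.0\r\n\r\n".encode("ascii"))
        try:
            head = sock.recv(4096)
        except socket.timeout:
            # Connected fine, but the application never answered: L7TOUT
            return CheckResult("L7TOUT", None, _ms(start),
                               "connected, no response before timeout")
    line = head.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = line.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return CheckResult("L7RSP", None, _ms(start), f"bad status line: {line!r}")
    status = int(parts[1])
    code = "L7OK" if status == expect_status else "L7STS"
    return CheckResult(code, status, _ms(start), line)


def start_fake_backend(delay_s: float = 0.0, status: int = 200) -> int:
    """Constructed stand-in for an app server: answers every GET with
    `status` after `delay_s` seconds. Returns the port it listens on."""
    class Handler(BaseHTTPRequestHandler):
        protocol_version = "HTTP/1.0"

        def do_GET(self):
            time.sleep(delay_s)
            try:
                self.send_response(status)
                self.send_header("Content-Type", "text/html")
                self.end_headers()
                self.wfile.write(b"<html>ok</html>")
            except OSError:
                pass  # the prober gave up and closed the socket already

        def log_message(self, *args):
            pass

    srv = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


if __name__ == "__main__":
    # Constructed demo: one backend answers at once, one stalls for 3 s
    fast, slow = start_fake_backend(), start_fake_backend(delay_s=3.0)
    for port in (fast, slow):
        r = probe("127.0.0.1", port, timeout=1.0)
        print(f"{port} {r.code} status={r.status} {r.elapsed_ms}ms {r.detail}")
```

Point `probe()` at the real server and path with `timeout` set to the listen section's `inter`/`timeout check`; a result of L7TOUT while curl succeeds usually means the application stalls on an HTTP/1.0 request without a Host header, which this probe reproduces and curl does not.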


SSL termination using haproxy for hadoop and spark


@zerobane wrote:

Hello,

Having some issues with redirects on the spark history page and haproxy on an SSL termination.

The home page works great; the SSL certificate is valid.

But if you click on any job history links, it seems the spark history page redirects to http, almost like it skips haproxy somehow.

Wondering if I am missing something simple in my configuration:

#spark
frontend jtest6
bind *:29205 ssl crt /root/cert/mykey
bind *:29999
mode http
option httpclose
option http-server-close
option forwardfor
reqadd X-Forwarded-Proto:\ https

#backend jtestb6
mode http
balance source
server server1 192.168.0.17:18080

Posts: 1

Participants: 1


Running haproxy as non root user i'd like to see logs


@MidanTahrir wrote:

Hi,
I am new to haproxy, running on CentOS 6.7. See haproxy version information below.
Previously I used stunnel and pen.
I run haproxy as a non-root user and have managed to set up some instances with load balancing and SSL. Fine, it works.

Now I am trying to configure an instance to a remote machine with signed client authentication.

myservice----haproxy---ssl---->remote machine.

This does not work. When started in foreground mode I get an ssl handshake error.
This is the point where I noticed that haproxy gives me no log file.

I would like to see more information from haproxy: statistics, error messages etc.
Where are the log files? How can I configure logging without being root?

I've read a lot in https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#8 but still have no clue.

Can someone please give me advice or an example config on how to get a bit of logging from haproxy?

Thanks in advance
MT

HA-Proxy version 1.5.4 2014/09/02
Copyright 2000-2014 Willy Tarreau w@1wt.eu

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing
OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.3
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 7.8 2008-09-05
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Posts: 1

Participants: 1


Help on Switching backend on TCP mode


@lucasbds wrote:

Hi,

I'm trying to redirect tcp traffic based on a regex, but it isn't working. The client app opens a socket and sends the message. I need to switch it depending on the content.
Can anyone give me some help!?

frontend switching

bind            192.168.0.176:2820

log-format [%t]\ from\ %ci:%cp\ to\ %fi:%fp\ %si:%sp\ %s\ %ts\ request_size=%U\ response_size=%B

acl acl_system2 req.payload(0,0) -m reg -i (.+)(06SWITCH)(.*)

use_backend system2 if acl_system2
use_backend system1

I also don't know the size of the payload; it may differ between requests.

Posts: 1

Participants: 1



Help on rate limiting POST requests by url once per day


@alanhl wrote:

How can I rate limit POST requests by url to once per day?

Is this something I would have to use stick-tables and/or ACLs for? I was looking for examples but couldn't find quite what I was looking for. Any examples or pointers to resources would be greatly appreciated!

Posts: 1

Participants: 1


Haproxy always prints "unable to load SSL private key from PEM file"


@sirhopcount wrote:

Hi,

I have been trying to deploy an SSL/SNI configuration with HAProxy 1.5 (1.5.8-3+deb8u2 to be specific) and although it does work (I can start, stop and restart the service), the configuration check always reports the following:

$ /usr/sbin/haproxy -c -f /etc/haproxy/haproxy.cfg
[ALERT] 179/141417 (14223) : parsing [/etc/haproxy/haproxy.cfg:68] : 'bind xxx.xxx.xxx.xxx:443' : unable to load SSL private key from PEM file '/etc/haproxy/ssl/xxx.xxx.xxx.xxx/'.
[ALERT] 179/141417 (14223) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT] 179/141417 (14223) : Proxy 'xxx.xxx.xxx.xxx_https': no SSL certificate specified for bind 'xxx.xxx.xxx.xxx:443' at /etc/haproxy/haproxy.cfg:68.
[ALERT] 179/141417 (14223) : Fatal errors found in configuration.

I cannot for the life of me find out why this error is generated.

I have tried multiple ways of sorting the order of the certificates and keys. Some of them are definitely not correct, as HAProxy won't start, but the current order (cert -> key -> intermediate) works.

The weird thing is that this configuration "works"; it's just that the error won't go away.

Can anybody give me any insight as to why this is?

Regards,

sirhopcount

Posts: 1

Participants: 1


HAPROXY 1.5.4/1.5.18 is sending [RST, ACK] in for closure to httpchk instead of [FIN, ACK]


@brianii wrote:

After some research and reviewing this other case posted on this site, I'm of the belief that version 1.5.4 and above of haproxy was modified to send a [FIN, ACK] for an http closure instead of the [RST, ACK] that earlier versions provided. In my testing I only ever see version 1.5.X send the [RST, ACK]. I've done this testing with both the 1.5.4 installed from RPM as well as the 1.5.18 that I've built from source, and I get the same results.

Here is a trace of haproxy doing an httpchk to my service running on port 8181:

  1 0.000000000    10.41.183.26          10.253.215.32         TCP      76     36435→8181 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=3353589862 TSecr=0 WS=128
  2 0.000018502    10.253.215.32         10.41.183.26          TCP      76     8181→36435 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=4196372022 TSecr=3353589862 WS=256
  3 0.001154189    10.41.183.26          10.253.215.32         TCP      68     36435→8181 [ACK] Seq=1 Ack=1 Win=14720 Len=0 TSval=3353589863 TSecr=4196372022
  4 0.001198735    10.41.183.26          10.253.215.32         HTTP     104    GET /ping 1.1
  5 0.001205593    10.253.215.32         10.41.183.26          TCP      68     8181→36435 [ACK] Seq=1 Ack=37 Win=14592 Len=0 TSval=4196372023 TSecr=3353589863
  6 0.001486994    10.253.215.32         10.41.183.26          HTTP/XML 214    HTTP/1.1 200 OK
  7 0.002579072    10.41.183.26          10.253.215.32         TCP      68     36435→8181 [ACK] Seq=37 Ack=147 Win=15744 Len=0 TSval=3353589864 TSecr=4196372023
  8 0.002626112    10.41.183.26          10.253.215.32         TCP      68     36435→8181 [RST, ACK] Seq=37 Ack=147 Win=15744 Len=0 TSval=3353589864 TSecr=4196372023

This httpchk was driven by this haproxy.cfg

> global
> log 127.0.0.1 local0

> chroot /var/lib/haproxy
> pidfile /var/run/haproxy.pid
> maxconn 4000
> user haproxy
> group haproxy
> daemon

> # turn on stats unix socket
> stats socket /var/lib/haproxy/stats

> defaults
> log global
> retries 3
> timeout connect 10s
> timeout client 10000m
> timeout server 10000m

> listen my-cluster
> bind 127.0.0.1:8181
> mode http
> option httpchk GET /ping 1.1
> http-check expect string AUTH
> option httplog
> option http-server-close
> default-server inter 30s
> server myserv-1 betadb-p:8181 check

I've attempted to use the 'http-server-close' option with this haproxy.cfg:

> global
> log 127.0.0.1 local0

> chroot /var/lib/haproxy
> pidfile /var/run/haproxy.pid
> maxconn 4000
> user haproxy
> group haproxy
> daemon

> # turn on stats unix socket
> stats socket /var/lib/haproxy/stats

> defaults
> log global
> retries 3
> timeout connect 10s
> timeout client 10000m
> timeout server 10000m

> listen my-cluster
> bind 127.0.0.1:8181
> mode http
> option httpchk GET /ping 1.1
> http-check expect string AUTH
> option httplog
> option http-server-close
> default-server inter 30s
> server myserv-1 betadb-p:8181 check

And that did not change the network trace as far as I can tell:

  1 0.000000000    10.253.215.39         10.253.215.32         TCP      76     36371→8181 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=4193044510 TSecr=0 WS=256
  2 0.000020008    10.253.215.32         10.253.215.39         TCP      76     8181→36371 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=4196446053 TSecr=4193044510 WS=256
  3 0.000266409    10.253.215.39         10.253.215.32         TCP      68     36371→8181 [ACK] Seq=1 Ack=1 Win=14848 Len=0 TSval=4193044510 TSecr=4196446053
  4 0.000312234    10.253.215.39         10.253.215.32         HTTP     90     GET /ping HTTP/1.0
  5 0.000320249    10.253.215.32         10.253.215.39         TCP      68     8181→36371 [ACK] Seq=1 Ack=23 Win=14592 Len=0 TSval=4196446053 TSecr=4193044510
  6 0.000566198    10.253.215.32         10.253.215.39         HTTP/XML 214    HTTP/1.1 200 OK
  7 0.000709283    10.253.215.39         10.253.215.32         TCP      68     36371→8181 [ACK] Seq=23 Ack=147 Win=15872 Len=0 TSval=4193044510 TSecr=4196446053
  8 0.000776358    10.253.215.39         10.253.215.32         TCP      68     36371→8181 [RST, ACK] Seq=23 Ack=147 Win=15872 Len=0 TSval=4193044510 TSecr=4196446053

So I guess I'm looking for some advice on whether there is some sort of configuration I need in place to get haproxy to send the [FIN, ACK] instead of the [RST, ACK]. The [RST, ACK] closures are causing my program socket errors saying 'connection was reset by peer'.

Posts: 1

Participants: 1


PKCS#11 Revisited: OpenSSL Engine RFC


@beaver6675 wrote:

Hi, was there any follow up to http://permalink.gmane.org/gmane.comp.web.haproxy/23039 ?

RFC: add support for OpenSSL Engine e.g. PKCS11 HSM

Summary:
Main change is config keywords for engine support, and per proc private key loading.
Reason: PKCS#11 libraries are not required to be fork() safe. E.g. master process
loads private key in SSL context, fork() to worker -> all handles to private key objects
may be invalid: this depends on the PKCS11 library in question.

Counter-arguments from other project: nginx developers are not agreeable to this sort of change;
they expect the engine to handle fork(). However this does not seem to be realistic in the real world.

https://forum.nginx.org/read.php?29,260557,260561#msg-260561

E.g. openssl engine provided by HSM vendor which is a wrapper around the vendor PKCS11 library; the vendor library is not fork() safe.

Design: keywords on bind:

  • engine (enable OpenSSL engine)
  • engine_conf (OpenSSL CONF file)
  • engine_key_label (label of PKCS11 private key in HSM)
    Example: bind ... engine engine_conf /etc/haproxy/openssl.cnf engine_key_label myprivatekey

in ssl_sock.c: don't load private key into SSL_CTX if we are using engine

ssl_sock.c:ssl_sock_load_cert_file()

if (using_engine) // skip private key SSL_CTX_use_PrivateKey_file and SSL_CTX_check_private_key
because we want to load this stuff in the child process.

ssl_sock.c:ssl_sock_init()
pseudocode:

in the bind_conf structure we keep a new flag if engine is initialized and private key is load

ssl_sock_init():
if (using_engine && private_key not initialized) { load private key from engine }

Comments?

I have a working patch if anyone is interested; but I would like to get your inputs first.

Posts: 1

Participants: 1


Help about Haproxy control list, how can allow only some specific links to pass haproxy server


@yanggis wrote:

Dear all, I have a domain whitelist file, which includes around 200 links. The whitelist looks like:

facebook.com
google.com
amazon.com
ebay.com
...
bbc.com

I want to create an acl control list to only allow the domains in the whitelist to pass my server. At present, I tried the config file, but unfortunately it doesn't work as expected:

default_backend b_deadend_http
use_backend http_ok if { hdr_beg(host) -f /etc/haproxy/white.lst }

I'm not sure what's wrong. Does the whitelist file require any special format, or is the acl rule problematic?

Any tips will be appreciated.

Posts: 5

Participants: 2
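How each `hdr_*` match method behaves when fed that whitelist file, as an added example (not from the thread; the file excerpt is constructed, and the matchers follow HAProxy's str/beg/end/dom pattern semantics, with `-f` files read one pattern per line, `#` comments ignored):

```python
"""Model of the HAProxy ACL match methods behind hdr(host) (exact),
hdr_beg, hdr_end and hdr_dom when used with a `-f` pattern file."""
from typing import Iterable, List

# Constructed excerpt of /etc/haproxy/white.lst (not the poster's real file)
WHITE_LST = """\
# one pattern per line; blank lines and comments are ignored
facebook.com
google.com
amazon.com
ebay.com
bbc.com
"""

# Characters HAProxy treats as boundaries for the `dom` match
_DOM_DELIMS = set("./?:")


def load_patterns(text: str) -> List[str]:
    """Read a `-f` pattern file: strip whitespace, skip blanks and '#' lines."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            out.append(line)
    return out


def _norm(s: str, icase: bool) -> str:
    return s.lower() if icase else s


def match(subject: str, pattern: str, method: str, icase: bool = False) -> bool:
    """Apply one match method: str (exact), beg (prefix), end (suffix),
    sub (substring) or dom (pattern bounded by delimiters or string edges).
    Matching is case-sensitive unless the ACL uses -i."""
    s, p = _norm(subject, icase), _norm(pattern, icase)
    if method == "str":
        return s == p
    if method == "beg":
        return s.startswith(p)
    if method == "end":
        return s.endswith(p)
    if method == "sub":
        return p in s
    if method == "dom":
        p = p.strip("./?:")  # HAProxy ignores delimiters at the pattern's edges
        start = 0
        while True:
            i = s.find(p, start)
            if i < 0:
                return False
            before_ok = i == 0 or s[i - 1] in _DOM_DELIMS
            j = i + len(p)
            after_ok = j == len(s) or s[j] in _DOM_DELIMS
            if before_ok and after_ok:
                return True
            start = i + 1
    raise ValueError(f"unknown match method {method!r}")


def acl_matches(subject: str, patterns: Iterable[str], method: str,
                icase: bool = False) -> bool:
    """`hdr_xxx(host) -f file` is true when any pattern in the file matches."""
    return any(match(subject, p, method, icase) for p in patterns)


def which_methods_match(host: str, patterns: List[str]) -> List[str]:
    """Report which ACL flavours (all with -i) would let this Host value through."""
    return [m for m in ("str", "beg", "end", "dom")
            if acl_matches(host, patterns, m, icase=True)]


if __name__ == "__main__":
    pats = load_patterns(WHITE_LST)
    for host in ("facebook.com", "www.facebook.com", "www.facebook.com:443",
                 "facebook.com.example.net", "notfacebook.com"):
        print(f"{host:26} -> {which_methods_match(host, pats)}")
```

With bare names in the file, `hdr_beg` misses `www.facebook.com` yet accepts `facebook.com.example.net`, `hdr_end` accepts `notfacebook.com`, and `hdr_dom` accepts both `www.facebook.com:443` and `facebook.com.example.net`. The strict forms are an exact `hdr(host)` list (with `:port` variants where clients send one) or `hdr_end` entries written with a leading dot next to the bare names.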


Rsyslog for RHEL 7.2


@kotarusv wrote:

My rsyslog setup for Haproxy is working fine. The current production setup is RHEL 6.7 and haproxy 1.5.x versions.

However the same setup for RHEL 7.2 and HAProxy 1.6.6 is not working. We always run separate instances for 80 and 443 on the same RP servers. The binary is the same for both 80 and 443 except for renaming the program name to haproxy-80 and haproxy-443.

Working setup:

$ ps -ef | grep haproxy
www 22071 1 5 16:18 ? 00:23:01 /opt/httpd/haproxy/sbin/haproxy-80 -f /opt/httpd/haproxy-80/etc/haproxy.conf -p /var/run/haproxy-80.pid -sf 19292
wwwssl 22121 1 15 16:19 ? 00:59:42 /opt/httpd/haproxy/sbin/haproxy-ssl -f /opt/httpd//haproxy-ssl/etc/haproxy.conf -p /var/run/haproxy-ssl.pid -sf 21171

$ ls -l /etc/rsyslog.d/haproxy-*
-rw-r--r--. 1 root root 286 Jan 16 2014 /etc/rsyslog.d/haproxy-80.conf
-rw-r--r--. 1 root root 292 Jan 16 2014 /etc/rsyslog.d/haproxy-ssl.conf

$ cat /etc/rsyslog.d/haproxy-80.conf

if ($programname == 'haproxy-80' and $syslogseverity-text == 'info') then -/opt/httpd/logs/haproxy-80/haproxy-80-info.log
& ~
if ($programname == 'haproxy-80' and $syslogseverity-text == 'notice') then -/opt/httpd/logs/haproxy-80/haproxy-80-notice.log
& ~

$ cat /etc/rsyslog.d/haproxy-ssl.conf
if ($programname == 'haproxy-ssl' and $syslogseverity-text == 'info') then -/opt/httpd/logs/haproxy-ssl/haproxy-ssl-info.log
& ~
if ($programname == 'haproxy-ssl' and $syslogseverity-text == 'notice') then -/opt/httpd/logs/haproxy-ssl/haproxy-ssl-notice.log
& ~

80 instance haproxy.cfg file:

global
daemon
user www
group www
pidfile /var/run/haproxy-80.pid
log /dev/log local1 notice
log /dev/log local0 info
maxconn 50000
tune.bufsize 65536
spread-checks 5
stats socket /var/run/haproxy-80.stat mode 600 level admin
stats timeout 2m
nbproc 1
tune.comp.maxlevel 5

Pretty same for 443 instance as well.

Our intention is to send logs to separate files for both 80 and 443, as well as to filter out info and notice logs (similar to apache access and error logs) as per our internal requirements. The above setup is working fine.

$ ls -ltr /opt/httpd/logs/haproxy-80

-rw------- 1 root root 819055 Jul 5 22:55 haproxy-80-notice.log
-rw------- 1 root root 467127188 Jul 5 22:55 haproxy-80-info.log

$ ls -ltr /opt/httpd/logs/haproxy-ssl
-rw------- 1 root root 1079239 Jul 5 22:56 haproxy-ssl-notice.log
-rw------- 1 root root 323238292 Jul 5 22:56 haproxy-ssl-info.log

What is the problem??

We are moving to RHEL 7.x and HAProxy 1.6.6. The same config that is working above is not working now. I can see only 'notice' files, but 'info' files are not being generated. I'm suspecting $syslogseverity-text is not working as expected. If I change the rsyslog config as below then I can see all entries (both info and notice) in a single file. I really want to separate logs like in our current setup.

$ cat /etc/rsyslog.d/haproxy-80.conf
if $programname == 'haproxy-80' then -/opt/haproxy/log/haproxy-80/haproxy-80-info.log ( is working)

Can you help if anything is wrong in the new setup?

Srinivas Kotaru

Posts: 1

Participants: 1


HTTP/2 configuration help needed


@devnull wrote:

Hi,

I've found a few examples such as http://m12.io/blog/http-2-with-haproxy-and-nginx-guide that detail how to setup HTTP/2 and HTTP/1.1 co-existence.

But they seem to be limited to using SSL.

In particular, the examples I've found seem to use:

use_backend nodes-http2 if { ssl_fc_alpn -i h2 }

as a test for whether a client supports HTTP/2. What is the equivalent to use for plain old HTTP?

Thanks!

Posts: 2

Participants: 2



Bind "name" parameter seems to be ignored


@sottolski wrote:

Howdy,

I'm trying to condense my configuration for 1.6.6 a bit. Instead of

frontend FE-1
    bind 172.17.1.11:443 ssl crt /etc/ssl/private/mycert.pem
    reqadd "X-Forwarded-Proto: https"
    default_backend app-servers

frontend FE-2
    bind 172.17.1.12:443 ssl crt /etc/ssl/private/mycert.pem
    reqadd "X-Forwarded-Proto: https"
    default_backend app-servers

frontend FE-3
    bind 172.17.1.13:443 ssl crt /etc/ssl/private/mycert.pem
    reqadd "X-Forwarded-Proto: https"
    default_backend app-servers

I thought I could do something like

frontend SSL
    bind 172.17.1.11:443 ssl crt /etc/ssl/private/mycert.pem name FE-1
    bind 172.17.1.12:443 ssl crt /etc/ssl/private/mycert.pem name FE-2
    bind 172.17.1.13:443 ssl crt /etc/ssl/private/mycert.pem name FE-3
    reqadd "X-Forwarded-Proto: https"
    default_backend app-servers

The docs tell me

name <name>

Sets an optional name for these sockets, which will be reported on the stats page.

However, I don't seem to see any of my names on the stats page.

Is it a misunderstanding on my side what the name is for, or may it be a bug?

Thanks

Sascha

Posts: 1

Participants: 1


Allow users to have multiple rdp sessions?


@gwilson_aus wrote:

Testing haproxy as a load balancing tool for our 4 2008 R2 terminal servers.

It's working ok except that I can't work out how to let staff have more than one simultaneous rdp session. At present, if they start a second rdp session from a different device, haproxy always connects them to their existing session. I can understand why this is happening, as the hash is seeing the user name, but I'd like users to be allowed 2 different rdp server sessions simultaneously.

Does anyone know how to achieve this with haproxy?

Many thanks,

Greg.

Posts: 1

Participants: 1


New session sent to incorrect backend after soft reload


@codeslinger wrote:

Hi all,

I have a setup with multiple HAProxy servers (running 1.6.3 from haproxy.org) balancing for a number of backend servers using stick-table to replicate backend target choices between the peers. The sessions coming in are long-lived and need to all hit the same backend for the same logical grouping. (X-Foobar header value)

I also have a script that runs periodically to discover the existence of backends and will recreate the haproxy.cfg file in the event that any have been added or removed (for blue/green deploys). It will recreate the config file and then issue a soft reload (haproxy -sf).

I've noticed, though, that sometimes right after the reload a new session will come in and be sent to a backend different from the one chosen prior to the reload. See the logs in this paste (haproxy.cfg also in there):

https://gist.github.com/codeslinger/7c631fd18b30c41b57a23e949cf12d58

Note in the haproxy.log section therein that the connection that came in at 21:27:11 was placed on a different backend than the one that came in at 20:59:10, even though they had the same X-Foobar header value. The reload occurred at 21:27:03. There were other sessions with this same X-Foobar value that came in before the reload on all the peer HAProxys that also were directed to the correct backend. I imagine that means the record was in the sticktable and replicated properly prior to the reload, no?

My guess is that there is a race condition whereby the new process attaches to the listening ports and starts servicing new sessions prior to receiving any/all of the sticktable data from the old process. I've confirmed in the source code that the listening ports are bound in the new process before the SIGUSR1 is issued to the old process to tell it to stop service, but I can't seem to find where the sticktable data is sent to the new process quite yet. (i.e. no smoking gun for a bug report)

Does anyone have any ideas on how I can fix/work around this issue? Given the nature of our sessions, if they don't all hit the same backend, it's a really bad experience for our clients. I would sure appreciate any help anyone has to give. Thanks!

Posts: 2

Participants: 2


Certificate Authentication failing Outlook 2016


@albercuba wrote:

Hello everyone. I want to configure HAProxy to allow connections only from users with a valid certificate, so the connection between the client application and HAProxy is restricted and then the connection between HAProxy and my backend servers is only SSL without certificate authentication.

So far my configuration works with Firefox, Internet Explorer, Microsoft Edge, Chrome, Thunderbird (IMAP) and smartphone mail apps (IMAP).

The problem comes when I try to use the Outlook 2016 client (I also tested it with Outlook 2010 and Outlook 2013 and I get the same problem): it just crashes.

This is what I did to create the certificates --> https://paste.ee/p/d4kYu

And this is my HAProxy configuration file --> https://paste.ee/p/Xw5Lp

Did someone manage to get this working?

UPDATE 1 !!!

I found that when using any Microsoft product (Edge, Internet Explorer, Outlook) I get a "Connection closed during SSL handshake" error in my HAProxy logs and then I am asked to confirm the client certificate.

So my guess is that it fails when using Outlook because I have no way to confirm the certificate, therefore no data is sent to finish the SSL handshake.

UPDATE 2 !!!

I changed my "defaults" configuration and now I do not get the "Connection closed during SSL handshake" error, but Outlook still crashes.

Thanks

Posts: 1

Participants: 1


HAProxy 1.6.7 timeout tunnel is not working properly


@asthomas wrote:

I configured HAProxy with "timeout tunnel 40s". I then connected a WebSocket through HAProxy where the client application transmits a lot of data, but the server only sends something back every 5 minutes. The client transmits furiously for about 55 seconds and then HAProxy cuts the connection. This behaviour is consistent.

From the documentation, it says that HAProxy will only cut the connection if the timeout elapses with no traffic in either direction. There was plenty of traffic in this case, but only from client to server.

I modified the configuration of HAProxy to "timeout tunnel 3600s" and the disconnection went away.

If it helps, the client connects via a WebSocket over SSL to HAProxy, and HAProxy connects to the backend server unencrypted. The backend server is on the same machine as HAProxy.

Posts: 1

Participants: 1

