
Config not working after upgrade from 1.5 to 1.8.13

@Saoclyph wrote:

Last year I followed this great tutorial, and I got openvpn, ssh, and some websites to work from a single 443 port.

Everything was working great until last week, when I upgraded my pfsense box from 2.4.3 to 2.4.4. It also upgraded the haproxy package from 1.5 to 1.8, and now haproxy does not proxy anything except for openvpn that still works.

Running the config through the config check says it is OK.

I tried to get some debug logging but nothing is sent to my syslog server (it was working before). And when I launch haproxy in debug mode with “-d”, I get the default log format instead of the tcp or http as defined in the config.

Are there any major changes in the config from 1.5 to 1.8?

My current configuration:

haproxy.cfg
# Automatically generated, don't edit manually.
# Generated on: 2018-10-04 00:12
global
	maxconn			500
	log			log.example.com:514	local0	debug
	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
	uid			80
	gid			80
	nbproc			1
	nbthread			1
	hard-stop-after		15m
	chroot				/tmp/haproxy_chroot
	daemon
	log-send-hostname		pfs
	server-state-file /tmp/haproxy_server_state
	# Modern browser compatibility only as mentioned here:
	# https://wiki.mozilla.org/Security/Server_Side_TLS
	ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
	tune.ssl.default-dh-param 2048
	
	# Time-to-first-Byte (TTFB) value needs to be optimized based on
	# the actual public certificate chain see
	# https://www.igvita.com/2013/10/24
	# /optimizing-tls-record-size-and-buffering-latency/
	tune.ssl.maxrecord 1370

listen HAProxyLocalStats
	bind 127.0.0.1:2200 name localstats
	mode http
	stats enable
	stats admin if TRUE
	stats show-legends
	stats uri /haproxy/haproxy_stats.php?haproxystats=1
	timeout client 5000
	timeout connect 5000
	timeout server 5000

frontend WAN_HTTPS_offload-merged
	bind			127.0.0.1:2043 name 127.0.0.1:2043  no-sslv3 no-tls-tickets no-tlsv10 no-tlsv11 ssl crt-list /var/etc/haproxy/WAN_HTTPS_offload.crt_list ca-file /var/etc/haproxy/clientca_WAN_HTTPS_offload.pem verify optional  accept-proxy npn http/1.1
	mode			http
	log			global
	option			httplog
	option			http-keep-alive
	timeout client		7200000
	# Remove headers that expose security-sensitive information.
	rspidel ^Server:.*$
	rspidel ^X-Powered-By:.*$
	rspidel ^X-AspNet-Version:.*$
	
	# add some security related headers
	#rspadd Content-Security-Policy:\ default-src\ https:\ wss:\ data:\ \'unsafe-inline\'\ \'unsafe-eval\'
	
	rspadd X-Frame-Options:\ SAMEORIGIN
	rspadd X-Content-Type-Options:\ nosniff
	rspadd X-Xss-Protection:\ 1;\ mode=block
	
	capture request header X-Forwarded-For len 15
	capture request header host  len 50
	capture request header X-Plex-Device-Name  len 50
	
	declare capture response len 32
	declare capture response len 32
	http-response capture res.hdr(X-Forwarded-For) id 0
	http-response capture res.hdr(host) id 1
	acl			aclsystem_ssl_c_used	ssl_c_used
	acl			is_local	src 192.168.10.0/24
	acl			CF_cert_ok	ssl_c_verify 0
	acl			is_gateway	src 192.168.10.254
	acl			is_local	src 10.105.8.0/24
	acl			Plex_random	var(txn.txnhost) -m str -i plex.example.com
	acl			Plex_random	var(txn.txnhost) -m str -i plex.example.com:443
	http-request set-var(txn.txnhost) hdr(host)
	http-request add-header X-Forwarded-For %[req.hdr(CF-Connecting-IP)]  if  CF_cert_ok aclsystem_ssl_c_used 
	http-request add-header X-Forwarded-For %ci  if  is_local 
	use_backend plex_nas_ipvANY  if  Plex_random is_local !is_gateway 
	use_backend plex_nas_ipvANY  if  Plex_random CF_cert_ok aclsystem_ssl_c_used 
	default_backend None_backend_ipvANY

frontend WAN_SSLH-merged
	bind			127.0.0.1:2022 name 127.0.0.1:2022  no-sslv3 ssl crt-list /var/etc/haproxy/WAN_SSLH.crt_list  accept-proxy npn ssh/2.0
	mode			tcp
	log			global
	timeout client		7200000
	acl			ssl_acl	ssl_fc_npn -i ssh/2.0
	acl			proxmox	ssl_fc_sni_reg  prox.ssh.example.com
	use_backend ssh_proxmox_b_ipvANY  if  proxmox ssl_acl 

frontend WAN_443-merged
	bind			192.168.10.100:443 name 192.168.10.100:443   
	mode			tcp
	log			global
	timeout client		30000
	tcp-request content accept if { req.ssl_hello_type 1 } or !{ req.ssl_hello_type 1 }
	tcp-request inspect-delay	5s
	acl			is_local	src 192.168.10.0/24
	acl			vpn_acl	req.len 0
	acl			vpn_acl_1	req.ssl_hello_type 1
	acl			ssh_acl	req_ssl_hello_type 1
	acl			ssh_acl_1	req_ssl_sni -m end -i ssh.example.com
	acl			https	req.ssl_ver gt 0
	acl			offload_hostnames	req.ssl_sni -i plex.example.com
	acl			proxy_hostnames	req.ssl_sni -i bw.example.com
	tcp-request content accept if { req.ssl_ver gt 0 }
	use_backend OpenVPN_local_tun_b_ipvANY  if  !vpn_acl !vpn_acl_1 
	use_backend WAN_SSLH_b_ipvANY  if  ssh_acl ssh_acl_1 
	use_backend WAN_HTTPS_offload_b_ipvANY  if  https offload_hostnames 
	use_backend WAN_HTTPS_proxy_b_ipvANY  if  https proxy_hostnames 
	default_backend None_backend_ssl_ipvANY

frontend WAN_HTTPS_proxy-merged
	bind			127.0.0.1:2044 name 127.0.0.1:2044   accept-proxy npn http/1.1
	mode			tcp
	log			global
	option			tcplog
	timeout client		7200000
	tcp-request inspect-delay	5s
	acl			is_local	src 192.168.10.0/24
	acl			is_gateway	src 192.168.10.254
	acl			bitwarden	req.ssl_sni -i bw.example.com
	tcp-request content accept if { req.ssl_hello_type 1 }
	use_backend bitwarden_nas_ipvANY  if  bitwarden 
	default_backend None_backend_ssl_ipvANY

frontend test
	bind			192.168.10.100:80 name 192.168.10.100:80   
	mode			http
	log			global
	option			http-keep-alive
	timeout client		30000

backend None_backend_ipvANY
	mode			http
	id			101
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	server			none_backend_server 127.0.0.1:81 id 100  

backend plex_nas_ipvANY
	mode			http
	id			112
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	server			plex_nas 192.168.20.2:32400 id 113 check inter 1000  

backend ssh_proxmox_b_ipvANY
	mode			tcp
	id			114
	log			global
	timeout connect		30000
	timeout server		30000
	retries			2
	server			proxmox_server 192.168.10.30:22 id 115  

backend None_backend_ssl_ipvANY
	mode			tcp
	id			102
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	server			none_backend_server 127.0.0.1:81 id 103  

backend OpenVPN_local_tun_b_ipvANY
	mode			tcp
	id			104
	log			global
	timeout connect		3000
	timeout server		7200000
	retries			2
	server			OpenVPN_local_tun 192.168.10.100:100911 id 105  

backend WAN_SSLH_b_ipvANY
	mode			tcp
	id			110
	log			global
	timeout connect		30000
	timeout server		7200000
	retries			3
	server			WAN_SSLH 127.0.0.1:2022 id 111 ssl  verify none send-proxy 

backend WAN_HTTPS_offload_b_ipvANY
	mode			tcp
	id			108
	log			global
	timeout connect		30000
	timeout server		7200000
	retries			3
	server			WAN_HTTPS_offload 127.0.0.1:2043 id 109 ssl  verify none send-proxy 

backend WAN_HTTPS_proxy_b_ipvANY
	mode			tcp
	id			116
	log			global
	timeout connect		30000
	timeout server		7200000
	retries			3
	server			WAN_HTTPS_proxy 127.0.0.1:2044 id 117 ssl  verify none send-proxy 

backend bitwarden_nas_ipvANY
	mode			tcp
	id			118
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	server			bitwarden_nas_server 192.168.20.2:8091 id 119 ssl check inter 1000  verify none

Does anyone know if there are any changes that need to be done so that this config can work for 1.8?

Posts: 1

Participants: 1

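As an added illustration (editor's example, not code from the poster or from pfSense), the following Python reconstructs the dispatch logic of the frontend WAN_443-merged above: it builds a constructed TLS ClientHello, extracts what req.ssl_hello_type and req.ssl_sni would see, and walks the use_backend rules in order. The ClientHello builder and the simplified routing function are assumptions; only the backend names and ACL conditions come from the post.

```python
import struct

# Backend names come from the frontend WAN_443-merged in the post; the dispatch order
# follows its use_backend lines (first match wins) and its default_backend.
DEFAULT_BACKEND = "None_backend_ssl_ipvANY"


def build_client_hello(sni):
    """Constructed test input: a minimal TLS 1.2 ClientHello record with one SNI extension."""
    host = sni.encode("ascii")
    server_name_list = struct.pack("!BH", 0, len(host)) + host          # name_type 0 = host_name
    sni_ext = struct.pack("!H", len(server_name_list)) + server_name_list
    extensions = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext      # extension type 0 = server_name
    body = (
        b"\x03\x03"                                   # client_version TLS 1.2
        + b"\x00" * 32                                # random (zeros are fine for a test vector)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"          # one cipher suite
        + b"\x01\x00"                                 # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body        # msg_type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22 = handshake


def parse_client_hello(data):
    """Return (hello_type, sni): hello_type is what req.ssl_hello_type sees (None if the bytes are
    not a TLS handshake record); sni is the host_name from the server_name extension, or None."""
    if len(data) < 9 or data[0] != 0x16:
        return None, None
    hello_type = data[5]
    if hello_type != 1:
        return hello_type, None
    try:
        pos = 9                                            # record header (5) + msg_type (1) + length (3)
        pos += 2 + 32                                      # client_version, random
        pos += 1 + data[pos]                               # session_id
        pos += 2 + struct.unpack_from("!H", data, pos)[0]  # cipher_suites
        pos += 1 + data[pos]                               # compression_methods
        if pos + 2 > len(data):
            return 1, None                                 # no extensions block at all
        ext_end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack_from("!HH", data, pos)
            pos += 4
            if ext_type == 0 and ext_len >= 5 and data[pos + 2] == 0:
                name_len = struct.unpack_from("!H", data, pos + 3)[0]
                return 1, data[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += ext_len
    except (IndexError, struct.error):
        pass                                               # truncated hello: treated as no SNI
    return 1, None


def choose_backend(data):
    """Mirror the frontend's ACLs: vpn_acl = req.len 0, vpn_acl_1/ssh_acl = req.ssl_hello_type 1,
    ssh_acl_1 = req_ssl_sni -m end ssh.example.com, offload/proxy hostnames = exact SNI match."""
    hello_type, sni = parse_client_hello(data)
    is_hello = hello_type == 1
    sni_l = (sni or "").lower()
    if len(data) > 0 and not is_hello:                     # !vpn_acl !vpn_acl_1
        return "OpenVPN_local_tun_b_ipvANY"                # any non-TLS bytes go here uninspected
    if is_hello and sni_l.endswith("ssh.example.com"):     # ssh_acl ssh_acl_1
        return "WAN_SSLH_b_ipvANY"
    if is_hello and sni_l == "plex.example.com":           # https offload_hostnames
        return "WAN_HTTPS_offload_b_ipvANY"
    if is_hello and sni_l == "bw.example.com":             # https proxy_hostnames
        return "WAN_HTTPS_proxy_b_ipvANY"
    return DEFAULT_BACKEND                                 # empty buffer or unknown SNI
```

Note that the first rule sends any non-empty payload that is not a TLS handshake record to the OpenVPN backend without further inspection, and that an empty buffer (inspect-delay expired with no bytes) falls through to the default backend.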


Need help in converting nginx to ha proxy

@vinodlouis wrote:

I need help to convert the following nginx configuration
host1 = http://localhost:8088 in code

server {
    listen 9001;
    server_name localhost;
    location /analytics/ {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Script-Name /analytics;
        proxy_pass host1;
        proxy_redirect http://localhost/ host1/;
        # YOUR_SERVER_NAME is localhost if both nginx and superset run on same server
    }
    location ~ ^/(static|superset|sqllab|savedqueryview|druid|tablemodelview|databaseasync|dashboardmodelview|slicemodelview) {
        try_files $uri /analytics/$uri /analytics/$uri?query_string @rules;
    }
    location @rules {
        rewrite ^(.*) /analytics$1 permanent;
    }
}

I'm trying to access the application running at 8080 via 9001/analytics

Posts: 1

Participants: 1


Block request if host == IP

@fdellwing wrote:

Hi,

I would like to block all requests that use any of the ip addresses of the server as host. Is there an easier way than acl is_ip hdr(host) -i 1.2.3.4 -i 4.3.2.1?

Greetings

Posts: 3

Participants: 2


Forwarding to a backend on a new URL path

@GoodmanDev wrote:

Hello!

I currently host a multi-server application using Apache HTTPD as a proxy, and am in the process of moving across to HAProxy. I’ve found a lot of the configuration far simpler and more intuitive than Apache, but am stumped on one particular requirement (enforced by the application).

Requests come in to HAProxy on a path matching /ApplicationA/rest/of/path, /ApplicationB/rest/of/path, /ApplicationC/rest/of/path, and based on the application letter (A, B, C) HAProxy is to pass the request onto one of a number of backend servers. The caveat is that the request needs to be forwarded to the backend on /Application/rest/of/path, rather than /Application/rest/of/path.

I’ve tried something along these lines, but since the reqrep is applied before use_backend, I end up with the request URL failing to match.

acl   url_application_a   path_beg   /ApplicationA
acl   url_application_b   path_beg   /ApplicationB
acl   url_application_a   path_beg   /ApplicationC

use_backend   APP_A   if   url_application_a
use_backend   APP_B   if   url_application_b
use_backend   APP_C   if   url_application_c

reqrep   ^([^\ :]*)\ /ApplicationA[/]?(.*)        \1\ /Application/\2      if url_application_a
reqrep   ^([^\ :]*)\ /ApplicationB[/]?(.*)        \1\ /Application/\2      if url_application_b
reqrep   ^([^\ :]*)\ /ApplicationC[/]?(.*)        \1\ /Application/\2      if url_application_c

Is what I’m looking for possible? And am I just missing something silly? Any help would be greatly appreciated!

Thanks in advance

Posts: 1

Participants: 1


Acl to allow users from cn field client certificate

@smalecwks wrote:

Hi,

I have a setup working with client certificate authentication.
I would like to make the setup block a particular user, based on the CN field of the client certificate, from accessing URLs matching a regular expression.

I can block url with regular expression with acl:

acl restricted_page url_reg TEST
http-request deny if restricted_page

which works and prevents me from accessing URLs containing the keyword TEST.

I tried to filter users with http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
but can’t make it work :frowning:

Basically I would like to achieve something like this:

if client certificate CN=user1 then block URLs with keyword TEST1
if client certificate CN=user2 then block URLs with keyword TEST2

Thank you in advance for any suggestions

Posts: 1

Participants: 1


Haproxy v 1.8 config

@Harery wrote:

I’m using the round-robin balance type with three back-end web servers,
but all incoming connections are always forwarded to web-01, not balanced across the 3 web servers.
PS: when shutting down web-01, all connections go to web-02.

Here’s my config file. I need to balance all traffic across the back-end servers, not only one server.

global
	log /dev/log local0
	log /dev/log local1 notice
	chroot /var/lib/haproxy

	pidfile /var/run/haproxy.pid
	maxconn 50000
	user haproxy
	group haproxy
	daemon

	stats socket /var/lib/haproxy/stats mode 600 level admin
	stats timeout 30s
	
	ca-base /etc/opt/rh/rh-haproxy18/haproxy/ssl/live/yasso.com
	crt-base /etc/opt/rh/rh-haproxy18/haproxy/ssl/live/yasso.com/
	
	tune.ssl.default-dh-param 4096
	ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
	ssl-default-bind-ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384

defaults
	mode http 
	log	global
	timeout connect 25000ms 
	timeout client 60000ms 
	timeout server 60000ms
	timeout queue 60000ms
	timeout http-request 15000ms
	timeout http-keep-alive 15000ms
	option	httplog
	option	dontlognull
	option redispatch
	option forwardfor 
	option http-server-close
	option httpclose

frontend https-in

	rspadd X-Frame-Options:\ DENY
	bind *:443 ssl crt /etc/opt/rh/rh-haproxy18/haproxy/ssl/live/yasso.com/yasso.com.pem

	stats enable  
	stats realm Haproxy\ Statistics  
	stats uri /haproxy_stats 
	stats refresh 10s
	stats show-node
	stats auth yasso:yasso
	stats admin if TRUE	

	default_backend WEB-APP
	
backend WEB-APP

	balance roundrobin
	option http-keep-alive
	option httpchk HEAD / HTTP/1.1\r\nHost:localhost
	cookie SERVERID insert indirect nocache
	stick-table type integer size 1k expire 3h
	stick on dst_port
	
	server web-01 192.168.100.78:80 check cookie web-01
	server web-02 192.168.100.79:80 check cookie web-02
	server web-03 192.168.100.80:80 check cookie web-03

	timeout tunnel 10h

	http-request set-header X-Forwarded-Port %[dst_port]
	http-request add-header X-Forwarded-Proto https if { ssl_fc }

Posts: 1

Participants: 1


Send real Host header in httpchk requests

@e-pirate wrote:

Hi, folks!
Is there a way to send the real backend address as the Host header in the httpchk requests? We are currently using HTTP 1.0, but would like to switch to HTTP 1.1, and sending a meaningful Host header is a must in our case. Here is our current backend section of the config:

backend apiservers
  balance                 leastconn
  mode                    http
  option                  httpchk GET /healthz HTTP/1.0\r\nAuthorization:\ Bearer\ SOME_TOKEN_HERE
  http-check              disable-on-404
  http-check              expect rstring ^ok
  server                  core1 core1.cloud:443 ssl check
  server                  core2 core2.cloud:443 ssl check
  server                  core3 core3.cloud:443 ssl check

Options like http-request add-header Host %[src] and http-send-name-header Host in the backend section seem not to affect the httpchk mechanism. Any ideas?

Posts: 2

Participants: 2


Reverse proxy to Exchange and webserver

@monkey wrote:

Hi, I would like to set up a reverse proxy to an Exchange server and a webserver. I have installed the wildcard certificate on all three servers. The haproxy server has an IP address of 192.168.1.14. The settings below work when accessing from the local network and setting the DNS to resolve to the above IP. The issue is externally: the domain name resolves to the external-facing IP and then NATs to 192.168.1.14, however I can’t get anything to work. The firewall is a basic router. Is this because it is getting redirected as opposed to reverse proxying through the haproxy? Any help appreciated.

frontend servers
bind *:80
bind *:443 ssl crt /etc/ssl/certs/site_cer.pem
acl ismail req.hdr(Host) -i -m str mail.domain
use_backend mailservers if ismail

acl issite req.hdr(Host) -i -m str domain
use_backend webservers if issite

#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
backend mailservers
server server2 mail.domain:443 check ssl verify none

backend webservers
server server1 domain:443 check ssl verify none

Posts: 1

Participants: 1



HA proxy for 2 servers

@Skinnyguinea wrote:

Hi,

Can I configure HA Proxy using just 2 Virtual Machines?

Also, can I use a single instance of HA Proxy to forward requests to multiple servers?

Posts: 1

Participants: 1


Map file no match when key contains space - escaping not working

@stucky101 wrote:

Ladies and Gents
I’m trying to use a map file to make dynamic backend decisions based on user agent strings.
Problem is my user agent has spaces in it.
The mapfile works without spaces:

teststring dest_pool

and in the cfg:
acl has_http_useragent hdr(user-agent),map_str(/usr/local/haproxy/maps/webcenter_useragents.cfg) -m found
use_backend %[req.hdr(user-agent),map_str(/usr/local/haproxy/maps/webcenter_useragents.cfg)] if has_http_useragent

If I add and escape a space it doesn’t match anymore:

test\ string dest_pool

I get a NOSRV

Q1. Can I change the default delimiter for the k/v’s in a map? I have not found a reference to that.
Q2. Is there any other way to deal with the spaces?

Unfortunately, my user agent is “Studio Site Designer”

Thx for a great product

Posts: 1

Participants: 1


Help with starting to use HAProxy - ip address is not delegated to virtual machines

@veljko wrote:

Hi,
I am a total beginner with HAProxy, so any advice will be very useful.
I have two virtual machines on Microsoft Azure.
They are in a virtual network, and they have private IP addresses 10.0.9.4 and 10.0.9.5.
I created a new network interface on Microsoft Azure in the same virtual network with IP address 10.0.9.7.
Of course this is not delegated to any virtual machine.

The name of the interface is lb.oozie.local, private IP address 10.0.9.7.

I added in /etc/hosts on .4 and .5
10.0.9.7 lb.oozie.local

I installed haproxy on both machines, .4 and .5.
The haproxy config file is the following:

global
	log /dev/log local0
	log /dev/log local1 notice
	chroot /var/lib/haproxy

	stats timeout 30s
	#user haproxy
	#group haproxy
	daemon

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# Default ciphers to use on SSL-enabled listening sockets.
	# For more information, see ciphers(1SSL).
	ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL

defaults
	log global
	mode http
	option httplog
	option dontlognull
	timeout connect 5000
	timeout client 50000
	timeout server 50000

frontend localnodes
	bind lb.oozie.local:80
	mode http
	default_backend nodes

backend nodes
	mode http
	balance roundrobin
	option forwardfor
	http-request set-header X-Forwarded-Port %[dst_port]
	http-request add-header X-Forwarded-Proto https if { ssl_fc }
	option httpchk HEAD / HTTP/1.1\r\nHost:localhost
	server oozie1 10.0.9.4:11000 check
	server oozie2 10.0.9.5:11000 check

listen stats lb.oozie.local:1936
	stats enable
	stats uri /haproxy?stats

I did also:
sudo service haproxy restart

Redirecting to /bin/systemctl restart haproxy.service

Validation returns that haproxy is valid:
haproxy -f /etc/haproxy/haproxy.cfg -c

[WARNING] 284/112531 (110051) : config : frontend ‘GLOBAL’ has no ‘bind’ directive. Please declare it as a backend if this was intended.
Configuration file is valid

As I understood it, my servers should get the IP address (10.0.9.7).

I try to ping 10.0.9.7 from 10.0.9.4 and 10.0.9.5,

but on both servers I get that it is not recognized.
ping 10.0.9.7

PING 10.0.9.7 (10.0.9.7) 56(84) bytes of data.
From 10.0.9.4 icmp_seq=1 Destination Host Unreachable
From 10.0.9.4 icmp_seq=2 Destination Host Unreachable

Also if it is relevant:

  • I installed the keepalived mechanism
  • I did not set a public IP address for the load balancer address; it has only the private IP 10.0.9.7, because the service is invoked directly from servers 10.0.9.4 and 10.0.9.5

Please help.
Thank you in advance.

Posts: 1

Participants: 1


Errorfile page truncated by haproxy

@k4m0 wrote:

Hi Community,

This is my first topic :blush:
I have a problem with the configuration of an error page on haproxy version 1.8.14. I have already configured several error pages without problems on the same instance.
The page that is creating problems, unlike the others, uses SVG (Scalable Vector Graphics).
The page served from haproxy is truncated (always in the same place). If I increase the tune.bufsize the problem is solved, but I do not want to increase it to avoid resource problems (possibly causing the system to run out of memory).
I thought it was a problem related to the size of the HTTP headers, but I do not think this is the problem, because testing with “curl -s -w %{size_header} page” the size is 260 bytes.
The page is 144k in size, but I have a larger page that works correctly.
By serving the page from an Apache via errorloc the problem does not occur, but I do not want to handle error pages from the webserver, but from haproxy.
From the log I see nothing strange compared to the other error pages:

k4m0_http_fe k4m0_http_fe/ 0/-1/-1/-1/0 403 16384 - - PR-- 5/1/0/0/0 0/0 {|} “GET / HTTP/1.1”

also with echo “show errors” | socat … nothing

Does anyone have any idea what the problem might be?

Thank you so much
K4m0

Posts: 1

Participants: 1


Kibana behind Haproxy: GUI not loading fully

@agenerette wrote:

Hello,

Using the deviantony/docker-elk repo, I recently set up ELK on an EC2 instance running Docker (version 17.05.0-ce, build 89658be) and docker-compose (docker-compose version 1.6.2, build 4d72027). I also used the docker-elk-filebeat repo to install filebeat.

After configuring everything, I’m able to see basic log file entries flowing thru such that I can view them in Kibana: I have to access the GUI, though, via an ssh tunnel into my Docker host.

I would like, though, to be able to access the Kibana GUI via an haproxy container that’s also running on my Docker host. That way I’d be able to just hit “http://<EC2 instance’s IP>/logs” and have this redirect to Kibana, without having to open port 5601 on the host and modify the current security group.

When I try, though, the UI loads partially, then just stops. Clicking on the different options (Discover, Visualize, etc) changes the URL listed (to one that contains “myapp-demo/app/kibana#/home?_g=()”, “myapp-demo/app/kibana#/discover” etc), but that’s it. Oh, and I have a simple entry in my local /etc/hosts file mapping myapp-demo to the AWS instance’s IP.

Security groups are set up, temporarily, on the EC2 instance such that ports 22, 5601, 9200, 9100 are all open to my admin workstation’s IP. iptables has only the entries that were put in place by the installation of Docker (iptables wasn’t even there on the Docker host before I installed Docker).

Here’s an excerpt from my haproxy.cfg file (I’ve created a pastebin at https://pastebin.com/yavnXyEw, just in case my posting proves difficult to read):

frontend web
bind *:80
reqadd X-Forwarded-Proto:\ http if !{ ssl_fc }
reqadd X-Forwarded-Proto:\ https if { ssl_fc }

default_backend myapp_ui


acl is_kibana path_sub logs
acl is_kibana path_sub kibana
acl is_kibana path_sub bundles
acl is_kibana path_sub app/kibana
acl is_kibana path_sub plugins/kibana/assets

use_backend kibana if is_kibana
use_backend es_head if is_es_head

backend myapp_ui
server ui1 myapp:8080 check

backend kibana
mode http
reqrep ^([^\ ]*\ /)logs[/]?(.*) \1\2
reqrep ^([^\ ]*\ /)kibana[/]?(.*) \1\2
server kibana kibana:5601 check

And here’s an excerpt from my docker-compose.yml file:

haproxy:
  image: < personal repo >
  restart: always
  links:
    - myapp
    - kibana
    - es_head
  volumes:
    - ./docker/haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
  ports:
    - "80:80"

kibana:
  image: < personal repo >
  ports:
    - "5601:5601"

Now, since I’m able to get the GUI to load partially, I know that the setup is mostly functional. The issue seems to be, perhaps, with my haproxy acls. I’m not sure what else I need to add in that area.

Anyone out there have experience with this kind of setup and any ideas on what I can do to get around the issue that I’m seeing?

Posts: 1

Participants: 1

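As an added illustration (editor's example, not code from either poster), the following Python simulates HAProxy request-line rewriting and routing ACLs for two posts on this page: the reqrep-before-use_backend ordering described in "Forwarding to a backend on a new URL path", and the path_sub ACLs plus prefix-stripping reqrep rules of this Kibana post. The HAProxy regexes are translated to Python (haproxy.cfg writes a literal space as "\ "); the simplified pipeline and the DEFAULT backend name are assumptions.

```python
import re

# Routing ACLs from "Forwarding to a backend on a new URL path": path_beg is a prefix match.
APP_ACLS = [("APP_A", "/ApplicationA"), ("APP_B", "/ApplicationB"), ("APP_C", "/ApplicationC")]
DEFAULT_BACKEND = "DEFAULT"   # assumed name; the post does not show its default_backend

# That post's reqrep rules with "\ " turned into plain spaces for Python.
APP_REWRITES = [
    (re.compile(rf"^([^ :]*) /Application{letter}[/]?(.*)"), r"\1 /Application/\2")
    for letter in "ABC"
]

# Kibana post: "acl is_kibana path_sub <needle>" (substring match) and the backend's two reqrep rules.
KIBANA_NEEDLES = ["logs", "kibana", "bundles", "app/kibana", "plugins/kibana/assets"]
KIBANA_REWRITES = [
    (re.compile(r"^([^ ]* /)logs[/]?(.*)"), r"\1\2"),
    (re.compile(r"^([^ ]* /)kibana[/]?(.*)"), r"\1\2"),
]


def request_path(request_line):
    """Path component of 'METHOD SP request-target SP version'."""
    return request_line.split(" ")[1]


def apply_reqrep(request_line, rules):
    """Apply reqrep rules in order, each against the current request line, as HAProxy does."""
    for pattern, repl in rules:
        request_line = pattern.sub(repl, request_line, count=1)
    return request_line


def select_app_backend(request_line):
    path = request_path(request_line)
    for backend, prefix in APP_ACLS:
        if path.startswith(prefix):                 # path_beg
            return backend
    return DEFAULT_BACKEND


def frontend_rewrite_first(request_line):
    """The order the poster hit: frontend reqrep runs before use_backend, so the path_beg ACL
    is evaluated against the already rewritten line and no longer matches."""
    rewritten = apply_reqrep(request_line, APP_REWRITES)
    return select_app_backend(rewritten), rewritten


def select_then_rewrite(request_line):
    """Select on the original line first, then rewrite (the effect of rewriting in the chosen backend)."""
    backend = select_app_backend(request_line)
    return backend, apply_reqrep(request_line, APP_REWRITES)


def is_kibana(request_line):
    """path_sub matches the needle anywhere in the path, so unrelated paths that merely contain
    'logs' or 'kibana' are also sent to the Kibana backend."""
    path = request_path(request_line)
    return any(needle in path for needle in KIBANA_NEEDLES)


def kibana_rewrite(request_line):
    """Strip the /logs or /kibana prefix the way the Kibana backend's reqrep rules do."""
    return apply_reqrep(request_line, KIBANA_REWRITES)
```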

Seamless reload and servers connections status

@skurtzemann wrote:

Hi,

I’ve got a question about haproxy seamless reload: when this operation is performed, are all backend server connections reset?

Our use case:

  • we use Voyager Ingress for Kubernetes (https://appscode.com/products/voyager/), which uses haproxy to
    perform balancing
  • we have configured each backend server with maxconn 1 (we only want one connection to be handled by one pod)
  • when a new pod is scheduled, Voyager updates the backend servers and then does a haproxy seamless reload, which causes us to lose the previous connection states for the servers

Thanks

Sébastien Kurtzemann

Posts: 2

Participants: 2


Help with understanding retransmissions from haproxy to the server

@ndakotaeq wrote:

Hello, I am fighting with understanding the nature of our retransmissions that are sent after the ACK is received.

Config:

haproxy.cfg

global
log /dev/log local0
log /dev/log local1 debug

daemon
user haproxy
group haproxy
maxconnrate 280
maxsessrate 280
maxconn     260000
stats socket /var/run/haproxy.sock level admin

defaults
mode tcp
log global
option tcplog
option dontlognull
timeout connect 5s
timeout client 24h
timeout server 60m
maxconn 260000

peers lbs
peer ilb1-1a-1 172.1.1.3:9010
peer ilb1-1a-2 172.1.2.3:9010

frontend service_name
bind 50.1.1.3:48641
acl p48641 dst_port 48641
use_backend service_name_48641 if p48641

backend service_name_48641
balance leastconn
option independant-streams
server server_vir1 ae1-1a-1:48641 on-marked-down shutdown-sessions check fall 3 rise 2 inter 10s slowstart 200s source 172.1.2.3
server server_vir2 ae1-1a-1:48641 on-marked-down shutdown-sessions check fall 3 rise 2 inter 10s slowstart 200s source 172.1.2.4
server server_vir3 ae1-1a-1:48641 on-marked-down shutdown-sessions check fall 3 rise 2 inter 10s slowstart 200s source 172.1.2.5
server server_vir4 ae1-1a-1:48641 on-marked-down shutdown-sessions check fall 3 rise 2 inter 10s slowstart 200s source 172.1.2.6
server server_vir5 ae1-1a-1:48641 on-marked-down shutdown-sessions check fall 3 rise 2 inter 10s slowstart 200s source 172.1.2.7

Sysctl config:

net.ipv4.conf.eth2.arp_filter = 0
net.ipv4.conf.eth2.arp_ignore = 0
net.ipv4.conf.eth2.arp_notify = 0
net.ipv4.conf.eth2.bootp_relay = 0
net.ipv4.conf.eth2.disable_policy = 0
net.ipv4.conf.eth2.disable_xfrm = 0
net.ipv4.conf.eth2.force_igmp_version = 0
net.ipv4.conf.eth2.forwarding = 1
net.ipv4.conf.eth2.log_martians = 0
net.ipv4.conf.eth2.mc_forwarding = 0
net.ipv4.conf.eth2.medium_id = 0
net.ipv4.conf.eth2.promote_secondaries = 1
net.ipv4.conf.eth2.proxy_arp = 0
net.ipv4.conf.eth2.proxy_arp_pvlan = 0
net.ipv4.conf.eth2.route_localnet = 0
net.ipv4.conf.eth2.rp_filter = 1
net.ipv4.conf.eth2.secure_redirects = 0
net.ipv4.conf.eth2.send_redirects = 0
net.ipv4.conf.eth2.shared_media = 1
net.ipv4.conf.eth2.src_valid_mark = 0
net.ipv4.conf.eth2.tag = 0
net.ipv4.conf.lo.accept_local = 0
net.ipv4.conf.lo.accept_redirects = 1
net.ipv4.conf.lo.accept_source_route = 1
net.ipv4.conf.lo.arp_accept = 0
net.ipv4.conf.lo.arp_announce = 0
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.arp_ignore = 0
net.ipv4.conf.lo.arp_notify = 0
net.ipv4.conf.lo.bootp_relay = 0
net.ipv4.conf.lo.disable_policy = 1
net.ipv4.conf.lo.disable_xfrm = 1
net.ipv4.conf.lo.force_igmp_version = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.log_martians = 0
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.medium_id = 0
net.ipv4.conf.lo.promote_secondaries = 0
net.ipv4.conf.lo.proxy_arp = 0
net.ipv4.conf.lo.proxy_arp_pvlan = 0
net.ipv4.conf.lo.route_localnet = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.lo.secure_redirects = 1
net.ipv4.conf.lo.send_redirects = 1
net.ipv4.conf.lo.shared_media = 1
net.ipv4.conf.lo.src_valid_mark = 0
net.ipv4.conf.lo.tag = 0
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_errors_use_inbound_ifaddr = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_msgs_burst = 50
net.ipv4.icmp_msgs_per_sec = 1000
net.ipv4.icmp_ratelimit = 1000
net.ipv4.icmp_ratemask = 6168
net.ipv4.igmp_max_memberships = 20
net.ipv4.igmp_max_msf = 10
net.ipv4.igmp_qrv = 2
net.ipv4.inet_peer_maxttl = 600
net.ipv4.inet_peer_minttl = 120
net.ipv4.inet_peer_threshold = 65664
net.ipv4.ip_default_ttl = 64
net.ipv4.ip_dynaddr = 0
net.ipv4.ip_early_demux = 1
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.ip_local_reserved_ports =
net.ipv4.ip_no_pmtu_disc = 0
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.ipfrag_high_thresh = 4194304
net.ipv4.ipfrag_low_thresh = 3145728
net.ipv4.ipfrag_max_dist = 64
net.ipv4.ipfrag_secret_interval = 600
net.ipv4.ipfrag_time = 30
net.ipv4.neigh.default.anycast_delay = 100
net.ipv4.neigh.default.app_solicit = 0
net.ipv4.neigh.default.base_reachable_time_ms = 30000
net.ipv4.neigh.default.delay_first_probe_time = 5
net.ipv4.neigh.default.gc_interval = 30
net.ipv4.neigh.default.gc_stale_time = 60
net.ipv4.neigh.default.gc_thresh1 = 128
net.ipv4.neigh.default.gc_thresh2 = 512
net.ipv4.neigh.default.gc_thresh3 = 1024
net.ipv4.neigh.default.locktime = 100
net.ipv4.neigh.default.mcast_solicit = 3
net.ipv4.neigh.default.proxy_delay = 80
net.ipv4.neigh.default.proxy_qlen = 64
net.ipv4.neigh.default.retrans_time_ms = 1000
net.ipv4.neigh.default.ucast_solicit = 3
net.ipv4.neigh.default.unres_qlen = 31
net.ipv4.neigh.default.unres_qlen_bytes = 65536
net.ipv4.neigh.eth0.anycast_delay = 100
net.ipv4.neigh.eth0.app_solicit = 0
net.ipv4.neigh.eth0.base_reachable_time_ms = 30000
net.ipv4.neigh.eth0.delay_first_probe_time = 5
net.ipv4.neigh.eth0.gc_stale_time = 60
net.ipv4.neigh.eth0.locktime = 100
net.ipv4.neigh.eth0.mcast_solicit = 3
net.ipv4.neigh.eth0.proxy_delay = 80
net.ipv4.neigh.eth0.proxy_qlen = 64
net.ipv4.neigh.eth0.retrans_time_ms = 1000
net.ipv4.neigh.eth0.ucast_solicit = 3
net.ipv4.neigh.eth0.unres_qlen = 31
net.ipv4.neigh.eth0.unres_qlen_bytes = 65536
net.ipv4.neigh.eth1.anycast_delay = 100
net.ipv4.neigh.eth1.app_solicit = 0
net.ipv4.neigh.eth1.base_reachable_time_ms = 30000
net.ipv4.neigh.eth1.delay_first_probe_time = 5
net.ipv4.neigh.eth1.gc_stale_time = 60
net.ipv4.neigh.eth1.locktime = 100
net.ipv4.neigh.eth1.mcast_solicit = 3
net.ipv4.neigh.eth1.proxy_delay = 80
net.ipv4.neigh.eth1.proxy_qlen = 64
net.ipv4.neigh.eth1.retrans_time_ms = 1000
net.ipv4.neigh.eth1.ucast_solicit = 3
net.ipv4.neigh.eth1.unres_qlen = 31
net.ipv4.neigh.eth1.unres_qlen_bytes = 65536
net.ipv4.neigh.eth2.anycast_delay = 100
net.ipv4.neigh.eth2.app_solicit = 0
net.ipv4.neigh.eth2.base_reachable_time_ms = 30000
net.ipv4.neigh.eth2.delay_first_probe_time = 5
net.ipv4.neigh.eth2.gc_stale_time = 60
net.ipv4.neigh.eth2.locktime = 100
net.ipv4.neigh.eth2.mcast_solicit = 3
net.ipv4.neigh.eth2.proxy_delay = 80
net.ipv4.neigh.eth2.proxy_qlen = 64
net.ipv4.neigh.eth2.retrans_time_ms = 1000
net.ipv4.neigh.eth2.ucast_solicit = 3
net.ipv4.neigh.eth2.unres_qlen = 31
net.ipv4.neigh.eth2.unres_qlen_bytes = 65536
net.ipv4.neigh.lo.anycast_delay = 100
net.ipv4.neigh.lo.app_solicit = 0
net.ipv4.neigh.lo.base_reachable_time_ms = 30000
net.ipv4.neigh.lo.delay_first_probe_time = 5
net.ipv4.neigh.lo.gc_stale_time = 60
net.ipv4.neigh.lo.locktime = 100
net.ipv4.neigh.lo.mcast_solicit = 3
net.ipv4.neigh.lo.proxy_delay = 80
net.ipv4.neigh.lo.proxy_qlen = 64
net.ipv4.neigh.lo.retrans_time_ms = 1000
net.ipv4.neigh.lo.ucast_solicit = 3
net.ipv4.neigh.lo.unres_qlen = 31
net.ipv4.neigh.lo.unres_qlen_bytes = 65536
net.ipv4.ping_group_range = 1 0
net.ipv4.route.error_burst = 5000
net.ipv4.route.error_cost = 1000
net.ipv4.route.gc_elasticity = 8
net.ipv4.route.gc_interval = 60
net.ipv4.route.gc_min_interval = 0
net.ipv4.route.gc_min_interval_ms = 500
net.ipv4.route.gc_thresh = -1
net.ipv4.route.gc_timeout = 300
net.ipv4.route.max_size = 2147483647
net.ipv4.route.min_adv_mss = 256
net.ipv4.route.min_pmtu = 552
net.ipv4.route.mtu_expires = 600
net.ipv4.route.redirect_load = 20
net.ipv4.route.redirect_number = 9
net.ipv4.route.redirect_silence = 20480
net.ipv4.tcp_abort_on_overflow = 0
net.ipv4.tcp_adv_win_scale = 1
net.ipv4.tcp_allowed_congestion_control = cubic reno
net.ipv4.tcp_app_win = 31
net.ipv4.tcp_autocorking = 1
net.ipv4.tcp_available_congestion_control = cubic reno
net.ipv4.tcp_base_mss = 1024
net.ipv4.tcp_challenge_ack_limit = 2147483647
net.ipv4.tcp_congestion_control = cubic
net.ipv4.tcp_dsack = 1
net.ipv4.tcp_early_retrans = 3
net.ipv4.tcp_ecn = 2
net.ipv4.tcp_fack = 1
net.ipv4.tcp_fastopen = 0
net.ipv4.tcp_fastopen_key = 00000000-00000000-00000000-00000000
net.ipv4.tcp_fin_timeout = 60
net.ipv4.tcp_frto = 2
net.ipv4.tcp_invalid_ratelimit = 500
net.ipv4.tcp_keepalive_intvl = 75
net.ipv4.tcp_keepalive_probes = 9
net.ipv4.tcp_keepalive_time = 7200
net.ipv4.tcp_limit_output_bytes = 262144
net.ipv4.tcp_low_latency = 0
net.ipv4.tcp_max_orphans = 32768
net.ipv4.tcp_max_ssthresh = 0
net.ipv4.tcp_max_syn_backlog = 1280
net.ipv4.tcp_max_tw_buckets = 32768
net.ipv4.tcp_mem = 185361 247148 370722
net.ipv4.tcp_min_tso_segs = 2
net.ipv4.tcp_moderate_rcvbuf = 1
net.ipv4.tcp_mtu_probing = 2
net.ipv4.tcp_no_metrics_save = 0
net.ipv4.tcp_notsent_lowat = -1
net.ipv4.tcp_orphan_retries = 0
net.ipv4.tcp_reordering = 3
net.ipv4.tcp_retrans_collapse = 1
net.ipv4.tcp_retries1 = 3
net.ipv4.tcp_retries2 = 15
net.ipv4.tcp_rfc1337 = 0
net.ipv4.tcp_rmem = 4096 87380 6291456
net.ipv4.tcp_sack = 1
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_stdurg = 0
net.ipv4.tcp_syn_retries = 6
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_thin_dupack = 0
net.ipv4.tcp_thin_linear_timeouts = 0
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_tso_win_divisor = 3
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_wmem = 4096 16384 4194304
net.ipv4.tcp_workaround_signed_windows = 0
net.ipv4.udp_mem = 187218 249624 374436
net.ipv4.udp_rmem_min = 4096
net.ipv4.udp_wmem_min = 4096
net.ipv4.vs.am_droprate = 10
net.ipv4.vs.amemthresh = 1024
net.ipv4.vs.backup_only = 0
net.ipv4.vs.cache_bypass = 0
net.ipv4.vs.conn_reuse_mode = 1
net.ipv4.vs.conntrack = 0
net.ipv4.vs.drop_entry = 0
net.ipv4.vs.drop_packet = 0
net.ipv4.vs.expire_nodest_conn = 0
net.ipv4.vs.expire_quiescent_template = 0
net.ipv4.vs.nat_icmp_send = 0
net.ipv4.vs.pmtu_disc = 1
net.ipv4.vs.secure_tcp = 0
net.ipv4.vs.snat_reroute = 1
net.ipv4.vs.sync_ports = 1
net.ipv4.vs.sync_qlen_max = 61800
net.ipv4.vs.sync_refresh_period = 0
net.ipv4.vs.sync_retries = 0
net.ipv4.vs.sync_sock_size = 0
net.ipv4.vs.sync_threshold = 3 50
net.ipv4.vs.sync_version = 1
net.ipv4.xfrm4_gc_thresh = 32768
net.netfilter.nf_conntrack_acct = 0
net.netfilter.nf_conntrack_buckets = 65536
net.netfilter.nf_conntrack_checksum = 1
net.netfilter.nf_conntrack_count = 7575
net.netfilter.nf_conntrack_dccp_loose = 1
net.netfilter.nf_conntrack_dccp_timeout_closereq = 64
net.netfilter.nf_conntrack_dccp_timeout_closing = 64
net.netfilter.nf_conntrack_dccp_timeout_open = 43200
net.netfilter.nf_conntrack_dccp_timeout_partopen = 480
net.netfilter.nf_conntrack_dccp_timeout_request = 240
net.netfilter.nf_conntrack_dccp_timeout_respond = 480
net.netfilter.nf_conntrack_dccp_timeout_timewait = 240
net.netfilter.nf_conntrack_events = 1
net.netfilter.nf_conntrack_events_retry_timeout = 15
net.netfilter.nf_conntrack_expect_max = 1024
net.netfilter.nf_conntrack_generic_timeout = 600
net.netfilter.nf_conntrack_helper = 1
net.netfilter.nf_conntrack_icmp_timeout = 30
net.netfilter.nf_conntrack_log_invalid = 0
net.netfilter.nf_conntrack_max = 1048576
net.netfilter.nf_conntrack_sctp_timeout_closed = 10
net.netfilter.nf_conntrack_sctp_timeout_cookie_echoed = 3
net.netfilter.nf_conntrack_sctp_timeout_cookie_wait = 3
net.netfilter.nf_conntrack_sctp_timeout_established = 432000
net.netfilter.nf_conntrack_sctp_timeout_heartbeat_acked = 210
net.netfilter.nf_conntrack_sctp_timeout_heartbeat_sent = 30
net.netfilter.nf_conntrack_sctp_timeout_shutdown_ack_sent = 3
net.netfilter.nf_conntrack_sctp_timeout_shutdown_recd = 0
net.netfilter.nf_conntrack_sctp_timeout_shutdown_sent = 0
net.netfilter.nf_conntrack_tcp_be_liberal = 0
net.netfilter.nf_conntrack_tcp_loose = 0
net.netfilter.nf_conntrack_tcp_max_retrans = 3
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 3600
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300
net.netfilter.nf_conntrack_timestamp = 0
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 180
net.netfilter.nf_log.0 = NONE
net.netfilter.nf_log.1 = NONE
net.netfilter.nf_log.2 = nfnetlink_log
net.netfilter.nf_log.3 = NONE
net.netfilter.nf_log.4 = NONE
net.netfilter.nf_log.5 = NONE
net.netfilter.nf_log.6 = NONE
net.netfilter.nf_log.7 = NONE
net.netfilter.nf_log.8 = NONE
net.netfilter.nf_log.9 = NONE
net.nf_conntrack_max = 1048576
net.unix.max_dgram_qlen = 512
sunrpc.max_resvport = 1023
sunrpc.min_resvport = 665
sunrpc.nfs_debug = 0x0000
sunrpc.nfsd_debug = 0x0000
sunrpc.nlm_debug = 0x0000
sunrpc.rpc_debug = 0x0000
sunrpc.tcp_fin_timeout = 15
sunrpc.tcp_max_slot_table_entries = 65536
sunrpc.tcp_slot_table_entries = 2
sunrpc.transports = tcp 1048576
sunrpc.transports = udp 32768
sunrpc.transports = tcp-bc 1048576
sunrpc.udp_slot_table_entries = 16
user.max_ipc_namespaces = 31202
user.max_mnt_namespaces = 31202
user.max_net_namespaces = 31202
user.max_pid_namespaces = 31202
user.max_user_namespaces = 0
user.max_uts_namespaces = 31202
vm.admin_reserve_kbytes = 8192
vm.block_dump = 0
vm.dirty_background_bytes = 0
vm.dirty_background_ratio = 10
vm.dirty_bytes = 0
vm.dirty_expire_centisecs = 3000
vm.dirty_ratio = 20
vm.dirty_writeback_centisecs = 500
vm.drop_caches = 0
vm.extfrag_threshold = 500
vm.hugepages_treat_as_movable = 0
vm.hugetlb_shm_group = 0
vm.laptop_mode = 0
vm.legacy_va_layout = 0
vm.lowmem_reserve_ratio = 256 256 32
vm.max_map_count = 65530
vm.memory_failure_early_kill = 0
vm.memory_failure_recovery = 1
vm.min_free_kbytes = 67584
vm.min_slab_ratio = 5
vm.min_unmapped_ratio = 1
vm.mmap_min_addr = 4096
vm.mmap_rnd_bits = 28
vm.mmap_rnd_compat_bits = 8
vm.nr_hugepages = 0
vm.nr_hugepages_mempolicy = 0
vm.nr_overcommit_hugepages = 0
vm.nr_pdflush_threads = 0
vm.numa_zonelist_order = default
vm.oom_dump_tasks = 1
vm.oom_kill_allocating_task = 0
vm.overcommit_kbytes = 0
vm.overcommit_memory = 0
vm.overcommit_ratio = 50
vm.page-cluster = 3
vm.panic_on_oom = 0
vm.percpu_pagelist_fraction = 0
vm.stat_interval = 1
vm.swappiness = 60
vm.user_reserve_kbytes = 131072
vm.vfs_cache_pressure = 100
vm.zone_reclaim_mode = 0

hostnamectl

Icon name: computer-vm
Chassis: vm
Virtualization: vmware
Operating System: Red Hat Enterprise Linux Server 7.5 (Maipo)
CPE OS Name: cpe:/o:redhat:enterprise_linux:7.5:GA:server
Kernel: Linux 3.10.0-862.11.6.el7.x86_64
Architecture: x86-64

Retransmissions

"No.","Time","Source","Destination","Delta","Protocol","Length","Seq","Next seq","ack","MSS Value","Info"
"1","0.000000","1.2.3.4","50.1.1.3","0.000000","TCP","76","0","0","0","1420","40935 > 48641 [SYN] Seq=0 Win=65535 Len=0 MSS=1420 SACK_PERM=1 WS=256"
"2","0.000021","50.1.1.3","1.2.3.4","0.000021","TCP","76","0","0","1","1460","48641 > 40935 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 WS=128"
"3","0.040704","1.2.3.4","50.1.1.3","0.040683","TCP","68","1","1","1","","40935 > 48641 [ACK] Seq=1 Ack=1 Win=85248 Len=0"
"4","0.040825","172.1.2.6","172.1.2.10","0.000121","TCP","76","0","0","0","1460","16712 > 48641 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128"
"5","0.040881","172.1.2.10","172.1.2.6","0.000056","TCP","76","0","0","1","1460","48641 > 16712 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 WS=128"
"6","0.040894","172.1.2.6","172.1.2.10","0.000013","TCP","68","1","1","1","","16712 > 48641 [ACK] Seq=1 Ack=1 Win=29312 Len=0"
"7","0.043899","1.2.3.4","50.1.1.3","0.003005","TLSv1.2","276","1","209","1","","Client Hello"
"8","0.043914","50.1.1.3","1.2.3.4","0.000015","TCP","68","1","1","209","","48641 > 40935 [ACK] Seq=1 Ack=209 Win=30080 Len=0"
"9","0.043967","172.1.2.6","172.1.2.10","0.000053","TLSv1.2","276","1","209","1","","Client Hello"
"10","0.044020","172.1.2.10","172.1.2.6","0.000053","TCP","68","1","1","209","","48641 > 16712 [ACK] Seq=1 Ack=209 Win=30080 Len=0"
"11","0.044497","172.1.2.10","172.1.2.6","0.000477","TLSv1.2","154","1","87","209","","Server Hello"
"12","0.044506","172.1.2.6","172.1.2.10","0.000009","TCP","68","209","209","87","","16712 > 48641 [ACK] Seq=209 Ack=87 Win=29312 Len=0"
"13","0.044532","50.1.1.3","1.2.3.4","0.000026","TLSv1.2","154","1","87","209","","Server Hello"
"14","0.044541","172.1.2.10","172.1.2.6","0.000009","TLSv1.2","119","87","138","209","","Change Cipher Spec, Encrypted Handshake Message"
"15","0.044545","172.1.2.6","172.1.2.10","0.000004","TCP","68","209","209","138","","16712 > 48641 [ACK] Seq=209 Ack=138 Win=29312 Len=0"
"16","0.044561","50.1.1.3","1.2.3.4","0.000016","TLSv1.2","119","87","138","209","","Change Cipher Spec, Encrypted Handshake Message"
"17","0.072641","1.2.3.4","50.1.1.3","0.028080","TCP","68","209","209","87","","40935 > 48641 [ACK] Seq=209 Ack=87 Win=85248 Len=0"
"18","0.080670","1.2.3.4","50.1.1.3","0.008029","TCP","68","209","209","138","","40935 > 48641 [ACK] Seq=209 Ack=138 Win=85248 Len=0"
"19","0.080893","1.2.3.4","50.1.1.3","0.000223","TLSv1.2","119","209","260","138","","Change Cipher Spec, Encrypted Handshake Message"
"20","0.080941","172.1.2.6","172.1.2.10","0.000048","TLSv1.2","119","209","260","138","","Change Cipher Spec, Encrypted Handshake Message"
"21","0.091404","1.2.3.4","50.1.1.3","0.010463","TCP","1476","260","1668","138","","40935 > 48641 [ACK] Seq=260 Ack=138 Win=85248 Len=1408 [TCP segment of a reassembled PDU]"
"22","0.091417","50.1.1.3","1.2.3.4","0.000013","TCP","68","138","138","1668","","48641 > 40935 [ACK] Seq=138 Ack=1668 Win=33024 Len=0"
"23","0.091475","172.1.2.6","172.1.2.10","0.000058","TCP","1476","260","1668","138","","16712 > 48641 [PSH, ACK] Seq=260 Ack=138 Win=29312 Len=1408 [TCP segment of a reassembled PDU]"
"24","0.091565","172.1.2.10","172.1.2.6","0.000090","TCP","68","138","138","1668","","48641 > 16712 [ACK] Seq=138 Ack=1668 Win=33024 Len=0"
"25","0.131937","1.2.3.4","50.1.1.3","0.040372","TLSv1.2","332","1668","1932","138","","Application Data"
"26","0.131964","172.1.2.6","172.1.2.10","0.000027","TLSv1.2","332","1668","1932","138","","Application Data"
"27","0.136742","172.1.2.10","172.1.2.6","0.004778","TLSv1.2","297","138","367","1932","","Application Data"
"28","0.136765","50.1.1.3","1.2.3.4","0.000023","TLSv1.2","297","138","367","1932","","Application Data"
"29","0.176645","172.1.2.6","172.1.2.10","0.039880","TCP","68","1932","1932","367","","16712 > 48641 [ACK] Seq=1932 Ack=367 Win=30336 Len=0"
"30","0.212685","1.2.3.4","50.1.1.3","0.036040","TCP","68","1932","1932","367","","40935 > 48641 [ACK] Seq=1932 Ack=367 Win=86272 Len=0"
"31","200.137180","172.1.2.10","172.1.2.6","199.924495","TLSv1.2","99","367","398","1932","","Encrypted Alert"
"32","200.137196","172.1.2.6","172.1.2.10","0.000016","TCP","68","1932","1932","398","","16712 > 48641 [ACK] Seq=1932 Ack=398 Win=30336 Len=0"
"33","200.137214","172.1.2.10","172.1.2.6","0.000018","TCP","68","398","398","1932","","48641 > 16712 [FIN, ACK] Seq=398 Ack=1932 Win=35840 Len=0"
"34","200.137233","50.1.1.3","1.2.3.4","0.000019","TLSv1.2","99","367","398","1932","","Encrypted Alert"
"35","200.137292","50.1.1.3","1.2.3.4","0.000059","TCP","68","398","398","1932","","48641 > 40935 [FIN, ACK] Seq=398 Ack=1932 Win=35840 Len=0"
"36","200.168647","1.2.3.4","50.1.1.3","0.031355","TCP","68","1932","1932","398","","40935 > 48641 [ACK] Seq=1932 Ack=398 Win=86272 Len=0"
"37","200.176660","172.1.2.6","172.1.2.10","0.008013","TCP","68","1932","1932","399","","16712 > 48641 [ACK] Seq=1932 Ack=399 Win=30336 Len=0"
"38","200.198702","1.2.3.4","50.1.1.3","0.022042","TCP","68","1932","1932","399","","40935 > 48641 [ACK] Seq=1932 Ack=399 Win=86272 Len=0"
"39","300.204869","1.2.3.4","50.1.1.3","100.006167","TLSv1.2","99","1932","1963","399","","Encrypted Alert"
"40","300.204896","172.1.2.6","172.1.2.10","0.000027","TLSv1.2","99","1932","1963","399","","Encrypted Alert"
"41","300.207748","1.2.3.4","50.1.1.3","0.002852","TCP","68","1963","1963","399","","40935 > 48641 [RST, ACK] Seq=1963 Ack=399 Win=86272 Len=0"
"42","300.207785","172.1.2.6","172.1.2.10","0.000037","TCP","68","1963","1963","399","","16712 > 48641 [FIN, ACK] Seq=1963 Ack=399 Win=30336 Len=0"
"43","300.207837","172.1.2.10","172.1.2.6","0.000052","TCP","68","399","399","1964","","48641 > 16712 [ACK] Seq=399 Ack=1964 Win=35712 Len=0"
"44","300.217641","172.1.2.6","172.1.2.10","0.009804","TCP","68","1963","1963","399","","[TCP Retransmission] 16712 > 48641 [FIN, ACK] Seq=1963 Ack=399 Win=30336 Len=0"
"45","300.217690","172.1.2.10","172.1.2.6","0.000049","TCP","68","399","399","1964","","[TCP Dup ACK 43#1] 48641 > 16712 [ACK] Seq=399 Ack=1964 Win=35712 Len=0"
"46","300.419643","172.1.2.6","172.1.2.10","0.201953","TLSv1.2","99","1932","1964","399","","[TCP Spurious Retransmission] , Encrypted Alert"
"47","300.419704","172.1.2.10","172.1.2.6","0.000061","TCP","68","399","399","1964","","[TCP Dup ACK 43#2] 48641 > 16712 [ACK] Seq=399 Ack=1964 Win=35712 Len=0"
"48","300.824654","172.1.2.6","172.1.2.10","0.404950","TLSv1.2","99","1932","1964","399","","[TCP Spurious Retransmission] , Encrypted Alert"
"49","300.824709","172.1.2.10","172.1.2.6","0.000055","TCP","68","399","399","1964","","[TCP Dup ACK 43#3] 48641 > 16712 [ACK] Seq=399 Ack=1964 Win=35712 Len=0"
"50","301.633648","172.1.2.6","172.1.2.10","0.808939","TLSv1.2","99","1932","1964","399","","[TCP Spurious Retransmission] , Encrypted Alert"
"51","301.633705","172.1.2.10","172.1.2.6","0.000057","TCP","68","399","399","1964","","[TCP Dup ACK 43#4] 48641 > 16712 [ACK] Seq=399 Ack=1964 Win=35712 Len=0"
"52","303.253642","172.1.2.6","172.1.2.10","1.619937","TLSv1.2","99","1932","1964","399","","[TCP Spurious Retransmission] , Encrypted Alert"
"53","303.253698","172.1.2.10","172.1.2.6","0.000056","TCP","68","399","399","1964","","[TCP Dup ACK 43#5] 48641 > 16712 [ACK] Seq=399 Ack=1964 Win=35712 Len=0"
"54","306.493641","172.1.2.6","172.1.2.10","3.239943","TLSv1.2","99","1932","1964","399","","[TCP Spurious Retransmission] , Encrypted Alert"
"55","306.493694","172.1.2.10","172.1.2.6","0.000053","TCP","68","399","399","1964","","[TCP Dup ACK 43#6] 48641 > 16712 [ACK] Seq=399 Ack=1964 Win=35712 Len=0"
"56","312.965655","172.1.2.6","172.1.2.10","6.471961","TLSv1.2","99","1932","1964","399","","[TCP Spurious Retransmission] , Encrypted Alert"
"57","312.965775","172.1.2.10","172.1.2.6","0.000120","TCP","68","399","399","1964","","[TCP Dup ACK 43#7] 48641 > 16712 [ACK] Seq=399 Ack=1964 Win=35712 Len=0"
"58","325.925671","172.1.2.6","172.1.2.10","12.959896","TLSv1.2","99","1932","1964","399","","[TCP Spurious Retransmission] , Encrypted Alert"
"59","325.925726","172.1.2.10","172.1.2.6","0.000055","TCP","68","399","399","1964","","[TCP Dup ACK 43#8] 48641 > 16712 [ACK] Seq=399 Ack=1964 Win=35712 Len=0"
"60","351.845660","172.1.2.6","172.1.2.10","25.919934","TLSv1.2","99","1932","1964","399","","[TCP Spurious Retransmission] , Encrypted Alert"
"61","351.845697","172.1.2.10","172.1.2.6","0.000037","TCP","68","399","399","1964","","[TCP Dup ACK 43#9] 48641 > 16712 [ACK] Seq=399 Ack=1964 Win=35712 Len=0"

After haproxy got RST from the client (frame 41),
the connection between client and haproxy seems to be closed
after haproxy sends FIN,ACK to the server (frame 42)
and gets ACK from the server (frame 43).

But starting from “frame 44” haproxy starts to send retransmissions of FIN,ACK as if it never got the ACK from the server. It seems like the ACK arrived at the interface but never arrived at the process. Or am I missing some important config line, or is it a bug?
Help me to understand the nature of those retransmissions.
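To check the reasoning above against the capture itself, here is an added Python example (not part of the original post) that replays frames 42 to 47 of the server-side capture and flags every segment sent after the peer had already acknowledged its whole sequence range. It assumes the CSV column layout shown above and that Wireshark's Next seq column does not count the FIN (frame 42: Seq=1963, Next seq 1963, acknowledged by Ack=1964).

```python
import csv
import io
from typing import Dict, List, Tuple

# Frames 42-47 of the server-side capture above, re-typed in the column layout Wireshark
# exported (No., Time, Source, Destination, Delta, Protocol, Length, Seq, Next seq, ack,
# MSS Value, Info). Constructed excerpt for this example.
SAMPLE_CAPTURE = """\
"No.","Time","Source","Destination","Delta","Protocol","Length","Seq","Next seq","ack","MSS Value","Info"
"42","300.207785","172.1.2.6","172.1.2.10","0.000037","TCP","68","1963","1963","399","","16712 > 48641 [FIN, ACK] Seq=1963 Ack=399 Win=30336 Len=0"
"43","300.207837","172.1.2.10","172.1.2.6","0.000052","TCP","68","399","399","1964","","48641 > 16712 [ACK] Seq=399 Ack=1964 Win=35712 Len=0"
"44","300.217641","172.1.2.6","172.1.2.10","0.009804","TCP","68","1963","1963","399","","[TCP Retransmission] 16712 > 48641 [FIN, ACK] Seq=1963 Ack=399 Win=30336 Len=0"
"45","300.217690","172.1.2.10","172.1.2.6","0.000049","TCP","68","399","399","1964","","[TCP Dup ACK 43#1] 48641 > 16712 [ACK] Seq=399 Ack=1964 Win=35712 Len=0"
"46","300.419643","172.1.2.6","172.1.2.10","0.201953","TLSv1.2","99","1932","1964","399","","[TCP Spurious Retransmission] , Encrypted Alert"
"47","300.419704","172.1.2.10","172.1.2.6","0.000061","TCP","68","399","399","1964","","[TCP Dup ACK 43#2] 48641 > 16712 [ACK] Seq=399 Ack=1964 Win=35712 Len=0"
"""


def segment_end(seq: int, next_seq: int, info: str) -> int:
    """First sequence number beyond what this segment needs acknowledged. Wireshark's
    Next seq column excludes the FIN, so a FIN segment consumes one more number."""
    return next_seq + (1 if "FIN" in info else 0)


def find_retransmissions_after_ack(capture_csv: str) -> List[Tuple[str, int, int]]:
    """Replay the capture in order and return (frame, segment end, peer ACK) for every
    segment whose whole range the peer had already acknowledged before it was sent."""
    highest_ack: Dict[Tuple[str, str], int] = {}   # (src, dst) -> highest ACK sent that way
    flagged: List[Tuple[str, int, int]] = []
    for row in csv.DictReader(io.StringIO(capture_csv)):
        src, dst, info = row["Source"], row["Destination"], row["Info"]
        seq, next_seq, ack = int(row["Seq"]), int(row["Next seq"]), int(row["ack"])
        highest_ack[(src, dst)] = max(highest_ack.get((src, dst), 0), ack)
        end = segment_end(seq, next_seq, info)
        if end == seq:                         # pure ACK: nothing to retransmit
            continue
        peer_ack = highest_ack.get((dst, src), 0)
        if end <= peer_ack:                    # peer already ACKed everything in this segment
            flagged.append((row["No."], end, peer_ack))
    return flagged


if __name__ == "__main__":
    for frame, end, peer_ack in find_retransmissions_after_ack(SAMPLE_CAPTURE):
        print(f"frame {frame}: bytes up to {end} resent although the peer already ACKed {peer_ack}")
```

Frames 44 and 46 come out flagged: the ACK for 1964 (frame 43) was on the wire before each retransmission, which is exactly the mismatch between interface and process that the post describes.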

Posts: 1

Participants: 1

Invalid requests

@waynewex wrote:

Hi all,

Receiving a few bad requests. It seems like they are coming from Facebook’s crawler, but I’m not sure if it is my issue or their side.

Here is an example of “show errors” command using socat:

[15/Oct/2018:20:43:12.275] frontend mysite (#2): invalid request
  backend mysite (#2), server <NONE> (#-1), event #368
  src 66.220.149.10:40984, session #28221, session flags 0x00000080
  HTTP msg state MSG_RQBEFORE(0), msg flags 0x00000000, tx flags 0x00000000
  HTTP chunk len 0 bytes, HTTP body len 0 bytes
  buffer flags 0x00808002, out 0 bytes, total 517 bytes
  pending 517 bytes, wrapping at 32768, error at position 0:

  00000  \x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03N\xB3Q\x14\xDC\xADz\xF3
  00019+ \x85\xAC\x8E\xCE!\xAC\xFA;\xC4\x1Dv\xF4\x86\x04\xFB\xDC\x88*\x885\xCB
  00040+ \xB7m>\x00\x00\xAA\xC00\xC0,\xC0(\xC0$\xC0\x14\xC0\n
  00058  \x00\xA5\x00\xA3\x00\xA1\x00\x9F\x00k\x00j\x00i\x00h\x009\x008\x007
  00080+ \x006\xCC\xA9\xCC\xA8\xCC\x14\xCC\x13\xCC\xAA\xCC\x15\x00\x88\x00\x87
  00098+ \x00\x86\x00\x85\xC02\xC0.\xC0*\xC0&\xC0\x0F\xC0\x05\x00\x9D\x00=\x005
  00120+ \x00\x84\xC0/\xC0+\xC0'\xC0#\xC0\x13\xC0\t\x00\xA4\x00\xA2\x00\xA0\x00
  00141+ \x9E\x00g\x00@\x00?\x00>\x003\x002\x001\x000\x00\x9A\x00\x99\x00\x98
  00164+ \x00\x97\x00E\x00D\x00C\x00B\xC01\xC0-\xC0)\xC0%\xC0\x0E\xC0\x04\x00
  00187+ \x9C\x00<\x00/\x00\x96\x00A\xC0\x12\xC0\x08\x00\x16\x00\x13\x00\x10
  00206+ \x00\r\xC0\r\xC0\x03\x00\n
  00214  \x00\xFF\x01\x00\x01)\x00\x00\x00\x14\x00\x12\x00\x00\x0Ffb.mysite.c
  00242+ om\x00\x0B\x00\x04\x03\x00\x01\x02\x00\n
  00254  \x00\x1C\x00\x1A\x00\x17\x00\x19\x00\x1C\x00\e\x00\x18\x00\x1A\x00\x16
  00272+ \x00\x0E\x00\r\x00\x0B\x00\x0C\x00\t\x00\n
  00284  \x00\r\x00 \x00\x1E\x06\x01\x06\x02\x06\x03\x05\x01\x05\x02\x05\x03
  00302+ \x04\x01\x04\x02\x04\x03\x03\x01\x03\x02\x03\x03\x02\x01\x02\x02\x02
  00319+ \x033t\x00\x00\x00\x10\x00\x0B\x00\t\x08http/1.1\x00\x15\x00\xAE\x00
  00344+ \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
  00361+ \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
  00378+ \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
  00395+ \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
  00412+ \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
  00429+ \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
  00446+ \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
  00463+ \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
  00480+ \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
  00497+ \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
  00514+ \x00\x00\x00

It looks like the request is in hex?

My logs are looking like this at the moment:

Oct 15 20:47:36 mysiteLBNYC haproxy[24611]: 31.13.115.13:49652 [15/Oct/2018:20:47:36.390] mysite mysite/<NOSRV> -1/-1/-1/-1/0 400 187 - - PRNN 354/354/0/0/5 0/0 "<BADREQ>"
Oct 15 20:47:36 mysiteLBNYC haproxy[24611]: 31.13.127.12:58420 [15/Oct/2018:20:47:36.774] mysite mysite/<NOSRV> -1/-1/-1/-1/0 400 187 - - PRNN 356/356/0/0/5 0/0 "<BADREQ>"
Oct 15 20:47:36 mysiteLBNYC haproxy[24611]: 31.13.115.13:52454 [15/Oct/2018:20:47:36.807] mysite mysite/<NOSRV> -1/-1/-1/-1/0 400 187 - - PRNN 355/355/0/0/5 0/0 "<BADREQ>"
Oct 15 20:47:37 mysiteLBNYC haproxy[24609]: 31.13.115.13:55376 [15/Oct/2018:20:47:37.238] mysite mysite/<NOSRV> -1/-1/-1/-1/0 400 187 - - PRNN 797/797/0/0/5 0/0 "<BADREQ>"
Oct 15 20:47:37 mysiteLBNYC haproxy[24611]: 173.252.87.11:60154 [15/Oct/2018:20:47:37.556] mysite mysite/<NOSRV> -1/-1/-1/-1/0 400 187 - - PRNN 348/348/0/0/5 0/0 "<BADREQ>"
Oct 15 20:47:37 mysiteLBNYC haproxy[24609]: 173.252.87.4:58662 [15/Oct/2018:20:47:37.779] mysite mysite/<NOSRV> -1/-1/-1/-1/0 400 187 - - PRNN 803/803/1/0/5 0/0 "<BADREQ>"
Oct 15 20:47:38 mysiteLBNYC haproxy[24609]: 173.252.87.9:52904 [15/Oct/2018:20:47:38.081] mysite mysite/<NOSRV> -1/-1/-1/-1/0 400 187 - - PRNN 791/791/0/0/5 0/0 "<BADREQ>"

The site seems to be working fine in general, and I am unable to produce any errors myself.

Any help on this would be much appreciated!
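The dump above starts with \x16\x03\x01, the header of a TLS handshake record, and has \x01 at offset 5, the ClientHello handshake type: this <BADREQ> is a TLS handshake arriving on a plaintext HTTP frontend, not malformed HTTP, and its server_name extension even carries the host the crawler was after. The Python example below is added here and is not from the original post; it reverses the byte escaping HAProxy uses in show errors output and extracts the version, cipher suites, SNI and ALPN from such a ClientHello. SAMPLE_DUMP is a constructed minimal ClientHello for the placeholder name fb.example.test.

```python
import re
from typing import Optional

# Constructed sample in the line format of HAProxy's "show errors" output: a 5-digit offset,
# a space (start of a new buffer line) or '+' (continuation), a space, then the bytes with
# printable ASCII kept literal and everything else escaped as \t \n \r \e \\ or \xHH. It is
# a minimal TLS 1.2 ClientHello for the placeholder name fb.example.test, not the post's dump.
SAMPLE_DUMP = r"""
  00000  \x16\x03\x01\x00X\x01\x00\x00T\x03\x03
  00011+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  00043+ \x00\x00\x04\xC0/\xC0\n
  00050  \x01\x00\x00'
  00054+ \x00\x00\x00\x14\x00\x12\x00\x00\x0Ffb.example.test
  00078+ \x00\x10\x00\x0B\x00\t\x08http/1.1
"""

_LINE_RE = re.compile(r"^\s*(\d{5})[ +] (.*)$")
_ESCAPE_RE = re.compile(rb"\\(?:x([0-9A-Fa-f]{2})|([tnre\\]))")
_SIMPLE_ESCAPES = {b"t": 0x09, b"n": 0x0A, b"r": 0x0D, b"e": 0x1B, b"\\": 0x5C}
_TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def _unescape(m) -> bytes:
    if m.group(1):                              # \xHH, exactly two hex digits
        return bytes([int(m.group(1), 16)])
    return bytes([_SIMPLE_ESCAPES[m.group(2)]])  # \t \n \r \e \\


def decode_dump_line(text: str) -> bytes:
    """Undo the escaping of the byte part of one dump line."""
    return _ESCAPE_RE.sub(_unescape, text.encode("ascii"))


def decode_show_errors_dump(dump: str) -> bytes:
    """Reassemble the raw request bytes, checking that each line's offset is consistent."""
    data = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        m = _LINE_RE.match(line)
        if m is None:
            raise ValueError(f"not a dump line: {line!r}")
        if int(m.group(1)) != len(data):
            raise ValueError(f"line says offset {m.group(1)}, but {len(data)} bytes decoded")
        data += decode_dump_line(m.group(2))
    return bytes(data)


def parse_client_hello(data: bytes) -> Optional[dict]:
    """Return version, cipher suites, SNI and ALPN if data starts with a TLS handshake
    record carrying a ClientHello; None for anything else (for example real HTTP)."""
    if len(data) < 9 or data[0] != 0x16 or data[1] != 0x03 or data[5] != 0x01:
        return None
    body = data[9:9 + int.from_bytes(data[6:9], "big")]   # handshake length is 3 bytes
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated ClientHello")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    version = int.from_bytes(take(2), "big")
    take(32)                                    # client random
    take(take(1)[0])                            # session id
    suites = take(int.from_bytes(take(2), "big"))
    take(take(1)[0])                            # compression methods
    info = {"version": _TLS_VERSIONS.get(version, hex(version)), "sni": None, "alpn": [],
            "cipher_suites": [int.from_bytes(suites[i:i + 2], "big")
                              for i in range(0, len(suites), 2)]}
    if pos == len(body):                        # ClientHello without extensions
        return info
    ext_len = int.from_bytes(take(2), "big")
    ext_end = pos + ext_len
    while pos < ext_end:
        ext_type = int.from_bytes(take(2), "big")
        ext_data = take(int.from_bytes(take(2), "big"))
        if ext_type == 0 and len(ext_data) >= 5:   # server_name: list len, type, name len, name
            name_len = int.from_bytes(ext_data[3:5], "big")
            info["sni"] = ext_data[5:5 + name_len].decode("ascii", "replace")
        elif ext_type == 16:                       # ALPN: list len, then (len, name) pairs
            p = 2
            while p < len(ext_data):
                n = ext_data[p]
                info["alpn"].append(ext_data[p + 1:p + 1 + n].decode("ascii", "replace"))
                p += 1 + n
    return info
```

The dump in the post itself will not decode cleanly with this parser: its SNI length byte (0x0F) no longer matches the 13-character host name, so the name appears to have been edited after capture.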

Posts: 1

Participants: 1

How to force haproxy to send RST to the server

@ndakotaeq wrote:

Hello, I am seeing in the capture that after the client sent RST, haproxy sends FIN,ACK to the server. Why doesn’t it send RST to the server?

It seems to cause problems because it starts FIN,ACK retransmissions (9 times) after it got ACK from the server.

Posts: 1

Participants: 1

Mailing list problem

@strangeqargo wrote:

I subscribed to a mailing list, and there is a steady stream of new messages incoming, so I tried to send a message with a proposed patch to [haproxy@formilux.org], and got some autoreplies from admins about them ‘no longer working there’

what do, why, what’s wrong with me

Posts: 2

Participants: 2

Help creating content rule from parameter

@Eddiie wrote:

Hello,

I need some help creating acls to branch based off a URL Parameter.

Example: http://www.mysitesample.com/my/site/is/here/myfile.aspx?parameter1=foo&clientid=bar01&index=100

I want to send traffic to backend servers matching a range of what “clientid” equals; the type is text.
Samples of what clientid can equal: Client01, client01, CLIENT01, cLIENT01, CottageCheese01, Bluesky03 (and all upper/lower case variants); it might not be the word client at all, more like the client’s name. The text ‘bar01’ is a sample and not a constant, and the ClientID parameter can appear anywhere in the client list.

say
Client01 through client05 goes to backend 1
Client06 through client10 goes to backend 2
CottageCheese01 or Bluesky03 goes to backend 3
If all else fails, go to backend 4.

Hopefully this explains it.
thank you!

Posts: 1

Participants: 1

Http-response set-header with condition, not working

@muelli wrote:

Hello forum,

I need to set a http-response header under certain conditions.
My idea was to use this configuration in the frontend section:

acl path_set path_beg /some/path
http-response del-header Pragma if path_set
http-response set-header Cache-Control no-cache if path_set
http-response set-header Expires -1 if path_set

However, if I run a check on the config, haproxy tells me:

acl 'path_set' will never match because it only involves keywords that are incompatible with 'frontend http-response header rule'

And indeed, the rule does not work. If I remove the condition (if…) the headers are set but of course for all paths.
Can someone help me understand why this happens and how I can prevent/fix this, so the condition works?

Thanks a lot,
Hans

edit: I use haproxy version 1.6.13 on this server. Could it be a version problem?

Posts: 1

Participants: 1
