Channel: HAProxy community - Latest topics

Convert HTTP/1.0 from clients into HTTP/1.1 to backends

@cuu508 wrote:

My HAProxy 1.9.x instance is receiving a mix of HTTP/1.0 and HTTP/1.1 requests from clients (clients are mostly things like curl, wget and http libraries, not web browsers).

I can see from the logs that when HAProxy receives a HTTP/1.0 request from a client, it makes a HTTP/1.0 request to a backend. I.e., it doesn’t convert it to HTTP/1.1 before handing off to the backend. This is messing with keepalive connections to the backend: for HTTP/1.0 requests, the backend server (nginx) returns a “Connection: Close” response header, and Haproxy closes that specific connection.

Is it possible to tell Haproxy to only ever make HTTP/1.1 requests to backends?

I’m aware of the possibility to use HTTP/2 to backends with http-use-htx. But I’d like to keep things plain and simple if possible.

Posts: 2

Participants: 2

Read full topic


HAPROXY with auth LDAP

@TJarriault wrote:

Hi,
I need to add an LDAP authentication on my haproxy. Is it possible to do this instead of basic auth?

Many thanks,

Tony

Posts: 2

Participants: 2

Read full topic

Lastchk showing L6ok/1mns

@nike wrote:

Sir,
I have configured Haproxy with ssl-passthrough on a CentOS 7 server as frontend, and the same OS has been used for the backend also. Haproxy is running fine on the backend test page, i.e. httpd (Apache), but it is not running on my PHP application on the backend. The Haproxy status is showing its Lastchk as L6ok/1mns … my haproxy config is below … please help…
Global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the ‘-r’ option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log

################################################################################3
# Global settings
#---------------------------------------------------------------------
global
    log         127.0.0.1 local2

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode tcp
    log global
    option tcplog
    option dontlognull
    option http-server-close
    option redispatch
    retries 3
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout check 10s
    maxconn 3000

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend https-in
    bind *:80
    bind *:443
    mode tcp
    default_backend app

frontend stats
    bind *:80
    mode http
    stats enable
    stats uri /stats
    stats realm HAProxy\ Statistics
    stats auth admin:admin
    stats refresh 10s
    stats admin if { src 127.0.0.1 }

#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend app
    mode tcp
    option ssl-hello-chk
    balance roundrobin
    server name of backend host x.x.x.x:443 check

I am using mode tcp, i.e. Layer 4, but here the status report is showing Layer 6:
Server
Cur Max Limit Cur Max Limit Cur Max Limit Total LbTot Last In Out Req Resp Req Conn Resp Retr Redis Status LastChk Wght Act Bck Chk Dwn Dwntme Thrtle
server 0 0 - 0 4 0 3 - 18 18 1m34s 10784 194855 0 0 0 0 0 24m23s UP L6OK in 23ms 1 Y - 0 0 0s -
Backend 0 0 0 4 0 3 300 18 18 1m34s 10784 194855 0 0 0 0 0 0 24m23s UP

thanks in advance

Posts: 1

Participants: 1

Read full topic

Segfault with tcp-check connect with threads

@sgr wrote:

Hello,

I faced a segfault in HAProxy when using tcp-check connect configuration setup. Google showed a lot of people having the same issue and saying the bug has been fixed in version 1.9.6 or later versions (https://www.mail-archive.com/haproxy@formilux.org/msg33141.html).

However, I checked with the last available version at https://haproxy.debian.net/ and still have the issue.

I have made several tests and it turns out that the more frontends / backends you have, the more frequently the coredumps occur. With 4 frontends I had this about 4 times a day; with over 100 frontends it happens every 2 or 3 minutes, even if only one of them is using the tcp-check connect.

In dmesg I got logs like this:

[Mon Jul  1 10:55:38 2019] haproxy[29988]: segfault at 10 ip 000055d2a1731e85 sp 00007f01f37e2390 error 4 in haproxy[55d2a1660000+1e6000]
[Mon Jul  1 10:55:58 2019] haproxy[30027]: segfault at 10 ip 0000560f4a9e7e85 sp 00007f94fd508390 error 4 in haproxy[560f4a916000+1e6000]
[Mon Jul  1 10:56:11 2019] haproxy[30114]: segfault at 10 ip 000056534d544e85 sp 00007fa56ac1a390 error 4 in haproxy[56534d473000+1e6000]
[Mon Jul  1 10:56:16 2019] haproxy[30150]: segfault at 6 ip 00005565aa6b4203 sp 00007f5b8ee442f0 error 4
[Mon Jul  1 10:56:16 2019] haproxy[30151]: segfault at 6 ip 00005565aa6b4203 sp 00007f5b8e6432f0 error 4
[Mon Jul  1 10:56:16 2019]  in haproxy[5565aa5e4000+1e6000]
[Mon Jul  1 10:56:16 2019]  in haproxy[5565aa5e4000+1e6000]
[Mon Jul  1 10:57:12 2019] traps: haproxy[30168] general protection ip:55f8194a1ec8 sp:7f9fb7606390 error:0
[Mon Jul  1 10:57:12 2019]  in haproxy[55f8193d0000+1e6000]
[Mon Jul  1 10:57:17 2019] haproxy[30353]: segfault at 6 ip 000055a43df1b203 sp 00007f4fa68832f0 error 4 in haproxy[55a43de4b000+1e6000]
[Mon Jul  1 10:57:29 2019] haproxy[30378]: segfault at 6 ip 000056028e238203 sp 00007f88d36882f0 error 4 in haproxy[56028e168000+1e6000]

How to reproduce on Debian Stretch:

  • Install HAproxy 1.9.x
  • Add EXTRAOPTS="-f /etc/haproxy/sites-enabled/" in /etc/default/haproxy
  • Use the default haproxy.cfg provided by the package and add nbthread 4 in the global section (I didn’t manage to trigger the bug without adding threads).
  • generate extra configuration using the following script:
#!/bin/bash

cd /etc/haproxy
mkdir -p sites-enabled

rm sites-enabled/*

cat <<EOF > sites-enabled/00-stats.cfg
listen stats
    bind *:80
    stats uri /
    stats admin if TRUE
EOF

for i in $(seq 50); do
cat <<EOF > sites-enabled/front-$i.cfg
listen frontend$i
        mode tcp
        option tcplog

        bind 127.0.0.$i:12345

        option tcp-check
        tcp-check connect port 25
        tcp-check expect rstring "^220 "
        tcp-check send "quit\r\n"

        server 127.0.0.1 127.0.0.1:25 check inter 500ms
EOF

done
  • Make sure you have a smtp server installed on localhost (exim, postfix, opensmtpd would do the job).
  • restart HAProxy and wait.

I can provide further details if required.

My HAProxy installed version on a Debian Stretch.

HA-Proxy version 1.9.8-1~bpo9+1 2019/05/18 - https://haproxy.org/
Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -O2 -fdebug-prefix-map=/build/haproxy-1.9.8=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
  OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_SYSTEMD=1 USE_PCRE2=1 USE_PCRE2_JIT=1 USE_NS=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.1.0j  20 Nov 2018
Running on OpenSSL version : OpenSSL 1.1.0f  25 May 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.3
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE2 version : 10.22 2016-07-29
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with multi-threading support.

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
              h2 : mode=HTX        side=FE|BE
              h2 : mode=HTTP       side=FE
       <default> : mode=HTX        side=FE|BE
       <default> : mode=TCP|HTTP   side=FE|BE

Available filters :
	[SPOE] spoe
	[COMP] compression
	[CACHE] cache
	[TRACE] trace

Posts: 1

Participants: 1

Read full topic
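
A triage helper for the dmesg lines in the post above, as an added example that is not part of the original post or of HAProxy: because ASLR changes the load address on every restart, it subtracts the reported mapping base from each faulting instruction pointer so the crashes can be grouped by site. The function names are chosen here for illustration; the log lines are copied from the post.

```python
import re
from collections import Counter, deque

# Kernel fault lines copied from the dmesg excerpt in the post above.
DMESG = """\
[Mon Jul  1 10:55:38 2019] haproxy[29988]: segfault at 10 ip 000055d2a1731e85 sp 00007f01f37e2390 error 4 in haproxy[55d2a1660000+1e6000]
[Mon Jul  1 10:55:58 2019] haproxy[30027]: segfault at 10 ip 0000560f4a9e7e85 sp 00007f94fd508390 error 4 in haproxy[560f4a916000+1e6000]
[Mon Jul  1 10:56:11 2019] haproxy[30114]: segfault at 10 ip 000056534d544e85 sp 00007fa56ac1a390 error 4 in haproxy[56534d473000+1e6000]
[Mon Jul  1 10:56:16 2019] haproxy[30150]: segfault at 6 ip 00005565aa6b4203 sp 00007f5b8ee442f0 error 4
[Mon Jul  1 10:56:16 2019] haproxy[30151]: segfault at 6 ip 00005565aa6b4203 sp 00007f5b8e6432f0 error 4
[Mon Jul  1 10:56:16 2019]  in haproxy[5565aa5e4000+1e6000]
[Mon Jul  1 10:56:16 2019]  in haproxy[5565aa5e4000+1e6000]
[Mon Jul  1 10:57:12 2019] traps: haproxy[30168] general protection ip:55f8194a1ec8 sp:7f9fb7606390 error:0
[Mon Jul  1 10:57:12 2019]  in haproxy[55f8193d0000+1e6000]
[Mon Jul  1 10:57:17 2019] haproxy[30353]: segfault at 6 ip 000055a43df1b203 sp 00007f4fa68832f0 error 4 in haproxy[55a43de4b000+1e6000]
[Mon Jul  1 10:57:29 2019] haproxy[30378]: segfault at 6 ip 000056028e238203 sp 00007f88d36882f0 error 4 in haproxy[56028e168000+1e6000]
"""

# "haproxy[PID]: segfault at ADDR ip IP ..." or
# "traps: haproxy[PID] general protection ip:IP ..."
FAULT = re.compile(
    r"haproxy\[(?P<pid>\d+)\]:? (?P<kind>segfault|general protection)"
    r".*?\bip[ :](?P<ip>[0-9a-f]+)"
)
# "in haproxy[BASE+SIZE]": the mapping containing the faulting instruction.
MAPPING = re.compile(r"\bin haproxy\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]")


def crash_offsets(text):
    """Return [(pid, kind, offset)] with offset = ip - mapping base.

    When several threads fault at once the kernel may print the
    "in haproxy[...]" part on separate, later lines. Faults without a
    mapping are queued and paired with continuation lines in order.
    """
    pending = deque()
    events = []
    for line in text.splitlines():
        fault = FAULT.search(line)
        mapping = MAPPING.search(line)
        if fault:
            event = (int(fault["pid"]), fault["kind"], int(fault["ip"], 16))
            if not mapping:
                pending.append(event)      # wait for the continuation line
                continue
        elif mapping and pending:
            event = pending.popleft()      # oldest fault still unpaired
        else:
            continue
        pid, kind, ip = event
        base = int(mapping["base"], 16)
        size = int(mapping["size"], 16)
        # Drop pairings where the ip lies outside the reported mapping:
        # that means the continuation line belonged to another event.
        if base <= ip < base + size:
            events.append((pid, kind, ip - base))
    return events


def crash_sites(text):
    """Count faults per ASLR-independent offset (as a hex string)."""
    return Counter(hex(offset) for _, _, offset in crash_offsets(text))


if __name__ == "__main__":
    for site, count in crash_sites(DMESG).most_common():
        print(f"{site}: {count} fault(s)")
```

The offset is relative to the start of the mapping the kernel reports, so it equals an offset into the binary only when that mapping begins at file offset 0.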

Need to remove 1st part of URL

@amirkhalili wrote:

I have to redirect my URL to the following address and then remove the 1st part of the URL and then send it to the backend.
The absolute URL is: https://test.domain.com
It should redirect to the: https://test.domain.com/portal
then I should remove the first part (Portal I mean) and then add the next parts (after /portal) to the URL and send it to the backend.
The final URL which must be sent to the backend should be something like this: https://test.domain.com/dist/…
The HAProxy version is: HA-Proxy version 1.8.4-1deb90d 2018/02/08
Now I have the following configuration:

frontend MAIN-HTTPS
    bind :443 ssl transparent crt /etc/ssl/certs
    acl test hdr(host) test.domain.com
    reqirep ^([^\ :]*)\ /(.*) \1\ /portal/\2 if test
    use_backend testPortal if test

backend testPortal
    mode http
    acl no_redir url_beg /portal
    reqrep ^([^\ :]*)\ /(.*) \1\ /portal/\2 if no_redir
    http-request redirect scheme https if !{ ssl_fc }
    server web-testFanap test.domain.com:100 check

please help me!

Posts: 1

Participants: 1

Read full topic

Configure virtualhost on haproxy

@newbie91 wrote:

Hello, can someone help me? I have a problem with multiple websites that I host on my backend servers. I have 2 backend servers as follows:

  1. server1.local 192.168.10.100
  2. server2.local 192.168.11.100

and my haproxy server is : server3.local 192.168.12.10

I put my web directory on both backend servers:

  1. server1 /var/www/html/nextcloud
  2. server2 /var/www/html/nextcloud

I want to configure load balancing and HA on the HAProxy server, but it is not working. My haproxy.cfg is as follows:

frontend LB
    bind *:80
    reqadd X-Forwarded-Proto:\ http
    #default_backend LB

    # Define hosts
    acl host_cacti hdr(host) -i dakusoft.cacti
    acl host_osticket hdr(host) -i dakusoft.osticket
    acl host_nextcloud hdr(host) -i dakusoft.nextcloud

    # figure out which one to use
    use_backend cacti_cluster if host_cacti
    use_backend osticket_cluster if host_osticket
    use_backend nextcloud_cluster if host_nextcloud

backend cacti_cluster
balance leastconn
option httpclose
rspadd X-Frame-Options:\ SAMEORIGIN
option forwardfor
cookie JSESSIONID prefix
server server1 server1.local:80 cookie server1 check
#server server2 server2.local:80 cookie server2 check

backend nextcloud_cluster
balance leastconn
rspadd X-Frame-Options:\ SAMEORIGIN
option httpclose
option forwardfor
cookie JSESSIONID prefix
server server1 server1.local:80 cookie server1 check
server server2 server2.local:80 cookie server2 check

and this is virtualhost configuration on backend that I created on both of backend server

Posts: 1

Participants: 1

Read full topic

[SOLVED] Fail2ban - add domain name in log

@be_tnt wrote:

Hello!

I have 2 web servers behind Haproxy. I would like to “undesired” traffic to those server using fail2ban but on haproxy not on the web servers. I have so enabled haproxy log as follows:

global
   log 127.0.0.1:514 local0

defaults
   log global
   mode http
   option httplog
   option dontlognull

But in the log, I do not have the domain information. Is there a way to add it?

Thx!

Posts: 2

Participants: 1

Read full topic

Rewrite of response body

@ian wrote:

Hi all
I am hoping someone can help me. Is it possible to rewrite URLs in a response body (not response header)? I have a requirement that makes an API request through the HAProxy (as an API gateway) that returns a list of URLs (amongst other items) in the response body that are used to make further API requests to the backend. However, I want all requests to use the HAProxy API gateway and to mask URLs from users. Any ideas on how to rewrite items in a response body?

Hopefully someone can give me a clue how to achieve this
Regards

Ian

Posts: 1

Participants: 1

Read full topic


IE8 Server sent fatal alert: handshake_failure

@sgreddy wrote:

Hi,
We are trying to move our infrastructure from Microsoft NLB to HAproxy to do the load balancing. I have almost completed configuring the HAproxy, but when I tried the SSL test through SSLlabs I'm getting this error for the IE8 browser. Can you please let me know what would be the appropriate cipher to use for enabling IE8?

here are the ciphers configured on my HAproxy
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA

    ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA

Posts: 1

Participants: 1

Read full topic

[SOLVED] Request logged in custom log and messages file

HAProxy 1.8 check failing 50% of the times

@moscardo wrote:

Hi,
Last weekend we had an outage due to the backend for one VIP going down. All I could see in the logs is that there were no backends available, and in Fortigate I can see that 50% of the connections (the healthchecks) were refused.

image

So, on the left side you have a failed healthcheck and on the right side a good one.

Any idea why HAProxy could have started failing without any configuration change being applied? After a machine reboot it came back fine. It was also happening on the failover instance of HAProxy.

I realized that sni ssl_fc_sni was not configured in the backend, but I am surprised that we didn’t run into problems for many weeks and suddenly it happened.

Here is the backend config:

server web1 10.11.1.1:443 maxconn 8 check inter 5s fall 4 rise 3 ssl verify none

Thanks.

Posts: 1

Participants: 1

Read full topic

HAProxy http-reuse never option not working for HAProxy 1.9.8 and 2.0.1

@ashT wrote:

haproxy -vv output

HA-Proxy version 2.0.1 2019/06/26 - https://haproxy.org/
Build options :
TARGET = linux-glibc
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
OPTIONS = USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1

Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER +PCRE -PCRE_JIT -PCRE2 -PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED -REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL -LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL -SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS

Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=2).
Built with OpenSSL version : OpenSSL 1.1.0j 20 Nov 2018
Running on OpenSSL version : OpenSSL 1.1.0j 20 Nov 2018
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity(“identity”), deflate(“deflate”), raw-deflate(“deflate”), gzip(“gzip”)
Built with PCRE version : 8.39 2016-06-14
Running on PCRE version : 8.39 2016-06-14
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Encrypted password support via crypt(3): yes

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using ‘proto’ keyword)
h2 : mode=HTX side=FE|BE mux=H2
h2 : mode=HTTP side=FE mux=H2
<default> : mode=HTX side=FE|BE mux=H1
<default> : mode=TCP|HTTP side=FE|BE mux=PASS

Available services : none

Available filters :
[SPOE] spoe
[COMP] compression
[CACHE] cache
[TRACE] trace

Config

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
user haproxy
group haproxy
daemon
#maxconn 65536

defaults
log global
mode http
http-reuse never
no log
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

frontend test
bind :80
mode http
maxconn 65536
default_backend nginx

backend nginx
mode http
balance leastconn
server 10.32.95.110 10.32.95.110:81 weight 255
server 10.32.110.236 10.32.110.236:81 weight 255
server 10.33.238.57 10.33.238.57:81 weight 255

Here, connections to the backends are not getting closed after the response.

Posts: 2

Participants: 2

Read full topic

504 Timeouts not changing after restarting the service

@SeanHaynes wrote:

Morning
I have been playing with HAProxy for a few months now, I set up proof of concept which clearly showed how amazing it is, followed by a minor production deployment, to now a full blown HAProxy active /passive deployment on our intranet.

However end users have been experiencing the 504 timeout issue, here is an example from the log:
haproxy[1865]: x.x.x.x:50479 [03/Jul/2019:08:27:09.382] http_front http_back/server.server.com 0/0/1/-1/50002 504 195 - - sH-- 42/40/1/0/0 0/0 “POST /cgi-bin/lansaweb?wam=G_UVE&webrtn=display&ml=LANSA:XHTML&partHTTP/1.1”

In the HAProxy config I had set 50000ms as the timeout for both the client and the server - the reason for this is that some requests require a significant amount of time to compile from a backend db - our sites are spread across the country…

So I increased the timeouts:

timeout connect 500
timeout client 1200000
timeout server 1200000

However, even after restarting HAProxy, the 504 appears to be still set at 50000, as evidenced above.

any help / advice would be greatly appreciated.

Many thanks

Posts: 1

Participants: 1

Read full topic

Rewriting Host trailing dots in logs

@mrwho wrote:

I have a haproxy 1.5.18 setup and some users came with a trailing dot in the hostname,
for example “domain.com.”
I cut the trailing dot with

http-request replace-value Host (.*). \1

It goes normally to the backend servers,
but in the log file it still comes as “domain.com.”

i use

capture request header Host len 20
log-format %[capture.req.hdr(0),lower]\

Posts: 1

Participants: 1

Read full topic

Sub directory not redirecting

@wontbeherelong wrote:

Hi,

Anyone able to tell me what I’m doing wrong here? Most of my services are run on sub domains and work perfectly, However, for SSO to work I need Plex to be a sub directory. My dashboard service (Organizr) is at mydomain.com, and for plex I have told it to point to mydomain.com/plex. So, the relevant part of my config currently looks something like this:

frontend shared-frontend-merged
	acl			ACL1	var(txn.txnhost) -m str -i mydomain.co.uk
	acl			ACLPlex	var(txn.txnpath) -m beg -i /plex

use_backend Organizr_ipvANY  if  ACL1 
	use_backend Plex_ipvANY  if  ACLPlex 

Yet when I try to access Plex through Organizr I’m faced with a 404 served up by nginx. Have I missed something obvious?

Posts: 6

Participants: 2

Read full topic


Setting `pool-max-conn` to `0` not closing idle connections in HAProxy 2.0

@ashT wrote:

HAProxy 2.0 configuration

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
user haproxy
group haproxy
daemon
#maxconn 65536

defaults
log global
mode http
option httplog
http-reuse never
no log
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

frontend test
bind :80
mode http
maxconn 65536
default_backend nginx

backend nginx
mode http
balance leastconn
server 10.32.95.110 10.32.95.110:81 weight 255 pool-max-conn 0 pool-purge-delay 0
server 10.32.110.236 10.32.110.236:81 weight 255 pool-max-conn 0 pool-purge-delay 0
server 10.33.238.57 10.33.238.57:81 weight 255 pool-max-conn 0 pool-purge-delay 0

When making multiple requests over 1 connection using the wrk tool, the connection to a backend is not closed after another backend is selected as per the load balancing algorithm used. Instead, old connections are kept idling and re-used when the algorithm chooses that server. Please let me know if this is expected.

Posts: 1

Participants: 1

Read full topic

Documentation error for closing idle connection in option-keep-alive in HAProxy 2.0

@ashT wrote:

According to configuration manual: http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#4.2-option%20http-keep-alive

If the client request has to go to another backend or another server due to
content switching or the load balancing algorithm, the idle connection will
immediately be closed and a new one re-opened.

But connections to backend servers are not closed after another server is chosen for sending request. As mentioned in observation: HAProxy http-reuse never option not working for HAProxy 1.9.8 and 2.0.1

Posts: 1

Participants: 1

Read full topic

Dropping Cloudflare Cookies

Haproxy tuning for higher TPS(12K-15K)

@deep22028 wrote:

Hi,

I have setup haproxy(layer4) in tcp mode in front of my 4 nginx servers(layer 7). the haproxy load balance traffic to nginx servers in round robin fashion.

We are performing performance testing for this setup for handling high TPS ~ 10K - 15K. but at around 8K tps, we start observing high response time for our apis. along with this the connect time to backend servers increases instantly from ~0ms to 80 ms when the tps hit 8K. also the SYN-SENT connection count increases when this happens.

nginx are serving static content. there are four apis configured with different payload
1) /test1 - 1 kb size with 250 ms delay at nginx to replicate prod apis which take 250 ms while processing a request (traffic distribution - 5%)
2) /test2 - 2 kb size with 150 ms delay at nginx to replicate prod apis which take 150 ms while processing a request (traffic distribution - 40%)
3) /test40 - 40 kb size with 200 ms delay at nginx to replicate prod apis which take 200 ms while processing a request (traffic distribution - 15%)
4) /testbytes - 450 bytes size with 350 ms delay at nginx to replicate prod apis which take 350 ms while processing a request (traffic distribution - 40%)

need urgent help to resolve this issue!

Posts: 2

Participants: 1

Read full topic

Loadbalancing and encrypting Axios Assyst Jboss webserver with HAProxy - Help needed!

@Asthor wrote:

Hello guys,

I am using HAProxy to encrypt and load balance my two Axios Assyst Jboss webservers.

The main functions are working. HAProxy directs with encryption to the Assyst login page.

But after logging in, the page is just blank and I need to refresh the page to get Assyst fully loaded.

Page after login:

and after refresh:

I think there is an issue in directing the response from the webserver after logging in.
Has anyone had a similar experience or an idea to fix it?

Here is my config:

global
    log 127.0.0.1 local0
    chroot /var/log/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 100000
    user haproxy
    group haproxy
    daemon

    stats socket /var/run/haproxy.sock mode 660 level admin

    # Default SSL material locations
    ca-base /etc/haproxy/cert
    crt-base /etc/haproxy/cert

defaults
    log     global
    mode    http
    option httplog
    option dontlognull
    option redispatch
    option accept-invalid-http-response
    option accept-invalid-http-request
    option http-server-close
    option forwardfor except 127.0.0.0/8
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 100000

    stats enable
    stats hide-version
    stats refresh 30s
    stats show-node
    stats auth assyst:assyst
    stats uri  /haproxy?stats


frontend http_https
    mode http
    bind :443 ssl crt /etc/haproxy/cert/serverlb01.pem crt-ignore-err all
    bind :80

    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    redirect scheme https if !{ ssl_fc }
    # option http-keep-alive
    default_backend assyst_prod_lb

backend assyst_prod_lb
    balance roundrobin
    cookie JSESSIONID prefix nocache
    server server1.domain.net 101.161.219.202:8080 cookie s1 check inter 5s
    server server2.domain.net 101.161.219.203:8080 cookie s2 check inter 5s

Posts: 1

Participants: 1

Read full topic
