Hi Guys,
I have a Java web app running behind an HAProxy load balancer. Users get an authentication error when connecting (they can’t log in), but everything works fine in incognito mode or after clearing the browser cache.
This looks like a sticky-session issue. We are running HAProxy 2.3, and client requests are distributed by HAProxy using round-robin (our web app requires persistent connections). Here is my config; I would appreciate any feedback. Cheers
# Process-wide settings: logging target, PID file, daemon mode and the TLS defaults
# applied to every SSL-enabled bind line.
global
log stdout format raw local0 info
pidfile /run/haproxy.pid
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# NOTE(review): the list still admits 3DES suites (ECDH+3DES, DH+3DES, RSA+3DES) and
# non-forward-secret RSA key exchange (RSA+AESGCM, RSA+AES, RSA+3DES); drop them unless
# a known legacy client needs them.
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
# no-sslv3 only rules out SSLv3.
# NOTE(review): state the intended protocol floor explicitly (e.g. ssl-min-ver TLSv1.2)
# rather than relying on the installed version's built-in default.
ssl-default-bind-options no-sslv3
# Size in bits of the ephemeral DH parameters used for DHE key exchange.
tune.ssl.default-dh-param 2048
# Settings inherited by the proxy sections that follow: HTTP mode, HTTP-format logging
# and connection timeouts.
defaults
log global
mode http
option httplog
# Do not log connections on which no data was exchanged.
option dontlognull
# The timeouts carry no unit suffix, so they are read as milliseconds
# (60 s connect, 50 s client, 50 s server).
# NOTE(review): no "timeout http-request" is set, so a slowly sent request is bounded only
# by "timeout client"; a short explicit value limits how long slow requests can hold connections.
timeout connect 60000
timeout client 50000
timeout server 50000
# Built-in statistics page, served at / on port 1936 behind HTTP basic authentication.
listen stats
# NOTE(review): this bind listens on every address and has no "ssl" keyword, so the stats
# credentials below cross the network in cleartext; bind to a management address or add TLS.
bind *:1936
stats enable
stats uri /
# Do not show the HAProxy version on the stats page.
stats hide-version
# user:password pair, kept in cleartext in this file (shown as xxx:xxx, presumably redacted
# for the post).
stats auth xxx:xxx
# Public entry point: accepts HTTP on 80 and TLS on 443 and hands everything to http-backend.
frontend http-frontend
bind *:80
# The certificate path is absolute, so crt-base (/etc/ssl/private) is not applied to it.
# NOTE(review): this PEM presumably holds the private key as well; keep it readable only
# by the account HAProxy starts under.
bind *:443 ssl crt /server.pem
# Requests that did not arrive over TLS are redirected to the https scheme.
redirect scheme https if !{ ssl_fc }
mode http
default_backend http-backend
# DNS resolvers section, referenced by the backend's "default-server resolvers localdns".
resolvers localdns
# Take the nameserver list from /etc/resolv.conf.
parse-resolv-conf
# Keep using the last valid resolution for 5 seconds.
hold valid 5s
# Application pool: round-robin balancing with cookie-based persistence, HTTP health checks
# and DNS-resolved servers.
backend http-backend
mode http
balance roundrobin
# Health-check pacing: probe every 2s in every state; 3 failures mark a server down,
# 2 successes bring it back.
default-server inter 2s fastinter 2s downinter 2s fall 3 rise 2
# NOTE(review): this backend declares two "cookie" directives (this one and
# "cookie SRVID insert dynamic" further down). A backend has a single persistence cookie,
# so presumably only the later line takes effect. Confirm with "haproxy -c -f <config>"
# and keep exactly one persistence scheme.
cookie JSESSIONID prefix
# Add the client address to X-Forwarded-For on requests sent to the servers.
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
# NOTE(review): add-header appends, so an X-Forwarded-Proto value supplied by the client is
# forwarded alongside this one; set-header (as used for X-Forwarded-Port above) would
# replace it, which matters if the application trusts this header.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
# Secret from which the dynamic persistence-cookie values are derived.
# NOTE(review): MYKEY looks like a placeholder; use a random value and keep it out of
# shared configs, since knowing the key makes the cookie values predictable.
dynamic-cookie-key MYKEY
# NOTE(review): the inserted cookie carries no "secure" or "httponly" attribute although the
# frontend forces HTTPS; "indirect" and "nocache" are also commonly paired with "insert".
cookie SRVID insert dynamic
default-server resolvers localdns
# HTTP health check sent to each server.
option httpchk HEAD /ha/health HTTP/1.0
# One server slot per template; the addresses come from ${BACKEND_1} and ${BACKEND_2}
# (presumably environment variables set for the HAProxy process).
# NOTE(review): there is no "ssl" keyword on these lines, so traffic to the application
# servers is plaintext; acceptable only on a trusted network segment.
server-template webapp1 1 ${BACKEND_1} check fall 3 rise 2
server-template webapp2 1 ${BACKEND_2} check fall 3 rise 2