Channel: HAProxy community - Latest topics

Haproxy 1.8 vs 2.7.3


Hello,
I am new to haproxy so learning as I go, so please excuse any obvious mistakes.
I have a working haproxy setup that forwards http requests to load balance between two servers. This is running on a CentOS Linux release 7.9.2009 VM.
It is running haproxy18, installed via rpm.

haproxy18 -vvv
HA-Proxy version 1.8.27-493ce0b 2020/11/06
Copyright 2000-2020 Willy Tarreau <willy@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label
  OPTIONS = USE_LINUX_TPROXY=1 USE_CRYPT_H=1 USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_SYSTEMD=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.1.1k  FIPS 25 Mar 2021
Running on OpenSSL version : OpenSSL 1.1.1k  FIPS 25 Mar 2021
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
        [SPOE] spoe
        [COMP] compression
        [TRACE] trace

My config is as follows:

global
    log /dev/log local0 debug
    maxconn 8000
    user haproxy
    group haproxy
    daemon

defaults
    balance roundrobin
    log global
    option httplog
    timeout client 30s
    timeout connect 4s
    timeout server 30s
    timeout check 5s
    option allbackups

listen admin_page
    bind *:9600
    mode http
    stats enable
    stats refresh 60s
    stats uri /

frontend fe_connector_443
    bind *:443 ssl crt /etc/ssl/private/cert.pem
    mode http
    capture cookie JSESSIONID= len 32
    option forwardfor
    default_backend be_connector_443

backend be_connector_443
    mode http
    balance roundrobin
    cookie JSESSIONID prefix indirect nocache
    option forwardfor
    server cac01 192.168.30.11:443 check cookie s1 verify none ssl
    server cac02 192.168.30.12:443 check cookie s2 verify none ssl

This works as I would expect: I use the client application to connect to the proxy, the application presents me with a cert warning which I accept, the proxy then forwards the http traffic to the backend servers, and then I am able to log in to my application and use it as expected.
In the log, I get these messages when, using my client application, connecting to the proxy:

Feb 21 13:07:46 anyware-proxy01 haproxy18[9950]: IP:38390 [21/Feb/2023:13:07:46.681] fe_connector_443~ fe_connector_443/<NOSRV> -1/-1/-1/-1/22 400 187 - - CR-- 1/1/0/0/0 0/0 "<BADREQ>"
Feb 21 13:07:51 anyware-proxy01 haproxy18[9950]: IP:38391 [21/Feb/2023:13:07:51.414] fe_connector_443~ be_connector_443/cac01 0/0/1/251/253 200 1280 JSESSIONID=s1~8bec635c-9f38-42f8 JSESSIONID=8bec635c-9f38-42f8-a4 --VD 1/1/0/0/0 0/0 "POST /pcoip-broker/xml HTTP/1.1"
Feb 21 13:07:51 anyware-proxy01 haproxy18[9950]: IP:40326 [21/Feb/2023:13:07:51.677] fe_connector_443~ fe_connector_443/<NOSRV> -1/-1/-1/-1/31 400 187 - - CR-- 1/1/0/0/0 0/0 "<BADREQ>"
Feb 21 13:07:53 anyware-proxy01 haproxy18[9950]: IP:40327 [21/Feb/2023:13:07:51.768] fe_connector_443~ be_connector_443/cac01 0/0/1/1865/1867 200 2229 JSESSIONID=s1~8bec635c-9f38-42f8 JSESSIONID=8bec635c-9f38-42f8-a4 --VD 1/1/0/0/0 0/0 "POST /pcoip-broker/xml HTTP/1.1"

However, as this is an old version of haproxy, I would like to upgrade to the latest version, which I have built from source:

/opt/haproxy-2.7.3/sbin/haproxy -vvv
HAProxy version 2.7.3-1065b10 2023/02/14 - https://haproxy.org/
Status: stable branch - will stop receiving fixes around Q1 2024.
Known bugs: http://www.haproxy.org/bugs/bugs-2.7.3.html
Running on: Linux 3.10.0-1160.81.1.el7.x86_64 #1 SMP Fri Dec 16 17:29:43 UTC 2022 x86_64
Build options :
  TARGET  = linux-glibc
  CPU     = generic
  CC      = cc
  CFLAGS  = -O2 -g -Wall -Wextra -Wundef -Wdeclaration-after-statement -Wfatal-errors -Wtype-limits -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wno-string-plus-int -Wno-atomic-alignment
  OPTIONS = USE_PCRE=1 USE_THREAD=1 USE_LIBCRYPT=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_TFO=1 USE_NS=1 USE_SYSTEMD=1
  DEBUG   = -DDEBUG_STRICT -DDEBUG_MEMORY_POOLS

Feature list : -51DEGREES +ACCEPT4 +BACKTRACE -CLOSEFROM +CPU_AFFINITY +CRYPT_H -DEVICEATLAS +DL -ENGINE +EPOLL -EVPORTS +GETADDRINFO -KQUEUE +LIBCRYPT +LINUX_SPLICE +LINUX_TPROXY +LUA -MEMORY_PROFILING +NETFILTER +NS -OBSOLETE_LINKER +OPENSSL -OPENSSL_WOLFSSL -OT +PCRE -PCRE2 -PCRE2_JIT -PCRE_JIT +POLL +PRCTL -PROCCTL -PROMEX -PTHREAD_EMULATION -QUIC +RT +SHM_OPEN -SLZ -STATIC_PCRE -STATIC_PCRE2 +SYSTEMD +TFO +THREAD +THREAD_DUMP +TPROXY -WURFL +ZLIB

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_TGROUPS=16, MAX_THREADS=256, default=4).
Built with OpenSSL version : OpenSSL 1.0.2k-fips  26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips  26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.4.4
Built with network namespace support.
Support for malloc_trim() is enabled.
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Encrypted password support via crypt(3): yes
Built with gcc compiler version 4.8.5 20150623 (Red Hat 4.8.5-44)

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
         h2 : mode=HTTP  side=FE|BE  mux=H2    flags=HTX|HOL_RISK|NO_UPG
       fcgi : mode=HTTP  side=BE     mux=FCGI  flags=HTX|HOL_RISK|NO_UPG
  <default> : mode=HTTP  side=FE|BE  mux=H1    flags=HTX
         h1 : mode=HTTP  side=FE|BE  mux=H1    flags=HTX|NO_UPG
  <default> : mode=TCP   side=FE|BE  mux=PASS  flags=
       none : mode=TCP   side=FE|BE  mux=PASS  flags=NO_UPG

Available services : none

Available filters :
        [BWLIM] bwlim-in
        [BWLIM] bwlim-out
        [CACHE] cache
        [COMP] compression
        [FCGI] fcgi-app
        [SPOE] spoe
        [TRACE] trace

When using the same config as above, I am no longer able to connect via my client application; it just times out, and I get these messages in the haproxy log:

Feb 21 13:18:11 anyware-proxy01 haproxy[10121]: IP:38980 [21/Feb/2023:13:18:11.239] fe_connector_443~ be_connector_443/cac01 0/0/4/74/78 200 1855 - - ---- 1/1/0/0/0 0/0 "POST /pcoip-broker/xml HTTP/1.1"
Feb 21 13:18:12 anyware-proxy01 haproxy[10121]: IP:38990 [21/Feb/2023:13:18:12.017] fe_connector_443~ be_connector_443/cac01 0/0/3/1/4 200 519 - - ---- 1/1/0/0/0 0/0 "POST /broker/xml HTTP/1.1"
Feb 21 13:18:12 anyware-proxy01 haproxy[10121]: IP:39000 [21/Feb/2023:13:18:12.716] fe_connector_443~ be_connector_443/cac01 0/0/3/35/38 200 1855 - - ---- 1/1/0/0/0 0/0 "POST /pcoip-broker/xml HTTP/1.1"
Feb 21 13:18:15 anyware-proxy01 haproxy[10121]: IP:39011 [21/Feb/2023:13:18:15.035] fe_connector_443~ be_connector_443/cac01 0/0/4/1/5 200 519 - - ---- 1/1/0/0/0 0/0 "POST /broker/xml HTTP/1.1"

I can’t see where the issue might be. All I can tell is that using 2.7.3 behaves differently from 1.8.27.
Would anyone be able to help, or provide any suggestions as to what might be happening?

Thank you
Matt
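
Added example, not part of the original post: a small parser for the HTTP-format log lines quoted above that compares, per binary, whether the JSESSIONID cookie was captured and what the persistence flags (3rd and 4th characters of the termination state) report. The field layout and flag meanings follow HAProxy's documented HTTP log format; the function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Four log lines copied from the post: two from haproxy18 (1.8.27), two from haproxy (2.7.3).
SAMPLE = '''\
Feb 21 13:07:46 anyware-proxy01 haproxy18[9950]: IP:38390 [21/Feb/2023:13:07:46.681] fe_connector_443~ fe_connector_443/<NOSRV> -1/-1/-1/-1/22 400 187 - - CR-- 1/1/0/0/0 0/0 "<BADREQ>"
Feb 21 13:07:51 anyware-proxy01 haproxy18[9950]: IP:38391 [21/Feb/2023:13:07:51.414] fe_connector_443~ be_connector_443/cac01 0/0/1/251/253 200 1280 JSESSIONID=s1~8bec635c-9f38-42f8 JSESSIONID=8bec635c-9f38-42f8-a4 --VD 1/1/0/0/0 0/0 "POST /pcoip-broker/xml HTTP/1.1"
Feb 21 13:18:11 anyware-proxy01 haproxy[10121]: IP:38980 [21/Feb/2023:13:18:11.239] fe_connector_443~ be_connector_443/cac01 0/0/4/74/78 200 1855 - - ---- 1/1/0/0/0 0/0 "POST /pcoip-broker/xml HTTP/1.1"
Feb 21 13:18:12 anyware-proxy01 haproxy[10121]: IP:38990 [21/Feb/2023:13:18:12.017] fe_connector_443~ be_connector_443/cac01 0/0/3/1/4 200 519 - - ---- 1/1/0/0/0 0/0 "POST /broker/xml HTTP/1.1"
'''.splitlines()

# HTTP log format: client [accept] frontend backend/server timers status bytes
# req_cookie resp_cookie termination_state conns queues "request"
LINE = re.compile(
    r'(?P<proc>haproxy\w*)\[\d+\]: (?P<client>\S+) \[[^\]]+\] (?P<fe>\S+) '
    r'(?P<be>[^/\s]+)/(?P<srv>\S+) (?P<timers>[-\d/]+) (?P<status>\d{3}) \d+ '
    r'(?P<req_ck>\S+) (?P<res_ck>\S+) (?P<term>\S{4}) \S+ \S+ "(?P<req>[^"]*)"')

# 3rd termination-state character: status of the persistence cookie sent by the client.
CLIENT_CK = {"N": "no cookie", "I": "invalid", "D": "server down", "V": "valid",
             "E": "expired", "O": "old", "U": "unused", "-": "n/a"}
# 4th character: what the proxy did with the server's cookie in the response.
SERVER_CK = {"N": "none", "I": "inserted", "U": "updated", "P": "passed as-is",
             "R": "rewritten", "D": "deleted", "-": "n/a"}

def parse(line):
    """Return the named fields of one HTTP-format log line, or None if it does not match."""
    m = LINE.search(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Per haproxy process name: forwarded requests, cookie captures, persistence flags."""
    out = defaultdict(lambda: {"forwarded": 0, "cookie_captured": 0, "persistence": set()})
    for rec in filter(None, map(parse, lines)):
        if rec["srv"] == "<NOSRV>":  # rejected at the frontend, never reached a server
            continue
        stats = out[rec["proc"]]
        stats["forwarded"] += 1
        stats["cookie_captured"] += rec["req_ck"] != "-"
        third, fourth = rec["term"][2], rec["term"][3]
        stats["persistence"].add((CLIENT_CK.get(third, third), SERVER_CK.get(fourth, fourth)))
    return dict(out)

if __name__ == "__main__":
    for proc, stats in summarize(SAMPLE).items():
        print(proc, stats)
```

On the quoted lines, the haproxy18 request carries a captured JSESSIONID and `--VD`, while both haproxy (2.7.3) requests carry `- - ----`.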
