A couple of days ago my setup, which is HAProxy in front of two IIS servers, started having issues. The symptoms are redirect errors noted in Pingdom and 504 errors from the IIS server. There have been no code changes on the Windows servers or on HAProxy. Once these 504 errors start, the fix has been to disable and re-enable the NIC on the Windows servers. There are NO errors in the event log of the Windows servers when an issue occurs. I have temporarily changed the backend to use only one server for troubleshooting purposes. Please find the sanitized, pertinent parts of my HAProxy configuration below; any and all recommendations are welcome, and thank you for your time.
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
# 'level admin' allows runtime state changes (e.g. disabling servers) and
# 'expose-fd listeners' hands listener fds to a reloading process; the 660
# mode keeps the socket reachable only by its owner/group.
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# maxrewrite reserves part of every buffer for header rewriting (here half of
# bufsize); a larger bufsize also raises per-connection memory across maxconn.
tune.maxrewrite 16384
tune.bufsize 32768
tune.ssl.default-dh-param 2048
maxconn 4000
#CORS preflight backend
lua-load /etc/haproxy/cors.lua
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
# This list governs TLS 1.2 suites only; TLS 1.3 suites are controlled by
# ssl-default-bind-ciphersuites, which is not set here (library defaults apply).
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
# Floor is TLS 1.2. The commented 'ssl-min-ver TLSv1.0' line below would relax
# this floor if re-enabled -- keep it commented.
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
#no-tls10
#ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
#ssl-default-bind-options ssl-min-ver TLSv1.0
defaults
log global
mode http
option httplog
# Connections that close without sending a request (e.g. bare TCP probes)
# are not logged.
option dontlognull
timeout connect 20s
# NOTE(review): HAProxy itself answers 504 when 'timeout server' expires while
# waiting for the backend's response headers. With 10m here, an HAProxy-
# generated 504 means IIS accepted the connection and then stayed silent for
# ten minutes -- consistent with a NIC reset being the "fix". The termination
# flags in the httplog line (e.g. "sH") tell an HAProxy-generated 504 apart
# from one relayed from IIS. Ten-minute client/server timeouts also keep stuck
# sessions counting against maxconn for a long time.
timeout client 10m
timeout server 10m
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend psites_com
bind 1.2.3.4:80
bind 1.2.3.4:443 ssl crt /etc/haproxy/ssl/
mode http
#tcp-request connection reject if { src -f /etc/haproxy/blacklist_clients }
# Allow-list only: any connection whose peer address is not in the file is
# dropped before the TLS handshake. Rejections at this layer never produce an
# HTTP log line (they appear as denied connections in the frontend stats), so
# a monitoring source (e.g. Pingdom) missing from the list looks like an
# outage. 'src' is the TCP peer address; if another device sits in front of
# HAProxy, that device's address is what gets matched.
tcp-request connection reject unless { src -f /etc/haproxy/whitelist.ip }
# Add CORS headers when Origin header is present
capture request header origin len 128
# if a preflight request is made, use CORS preflight backend
# This runs before the deny rules further down, so OPTIONS preflights from
# blacklisted agents/clients are still answered by the Lua service.
http-request use-service lua.cors-response if METH_OPTIONS { capture.req.hdr(0) -m found }
# add Access-Control-Allow-Origin HTTP header to response if origin matches the list of allowed URLs
# NOTE(review): neither half of the comment above holds as written:
#  - the ACL only tests that an Origin header is present, so ANY origin is
#    reflected; compare capture.req.hdr(0) against an allow-list file
#    instead, e.g. { capture.req.hdr(0) -i -f <allowed-origins-file> }.
#  - 'http-request set-header' edits the request forwarded to IIS, not the
#    response to the browser; a response header needs 'http-response set-header'.
http-request set-header Access-Control-Allow-Origin %[capture.req.hdr(0)] if { capture.req.hdr(0) -m found }
# Path-based denies (answered with 403 by default).
acl block-WP path_end -i .php
acl block-ADS path_end -i ads.txt
acl block-JAR path_end -i .jar
#acl badURL path -m reg \+[A-Za-z0-9]+\+[A-Za-z0-9]+\+
acl block-WPincludes path_beg -i /wp-includes/
# Letsencrypt
# Defined but not referenced in this excerpt. The https redirect below has no
# exception for it, so http-01 challenges arriving on port 80 are redirected.
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
# SSL
# Also not referenced in this excerpt (presumably used elsewhere).
acl https_domain hdr(host) -i -f /etc/haproxy/ssl_domains
# Black List
# Substring match of User-Agent against each line of the file.
acl blockedagent hdr_sub(user-agent) -i -f /etc/haproxy/blacklist.agent
# Clients that were sent to bots
# '-i' has no effect on an address match; harmless, can be dropped.
acl blacklisted_clients src -i -f /etc/haproxy/blacklist_clients
################ Default Logic ############################################
# Block black listed IPS
http-request deny if blockedagent
http-request deny if blacklisted_clients
http-request deny if block-WP
#http-request deny if badURL
http-request deny if block-JAR
http-request deny if block-WPincludes
http-request deny if block-ADS
# Redirect http -> https
# Unconditional for every plain-text request, including the ACME challenge
# path above and any probe that expects a 200 on port 80.
redirect scheme https if !{ ssl_fc }
# Default
default_backend xsites_cloud
backend xsites_cloud
mode http
# Pins each client IP to one server by hashing src, as long as no server goes
# up or down; a state change remaps clients. Moot with a single server.
balance source
# Redundant with the set-header below: set-header replaces the whole
# X-Forwarded-For with the real peer address, which also discards any
# client-supplied value (good -- IIS cannot be fed a spoofed XFF).
option forwardfor
http-request set-header X-Forwarded-For %[src]
# NOTE(review): 'check' without 'option httpchk' is a TCP connect probe only.
# A server that still accepts connections but never answers HTTP stays UP,
# which matches the symptom described. Consider
#   option httpchk GET <health-path>
#   http-check expect status 200
# so a hung IIS is marked DOWN instead of producing 504s.
server i-3.cloud 10.100.0.13:80 check
# server i-4.cloud 10.100.0.16:80 check (remarked out for testing)
# retries 4 (had previously tried this to help with 504 errors)
# option redispatch 2 (had previously tried this to help with 504 errors)
# 'retries' only re-attempts connection establishment; a server that accepted
# the connection and then stalled (a 504 via 'timeout server') is not retried
# unless 'retry-on response-timeout' is also set, and that is only safe for
# idempotent requests -- which is why retries/redispatch did not help here.
NOTE: this is a large config and I have pulled out only the pieces I thought pertinent to this discussion.
My HAProxy version is 2.4.22