@Matthieu_HPP wrote:
Hi,
I am trying to use HAProxy on a VPS (Debian 8). Iptables is used as a firewall.
I can't modify /etc/sysctl.conf.
My application uses websockets and redis to share data among both backend servers. When I connect to the VPS, the web site works for some minutes, then Error: 503.
There is no reported error in my application logs. Am I doing something wrong? Do I have to renounce HAProxy or the VPS to modify sysctl?
Extract of HAProxy log files and conf files follow.
Many thanks for your help.
Matthieu
(IP address modified with xxx)
Extract of the Log file :
Jul 10 18:42:35 matthieu haproxy[558]: 149.91.89.xxx:46024 [10/Jul/2017:18:42:30.036] https_app~ http_app/server_app_2 0/4991/2/7/5007 400 228 - - --NI 690/690/687/100/0 0/466 "GET /socket.io/?EIO=3&tr$
Jul 10 18:42:35 matthieu haproxy[558]: 149.91.89.xxx:46008 [10/Jul/2017:18:42:30.036] https_app~ http_app/<NOSRV> 0/5007/-1/-1/5009 503 213 - - sQNN 689/689/687/0/0 0/472 "GET /socket.io/?EIO=3&transpo$
Jul 10 18:42:35 matthieu haproxy[558]: 149.91.89.xxx:46034 [10/Jul/2017:18:42:30.036] https_app~ http_app/<NOSRV> 0/5007/-1/-1/5009 503 213 - - sQNN 688/688/686/0/0 0/471 "POST /socket.io/?EIO=3&transp$
Config file :
global
    log /dev/log local0
    log /dev/log local1 notice
    # log 127.0.0.1:8008 local0
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    maxconn 10000
    debug

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
    ssl-default-server-options no-sslv3
    ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

defaults http
    log global
    mode http
    option httplog
    option dontlognull
    retries 3
    option redispatch
    option http-server-close
    # option forceclose
    option forwardfor except 127.0.0.1
    timeout connect 5s
    timeout client 30s
    timeout client-fin 30s
    timeout tunnel 1h
    timeout server 30s
    # default-server inter 1s rise 2 fall 1 on-marked-down shutdown-sessions
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

#front-end
frontend https_app
    bind 0.0.0.0:443 ssl no-sslv3 crt /etc/ssl/letsencrypt
    default_backend http_app

#back-end
backend http_app
    option httpchk HEAD /health
    http-check expect status 200
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Port %[dst_port]
    balance roundrobin
    cookie SERVERID insert indirect nocache
    server server_app_1 127.0.0.1:3001 maxconn 100 check cookie server_app_1
    server server_app_2 127.0.0.1:3002 maxconn 100 check cookie server_app_2
Posts: 3
Participants: 2
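
An added example, not part of the original post or of HAProxy itself: a small Python parser for the `option httplog` lines quoted above, decoding the timers, the first two termination-state flags and the connection and queue counters. It assumes HAProxy's standard HTTP log field order; the function names `parse` and `queue_timeouts` are hypothetical.

```python
import re

# Fields of an "option httplog" line, after any syslog prefix.
LINE = re.compile(
    r'(?P<client>\S+) \[(?P<date>[^\]]+)\] (?P<fe>\S+) (?P<be>[^/\s]+)/(?P<srv>\S+) '
    r'(?P<timers>[-+\d]+(?:/[-+\d]+){4}) (?P<status>-?\d+) (?P<bytes>\+?\d+) '
    r'\S+ \S+ (?P<term>\S{4}) (?P<conns>\+?\d+(?:/\+?\d+){4}) (?P<queues>\d+/\d+)')

# First two termination-state characters: what ended the session, and in which phase.
CAUSE = {"-": "normal", "C": "client abort", "S": "server abort", "P": "closed by proxy",
         "R": "resource exhausted", "I": "internal error",
         "c": "client-side timeout", "s": "server-side timeout"}
PHASE = {"-": "completed", "R": "waiting for request", "Q": "waiting in queue",
         "C": "connecting to server", "H": "waiting for response headers",
         "D": "data transfer", "L": "sending last data", "T": "tarpitted"}

def parse(line):
    """Return the fields needed for triage, or None if the line is not httplog."""
    m = LINE.search(line)
    if not m:
        return None
    # Timers in ms: request / queue wait / connect / response / total.
    tq, tw, tc, tr, tt = (int(x) for x in m["timers"].split("/"))
    actconn, feconn, beconn, srv_conn, retries = (int(x) for x in m["conns"].split("/"))
    srv_queue, backend_queue = (int(x) for x in m["queues"].split("/"))
    term = m["term"]
    return {"server": m["srv"], "status": int(m["status"]), "term": term,
            "cause": CAUSE.get(term[0], "other"), "phase": PHASE.get(term[1], "other"),
            "tw_ms": tw, "beconn": beconn, "srv_conn": srv_conn,
            "backend_queue": backend_queue}

def queue_timeouts(lines):
    """Records whose request expired while queued (termination state starts with sQ)."""
    return [r for r in map(parse, lines) if r and r["term"].startswith("sQ")]

# Two of the lines from the post, truncated at "$" exactly as posted.
SAMPLE = [
    'Jul 10 18:42:35 matthieu haproxy[558]: 149.91.89.xxx:46024 [10/Jul/2017:18:42:30.036] '
    'https_app~ http_app/server_app_2 0/4991/2/7/5007 400 228 - - --NI '
    '690/690/687/100/0 0/466 "GET /socket.io/?EIO=3&tr$',
    'Jul 10 18:42:35 matthieu haproxy[558]: 149.91.89.xxx:46008 [10/Jul/2017:18:42:30.036] '
    'https_app~ http_app/<NOSRV> 0/5007/-1/-1/5009 503 213 - - sQNN '
    '689/689/687/0/0 0/472 "GET /socket.io/?EIO=3&transpo$',
]

if __name__ == "__main__":
    for rec in map(parse, SAMPLE):
        print(rec)
```

On the quoted lines the 503 carries `sQ` with a queue wait of about 5000 ms and a backend queue in the hundreds, while the request that did reach `server_app_2` shows that server at 100 connections, the `maxconn 100` set in the posted config. HAProxy uses `timeout connect` (5s here) as the queue timeout when `timeout queue` is not set.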