On 6 April 2010 19:43, Willy Tarreau <w...@1wt.eu> wrote:

> On Tue, Apr 06, 2010 at 11:42:53AM +0100, Matt wrote:
> > Hi all,
> >
> > Using HA-Proxy version 1.3.19 2009/07/27.  Set-up is HA-Proxy balancing a
> > pool of Jetty servers.
> >
> > We had a tomcat application using keep-alive that was having issues (kept on
> > opening many connections), so to stop that and other clients getting the
> > same problem we used the option httpclose which fixed the problem.
> >
> > This though has added another issue when using digest authentication with
> > curl.  When sending to the HA-Proxy IP:-
> >
> > **request**
> > > User-Agent: curl/7.19.5 (i486-pc-linux-gnu) libcurl/7.19.5 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.15
> > > Host: ...........
> > > Accept: */*
> > > content-type:application/xml
> > > Content-Length: 0
> > > Expect: 100-continue
> >
> > **response**
> > < HTTP/1.1 100 Continue
> > < Connection: close
> > * Empty reply from server
> > * Closing connection #0
> > curl: (52) Empty reply from server
> >
> > It looks like HA-Proxy is sending 100-continue and not 401 and adding the
> > connection closed header.  If I use curl with the --http1.0 option, then it
> > works as expected, but I guess this is forcing Jetty to work in http 1.0
> > mode.
>
> This was fixed in 1.3.23 and 1.3.24. The issue is not what you describe above.
> What happens is that the client sends the "Expect: 100-continue" header, which
> is forwarded to the server. The server then replies with "HTTP/1.1 100 Continue"
> and haproxy adds the "Connection: close" response there. Strictly speaking, both
> curl and haproxy are incorrect here :
>  - haproxy should not add any header on a 100-continue response
>  - libcurl should ignore any header in a 100-continue response.
>
> But the reality is that both do probably not consider the 100-continue
> response as a special case, which it is.
>
> There is nothing you can do with the configuration to fix this, you should
> really update your version (also other annoying issues have been fixed since
> 1.3.19). Either you install 1.3.24 (or 1.3.23 if you don't find 1.3.24 yet for
> your distro), or you can switch to 1.4.3.
>
> Well, maybe if you remove "option httpclose" and replace it with
> "reqadd Connection:\ close", without the corresponding "rspadd", it could work,
> if you don't have anything else touching the response (no cookie insertion, ...).
> This would rely on the server to correctly close the response. But it would be
> an awful hack.
>
> > When using apache in front of HA-Proxy with both force-proxy-request-1.0 and
> > proxy-nokeepalive the request is successful.
>
> This is because the Expect header appeared in 1.1, so the client cannot use it
> if you force the request as 1.0.

On second thoughts I don't think this is going to work.  If 1.3.24 is the
same as 1.4.3, I'm getting an error on the first request not the challenge
when using 1.4.3 and option httpclose, or option http-server-close.

When using curl :-
* Server auth using Digest with user 'su'
> PUT ............. HTTP/1.1
> User-Agent: curl/7.19.5 (i486-pc-linux-gnu) libcurl/7.19.5 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.15
> Host: ..........
> Accept: */*
> content-type:application/xml
> Content-Length: 0
> Expect: 100-continue
>
< HTTP/1.1 100 Continue
* HTTP 1.0, assume close after body
< HTTP/1.0 502 Bad Gateway
< Cache-Control: no-cache
< Connection: close
< Content-Type: text/html
<
<html><body><h1>502 Bad Gateway</h1>
The server returned an invalid or incomplete response.
</body></html>
* Closing connection #0

The Jetty server throws an exception :-
HTTP/1.1 PUT
Request URL: http://..........
User-Agent: curl/7.19.5 (i486-pc-linux-gnu) libcurl/7.19.5 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.15
Host: ............
Accept: */*
Content-Type: application/xml
Content-Length: 0
Expect: 100-continue
X-Forwarded-For: ...........
Connection: close
Querystring: null
-ERROR Authenticator             Authenticator caught IO Error when trying to authenticate user!
org.mortbay.jetty.EofException
org.mortbay.jetty.HttpGenerator.flush(HttpGenerator.java:760)
org.mortbay.jetty.AbstractGenerator$Output.flush(AbstractGenerator.java:565)
org.mortbay.jetty.HttpConnection$Output.flush(HttpConnection.java:904)
org.mortbay.jetty.AbstractGenerator$Output.write(AbstractGenerator.java:633)
org.mortbay.jetty.AbstractGenerator$Output.write(AbstractGenerator.java:586)
org.mortbay.jetty.security.DigestAuthenticator.authenticate(DigestAuthenticator.java:131)
...........
Caused by: java.nio.channels.ClosedChannelException
...........

HA Proxy debug:-
accept(0007)=0008 from [...........:49194]
clireq[0008:ffff]: PUT ........... HTTP/1.1
clihdr[0008:ffff]: User-Agent: curl/7.19.5 (i486-pc-linux-gnu) libcurl/7.19.5 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.15
clihdr[0008:ffff]: Host: ................
clihdr[0008:ffff]: Accept: */*
clihdr[0008:ffff]: content-type:application/xml
clihdr[0008:ffff]: Content-Length: 0
clihdr[0008:ffff]: Expect: 100-continue
srvrep[0008:0009]: HTTP/1.1 100 Continue
srvcls[0008:0009]
clicls[0008:0009]
closed[0008:0009]

Making sure that both httpclose and http-server-close are absent causes the
requests to work.

Thanks,

Matt
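
The 100-continue handling discussed in the quoted reply above, as an added example that is not part of the original thread and is not HAProxy or libcurl code: a proxy-side filter that leaves interim responses untouched and a client-side reader that ignores headers on them, next to the naive filter that marks the first header block. All function names are hypothetical and the server stream is constructed.

```python
CRLF = b"\r\n"

# Constructed server output: interim 100, then the digest challenge (401).
SERVER_STREAM = (
    b"HTTP/1.1 100 Continue\r\n\r\n"
    b"HTTP/1.1 401 Unauthorized\r\n"
    b'WWW-Authenticate: Digest realm="example", nonce="constructed"\r\n'
    b"Content-Length: 0\r\n\r\n"
)

def split_head(stream):
    """Split the first header block off a response stream."""
    head, sep, rest = stream.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(CRLF)
    return int(lines[0].split(b" ", 2)[1]), lines, rest

def is_interim(status):
    # 1xx means a final response still follows on this connection.
    # 101 is treated as final here because HTTP framing ends after it.
    return 100 <= status < 200 and status != 101

def naive_add_close(stream):
    """Behaviour described in the thread: the first block gets the header."""
    _, lines, rest = split_head(stream)
    return CRLF.join(lines + [b"Connection: close"]) + CRLF * 2 + rest

def add_close_to_final(stream):
    """Proxy side: pass interim blocks through untouched, mark only the final one."""
    out = b""
    while True:
        status, lines, rest = split_head(stream)
        if not is_interim(status):
            return out + CRLF.join(lines + [b"Connection: close"]) + CRLF * 2 + rest
        out += CRLF.join(lines) + CRLF * 2
        stream = rest

def client_final_response(stream):
    """Client side: skip interim responses and ignore any headers they carry."""
    while True:
        status, lines, stream = split_head(stream)
        if not is_interim(status):
            pairs = (line.partition(b":") for line in lines[1:])
            return status, {k.strip().lower(): v.strip() for k, _, v in pairs}
```

A stream that ends after the interim block, as in the "Empty reply from server" trace, makes `client_final_response` raise `ValueError` instead of returning a status.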
