On 7 April 2010 11:10, Matt <mattmora...@gmail.com> wrote:
> On 6 April 2010 19:43, Willy Tarreau <w...@1wt.eu> wrote:
>
>> On Tue, Apr 06, 2010 at 11:42:53AM +0100, Matt wrote:
>> > Hi all,
>> >
>> > Using HA-Proxy version 1.3.19 2009/07/27. Set-up is HA-Proxy balancing a
>> > pool of Jetty servers.
>> >
>> > We had a tomcat application using keep-alive that was having issues (kept on
>> > opening many connections), so to stop that and other clients getting the
>> > same problem we used the option httpclose which fixed the problem.
>> >
>> > This though has added another issue when using digest authentication with
>> > curl. When sending to the HA-Proxy IP:-
>> >
>> > **request**
>> > > User-Agent: curl/7.19.5 (i486-pc-linux-gnu) libcurl/7.19.5 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.15
>> > > Host: ...........
>> > > Accept: */*
>> > > content-type:application/xml
>> > > Content-Length: 0
>> > > Expect: 100-continue
>> >
>> > **response**
>> > < HTTP/1.1 100 Continue
>> > < Connection: close
>> > * Empty reply from server
>> > * Closing connection #0
>> > curl: (52) Empty reply from server
>> >
>> > It looks like HA-Proxy is sending 100-continue and not 401 and adding the
>> > connection closed header. If I use curl with the --http1.0 option, then it
>> > works as expected, but I guess this is forcing Jetty to work in http 1.0
>> > mode.
>>
>> This was fixed in 1.3.23 and 1.3.24. The issue is not what you describe above.
>> What happens is that the client sends the "Expect: 100-continue" header, which
>> is forwarded to the server. The server then replies with "HTTP/1.1 100 Continue"
>> and haproxy adds the "Connection: close" response there. Strictly speaking, both
>> curl and haproxy are incorrect here :
>> - haproxy should not add any header on a 100-continue response
>> - libcurl should ignore any header in a 100-continue response.
>>
>> But the reality is that both do probably not consider the 100-continue
>> response as a special case, which it is.
>>
>> There is nothing you can do with the configuration to fix this, you should
>> really update your version (also other annoying issues have been fixed since
>> 1.3.19). Either you install 1.3.24 (or 1.3.23 if you don't find 1.3.24 yet for
>> your distro), or you can switch to 1.4.3.
>>
>> Well, maybe if you remove "option httpclose" and replace it with
>> "reqadd Connection:\ close", without the corresponding "rspadd", it could work,
>> if you don't have anything else touching the response (no cookie insertion, ...).
>> This would rely on the server to correctly close the response. But it would be
>> an awful hack.
>>
>> > When using apache in front of HA-Proxy with both force-proxy-request-1.0 and
>> > proxy-nokeepalive the request is successful.
>>
>> This is because the Expect header appeared in 1.1, so the client cannot use it
>> if you force the request as 1.0.
>>
>
> On second thoughts I don't think this is going to work. If 1.3.24 is the
> same as 1.4.3, I'm getting an error on the first request not the challenge
> when using 1.4.3 and option httpclose, or option http-server-close.
>
> When using curl :-
> * Server auth using Digest with user 'su'
> > PUT ............. HTTP/1.1
> > User-Agent: curl/7.19.5 (i486-pc-linux-gnu) libcurl/7.19.5 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.15
> > Host: ..........
> > Accept: */*
> > content-type:application/xml
> > Content-Length: 0
> > Expect: 100-continue
> >
> < HTTP/1.1 100 Continue
> * HTTP 1.0, assume close after body
> < HTTP/1.0 502 Bad Gateway
> < Cache-Control: no-cache
> < Connection: close
> < Content-Type: text/html
> <
> <html><body><h1>502 Bad Gateway</h1>
> The server returned an invalid or incomplete response.
> </body></html>
> * Closing connection #0
>
> The Jetty server throws an exception :-
> HTTP/1.1 PUT
> Request URL: http://..........
> User-Agent: curl/7.19.5 (i486-pc-linux-gnu) libcurl/7.19.5 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.15
> Host: ............
> Accept: */*
> Content-Type: application/xml
> Content-Length: 0
> Expect: 100-continue
> X-Forwarded-For: ...........
> Connection: close
> Querystring: null
> -ERROR Authenticator Authenticator caught IO Error when trying to authenticate user!
> org.mortbay.jetty.EofException
> org.mortbay.jetty.HttpGenerator.flush(HttpGenerator.java:760)
> org.mortbay.jetty.AbstractGenerator$Output.flush(AbstractGenerator.java:565)
> org.mortbay.jetty.HttpConnection$Output.flush(HttpConnection.java:904)
> org.mortbay.jetty.AbstractGenerator$Output.write(AbstractGenerator.java:633)
> org.mortbay.jetty.AbstractGenerator$Output.write(AbstractGenerator.java:586)
> org.mortbay.jetty.security.DigestAuthenticator.authenticate(DigestAuthenticator.java:131)
> ...........
> Caused by: java.nio.channels.ClosedChannelException
> ...........
>
> HA Proxy debug:-
> accept(0007)=0008 from [...........:49194]
> clireq[0008:ffff]: PUT ........... HTTP/1.1
> clihdr[0008:ffff]: User-Agent: curl/7.19.5 (i486-pc-linux-gnu) libcurl/7.19.5 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.15
> clihdr[0008:ffff]: Host: ................
> clihdr[0008:ffff]: Accept: */*
> clihdr[0008:ffff]: content-type:application/xml
> clihdr[0008:ffff]: Content-Length: 0
> clihdr[0008:ffff]: Expect: 100-continue
> srvrep[0008:0009]: HTTP/1.1 100 Continue
> srvcls[0008:0009]
> clicls[0008:0009]
> closed[0008:0009]
>
> Making sure that both httpclose and http-server-close are absent causes the
> requests to work.
>
> Thanks,
>
1.3.23 gives the same issue as above. If you think it could be an issue with
HA Proxy and need me to test a patch/setting just shout.

Matt
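
The point quoted above, that a 100-continue response is a special case whose headers should be ignored, shown as an added example (not part of the original thread, and not haproxy or libcurl code). The function names are hypothetical, the byte strings are constructed to mirror the traces in the thread, and everything after the final header block is treated as the body.

```python
# Added example: receiver-side handling of interim (1xx) responses.

class IncompleteResponse(Exception):
    """The stream ended before a final (non-1xx) response arrived."""

def parse_head(head: bytes):
    """Split one status line + header block into (version, status, headers)."""
    lines = head.decode("iso-8859-1").split("\r\n")
    version, status, *_reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return version, int(status), headers

def read_final_response(stream: bytes):
    """Skip interim responses; take connection state from the final one only."""
    interim, rest = [], stream
    while True:
        head, sep, rest = rest.partition(b"\r\n\r\n")
        if not sep:
            # Only interim responses (or nothing) were received before EOF:
            # the "Empty reply from server" / 502 situation in the thread.
            raise IncompleteResponse(f"EOF after interim responses {interim}")
        version, status, headers = parse_head(head)
        if 100 <= status < 200 and status != 101:
            interim.append(status)  # headers on a 1xx are deliberately dropped
            continue
        token = headers.get("connection", "").lower()
        close = token == "close" or (version == "HTTP/1.0" and token != "keep-alive")
        return {"status": status, "headers": headers, "body": rest,
                "interim": interim, "close": close}

# Constructed sample: a 100 Continue carrying a stray "Connection: close".
INTERIM_ONLY = b"HTTP/1.1 100 Continue\r\nConnection: close\r\n\r\n"
# Constructed sample: the same interim response followed by a digest challenge.
WITH_CHALLENGE = INTERIM_ONLY + (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b'WWW-Authenticate: Digest realm="example", nonce="constructed"\r\n'
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print(read_final_response(WITH_CHALLENGE))
```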