On Wed, Nov 30, 2011 at 03:56:14PM +0200, Daniel Rankov wrote:
> Ok, now I'm kind of stuck here.
> Let me share with you my observations on my really simple environment:
> for client I use wget on server with ip 192.168.2.30
> haproxy is set on server with ip 192.168.2.38
> and haproxy and web server communicate on 127.0.0.1. haproxy is in tcpmode.
> this is the monitored tcpdump for connection client to haproxy /just the
> closing connection part/ :
> ....
> 14:56:40.448210 IP 192.168.2.30.55867 > 192.168.2.38.443: . ack 7983 win 204 <nop,nop,timestamp 2554292865 2553505887>
> 14:56:40.448849 IP 192.168.2.30.55867 > 192.168.2.38.443: F 618:618(0) ack 7983 win 204 <nop,nop,timestamp 2554292866 2553505887>
> 14:56:40.449513 IP 192.168.2.38.443 > 192.168.2.30.55867: F 7983:7983(0) ack 619 win 62 <nop,nop,timestamp 2553505889 2554292866>
> 14:56:40.449656 IP 192.168.2.30.55867 > 192.168.2.38.443: . ack 7984 win 204 <nop,nop,timestamp 2554292867 2553505889>
>
> and this is tcpdump for 127.0.0.1 /just the closing part again/ :
> ....
> 14:56:40.447887 IP 127.0.0.1.59302 > 127.0.0.1.8443: . ack 7983 win 386 <nop,nop,timestamp 2553505887 2553505886>
> 14:56:40.448914 IP 127.0.0.1.59302 > 127.0.0.1.8443: F 618:618(0) ack 7983 win 386 <nop,nop,timestamp 2553505888 2553505886>
> 14:56:40.449236 IP 127.0.0.1.8443 > 127.0.0.1.59302: F 7983:7983(0) ack 619 win 273 <nop,nop,timestamp 2553505888 2553505888>
> 14:56:40.449272 IP 127.0.0.1.59302 > 127.0.0.1.8443: . ack 7984 win 386 <nop,nop,timestamp 2553505889 2553505888>
>
> So that shows me that the connections from haproxy to webserver are closed
> with FIN/FIN-ACK/ACK.
> here is netstat -anpo | grep TIME:
> tcp 0 0 127.0.0.1:59302 127.0.0.1:8443 TIME_WAIT - timewait (58.73/0/0)
>
> is that the expected behaviour ?

Yes, if you're in TCP mode (I thought you were using HTTP mode), it's perfectly expected because in TCP mode there is no way to know if some important data were sent and not received by the other side, so you cannot use an RST to force a close. Also, in TCP mode, haproxy just relays on the other side what it sees. So as you can see, wget closes the connection to haproxy, then haproxy does the same with the server.

If you want to force an RST, you can use "option nolinger" in the backend. But then again, this is really not recommended since it can lead to incomplete data being received by the server. In the case of HTTPS, it should not be an issue due to the SSL closing handshake, but this is something to keep in mind.

Regards,
Willy
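
The FIN close and the forced RST close discussed in this thread can be compared from the receiving side with the following added example (not part of the original messages and not HAProxy code). It assumes that "option nolinger" corresponds to the socket-level setting SO_LINGER with a zero timeout; the function name and the loopback listener are constructed for the demo, and the `struct linger` layout used is the Linux one.

```python
import socket
import struct


def close_and_observe(abortive: bool) -> str:
    """Open a loopback TCP connection, close the connecting side, and
    report what the accepting side sees: "FIN" (orderly end of stream)
    or "RST" (connection reset)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port, constructed for the demo
    listener.listen(1)

    client = socket.create_connection(listener.getsockname())
    server_side, _ = listener.accept()
    listener.close()

    if abortive:
        # struct linger {l_onoff=1, l_linger=0} (two C ints on Linux):
        # close() drops any unsent data and emits an RST instead of a FIN,
        # so the closing socket never enters TIME_WAIT.
        client.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                          struct.pack("ii", 1, 0))
    client.close()

    server_side.settimeout(2.0)
    try:
        # An orderly close is read as end-of-stream (empty bytes).
        data = server_side.recv(1024)
        return "FIN" if data == b"" else "DATA"
    except ConnectionResetError:
        # An abortive close surfaces as ECONNRESET on the peer, which is
        # why the receiver cannot tell whether it got everything.
        return "RST"
    finally:
        server_side.close()


if __name__ == "__main__":
    print("default close :", close_and_observe(abortive=False))
    print("zero linger   :", close_and_observe(abortive=True))
```

After the default close, `netstat -anpo | grep TIME` shows the closing side's socket in TIME_WAIT once the peer has closed too, as in the output quoted above; after the zero-linger close no such entry appears.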

