Hi Scott,
On 09/07/2013 06:05, Scott J. Goldman wrote:
Hi.
I'm running HAProxy 1.5-dev19, and seeing a weird issue. Was curious if anyone
has seen this before or if perhaps my config is just wrong.
This is a common issue. By default haproxy is in 'tunnel' mode, which
means it only analyzes the headers of the first request in a connection;
everything after this is considered as pure data.
You should have a look at "option http-server-close", "option httpclose"
and "timeout http-keep-alive".
See below for comments.
In my nginx logs (where the traffic is being routed), I can see the same issue,
the same requests coming are listed from my load balancer and not the original
peer (while other requests appear fine). Here is my haproxy config:
######################
global
user haproxy
group haproxy
daemon
maxconn 16384
pidfile /var/run/haproxy.pid
stats socket /var/run/haproxy.sock level admin
defaults
balance roundrobin
mode http
retries 3
maxconn 4096
option redispatch
contimeout 300000
clitimeout 1200000
srvtimeout 1200000
listen ssl-front
mode tcp
bind 192.30.252.97:443 ssl crt zzzzzz.key
# add headers needed by various apps to detect SSL-ness
reqadd X-Forwarded-Proto:\ https if { ssl_fc }
reqadd X-Proto:\ SSL if { ssl_fc }
# Reject non HTTP traffic
tcp-request inspect-delay 5s
tcp-request content accept if HTTP
tcp-request content reject
server http-via-ssl 127.0.0.1:8090 send-proxy
I don't understand the need for this proxy, why not simply put the bind
and reqadd lines in the "http-via-ssl" line? (btw you're in tcp mode here).
listen http-front
bind 192.30.252.97:80
redirect scheme https if !{ ssl_fc }
listen http-via-ssl
bind 127.0.0.1:8090 accept-proxy
# Here, you can add the options to enable client side keep-alive
# Then haproxy will analyze each request
option http-server-close
timeout http-keep-alive 5s
# I'd suggest you to move X-Real-IP here,
# so that you don't have to remember to add it on each backend
# you will declare.
option forwardfor header X-Real-IP
acl garage hdr_end(host) -i garage.github.com
acl spider-skull-island hdr_end(host) -i spider-skull-island.github.com
acl machine-room hdr_end(host) -i machine-room.github.com
acl codeload hdr_end(host) -i codeload.github.com
acl nodeload hdr_end(host) -i nodeload.github.com
acl gist hdr_end(host) -i gist.github.com
acl github_com hdr_end(host) -i github.com
use_backend garage if garage
use_backend spider-skull-island if spider-skull-island
use_backend machine-room if machine-room
use_backend codeload if codeload
use_backend codeload if nodeload
use_backend github_com if gist
use_backend github_com if github_com
default_backend github_com
(...)
backend github_com
balance roundrobin
option forwardfor header X-Real-IP
-> To move to the frontend
server github-fe101-cp1-prd github-fe101-cp1-prd:9100 check
server github-fe102-cp1-prd github-fe102-cp1-prd:9100 check
server github-fe103-cp1-prd github-fe103-cp1-prd:9100 check
server github-fe104-cp1-prd github-fe104-cp1-prd:9100 check
backend garage
balance roundrobin
option forwardfor header X-Real-IP
-> To move to the frontend
server github-staff2-cp1-prd github-staff2-cp1-prd:9100 check
backend spider-skull-island
balance roundrobin
option forwardfor header X-Real-IP
-> To move to the frontend
server github-staff3-cp1-prd github-staff3-cp1-prd:9100 check
backend machine-room
balance roundrobin
option forwardfor header X-Real-IP
-> To move to the frontend
server github-staff4-cp1-prd github-staff4-cp1-prd:9100 check
backend codeload
balance uri
option forwardfor header X-Real-IP
-> To move to the frontend
timeout http-request 7200000
option httpchk GET /_ping HTTP/1.1\r\nHost:\ codeload.github.com
server github-arch1-cp1-prd github-arch1-cp1-prd:9999 check
server github-arch2-cp1-prd github-arch2-cp1-prd:9999 check
listen githubctl 0.0.0.0:8086
stats uri /
stats auth github:XXXXXXXXXXXXXXXXXXXX
stats hide-version
listen monitoring 0.0.0.0:8087
mode health
######################
Hoping this helps.
--
Cyril Bonté
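
The effect described in the reply above, as an added example that is not part of the original message and is not HAProxy code: a toy proxy that inserts X-Real-IP either on the first request of a keep-alive connection only (tunnel mode) or on every request, and the address a backend would log in each case. The addresses, host name, request stream and function names are constructed for the illustration.

```python
# Added illustration, not HAProxy code: a toy proxy that inserts X-Real-IP
# the way the reply describes tunnel mode versus per-request analysis.
CLIENT_IP = "203.0.113.7"   # constructed client address (documentation range)
LB_IP = "127.0.0.1"         # constructed address the backend sees as TCP peer

# Constructed sample: two GET requests sent on one keep-alive connection.
STREAM = (b"GET /a HTTP/1.1\r\nHost: example.test\r\n\r\n"
          b"GET /b HTTP/1.1\r\nHost: example.test\r\n\r\n")


def split_requests(stream):
    """Split a stream of body-less requests at the blank line ending each head."""
    return [part + b"\r\n\r\n" for part in stream.split(b"\r\n\r\n") if part]


def add_real_ip(request, ip):
    """Insert an X-Real-IP header right after the request line."""
    line, rest = request.split(b"\r\n", 1)
    return line + b"\r\nX-Real-IP: " + ip.encode() + b"\r\n" + rest


def proxy(stream, per_request):
    """Forward the stream; analyze every request or only the first one."""
    out = []
    for i, req in enumerate(split_requests(stream)):
        analyzed = per_request or i == 0   # tunnel mode: later bytes are opaque
        out.append(add_real_ip(req, CLIENT_IP) if analyzed else req)
    return b"".join(out)


def backend_log(stream):
    """Return (path, logged address) per request, as a backend would log it."""
    rows = []
    for req in split_requests(stream):
        lines = req.split(b"\r\n")
        path = lines[0].split()[1].decode()
        headers = dict(h.split(b": ", 1) for h in lines[1:] if b": " in h)
        # Without the header, the backend falls back to the TCP peer address.
        rows.append((path, headers.get(b"X-Real-IP", LB_IP.encode()).decode()))
    return rows


if __name__ == "__main__":
    print("tunnel:     ", backend_log(proxy(STREAM, per_request=False)))
    print("per-request:", backend_log(proxy(STREAM, per_request=True)))
```

In the tunnel case only /a is logged with the client address and /b shows the load balancer, which matches the symptom in the nginx logs.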