Hi, all!
Recently, we started using haproxy 1.5-dev21 in our product, and we want to get the benefit of HTTP keep-alive. But after we added the option http-keep-alive and deployed the new version of haproxy, we found that the number of connections in the FIN_WAIT_2, CLOSED and ESTABLISHED states increased quickly. When we changed to tunnel mode, it decreased.

root@Haproxy01:~ # session-count.sh
LISTEN 8
FIN_WAIT_1 245
FIN_WAIT_2 22836
SYN_SENT 46
LAST_ACK 943
CLOSING 4
CLOSE_WAIT 1151
CLOSED 21940
SYN_RCVD 11
TIME_WAIT 255
ESTABLISHED 13894

Some related configuration is below.

defaults
    #TCP SECTION
    maxconn 200000
    backlog 32768
    timeout connect 10s
    timeout client 60s
    timeout server 60s
    timeout queue 30s
    timeout check 5s
    timeout http-request 5s
    timeout http-keep-alive 10s
    timeout tunnel 3600s
    # option nolinger
    # option http-no-delay
    #HTTP SECTION
    option accept-invalid-http-request
    option accept-invalid-http-response
    option redispatch
    retries 2
    option httplog
    no option checkcache
    option http-keep-alive

######### frontend ##############
frontend tcp-in
    bind :2001 mss 1360 transparent
    mode tcp
    log global
    option tcplog
    no option http-keep-alive
    no option accept-invalid-http-request
    #distinguish HTTP and non-HTTP
    tcp-request inspect-delay 30s
    tcp-request content accept if HTTP
    #ACL DEFINE
    acl squid_incompatiable-Host hdr_reg(Host) -f /usr/local/etc/acl-define.d/squid_incompatiable-Host.txt
    #ACL DEFINE of websocket
    acl missing_host hdr_cnt(Host) eq 0
    acl has_range hdr_cnt(Range) gt 0
    acl check_SquidCluster-tos02 nbsrv(SquidCluster-tos02) 0
    #ACL DEFINE of websocket
    acl is_websocket hdr(Upgrade) -i WebSocket
    acl is_websocket hdr_beg(Host) -i ws
    acl matches_media url_reg -i -f /usr/local/etc/acl-define.d/whitelist.txt
    acl check_bk_SquidMediaCluster-tos02 nbsrv(SquidMediaCluster-tos02) 0
    #ACTION
    use_backend Direct if !HTTP
    use_backend Direct if HTTP_1.1 missing_host
    use_backend Direct if METH_CONNECT
    use_backend NginxClusterWebsockets if is_websocket
    use_backend NginxClusterNormal if HTTP squid_incompatiable-Host
    use_backend SquidMediaCluster-tos02 if HTTP matches_media !check_bk_SquidMediaCluster-tos02
    use_backend SquidCluster-tos02 if !check_SquidCluster-tos02
    default_backend Direct

backend SquidCluster-tos02
    mode http
    option forwardfor header X-Client
    balance hdr(Host)
    log global
    acl mgmt-src src -f /usr/local/etc/acl-define.d/mgmt-src.txt
    acl is_internal_error status ge 500
    #reqadd Internal-Proto:\ 02
    rspideny . if is_internal_error !mgmt-src
    rspidel ^via:.* unless mgmt-src
    rspidel ^x-cache:* unless mgmt-src
    rspidel ^x-cache-lookup:* unless mgmt-src
    rspidel ^X-Ecap:* unless mgmt-src
    source 0.0.0.0
    option httpchk GET http://www.baidu.com
    server sq-L1-n1a 192.168.138.1:3001 weight 20 check inter 5s maxconn 10000
    server sq-L1-n1b 192.168.138.1:3002 weight 20 check inter 5s maxconn 10000
    server sq-L1-n1c 192.168.138.1:3003 weight 20 check inter 5s maxconn 10000
    server sq-L1-n2a 192.168.138.2:3001 weight 20 check inter 5s maxconn 10000
    server sq-L1-n2b 192.168.138.2:3002 weight 20 check inter 5s maxconn 10000
    server sq-L1-n3a 192.168.138.3:3001 weight 20 check inter 5s maxconn 10000
    server sq-L1-n3b 192.168.138.3:3002 weight 20 check inter 5s maxconn 10000
    server sq-L1-n3c 192.168.138.3:3003 weight 20 check inter 5s maxconn 10000
    server sq-L1-n3d 192.168.138.3:3004 weight 20 check inter 5s maxconn 10000

backend Direct
    mode tcp
    log global
    option tcplog
    no option http-keep-alive
    no option httpclose
    no option http-server-close
    no option accept-invalid-http-response
    no option http-pretend-keepalive
    source 0.0.0.0 usesrc clientip
    option transparent

We also found out that the increased connections did not come from backend SquidCluster-tos02, but almost all came from backend Direct.

root@Haproxy01:~ # netstat -na|egrep "(3001|3002|3003|3004)" |wc -l
1761

Can anyone help to fix this?