Hi, all!
Recently we started using haproxy 1.5-dev21 in our product, and we want to get
the benefit of http-keep-alive. But after we added the option
http-keep-alive and deployed the new version of haproxy, we found that the
number of connections in FIN_WAIT_2, CLOSED and ESTABLISHED increased quickly. When we
changed to tunnel mode, it decreased.
root@Haproxy01:~ # session-count.sh
LISTEN 8
FIN_WAIT_1 245
FIN_WAIT_2 22836
SYN_SENT 46
LAST_ACK 943
CLOSING 4
CLOSE_WAIT 1151
CLOSED 21940
SYN_RCVD 11
TIME_WAIT 255
ESTABLISHED 13894
Some of the related configuration is shown below.
defaults
#TCP SECTION
# Connection ceiling and listen backlog inherited by every proxy below.
maxconn 200000
backlog 32768
timeout connect 10s
timeout client 60s
timeout server 60s
timeout queue 30s
timeout check 5s
timeout http-request 5s
# Maximum idle time between two requests on a kept-alive HTTP connection.
timeout http-keep-alive 10s
# Once a session becomes a tunnel (TCP mode, e.g. backend Direct), this
# supersedes timeout client/server: an idle tunnel is only reaped after an
# hour, so such sessions can accumulate for a long time.
timeout tunnel 3600s
# option nolinger
# option http-no-delay
#HTTP SECTION
# NOTE(review): these relax HTTP parsing for every proxy. frontend tcp-in
# switches the request-side one back off, but the response-side one stays on
# for the http backends. Lenient parsing on a proxy weakens its protection
# against malformed/ambiguous messages; the haproxy docs recommend keeping it
# temporary and reviewing what it lets through ("show errors" on the stats socket).
option accept-invalid-http-request
option accept-invalid-http-response
# Retry failed connections up to 2 times; redispatch allows the retry to go
# to another server than the one first chosen.
option redispatch
retries 2
option httplog
# Response cacheability checks are disabled, presumably because squid is the
# intended cache here — TODO confirm.
no option checkcache
# Keep-alive mode for the http proxies (the one the reported connection growth
# appeared with).
option http-keep-alive
######### frontend ##############
frontend tcp-in
# Transparent listener: accepts traffic for any destination address (needs
# kernel TPROXY support on this host).
bind :2001 mss 1360 transparent
mode tcp
log global
option tcplog
no option http-keep-alive
no option accept-invalid-http-request
#distinguish HTTP and non-HTTP
# Buffer client data for up to 30s while waiting to recognise an HTTP request;
# a client that sends nothing waits out the full delay and then takes the
# !HTTP path below.
tcp-request inspect-delay 30s
tcp-request content accept if HTTP
#ACL DEFINE
# (Wrapped by the mail client: the path on the next line is the -f argument.)
acl squid_incompatiable-Host hdr_reg(Host) -f
/usr/local/etc/acl-define.d/squid_incompatiable-Host.txt
#ACL DEFINE of host / range / cluster availability
acl missing_host hdr_cnt(Host) eq 0
acl has_range hdr_cnt(Range) gt 0
# True when the squid backend has no usable server left (all health checks
# failed); used below to fall through to Direct.
acl check_SquidCluster-tos02 nbsrv(SquidCluster-tos02) 0
#ACL DEFINE of websocket
# Two acl lines with the same name are OR'ed: Upgrade header OR Host starting "ws".
acl is_websocket hdr(Upgrade) -i WebSocket
acl is_websocket hdr_beg(Host) -i ws
# (Wrapped by the mail client: the path on the next line is the -f argument.)
acl matches_media url_reg -i -f
/usr/local/etc/acl-define.d/whitelist.txt
acl check_bk_SquidMediaCluster-tos02 nbsrv(SquidMediaCluster-tos02) 0
#ACTION
# First matching use_backend wins, so ordering matters. Everything that is not
# recognised HTTP, has no Host on HTTP/1.1, or is a CONNECT goes to the plain
# TCP tunnel (backend Direct) and bypasses the response filtering of the squid
# backend; the same happens for all traffic when nbsrv() of a cluster is 0.
use_backend Direct if !HTTP
use_backend Direct if HTTP_1.1 missing_host
use_backend Direct if METH_CONNECT
use_backend NginxClusterWebsockets if is_websocket
use_backend NginxClusterNormal if HTTP squid_incompatiable-Host
# (Wrapped by the mail client: the condition continues on the next line.)
use_backend SquidMediaCluster-tos02 if HTTP matches_media
!check_bk_SquidMediaCluster-tos02
use_backend SquidCluster-tos02 if !check_SquidCluster-tos02
default_backend Direct
backend SquidCluster-tos02
mode http
# Pass the client address to squid in X-Client rather than X-Forwarded-For.
option forwardfor header X-Client
# Hash on Host so a given site is always served by the same squid (cache locality).
balance hdr(Host)
log global
# Management source addresses; responses to them keep their diagnostic headers.
acl mgmt-src src -f /usr/local/etc/acl-define.d/mgmt-src.txt
# Response-side ACL: any 5xx from squid.
acl is_internal_error status ge 500
#reqadd Internal-Proto:\ 02
# '.' matches any header line, so every 5xx response to a non-management client
# is denied and replaced by haproxy's own error page — squid error details are
# not exposed to ordinary clients.
rspideny . if is_internal_error !mgmt-src
# Strip cache/proxy-revealing headers from responses to non-management clients.
rspidel ^via:.* unless mgmt-src
# NOTE: in the next three patterns the '*' quantifies the ':' (zero or more
# colons), not the rest of the line as in the via pattern above; they still
# match because the regex is not anchored at the end. "^x-cache:.*" was likely
# intended.
rspidel ^x-cache:* unless mgmt-src
rspidel ^x-cache-lookup:* unless mgmt-src
rspidel ^X-Ecap:* unless mgmt-src
# Outgoing connections use any local address (no usesrc, unlike backend Direct).
source 0.0.0.0
# Health check is a full-URL GET through each squid to an external site. If
# that site becomes unreachable from all squids, every server is marked down,
# nbsrv() drops to 0 and the frontend sends all traffic to backend Direct.
option httpchk GET http://www.baidu.com
# Server lines are wrapped by the mail client: each "maxconn 10000" belongs to
# the server line above it.
server sq-L1-n1a 192.168.138.1:3001 weight 20 check inter 5s
maxconn 10000
server sq-L1-n1b 192.168.138.1:3002 weight 20 check inter 5s
maxconn 10000
server sq-L1-n1c 192.168.138.1:3003 weight 20 check inter 5s
maxconn 10000
server sq-L1-n2a 192.168.138.2:3001 weight 20 check inter 5s
maxconn 10000
server sq-L1-n2b 192.168.138.2:3002 weight 20 check inter 5s
maxconn 10000
server sq-L1-n3a 192.168.138.3:3001 weight 20 check inter 5s
maxconn 10000
server sq-L1-n3b 192.168.138.3:3002 weight 20 check inter 5s
maxconn 10000
server sq-L1-n3c 192.168.138.3:3003 weight 20 check inter 5s
maxconn 10000
server sq-L1-n3d 192.168.138.3:3004 weight 20 check inter 5s
maxconn 10000
backend Direct
# Plain TCP relay: no HTTP processing happens here, so the http-* option lines
# below should have no effect in this mode (they only document intent).
mode tcp
log global
option tcplog
no option http-keep-alive
no option httpclose
no option http-server-close
no option accept-invalid-http-response
no option http-pretend-keepalive
# Spoof the client's source address on the outgoing connection (TPROXY);
# return traffic must be routed back through this host for that to work.
source 0.0.0.0 usesrc clientip
# No server lines: connect to the destination the client originally asked for.
# Sessions in this backend are governed by "timeout tunnel 3600s" from
# defaults rather than timeout client/server, which is a likely contributor to
# the long-lived connections reported for this backend.
option transparent
We also found that the increased connections did not come from backend
SquidCluster-tos02; almost all of them came from backend Direct.
root@Haproxy01:~ # netstat -na|egrep "(3001|3002|3003|3004)" |wc -l
1761
Can anyone help fix this?