2014-06-04 18:31 GMT+02:00 Baptiste <bed...@gmail.com>:

> On Wed, Jun 4, 2014 at 6:05 PM, Kevin Maziere <ke...@kbrwadventure.com>
> wrote:
> >
> >
> >
> > 2014-06-04 17:10 GMT+02:00 Nenad Merdanovic <ni...@nimzo.info>:
> >>
> >> Hello Kevin,
> >>
> >> On 06/04/2014 05:05 PM, Willy Tarreau wrote:
> >> > On Wed, Jun 04, 2014 at 04:49:53PM +0200, Kevin Maziere wrote:
> >> >>> Anyway, from the various reports we get, it seems like sending an
> >> >>> empty 408 message is enough to work around this abnormal Chrome
> >> >>> behaviour. For this you can proceed like this:
> >> >>>
> >> >>>      errorfile 408 /dev/null
> >> >>>
> >> >> After days of tests it appears that 408 error pages are still
> >> >> happening, but less frequently.
> >> >> I don't know how but I can see them in my logs and in my browser.
> >> >
> >> > In the logs it's perfectly normal as haproxy reports what has been
> >> > done, but in the browser, it's really not possible since the error
> >> > message was replaced with the contents of /dev/null. What might happen
> >> > is either that some requests go to another haproxy or another server
> >> > which still emits the error, or that such errors were abusively cached
> >> > by the client which reports them on closed connection.
> >> >
> >> > Regards,
> >> > Willy
> >> >
> >> >
> >>
> >> Can you post your latest configuration?
> >
> > Here is my conf:
> >
> >
> > # Configuration for haproxy1.5
> >
> > global
> >       log 127.0.0.1   local0
> >       log 127.0.0.1   local1 notice
> >       maxconn 15000
> >
> >       #debug
> >       #quiet
> >       user haproxy
> >       group haproxy
> >
> > defaults
> >         log     global
> >         mode    http
> >         option  httplog
> >         #option  dontlognull
> >         retries 5
> >         option redispatch
> >         maxconn 15000
> >         option forwardfor
> >         timeout server  30m
> >         timeout connect 5s
> >         timeout client  10s
> >         timeout http-keep-alive 5s
> >         timeout http-request 8s
> >
> > # Application Frontend
> >
> > frontend ipv4-127.0.0.1-80
> >   bind 172.16.0.1:80
> >   redirect scheme https code 301 if !{ ssl_fc }
> >
> > frontend ipv4-127.0.0.1-443
> >   bind 172.16.0.1:443 ssl crt /etc/haproxy/certs/wildcard.pem ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:RC4-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!EDH
> >   rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
> >
> >   reqadd X-Forwarded-Proto:\ https
> >   option http-server-close
> >   default_backend ipv4-80
> >
> >
> > frontend ipv4-172_16_0_126-80
> >   bind 172.16.0.126:80
> >   redirect scheme https code 301 if !{ ssl_fc }
> >
> > frontend ipv4-172_16_0_126-443
> >   bind 172.16.0.126:443 ssl crt /etc/haproxy/certs/wildcard.pem ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:RC4-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!EDH
> >   rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
> >
> >   reqadd X-Forwarded-Proto:\ https
> >   option http-server-close
> >   default_backend ipv4-80
> >
> >
> > frontend ipv6-2000_00_00_00-80
> >   bind 2000:00:00::0:80
> >   redirect scheme https code 301 if !{ ssl_fc }
> >
> > frontend ipv6-2000_00_00_00-443
> >   bind 2000:00:00::0:443 ssl crt /etc/haproxy/certs/wildcard.pem ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:RC4-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!EDH
> >   rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
> >
> >   reqadd X-Forwarded-Proto:\ https
> >   option http-server-close
> >   default_backend ipv6-80
> >
> >
> > frontend ipv6-2000_11_11_11-80
> >   bind 2000:11:11::1:80
> >   redirect scheme https code 301 if !{ ssl_fc }
> >
> > frontend ipv6-2000_11_11_11-443
> >   bind 2000:11:11::1:443 ssl crt /etc/haproxy/certs/wildcard.pem ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:RC4-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!EDH
> >   rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
> >
> >   reqadd X-Forwarded-Proto:\ https
> >   option http-server-close
> >   default_backend ipv6-80
> >
> >
> >
> >
> >
> > # Application Backend
> > backend ipv4-80
> >       balance roundrobin
> >       server pubwebsite01 172.16.0.116:80 weight 1 check inter 5000 rise 2 fall 5
> >       server pubwebsite02 172.16.0.123:80 weight 1 check inter 5000 rise 2 fall 5
> >
> > backend ipv6-80
> >       balance roundrobin
> >       server pubwebsite01 2000:22:22::22:80 weight 1 check inter 5000 rise 2 fall 5
> >       server pubwebsite02 2000:22:22::23:80 weight 1 check inter 5000 rise 2 fall 5
> >
> >
> >
> > listen admin 172.16.0.126:1234
> >       mode http
> >       stats uri /
> >
> > # For Chrome : https://code.google.com/p/chromium/issues/detail?id=85229#c33 and ML haproxy
> > errorfile 408 /dev/null
> >
> >>
> >> Regards,
> >> --
> >> Nenad Merdanovic | PGP: 0x423edcb2 | Web: http://nimzo.info
> >> Linkedin: http://www.linkedin.com/in/nenadmerdanovic
> >
> >
>
>
> Kevin,
>
> You should add this directive in your defaults section:
>  errorfile 408 /dev/null
>
> Cause in your current configuration it applies to your stats page only!
>

Oh, I missed that. Thanks a lot.

Kévin

>  Baptiste
>
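
Added example, not part of the original messages: a small Python check of the point Baptiste makes above, reporting which client-facing sections actually pick up `errorfile 408 /dev/null`. It assumes HAProxy's rule that a defaults section applies to the proxies declared after it; the sample configuration is constructed (condensed from the one quoted in the thread) and the function names are hypothetical.

```python
SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}

def effective_errorfile(config_text, code="408"):
    """Map each frontend/listen name to the errorfile path in effect for `code`.
    A defaults section applies to the proxies declared after it (until the next
    defaults); a proxy's own directive overrides it. None = stock error page."""
    inherited = None   # value set by the most recent defaults section
    current = None     # (kind, name) of the section being read
    result = {}
    for raw in config_text.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not words:
            continue
        if words[0] in SECTIONS:
            kind, name = words[0], (words[1] if len(words) > 1 else "")
            current = (kind, name)
            if kind == "defaults":
                inherited = None               # a new defaults resets the old one
            elif kind in ("frontend", "listen"):
                result[name] = inherited
        elif words[:2] == ["errorfile", code] and len(words) >= 3 and current:
            if current[0] == "defaults":
                inherited = words[2]
            elif current[0] in ("frontend", "listen"):
                result[current[1]] = words[2]
    return result

def unprotected(config_text):
    """Names of client-facing sections that would still send the stock 408 page."""
    return sorted(n for n, p in effective_errorfile(config_text).items() if p is None)

# Constructed sample, condensed from the configuration quoted in the thread.
BEFORE = """\
defaults
    mode http
frontend ipv4-127.0.0.1-443
    bind 172.16.0.1:443
    default_backend ipv4-80
listen admin 172.16.0.126:1234
    stats uri /
# unindented, but still inside "listen admin": a section ends at the next keyword
errorfile 408 /dev/null
"""
# Corrected placement: the directive goes in the defaults section.
AFTER = BEFORE.replace("    mode http\n", "    mode http\n    errorfile 408 /dev/null\n")

if __name__ == "__main__":
    print("before:", unprotected(BEFORE))
    print("after: ", unprotected(AFTER))
```
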
