2014-06-04 18:31 GMT+02:00 Baptiste <bed...@gmail.com>: > On Wed, Jun 4, 2014 at 6:05 PM, Kevin Maziere <ke...@kbrwadventure.com> > wrote: > > > > > > > > 2014-06-04 17:10 GMT+02:00 Nenad Merdanovic <ni...@nimzo.info>: > >> > >> Hello Kevin, > >> > >> On 06/04/2014 05:05 PM, Willy Tarreau wrote: > >> > On Wed, Jun 04, 2014 at 04:49:53PM +0200, Kevin Maziere wrote: > >> >>> Anyway, from the various reports we get, it seems like sending an > >> >>> empty > >> >>> 408 message is enough to workaround this abnormal Chrome behaviour. > >> >>> For > >> >>> this you can proceed like this : > >> >>> > >> >>> errorfile 408 /dev/null > >> >>> > >> >>> After days of tests it appears that 408 error page are still > appening, > >> >>> but > >> >> less frequently. > >> >> I don't know how but I can see them on my logs and on my browser. > >> > > >> > In the logs it's perfectly normal as haproxy reports what has been > done, > >> > but in the browser, it's really not possible since the error message > was > >> > replaced with the contents of /dev/null. What might happen is either > >> > that > >> > some requests go to another haproxy or another server which still > emits > >> > the error, or that such errors were abusively cached by the client > which > >> > reports them on closed connection. > >> > > >> > Regards, > >> > Willy > >> > > >> > > >> > >> Can you post your latest configuration? > >> Here is my conf : > > > > > > # Configuration for haproxy1.5 > > > > global > > log 127.0.0.1 local0 > > log 127.0.0.1 local1 notice > > maxconn 15000 > > > > #debug > > #quiet > > user haproxy > > group haproxy > > > > defaults > > log global > > mode http > > option httplog > > #option dontlognull > > retries 5 > > option redispatch > > maxconn 15000 > > option forwardfor > > timeout server 30m > > timeout connect 5s > > timeout client 10s > > timeout http-keep-alive 5s > > timeout http-request 8s > > > > # Application Frontend > > > > frontend ipv4-127.0.0.1-80 > > bind 172.16.0.1:80 > > redirect scheme https code 301 if !{ ssl_fc } > > > > frontend ipv4-127.0.0.1-443 > > bind 172.16.0.1:443 ssl crt /etc/haproxy/certs/wildcard.pem ciphers > > > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:RC4-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!EDH > > rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains > > > > reqadd X-Forwarded-Proto:\ https > > option http-server-close > > default_backend ipv4-80 > > > > > > frontend ipv4-172_16_0_126-80 > > bind 172.16.0.126:80 > > redirect scheme https code 301 if !{ ssl_fc } > > > > frontend ipv4-172_16_0_126-443 > > bind 172.16.0.126:443 ssl crt /etc/haproxy/certs/wildcard.pem ciphers > > > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:RC4-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!EDH > > rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains > > > > reqadd X-Forwarded-Proto:\ https > > option http-server-close > > default_backend ipv4-80 > > > > > > frontend ipv6-2000_00_00_00-80 > > bind 2000:00:00::0:80 > > redirect scheme https code 301 if !{ ssl_fc } > > > > frontend ipv6-2000_00_00_00-443 > > bind 2000:00:00::0:443 ssl crt /etc/haproxy/certs/wildcard.pem ciphers > > > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:RC4-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!EDH > > rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains > > > > reqadd X-Forwarded-Proto:\ https > > option http-server-close > > default_backend ipv6-80 > > > > > > frontend ipv6-2000_11_11_11-80 > > bind 2000:11:11::1:80 > > redirect scheme https code 301 if !{ ssl_fc } > > > > frontend ipv6-2000_11_11_11-443 > > bind 2000:11:11::1:443 ssl crt /etc/haproxy/certs/wildcard.pem ciphers > > > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:RC4-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!EDH > > rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains > > > > reqadd X-Forwarded-Proto:\ https > > option http-server-close > > default_backend ipv6-80 > > > > > > > > > > > > # Application Backend > > backend ipv4-80 > > balance roundrobin > > server pubwebsite01 172.16.0.116:80 weight 1 check inter 5000 > rise 2 > > fall 5 > > server pubwebsite02 172.16.0.123:80 weight 1 check inter 5000 > rise 2 > > fall 5 > > > > backend ipv6-80 > > balance roundrobin > > server pubwebsite01 2000:22:22::22:80 weight 1 check inter 5000 > rise 2 > > fall 5 > > server pubwebsite02 2000:22:22::23:80 weight 1 check inter 5000 > rise 2 > > fall 5 > > > > > > > > listen admin 172.16.0.126:1234 > > mode http > > stats uri / > > > > # For Chrome : > https://code.google.com/p/chromium/issues/detail?id=85229#c33 > > and ML haproxy > > errorfile 408 /dev/null > > > >> > >> Regards, > >> -- > >> Nenad Merdanovic | PGP: 0x423edcb2 | Web: http://nimzo.info > >> Linkedin: http://www.linkedin.com/in/nenadmerdanovic > > > > > > > Kevin, > > You should add this directive in your defaults section: > errorfile 408 /dev/null > > Cause in your current configuration it applies to your stats page only! > > ho, I miss that. Thanks a lot.
Kévin > Baptiste >