Hello,
I am running haproxy version 1.5.11 on EC2 instances behind an AWS load balancer.
Lately I am noticing a lot of 503 forbidden logs with "SC" as the termination state, due to a "nosrv" error.
My backend servers (which are behind an ELB of their own) are all healthy and responsive.
Moreover, I set up a loop that checks port 80 between haproxy and the backend servers, and it never failed; it was checking the connection every 10 ms.
This is a log sample:
Mar 10 10:33:50 api haproxy[1056]: 172.16.100.169:15235 [10/Mar/2015:10:33:50.905] API API/<NOSRV> 8/-1/-1/-1/8 503 213 - - SC-- 79/79/0/0/0 0/0 {177.103.215.19|Dalvik/1.6.0 (Linux; U; Android 4.4.4; XT1032 Build/KXB21.14-L1.} "POST /api/v2.3/androidevent?buildnumber=1.10 HTTP/1.1"

And this is my current config:
global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        maxconn 65000
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL).
        ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
        ssl-default-bind-options no-sslv3

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 10000
        timeout client  50000
        timeout server  50000
        # users which we are redirecting nowhere, for example rejected ones, will die in 50 ms
        timeout tarpit  50
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http
        balance roundrobin
        # keeps keep-alive between client and proxy but disables it between proxy and backend
        option http-server-close
        option forwardfor
        option redispatch
        retries 99

frontend API
        bind *:80
        maxconn 60000
        # Blacklist: deny access to some IPs before anything else is checked
        tcp-request content reject if { src -f /etc/haproxy/blacklist.lst }
        http-request set-header X-custom-http-scheme %[hdr(X-Forwarded-Proto)]
        stick-table type ip size 500k expire 30s store conn_cur,conn_rate(10s),http_req_rate(10s),http_err_rate(10s)
        option http-server-close
        # elb logs public ips
        capture request header X-Forwarded-For len 50
        capture request header User-Agent len 64
        acl network_allowed src x.x.x.x
        acl restricted_page path_beg /restricted
        http-request deny if restricted_page !network_allowed
        # direct uris to the proper elb
        acl uri_api path_beg /api
        acl uri_wdev path_beg /wdev
        acl uri_staging path_beg /staging
        use_backend api if uri_api
        use_backend wdev if uri_wdev
        use_backend staging if uri_staging
        default_backend API

backend API
        server API  ELB_CNAME:80 check

backend wdev
        server wdev  ELB_CNAME:80 check

backend staging
        server staging  ELB_CNAME:80 check
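The termination state and the timer fields in that log line say what HAProxy was doing when it answered 503: in the HAProxy 1.5 httplog format the five timers are Tq/Tw/Tc/Tr/Tt, `-1` means that phase was never reached, and `SC--` together with `Tc = -1` and the server field `<NOSRV>` means no connection attempt was made to any server of that backend. The parser below is an added example, not code from the post or from the HAProxy project; it reads httplog records that carry the two captured request headers the posted config adds (X-Forwarded-For, then User-Agent, inside `{...}`), decodes the termination state and counts `<NOSRV>` records per backend. The first sample line is the one from the post; the second, successful one is constructed for the example.

```python
import re
from collections import Counter

# HAProxy 1.5 "option httplog" record as it appears after the syslog prefix
# ("Mar 10 10:33:50 api haproxy[1056]: "). The optional {...} group holds the
# request headers captured by "capture request header", in config order.
HTTPLOG_RE = re.compile(
    r'^(?P<client_ip>[^:\s]+):(?P<client_port>\d+) '
    r'\[(?P<accept_date>[^\]]+)\] '
    r'(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<Tq>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Tt>-?\d+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) '
    r'(?P<req_cookie>\S+) (?P<resp_cookie>\S+) '
    r'(?P<term_state>\S{4}) '
    r'(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srv_conn>\d+)/(?P<retries>\d+) '
    r'(?P<srv_queue>\d+)/(?P<backend_queue>\d+) '
    r'(?:\{(?P<captured>[^}]*)\} )?'
    r'"(?P<request>[^"]*)"\s*$'
)
SYSLOG_PREFIX_RE = re.compile(r'^.*?haproxy\[\d+\]: ')

# Meaning of the first two termination-state characters (HAProxy docs, section 8.5).
FIRST_CHAR = {
    'C': 'session aborted by the client',
    'S': 'session aborted or refused by the server, or no server usable',
    'P': 'session aborted by the proxy (deny rule, internal error)',
    'R': 'a proxy resource was exhausted',
    'I': 'internal error in the proxy',
    'D': 'killed because the server was detected as down',
    'c': 'client-side timeout',
    's': 'server-side timeout',
    '-': 'normal completion',
}
SECOND_CHAR = {
    'R': 'waiting for a complete REQUEST from the client',
    'Q': 'waiting in the QUEUE for a connection slot',
    'C': 'waiting for the CONNECTION to the server to establish',
    'H': 'waiting for or processing the response HEADERS',
    'D': 'transferring DATA from server to client',
    'L': 'transmitting LAST data to the client',
    'T': 'client held in the TARPIT',
    '-': 'normal completion',
}

# Sample input: the line from the post, then one constructed successful request.
SAMPLE_LINES = [
    'Mar 10 10:33:50 api haproxy[1056]: 172.16.100.169:15235 [10/Mar/2015:10:33:50.905] '
    'API API/<NOSRV> 8/-1/-1/-1/8 503 213 - - SC-- 79/79/0/0/0 0/0 '
    '{177.103.215.19|Dalvik/1.6.0 (Linux; U; Android 4.4.4; XT1032 Build/KXB21.14-L1.} '
    '"POST /api/v2.3/androidevent?buildnumber=1.10 HTTP/1.1"',
    # constructed for this example
    'Mar 10 10:33:51 api haproxy[1056]: 172.16.100.170:40112 [10/Mar/2015:10:33:51.120] '
    'API API/API 5/0/2/41/48 200 512 - - ---- 78/78/1/1/0 0/0 '
    '{203.0.113.7|Dalvik/1.6.0 (Linux; U; Android 4.4.4)} "GET /api/v2.3/status HTTP/1.1"',
]


def parse_httplog(line):
    """Parse one httplog line into a dict; timers become ints (-1 = phase never reached)."""
    body = SYSLOG_PREFIX_RE.sub('', line.strip(), count=1)
    m = HTTPLOG_RE.match(body)
    if m is None:
        raise ValueError('not an httplog line: %r' % line)
    rec = m.groupdict()
    for key in ('Tq', 'Tw', 'Tc', 'Tr', 'Tt', 'status', 'bytes', 'retries', 'actconn',
                'feconn', 'beconn', 'srv_conn', 'srv_queue', 'backend_queue'):
        rec[key] = int(rec[key])
    # captured headers are "|"-separated, in the order of the capture directives
    rec['captured'] = rec['captured'].split('|') if rec['captured'] is not None else []
    return rec


def decode_termination(term_state):
    """Return (why the session ended, what HAProxy was doing at that moment)."""
    return (FIRST_CHAR.get(term_state[0], 'unknown'),
            SECOND_CHAR.get(term_state[1], 'unknown'))


def is_nosrv(rec):
    """True when HAProxy picked no server and never attempted a connection (Tc == -1)."""
    return rec['server'] == '<NOSRV>' and rec['Tc'] == -1


def nosrv_summary(lines):
    """Count <NOSRV> records per backend, skipping lines that are not httplog records."""
    counts = Counter()
    for line in lines:
        try:
            rec = parse_httplog(line)
        except ValueError:
            continue
        if is_nosrv(rec):
            counts[rec['backend']] += 1
    return counts


if __name__ == '__main__':
    for line in SAMPLE_LINES:
        rec = parse_httplog(line)
        print(rec['backend'], rec['server'], rec['status'], rec['term_state'],
              decode_termination(rec['term_state']), rec['captured'][0])
    print(dict(nosrv_summary(SAMPLE_LINES)))
```

Running the summary over a day of logs, bucketed by timestamp, shows whether the `<NOSRV>` records cluster in short bursts (a server flapping DOWN/UP in the health check, visible with `show stat` on the admin socket) or are spread evenly; the per-record backend name also lets one confirm that each request landed in the backend the `use_backend` rules intend (the posted line shows `API API/<NOSRV>`, i.e. backend `API`).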