Certainly,

```
[~]$ haproxy -vv
HA-Proxy version 1.5.14 2015/07/02
Copyright 2000-2015 Willy Tarreau <wi...@haproxy.org>

Build options :
  TARGET = linux26
  CPU = generic
  CC = gcc
  CFLAGS = -m64 -march=x86-64 -O2 -g -fno-strict-aliasing
  OPTIONS = USE_ZLIB=yes USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.3
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 7.8 2008-09-05
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IP_FREEBIND

Available polling systems :
  epoll : pref=300, test result OK
  poll : pref=200, test result OK
  select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
```

And the config:

```
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    maxconn 200000
    tune.ssl.default-dh-param 1024
    nbproc 20

defaults
    log global
    mode http
    compression algo gzip
    compression type text/html text/plain
    retries 3
    timeout client 400s
    timeout connect 5s
    timeout server 400s
    timeout tunnel 400s
    option abortonclose
    option redispatch
    option tcpka
    option http-keep-alive
    timeout http-keep-alive 15s
    balance leastconn

listen admin
    bind 192.0.2.200:901
    mode http
    stats uri /
    stats enable

frontend main
    option httplog
    capture request header CF-Connecting-IP len 64
    capture request header CF-Ray len 64
    bind 192.0.2.100:80
    bind 192.0.2.100:443 ssl crt /etc/ssl/certs/example.com ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!DH no-sslv3
    maxconn 120000
    reqidel ^x-forwarded-for:.*
    reqidel ^client-ip:.*
    acl static_asset_url url_beg /static/assets
    use_backend example_s3_static_backend if static_asset_url
    acl some_url url_beg /something
    use_backend some_backend if some_url
    redirect scheme https code 301 if !{ ssl_fc }
    acl prod_is_down nbsrv(main_backend) lt 1
    use_backend status_page if prod_is_down
    default_backend main_backend

backend some_backend
    option forwardfor
    option httplog
    reqirep ([\w:]+\s)(\/[\w\d]+)(\/.*) \1\ \3
    option httpchk GET /healthcheck
    server somenode01 192.0.2.1:8282 weight 10 slowstart 1m maxconn 8192 check
    server somenode02 192.0.2.2:8282 weight 10 slowstart 1m maxconn 8192 check

backend main_backend
    option forwardfor
    option httplog
    fullconn 132000
    http-check expect status 200
    cookie SERVERID insert indirect nocache
    option httpchk GET /healthcheck
    server mainnode01 192.0.2.11:443 weight 10 slowstart 1m maxconn 8192 check check-ssl ssl verify none cookie ID1
    server mainnode02 192.0.2.12:443 weight 10 slowstart 1m maxconn 8192 check check-ssl ssl verify none cookie ID2
    server mainnode03 192.0.2.13:443 weight 10 slowstart 1m maxconn 8192 check check-ssl ssl verify none cookie ID3

backend example_s3_static_backend
    option forwardfor
    option httplog
    reqirep ^Host: Host:\ example-static.s3.amazonaws.com
    reqirep ^([^\ :]*)\ (/[^/]+/[^/]+)(.*) \1\ \3
    reqidel ^Authorization:.*
    rspidel ^x-amz-id-2:.*
    rspidel ^x-amz-request-id:.*
    rspidel ^Server:.*
    server aws_s3 example-static.s3-us-west-2.amazonaws.com:443 weight 10 slowstart 1m maxconn 8192 check check-ssl ssl verify required ca-file /etc/ssl/certs/ca-bundle.crt inter 60s

backend status_page
    redirect location http://unavailable.example.com code 307
```

On Thu, Sep 17, 2015 at 12:18 AM, Aleksandar Lazic <al-hapr...@none.at> wrote:

> Hi John.
>
> On 17-09-2015 07:03, John Skarbek wrote:
>
>> Good Morning!
>>
>> So recently I went into battle between our CDN provider and our
>> application team due to some HTTP400's coming from somewhere. At first
>> I never suspected haproxy to be at fault due to the way I was grokking
>> our logs. The end result is that I discovered haproxy doesn't log the
>> GET request, but rather only logs a `BADREQ` with a termination state of
>> `PR--`. Which based on reading documentation haproxy isn't going to log
>> a 414, but instead a 400. I ponder if this is due to something being
>> truncated forcing haproxy to see a malformed request.
>>
>> Digging into documentation, I glossed over the fact that the default
>> buffer size isn't 16k, but actually a lower 8192. Unfortunately my
>> fault, reading quickly got me to this point. But due to reading further
>> the following statement is where I finally have a question; under the
>> config item tune.maxrewrite:
>>
>> "...It is generally wise to set it to about 1024. It is automatically
>> readjusted to half of bufsize if it is larger than that. This means you
>> don't have to worry about it when changing bufsize"
>>
>
> Please can you post the output of haproxy -vv and the anonymized
> configuration, thanks.
>
> [snipp]
>
> BR Aleks
>

--
John T Skarbek | jskar...@rallydev.com
Infrastructure Engineer, Engineering
1101 Haynes Street, Suite 105, Raleigh, NC 27604
720.921.8126 Office
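
An added example, not part of the original thread and not HAProxy code: it applies the tune.maxrewrite readjustment rule quoted above to the `bufsize = 16384, maxrewrite = 8192` build defaults from the `haproxy -vv` output and checks whether a request head fits in what remains. It assumes, per HAProxy's tune.bufsize documentation, that a request larger than bufsize minus maxrewrite is answered with a 400; the sample request and the alternative tunings are constructed.

```python
# Added illustration, not code from the thread or from HAProxy.
# Assumption (HAProxy tune.bufsize documentation): a request larger than
# bufsize - maxrewrite is rejected with a 400.

def effective_maxrewrite(bufsize, maxrewrite):
    """Apply the readjustment quoted in the thread: cap at half of bufsize."""
    return min(maxrewrite, bufsize // 2)


def read_budget(bufsize, maxrewrite):
    """Bytes available for the request line plus headers."""
    return bufsize - effective_maxrewrite(bufsize, maxrewrite)


def head_size(raw):
    """Length of request line + headers, including the closing blank line."""
    end = raw.find(b"\r\n\r\n")
    if end == -1:
        raise ValueError("request head is incomplete")
    return end + 4  # a body after the blank line is not counted


def fits(raw, bufsize, maxrewrite):
    return head_size(raw) <= read_budget(bufsize, maxrewrite)


# Constructed sample: a request carrying a 9000-byte cookie.
SAMPLE = (
    b"GET /static/assets/app.js HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Cookie: session=" + b"a" * 9000 + b"\r\n"
    b"\r\n"
)

# (label, bufsize, maxrewrite); the first row is the "Default settings" line
# of the haproxy -vv output, the other two are hypothetical tunings.
SETTINGS = [
    ("build defaults", 16384, 8192),
    ("maxrewrite 1024", 16384, 1024),
    ("maxrewrite above bufsize/2", 16384, 20000),
]


def evaluate(raw=SAMPLE, settings=SETTINGS):
    """Return (label, budget, fits) for each setting."""
    return [(label, read_budget(b, m), fits(raw, b, m)) for label, b, m in settings]


if __name__ == "__main__":
    print("request head:", head_size(SAMPLE), "bytes")
    for label, budget, ok in evaluate():
        print(f"{label:28} budget={budget:5} {'fits' if ok else 'too large'}")
```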