On Wed, Oct 28, 2015 at 12:13 AM, Baptiste <bed...@gmail.com> wrote:
> On Tue, Oct 27, 2015 at 11:44 AM, Ben Tisdall <ben.tisd...@photobox.com> wrote:
>> Hi and thanks for a great load balancer. We're developing a much more
>> complex proxy ruleset and being able to switch back to haproxy now
>> that it supports DNS resolution was a huge relief!
>>
>> Unfortunately DNS resolution is not doing what I expect given the
>> configuration. When the downstream ELB to which the server points
>> switches IP addresses, the backend is failing with a L4 timeout on the
>> check. DNS queries are being made, see:
>> https://gist.github.com/btisdall/31b57b57fee19dc79637
>>
>> This is the output of "show stat resolvers":
>>
>> Resolvers section aws
>>  nameserver aws_0:
>>   sent: 2892976
>>   valid: 2887729
>>   update: 0
>>   cname: 0
>>   cname_error: 0
>>   any_err: 0
>>   nx: 0
>>   timeout: 0
>>   refused: 0
>>   other: 0
>>   invalid: 2887729
>>   too_big: 0
>>   truncated: 0
>>   outdated: 0
>>
>> Note that "valid" and "invalid" counts increase in exact step.
>> Switching to "resolve-prefer ipv4" had no effect on this.
>>
>> Config
>> =====
>>
>> resolvers aws
>>   nameserver aws_0 10.111.0.2:53
>>
>> # ...
>>
>> server myserver some-server.example.com:80 check resolvers aws
>>
>> Build Options
>> ==========
>>
>> HA-Proxy version 1.6.1 2015/10/20
>> Copyright 2000-2015 Willy Tarreau <wi...@haproxy.org>
>>
>> Build options :
>>   TARGET  = linux2628
>>   CPU     = generic
>>   CC      = gcc
>>   CFLAGS  = -g -O2 -fstack-protector --param=ssp-buffer-size=4
>> -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2
>>   OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1
>>
>> Default settings :
>>   maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
>>
>> Encrypted password support via crypt(3): yes
>> Built with zlib version : 1.2.8
>> Compression algorithms supported : identity("identity"),
>> deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
>> Built with OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
>> Running on OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
>> OpenSSL library supports TLS extensions : yes
>> OpenSSL library supports SNI : yes
>> OpenSSL library supports prefer-server-ciphers : yes
>> Built with PCRE version : 8.31 2012-07-06
>> PCRE library supports JIT : no (USE_PCRE_JIT not set)
>> Built with Lua version : Lua 5.3.1
>> Built with transparent proxy support using: IP_TRANSPARENT
>> IPV6_TRANSPARENT IP_FREEBIND
>>
>> Available polling systems :
>>       epoll : pref=300,  test result OK
>>        poll : pref=200,  test result OK
>>      select : pref=150,  test result OK
>> Total: 3 (3 usable), will use epoll.
>>
>> Regards,
>>
>> --
>> Ben
>>
>
> Hi Ben,
>
> I can't reproduce the problem with the git version.
> I'll try with 1.6.1, but the DNS code is supposed to be the same between
> both versions for now.
>
> I've set up the following Amazon lab:
> - 1 instance with HAProxy running, pointing to 1 ELB
> - 1 ELB instance taking traffic from the haproxy above and
>   load-balancing haproxy's stats page from the above server
> - 1 instance to inject traffic on the ELB to force it to change its IP
>   address after a few minutes
>
> HTTP stream is like: public > haproxy:8080 > elb:80 > haproxy:80
> It works like a charm.
> I triggered a DNS change on the ELB by massively injecting traffic and
> here is the output of DNS stats:
>
> Resolvers section aws
>  nameserver aws1:
>   sent: 95
>   valid: 95
>   update: 1
>   cname: 0
>   cname_error: 0
>   any_err: 0
>   nx: 0
>   timeout: 0
>   refused: 0
>   other: 0
>   invalid: 0
>   too_big: 0
>   truncated: 0
>   outdated: 0
>
>
> Here is my configuration:
>
> global
>   daemon
>   log 127.0.0.1:514 local0 info
>   stats socket /tmp/socket level admin
>   stats timeout 10m
>
> resolvers aws
>   nameserver aws1 172.31.0.2:53
>
> defaults HTTP
>   mode http
>   timeout client 10s
>   timeout connect 4s
>   timeout server 10s
>
> frontend f
>   bind :8080
>   default_backend b
>
> backend b
>   server s ${LBNAME}:80 check resolvers aws resolve-prefer ipv4
>
> frontend s
>   bind :80
>   stats enable
>   stats uri /stats
>   stats show-legends
>   http-request redirect location /stats if { path / }
>
>
> Please take a real pcap file using tcpdump and send it to me privately.
>
> You also seem to use a CNAME which points to your ELB amazon name.
> Could you let me know how you set this up, so I can try to reproduce
> the issue in my lab?
>
> Maybe the CNAME parsing is broken.
>
> Baptiste
Ok, I use my personal domain name to create a CNAME pointing to my internal ELB name and I can now reproduce the problem:

Resolvers section aws
 nameserver aws1:
  sent: 10485
  valid: 10469
  update: 0
  cname: 0
  cname_error: 0
  any_err: 0
  nx: 12
  timeout: 0
  refused: 0
  other: 0
  invalid: 10469
  too_big: 0
  truncated: 0
  outdated: 0

Now, let's dig in there :)

Baptiste
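Added illustration of the CNAME hypothesis the thread is chasing (example code, not from the thread and not HAProxy's resolver): a minimal DNS wire-format builder and parser. A query for the server name gets back "<name> CNAME <elb-name>" followed by the ELB's A records; a parser that only accepts records whose owner matches the queried name finds nothing usable, while one that hops to the CNAME target recovers the addresses. The query name some-server.example.com is taken from Ben's config; the ELB target name and addresses are made up.

```python
import struct
# Constructed example: an A-query response for a name that is a CNAME to an ELB name; all values made up.

def _name(dotted):
    """Encode a dotted name in uncompressed DNS wire format."""
    return b"".join(bytes([len(l)]) + l.encode() for l in dotted.split(".")) + b"\x00"

def _rr(owner, rtype, rdata, ttl=60):
    return _name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata  # class IN

def build_response(qname, cname_target, addrs):
    """Answer section: <qname> CNAME <cname_target>, then one A record per address."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1 + len(addrs), 0, 0)
    question = _name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = _rr(qname, 5, _name(cname_target))
    for a in addrs:
        answers += _rr(cname_target, 1, bytes(int(x) for x in a.split(".")))
    return hdr + question + answers

def _read_name(msg, off):
    """Decode the name at msg[off], following RFC 1035 compression pointers."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(_read_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode())
        off += 1 + ln

def resolve_a(msg, qname, follow_cname=True):
    """Return the A addresses usable for qname; [] means no usable answer."""
    ancount = struct.unpack("!H", msg[6:8])[0]
    _, off = _read_name(msg, 12)
    off += 4  # skip QTYPE and QCLASS
    wanted, ips = qname.lower(), []
    for _ in range(ancount):
        owner, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rd_off, off = off + 10, off + 10 + rdlen
        if owner.lower() != wanted:
            continue  # record is about some other name
        if rtype == 5 and follow_cname:
            wanted = _read_name(msg, rd_off)[0].lower()  # hop to the CNAME target
        elif rtype == 1:
            ips.append(".".join(str(b) for b in msg[rd_off:rd_off + 4]))
    return ips
```

Running resolve_a on the same response with follow_cname=False returns an empty list, which is the "no usable record for this server name" outcome a resolver would have to count as an invalid or unusable response.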