On 01/03/2016 9:57 PM, "Zoltan Lorincz" <zol...@gmail.com> wrote:
>
> Hi all,
>
> I am very new to haproxy. I read through all the docs but I think something is wrong with my configuration, because if we connect directly to Tomcat we don't get any 502 errors.
>
> The errors from haproxy look like this.
>
> Mar 1 11:41:37 www1 haproxy[15362]: xx.xx.xx.xx:56387 [01/Mar/2016:11:41:35.480] https-in~ servers/www1a 1987/0/0/-1/2029 502 8878 - - PH-- 1764/1758/46/26/0 0/0 "POST /abc/test/b25766378a05446496645649e2ddaf7a/poll HTTP/1.1"
>
> Tomcat connector config:
> -------------------------------------------------------------------------------------------
> <Connector
>     URIEncoding = "UTF-8"
>     port = "8080"
>     protocol = "HTTP/1.1"
>     maxThreads = "1850"
>     connectionTimeout = "900000"
>     keepAliveTimeout = "900000"
>     maxKeepAliveRequests = "-1"
>     redirectPort = "8443" />
> -------------------------------------------------------------------------------------------

I have tomcat8 running behind SSL-terminating haproxy but my connector is configured like this:

<Connector port="8080" protocol="HTTP/1.1" proxyPort="443" scheme="https" secure="true" connectionTimeout="20000" URIEncoding="UTF-8" redirectPort="8443" />

which is a common way to tell Tomcat that, although it receives plain traffic, the response URLs need to be https.

> Haproxy config:
> -------------------------------------------------------------------------------------------
> global
>     log /dev/log local0
>     log /dev/log local1 notice
>     chroot /var/lib/haproxy
>     stats socket /run/haproxy/admin.sock mode 777 level admin
>     stats timeout 30s
>     user haproxy
>     group haproxy
>     daemon
>
>     # Per process limit: The default is 2000, too small for us
>     maxconn 18000
>     # Increase the cache from 20000 (default), higher values reduce CPU usage
>     tune.ssl.cachesize 60000
>
>     # Default SSL material locations
>     ca-base /etc/ssl/certs
>     crt-base /etc/ssl/private
>
>     # Default ciphers to use on SSL-enabled listening sockets.
>     # For more information, see ciphers(1SSL).
>     ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
>     ssl-default-bind-options no-sslv3 no-tls-tickets
>
> defaults
>     log global
>     mode http
>     option httplog
>     option http-server-close
>     option forwardfor
>     option dontlognull
>     # Set the listen limit: The default is 2000, too small for us
>     maxconn 9000
>
>     # we should fix this
>     option accept-invalid-http-response
>     option accept-invalid-http-request
>     no option checkcache
>
>     timeout connect 80000
>     timeout client 900000
>     timeout server 500000
>
>     errorfile 400 /etc/haproxy/errors/400.http
>     errorfile 403 /etc/haproxy/errors/403.http
>     errorfile 408 /etc/haproxy/errors/408.http
>     errorfile 500 /etc/haproxy/errors/500.http
>     errorfile 502 /etc/haproxy/errors/502.http
>     errorfile 503 /etc/haproxy/errors/503.http
>     errorfile 504 /etc/haproxy/errors/504.http
>
> frontend http-in
>     bind *:80
>
>     # Skip the message broker from redirection
>     acl skip_pages path_reg ^/([\w]{2}/)?(message|yrf-laps)/(.*)
>
>     # Redirect all subdomains to www.
>     redirect prefix https://www.example.com code 301 if !{ hdr_beg(host) -i www. }
>
>     # Redirect all traffic to https
>     redirect scheme https if !skip_pages !{ ssl_fc }
>     default_backend servers
>
> frontend https-in
>     # add no-tlsv10 for disabling tls 1.0
>     bind *:443 ssl crt /etc/ssl/private/www_example_com.pem
>
>     default_backend servers
>     # Redirect all subdomains to www.
>     redirect prefix https://www.example.com code 301 if !{ hdr_beg(host) -i www. }
>
> backend servers
>
>     # Skip the cre redirect
>     acl stage_cre_redirect shdr_beg(Location) http://stage.cre.com
>     acl cre_redirect shdr_beg(Location) http://www.cre.com
>
>     # Skip the blog.example.com redirect
>     acl blog_redirect shdr_beg(Location) http://blog.example.com
>
>     # Rewrite the response location (for redirect cases)
>     rspirep ^Location:\ http://(.*) Location:\ https://\1 if !cre_redirect !stage_cre_redirect !blog_redirect { ssl_fc }
>     # Every connection is closed and opened to the server
>     option http-server-close
>
>     # Recommended to enable
>     option http-pretend-keepalive
>     # The url to check the backend servers health
>     option httpchk GET /srvstatus.htm
>
>     # Balancing
>     balance roundrobin
>     appsession JSESSIONID len 52 timeout 3h request-learn prefix
>     stick-table type string len 32 size 1M expire 3h
>     # We have 3 backend servers, one is for backup
>     server www1a 127.0.0.1:8080 check
>     server www2a xx.xx.xx.xx:8080 check
>     server www1b 127.0.0.1:8081 check backup
> --------------------------------------------------------------------------------------------------------------
>
> Sorry about the long haproxy config file. I was not sure which part is relevant to this error.
> I would appreciate any pointers you could give me.
>
> Thank you,
> Zoltan.
>
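The log line quoted above already says where the 502 came from, if the fields are read in order. With `option httplog` the timers are Tq/Tw/Tc/Tr/Tt and the four-letter field after the cookie captures is the termination state; `PH--` means the proxy (P) ended the session while handling the server's response headers (H), i.e. haproxy itself rejected the backend's response (invalid or incomplete headers, or a response rule blocking it) and generated the 502, which is consistent with Tr being -1 while Tc is 0. The script below is an added example for this thread, not code from the post or from the HAProxy project: it parses the default HAProxy 1.5/1.6 httplog layout, decodes the termination state, and tallies 5xx lines per backend server. The first sample line is the one from the post; the other two are constructed for contrast.

```python
"""Parse HAProxy ``option httplog`` lines and decode the termination state.

Added example, not code from the original thread or from HAProxy itself.
Field order is the default HTTP log format of HAProxy 1.5/1.6:
client_ip:port [accept_date] frontend backend/server Tq/Tw/Tc/Tr/Tt status
bytes req_cookie resp_cookie termination_state
actconn/feconn/beconn/srv_conn/retries srv_queue/backend_queue "request"
"""
import re
from collections import Counter

HTTPLOG_RE = re.compile(
    r'haproxy\[(?P<pid>\d+)\]: (?P<client_ip>\S+):(?P<client_port>\d+) '
    r'\[(?P<accept_date>[^\]]+)\] (?P<frontend>\S+) '
    r'(?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<Tq>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Tt>-?\d+) '
    r'(?P<status>-?\d+) (?P<bytes>\d+) (?P<req_cookie>\S+) (?P<resp_cookie>\S+) '
    r'(?P<tstate>\S{4}) '
    r'(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srv_conn>\d+)/(?P<retries>\d+) '
    r'(?P<srv_queue>\d+)/(?P<backend_queue>\d+) "(?P<request>[^"]*)"'
)

# First termination-state character: who/what ended the session.
SESSION_CAUSE = {
    "C": "client aborted the TCP session",
    "S": "server aborted or refused the TCP session",
    "P": "proxy aborted it: connection limit, deny rule, or a blocked/invalid server response",
    "L": "handled locally by haproxy, never sent to a server",
    "R": "a proxy resource was exhausted",
    "I": "internal error detected by haproxy",
    "D": "killed because the server was detected as down",
    "U": "killed on a backup server because an active server came back up",
    "K": "killed by an admin",
    "c": "client-side timeout expired",
    "s": "server-side timeout expired",
    "-": "normal completion",
}
# Second character: what the session was doing when it ended.
SESSION_STATE = {
    "R": "waiting for a complete request from the client",
    "Q": "waiting in the queue for a server slot",
    "C": "waiting for the connection to the server to establish",
    "H": "waiting for complete, valid response headers from the server",
    "D": "in the data phase",
    "L": "sending the last data to the client",
    "T": "request was tarpitted",
    "-": "normal completion",
}
INT_FIELDS = ("pid", "client_port", "Tq", "Tw", "Tc", "Tr", "Tt", "status", "bytes",
              "actconn", "feconn", "beconn", "srv_conn", "retries",
              "srv_queue", "backend_queue")


def parse_httplog(line):
    """Return the log fields as a dict (ints where numeric), or None if no match."""
    m = HTTPLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec


def explain_termination(tstate):
    """Map the first two characters of the termination state to prose."""
    cause, state = tstate[0], tstate[1]
    return (SESSION_CAUSE.get(cause, "unknown cause %r" % cause),
            SESSION_STATE.get(state, "unknown state %r" % state))


def diagnose(rec):
    """One-line verdict on a 502: did haproxy reject the response, or did the backend fail?"""
    if rec["status"] != 502:
        return "not a 502"
    ts = rec["tstate"]
    if ts.startswith("PH"):
        return ("haproxy itself rejected the server's response headers (invalid or blocked "
                "by a response rule) and sent the 502; the backend did answer, Tr=%d only "
                "means no accepted response" % rec["Tr"])
    if ts.startswith("SH"):
        return "server closed the connection before sending complete headers"
    if ts.startswith("SC"):
        return "server refused or reset the connection (Tc=%d ms)" % rec["Tc"]
    cause, state = explain_termination(ts)
    return "502 with termination state %s: %s / %s" % (ts, cause, state)


def triage(lines):
    """Count 5xx responses by (status, cause+state, server) so the bad pattern stands out."""
    counts = Counter()
    for line in lines:
        rec = parse_httplog(line)
        if rec and rec["status"] >= 500:
            counts[(rec["status"], rec["tstate"][:2], rec["server"])] += 1
    return counts


SAMPLE_LOG = [
    # The line from the post.
    'Mar 1 11:41:37 www1 haproxy[15362]: xx.xx.xx.xx:56387 [01/Mar/2016:11:41:35.480] https-in~ servers/www1a 1987/0/0/-1/2029 502 8878 - - PH-- 1764/1758/46/26/0 0/0 "POST /abc/test/b25766378a05446496645649e2ddaf7a/poll HTTP/1.1"',
    # Constructed: the backend closed mid-headers, a genuine backend failure.
    'Mar 1 11:42:01 www1 haproxy[15362]: 10.0.0.5:40112 [01/Mar/2016:11:42:00.120] https-in~ servers/www2a 12/0/1/-1/130 502 204 - - SH-- 1700/1690/40/20/0 0/0 "GET /abc/ HTTP/1.1"',
    # Constructed: a healthy request for contrast.
    'Mar 1 11:42:02 www1 haproxy[15362]: 10.0.0.6:40113 [01/Mar/2016:11:42:02.001] https-in~ servers/www1a 5/0/0/37/42 200 1532 - - ---- 1700/1690/40/20/0 0/0 "GET /srvstatus.htm HTTP/1.1"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_httplog(line)
        print(rec["server"], rec["status"], rec["tstate"], "->", diagnose(rec))
    print(triage(SAMPLE_LOG))
```

Run against a real log with `parse_httplog` over each line and look at the `(502, "PH", server)` counters: if they dominate, the fix is on the haproxy side (the response rules, or whatever makes the backend's headers unparsable), not in Tomcat's thread or keep-alive settings. One caveat worth noting while the config is open: `stats socket ... mode 777 level admin` lets any local user on the box disable servers or change weights through the admin socket; restricting the mode and group is the usual hardening.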