Mathieu,
I have often been fooled like this by multiple haproxy instances running at the
same time.
Whenever I had restarted them with config changes there were sometimes open
client connections keeping instances with older configs alive. Those would
respond to a random set of the connections.
So I suggest you make sure first you have exactly one instance running, e. g.
with “ps aux | grep haproxy”.
Daniel
--
Daniel Schneller
Principal Cloud Engineer
CenterDevice GmbH | Hochstraße 11
| 42697 Solingen
tel: +49 1754155711 | Deutschland
daniel.schnel...@centerdevice.de | www.centerdevice.de
Geschäftsführung: Dr. Patrick Peschlow, Dr. Lukas Pustina,
Michael Rosbach, Handelsregister-Nr.: HRB 18655,
HR-Gericht: Bonn, USt-IdNr.: DE-815299431
> On 13. Feb. 2017, at 15:45, Mathieu Poussin <math...@lodgify.com> wrote:
>
> Hello.
>
> I have setup HAProxy on our environment and I can see a very strange
> behaviour.
>
> I have the following configuration (Just a part of it) :
>
> global
> chroot /var/lib/haproxy
> user haproxy
> group haproxy
> daemon
> tune.maxrewrite 4096
>
> ################
> ### Defaults ###
> ################
>
> defaults
> mode http
> option httplog
> option dontlog-normal
> option dontlognull
> option log-health-checks
> option redispatch
> option http-server-close
> unique-id-header X-LB-Request-ID
> log-format %{+Q}r\ %ST\ "%CC"\ "%hr"\ "%CS"\ "%hs"\ %ID
>
> timeout connect 5000
> timeout client 50000
> timeout server 50000
>
> frontend websitemanager
> bind *:8004
> log global
> capture request header Host len 128
> capture request header X-Real-IP len 128
> capture request header X-LB-Request-ID len 128
> capture request header X-HAProxy-Key len 128
> http-request set-var(txn.x_haproxy_key) req.hdr(X-HAProxy-Key)
> http-request set-var(txn.x_real_ip) req.hdr(X-Real-IP)
> http-request set-var(txn.url) url
> mode http
> default_backend websitemanager
>
> backend websitemanager
> mode http
> log global
> balance roundrobin
> option httpchk GET /health/ HTTP/1.0
> http-check expect ! string false
> acl debug_headers var(txn.x_real_ip) xxx.xxx.xxx.xxx
> acl debug_headers var(txn.x_haproxy_key) -m str -i xxx
> acl debug_headers var(txn.referer) -m sub -i haproxy-key=xxx
> acl debug_headers var(txn.url) -m sub -i haproxy-key=xxx
> http-response set-header X-HAProxy-Frontend-Name "%f" if debug_headers
> http-response set-header X-HAProxy-Frontend-Socket "%fi:%fp" if
> debug_headers
> http-response set-header X-HAProxy-Backend-Group "%b" if debug_headers
> http-response set-header X-HAProxy-Backend-Name "%s" if debug_headers
> http-response set-header X-HAProxy-Backend-Socket "%si:%sp" if
> debug_headers
> http-response set-header X-HAProxy-Via "%H" if debug_headers
> http-response set-header X-HAProxy-TerminationState "%ts" if
> debug_headers
> http-response set-header X-Real-IP "%[var(txn.x_real_ip)]"
> server gc-certmgr-live-1 10.0.0.49:80 check observe layer7 on-error
> mark-down slowstart 10s weight 100
> server gc-certmgr-live-2 10.0.0.50:80 check observe layer7 on-error
> mark-down slowstart 10s weight 100
> server gc-certmgr-live-3 10.0.0.51:80 check observe layer7 on-error
> mark-down slowstart 10s weight 100
>
> And many other fronted/backend combo with the same configuration (The same
> ACL).
> Basically, I want the X-HAProxy headers to appears in any of the following
> condition :
> - The connection is coming from HQ (Specific X-Real-IP header)
> - The header X-HAProxy-Key header is present and set to the correct key
> - The Referer contains the key
> - The URL contains the key as parameter
>
> I have a nginx in front of this setup, that is setting up the X-Real-IP.
> I’ve checked the logs, and the connection is forwarded to HAProxy in all the
> cases, so nginx is not the cause of the issue (Or at least it’s still
> forwarding to HAProxy)
>
>
> Almost half of the requests are failing the ACL where they should work
> without issue (Because the source IP matches or because of the connection
> string.
>
> It’s completely random, I have no idea why it’s doing that.
>
> What could be the cause ? I could not find much googling for this issue.
>
> My version is HA-Proxy version 1.7.2-6edf8f-4
>
> Thank you.
> Best regards,
> Mathieu
>
