On 11/05/17 at 11:23, Aleksandar Lazic wrote:
> Hi Antonio Trujillo Carmona.
>
> Antonio Trujillo Carmona wrote on Thu, 11 May 2017 10:22:59 +0200:
>
>> Why doesn't this configuration detect a server that is down?
> Please can you post the output of haproxy -vv
$ haproxy -vv
HA-Proxy version 1.5.18 2016/05/10
Copyright 2000-2016 Willy Tarreau <wi...@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1
USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT
IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.


> Please can you post some logs as you have debug activated.
# haproxy -d -f /etc/haproxy/haproxy.cfg
[WARNING] 130/120716 (27612) : parsing [/etc/haproxy/haproxy.cfg:165] :
'timeout server' will be ignored because frontend 'RDP' has no backend
capability
[WARNING] 130/120716 (27612) : config : backend 'bk_rdp' uses tcp-check
rules without 'option tcp-check', so the rules are ignored.
Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result FAILED
Total: 3 (2 usable), will use epoll.
Using epoll() as the polling mechanism.
[WARNING] 130/120717 (27612) : Server CitrixSF-SSL/CitrixSF03 is DOWN,
reason: Layer4 connection problem, info: "Connection refused", check
duration: 3ms. 1 active and 0 backup servers left. 0 sessions active, 0
requeued, 0 remaining in queue.
[WARNING] 130/120718 (27612) : Server bk_rdp/gr43sterminal02 is DOWN,
reason: Socket error, check duration: 12ms. 1 active and 0 backup
servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
[WARNING] 130/120719 (27612) : Server bk_rdp/gr43sterminal01 is DOWN,
reason: Layer4 timeout, check duration: 2001ms. 0 active and 0 backup
servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
[ALERT] 130/120719 (27612) : backend 'bk_rdp' has no server available!

Message from syslogd@localhost at May 11 12:07:19 ...
 haproxy[27612]: backend bk_rdp has no server available!

Message from syslogd@localhost at May 11 12:07:19 ...
 haproxy[27612]: backend bk_rdp has no server available!



but :
# nmap gr43sterminal02 -p3389

Starting Nmap 6.40 ( http://nmap.org ) at 2017-05-11 12:12 CEST
Nmap scan report for gr43sterminal02 (10.104.23.141)
Host is up (0.00072s latency).
rDNS record for 10.104.23.141: gr43sterminal02.hvn.sas.junta-andalucia.es
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server

This one is up and the other is down.

If I comment out
#       option ssl-hello-chk

both appear up:
# haproxy -d -f /etc/haproxy/haproxy.cfg
[WARNING] 130/121803 (27722) : parsing [/etc/haproxy/haproxy.cfg:165] :
'timeout server' will be ignored because frontend 'RDP' has no backend
capability
Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result FAILED
Total: 3 (2 usable), will use epoll.
Using epoll() as the polling mechanism.
[WARNING] 130/121804 (27722) : Server CitrixSF-SSL/CitrixSF03 is DOWN,
reason: Layer4 connection problem, info: "Connection refused", check
duration: 3ms. 1 active and 0 backup servers left. 0 sessions active, 0
requeued, 0 remaining in queue.
00000000:gr43stemis01.clicls[ffffffff:0009]
00000000:gr43stemis01.closed[ffffffff:0009]
00000000:gr43stemis01.clicls[ffffffff:000a]
00000000:gr43stemis01.closed[ffffffff:000a]
00000000:gr43stemis01.clicls[ffffffff:000b]
00000000:gr43stemis01.closed[ffffffff:000b]
00000000:gr43stemis01.clicls[ffffffff:000c]
00000000:gr43stemis01.closed[ffffffff:000c]
00000000:gr43stemis01.clicls[ffffffff:000d]
00000000:gr43stemis01.closed[ffffffff:000d]
00000000:RDP.accept(0007)=000a from [10.104.24.53:60969]


Only if I comment out
#    option ssl-hello-chk
#    tcp-check connect port 3389 ssl
does it seem to work, but I'm afraid that it checks the server, not the
service, so if the server is up but the RDP service fails, haproxy will
not detect it.

>
>> global
>>     log 127.0.0.1 local0 debug
>>     log 127.0.0.1 local1 notice
>>     log 10.104.16.5 local7 debug
>>         chroot /var/lib/haproxy
>>         user haproxy
>>         group haproxy
>>         daemon
>>     node GR43STEMIS01-BALANCEADOR-HA-SSL
>>
>> # To synchronize the session tables
>> peers pares
>> #    disable
>>     peer gr43stemis01 10.107.20.7:1024
>>     peer gr43stemis02 10.107.20.8:1024
>>
>> defaults
>>     log     global
>>         mode    http
>>         option  dontlognull
>>     option httpchk
>>         retries 3
>>         option redispatch
>>         maxconn 5000
>>         timeout connect 50s
>>         timeout client  30min
>>         timeout server 50s
>> .../...
>> frontend RDP
>>     mode tcp
>>     bind *:3389
>>     timeout client 1h
>>     timeout server 1h
>>     tcp-request inspect-delay 5s
>>     tcp-request content accept if RDP_COOKIE
>> #    use_backend bk_rdp
>>     default_backend bk_rdp
>>    
>> backend bk_rdp
>>     mode tcp
>>     balance leastconn
>>     #balance rdp_coockie
>>     timeout server 1h
>>     timeout connect 4s
>>     log global
>>     stick-table type string len 32 size 10k expire 1h peers pares
>>     stick on rdp_cookie(msthash)
>>    
>>     persist rdp-cookie
>> #    option tcp-check
>>     option ssl-hello-chk
>> #    option tcpka
>>
>>     tcp-check connect port 3389 ssl
>>
>>     server gr43sterminal01 10.104.22.142:3389 weight 1 check inter 2000 rise 2 fall 3
>>     server gr43sterminal02 10.104.23.141:3389 weight 1 check inter 2000 rise 2 fall 3
>>
>>
>>
>> Thank.
>> --
>>
>> Antonio Trujillo Carmona
>>
>> Network and systems technician.
>>
>> Subdirección de Tecnologías de la Información y Comunicaciones
>>
>> Servicio Andaluz de Salud. Consejería de Salud de la Junta de
>> Andalucía
>>
>> antonio.trujillo.s...@juntadeandalucia.es
>>
>> Tel. +34 670947670 747670)


-- 

*Antonio Trujillo Carmona*

*Network and systems technician.*

*Subdirección de Tecnologías de la Información y Comunicaciones*

Servicio Andaluz de Salud. Consejería de Salud de la Junta de Andalucía

_antonio.trujillo.sspa@juntadeandalucia.es_

Tel. +34 670947670 747670)
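
Added example, not part of the original message and not taken from the HAProxy project: a variant of the `bk_rdp` backend quoted above that enables `option tcp-check` (the debug output warns that the `tcp-check` rules are ignored without it) and checks the RDP service itself rather than only the open port. The two hex strings are assumptions based on the standard RDP connection sequence (X.224 Connection Request and Connection Confirm) and should be verified against the actual terminal servers.

```haproxy
backend bk_rdp
    mode tcp
    balance leastconn
    timeout server 1h
    timeout connect 4s
    log global
    stick-table type string len 32 size 10k expire 1h peers pares
    stick on rdp_cookie(msthash)
    persist rdp-cookie

    # Required: without this option the tcp-check rules below are ignored
    # (see the "rules are ignored" warning in the debug output).
    option tcp-check

    # "option ssl-hello-chk" is intentionally absent: it sends an SSLv3
    # client hello as the first bytes on the connection, while an RDP
    # listener expects an X.224 Connection Request first.

    # Step 1: plain TCP connect to the server's configured port (3389).
    tcp-check connect

    # Step 2: send TPKT header (03 00 00 13) + X.224 Connection Request
    # (0e e0 ...) + RDP negotiation request (01 00 08 00 03 00 00 00).
    tcp-check send-binary 030000130ee000000000000100080003000000

    # Step 3: the service is considered up only if it answers with a
    # TPKT header followed by an X.224 Connection Confirm (code d0).
    tcp-check expect binary 030000130ed0

    server gr43sterminal01 10.104.22.142:3389 weight 1 check inter 2000 rise 2 fall 3
    server gr43sterminal02 10.104.23.141:3389 weight 1 check inter 2000 rise 2 fall 3
```

With this check a host that accepts TCP connections on 3389 but whose RDP service does not answer the connection request is marked DOWN after `fall 3` failed checks.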



