Hi Antonio Trujillo Carmona.

Antonio Trujillo Carmona has written on Mon, 15 May 2017 08:40:16 +0200:

> On 12/05/17 at 11:55, Aleksandar Lazic wrote:
> > Hi Antonio Trujillo Carmona.
> >
> > Antonio Trujillo Carmona has written on Fri, 12 May 2017 10:23:59
> > +0200:
> >
> >> On 11/05/17 at 15:06, Aleksandar Lazic wrote:
> >>> .../
> >>> How about activating the 'option tcp-check' as mentioned in the
> >>> Warning?
> >>> In the config below it's commented, any reason why?
> >>>
> >>> It's also active in the doc which you maybe know.
> >>>
> >>> https://www.haproxy.com/doc/aloha/7.0/deployment_guides/microsoft_remote_desktop_services.html
> >>>
> >>> Does this change anything?
> >> ok, cleaning up a little, I tried:
> >> frontend RDP
> >>     mode tcp
> >>     bind *:3389
> >>     timeout client 1h
> >>     tcp-request inspect-delay 5s
> >>     tcp-request content accept if RDP_COOKIE
> >>     default_backend bk_rdp
> >> #############################################################
> >> backend bk_rdp
> >>     mode tcp
> >>     balance leastconn
> >>     #balance rdp_coockie
> >>     timeout server 1h
> >>     timeout connect 4s
> >>     log global
> >>     option tcplog
> >>     stick-table type string len 32 size 10k expire 1h peers pares
> >>     stick on rdp_cookie(msthash)
> >>     # persist rdp-cookie
> >>     option tcp-check
> >>     # option ssl-hello-chk
> >>     # option tcpka
> >>     tcp-check connect port 3389 ssl
> >>
> >>     # server gr43sterminal01 10.104.22.142:3389 weight 1 check verify none inter 2000 rise 2 fall 3
> >>     # server gr43sterminal02 10.104.23.141:3389 weight 1 check verify none inter 2000 rise 2 fall 3
> >>     #
> >>     default-server inter 3s rise 2 fall 3
> >>     server gr43sterminal01 10.104.22.142:3389 weight 1 check
> >>     server gr43sterminal02 10.104.23.141:3389 weight 1 check
> >>
> >> And I got:
> >> [ALERT] 131/100222 (8564) : Proxy 'bk_rdp', server
> >> 'gr43sterminal01' [/etc/haproxy/haproxy.cfg:189] verify is enabled
> >> by default but no CA file specified. If you're running on a LAN
> >> where you're certain to trust the server's certificate, please set
> >> an explicit 'verify none' statement on the 'server' line, or use
> >> 'ssl-server-verify none' in the global section to disable
> >> server-side verifications by default.
> >> [ALERT] 131/100222 (8564) : Proxy 'bk_rdp', server
> >> 'gr43sterminal02' [/etc/haproxy/haproxy.cfg:190] verify is enabled
> >> by default but no CA file specified. If you're running on a LAN
> >> where you're certain to trust the server's certificate, please set
> >> an explicit 'verify none' statement on the 'server' line, or use
> >> 'ssl-server-verify none' in the global section to disable
> >> server-side verifications by default.
> >> [ALERT] 131/100222 (8564) : Fatal errors found in configuration.
> >>
> >> So I tried adding verify none in the server line
> >>
> >> and haproxy sees both servers up (but one is down).
> >> I tried without ssl:
> >>
> >>     tcp-check connect port 3389
> >>     server gr43sterminal01 10.104.22.142:3389 weight 1 check
> >>     server gr43sterminal02 10.104.23.141:3389 weight 1 check
> >>
> >> but the result is the same: haproxy sees both servers up (but one is
> >> down)
> >>
> >> only if I leave only option tcp-check (or none) it seems to work
> >>
> >>
> >> #################
> >>     # persist rdp-cookie
> >>     option tcp-check
> >>     # option ssl-hello-chk
> >>     # option tcpka
> >>     # tcp-check connect port 3389 ssl
> >>     # tcp-check connect port 3389
> >>
> >>     # server gr43sterminal01 10.104.22.142:3389 weight 1 check verify none inter 2000 rise 2 fall 3
> >>     # server gr43sterminal02 10.104.23.141:3389 weight 1 check verify none inter 2000 rise 2 fall 3
> >>     #
> >>     default-server inter 3s rise 2 fall 3
> >>     server gr43sterminal01 10.104.22.142:3389 weight 1 check
> >>     server gr43sterminal02 10.104.23.141:3389 weight 1 check
> >> ##################
> >>
> >>
> >> output:
> >>
> >> [WARNING] 131/102105 (8773) : Server bk_rdp/gr43sterminal01 is
> >> DOWN, reason: Layer4 timeout, info: " at initial connection step of
> >> tcp-check", check duration: 3001ms. 1 active and 0 backup servers
> >> left. 0 sessions active, 0 requeued, 0 remaining in queue.
> > So finally it works.
> >
> > Regards
> > Aleks
> But in that mode it checks that the server is available, not the
> service; if the RDP service is down haproxy doesn't detect it.

Maybe you will need some tcp-check sequence to check the service.

http://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4.2-tcp-check%20send
http://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4.2-tcp-check%20send-binary

I have found a Perl script which checks RDP; maybe this will help
you to find the right sequence.

https://github.com/portcullislabs/rdp-sec-check/blob/master/rdp-sec-check.pl

Regards
Aleks
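One way to derive the tcp-check sequence suggested above, as an added example that is not part of the original thread or of rdp-sec-check: it builds a cookie-less X.224 Connection Request with an RDP negotiation request, classifies the first reply, and emits matching `tcp-check send-binary` / `tcp-check expect binary` lines. The function names and sample replies are constructed for illustration; the packet layout is assumed to follow MS-RDPBCGR, and the expect pattern assumes the server answers with negotiation data (a 19-byte reply).

```python
import struct

# requestedProtocols flags of RDP_NEG_REQ (assumed per MS-RDPBCGR)
PROTOCOL_SSL, PROTOCOL_HYBRID = 0x01, 0x02

def build_connection_request(protocols=PROTOCOL_SSL | PROTOCOL_HYBRID):
    """TPKT header + X.224 Connection Request + RDP_NEG_REQ, no cookie."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, protocols)
    # X.224 CR: code 0xE0, dst-ref, src-ref, class; length indicator excludes itself
    x224_body = b"\xe0\x00\x00\x00\x00\x00" + neg_req
    x224 = bytes([len(x224_body)]) + x224_body
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224

def classify_response(data):
    """Return (service_answers_rdp, detail) for the first reply bytes."""
    if len(data) < 11 or data[0] != 3:
        return False, "not a TPKT packet"
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len > len(data):
        return False, "truncated reply"
    if data[5] & 0xF0 != 0xD0:
        return False, "not an X.224 Connection Confirm"
    if tpkt_len >= 19:
        neg_type, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
        if neg_type == 0x03:  # RDP_NEG_FAILURE: the listener is alive but refused
            return True, "negotiation failure code %d" % value
        if neg_type == 0x02:  # RDP_NEG_RSP
            return True, "selected protocol 0x%x" % value
    return True, "confirm without negotiation data"

def haproxy_check_lines():
    """Backend lines for the same probe; expect = TPKT header + confirm code."""
    return [
        "option tcp-check",
        "tcp-check send-binary " + build_connection_request().hex(),
        "tcp-check expect binary 030000130ed0",
    ]

# Constructed sample replies (not captured from the servers in this thread)
SAMPLE_CONFIRM = bytes.fromhex(
    "03 00 00 13 0e d0 00 00 12 34 00 02 00 08 00 01 00 00 00")
SAMPLE_FAILURE = bytes.fromhex(
    "03 00 00 13 0e d0 00 00 12 34 00 03 00 08 00 02 00 00 00")
SAMPLE_NOT_RDP = b"SSH-2.0-example\r\n"

if __name__ == "__main__":
    print("\n".join(haproxy_check_lines()))
    for sample in (SAMPLE_CONFIRM, SAMPLE_FAILURE, SAMPLE_NOT_RDP):
        print(classify_response(sample))
```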