Hi Antonio Trujillo Carmona,

Cool, thanks for sharing.

Regards
Aleks

Antonio Trujillo Carmona wrote on Wed, 24 May 2017 09:01:16 +0200:

> On 16/05/17 at 23:17, Aleksandar Lazic wrote:
> > Hi Antonio Trujillo Carmona.
> >
> > Antonio Trujillo Carmona wrote on Mon, 15 May 2017 08:40:16 +0200:
> >
> >> On 12/05/17 at 11:55, Aleksandar Lazic wrote:
> >>> Hi Antonio Trujillo Carmona.
> >>>
> >>> Antonio Trujillo Carmona wrote on Fri, 12 May 2017 10:23:59 +0200:
> >>>
> >>>> On 11/05/17 at 15:06, Aleksandar Lazic wrote:
> >>>>> .../
> >>>>> How about activating 'option tcp-check' as mentioned in the
> >>>>> warning? In the config below it's commented; any reason why?
> >>>>>
> >>>>> It's also active in the doc, which you may know.
> >>>>>
> >>>>> https://www.haproxy.com/doc/aloha/7.0/deployment_guides/microsoft_remote_desktop_services.html
> >>>>>
> >>>>> Does this change anything?
> >>>>
> >>>> OK, cleaning up a little, I try:
> >>>>
> >>>> frontend RDP
> >>>> mode tcp
> >>>> bind *:3389
> >>>> timeout client 1h
> >>>> tcp-request inspect-delay 5s
> >>>> tcp-request content accept if RDP_COOKIE
> >>>> default_backend bk_rdp
> >>>> #############################################################
> >>>> backend bk_rdp
> >>>> mode tcp
> >>>> balance leastconn
> >>>> #balance rdp_coockie
> >>>> timeout server 1h
> >>>> timeout connect 4s
> >>>> log global
> >>>> option tcplog
> >>>> stick-table type string len 32 size 10k expire 1h peers pares
> >>>> stick on rdp_cookie(msthash)
> >>>> # persist rdp-cookie
> >>>> option tcp-check
> >>>> # option ssl-hello-chk
> >>>> # option tcpka
> >>>> tcp-check connect port 3389 ssl
> >>>>
> >>>> # server gr43sterminal01 10.104.22.142:3389 weight 1 check verify none inter 2000 rise 2 fall 3
> >>>> # server gr43sterminal02 10.104.23.141:3389 weight 1 check verify none inter 2000 rise 2 fall 3
> >>>> #
> >>>> default-server inter 3s rise 2 fall 3
> >>>> server gr43sterminal01 10.104.22.142:3389 weight 1 check
> >>>> server gr43sterminal02 10.104.23.141:3389 weight 1 check
> >>>>
> >>>> And I got:
> >>>>
> >>>> [ALERT] 131/100222 (8564) : Proxy 'bk_rdp', server 'gr43sterminal01' [/etc/haproxy/haproxy.cfg:189] verify is enabled by default but no CA file specified. If you're running on a LAN where you're certain to trust the server's certificate, please set an explicit 'verify none' statement on the 'server' line, or use 'ssl-server-verify none' in the global section to disable server-side verifications by default.
> >>>> [ALERT] 131/100222 (8564) : Proxy 'bk_rdp', server 'gr43sterminal02' [/etc/haproxy/haproxy.cfg:190] verify is enabled by default but no CA file specified. If you're running on a LAN where you're certain to trust the server's certificate, please set an explicit 'verify none' statement on the 'server' line, or use 'ssl-server-verify none' in the global section to disable server-side verifications by default.
> >>>> [ALERT] 131/100222 (8564) : Fatal errors found in configuration.
> >>>>
> >>>> So I try adding verify none in the server line, and haproxy sees both servers up (but one is down).
> >>>>
> >>>> I try without ssl:
> >>>>
> >>>> tcp-check connect port 3389
> >>>> server gr43sterminal01 10.104.22.142:3389 weight 1 check
> >>>> server gr43sterminal02 10.104.23.141:3389 weight 1 check
> >>>>
> >>>> but the result is the same: haproxy sees both servers up (but one is down).
> >>>>
> >>>> Only if I leave only option tcp-check (or none) does it seem to work:
> >>>>
> >>>> #################
> >>>> # persist rdp-cookie
> >>>> option tcp-check
> >>>> # option ssl-hello-chk
> >>>> # option tcpka
> >>>> # tcp-check connect port 3389 ssl
> >>>> # tcp-check connect port 3389
> >>>>
> >>>> # server gr43sterminal01 10.104.22.142:3389 weight 1 check verify none inter 2000 rise 2 fall 3
> >>>> # server gr43sterminal02 10.104.23.141:3389 weight 1 check verify none inter 2000 rise 2 fall 3
> >>>> #
> >>>> default-server inter 3s rise 2 fall 3
> >>>> server gr43sterminal01 10.104.22.142:3389 weight 1 check
> >>>> server gr43sterminal02 10.104.23.141:3389 weight 1 check
> >>>> ##################
> >>>>
> >>>> output:
> >>>>
> >>>> [WARNING] 131/102105 (8773) : Server bk_rdp/gr43sterminal01 is DOWN, reason: Layer4 timeout, info: " at initial connection step of tcp-check", check duration: 3001ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
> >>>>
> >>>> So finally it works.
> >>>
> >>> Regards
> >>> Aleks
> >>
> >> But in that mode it checks server availability, not the service; if the RDP service is down, haproxy doesn't detect it.
> >
> > Maybe you will need some tcp-check sequence to check the service.
> >
> > http://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4.2-tcp-check%20send
> > http://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4.2-tcp-check%20send-binary
> >
> > I have found a Perl script which checks RDP; maybe this will help you to find the right sequence.
> >
> > https://github.com/portcullislabs/rdp-sec-check/blob/master/rdp-sec-check.pl
> >
> > Regards
> > Aleks
>
> Finally it works.
> The configuration ended up as:
>
> #############################################################
> frontend RDP
> mode tcp
> bind *:3389
> timeout client 1h
> tcp-request inspect-delay 25s
> tcp-request content accept if RDP_COOKIE
> default_backend bk_rdp
> #############################################################
> backend bk_rdp
> mode tcp
> balance leastconn
> timeout server 1h
> timeout connect 25s
> log global
> option tcplog
> stick-table type string len 32 size 10k expire 1h peers pares
> stick on rdp_cookie(msthash)
> option tcp-check
> default-server inter 3s rise 2 fall 3
> server gr43sterminal01 10.107.20.38:3389 weight 1 check port 3389 inter 2000 rise 2 fall 3
> server gr43sterminal02 10.107.20.39:3389 weight 1 check port 3389 inter 2000 rise 2 fall 3
>
> The fact is that this configuration was tested previously and it didn't work; I had to re-type it, and it works. Maybe a typo with an unseen character was the matter.
>
> Thanks for the help.
> --
>
> Antonio Trujillo Carmona
>
> Network and systems technician.
>
> Subdirección de Tecnologías de la Información y Comunicaciones
>
> Servicio Andaluz de Salud. Consejería de Salud de la Junta de Andalucía
>
> antonio.trujillo.s...@juntadeandalucia.es
>
> Tel. +34 670947670 747670)
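The thread ends on the open point that `tcp-check connect` only proves the port answers, not that the RDP service does. As an added example (not code from the thread, from HAProxy, or from the linked Perl script), the probe below does what a `tcp-check send-binary` / `tcp-check expect binary` sequence would: it sends an X.224 Connection Request and requires a Connection Confirm back. The `haproxy_tcp_check_lines()` output is an assumption built from the 1.5 docs linked above, not a configuration tested in the thread.

```python
"""Added example: application-level RDP health probe (not from the thread).
Sends a TPKT/X.224 Connection Request with an RDP_NEG_REQ and validates the
Connection Confirm, so a listener that accepts TCP but never answers RDP is
reported DOWN instead of UP."""
import socket
import struct

PROTOCOL_RDP = 0x00000000  # requestedProtocols: standard RDP security
PROTOCOL_SSL = 0x00000001  # requestedProtocols: TLS


def build_x224_connection_request(protocols: int = PROTOCOL_RDP) -> bytes:
    """TPKT header + X.224 CR TPDU + RDP_NEG_REQ (type 1, flags 0, length 8)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, protocols)
    x224 = bytes([0xE0, 0, 0, 0, 0, 0]) + neg_req  # CR code, dst-ref, src-ref, class
    x224 = bytes([len(x224)]) + x224  # LI counts the bytes after itself
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224  # TPKT v3, total length


def parse_x224_connection_confirm(data: bytes) -> dict:
    """Validate a Connection Confirm; returns a verdict instead of raising on junk."""
    if len(data) < 11 or data[0] != 3 or struct.unpack(">H", data[2:4])[0] != len(data):
        return {"ok": False, "reason": "not a complete TPKT packet"}
    li, code = data[4], data[5]
    if code != 0xD0 or li + 5 != len(data):  # 0xD0 = X.224 CC TPDU
        return {"ok": False, "reason": "not an X.224 Connection Confirm"}
    result = {"ok": True, "reason": "rdp listener answered"}
    if len(data) >= 19:  # optional RDP_NEG_RSP (0x02) or RDP_NEG_FAILURE (0x03)
        ntype, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
        if ntype == 0x02:
            result["selected_protocol"] = value
        elif ntype == 0x03:
            result.update(ok=False, reason="negotiation failure", failure_code=value)
    return result


def haproxy_tcp_check_lines(protocols: int = PROTOCOL_RDP) -> list:
    """Assumed equivalent backend lines (from the linked 1.5 docs, untested here).
    'expect binary' is a substring match, so 'd0' is looser than the parser above."""
    return [
        "option tcp-check",
        "tcp-check send-binary " + build_x224_connection_request(protocols).hex(),
        "tcp-check expect binary d0",
    ]


def probe(host: str, port: int = 3389, timeout: float = 3.0) -> dict:
    """Live check: connect, send the request, judge the reply; no credentials used."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_x224_connection_request())
            return parse_x224_connection_confirm(sock.recv(64))
    except OSError as exc:
        return {"ok": False, "reason": f"layer4: {exc}"}
```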