Hi Haproxy List,
I upgraded to 1.8.7 (coming from 1.8.3) and found I could no longer use
one of our IIS websites. The login procedure that's using Windows
authentication / NTLM seems to fail.
Removing option http-tunnel seems to fix this though. AFAIK http-tunnel
'should' switch to tunnel mode after the first request and as such should
have no issue sending the credentials to the server?
Below are: config / haproxy -vv / tcpdump / sess all
Is it a known issue? Is there anything else I can provide?
Regards,
PiBa-NL (Pieter)
-----------------------------
# Automatically generated, don't edit manually.
# Generated on: 2018-04-10 21:00
global
maxconn 1000
log 192.168.8.10 local1 info
stats socket /tmp/haproxy.socket level admin
gid 80
nbproc 1
nbthread 1
hard-stop-after 15m
chroot /tmp/haproxy_chroot
daemon
tune.ssl.default-dh-param 2048
defaults
option log-health-checks
frontend site.domain.nl2
bind 192.168.8.5:443 name 192.168.8.5:443 ssl crt
/var/etc/haproxy/site.domain.nl2.pem crt-list
/var/etc/haproxy/site.domain.nl2.crt_list
mode http
log global
option httplog
option http-tunnel
maxconn 100
timeout client 1h
option tcplog
default_backend site-intern_http_ipvANY
backend site-intern_http_ipvANY
mode http
log global
option http-tunnel
timeout connect 10s
timeout server 1h
retries 3
server site 192.168.13.44:443 ssl weight 1.1 verify none
-----------------------------
[2.4.3-RELEASE][root@pfsense_5.local]/root: haproxy -vv
HA-Proxy version 1.8.7 2018/04/07
Copyright 2000-2018 Willy Tarreau <wi...@haproxy.org>
Build options :
TARGET = freebsd
CPU = generic
CC = cc
CFLAGS = -O2 -pipe -fstack-protector -fno-strict-aliasing
-fno-strict-aliasing -Wdeclaration-after-statement -fwrapv
-fno-strict-overflow -Wno-address-of-packed-member -Wno-null-dereference
-Wno-unused-label -DFREEBSD_PORTS
OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_CPU_AFFINITY=1
USE_ACCEPT4=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_STATIC_PCRE=1
USE_PCRE_JIT=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with network namespace support.
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"),
deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE version : 8.40 2017-01-11
Running on PCRE version : 8.40 2017-01-11
PCRE library supports JIT : yes
Built with multi-threading support.
Encrypted password support via crypt(3): yes
Built with transparent proxy support using: IP_BINDANY IPV6_BINDANY
Built with Lua version : Lua 5.3.4
Built with OpenSSL version : OpenSSL 1.0.2m-freebsd 2 Nov 2017
Running on OpenSSL version : OpenSSL 1.0.2m-freebsd 2 Nov 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Available polling systems :
kqueue : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use kqueue.
Available filters :
[TRACE] trace
[COMP] compression
[SPOE] spoe
-----------------------------
tcpdump of: Client 8.32 > HAProxy 8.5:
21:09:13.452118 IP 192.168.8.32.51658 > 192.168.8.5.443: Flags [S], seq
1417754656, win 8192, options [mss 1260,nop,wscale 8,nop,nop,sackOK],
length 0
21:09:13.452312 IP 192.168.8.5.443 > 192.168.8.32.51658: Flags [S.], seq
1950703403, ack 1417754657, win 65228, options [mss 1260,nop,wscale
7,sackOK,eol], length 0
21:09:13.453030 IP 192.168.8.32.51658 > 192.168.8.5.443: Flags [.], ack
1, win 260, length 0
21:09:13.457740 IP 192.168.8.32.51658 > 192.168.8.5.443: Flags [P.], seq
1:190, ack 1, win 260, length 189
21:09:13.457762 IP 192.168.8.5.443 > 192.168.8.32.51658: Flags [.], ack
190, win 510, length 0
21:09:13.459503 IP 192.168.8.5.443 > 192.168.8.32.51658: Flags [.], seq
1:1261, ack 190, win 511, length 1260
21:09:13.459516 IP 192.168.8.5.443 > 192.168.8.32.51658: Flags [.], seq
1261:2521, ack 190, win 511, length 1260
21:09:13.459527 IP 192.168.8.5.443 > 192.168.8.32.51658: Flags [P.], seq
2521:2686, ack 190, win 511, length 165
21:09:13.460342 IP 192.168.8.32.51658 > 192.168.8.5.443: Flags [.], ack
2686, win 260, length 0
21:09:13.478984 IP 192.168.8.32.51658 > 192.168.8.5.443: Flags [P.], seq
190:316, ack 2686, win 260, length 126
21:09:13.479038 IP 192.168.8.5.443 > 192.168.8.32.51658: Flags [.], ack
316, win 510, length 0
21:09:13.480105 IP 192.168.8.5.443 > 192.168.8.32.51658: Flags [P.], seq
2686:2737, ack 316, win 511, length 51
21:09:13.490136 IP 192.168.8.32.51658 > 192.168.8.5.443: Flags [P.], seq
316:615, ack 2737, win 260, length 299
21:09:13.490159 IP 192.168.8.5.443 > 192.168.8.32.51658: Flags [.], ack
615, win 509, length 0
21:09:13.502733 IP 192.168.8.5.443 > 192.168.8.32.51658: Flags [.], seq
2737:3997, ack 615, win 511, length 1260
21:09:13.502745 IP 192.168.8.5.443 > 192.168.8.32.51658: Flags [P.], seq
3997:4314, ack 615, win 511, length 317
21:09:13.502970 IP 192.168.8.32.51658 > 192.168.8.5.443: Flags [.], ack
4314, win 260, length 0
<User fills in the password popup from the browser this takes a few seconds>
21:09:25.294174 IP 192.168.8.32.51658 > 192.168.8.5.443: Flags [P.], seq
615:992, ack 4314, win 260, length 377
21:09:25.294233 IP 192.168.8.5.443 > 192.168.8.32.51658: Flags [.], ack
992, win 508, length 0
<After a little while the connection is lost.>
21:11:26.433054 IP 192.168.8.5.443 > 192.168.8.32.51658: Flags [P.], seq
4314:4345, ack 992, win 508, length 31
21:11:26.433087 IP 192.168.8.5.443 > 192.168.8.32.51658: Flags [F.], seq
4345, ack 992, win 508, length 0
21:11:26.434317 IP 192.168.8.32.51658 > 192.168.8.5.443: Flags [.], ack
4346, win 260, length 0
21:11:26.446968 IP 192.168.8.32.51658 > 192.168.8.5.443: Flags [F.], seq
992, ack 4346, win 260, length 0
21:11:26.446994 IP 192.168.8.5.443 > 192.168.8.32.51658: Flags [.], ack
993, win 508, length 0
tcpdump of: HAProxy 13.5 > Webserver 13.44:
21:09:13.490504 IP 192.168.13.5.6015 > 192.168.13.44.443: Flags [S], seq
2510965801, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val
1036282720 ecr 0], length 0
21:09:13.492572 IP 192.168.13.44.443 > 192.168.13.5.6015: Flags [S.],
seq 3868280669, ack 2510965802, win 8192, options [mss 1460,nop,wscale
8,sackOK,TS val 4405365 ecr 1036282720], length 0
21:09:13.492596 IP 192.168.13.5.6015 > 192.168.13.44.443: Flags [.], ack
1, win 513, options [nop,nop,TS val 1036282720 ecr 4405365], length 0
21:09:13.492737 IP 192.168.13.5.6015 > 192.168.13.44.443: Flags [P.],
seq 1:518, ack 1, win 513, options [nop,nop,TS val 1036282720 ecr
4405365], length 517
21:09:13.495339 IP 192.168.13.44.443 > 192.168.13.5.6015: Flags [.], seq
1:1449, ack 518, win 260, options [nop,nop,TS val 4405365 ecr
1036282720], length 1448
21:09:13.495356 IP 192.168.13.5.6015 > 192.168.13.44.443: Flags [.], ack
1449, win 501, options [nop,nop,TS val 1036282729 ecr 4405365], length 0
21:09:13.495363 IP 192.168.13.44.443 > 192.168.13.5.6015: Flags [P.],
seq 1449:2660, ack 518, win 260, options [nop,nop,TS val 4405365 ecr
1036282720], length 1211
21:09:13.495374 IP 192.168.13.5.6015 > 192.168.13.44.443: Flags [.], ack
2660, win 492, options [nop,nop,TS val 1036282729 ecr 4405365], length 0
21:09:13.497287 IP 192.168.13.5.6015 > 192.168.13.44.443: Flags [P.],
seq 518:644, ack 2660, win 513, options [nop,nop,TS val 1036282729 ecr
4405365], length 126
21:09:13.500555 IP 192.168.13.44.443 > 192.168.13.5.6015: Flags [P.],
seq 2660:2711, ack 644, win 259, options [nop,nop,TS val 4405366 ecr
1036282729], length 51
21:09:13.500570 IP 192.168.13.5.6015 > 192.168.13.44.443: Flags [.], ack
2711, win 512, options [nop,nop,TS val 1036282729 ecr 4405366], length 0
21:09:13.500799 IP 192.168.13.5.6015 > 192.168.13.44.443: Flags [P.],
seq 644:943, ack 2711, win 513, options [nop,nop,TS val 1036282729 ecr
4405366], length 299
21:09:13.502465 IP 192.168.13.44.443 > 192.168.13.5.6015: Flags [.], seq
2711:4159, ack 943, win 258, options [nop,nop,TS val 4405366 ecr
1036282729], length 1448
21:09:13.502483 IP 192.168.13.5.6015 > 192.168.13.44.443: Flags [.], ack
4159, win 501, options [nop,nop,TS val 1036282729 ecr 4405366], length 0
21:09:13.502492 IP 192.168.13.44.443 > 192.168.13.5.6015: Flags [P.],
seq 4159:4288, ack 943, win 258, options [nop,nop,TS val 4405366 ecr
1036282729], length 129
21:09:13.502502 IP 192.168.13.5.6015 > 192.168.13.44.443: Flags [.], ack
4288, win 500, options [nop,nop,TS val 1036282729 ecr 4405366], length 0
<User/Password is never sent>
21:11:26.432105 IP 192.168.13.44.443 > 192.168.13.5.6015: Flags [R.],
seq 4288, ack 943, win 0, length 0
-----------------------------
'sess all' before and after the credentials.
[2.4.3-RELEASE][root@pfsense_5.itm.local]/root:
/usr/local/pkg/haproxy/haproxy_socket.sh show sess all
show sess all
0x8024adf80: [10/Apr/2018:21:09:13.453304] id=7 proto=tcpv4
source=192.168.8.32:51658
flags=0x4ce, conn_retries=3, srv_conn=0x8024f6000, pend_pos=0x0
frontend=portal.itemedical.nl2 (id=2 mode=http),
listener=192.168.8.5:443 (id=1) addr=192.168.8.5:443
backend=synergy-intern_http_ipvANY (id=3 mode=http)
addr=192.168.13.5:6015
server=portalServer (id=1) addr=192.168.13.44:443
task=0x80242d8c0 (state=0x08 nice=0 calls=4 exp=7s tmask=0x1 age=3s)
txn=0x80244b8c0 flags=0x100000 meth=1 status=401 req.st=MSG_TUNNEL
rsp.st=MSG_TUNNEL waiting=0
si[0]=0x8024ae1c8 (state=EST flags=0x08 endp0=NONE:0x8024a8350
exp=<NEVER>, et=0x000)
si[1]=0x8024ae1f0 (state=EST flags=0x118 endp1=NONE:0x8024a8380
exp=<NEVER>, et=0x000)
co0=0x80243c480 ctrl=tcpv4 xprt=SSL mux=PASS data=STRM
target=LISTENER:0x80243c300
flags=0x80203306 fd=10 fd.state=25 fd.cache=0 updt=0 fd.tmask=0x1
co1=0x80243c600 ctrl=tcpv4 xprt=SSL mux=PASS data=STRM
target=SERVER:0x8024f6000
flags=0x00203306 fd=11 fd.state=25 fd.cache=0 updt=0 fd.tmask=0x1
req=0x8024adf90 (f=0x8848000 an=0x0 pipe=0 tofwd=-1 total=270)
an_exp=<NEVER> rex=59m57s wex=<NEVER>
buf=0x7d2c18 data=0x7d2c2c o=0 p=0 req.next=0 i=0 size=0
res=0x8024adfd0 (f=0xc8048200 an=0x0 pipe=0 tofwd=-1 total=1548)
an_exp=<NEVER> rex=59m57s wex=<NEVER>
buf=0x802507840 data=0x802507854 o=0 p=0 rsp.next=0 i=0 size=16384
0x8024aed80: [10/Apr/2018:21:09:16.365440] id=8 proto=unix_stream
source=unix:1
flags=0x88, conn_retries=0, srv_conn=0x0, pend_pos=0x0
frontend=GLOBAL (id=0 mode=tcp), listener=? (id=1) addr=unix:1
backend=<NONE> (id=-1 mode=-)
server=<NONE> (id=-1)
task=0x80242d780 (state=0x02 nice=-64 calls=1 exp=10s tmask=0x1 age=0s)
si[0]=0x8024aefc8 (state=EST flags=0x08 endp0=NONE:0x8024a8530
exp=<NEVER>, et=0x000)
si[1]=0x8024aeff0 (state=EST flags=0x4018 endp1=APPCTX:0x80243cc00
exp=<NEVER>, et=0x000)
co0=0x80243ca80 ctrl=unix_stream xprt=RAW mux=PASS data=STRM
target=LISTENER:0x80243c180
flags=0x00203306 fd=12 fd.state=25 fd.cache=0 updt=0 fd.tmask=0x1
app1=0x80243cc00 st0=7 st1=0 st2=3 applet=<CLI> tmask=0x1
req=0x8024aed90 (f=0x40c08202 an=0x0 pipe=0 tofwd=-1 total=15)
an_exp=<NEVER> rex=10s wex=<NEVER>
buf=0x8025b3340 data=0x8025b3354 o=0 p=0 req.next=0 i=0 size=16384
res=0x8024aedd0 (f=0x80008002 an=0x0 pipe=0 tofwd=-1 total=1398)
an_exp=<NEVER> rex=<NEVER> wex=<NEVER>
buf=0x802501900 data=0x802501914 o=1398 p=1398 rsp.next=0 i=0
size=16384
[2.4.3-RELEASE][root@pfsense_5.itm.local]/root:
/usr/local/pkg/haproxy/haproxy_socket.sh show sess all
show sess all
0x8024adf80: [10/Apr/2018:21:09:13.453304] id=7 proto=tcpv4
source=192.168.8.32:51658
flags=0x4ce, conn_retries=3, srv_conn=0x8024f6000, pend_pos=0x0
frontend=portal.itemedical.nl2 (id=2 mode=http),
listener=192.168.8.5:443 (id=1) addr=192.168.8.5:443
backend=synergy-intern_http_ipvANY (id=3 mode=http)
addr=192.168.13.5:6015
server=portalServer (id=1) addr=192.168.13.44:443
task=0x80242d8c0 (state=0x04 nice=0 calls=5 exp=59m43s tmask=0x1 age=16s)
txn=0x80244b8c0 flags=0x100000 meth=1 status=401 req.st=MSG_TUNNEL
rsp.st=MSG_TUNNEL waiting=0
si[0]=0x8024ae1c8 (state=EST flags=0x08 endp0=NONE:0x8024a8350
exp=<NEVER>, et=0x000)
si[1]=0x8024ae1f0 (state=EST flags=0x118 endp1=NONE:0x8024a8380
exp=<NEVER>, et=0x000)
co0=0x80243c480 ctrl=tcpv4 xprt=SSL mux=PASS data=STRM
target=LISTENER:0x80243c300
flags=0x80203306 fd=10 fd.state=25 fd.cache=0 updt=0 fd.tmask=0x1
co1=0x80243c600 ctrl=tcpv4 xprt=SSL mux=PASS data=STRM
target=SERVER:0x8024f6000
flags=0x00203306 fd=11 fd.state=25 fd.cache=0 updt=0 fd.tmask=0x1
req=0x8024adf90 (f=0x8848000 an=0x0 pipe=0 tofwd=-1 total=270)
an_exp=<NEVER> rex=59m43s wex=<NEVER>
buf=0x7d2c18 data=0x7d2c2c o=0 p=0 req.next=0 i=0 size=0
res=0x8024adfd0 (f=0x88048000 an=0x0 pipe=0 tofwd=-1 total=1548)
an_exp=<NEVER> rex=59m43s wex=<NEVER>
buf=0x7d2c18 data=0x7d2c2c o=0 p=0 rsp.next=0 i=0 size=0
0x8024aed80: [10/Apr/2018:21:09:29.621432] id=9 proto=unix_stream
source=unix:1
flags=0x88, conn_retries=0, srv_conn=0x0, pend_pos=0x0
frontend=GLOBAL (id=0 mode=tcp), listener=? (id=1) addr=unix:1
backend=<NONE> (id=-1 mode=-)
server=<NONE> (id=-1)
task=0x80242d780 (state=0x02 nice=-64 calls=1 exp=10s tmask=0x1 age=0s)
si[0]=0x8024aefc8 (state=EST flags=0x08 endp0=NONE:0x8024a8530
exp=<NEVER>, et=0x000)
si[1]=0x8024aeff0 (state=EST flags=0x4018 endp1=APPCTX:0x80243cc00
exp=<NEVER>, et=0x000)
co0=0x80243ca80 ctrl=unix_stream xprt=RAW mux=PASS data=STRM
target=LISTENER:0x80243c180
flags=0x00203306 fd=12 fd.state=25 fd.cache=0 updt=0 fd.tmask=0x1
app1=0x80243cc00 st0=7 st1=0 st2=3 applet=<CLI> tmask=0x1
req=0x8024aed90 (f=0x40c08202 an=0x0 pipe=0 tofwd=-1 total=15)
an_exp=<NEVER> rex=10s wex=<NEVER>
buf=0x802507840 data=0x802507854 o=0 p=0 req.next=0 i=0 size=16384
res=0x8024aedd0 (f=0x80008002 an=0x0 pipe=0 tofwd=-1 total=1393)
an_exp=<NEVER> rex=<NEVER> wex=<NEVER>
buf=0x802501900 data=0x802501914 o=1393 p=1393 rsp.next=0 i=0
size=16384
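The two captures above are compared by eye: the client pushes 377 bytes after the 401, and nothing with payload leaves HAProxy toward 192.168.13.44 afterwards until the server resets. The following script automates that comparison so the same check can be repeated on other sessions. It is an added example, not code from the report or from HAProxy; it parses tcpdump summary lines, takes the client's last payload-carrying packet as the reference point, and reports whether the proxy sent any bytes to the server at or after that moment. The sample capture lines are constructed (single-line, modelled on the report's traces, not the original capture), and the function names are this example's own.

```python
"""Correlate a client-side and a server-side tcpdump of one proxied session to
check whether data the client sent after an HTTP 401 was ever forwarded to the
backend. Added example; the sample lines below are constructed and modelled on
the report's captures, they are not the original traces."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# One tcpdump summary line: timestamp, endpoints, TCP flags, ..., payload length.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\].*? length (?P<len>\d+)$"
)


@dataclass
class Packet:
    ts: float      # seconds since midnight, enough to order one capture
    src: str       # "ip.port" exactly as tcpdump prints it
    dst: str
    flags: str     # e.g. "P.", "F.", "R."
    length: int    # TCP payload bytes


def parse_tcpdump(text: str) -> list[Packet]:
    """Parse tcpdump summary lines; lines that do not match (comments) are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        t = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        secs = t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6
        pkts.append(Packet(secs, m["src"], m["dst"], m["flags"], int(m["len"])))
    return pkts


def last_payload_from(pkts: list[Packet], ip: str) -> Packet | None:
    """Last packet with payload whose source address is `ip` (any port)."""
    cands = [p for p in pkts if p.src.startswith(ip + ".") and p.length > 0]
    return cands[-1] if cands else None


def check_forwarding(front_text: str, back_text: str,
                     client_ip: str, proxy_backend_ip: str) -> dict:
    """Did the proxy send anything to the server at/after the client's last push?"""
    front = parse_tcpdump(front_text)
    back = parse_tcpdump(back_text)
    client_last = last_payload_from(front, client_ip)
    if client_last is None:
        raise ValueError("no client payload in frontend capture")
    forwarded = [p for p in back
                 if p.src.startswith(proxy_backend_ip + ".")
                 and p.length > 0 and p.ts >= client_last.ts]
    return {
        "client_last_push_bytes": client_last.length,
        "bytes_forwarded_after": sum(p.length for p in forwarded),
        "forwarded": bool(forwarded),
        "server_reset": any("R" in p.flags for p in back),
    }


# Constructed sample: client <-> HAProxy side (one packet per line).
FRONT_SAMPLE = """
21:09:13.457740 IP 192.168.8.32.51658 > 192.168.8.5.443: Flags [P.], seq 1:190, ack 1, win 260, length 189
21:09:13.459527 IP 192.168.8.5.443 > 192.168.8.32.51658: Flags [P.], seq 2521:2686, ack 190, win 511, length 165
21:09:13.490136 IP 192.168.8.32.51658 > 192.168.8.5.443: Flags [P.], seq 316:615, ack 2737, win 260, length 299
21:09:13.502745 IP 192.168.8.5.443 > 192.168.8.32.51658: Flags [P.], seq 3997:4314, ack 615, win 511, length 317
<User fills in the password popup from the browser>
21:09:25.294174 IP 192.168.8.32.51658 > 192.168.8.5.443: Flags [P.], seq 615:992, ack 4314, win 260, length 377
21:11:26.433087 IP 192.168.8.5.443 > 192.168.8.32.51658: Flags [F.], seq 4345, ack 992, win 508, length 0
"""

# Constructed sample: HAProxy <-> webserver side, credentials never forwarded.
BACK_SAMPLE_BROKEN = """
21:09:13.492737 IP 192.168.13.5.6015 > 192.168.13.44.443: Flags [P.], seq 1:518, ack 1, win 513, options [nop,nop,TS val 1036282720 ecr 4405365], length 517
21:09:13.500799 IP 192.168.13.5.6015 > 192.168.13.44.443: Flags [P.], seq 644:943, ack 2711, win 513, options [nop,nop,TS val 1036282729 ecr 4405366], length 299
21:09:13.502492 IP 192.168.13.44.443 > 192.168.13.5.6015: Flags [P.], seq 4159:4288, ack 943, win 258, options [nop,nop,TS val 4405366 ecr 1036282729], length 129
<User/Password is never sent>
21:11:26.432105 IP 192.168.13.44.443 > 192.168.13.5.6015: Flags [R.], seq 4288, ack 943, win 0, length 0
"""

# Constructed positive control: the same side with the credentials forwarded.
BACK_SAMPLE_OK = BACK_SAMPLE_BROKEN.replace(
    "<User/Password is never sent>",
    "21:09:25.294501 IP 192.168.13.5.6015 > 192.168.13.44.443: Flags [P.], "
    "seq 943:1320, ack 4288, win 513, options [nop,nop,TS val 1036294521 ecr 4405366], length 377",
)

if __name__ == "__main__":
    for name, back in (("broken", BACK_SAMPLE_BROKEN), ("ok", BACK_SAMPLE_OK)):
        print(name, check_forwarding(FRONT_SAMPLE, back, "192.168.8.32", "192.168.13.5"))
```

Run it against real captures by reading the two tcpdump text files into `check_forwarding`; a result with `forwarded` false and `server_reset` true is the signature seen in the report, where the client's post-401 request never reaches the backend and the server eventually resets the idle connection.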