Also, haproxy and servers are on the same subnet : no filtering nor routing between them. Ping has no troubles, servers are not overloaded by other connections.

--
Ionel GARDAIS
Tech'Advantage CIO - IT Team manager

----- Original message -----
From: "Ionel GARDAIS" <ionel.gard...@tech-advantage.com>
To: "Aleksandar Lazic" <al-hapr...@none.at>
Cc: "haproxy" <haproxy@formilux.org>
Sent: Saturday 14 September 2019 14:07:42
Subject: Re: Issue with checks after 2.0.6

Sure.

Note : as soon as I remove the check from the server line then 'systemctl reload haproxy', access is OK.

# haproxy -vv
HA-Proxy version 2.0.6-1~bpo9+1 2019/09/14 - https://haproxy.org/
Build options :
  TARGET = linux-glibc
  CPU = generic
  CC = gcc
  CFLAGS = -O2 -g -O2 -fdebug-prefix-map=/build/haproxy-2.0.6=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
  OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_SYSTEMD=1

Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER -PCRE -PCRE_JIT +PCRE2 +PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=2).
Built with OpenSSL version : OpenSSL 1.1.0k 28 May 2019
Running on OpenSSL version : OpenSSL 1.1.0k 28 May 2019
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.3
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE2 version : 10.22 2016-07-29
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with the Prometheus exporter as a service

Available polling systems :
  epoll : pref=300, test result OK
  poll : pref=200, test result OK
  select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
  h2 : mode=HTX side=FE|BE mux=H2
  h2 : mode=HTTP side=FE mux=H2
  <default> : mode=HTX side=FE|BE mux=H1
  <default> : mode=TCP|HTTP side=FE|BE mux=PASS

Available services :
  prometheus-exporter

Available filters :
  [SPOE] spoe
  [COMP] compression
  [CACHE] cache
  [TRACE] trace

# cat /etc/haproxy/haproxy.cfg
global
    log /dev/log local0 info
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers EECDH+AES:+AES128:+AES256:+SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA
    ssl-default-bind-options no-sslv3
    tune.ssl.default-dh-param 2048

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
    option forwardfor except 127.0.0.1/8
    option redispatch
    option http-keep-alive
    no option http-use-htx

frontend ssl
    bind ${HAPROXY_VRRP}:443 ssl crt tad-2019-chain.crt
    bind ${HAPROXY_IPV4}:443 ssl crt tad-2019-chain.crt
    bind ${HAPROXY_IPV6}:443 ssl crt tad-2019-chain.crt

    # capture request header Host len 50
    # capture response header Location len 50
    # capture request header User-Agent len 50

    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port 443
    http-request set-header X-Forwarded-Host %[ssl_fc_sni]
    http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubDomains

    acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
    rspirep ^(Set-Cookie:.*) \1;\ Secure unless secured_cookie

    acl host-tools hdr(host) tools.example.com
    acl to-etap path_beg /etap
    use_backend bck-etap if host-tools to-etap

backend bck-etap
    server etap 192.168.1.69:8080 check

From haproxy.log :
Sep 14 13:57:35 haproxy-1 haproxy[9978]: Server bck-etap/etap is DOWN, reason: Layer4 timeout, check duration: 2001ms. 0 active and 0 backup servers left. 0 sessions active, 0 dequeued, 0 remaining in queue.
Sep 14 13:57:35 haproxy-1 haproxy[9976]: [WARNING] 256/135735 (9978) : Server bck-etap/etap is DOWN, reason: Layer4 timeout, check duration: 2001ms. 0 active and 0 backup servers left. 0 sessions active, 0 dequeued, 0 remaining in queue.
Sep 14 13:57:35 haproxy-1 haproxy[9978]: Server bck-etap/etap is DOWN, reason: Layer4 timeout, check duration: 2001ms. 0 active and 0 backup servers left. 0 sessions active, 0 dequeued, 0 remaining in queue.
Sep 14 13:57:35 haproxy-1 haproxy[9978]: backend bck-etap has no server available!
Sep 14 13:57:35 haproxy-1 haproxy[9978]: backend bck-etap has no server available!
Sep 14 13:57:35 haproxy-1 haproxy[9976]: [ALERT] 256/135735 (9978) : backend 'bck-etap' has no server available!
Sep 14 13:58:16 haproxy-1 haproxy[9978]: 172.17.10.1:51523 [14/Sep/2019:13:58:16.024] ssl~ bck-etap/<NOSRV> 0/-1/-1/-1/0 503 213 - - SC-- 16/15/0/0/0 0/0 "GET /etap/ HTTP/1.1"
^C

--
Ionel GARDAIS
Tech'Advantage CIO - IT Team manager

----- Original message -----
From: "Aleksandar Lazic" <al-hapr...@none.at>
To: "Ionel GARDAIS" <ionel.gard...@tech-advantage.com>, "haproxy" <haproxy@formilux.org>
Sent: Saturday 14 September 2019 13:12:49
Subject: Re: Issue with checks after 2.0.6

Hi.

On 14.09.2019 at 13:08, GARDAIS Ionel wrote:
> Hi,
>
> I've just upgraded to 2.0.6 and all server checks went erratic.
> I had to disable checks for the servers to be reachable.
>
> The observed behavior was a flip-flap (but mostly down) of server availability
> with L4TOUT when the server was considered unresponsive.

Please can you share some more information like some configs and log lines.

> Ionel

Best regards
Aleks

--
232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON
Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301