Re: [WARNING] (1) : We generated two equal cookies for two different servers.

Wed, 11 Aug 2021 04:14:05 -0700 

On 11.08.21 09:04, Willy Tarreau wrote:

Hi Aleks,

On Mon, Aug 09, 2021 at 06:40:29PM +0200, Aleksandar Lazic wrote:

Hi.

We use the HAProxy 2.4 image which have now HAProxy 2.4.2.
https://hub.docker.com/layers/haproxy/library/haproxy/2.4/images/sha256-d5e2a5261d6367c31c8ce9b2e692fe67237bdc29f37f2e153d346e8b0dc7c13b?context=explore

I get this message for dynamic cookies.

```
[WARNING]  (1) : We generated two equal cookies for two different servers.
Please change the secret key for 'my-haproxy'.
```

But from my point of view and for server-template and dynamic-cookie-key make
this message no sense or am I wrong?


The problem is that when using dynamic cookies, the dynamic-cookie-key,
the server's IP, and its port are hashed together to generate a fixed
cookie value that will be stable across a cluster of haproxy LBs, but
hashes are never without collisions despite being 64-bit, and here you
apparently faced one. Given how unlikely it is, I suspect that the issue
in fact is that you might have multiple servers on the same address.
Maybe just during some DNS transitions. If that's the case, maybe we
should improve the collision check to only report it if it happens for
servers with different addresses.


Well not the same IP but quite similar.
Your explanation can be the reason for the warning.

```
dig cloud-service.namespace.svc.cluster.local

cloud-service.namespace.svc.cluster.local. 5    IN A 10.128.2.111
cloud-service.namespace.svc.cluster.local. 5    IN A 10.128.2.112
cloud-service.namespace.svc.cluster.local. 5    IN A 10.128.2.113
cloud-service.namespace.svc.cluster.local. 5    IN A 10.128.2.114
cloud-service.namespace.svc.cluster.local. 5    IN A 10.128.2.115
cloud-service.namespace.svc.cluster.local. 5    IN A 10.129.9.83
cloud-service.namespace.svc.cluster.local. 5    IN A 10.129.9.84
cloud-service.namespace.svc.cluster.local. 5    IN A 10.129.9.85
cloud-service.namespace.svc.cluster.local. 5    IN A 10.129.9.86
cloud-service.namespace.svc.cluster.local. 5    IN A 10.129.9.87
cloud-service.namespace.svc.cluster.local. 5    IN A 10.131.4.233
cloud-service.namespace.svc.cluster.local. 5    IN A 10.131.4.234
cloud-service.namespace.svc.cluster.local. 5    IN A 10.131.4.235
cloud-service.namespace.svc.cluster.local. 5    IN A 10.131.4.236
cloud-service.namespace.svc.cluster.local. 5    IN A 10.131.4.237
```


Willy

Reply via email to