The haproxy -vv output is at the end of this message.

I got the built-in OCSP updating mechanism working.  Works beautifully.

Today I discovered that once an hour when the OCSP gets updated, haproxy stops all its proxies and starts them back up. syslog:

Sep 27 15:00:01 - haproxy[3520801] Proxy web80 stopped (cumulated conns: FE: 42, BE: 0).
Sep 27 15:00:01 - haproxy[3520801] Proxy web stopped (cumulated conns: FE: 1403, BE: 0).
Sep 27 15:00:01 - haproxy[3520801] Proxy be_deny stopped (cumulated conns: FE: 0, BE: 122).
Sep 27 15:00:01 - haproxy[3520801] Proxy be_raspi1_81 stopped (cumulated conns: FE: 0, BE: 0).
Sep 27 15:00:01 - haproxy[3520801] Proxy be_raspi2_81 stopped (cumulated conns: FE: 0, BE: 0).
Sep 27 15:00:01 - haproxy[3520801] Proxy be_raspi3_81 stopped (cumulated conns: FE: 0, BE: 0).
Sep 27 15:00:01 - haproxy[3520801] Proxy be_smeagol_81 stopped (cumulated conns: FE: 0, BE: 700).
Sep 27 15:00:01 - haproxy[3520801] Proxy be_plex_32400_tls stopped (cumulated conns: FE: 0, BE: 0).
Sep 27 15:00:01 - haproxy[3520801] Proxy be_gitlab_8881 stopped (cumulated conns: FE: 0, BE: 235).
Sep 27 15:00:01 - haproxy[3520801] Proxy be_gitlab2_8881 stopped (cumulated conns: FE: 0, BE: 180).
Sep 27 15:00:01 - haproxy[3520801] Proxy be_artifactory_8082 stopped (cumulated conns: FE: 0, BE: 0).
Sep 27 15:00:01 - haproxy[3520801] Proxy be_zabbix_81 stopped (cumulated conns: FE: 0, BE: 969).
Sep 27 15:00:01 - haproxy[3545799] -:- [27/Sep/2023:15:00:01.668] <OCSP-UPDATE> /etc/ssl/certs/local/REDACTED_org.wildcards.combined.pem 1 "Update successful" 0 1
Sep 27 15:00:01 - haproxy[3545799] -:- [27/Sep/2023:15:00:01.795] <OCSP-UPDATE> /etc/ssl/certs/local/REDACTED2.com.wildcards.combined.pem 1 "Update successful" 0 1
Sep 27 15:00:01 - haproxy[3520801] -:- [27/Sep/2023:15:00:01.944] <OCSP-UPDATE> /etc/ssl/certs/local/REDACTED_org.wildcards.combined.pem 1 "Update successful" 0 2
Sep 27 15:00:02 - haproxy[3520801] -:- [27/Sep/2023:15:00:01.998] <OCSP-UPDATE> /etc/ssl/certs/local/REDACTED2.com.wildcards.combined.pem 1 "Update successful" 0 2

The really irritating effect is that once an hour, my Zabbix server records an event saying haproxy has been restarted:

https://imgur.com/a/WPkKoFa
(imgur will claim the image has mature content.  It doesn't.)

It looks like the only thing that resets back to zero on the stats page is the uptime in the "status" column for each backend. That's good news, but I would hope for none of the data to be reset.

I have one big concern, which may be unfounded: I'm worried that the proxies going down will mean that in-flight connections will be terminated. I'm guessing that the work for seamless reloads will ensure that doesn't happen, I just want to be sure.

Not knowing a lot about how haproxy is architected, I do not know if there is some reason that the backends have to be cycled. Seems like only frontends that listen with TLS would need that. I would hope it would be possible to even avoid that ... maybe have OCSP data be copied from a certain memory location every time a frontend needs it, and when OCSP gets updated, overwrite the data in that memory location in a thread-safe way. I know a fair amount about thread safety in Java, but nothing about it in C.

Final questions for today:

1) Can the OCSP update interval be changed? I don't recall exactly what the validity for a LetsEncrypt OCSP response is, but I know it was at least 24 hours, and I think it might have even been as long as a week. I would like to increase the interval to 8-12 hours if I can.

2) There are two certs being used in my setup, and haproxy logs updates for both of them twice. I would have hoped for that to only happen once. I'm a bit mystified by the fact that it is done twice. I would have expected either one time or four times ... I have one frontend that listens with TLS, with four bind lines all using exactly the same certificate list. (one TCP, and three UDP)


-------------
HAProxy version 2.8.3-0499db-3 2023/09/14 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2028.
Known bugs: http://www.haproxy.org/bugs/bugs-2.8.3.html
Running on: Linux 6.1.0-1022-oem #22-Ubuntu SMP PREEMPT_DYNAMIC Wed Sep 6 08:19:34 UTC 2023 x86_64
Build options :
  TARGET  = linux-glibc
  CPU     = native
  CC      = cc
  CFLAGS  = -O2 -march=native -g -Wall -Wextra -Wundef -Wdeclaration-after-statement -Wfatal-errors -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wno-string-plus-int -Wno-atomic-alignment
  OPTIONS = USE_OPENSSL=1 USE_ZLIB=1 USE_SYSTEMD=1 USE_QUIC=1 USE_PCRE2_JIT=1
  DEBUG   =

Feature list : -51DEGREES +ACCEPT4 +BACKTRACE -CLOSEFROM +CPU_AFFINITY +CRYPT_H -DEVICEATLAS +DL -ENGINE +EPOLL -EVPORTS +GETADDRINFO -KQUEUE -LIBATOMIC +LIBCRYPT +LINUX_CAP +LINUX_SPLICE +LINUX_TPROXY -LUA -MATH -MEMORY_PROFILING +NETFILTER +NS -OBSOLETE_LINKER +OPENSSL -OPENSSL_WOLFSSL -OT -PCRE +PCRE2 +PCRE2_JIT -PCRE_JIT +POLL +PRCTL -PROCCTL -PROMEX -PTHREAD_EMULATION +QUIC +RT +SHM_OPEN -SLZ +SSL -STATIC_PCRE -STATIC_PCRE2 +SYSTEMD +TFO +THREAD +THREAD_DUMP +TPROXY -WURFL +ZLIB

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_TGROUPS=16, MAX_THREADS=256, default=48).
Built with OpenSSL version : OpenSSL 3.1.2+quic 1 Aug 2023
Running on OpenSSL version : OpenSSL 3.1.2+quic 1 Aug 2023
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
OpenSSL providers loaded : default
Built with network namespace support.
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE2 version : 10.39 2021-10-29
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with gcc compiler version 11.4.0

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
       quic : mode=HTTP  side=FE     mux=QUIC  flags=HTX|NO_UPG|FRAMED
         h2 : mode=HTTP  side=FE|BE  mux=H2    flags=HTX|HOL_RISK|NO_UPG
       fcgi : mode=HTTP  side=BE     mux=FCGI  flags=HTX|HOL_RISK|NO_UPG
  <default> : mode=HTTP  side=FE|BE  mux=H1    flags=HTX
         h1 : mode=HTTP  side=FE|BE  mux=H1    flags=HTX|NO_UPG
  <default> : mode=TCP   side=FE|BE  mux=PASS  flags=
       none : mode=TCP   side=FE|BE  mux=PASS  flags=NO_UPG

Available services : none

Available filters :
        [BWLIM] bwlim-in
        [BWLIM] bwlim-out
        [CACHE] cache
        [COMP] compression
        [FCGI] fcgi-app
        [SPOE] spoe
        [TRACE] trace


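Added example (editor's note, not part of the post above and not haproxy project code): a small parser that reads the syslog excerpt quoted in the post and answers, from the log alone, the two things worth checking before asking why the proxies cycle. It (a) counts OCSP-UPDATE lines per haproxy process id, since the excerpt shows those lines coming from two different pids, and (b) lists, for each OCSP update, which proxies the same process reported stopped within a few seconds of it. The sample input is constructed from the lines quoted above (paths redacted as in the post), the syslog year is assumed to be 2023 to match the haproxy-side timestamps, and the meaning of the five fields after `<OCSP-UPDATE>` (certificate path, status code, status string, failure count, success count) is my reading of the haproxy OCSP update log format; check it against the configuration manual for your build.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample input: the syslog lines quoted in the post, one per line.
# Certificate paths are redacted exactly as they were in the post.
SAMPLE_LOG = """\
Sep 27 15:00:01 - haproxy[3520801] Proxy web80 stopped (cumulated conns: FE: 42, BE: 0).
Sep 27 15:00:01 - haproxy[3520801] Proxy web stopped (cumulated conns: FE: 1403, BE: 0).
Sep 27 15:00:01 - haproxy[3520801] Proxy be_deny stopped (cumulated conns: FE: 0, BE: 122).
Sep 27 15:00:01 - haproxy[3545799] -:- [27/Sep/2023:15:00:01.668] <OCSP-UPDATE> /etc/ssl/certs/local/REDACTED_org.wildcards.combined.pem 1 "Update successful" 0 1
Sep 27 15:00:01 - haproxy[3545799] -:- [27/Sep/2023:15:00:01.795] <OCSP-UPDATE> /etc/ssl/certs/local/REDACTED2.com.wildcards.combined.pem 1 "Update successful" 0 1
Sep 27 15:00:01 - haproxy[3520801] -:- [27/Sep/2023:15:00:01.944] <OCSP-UPDATE> /etc/ssl/certs/local/REDACTED_org.wildcards.combined.pem 1 "Update successful" 0 2
Sep 27 15:00:02 - haproxy[3520801] -:- [27/Sep/2023:15:00:01.998] <OCSP-UPDATE> /etc/ssl/certs/local/REDACTED2.com.wildcards.combined.pem 1 "Update successful" 0 2
"""

# Assumption: classic syslog timestamps carry no year; 2023 matches the bracketed haproxy timestamps.
SYSLOG_YEAR = 2023

# "<Mon> <day> <hh:mm:ss> <host> haproxy[<pid>] " -- the host is "-" in the sample.
SYSLOG_PREFIX = (r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
                 r'haproxy\[(?P<pid>\d+)\] ')
STOP_RE = re.compile(SYSLOG_PREFIX +
                     r'Proxy (?P<proxy>\S+) stopped \(cumulated conns: FE: (?P<fe>\d+), BE: (?P<be>\d+)\)\.$')
# Field meanings are my reading of the haproxy OCSP update log format (assumption):
# certificate path, status code, quoted status string, failure count, success count.
OCSP_RE = re.compile(SYSLOG_PREFIX +
                     r'-:- \[(?P<hts>[^\]]+)\] <OCSP-UPDATE> (?P<cert>\S+) (?P<status>\d+) '
                     r'"(?P<msg>[^"]*)" (?P<fail>\d+) (?P<ok>\d+)$')


def syslog_time(ts):
    """Turn 'Sep 27 15:00:01' into a datetime using the assumed year."""
    return datetime.strptime(f"{SYSLOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")


def parse_line(line):
    """Classify one line as a proxy-stop or an OCSP-update event; None for anything else."""
    m = STOP_RE.match(line)
    if m:
        d = m.groupdict()
        return {"kind": "stop", "time": syslog_time(d["ts"]), "pid": int(d["pid"]),
                "proxy": d["proxy"], "fe": int(d["fe"]), "be": int(d["be"])}
    m = OCSP_RE.match(line)
    if m:
        d = m.groupdict()
        # The bracketed timestamp has millisecond precision, so prefer it over the syslog one.
        return {"kind": "ocsp", "time": datetime.strptime(d["hts"], "%d/%b/%Y:%H:%M:%S.%f"),
                "pid": int(d["pid"]), "cert": d["cert"], "status": int(d["status"]),
                "msg": d["msg"], "fail": int(d["fail"]), "ok": int(d["ok"])}
    return None


def parse_log(text):
    """Parse every line we recognise, in file order."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def updates_by_pid(events):
    """How many OCSP-UPDATE lines each haproxy process logged (the 'twice' in question 2)."""
    return dict(Counter(e["pid"] for e in events if e["kind"] == "ocsp"))


def restarts_near_updates(events, window=timedelta(seconds=5), same_pid=True):
    """For each OCSP update, the sorted list of proxies reported stopped within `window` of it.
    With same_pid=True only stops logged by the process that did the update count, which
    separates a process cycling its own proxies from unrelated activity by another process."""
    stops = [e for e in events if e["kind"] == "stop"]
    out = []
    for u in (e for e in events if e["kind"] == "ocsp"):
        near = sorted({s["proxy"] for s in stops
                       if (not same_pid or s["pid"] == u["pid"])
                       and abs(s["time"] - u["time"]) <= window})
        out.append((u["pid"], u["cert"], near))
    return out


def failed_updates(events):
    """OCSP updates that did not report success or whose failure counter is non-zero."""
    return [e for e in events if e["kind"] == "ocsp"
            and (e["fail"] > 0 or e["msg"] != "Update successful")]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("OCSP updates per pid:", updates_by_pid(evs))
    for pid, cert, near in restarts_near_updates(evs):
        print(f"pid {pid} updated {cert}; proxies it stopped nearby: {near or 'none'}")
    print("failed updates:", len(failed_updates(evs)))
```

On the sample, all four updates report success, the OCSP-UPDATE lines split two and two across the two process ids, and the `Proxy ... stopped` lines come from only one of those processes, within a second of its own two updates; run over a full day of syslog the same script tells you whether every hourly update coincides with a stop burst or only some do. For the interval question, the 2.8 global tunables `tune.ssl.ocsp-update.mindelay` and `tune.ssl.ocsp-update.maxdelay` (in seconds) are, as far as I know, what bound the time between two automatic updates of the same response; confirm against the configuration manual for the exact build before relying on that.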