RE: HAProxy failover - DNS change cached by IE for a long time

2017-07-08 Thread Norman Branitsky
Comments inline.

From: Igor Cicimov [mailto:ig...@encompasscorporation.com]
Sent: July-08-17 11:20 PM
To: Norman Branitsky 
Cc: HAProxy 
Subject: RE: HAProxy failover - DNS change cached by IE for a long time

> Of course it can work see
> https://icicimov.github.io/blog/high-availability/Keepalived-in-Amazon-VPC-across-availability-zones/

Nice but way too complicated for my needs.
I don’t have to guarantee uninterrupted failover for my app.
I’m also planning to switch to a Docker Swarm based deployment with 2 Container
Hosts – 1 in each Availability Zone.
I originally planned to run standalone HAProxy servers, but it seems to me that
if I create them as Docker Containers,
then Docker Swarm will act like VRRP and automatically redirect traffic should
one of the HAProxy containers fail.

> If your servers are in AWS why are you not using Route53 then? It allows for
> low DNS TTL, even lower than 10 sec.
> It has many advanced options for load balancing and health checking; for sure it
> is superior compared to NS1.

I do have support for the Route53 API as well as DynECT and NS1.
I’m using RightScale as a Cloud Management Platform for cloud “independence” so
I need generic solutions.
It was only on June 21 that AWS made the following announcement:
https://aws.amazon.com/about-aws/whats-new/2017/06/amazon-route-53-announces-support-for-multivalue-answers-in-response-to-dns-queries/

> If your app does not need sticky sessions you don’t need peers setup and you can
> start using both haproxies right away.
> You can also set haproxy to insert its own cookies and maintain the stickiness
> in that way. I’ve been using it that way
> with active-active haproxy servers for ages in AWS with Route53 DNS health
> checks
> (min hc interval is 10 seconds though and additional costs apply) for apps that
> need sticky sessions.

All our apps require sticky sessions (I’ve been trying for 4 years to get this
changed.)
And 10 second Health Checks cost real money with AWS.
The 30 second Health Checks with NS1 are included in our contract.
The 60 second Health Checks using the DynECT Managed DNS Traffic Managers are
in our contract.
In HAProxy 1.5.18, I was using “appsession JSESSIONID”.
In HAProxy 1.7.8, I’ve switched to letting HAProxy insert a SRV cookie.

>> So I believe I can now safely change the NS1 Filter to round-robin mode.
>> I’m guessing you think this will force IE to refresh its DNS cache.

> Just confirming that returning multiple records to the clients might fix the IE10
> issue.
> According to this
> https://blogs.msdn.microsoft.com/ieinternals/2012/09/26/braindump-dns/ IE10
> will cache up to 256 records
> up to 30min and will not respect TTL. You need to change this setting in the
> Windows registry, which you can’t expect your customers to do.

Well maybe this is the solution to the problem.
If I let NS1 and Route53 return a multi-value response of all the healthy
HAProxy servers,
then when a server goes offline, IE will mark it bad and failover to the next
in the list.
When the first server comes back online, IE won’t bother switching back.
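Added example, not configuration posted by Norman or Igor: what "letting HAProxy insert a SRV cookie" looks like in HAProxy 1.7 syntax, and why two HAProxy nodes behind a round-robin DNS answer route a browser to the same application server without a peers section. The server names, addresses, certificate path and timeouts are assumptions. (appsession was removed in HAProxy 1.6, so on 1.7.8 a cookie inserted by HAProxy, or a stick-table keyed on the application's own JSESSIONID, is the replacement.)

```haproxy
# Added example (not from the thread). Assumed names/addresses: app1, app2,
# 10.0.1.10, 10.0.2.10, /etc/haproxy/certs/app.pem. Same file on both
# HAProxy nodes (haproxy1 in one AZ, haproxy2 in the other).
defaults
    mode http
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend fe_app
    bind :443 ssl crt /etc/haproxy/certs/app.pem
    default_backend be_app

backend be_app
    balance roundrobin
    # HAProxy inserts its own "SRV" cookie naming the server it chose.
    #   insert   - HAProxy adds the cookie to the response itself
    #   indirect - in insert mode the cookie is stripped from the request
    #              before it reaches the application
    #   nocache  - a response that gets the cookie is marked non-cacheable
    #   httponly - not readable by page scripts
    #   secure   - only sent by the browser over TLS
    cookie SRV insert indirect nocache httponly secure
    # The value after "cookie" on each server line is what the SRV cookie
    # carries. It is static configuration, not runtime state, so any HAProxy
    # node with the same server lines maps the cookie to the same server.
    server app1 10.0.1.10:8080 cookie app1 check
    server app2 10.0.2.10:8080 cookie app2 check
```

Because the SRV value is the per-server cookie string rather than anything learned at runtime, every node that carries identical server lines makes the same routing decision after a DNS failover, which is why Igor's active-active setup needs no peers. A stick-table keyed on the application's JSESSIONID (`stick on req.cook(JSESSIONID)`) would need a `peers` section to replicate its entries between haproxy1 and haproxy2; that is the synchronisation the peers upgrade in this thread is about. With `indirect` the application never sees the routing cookie, and with `httponly` and `secure` it is neither script-readable nor sent in clear text.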


RE: HAProxy failover - DNS change cached by IE for a long time

2017-07-08 Thread Igor Cicimov
On 9 Jul 2017 12:20 pm, "Norman Branitsky" 
wrote:

> Thanks for the responses.
>
> shouldbe q931, in a private email to me, and Baptiste, both suggested I not
> use DNS.
> Baptiste suggested VRRP and shouldbe q931 suggested something similar using
> keepalived.
>
> I replied to shouldbe q931 thus:
>
> As far as I know, keepalived requires a separate network interface
> connecting the 2 servers
> to manage the heartbeat connection.
> In my case, the 2 HAProxy servers are in different Amazon AWS Availability
> Zones (Data Centers)
> with different network subnets.
> I don’t think I can make keepalived work in this configuration.

Of course it can work see
https://icicimov.github.io/blog/high-availability/Keepalived-in-Amazon-VPC-across-availability-zones/

> Igor, you suggested 30 seconds was too long for a health check failover.
> Unfortunately, that is the minimum setting that NS1 supports.

If your servers are in AWS why are you not using Route53 then? It allows
for low DNS TTL, even lower than 10 sec. It has many advanced options for
load balancing and health checking; for sure it is superior compared to NS1.

> The reason the NS1 Filter only returns the first healthy HAProxy is that
> this configuration has been in place
> for quite some time while my HAProxy servers were running version 1.5.
> I’m in the process of upgrading all my HAProxy servers to version 1.7.8
> with a peers section defined.

If your app does not need sticky sessions you don’t need peers setup and you
can start using both haproxies right away. You can also set haproxy to
insert its own cookies and maintain the stickiness in that way. I’ve been
using it that way with active-active haproxy servers for ages in AWS with
Route53 DNS health checks (min hc interval is 10 seconds though and
additional costs apply) for apps that need sticky sessions.

> So I believe I can now safely change the NS1 Filter to round-robin mode.
>
> Your suggestion to reduce the JVM TTL value sounds interesting.
> I’m guessing you think this will force IE to refresh its DNS cache.
>
> Something interesting appeared in my testing.
> With haproxy1 and haproxy2 running, I connected to my app using IE.
> I then shut down haproxy1.
> After 30 seconds, NS1 performed a DNS failover to haproxy2 and the IE
> client complained about no connection.
> (In a 2nd tab it connects immediately as usual.)
> After about 20 minutes the first tab reconnected.
> I then restarted haproxy1.
> After 30 seconds, NS1 performed a DNS switch back to haproxy1.
> Now the IE client continued to operate correctly!
> It’s as if it had seen haproxy1 before so it didn’t complain on the switch
> back?!?

Just confirming that returning multiple records to the clients might fix the
IE10 issue.
According to this
https://blogs.msdn.microsoft.com/ieinternals/2012/09/26/braindump-dns/ IE10
will cache up to 256 records up to 30min and will not respect TTL. You need
to change this setting in the Windows registry, which you can’t expect your
customers to do.




Re: Reg: HAProxy 1.6.12 on RHEL7.2 (MAXCONN in FRONT-END/LISTEN BLOCK)

2017-07-08 Thread Velmurugan Dhakshnamoorthy
Thanks all for the detailed explanation. I have learned many facts from this
post. Apologies I could not reply immediately as I was on long leave.

Let me brief what I am trying to do now. Based on the behaviour pattern,
each PeopleSoft URL from the IE browser opens up 6-7 TCP connections; when we
loaded 100 users through HP LoadRunner via HAProxy, we observed that the
total TCP ESTABLISHED connections are around 500 to 550 with keep-alive on.

I have set maxconn 550 in the listen block and increased the syn backlog size
in the Linux kernel as well. When I injected around 500 users (around 2500
connections), HAProxy allows 550 connections and the rest all get queued in
the kernel. Whenever there is a logout from a user, a connection is released from
the queue.

listen  http_proxy
bind :
bind : ssl crt /etc/haproxy/certs/.pem
maxconn 550 # Allow maximum 550 concurrent connections - 100 sessions
backlog 10
#cookie JSESSIONID sss-443-PORTAL prefix
server  server1 :

my questions are
---
1) Is my approach valid to allow a maximum of 100 users via HAProxy by queuing
the rest of the connections in the kernel?
2) I observed during queuing that the transactions of the 100 users inside are a
bit slow for login, navigation etc., but without queuing there is no
response issue for 100 users. I am not sure if the kernel queue affects the
response time for established connections?
3) I suppose the connections which are in the queue will be released on a
first-in, first-out basis.
4) Sometimes, when a user logs out from the browser, HAProxy does not immediately
change the TCP connection from ESTABLISHED status. Is there any way to force
the connections to close whenever the logout URL is called, so that further
connections from the queue can be released?
5) When keep-alive is on in HAProxy, I observed that even browser clicks on the
website URL start persistent TCP connections. Is there any way to keep a
persistent connection only when there is a valid JSESSIONID/PS_TOKEN?
Other connections without a token or with an expired token should be closed forcefully.

For your information, I have installed SSL in HAProxy. Your help would be
much appreciated.

Regards,
Vel



On Tue, Jul 4, 2017 at 1:38 PM, Igor Cicimov  wrote:

> On Tue, Jul 4, 2017 at 1:34 PM, Velmurugan Dhakshnamoorthy <
> dvel@gmail.com> wrote:
>
>> Thanks much for the detailed explanation.
>>
>> Once the limit of 100 sessions is reached, note we are talking about *100
>> sessions in Weblogic* and *NOT 100 connections to the backend*, what is
>> the Weblogic server going to do? We need to understand what happens on
>> the Weblogic side once the 101st session is accepted. Do you get error 500
>> straight away or does something else happen? Maybe nothing and the request gets
>> dropped after sitting in the Weblogic queue for some time?
>>
>> [Vel] once the limit (100) is reached in weblogic, the 101st user will receive
>> error 500, OOM (OutOfMemory) error in the weblogic back-end. When an OOM
>> occurs, even connected users' responses will be impacted.
>>
>> Regards,
>> Vel
>>
>>
> Well, the biggest issue you have is that the number of connections is not the
> same as the number of sessions. Let's say you have reached your 100 connections
> limit which corresponds to 100 sessions in WL and one client's browser
> starts closing its connections. For HAP the number of connections will drop
> below 100, let's say to 96, and it is possible that in that moment a new
> user gets connected which will cause WL to create a new 101st session and
> crash. So how are you going to solve this dependency between connections on
> the HAP side and sessions on the WL side?
>
> Another thing is that modern browsers can open up to 6-7 connections to a
> single domain name which potentially leaves you with less than 20 users
> during the overload period with the limitation of 100 connections in HAP.
> Also depending on the users' activity, every time the user is active WL will
> restart the session timer to 20 min, so you might end up with less than 20
> users connected for a long long time.
>
>
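Added example, not configuration posted by Vel or Igor: one way to bound the number of WebLogic sessions rather than the number of TCP connections, in HAProxy 1.6 syntax, since Igor's point is that maxconn counts sockets and a browser holds 6-7 of them per user. It assumes JSESSIONID is the session cookie, a 20-minute WebLogic session timeout, and placeholder bind, server and certificate settings. table_cnt is the sample fetch that returns the number of entries currently held in a stick-table.

```haproxy
# Added example (not from the thread): cap sessions, not sockets.
# Assumptions: JSESSIONID is the WebLogic session cookie, sessions time out
# after 20 min, addresses and the certificate path are placeholders.
global
    maxconn 4096

defaults
    mode http
    option http-keep-alive
    timeout connect 5s
    timeout client  60s
    timeout server  60s
    timeout http-keep-alive 10s

listen http_proxy
    bind :80
    bind :443 ssl crt /etc/haproxy/certs/site.pem

    # Keep the connection limit well above the user limit: each browser opens
    # 6-7 connections, so "maxconn 550" admits far fewer than 100 users, and a
    # browser closing idle connections would let a new user (a new WebLogic
    # session) in while the old session is still alive on the server.
    maxconn 2000
    backlog 1000

    # One table entry per distinct JSESSIONID value, i.e. per application
    # session. An entry expires after the WebLogic session timeout, so the
    # count follows session lifetime instead of socket lifetime.
    stick-table type string len 64 size 10k expire 20m

    acl has_session req.cook(JSESSIONID) -m found
    acl table_full  table_cnt(http_proxy) ge 100

    # A request with no session cookie would make WebLogic create session 101;
    # refuse it here (HTTP 403) rather than let the backend run out of memory.
    http-request deny if !has_session table_full

    # Requests that carry a cookie refresh their entry (or create one for a
    # value HAProxy has not seen before), keeping the session counted.
    http-request track-sc0 req.cook(JSESSIONID) if has_session

    server server1 10.0.0.10:8000 check
```

Two caveats a practitioner should keep in mind. First, the table counts cookie values that clients present, and clients control those: a browser with a stale JSESSIONID is counted as an existing session while WebLogic quietly creates a new one for it, so this guards against the accidental overload described in the thread, not against a client deliberately exhausting WebLogic. Second, HAProxy cannot see an application-level logout, so an entry lingers until its 20-minute expiry unless the logout path is recognisable and handled separately.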


RE: HAProxy failover - DNS change cached by IE for a long time

2017-07-08 Thread Norman Branitsky
Thanks for the responses.
shouldbe q931, in a private email to me, and Baptiste, both suggested I not use 
DNS.
Baptiste suggested VRRP and shouldbe q931 suggested something similar using 
keepalived.
I replied to shouldbe q931 thus:

As far as I know, keepalived requires a separate network interface connecting 
the 2 servers
to manage the heartbeat connection.
In my case, the 2 HAProxy servers are in different Amazon AWS Availability 
Zones (Data Centers)
with different network subnets.
I don’t think I can make keepalived work in this configuration.

Igor, you suggested 30 seconds was too long for a health check failover.
Unfortunately, that is the minimum setting that NS1 supports.

The reason the NS1 Filter only returns the first healthy HAProxy is that this 
configuration has been in place
for quite some time while my HAProxy servers were running version 1.5.
I’m in the process of upgrading all my HAProxy servers to version 1.7.8 with a 
peers section defined.
So I believe I can now safely change the NS1 Filter to round-robin mode.

Your suggestion to reduce the JVM TTL value sounds interesting.
I’m guessing you think this will force IE to refresh its DNS cache.

Something interesting appeared in my testing.
With haproxy1 and haproxy2 running, I connected to my app using IE.
I then shut down haproxy1.
After 30 seconds, NS1 performed a DNS failover to haproxy2 and the IE client 
complained about no connection.
(In a 2nd tab it connects immediately as usual.)
After about 20 minutes the first tab reconnected.
I then restarted haproxy1.
After 30 seconds, NS1 performed a DNS switch back to haproxy1.
Now the IE client continued to operate correctly!
It’s as if it had seen haproxy1 before so it didn’t complain on the switch 
back?!?



Re: help for configuration between http and tcp mode

2017-07-08 Thread Andrew Smalley
Hello M

Looking at your configuration you are trying to use HTTPS/TCP/SSL
Connection for HTTP

frontend https_influxdb
  bind 192.168.246.17:8086 ssl crt /data/ssl_certs no-sslv3 ciphers
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:
ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-
RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:
DHE-RSA-AES128-SHA:DES-CBC3-SHA:!NULL:!aNULL:!RC4:!RC2:!
MEDIUM:!LOW:!EXPORT:!DES:!MD5:!PSK:!3DES
  mode http
  option dontlognull

I would make this, assuming port 8086 is an HTTP connection:

frontend https_influxdb
  bind 192.168.246.17:8086
  mode http
  option dontlognull


TCP Mode will work with any connection however HTTP will only work with
unencrypted HTTP Type traffic as it is application aware.

Also TCP Mode is really Layer4 and non application aware.

Andrew Smalley

Loadbalancer.org Ltd.


help for configuration between http and tcp mode

2017-07-08 Thread M
Hi,

I don't understand why http mode is not able to provide a backend server whereas at
the same time tcp mode is able to do it.

I am trying to setup Haproxy in front of an Influxdb database running on HTTPS.

When the frontend is configured in http mode, requests are failing with a NOSRV error.
When the frontend is configured in tcp mode, requests are working.

Example below with http mode on tcp/8086 port and tcp mode on tcp/8087 with 
same backend:

#curl -G https://influxdb-drp.example.net:8086/query -u admin:'' 
--data-urlencode "q=SHOW DATABASES"
503 Service Unavailable
No server is available to handle this request.


Haproxy log showing NOSRV and SC:
Jul  8 19:59:44 kalinga haproxy[26228]: 192.168.246.17:52946 
[08/Jul/2017:19:59:44.661] https_influxdb~ https_influxdb/ -1/-1/136 212 
SC 0/0/0/0/0 0/0


#curl -G https://influxdb-drp.example.net:8087/query -u admin:'' 
--data-urlencode "q=SHOW DATABASES"
{"results":[{"statement_id":0,"series":[{"name":"databases","columns":["name"],"values":[["_internal"]]}]}]}

Haproxy log:
Jul  8 20:00:16 kalinga haproxy[26228]: 192.168.246.17:37142 
[08/Jul/2017:20:00:16.672] https_influxdb_tcp~ 
influxdb-drp.example.net/https_8086 0/2/123 332 -- 1/1/0/0/0 0/0

Haproxy configuration file:

---

global
log /dev/log local1 debug
maxconn 4096
debug
tune.ssl.default-dh-param 4096

defaults
log global
mode tcp
option  tcplog
retries 3
option redispatch
maxconn 4000
timeout connect 5000ms
timeout client 5ms
timeout server 5ms

frontend https_influxdb
  bind 192.168.246.17:8086 ssl crt /data/ssl_certs no-sslv3 ciphers 
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:!NULL:!aNULL:!RC4:!RC2:!MEDIUM:!LOW:!EXPORT:!DES:!MD5:!PSK:!3DES
  mode http
  option dontlognull

  reqadd X-Forwarded-Proto:\ https

  option http-server-close
  option forwardfor

  acl host_influxdb-drp.example.net hdr(host) -i influxdb-drp.example.net
  use_backend influxdb-drp.example.net if host_influxdb-drp.example.net

frontend https_influxdb_tcp
  bind 192.168.246.17:8087 ssl crt /data/ssl_certs no-sslv3 ciphers 
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:!NULL:!aNULL:!RC4:!RC2:!MEDIUM:!LOW:!EXPORT:!DES:!MD5:!PSK:!3DES
  mode tcp
  option dontlognull
  option http-server-close
  option tcplog

  default_backend influxdb-drp.example.net

backend influxdb-drp.example.net
  mode http
  server https_8086 127.0.0.1:8086 check ssl verify none

---

How can I configure Haproxy to work on http mode?

M.
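Added example, not M's or Andrew's configuration: an http-mode frontend for the same InfluxDB backend. It rests on this reading of the failing log line: the backend field carries the frontend's own name (https_influxdb) and no server, which is what HAProxy logs when no use_backend rule matched and there is no default_backend. The request went to port 8086, so curl sent "Host: influxdb-drp.example.net:8086", and "hdr(host) -i influxdb-drp.example.net" is an exact string match that a value with a port never satisfies. The tcp frontend worked because it has a default_backend. The certificate path, timeouts, cipher list and CA file below are assumptions; the original backend's "verify none" is replaced by certificate verification.

```haproxy
# Added example (not M's config). Assumed: cert and CA paths, timeouts,
# cipher list. Addresses and names are the ones from M's message.
global
    log /dev/log local1 info
    maxconn 4096
    tune.ssl.default-dh-param 2048

defaults
    log global
    mode http
    option httplog
    option dontlognull
    retries 3
    option redispatch
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_influxdb
    # TLS is terminated here, in http mode; ECDHE AEAD suites only.
    bind 192.168.246.17:8086 ssl crt /data/ssl_certs no-sslv3 no-tlsv10 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    option forwardfor
    http-request set-header X-Forwarded-Proto https

    # With a non-default port the client sends "Host: influxdb-drp.example.net:8086".
    # "hdr(host) -i <name>" is an exact match, so it never matches that value,
    # no backend is chosen, and HAProxy answers 503 from the frontend itself
    # (frontend name in the backend field of the log, no server). Strip the
    # port before comparing.
    acl host_influxdb req.hdr(host),field(1,:) -i influxdb-drp.example.net
    # Unknown Host names get an explicit 403 instead of an accidental 503.
    http-request deny if !host_influxdb
    default_backend influxdb-drp.example.net

backend influxdb-drp.example.net
    # Verify InfluxDB's certificate instead of "verify none"; the CA file path
    # is a placeholder (for a self-signed InfluxDB cert, point it at that cert).
    server https_8086 127.0.0.1:8086 check ssl verify required ca-file /etc/haproxy/certs/influxdb-ca.pem
```

Keeping the tcp frontend on 8087 as a fallback is harmless, but in tcp mode the "option http-server-close" line is ignored, and HAProxy cannot read or add headers there, so X-Forwarded-Proto and forwardfor only take effect on the http-mode path.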


RE: HAProxy failover - DNS change cached by IE for a long time

2017-07-08 Thread Igor Cicimov
On 8 Jul 2017 2:58 am, "Norman Branitsky" 
wrote:

> I changed the TTL on my application’s DNS entry, to no avail.

Try tuning these parameters in the JVM, assuming Sun/Oracle JDK here:

-Dsun.net.inetaddr.ttl=value
-Dsun.net.inetaddr.negative.ttl=value

If a security manager is installed system wide, by adding a line containing

networkaddress.cache.ttl=value

in $JAVA_HOME/jre/lib/security/java.security

JDK 1.6, 1.7 & 1.8 default cache setting:

30 secs (When a security manager is not set)
-1   (When a security manager is set)

* DNS Cache is refreshed every 30 seconds

So adjust the value to some low value of 10 sec say.

> Once the DNS entry updates to point to the 2nd HAProxy server,
> IE displays its dnserror.htm page:
> “This page can’t be displayed”.
> Copy/Paste the URL into a new tab and the page renders immediately.
> The original tab continues to display the dnserror page –
> probably for 20 minutes.



*From:* Norman Branitsky [mailto:norman.branit...@micropact.com]
*Sent:* June-27-17 10:44 AM
*To:* haproxy@formilux.org
*Subject:* HAProxy failover - DNS change cached by IE for a long time




Using the NS1 managed DNS service, I monitor the health of 2 HAProxy 1.7.7
servers defined as peers.

NS1 checks the health of the HAProxy servers every 30 seconds.

If haproxy1 fails to respond, NS1 changes the DNS response to point to
haproxy2.

When haproxy1 comes back online, NS1 reverts the DNS response to haproxy1.

NS1 checks the health of my Java application server every 60 seconds.

NS1 DNS records look like this:

haproxy1 A record
haproxy2 A record
tm1  CNAME record “Dynamic” – NS1 “filter” returns the first in the
list of all healthy haproxy servers
vr   CNAME record pointing to tm1 – name of the Java application server



If I connect to my Java application with Chrome or Firefox, I often don’t
notice the haproxy DNS failover.

If I do get a connection error, it almost always reconnects within seconds.

I don’t lose my session.



If I connect to my Java application with IE (only tested IE10 mode so far),
the haproxy DNS failover causes a DNS error.

This error won’t clear for at least 20 minutes.

If I open a new tab I connect instantly.

Since the JSESSIONID cookie is still available, I’m still logged in but
obviously not on the same data entry page.

What can I do to kick IE in the head and cause it to refresh its DNS cache?
It doesn’t seem to respect the TTL value.



Norman




Norman Branitsky, Cloud Architect, MicroPact


Re: help for setting up haproxy using Linux system proxy

2017-07-08 Thread Aaron West
On 8 July 2017 at 11:25, Aaron West  wrote:
> for me at least, it would
> boggle the mind that you have a reverse proxy using a forward proxy.

I think I should clarify the above... I don't mean using forward
proxies as a real server (think web filters) because that makes sense; I
just mean routing to client or server via a forward proxy seems
confusing to me...

Aaron West

Loadbalancer.org




Re: help for setting up haproxy using Linux system proxy

2017-07-08 Thread Aaron West
I'm going to go out on a limb here and say that you can't(Or shouldn't
just in case somehow you can...), first, for me at least, it would
boggle the mind that you have a reverse proxy using a forward proxy.

I guess you could use a transparent proxy although I'm still not sure
why, but HAproxy would then just be routing to its destination unaware
there's a proxy in the way...

However, the question really has to be why? Only thing I can think of
is that you are trying to implement a DMZ so have decided to restrict
all outbound traffic, why not just allow the specific traffic through
the firewall? You can cherry pick exactly what to allow so only allow
the destination or sources that you actually require, it would be much
much easier.

Sorry if that's not what you wanted to hear or if I'm wrong in some way...

Aaron West

Loadbalancer.org



On 8 July 2017 at 08:56, founder  wrote:
>
> i have a linux server set up with haproxy but this server can't access
> the Internet directly. we have set up a proxy at the linux server but it seems
> haproxy has not used the system proxy. how can we set haproxy to use the system
> proxy. thanks in advance.
> Sent from my iPhone



help for setting up haproxy using Linux system proxy

2017-07-08 Thread founder
i have a linux server set up with haproxy but this server can't access the Internet
directly. we have set up a proxy at the linux server but it seems haproxy has
not used the system proxy. how can we set haproxy to use the system proxy. thanks in
advance.
Sent from my iPhone