Hi All,
We have a virtual desktop deployment under VMware Horizon View that
uses PCoIP Zero clients that stopped working after upgrading the load
balancers in front of the internal Connection Servers (the virtual
desktop broker) from 1.8.12 to 2.0.7.
After putting in "no option http-use-htx" these clients work fine.
This is not a problem overall with HAProxy as other devices using a
different client (mobile, PC etc) are fine, so it is obviously an edge
case that affects this particular device, but I thought it important
to report as it is still a regression between 1.8 and 2.0.
I've got logs, version info and config in this email, but understand
that more info is likely to be required in order to get to the bottom
of this...and fully understand this may be a client/device specific
bug, rather than a HAProxy one.
More logs and traces can be gathered as required.
This is running on Alpine Linux 3.10, so it's a musl-based build:
HA-Proxy version 2.0.7 2019/09/27 - https://haproxy.org/
Build options :
TARGET = linux-glibc
CPU = generic
CC = gcc
CFLAGS = -Os -fomit-frame-pointer
OPTIONS = USE_PCRE=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_NS=1
Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER +PCRE
-PCRE_JIT -PCRE2 -PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD
-PTHREAD_PSHARED -REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY
+LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO
+OPENSSL +LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY
+TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL -SYSTEMD
-OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS
Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with multi-threading support (MAX_THREADS=64, default=2).
Built with OpenSSL version : OpenSSL 1.1.1d 10 Sep 2019
Running on OpenSSL version : OpenSSL 1.1.1d 10 Sep 2019
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.5
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT
IPV6_TRANSPARENT IP_FREEBIND
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"),
deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE version : 8.43 2019-02-23
Running on PCRE version : 8.43 2019-02-23
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Encrypted password support via crypt(3): yes
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
       h2 : mode=HTX        side=FE|BE     mux=H2
       h2 : mode=HTTP       side=FE        mux=H2
<default> : mode=HTX        side=FE|BE     mux=H1
<default> : mode=TCP|HTTP   side=FE|BE     mux=PASS
Available services : none
Available filters :
[SPOE] spoe
[COMP] compression
[CACHE] cache
[TRACE] trace
Here is the config in question (with the option to disable HTX still in place):
# VMware View Connection Server Defaults
defaults
# Default to HTTP mode
mode http
no option http-use-htx
# Retry another server on connection failure
option redispatch
# Timeouts
timeout connect 5s
timeout http-keep-alive 1s
timeout http-request 15s
timeout queue 30s
timeout tarpit 1m
timeout client 300s
timeout server 300s
# Logging options
option httplog
option dontlognull
log global
# Set default balancing algorithm
balance leastconn
# Default server check options
default-server inter 5s rise 2 fall 3
# Maximum connections
maxconn 2
# VMware View Connection Server Front-End
frontend fe_viewcs
# Listen on HTTP (80) and HTTPS (443)
bind 172.16.0.134:80
bind 172.16.0.134:443 ssl crt viewcs.pem
# Redirect HTTP -> HTTPS
redirect scheme https code 301 if !{ ssl_fc }
# Remove Origin header to resolve https://kb.vmware.com/kb/2144768 as per
# https://support.f5.com/csp/article/K65620682
http-request del-header Origin
# Use View Connection Server Back-End
use_backend be_viewcs
# View Connection Server Back-End
backend be_viewcs
# Maintain affinity based on JSESSIONID cookie
stick match req.cook(JSESSIONID)
stick store-response res.cook(JSESSIONID)
stick-table type string size 2k expire 1h peers peers_global
# Health check
option httpchk GET /broker/xml/ HTTP/1.1\r\nHost:\ viewfqdn\r\nConnection:\ Close\r\n\r\n
option log-health-checks