Hi Lukas,

On 22 Jun 2017 3:02 am, "Lukas Tribus" <[email protected]> wrote:
> Hello,
>
>> Daniel, if using ssl to the backends shouldn't you use http mode?
>> Per your config you are using tcp which is default one. Afaik tcp
>> is for ssl passthrough.
>
> For the record, this is not true. Just because you need TCP mode for
> TLS passthrough doesn't mean you have to use HTTP mode when
> terminating TLS. Actually, terminating TLS while using TCP mode is a
> quite common configuration (for example with HTTP/2).

Thanks for clarifying this.

>>> Try adding:
>>> option httpclose
>>> in the backend and see if that helps.
>>
>> Sorry, replace httpclose with http-server-close
>
> Actually, I would have suggested the opposite: making the whole thing
> less expensive, by going full blown keep-alive with http-reuse:
>
> option http-keep-alive
> option prefer-last-server
> timeout http-keep-alive 30s
> http-reuse safe

Keep-alive is on by default, hence my suggestion to use the opposite. Of course keep-alive enabled is always better, especially in the case of SSL.

>> global
>> ulimit-n 20000
>
> Why specify ulimit? Haproxy will do this for you, you are just asking
> for trouble. I suggest you remove this.
>
> Maybe something on your backend (conntrack or the application) is
> rate-limiting per IP, or the aggressive client you are facing is
> keep-aliving properly with the backend, while it doesn't when using
> haproxy.
>
> I would apply the keep-alive configurations above and I would also
> suggest that you check the CPU load on your backend server as
> connections through haproxy become unresponsive, because that CPU can
> be saturated due to TLS negotiations as well.

That's what the haproxy log shows: the response time from the tomcat backend is high, suggesting something is wrong. Maybe something that you mentioned above (which makes sense), some system settings, or if we can see the tomcat connector settings (and logs possibly), maybe something there is causing issues.

Regards,
Lukas
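The keep-alive and http-reuse settings Lukas suggests, placed in a complete HAProxy configuration as an added example (this is not from the thread or from the HAProxy project; the addresses, hostnames and certificate paths are hypothetical placeholders). Alongside those settings it shows the two things a practitioner would check in the same config: leaving out ulimit-n so HAProxy derives the file-descriptor limit from maxconn itself, and verifying the backend's certificate when re-encrypting to Tomcat rather than trusting whatever answers on the port.

```haproxy
# Added example, not the original poster's config. All names, addresses
# and file paths below are hypothetical placeholders.
global
    # No 'ulimit-n': HAProxy computes the file-descriptor limit it needs
    # from maxconn and sets it itself; a hand-picked value can only be
    # too low (connection failures) or pointlessly high.
    maxconn 10000
    # Refuse any server-side TLS connection whose certificate is not
    # verified, unless a server line explicitly says otherwise.
    ssl-server-verify required

defaults
    mode http
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    # Idle time allowed on a kept-alive connection before it is closed.
    timeout http-keep-alive 30s

frontend fe_https
    # Terminate client TLS here; site.pem holds the cert chain and key.
    bind :443 ssl crt /etc/haproxy/certs/site.pem
    default_backend be_tomcat

backend be_tomcat
    # End-to-end keep-alive instead of 'option http-server-close', so a
    # client request does not cost a fresh TCP + TLS handshake to Tomcat.
    option http-keep-alive
    option prefer-last-server
    # Reuse idle server connections across clients when it is safe to
    # (i.e. for requests that are idempotent and have already started).
    http-reuse safe
    # Re-encrypt to Tomcat and verify its certificate against the
    # internal CA. 'verify none' here would let any host reachable on
    # 10.0.0.11:8443 impersonate the backend.
    server tomcat1 10.0.0.11:8443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check
```

The keep-alive and http-reuse directives only have effect in HTTP mode; in a TCP-mode listener of the kind Lukas describes for TLS termination, HAProxy is not parsing HTTP and silently ignores them. `haproxy -c -f haproxy.cfg` validates the file before a reload, and the per-request timers in the httplog output (Tr, the server response time) are where a slow Tomcat shows up, as noted above.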

