When you enable htx do you have the same problems?
Comment in `no option http-use-htx`

Regards
Aleks

Sat Sep 14 14:12:30 GMT+02:00 2019 GARDAIS Ionel <[email protected]>:
> Also, haproxy and servers are on the same subnet : no filtering nor routing
> between them.
> Ping has no troubles, servers are not overloaded by other connections.
>
> --
> Ionel GARDAIS
> Tech'Advantage CIO - IT Team manager
>
> ----- Original message -----
> From: "Ionel GARDAIS" <[email protected]>
> To: "Aleksandar Lazic" <[email protected]>
> Cc: "haproxy" <[email protected]>
> Sent: Saturday 14 September 2019 14:07:42
> Subject: Re: Issue with checks after 2.0.6
>
> Sure.
> Note : as soon as I remove the check from the server line then 'systemctl
> reload haproxy', access is OK.
>
> # haproxy -vv
> HA-Proxy version 2.0.6-1~bpo9+1 2019/09/14 - https://haproxy.org/
> Build options :
> TARGET = linux-glibc
> CPU = generic
> CC = gcc
> CFLAGS = -O2 -g -O2 -fdebug-prefix-map=/build/haproxy-2.0.6=.
> -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time
> -D_FORTIFY_SOURCE=2 -fno-strict-aliasing -Wdeclaration-after-statement
> -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter
> -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered
> -Wno-missing-field-initializers -Wtype-limits -Wshift-negative-value
> -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
> OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1
> USE_ZLIB=1 USE_SYSTEMD=1
>
> Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER -PCRE -PCRE_JIT
> +PCRE2 +PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +REGPARM
> -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT
> +CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 -MY_ACCEPT4
> +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL
> +SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS
>
> Default settings :
> bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
>
> Built with multi-threading support (MAX_THREADS=64, default=2).
> Built with OpenSSL version : OpenSSL 1.1.0k 28 May 2019
> Running on OpenSSL version : OpenSSL 1.1.0k 28 May 2019
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
> Built with Lua version : Lua 5.3.3
> Built with network namespace support.
> Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT
> IP_FREEBIND
> Built with zlib version : 1.2.8
> Running on zlib version : 1.2.8
> Compression algorithms supported : identity("identity"), deflate("deflate"),
> raw-deflate("deflate"), gzip("gzip")
> Built with PCRE2 version : 10.22 2016-07-29
> PCRE2 library supports JIT : yes
> Encrypted password support via crypt(3): yes
> Built with the Prometheus exporter as a service
>
> Available polling systems :
> epoll : pref=300, test result OK
> poll : pref=200, test result OK
> select : pref=150, test result OK
> Total: 3 (3 usable), will use epoll.
>
> Available multiplexer protocols :
> (protocols marked as <default> cannot be specified using 'proto' keyword)
> h2 : mode=HTX side=FE|BE mux=H2
> h2 : mode=HTTP side=FE mux=H2
> <default> : mode=HTX side=FE|BE mux=H1
> <default> : mode=TCP|HTTP side=FE|BE mux=PASS
>
> Available services :
> prometheus-exporter
>
> Available filters :
> [SPOE] spoe
> [COMP] compression
> [CACHE] cache
> [TRACE] trace
>
>
> # cat /etc/haproxy/haproxy.cfg
> global
> log /dev/log local0 info
> log /dev/log local1 notice
> chroot /var/lib/haproxy
> stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd
> listeners
> stats timeout 30s
> user haproxy
> group haproxy
> daemon
>
> # Default SSL material locations
> ca-base /etc/ssl/certs
> crt-base /etc/ssl/private
>
> # Default ciphers to use on SSL-enabled listening sockets.
> # For more information, see ciphers(1SSL). This list is from:
> # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
> ssl-default-bind-ciphers
> EECDH+AES:+AES128:+AES256:+SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA
> ssl-default-bind-options no-sslv3
> tune.ssl.default-dh-param 2048
>
> defaults
> log global
> mode http
> option httplog
> option dontlognull
> timeout connect 5000
> timeout client 50000
> timeout server 50000
> errorfile 400 /etc/haproxy/errors/400.http
> errorfile 403 /etc/haproxy/errors/403.http
> errorfile 408 /etc/haproxy/errors/408.http
> errorfile 500 /etc/haproxy/errors/500.http
> errorfile 502 /etc/haproxy/errors/502.http
> errorfile 503 /etc/haproxy/errors/503.http
> errorfile 504 /etc/haproxy/errors/504.http
>
> option forwardfor except 127.0.0.1/8
> option redispatch
> option http-keep-alive
> no option http-use-htx
>
> frontend ssl
> bind ${HAPROXY_VRRP}:443 ssl crt tad-2019-chain.crt
> bind ${HAPROXY_IPV4}:443 ssl crt tad-2019-chain.crt
> bind ${HAPROXY_IPV6}:443 ssl crt tad-2019-chain.crt
>
> # capture request header Host len 50
> # capture response header Location len 50
> # capture request header User-Agent len 50
>
> http-request set-header X-Forwarded-Proto https
> http-request set-header X-Forwarded-Port 443
> http-request set-header X-Forwarded-Host %[ssl_fc_sni]
>
> http-response set-header Strict-Transport-Security max-age=31536000;\
> includeSubDomains
>
> acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
> rspirep ^(Set-Cookie:.*) \1;\ Secure unless secured_cookie
>
> acl host-tools hdr(host) tools.example.com
>
> acl to-etap path_beg /etap
>
> use_backend bck-etap if host-tools to-etap
>
> backend bck-etap
> server etap 192.168.1.69:8080 check
>
>
> From haproxy.log :
>
> Sep 14 13:57:35 haproxy-1 haproxy[9978]: Server bck-etap/etap is DOWN,
> reason: Layer4 timeout, check duration: 2001ms. 0 active and 0 backup servers
> left. 0 sessions active, 0 dequeued, 0 remaining in queue.
> Sep 14 13:57:35 haproxy-1 haproxy[9976]: [WARNING] 256/135735 (9978) : Server
> bck-etap/etap is DOWN, reason: Layer4 timeout, check duration: 2001ms. 0
> active and 0 backup servers left. 0 sessions active, 0 dequeued, 0 remaining
> in queue.
> Sep 14 13:57:35 haproxy-1 haproxy[9978]: Server bck-etap/etap is DOWN,
> reason: Layer4 timeout, check duration: 2001ms. 0 active and 0 backup servers
> left. 0 sessions active, 0 dequeued, 0 remaining in queue.
> Sep 14 13:57:35 haproxy-1 haproxy[9978]: backend bck-etap has no server
> available!
> Sep 14 13:57:35 haproxy-1 haproxy[9978]: backend bck-etap has no server
> available!
> Sep 14 13:57:35 haproxy-1 haproxy[9976]: [ALERT] 256/135735 (9978) : backend
> 'bck-etap' has no server available!
>
>
> Sep 14 13:58:16 haproxy-1 haproxy[9978]: 172.17.10.1:51523
> [14/Sep/2019:13:58:16.024] ssl~ bck-etap/<NOSRV> 0/-1/-1/-1/0 503 213 - -
> SC-- 16/15/0/0/0 0/0 "GET /etap/ HTTP/1.1"
> ^C
>
>
> --
> Ionel GARDAIS
> Tech'Advantage CIO - IT Team manager
>
> ----- Original message -----
> From: "Aleksandar Lazic" <[email protected]>
> To: "Ionel GARDAIS" <[email protected]>, "haproxy"
> <[email protected]>
> Sent: Saturday 14 September 2019 13:12:49
> Subject: Re: Issue with checks after 2.0.6
>
> Hi.
>
> On 14.09.2019 at 13:08, GARDAIS Ionel wrote:
> > Hi,
> >
> > I've just upgraded to 2.0.6 and all server checks went erratic.
> > I had to disable checks for the servers to be reachable.
> >
> > The observed behavior was a flip-flap (but mostly down) of server
> > availability
> > with L4TOUT when the server was considered unresponsive.
>
> Please can you share some more information like some configs and log lines.
>
> > Ionel
>
> Best regards
> Aleks
> --
> 232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON
> Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301
>

