Hi,

Here is my setup:
- 2 Debian lenny nodes, with haproxy 1.3.22 (lenny backport package)
- kernel 2.6.33 with the latest grsecurity patch (grsecurity-2.1.14-2.6.33-201003071645.patch)
- postfix 2.5.5

haproxy runs on one of the two nodes (which one is controlled by heartbeat), 
and uses the 2 nodes as backends for HTTP, HTTPS and SMTP.

No problem with HTTP and HTTPS backends.


But I have a problem with the SMTP backends when enabling the BLACKHOLE grsecurity 
feature. I spent some time with Brad Spengler (grsec dev) trying to fix this 
within grsec. We tried some patches, but found nothing. There seems to be a 
missing RST packet when closing the connection, and for now he has found no way to fix 
it without disabling the BLACKHOLE feature.
The latest thought was that it could be a problem/bug within haproxy.



Symptoms:
- each SMTP probe (smtpchk) results in a socket in the LAST_ACK state on the 
remote backend (the local backend is not affected since BLACKHOLE does not 
affect local sockets).
- Lots of TCP replays from the SMTP backend.
- Lots of SMTP probes fail, probably due to the large number of sockets 
remaining in the LAST_ACK state. From my stats, around 6% of the probes 
fail.


Attached are the haproxy configuration and 2 small tcpdump captures: one with 
BLACKHOLE enabled (haproxy_smtp_probe_ko.pcap) and the other with BLACKHOLE 
disabled (haproxy_smtp_probe_ok.pcap).



So, do you have an idea about this problem? Bug? Not a bug? Incompatibility 
between the two?


Thanks for your feedback,
Guillaume


-- 
Guillaume Castagnino
    [email protected]
    Tel : +33148242089
global
    log 127.0.0.1   local0
    log 127.0.0.1   local1 notice
    user            haproxy
    group           haproxy
    daemon

defaults
    log         global
    option      httplog
    option      dontlognull
    retries     3
    option      redispatch
    stats       enable
    stats       auth XXXX:XXXX
    maxconn     2000
    timeout     connect 4s
    timeout     client 5s
    timeout     server 30s
    timeout     http-request 5s


backend back-http
    balance     roundrobin
    mode        http
    option      httpclose
    option      forwardfor header X-Client
    option      httpchk HEAD /.check HTTP/1.0
    cookie      SERVERID insert nocache indirect
    server      pepperway-prod1 pepperway-prod1:80 cookie pool1 check inter 2000 rise 2 fall 5 maxconn 200
    server      pepperway-prod2 pepperway-prod2:80 cookie pool2 check inter 2000 rise 2 fall 5 maxconn 200

backend back-https
    balance     source
    mode        tcp
    option      ssl-hello-chk
    server      pepperway-prod1 pepperway-prod1:443 check inter 2000 rise 2 fall 5 maxconn 100
    server      pepperway-prod2 pepperway-prod2:443 check inter 2000 rise 2 fall 5 maxconn 100

backend back-smtp
    balance     roundrobin
    mode        tcp
    option      smtpchk EHLO pepperway.fr
    server      pepperway-prod1 pepperway-prod1:25 check inter 2000 rise 2 fall 5 maxconn 100
    server      pepperway-prod2 pepperway-prod2:25 check inter 2000 rise 2 fall 5 maxconn 100


frontend front-webapp 87.98.142.217:80
    mode                http
    default_backend     back-http

frontend front-webapp2 91.121.61.220:80
    mode                http
    default_backend     back-http

frontend front-webapp-ssl 87.98.142.217:443
    mode                tcp
    default_backend     back-https

frontend front-smtp 87.98.142.217:25
    mode                tcp
    default_backend     back-smtp

Attachment: haproxy_smtp_probe_ko.pcap
Description: Binary data

Attachment: haproxy_smtp_probe_ok.pcap
Description: Binary data
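The following is an added example, not code from the original post and not haproxy's own check implementation. It reproduces the smtpchk exchange the post describes (connect, wait for the 220 banner, send `EHLO pepperway.fr`, treat a 2xx reply as healthy) against a constructed SMTP greeter on 127.0.0.1, so both sides of the probe can be watched with tcpdump while toggling how the client side closes. How haproxy 1.3.22 actually tears the probe connection down (QUIT or not, FIN or RST) is not stated on the page, so the `graceful` switch and the `shutdown()` call are assumptions for experimentation. The `count_last_ack` helper counts backend sockets stuck in LAST_ACK from `ss -tan` output; the `SAMPLE_SS` text it is fed here is constructed, not taken from the poster's systems.

```python
"""smtpchk-style probe with both sides, plus a LAST_ACK counter for ss output."""
import socket
import threading

EHLO_NAME = "pepperway.fr"  # from the posted 'option smtpchk EHLO' line


def _readline(sock, limit=1024):
    """Read one CRLF-terminated line (or until EOF / limit) from a blocking socket."""
    buf = b""
    while not buf.endswith(b"\r\n") and len(buf) < limit:
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf


def read_reply(sock):
    """Read a complete, possibly multi-line, SMTP reply ('250-...' continues, '250 ' ends)."""
    lines = []
    while True:
        line = _readline(sock).decode(errors="replace")
        lines.append(line.rstrip("\r\n"))
        if len(line) < 4 or line[3] != "-":
            break
    return "\n".join(lines)


def start_mock_smtp(banner=b"220 mock ESMTP ready\r\n"):
    """Constructed one-shot SMTP greeter on an ephemeral port; returns (host, port, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            try:
                conn.sendall(banner)
                cmd = _readline(conn)
                if cmd.upper().startswith(b"EHLO"):
                    conn.sendall(b"250-mock\r\n250 PIPELINING\r\n")
                elif cmd:
                    conn.sendall(b"502 command not implemented\r\n")
                _readline(conn)  # wait for QUIT or for the peer's FIN before closing
            except OSError:
                pass  # peer closed abruptly; nothing more to do on this side
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return "127.0.0.1", port, t


def smtp_probe(host, port, timeout=4.0, graceful=True):
    """One smtpchk-style probe. Returns (healthy, reply_text).

    graceful=True sends QUIT before closing; either way the client ends with a
    shutdown() (FIN). An abortive close (RST) would instead need SO_LINGER 0.
    Both close styles are assumptions; the page does not say which haproxy uses.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            banner = _readline(s).decode(errors="replace").strip()
            if not banner.startswith("2"):
                return False, banner
            s.sendall(f"EHLO {EHLO_NAME}\r\n".encode())
            reply = read_reply(s)
            if graceful:
                s.sendall(b"QUIT\r\n")
            s.shutdown(socket.SHUT_RDWR)
            return reply.startswith("2"), reply
    except OSError as exc:  # connect/read timeout or reset counts as a failed probe
        return False, f"probe error: {exc}"


# Constructed sample of `ss -tan` output on a backend (not real data from the post).
SAMPLE_SS = """State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LAST-ACK   0      1      10.0.0.2:25          10.0.0.1:51234
LAST-ACK   0      1      10.0.0.2:25          10.0.0.1:51240
ESTAB      0      0      10.0.0.2:25          10.0.0.1:51250
LAST-ACK   0      1      10.0.0.2:80          10.0.0.1:51260
"""


def count_last_ack(ss_output, local_port):
    """Count LAST-ACK sockets whose local port is `local_port` in `ss -tan` output."""
    count = 0
    for line in ss_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        state, local = fields[0], fields[3]
        if state == "LAST-ACK" and local.rsplit(":", 1)[-1] == str(local_port):
            count += 1
    return count


if __name__ == "__main__":
    host, port, thread = start_mock_smtp()
    print(smtp_probe(host, port))
    thread.join(5)
    print("LAST-ACK sockets on :25 in sample:", count_last_ack(SAMPLE_SS, 25))
```

Run it twice under `tcpdump -ni lo port <port>` with `graceful=True` and `graceful=False` to see which side sends the first FIN; on a real backend, `watch ss -tan state last-ack` (or `netstat -tan | grep LAST_ACK` on older systems) shows whether probe connections accumulate the way the post describes.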
