On Tue, Apr 06, 2010 at 11:42:53AM +0100, Matt wrote: > Hi all, > > Using HA-Proxy version 1.3.19 2009/07/27. Set-up is HA-Proxy balancing a > pool of Jetty servers. > > We had a tomcat application using keep-alive that was having issues (kept on > opening many connections), so to stop that and other clients getting the > same problem we used the option httpclose which fixed the problem. > > This though has added another issue when using digest authentication with > curl. When sending to the HA-Proxy IP:- > > **request** > > User-Agent: curl/7.19.5 (i486-pc-linux-gnu) libcurl/7.19.5 OpenSSL/0.9.8g > zlib/1.2.3.3 libidn/1.15 > > Host: ........... > > Accept: */* > > content-type:application/xml > > Content-Length: 0 > > Expect: 100-continue > > **response** > < HTTP/1.1 100 Continue > < Connection: close > * Empty reply from server > * Closing connection #0 > curl: (52) Empty reply from server > > It looks like HA-Proxy is sending 100-continue and not 401 and adding the > connection closed header. If I use curl with the --http1.0 option, then it > works as expected, but I guess this is forcing Jetty to work in http 1.0 > mode.
This was fixed in 1.3.23 and 1.3.24. The issue is not what you describe above. What happens is that the client sends the "Expect: 100-continue" header, which is forwarded to the server. The server then replies with "HTTP/1.1 100 Continue" and haproxy adds the "Connection: close" response there. Strictly speaking, both curl and haproxy are incorrect here : - haproxy should not add any header on a 100-continue response - libcurl should ignore any header in a 100-continue response. But the reality is that both do probably not consider the 100-continue response as a special case, which it is. There is nothing you can do with the configuration to fix this, you should really update your version (also other annoying issues have been fixed since 1.3.19). Either you install 1.3.24 (or 1.3.23 if you don't find 1.3.24 yet for your distro), or you can switch to 1.4.3. Well, maybe if you remove "option httpclose" and replace it with "reqadd Connection:\ close", without the corresponding "rspadd", it could work, if you don't have anything else touching the response (no cookie insertion, ...). This would rely on the server to correctly close the response. But it would be an awful hack. > When using apache in front of HA-Proxy with both force-proxy-request-1.0 and > proxy-nokeepalive the request is successful. This is because the Expect header appeared in 1.1, so the client cannot use it if you force the request as 1.0. Regards, Willy
