Thank you very much for taking the time to review my information and give so much detailed feedback!
I implemented the changes and the proxy now responds as designed. In production testing I found another item I need to attend to. My original requirements did not include maintaining session affinity (stickiness?), but those requirements have changed. In looking at the documentation (I'm learning a lot from that alone!) I see a number of keywords that are related to this, but I don't have enough context to grasp their application. I don't know much about HTTP interaction beyond what I need for tracking down network/communication problems.

I need to configure HAProxy so it remembers which server responded to the client's previous request, and maintain that continuity until the session ends. As a practice, we avoid the use of cookies. I am load balancing HTTP (80), HTTPS (443) and net.tcp (808).

Is there a preferred common practice/keyword configuration for accomplishing this with HAProxy?

Again, many thanks for your time and attention.

On Sat, Mar 19, 2011 at 12:44 AM, Willy Tarreau <[email protected]> wrote:

> Hello Don,
>
> On Fri, Mar 18, 2011 at 06:54:09PM -0600, Don MacArthur wrote:
> > When I address the browser URL directly to the web server address all works
> > well. When I direct it through the proxy, on two sites I receive a message
> > that it can't connect, and on the third I get the prompt for the invalid
> > cert (correct, I'm accessing via the IP address) and then a 403 forbidden
> > message. The proxy server can ping the web server and the web server can
> > ping the proxy server. I experienced none of this in my test environment
> > and am wondering if I broke the config somehow, though I can find no
> > differences other than the addresses.
>
> I see several things that are wrong in your config, some of which could
> explain your issues:
>
> > listen port_443a
> >     mode http
>
> Here I find it very strange that your port 443 is http. In my opinion
> you'd want to have "mode tcp" here because I suspect that you're running
> SSL on this port.
>
> >     balance roundrobin
> >     option httpchk HTTP/1.1
>
> This is not the proper syntax for option httpchk. This will result in
> sending invalid HTTP requests ("OPTIONS HTTP/1.1 HTTP/1.1"). If you
> use only one parameter, it must be a URI (eg: /). Please take a look
> at the doc for the various possibilities.
>
> Also, having httpchk on an SSL service will probably not work, unless
> your server is able to talk HTTP on this port too. Otherwise, please
> use "option ssl-hello-chk" which will test for SSL.
>
> >     bind 10.100.5.15:443
> >     stats uri /haproxy-stats
>
> "stats uri" can only be used in HTTP instances, because on SSL, the
> request is ciphered in the stream and haproxy will not be able to do
> anything with it.
>
> >     server web1 10.100.5.5:443
>
> Right now, this server has no checks as it misses the "check" parameter.
> This is why it used to work, otherwise you would have noticed on the
> stats page that the server would have been down.
>
> Same comments for the second instance below.
>
> > listen port_443b
> >     mode tcp
> >     balance leastconn
> >     option httpchk HTTP/1.1
> >     bind 10.100.5.16:443
> >     stats uri /haproxy-stats
> >     server web2 10.100.5.6:443
> >
> > listen port_808
> >     mode tcp
>
> Here I suspect that you wanted HTTP on this port, but I may be
> wrong. If this is HTTP that you need, then I suggest that you
> also add "option http-server-close" too, otherwise haproxy will
> only check the first request of every connection, and your
> stats will not always be accessible.
>
> >     balance leastconn
> >     option httpchk HTTP/1.1
> >     bind 10.100.5.17:808
> >     stats uri /haproxy-stats
> >     server web3 10.100.5.7:808
>
> Regards,
> Willy
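
The checks from the review quoted above, written as a small config linter; this is an added example, not part of the original thread and not an HAProxy tool. The function name `lint` and the finding strings are hypothetical, a `bind` on port 443 is assumed to mean SSL, and only `listen` sections are read (no `defaults`), with two of the three quoted sections used as sample input.

```python
# Two of the three sections quoted in the thread, used as sample input.
SAMPLE = """\
listen port_443a
    mode http
    balance roundrobin
    option httpchk HTTP/1.1
    bind 10.100.5.15:443
    stats uri /haproxy-stats
    server web1 10.100.5.5:443
listen port_808
    mode tcp
    balance leastconn
    option httpchk HTTP/1.1
    bind 10.100.5.17:808
    stats uri /haproxy-stats
    server web3 10.100.5.7:808
"""

def lint(text):
    """Return sorted (section, finding) pairs for the issues named in the review."""
    sections, found = {}, set()
    for raw in text.splitlines():
        words = raw.split("#")[0].split()      # drop comments, tokenize
        if words and words[0] == "listen":
            current = sections.setdefault(words[1], [])
        elif words and sections:
            current.append(words)
    for name, lines in sections.items():
        # HAProxy falls back to tcp when a section sets no mode.
        mode = next((w[-1] for w in lines if w[0] == "mode"), "tcp")
        # Assumption: anything bound to :443 carries SSL.
        ssl = any(w[0] == "bind" and any(a.endswith(":443") for a in w[1:])
                  for w in lines)
        if ssl and mode == "http":
            found.add((name, "mode http on port 443"))
        for w in lines:
            if w[:2] == ["option", "httpchk"]:
                if len(w) == 3 and w[2].startswith("HTTP/"):
                    found.add((name, "httpchk argument is not a URI"))
                if ssl:
                    found.add((name, "httpchk on SSL port"))
            elif w[:2] == ["stats", "uri"] and mode != "http":
                found.add((name, "stats uri outside mode http"))
            elif w[0] == "server" and "check" not in w[3:]:
                found.add((name, "server without check"))
    return sorted(found)
```

Calling `lint(SAMPLE)` reports each finding once per section, and a section rewritten along the lines of the review (`mode tcp`, `option ssl-hello-chk`, `check` on the server line) comes back empty.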

