Hi,

On Mon, Mar 05, 2012 at 12:49:18PM +0100, [email protected] wrote:
> Perhaps I'm having a problem with my specific implementation.
> If I balance source at haproxy before SSL decryption and send traffic on, I
> get routed to a number of different backend servers from different IPs.
>
> If I use LVS to direct incoming traffic to a group of stud SSL decryptors
> with PROXY protocol enabled, then onto HAProxy with balance source, all my
> traffic goes to the same backend.
>
> example logs:
> HAProxy listening on :443
>
> Mar 5 10:27:46 localhost haproxy[25795]: X.26.0.161:34205
> [05/Mar/2012:10:27:45.418] https_server https_server/server2 0/0/971 3743 --
> 0/0/0
> /0/0 0/0
> Mar 5 11:27:49 localhost haproxy[25795]: X.74.241.4:6281
> [05/Mar/2012:11:27:48.835] https_server https_server/server9 0/0/822 3743 --
> 0/0/0
> /0/0 0/0
> Mar 5 11:28:22 localhost haproxy[25795]: X.4.0.11:49394
> [05/Mar/2012:11:28:21.779] https_server https_server/server2 0/0/832 3743 --
> 0/0/0/0
> /0 0/0
> Mar 5 11:29:10 localhost haproxy[25795]: X.94.93.215:50166
> [05/Mar/2012:11:29:08.833] https_server https_server/server14 0/0/1271 3919
> -- 0
> /0/0/0/0 0/0
>
> But with Stud and PROXY protocol before HAProxy everything goes to server 4
>
> Mar 5 11:31:01 localhost haproxy[28351]: ::ffff:X.74.241.4:35759
> [05/Mar/2012:11:31:01.141] http_server http_server/server4 98/0/0/618/716 200
> 494 - - ---- 0/0/0/0/0 0/0 {.example.com|} {|session=YcydrYJakCICpnlCNCHozw;
> Path=/; Domain=.example.com; Secure; HttpOnly; } "POST /login HTTP/1.1"
> Mar 5 11:31:05 localhost haproxy[28351]: ::ffff:X.4.0.11:50993
> [05/Mar/2012:11:31:04.304] http_server http_server/server4 102/0/0/638/740
> 200 494 - - ---- 0/0/0/0/0 0/0 {10.2.6.104|}
> {|session=oChlXqg4XksajMIHUcuEvA; Path=/; Domain=.example.com; Secure;
> HttpOnly; } "POST /login HTTP/1.1"
> Mar 5 11:31:09 localhost haproxy[28351]: ::ffff:X.94.93.215:52581
> [05/Mar/2012:11:31:09.033] http_server http_server/server4 314/0/0/619/933
> 200 494 - - ---- 0/0/0/0/0 0/0 {.example.com|}
> {|session=WQbyueVe6A86Zs0fMY20WA; Path=/; Domain=.example.com; Secure;
> HttpOnly; } "POST /login HTTP/1.1"
> Mar 5 11:32:03 localhost haproxy[28351]: ::ffff:X.26.0.161:48867
> [05/Mar/2012:11:32:02.762] http_server http_server/server4 60/0/0/601/661 200
> 494 - - ---- 0/0/0/0/0 0/0 {.example.com|} {|session=w7xNRxyq-ySzLuxd7o4bjg;
> Path=/; Domain=.example.com; Secure; HttpOnly; } "POST /login HTTP/1.1"
>
> The Haproxy config is here: (to stop this post being super long)
> http://pastie.org/3525275
>
> Could stud supplying the client IP in an ipv6 format be causing this?

I don't think so, otherwise the logs would be wrong. I suspect that somewhere
we don't correctly hash all the 16 bytes of the IPv6 address and only use the
first 4 (all zero), resulting in what you're observing.

I'll check if I can reproduce here.

Thanks for the report,
Willy
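
Added illustration of the effect suspected in the reply above (not part of the original thread and not HAProxy's code): hashing only the first 4 bytes of an IPv4-mapped IPv6 address sends every client to one server, while hashing all 16 bytes spreads them. The hash function, the farm size of 14 and the client addresses are assumptions constructed for this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>

#define NUM_SERVERS 14 /* assumed farm size, for illustration only */

/* Constructed sample clients (documentation ranges), written as the
 * IPv4-mapped IPv6 form seen in the second set of logs. */
static const char *clients[] = {
    "::ffff:192.0.2.10", "::ffff:192.0.2.11",
    "::ffff:198.51.100.7", "::ffff:203.0.113.99",
};
#define NUM_CLIENTS (sizeof(clients) / sizeof(clients[0]))

/* Toy multiplicative hash over `len` bytes; a stand-in, not HAProxy's. */
static unsigned int hash_bytes(const unsigned char *p, size_t len)
{
    unsigned int h = 0;
    for (size_t i = 0; i < len; i++)
        h = h * 31 + p[i];
    return h;
}

/* Server index chosen from the first `len` bytes of an IPv6 literal,
 * or -1 if the literal does not parse or `len` exceeds 16. */
int pick_server(const char *ip6, size_t len)
{
    struct in6_addr a;
    if (len > sizeof(a.s6_addr) || inet_pton(AF_INET6, ip6, &a) != 1)
        return -1;
    return (int)(hash_bytes(a.s6_addr, len) % NUM_SERVERS);
}

/* Number of distinct servers the sample clients are spread over. */
int distinct_servers(size_t len)
{
    int seen[NUM_SERVERS] = {0}, n = 0;
    for (size_t i = 0; i < NUM_CLIENTS; i++) {
        int s = pick_server(clients[i], len);
        if (s >= 0 && !seen[s]++)
            n++;
    }
    return n;
}

int main(void)
{
    printf("4 bytes hashed:  %d server(s)\n", distinct_servers(4));
    printf("16 bytes hashed: %d server(s)\n", distinct_servers(16));
    return 0;
}
```

In `::ffff:a.b.c.d` the client's IPv4 address occupies bytes 12 to 15, so a hash that stops after byte 3 sees only zeros regardless of the client.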

