Hi,

On Fri, Jul 05, 2013 at 09:25:30AM +0200, Lukas Tribus wrote:
> > My Haproxy.cfg frontend is working with 'mode tcp' like this..
> > ----------------------------
> > defaults
> > mode tcp
> > # mode http
> > option tcplog
> > retries 3
> > option redispatch
> > timeout connect 5000
> > timeout client 50000
> > timeout server 50000
> >
> > frontend all 0.0.0.0:80
> > maxconn 2000
> > timeout client 50000
> > default_backend backserver
> > ----------------------------
> >
> > And backend is working with 'mode http' like this
> > ----------------------------
> > backend backserver
> > mode http
> > balance roundrobin
> > option http-server-close
> > option forwardfor
> > server serv1 192.168.x.x maxconn 1024
> > server serv2 192.168.x.x maxconn 1024
> > ----------------------------
> 
> 
> Is this really the complete configuration? You seem to use http mode on
> the backend and tcp mode on the frontend, which I'm not sure is supposed to
> work (it should abort with an error when starting haproxy).
> Can you remove "mode http" from the backend?

Yes it does work since some 1.5-dev-something. It's handy to select either an
HTTP server or an SSH server if you see what I mean :-) One of the downsides
of this is that you can't get HTTP logs because the log buffer is allocated by
the frontend, and the log format is defined by the frontend. So logs are in TCP
format only. So in general when you're doing this, you're very close to doing
something wrong.

> > I can understand that Haproxy has accepted invalid http request from client.
> > But I have 2 questions.
> >
> > 1) Does my Haproxy check requests about Http-Level(L7) headers content in
> > spite of running with 'mode tcp'?
> > According to the logs from unix-socket, Haproxy seems to check requests
> > about L7 headers...
> > I can't understand why.
> 
> No, but you seem to run "mode http" on the backend, which is why there is
> layer 7 processing.

Exactly.

> You can apply one of these options to avoid dropping invalid requests:
> - option accept-invalid-http-request in the frontend/default section
> - option accept-invalid-http-response in the backend/default section
> - remove "mode http" and use "mode tcp"

And I'm wondering what is the purpose of deliberately letting such
obviously bad (and probably dangerous) requests pass through...

Best regards,
Willy
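
An added example, not part of the original message and not the project's own configuration: the poster's setup with frontend and backend both in HTTP mode, so the HTTP log format is available at the frontend and malformed requests are still rejected. The `global` log target and the server addresses are assumed placeholders, since the thread elides the real addresses.

```haproxy
# Added example: consistent HTTP mode on both sides.
global
    log 127.0.0.1 local0        # assumed syslog target, not from the thread

defaults
    mode http                   # frontend and backend both parse HTTP
    log global
    option httplog              # HTTP log format, usable because the frontend is in HTTP mode
    retries 3
    option redispatch
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    # "option accept-invalid-http-request" and
    # "option accept-invalid-http-response" are deliberately left out,
    # so invalid messages are rejected instead of being passed through.

frontend all
    bind 0.0.0.0:80
    maxconn 2000
    default_backend backserver

backend backserver
    balance roundrobin
    option http-server-close
    option forwardfor
    # Placeholder addresses (documentation range); the thread shows 192.168.x.x
    server serv1 192.0.2.11:80 maxconn 1024
    server serv2 192.0.2.12:80 maxconn 1024
```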

