Hi all,
We have a haproxy for our web service. We forward the TCP port 80 traffic to
haproxy, and if it's not HTTP traffic we send it to the Internet using the
option transparent. But we found there is a lot of HTTP traffic in the Direct
backend, which shouldn't be there.
Here is the configuration.
###############
global
    pidfile /var/run/haproxy.pid
    maxconn 200000
    maxpipes 50000
    daemon
    stats socket /tmp/haproxy.sock
    nbproc 4
    spread-checks 5
    tune.rcvbuf.client 16384
    tune.rcvbuf.server 16384
    tune.sndbuf.client 32768
    tune.sndbuf.server 16384

defaults
    #TCP SECTION
    maxconn 200000
    backlog 32768
    timeout connect 5s
    timeout client 60s
    timeout server 60s
    timeout queue 60s
    timeout check 10s
    timeout http-request 15s
    timeout http-keep-alive 1s
    timeout tunnel 3600s
    option tcpka
    #HTTP SECTION
    hash-type consistent
    option accept-invalid-http-request
    option accept-invalid-http-response
    option redispatch
    option http-server-close
    option http-pretend-keepalive
    retries 2
    option httplog
    no option checkcache
    #SYSTEM SECTION
    option dontlog-normal
    option dontlognull
    option log-separate-errors

######### frontend ##############
frontend tcp-in
    bind :2222
    mode tcp
    log global
    option tcplog
    tcp-request inspect-delay 30s
    tcp-request content accept if HTTP
    use_backend NginxCluster if HTTP
    default_backend Direct

backend NginxCluster
    mode http
    option abortonclose
    balance uri whole
    log global
    source 0.0.0.0
    server ngx1 192.168.10.1:80 weight 20 check inter 5s maxconn 10000
    server ngx2 192.168.10.2:80 weight 20 check inter 5s maxconn 10000
    server ngx3 192.168.10.3:80 weight 20 check inter 5s maxconn 10000

backend Direct
    mode tcp
    log global
    option tcplog
    no option httpclose
    no option http-server-close
    no option accept-invalid-http-response
    no option http-pretend-keepalive
    option transparent
    option abortonclose
    option tcp-smart-connect

And here is the topology.
             client
                |
                |
                |
                |
                |
                |
             haproxy
                |
        ________|________
       |                 |
       |                 |
       |http traffic     |not http traffic
       |                 |to Internet outside
     nginx            Internet

So can the HTTP ACL not capture all the HTTP traffic there?
Regards
Jinge