Hi all,

We have an HAProxy instance in front of our web service. We forward TCP port 80
traffic to haproxy, and if it is not HTTP traffic we send it on to the Internet
using option transparent. But we found there is a lot of HTTP traffic in the
Direct backend, which shouldn't be there.
Here is the configuration.


###############
global
    pidfile /var/run/haproxy.pid
    maxconn 200000
    maxpipes 50000
    daemon
    stats socket /tmp/haproxy.sock
    nbproc 4
    spread-checks 5
    tune.rcvbuf.client 16384
    tune.rcvbuf.server 16384
    tune.sndbuf.client 32768
    tune.sndbuf.server 16384

defaults
# TCP SECTION
    maxconn 200000
    backlog 32768
    timeout connect 5s
    timeout client 60s
    timeout server 60s
    timeout queue 60s
    timeout check 10s
    timeout http-request 15s
    timeout http-keep-alive 1s
    timeout tunnel 3600s
    option tcpka

# HTTP SECTION
    hash-type consistent
    option accept-invalid-http-request
    option accept-invalid-http-response
    option redispatch
    option http-server-close
    option http-pretend-keepalive
    retries 2
    option httplog
    no option checkcache

# SYSTEM SECTION
    option dontlog-normal
    option dontlognull
    option log-separate-errors

######### frontend ##############
frontend tcp-in
    bind :2222
    mode tcp
    log global
    option tcplog

    # Buffer the start of the request for up to 30s so the content rules
    # can look at it; accept as soon as the buffered data looks like HTTP
    tcp-request inspect-delay 30s
    tcp-request content accept if HTTP

    # HTTP goes to the web servers, everything else falls through to Direct
    use_backend NginxCluster if HTTP
    default_backend Direct

backend NginxCluster
    mode http
    option abortonclose
    balance uri whole
    log global
    source 0.0.0.0
    server ngx1 192.168.10.1:80 weight 20 check inter 5s maxconn 10000
    server ngx2 192.168.10.2:80 weight 20 check inter 5s maxconn 10000
    server ngx3 192.168.10.3:80 weight 20 check inter 5s maxconn 10000

backend Direct
    mode tcp
    log global
    option tcplog
    no option httpclose
    no option http-server-close
    no option accept-invalid-http-response
    no option http-pretend-keepalive
    # Connect to the destination address the client originally asked for
    option transparent
    option abortonclose
    option tcp-smart-connect

And here is the topology.

                client
                  |
                  |
                  |
               haproxy
                  |
          ________|________
         |                 |
         | http traffic    | not http traffic
         |                 | to Internet outside
       nginx           Internet


So can the HTTP ACL not capture all the HTTP traffic there?



Regards
Jinge
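As an added example (not from this thread and not HAProxy's own parser), a small Python model of the decision a content-inspection rule has to make on the bytes buffered so far. The `classify` and `route` functions, the method list and the sample segments are constructed assumptions; the point is the "undecided" outcome, which is what a request split across TCP segments, or a client that stalls, looks like until more data arrives, and why such connections end up in the default backend once the inspect delay runs out.

```python
import re
# Methods that count as "looks like HTTP" in this model
KNOWN_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE",
                 b"OPTIONS", b"TRACE", b"CONNECT", b"PATCH"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) ([^ \r\n]+) HTTP/\d\.\d\r?\n")
MAX_LINE = 8192  # stop waiting once a request line would be implausibly long

def classify(buf: bytes) -> str:
    """Return 'http', 'not_http' or 'undecided' for the bytes buffered so far.

    'undecided' means the first line is incomplete but could still become a
    request line, so an inspection rule must keep waiting for more data.
    """
    m = REQUEST_LINE.match(buf)
    if m:
        return "http" if m.group(1) in KNOWN_METHODS else "not_http"
    if b"\n" in buf or len(buf) > MAX_LINE:
        return "not_http"      # a whole first line arrived and it is not a request line
    if all(0x20 <= b <= 0x7E for b in buf):
        return "undecided"     # printable prefix such as "GET /index.ht"
    return "not_http"          # binary start, e.g. a TLS ClientHello (0x16 0x03 ...)

def route(segments, inspect_limit: int = 3) -> str:
    """Feed TCP segments one at a time and choose a backend the way a content
    rule would: keep waiting while undecided, for at most inspect_limit segments
    (standing in for tcp-request inspect-delay), then fall back to the default.
    """
    buf = b""
    for seg in segments[:inspect_limit]:
        buf += seg
        verdict = classify(buf)
        if verdict == "http":
            return "NginxCluster"
        if verdict == "not_http":
            return "Direct"
    return "Direct"   # delay expired while still undecided: default_backend wins

# Constructed sample first segments (not captured traffic)
SAMPLES = {
    "whole request":    [b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"],
    "split request":    [b"GET /index.ht", b"ml HTTP/1.1\r\nHost: a\r\n\r\n"],
    "slow client":      [b"GET /index.ht"],      # rest never arrives in time
    "tls client hello": [b"\x16\x03\x01\x00\xa5\x01"],
    "ssh banner":       [b"SSH-2.0-OpenSSH_9.6\r\n"],
}

def summarize() -> dict:
    """Map each sample to the backend it would reach."""
    return {name: route(segs) for name, segs in SAMPLES.items()}
```

Running `summarize()` shows only the stalled "slow client" request landing in Direct; comparing that count against the tcplog lines of the real Direct backend is a quick way to tell slow or fragmented clients from traffic that the rule genuinely never sees as HTTP.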
