Hi. I tried relaxing the checks but that didn't appear to work in this case.
a portion of my configuration: listen haproxy 192.168.56.2:8080 stats enable option httpchk *option accept-invalid-http-request* cookie SERVERID insert nocache balance roundrobin server openam1 192.168.56.3:8080 cookie 01 id 1001 check inter 2000 rise 2 fall 5 server openam2 192.168.56.4:8080 cookie 02 id 1002 check inter 2000 rise 2 fall 5 with the same results when I "show errors" on the socket: [root@haproxy haproxy]# echo "show errors" | socat stdio /tmp/haproxy Total events captured on [13/Sep/2013:12:06:26.261] : 3 [13/Sep/2013:12:06:20.044] frontend haproxy (#1): invalid request src 192.168.56.6, session #2, backend haproxy (#1), server <NONE> (#-1) HTTP internal state 26, buffer flags 0x00909002, event #2 request length 455 bytes, error at position 109: 00000 POST /openam/namingservice HTTP/1.0\r\n 00037 User-Agent: OpenAM Web Agent/4.0.0\r\n 00073 Connection: close\r\n 00092 Accept: text/xml\r\r\n 00111 Content-Type: text/xml; charset=UTF-8\r\r\n 00151 Host: openam.gw.com\r\n 00172 Content-Length: 260\r\n 00193 \r\n 00195 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n 00251 <RequestSet vers="1.0" svcid="com.iplanet.am.naming" reqid="3">\n 00315 <Request><![CDATA[\n 00334 <NamingRequest vers="3.0" reqid="2">\n 00371 <GetNamingProfile>\n 00390 </GetNamingProfile>\n 00410 </NamingRequest>]]>\n 00430 </Request>\n 00441 </RequestSet>\n James ----- Original Message ----- From: Lukas Tribus Sent: 09/13/13 11:29 AM To: James Card, [email protected] Subject: RE: Receiving 403 errors with no attempt to communicate with the actual server Hi James, > So this confirms what you are saying (see below). Without haproxy in a > non-LB environment this works so apparently tomcat on the target openAM > server is more lenient. You can disable those strict RFC checks by configuring [1]: option accept-invalid-http-request However, by doing so you are only masking the problem and it could lead to more serious problems eventually. Lukas [1] http://cbonte.github.io/haproxy-dconv/configuration-1.4.html#4-option%20accept-invalid-http-request
