Hi, Your last chance is tcp mode :)
Cheers Le 13 sept. 2013 18:09, "James Card" <[email protected]> a écrit : > Hi. I tried relaxing the checks but that didn't appear to work in this > case. > > a portion of my configuration: > > listen haproxy 192.168.56.2:8080 > stats enable > option httpchk > *option accept-invalid-http-request* > cookie SERVERID insert nocache > balance roundrobin > server openam1 192.168.56.3:8080 cookie 01 id 1001 check inter > 2000 rise 2 fall 5 > server openam2 192.168.56.4:8080 cookie 02 id 1002 check inter > 2000 rise 2 fall 5 > > with the same results when I "show errors" on the socket: > > > [root@haproxy haproxy]# echo "show errors" | socat stdio /tmp/haproxy > Total events captured on [13/Sep/2013:12:06:26.261] : 3 > > [13/Sep/2013:12:06:20.044] frontend haproxy (#1): invalid request > src 192.168.56.6, session #2, backend haproxy (#1), server <NONE> (#-1) > HTTP internal state 26, buffer flags 0x00909002, event #2 > request length 455 bytes, error at position 109: > > 00000 POST /openam/namingservice HTTP/1.0\r\n > 00037 User-Agent: OpenAM Web Agent/4.0.0\r\n > 00073 Connection: close\r\n > 00092 Accept: text/xml\r\r\n > 00111 Content-Type: text/xml; charset=UTF-8\r\r\n > 00151 Host: openam.gw.com\r\n > 00172 Content-Length: 260\r\n > 00193 \r\n > 00195 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n > 00251 <RequestSet vers="1.0" svcid="com.iplanet.am.naming" reqid="3">\n > 00315 <Request><![CDATA[\n > 00334 <NamingRequest vers="3.0" reqid="2">\n > 00371 <GetNamingProfile>\n > 00390 </GetNamingProfile>\n > 00410 </NamingRequest>]]>\n > 00430 </Request>\n > 00441 </RequestSet>\n > > > James > > > > ----- Original Message ----- > > From: Lukas Tribus > > Sent: 09/13/13 11:29 AM > > To: James Card, [email protected] > > Subject: RE: Receiving 403 errors with no attempt to communicate with the > actual server > > > Hi James, > > > > So this confirms what you are saying (see below). Without haproxy in a > > non-LB environment this works so apparently tomcat on the target openAM > > server is more lenient. > > You can disable those strict RFC checks by configuring [1]: > option accept-invalid-http-request > > However, by doing so you are only masking the problem and it could lead to > more serious problems eventually. > > > Lukas > > > > [1] > http://cbonte.github.io/haproxy-dconv/configuration-1.4.html#4-option%20accept-invalid-http-request > > >
