Hi Chris,

The option you mentioned keeps the TCP connection alive on the client
side, if the client is compatible with HTTP keep-alive.
The connection is kept alive as long as it needs to be; this can be
driven by HAProxy through the "timeout http-keepalive" parameter.

It does not mean all the requests from a client session will be
redirected to a single server.
For this purpose, you can use the "cookie" keyword, i.e. "cookie
SERVERID insert" + cookie parameter on the server line.
This cookie will time out when the browser window is closed. This
is a session cookie.
You can force an idle timeout on such a cookie if you wish.

I recommend that you read the HAProxy configuration manual about the
options above.

Baptiste


On Tue, Oct 29, 2013 at 12:31 AM, Chris <bludge...@gmail.com> wrote:
> Hello again Baptiste,
>
> Thank you for replying back to my questions, they are very helpful answers
> and I really do appreciate your time.
>
> Concerning your question back about persistence or stickiness:
>
>
>> - Sessions need to stay alive after being offloaded to the backend web
>> servers to port 80 on them.  (Session keepalive or stickiness?)
>
> do you mean persistence or connection keepalives ???
>
>
> I meant for session persistence, and does the following allow persistence to
> happen correctly?:
>
>  option http-server-close
>
>
> If it does, one final question would be how does one control the length of
> persistence, is that something controlled with a specific timeout variable?
>
> Thank you so much again, I really appreciate your help a lot.
>
> Chris
>
>
> -Chris
>
>
> On Tue, Oct 22, 2013 at 2:13 AM, Baptiste <bed...@gmail.com> wrote:
>>
>> Hi Chris,
>>
>> My answers inline.
>>
>> On Mon, Oct 21, 2013 at 10:57 PM, Chris <bludge...@gmail.com> wrote:
>> > - If any of these domains and subdomains are called with http://, they
>> > need to be redirected to https://
>>
>> # redirect http to https when connection is not ciphered
>> http-request redirect scheme https if !{ ssl_fc } { hdr(host) www.test.com broker.test.com eclose.test.com images.test.com }
>>
>>
>> > - If a call comes in just to test.com, it needs to be redirected to
>> > https www.test.com:443
>>
>> # redirect test.com:80 to https://www.test.com:443
>> http-request redirect prefix https://www.test.com if !{ ssl_fc } { hdr(host) test.com }
>>
>>
>> > - Sessions need to stay alive after being offloaded to the backend web
>> > servers to port 80 on them.  (Session keepalive or stickiness?)
>>
>> do you mean persistence or connection keepalives ???
>>
>>
>> > - images.test.com does not need to have SSL offloaded and I'm wondering
>> > if I should incorporate this into haproxy at all, maybe for load
>> > balancing at some point, this seems like a good idea)
>>
>> well, this is not what you asked in your first question, you wanted to
>> offload SSL on all your domains.
>> That said, I agree, ciphering images (usually) is useless.
>>
>> # redirect http to https when connection is not ciphered
>> http-request redirect scheme https if !{ ssl_fc } { hdr(host) www.test.com broker.test.com eclose.test.com }
>>
>> since images.test.com is not in the list, the traffic will be accepted
>> on port 80.
>>
>> > defaults
>> >     mode http
>> >     maxconn 512
>> >     option dontlognull
>> >     option http-server-close
>> >     retries 3
>> >     contimeout 60000
>> >     clitimeout 60000
>> >     srvtimeout 60000
>> >
>> > frontend haproxy_http
>> >     bind 0.0.0.0:80
>> >     timeout client 86400000
>> >     acl is_test hdr_end(host) -i www.test.com
>> >     acl is_broker_test hdr_end(host) -i broker.test.com
>> >     acl is_eclose_test  hdr_end(host) -i eclose.test.com
>> >     acl is_images_test  hdr_end(host)  -i images.test.com
>> >
>> >
>>       # redirect http to https when connection is not ciphered
>>       http-request redirect scheme https if !{ ssl_fc } { hdr(host) www.test.com broker.test.com eclose.test.com images.test.com }
>>       # redirect test.com:80 to https://www.test.com:443
>>       http-request redirect prefix https://www.test.com if !{ ssl_fc } { hdr(host) test.com }
>>
>>       use_backend is_images_test if { hdr(host) images.test.com }
>>
>> >
>> >
>> >
>> > frontend haproxy_https
>> >     bind 0.0.0.0:443 ssl crt /etc/haproxy/certs/wildcard.pem
>> >     log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r
>> >     acl is_test_https hdr_end(host) -i www.test.com
>> >     acl is_broker_test_https hdr_end(host) -i broker.test.com
>> >     acl is_eclose_test_https hdr_end(host) -i eclose.test.com
>> >     use_backend         is_test_https_backend if  is_test_https
>> >     use_backend         is_broker_https_backend    if is_broker_test_https
>> >     use_backend         is_eclose_https_backend  if is_eclose_test_https
>> >
>> >
>> >
>> > # backends
>> >
>> > backend is_test_https_backend
>> >     mode http
>> >     balance source
>> >     option http-server-close
>> >     server server1 192.168.33.70
>> >     server server2 192.168.33.170
>> >
>> > backend is_broker_https_backend
>> >     mode http
>> >     balance source
>> >     option http-server-close
>> >     server server1 192.168.33.71
>> >     server server2 192.168.33.171
>> >
>> > backend is_eclose_https_backend
>> >     mode http
>> >     balance source
>> >     option http-server-close
>> >     server server1 192.168.33.72
>> >     server server2 192.168.33.172
>> >
>> > backend is_images_test
>> >     mode http
>> >     balance source
>> >     option http-server-close
>> >     server server1 192.168.33.73
>> >     server server2 192.168.33.13
>> >
>> >
>> > I think I'm close, but just not sure if I'm sanely doing things.  I've
>> > tried to put pieces of information together from several different posts
>> > around the Internet, but I have found nothing that is concise enough to
>> > really make me understand what I'm doing wrong.
>> >
>> > Thank you SO much,
>> >
>> > Chris
>>
>>
>> configuration out of my head, with no testing, but should work.
>>
>> Baptiste
>
>
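
The cookie-based persistence described in the reply at the top of this thread, written out as an added example (not part of the original messages and not tested against Chris's setup). The backend name and server addresses are taken from the quoted configuration; the cookie values `s1`/`s2`, port 80 on the server lines, and all timeout and lifetime values are assumptions.

```haproxy
# Added example: connection keep-alive vs. session persistence.
defaults
    mode http
    # Client-side keep-alive only: the server-side connection is closed after
    # each response. This gives no server affinity by itself.
    option http-server-close
    timeout connect 5s
    timeout client  60s
    timeout server  60s
    # How long an idle client connection is kept open between requests.
    # The keyword is spelled with a hyphen in "keep-alive".
    timeout http-keep-alive 10s

backend is_test_https_backend
    balance roundrobin
    # insert    : HAProxy sets the persistence cookie itself
    # indirect  : the cookie is removed before the request reaches the server
    # nocache   : responses carrying the Set-Cookie are marked non-cacheable,
    #             so a shared cache cannot hand one client's cookie to another
    # httponly  : the cookie is not readable from page scripts
    # secure    : the browser only sends it over HTTPS (clients reach this
    #             backend through the SSL-offloading frontend)
    # maxidle   : idle timeout on the cookie (assumed value)
    # maxlife   : absolute lifetime of the cookie (assumed value)
    cookie SERVERID insert indirect nocache httponly secure maxidle 30m maxlife 8h
    # The "cookie" parameter on each server line is the value that identifies
    # that server; "check" stops traffic going to a server that is down.
    server server1 192.168.33.70:80  check cookie s1
    server server2 192.168.33.170:80 check cookie s2
```

Without `maxidle`/`maxlife` the cookie is a plain session cookie that lasts until the browser is closed; `haproxy -c -f <file>` checks the syntax before a reload.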
