Hi Chris,

How can you point to HAProxy for such a problem?
I mean, you have a single server in your farm, so if the browser can't
download objects, it may come from another point.
And since you have a single server, you don't need persistence ;)

Can you confirm whether:
- the application works well in HTTP (clear)
- the application works well without HAProxy

Note that SSL offloading may have some impact on web applications:
http://blog.exceliance.fr/2013/02/26/ssl-offloading-impact-on-web-applications/

Can you enable logs as described in the link above and check the result?

Baptiste


On Mon, Nov 11, 2013 at 8:49 PM, Chris <bludge...@gmail.com> wrote:
> Hello everyone,
>
> I have a question concerning session persistence with offloading SSL via
> haproxy to backend nginx web servers running a PHP website.
>
> Basically, I have a configuration that is performing the SSL offloading
> successfully, however, it seems that session persistence is not working
> properly as some of the images from the nginx web server are not showing up,
> however the login fields for this web server are showing up.
>
> What needs to happen is that an http request comes into haproxy, http calls
> get redirected to https, SSL is offloaded and the connection is handed over
> to the relevant back-end - with session persistence intact via ACLs within
> haproxy.
>
> I have read that "http-server-close" will preserve the connection and keep
> it persistent but I have not been able to get this to work.  I have also
> read that the type of balance used  (such as round robin) can affect the
> persistence of connections.  I have also tried to use
>
> "cookie PHPSESSID insert nocache indirect"  but I just am having no luck as
> there are a slew of configurations that can be used to do this task and I
> have gone over the haproxy documentation again and again and I just am not
> sure of the correct way of doing this.  The haproxy documentation is very
> thorough, but it is also very complex.
>
> In an effort to try to get this working, below is the configuration for my
> haproxy setup, I have stripped out all of the testing configurations that
> I've been using to try to get it to work.  I am hoping that someone might be
> able to assist me with properly getting this configured to make sessions
> persistent.
>
> Your expertise and advice are greatly welcomed and very appreciated - I
> thank you for your time.
>
> ---
> global
>   log 127.0.0.1 local0
>   log 127.0.0.1 local1
>   user haproxy
>   group haproxy
>   daemon
>
> defaults
>   log global
>   mode http
>   option httplog
>   option dontlognull
>   option redispatch
>   stats enable
>   maxconn 512
>   retries 3
>   contimeout 60000
>   clitimeout 60000
>   srvtimeout 60000
>
>
> ###### http frontend to redirect to https frontend
>
>  frontend https_frontend
>         bind 0.0.0.0:80
>         redirect scheme https if !{ ssl_fc }
>
>
> ###### https frontend to offload SSL to the backends
>
> frontend haproxy_https
>   mode http
>   option http-server-close
>   bind 0.0.0.0:443 ssl crt /etc/haproxy/psl-wildcard/wildcard.pem ca-file /etc/haproxy/psl-wildcard/wildcard.ca-bundle
>
>   acl is_psl_https              hdr_end(host)   -i www.test-site.com
>   acl is_broker_psl_https       hdr_end(host)   -i broker.test-site.com
>   acl is_eclose_psl_https       hdr_end(host)   -i eclose.test-site.com
>
>   use_backend           is_psl_https_backend    if      is_psl_https
>   use_backend           is_broker_https_backend if      is_broker_psl_https
>   use_backend           is_eclose_https_backend if      is_eclose_psl_https
>
>   default_backend       is_psl_https_backend
>
>
>
> ###### backends
>
> backend is_psl_https_backend
>   mode http
>   balance source
>   option http-server-close
>   server server1 10.10.221.171:80
>
> backend is_broker_https_backend
>   mode http
>   balance source
>   option http-server-close
>   server server1 10.10.221.172:80
>
> backend is_eclose_https_backend
>   mode http
>   balance source
>   option http-server-close
>   server server1 10.10.221.173:80
>
>
> listen admin 0.0.0.0:22002
>   mode http
>   stats uri /
>
> ----
>
> Again, thank you very much.
>
> Sincerely,
>
> Chris
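
Added example, not part of either message above: when SSL is offloaded, the backend only sees plain HTTP, so a typical effect on the application is redirects or object URLs that still use http:// and session cookies issued without the Secure flag. The Python check below looks for those in a captured backend response; the sample headers and body are constructed, and `offload_findings` is a hypothetical helper name.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: what a backend behind the offloader might return when it
# believes the client connected over plain HTTP. Host name is from the thread;
# the paths, cookie values and the cdn.example.net host are made up.
SAMPLE_HEADERS = [
    ("Location", "http://www.test-site.com/login.php"),
    ("Set-Cookie", "PHPSESSID=abc123; path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; path=/; Secure"),
]
SAMPLE_BODY = """
<img src="http://www.test-site.com/img/logo.png">
<img src="/img/banner.png">
<link rel="stylesheet" href="//www.test-site.com/css/site.css">
<script src="http://cdn.example.net/lib.js"></script>
"""

# src/href attributes that carry an explicit http:// scheme
_REF = re.compile(r'''(?:src|href)\s*=\s*["'](http://[^"']+)["']''', re.I)


def offload_findings(headers, body, site_suffix):
    """Return (kind, detail) pairs for response parts that ignore the offload."""
    findings = []
    for name, value in headers:
        lname = name.lower()
        if lname == "location" and value.lower().startswith("http://"):
            # Redirect sends the browser back to clear HTTP.
            findings.append(("redirect-to-http", value))
        elif lname == "set-cookie":
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "secure" not in attrs:
                # Report the cookie name only, never its value.
                findings.append(("cookie-without-secure", value.split("=", 1)[0]))
    for url in _REF.findall(body):
        host = (urlsplit(url).hostname or "").lower()
        # Only objects on the site itself relate to the offload setup.
        if host == site_suffix or host.endswith("." + site_suffix):
            findings.append(("http-subresource", url))
    return findings


if __name__ == "__main__":
    for kind, detail in offload_findings(SAMPLE_HEADERS, SAMPLE_BODY, "test-site.com"):
        print(kind, detail)
```

Running the same check against a response fetched directly from the backend and one fetched through HAProxy covers the two confirmations requested in the reply.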
