Baptiste,

Thanks again for taking the time to read through and respond.  I had done a
lot of troubleshooting and tried many different configuration options, to
the point that I am now confused.  You are correct, with only one web
server, persistence is not necessary, I should have realized this.  I tried
testing the web server by bypassing haproxy and I was getting the same
result, no image showing up so it is a web server problem that needs to be
resolved first.

With that said, the end plan is to indeed put 2 or 3 web servers behind
haproxy to be load balanced too - when that time comes, may I ask you what
the best way to implement session persistence would be, ensuring that when
a client connects to the web servers that they continue to stay on that web
server during their entire session?

Would this be the - option  http-server-close ?  Or, would implementing
some sort of PHPSESSID cookie be needed?

I think for true testing then, they need to get their web servers working
first, and then I need to get another one set up so that I can actually
test out session persistence.

Last question, when I get this into place, and to verify that sessions are
staying persistent, what is the best way to verify this?  Will haproxy logs
show this, or do I need to perform some sort of strace on the haproxy PID
to watch it?

Thanks a million Baptiste, you are a life saver - not only to me, but to
many people on this amazing list.

Sincerely,

Chris


-Chris


On Tue, Nov 12, 2013 at 12:12 AM, Baptiste <bed...@gmail.com> wrote:

> Hi Chris,
>
> How can you point HAProxy in such problem?
> I mean, you have a single server in your farm, so if the browser can't
> download objects, it may come from another point.
> And since you have a single server, you don't need persistence ;)
>
> Can you confirm whether:
> - the application works well in HTTP (clear)
> - the application works well without HAProxy
>
> Note that SSL offloading may have some impacts on web application:
>
> http://blog.exceliance.fr/2013/02/26/ssl-offloading-impact-on-web-applications/
>
> Can you enable logs as described in the link above and check the result?
>
> Baptiste
>
>
> On Mon, Nov 11, 2013 at 8:49 PM, Chris <bludge...@gmail.com> wrote:
> > Hello everyone,
> >
> > I have a question concerning session persistence with offloading SSL via
> > haproxy to backend nginx web servers running a PHP website.
> >
> > Basically, I have a configuration that is performing the SSL offloading
> > successfully, however, it seems that session persistence is not working
> > properly as some of the images from the nginx web server are not showing up,
> > however the log in fields for this web server are showing up.
> >
> > What needs to happen is that an http request comes into haproxy, http calls
> > get redirected to https, SSL is offloaded and the connection is handed over
> > to the relevant back-end - with session persistence intact via ACLs within
> > haproxy.
> >
> > I have read that "http-server-close" will preserve the connection and keep
> > it persistent but I have not been able to get this to work.  I have also
> > read that the type of balance used (such as round robin) can affect the
> > persistence of connections.  I have also tried to use
> >
> > "cookie PHPSESSID insert nocache indirect"  but I just am having no luck as
> > there are a slew of configurations that can be used to do this task and I
> > have gone over the haproxy documentation again and again and I just am not
> > sure of the correct way of doing this.  The haproxy documentation is very
> > thorough, but it is also very complex.
> >
> > In an effort to try to get this working, below is the configuration for my
> > haproxy setup, I have stripped out all of the testing configurations that
> > I've been using to try to get it to work.  I am hoping that someone might be
> > able to assist me with properly getting this configured to make sessions
> > persistent.
> >
> > Your expertise and advice are greatly welcomed and very appreciated - I
> > thank you for your time.
> >
> > ---
> > global
> >   log 127.0.0.1 local0
> >   log 127.0.0.1 local1
> >   user haproxy
> >   group haproxy
> >   daemon
> >
> > defaults
> >   log global
> >   mode http
> >   option httplog
> >   option dontlognull
> >   option redispatch
> >   stats enable
> >   maxconn 512
> >   retries 3
> >   contimeout 60000
> >   clitimeout 60000
> >   srvtimeout 60000
> >
> >
> > ###### http frontend to redirect to https frontend
> >
> >  frontend https_frontend
> >         bind 0.0.0.0:80
> >         redirect scheme https if !{ ssl_fc }
> >
> >
> > ###### https frontend to offload SSL to the backends
> >
> > frontend haproxy_https
> >   mode http
> >   option http-server-close
> >   bind 0.0.0.0:443 ssl crt /etc/haproxy/psl-wildcard/wildcard.pem ca-file /etc/haproxy/psl-wildcard/wildcard.ca-bundle
> >
> >   acl is_psl_https              hdr_end(host)   -i www.test-site.com
> >   acl is_broker_psl_https       hdr_end(host)   -i broker.test-site.com
> >   acl is_eclose_psl_https       hdr_end(host)   -i eclose.test-site.com
> >
> >   use_backend           is_psl_https_backend    if      is_psl_https
> >   use_backend           is_broker_https_backend if      is_broker_psl_https
> >   use_backend           is_eclose_https_backend if      is_eclose_psl_https
> >
> >   default_backend       is_psl_https_backend
> >
> >
> >
> > ###### backends
> >
> > backend is_psl_https_backend
> >   mode http
> >   balance source
> >   option http-server-close
> >   server server1 10.10.221.171:80
> >
> > backend is_broker_https_backend
> >   mode http
> >   balance source
> >   option http-server-close
> >   server server1 10.10.221.172:80
> >
> > backend is_eclose_https_backend
> >   mode http
> >   balance source
> >   option http-server-close
> >   server server1 10.10.221.173:80
> >
> >
> > listen admin 0.0.0.0:22002
> >   mode http
> >   stats uri /
> >
> > ----
> >
> > Again, thank you very much.
> >
> > Sincerely,
> >
> > Chris
>
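
One way to check persistence from the logs, as asked at the top of this thread (an added example, not part of the original messages): with `option httplog`, each line names the backend/server pair and a four-character termination state whose third character records the client's persistence cookie (`N` none sent, `V` valid). The script assumes cookie-based persistence is configured (a `cookie ... insert` line in the backend and a `cookie` value on each `server` line); the log lines, client addresses and `server2` are constructed.

```python
import re
from collections import defaultdict

# Fields of an "option httplog" line that matter for a persistence check.
LINE = re.compile(
    r'haproxy\[\d+\]: (?P<ip>[\d.]+):\d+ \[[^\]]+\] (?P<fe>\S+) '
    r'(?P<be>[^/\s]+)/(?P<srv>\S+) \S+ (?P<status>\d{3}) \S+ '
    r'\S+ \S+ (?P<term>\S{4}) '
)

# Constructed sample lines (not taken from the thread); server2 is hypothetical.
SAMPLE = """\
Nov 12 10:00:01 lb haproxy[911]: 192.0.2.10:40112 [12/Nov/2013:10:00:01.100] haproxy_https is_psl_https_backend/server1 3/0/1/12/16 200 5120 - - --NI 2/2/0/0/0 0/0 "GET / HTTP/1.1"
Nov 12 10:00:02 lb haproxy[911]: 192.0.2.10:40113 [12/Nov/2013:10:00:02.200] haproxy_https is_psl_https_backend/server1 2/0/1/9/12 200 811 - - --VN 2/2/0/0/0 0/0 "GET /logo.png HTTP/1.1"
Nov 12 10:00:03 lb haproxy[911]: 192.0.2.10:40114 [12/Nov/2013:10:00:03.300] haproxy_https is_psl_https_backend/server1 2/0/1/8/11 200 640 - - --VN 2/2/0/0/0 0/0 "GET /app.css HTTP/1.1"
Nov 12 10:00:04 lb haproxy[911]: 198.51.100.7:51820 [12/Nov/2013:10:00:04.050] haproxy_https is_psl_https_backend/server2 4/0/1/14/19 200 5120 - - --NI 3/3/0/0/0 0/0 "GET / HTTP/1.1"
Nov 12 10:00:05 lb haproxy[911]: 198.51.100.7:51821 [12/Nov/2013:10:00:05.400] haproxy_https is_psl_https_backend/server1 3/0/1/10/14 200 811 - - --NI 3/3/0/0/0 0/0 "GET /logo.png HTTP/1.1"
"""

def check_persistence(log_text):
    """Return (clients that changed server, count of cookie states seen)."""
    servers = defaultdict(set)       # (client ip, backend) -> servers used
    cookie_state = defaultdict(int)  # 3rd termination flag -> request count
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an HTTP-format haproxy line
        servers[(m["ip"], m["be"])].add(m["srv"])
        cookie_state[m["term"][2]] += 1
    # A client seen on more than one server of the same backend lost stickiness.
    moved = {k: sorted(v) for k, v in servers.items() if len(v) > 1}
    return moved, dict(cookie_state)

if __name__ == "__main__":
    moved, states = check_persistence(SAMPLE)
    print("clients that changed server:", moved)
    print("persistence cookie states:", states)
```

A client that keeps showing `N` after its first request is not returning the cookie, which is the case to investigate; several users behind one NAT address can also appear as a single client that moved.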
