Hi Chris,

It is recommended to use option http-server-close, except for specific
uses (like NTLM). So please turn it on.

You have basically 3 main choices:
- cookie SERVERID insert => HAProxy will set up a cookie called SERVERID
- cookie PHPSESSID prefix => HAProxy will use the application cookie
set up by your web servers
- stick table + stick store + stick match => HAProxy will learn
cookies, store them in a table and use it for persistence.

For options #1 and #2, don't forget the cookie parameter on the server directive.

Baptiste


On Tue, Nov 12, 2013 at 5:14 PM, Chris <bludge...@gmail.com> wrote:
> Baptiste,
>
> Thanks again for taking the time to read through and respond.  I had done a
> lot of troubleshooting and tried many different configuration options, to
> the point that I am now confused.  You are correct, with only one web
> server, persistence is not necessary, I should have realized this.  I tried
> testing the web server by bypassing haproxy and I was getting the same
> result, no image showing up so it is a web server problem that needs to be
> resolved first.
>
> With that said, the end plan is to indeed put 2 or 3 web servers behind
> haproxy to be load balanced too - when that time comes, may I ask you what
> the best way to implement session persistence would be, ensuring that when a
> client connects to the web servers that they continue to stay on that web
> server during their entire session?
>
> Would this be the - option  http-server-close ?  Or, would implementing some
> sort of PHPSESSID cookie be needed?
>
> I think for true testing then, they need to get their web servers working
> first, and then I need to get another one set up so that I can actually test
> out session persistence.
>
> Last question, when I get this into place, and to verify that sessions are
> staying persistent, what is the best way to verify this?  Will haproxy logs
> show this, or do I need to perform some sort of strace on the haproxy PID to
> watch it?
>
> Thanks a million Baptiste, you are a life saver - not only to me, but to
> many people on this amazing list
>
> Sincerely,
>
> Chris
>
>
> -Chris
>
>
> On Tue, Nov 12, 2013 at 12:12 AM, Baptiste <bed...@gmail.com> wrote:
>>
>> Hi Chris,
>>
>> How can you point HAProxy in such problem?
>> I mean, you have a single server in your farm, so if the browser can't
>> download objects, it may come from another point.
>> And since you have a single server, you don't need persistence ;)
>>
>> Can you confirm whether:
>> - the application works well in HTTP (clear)
>> - the application works well without HAProxy
>>
>> Note that SSL offloading may have some impacts on web application:
>>
>> http://blog.exceliance.fr/2013/02/26/ssl-offloading-impact-on-web-applications/
>>
>> Can you enable logs as described in the link above and check the result?
>>
>> Baptiste
>>
>>
>> On Mon, Nov 11, 2013 at 8:49 PM, Chris <bludge...@gmail.com> wrote:
>> > Hello everyone,
>> >
>> > I have a question concerning session persistence with offloading SSL via
>> > haproxy to backend nginx web servers running a PHP website.
>> >
>> > Basically, I have a configuration that is performing the SSL offloading
>> > successfully, however, it seems that session persistence is not working
>> > properly as some of the images from the nginx web server are not showing
>> > up, however the login fields for this web server are showing up.
>> >
>> > What needs to happen is that an http request comes into haproxy, http
>> > calls get redirected to https, SSL is offloaded and the connection is
>> > handed over to the relevant back-end - with session persistence intact
>> > via ACLs within haproxy.
>> >
>> > I have read that "http-server-close" will preserve the connection and
>> > keep it persistent but I have not been able to get this to work.  I have
>> > also read that the type of balance used (such as round robin) can affect
>> > the persistence of connections.  I have also tried to use
>> >
>> > "cookie PHPSESSID insert nocache indirect"  but I just am having no luck
>> > as there are a slew of configurations that can be used to do this task
>> > and I have gone over the haproxy documentation again and again and I just
>> > am not sure of the correct way of doing this.  The haproxy documentation
>> > is very thorough, but it is also very complex.
>> >
>> > In an effort to try to get this working, below is the configuration for
>> > my haproxy setup, I have stripped out all of the testing configurations
>> > that I've been using to try to get it to work.  I am hoping that someone
>> > might be able to assist me with properly getting this configured to make
>> > sessions persistent.
>> >
>> > Your expertise and advice are greatly welcomed and very appreciated - I
>> > thank you for your time.
>> >
>> > ---
>> > global
>> >   log 127.0.0.1 local0
>> >   log 127.0.0.1 local1
>> >   user haproxy
>> >   group haproxy
>> >   daemon
>> >
>> > defaults
>> >   log global
>> >   mode http
>> >   option httplog
>> >   option dontlognull
>> >   option redispatch
>> >   stats enable
>> >   maxconn 512
>> >   retries 3
>> >   contimeout 60000
>> >   clitimeout 60000
>> >   srvtimeout 60000
>> >
>> >
>> > ###### http frontend to redirect to https frontend
>> >
>> >  frontend https_frontend
>> >         bind 0.0.0.0:80
>> >         redirect scheme https if !{ ssl_fc }
>> >
>> >
>> > ###### https frontend to offload SSL to the backends
>> >
>> > frontend haproxy_https
>> >   mode http
>> >   option http-server-close
>> >   bind 0.0.0.0:443 ssl crt /etc/haproxy/psl-wildcard/wildcard.pem ca-file /etc/haproxy/psl-wildcard/wildcard.ca-bundle
>> >
>> >   acl is_psl_https              hdr_end(host)   -i www.test-site.com
>> >   acl is_broker_psl_https       hdr_end(host)   -i broker.test-site.com
>> >   acl is_eclose_psl_https       hdr_end(host)   -i eclose.test-site.com
>> >
>> >   use_backend           is_psl_https_backend    if      is_psl_https
>> >   use_backend           is_broker_https_backend if      is_broker_psl_https
>> >   use_backend           is_eclose_https_backend if      is_eclose_psl_https
>> >
>> >   default_backend       is_psl_https_backend
>> >
>> >
>> >
>> > ###### backends
>> >
>> > backend is_psl_https_backend
>> >   mode http
>> >   balance source
>> >   option http-server-close
>> >   server server1 10.10.221.171:80
>> >
>> > backend is_broker_https_backend
>> >   mode http
>> >   balance source
>> >   option http-server-close
>> >   server server1 10.10.221.172:80
>> >
>> > backend is_eclose_https_backend
>> >   mode http
>> >   balance source
>> >   option http-server-close
>> >   server server1 10.10.221.173:80
>> >
>> >
>> > listen admin 0.0.0.0:22002
>> >   mode http
>> >   stats uri /
>> >
>> > ----
>> >
>> > Again, thank you very much.
>> >
>> > Sincerely,
>> >
>> > Chris
>
>
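
Added example, not part of the original thread and not posted by either participant: the three persistence choices listed in the reply at the top, written out as three alternative backends. The backend names, server names (web1, web2), 192.0.2.x addresses, timeouts and stick-table sizing are placeholders chosen for illustration; in practice only one of the three backends would be used.

```haproxy
defaults
  mode http
  option httplog
  option http-server-close
  timeout connect 5s
  timeout client  60s
  timeout server  60s

# Choice 1: HAProxy sets its own cookie named SERVERID.
# "insert"   - HAProxy adds the Set-Cookie header itself
# "indirect" - the cookie is stripped before the request reaches the server
# "nocache"  - marks the response so shared caches do not store the cookie
backend persist_insert
  balance roundrobin
  cookie SERVERID insert indirect nocache
  # the "cookie" parameter on each server line is the value that
  # identifies that server inside SERVERID
  server web1 192.0.2.11:80 check cookie web1
  server web2 192.0.2.12:80 check cookie web2

# Choice 2: reuse the application's own PHPSESSID cookie.
# HAProxy prefixes the server's cookie value to the session id on the
# way out and removes it again before the request reaches PHP.
backend persist_prefix
  balance roundrobin
  cookie PHPSESSID prefix
  server web1 192.0.2.11:80 check cookie web1
  server web2 192.0.2.12:80 check cookie web2

# Choice 3: stick table. HAProxy learns PHPSESSID from the response,
# stores session id -> server in a table, and matches later requests
# against it. No "cookie" parameter is needed on the server lines.
backend persist_stick
  balance roundrobin
  stick-table type string len 64 size 100k expire 30m
  stick store-response res.cook(PHPSESSID)
  stick match req.cook(PHPSESSID)
  server web1 192.0.2.11:80 check
  server web2 192.0.2.12:80 check
```

The file can be syntax-checked with `haproxy -c -f <file>` before reloading. With `option httplog`, each log line names the backend and server that handled the request, so repeated requests from one browser session can be compared against a single server name.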
