Hi Baptiste, Lukas,
@Lukas: Sorry I misread your tunnel-mode for tcp-mode. Tunnel-mode works
(almost) fine as you can read below.
I have been investigating my problem a bit more, and then I remembered
that I also updated haproxy a week before we started using our new
Windows 2012 servers.
The problem I'm having (also tested with ss-20140101 yesterday) happens
with http-keep-alive enabled and also when just running in tunnel mode.
But, when http-keep-alive is enabled I get the problem with ~98% of the
requests and in tunnel mode I get it with ~10% of the requests.
Authentication seems to succeed but the connection just 'hangs'.
Sometimes refreshing 10 times fixes it.
I have downgraded to dev19 this morning and it seems that the problem
went away in tunnel mode. (http-keep-alive is of course not available)
While I am not sure yet, it could be that something broke between dev19 and dev21.
This may sound a bit silly but connections to our IIS servers 'feel
faster and more responsive' when using dev19.
I will build a small test environment to see if I can reproduce it and
capture some traffic. Right now it's just a hunch.
My config is below. When I use http-keep-alive I just uncomment the
'option http-keep-alive' and comment the 'no option http-server-close'.
###
# Global Settings
###
global
    log 127.0.0.1 local0
    daemon
    user haproxy
    group haproxy
    maxconn 32768
    spread-checks 3
    stats socket /var/run/haproxy.stat mode 666 level admin
###
# Defaults
###
defaults
    log global
    mode http
    option abortonclose
    timeout check 2s
    timeout client 10s
    timeout connect 10s
    timeout http-keep-alive 30s
    timeout http-request 30s
    timeout queue 15s
    timeout server 10s
    timeout tarpit 120s
###
# Define the admin section
###
listen admin
    bind X.X.X.1:8080
    bind 2001:x:x:x::1:8080
    stats enable
    stats uri /haproxy?stats
    stats auth admin:somepass
    stats admin if TRUE
    stats refresh 5s
###
# Frontend for services
###
frontend default-fe
    bind X.X.X.37:80
    bind 2001:X:X:X:6:80
    bind X.X.X.37:443 ssl crt /etc/haproxy/ssl/cert.pem crt /etc/haproxy/ssl/othercert.pem ciphers RC4:HIGH:!aNULL:!MD5
    bind 2001:X:X:X::6:443 ssl crt /etc/haproxy/ssl/cert.pem crt /etc/haproxy/ssl/othercert.pem ciphers RC4:HIGH:!aNULL:!MD5
    option httplog
    option forwardfor
    # Add X-Forwarded-* headers
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Ssl on if { ssl_fc }
    http-request set-header X-Forwarded-Proto http if ! { ssl_fc }
    http-request set-header X-Forwarded-Ssl off if ! { ssl_fc }
    # Define hosts which need to redirect to HTTPS
    acl need_ssl hdr(Host) -i blah
    acl need_ssl hdr(Host) -i host1
    acl need_ssl hdr(host) -i host2
    acl need_ssl hdr(host) -i host3
    redirect scheme https if need_ssl ! { ssl_fc }
    # Define backends and redirect correct hostnames
    use_backend mgmt if { hdr(Host) -i blah }
    use_backend mgmt if { hdr(Host) -i somehost }
    use_backend mgmt if { hdr(Host) -i anotherhost }
    use_backend app1 if { hdr(Host) -i host1 }
    use_backend app2 if { hdr(Host) -i host2 }
    use_backend app3 if { hdr(Host) -i host3 }
    http-request redirect location http://some.site if { hdr(Host) -i something }
###
# backend_mgmt
###
backend mgmt
    fullconn 20
    option http-server-close
    option httpchk GET / HTTP/1.0
    server mgmt-01 192.168.1.7:80 cookie mgmt-01 check inter 2000
###
# backend app1
###
backend app1
    fullconn 5
    no option http-server-close # ONLY USE IF NTLM IS NEEDED!
    # option http-keep-alive
    option httpchk GET /url HTTP/1.0
    server app1 192.168.1.30:80 cookie app1 check inter 2000
###
# backend app2
###
backend app2
    fullconn 512
    no option http-server-close # ONLY USE IF NTLM IS NEEDED!
    # option http-keep-alive
    option httpchk GET / HTTP/1.0
    server app2 192.168.1.46:443 cookie app2 ssl check inter 2000
###
# backend app3
###
backend app3
    fullconn 512
    no option http-server-close # ONLY USE IF NTLM IS NEEDED!
    # option http-keep-alive
    option httpchk GET / HTTP/1.0
    server app3 192.168.1.44:443 cookie app3 ssl check inter 2000
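The config above toggles each NTLM backend between tunnel mode and keep-alive by commenting and uncommenting `option` lines, with the `no option http-server-close` comment marking which backends carry connection-bound authentication. The following script is an added example (not part of the mailing-list post, and not an HAProxy project tool): it parses a trimmed, constructed copy of that config, works out the effective connection mode of each backend after `defaults` inheritance and `no option` overrides, and lists `bind` lines whose cipher string still permits RC4. The precedence model (close > server-close > keep-alive > tunnel within one section's final flags) is a simplifying assumption and does not model how HAProxy combines a frontend's and a backend's modes.

```python
"""Lint an HAProxy config for per-backend HTTP connection mode and RC4 cipher lists.

Added example; the parsing model is deliberately simplified (see comments).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample, trimmed from the posted config; placeholders kept as-is.
SAMPLE_CFG = """
defaults
    mode http
    option abortonclose

frontend default-fe
    bind X.X.X.37:80
    bind X.X.X.37:443 ssl crt /etc/haproxy/ssl/cert.pem ciphers RC4:HIGH:!aNULL:!MD5
    option httplog

backend mgmt
    option http-server-close
    server mgmt-01 192.168.1.7:80 check

backend app1
    no option http-server-close   # ONLY USE IF NTLM IS NEEDED!
    # option http-keep-alive
    server app1 192.168.1.30:80 check

backend app2
    option http-keep-alive
    server app2 192.168.1.46:443 ssl check
"""

SECTION_KEYWORDS = ("global", "defaults", "frontend", "backend", "listen")
# Connection-handling options this lint tracks; others are ignored.
CONN_OPTIONS = ("http-keep-alive", "http-server-close", "forceclose", "httpclose")


def parse_sections(text: str) -> List[Tuple[str, str, List[str]]]:
    """Split a config into (kind, name, lines); comments and blank lines are dropped."""
    sections: List[Tuple[str, str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        words = line.split()
        if words[0] in SECTION_KEYWORDS:
            name = words[1] if len(words) > 1 else ""
            sections.append((words[0], name, []))
        elif sections:
            sections[-1][2].append(line)
    return sections


def apply_conn_options(flags: Dict[str, bool], lines: List[str]) -> Dict[str, bool]:
    """Apply 'option X' / 'no option X' lines in order to a copy of the flag set."""
    flags = dict(flags)
    for line in lines:
        words = line.split()
        if words[0] == "option" and len(words) > 1 and words[1] in CONN_OPTIONS:
            flags[words[1]] = True
        elif words[:2] == ["no", "option"] and len(words) > 2 and words[2] in CONN_OPTIONS:
            flags[words[2]] = False
    return flags


def classify_mode(flags: Dict[str, bool]) -> str:
    """Assumed precedence for a single section: the most restrictive set flag wins."""
    if flags["forceclose"] or flags["httpclose"]:
        return "close"
    if flags["http-server-close"]:
        return "server-close"
    if flags["http-keep-alive"]:
        return "keep-alive"
    return "tunnel"  # HAProxy's default when no connection option is set


def weak_cipher_binds(lines: List[str]) -> List[str]:
    """Return bind lines whose 'ciphers' string enables RC4 without excluding it."""
    found = []
    for line in lines:
        match = re.search(r"\bciphers\s+(\S+)", line)
        if not match:
            continue
        tokens = match.group(1).split(":")
        if "RC4" in tokens and "!RC4" not in tokens:
            found.append(line)
    return found


def lint(text: str) -> Dict[str, object]:
    """Report the effective connection mode per backend/listen and RC4-enabled binds."""
    sections = parse_sections(text)
    base = {opt: False for opt in CONN_OPTIONS}
    for kind, _, lines in sections:
        if kind == "defaults":  # defaults apply to every later proxy section
            base = apply_conn_options(base, lines)
    modes: Dict[str, str] = {}
    rc4_binds: List[str] = []
    for kind, name, lines in sections:
        if kind in ("backend", "listen"):
            modes[name] = classify_mode(apply_conn_options(base, lines))
        if kind in ("frontend", "listen"):
            rc4_binds.extend(weak_cipher_binds(lines))
    return {"modes": modes, "rc4_binds": rc4_binds}


if __name__ == "__main__":
    report = lint(SAMPLE_CFG)
    for name, mode in report["modes"].items():
        note = "" if mode == "tunnel" else "  (connection-bound auth such as NTLM expects tunnel)"
        print(f"{name}: {mode}{note}")
    for bind in report["rc4_binds"]:
        print(f"RC4 still enabled: {bind}")
```

Running it on the sample reports `mgmt` as server-close, `app1` as tunnel (the `no option` line wins over `defaults`, and the commented keep-alive line is ignored exactly as HAProxy would ignore it) and `app2` as keep-alive, plus the one HTTPS bind whose cipher list starts with RC4. Feeding it the full config from the message gives a quick view of which backends are in the connection-affine mode NTLM needs before toggling options by hand.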