Hi Sander,

In my configuration, I enabled "option http-keep-alive" in the default
section; that way, it is applied to all subsequent frontends and backends.
Then you can disable it locally by prefixing the same option with "no".
And it works :)
I've attached to this mail the log session showing myself browsing
Exchange 2010 webmail with http-keep-alive mode.
I've also tested with an Outlook 2007 client (RPC over HTTP mode).
Interestingly, this one does the NTLM negotiation, runs the request,
then shuts the connection... and does this all the time!!!! Each time, of
course, it asks the server to negotiate a new SSL key....
But it works, since in the log I can see all the requests coming from a
single client-side TCP connection :)

In your case, your frontend is in tunnel mode. I don't know the impact
when the frontend is in tunnel mode and the backend in
http-keep-alive.
Please enable keep-alive directly in your default section and report
the result to us.

Baptiste




On Fri, Jan 3, 2014 at 10:39 AM, Sander Klein <[email protected]> wrote:
> Hi Baptiste, Lukas,
>
> @Lukas: Sorry I misread your tunnel-mode for tcp-mode. Tunnel-mode works
> (almost) fine as you can read below.
>
> I have been investigating my problem a bit more, and then I remembered that
> I also updated haproxy a week before we started using our new Windows 2012
> servers.
>
> The problem I'm having (also tested with ss-20140101 yesterday) happens with
> http-keep-alive enabled and also when just running in tunnel mode. But, when
> http-keep-alive is enabled I get the problem with ~98% of the requests and
> in tunnel mode I get it with ~10% of the requests. Authentication seems to
> succeed but the connection just 'hangs'. Sometimes refreshing 10 times fixes
> it.
>
> I have downgraded to dev19 this morning and it seems that the problem went
> away in tunnel mode. (http-keep-alive is of course not available)
>
> While I am not sure yet, it could be that something broke during dev19-dev21.
> This may sound a bit silly but connections to our IIS servers 'feel faster
> and more responsive' when using dev19.
>
> I will build a small test environment to see if I can reproduce it and
> capture some traffic. Right now it's just a hunch.
>
> My config is below. When I use http-keep-alive I just uncomment the 'option
> http-keep-alive' and comment the 'no option http-server-close'.
>
> ###
> # Global Settings
> ###
> global
>         log             127.0.0.1 local0
>
>         daemon
>         user            haproxy
>         group           haproxy
>         maxconn         32768
>         spread-checks   3
>         stats socket    /var/run/haproxy.stat mode 666 level admin
>
> ###
> # Defaults
> ###
> defaults
>         log                     global
>
>         mode http
>
>         option abortonclose
>
>         timeout check           2s
>         timeout client          10s
>         timeout connect         10s
>         timeout http-keep-alive 30s
>         timeout http-request    30s
>         timeout queue           15s
>         timeout server          10s
>         timeout tarpit          120s
>
> ###
> # Define the admin section
> ###
> listen admin
>         bind X.X.X.1:8080
>         bind 2001:x:x:x::1:8080
>         stats enable
>         stats uri       /haproxy?stats
>         stats auth      admin:somepass
>         stats admin if TRUE
>         stats refresh 5s
>
> ###
> # Frontend for services
> ###
> frontend default-fe
>         bind X.X.X.37:80
>         bind 2001:X:X:X:6:80
>         bind X.X.X.37:443 ssl crt /etc/haproxy/ssl/cert.pem crt /etc/haproxy/ssl/othercert.pem ciphers RC4:HIGH:!aNULL:!MD5
>         bind 2001:X:X:X::6:443 ssl crt /etc/haproxy/ssl/cert.pem crt /etc/haproxy/ssl/othercert.pem ciphers RC4:HIGH:!aNULL:!MD5
>
>         option httplog
>         option forwardfor
>
>
>         # Add X-Forwarded-* headers
>         http-request set-header X-Forwarded-Proto https if { ssl_fc }
>         http-request set-header X-Forwarded-Ssl on if { ssl_fc }
>         http-request set-header X-Forwarded-Proto http if ! { ssl_fc }
>         http-request set-header X-Forwarded-Ssl off if ! { ssl_fc }
>
>         # Define hosts which need to redirect to HTTPS
>         acl need_ssl hdr(Host) -i blah
>         acl need_ssl hdr(Host) -i host1
>         acl need_ssl hdr(host) -i host2
>         acl need_ssl hdr(host) -i host3
>
>
>         redirect scheme https if need_ssl ! { ssl_fc }
>
>         # Define backends and redirect correct hostnames
>         use_backend mgmt if { hdr(Host) -i blah }
>         use_backend mgmt if { hdr(Host) -i somehost }
>         use_backend mgmt if { hdr(Host) -i anotherhost }
>
>         use_backend app1 if { hdr(Host) -i host1 }
>
>         use_backend app2 if { hdr(Host) -i host2 }
>         use_backend app3 if { hdr(Host) -i host3 }
>
>         http-request redirect location http://some.site if { hdr(Host) -i something }
>
> ###
> # backend_mgmt
> ###
> backend mgmt
>         fullconn 20
>
>         option http-server-close
>
>         option httpchk GET / HTTP/1.0
>
>         server mgmt-01 192.168.1.7:80 cookie mgmt-01 check inter 2000
>
> ###
> # backend app1
> ###
> backend app1
>         fullconn 5
>
>         no option http-server-close # ONLY USE IF NTLM IS NEEDED!
> #       option http-keep-alive
>         option httpchk GET /url HTTP/1.0
>
>         server app1 192.168.1.30:80 cookie app1 check inter 2000
>
> ###
> # backend app2
> ###
> backend app2
>         fullconn 512
>
>         no option http-server-close # ONLY USE IF NTLM IS NEEDED!
> #       option http-keep-alive
>
>         option httpchk GET / HTTP/1.0
>
>         server app2 192.168.1.46:443 cookie app2 ssl check inter 2000
>
> ###
> # backend app3
> ###
> backend app3
>         fullconn 512
>
>         no option http-server-close # ONLY USE IF NTLM IS NEEDED!
> #       option http-keep-alive
>
>         option httpchk GET / HTTP/1.0
>
>         server app3 192.168.1.44:443 cookie app3 ssl check inter 2000
>
>
>

Attachment: traffic-140102-235614.log
Description: Binary data
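
The inheritance described at the top of this message (an option set in the defaults section applies to the sections that follow it, and a "no" prefix switches it off locally) can be checked mechanically before a reload. The following is an added example, not code from the thread or from the HAProxy project; the function name `effective_options` and the sample configuration are constructed for illustration, and it reports per-section options only, not how a frontend and backend combine.

```python
import re

# Connection-mode options named in the thread, plus the two other close modes.
MODE_OPTIONS = {"http-keep-alive", "http-server-close", "httpclose", "forceclose"}
SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")

def effective_options(config_text):
    """Map each proxy section to the connection-mode options left enabled in it."""
    defaults, current, result = set(), None, {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        if not line:
            continue
        section = SECTION_RE.match(line)
        if section:
            kind, name = section.groups()
            if kind == "global":
                current = None                   # no proxy options live here
            elif kind == "defaults":
                defaults = current = set()       # a new defaults section starts clean
            else:
                current = result[f"{kind} {name}"] = set(defaults)  # inherit a copy
            continue
        words = line.split()
        negate = words[0] == "no"                # "no option X" switches X off locally
        if negate:
            words = words[1:]
        if (current is not None and len(words) >= 2
                and words[0] == "option" and words[1] in MODE_OPTIONS):
            (current.discard if negate else current.add)(words[1])
    return result

# Constructed sample: keep-alive enabled globally via defaults, disabled in one backend.
SAMPLE = """
defaults
    mode http
    option http-keep-alive
frontend fe
    bind :80
backend app1
    server app1 192.0.2.10:80
backend mgmt
    no option http-keep-alive
    option http-server-close
"""

if __name__ == "__main__":
    for section, options in effective_options(SAMPLE).items():
        print(section, sorted(options) or ["(no connection-mode option set)"])
```

A section that ends up with an empty set has no connection-mode option at all, which is the situation the thread refers to as tunnel mode.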
