Hello, On Mon, May 05, 2014 at 05:27:28PM -0700, chris somme wrote: > Hello, > > We're running 1.5-dev19 2013/06/17 and running ssh connections through > haproxy in mode tcp. > > Recently we ran into a problem where we had a lot of client connections to > haproxy sitting around in FIN_WAIT2 and the corresponding connections to > the backend in in CLOSE_WAIT. It appears that our backend has closed the > connections but the socket isn't being shudown by the client, and haproxy > is holding the connection to the backend open until the client connection > is shut down. Those sockets eventually prevented us from accepting new > connections, the sockets that are in the CLOSE_WAIT state count against > maxconn. > > Once the connection reaches the client timeout haproxy closes the > connection to the backend and the socket in CLOSE_WAIT goes away. > > We're on linux and have have tried setting tcp_fin_timeout, hoping that it > would shutdown the connections in FIN_WAIT2 and in turn shutdown the > sockets in CLOSE_WAIT. The tcp_fin_timeout value doesn't seem to have an > effect -- it's currently set to 30 seconds, but socket in FIN_WAIT2 linger > beyond that.
Normally it should work, but keep in mind that closing at the lower level is the ugliest thing to do! > Is there anyway besides the client timeout (which impacts all client > interactions, not just close) to get the backend connections int mode tcp > freed up sooner? In the roadmap is an item called "half-closed timeout" which was planned exactly for this purpose. That way you could have a client timeout of 1h for example, and something like 1 minute for a half-closed one. I think it's a bit tricky to implement but not that much. Basically, in process_session() when doing a shutr() or shutw(), we should check for each side if the half-closed timeout is configured on the proxy, then change the current timeout (rto/wto) to this one if it was still active. I don't know if we want distinct timeouts (one per side) to avoid the usual complexity of the front+back where a single value configures both sides but we never know which part's value, or a single one, considering that the half-closed timeout configured in the frontend always applies to the client side, that the backend's applies to the server side, and that for "listen" proxies, the same value applies to both sides (just like defaults sections will do). I think this is enough. I don't really see the point of having half-closed timeout only on one side or with a different value. I don't know if you're interested in trying to implement this. Regards, Willy
