Hi
We use haproxy at various layers in our setup. We have been seeing 504 errors in our logs and discovered that it was haproxy that sent them. On further investigation we found that on some packets we go over 8k and it is during this time that we get the 504. On further reading of the haproxy docs, we made one change:

tune.maxrewrite 1024

Now we don't see any of the 504 errors anymore and everything is working perfectly. After reading the docs, we decided not to implement the #tune.bufsize 32768 setting as that could have more serious implications than just changing the tune.maxrewrite setting.

Q1. This is really just a request for a further explanation as to why changing tune.maxrewrite now enables packet sizes larger than 8k.

Q2. What do we change in future if we find the same issue but the packet sizes are now greater than 16k?

Q3. The 8k mentioned above, is that a default setting for the header size? If not, what does the 8k refer to? Surely the packets should be reconstructed at each end and then passed on.

I have posted the haproxy config we use below.
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 debug
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4096
    uid 99
    gid 99
    daemon
    stats socket /var/lib/haproxy/stats
    # Buffer tunables: a request or response header block has to fit into
    # tune.bufsize minus tune.maxrewrite. bufsize is left at its default
    # (the larger value is commented out); maxrewrite is set explicitly.
    #tune.bufsize 32768
    tune.maxrewrite 1024

defaults
    mode http
    retries 3
    option redispatch
    maxconn 3000
    log global
    option httplog
    option dontlognull
    cookie HTTP insert nocache
    balance roundrobin
    option httpclose
    option forwardfor
    option contstats
    stats enable
    option http-server-close
    option abortonclose
    option dontlog-normal
    # contimeout/clitimeout/srvtimeout are deprecated spellings of
    # timeout connect/client/server; only the current form is used here,
    # with the values that were last set (10s / 1m / 1m).
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s

frontend dc1ntgxlv01.domain.com_frontend
    bind 10.11.115.116:443 ssl crt /etc/haproxy/wildcard.domain.com.pem ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    mode http
    option httpclose
    option forwardfor
    reqadd X-Forwarded-Proto:\ https
    default_backend dc1ntgxlv01.domain.com_backend

backend dc1ntgxlv01.domain.com_backend
    mode http
    balance roundrobin
    cookie SERVERID insert indirect nocache httponly secure
    # Re-encrypts to the backend and presents the wildcard cert as client cert.
    # No 'verify'/'ca-file' is given, so backend certificate verification
    # follows the global default of the running HAProxy build.
    server dc1ntgaix01 dc1ntgaix01.domain.com:443 check cookie dc1ntgaix01 ssl crt /etc/haproxy/wildcard.domain.com.pem
    server dc1ntgaix02 dc1ntgaix02.domain.com:443 check cookie dc1ntgaix02 ssl crt /etc/haproxy/wildcard.domain.com.pem

frontend dc1ntixlv01.domain.com_frontend
    bind 10.11.115.118:443 ssl crt /etc/haproxy/wildcard.domain1.com.pem ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    mode http
    option httpclose
    option forwardfor
    reqadd X-Forwarded-Proto:\ https
    default_backend dc1ntixlv01.domain.com_backend

backend dc1ntixlv01.domain.com_backend
    mode http
    balance roundrobin
    cookie SERVERID insert indirect nocache httponly secure
    server dc1ntiaix01 dc1ntiaix01.domain.com:443 check cookie dc1ntiaix01 ssl crt /etc/haproxy/wildcard.domain1.com.pem
    server dc1ntiaix02 dc1ntiaix02.domain.com:443 check cookie dc1ntiaix02 ssl crt /etc/haproxy/wildcard.domain1.com.pem

frontend dc1ntgblv01.domain.com_frontend
    bind 10.11.115.119:443 ssl crt /etc/haproxy/wildcard.domain.com.pem ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    mode http
    option httpclose
    option forwardfor
    reqadd X-Forwarded-Proto:\ https
    default_backend dc1ntgblv01.domain.com_backend

backend dc1ntgblv01.domain.com_backend
    mode http
    balance roundrobin
    cookie SERVERID insert indirect nocache httponly secure
    server dc1ntgabs01 dc1ntgabs01.domain.com:443 check cookie dc1ntgabs01 ssl crt /etc/haproxy/wildcard.domain.com.pem
    server dc1ntgabs02 dc1ntgabs02.domain.com:443 check cookie dc1ntgabs02 ssl crt /etc/haproxy/wildcard.domain.com.pem

frontend dc1ntgrlv01.domain.com_frontend
    bind 10.11.115.122:443 ssl crt /etc/haproxy/wildcard.domain.com.pem ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    mode http
    option httpclose
    option forwardfor
    reqadd X-Forwarded-Proto:\ https
    default_backend dc1ntgrlv01.domain.com_backend

backend dc1ntgrlv01.domain.com_backend
    mode http
    balance roundrobin
    cookie SERVERID insert indirect nocache httponly secure
    server dc1ntgarp01 dc1ntgarp01.domain.com:443 check cookie dc1ntgarp01 ssl crt /etc/haproxy/wildcard.domain.com.pem
    server dc1ntgarp02 dc1ntgarp02.domain.com:443 check cookie dc1ntgarp02 ssl crt /etc/haproxy/wildcard.domain.com.pem

frontend dc1ntmrlv01.domain.com_frontend
    bind 10.11.115.123:443 ssl crt /etc/haproxy/wildcard.domain2.com.pem ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    mode http
    option httpclose
    option forwardfor
    reqadd X-Forwarded-Proto:\ https
    default_backend dc1ntmrlv01.domain.com_backend

backend dc1ntmrlv01.domain.com_backend
    mode http
    balance roundrobin
    cookie SERVERID insert indirect nocache httponly secure
    server dc1ntmarp01 dc1ntmarp01.domain.com:443 check cookie dc1ntmarp01 ssl crt /etc/haproxy/wildcard.domain2.com.pem
    server dc1ntmarp02 dc1ntmarp02.domain.com:443 check cookie dc1ntmarp02 ssl crt /etc/haproxy/wildcard.domain2.com.pem

frontend dc1ntirlv01.domain.com_frontend
    bind 10.11.115.124:443 ssl crt /etc/haproxy/wildcard.domain1.com.pem ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    mode http
    option httpclose
    option forwardfor
    reqadd X-Forwarded-Proto:\ https
    default_backend dc1ntirlv01.domain.com_backend

backend dc1ntirlv01.domain.com_backend
    mode http
    balance roundrobin
    cookie SERVERID insert indirect nocache httponly secure
    server dc1ntiarp01 dc1ntiarp01.domain.com:443 check cookie dc1ntiarp01 ssl crt /etc/haproxy/wildcard.domain1.com.pem
    server dc1ntiarp02 dc1ntiarp02.domain.com:443 check cookie dc1ntiarp02 ssl crt /etc/haproxy/wildcard.domain1.com.pem

frontend dc1ntgilv01.domain.com_frontend
    bind 10.11.115.125:443 ssl crt /etc/haproxy/wildcard.domain.com.pem ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    mode http
    option httpclose
    option forwardfor
    reqadd X-Forwarded-Proto:\ https
    default_backend dc1ntgilv01.domain.com_backend

backend dc1ntgilv01.domain.com_backend
    mode http
    balance roundrobin
    cookie SERVERID insert indirect nocache httponly secure
    server dc1ntgaif01 dc1ntgaif01.domain.com:443 check cookie dc1ntgaif01 ssl crt /etc/haproxy/wildcard.domain.com.pem
    server dc1ntgaif02 dc1ntgaif02.domain.com:443 check cookie dc1ntgaif02 ssl crt /etc/haproxy/wildcard.domain.com.pem

frontend dc1ntgtmv01.domain.com_frontend
    bind 10.11.115.128:443 ssl crt /etc/haproxy/wildcard.domain.com.pem ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    mode http
    option httpclose
    option forwardfor
    reqadd X-Forwarded-Proto:\ https
    default_backend dc1ntgtmv01.domain.com_backend

backend dc1ntgtmv01.domain.com_backend
    mode http
    balance roundrobin
    cookie SERVERID insert indirect nocache httponly secure
    server dc1ntgatm01 dc1ntgatm01.domain.com:443 check cookie dc1ntgatm01 ssl crt /etc/haproxy/wildcard.domain.com.pem
    server dc1ntgatm02 dc1ntgatm02.domain.com:443 check cookie dc1ntgatm02 ssl crt /etc/haproxy/wildcard.domain.com.pem

frontend dc1ntmilv01.domain.com_frontend
    bind 10.11.115.126:443 ssl crt /etc/haproxy/wildcard.domain2.com.pem ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    mode http
    option httpclose
    option forwardfor
    reqadd X-Forwarded-Proto:\ https
    default_backend dc1ntmilv01.domain.com_backend

backend dc1ntmilv01.domain.com_backend
    mode http
    balance roundrobin
    cookie SERVERID insert indirect nocache httponly secure
    server dc1ntmaif01 dc1ntmaif01.domain.com:443 check cookie dc1ntmaif01 ssl crt /etc/haproxy/wildcard.domain2.com.pem
    server dc1ntmaif02 dc1ntmaif02.domain.com:443 check cookie dc1ntmaif02 ssl crt /etc/haproxy/wildcard.domain2.com.pem

listen stats
    bind 10.11.115.110:444 ssl crt /etc/haproxy/wildcard.domain.com.pem ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    mode http
    option httpclose
    option forwardfor
    balance roundrobin
    cookie SERVERID insert indirect nocache httponly secure
    stats uri /
    stats realm Haproxy\ Statistics
    stats refresh 5s
    # stats credentials are stored in cleartext in this file
    stats auth admin:password123
--
Trustpay Global Limited is an authorised Electronic Money Institution
regulated by the Financial Conduct Authority registration number 900043.
Company No 07427913 Registered in England and Wales with registered address
130 Wood Street, London, EC2V 6DL, United Kingdom.
For further details please visit our website at www.trustpayglobal.com.
The information in this email and any attachments are confidential and
remain the property of Trustpay Global Ltd unless agreed by contract. It is
intended solely for the person to whom or the entity to which it is
addressed. If you are not the intended recipient you may not use, disclose,
copy, distribute, print or rely on the content of this email or its
attachments. If this email has been received by you in error please advise
the sender and delete the email from your system. Trustpay Global Ltd does
not accept any liability for any personal view expressed in this message.
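The three questions above all come down to one arithmetic relationship from the HAProxy configuration manual: the first reads on a socket never fill more than tune.bufsize minus tune.maxrewrite, so that difference is the room a complete request or response header block has to fit into. With the default bufsize of 16384 and the historical default maxrewrite of bufsize/2, that room is 8192 bytes, which is the "8k" in the question; lowering maxrewrite to 1024 raises it to 15360 bytes without touching bufsize. The script below is an added example, not code from the original post or from the HAProxy project. It assumes the defaults stated in the manual (bufsize 16384; maxrewrite historically bufsize/2, 1024 in recent releases, always clamped to at most bufsize/2) and that the poster's build still used the old bufsize/2 default, which is consistent with the fix having worked. SAMPLE_CFG is a constructed excerpt modelled on the posted global section; the script name probe.py, the X-Pad header and the 20000-byte target are illustrative choices.

```python
"""Header budget implied by HAProxy's tune.bufsize / tune.maxrewrite.

Added example; not code from the original post or from the HAProxy project.
Assumptions, taken from the HAProxy configuration manual: tune.bufsize
defaults to 16384; tune.maxrewrite historically defaulted to half of
bufsize (recent releases default to 1024) and is clamped to at most
bufsize/2; the first reads on a socket never fill more than
bufsize - maxrewrite, so that is the room a header block has to fit into.
"""
import re
import sys

DEFAULT_BUFSIZE = 16384

# Constructed excerpt modelled on the posted global section.
SAMPLE_CFG = """\
global
    log 127.0.0.1 local0
    maxconn 4096
    #tune.bufsize 32768
    tune.maxrewrite 1024

defaults
    mode http
"""

SECTION_KEYWORDS = ("global", "defaults", "frontend", "backend", "listen")


def default_maxrewrite(bufsize, legacy):
    """Historical default was bufsize/2; newer releases use 1024 (capped)."""
    return bufsize // 2 if legacy else min(1024, bufsize // 2)


def parse_tunables(cfg_text):
    """Collect tune.bufsize / tune.maxrewrite set in the global section.
    Commented-out lines (leading '#') are ignored, as HAProxy ignores them."""
    found = {}
    in_global = False
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword = line.split()[0]
        if keyword in SECTION_KEYWORDS:
            in_global = keyword == "global"
            continue
        m = re.match(r"(tune\.bufsize|tune\.maxrewrite)\s+(\d+)$", line)
        if in_global and m:
            found[m.group(1)] = int(m.group(2))
    return found


def header_budget(cfg_text, legacy_default=True):
    """Return (bufsize, effective maxrewrite, bytes available for headers)."""
    tun = parse_tunables(cfg_text)
    bufsize = tun.get("tune.bufsize", DEFAULT_BUFSIZE)
    maxrewrite = tun.get("tune.maxrewrite",
                         default_maxrewrite(bufsize, legacy_default))
    maxrewrite = min(maxrewrite, bufsize // 2)  # HAProxy clamps it here
    return bufsize, maxrewrite, bufsize - maxrewrite


def bufsize_for(header_bytes, maxrewrite=1024, align=1024):
    """Smallest tune.bufsize, rounded up to `align`, that leaves room for a
    header block of header_bytes plus the maxrewrite reserve (question 2)."""
    need = header_bytes + maxrewrite
    return -(-need // align) * align


def build_probe_request(host, header_bytes, path="/"):
    """Raw HTTP/1.1 request whose header block (request line up to and
    including the terminating blank line) is exactly header_bytes bytes,
    padded with a harmless X-Pad header, for reproducing the limit."""
    fixed = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
             f"Connection: close\r\nX-Pad: ").encode()
    tail = b"\r\n\r\n"
    pad = header_bytes - len(fixed) - len(tail)
    if pad < 0:
        raise ValueError("header_bytes too small for the fixed headers")
    return fixed + b"a" * pad + tail


if __name__ == "__main__":
    before = SAMPLE_CFG.replace("tune.maxrewrite 1024", "")
    print("old default (maxrewrite = bufsize/2):", header_budget(before))
    print("posted config (maxrewrite 1024):     ", header_budget(SAMPLE_CFG))
    print("bufsize needed for 20000-byte headers:", bufsize_for(20000))
    if len(sys.argv) == 3:  # probe.py <host> <bytes> -> raw request on stdout
        sys.stdout.buffer.write(build_probe_request(sys.argv[1], int(sys.argv[2])))
```

Run with no arguments it prints the budget before the change (16384, 8192, 8192) and after it (16384, 1024, 15360), and answers question 2 for a 20000-byte header block: keep maxrewrite at 1024 and raise tune.bufsize to at least 21504. To reproduce the limit against a frontend, `python3 probe.py dc1ntgxlv01.domain.com 9000 | openssl s_client -quiet -connect 10.11.115.116:443` sends a request whose header block is exactly 9000 bytes; a build still on the old default has no room for it, while the posted config accepts it. Note that the same budget applies to response headers coming back from the servers, so a large Set-Cookie or a verbose application header can trigger the failure even when the request is small.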