On Wed, Jun 4, 2014 at 6:05 PM, Kevin Maziere <ke...@kbrwadventure.com> wrote:
>
>
>
> 2014-06-04 17:10 GMT+02:00 Nenad Merdanovic <ni...@nimzo.info>:
>>
>> Hello Kevin,
>>
>> On 06/04/2014 05:05 PM, Willy Tarreau wrote:
>> > On Wed, Jun 04, 2014 at 04:49:53PM +0200, Kevin Maziere wrote:
>> >>> Anyway, from the various reports we get, it seems like sending an
>> >>> empty
>> >>> 408 message is enough to workaround this abnormal Chrome behaviour.
>> >>> For
>> >>> this you can proceed like this :
>> >>>
>> >>>      errorfile 408 /dev/null
>> >>>
>> >>> After days of tests it appears that 408 error pages are still happening,
>> >>> but
>> >> less frequently.
>> >> I don't know how but I can see them on my logs and on my browser.
>> >
>> > In the logs it's perfectly normal as haproxy reports what has been done,
>> > but in the browser, it's really not possible since the error message was
>> > replaced with the contents of /dev/null. What might happen is either
>> > that
>> > some requests go to another haproxy or another server which still emits
>> > the error, or that such errors were abusively cached by the client which
>> > reports them on closed connection.
>> >
>> > Regards,
>> > Willy
>> >
>> >
>>
>> Can you post your latest configuration?
>> Here is my conf :
>
>
> # Configuration for haproxy1.5
>
> global
>       log 127.0.0.1   local0
>       log 127.0.0.1   local1 notice
>       maxconn 15000
>
>       #debug
>       #quiet
>       user haproxy
>       group haproxy
>
> defaults
>         log     global
>         mode    http
>         option  httplog
>         #option  dontlognull
>         retries 5
>         option redispatch
>         maxconn 15000
>         option forwardfor
>         timeout server  30m
>         timeout connect 5s
>         timeout client  10s
>         timeout http-keep-alive 5s
>         timeout http-request 8s
>
> # Application Frontend
>
> frontend ipv4-127.0.0.1-80
>   bind 172.16.0.1:80
>   redirect scheme https code 301 if !{ ssl_fc }
>
> frontend ipv4-127.0.0.1-443
>   bind 172.16.0.1:443 ssl crt /etc/haproxy/certs/wildcard.pem ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:RC4-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!EDH
>   rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
>
>   reqadd X-Forwarded-Proto:\ https
>   option http-server-close
>   default_backend ipv4-80
>
>
> frontend ipv4-172_16_0_126-80
>   bind 172.16.0.126:80
>   redirect scheme https code 301 if !{ ssl_fc }
>
> frontend ipv4-172_16_0_126-443
>   bind 172.16.0.126:443 ssl crt /etc/haproxy/certs/wildcard.pem ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:RC4-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!EDH
>   rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
>
>   reqadd X-Forwarded-Proto:\ https
>   option http-server-close
>   default_backend ipv4-80
>
>
> frontend ipv6-2000_00_00_00-80
>   bind 2000:00:00::0:80
>   redirect scheme https code 301 if !{ ssl_fc }
>
> frontend ipv6-2000_00_00_00-443
>   bind 2000:00:00::0:443 ssl crt /etc/haproxy/certs/wildcard.pem ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:RC4-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!EDH
>   rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
>
>   reqadd X-Forwarded-Proto:\ https
>   option http-server-close
>   default_backend ipv6-80
>
>
> frontend ipv6-2000_11_11_11-80
>   bind 2000:11:11::1:80
>   redirect scheme https code 301 if !{ ssl_fc }
>
> frontend ipv6-2000_11_11_11-443
>   bind 2000:11:11::1:443 ssl crt /etc/haproxy/certs/wildcard.pem ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:RC4-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!EDH
>   rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
>
>   reqadd X-Forwarded-Proto:\ https
>   option http-server-close
>   default_backend ipv6-80
>
>
>
>
>
> # Application Backend
> backend ipv4-80
>       balance roundrobin
>       server pubwebsite01 172.16.0.116:80 weight 1 check inter 5000 rise 2 fall 5
>       server pubwebsite02 172.16.0.123:80 weight 1 check inter 5000 rise 2 fall 5
>
> backend ipv6-80
>       balance roundrobin
>       server pubwebsite01 2000:22:22::22:80 weight 1 check inter 5000 rise 2 fall 5
>       server pubwebsite02 2000:22:22::23:80 weight 1 check inter 5000 rise 2 fall 5
>
>
>
> listen admin 172.16.0.126:1234
>       mode http
>       stats uri /
>
> # For Chrome : https://code.google.com/p/chromium/issues/detail?id=85229#c33 and ML haproxy
> errorfile 408 /dev/null
>
>>
>> Regards,
>> --
>> Nenad Merdanovic | PGP: 0x423edcb2 | Web: http://nimzo.info
>> Linkedin: http://www.linkedin.com/in/nenadmerdanovic
>
>


Kevin,

You should add this directive in your defaults section:
 errorfile 408 /dev/null

Cause in your current configuration it applies to your stats page only!

Baptiste
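
The scoping problem pointed out above can be checked mechanically. The following is an added example, not part of the thread and not HAProxy code: a small Python checker that resolves which proxy sections an `errorfile` directive actually covers, using a constructed sample reduced from the quoted configuration. The function names are hypothetical, and the parser assumes `#` only ever starts a comment.

```python
SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}

# Constructed sample, reduced from the configuration quoted in the thread.
SAMPLE = """\
defaults
    mode http
    timeout http-request 8s

frontend ipv4-172_16_0_126-443
    bind 172.16.0.126:443
    default_backend ipv4-80

backend ipv4-80
    server pubwebsite01 172.16.0.116:80

listen admin 172.16.0.126:1234
    mode http
    stats uri /

# comment at column 0: the next line still belongs to "listen admin"
errorfile 408 /dev/null
"""

def errorfile_scope(config, code="408"):
    """Map each proxy section to its effective errorfile for `code`, or None."""
    inherited, kind, current = None, None, None
    result = {}
    for raw in config.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] in SECTIONS:
            kind, current = words[0], " ".join(words[:2])
            if kind == "defaults":
                inherited = None          # each defaults section starts fresh
            elif kind != "global":
                result[current] = inherited
        elif words[:2] == ["errorfile", code] and len(words) >= 3:
            if kind == "defaults":
                inherited = words[2]      # applies to the proxies that follow
            elif current in result:
                result[current] = words[2]  # applies to this section only
    return result

def missing_408(config):
    """Client-facing sections that would still send the built-in 408 page."""
    scope = errorfile_scope(config)
    return [s for s, f in scope.items() if f is None and not s.startswith("backend")]

if __name__ == "__main__":
    print(missing_408(SAMPLE))
```

Indentation carries no meaning in this format: a directive belongs to the most recent section header, which is why the unindented `errorfile` line at the end of the file is scoped to `listen admin`.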
