On Wed, Jul 23, 2014 at 4:24 PM, Cyril Bonté <[email protected]> wrote:

> On 23/07/2014 22:07, Tamim Khan wrote:
>
>> That setting seems to have fixed our lockup problem. Unfortunately,
>> much like the docs say, since the setting only processes the first
>> request and just tunnels the rest. This prevents us from using "option
>> forwardfor" which is required by our application.
>>
>
> Indeed, and with your configuration, that was already not the case with
> haproxy 1.4.18, where the X-Forwarded-For header was only added on the
> first request in the connection.
> Switching to 1.5.2 has the advantage of fixing your configuration
> transparently.


Yup you are right. Sorry, I should have been more clear in my last email.
We were not using the forwardfor option until our attempt to upgrade to
1.5.2. When we ran into the issues above we tried removing our 1.5.2
specific features (SSL frontend) and tried our config on 1.4.18 in order to
see if the issue was related to the new features we were using or as a
result of the upgrade. During this process, we neglected to test if
forwardfor was actually working on 1.4.18. In any case, we would like the
forwardfor option to work for all requests after our upgrade to 1.5.2.

>> From reading the docs, it seems like keep alives to the backend should
>> be enabled by default in the default mode of "http-keep-alive". Is this
>> not the case? If not then what do we need to do in order to enable keep
>> alives on the backend and keep the X-Forwarded-For header?
>

> This is the case, but your configuration doesn't stick on a server for
> successive requests (no cookie, round robin load balancing algorithm used,
> ...).
> You may require "option prefer-last-server" [1]
>
> [1] http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#option%20prefer-last-server
>
>
> --
> Cyril Bonté
>

That setting certainly seems to have helped. We also looked into our logs
and saw that our nf_conntrack table was getting full. After adjusting that
along with our number of usable ports our lockup problems seem to have been
resolved.

Thank you guys for your help!
