Hi all! Just joined, newbie :-) ...and immediately poking with a question. I have HAProxy 1.5.2 installed from RHEL 7 EPEL; the `haproxy -vv` output is below. The first frontend NATs traffic to backend servers, and the second frontend uses app servers with public IPs.

Question: What am I messing up in the config? (IP numbers are imaginary, not real.) When I go to http://200.200.200.111 and http://200.200.200.222, and press F5 (refresh) on Firefox a few times, I end up with 4 cookies instead of 2. I presume I should have: cookie SERVICE_1 for service/site 200.200.200.111 and cookie SERVICE_2 for service/site 200.200.200.222. But instead I end up having both cookies SERVICE_1 and SERVICE_2 for both services/sites, 4 in total. The values of the cookies are valid and sane. The end result is that this setup does not work with these erroneous cookies.

```
global
    daemon                              # disable only when debugging
    description "HA LB"
    log 127.0.0.1 local0                # configure local0 in /etc/rsyslog.d/*.conf
    pidfile /run/haproxy.pid
    chroot /var/lib/haproxy
    stats socket /var/lib/haproxy/stats user root group haproxy mode 640 level operator
    spread-checks 5                     # distribute health check with N% of randomness
    maxcompcpuusage 60                  # default 100 uses all CPU cycles for compression, if needed
    user haproxy                        # default is 'haproxy'
    group haproxy                       # default is 'haproxy'
    tune.http.cookielen 63              # default: 63
    tune.ssl.cachesize 20000            # default: 20000
    tune.ssl.default-dh-param 2048      # default: 1024
    # set these maxconnxxx settings on frontends, too
    maxconnrate 10                      # new connections per second
    maxsslrate 10                       # new connections per second
    maxconn 1000                        # this is dependent on Linux ulimit, so set it, too!

defaults
    backlog 2000                        # related to maxconn; verify correct value
    log global                          # by default log where global settings say to
    balance source                      # default LB algorithm for backends for good persistence
    retries 3
    ### Hint: It would be nice to define these as defaults here for SSL frontends...
    #no-sslv3
    #crt /etc/pki/tls/key_and_crt_chained.pem
    #ciphers ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:AES256-SHA
    timeout connect 20s
    timeout server 30s
    timeout client 30s
    timeout check 1s                    # inter uses this as timeout
    timeout http-request 10s
    # timeout http-keep-alive 10s
    # timeout queue 45s
    # timeout tarpit 60s                # only utilised by reqtarpit for DDoS remedy
    option redispatch                   # any server can handle any session by default
    option abortonclose                 # abort request if client closes output channel while waiting
    option dontlognull                  # do not log empty probes
    option http-server-close            # close backend, but keep client connection alive
    option tcp-smart-accept             # performance tweak; use if it works with clients
    option tcp-smart-connect            # performance tweak; use if it works with clients

# ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ service 1 - NATed servers
frontend service_1_outside_80
    mode http
    bind 200.200.200.111:80 name outside_VIP1_80
    maxconn 1000
    reqadd X-Forwarded-Proto:\ http
    option forwardfor except 127.0.0.0/8    # auto-insert "X-Forwarded-For"
    default_backend service_1_inside

backend service_1_inside
    mode http
    balance roundrobin                  # source roundrobin leastconn ...
    stick-table type string len 32 size 100k expire 1h store conn_cur,conn_rate(60s)
    stick on cookie(SERVICE_1)
    cookie SERVICE_1 insert indirect maxlife 1h
    default-server maxconn 1000 weight 100 inter 2s fastinter 700ms downinter 10s fall 3 rise 2
    server App_101 10.10.10.101:80 cookie app101 check
    server App_102 10.10.10.102:80 cookie app102 check
    http-check disable-on-404
    option httpchk GET /

# ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ service 2 - Direct servers
frontend service_2_outside_80
    mode http
    bind 200.200.200.222:80 name outside_VIP2_80
    maxconn 1000
    reqadd X-Forwarded-Proto:\ http
    option forwardfor except 127.0.0.0/8    # auto-insert "X-Forwarded-For"
    default_backend service_2_inside

backend service_2_inside
    mode http
    balance roundrobin
    stick-table type string len 32 size 100k expire 1h store conn_cur,conn_rate(60s)
    stick on cookie(SERVICE_2)
    cookie SERVICE_2 insert indirect maxlife 1h
    default-server maxconn 1000 weight 100 inter 2s fastinter 700ms downinter 10s fall 3 rise 2
    server App_141 200.200.200.141:80 cookie app141 check
    server App_142 200.200.200.142:80 cookie app142 check
    http-check disable-on-404
    option httpchk GET /
```

```
$ haproxy -vv
HA-Proxy version 1.5.2 2014/07/12
Copyright 2000-2014 Willy Tarreau <[email protected]>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.
```
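An added example, not part of the original post, that models the cookie scoping the poster expects. It feeds constructed `Set-Cookie` headers for the two VIPs from the post into Python's standard `http.cookiejar.CookieJar` (which applies the same host scoping a browser does) and reports which cookie names the client would send back to each VIP. The cookie values `app101`/`app141` and the `name=value; path=/` header layout are assumptions made for the example, not captured HAProxy output. The second scenario reproduces the symptom described in the post (both names on both sites, 4 cookies in total) and shows what a standards-compliant client must have received for that to happen.

```python
"""Constructed example (not from the original post): which persistence cookies
does a standards-compliant client send back to each HAProxy VIP?"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

VIP1 = "http://200.200.200.111/"   # service 1 VIP from the post
VIP2 = "http://200.200.200.222/"   # service 2 VIP from the post


class FakeResponse:
    """Minimal stand-in for an HTTP response; CookieJar only needs .info()."""

    def __init__(self, set_cookie_headers):
        self._msg = Message()
        for hdr in set_cookie_headers:          # constructed Set-Cookie lines
            self._msg.add_header("Set-Cookie", hdr)

    def info(self):
        return self._msg


def visit(jar, url, set_cookie_headers):
    """One request/response round trip: attach the cookies the jar holds for
    this host, then store whatever the (simulated) server set."""
    req = Request(url)
    jar.add_cookie_header(req)                  # only cookies scoped to url's host
    sent = req.get_header("Cookie")             # None on the first visit
    jar.extract_cookies(FakeResponse(set_cookie_headers), req)
    return sent


def cookies_seen_by(jar, url):
    """Sorted cookie names the jar would attach to a request for url."""
    req = Request(url)
    jar.add_cookie_header(req)
    hdr = req.get_header("Cookie") or ""
    return sorted(part.split("=", 1)[0].strip()
                  for part in hdr.split(";") if part.strip())


def expected_behaviour():
    """What the post expects: each VIP sets only its own cookie, so on refresh
    the client sends SERVICE_1 to VIP1 and SERVICE_2 to VIP2, 2 cookies total."""
    jar = CookieJar()
    visit(jar, VIP1, ["SERVICE_1=app101; path=/"])   # assumed value format
    visit(jar, VIP2, ["SERVICE_2=app141; path=/"])
    return len(jar), {VIP1: cookies_seen_by(jar, VIP1),
                      VIP2: cookies_seen_by(jar, VIP2)}


def observed_symptom():
    """The symptom from the post modelled: if each VIP's responses carry BOTH
    Set-Cookie headers, a compliant jar stores them per host (4 cookies) and
    sends both names to each VIP.  The jar never copies a cookie set by one
    IP to the other, so this is the only way to reach 4 in this model."""
    jar = CookieJar()
    both = ["SERVICE_1=app101; path=/", "SERVICE_2=app141; path=/"]
    visit(jar, VIP1, both)
    visit(jar, VIP2, both)
    return len(jar), {VIP1: cookies_seen_by(jar, VIP1),
                      VIP2: cookies_seen_by(jar, VIP2)}


if __name__ == "__main__":
    print("expected:", expected_behaviour())
    print("symptom: ", observed_symptom())
```

Because the jar keys cookies by the host that set them, the total of 4 in the symptom scenario only arises when each VIP's own responses deliver both `Set-Cookie` names; the client does not cross-send between the two IPs. That makes the `Set-Cookie` headers actually returned by each VIP (as seen in the browser's network tools) the first thing to compare against what each backend's `cookie ... insert` line is supposed to emit.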

