We have some odd bug.. haproxy seems to work fine locally - but when we
access from "internet hosts" and not local hosts, using the public IP -
haproxy says:
    188.40.40.69:40599 [25/Nov/2014:13:07:50.359] pbutik pbutik/<NOSRV> -1/-1/-1/-1/31 408 0 - - cR-- 0/0/0/0/0 0/0 "<BADREQ>"
(this public IP is a server in Germany).
We sniffed the request, and according to wireshark the client sends:
    GET / HTTP/1.1
    Host: pbutikken-test.kk.dk
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache
a few milliseconds after having established the connection (syn,
syn-ack), and then haproxy immediately responds with a RST and logs the
<BADREQ> line..
our haproxy config:
    defaults
        log global
        maxconn 8000
        option redispatch
        retries 3
        stats enable
        timeout http-request 10s
        timeout queue 1m
        timeout connect 10s
        timeout client 1m
        timeout server 1m
        timeout check 10s

    frontend pbutik
        bind 10.10.151.130:443 ssl crt /etc/haproxy/pbutikken.kk.dk.combined.pem ciphers RC4-SHA:AES128-SHA:AES256-SHA no-sslv3
        bind 10.10.151.130:80
        mode http
        acl accessok src -f /etc/haproxy/accessok-ips
        acl is_pbutikken hdr_end(host) -i pbutikken.example.dk
        acl is_pbutikken_pre hdr_end(host) -i pbutikken-pre.example.dk
        acl is_pbutikken_test hdr_end(host) -i pbutikken-test.example.dk
        balance roundrobin
        default_backend varnish-dmz
        errorfile 408 /dev/null
        option httplog
        option accept-invalid-http-request
        reqadd X-Forwarded-Proto:\ https if { ssl_fc }
        tcp-request connection reject if !accessok
        timeout client 30
        use_backend pbutik-pre if is_pbutikken_pre
        use_backend pbutik-prod if is_pbutikken
        use_backend pbutik-test if is_pbutikken_test
--
Regards,
Klavs Klavsen, GSEC - [email protected] - http://www.vsen.dk - Tlf. 61281200
"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer
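
An added example, not part of the original message and not HAProxy's own code: a decoder for the httplog line quoted above that names the termination state and converts the frontend's effective timeout values to milliseconds for comparison with Tt. Field order and state codes follow HAProxy's documented HTTP log format, and a timeout with no unit suffix is read as milliseconds; the function and variable names are assumptions.

```python
import re

# The log line quoted in the post, joined back onto one line.
LOG = ('188.40.40.69:40599 [25/Nov/2014:13:07:50.359] pbutik pbutik/<NOSRV> '
       '-1/-1/-1/-1/31 408 0 - - cR-- 0/0/0/0/0 0/0 "<BADREQ>"')

# "option httplog" layout: client [date] frontend backend/server
# Tq/Tw/Tc/Tr/Tt status bytes cookies term_state conns queues "request"
HTTPLOG = re.compile(
    r'(?P<client>\S+) \[(?P<date>[^\]]+)\] (?P<frontend>\S+) '
    r'(?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<timers>[-+\d]+(?:/[-+\d]+){4}) (?P<status>-?\d+) (?P<bytes>\+?\d+) '
    r'\S+ \S+ (?P<term>\S{4}) \d+(?:/\d+){4} \d+/\d+ "(?P<request>.*)"$')

# First two termination-state characters (subset of the documented codes).
CAUSE = {'C': 'client aborted', 'S': 'server aborted or refused',
         'P': 'proxy ended the session', 'c': 'client-side timeout expired',
         's': 'server-side timeout expired', '-': 'normal completion'}
PHASE = {'R': 'waiting for a complete request from the client',
         'Q': 'waiting in queue', 'C': 'connecting to server',
         'H': 'waiting for response headers', 'D': 'data transfer',
         '-': 'normal completion'}
UNIT_MS = {None: 1, 'ms': 1, 's': 1000, 'm': 60000, 'h': 3600000, 'd': 86400000}

# Effective frontend values from the posted config (frontend overrides defaults).
EFFECTIVE = {'timeout http-request': '10s', 'timeout client': '30'}

def to_ms(value):
    """Convert a HAProxy time value to ms; a bare number is milliseconds."""
    number, unit = re.fullmatch(r'(\d+)(ms|s|m|h|d)?', value).groups()
    return int(number) * UNIT_MS[unit]

def decode(line):
    """Split one httplog line into the fields needed for triage."""
    f = HTTPLOG.match(line).groupdict()
    timers = [int(t.lstrip('+')) for t in f['timers'].split('/')]
    return {'client': f['client'], 'server': f['server'],
            'status': int(f['status']), 'Tq': timers[0], 'Tt': timers[4],
            'cause': CAUSE.get(f['term'][0], 'unknown'),
            'phase': PHASE.get(f['term'][1], 'unknown')}

def timeouts_reached(tt_ms, settings):
    """Names of configured timeouts already elapsed after tt_ms milliseconds."""
    return [name for name, val in settings.items() if to_ms(val) <= tt_ms]

if __name__ == '__main__':
    entry = decode(LOG)
    print(entry)
    print(timeouts_reached(entry['Tt'], EFFECTIVE))
```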