> The HAProxy is used by normal browsers
> but also from cronjobs with various languages (Perl, Python, C, Go etc.)
>
> I was surprised about this very long inactivity period for TCP
> connection on a system which has reasonable settings for TCP keepalive[3].

This is not what TCP keepalive does. First of all, TCP keepalive will
keep the connection alive as long as the TCP peer on the other side
answers the probe requests (but doesn't enforce a layer 7 inactivity timeout).

Second of all, you would have to specifically enable TCP keepalive via
config "option clitcpka", which you didn't.

TCP keepalives have nothing to do with your problem, nor will they
solve your issue.



> But setting 'timeout tunnel' is not set, and since this HAProxy is
> serving proxy traffic to squid all client/server connections are treated
> as tunnels. Am I right?

No, because you configured "option http-server-close" mode, which means
keep-alive on the client side, *not* tunnel mode. In fact, tunnel mode
would break your forwardfor config.



> For a few of the connections that were in established state (for the old
> process) I ran tcpdump and saw no activity at all. I have attached a
> network trace from one of those and you can see that the client sends
> periodically every 10 min 5 bytes.

According to your configuration, you have a 10 seconds keep-alive timeout,
thus, after 10 seconds of inactivity, the TCP session should close, HOWEVER
you do have some insane timeouts that may affect the session anyway:

> timeout queue 1m
> timeout client 30m
> timeout server 30m

Bring 'em down to 5 seconds each, not more.

Upgrade HAProxy to latest 1.5 stable. There is a decent amount of fixes
since 1.5.6.

If it still doesn't time out, connect to the unix domain socket of your old
process (you will have to change socket path before reloading to avoid)
and issue "show sess".




Regards,

Lukas
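
An added example, not part of Lukas's message or of HAProxy itself: a small Python audit of the directives discussed in this thread. The sample configuration is constructed from the values quoted above, the 5-second limit is the figure suggested in the reply, and the function names are hypothetical; section scoping (defaults/frontend/backend) is ignored, so a later value overwrites an earlier one.

```python
import re

# Units accepted in HAProxy time values; a bare number means milliseconds.
UNITS_MS = {"us": 0.001, "ms": 1, "s": 1000, "m": 60_000,
            "h": 3_600_000, "d": 86_400_000}

def to_ms(value):
    """Convert an HAProxy time value such as '30m' or '5000' to milliseconds."""
    m = re.fullmatch(r"(\d+)(us|ms|s|m|h|d)?", value)
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * UNITS_MS[m.group(2) or "ms"]

def audit(cfg_text, limit_ms=5000):
    """Return (timeouts, options, findings) for a haproxy.cfg fragment."""
    timeouts, options, findings = {}, set(), []
    for raw in cfg_text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(words) >= 3 and words[0] == "timeout":
            timeouts[words[1]] = to_ms(words[2])
        elif len(words) >= 2 and words[0] == "option":
            options.add(words[1])
    # Timeouts the reply calls out as too long.
    for name in ("queue", "client", "server"):
        if timeouts.get(name, 0) > limit_ms:
            findings.append(f"timeout {name} is {timeouts[name] // 1000}s, "
                            f"above {limit_ms // 1000}s")
    # TCP keepalive toward clients is off unless one of these options is set.
    if not options & {"clitcpka", "tcpka"}:
        findings.append("option clitcpka absent: no TCP keepalive on client side")
    return timeouts, options, findings

# Constructed sample built from the values quoted in the thread.
SAMPLE = """
defaults
    mode http
    option http-server-close
    option forwardfor
    timeout http-keep-alive 10s
    timeout queue 1m
    timeout client 30m   # quoted in the thread
    timeout server 30m
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE)[2]:
        print(finding)
```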

                                          
