On 13.03.2015 18:44, Lukas Tribus wrote:
>> What version of haproxy are you using ? (And what OS) ?
>>
>>> In the first frontend I set:
>>> server clear /var/lib/haproxy/test send-proxy
>>>
>>> In the second frontend I set:
>>> bind /var/lib/haproxy/test accept-proxy
>>
>> Are you able to connect to the /var/lib/haproxy/test socket with
>> netcat or socat ? And/or do you have chroot in haproxy.cfg ?
> 
> Also if you drop privileges, check permission with the haproxy user.
> 
> If supported by your kernel, you could use abstract namespaces
> instead.

According to the documentation abstract namespaces are not recommended
when using nbproc > 1. The reason I'm dealing with unix sockets at all
is that I want to get around the problem of losing the stick table
content on reload I posted about in another mail. The idea is to run two
instances: one with nbproc > 1 for SSL offloading that forwards the
requests to a second instance which uses nbproc = 1 and contains the HTTP
frontend and a backend. In theory this should allow me to reload the
config of the backend instance without losing the stick table content.

I'm using chroot /var/lib/haproxy but the behavior is the same without
this directive. Either way a socket gets created as
/var/lib/haproxy/test as intended, but for some reason I keep getting 503
when using the unix socket, while everything works fine when using abstract
namespaces or an IP address.

I've attached the configuration and the debug output in case that helps
to pinpoint the issue.

Regards,
   Dennis

[root@centos7web ~]# haproxy -d -f /etc/haproxy/haproxy-ssl.cfg 
Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result FAILED
Total: 3 (2 usable), will use epoll.
Using epoll() as the polling mechanism.
00000000:front-https.accept(0004)=0008 from [10.99.0.1:45947]
00000000:front-https.clireq[0008:ffffffff]: GET /health.txt HTTP/1.1
00000000:front-https.clihdr[0008:ffffffff]: Host: 10.99.0.202
00000000:front-https.clihdr[0008:ffffffff]: User-Agent: Mozilla/5.0 (X11; Linux 
x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
00000000:front-https.clihdr[0008:ffffffff]: Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
00000000:front-https.clihdr[0008:ffffffff]: Accept-Language: en-US,en;q=0.5
00000000:front-https.clihdr[0008:ffffffff]: Accept-Encoding: gzip, deflate
00000000:front-https.clihdr[0008:ffffffff]: X-Forwarded-For: 64.30.224.26
00000000:front-https.clihdr[0008:ffffffff]: Connection: keep-alive
00000000:front-https.clihdr[0008:ffffffff]: Cache-Control: max-age=0
00000000:front-https.clicls[0008:0009]
00000000:front-https.closed[0008:0009]

# Process-wide settings for the SSL-offloading instance (haproxy-ssl.cfg).
# It terminates TLS on 10.99.0.202:443 (see front-https below) and hands
# requests to the plain-HTTP side over a unix socket.
global
    # 'debug' is the most verbose syslog level and logs full request detail;
    # lower it (e.g. 'info') once the socket problem is resolved.
    log         127.0.0.1 local2 debug
    log-tag     haproxy-ssl

    # chroot disabled for this test; the author reports the same 503 with it on.
    # NOTE(review): bind sockets are created before chroot() but server
    # connect()s happen after it, so with chroot enabled the server path in
    # front-https would have to be given relative to the jail — confirm
    # against the manual for the version in use.
#    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy-haproxy-ssl.pid
    maxconn     4000
    # privileges are dropped to this account; socket paths must be reachable
    # by it after the drop.
    user        haproxy
    group       haproxy
    daemon
    # single process here for the test; the design described in the mail
    # runs the SSL instance with nbproc > 1.
    nbproc      1
    # NOTE(review): 1024-bit DH parameters are considered weak; 2048 is the
    # usual minimum when DHE cipher suites are offered.
    tune.ssl.default-dh-param 1024

# Shared by front-https, front1 and back1 below.
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    # Appends the peer address to X-Forwarded-For; it does not remove a value
    # the client already sent (the debug trace shows a client-supplied
    # X-Forwarded-For arriving on front-https). NOTE(review): if clients are
    # untrusted, delete the header on the public bind before it is appended
    # to (e.g. `http-request del-header X-Forwarded-For`), or have the backend
    # trust only the last address in the list.
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

# TLS termination. The active server line forwards decrypted requests over a
# unix socket with the PROXY protocol so that front1 sees the real client
# address instead of the socket peer.
listen front-https
    bind 10.99.0.202:443 ssl crt /etc/pki/tls/certs/crt.chain.pem
    # set-header replaces any client-supplied X-Forwarded-Proto, so back1 can
    # rely on this value for requests that came in over TLS.
    http-request set-header X-Forwarded-Proto https
    # Alternatives the author reports as working (abstract namespace, loopback
    # TCP); only the filesystem unix socket variant returns 503.
    #server clear abns@ssl-proxy send-proxy
    server clear /var/lib/haproxy/test send-proxy
    #server clear 127.0.0.1:8081 send-proxy

# Plain-HTTP entry point. Port 80 is reachable directly by clients; the unix
# socket is only meant to be reached from front-https.
frontend front1
    # NOTE(review): nothing on this bind sets X-Forwarded-Proto, so a value
    # supplied by a port-80 client is passed through to back1 unchanged.
    bind 10.99.0.202:80
    #bind abns@ssl-proxy accept-proxy
    # accept-proxy: the client address is taken from the PROXY header sent by
    # front-https; a peer that does not send one is rejected.
    bind /var/lib/haproxy/test accept-proxy
    #bind 127.0.0.1:8081 accept-proxy
    default_backend back1

# Single web server backend with source-IP stickiness. This is the stick
# table whose contents the author wants to keep across reloads.
backend back1
    mode http
    balance     roundrobin
    # Health check: GET /health.txt with an explicit Host header; the server
    # is considered up only if the response body contains "alive".
    option httpchk GET /health.txt HTTP/1.1\r\nHost:\ 10.99.0.1
    http-check expect string alive

    stick-table type ip size 200k expire 30m
    # For connections arriving via the unix socket, src is the client address
    # carried in the PROXY header (accept-proxy on front1); for direct :80
    # connections it is the TCP peer.
    stick on src

    server websvr2 10.99.0.202:8080 check
