On 13.03.2015 18:44, Lukas Tribus wrote:
>> What version of haproxy are you using ? (And what OS) ?
>>
>>> In the first frontend I set:
>>> server clear /var/lib/haproxy/test send-proxy
>>>
>>> In the second frontend I set:
>>> bind /var/lib/haproxy/test accept-proxy
>>
>> Are you able to connect to the /var/lib/haproxy/test socket with
>> netcat or socat ? And/or do you have chroot in haproxy.cfg ?
>
> Also if you drop privileges, check permission with the haproxy user.
>
> If supported by your kernel, you could use abstract namespaces
> instead.
According to the documentation, abstract namespaces are not recommended when using nbproc > 1.

The reason I'm dealing with unix sockets at all is that I want to get around the problem of losing the stick table content on reload that I posted about in another mail. The idea is to run two instances: one with nbproc > 1 for ssl offloading that forwards the requests to the second instance, which is using nbproc = 1 and contains the http frontend and a backend. In theory this should allow me to reload the config of the backend instance without losing the stick table content.

I'm using chroot /var/lib/haproxy, but the behavior is the same without this directive. Either way a socket gets created as /var/lib/haproxy/test as intended, but for some reason I keep getting 503 when using a unix socket, while everything works fine when using abstract namespaces or an ip address.

I've attached the configuration and the debug output in case that helps to pinpoint the issue.

Regards,
Dennis
[root@centos7web ~]# haproxy -d -f /etc/haproxy/haproxy-ssl.cfg
Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result FAILED
Total: 3 (2 usable), will use epoll.

Using epoll() as the polling mechanism.
00000000:front-https.accept(0004)=0008 from [10.99.0.1:45947]
00000000:front-https.clireq[0008:ffffffff]: GET /health.txt HTTP/1.1
00000000:front-https.clihdr[0008:ffffffff]: Host: 10.99.0.202
00000000:front-https.clihdr[0008:ffffffff]: User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
00000000:front-https.clihdr[0008:ffffffff]: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
00000000:front-https.clihdr[0008:ffffffff]: Accept-Language: en-US,en;q=0.5
00000000:front-https.clihdr[0008:ffffffff]: Accept-Encoding: gzip, deflate
00000000:front-https.clihdr[0008:ffffffff]: X-Forwarded-For: 64.30.224.26
00000000:front-https.clihdr[0008:ffffffff]: Connection: keep-alive
00000000:front-https.clihdr[0008:ffffffff]: Cache-Control: max-age=0
00000000:front-https.clicls[0008:0009]
00000000:front-https.closed[0008:0009]
global
    log 127.0.0.1 local2 debug
    log-tag haproxy-ssl
    # chroot /var/lib/haproxy
    pidfile /var/run/haproxy-haproxy-ssl.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon
    nbproc 1
    tune.ssl.default-dh-param 1024

defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000

listen front-https
    bind 10.99.0.202:443 ssl crt /etc/pki/tls/certs/crt.chain.pem
    http-request set-header X-Forwarded-Proto https
    #server clear abns@ssl-proxy send-proxy
    server clear /var/lib/haproxy/test send-proxy
    #server clear 127.0.0.1:8081 send-proxy

frontend front1
    bind 10.99.0.202:80
    #bind abns@ssl-proxy accept-proxy
    bind /var/lib/haproxy/test accept-proxy
    #bind 127.0.0.1:8081 accept-proxy
    default_backend back1

backend back1
    mode http
    balance roundrobin
    option httpchk GET /health.txt HTTP/1.1\r\nHost:\ 10.99.0.1
    http-check expect string alive
    stick-table type ip size 200k expire 30m
    stick on src
    server websvr2 10.99.0.202:8080 check
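Lukas's suggestion to test the socket with netcat or socat, carried a step further as an added example (not part of the thread and not haproxy code): this probe connects to a "bind <path> accept-proxy" listener the way "server ... send-proxy" does, prefixing the request with a PROXY protocol v1 line, and reports the status line it gets back; it also checks the path is a socket and shows its mode so a permission problem for the haproxy user is visible before connecting. The fake listener is a constructed stand-in for the front1 frontend used only for a self-test; the IPs, ports and /health.txt request are the ones from the debug output.

```python
import os
import socket
import stat
import tempfile
import threading

REQUEST = b"GET /health.txt HTTP/1.1\r\nHost: 10.99.0.202\r\n\r\n"


def proxy_v1_line(src_ip, dst_ip, src_port, dst_port):
    """PROXY protocol v1 header as emitted by send-proxy (TCP4 form only)."""
    return f"PROXY TCP4 {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode()


def socket_status(path):
    """Return (is_socket, permission bits) so a wrong type or mode is visible."""
    st = os.stat(path)
    return stat.S_ISSOCK(st.st_mode), stat.S_IMODE(st.st_mode)


def probe(path, request=REQUEST, timeout=2.0):
    """Connect to the unix socket, send PROXY line + request, return the status line."""
    is_sock, _mode = socket_status(path)
    if not is_sock:
        raise ValueError(f"{path} is not a unix socket")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(path)  # fails with EACCES if the haproxy user cannot open it
        s.sendall(proxy_v1_line("10.99.0.1", "10.99.0.202", 45947, 443) + request)
        data = s.recv(4096)
    return data.split(b"\r\n", 1)[0].decode()


def fake_accept_proxy_listener(path):
    """Constructed stand-in for an accept-proxy bind: 200 if the first line is a
    PROXY header, 400 otherwise. Serves one connection in a background thread."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            first = conn.recv(4096).split(b"\r\n", 1)[0]
            ok = first.startswith(b"PROXY TCP4 ")
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n" if ok
                         else b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()


def self_test():
    """Run the probe against the fake listener on a temporary socket path."""
    path = os.path.join(tempfile.mkdtemp(), "test")
    fake_accept_proxy_listener(path)
    return probe(path)
```

Against a real instance, run probe("/var/lib/haproxy/test") as the haproxy user; a connect error points at permissions or chroot path resolution, while a 503 with a successful connect points at the backend side.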