Hi all,

We are running HAProxy on our Docker / Swarm / Weave cluster also featuring Weave-DNS for service discovery between the containers in the cluster. We are deploying fairly often to the cluster for both dev and stage environments and were very happy to see the DNS Resolvers feature introduced with HAProxy 1.6. Problem is that I cannot seem to get this feature to work with our setup. HAProxy never picks up a DNS change as it is supposed to, so when a container is redeployed the backend will go down whenever the container gets assigned a new IP from Weave.

Weave-DNS is available on every node in the cluster on IP 172.17.42.1 and I can
resolve all the internal DNS names using the resolver at this address to the
correct IP from inside the container running HAProxy. The DNS changes
immediately when a container is redeployed and gets assigned a new IP.

A simplified and anonymised version of our HAProxy config:

    defaults
        log global
        option httplog
        option dontlognull
        option log-health-checks
        option httpchk
        mode http
        option http-server-close
        timeout connect 7s
        timeout client 10s
        timeout server 10s
        timeout check 5s

    resolvers weave-dns
        nameserver dns1 172.17.42.1:53
        timeout retry 1s
        hold valid 10s

    frontend http-in
        bind *:80
        acl acl_domain1 hdr(host) -i domain1.io
        use_backend backend_domain1 if acl_domain1
        acl acl_domain2 hdr(host) -i domain2.io
        use_backend backend_domain2 if acl_domain2

    frontend https-in
        bind *:443 ssl crt /data/ssl-certs/
        reqadd X-Forwarded-Proto:\ https
        acl acl_domain1 hdr(host) -i domain1.io
        use_backend backend_domain1 if acl_domain1
        acl acl_domain2 hdr(host) -i domain2.io
        use_backend backend_domain2 if acl_domain2

    backend backend_domain1
        server domain1-server domain1.weave.local:80 check inter 1000 resolvers weave-dns resolve-prefer ipv4

    backend backend_domain2
        server domain2-server domain2.weave.local:80 check inter 1000 resolvers weave-dns resolve-prefer ipv4

Is there any reason why the server check should not pick up the DNS change and
update HAProxy with the new IP so the backend continues to work when we do a
redeploy?

I also encountered another issue when trying to upgrade to the final 1.6.0
version. The server is using two wildcard certificates in the folder specified
in the config. When running the ssllabs.com SSL test on the server at domain2
(the cert that is not the default one, but using SNI) then HAProxy segfaults
and dies completely. This behaviour is not observed on any of the
1.6.0-devX builds.