On Tue, Oct 27, 2015 at 11:44 AM, Ben Tisdall <ben.tisd...@photobox.com> wrote:
> Hi and thanks for a great load balancer. We're developing a much more
> complex proxy ruleset and being able to switch back to haproxy now
> that it supports DNS resolution was a huge relief!
>
> Unfortunately DNS resolution is not doing what I expect given the
> configuration. When the downstream ELB to which the server points
> switches IP addresses the backend is failing with an L4 timeout on the
> check. DNS queries are being made, see:
> https://gist.github.com/btisdall/31b57b57fee19dc79637
>
> This is the output of "show stat resolvers":
>
> Resolvers section aws
>  nameserver aws_0:
>   sent: 2892976
>   valid: 2887729
>   update: 0
>   cname: 0
>   cname_error: 0
>   any_err: 0
>   nx: 0
>   timeout: 0
>   refused: 0
>   other: 0
>   invalid: 2887729
>   too_big: 0
>   truncated: 0
>   outdated: 0
>
> Note that "valid" and "invalid" counts increase in exact step.
> Switching to "resolve-prefer ipv4" had no effect on this.
>
> Config
> =====
>
> resolvers aws
>   nameserver aws_0 10.111.0.2:53
>
> # ...
>
> server myserver some-server.example.com:80 check resolvers aws
>
> Build Options
> ==========
>
> HA-Proxy version 1.6.1 2015/10/20
> Copyright 2000-2015 Willy Tarreau <wi...@haproxy.org>
>
> Build options :
>   TARGET  = linux2628
>   CPU     = generic
>   CC      = gcc
>   CFLAGS  = -g -O2 -fstack-protector --param=ssp-buffer-size=4
> -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2
>   OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1
>
> Default settings :
>   maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
>
> Encrypted password support via crypt(3): yes
> Built with zlib version : 1.2.8
> Compression algorithms supported : identity("identity"),
> deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
> Built with OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
> Running on OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports prefer-server-ciphers : yes
> Built with PCRE version : 8.31 2012-07-06
> PCRE library supports JIT : no (USE_PCRE_JIT not set)
> Built with Lua version : Lua 5.3.1
> Built with transparent proxy support using: IP_TRANSPARENT
> IPV6_TRANSPARENT IP_FREEBIND
>
> Available polling systems :
>       epoll : pref=300,  test result OK
>        poll : pref=200,  test result OK
>      select : pref=150,  test result OK
> Total: 3 (3 usable), will use epoll.
>
> Regards,
>
> --
> Ben
>


Hi Ben,

I can't reproduce the problem with the git version.
I'll try with 1.6.1, but the DNS code is supposed to be the same between
both versions for now.

I've set up the following amazon lab:
- 1 instance with HAProxy running pointing to 1 ELB
- 1 ELB instance taking traffic from the haproxy above and
load-balancing haproxy's stats page from the above server
- 1 instance to inject traffic on ELB to force it to change its IP
address after a few minutes

HTTP stream is like: public > haproxy:8080 > elb:80 > haproxy:80
It works like a charm.
I triggered a DNS change on ELB by massively injecting traffic and
here is the output of DNS stats:

Resolvers section aws
 nameserver aws1:
  sent: 95
  valid: 95
  update: 1
  cname: 0
  cname_error: 0
  any_err: 0
  nx: 0
  timeout: 0
  refused: 0
  other: 0
  invalid: 0
  too_big: 0
  truncated: 0
  outdated: 0


Here is my configuration:

global
 daemon
 log 127.0.0.1:514 local0 info
 stats socket /tmp/socket level admin
 stats timeout 10m

resolvers aws
 nameserver aws1 172.31.0.2:53

defaults HTTP
 mode http
 timeout client 10s
 timeout connect 4s
 timeout server 10s

frontend f
 bind :8080
 default_backend b

backend b
 server s ${LBNAME}:80 check resolvers aws resolve-prefer ipv4

frontend s
 bind :80
 stats enable
 stats uri /stats
 stats show-legends
 http-request redirect location /stats if { path / }



Please take a real pcap file using tcpdump and send it to me privately.

You also seem to use a CNAME which points to your ELB amazon name.
Could you let me know how you set this up, so I can try to reproduce
the issue in my lab?

Maybe the CNAME parsing is broken.

Baptiste

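As an added example that is not part of this thread (neither Ben's nor Baptiste's code), the small script below parses the "show stat resolvers" output quoted above and flags the symptom Ben reports: "valid" and "invalid" climbing in lock-step while "update" stays at 0. The counter names are the ones shown in the thread; the sample text and the 100-sample threshold are constructed assumptions.

```python
import re

# Constructed sample modelled on the "show stat resolvers" output Ben quoted
# above (not captured from a live HAProxy instance).
SAMPLE = """\
Resolvers section aws
 nameserver aws_0:
  sent: 2892976
  valid: 2887729
  update: 0
  cname: 0
  cname_error: 0
  any_err: 0
  nx: 0
  timeout: 0
  refused: 0
  other: 0
  invalid: 2887729
  too_big: 0
  truncated: 0
  outdated: 0
"""

def parse_resolver_stats(text):
    """Parse 'show stat resolvers' text into {section: {nameserver: {counter: int}}}."""
    stats, section, ns = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Resolvers section (\S+)$", line):
            section, ns = m.group(1), None
            stats[section] = {}
        elif m := re.match(r"nameserver (\S+):$", line):
            ns = m.group(1)
            stats[section][ns] = {}
        elif (m := re.match(r"(\w+):\s*(\d+)$", line)) and ns is not None:
            stats[section][ns][m.group(1)] = int(m.group(2))
    return stats

def resolver_findings(c, min_samples=100):
    """Return finding strings for one nameserver's counters (empty list = healthy)."""
    findings = []
    # The thread's symptom: every answer counted valid is also counted invalid,
    # so HAProxy never accepts an address from the response.
    if c.get("valid", 0) >= min_samples and c.get("invalid", 0) == c["valid"]:
        findings.append("invalid == valid: answers arrive but none is accepted")
    # Expected to be 0 only if the resolved address truly never changed.
    if c.get("sent", 0) >= min_samples and c.get("update", 0) == 0:
        findings.append("update == 0: no server address change has been applied")
    return findings

if __name__ == "__main__":
    for sec, servers in parse_resolver_stats(SAMPLE).items():
        for name, counters in servers.items():
            print(sec, name, resolver_findings(counters) or ["ok"])
```

Feed it the real output of `echo "show stat resolvers" | socat stdio /tmp/socket` (the stats socket path from Baptiste's config) to watch the counters over time.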