You have tomcat on 8443 which is usually an SSL enabled port, but none of
your backend server definitions enable SSL.

In the 3 'server' lines towards the end of your config, add 'ssl' at the
end.

Let us know!
On Mar 1, 2016 5:57 AM, "Zoltan Lorincz" <zol...@gmail.com> wrote:

> Hi all,
>
> I am very new to haproxy. I read through all the docs, but I think something
> is wrong with my configuration, because if we connect directly to Tomcat we
> don't get any 502 errors.
>
> The errors from haproxy look like this.
>
> Mar  1 11:41:37 www1 haproxy[15362]: xx.xx.xx.xx:56387
> [01/Mar/2016:11:41:35.480] https-in~ servers/www1a 1987/0/0/-1/2029 502
> 8878 - - PH-- 1764/1758/46/26/0 0/0 "POST
> /abc/test/b25766378a05446496645649e2ddaf7a/poll HTTP/1.1"
>
>
>
> Tomcat connector config:
>
> -------------------------------------------------------------------------------------------
> <!-- NOTE(review): this connector listens on port 8080 and speaks plain
>      HTTP/1.1. redirectPort = "8443" only names the port Tomcat redirects to
>      when a request requires SSL transport; no listener on 8443 is defined in
>      the snippet shown. connectionTimeout and keepAliveTimeout are 900000 ms
>      (15 minutes) and maxKeepAliveRequests = "-1" removes the per-connection
>      request limit, so idle or slow connections can stay open for a long
>      time. Confirm these values are intended. -->
> <Connector
> URIEncoding = "UTF-8"
> port = "8080"
> protocol = "HTTP/1.1"
> maxThreads = "1850"
>     connectionTimeout = "900000"
>     keepAliveTimeout = "900000"
>     maxKeepAliveRequests = "-1"
>     redirectPort = "8443" />
>
>
> -------------------------------------------------------------------------------------------
>
>
> Haproxy config:
>
> -------------------------------------------------------------------------------------------
> global
> # NOTE(review): process-wide settings: logging, chroot, the runtime (stats)
> # socket, the connection limit and the TLS defaults applied to 'bind' lines.
> log /dev/log local0
> log /dev/log local1 notice
> chroot /var/lib/haproxy
> # NOTE(review): 'mode 777' makes the socket accessible to every local
> # account and 'level admin' enables the full runtime command set on it, so
> # any local user can change or disable servers. Restrict the mode (and
> # owner/group) to the administrators who need it.
> stats socket /run/haproxy/admin.sock mode 777 level admin
> stats timeout 30s
> user haproxy
> group haproxy
> daemon
>
> # Per process limit: The default is 2000, too small for us
> maxconn 18000
> # Increase the cache from 20000 (default), higher values reduce CPU usage
> tune.ssl.cachesize 60000
>
> # Default SSL material locations
> ca-base /etc/ssl/certs
> crt-base /etc/ssl/private
>
> # Default ciphers to use on SSL-enabled listening sockets.
> # For more information, see ciphers(1SSL).
> # NOTE(review): 'kRSA+AES' keeps static-RSA key exchange suites, which
> # provide no forward secrecy, and '!kEDH' excludes DHE key exchange.
> ssl-default-bind-ciphers
> kEECDH+aRSA+AES:kRSA+AES:+AES256:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
> # NOTE(review): only SSLv3 is disabled here; no TLS version is excluded, so
> # TLS 1.0 remains available unless a 'bind' line turns it off.
>         ssl-default-bind-options no-sslv3 no-tls-tickets
>
> defaults
> # NOTE(review): settings inherited by the frontends and the backend below:
> # HTTP mode, logging, parser leniency, timeouts and custom error pages.
> log global
> mode http
> option httplog
> option  http-server-close
> option  forwardfor
> option dontlognull
> # Set the listen limit: The default is 2000, too small for us
> maxconn 9000
>
> # we should fix this
> # NOTE(review): these two options relax HAProxy's HTTP parser so that
> # non-compliant requests and responses are accepted. The HAProxy
> # documentation advises against leaving them enabled, because they can hide
> # application bugs and weaken the protection against malformed traffic.
> option accept-invalid-http-response
> option accept-invalid-http-request
> no option checkcache
>
> # NOTE(review): values without a unit are milliseconds: 80 s to connect,
> # 15 min for an idle client and about 8 min for the server. A long client
> # timeout lets idle or slow clients hold connection slots counted against
> # maxconn; confirm the application really needs these values.
>         timeout connect 80000
>         timeout client  900000
>         timeout server  500000
>
> errorfile 400 /etc/haproxy/errors/400.http
> errorfile 403 /etc/haproxy/errors/403.http
> errorfile 408 /etc/haproxy/errors/408.http
> errorfile 500 /etc/haproxy/errors/500.http
> errorfile 502 /etc/haproxy/errors/502.http
> errorfile 503 /etc/haproxy/errors/503.http
> errorfile 504 /etc/haproxy/errors/504.http
>
> frontend http-in
> # NOTE(review): cleartext listener on port 80. It redirects to HTTPS except
> # for the paths matched by skip_pages, which are proxied to the backend.
> bind *:80
>
>
> # Skip the message broker from redirection
> # NOTE(review): requests matching this ACL are exempt from the scheme
> # redirect below, so on a www. host they are served over cleartext HTTP,
> # including any cookies the client sends. Confirm that is acceptable.
> acl skip_pages   path_reg ^/([\w]{2}/)?(message|yrf-laps)/(.*)
>
> # Redirect all subdomains to www.
> redirect prefix https://www.example.com code 301 if !{ hdr_beg(host) -i
> www. }
>
> # Redirect all traffic to https
> # NOTE(review): this frontend has no 'ssl' bind, so '!{ ssl_fc }' holds for
> # every connection here and the rule depends only on skip_pages.
> redirect scheme https if !skip_pages !{ ssl_fc }
> default_backend servers
>
> frontend https-in
> # NOTE(review): TLS listener on port 443; it terminates TLS with the
> # certificate file named on the bind line and forwards to backend 'servers'.
> # add no-tlsv10 for disabling tls 1.0
> # NOTE(review): the bind line below does not carry no-tlsv10 and the global
> # ssl-default-bind-options lists only no-sslv3 and no-tls-tickets, so
> # TLS 1.0 is presumably still offered; confirm against the deployed build.
> bind *:443 ssl  crt /etc/ssl/private/www_example_com.pem
>
> default_backend servers
> # Redirect all subdomains to www.
> redirect prefix https://www.example.com code 301 if !{ hdr_beg(host) -i
> www. }
> backend servers
> # NOTE(review): the single backend used by both frontends: Location header
> # rewriting, health checks, session persistence and the three servers.
>
> # Skip the cre redirect
> acl stage_cre_redirect shdr_beg(Location)   http://stage.cre.com
> acl cre_redirect shdr_beg(Location)   http://www.cre.com
>
>     # Skip the blog.example.com redirect
> acl blog_redirect shdr_beg(Location) http://blog.example.com
>
> # Rewrite the response location (for redirect cases)
> # NOTE(review): applies only when the client connection used TLS
> # ({ ssl_fc }); Location values starting with one of the three prefixes
> # above are left as http://.
> rspirep ^Location:\ http://(.*)  Location:\ https://\1  if  !cre_redirect
> !stage_cre_redirect !blog_redirect { ssl_fc }
> # Every connection is closed and opened to the server
> option http-server-close
>
> # Recommended to enable
> option http-pretend-keepalive
> # The url to check the backend servers health
> option httpchk GET /srvstatus.htm
>
> # Balancing
> balance roundrobin
> appsession JSESSIONID len 52 timeout 3h request-learn prefix
> # NOTE(review): no 'stick' rule referencing this table appears in the
> # section shown; confirm the table is actually used.
> stick-table type string len 32 size 1M expire 3h
> # We have 3 backend servers, one is for backup
> # NOTE(review): none of the server lines carries 'ssl', so HAProxy speaks
> # cleartext HTTP to ports 8080/8081, which matches the plain HTTP/1.1
> # Connector on port 8080 in the Tomcat snippet above. www2a is not a
> # loopback address, so requests and JSESSIONID cookies travel to it
> # unencrypted; presumably that network is trusted, which should be confirmed.
> server www1a 127.0.0.1:8080 check
> server www2a xx.xx.xx.xx:8080 check
>         server www1b 127.0.0.1:8081 check  backup
>
> --------------------------------------------------------------------------------------------------------------
>
> Sorry about the long haproxy config file. I was not sure which part is
> relevant to this error.
> I would appreciate any pointers you could give me.
>
> Thank you,
> Zoltan.
>
>
