Zoltan,

the "PH--" in the log means:

P : the session was prematurely aborted by the proxy, because of a
    connection limit enforcement, because a DENY filter was matched,
    because of a security check which detected and blocked a dangerous
    error in server response which might have caused information leak
    (eg: cacheable cookie).

H : the proxy was waiting for complete, valid response HEADERS from the
    server (HTTP only).


Since you are saying that hitting the tomcat backend directly works,
I would suggest trying to remove all the extra ACLs and matches.
Try getting the basic frontend/backend part working, then add your
ACLs and matches one at a time.

The "P" in the log unfortunately leaves a lot of potential reasons,
which you are likely going to have to track down via trial and error.
If removing the additional ACLs doesn't cause it to start working,
I'd look at cookies and the "dangerous error" aspects.




On Tue, Mar 1, 2016 at 7:36 AM, Zoltan Lorincz <zol...@gmail.com> wrote:
> Dear Jeff,
>
> thank you very much for your answer!
> The Tomcat connector doesn't have HTTPS enabled.
> I forgot to remove the old "redirectPort" from tomcat's connector setting,
> I did remove it now and restarted servers but the error still persists.
>
> Thank you,
> Zoltan.
>
>
> On Tue, Mar 1, 2016 at 2:19 PM, Jeff Palmer <j...@palmerit.net> wrote:
>>
>> You have tomcat on 8443 which is usually an SSL enabled port, but none of
>> your backend server definitions enable SSL.
>>
>> In the 3 'server' lines towards the end of your config, add 'ssl' at the
>> end.
>>
>> Let us know!
>>
>> On Mar 1, 2016 5:57 AM, "Zoltan Lorincz" <zol...@gmail.com> wrote:
>>>
>>> Hi all,
>>>
>>> I am very new to haproxy. Read through all the docs but I think something
>>> is wrong with my configuration, because if we connect directly to tomcat we
>>> don't get any 502 errors.
>>>
>>> The errors from haproxy look like this.
>>>
>>> Mar  1 11:41:37 www1 haproxy[15362]: xx.xx.xx.xx:56387 [01/Mar/2016:11:41:35.480] https-in~ servers/www1a 1987/0/0/-1/2029 502 8878 - - PH-- 1764/1758/46/26/0 0/0 "POST /abc/test/b25766378a05446496645649e2ddaf7a/poll HTTP/1.1"
>>>
>>>
>>>
>>> Tomcat connector config:
>>>
>>> -------------------------------------------------------------------------------------------
>>> <Connector
>>>     URIEncoding="UTF-8"
>>>     port="8080"
>>>     protocol="HTTP/1.1"
>>>     maxThreads="1850"
>>>     connectionTimeout="900000"
>>>     keepAliveTimeout="900000"
>>>     maxKeepAliveRequests="-1"
>>>     redirectPort="8443" />
>>>
>>>
>>> -------------------------------------------------------------------------------------------
>>>
>>>
>>> Haproxy config:
>>>
>>> -------------------------------------------------------------------------------------------
>>> global
>>>     log /dev/log local0
>>>     log /dev/log local1 notice
>>>     chroot /var/lib/haproxy
>>>     stats socket /run/haproxy/admin.sock mode 777 level admin
>>>     stats timeout 30s
>>>     user haproxy
>>>     group haproxy
>>>     daemon
>>>
>>>     # Per process limit: The default is 2000, too small for us
>>>     maxconn 18000
>>>     # Increase the cache from 20000 (default), higher values reduce CPU usage
>>>     tune.ssl.cachesize 60000
>>>
>>>     # Default SSL material locations
>>>     ca-base /etc/ssl/certs
>>>     crt-base /etc/ssl/private
>>>
>>>     # Default ciphers to use on SSL-enabled listening sockets.
>>>     # For more information, see ciphers(1SSL).
>>>     ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
>>>     ssl-default-bind-options no-sslv3 no-tls-tickets
>>>
>>> defaults
>>>     log global
>>>     mode http
>>>     option httplog
>>>     option http-server-close
>>>     option forwardfor
>>>     option dontlognull
>>>     # Set the listen limit: The default is 2000, too small for us
>>>     maxconn 9000
>>>
>>>     # we should fix this
>>>     option accept-invalid-http-response
>>>     option accept-invalid-http-request
>>>     no option checkcache
>>>
>>>     timeout connect 80000
>>>     timeout client  900000
>>>     timeout server  500000
>>>
>>>     errorfile 400 /etc/haproxy/errors/400.http
>>>     errorfile 403 /etc/haproxy/errors/403.http
>>>     errorfile 408 /etc/haproxy/errors/408.http
>>>     errorfile 500 /etc/haproxy/errors/500.http
>>>     errorfile 502 /etc/haproxy/errors/502.http
>>>     errorfile 503 /etc/haproxy/errors/503.http
>>>     errorfile 504 /etc/haproxy/errors/504.http
>>>
>>> frontend http-in
>>>     bind *:80
>>>
>>>     # Skip the message broker from redirection
>>>     acl skip_pages path_reg ^/([\w]{2}/)?(message|yrf-laps)/(.*)
>>>
>>>     # Redirect all subdomains to www.
>>>     redirect prefix https://www.example.com code 301 if !{ hdr_beg(host) -i www. }
>>>
>>>     # Redirect all traffic to https
>>>     redirect scheme https if !skip_pages !{ ssl_fc }
>>>     default_backend servers
>>>
>>> frontend https-in
>>>     # add no-tlsv10 for disabling tls 1.0
>>>     bind *:443 ssl crt /etc/ssl/private/www_example_com.pem
>>>
>>>     default_backend servers
>>>     # Redirect all subdomains to www.
>>>     redirect prefix https://www.example.com code 301 if !{ hdr_beg(host) -i www. }
>>>
>>> backend servers
>>>     # Skip the cre redirect
>>>     acl stage_cre_redirect shdr_beg(Location) http://stage.cre.com
>>>     acl cre_redirect shdr_beg(Location) http://www.cre.com
>>>
>>>     # Skip the blog.example.com redirect
>>>     acl blog_redirect shdr_beg(Location) http://blog.example.com
>>>
>>>     # Rewrite the response location (for redirect cases)
>>>     rspirep ^Location:\ http://(.*) Location:\ https://\1 if !cre_redirect !stage_cre_redirect !blog_redirect { ssl_fc }
>>>     # Every connection is closed and opened to the server
>>>     option http-server-close
>>>
>>>     # Recommended to enable
>>>     option http-pretend-keepalive
>>>     # The url to check the backend servers health
>>>     option httpchk GET /srvstatus.htm
>>>
>>>     # Balancing
>>>     balance roundrobin
>>>     appsession JSESSIONID len 52 timeout 3h request-learn prefix
>>>     stick-table type string len 32 size 1M expire 3h
>>>     # We have 3 backend servers, one is for backup
>>>     server www1a 127.0.0.1:8080 check
>>>     server www2a xx.xx.xx.xx:8080 check
>>>     server www1b 127.0.0.1:8081 check backup
>>>
>>> --------------------------------------------------------------------------------------------------------------
>>>
>>> Sorry about the long haproxy config file. I was not sure which part is
>>> relevant to this error.
>>> I would appreciate any pointers you could give me.
>>>
>>> Thank you,
>>> Zoltan.
>>>
>



-- 
Jeff Palmer
https://PalmerIT.net

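Added example (not part of the thread and not HAProxy's own code): a small Python parser for "option httplog" lines that decodes the termination-state flags discussed above, so a batch of 502s can be sorted by cause instead of read one line at a time. The flag descriptions paraphrase section 8.5 of the HAProxy configuration manual and cover only the first two characters (cause and state); the third and fourth characters, which concern cookie persistence, are carried through unchanged. The first sample line mirrors the one in the post with a documentation IP (203.0.113.7) in place of xx.xx.xx.xx; the other two lines are constructed.

```python
"""Parse HAProxy "option httplog" lines and decode the termination-state flags.
Added example (not HAProxy code); flag texts paraphrase section 8.5 of the
HAProxy manual. SAMPLE_LOG is constructed: line 1 mirrors the posted line with
a documentation IP in place of xx.xx.xx.xx, the other two are made up."""
import re

# Default httplog field order (manual 8.2.3); re.search() tolerates a syslog prefix.
HTTPLOG_RE = re.compile(
    r'(?P<client_ip>[0-9a-fA-F.:]+):(?P<client_port>\d+) \[(?P<accept_date>[^\]]+)\] '
    r'(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<Tq>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Tt>-?\d+) '
    r'(?P<status>-?\d+) (?P<bytes_read>\d+) (?P<req_cookie>\S+) (?P<resp_cookie>\S+) '
    r'(?P<term_state>\S{4}) '
    r'(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srv_conn>\d+)/(?P<retries>\d+) '
    r'(?P<srv_queue>\d+)/(?P<backend_queue>\d+) "(?P<request>[^"]*)"')
INT_FIELDS = ('client_port', 'Tq', 'Tw', 'Tc', 'Tr', 'Tt', 'status', 'bytes_read', 'actconn',
              'feconn', 'beconn', 'srv_conn', 'retries', 'srv_queue', 'backend_queue')

TERMINATION_CAUSE = {  # first flag: what ended the session
    '-': 'normal session completion',
    'C': 'TCP session unexpectedly aborted by the client',
    'S': 'TCP session aborted or explicitly refused by the server',
    'P': 'session prematurely aborted by the proxy (connection limit, DENY filter, or a '
         'security check on a dangerous server response such as a cacheable cookie)',
    'L': 'handled locally by haproxy (stats, redirect), never sent to a server',
    'c': 'client-side timeout expired',
    's': 'server-side timeout expired',
}
SESSION_STATE = {  # second flag: what the proxy was doing when the session ended
    '-': 'normal completion after the end of data transfer',
    'R': 'waiting for a complete, valid REQUEST from the client',
    'Q': 'waiting in the QUEUE for a connection slot',
    'C': 'waiting for the CONNECTION to the server to establish',
    'H': 'waiting for complete, valid response HEADERS from the server',
    'D': 'in the DATA phase',
    'L': 'sending the LAST data to the client, server already finished',
    'T': 'request was tarpitted',
}
KNOWN_PAIRS = {  # pairs the manual singles out, with the status it says is returned
    'PH': (502, 'proxy blocked the server response: invalid, incomplete, dangerous (cache '
                'control) or matched a security filter; capture what the server really sends'),
    'SH': (502, 'server aborted or crashed before sending full response headers'),
    'sH': (504, '"timeout server" expired before the server sent full headers'),
    'SC': (503, 'server (or something in between) refused the TCP connection'),
    'sC': (503, '"timeout connect" expired while connecting to the server'),
}

def parse_httplog(line):
    """Return the fields of one httplog line as a dict, or None if it does not parse."""
    m = HTTPLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec

def decode_termination_state(flags):
    """Explain a 4-character termination state such as "PH--" or "sH--"."""
    if len(flags) < 2:
        raise ValueError('termination state needs at least two characters')
    expected_status, summary = KNOWN_PAIRS.get(flags[:2], (None, None))
    return {'flags': flags, 'expected_status': expected_status,
            'cause': TERMINATION_CAUSE.get(flags[0], 'unknown cause %r' % flags[0]),
            'state': SESSION_STATE.get(flags[1], 'unknown state %r' % flags[1]),
            'summary': summary or 'no specific guidance for %s in the manual' % flags[:2]}

def triage(line):
    """Parse one line and add timer-based notes; returns None for unparsable input."""
    rec = parse_httplog(line)
    if rec is None:
        return None
    info = decode_termination_state(rec['term_state'])
    info.update(status=rec['status'], server=rec['server'], request=rec['request'], notes=[])
    # A timer of -1 means the session ended before that phase completed.
    if rec['Tc'] == -1:
        info['notes'].append('Tc=-1: no TCP connection to %s was established' % rec['server'])
    if rec['Tr'] == -1:
        info['notes'].append('Tr=-1: no complete response headers came back from %s' % rec['server'])
    if info['expected_status'] and rec['status'] != info['expected_status']:
        info['notes'].append('status %d differs from the %d the manual associates with %s'
                             % (rec['status'], info['expected_status'], rec['term_state'][:2]))
    return info

SAMPLE_LOG = [  # constructed, see module docstring
    'Mar  1 11:41:37 www1 haproxy[15362]: 203.0.113.7:56387 [01/Mar/2016:11:41:35.480] '
    'https-in~ servers/www1a 1987/0/0/-1/2029 502 8878 - - PH-- 1764/1758/46/26/0 0/0 '
    '"POST /abc/test/b25766378a05446496645649e2ddaf7a/poll HTTP/1.1"',
    '203.0.113.7:56390 [01/Mar/2016:11:50:02.101] https-in~ servers/www2a 12/0/1/-1/500013 '
    '504 194 - - sH-- 900/880/30/10/0 0/0 "GET /abc/test/slow HTTP/1.1"',
    '203.0.113.9:40021 [01/Mar/2016:11:52:10.770] http-in servers/www1b 3/0/-1/-1/7 '
    '503 212 - - SC-- 850/10/2/0/3 0/0 "GET /srvstatus.htm HTTP/1.1"',
]

if __name__ == '__main__':
    for t in map(triage, SAMPLE_LOG):
        print('%s %d %s: %s' % (t['flags'], t['status'], t['server'], t['summary']))
        for note in t['notes']:
            print('    ' + note)
```

Feed it real lines with something like `python3 triage.py < /var/log/haproxy.log` after swapping SAMPLE_LOG for `sys.stdin`; the Tr=-1 note on a "PH" line is the thing to look for, because it confirms haproxy rejected the response headers rather than timing out on them, which is what points at the server's response (or at a request/response check in the proxy) rather than at connectivity.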