Hi.
On 02-03-2016 07:48, Zoltan Lorincz wrote:
Jeff,
thanks again for the detailed answer.
I've already tested a configuration without various ACL's.
Please can you try to run the connector with debug on?
http://tomcat.apache.org/tomcat-8.0-doc/logging.html#Using_java.util.logging_%28default%29
I would try to use this.
org.apache.catalina.session.level=ALL
org.apache.coyote.http11.Http11Protocol.level=ALL
Pay attention: this will produce a lot of entries in the logs and could have some impact on performance.
The standard setup also has some low limits; maybe you must increase these limits.
http://tomcat.apache.org/tomcat-8.0-doc/config/http.html#Standard_Implementation
Is it possible to run also HAProxy in debug mode?
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#3.3
BTW: Thanks Cyril for the html doc ;-))
When I check the error logs, I got this:
[02/Mar/2016:07:38:34.834] backend servers (#4): invalid response
  frontend https-in (#3), server www1a (#1), event #9270
  src 46.140.96.254:61409, session #20091598, session flags 0x000000cf
  HTTP msg state 26, msg flags 0x00000000, tx flags 0xa8200060
  HTTP chunk len 0 bytes, HTTP body len 0 bytes
  buffer flags 0x00048002, out 0 bytes, total 5 bytes
  pending 5 bytes, wrapping at 16384, error at position 2:

  00000  20c\r\n
Do you have any idea what could cause this?
What's the error line(s) on the Tomcat side?
Please can you also post the current 'conf/server.xml' with all 'Connector*', thanks.
BR Aleks
Thank you,
Zoltan.
On Tue, Mar 1, 2016 at 6:11 PM, Jeff Palmer <j...@palmerit.net> wrote:
Zoltan,
the "HP--" in the log means:

P : the session was prematurely aborted by the proxy, because of a connection limit enforcement, because a DENY filter was matched, because of a security check which detected and blocked a dangerous error in server response which might have caused information leak (eg: cacheable cookie).

H : the proxy was waiting for complete, valid response HEADERS from the server (HTTP only).
Since you are saying that hitting the tomcat backend directly works,
I would suggest trying to remove all the extra acls and matches.
Try getting the basic frontend/backend part working, then add your
ACL's and matches one at a time.
The "P" in the log unfortunately leaves a lot of potential reasons,
which you are likely going to have to track down via trial and error.
If removing the additional ACL's doesn't cause it to start working,
I'd look at cookies and the "dangerous error" aspects.
On Tue, Mar 1, 2016 at 7:36 AM, Zoltan Lorincz <zol...@gmail.com> wrote:
Dear Jeff,
thank you very much for your answer!
The Tomcat connector doesn't have HTTPS enabled.
I forgot to remove the old "redirectPort" from Tomcat's connector setting;
I did remove it now and restarted the servers, but the error still persists.
Thank you,
Zoltan.
On Tue, Mar 1, 2016 at 2:19 PM, Jeff Palmer <j...@palmerit.net> wrote:
You have tomcat on 8443 which is usually an SSL enabled port, but none of your backend server definitions enable SSL.
In the 3 'server' lines towards the end of your config, add 'ssl' at the end.
Let us know!
On Mar 1, 2016 5:57 AM, "Zoltan Lorincz" <zol...@gmail.com> wrote:
Hi all,
I am very new to haproxy. I read through all the docs, but I think something is wrong with my configuration, because if we connect directly to Tomcat we don't get any 502 errors.
The errors from haproxy look like this:
Mar 1 11:41:37 www1 haproxy[15362]: xx.xx.xx.xx:56387 [01/Mar/2016:11:41:35.480] https-in~ servers/www1a 1987/0/0/-1/2029 502 8878 - - PH-- 1764/1758/46/26/0 0/0 "POST /abc/test/b25766378a05446496645649e2ddaf7a/poll HTTP/1.1"
Tomcat connector config:
-------------------------------------------------------------------------------------------
<Connector URIEncoding="UTF-8"
           port="8080"
           protocol="HTTP/1.1"
           maxThreads="1850"
           connectionTimeout="900000"
           keepAliveTimeout="900000"
           maxKeepAliveRequests="-1"
           redirectPort="8443" />
-------------------------------------------------------------------------------------------
Haproxy config:
-------------------------------------------------------------------------------------------
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 777 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    # Per process limit: The default is 2000, too small for us
    maxconn 18000
    # Increase the cache from 20000 (default), higher values reduce CPU usage
    tune.ssl.cachesize 60000
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL).
    ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
    ssl-default-bind-options no-sslv3 no-tls-tickets

defaults
    log global
    mode http
    option httplog
    option http-server-close
    option forwardfor
    option dontlognull
    # Set the listen limit: The default is 2000, too small for us
    maxconn 9000
    # we should fix this
    option accept-invalid-http-response
    option accept-invalid-http-request
    no option checkcache
    timeout connect 80000
    timeout client 900000
    timeout server 500000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend http-in
    bind *:80
    # Skip the message broker from redirection
    acl skip_pages path_reg ^/([\w]{2}/)?(message|yrf-laps)/(.*)
    # Redirect all subdomains to www.
    redirect prefix https://www.example.com code 301 if !{ hdr_beg(host) -i www. }
    # Redirect all traffic to https
    redirect scheme https if !skip_pages !{ ssl_fc }
    default_backend servers

frontend https-in
    # add no-tlsv10 for disabling tls 1.0
    bind *:443 ssl crt /etc/ssl/private/www_example_com.pem
    default_backend servers
    # Redirect all subdomains to www.
    redirect prefix https://www.example.com code 301 if !{ hdr_beg(host) -i www. }

backend servers
    # Skip the cre redirect
    acl stage_cre_redirect shdr_beg(Location) http://stage.cre.com
    acl cre_redirect shdr_beg(Location) http://www.cre.com
    # Skip the blog.example.com redirect
    acl blog_redirect shdr_beg(Location) http://blog.example.com
    # Rewrite the response location (for redirect cases)
    rspirep ^Location:\ http://(.*) Location:\ https://\1 if !cre_redirect !stage_cre_redirect !blog_redirect { ssl_fc }
    # Every connection is closed and opened to the server
    option http-server-close
    # Recommended to enable
    option http-pretend-keepalive
    # The url to check the backend servers health
    option httpchk GET /srvstatus.htm
    # Balancing
    balance roundrobin
    appsession JSESSIONID len 52 timeout 3h request-learn prefix
    stick-table type string len 32 size 1M expire 3h
    # We have 3 backend servers, one is for backup
    server www1a 127.0.0.1:8080 check
    server www2a xx.xx.xx.xx:8080 check
    server www1b 127.0.0.1:8081 check backup
--------------------------------------------------------------------------------------------------------------
Sorry about the long haproxy config file. I was not sure which part is relevant to this error.
I would appreciate any pointers you could give me.
Thank you,
Zoltan.
--
Jeff Palmer
https://PalmerIT.net
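The httplog line and the "PH--" termination state discussed in this thread, decoded by a small parser so the cause, phase and the -1 response-header timer can be read off mechanically. This is an added example, not code from the thread or from HAProxy; the regex assumes the HAProxy 1.5 httplog field order, and the sample is the thread's own log entry joined back onto one line.

```python
import re

# Meanings of the first two termination-state characters (HAProxy 1.5 docs,
# section 8.5). The last two describe cookie handling and are kept raw here.
CAUSE = {"C": "client aborted", "S": "server aborted or refused",
         "P": "proxy aborted (limit, DENY rule, or blocked dangerous response)",
         "R": "proxy resource exhausted", "I": "internal error",
         "D": "killed: server detected down", "U": "killed: active server back up",
         "K": "killed by admin", "c": "client-side timeout",
         "s": "server-side timeout", "-": "normal completion"}
PHASE = {"R": "waiting for complete request", "Q": "waiting in queue",
         "C": "waiting for server connection",
         "H": "waiting for complete, valid response headers from server",
         "D": "data phase", "L": "sending last data to client",
         "T": "request tarpitted", "-": "normal completion"}

# httplog fields; search() skips the syslog prefix before the client address.
LOG_RE = re.compile(
    r'(?P<client>\S+) \[(?P<accept>[^\]]+)\] (?P<frontend>\S+) '
    r'(?P<backend>[^/ ]+)/(?P<server>\S+) '
    r'(?P<tq>-?\d+)/(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tr>-?\d+)/(?P<tt>-?\d+) '
    r'(?P<status>\d+) (?P<bytes>\d+) \S+ \S+ (?P<term>\S{4}) '
    r'\S+ \S+ "(?P<request>[^"]*)"')

def parse_httplog(line):
    """Return the parsed fields of one httplog line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    timers = {k: int(d[k]) for k in ("tq", "tw", "tc", "tr", "tt")}
    term = d["term"]
    return {"frontend": d["frontend"], "backend": d["backend"], "server": d["server"],
            "status": int(d["status"]), "bytes": int(d["bytes"]), "timers": timers,
            "term": term, "cause": CAUSE.get(term[0], "unknown"),
            "phase": PHASE.get(term[1], "unknown"),
            # Tr == -1: the server never returned complete headers, so the 502
            # was generated by the proxy rather than relayed from Tomcat.
            "server_headers_received": timers["tr"] != -1,
            "request": d["request"]}

# Constructed sample: the thread's own line joined back onto one line.
SAMPLE = ('Mar 1 11:41:37 www1 haproxy[15362]: xx.xx.xx.xx:56387 '
          '[01/Mar/2016:11:41:35.480] https-in~ servers/www1a 1987/0/0/-1/2029 '
          '502 8878 - - PH-- 1764/1758/46/26/0 0/0 '
          '"POST /abc/test/b25766378a05446496645649e2ddaf7a/poll HTTP/1.1"')

if __name__ == "__main__":
    r = parse_httplog(SAMPLE)
    print(f'{r["status"]} from {r["server"]}: {r["cause"]}; {r["phase"]}')
```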