Hi.

On 02-03-2016 07:48, Zoltan Lorincz wrote:
Jeff,

thanks again for the detailed answer.
I've already tested a configuration without various ACL's.

Please can you try to run the connector with debug on.

http://tomcat.apache.org/tomcat-8.0-doc/logging.html#Using_java.util.logging_%28default%29

I would try to use this.

org.apache.catalina.session.level=ALL
org.apache.coyote.http11.Http11Protocol.level=ALL

Be aware that this will produce a lot of entries in the logs and could have some impact on performance.

The standard setup also has some low limits; maybe you must increase these limits.

http://tomcat.apache.org/tomcat-8.0-doc/config/http.html#Standard_Implementation

Is it possible to run also HAProxy in debug mode?
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#3.3

BTW: Thanks Cyril for the html doc ;-))

When I check the error logs, I get this:

[02/Mar/2016:07:38:34.834] backend servers (#4): invalid response
  frontend https-in (#3), server www1a (#1), event #9270
  src 46.140.96.254:61409, session #20091598, session flags 0x000000cf
  HTTP msg state 26, msg flags 0x00000000, tx flags 0xa8200060
  HTTP chunk len 0 bytes, HTTP body len 0 bytes
  buffer flags 0x00048002, out 0 bytes, total 5 bytes
  pending 5 bytes, wrapping at 16384, error at position 2:

  00000  20c\r\n

Do you have any idea what could cause this?

What's the error line(s) on the tomcat site?

Please can you also post the current 'conf/server.xml' with all 'Connector*', thanks.

BR Aleks

Thank you,
Zoltan.

On Tue, Mar 1, 2016 at 6:11 PM, Jeff Palmer <j...@palmerit.net> wrote:

Zoltan,

the "HP--" in the log means:

P : the session was prematurely aborted by the proxy, because of a
connection limit enforcement, because a DENY filter was matched, because
of a security check which detected and blocked a dangerous error in
server response which might have caused information leak (eg: cacheable
cookie).

H : the proxy was waiting for complete, valid response HEADERS from the
server (HTTP only).

Since you are saying that hitting the tomcat backend directly works,
I would suggest trying to remove all the extra acls and matches.
Try getting the basic frontend/backend part working, then add your
ACL's and matches one at a time.

The "P" in the log unfortunately leaves a lot of potential reasons,
which you are likely going to have to track down via trial and error.
If removing the additional ACL's doesn't cause it to start working,
I'd look at cookies and the "dangerous error" aspects.

On Tue, Mar 1, 2016 at 7:36 AM, Zoltan Lorincz <zol...@gmail.com>
wrote:
Dear Jeff,

thank you very much for your answer!
The Tomcat connector doesn't have HTTPS enabled.
I forgot to remove the old "redirectPort" from tomcat's connector
setting; I did remove it now and restarted the servers, but the error
still persists.

Thank you,
Zoltan.


On Tue, Mar 1, 2016 at 2:19 PM, Jeff Palmer <j...@palmerit.net>
wrote:

You have tomcat on 8443 which is usually an SSL enabled port, but
none of your backend server definitions enable SSL.

In the 3 'server' lines towards the end of your config, add 'ssl'
at the end.

Let us know!

On Mar 1, 2016 5:57 AM, "Zoltan Lorincz" <zol...@gmail.com> wrote:

Hi all,

I am very new to haproxy. I read through all the docs, but I think
something is wrong with my configuration, because if we connect
directly to tomcat we don't get any 502 errors.

The errors from haproxy look like this.

Mar  1 11:41:37 www1 haproxy[15362]: xx.xx.xx.xx:56387 [01/Mar/2016:11:41:35.480] https-in~ servers/www1a 1987/0/0/-1/2029 502 8878 - - PH-- 1764/1758/46/26/0 0/0 "POST /abc/test/b25766378a05446496645649e2ddaf7a/poll HTTP/1.1"

Tomcat connector config:

-------------------------------------------------------------------------------------------
<Connector
URIEncoding = "UTF-8"
port = "8080"
protocol = "HTTP/1.1"
maxThreads = "1850"
connectionTimeout = "900000"
keepAliveTimeout = "900000"
maxKeepAliveRequests = "-1"
redirectPort = "8443" />
-------------------------------------------------------------------------------------------

Haproxy config:

-------------------------------------------------------------------------------------------
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 777 level admin
stats timeout 30s
user haproxy
group haproxy
daemon

# Per process limit: The default is 2000, too small for us
maxconn 18000
# Increase the cache from 20000 (default), higher values reduce CPU usage
tune.ssl.cachesize 60000

# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private

# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL).
ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
ssl-default-bind-options no-sslv3 no-tls-tickets

defaults
log global
mode http
option httplog
option  http-server-close
option  forwardfor
option dontlognull
# Set the listen limit: The default is 2000, too small for us
maxconn 9000

# we should fix this
option accept-invalid-http-response
option accept-invalid-http-request
no option checkcache

timeout connect 80000
timeout client  900000
timeout server  500000

errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

frontend http-in
bind *:80


# Skip the message broker from redirection
acl skip_pages   path_reg ^/([\w]{2}/)?(message|yrf-laps)/(.*)

# Redirect all subdomains to www.
redirect prefix https://www.example.com code 301 if !{ hdr_beg(host) -i www. }

# Redirect all traffic to https
redirect scheme https if !skip_pages !{ ssl_fc }
default_backend servers

frontend https-in
# add no-tlsv10 for disabling tls 1.0
bind *:443 ssl  crt /etc/ssl/private/www_example_com.pem

default_backend servers
# Redirect all subdomains to www.
redirect prefix https://www.example.com code 301 if !{ hdr_beg(host) -i www. }
backend servers

# Skip the cre redirect
acl stage_cre_redirect shdr_beg(Location)   http://stage.cre.com
acl cre_redirect shdr_beg(Location)   http://www.cre.com

# Skip the blog.example.com redirect
acl blog_redirect shdr_beg(Location) http://blog.example.com

# Rewrite the response location (for redirect cases)
rspirep ^Location:\ http://(.*)  Location:\ https://\1  if !cre_redirect !stage_cre_redirect !blog_redirect { ssl_fc }
# Every connection is closed and opened to the server
option http-server-close

# Recommended to enable
option http-pretend-keepalive
# The url to check the backend servers health
option httpchk GET /srvstatus.htm

# Balancing
balance roundrobin
appsession JSESSIONID len 52 timeout 3h request-learn prefix
stick-table type string len 32 size 1M expire 3h
# We have 3 backend servers, one is for backup
server www1a 127.0.0.1:8080 check
server www2a xx.xx.xx.xx:8080 check
server www1b 127.0.0.1:8081 check  backup

--------------------------------------------------------------------------------------------------------------

Sorry about the long haproxy config file. I was not sure which part is
relevant to this error.
I would appreciate any pointers you could give me.

Thank you,
Zoltan.



--
Jeff Palmer
https://PalmerIT.net
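The log line and the "PH--" termination state discussed in this thread, decoded by an added example. This is not code from the thread, from HAProxy or from Tomcat; the field order follows the HAProxy 1.5 "option httplog" format and the flag meanings follow section 8.5 of the HAProxy configuration manual (the "P" and "H" entries are the ones Jeff quoted). The sample line is the one Zoltan posted, re-joined onto a single line, and the function names are this example's own.

```python
"""Decode an HAProxy "option httplog" line and its termination state.

Added example for this thread; not code from the thread, from HAProxy
or from Tomcat. Field order follows the HAProxy 1.5 HTTP log format and
the flag meanings follow section 8.5 of the HAProxy configuration manual.
"""
import re

# Constructed sample: the line posted in the thread (wrapped there),
# re-joined onto one line with the client address masked as posted.
SAMPLE_LINE = (
    'Mar  1 11:41:37 www1 haproxy[15362]: xx.xx.xx.xx:56387 '
    '[01/Mar/2016:11:41:35.480] https-in~ servers/www1a 1987/0/0/-1/2029 '
    '502 8878 - - PH-- 1764/1758/46/26/0 0/0 '
    '"POST /abc/test/b25766378a05446496645649e2ddaf7a/poll HTTP/1.1"'
)

# One regex over the fixed part of the httplog format. search() skips the
# syslog prefix; the client address pattern only covers IPv4 here.
LOG_RE = re.compile(
    r'(?P<client_ip>[^\s:]+):(?P<client_port>\d+) '
    r'\[(?P<accept_date>[^\]]+)\] '
    r'(?P<frontend>\S+) '
    r'(?P<backend>[^\s/]+)/(?P<server>\S+) '
    r'(?P<Tq>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Tt>-?\d+) '
    r'(?P<status>-?\d+) (?P<bytes_read>\d+) '
    r'(?P<req_cookie>\S+) (?P<resp_cookie>\S+) '
    r'(?P<term>\S{4}) '
    r'(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srv_conn>\d+)/(?P<retries>\d+) '
    r'(?P<srv_queue>\d+)/(?P<backend_queue>\d+) '
    r'"(?P<request>[^"]*)"'
)

# Termination state, character by character (HAProxy manual, section 8.5).
FIRST_CHAR = {
    'C': 'TCP session unexpectedly aborted by the client',
    'S': 'TCP session unexpectedly aborted by the server, or refused by it',
    'P': 'session prematurely aborted by the proxy (connection limit, DENY '
         'rule, or a security check that blocked a dangerous server response)',
    'L': 'request handled locally by haproxy (stats, redirect), no server used',
    'R': 'a resource on the proxy was exhausted',
    'I': 'internal error detected by the proxy',
    'D': 'killed by haproxy because the server was detected DOWN',
    'U': 'killed on a backup server because an active server came back UP',
    'K': 'actively killed by an admin',
    'c': 'client-side timeout expired',
    's': 'server-side timeout expired',
    '-': 'normal completion',
}
SECOND_CHAR = {
    'R': 'waiting for a complete, valid REQUEST from the client',
    'Q': 'waiting in the QUEUE for a connection slot',
    'C': 'waiting for the CONNECTION to the server to establish',
    'H': 'waiting for complete, valid response HEADERS from the server',
    'D': 'in the DATA phase',
    'L': 'transmitting LAST data to the client, server already finished',
    'T': 'request was tarpitted',
    '-': 'normal completion after end of data transfer',
}
CLIENT_COOKIE = {'N': 'no cookie', 'I': 'invalid cookie', 'D': 'cookie for a DOWN server',
                 'V': 'valid cookie', 'E': 'expired cookie', 'O': 'too old cookie',
                 '-': 'not applicable'}
SERVER_COOKIE = {'N': 'none provided or inserted', 'I': 'inserted by proxy',
                 'U': 'updated by proxy', 'P': 'provided by server as-is',
                 'R': 'rewritten by proxy', 'D': 'deleted by proxy',
                 '-': 'not applicable'}

INT_FIELDS = ('client_port', 'Tq', 'Tw', 'Tc', 'Tr', 'Tt', 'status', 'bytes_read',
              'actconn', 'feconn', 'beconn', 'srv_conn', 'retries',
              'srv_queue', 'backend_queue')


def parse_httplog(line):
    """Return the log fields as a dict, or None if the line is not httplog."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    # A trailing '~' on the frontend name marks a connection accepted over SSL.
    rec['ssl_frontend'] = rec['frontend'].endswith('~')
    rec['frontend'] = rec['frontend'].rstrip('~')
    return rec


def decode_termination(term):
    """Expand the four-character termination state (e.g. 'PH--')."""
    if len(term) != 4:
        raise ValueError('termination state must be 4 characters')
    return {
        'first': FIRST_CHAR.get(term[0], 'unknown'),
        'second': SECOND_CHAR.get(term[1], 'unknown'),
        'client_cookie': CLIENT_COOKIE.get(term[2], 'unknown'),
        'server_cookie': SERVER_COOKIE.get(term[3], 'unknown'),
    }


def diagnose(rec):
    """List what a parsed line says about where the request failed."""
    flags = decode_termination(rec['term'])
    notes = [flags['first'], flags['second']]
    if rec['Tr'] == -1:
        notes.append('Tr=-1: no complete response headers ever arrived from the server')
    if rec['term'][:2] == 'PH':
        notes.append("PH: haproxy discarded the server response before its headers "
                     "completed; 'show errors' on the stats socket dumps the bytes "
                     "it rejected")
    return notes


if __name__ == '__main__':
    record = parse_httplog(SAMPLE_LINE)
    print(record['frontend'], record['server'], record['status'], record['term'])
    for note in diagnose(record):
        print(' -', note)
```

Run against the posted line, the parser reports a 502 with Tr=-1 (no response headers were ever received) and "PH", which is why the "show errors" dump in the thread, starting with "20c\r\n" at position 2, is the next thing to read: it shows the first bytes HAProxy rejected from Tomcat.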


