Hi,
On 25.04.2016 at 15:51, Craig McLure wrote:
> From a firewall perspective all sockets are configured to forcefully
> stop after about 20 minutes after which time a connection will go
> 'stale' and no longer function, any additional packets on that socket
> will be ignored.

And why would you configure the firewall to do this? I don't see how
this makes sense.

> This is fine for our purposes, but when keep-alive
> comes into play this raises some problems. Theoretically using all the
> timeouts available in haproxy it's tentatively possible to maintain a
> connection for *LONGER* than that period, at which point the
> connection gets silently dropped, and in haproxy the connection fails
> in a non-graceful way.

Even if haproxy would *try* to close the session after time X, there is
no guarantee that current in flight request/response would be finished
in time to not get dropped at firewall level. What about slow downloads?
They could go on for hours ...

> Ideally, obviously, I'd like for haproxy to have a way to close the
> connection as gracefully as possible after X minutes, rather than the
> current scenario where it may get killed ungracefully.

This is not supported. You can simulate this behavior by soft reloading
haproxy every X minutes or by shutting down those "offensive" sessions
via the admin socket:
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#9.2-shutdown%20session

However I would strongly suggest you go back to the drawing board and work
out why you need this behavior in the first place.
If you are concerned about the number of open connections on the proxy,
just lower timeout http-keep-alive to something like 30 - 300 ms. That is
way more effective.

cheers,
Lukas
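
The admin-socket workaround mentioned in the reply above, as an added example that is not part of the original message or of HAProxy itself: it parses `show sess` output and builds the `shutdown session` commands for sessions older than a limit. The sample lines are constructed, and the line layout (`<id>: ... fe=<frontend> ... age=<human time>`), the `GLOBAL` frontend name for the stats socket and the helper names are assumptions.

```python
import re

# Constructed sample of "show sess" output; layout is an assumption
# ("<id>: proto=... fe=<frontend> ... age=<human time> ..."), not real traffic.
SAMPLE_SHOW_SESS = """\
0x1a2b3c0: proto=tcpv4 src=192.0.2.10:51234 fe=http-in be=app srv=web1 ts=08 age=21m5s calls=7
0x1a2b4d0: proto=tcpv4 src=192.0.2.11:40022 fe=http-in be=app srv=web2 ts=08 age=4s calls=2
0x1a2b5e0: proto=tcpv4 src=192.0.2.12:40100 fe=http-in be=app srv=web1 ts=08 age=1h2m calls=90
0x1a2b6f0: proto=unix_stream src=unix:1 fe=GLOBAL be=<NONE> srv=<none> ts=0b age=0s calls=1
"""

UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
SESS_RE = re.compile(
    r"^(0x[0-9a-fA-F]+):.*?\bfe=(\S+).*?\bage=((?:\d+[dhms])+)"
)


def age_to_seconds(age):
    """Convert a human-readable age such as '21m5s' or '1h2m' to seconds."""
    return sum(int(n) * UNIT_SECONDS[u]
               for n, u in re.findall(r"(\d+)([dhms])", age))


def shutdown_commands(show_sess_output, max_age_s, skip_frontends=("GLOBAL",)):
    """Return one 'shutdown session <id>' command per session whose age
    is at or above max_age_s. The admin socket's own session (frontend
    GLOBAL, assumed) is skipped so the tool does not cut itself off."""
    cmds = []
    for line in show_sess_output.splitlines():
        m = SESS_RE.match(line.strip())
        if not m:
            continue  # unparsable line: do nothing rather than guess
        sess_id, frontend, age = m.groups()
        if frontend in skip_frontends:
            continue
        if age_to_seconds(age) >= max_age_s:
            cmds.append(f"shutdown session {sess_id}")
    return cmds


if __name__ == "__main__":
    # 15 minutes: below the firewall's ~20 minute cut-off from the thread.
    for cmd in shutdown_commands(SAMPLE_SHOW_SESS, max_age_s=15 * 60):
        print(cmd)
```

Each printed command would be written to the stats socket, which must be configured with admin level for `shutdown session` to be accepted.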