Hi,

On Mon, Apr 25, 2016 at 3:39 PM, Lukas Tribus <[email protected]> wrote:
> Hi,
>
>
> On 25.04.2016 at 15:51, Craig McLure wrote:
>>
>> From a firewall perspective all sockets are configured to forcefully
>> stop after about 20 minutes after which time a connection will go
>> 'stale' and no longer function, any additional packets on that socket
>> will be ignored.
>
>
> And why would you configure the firewall to do this? I don't see how this
> makes sense.

Resource limitations, physical restrictions, upstream limitations,
security requirements, could be anything, it's not really relevant to
the discussion, there could be many reasons why someone needed a
specific cut-off after a certain amount of time.

>
>
>> This is fine for our purposes, but when keep-alive
>> comes into play this raises some problems. Theoretically using all the
>> timeouts available in haproxy it's tentatively possible to maintain a
>> connection for *LONGER* than that period, at which point the
>> connection gets silently dropped, and in haproxy the connection fails
>> in a non-graceful way.
>
>
> Even if haproxy would *try* to close the session after time X, there is no
> guarantee that current in flight request/response would be finished in time
> to not get dropped at firewall level. What about slow downloads? They could
> go on for hours ...

This is true if you make assumptions about what's happening on the
backend, 10 minutes was (as noted) an example, could be 3 hours, could
be 200 years, the relevance here was simply existence of the
functionality. As far as connections dropped during in-flight request /
response cycle, they should follow the HTTP spec on how to behave in
that scenario, and obviously the 'force close' would occur prior to the
firewall dropping the connection.

>
>
>> Ideally, obviously, I'd like for haproxy to have a way to close the
>> connection as gracefully as possible after X minutes, rather than the
>> current scenario where it may get killed ungracefully.
>
>
> This is not supported.

This is the answer I needed.

> You can simulate this behavior by soft reloading haproxy
> every X minutes or by shutting down those "offensive" sessions via the admin
> socket:
>
> http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#9.2-shutdown%20session
>
>
> However I would strongly suggest you go back to the drawing board and work
> out why you need this behavior in the first place.
>

With that in mind, it's not overly uncommon behaviour. nginx for example
has keepalive_timeout to facilitate the behaviour I'm looking for here,
I simply needed to know if I had missed something in the manual with
regards to haproxy's support of this functionality, obviously I hadn't,
and as you say it's not supported.

>
> If you are concerned about the number of open connections on the proxy, just
> lower timeout http-keep-alive to something like 30 - 300 ms. That is way more
> effective.
>

Using a low timeout is the general solution I'm using. Again, the email
was sent to see if the drop could be forced, because it's possible even
with strict timeouts for a request that a connection could stay for a
long time depending on how it's interacting with the backend.

>
> cheers,
>
> Lukas
>

Thanks,
Craig
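
The admin-socket approach suggested in the quoted reply, as an added example that is not part of the original thread and not HAProxy's own code: it lists sessions with `show sess` and issues `shutdown session <id>` for those at or above an age limit. The socket path, the `age=` field layout and the sample lines are assumptions constructed for illustration.

```python
import re
import socket

# Assumed layout of a "show sess" line: "<id>: proto=... age=<N><unit>... calls=..."
SESS_RE = re.compile(r"^(0x[0-9a-fA-F]+):.*?\bage=((?:\d+[dhms])+)")
UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def age_to_seconds(age):
    """Convert an age such as '19m5s' or '1h2m' to seconds."""
    return sum(int(n) * UNIT_SECONDS[u] for n, u in re.findall(r"(\d+)([dhms])", age))

def sessions_older_than(show_sess_output, max_age_s):
    """Return the ids of sessions whose age is at least max_age_s seconds."""
    ids = []
    for line in show_sess_output.splitlines():
        m = SESS_RE.match(line.strip())
        if m and age_to_seconds(m.group(2)) >= max_age_s:
            ids.append(m.group(1))
    return ids

def admin_command(sock_path, command):
    """Send one command to the admin socket; HAProxy closes after replying."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(command.encode() + b"\n")
        chunks = []
        while (data := s.recv(4096)):
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")

def shutdown_old_sessions(sock_path, max_age_s):
    """Shut down every session older than max_age_s; return the ids acted on."""
    stale = sessions_older_than(admin_command(sock_path, "show sess"), max_age_s)
    for sid in stale:
        admin_command(sock_path, "shutdown session " + sid)
    return stale

# Constructed sample output, not captured from a real instance.
SAMPLE = """\
0x1a2b3c: proto=tcpv4 src=192.0.2.10:51000 fe=web be=app srv=s1 ts=08 age=19m5s calls=4
0x1a2b4d: proto=tcpv4 src=192.0.2.11:51001 fe=web be=app srv=s2 ts=08 age=42s calls=1
0x1a2b5e: proto=unix_stream src=unix:1 fe=GLOBAL be=<NONE> srv=<none> ts=0b age=0s calls=1
0x1a2b6f: proto=tcpv4 src=192.0.2.12:51002 fe=web be=app srv=s1 ts=08 age=1h2m calls=9
"""

if __name__ == "__main__":
    # Dry run on the sample with an 18 minute limit (below a 20 minute cut-off).
    print(sessions_older_than(SAMPLE, 18 * 60))
```

`shutdown session` terminates the session immediately and requires admin level on the stats socket, so the age limit should sit below the firewall's cut-off.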

