Hi.
@openshift there is a discussion about stickiness.
Let's say you have such a config.
###
backend be_edge_http_1-caddy-teplate_caddy-template-usage
mode http
option redispatch
option forwardfor
balance leastconn
timeout check 5000ms
http-request set-header X-Forwarded-Host %[req.hdr(host)]
http-request set-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
http-request set-header X-Forwarded-Proto https if { ssl_fc }
cookie 4106ca6931bf4a3e0db2474573f01a3f insert indirect nocache
httponly secure
http-request set-header Forwarded
for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
server ed869f92f458c2810361c096e64c6729 10.1.3.34:2015 check inter
5000ms cookie ed869f92f458c2810361c096e64c6729
server 8032c03a054e0b5a670bcab37f8510c6 10.1.4.62:2015 check inter
5000ms cookie 8032c03a054e0b5a670bcab37f8510c6
server 868d4f965e5d8c8ff73379a299facedf 10.1.5.2:2015 check inter
5000ms cookie 868d4f965e5d8c8ff73379a299facedf
server 5e855f052852749bed7013707a57de94 10.1.5.3:2015 check inter
5000ms cookie 5e855f052852749bed7013707a57de94
###
I have seen that when I use a browser, which accepts cookies, I always
reach the same endpoint.
https://caddy-template-usage-1-caddy-teplate.playground.itandtel.at/templates/print-hostname.tmpl
I'm quite sure this works as designed ;-)
It is useless which of the algo I use the cookie stickiness is always
the winner right?
https://github.com/openshift/origin/blob/master/images/router/haproxy/conf/haproxy-config.template#L339-L345
http://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4.2-balance
Are my observation right?
Can I overrule the cookie stickiness in the config above?
Haproxy: 1.5.14 (RedHat version)
Full haproxy part
------------------------------------------
global
# maxconn 4096
daemon
ca-base /etc/ssl
crt-base /etc/ssl
stats socket /var/lib/haproxy/run/haproxy.sock mode 600 level admin
stats timeout 2m
# Prevent vulnerability to POODLE attacks
# TODO: use when 1.5.14 is available
# ssl-default-bind-options no-sslv3
# Modern cipher suite (no legacy browser support) from
https://wiki.mozilla.org/Security/Server_Side_TLS
# tune.ssl.default-dh-param 2048
# ssl-default-bind-ciphers
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
# Intermediate cipher suite (default) from
https://wiki.mozilla.org/Security/Server_Side_TLS
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
# Old cipher suite (maximum compatibility but insecure) from
https://wiki.mozilla.org/Security/Server_Side_TLS
# tune.ssl.default-dh-param 1024
# ssl-default-bind-ciphers
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
defaults
# maxconn 4096
# Add x-forwarded-for header.
timeout connect 5s
timeout client 30s
timeout server 30s
# Long timeout for WebSocket connections.
timeout tunnel 1h
listen stats :1936
mode http
# Health check monitoring uri.
monitor-uri /healthz
# Add your custom health check monitoring failure condition here.
# monitor fail if <condition>
stats enable
stats hide-version
stats realm Haproxy\ Statistics
stats uri /
stats auth admin:WELL_WHAT_A_PASS;-)
frontend public
bind :80
mode http
tcp-request inspect-delay 5s
tcp-request content accept if HTTP
# check if we need to redirect/force using https.
acl secure_redirect
base,map_beg(/var/lib/haproxy/conf/os_edge_http_redirect.map) -m found
redirect scheme https if secure_redirect
# Check if it is an edge route exposed insecurely.
acl edge_http_expose
base,map_beg(/var/lib/haproxy/conf/os_edge_http_expose.map) -m found
use_backend
be_edge_http_%[base,map_beg(/var/lib/haproxy/conf/os_edge_http_expose.map)]
if edge_http_expose
# map to http backend
# Search from most specific to general path (host case).
# Note: If no match, haproxy uses the default_backend, no other
# use_backend directives below this will be processed.
use_backend
be_http_%[base,map_beg(/var/lib/haproxy/conf/os_http_be.map)]
default_backend openshift_default
# public ssl accepts all connections and isn't checking certificates yet
certificates to use will be
# determined by the next backend in the chain which may be an app
backend (passthrough termination) or a backend
# that terminates encryption in this router (edge)
frontend public_ssl
bind :443
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
# if the connection is SNI and the route is a passthrough don't use
the termination backend, just use the tcp backend
acl sni req.ssl_sni -m found
acl sni_passthrough
req.ssl_sni,map(/var/lib/haproxy/conf/os_sni_passthrough.map) -m found
use_backend
be_tcp_%[req.ssl_sni,map(/var/lib/haproxy/conf/os_tcp_be.map)] if sni
sni_passthrough
# if the route is SNI and NOT passthrough enter the termination flow
use_backend be_sni if sni
# non SNI requests should enter a default termination backend rather
than the custom cert SNI backend since it
# will not be able to match a cert to an SNI host
default_backend be_no_sni
##########################################################################
# TLS SNI
#
# When using SNI we can terminate encryption with custom certificates.
# Certs will be stored in a directory and will be matched with the SNI
host header
# which must exist in the CN of the certificate. Certificates must be
concatenated
# as a single file (handled by the plugin writer) per the haproxy
documentation.
#
# Finally, check re-encryption settings and re-encrypt or just pass
along the unencrypted
# traffic
##########################################################################
backend be_sni
server fe_sni 127.0.0.1:10444 weight 1 send-proxy
frontend fe_sni
# terminate ssl on edge
bind 127.0.0.1:10444 ssl no-sslv3 crt
/var/lib/containers/router/certs/default.pem crt
/var/lib/containers/router/certs accept-proxy
mode http
# check re-encrypt backends first - from most specific to general
path.
acl reencrypt base,map_beg(/var/lib/haproxy/conf/os_reencrypt.map) -m
found
# Search from most specific to general path (host case).
use_backend
be_secure_%[base,map_beg(/var/lib/haproxy/conf/os_reencrypt.map)] if
reencrypt
# map to http backend
# Search from most specific to general path (host case).
# Note: If no match, haproxy uses the default_backend, no other
# use_backend directives below this will be processed.
use_backend
be_edge_http_%[base,map_beg(/var/lib/haproxy/conf/os_edge_http_be.map)]
default_backend openshift_default
##########################################################################
# END TLS SNI
##########################################################################
##########################################################################
# TLS NO SNI
#
# When we don't have SNI the only thing we can try to do is terminate
the encryption
# using our wild card certificate. Once that is complete we can either
re-encrypt
# the traffic or pass it on to the backends
##########################################################################
# backend for when sni does not exist, or ssl term needs to happen on
the edge
backend be_no_sni
server fe_no_sni 127.0.0.1:10443 weight 1 send-proxy
frontend fe_no_sni
# terminate ssl on edge
bind 127.0.0.1:10443 ssl no-sslv3 crt
/var/lib/containers/router/certs/default.pem accept-proxy
mode http
# check re-encrypt backends first - path or host based.
acl reencrypt base,map_beg(/var/lib/haproxy/conf/os_reencrypt.map) -m
found
# Search from most specific to general path (host case).
use_backend
be_secure_%[base,map_beg(/var/lib/haproxy/conf/os_reencrypt.map)] if
reencrypt
# map to http backend
# Search from most specific to general path (host case).
# Note: If no match, haproxy uses the default_backend, no other
# use_backend directives below this will be processed.
use_backend
be_edge_http_%[base,map_beg(/var/lib/haproxy/conf/os_edge_http_be.map)]
default_backend openshift_default
##########################################################################
# END TLS NO SNI
##########################################################################
backend openshift_default
mode http
option forwardfor
#option http-keep-alive
option http-pretend-keepalive
# To configure custom default errors, you can either uncomment the
# line below (server ... 127.0.0.1:8080) and point it to your custom
# backend service or alternatively, you can send a custom 503 error.
#server openshift_backend 127.0.0.1:8080
errorfile 503 /var/lib/haproxy/conf/error-page-503.http
------------------------------------------
BR Aleks