Hi Aleksandar,

Le 28/10/2016 à 18:19, Aleksandar Lazic a écrit :
Wrong lines in github link below
[...]
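  balance leastconn
  timeout check 5000ms
  # Forwarding headers handed to the app: Host and Port are copied from the
  # client request, Proto reflects whether this hop itself was TLS (ssl_fc).
  http-request set-header X-Forwarded-Host %[req.hdr(host)]
  http-request set-header X-Forwarded-Port %[dst_port]
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  # Stickiness cookie: a request that presents it is pinned to the named server
  # ahead of the balance algorithm; requests without it are balanced normally.
  # NOTE(review): `secure` means browsers only return this cookie over HTTPS, so
  # stickiness does not apply on a plain-HTTP path into this backend — confirm
  # which frontends route here.
  cookie 4106ca6931bf4a3e0db2474573f01a3f insert indirect nocache httponly secure
  # RFC 7239 Forwarded header, assembled from the values set above.
  http-request set-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
  # Each server's cookie value is its own id, which is what the sticky cookie carries.
  server ed869f92f458c2810361c096e64c6729 10.1.3.34:2015 check inter 5000ms cookie ed869f92f458c2810361c096e64c6729
  server 8032c03a054e0b5a670bcab37f8510c6 10.1.4.62:2015 check inter 5000ms cookie 8032c03a054e0b5a670bcab37f8510c6
  server 868d4f965e5d8c8ff73379a299facedf 10.1.5.2:2015 check inter 5000ms cookie 868d4f965e5d8c8ff73379a299facedf
  server 5e855f052852749bed7013707a57de94 10.1.5.3:2015 check inter 5000ms cookie 5e855f052852749bed7013707a57de94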
###

I have noticed that when I use a browser that accepts cookies, I always
reach the same endpoint.
https://caddy-template-usage-1-caddy-teplate.playground.itandtel.at/templates/print-hostname.tmpl


I'm quite sure this works as designed ;-)

No matter which balancing algorithm I use, the cookie stickiness is always
the winner, right?

https://github.com/openshift/origin/blob/master/images/router/haproxy/conf/haproxy-config.template#L339-L345


Right lines
https://github.com/openshift/origin/blob/master/images/router/haproxy/conf/haproxy-config.template#L260-L266

The cookie takes priority, but it doesn't make the balancing algorithm useless. The algorithm still decides where a request that carries no (valid) cookie goes, so each new client's first request is balanced. And when one of your servers becomes DOWN, haproxy will rebalance the connections to another server, applying roundrobin/leastconn or any other algorithm you've configured.



http://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4.2-balance

Are my observations right?
Can I overrule the cookie stickiness in the config above?

Haproxy: 1.5.14 (RedHat version)

Full haproxy part

------------------------------------------
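global
  # maxconn 4096
  daemon
  ca-base /etc/ssl
  crt-base /etc/ssl
  # Admin-level runtime socket; mode 600 limits it to the owning user.
  stats socket /var/lib/haproxy/run/haproxy.sock mode 600 level admin
  stats timeout 2m

  # Prevent vulnerability to POODLE attacks
  # TODO: use when 1.5.14 is available
  # NOTE(review): this thread reports haproxy 1.5.14, so the TODO can be resolved
  # by enabling the line below. The ssl binds later in this file already carry
  # no-sslv3 individually; the global default would cover any bind added later.
  # ssl-default-bind-options no-sslv3

  # Modern cipher suite (no legacy browser support) from https://wiki.mozilla.org/Security/Server_Side_TLS
  # tune.ssl.default-dh-param 2048
  # ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

  # Intermediate cipher suite (default) from https://wiki.mozilla.org/Security/Server_Side_TLS
  # NOTE(review): unlike the modern list above, this one still admits 3DES
  # (the DES-CBC3-SHA entries) and CAMELLIA for old-client compatibility;
  # drop them if no such clients remain.
  tune.ssl.default-dh-param 2048
  ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

  # Old cipher suite (maximum compatibility but insecure) from https://wiki.mozilla.org/Security/Server_Side_TLS
  # tune.ssl.default-dh-param 1024
  # ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA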


defaults
  # maxconn 4096
  # Add x-forwarded-for header.
  # NOTE(review): no `option forwardfor` follows this comment; in this file it
  # appears in backend openshift_default below. The app backends are not fully
  # shown here, so confirm they set it too if the apps rely on X-Forwarded-For.
  timeout connect 5s
  timeout client 30s
  timeout server 30s
  # Long timeout for WebSocket connections.
  timeout tunnel 1h


listen stats :1936

    mode http
    # Health check monitoring uri.
    # NOTE(review): monitor-uri is answered directly by haproxy, before the
    # stats auth below applies, so /healthz is reachable without credentials.
    monitor-uri /healthz


    # Add your custom health check monitoring failure condition here.
    # monitor fail if <condition>
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /
    # Basic auth on a plain-HTTP bind to all addresses: the credentials cross
    # the wire in cleartext. Restrict the bind address (or front it with TLS)
    # if :1936 is reachable beyond the admin network.
    stats auth admin:WELL_WHAT_A_PASS;-)


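# Plain-HTTP entry point. Note that a backend cookie flagged `secure` is not
# returned by browsers on this path, so cookie stickiness only works via :443.
frontend public
  bind :80
  mode http
  tcp-request inspect-delay 5s
  tcp-request content accept if HTTP

  # check if we need to redirect/force using https.
  acl secure_redirect base,map_beg(/var/lib/haproxy/conf/os_edge_http_redirect.map) -m found
  redirect scheme https if secure_redirect

  # Check if it is an edge route exposed insecurely.
  acl edge_http_expose base,map_beg(/var/lib/haproxy/conf/os_edge_http_expose.map) -m found
  use_backend be_edge_http_%[base,map_beg(/var/lib/haproxy/conf/os_edge_http_expose.map)] if edge_http_expose

  # map to http backend
  # Search from most specific to general path (host case).
  # Note: If no match, haproxy uses the default_backend, no other
  #       use_backend directives below this will be processed.
  use_backend be_http_%[base,map_beg(/var/lib/haproxy/conf/os_http_be.map)]

  default_backend openshift_default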

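# public ssl accepts all connections and isn't checking certificates yet certificates to use will be
# determined by the next backend in the chain which may be an app backend (passthrough termination) or a backend
# that terminates encryption in this router (edge)
#
# This frontend has no `mode http`, so it runs in TCP mode: routing here is
# decided from the ClientHello (SNI) only, and TLS is either terminated later
# in fe_sni / fe_no_sni or passed through untouched to the app backend.
frontend public_ssl
  bind :443
  tcp-request  inspect-delay 5s
  tcp-request content accept if { req_ssl_hello_type 1 }

  # if the connection is SNI and the route is a passthrough don't use the termination backend, just use the tcp backend
  acl sni req.ssl_sni -m found
  acl sni_passthrough req.ssl_sni,map(/var/lib/haproxy/conf/os_sni_passthrough.map) -m found
  use_backend be_tcp_%[req.ssl_sni,map(/var/lib/haproxy/conf/os_tcp_be.map)] if sni sni_passthrough

  # if the route is SNI and NOT passthrough enter the termination flow
  use_backend be_sni if sni

  # non SNI requests should enter a default termination backend rather than the custom cert SNI backend since it
  # will not be able to match a cert to an SNI host
  default_backend be_no_sni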

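##########################################################################
# TLS SNI
#
# When using SNI we can terminate encryption with custom certificates.
# Certs will be stored in a directory and will be matched with the SNI host header
# which must exist in the CN of the certificate.  Certificates must be concatenated
# as a single file (handled by the plugin writer) per the haproxy documentation.
#
# Finally, check re-encryption settings and re-encrypt or just pass along the unencrypted
# traffic
##########################################################################

# Loopback hop into the SNI-terminating frontend. send-proxy prepends a PROXY
# header carrying the real client address, which fe_sni reads via accept-proxy.
backend be_sni
  server fe_sni 127.0.0.1:10444 weight 1 send-proxy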

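frontend fe_sni
  # terminate ssl on edge
  # default.pem is the fallback certificate; the certs directory supplies the
  # per-host certificates that are selected by SNI.
  # accept-proxy trusts the PROXY header for the client address, so this bind
  # must stay on 127.0.0.1 where only be_sni can reach it.
  bind 127.0.0.1:10444 ssl no-sslv3 crt /var/lib/containers/router/certs/default.pem crt /var/lib/containers/router/certs accept-proxy
  mode http

  # check re-encrypt backends first - from most specific to general path.
  acl reencrypt base,map_beg(/var/lib/haproxy/conf/os_reencrypt.map) -m found

  # Search from most specific to general path (host case).
  use_backend be_secure_%[base,map_beg(/var/lib/haproxy/conf/os_reencrypt.map)] if reencrypt

  # map to http backend
  # Search from most specific to general path (host case).
  # Note: If no match, haproxy uses the default_backend, no other
  #       use_backend directives below this will be processed.
  use_backend be_edge_http_%[base,map_beg(/var/lib/haproxy/conf/os_edge_http_be.map)]

  default_backend openshift_default

##########################################################################
# END TLS SNI
##########################################################################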


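##########################################################################
# TLS NO SNI
#
# When we don't have SNI the only thing we can try to do is terminate the encryption
# using our wild card certificate.  Once that is complete we can either re-encrypt
# the traffic or pass it on to the backends
##########################################################################

# backend for when sni does not exist, or ssl term needs to happen on the edge
# Loopback hop into the no-SNI terminating frontend; send-proxy carries the
# real client address across it (fe_no_sni binds with accept-proxy).
backend be_no_sni
  server fe_no_sni 127.0.0.1:10443 weight 1 send-proxy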

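frontend fe_no_sni
  # terminate ssl on edge
  # Only default.pem (the wildcard/default cert) is loaded here: clients that
  # sent no SNI cannot be matched to a per-host certificate.
  # accept-proxy trusts the PROXY header for the client address, so this bind
  # must stay on 127.0.0.1 where only be_no_sni can reach it.
  bind 127.0.0.1:10443 ssl no-sslv3 crt /var/lib/containers/router/certs/default.pem accept-proxy
  mode http

  # check re-encrypt backends first - path or host based.
  acl reencrypt base,map_beg(/var/lib/haproxy/conf/os_reencrypt.map) -m found

  # Search from most specific to general path (host case).
  use_backend be_secure_%[base,map_beg(/var/lib/haproxy/conf/os_reencrypt.map)] if reencrypt

  # map to http backend
  # Search from most specific to general path (host case).
  # Note: If no match, haproxy uses the default_backend, no other
  #       use_backend directives below this will be processed.
  use_backend be_edge_http_%[base,map_beg(/var/lib/haproxy/conf/os_edge_http_be.map)]

  default_backend openshift_default

##########################################################################
# END TLS NO SNI
##########################################################################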


# Catch-all backend for requests that match no route map above.
backend openshift_default
  mode http
  option forwardfor
  #option http-keep-alive
  option http-pretend-keepalive
  # To configure custom default errors, you can either uncomment the
  # line below (server ... 127.0.0.1:8080) and point it to your custom
  # backend service or alternatively, you can send a custom 503 error.
  #server openshift_backend 127.0.0.1:8080
  # With no server defined, every request routed here is answered with this
  # 503 page rather than being forwarded anywhere.
  errorfile 503 /var/lib/haproxy/conf/error-page-503.http

------------------------------------------

BR Aleks



--
Cyril Bonté
