Hi Lukas,
thanks for the advice, the problem was about the chroot option.
strace with chroot:
-----------------------------
Process 46596 attached
epoll_wait(0, {}, 200, 1000) = 0
epoll_wait(0, {}, 200, 1000) = 0
epoll_wait(0, {}, 200, 1000) = 0
epoll_wait(0, {{EPOLLIN, {u32=13, u64=13}}}, 200, 1000) = 1
accept4(13, {sa_family=AF_INET, sin_port=htons(37165), sin_addr=inet_addr("xxx.xxx.xxx.xxx")}, [16], SOCK_NONBLOCK) = 1
setsockopt(1, SOL_TCP, TCP_NODELAY, [1], 4) = 0
accept4(13, 0x7fffd2207480, [128], SOCK_NONBLOCK) = -1 EAGAIN (Resource temporarily unavailable)
read(1, "\26\3\1\0\342\1\0\0\336\3\3", 11) = 11
read(1, "\244\25\5#\1\6w\r1c\25\305J1\207\307d\265\303\226;d)1\300\244G\334\352'>\263"..., 220) = 220
write(1, "\26\3\3\0Q\2\0\0M\3\3o\243\233:\351\3\5\35\0\234@\240\177\237\225\360\235JA\301B"..., 137) = 137
read(1, 0x7fb090c0e3b3, 5) = -1 EAGAIN (Resource temporarily unavailable)
epoll_ctl(0, EPOLL_CTL_ADD, 1, {EPOLLIN|EPOLLRDHUP, {u32=1, u64=1}}) = 0
epoll_wait(0, {{EPOLLIN, {u32=1, u64=1}}}, 200, 1000) = 1
read(1, "\24\3\3\0\1", 5) = 5
read(1, "\1", 1) = 1
read(1, "\26\3\3\0(", 5) = 5
read(1, "\0\0\0\0\0\0\0\0[\36(\366]\301\37\246m\362\205\214\5G\373\10\267\204\214b9%;\352"..., 40) = 40
read(1, 0x7fb090c0e3b3, 5) = -1 EAGAIN (Resource temporarily unavailable)
epoll_wait(0, {{EPOLLIN, {u32=1, u64=1}}}, 200, 1000) = 1
read(1, "\27\3\3\4\377", 5) = 5
read(1, "\0\0\0\0\0\0\0\1%\210]1&!D\353\32\342]\326\265\370\363\304\360\272o_g\236\250\302"..., 1279) = 1279
getsockname(1, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("xxx.xxx.xxx.xxx")}, [16]) = 0
getsockopt(1, SOL_IP, 0x50 /* IP_??? */, "\2\0\1\273\227P\37[\0\0\0\0\0\0\0\0", [16]) = 0
socket(PF_LOCAL, SOCK_STREAM, 0) = 2
fcntl(2, F_SETFL, O_RDONLY|O_NONBLOCK) = 0
connect(2, {sa_family=AF_LOCAL, sun_path="/var/run/haproxy_plain.sock"}, 110) = -1 ENOENT (No such file or directory)
close(2) = 0
socket(PF_LOCAL, SOCK_STREAM, 0) = 2
fcntl(2, F_SETFL, O_RDONLY|O_NONBLOCK) = 0
----------------------
We have a:
connect(2, {sa_family=AF_LOCAL, sun_path="/var/run/haproxy_plain.sock"}, 110) = -1 ENOENT (No such file or directory)
The socket was in /var/run/ but HAProxy didn't find it, so I thought
that HAProxy was searching for the socket in the chroot path, and I was right:

global
    chroot /path/to/chroot/
    unix-bind prefix /path/to/chroot/ mode 770 group haproxy
    ../...

listen web_tls
    mode http
    bind *:443 ssl crt fullchain.pem process 2
    bind *:443 ssl crt fullchain.pem process 3
    maxconn 100000
    server web-plain unix@haproxy_plain.sock send-proxy-v2-ssl

frontend web_plain
    mode http
    bind *:80 process 1
    bind unix@haproxy_plain.sock process 1 accept-proxy

This way it works. It seems that, contrary to the stats socket, the
server socket is chrooted, so you have to prefix with /path/to/chroot/.
Thanks for the help!
PS: I use "send-proxy-v2-ssl" because I want to know if
the connection was via TLS or not, but how can I get this information in
the plain frontend? I've tried to use "if { ssl_fc }" but it doesn't
work...
On 12/12/2016 at 21:55, Lukas Tribus wrote:
Hello Arnall,
you said you tried different users, did you remove the "user nobody"
configuration completely?
Strace output would also help, just make sure you are looking at the
correct process or use nbproc 1 to avoid any confusion while
troubleshooting.
Lukas
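
Added example, not part of the original messages: a small Python helper that rejoins mail-wrapped strace records, picks out failed connect() calls on UNIX sockets, and reports where the kernel actually looked once the process is chrooted. The sample trace is constructed from the excerpt above; the function names are hypothetical, and the code assumes the traced process has already called chroot() and has "/" inside the jail as its working directory.

```python
import posixpath
import re

# Constructed sample modelled on the strace excerpt in the message above,
# including the line wrapping added by the mail client.
SAMPLE_STRACE = """\
socket(PF_LOCAL, SOCK_STREAM, 0) = 2
fcntl(2, F_SETFL, O_RDONLY|O_NONBLOCK) = 0
connect(2, {sa_family=AF_LOCAL, sun_path="/var/run/haproxy_plain.sock"},
110) = -1 ENOENT (No such file or directory)
read(1, 0x7fb090c0e3b3, 5) = -1 EAGAIN (Resource
temporarily unavailable)
"""

SYSCALL_START = re.compile(r"[a-z_0-9]+\(")
FAILED_CONNECT = re.compile(
    r'connect\(\d+, \{sa_family=AF_(?:LOCAL|UNIX|FILE), '
    r'sun_path="(?P<path>[^"]*)"\}, \d+\)\s*=\s*-1 (?P<errno>E[A-Z]+)'
)

def join_wrapped(text):
    """Glue continuation lines back onto the syscall record they belong to."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if SYSCALL_START.match(line) or not records:
            records.append(line)       # a new syscall record starts here
        else:
            records[-1] += " " + line  # wrapped tail of the previous record
    return records

def failed_unix_connects(text, chroot):
    """Return (path_in_process, errno, path_on_host) per failed UNIX connect.

    Assumption: every path in the trace is resolved below `chroot`.
    """
    findings = []
    for record in join_wrapped(text):
        m = FAILED_CONNECT.search(record)
        if m:
            inside = posixpath.normpath(posixpath.join("/", m["path"]))
            on_host = posixpath.join(chroot, inside.lstrip("/"))
            findings.append((m["path"], m["errno"], on_host))
    return findings

if __name__ == "__main__":
    for seen, err, host in failed_unix_connects(SAMPLE_STRACE, "/path/to/chroot/"):
        print(f"{err}: process asked for {seen}, kernel looked at {host}")
```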