Okay, thanks Holger! We were hitting the maxconn limit, which is what sparked this investigation. When we were at that limit, the discrepancy between frontend and backend was higher than when I could observe it above (we restarted HAProxy to re-establish the connections and start anew).
I also realized that my `netstat` command above isn't quite right, since it is counting connections in the TIME_WAIT state, while HAProxy would only be concerned with ESTABLISHED connections, right? So is the solution to just increase the maxconn (and/or add more HAProxy nodes)?

On Fri, Mar 31, 2017 at 10:00 AM, Holger Just <[email protected]> wrote:

> Hi Patrick,
>
> Patrick Kaeding wrote:
> > I have one frontend, listening on port 443, and two backends, which send
> > traffic to either port 5050 or 5051. The haproxy stats screen is
> > showing many more frontend connections than backend (in one case, 113k
> > on the frontend, 97k on one backend, and 3k on the other backend).
>
> Most browsers nowadays speculatively create more than one connection to
> the server (HAProxy in this case) to use them for parallel downloading
> of assets.
>
> Now, such a connection to the frontend will only result in a connection
> to the backend once the full HTTP request has been received and parsed
> by HAProxy. Since some of these speculative connections will just sit
> idle and will eventually get closed without having received any data,
> the number of frontend-connections is almost always higher than the sum
> of backend-connections.
>
> In addition to that, you might observe more connections accepted by the
> kernel than are shown in HAProxy's frontend. This is due to the fact
> that a new connection is only forwarded to HAProxy from the kernel once
> it is fully established and HAProxy has actively accepted it.
>
> If you are running against your maxconn or generally on high load, some
> connections might be accepted by the kernel already but not yet handled
> by HAProxy.
>
> Cheers,
> Holger

--
Patrick Kaeding
[email protected]
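A per-state socket count for the frontend and backend sides discussed in this thread, as an added example that is not part of the original messages. The `netstat -tan` sample is constructed and the helper names are hypothetical; ports 443, 5050 and 5051 are the ones named in the thread.

```shell
#!/bin/sh
# Constructed `netstat -tan` output for an HAProxy host (sample data, not from the thread).
# Local port 443 is the frontend; foreign ports 5050/5051 are HAProxy's backend connections.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:443            198.51.100.7:51514      ESTABLISHED
tcp        0      0 10.0.0.5:443            198.51.100.7:51515      ESTABLISHED
tcp        0      0 10.0.0.5:443            203.0.113.9:40022       ESTABLISHED
tcp        0      0 10.0.0.5:443            203.0.113.9:40023       TIME_WAIT
tcp        0      0 10.0.0.5:443            192.0.2.44:60100        TIME_WAIT
tcp        0      0 10.0.0.5:38100          10.0.0.20:5050          ESTABLISHED
tcp        0      0 10.0.0.5:38102          10.0.0.20:5050          ESTABLISHED
tcp        0      0 10.0.0.5:38104          10.0.0.21:5051          TIME_WAIT
EOF
}

# count_state SIDE STATE  (hypothetical helper; reads `netstat -tan` output on stdin)
# SIDE is "frontend" (local port 443) or "backend" (foreign port 5050 or 5051).
count_state() {
  awk -v side="$1" -v state="$2" '
    $1 ~ /^tcp/ && $6 == state {
      # Take the text after the last ":" so IPv6 addresses also work.
      n = split($4, l, ":"); lport = l[n]
      n = split($5, r, ":"); rport = r[n]
      if (side == "frontend" && lport == "443") c++
      if (side == "backend" && (rport == "5050" || rport == "5051")) c++
    }
    END { print c + 0 }'
}

# Print one line per side and state.
report() {
  for side in frontend backend; do
    for state in ESTABLISHED TIME_WAIT; do
      printf '%-8s %-11s %s\n' "$side" "$state" "$(sample_netstat | count_state "$side" "$state")"
    done
  done
}

report
```

On a live host, pipe `netstat -tan` into `count_state` in place of `sample_netstat`.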

