Hello Pavlos,
Below we have provided both pieces of information you requested. Your guidance would
be appreciated.
(1) A sanitized version of the HAProxy configuration is below. Please help us
identify why using multiple HAProxy config files in a directory forces us to
reset our password to our WebSocket product for us to log in? A single
haproxy.cfg file works perfectly with the same configuration.
(2) >> May I ask why you are using the SysVinit and not systemd to start
haproxy? You are using CentOS 7.2, which uses systemd,
Thank you for guiding us to use systemd. Today, we created a haproxy.service
executable file in /usr/lib/systemd/system/haproxy.service, but failed to start
HAProxy. The haproxy.service file is below. What did we do wrong?
----
HAProxy configuration file (sanitized)
----
global
log 127.0.0.1 local2
log-tag haproxy
pidfile /var/run/haproxy.pid
user haproxy
group haproxy
nbproc 1
maxconn 5000
spread-checks 5
debug
chroot "/usr/local/haproxy-1.7.5/lib"
stats socket "/usr/local/haproxy-1.7.5/lib/haproxy.sock"
maxsslconn 256
tune.ssl.default-dh-param 4096
ca-base /etc/pki/CA/ssl.cert
crt-base /etc/pki/CA/ssl.key
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-server-options no-sslv3 no-tls-tickets
maxcomprate 1
maxcompcpuusage 50
tune.comp.maxlevel 5
defaults
mode http
log global
option httplog
option http-server-close
option redispatch
retries 3
backlog 10000
timeout client 50000ms
timeout connect 5000ms
timeout server 50000ms
timeout http-keep-alive 10s
timeout http-request 15s
timeout queue 30s
timeout check 10s
timeout tarpit 60s
default-server inter 3s rise 2 fall 3
option forwardfor
option abortonclose
maxconn 50000
compression algo gzip
compression offload
compression type text/html "text/html; charset=utf-8" text/html;charset=utf-8 text/plain text/css text/javascript application/x-javascript application/javascript application/ecmascript application/rss+xml application/atomsvc+xml application/atom+xml application/atom+xml;type=entry application/atom+xml;type=feed application/cmisquery+xml application/cmisallowableactions+xml application/cmisatom+xml application/cmistree+xml application/cmisacl+xml application/msword application/vnd.ms-excel application/vnd.ms-powerpoint image/svg+xml
errorfile 400 /usr/local/haproxy-1.7.5/errors/400.http
...
frontend webapps-frontend
bind *:443 name https ssl crt /etc/pki/CA/pem.ecc
log global
option forwardfor
option httplog clf
http-request set-header X-Forwarded-Port %[dst_port]
acl host_coscend_http req.hdr(Host) coscend.com
acl host_coscend_https req.hdr(Host) coscend.com
acl path_subdomain_cc_classic path_beg -i "/CoscendCC"
use_backend subdomain_cc_classic-backend if host_coscend_https path_subdomain_cc_classic
default_backend webapps-backend
backend webapps-backend
log global
balance roundrobin
option http-server-close
http-request set-header X-Forwarded-Port %[dst_port]
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
server Demo <IP>:Port cookie pad-p check
backend subdomain_cc_classic-backend
timeout tunnel 3600s
rspirep ^(Location:)\ http://(.*)$ Location:\ https://\2
server Production <IP>:<Port> cookie cc-p check
-----
Using systemd to start HAProxy with following haproxy.service FAILED
------
[Unit]
Description=HAProxy Load Balancer
After=network.target
[Service]
Environment="CONFIG=/usr/local/haproxy-1.7.5/conf/haproxy.cfg" "PIDFILE=/var/run/haproxy.pid" "LOCKFILE=/var/lock/subsys/haproxy"
ExecStartPre=/usr/local/sbin/haproxy -f $CONFIG -c -q
ExecStart=/usr/local/sbin/haproxy-systemd-wrapper -D -V -f $CONFIG -p $PIDFILE
ExecReload=/usr/local/sbin/haproxy -f $CONFIG -c -q
KillMode=mixed
Restart=always
[Install]
WantedBy=multi-user.target
Thank you.
Sincerely,
Hemant K. Sabat
Coscend Communications Solutions
Web site: www.Coscend.com
-----Original Message-----
From: Pavlos Parissis [mailto:[email protected]]
Sent: Friday, April 7, 2017 3:11 PM
To: [email protected]; 'haproxy' <[email protected]>
Subject: Re: Multiple Config Files Use Leads to Lockout
On 07/04/2017 06:00 PM, Coscend@HAProxy wrote:
> Dear HAProxy Community,
>
>
>
> We are seeking your guidance with regard to the following issue we are
> facing with our HAProxy use.
>
>
>
> ------
>
> ISSUE
>
> -------
>
> When we use a single monolithic config file (haproxy.cfg), HAProxy
> launches fine and we are able to access our products that use HTTP/TCP
> (WebSockets) and RTMP.
>
>
>
> When we launch HAProxy using multiple config files in a directory,
> HAProxy launches fine. However, our products do not allow the
> administrator to log in (i.e., locks out). We have to reset the
> password to log in. Once the admin logs out, again it locks out the
> administrator and the password has to be reset to log in.
>
>
>
> How is using multiple HAProxy config files in a directory connected to
> logging in to our WebSocket product?
>
>
>
> ----
>
> DETAILS
>
> ----
>
> We are running HAProxy as a daemon service. We are using HAProxy init
> script from HAProxy’s Github source. /etc/init.d/haproxy has the following
> lines:
>
May I ask why you are using the SysVinit and not systemd to start haproxy? You
are using CentOS 7.2, which uses systemd, thus my question.
>
>
> Option 1: When using SINGLE Config FILE
>
> CFG=haproxy-1.7.5/conf/$BASENAME.cfg
>
>
>
> Option 2: When using a config DIRECTORY (conf.modular) with multiple
> files in alphanumerical order, namely global, defaults, frontend,
> backend, dns resolver and statistics:
>
> CFG=haproxy-1.7.5/conf.modular
>
>
Without seeing the actual configuration, it would be quite difficult to get a
useful response. Can you share a sanitized version of your configuration?
Cheers,
Pavlos
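Added example, not part of the thread and not HAProxy's own code: when `-f` is given a directory, HAProxy loads its non-hidden `.cfg` files in lexical order under the C locale, and a `defaults` section applies only to proxies declared after it, so a split configuration can behave differently from the single file it came from. The script below lists every frontend, backend or listen section that is parsed before the first `defaults`; the function names and the sample file names are constructed for illustration.

```sh
#!/bin/sh
# Added example; the sample file names below are constructed.

# Print the .cfg files of directory $1 in the order "haproxy -f <dir>" loads
# them: lexical order under the C locale, hidden files skipped.
load_order() {
    find "$1" -maxdepth 1 -type f -name '*.cfg' ! -name '.*' | LC_ALL=C sort
}

# Print "file: section" for every frontend/backend/listen section that is
# parsed before the first "defaults" section and so inherits none of it.
proxies_before_defaults() {
    load_order "$1" | awk '{
        file = $0; base = file; sub(/.*\//, "", base)
        while ((getline line < file) > 0) {
            n = split(line, w, " ")          # whitespace split, indent ignored
            if (n == 0) continue
            if (w[1] == "defaults") seen = 1
            else if (!seen && w[1] ~ /^(frontend|backend|listen)$/)
                print base ": " w[1] " " w[2]
        }
        close(file)
    }'
}

# Write a constructed four-file layout into $1; $2..$5 name the files holding
# the global, defaults, frontend and backend sections.
make_sample() {
    mkdir -p "$1"
    printf 'global\n    maxconn 5000\n' > "$1/$2"
    printf 'defaults\n    mode http\n    timeout server 50000ms\n' > "$1/$3"
    printf 'frontend webapps-frontend\n    default_backend webapps-backend\n' > "$1/$4"
    printf 'backend webapps-backend\n    balance roundrobin\n' > "$1/$5"
}

tmp=$(mktemp -d)
make_sample "$tmp/by-name" global.cfg defaults.cfg frontend.cfg backend.cfg
make_sample "$tmp/numbered" 00-global.cfg 10-defaults.cfg 20-frontend.cfg 30-backend.cfg
echo "by-name:";  proxies_before_defaults "$tmp/by-name"
echo "numbered:"; proxies_before_defaults "$tmp/numbered"
```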