El 12/05/17 a las 11:55, Aleksandar Lazic escribió: > Hi Antonio Trujillo Carmona. > > Antonio Trujillo Carmona have written on Fri, 12 May 2017 10:23:59 > +0200: > >> El 11/05/17 a las 15:06, Aleksandar Lazic escribió: >>> .../ >>> How about to activate the 'option tcp-check' as mentioned in the >>> Warning? >>> In the config below is it's commented, any reason why? >>> >>> It's also active in the doc which you maybe know. >>> >>> https://www.haproxy.com/doc/aloha/7.0/deployment_guides/microsoft_remote_desktop_services.html >>> >>> Does this changes anything? >> ok cleaing up a liter I try: >> frontend RDP >> mode tcp >> bind *:3389 >> timeout client 1h >> tcp-request inspect-delay 5s >> tcp-request content accept if RDP_COOKIE >> default_backend bk_rdp >> ############################################################# >> backend bk_rdp >> mode tcp >> balance leastconn >> #balance rdp_coockie >> timeout server 1h >> timeout connect 4s >> log global >> option tcplog >> stick-table type string len 32 size 10k expire 1h peers pares >> stick on rdp_cookie(msthash) >> # persist rdp-cookie >> option tcp-check >> # option ssl-hello-chk >> # option tcpka >> tcp-check connect port 3389 ssl >> >> # server gr43sterminal01 10.104.22.142:3389 weight 1 check >> verify none inter 2000 rise 2 fall 3 >> # server gr43sterminal02 10.104.23.141:3389 weight 1 check >> verify none inter 2000 rise 2 fall 3 >> # >> default-server inter 3s rise 2 fall 3 >> server gr43sterminal01 10.104.22.142:3389 weight 1 check >> server gr43sterminal02 10.104.23.141:3389 weight 1 check >> >> And I got: >> [ALERT] 131/100222 (8564) : Proxy 'bk_rdp', server 'gr43sterminal01' >> [/etc/haproxy/haproxy.cfg:189] verify is enabled by default but no CA >> file specified. If you're running on a LAN where you're certain to >> trust the server's certificate, please set an explicit 'verify none' >> statement on the 'server' line, or use 'ssl-server-verify none' in >> the global section to disable server-side verifications by default. >> [ALERT] 131/100222 (8564) : Proxy 'bk_rdp', server 'gr43sterminal02' >> [/etc/haproxy/haproxy.cfg:190] verify is enabled by default but no CA >> file specified. If you're running on a LAN where you're certain to >> trust the server's certificate, please set an explicit 'verify none' >> statement on the 'server' line, or use 'ssl-server-verify none' in >> the global section to disable server-side verifications by default. >> [ALERT] 131/100222 (8564) : Fatal errors found in configuration. >> >> So I try adding verify none in server line >> >> and haproxy see both server up (but one is down). >> I try withou ssl: >> >> tcp-check connect port 3389 >> server gr43sterminal01 10.104.22.142:3389 weight 1 check >> server gr43sterminal02 10.104.23.141:3389 weight 1 check >> >> but the result is the same haproxy see both server up (but one is >> down) >> >> only if I leve only option tcp-check (or none) it seem work >> >> >> ################# >> # persist rdp-cookie >> option tcp-check >> # option ssl-hello-chk >> # option tcpka >> # tcp-check connect port 3389 ssl >> # tcp-check connect port 3389 >> >> # server gr43sterminal01 10.104.22.142:3389 weight 1 check >> verify none inter 2000 rise 2 fall 3 >> # server gr43sterminal02 10.104.23.141:3389 weight 1 check >> verify none inter 2000 rise 2 fall 3 >> # >> default-server inter 3s rise 2 fall 3 >> server gr43sterminal01 10.104.22.142:3389 weight 1 check >> server gr43sterminal02 10.104.23.141:3389 weight 1 check >> ################## >> >> >> output: >> >> [WARNING] 131/102105 (8773) : Server bk_rdp/gr43sterminal01 is DOWN, >> reason: Layer4 timeout, info: " at initial connection step of >> tcp-check", check duration: 3001ms. 1 active and 0 backup servers >> left. 0 sessions active, 0 requeued, 0 remaining in queue. > So finally it works. > > Regards > Aleks But in that mode it check server available, not service, if RDP service is down haproxy don't detect it.
-- *Antonio Trujillo Carmona* *Técnico de redes y sistemas.* *Subdirección de Tecnologías de la Información y Comunicaciones* Servicio Andaluz de Salud. Consejería de Salud de la Junta de Andalucía [email protected]_ Tel. +34 670947670 747670)
