Hi Antonio Trujillo Carmona.

Antonio Trujillo Carmona has written on Mon, 15 May 2017 08:40:16
+0200:

> On 12/05/17 at 11:55, Aleksandar Lazic wrote:
> > Hi Antonio Trujillo Carmona.
> >
> > Antonio Trujillo Carmona has written on Fri, 12 May 2017 10:23:59
> > +0200:
> >  
> >> On 11/05/17 at 15:06, Aleksandar Lazic wrote:
> >>> .../
> >>> How about activating the 'option tcp-check' as mentioned in the
> >>> Warning?
> >>> In the config below it's commented out, any reason why?
> >>>
> >>> It's also active in the doc which you maybe know.
> >>>
> >>> https://www.haproxy.com/doc/aloha/7.0/deployment_guides/microsoft_remote_desktop_services.html
> >>>
> >>> Does this change anything?
> >> ok, cleaning up a little I try:
> >> frontend RDP
> >>         mode tcp
> >>         bind *:3389
> >>         timeout client 1h
> >>         tcp-request inspect-delay 5s
> >>         tcp-request content accept if RDP_COOKIE
> >>         default_backend bk_rdp
> >> #############################################################
> >> backend bk_rdp
> >>         mode tcp
> >>         balance leastconn
> >>         #balance rdp_coockie
> >>         timeout server 1h
> >>         timeout connect 4s
> >>         log global
> >>         option tcplog
> >>         stick-table type string len 32 size 10k expire 1h peers pares
> >>         stick on rdp_cookie(msthash)
> >> #       persist rdp-cookie
> >>         option tcp-check
> >> #       option ssl-hello-chk
> >> #       option tcpka
> >>         tcp-check connect port 3389 ssl
> >>
> >> #       server gr43sterminal01  10.104.22.142:3389 weight 1 check verify none inter 2000 rise 2 fall 3
> >> #       server gr43sterminal02  10.104.23.141:3389 weight 1 check verify none inter 2000 rise 2 fall 3
> >> #
> >>         default-server inter 3s rise 2 fall 3
> >>         server gr43sterminal01  10.104.22.142:3389 weight 1 check
> >>         server gr43sterminal02  10.104.23.141:3389 weight 1 check
> >>
> >> And I got:
> >> [ALERT] 131/100222 (8564) : Proxy 'bk_rdp', server
> >> 'gr43sterminal01' [/etc/haproxy/haproxy.cfg:189] verify is enabled
> >> by default but no CA file specified. If you're running on a LAN
> >> where you're certain to trust the server's certificate, please set
> >> an explicit 'verify none' statement on the 'server' line, or use
> >> 'ssl-server-verify none' in the global section to disable
> >> server-side verifications by default.
> >> [ALERT] 131/100222 (8564) : Proxy 'bk_rdp', server
> >> 'gr43sterminal02' [/etc/haproxy/haproxy.cfg:190] verify is enabled
> >> by default but no CA file specified. If you're running on a LAN
> >> where you're certain to trust the server's certificate, please set
> >> an explicit 'verify none' statement on the 'server' line, or use
> >> 'ssl-server-verify none' in the global section to disable
> >> server-side verifications by default.
> >> [ALERT] 131/100222 (8564) : Fatal errors found in configuration.
> >>
> >> So I try adding verify none in server line
> >>
> >> and haproxy sees both servers up (but one is down).
> >> I try without ssl:
> >>
> >>         tcp-check connect port 3389
> >>         server gr43sterminal01  10.104.22.142:3389 weight 1 check
> >>         server gr43sterminal02  10.104.23.141:3389 weight 1 check
> >>
> >> but the result is the same: haproxy sees both servers up (but one is
> >> down)
> >>
> >> only if I leave only option tcp-check (or none) it seems to work
> >>
> >>
> >> #################
> >> #       persist rdp-cookie
> >>         option tcp-check
> >> #       option ssl-hello-chk
> >> #       option tcpka
> >> #       tcp-check connect port 3389 ssl
> >> #       tcp-check connect port 3389
> >>
> >> #       server gr43sterminal01  10.104.22.142:3389 weight 1 check verify none inter 2000 rise 2 fall 3
> >> #       server gr43sterminal02  10.104.23.141:3389 weight 1 check verify none inter 2000 rise 2 fall 3
> >> #
> >>         default-server inter 3s rise 2 fall 3
> >>         server gr43sterminal01  10.104.22.142:3389 weight 1 check
> >>         server gr43sterminal02  10.104.23.141:3389 weight 1 check
> >> ##################
> >>
> >>
> >> output:
> >>
> >> [WARNING] 131/102105 (8773) : Server bk_rdp/gr43sterminal01 is
> >> DOWN, reason: Layer4 timeout, info: " at initial connection step of
> >> tcp-check", check duration: 3001ms. 1 active and 0 backup servers
> >> left. 0 sessions active, 0 requeued, 0 remaining in queue.  
> > So finally it works.
> >
> > Regards
> > Aleks  
> But in that mode it checks that the server is available, not the service; if the RDP
> service is down haproxy doesn't detect it.

Maybe you will need some tcp-check sequence to check the service.

http://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4.2-tcp-check%20send
http://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4.2-tcp-check%20send-binary

I have found a perl script which checks the rdp, maybe this will help
you to find the right sequence.

https://github.com/portcullislabs/rdp-sec-check/blob/master/rdp-sec-check.pl

Regards
Aleks
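
Added example, not part of the original mail or of HAProxy's documentation: a Python sketch of the kind of service-level sequence the reply points to, building an RDP X.224 Connection Request and printing it as `tcp-check send-binary` / `tcp-check expect binary` lines. The function names and the expected 19-byte Connection Confirm prefix are assumptions of this example; the byte layout follows the published MS-RDPBCGR connection sequence.

```python
import struct

# requestedProtocols flags from MS-RDPBCGR (RDP_NEG_REQ)
PROTOCOL_SSL, PROTOCOL_HYBRID = 0x1, 0x2
# Assumption: a live RDP listener answers with a 19-byte Connection Confirm
# (TPKT 03 00 00 13, length indicator 0e, X.224 code d0).
CONFIRM_PREFIX = bytes.fromhex("030000130ed0")


def build_connection_request(requested=PROTOCOL_SSL | PROTOCOL_HYBRID):
    """TPKT + X.224 Connection Request + RDP_NEG_REQ, no routing cookie."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested)
    # X.224 CR: code 0xE0, DST-REF 0, SRC-REF 0, class 0
    x224 = struct.pack(">BHHB", 0xE0, 0, 0, 0) + neg_req
    x224 = bytes([len(x224)]) + x224  # length indicator excludes itself
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def classify_response(data):
    """Return 'confirm', 'neg-failure' or 'not-rdp' for the first reply."""
    if len(data) < 11 or data[0] != 3:          # TPKT version must be 3
        return "not-rdp"
    (length,) = struct.unpack(">H", data[2:4])
    if length > len(data) or data[5] & 0xF0 != 0xD0:  # 0xD0 = Connection Confirm
        return "not-rdp"
    if length >= 19 and data[11] == 0x03:       # RDP_NEG_FAILURE structure
        return "neg-failure"
    return "confirm"


def haproxy_check_lines():
    """Directives for the backend; the connect to the server port is implicit."""
    # A negotiation failure shares the same prefix, so it also counts as
    # "service answering", which is what a health check needs to know.
    return [
        "option tcp-check",
        "tcp-check send-binary " + build_connection_request().hex(),
        "tcp-check expect binary " + CONFIRM_PREFIX.hex(),
    ]


if __name__ == "__main__":
    print("\n".join(haproxy_check_lines()))
    # Constructed sample replies, not captured traffic
    ok = bytes.fromhex("030000130ed000001234000200080002000000")
    print(classify_response(ok), classify_response(b"SSH-2.0-OpenSSH\r\n"))
```
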
